ULB_ebusiness_ePayments_Final_v1.1 by fanzhongqing


UNIVERSITE LIBRE DE BRUXELLES
Solvay Business School

Seminar on Information and Communication Technologies (GEST 116)

eBusiness – Payments & Security
Pascale Vande Velde
Content of eBusiness course
Information and Communication Technologies

– Introduction – Part I
– Introduction – Part II
– Payments & Security
– Supply chain management

V.1.1                                                 Solvay Business School    2
Payments & Security: content of this part

– Introduction to epayments
– Network security principles and concepts
– B2C ePayments solutions
– B2B ePayments solutions
Generic Payment Process

1. Payment request or instruction transmitted by the customer to an intermediary
1'. Payment request or instruction transmitted by the customer directly to the bank
2. Customer's payment request or instruction transmitted by the intermediary to the vendor's bank

After verification of the customer's solvability, the vendor's bank sends the transaction to a clearing entity (intra-banks, inter-banks or international clearing); settlement takes place when clearing is achieved.
The payments market by instrument in Belgium

However, there is a significant shift from paper-based towards electronic transfers, and the use of debit and credit cards has significantly intensified.

                          Volumes (mio transactions)                 Value (EUR bio)
Instrument                1995     1999    Change   Distr. 1999     1995     1999    Change   Distr. 1999
Cheques                  117,1     80,2    -31,5%        6%          305       98    -67,9%       0,6%
Paper-based transfers    447,9    412,1    -7,99%       30%        9.054    2.184    -75,9%        14%
Electronic transfers     220,6    310,9    +40,9%       22%          910   13.002    +1328%        85%
Credit cards              32,2     48,7    +51,2%        4%            3        5    +66,7%        NA
Debit cards              185,9    354,3    +90,6%       25%            9       18     +100%       0,1%
Direct Debit             104,5    142,3    +36,2%       10%           24       41    +70,8%       0,2%
Electronic Money           0,7     45,5    +6400%        3%           NA      0,2        NA        NA
Total                  1.108,9  1.394,0    +25,7%      100%       10.305   15.348    +48,9%      100%

* The data are very small relative to other relevant data in the table.
Source: ECB Blue Book – June 2001
Internet is by far the cheapest way to process a payment

Payment unit costs in Europe (€ per transaction):

– Paper-based transfer:        1.24 (still 30% of all payments in volumes)
– Direct Debit modification:   0.74 to 4.96 (opening, changes, cancellation, …)
– Phone:                       0.50
– ATM:                         0.27
– Online (PC):                 0.23
– Internet:                    0.10
Significant differences between US and Europe

Checks are intensively used in the US while transfers and direct debits are hardly used.

Figure: three pie charts, US Consumer Payments in 1998, 2005 and 2010 (% share of transactions), each split into Checks, Cash, Credit Cards, Debit Cards and Electronic; totals 100% ~$4.5 Trillion (1998), 100% ~$6.8 Trillion (2005) and 100% ~$8.8 Trillion (2010).

Source: Nilson Reports; Accenture analysis
Electronic billing is a promising solution in the USA

But the situation is different in Europe: actually, in Belgium, 80% of people use direct debit* to pay their bills. Consequently, billing presentation is not so important. e-Billing/invoice as used in the US is an obsolete system compared to the system in application in Europe.

US Retail Bills Presented & Paid Online

                                           1999    2000    2001    2002    2003    2004
Bills presented & paid online (million)     0.9     6.7      84     446   1,142   1,962
EBPP Households (million)                   0.1     0.6     2.1     6.0    13.1    20.7
Recurring Household Bills Payable
  Online (%)                                  5       8      28      52      61      66
Percentage of all Bills (%)                0.01    0.04     0.6     3.0     7.6    13.1

Chart annotation: consumers able to view & pay at least 60% of all their recurring bills at one site.

* Domiciliation
Source: IDC; Jupiter Communications; Data Monitor; Forrester Research; Tower Group; Gartner Group; Accenture analysis
Billing Process

EBPP includes bill presentment and payment.

Electronic Bill Presentment and Payment overview:

1. Customer uses the Internet to access websites where bills reside
2. Billers send electronic bills to the appropriate site(s)
3. Customer authorizes payment through the website
4. Payment is sent electronically (ACH*, RPS, etc.) from the customer's bank to the biller's bank
5. Remittance and payment information is sent to the biller for posting

* Automated Clearing House: clearing method including netting, and typical to the U.S.
EBPP multi-channel presentation and delivery

Billers feed the Trusted Third Party (TTP) EBPP Consolidator:
– Large billers: FTP/XML/EDIFACT
– Medium enterprises: FTP/XML/EDIFACT
– Small enterprises & independents: online invoice templates

The TTP delivers to customers, directly or through a third party CSP (FTP/XML/EDIFACT):
– Consumer: eBanking or other portal; GUI for view and pay + eMail with bills + notification
– SME: GUI for view and pay + integration into standard accounting packages + bill analysis features
– Corporate: FTP/XML/EDIFACT + integration into ERP systems + notification to responsible A/P

Presentment options:
• White labeled: direct billing through ASP or presentment via a third party CSP
• TTP branded: on the TTP's Portal

Payment options:
1. For the B2C and SME
   • eBanking
   • Credit cards
   • E-mail based payments (PayPal, x.com)
2. For corporates
   • Regular payment systems
   • International
   • Netting of payments

Client subscription DB with:
• Delivery preferences: physical delivery (printing & physical delivery), WAP & PDA, eBanking, TTP Portal, other portal, eMail@TTP.be, other eMail
• Notification preferences: SMS, eMail, portal alert

Potential value added services by TTP:
1. Factoring
2. Intra-corporate and inter-corporate netting
3. Cash management (incl. FX)
4. Trade finance
5. Trust services
Six security principles

Digital security data must address several critical needs:

Need              Description
Identification    Our customers are identified
Authentication    Transaction participants are known
Authorization     Transaction participants are authorized
Integrity         Data is not changed in an unauthorized way
Non-Repudiation   An individual cannot deny that a transaction was made
Confidentiality   Transactions and communications are kept private
Authentication

Authentication flow (diagram: Entity One (Business) runs an authentication server, an application server and a web server behind a firewall; Entity Two (User) is an end user PC running the authentication client; they communicate over the Internet, the user sending "User ID & Password" and receiving a Yes/No response):

• Two components are necessary: an authentication server and an authentication client
• The authentication client will prompt the user to enter his identifier and shared secret and will pass the information to the authentication server

Authentication response:

• The authentication server will then confirm that the identifier is valid, and that the shared secret matches the identifier
• The authentication server will then pass a yes/no response back to the authentication client. The user will then be granted or denied access to the application
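The server side of the authentication flow above, as an added Go example that is not part of the course material: the server keeps a salted, stretched hash rather than the shared secret itself, compares it in constant time, and answers only yes or no, so an unknown identifier and a wrong secret are indistinguishable to the client. The iterated-HMAC stretching and the sample user are constructed assumptions; a production server would use a memory-hard KDF such as Argon2id.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Credential is what the authentication server keeps per identifier: never the
// shared secret itself, only a random salt and a stretched hash of the secret.
type Credential struct {
	Salt []byte
	Hash []byte
}

// Iterations of the toy stretching below (assumption; tuned for the example).
const iterations = 50000

// stretch derives a fixed-size hash from the secret and salt by iterated
// HMAC-SHA256. Assumption: it stands in for a memory-hard KDF (Argon2id,
// scrypt); the structure of the check, not the KDF, is the point here.
func stretch(secret string, salt []byte) []byte {
	h := []byte(secret)
	for i := 0; i < iterations; i++ {
		mac := hmac.New(sha256.New, salt)
		mac.Write(h)
		h = mac.Sum(nil)
	}
	return h
}

// AuthServer is the authentication server of the slide: a table of
// identifiers and their credentials, answering only yes or no.
type AuthServer struct {
	users map[string]Credential
	dummy Credential // checked for unknown identifiers so timing does not reveal whether an ID exists
}

func NewAuthServer() *AuthServer {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &AuthServer{
		users: map[string]Credential{},
		dummy: Credential{Salt: salt, Hash: stretch("", salt)},
	}
}

// Enroll registers an identifier together with its shared secret.
func (s *AuthServer) Enroll(id, secret string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users[id] = Credential{Salt: salt, Hash: stretch(secret, salt)}
	return nil
}

// Authenticate receives the identifier and shared secret forwarded by the
// authentication client and confirms that the identifier is valid and that
// the secret matches it. An unknown identifier and a wrong secret produce
// the same "no", and the comparison runs in constant time.
func (s *AuthServer) Authenticate(id, secret string) bool {
	cred, known := s.users[id]
	if !known {
		cred = s.dummy
	}
	match := subtle.ConstantTimeCompare(stretch(secret, cred.Salt), cred.Hash) == 1
	return known && match
}

func main() {
	srv := NewAuthServer()
	// constructed sample user
	if err := srv.Enroll("alice", "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("alice, right secret:", srv.Authenticate("alice", "correct horse battery staple"))
	fmt.Println("alice, wrong secret:", srv.Authenticate("alice", "password"))
	fmt.Println("unknown identifier:", srv.Authenticate("mallory", "password"))
}
```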
Encryption

Encryption architecture (diagram: the same business and user entities as above, with a Public Key Storage behind the business web server and a private key held on the end user PC):

• Cryptography services are provided with a Public Key Infrastructure (PKI)
• In public key encryption, all entities will be issued public keys
• The private key is generated via an algorithm based on the public key, and all public keys are stored in a central storage location
• The distribution of public keys and the maintenance of central storage for the public keys establishes the public key infrastructure for ecommerce transactions

Message encryption process (diagram: the user encrypts with the user's private digital signature key; the business decrypts with the user's public digital signature key):

• When the end user wants to send a message, he generates a private key based on his public key
• He encrypts the message using his private digital signature key
• When the business application server receives the transaction, it looks up the end user's public key from the central storage location and decrypts the message with the key
• The business application server can decrypt the message because it has the corresponding public key
Digital signatures

Digitally signing a message (diagram: the end user computes the message hash, X = [(y)*] → 011010111011, and encrypts it with the user's private key to produce the end user signature; the business side holds a Public Key Storage, a Certificate Directory and a Certificate Authority):

• A digital signature is an encrypted message hash
• A message hash is a mathematical formula that is run against a message to create a unique number. This mathematical formula is well known to all participants in a transaction
• When the message hash is encrypted with the user's private key, it becomes a digital signature

Sending a digitally signed message (diagram: the end user sends the user certificate together with the end user signature):

• A certificate is a digital document that binds a public key to an entity. In their simplest form, certificates contain an entity's name and public key
• When signing a message with a digital signature, an entity will also send its certificate containing its identity and public key
• Certificates are issued and maintained by a Certificate Authority (CA). This CA is a secure, trusted entity who will issue certificates to authorized entities only and who will verify that a certificate is valid
V.1.1                                                                                              Solvay Business School                                                            15
Digital signatures/2

Digital Certificate industry standard: name, public key, expiration date, CA name, CA signature, CA signature algorithm identifier, certificate version, and serial number

[Figure: Digital Certificate. A trusted third party, the Certificate Authority (CA), publishes certificates and Certificate Revocation Lists (CRLs) to a certificate repository; sender and recipient obtain certificates and CRLs from that repository through the security services]

• Sender applies to Certificate Authority (CA) as trusted third party*
• CA verifies sender's identity, issues certificate (with public key data) and publishes certificate in repository
• Sender creates and signs message and attaches certificate
• Recipient trusts CA, certificate and contents, including public key**
• Recipient extracts public key to verify sender signature
• Recipient verifies identity and integrity

* In practice the entity that identifies the users is called a Registration Authority
** If the recipient does not trust the CA, they can find a certificate attesting to the identity of the ICA, and possibly construct a chain of certificates terminating at a trusted root CA (Source: Digital Signature Trust; Accenture analysis)
Validating digital signatures

[Figure: Validating a digitally signed message. The business (authentication client, authentication server, application server, web server, firewall, public key storage) receives the end user signature and the user certificate over the Internet and forwards the certificate to the Certificate Authority's certificate directory]

• The business will receive the message and the end user's certificate. However, the business has no way of knowing that the certificate is valid; i.e. that it contains the correct name and public key information
• Therefore the business will send the end user's certificate to the CA

[Figure: Validating a certificate. The Certificate Authority checks the user certificate against its certificate directory and returns the result to the business]

• The CA maintains a directory of authorized entities and their public keys. When the CA receives the end user's certificate, it will confirm or deny the validity of the certificate and send it back to the business
Digital signature – Recent legislation

European directive (December 13, 1999) on digital signatures
Belgian law (October 20, 2000 and July 9, 2001)
    – A signature can consist of a set of electronic data which can be associated to a well-defined person and which certifies the integrity of the content
    – Legally binding character of a digitally signed document
The law targets mainly the digital signatures based on asymmetric cryptography and combined with a digital certificate (PKI)
Legislation defines the role and responsibilities of the Certification Authority
    – Approval
    – Control
The CA role consists of certifying the link between a person and his or her public key
CA liability: a CA which delivers a qualified certificate is liable for any damages caused to anyone who has trusted the certificate
    – In practice, the purpose is to limit carelessness (failure to revoke a certificate in a timely manner…)
Providing non repudiation

[Figure: Providing non repudiation. The business decrypts the message hash with the user's public key, re-computes the message hash from the received message, and checks that the two message hashes match. Shown alongside: the end user signature, the end user PC (Entity Two) holding the private key, and the business components (authentication client, authentication server, application server, web server, firewall, public key storage, certificate directory, Certificate Authority)]

• The business now knows that the certificate contains the correct public key for the end user. The business will then decrypt the message hash using that public key. The business will then rerun the message hash using the known mathematical formula. If the decrypted message hash matches the message hash which the business just created, then it has been verified that the message was sent by the end user, and that the message was not altered during transmission. Therefore non repudiation for the message is provided
Transport/Encrypted connection

TCP/IP (Transmission Control Protocol/Internet Protocol) governs the transport and routing of data over the Internet
The SSL protocol allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection
The SSL protocol addresses the security of the communication channel, while symmetric and asymmetric encryption address security issues related to the data transferred

[Figure: protocol layering. HTTP (application layer) runs over the Secure sockets layer (SSL), which runs over the TCP/IP layer (network layer)]
Data encryption - Isabel illustration

[Figure: Isabel registration flow. The client (payment software + empty microchip + software interface, with a private key known only to the user) is identified by the client's bank, acting as Registration Authority (RA). The Isabel platform (Isabel's network = Belgian banks network), acting as root Certification Authority, has its Certification Authority (CA) deliver a digital certificate that contains the client data and stores the public key (key publicly known). The digital certificate is stored in a directory (public directory, "yellow pages")]

There is a logical (mathematical) relation between the private and the public key
The private key is generated and recorded on the chip
When the PC is started, to use the chipcard, a PIN code must be entered
Data encryption - Isabel illustration/2

[Figure: the user, via the software interface, connects to the Isabel platform (Isabel's network = Belgian banks network), checks his accounts and initiates payments towards the user's banks]

Four characteristics determine the security level of an electronic file:

Authentication: confirming the identity of the parties involved in the transaction
Integrity: confirmation that the content of a message has not been altered
Non-repudiation: the signer cannot deny having signed the message
Encryption: allows the sender to encrypt the messages he wants to send in order to keep their content secret

These characteristics can only be conferred to an electronic file through Certification
Introduction to epayments
Network security principles and concepts
B2C ePayments solutions
B2B ePayments solutions
What do the Belgians buy online and where?

The most frequent goods bought online are books, CDs, software, hardware, event tickets and transport tickets
More than one third of purchases are made on a foreign internet site. This has an impact on the payment methods used

Source: Belgian internet mapping – October 2000

Which tools do the Belgians use to pay for their online purchases?

One order out of two is paid by credit card. Use of edebit cards is limited at this stage
Remittances (e.g. virements) account for a significant share of payments, in particular for domestic purchases

Source: Belgian internet mapping – October 2000
Retail Solutions: eDebit Card

Banxafe is the security label developed by Banksys to guarantee total reliability of bankcard payments over the Internet. This concept has already set a new standard for on-line payment security.

1°) Install your Banxafe terminal
2°) Choose your Banxafe payment system: Bancontact, Mister Cash, Visa, Mastercard
3°) Insert your Bancontact/Mister Cash card in the terminal
4°) Type your secret code twice and confirm the amount of your purchases
Your payment is done!

PKI and digital signature
Security is achieved by a public key authentication applet. This applet is accessed by a banking PIN and generates a digital signature which is checked by a public key infrastructure certificate.
The client uses a private key to sign his payments. Banksys has the corresponding public key and can authenticate the identity of the sender
Banxafe

[Figure: Digitally signing a message / Sending a digitally signed message, as in the generic digital signature slides: the end user PC computes the message hash, encrypts it with the user's private key to obtain the end user signature, and sends it with the user certificate through the firewall to the business (authentication client, authentication server, application server, web server, public key storage, certificate directory, Certificate Authority)]

• An authentication applet will generate a message hash when the user inputs his PIN code
• The payment itself and the message hash are encrypted with a private key. The user certificate is sent with the encrypted transaction
• Certificates are issued and maintained by Banksys (Certificate Authority (CA))
Banxafe

[Figure: Validating a digitally signed message / Validating a certificate, as in the generic digital signature slides: Banksys receives the end user signature and the user certificate and checks the certificate against its certificate directory]

• Banksys will receive the message and the end user's certificate.
• Banksys is the CA and maintains a directory of authorized entities and their public keys. Based on the end user's certificate, it will confirm or deny the validity of the certificate
• Banksys will decrypt the transaction with the corresponding public key
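The signing, certificate validation and non-repudiation steps of the digital signature slides (Digitally signing a message, Validating a certificate, Providing non repudiation) and their Banxafe application, as an added example that is not part of the course slides nor Banksys or Isabel code. It is stdlib-only Python: a tiny textbook RSA on Mersenne primes with no padding stands in for real RSA so it runs offline, and the CA name "Banksys CA", the subject name and the payment text are constructed sample values.

```python
"""Added example, not from the course slides nor Banksys/Isabel code: the sign,
certify, validate and verify steps in stdlib Python. A tiny textbook RSA on
Mersenne primes (no padding) stands in for real RSA so it runs offline; the CA
name, subject name and payment text are constructed sample values."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent; coprime with (p-1)(q-1) for every prime pair used below


def make_keypair(p: int, q: int):
    """Textbook RSA keypair from two primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def message_hash(msg: bytes, n: int) -> int:
    """The 'known mathematical formula' every party can run: SHA-256,
    reduced mod n so it fits the toy modulus (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, private_key) -> int:
    """Encrypt the message hash with the private key: the digital signature."""
    n, d = private_key
    return pow(message_hash(msg, n), d, n)


def verify(msg: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare with a freshly
    recomputed hash of the received message (origin + integrity)."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(msg, n)


@dataclass(frozen=True)
class Certificate:
    """Simplest form of a certificate: an entity name bound to a public key,
    plus the issuing CA's name and the CA's signature over that binding."""
    subject: str
    public_key: tuple
    ca_name: str
    ca_signature: int


def to_be_signed(subject: str, public_key, ca_name: str) -> bytes:
    return f"{subject}|{public_key[0]}|{public_key[1]}|{ca_name}".encode()


def issue_certificate(subject, subject_key, ca_name, ca_private_key) -> Certificate:
    """CA step (after the RA has identified the applicant): sign the binding."""
    return Certificate(subject, subject_key, ca_name,
                       sign(to_be_signed(subject, subject_key, ca_name), ca_private_key))


def validate_certificate(cert: Certificate, trusted_cas: dict) -> bool:
    """'Validating a certificate': only a CA the relying party already trusts may
    vouch for the binding. A certificate signed by anyone else is refused even if
    it names the right subject and claims the right CA."""
    ca_key = trusted_cas.get(cert.ca_name)
    if ca_key is None:
        return False
    return verify(to_be_signed(cert.subject, cert.public_key, cert.ca_name),
                  cert.ca_signature, ca_key)


def accept_payment(msg: bytes, signature: int, cert: Certificate, trusted_cas: dict) -> bool:
    """Receiving side (the business, or Banksys for Banxafe): validate the
    certificate first, then verify the signature with the key taken from it.
    True gives origin, integrity and, via the certified key, non-repudiation."""
    return validate_certificate(cert, trusted_cas) and verify(msg, signature, cert.public_key)


def demo() -> dict:
    """Happy path plus three failure modes; returns accept/reject per case."""
    ca_pub, ca_priv = make_keypair(2**89 - 1, 2**107 - 1)        # the CA (Banksys in Banxafe)
    user_pub, user_priv = make_keypair(2**61 - 1, 2**127 - 1)    # key generated on the user's chip
    trusted_cas = {"Banksys CA": ca_pub}                         # relying party's trust store
    cert = issue_certificate("end-user", user_pub, "Banksys CA", ca_priv)
    payment = b"PAY 120.00 EUR to BE00 0000 0000 0000 ref 0001"  # constructed sample message
    sig = sign(payment, user_priv)
    # A party without the CA key issues itself a certificate carrying the same names.
    rogue_pub, rogue_priv = make_keypair(2**31 - 1, 2**89 - 1)
    rogue_cert = issue_certificate("end-user", rogue_pub, "Banksys CA", rogue_priv)
    renamed = Certificate("end-user", user_pub, "Other CA", cert.ca_signature)
    return {
        "genuine": accept_payment(payment, sig, cert, trusted_cas),
        "amount_altered": accept_payment(payment.replace(b"120.00", b"920.00"), sig, cert, trusted_cas),
        "self_issued_cert": accept_payment(payment, sign(payment, rogue_priv), rogue_cert, trusted_cas),
        "unknown_ca": accept_payment(payment, sig, renamed, trusted_cas),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

Only the "genuine" case is accepted; the altered amount fails the hash comparison, and the two bad certificates fail before the payment signature is even examined.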
                                                                                     Banksys overview
 Technologies de l’information et de
        La communication



Key facts and figures per business line

• Founded in 1989 as a merger of Bancontact and Mister Cash
• Consortium owned by 58 banks (Belgian or with subsidiary in Belgium)
• Provider of integrated card-system to banking industry, traders, self-employed persons and card holders:
   – Networking: managing Banknet, private IP network, with 25 mio transactions monthly
   – Equipment: design, installation and maintenance of terminals Bancontact/Mister Cash, Proton (76.000)
   – Customer services and support for Visa cards, due to take-over of activities (except sales) of Bank Card Company in 1999
• Banknet accounts for international presence:
   – STEP, managing ATM-ETP activities in different European countries
   – Proton as the international standard of rechargeable wallets (34,5 mio cards in 24 countries)
   – Terminal and card applications (C-Zam/Smash, solution for e-commerce)
   – Banxafe as ultra secure payment solution for credit card payment over Internet
• 6 accountable units since 1999:
   – Customer services and support
   – Networking
   – Field service
   – Operations
   – Terminals and card applications
   – Card transactions

Evolution of Ratios

Chart: profit margin, return on assets, shareholders return and return on capital for 98, 99 and 00

• Net sales: € 211 mio
• Operating Income: 24 mio
• Net profit (after tax): € 13 mio
• Employees: 1008

Source : Annual report Banksys and Dun & Bradstreet

                                                                  Internet Banking security


• Most common security configuration
   – Use of SSL for transport security
   – Use of digital signatures (via Digipass or a C-ZAM/PC terminal)

• The Digipass looks like a “calculator”, but is a small electronic device which generates a digital signature. This signature allows the user to present himself to PC Banking, to “sign” the operations, … The Digipass is connected to the PC

• The C-ZAM/PC terminal is a small device provided with a keyboard and connected to the PC. To log in or sign operations in PC Banking, the user must insert his bankcard in the terminal, and then type his usual secret code. Encryption of transaction




Use of mPayments


                                       FACT: Customers will start using mobile devices to make payments


PKI and digital signature
Security is achieved by a public key authentication applet embedded in the SIM card. This applet is accessed with a PIN and generates a digital signature which is checked against a public key infrastructure certificate. The client uses a private key to sign his payments. The telco or a company like Banksys could hold the corresponding public key and could authenticate the identity of the sender.
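The verification flow this slide and the Banxafe slide describe (a CA directory of authorized entities and their public keys, a certificate confirmed or denied, a payment signed with the client’s private key and checked with the corresponding public key), as an added example in Go; it is not course or Banksys code. Ed25519 from Go’s standard library stands in for whatever algorithm the SIM applet uses; the directory, certificate fields, payment layout, identifiers and dates are constructed, and the replay check via a nonce is an addition beyond the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Payment is what the client signs (constructed layout; the slides do not give the real format).
type Payment struct {
	PayerID  string `json:"payer"`
	AmountCt int64  `json:"amount_cents"`
	Nonce    string `json:"nonce"` // unique per payment, so a captured signature cannot be replayed
}

// Certificate is a simplified directory entry: entity, public key and validity window.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// Directory plays the CA role from the slides: authorized entities, their public keys, revocations.
type Directory struct {
	certs   map[string]Certificate
	revoked map[string]bool
}
func (d *Directory) Revoke(subject string) { d.revoked[subject] = true }
// Lookup confirms or denies the validity of an entity's certificate.
func (d *Directory) Lookup(subject string, now time.Time) (Certificate, error) {
	c, ok := d.certs[subject]
	if !ok || d.revoked[subject] {
		return Certificate{}, errors.New("unknown or revoked entity")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return Certificate{}, errors.New("certificate outside its validity period")
	}
	return c, nil
}
// SignPayment is the client side: the private key (in the PIN-protected SIM applet) signs the payment.
func SignPayment(priv ed25519.PrivateKey, p Payment) (msg, sig []byte, err error) {
	if msg, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// VerifyPayment is the telco / Banksys side: fetch the payer's certificate, confirm it is
// valid, then check the signature with its public key. The nonce check goes beyond the slides.
func VerifyPayment(d *Directory, msg, sig []byte, now time.Time, seen map[string]bool) (Payment, error) {
	var p Payment
	if err := json.Unmarshal(msg, &p); err != nil {
		return p, err
	}
	cert, err := d.Lookup(p.PayerID, now)
	if err != nil {
		return p, errors.New("certificate check failed: " + err.Error())
	}
	if !ed25519.Verify(cert.PublicKey, msg, sig) {
		return p, errors.New("signature does not verify")
	}
	if seen[p.Nonce] {
		return p, errors.New("replayed payment")
	}
	seen[p.Nonce] = true
	return p, nil
}

// Scenario runs the flow on constructed data and reports whether each check behaved as expected.
func Scenario() (map[string]bool, error) {
	now := time.Date(2001, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cert := Certificate{Subject: "user-0001", PublicKey: pub, NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(1, 0, 0)}
	dir := &Directory{certs: map[string]Certificate{cert.Subject: cert}, revoked: map[string]bool{}}
	seen, out := map[string]bool{}, map[string]bool{}
	check := func(name string, msg, sig []byte, at time.Time, wantOK bool) {
		_, err := VerifyPayment(dir, msg, sig, at, seen)
		out[name] = (err == nil) == wantOK
	}
	pay := Payment{PayerID: "user-0001", AmountCt: 1999, Nonce: "n-1"}
	msg, sig, _ := SignPayment(priv, pay)
	check("genuine accepted", msg, sig, now, true)
	tampered := []byte(strings.Replace(string(msg), `"amount_cents":1999`, `"amount_cents":1`, 1))
	check("tampered rejected", tampered, sig, now, false)
	check("replay rejected", msg, sig, now, false) // the genuine message presented a second time
	pay.Nonce = "n-2"
	msg, sig, _ = SignPayment(priv, pay)
	check("expired rejected", msg, sig, now.AddDate(2, 0, 0), false) // presented after NotAfter
	dir.Revoke("user-0001")
	check("revoked rejected", msg, sig, now, false) // same signed payment, after revocation
	return out, nil
}
```

The certificate check runs before the signature check, so a revoked or expired entity is refused even when its signature is mathematically valid.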




New actors emerge in the payments market

Diagram: TelCo – Payment Provider – Bank




                                                       eCash/Deutsche Bank illustration


Virtual wallet
Virtual pre-paid account is credited with credit card or electronic transfer and used for e-commerce/C2C payments. Enormous success of Paypal in the US based on e-mail payment procedure (12 million users. Volume : 200.000 payments/day. Value : 10 MUSD/day)

Diagram of the eCash payment flow:
1. Customer deposits money into an eCash-enabled account. The electronic money is stored in the bank’s system until the customer uploads the money on his personal system or makes a purchase by mobile device
2. Customer can choose from the following payment options:
   – Upload money from bank’s system onto personal system and e-mail eCash to vendor
   – Use a mobile device to transfer eCash to the vendor
3. Vendor needs to have an account with a bank supporting the eCash payment system. This bank will then convert eCash into a regular deposit on vendor’s bank account after it has verified the payer’s eCash account with the DB 24.



• Introduction to epayments
• Network security principles and concepts
• B2C ePayments solutions
• B2B ePayments solutions
                                                                 Payment functionality for a B2B site


• eCommerce applications are often pre-enabled to use a vendor’s payment services application
• The payments services application has links with many payments networks
• Transfer of payments orders from the B2B site via the web or interface

Diagram: the merchant’s off-the-shelf ecommerce applications and custom ecommerce application connect through an interface and the Internet to the payments services vendor site (services: transaction reporting, virtual terminal, merchant configuration, manual capture and settlement), which links to the payment networks SWIFT, Isabel, Clearing House, Mastercard/Eurocard and Banksys, and through them to the seller’s bank and the buyer’s bank
                                                    The B2B eCommerce Value Chain


• The classic sale value chain

   Diagram: Pre-Sale → Sale → Post-Sale

• The eCommerce value chain as an instance of the sale value chain

   Diagram: Context (spanning the whole chain); Content → Pre-Sale → Sale → Post-Sale

• The value chain disaggregates a firm into its strategically relevant activities
• The eCommerce technologies and possibilities for interaction have an impact on the classic sale value chain by enriching it with two new factors of differentiation: content and context.
   – Content:
      • Information presented with text, graphics, sound and video, e.g. a product description in an on-line catalogue
   – Context:
      • The context adapts and presents the content (useful for one-to-one marketing), e.g. a catalogue where the content is customised with respect to a specific customer

                                                                  eCommerce value chain


• These processes illustrate the typical interactions between buyers and sellers in trading relationships
• The processes of the actors interact mutually through the services provided by intermediaries
• eCommerce intermediaries: actors enabling various eCommerce related activities

Diagram: Sellers, Electronic Commerce Intermediaries and Buyers laid over the value chain (Context; Content → Pre-Sale → Sale → Post-Sale), with mandatory and optional interactions marked

Sellers:
- Prepare market presence
- Publish offerings
- Bid in expressed demand
- Respond to standard inquiries
- Process orders
- Confirm order
- Acknowledge cancellation
- Distribute goods
- Issue invoice
- Receive payment
- Provide support

Buyers:
- Investigate offerings
- Publish need
- Evaluate and select offers
- Place order
- Cancel order
- Receive goods or services
- Accept/non-accept goods
- Receive invoice
- Dispute (protest invoice,…)
- Submit payment
- Request support
                                              Specific issues in eCommerce value chain


The transposition of a B2B sales cycle into a fully ‘electronic’ value chain context raises specific issues to be addressed

Diagram: Sellers and Buyers over the value chain (Context; Content → Pre-Sale → Sale → Post-Sale), surrounded by the specific issues:
• Identification and non-repudiation
• Authorizations
• Integrity
• Standardized message exchanges
• Archiving of transactions
• Transaction and payment closure
• Electronic contract enforcement
• Guarantees and financing

                                          The Roles of eCommerce Intermediaries


In an eCommerce market place, a number of (new) intermediaries are assuming several responsibilities:
   – Certification Authority: an entrusted service by one or more entities to create and assign certificates, and to manage the revocation of certificates
   – Registration Authority: reliable services, which have the responsibility of registration and approval of users of certificates on behalf of the Certification Authority
   – Transaction authorisation Authority: when a transaction is sent, the transaction authorisation authority checks if the amount being ordered is under the limit authorised, and makes the commitment to the receiving party
   – Transaction tracing Authority: offers a proof-of-evidence of a particular transaction at an instance in time. Querying services can be provided to the buyer and seller. This can be extended with the association services of linking related transactions
   – Transaction archiving Authority: archives and manages digital documents and other data for long periods of time
   – Notarial Authority: notaries can provide their certification or digital signature to trading or other official documents
   – Transaction translation Authority: facilitates the integration of systems by translating the output data of the sending system into a suitable format for the receiving system
   – Network Services provider: ensures the network management and provides additional services directly related to the infrastructure
   – Navigation Services provider: ensures the ease of navigation on the main areas of the platform
   – Trusted security software provider: designs and implements trusted security solutions based on the platform’s standards


                                                  The Intermediaries of eCommerce




• All these service-provider intermediaries form the middle layer in the model

Diagram: Buyers – Intermediaries – Sellers, where the intermediaries layer contains the Certification Authority, Registration Authority, Transaction Archiving Authority, Trusted security software provider, Navigation Services provider, Transaction Translation Authority, Transaction Authorisation Authority, Transaction Tracing Authority, Notarial Authority and Network Services provider




                                                  International considerations



When virtual communities are created with overlapping trust zones, standards and governance are needed to support the B2B sales cycles

When actors with no previous business relationship are involved in an ‘electronic’ value chain at ‘e-speed’, trading communities are built from scratch and use the power of a virtual network (represented by the 4-corner model)

For this 4-corner model to operate efficiently, there is a need for a community or industry wide convention to agree on standards relating to contracts, financing, delivery,…

Diagram (4-corner model): Seller and its third party (e.g. Seller service provider) in the ‘Trust’ Zone for Seller; Buyer and its third party (e.g. Buyer service provider) in the ‘Trust’ Zone for Buyer

Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following Trust Transaction Services need to be set up (1/2)

Diagram: Seller, Seller Bank, Buyer and Buyer Bank at the four corners, a Trusted Third Party on each side, and in the centre the trust enablement through the Trust Transaction Services: Registration, Identification, Roles and Rules, Transactions, Value-added Services, Transactional Support, Administration
Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following Trust Transaction Services need to be set up (2/2)

Trust enablement through the Trust Transaction Services (same four-corner diagram: Seller, Seller Bank, Buyer, Buyer Bank)

Registration:
   – Enrollment
   – Registration
   – Certification
   – SLA/OLA
   – Revocation

Identification:
   – Authentication
   – Warranty (insurance of identity)

Roles and Rules:
   – Organization and roles
   – Authorization and privileges
   – Policies

Transactions:
   – Selection and execution of transactions
   – Fulfilment of order process
   – Settlement of payment

Value-Added Services:
   – Reputation services (e.g. creditworthiness)
   – Financing
   – Warranty/insurance of settlement, quality, timely delivery, etc
   – Notary services

Transactional Support:
   – Standards and protocols
   – Integrity and non-repudiation
   – Privacy and confidentiality
   – Integrity
   – Compliance auditing

Administration:
   – Trusted archiving and logging
   – Dispute resolution
   – Monitoring, measurement and management
Traditional economic actors and new entrants are starting to provide fragmented and piece-wise Trust Transactions Services (1/2)

Financial institutions:
• Registration and identification (strong security level)
• Transactions – Settlement of payment
• Value-Added Services – Reputation services (off-line)
• Value-Added Services – Financing (off-line)
• Privacy and confidentiality

Marketplaces:
• Registration and identification (low security level)
• Roles and Rules
• Transactions – Bid/Order/Buy/Sell
• Transactions – Settlement of payment
• Transactional support – Standards and protocols

Secured Infrastructure Providers:
• Registration and identification
• Value-Added Services – Warranty/insurance
• Value-Added Services – Notary services
• Transactional support – Integrity and non-repudiation
• Administration

Standardization bodies:
• Transactional support – Standards and protocols
• Transactional support – Compliance auditing
• Roles and Rules - Policies

Diagram: the four-corner Trust Transaction Services model (Seller, Seller Bank, Buyer, Buyer Bank, Trusted Third Parties; Registration, Identification, Roles and Rules, Transactions, Value-added Services, Transactional Support, Administration), with each actor type placed against the services it provides
                     Traditional economic actors and new entrants are starting to
                     provide fragmented and piece-wise Trust Transactions Services (2/2)

Financial institutions:
• Registration and identification
        – Corporate customers of Belgian banks with Isabel
        – ABN-AMRO, Deutsche Bank and Allianz (via HypoVereinsbank) started using Identrus-based
          certificates to secure new applications
• Transactions
        – Barclays B2B.com, the UK's first purchase-to-payment portal to cover the entire B2B trading chain
        – Dresdner Bank, Europe's first transactional financial portal to offer corporates online banking,
          risk management and transaction services

Marketplaces:
• 'Industry-centered' (industry consortia or independent) or 'company-centered'
• Focus on seamless procurement and supply chain integration

Secured Infrastructure Providers:
• S.W.I.F.T. with TrustAct is a secured Internet-based messaging service with non-repudiation and
  identification based on Identrus certificates
• Isabel provides proprietary certificates and a secured messaging service to all corporate customers
  of the Belgian banks (more than 45,000 companies)
• Government sponsored bodies such as the Spanish Mint provide all citizens with a digital certificate
  and signature

Standardization bodies:
• S.W.I.F.T. with Bolero have released 65 XML document definitions as used in international trade
  (e.g. commercial, documentary credit, customs) to be transported through the secured
  S.W.I.F.T./TrustAct infrastructure
• Identrus has defined an industry standard for digital certificates, a payment initiation application
  and a contractual framework that regulates their usage
• E.U. passed a directive on 19 January 2000 making digital signatures equivalent to paper based
  signatures
                                            Identrus

System-wide roles & responsibilities

[Figure: the Identrus trust tree. At the top, the Identrus Root Certificate Authority (CA) operates
the Root CA, an OCSP Responder & Repository, a Risk Management Module and a Transaction Coordinator,
and defines the Contracts & Procedures. The Online Certification Service Provider checks the banks'
certificates and acts as the "yellow page" directory. Below the root, the Issuing Participant (the
buyer's bank) and the Relying Participant (the seller's bank) each run their own Certificate
Authority, OCSP Responder & Repository, Risk Management Module and Transaction Coordinator. At the
bottom, the Subscribing Customer (the Purchasing Manager, who is the Certificate Holder, using a
Client App) conducts Business to Business Interactions with the Relying Customer (the Seller, who is
the Relying Party, using a Client App).]
                                            Identrus

• Identrus was created in April '99. It acts as Root Certification Authority (CA) amongst the different public key
  infrastructures (PKI) of the banks set up across the world, ensuring their inter-operability.
• Identrus uses the "four-corner" model among the Buyer, the Seller, and their respective banks to allow these
  banks to provide trusted eCommerce services:
    • Payments, Warranty of identity and of settlement, Letters of credit, Commercial paper, Credits,
      Creditworthiness, Secure Mail and intermediation, …
• Identrus and Swift have recently announced an alliance whereby Swift will operate a trusted and value added
  network for B2B exchanges based on the Identrus model and trust tree
• A number of the original Identrus founding banks are working on the Eleanor project, jointly defining new
  global standards for B2B ePayments and market place facilities

Figure 1 – the four-corner model: the Identrus Root CA certifies the Buyer's Identrus Bank and the Seller's
Identrus Bank; the Buyer and the Seller conduct B2B Commerce, with the payment flows ($) shown between the
corners.

Its 30 to 40 shareholder banks include:
ABN Amro, ANZ Banking Group, Bank of America, Barclays Bank, BNP Paribas, BSCH, CIBC, Chase Manhattan Bank,
Citigroup, Crédit Agricole de France, Commerzbank, Deutsche Bank, Dresdner Bank, HSBC Group, HypoVereinsbank,
Industrial Bank of Japan (IBJ), NatWest Group - RB of Scotland, Sanwa Bank, Scotiabank, Société Générale,
Wells Fargo
                                            TrustAct - SWIFT

SWIFT and Identrus™ LLC have entered into an alliance to offer a joint solution to facilitate business-to-
business (B2B) trusted communication, based on Identrus' identity trust services and SWIFT's messaging
capability.

How the service works
Two businesses have subscribed to the e-trust service from their respective financial institutions. Using
TrustAct, the businesses can validate their trading partners' certificates and have complete assurance of the
identity of the other trading party.

1.  The buyer browses the seller's catalogue.
2.  The seller wants identity assurance and requests the buyer to forward a signed commercial document to
    TrustAct together with a certificate from the buyer's financial institution.
3.  TrustAct performs a basic validation of the certificate and requests the respective financial institutions
    to validate the identity of their business. TrustAct also checks with Identrus to ensure that both
    institutions are scheme members.
4.  TrustAct relays the assured order to the seller, who now has an order that can be relied upon.
5.  The seller returns a signed receipt to the buyer, via TrustAct, who now has an assured receipt that can be
    relied upon.
6.  TrustAct records and maintains time-stamped records of all messages received by the TrustAct server.
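The Identrus roles slide and the TrustAct flow above describe the same mechanism from two sides: a root CA over the member banks' CAs, and a relying party that checks a customer's signature, the chain to the root through a member bank, and the certificate's revocation status before relying on a document. The following Go program is an added example of that four-corner check, written for this page using only Go's standard x509 library; it is not Identrus, SWIFT or TrustAct code. The names ("Identrus Root CA", "Buyer Bank", "Seller Bank", "Purchasing Manager", "Seller") and the single revocation map standing in for the OCSP Responder & Repository are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Party struct { // one node of the trust tree (root, bank or customer)
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var nextSerial int64 // certificate serials key the OCSP-style revocation repository
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for name, signed by issuer; a nil issuer yields the self-signed root.
func issue(name string, isCA bool, issuer *Party) *Party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	usage := x509.KeyUsageDigitalSignature // customers sign documents, CAs sign certificates
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	parentCert, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parentCert, parentKey = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Party{Cert: cert, Key: key}
}

// Scheme is a constructed stand-in for Identrus plus TrustAct, not their real systems.
type Scheme struct {
	Root    *Party
	Banks   map[string]*Party // member banks by name (the Identrus "yellow page")
	Revoked map[int64]bool    // revoked serials: what the OCSP Responder & Repository answers
}

// NewScheme builds the tree: the root CA, then an issuing and a relying bank CA under it.
func NewScheme() *Scheme {
	s := &Scheme{Banks: map[string]*Party{}, Revoked: map[int64]bool{}}
	s.Root = issue("Identrus Root CA", true, nil)
	for _, name := range []string{"Buyer Bank", "Seller Bank"} { // constructed bank names
		s.Banks[name] = issue(name, true, s.Root)
	}
	return s
}

// Enrol is registration: a member bank's CA issues a signing certificate to its customer.
func (s *Scheme) Enrol(bank, customer string) *Party { return issue(customer, false, s.Banks[bank]) }

// Sign produces a detached ECDSA/SHA-256 signature over a commercial document.
func (p *Party) Sign(doc []byte) []byte {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, h[:])
	must(err)
	return sig
}

// Validate is the relying Transaction Coordinator's check (TrustAct steps 2-3): the signature must
// verify, the chain must reach the Identrus root through a member bank, and the serial must not be revoked.
func (s *Scheme) Validate(cert *x509.Certificate, doc, sig []byte) error {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root.Cert)
	for _, bank := range s.Banks { // only scheme members may sit between a customer and the root
		inter.AddCert(bank.Cert)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("no chain to the root via a member bank: %w", err)
	}
	if s.Revoked[cert.SerialNumber.Int64()] {
		return fmt.Errorf("OCSP status: revoked")
	}
	return nil
}
```

Walking the TrustAct flow with this code: the buyer calls Sign on the order (step 2), TrustAct calls Validate on the buyer's certificate, order and signature (step 3), and after the seller signs the same order as a receipt the buyer calls Validate on the seller's certificate (step 5). Validate rejects a tampered order (the signature no longer matches), a customer of a bank that is not in the member pool (no chain to the root), and a certificate whose serial the repository lists as revoked, which is exactly the set of checks a relying bank needs before an order "can be relied upon".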
                                            SWIFT overview

• Swift (Society for Worldwide Interbank Financial Telecommunication), located in Brussels, is a cooperative
  society owned by 239 member banks and financial institutions (founded in 1974)
• Offices in 25 locations worldwide
• Employees: 1,800 (of which 1,000 in Belgium)
• Geographic spread: Europe accounts for 2/3rd of revenues
    • US #1
    • UK #2
    • Germany #3
    • France #4
    • Belgium #5

Businesses include
• Financial messaging
    • Payments
    • Securities
    • Treasury
    • Trade finance
• E services
    • TrustAct (Identrus)

Swift statistics YTD 08 2001

Traffic
  # messages YTD 08 2001      987,617,134
  # messages 2000             1,274,000,000
  Message growth YTD          16,42%
  Average daily traffic       5,868,194

FIN Availability
  FIN Systems                 100%
  Transport network           99.995%
  Overall service             99.995%

Customer base
  Live countries              193
  Live members                2,268
  Live sub members            3,054
  Live participants           1,901
  Total live users            7,223