Security Issues In Online Payment Mechanism- Internet Banking, E-Payment & Mobile Payments (PayTM, Google Pay, UPI, etc.)



In the past decade, methods of effecting banking and other financial transactions via the Internet throughout the globe have quickly become more and more sophisticated.

This blog post will examine the implications of this trend towards conducting financial transactions electronically. Its focus is not on legal theories but on the interesting and novel practical security issues that arise in the implementation of new electronic payment systems, whether already prevalent or appearing on the horizon.

Consumers have generally been willing to adopt these new electronic systems because they have confidence in the financial system in general and in electronic operations in particular. The traditional, trusted and convenient means of effecting payments still have a strong attraction to consumers, who therefore change their economic behaviour slowly because of their emotional relationship to money and the payment mechanisms they trust.

This post specifically discusses online transactions from the consumer’s point of view and concentrates on how the particular characteristics of the new electronic payment systems (contrasted with the “traditional systems”) affect the consideration of two issues: information security, and the efforts involved in maintaining security in an online payment mechanism.

1. INTRODUCTION

Online banking has grown rapidly on today's computer technology, providing an option for online payment that bypasses time-consuming traditional banking so that finances can be managed more quickly and efficiently. However, online banking security has become one of the most important concerns of the banks.

Banking fraud is the main reason why people or potential customers tend to avoid online banking, as they perceive it as being too vulnerable to fraud. A detailed study of the various security issues helps identify the vulnerable areas of the online payment mechanism and develop an approach to tackling the problems that arise there. The improvements required in present online payment mechanisms are also a core area of this study, as are the precautions that the parties involved in an online transaction need to take.

Security tokens are also becoming more popular and are far more secure than any other method, as they provide a second authentication factor. Some banks offer enhanced security using digital certificates, which authenticate the transaction by linking the user to a physical device such as a computer. Most banks use one or more of the above in combination to enhance their security features.

It is very important to understand that the security measures employed by most banks can never make online banking completely safe and secure. Further, online banking becomes less secure if users are careless or computer illiterate. An increasingly popular criminal practice for gaining access to a user's finances is phishing, whereby the user is in some way persuaded to hand over their password(s) to a fraudster.

2. OBJECTIVES OF THIS BLOG POST

The main role of a Payment System is to provide a way of transferring value between different parties in the economy. As such, it determines partly economic transaction costs. Its design will be optimal if organized to allow quick and effective value transfers while imposing a minimum of additional costs and risks. High costs of the payment process may seriously affect economic activity in that transactions are rendered too expensive and, as a consequence, reduced. Conversely, lower costs through efficient payment systems could have a positive impact on economic growth.

The use of any payment system involves direct and indirect costs. Direct costs are the fees charged by financial payment service providers. Indirect costs include those related to the complexity of transaction processes, speed of transactions, risk and uncertainty, and opportunity costs for the buyers and sellers involved. The modalities of the payment system also affect the cost structure as they determine the financial loss to both parties in case either one of them defaults on the terms of the contract.

For the reasons described above, online payment services involve a complex set of practical and analytical challenges. These include the technological capabilities of service providers, commercial relationships, issues of regulation and law (buyer and seller protection), security considerations including identification issues, such as authentication and verification, and co-ordination among a variety of parties with different and sometimes competing interests. This blog post analyses the development of online payments and evidence on their use across different countries. The blog post identifies impediments to growth and emerging security issues related to further developments and structure of online payments.

3. CORE AREAS OF DISCUSSION

This blog post discusses various modes of online payment that are used to purchase items on the Internet or to transfer funds from one bank account to the other.

The main focus is on online payment means (such as credit card, debit card, online banking and e-money), and these are set in the context of traditional payment options as many on-line payment systems are extensions of off-line systems. Mobile payments, defined as payments using wireless devices such as mobile phones and personal digital assistants (PDAs), wireless tablets and mobile computers, are also examined.

The blog post concentrates on Business-To-Consumer Online Payments rather than on Business-To-Business (B2B) Financial Transactions. With the success of online auctions person-to-person markets have gained in importance and are also considered. Further, the security related mechanism and different modes of secure online payments will be discussed in a comparative manner.

3.1 ELECTRONIC PAYMENT AND ONLINE ELECTRONIC PAYMENT

An Online Electronic Payment, also known as Electronic Currency, broadly speaking, refers to a transaction in the online exchange of funds. Electronic Payment System is the basis for online payments, and Online Payments System development is a higher form of electronic payment.

3.2 COMMON ONLINE ELECTRONIC PAYMENT SYSTEM

In online shopping, the online electronic payment function is the key issue: to give consumers a fast and convenient experience, the safety and secrecy of the parties to a transaction must be ensured, which requires a complete electronic trading system. Currently, a wide range of systems has been developed for online payments. They divide into Account-Based and Electronic Currency Systems.

Account-Based Systems allow payment via an existing personalized account (usually a bank account), whereas Electronic Currency Systems allow payment simply if the payer has an appropriate amount of electronic currency.

Account-Based Systems of five different forms are described: (I) CREDIT CARDS, (II) DEBIT CARDS, (III) MEDIATING SYSTEMS, (IV) MOBILE PAYMENT AND TELEPHONY ACCOUNT SYSTEMS, & (V) PAYMENTS VIA ONLINE BANKING.

Electronic Currency Systems can be divided into:

(I) SMART CARD SYSTEMS and (II) ONLINE CASH SYSTEMS.

Selected characteristics of Online Payment Systems

  1. Applicability
  2. Ease to obtain
  3. Reliability/ease of use
  4. Cost 
  5. Security
  6. Liability
  7. Anonymity

 

Figure. Classification of Online Payment Systems


3.2.1 Account-Based Systems

1) CREDIT CARDS

Credit cards are widely used to make online payments. Initially there was relatively little adaptation of credit cards to online payments apart from additional security codes, but new, more secure features have since been added to protect transactions. A major difference between online and offline payments is that in online purchases the physical card is not presented and the merchant does not obtain a signed, or similar, confirmation from the customer. Also, whereas all offline transactions are authorized, this is not the case for all online purchases (especially with small businesses), although authentication and verification technologies have increased the ability to authorize transactions accurately.

Security and related Issues

Since credit cards were not specifically designed as online payment systems, there are inherent risks associated with their use as such. Cardholder authentication has usually been handled through the provision of name, credit card number and expiration dates without further authentication. In giving this information the online customer provides the merchant with information that could be used by others for online purchase if intercepted. Hence this information needs to be secured during transmission and on the receiving server. Moreover, an important share of online sellers store credit card information. To the extent that they keep financial data on their servers, additional requirements for secure Web site information storage arise to prevent misuse of financial information.

To prevent interception during the transmission of credit card information, the Secure Sockets Layer (SSL) protocol, which is widely used for a variety of security applications, is commonly employed. SSL also allows verification of the merchant's identity via the SSL server certificate.

Enhancing Security

Credit card companies have taken numerous steps to address security concerns, and a number of complementary systems have been developed. Some such as SET have not had a wide take-up, and currently the most important systems are one-off credit card numbers, MasterCard SecureCode and Verified by Visa.

The latter two protect an existing credit card with a password created by the user, assuring the user that only they can use their credit card when shopping online. The idea is to progressively have these more secure payments substitute simple credit card payments.

Verified by Visa is a system that, for each transaction, connects the card owner directly with the bank using a personal password, while a personal message verifies that the connection is genuinely with the bank. This double authentication increases payment security. Enrolment for customers at their bank is relatively easy.

Another important characteristic of the system is its payment guarantee. The higher frequency of payment cancellation in online payments often represents a significant cost to merchants. With Verified by Visa the entire cost is borne by the credit card company, addressing merchant concerns over accepting credit cards. But at the same time, limitations on charge-backs mean that consumers face less favourable conditions under this system than with simple credit card payments, and lower costs for merchants are balanced against less flexibility for customers.

MasterCard’s SecureCode provides a similar service to add protection against unauthorised online use of credit cards. Once the user has registered and created a private SecureCode, they are automatically prompted by the financial institution to provide the personal SecureCode in order to purchase online. The merchant will not receive information concerning the code.

2) DEBIT CARDS

Debit card payments are directly withdrawn from the bank account and not from an intermediary account in contrast to credit cards. This can make it difficult for consumers to handle a dispute/chargeback, since there is typically no extra protection of the funds in a debit account. Once the funds have been withdrawn, they are harder to refund than with a credit card. Also, for debit payments a physical card and/or providing a card number is often not necessary; an account number may be enough. Apart from these differences, the payment mechanism is comparable with credit card transactions.

Debit cards have a significant user spread, which in most countries is higher than the number of credit card users depending on financial regulation and conditions attached to credit card issuance. However, debit card payment is generally not as widespread on merchant Web sites as credit card payment. Furthermore, as this is an account-based payment card, it does not usually allow for anonymous payments.

3) MEDIATING SERVICES

These mechanisms employ traditional payment means and add a further layer to it. To be able to use the service, it is necessary to register providing credit card or bank account details as the source of payments. A very successful mediating service for online transactions, beginning in the United States, is the PayPal payment option. To pay, buyers only need to know the seller’s e-mail address, which is verified and linked to a PayPal account. The payment will be debited from the buyer’s personal PayPal account. No further financial information is transmitted to the seller.

Security

Centralized account systems can, in principle, support only limited technical security beyond that of the established payment networks on which they are based, because their advantage over other payment instruments (easy registration procedures) may be lost if stronger security measures (strong authentication) are implemented on top of those networks. In order to enhance security and deal with phishing, identity theft and other criminal activity, providers have planned two-factor authentication at the domain level, i.e. authentication methods that include a hardware token. Whether this makes the payment process more complicated depends on the exact features.

4) MOBILE PAYMENT AND TELEPHONY ACCOUNT SYSTEMS

Mobile payments are payments conducted through wireless devices. They may be used to conduct payments for example via a bank account or via the telephone bill.

Mobile Banking: GSM/SMS systems are used for contacting and effecting payments with the bank (m-banking) as alternatives to PC-based systems. A further method is to make use of WAP for e-banking applications. In the Postbank-O2 mobile banking payment Postbank customers are provided with WAP telephones based on pre-paid subscription to access an m-banking application.

Bank-Based Mobile Mediation Services: An example of a mass-market mobile phone payment method is Paybox using GSM phones. Internet transactions and payments to other GSM phones are possible. The client enters the mobile number together with the amount to be paid and confirmation takes place with a personal Paybox PIN. An automatic reply from Paybox acknowledges the payment. The amount is debited from the customer’s bank account.

Unified Payments Interface (UPI) is a payment system in India that brings multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing and merchant payments under one hood. It also caters for “peer to peer” collect requests, which can be scheduled and paid as per requirement and convenience. Each bank provides its own UPI app for the Android, Windows and iOS mobile platforms.

A Mobile Wallet is also a way to carry cash in digital format. You can link your credit or debit card details on the mobile device to the wallet application, or transfer money online into the wallet. Instead of using your physical plastic card to make purchases, you can pay with your smartphone, tablet or smart watch. An individual's account must be linked to the digital wallet in order to load money into it. Most banks have their own e-wallets, as do some private companies, e.g. Paytm, Freecharge, Mobikwik, Oxigen, mRuppee, Airtel Money, Jio Money, SBI Buddy, itz Cash, Citrus Pay, Vodafone M-Pesa, Axis Bank Lime, ICICI Pockets, SpeedPay etc.

Telephony for Payment: There are two different ways in which telephony accounts are used for payment: i) Premium Rate Models and ii) Direct Transfer Models. In the Premium Rate Model the customer pays a higher rate for the service, which is then passed on to the merchant by the telephony operator. Payment occurs by phoning a special number the merchant has installed with an operator, by sending a particular code by SMS, by voice contact, or by dialup to access content on a site and the user is charged by the minute for using the site. The Direct Transfer Model consists of charging the telephony account directly for payment. This is often done by installation of specific software by the operator that offers the payment option. It can be used to debit the consumer’s account to pay another account.

Security: Security characteristics differ across services. As a general aspect for mobile phones, they offer additional possibilities for customer authentication, specifically SIM and PIN. For specialized payment services, security is assured via multiple measures; a personal PIN, the phone number and the mobile phone (i.e. the SIM card) itself are all necessary for payment. Furthermore, the connection between the handset and the base transceiver station (BTS) is encrypted.

5) PAYMENT VIA ONLINE BANKING

Use of e-banking for online payments is not widespread across OECD countries. However, for three EU countries (Finland, Portugal and the Netherlands) online banking payment appears to be important according to its availability on Web sites, and it appears to be growing in availability and use in Northern Europe particularly. E-banking enjoys widespread use in the United States, in particular among early adopters of the Internet and online services.

A number of online payment systems have been developed in Europe, especially where offline bank transfers are already well established. The most common and easiest to use is the online banking transfer, where the account holder is redirected to the bank’s Web site by the merchant site to effect payment. Other options are: i) electronic and mobile banking, which have more advanced features such as scheduled payments, and ii) EBPP (electronic bill presentment and payment), where instead of having to enter all transaction details manually, these are entered automatically from the electronic bill and the payer only authorizes. The EBPP provider (either a bank or a third party) establishes contracts with the organizations whose bills it can present electronically (e.g. utility companies) and will send in the bills the buyer has authorized.

Security: Banks have frequently implemented supplementary security provisions beyond the standard use of a password and PIN. One development is the use of one-off passwords for authentication, which cannot be re-used. E-banking also often applies multiple authentications to improve payment security. The consumer has to provide several confidential pass codes to access a personal account. Compared with alternative hardware systems, these are relatively low cost solutions.
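The one-off password mentioned above is usually generated with the HOTP/TOTP scheme standardized in RFC 4226 and RFC 6238. The following Python block, added here as an illustration and not taken from the page or from any bank's software, implements the algorithm with the standard library and adds the server-side rule that actually makes a code one-off: the verifier records the last time step it accepted and refuses any code for that step or earlier, so a code captured by phishing or shoulder-surfing cannot be replayed even within its 30-second validity. The `OtpVerifier` class and its clock-drift window are assumptions; the secret used in the usage example is the RFC 4226/6238 test secret.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(at) // step, digits)


class OtpVerifier:
    """Server side of a one-off password check (hypothetical class, for illustration).

    Beyond matching the code, the verifier remembers the highest time step it has
    accepted and never accepts that step again, which is what makes the password
    single-use even though the same six digits stay valid for a whole time step.
    """

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self._secret = secret
        self._step = step
        self._drift = drift           # time steps of clock skew tolerated either side
        self.last_accepted = -1       # highest counter already consumed

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self._step
        for c in range(counter - self._drift, counter + self._drift + 1):
            if c <= self.last_accepted:
                continue              # replay of an already consumed step: never accepted
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.last_accepted = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    verifier = OtpVerifier(secret)
    code = totp(secret, 59)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:   ", verifier.verify(code, now=61))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that timing does not leak how many digits matched, and `last_accepted` must live in shared server-side state (a database row per user), otherwise a second application server would happily accept the replay.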

The online payment option may be integrated into the shopping process, but it may also be used to pay after the purchased item has been received. This provides additional security to buyers and its availability may encourage consumers who distrust online shopping to purchase on the Internet.

3.2.2 Electronic Currency Systems

1.    Smart Card Systems

In the early stages of the online payment market, new products such as Cybercash or DigiCash were proposed. However, they had little success and most of these instruments have disappeared. Currently, Smart Card-Based Systems are most commonly used to pay small amounts within organizations (e.g. vending or copying machines). They usually rely on specialized hardware and dedicated smartcard readers for authentication.

2. Online Cash Systems

A number of online cash systems designed for online purchases such as Virtual BBVA (Spain) have been implemented, and there are similar payment mechanisms in Italy, Austria and Australia (e.g. PAY offered by SNAP). Online cash systems are software-only electronic money instruments. They usually work via prepaid cards, and arrangements differ although most require merchant subscriptions. Electronic tokens representing a certain value are exchanged in a similar way to cash.

3.3 SECURITY FOR ONLINE PAYMENTS

There are two main systems for transaction security, Secure Sockets Layer and Secure Electronic Transaction:

3.3.1 Secure Sockets Layer (SSL)

SSL is the widely used secure service system and is an important measure to establish trust between online seller and buyer. Encryption and decryption allow secure transfer of information between an Internet browser and server (i.e. between buyer and seller). Data cannot be intercepted or changed during transmission. SSL also permits merchant identification through SSL server certificates.

The SSL standard has been widely adopted because it is relatively simple and easy to use and does not place excessive demands on the average consumer’s home PC, while at the same time reducing major concerns about the public nature of the communication infrastructure. SSL has an over 90% share of security measures, about the same as credit cards among online payment systems.
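In practice the guarantees listed above hold only if the client actually verifies the server's certificate and checks the hostname against it; with verification switched off the connection is still encrypted, but the merchant identification is gone and an interposed server is accepted silently. The Python block below is an added illustration (not code from the page or from any library's documentation) that builds a properly verifying TLS client context next to the weakened one that is often pasted in to silence certificate errors, with a small checker that reports what each configuration gives up. The `context_findings` helper and its wording are assumptions for this example.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate chain and the hostname."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1 outright
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The configuration that makes certificate errors 'go away': any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx: ssl.SSLContext):
    """List the security properties a context fails to provide (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("verifying", make_client_context()), ("weakened", make_weak_context())):
        print(name, context_findings(ctx) or ["ok"])
```

The same three checks are worth applying to any HTTP client library used by a merchant integration: a payment call made with verification disabled has confidentiality against a passive observer but no authenticity at all.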

3.3.2 Secure Electronic Transaction (SET)

SET is an alternative, more complex security system based on digital certificates and signatures. SET needs specific software and is more difficult for cardholders to obtain and use, and despite the high level of security offered it has not gained widespread use.

Provision of Security Information

Governments and businesses have become increasingly aware of the need for a culture of security among all participants to protect national and international systems and networks, because of the ubiquitous nature of the Internet and the potential threats to, and vulnerabilities of, the networked world. The 2002 OECD Guidelines for the Security of Information Systems and Networks are one example of the response to these concerns; they suggest nine principles for participants:

(I) Awareness, (II) Responsibility, (III) Response, (IV) Ethics, (V) Democracy, (VI) Risk Assessment, (VII) Security Design, (VIII) Implementation, (IX) Security Management and Reassessment.

3.4 Systemic Measures to Secure Electronic Payment Systems

Obviously, sophisticated electronic systems and technical procedures exist which can be used to counter each of the threats mentioned above. But from a Legal Perspective, the primary area of concern is not the technical details, but instead the measures taken at a systemic level by financial institutions and other organizations to protect their electronic payment systems. Lawyers look at the security system as a whole in order to understand the framework in which these security measures will be evaluated. Lawyers focus on the fact that, at some point, a third party will examine the merchant or financial institution to determine whether its electronic payment systems are sufficiently secure.

This third party could be a bank regulator conducting a periodic examination, or an independent auditor, or an adverse party in litigation, or an internal investigation conducted by the organization itself. The point is to consider, now, the factors which will be important in that examination, later, and to consider steps the organization should take, now, so that its systems will be in compliance, later. Lawyers cannot wait for a problem to occur in order to attempt to fix it.

3.5 Electronic Payment Systems Require Remote Interaction

The analysis of information security requires an understanding of the underlying characteristics of electronic payment systems which increase their vulnerability to security threats. For example, it is important to understand that remote interaction is crucial to electronic payment systems. At its core, any electronic payment system is based on an ability to query a database of financial information from a distance, and then cause that database to be modified (e.g., by making debit and credit entries) to reflect a transaction. But this remote interaction is also the characteristic which renders electronic payment systems vulnerable to fraud, hacking and other disruptions. This risk is becoming of greater concern as users demand continuous access to their funds and ever faster transaction completion.

3.6 Steps to Information Security Compliance

There are steps that are recommended to secure electronic payment systems, in light of threats to the system. We refer to these steps as “Information Security Compliance.”

Security efforts must be “risk-based,” meaning that the company or financial institution must evaluate the threats to its information assets and concentrate on counteracting those that involve the highest risk of severe adverse consequences.

Security efforts must be continuous. Compliance measures must be periodically tested, reevaluated and modified to maintain their effectiveness.

Security efforts must cover the entire organization. Specific practices and the compliance culture must be overseen by the board of directors and extend to the lowest level of employee with operational responsibility.

Information systems must permit later auditing in order to detect efforts to alter or compromise information.
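One concrete way to make a system auditable in the sense of this point is a tamper-evident log: each entry stores a hash over its own content and the previous entry's hash, so altering or deleting an earlier record breaks every hash after it. The Python block below is an added example (not from the page) that implements such a chain and shows the check an auditor would run; the `AuditLog` class and the sample records are constructed for the illustration. The chain alone cannot detect removal of the newest entries, which is why the latest hash must also be kept somewhere the system itself cannot rewrite; the example's `expected_head` argument stands in for that escrowed value.

```python
import hashlib
import json

GENESIS = "0" * 64   # the "previous hash" of the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to the entry before it (hypothetical class)."""

    def __init__(self):
        self.entries = []   # each item: {"record": dict, "hash": str}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"record": record, "hash": h})
        return h   # the caller should escrow the newest hash outside this system

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: str = None):
        """Return None if the log is intact, otherwise the index of the first bad entry.

        An index equal to len(entries) means the chain is internally consistent but
        does not end at the escrowed head: entries were removed from (or added to) the end.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry_hash(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


if __name__ == "__main__":
    log = AuditLog()
    # constructed sample records
    log.append({"ts": "2020-04-01T10:00:00Z", "op": "debit", "acct": "A1", "amount": 100})
    escrowed = log.append({"ts": "2020-04-01T10:00:01Z", "op": "credit", "acct": "B2", "amount": 100})
    print("intact:", log.verify(escrowed))
    log.entries[0]["record"]["amount"] = 1   # someone edits an old record in place
    print("first bad entry after tampering:", log.verify(escrowed))
```

Real deployments put the escrowed head under the control of a different party (an auditor, a write-once store, or a signed timestamp) so that whoever can edit the log cannot also re-sign its tail.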

Third-party service providers must be held to the same high standards. Many information systems tasks are subcontracted (or “outsourced”) to third-party service providers which are able to perform these services more efficiently.

 

3.7 Balancing Difficulties Arising in Electronic Payment systems

There are benefits and detriments in electronic payment systems in terms of the risk of money laundering and illegal activities. While it is true that electronic transactions can be effected more rapidly and from remote locations, it is also easier to maintain automatic records of such transactions or to put in place automated blockages of certain transactions. Similarly, while it is nearly impossible to verify the identity of someone who initiates a transaction remotely by electronic means, we must bear in mind that identity verification, in itself, raises a number of conceptual difficulties. 

CONCLUDING REMARKS:

This Blog Post has made an in-depth analysis of the recent development of Online Payment Systems for e-commerce, covering different payment mechanisms, the extent to which these different systems are used and the implications of industry characteristics and network effects. It discusses drivers and impediments to the uptake of payment systems and identifies some policy issues for further examination.

As there are many secure online payment sites available in the market, it is felt that this study will help in understanding the risks associated with both the client side and the service provider side, and give an idea of how to address the issues arising in online payment methodology. This blog post will also benefit e-customers and online businesses by clarifying the influence of knowledge on users’ level of trust. In addition to knowledge, this study discusses the safety features which should be incorporated in online shopping to make it a preferred and convenient choice for customers.

Written By- Sameer 
