Implementing Electronic Card Payment Systems (Artech House Computer Security Series)

8.1 A model for remote card payments

Section 2.2 presented a model for the payment card processing in face-to-face transactions. In this section we present a possible extension of this model for supporting payment card processing in remote transactions. An overview of this model is presented in Figure 8.1.

Figure 8.1: Payment card processing in remote transactions.

The model aims at offering a unified framework of the payment card processing in remote transactions, both for the e-commerce and the m-commerce scenarios. In both cases, the interaction between the card-holder and the merchant is carried out on open networks.

This interaction can be divided in two logical phases: the browsing/ordering phase and the payment phase. The two phases can be carried out using the same channel in the same open network, using different channels in the same open network, or using different channels in different open networks.

Browsing/ordering phase For decades, distance selling has been a wellestablished commercial practice. Instead of physically visiting the shops , the consumer browses the commercial offer using some conventional channels provided by merchants , like printed catalogs or specialized television broadcast stations . After the consumer makes his or her choice, merchants provide the consumer with the facility of ordering the goods and services through mail order and/or telephone order (MO/TO). The merchant's operator dispatches the order received from the consumer and delivers the purchase to the address indicated in the order.

• E-commerce is a case of distance selling, where the browsing/ordering phase is carried out on an Internet channel. In the remainder of the book we assume only TCP/IP channels over the Internet.

• M-commerce is a case of distance selling, where the browsing/ordering phase is carried out on a wireless application protocol (WAP) channel over the GSM network (see Appendix G, Sections G.1 and G.2, for terminology).

Payment phase In the payment phase, one can distinguish between:

• Payments carried out on conventional channels like those that were used in distance selling for MO/TO;

• Payments carried out on channels established over open networks.

At present, a considerable number of payment methods for e-commerce orders are still carried out outside any open network channel. The payment phase is completed in a session subsequent to the browsing/ordering phase, using a conventional channel. Checks and direct money transfers, or cash at delivery, which were used for MO/TO, are still widely used for paying in a domestic e-commerce environment. These methods provide the consumer with a considerable level of control regarding the whole transaction process [2], which can explain their use in the e-commerce framework. While these payment methods can be used for tangible goods, they are totally inappropriate for digital goods and services. These payment methods are not studied in this book.

For the scope of this book, we are only interested in remote card payments. The payment card data is conveyed between the cardholder and the merchant using an open network channel. This channel can be:

• A TCP/IP channel over the Internet;

• A WAP channel over the GSM network (see Appendix G, Section G.2, for explanations on WAP and PP-SMS);

• A PP-SMS channel over the GSM network.

There are various types of cardholder access devices (for details see Appendix G, Section G.3):

• Unique Internet channel device (channel 1 only): Both the browsing/ordering and the payment phases are carried out on a TCP/IP channel (channel 1) in one single session.

• Unique WAP channel device (channel 2 only): Both the browsing/ordering and the payment phases are carried out on a WAP channel (channel 2) in one single session.

• Dual Internet channel device (channel 1 and channel 1bis): The browsing/ordering phase (channel 1) and the payment phase (channel 1bis) are carried out on different TCP/IP channels, in different sessions.

• Dual channel/dual network device (channel 1 and channel 3): The browsing/ordering phase is completed on a TCP/IP channel (channel 1), while the payment phase is carried out on a PP-SMS channel (channel 3), in different sessions.

• Dual mobile channel device (channel 2 and channel 3): The browsing/ordering phase is completed on a WAP channel (channel 2), while the payment phase is carried out on a PP-SMS channel (channel 3), in different sessions.