Payment Systems and Security Richard Warner


Page 1: Payment Systems and Security

Payment Systems and Security

Richard Warner

Page 2: Payment Systems and Security

The Internet and Financial System

The financial system is increasingly dependent on the Internet for communication and data transfer. Hence, attacks on the Internet can affect the financial system.

All sorts of entities, not just financial institutions, transfer money electronically. Traditional reporting points may be circumvented, making regulation more difficult.

Page 3: Payment Systems and Security

Issues Discussed

The credit card system
Credit card fraud
Electronic transfers by entities not traditionally regarded as financial institutions

Page 4: Payment Systems and Security

The Credit Card System

Currently, the main form of payment in business-to-consumer transactions in e-commerce is by credit card.

A picture of the credit card system is essential background for our issues.

Page 5: Payment Systems and Security

The Basic Credit Card Transaction

(Diagram. The parties and message labels below are the slide's own; the ordering is the standard four-party flow the diagram depicts.)

Parties: card holder, merchant, merchant bank, national switch, issuing bank.

Card holder to merchant: purchase / CC #
Merchant to merchant bank, through the national switch, to issuing bank: authorization request
Issuing bank back through the national switch and merchant bank to merchant: authorization
Merchant to merchant bank to issuing bank: record of charge
Issuing bank to merchant bank to merchant: payment
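The flow on this slide, worked as a small simulation. This is an added example, not material from the lecture: the party names and message labels are the slide's, while the Go types, the `RunPurchase` and `PartiesSeeingPAN` functions, the `issuerApproves` callback and the test card number are this example's own assumptions. The point it adds for a security engineer is bookkeeping of which hops carry the full card number (PAN), since every party on such a hop is one that must protect it.

```go
package main

import (
	"fmt"
	"strings"
)

// Party names are the slide's; the message structures and the PAN-exposure
// bookkeeping are this example's own assumptions, not a real network protocol.
type Party string

const (
	CardHolder   Party = "card holder"
	Merchant     Party = "merchant"
	MerchantBank Party = "merchant bank"
	Switch       Party = "national switch"
	IssuingBank  Party = "issuing bank"
)

// Message is one hop of the flow. CarriesPAN records whether the full card
// number travels on that hop, which is what decides where storage and
// transport controls must apply.
type Message struct {
	From, To   Party
	Label      string
	CarriesPAN bool
}

// Transaction is a constructed purchase; the PAN used below is a made-up test value.
type Transaction struct {
	PAN      string
	AmountUS float64
}

// RunPurchase walks the diagram: purchase / CC # -> authorization request
// (routed through the switch) -> authorization -> record of charge -> payment.
// It returns the hop list and whether the issuer approved.
func RunPurchase(tx Transaction, issuerApproves func(Transaction) bool) ([]Message, bool) {
	var trace []Message
	hop := func(from, to Party, label string, pan bool) {
		trace = append(trace, Message{From: from, To: to, Label: label, CarriesPAN: pan})
	}

	hop(CardHolder, Merchant, "purchase / CC #", true)
	hop(Merchant, MerchantBank, "authorization request", true)
	hop(MerchantBank, Switch, "authorization request", true)
	hop(Switch, IssuingBank, "authorization request", true)

	ok := issuerApproves(tx)
	hop(IssuingBank, Switch, "authorization", false)
	hop(Switch, MerchantBank, "authorization", false)
	hop(MerchantBank, Merchant, "authorization", false)
	if !ok {
		return trace, false // declined: no settlement messages follow
	}

	// Settlement: the record of charge goes up to the issuer, payment comes back down.
	hop(Merchant, MerchantBank, "record of charge", true)
	hop(MerchantBank, IssuingBank, "record of charge", true)
	hop(IssuingBank, MerchantBank, "payment", false)
	hop(MerchantBank, Merchant, "payment", false)
	return trace, true
}

// PartiesSeeingPAN lists every party that handles the full card number at
// least once in a trace; each is in scope for the controls discussed later.
func PartiesSeeingPAN(trace []Message) []Party {
	seen := map[Party]bool{}
	var out []Party
	for _, m := range trace {
		if !m.CarriesPAN {
			continue
		}
		for _, p := range []Party{m.From, m.To} {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	return out
}

func main() {
	tx := Transaction{PAN: "4111111111111111", AmountUS: 42.50} // constructed test PAN
	trace, approved := RunPurchase(tx, func(t Transaction) bool { return t.AmountUS < 1000 })
	for _, m := range trace {
		fmt.Printf("%-15s -> %-15s %-22s pan=%v\n", m.From, m.To, m.Label, m.CarriesPAN)
	}
	var names []string
	for _, p := range PartiesSeeingPAN(trace) {
		names = append(names, string(p))
	}
	fmt.Println("approved:", approved, "| parties handling the PAN:", strings.Join(names, ", "))
}
```

Running it prints the eleven hops of an approved purchase; a declined purchase stops after the authorization response, so no record of charge or payment is ever sent.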

Page 6: Payment Systems and Security

Advantages

One key advantage of the credit card system is its charge-back procedures for dispute resolution.

This provides effective, efficient dispute resolution for participants in the credit card system.

Alternatives to the credit card system will need some dispute resolution procedures.

Page 7: Payment Systems and Security

Advantages

The legal framework that regulates credit card transactions:
is well understood;
provides good consumer protection;
facilitates the worldwide use of credit cards.

Page 8: Payment Systems and Security

The legal framework

EFTA and Regulation E
State EFTAs
Uniform Commercial Code
Regulation CC, promulgated under the Expedited Funds Availability Act; NACHA operating rules; and Regulation J
Truth in Lending Act
Fair Credit Reporting Act
Equal Credit Opportunity Act, as implemented in Regulation B

Page 9: Payment Systems and Security

Electronic Fund Transfer Act and Regulation E

Passed in 1978 to provide a basic framework for consumer protection in EFT systems

To whom does it apply? To any “financial institution” – this is (under Regulation E) any “bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services”

Page 10: Payment Systems and Security

EFTA

To be subject to the EFTA, a transaction must have three components:
A transfer of funds
Initiated by electronic means
A debit or credit to a consumer account held directly or indirectly by a financial institution

Page 11: Payment Systems and Security

Regulation: Electronic Fund Transfer Act and Regulation E

What is an electronic fund transfer? “Any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account.”

Page 12: Payment Systems and Security

Regulation E

The EFTA applies only to consumer “accounts”. What is an account?

An account is a demand deposit account, savings account, or other consumer asset account held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.

Page 13: Payment Systems and Security

Six EFTA Requirements

Restricts unsolicited issuance of account access devices
Requires disclosures of terms and conditions
Requires notice of changes
Requires transaction receipts and periodic statements
Establishes error resolution procedures
Limits consumer liability to $50

Page 14: Payment Systems and Security

Processing Costs

The extensive processing makes the credit card system among the most costly forms of payment for retailers.

The processing also helps control fraud.

Page 15: Payment Systems and Security

Alternative to Credit Card System?

In the early days of e-commerce, most assumed that some alternative to the credit card system was necessary.

Two reasons:
To allow private parties to accept credit card payments (on eBay, for example);
To handle low value payments.

Page 16: Payment Systems and Security

They Were Wrong

To a considerable extent, they were wrong.

Companies appeared that would handle credit card transactions for private parties, and low value transactions are handled by waiting until a large batch of them can be processed in a single transaction.

Page 17: Payment Systems and Security

The Current Focus: Security

Suppose a web site or network accepts credit card payments. Payment information is sent over the web site to its servers, and it stores credit card numbers on those servers.

What security measures are in order?

Page 18: Payment Systems and Security

Avoiding Negligence

Is it negligent not to have:
A firewall;
A network intrusion detection system;
SSL for communication;
Encrypted credit card numbers?

Page 19: Payment Systems and Security

Foreseeability

One owes a duty of reasonable care to another person only if one’s conduct creates a foreseeable risk to that person.

A foreseeable risk is a risk which a reasonable person would anticipate. The hacker risk is one a reasonable person would anticipate.

Page 20: Payment Systems and Security

Firewalls?

Benefit: A firewall analyzes data arriving at a network or web site and blocks access of suspicious data.

Cost: Firewall hardware and software must be purchased; personnel must know how to configure the firewall. In addition, firewalls do not work perfectly.

Page 21: Payment Systems and Security

Network Intrusion Detection

Benefit: analyzes traffic on the network to detect suspicious activity.

Cost: hardware and software must be purchased; personnel must know how to configure the system. In addition, such systems do not work perfectly.

Page 22: Payment Systems and Security

SSL Communication

SSL (Secure Sockets Layer) cryptographically protects messages traveling over the Internet. It protects against forgery, modification, and eavesdropping (sniffing).

A digital certificate verifies the identity of the e-commerce server. The server provides a symmetric key for the duration of the session.

Page 23: Payment Systems and Security

SSL Communication

This is an industry standard for communication involving the transfer of financial information.

The industry has decided the benefits outweigh the costs. Given that fact, it is highly likely a court will hold it is negligent not to employ this technology.

Page 24: Payment Systems and Security

Encrypted Data

This is an industry standard for sites that store sensitive financial information.

As with SSL communication, the industry has decided the benefits outweigh the costs, and it is highly likely a court will hold it is negligent not to employ this technology.
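The "encrypted credit card numbers" measure from the negligence checklist, shown as working code. This is an added example, not code from the lecture: it stores a card number under AES-256-GCM so the database row holds only the last four digits plus an authenticated ciphertext, binds the row to its customer id, and rejects any tampered record instead of returning a wrong number. The `Vault` and `StoredCard` types, the length check, and the test card number are this example's own assumptions; the key here is generated in memory, whereas in a real deployment it would live in an HSM or key-management service separate from the database.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredCard is what the merchant's database row holds: never the PAN itself,
// only the last four digits for display plus an authenticated ciphertext.
// The field layout is this example's assumption.
type StoredCard struct {
	LastFour   string
	Nonce      []byte
	Ciphertext []byte
}

// Vault wraps an AES-GCM key. In practice the key lives in an HSM or KMS,
// separate from the data store; here it is generated in memory for the demo.
type Vault struct {
	aead cipher.AEAD
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store encrypts the PAN under a fresh random nonce. The customer id is bound
// as additional authenticated data, so a ciphertext copied onto another
// customer's row fails to decrypt.
func (v *Vault) Store(customerID, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(customerID))
	return StoredCard{LastFour: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// Load decrypts and verifies the GCM tag; any modification of the ciphertext,
// nonce or customer id yields an error rather than a corrupted PAN.
func (v *Vault) Load(customerID string, rec StoredCard) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(customerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPAN reports whether the raw PAN digits appear anywhere in the stored
// record, which is the property the "encrypted data" control exists to guarantee.
func LeaksPAN(rec StoredCard, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan)) || bytes.Contains(rec.Nonce, []byte(pan))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed test number, not a real card
	rec, err := v.Store("customer-42", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x leaks=%v\n", rec.LastFour, rec.Ciphertext, LeaksPAN(rec, pan))
	back, err := v.Load("customer-42", rec)
	fmt.Println("decrypted:", back, "err:", err)

	// Flip one byte: GCM rejects it instead of returning a corrupted PAN.
	rec.Ciphertext[0] ^= 0x01
	_, err = v.Load("customer-42", rec)
	fmt.Println("after tampering, err:", err)
}
```

Two design points worth noting: a fresh nonce per record is mandatory with GCM (reusing one under the same key breaks both confidentiality and the tag), and keeping only the last four digits outside the ciphertext lets receipts and customer support work without ever decrypting.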

Page 25: Payment Systems and Security

Credit Card Fraud

Credit card numbers can be obtained in a variety of ways. Skimming is the latest and most effective technology.

Use of credit cards on the Internet is relatively safe. What the Internet does is make it easy to transfer stolen numbers around the world.

Page 26: Payment Systems and Security

“Chip and Pin” Cards

A “chip” card (a smart card) contains a microchip with digital certificate technology on it.

The PIN is a number known to the cardholder and not recorded on the card itself.

When the cardholder uses the card, the certificate verifies identity and matches the identity to the PIN.
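A simplified model of the chip-and-PIN check described on this slide, added here as an illustration and not taken from the lecture or from any card scheme's specification. The certificate verification is the same idea as the server certificate on the SSL slide: a trusted signer (here the issuing bank) vouches for a public key, and the holder proves possession of the matching private key. The `Certificate`, `Card` and terminal functions, the ECDSA-based signature scheme, the three-try lockout and the sample card id and PIN are all this example's own assumptions; real EMV cards use RSA-based certificates with many more fields, and this code does not implement that protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Certificate is a deliberately minimal stand-in for the card's certificate: the
// issuing bank signs (card id || card public key). Real EMV certificates use RSA and
// carry many more fields; this layout is the example's own assumption.
type Certificate struct {
	CardID    string
	PubKey    *ecdsa.PublicKey
	IssuerSig []byte
}

// Card models the chip: a private key that never leaves it and a PIN that is
// checked on the chip rather than handed to the terminal.
type Card struct {
	Cert  Certificate
	priv  *ecdsa.PrivateKey
	pin   string
	tries int
}

// NewIssuerKey creates the issuing bank's signing key (generated for the demo).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// certDigest is what the issuer signs: SHA-256 over the id and fixed-width P-256 coordinates.
func certDigest(id string, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(id))
	h.Write(pub.X.FillBytes(make([]byte, 32)))
	h.Write(pub.Y.FillBytes(make([]byte, 32)))
	return h.Sum(nil)
}

// IssueCard is the bank's step: generate the card key pair, sign its certificate,
// and personalize the chip with the cardholder's PIN.
func IssueCard(issuer *ecdsa.PrivateKey, cardID, pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, certDigest(cardID, &priv.PublicKey))
	if err != nil {
		return nil, err
	}
	cert := Certificate{CardID: cardID, PubKey: &priv.PublicKey, IssuerSig: sig}
	return &Card{Cert: cert, priv: priv, pin: pin}, nil
}

// VerifyPIN runs on the chip: constant-time compare, and the card locks after three wrong tries.
func (c *Card) VerifyPIN(entered string) bool {
	if c.tries >= 3 {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(c.pin), []byte(entered)) == 1 {
		c.tries = 0
		return true
	}
	c.tries++
	return false
}

// SignChallenge proves the chip holds the private key named in its certificate.
func (c *Card) SignChallenge(challenge []byte) ([]byte, error) {
	sum := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, sum[:])
}

// TerminalAccepts is the terminal's side: (1) the certificate carries a valid issuer
// signature, (2) the card signs a fresh random challenge with the certified key,
// (3) the chip accepts the entered PIN. Any failure rejects the transaction.
func TerminalAccepts(issuerPub *ecdsa.PublicKey, card *Card, enteredPIN string) error {
	if !ecdsa.VerifyASN1(issuerPub, certDigest(card.Cert.CardID, card.Cert.PubKey), card.Cert.IssuerSig) {
		return errors.New("certificate not signed by the issuing bank")
	}
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := card.SignChallenge(challenge)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(card.Cert.PubKey, sum[:], sig) {
		return errors.New("challenge signature does not match the certified key")
	}
	if !card.VerifyPIN(enteredPIN) {
		return errors.New("PIN rejected by the card")
	}
	return nil
}
```

The fresh random challenge is what stops a recorded transaction from being replayed, and the issuer signature over the certificate is what stops a card with an arbitrary key pair from passing as a genuine one; the PIN check then ties the verified card to the person holding it.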

Page 27: Payment Systems and Security

Non-Bank Electronic Transfers

All sorts of entities electronically transfer money. How should they be regulated?

Concerns include:
Consumer protection;
Money laundering;
Tax evasion;
Terrorism.

Page 28: Payment Systems and Security

A Hypothetical

To attract people to his site, Fred offers rebates. Each time a customer buys from him, 1% of the purchase price is credited to a special account in the customer’s name. Once the amount reaches $10, customers can request that amount in cash, use the amount to buy more items from Fred, or simply continue to let the amount increase through further purchases.

With what laws must Fred comply?

Page 29: Payment Systems and Security

Money Services Act

The USA has encouraged experimentation with non-credit card payment systems by non-traditional financial institutions.

The result: a variety of non-banks transfer small amounts of money.

The statutory response has been the Money Services Act.

Page 30: Payment Systems and Security

Money Services Act

A license is required for anyone engaging in money transmission.

Money transmission = issuing payment instruments, or receiving money or monetary value for transmission.

Payment instruments = check, draft, money order, traveler’s check, or other instrument for the transmission of money or monetary value, whether or not negotiable.

Page 31: Payment Systems and Security

Money Services Act

Money = a medium of exchange authorized or adopted by a government.

Monetary value = a medium of exchange, whether redeemable or not.

The Act imposes reserve requirements, record keeping, and reporting requirements.

Page 32: Payment Systems and Security

USA PATRIOT Act

To increase the effective administration of the Act’s requirements, it prohibits unlicensed money transmission. (373(a – b))

“Money transmission” is defined very broadly. (373(b)(C)) This may affect many e-commerce sites.

Page 33: Payment Systems and Security

Financial Institutions

Under the Act, “financial institutions” are subject to a variety of regulations. Such institutions include: insured banks, commercial banks, trust companies, private bankers, an agency or branch of a foreign bank in the US, any credit union, thrift institution, broker or dealer registered with the SEC, a broker or dealer in securities or commodities (registered or not), . . .

Page 34: Payment Systems and Security

Financial Institutions

An investment banker or investment company, a currency exchange, an issuer, redeemer, or cashier of travelers checks, checks, money orders or similar instruments, credit card system operators, insurance companies, dealers in precious metals, stones or jewels, a pawn broker; a loan or finance company; a travel agency, a licensed sender of money or any other person who engages as a business in

Page 35: Payment Systems and Security

Financial Institutions

the transmission of funds, formally or informally; a telegraph company; a business engaged in vehicle sales (including automobile, airplane, and boat sales); persons involved in real estate closings and settlements; the United States Postal Service; casinos, and certain government agencies.