V   The Ultimate Internet Authentication & Payment Solution: E*MERGE®

E*MERGE® has been designed to follow the basic guidelines and principles defined by the payment card industry for a coherent payment mechanism. It is simple to use and efficient to manage. E*MERGE® is also not burdened by heavy cryptographic overhead[1] or a complex protocol.

E*MERGE® can support any means of payment. These can range from small value payments to credit and debit card payments, to checks and electronic wire transfers. Whatever the method, by using the 3DAS™ technology, E*MERGE® is able to create the trust required between all parties involved (seller, buyer, Issuer and Acquirer). The payment details needed to construct payment instructions never traverse the Internet and are therefore not exposed to interception on the public network. E*MERGE®, powered by 3DAS™, stands to be the most cost-effective and application-transparent offering on the market today.

E*MERGE® delivers to all the parties involved the following fundamental capabilities:

*   Cardholder (buyer) Authenticity

*   Seller (merchant) Authenticity

*   Payment Data Confidentiality

*   Transaction Integrity

*   Transaction Irrefutability

*   Mobility

Unicate's E*MERGE® Design Principles

The Internet is an open on-line environment. 

The exponential growth of the Internet and information technology-based services dictates that complex issues of software maintenance and data management are more cost-effectively handled in network servers than in millions of personal computers. 

Buyers do not want to worry about managing certificates. They also do not want to discover that their re-issued card no longer works on the Internet.

Avoid the need for an extensive Public Key Certification infrastructure.

The central issue is one of trust. Does the public key that is presented belong to the rightful (claimed) owner? Answering this requires finding a common Certification Authority (CA) known both to the party that presented the public key and to the party that needs to verify it. Two paths must be followed:

*   The first leads from the owner to his/her CA, then from this CA to the next higher level CA until a common, known (and trusted) CA has been found.

*   The second leads from the verifier to his/her CA, then to the next higher-level CA until a common, known (and trusted) CA has been found.

If the two paths never meet, for example because no single global CA exists, the search ends without a result and the key cannot be authenticated. A further issue for a Public Key Certification infrastructure is that it must rely on the secure storage of the secret (private) key. Arguments continue to rage between proponents of hardware key storage and proponents of software key storage, further slowing down the creation of an accepted, global solution.
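The two-path search described above, written out as an added example. This is not code from Unicate or E*MERGE; the chains, the CA names and the set of CAs the verifier trusts are constructed for illustration.

```python
"""Finding a common trusted CA by walking two certificate chains upward.

Each chain maps a certificate subject to the CA that signed it; a CA that
signs itself is a root. All names below are constructed, not real CAs.
"""

# Constructed chain on the key owner's side (a buyer certified by its bank).
OWNER_CHAIN = {
    "buyer@example": "Bank-A CA",
    "Bank-A CA": "Scheme CA",
    "Scheme CA": "Global Root",
    "Global Root": "Global Root",
}

# Constructed chain on the verifier's side (a merchant certified by its acquirer).
VERIFIER_CHAIN = {
    "merchant.example": "Acquirer-B CA",
    "Acquirer-B CA": "Scheme CA",
    "Scheme CA": "Global Root",
    "Global Root": "Global Root",
}

# Constructed chain hanging off an unrelated root: the failure case the text describes.
ISOLATED_CHAIN = {
    "buyer@other": "Bank-C CA",
    "Bank-C CA": "Regional Root",
    "Regional Root": "Regional Root",
}


def path_to_root(subject, chain, limit=16):
    """Return [subject, issuer, issuer's issuer, ...] up to the self-signed root.

    Refuses chains with a missing issuer, and bounds the walk so a cyclic
    chain (A signed by B, B signed by A) cannot loop forever.
    """
    path = [subject]
    while True:
        issuer = chain.get(subject)
        if issuer is None:
            raise ValueError(f"no issuer recorded for {subject!r}")
        if issuer == subject:  # self-signed: reached the root
            return path
        if len(path) >= limit:
            raise ValueError("chain too long or cyclic")
        path.append(issuer)
        subject = issuer


def common_trusted_ca(owner, owner_chain, verifier, verifier_chain, trusted):
    """Walk both paths; return the lowest CA on both that the verifier trusts, or None.

    The first path leads from the owner up to its root; the second from the
    verifier up to its root. Only a CA that lies on both paths *and* is in the
    verifier's trusted set answers the question "does this key belong to the
    claimed owner?". If the paths never meet, the search ends without a result.
    """
    owner_cas = set(path_to_root(owner, owner_chain)[1:])  # CAs above the owner
    for ca in path_to_root(verifier, verifier_chain)[1:]:  # CAs above the verifier
        if ca in owner_cas and ca in trusted:
            return ca
    return None


if __name__ == "__main__":
    trusted = {"Scheme CA", "Global Root"}
    print(common_trusted_ca("buyer@example", OWNER_CHAIN,
                            "merchant.example", VERIFIER_CHAIN, trusted))
    print(common_trusted_ca("buyer@other", ISOLATED_CHAIN,
                            "merchant.example", VERIFIER_CHAIN, trusted))
```

The second call returns `None`: the buyer's chain ends at a root the merchant's chain never reaches, which is exactly the "no single global CA" outcome the text warns about. One caveat for practitioners: in deployed X.509 validation the verifier does not walk a chain of its own; it holds a set of trust anchors and builds one path from the presented certificate up to any anchor in that set. The two-path picture above is the page's framing, and the `trusted` set is what makes the code agree with the real rule that only CAs the verifier already trusts can terminate the search.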

1.        Avoid the need to encrypt data. In general, the laws governing the use of cryptography around the world are complex. In some cases, its use is illegal. Data encryption presents two specific problems:

*   Legislation does not always allow long keys. Short keys diminish the value of encryption because an eavesdropper can recover the key by exhaustive search and decrypt the information.

*   Encryption requires key synchronisation. Both the sender and the receiver need to know the key(s) required for successful encryption and decryption. Depending on the type of encryption used, establishing those keys takes several extra messages between sender and receiver before any encrypted data can be exchanged. The result is additional latency and cost.
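To make the first point concrete, here is an added example (not part of the original page, and not E*MERGE code) of what an eavesdropper does against a key that legislation has kept short. The cipher is a constructed toy (SHA-256 used as a keystream generator), the 18-bit key length, the message and the key value are all chosen for illustration; the attack only assumes the eavesdropper can guess some fragment of the plaintext, such as a fixed message header.

```python
"""Brute-forcing a deliberately short key with a known-plaintext check.

Toy stream cipher: keystream = SHA-256(key || counter), ciphertext = plaintext XOR
keystream. Constructed for illustration only; the weakness shown is in the key
length, not in the hash.
"""
import hashlib

KEY_BITS = 18  # deliberately short so the exhaustive search finishes in seconds


def keystream(key, length):
    """Expand an integer key into `length` bytes of keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt(key, data):
    """XOR with the keystream; the same function decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def brute_force(ciphertext, known_prefix, key_bits=KEY_BITS):
    """Try every key in the space; return (key, plaintext) on a match, else None.

    Only the known prefix is decrypted per candidate, so each trial costs one
    hash and a few XORs. That is what makes a capped key length fatal: the
    work is 2**key_bits small steps, doubling with every bit the law allows.
    """
    n = len(known_prefix)
    for key in range(1 << key_bits):
        if encrypt(key, ciphertext[:n]) == known_prefix:
            return key, encrypt(key, ciphertext)
    return None


# Constructed sample: a payment instruction encrypted under a secret 18-bit key.
SECRET_KEY = 0x2A5C3
MESSAGE = b"PAYMENT-INSTR v1|card=****1111|amount=49.95|to=merchant.example"
CIPHERTEXT = encrypt(SECRET_KEY, MESSAGE)

if __name__ == "__main__":
    found = brute_force(CIPHERTEXT, b"PAYMENT-INSTR v1")
    print(hex(found[0]), found[1])
```

The eavesdropper never needs the legitimate key exchange at all: knowing that every message starts with `PAYMENT-INSTR v1` is enough to recognise the right key when it is tried. Each additional key bit doubles the loop, which is why a legal cap on key length is a cap on how long the eavesdropper has to wait rather than a guarantee of confidentiality.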

2.        Do not allow sensitive payment details to be stored in insecure buyer and seller computers.

3.        Create a solution capable of supporting all existing banking payment products and adhere to the standards developed during the European Union funded SEMPER programme and the agreements reached by W3C and IETF.

4.        Adhere to the principles set out by the payment card industry, and defined in the "Secure Electronic Transaction Specification Book 1: Business Description".

"Primary motivations for the payment card brands to provide specifications for secure payments are to:

*   "Encourage the payment card community to take a leadership position in establishing a secure payment specification and, in so doing, to avoid costs associated with future reconciliation of implemented approaches,

*   "Respect and preserve the relationship between merchants and Acquirers and between cardholders and Issuers,

*   "Facilitate rapid development of the marketplace,

*   "Respond quickly to the needs of the financial services market, and

*   "Protect the integrity of payment card brands."

SET also defines seven business requirements for an Internet payment mechanism:

1.       "Provide confidentiality of payment information and enable confidentiality of order information that is transmitted along with the payment information.

2.       "Ensure the integrity of all transmitted data.

3.       "Provide authentication that a cardholder is a legitimate user of a branded payment card account.

4.       "Provide authentication that a merchant can accept branded payment card transactions through its relationship with an Acquiring financial institution. 

5.       "Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.

6.       "Create a protocol that neither depends on transport security mechanisms nor prevents their use.

7.       "Facilitate and encourage interoperability among software and network providers."

Unicate believes that these principles should be the basis for evaluating the viability of any system claiming to be an easy to use and cost-effective merchant and consumer mechanism for effecting, in total confidence, all transactions and payments over the Internet.

Eight Easy Steps for payment transactions

E*MERGE® mimics the way payment transactions take place in the real world. 

1.        The buyer locates a seller on the Internet and shops.

2.        The seller prepares an invoice and offers a set of payment options to the buyer.

3.        The buyer confirms to the seller their plan to buy with a selected payment option.

4.        The authorization for payment is requested.

5.        The buyer and seller are authenticated inside a secure environment.

6.        Without requiring any modifications to today's EFTPOS systems, the Issuer is asked to approve the payment.

7.        The seller is informed of the approval or decline of the payment.

8.        The buyer receives confirmation of the payment.

E*MERGE® - Internet Transaction and Payments Made Simple

The eight E*MERGE® steps assure the buyer, the seller, the Issuer and the Acquirer that sensitive details for payment never traverse the Internet. The seller is assured that they will be paid, the buyer that the goods will be delivered and the banks, that customers can securely take advantage of the power of eCommerce on the Internet.

What E*MERGE® Means for the Seller

The seller is able to offer buyers an assortment of payment systems within a mechanism that assures the buyer that the seller can be trusted. The entire technical infrastructure to interface with a chosen payment system is part of the solution.

The seller can be paid by any one of the following means of payment[2]:

*   Acquiring bank relationships supporting, for example, Visa, MasterCard, Maestro, Interlink, JCB, and domestic debit card schemes  

*   A set of bank relationships capable of accepting electronic cheques, or direct debits.

*   An American Express relationship

*   A micro-payment service

E*MERGE® also provides the seller with:

*   Irrefutable proof of the uniqueness and integrity of the invoice sent to the buyer, which is subsequently recorded as part of the buyer's agreement to pay.

*   An approval of payment that is based on the trusted authentication of the buyer and designed to match the business conditions of a card present transaction. Note that qualifying as card present translates into lower merchant discount rates for the seller.

*   A means of proving to the buyer that they are paying the trusted seller.

What E*MERGE® Means for the Buyer

E*MERGE® creates a simple and secure payment and transaction environment in which the buyer is assured that the seller can be trusted. Enrollment is straightforward. The buyer is provided with a unique 3DAS™ Payment Card and an inexpensive 3DAS™ Reader. The reader may optionally contain a secure, low-cost PIN pad, allowing PIN-based payment products to be supported. The 3DAS™ Reader is plugged into the PC and the plug & play software automatically loads the E*MERGE® Browser Plug-in. The plug-in automatically connects to the Issuer's designated payment server and organizes the activation of the buyer's 3DAS™ payment card.

After the buyer has selected the goods and services they wish to purchase, the seller submits an invoice. After the buyer inserts the 3DAS™ payment card, the E*MERGE® Browser Plug-in presents a list of the payment methods that both the buyer and the seller support (including credit and debit cards and a micro-payment mechanism). By simply clicking on the payment method they wish to use for the transaction, the buyer accepts the seller's terms and authorizes payment.

The banks are convinced of the authenticity of the buyer and seller, and the buyer's bank authorizes the payment. The buyer and seller then each receive a confirmation of completion from their E*MERGE® Payment Server. These two messages authenticate the seller to the buyer and the buyer to the seller, and confirm that the buyer's bank will make payment and that the seller will comply with the terms and conditions of the sale.

What E*MERGE® Means for the Banks

Unicate offers both Issuing and Acquiring banks a mechanism that supports their existing means of payment, without the need for any changes to their existing EFTPOS infrastructure. 

3DAS™ guarantees that both the seller and the buyer are who they claim to be, even when using the Internet. Furthermore, the E*MERGE® system offers irrefutable proof that the terms of payment, as agreed by the buyer, were as issued by the seller. This all happens on-line while simultaneously creating an audit trail that provides the evidence needed to assure irrefutability in the event of a dispute.

Unicate offers the Issuing and Acquiring banks a cost effective means of guaranteeing payments over the Internet that is mobile, simple, efficient for the buyer and cost-effective for the seller.

Business Relationship Assumptions of E*MERGE®

E*MERGE® has been established on the principle that the payment card Issuer maintains control over the buyer relationship, and the payment card Acquirer maintains control over the seller relationship.

Unicate assumes that the E*MERGE® system will be set-up and managed by a consortium (most likely the payment schemes) who will establish the rules, manage the secure VPN and commission the associated MP and CP servers.

It is therefore assumed that the relationship with the buyer will be a three party relationship with the Issuing Bank taking the lead.  The operator of the CP server is a trusted agent of the Issuing Bank.

It is also assumed that the relationship with the seller would be via a three party relationship with the Acquiring Bank taking the lead.  Thus, the operator of the MP server becomes a trusted agent of the Acquiring Bank.

In many markets, sellers do not restrict their payment processing to any one Acquiring Bank. As is true with any payment system, acceptance is the key. So the E*MERGE® system assumes that the primary relationship for technical processing is between the seller and the operator of the E*MERGE® MP Server, while the primary relationship for payment processing is between the Acquiring Bank and the seller.

The banks must trust the operators of the MP Servers.


[1] The SET Secure Electronic Transaction Specification Book 1: Business Description includes fifteen pages devoted to the subject of cryptography in a document oriented to business people.

[2] Unicate has only validated that these payments can be supported, others simply require validation.