E*MERGE® has been designed to follow the basic guidelines and principles defined by the payment card industry for a coherent payment mechanism. It is simple to use and efficient to manage. E*MERGE® is also not complicated by a complex cryptographic overhead[1] or a complex protocol.
E*MERGE® can support any means of payment. These can range from small value payments to credit and debit card payments, to checks and electronic wire transfers. Whatever the method, by using the 3DAS™ technology, E*MERGE® is able to create the trust required between all parties involved (seller, buyer, Issuer and Acquirer). The payment details needed to construct payment instructions never traverse the Internet and are therefore impervious to attack. E*MERGE®, powered by 3DAS™, stands to be the most cost-effective and application transparent offering on the market today.
E*MERGE® delivers to all the parties involved the following fundamental capabilities:
Cardholder (buyer) Authenticity
Seller (merchant) Authenticity
Payment Data Confidentiality
Transaction Integrity
Transaction Irrefutability
Mobility
The Internet is an open on-line environment.
The exponential growth of the Internet and information technology-based services dictates that complex issues of software maintenance and data management are more cost-effectively handled in network servers than in millions of personal computers.
Buyers do not want to worry about managing certificates. They also do not want to discover that their re-issued card no longer works on the Internet.
Avoid the need for an extensive Public Key Certification infrastructure.
The central issue is one of trust. Does the public key that is presented belong to the rightful (claimed) owner? To answer this requires the search for a common Certification Authority (CA) known by the party that delivered the public key and by the party that needs to verify the public key. Two paths must be followed:
The first leads from the owner to his/her CA, then from this CA to the next higher-level CA until a common, known (and trusted) CA has been found.
The second leads from the verifier to his/her CA, then to the next higher-level CA until a common, known (and trusted) CA has been found.
If no single global CA exists then this authentication process could end without a result. A further issue for a Public Key Certification infrastructure is that it must rely on the secure storage of the secret key. Arguments continue to rage between proponents of hardware solutions and proponents of software solutions, further slowing down the creation of an accepted, global solution.
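The two-path search described above can be modelled directly. This is an added example, not code from the Unicate paper; the CA names and the two hierarchies are constructed for illustration, and "trusted" is modelled as the set of CAs the verifier is prepared to accept as a common anchor.

```python
# Added example: two-path search for a common, known and trusted CA.
# Each mapping goes from a subject to its issuer; a self-issued entry
# marks the root of a hierarchy. Names are constructed, not real CAs.
from typing import Dict, List, Optional, Set

# Constructed hierarchy in which a single global root exists.
HIERARCHY_WITH_GLOBAL_ROOT: Dict[str, str] = {
    "buyer-key": "IssuerCA",
    "second-buyer-key": "IssuerCA",
    "IssuerCA": "CardSchemeCA",
    "CardSchemeCA": "GlobalRootCA",
    "GlobalRootCA": "GlobalRootCA",
    "merchant-key": "AcquirerCA",
    "AcquirerCA": "GlobalRootCA",
}

# Constructed hierarchy in which Issuer and Acquirer sides have separate
# roots, i.e. no global CA exists.
HIERARCHY_SPLIT: Dict[str, str] = {
    "buyer-key": "IssuerCA",
    "IssuerCA": "IssuerRootCA",
    "IssuerRootCA": "IssuerRootCA",
    "merchant-key": "AcquirerCA",
    "AcquirerCA": "AcquirerRootCA",
    "AcquirerRootCA": "AcquirerRootCA",
}


def path_to_root(subject: str, issuers: Dict[str, str]) -> List[str]:
    """Walk from a subject up through its CAs until a root (self-issued) is hit."""
    path, seen = [subject], {subject}
    while True:
        issuer = issuers.get(path[-1])
        if issuer is None or issuer in seen:  # root reached or unknown issuer
            return path
        path.append(issuer)
        seen.add(issuer)


def find_common_ca(owner: str, verifier: str, issuers: Dict[str, str],
                   trusted: Set[str]) -> Optional[str]:
    """Lowest CA on the owner's path that is also on the verifier's path and trusted.

    Returns None when the two paths never meet at a trusted CA, which is the
    'ends without a result' case when no single global CA exists.
    """
    verifier_cas = set(path_to_root(verifier, issuers)[1:])  # exclude the end entity
    for ca in path_to_root(owner, issuers)[1:]:
        if ca in verifier_cas and ca in trusted:
            return ca
    return None
```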
1. Avoid the need to encrypt data. In general, the laws governing the use of cryptography around the world are complex. In some cases, its use is illegal. Data encryption presents two specific problems:
Legislation does not always allow for long keys. This diminishes the value of encryption because an eavesdropper can decrypt the information.
Encryption requires key-synchronisation. Both the sender and the receiver need to know the key(s) required for successful encryption and decryption. Depending on the type of encryption used, this requires several extra messages to be sent between sender and receiver before the encrypted data can be exchanged. The result is that additional costs are incurred.
2. Do not allow secure payment details to be stored in insecure buyer and seller computers.
3. Create a solution capable of supporting all existing banking payment products and adhere to the standard developed during the European Union funded SEMPER programme and the agreements reached by W3C and IETF.
4. Adhere to the principles set out by the payment card industry, and defined in the "Secure Electronic Transaction Specification Book 1: Business Description":
"Primary motivations for the payment card brands to provide specifications for secure payments are to:
"Encourage the payment card community to take a leadership position in establishing a secure payment specification and, in so doing, to avoid costs associated with future reconciliation of implemented approaches,
"Respect and preserve the relationship between merchants and Acquirers and between cardholders and Issuers,
"Facilitate rapid development of the marketplace,
"Respond quickly to the needs of the financial services market, and
"Protect the integrity of payment card brands."
SET also defines seven business requirements for an Internet payment mechanism:
1. "Provide confidentiality of payment information and enable confidentiality of order information that is transmitted along with the payment information.
2. "Ensure the integrity of all transmitted data.
3. "Provide authentication that a cardholder is a legitimate user of a branded payment card account.
4. "Provide authentication that a merchant can accept branded payment card transactions through its relationship with an Acquiring financial institution.
5. "Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
6. "Create a protocol that neither depends on transport security mechanisms nor prevents their use.
7. "Facilitate and encourage interoperability among software and network providers."
Unicate believes that these principles should be the basis for evaluating the viability of any system claiming to be an easy to use and cost-effective merchant and consumer mechanism for effecting, in total confidence, all transactions and payments over the Internet.
E*MERGE® mimics the way payment transactions take place in the real world.
1. The buyer locates a seller on the Internet and shops
2. The seller prepares an invoice and offers a set of payment options to the buyer
3. The buyer confirms to the seller their plan to buy with a selected payment option
4. The authorization for payment is requested
5. The buyer and seller are authenticated inside a secure environment
6. Without requiring any modifications to today's EFTPOS systems, the Issuer is asked to approve the payment
7. The seller is informed of the approval or decline of the payment
8. The buyer receives confirmation of the payment.
E*MERGE® - Internet Transaction and Payments Made Simple
The eight E*MERGE® steps assure the buyer, the seller, the Issuer and the Acquirer that sensitive details for payment never traverse the Internet. The seller is assured that they will be paid, the buyer that the goods will be delivered and the banks, that customers can securely take advantage of the power of eCommerce on the Internet.
What E*MERGE® Means for the Seller
The seller is able to offer buyers an assortment of payment systems within a mechanism that assures the buyer that the seller can be trusted. The entire technical infrastructure to interface with a chosen payment system is part of the solution.
The seller can be paid by any one of the following means of payment[2]:
Acquiring bank relationships supporting, for example, Visa, MasterCard, Maestro, Interlink, JCB, and domestic debit card schemes
A set of bank relationships capable of accepting electronic cheques, or direct debits.
An American Express relationship
A micro-payment service
E*MERGE® also provides the seller with:
Irrefutable proof of the uniqueness and integrity of the invoice sent to the buyer, which is subsequently recorded as part of the buyer's agreement to pay.
An approval of payment that is based on the trusted authentication of the buyer and designed to match the business conditions of a card present transaction. Note that this card present feature translates into lower discounts for the merchant.
A means of proving to the buyer that they are paying the trusted seller.
E*MERGE® creates a simple and secure payment and transaction environment in which the buyer is assured that the seller can be trusted. Enrollment is very straightforward and easy. The buyer is provided with a unique 3DAS™ Payment Card and an inexpensive 3DAS™ Reader. The reader may optionally contain a secure and low cost PIN pad allowing the support of PIN-based payment products. The 3DAS™ Reader is plugged into the PC and the plug & play software automatically loads the E*MERGE® Browser Plug-in. The plug-in automatically connects to the Issuer's designated payment server and organizes the activation of the buyer's 3DAS™ payment card.
After the buyer has selected the goods and services they wish to purchase, the seller submits an invoice. After inserting the 3DAS™ payment card, the E*MERGE® Browser Plug-in presents the buyer with a list of payment methods that the buyer and the seller both employ (including credit and debit cards and a micro-payment mechanism). By simply clicking on the payment method the buyer wishes to use for the transaction, the buyer accepts the seller's terms and authorizes payment.
The banks are convinced of the authenticity of the buyer and seller, and the buyer's bank authorizes the payment. The buyer and seller then receive confirmation of completion from their E*MERGE® Payment Server. These two messages authenticate the seller to the buyer and the buyer to the seller: the buyer's bank will make payment and the seller will comply with the terms and conditions of the sale.
Unicate offers both Issuing and Acquiring banks a mechanism that supports their existing means of payment, without the need for any changes to their existing EFTPOS infrastructure.
3DAS™ guarantees that both the seller and the buyer are who they claim to be, even when using the Internet. Furthermore, the E*MERGE® system offers irrefutable proof that the terms of payment, as agreed by the buyer, were as issued by the seller.
This all happens on-line while simultaneously creating a suitable audit trail able to provide evidential proof to assure irrefutability in the event of a dispute.
Unicate offers the Issuing and Acquiring banks a cost effective means of guaranteeing payments over the Internet that is mobile, simple, efficient for the buyer and cost-effective for the seller.
E*MERGE® has been established based upon the principle that the payment card Issuer maintains control over the buyer relationship, and the payment card Acquirer maintains control over the seller relationship.
Unicate assumes that the E*MERGE® system will be set up and managed by a consortium (most likely the payment schemes) who will establish the rules, manage the secure VPN and commission the associated MP and CP servers.
It is therefore assumed that the relationship with the buyer will be a three party relationship with the Issuing Bank taking the lead. The operator of the CP server is a trusted agent of the Issuing Bank.
It is also assumed that the relationship with the seller would be via a three party relationship with the Acquiring Bank taking the lead. Thus, the operator of the MP server becomes a trusted agent of the Acquiring Bank.
In many markets, sellers do not restrict processing their payment activity through any one Acquiring Bank. As is true with any payment system, acceptance is the key. So the E*MERGE® system assumes that the primary relationship for technical processing is between the seller and the operator of the E*MERGE® MP Server, while the primary relationship for payment processing is between the Acquiring Bank and the seller.
The banks must trust the operators of the MP Servers.
[1] The SET Secure Electronic Transaction Specification Book 1: Business Description includes fifteen pages devoted to the subject of cryptography in a document oriented to business people.
[2] Unicate has only validated that these payments can be supported, others simply require validation.