comp.org.uk

Networking | Programming | Security | Linux | Computer Science | About

Electronic Payment Security

Traditional Payment System Problems

The security problems of traditional payment systems are well known:

Electronic Payment System Problems

Electronic payment systems have the same problems as traditional systems, and more:

Obviously, without additional security measures, widespread e-commerce is not viable. A properly designed electronic payment system can, however, provide better security than traditional payment systems, in addition to flexibility of use.

Adversaries in Electronic Payment Systems

Generally, in an electronic payment system, three types of adversaries can be encountered [9]:

Basic Security Requirements for Electronic Payment Systems

The basic security requirements for electronic payment systems can be summarized as:

Payment Authentication

Payment authentication implies that both payers and payees must prove their payment identities, which are not necessarily identical to their true identities. If no anonymity is required, an authentication mechanism may be used to satisfy this requirement. Authentication does not necessarily imply that a payer's identity is revealed. If anonymity is required, some special authentication mechanisms are needed.

Payment Integrity

Payment integrity requires that payment transaction data cannot be modifiable by unauthorized principals. Payment transaction data includes the payer's identity, the payee's identity, the content of the purchase, the amount, and possibly other information. For this purpose an integrity mechanism from the area of information security may be employed.

Payment Authorization

Payment authorization ensures that no money can be taken from a customer's account or smart card without his explicit permission. It also means that the explicitly allowed amount can be withdrawn by the authorized principal only. This requirement is related to access control.

Payment Confidentiality

Payment confidentiality covers confidentiality of one or more pieces of payment transaction data. In the simplest case it can be achieved by using one of the communication confidentiality mechanisms. In some cases, how- ever, it is required that different pieces of the transaction data be kept secret from different payment system participants. Such requirements can be satisfied by certain specially tailored payment security mechanisms.


Published on Thu 02 December 2004 by Dan Little in Security with tag(s): payment