I have been working on my thesis for a long time and I wanted to give everyone (especially my parents, who have been antsy to read it) a glimpse of what takes up most of my time nowadays.
Here is a part of the Introduction…
The concept of paying for goods and services electronically is not new: some part of almost every payment we make is already completed electronically, either over the Internet or over private communication networks such as telephone lines or dedicated lines. Since the inception of modern computer networks in the early 1970s, there have been many proposals and schemes for payment systems that operate across electronic communication networks [ ]. Although many of their concepts were incorporated into later production systems, most of these schemes never got off the ground. The problem was that they were useless for merchants and businesses that were not directly connected to the private network of the financial institution in question. Such private networks were expensive to implement and maintain and thus out of the reach of small and medium-sized businesses. The advent of the Internet removed this obstacle to the progress of e-payment systems, and the freedom of communication it offers was a great boon to the e-commerce industry.
The Internet is a network of networks that was put together in the late 1970s as a method of sharing information between computers. This small and relatively unknown technology has grown exponentially into a global medium. Figure 1.1 gives a good estimate of the Internet's growth over the past few years. By January 2003 the estimated number of computers connected to the Internet had increased to over 170 million. One estimate from the NUA Internet Survey Group puts the total number of unique Internet users at a little over 600 million people worldwide [ ].
This growth can be attributed to the availability of the World Wide Web (WWW) and the ease of information retrieval that the WWW offers. The integration of multimedia, the simplicity of point-and-click operation and the false sense of anonymity are also considered prime factors in the increase of the web's popularity. Surveys of Internet users suggest that the average Internet user has much larger spending power now than a few years ago, and that people are much more willing to spend their money over the Internet today. This fact is well understood and exploited by businesses and industries as they try harder to woo a global Internet audience [3, 4].
With the growth of the Internet, the number of businesses selling merchandise online has also increased at a high rate. The most popular goods sold on the Internet are computer hardware and software, books and CDs, and travel. This financial marketplace between businesses and consumers is known as Business to Consumer (B2C) e-commerce. In the United States alone, B2C spending was estimated at about $7.7 billion in 1998, $17.3 billion in 1999 and $28 billion in 2000. A second type of online business, in which companies sell to and purchase from other companies, is termed Business to Business (B2B) e-commerce. These online marketplaces focus on bringing together companies that need goods and services from each other. This sector has grown larger than B2C in the last few years. Some reports suggest that B2B e-commerce generated over $226 billion worth of business in 2000 and an estimated $2 trillion in 2003 [ ].
Early commerce on the Internet was performed through offline payment methods. As the industry and the web matured, websites and vendors found many ways to gather credit card and payment details for their sales from forms embedded in web pages and to process this information electronically through organizations set up for the purpose of collecting and remitting credit card transactions. These organizations have come to be known as acquirers. In many cases the payment data from these forms was downloaded to merchants' servers without much regard for the security of the clients and was processed by conventional methods before the purchased merchandise was finally shipped. This was a very precarious way of accepting payments, and with the growth of the marketplace and the lack of proper security procedures, crime and theft related to credit card transactions became more prevalent.
The first edition of Electronic Payment Systems was published in 1997. It described various new electronic payment methods that had been developed in academia and industry. Some of these early systems were quickly launched into the market, but they failed to become popular enough to be widely accepted. The market leaders among these systems included companies such as First Virtual Inc., Cybercash Inc. and Digicash. Their payment systems saw extensive deployment and were thoroughly analyzed by the media. However, most of these companies failed to turn a profit and were forced out of business, rendering their systems obsolete. Partly because of the failure of these alternative methods of accepting payments on the Internet, and partly because of the popularity of credit cards, card-issuing banks and credit institutions funded research into the development of credit card transactions over the Internet.
Credit card based e-commerce was integrated into both B2B and B2C financial transactions. Conventional card processing methods were modified to suit the online community, and new online credit acquiring companies were started. Alongside credit cards, a few of the electronic payment pioneers managed to carve out a niche in the e-commerce markets. The most recent e-payment developments include the use of mobile phones and handheld wireless devices, including Radio Frequency Identification (RFID) technology. Paying for purchases with mobile phones or wireless devices is called Mobile Commerce (M-Commerce). M-commerce has the potential to become a very large industry, and many payment technology providers are already implementing viable solutions that are secure and easy to use.
According to BizStats.com, there are close to two million web pages on the Internet accepting payment electronically and offering their services to online customers from all over the world. Nielsen//NetRatings reported that online consumers spent over $18.5 billion during the 2003 holiday season, up 35% from 2002 [ ]. According to analysts and financial advisors, this was the third straight season of record growth in online sales, which indicates that online retailers are doing a much better job of satisfying their customers and of making good use of their advertising and security resources. According to another report, by Goldman Sachs and Harris Interactive, overall satisfaction levels among online shoppers in 2003 increased five percent over 2002. During the technology boom of the recent past, electronic commerce flourished to unprecedented levels and became one of the most preferred methods of doing business. Businesses are now considered less productive if they lack an online presence and an e-commerce storefront. The freedom, speed, anonymity and global accessibility of the Internet promote real-time business that can be conducted from the comfort of a living room with people from across the world. This is fueled by tremendous advances in information technology, accompanied by the increased versatility and reach of online financial transaction tools such as PayPal and Discover Online.
However, the popularity of the medium also promotes criminality. The versatility and pervasiveness of e-commerce systems in our society put personal information at greater risk of being covertly gathered, analyzed and misused. A recent article published on Internet.com, drawing on a Federal Trade Commission report, stated that online scammers and thieves robbed Americans of more than $437 million in 2003 [ ]. Most of this money was misappropriated using stolen identities, fake Internet auctions and fraudulent shop-at-home schemes. There were an estimated half a million complaints during the 2003 financial year, a 40% jump over the 2002 number. The article also suggests that 40% of these complaints involved identity theft. The true figure is considered to be higher than the reported statistic, because 60% of those affected by online fraud do not contact the proper authorities to report the theft. The part of this report most relevant to our discussion is that the most common form of identity theft perpetrated was credit card fraud using stolen credit information. Figure 1.2 displays some of the other statistical figures from the FTC and Internet.com report.
Fraudulent credit card transactions cost online merchants many millions of dollars annually. These losses raise the cost of doing business online. The increased risk of online business makes it more expensive to assure a given level of security, and consumers and merchants become more wary of each other as a result, reducing their willingness to do business.
Figure 1.2: Internet Fraud Statistics (FTC data, 2003)
Complaints by consumer age (partial; percentages based on the Internet-related fraud complaints where consumers reported their age): 19 and under, 4%; 70 and over, 1%.
Top products/services for Internet-related complaints (percentages based on the 166,617 Internet-related complaints for the year): Internet auctions, 48%; shop-at-home/catalog sales, 20%; Internet access services, 8%; Internet information and adult services, 6%; foreign money offers, 4%; computer equipment/software, 2%; business opportunities, 2%.
Credit cards are the preferred method of modern consumer payment. Credit card transactions exchange sensitive financial information through arcane channels that were designed for face-to-face transactions. With the changing nature of business, the recent growth in technology-related crime and the reluctance of people to release personal information on the Internet, the demand for research and development of new, more secure, easier and more anonymous methods of accepting payments on the Internet has increased tremendously.
This thesis proposes the development of a smart card based credit card system that protects the privacy of its users and increases the security of card transactions by reducing the exposure of purchase information to third parties. The system allows a user to pay for merchandise with a payment system that actively protects their privacy. Our system combines existing smart card technology with cryptographic elements to reduce the amount of information that must be exchanged in order to validate a credit card transaction. The design focuses on the hesitation of consumers to spend their money on the Internet for fear of having their identities stolen. A report from GartnerG2 published in 2002 shows that over 60% of online adults in the USA do not do business through the web because they fear for their financial security and privacy [ ]. The Information Technology Association of America found that over 70% of Americans are very concerned about the dangers of online purchases and fear that their credit card numbers and other personal information might be stolen in the process [ ]. Online credit card security concerns are therefore very real, and they prevent a large percentage of users from buying products and services over the Internet.
The failure of earlier smart card based credit card systems is attributed to the complexity of the systems and the up-front cost of implementing them. Smart card based credit card systems also raise new questions about credit card laws and regulations because of the new algorithms and hardware involved in such transactions. The smart card solutions already in use are proprietary in nature and are not valid beyond certain geographical boundaries, which turns users off these systems. Further research is required to develop payment systems that are easy to use, work well with existing technology, retain some of the qualities of existing payment methods and reduce the risk of fraud.
To address the rising crime against credit card transactions, VISA and MasterCard jointly developed the Secure Electronic Transaction (SET) protocol in 1997, which was later refined into the 3D SET model [ ]. Though SET was well received by the credit card community, implementation of the protocol is still lacking. The complexity of the system and the cost of implementation have been the limiting factors. Various publications in the past few years have criticized the data aggregation properties of the original SET and have proposed revisions to the protocol [ , ]. These revisions range from stronger encryption to modified routing methods intended to prevent data misuse. They are directed at modifying the transaction process to increase security. However, they still depend on conventional embossed credit cards, which carry no electronic data and cannot perform any processing of their own that could be used to increase security.
Here is a part of the history of credit cards…
Origin and Development of Credit Cards
Early in 1914 Western Union gave some of its prominent customers a metal card to be used to defer payment, without interest, for services used. This card became known as “metal money”. Until the beginning of World War II, department stores, oil companies, communication companies and travel and delivery companies issued cards to their customers in exchange for a promise of deferred payment. The Second World War saw a decline in the credit card industry, as credit cards were banned during the war.
At the end of World War II, however, credit cards became more accessible to the general public. With the general increase in spending through charge cards for travel and other services, banks became interested in the prospect of credit cards and saw them as a preferred method of processing money lent to consumers. In 1951, the Franklin National Bank of New York issued the “Charge It” card, which could be used at local retail establishments. These card transactions were authenticated by the bank at the time a purchase was made; the vendors were reimbursed for their sales and the debts were collected from the cardholders at a later date. Soon after, Diners Club released its own charge card, which could be used for travel and entertainment. Diners Club cards were designed to attract traveling business people who did not want to carry a lot of cash on their travels. Diners Club allowed its cardholders up to 60 days to pay for their purchases.
Most of these credit cards were limited in their payment options until the first “revolving” credit card was offered by the Bank of America. This card, called the BankAmericard, was marketed across the state of California. It gave cardholders the option either to pay for their purchases in full at the end of the month or to pay in monthly minimum installments with interest. The concept of repaying a loan in small monthly installments for purchases made with a credit card became popular with cardholders and fueled the credit economy.
By the mid-1960s the process of issuing and processing credit cards had become too much for the banks to handle by themselves, and bank card and credit card associations began to emerge. The most prominent of these were the InterLink Association and the Western States Bank Card Association. The increasing complexity and volume of credit card transactions also led to an increase in credit card fraud. In the early 1970s, electronic authorization methods for credit cards were introduced to merchants and vendors for the first time. Electronic authorization allowed credit cards to be used internationally, and most transactions could be completed within minutes at any time of the day or night. This added to the popularity of credit cards and increased their scope and versatility. The early 1980s saw the introduction of automated teller machines (ATMs), which could be used to deposit and withdraw cash 24 hours a day throughout the nation.
In 1970, Bank of America gave up control of the BankAmericard program. BankAmericard issuer banks took control of the program, creating National BankAmericard Inc. (NBI), an independent non-stock corporation, which would be in charge of managing, promoting and developing the BankAmericard system within
Outside the U.S., Bank of America continued to distribute licenses to banks that allowed them to issue BankAmericard. By 1972, licenses had been granted in 15 countries. In 1974, IBANCO, a multinational member corporation, was founded to manage the international BankAmericard program. In many countries, however, there was still reluctance to issue a card associated with Bank of America, even though the association was entirely nominal. For this reason, in 1977 BankAmericard became the Visa card, retaining its distinctive blue, white and gold flag. NBI became Visa U.S.A., and IBANCO became Visa International.