Ebook Augmenting Internet-based Card Not Present Transactions with Trusted Computing
The Internet as an avenue for card-based commerce has seen something of a popularity explosion in recent years. In the UK alone, on-line shopping has become a multi-billion pound industry and in 2004 accounted for nearly 11 pence out of every £1 spent using credit cards. However, this particular form of commerce, typically referred to as Card Not Present (CNP) transactions, whilst commonplace, is currently far from secure.
A recent report by the Association for Payment Clearing Services (APACS) on card fraud showed that Internet-based CNP transactions accounted for 36% of all card fraud perpetrated in 2006 in the UK (up from 27% the previous year). This translated into £154.5 million in losses for card issuers and merchants. The proliferation of Internet-based commerce (and the increasing level of fraud associated with it) has resulted in a great deal of effort in developing protocols for securing these transactions. However, the vast majority of Internet-based payments are secured using a single protocol suite, namely SSL, to protect card account information.
Unfortunately, this usage of SSL is not a panacea for enabling secure Internet-based CNP transactions. SSL was not designed as a payment protocol but instead adopted as a de facto standard for securing CNP transactions. Indeed, the use of SSL in CNP transactions has a number of shortcomings. These ‘flaws’ in SSL can largely be attributed to the marriage of convenience that exists with current CNP-based card processing and are not necessarily intrinsic to the protocol itself.
For example, SSL is used only in relation to securing the payment channel; there is no guarantee that the customer owns the account number being proffered in a particular payment transaction. In this regard, transaction processing is reliant on a Mail Order Telephone Order (MOTO) based system whereby demonstrating knowledge of a card’s Personal Account Number (PAN) and corresponding Card Security Code (CSC) are deemed a sufficient form of transaction authorisation.