Solvay Business School SEMINAIRE DE TECHNOLOGIES DE L’INFORMATION ET DE LA COMMUNICATION UNIVERSITE LIBRE DE BRUXELLES eBusiness – Payments & Security.

1 Solvay Business School SEMINAIRE DE TECHNOLOGIES DE L’INFORMATION ET DE LA COMMUNICATION UNIVERSITE LIBRE DE BRUXELLES eBusiness – Payments & Security Pascale Vande Velde GEST 116

2 V.1.1 Solvay Business School Technologies de l’information et de La communication
Content of eBusiness course: Introduction – Part I; Introduction – Part II; Supply chain management; Payments & Security

3 Introduction to epayments; Network security principles and concepts; B2C ePayments solutions; B2B ePayments solutions

4 Generic Payment Process
1. Payment request or instruction transmitted by the customer to an intermediary
1’. Payment request or instruction transmitted by the customer directly to the bank
2. Customer’s payment request or instruction transmitted by the intermediary to the vendor’s bank
After verification of the customer’s solvency, the transaction is sent to a clearing entity (clearing: intra-bank, inter-bank, international).
Settlement takes place when clearing is achieved.
Parties in the diagram: Customer, Intermediary, Vendor’s bank.

5 The payments market by instrument in Belgium
| Instrument | Volumes (mio transactions) 1995 | Volumes 1999 | Change | Distr. 1999 | Value (EUR bio) 1995 | Value 1999 | Change | Distr. 1999 |
| Cheques | 117,1 | 80,2 | -31,5% | 6% | 305 | 98 | -67,9% | 0,6% |
| Paper-based transfers | 447,9 | 412,1 | -7,99% | 30% | 9.054 | 2.184 | -75,9% | 14% |
| Electronic transfers | 220,6 | 310,9 | +40,9% | 22% | 910 | 13.002 | +1328% | 85% |
| Credit cards | 32,2 | 48,7 | +51,2% | 4% | 3 | 5 | +66,7% | NA |
| Debit cards | 185,9 | 354,3 | +90,6% | 25% | 9 | 18 | +100% | 0,1% |
| Direct Debit | 104,5 | 142,3 | +36,2% | 10% | 24 | 41 | +70,8% | 0,2% |
| Electronic Money | 0,7 | 45,5 | +6400% | 3% | NA | 0,2 | NA | |
| Total | 1.108,9 | 1.394,0 | +25,7% | 100% | 10.305 | 15.348 | +48,9% | 100% |
* The data are very small relative to other relevant data in the table.
Source: ECB Blue Book – June 2001
Cost of payment
However, there is a significant shift from paper based towards electronic transfers and use of debit and credit cards has significantly intensified

6 Internet is by far the cheapest way to process a payment
Payment unit costs in Europe (€ per transaction):
- Paper-based transfer: 1.24 (still 30% of all payments in volumes)
- Direct Debit modification: 0.74 to 4.96 (opening, changes, cancellation, …)
- Phone: 0.50
- ATM: 0.27
- Online (PC): 0.23
- Internet: 0.10

7 Significant differences between US and Europe
[Figure: three charts, "US Consumer Payments in 1998", "US Consumer Payments in 2005" and "US Consumer Payments in 2010" (% share of transactions), split into credit cards, debit cards, electronic, checks and cash; totals shown in the charts: ~$4.5 trillion, ~$6.8 trillion, ~$8.8 trillion. Source: Nilson Reports; Accenture analysis]
Checks are intensively used in the US while transfers and direct debits are hardly used

8 Electronic billing is a promising solution in the USA
[Figure: charts for 1999 to 2004 showing US Retail Bills Presented & Paid Online (million), EBPP Households (million), Recurring Household Bills Payable Online (%) and Percentage of all Bills (%), with the note "Consumers able to view & pay at least 60% of all their recurring bills at one site". Source: IDC; Jupiter Communications; Data Monitor; Forrester Research; Tower Group; Gartner Group; Accenture analysis]
But the situation is different in Europe: actually, in Belgium, 80% of people use direct debit* to pay their bills. Consequently, bill presentment is not so important. The e-billing/invoice system used in the US is obsolete compared to the system in use in Europe.
*Domiciliation

9 Billing Process: Electronic Bill Presentment and Payment Overview
1. Customer uses Internet to access websites where bills reside
2. Billers send electronic bills to appropriate site(s)
3. Customer authorizes payment through website
4. Payment is sent electronically (ACH*, RPS, etc.) from customer bank to biller bank
5. Remittance and payment information is sent to biller for posting
Parties in the diagram: Billers, Internet Website, Customer’s Bank, Biller’s Bank.
EBPP includes bill presentment and payment
*Automated Clearing House: clearing method including netting, and typical to the U.S.

10 EBPP: multi-channel presentation and delivery
Presentment options:
- White labeled: direct billing through ASP or presentment via a third party CSP
- TTP branded: on the TTP’s Portal
Payment options:
1. For the B2C and SME: eBanking; credit cards; e-mail based payments (PayPal, x.com)
2. For corporates: regular payment systems; international netting of payments
Diagram, from billers to customers:
- Billers: small enterprises & independents (online invoice templates), medium enterprises, large billers and third party CSPs, connected via FTP/XML/EDIFACT
- Trusted Third Party (TTP) EBPP Consolidator, with a client subscription DB holding delivery preferences (physical delivery, WAP & PDA, eBanking, TTP Portal, other portal, eMail@TTP.be, other eMail) and notification preferences (SMS, eMail, portal alert), plus printing & physical delivery
- Customers (Consumer, SME, Corporate), reached through eBanking or another portal:
  - GUI for view and pay + eMail with bills + notification
  - GUI for view and pay + integration into standard accounting packages + bill analysis features
  - FTP/XML/EDIFACT + integration into ERP systems + notification to responsible A/P
Potential Value Added Services by TTP:
1. Factoring
2. Intra-corporate and inter-corporate Netting
3. Cash Management (incl. FX)
4. Trade Finance
5. Trust services

11 Introduction to epayments; Network security principles and concepts; B2C ePayments solutions; B2B ePayments solutions

12 Six security principles
Digital security data must address several critical needs (Need: Description):
- Integrity: Data is not changed in an unauthorized way
- Confidentiality: Transactions and communications are kept private
- Identification: Our customers are identified
- Non-Repudiation: An individual cannot deny that a transaction was made
- Authentication: Transaction participants are known
- Authorization: Transaction participants are authorized

13 Authentication
Two components are necessary: an authentication server and an authentication client.
The authentication client will prompt the user to enter his identifier and shared secret and will pass the information to the authentication server.
The authentication server will then confirm that the identifier is valid, and that the shared secret matches the identifier.
The authentication server will then pass a yes/no response back to the authentication client. The user will then be granted or denied access to the application.
Diagram labels: Authentication flow; Authentication response.
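The client/server flow on this slide, as an added example that is not part of the original presentation. The class names, the PBKDF2 work factor and the three-attempt lockout are assumptions chosen for the illustration; the server stores only a salted derivation of the shared secret and answers yes/no in the same way for a wrong secret and an unknown identifier.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumed work factor for this example
MAX_FAILURES = 3          # assumed lockout threshold


def derive(secret: str, salt: bytes) -> bytes:
    """Stretch the shared secret so the server never stores it in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class AuthenticationServer:
    def __init__(self):
        self._records = {}    # identifier -> (salt, derived secret)
        self._failures = {}   # identifier -> consecutive failed attempts
        # Dummy record: an unknown identifier costs the same work as a known
        # one, so response time does not reveal which identifiers exist.
        self._dummy = (os.urandom(16), os.urandom(32))

    def enroll(self, identifier: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[identifier] = (salt, derive(secret, salt))

    def verify(self, identifier: str, secret: str) -> bool:
        """Return the yes/no response for one login attempt."""
        known = identifier in self._records
        salt, expected = self._records.get(identifier, self._dummy)
        # Constant-time comparison of the derived values.
        matches = hmac.compare_digest(derive(secret, salt), expected)
        if self._failures.get(identifier, 0) >= MAX_FAILURES:
            return False      # locked out, even with the right secret
        if known and matches:
            self._failures.pop(identifier, None)
            return True
        self._failures[identifier] = self._failures.get(identifier, 0) + 1
        return False


class AuthenticationClient:
    """Collects identifier and shared secret and relays the server's answer."""

    def __init__(self, server: AuthenticationServer):
        self._server = server

    def login(self, identifier: str, secret: str) -> str:
        return "granted" if self._server.verify(identifier, secret) else "denied"


if __name__ == "__main__":
    server = AuthenticationServer()
    server.enroll("alice", "correct horse")        # constructed sample account
    client = AuthenticationClient(server)
    print(client.login("alice", "correct horse"))  # right secret
    print(client.login("alice", "guess"))          # wrong secret
    print(client.login("mallory", "guess"))        # unknown identifier
```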

14 Encryption
Diagram labels: Encryption architecture; Message encryption process.
Cryptography services are provided with a Public Key Infrastructure (PKI).
In public key encryption, all entities will be issued public keys.
The private key is generated via an algorithm based on the public key and all public keys are stored in a central storage location.
The distribution of public keys and maintenance of central storage for the public keys establishes the public key infrastructure for ecommerce transactions.
When the end user wants to send a message, he generates a private key based on his public key.
He encrypts the message using his private digital signature key.
When the business application server receives the transaction, it looks up the end user’s public key from the central storage location and decrypts the message with the key.
The business application server can decrypt the message because it has the corresponding public key.

15 Digital signatures
Diagram labels: Digitally signing a message; Sending a digitally signed message.
A digital signature is an encrypted message hash.
A message hash is a mathematical formula that is run against a message to create a unique number. This mathematical formula is well known to all participants in a transaction.
When the message hash is encrypted with the user’s private key, it becomes a digital signature.
A certificate is a digital document that binds a public key to an entity. In their simplest form, certificates contain an entity’s name and public key.
When signing a message with a digital signature, an entity will also send its certificate containing its identity and public key.
Certificates are issued and maintained by a Certificate Authority (CA). This CA is a secure, trusted entity who will issue certificates to authorized entities only and who will verify that a certificate is valid.

16 Digital signatures/2
Parties in the diagram: Sender; Recipient; Trusted third party (Security Services, Certificate Authority (CA), Certificate Repository holding Certificates and Revocation Lists (CRLs)).
- Sender applies to Certificate Authority (CA) as trusted third party*
- CA verifies sender’s identity, issues certificate (with public key data) and publishes certificate in repository
- Sender creates and signs message and attaches certificate
- Recipient trusts CA, certificate and contents, including public key**
- Recipient extracts public key to verify sender signature
- Recipient verifies identity and integrity
Digital Certificate, Industry Standard: name, public key, expiration date, CA name, CA signature, CA signature algorithm identifier, certificate version, and serial number
* In practice the entity that identifies the users is called a Registration Authority
** If the recipient does not trust the CA, they can find a certificate attesting to the identity of the ICA, and possibly construct a chain of certificates terminating at a trusted root CA
(Source: Digital Signature Trust; Accenture analysis)

17 Validating digital signatures
Diagram labels: Validating a digitally signed message; Validating a certificate.
The business will receive the message and the end user’s certificate. However, the business has no way of knowing that the certificate is valid, i.e. that it contains the correct name and public key information.
Therefore the business will send the end user’s certificate to the CA.
The CA maintains a directory of authorized entities and their public keys. When the CA receives the end user’s certificate, it will confirm or deny the validity of the certificate and send it back to the business.

18 Digital signature – Recent legislation
- European directive (December 13, 1999) on digital signatures
- Belgian law (October 20, 2000 and July 9, 2001)
  – A signature can consist of a set of electronic data which can be associated with a well-defined person and which certifies the integrity of the content
  – Legally binding nature of a digitally signed document
- The law targets mainly the digital signatures based on asymmetric cryptography and combined with a digital certificate (PKI)
- Legislation defines the role and responsibilities of the Certification Authority
  – Approval
  – Control
- The CA role consists of certifying the link between a person and their public key
- CA liability: a CA which delivers a qualified certificate is liable for any damages caused to anyone who has trusted the certificate
  – In practice, the purpose is to limit carelessness (not timely revocation of a certificate…)

19 Providing non repudiation
The business now knows that the certificate contains the correct public key for the end user.
The business will then decrypt the message hash using that public key.
The business will then rerun the message hash using the known mathematical formula.
If the decrypted message hash matches the message hash which the business just created, then it has been verified that the message was sent by the end user, and that the message was not altered during transmission.
Therefore non repudiation for the message is provided.
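The sign, certify and validate sequence of slides 15 to 19, as an added example that is not part of the original presentation. It uses textbook RSA over SHA-256 with fixed Mersenne primes so that it runs with the standard library alone; that construction, the certificate fields and all names are assumptions for illustration (real systems use a vetted library and a padded scheme such as RSA-PSS), and the recipient checks the CA's signature and revocation list locally rather than sending the certificate back to the CA.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent


def make_keypair(p: int, q: int):
    """Key pair created together from two primes: ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def message_hash(data: bytes) -> int:
    """The 'well known mathematical formula': SHA-256, read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(message_hash(data), d, n)   # hash transformed with private key


def signature_ok(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    # Recover the signed hash with the public key, recompute it, compare.
    return pow(signature, e, n) == message_hash(data)


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple
    serial: int
    not_after: int          # expiry date as YYYYMMDD
    issuer: str
    ca_signature: int = 0

    def tbs(self) -> bytes:
        """Bytes the CA signs: everything except the CA signature itself."""
        n, e = self.public_key
        return f"{self.subject}|{n}|{e}|{self.serial}|{self.not_after}|{self.issuer}".encode()


class CertificateAuthority:
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.public_key, self._private_key = make_keypair(p, q)
        self.revoked = set()   # revocation list: revoked serial numbers

    def issue(self, subject, public_key, serial, not_after) -> Certificate:
        cert = Certificate(subject, public_key, serial, not_after, self.name)
        return replace(cert, ca_signature=sign(self._private_key, cert.tbs()))


def verify_signed_message(data, signature, cert, ca_public_key, crl, today):
    """Recipient-side validation; returns (ok, reason)."""
    if not signature_ok(ca_public_key, cert.tbs(), cert.ca_signature):
        return False, "certificate not issued by trusted CA"
    if cert.serial in crl:
        return False, "certificate revoked"
    if today > cert.not_after:
        return False, "certificate expired"
    if not signature_ok(cert.public_key, data, signature):
        return False, "signature does not match message"
    return True, "valid"


if __name__ == "__main__":
    # Constructed sample data; Mersenne primes stand in for generated keys.
    ca = CertificateAuthority("Example CA", 2**1279 - 1, 2**2203 - 1)
    user_pub, user_priv = make_keypair(2**521 - 1, 2**607 - 1)
    cert = ca.issue("End User", user_pub, serial=1001, not_after=20301231)
    order = b"PAY 250.00 EUR TO VENDOR-42"      # constructed payment order
    sig = sign(user_priv, order)
    print(verify_signed_message(order, sig, cert, ca.public_key, ca.revoked, 20250101))
    altered = b"PAY 950.00 EUR TO VENDOR-42"    # altered in transit
    print(verify_signed_message(altered, sig, cert, ca.public_key, ca.revoked, 20250101))
    ca.revoked.add(1001)                        # CA revokes the certificate
    print(verify_signed_message(order, sig, cert, ca.public_key, ca.revoked, 20250101))
```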

20 Transport/Encrypted connection
- TCP/IP (Transmission Control Protocol/Internet Protocol) governs the transport and routing of data over the internet
- The SSL protocol allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection
- The SSL protocol addresses the security of the communication, while symmetric and asymmetric encryption address security issues related to the data transferred
Layer diagram: Application layer (HTTP); Secure sockets layer (SSL); TCP/IP layer; Network layer

21 Data encryption - Isabel illustration
Diagram elements:
- Client, identified by the Registration Authority (RA) (identification of the client) through the client’s bank
- Payment software + empty microchip + software interface
- Private key (key known only to the user): the private key is generated and recorded on the chip when the PC is started. To use the chipcard, a PIN code must be entered
- Public key (key publicly known): there is a logical (mathematical) relation between the private and the public key
- Isabel Platform (acting as root Certification Authority); Isabel’s network = Belgian banks network
- The Certification Authority (CA) delivers the digital certificate
- Public Directory (Yellow pages): contains client data and stores the public key. The digital certificate is stored in a directory

22 Data encryption - Isabel illustration/2
Diagram: the user, via the software interface and the Isabel Platform (Isabel’s network = Belgian banks network), checks his accounts and initiates payments with the user’s banks.
Four characteristics determine the security level of an electronic file:
- Authentication: confirming the identity of parties involved in the transaction
- Integrity: confirmation that the content of a message has not been altered
- Non-repudiation: the signer cannot deny the signing of the message
- Encryption: allows the sender to encrypt the messages he wants to send in order to keep their content secret
These characteristics can only be conferred on an electronic file through Certification

23 Introduction to epayments; Network security principles and concepts; B2C ePayments solutions; B2B ePayments solutions

24 What do the Belgians buy online and where?
- The goods most frequently bought online are books, CDs, software, hardware, event tickets and transport tickets
- More than one third of purchases are made on a foreign internet site. This has an impact on the payment methods used
Source: Belgian internet mapping – October 2000

25 Which tools do the Belgians use to pay for their online purchases?
- One order out of two is paid by credit card. Use of edebit cards is limited at this stage
- Remittances (e.g. virements) account for a significant share of payments, in particular for domestic purchases
Source: Belgian internet mapping – October 2000

26 Retail Solutions: eDebit Card
Banxafe is the security label developed by Banksys to guarantee total reliability of bankcard payments over the Internet. This concept has already set a new standard for on-line payment security.
1°) Install your Banxafe terminal
2°) Choose your Banxafe payment system: Bancontact, Mister Cash, Visa, Mastercard
3°) Insert your Bancontact/Mister Cash card in the terminal
4°) Type your secret code twice and confirm the amount of your purchases
Your payment is done!
PKI and digital signature: security is achieved by a public key authentication applet. This applet is accessed by a banking PIN and generates a digital signature which is checked by a public key infrastructure certificate. The client uses a private key to sign his payments. Banksys has the corresponding public key and can authenticate the identity of the sender

27 Banxafe
Diagram labels: Digitally signing a message; Sending a digitally signed message.
An authentication applet will generate a message hash when the user inputs his PIN code.
The payment itself and the message hash are encrypted with a private key.
The user certificate is sent with the encrypted transaction.
Certificates are issued and maintained by Banksys (Certificate Authority (CA)).

28 Banxafe
Diagram labels: Validating a digitally signed message; Validating a certificate.
Banksys will receive the message and the end user’s certificate.
Banksys is the CA and maintains a directory of authorized entities and their public keys. Based on the end user’s certificate, it will confirm or deny the validity of the certificate.
Banksys will decrypt the transaction with the corresponding public key.

29 Banksys overview: key facts and figures per business line
- Founded in 1989 as a merger of Bancontact and Mister Cash
- Consortium owned by 58 banks (Belgian or with subsidiary in Belgium)
- Provider of integrated card-system to banking industry, traders, self-employed persons and card holders:
  – Networking: managing Banknet, private IP network, with 25 mio transactions monthly
  – Equipment: design, installation and maintenance of terminals Bancontact/Mister Cash, Proton(76.000)
  – Customer services and support for Visa cards, due to take-over of activities (except sales) of Bank Card Company in 1999
- Banknet accounts for
- International presence:
  – STEP, managing ATM-ETP activities in different European countries
  – Proton as the international standard of rechargeable wallets (34,5 mio cards in 24 countries)
  – Terminal and card applications (C-Zam/Smash, solution for e-commerce)
  – Banxafe as ultra secure payment solution for credit card payment over Internet
- 6 accountable units since 1999:
  – Customer services and support
  – Networking
  – Field service
  – Operations
  – Terminals and card applications
  – Card transactions
Evolution of Ratios (Source: Annual report Banksys and Dun & Bradstreet): Net sales: € 211 mio; Operating Income: 24 mio; Net profit (after tax): € 13 mio; Employees: 1008

30 Internet Banking security
Most common security configuration:
– Use of SSL for transport security
– Use of digital signatures (via Digipass or a C-ZAM/PC terminal)
– Encryption of transaction
The Digipass looks like a “calculator”, but is a small electronic device which generates a digital signature. This signature allows the user to present himself to PC Banking, “signs” the operations, … The Digipass is connected to the PC.
The C-ZAM/PC terminal is a small device provided with a keyboard, and connected to the PC. To log in or sign operations in PC Banking, the user must insert his bankcard in the terminal, and then type his usual secret code.

31 Use of mPayments
FACT: Customers will start using mobile devices to make payments
Actors in the diagram: TelCo; Payment Provider; Bank
PKI and digital signature: security is achieved by a public key authentication applet embedded in the SIM card. This applet is accessed by a PIN and generates a digital signature which is checked by a public key infrastructure certificate. The client uses a private key to sign his payments. The telco or a company like Banksys could have the corresponding public key and could authenticate the identity of the sender
New actors emerge in the payments market

32 eCash/Deutsche Bank illustration
Customer deposits money into an eCash-enabled account. The electronic money is stored in the bank’s system until the customer uploads the money on his personal system or makes a purchase by mobile device.
Customer can choose from the following payment options:
- Upload money from bank’s system onto personal system and e-mail eCash to vendor
- Use a mobile device to transfer eCash to the vendor
Vendor needs to have an account with a bank supporting the eCash payment system. This bank will then convert eCash into a regular deposit on vendor’s bank account after it has verified the payer’s eCash account with the DB 24.
Virtual wallet: virtual pre-paid account is credited with credit card or electronic transfer and used for e-commerce/C2C payments. Enormous success of Paypal in the US based on e-mail payment procedure (12 million users. Volume: 200.000 payments/day. Value: 10 MUSD/day)

33 Introduction to epayments; Network security principles and concepts; B2C ePayments solutions; B2B ePayments solutions

34 Payment functionality for a B2B site
- eCommerce applications are often pre-enabled to use a vendor’s payment services application
- The payments services application has links with many payments networks
- Transfer of payments orders from the B2B site via the web or interface
Diagram: MERCHANT (off the shelf ecommerce applications; custom ecommerce application) connects over the INTERNET or an INTERFACE to the payments services vendor site, which links to SWIFT, Isabel, Mastercard/Eurocard, Banksys and the Clearing House, and through them to the buyer’s bank and the seller’s bank.
Services: transaction reporting; virtual terminal; merchant configuration; manual capture and settlement

35 The B2B eCommerce Value Chain
- The value chain disaggregates a firm into its strategically relevant activities
- The eCommerce technologies and possibilities for interaction have an impact on the classic sale value chain by enriching it with two new factors of differentiation: content and context.
  – Content: information presented with text, graphics, sound and video, e.g. a product description in an on-line catalogue
  – Context: the context adapts and presents the content (useful for one-to-one marketing), e.g. a catalogue where the content is customised with respect to a specific customer
Diagram: the classic sale value chain (Pre-Sale, Sale, Post-Sale) and the eCommerce value chain as an instance of the sale value chain (Pre-Sale, Sale, Post-Sale, each with Content and Context)

36 eCommerce value chain
Sellers:
- Prepare market presence
- Publish offerings
- Bid in expressed demand
- Respond to standard inquiries
- Process orders
- Confirm order
- Acknowledge cancellation
- Distribute goods
- Issue invoice
- Receive payment
- Provide support
Buyers:
- Investigate offerings
- Publish need
- Evaluate and select offers
- Place order
- Cancel order
- Receive goods or services
- Accept/non-accept goods
- Receive invoice
- Dispute (protest invoice,…)
- Submit payment
- Request support
These processes illustrate the typical interactions between buyers and sellers in trading relationships.
The processes of the actors interact mutually through the services provided by intermediaries.
eCommerce intermediaries: actors enabling various eCommerce related activities

37 Specific issues in eCommerce value chain
[Figure: sellers and buyers along the Pre-Sale, Sale and Post-Sale stages (Content, Context), with issues marked as Mandatory or Optional]
Issues listed:
- Identification and non-repudiation
- Authorizations
- Integrity
- Standardized message exchanges
- Archiving of transactions
- Transaction and payment closure
- Electronic contract enforcement
- Guarantees and financing
The transposition of a B2B sales cycle into a fully ‘electronic’ value chain context raises specific issues to be addressed

38 The Roles of eCommerce Intermediaries
In an eCommerce market place, a number of (new) intermediaries are assuming several responsibilities:
– Certification Authority: a service entrusted by one or more entities to create and assign certificates, and to manage the revocation of certificates
– Registration Authority: reliable services, which have the responsibility of registration and approval of users of certificates on behalf of the Certification Authority
– Transaction authorisation Authority: when a transaction is sent, the transaction authorisation authority checks if the amount being ordered is under the limit authorised, and takes the engagement to the receiving party
– Transaction tracing Authority: offers a proof-of-evidence of a particular transaction at an instance in time. Querying services can be provided to the buyer and seller. This can be extended with the association services of linking related transactions
– Transaction archiving Authority: archives and manages digital documents and other data for long periods of time
– Notarial Authority: notaries can provide their certification or digital signature to trading or other official documents
– Transaction translation Authority: facilitates the integration of systems by translating the output data of the sending system into a suitable format of the receiving system
– Network Services provider: ensures the network management and provides additional services directly related to the infrastructure
– Navigation Services provider: ensures the ease of navigation on the main areas of the platform
– Trusted security software provider: designs and implements trusted security solutions based on the platform’s standards

39 The Intermediaries of eCommerce
All these service provider intermediaries form the middle layer in the model.
Diagram: Buyers, Intermediaries, Sellers. Intermediaries: Certification Authority; Registration Authority; Transaction Authorisation Authority; Transaction Tracing Authority; Transaction Archiving Authority; Notarial Authority; Transaction Translation Authority; Network Services provider; Navigation Services provider; Trusted security software provider

40 International considerations
When actors with no previous business relationship are involved in an ‘electronic’ value chain at ‘e-speed’, trading communities are built from scratch and use the power of a virtual network (represented by the 4-corner model).
For this 4-corner model to operate efficiently, there is a need for a community or industry wide convention to agree on standards relating to contracts, financing, delivery,…
Diagram: Buyer and third party (e.g. Buyer service provider) in the ‘Trust’ Zone for Buyer; Seller and third party (e.g. Seller service provider) in the ‘Trust’ Zone for Seller.
When virtual communities are created with overlapping trust zones, standards and governance are needed to support the B2B sales cycles

41 Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following Trust Transaction Services need to be set up (1/2)
Trust enablement through the Trust Transaction Services: Registration; Identification; Roles and Rules; Transactions; Value-added Services; Transactional Support; Administration
Parties in the diagram: Seller; Buyer; Seller Bank; Buyer Bank; Trusted Third Party

42 Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following Trust Transaction Services need to be set up (2/2)
Trust enablement through the Trust Transaction Services:
Registration
- Enrollment
- Registration
- Certification
Identification
- Authentication
- Warranty (insurance of identity)
Roles and Rules
- Organization and roles
- Authorization and Privileges
- Policies
- SLA/OLA
- Revocation
Transactions
- Selection and execution of transactions
- Fulfilment of order process
- Settlement of payment
Value-Added Services
- Reputation services (e.g. creditworthiness)
- Financing
- Warranty/insurance of settlement, quality, timely delivery, etc.
- Notary Services
Transactional Support
- Standards and protocols
- Integrity and non-repudiation
- Privacy and confidentiality
Administration
- Trusted archiving and logging
- Dispute resolution
- Monitoring, measurement and management
- Integrity
- Compliance auditing

43 Traditional economic actors and new entrants are starting to provide fragmented and piece-wise Trust Transactions Services (1/2)
Financial institutions:
-Registration and identification (strong security level)
-Transactions – Settlement of payment
-Value-Added Services – Reputation services (off-line)
-Value-Added Services – Financing (off-line)
-Privacy and confidentiality
Standardization bodies:
-Transactional support – Standards and protocols
-Transactional support – Compliance auditing
-Roles and Rules - Policies
Secured Infrastructure Providers:
-Registration and identification
-Value-Added Services – Warranty/insurance
-Value-Added Services – Notary services
-Transactional support – Integrity and non-repudiation
-Administration
Marketplaces:
-Registration and identification (low security level)
-Roles and Rules
-Transactions – Bid/Order/Buy/Sell
-Transactions – Settlement of payment
-Transactional support – Standards and protocols

44 Traditional economic actors and new entrants are starting to provide fragmented and piece-wise Trust Transactions Services (2/2)
Financial institutions:
Registration and identification
–Corporate customers of Belgian banks with Isabel
–ABN-AMRO, Deutsche Bank and Allianz (via HypoVereinsbank) started using Identrus-based certificates to secure new applications
Transactions
–Barclays B2B.com UK first purchase-to-payment portal to cover entire B2B trading chain
–Dresdner Bank Europe’s first transactional financial portal to offer corporates online banking, risk management and transaction services
Standardization bodies:
–S.W.I.F.T. with Bolero have released 65 XML document definitions as used in international trade (e.g. commercial, documentary credit, customs) to be transported through the secured S.W.I.F.T./TrustAct infrastructure
–Identrus has defined an industry standard for digital certificates, a payment initiation application and a contractual framework that regulates their usage
–E.U. passed a directive on 19 January 2000 making digital signatures equivalent to paper based signatures
Secured Infrastructure Providers:
–S.W.I.F.T. with TrustAct is a secured Internet-based messaging service with non-repudiation and identification based on Identrus certificates
–Isabel provides proprietary certificates and a secured messaging service to all corporate customers of the Belgian banks (more than 45,000 companies)
–Government sponsored bodies such as the Spanish Mint provide all citizens with a digital certificate and signature
Marketplaces:
–‘Industry-centered’ (industry consortia or independent) or ‘company-centered’
–Focus on seamless procurement and supply chain integration

45 Identrus
[Diagram: Identrus system-wide roles & responsibilities. The Root Certificate Authority (CA) sits above the Issuing Participant and the Relying Participant; each participant runs a Certificate Authority, a Risk Management Module, an OCSP Responder & Repository and a Transaction Coordinator, as does the Root CA. The Subscribing Customer is the Purchasing Manager (Certificate Holder); the Relying Customer is the Seller (Relying Party) with its Client App. Business to Business Interactions take place between the two customers under the Identrus Contracts & Procedures.]
Online Certification Service Provider: check banks’ certificates + yellow page

46 Identrus
Identrus was created in April ’99. It acts as Root Certification Authority (CA) amongst the different public key infrastructures (PKI) of the banks set-up across the world, ensuring their inter-operability.
Identrus uses the “four-corner” model among the Buyer, the Seller, and their respective banks to allow these banks to provide trusted eCommerce services: Payments, Warranty of identity and of settlement, Letters of credit, Commercial paper, Credits, Creditworthiness, Secure Mail and intermediation, …
Identrus and Swift have recently announced an alliance whereby Swift will operate a trusted and value added network for B2B exchanges based on the Identrus model and trust tree
A number of the original Identrus founding banks are working on the Eleanor project, jointly defining new global standards for B2B ePayments and market place facilities
Its 30 to 40 shareholder banks include
-ABN Amro
-ANZ Banking Group
-Bank of America
-Barclays Bank
-BNP Paribas
-BSCH
-CIBC
-Chase Manhattan Bank
-Citigroup
-Crédit Agricole de France
-Commerzbank
-Deutsche Bank
-Dresdner Bank
-HSBC Group
-Hypo Vereinsbank
-Industrial Bank of Japan (IBJ)
-NatWest Group - RB of Scotland
-Sanwa Bank
-Scotiabank
-Société Générale
-Wells Fargo

47 TrustAct - SWIFT
How the service works
Two businesses have subscribed to the e-trust service from their respective financial institutions. Using TrustAct, businesses can validate their trading partners' certificates and have complete assurance of the identity of the other trading party.
1. The buyer browses the seller's catalogue.
2. The seller wants identity assurance and requests the buyer to forward a signed commercial document to TrustAct together with a certificate from the buyer's financial institution.
3. TrustAct performs a basic validation of the certificate and requests the respective financial institutions to validate the identity of their business. TrustAct also checks with Identrus to ensure that both institutions are scheme members.
4. TrustAct relays the assured order to the seller who now has an order that can be relied upon.
5. The seller returns a signed receipt to the buyer, via TrustAct, who now has an assured receipt that can be relied upon.
6. TrustAct records and maintains time-stamped records of all messages received by the TrustAct server.
SWIFT and Identrus™ LLC have entered into an alliance to offer a joint solution to facilitate business-to-business (B2B) trusted communication (based on Identrus' identity trust services and SWIFT's messaging capability).
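The six TrustAct steps above can be followed in code. This sketch is an added illustration, not SWIFT's or Identrus' software: the party names, registries and message layout are constructed, and an HMAC with a demo key stands in for the certificate-based digital signature so that it runs with the Python standard library only.

```python
import hashlib, hmac, time

# Constructed sample data: scheme membership (the root's role) and bank registries.
SCHEME_MEMBERS = {"BuyerBank", "SellerBank"}
BANKS = {
    "BuyerBank": {"acme-buyer": {"key": b"buyer-demo-key", "status": "good"}},
    "SellerBank": {"widget-seller": {"key": b"seller-demo-key", "status": "good"}},
    "OutsideBank": {"other-corp": {"key": b"outside-demo-key", "status": "good"}},
}
AUDIT_LOG = []  # step 6: time-stamped record of every message received

def sign(key, document):
    """Assumption: HMAC-SHA256 as a demo stand-in for a certificate-based signature."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()

def make_message(kind, sender, bank, peer_bank, document):
    """Build a signed order or receipt as the sending business would (steps 2 and 5)."""
    key = BANKS[bank][sender]["key"]
    return {"kind": kind, "from": sender, "peer_bank": peer_bank, "document": document,
            "cert": {"subject": sender, "issuer": bank}, "signature": sign(key, document)}

def bank_validates(bank, customer, document, signature):
    """The issuing bank confirms its customer is in good standing and signed the document."""
    record = BANKS.get(bank, {}).get(customer)
    if record is None or record["status"] != "good":
        return False
    return hmac.compare_digest(sign(record["key"], document), signature)

def trustact_relay(msg):
    """Steps 3 and 4: log the message, validate it, then relay it as assured or reject it."""
    AUDIT_LOG.append((time.time(), msg["from"], msg["kind"]))
    cert = msg["cert"]
    if cert["subject"] != msg["from"]:  # basic certificate validation
        return "rejected: certificate does not match sender"
    if not {cert["issuer"], msg["peer_bank"]} <= SCHEME_MEMBERS:  # both banks in the scheme
        return "rejected: institution is not a scheme member"
    if not bank_validates(cert["issuer"], cert["subject"], msg["document"], msg["signature"]):
        return "rejected: issuing bank did not confirm identity"
    return "assured"
```

The relying party never judges the other side's certificate itself: the decision rests on the issuing bank's answer and on scheme membership, which is why a revoked customer or a bank outside the scheme is refused even when the signature is intact.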

48 SWIFT overview
Swift (Society for Worldwide Interbank Financial Telecommunication), located in Brussels, is a cooperative society owned by 239 member banks and financial institutions (founded in 1974)
Offices in 25 locations worldwide
Employees: 1,800 (of which 1,000 in Belgium)
Geographic spread: Europe accounts for 2/3rd of revenues
-US #1
-UK #2
-Germany #3
-France #4
-Belgium #5
Business include
-Financial messaging
-Payments
-Securities
-Treasury
-Trade finance
-E services
-TrustAct (Identrus)
Swift statistics YTD 08 2001
Traffic
-# messages YTD 08 2001: 987,617,134
-# messages 2000: 1,274,000,000
-Message growth YTD: 16,42%
-Average daily traffic: 5,868,194
FIN Availability
-FIN Systems: 100%
-Transport network: 99.995%
-Overall service: 99.995%
Customer base
-Live countries: 193
-Live members: 2,268
-Live sub members: 3,054
-Live participants: 1,901
-Total live users: 7,223

