Electronic payment put in context
Transcription
Electronic payment put in context
Electronic payment put in context Bill payment, electronic commerce and exploitation of electronic products (Deliverable D0.1b) Colophon Date : March 4, 2002 Version : 3.0 Change : 2.0 January 24, 2001 2.6 November 29, 2001 Separated general backgrounds from Start of update GigaABP/2000/D1.1 payment in specific contexts 2.7 January 10, 2002 Version for (external) review 3.0 March 4, 2002 Final version Project reference : GigaABP/2001/D0.1b TI reference : TI/RS/2001/081 Company reference : URL : http://gigaabp.telin.nl Access permissions : Public Status : Final Editor : Sander Hille Company : Telematica Instituut Author(s) : Sander Hille, Petra van der Stappen Synopsis: This document puts electronic payment in the contexts of bill payment, electronic commerce and exploitation of electronic products such as content or electronic services. It takes mainly a business and functional perspective on this topic. As illustration we provide examples of commercial products and services that are available in the Netherlands to realise electronic payment in these contexts. COPYRIGHT © 2002 TELEMATICA INSTITUUT PERSONAL USE OF THIS MATERIAL IS PERMITTED. HOWEVER, PERMISSION TO REPRINT/REPUBLISH THIS MATERIAL FOR ADVERTISING OR PROMOTIONAL PURPOSES OR FOR CREATING NEW COLLECTIVE WORKS FOR RESALE OR REDISTRIBUTION TO SERVERS OR LISTS, OR TO REUSE ANY COPYRIGHTED COMPONENT OF THIS WORK IN OTHER WORKS MUST BE OBTAINED FROM OR VIA TELEMATICA INSTITUUT (HTTP://WWW.TELIN.NL). Preface This document reports on the second part of research on payment systems that has been conducted within the context of GigaPort Applications (http://www.gigaport.nl/), in particular the Giga Accounting, Billing and Payment project (GigaABP, see http://gigaaabp.telin.nl). It contains information on electronic payments systems in three contexts: 1. Bill payment (Electronic Bill Presentment and Payment – EBPP), 2. Electronic commerce (in particular: web-shops), and 3. Exploitation of electronic products (content, electronic services). We take the perspective of a decision maker in a company that wants to make use of electronic payment in any of the three contexts. We describe the aspects that (s)he should take into account when deciding upon systems to deploy. Our focus is on the situation in the Netherlands, sometimes extended when this may illustrate the domestic situation in comparison to other countries. We have tried to keep the discussions as less technical as possible, mainly taking a business and functional view on matters. The material presented here is extensive but not a complete encyclopaedic work containing all available commercial systems. Mentioning and discussion of the latter systems has been meant as illustration of the general line of discourse. The first part of research on payment systems was a survey of the current Dutch overall payment system as provided by the financial sector, i.e. the commercial banks, De Nederlandsche Bank, Interpay and credit card organsations (see [HiSt01]). This first part serves as background for the material presented in this document. The document also contains some material that was obtained from the GigaPort project on Transaction Services, GigaTS. We would like to thank Wil Janssen and Petra van der Stappen for providing this information. Moreover, we would like to thank Arnold Sneijers and Ivo Heemskerk (Interpay Nederland, Business Unit e-Commerce) for valuable discussions on electronic bill presentment, Roel Stap (TNO FEL e-Business), Henk Jonkers and Andrew Tokmakoff (Telematica Instituut) for their contributions in preparing this document. Finally we would like to thank the reviewers, Ivo Heemskerk, Wim Nouwens, Petra van der Stappen and Andrew Tokmakoff for their valuable suggestions and comments as reviewers of earlier versions of this document. More information with regard to the content of this report or on the GigaABP project can be obtained from the project manager, Sander Hille (email: [email protected], or by phone: +31-(0)53 4850485). Other reports that resulted from the project are available at http://gigaabp.telin.nl (‘Publications’), or through the GigaPort web site: http://www.gigaport.nl. Dr. Sander C. Hille Project manager GigaABP. G I G A A B P / 2 0 0 1 / D 0 . 1 B V Table of Contents 1 Introduction 11 1.1 Document scope 11 1.2 Related project research and information 13 1.3 Document structure 14 2 Payment over public communication networks 17 2.1 The issues 17 2.1.1 Trust 17 2.1.2 Cross-border payments 18 2.1.3 Direct payment 18 2.2 Misconceptions on Internet payment 19 2.3 The roles of mobile communication in payment 20 2.3.1 Payment terminal in the physical world 21 2.3.2 Payment terminal in the virtual world 22 2.3.3 Direct payment channel 22 2.4 Merging of payment flows 23 3 Overview of bill presentment and bill payment 25 3.1 Introduction 25 3.2 A functional reference model for billing and bill payment 26 3.3 Differences between B2C and B2B billing 26 3.4 Instruments for bill payment 27 3.5 Bill distribution and presentment: print and mail services 28 3.6 Developments in bill presentment and bill payment 28 3.6.1 A digital acceptgiro 29 3.6.2 Electronic Bill Presentment (e-Billing) 30 3.6.3 Bill consolidation and payment services 30 4 Electronic Bill Presentment and Payment 33 4.1 Introduction 33 4.2 The impact of cultural aspects 33 4.3 Models for EBP 34 4.4 US players 37 4.5 Dutch providers of EBP solutions and services 38 4.5.1 Anachron: ‘Pulse Suite’ 38 4.5.2 Bluem 39 4.5.3 TNT Post Group: ‘Privver’ 39 Intrum Justitia 39 4.5.4 4.6 Standards 40 4.6.1 Open Financial Exchange (OFX) 40 4.6.2 GOLD message standard 41 4.6.3 Interactive Financial Exchange (IFX) 42 G I G A A B P / 2 0 0 1 / D 0 . 1 B VII 4.7 Examples of Electronic Bill Presentment systems 42 4.7.1 BillCast (Avolent) 42 4.7.2 WorkOut (Alysis) 43 4.7.3 4.8 Oracle’s Bill Presentment and Payment Solution 44 Trends and developments 44 5 Payment in e-commerce context 47 5.1 Issues in the virtual world 47 5.1.1 Direct payment 47 5.1.2 International reach 48 5.2 Examples of dedicated account-based systems 48 5.2.1 PayPal 48 5.2.2 Jalda-based Safetrader 49 5.3 Example of international collection: GlobalCollect 50 5.4 Generic system architecture 51 5.5 Payment Service Providers (PSPs) 53 5.5.1 Bibit Internet Payment Services 54 5.5.2 NetGiro 55 5.5.3 TWYP - The Way You Pay 56 6 Electronic wallets: shopping and payment assistants 57 6.1 Introduction 57 6.2 Basic wallet functions 58 6.3 Product examples 58 6.3.1 ABN-AMRO’s e-Wallet 59 6.3.2 Microsoft Passport 59 6.3.3 Novell’s Digitalme 60 6.3.4 6.4 Xiring: the Wireless Wallet concept 60 Wallet standards and frameworks 61 6.4.1 Electronic Commerce Modelling Language (ECML) 61 6.4.2 Java Wallet 62 6.5 The future of e-wallets 63 7 Adaptation of real world payment instruments 65 7.1 Introduction 65 7.2 Credit cards 65 7.2.1 Secure Socket Layer (SSL) 66 7.2.2 Secure Electronic Transactions (SET) 67 7.2.3 I-Pay – Interpay’s Dutch SET payment platform 68 7.2.4 The Three Domain Model (3D SET) 69 7.2.5 Virtual Credit Cards 69 7.3 7.3.1 7.3.2 7.4 VIII Debit cards 70 Rabo Direct Betalen 70 On-line use of Maestro 71 Card-based electronic money 71 G I G A P O R T 7.4.1 Proton on Internet 72 7.4.2 Chip-Secure Electronic Transaction (C-SET) 72 7.5 Trends and developments 73 8 Exploitation of electronic products 75 8.1 Introduction 75 8.2 Characteristics 75 8.3 Potential payment scenarios 76 8.3.1 Example: ISP – Trivnet’s WiSP 77 8.3.2 Example: Access network operator 79 8.3.3 Example: ISP and Network operator – KPN’s SwitchPoint 79 8.4 Total solutions for content-exploitation 80 8.4.1 Magex 80 8.4.2 Qpass 81 8.4.3 NetBill 81 8.5 Network-based electronic money schemes 82 8.6 Evaluation of discussed payment systems 84 9 Micropayment systems 85 9.1 Introduction 85 9.2 The problems to solve 85 9.3 Potential players 86 9.4 Commercially available micropayment systems 87 9.4.1 NewGenPay’s Micropayment solution (former IBM) 88 9.4.2 Millicent (Compaq) – a token-based system 90 9.5 9.5.1 9.5.2 9.6 Micropayment standards and standardisation efforts 91 A Common Markup for micropayment per-fee-links 91 (Draft) Micro Payment Transfer Protocol (MPTP) 92 The future of micropayment systems 93 10 Conclusions 95 10.1 Coverage of on-line payment transactions 95 10.2 Cultural impact 95 10.3 Introduction of new payment services and instruments 96 10.4 Telco-finance integration 96 G I G A A B P / 2 0 0 1 / D 0 . 1 B IX 1 Introduction The Internet offers new business opportunities. New electronic products and services can be delivered. In order to get the services operational, substantial investments in technology and marketing must be made by those who endeavour in this new business. These companies require return on investments. The sooner, the better. The crucial question is how to realise (financial) return. First there is the question of selecting the appropriate exploitation strategy and business model. Various types exist and may look promising. However, an important issue in many cases may be the level of support provided by ICT systems for these strategies and models. The second issue therefore is to select systems, strategy and model in such a way that the company retains flexibility towards future developments – with regard to all three: changes in systems, strategy or business model. There are however two functions that are needed in any case: (1) measurement of the sales figures or individual usage (metering and accounting) and (2) the settlement of financial claims that the service provider holds on the service user or a third party that result from usage sessions or online order transactions (billing and payment). Money must change hands somehow. 1.1 Document scope The main objective of the research within the GigaABP project is providing insight into the divers ways in which the commercial exploitation of network-based services could be realised. This document focuses on the second main function: billing and payment, in a business-toconsumer (B2C) setting. These functions, complemented with the delivery of goods and services for which the consumer is paying, realise the settlement phase of a B2C transaction (see Figure 1). We do not consider the Business-to-Business (billing and payment) relationship between the merchant or service provider and his supplier(s). Moreover, we do consider only situations in which monetary value is exchanged for the goods and services. The support of barter, i.e. the exchange of products (goods or services) for other products, is beyond our scope. Delivery: Goods and services B2C transaction Consumer B2B Transfer: Money Beyond scope Merchant, Service Provider Supplier Figure 1: The Business-to-Consumer setting G I G A A B P / 2 0 0 1 / D 0 . 1 B 11 Various factors influence which payment systems and services are available or which players are involved in the transfer of monetary value, in the full payment transaction process. One factor is the international extent of the economic transaction. If goods, services and money need to cross national borders, then typically different players, processes and systems are encountered than in a national (‘domestic’) setting. Legislation and regulations vary over countries. In this document we focus on a domestic setting, on the Netherlands. The consumers and merchants or service providers are located in the Netherlands. We treat the services and systems that they have at their disposal for effecting payments over public electronic communication networks. These generally differ from those provided in other European countries, the US or other parts of the world. A second factor is the context in which payment transactions (the transfer of money) take place, i.e. the type of economic transactions in which they are used. We identify three fundamental contexts (see also Figure 2): 1. Bill payment, Typically used when there is a trust relationship between consumer and vendor, often on a long-term basis. The average transaction value ranges from about € 15 upwards to very large amounts. Bill payment is often used to aggregate small value amounts. 2. Electronic commerce, By which we mean here the selling of physical goods or services through electronic communication channels. The trust-relationship between consumer and vendor may be less established than in the bill payment context because of occasional buyers contacting the vendor though the indirect communication channels, such as phone, email or the Web. The transaction value in this type of transactions ranges somewhere between € 5 and € 500. Vendors may require direct payment, before delivery takes place. 3. Exploitation of electronic goods and services, That is, a context in which intangible, electronic products are sold and directly distributed through electronic communication networks with hardly any human activity involved in the selling and delivery process, if at all (‘unattended points-of-sale’). The transaction value in this context will be low, in the range of approximately € 0.10 to € 5. Bills Invoice ‘Subscription, post-paid, long(er) term relationship…’ Utilities Telecom B2B B2C €0 0.10 €5 Digital products € 15 € 500 Physical goods Content ‘Per item, direct, Books Electronic services Transaction value Clothing CDs/DVDs short term relationship…’ Figure 2: Payment contexts: ‘What are we paying for on-line?” 12 G I G A P O R T Each context has different characteristics and has different requirements on payment systems that can be used in these situations. Consequently companies offer payment products and services that target special usage context. It is the objective of this report to provide insight into the relationships between payment contexts, requirements and players involved. Furthermore, we sketch and analyse current developments in e-payment and billing. The settlement of Business-to-Consumer transactions as presented in Figure 1 attracts various players; from the financial sector, the telecom and Internet sector and from the transport & logistics sector (see Figure 3). Some players target the Consumer; others the Merchant/Service Provider. Some target both. In this document we focus on the role that the Telecom and Internet sector plays in electronic payment, together – or in competition – with the financial sector that traditionally has been the provider of payment services. The latter is involved in the processing, clearing and settlement of payment transactions even if dedicated Internet solutions are used. In fact, consumer’s money resides initially mainly in bank accounts. Therefore the relation between the financial sector’s overall payment system and these dedicated solutions is important to understand. For that purpose backgrounds on the overall payment system in the Netherlands are provided in [HiSt01]. Scope of [HiSt01] Central banks Credit card organisations Financial networks Banks Clearing Houses Financial sector Service Bureaus Fixed Banks ISPs Wallet SPs Consumer Network money issuers Financial networks e-Bill presenters PSPs Transaction Processors Merchant or Service Provider Telecom and Internet Mobile ISPs Mobile network operators Fulfillment companies Mobile Parcel delivery firms Scope of this document Transport & logistics Non-electronic ISP: Internet Service Provider SP: Service Provider PSP: Payments Service Provider Figure 3: Positioning of this document in the field of retail payment transactions 1.2 Related project research and information The GigaABP project was tasked to study the functionality, systems and business relationships that are required to establish an end-to-end solution for the financial exploitation of network-based services. The basis for all research activities is a functional architecture for G I G A A B P / 2 0 0 1 / D 0 . 1 B 13 1 financial exploitation that has been developed in the project [JBHS01] . In [JBHS01], examples have been worked-out: a webshop, a video-on-demand service and payment for electronic services through billing and pre-paid systems of a mobile network operator. Other research activities in the project, including those that resulted in this document, are related to this architecture (see Figure 4): · Metering and reporting of application usage, see [JST+01], · Demonstrator implementation, for demonstration purposes, and for obtaining ‘hands-on’ experience, see [ToWi00] and [Wibb01]. [JBHS01] describes Functional reference model Commercial e xploitation support use r info Information prov isioning a cco unting data charging data me ter input Usage data acquisition usage da ta Data & process manage me nt reconcilia tion data pro vide r info bill Financial Se ttle me nt payme nt i nititiatio n paym ent indicatio n Aspects covered Approaches to metering, report mechanisms; implementations Demonstrator implementation Backgrounds on the Dutch payment system Payment in various contexts e.g. Internet, mobile e-billing [HiSt01] This doc describes [JST+01] [ToWi00] [Wibb01] Project report: see references Figure 4: Overview of research activities in GigaABP, delivered reports, and their relations References to related research outside the GigaABP project are included in the text. We would like to point the reader however to [ECP00] (or its planned up-date) with regard to electronic payment systems in the Netherlands for e-commerce and [JSB+00] where electronic payment is considered in the context of on-line transaction services. [Webe98] provides a technical overview of various electronic payment systems (internationally). 1.3 Document structure The rest of this document is structured as follows: 1 A reader interested in the development of this model over time may consult the subsequent versions of the model in [JHTW00], [JHTW01a], [JHTW01b]. [JBHS01] contains the final version. 14 G I G A P O R T Chapter 2 provides a general overview of payment over public communication networks. It highlights differences with payment in the physical world, at points-of-sale, in situations where buyer and vendor ‘know each other’. It discusses issues and misconceptions with regard to payment over Internet. It treats mobile payment from a high-level. Chapters 3 and 4 continue with treating the context of bill payment. Chapter 3 serves as an indepth introduction to Chapter 4 on Electronic Bill Presentment and Payment (EBPP). In the latter chapter we discuss various models for EBPP (Section 4.3) and examples of commercial providers of such services in the Netherlands (Section 4.5). We pay attention to the differences between the US and European market for EBPP. Chapters 5, 6 and 7 discuss the context of electronic commerce, in particular the integration of web-shops with Internet payment systems and the provisioning of outsourcing and valueadding services by Payment Service Providers (Chapter 5, Section 5.4 and Section 5.5 respectively). Chapter 5 thus concentrates on merchant support. In contrast, Chapter 6 considers support for consumers in e-commerce transactions: electronic wallets. In Chapter 7 the bridge between the merchant side (cash register) and customer side (electronic wallet) is laid by discussing payment instruments that can be used for on-line electronic payment transactions, in the context of e-commerce. We discuss credit cards, debit cards and cardbased electronic money. Chapter 8 and 9 continue the discussion by considering the third payment context: exploitation of electronic products (content, services). Chapter 8 concentrates on the specific characteristics of this context that are relevant to payment (Section 8.2). Next it discusses various scenarios for payment for such products by means of examples (Section 8.3). Network-based electronic money is briefly discussed. Chapter 9 treats micropayment systems. Chapter 10 ends the document with overall conclusions. For the reader’s convenience we have included a list explaining acronyms at the end of the document, as well as an index of key words. G I G A A B P / 2 0 0 1 / D 0 . 1 B 15 2 Payment over public communication networks 2.1 The issues Initiating and executing payment over public communication networks poses various challenges to the systems and operator’s of these systems, as well as challenges to human factors as trust, security and fraud prevention and detection, and also to the organisation of business processes. Various aspects will be treated throughout this document. Let us highlight a few in the following. 2.1.1 Trust When payment is executed over public communication networks, there is a physical separation between buyer and vendor, between consumer and service provider. The two cannot see each other. It is hard to establish an indication that the buyer is trustable, or that the vendor will deliver the ordered products. It is hard to establish a trust relationship similar to the one at the physical point of sale, where the two parties can see one another. Buyer and vendor not only need to trust each other, they also need to trust the payment instrument used to effectuate the money transfer. Considering payment over telecommunication networks, they should trust the technology that implements a particular electronic payment system and the operator(s) of that payment system. Various companies and organisations have put quite some effort in creating and using new technology that enables the establishment of the two types of trust relationships just mentioned. One can think of the development of Public Key Infrastructure (PKI), quality certificates for on-line merchants like the Webtrader-initiative of the Dutch consumer organisation ‘Consumentenbond’ and new authentication mechanisms introduced by banks (e.g. ABN-AMRO’s e.dentifier, Rabobank’s random calculator and Postbank’s mobile banking initiative). Trust is not only a matter of technology. On the contrary, trust is a human attribute, which is hard to establish, differs among people and should be carefully managed. Branding is a marketing instrument that plays an important role in creating and maintaining adequate trust relationships. Technology can help in creating trust, but is not the main instrument for doing so. As trust is a human attribute, technology is able to create trust only if the target group of users of the technology is able to understand the level of security that the technology is providing. For example, consider the situation of a payment system operator that requires a pre-paid deposit on a special account, like e.g. PayPal (see Section 5.2.1). Apart perhaps from early adopters, users need top trust the organisation and its business operation in order to deposit a (substantial) amount of money in such an account. If there are not sufficient legal guarantees as to what happens to these deposits in case of bankruptcy of the operator, then G I G A A B P / 2 0 0 1 / D 0 . 1 B 17 this may influence the trust users will have in the system. Offering adequate service to the customers is yet another means to establish a trust relationship. 2.1.2 Cross-border payments Focussing on Internet as a public communication network and electronic commerce and service provisioning over Internet, we arrive at the next issue: cross-border payments. Internet is a global initiative. Companies involved in commercial activities over Internet should therefore consider the possibility of consumers from any location in the world, willing to consume their products. It is a strategic – and individual – decision whether to accept all customers (based upon trust…). If a company decides to also accept ‘foreign’ customers, payment for products will involve cross-border payments. There are essentially three types of solutions for cross-border payment: · International bank transfer, which is costly and cannot be initiated on-line (See [HiSt01] for more details on crossborder bank transfers). · Credit cards, which are less costly, have a substantial penetration in various countries, and are quite effective in conducting online payment transactions (see Section 7.2). Large consumer groups are principally excluded from their usage however (youth, lower incomes), and those that can use them may not trust these instruments for use on-line. · International collection services, which let consumers pay using their domestic payment instruments (e.g. cash, domestic bank transfer), often at delivery (see Section 5.3). Their support for on-line payment is limited, if possible at all. The variation in cross-border payment systems can be improved, as well as the efficiency of available systems. It may be for this reason that cross-border payments currently attract quite some attention from banks and firms outside the financial sector. The latter see an opportunity in offering easy-to-use instruments and payment services that are more efficient than those offered by the financial sector. 2.1.3 Direct payment Guarantees – for payment and for product delivery – are closely connected to trust. The higher the level of trust between buyer and vendor, the lower their need for guarantees. One way of circumventing the offering of extensive guarantees is reducing the time frame in which the full economic transaction takes place (recall Figure 1). If the exchange of product and goods immediately follows each other or is even concurrent (‘pay-as-you-play’), then the financial risks are smaller, and they are shared. Direct payment, i.e. payment with immediate finality and immediate feed-back to both buyer and vendor, would be a solution for circumventing guarantees or costly trust-enabling technology. However, direct payment is hard to realise on a large – national or even 18 G I G A P O R T international – scale, when making use of the overall payment system as provided by the financial sector. The very nature of the processing, clearing and settlement system in this sector currently prohibits this (cf. [HiSt01]). The only way in which direct payment can be realised at the moment is by using dedicated closed payment systems, like pre-paid accounts at mobile operators, at banks (as in ‘Rabo Direct Betalen’, see Section 7.3.1) or at special ‘Internet Payment Providers’ (as in the Jalda model, see Section 5.2.2). This approach inevitably reduces the reach of such systems. Large, internationally operating telecom operators such as Vodafone could play a role here however, exploiting further their reach in communication services. Thus they could play a role in cross-border payments as well. It should be kept in mind however, that consumers typically have most of their purchasing power, their money, on bank accounts. Trust is then an important issue (again) to incite them to transfer funds from these accounts to the dedicated accounts in control of the operators of direct payment systems. It is still an open question whether consumers are willing to do so. Moreover, reloading the account directly when its balance reaches zero still requires direct on-line payment systems, although the trust situation in this case is expected to be better than on the open global Internet. 2.2 Misconceptions on Internet payment We start with a discussion of a number of commonly heard assertions with regard to Internet payments that require some moderation, because they are not always true. We based this discussion on [Böhl01], Section 2.1. 1. Internet payments can evolve independently from the bank’s retail payment systems This statement is not true. As will become clear from examples we present below, Internet payment systems rely on bank retail payment systems at some phase, e.g. for making a deposit in the case of account-based systems. Thus, understanding the financial sector’s overall payment system is a prerequisite for a proper treatment of Internet (and mobile) payments. [HiSt01] provides a detailed discussion of the Dutch bank payment system. 2. E-commerce requires Internet-specific payment systems This statement does not hold in general. Some e-commerce applications, like selling content or on-line games, may require small-value payments (or even micropayments), which cannot be handled by current electronic retail payment systems. Often this will concern selling and delivery of electronic – information – goods. However, if e-commerce is understood as selling physical goods over an electronic channel (e.g. Mail Order/Telephone Order – MOTO or Internet), then often ‘traditional’ electronic and even non-electronic payment systems are sufficient. These systems may be even more popular than electronic (Internet) payment systems. Take for example the popularity of the ‘acceptgiro’ in the Netherlands for settlement of ordering and delivery of physical goods at web shops. G I G A A B P / 2 0 0 1 / D 0 . 1 B 19 Retailers of physical goods that sell over the Internet and serve an international market, may use Internet payment systems to facilitate cross-border payment, which is still a bottleneck for international retail (e-) commerce. However, such retailers will often set-up an international distribution network as well, including accounts at various national banks. Thus they reduce the issue of cross-border payments to domestic payments. Various payment service providers emerge that support localisation – both on Internet, e.g. Bibit Internet Payment Services and NetGiro (see Section 5.5.1and 5.5.2 respectively) and in the physical world, e.g. GlobalCollect (see Section 5.3). 3. Security is a fundamental problem for Internet commerce and payment systems This is almost true. It is not security however that should be discussed, but the risk that each party involved in a commerce transaction is willing to run. Having established an amount of risk that is agreeable by both parties, this will have implications for both security measures that need to be taken, as well as for payment systems that are appropriate in such a situation. Moreover, a joint study performed by central banks has revealed, that the level of security of Internet payment systems could be at the same level as that for existing payment instruments, provided the designers and implementers take the necessary precautions ([LGKV00, p.44], [BIS96]). 4. Credit cards are an insecure payment instrument on the Internet This is not entirely true. Cardholder authentication is relatively weakly secured: only a sixteen digit card number, expiry date and (in some cases) a Card Validation Code (CVC; see Section 7.2) are required. The most risky factor for loosing this data to criminals is not the network 2 (Internet) but the merchant . Note however, that credit card transactions at POS in the physical world create a risk of loosing the valuable card number and expiry date as well: these numbers, and the cardholders name, are also present on the printed receipt from the POS terminal. The Internet transaction protocols SET and its weaker form 3D SET have been designed to hide this valuable data for the merchant. 2.3 The roles of mobile communication in payment We identify three major roles that mobile communication networks and devices can play in payment: 1. the mobile device as a payment terminal in the physical world, where the device replaces the terminals for electronic funds transfer at points-of-sale (EFTPOS). 2. the mobile device as a payment terminal in the virtual world, for the payment of electronic service delivered over a channel different from the mobile network (like Internet, cable…). 2 According to discussions at the ‘Telco-Finance Integration’ workshop preceding the IIR Conference ‘Next Generation Billing Systems’, December 2000, in Rome. It is hard to obtain exact figures on credit card fraud. 20 G I G A P O R T 3. the mobile network as a direct payment channel, for electronic content and services consumed on the mobile device. 2.3.1 Payment terminal in the physical world In order to fulfil the first role, terminals need to be able to interface with existing payment instruments for retail transactions at points-of-sale, such as debit cards, credit card and smart cards containing electronic money. Conceptually, there are two options: (1) use an external multi-purpose card reader, or (2) integrate a card reader into the mobile device. The first option comes within range of realisation through the development of a European standard for card readers, FINREAD, see [HiSt01] for details. The second conceptual option has been rejected by the mobile phone manufacturing industry. According to [Mobe01, p.18] the major phone manufacturers (e.g. Nokia, Ericsson and Siemens) have indicated that they will not produce dual slot phones. One of the suggested reasons is that the integration of a card reader into phones puts too many limitations on phone design and size. In this way the discussion whether there will be dual-slot (i.e. with reader) or dual-chip phones has been finished in favour of dual-chip phones. Another possibility would be using the mobile phone or – more generally – the mobile device as the platform for a secure electronic wallet that contains payment instrument details, such as card numbers. It is an issue however, who is in control of what part of the device. The SIM (for communication) in a mobile phone is provided and owned by the network operator. The wallet could reside on a separate chip in the mobile phone under the control of the issuing financial institution(s), provided the mobile phone manufacturers are willing to produce dualchip phones. If such functionality is incorporated into the SIM (as Postbank has done in its mobile banking application in co-operation with Telfort and Siemens), the financial institutions need to have various bi-lateral agreements with the mobile network operators. Example: refuelling a car using the mobile phone Nedap, KPN Mobile and BP are currently running a pilot in the Netherlands with Nedap’s ‘Mobile Pay’ mobile phone payment system. The pilot started in October 2001 with 1500 users and three BP petrol stations, in co-operation with KPN Mobile. The mobile phone (GSM) is 3 used for refuelling a car , i.e. for identifying and authenticating the customer of the petrol station. The customer has to dial a special number and enter the number of the petrol pump and a PIN code on his mobile phone. After successful authentication the filling station is authorised to provide fuel. The charge is collected from the customer’s bank account by means of direct debit. The customer can get a statement of his transactions via the Internet. 4 3 According to De Volkskrant, ‘Experiment met tanken betalen via mobieltje’, October 20, 2001, Economy supplement. 4 See also http://www.bp.nl/ G I G A A B P / 2 0 0 1 / D 0 . 1 B 21 2.3.2 Payment terminal in the virtual world In this case the mobile device is used as an instrument for authentication and authorisation of the payment transaction, as a relatively secure device for entering payment information. Systems typically use a ‘call-back’ scenario. The user provides his mobile phone number after which the mobile device can be contacted through e.g. a voice response system, SMS, or – with the arrival of ‘always on’ Internet connectivity through GPRS and UMTS – by means of instant messaging techniques. The user then receives information on the payment transaction that was initiated through a communication channel different from the mobile channel. The mobile phone number and entering a PIN code authenticates the user. A confirmation by pressing a button on the mobile device finally establishes payment authorisation. The actual transfer of money can be realised through various ‘traditional’ payment instruments, such as direct debit or a credit card charge, or from a dedicated account. Example: Paybox Paybox is a mobile payment system offered by Paybox.net AG that was launched in Germany 5 in May 2000. Major shareholder is Deutsche Bank (50%) . The system supports real and virtual point-of-sale transactions as well as person-to-person transactions. The system requires new users to register with Paybox, after which they obtain a PIN code. When using Paybox in a payment transaction, the user communicates his phone number to the vendor. The latter communicates this number and the price of the product to be purchased to Paybox, after which Paybox calls the buyer and asks for payment authorisation by means of the PIN code. The vendor’s name and amount are mentioned in this request. After authorisation Paybox informs Deutsche Bank to settle the payment transaction through a type of direct debit. 2.3.3 Direct payment channel In this case the product delivery channel and payment channel coincide. Both actions take place over the mobile network. Concurrently or almost immediately after each other. The situation is similar to that on fixed Internet, where consumption and payment may take place through a single Internet connection from the user’s personal computer. The difference with fixed Internet is the limited computational capabilities of the terminal and the varying location (roaming) of the user. Example: payment over WAP – KPN Mobile and Bibit KPN Mobile and Bibit Internet Payments jointly developed a payment method for WAP, and announced it in May 2000. The system is used in the M-info service of KPN, in the online shop. Upon ordering, Bibit offers the customer choice between several payment systems. By 5 According to the electronic Payment System Observatory’s Inventory database: http://epso.jrc.es/cfapp/invent/details.cfm?uid=80 22 G I G A P O R T now, the assortment is close to that on the Internet. When Bibit has handled the payment, it signals the shop that delivery can go ahead. First retailer to use the system is hotorange.com, who has offered WAP payment from June 2000. 2.4 Merging of payment flows The consumer seems to be surrounded by providers that offer the basic services in western life, such as gas, electricity, water, cable television, Internet and telecommunication of various types (e.g. PSTN, ISDN, GSM, GPRS, …), financial, insurance, governmental and municipal services, etcetera. During the past few years in the Netherlands, many of these providers have joined forces with regard to billing and payment collection, e.g. cable television and municipality in collecting charges and taxes. Each of the mentioned providers with recurring customer contact can seek the opportunity to offer their customer contact as a contact opportunity to other (on-line) service providers or vendors. They can start to act as an intermediary with regard to billing and payment between buyers and vendors. The payment flows of service providers with recurring frequent customer contact can merge with those failing such an opportunity. They first need to be aware, however, of the credit risk that accompanies such an approach. Development: Open Service Access (OSA) – Parlay platform 6 The Parlay Group , which is an open multi-vendor consortium of ICT companies including (among many others) Alcatel, Compaq, Cisco Systems, Ericsson, IBM and Lucent Technologies, is developing a platform for Open Service Access. That is, developing Application Programming Interfaces (APIs) that enable applications to operate across multiple networking platform environments. One of the developed APIs enables the reservation and capture of funds in e.g. pre-paid accounts, and charging to the cost of a telecom billing system (e.g. see [ETSI01]). Note that this applies to new applications or services provided by third parties that leverage (or operate over) the mobile network. 6 See http://www.parlay.org G I G A A B P / 2 0 0 1 / D 0 . 1 B 23 3 Overview of bill presentment and bill payment 3.1 Introduction The bill or invoice represents a financial claim of a company on a customer. It is associated with a payment that is due. The latter part distinguishes a bill from a statement or notice: a bill must be paid within the prescribed time period, or other (legal) measures will be taken in order to establish payment. 7 Bill/Invoice : An electronic or paper document sent to a customer associated with a payment due. Statement/Notice: An electronic or paper document sent to a customer/agent that does not have a payment due associated with it. ‘A bill should be paid in time’ is probably a better wording: late payment is part of a country’s payment culture and varies over countries (see Figure 5). According to the European 8 Payment Survey that was executed for Intrum Justitia , the main causes for late payment are (1) intentional delay as a cheap means of obtaining credit (‘supplier credit’, in 35% of the considered cases), (2) financial difficulties of the debtor (33%), and (3) administrative inefficiency (e.g. errors; 16%). Another cause of late payment is disputes over the bill (5%). The first and second main cause for late payment cannot be addressed by means of billing technology, because they depend on the way firms do business. A reduction of supplier credit is harder to achieve: it requires a change in attitude. The others can. Source:European Payment Survey (1995, NOP for Intrum Justitia.www.intrum.com ) Figure 5: Late payment in Europe 7 8 From ‘Glossary of Terminology’ of eBilling.org: http://www.ebilling.org/glossary/default.htm See http://www.intrum.com G I G A A B P / 2 0 0 1 / D 0 . 1 B 25 A well-designed and executed billing process may reduce both the number of disputes and administrative errors. The latter can be achieved by limiting the number of human interactions in the bill payment process, e.g. the act of copying payment details from the bill to an input facility of a financial management system or e-banking application. The number of disputes that result in late payment can for example be reduced by offering various Customer (Self-) Care services. 3.2 A functional reference model for billing and bill payment Figure 6 presents a functional model for the financial settlement of economic transactions by means of billing and bill payment. It is based upon [JBHS01]. Billing consists of the preparation of the bill, tailored to the customer by adding personal information or providing special discounts, and the bill presentment function that realises that the payer will receive and review the bill. Sent bills and incoming payments are matched in the reconciliation function. This is a highly important function. Much inefficiency in the billing and bill payment process is created by exception handling in the reconciliation function, because often this requires manual labour. Payers could for example have made a mistake in copying the appropriate payment references. Payer’s financial handling Financial Settlement Billing Bill preparation charging data billing data Bill presentment bill bill Authorisation billing info to account & process management Reconciliation payment info Bill payment payment initiation payment indication Legend: Function Input Output Information duplication Figure 6: Functional reference model for billing and bill payment (after [JBHS01]). The “Payer’s financial handling” function may be simple, e.g. placing a physical signature, but can also be complicated: the administrative functions and policies within a company that deal with accounts payable. The precise content of this function is beyond our scope. For the discussion in this document it suffices that the function results in payment authorisation and initiation, based upon the bill as input. 3.3 Differences between B2C and B2B billing Billing, or invoicing, faces different requirements in the business-to-consumer market than in the business-to-business market. Legislation and regulations differ in these two markets, for example with regard to tax handling (e.g. Value Added Tax – VAT). In the Netherlands tax 26 G I G A P O R T regulations regarding B2B invoices are much stricter than those for B2C bills. However, the regulations (for B2B and B2C) vary over various European countries, thereby complicating international billing. The European Union is currently considering harmonisation of these regulations among its member states. Also the complexity of the administrative processes differs substantially, together with the relative number of disputes over received bills. In B2B situations there is much more need for exception handling. It is estimated that 40% of B2B billing requires resolution or adjustment [Mari00]. Moreover, in a B2B setting bill processing may cross various intra-organisational boundaries, and may cross the hands of multiple employees as well. Authorisation of payments is typically confined to a small number of employees however, which complicates the interaction between the payer’s financial handling function (Figure 6) and bill presentment and payment. Consumers do not have a complex financial administration in general. This makes bill processing much easier. The importance of the distinction between B2B and B2C is further stressed by the use of different terminology. In the literature the term ‘bill’ mainly refers to the B2C setting while ‘invoice’ indicates a B2B setting. See for example [CEBP01] and [Mari00]. It should be noted that this subtle distinction may be less apparent in product offerings by commercial service providers or system vendors. 3.4 Instruments for bill payment Currently in the Netherlands there are three common ways for paying paper bills: (1) by means of credit transfer between bank accounts, (2) by means of ‘acceptgiro’ (now ‘euro9 acceptgiro’) and (3) by means of direct debit. In the B2C market segment, acceptgiro and direct debit are particularly popular. The acceptgiro is convenient in situations where there is a one-time customer relationship or when the merchant or service provider is willing to give the customer the initiative for starting the payment transaction. In a periodic, recurring customer relationship direct debit is often used. It is also used in situations where the vendor prefers to keep the initiative in payment initiation. Banks prefer the use of direct debit as it is the cheapest instrument for bill payment. Both acceptgiro and direct debit have the advantage over bank transfers as they reduce the number of administrative errors. The first because of the pre-printed payment information that it contains; the second because the process of sending the collection requests to Interpay can be automated. Credit transfer between bank accounts is more costly in the end than acceptgiro or direct debit, because reconciliation may be complicated by incomplete or missing payment information, like payment reference or an incorrect amount. The bill payment instruments differ further in transactions costs (for the biller), in the payer’s convenience, payment finality and who initiates and controls the payment process. In the first 9 The payment instruments are discussed in detail in [HiSt01]. G I G A A B P / 2 0 0 1 / D 0 . 1 B 27 two methods the payer initiates and controls payment. In the last the biller initiates payment, while biller and payer have shared control: the payer has the so-called ‘Right of Reversal’ within a time frame depending of the type of direct debit used (see [HiSt01] for details, Table 1 provides an overview). Of these three methods, only the acceptgiro is directly linked to bill presentment, since often the acceptgiro is physically attached to the paper bill. Table 1: Comparison of payment methods for physical bills Payment method: Payment initiator: Control: Payment finality: Payer’s convenience: Credit transfer Payer Payer After processing Low Acceptgiro Payer Payer After processing Medium Direct debit Biller Shared After 5-30 days High 3.5 Bill distribution and presentment: print and mail services Firms that frequently send out large mailings or many invoices in short time periods often outsource these activities at providers of so-called print and mail services. Examples of such large volume recurring billers are telecom and utilities, banks (account overviews) and charity organisations. The providers of print and mail services have the equipment to print large volumes of paper, prepare the mailings, add promotional material, et cetera. They often also print acceptgiros, which are attached to the bill and sent to the payer. There are several hundreds of print and mail service providers active in the Netherlands. PTT Post Print & Mail, part of the TNT Post Group is one of them. Another is AddComm Direct B.V., which has a long-term strategic partnership with Bluem, a Dutch provider of Electronic Bill Presentment solutions (see Section 4.5.2). 3.6 Developments in bill presentment and bill payment Recall that a billing approach to the financial settlement of economic transactions creates the problem of late payment (Section 3.1), mainly because of the attitude of companies (‘supplier credit is easy and cheap…’), but also because of administrative errors and disputes over the bill. The central problem is that billing moves the initiative for payment initiation to the payer instead of the biller. The payer waits till he finds it convenient to pay. The payer makes mistakes in the payment information that is attached to the payment order, or the payer waits with payment until the dispute has been settled. Thus late payment may be reduced by using a payment instrument for bill payment that leaves the initiative with the biller: direct debit. Changing from acceptgiro to using direct debit also creates a cost reduction for large volume, recurring billers. In fact, printing acceptgiros is subject to precise conditions (set and verified by Interpay and Postbank) in order to establish efficient automated processing. Specialist knowledge and high quality equipment is needed. Therefore it is more costly than normal printing. 28 G I G A P O R T When using direct debit a statement is still sent. Therefore it is then only a small step to perform electronic presentment of this statement. The number of administrative errors can also be reduced by means of direct debit. Currently banks are also looking at the possibility of using digital signatures for signing electronic mandates for direct debit (cf. [HiSt01]), on-line. In that way direct debit becomes more convenient for on-line payment of bills as well. 3.6.1 A digital acceptgiro Direct debit seems to be the ultimate solution for bill payment. However, many consumers seem to value the concept of the acceptgiro as well, which gives the consumer the initiative of payment initiation, thereby keeping them ‘in control’. The acceptgiro concept also includes the idea of pre-printed payment information, which reduces the number of administrative errors. Moreover, the payment reference on the acceptgiro facilitates the reconciliation process. The acceptgiro is paper-based however. As the trend is towards electronic paper-less payment systems, the acceptgiro – with its sense of control – needs an electronic substitute. Currently there are no (de facto) standards for the electronic representation of the payment information contained in a bill, like the acceptgiro for paper bills. The Dutch banks and Interpay have the initaive to come with a standard however: the digital acceptgiro, or @cceptgiro. The idea is that the payment information is sent to the payer electronically through intermediaries (banks) in the financial sector, while the bill or statement is sent to the payer through any other channel of the biller’s choice (see Figure 7). That is, the bill may still be paper-based if that is more convenient. Electronic Bill Presentment (EBP) may be an electronic option. Bill Payment Service Provider Payment service Digital accepgiro Digital accepgiro (optional) Customer Payment channel hyper linking Biller Bill presentment channel Electronic bill presentment service Electronic Bill (Electronic) Bill Presenter Legend Role Data flow Data object Service Provisioning Figure 7: The envisioned scheme for the digital acceptgiro The digital acceptgiro need not end-up in the domain of the payer: it may remain on a server within the domain of control of a bank, providing special services for bill payment (including feed-back to the biller on an @cceptgiro’s payment status). The EBP service and the bill payment service are crosslinked, such that Customers can easily switch between bill details and payment details, while these two are coming from different sources (web sites). If G I G A A B P / 2 0 0 1 / D 0 . 1 B 29 required however, the digital payment information in the form of the @cceptgiro may be loaded into financial administration software or home-, web- and e-banking applications. 3.6.2 Electronic Bill Presentment (e-Billing) Electronic Bill Presentment (EBP) allows consumers 10 to receive and review their bills electronically, in particular over the Internet. ‘Electrifying’ paper bills in itself does not contribute much to reducing late payment. It may reduce the operational cost of printing paper bills, but an electronic biller needs to maintain an additional ICT system for EBP instead. Moreover, consumers will not instantly move towards the use of this new technology. In fact, [Mari00] states that ‘…billers have spent much effort getting bills online, but less on developing online bill payment as a consumer habit. … The …expenses required to implement online presentment of bills represent perhaps only 20 percent of the effort required to make it a consistent practice.’ The main value-adding aspects of EBP are in its combination with other functions, to the benefit of both EBP and these functions, e.g.: (1) Customer Relations Management (CRM), (2) bill consolidation and (3) online payment services. The combination of EBP with a payment function is commonly called Electronic Bill Presentment and Payment (EBPP). The combination of EBP with CRM is sometimes referred to as e-billing. Experiences with EBP show that there are less late payments due to convenience in payment: the payer only has to click a button to pay. Providing good Customer (self-)Care services through the EBP channel may reduce the number of disputes and thus late payment. An example of e-billing is the Web site of KPN Telecom, where subscribers can review their current and past phone bills. The service offers additional functionality for analysing a bill (e.g. call with the longest duration, most called phone numbers, et cetera). Moreover, EBP provides new means for maintaining customer attention to corporate web sites, enable interactive marketing and establish extended customer care. EBP can offer a single point of entry for all financial and related transactions with customers, offering the company a unified customer view. This point of entry can be personalised as well. 3.6.3 Bill consolidation and payment services Bill consolidation and payment sites offer consumers the opportunity of organising the received bills. Some consolidators even scan paper bills and include those in their list of electronic bills. Users can schedule bill payment. In this way late payment is reduced by providing better administrative facilities to consumers. The payment function reduces administrative errors and the usage of paper-based instruments. 10 The corresponding concept in the Business-to-Business market is referred to as Electronic Invoice Presentment (EIP). 30 G I G A P O R T Bill consolidation and payment services are particularly popular in the US. According to predictions, US consumers would like to pay all their bills at one web site. According to Yankee Group the main arguments for US consumers are the convenience of not having to 11 write checks (28.7%) and saving time (14.9%) . Candidates for such primary sites (in the 12 13 U.S.) are Internet portals like America Online (AOL) and Yahoo! , and OnMoney . AOL and Citigroup formed an alliance that makes AOL a candidate for a primary bill payment web site. Citigroup’s payment services are made available through all channels of AOL (AOL.com, CompuServe, Digital City, Netscape Netcenter and AOLTV). Citigroup will act as a clearinghouse for online purchases, but also for person-to-person money transfer. The billpaying services provided at Yahoo! and OnMoney, which are web sites that allow users to pay 14 bills using a web interface, are powered by Paytrust’s technology . Paytrust.com provides users with an on-line bill payment service that allows them to instruct Paytrust.com to handle all of their paper-based bills. When such bills arrive at Paytrust.com, they are scanned and entered into the system. Using a web-based interface, users may nominate bills to be paid by specific accounts. The system allows users to completely automate bill payment, while also allowing conditions to be attached to bill payment. For example one could imagine a scenario such as: ‘if the source of the bill is a restaurant and the cost is less than US$ 100, then pay it automatically’. Paytrust can also interface with many major banks, thereby allowing the system to obtain e.g. the user’s account balances for a complete overview of personal finance. The payment data created by Paytrust may be imported into personal financial software such as: MS Money, MS Excel and Quicken. In the Netherlands ‘Privver’ is a bill consolidation and payment service (see Section 4.5.3 for more details). In the following chapter we treat EBP in further detail. 11 Nora Macaluso, ‘Report: Online Payment Gaining Ground’, in E-Commerce Times, October 15, 2001. Available at http://www.ecommercetimes.com/perl/printer/14151/ 12 ‘BillPay’, see http://bills.yahoo.com/ 13 ‘BillCenter’, see http://www.onmoney.com/banking/billpay/ 14 According to the banners’Powered by PayTrust’ on these sites. G I G A A B P / 2 0 0 1 / D 0 . 1 B 31 4 Electronic Bill Presentment and Payment 4.1 Introduction Recall that the business market for bill presentment differs from the consumer market (Section 3.3). Accordingly, we follow the distinction between ‘bills’ and ‘invoices’, and between EBP or Electronic Bill Presentment and Payment (EBPP) and their counterparts in the business market: Electronic Invoice Presentment (EIP), and Electronic Invoice Presentment and Payment (EIPP) (following [CEBP99], [CEBP01]). Our focus is on the consumer market, on EBP and EBPP. EBP can also be seen within a broader setting: as a specific variant of electronic document or legal document presentment. We do not pursue this approach in the sequel. 4.2 The impact of cultural aspects Providing EBP services on-line is a growing field of commercial activities in which many large companies participate. Organisations, like the Global Billing Association (telecom sector) and the National Automated Clearing House Association (NACHA – US financial sector), have put the subject on their agendas for research, standardisation and discussion. As the market is growing, new firms enter the market. The competition is growing. The uptake and level of success of EBPP services is closely related to the payment culture and payment infrastructure of the countries in which it is applied. A solution – or model – for EBPP that is successful in one country need not be successful in another. US providers of EBPP services have experienced this observation in reality. Their entrance on the European market has not been as easy as they expected. Currently these companies tend to co-operate with European counterparts in order to get a grip on the cultural differences of which they were not fully aware initially. 15 The US market for EBP(P) differs from the European market. To mention a few differences: · The efficiency of the overall payment system; EBP combined with electronic payment functions reduces costs when compared with paper-based instruments: invoicing and cheques in the US. The payment system offered by the financial sector in the US is less efficient than many systems in Europe, the Netherlands in particular. The Dutch payment infrastructure is one of the most efficient in the world. Therefore the realisation of cost reductions by means of EBP(P) is less apparent to billers. 15 According to Anachron,at IIR Conference ‘E-billing and Customer Care Management, Schiphol, The Netherlands, March 20-21, 2001. G I G A A B P / 2 0 0 1 / D 0 . 1 B 33 · The availability of convenient bill payment instruments; In the Netherlands there are sufficiently many convenient payment instruments (from the payer’s perspective) that can be used for bill payment. There are direct debit services in various variants (see [HiSt01] for details) and the acceptgiro. In the US inconvenient paper cheques are commonly used still. · Heterogeneity in language, culture regulations and currency; The European market is a heterogeneous market because of the various languages, cultural differences, variations in legislation and regulations and different currencies, although the arrival of the euro in a large part of Europe will greatly remove the latter obstruction. · Security requirements; In Europe users, financial institutions and legislators have different security requirements on EBP systems than in the US. For example, a simple login and password would be sufficient protection for US user’s and banks, while in Europe this type of user authentication is considered not sufficiently secure. Additional techniques are required to obtain a higher level of security (e.g. one-time passwords, challenge-response systems using the bankcard and PIN-code). Figures (for the U.S.A.): Manually sending bill (cost): $1.00 - $1.50 Manually sending bill with error (cost): $2.00 - $3.00 Number of bills/month that consumer receives: 17 Manually paying bill by consumer: 10 minutes Total time/month for consumer: 3 hours Manually processing payment (cost): $1.00 Savings of EBPP on bill of $100: $1.90 Total cost of U.S. payment system: 3% of Gross Domestic Product Cost of check transaction: 50-100% more than electronic payment U.S. number of C2B billing transactions 1998 15 billion U.S. number of B2B billing transactions 1998 12 billion Sources: Wall Street Journal, March 1999; Banking Strategies, November 1998, and McKinsey & Co. 4.3 Models for EBP Some EBP players try to control all aspects, like architecture and service provisioning by using proprietary interfaces with billers. In the U.S., CheckFree used such a closed-system approach. It had a leading position in the past (1997), with an 80 percent share of the electronic bill payment market [OSS+98]. Others are developing and using open systems, based on standards. OFX (see Section 4.6.1) and GOLD (see Section 4.6.2) are two standard-based EBPP consortia operating in the U.S. They are now being replaced in favour 34 G I G A P O R T of IFX (see Section 4.6.3). In the middle there are companies that control the overall architecture of the EBPP system, but let others players exploit parts of the EBPP value chain. Parties in this value chain are e.g. billers, biller service providers, banks and customers. TransPoint, a company owned by Microsoft and First Data Corporation, follows this strategy. Apart form the system approaches (open or closed), several models for EBP(P) have been developed, which we shall now discuss. We base our exposition on [OSS+98], [NACH99], [CEBP99], [Mari00], [HJTW00], [CEBP01], and [AuKi01] (chronological order). Terminology 16 differs among the various sources. We followed that of eBilling.org . Commonly, the following elementary roles are identified: · Biller, A company or organisation that sends a bill or statement to a Customer. · Customer, An individual or company that receives goods or services which are subject to bills or statements. · Bill Receiver, A person or company that receives a bill or statement for goods or services ordered by a Customer. A Bill receiver and Customer may be different. · Biller Service Provider (BSP), An agent of the Biller that provides EBP services to the Biller. · Customer Service Provider (CSP), An agent of the Customer that provides a single point of entry (or one interface) for Customers, e.g. for enrolment, for reviewing bills and payment status. · Bill Consolidator, A Biller Service Provider that consolidates bills from other Biller Service Providers or Billers and delivers them for presentment to the Customer Service Provider or directly to the Customer. The following models have been identified: Direct Model In this model, a single firm (in the role of Biller) offers online bill presentment and payment directly to a customer (see Figure 8). Thus, the Biller incorporates an electronic bill presentment capability into its corporate web site. Consumers have to enrol into the EBP service of each of the billers with which they are involved separately. A Customer Service Provider may take care of the enrolment process for the various billers. The Biller may outsource the EBP service itself to a third party, the Biller Service Provider. Outsourcing is typically transparent for the Customer. 16 G See http://www.ebilling.org/glossary/default.htm I G A A B P / 2 0 0 1 / D 0 . 1 B 35 Biller EBP customer services (review, customer care) In-house Customer Outsourcing Biller EBP system outsourcing Biller Service Provider (BSP) Service provisioning Service payment (money flow) Figure 8: Direct Model for Electronic Bill Presentment Direct billing helps maintain contact with Customers and provides advertising and crossselling opportunities without an intermediary. A Direct Model is likely to be successful in a biller-to-business relationship where the biller represents a large part of the total volume of bills the customer (payer) receives. Opinions differ on whether this makes direct models most suited for Business-to-Business billing [OSS+98], or for Business-to-Consumer payments. Service Provider Consolidation Model In this model a central service provider collects (‘consolidates’) bills from various Billers so that a Customer of each of these Billers has a single point of access to all bills of all Billers (see Figure 9). There are two versions of this model, depending on the level of bill detail information stored at the central service provider, the Bill Consolidator: · Thin Consolidation Model, Where only a bill summary (‘thin’) is available at the Bill Consolidator, while the bill details remain at the Biller, and can be presented to the Customer on request. Thus the Bill Consolidator act as a ‘portal’ to bills from various billers with added administrative functions for organisation or payment scheduling. The Biller still has the opportunity of direct interaction with the Customer, which is useful for CRM for example. A bill summary may be distributed to (multiple) Bill Consolidators and/or CSPs. · Thick Consolidation Model, This model is similar to the Thin Consolidation Model, except for the Biller forwarding both bill summary and detail to the Bill Consolidator. In the Thick Provider Consolidation Model it is also possible that the remaining printing services are taken over from the Biller. EBP customer services (enrolment, high level review) Biller Bill Consolidator Customer Biller EBP customer services (details, customer care) EBP system outsourcing Biller Service Provider (BSP) Service provisioning Service payment (money flow) Figure 9: Thin Service Provider Consolidation Model for EBP 36 G I G A P O R T Customer Consolidation Model In this model the Biller directly delivers the electronic bill directly to the Customer, i.e. the bill data is transferred to the Customer’s domain of control, for example through email. After reception the Customer is able to import the bill data into their Personal Financial Management System (PFMS) or home-banking application for further processing. A comparison of models Looking only at current practices in the US the Direct Model and the Thin Provider Consolidation Model seem to be used (see [Mari00]). These observations hold for the Netherlands – and Europe – as well. Most players in the US are using the Thin Consolidation Model. The Direct Model is only feasible for large companies with a large enough volume of recurring bills and customer base willing to use the electronic services to justify the investments required for in-house deployment of bill presentment systems. The Thick Provider Consolidation Model has the drawback that the biller loses much of the potential interaction with its customers and hands-over (too) much control to the BSPs and CSPs. It offers opportunities to develop the market however (examples in Norway). As soon as the market is more mature – i.e. EBPP facilities at the biller’s site – the BiSP can make a shift to the Thin Model. The problem with the Customer Consolidation Model may be the electronic delivery of the bill and the bill’s integration into the PFMS. Open and commonly used standard bill formats or electronic formats for payment information are required in that case, and the availability of PFMSs conforming to these formats. It is also possible for a firm to feature aspects of both the Direct Model and the Consolidation Model in its service offerings. A Dutch example of such a combined offering is Bluem (see Section 4.5.2). The Consolidator and combined model are more complex than the Direct Model. The factors affecting this complexity centre around: who "owns" the customer relationship (biller, consolidator or CSP – e.g. the Internet portal), who processes the payment, who manages the data, how do consolidators interoperate, and how do consolidators translate bill data in multiple formats? 4.4 US players In the U.S. EBP is quite successful. The providers of EBP services there can be divided into two groups: (1) financial institutions (banks) and (2) non-financial institutions [AuKa01]. The Spectrum consortium 17 is leading in the first group. Recently, also MasterCard entered the EBPP scene [Mari00]. CheckFree and TransPoint are the main players in the second group. Players in this group offer EBP services to e.g. Internet portals as Yahoo! and America Online, which act as bill consolidators for consumers. These portals obtain payment services from other players in order to realise electronic bill payment and full EBPP functionality. 17 G Consisting of Chase Manhattan, First Union and Wells Fargo; see http://www.spectrumebp.com I G A A B P / 2 0 0 1 / D 0 . 1 B 37 Competition comes from home banking software companies (Home Financial Network, Edify) that aim at customers of small to medium-sized banks, bill publishing companies (International Billing Services, Princeton Telecom, Electronic Funds and Data) that offer paper and electronic bill publication, and others that mostly use third-party payment (EDOCS, Netdelivery, Intuit, Novazen, BlueGill, NCR, Electronic Data Systems). The second group of non-financial institutions is currently leading in the market. A survey performed in late 1999 by Gartner Group among 173 large U.S. companies indicated however, that these companies would prefer their banks to act as EBP service provider. They seem to be turning to the non-financial institutions for solutions instead ([AuKa01], [Lita00]). Table 2: US providers of EBP solutions. System vendors: Application Service Providers (ASPs): Alysis Iplanet BillServ.com CheckFree Avolent Checkfree Derivion Pinceton eCom Edocs Portal TransPoint Solant TransPoint YourAccounts.com 4.5 Dutch providers of EBP solutions and services In this section we focus on the players active in EBP in the Netherlands. Anachron and Intrum Justitia are such players that are also active throughout Europe. Bluem and the TNT Post group with Privver focus on the Netherlands. 4.5.1 Anachron Anachron: ‘Pulse Suite’ 18 is a Netherlands-based company, founded in 1999, that specialises in e-Billing and customer interaction solutions. They state that “Web-enabling … customers’ financial and personal information” is their core business. It offers the ‘Pulse Suite’ of electronic bill presentment and customer care solutions, both for B2B (Pulse Business Advantage) and B2C (Pulse Consumer Advantage). Their solution is platform-neutral. For example they showed EBP over a mobile platform developed by AtoBe 19 at the CeBit in Hannover in March 2001. The system uses 1024-bit Virtual Private Networks for the transfer of data to and from customers. Sensitive data is completely encrypted before it is stored. Anachron's solutions are based on open standards (e.g. XML, J2EE, 3DES, X.509). 18 19 See http://www.anachron.com Press release, Anachron-AtoBe, ‘Anachron and AtoBe Deliver Mobile e-Billing’, March 22, 2001. 38 G I G A P O R T 4.5.2 Bluem Bluem 20 is a Netherlands-based company founded in 2000. It acts as an Application Service Provider (ASP) of EBPP and Interactive Customer Care (ICC) solutions to medium to large size enterprises, with a focus on the first category. Bluem uses Avolent’s Billcast™ software suite for the realisation of its bill presentment services (see Section 4.7.1 for a product description). Bluem supports both the Biller Direct and the Thin Consolidation Model. Bluem also launched a bill payment service. Initially it was conceived to use PayNet, a Swiss system for Internet payments. As PayNet met problems in reaching a sustainable business, 21 that initiative was ‘unplugged’ however (april 2001) . Currently, Bluem’s payment service supports credit card payments and direct debits. Their system automatically sends payment reminders. 4.5.3 TNT Post Group: ‘Privver’ Privver 22 is a digital mail box of the Dutch PTT Post (part of the TNT Post Group – TPG) that targets the consumer market. In the past, companies could direct their flow of mail, like bills and statements, through PTT Post Print & Mail. Based upon data delivered in digital format this mail was printed and sent physically to the recipient. Privver offers the possibility to send this mail electronically as well. The recipient receives an e-mail notification from Privver if a new piece of electronic mail arrived in their Privver mail box. This mail box resides on a secure server in the TPG domain. The mail can then be accessed on-line (thus also from abroad). Apart from receiving electronic documents, the recipient can archive mail and pay bills as well with form of direct debit. To that end Privver uses direct debit with electronic authorisation. When subscribing to Privver, the mail box holder authorises Privver (in relation to his bank) to debit his bank 23 account after clicking the ‘Pay’ button . With this solution Privver is part of the money flow. It runs through Privver to the biller, because Privver is the party that requests the collection of the direct debit. A similar initiative has been launched in Austria: ‘bezahlen.at’, by the Őstereichische Postsparkasse ([Böhl01], footnote 9, p 22). 4.5.4 Intrum Justitia Intrum Justitia 24 is a Europe oriented provider of Receivables Management Services. In particular they offer sales ledger services, debt collection (consumer, commercial and international) and debt surveillance. The company was founded in Sweden in 1923. In the 20 See http://www.bluem.nl See Innonet New, April 9, 2001: ‘Aus für PayNet’, http://new.innonet.ch/all_active/sp_d/news/news.asp?ID=597 22 See http://www.privver.nl 23 According to the press release, http://www.tpg.nl/pressoffice/pressreleases/070501_pttpost_privver.html 24 See http://www.intrum.com 21 G I G A A B P / 2 0 0 1 / D 0 . 1 B 39 1980s and 1990s it expanded its activities into Scandinavia and the rest of Europe. Currently it has a presence in over 20 European countries. As part of the sales ledger services they offer (among others) invoicing and payment matching (with bills). Intrum Justitia has a strategic partnership with NetGiro (see Section 5.5.2) for expansion in Europe with regard to EBPP. Intrum Justitia uses NetGiro’s ‘G-Bill’ solution. 4.6 25 Standards In the (outsourced) Direct Model and the Service Provider Consolidation Model bill data needs to be exchanged between the Biller and the organisations that fulfil the roles of Biller Service Provider or Bill Consolidator (see Figure 9). In this section we discuss three standards are used for this purpose: OFX, GOLD and their successor IFX. The scope of these standards is broader however: the integration of systems of financial institutions with those of their customers. It should further be remarked, that these standards have been developed in the US with its Anglo-Saxon approach to financial affairs. This may make these standards less suitable outside the Anglo-Saxon world. 4.6.1 Open Financial Exchange (OFX) Open Financial Exchange (OFX) 26 supports a broad range of financial services by defining a framework for directly exchanging financial data and instructions between financial institutions and their customers. Customers can be individual consumers and businesses. Financial institutions can be any organisation that provides some kind of financial services, such as banks, financial advisors, government agencies (e.g. Tax Office), information providers, transaction processors, et cetera. For each financial service, OFX defines the format of financial data exchanged, the set of instructions (messages) and the way the data and the instructions are interpreted. The financial data and instructions are specified in SGML. The interpretation of data and instructions is realised by implementing OFX server and client applications. The OFX specifies a client-server architecture. The server implements financial services or has access to such, and the client can request such services. The communication between the client and server is carried out in HTTP (see Figure 10). 25 26 See http://www.netgiro.com http://whww.ofx.net/ 40 G I G A P O R T Server Application Web -server Client application OSF-server Legacy format OFX reply OFX reply OFX request HTTP (appl/x-ofx) OFX request Web-client Legacy system (implementing service 2) Service 1 Service 2 OFX client ... Service n Figure 10: OFX Architecture This section has been sourced from [Stef00]. 4.6.2 GOLD message standard The GOLD message standard 27 28 was created by the Integrion Financial Network , an industry- based consortium owned by fifteen Major International Financial Institutions that joined resources to positively impact the electronic delivery channel. The GOLD Message Standard is an interface protocol used to enable financial institutions, technology vendors and third party processors to connect to one another more efficiently and with enriched functionality. The standard has the following functions: · enables various end user products to connect to financial institutions core systems in an extendable protocol. · defines a broad range of messages and transactions embodying the complete set of banking functions. · shields the financial institution from the variety of end user devices, networks and protocols, as well as shielding the end user from the peculiarities of the financial institutions' core systems. In summary, GOLD defines an open, cross-platform standard messaging interface which facilitates the secure electronic exchange of data between financial institutions, their partners, and their customers. 27 28 http://www.integrion.net/gold/ http://www.integrion.net/ G I G A A B P / 2 0 0 1 / D 0 . 1 B 41 4.6.3 Interactive Financial Exchange (IFX) The Interactive Financial Exchange (IFX) specification 29 provides a robust and scalable framework for the exchange of financial data and instructions independent of a particular network technology or computing platform. It was developed as a co-operative industry effort among major financial institutions, service providers and information technology vendors serving these institutions and customers in the small business and consumer markets. IFX builds on the industry experience of the Open Financial Exchange (OFX) (see section 4.6.1) and Integrion GOLD (see section 4.6.2) specifications, which are currently implemented by major financial institutions and service providers. According to [Mari00], US banks seem to like version 1.0.1 of IFX, in particular because of the included account-management features that it includes. These features enable the seamless integration of EBPP with online banking services. For example the Spectrum bank consortium has accelerated its schedule to implement IFX. Electronic bill delivery and payment messages are highlighted in the IFX Specification. These messages were developed to support the open, interoperable and secure exchange of electronic bills and the reliable delivery of payment and remittance information. 4.7 Examples of Electronic Bill Presentment systems In this Section we treat EBP systems (products) that are being used by some of the providers of EBP services mentioned in Section 4.5. 4.7.1 BillCast (Avolent) BillCast is a product of Avolent (formerly of ‘Just in Time solutions’) 30 that provides Internet billing and interactive customer care. Customers can view, analyse, and get details on current and past bills. User profiles, together with an integrated business rules engine, are used to provide personalised billing. The engine is also used to realise the system’s flexibility: changes to the business logic can be made by adjusting business rules. No (re)coding is required. As part of customer care, a ‘home page’ is generated around bill presentment. From this page users can e.g. make scheduled payments. BillCast uses XML-based definitions of back-end systems. Therefore it is claimed that easy 31 integration with e.g. accounting systems is possible . The billing service is delivered through web-based and email channels. Personal digital assistants (PDAs) can be used to access the service. Figure 11 shows the BillCast Architecture. 29 30 31 http://www.ifxforum.org/ http://www.justintime.com/home.html http://www.justintime.com/productsTechnology/billCastArch.html 42 G I G A P O R T BillCast seems to be the back-end system for both Bluem’s service (see Section 4.5.2) as well 32 as Intuit's billing site . Figure 11: BillCast Architecture 4.7.2 WorkOut (Alysis) Alysis positions their WorkOut™ product as a ‘standard e-billing component’. It comes in three flavours: (1) one for Busines-to-Business (B2B) e-billing, (2) one for B2B e-billing tailored for Utilities, and (3) Business-to-Consumer (B2C) e-billing. The system is based upon Enterprise Java Beans (EJB) technology. Thus it runs on EJB application servers. Currently, WorkOut version 2.0 supports the two leading EJB-compliant application servers: IBM WebSphere® and BEA WebLogic®. It supports both Oracle8i and IBM DB2 database management systems, both on UNIX and Windows NT. Alysis participates in IBM’s Solution Investment Initiative in order to bundle its WorkOut software with IBM’s e-business solutions, in particular the above mentioned WebSphere and 33 DB2 Universal Database. . Moreover, Alysis signed a joint marketing agreement with Bibit Internet Payment Services (see Section 5.5.1) in order to offer Bibit’s bill payment methods in combination with its WorkOut e-billing solution. 34 32 http://www.techweb.com/wire/story/TWB19980521S0002 According to Alysis’ press release of September 20, 2000: ‘Alysis Technologies Teams with IBM to Provide Electronic Bill Presentment and Payment’. 34 According to Bibt’s press release of December 18,2000: ‘Alysis teams with Bibit to target European e-billing market’. 33 G I G A A B P / 2 0 0 1 / D 0 . 1 B 43 4.7.3 Oracle’s Bill Presentment and Payment Solution Oracle Bill Presentment and Payment allows customers to perform multiple functions such as view bill summary, view bill details, pay bills, dispute bills and set-up auto payment rules. All these functions are achieved through a browser-based interface that is customisable. Its features include: · Bill-delivery support through browser, e-mail to PFMS (through Open Financial Exchange OFX) and other clients; · Support of direct-biller, consolidator and combined models; · Interoperability with CheckFree via OFX and TransPoint; · Customisable billing look-and-feel for customers, customer service representatives, billers and administrators; · · · · · Rules-based e-mail notifications (new bill, auto-paid, etc.) and payment functions; Payment queues (real-time and batch); SSL (Secure Socket Layer) security Integration with partners for targeted marketing; Simple sign on. Bill Presentment and Payment is part of an Oracle portfolio of e-commerce product and service offerings. Oracle's e-commerce consulting solutions cover three main areas: Buy Side (Supply Chain Management), Sell Side (Customer Relationship Management) and In Side (Strategic Enterprise Management). Each offering incorporates Oracle's underlying Internet Platform and encompasses products and services for building comprehensive, scalable, extensible and integrated e-commerce solutions. Additionally, these solutions allow existing applications to incorporate e-commerce functionality so that an organisation's current investments in information technology can be leveraged. 4.8 Trends and developments Providers of EBP services compete with providers of print and mail services. It is also important to note that the EBP concept assumes that the biller and customer have a good trust relationship. Thus Billers will benefit most from extended customer (self) care functions offered in conjunction with EBP services, and from economies of scale because of the efficient payment system. Therefore EBP seems to be most suitable for large volume billers, with recurring customers and bills: so-called ‘recurring billers’. Typical companies are: telecom operators, utilities, financial institutions, insurance companies, mail order companies, charity organisations and governmental institutions, like the Tax Office and municipalities. The initial focus for bill presentment services has been on the business-to-consumer market, because of the relative simplicity of integrating EBP with consumers’ financial management systems when compared to the internal administrative processes for invoice handling encountered in firms. However, attention is now shifting towards business-to-business applications. B2B bill recipients, like consumers, benefit from the availability and personalisation, but are also interested in the possibilities of analysis and reporting. Hence, B2B systems must offer this functionality. Furthermore, they need to be scalable to handle 44 G I G A P O R T large (amounts of) bills, multi-part bills, and must integrate with existing financial and accounting software (for example offer data integration from various sources, access control, cost item allocation, and dispute resolution). Both in the B2C and B2B market the uptake depends on the penetration of Internet among households and firms. The rate of penetration is growing for both cases (e.g. consult [CBS01] for figures on the Dutch situation over the past few years). EIP requires much more than Internet connectivity however. For EIP Internet should reach to the workstation of the relevant employees. Business processes may need to be redesigned and these changes must be made operational. Currently this Customer’s point of view seems to be somewhat neglected. Most discussions stress the benefits for providers in the scheme: for billers, banks and other service providers. Paradoxically, the current schemes for activation of EB/IPP services (the enrolment) are Customer-driven. The benefits for the Customers are not always clear. [AuKa01] draws the conclusion from a Gartner Group survey (see [Lita00]), that it ‘suggests that consumers are only likely to sign up for EBPP if they are able to get most - if not all - of their bills online’. In the Netherlands the banks investigated the possibility of providing access to electronic bills of various billers for their customers: the bank as trusted party for the consumer. More light should be shed on Customer benefits – both consumers and businesses – before more can be said on the uptake of EBP and EIP services. G I G A A B P / 2 0 0 1 / D 0 . 1 B 45 5 Payment in e-commerce context 5.1 Issues in the virtual world Recall that we consider e-commerce in this document in the narrow sense of selling physical goods or services through an electronic communication channel, in particular Internet. There are various differences between this context and selling at physical points-of-sale. Firstly, the virtual ‘counter’ is unattended. In principal there is no human-to-human interaction. This makes trust an issue. Is the consumer really who he says he is? Is the merchant (part of) a decent organisation? Direct payment, like cash or debit card transactions in the real world, may be an option to assure the virtual cash flow. Secondly, Internet is international and accordingly the merchant can expect that his web shop will attract also consumers from abroad. If he is willing to sell to those consumers as well, he must make sure that there are appropriate payment systems available in the web shop that support cross-border payments. And he must also make sure that he is able to deliver the goods internationally… Let us consider direct payment and international reach in further detail. 5.1.1 Direct payment Direct payment is hard to achieve, primarily because of the inherent delay in payment transaction processing caused by the retail payment infrastructure as provided by the financial sector (see [HiSt01]). In the Netherlands, payments involving bank accounts of different banks are centrally processed at the Automated Clearing House (Interpay in the Netherlands) and settled once a day in the books of the Central Bank (De Nederlandsche Bank). Only after settlement the payment transaction is final (with exceptions, e.g. for direct debit. See [HiSt01]). Therefore, direct payment can only be realised (1) in systems that make use of bank accounts and the internal account management system of a single bank, (2) in systems that manage special accounts for Internet payments, (3) in systems that exchange monetary value similar to cash: electronic money schemes, or (4) simply using cash, on delivery. The first solution imposes the restriction that both consumers and the merchant hold a bank account at the same bank. Rabo Direct Betalen (discussed in Section 7.3.1) is an example. The second solution shifts the problem to another point in the overall process: loading of the special account on fore hand or when there are insufficient funds, or post-payment using a billing approach. Section 5.2 treats commercial examples of such systems in further detail: PayPal (Section 5.2.1) and the Jalda-based Safetrader (Section 5.2.2). Electronic money schemes are discussed in further detail in Section 7.4. See also [HiSt01]. Cash-on-delivery is G I G A A B P / 2 0 0 1 / D 0 . 1 B 47 a solution that works both domestically and internationally. GlobalCollect offers this service on an international scale (see Section 5.3). 5.1.2 International reach For an Internet merchant it is hard to predict the national origin of customers on its Web site. Worldwide there is a huge number of different Internet payment systems operational. The selection and subsequent implementation of these payment systems is therefore hard, costly or even impossible. There are only a few ‘general purpose’ international payment instruments available: (1) credit cards, (2) cross-border bank transfers, and (3) international collection services. We discuss the issues regarding on-line credit card usage in Section 7.2. The second instrument, crossborder bank transfers, is highly inefficient (see [HiSt01]). This makes them unsuitable for payment of products with a small margin. Currently they are not supported on-line in electronic banking applications as well. International collection is an option. We discuss GlobalCollect as an example in Section 5.3. 5.2 Examples of dedicated account-based systems In this section we discuss the PayPal system and Jalda, which is an Application Programming Interface to a central account management system proposed by EHPT, an Ericsson and Hewlett Packard joint venture. Before we discuss the system details, a few words from a business perspective. The operator of a dedicated account-based system has special concerns. In the pre-paid situation a consumer should have sufficient trust in the operator. Otherwise he will not deposit money into the account. Possibly the operator needs a banking licence as well, because he is attracting funds from the public. In the post-paid scenario the operator is having a credit risk. Loading will involve other (electronic) payment systems. Thus such a system may solve the direct payment issue, but the consumer may still be faced with the necessity of using various payment instruments over the Internet. By its very nature, such a system is perfectly suited for exploitation by intermediaries. 5.2.1 PayPal PayPal 35 is an account-based payments system that is exploited by a US company with the same name. In the US it is quite successful, partially because the biggest Internet auction site, eBay, uses PayPal [Econ01], partially because the system also supports person-toperson payment transactions. The latter functionality is rare among Internet payment systems (because of risk and fraud management). The only other payment system that currently supports this functionality is the card-based electronic money scheme Mondex (see [HiSt01]). 35 See http://www.paypal.com/ 48 G I G A P O R T Initially the service was free of charge for consumers en merchants. The initial business model was claimed to be based upon selling personal financial details to third parties. As of June 2000, PayPal changed its strategy. This change coincided with the introduction of new rules in the USA ‘curbing’ these activities. From that point in time PayPal asked 1.9% of the value of purchases from vendors [Econ01]. This is about two percent less than credit card companies charge for transactions. Moreover, PayPal has encouraged more Internet buyers away from using credit cards, by starting to pay interest on deposits in PayPal accounts. PayPal has a transaction monitoring system that is capable of identifying unusual money flows, e.g. from several accounts loaded by using stolen credit cards to a single PayPal account, where the money is collected. The system uses email addresses as account identifiers. Not all information on PayPal is positive: various users seem to have complained about the system in relation to fraud [Cave01]. Moreover, the European deployment of PayPal has been postponed, because the company should either obtain a banking licence or co-operate with a commercial bank, according to the European regulations. The ING Group was envisioned as European partner, but there is not much news on the deployment process. 5.2.2 Jalda Jalda-based Safetrader 36 is a ‘secure, flexible Internet payment method’ developed by EHPT. A Jalda system has three major participants: the customer, the e-commerce service provider and a payment service provider (or Internet Payment Provider – IPP). Jalda uses the concept of a ‘tick’ to represent a payment transaction. The value associated with one or more ticks is defined by the e-commerce service provider and agreed to by the customer in a digitally signed ‘contract’ or order confirmation. The ‘tick’-concept offers flexibility by supporting both single transactions (a web shop pursuit) and session-based ‘sliced’-payments (as IP-telephony, streamed video, music and on-demand services, discussed in detail in Chapters 8 and 9). Moreover it enables the support of payment transactions of almost any value. The system works as follows. Both the consumer and service provider hold an account in a Jalda compliant payment server, e.g. the ‘Safetrader’ payment server of EHPT that is managed by the IPP. Using the Jalda API the service provider’s application sends ticks to the server that charges the appropriate account and updates the service provider’s account. Ticks can be generated by any part of the service provider’s application: that is, the client, the server or an intermediary proxy. Thus it is possible to integrate the functions of a payment system into a web server or a client application that runs on the customer’s computer. In practice, the system works like this: 1. An agreement is made between the client and the service provider with regards to costing of the services that will be provided (e.g. based on time or per click, etc.) 36 G See http://www.jalda.com/. I G A A B P / 2 0 0 1 / D 0 . 1 B 49 2. With this agreement in place, the IPP is contacted by the service provider application (which may be a web server or an application running on the customer’s machine) and a secure connection is made between the two parties. 3. Using this secure connection, as the client utilises the services (as detected by the service provider application), the client’s account is billed as the service provider application sends ‘ticks’ over the secure connection to the IPP. At the IPP, a payment server maintains a database of pricing information (i.e., different rates for recurring customers etc.) and also customer profile information. When each tick is received by the IPP server, it must be analysed. This process involves determining: · who sent the tick, · the product it refers to, · the price, · the currency to be used, · any applicable discounts, · who is paying, · how to bill the customer. The charging information generated by the IPP may then be utilised by a billing system – i.e. for monthly bills or direct debit from an account. This system seems to be quite attractive since it allows service providers a flexible way to charge for Internet services. Its accounting model is somewhat like a taxi cab meter. Both the rate at which the meter ticks, and the value associated with each tick are customisable by the service provider. Since the payment functionality may be integrated into a web server, the impact of adding this technology to existing systems is lessened. The ability to integrate the Jalda payment API into a client-side application is also an attractive feature of the system. 5.3 Example of international collection: GlobalCollect GlobalCollect 37 is a service of the TNT Post Group (TPG) that offers ‘…an integrated, transparent and secure solution for worldwide cross-border collection of consumer payments’. Their slogan is ‘Act Global, Collect Local’. Accordingly it supports the production and despatch of invoices and reminders to customers abroad, in the local language and the currency of payer’s choice, following the local customs. The invoice recipient can pay the bill with various local payment instruments. By means of GlobalCollect’s network of associated banks the payer may even use a domestic credit transfer for settlement, instead of a costly cross-border transaction (cf. [HiSt01]). The payee receives detailed reconciliation reports regularly. Other (value-adding) services offered are fraud detection and debt collection. It seems that the company aggregates single 37 See http://www.globalcollect.nl 50 G I G A P O R T cross-border payments from each foreign country that it operates in, into single intra-company transactions with larger value. Thus it reduces the relative cost of the cross-border transactions. It is not clear if they also reduce the delay involved in cross-border payments. 5.4 Generic system architecture In Figure 12 we present an architectural overview of a typical Internet-based electronic payment solution for an e-commerce site, a web shop. This picture results from an analysis of various products of e-commerce system vendors and service offerings from service providers. In the overall picture we distinguish between the systems that realise (1) the primary service, i.e. the web shop, (2) the Internet-based electronic payment system and its integration with (3) the overall payment system provided by the financial sector (which is described in [HiSt01]). This distinction is made visible in Figure 12 as the three horizontal layers. Furthermore we distinguish between systems that are consumer oriented (left-hand side) and merchant oriented (right-hand side). Looking at the consumer side as example, systems, e.g. an ewallet, resides either physically in the domain of control of the consumer or their functions may be used as a service from a party of the consumer’s choice. That is, the hardware devices and the software on it that make up these systems are in the consumers personal environment or in a trusted environment of his choice, for example his bank or telecom operator. A similar distinction holds for the merchant oriented systems. Consumer oriented Web shop application Web shop application Merchant oriented (server side) (client side) Primary service Internet payment system Interface Device Internet Internet Cash Register e-Wallet e-Purse, debit card payment instruments Public communication network ‘issues’ (client-side) Payment Gateway Banking application Issuer’s bank system Financial sector’s payment system Public communication network (server-side) Financial network Acquirer’s bank system Figure 12: The generic overall architecture of an e-commerce payment system Outsourcing of system functions to an external service provider is common practice. For example there are various providers of an Internet Cash Register that offer this function as a G I G A A B P / 2 0 0 1 / D 0 . 1 B 51 service over Internet. These are the so-called Payment Service Providers (discussed in Section 5.5). The white horizontal spacing in Figure 12 between the merchant’s web shop application and the Internet Cash Register represents the possibility of outsourcing the latter function over a public communication network. The Merchant may also implement the Cash Register in his own domain of control however. The equivalent of the Cash Register in the consumer domain is the electronic wallet or ewallet. Among others it functions as organiser of the various Internet payment instruments, i.e. of the client-side applications that implement these systems. E-wallets are discussed in detail in Chapter 6. Various Internet payment instruments that are supported in the Netherlands are discussed in Chapter 7. The ‘Banking application’ in Figure 12 may be any application that the consumer’s bank uses for communication with its customer, the consumer. For example, it can be a home- or webbanking application that the consumer may use for entering a bank transfer order, or obtain balance information. Payment gateway The payment gateway requires more attention because of the potential security problem it creates. Essentially a gateway links two different communication networks, in our case a public communication network (e.g. Internet, cable, PSTN, GSM, GPRS) and a financial network. The gateway implements the mapping of the different communication and security protocols on the two networks that it connects. This typically implies that it is an end-point in the security protocols that are used on both networks. Thus, decrypted transaction information may be present inside the payment gateway system. Therefore, the financial sector requires that the payment gateway is located inside the domain of control of a party that they trust and where they can supervise the system’s security. A variant of this security problem with gateways is encountered in the situation of mobile payment. The WAP- or IP-gateway in the GSM and GPRS/UMTS network respectively connects the Internet to the mobile operators internal network and finally the air ‘interface’ (see Figure 13). Payment information that is securely sent over the latter mobile network is decrypted in these gateways before it is encrypted and securely sent over the public Internet to the relevant financial institution. Therefore, unauthorised persons may be able to obtain sensitive transaction information from the gateway. It is hard for financial institutions to supervise these gateway systems. Air interface Internal network WAP- / IP-gateway Internet • GSM • GPRS • UMTS To financial institution Mobile network operator Figure 13: Simplified view on data flow through network and devices for mobile payment 52 G I G A P O R T 5.5 Payment Service Providers (PSPs) Payment Service Providers (PSPs) assist merchants in the realisation of an Internet Cash Register and the merchant part of electronic payment instruments (see Figure 14). They enable outsourcing of Internet cash register functionality and typically implement various payment instruments. Thus PSPs act as particular Application Service Providers (ASPs). They support the integration of primary applications with payment systems. Web shop application (server side) Merchant oriented Internet Internet Internet Cash Register payment instruments Public communication network (server-side) Payment Gateway Figure 14: Scope of Payment Service Providers Additionally PSPs may offer not only the domestic payment systems, but also instruments used in other countries. Merchants are offered the opportunity to select the national and international instruments that they are willing to except. This set of accepted systems can be customised to the local, national situation of the payer. Individual buyers can then select their favourite instruments from the merchant’s list. In this way cross-border payments are facilitated (recall Section 2.1.2) and the merchant can take care of the local payment culture (see [HiSt01] for comments on payment culture and its importance). Moreover, PSPs may also accept multiple currencies and provide instant exchange services, as well as risk management (e.g. fraud detection, check of creditworthiness). Currently there are various companies that offer these ‘payment services’ to Internet merchants. In the Netherlands three PSPs are now active: Bibit Internet Payments B.V., TWYP (‘The Way You Pay’ from the ING group) and NetGiro (related to the debt collection firm Intrum Justitia). The Privver service from the TNT-Post Group (TPG) also offers a payment service for electronic bills, but is essentially a document (mail, bill, …) presentment service. G I G A A B P / 2 0 0 1 / D 0 . 1 B 53 5.5.1 Bibit Internet Payment Services 38 Bibit B.V. is a Netherlands-based company with international operations in Europe and the U.S.A. that provides easy access to an extensive choice of payment services, for commercial Internet sites. Their services allow Internet merchants to conduct business with consumers without having to manage their own payment systems. The payment service is targeted towards individual customers that purchase items or services over the Internet. The main service that Bibit provides is a front-end to a large number of payment instruments (e.g. all major credit cards, bank transfers, direct debit). At the moment they offer more than 50 payment systems, of which various are limited to local use, within countries in Bibit’s domain of operation. Their payment services are tailored to the local customs of the payer: for each country a different suite of payment systems is available, following the countries payment culture. Bibit’s focus is on the support of Internet merchants: sellers can accept a diversity of payment instruments, without the necessity of implementing the systems themselves. The number of Internet businesses using the Bibit payment service is steadily growing. The services are supported by Bibit’s self-developed secure Internet payment platform. Apart from supporting international and country-specific payment applications, this platform also enables the use of multiple currencies and languages. Bibit takes care of conversion of for example customer currency to merchant’s currency. A typical use of the Bibit payment service function consists of the following steps: · A customer makes a choice of, e.g., the products on sale in a virtual shop. · For payment, the customer can choose one of the available payment methods. The seller determines which of the payment methods are made available, and also provides the interfaces. · For the actual payment transaction, either the seller contacts the Bibit server, or the buyer is redirected to the Bibit server. · Bibit contacts the acquirer associated with the payment method for the necessary authorisations etc. · After a successful payment authorisation (and possibly also a settlement, depending on e.g. the payment method and policies), Bibit notifies the seller, after which e.g. shipping or service provisioning can commence. · The acquirer and the issuer of the payment method take care of the actual settlement, without the involvement of Bibit. · All the payment transactions conducted through Bibit are centrally stored in Bibit’s transaction database. 38 See http://www.bibit.com/ 54 G I G A P O R T Figure 15 illustrates the Bibit payment process. Note that the highly centralised structure of this system puts high demands on the availability, performance, scalability and reliability of the Bibit servers. buyer redirect BIBIT acquirer issuer seller transaction database Figure 15: Bibit payment Bibit and Alysis, a vendor of EBPP software, signed a joint marketing agreement. This alliance allows Alysis to offer Bibit’s payment services to their European customers. 39 Pay-it-now Pay-it-now 40 is a product of e.Trade, a supplier of a series of Internet products that should cover the requirements of Dutch SMEs with regard to e-commerce. e.Trade resells products of other companies and offers consulting and integration services. Pay-it-now is powered by Bibit and started in June 2000. Its first customer is zibb.nl. 5.5.2 NetGiro Netgiro International 41 was founded in Sweden in Autumn 1997 as the prinicipal processor of all credit card transactions in Scandinavia for the bank PariBas. Netgiro Sweden counts companies like SJ (Swedish Railways), Ericsson and Telenordia (telecom) among its customers. Currently it is active in about 25 countries in Europe. In the Netherlands NetGiro 42 serves ‘BelBios’ , a service for ordering cinema tickets. NetGiro operates an Internet payment platform that supports various payment instruments, like all major credit cards, Rabo Direct Betalen, direct debit and micropayments through various wallets. Apart from payment processing, NetGiro is also part of the money flow from the issuer’s bank to the merchant account. They offer additional services for transaction reporting and analysis (the Online Transaction Tool – OTT). Moreover, they also have an electronic bill presentment service. 39 According to Bibit’s press release of December 18, 2000: ‘Alysis teams with Bibit to target European e-billing market’. 40 See http://www.pay-it-now.nl/. 41 See http://www.netgiro.nl/ 42 See http://www.belbios.nl/ G I G A A B P / 2 0 0 1 / D 0 . 1 B 55 5.5.3 TWYP TWYP - The Way You Pay 43 - The Way You Pay is an ING subsidiary that acts as Payment Service Provider for on-line merchants and consumers. It processes the on-line payment transactions and provides the merchant with real-time transaction information. TWYP offers Internet Cash Register and Payment Gateway functionality (recall Figure 12) as service for payment systems such as credit cards (EuroCard/MasterCard, VISA, Diners Club), debit card (Maestro), single transaction direct debit (see [HiSt01]), credit transfer, acceptgiro and cashon-delivery. Moreover, it provides on-line access to a site with management information, like a transaction overview ordered e.g. on payment status or transaction date. 43 See http://www.twyp.nl/ 56 G I G A P O R T 6 Electronic wallets: shopping and payment assistants 6.1 Introduction An electronic wallet or e-wallet is generally understood to be an application or service that assists consumers in conducting online transactions, e.g. by allowing them to store billing, shipping, payment and preference information, and to use this information to automatically complete a merchant’s check-out page. Electronic wallets are not payment instruments themselves. Like their physical counterparts they contain information and (software of) payment instruments, e.g. software-based purses to store electronic money or software that implements the consumer part of security or payment protocols such as credit card payment with SET (so-called SET wallets;; see Section 7.2). In the latter sense many payment systems use an electronic wallet: a piece of software that is installed in the consumers domain, on his PC, to implement the consumer-part of a payment application. Systems that only store electronic money are called electronic purses or e-purses. These are discussed in [HiSt01]. E-wallets link together consumers, web shop applications and various payment instruments (see . They come in two main types: client-side and server-side. Server-side wallets are also called ‘thin wallets’. Initially there were only client-side wallets. These require users to obtain and install software on their PC. The information stored in the wallet, i.e. on the PC’s hard drive, is protected by means of encryption. Server-based wallets enable usage of the wallet’s functions from any location on the Internet. Browser Application server Internet Consumer Webshop application Primary service Wallet application Mediation Secundary services (supporting: payment) Card reader IC Card Bank system PSP platform E-Money system (PSP: Payment Service Provider) Figure 16: The role of electronic wallets G I G A A B P / 2 0 0 1 / D 0 . 1 B 57 6.2 Basic wallet functions We identify three main functions for electronic wallets, which we shall illustrate by commercial products. These products realise a partial combination of the functions, typically not all of them. Basically an e-wallet may function as: 1. Shopping assistant, for filling in forms at webshops. Currently, many users find the manual filling out of these forms – typically specific to merchants – confusing and tedious. The process is errorprone. According to industry figures, consumers abandon more than 60% of online purchasing prior to completion. The Electronic Commerce Modelling Language (ECML) facilitates this function (see Section 6.4.1). The wallet stores the personal data and preferences that are used for these forms, like preferred billing or shipping address. Some wallets offer far more advanced options, like storing cloth sizes, and even body shapes. Benefits are in entering the data only once (and when necessary, changing only once) and protection of the information by encryption. 2. Means of identification and authentication in the virtual world, which is encountered in products as MicroSoft Passport and the mentioned SET wallets. The wallet may contain one or more digital certificates to identify the user, and which may be used for encrypting messages and placing digital signatures. It may also check the validity of certificates received from merchants. Merchants benefit from these functions by receiving better protection against fraud. 3. Payment instrument organiser, that is, the wallet contains the data on the cards and other payment instruments that it supports as well as the client software that is required for the operation of network-based payment instruyments. This functionality is encountered in the Wireless Wallet concept that was conceived at Ericsson and that has now been acquired by Xiring (see Section 6.3.4) An e-wallet could further be used for storing information on electronic transaction, like status and transaction receipts. 6.3 Product examples 44 A list of SET-wallets is available at the SETco website . Table 3 presents a list of commercial wallets that we shall discuss below. The table also presents the functions that each wallet supports and whether it uses a thick or thin client approach. The Nokia 6310 is a mobile phone that has been equipped with an ECML compliant wallet for use in m-commerce transactions. Because of the inconvenience for users of mobile phones to enter data, this wallet focuses on the shopping assistant and payment instrument organiser functions. 44 See http://www.setco.org/cgi-bin/vsm.cgi. 58 G I G A P O R T Product name Provider e-Wallet ABN-AMRO Bank Thick Passport Microsoft Thin Wireless Wallet Xiring (was: Ericsson) Thick Digitalme Novell Thin X Nokia 6310 Nokia Thick X 6.3.1 Payment instrument organiser Identification, authentication Shopping assistant Approach (thin/thick) Table 3: A comparison of some commercially available wallets on their functionality and approach. X X X X X ABN-AMRO’s e-Wallet ABN-AMRO has developed a wallet, called ‘e-Wallet’, for use on the Internet. The software must be installed on the user’s personal computer. Access is obtained by entering your ABNAMRO bank account and bankcard card number, followed by a challenge-response initated by the e-wallet. This challenge-response uses a small hardware cardreader, the ‘e.dentifier’, in which the same bankcard must be inserted and the user’s PIN entered. Based upon the challenge provided by the e-Wallet, the e.dentifier computes the response, which must be entered into the e-Wallet. The response is verified by an authentication server in the ABNAMRO domain. The wallet currently supports only Eurocard/MasterCard and Maestro. It is SET-compliant: the e-Wallet can be used at Internet merchants that have implemented a SET-based cash register supporting these two brands, or use a Payment Service Provider (Section 5.5) that has. In particular, the user can shop at the merchants connected to Interpay’s I-Pay payment gateway (to be discussed in Section 7.2.3). 6.3.2 Microsoft Passport Microsoft Passport 45 is a server-based wallet. It offers two basic services: (1) a ‘single sign-in’ by means of log-in name and password that provides single access to a growing number of participating Web sites, and (2) a payment service that allows users to make fast online purchases. The single sign-in service allows a user to sign in to any participating Passport site and have their personal details (which are stored in a user profile) automatically available to that site. The user profile contains personal data (such as the user’s name, address, phone number and e-mail address) and payment information (such as credit card number and expiration date). Passport can only be used for credit card payments. 45 G http://www.passport.com/ I G A A B P / 2 0 0 1 / D 0 . 1 B 59 The passport wallet is stored on a secure Microsoft server and whenever passport information is sent over the Internet, it is encrypted, then sent using a secure connection (SSL). The wallet service supports ECML (see Section 6.4.1). The system utilises cookies for user tracking. Passport offers additional services that have nothing to do with payment: the ‘Kids Passport’ service that lets parents control the personal information that their children convey and the ‘public profiles’ service that allows to create a public page of information about the user. 6.3.3 Novell’s Digitalme Novell offers a data storage service, called Digitalme. Internet-users can store their personal data, like shipping info and clothing sizes, at a special website, and use it when ordering goods. The data can also be send as a business card. The service was introduced quickly in October 1999 to be ahead of Microsoft’s Passport. 6.3.4 Xiring: the Wireless Wallet concept Xiring acquired this concept from Ericsson. It is unclear whether an implementation is currently commercially available. The Wireless Wallet is a product that provides convenient access to any smart card based service. Using Bluetooth, WAP and an integrated 46 smart card reader , the Wireless Wallet enables smart card transactions over the mobile Internet. 47 The Wallet can communicate with any Bluetooth device, such as a mobile phone, PDA or personal computer. According to Ericsson, mobile phones will be the first to come out in “Bluetoothenabled” 48 versions. A secure payment, e.g. for an airline travel ticket, is made following several steps: 49 1. You get on the Internet, using wireless or fixed-line access, and contact a travel agency or airline 2. You choose the route and times and make a reservation. 3. The travel agency asks you how you want to pay. 46 More on card readers can be found e.g. in [HiSt01]. http://www.ericsson.com/wirelesswallet/ 48 http://www.bluetooth.com/ 49 http://www.ericsson.com/wirelesswallet/How.htm 47 60 G I G A P O R T 4. On your Wireless Wallet's home page, you can see all the smart cards currently in your wallet. 5. Your Bluetooth device, for example your phone, displays your Wireless Wallet’s home page. 6. You choose the smart card to use for this transaction. Let's say you select a credit card. 7. The card communicates via the wallet over the fixed wireless Internet connection. 8. The transaction then goes from your bank to your travel agency’s bank. 9. Your travel agency registers the payment. 10. The ticket is immediately downloaded to your smart card which will be read at the airport. 11. Finally you can get information about your flight or change your reservation 24 hours a day via your WAP phone, palm or personal computer. The ticket is already stored on a smart card in your Ericsson Wireless Wallet. The code for making ticket reservations and payments are stored on an application server at the travel agency or airline. The phone, notebook PC or desktop used for the reservation contains a WAP browser, while the Wireless Wallet contains a WAP server. The Wireless Wallet communicates with the cards using their normal interface and application software (see [HiSt01] for more information on these interfaces and on standards for chip cards). The communication goes over the Internet via your Bluetooth device and the wallet to the Smart Cards. 6.4 Wallet standards and frameworks The e-wallets standards that are currently available do not cover all three main wallet functions that we mentioned in Section 6.2. The shopping assistant function is supported by means of the Electronic Commerce Modelling Language (ECML) and there is a framework that describes a reference system architecture for the payment instrument organiser function: the so-called ‘SWAPEROO’ Digital Wallet Architecture [DBG+98]. This is the result of academic research however, of the ‘Digital Wallets’ project at Stanford University (U.S.A.). 50 We are not aware of commercial implementation of this framework. A wallet framework that is commercially used is the Java Wallet framework. We briefly treat this framework below. 6.4.1 Electronic Commerce Modelling Language (ECML) The IETF and W3C’s Electronic Commerce Modelling Language [EaGo99] is the product of 51 the ECML Alliance , which consists of a number of major industry leaders including American 50 51 See http://www-db.stanford.edu/~daswani/wallets/ See http://www.ecml.org/. G I G A A B P / 2 0 0 1 / D 0 . 1 B 61 Express, AOL, Brodia, Compaq, CyberCash, Discover, FSTC, IBM, Mastercard, Microsoft, Novell, SETCo, Sun Microsystems, Trintech and VISA. The ECML specification simplifies the exchange of payment, shipping and billing information between consumer and merchants – in particular, between consumer wallet applications and merchant servers – by providing standard labels and formats for attributes of web-forms in HTML pages. These labels include (among others) credit card, billing and shipping address information. Standardisation of these labels enables the automatic completion of electronic order forms at web shops, where electronic wallets act as shopping assistant. Thus ECML aims at simplifying online shopping for consumers and thus increasing merchant’s revenues 52 by reducing the high percentage of abandoned shopping carts . A full description of ECML is 53 given in the IETF’s RFC 2706 . 54 The ECML standard is adopted the wallet vendors in the ECML alliance: Brodia, CyberCash , 55 56 57 IBM , Microsoft Passport , and Trintech . Nokia introduced a mobile phone, the Nokia 6310 that contains an ECML-based electronic wallet for use in mobile commerce transactions. The use of ECML does not require a licence, being an open IETF standard. We conclude with an important observation made in the introduction of RFC 2706, by the IESG. Namely, that the ‘…data model [of ECML] is heavily biased towards conventions used in the United States, and the English language. As such it is unlikely to be suitable for international or multilingual use in the global Internet.’ 6.4.2 Java Wallet The Java Wallet is a client-side architecture designed to bring together pluggable commerce components to enable complex and secure online transactions of value and information in a platform-independent environment. The Java Wallet, as an open platform for purchasing, banking, and finance, is extensible, providing a framework whose functionality can be extended to accommodate the needs of a variety of institutions and end users. The Java Wallet framework incorporates: · the Java Commerce Client (JCC) - a client side solution for secure electronic commerce transactions. JCC users are provided with a Wallet-like user interface, a database, and an extensible platform that enables the use of a variety of payment instruments and protocols, · Commerce JavaBeans components which plug into the JCC and extend its functionality (new protocols etc.), 52 Jupiter's February, 1999 Consumer Survey indicates 27% of online buyers abandon orders prior to purchase due to the hassle of filling out forms. 53 Available at http://www.ietf.org 54 http://www.instabuy.com/ 55 http://www.software.ibm.com/ 56 http://www.microsoft.com/wallet/ 57 http://www.trintech.com/ 62 G I G A P O R T · the Gateway Security Model - a system of gates and permits that restricts access among Beans and between Beans and the JCC according to the Limited Trust Model of security. · and Java Commerce Messages - a format in which commerce servers communicate with the JCC. 6.5 The future of e-wallets Adoption of e-wallets by consumers is not widespread, while wallet vendors such as Brodia, CyberCash, IBM, Microsoft and Trintech provide them free of charge to consumers. The obstruction may lie in the charges merchants have to pay for making use of wallets and the current absence of sufficient standards. The uptake has been slower than expected also because of the initial choice for client-side (‘thick’) wallets, which requires consumers to obtain and install software on their personal computer. In fact, there are hardly any client-side wallets that were successful. The future of e-wallets will be in server-based solutions, such as Microsoft’s Passport (Section 6.3.2) or AOL’s ‘Quick Checkout’. These make downloading and installation of wallet software obsolete, and will offer multi-channel functionality: the same service can be accessed from any location over any communication channel. 58 A multi-channel server-based wallet also solves synchronisation problems by its centralised approach. Client-based solutions may coexist however for end-user devices with restrictive technical attributes, such as mobile phones. These solutions are then purpose-built for these devices. We expect that e-wallets will meet larger consumer acceptance if they provide the full set of basic functions that we described in Section 6.2: · · · Shopping assistant, Means of identification and authentication, and Payment instrument organiser. Offering these three services in a combined ‘package’ could be the value-adding role of a Wallet Application Service Provider (WASP) - from the consumer’s perspective. Payment Service Providers (Section 5.5) seem to target the Internet merchants instead of the consumers. Therefore, there seems to be a role for a party serving consumers. Microsoft seems to take this approach with its Passport concept. The organising function for payment instruments is especially important in the still diverse (international) world of Internet payment systems, not only in electronic commerce, but also in the exploitation of electronic products (content and services) over fixed and mobile Internet. We continue by treating this particular payment context. 58 G See also ‘Forrester on e-wallets’: http://www.ecml.org/Forester1012.htm: ‘Server-based wallets will prevail’. I G A A B P / 2 0 0 1 / D 0 . 1 B 63 7 Adaptation of real world payment instruments 7.1 Introduction Consumers are accustomed to using particular electronic payment instruments for transactions in the real world, at physical points-of-sale. Instruments like credit card, debit card and card-based electronic money. [HiSt01] discusses how these instruments work in that context – from a business and technology point of view. The providers and operators of these systems are firms in the financial sector: banks and clearing houses like Interpay (recall Figure 3). They are adapting these instruments to the special characteristics and requirements of public communication channels: fixed and mobile Internet. Special care is taken of the issues with payment over such public networks (Section 5.1). In this chapter we treat the adaptations and special protocols that have been devised for the use of the ‘traditional’, real world electronic payment systems on fixed and mobile Internet. 7.2 Credit cards Credit cards are the most popular payment instrument on the Internet right now. [Econ01] estimates that in the US about 50% of Internet transactions are paid for by means of credit card. 59 They are simple to use and they also provide a relatively easy and efficient way of implementing cross-border payments (see [HiSt01] for details on cross-border payments). Looking at this popularity it may seem that there are hardly any drawbacks to its usage. The opposite is true however. Credit card transactions on the Internet meet a high rate of fraud. This fraud is mainly caused by consumers that use stolen or false card details (card number and expiry date), fraudulent merchants that provide these details to others, or hackers obtaining these details by cracking the security of the appropriate servers. Only a small amount of details is obtained by ‘sniffing’ the network traffic. Various security protocols for credit cards have been devised to solve this problem. Secure Socket Layer (SSL) takes care of the communication, while Secure Electronic Transactions (SET) makes sure that only those parties that really need to have particular transaction information (like the card details) actually are able to access this information. Between these extremes with regard to security there are various variants, like Three Domain SET (3D SET). A completely different approach is that of ‘one-time card numbers’. Here the cardholder obtains card details that are valid during a specified period of time, often only for a single transaction. The cardholder can obtain this one-time card number on-line from his card issuer. 59 This is only 2% of all credit card business, most of which takes place at Point of Sale (POS), e.g. in shops, restaurants and hotels [Econ1]. G I G A A B P / 2 0 0 1 / D 0 . 1 B 65 It should be noted that the merchant runs the largest risk when accepting on-line credit card payments (except when using SET): the risk of charge-backs and fines when this happens too often. The credit card organisations consider a credit card transaction over Internet as a ‘cardnot-present’ transaction. In that case the merchant has the burden of proof that the consumer has actually ordered the goods that he paid for (and that these were delivered). In principle the consumer is directly refunded. Currently credit card organisations are making an exception for sex sites and on-line gambling. Apart from security risks there are also some non-technical objections to the use of credit cards for online payment. These may impose even stronger restraints on the applicability of credit cards on Internet: 1. Penetration of credit cards in the consumer population, Not every consumer may have a credit card, or is able to obtain a credit card. For example, people in the age of 15-18 years old are often surfing the Web. They cannot have a credit card to make payments on the Web, however. Others may not have a sufficient income to obtain a credit card. Therefore, credit card as a universal payment instrument on the Internet is not feasible. 2. Payment culture, Outside the Anglo-Saxon world credit cards may be less popular. This situation depends on the payment culture (see e.g. [HiSt01]). In the Netherlands about 4 million credit cards are in circulation, but they are not commonly used. 3. Consumer perception of security, Technically a system may be sufficiently secure, form the perspective of the operator, but it is also important that the users have the perception that it is secure. Credit cards on Internet now suffer from a lack of consumer confidence, at least in the Netherlands, in particular user groups of the Internet, e.g. the starters. For further backgrounds on the credit card system, like business model, technology, players involved and statistics the reader may consult [HiSt01]. We continue with a discussion of security schemes for credit card payments over Internet. 7.2.1 Secure Socket Layer (SSL) The Secure Socket Layer 60 (SSL) is a general-purpose protocol that secures every dialogue between applications across a ‘socket’ communication mechanism. If a client and a server communicate using this protocol, the server is always authenticated and the client may be authenticated. SSL is implemented above TCP and is independent of the higher-level application protocol that layers on top of it. For the web, this means that SSL sits in between the HTTP protocol and the TCP protocol. The protocol was developed by Netscape Corporation in 1994, and is widely used. It is approved as a standard of the Internet Engineering Task Force (IETF). 60 An interesting source of information on SSL is http://webopedia.internet.com/TERM/S/SSL.html. 66 G I G A P O R T SSL’s main application is securing credit card transactions on the World Wide Web. All of the application protocol data is transmitted encrypted. SSL uses RSA for key exchange and a choice of protocols for further encryption. One of the limitations is that it offers no means of determining the identity of the receiver. The receiver may be an illegal collector of credit card details. More limitations are discussed in [Stei98]. MasterCard International requires the use of the Card Validation Code (CVC) for Internet 61 credit card transaction over SSL, starting April 1, 2001 . This is a 3-digit code that is printed on the credit card in addition to the card number and expiry date. The Private Communications Technology protocol is the Microsoft equivalent of SSL. PCT is compatible to SSL, but servers that implement both protocols can distinguish between PCT and SSL clients. The most important difference between the protocols is the increased security, including the repair of bugs in SSL. The repairs concerned the authentication of a client when a broken session is reconnected. Furthermore, the possibilities to negotiate cryptography were extended. Several other systems, such as Point to Point Tunnelling Protocol (PPTP) and Layer 2 Forwarding (L2F) work on similar lines to create a secure channel between the parties. 7.2.2 Secure Electronic Transactions (SET) Secure Electronic Transactions is a payment protocol for credit card payments. Its development started in January 1996 as a joint initiative of MasterCard, Netscape Corporation, IBM (all three formerly involved in SEPP – Secure Electronic Payment Protocol), Visa, Microsoft and others (the latter two involved in STT – Secure Transaction Technology) [OMPT97]. The alliance is referred to as SETco 62 and is tasked with the management of the SET specification and the promotion and support for use of SET on the Internet. SET assumes the existence of a transaction processing and information distribution infrastructure within the card organisation. The protocol covers the communication between Payer (cardholder), Payee (merchant) and the Payment Gateway Provider (which role may be played by a party other than the Acquirer, for example a Payment Service Provider; see Section 5.5 below). The main purpose of the protocol is to secure this communication in such a way that neither the Payee, nor the Payment Gateway Provider can access all purchase transaction details. In fact, the Payee has access to the order information, but not to the payment information which contains the credit card details, while the Payment Gateway Provider has access to the payment information, but not to the order information. 63 The SET uses various encryption mechanisms to realize this , but the main role is plaid by public-private key mechanisms. To that end a Public Key Infrasture (PKI) is incorporated. The corresponding Certificate Authority (CA) hierarchy consists of a Root CA that signs the 61 62 63 G See http://www.i-pay.com/aanbieders/pags/cvc2.htm See http://www.setco.com Consult e.g. [OMPT97] for a detailed treatment of the security aspects. I G A A B P / 2 0 0 1 / D 0 . 1 B 67 certificates of the each of the Brand CAs using a 2,048 bit key (one Brand CA per credit card brand). The Brand CA signs certificates for the Cardholder CA (the Card Issuer), Merchant CA (the Customer Acquirer) and the Payment CA. The latter three CAs then sign the certificates for the cardholder, merchant and payment gateway provider respectively. Apart from the Root CA all use 1,024 bit keys. The certificates use the X.509 version 3 format ([OMPT97], Section 4.9). As additional security, neither cardholder’s name, nor card number are shown in the certificates. Instead a numeric quantity is used that has been computed from the credit card number and other input. This number is stored in the issuer domain and is used for the duration of the certificates’ validity. Simplified, the protocol works as follows. It starts after the cardholder has indicated that he wants to initiate payment for his order. The merchant then identifies himself with his certificate and provides the cardholder with the public key of the payment gateway provider. The cardholder can then encrypt the payment information using the latter key, such that the merchant cannot access this information. The merchant forwards the payment information to the payment gateway provider in his Authorisation request. 7.2.3 I-Pay 64 I-Pay – Interpay’s Dutch SET payment platform is the Internet payment infrastructure that was jointly introduced by Dutch banks in 1996. It has been developed by Interpay, which also operates the platform. The infrastructure aims at enabling credit card and debit card payments on the Internet. Currently only the Eurocard/MasterCard and Maestro brands are supported, probably because Interpay is involved in the transaction processing for transactions of both brands made in the physical world (see [HiSt01]). The platform is an implementation of the SET protocol for credit card payment (see Section 7.2.2). There is a payment gateway for the Eurocard/MasterCard credit card brand and for Maestro debit cards, which is operated by Interpay. The Maestro debit card payment instrument can only be used at Internet shops that have a bank account in the Netherlands. The credit card instrument should be usable at any SET-enabled merchant worldwide. Interpay functions as Certification Authority for SET in the I-Pay system ([LGKV00], Box 3.1, p. 40), and also as software provider: it offers (unbranded) SET wallet software that needs to be installed on the payer’s PC and an Internet Cash Register application (Internet Centrale Kassa – ICK) for the merchant’s domain, which implements the merchant’s part of the SET protocol. The Internet Cash Register can be connected to the merchant’s Web shop or any other application through a special API. 64 See http://www.i-pay.com 68 G I G A P O R T 65 The Payment Gateway does not support all SET messages . In fact, the system only processes authorise and capture requests for the credit card scheme and ‘Sale’ transactions for Maesto. The capture request has the additional constraint that the captured amount must be equal to the authorised amount (see [HiSt01] for details on the credit card payment process). Moreover, the system only deals with Dutch guilder and euro as currency. Currently only by ABN-AMRO, ING Bank, Postbank and SNS Bank support SET payments as card issuer, using the I-Pay platform. At the moment merchant support for SET consist of 66 about 215 Dutch merchants . ABN-AMRO has developed a special (branded) SET wallet, called ‘e-Wallet’, which makes use of the I-Pay infrastructure 67 (see Chapter 6). [BöRR99, p.49] assumes ‘…that it is seldom used.’ It mentions 20,000 reported users. No official usage statistics are available however. 7.2.4 The Three Domain Model (3D SET) The ‘Three Domain Model’ (3D) is more a philosophy than a technology. The idea is to split responsibility for security, for identification and authentication, over the various parties involved. Three domains can be identified (cf. [HiSt01]): (1) the issuer-cardholder domain, (2) the acquirer-merchant domain and (3) the interoperability domain, between the previous two. In the 3D approach each player within a domain (an issuing bank, an acquiring bank and the card brand organisation respectively) decide the security technology to be used, based upon his or her own risk assessment. The Three Domain Model ensures that the distributed systems can co-operate. More importantly, it prescribes the legal aspects, the responsibilities and liabilities of the various parties involved. 7.2.5 Virtual Credit Cards In 1998 VISA first issued a virtual credit card. This ‘card’ in fact is a SET certificate. The system is based on the SET protocol and uses a wallet that stores the certificate. The wallet can also contain certificates of other credit card brands. Consumers that want to apply for a VISA virtual card, should already have a VISA account. Merchants that want to accept the virtual card need SET software and need to have this software verified by VISA. GiSMo GiSMo is a GSM-based virtual credit card. It uses the customer’s mobile phone as an authentication tool. Before use, a customer must register at GiSMo’s web site. When purchasing at a merchant who accepts GiSMo, the customer clicks on the GiSMo button and enters his pass codes. The system generates a random number, which is sent to the 65 According to http://www.i-pay.com/aanbieders/index.htm According to http://www.i-pay.com/winkels/abnamro/winkels/allshops.htm. The I-Pay ‘Internetwinkel boulevard’, on the I-Pay web site (http://www.i-pay.com/winkels/index.html) mentions only 90. 67 See http://www.abn-amro.nl/frameset.html?/particulier/producten/indexframe-ewa 66 G I G A A B P / 2 0 0 1 / D 0 . 1 B 69 customer by SMS. The number must be entered on the purchase interface within two minutes. Bills are sent by email. GiSMo was released commercially in Sweden November 1999. Plans were to roll out to other parts of Europe in 2000. Using GiSMo is free to the customer, but asks a substantial fee from the merchant: 5000 Swedish Kronas for launch, a monthly fee of 400 Kronas, and a cut of 3.5% per transaction. GiSMo is a subsidiary of Millicom International Cellular, a Luxembourg wireless carrier. 7.3 Debit cards The debit card offers direct access to the cardholders bank account for the purpose of payment to merchants in point-of-sale transactions. There, the payment terminal interacts with the magnetic stripe on the bankcard and the cardholder for entering the PIN-code on the terminal’s console. The terminal then transmits the data securely to the issuing bank’s systems (through Interpay as ‘data switch’). These systems respond with the payment authorisation. The main concern (from the banks’ perspective) for use over public communication channels is in proper security and authentication. The banks consider the consumer’s PC as an insecure device, as opposed to the payment terminal at the physical shop. Therefore the banks use a secure intermediary device for reading the debit card, entering the PIN code and computing a response in a challenge-response type of authentication scheme. For example, ABN-AMRO uses a calculator, the ‘e.dentifier’, for authenticating access to a web-banking application or their e-Wallet (discussed in Section 6.3.1). The Rabobank uses a similar approach with their ‘Random Calculator’. Both calculators require that the user inserts the debit card and enters a PIN-code, after which a response is computed based upon a challenge. An authentication server in the bank’s domain of control provides verifies the response. The systems in the above mentioned examples implement an authentication system for access to some other (primary service) application. If this is a payment organiser like an electronic wallet, the user experience of accessing this wallet is quite similar to a debit card payment transaction at a point-of-sale. Technically the schemes use different systems however. 7.3.1 Rabo Direct Betalen The Rabobank offers the Direct Betalen service (‘Direct payment’), which enables directly charging payments to the payer’s standard bank account. The service is only offered to customers of the Rabobank who already use Rabo Internetbankieren or Telebankieren. The Rabo Direct Betalen system is valid for payments up to Fl. 5000 per day. Merchants are not required to have a Rabobank account. They must open a shop at a virtual marketplace called ‘Trefpunt’ however. This is a Rabobank initiative; the charge is Fl. 100 a month. Thus, Rabo 70 G I G A P O R T Direct Betalen can only be used by payers and merchants that have an account within the Netherlands. The payer must have an account at Rabobank. Initially the so-called digipasswas used for authentication. This system generated a one-time password (a number) for every transaction, based upon a provided challenge and the personal digipass. Now the digipass is replaced by the debit card and Random Calculator (as discussed above in Section 7.3). The calculator is not personal, unlike the digipass. Therefore consumers may use each other’s calculator with their private debit card and PIN-code if that is necessary. Transfer to Rabo accounts is direct as this type of payments is processed internally, within Rabobank’s back-office systems. Transfer to an account held at a different bank involves the interbank payment infrastructure. This consequently takes more processing time (1-2 days). 7.3.2 On-line use of Maestro Maestro was conceived initially as a scheme that enables the international usage of debit cards in payment transactions at physical points-of-sale [HiSt01]. The I-Pay SET payment platform (Section 7.2.3) supports online payment with debit card using the Maestro scheme. Such payments are restricted to (1) merchants within the Netherlands that have an I-Pay compliant cash register, and (2) consumers having a debit card issued by a Dutch bank that supports I-Pay (ABN-AMRO, ING Bank, Postbank and SNS Bank). The transactions are finally processed through the debit card payment system of Interpay and the Dutch commercial banks. 7.4 Card-based electronic money According to experts card-based electronic money is best applicable in situations where there is no human-to-human interaction required, at so-called unattended points-of-sale [HiSt01]. Examples of such points are vending machines, parking meters, public transport ticketing and also web shops on the Internet. Rabobank seems to be working on an Internet-‘version’ of the ChipKnip [BöRR99]. Abroad, in Germany, the Zentraler KreditAusschuß announced in June 1999 that German electronic purses could be used on Internet. The system uses a card reader plus additional software at the consumer side. In Belgium the Proton card, which is the same technology as the ChipKnip, can be used on Internet (Section 7.4.1 below). Purse schemes cannot directly be applied for on-line use, as this implies high security risks. Moreover, the chip cards on which the electronic money resides must be coupled to the devices and applications that realise the service for which the consumer should pay. Card readers are required. [HiSt01] provides a discussion on card readers. Here we focus on security schemes for card-based electronic money schemes. One option is using an enhancement of SET, realised in SET version 1.0.Another option is C-SET (Section 7.4.2 below). G I G A A B P / 2 0 0 1 / D 0 . 1 B 71 7.4.1 Proton on Internet Proton has met with limited success on the Internet, although Banksys was clearly aware of the potential of chip cards for payment on the Internet at the start of Proton. It upgraded their C-ZAM POS terminals from the Bankcontact/Mister Cash debit card network and made it available to the public as card reader in December 1997 (for 1,999 BEF, i.e. € 49.55). In December 1999 some 8,000 readers had been sold, far under the target of 20,000 [Hove00]. Almost one year after the start-up there were only six online shops – all Belgium – that accepted Proton payments over Internet. Currently there are 26 e-merchants accepting 68 Proton payments over Internet , still not very much. The cost for merchants were the following: participating merchants pay a commission of 3% of the transaction value to Banksys and 1% to the Internet access provider EUNet [Hove98]. 7.4.2 Chip-Secure Electronic Transaction (C-SET) One possible protocol to secure purse schemes for use on the Internet is Chip-Secure Electronic Transaction (C-SET). C-SET is based on the SET protocol (see Section 7.2.2). CSET was tested in a nation wide project in France and is now an approved SET extension. C-SET requires a number of hardware devices: · · a chip card, containing a special area reserved for Internet payments; a secured card reader (supporting several types of cards, secured against replacement of internal software, supporting RSA, and certified by the card issuing bank) · · an ‘electronic commerce black box’: a secured encryption unit an ‘Internet Remote Payment Controller’: a payment gateway. The consumer must obtain and install dedicated software. The C-SET protocol operates as follows: 1. The consumer starts the payment procedure through the browser. 2. The consumer inserts his chip card into the card reader. The card reader works as a payment terminal: the customer enters his PIN. 3. The Internet data in the chip plus the order data are encrypted with DES using the secret key stored in the chip. The result is transmitted to the merchant. 4. The merchant forwards the data to the Internet Remote Payment Controller, who performs security checks, and forwards the data to the banking network. 5. The result of the authorisation is returned to the merchant, who in turn notifies the customer and finishes the sale. 6. The customer receives a receipt from his card reader. 68 According to the ePSO datatbase, see http://epso.jrc.es/ 72 G I G A P O R T The customer can view the state of the payment. Additional hardware is available to guarantee secure international money transfers and to translate SET to C-SET and vice versa. 7.5 Trends and developments Most developments with regard to adapting real world payment instruments to the virtual world seem to be devoted to the credit card system. The main developments are (1) adapting credit cards for usage over mobile communication networks and (2) increasing the security of credit card payments, e.g. by using chip card technology. With regard to mobile developments, Visa and Nokia announced in a press release 69 that they plan to co-operate on a project that aims to develop ways of making it easier to buy goods and services over a mobile phone. The two parties reached an agreement to look for simple, ‘click-through’ payment methods for use with the Wireless Application Protocol (WAP), so - in theory - users could activate payment to a provider of goods or services simply by choosing an option onscreen. Nokia indicated that they intend to add a second SIM card to their handsets to be used for storing payment data. MasterCard and Motorola are working on a standard for wireless buying. They announced their plans in July 2000. The standard will allow payment from a Motorola Internet phone or other wireless device using a MasterCard. The agreement is part of MasterCard’s Global Mobile Interoperability Group. The development of the Nokia 6310 (recall Section 6.3) can be viewed in the light of enabling mobile e-commerce (m-commerce) as well. American Express issued the Blue Card, a credit card that besides the magnetic strip includes a chip for payment on the Internet. The chip holds a certificate used for the authentication of a wallet. The system further consists of a card reader, a PIN code, and software. American Express guarantees against ghost payments, offers refund possibilities, guarantees delivery, exchange and return possibilities. Blue was issued in Europe in Fall 2000. 69 G See http://www.totaltele.com/view.asp?ArticleID=25811&Pub=tt. I G A A B P / 2 0 0 1 / D 0 . 1 B 73 8 Exploitation of electronic products 8.1 Introduction In this chapter we discuss in further detail issues that arise when providers of digital content and electronic services let consumers pay for the consumption of these products on a perusage basis, possible combined with direct payment. Of particular interest is the support for payment transactions with a value in the range of about € 0.10 to € 5 (recall Figure 2). Thus the exploitation strategy is ‘sliced payments’, ‘pay-per-view’ or ‘pay-as-you-play’. We assume that the products are delivered electronically: CDs and DVDs contain digital content, but they have a physical carrier. Delivery of such goods consequently takes place through physical channels. Moreover, their value typically exceeds € 5. Payment issues concerning the selling of physical goods in an electronic shop have been discussed in Chapter 6. 8.2 Characteristics First of all it should be noted that a usage-based exploitation strategy and direct payment, that is payment just before or while consuming, introduce functional requirements that are less an issue in a per-transaction, shop-like situation: · Usage must be accurately measured, That is, measured per consumer or consumer group. Then it is rated (charged) and aggregated before payment can take place. This involves dedicated measurement systems and more computational effort than in a fixed-price, transaction-based context. Furthermore, if direct interpretation of the measured usage data is a requirement, then there are various consequences for the architecture of the supporting system. For example, the system must support (semi) real-time data processing for large data volumes in that case. · Payment and delivery systems are closely integrated, If direct payment is used, the Operation Support System that controls the electronic delivery of content or services will be connected to the payment system, or to the Business Support System of which the payment function is a part (see Figure 17): if a (partial or sliced) payment fails, delivery is stopped or not even started. Obtaining real-time feedback on the transaction status (‘paid’) is hard when using the banks’ retail payment infrastructure. The overall system design with aggregation, clearing and once-a-day settlement is prohibiting such functionality (cf. [HiSt01]. Client application Product request Product delivery Delivery application ‘Controls’ Operation Support System Usage Authorisation Payment request Business Support System Figure 17: Relations among payment and delivery systems G I G A A B P / 2 0 0 1 / D 0 . 1 B 75 Other characteristics of content exploitation find their origin in the nature of the products that are sold, and the distribution channel: · Prices per unit are low, Resulting in small charges up-front, during or after consumption. The supporting systems must be designed to be cost-efficient with regard to the expected charge amounts. · Marginal costs are low, Meaning that the cost of producing an additional copy of an electronic good or providing an electronic service to an additional customer is low. This makes copyright protection, or more general Digital Rights Management, an issue. · Support for economies of scale, Systems that implement DRM functions are costly when compared to the low prices per unit. Thus high initial investments must be recouped by means of large volumes of products. The system that handle the payment functions must therefore be able to support such large volumes. · Support for ‘impulse buying’, We expect content and service consumption in the consumer domain to be more subject to ‘impulse buying’ than in an e-commerce setting (partially because of the higher prices in the latter situation). Consumers feel a need for information, entertainment or special services and would like to see this need fulfilled in short notice. Subscriptions are an obstacle for such ‘once-stop-shoppers’. This makes exploitation strategies such as ‘postpaid billing’ for the content or service provider less feasible, unless these providers outsource these functions to parties that have a long lasting, recurring customer relationship. In fact, the use of a billing concept when small charges are expected is feasible only in a situation where users will frequently return for new purchases within a billing cycle, i.e. the time-period between to subsequent invoices. Moreover, late- or nonpayers may causer debt collection costs that heavily outweigh the aggregated charges on the bill. There is an ongoing discussion about user’s willingness-to-pay in the context of content exploitation. Most experts seem to agree that users are willing to pay for value-adding services concerning content and content distribution, but that they are not for the content in itself. We are not aware of scientific or market studies that address this topic however. 8.3 Potential payment scenarios The value system of firms involved in the distribution of electronic products over communication networks (see Figure 18) provides insight in the potential payment scenarios for electronically delivered products. In fact, in this value system there are the Content provider (starting-point) and Consumer (end-point), and in between various service providers that together realise the distribution of the electronic data. There are the Access Network Operators. They operate the co-called ‘local loop’, i.e. the telecommunication network that connects the Consumer and Content Provider to the ISP, e.g. fixed phone (PSTN) and hired line, cable, or mobile networks (GSM, GPRS, UMTS). The ISPs are connected through high capacity (broadband) backbone networks for IP-traffic. 76 G I G A P O R T Content provider Consumer Network access Access Network Operator Internet access & services ISP Network access, transport Network access, transport ISP Network access, transport High capacity interconnectivity Access Network Operator Backbone Network Operator(s) Legend: Role player Service provisioning Figure 18: Basic content distribution value system In practise, those service providers that are involved in the distribution process and have a direct relationship with the Consumer may also be involved in systems that realise payment for the distributed content: the ISPs or the Access Network Operator. There are also providers that are not involved in the electronic distribution, and that act as independent service providers for (micro-)payment services or total solutions (including Digital Rights Management). They target the Content provider as customer. Thus there are various scenarios for payment for content distribution. We continue by providing examples of scenarios where other parties than then the content provider realise the collection of the content provider’s charges. 8.3.1 Example: ISP – Trivnet’s WiSP Trivnet Ltd. 70 is a company with headquarters in Israel (founded in 1997) that develops paymenet systems for IP environments. In particular they enable ISPs to charge transactions to accounts held at that ISP or at a telecom network operator. This payment processing system is called ‘WiSP’. The patented technology enables the system to automatically identify the subscriber’s identity and billing information from the dynamically allocated IP number, regardless of proxies ‘or other barriers…’. The intended customers are merchants, ISPs, mobile service providers and billing companies. WiSP allows to bill online purchases through multiple channels, like mobile telephone bills, ISP bills, telephone bills, and credit cards. The WiSP payment solution has been operational since February 1999. Trivnet’s business model is based on revenue sharing, in which commissions paid by the merchant per transaction are shared between Trivnet and the ISP/telco. For merchants there is no minimum charge per transaction, allowing the sale of low-cost digital content. 70 G See http://www.trivnet.com I G A A B P / 2 0 0 1 / D 0 . 1 B 77 To the user, the look-and-feel of a WiSP-enabled site is similar to a free web site. Consumers do not need to download software or to register. WiSP jumps into action only when the user clicks on the product he wants to purchase. At this point, Trivnet identifies the user by his ISP. If the ISP is WiSP-enabled, the user sees a Purchase Authorization form created by Trivnet. The form is based on details supplied by the merchant, such as product name and price. To complete the purchase, the user must click Approve in the Purchase form. The user will be charged on his next ISP/telco bill. Every transaction is also recorded in the Trivnet database. At the end of the month, Trivnet transfers the transaction details to various ISPs so that they can charge their users. The payment flow and transfer of funds between all parties involved in the purchase process runs from user to ISP to Trivnet to merchant. Users can track their WiSP purchases through the Personal Account Manager (PAM). They may define a PIN for their WiSP account, to enhance the feeling of security and to prevent WiSP purchases by unauthorized people who may have access to the user’s PC and ISP account. Users can choose when WiSP will ask for the PIN from a number of options: when purchasing an item, when purchasing an item from an adult-oriented merchant, or when accessing the PAM. Users connected to the Internet through ISPs that are not WiSP-enabled, can still use the WiSP technology by using the WiSP Credit Card (WiSP CC). WiSP plans to support multiple currencies and languages. Prices will then appear both in the user’s and the merchant’s currency and purchase details in the user’s language. Each WiSP account has a credit limit of $100/month; this limit can be adjusted by the ISP and Trivnet. The Traveler feature allows the users to make WiSP purchases when he is not connected through his standard ISP, by previously setting up a traveler username and password through the PAM. We now describe the architecture of WiSP. To manage all the interactions between the software and data, WiSP uses four servers: The Central WiSP Server, responsible for synchronizing the flow of identification, authorization, and billing, serves as the central authorizing agent for all WiSP transactions. The Central WiSP Server is located near the Internet backbone and maintained by Trivnet. The WiSP Identification Server interfaces with the ISP’s authentication servers to allow the automaticidentification of the user. The WiSP FTM Server serves as the gateway between WiSP transactions and the financial world. The server tracks charges and payments, distributes revenues, and serves as a frontend for financial customer service. It is located near the Central WiSP Server and maintained by Trivnet. The WiSP Merchant Interface integrates with the merchant site and is responsible for initiating the transactions, and managing pricing and authorisation for products. Integration with the merchant’s site is established by the WiSP merchant API. 78 G I G A P O R T 8.3.2 Example: Access network operator The access network operator already has a payment relationship with the consumer: pre-paid or post-paid, by means of billing. Content and electronic service providers could make use of this relationship for their purposes. Their charges may be added to the operator’s bill or may be made to the cost of the consumer’s pre-paid account. This approach will be facilitated by the development of Open Service Access platforms such as Parlay (recall Section 2.4). There are various problems that need to be solved in this case however: · Credit risk By including charges of third parties in his bill the operator is running a larger credit risk. It may even be the case that disputes over third party charges may delay payment for the operator’s services that are on the same bill. · Banking licence When an operator let ‘arbitrary’ service providers charge pre-paid accounts, operators are starting to attract funds from the public and require a banking licence. · Payment on company’s account The company for which the consumer works may pay for his (mobile) communication costs. They may be less willing to pay also for the employee’s consumption of electronic products outside working hours. Libertel offers ‘split billing’ to its customers: the bill is split between company and employee. Calls and SMSs sent during working hours are charged to the company’s bill. Other events appear on the employee’s private bill. · Transfer of transaction information Information on the transaction needs to be transferred between content or service provider and the network operator, such that this data can be incorporated into the operators billing process. There are no standards for that (yet). · Technical support by commercial billing systems It is not clear to what extent commercially available, telco-grade billing systems are technically able to support the scenario that is presented above. 8.3.3 Example: ISP and Network operator – KPN’s SwitchPoint KPN Telecom offers a service to Internet content and service providers, called ‘SwitchPoint’ that enables charging consumers of content or services through the consumer’s phone bill at KPN Telecom. The service is able to support to types of charging policies: per-minute with an upper bound of € 0.70 per minute, and per-visit (session), with a maximum of € 1.15 per visit. 71 KPN guarantees payment to the provider, also when the consumer is late in paying the phone bill. For the consumer the service comes in three flavours: (1) SwitchPoint Connect, (2) SwitchPoint Direct and (3) SwitchPoint PayTV (the latter focussing on payment for streaming video and/or audio over Internet). In the first case, the consumer needs to install specific 71 G According to KPN Telecom, http://www.kpn.com/ I G A A B P / 2 0 0 1 / D 0 . 1 B 79 software on his PC. This is required only once. The software can be obtained from any site that supports SwitchPoint as Internet payment instrument. The Connect service works as follows. The consumer clicks on a special ‘SwitchPoint’ button on the web site. The SwitchPoint software then disconnects the existing Internet connecting and establishes a direct connection with a server on which the content (or service) resides for which the consumer must pay. The consumer is informed on fore hand about the tariff. After leaving the site the initial Internet connectivity is restored. In the Direct service, no software needs to be installed. The consumer clicks a SwitchPoint Direct button on the web site. He then obtains a phone number, tariff and access code. The consumer calls this number (using any phone, e.g. mobile phone) and enters the access code. If the provided information is correct, he gains access to the web site. The PayTV service also supports charging a fixed fee during a pre-defined period, e.g. a charge of € 1.00 for using the service for four hours. There is also a variant in development, SwitchPoint Prepaid’ in which consumers obtain an access code to a site in advance, e.g. by purchasing a scratch card. The Connect service is most appropriate for consumers that have Internet connectivity through a analogue modem, while the Direct service is specially designed for consumers that have ‘always-on’ connectivity, e.g. using cable, ADSL or company LANs. 8.4 Total solutions for content-exploitation In this section we mention systems that provide wide support for content-exploitation, i.e. they integrate payment functionality with Digital Rights Management (DRM) and copy protection mechanisms. 8.4.1 Magex Magex is a company 72 and a product name. The company positions itself as a ‘commerce enabler’ for mobile network operators, interactive TV (iTV) operators and financial institutions. It started with a financial clearing service for digital goods (and micropayments) that is discussed below. Currently they also target physical goods. Magex is backed by the Royal bank of Scotland Group and has (among others) Mitsubishi and the Universal Music Group as its customer. Magex - the product - is essentially a copyright protection system for content distribution combined with (micro-)payment functions and clearing. That is, Magex collects payments from various consumers of content, from different content providers, in an international setting. Magex acts as a Clearing House in the sense that it pays the content providers or copyright 72 See http://www.magex.com/ 80 G I G A P O R T holders the net amounts. Moreover, it charges each consumer for his total consumption of content. Consumers are currently charged using credit card payments. From a consumer perspective, the major drawback of the Magex system is the requirement to provide Magex with your credit card details. The content protection scheme in Magex consists of a secure DigiBox® container in which the content object is placed. This container can only be opened using a Magex Wallet. The wallet communicates with the Magex clearing house, for the purchase of a key for opening the container. The wallet software is freely available. Third parties that want to access the content also need this wallet software. At time of downloading this software, consumers need to register with Magex, including the provision of credit card details. 8.4.2 Qpass The company Qpass offers the Digital Commerce Service for the sale of content and services over IP networks. This includes Internet, broadband and mobile networks, and the use of several devices, such as personal computers, wireless phones, PDAs and interactive television. Qpass offers a platform that can be used for marketing, sale, and distribution of digital content and services online. This end-to-end solution includes product management and merchandising, campaign management and promotion, distribution, customer care, and transaction processing, billing, reporting and remittance. Customers can outsource these activities to Qpass. The Qpass Digital Commerce Service supports multiple payment options, including all major credit cards, debit cards, ISP-billing, and some network-based electronic money. Qpass integrates this service with its own wallet technology. Qpass claims to have over 500,000 registered, regular users. Among their customers are some influential publishers on the Web, like The New York Times, The Wall Street Journal, the Los Angeles Times, USA Today, Forbes.com and Factiva (a Dow Jones/Reuters Company). 8.4.3 NetBill NetBill 73 was a trial system of Carnegie Mellon University of which CyberCash acquired the commercial rights [Corc99]. The system is account-based: users must first create a NetBill account from which money is debited after a purchase. The purchase itself is recorded in a transaction log of the ‘Money Tool’, client software that verifies whether goods were received intact and that sends a verification message of this to the merchant’s server. 73 G http://www.netbill.com/ I G A A B P / 2 0 0 1 / D 0 . 1 B 81 A generic scenario looks as follows: 1. The merchant’s server sends goods (electronically and) encrypted to the consumer’s machine. 2. The Money Tool checks whether the goods arrived intact. It sends a verification message to the merchant’s server. 3. The merchant’s server sends the verification message, account information and decryption key to the NetBill server. 4. The NetBill server verifies if there is enough money in the consumer’s account. If so, it transfers funds, stores encryption key and sends a report back to the merchant’s server. 5. The merchant sends the decryption key to the Money Tool upon successful payment. If the merchant’s server fails before the completion of the last step, the decryption key can be retrieved form the NetBill server. 8.5 Network-based electronic money schemes Electronic money has been introduced in the 1990s in various forms: as card based electronic cash issued by banks, and as so-called network money, issued by commercial non-financial companies. The first type is discussed in [HiSt01]. It could be used in principal both on Internet and in the physical world. We deliberately say ‘in principal’, since the issuers - the banks - have primarily focussed on the use of electronic money in real life. Only recently, after the failure of the introduction for the physical world (consumers were not eager to use it [FaEc98]), the organisations behind the card-based electronic money schemes are thinking of application of card-based money on the Internet. Network money is electronic money that can only be used on Internet. The success story of network-based money is not impressive: various solutions have been invented and introduced, but hardly any has been able to attract a large user base outside a special early adopter community. DigiCash was an interesting system that enabled anonymous electronic payment. The company filed for bankruptcy however and the technology was taken over by eCash Technologies. Several electronic cash companies went out of business, were taken-over (like CyberCash that dissolved into VeriSign) or sought refuge in another type of business. Ecash is one of the few operational electronic money schemes with a relatively long history. It is used in the 74 Online shop of the Deutsche Bank . Therefore we spend some attention to this type of network-based electronic money below. There is a list of initiatives in the section ‘Payments on the Internet’ in [BöRR99]. 74 See http://public.deutsche-bank.de/global/ui/nav_ec.nsf/frameset/DMEL-47ULWU?OpenDocument 82 G I G A P O R T Ecash Ecash is fully anonymous secure electronic cash for payment on the Internet. Since 1995 several banks and ISPs issue Ecash coins in various currencies. It was initially developed by the Netherlands-based company DigiCash B.V., which filed for bankruptcy in 1998. In 1999 eCash Technologies Inc 75 76 acquired DigiCash’s ‘blind signature’ technology and other assets . eCash Technologies is still operational, although they seem to have broadened their scope. eCash is an open, non-exclusive system, available for implementation by any bank, or use by any bank customer or merchant. An open approach is intended to facilitate wide acceptance by banks, merchants, and consumers. The claim of openness suggests that eCash Technologies has added interbank clearing or exchange of coins from different banks to solve this problem. eCash Technologies provides the payment protocols. For example, they offer the ‘Monneta’ payment suite, which is used by Deutsche Bank 24. The payment service 77 provider Bibit (see Section 5.5.1) will include this product in its platform . Providers make money on eCash by processing transactions and by competing on value-added products and services. In the eCash system, the customer withdraws coins against his bank account. The customer generates the coins. The bank signs the issued coins to make their validity visible to the merchants. The bank subtracts the amount the coins represent from the customer’s bank account. The bank can not see the serial number of the coin it signs. (It is encrypted with the bank’s secret key and can be decrypted with the bank’s public key.) The bank uses a distinct signature for each coin value. The coins are stored in the wallet software on the customer’s computer. The wallet manages the coins and keeps a transaction log. The customer transfers coins from the wallet to the merchant. During the transaction the merchant forwards the coins to the bank to ensure they are valid and not double spent. The coins are then deposited into the merchant’s account. The bank enables the check of double spending by recording all coins that are deposited. Giving each coin an expiry date controls the size of the database, and deleting all expired coins from the database. An extra feature is the possibility of automatic payments, to specific merchants or for specific sums. The payment mechanism is not only suitable for payments from customer to merchant, but also the other way round (refund and payout). Payments from individual to individual are possible, but must go through the bank. The system is not efficient enough for micropayments (see Section 8.6). The system guarantees anonymity of the customer; even merchant and bank together can not identify the customer. To guarantee anonymity, however, it is required to pay exact. The merchant does not remain anonymous; her identity is needed to prove the payment if 75 See http://www.ecashtechnologies.com/ According to ePSO’s Inventory Database: http://www.jrc.es/cfapp/invent/details.cfm?uid=30 77 According to Bibit’s press release of January 3, 2000: ‘Bibit joins Deutsche Bank in suporting payment solutions from eCash Technologies’. 76 G I G A A B P / 2 0 0 1 / D 0 . 1 B 83 necessary. The protocol includes the sending of a payment request that contains the order; this request is insecurely sent. Customer and merchant must be registered with the same bank. Future developments might include interbank clearing or exchange of coins from different banks to solve this problem. In future a scalability problem might arise. 8.6 Evaluation of discussed payment systems We treated various payment systems for use in different contexts in the previous chapters. In this section we briefly evaluate the applicability of the major systems in the current context of exploitation of electronic products, of low value payments (under € 5, recall Figure 2). The payment instruments offered by the financial sector seem to be hardly appropriate for these type of transactions, either by processing and settlement delay, their transaction cost or that they seem to have been designed for a particular payment context. As an example, credit cards are not suitable for adult sites or on-line gambling because card organisations have banned such merchants. The risk for fraud or charge-backs for transactions from such merchants is too large. The most promising solutions are those developed by the telecom sector and ICT industry, for example TrivNet’s WiSP (Section 8.3.1), PayPal (Section 5.2.1) and the Open Service Access platforms in development, like Parlay (Section 2.4), that allow service and content providers to charge to the telecom operator’s billing and pre-paid systems. The latter solution is certainly useful on the mobile Internet. It has not been specifically designed for use on the fixed Internet. We consider KPN’s SwitchPoint Connect service (recall Section 8.3.3) as an intermediate solution as it is most appropriate in situations where consumers have Internet connectivity through a dial-in phone number. The trend is towards always-on solutions. SwitchPoint Direct offers a good solution in that situation. From a consumer’s point-of-view that latter has the benefit that not special software needs to be downloaded and installed. Charging in the SwitchPoint services is limited however to time- and session-/visit-based policies. Electronic money may be playing an important role in establishing payment for low-value electronic content and services in future. To some extent, network-based money has been designed with commercial exploitation of content in mind. Card-based money could play a role if a sufficiently large number of cardholders has card readers and applications that can use the readers and cards for conducting payments over the Internet. Currently, both types of electronic money do not have a promising usage history on Internet (recall Sections 7.4 and 8.5). 84 G I G A P O R T 9 Micropayment systems 9.1 Introduction Apart from network-based electronic money (Section 8.5) developers have designed and implemented various types of systems that can handle low- and micro-value payments, i.e. payments in the range of about € 0.10 to € 5, over the Internet (recall Figure 2). These are typically called micropayment systems. The driver behind these developments was the commercial potential of on-line content in relation to ‘sliced payments’, ‘pay-per-view’, or ‘payas-you-play’ type of exploitation strategies [Herz98]. Let us consider these systems in more detail. 9.2 The problems to solve Designers and operators of micropayment systems must face and solve various problems: Technical challenge The main technical problem is to realise a system that is able to process micro-value transactions with as little delay as possible, with an appropriate level of security, typically depending on the value of the transaction. Therefore, the cost per transactions should be as low as possible. Moreover, any micropayment system must be able to handle a large number of concurrent users. Establishing large transaction volumes is an essential part of a sustainable business case for micropayment systems. A sustainable business case In fact, the main problem with low-value payment systems and micropayment systems in particular has a business nature: making a sustainable business case. The margins on sales will be small for content and service providers. Therefore, the potential revenue per transaction or the price for a periodic fee that an operator of a micropayment system can ask for its payment services is small as well. The fee will be charged to the merchant primarily: consumers are accustomed to payment transactions being free of charge. From the point of view of such an operator, establishing a large customer base in short time (consisting of both providers and consumers) and sustaining this base is essential for its financial well-being. The operator (and the providers) must also seek to create a large active customer base: transaction volume is essential. It seems that the most appropriate business model would be to charge merchants a fixed fee, say per month, combined with a per-transaction charge based upon a percentage of the transaction value. Even if the technical system is able to reduce the cost per transaction to a few cents or even fractions thereof, the operator of the system needs to create huge transaction volumes in order to create some revenue in this way. G I G A A B P / 2 0 0 1 / D 0 . 1 B 85 On the other hand, micropayment systems are fairly complex, from a technical point of view. Therefore they are expensive to develop and operate. [Jong00] mentions a yearly recurring operational cost of about € 50,000. The initial investments to get the system operational will be of an order of magnitude € 500,000. Thus the operator needs a large number of users and a long time period in order to get return on his investments. The operational quality of service problem Micropayment systems must be combined with high quality content delivery services. If delivery is not successfully established, then any call of the consumer to a helpdesk or customer care center will cost a factor 10 to 1000 more than the value of the content that was sold. As Steve Crocker [Croc99] puts it: ‘Customer service becomes a serious burden in the micropayment world.’ If the primary service or content provider decides to provide poor customer care facilities instead, then this may harm his long-term revenue as well. In fact, customers that receive bad quality or want to complain may distribute negative advertisement in their environment, because the appropriate customer care facilities are lacking. This may discourage potential customers or stop established customers from recurring. Thus, it is uncertain whether a large customer base paying a micro-fee is able to provide less cost (and generate return on investment) than the same customer base using the same services or content for free. In the first case the initial fixed costs and recurring costs are higher, because of the more complex ICT systems needed to realise micropayment and optimal quality of service. The expected ‘killer’ for the micro-fee case is the customer care cost however. They potentially wash away any profits the service or content provider could have made so far. It should be noted however, that the absence of significant volume in any of the available micropayment systems makes it hard to predict the actual size of customer care costs and see whether assured delivery is an important way to reduce these costs [Croc99]. 9.3 Potential players Recall that aggregation is the key to any micropayment system. Aggregation of transactions can take place at the content or primary service provider, for example in the token-based systems, or aggregation takes place at the payment system operator, i.e. in the account management system. In the latter case the operator has the choice between pre-paid deposits or post-paid billing solutions for collection from the consumer. In both cases a fairly good relationship between payer and payment system operator is required. The payer must trust the operator in order to make a deposit upfront. In case of post-payment the operator must have some means to act appropriately if the consumer pays late or does not pay at all. In fact, the operator is providing credit. Banks and network operators may be best suited as operators. Deposit taking may even imply that the payment system operator must have a banking licence. Thus network operators must either collaborate with banks or effectively become banks themselves. 86 G I G A P O R T Telecom operators have the advantage over banks and other potential players that they already have systems operational that can be viewed as micropayment systems. The pre-paid and billing systems for fixed and mobile voice communication handle low value telephone call and SMS ‘transactions’. With the advent of 2.5 and 3G mobile networks these systems are adjusted for processing data traffic as well. We expect that the operators of these new networks will play a crucial role in the processing of micro- and low-value payments related to services that third parties deliver over these networks. The development of the OSA Parlay platform (see Section 2.4) supports this expectation. This platform allows these third party service providers to use the operator’s billing and pre-paid systems (among others), which can regarded as quite effective micropayment systems when considering the relatively small charges for phone calls and SMSs. 9.4 Commercially available micropayment systems The technical challenge as mentioned in Section 9.2 can be solved. Various systems have been devised. The most important to mention are IBM Micropayment ([HeYo97], formerly called MiniPay, now part of a spin-off company called NewGenPay), Millicent 78 (from DEC, now Compaq [GMA+95]), and Jalda™ (from EHPT). The latter is more a general purpose API for payment over the Internet that enables to charge an account held at a central Jaldacompliant server, such as Safetrader™ from EHPT (recall Section 5.2.2). CyberCash also developed a micropayment system, called CyberCoin. It slowly disappeared from the market however at the end of the 1990s. None of these system have been really successful. The main problem has been devising a sustainable business model. Only NewGenPay’s micropayment solution seems to be used. A 79 micropayment service provider in the Netherlands, Cartio , is active with pilots within companies. Employees can use the system to pay for content. Although hardly successful we still provide details on the most promising systems, because of the general interest of content and service providers in the capabilities of these systems and helping to understand further the possible reasons for lack of their success. Aggregation is the key to designing a micropayment system [Croc99]. It is therefore key to any of the products mentioned above. Small charges are aggregated before they are settled with payment systems that are efficient in the medium transaction value range, for example credit cards, bank transfers or paper-based invoicing and bill payment. The basic approaches to micropayments are: 78 79 See http://www.millicent.com/home.html See http://www.cartio.nl G I G A A B P / 2 0 0 1 / D 0 . 1 B 87 1. centralised account management, in which a central system efficiently processes (micro-) transfer orders between accounts. These micropayment accounts may be loaded on forehand (pre-paid) or account holders may be charged afterwards. The Jalda-based Safetrader payment server (from EHPT) and the CyberCash system are based on this approach; 2. electronic tokens, which simulate physical coins. The tokens represent (micro-) buying power. The exchange of tokens between user en service provider systems implements the payment function. In this approach the payer needs to buy tokens first. The vendor collects the tokens over time and changes them back to cash or bank money. Millicent is a micropayment system that uses this approach. Network-based electronic money provides another class of examples. 3. credentials, that show that the buyer is able to pay his debts later on. Transactions are logged and forwarded in batch to dedicated (distributed) processing and clearing systems, which also administer the payment obligations for individual payment system users. Aggregation thus takes place at the merchant and in these clearing systems. For many micropayment systems the level of security is such that fraud is more expensive than a purchase. 9.4.1 NewGenPay’s Micropayment solution (former IBM) NewGenPay 80 is a small spin-off company of IBM that continued the development of payment systems and infrastructure for the Internet. They are continuing the development of the former ‘IBM Micropayment’ solution [HeYo97]. We shall call NewGenPay’s solution simply ‘Micropayment’ in the sequel. The following description of the system is partly taken from [Herz98]. The basic idea behind the system is that the bottleneck is communication, not encryption/decryption, and hence communication is minimised. Over 10 transactions per second are supported at the merchant’s; the delay for the buyer is very small compared to the normal time for following a link. The system has a unique architecture that does not require a central organisation or server. Thus it tries to maximise acceptability. The Micropayment protocol distinguishes three types of entities: the content provider, the customer, and billing systems. Content provider and customer may have their own billing systems: a typical billing system for the customer is the Internet Access Provider, a typical one for the content provider his bank or Internet Service Provider. Micropayment allows an additional ‘gateway’ billing server to connect between their billing servers, for scalability. The Micropayment protocol involves two periodic - typically daily - processes. At the beginning of every day, the buyer's wallet exchanges with its billing server the total spending 80 See http://www.newgenpay.com 88 G I G A P O R T for the previous day and once the balance is synchronised, the billing server provides the wallet with a ‘daily credential’. This daily credential proves that the customer is a good customer as of that day; one could think of it as a new plastic card sent from the bank once every day rather than every year or so as common today. When the customer reaches a page with a ‘per-fee link’, this link will display on the browser using the Micropayment plug-in, which makes it appear a bit different from ‘regular’ links - in a rectangle rather than underlined. Furthermore, when the cursor moves over a per-fee link, its shape changes to reflect the fee - to either a cent sign or a dollar sign, where the cent is an amount under a user-defined threshold, and a dollar indicates an amount over that. Other currencies can be used as well. When the user clicks on the per-fee link, the Micropayment plug-in piggybacks a signed payment order, and the daily credential, on the regular request for the link. Note that no new window opens - the user experience is very similar to normal browsing. The Seller software verifies the daily credential and the signature from the buyer. Following that, the seller software decides whether to perform an on-line confirmation with the billing server of the buyer. This decision is based on the total spending by this customer on this day, and a parameter set by the merchant. At the end of the day, an efficient deposit and clearance protocol is run between the seller and the seller's billing server, and among all billing servers. Figure 19 illustrates the protocol. buyer’s billing daily deposits service daily credentials seller’s billing service daily deposits overspending prevention buyer seller payment order Figure 19. IBM Micropayment protocol. Micropayment allows for prepaid as well as credit accounts. It does not offer refund functionality. Micropayment uses an automated compiler tool that transforms HTML to turn normal links into Micropayment links. The seller may therefore use any HTML editor, and may change links from non-paid to paid. The authentication is based on peer-to-peer relationships. It is effective in reducing overheads associated with transactions since it is not compulsory to verify all transactions. This leads to the risk of customer ‘overspending’ since it is possible for a wallet to become empty without the transaction being verified. The developers’ viewpoint is that every party should take its own risks. Hence, a company that wants to prevent G I G A A B P / 2 0 0 1 / D 0 . 1 B 89 overspending must set its own rules for preventing losses such as, for example, checking limits online. Utilising a deposit and clearance protocol which requires all servers to interact could be vulnerable to network outages. Widespread availability of compatible billing systems may also be an issue, as with many billing/payment systems. 9.4.2 Millicent (Compaq) – a token-based system Millicent 81 is a micropayment system developed by Digital Equipment Corporation (DEC), which has been taken over by Compaq. It supports payments ranging from $0.001 to $5.00. It offers functionality for per-access purchase, subscriptions, promotional incentives, advertising rebates, tiered service levels and loyalty programs. It aims at three market segments: 1. Software developers and distributors. Millicent supports sale and rental of Java applets, ActiveX controls, software add-ons and games. 2. Information marketplace. E.g. for selling stock quotes, database queries, articles, research, cartoons, clip art, music and video. 3. Corporate intranets. Meter access to applications, services, databases and information resources. The system uses prepaid accounts that are managed by a so-called ‘broker’, thus reducing credit risk. A user can debit their account in return for so-called ‘broker scrip’, electronic coupons representing a prepaid value. These coupons are stored in a special Millicent wallet in the consumer domain: client software that is part of a Web browser as a plug-in. The consumer can change broker scrip into vendor or service provider specific ‘scrip’ and visaversa at the broker. The wallet also stores the changed scrip before spending. Thus, scrip is comparable to usual cash: both have an intrinsic value, however scrip can only be used with one vendor, unlike cash. Because scrip lacks general acceptance, it cannot be regarded as electronic money however. It should be viewed as ‘tickets’. Brokers will generally sell the scrip of various – but a limited number of – different vendors. The vendor scrip can either be generated by the vendor or by the broker. In the first case, the broker buys a large chunk of vendor scrip and stores it. In the second case, the broker has a license for the production of a specific amount of vendor scrip. The broker makes his money by buying at discount from the vendor and selling at full price to the customers. The broker role can be fulfilled for example by banks or ISPs. 81 http://www.millicent.digital.com/ 90 G I G A P O R T In a transaction the customer sends a purchase request to the vendor, and sends the obtained vendor scrip along. The vendor can validate the payment. This includes a double spending check. For this action he does not need the involvement of a third party. After approval, the vendor returns the purchase and sends the change along (in vendor scrip). The customer can use the change in another transaction with the same vendor. The acquired scrip is stored in the customer’s wallet. The system reduces processing and communication costs by using light-weight encryption: it uses symmetric encryption and a one-way hash function. There are three levels of security during transfer. The protocol for the desired level of security can be chosen. The first level is unsecured, on the second the connection is encrypted, and the third level does not guarantee privacy but protects against theft. Furthermore, verifying accounts through coupons at the vendor’s site reduces the need for a validation server at the broker’s site. Scrip is not fully anonymous: it shows serial numbers. 82 For more information, see the following resources: a paper on the Millicent Protocol , an 83 executive summary , [GMA+95], and also [MaPT97]. We found no information on recent usage of the system in a commercial setting. 9.5 Micropayment standards and standardisation efforts There are only a few standards available, or better: ‘almost standards’, because the activity on their development seem to have been placed on hold at the end of the 1990s. We mention the two most important initiatives in the following sections. Both were initiated by the World 84 Wide Web Consortium (W3C) . Currently W3C has closed its Ecommerce/Micropayment Activity. 85 9.5.1 A Common Markup for micropayment per-fee-links The W3C defined a micropayment task 86 as part of its e-commerce activity. A Micropayment Markup Working Group was created that worked out a specification for the encoding of perfee links in HTML pages [W3C99]. Per-fee links are hyperlinks in a web page that require (micro-) payment in order to be activated. In the W3C’s vision, if a customer clicks on a link requiring a payment, the browser would look for an electronic wallet. The starting point is then a standard way to represent payment information for following hypertext links from Web pages. The ‘Common Markup for micropayment per-fee-links’ specifies especially such a representation. 82 http://www.research.digital.com/SRC/personal/steveg/millicent/millicent.html http://www.millicent.com/works/index.html 84 See http://www.w3.org/ 85 According to http://www.w3.org/Ecommerce/Activity.html 86 See http://www.w3.org/ECommerce/Micropayments/Overview.html 83 G I G A A B P / 2 0 0 1 / D 0 . 1 B 91 The browser can interpret the embedded information to show the cost of each link to the user, and to ask the wallet to make a payment when the user clicks on a link. The browser communicates with the wallet via an Applications Programming Interface (API). When the user makes a payment via the browser, the browser talks to the wallet, and the wallet initiates the payment. This may involve a third party payment server. Some kind of token, or other form of recognition of payment, is sent to the Web server, and the document, image, or other Web resource, is made available to the user. Furthermore, the wallet will keep track of payments and credit. Customer side Wallet 1 Wallet 2 User agent Merchant side Internet (WWW) Per-Fee-Link Handler Web server Wallet 3 Browser Common Markup for per-fee-links Browser-to-wallet API W3C’s focus Figure 20: W3C’s basic micropayment architecture (after [W3C99]). A browser should be able to use multiple wallets in order to support several payment systems. A consumer should be able to access each wallet independently of the browser. Some systems may involve loading of the wallet. This is beyond the scope of the presented architecture. The specification [W3C99] focuses specifically on the flow of information from the Merchant server to the Per Fee Link Handler/Browser, in particular the mark-up of payment information embedded in the HTML page (see Figure 20). The Per Fee Link Handler is a common module that may be implemented as an applet or a browser plug-in. The W3C Micropayments API Working Group aimed to produce an API to transfer the micropayment information, defined in the Web page, to the wallet for processing. The API would be browser- and payment scheme-neutral, thus allowing for different payment mechanisms to be dropped into place as needed. Users would be able to download new payment schemes without further changes to their browsers. No further information on the results of this Working Group were available. 9.5.2 (Draft) Micro Payment Transfer Protocol (MPTP) Already in 1995 the W3C initiated the development of the Micro Payment Transfer Protocol (MPTP). Philip Hallam-Baker created a working draft. After the release of this document 87 on November 22, 1995, no further progress seems to have been made. MPTP implements a variation of the Pay-Word scheme for micropayments proposed by Rivest and Shamir (finally published in [RiSh97]). 87 http://www.w3.org/TR/WD-mptp-951122/ 92 G I G A P O R T Pay-Word uses an account-based approach. Thus, the protocol involves three parties: a Customer who makes the payment, a Vendor who receives the payment and a Broker who keeps the accounts for the parties concerned. The draft only considers a single broker model, implying that both customer and vendor must share the same broker. For further details please consult the W3C working draft. 9.6 The future of micropayment systems Establishing a sustainable business model for the exploitation of dedicated micropayment systems is a major obstacle in the way to success of these systems. Another is the consumer’s willingness to pay per-item, to be ‘nickelled and dime-ed’. Subscriptions compete with a pay-per-item approach. In particular for the content or service provider subscriptions have two major benefits: (1) a guaranteed income, hence predictability, and (2) information on the provider’s customer base. The concept of a micropayment system seems to be biased towards impulsive consumption (recall Section 8.2) and consumer ‘anonymity’ (although not completely). We already pointed out that a large transaction volumes needs to be established before a micropayment system can be exploited profitably. Micropayment systems thus face the typical ‘chicken-and-egg’ type of problem that payment systems in general face: consumers will use the system only if there are sufficiently many interesting products to purchase, while providers of these products will await the moment that the system has a sufficiently large user base. A fundamental question therefore is, ‘…are there sufficiently many interesting products on the Internet (content, services) for which consumers are willing to pay?’ (cf. also [Jong00]). According to [Ston01] there are various reasons why the micropayment concept has not taken up so far. Experts say that consumers do not want it, because they want predictability, i.e. subscriptions, similar to the content and service providers. They also stress the role of the ‘operational quality of service problem’, or ‘customer service trap’ (recall Section 9.2) that makes a profitable business hard to establish. There are also possible sounds to hear however. In France, Minitel is extensively used for about 10 years now, including micropayments. It seems that the SwitchPoint approach (Section 8.3.3) is also quite successful, especially in the adult entertainment segment. Both systems have in common that they are closed systems. There already exists a customer relationship with regard to other services than payment and payment is only possible for content and services of providers that have a specific business relationship with the provider of the payment system. They are not general purpose payment systems within the context of Internet payments. Also Cartio (Section 9.4) seems to first target closed user groups, inside specific companies. The dedicated payment systems that we discussed in this chapter were targeting special payment service providers, focussing on micropayment transactions for general users on the Internet (like the Internet Payment Provider in the Jalda model, Section 5.2.2). We feel inclined to conclude from the discussions above that such a model is not economically G I G A A B P / 2 0 0 1 / D 0 . 1 B 93 feasible in the short or medium term. It will become feasible only when consumers gradually get used to paying for content or electronic services on Internet. We see two ways in which this might happen, which can occur concurrently [HiBi01]. Firstly, card-based electronic money may find its way to Internet for micropayments using general-purpose card readers, e.g. complying to the FINREAD standard (see [HiSt01]). Since financing the distribution of card readers is a major obstruction in getting card-based electronic money on-line, the general-purpose aspect of the card reader is essential in achieving a sufficiently large customer base. It opens an opportunity for other parties than the consumer or financial institutions to subsidise card readers, as they can also be used for e.g. loyalty programmes or authentication on special web sites. Secondly, third party service providers, such as telecom operators, may open their billing (and pre-paid) systems for others. We already mentioned the OSA Parlay initiative at various points. In fact, their billing systems can already be considered as special purpose micropayment systems. It is still a challenge for billing system developers to design and implement systems that are able to deal with charges from various providers, for various services and content. The first steps in this direction have already been made however, and they look promising. 94 G I G A P O R T 10 Conclusions 10.1 Coverage of on-line payment transactions Recall the three payment contexts with which we started this document (Section 1.1, Figure 2): bill payment, electronic commerce and exploitation of electronic products (content and services). The advent of the digital acceptgiro (Section 3.6.1) and the current developments with regard to digital signatures that will enable signing mandates for direct debit on-line, will result in a rather complete set of payment instruments for bill payment that can be used on-line. These instruments will be provided by the financial sector. In electronic commerce there are various payment instruments currently available. Bottlenecks are still formed by cross-border payments and support for ‘direct payment’. The credit card is the main instrument in the first type of transactions, and is also the main instrument in domestic transactions initiated through Internet. However, not all Internet user groups have or even can have a credit card. Other instruments are thus required as well, in particular instruments that realise ‘direct payment’. The architecture of the overall payment system as provided by the financial sector currently inhibits the development of general direct payment systems. The systems that are available use dedicated accounts: consumer and merchant needs to have such an account at the payment system operator, typically a bank. In lower value e-commerce transaction also nonfinancial institutions may be going to play a role. There will be a role for value-adding Payment Service Providers as well: for currency exchange, localisation of the set of payment instruments offered by the merchant to the consumer, for out-sourcing Internet cash register functionality and fraud and risk management functions. Currently there are hardly any Internet payment instruments that support the exploitation of low-value content or services on a per-use basis. General-purpose micropayment services provided by a payment provider are not economically feasible on the short and medium term. We expect card-based electronic money issued by the commercial banks and connected to the Internet by means of a general-purpose card reader to fill the gap, together with (relatively) open access to billing and pre-paid systems of (mobile) network operators. [Hove00] and [FuWr00]argue that ‘on the Internet, the market of interactive pay-per-use services is underdeveloped because of the lack of an efficient payment mechanism for these applications. Stored value systems would provide the payment mechanism required to facilitate payment for such services’ 10.2 Cultural impact Cultural aspects are very important to take into account. Differences in payment culture influence to a large extent the success of introduction of new payment services in a specific G I G A A B P / 2 0 0 1 / D 0 . 1 B 95 country. It may also influence the success of introduction of payment enabling services such as electronic bill presentment. For example, successful US players in the EBP market turned out not to be successful (initially) on the European market. Moreover, a payment service provider as Bibit Internet Payments and a credit management company as Intrum Justitia stress the importance of tailoring their services towards the local, national culture. ‘Think global, act local’. System developers and integrators should also be aware of the cultural differences in executing financial transactions and reporting over such transactions. For example, standards such as ECML, OFX and IFX have been developed with the Anglo-Saxon way of doing business in mind. This may make these standard less suitable for use in other cultural regions, or may even inhibit their use. 10.3 Introduction of new payment services and instruments Application of technology may create new payment instruments. The design and implementation of such new instruments is one, but creating a substantial user base is another problem. According to [BIS99] (Section 4.2), it is the demand from a body of users that drives the development of the payment markets; not the technology however. The challenge with regard to the introduction of new payment services, both on the Internet and the real world, is to predict and promote a change in user behaviour [Econ01]. Such changes seem to be triggered as if by accident: successful examples are the pre-paid mobile phone and the mobile-phone text messaging (SMS). A change in user behaviour does not only relate to the use of the payment instruments themselves, but also usage of the services for which the user has to pay. We mentioned the necessity of a change in user behaviour in order to make electronic bill presentment (and payment) a success (Section 3.6.2). We also mentioned the importance of a change in customer behaviour with regard to payment for content on Internet in relation to micropayments (Section 9.6). 10.4 Telco-finance integration ‘Telco-finance integration’ is a term that has been dropped to indicate the potential merging of the roles of provider of telecommunication services with that of financial services, in particular (mobile) payment. It seems that financial institutions and telecom network operators are competing in this field, with the initiative with the operators. The situation is not as simple as that however. Looking at the various payment contexts that we considered (Section 1.1, Figure 2), competition only seems to take place in the electronic commerce context, and in that context only in the lower end of the transaction value. Medium and high-value transactions will remain to be handled by the financial sector. Consumers do not buy a car with their hand-held. It is a matter of trust. Thus bill payment and the higher end 96 G I G A P O R T of electronic commerce transactions will be paid for by means of instruments provided by the financial sector. The payment instruments that the telecom sector is currently developing aim at supporting content exploitation and low-value commerce transactions. There is hardly any competition with financial institutions in that field, perhaps only with regard to electronic money. The operators may gain an additional source of revenue from such value-adding services. The revenue for financial institutions from processing such low-value transactions is marginal compared to their other business operations. It may even be only a source of additional costs. The only competition that we see is on attracting funds from the public, when using pre-paid accounts for payment of services from other parties than the operator. It may cause consumers to move substantial funds from a bank account to an operator’s pre-paid account. However, the current banking legislation in the Netherlands would see such an activity – using pre-paid deposits for general purpose payments – as an activity for which a banking licence is required. The telecom operator is required to become a bank. In this scenario, there will not be a competition between banks and telecom operators, but between new banks owned by telecom operators and the banks that have been operational for decades. G I G A A B P / 2 0 0 1 / D 0 . 1 B 97 Acronyms ADIF Accounting Data Interchange Format CDR Call Detail Record CEPS Common Electroni Purse Specification DNB De Nederlandsche Bank N.V. EBP Electronic Bill Presentment EBPay Electronic Bill Payment ECML Electronic Commerce Modelling Language EIP Electronic Invoice Presentment EIPP Electronic Invoice Presentment and Payment EJB Enterprise Java Beans EPF Electronic Payment Forum GBA Global Billing Association IETF Internet Engineering Task Force IFX Interactive Financial Exchange IPDR Internet Protocol (IP) Detail Record JEPI Joint Electronic Payment Initiative IRTF Internet Research Task Force M3I Market Managed Multiservice Internet NACHA National (U.S.A.) Automated Clearing House Association OFX Open Financial eXchange PFMS Personal Financial Management System PIN Personal Identification Number VAT Value Added Tax W3C World Wide Web Consortium 98 G I G A P O R T References [AuKa01] Au, Y.A., and R.J. Kauffman, ‘Should We Wait? Network Externalities and th Electronic Billing Adoption’, Proceedings of the 34 Hawaii International Conference on System Sciences, 2001. [BIS96] Bank of International Settlements, ‘Security of Electronic Money’, Basle, August 1996. [BIS99] Committee on Payment and Settlement Systems, ‘Retail payments in selected countries: a comparative study’, Bank of International Settlements (BIS), Basel, September 1999. Available at: http://www.bis.org/. [Böhl01] Böhle, K., ‘The Potential of Server-based Internet Payment Systems – an attempt to asses the future of Internet payments –‘, Background Paper No. 3, Electronic Payment Systems Observatory (ePSO), March 2001 (Working draft). http://www.jrc.es/pages/projects/epso/Docs/Background-3.pdf [BöRR99] Böhle, K., M. Rader, and U. Riehm, ‘Electronic Payment Systems in European Countries; Country Synthesis Report’, IPTO/ESTO, September 1999. http://www.jrc.es/pages/projects/docs/ESTOCSRfinal.pdf. [Cave01] Cave, D., ‘Losing faith in PayPal’, Salon.com, February 23, 2001. Available at: http://www.salon.com/tech/feature/2001/02/23/pay_pal/print.html. [CBS01] ‘De digitale economie 2001’, Centraal Bureau voor de Statistiek, Voorburg, The Netherlands, 2001 (in Dutch).: http://www.cbs.nl/nl/producten/artikelen/bedrijfsleven/algemeen/p-34-01.pdf [CEBP99] NACHA’s Council for Electronic Billing and Payment, ‘An Overview of Electronic Bill Presentment and Payment Operating Models; Process, Roles, Communications, and Transaction Flows’, white paper, National Automated Clearing House Association, April, 1999. Available at http://cebp.nacha.org/. [CEBP01] NACHA’s Council for Electronic Billing and Payment, ‘Business-to-Business EIPP: Presentment Models and Payment Options’, white paper, National Automated Clearing House Association, January 2001. Available at http://cebp.nacha.org/. [Croc99] Crocker, S., ‘The Siren song of Internet micropayments’, iMP (The Magazine on Information Impacts), April 1999. http://www.cisp.org/imp/april_99/04_99crocker.htm [DBG+98] Daswani, N., D. Boneh, H. Garcia-Molina, S. Ketchpel, and A. Paepcke, ‘SWAPEROO: A Simple Wallet Architecture for Payments, Exchanges, Refunds, rd and Other Operations’, 3 USENIX Workshop on electronic commerce, Boston, Massachusetts, U.S.A, August 31 – September 3, 1998. Available at: http://www-db.stanford.edu/~daswani/wallets/. G I G A A B P / 2 0 0 1 / D 0 . 1 B 99 [EaGo99] Eastlake, D. and T. Goldstein, ‘ECML v1: Field Names for E-Commerce’, IETF RFC 2706, October 1999. http://www.ietf.org/rfc/rfc2706.txt [ECB98] European Central Bank. “Report on Electronic Money”, August 1998. http://www.dnb.nl/betalingsverkeer/index.htm. [ECB01] European Central Bank, Payment and securities settlement systems in the European Union, Blue Book, European Central Bank, June 2001. Available at: http://www.ecb.int/pub/bluebook/bluebook.htm. rd [Econ01] Anonymous, ‘Dreams of a cashless society’, The Economist, May 3 2001. Available at: http://www.economist.com/ [ECP00] ‘Betalen op Internet: Keuzemogelijkheden met de Nederlandse betaalsystemen’, Electronic Commerce Platform Nederland (ECP.NL) / Nationaal Chipcard Platform, Leidschendam, January, 2000. http://www.ecp.nl/publicatie/publicaties/betalen_op_internet.pdf [ETSI01] European Telecommunication Standards Institute, Open Service Access; Application Programming Interface; Part 12: Charging, Draft ETSI ES 201 915-12 V0.0.0, August 2001. [FaEc98] ‘Keep the change’, The Economist, November 21, 1998, pp. 77-78. [FuWr00] Furche, A., and G. Wrightson, ‘Why do stored value systems fail?’, Netnomics, Vol. 2, Nr. 1, 2000, pp. 37-47. [GMA+95] Glassman, S., M. Manasse, M. Abadi, P. Gauthier, and P. Sobalvarro. ‘The Millicient protocol for inexpensive electronic commerce’, in World Wide Web Journal, Fourth International World Wide Web Conference Proceedings, O’Reilly, December 1995, pp. 603-618. [Herz98] Herzberg, A., ‘Safeguarding Digital Library Contents – Charging for Online Content’, D-Lib Magazine, January 1998, (ISSN 1082-9873). Available at: http://mirrored.ukoln.ac.uk/lis-journals/dlib/dlib/dlib/january98/ibm/01herzberg.html [HeYo97] Herzberg, A. and H. Yochai, ‘IBM Micropayment: Charging per Click on the Web’, th 6 WWW Conference, Santa Clara, California, April 1997. [HiBi01] Hille, S.C. and F. Biemans, ‘Elektronische dienstverlening zit vast op betalingsprobleem’, Automatisering Gids, jrg. 35, nr. 48, November 30, 2001, p.15 (in Dutch). [Hill00] Hille, S.C., ‘Legal and regulatory requirements on accounting, billing and payment’, GigaABP project deliverable D1.4, Telematica Instituut, November 2000. Available at: https://extranet.telin.nl/docuserver/dscgi/ds.py/View/Collection-1259 [HiSt01] Hille, S.C. and P. van der Stappen, ‘Backgrounds on the Dutch payment system; Organisations, infrastructure, systems and services’, GigaABP project deliverable D0.1a, Telematica Instituut, Enschede, December 2001. Available at: http://gigaabp.telin.nl/ (‘Publications’). 100 G I G A P O R T [Hove00] Hove, L. van, ‘Electronic Purses: (Which) Way to Go?’, First Monday (Peerreviewed journal on the Internet), Vol. 5, Nr. 7, July 2000. http://www.firstmonday.org/issues5_7/hove/index.html [Hovi01] Hovinga, M., “Betaalmiddelen op Internet: Cruciale schakel voor e-commerce”, Controllers Magazine, January/February 2001. [JBHS01] Jonkers, H. (ed.), A. Bakker, S.C. Hille, R. Stap, ‘A fexible architecture for interdomain accounting, billing and payment’, GigaABP project deliverable D1.1, Telematica Instituut, Enschede, work in progress. [JHTW00] Jonkers, H. (ed.), S.C. Hille, A. Tokmakoff, and M. Wibbels, ‘Taxonomy of Accounting, Billing and Payment Concepts’, GigaABP project deliverable D1.2, Telematica Instituut, Enschede, April 18, 2000. (TI/RS/2000/021). Available at: http://gigaabp.telin.nl/ (Publications). [JHTW01a] Jonkers, H. (ed.), S.C. Hille, A. Tokmakoff, and M. Wibbels, ‘A functional architecture for the financial exploitation of network-based services’, GigaABP project deliverable D2.1, Telematica Instituut, Enschede, January 12, 2001. (TI/RS/2000/132). Available at: http://gigaabp.telin.nl/ (Publications). [JHTW01b] Jonkers, H. (ed.), S.C. Hille, A. Tokmakoff, and M. Wibbels, ‘A functional architecture to support commercial exploitation of Internet-based services’, in W. Winiwarter, S. Bressan and I.K. Ibrahim (eds.), Third International Conference on Information Integration and Web-based Applications and Services (iiWAS 2001), Linz, Austria, September 2001, pp. 277-288. [JST+01] Jonkers, H. (ed.), R. Stap, A. Tokmakoff, A. Bakker, S.C. Hille, and M. Wibbels, ‘Metering and Reporting of Application Usage’, GigaABP project deliverable D1.2, Telematica Instituut, Enschede, work in progress [Jong00] Jongeneel, Ch., ‘Microbetalingen schuiven stilaan uit beeld’, MNET, Number 14, September 2000, pp. 30-33. [Krue01] Krueger, M., ‘The Future of M-Payments – Business Options and policy Issues’, Institute for Prospective Technological Studies (IPTS), first draft of Background Paper No.2, Electronic Payment Systems Observatory (ePSO), March 2001. http://epso.jrc.es/Docs/Background-2.pdf [LGKV00] Lelieveldt, S., J.M. Groeneveld, S. Kaatee, A. Visser, Elektronisch betalen, e Afrekenen met een verleden, Financiële & Monetare Studies, 18 jaargang, Nr.2, Wolters Noordhoff, 2000. (ISSN 1383-7656) [Lita00] Litan, A. ‘Consumer E-Bill-Payment: Built, But When Will They Come?’, Gartner Group Research Note, February 28, 2000. [MaPT97] O’Mahony, D., M. Peirce and H. Tewari, Electronic Payments Systems, Artech House, Boston, 1997. (ISBN 0-89006-925-5) [Mari00] Marino, J. ‘Online Bill Payment: Not If but When’, in Network Magazine: strategies and solutions for the network professional. Vol. 15, 2000, afl. 11, pp. 62-69 G I G A A B P / 2 0 0 1 / D 0 . 1 B 101 [Mobe01] Kanniainen, L.(ed.), ‘The Preferred Payment Architecture; Technical Documentaition. Requirements for manufacturers and standardization bodies’, Mobey Forum, Version 1.0, July 2001. Available at: http://www.mobeyforum.org. [OMPT97] O’Mahony, D., M. Peirce, H. Tewari, Electronic Payment Systems, Artech House, Boston, 1997. (ISBN 0-89006-025-5). [OSS+98] Ouren, J., M. Singer, J. Stephenson, and A.L. Weinberg, Electronic bill payment and presentment. The options for banks are becoming clear. The McKinsey Quarterly 1998, number 4, pp. 98-106. [RiSh97] Rivest, R.L. and A. Shamir, ‘PayWord and Micro-Mint – Two Simple Micropayment Schemes’, Lecture Notes in Computer Science, Vol. 1189, 1997, pp. 69-88. [SFPW99] Stiller, B, G. Fankhauser, B. Plattner and N. Weiler. Charging and Accounting for Integrated Internet Services. INET’98 Proceedings, http://www.isoc.org/inet98_proc/3e/3e_2.htm. [Stef00] Stefanova, M., ‘OFX - Description of Open Financial Exchange Standard’, Giga Transaction Services, 2000. [Stei98] Stein, Web Security – A Step by Step reference Guide, Addison Wesley Longman,1998. [Ston01] Stone, A., ‘Paying for Stuff (Part Two): Why Micropayments Won’t Work’, Internet.Com, April 30, 2001. http://www.mcommercetimes.com/Industry/117 [ToWi00] Tokmakoff, A. (ed.), and M. Wibbels, ‘Description of experimental results’, GigaABP project deliverable D3.1, Telematica Instituut, Enschede, November 17, 2000. (TI/RS/2000/101). Available at: http://gigaabp.telin.nl/ (Publications). [ViGo97] th Visser, H. and L. van Goor. Inleiding tot het geld- en bankwezen. 4 edition, Academic Service, Schoonhoven, 1997. (ISBN 90 5261 197 1). [W3C99] W3C Micropayment Markup Working Group, ‘Common Markup for micropayment per-fee-links’, W3C Working Draft, 25 August 1999. (Editor: Thiery Michel). http://www.w3.org/TR/1999/WD-Micropayment-Markup-19990825 [Webe98] Weber, R., ‘Chablis – Market Analysis of Digital Payment Systems’, Technical University Munich, Munich, August 1998 (TUM-I9819). Available as on-line HTML document: http://medoc.informatik.tu-muenchen.de/Chablis/MStudy/ [Wibb01] Wibbels, M.,‘Design and implementation of a generic accounting, charging and billing system’, GigaABP project deliverable D4.2, Telematica Instituut, Enschede, 2001, work in progress. 102 G I G A P O R T Index Definition IP gateway A Acceptgiro Digital 29 25 52 J Java Wallet 61, 62 B Bill Definition 27 25 L 70 94 67 47 30 66 M Late payment Local loop 25 76 C Calculator Card reader Card Validation Code Cash on delivery Customer Relations Management CyberCash D Digipass Direct payment Dual-chip phones Dual-slot phones 71 18 21 21 Magex Micropayment system Millicent Mobile Pay Mobile payment Paybox WAP 80 85 90 21 96 22 22 O One-time card number Open Financial Exchange Open Service Access 65 40 23 E e.dentifier 70 E-billing 30 EBPP 33 Ecash 83 ECML 61 EIP 33 EIPP 33 Electronic Bill Payment 30 Electronic Bill Presentment 30 Electronic Bill Presentment and Payment 30, 33 Electronic Commerce Modelling Language 61 Electronic Invoice Presentment 33 Electronic Invoice Presentment and Payment33 Electronic money 47 Electronic purse 57 Electronic wallet 57 Architecture 61 Standards 61 e-purse 57 E-wallet see Electronic wallet F FINREAD 94 G Gateway issues GiSMo GlobalCollect 52 69 50 P Parlay Paybox Payment Streaming media Payment gateway Payment Service Provider Private Communications Technology Purse 23 22 79 52 52, 53 67 57 Q Qpass 81 R Reconciliation Recurring biller 26 44 S Secure Socket Layer 66 SET Wallet 57, 58 Split billing 79 SSL See Secure Socket layer Statement 25 SWAPEROO 61 SwitchPoint 79, 84 T Telco-finance integration 96 I Invoice G I G A A B P / 2 0 0 1 / D 0 . 1 27 B 103 U Unattended point-of-sale 71 WAP gateway 52 WASP see Wallet Application Service Provider WiSP 77 W Wallet Application Service Provider 104 63 G I G A P O R T