As with all commerce, payment is the foundation of any trade.  One fundamental observation in commerce is that it is insufficient for merchants and their customers to have just a secure payment system.  It is necessary for the system to also be stable and reliable.  To this end, a dependable and secure Internet payment mechanism becomes an imperative for electronic commerce (e-commerce). 

Having bought into the idea that the Internet has changed the way business is done, people are rushing into the dot-com world of e-commerce.  While it may be true that the Internet promises a new place for commerce, it also comes along with a slew of new problems.  “Despite the hype, commerce on the Internet has suffered from the lack of readily available and appropriate payment mechanisms.”  Even with the rapid pace of change in Internet technology, this 1996 statement remains true today.  While the architecture of universal payment systems continues to be developed, many proprietary Internet payment methods are filling the immediate needs.  The specific payment system to be examined in this report is the Bank Internet Payment System (BIPS). 

From the historic trading of Venice to the eBay auctions of today, the method of payment has been the center of all commerce.  When a trade involved merely exchanging objects, the method of payment was direct — namely the objects themselves.  As trade became more complex, currency was developed as an intermediate and portable method by which both parties of a trade could overcome the inconvenience of exchanging physical objects.  Currency quickly became the standard payment method. 
Over the last few decades, cash, checks, and credit cards have become the most important payment methods.  Many business systems today still operate on the same fundamental principles.   These payment principles are now being used on the Internet, yet retain the same characteristics.  The Internet offers the hope that commerce will become more efficient and effective.

Overview of Payment Mechanism

One of the most important Internet based payment functions is the enabling of consumer-oriented activities on the Internet, such as purchasing goods and services or paying bills.  Payment systems also enable business activities such as invoice payment, cash management, supply chain settlement, and procurement.  There are many emerging payment systems that are currently available and are designed to provide payment transactions over the Internet. The two general categories of Internet payment systems are those that are similar to payment instructions and those that are more like digital money transfers.  

A payment instruction is a verbal or written order to initiate a payment transaction.  The user of a payment instruction never actually takes possession of the money; instead, financial intermediaries transfer the money on behalf of the user.  If this category were compared to the current ‘off-line’ methods of making payments, a few examples would include electronic funds transfers (EFT), direct deposits, and debit /credit card transactions using point-of-service (POS) terminals.  It should be noted that instead of creating a revolutionary new type of payment, these systems tend to leverage existing payment infrastructures and methods such as the Federal Automated Clearing House (ACH) and the credit card network.  The Bank Internet Payment System (BIPS), developed by the Financial Services Technology Consortium (FSTC), provides a specification for a protocol and secure server for banks to enable their customers to initiate payment instructions over the Internet.  Yahoo! PayDirect, a service that allows customers to send and receive money on-line, is an example of this category. 

A digital money transfer is a payment mechanism that empowers the consumer to take possession of the electronic money from a bank account or credit card, and store the monetary value on a piece of hardware (i.e., a PC, cell phone, or personal digital assistant, or smart card).  Once consumers take possession of the ‘electronic cash’ they are able to transfer the value to another party — a consumer, bank, or vendor — over the Internet.  For example, CyberCash, Inc. is the world’s leading provider of Internet payment card services and electronic payment software.  Smart cards are used to store electronic cash.  Each time the card is used, a unique ‘digital signature’ is generated by a microchip on the card.  This allows cash to be sent and received electronically.  Table-1 is a list of some of the current payment methods, highlighting their advantages and disadvantages.

Table-1: Payment Methods

Traditionally, each of these payment methods is handled by a different system.  For example, credit cards are handled by a POS system while EFT’s are processed by the ACH.  In the Internet environment, a universal payment system (UPS) can be developed to support all types of payment transactions.

Internet Based Payment Systems

Some examples of current banking systems that are mostly disconnected from the Internet include the CD public network, ARS public networks, and SWIFT network for international banking.  Most of the Internet payment systems today provide for traditional banking and financial services over the Internet.   There are three scenarios for Internet based payment systems:

1. The payor’s bank offers services on the Internet but the payee’s bank has no Internet connection.  The payor can transfer money or pay by credit card on the Internet.  Once the payor’s bank gets the data from the Internet through UPS, then transfers the money through the inter-bank network and clears through the existing clearing system (see Figure-1).  This payment system supports only credit card transactions and EFT without on-line (real-time) verification.

Figure-1.  Only Payor’s bank connected to the Internet

2. Both the payor’s and the payee’s banks are connected to the Internet through their UPS front-ends (Figure-2).  In this scenario, clearing is still performed through the existing inter-bank network and clearing system.  If there is an agreement between both banks, in addition to credit card and EFT, electronic checks and notes are possible with on-line verification.  However, the clearing is still not on-line and hence the clearing of the payment would be delayed.

Figure-2.  Both banks with Internet connection

• Both the payor’s and payee’s banks are connected to the Internet with a new Internet based clearing system (Figure-3).  This makes the Unified Payment System possible.  With UPS, instantaneous payment clearing can be supported.  The transaction flow is shown in Figure-4.  Imagine Business to Consumer (B2C) transactions being performed with a ‘digital wallet’ communicating with a ‘virtual cash register’ in a cyber shop!

Figure-3.  All connected to the Internet

Figure-4.  Universal Payment System Transaction Flow

The Bank Internet Payment System (BIPS)

Founded in 1993, the FSTC is a not-for-profit research organization of banks, financial service firms, industry partners, national laboratories, universities and government agencies.  BIPS is a specification sponsored by FSTC providing a framework for banks to extend their traditional role of trusted agent for their customers on the Internet.  This specification is designed to connect current bank payment mechanisms to users over the Internet.  It applies existing standards and technologies where possible and includes new development only where there are gaps in existing Internet protocol and bank systems.  The BIPS project provides a non-proprietary protocol for sending payment instructions safely over the Internet.  It also includes a specification for a payment server to enable the processing of the payment instructions and a set of working prototypes that validates the specification.  The BIPS specification was developed by individuals from companies like Mellon Bank Corp.,  @Work Technologies, NCR, Glenview State Bank, Compaq, Fujitsu Research Institute, Concept Five Technologies, Citibank, The Open Group, FSTC, government agencies like the National Security Agency, Department of Treasury, and National Automated Clearing House Association.

Glenview State Bank, Mellon Bank, and Citibank were the early adopters of the BIPS implementation.  The BIPS system architecture (Figure-5) provides an easy access to existing bank payment processing systems over the Internet.  The components to support this system architecture are:

• A Network Payment Protocol (NPP) that provides the communication of payment instructions between customers and banks.
• A BIPS Server (EPH – Event Processing Handler, PSI – Payment System Interface) that handles all payment requests from customers over the Internet and routes payment transactions to the appropriate bank payment systems.
• A BIPS client application that sends payment instructions and receives acknowledgement with the BIPS Server using NPP.

Figure-5.  BIPS System Architecture
A typical BIPS system implementation with the bank payment system model is shown in Figure-6.  There are two types of BIPS transactions, Push and Pull activities.     

Figure-6.  A Typical BIPS Implementation

The party whose account is to be debited, initiates a push transaction.  Funds are ‘pushed’ from the originator’s account to the recipient’s account.  In ACH payments, this type of transaction is called ‘credit originations’ since a credit file is sent to the receiving depository institution on behalf of the payor.  Payroll, investment dividends, and Social Security are common examples of traditional push payments.  Yahoo! PayDirect supports push payments. 

Conversely, the party whose account is credited initiates a pull transaction.  Funds are ‘pulled’ from the payor’s account into the payee’s account.  In ACH payments, this type of transaction is called ‘debit originations’ since a debit file is sent to the receiving depository institution on behalf of the payee.  Examples of pull payments are pre-authorized direct withdrawal of utility bill payment, car payment, or mortgage payment.  With the recent approval of the digital signature rule, setting up pull payments over the Internet is now possible.

BIPS transactions are based on a request and response message model.  Network Payment Protocol (NPP) provides a standard for BIPS messages.  Some of the messages are Payment Request/Response, Feasibility Request/Response, Status Request/Response, and Stop Request/Response. Below is an example of BIPS message flows: 

Figure-7 An example of BIPS message flows
In this example, a BIPS user sends a Feasibility Request to find the best method to initiate a payment.  The response from the bank may provide a list of options.  Once the best option is determined, the user sends a Payment Request to instruct the bank to make the payment.  Acceptance is sent back to the user as an acknowledgement.  At a later stage, the user can check the status of previously sent Payment Requests, using a Status Request message.
For whatever reason, a Stop Request message can be sent by the user to terminate a previously requested payment.

Since NPP is implemented using the Extensible Mark-up Language (XML) messages are easily embeddable in e-mail or web-based data transfers.  However, neither e-mail systems nor web-based systems interpret the NPP messages they are merely a transport mechanism.  These messages are passed through to the BIPS server for handling (Figure-8).  In addition, Appendix A lists use cases for these NPP messages.   

Figure-8  NPP Messages in BIPS

While NPP can support the encryption of payment-critical fields within each message, the primary security of BIPS comes from the underlying Internet transport mechanisms.  In web-based systems, this is normally SSL or HTTPS. Email security is usually provided by PGP or S/MIME.

Authentication is one of the security features any Internet based payment system must handle effectively.  BIPS supports authentication through the use of digital certificates as defined in the ISO X509 standard.  A BIPS client will receive a digital certificate from the BIPS-enabled bank or a third party (such as VeriSign, Inc.).  This digital certificate is embedded in every BIPS message as a means of identification. 

The integrity of the content of a BIPS message is another security feature that must be handled properly.  BIPS must be able to determine that a received message has not been altered which is achieved through the use of a digital signature.  The message is then encrypted using a public-key algorithm and sender’s private key.  Each message has a unique digital signature derived from the message itself.  Any change to the message during communication would produce a different digital signature.  With this public-key system, the integrity of any BIPS message can be verified.  Through this digital signature and an event log, BIPS supports non-repudiation making it possible to verify whether a request was actually sent.  

Other security features used by BIPS are:

• Isolating physical access to BIPS hardware such as the BIPS server computers.
• Isolating electronic access to prevent unauthorized remote logins.
• Detecting and preventing hacker threats by monitoring BIPS audit trails, limiting access to certain resources from the outside of the firewall, having a virus detector, and using active intrusion detection.

The Future of Internet Payments
The current Internet payment systems mostly provide traditional banking or financial services over the Internet.  In the USA, all transactions are denominated in dollars and cents.  However, with the massive size of the Internet, customers may be able to purchase goods at a fraction of a cent.  These purchases can be for a music recording, news article, game-playing time, and etc.  In addition, one must carefully monitor the cost of the transactions relative to the amount of revenue generated.  Future Internet payment systems must be able to handle these types of ‘micropayments’. 

With the concept of the digital wallet, the use of credit cards over the Internet may become obsolete.  Both consumers and on-line vendors can agree to use a digital wallet vendor as a payment intermediary or escrow service.  Instead of providing a credit card number, a customer can simply charge the purchase to the digital wallet vendor.  The digital wallet vendor holds all the credit card or bank account details for the actual fund transfer to take place.  Moreover, if this digital wallet vendor is the user’s Internet Service Provider (ISP), then no confidential financial information has to be provided since the ISP already has such billing information.  It would be an added benefit for the consumers to deal with a single bill for all purchases including the monthly ISP service charge.  Additionally, there are new models for digital wallets, such as:

• iPIN (http://www.ipin.com), both consumers and content providers register with iPIN, but purchases are totaled over a month and added to the consumer’s ISP bill.
• WiSP by Trivnet (http://www.trivnet.com), enabling “an entire base of users — at an ISP or telco — at once with our WiSP service.  For users, WiSP is free and requires no registration or software, because our service resides with the ISP or telco.”
• Just In Time Solutions (http://www.justintime.com), used by telecommunications, credit card, insurance companies, and other similar institutions to electronically deliver bills and collect payments via the Internet.

Cross border Internet payment transactions are an important topic for e-commerce.  Government regulations, exchange rate, clearing/settling fund, liability, and security export control are the major issues.  Currently, banks and financial institutions use only wire transfer, which uses the SWIFT network, intermediary bank, or the Federal Reserve Bank to support international payment from U.S. accounts to oversea accounts. 

Conclusion
The Internet payment system is one of the most important functions in e-commerce.  Today there are many proposals and implementations that enable consumers to shop and pay bills on-line.  It is not possible to capture all the latest developments on this topic since they are still emerging and constantly changing.   What has been covered in this report is merely a high-level view of the Internet Payment landscape. 

Instructional payment and digital money transfer are the two categories of payment mechanism used over the Internet today.  In the instructional payment category, there are three general scenarios of Internet payment system configuration.  BIPS was reviewed as a practical example of a real-life Internet payment system specification, which has been adopted by many banks and financial institutions.  Although no ‘physical world’ payment system can satisfy all needs for all consumers, the Internet presents an opportunity to develop a Universal Payment System, which will address many of these needs.

Regardless of dot-com boom or bust, e-commerce will continue to grow.  The Internet payment system will also continue to evolve.  The digital money transfer payment mechanism will go beyond digital wallets.  Many new models of digital wallets (which may no longer be called digital wallets) will be introduced.  Micropayments will enable new Internet trade opportunities for vendors to collect payments regardless of the value of the sale.  With all these interesting activities going on in the area of payment mechanisms, will paper money someday be eliminated?  Only time will tell.

References

Sung, K., “Analysis and Design of the Internet Based Payment System”, Korea Advanced Institute of Science and Technology

FSTC Projects – BIPS, “Bank Internet Payment System Specification 1.0”, 1998

Short, S. G., “Beyond Digital Wallets”, Econtent, April, 2000

VeriSign, “Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services”