A comparative study of card-not-present e-commerce architectures with card schemes: What about privacy?

The Internet is increasingly used for card-not-present e-commerce architectures. Several protocols, such as 3D-Secure, have been proposed by card schemes or academics. Even where they are deployed in practice, these solutions are not perfect with respect to data security and users' privacy. In this paper, we present a comparative study of existing card-not-present e-commerce solutions. We consider the main security and privacy trends in e-payment in order to make an objective comparison of the existing solutions. This comparative study illustrates the need to consider privacy in deployed e-commerce architectures. This has never been more urgent than with the recent release of the new 3D-Secure specifications.
