An Efficient Secure Electronic Payment System for E-Commerce

Md Arif Hassan

Zarina Shukur

Mohammad Kamrul Hasan

Center for Cyber Security, Faculty of Information Science and Technology, National University Malaysia (UKM), UKM, Bangi 43600, Selangor, Malaysia

Computers 2020, 9(3), 66; https://doi.org/10.3390/computers9030066

Submission received: 8 June 2020 / Revised: 20 June 2020 / Accepted: 22 June 2020 / Published: 27 August 2020

Abstract

E-commerce implies an electronic purchasing and marketing process online by using typical Web browsers. As e-commerce has developed quickly around the world, particularly in recent years, many areas of life have been affected, particularly the way individuals conduct their financial and non-financial transactions. In electronic payment, or e-commerce payment, the gateway is a major component of the structure that assures that such exchanges occur without disputes while maintaining the common security of such systems. In most Internet payment gateways in e-commerce, the customer's monetary information is sent directly to the payment gateway, acting as a trusted third party. Nonetheless, it is recognized that the cloud Web server is not considered a protected entity. This article aims to develop an efficient and secure electronic payment protocol for e-commerce in which consumers can connect directly and properly with the merchant. Interestingly, the proposed system does not require the customer to input his/her identity on the merchant's website; the customer can hide his/her identity and use a temporary identity to perform the service. It has been found that our protocol has much improved security effectiveness in terms of confidentiality, integrity, non-repudiation, anonymity, availability, authentication, and authorization.

1. Introduction

E-commerce was introduced to the consumer and business worlds as a unique approach in 1990 [1]. E-commerce has expanded since then and improved enormously, giving the world's customers and companies incredible benefits. E-commerce history is closely linked to Internet history. When the Internet was opened to the public in 1991, online shopping was made possible [1,2]. E-commerce is characterized as a primary business model by means of the selling process of goods, the purchasing of resources, and the distribution or exchange of items, services, and knowledge over the Internet [3]. E-commerce can be used with mobile payment systems, which allow customers to pay for their shopping by using smartphones [4,5]. Mobile business is a major e-commerce extension that enables customers with wireless handheld devices, e.g., tablets, smartphones, and laptops, to carry out online commercial transactions [6]. E-commerce is becoming very popular nowadays since the customer can shop from home; solutions are affordable, with items delivered to the home with no hassle. The popularity of e-commerce is mainly because of its online business perspective. It makes it possible to buy and sell goods online, to provide various services and information through the Internet, and to exchange money immediately between businesses [7]. Many individuals are excited about obtaining their own online website for their company, as it is possible to market items online around the world. Customers are also interested in online shopping since they do not wish to waste valuable time shopping. E-commerce implies an electronic purchasing and marketing process online by using typical Web browsers. It is also described as the selling and buying of services or goods through wireless technology. Developed nations tend to be more acquainted with such systems, whereas Internet shopping is exploding in developing nations.
The foremost goals of an electronic payment system are increasing efficiency, improving protection, and improving customer convenience and ease of use.

In the electronic payment system, the payment gateway is an essential component of the infrastructure that confirms that such exchanges happen with no concerns and ensures that the common security of electronic systems is maintained [8,9]. Such a system helps secure a purchase along with a person's transaction information. A payment gateway defends transaction information by encrypting personal information, such as credit/debit card details, to guarantee that information is transferred securely between a consumer and the transaction processor. Each online exchange should go through a managed transaction gateway. The secure electronic payment structure includes four system segments [10]. The interaction between the segments operates through protected communication tunnels. Secure communication tunnels offer a protected method of interaction between two or more people, or between segments, such as the buyer and the merchant, on the transaction gateway. The e-payment system must be safe for the participants in an online transaction, for instance, the payment gateway server, the bank account server, and the merchant server.

This paper is divided into six sections. Section 1 introduces electronic payments and their related study. Section 2 includes an overview of the existing system and the formulation of the problem. Section 3 describes the RSA cryptosystem. Section 4 addresses how the model will be implemented. Section 5 discusses the security analysis and proposed method advantages. Finally, the last section presents the conclusions and future work.

2. Literature Review

Electronic payment systems have continued to grow over recent years because of the increase in online banking and shopping. As the world advances with technological developments, we are able to see the growth of e-payment methods and transaction processing devices. A payment gateway is a service provider that offers the means to process a transaction between buyers and merchants, along with banks, over the World Wide Web. It helps secure a purchase along with a person's transaction information within a transaction. A payment gateway defends transaction information by encrypting sensitive information, to guarantee that the information is transferred securely between a consumer and the transaction processor. To make the communication between each element secure, particularly between the client and the Internet payment or merchant gateway, a few strategies are recommended. Specifically, online buyers have to feel confident that their personal information and banking details are protected and cannot be seen by hackers. Thus, a secure connection is needed to assure payment transactions. Identity theft and phishing fraud are the two most common types of fraud found in online stores [11].

To mitigate both types of fraud, a new secure electronic payment gateway offering authorization was proposed by Izhar et al. [12]. The main objective of this method was to provide authorization, confidentiality, integrity, and availability for transactions. In their study, the authors utilized the Triple Data Encryption Standard (TDES, more often referred to as 3DES) cryptosystem to encrypt the transaction information and achieve a greater speed of transactions within the payment gateway. The 3DES algorithm applies the Data Encryption Standard (DES) cipher three times to encrypt its information. DES is a symmetric key algorithm based on the Feistel cipher [13]. As a symmetric key cipher, it uses the same key for both the encryption and decryption processes. The Feistel structure makes both processes almost identical, which results in an algorithm that is easier to implement. DES has both a 64-bit block and a 64-bit key size but, in practice, provides only 56 bits of security [13]. 3DES was created as a safer option because of DES's short key length. In 3DES, the DES algorithm is run three times with three keys and is regarded as secure provided that three independent keys are used. To protect sensitive cardholder information during transmission, good cryptographic and security protocols must be used. They encourage cryptographic libraries, such as certified AES and 3DES [14]. However, the most recent improvement, referred to as AES, is slow. Therefore, 3DES is safer and faster [12]. Another popular cryptosystem used in payment systems [15] is RSA. An RSA e-commerce security system (RSA-ESS) is implemented in [16], which resolves the security and privacy issues of credit card information in e-commerce transactions. In such systems, RSA is used to encrypt the transaction information and achieve greater speed in e-commerce transactions. This method is only used for the privacy and security of payment information.
A study of the privacy and security of the e-banking adoption approach can be found in [17], where the authors proved a secure model of trust in an electronic payment system. Figure 1 shows the functional flow of a payment gateway.

A related review of online banking security and privacy issues in Oman can be found in [18]. A secure and privacy-preserving electronic payment approach can be found in [19], where the authors proposed electronic tokens as an abstraction of basic fiat currency of equivalent value in order to provide privacy and protection in digital payments, introducing an intermediate entity into the method that mediates a transaction between the payer and the payee. A software tool to investigate distributed guessing attacks in the payment transaction process is implemented in [20]. In this study, the authors found that remote Internet banks and merchants with their own individual security policies cannot protect against such attacks. Thus, the number of guessing attempts is restricted to prevent repeated invalid attempts within a particular time span, and the postal code is checked to identify invalid address information against that stored by the card-issuing bank. To obtain credit/debit card details, an adversary is able to use a web merchant's transaction page in order to guess the data: the merchant's reply to a transaction attempt will reveal whether the guess was correct.

A secure electronic payment gateway for a secure e-payment approach can be found in [21]. In that system, a consumer's monetary information is delivered straight to a transaction gateway, known as a Trusted Third Party (TTP), rather than through the Internet merchant. The method uses Secure Sockets Layer (SSL) with RSA to protect the additional connection in the payment process. A similar RSA algorithm-based universally unique identifier approach is used to avoid fraudulent activity in e-commerce in [22]. An efficient e-payment protocol for the mobile environment is proposed in [23], where mobile consumers can link directly with the merchant. Presently, numerous techniques are utilized for e-commerce payment systems. In this area, we briefly discuss three existing forms of e-commerce payment. A secure e-commerce protocol is explained here, which is a modified form of the efficient e-payment protocol for mobile users proposed in [23]. The existing systems and their proposed properties are summarized in Table 1.

3. RSA Cryptosystem

RSA was designed and created by Ron Rivest, Adi Shamir, and Leonard Adleman around 1978 [25]. It is probably the best-known cryptosystem for digital signatures and key exchange, or for enciphering blocks of information [26]. The RSA algorithm is the basis of a cryptosystem (a suite of cryptographic algorithms that are used for special purposes or for specific security services) that provides public-key encryption and is used extensively for protecting sensitive data, especially when sent over an insecure network such as the Internet [27]. RSA makes use of a variable-size encryption block along with a variable-size key. The security of the RSA algorithm rests on prime numbers, since it is hard to factor the product of two large primes [28]. It uses two prime numbers to create the private and public keys. The sender encrypts the message with the receiver's public key, and the receiver, on receiving the message, decrypts it with its own private key.

RSA usually involves three steps: key generation, encryption, and decryption. RSA has a number of weaknesses in its design and thus is not recommended for financial use. The most crucial security services that come with RSA are privacy and secrecy, authentication, integrity, and non-repudiation [26], which make RSA an excellent public-key cryptosystem. The RSA algorithm has many advantages, namely it has quick encryption and verification processes; offers a high level of security; and sustains data privacy, non-repudiation, and data reliability [22,26,29]. The approach presented in this research paper requires a high level of safety, which can be effectively achieved and fulfilled by RSA. The following is the algorithm of the RSA cryptosystem. Figure 2 shows how the RSA public-key cryptosystem works [30].
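As an added worked example (not code from this paper or from any of the cited implementations), the three RSA steps named above, plus signing and verification for the non-repudiation service, in textbook form. The primes p, q, the exponent e, and the sample message are constructed values; no padding is applied, so encryption here is deterministic and only shows the arithmetic, whereas deployed systems wrap the message in a padding scheme such as RSAES-OAEP.

```python
import math


def generate_keypair(p: int, q: int, e: int = 65537):
    """Step 1, key generation: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    p and q are assumed to be distinct primes (primality is not checked here)."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return (n, e), (n, d)        # (public key, private key)


def encrypt(pub, m: int) -> int:
    """Step 2, encryption with the receiver's public key: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """Step 3, decryption with the receiver's private key: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def sign(priv, m: int) -> int:
    """Signature with the signer's private key (non-repudiation): s = m^d mod n."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m: int, s: int) -> bool:
    """Anyone holding the public key checks that s^e mod n equals m."""
    n, e = pub
    return pow(s, e, n) == m


def bytes_roundtrip(pub, priv, data: bytes) -> bytes:
    """Encode a short message as an integer, encrypt, decrypt, decode again."""
    m = int.from_bytes(data, "big")
    return decrypt(priv, encrypt(pub, m)).to_bytes(len(data), "big")


if __name__ == "__main__":
    # Constructed small primes: n = 3233, phi = 3120, d = 2753; 65^17 mod 3233 = 2790
    pub, priv = generate_keypair(61, 53, e=17)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c), verify(pub, 65, sign(priv, 65)))
    # Constructed larger primes so that a 3-byte message fits below n
    pub2, priv2 = generate_keypair(1000003, 1000033)
    print(bytes_roundtrip(pub2, priv2, b"PAY"))
```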