E-CRM Practices in E-Commerce Payment Gateways

I. INTRODUCTION

Consumer spending via the Internet is increasing at a significant rate. Online spending recently saw global double-digit growth nearing 50% on a year-to-year basis, and within the United States alone spending is expected to reach $3.5 trillion in 2006 [Rob & Opara, 2003, p. 1]. These trends are fuelled by global economic expansion. They can be expected to continue in the future. The growth in spending on the Internet, together with the underlying need for secure transactions, increases the importance of online payment systems. Online payment systems can be broadly defined as the means and processes involved in conducting transactions online; however, this description can be expanded to include the online monetary connections between sellers, buyers, financial institutions, and intermediaries. Online payment systems have been around for several years, yet are now becoming ubiquitous with the increased common use of the Internet. Some of the benefits provided by online payment systems include improved cash flow efficiency, guaranteed transactions, reduced costs, increased protection of sensitive information, and increased protection of the payment provider. Given that fraud is a prevalent concern with online transactions, secure online payment systems are particularly important. Despite the growth and importance of online payment in the current global economy, little academic literature exists in this area that integrates the disparate research streams about online payment systems and describes their implementation. Further, online payment processes are largely ignored by traditional textbooks, yet it is important for students to understand online payment because it represents the most significant shift in payment in the last two hundred years. IS students are likely to be involved in implementing, purchasing, maintaining, or interacting with these processes. For example, several instructors note the need or desire to include online payments into e-commerce curriculum [Ramakrishna & Ragothaman, 2001; Rob, 2003; Shaikh, 2004; Tikekar & Wilson, 2001]. However, attempts to develop relevant electronic commerce course curriculum prove difficult [Bloss, 2001] because the subject material changes rapidly. One successful course uses a hands-on approach to study electronic payments [Dhamija et al., 1999], but the literature is sparse on the specific topics that should be covered. Given these gaps and opportunities, we review the academic literature and typical processes currently used in practice to provide direction for future academic research and to provide a framework to help instructors teach the topic to students. Because e-credit is the most used and accepted source of payment, representing 90% of all online purchases [Rob & Opara, 2003], this paper primarily

The online payment options available on the Internet mirror those provided by physical retailers. Many payment methods can be used for online purchases [Hsieh, 2001; Roberts, 2004a; Roberts, 2004b]. Of these methods, Meng and Xiong [2004a; 2004b] categorize online payment options into three categories: • e-credit (electronic credit cards), • e-cash (electronic cash), and • e-check (electronic checks). E-cash is not commercially popular, but some institutions allow the payment of bills by e-check. Table 1 provides a brief overview of these categories of payment. Each category in this model represents proven methods of payment in the physical world applied to their digital use on the Internet [Peffers & Ma, 2003]. Because of existing electronic infrastructure surrounding e-credit, these types of processes have been the easiest for businesses to adapt for viable commercial use online. E-credit payments are the focus of this paper.

provider. Mobile commerce is an expanding area of importance for both researchers and users [Kreyer et al., 2002; Zheng & KeFei, 2002]. Although online payment systems from mobile devices generate great excitement, it is difficult to establish security and trust [Siau & Shen, 2003], and standards are lacking [Kreyer et al., 2003; van der Heijden, 2002]. Some research has investigated the potential use of mobile devices in short range wireless networks for commerce [Chen & Adams, 2004; Knospe & Schwiderski-Grosche, 2002], in conducting online mobile banking [Herzberg, 2003], and coupled with smart cards for added security [O‘Mahoney, 2004]. Like micropayments, challenges still remain for the mainstream use of mobile commerce, but mobile commerce is gaining momentum as the devices become ubiquitous. One research stream has described the benefits of leaving a centralized client-server payment system and moving toward distributed electronic payment systems using Peer-to-Peer (PtP) networks [Schmees, 2003]. Yang & Garcia-Molina [2003] describe a micropayment system protocol that is built upon a PtP network and provides superior performance to standard micropayment protocols. This new research stream is not yet commercial but provides insights into the future of online payment.

Most businesses seek online payment to increase purchases by accepting bankcards. In addition to expanding the payment options available to customers, certain inherent risks faced by businesses can be reduced by using online credit payment. This section reviews five ways providers bring value to businesses: improved cash flow efficiency, guaranteed transactions, reduced costs, increased protection of sensitive information, and increased protection of the payment provider.

Online payment providers assist businesses in keeping costs of receiving payments low while enhancing and improving the company‘s ability to collect funds. Finding an efficient and cost effective way to collect money is of great importance for any company. Hundreds of methods exist for a business to create a dynamic website and collect customer information, but far fewer allow for the easy collection of funds [Sims & Tikekar, 2001]. Online payment providers improve cash flow efficiency for small incremental costs. Many services offer the ability for customers to make a one-time payment or to pay by subscription. Both methods tend to involve corresponding transaction fees, depending on the type of account the

Online payment providers help reduce some of the risks associated with online purchasing by guaranteeing transactions with proper support and by protecting sensitive information [Wright, 2002]. If customers are not confident that a company will provide them with guaranteed transactions, they may refuse to conduct business with the company, with devastating effects on revenues. Online payment providers offer straightforward ways of assuring business transactions over the Internet. One way is by collaborating with larger companies and major financial institutions to obtain the resources necessary to guarantee payments. For example, PayPal teamed up with Wells Fargo to provide greater functionality and stability to its service [Bills, 2002]. Another way providers of online payment offer customer assurance is by maintaining highly reliable equipment and technical processes. By purchasing an online payment package, businesses avoid the need to become technically proficient and adept at handling such matters as cryptography, server configuration, redundancy, and load balancing [Wright, 2002]. In hiring an online payment provider, business owners are essentially tapping into best practices and expert knowledge on online payment practices, software, and hardware. Online payment providers also protect their customers by implementing policies in which the provider bears a portion of the transaction risk. For example, PayPal implements a ―seller protection‖ policy that allows eligible parties to obtain a PayPal refund up to $5,000.00 annually for any reversals1 that result from unauthorized use of a credit card or false claims that goods were not sent. Other companies offer additional fraud packages for purchase. For example, VeriSign offers a basic fraud package, as a normal part of their service, which will filter risky customers and provide a security audit for the business. Trust is an essential factor that facilitates these transactions. McKnight et al. [2002] show trust to be essential for the success of online transactions. Stewart [1999] described the ability of websites to receive transference of trust from another site that is seen as trustworthy. Thus, using a reputable e-credit vendor could increase the customer‘s perception of the trustworthiness of a small business website. Reduced Costs Online payment providers help reduce costs on both the business side and the client side of a transaction by reducing the paper work, processing time, and human resources needed to complete it [Rob & Opara, 2003]. More important, they may also reduce data-entry errors because customers enter their own information into the system rather than relying on a customer service representative to enter the data for them. Online payment providers also allow companies to eliminate the need for expensive servers, software, and maintenance. Furthermore, using an online payment provider can reduce costs associated with server downtime. Since small businesses are particularly susceptible to losses caused by system downtime (much more than larger businesses [Ball, 2001]) reducing of downtime is important in these environments. Using a provider also greatly reduces the need for technically proficient developers and administrators assuring the reliability, timeliness, and efficiency of the payment system. Increased Protection of Sensitive Information Online payment providers can also decrease the potential for payment fraud by increasing the security of sensitive information. Payment fraud is 30 times more likely in the virtual world than in the physical world [Valentine, 2003]. Accordingly, consumers conducting business over the Internet are extremely concerned with the security of their personal information [Wright, 2002]. Using an online payment provider should decrease employee access to financial information, reduce internal employee theft, and protect sensitive customer information. An online payment provider allows a business to control sensitive information without having to invest in a complex web application. Once a client‘s personal information is stored in the payment provider‘s database, it will not be transferred again over the Internet [Wright, 2002]. To decrease the costs of fraud further, online payment providers typically assume the risk of credit card fraud, identity theft, and other financial fraud [Quinn & Roberds, 2003]. Online payment providers typically are well-equipped to provide increased data security during transmission processes through techniques such as cryptography [Wright, 2002]3 . Virtually all major online payment providers maintain sophisticated fraud control groups that conduct cyber sleuthing to reduce the amount of fraud committed with their services.

Before PtP and third-party services were developed, the only way to accept online payments was for a business to obtain a merchant account from a bank, implement a virtual shopping cart, and program an interaction with a credit card gateway. These components interact with the customer, merchant, merchant bank, and credit card issuer during a typical transaction. Merchant Bank/Merchant Account A merchant account is a bank account established at the merchant‘s bank that is capable of accepting funds from credit card customers‘ banks. A merchant funds flow from the credit card account to the checking account. Internet merchants usually do not hold funds in an account like the average customer‘s typical savings or checking account Instead, the merchant transfers the funds daily to another bank account.

Shopping cart software involves a complex transaction processing system that maintains a link between a particular client and a set of selected items on the website This virtual shopping cart allows a customer to purchase more than one product at a time from a given website because all selected items are stored within the cart. A variety of different shopping carts are available, from simple ones that do not require any technical background to advanced ones that support programming and database functions5 . The shopping cart acts as a link between the merchant‘s website and the credit card processing network (payment gateway). Information entered by the user on the merchant‘s website is transmitted to the payment gateway to begin a transaction. Upon approval from the cardholder‘s bank, the payment gateway sends an authorization approval to the shopping cart. The shopping cart then relays this information to the website so that the customer can see the transaction approval. Care needs to be taken to ensure that the shopping cart package is compatible with the selected payment gateway because each shopping cart package supports only a selected number of gateway choices. credit card processor, connects the merchant‘s website and shopping cart, the acquiring bank (merchant‘s bank), and the issuing bank (cardholder‘s bank). The payment gateway handles all communication messages between these entities. By handling the two key parts of credit card processing, authorization and payment settlement, the payment gateway is the key link in an online transaction. During authorization, credit card information from the merchant‘s website is sent to the payment gateway by the shopping cart, which verifies the card information and then sends a request to the cardholder‘s bank for the card to be charged. If the card information is valid and the customer‘s credit is sufficient, then the credit card company sends an approval to the payment gateway, which in turn communicates with the shopping cart and confirms the authorization for the purchase. The payment gateway then initiates a payment settlement (funds transfer) to allow the transfer of funds from the customer‘s credit card account to the merchant‘s bank account.

Figure 1 shows a transaction in this system. The system is a simplified example of the complex transaction network that connects financial institutions to allow the online processing of credit cards. It is necessary that all the components of the network are compatible with one another for the transaction to be approved by all the entities. As a result, most merchant account providers offer merchant accounts that are already integrated with a payment gateway service to ensure that transactions can be performed seamlessly. Though it is possible to set up each of the different accounts separately, it is far easier, more convenient, and often more economical to find a merchant account provider that maintains an established relationship with a payment gateway provider.

Even with an understanding of the basic e-credit payment options, businesses must still decide on their vendor. One popular approach is to purchase the individual services from separate providers and ask programmers to integrate them into the business website. In doing so, two opposite approaches can be evaluated: 1. Acquiring a merchant account as the first step or 2. Acquiring a merchant account as the last step.

the second step. In the third step the business chooses either to build or buy a shopping cart compatible with the gateway selected. The alternative approach to choosing the merchant account first is to choose the shopping cart first, then choose a gateway that is compatible with it, and finally to choose a merchant account that is compatible with the chosen gateway. Each of the three services that are integrated into a complete solution has pros and cons associated with it. A business should carefully consider if they prefer certain pieces. Choosing a shopping cart first may ultimately lock the business into using a merchant account with unusually high fees, while choosing a merchant account first could require the use of a costly gateway service and force limited choices in shopping cart software. A popular way to acquire all of the components of e-credit is to purchase the components in bundles, often from resellers who guarantee their compatibility. This option can lead to higher costs, but fewer integration issues. Whether purchasing by individual payment component or in bundles, businesses should expect to pay fixed setup costs and monthly or yearly fees associated with these products. One way to eliminate these monthly fees is to use an integrated system such as PayPal, where the only costs associated with selling items is a transaction fee.

Using an online payment provider such as PayPal, VeriSign, or Cardservice International allows businesses, particularly small businesses, to conduct business online. It increases their customer base and allows them to be recognized and patronized from all over the world. If a business does not use an online payment provider of some sort, it limits its customer base and the ease in which transactions can occur.

As the Internet continues to grow and develop in the coming years, new services and technologies will also emerge. Information Systems instructors and students need not only to understand the current online payment options and their implementation, but also upcoming trends. Thus far, this tutorial focused on the e-credit payment methods currently available. Yet, other types of systems that may become more prevalent in the future such as e-cash or micropayments [Herzberg, 2003; Treese, 2003; Valentine, 2003] or options not even envisioned. This section describes potential areas of change and associated future research opportunities. We examine three topics: 2. The emerging payment technologies of e-cash, micropayments, mobile commerce, and new architectures or protocols. 3. Two emerging issues related to online payments: electronic bill payment and the legal issues associated with new forms of payment.

Beyond the type of system used by merchants to collect payments, one of the most significant challenges to online payments are high concerns about fraud and the security of transactions [Radcliff, 2002a; Radcliff, 2002b; Roberts, 2004a; Roberts, 2004b; Valentine, 2003]. New standards and procedures are continually developed as hackers and e-criminals develop new ways to steal sensitive personal and financial information. As e-criminals become more proficient in their ways, the industry needs to develop new methods and procedures to ensure the security of their clients and online information. For example, to combat this problem, some credit card companies are now providing temporary credit card numbers. These numbers can help increase the consumer‘s trust in the merchant because the actual card number is not revealed. Many banks require more information than a username and password to protect accounts online due to phishing and other scams. Online payment providers need to continually update their security and anti-fraud measures to maintain the integrity of transactions. Companies that provide secure, reliable online transaction systems for merchants should increase consumer trust and facilitate the growth of e-commerce.

E-cash was envisioned in the early work on e-commerce [Panurach, 1996] yet they experienced little commercial success. One exception is the Octopus system used in Hong Kong [Chau & Poon, 2003; Poon & Chau, 2001]. Although this system did not provide online payment capabilities, research could examine the success of this system and the web-based PayCash ecash system [Peha & Khamitov, 2003] to provide guidance to the future use of e-cash online. As a variation on e-cash, Lee, Yu, & Kuo [2001] suggest that smart card based e-cash may eventually replace other varieties of e-Cash. Smart cards were patented in the 1970‘s and first used by the French telephone system in 1983 [Wikipedia, 2005]. They are not yet widely adopted. One of the earliest e-cash smart card projects, Mondex, was acquired by MasterCard and experienced modest success [Yakal, 1997]. Due to the increased security and functionality provided by smart card cryptographic features and processing widespread smart card adoption for electronic payments. In particular the problem of maintaining security while providing anonymity in e-cash solutions could be addressed so that e-cash solutions can approach the liquidity of traditional cash payments.

Wireless technologies, including mobile commerce or mobile payment provide opportunities for future research. Although the mobile transactions do not represent a large percentage of ecommerce [Stroborn et al., 2004], this growing area should not be ignored. Researchers identified some of the early characteristics of mobile commerce [Herzberg, 2003; Kreyer et al., 2003], how businesses can gain trust from wireless users [Siau & Shen, 2003], and critical success factors in wireless e-commerce [van der Heijden, 2002]. Recent research described the integration of smartcards and wireless technology [Dandash et al., 2005]. The new wireless technologies introduce added security risks that need to be addressed so that customers are comfortable using the technology to do business.

Even though previous work identified architectures and protocols for conducting online payments, many of the findings were never implemented in practice. Research could address the difficulty in developing payments systems based on theoretical protocols and suggest new protocols or architectures related to e-commerce. For example, Schmees [2003] describes how distributed digital commerce could take the place of the current client-server type e-commerce systems. Zhang, Chung, and Chang [2004] proposed some initial research in migrating to a web services payment architecture, but future research could expand on their work.

As businesses increasingly adopt online payment technologies, researchers, faculty, and students need to understand the resulting benefits and problems. The systems currently available should decrease costs, provide risk management, and help provide competitive advantage to users. Electronic payment technologies offer both opportunities and challenges. The largest challenge to the use of online payments is security and fraud prevention. This challenge is expected to become greater as e-commerce becomes more prevalent. The potential of e-cash, micropayments, wireless commerce, and new architectures for online payment offer fertile ground for future research. Models and Strategies: Text and Cases. Boston: McGraw-Hill Higher Education. Au, Y. A. and Kauffman, R. J. (2001). "Should We Wait? Network Externalities, Compatibility, and Electronic Billing Adoption," Journal of Management Information Systems 18:(2), pp. 47- 63. Backes, M. and Dürmuth, M. (2005). "A Cryptographically Sound Dolev-Yao Style Security Proof of an Electronic Payment System," Paper Presented at the 18th IEEE Computer Security Foundations Workshop, June 20-22 Aix-en-Provence, France, pp. 78-93. Ball, K. (2001). "The Use of Human Resource Information Systems: A Survey," Personnel Review 30(5/6), pp. 677-693. Bella, G., Massicci, F., and Paulson, L. C. (2002). "The Verification of an Industrial Payment Protocol: The SET Purchase Phase," Paper Presented at the 9th ACM conference on Computer and Communications security, Washington, DC, November 18-22, pp. 12-20. Bills, S. (2002). "PayPal is First Client of Wells Processing Service," American Banker 167(222), pp. 7. Bloss, A. (2001), "Teaching Fundamentals for Web Programming and e-Commerce in a Liberal Arts Computer Science Curriculum," Journal of Computing Sciences in Colleges 16(2), pp. 300-305. Chau, P. Y. K. and Poon, S. (2003). "Octopus: An E-cash Payment System Success Story," Communications of the ACM 46(9), pp. 129-133. Chen, J. J. and Adams, C. (2004). ―Short-range Wireless Technologies With Mobile Payment Systems," Paper presented at the 6th International Conference on Electronic Commerce, Delft, The Netherlands, October 25-27 pp. 649-659. Dandash, O., Wu, X., and Le, P. D. (2005). ―Wireless Internet Payment System Using Smart Cards," Paper Presented at the International Conference on Information Technology: Coding and Computing, Las Vegas, NV, , April 4-6, 2005, pp. 16-21. Dani, A. R., Krishna, P. R., and Subramanian, V. (2005). ―An Electronic Payment System Architecture for Composite Payment

China, March 29-April 1, pp. 552-555. Dhamija, R., Heller, R., and Hoffman, L. J. (1999). "Teaching e-Commerce to a Multidisciplinary Class," Communications of the ACM 42(:9), pp. 50-55. Herzberg, A. (2003). ―Payments and Banking with Mobile Personal Devices," Communications of the ACM 46(5), pp. 53-58. Hou, X. and Tan, C. H. (2005a), "A New Electronic Cash Model," Paper presented at the International Conference on Information Technology: Coding and Computing, Las Vegas, NV, April 4-6, pp. 374-379. Hou, X. and Tan, C. H. (2005b). ―On Fair Traceable Electronic Cash," Paper presented at the 3rd Annual Communication Networks and Services Research Conference, Halifax, Nova Scotia, Canada, May 16-18, pp. 39-44. Hsieh, C. (2001). ―E-commerce Payment Systems: Critical Issues and Management Strategies," Human Systems Management 20(2), pp. 131-138. Kinateder, M. and Rothermel, K. (2004). ―Bringing Confidence to the Web–Combining the Power of SET and Reputation Systems," Paper Presented at the First IEEE Consumer Communications and Networking Conference, Las Vegas, NV, January 5-8, pp. 545- 550. Knospe, H. and Schwiderski-Grosche, S. (2002). ―Future Mobile Networks: Ad-hoc Access Based on Online Payment with Smartcards," Paper Presented at the 13th IEEE International Symposium on Personal, Indoor, and Mobile Radio Communications, Lisbon, Portugal, September 15-18 pp. 197-200. Kreyer, N., Pousttchi, K. and Turowski, K. (2002). ―Characteristics of Mobile Payment Pocedures," Paper Presented at the International Symposium on Methodologies for Intelligent Systems, Lyon, France, June 27-29 pp. 10-22. Kreyer, N., Pousttchi, K., and Turowski, K. (2003). ―Mobile Payment Procedures: Scope and Characteristics," e-Service Journal 2(3), pp. 7-22. Lee, Z., Yu, H. and Kuo, P. (2001). ―An Analysis and Comparison of Different Types of Electronic Payment Systems," Paper Presented at the pp. 38-45. Liu, A., Shen, V. Y. and Muppala, J. K. (2002). ―Security Issues on Server-Side Credit-Based Electronic Payment Systems," Paper Presented at the 3rd International Symposium on Electronic Commerce, Research Triangle Park, NC, October 18-19, USA, pp. 47-57. Mavridis, I., Pangalos, G., Koukouvinos, T. and Muftic, S. (1999). ―A Secure Payment System for Electronic Commerce," Paper Presented at the 10th International Workshop on Database and Expert Systems Applications, Florence, Italy, September 1-3, pp. 832-836. Meng, B. and Xiong, Q. (2004a). ―Research on Electronic Payment Model," Paper Presented at the 8th International Conference on Computer Supported Cooperative Work in Design, Xiamen, China, May 26-28, pp. 597-602. Meng, B. and Xiong, Q. (2004b). ―SOCPT: A Secure Online Card Payment Protocol," Paper Presented at the 8th International Conference on Computer Supported Cooperative Work in Design, Xiamen, China, May 26-28,pp. 679-684. Mjølsnes, S. F. and Rong, C. (2003). ―On-line e-Wallet System with Decentralized Credential Keepers," Mobile Networks and Applications 8(1), pp. 87-99. O‘Mahoney, D. (2004). ―Electronic Payment," In H. Bidgoli (Ed.), The Internet Encyclopedia, Volume 1, pp. 635-644. New York: Wiley. Panurach, P. (1996). ―Money in Electronic Commerce: Digital Cash, Electronic Fund Transfer, and Ecash," Communications of the ACM 39(6), pp. 45-50. Párhonyi, R., Nieuwenhuis, L. J. M., and Pras, A. (2005,). ―Second Generation Micropayment Systems: Lessons Learned," Paper Presented at the 5th IFIP Conference on e-Commerce, e-Business, and e-Government, Poznan, Poland, October 26-28. Peffers, K. and Ma, W. (2003). ―An Agenda for Research About the Value of Payment Systems for Transactions in Electronic Commerce," JITTA : Journal of Information Peha, J. M. and Khamitov, I. M. (2003,). ―PayCash: A Secure Efficient Internet Payment System," Paper Presented at the 5th International Conference on Electronic Commerce, Pittsburgh, PA, USA, pp. 125-130. September 30-October 3 Poon, S. and Chau, P. Y. K. (2001). ―Octopus: The Growing e-Payment System in Hong Kong," Electronic Markets 11(2), pp. 97-106. Quinn, S. F. and Roberds, W. (2003). ―Are On-line Currencies Virtual Banknotes?," Economic Review-Federal Reserve Bank of Atlanta 88(2), pp. 1-15. Radcliff, D. (2002a). ―Cyber sleuthing Solves the Case," Computer World 36(3), pp. 36-37. Radcliff, D. (2002b). ―Forensic Detectives," Computer World 36(3), pp. 32-33. Ramakrishnan, K. and Ragothaman, S. (2001). ―Development of a 'Technology Based Business' Course," Journal of Computing Sciences in Colleges 17(5), pp. 216-228. Rob, M. (2003). ―The Rise and Fall of an e-Commerce Program," Communications of the ACM 46(3), pp. 25-26. Rob, M. A. and Opara, E. U. (2003). ―Online Credit Card Processing Models: Critical Issues to Consider by Small Merchants," Human Systems Management 22(3), pp. 133-142. Roberts, S. (2004a). ―Tide Turns on E-payments: Managing Risk and Fraud in Business-to Business Transactions, part 1," Credit Control Journal (25)7, pp. 26-28. Roberts, S. (2004b). ―Tide Turns on E-payments: Managing Risk and Fraud in Business-to Business Transactions, part 2," Credit Control Journal (25)6), pp. 29-31.

Research Scholar, Management, Bundelkhand University, Jhansi vsy75@yahoo.com