17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

CONSEPP: Convenient and Secure Electronic Payment Protocol based on X9.59

Albert Levi, Cetin K. Koc
Oregon State University

The security of electronic payment protocols is of interest to researchers in academia and industry. While the ultimate objective is the safest and most secure protocol, convenience and usability should not be ignored, or the protocol may not be suitable for large-scale deployment. Our aim in this paper is to design a practical electronic payment protocol which is both secure and convenient. ANSI X9.59 standard describes secure payment objects to be used in electronic payment in a convenient and secure way. It has many useful convenience features for large-scale consumer market deployment, the best being the elimination of consumer certificates. Consumer public keys are stored in account records at financial institutions; the digital signatures issued by consumers are verified by financial institutions. Encryption is deliberately not provided by X9.59. In this paper we propose a new Internet e-payment protocol, namely CONSEPP (CONvenient and Secure E-Payment Protocol), based on the account authority model of ANSI X9.59 standard. CONSEPP is the specialized version of X9.59 for Internet transactions (X9.59 is multi-purpose). It has some extra features on top of the X9.59 standard. X9.59 requires merchant certificates; in CONSEPP we propose a lightweight method to avoid the need for merchant certificates. Moreover, we propose a simple method for secure shopping experience between merchant and consumer. Merchant authentication is embedded in the payment cycle. CONSEPP aims to use current financial transaction networks, like VisaNet, BankNet and ACH networks, for communications among financial institutions. No certificates (in the classical sense) or certificate authorities exist in CONSEPP. Convenience is not traded for security here; basic security requirements are fulfilled in the payment authorization cycle without extra messaging and significant overhead.

Keywords: Electronic payment, Security, Account Authority Digital

Read Paper Read Paper (in PDF)