based payment schemes [5]. In SET, in addition to holding a valid credit card, a customer needs to install SET payment software (called a SET wallet) on her computer. After the customer browses for goods or services from a SET-supporting online store, the SET wallet installed on the customer's computer is activated. After the necessary payment information is filled in, the SET wallet performs highly secure cryptographic operations, e.g. public-key cryptographic operations, to generate a purchase request. This request is transferred to the store and the customer's credit card company for payment authorization. After approval, the requested amount is transferred from the customer's account to the store's account, and the customer then receives the requested goods and the corresponding payment receipt at the end of the transaction.
Credit-card payment seems to be a simple method of paying for goods or services on the Internet because many people have credit cards and regularly use them to purchase goods or services in physical stores. However, credit-card payment systems have high operational costs, especially at the merchant side. As a result, credit-card payment is not suitable for low-valued payment transactions.
Alternatively, a payment method that is suitable for low-valued transactions is called "Micropayment". Most micropayment systems deploy low computational cryptographic operations and simple message passing in order to reduce operational costs. The examples of micropayment systems are Millicent [6],
Electronic payment in wireless environments introduces the term "Mobile Payment", which is defined as interactions among engaging parties in a payment system regarding a payment transaction where at least one engaging party is a mobile user. With mobile payment, customers can purchase electronic books from an online publisher whose system supports payment from mobile devices while they are on the move.
Because mobile payment is e-payment, previously performed in fixed environments, carried out in wireless environments, it offers the same services as e-payment. However, due to the constraints of wireless environments, low-valued payment methods such as micropayment, which have lightweight operations and low operational cost, are likely to be more suitable for wireless environments than other methods. The constraints of wireless environments will be discussed in detail in the next section.
Electronic payment, including mobile payment, plays an important role in e-commerce in that it concerns the transfer of funds among engaging parties after they have agreed to purchase or sell products or services. It must be performed in a secure manner. Moreover, the security of the electronic payment system is one of the main concerns for customers making online payments to online stores.
Security and Limitations of Mobile Payment Systems
Generally, two main reasons explain why securing mobile payment systems is not accomplished: limitations of wireless environments and security of the mobile payment systems themselves.
Limitations of Wireless Environments
Performing payment transactions in wireless environments mainly suffers from resource limitations of mobile devices and characteristics of wireless networks [RdS98], [KSL03a], and [WC01].
Resource Limitations of Mobile Devices
Mobile devices have the following limitations:
• The computational capability of their processors is comparatively lower than that of personal computers (PCs).
• They run on battery power, whereas PCs run on mains electric power. Therefore, they can stay in operation for a shorter period than PCs.
• They have limited storage, which restricts the cryptographic algorithms that can be applied on them.
A mobile device with the above limitations is not capable of performing high computational cryptographic operations, such as the public-key operations used on a fixed-network device such as a PC. Due to the low computational capability of mobile devices, completing a payment transaction on a mobile device takes a longer period of time than on a PC, which has higher processing capability. Moreover, public-key operations require certificate verification processes, which in turn require storage on each mobile device to hold public-key certificates.
Although mobile devices with high computational capability, such as smart phones or powerful wireless-enabled PDAs, have recently been launched to the market, they are still unattractive to users.
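As an added illustration (not part of the original text) of the kind of low computational operation that avoids the public-key and certificate-storage costs described in this subsection, the following sketch authenticates a payment request with a symmetric-key MAC. The field names, the `Issuer` class and the customer and merchant identifiers are assumptions constructed for the example; the last lines show the trade-off, namely that whoever holds the shared key can produce a valid request, so the tag gives no non-repudiation.

```python
import hashlib
import hmac
import json
import secrets

def canonical(req: dict) -> bytes:
    # Deterministic encoding so both sides compute the MAC over identical bytes.
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()

def make_request(key: bytes, customer: str, merchant: str, amount_cents: int) -> dict:
    # Device side: one HMAC-SHA256 computation, no certificates to store or verify.
    req = {"customer": customer, "merchant": merchant,
           "amount_cents": amount_cents, "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    return {"request": req, "tag": tag}

class Issuer:
    """Hypothetical card issuer that shares one 32-byte key with each customer."""

    def __init__(self):
        self.keys = {}     # customer id -> shared secret
        self.seen = set()  # (customer, nonce) pairs already authorized

    def enroll(self, customer: str) -> bytes:
        self.keys[customer] = secrets.token_bytes(32)
        return self.keys[customer]

    def authorize(self, msg: dict) -> str:
        req = msg.get("request", {})
        key = self.keys.get(req.get("customer"))
        if key is None:
            return "unknown-customer"
        expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag characters matched.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "bad-tag"
        replay_id = (req["customer"], req.get("nonce"))
        if replay_id in self.seen:
            return "replay"
        self.seen.add(replay_id)
        return "approved"

if __name__ == "__main__":
    issuer = Issuer()
    key = issuer.enroll("alice")                        # constructed sample data
    msg = make_request(key, "alice", "bookstore", 150)
    print(issuer.authorize(msg))                        # first presentation
    print(issuer.authorize(msg))                        # same message again
    # The issuer also holds the key, so it can mint a request "from" alice.
    forged = make_request(issuer.keys["alice"], "alice", "bookstore", 99900)
    print(issuer.authorize(forged))
```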
Characteristics of Wireless Networks
Wireless networks have the following characteristics:
• Wireless networks have lower bandwidth than fixed networks.
• Network connections over wireless networks are less reliable since packet losses occur more frequently than on fixed networks. Packets need to be retransmitted, which may result in high latency.
• Connection cost of wireless networks is higher compared to that of fixed networks.
• Data transmitted over wireless networks is easily eavesdropped.
From the above limitations, mainly due to poor performance, performing payment transactions over wireless networks is time-consuming. Moreover, performing payment transactions on mobile devices with low computational capability takes a longer time to complete each transaction. As the connection cost of communications over wireless networks is much higher than that over fixed networks, performing payment transactions over wireless networks using such mobile devices will add a large amount of money to users' bills. In addition, data transmitted over wireless networks is easily eavesdropped; this can be prevented by applying highly secure cryptographic techniques such as public-key operations. However, such operations require high computational capability devices and high-speed wireless networks that may incur high cost for users.
Security vs. Transaction Performance of Mobile Payment Systems
Performing electronic payment transactions over wireless networks raises concerns about security of the underlying payment systems. Ideally, both traditional and wireless Internet should serve all applications, including making payment, with the same level of security. Moreover, mobile payment applications should be compatible with existing infrastructure of traditional electronic payment applications so that the existing infrastructure can continue to operate.
However, as discussed in the previous section, performing payment transactions in wireless environments suffers from a number of limitations. A possible solution is to replace high computational cryptographic operations applied to the underlying payment protocol with the lower ones, e.g. replacing public-key cryptographic operations with symmetric-key