the Journal of Online Law

presents article 6 ...

CyberPayment Infrastructure

Henry H. Perritt, Jr.

JOL Copyright Policy

Copyright to the Journal of Online Law as a collective work belongs to the editor. Authors retain the copyright to their individual articles, but unless otherwise noted in an individual article, all authors and the journal's editor agree to the following:

Classroom use. Electronic or paper copies of the journal or its individual articles may be made for classroom use, provided that the copies are distributed at or below the cost of reproduction and the author(s) and the Journal of Online Law are credited and identified as the copyright holders.

Other uses. The journal may be distributed by individuals to individuals for non-commercial purposes, but not by means of Web site postings, distribution lists, listserv lists, newsgroups, BBS postings, multiple copies, or other bulk distribution, access, or reproduction mechanisms that substitute for a subscription or authorized individual access, or in any manner that is not a good faith attempt to comply with these restrictions.

Other postings. Because the WWW posting of the journal will likely be somewhat interactive, issues and articles may evolve and change over time. To ensure that readers are reading the up-to-date version, we ask that JOL not be posted on the Web except in its authorized location (<http://www.wm.edu/law/publications/jol>). But …

Links. Links from other sites to JOL's web site are encouraged.

 

CyberPayment Infrastructure (article 6)

Henry H. Perritt, Jr.[1]

 

[Cite as Henry H. Perritt, Jr., CyberPayment Infrastructure, 1996 J. ONLINE L. art. 6, par. ___ ]

To download this article, click here.

Abstract

 {par. 1} An essential requisite for commerce on the Internet is the existence of a reliable and secure system to handle payment for goods and services purchased. The basic technology for such systems is public key encryption. Professor Perritt explains how this technology can be used to create a variety of "payment infrastructures." Any payment system must meet certain requirements: merchants can depend on it to be paid; consumers have access to the means of payment through intermediaries like "certificate authorities;" these intermediaries understand their responsibilities and risks; and existing financial institutions understand their responsibilities in the world of non-paper-based financial instruments. Much of what is necessary can be accomplished within today's legal framework without need of new laws.

Payment Systems and Public Key Encryption

 {par. 2} The global information infrastructure must include subsystems that allow suppliers of information value and services to be paid. In other words, payment system infrastructures must exist as a part of the larger information infrastructure. The enormous popularity and growth of the Internet, particularly its World Wide Web application, is strong evidence of the potential of electronic commerce in open network environments such as the World Wide Web. The only thing needed for an explosion of real commerce on the Web is the availability of simple, reliable, and secure payment systems that are at least as easy for both merchants and consumers to use as credit card systems.
{par. 3} The basic technological infrastructure for such payment systems is in place.[2] Popularly known as public key encryption, this system facilitates electronic commerce because it permits someone to affix an encrypted digital signature to a message such as a promissory note or check using a private key known only to the signer. Public key encryption permits anyone else in the world to verify with almost complete certainty the authenticity of the signature and the fact that the message contents have not been altered. Such verification uses a public key corresponding to the private key used to sign the original message. Public keys are made available through special databases called certificate authorities ("CAs") which vouch for the relationship between a particular public key and its purported owner. Absent such certification service, a forger could falsely represent that his public key was the public key of the person whose signature is being forged.
{par. 4} Public key encryption plays a role in payment systems because it enables a merchant to verify the authenticity of a payment order such as a credit card charge, to verify the authenticity of an issuer of credit card-like credits or quasi money, and also permits the merchant and the merchant's bank to verify each other's identity and communications. The functioning of a payment system using public key encryption is illustrated in the figure, below.

Variety of Payment
Systems Possible

 {par. 5} There are a variety of payment system concepts that can be implemented within this basic framework. Some would look almost exactly like present credit card systems, only they would be implemented through the Internet, probably through the World Wide Web. A merchant would advertise its products or services on Web pages. A purchaser would provide a credit card number authenticating his identity through public key encryption. The merchant would use similar public key encryption techniques to verify the credit card charge and submit it for credit to its bank account.
{par. 6} Other payment systems also are conceivable, such as those more like cash or traveler's checks in which payment is less closely associated with particular individuals. Some people find this preferable because it protects the privacy of consumers participating in the system to a greater degree. Some of these "cybercash" or "digital cash" systems resemble personal checking systems more than they resemble cash. They differ from credit card systems in that, unlike credit card systems, digital cash arrangements draw upon a pre-established account balance involving payment tokens purchased in advance. In this respect they are like debit card systems. Because of the comparison with cash, some people erroneously conclude that these digital payment tokens might need to be legal tender, but as this article explains, that is not so.
{par. 7} These kinds of online payment systems are not yet in wide use. Major steps toward their implementation were taken in September of 1995, however, when both the Visa and MasterCard associations issued detailed technical standards for credit card transactions on the Internet. These reports built upon existing public key encryption concepts.

Other Models

 {par. 8} The company First Virtual Holdings presents a slightly different model. It is a kind of Internet consignment shop, in which sellers provide copies of their wares, and First Virtual takes care of marketing, selling, and obtaining payment for the consigned items. This qualifies as a particular type of payment system, but does not encompass payment directly between sellers and consumers.
{par. 9} First Virtual reported in its first year of operations[3] that its presence as an intermediary knowledgeable in the technology was an essential contribution to the resolution of disputes between consumers and merchants. Many of these disputes involved product malfunctions and malfunctions of the delivery system, which led to some initial consumer perceptions that they had been cheated. Regardless of whether public key encryption is used to facilitate electronic commerce, First Virtual believes that its quasi retailer function is essential to make electronic commerce acceptable.
{par. 10} Open Market[4] is another intermediary system, in which merchants offer products or services accompanied by an icon to authorize payment through conventional credit card accounts. Open Market handles the administrative tasks associated with verifying credit card information and setting up accounts.
{par. 11} What is missing now from Internet commerce is the wider deployment of actual commercial systems: merchants willing to accept credit card charges and other payment tokens through the Internet, an appropriately rich array of CAs, a critical mass of consumers possessing private keys, and banks willing to accept credit card charges and payment tokens communicated through the Internet. These things undoubtedly will arise to some degree regardless of the state of the law, but they are likely to happen more quickly if certain legal infrastructures are improved or, in some cases, simply better understood.

Legal Requirements

 {par. 12} Here are the basic requirements for the legal infrastructure:
  • {par. 13} Merchants must be reasonably secure against forgery and reasonably confident that credit card charges and other payment tokens will be honored upstream in the financial system.
  • {par. 14} Consumers must be able to obtain access to the means of presenting credit card authorizations and payment tokens in forms acceptable to merchants. This probably requires the existence of certificate authorities readily accessible to consumers.
  • {par. 15} Certificate authorities must understand their legal responsibilities so that they can insure against or otherwise provide for risk.
  • {par. 16} Banks and other financial institutions must understand their responsibilities. This is most notable because banks have been conditioned by a commercial culture with relatively precise and detailed specifications for presentment, acceptance, and dishonor of more conventional financial instruments such as personal checks.
    •
    {par. 17} All of these requirements can be satisfied without the erection of major new legal institutions or the creation of significant new areas of substantive positive law. The credit card payment system accounts for billions of dollars each year, and yet it is almost entirely regulated by private contracts among the several major credit card systems: Visa, MasterCard, American Express, and Diner's Club.
    {par. 18} On the other hand, new business opportunities sometimes frighten potential entrepreneurs when they cannot quantify their risk. When there is little case law, virtually no statutory or regulatory rules applicable by default, and few detailed contractual models or institutions facilitating electronic contracting, it can dissuade all but the boldest entrepreneurs from entering the field. All too frequently, the boldest do not have sufficient reputations to make consumers and merchants feel comfortable.
    {par. 19} It is helpful to consider the legal framework in four major categories: banking regulation; duties and limitations of liability of new intermediaries such as certificate authorities; allocation of the risk of fraud, unauthorized access, and trafficking in stolen keys or forged tokens; and jurisdictional and enforcement issues arising from the international character of the information infrastructure.

    Banking Regulation

    		 {par. 20} The banking part of the legal infrastructure involves the possibility that issuers of cybercash and cyber credit cards should be regulated as banks. Although banking law is complex, diverse, and surprisingly ambiguous or circular in its definitions of the activity of banking, the traditional hallmarks of banking are the issuance of commercial loans and the acceptance of deposits. While some of the cybercash models might involve something resembling demand deposits, surely the payment systems modeled on credit card transactions do not; the typical credit card holder pays the credit card bill after the charges have been incurred rather than depositing money in advance to draw upon as he makes charges.
    {par. 21} Moreover, the core purpose of banking regulation is to protect depositors against the risk of dishonor of their demands for withdrawals (including demands represented by personal checks), and against the insolvency of banks holding their deposits. The restrictions on banks against investing in securities, against performing investment banker functions, and requiring certain capital ratios and outside audits all derive from this core purpose. Articles 3 and 4 of the UCC define with great detail when banks are obligated to pay instruments such as personal checks.
    {par. 22} A regulatory system similar to that applied to banking might seem suitable for new Internet payment systems until one realizes that most payment systems encountered by ordinary consumers-aside from personal checks-occur largely outside this regulatory framework. The easiest example is American Express, which is not a bank, not subject to banking regulation, and yet is the hub of all of the electronic commerce that flows through American Express traveler's checks and credit card payments. The American Express system works, not because of a regulatory regime, but because consumers and merchants trust American Express. The same thing could occur in electronic commerce on the Internet.

    New Intermediaries: CAs

    		 {par. 23} On the other hand, the CA function does not have a clear analogue in historical practice. A CA is a kind of insurer of the authenticity of a payment token. As such, it is extremely difficult for the CA to predict financial risk, especially when the payment systems it insures are so new. Thus, many people perceive that the emergence of an adequate number of CAs depends on new laws to define their responsibilities.
    {par. 24} The Utah Digital Signature Act[5] is serious effort to do that. The ABA's draft digital signature guidelines[6] cover the same issues as the Utah act and similarly provide default rules and safe havens for CAs and make it clear what consumers and merchants can expect of CAs. There is some tendency for legislative proposals such as these to be enacted in other states, although it is hardly necessary for all fifty states or for all the countries of the world to enact such legislation before significant CA practice can get started. To some extent existing choice of law principles should make it possible for a CA to establish itself in a state with a statute like Utah's, and to do business so as to be reasonably confident that its home state statute will apply. Obviously, however, this possibility implicates some of the jurisdiction and international law problems discussed later in this article.

    Fraud, Unauthorized Access, Stolen Keys

    		 {par. 25} Fraud, unauthorized access, and trafficking in private keys and payment tokens are regulated reasonably comprehensively by the Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1060 (1988), and the Electronic Communications Privacy Act, 18 U.S.C. § 2510-2521, and § 2701-2709. These provisions explicitly criminalize trafficking in computer passwords, which probably includes private keys and payment tokens. On the other hand, these criminal statutes do not establish default rules for allocating the loss resulting from the conduct they criminalize. It may be necessary for these matters to be made more certain by statutes such as the Utah Digital Signature Act, which defines duties and immunities reasonably well for all parties to an Internet transaction, or by the ABA guidelines.

    Jurisdictional Issues

    		 {par. 26} The most difficult part of the legal infrastructure to arrange relates to the inherently international character of any activities conducted on the Internet. Whose law applies if someone in the United States orders merchandise offered on a World Wide Web page by someone in Israel, and pays for it with credit based on a credit card issued by an issuer in Norway, with the whole process verified by a CA located in the Netherlands? Where can a person injured by some defect in this process sue? Who will enforce a judgment?
    {par. 27} To some extent these questions are already answered by choice of law rules developed over several centuries in private international law. Moreover, the questions may not arise frequently because of the criminalization of some of the grossest kinds of misconduct in virtually every civilized country. To a considerable degree, the uncertainties can also be reduced or eliminated by participation in international arbitration agreements. Criminal conduct jeopardizing international financial systems may be increasingly regulated through new international institutions such as the proposed international criminal court[7] and substantive guidelines for harmonization of national criminal law.[8]
    {par. 28} In the short run, the best hope is the development and use of specialized international arbitration systems drawing from the largely successful experience in commercial international arbitration, and on the remarkably complete governance systems represented by bank check clearing and funds transfer systems such as Fedwire and CHIPS, and their international counterparts. The consumer protection aspect of this proposal can be modeled on well established and highly successful master agreements under credit card subscriber contracts represented by American Express, Diner's Club, the Visa and MasterCard systems, and a growing number of others.
    {par. 29} In the meantime, comprehensive models such as those issued by Visa and MasterCard and resembling the ABA digital signature guidelines can be helpful starting points for entrepreneurs who want to set up CAs, to accept digital charges, or to pay for merchandise through the Internet, as well as for banks who want to participate in these new types of monetary flow.

    [END]

    FOOTNOTES

    [Return to text] 1. Professor of Law, Villanova University School of Law, Villanova, PA 19085. The author can be contacted at perritt@law.vill.edu or through <http://www.law.vill.edu>.
    [Return to text] 2. In the mid 1970s, three MIT engineers, Ralph Merkle, Whitfield Diffie, and Martin Hellman, patented the first public-key encryption algorithm. In 1978 Ron Rivest, Adi Shamir and Leonard Adleman patented a full-fledged system for asymmetric cryptography enabling privacy as well as digital signature applications. Most current public key systems employ both the Diffie-Hellman and the Rivest-Shamir-Adelman ("RSA") algorithms. Such systems permits secret keys used in decoding computer data to be exchanged in environments in which it is infeasible to make prior arrangements with every customer.
    [Return to text] 3. First Virtual Holdings Inc., Perils and Pitfalls of Practical CyberCommerce: The Lessons of First Virtual's First Year (presentation materials, AALS, Jan, 6, 1995) (available at <http://www.fv.com/pubdocs/fv-austin.txt>).
    [Return to text] 4. <http://www.open.market.com>.
    [Return to text] 5. Utah Digital Signature Act, As Proposed to the 1995 General Session of the Utah Legislature. Available at <http://www.law.vill.edu/~perritt/utahdsig.asc>.
    [Return to text] 6. Information Security Committee, Electronic Commerce and Information Technology Division, Science and Technology Section, American Bar Association, DIGITAL SIGNATURE GUIDELINES: LEGAL INFRASTRUCTURE FOR CERTIFICATION AUTHORITIES AND ELECTRONIC COMMERCE (Draft October 5, 1995). Available at <http://www.law.vill.edu/vls/student_home/courses/computer-law/abaguid.htm>). The official copy of the draft is not available from the ABA, though updates regarding the process of review and approval will likely be available at <http://www.intermarket.com/ecl/whatsnew.html>.
    [Return to text] 7. See William N. Gianaris, The New World Order and the Need for an International Criminal Court, 16 FORDHAM INT'L L. J. 88 (1992-93); The International Criminal Court Home Page, <http://www.igc.apc.org/iccl/>.
    [Return to text] 8. See, e.g., Bruce Zagaris and Sheila Castilla, Constructing an International Financial Enforcement Subregime: The Implementation of Anti-Money-Laundering Policy, 10 BROOKLYN J. INT'L L. 871 (1993).