Purses. A purse is an abstraction of an instance of a payment system that is available to the user. It is necessary to have services for:

• Creating a purse (i.e., a constructor to instantiate a purse object)
• Configuration and setup, which will be used by purse management applications (e.g., to associate a purse with a credit card and to register with a certification authority)
• Initialization, which is invoked during startup to activate the purse
• Creating transactions (see the next subsection)
• Information (e.g., answers to questions such as "Does this purse provide nonrepudiatable receipts for payments?")

Additionally, the Purse class hierarchy also provides services for information management corresponding to these purses (e.g., answers to questions such as "What is the user name associated with this purse?" or "What amount is associated with this purse [where applicable]?").

A further classification of purses can be made based on the subset of operations supported by the purse as follows: a pay-only purse can be used to make but not to receive payments, a receive-only[26] purse can be used to receive but not to make payments, and a pay-and-receive purse can be used for making and receiving payments.

Mondex and ecash are examples of payment systems that do support pay-and-receive purses. Most other payment systems do not.

Transactions and transaction records. As mentioned, the base ValueTransferServices interface defines value transfer services that are common to all payment models. Some example services defined in this interface are: pay makes a payment from a purse to a designated recipient; receivePayment is the counterpart of pay, it receives an incoming payment. Model-specific subinterfaces may define additional services. For example, the subinterface for the cash-like model has a service to withdraw money from the bank into the purse.

Every instance of a value transfer service is abstracted by a transaction. The PaymentTransaction class implements the value transfer services described in one branch of the ValueTransferServices interface hierarchy. Information associated with a transaction (both transient information such as state that is relevant only while the transaction is active and "permanent" information such as receipts or other evidence that is relevant long after the transaction is completed) is kept in a related PaymentTransactionRecord object. This information can be used in crash recovery and dispute management as well as for informational purposes.

The base PaymentTransaction defines general transaction services such as trying to abort an ongoing transaction or retrieving its current status. Each subclass of the base class implements a leaf interface of the ValueTransferServices interface hierarchy (e.g., SETTransaction extends PaymentTransaction and implements the CheckLikeValueTransferServices interface). Each leaf Purse class provides a startTransaction() method that creates a new transaction of the appropriate type (e.g., in the SETPurse class, the startTransaction() method will instantiate a SETTransaction object).

Payment manager. The payment manager provides services for purse selection as well as to retrieve management information. It keeps track of the currently available purses, known payment module adapters, etc. To maintain and manage this information, the payment manager provides various services such as creation and registration of a purse, deletion of a purse, and registration of a new adapter. Additional services are provided to make this information available to other objects and applications in a variety of useful ways. The manager is also responsible for initializing all the relevant components on startup. The current design does not yet address fault-tolerance issues. The manager will be the entity providing services for shut-down and fault-tolerance mechanisms such as crash recovery.

Selection of a purse to be used in a transaction is based on several factors: requirements for the transaction (e.g., security requirements), static user preferences, negotiation with a peer payment manager, and manual selection by a user. Except negotiation, the remaining factors are all local. The payment manager provides various services to facilitate this local selection.

Negotiation with the peer for selection of the payment instrument can be done in several ways. But all negotiation protocols consist of simple request-response exchanges. Currently, we restrict negotiation for tuples containing two parameters:

Adapting a payment system

1. Identify the model to which the payment system belongs (e.g., SET belongs to the check-like model).
2. Implement a subclass of the Purse class corresponding to the payment model identified (e.g., SETPurse extends CheckLikePurse). This step implies providing implementations for all abstract services defined in the ancestor Purse classes (e.g., Purse and CheckLikePurse) and overriding default implementations therein, where necessary. In particular, the new class must provide a proper implementation of the setup() method; this method should allow the user to carry out all configurations necessary for the payment system.
3. Implement a subclass of the PaymentTransaction class that implements the value transfer services defined in the leaf of the ValueTransferServices interface hierarchy corresponding to the payment model identified (e.g., SETTransaction implements CheckLikeValueTransferServices and inherits from PaymentTransaction).

Using the generic payment service

Payment transactions. The primary use of the generic payment service is via business applications making payment transactions.

A user will initiate payment transactions using some sort of a high-level business application (e.g., a Web browser or a CD-catalog reader). Figure 5 shows the object interactions that take place at the payer end during execution of a typical payment transaction. The important things to note are:

Figure 5

The sequence of events at the payee side is similar, with minor differences. The payee application is probably an unattended merchant server. Thus, there will be no user interaction. There may be interactions with third parties during the transaction. For example, in a check-like system, the payee's adapter may contact the acquirer for authorization. One can also imagine a payment system where the payer's adapter has to obtain some sort of a credential from the issuer before each payment. All such communication with third parties is carried out within the adapter--the calling applications are typically unaware of them.

This example is also intended to give an idea about how the generic payment service enables business application development. The primary services used by the business applications are purse selection and value transfer between payer and payee. Both of these are common to all payment systems. Thus, a large class of applications using the generic payment service need not be aware of system- or model-specific details. Certain special applications (see next subsection) will make use of the model-specific components of the generic payment service.

Special applications. The second category of usage is via special applications. The most important special application is a purse management tool.

Purse management. Before being able to use an installed payment instrument, a purse corresponding to it must be created and configured. A special "purse management application" is provided for this purpose. Changes to purses are written out to stable storage. Purse management is an infrequent activity. (Typically, once a purse is created and configured, it can be used in several subsequent payment transactions.) Purse management makes use of a setup() method provided by the Purse class in an adapter. This method must implement all the necessary configuration for that payment system. For example, the setup() method of the SETPurse allows the user to enter the credit-card information (cardholder name, brand, number, expiry date) that is then stored as part of the purse state.

Other applications. There can be a number of other special applications. Some of these are model-specific. A batch capture application can be used by the merchant to capture a set of received payments for check-like purses; typically this will be used as part of end-of-day processing. A withdrawal application can be used to load money into cash-like purses. The SEMPER prototype implementation comes with two model-independent special applications: a transaction browser allows the user to browse through accumulated transaction records; a module installer allows a user to install a new payment instrument along with its adapter.

Extending the design

Dispute management. Support for handling disputes is a crucial aspect of any system providing accountability. Consider some typical claims that users of a generic service might want to make or deny:

• ABC paid $100 to XYZ on 12/29/97, 10:32 GMT
• ABC paid $100 to XYZ with external reference "Order #432"
• ABC did not pay $100 to XYZ
• ABC deposited $100 at bank B on 12/29/1997
• ABC deposited $100 at bank B on 12/29/1997, before noon GMT

The problem of dealing with disputes in the generic payment service has three aspects: (1) how to express dispute claims, (2) how to map evidence collected during a transaction to subsequent dispute claims, and (3) since a dispute involves the interaction of more than one player, how to define a multiparty dispute protocol.

In general, disputes can be expressed in terms of statements about a (possibly alleged) transaction. We use the following structure for dispute statements:

[not]<TRANSACTION>[<role> = <player>]*
                                  [<attr><OP><value>]*

The examples above would then correspond to statements like:

• PAYMENT payer = ABC, payee = XYZ,
                   amount = $100, time = "12/29/97, 10:32 GMT"
• PAYMENT payer = ABC, payee = XYZ,
                   amount = $100, reference = "Order #432"
• not PAYMENT payer = ABC, payee = XYZ,
                         amount = $100
• DEPOSIT user = ABC, bank = B,
                 amount = $100, time = "12/29/97"
• DEPOSIT user = ABC, bank = B,
                 amount = $100, time < "12/29/97"

The dispute management interface provides services to construct dispute claims and prove them to a verifier. In the simplest case, it is enough to extract the right pieces of evidence (such as receipts) and present them to the verifier. In other cases, it may be necessary to interact with the verifier using a complex proof protocol. The Purse subclasses in the adapters will be required to implement the dispute management interface.

Typically, disputes are about payment transactions. These disputes will be started by the applications that initiated the payment in the first place (e.g., a Web browser on the payer's side and a merchant server on the payee's side). Disputes between a user and the bank (e.g., wrong entry in a bank statement) will require special bank-specific applications to drive the dispute.

Currently, we are expanding on these ideas in building a framework for handling disputes in the generic payment service.

Payment security policies. A number of considerations apply to payment security policies. We describe them here.

Limits on value transfer. A user of the generic payment service may wish to associate several types of limits to the purses available. Some examples of the types of limits are:

• Each payment from a specified purse (say P1) should not exceed 100 CHF (Swiss francs).
• Total payments from all purses taken together should not exceed 1000 CHF in any 24-hour period.
• Total payments from all purses should not exceed 10 000 CHF in a given calendar month.
• Payments below 10 CHF do not need explicit user authorization.
• No more than four payments without explicit user authorization can be made in any 24-hour period.
• If a payment will bring the balance in a specified purse (say P2) below 200 CHF, it must be explicitly authorized by the user.

Access control. Access control is a critical functionality of the generic payment service. We note the following in order to motivate our design:

Access control is required in the following cases:

• Access to secret information required to use the underlying payment system (e.g., personal identification numbers [PINs], pass phrases, credit-card numbers, etc.). There may be several different pieces of such information.
• Access to purse operations.

A common solution: Policy framework. We have taken a common approach to address both limits and access control requirements by using the notion of policy objects. A purse can associate one policy object with each service it provides. Whenever a service is requested from a purse, the corresponding policy object will be queried to determine authorization for the service (Figure 6). All policy objects provide ways to check for current availability of a service (the isAllowed() method), and to indicate that an authorized service is being provided (the update() method), so the policy object can change any relevant internal state parameters (note that policies as in the second last example above are stateful).

Figure 6

These methods can be used by purse services (such as pay() and receivePayment() methods) to manage authorization. A reference to the transaction record is provided as an argument to the isAllowed() and update() methods. Through the transaction record, it is possible to access the purse(s) involved in an operation. Thus, different implementations of these methods can access all the information they need in order to make the policy decisions.

The policy class hierarchy is shown in Figure 7. A policy may be simple or aggregate. Simple policy objects are self-contained and make their decisions independently of other policy objects. There may be several kinds of simple policy objects. Some examples are:

• The AskUser policy class displays relevant information about the transaction to the user and asks for his or her approval.
• The MinBalance policy class makes sure that the minimum balance is above a specified value.
• The TimebasedLimit policy class provides a way to set simple time-based limits.

Figure 7

Aggregate policy objects have a list of constituent policy objects. The policy decision of the aggregate object is a function of the policy decisions of its constituent objects. Some examples are: An OR policy allows the service if any of its constituent policies do so; an AND policy allows the service if all of its constituent policies do so.

With these policy objects we can express complex policies. For example, the policy "if the amount is less than CHF 10 and the balance afterwards is going to be above CHF 200, allow the payment, otherwise ask the user" will correspond to a policy object network shown in Figure 8. (When a policy object has other constituent policy objects in it, a top-to-bottom evaluation order for the constituent objects is assumed.)

Figure 8

Additional policy classes may be defined and incorporated into this hierarchy. Users of policies (e.g., the pay() and receivePayment() methods) will have a single access point. Notice that policy objects are intended as a mechanism to express policies. The enforcement of these policies is up to the implementations of the services: for example, as shown in Figure 6, the pay method in the transaction class of an adapter must query the payment policy object in its purse before proceeding with the payment.

Clearly, several issues need to be resolved. We require a language to express policies and efficient techniques for evaluating and updating policies. A similar approach is given by the PolicyMaker framework.[27] However, policies in this model cannot be defined in terms of pure contextual information such as the total amount spent from a purse.

The description here is intended only to give a flavor of the issues involved. We are currently working on addressing these issues in depth.

Token-based interface definition. The original design assumed a synchronous model since the first version of the SEMPER architecture did the same.[25] However, we have defined a "token-based" interface that can support an asynchronous model in a straightforward manner. Our token-based interface is inspired by the GSS-API[28] approach. It has two types of methods: (1) one "starter" method for each different type of protocol; the starter methods return a token containing the first message of the protocol, and (2) a common "processor" method; this takes a token as input, and depending on the internal state of the protocol run, may return another token as output.

In the token-based model, the payment service does not engage in any direct communication with the peer. Instead, the caller is expected to take care of the communication. The payment service is still responsible for maintaining the state of a protocol run. The initiating caller invokes an appropriate starter method in the payment service API to start a protocol. Typically, these starter methods will return a "token" as output. The initiating caller application is expected to communicate this token to its peer entity, the responding caller application. The latter in turn will invoke the processor method on its instance of the payment service and give the received token as input. From this point on, whenever a caller entity receives a token as output from the processor method, it will send the token to its peer; whenever a caller entity receives a token from its peer, it will invoke the processor method on its payment service, giving the received token as input.

We define a token-based version of value transfer services in an interface hierarchy called TValueTransferServices parallel to the ValueTransferServices interface hierarchy. For each method (e.g., pay()) in the latter, we define a corresponding starter method (e.g., startPay()) in the former. In addition, a common processor method processToken() is defined in the TValueTransferServices interface. Figure 9 illustrates object interactions in the same scenario depicted in Figure 5, but with a token-based interface for negotiation and value transfer.

Figure 9

Since no peer-to-peer communication is taking place inside the generic payment service, the caller does not have to block on service invocations. The designer of the calling application has the freedom to use an asynchronous implementation architecture. More importantly, the token-based approach can allow an application to supplement the level of security provided by a payment system by transporting the tokens via a channel with particular security attributes. For example, even though payment protocol messages in SET are encrypted, an eavesdropper may be able to determine and link the identity of the payer and payee by watching the network addresses in the payment messages. With a token-based interface, if the applications were able to establish an untraceable communication channel between them, they could extend the untraceability to SET payments as well.

Currently, the interface TValueTransferServices is optionally implemented by subclasses of the PaymentTransaction class. Since the token-based version is more general than the synchronous version, we plan to make the former the default value transfer services interface and deprecate the latter.

We are in the process of defining a token-based interface for the negotiation of payment system as well. The designers of the E-CO System have used a similar token-based API for the negotiation of payment system.[29]

Related work

The Joint Electronic Payments Initiative (JEPI) focuses only on defining the protocol for the negotiation of various payment-related parameters such as the payment system. The scope of our work roughly corresponds to the scope of these two projects taken together.

Sun recently announced their Java Electronic Commerce Framework (JECF). [32] The framework is still in the process of being defined. Their emphasis appears to be on the payer side: payers will be able to download different "payment cassettes" (roughly corresponds to a payment instrument and its adapter in our terminology) and integrate them into their JECF installation. They also propose a sophisticated general-access-control scheme that can be used in our work.

The E-CO System project had roughly the same scope[29] as our work, although their main focus so far seemed to be on establishing APIs and mechanisms for payment negotiation.[33] Additional information was not public, and the project appears to have been discontinued.

Status and conclusions

Acknowledgments

Interesting discussions with several people helped us develop and refine the ideas presented in this paper; in particular we thank Ali Bahreman, Mark Linehan, Birgit Pfitzmann, Tom Scanlan, John Schey, Berry Schoenmakers, Julia Sime, Els van Herreweghen, and John West. We are grateful to Jay Black and Matthias Schunter and the anonymous referees for their valuable comments on previous versions of this paper.

*Trademark or registered trademark of International Business Machines Corporation.

**Trademark or registered trademark of DigiCash bv, Mondex International Limited, Visa International Service Association, MasterCard International, Inc., CyberCash, Inc., Financial Services Technology Consortium, Inc., Sun Microsystems, Inc., Royal PTT Nederland NV, or the Dutch Postbank.

Cited references and notes

Accepted for publication August 20, 1997.