
Web Technology & System Security and Maintenance

INFORMATION TECHNOLOGY TRAINING 424

CHAPTER 5: E-COMMERCE

© The Institute of Chartered Accountants of India

LEARNING OBJECTIVES

During this chapter, we will learn:
• Definitions of E-Commerce
• Basics of Commerce
• Web Commerce
• E-Marketplace
• Advertising and Online Marketing
• Purchase Online
• Electronic Payment Systems
• Types of Electronic Payments
• Infrastructure of E-Commerce
• Basic Networking
• Network Infrastructure
• Other Networks

5.1 INTRODUCTION

To many, E-Commerce is defined as buying and selling of products and services over the Internet, but there are many more aspects to it. E-Commerce is a system that includes not only the transactions that centre on buying and selling goods & services to directly generate revenue, but also those transactions that support revenue generation, such as generating demand for those goods & services, offering sales support & customer service, or facilitating business partnerships. There are different definitions of E-Commerce:

• From a communication perspective, electronic commerce is the delivery of information, products, services, or payments via telephone lines, networks or any other means.
• From a business process perspective, electronic commerce is the application of technology towards the automation of business transactions and workflows.
• From a service perspective, electronic commerce is a tool that addresses the desire of firms, consumers, and management to cut service costs while improving the quality of goods and increasing the speed of service delivery.
• From an online perspective, electronic commerce provides the capability of buying and selling products and information on the Internet and other online services.

Electronic Commerce endeavours to improve the execution of business transactions over various networks. These improvements may result in more effective performance (better quality, greater customer satisfaction and better corporate decision making), greater economic efficiency (lower costs), and more rapid exchange (high speed, accelerated, or real time interaction).

Electronic Commerce enables the execution of information-laden transactions between two or more parties using interconnected networks. These networks can be a combination of POTS (plain old telephone systems), cable TV, leased lines, and wireless.

Electronic Commerce can be viewed as a production process that converts digital inputs into value-added outputs through a set of intermediaries. For example, in the case of online trading, production processes can add value by including more value-added processing (such as trend analysis) on the raw information (stock quotes) supplied to customers.

5.2 BASICS OF COMMERCE

5.2.1 Commerce

Commerce is the negotiated exchange of products of value between two parties and includes all activities that each of the parties undertakes to complete the transaction.

Elements of traditional commerce: Buyer's side
• Customer identifies a specific need that he requires to satisfy through a product or service
• He searches for the products
• Selects a vendor after a thorough vendor analysis
• Negotiates a purchase including delivery logistics, inspection, testing and acceptance
• Makes payment
• Receives product
• Uses product
• Provides feedback if dissatisfied or specifically asked for by the seller
• Performs regular maintenance and makes warranty claims
• Repurchases, if required

Elements of traditional commerce: Seller's side
• Conduct market research to identify customer needs
• Create product or service that will meet customer's needs
• Advertise and promote the product or service
• Negotiate a sale transaction including delivery logistics, inspection, testing and acceptance
• Ship goods and invoice customer
• Receive and process customer payments
• Provide after-sales support, maintenance and warranty services

5.2.2 Process involved in Sales Cycle

The diagram below traces a traditional purchase process in an organization (automobile sector), which was predominantly paper and telephone based. A machine failure is detected at a unit, and the management decides to replace the machine immediately. The following picture explains how a traditional process takes place in a sales cycle.

• Unit Manager fills in a requisition form, which describes particulars about the item to be purchased, and forwards it to the Purchase department.
• Purchase department then selects a vendor based on the negotiation of price and terms of delivery.
• After finalizing the vendor, a purchase order is released to the vendor and a copy is sent to the accounts department for payments.
• The purchase order is sent to the vendor through a mail or courier service.
• Vendor receives the mail/courier and then forwards the order to its sales department.
• Vendor's sales department then forwards the order to the manufacturing unit. A work order is issued to the manufacturing unit and a copy of the work order is sent to the accounts department.
• On completion of the production, the manufacturing unit notifies the accounts department and sends the machine to the dispatch section.


• The Dispatch department then prepares a bill of lading using the invoice and sends it with the machine to the buyer.
• Buyer's receiving department checks the machine against the bill of lading and the purchase order released.
• Receiving department then sends a completed receiving report to the accounts department.
• Accounts department makes sure that the work is completed and checks the related papers.
• Receiving department then forwards the machine to the unit.

5.3 WEB COMMERCE

Background of E-Commerce

5.3.1 Electronic Data Interchange

All companies and administrative bodies with large information systems came to a point where typing/printing of all the information arriving at or leaving their domain is no longer feasible. Everyone who works in a business organization where hundreds or thousands of standard forms (e.g. invoices) are received and responded to knows how difficult it is to manage this task. These forms have to be entered into the computer for processing, and a response has to be generated and posted to the concerned parties. The whole process is time-consuming, prone to human errors during data entry, and expensive to operate.

The solution to the above problem comes in the form of Electronic Data Interchange (EDI). As is obvious from the name, EDI refers to the electronic interchange of data between computer systems. More precisely, EDI is defined as "The transfer of structured data for processing from computer to computer using agreed formats and protocols."

Fig. 5.2.1: Showing Process Involved In Sales Cycle


The two key aspects of EDI that distinguish it from other forms of electronic communication, such as electronic mail, are:

• The information transmitted is directly used by the recipient computer without the need for human intervention.
• It is rarely mentioned but often assumed that EDI refers to interchanges between businesses. It involves two or more organizations, or parts of an organization, communicating business information with each other in a common agreed format.

Illustration of EDI: EDI can be illustrated by the example of a manufacturing organization which maintains suitable communication links through some networking facility with its parts suppliers. The manufacturing unit's computerized inventory management system keeps track of the quantity of each spare part in its inventory. The inventory management system detects whenever the quantity of certain items falls below a certain level. Prior to EDI, the system printed purchase orders, which were mailed to the suppliers, and there were delays in dispatching these mailed orders.

With EDI, the inventory management system now electronically generates the purchase order for each supplier in a predetermined format. The format of this electronically generated purchase order is agreed upon between the manufacturer and its suppliers. These orders are then transmitted to each supplier's computer system using an intermediate network.

The supplier's computerized order processing system, programmed to handle EDI messages, automatically acknowledges the purchase order and generates the necessary production orders to its shop floor for producing the ordered items. Note that EDI requires no human intervention in acknowledging purchase orders.

5.3.2 Electronic Fund Transfer (EFT)

An Electronic Fund Transfer (EFT) system involves the electronic movement of funds and fund information between financial institutions. The transfers are based on EDI technology and involve a minimum amount of data interchange between the two parties. There are two major worldwide EFT networks: the Clearing House Interbank Payments System (CHIPS) and FedWire (the oldest EFT in the US). In 1993, these networks moved an estimated US $ 1.5 billion each banking day. A third major network, the Society for World-wide Interbank Financial Telecommunication (SWIFT), is capable of handling nearly 1 million messages per day.

EDI has been widely adopted by financial institutions and service sectors in the Western World. Insurance brokers can send EDI messages to the computers of various insurance companies and get details on specific policies. Even though EDI can be useful for almost any sector, banks have been the primary users of EDI services till now.

5.3.3 Value-Added Networks

A VAN is a communications network that typically exchanges EDI messages among trading partners. It also provides other services, including holding messages in "electronic mailboxes," interfacing with other VANs, and supporting many telecommunications modes and transfer protocols.

A VAN's "electronic mailbox" is a software feature into which a user deposits EDI transactions and then retrieves those messages when convenient.

Businesses can exchange data either by connecting to each other directly or by hooking into a VAN. Traditionally, by acting as middlemen between companies, VANs have allowed companies to automatically and securely exchange purchase orders, invoices, and payments. When a company sends an EDI transaction, it arrives at a message storehouse on the VAN to await pickup by the destination company. In this way VANs can safeguard the transaction network.

The disadvantages of EDI-enabling VANs are that they are slow and high priced, charging by the number of characters transmitted. With connect time and mailbox charges factored in, companies incur charges of many thousands of dollars.

Whether a company really needs a VAN is a question of simple logistics. For example, a business that wants to use EDI with some fifty trading partners has several communications choices:

• The company can buy a multi-port modem capable of handling fifty incoming phone lines, install fifty phone lines, add communications ports for its computer system, and allow each trading partner to communicate directly at his convenience.
• The company can use a single modem with a phone line and arrange a tight schedule for each of its trading partners, for example, 12:00 A.M. for trading partner B, 12:11 A.M. for trading partner C, and so on. The problems with this alternative become obvious when a trading partner misses its turn or has too many EDI messages to fit into a ten-minute slot.
• The company can establish an electronic mailbox on a VAN and require each trading partner to use the VAN for sending and retrieving EDI messages.

This last alternative works well because most VANs maintain a large number of access points (known as ports, lines, nodes) for their clients. Thus a large number of trading partners can access the VAN at their convenience without encountering blockage from other trading partners and at relatively low cost.

Many businesses find that the decision to use a VAN is made for them by their trading partners. An organization selecting a VAN should consider the VAN's reputation and experience, level of technical support and service capacity, and ability to cope with network outages. Other factors include whether the VAN operates its own communications network or leases capacity from a network provider, what the means of connectivity to the VAN are, and what the costs are.

[Figure 5.3.1 (image not reproduced): functions of a third-party Value-Added Network (VAN). The diagram shows documents flowing from the sending company into the VAN, which transports them, translates incoming documents, performs compliance checking, routes each document to the recipient's mailbox ID, and performs format translation (X.12 ⇒ EDIFACT), before delivery to the trading partners shown, a financial institution and a manufacturing company.]

Fig. 5.3.1: Showing Functions of A Third Party


5.3.4 Internet: Evolution of the Internet

The Internet is a network of networks that connects computers all over the world. The Internet has its roots in the U.S. military, which funded a network in 1969, called the ARPANET, to connect the computers at some of the colleges and universities where military research took place.

By the late 1980s, the Internet had shed its military and research heritage and the general public were able to use it. Internet Service Providers (ISPs) began offering dial-up Internet accounts for a monthly fee, giving users access to e-mail, discussion groups and file transfer.

In 1989 the World Wide Web (an Internet-based system of inter-linked pages of information) was born, and in the early 1990s the combination of e-mail, the Web, and online chat propelled the Internet into national and international prominence.

5.3.5 Transaction: The E-commerce Model

The e-commerce model provides a framework for businesses requiring a different operational model, because selling online is generally an expansion of their business, as opposed to its sole focus. The primary motive is to increase sales and profitability by using the Internet as a new channel to sell products or services and improve customer access, service delivery and intimacy. This model is also used by those businesses that are knowledgeable and comfortable with the technology and are more aware of the potential impact the web can have on the relationship they build with customers.

                             E-Commerce
Value proposition            Buyer facing
Organization/culture         Customer focused
e-business IT focus/scope    Secure financial transactions
                             Integration to legacy
                             Always open service level
Theme of process work        Buying and selling
                             Fulfillment

5.4 E-MARKET PLACE

A market brings together buyers and sellers to facilitate a mutually satisfying transaction. Online markets that satisfy all of the following points qualify as e-markets.

• Critical mass of buyers and sellers – Bring a satisfying number of buyers and sellers to use the medium for transactions.
• Interactivity – Opportunity for independent evaluations; customer endorsements based on dialogue, discussion, purchase and endorsement.
• Negotiation and Bargaining – To bring mutual satisfaction in terms of price, terms and conditions, delivery and evaluation criteria.
• New products & services – Expectation for a proposed offering to meet a current need.
• Seamless interface – Information flows seamlessly from one source to another in a secured way.
• Damage control – Customer support to the extent of resolving disputes.

5.5 ADVERTISING AND ONLINE MARKETING

If you would like to sell something to a customer, at the very core of the matter is the something itself. You must have a product or service to offer. The product can be anything from ball bearings to back rubs. You may get your products directly from a producer, or you might go through a distributor to get them, or you may produce the products yourself.

Once we have a product to sell, advertising is key for any product to be successful in the market. In a typical e-market place, online marketing is the process of reaching the target segment through paperless communication. This can be done by
• Banner Ads and Banner Advertisement Exchange Sites
• Newsletters
• Hyperlinks and Logos
• Chain letters
• Search listing

Advertising and Online marketing can be classified as:

5.5.1 Active/Push Based Advertising

Incentive Marketing: Visitors are paid for viewing content; they collect points and encash them in the form of discounts. Smartbahu.com gives women-related content, and visiting the site gives the viewer points to encash while making purchases (diamonds). This is also called Push based advertising.
• Activity done from the company's side
• Broadcasts or spamming
• 2 models – Broadcast and Junk mail

Broadcast
• Reaches a great number of people in a short period of time
• Copies the traditional model
• Utilizes direct mail, spot television, cable television
• Intrusive and resource intensive
• Requires active participation from the viewer's end
• Completely online – broadcasts in USENET news groups

Junk Mail
• Targeted mailing lists to a specialized audience – low waste in ad exposure
• However, has a lot of disadvantages – high cost per contact, need for an updated and relevant mailing list, scarce audience attention

5.5.2 Passive advertising

• Discourse oriented and content driven
• Promotes interactivity between potential customers and company
• Feedback loop back into the organization

Passive advertising can be classified into 4 models, namely billboards, catalogs or yellow page directories, customer endorsements and portal based advertising.

Billboard
• Information is placed where it will attract the attention of customers in the course of their search and involves no active search
• Requires cooperation from ad partners who could link with the company's content
• Complete coverage of the market with high levels of viewing frequency


• Disadvantage is reduced viewing time

Catalog
• Least intrusive, however needs active search on the part of the customer
• Disadvantages include lack of timeliness (not updated often), no creativity and potential clutter.

Customer Endorsements
• Customers share their product or service experiences on the Internet
• Always offered in public in an interactive medium
• Positive debates improve sales and loyalty
• Negative debates give healthy feedback for product or service improvements.

Portal Based
• Free Model: High volume sites such as free greeting cards offer free services, which create high volume. Eg: Advertisers offer a Revlon product with every card sent from bluemountain.com.
• Personalized portal: To create user loyalty, portals allow customization of their sites by users. Eg: (My Netscape, My Yahoo)
• Specialized portal: A vertical portal where advertisers pay a premium to reach a 'Target' audience. Eg: indiaparenting.com

5.5.3 Role of Intermediaries

Intermediaries are authors of marketing material (ad agencies) and distribution channels such as print media and online media. Online media takes the form of corporate websites, affiliates and e-stores.

Roles of ad agencies

• Concept
• Content
• Creativity
• Appeal
• Configuration

Roles of Distribution channels
• Lead generation
• Presentation
• Selling

5.6 PURCHASE ONLINE

A typical online purchase process will include:

• Product to sell over the Web
• Marketing process to invite customers to the E-Market
• Website for
    – Displaying the product and its information
    – Accepting orders using online registration forms
    – Facilitating the cash transaction using cash transaction tools
    – Confirming orders
    – Accepting returns
    – Personalization & online support
• Infrastructure
    – Connectivity
    – Security
    – Storing data for further processing
• Internetworking with
    – Warehouse and logistics
    – Third party payment processors and financial institutions

5.6.1 Consumer perspective

Business models that are necessarily consumer focused are classified under the 4 given verticals.

• Entertainment
• Financial Services & Information – Home banking & other financial services
• Essential services – Home shopping, telemedicine, electronic catalogues
• Education & Training – Interactive education, videoconferencing, on time databases
• Value Chain Service Provider – Special services like payment of telephone bills on the net, not offered by competitors, used to lure customers

5.6.2 Merchant’s perspective

Business models that are necessarily seller focused are classified under the given verticals:

Merchant Model

This could take any of the following forms:

• As against the traditional "brick and mortar" model, this offers services or goods only on the web (e-tailers). In this case, the goods or services may be limited and very specialized (e-toys, amazon). They seem to fare better than companies which have integrated from the traditional model or made use of the web too, along with existing channels.
• Brick and mortar with web stores, now known as brick and click. The best of both worlds is obtained here.
• Selling only digital products like software, music and net books.

Manufacturers Model

Manufacturers reach customers directly, overriding the distribution channel.

• Eliminates middle men, offers better service
• Existing wholesalers become redundant

Collaborative Platforms

In order to provide better consulting services, enterprises collaborate on certain functions only, especially in the area of design. A virtual team of engineers provides project support. Care is taken to make arrangements so that the team can be dismantled easily if circumstances require.


5.6.3 Common Perspective

Affiliate Model

• Purchase opportunities are offered to surfers from whichever site they are on, with financial incentives.
• Banner exchange and revenue sharing.

Community Model

• As against high traffic, this model banks on loyal customers. Users are also normally willing to pay a subscription fee, if necessary. The site is sustained by voluntary contribution.

Subscription Model

• In the case of knowledge sites, an expert is ready to give his advice over the net for a fee. (cyberlawindia.com)

Brokerage Model

• A broker brings buyers and sellers together and charges a fee for the transaction based on the quantum (value) or any other valid criteria.

Form of Model               Salient Features
Buy/Sell                    Online share trading
Market Exchange             Mostly in B2B markets, mostly based on value
Business Trading Community  In B2B markets, containing all details of a particular industry in the form of a guide along with demand/supply details.
Buyer Aggregator            Brings together individuals to take advantage of volume discounts. Sellers pay a fee based on transaction value.
Distributor                 Brings manufacturers and retail buyers together. The buyers get information and discount. The distributor sells by reduction of cost.
Virtual mall: E-mall        Normally a supermarket combined with a general portal, like fabmart.com
Auctions                    Could be a broker for seller or buyer who collects a fee on fulfillment of the bid. (bazee.com for used equipment)
Classifieds                 List of requirements, as in a newspaper. Charges irrespective of whether a transaction occurs.
Metamediary                 Like a virtual mall, but provides further services like quality assurance. Set-up fee and transaction fee are the sources of revenue.
Search Agent                To search the best price for goods/services, a software agent is used.

INFOMEDIARY MODEL

The site normally offers free service to the viewers (dialpad.com) in exchange for information collected from them.
• Recommender System: A site normally allows users to exchange information about the quality of products/services (Deja.com, planet customer.com)


• Registration Model: Context-based sites allow free viewing but require browsers to register. This helps tracking of usage patterns, which could be converted into potential targets for advertising. (pathfinder.com)

Exercise Questions

1. What aspects differentiate E-Commerce from Traditional Commerce?
2. How have the transaction (arts) changed from the traditional to the electronic arena of commerce?
3. How are e-markets different from markets?
4. Which is the prevalent form of Advertising and why?
5. The mercantile models having a common perspective could extend more towards consumer perspective/merchant perspective. Comment.

5.7 ELECTRONIC PAYMENT SYSTEMS

In everyday life, you pay for goods and services in a number of different ways. If you're an individual consumer dealing with a merchant, you can pay by cash, check, credit card, or debit card. Businesses can often conduct transactions among themselves electronically, but they usually use private networks. Now, with the increasing commercialization of the Internet and the popularity of the Web, consumers and businesses are both looking for ways to conduct business over the Internet.

5.7.1 Transactions on the Internet

If your business is interested in allowing its customers to use electronic payment methods on the Internet, many of the procedures for handling payments are similar to those you use for a regular point-of-sale (POS) system in your store, or in a toll-free call centre. The main difference is that everything takes place over the Internet using the customer's personal computer and your web server.

Consumers use a Web browser to place an order and provide information about their form of payment, which might be a credit card, digital cash, or electronic check. Software on your server then has to settle the transaction by verifying the order (presumably from your online catalog) and getting authorization for the funds transfer from a bank or credit card acquirer. Usually this last step is done via a gateway that communicates with the bank using either the Internet or the bank's private network, much like a store's POS system.

Fig. 5.7.1: Showing Transactions on the Internet


Consumers are also just beginning to use new systems, such as electronic checking and digital cash, for making small, immediate electronic payments to information providers and others, in keeping with the interactive, real-time nature of the Internet today.

5.7.2 The Internet Payment Process

Don't overlook business-to-business transactions, either. It's true that many large businesses and banks have been conducting business electronically for the last few decades with electronic data interchange (EDI) and electronic funds transfer (EFT), but many of these systems do not have the flexibility required to compete in current markets. Businesses can also order goods from suppliers via online catalogs, which is becoming a popular method of making product information available on the Internet. Companies using ledger-based purchasing might then handle the orders via EDI over either a value added network (VAN) or the Internet. Others might use a corporate credit card over the Internet.

As long as implementation and maintenance costs for electronic systems are low, both small businesses and large corporations can take advantage of these systems. This is one of the advantages of the Internet, with its current flat rate pricing for access. Past business commerce systems using VANs have been prohibitively expensive, but using the Internet lowers the costs, allowing small businesses to profitably use electronic commerce for business transactions. Even if Internet service providers institute classes of fees for different types of traffic, and move away from flat rate fees, those costs are still likely to be lower than those found on VANs.

5.7.3 Requirements of Payment Systems

Traditional financial transactions offer a set of special characteristics that people have come to depend on, even if they don't think about them every day. For example, when you give your credit card number to a merchant, you expect confidentiality – that the number will only be disclosed to those who have a legitimate need to know it, such as the issuing bank. This situation also requires integrity – that neither the purchase amount nor the goods you bought will be altered inappropriately.

Both the buyer and the seller may require authentication, that is, assurance that the other party is really who they claim to be. When you buy goods or services in person, you implicitly authenticate the vendor based on the location of the business and the permanence of its facilities. If you're not paying by cash, the merchant usually asks to see your driver's license or similar photo ID, or just compares your signatures in order to authenticate you. It's more difficult to authenticate a party if you're not dealing face-to-face, over the phone for instance. In fact, many phone-based orders are conducted without any authentication at all.

Authorization allows the merchant to determine if the buyer actually has the funds to pay for the purchase. The merchant will probably want to verify that your bank account can cover the amount of your check, or get the amount of your credit card purchase approved by a credit card clearing house.

You may also want some kind of assurance that the merchant is competent and worthy of your trust. This might take the form of a business license; endorsements from other customers, newspapers, or magazines; or even surety bonds for more complex transactions.

There are also occasions when you want to ensure the privacy of a sale. For example, a business conducting research might purchase a market report, but probably wouldn't want its competitors to learn what was purchased.
Cash payments can offer privacy because they don’t create apaper trail tying the buyer to the product that was purchased-once a cash purchase is completed;the merchant has no record of the buyer’s identity to tie a buyer to a particular item. And thereceipt is the only proof that the buyer purchased something at the store by paying cash. (This

© The Institute of Chartered Accountants of India

Web Technology & System Security and Maintenance

INFORMATION TECHNOLOGY TRAINING436

alone does not prove that the holder of the receipt was the original buyer-how often have youreturned an item for someone else?).If you’re going to use electronic payment systems, then you ought to expect that the samerequirements be adhered to. There are technological answers for providing these principles online, but that alone doesn’t mean that they can be readily practiced. For example, you canelectronically authenticate yourself on the Internet by using a digital signature, by theinfrastructure for providing you electronic driver’s license, as were, and enabling all merchantsto verify it, isn’t yet in place. It’s almost as if a merchant couldn’t read your driver’s licensebecause it was issued in a foreign language.In cyberspace, it’s necessary to employ encryption to insure confidentiality, authentication, andprivacy. Which requirements are met by a particular payment system depends on what isencrypted and who’s allowed to decrypt it, as you’ll see in the following section. For example,encrypting all the information passed by a customer’s Web browser to the vendor’s Web serverwhen making a purchase maintains the confidentiality of the transaction, but neitherauthentication nor assurance is guaranteed if the vendor can decrypt all of the transactioninformation. On the other hand, if the vendor is only allowed to decrypt the order information,and must pass on the encrypted payment information (Checking account or credit card number)to a financial clearing house for authorization, then fraud is less likely to occur.In many cases, business-to-business commerce depends on prior negotiations and contracts.That’s been extended to the world of electronic commerce by EDI. But more flexible arrangementsare needed to accommodate the fast-paced world of today’s business, where trading partnershipscan be short-lived. 
The same is true for consumers: they may purchase an item online from a vendor with whom they’ve had no previous dealings.

As someone once remarked, “There are no handshakes in cyberspace.” To help guard against fraud, mechanisms are needed for authenticating a vendor or a buyer, as well as assuring the integrity of a vendor. In short, a buyer needs some evidence that he can trust the vendor. Such procedures include using digital signatures for electronic correspondence, and digital certificates to establish a company’s identity. These same procedures are also likely to see increased use over networks, such as EDI and bank networks, because they can support the flexible and transitory relationships that are more likely in today’s faster marketplace.

5.8 TYPES OF ELECTRONIC PAYMENTS

The methods that have been developed for making payments on the Internet are essentially electronic versions of the traditional payment systems we use every day: cash, checks, and credit cards. The fundamental difference between the electronic payment systems and traditional ones is that everything is digital, and is designed to be handled electronically from the get-go; there’s no crinkle of dollar bills, no clink of coins in your pocket, no signing a check with a pen. In a manner of speaking, everything about the payment has been virtualized into strings of bits. This virtualization will make many of the electronic payment options appear similar to each other; often the differences are due more to the companies and consortia developing the software than to the logic involved.

While many of the payment systems currently implemented use personal computers, one day you’ll be able to use a personal digital assistant (PDA) for handling payments. Trials are already underway with smart cards for making transactions over the net possible.

5.8.1 Credit Cards

In a credit card transaction, the consumer presents preliminary proof of his ability to pay by presenting his credit card number to the merchant. The merchant can verify this with the bank, and create a purchase slip for the consumer to endorse. The merchant then uses this purchase slip to collect funds from the bank, and, on the next billing cycle, the consumer receives a statement from the bank with a record of the transaction.

Using a credit card to make a purchase over the Internet follows the same scenario. But on the Internet added steps must be taken to provide for secure transactions and authentication of both buyer and seller. This has led to a variety of systems for using credit cards over the Internet. Two of the features distinguishing these systems are the level of security they provide for transactions, and the software required on both the customer and business sides of the transaction.

Figure: Handling credit card and order data with HTML forms and a CGI script (non-secure, and secured with SSL)

Credit cards can be handled online in two different ways:

(a) Sending unencrypted credit card numbers over the Internet

(b) Encrypting credit card details before any transactions are transmitted.

Encrypting credit card transactions can also be subdivided according to what is encrypted. If the entire transmission between buyer and merchant is encrypted, the merchant has to decrypt at least the order details to complete a purchase. Then, to further assure the customer that only authorized parties see his credit card information and to protect against merchant fraud, a trusted third party can be used to separately decrypt the credit card information for authorization of the purchase.

Fig. 5.8.1: Showing Electronic Payment


Fig. 5.8.2: Handling credit card and order data with a wallet as helper application and a third party for credit card processing

A customer browsing the Web might enter a credit card number in an order form, and click a submit button to transmit the information to the merchant’s web server. The data would be raw, and there are no security guarantees for this type of transaction: someone could be monitoring network traffic and could intercept the transmission, or an unscrupulous merchant (or someone posing as a merchant) could use the unencrypted number for illegal charges.

On the business end, processing the incoming credit card information only requires a Web server with a CGI script to process the form filled out by the customer. But if you want to secure the communication between buyer and seller against snooping, a good choice is a Web browser-server combination that supports the Secure Sockets Layer (SSL) protocol.

The use of servers and browsers that support the SSL protocol only protects data against network monitors and spies. It does not guarantee that the data is protected from spying eyes on the merchant’s end. To protect against merchant fraud (using a credit card for other unauthorized purchases, for example), use systems from either CyberCash, Verifone, or First Virtual. CyberCash and Verifone both use a helper application called a wallet for the Web browser, and pass the encrypted credit card number through the merchant to its own processor/server for authentication and approval of the sale. First Virtual issues a Virtual PIN to the customer who then uses it in place of the credit card number. After receiving the sales information from the merchant, First Virtual converts the Virtual PIN to the credit card account number to clear the purchase.

Here’s a case where the electronic versions of a traditional payment system offer an added advantage: using encrypted credit card information with a trusted third party, such as CyberCash or First Virtual, instead of allowing the merchant to handle credit card processing, offers more protection against merchant fraud than is commonly seen in the everyday world.



5.8.2 Transaction Using Third Party Verification

The market for handling credit card purchases on the Internet has yet to converge on a single way of doing things, or a single standard that allows the software from different vendors to work together. This lack of interoperability will likely slow down both consumer and business acceptance of using credit cards for making purchases on the Internet.

There are, however, two significant standards in the works that will make the interoperability of electronic wallet and credit card transactions simpler, both for consumers and businesses.

5.8.3 Secured Electronic Transaction (SET)

First, there’s the Secured Electronic Transaction protocol (SET) developed by a consortium led by MasterCard and Visa. SET is actually a combination of a protocol designed for use by other applications (such as Web browsers) and a standard (recommended procedures) for handling credit card transactions over the Internet. Designed for cardholders, merchants, banks, and other card processors, SET uses digital certificates to ensure the identities of all parties involved in a purchase. SET also encrypts credit card and purchase information before transmission on the Internet.

5.8.4 Joint Electronic Transaction

The second standard is the Joint Electronic Payments Initiative, led by the World Wide Web Consortium and CommerceNet. JEPI, as it’s known, is an attempt to standardize payment negotiations. On the buyer’s side (the client side), it serves as an interface that enables a Web browser, and wallets, to use a variety of payment protocols. On the merchant’s side (the server side), it acts between the network and transport layers to pass off the incoming transactions to the proper transport protocol (e-mail vs. HTTP, for instance) and proper payment protocol (such as SET). Because it’s likely that multiple protocols will be around for payment, transport, and wallets, JEPI makes it easier for the buyer to use a single application, and single interface, in a variety of commercial situations. It also makes it easier for the merchant to support the variety of payment systems that customers will want to use.

5.8.5 Electronic Cheques

Credit card payments will undoubtedly be popular for commerce on the Internet. However, the following two systems have been developed to let consumers use electronic cheques to pay Web merchants directly.

(a) By the Financial Services Technology Corporation (FSTC)

(b) By CyberCash

An electronic cheque has all the same features as a paper cheque. It functions as a message to the sender’s bank to transfer funds, and, like a paper cheque, the message is given initially to the receiver who, in turn, endorses the cheque and presents it to the bank to obtain funds. The electronic cheque can prove to be superior to the paper cheque in one significant aspect. As sender, you can protect yourself against fraud by encoding your account number with the bank’s public key, thereby not revealing your account number to the merchant. As with the SET protocol, digital certificates can be used to authenticate the payer, the payer’s bank, and bank account.

CyberCash’s system for electronic checking is an extension of their wallet for credit cards, and it can be used in the same way to make payments with participating vendors. Unlike the CyberCash credit card system, though, CyberCash will not serve as an intermediate party for processing the cheque; that function will be handled directly by banks.

The FSTC is a consortium of banks and clearing houses that has designed an electronic cheque. Modeled on the traditional paper cheque, this new cheque is initiated electronically, and uses a digital signature for signing and endorsing.
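As an added example (not code from the textbook, nor from CyberCash, First Virtual, SET or the FSTC), the Go program below models the split-decryption pattern that both the trusted-third-party credit card schemes of 5.8.1 and the electronic cheque described above rely on: the buyer encrypts the card or account number to the clearing house (or bank) alone and digitally signs the order, the merchant can verify the signature but cannot read the number, and only the clearing house can open it and authorize. All keys, the account number and the limit table are constructed for the demo, and RSA-OAEP and RSA-PSS from Go’s standard library stand in for whatever cipher a real scheme would use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Order struct { // the part of a purchase the merchant is allowed to read in clear
	Item   string
	Amount int // price in cents
}

// Payment passes through the merchant to the clearing house; the merchant can verify it but cannot open SealedAccount.
type Payment struct {
	SealedAccount []byte // card or account number, RSA-OAEP encrypted to the clearing house's public key
	Signature     []byte // buyer's RSA-PSS signature over the order and the sealed number
}

// digest ties the clear order to the sealed number so neither can be altered or swapped in transit.
func digest(o Order, sealed []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%d|", o.Item, o.Amount)
	h.Write(sealed)
	return h.Sum(nil)
}

// BuyerSubmit is the wallet side: encrypt the number to the clearing house only, then sign order plus blob.
func BuyerSubmit(buyer *rsa.PrivateKey, clearingPub *rsa.PublicKey, o Order, account string) (Payment, error) {
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clearingPub, []byte(account), nil)
	if err != nil {
		return Payment{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, buyer, crypto.SHA256, digest(o, sealed), nil)
	if err != nil {
		return Payment{}, err
	}
	return Payment{SealedAccount: sealed, Signature: sig}, nil
}

// VerifyPurchase checks the buyer's signature; merchant and clearing house both run it before acting.
func VerifyPurchase(buyerPub *rsa.PublicKey, o Order, p Payment) error {
	return rsa.VerifyPSS(buyerPub, crypto.SHA256, digest(o, p.SealedAccount), p.Signature, nil)
}

// OpenAccount recovers the number; any key other than the clearing house's yields a decryption error.
func OpenAccount(priv *rsa.PrivateKey, p Payment) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.SealedAccount, nil)
	return string(plain), err
}

// Authorize models the clearing house; limits is a constructed stand-in for the issuer's account records.
func Authorize(clearing *rsa.PrivateKey, buyerPub *rsa.PublicKey, o Order, p Payment, limits map[string]int) error {
	if err := VerifyPurchase(buyerPub, o, p); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	account, err := OpenAccount(clearing, p)
	if err != nil {
		return fmt.Errorf("cannot open account number: %w", err)
	}
	if limit, ok := limits[account]; !ok || o.Amount > limit {
		return errors.New("declined: unknown account or amount over limit")
	}
	return nil
}

// Outcome collects one constructed run; a non-nil error field means the abuse was blocked.
type Outcome struct {
	Approved      bool  // honest purchase authorized by the clearing house
	MerchantPeek  error // merchant tried to open the number with its own key
	TamperedOrder error // merchant doubled the amount before forwarding to the clearing house
}

// Scenario runs the three-party flow with freshly generated demo keys.
func Scenario() (Outcome, error) {
	var out Outcome
	var err error
	keys := make([]*rsa.PrivateKey, 3) // buyer, merchant, clearing house
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return out, err
		}
	}
	buyer, merchant, clearing := keys[0], keys[1], keys[2]
	const demoAccount = "4111111111111111" // constructed test number, not a real account
	order, limits := Order{Item: "market report", Amount: 4999}, map[string]int{demoAccount: 10000}
	p, err := BuyerSubmit(buyer, &clearing.PublicKey, order, demoAccount)
	if err != nil {
		return out, err
	}
	_, out.MerchantPeek = OpenAccount(merchant, p)
	out.Approved = Authorize(clearing, &buyer.PublicKey, order, p, limits) == nil
	inflated := Order{Item: order.Item, Amount: order.Amount * 2}
	out.TamperedOrder = Authorize(clearing, &buyer.PublicKey, inflated, p, limits)
	return out, nil
}
```

The inflated order fails because the buyer's signature covers the amount together with the sealed number, which is the integrity requirement of 5.7.3 in practice.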

To add to the flexibility of their payment system, the FSTC wants to offer users a choice of payment instruments that allow them to designate an electronic cheque as a certified cheque or an electronic charge card slip, for example. This means that the user can use a single mechanism, the electronic cheque, to complete payments that vary according to the payee’s requirements. For example, you could decide to pay your utility bills by standard electronic cheque, but you could designate that one of the electronic cheques be delivered as a certified cheque in order to make a down payment on a new house. The instructions accompanying your electronic cheque would be processed by the electronic payment handler (EPH) software installed at your bank, and distributed by the appropriate payment network.

Fig. 5.8.3: Extending electronic checks to existing payment systems


Electronic cheques can be delivered either by direct transmission over a network, or by electronic mail. In either case, existing banking channels can clear payments over their networks. This leads to a convenient integration of the existing banking infrastructure and the Internet. Because FSTC’s plans for electronic checking include money transfers and transactions involving the National Automated Clearing House Association for transferring funds between banks, businesses could use the FSTC scheme to pay invoices from other businesses.

5.8.6 Smart Cards

Smart cards have an embedded microchip instead of a magnetic strip. The chip contains all the information a magnetic strip contains but offers the possibility of manipulating the data and executing applications on the card.

Three types of smart cards have established themselves.

• Contact Cards – Smart cards that need to be inserted into a reader in order to work, such as a smart card reader or an automatic teller machine.

• Contactless Cards – Contactless smart cards don’t need to be inserted into a reader. Just waving them near a reader is sufficient for the card to exchange data. This type of card is used for opening doors.

• Combi Cards – Combi cards contain both technologies and allow a wider range of applications.

5.8.7 Electronic Purses

An electronic purse is yet another way to make payments over the net. It is very similar to a prepaid card. For example, a bank issues stored value cards to its customers; the customers can then transfer value from their accounts to the cards at an ATM, a personal computer, or a specially equipped telephone. The electronic purse card can be used as an ATM card as well as a credit card.

While making purchases, customers pass their cards through a vendor’s point of sale terminal. No credit check or signature is needed. Validation is done through a Personal Identification Number (PIN).

Once the transaction is complete, funds are deducted directly from the cards and transferred to the vendor’s terminal. Merchants can transfer the value of accumulated transactions to their bank accounts by telephone as frequently as they choose. When the value on a card is spent, consumers can load additional funds from their accounts to the card.

EXERCISE QUESTIONS

1. How simply could money be handled over the net?

2. How is payment different from transaction?

3. What is the procedure of issuing digital cash?

4. Is it possible to mask the identity of the transacting party in an e-commerce transaction/payment?

5. How are smart cards different from credit cards?

5.9 INFRASTRUCTURE OF E-COMMERCE

To understand the market structure that is developing around e-commerce, a simple framework has been developed. Each aspect of the electronic commerce infrastructure is explained in detail, beginning with the most broadly based term:

The information superhighway infrastructure: The information superhighway has many different types of transport systems and does not function as a monolithic entity. The players in the industry segment can be called information transport providers. They include: telecommunication companies that provide phone lines; cable TV systems that provide coaxial cables and direct broadcast satellite (DBS) networks; wireless companies that provide mobile radio and satellite networks; and computer networks. This industry segment also includes hardware and software tools that provide an interface with the various network options, and to the customer premises equipment (CPE) or terminal equipment.

5.9.1 Multimedia content and network publishing

The Information Superhighway is the transportation foundation that enables the transmission of content. The electronic system through which content is transmitted is similar to the way in which different types of products (content) are stored in distribution centres (network publishing servers) before they are loaded onto various vehicles for transport.

5.9.2 Messaging and Information Distribution

The information content transferred over the network consists of numbers, pictures, audio and video. However the network does not differentiate among content as everything is digital, i.e., combinations of ones and zeroes. Once content has been created and stored on a server, vehicles, or messaging and information distribution methods, carry that content across the network. The messaging vehicle is called middleware, software that sits between the web servers and the end-user applications and masks the peculiarities of the environment.

5.9.3 Common Business Services Infrastructure

This infrastructure includes the different methods for facilitating online buying and selling processes. In online commerce, the buyer sends an electronic payment (a form of electronic check or digital cash) as well as some remittance information to the seller. Settlement occurs when the payment and remittance information are authenticated by the seller and accepted as valid.

In order to enable online payment for information and ensure its safe delivery, the payment services infrastructure needs to develop encryption (making contents indecipherable except for the intended recipient) and authentication (making sure that customers are who they say they are) methods that ensure security of contents travelling on the network. Other desirable payment related services such as currency exchange, cash management, investment and brokerage, financial information and reporting, and billing and payment need to be incorporated.

Fig. 5.9.1: Framework For E-Commerce Market Place (layers, top to bottom: Electronic Commerce applications such as supply chain management, video on-demand, remote banking, procurement and purchasing, on-line marketing and advertising, and home shopping; the Common Business Service Infrastructure (security/authentication, electronic payment, directories/catalogs); the messaging and information distribution infrastructure; the multimedia content and network publishing infrastructure; and the Information Superhighway infrastructure (telecom, cable TV, wireless, Internet). Two pillars span all layers: public policy, legal and privacy issues; and technical standards for electronic documents, multimedia and network protocols.)

5.10 BASIC NETWORKING

What is a Network?

A network is basically a collection of computers that allows various users to communicate and share resources.

Why do we need Networks?

Networks were created to cut down costs by sharing resources. Any basic network has two components, a server and a client. A server is typically a computer of a higher configuration which distributes, or rather shares, various resources (printer, scanner, files) with its various clients. The clients are computers of lower configurations. Clients that rely totally on the server for their working are called Dumb Terminals/Nodes; clients that don’t require the server for their basic functioning are called Smart Terminals/Workstations and can operate on their own.

5.10.1 Identifying the Various Hardware Components

To set up a network of computers, each computer must have at least two components.

• Access device/Network Interface Card

• Cables to transmit the data

• Repeaters and Routers

The Access Device/Network Interface Card (NIC): The Network Interface Card is the basic component that will allow a computer to communicate over a network. The NIC’s main job is to take the broken-up data given by the software and send it across the network over cables.

The Cables: The cable is another integral part of the network since it is responsible for the actual transportation of data. There are various types of cables that can be used in setting up a network.

• Co-axial Cables

• Twisted Pair Cables

• Fiber Optic Cables

5.10.2 Identifying the Software Components

Software plays as vital a role in setting up a network as the hardware. The basic software components required are:

Multi-user Operating Systems: For general communication between computers, we require software that can support multiple users and also has the ability to establish communication between them. Operating systems specifically for networking are Windows NT, SCO UNIX, Linux and Sun Solaris. Operating systems that can support minimum networking requirements are Windows 95/98 and Windows 3.11 for Workgroups.

Device Drivers: Device drivers are lists of commands that can be used by the operating system to use a specific hardware device. Hence the device drivers for the Network Interface Card are required so that the operating system can use it with ease.

Protocol Suites: Protocols are the main software component of a network. A protocol basically provides certain rules and specifications for communication between computers and also provides unique identities to each computer in the network for identification purposes, so that any data sent to a particular computer doesn’t go to a different one. The most widely used protocol suites today are TCP/IP, IPX/SPX, AppleTalk and NetBEUI.


5.11 NETWORK INFRASTRUCTURE

5.11.1 TCP/IP

A set of rules has been established to take care of the communication happening between two computers connected to the Internet. These sets of rules contain a wide range of functions that are grouped into protocols. Such groups of protocols are called Internet Protocol Suites (IPs), or sometimes referred to as TCP/IP.

Four Layers of TCP/IP

• The link layer, or the data-link layer or network interface layer, includes the device driver in the operating system and the corresponding network interface card in the computer.

• The network layer (or internet layer) handles the movement of packets around the network.

• The transport layer provides a flow of data between two hosts, for the application layer above.

• The application layer handles the details of the particular application.

Application Layer (FTP, E-mail, Telnet)
Transport Layer (TCP, UDP)
Network Layer (IP, ICMP, IGMP)
Link Layer (Device driver and interface card)

5.11.2 OSI Reference Model

The Open System Interconnection (OSI) Reference Model was created to have certain standards for data communication, so that irrespective of the network two peers should be able to communicate with each other.

The OSI model divides a communication session into 7 distinct layers.

• Application layer (Layer 7)

• Presentation layer (Layer 6)

• Session layer (Layer 5)

• Transport layer (Layer 4)

• Network layer (Layer 3)

• Data Link layer (Layer 2)

• Physical layer (Layer 1)

At the sender’s peer the data is passed from the top-most layer to the bottom-most, and at the receiver’s end the data is passed from the bottom-most layer to the top-most.

Layer 1 - Physical Layer: The Physical layer is responsible for transmitting and receiving the frames of data, which are created and given to the physical layer by the Data Link layer.

Fig. 5.11.1: TCP/IP Layers


Layer 2 - Data Link Layer: The Data Link Layer has two basic responsibilities. One, on the transmitting side the Data Link Layer is responsible for breaking the data to be sent into smaller pieces called frames. Frames also contain information about the destination client so as to ensure that the data reaches its correct destination. Two, on the receiver’s side it is responsible for receiving the frames and sending back an acknowledgement ensuring secure transmission of the data, after checking the contents of the frame received.

Layer 3 - Network Layer: The Network Layer is responsible for establishing the connection path between the sending and the receiving peer. This layer cannot detect any transmission errors that might occur.

Layer 4 - Transport Layer: The Transport Layer is responsible for the integrity of the transmission and is capable of doing the same across LAN segments. The Transport Layer can detect packets/frames discarded by the routers and generate a retransmit request.

Layer 5 - Session Layer: The Session Layer basically manages the flow of communication, which can be uni-directional or bi-directional. This flow of communication is called a session.

Layer 6 - Presentation Layer: The Presentation Layer is responsible for the encoding of data. All systems do not follow the same encoding scheme, so it’s the Presentation Layer’s responsibility to translate the data between these encoding schemes. The Presentation Layer basically uses ASCII, pronounced ‘As-Sky’ (American Standard Code for Information Interchange), and EBCDIC (Extended Binary Coded Decimal Interchange Code).

Layer 7 - Application Layer: The Application Layer is the topmost layer in the OSI model. It is responsible for providing the interface between the applications and the computer’s network services.

5.11.3 Protocols

The following are the different types of protocol:

Internetwork Protocol: This protocol is used for routing and it is connectionless datagram (packet) oriented.

Routing Information Protocol: Used to keep routing tables updated in routers and hosts by periodic broadcasts from routers.

Address Resolution Protocol (ARP): Broadcasts on a subnet by hosts or routers seeking physical node addresses given IP addresses.

Internet Control Message Protocol: Messages for flow control, echo and flow redirection. “Ping” is a popular use of ICMP echo messages.

Transport Control Protocol: Provides connection oriented transport services host-to-host (end-to-end) across the internet. Sequencing, acknowledgement and flow control are some of these services. Supports FTP, SMTP and TELNET process services.

User Datagram Protocol: Provides connectionless transport services (no sequencing, acknowledgement or flow control) for those process protocols that do not require these services. Supports SNMP and NFS processes, for example.

File Transfer Protocol: Copies files from one host to another. The user must work through established accounts on both hosts.

Simple Mail Transfer Protocol (SMTP): Host to host electronic mail transfer. Connects locally established E-mail systems.

Simple Network Management Protocol (SNMP): This protocol specifies the management of network nodes that have agents running in them, managed from nodes acting as network managers. Data is kept in a Management Information Base (MIB) database.


Network File System (NFS): Logically attaches portions of file systems on a remote NFS server to the local file system. Specification licensed by Sun. Uses RPC and XDR.

Remote Procedure Calls: A redirector that filters calls by processes on one host to be executed on another. Local calls are passed to the local operating system; network calls are sent via TCP/IP to the remote system for execution.

External Data Representation: C language routines that allow machine-independent formatting of data, allowing sharing of information.

Transport Layer Interface: A library of functions that provide an interface to the transport layer of the OSI model; complies with the ISO Transport Service Definition. Considered an Application Programming Interface. It is not the transport provider but an interface.

An Application Programming Interface (API): An API provides network I/O (open, read, write, close) to remote file systems. Typically runs over TCP and IP.

5.12 OTHER NETWORKS

Intranet: An intranet is a network (private network) implemented inside the enterprise to facilitate communication between employees and the departments. An intranet can also be used to facilitate working in groups and for teleconferences.

Extranet: These are also networks similar to intranets, but the main objective behind implementing an extranet is to share operational and other valuable enterprise information with suppliers, vendors, clients and other businesses. An extranet needs to be more secure; firewalls, VPNs, and encryption are used to secure the system.

EXERCISE

1. What are the basic components of a URL?

2. Where are the networking protocols implemented on a network?

3. Do the protocols for a LAN differ from that of a WAN (Internet)?

4. What are the ways by which an Extranet could be implemented?

5. Does TCP/IP supplant OSI?
