Electronic Commerce: On-Line Ordering and Digital Money

by Peter Loshin, Paul Murphy

Paperback (2nd edition, book and CD)

Product Details

ISBN-13: 9781886801677
Publisher: Cengage Delmar Learning
Publication date: 04/28/1996
Edition description: 2nd edition, book and CD
Pages: 300
Product dimensions: 7.37(w) x 9.20(h) x 0.91(d)

Chapter 3: Electronic Payment Methods

"A New Way to Pay Old Debts" - Philip Massinger (play title, 1632)

Updating Traditional Transactions

The typical modern consumer uses a handful of different methods to pay for goods and services on a regular basis:

  • Cash
  • Credit
  • Personal check

This list is far from complete, leaving out choices like debit cards, money orders and bank checks, traveler's checks, barter systems, tokens, and other instruments used by consumers - organizations have their own instruments available, including purchase orders, lines of credit, and others. However, most consumer transactions can be handled by cash, credit cards, or personal checks.

Internet-based electronic commerce methods also focus on secure transmission of credit card information, electronic checking and digital currencies.

NOTE: Credit cards like MasterCard, Visa, and Discover allow consumers to buy on credit; charge cards like the American Express card do not extend credit. Debit cards are tied to checking accounts, and the amounts charged are debited immediately from the account. However, for the purposes of electronic transactions they are used similarly, and for the purposes of this book the term "credit card" should be taken to cover all credit-card-like plastic payment tokens (unless otherwise specified).

Adapting Existing Methods

Credit cards are the easiest method of the three to adapt to online transactions, in part because people are already accustomed to using them remotely, whether for telephone transactions or for mail orders. A credit card transaction simply requires that the consumer provide a valid card number and expiration date (and often a billing address) when placing an order, and that information can be, and often has been, provided through standard Internet applications like e-mail. This exposes the card number to eavesdroppers anywhere along the message's route who watch for the digit sequences characteristic of credit cards. Although I have not heard of any actual instance of an eavesdropper stealing credit information in this way, it is definitely possible. Securing Internet credit card transactions against this threat can be as simple as encrypting the order while it is in transit (as described in Chapter 2).
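The exposure described above can be made concrete. The following Go program is an added example, not code from the book: it scans a constructed plain-text order e-mail for digit runs of card-number length and keeps only those that pass the Luhn check that payment card numbers satisfy. The same logic serves an eavesdropper sifting captured traffic and a merchant's outbound-mail filter looking for numbers that should never have been sent in the clear. The message text is constructed, and the card numbers in it are public test numbers, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleMail is a constructed order placed by plain e-mail, the situation the
// chapter describes. The card numbers are public test numbers, not real accounts.
const sampleMail = `From: buyer@example.net
To: orders@shop.example
Subject: order #1042

Please ship two copies of the CD. Bill my Visa 4111 1111 1111 1111, exp 12/99.
My phone is 555-0123-4567, and my old card was 4111-1111-1111-1112 (cancelled).
`

// candidate matches runs of 13 to 19 digits that may be broken up by single
// spaces or hyphens, the way people type card numbers.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Luhn reports whether a digit string passes the Luhn check digit test used by
// payment card numbers. Anything that is not all digits fails.
func Luhn(digits string) bool {
	if len(digits) < 2 {
		return false
	}
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindCardNumbers returns, with formatting stripped, every digit run in text
// that has card-number length and a valid Luhn check digit. Phone numbers and
// mistyped card numbers are dropped.
func FindCardNumbers(text string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range candidate.FindAllString(text, -1) {
		digits := strip.Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && Luhn(digits) {
			found = append(found, digits)
		}
	}
	return found
}

func main() {
	for _, pan := range FindCardNumbers(sampleMail) {
		// Print only enough to identify the card, never the full number.
		fmt.Printf("card number in transit: %s...%s\n", pan[:6], pan[len(pan)-4:])
	}
}
```

Run on the constructed message, the scanner reports the valid Visa number and ignores both the phone number (too short) and the mistyped number, whose last digit fails the Luhn check. A filter built this way has false positives on other Luhn-valid identifiers, so in practice it is a trigger for review rather than proof of a card number.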

Adapting cash for use over an open network is considerably harder, in part because most people associate cash with the physical exchange of currency. The attraction is that digital cash, like physical cash, makes it possible to spend anonymously.

There are other problems to solve in the process of digitizing cash, where actual currency is replaced by digital "coins" represented as chunks of data. These will be discussed in greater detail in Chapter 8, but one of the most prominent schemes uses public key encryption together with digital signatures, deployed within a framework managed by a single issuing bank at the center of the scheme.

Checking across a network is conceptually simpler to grasp, in part because the check itself is simply a document with very specific information (bank, account number, payee, and dollar amount) which has been signed by the account holder. Turning a hard-copy check into an electronic check requires that the electronic check be transmitted securely and signed digitally; the digital signature both identifies the account holder and binds the bank, account, payee, and amount together, so that none of them can be altered after signing without invalidating the signature. In some ways the process is similar to digitizing cash, but is simpler because there is no need to even consider the anonymity of the person "writing" the check.
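As an added illustration (not the book's own code, and not any particular commercial e-check scheme), the Go program below builds a check from the fields listed above, has the account holder sign it with an Ed25519 key, and has the payee's bank verify the signature before honouring it. A serial number on the check and a record of serials already paid are assumptions added here so that a valid check cannot be deposited twice; the bank name, account, and amounts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Check carries the fields the chapter lists for a paper check, plus a serial
// number (an addition here) so the same check cannot be presented twice.
type Check struct {
	BankName string
	Account  string
	Payee    string
	Cents    int64  // amount in cents; never floating point for money
	Serial   uint64 // unique per account, like a check number
}

// Canonical returns the exact bytes that are signed. Fields are joined with a
// separator they may not contain, so two different checks never serialize to
// the same bytes.
func (c Check) Canonical() ([]byte, error) {
	for _, f := range []string{c.BankName, c.Account, c.Payee} {
		if strings.ContainsRune(f, '\n') {
			return nil, fmt.Errorf("field contains newline: %q", f)
		}
	}
	return []byte(fmt.Sprintf("echeck-v1\n%s\n%s\n%s\n%d\n%d\n",
		c.BankName, c.Account, c.Payee, c.Cents, c.Serial)), nil
}

// NewHolderKey generates the account holder's signing key pair; the bank would
// register the public half when the account is opened.
func NewHolderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces the account holder's signature over the canonical check.
func Sign(c Check, holder ed25519.PrivateKey) ([]byte, error) {
	msg, err := c.Canonical()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(holder, msg), nil
}

// Verify rejects a check whose signature does not match the holder's public
// key or whose fields were altered after signing.
func Verify(c Check, sig []byte, holder ed25519.PublicKey) bool {
	msg, err := c.Canonical()
	if err != nil {
		return false
	}
	return ed25519.Verify(holder, msg, sig)
}

// Bank holds the registered signing key for each account and the serials it
// has already paid, so a genuine check replayed by the payee is refused.
type Bank struct {
	holders map[string]ed25519.PublicKey
	spent   map[string]map[uint64]bool
}

func NewBank() *Bank {
	return &Bank{holders: map[string]ed25519.PublicKey{}, spent: map[string]map[uint64]bool{}}
}

func (b *Bank) Register(account string, pub ed25519.PublicKey) { b.holders[account] = pub }

// Deposit returns nil if the check clears, otherwise the reason it is refused.
func (b *Bank) Deposit(c Check, sig []byte) error {
	pub, ok := b.holders[c.Account]
	if !ok {
		return fmt.Errorf("unknown account %s", c.Account)
	}
	if !Verify(c, sig, pub) {
		return fmt.Errorf("bad signature on check %d", c.Serial)
	}
	if b.spent[c.Account] == nil {
		b.spent[c.Account] = map[uint64]bool{}
	}
	if b.spent[c.Account][c.Serial] {
		return fmt.Errorf("check %d already deposited", c.Serial)
	}
	b.spent[c.Account][c.Serial] = true
	return nil
}

func main() {
	pub, priv := NewHolderKey()
	bank := NewBank()
	bank.Register("12345678", pub) // constructed account
	chk := Check{BankName: "First Example Bank", Account: "12345678", Payee: "CD Shop", Cents: 3337, Serial: 1001}
	sig, _ := Sign(chk, priv)
	fmt.Println("first deposit:", bank.Deposit(chk, sig))
	fmt.Println("replayed:", bank.Deposit(chk, sig))
	altered := chk
	altered.Cents = 333700 // payee tries to add two zeros
	fmt.Println("altered amount:", bank.Deposit(altered, sig))
}
```

The signature covers a fixed serialization rather than the struct as typed, which is what makes the amount tamper-evident; the serial check is what a paper check gets for free from being a single physical object.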

Building a Commercial Environment

It's one thing to engineer and implement a technique for making purchases electronically, and another to make it useable and accessible. So much commercial activity is centered on the World Wide Web because it seems to provide an easily accessible forum for merchants to display and distribute their products, and an easily accessible environment for consumers to shop and make purchases. Since the World Wide Web was not designed for commerce but for information publishing, making it safe for commerce requires adding on security features and protocols, to be described in Chapter 4. These techniques only make it possible to transmit information securely - they do not address transmission of payments, nor do they do anything to further the transaction once payment information has been received.

An online commerce environment must go beyond the simple transmission of payment information, but it must start there, usually with an Internet server capable of transmitting data securely. Although the payment information is usually the only portion of the transaction that must actually be transmitted securely, some systems offer methods of guaranteeing information such as shipping instructions, offering prices, and other order information through digital signatures. Security goes beyond encryption of ordering information, however, and it is necessary to guard against criminals who masquerade online as merchants authorized to accept consumer credit card information. Even more important is to secure the merchant's server system where credit information is collected.
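The check a secure browser performs on the merchant's certificate is what stands between the consumer and a masquerading merchant. The Go example below is added here and is not from the book: it creates a trusted root, a merchant certificate for a hypothetical host shop.example issued by that root, and a self-signed certificate that an impostor made for the same name, then applies the two tests a browser applies before sending card details, that the certificate chains to a trusted root and that it names the host the user asked for. The host names and certificate subjects are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs template with the signer's key on behalf of parent and returns
// the parsed certificate. For a self-signed certificate, parent is the template.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario is a trusted root, a merchant certificate issued by that root, and
// a self-signed certificate an impostor made for the same host name.
type Scenario struct {
	Roots    *x509.CertPool
	Merchant *x509.Certificate
	Impostor *x509.Certificate
}

func NewScenario(host string) Scenario {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	merchantKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	merchant := newCert(leafTmpl, ca, &merchantKey.PublicKey, caKey)

	// The impostor controls no trusted CA, so the best they can do is sign a
	// certificate carrying the merchant's name with a key of their own.
	impostorKey := newKey()
	impTmpl := *leafTmpl
	impTmpl.SerialNumber = big.NewInt(3)
	impostor := newCert(&impTmpl, &impTmpl, &impostorKey.PublicKey, impostorKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Scenario{Roots: roots, Merchant: merchant, Impostor: impostor}
}

// CheckMerchant returns nil only if cert chains to a trusted root and is valid
// for host; otherwise the error says which test failed.
func CheckMerchant(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	s := NewScenario("shop.example")
	fmt.Println("genuine merchant:", CheckMerchant(s.Merchant, s.Roots, "shop.example"))
	fmt.Println("impostor, same name:", CheckMerchant(s.Impostor, s.Roots, "shop.example"))
	fmt.Println("genuine cert, wrong host:", CheckMerchant(s.Merchant, s.Roots, "bank.example"))
}
```

The impostor's certificate is rejected for lack of a trusted issuer, not because anything in it looks wrong, and the genuine certificate is rejected when presented for a different host; both checks have to pass, and a browser that skips either one leaves the consumer exposed to exactly the masquerade described above.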

As an entire solution, the commerce environment should be as flexible as possible, accepting different payment methods consistent with the market and the business. Next, it should help the merchant collect information about the customer (wherever relevant and possible). It should be integrated into the general business environment, generating actions to be taken as a result of the order:

  • Product delivery instructions
  • Transaction settlement
  • Account activity reports
  • Confirmations
  • Order status reports
  • Gathering of marketing information

Some merchants will be able to do business on the Internet simply by purchasing and installing a secure World Wide Web server, and manually processing orders received over the Internet in the same way they process mail or telephone orders. Merchants who do not expect a large volume of orders from the Internet will prefer to operate in this way, since it costs less than the more holistic approaches - however, merchants wishing to maximize the benefit of selling online will invest in a more complete commercial environment. Secure servers and related commerce environment products are discussed in more detail in Chapter 7.

Offline and Online Transactions

In general, direct commerce solutions that use the Internet directly to transmit transaction information protect that information with some kind of encryption method. This neutralizes what is perceived to be, but actually isn't, the greatest threat to Internet transactions - the eavesdropper. Data encrypted with a sufficiently strong method is immune to likely threats: recovering a credit card number from the ciphertext means searching the key space, and the computing resources required cost anywhere from millions of dollars to many billions of dollars, depending on whether the attacker can wait decades for the answer or needs it sooner. There are easier ways to steal credit card numbers, starting with the merchant's server where they are collected and stored.

However, it is not strictly necessary to transmit any sensitive information over open networks when there are much more secure channels that can be used to carry it. For example, many people feel more comfortable discussing business with associates in person than over a telephone. Barring the relatively extreme instances of those whose business is under government scrutiny, personal conversations inspire a high level of confidence that no one is listening in: an eavesdropper would in most cases be noticed.

Although telephone conversations have a greater potential for eavesdropping (legal and illegal taps, someone listening in on an extension, cellular and cordless phone scanners), with a minimum of care a telephone conversation can be relatively secure. The same type of consideration can be applied to fax transmissions, as well as to postal mail and other delivery services. The result is that there are other channels across which sensitive information can be sent. Some Internet commerce solutions take advantage of the relative security of these alternative media to eliminate the need for software security solutions.

These solutions require that the consumer make a telephone call, send a fax, or send a hard copy with sensitive information like credit card numbers, consumer names, and billing and shipping addresses.

Secure Online Transaction Models

It may be simplest to contract with some other company, like an electronic mall operator, Internet service provider, or some other organization, to manage servers, orders, and content. However, that company itself must use some method or methods of accepting and processing orders. As has been mentioned, the simplest method of doing direct business online on the Internet is to set up a secure World Wide Web server, then create content pages and program forms to take orders.

Secure Web Servers

The current battle for domination of the secure World Wide Web server and Internet browser markets is between Netscape and Microsoft. However, Web browsers and servers from any vendor are expected to interoperate with the servers and browsers of any other vendor - this is the whole point behind using Internet standards. (The Netscape and Microsoft secure servers and browsers will be discussed in greater detail in Chapter 7.)

A secure World Wide Web server must, by definition, support some type of security protocol. At the moment, the two most important of these are the Secure Hypertext Transfer Protocol (S-HTTP) and the Secure Sockets Layer (SSL), which was initially developed by Netscape and offered to the Internet community as a proposed standard in 1995. These protocols, as well as some others, will be discussed in greater detail later in this chapter and in Chapter 4. However, one of their primary advantages is their relative unobtrusiveness to the consumer using an SSL- or S-HTTP-enabled browser.

Secure Server Purchasing

The resulting browser/server interaction is, to the consumer, very closely mapped to the interaction that occurs when a consumer makes a purchase from a catalog. The consumer browses through graphical and textual descriptions of the merchant's products, selects a purchase, and usually clicks on a button that says something like "BUY NOW" to make a purchase. If the consumer is using a secure browser supported by the secure server, that button will produce a form on the consumer's screen, which the consumer must complete. Delivery and payment information will usually be required, and at some point after this information has been provided the product will be delivered. If the customer is using a browser that is not secure or that uses a protocol not supported by the server, then some other method must be employed to consummate the transaction (alternative methods will be discussed later in this chapter).

Delivery information consists of name, address, delivery address, e-mail address, and any other information necessary or desirable to deliver the product. If the product happens to be a physical item, then a physical destination, preferred shipper, and telephone number may be necessary. If the product is a digital item, then it may be transmitted directly to the consumer via the browser, by e-mail, or through some other application such as file transfer.

Secure Server Selling

Merchants want to make it economical, pleasant, and easy for consumers to buy their products, and doing so with a secure Web server is no different. There is a broad spectrum of options to choose from to balance price against a pleasing shopping experience; these issues are beyond the scope of this book - but ease of use is definitely a factor for the consumer using a secure browser.

First, the merchant needs to publish product offerings on the Internet with a secure server. Servers are available that support SSL, S-HTTP, or both. Because the Internet is an open network, based strictly on the proper and widespread implementation of standards, it doesn't make sense for merchants to limit their potential customers by using only one standard. By supporting both SSL and S-HTTP, they support transactions with consumers whose browser uses either of those standards.

However, the merchant must go beyond merely setting up the server. As with mail orders, there must be a mechanism for processing the information contained on an order form. The Internet programming community has created and offers several utilities to manipulate data. One of the first was the Common Gateway Interface (CGI), which lets the Web server hand the submitted form data to an external program or script and return that program's output to the browser. More recently, Java and ActiveX have arrived on the market, offering growing levels of sophistication and power in managing data between users and the Web sites they are visiting. World Wide Web forms prompt the consumer for some kind of information, and on receipt of the form, either the data is written to a database, or a CGI, ActiveX, or Java program processes it and takes the user through the next task.

In the simplest case, the information provided by the consumer might be dumped into a data file to be manually processed later. The merchant would go through this file, processing credit card information and shipping the product off to the indicated delivery address. (That file then holds the customers' card numbers, and must be protected as carefully as the server itself.) This may be an acceptable solution for low-volume applications - merchants who do not anticipate a large flow of online transactions, for instance. It is not acceptable where the product sold is digital in nature: If the product is delivered immediately, there is no guarantee for the merchant that the payment information is correct, but waiting to ship the digital product may not be acceptable to the consumer who assumes immediate delivery.

More often, the merchant will use interfaces of some type to automate transactions. For example, banks, credit card clearing organizations, and credit card companies are all increasingly willing to authorize transactions executed over the Internet. Companies selling physical products over the Internet use e-mail confirmations and shipping notices to keep customers up to date on the status of orders, and all merchants can use network applications to notify their internal organization of orders.
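The rule implied by the last two paragraphs, that a digital product is released only after the authorization comes back approved, as an added Go example (not the book's code or any vendor's). The clearing network is represented by an interface with a constructed implementation that approves small amounts, declines large ones, and reports an outage for one account; the outage path is queued for manual handling rather than treated as a refusal. The order record kept after processing holds only a masked card number, so the merchant's order store does not become the file of full card numbers the chapter warns about. Card numbers and limits are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Order is what the secure server's form handler receives. The full card
// number lives only here, for the authorization call.
type Order struct {
	ID      string
	PAN     string // card number as typed by the customer
	Expiry  string
	Cents   int64
	Digital bool // true for a downloadable product
}

// Authorizer stands for the link to the card-clearing network. Only the
// outcome matters: approved with a code, declined, or network unreachable.
type Authorizer interface {
	Authorize(pan, expiry string, cents int64) (code string, approved bool, err error)
}

// Outcome is the record the rest of the business sees. It never contains the
// full card number.
type Outcome struct {
	OrderID   string
	MaskedPAN string
	AuthCode  string
	Status    string // "delivered", "ship", "declined", or "hold"
}

var ErrNetwork = errors.New("authorization network unavailable")

// Process gates fulfilment on the authorization result. A digital product is
// released only on an explicit approval; an outage puts the order on hold for
// retry or manual processing, and a decline releases nothing.
func Process(o Order, auth Authorizer, release func(orderID string) error) (Outcome, error) {
	out := Outcome{OrderID: o.ID, MaskedPAN: Mask(o.PAN)}
	code, approved, err := auth.Authorize(o.PAN, o.Expiry, o.Cents)
	if err != nil {
		out.Status = "hold"
		return out, err
	}
	if !approved {
		out.Status = "declined"
		return out, nil
	}
	out.AuthCode = code
	if !o.Digital {
		out.Status = "ship" // physical goods go to the shipping queue
		return out, nil
	}
	if err := release(o.ID); err != nil {
		out.Status = "hold"
		return out, err
	}
	out.Status = "delivered"
	return out, nil
}

// Mask keeps the first six and last four digits, enough for receipts,
// statements, and disputes, and nothing more.
func Mask(pan string) string {
	if len(pan) < 10 {
		return "****"
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// fakeNetwork is a constructed authorizer for the example: it approves amounts
// up to limitCents, declines larger ones, and reports an outage for one account.
type fakeNetwork struct{ limitCents int64 }

func (f fakeNetwork) Authorize(pan, expiry string, cents int64) (string, bool, error) {
	if pan == "4222222222222" { // constructed "network down" account
		return "", false, ErrNetwork
	}
	if cents > f.limitCents {
		return "", false, nil
	}
	return fmt.Sprintf("A%06d", cents%1000000), true, nil
}

func main() {
	network := fakeNetwork{limitCents: 50000}
	released := map[string]bool{}
	release := func(id string) error { released[id] = true; return nil }
	orders := []Order{
		{ID: "1042", PAN: "4111111111111111", Expiry: "12/99", Cents: 3337, Digital: true},
		{ID: "1043", PAN: "4111111111111111", Expiry: "12/99", Cents: 99999, Digital: true},
		{ID: "1044", PAN: "4222222222222", Expiry: "12/99", Cents: 3337, Digital: true},
	}
	for _, o := range orders {
		out, err := Process(o, network, release)
		fmt.Printf("%s %-9s auth=%q card=%s err=%v\n", out.OrderID, out.Status, out.AuthCode, out.MaskedPAN, err)
	}
	fmt.Println("released downloads:", released)
}
```

Separating "hold" from "declined" matters operationally: a declined order should never be retried automatically, while a held order is exactly the case the low-volume merchant handles by hand from the queue.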

Required Facilities

The merchant must understand (and the educated consumer should understand) that purchasing products over the Internet requires a significant investment in software, hardware, and services. Surprisingly, the software and hardware components are probably the smallest part of the investment, while the "services" can be acquired from any number of different providers.

The majority of Internet merchants will be unlikely to set up their own secure servers, because doing so can be complicated for the Internet novice, and also because there are so many companies now offering such services. However, merchants who are aware of what their options are can be smarter consumers of these services, and customers who are aware of how their online orders are processed can be smarter online consumers.

Hardware

Technically, any computer that can run an implementation of TCP/IP (including a World Wide Web server program) and that can be connected to the Internet can be a World Wide Web server. More realistically, the system should have a great deal of processing power to handle many simultaneous or near-simultaneous requests for information. It should have a hard disk sufficiently large to store all the information to be published in the Web server as well as system software. It should have a sufficiently fast Internet connection to support the maximum expected load on the system. And, it should have security features sufficient to protect it from unauthorized access. Perhaps surprisingly, a graphical user interface, or any graphics capability, is not technically necessary on the server - it does not have to display any information locally, but rather sends and receives data across the Internet.

In practice and at a minimum, this translates to a fast, current personal computer capable of running an operating system such as Windows NT (or possibly Windows 95), using an Ethernet connection to an Internet router. A UNIX workstation or PC-architecture server system is preferred, though. The Internet connection itself should probably be at least a dedicated telephone line running at 56 Kbps (thousands of bits per second). Internet routers are often included in Internet service packages, but they are often simply fast personal workstations with special networking software and hardware.

Some organizations using the Internet may prefer to simply get a server and an Internet connection, and leave their internal networks out of the loop. However, those who do opt to connect their organizational networks to the Internet along with their Web server will almost certainly want to invest in some kind of firewall architecture to protect their network from intruders. This is likely to add to the cost of the hardware required for an Internet connection, but is necessary whether they are running a Web server or not.

There is also a blossoming software industry enabling the presentation of data already existing on an internal computer system in a Web server without reentering the data. This will be very useful for companies looking to offer online order processing of inventories experiencing a high level of turnover.

Total initial cost, depending on the systems selected, can be anywhere from $1000 on up. A typical implementation, using a low-end PC server/high-end personal workstation, should cost somewhere between $4000 and $10,000, including router, network cards, and cable.

Software

As mentioned earlier, a TCP/IP implementation is necessary for the Web server. This may be built in to the operating system, or it may be a part of the Web server package, but in any case it is necessary. Likewise, a Web server package is required. This is the software that responds to requests from browsers on the Internet and sends out the desired information. Security, as mentioned before, should be part of the operating system.

Savvy system administrators make sure that there is no other software on Internet servers. This limits what an intruder who compromises the system can do with it, since no additional software is available for further mischief. For example, network software installed and configured on a server allowing access to organizational data could be used by an intruder to access, modify, or delete that information.

Services

The raw materials are relatively cheap, but the knowledge of how to put it all together is (at least right now) expensive. And there is a handful of different things that need to get done to set up a server:

  • Obtain Internet service
  • Administer Internet link and servers
  • Create Web server content
  • Process transactions

Obtaining Internet service is simply the process of getting connected to the Internet, and keeping that access up and running. In some ways it is comparable to getting a telephone connection - the ISP simply offers connectivity, not content.

Some Internet service providers will also manage your link and your server hardware. This should mean they will keep the systems up and running and manage access to and from those systems. This often includes security and firewall services.

Creating and maintaining Web server content is critical and is a task often farmed out to consultants. While this approach may be effective for getting a Web site online quickly, maintaining and updating content must be an ongoing task. Fortunately, there are many tools available to make Web authoring easy, and these will tend to drive down the cost of managing Web content.

Finally, transactions using credit cards must be settled. Most people will be familiar with the "swipe" machines used in stores where credit cards are accepted. These transmit information about the transaction to a clearing company, which then provides an authorization code indicating whether the transaction will be processed. This same process can be linked to a secure Web server, for a price. This is just one of the services included in online commercial environments, to be discussed later in this chapter and in Chapter 7.

Electronic Malls

Setting up a Web site for buying and selling can be complicated and expensive; it is not for everyone. However, some companies have been setting up electronic, or virtual, or online malls. The shopping mall is a familiar and comfortable model for consumers and merchants, and it is relatively straightforward to simulate using the World Wide Web. Mall operators allow individual merchants to "rent space" on the mall. The financial arrangements may vary, but generally include some kind of monthly charge, charges for storage space required, and also usually some charge for each transaction.

As with other Internet commerce service providers, digital malls provide a way for individual merchants to sell online without having to assemble all the parts themselves. The parts are still all there, and merchants investigating online commerce options should consider the systems and networking expertise of the service provider as well as the commercial facilities.

Online Commercial Environments

As should be apparent from the preceding discussion, simply having a secure World Wide Web server is far from a complete online commerce solution for merchants (although having a secure World Wide Web browser can be a complete solution for the online consumer). There is an entire "back end" infrastructure needed to support electronic sales and fulfillment. This includes links to credit card authorization networks, as well as integrating alternative payment methods into the solution. Merchants maximize their potential sales by making it easy for all customers to buy, and this includes accepting different payment methods.

Companies offering online commerce environments strive to produce an integrated and complete solution for Internet merchants. This may include software tools for creating World Wide Web documents and commercial offerings, secure Web server software, Web site management tools, and links to commercial transaction settlement services for credit cards as well as other digital payment methods.

Merchant Requirements

As part of the ability to sell products electronically, the online commercial environment should provide at least some of the following abilities:

  • Automatically process transactions received through the Internet and send payment information to credit card authorization services, also via the Internet
  • Automatically process responses from the credit card authorization service
  • Get digital signatures or other proof of approval of the order from the customer
  • Generate necessary transaction tracking information, including electronic receipts, customer statements, and internal documentation of orders
  • For nonelectronic material, have a link to the delivery company (e.g., FedEx) for delivery status between the vendor and the customer.
  • Be able to handle occasional telephone or fax transactions as well as online transactions

Online commerce environment vendors must offer at least some of these functions because they are necessary to transact business online. Many of the functions described in the preceding section (Required Facilities) may also be provided in an online commerce environment, but these are offered as a convenience to merchants - the merchant can just as easily supply its own facilities, or contract them out to some other vendor.

Customer Requirements

The successful online commerce environment makes no demands at all on the customer, other than requiring the ability to access the online sales facility and the intention to buy something offered. However, the environment should permit the customer to use whatever payment method is desired, consistent with good business practice. In practice this means major credit cards, as well as an appropriate selection of electronic payment methods.

Customers, like merchants, will want some kind of audit trail or account statements, particularly when purchasing information products. The ability to provide receipts, monthly billing statements, and account status reports will be important to customers evaluating online business partners.

Chapter 7 will discuss an online commercial environment that includes some of these services.

Digital Currencies and Payment Systems

While secure commerce servers are intended to protect transaction data being sent over the Internet, digital currencies and other types of digital payment mechanisms are intended to carry value in a protected digital form over the Internet. Digital currencies and payment systems do not necessarily compete against secure Internet servers or commercial environments, but can complement such products by adding another way to exchange values.

Two approaches are taken by companies offering this type of service. One is to link a customer payment method (credit card, checking account, or some other source of funds) to an online identity, managed by the service provider. Merchants selling to a participating customer can then authenticate the payment information through the service provider, who may also provide authorization and clearing services. This type of service may seem to overlap somewhat with commerce environment services. The difference is that the payment system usually requires participants to register in some way with the payment system sponsor, while commerce environments usually permit the customer to use a credit card or a payment system. The payment method may also become merged into the applications themselves as new protocols are introduced which define procedures for transacting business using existing, nondigital payment methods.

The CyberCash and First Virtual payment systems are discussed in greater detail in Chapter 6.

Digital checking can also take advantage of the same techniques, in much the same way that debit cards are used the same way as credit cards - consumers present the card to the merchant, who must get an authorization for the purchase. The charges are paid immediately out of the consumer's checking account, rather than at the end of the monthly billing cycle.

A different approach is used for actual digital currencies, as opposed to payment systems. Usually, anyone can participate by opening an account with a financial institution offering digital currency service. Client software is used to withdraw money from the account, check on balances, and maintain a "digital wallet" that holds the value on the participant's computer. Cash exchanges between a user and the bank use the same types of cryptographic technologies described in Chapter 2. Digital signatures guarantee cash transfers, and transactions may be encrypted.
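The withdraw-hold-spend-deposit cycle just described, as an added example that is not code from the book or from any of the products it profiles: a bank mints a coin by signing its serial number and value, the wallet holds the coin, and a merchant checks the bank's signature with the public key before depositing it. The key material is a constructed toy (two fixed Mersenne primes, unpadded RSA) so that the example runs with only the Python standard library; the deposit ledger that refuses a serial it has already seen is an assumption about how a bank would protect itself, not something this chapter specifies.

```python
"""Toy digital-cash exchange between a bank and a wallet (constructed example).

The bank signs (serial, value) with its private key; the wallet stores the coin;
a merchant verifies the bank's signature before accepting it and deposits it;
the bank refuses a serial it has already credited. RSA here uses two fixed
Mersenne primes and textbook (unpadded) signing so the example needs only the
standard library; it is NOT a secure construction.
"""
import hashlib
import json
import secrets

# Toy key material (assumption: a real issuer uses 2048-bit keys and padded signatures).
P = 2**31 - 1           # prime
Q = 2**61 - 1           # prime
N = P * Q               # public modulus
E = 65537               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the bank


def _digest(serial: str, value_cents: int) -> int:
    """Hash the coin fields to an integer below the modulus."""
    blob = json.dumps({"serial": serial, "value": value_cents}, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def verify_coin(coin: dict) -> bool:
    """Anyone holding the bank's public key (E, N) can check a coin offline."""
    return pow(coin["sig"], E, N) == _digest(coin["serial"], coin["value"])


class Bank:
    """Issues coins and accepts deposits, remembering which serials were spent."""

    def __init__(self):
        self.accounts = {}   # account name -> balance in cents
        self.spent = set()   # serials already deposited

    def open_account(self, owner: str, balance_cents: int) -> None:
        self.accounts[owner] = balance_cents

    def withdraw(self, owner: str, value_cents: int) -> dict:
        """Debit the account and hand back a bank-signed coin for the wallet."""
        if self.accounts[owner] < value_cents:
            raise ValueError("insufficient funds")
        self.accounts[owner] -= value_cents
        serial = secrets.token_hex(8)
        sig = pow(_digest(serial, value_cents), D, N)
        return {"serial": serial, "value": value_cents, "sig": sig}

    def deposit(self, merchant: str, coin: dict) -> bool:
        """Credit the merchant only if the coin is genuine and not yet spent."""
        if not verify_coin(coin):
            return False
        if coin["serial"] in self.spent:   # the same coin presented twice
            return False
        self.spent.add(coin["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + coin["value"]
        return True


def demo() -> dict:
    """Run one withdrawal, one altered copy, and two deposits of the same coin."""
    bank = Bank()
    bank.open_account("alice", 10_00)
    bank.open_account("shop", 0)
    coin = bank.withdraw("alice", 3_00)      # now held in Alice's wallet
    altered = dict(coin, value=9_00)         # value changed: signature no longer matches
    first = bank.deposit("shop", coin)
    second = bank.deposit("shop", coin)      # same coin again
    return {"genuine": verify_coin(coin), "altered": verify_coin(altered),
            "first_deposit": first, "second_deposit": second,
            "alice": bank.accounts["alice"], "shop": bank.accounts["shop"]}


if __name__ == "__main__":
    print(demo())
```

The point the merchant should take from this is that the signature check is local (only the public exponent and modulus are needed), but the spent-serial check is not: a coin that verifies perfectly can still have been deposited already, which is why the bank, not the merchant, has the final word on whether value was transferred.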

New technologies for transferring cash without hard currency or a traditional check are also appearing on the market and will be covered in Chapter 8.

Offline Secure Processing

All of the options discussed so far in this chapter require some type of online security, whether it is a secure channel between the customer and the merchant or encryption of some or all data sent from one application to another. As entrepreneurs and developers investigated the methods for doing business online, it became apparent that there were two general approaches:

  • Use cryptographic techniques to secure the channel and enable online, real-time transaction initiation and completion
  • Use alternative, secure channels to transmit sensitive data

To some developers, the advantages of using cryptography - all related to the securing of a previously unsecure channel - are outweighed by the costs of implementing it. These costs include the following:

  • Licensing fee for patented cryptographic tools
  • Creation and distribution of new Internet browsers and servers
  • Maintenance of public key certification facilities
  • Increased computing overhead needed to transact business exchanges
  • Difficulty in distributing cryptographic technologies outside of the United States due to export restrictions on strong cryptography

It has been argued that by taking the sensitive data out of the online Internet loop, companies can provide relatively secure commercial services on the Internet without the costs associated with implementing a secure channel or secure payment protocol. Most important is that implementing this type of system independently of the underlying application means that the end user - the customer - does not have to upgrade or buy any special software to support new security protocols. All existing channels are capable of supporting commerce, whether through a World Wide Web server, file transfer or terminal emulation, or even e-mail. What's more, any future application or network can also be supported just as easily, with no need for modification.

This approach was first used by First Virtual Holdings Incorporated in 1994 and is described in more detail in Chapter 6. In this approach, customers must telephone, fax, or mail (all relatively secure, or at least familiar, methods) their credit card payment and shipping address information to the sponsoring organization. They are then provided with an account ID, which they can use to order goods from participating merchants. The information about an order, including order status, can be transmitted in the clear, while the sensitive information, such as payment information, is kept entirely offline.
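What "kept entirely offline" has to mean in software, as an added example that is not First Virtual's protocol or code: the order message that crosses the open channel references the customer only by account ID, and the sender gates every outbound message on a check that no payment-card-like number slipped in. The account ID, the message fields and the sample card number are constructed values; the Luhn checksum is the real algorithm card numbers use, which is what makes a digit run recognizable as a card number.

```python
"""Offline-secure ordering guard (constructed example).

Card details registered by telephone, fax or mail live only in OFFLINE_ACCOUNTS.
Orders sent in the clear carry the account ID instead, and send_in_clear()
refuses any message containing a 13-19 digit run that passes the Luhn check.
"""
import json
import re

# Registered offline; constructed sample values, never placed in a message.
OFFLINE_ACCOUNTS = {
    "ACCT-00042": {"name": "Alice Example", "card": "4111111111111111", "expires": "12/99"},
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# A run of 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def contains_card_number(text: str) -> bool:
    """True if any digit run in the text looks like a payment-card number."""
    for match in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def build_order(account_id: str, items: list, ship_to: str) -> str:
    """Serialize an order that names the customer only by account ID."""
    if account_id not in OFFLINE_ACCOUNTS:
        raise KeyError("unknown account; register offline first")
    order = {"account": account_id, "items": items, "ship_to": ship_to, "status": "NEW"}
    return json.dumps(order, sort_keys=True)


def send_in_clear(message: str) -> bool:
    """Gate for the open channel: return True only if the message may be sent."""
    if contains_card_number(message):
        return False          # a card number leaked into the online path
    # transmission over the unencrypted channel would happen here
    return True


if __name__ == "__main__":
    order = build_order("ACCT-00042", [{"sku": "BOOK-1", "qty": 1}], "1 Main St")
    print(order, send_in_clear(order))
    print(send_in_clear(order + " card 4111 1111 1111 1111"))
```

The gate is deliberately placed on the sending side, because once the digits are on the wire the "secure by omission" model has already failed; the same check is also useful on the receiving side as a detection that a merchant or customer is misusing the clear channel.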

Although this approach has some interesting and attractive features, it is not likely to dominate the electronic commerce world. It is likely to continue to be used in certain specialty and niche markets, but some assumptions that motivated this approach are proving wrong. For example, as larger numbers of new Internet users come online, it becomes easier to implement new Internet browsers supporting commercial security features. Also, the United States government is granting export licenses for some electronic commerce applications of varying strength.

Private Data Networks

The use of the Internet for the exchange of business data is a growing, unstoppable trend. Internet-based transactions are in the future for most, if not all, companies. However, many companies are still reluctant to use the "open" Internet to conduct mission-critical business transactions. A genuine problem faces many companies, as they want to groom existing systems and bring on new applications, but do not want to close out future possibilities. An alternative is available.

A solution for many companies may lie in the use of private data networks to pass Internet data. For example, a large distribution company clearly sees the Internet as a transaction medium in the next few years. They are proceeding with plans to build an online catalog and order processing application but, at first, will not hook it to the Internet. Instead, they will connect it to a private third-party network.

This is not a new technology. For years, companies such as CompuServe, Advantis, AT&T, and, more recently, BBN Planet have offered private data networks for companies that are looking for a large network, but would like to avoid the cost of building such a network from scratch.

In this scenario, users access the application and information with a standard Internet browser, and the distribution company will employ all of the required security methods, including firewalls, secure browser support, and electronic commerce servers. The only difference is that when the customers connect to the distribution company, they will dial a toll-free number and be connected to a third-party company, which will in turn be connected to the distribution company. The third party will have a network in place that functions exactly like the Internet, but that will not be accessible to the general public.

In the future, management opinions may change, the nature of the application may change or new Internet technologies could be deployed, and the company will have the option of connecting the application to the open Internet.

Table of Contents

Preface ..... xiii

1 - Introduction and Concepts ..... 1

Networks and Commercial Transactions ..... 2
The Internet and Other Novelties ..... 3
Networks and Electronic Transactions Today ..... 6
A Model for Commercial Transactions ..... 7
Establishing Trust ..... 7
Negotiating a Deal ..... 9
Payment and Settlement ..... 10
Payment Vehicles and Currencies ..... 11
Products and Delivery ..... 12
The Internet Environment ..... 15
The Internet Advantage ..... 15
The Internet Is Open ..... 15
The Internet Does Not Belong to Anyone ..... 16
World Wide Web, Killer App of the Internet ..... 17
The World Wide Web ..... 18
World Wide Web Standards ..... 19
Browsers and Servers ..... 21
Selling on the World Wide Web ..... 22
Other Internet Sales Venues ..... 23
Online Commerce Solutions ..... 25
Public Key Cryptography ..... 25
Security Standards ..... 27
Commerce Models and Environments ..... 27

2 - Security Technologies ..... 29

Why the Internet Is Unsecure ..... 30
It's the Protocols ..... 32
Where the Risks Are ..... 36
What the Risks Are ..... 37
Internet Security Holes ..... 38
A Bigger Risk ..... 39
Fighting Back ..... 40
What It All Means ..... 41
A Brief Introduction to Cryptography ..... 41
Cryptography ..... 42
The Objective of Cryptography ..... 43
Codes and Ciphers ..... 44
Breaking Encryption Schemes ..... 45
Securing Algorithms ..... 46
Distributing Keys and Keeping Them Secret..... 47
Data Encryption Standard ..... 48
The Public Key Solution ..... 48
Modular Arithmetic ..... 48
Factoring and Large Numbers ..... 50
Public Key Encryption ..... 50
How It Works ..... 51
Why It Works ..... 52
Legal Issues ..... 53
Key Distribution and Certification ..... 54
Trusted Key Distribution and Verification ..... 55
Three Cryptographic Applications ..... 55
Encryption ..... 55
Digital Signature ..... 56
Nonrepudiation and Message Integrity ..... 57

3 - Electronic Payment Methods ..... 59

Updating Traditional Transactions ..... 59
Adapting Existing Methods ..... 60
Building a Commercial Environment ..... 61
Offline and Online Transactions ..... 63
Secure Online Transaction Models ..... 64
Secure Web Servers ..... 64
Secure Server Purchasing ..... 64
Secure Server Selling ..... 65
Required Facilities ..... 66
Hardware ..... 67
Software ..... 68
Services ..... 69
Electronic Malls ..... 70
Online Commercial Environments ..... 70
Merchant Requirements ..... 71
Customer Requirements ..... 72
Digital Currencies and Payment Systems ..... 72
Offline Secure Processing ..... 74
Private Data Network ..... 75

4 - Protocols for the Public Transport of Private Information ..... 77

Security Protocols ..... 78
Secure Hypertext Transfer Protocol ..... 79
S-HTTP Security Features ..... 80
Secure HTTP Data Transport ..... 81
S-HTTP Explained ..... 82
Secure HTTP Header Lines ..... 82
S-HTTP Message Contents ..... 83
S-HTTP Security Negotiation Headers ..... 83
Related Protocol Extensions ..... 84
Secure Sockets Layer ..... 85
SSL Record Specification ..... 87
Initiating an SSL Session ..... 88
Other SSL Options ..... 89
Integrating Security Protocols into the Web ..... 90
SET ..... 91
Credit Card Business Basics ..... 92
Early SET Trials ..... 93
Visa ..... 93
American Express ..... 94
SET Business Specification Document ..... 94
Certificate Issuance ..... 95
Nontechnical Considerations ..... 103

5 - Electronic Commerce Providers ..... 109

What to Look for, What to Look Out for ..... 109
Online Commerce Options ..... 106
Consumer Choices ..... 106
Merchant Choices ..... 108
Choosing Functions and Features ..... 108
What Lies Ahead ..... 110
Company Profiles ..... 110
Checkfree Corporation ..... 111
CommerceNet, Inc. ..... 112
CyberCash, Inc. ..... 114
DigiCash bv ..... 115
Financial Services Technology Consortium ..... 117
First Virtual Holdings Incorporated ..... 118
IBM Corporation ..... 119
Internet Shopping Network ..... 120
MasterCard International ..... 122
Microsoft Corp. ..... 123
Mondex International ..... 124
NetCash/NetCheque ..... 126
The NetMarket Company ..... 127
Netscape Communications Corporation ..... 128
Open Market, Inc. ..... 130
RSA Data Security, Inc. ..... 131
Secure Computing ..... 132
Surety Technologies ..... 133
Verifone ..... 135
VeriSign, Inc. ..... 136
Visa ..... 137
A Host of Others... ..... 138

6 - Electronic Payment Systems ..... 139

Digital Payment Systems ..... 139
First Virtual Internet Payment System ..... 142
Fundamental Assumptions ..... 143
Automation and First Virtual ..... 144
Account Setup and Costs ..... 145
Opening a First Virtual Account ..... 146
Setting Up as a Seller ..... 152
The First Virtual Transaction Process ..... 152
Confirming Transactions ..... 153
Reducing Merchant Risk ..... 157
InfoHaus ..... 157
InfoHaus Services ..... 159
Installing an InfoHaus Store ..... 160
Security Considerations ..... 165
Encryption and Cryptography ..... 166
The Security Situation ..... 166
Security Conclusions ..... 168
Summing Up the First Virtual Internet Payment System ..... 169
CyberCash ..... 170
The CyberCash Model ..... 170
CyberCash Security Considerations ..... 172
Customer Protection ..... 173
Using CyberCash ..... 173
CyberCash Availability ..... 174
CyberCash Client Application ..... 174
Getting the Software ..... 175
Installing the Software ..... 175
Running the Software for the First Time ..... 176
Linking Payment Information ..... 179
CyberCoin ..... 182
Configuration and Administration ..... 185
Making a Purchase ..... 186
Selling through CyberCash ..... 188
CyberCash Merchant Code ..... 189
Summing Up the CyberCash System ..... 190
HOT off the Presses: PayNow ..... 191

7 - Online Commerce Environments ..... 193

Servers and Commercial Environments ..... 195
Choosing Payment Methods ..... 195
Server Market Orientation ..... 196
Netscape ..... 197
Netscape's Approach to Building Business ..... 198
Netscape Product Line ..... 199
Netscape Navigator ..... 199
Getting Netscape Navigator ..... 200
Using Netscape Navigator ..... 202
Netscape Navigator Security Implementation ..... 206
Netscape Commerce Server ..... 209
SSL Security Breaches ..... 211
Brute-Force Attacks ..... 211
Netscape SSL Implementation Flaw ..... 212
Microsoft ..... 213
Microsoft Internet Explorer ..... 213
Getting Microsoft Internet Explorer ..... 214
Using Microsoft Internet Explorer ..... 214
Sanity Check ..... 216
Microsoft Internet Servers ..... 216
Microsoft Internet Commerce Strategy ..... 218
For the Balance of This Century ..... 225
Open Market ..... 225

8 - Digital Currencies ..... 231

How Digital Currency Can Work ..... 233
Double-Spending, Part One ..... 234
What's Wrong with This Picture ..... 235
Adding Privacy ..... 236
Breaking the Law ..... 237
Double-Spending, Part Two ..... 238
DigiCash Ecash Trial ..... 240
Using Ecash ..... 241
Ecash Client Software ..... 241
Ecash Client Features ..... 242
Ecash Transactions ..... 243
Setting Up a Shop Accepting Ecash ..... 244
Ecash Implementation ..... 245
Smart Cards ..... 246
The Chip ..... 246
Mondex ..... 247
Smart Card Security ..... 247
Transactions ..... 248
Putting It All Together ..... 249
Electronic Data Interchange ..... 249
EDI Basics ..... 250
EDI versus the Internet ..... 250
EDI Over the Internet ..... 251

9 - Strategies, Techniques, and Tools ..... 253

Internet Strategies ..... 254
Why Share? ..... 255
Success Stories ..... 255
Making It Work for You ..... 256
Internet Techniques ..... 257
Shopping Techniques ..... 257
Buying Commodities Online ..... 257
Buying Specialty Items Online ..... 258
Online Selling Techniques ..... 260
Make Your Store Easy to Get to ..... 260
Make Your Site Easy to Use ..... 261
Make Your Products Easy to Buy ..... 262
Internet Tools ..... 263
Choosing a Browser ..... 264
Other Internet Client Software ..... 264

Appendix A: Internet Glossary and Abbreviations ..... 267

Appendix B: Electronic Commerce Online Resources ..... 283
Appendix C: Guide to the CD-ROM ..... 301

Index ..... 309
