Transcript WHAT ARE THE THREE 'CORE/KEY SKILLS'?

Electronic Commerce
Richard Henson
University of Worcester
April 2008
Week 9: On-line Payment
Systems and Secure Networks

Objectives:
 explain how an on-line buyer can be authenticated
 describe how the buyer can be reassured during
the fulfilment process
 explain the acronym VPN and how part of the
Internet can become a VPN
 apply principles of “after sales service” to on-line
trading
 exercise greater control over web page data
extracted from databases
Authenticating the Buyer

E-commerce systems provide a range of
options for rapid on-line payment:
 by credit card
 by debit card
 by agreed credit terms with the vendor

The following methods are also included, but
are non-digital and slow the process down
 by cheque
 by bankers draft
Authenticating the Buyer

Whichever of the rapid payment
methods is used…
buyer needs to be authenticated by the ecommerce site

This requires on-line communication
with a financial institution
» must be via Internet
» fixed IP address needed

site must be secure
– therefore must use a secure protocol
Authenticating the Buyer

Financial institutions only tend to
communicate via Internet with trusted
sites
vendor would need to go through rigorous
procedures to become such a site
easier to outsource and hire a Merchant
Services Company to act as the trusted
site
» e.g. WorldPay, Netbanx, PayPal
Authenticating the Buyer

The merchant service does the following:
 connects the e-commerce site via secure link to
their secure server
 captures buyer details on their secure server
 connects via secure link to an on-line financial
institution
 passes buyer details to on-line financial institution

It is then up to the financial institution to deal
with the prospective sale…
Authenticating the Buyer
The financial system uses the personal
details supplied to authenticate the
buyer and authorise payment
 Three outcomes are possible:

authenticated and authorised
authenticated but not authorised
» e.g. over credit limit
not authenticated
» buyer details incorrect i.e. not matching records
or inconsistent
Arranging for Payment

Once the buyer has been authenticated
and authorised
payment can be taken from the account
The merchant services company will be
charged for accessing the secure
financial network
 It therefore makes sense for
authentication and payment to both occur
during the same “session” on the secure
financial network

More about the International
Banking Network

Extremely secure servers
configured/maintained by experts

Connected using a Virtual Private
Network
data only sent along secure channels
sent using PPTP (point-to-point tunnelling
protocol)
sent encrypted (512-bit)

Only trusted users can use it
Virtual Private Networks

Can be completely private
a mesh of dedicated private lines

Can use the Internet...
obvious security implications…
Intranets and Extranets
Both use standard www protocols (i.e
http, http-s)
 An Intranet can be:

a single LAN
several interconnected LANs which over
a larger geographic area
» what Microsoft call an “Enterprise network”

Extranets extend the Intranet to cover
selected “trusted” remote sites
e.g. business partners
Creating an Extranet

Can use private leased lines to link sites
secure, but expensive
do not need to use http, etc.

Can also use the Internet:
security issues need resolving
very little cost
use client-server web applications across
different sites
Extranets and Virtual Private
Networks
An Extranet is not necessarily a secure
means of transmitting data
 Data should be secure on the servers (if
set up properly)
 Data sent using HTTP on top of TCP/IP
can easily be intercepted
 A VPN carries sensitive data, which must
not be intercepted...

VPNs on the Internet

Four techniques can be used to
enhance security:
use of secure channels, rather than packet
switching
secure encryption techniques
secure protocol such as http-s for
sending/receiving data
“tunnelling” protocol such as PPTP
» hides the data within other data
More about PPTP

Sponsored by MS and CISCO
Proposal for consideration by IETF

Extension of PPP
Allow organisations to extend their own
corporate network by using private
“tunnels” over public Internet
Secure connection over public networks
Effectively using WAN as a single large
LAN
Secure Data Transfer Standards

Four technologies that have been
developed especially to enable secure
transactions over the Internet:
 HTTP-S : secure http
 SSL : Secure Sockets Layer (most used :
Netscape)
 SET : Secure Electronic Transaction
(Mastercard/Visa)
 Digital signature technology
SSL
Secure Sockets Layer
 Developed by Netscape for browser
participation in Internet security
 Provides encryption of http packets on
TCP/IP routes between Internet hosts
 Not been accessed by hackers so far
 Most commonly used protocol for ecommerce transactions, despite the
emergence of SET (next slide…)

SET



Secure Electronic Transactions
Developed by credit card companies
Based on the idea of a digital certificate
 customer and the merchant identity both validated
or “certified”

A need for “trusted” agencies
 who decides who is trustworthy?
 banks & financial institutions?
Issues surrounding on-line
payment

Potential shoppers suspicious about
security
doubts heightened by reporting of the
media

In time...
Internet will become a more common place
to do business
Shoppers will gain experience of the
advantages of buying on-line
Current Best Practice
Take payments by credit card through a
secure server
 Creators of shop@ssistant recommend
the use of a secure transaction service

“major contribution to the potential viability
of any e-commerce site on the Internet”
Reassuring the Shopper

Use of a secure transaction service
makes sure that:
credit card details are being transmitted
securely
credit card details are not being held on
any computer system where they could be
compromised.
Reassuring the Shopper

When the shopper is transparently
transferred to the secure server
the secure server icon is displayed in his
browser
designed to promote a feeling of
confidence in the mind of the shopper
when using this service
Reassuring the Shopper

Shopper Dealing with a nationallyknown, branded supplier of credit card
services
authorised to carry the logos of the card
issuers on their site
active participation of the credit card
issuers ’and merchant services ’
organisations.
Reassuring the merchant!

The existence of a secure network for
credit card transactions helps the
merchant too:
card details are never passed to the
merchant ’s site
not involved at all in the secure data
transmission
has no possibility to take, see or store the
card details
effectively removed from the possibility of
collusion in any card malpractice
Reassuring the merchant!

Flexibility in taking payments is assured
since all of the world ’s major credit and
debit cards are accepted by the
transaction services
Reassuring the merchant!
the merchant will know whether the
shopper has good credit to cover the
value of the goods before completing
processing of the order
 When the merchant receives an e-mail
from the transaction service provider
confirming payment, the money is
almost as good as in the bank!

Fulfilment - getting the goods
to the customer

Includes:
customer service
communications (e.g. by email)
warehousing
shipping
storage
insurance
Payment and Fulfillment

Agreed convention of on-line trading that
payment is not taken until the goods
have been “picked”
taken out of the warehouse in preparation
for delivery
Whole process of authentication and
payment is therefore delayed until the
product is about to be picked
 Errors in customer details not
discovered until picking takes place!

Payment and Fulfillment

If an authentication error does occur
the potential buyer is emailed, explaining
the problem
the picking process is suspended

If authentication is successful
buyer is emailed
» informed that product has been picked
picked product goes to delivery stage
Issues concerning Fulfillment

If:
either goods do not arrive
or buyer is not satisfied with the goods
The buyer has a right to a refund
 Under recent EU law the refund must
occur before goods are returned

Issues concerning Fulfillment

Fraud could occur:
site itself could be fraudulent
» buyers should look out for a secure connection
window
» if no window, don’t supply card details
If fraud has occurred, and e-commerce site
is:
» not to blame…
» unable to pay
credit card company will usually pay the
refund
Issues concerning Fulfillment
Fulfillment also includes after-sales
service
 Example: if a computer has been
purchased, and the buyer has a
problem, there need to be good
communication channels available:

telephone - call centre if high call volumes
can reasonably be expected
email - quick response required!
Product Pages –
a final word…



As you only have a small number of products,
a product summary for each can be included
on a single page
However, that summary page should also
include a link to a unique page for each
product
Thanks to parameter passing between pages,
this can be achieved with just a single
“master” page, and a single “detail” page
Dreamweaver and passing
parameters – 1



The master page must include a column for
each record with a hyperlink to the detail
page
The hyperlink must be appended by a get (?)
construct, which passes a field that has a
unique value for that record
The link then becomes long and potentially
“scary”, but this is essential for passing data
to another web page
Dreamweaver and passing
parameters - 2

When navigating from “master” to “detail”,
there is a need to make sure that…
 the correct fieldname is selected when the link is
created using “make link” option
 the correct parameter is chosen for passing the
appropriate value for that field to the detail page

This parameter needs to be picked up by the
detail page and an SQL statement used to
filter the data in the relevant product data
dataset
Passing Parameters
& “Scary Strings”

Dreamweaver shields the non-mathematician
from coding as much as possible…
 but sometimes the variables used for passing data
within or between pages just have to be “scary
strings”
 if you don’t want to engage with programming
logic that’s understandable
» Just remember when typing such strings that:


every “begin”({) has an “end” (})
every “start quotes” has an “end quotes”
» also, remember that Dreamweaver does colour coding
for its programming code, and this could be a useful way
to detect typing errors (we all make them!)
Dreamweaver and passing
parameters - 3

The detail page needs to know about the
parameter fieldname in order to correctly
make use of the parameter value passed from
the master page in its SQL query
 both can be achieved when the dataset wizard is
used to filter the data to be displayed
 just use the “advanced” option
» parameter section just needs a fieldname that
corresponds to the SQL query

a wizard will create the “scary string” so no worries
» main SQL statement needs “where fieldname=?” to put
the parameter value in the right place
Products: Control over asp.net
product pages


In a real e-commerce site, it is unlikely that all
on-line products can be displayed on a single
page
In such cases, a “category” field is included in
the products table, and product pages are
accessed via “category” pages
 category number can then be passed as a
parameter from a master page to select products
of a particular category for the “detail page”