
Electronic Commerce

Electronic Commerce. Richard Henson University of Worcester April 2008. Week 9: On-line Payment Systems and Secure Networks. Objectives: explain how an on-line buyer can be authenticated describe how the buyer can be reassured during the fulfilment process


Presentation Transcript


  1. Electronic Commerce
     Richard Henson, University of Worcester, April 2008

  2. Week 9: On-line Payment Systems and Secure Networks
     • Objectives:
       • explain how an on-line buyer can be authenticated
       • describe how the buyer can be reassured during the fulfilment process
       • explain the acronym VPN and how part of the Internet can become a VPN
       • apply principles of “after sales service” to on-line trading
       • exercise greater control over web page data extracted from databases

  3. Authenticating the Buyer
     • E-commerce systems provide a range of options for rapid on-line payment:
       • by credit card
       • by debit card
       • by agreed credit terms with the vendor
     • The following methods are also included, but are non-digital and slow the process down:
       • by cheque
       • by banker’s draft

  4. Authenticating the Buyer
     • Whichever of the rapid payment methods is used…
       • the buyer needs to be authenticated by the e-commerce site
     • This requires on-line communication with a financial institution
       • must be via the Internet
       • a fixed IP address is needed
       • the site must be secure
         • therefore it must use a secure protocol

  5. Authenticating the Buyer
     • Financial institutions only tend to communicate via the Internet with trusted sites
       • a vendor would need to go through rigorous procedures to become such a site
       • easier to outsource and hire a Merchant Services Company to act as the trusted site
         • e.g. WorldPay, Netbanx, PayPal

  6. Authenticating the Buyer
     • The merchant service does the following:
       • connects the e-commerce site via a secure link to their secure server
       • captures buyer details on their secure server
       • connects via a secure link to an on-line financial institution
       • passes buyer details to the on-line financial institution
     • It is then up to the financial institution to deal with the prospective sale…

  7. Authenticating the Buyer
     • The financial system uses the personal details supplied to authenticate the buyer and authorise payment
     • Three outcomes are possible:
       • authenticated and authorised
       • authenticated but not authorised
         • e.g. over credit limit
       • not authenticated
         • buyer details incorrect, i.e. not matching records or inconsistent

  8. Arranging for Payment
     • Once the buyer has been authenticated and authorised
       • payment can be taken from the account
     • The merchant services company will be charged for accessing the secure financial network
     • It therefore makes sense for authentication and payment to both occur during the same “session” on the secure financial network

  9. More about the International Banking Network
     • Extremely secure servers
       • configured/maintained by experts
     • Connected using a Virtual Private Network
       • data only sent along secure channels
       • sent using PPTP (point-to-point tunnelling protocol)
       • sent encrypted (512-bit)
     • Only trusted users can use it

  10. Virtual Private Networks
     • Can be completely private
       • a mesh of dedicated private lines
     • Can use the Internet...
       • obvious security implications…

  11. Intranets and Extranets
     • Both use standard www protocols (i.e. http, http-s)
     • An Intranet can be:
       • a single LAN
       • several interconnected LANs which cover a larger geographic area
         • what Microsoft call an “Enterprise network”
     • Extranets extend the Intranet to cover selected “trusted” remote sites
       • e.g. business partners

  12. Creating an Extranet
     • Can use private leased lines to link sites
       • secure, but expensive
       • do not need to use http, etc.
     • Can also use the Internet:
       • security issues need resolving
       • very little cost
       • use client-server web applications across different sites

  13. Extranets and Virtual Private Networks
     • An Extranet is not necessarily a secure means of transmitting data
       • Data should be secure on the servers (if set up properly)
       • Data sent using HTTP on top of TCP/IP can easily be intercepted
     • A VPN carries sensitive data, which must not be intercepted...

  14. VPNs on the Internet
     • Four techniques can be used to enhance security:
       • use of secure channels, rather than packet switching
       • secure encryption techniques
       • a secure protocol such as http-s for sending/receiving data
       • a “tunnelling” protocol such as PPTP
         • hides the data within other data

  15. More about PPTP
     • Sponsored by Microsoft and Cisco
     • Proposal for consideration by the IETF
     • Extension of PPP
     • Allows organisations to extend their own corporate network by using private “tunnels” over the public Internet
       • secure connection over public networks
       • effectively using the WAN as a single large LAN

  16. Secure Data Transfer - Standards
     • Four technologies that have been developed especially to enable secure transactions over the Internet:
       • HTTP-S: secure http
       • SSL: Secure Sockets Layer (most used: Netscape)
       • SET: Secure Electronic Transaction (Mastercard/Visa)
       • Digital signature technology

  17. SSL
     • Secure Sockets Layer
     • Developed by Netscape for browser participation in Internet security
     • Provides encryption of http packets on TCP/IP routes between Internet hosts
     • Not been accessed by hackers so far
     • Most commonly used protocol for e-commerce transactions, despite the emergence of SET (next slide…)

  18. SET
     • Secure Electronic Transactions
     • Developed by credit card companies
     • Based on the idea of a digital certificate
       • customer and merchant identity both validated or “certified”
     • A need for “trusted” agencies
       • who decides who is trustworthy?
       • banks & financial institutions?

  19. Issues surrounding on-line payment
     • Potential shoppers suspicious about security
       • doubts heightened by media reporting
     • In time...
       • the Internet will become a more common place to do business
       • shoppers will gain experience of the advantages of buying on-line

  20. Current Best Practice
     • Take payments by credit card through a secure server
     • Creators of shop@ssistant recommend the use of a secure transaction service
       • “major contribution to the potential viability of any e-commerce site on the Internet”

  21. Reassuring the Shopper
     • Use of a secure transaction service makes sure that:
       • credit card details are being transmitted securely
       • credit card details are not being held on any computer system where they could be compromised

  22. Reassuring the Shopper
     • When the shopper is transparently transferred to the secure server
       • the secure server icon is displayed in his browser
       • designed to promote a feeling of confidence in the mind of the shopper when using this service

  23. Reassuring the Shopper
     • Shopper dealing with a nationally-known, branded supplier of credit card services
       • authorised to carry the logos of the card issuers on their site
       • active participation of the credit card issuers’ and merchant services’ organisations

  24. Reassuring the merchant!
     • The existence of a secure network for credit card transactions helps the merchant too:
       • card details are never passed to the merchant’s site
       • the merchant is not involved at all in the secure data transmission
       • has no possibility to take, see or store the card details
       • effectively removed from the possibility of collusion in any card malpractice

  25. Reassuring the merchant!
     • Flexibility in taking payments is assured, since all of the world’s major credit and debit cards are accepted by the transaction services

  26. Reassuring the merchant!
     • The merchant will know whether the shopper has good credit to cover the value of the goods before completing processing of the order
     • When the merchant receives an e-mail from the transaction service provider confirming payment, the money is almost as good as in the bank!

  27. Fulfilment - getting the goods to the customer
     • Includes:
       • customer service
       • communications (e.g. by email)
       • warehousing
       • shipping
       • storage
       • insurance

  28. Payment and Fulfillment
     • Agreed convention of on-line trading that payment is not taken until the goods have been “picked”
       • taken out of the warehouse in preparation for delivery
     • The whole process of authentication and payment is therefore delayed until the product is about to be picked
       • Errors in customer details are not discovered until picking takes place!

  29. Payment and Fulfillment
     • If an authentication error does occur
       • the potential buyer is emailed, explaining the problem
       • the picking process is suspended
     • If authentication is successful
       • the buyer is emailed
         • informed that the product has been picked
       • the picked product goes to the delivery stage

  30. Issues concerning Fulfillment
     • If:
       • either the goods do not arrive
       • or the buyer is not satisfied with the goods
     • The buyer has a right to a refund
       • Under recent EU law the refund must occur before the goods are returned

  31. Issues concerning Fulfillment
     • Fraud could occur:
       • the site itself could be fraudulent
         • buyers should look out for a secure connection window
         • if no window, don’t supply card details
     • If fraud has occurred, and the e-commerce site is:
       • not to blame…
       • unable to pay
     • the credit card company will usually pay the refund

  32. Issues concerning Fulfillment
     • Fulfillment also includes after-sales service
     • Example: if a computer has been purchased, and the buyer has a problem, there need to be good communication channels available:
       • telephone: call centre if high call volumes can reasonably be expected
       • email: quick response required!

  33. Product Pages – a final word…
     • As you only have a small number of products, a product summary for each can be included on a single page
     • However, that summary page should also include a link to a unique page for each product
     • Thanks to parameter passing between pages, this can be achieved with just a single “master” page and a single “detail” page

  34. Dreamweaver and passing parameters - 1
     • The master page must include a column for each record with a hyperlink to the detail page
     • The hyperlink must have a GET (?) construct appended, which passes a field that has a unique value for that record
     • The link then becomes long and potentially “scary”, but this is essential for passing data to another web page

  35. Dreamweaver and passing parameters - 2
     • When navigating from “master” to “detail”, there is a need to make sure that…
       • the correct fieldname is selected when the link is created using the “make link” option
       • the correct parameter is chosen for passing the appropriate value for that field to the detail page
     • This parameter needs to be picked up by the detail page and an SQL statement used to filter the data in the relevant product dataset

  36. Passing Parameters & “Scary Strings”
     • Dreamweaver shields the non-mathematician from coding as much as possible…
       • but sometimes the variables used for passing data within or between pages just have to be “scary strings”
       • if you don’t want to engage with programming logic, that’s understandable
     • Just remember when typing such strings that:
       • every “begin” ({) has an “end” (})
       • every “start quotes” has an “end quotes”
     • Also, remember that Dreamweaver does colour coding for its programming code, and this could be a useful way to detect typing errors (we all make them!)

  37. Dreamweaver and passing parameters - 3
     • The detail page needs to know about the parameter fieldname in order to correctly make use of the parameter value passed from the master page in its SQL query
       • both can be achieved when the dataset wizard is used to filter the data to be displayed
         • just use the “advanced” option
         • the parameter section just needs a fieldname that corresponds to the SQL query
         • a wizard will create the “scary string”, so no worries
         • the main SQL statement needs “where fieldname=?” to put the parameter value in the right place

  38. Products: Control over asp.net product pages
     • In a real e-commerce site, it is unlikely that all on-line products can be displayed on a single page
     • In such cases, a “category” field is included in the products table, and product pages are accessed via “category” pages
       • the category number can then be passed as a parameter from a master page to select products of a particular category for the “detail page”
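The master/detail parameter passing of slides 33 to 38, as an added example that is not part of the original presentation: Python's sqlite3 module stands in for the Dreamweaver/ASP.NET dataset, since both bind the GET parameter into a “where fieldname=?” query instead of pasting the value into the SQL text. The products table, the ProductID and CategoryID field names and the detail.aspx URL are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample rows standing in for the site's products table:
# (ProductID, Name, CategoryID, Price); the field names are assumed here.
SAMPLE_PRODUCTS = [
    (1, "Laptop", 1, 499.00),
    (2, "Mouse", 2, 9.99),
    (3, "Monitor", 1, 129.00),
]

def open_db():
    """Build an in-memory products table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (ProductID INTEGER PRIMARY KEY, "
                 "Name TEXT, CategoryID INTEGER, Price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn

def master_links(conn):
    """Master page: one link per record, its unique key appended as a GET (?)
    parameter. This is the 'scary string' the shopper clicks."""
    rows = conn.execute("SELECT ProductID, Name FROM products ORDER BY ProductID")
    return [(name, f"detail.aspx?ProductID={pid}") for pid, name in rows]

def get_param(url, name):
    """Pick the named parameter off the requested URL. The key is numeric, so
    anything missing or non-numeric is rejected before it reaches the query."""
    values = parse_qs(urlparse(url).query).get(name)
    if not values or not values[0].isdigit():
        return None
    return int(values[0])

def detail_page(conn, url):
    """Detail page: filter the dataset with 'where ProductID=?'. The value is
    bound as a query parameter, never spliced into the SQL text."""
    pid = get_param(url, "ProductID")
    if pid is None:
        return None
    return conn.execute("SELECT ProductID, Name, Price FROM products "
                        "WHERE ProductID=?", (pid,)).fetchone()

def category_page(conn, url):
    """Category page (slide 38): the same pattern keyed on CategoryID."""
    cat = get_param(url, "CategoryID")
    if cat is None:
        return []
    return conn.execute("SELECT ProductID, Name FROM products "
                        "WHERE CategoryID=? ORDER BY ProductID", (cat,)).fetchall()
```

The same check applies whichever tool generates the page: the parameter value only ever travels as a bound placeholder, so a mistyped or tampered link selects nothing rather than changing the query.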
