seminar- e-commerce technology for safe money transaction over the net

National Conference on Automation in Banks and Financial Institutions 22-23 June 2000 CSIO Chandigarh INDIA

Copyrights © 2005 Noorjahan Haque / Raman K. Attri 1

E-commerce Technology for Safe money transaction over the net

Noorjahan Haquea , Raman K. Attrib,

a Faculty, Institute of Electronics & Telecommunication Engineers (IETE) Chandigarh

b Member IETE / Scientist, Central Scientific Instruments Organization (CSIO) Chandigarh ABSTRACT The Buzz word E-commerce has revolutionized the way the business and money transactions used to work in the past. It is the latest impact of software arena in the field of banking, business and purchasing. The term also refers to online stock and bond transactions and buying and downloading software without ever going near a store. In addition, e-commerce includes business-to-business connections that make purchasing easier for big corporations. This paper mainly concentrates on technology revolution behind the transaction of money over the net. There are still doubts and questions from business and corporate users on the safety aspects of e-commerce. The software and web technology has innovated many encryptions and secure software layering and protocols techniques which tries to make the e-commerce transactions safer. The concept behind these techniques along-with the technical aspect of e-commerce and how it can be implemented in bank for money transaction is discussed in this paper. Further it deals with safety and security issues related to e-commerce implementation in banks and business transactions. 1. Evolution of E-commerce and E-business The industrial revolution was perhaps the biggest change that businesses ever faced. It changed the very way one did business, particularly with large-scale production becoming the order of the day. Although the industrial revolution was confined to Europe, its impact was felt the world over. Two centuries later, a similar revolution, but of a higher magnitude and more global in nature, is invading businesses worldwide––a revolution called e-commerce. In any business there are three distinct groups: suppliers, customers, and the environment that may or may not have interactions with the manufacturer. This environment includes the government, the judiciary, the monetary system, competition, and other countries and international bodies that would have a direct impact on the way one-do business. Traditionally, organizations have maintained a clearly defined interface that separates them from the rest of the universe. In today’s information age, this interface is rapidly changing and is being replaced by new mechanisms that make it easier to transfer information across the boundary. The e-commerce has changed the way the business is done. The e-commerce and e-business has evolved through a set of technological changes coming in picture. These evolutions are as follows: a) Internal Computerization in the company: The manual

works being done in the business segments were computerized to speed up the work. Then networks were setup to share information pertaining to work. In the business universe, the network first appeared within the organization. Interactions of this network with the outside world were almost zero. For any data to get added to or get out of this system, manual intervention like retyping and transportation in floppy was required.

b) Electronics Data Interchange with suppliers: The next

big step was the extension of access of this network to suppliers. This is widely known as EDI—Electronic Data Interchange. Now one could directly place an order on his supplier’s network without needing the intervening paper work. One could also access information regarding availability of stocks and raw materials at his end, and so on. One could plan better, reduce inventories, improve turnaround time, and so on. But the cost of setting up an EDI system can be prohibitive, particularly if the seller and the suppliers are operating far apart. So very few businesses could go in for such systems.

c) Internet Connectivity to End-Users: The next logical step

would be to extend this network to the customers also. But for most businesses, even for the really big ones, this was impossible, given the spread-out nature of the end customer. The best that could be achieved was to extend

the network out to the distributor. The Internet has made it possible for business to interact directly with both the suppliers and the end-users without having to go in for heavy investments. And in the process, it re-wrote the basic rules of doing business. Anybody with a Web browser could directly make a purchase from any part of the world. Similarly, anyone with a Web server could run a multi-million-dollar business without having to invest in godowns, and other distribution and retail infrastructure. By automating the whole process––from order taking to delivery and the flow of information and decisions associated with it across organizations and the end customer–– businesses are able to react faster to customer demands, and keep market uncertainties to the barest minimum.

d) E-commerce Revolution: The services provided through

internet connectivity and money transaction, selling and purchasing over the net gave rise to revolution of E-commerce. E-commerce involve setting up Web sites, Establishing and automating business processes, enabling workflow, defining escalation mechanisms––all these are needed to get e-commerce enabled. And all this is geared toward giving better service to the customer.

Fig 1: Typical Evolutionary Path of E-Com The arena of E-business: In short, E-Business is the powerful business environment that is created when critical business systems are connected directly to customers, employees, vendors, and business partners using intranets, extranets, E-Commerce technologies, collaborative applications, and the Web. The typical evoution path of E-commece and E-business is shown in Fig 1. Electronic business is using innovative technology to build relationships and commerce globally and is the greatest opportunity and/or threat to existing business models. With the rise of the Internet and the proliferation of electronic commerce, sales force automation, call centers, and mobile computing, the very fabric of business has changed

forever. Customers have more power. Relationships are changing, competition increasing, distribution channels exploding, and startups are bringing giants to their knees. 2. Three cases of E-Commerce 1. E-commerce in Direct Point-to-point sale (Internet) 2. E-commerce in Supply chain (Extranet) 3. E-commerce to improve internal Business (Intranet) 2.1 E-commerce at Point of Sale Web offers complete capability for money transaction. The modes of transaction include catalogue purchase, auction, offer and acceptance. The catalogue purchasing sites offer listing of its entire range of products alongwith price information on the web site. Total warehouse, stock, delivery, online procurement and order tracking is fully integrated together for efficient services. The payment modes are from account, credit card, cash card and e-cash. Many of the web sites offering valued services have been applying this mode of e-commerce since a long time. The credit card payment system is one of the most popular systems of payment, even if it has some insecurity associated with it. 2.2 E-commerce at Supply Chain The suppliers have been integrated into the e-commerce network. New channels for exploiting the market have been introduced. It creates the most efficient market, reduce the labor cost, and improve flow and accuracy of information. The suppliers can download special reports, software, catalog and price list form the web and they can upload the tenders and relevant queries. For suppliers such implementation has benefit in reducing the sale costs and creating new business opportunities. At buyer's end process efficiency is achieved and the buyer has got larger supplier base and globalization of procurement can be achieved easily. Reduced purchase costs and reduced cycle time are obvious benefits. 2.3 E-commerce in internal corporate While improving the relations and interaction out of the company, the internal culture has to be improved for effective implementation of e-commerce. Total management, internal directory services, use of project management tools and putting the resources on-line will develop the intranet in the corporate. 3. Understanding E-Commerce Web shopping is only a small part of the e-commerce picture. The term also refers to online stock and bond transactions and buying and downloading software without ever going near a store. In addition, e-commerce includes business-to-business connections that make purchasing easier for big corporations. The Internet not only changed the rules of business, but also the frontiers. Today, if one has a presence on the Web, then the world is his customer. 3.1 The technologies contributing in E-commerce Electronic commerce encompasses all business conducted by means of computer networks. The typical setup is shown in fig 2. The technology development involved in creating a knowledge economy was: • Recent advances in telecommunications and computer

technologies have moved computer networks to the center of the international economic infrastructure.

• Heavy rise in Internet and the World Wide Web has transformed global commerce by facilitating instantaneous, inexpensive contact among sellers, buyers, investors, advertisers and financiers anywhere in the world.

• The rapid integration of Internet and other telecommunications-based functions into nearly every

sphere of business has led to an international focus on the New World of e-commerce.

3.2 Activities contributing to Global E-commerce Among the principal activities that can be identified as contributing to global e-commerce are –

• government services and information; • business-to-business wholesale and retail services

and sales; • business-to consumer (and consumer-to-consumer)

retail sales and transactions; • financial services and transactions; • subscription and usage-based telephony, online and

Internet access services; • subscription or transaction-based information

services and software sales; • advertising and marketing services; and

3.3 Characteristics of New Economy of E-commerce This new knowledge economy is characterized by –

• an emphasis on the human mind, rather than merely physical automation;

• being information- rather than energy intensive; • sustainability through networks, not single

organizations; • supporting distributed rather than centralized

intelligence; • requiring multiple skills and continuous learning; • replacing lifetime employment with labor market

flexibility; • customized rather than standardized products; • being enabled by information and communications

technologies

While many companies and communities are beginning to take advantage of the potential of e-commerce, critical challenges remain to be overcome before its potential can be fully realized for the benefit of all citizens. E-Commerce, security, intranets and extranets, supply chain automation and Web-enablement of existing applications are able to reduce the cost of doing business, as well as improve communications between customers and suppliers 4. Technology and Developing E-business Developing E-Business successfully means building reliable, scalable systems for security, collaboration, messaging, E-Commerce payments, supply-chain management, sales force, data warehousing, and customer relations - and integrating all of this with existing back-end operations. For E-business to survive and grow, it must deploy new E-Business technology tools to integrate new Internet-enabled enterprise with traditional legacy systems. The bottom line is that total quality of services should be ensured for proper implementation of e-commerce.



4.1 Communication Interaction As elaborated earlier, the mode of communication is changing big way both in and outside the company. The old way of correspondence is obsolete and new way, through internet and intranet are in picture. Intra-company, inter-company, intra-community communication has been highlighted in the figures Fig 3, 4(a) and 4 (b) indicating the shift in communication interactions.

4.2 Challenges in going E-commerce: As we saw earlier, getting into e-commerce (or as the brochures say, getting e-commerce enabled) is not as simple as setting up a Web page with an order form. There are three big internal challenges in "e-enabling" business. All of them have to be overcome to have a complete end-to-end e-business running. a) The first is to take your back-office processes online and to

automate your workflow

b) The second challenge is to make data-sharing possible across disparate applications like your ERP systems, your supplier’s systems, and your e-commerce order-taking systems.

c) And the third is to automate your decision-making process.

The disparate software systems that require data to be fed in to keep the business functioning—the subscriber database, the FA package, the MIS system, perhaps an ERP package, and a data warehouse need to be integrated and made fully automated. One need to ensure the smooth and automatic exchange of data across these systems. When you enter one credit-card number on the Web-based order form, it is automatically authenticated against the bank’s credit-card database. The bank would have also automated the transfer of money to the vendor’s account. That’s just one part. E-commerce happens completely when this information is automatically transferred from the bank to the vendor’s accounting package without manual intervention, and when this information automatically updates the inventory package, and so on. 5. E-commerce Security and Money Safety Issues Security is the biggest issue of E-commerce. Although Internet security breaches have gotten a lot of press, most vendors and analysts argue that transactions are actually less dangerous in cyberspace than in the physical world. That's because a great deal of credit card fraud is caused by retail sales employees who handle card numbers and every time you throw away a credit card receipt--you make yourself vulnerable to fraud. E-commerce systems remove temptation by encrypting the numbers on a company's servers. For merchants, e-commerce is actually safer than opening a store that could be looted, burned, or flooded. The difficulty is in getting customers to believe that e-commerce is safe for them. Businesses have begun exploiting the Internet for commercial transactions. Recognizing the dangers in sending confidential information over an inherently insecure media, a number of secure data transport protocols have emerged. Minimally, these protocols encrypt sensitive information such as credit card numbers to prevent unauthorized people from capturing the data. Some protocols even facilitate payment for merchants through banking institutions. Secure e-commerce transaction has to insure protection of assets and privacy. It should give reliable service, audit and accountability and identification procedure. Consequently, for these new globally technologies to advance, business and government institutions must develop policies that build greater trust in the new transaction media. The e-commerce service should be trustworthy. The principal elements of trust in the context of on-line commercial transactions can be classified as follows: • Security: Confidence that information transmitted during

a transaction will arrive in uncorrupted form and will not be improperly leaked to others; this category thus encompasses both the integrity and the confidentiality of data transmissions. It implies Security of data transmissions.

• Privacy: Concerns about access to and use of personal information obtained directly or indirectly as a result of electronic transactions. It implies Privacy protection.

• Authenticity: Verification that the parties to a transaction, and the services rendered, are truly as represented. Certification authorities and Consumer protection do it.

• Non-repudiability: Assurance that a transaction will be honored as agreed, and that each party can prove, in a court of law if necessary, the validity of the terms of the deal.

6. E-commerce Security Technologies Issues of security and cryptography tie in with both privacy protection and certification, as well as with the technical options for creating and validating digital signatures. A number of countermeasures are already being taken to ensure that e-commerce is as secure as traditional forms of transaction. Some of these are discussed below 6.1 Encryption Encryption is an essential tool in providing security in this highly-networked environment. Highly secure encryption can be deployed fairly cheaply. It is expected that encryption will be broadly adopted and embedded in most electronic communication products and applications for handling valuable data. Applications include protecting files from theft or unauthorized access, keeping communications secure from interception, and facilitating secure transactions. It is the only way to prevent forgery and eavesdropping. The open algorithms used in the past have been analyzed at great length and still there are chances of getting useful information from cyphertext analysis and traffic analysis. The whole sole security in this case depends upon the secrecy of the key with which encryption has been done. Longer keys provide the better security. Since encryption technology has been widely used in defense, so government may put some restriction in use of this technology. Because encryption technology is becoming so widely available and affordable, it would be impractical for governments to attempt to prohibit its use altogether. It may be appropriate, however, for the government to consider certain limits and requirements for encryption, such as restrictions on the complexity of encryption. An important issue that arises as the use of encryption spreads is the means and extent of lawful access to cryptographic codes (or decryption keys) by government agencies such as law enforcement and national security. 2.0 versions of Netscape Navigator and Microsoft Internet Explorer facilitate transactions encrypted using Secure Sockets Layer (SSL), a protocol that creates a secure connection to the server, protecting the information as it travels over the Internet. SSL uses public key encryption, one of the strongest encryption methods around. A way to tell that a Web site is secured by SSL is when the URL begins with https instead of http. 6.2 Cryptography Cryptographic is the technique, which can also be used to guarantee integrity (i.e. that the contents of a file or message have not been altered), to establish the identity of a party, or to make legal commitments. The strong crypto-system are now available which use different algorithms like DES, IDEA and RSA. USA law enforce data encryption algorithm key lengths to be limited to, say, less than 40 bits, to allow security agencies to decrypt transmissions, preferably in real time. This is not enough for many applications. Now how to protect the data being transmitted? This is done by doing encryption with the help of two keys. One is called private key and other is called public key. DES/IDEA requires both parties to use same keys. Now how to exchange keys over the insecure media. The message encrypted using receiver's public key can be decrypted only by receiver's private key. This technology is used widely in Web based secure servers. 6.3 Digital Signature Now in e-commerce the issue that how one know that it is really me? Evolving a digital signature does it. The digital signature is kind of message, known to me only and representing me. It is encrypted using my private key and anyone can decrypt it using my public key. The reception end, it is proved hat I have encoded the message and signed it. This technology makes the basis for the electronics cash. This is also the basis for user authentication and non-repudiation.

6.4 Digital Certificate Just signing on my messages is not enough. A identity has to be assigned to the fellow using the e-commerce services. It reflects who am I? These digital certificates are issued by some trusted third party. A digital registry of all digital certificate holders is made. The client negotiates with the registry before doing business with the server. Severs have the user's signature. 6.5 Fireball Fireball is the key component in security of network resources. Since the E-commerce is working over the net, firewalls are essential infrastructure. The firewalls are basically a software or set of protocols which isolate the networks and the traffics. The fireball have following three objectives:

- It keeps out external threats like virus and unauthorized access from external person.

- It keeps internal threats escaping out, means it prevent internal sensitive data to be transmitted outside without authorization. These are the biggest dangers. Because the persons internal to the network are having opportunity, motive an means and can exploit the misguided security policies which are more concerned with the external attacks.

- It prevent internal attacks Firewalls itself are not full proof security techniques. It introduces its own problems. Proper management and documentation has to be done in case of firewalls. It further have poor security attitudes. Over reliance on firewall can create new problems like complacency of internal threats. Further the system is poor at review and update. Fire Wall is analogous to a strong lock at the shop, but can not prevent robbery like credit card frauds. 7 Safe Money Transaction Technologies The technology providers have been continuously making new ways of payment and safe money transaction over the net. There are three most popular technologies for payments in the e-commerce and e-business arena. 1. Credit Cards 2. Electronics Cash 3. Electronics Cheques 7.1 Credit Card Money Transaction Mode When you pay with a credit card, a set of secure processes ensure that the payment reaches the merchant. Plastic money was a boon for people on the move, as they never again needed to carry hard cash. No e-commerce system can guarantee 100-percent protection for your credit card, but you're less likely to get your pocket picked online than in a real store. The credit card system has been an internationally accepted mode of payment. It has been tried to make it more secure. Browser makers and credit card companies are promoting an additional security standard called Secure Electronic Transactions (SET). SET encodes the credit card numbers that sit on vendors' servers so that only banks and credit card companies can read the numbers. This standard provides confidentiality of payment and ordering information. It also provides integrity of all the transmitted data. It also provide the authentication that card holder is the legitimate user of the card. It facilitates and encourage interoperability across software and network providers. It further provide authentication that a vendor can accept bankcard payment through its relationship with a financial institution. The disadvantages of the credit card is that a third party approval like bank is involved and further its charges come into picture. The credit card is generally not accepted for micro-



payments. The biggest disadvantages of credit card is the high security risk. The credit card number can be stolen and hence a huge damage can be possible. It creates the need for strong authentication like private keys and digital signature to avoid and fraud. 7.2 Credit card at Point of Sale Counter The standard method of credit-card authentication works through a point-of-sale terminal, or POS. When you give your credit card to the merchant, he swipes it through the POS and enters the amount to be billed. The POS dials to the acquiring bank over a telephone line and transmits this data. The acquiring bank immediately routes the information to the card-issuing bank, requesting for an authorization. The credit-card number identifies the type of credit card, issuing bank, date of expiry, and the cardholder’s account number. The issuing bank checks the credit cardholder’s account, verifies the credit limit and generates an authorization code. This is then sent to the acquiring bank, which in turn sends an approval or denial code to the merchant’s POS terminal. The POS prints out a sale draft that has to be signed by the customer. The merchant later reviews all sales drafts, and sends the codes on them to the acquiring bank through the POS. The acquiring bank sends a request to the issuing banks, which deduct an interchange fee from the acquiring bank, and pass on the payment. The acquiring bank then deposits the amount to the merchant’s account after deducting a transaction fee. It’s a great solution for merchants who process a single transaction at a time, such as restaurants, departmental stores, etc. However, for those who have to do it in bulk, it poses a big problem. So what is the solution? Taking these the transactions online. 7.3 Web Based Online-Credit Card Payment System Online transactions have become a part of normal routine in many countries, and India is fast catching up. The most common method also uses a security protocol SSL (secure sockets layer). To process credit card transactions online in real time, some software like CyberCash that must be installed both by the consumer and the merchant. When a web store is put online, the real-time credit card transaction processing works as follows: 1. A consumer places an order on your Web store using

Secure Socket Layer (SSL) encryption by clicking on buy button.

2. CyberCash software sends a request to the merchant. The merchant cybercash ask for credit card details. The consumer's payment information including credit card number is sent to CyberCash in encrypted form, then forwarded to the merchant bank, Payment Processing Inc (cybercash website).

3. Payment Processing Inc (cybercash) take out the credit card details and transfers the payment information to the cardholder's (consumer's) bank for authorization.

4. The cardholder's bank sends an authorization to your Web store by way of the merchant bank and payment-processing center.

5. An order confirmation is sent to the consumer.

The above process takes approximately 10-20 seconds to complete. If the transaction is approved, funds are usually transferred to your (merchant) bank account within 48-72 hours. Other than SET, A number of micro-payment and smart-card technology trials around the world, but these solutions haven't yet made it to the mainstream consumer. Over the last several years, a number of "virtual cash" alternatives have come and gone, but none of them have achieved widespread adoption.

7.4 Digital Currency Digital currency is very similar in concept and use as the ordinary cash. This is basically a smart card technology meant both for major and micropayments. Use of smart card technology increases security. It further provide security if the digital cash currency is stolen, it can be used once only and then it become invalidated. This is relatively is a new concept and it will take time to get popular in the customers. The biggest requirements is that smart card reader hardware is needed to available to users and merchant. Some of the technologies providers have devised its own digital currency. The most popular are Mondex. Digicash, Mondex works on smart card technology. The smart card reader reads the smart card inserted in the cartridge and sends the account information from the card to the issuing bank over the internet and after validation the amount being paid online is deducted form the account of the person's account. It can be used at ATM, Special phone, Internet. It is supported by Mastercard Transaction and purchasing. Similarly Visacash is also available to be used for online applications. The Digicash is in forms of some digital coins stored in special folder in the hard disk. These are basically some encoded software modules. Each module or coin has unique identification number. Each coin representing some particular amount. It can be sent over the network and can be e-mailed as well. There are 6 banks worldwide which accept such cash. You should have an account at the accepting bank. Now the smart card version of these coins is also available. While a buyer is intending to purchase anything over the net, it sends the coin to the seller. Seller's site sends request for verification and the validity of coin to the buyer's bank. The buyer's bank verify it with issuing institutions and sends confirmation to seller. The transaction with the buyer is completed upon confirmation. The specified amount coin is transferred to seller's bank for deposition or the seller just like ordinary cash can further spend it. The transaction model is depicted in the figure below. The technique is not so popular yet and is available in selected banks and merchants only. 7.5 Electronics Cheques Since the cheques are generally used in public, this mode of money transaction is expected to be quite popular. This technique is parallel to the debit card. This is potentially cheaper for the retailer since the third party payment or fees is not involved unlike credit card transaction. It is basically a very simple technology. So this is somwhat behind other technologies in development. 7.6 Hybrid Money Payment Mode -Cybercash The Cybercash is getting wide popularity among the world leader and merchants and users globally. It facilitate hybrid mode of payment which include credit card payment system working on SET protocols and Cybercoin system for payment from $0.25 to $10. It also support electronics cheques providing pay now facility for interactive billing applications just as ordinary bill services. The cybercash interface with many leading financial institutions. In India, the technology has not much introduced yet for implementation of web based money transaction. Only credit card system at POS terminal has become viable so far. Smart card technologies and cybercash system has yet to get into the public and it will be possible only with wide spread use of e-commerce and internet in the business arena. 8 Conclusions Electronic commerce - especially online shopping - creates radical changes in the value chain of various businesses. These changes emerged not only because of the new technology but also because of the willingness of customers to use the Internet

for commercial transactions. Therefore, some experience with the new medium is a must for successful business in future. Businesses have to find creative solutions how to deal with the spreading commercial use of the Internet. The security of money transaction over the net has to be insured either by proper use of advance technology or by use of global legal procedures enforcement. Cyber laws are at a nascent stage and the technology is far too advanced for complete control. Rules should be technology-neutral (they should neither require nor assume a particular technology) and forward-looking (they should not hinder the use or development of technologies in the future). Existing rules should be modified and new rules should be adopted only as necessary or substantially desirable to support the use of electronic technologies. The process should involve the high-tech commercial sector, as well as businesses that have not yet moved online for money transaction. The Internet has raised new issues concerning confidentiality of records in terms of access to personal details, jurisdiction over storage and use of data, and protection of financial information disclosed in electronic transactions. The e-marketplace demands a revision of national laws with a global perspective. The big issue facing e-trade is the absence of a clear-cut regulatory framework—worldwide. No wonder businessmen and consumers lack confidence in digital transactions. India, with its complex regulatory framework, needs to define transparent rules for e-commerce to keep pace with global growth.

A number of issues—taxation, tariffs, data protection, authentication, privacy and copyrights—need to be reviewed from the e-perspective. While trading on the Net, the seller needs to be sure that his intellectual property rights are protected and the buyers need to be sure of the authenticity of the products they buy. Privacy is another important issue on the Net. Organizations want to acquire all possible data about their customers/potential customers to unearth valuable relationships. E-transactions become an easy source for such personal data. Should an organization share the personal information that it collected, beyond the extent that it was collected for? References 1. Trust in Cyberspace, Committee on Information Systems

Trustworthiness, National Research Council (1999) 2. Risks and Challenges for Retailers: The Value Chain

Transformation. A European Perspective, Roman Brandtweiner, Proceedings of Association of Information Systems, Americas Conference (AIS'98), S. 277-289, (1998)

3. The Challenges of Law in Cyberspace - Fostering the Growth and Safety of E-Commerce, FTC Commissioner Mozelle W. Thompson , ( 1999)

4. E-Commerce Security: Weak Links, Best Defenses, Anup K. Ghosh, John Wiley & Sons (1998)