e-commerce notes at home

Upload: laxmipant

Post on 02-Jun-2018


    8/10/2019 E-commerce Notes at Home

    1/12

    Merchant Ecommerce Business Model

    The merchant e-business model is the online version of your local store. If you can name it, you can find an online store selling it. Some of these may have a brick and mortar store and an Internet store, but the great majority are solely online.

    They accept online payment methods and ship the merchandise to the customer, or they use a 3rd party online shipping and warehousing service. These companies warehouse and ship goods directly to the customer on your behalf, meaning no product handling or postage for you.

    Advertising Ecommerce business model

    The advertising e-business model is based on your daily newspapers and monthly magazines. You collect revenue either by renting a small space on your pages or getting paid for every click on the ad. Google AdSense is a perfect example of this. There are many paths out there regarding online advertising companies for you to explore.

    Advertising should always be targeted directly at the readers to complement your website's content. Most advertising companies are good at doing this job for you, but I am still amazed at how many sites get it wrong.

    Affiliate Ecommerce business model

    The affiliate e-business model is based on commission sales. You do not have to buy the product to resell, and you are not involved in the handling or shipping. All of this is done by the parent company. You simply redirect the customer from your own website to the product on the parent company's website, and if they make a purchase you earn a commission.

    Amazon is a good example of a parent company. They were, in fact, the first company to use this method of selling, allowing anyone to sell and get commission through Amazon's merchandise. There are many reputable affiliate programs for you to join and earn commissions from.

    Brokerage Ecommerce business model

    The brokerage e-business model is a website that brings two parties together to conduct business. The best example of this is online auctions like eBay. However, it is not limited to online auctions; online real estate, business brokers, boat brokers etc. also use this method. They generally collect a fee for their service, which can be worked out on a percentage basis or as a set fee.

    Information Ecommerce business model

    The information e-business model is based largely around specialized information on a particular subject. These websites can attract a large following of people interested in their specific field of knowledge and will use e-commerce business models, other than their specialized information, to create revenue.

    Subscription Ecommerce business model

    In the subscription e-business model customers pay a set fee on a monthly or yearly basis to get access to the products or services of the company. Some good examples of this model are online newspapers or magazines, adult websites, and Internet service providers.

    Security in E-Commerce

    Privacy: information must be kept from unauthorized parties.

    Integrity: the message must not be altered or tampered with.

    Authentication: sender and recipient must prove their identities to each other.

    Non-repudiation: proof is needed that the message was indeed received.

    Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is encrypted again, but this time with a private key. Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt emails).

    Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step to allow two parties to agree upon a key for symmetric secret key encryption. Here sender and recipient use keys that are generated for the particular message by a third body, a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. Then the symmetric keys are encrypted in the RSA manner, and rules set under various protocols. Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.

    Digital Signatures and Certificates

    Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value, the message digest. This digest, the hash function and the plain text encrypted with the recipient's public key are sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to check that the message digest value remains unchanged (the message has not been tampered with). Very often, the message is also timestamped by a third party agency, which provides non-repudiation.

    What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web servers.

    Secure Socket Layers

    Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error control attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing errors. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetrical secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates.

    PCI, SET, Firewalls and Kerberos

    Credit card details can be safely sent with SS

    Secure Socket Layer (SSL) Secure Socket

    Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a Secure Sockets

    organizational identity. The high-security Web browser's address bar turns green and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Because VeriSign is the most recognized name in online security, VeriSign SS

    [Public Key] --> Encrypted Message --> [Private Key] --> Message

    The Certificate:

    How do you know that you are dealing with the right person, or rather the right web site? Well, someone has taken great lengths (if they are serious) to ensure that the web site owners are who they claim to be. This someone you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN) which includes the Common Name (CN) (web site address or e-mail address depending on the usage) and the certificate ID of the person who certifies (signs) this information. It also contains the public key and finally a hash to ensure that the certificate has not been tampered with. As you made the choice to trust the person who signs this certificate, you therefore also trust this certificate. This is a certificate trust tree or certificate path. Usually your browser or application has already loaded the root certificates of well known Certification Authorities (CA), the root CA Certificates. The CA maintains a list of all signed certificates as well as a list of revoked certificates. A certificate is insecure until it is signed, as only a signed certificate cannot be modified. You can sign a certificate using itself; this is called a self signed certificate. All root CA certificates are self signed.
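    The certificate path described above, as an added example in Go's crypto/x509 (not code from the notes): a self-signed root CA certificate is created, it signs a web-server certificate, and the browser-side check accepts the server certificate only when the root is in the trust store, the certificate is within its validity period, and the name matches the site visited. The CA and host names are constructed; no real CA is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template describes a CA certificate (isCA) or a web-server certificate for name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // the CN from the notes
		NotBefore:             time.Now().Add(-time.Hour),  // duration of validity
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign // may sign other certificates
	} else {
		t.DNSNames = []string{name} // the web site address the browser will match
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub under signer's key. parent == tmpl gives a self-signed
// certificate, which is how every root CA certificate is made.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a self-signed root CA and a server certificate signed by it.
func BuildChain(caName, host string) (root, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := template(caName, 1, true)
	if root, err = sign(rootTmpl, rootTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = sign(template(host, 2, false), root, &hostKey.PublicKey, caKey)
	return root, leaf, err
}

// TrustedFor is the browser's check: does leaf chain to the root loaded in the
// trust store, is it within its validity period, and does its name match host?
func TrustedFor(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, site, _ := BuildChain("Example Root CA", "shop.example") // constructed names
	_, other, _ := BuildChain("Unknown CA", "shop.example")        // not in the trust store
	fmt.Println("trusted root:", TrustedFor(site, root, "shop.example"))
	fmt.Println("unknown CA:", TrustedFor(other, root, "shop.example"))
}
```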

    Public Key Encryption

    Public key encryption refers to a type of cipher architecture known as public key cryptography that utilizes two keys (a key pair) to encrypt and decrypt data. One of the two keys is a public key, which anyone can use to encrypt a message for the owner of that key. The encrypted message is sent and the recipient uses his or her private key to decrypt it. This is the basis of public key encryption.

    Public key encryption is considered very secure because it does not require a secret shared key between the sender and receiver. Other encryption technologies that use a single shared key to both encrypt and decrypt data rely on both parties deciding on a key ahead of time without other parties finding out what that key is. However, the fact that it must be shared between both parties opens the door to third parties intercepting the key. This type of encryption technology is called symmetric encryption, while public key encryption is known as asymmetric encryption.

    A "key" is simply a small bit of text code that triggers the associated algorithm to encode or decode text. In public key encryption, a key pair is generated using an encryption program and the pair is associated with a name or email address. The public key can then be made public by posting it to a key server, a computer that hosts a database of public keys. Alternately, the public key can be discriminately shared by emailing it to friends and associates. Those that possess your public key can use it to encrypt messages to you. Upon receiving the encrypted message, your private key will decrypt it.

    Public key encryption is especially useful for keeping email private. Any stored messages on mail servers, which can persist for years, will be unreadable, and messages in transit will also be unreadable. This degree of privacy may sound excessive until one realizes the open nature of the Internet. Sending email unencrypted is akin to making it public for anyone to read now or at some future date. United States law does not recognize email as a protected or private form of communication, unlike a telephone call or letter.

    A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.

    An important element of the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.

    Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. The only difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for him or her. What's needed, therefore, is a global registry of public keys, which is one of the promises of the new

    A document that is encrypted with one of these keys can be decrypted only with the other key in the pair.

    For example, let's say that Alice wants to send a message to Bob using PGP (a popular public key encryption system). She encrypts the message with Bob's public key and sends it using her favorite email program. Once the message is encrypted with Bob's public key, only Bob can decrypt the message using his private key. Even major governments using supercomputers would have to work for a very long time to decrypt this message without the private key.

    se it uses two keys instead of one key (symmetric encryption).

    Digital Signature and Verification

    A digital signature is a mechanism by which a message is authenticated, i.e. proving that a message is effectively coming from a given sender, much like a signature on a paper document. For instance, suppose that Alice wants to digitally sign a message to Bob. To do so, she uses her private key to encrypt the message; she then sends the message along with her public key (typically, the public key is attached to the signed message). Since Alice's public key is the only key that can decrypt that message, a successful decryption constitutes a Digital Signature Verification, meaning that there is no doubt that it is Alice's private key that encrypted the message.

    What is a digital signature?

    A digital signature is the electronic equivalent of a handwritten signature, verifying the authenticity of electronic documents. In fact, digital signatures provide even more security than their handwritten counterparts.

    More often than not a digital signature uses a system of public key encryption to verify that a document has not been altered.

    What does PKE have to do with digital signatures?

    Digital signatures often use a public key encryption system. Consider Alice and Bob again: how can Bob be sure that it was really Alice who sent the message, and not the criminally-minded Eve pretending to be Alice?

    This is where digital signatures come in. Before encrypting the message to Bob, Alice can sign the message using her private key; when Bob decrypts the message, he can verify the signature using her public key. Here's how it works:

    1. Alice creates a digest of the message, a sort of digital fingerprint. If the message changes, so does the digest.

    2. Alice then encrypts the digest with her private key. The encrypted digest is the digital signature.

    3. The encrypted digest is sent to Bob along with the message.

    4. When Bob receives the message, he decrypts the digest using Alice's public key.

    5. Bob then creates a digest of the message using the same function that Alice used.

    6. Bob compares the digest that he created with the one that Alice encrypted. If the digests match, then Bob can be confident that the signed message is indeed from Alice. If they don't match, then the message has been tampered with, or isn't from Alice at all.

    Original Message ->

    Message digest (through hashing by the software) ->

    Message digest encrypted using the private key ->

    digital signature
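    Steps 1 to 6 above as an added Go example (not code from the notes): SHA-256 is the digest function and RSA PKCS#1 v1.5 signing is the "encrypt the digest with the private key" operation, so Verify returns false both for a message altered after signing and for a signature Eve made with her own key. Alice's and Eve's keys are generated on the fly and the messages are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signed is what Alice sends in step 3: the message and the digital signature.
type Signed struct {
	Message   []byte
	Signature []byte
}

// digest is the "fingerprint" of steps 1 and 5; both sides must use the same function.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign is steps 1-2: hash the message and apply Alice's private key to the digest
// (RSA PKCS#1 v1.5 signing is that private-key operation on the padded digest).
func Sign(alicePriv *rsa.PrivateKey, msg []byte) (Signed, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, alicePriv, crypto.SHA256, digest(msg))
	if err != nil {
		return Signed{}, err
	}
	return Signed{Message: msg, Signature: sig}, nil
}

// Verify is steps 4-6: Bob recomputes the digest of the received message and checks
// it against the digest recovered with Alice's public key. false means the message
// was altered, the signature is corrupt, or someone else signed; it does not say which.
func Verify(alicePub *rsa.PublicKey, s Signed) bool {
	return rsa.VerifyPKCS1v15(alicePub, crypto.SHA256, digest(s.Message), s.Signature) == nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	eve, _ := rsa.GenerateKey(rand.Reader, 2048)
	s, _ := Sign(alice, []byte("Pay Bob 100 (constructed sample)"))
	fmt.Println("genuine:", Verify(&alice.PublicKey, s))
	s.Message = []byte("Pay Eve 100 (constructed sample)") // altered in transit
	fmt.Println("tampered:", Verify(&alice.PublicKey, s))
	forged, _ := Sign(eve, []byte("Pay Eve 100 (constructed sample)")) // Eve's own key
	fmt.Println("forged:", Verify(&alice.PublicKey, forged))
}
```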

    Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets

    Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.

    1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.

    2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been through a digital switch to the bank to ensure its validity.

    3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.

    4. The customer places an order over a Web page, by phone, or some other means.

    5. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.

    6. The browser sends the order information. This message is encrypted with the merchant's public key, the payment information, which is encrypted with the bank's public key (which can't be read by the merchant), and information that ensures the payment can only be used with this particular order.

    7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.

    8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.

    9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.

    10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.
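    Step 6's "information that ensures the payment can only be used with this particular order", as an added example in Go that is neither code from the notes nor SET's actual message format: the customer encrypts the order for the merchant and the payment data for the bank with RSA-OAEP, and signs the pair of digests, so the merchant can check the link without reading the payment data and the bank can reject payment data re-attached to another order. All keys and values are constructed; the wallet, certificate exchange and authorization steps are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Purchase is the step-6 message: each party gets its own part encrypted, the
// digest of the part it cannot read, and one customer signature over both digests.
type Purchase struct {
	OrderForMerchant, PaymentForBank []byte
	OrderDigest, PaymentDigest       []byte
	LinkSignature                    []byte
}

func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// linkDigest is what the customer signs: H(H(order) || H(payment)).
func linkDigest(orderDigest, paymentDigest []byte) []byte {
	return hash(append(append([]byte{}, orderDigest...), paymentDigest...))
}

// checkLink verifies the customer's signature against the two digests a party holds.
func checkLink(custPub *rsa.PublicKey, orderDigest, paymentDigest, sig []byte) error {
	return rsa.VerifyPKCS1v15(custPub, crypto.SHA256, linkDigest(orderDigest, paymentDigest), sig)
}

// Customer assembles the purchase message in the browser.
func Customer(custPriv *rsa.PrivateKey, merchantPub, bankPub *rsa.PublicKey, order, payment []byte) (Purchase, error) {
	p := Purchase{OrderDigest: hash(order), PaymentDigest: hash(payment)}
	var err error
	if p.OrderForMerchant, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, order, nil); err != nil {
		return p, err
	}
	if p.PaymentForBank, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, payment, nil); err != nil {
		return p, err
	}
	p.LinkSignature, err = rsa.SignPKCS1v15(rand.Reader, custPriv, crypto.SHA256, linkDigest(p.OrderDigest, p.PaymentDigest))
	return p, err
}

// Merchant recovers only the order and checks that the signature ties it to the
// payment digest it was handed; the payment data itself stays unreadable to it.
func Merchant(merchantPriv *rsa.PrivateKey, custPub *rsa.PublicKey, p Purchase) ([]byte, error) {
	order, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, merchantPriv, p.OrderForMerchant, nil)
	if err != nil {
		return nil, err
	}
	if err := checkLink(custPub, hash(order), p.PaymentDigest, p.LinkSignature); err != nil {
		return nil, err
	}
	return order, nil
}

// Bank recovers only the payment data and checks the same signature with the order
// digest the merchant forwarded, so payment data cannot be reused for another order.
func Bank(bankPriv *rsa.PrivateKey, custPub *rsa.PublicKey, p Purchase) ([]byte, error) {
	payment, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bankPriv, p.PaymentForBank, nil)
	if err != nil {
		return nil, err
	}
	if err := checkLink(custPub, p.OrderDigest, hash(payment), p.LinkSignature); err != nil {
		return nil, err
	}
	return payment, nil
}

func main() {
	cust, _ := rsa.GenerateKey(rand.Reader, 2048)
	merch, _ := rsa.GenerateKey(rand.Reader, 2048)
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)
	p, _ := Customer(cust, &merch.PublicKey, &bank.PublicKey, []byte("order 1: 2 widgets"), []byte("card 0000 (constructed)"))
	fmt.Println(Merchant(merch, &cust.PublicKey, p)) // the order, and no error
}
```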

    M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and personal digital assistants (PDAs). Known as next-generation e-commerce, m-commerce enables users to access the Internet without needing to find a place to plug in. The emerging technology behind m-commerce, which is based on the Wireless Application Protocol (WAP), has made far greater strides in Europe, where mobile devices equipped with Web-ready micro-browsers are much more common than in the United States.

    In order to exploit the m-commerce market potential, handset manufacturers such as Nokia, Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint to develop WAP-enabled smart phones, the industry's answer to the Swiss Army knife, and ways to reach them. Using Bluetooth technology, smart phones offer fax, e-mail, and phone capabilities all in one, paving the way for m-commerce to be accepted by an increasingly mobile workforce.

    As content delivery over wireless devices becomes faster, more secure, and scalable, there is wide speculation that m-commerce will surpass wireline e-commerce as the method of choice for digital commerce transactions. The industries affected by m-commerce include:

    Financial services, which includes mobile banking (when customers use their handheld devices to access their accounts and pay their bills) as well as brokerage services, in which stock quotes can be displayed and trading conducted from the same handheld device

    Telecommunications, in which service changes, bill payment and account reviews can all be conducted from the same handheld device

    Service/retail, as consumers are given the ability to place and pay for orders on-the-fly

    Information services, which include the delivery of financial news, sports figures and traffic updates to a single mobile device

    IBM and other companies are experimenting with speech recognition software as a way to ensure security for m-commerce transactions.

    PayPal is an e-commerce business allowing payments and money transfers to be made through the Internet. PayPal serves as an electronic alternative to traditional paper methods such as checks and money orders.

    A PayPal account can be funded with an electronic debit from a bank account or by a credit card. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an example of a payment intermediary service that facilitates worldwide e-commerce.

    PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money (a percentage of the amount sent plus an additional fixed amount). The fees charged depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type.[2] In addition, eBay purchases made by credit card through PayPal may incur a "foreign transaction fee" if the seller is located in another country, as credit card issuers are automatically informed of the seller's country of origin.
