e-commerce notes at home
8/10/2019 E-commerce Notes at Home
1/12
Merchant Ecommerce Business Model
The merchant e-business model is the online version of your local store. If you can name it, you can find an online store selling it. Some of these may have a brick-and-mortar store and an Internet store, but the great majority are solely online.
They accept online payment methods and ship the merchandise to the customer, or they use a third-party online shipping and warehousing service. These companies warehouse and ship goods directly to the customer on your behalf, meaning no product handling or postage for you.
Advertising Ecommerce Business Model
The advertising e-business model is based on your daily newspapers and monthly magazines. You collect revenue either by renting a small space on your pages or by getting paid for every click on the ad.
Google AdSense is a perfect example of this. There are many paths out there regarding online advertising companies for you to explore.
Advertising should always be targeted directly at the readers to complement your website's content. Most advertising companies are good at doing this job for you, but I am still amazed at how many sites get it wrong.
Affiliate Ecommerce Business Model
The affiliate e-business model is based on commission sales. You do not have to buy the product to resell, and you are not involved in the handling or shipping. All of this is done by the parent company. You simply redirect the customer from your own website to the product on the parent company's website, and if they make a purchase you earn a commission.
Amazon is a good example of a parent company. They were, in fact, the first company to use this method of selling, allowing anyone to sell and get commission through Amazon's merchandise. There are many reputable affiliate programs for you to join and earn commissions from.
Brokerage Ecommerce Business Model
The brokerage e-business model is a website that brings two parties together to conduct business. The best example of this is online auctions like eBay. However, it is not limited to online auctions: online real estate, business brokers, boat brokers etc. also use this method. They generally collect a fee for their service, which can be worked out on a percentage basis or as a set fee.
Information Ecommerce Business Model
The information e-business model is based largely around specialized information on a particular subject. These websites can attract a large following of people interested in their specific field of
knowledge and will use e-commerce business models, other than their specialized information, to create revenue.
Subscription Ecommerce Business Model
In the subscription e-business model customers pay a set fee on a monthly or yearly basis to get access to the products or services of the company. Some good examples of this model are online newspapers or magazines, adult websites, and Internet service providers.
Security in E-Commerce
privacy: information must be kept from unauthorized parties.
integrity: the message must not be altered or tampered with.
authentication: sender and recipient must prove their identities to each other.
non-repudiation: proof is needed that the message was indeed received.
Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is encrypted again, but this time with a private key. Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt emails).
Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step to allow two parties to agree upon a key for symmetric secret key encryption. Here sender and recipient use keys that are generated for the particular message by a third body, a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. Then the symmetric keys are encrypted in the RSA manner, and rules set under various protocols. Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.
Digital Signatures and Certificates
Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value, the message digest. This digest, the hash function and the plain text, encrypted with the recipient's public key, are sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to check that the message digest value remains unchanged (the message has not been tampered with). Very often, the message is also timestamped by a third party agency, which provides non-repudiation.
What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: VeriSign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web-servers.
Secure Socket Layers
Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error control attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing errors. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetric secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates.
PCI, SET, Firewalls and Kerberos
Credit card details can be safely sent with SS
Secure Socket Layer (SSL) Secure Socket
Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a Secure Sockets
organizational identity. The high-security Web browser's address bar turns green and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Because VeriSign is the most recognized name in online security, VeriSign SS
Figure: [Public Key] --> Encrypted Message --> [Private Key] --> Message
The Certificate:
How do you know that you are dealing with the right person, or rather the right web site? Well, someone has gone to great lengths (if they are serious) to ensure that the web site owners are who they claim to be. This someone you have to implicitly trust: you have his/her certificate loaded in your browser (a root Certificate). A certificate contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN), which includes the Common Name (CN) (web site address or e-mail address depending on the usage), and the certificate ID of the person who certifies (signs) this information. It also contains the public key and finally a hash to ensure that the certificate has not been tampered with. As you made the choice to trust the person who signs this certificate, you therefore also trust this certificate. This is a certificate trust tree or certificate path. Usually your browser or application has already loaded the root certificates of well known Certification Authorities (CA), or root CA Certificates. The CA maintains a list of all signed certificates as well as a list of revoked certificates. A certificate is insecure until it is signed, as only a signed certificate cannot be modified. You can sign a certificate using itself; this is called a self-signed certificate. All root CA certificates are self-signed.
Public Key Encryption
Public key encryption refers to a type of cipher architecture known as public key cryptography that utilizes two keys, or a key pair, to encrypt and decrypt data. One of the two keys is a public key, which anyone can use to encrypt a message for the owner of that key. The encrypted message is sent and the recipient uses his or her private key to decrypt it. This is the basis of public key encryption.
Public key encryption is considered very secure because it does not require a secret shared key between the sender and receiver. Other encryption technologies that use a single shared key to both encrypt and decrypt data rely on both parties deciding on a key ahead of time without
other parties finding out what that key is. However, the fact that it must be shared between both parties opens the door to third parties intercepting the key. This type of encryption technology is called symmetric encryption, while public key encryption is known as asymmetric encryption.
A "key" is simply a small bit of text code that triggers the associated algorithm to encode or decode text. In public key encryption, a key pair is generated using an encryption program and the pair is associated with a name or email address. The public key can then be made public by posting it to a key server, a computer that hosts a database of public keys. Alternately, the public key can be discriminately shared by emailing it to friends and associates. Those that possess your public key can use it to encrypt messages to you. Upon receiving the encrypted message, your private key will decrypt it.
Public key encryption is especially useful for keeping email private. Any stored messages on mail servers, which can persist for years, will be unreadable, and messages in transit will also be unreadable. This degree of privacy may sound excessive until one realizes the open nature of the Internet. Sending email unencrypted is akin to making it public for anyone to read now or at some future date. United States law does not recognize email as a protected or private form of communication, unlike a telephone call or letter.
A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
An important element of the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. The only difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for him or her. What's needed, therefore, is a global registry of public keys, which is one of the promises of the new
A document that is encrypted with one of these keys can be decrypted only with the other key in the pair.
For example, let's say that Alice wants to send a message to Bob using PGP (a popular public key encryption system). She encrypts the message with Bob's public key and sends it using her favorite email program. Once the message is encrypted with Bob's public key, only Bob can decrypt the message using his private key. Even major governments using supercomputers would have to work for a very long time to decrypt this message without the private key.
se it uses two keys instead of one key (symmetric encryption).
Digital Signature and Verification
Digital signature is a mechanism by which a message is authenticated, i.e. proving that a message is effectively coming from a given sender, much like a signature on a paper document. For instance, suppose that Alice wants to digitally sign a message to Bob. To do so, she uses her private key to encrypt the message; she then sends the message along with her public key (typically, the public key is attached to the signed message). Since Alice's public key is the only key that can decrypt that message, a successful decryption constitutes a Digital Signature Verification, meaning that there is no doubt that it is Alice's private key that encrypted the message.
What is a digital signature?
A digital signature is the electronic equivalent of a handwritten signature, verifying the authenticity of electronic documents. In fact, digital signatures provide even more security than their handwritten counterparts.
More often than not a digital signature uses a system of public key encryption to verify that a document has not been altered.
What does PKE have to do with digital signatures?
Digital signatures often use a public key encryption system. Consider Alice and Bob again: how can Bob be sure that it was really Alice who sent the message, and not the criminally-minded Eve pretending to be Alice?
This is where digital signatures come in. Before encrypting the message to Bob, Alice can sign the message using her private key; when Bob decrypts the message, he can verify the signature using her public key. Here's how it works:
1. Alice creates a digest of the message, a sort of digital fingerprint. If the message changes, so does the digest.
2. Alice then encrypts the digest with her private key. The encrypted digest is the digital signature.
3. The encrypted digest is sent to Bob along with the message.
4. When Bob receives the message, he decrypts the digest using Alice's public key.
5. Bob then creates a digest of the message using the same function that Alice used.
6. Bob compares the digest that he created with the one that Alice encrypted. If the digests match, then Bob can be confident that the signed message is indeed from Alice. If they don't match, then the message has been tampered with, or isn't from Alice at all.
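The six steps above, and the certificate trust path described earlier under "The Certificate", carried out in Python as an added example (not code from the original notes): a toy RSA over SHA-256 digests, then the same sign/verify primitive used to check a web site's certificate back to a self-signed root in a trust store, including the tampered, wrong-signer, revoked and expired cases. The Mersenne primes, names, serials and dates are constructed for illustration, and keys built this way are not secure.

```python
import hashlib

# Toy RSA built from fixed, publicly known Mersenne primes so the example needs
# no key generator. Anyone can factor such a modulus: illustration only, never
# for real use. Each modulus is far larger than a 256-bit digest.
MERSENNE = {k: 2**k - 1 for k in (127, 521, 607, 1279)}

def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return (n, e), (n, d)                   # (public key, private key)

def digest(data: bytes) -> int:
    """Step 1 / step 5: the message digest, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data: bytes) -> int:
    """Step 2: 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Steps 4-6: recover the digest with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)

# A certificate is the same primitive applied to identity data: the issuer
# signs the subject's CN, its own name, the subject's public key, expiry and
# serial. Fields, serials and dates below are constructed for the example.
def signed_fields(cert) -> bytes:
    return repr([cert[k] for k in ("cn", "issuer", "pub", "expires", "serial")]).encode()

def issue(cn, pub, serial, expires, issuer_cn, issuer_priv):
    cert = {"cn": cn, "issuer": issuer_cn, "pub": pub, "expires": expires, "serial": serial}
    cert["sig"] = sign(issuer_priv, signed_fields(cert))
    return cert

def validate_path(chain, trusted_roots, revoked, today):
    """chain[0] is the web site's certificate, chain[-1] the root. Every link
    must be unexpired, unrevoked and signed by the next certificate's key; the
    root must sign itself and already sit in the trust store."""
    for cert, issuer in zip(chain, chain[1:] + chain[-1:]):   # root checks itself
        if cert["expires"] < today or cert["serial"] in revoked:
            return False
        if cert["issuer"] != issuer["cn"] or not verify(issuer["pub"], signed_fields(cert), cert["sig"]):
            return False
    root = chain[-1]
    return root["issuer"] == root["cn"] and root in trusted_roots

ca_pub, ca_priv = make_keypair(MERSENNE[127], MERSENNE[521])
alice_pub, alice_priv = make_keypair(MERSENNE[607], MERSENNE[1279])
ROOT = issue("Example Root CA", ca_pub, 1, 20301231, "Example Root CA", ca_priv)  # self-signed
SHOP = issue("shop.example", alice_pub, 2, 20261231, "Example Root CA", ca_priv)
TRUST_STORE = [ROOT]

def demo():
    msg = b"Alice pays Bob 10 units"                 # constructed sample message
    sig = sign(alice_priv, msg)
    return {
        "genuine": verify(alice_pub, msg, sig),                     # True
        "tampered": verify(alice_pub, msg + b"0", sig),             # False: digests differ
        "eve_as_alice": verify(alice_pub, msg, sign(ca_priv, msg)), # False: not Alice's key
        "chain_ok": validate_path([SHOP, ROOT], TRUST_STORE, set(), 20250101),
        "chain_revoked": validate_path([SHOP, ROOT], TRUST_STORE, {2}, 20250101),
        "chain_expired": validate_path([SHOP, ROOT], TRUST_STORE, set(), 20270101),
        "chain_untrusted_root": validate_path([SHOP, ROOT], [], set(), 20250101),
    }
```

Running demo() shows the four failure modes the notes describe: a changed message, a signature made with someone else's private key, a revoked serial and an expired or untrusted link in the path all fail, while the genuine message and intact chain pass.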
Figure: Original Message -> Message digest (through hashing by the software) -> Message digest encrypted using the private key -> digital signature
Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets
Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been through a digital switch to the bank to ensure its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.
6. The browser sends the order information. This message is encrypted with the merchant's public key, the payment information, which is encrypted with the bank's public key (which can't be read by the merchant), and information that ensures the payment can only be used with this particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.
M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and personal digital assistants (PDAs). Known as next-generation e-commerce, m-commerce enables users to access the Internet without needing to find a place to plug in. The emerging technology behind m-commerce, which is based on the Wireless Application Protocol (WAP), has made far greater strides in Europe, where mobile devices equipped with Web-ready micro-browsers are much more common than in the United States.
In order to exploit the m-commerce market potential, handset manufacturers such as Nokia, Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint to develop WAP-enabled smart phones, the industry's answer to the Swiss Army Knife, and ways to reach them. Using Bluetooth technology, smart phones offer fax, e-mail, and phone
capabilities all in one, paving the way for m-commerce to be accepted by an increasingly mobile workforce.
As content delivery over wireless devices becomes faster, more secure, and scalable, there is wide speculation that m-commerce will surpass wireline e-commerce as the method of choice for digital commerce transactions. The industries affected by m-commerce include:
Financial services, which includes mobile banking (when customers use their handheld devices to access their accounts and pay their bills) as well as brokerage services, in which stock quotes can be displayed and trading conducted from the same handheld device
Telecommunications, in which service changes, bill payment and account reviews can all be conducted from the same handheld device
Service/retail, as consumers are given the ability to place and pay for orders on-the-fly
Information services, which include the delivery of financial news, sports figures and traffic updates to a single mobile device
IBM and other companies are experimenting with speech recognition software as a way to ensure security for m-commerce transactions.
PayPal is an e-commerce business allowing payments and money transfers to be made through the Internet. PayPal serves as an electronic alternative to traditional paper methods such as checks and money orders.
A PayPal account can be funded with an electronic debit from a bank account or by a credit card. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an example of a payment intermediary service that facilitates worldwide e-commerce.
PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money (a percentage of the amount sent plus an additional fixed amount). The fees charged depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type.[2] In addition, eBay purchases made by credit card through PayPal may incur a "foreign transaction fee" if the seller is located in another country, as credit card issuers are automatically informed of the seller's country of origin.