ECOM

Upload: rati-khandelwal
Post on 14-Oct-2014

UNIT I

INTRODUCTION TO E COMMERCE

Electronic Markets: The principal function of an electronic market is to facilitate the search for the required product or service. Airline booking systems are an example of an electronic market.

Electronic Data Interchange (EDI): EDI provides for the efficient transaction of recurrent trade exchanges between commercial organizations. EDI is widely used by, for example, large retail groups and vehicle assemblers when trading with their suppliers.

Internet Commerce: The Internet (and similar network facilities) can be used for advertising goods and services and transacting one-off deals. Internet commerce has application for both business-to-business and business-to-consumer transactions.

Fig 1.1: The three categories of E Commerce

The Scope of Electronic Commerce

Electronic Commerce (e-Commerce) is a term popularized by the advent of commercial services on the Internet. Internet e-Commerce is, however, only one part of the overall sphere of e-Commerce. The commercial use of the Internet is perhaps typified by once-off sales to consumers. Other types of transactions use other technologies. Electronic Markets (EMs) are in use in a number of trade segments with an emphasis on search facilities, and Electronic Data Interchange (EDI) is used for regular and standardized transactions between organizations. The mainstream of e-Commerce consists of these three areas; these are represented as a diagram in Figure 1.1 and outlined in a little more detail below.

Electronic Markets

An electronic market is the use of information and communications technology to present a range of offerings available in a market segment so that the purchaser can compare the prices (and other attributes) of the offerings and make a purchase decision. The usual example of an electronic market is an airline booking system.

Electronic Data Interchange (EDI)

EDI provides a standardized system for coding trade transactions so that they can be communicated directly from one computer system to another without the need for printed orders and invoices and the delays and errors implicit in paper handling. EDI is used by organizations that make a large number of regular transactions. One sector where EDI is extensively used is the large supermarket chains, which use EDI for transactions with their suppliers.

Internet Commerce

Information and communications technologies can also be used to advertise and make once-off sales of a wide range of goods and services. This type of e-Commerce is typified by the commercial use of the Internet. The Internet can, for example, be used for the purchase of books that are then delivered by post, or the booking of tickets that can be picked up by the clients when they arrive at the event. It is to be noted that the Internet is not the only technology used for this type of service, and this is not the only use of the Internet in e-Commerce.

Usage of Electronic Markets

Electronic markets are exemplified by the airline booking systems. Electronic markets are also used in the financial and commodity markets, and again the dealing is done via intermediaries; to buy stocks and shares a member of the public uses the services of a stockbroker. Arguably the use of electronic markets has served the customer well. With the assistance of a good travel agent the airline customer can be informed of all the flights available for an intended journey and then select, on the basis of price, convenience, loyalty scheme, etc., the flight that they wish to book.

Advantages and Disadvantages of Electronic Markets

The advantages of an electronic market to the customer are self-evident. Using an airline booking system, for example, there is a screen that shows all the flights from (say) New York to Los Angeles and the consumer can make an informed choice without having to spend time and effort finding out which airlines fly that route and then contacting each of the airlines to obtain flight times, price and availability details. Once a flight is selected the system facilitates the booking of that flight, paying the fare and printing the ticket.

For the seller the advantages are less evident. The seller that is the most competitive may do well: the electronic market makes available information on their product and the advantage of that offering should be apparent. Less competitive suppliers are likely to be forced into price reductions, and the competitive effect may force all suppliers to cut prices, possibly below the level at which it is possible to make a profit (as is the case on some air transport routes).

Fig 1.2: Basic transactions in EDI

The above figure shows the basic transactions which take place between two business organizations. Let's see the benefits when these transactions are carried out not manually but through computer systems; that is what is known as EDI.

The Benefits of EDI

EDI can bring a number of advantages to the organizations that use it. It should save considerable time on the exchange of business transactions and has the potential for considerable savings in costs. EDI can be simply used to replace paper transactions with electronic transactions – this is the normal route taken in the initial installation of EDI. The full advantage of EDI is only realized when business practices are restructured to make full use of the potential of EDI; when EDI is used as an enabling technology to change the way the business operates – just-in-time (JIT) manufacture and quick response supply being prime examples of where EDI is used as an enabling technology to gain competitive advantage.

The direct advantages of EDI include:

Shortened Ordering Time

Paper orders have to be printed, enveloped and sent out by the customer's post room, passed through the postal service, received by the supplier's post room, and input to the supplier's order processing system. To achieve all this, reliably, in under three days would be to do very well. EDI orders are sent straight into the network and the only delay is how often the supplier retrieves messages from the system. Orders can be in the supplier's system within a day, or if there is urgency the messages can be retrieved more frequently, for example every hour.

Cost Cutting

The use of EDI can cut costs. These include the costs of stationery and postage, but these will probably be fully matched by the costs of running the EDI service. The principal saving from the use of EDI is the potential to save staff costs. The obvious example of this is that if the orders are directly input to the system there is no need for an order entry clerk. Note also that seasonal peaks, staff holidays, etc. no longer create a backlog in the order entry area. The cost savings need to be offset against the system development and network costs.

Elimination of Errors

Keying any information into a computer system is a source of errors, and keying paper orders into the order processing system is no exception. EDI eliminates this source of errors. On the down side, there is no order entry clerk who might have spotted errors made by the customer – the customer will get what the customer asked for.

Fast Response

With paper orders it would be several days before the customer was informed of any supply difficulty, such as the product being out of stock. With EDI the customer can be informed much sooner, allowing an alternative product to be ordered or an alternative supplier to be used.

Accurate Invoicing

Just like orders, invoices can be sent electronically. EDI invoices have similar advantages to EDI orders in saved time and avoided errors. However, the major advantage in EDI invoices is that they can be automatically matched against the original order and cleared for payment without the sort of queries that arise when paper invoices are matched to orders.

EDI Payment

Payment can also be made by EDI. The EDI payment system can also generate an EDI payment advice that can be electronically matched against the relevant invoices, again avoiding query and delay.
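The automatic invoice-to-order matching described under Accurate Invoicing, as an added worked example that is not part of the lecture notes: the record layout, the order number PO-1001 and the product codes are constructed for the illustration and do not follow any real EDI message standard. An invoice that agrees with its order line for line is cleared for payment; one that disagrees is returned as a list of queries, which is exactly the manual query step that an exact match avoids.

```python
"""Added example (not from the lecture notes): automatic matching of an
EDI invoice against the original order, as described under 'Accurate
Invoicing'. Record formats and sample data are constructed for the
illustration; they are not a real EDI standard."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    product: str
    quantity: int
    unit_price: Decimal


# Constructed sample documents: an order sent by the customer and the
# supplier's invoice for that order, keyed by a constructed order number.
ORDER = {
    "order_no": "PO-1001",
    "lines": [
        Line("WIDGET-A", 100, Decimal("2.50")),
        Line("WIDGET-B", 40, Decimal("7.00")),
    ],
}

# Invoice that matches the order exactly.
INVOICE_OK = {
    "order_no": "PO-1001",
    "lines": [
        Line("WIDGET-A", 100, Decimal("2.50")),
        Line("WIDGET-B", 40, Decimal("7.00")),
    ],
}

# Invoice that disagrees with the order in several ways.
INVOICE_BAD = {
    "order_no": "PO-1001",
    "lines": [
        Line("WIDGET-A", 100, Decimal("2.75")),  # price differs from order
        Line("WIDGET-C", 5, Decimal("1.00")),    # product never ordered
        # WIDGET-B was ordered but is missing from this invoice
    ],
}


def match_invoice(order: dict, invoice: dict) -> list[str]:
    """Compare an invoice with its order line by line.

    Returns a list of discrepancy descriptions (the 'queries' a clerk would
    otherwise raise); an empty list means the invoice matches the order
    exactly and can be cleared for payment without manual intervention.
    """
    if invoice["order_no"] != order["order_no"]:
        return [f"invoice refers to {invoice['order_no']}, expected {order['order_no']}"]

    ordered = {line.product: line for line in order["lines"]}
    invoiced = {line.product: line for line in invoice["lines"]}
    queries: list[str] = []

    for product, inv in invoiced.items():
        ord_line = ordered.get(product)
        if ord_line is None:
            queries.append(f"{product}: invoiced but not on order")
            continue
        if inv.quantity != ord_line.quantity:
            queries.append(f"{product}: quantity {inv.quantity} invoiced, {ord_line.quantity} ordered")
        if inv.unit_price != ord_line.unit_price:
            queries.append(f"{product}: price {inv.unit_price} invoiced, {ord_line.unit_price} ordered")

    # Lines ordered but absent from the invoice also need a query.
    for product in sorted(ordered.keys() - invoiced.keys()):
        queries.append(f"{product}: ordered but not invoiced")
    return queries


def clear_for_payment(order: dict, invoice: dict) -> bool:
    """True when the automatic match raises no query at all."""
    return not match_invoice(order, invoice)


if __name__ == "__main__":
    print("OK invoice queries: ", match_invoice(ORDER, INVOICE_OK))
    print("BAD invoice queries:", match_invoice(ORDER, INVOICE_BAD))
```

Decimal is used for prices so that an invoice showing 2.50 against an order for 2.50 never fails the match through floating-point rounding; that kind of false query is the thing automated matching is meant to remove.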

Indirect advantages of the use of EDI can be:

Reduced Stock Holding

The ability to order regularly and quickly reduces the amount of goods that need to be kept in a store room or warehouse at the shop or the factory. For many JIT manufacture and quick response supply systems stockholding is eliminated altogether, with goods being delivered only as they are needed. Reduced stock holding cuts the cost of warehousing, the double handling of goods (into store and then out again onto the factory or shop floor) and the capital requirement to pay for the goods that are just sitting in store.

Cash Flow

Speeding up the trade cycle by getting invoices out quickly, and directly matched to the corresponding orders and deliveries, can and should speed up payments and hence improve cash flow. Elimination of most invoice queries can be particularly significant in reducing delays in payments.

Business Opportunities

There is a steady increase in the number of customers, particularly large, powerful customers, that will only trade with suppliers that do business via EDI. Supermarkets and vehicle assemblers are prime examples. Being ready and able to trade electronically can be an advantage when competing for new business.

Customer Lock-in

An established EDI system should be of considerable advantage to both customer and supplier. Switching to a new supplier requires that the electronic trading system and trading relationship be redeveloped, a problem to be avoided if a switch of supplier is not essential.

To gain these advantages EDI has to be seen as an investment: there are costs upfront and the payback is longer term. The costs are the set-up of the EDI system (hardware, software and network) and the time required to establish agreements with trading partners. The savings only start when there is a significant volume of business transacted using EDI, a point that is called the 'critical mass' in the jargon of EDI.

Summary:

Electronic Commerce (e-Commerce) is a general concept covering any form of business transaction or information exchange executed using information and communication technologies (ICTs). E-Commerce takes place between companies, between companies and their customers, or between companies and public administrations. Electronic Commerce includes electronic trading of goods, services and electronic material.

An electronic market is the use of information and communications technology to present a range of offerings available in a market segment so that the purchaser can compare the prices (and other attributes) of the offerings and make a purchase decision.

EDI provides a standardized system for coding trade transactions so that they can be communicated directly from one computer system to another without the need for printed orders and invoices and the delays and errors implicit in paper handling.

Information and communications technologies can also be used to advertise and make once-off sales of a wide range of goods and services. This type of e-Commerce is typified by the commercial use of the Internet.

Topic: Introduction; Categories of E commerce; Benefits and limitations of E Commerce; Comparison between Traditional Commerce and Ecommerce; Summary

Objectives

· Describe the categories of E commerce
· Describe the benefits and limitations of E Commerce

In the previous lecture we divided the applications of E commerce into three categories; today we will categorize E commerce according to the parties involved in the business.

· Business-to-business (B2B). Most of EC today is of this type. It includes the EDI transactions described earlier and electronic market transactions between organizations.

· Business-to-consumer (B2C). These are retailing transactions with individual shoppers. The typical shopper at Amazon.com is a consumer, or customer.

· Consumer-to-consumer (C2C). In this category a consumer sells directly to other consumers. Examples are individuals selling in classified ads (e.g., www.classified2000.com) and selling residential property, cars, and so on. Advertising personal services on the Internet and selling knowledge and expertise is another example of C2C. Several auction sites allow individuals to put items up for auction. Finally, many individuals are using intranets and other organizational internal networks to advertise items for sale or services.

· Consumer-to-business (C2B). This category includes individuals who sell products or services to organizations, as well as individuals who seek sellers, interact with them, and conclude a transaction.

· Nonbusiness EC. An increased number of nonbusiness institutions such as academic institutions, not-for-profit organizations, religious organizations, social organizations, and government agencies are using various types of EC to reduce their expenses (e.g., improve purchasing) or to improve their operations and customer service. (Note that in the previous categories one can usually replace the word business with organization.)

· Intrabusiness (organizational) EC. In this category we include all internal organizational activities, usually performed on intranets, that involve exchange of goods, services or information. Activities can range from selling corporate products to employees to online training and cost reduction activities.

Everything has its pros and cons, and the same is true of E Commerce; let's have a look.

Benefits and Limitations

The Benefits of EC

Few innovations in human history encompass as many potential benefits as EC does. The global nature of the technology, low cost, opportunity to reach hundreds of millions of people (projected within 10 years), interactive nature, variety of possibilities, and resourcefulness and rapid growth of the supporting infrastructures (especially the Web) result in many potential benefits to organizations, individuals, and society. These benefits are just starting to materialize, but they will increase significantly as EC expands.

Benefits to Organizations

The benefits to organizations are as follows:

· Electronic commerce expands the marketplace to national and international markets. With minimal capital outlay, a company can easily and quickly locate more customers, the best suppliers, and the most suitable business partners worldwide. For example, in 1997, Boeing Corporation reported a savings of 20 percent after a request for a proposal to manufacture a subsystem was posted on the Internet. A small vendor in Hungary answered the request and won the electronic bid. Not only was the subsystem cheaper, but it was delivered quickly.

· Electronic commerce decreases the cost of creating, processing, distributing, storing, and retrieving paper-based information. For example, by introducing an electronic procurement system, companies can cut the purchasing administrative costs by as much as 85 percent. Another example is benefit payments. For the U.S. federal government, the cost of issuing a paper check is 43¢. The cost of electronic payment is 2¢.

· Ability to create highly specialized businesses. For example, dog toys, which can be purchased only in pet shops or department and discount stores in the physical world, are now sold in a specialized www.dogtoys.com (also see www.cattoys.com).

· Electronic commerce allows reduced inventories and overhead by facilitating "pull"-type supply chain management. In a pull-type system the process starts from customer orders and uses just-in-time manufacturing. The pull-type processing enables expensive customization of products and services, which provides competitive advantage to its implementers. A classic example is Dell Computer Corp., whose case will be described later.

· Electronic commerce reduces the time between the outlay of capital and the receipt of products and services.

· Electronic commerce initiates business process reengineering projects. By changing processes, the productivity of salespeople, knowledge workers, and administrators can increase by 100 percent or more.

· Electronic commerce lowers telecommunications cost: the Internet is much cheaper than VANs.

· Other benefits include improved image, improved customer service, newfound business partners, simplified processes, compressed cycle and delivery time, increased productivity, eliminating paper, expediting access to information, reduced transportation costs, and increased flexibility.

Benefits to Consumers

The benefits of EC to consumers are as follows:

· Electronic commerce enables customers to shop or do other transactions 24 hours a day, all year round, from almost any location.

· Electronic commerce provides customers with more choices to select from.

· Electronic commerce frequently provides customers with less expensive products and services by allowing them to shop in many places and conduct quick comparisons.

· In some cases, especially with digitized products, EC allows quick delivery.

· Customers can receive relevant and detailed information in seconds, rather than days or weeks.

· Electronic commerce makes it possible to participate in virtual auctions.

· Electronic commerce allows customers to interact with other customers in electronic communities and exchange ideas as well as compare experiences.

· Electronic commerce facilitates competition, which results in substantial discounts.

Benefits to Society

The benefits of EC to society are as follows:

· Electronic commerce enables more individuals to work at home and to do less traveling for shopping, resulting in less traffic on the roads and lower air pollution.

· Electronic commerce allows some merchandise to be sold at lower prices, so less affluent people can buy more and increase their standard of living.

· Electronic commerce enables people in Third World countries and rural areas to enjoy products and services that otherwise are not available to them. This includes opportunities to learn professions and earn college degrees.

· Electronic commerce facilitates delivery of public services, such as health care, education, and distribution of government social services at a reduced cost and/or improved quality. Health-care services, for example, can reach patients in rural areas.

The limitations of EC can be grouped into technical and nontechnical categories.

Technical Limitations of EC

The technical limitations of EC are as follows:

· There is a lack of system security, reliability, standards, and some communication protocols.
· There is insufficient telecommunication bandwidth.
· The software development tools are still evolving and changing rapidly.
· It is difficult to integrate the Internet and EC software with some existing applications and databases.
· Vendors may need special Web servers and other infrastructures, in addition to the network servers.
· Some EC software might not fit with some hardware, or may be incompatible with some operating systems or other components.

As time passes, these limitations will lessen or be overcome; appropriate planning can minimize their impact.

Nontechnical Limitations

Of the many nontechnical limitations that slow the spread of EC, the following are the major ones.

· Cost and justification. The cost of developing EC in-house can be very high, and mistakes due to lack of experience may result in delays. There are many opportunities for outsourcing, but where and how to do it is not a simple issue. Furthermore, to justify the system one must deal with some intangible benefits (such as improved customer service and the value of advertisement), which are difficult to quantify.

· Security and privacy. These issues are especially important in the B2C area, especially security issues, which are perceived to be more serious than they really are when appropriate encryption is used. Privacy measures are constantly improved. Yet the customers perceive these issues as very important, and the EC industry has a very long and difficult task of convincing customers that online transactions and privacy are, in fact, very secure.

· Lack of trust and user resistance. Customers do not trust an unknown faceless seller (sometimes they do not trust even known ones), paperless transactions, and electronic money. So switching from physical to virtual stores may be difficult.

· Other limiting factors. Lack of touch and feel online: some customers like to touch items such as clothes and like to know exactly what they are buying. Many legal issues are as yet unresolved, and government regulations and standards are not refined enough for many circumstances. Electronic commerce, as a discipline, is still evolving and changing rapidly; many people are looking for a stable area before they enter into it. There are not enough support services; for example, copyright clearance centers for EC transactions do not exist, and high-quality evaluators, or qualified EC tax experts, are rare. In most applications there are not yet enough sellers and buyers to be profitable. Electronic commerce could result in a breakdown of human relationships. Accessibility to the Internet is still expensive and/or inconvenient for many potential customers. (With Web TV, cell telephone access, kiosks, and constant media attention, the critical mass will eventually develop.)

Despite these limitations, rapid progress in EC is taking place. For example, the number of people in the United States who buy and sell stocks electronically increased from 300,000 at the beginning of 1996 to about 10 million in fall 1999. As experience accumulates and technology improves, the ratio of EC benefits to costs will increase, resulting in a greater rate of EC adoption. The potential benefits may not be convincing enough reasons to start EC activities.

Summary:

· We can categorize E commerce according to the parties involved in the business, like B2B, B2C, C2C and C2B.
· The benefits of E Commerce to organizations include expansion of the marketplace to national and international markets, decreases in the cost of creating, processing, distributing, storing, and retrieving paper-based information, and reduction in inventories.
· E commerce enables customers to shop or do other transactions 24 hours a day and provides customers with more choices.
· Electronic commerce facilitates delivery of public services, such as health care, education, and distribution of government social services at a reduced cost and/or improved quality.
· Limitations of E Commerce can be technical, like lack of system security, reliability, standards, and some communication protocols, and non-technical, like the cost involved in developing in-house E Commerce and the security of data.

UNIT – II

COMPUTER NETWORK

A computer network is an interconnection of various computer systems located at different places. In a computer network two or more computers are linked together with a medium and data communication devices for the purpose of communicating data and sharing resources. The computer that provides resources to other computers on a network is known as a server. In the network the individual computers, which access shared network resources, are known as workstations or nodes.

Computer networks may be classified on the basis of geographical area into two broad categories.

1. Local Area Network (LAN)

2. Wide Area Network (WAN)

Local Area Network

Networks used to interconnect computers in a single room, rooms within a building or buildings on one site are called Local Area Networks (LAN). A LAN transmits data with a speed of several megabits per second (10^6 bits per second). The transmission medium is normally coaxial cable.

A LAN links computers, i.e., software and hardware, in the same area for the purpose of sharing information. Usually a LAN links computers within a limited geographical area because they must be connected by a cable, which is quite expensive. People working on a LAN get more capabilities in data processing, word processing and other information exchange compared to stand-alone computers. Because of this information exchange most business and government organisations are using LANs.

Major Characteristics of LAN

· Every computer has the potential to communicate with any other computer on the network
· High degree of interconnection between computers
· Easy physical connection of computers in a network
· Inexpensive medium of data transmission
· High data transmission rate

Advantages

· The reliability of the network is high because the failure of one computer in the network does not affect the functioning of other computers.
· Addition of a new computer to the network is easy.
· High rate of data transmission is possible.
· Peripheral devices like magnetic disks and printers can be shared by other computers.

Disadvantages

· If the communication line fails, the entire network system breaks down.

Use of LAN

The following are the major areas where LAN is normally used:

· File transfer and access
· Word and text processing
· Electronic message handling
· Remote database access
· Personal computing
· Digital voice transmission and storage

Wide Area Network

The term Wide Area Network (WAN) is used to describe a computer network spanning a regional, national or global area. For example, for a large company the headquarters might be at Delhi and regional branches at Bombay, Madras, Bangalore and Calcutta. Here the regional centres are connected to headquarters through a WAN. The distance between computers connected to a WAN is larger. Therefore the transmission media used are normally telephone lines, microwaves and satellite links.

Characteristics of WAN

The following are the major characteristics of WAN.

1. Communication Facility: For a big company spanning different parts of the country the employees can save on long distance phone calls, and it overcomes the time lag in overseas communications. Computer conferencing is another use of WAN, where users communicate with each other through their computer systems.

2. Remote Data Entry: Remote data entry is possible in a WAN. It means that sitting at any location you can enter data, update data and query other information on any computer attached to the WAN but located in other cities. For example, suppose you are sitting at Madras and want to see some data on a computer located at Delhi; you can do it through the WAN.

3. Centralised Information: In a modern computerised environment you will find that big organisations go for centralised data storage. This means that if the organisation is spread over many cities, they keep their important business data in a single place. As the data are generated at different sites, a WAN permits collection of this data from the different sites and saving it at a single site.

Examples of WAN

1. Ethernet: Ethernet, developed by Xerox Corporation, is a famous example of WAN. This network uses coaxial cables for data transmission. Special integrated circuit chips called controllers are used to connect equipment to the cable.

2. ARPANET: The ARPANET is another example of WAN. It was developed at the Advanced Research Projects Agency of the U.S. Department of Defence. This network connects more than 40 universities and institutions throughout the USA and Europe.

Difference between LAN and WAN

· A LAN is restricted to a limited geographical area of a few kilometres, but a WAN covers great distances and operates nationwide or even worldwide.

· In a LAN, the computer terminals and peripheral devices are connected with wires and coaxial cables. In a WAN there is no physical connection; communication is done through telephone lines and satellite links.

· The cost of data transmission in a LAN is less because the transmission medium is owned by a single organisation. In the case of a WAN the cost of data transmission is very high because the transmission media used are hired, either telephone lines or satellite links.

INTERNET

The Internet is a network of networks. Millions of computers all over the world are connected through the Internet. Computer users on the Internet can contact one another anywhere in the world. If your computer is connected to the Internet, you can connect to millions of computers. You can gather information and distribute your data. It is very similar to the telephone connection, where you can talk with any person anywhere in the world.

On the Internet a huge resource of information is accessible to people across the world. Information in every field, from education, science, health, medicine, history and geography to business, news, etc., can be retrieved through the Internet. You can also download programs and software packages from anywhere in the world. Due to the tremendous information resources the Internet can provide, it is now indispensable to every organisation.

Origin of Internet

In 1969 the Department of Defence (DOD) of the USA started a network called ARPANET (Advanced Research Projects Agency Network) with one computer at California and three at Utah. Later on other universities and R & D institutions were allowed to connect to the network. ARPANET quickly grew to encompass the entire American continent and became a huge success. Every university in the country wanted to become a part of ARPANET. So the network was broken into two smaller parts: MILNET for managing military sites and ARPANET (smaller) for managing non-military sites. Around 1980, NSFNET (National Science Foundation Network) was created. With the advancement of modern communication facilities, other computers were also allowed to be linked up with any computer of NSFNET. By 1990 many computers were linking up to NSFNET, giving birth to the Internet.

How Internet functions

The Internet is not a governmental organisation. The ultimate authority of the Internet is the Internet Society. This is a voluntary membership organisation whose purpose is to promote global information exchange. The Internet has more than one million computers attached to it.

E-mail

E-mail stands for electronic mail. This is one of the most widely used features of the Internet. Mail is regularly used today, where with the help of a postage stamp we can send letters anywhere in the world. With electronic mail the service is similar, but here data are transmitted through the Internet and therefore within minutes the message reaches the destination, be it anywhere in the world. Therefore the mailing system is extremely fast and is being used widely for mail transfer.

UNIT – III

Topic: Introduction; Types of Electronic Payment Systems; Types of digital tokens; Discuss E-Cash; Summary

Objectives

· Understand what an Electronic Payment System is
· Describe e-cash as one of the Electronic Payment Systems

All of you might have heard the term "Electronic Payment". As the name suggests, it means making payments electronically, i.e. through computer and telecommunication components. Let's discuss this in more detail.

Types of Electronic Payment Systems

Electronic payment systems are proliferating in banking, retail, health care, on-line markets, and even government; in fact, anywhere money needs to change hands. Organizations are motivated by the need to deliver products and services more cost effectively and to provide a higher quality of service to customers. This section will briefly describe the pertinent developments in various industries to provide an overall picture of electronic payment systems of the past and present.

Research into electronic payment systems for consumers can be traced back to the 1940s, and the first applications, credit cards, appeared soon after. In the early 1970s, the emerging electronic payment technology was labeled electronic funds transfer (EFT). EFT is defined as "any transfer of funds initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account." EFT utilizes computer and telecommunication components both to supply and to transfer money or financial assets. Transfer is information-based and intangible. Thus EFT stands in marked contrast to conventional money and payment modes that rely on physical delivery of cash or checks (or other paper orders to pay) by truck, train, or airplane. Work on EFT can be segmented into three broad categories:

Banking and Financial Payments

· Large-scale or wholesale payments (e.g., bank-to-bank transfer)
· Small-scale or retail payments (e.g., automated teller machines and cash dispensers)
· Home banking (e.g., bill payment)

Retailing Payments

· Credit cards (e.g., VISA or MasterCard)
· Private label credit/debit cards (e.g., J.C. Penney Card)
· Charge cards (e.g., American Express)

On-line Electronic Commerce Payments

· Token-based payment systems
    · Electronic cash (e.g., DigiCash)
    · Electronic checks (e.g., NetCheque)
    · Smart cards or debit cards (e.g., Mondex Electronic Currency Card)
· Credit card-based payment systems
    · Encrypted credit cards (e.g., World Wide Web form-based encryption)
    · Third-party authorization numbers (e.g., First Virtual)

Period       Innovation
700 BC       Earliest coins produced in western Turkey to pay mercenaries or taxes.
1400         First banks open, in Italy and Catalonia, honoring checks against cash reserves.
1694         The Bank of England opens, creating deposits on the principle that not all deposit receipts will be presented for redemption simultaneously. The bank monopolizes the issuing of bank notes.
1865         A sample of payments into British banks shows that 97 percent are made by check.
1887         The phrase “credit card” is coined in Looking Backward, a novel by Edward Bellamy.
1880-1914    Heyday of the gold standard as major currencies are pegged to gold at fixed rates.
1945         Bretton Woods agreement links currencies to gold via their fixed parities with the U.S. dollar.
1947         Flatbush National Bank issues first general purpose credit card, for use in select New York shops.
1950         Diners Club Charge Card introduced.
mid 1950s    The development of magnetic ink character recognition (MICR), facilitating more timely processing of checks, sealed the check’s standing as the preferred noncash payment option.
1958         BankAmerica, in Fresno, California, executes the first mass mailing of credit cards.
1967         Westminster Bank installs first automated teller machine at Victoria, London, branch.
1970         The New York Clearing House launches CHIPS, the Clearing House Interbank Payments System, which provides U.S.-dollar funds-transfer and transaction settlements on-line and in real time.
late 1970s   Chemical Bank launches its Pronto system providing 3000 computer terminals to customers’ homes linked to its central computers by telephone. It offers a range of facilities: balance inquiries, money transfers between Chemical Bank accounts, and bill payments to selected local stores. The stumbling block for first-generation home banking systems in general was who is to pay for the terminals at home.
1985         Electronic data interchange (EDI) extensively used in bank-to-bank payment systems.
1994         Digital cash trials by DigiCash of Holland conducted on-line.
1995         Mondex electronic currency trials begin in Swindon, England.

Let’s discuss various types of Electronic payment systems. Firstly we will have a look at “Electronic Tokens”.

Digital Token-Based Electronic Payment Systems

None of the banking or retailing payment methods are completely adequate in their present form for the consumer-oriented e-commerce environment. Their deficiency is their assumption that the parties will at some time or other be in each other’s physical presence or that there will be a sufficient delay in the payment process for frauds, overdrafts, and other undesirables to be identified and corrected. These assumptions may not hold for e-commerce, and so many of these payment mechanisms are being modified and adapted for the conduct of business over networks. Entirely new forms of financial instruments are also being developed. One such new financial instrument is “electronic tokens” in the form of electronic cash/money or checks. Electronic tokens are designed as electronic analogs of various forms of payment backed by a bank or financial institution. Simply stated, electronic tokens are equivalent to cash that is backed by a bank.

Electronic Tokens are of Three Types:

1. Cash or real-time. Transactions are settled with the exchange of electronic currency. An example of on-line currency exchange is electronic cash (e-cash).
2. Debit or prepaid. Users pay in advance for the privilege of getting information. Examples of prepaid payment mechanisms are stored-value smart cards and electronic purses that store electronic money.

3. Credit or postpaid. The server authenticates the customers and verifies with the bank that funds are adequate before purchase. Examples of postpaid mechanisms are credit/debit cards and electronic checks.

The following sections examine these methods of on-line payment. But we must first understand the different viewpoints that these payment instruments bring to electronic commerce. Here are four dimensions that are useful for analyzing the different initiatives.

1. The nature of the transaction for which the instrument is designed. Some tokens are specifically designed to handle micropayments, that is, payments for small snippets of information. Others are designed for more traditional products. Some systems target specific niche transactions; others seek more general transactions. The key is to identify the parties involved, the average amounts, and the purchase interaction.
2. The means of settlement used. Tokens must be backed by cash, credit, electronic bill payments (prearranged and spontaneous), cashier’s checks, IOUs, letters and lines of credit, and wire transfers, to name a few. Each option incurs trade-offs among transaction speed, risk, and cost. Most transaction settlement methods use credit cards, while others use other proxies for value, effectively creating currencies of dubious liquidity and with interesting tax, risk, and float implications.
3. Approach to security, anonymity, and authentication. Electronic tokens vary in the protection of privacy and confidentiality of the transactions. Some may be more open to potentially prying eyes, or even to the participants themselves. Encryption can help with authentication, non-repudiation, and asset management.
4. The question of risk. Who assumes what kind of risk at what time? The tokens might suddenly become worthless and the customers might hold currency that nobody will accept. If the system stores value in a smart card, consumers may be exposed to risk as they hold static assets. Also, electronic tokens might be subject to discounting or arbitrage. Risk also arises if the transaction has long lag times between product delivery and payments to merchants. This exposes merchants to the risk that buyers don’t pay, or vice versa, that the vendor doesn’t deliver.

Let’s discuss electronic cash (e-cash), which is a new concept in on-line payment systems because it combines computerized convenience with security and privacy that improve on paper cash. Its versatility opens up a host of new markets and applications. E-cash presents some interesting characteristics that should make it an attractive alternative for payment over the Internet.

Electronic Cash (E-cash)

E-cash focuses on replacing cash as the principal payment vehicle in consumer-oriented electronic payments. Although it may be surprising to some, cash is still the most prevalent consumer payment instrument even after thirty years of continuous developments in electronic payment systems.

Cash remains the dominant form of payment for three reasons:
(1) lack of trust in the banking system,
(2) inefficient clearing and settlement of non-cash transactions, and
(3) negative real interest rates paid on bank deposits.

These reasons seem like issues seen primarily in developing countries. Not true. Even in the most industrialized countries, the ratio of notes and coins in circulation per capita is quite large and is estimated to range from $446 to $2748. Consider the situation in two of the most industrialized nations in the world: the United States and the United Kingdom. In the United States, there supposedly was about $300 billion of notes and coins in circulation in 1992. Interestingly, this number is not shrinking but growing at approximately 8 percent per year. Deposits by check are growing by only 6 percent per year. It has been reported that in the United Kingdom about a quarter of all “spontaneous” payments over 100 pounds sterling are still made with cash. For payments under five pounds sterling, the percentage is 98 percent.

The predominance of cash indicates an opportunity for innovative business practice that revamps the purchasing process where consumers are heavy users of cash. To really displace cash, electronic payment systems need to have some qualities of cash that current credit and debit cards lack. For example, cash is negotiable, meaning it can be given or traded to someone else. Cash is legal tender, meaning the payee is obligated to take it. Cash is a bearer instrument, meaning that possession is prima facie proof of ownership. Also, cash can be held and used by anyone, even those who don’t have a bank account, and cash places no risk on the part of the acceptor that the medium of exchange may not be good.

Now compare cash to credit and debit cards. First, they can’t be
given away because, technically, they are identification cards owned by the issuer and restricted to one user. Credit and debit cards are not legal tender, given that merchants have the right to refuse to accept them. Nor are credit and debit cards bearer instruments; their usage requires an account relationship and authorization system. Similarly, checks require either personal knowledge of the payer or a check guarantee system. Hence, to really create a novel electronic payment method, we need to do more than recreate the convenience that is offered by credit and debit cards. We need to develop e-cash that has some of the properties of cash.

Properties of Electronic Cash

Of the many ways that exist for implementing an e-cash system, all must incorporate a few common features. Specifically, e-cash must have the following four properties: monetary value, interoperability, retrievability, and security.

E-cash must have a monetary value: it must be backed by cash, bank-authorized credit, or a bank-certified cashier’s check. When e-cash created by one bank is accepted by others, reconciliation must occur without any problems. Stated another way, e-cash without proper bank certification carries the risk that when deposited, it might be returned for insufficient funds.

E-cash must be interoperable, that is, exchangeable as payment for other e-cash, paper cash, goods or services, lines of credit, deposits in banking accounts, bank notes or obligations, electronic benefits transfers, and the like. Most e-cash proposals use a single bank. In practice, multiple banks are required with an international clearinghouse that handles the exchangeability issues, because all customers are not going to be using the same bank or even be in the same country.

E-cash must be storable and retrievable. Remote storage and retrieval (e.g., from a telephone or personal communications device) would allow users to exchange e-cash (e.g., withdraw from and deposit into banking accounts) from home or office or while traveling. The cash could be stored on a remote computer’s memory, in smart cards, or in other easily transported standard or special-purpose devices. Because it might be easy to create counterfeit cash that is stored in a computer, it might be preferable to store cash on a dedicated device that cannot be altered. This device should have a suitable interface to facilitate personal authentication using passwords or other means and a display so that the user can view the card’s contents. One example of a device that can store e-cash is the Mondex card, a pocket-sized electronic wallet.

E-cash should not be easy to copy or tamper with while being exchanged; this includes preventing or detecting duplication and double-spending. Counterfeiting poses a particular problem, since a counterfeiter may, in the Internet environment, be anywhere in the world and consequently be difficult to catch without appropriate international agreements. Detection is essential in order to audit whether prevention is working. Then there is the tricky issue of double spending. For instance, you could use your e-cash simultaneously to buy something in Japan, India, and England. Preventing double spending from occurring is extremely difficult if multiple banks are involved in the transaction. For this reason, most systems rely on post-fact detection and punishment. Now we will see how the concept of Electronic Cash actually works.

Electronic Cash in Action

Electronic cash is based on cryptographic systems called “digital signatures”. This method involves a pair of numeric keys (very large integers or numbers) that work in tandem: one for locking (or encoding) and the other for unlocking (or decoding). Messages encoded with one numeric key can only be decoded with the other numeric key and none other. The encoding key is kept private and the decoding key is made public. By supplying all customers (buyers and sellers) with its public key, a bank enables customers to decode any message (or currency) encoded with the bank’s private key. If decoding by a customer yields a recognizable message, the customer can be fairly confident that only the bank could have encoded it. These digital signatures are as secure as the mathematics involved and have proved over the past two decades to be more resistant to forgery than handwritten signatures. Before e-cash can be used to buy products or services, it must be procured from a currency server.

Purchasing E-cash from Currency Servers

The purchase of e-cash from an on-line currency server (or bank) involves two steps:
(1) establishment of an account and
(2) maintaining enough money in the account to back the purchase.

Some customers might prefer to purchase e-cash with paper currency, either to maintain anonymity or because they don’t have a bank account. Currently, in most e-cash trials all customers must have an account with a central on-line bank. This is overly restrictive for international use and multi-currency transactions, for customers should be able to access and pay for foreign services as well as local services. To support this access, e-cash must be available in multiple currencies backed by several banks. A service provider in one country could then accept tokens of various currencies from users in many different countries, redeem them with their issuers, and have the funds transferred back to banks in the local country. A possible solution is to use an association of digital banks similar to organizations like VISA to serve as a clearinghouse for many credit card issuing banks.

And finally, consumers use the e-cash software on the computer to generate a random number, which serves as the “note.” In exchange for money debited from the customer’s account, the bank uses its private key to digitally sign the note for the amount requested and transmits the note back to the customer. The network currency server, in effect, is issuing a “bank note,” with a serial number and a dollar amount. By digitally signing it, the bank is committing itself to back that note with its face value in real dollars. This method of note generation is very secure, as neither the customer (payer) nor the merchant (payee) can counterfeit the bank’s digital signature (analogous to the watermark in paper currency). Payer and payee can verify that the payment is valid, since each knows the bank’s public key. The bank is protected against forgery, the payee against the bank’s refusal to honor a legitimate note, and the user against false accusations and invasion of privacy.

How does this Process Work in Practice?

In the case of DigiCash, every person using e-cash has an e-cash account at a digital bank (First Digital Bank) on the Internet. Using that account, people can withdraw and deposit e-cash. When an e-cash withdrawal is made, the PC of the e-cash user calculates how many digital coins of what denominations are needed to withdraw the requested amount. Next, random serial numbers for those coins will be generated and the blinding (random number) factor will be included. The result of these calculations will be sent to the digital bank. The bank will encode the blinded numbers with its secret key (digital signature) and at the same time debit the account of the client for the same amount. The authenticated coins are sent back to the user and finally the user will take out the blinding factor that he or she introduced earlier. The serial numbers plus their signatures are now digital coins; their value is guaranteed by the bank.

Electronic cash can be completely anonymous. Anonymity allows freedom of usage, to buy illegal products such as drugs or pornographic material or to buy legal products and services. This is accomplished in the following manner. When the e-cash software generates a note, it masks the original number or “blinds” the note using a random number and transmits it to a bank. The “blinding” carried out by the customer’s software makes it impossible for anyone to link payment to payer. Even the bank can’t connect the signing with the payment, since the customer’s original note number was blinded when it was signed. In other words, it is a way of creating anonymous, untraceable currency. What makes it even more interesting is that users can prove unequivocally that they did or did not make a particular payment. This allows the bank to sign the “note” without ever actually knowing how the issued currency will be used. For those readers who are mathematically inclined, the protocol behind blind signatures is presented.

The customer’s software chooses a blinding factor, R, independently and uniformly at random and presents the bank with (X * R^E) mod PQ, where X is the note number to be signed and E is the bank’s public key.
1. The bank signs it: (X * R^E)^D = R * X^D (mod PQ). D is the bank’s private key.
2. On receiving the currency, the customer divides out the blinding factor: (R * X^D) / R = X^D (mod PQ).
3. The customer stores X^D, the signed note that is used to pay for the purchase of products or services. Since R is random, the bank cannot determine X and thus cannot connect the signing with the subsequent payment.

While blinding works in theory, it remains to be seen how it will be used in the real business world.

Summary:
Electronic payment means making payments electronically, i.e. through computer and telecommunication components.
Electronic tokens are designed as electronic analogs of various forms of payment backed by a bank or financial institution.
Electronic tokens are of three types: Cash or real-time, Debit or prepaid and Credit or postpaid.
Electronic cash is based on cryptographic systems called “digital signatures”.
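The blind-signature protocol presented above, carried through in code as an added example; this is not DigiCash's code nor code from the lecture. It keeps the lecture's symbols: X is the note number, R the blinding factor, E and D the bank's public and private keys, PQ the modulus. Everything else is an assumption made for the example: the note number is taken as a hash of a serial number and a denomination so that the merchant has a "recognizable message" to check, the bank's primes are two fixed Mersenne primes rather than freshly generated keys, and the bank keeps a set of deposited serials so that the deposit step can refuse a second copy of the same note.

```python
"""RSA blind-signature e-cash, following the lecture's protocol.

Added example (not DigiCash code). Symbols as in the text: X is the note
number, R the blinding factor, E and D the bank's public and private keys,
PQ the modulus.
"""
import hashlib
import secrets
from math import gcd

# Two known Mersenne primes stand in for a key generator so the example runs
# offline; a real issuer would generate fresh primes of at least 1024 bits each.
P = 2**521 - 1
Q = 2**127 - 1
PQ = P * Q                            # public modulus
E = 65537                             # bank's public key: anyone may verify
D = pow(E, -1, (P - 1) * (Q - 1))     # bank's private key: only the bank signs


def note_number(serial: int, cents: int) -> int:
    """X = H(serial, denomination), the 'recognizable message' the bank signs.

    Signing a hash of a structured note, rather than a bare random integer,
    means two valid signatures cannot simply be multiplied into a third one.
    """
    digest = hashlib.sha256(f"{serial}:{cents}".encode()).digest()
    return int.from_bytes(digest, "big")   # 256 bits, so always below PQ


def verify(note) -> bool:
    """Payee's check with the public key: (X^D)^E == X (mod PQ)."""
    serial, cents, sig = note
    return pow(sig, E, PQ) == note_number(serial, cents)


class Customer:
    """The customer's e-cash software. R is generated and kept locally."""

    def __init__(self):
        self.serial = self.cents = self.R = None

    def blind(self, cents: int) -> int:
        """Choose R at random and present (X * R^E) mod PQ to the bank."""
        self.serial = secrets.randbits(128)    # random serial number for the coin
        self.cents = cents
        while True:
            self.R = secrets.randbelow(PQ - 2) + 2
            if gcd(self.R, PQ) == 1:           # R must be invertible mod PQ
                break
        X = note_number(self.serial, cents)
        return (X * pow(self.R, E, PQ)) % PQ

    def unblind(self, blinded_sig: int):
        """Divide out R: (R * X^D) * R^-1 = X^D (mod PQ)."""
        sig = (blinded_sig * pow(self.R, -1, PQ)) % PQ
        return (self.serial, self.cents, sig)


class Bank:
    def __init__(self):
        self.withdrawals = []   # blinded values seen: all the bank ever learns
        self.spent = set()      # serials already deposited

    def sign_blinded(self, blinded: int) -> int:
        """(X * R^E)^D = R * X^D (mod PQ). Debiting the account is omitted.

        The bank cannot read the denomination inside the blinded value, so a
        deployed scheme uses one signing key per denomination; this example,
        like the lecture, takes the requested amount at face value.
        """
        self.withdrawals.append(blinded)
        return pow(blinded, D, PQ)

    def deposit(self, note) -> str:
        """Trilateral step: check the signature, then the spent-serial registry."""
        serial, cents, sig = note
        if not verify(note):
            return "bad_signature"
        if serial in self.spent:
            return "double_spend"   # second copy of the same serial
        self.spent.add(serial)
        return "credited"


def run_protocol(cents: int = 500):
    """Withdraw one note of `cents`; return the bank and the signed note."""
    customer, bank = Customer(), Bank()
    blinded = customer.blind(cents)
    note = customer.unblind(bank.sign_blinded(blinded))
    return bank, note


if __name__ == "__main__":
    bank, note = run_protocol(500)
    print("merchant verifies:", verify(note))
    print("first deposit:", bank.deposit(note))
    print("second deposit:", bank.deposit(note))
```

Run as a script it withdraws one 500-cent note, verifies it as a merchant would, and shows the second deposit being refused. The point to notice is what the bank records: only (X * R^E) mod PQ, from which it can recover neither X nor X^D without R, so the withdrawal and the later deposit cannot be linked. Raw RSA over an unstructured number would let anyone multiply two valid notes into a third, which is why the example signs a hash of the note's fields.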

Topic:
Introduction
Digital currency
Limitations of E-cash
Summary

Objectives:
Understand how to use e-cash
Describe the various issues that may arise in the organization due to the use of e-cash

Let’s purchase something on the Internet using Digital Currency.

Using the Digital Currency

Once the tokens are purchased, the e-cash software on the customer’s PC stores digital money signed by a bank. The user can spend the digital money at any shop accepting e-cash, without having to open an account there first or having to transmit credit card numbers. As soon as the customer wants to make a payment, the software collects the necessary amount from the stored tokens.

Two Types of Transactions are Possible: Bilateral and Trilateral

Typically, transactions involving cash are bilateral or two-party (buyer and seller) transactions, whereby the merchant checks the veracity of the note’s digital signature by using the bank’s public key. If satisfied with the payment, the merchant stores the digital currency on his machine and deposits it later in the bank to redeem the face value of the note. Transactions involving financial instruments other than cash are usually trilateral or three-party (buyer, seller, and bank) transactions, whereby the “notes” are sent to the merchant, who immediately sends them directly to the digital bank. The bank verifies the validity of these “notes” and that they have not been spent before. The account of the merchant is credited. In this case, every “note” can be used only once.

In many business situations, the bilateral transaction is not feasible because of the potential for double spending, which is equivalent to bouncing a check. Double spending becomes possible because it is very easy to make copies of the e-cash, forcing banks and merchants to take extra precautions. To uncover double spending, banks must compare the note passed to them by the merchant against a database of spent notes. Just as paper currency is identified with a unique serial number, digital cash can also be protected. The ability to detect double spending has to involve some form of registration so that all “notes” issued globally can be uniquely identified. However, this method of matching notes with a central registry has problems in the on-line world. For most systems, which handle high volumes of micropayments, this method would simply be too expensive. In addition, the problem of double spending means that banks have to carry added overhead because of the constant checking and auditing of logs.

Double spending would not be a major problem if the need for anonymity were relaxed. In such situations, when the consumer is issued a bank note, it is issued to that person’s unique license. When he or she gives it to somebody else, it is transferred specifically to that other person’s license. Each time the money changes hands, the old owner adds a tiny bit of information to the bank note based on the bank note’s serial number and his or her license. If somebody attempts to spend money twice, the bank will now be able to use the two bank notes to determine who the cheater is. Even if the bank notes pass through many different people’s hands, whoever cheated will get caught, and none of the other people will ever have to know. The downside is that the bank can tell precisely what your buying habits are, since it can check the numbers on the e-cash and the various merchant accounts that are being credited. Many people would feel uncomfortable letting others know this personal information.

Drawback of E-cash

One drawback of e-cash is its inability to be easily divided into smaller amounts. It is often necessary to get small-denomination change in business transactions. A number of variations have been developed for dealing with the “change” problem. For the bank to issue users with enough separate electronic “coins” of various denominations would be cumbersome in communication and storage. So would a method that required payees to return extra change. To sidestep such costs, customers are issued a single number called an “open check” that contains multiple denomination values sufficient for transactions up to a prescribed limit. At payment time, the e-cash software on the client’s computer would create a note of the transaction value from the “open check.”

Let’s see how business organizations gain from e-cash and
how sometimes it can create problems.

Business Issues and Electronic Cash

Electronic cash fulfills two main functions: as a medium of exchange and as a store of value. Digital money is a perfect medium of exchange. By moving monetary claims quickly and by effecting instant settlement of transactions, e-cash may help simplify the complex interlocking credit and liabilities that characterize today’s commerce. For instance, small businesses that spend months waiting for big customers to pay their bills would benefit hugely from a digital system in which instant settlement is the norm. Instant settlement of micropayments is also a tantalizing proposition.

The controversial aspects of e-cash are those that relate to the other role, as a store of value. Human needs tend to require that money take a tangible form and be widely accepted, or “legal tender”. In most countries, a creditor by law cannot refuse cash as settlement for a debt. With the acceptability of cash guaranteed by law, most people are willing to bank their money and settle many of their bills by checks and debits, confident that, barring a catastrophe, they can obtain legal tender (cash) on demand. If e-cash had to be convertible into legal tender on demand, then for every unit there would have to be a unit of cash reserved in the real economy; or, to look at it the other way round, there would be cash in the real world for which digital proxies were created and made available. This creates problems, because in an efficient system, if each e-cash unit represents a unit of real cash, then positive balances of e-cash will earn no interest; for the interest they might earn would be offset by the interest foregone on the real cash that is backing them.

The enormous currency fluctuations in international finance pose another problem. On the Internet, the buyer could be in Mexico and the seller in the United States. How do you check that the party in Mexico is giving a valid electronic currency that has suitable backing? Even if it were valid today, what would happen if a sudden devaluation occurred such as the one in December 1994 where the peso was devalued 30 percent overnight? Who holds the liability, the buyer or the seller? These are not technological issues but business issues that must be addressed for large-scale bilateral transactions to occur. Unless we have one central bank offering one type of electronic currency, it is very difficult to see e-cash being very prominent except in narrow application domains.

From a banker’s point of view, e-cash would be a mixed blessing. Because they could not create new money via lending in the digital world, banks would see electronic money as unproductive. They might charge for converting it, or take a transaction fee for issuing it, but on-line competition would surely make this a low-profit affair. In the short term, banks would probably make less from this new business than they would lose from the drift of customers away from traditional services. It seems unlikely that e-cash would be allowed to realize its potential for bypassing the transaction costs of the foreign exchange market. If you pay yen for e-cash in Osaka and buy something from a merchant based in New York who cashes them for francs, a currency conversion has taken place. That, however, is an activity toward which most governments feel highly defensive; and if e-cash started to bypass regulated foreign exchange markets by developing its own gray market for settlement, then governments might be provoked into trying to clamp down
on it. Because of these obstacles, e-cash in its early forms may be denominated in single currencies and exchanged at conventional market rates.

Next we will see the risks involved while doing transactions involving the use of e-cash.

Operational Risk and Electronic Cash

Operational risk associated with e-cash can be mitigated by imposing constraints, such as limits on
(1) the time over which a given electronic money is valid,
(2) how much can be stored on and transferred by electronic money,
(3) the number of exchanges that can take place before a money needs to be redeposited with a bank or financial institution, and
(4) the number of such transactions that can be made during a given period of time.

These constraints introduce a whole new set of implementation issues. For example, time limits could be set beyond which the electronic money would expire and become worthless. The customer would have to redeem or exchange the money prior to the expiration deadline. For this feature to work, electronic money would have to be time-stamped, and time would have to be synchronized across the network to some degree of precision. The objective of imposing constraints is to limit the issuer’s liability. A maximum upper limit could be imposed on the value that could be assigned to any single transaction or that could be transferred to the same vendor within a given period of time. Since the user’s computer could be programmed to execute small transactions continuously at a high rate over the network, a strategy of reporting transactions over a certain amount would be ineffective for law enforcement. However, a well-designed system could enforce a policy involving both transaction size and value with time. For example, an “anonymous coin-purse” feature might be capable of receiving or spending no more than $500 in any twenty-four hour period. Alternatively, the “rate ceiling” for the next twenty-four hours could be made dependent on the rate of use or on the number of exchanges that could be permitted before any electronic money would have to be redeposited in a bank or financial institution and reissued.

Finally, exchanges could also be restricted to a class of services or goods (e.g., electronic benefits could be used only for food, clothing, shelter, or educational purposes). The exchange process should allow payment to be withheld from the seller upon the buyer’s instructions until the goods or services are delivered within a specified time in the future. Conversely, it should allow delivery to be withheld upon the seller’s instructions until payment is received. The next section deals with the legal aspects of e-cash and the impact of e-cash on taxation.

Legal Issues and Electronic Cash

Electronic cash will force bankers and regulators to make tough choices that will shape the form of lawful commercial activity related to electronic commerce. As a result of the very features that make it so attractive to many, cash occupies an unstable and uncomfortable place within the existing taxation and law enforcement systems. Anonymous and virtually untraceable, cash transactions today occupy a place in a kind of underground economy. This underground economy is generally confined to relatively small-scale transactions because paper money in large quantities is cumbersome to use and manipulate, organized crime being the obvious exception. As long as the transactions are small in monetary value, they are tolerated by the government as an unfortunate but largely insignificant by-product of the modern commercial state. As transactions get larger the government becomes more suspicious and enlists the aid of the banks, through the various currency reporting laws, in reporting large disbursements of cash so that additional oversight can be ordered.
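Returning to the four operational constraints listed under Operational Risk above, here they are implemented as an added example; this is not code from the lecture or from any e-cash product. The $500 per twenty-four hour ceiling is the lecture's figure; the note lifetime, the per-transfer cap and the number of permitted hand-offs are constructed placeholder values, and the `now` timestamp passed to each call is assumed to come from the synchronized network clock the text says such a scheme needs.

```python
"""An 'anonymous coin-purse' that enforces the issuer's liability limits.

Added example, not code from the lecture. Constraint numbers in comments
refer to the lecture's list: (1) validity period, (2) stored/transferred
value, (3) exchanges before redeposit, (4) transactions per period.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

DAY = 24 * 3600


@dataclass
class Policy:
    """Issuer-imposed limits. Only the $500/24h figure comes from the lecture;
    the other defaults are constructed for this example."""
    validity_seconds: int = 30 * DAY   # (1) lifetime after the bank's time-stamp
    max_per_transfer: int = 100_00     # (2) largest single transfer, in cents
    max_exchanges: int = 5             # (3) hand-offs before redeposit is required
    rate_ceiling: int = 500_00         # (4) cents received or spent per rolling 24 h


@dataclass
class Note:
    serial: int
    cents: int
    issued_at: int      # bank's time-stamp in seconds; makes expiry checkable
    exchanges: int = 0  # how many times the note has changed hands


class CoinPurse:
    """Applies the Policy to every receipt and every spend."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.notes: Dict[int, Note] = {}
        self.movements: Deque[Tuple[int, int]] = deque()  # (timestamp, cents)

    def _moved_in_window(self, now: int) -> int:
        """Value moved in the last 24 h; older movements drop off the window."""
        while self.movements and self.movements[0][0] <= now - DAY:
            self.movements.popleft()
        return sum(c for _, c in self.movements)

    def _check(self, note: Note, now: int) -> Optional[str]:
        """Return a refusal reason, or None if the movement is allowed."""
        if now >= note.issued_at + self.policy.validity_seconds:
            return "expired"                 # (1) must be redeemed before this
        if note.cents > self.policy.max_per_transfer:
            return "over_transfer_limit"     # (2)
        if note.exchanges >= self.policy.max_exchanges:
            return "needs_redeposit"         # (3) back to the bank for reissue
        if self._moved_in_window(now) + note.cents > self.policy.rate_ceiling:
            return "rate_ceiling"            # (4) the $500 per 24 h rule
        return None

    def receive(self, note: Note, now: int) -> str:
        reason = self._check(note, now)
        if reason:
            return reason
        self.notes[note.serial] = note
        self.movements.append((now, note.cents))
        return "ok"

    def spend(self, serial: int, now: int) -> Tuple[str, Optional[Note]]:
        """Hand a stored note to a payee; the copy handed over carries one more exchange."""
        note = self.notes.get(serial)
        if note is None:
            return "unknown_note", None
        reason = self._check(note, now)
        if reason:
            return reason, None
        del self.notes[serial]
        self.movements.append((now, note.cents))
        return "ok", Note(note.serial, note.cents, note.issued_at, note.exchanges + 1)


if __name__ == "__main__":
    purse = CoinPurse(Policy())
    t0 = 1_000_000
    print(purse.receive(Note(1, 100_00, t0), t0))                 # ok
    print(purse.receive(Note(2, 100_00, t0 - 31 * DAY), t0))      # expired
    print(purse.receive(Note(3, 200_00, t0), t0))                 # over_transfer_limit
```

Each refusal is returned as a reason rather than raised, so an auditing layer can count how often each constraint fires; a burst of `rate_ceiling` refusals from one purse is exactly the high-rate small-transaction pattern the text says per-transaction reporting would miss.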

Consider the Impact of E-Cash on Taxation

Transaction-based taxes (e.g., sales taxes) account for a significant portion of state and local government revenue. But if e-cash really is made to function the way that paper money does, payments we would never think of making in cash, to buy a new car, say, or as the down payment on a house, could be made in this new form of currency because there would be no problem of bulk and no risk of robbery. The threat to the government’s revenue flow is a very real one, and officials in government are starting to take cognizance of this development and to prepare their responses. To prevent an underground economy, the government through law may prevent a truly anonymous and untraceable e-cash system from developing. But that raises its own problems because the vision of “Big Brother” rears its ugly head. Just as powerful encryption schemes permit the design of untraceable e-cash systems, so, too, do powerful electronic record-keeping tools permit the design of traceable systems, systems in which all financial transactions are duly recorded in some database, allowing those with access to know more about an individual than anyone could know today. Anything that makes cash substantially easier to use in a broader range of transactions holds the potential to expand this underground economy to proportions posing ever more serious threats to the existing legal order. Under the most ambitious visions of e-cash, we would see a new form of currency that could be freely passed off from one computer to another with no record, yet incapable of being forged. A consumer could draw such e-cash electronically from his or her bank. The bank would have a record of that transaction, just as a withdrawal or check is recorded now. But after that, the encrypted e-cash file could be handed off without the knowledge of anyone but the parties to the transaction.

However, as the politics and business play out, the technology is forcing legal issues to be reconsidered. The question e-cash poses is not, “Should the law take notice of this development?” but rather, “How can it not?”

Page 54: ECOM

By impacting revenue-raising capabilities, e-cash cannot escapegovernment scrutiny and regulation; but it is going to take someserious thinking to design a regulatory scheme that balancespersonal privacy, speed of execution, and ease of use. Without afunctioning system, what the government will do remains a mystery.Moreover, it is not even clear yet that the market as a whole willadopt an anonymous e-cash standard. For now, we are mainlywatching and trying to educate ourselves about the likely path ofthe transition to electronic cash.Summary:One drawback of e-cash is its inability to be easily dividedinto smaller amounts.One of the business issues while using Electronic Cash isthat it can’t take tangible form.The enormous currency fluctuations in international financepose another problem in business while using e-cashOperational risk associated with e-cash can be mitigated byimposing constraints, such as limits on(1)the time over which a given electronic money is valid,(2) how much can be stored on and transferred byelectronic money(3)the number of exchanges that can take place before amoney needs to be redeposit with a bank or financial

Page 55: ECOM

institution, and(4)the number of such transactions that can be madeduring a given period of time.The use of e-cash can cause threat to the government’srevenue flow.

Topic:
Introduction
Electronic cheques, smart cards and credit cards
Advantages of electronic cheques
Electronic purses and debit cards
Summary

Objectives:
Understand what an "electronic check" is.
Describe the use of smart cards and credit cards.

Another type of electronic payment scheme that we are going to discuss today is "electronic checks". This scheme is basically for those people who prefer not to pay by cash.

Electronic Checks

Electronic checks are another form of electronic tokens. They are designed to accommodate the many individuals and entities that might prefer to pay on credit or through some mechanism other than cash. In the model shown in Fig. 14.1, buyers must register with a third-party account server before they are able to write electronic checks. The account server also acts as a billing service. The registration procedure can vary depending on the particular account server and may require a credit card or a bank account to back the checks. Once registered, a buyer can then contact sellers of goods and services. To complete a transaction, the buyer sends a check to the seller for a certain amount of money. These checks may be sent using e-mail or other transport methods. When deposited, the check authorizes the transfer of account balances from the account against which the check was drawn to the account to which the check was deposited.

The e-check method was deliberately created to work in much the same way as a conventional paper check. An account holder will issue an electronic document that contains the name of the payer, the name of the financial institution, the payer's account number, the name of the payee and the amount of the check. Most of the information is in uncoded form. Like a paper check, an e-check will bear the digital equivalent of a signature: a computed number that authenticates the check as coming from the owner of the account. And, again like a paper check, an e-check will need to be endorsed by the payee, using another electronic signature, before the check can be paid. Properly signed and endorsed checks can be electronically exchanged between financial institutions through electronic clearinghouses, with the institutions using these endorsed checks as tender to settle accounts.

The specifics of the technology work in the following manner: On receiving the check, the seller presents it to the accounting server for verification and payment. The accounting server verifies the digital signature on the check using any authentication scheme. A user's digital "signature" is used to create one ticket, a check, which the seller's digital "endorsement" transforms into another: an order to a bank computer for fund transfer. Subsequent endorsers add successive layers of information onto the tickets, precisely as a large number of banks may wind up stamping the back of a check along its journey through the system.

Figure 14.1 Payment transaction sequence in an electronic check system

Let's see the advantages of electronic checks. Electronic checks have the following advantages:
They work in the same way as traditional checks, thus simplifying customer education.
Electronic checks are well suited for clearing micropayments; their use of conventional cryptography makes them much faster than systems based on public-key cryptography (e-cash).
Electronic checks create float, and the availability of float is an important requirement for commerce. The third-party accounting server can make money by charging the buyer or seller a transaction fee or a flat-rate fee, or it can act as a bank and provide deposit accounts and make money on the deposit account pool.
Financial risk is assumed by the accounting server and may result in easier acceptance. Reliability and scalability are provided by using multiple accounting servers. There can be an inter-account-server protocol to allow buyer and seller to "belong" to different domains, regions, or countries.

You all must agree that the major issue of concern while making payments is security. In the next section we will discuss one of the electronic payment systems that is more secure as compared to the above discussed schemes.

Smart Cards and Electronic Payment Systems

The enormous potential of electronic tokens is currently stunted by the lack of a widely accepted and secure means of transferring money on-line. In spite of the many prototypes developed, we are a long way from a universal payment system because merchants and banks have to be signed up and a means has to be developed to transfer money. Such a system moreover must be robust and capable of handling a large number of transactions and will require extensive testing and usage to iron out all the bugs. In the meantime, thousands of would-be sellers of electronic commerce services have to pay one another and are actively looking for payment substitutes. One such substitute is the smart card.

Smart cards have been in existence since the early 1980s and hold promise for secure transactions using existing infrastructure. Smart cards are credit and debit cards and other card products enhanced with microprocessors capable of holding more information than the traditional magnetic stripe. The chip, at its current state of development, can store significantly greater amounts of data, estimated to be 80 times more than a magnetic stripe. Industry observers have predicted that, by the year 2000, one-half of all payment cards issued in the world will have embedded microprocessors rather than the simple magnetic stripe.

The smart card technology is widely used in countries such as France, Germany, Japan, and Singapore to pay for public phone calls, transportation, and shopper loyalty programs. The idea has taken longer to catch on in the United States, since a highly reliable and fairly inexpensive telecommunications system has favored the use of credit and debit cards. Smart cards are basically of two types:
Relationship-based smart credit cards
Electronic purses. Electronic purses, which replace money, are also known as debit cards and electronic money.

Relationship-Based Smart Cards

Financial institutions worldwide are developing new methods to maintain and expand their services to meet the needs of increasingly sophisticated and technically smart customers, as well as to meet the emerging payment needs of electronic commerce. Traditional credit cards are fast evolving into smart cards as consumers demand payment and financial services products that are user-friendly, convenient, and reliable.

A relationship-based smart card is an enhancement of existing card services and/or the addition of new services that a financial institution delivers to its customers via a chip-based card or other device. These new services may include access to multiple financial accounts, value-added marketing programs, or other information cardholders may want to store on their card. The chip-based card is but one tool that will help alter mass marketing techniques to address each individual's specific financial and personal requirements. Enhanced credit cards store cardholder information including name, birth date, personal shopping preferences, and actual purchase records. This information will enable merchants to accurately track consumer behavior and develop promotional programs designed to increase shopper loyalty.

Relationship-based products are expected to offer consumers far greater options, including the following:
Access to multiple accounts, such as debit, credit, investments or stored value for e-cash, on one card or an electronic device
A variety of functions, such as cash access, bill payment, balance inquiry, or funds transfer for selected accounts
Multiple access options at multiple locations using multiple device types, such as an automated teller machine, a screen phone, a personal computer, a personal digital assistant (PDA), or interactive TV

Companies are trying to incorporate these services into a personalized banking relationship for each customer. They can package financial and non-financial services with value-added programs to enhance convenience, build loyalty and retention, and attract new customers. Banks are also attempting to customize services on smart cards, offering a menu of services similar to those that come up on ATM screens. As with credit cards, banks may link up with health care providers, telephone companies, retailers, and airlines to offer frequent shopping and flyer programs and other services.

Electronic Purses and Debit Cards

Despite their increasing flexibility, relationship-based cards are credit based and settlement occurs at the end of the billing cycle. There remains a need for a financial instrument to replace cash. To meet this need, banks, credit card companies, and even government institutions are racing to introduce "electronic purses," wallet-sized smart cards embedded with programmable microchips that store sums of money for people to use instead of cash for everything from buying food, to making photocopies, to paying subway fares.

The Electronic Purse Works in the Following Manner

After the purse is loaded with money, at an ATM or through the use of an inexpensive special telephone, it can be used to pay for, say, candy in a vending machine equipped with a card reader. The vending machine need only verify that a card is authentic and there is enough money available for a chocolate bar. In one second, the value of the purchase is deducted from the balance on the card and added to an e-cash box in the vending machine. The remaining balance on the card is displayed by the vending machine or can be checked at an ATM or with a balance-reading device. Electronic purses would virtually eliminate fumbling for change or small bills in a busy store or rush-hour toll booth, and waiting for a credit card purchase to be approved. This allows customers to pay for rides and calls with a prepaid card that "remembers" each transaction. And when the balance on an electronic purse is depleted, the purse can be recharged with more money. As for the vendor, the receipts can be collected periodically in person or, more likely, by telephone, and transferred to a bank account. While the technology has been available for a decade, the cards have been relatively expensive, from $5 to $10. Today the cards cost $1, and special telephones that consumers could install at home to recharge the cards are projected to cost as little as $50. A simple card reader would cost a merchant less than $200.

Summary:
Electronic checks are another form of electronic tokens. They are designed to accommodate the many individuals and entities that might prefer to pay on credit or through some mechanism other than cash.
Electronic checks are well suited for clearing micropayments; their use of conventional cryptography makes them much faster than systems based on public-key cryptography.
Electronic checks create float, and the availability of float is an important requirement for commerce.
Smart cards are credit and debit cards and other card products enhanced with microprocessors capable of holding more information than the traditional magnetic stripe.
Smart cards are basically of two types: relationship-based smart credit cards and electronic purses.

Topic:
Introduction
Credit card-based electronic payment systems
Encryption in credit cards
Summary

Objectives:
Understand why payment by credit card is more secure than other electronic payment systems.

To avoid the complexity associated with digital cash and electronic checks, consumers and vendors are also looking at credit card payments on the Internet as one possible time-tested alternative. Let's discuss how the payment is made online using credit cards.

Credit Card-Based Electronic Payment Systems

There is nothing new in the basic process. If consumers want to purchase a product or service, they simply send their credit card details to the service provider involved and the credit card organization will handle this payment like any other. We can break credit card payment on on-line networks into three basic categories:

1. Payments using plain credit card details. The easiest method of payment is the exchange of unencrypted credit card details over a public network such as telephone lines or the Internet. The low level of security inherent in the design of the Internet makes this method problematic (any snooper can read a credit card number, and programs can be created to scan the Internet traffic for credit card numbers and send the numbers to their master). Authentication is also a significant problem, and the vendor is usually responsible for ensuring that the person using the credit card is its owner. Without encryption there is no way to do this.

2. Payments using encrypted credit card details. It would make sense to encrypt your credit card details before sending them out, but even then there are certain factors to consider. One would be the cost of a credit card transaction itself. Such cost would prohibit low-value payments (micropayments) by adding costs to the transactions.

3. Payments using third-party verification. One solution to security and verification problems is the introduction of a third party: a company that collects and approves payments from one client to another. After a certain period of time, one credit card transaction for the total accumulated amount is completed.

Table 15.1 Players in On-Line Credit Card Transaction Processing
First Virtual Holdings: San Diego-based start-up offers an Internet payment system to process credit card transactions on the Internet. It's allied with EDS for data processing and First USA Merchant Services in Dallas for card processing services.
Interactive Transactions Partners: Joint venture of EDS, France Telecom, US West, and H&R Block for home banking and electronic payment services.
MasterBanking: A home banking service started by MasterCard and Checkfree Corp., an on-line payments processor.
VISA Interactive: VISA International acquired US Order, a screen phone manufacturer. VISA Interactive has signed up more than 30 banks, including NationsBank.
Block Financial: This H&R Block unit owns Managing Your Money personal-finance software and CompuServe. Provides electronic-banking services for VISA member banks.
Prodigy: Teaming up with Meridian Bank and others to offer PC-based home banking via its online service.

Let's see how payment by credit card is more secure as compared to other schemes.

Encryption and Credit Cards

Encryption is instantiated when credit card information is entered into a browser or other electronic commerce device and sent securely over the network from buyer to seller as an encrypted message. This practice, however, does not meet important requirements for an adequate financial system, such as non-refutability, speed, safety, privacy, and security. To make a credit card transaction truly secure and non-refutable, the following sequence of steps must occur before actual goods, services, or funds flow:
1. A customer presents his or her credit card information (along with an authenticity signature or other information such as mother's maiden name) securely to the merchant.
2. The merchant validates the customer's identity as the owner of the credit card account.
3. The merchant relays the credit card charge information and signature to its bank or on-line credit card processors.
4. The bank or processing party relays the information to the customer's bank for authorization approval.
5. The customer's bank returns the credit card data, charge authentication, and authorization to the merchant.

In this scheme, each consumer and each vendor generates a public key and a secret key. The public key is sent to the credit card company and put on its public key server. The secret key is encrypted with a password, and the unencrypted version is erased. To steal a credit card, a thief would have to get access to both a consumer's encrypted secret key and password. The credit card company sends the consumer a credit card number and a credit limit. To buy something from vendor X, the consumer sends vendor X the message, "It is now time T. I am paying Y dollars to X for item Z," then the consumer uses his or her password to sign the message with the secret key. The vendor will then sign the message with its own secret key and send it to the credit card company, which will bill the consumer for Y dollars and give the same amount (less a fee) to X. (See Fig. 15.1.)

Nobody can cheat this system. The consumer can't claim that he didn't agree to the transaction, because he signed it (as in everyday life). The vendor can't invent fake charges, because he doesn't have access to the consumer's key. He can't submit the same charge twice, because the consumer included the precise time in the message. To become useful, credit card systems will have to develop distributed key servers and card checkers. Otherwise, a concentrated attack on these sites could bring the system to a halt.

Support for Privacy Enhanced Mail (PEM) and Pretty Good Privacy (PGP) encryption has been built into several browsers. Both of these schemes can be substantially bolstered with the addition of encryption to defeat snooping attacks. Now any vendor can create a secure system that accepts credit card numbers in about an hour.

Third-Party Processors and Credit Cards

In third-party processing, consumers register with a third party on the Internet to verify electronic microtransactions. Verification mechanisms can be designed with many of the attributes of electronic tokens, including anonymity. They differ from electronic token systems in that (1) they depend on existing financial instruments and (2) they require the on-line involvement of at least one additional party and, in some cases, multiple parties to ensure extra security. However, requiring an on-line third-party connection for each transaction to different banks could lead to processing bottlenecks that could undermine the goal of reliable use. Companies that are already providing third-party payment are referred to as on-line third-party processors (OTPPs), since both methods are fairly similar in nature. OTPPs have created a six-step process that they believe will be a fast and efficient way to buy information online:
1. The consumer acquires an OTPP account number by filling out a registration form. This will give the OTPP a customer information profile that is backed by a traditional financial instrument such as a credit card.
2. To purchase an article, software, or other information online, the consumer requests the item from the merchant by quoting her OTPP account number. The purchase can take place in one of two ways: the consumer can automatically authorize the "merchant" via browser settings to access her OTPP account and bill her, or she can type in the account information.
3. The merchant contacts the OTPP payment server with the customer's account number.
4. The OTPP payment server verifies the customer's account number for the vendor and checks for sufficient funds.
5. The OTPP payment server sends an electronic message to the buyer. This message could be an automatic WWW form that is sent by the OTPP server or could be a simple e-mail. The buyer responds to the form or e-mail in one of three ways: Yes, I agree to pay; No, I will not pay; or Fraud, I never asked for this.
6. If the OTPP payment server gets a Yes from the customer, the merchant is informed and the customer is allowed to download the material immediately.
7. The OTPP will not debit the buyer's account until it receives confirmation of purchase completion. Abuse by buyers who receive information or a product and decline to pay can result in account suspension.

To use this system, both customers and merchants must be registered with the OTPP. An on-line environment suitable for microtransactions will require that many of the preceding steps be automated. World Wide Web browsers capable of encryption can serve this purpose.

Here the two key servers are the merchant server and the payment server. Users first establish an account with the payment server. Then, using a client browser, a user makes a purchase from a merchant server by clicking on a payment URL (hyperlink), which is attached to the product on a WWW page. Unknown to the customer, the payment URL encodes the following details of the purchase: price of the item, target URL (for hard goods, this URL is usually an order status page; for information goods, it points to the information customers are purchasing), and duration (for information goods, it specifies how long customers can get access to the target URL).
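Before going on to payment URLs, here is the signed-order scheme from the Encryption and Credit Cards section above, together with the check-then-endorsement signature layering from the electronic checks section, as an added example (not the page's or any vendor's code): Ed25519 from Go's standard library stands in for the unspecified public-key scheme, and the party names and the Processor type are assumptions. It also shows the processor using the precise time inside the signed message to refuse a repeated charge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Added example, not the page's or any vendor's code: Ed25519 stands in for the
// unspecified public-key scheme; party names and the Processor type are made up.

// PaymentOrder is the message quoted in the text:
// "It is now time T. I am paying Y dollars to X for item Z."
type PaymentOrder struct {
	Time   time.Time // T: the precise time, which makes each order unique
	Amount int       // Y, in whole dollars
	Payee  string    // X
	Item   string    // Z
}

// Bytes is the canonical encoding that both signatures cover.
func (o PaymentOrder) Bytes() []byte {
	return []byte(fmt.Sprintf("time=%s|amount=%d|payee=%s|item=%s", o.Time.UTC().Format(time.RFC3339Nano), o.Amount, o.Payee, o.Item))
}

// Ticket is the check (order + payer signature) and, once endorsed, the order to
// the bank (order + payer signature + payee signature), as for electronic checks.
type Ticket struct {
	Order      PaymentOrder
	Payer      string
	PayerSig   []byte // consumer's signature over Order.Bytes()
	EndorseSig []byte // vendor's signature over Order.Bytes() || PayerSig
}

// IssueTicket is the consumer's step: sign the order with the secret key.
func IssueTicket(payer string, priv ed25519.PrivateKey, o PaymentOrder) Ticket {
	return Ticket{Order: o, Payer: payer, PayerSig: ed25519.Sign(priv, o.Bytes())}
}

// endorsedBytes is what the vendor signs: the order together with the payer's signature.
func endorsedBytes(t Ticket) []byte {
	return append(t.Order.Bytes(), t.PayerSig...)
}

// Endorse is the vendor's step: sign the check, turning it into a fund-transfer order.
func Endorse(t Ticket, vendorPriv ed25519.PrivateKey) Ticket {
	t.EndorseSig = ed25519.Sign(vendorPriv, endorsedBytes(t))
	return t
}

// Processor plays the credit card company (or the e-check accounting server): it
// keeps the registered public keys and remembers every order it has settled.
type Processor struct {
	keys    map[string]ed25519.PublicKey
	settled map[string]bool
}

func NewProcessor() *Processor {
	return &Processor{keys: map[string]ed25519.PublicKey{}, settled: map[string]bool{}}
}

// Register generates a key pair for a party, keeps the public half on the
// processor's key server and hands the secret half back to the party alone.
func (p *Processor) Register(name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p.keys[name] = pub
	return priv
}

// Settle verifies both signature layers and rejects a repeated submission.
func (p *Processor) Settle(t Ticket) error {
	payerPub, payeePub := p.keys[t.Payer], p.keys[t.Order.Payee]
	if payerPub == nil || payeePub == nil {
		return errors.New("payer or payee is not registered")
	}
	// The vendor cannot invent charges: only the consumer's key yields this signature.
	if !ed25519.Verify(payerPub, t.Order.Bytes(), t.PayerSig) {
		return errors.New("payer signature invalid")
	}
	// The consumer cannot repudiate a genuine order, and only the endorsing vendor is paid.
	if !ed25519.Verify(payeePub, endorsedBytes(t), t.EndorseSig) {
		return errors.New("payee endorsement invalid")
	}
	// The same charge cannot be submitted twice: payer plus the signed order
	// (with its precise time) identifies the transaction.
	id := t.Payer + "|" + string(t.Order.Bytes())
	if p.settled[id] {
		return errors.New("duplicate submission of an already settled order")
	}
	p.settled[id] = true
	return nil
}

func main() {
	p := NewProcessor()
	alice, shop := p.Register("alice"), p.Register("shop")
	// Constructed sample order; the same endorsed ticket is then submitted twice.
	tk := Endorse(IssueTicket("alice", alice, PaymentOrder{Time: time.Now(), Amount: 20, Payee: "shop", Item: "report-42"}), shop)
	fmt.Println("first settle:", p.Settle(tk), "/ second settle:", p.Settle(tk)) // <nil> / duplicate submission ...
}
```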

Payment URLs send the encoded information to the payment server. In other words, the payment URL directs the customer's browser to the payment server, which authenticates the user by asking her for the account number and other identification information. If the information entered by the customer is valid and funds are available, the payment server processes the payment transaction. The payment server then redirects the user's browser (using an HTTP redirect operation) to the purchased item with an access URL, which encodes the details of the payment transaction (the amount, what was purchased, and duration). The access URL is effectively a digital invoice that has been stamped "paid" by the payment server. It provides evidence to the merchant that the user has paid for the information and provides a receipt that grants the user access. The access URL is the original target URL sent by the merchant's server, with additional fields that contain details of the access: expiration time (optional) and user's address (to prevent sharing). The merchant runs an HTTP server that is modified to process access URLs (HTTP redirects). The server checks the validity of the URL and grants access if the expiration time has not passed. If access has expired, the server returns a page that may give the user an opportunity to repurchase the item. The payment system can also generate access URLs in a format that can be parsed by CGI scripts running on an unmodified HTTP server.

Once a customer is authenticated, the payment is automatically processed. The payment server implements a modular payment architecture where accounts can be backed by different types of financial instruments: credit card accounts, prepaid accounts, billed accounts, debit cards, and other payment mechanisms. For credit card accounts, the payment system has a real-time connection to the credit card clearing network. The system can authorize payment in real time based on the profile of the transaction and the user. The system supports small transactions by accumulating them and settling them in aggregate. All transactions are recorded in a user's on-line statement. The statement is a summary of recent purchases, and each summary line is a hypertext link. For information goods, this is a link back to the purchased item. If access has expired, the merchant's server will give the user the opportunity to repurchase the item. For non-information goods, the link may point to an order status or summary page.
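An added example, not the page's or any product's code, of issuing and checking an access URL as described above: the payment server appends amount, item, user address and expiry to the merchant's target URL and stamps it "paid", and the merchant's server verifies the stamp, the address binding and the expiry before granting access (returning a distinct error on expiry so a repurchase page can be shown). The shared HMAC-SHA256 key and the field names are assumptions; the page does not specify how the stamp is produced.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Added example, not the page's or any product's code. It assumes the payment
// server and the merchant's server share a secret key for the "paid" stamp; the
// page does not say how the stamp is made, so HMAC-SHA256 is a stand-in.

// accessFields are the fields the payment server appends to the target URL.
var accessFields = []string{"amount", "item", "addr", "exp", "sig"}

// ErrExpired lets the merchant's server offer a repurchase page rather than fail.
var ErrExpired = errors.New("access URL has expired")

type PaymentServer struct{ Key []byte } // stamps target URLs after payment
type Merchant struct{ Key []byte }      // checks access URLs before serving

// canonical is the exact string the stamp covers: the original target URL
// (query sorted) and every added field except the stamp itself.
func canonical(target string, amount int, item, addr string, exp int64) string {
	return fmt.Sprintf("%s|%d|%s|%s|%d", target, amount, item, addr, exp)
}

func stamp(key []byte, s string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(s))
	return mac.Sum(nil)
}

// IssueAccessURL builds the access URL: the merchant's target URL plus the
// amount, item, the user's address and an expiry, all covered by the stamp.
func (ps PaymentServer) IssueAccessURL(target string, amount int, item, userAddr string, expires time.Time) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	q := u.Query()
	u.RawQuery = q.Encode() // sorted form of the target's own query
	exp := expires.Unix()
	sig := stamp(ps.Key, canonical(u.String(), amount, item, userAddr, exp))
	q.Set("amount", strconv.Itoa(amount))
	q.Set("item", item)
	q.Set("addr", userAddr)
	q.Set("exp", strconv.FormatInt(exp, 10))
	q.Set("sig", base64.RawURLEncoding.EncodeToString(sig))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// CheckAccessURL is the merchant-side check: verify the stamp before trusting
// any field, then the address binding, then the expiry. It returns the item.
func (m Merchant) CheckAccessURL(raw, clientAddr string, now time.Time) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	amount, errA := strconv.Atoi(q.Get("amount"))
	exp, errE := strconv.ParseInt(q.Get("exp"), 10, 64)
	got, errS := base64.RawURLEncoding.DecodeString(q.Get("sig"))
	if errA != nil || errE != nil || errS != nil {
		return "", errors.New("malformed access URL")
	}
	item, addr := q.Get("item"), q.Get("addr")
	for _, k := range accessFields { // recover the original target URL
		q.Del(k)
	}
	u.RawQuery = q.Encode()
	if !hmac.Equal(got, stamp(m.Key, canonical(u.String(), amount, item, addr, exp))) {
		return "", errors.New("stamp does not verify: not issued by the payment server, or altered")
	}
	if addr != clientAddr {
		return "", errors.New("access URL is bound to a different user address")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", ErrExpired
	}
	return item, nil
}

func main() {
	key := []byte("constructed shared key") // constructed sample key
	ps, m := PaymentServer{Key: key}, Merchant{Key: key}
	now := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	access, _ := ps.IssueAccessURL("https://merchant.example/articles/42?lang=en", 2, "article-42", "203.0.113.7", now.Add(time.Hour))
	item, err := m.CheckAccessURL(access, "203.0.113.7", now)
	fmt.Println(item, err) // article-42 <nil>
	_, err = m.CheckAccessURL(access, "203.0.113.7", now.Add(2*time.Hour))
	fmt.Println(err) // access URL has expired
}
```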

Figure 15.2 On-line payment process using a third-party processor

Summary:
Electronic checks are another form of electronic tokens. They are designed to accommodate the many individuals and entities that might prefer to pay on credit or through some mechanism other than cash.
The enormous potential of electronic tokens is currently stunted by the lack of a widely accepted and secure means of transferring money on-line.
Smart cards are credit and debit cards and other card products enhanced with microprocessors capable of holding more information than the traditional magnetic stripe.
Smart cards are basically of two types: relationship-based smart credit cards and electronic purses.
Encryption is instantiated when credit card information is entered into a browser or other electronic commerce device and sent securely over the network from buyer to seller as an encrypted message.

Topic:
Introduction
Advantages and disadvantages of credit cards
Managing credit risk
Summary

Objectives:
Understand the advantages and disadvantages of using credit cards.
Describe the infrastructure required to support credit card processing.

In the previous lectures we have learnt a lot about the use of credit cards. Also we have seen the security aspect of using credit cards. Today we will take a look at the business pros and cons of credit card-based payment.

Third-party processing for credit cards entails a number of pros as well as cons. These companies are chartered to give credit accounts to individuals and act as bill collection agencies for businesses. Consumers use credit cards by presenting them for payment and then paying an aggregate bill once a month. Consumers pay either a flat fee or individual transaction charges for this service. Merchants get paid for the credit card drafts that they submit to the credit card company. Businesses get charged a transaction charge ranging from 1 percent to 3 percent for each draft submitted.

Credit cards have advantages over checks in that the credit card company assumes a larger share of financial risk for both buyer and seller in a transaction. Buyers can sometimes dispute a charge retroactively and have the credit card company act on their behalf. Sellers are assured that they will be paid for all their sales; they needn't worry about fraud. This translates into a convenience for the buyer, in that credit card transactions are usually quicker and easier than check (and sometimes even cash) transactions. One disadvantage of credit cards is that their transactions are not anonymous, and credit card companies do in fact compile valuable data about spending habits.

Record keeping with credit cards is one of the features consumers value most because of disputes and mistakes in billing. Disputes may arise because different services may have different policies. For example, an information provider might charge for partial delivery of a file (the user may have abandoned the session after reading part of the file), and a movie distributor might charge depending on how much of the video had been downloaded. The cause of interrupted delivery needs to be considered in resolving disputes (e.g., intentional customer action versus a problem in the network or the provider's equipment). In general, implementing payment policies will be simpler when payment is made by credit rather than with cash.

The complexity of credit card processing takes place in the verification phase, a potential bottleneck. If there is a lapse in time between the charging and the delivery of goods or services (for example, when an airline ticket is purchased well in advance of the date of travel), the customer verification process is simple because it does not have to be done in real time. In fact, all the relaying and authorizations can occur after the customer-merchant transaction is completed, unless the authorization request is denied. If the customer wants a report (or even a digital airline ticket), which would be downloaded into a PC or other information appliance immediately at the time of purchase, however, many message relays and authorizations take place in real time while the customer waits. Such exchanges may require many sequence-specific operations such as staged encryption and decryption and exchanges of cryptographic keys.

Encryption and transaction speed must be balanced, however, as research has shown that on-line users get very impatient and typically wait for 20 seconds before pursuing other actions. Hence, on-line credit card users must find the process to be accessible, simple, and fast. Speed will have design and cost implications, as it is a function of network capabilities, computing power available at every server, and the specific form of the transaction. The infrastructure supporting the exchange must be reliable. The user must feel confident that the supporting payment infrastructure will be available on demand and that the system will operate reasonably well regardless of component failures or system load conditions. The builders and providers of this infrastructure are aware of customer requirements and are in fierce competition to fulfill those needs.

There is also no question that banks and other financial institutions must resolve many key issues before offering on-line processing services in e-commerce markets. Should they go it alone or form a partnership, and with whom? What technology to use? What services to offer? Which consumers are interested and who should be targeted? A wide variety of organizations are jumping into the fray. Regional electronic funds transfer (EFT) networks, credit card associations, equipment vendors, data processors, software developers, bill payment companies, and telecommunications providers are all wooing banks with the goal of building the transaction processing infrastructure on the Internet.

Infrastructure for On-Line Credit Card Processing

Competition among these players is based on service quality, price, processing system speed, customer support, and reliability. Most third-party processors market their services directly to large regional or national merchants rather than through financial institutions or independent sales organizations. Barriers to entry include (1) large initial capital requirements, (2) ongoing expenses related to establishing and maintaining an electronic transaction processing network, (3) the ability to obtain competitively priced access to an existing network, and (4) the reluctance of merchants to change processors.

What exactly is at stake here? A lot. In the emerging world of e-commerce, the companies that own the transaction infrastructure will be able to charge a fee, much as banks do today with ATMs. This could be extremely profitable. Microsoft, VISA, and other companies understand that they have to do something. If they wait for a clear path to emerge, it will be "too little too late." They know all too well that e-commerce transaction architectures (similar to MS-DOS or Windows) on which other e-commerce applications are developed will be very profitable.

Many companies are developing advanced electronic services for home-based financial transactions, and software companies are increasingly allying with banks to sell home banking. Eventually, the goal would be to offer everything from mutual funds to brokerage services over the network. Many banks are concerned about this prospect and view it as an encroachment on their turf. After years of dabbling, mostly unsuccessfully, with remote banking, banking is receiving a jarring message: get wired or lose customers.

The traditional roles are most definitely being reshuffled, and electronic payment on the Internet can have a substantial effect on transaction processing in the "real" (non-electronic) world. According to some estimates, transaction processing services account for as much as 25 percent of non-interest income for banks, so banks clearly stand to lose business. Why banks are on the defensive is obvious if we look at banking in the last ten years. A decade ago, banks processed 90 percent of all bank card transactions, such as VISA and MasterCard. Today, 70 percent of those transactions are processed by nonbanks such as First Data Resources. If software companies and other interlopers become electronic toll-takers, banks could become mere homes for deposits, not the providers of lucrative value-added services. Even more worrisome, banks could lose the all-important direct link of being the customer's primary provider of financial services, which lets them hawk profitable services. The effect of electronic commerce on the banking industry has been one of total confusion. To be fair, things are happening so fast in this area that it's hard to keep up with it all. Let's see some of the risks involved in electronic payment systems.

Risks from Mistakes and Disputes: Consumer Protection

Virtually all electronic payment systems need some ability to keep automatic records, for obvious reasons. From a technical standpoint, this is no problem for electronic systems. Credit and debit cards have them, and even the paper-based check creates an automatic record. Once information has been captured electronically, it is easy and inexpensive to keep (it might even cost more to throw it away than to keep it). For example, in many transaction processing systems, old or blocked accounts are never purged and old transaction histories can be kept forever on magnetic tape. Given the intangible nature of electronic transactions and dispute resolution relying solely on records, a general law of payment dynamics and banking technology might be: no data need ever be discarded. The record feature is an after-the-fact transcription of what happened, created without any explicit effort by the transaction parties. Features of these automatic records include (1) permanent storage; (2) accessibility and traceability; (3) a payment system database; and (4) data transfer to payment maker, bank, or monetary authorities. The need for record keeping for purposes of risk management conflicts with the transaction anonymity of cash. One can say that anonymity exists today only because cash is a very old concept,

Page 84: ECOM

invented long before the computer and networks gave us theability to track everything. Although a segment of the payment makingpublic will always desire transaction anonymity, many believe that anonymity runs counter to the public welfare because too many tax, smuggling, and/or money laundering possibilities exist. The anonymity issue raises the question: Can electronic payments hap-pen without an automatic record feature? Many recent payment systems seem to be ambivalent on this point. For instance, the Mondex electronic purse touts equivalence with cash, but its electronic wallets are designed to hold automatic records of the card’s last twenty transactions with a statement built in. Obviously, the card-reading terminals, machines, ortelephones could all maintain records of all transactions and theyprobably ultimately will. With these records, the balance on anysmart card could be reconstructed after the fact, thus allowing foradditional protection against loss or theft. This would certainlyadd some value versus cash. In sum, anonymity is an issue thatwill have to be addressed through regulation covering consumerprotection in electronic transactions. There is considerable debateon this point. An anonymous payment system without automaticrecord keeping will be difficult for bankers and governments toaccept. Were the regulation to apply, each transaction would have

Page 85: ECOM

to be reported, meaning it would appear on an account statementmaking mistakes and disputes easier to resolve. However,customers might feel that all this record keeping is an invasion ofprivacy resulting in slower than expected adoption of electronicpayment systems. The next risk involved is the privacy of the customer making a purchase.

Managing Information Privacy

The electronic payment system must ensure and maintain privacy. Every time one purchases goods using a credit card, subscribes to a magazine or accesses a server, that information goes into a database somewhere. Furthermore, all these records can be linked so that they constitute in effect a single dossier. This dossier would reflect what items were bought and where and when. This violates one of the unspoken laws of doing business: that the privacy of customers should be protected as much as possible. All details of a consumer’s payments can easily be aggregated: where, when, and sometimes what the consumer buys is stored. This collection of data tells much about the person and as such can conflict with the individual’s right to privacy. Users must be assured that knowledge of transactions will be confidential, limited only to the parties involved and their designated agents (if any). Privacy must be maintained against eavesdroppers on the network and against unauthorized insiders. The users must be assured that they cannot be easily duped, swindled, or falsely implicated in a fraudulent transaction. This protection must apply throughout the whole transaction protocol by which a good or service is purchased and delivered. This implies that, for many types of transactions, trusted third-party agents will be needed to vouch for the authenticity and good faith of the involved parties.

Managing Credit Risk

Credit or systemic risk is a major concern in net settlement systems because a bank’s failure to settle its net position could lead to a chain reaction of bank failures. The digital central bank must develop policies to deal with this possibility. Various alternatives exist, each with advantages and disadvantages. A digital central bank guarantee on settlement removes the insolvency test from the system because banks will more readily assume credit risks from other banks. Without such guarantees the development of clearing and settlement systems and money markets may be impeded. A middle road is also possible, for example, setting controls on bank exposures (bilateral or multilateral) and requiring collateral. If the central bank does not guarantee settlement, it must define, at least internally, the conditions and terms for extending liquidity to banks in connection with settlement.

Despite cost and efficiency gains, many hurdles remain to the spread of electronic payment systems. These include several factors, many non-technical in nature, that must be addressed before any new payment method can be successful. Let’s see what hurdles we have to pass for successful implementation of Electronic Payment Systems.

Designing Electronic Payment Systems

Privacy. A user expects to trust in a secure system; just as the telephone is a safe and private medium free of wiretaps and hackers, electronic communication must merit equal trust.

Security. A secure system verifies the identity of two-party transactions through “user authentication” and reserves flexibility to restrict information/services through access control. Tomorrow’s bank robbers will need no getaway cars, just a computer terminal, the price of a telephone call, and a little ingenuity. Millions of dollars have been embezzled by computer fraud. No systems are yet fool-proof, although designers are concentrating closely on security.

Intuitive interfaces. The payment interface must be as easy to use as a telephone. Generally speaking, users value convenience more than anything.

Database integration. With home banking, for example, a customer wants to play with all his accounts. To date, separate accounts have been stored on separate databases. The challenge before banks is to tie these databases together and to allow customers access to any of them while keeping the data up-to-date and error free.

Brokers. A “network banker”, someone to broker goods and services, settle conflicts, and facilitate financial transactions electronically, must be in place.

One fundamental issue is how to price payment system service. For example, should subsidies be used to encourage users to shift from one form of payment to another, from cash to bank payments, from paper-based to e-cash? The problem with subsidies is the potential waste of resources, as money may be invested in systems that will not be used. Thus investment in systems not only might not be recovered but substantial ongoing operational subsidies will also be necessary. On the other hand, it must be recognized that without subsidies, it is difficult to price all services affordably.

Standards. Without standards, the welding of different payment users into different networks and different systems is impossible. Standards enable interoperability, giving users the ability to buy and receive information, regardless of which bank is managing their money.

None of these hurdles are insurmountable. Most will be jumped within the next few years. These technical problems, experts hope, will be solved as technology is improved and experience is gained. The biggest question concerns how customers will take to a paperless and (if not cashless) less-cash world.

Summary:
Credit cards have advantages over checks in that the credit card company assumes a larger share of financial risk for both buyer and seller in a transaction.
One disadvantage to credit cards is that their transactions are not anonymous, and credit card companies do in fact compile valuable data about spending habits.
Record keeping with credit cards is one of the features consumers value most because of disputes and mistakes in billing.
The electronic payment system must ensure and maintain privacy, security, intuitive interfaces, brokers and standards.

UNIT IV
Topic:
Introduction
Technical elements of an EDI
EDI Standards
Summary

Objectives
Understand details of the technical elements of an EDI system: EDI Standards

EDI, as discussed before, stands for Electronic Data Interchange.


This is one of the applications of E Commerce which makes Business to Business transactions possible over a network. Electronic data interchange (EDI) is a technology poised for explosive growth in use as the Internet provides an affordable way for businesses to connect and exchange documents with customers and suppliers of any size. EDI is the electronic exchange of business documents, data, and other information in a public standard format. It cuts the cost of managing business-to-business transactions by eliminating the need for labor-intensive manual generation and processing of documents.

In this lecture we will discuss the EDI standards, the EDI networks and the EDI software that interfaces these two elements and the business applications. These elements together with the EDI Agreement are covered in detail in this lecture. Let’s start with EDI Standards.

EDI Standards

At the heart of any EDI application is the EDI standard. The essence of EDI is the coding and structuring of the data into a common and generally accepted format - anything less is nothing more than a system of file transfers. Coding and structuring the documents for business transactions is no easy matter. There have been a number of EDI standards developed in various industry sectors or within a specific country and there are complex committee structures and procedures to support them. Following on from the various sectorial and national EDI standards is the United Nations (UN) EDI Standard: EDIFACT. This is the standard that should be adopted for any new EDI application.

Now the question arises: why do we require EDI standards? EDI provides an electronic linkage between two trading partners. Business transactions are output from the sending computer system, transmitted or transported in electronic format and input into the second, receiving computer system. The computer systems that exchange data need a common format; without a common format the data is meaningless. Two organizations that exchange data can, with relative ease, agree a format that meets their mutual needs. As the network of exchanges develops, the number of organizations needing to be party to the agreement grows. To illustrate this, assume a network of three customers (say supermarkets) ordering goods from four suppliers (food manufacturers), see Figure 8.1.

Fig. 8.1 Interchanges between Customers and Suppliers.

The network in Figure 8.1 has 12 separate interchanges. It is unlikely that each of these exchanges would have its own format but it is perfectly possible that each customer would have developed its own standards (giving each supplier three separate standards to cope with). It is also possible that new exchanges added to the system will have requirements not envisaged when the data formats were originally agreed; this would require a change to the existing standard or the introduction of an additional standard. The overall picture is one of unnecessary complexity and incompatibility.

EDI standards overcome these difficulties. The EDI standard provides, or attempts to provide, a standard for data interchange that is:
Ready formulated and available for use;
Comprehensive in its coverage of the data requirements for any given transaction;
Independent of hardware and software;
Independent of the special interest of any party in the trading network.

ELECTRONIC DATA INTERCHANGE

EDI Standards provide a common language for the interchange of standard transactions. Most of the work on EDI standards has been concerned with the interchange of trade documentation and financial transactions but the principle applies to any interchange where the data can be systematized and codified. EDI standards are used for the interchange of information as diverse as weather station readings and school exam results. Now let’s see how the various standards evolved.

National and Sectorial Standards

Evolution of EDI Standards

The first EDI standards evolved from the formats used for file transfer of data between computer applications. The evolution of EDI standards can be seen as having three stages (although in practice it was and is somewhat more complex than that):
1. The first formats that might properly be called EDI were developed by organizations that had to process data from a large number of customer organizations. The data recipients set the standard and the customers conformed to it.
2. The concept of EDI as an application independent interchange standard evolved and several industry sector and / or national standards bodies developed EDI standards to meet the needs of a specific user community.
3. The requirements of international and cross sector trade meant that the sector and national standards were becoming an impediment to the further development of electronic trading. EDIFACT was developed, under the auspices of the United Nations (UN), as a universal standard for commercial EDI.

Early EDI Applications

An example of an early EDI application in the UK was the BACS system. BACS was and is a consortium of the major banks that provides an automated clearing service for the transfer of money between bank accounts. Many organisations that made a significant number of payments (including the payroll) use this service. Users of the BACS system recorded the information they would have printed as cheques on a computer file in accordance with the format required by BACS. The data was then sent to BACS where the payments were processed without the delay, expense and risk of paper documents and manual data input. The use of the system was made much easier by the availability, for most types of computer, of standard software that output the payment data in the required format. In the early days the computer file would be recorded on a magnetic tape and couriered to the BACS headquarters. Subsequently an online submission facility was added to the service.

Sector and National EDI Standards

The use of EDI on systems such as BACS and the more general use of online systems demonstrated the potential of EDI for the exchange of general business documents. A number of trade sector organizations understood this potential and developed EDI formats for use in their sector. Some of the more notable examples are:

ODETTE
An EDI format developed for, and widely used in, the European motor industry. ODETTE stands for the Organisation for Data Exchange by Teletransmission in Europe. ODETTE was predated by VDA, a standard developed, and still used, by the German motor industry. The motor industry is planning to move from VDA and ODETTE to EDIFACT when the standards are stable and their requirements are fully met. One problem they have is that the EDIFACT standard, with its wider application and more bureaucratic procedures, is slower to react to evolving needs than is the case with the sector based ODETTE standard.

TRADACOMS
A UK EDI standard for general trade developed by the ANA (Article Numbering Association) in 1982. TRADACOMS evolved to become the predominant UK EDI standard with widespread application in the retail and catering trades (this was in the late 1980s / early 1990s when Britain accounted for half the European EDI activity). Other European countries also developed their own standards for retail / general trade; examples of such standards are SEDAS in Germany and GENCOD in France. TRADACOMS and the other national standards mentioned here are looking to evolve to, or convert to, EDIFACT - a slow process given the investment in the existing standards. (The ANA is the body responsible for the allocation and administration of the product codes used for the bar codes on grocery and other items - product coding has an important role to play in EDI systems.)

ANSI X12
EDI in North America developed with differing standards in the various business sectors. Examples of such standards are UCS for the grocery industry and ORDERNET for the pharmaceutical trade (Sokol, 1989). Electronic trade had developed rapidly in North America and the problems of cross sector trade were becoming apparent. The problem was taken up by the American National Standards Institute (ANSI) and X12 was developed as a national standard with the aim of replacing the various sector standards.

The International EDI Standard

As already outlined, EDI developed in closed user communities within trade sectors and / or national boundaries. The use of sector and national standards for this type of trade was satisfactory. However, as electronic trade developed to cover wider trading relationships there is a growing problem of trade between organisations using different EDI standards. In addition to the problem of cross sector trade there is a desire to use EDI for international trade. This (sensibly) requires a common format for the exchange of the standard business forms (order, invoice, etc.) between organisations in differing countries. International trade also requires a great deal of additional documentation for shipping, customs authorities, international credit arrangements, etc. - all of this is potentially electronic and obviously a common format is very desirable. To facilitate this cross sector and international development of EDI the EDIFACT standard has been, and is being, developed.

EDIFACT is the United Nations standard of Electronic Data Interchange for Administration, Commerce and Transport. The EDIFACT standard was born in the mid-1980s out of a United Nations Economic Commission for Europe (UNECE) committee and is supported by the Commission of the European Union. Underlying the EDIFACT initiative are various UN attempts to standardize on trade documentation. These specify, for example, standards for the layouts of invoices (a provision of some importance for organisations processing many hundreds of invoices from numerous sources). Notable amongst the standards documentation is the UN Trade Data Element Directory, a subset of which forms the EDIFACT Data Element Directory.

EDIFACT effectively assumed a world role when the Americans accepted it as the world standard (while retaining their own ANSI X12 standard for domestic use in the short term). The acceptance by the North Americans of EDIFACT as the international standard was somewhat surprising. ANSI had done a lot of development work on the X12 standard and EDIFACT was, at that time, essentially a European standard.

Since 1988 the use of EDI has been vigorously promoted by the European Union (EU) through its TEDIS programme. TEDIS has promoted EDI through sectorial organisations but has also emphasised intersectorial trade. EDIFACT is seen as the common standard and as vital for electronic trade within the ‘single market’ - funds have been made available for industry sectors to change from their existing EDI standard to EDIFACT. EDIFACT has been adopted as the EDI standard of choice by countries and sectors new to EDI. In Europe, countries such as the Netherlands, Denmark and Norway have been noted for their recent development of EDI with EDIFACT as the predominant standard. Electronic trade is also developing outside Europe and North America; Australia and Singapore have been much written about with EDIFACT being the standard of choice. The importance of a single international standard has been recognised by many sectors currently using their own EDI standards. Many sector and national standards are being replaced or are ‘evolving’ towards the EDIFACT standard - included in this process are ODETTE, TRADACOMS and ANSI X12, a development already mentioned above.

The EDIFACT Standard

The EDIFACT standard, like all other EDI standards, is about the exchange of (electronic) documents - for EDIFACT each document type is referred to as a message. For trade purposes the documents include order, dispatch advice, invoice, payment order and remittance advice. For transmission purposes EDIFACT messages are sent in an electronic envelope known as an interchange. Note this is the data standard and is separately defined from any enveloping requirement of the transmission protocol. Within that interchange there may well be a number of messages. Messages equate to the trade documents, and order and invoice are prime examples.

The messages themselves are made up of a series of data segments. Data segments encode a single aspect of the trade document, for instance the order date or the buyer’s name and address. Each EDIFACT message specifies a great number of data segments and individual data segments may be components of a number of messages. The users of the message select the data segments that are applicable to their particular needs. Data segments are, in turn, made up of a tag and a number of data items. The tag identifies the data segment and the data elements give the codes and / or values required in the document (message). The data elements include the codes and values for items such as date and address code but they are frequently used in combination with type or qualifier data items to specify the format of the data and its use; for instance a date could be the order date and be in eight digit century format. The requirement to use data elements together forms a composite data element. This structure of the EDIFACT message is shown in Figure 8.2. The functional groups have been omitted; these are an intermediary level between the interchange and the message but they are not normally implemented.

Fig. 8.2 EDIFACT Structure Chart (Simplified).

Coding Standards

The EDI standard provides the common format for the message but just as important is the ability to correctly interpret the data held within that format. Data in computer systems normally has a code as a key. Computer systems have codes for customers, suppliers, products and so on. For EDI it is preferable to send the codes rather than the associated names, addresses and descriptions. The use of codes cuts down the size of the transmitted message and, provided the codes are mutually agreed, they can be used to match the appropriate records in the receiving computer system.

EAN/UPC Codes

For the grocery and general retail trade there are standard systems of coding. These are used for bar codes on merchandise and to identify address points within the participating organisations; they are also used in EDI messages. The two main systems are:
EAN - European Article Number
UPC - Universal Product Code (American)
The coding systems are administered by the national Article Numbering Associations (ANA). These organizations have also been closely involved in the development of EDI; the British ANA developed the TRADACOMS EDI standard that was discussed earlier in this chapter. The EAN and the UPC systems are similar. The EAN is a 13 digit code with a two digit country code whereas the UPC is a 12 digit code with only a single digit for the country. The makeup of the EAN code is shown in Figure 8.3.

Fig. 8.3 EAN Coding System.

The check digit calculation, for the product code, uses a modulus 10 algorithm. This is calculated by multiplying alternate digits of the code by 1 and 3 respectively. The results of these multiplications are summed and the check digit is the difference between that sum and the next highest multiple of 10, see Figure 8.4.

Fig. 8.4 EAN Check Digit Calculation.

For very small items, eight digit (EAN-8) codes can be allocated. This is so that the smaller bar code can be printed on individual items. The EAN code in the example above is a product code for a 420 gram tin of Heinz Baked Beans. Each Heinz product has the same manufacturer’s prefix but a different item code allocated by the company, for example:
Baked Beans - 420 gram tin: 50 00157 00171 9
Cream of Tomato Soup - 300 gram tin: 50 00157 00207 5
Baked Beans - 205 gram tin: 50 00157 00023 1
In the EDI Order message these codes can be used in the order line, e.g. the line: LIN+1++5000157001719:EN'

EAN address point codes are used in EDI messages to identify the sender and receiver of the message. Address point codes are similar to the product code; the country and manufacturer’s prefix are the same as for the company’s products but the check digit calculation differs for the two usages. The sender of the order may wish to specify a number of locations; for instance an order, in addition to the buyer and supplier, might identify: the Delivery Point - the warehouse where the goods will be delivered; the Invoice Point - the head office where the invoice is to be sent. The EDIFACT order message provides for up to 20 name and address segments (NAD) to be sent in an order.

Generic Products

EAN codes are appropriate for ordering branded products. They are not applicable where the requirement is for a generic product. This circumstance may not arise when baked beans are ordered (we all tend to have our preferences for a particular brand) but the order might be for:
A generic product, e.g. red biros (any old red biros), or
A commodity product, e.g. sheet steel or paper.
Product coding in these circumstances is either agreed between customer and supplier or there is an agreement on an industry sector basis. The paper and board trade is one such industry where coding conventions have been agreed - to specify grams / sq. cm, direction of fibre, size of sheet, etc. Coupled with such a convention is the need for an understanding of the ‘pack quantity’. It is unfortunate if an order for 1,000 sheets of paper is interpreted as an order for 1,000 reams (and it has happened!).

Summary:
The essence of EDI is the coding and structuring of the data into a common and generally accepted format - anything less is nothing more than a system of file transfers.
The first EDI standards evolved from the formats used for file transfer of data between computer applications.
An example of an early EDI application in the UK was the BACS system.
To facilitate the cross sector and international development of EDI the EDIFACT standard has been, and is being, developed. EDIFACT is the United Nations standard of Electronic Data Interchange for Administration, Commerce and Transport.

Topic:
Introduction
EDI Network
Summary
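Before moving on to EDI networks, the modulus 10 check digit rule and the LIN order line from the coding standards section above, worked through in code. This is an added example, not part of the original lecture: it verifies the three Heinz codes quoted there and parses the quoted LIN segment; it assumes the default EDIFACT separators ('+', ':' and the "'" terminator) and does not handle the '?' release character. The check digit function is written generally, so it also covers the EAN-8 codes the text mentions.

```python
"""Added example: EAN check digit (modulus 10) and EDIFACT LIN item parsing."""
from dataclasses import dataclass
from typing import Optional, Tuple


def ean_check_digit(data_digits: str) -> int:
    """Return the modulus-10 check digit for the data digits of an EAN code.

    Walking leftwards from the rightmost data digit, digits are weighted
    3, 1, 3, 1, ...  For a 12-digit EAN-13 body this is the 1, 3, 1, 3, ...
    pattern from the left that the lecture describes; the same rule also gives
    the EAN-8 check digit (7 data digits, weighted 3, 1, 3, ... from the left).
    """
    if not data_digits.isdigit():
        raise ValueError("EAN data digits must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(data_digits)):
        total += int(ch) * (3 if i % 2 == 0 else 1)
    # Difference between the sum and the next highest multiple of 10;
    # when the sum already is a multiple of 10 the check digit is 0.
    return (10 - total % 10) % 10


def is_valid_ean(code: str) -> bool:
    """Validate a full EAN-13 or EAN-8 code; spaces as printed in the text are ignored."""
    code = code.replace(" ", "")
    if len(code) not in (8, 13) or not code.isdigit():
        return False
    return ean_check_digit(code[:-1]) == int(code[-1])


@dataclass
class LineItem:
    line_number: int          # first data element of LIN: the line item number
    item_number: str          # first component of the item number composite
    item_type: Optional[str]  # qualifier component, e.g. "EN" for an EAN number


def parse_lin_segment(segment: str) -> LineItem:
    """Parse an EDIFACT LIN segment such as  LIN+1++5000157001719:EN'

    Data elements are separated by '+', composite components by ':' and the
    segment ends with the terminator "'".  The '?' release character used to
    escape separators is not handled (simplification for this example).
    """
    elements = segment.strip().rstrip("'").split("+")
    if elements[0] != "LIN":
        raise ValueError(f"not a LIN segment: {elements[0]!r}")
    if len(elements) < 4 or not elements[3]:
        raise ValueError("LIN segment carries no item number composite")
    components = elements[3].split(":")
    item_type = components[1] if len(components) > 1 and components[1] else None
    return LineItem(int(elements[1]), components[0], item_type)


def validate_order_line(segment: str) -> Tuple[LineItem, bool]:
    """Parse a LIN segment and report whether it carries a well-formed EAN code.

    A receiving order-processing system would reject lines whose code fails the
    check digit instead of trying to match them against its product file.
    """
    item = parse_lin_segment(segment)
    return item, item.item_type == "EN" and is_valid_ean(item.item_number)


if __name__ == "__main__":
    # The three Heinz codes quoted in the text, in their printed spaced form.
    for printed in ("50 00157 00171 9", "50 00157 00207 5", "50 00157 00023 1"):
        print(printed, "valid" if is_valid_ean(printed) else "INVALID")
    print(validate_order_line("LIN+1++5000157001719:EN'"))
```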

Objectives
Understand details of the technical elements of an EDI system: EDI Networks

After discussing EDI standards and coding, let’s see how the transmission of electronic data takes place and what the requirements for this electronic transmission are.

EDI Communications

The EDI standard specifies the syntax for the coding of the electronic document; it does not specify the method of transmission. The transmission of the electronic document can be:
A magnetic tape or diskette that is posted or dispatched using a courier service.
A direct data communications link.
A value added data service (VADS), also known as a value added network (VAN).

The physical transfer of magnetic tape or diskette is one way of transmitting EDI messages. However, one of the advantages of EDI is speed of transmission and this is hardly facilitated by the physical transportation of the diskette or tape. For this, and other reasons, this way of transmitting EDI is declining in popularity. The use of direct data communications links is the second possibility. It can be appropriate for trading relationships where there are large data volumes or where there are only one or two trading partners involved. It does, however, have a number of complications. It presumes that the trading partners agree transmission times, protocols and line speeds – requirements that become complex when there are several trading partners, some of them involved in a number of trading relationships. The final possibility is the use of a VADS. These can provide a number of facilities but the essential one is the use of postboxes and mailboxes to provide ‘time independence’ and ‘protocol independence’. The facilities of a VADS are further discussed in the following sections.

Postboxes and Mailboxes

The basic facility of a VADS is a post and forward network. This network is centered on a computer system with communications facilities. For each user of the system there are two files:
The postbox - where outgoing messages are placed.
The mailbox - where incoming messages can be picked up.
Taking the trading network shown at Figure 12.1, the postbox and mailbox arrangement of the VADS would be as shown at Figure 9.1.

Fig. 9.1 VADS – Postbox and Mailbox Files.

If Sava Store, for example, needed to place orders for bread, meat and vegetables then it formats an EDI interchange containing a number of orders for those three suppliers. The sequence of events would then be:
Sava Store establishes a communication link to the VADS system. Sava Store makes extensive use of the system and has a leased line communications link.
The VADS computer system inspects postboxes, unpacks the interchanges, moves any available messages (orders in this case) to the mailbox of the intended recipients and repackages them as new interchanges. The inspection of postboxes is frequent and, to all intents and purposes, the interchanges are immediately available to the recipient.
The users of the system establish a communication link to the VADS system at their convenience. Best Bread is the first user of the system to come online; in this case the communications link is a dial-up line.
Best Bread inspects its mailbox for new interchanges. On finding the order from Sava Store (and possibly further interchanges from other customers) it causes them to be transmitted to its own order processing system.
The EDI interchange is then available for processing in the user’s application. See Figure 9.2 for a diagram of this interchange taking place.
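The sequence just described (postbox, VADS inspection, per-recipient repackaging, mailbox pickup) as an added simulation; this is example code, not part of the original lecture or of any real VADS product. It assumes a constructed Sava Store interchange using the EDIFACT UNB/UNZ interchange envelope and UNH/UNT message envelopes, and that the VADS finds each order's intended recipient from the message's NAD+SU (supplier) segment; the supplier names other than Best Bread are made up, and the '?' release character is not handled.

```python
"""Added example: VADS postbox/mailbox store-and-forward routing of EDIFACT interchanges."""
from collections import defaultdict
from typing import DefaultDict, List

SEG_TERM = "'"  # default EDIFACT segment terminator

# Constructed interchange: Sava Store's orders for three suppliers in one interchange.
# Supplier names other than Best Bread are made up; the item codes reuse the lecture's
# Heinz EAN numbers purely as syntactically valid article numbers.
SAVA_INTERCHANGE = (
    "UNB+UNOA:1+SAVASTORE+VADS+990601:0930+00001'"
    "UNH+1+ORDERS:D:96A:UN'BGM+220+SS1001+9'NAD+BY+SAVASTORE::9'"
    "NAD+SU+BESTBREAD::9'LIN+1++5000157001719:EN'UNT+6+1'"
    "UNH+2+ORDERS:D:96A:UN'BGM+220+SS1002+9'NAD+BY+SAVASTORE::9'"
    "NAD+SU+MEATCO::9'LIN+1++5000157002075:EN'UNT+6+2'"
    "UNH+3+ORDERS:D:96A:UN'BGM+220+SS1003+9'NAD+BY+SAVASTORE::9'"
    "NAD+SU+VEGCO::9'LIN+1++5000157000231:EN'UNT+6+3'"
    "UNZ+3+00001'"
)


def unpack_messages(interchange: str) -> List[List[str]]:
    """Strip the UNB/UNZ envelope and return each UNH..UNT message as a segment list.

    The UNT and UNZ counts are verified so that a truncated or corrupted
    interchange is rejected rather than forwarded.
    """
    segs = [s for s in interchange.split(SEG_TERM) if s.strip()]
    if len(segs) < 2 or not segs[0].startswith("UNB+") or not segs[-1].startswith("UNZ+"):
        raise ValueError("missing UNB/UNZ interchange envelope")
    messages: List[List[str]] = []
    current: List[str] = []
    for seg in segs[1:-1]:
        if seg.startswith("UNH+"):
            if current:
                raise ValueError("UNH inside an unterminated message")
            current = [seg]
        elif seg.startswith("UNT+"):
            current.append(seg)
            if int(seg.split("+")[1]) != len(current):  # UNT counts UNH..UNT inclusive
                raise ValueError("UNT segment count mismatch")
            messages.append(current)
            current = []
        elif current:
            current.append(seg)
        else:
            raise ValueError(f"segment outside UNH/UNT: {seg}")
    if current or int(segs[-1].split("+")[1]) != len(messages):
        raise ValueError("unterminated message or UNZ message count mismatch")
    return messages


def message_recipient(message: List[str]) -> str:
    """Intended recipient of an order: the party identified in its NAD+SU segment."""
    for seg in message:
        if seg.startswith("NAD+SU+"):
            return seg.split("+")[2].split(":")[0]
    raise ValueError("order message has no NAD+SU segment")


def pack_interchange(sender: str, recipient: str, messages: List[List[str]], ref: str) -> str:
    """Re-envelope messages in a fresh UNB/UNZ interchange addressed to one recipient."""
    unb = f"UNB+UNOA:1+{sender}+{recipient}+990601:0931+{ref}"  # constructed date/time
    body = [seg for msg in messages for seg in msg]
    return SEG_TERM.join([unb, *body, f"UNZ+{len(messages)}+{ref}"]) + SEG_TERM


class Vads:
    """Minimal post-and-forward VADS: one postbox and one mailbox file per user."""

    def __init__(self) -> None:
        self.postboxes: DefaultDict[str, List[str]] = defaultdict(list)
        self.mailboxes: DefaultDict[str, List[str]] = defaultdict(list)
        self._ref = 0  # interchange control reference counter

    def post(self, user: str, interchange: str) -> None:
        """A user places an outgoing interchange in its postbox."""
        self.postboxes[user].append(interchange)

    def forward(self) -> None:
        """Inspect every postbox, unpack the interchanges, move each message to the
        mailbox of its intended recipient and repackage them as new interchanges."""
        for sender, box in self.postboxes.items():
            while box:
                by_recipient: DefaultDict[str, List[List[str]]] = defaultdict(list)
                for msg in unpack_messages(box.pop(0)):
                    by_recipient[message_recipient(msg)].append(msg)
                for recipient, msgs in by_recipient.items():
                    self._ref += 1
                    self.mailboxes[recipient].append(
                        pack_interchange(sender, recipient, msgs, f"{self._ref:05d}"))

    def collect(self, user: str) -> List[str]:
        """A user connects at its own convenience and empties its mailbox."""
        items, self.mailboxes[user] = self.mailboxes[user], []
        return items
```

Posting SAVA_INTERCHANGE as SAVASTORE, calling forward() and then collect("BESTBREAD") yields one new interchange addressed to Best Bread that contains only its own order.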


Fig. 9.2 VADS – Example Interchange.The post-box / mailbox system is also referred to as a ‘store andforward’ system. The two principle advantages of such a systemare:Time IndependenceThe sending and receipt of the interchange are synchronous. Thetwo processes can be carried out at the convenience of the usersinvolved. The first user may send all its EDI transmissions, to allits trading partners, in a single batch, at the end of its overnightprocessing run. The individual interchange can then be picked upby the trading partners, at their individual convenience.Protocol Independence


The type of communications link to be used is an option available to each user of the VADS system. Low volume users will probably opt for a dial-up modem link whereas high volume users may well use a leased line or a packet switching network. The VADS supplier makes available a wide variety of communications facilities and has the ability to handle a range of protocols. The transmission protocol envelope is stripped off incoming interchanges leaving just the EDI interchange. Interchanges are then re-enveloped with the transmission protocol appropriate to the recipient when they are retrieved from the mailbox.

Value Added Data Services

A number of organizations have set out to provide VADS. The basic and most important facility of the VADS is the postbox / mailbox provision. There are, however, a number of further facilities that can be made available; some or all of them may be provided by any particular VADS provider.

Trading Community

An established EDI VADS will have a large number of clients all with an interest in electronic trade. There is a tendency for organisations in a particular trade sector to concentrate on one particular VADS (there are instances of formal agreements between a trade sector organisation and a VADS). Joining the appropriate VADS can ease access to new electronic trading partners.

Inter-network Connections

A VADS facilitates trade between partners that subscribe to the same VADS but not between partners that might be using different VADS services - not infrequently organisations have joined more than one VADS to overcome this problem. A number of the VADS have made inter-network agreements that provide for the passing of interchanges between them.

International Connections

Many VADS are nationally based with a single computer service providing the switching service - a set-up that is appropriate for domestic trade. A number of the VADS are part of international organisations or have alliances with VADS in other countries, thus facilitating international trade.

Privacy, Security and Reliability

A commonly expressed concern by EDI users is the privacy of the system and the security of their messages (a concern that can seem exaggerated given the relative insecurity of the postal system that EDI might be replacing). Privacy provisions will normally include user-id / password protection of postboxes and mailboxes. The setting up of a trading relationship can also be under user control with both users required to enter the appropriate control message before the exchange of messages can take place. The EDI message can also be encrypted or can include an electronic signature (provisions that are not dependent on the VADS).

Security will be built into the VADS system - it is important to the users and to the reputation of the VADS that messages are not lost. The service must also be reliable - the VADS should have an appropriate hardware and software configuration so that it can ensure the continuous availability of its service.

Message Storage and Logging

Users of the VADS would normally have control over the retrieval and retention of messages in their mailbox. New messages can be called off selectively or in total. Once a message has been called off it will be marked as no longer new but it can still be retained in the mailbox (and it is worthwhile making use of this facility until the message is secure in the user’s system).

As part of its service provision the VADS may well have a message logging facility. This provides an audit trail of when the message arrived in the VADS, when the recipient retrieved it and when it was eventually deleted. This is a useful provision should messages be lost - the result of an enquiry is normally to prove a fault in one of the users’ systems / procedures rather than any fault in the operation of the VADS.

Message Validation

A number of VADS will provide a service that validates EDI messages for conformance with the chosen EDI standard and returns an invalid interchange. This service is optional and normally incurs an extra charge.

Local Access

VADS, despite their alternative name of Value Added Network, are message switching services, not network services. The cost of the connection from the user to the VADS can be reduced by using a local access node or a packet switching service. The time independence provided by the VADS gives the user the option of accessing the service when cheap rate telephone charges apply.

Charges

The VADS is a commercial organisation and charges for its services. The charges tend to be a combination of:

Subscription: A monthly or annual subscription.
Usage charge: A charge for the number of characters transmitted.
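The postbox / mailbox mechanism, the stripping and re-applying of the transmission envelope, the call-off that marks a message as no longer new while retaining it, the audit trail and the per-character usage charge described in the sections above can be seen working together in the following simulation. It is an added example and not code from the book or from any VADS provider; the INTERCHANGE / MESSAGE / END layout, the link types in PROTOCOL, the subscriber names and the charging rate are all constructed stand-ins for a real EDI standard and a real tariff.

```python
"""Toy VADS: postbox / mailbox store-and-forward switch with protocol re-enveloping,
an audit trail and usage charging. Constructed example: the INTERCHANGE / MESSAGE / END
layout is a deliberately simplified stand-in for a real EDI standard's envelope segments."""
from collections import Counter, defaultdict

# Link type each subscriber uses to reach the VADS (constructed, after the Sava Store
# example: a leased line for the heavy user, dial-up for a small supplier).
PROTOCOL = {"SAVA": "LEASED", "BESTBREAD": "DIALUP", "MEATCO": "X25"}


def envelope(protocol: str, payload: str) -> str:
    """Wrap a bare EDI interchange in a (toy) transmission-protocol envelope."""
    return f"<{protocol}>{payload}</{protocol}>"


def strip_envelope(wrapped: str) -> tuple[str, str]:
    """Return (protocol, bare interchange): the VADS keeps only the EDI interchange."""
    protocol = wrapped[1:wrapped.index(">")]
    return protocol, wrapped[len(protocol) + 2 : -(len(protocol) + 3)]


def build_interchange(sender: str, ref: str, message_lines: list[str]) -> str:
    """Header, one 'MESSAGE <from> <to> <type> <text>' line per message, count trailer."""
    return "\n".join([f"INTERCHANGE {sender} {ref}", *message_lines, f"END {len(message_lines)}"])


def parse_interchange(text: str) -> tuple[str, str, list[tuple[str, str]]]:
    """Unpack into (sender, ref, [(recipient, message_line), ...]) after checking the
    message count in the trailer against the body."""
    lines = text.strip().splitlines()
    _, sender, ref = lines[0].split()
    trailer, count = lines[-1].split()
    if trailer != "END" or int(count) != len(lines) - 2:
        raise ValueError(f"{ref}: trailer count {count} does not match {len(lines) - 2} messages")
    messages = [(line.split()[2], line) for line in lines[1:-1]]  # field 2 is the recipient
    return sender, ref, messages


class VADS:
    def __init__(self) -> None:
        self.postboxes = defaultdict(list)   # user -> bare interchanges awaiting the switch
        self.mailboxes = defaultdict(dict)   # user -> {ref: {"text", "new", "arrived", "origin"}}
        self.audit = []                      # (time, event, user, ref): the logging facility
        self.chars = Counter()               # characters transmitted per user (usage charge)
        self.clock = 0                       # constructed time source
        self.seq = 0

    def _log(self, event: str, user: str, ref: str) -> None:
        self.clock += 1
        self.audit.append((self.clock, event, user, ref))

    def post(self, user: str, wrapped: str) -> None:
        """A subscriber places an enveloped interchange in its postbox."""
        protocol, text = strip_envelope(wrapped)
        if protocol != PROTOCOL[user]:
            raise ValueError(f"{user} is not configured for a {protocol} link")
        self.chars[user] += len(wrapped)
        _, ref, _ = parse_interchange(text)   # reject a malformed interchange at the postbox
        self.postboxes[user].append(text)
        self._log("ARRIVED", user, ref)

    def switch(self) -> None:
        """Inspect every postbox, unpack each interchange, route the messages to the
        recipients' mailboxes and repackage them as new interchanges, one per recipient."""
        for user, pending in self.postboxes.items():
            while pending:
                _, ref, messages = parse_interchange(pending.pop(0))
                by_recipient = defaultdict(list)
                for recipient, line in messages:
                    by_recipient[recipient].append(line)
                for recipient, lines in by_recipient.items():
                    self.seq += 1
                    new_ref = f"V{self.seq:04d}"
                    self.mailboxes[recipient][new_ref] = {
                        "text": build_interchange("VADS", new_ref, lines),
                        "new": True, "arrived": self.clock, "origin": ref}

    def call_off(self, user: str, new_only: bool = True) -> list[str]:
        """Retrieve interchanges re-enveloped for the user's own link. Retrieved entries
        are marked no longer new but stay in the mailbox until the user deletes them."""
        out = []
        for ref, entry in self.mailboxes[user].items():
            if new_only and not entry["new"]:
                continue
            entry["new"] = False
            wrapped = envelope(PROTOCOL[user], entry["text"])
            self.chars[user] += len(wrapped)
            self._log("RETRIEVED", user, ref)
            out.append(wrapped)
        return out

    def delete(self, user: str, ref: str) -> None:
        del self.mailboxes[user][ref]
        self._log("DELETED", user, ref)

    def usage_charge(self, user: str, pence_per_1000_chars: int = 5) -> float:
        """Usage element of the bill: proportional to characters transmitted (constructed rate)."""
        return self.chars[user] * pence_per_1000_chars / 1000


def demo() -> tuple["VADS", list[str], list[str]]:
    """Sava Store posts one interchange holding orders for two suppliers; Best Bread calls off."""
    vads = VADS()
    order = build_interchange("SAVA", "ICH001", [
        "MESSAGE SAVA BESTBREAD ORDER 200 loaves",
        "MESSAGE SAVA MEATCO ORDER 40 kg mince",
        "MESSAGE SAVA BESTBREAD ORDER 50 rolls",
    ])
    vads.post("SAVA", envelope("LEASED", order))
    vads.switch()
    first = vads.call_off("BESTBREAD")   # one repackaged interchange with both bread orders
    again = vads.call_off("BESTBREAD")   # nothing new, but the interchange is still retained
    return vads, first, again
```

Running demo() shows the two store-and-forward properties in one pass: Best Bread never talks to Sava Store's leased line (the order comes back out wrapped for its own dial-up link), and it can call off at any time after the switch has run. The audit list is what a logging facility would hand over in an enquiry: an ARRIVED entry for the sender's interchange, a RETRIEVED entry for each call-off and a DELETED entry when the user finally removes the copy.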


Differing VADS apply these charges in differing combinations - in theory a user could select the VADS with the charging structure that gave it most advantage - in practice users choose the VADS already used by their trading partners. For the Pens and Things example, the VADS that is most likely to be adopted is that already used by Packaging Solutions.

Software and Consultancy

Network providers tend to have considerable experience in EDI and an interest in promoting its widespread adoption. Most VADS providers supply (or sell) EDI software that provides for easy access to their own network. These VADS providers will also provide consultancy and training - the basic provision concerns the use of the software and the network but there can also be consultancy on the business use of EDI within the organisation.

Summary:

Electronic Data Interchange is one of the applications of E Commerce which makes Business to Business transactions possible over a network.
EDI standards are required so that the computer systems can exchange data in a common format.
EDIFACT is the United Nations standard of Electronic Data Interchange for Administration, Commerce and Transport.
VADS stands for Value Added Data Services. The basic facility of a VADS is a post and forward network which is Time and Protocol independent. VADS is also known as VAN (Value Added Network).

Topic:
Introduction
EDI Implementation
Summary

Objectives

Understand details of the technical elements of an EDI system:
EDI Implementation

Now we will discuss the physical implementation of VADS.

EDI in the Internet

Recently a number of organisations have started using the Internet as an EDI VADS. Using the Internet provides the basic store and forward facilities but not necessarily the other features of a VADS service that are listed above. Security and reliability are two of the major concerns: unlike the traditional VADS, the Internet does not guarantee the safe delivery of any data you send into it. The plus side of using the Internet is that it is cheaper than any of the commercial networks that provide specific EDI VADS services.

EDI Implementation

The final technical element of the EDI system is the EDI software. If a company is to send an order from its production control system to Packaging Solutions it needs to code that order into the agreed EDI standard and ‘squirt’ it into the chosen VADS. To pick up the order at the other end, Packaging Solutions has a similar need to extract the data from the network and to decode the data from the EDI message into its order processing system. The coding / decoding of the EDI message and the interfacing with the VADS is normally achieved using EDI Software. The overall picture is summarized in Figure 10.1.

Fig. 10.1 Sending an order using EDI Software.


EDI Software

The EDI software is normally bought in from a specialist supplier. There are a number of software houses supplying EDI solutions or the EDI software may come from:

A major trading partner - the trading partner may supply the software or recommend a third party supplier.
The VADS supplier.
As part of an application package, e.g. packaged software for production control, order processing or accounting may include EDI software as an integral feature or as an optional module.
A third party. An example of this is that a number of banks provide EDI solutions that include the collection of and accounting for electronic payments.

Obtaining EDI software from an ‘interested’ party has both advantages and disadvantages. If the software is, for example, bought from the VADS supplier then, hopefully, there would not be any problem interfacing with the chosen network but using an additional VADS or switching to a new network supplier may be more problematic.

The basic functions of the EDI Software are the two already outlined, namely:

Coding business transactions into the chosen EDI Standard;
Interfacing with the VADS.

Many EDI software suppliers provide additional functions. These may include:

A trading partner database integrated into the EDI Software. This can provide for code translation (e.g. internal customer codes to a trade sector standard code) and / or for the specification of the EDI requirements of each trading partner;
Support of multiple EDI Standards. The selection of the appropriate standard may be determined by the trading partner database;
Sophisticated facilities to ease the formatting of internal application data to and from the EDI Standard. ‘Drag and drop’ interfaces are available for this purpose. Various EDI Software suppliers have associations with the large suppliers of business applications (production planning, order processing, etc.) and provide standardised interfaces to those packages;
Facilities for transactions to be sent by fax or e-Mail to customers that do not use EDI. The identification of such customers may be determined by the trading partner database;


Interfacing with a variety of EDI VADS (including the Internet). The selection of the appropriate VADS may be determined by a trading partner database;
The option to encrypt the EDI Message;
Facilities for the automatic acknowledgement of the EDI message;
Message tracking and an audit trail of messages sent and received;
Direct input and printed output of EDI transactions allowing free standing EDI operation - in effect the EDI system provides the service of a fax machine.

EDI Software is available on a variety of platforms from the basic PC up to a mainframe system. As with all classes of software the price varies: the basic PC packages start at (say) 500 pounds sterling / 800 US dollars and the price then goes up from there for the larger machines, additional facilities and services such as consultancy. For some EDI software the support of each standard and / or VADS is an additional plugin that is paid for separately. Yearly maintenance charges, that include updates as the new versions of the EDI Standards are released, tend to be quite hefty.

At the top of the range is the concept of an EDI Corporate Interface. This software, often mounted on its own mid range machine, acts as a central clearing house for all the e-Commerce transactions of a large organisation. The external interfaces can link to several EDI VADS and translate to a variety of EDI Standards to meet the needs of a large number of trading partners. The internal interfaces can link to a number of business systems such as order processing and accounts payable, possibly systems that are replicated across the various divisions of the organisation. The system can also be used for intra organizational transactions - if the interface for external customers and suppliers uses EDI, why not use the same interfaces for trades between divisions of the organisation.

EDI Integration

EDI software will do its job well at a relatively modest price. What pre-packaged EDI software cannot do is automatically integrate with the business application and a comprehensive solution to this requirement can take a lot of time and cost a lot of money. The simple way to implement EDI is not to link the EDI software and the applications - a set-up sometimes referred to as EDI-Fax or EDInterruptus. This is, of course, followed by many organisations when they first start and persisted with by many small organisations who are only ‘doing EDI’ because a large trading partner has told them to. In this mode of operation:

Incoming EDI messages are printed out from the EDI software and then manually keyed into the business application that they are intended for;
Outgoing EDI messages are extracted from the business application and typed into the EDI software for formatting and onward transmission.

The use of EDI in this way ensures that the transactions get through quickly (hence the term EDI-Fax) but it rules out any of the other advantages of using EDI. For full integration of the business application and the EDI Software there needs to be an interface to transfer data from the business application to the EDI software and vice versa. To ease this process, most EDI software provides for a ‘flat file’ interface. If the data to be sent is (say) an order then the business application can be modified so that:

The supplier record in the order processing system has an indicator to say that its orders are to be sent via EDI;
The order print run is modified so that orders for EDI capable suppliers are not printed;
An additional run is included to take the orders for the EDI capable suppliers and format the data onto the flat file;


The flat file is accessed by the EDI software and, using user supplied parameters, the order data is formatted into the required EDI standard and posted into the VADS.

The reverse process is used for incoming EDI messages. This will involve the creation of a batch input routine to run in parallel with the online facilities utilized by most business applications. The additional worry with incoming EDI messages is validation. For orders, invoices and any other data manually input into a business application there will be (or should be) comprehensive primary and secondary validation built into the system and there is a human operator there to deal with any queries. For EDI messages there will not be any input errors at the receiving end but there is (normally) no guarantee that the data sent by the trading partner is correct or acceptable. Arguably the EDI routines taking input messages need all the same validation checks as the equivalent manual input routines and there need to be procedures for correcting the problems or informing the trading partner and getting them to transmit a corrected message.

EDI Operation

Once the EDI system is set up it, like any other data processing system, needs careful and systematic operation. A big difference between electronic transactions and their paper equivalents is that with electronic transactions there is no paperwork to fall back on should anything go wrong. In these circumstances, therefore, it is sensible to keep a security copy of all incoming transactions - preferably in their EDI format as soon as they enter the system. This then gives a fall-back position should any data be lost or corrupted and is an aid to the diagnosis of any problems.

The second aspect to EDI operation is how often the system should be run. EDI has been implemented, in part at least, to cut down transaction cycle time and there is no point in reintroducing unnecessary delays. For many organisations a daily download from the mailbox and processing run is sufficient - however, this is not entirely satisfactory if the daily run is timed for an hour before a major trading partner sends out their daily orders. In some circumstances, such as just-in-time manufacture in the vehicle assembly business, cycle times can be as short as one hour and obviously order processing needs to be very frequent / real-time.
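The four-step flat-file procedure above (the supplier record's EDI indicator, the modified print run, the extract run that writes the flat file, and the EDI software that turns the file into an interchange) is shown end to end in the following added example. It is not code from the book or from any EDI software supplier: the supplier master, the order records and the pipe-delimited flat-file layout are constructed, and the interchange it produces is a simplified EDIFACT-style ORDERS layout (UNB/UNZ envelope, UNH/UNT message, BGM, LIN and QTY segments) rather than a full standard message.

```python
"""Flat-file interface between an order processing system and EDI software (constructed
example). The application writes one pipe-delimited record per order line for EDI-capable
suppliers; the EDI step turns that file into a simplified EDIFACT-style ORDERS interchange."""
from collections import OrderedDict

# Supplier master records: the 'send via EDI' indicator lives here (constructed data,
# with constructed 13-digit trading-partner ids).
SUPPLIERS = {
    "PACKSOL": {"name": "Packaging Solutions", "edi": True, "edi_id": "5012345000010"},
    "INKCO":   {"name": "Ink Company", "edi": False, "edi_id": None},
}

# Orders produced by the application in one run (constructed): (order_no, supplier, product, qty)
ORDERS = [
    ("PO1001", "PACKSOL", "BOX-A4", 500),
    ("PO1001", "PACKSOL", "BOX-A5", 200),
    ("PO1002", "INKCO",   "INK-BLK", 12),
    ("PO1003", "PACKSOL", "TAPE-50", 48),
]


def split_orders(orders):
    """Modified print run: orders for EDI suppliers go to the flat file, the rest are printed."""
    flat, printed = [], []
    for order_no, supplier, product, qty in orders:
        if SUPPLIERS[supplier]["edi"]:                     # the indicator on the supplier record
            flat.append(f"{order_no}|{supplier}|{product}|{qty}")
        else:
            printed.append(order_no)
    return flat, printed


def flat_file_to_orders(lines):
    """EDI software side: read the flat file back and group lines by order and supplier."""
    orders = OrderedDict()
    for line in lines:
        order_no, supplier, product, qty = line.split("|")
        orders.setdefault((order_no, supplier), []).append((product, int(qty)))
    return orders


def orders_message(msg_ref, order_no, lines):
    """One ORDERS message, UNH ... UNT; the UNT segment count includes UNH and UNT itself."""
    segs = [f"UNH+{msg_ref}+ORDERS:D:96A:UN", f"BGM+220+{order_no}"]   # 220 = order
    for n, (product, qty) in enumerate(lines, 1):
        segs += [f"LIN+{n}++{product}:SA", f"QTY+21:{qty}"]            # 21 = ordered quantity
    segs.append(f"UNT+{len(segs) + 1}+{msg_ref}")
    return segs


def build_interchange(sender_id, recipient_id, icr, orders, stamp="240101:0900"):
    """Wrap all messages for one supplier in UNB ... UNZ; UNZ carries the message count
    and repeats the interchange control reference so the receiver can cross-check it."""
    segs = [f"UNB+UNOA:1+{sender_id}+{recipient_id}+{stamp}+{icr}"]
    for n, ((order_no, _), lines) in enumerate(orders.items(), 1):
        segs += orders_message(str(n), order_no, lines)
    segs.append(f"UNZ+{len(orders)}+{icr}")
    return "'".join(segs) + "'"


def run_edi_extract(orders, sender_id="5098765000019", icr_prefix="ICR"):
    """The whole 'additional run': filter, write the flat file, read it back, and post one
    interchange per EDI-capable supplier. Returns ({supplier: interchange}, printed orders)."""
    flat, printed = split_orders(orders)
    grouped = flat_file_to_orders(flat)
    per_supplier = OrderedDict()
    for (order_no, supplier), lines in grouped.items():
        per_supplier.setdefault(supplier, OrderedDict())[(order_no, supplier)] = lines
    interchanges = {}
    for n, (supplier, sup_orders) in enumerate(per_supplier.items(), 1):
        icr = f"{icr_prefix}{n:04d}"
        interchanges[supplier] = build_interchange(
            sender_id, SUPPLIERS[supplier]["edi_id"], icr, sup_orders)
    return interchanges, printed
```

With the constructed data, PO1002 for the non-EDI supplier is the only order left on the print run, and Packaging Solutions receives one interchange holding two ORDERS messages. The UNT and UNZ counts are the controls the EDI standard provides against a truncated or corrupted message, and they are the first thing a receiving system should verify.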


Sample EDI Application

WebLogic Integration provides an EDI sample application that demonstrates how WebLogic Integration with the EDI Connect for WebLogic Integration add-on can be used to exchange EDI purchase-order information over a VAN. In the sample application, a supplier trading partner uses the EDI integration functionality of WebLogic Integration to connect to a buyer over a VAN. The interactions between the buyer and supplier occur in the following sequence:

1. A buyer trading partner submits an EDI purchase order, over a VAN, to the supplier.
2. The EDI-to-XML transformation engine bundled with Power.Server! converts the purchase order to XML.
3. The XML document triggers a business process in the supplier application. The business process generates an XML purchase order acknowledgment.
4. The supplier forwards the acknowledgment to the transformation engine which converts it to EDI, and then forwards it over a VAN to the buyer.

Summary:

A number of organisations have started using the Internet as an EDI VADS.
Unlike the traditional VADS, the Internet does not guarantee the safe delivery of any data you send into it.
The plus side of using the Internet is that it is cheaper than any of the commercial networks that provide specific EDI VADS services.
The coding / decoding of the EDI message and the interfacing with the VADS is normally achieved using EDI Software.
For full integration of the business application and the EDI Software there needs to be an interface to transfer data from the business application to the EDI software and vice versa.
A big difference between electronic transactions and their paper equivalents is that with electronic transactions there is no paperwork to fall back on should anything go wrong. In these circumstances, therefore, it is sensible to keep a security copy of all incoming transactions.

Topic:
Introduction
EDI Agreement
EDI security issues
Summary

Objectives

After this lecture the students will be able to:
Understand details of the technical elements of an EDI system:
EDI Agreements
EDI Security


After discussing how EDI is implemented it is clear that a large organization that processes many electronic transactions is going to need its own EDI set-up. There are, however, many small companies that are dragged into EDI trade by a large trading partner but for whom the set-up and running costs of an EDI facility would outweigh the benefits. For these organizations there are a number of alternatives as discussed below:

EDI Alternatives

The low cost, PC based, free-standing EDI facility.
Making use of an EDI clearing house. To do this the company contracts for their EDI messages to be sent to a clearing house who decode them, print them out and then post or fax them on. The British Post Office is an example of an organisation that provides this service.
Internet access via a clearing house. This is an update on the EDI-Post service outlined above where a clearing house is used but the inward and outward transactions are transmitted between the end user and the clearing house and accessed by the client using a standard web browser.

As you know, setting up an EDI system requires a lot of discussion with trading partners. Manual systems rely a lot on the understanding of the people involved; when these interchanges are automated there is no understanding between the machines - they just do what they are told (well they do on a good day!).

The introduction of EDI may also be part of a wider process of business process re-engineering that makes the effective operation of the supply chain much more crucial to successful business operation. Traditional logistics had buffer stocks in the factory’s parts warehouse or the retailer’s regional depot and stock room. In just-in-time manufacture and quick response supply these buffer stocks are eliminated - this reduces the capital employed and avoids the need to double handle goods. Without these buffer stocks the EDI systems become crucial - the orders need to be delivered on time or cars will be made with missing wheels and there will be no cornflakes on the shelves in the supermarket. Hence to achieve a successful, electronically controlled supply chain, businesses have to talk. They need to agree the nature of the business that is to be done electronically, the technical details of how it is to be undertaken and the procedures for resolving any disputes that arise.

EDI Interchange Agreements

The appropriate way to document the details of a trading arrangement between electronic trading partners is an EDI Interchange Agreement. The agreement makes clear the trading intentions of both parties, the technical framework for the transactions and the procedures to be followed in the event of a dispute. The EDI Agreement is a document, normally on paper, and signed by both trading partners before electronic trading begins. The first requirement of the agreement is to establish the legal framework. This has a special significance as most business law relates to paper based trading and how that law should apply to the less tangible form of an electronic message is not always clear (although a number of countries are updating their legal provisions to take account of electronic trade). This point is made in the commentary that is included in the European Model Electronic Data Interchange (EDI) Agreement (EU-IA):

‘For EDI to be a successful alternative to paper trading, it is essential that messages are accorded a comparable legal value as their paper equivalent when the functions effected in an electronic environment are similar to those effected in a paper environment, and where all appropriate measures have been taken to secure and store the data.’


The EU-IA, in the text of the Agreement, includes the clause:

‘The parties, intending to be legally bound by the Agreement, expressly waive any right to contest the validity of a contract effected by the use of EDI in accordance with the terms and conditions of the Agreement on the sole grounds that it was effected by EDI.’

And the agreement also specifies:

The point in its transmission and processing at which a message will be deemed to be legally binding - the usually accepted standard is that the ‘document’ achieves legal status when it arrives at the receiving party, the ‘reception rule’.
The timescale for processing EDI messages. One purpose of EDI is to speed up the trade cycle and this is not achieved if messages are not reliably processed within an agreed timescale.
The time that copies of the message will be retained (a default of three years is provided for by the EU-IA but many member states require longer periods, e.g. seven or ten years).
The procedure for settling any disputes. The EU-IA suggests a choice between arbitration by a named organisation, e.g. a chamber of commerce appointed arbitration chamber, or by recourse to the judicial process.


The legal jurisdiction in which any disputes should be settled.

In addition to the legal (or legalistic) aspects of the agreement it is important to specify the technical requirements. These requirements include:

The coding systems that will be used for identifying entities such as organisations and products and attributes such as quantities.
The EDI standard that is to be employed and, within that, the messages and data segments that will be used. Updating of message standards as new versions are released is an issue that also needs to be covered.
The network that is to be used - including details of scheduling and protocol where a post and forward network is not to be employed.

Model agreements are available from various parties, including trade organisations, and references to example agreements can be found on the web pages that accompany this book.

Another major issue of concern is the privacy and security of the messages and their exchange. Let’s discuss how to protect the data while it is being transferred from one place to another.

EDI Security

The first point is to ensure that the interchange of messages is reliable. In the first instance this is a matter of procedures at both ends of the trading agreement. Procedures, rigid procedures, are required to ensure that all the processes are run and that they reach their successful conclusion - an old-fashioned requirement called ‘data processing standards’. Procedures are particularly important where operations are manual (as opposed to being controlled by job control programs (JCP) run under the appropriate operating system). Particular attention is needed if the EDI software is run on a separate machine (say a PC) and the application software operates in a mainframe or similar environment; it is vital that all the data received on the EDI machine is passed to and processed (once only!) on the mainframe and that outgoing data is reliably processed in the reverse direction.

Further aspects of security are:

Controls in the EDI Standards:
EDI Standards include controls designed to protect against errors in, and corruption of, the message. The sort of thing that is provided is segment counts in the message and message counts in the interchange.

Controls in the Transmission Protocol:
Transmission protocols include protection, such as longitudinal control totals, to detect any data corruption that occurs during transmission. Where corruption is detected the network system occasions a retransmission without the need for outside intervention.

Protection against Tampering:
Where there is concern that the transmission might be intercepted and modified it can be protected by a digital signature. This is designed to ensure that the message received is exactly the same as the message sent and that the source of the message is an authorized trading partner.

Privacy of Message:
Where the contents of the message are considered sensitive the privacy of the message can be protected, during transmission, by encrypting the data.

Non-Repudiation:
One potential problem is that the recipient of the message might deny having received it; the electronic equivalent of the idea that the unpaid invoice must have got ‘lost in the post’. One way out of this is to use the receipt acknowledgement messages (see below) but the other alternative is a ‘trusted third party’. The ‘trusted third party’ can be the VADS supplier or, if you don’t trust them, some other organisation. The role of the third party is to audit trail all transactions (a role the VADS provider is ideally positioned to fulfill) and to settle any dispute about what messages were sent and what messages were received.

One aspect of security provided for by the EDI standard is the receipt acknowledgement message. This is a transaction specific message sent out by the receiving system to acknowledge each message, order or whatever. Trading partners that use receipt acknowledgement messages need to be clear about the level of security (guarantee) implied by the receipt of the acknowledgement. The EDI acknowledgement message can be:

Automatically generated by the EDI Software (Physical Acknowledgement). It informs the sender that the message has arrived but there is no guarantee that it is passed to the application for processing or that it is a valid transaction within the application.
Coded into the application to confirm that it is in the system for processing.
Produced by the application once the message is processed to confirm that the message was valid and possibly to give additional information such as stock allocation and expected delivery date (Logical Acknowledgement).
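The receiving-side controls listed above (the security copy taken as soon as the interchange arrives, the segment and message counts built into the standard, the tamper check, once-only processing, and the difference between a physical and a logical acknowledgement) are brought together in the following added example. It is not code from the book or from any EDI product: the interchange is a constructed, simplified EDIFACT-style ORDERS layout, the stock file is constructed, and an HMAC over the interchange with a shared key stands in for the digital signature the text describes (a MAC proves the message was not altered by anyone without the key, but unlike a true digital signature it cannot by itself settle a dispute between the two key holders).

```python
"""Receiving-side EDI controls (constructed example): security copy on arrival, the EDI
standard's own control counts, a MAC check standing in for the digital signature, once-only
processing, and physical vs logical acknowledgements. Simplified EDIFACT-style layout."""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # agreed with the trading partner out of band (constructed)

# A received interchange (constructed): two ORDERS messages from one trading partner.
INTERCHANGE = ("UNB+UNOA:1+5098765000019+5012345000010+240101:0900+ICR0001'"
               "UNH+1+ORDERS:D:96A:UN'BGM+220+PO1001'LIN+1++BOX-A4:SA'QTY+21:500'UNT+5+1'"
               "UNH+2+ORDERS:D:96A:UN'BGM+220+PO1003'LIN+1++NOSUCH:SA'QTY+21:48'UNT+5+2'"
               "UNZ+2+ICR0001'")

STOCK = {"BOX-A4": 1000, "TAPE-50": 100}   # the application's stock file (constructed)


def seal(interchange: str, key: bytes = SHARED_KEY) -> str:
    """Sender-side integrity tag: HMAC-SHA256 over the whole interchange (stand-in for a
    digital signature; a real deployment would use an asymmetric signature)."""
    return hmac.new(key, interchange.encode(), hashlib.sha256).hexdigest()


def check_seal(interchange: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(seal(interchange, key), tag)


def parse(interchange: str):
    """Split into messages and apply the standard's controls: the UNT segment count of each
    message (UNH and UNT included) and the UNZ message count and reference of the interchange.
    Returns (interchange reference, [list of segments per message])."""
    segs = interchange.rstrip("'").split("'")
    if not segs[0].startswith("UNB+") or not segs[-1].startswith("UNZ+"):
        raise ValueError("missing interchange envelope")
    icr = segs[0].split("+")[-1]
    messages, current = [], None
    for seg in segs[1:-1]:
        tag = seg.split("+")[0]
        if tag == "UNH":
            current = [seg]
        elif current is None:
            raise ValueError(f"segment {tag} outside a message")
        elif tag == "UNT":
            current.append(seg)
            declared = int(seg.split("+")[1])
            if declared != len(current):
                raise ValueError(f"UNT count {declared} != {len(current)} segments")
            messages.append(current)
            current = None
        else:
            current.append(seg)
    declared_msgs, declared_ref = segs[-1].split("+")[1:3]
    if int(declared_msgs) != len(messages) or declared_ref != icr:
        raise ValueError("UNZ control count or reference mismatch")
    return icr, messages


class Receiver:
    def __init__(self) -> None:
        self.security_copies = {}   # icr -> raw interchanges, kept before anything else happens
        self.processed = set()      # interchange references already passed on: once only!
        self.acks = []

    def receive(self, interchange: str, tag: str) -> list:
        icr = interchange.split("'")[0].split("+")[-1]
        self.security_copies.setdefault(icr, []).append(interchange)   # fall-back copy, in EDI form
        if not check_seal(interchange, tag):
            return [("REJECT", icr, "integrity check failed")]
        if icr in self.processed:
            return [("DUPLICATE", icr, "already processed")]
        icr, messages = parse(interchange)
        acks = [("PHYSICAL", icr, "arrived and structurally valid")]   # EDI-software level
        for msg in messages:
            order_no = msg[1].split("+")[2]                             # BGM+220+<order>
            acks.append(self.application(order_no, msg))
        self.processed.add(icr)
        self.acks += acks
        return acks

    def application(self, order_no: str, msg: list) -> tuple:
        """Application-level validation, the same checks a manual input routine would make;
        the logical acknowledgement carries the business result."""
        products = [s.split("+")[3].split(":")[0] for s in msg if s.startswith("LIN+")]
        qtys = [int(s.split(":")[1]) for s in msg if s.startswith("QTY+")]
        problems = []
        for product, qty in zip(products, qtys):
            if product not in STOCK:
                problems.append(f"unknown product {product}")
            elif qty <= 0:
                problems.append(f"bad quantity {qty} for {product}")
            elif qty > STOCK[product]:
                problems.append(f"only {STOCK[product]} {product} available")
        if problems:
            return ("LOGICAL-REJECT", order_no, "; ".join(problems))
        return ("LOGICAL", order_no, "accepted, stock allocated")


def demo():
    """Genuine interchange, then the same one again, then a copy altered in transit."""
    tag = seal(INTERCHANGE)
    rx = Receiver()
    first = rx.receive(INTERCHANGE, tag)
    duplicate = rx.receive(INTERCHANGE, tag)
    tampered = rx.receive(INTERCHANGE.replace("QTY+21:500", "QTY+21:5000"), tag)
    return rx, first, duplicate, tampered
```

The three calls in demo() separate the guarantees the text asks trading partners to be clear about: the physical acknowledgement says only that ICR0001 arrived intact and well formed, the logical acknowledgements say what the application made of each order (PO1001 accepted, PO1003 rejected for an unknown product), the second delivery is recognised as a duplicate rather than processed twice, and the altered copy fails the integrity check before any of that happens. Every copy, good or bad, is still in security_copies for diagnosis.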


The need for security in an EDI system needs to be kept in proportion; after all EDI is very probably replacing a paper based system where computer output orders, without signatures, were bunged in the post and eventually manually keyed in by an order entry clerk. Transmission and EDI message controls are automatic. Checks over and above that all come at a cost; encryption and digital signatures both require extra software and procedures; message acknowledgements require additional software to generate the message and to match it to the original transaction on the other side of the trading relationship. EDI orders and invoices for regular transactions of relatively low cost supplies do not justify too heavy an investment in privacy and security – if an extra load of cornflakes arrives at the supermarket distribution centre it can be sorted out on the phone and the error will probably be in the warehouse, not the EDI system (whatever the supplier tells the customer!).

EDI payments require more care; normally the payment transaction is sent to a bank (with its own procedures) with the payment advice being sent to the trading partner. The overall facilities for EDI privacy and security are summed up in Figure 11.1.

Fig. 11.1 EDI Privacy and Security

The overall EDI technical setup is summarized in Fig 11.2.

Fig 11.2 EDI summary

Summary:

There are a number of alternatives to setting up one's own EDI facility, like the low cost, PC based, free-standing EDI facility, making use of an EDI clearing house, or Internet access via a clearing house.
The appropriate way to document the details of a trading arrangement between electronic trading partners is an EDI Interchange Agreement.
The security aspects in EDI are Controls in the EDI Standards, Controls in the Transmission Protocol, Protection against Tampering, Privacy of Message and Non-repudiation.

Topic:
Introduction
Various preventive measures for computer
Cryptography
Data Encryption Standard (DES)
Summary

Objectives:

Describe some security measures to protect Computer Systems from various threats in a network.

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. But a major concern has been just how secure the Internet is, especially when you’re sending sensitive information through it. Let’s face it, there’s a whole lot of information that we don’t want other people to see, such as:

Credit-card information
Social Security numbers
Private correspondence
Personal details
Sensitive company information
Bank-account information

Information security is provided on computers and over the Internet by a variety of methods. A simple but straightforward security method is to only keep sensitive information on removable storage media like floppy disks. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.

In the Key of...

Computer encryption is based on the science of cryptography, which has been used throughout history. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes. The existence of coded messages has been verified as far back as the Roman Empire. But most forms of cryptography in use these days rely on computers, simply because a human-based code is too easy for a computer to crack.

Most computer encryption systems belong in one of two categories. Broadly speaking, there are two types of encryption methods:

Secret-key cryptography
Public-key cryptography

Secret-Key Cryptography


Secret-key cryptography is the use of a shared key for both encryption by the transmitter and decryption by the receiver. Shared-key techniques suffer from the problem of key distribution, since shared keys must be securely distributed to each pair of communicating parties. Secret-key distribution becomes cumbersome in large networks.

To illustrate secret key cryptography, A encrypts a message with a secret key and e-mails the encrypted message to B. On receiving the message, B checks the header to identify the sender, then unlocks his electronic key storage area and takes out the duplicate of the secret key. B then uses the secret key to decrypt the message.

The Achilles heel of secret-key cryptography is getting the sender and receiver to agree on the secret key without a third party finding out. This is difficult because if A and B are in separate sites, they must trust not being overheard during face-to-face meetings or over a public messaging system (a phone system, a postal service) when the secret key is being exchanged. Anyone who overhears or intercepts the key in transit can later read all encrypted messages using that key. The generation, transmission, and storage of keys is called key management; all cryptosystems must deal with key management issues. Although the secret-key method is quite feasible as a protocol for one-on-one document interchange, it does not scale. In a business environment where a company deals with thousands of on-line customers, it is impractical to assume that key management will be flawless. Hence, we can safely assume that secret-key cryptography will not be a dominant player in E Commerce given its difficulty providing secure key management.

Data Encryption Standard (DES)

A widely-adopted implementation of secret-key cryptography is the Data Encryption Standard (DES). The actual software to perform DES is readily available at no cost to anyone who has access to the Internet. DES was introduced in 1975 by IBM, the National Security Agency (NSA), and the National Bureau of Standards (NBS) (which is now called NIST). DES has been extensively researched and studied over the last twenty years and is definitely the most well-known and widely used cryptosystem in the world. DES is a secret-key, symmetric cryptosystem: when used for communication, both sender and receiver must know the same secret key, which is used both to encrypt and decrypt the message. DES can also be used for single user encryption, for example, to store files on a hard disk in encrypted form. In a multiuser environment, however, secure key distribution becomes difficult; public-key cryptography, discussed in the next subsection, was developed to solve this problem.

DES operates on 64-bit blocks with a 56-bit secret key. Designed for hardware implementation, its operation is relatively fast and works well for large bulk documents or encryption. Instead of defining just one encryption algorithm, DES defines a whole family of them. With a few exceptions, a different algorithm is generated for each secret key. This means that everybody can be told about the algorithm and your message will still be secure. You just need to tell others your secret key, a number less than 2^56. The number 2^56 is also large enough to make it difficult to break the code using a brute force attack (trying to break the cipher by using all possible keys).

DES has withstood the test of time. Despite the fact that its algorithm is well known, it is impossible to break the cipher without using tremendous amounts of computing power. A new technique for improving the security of DES is triple encryption (Triple DES), that is, encrypting each message block using three different keys in succession. Triple DES, thought to be equivalent to doubling the key size of DES, to 112 bits, should prevent decryption by a third party capable of single-key exhaustive search. Of course, using triple-encryption takes three times as long as single-encryption DES. If you use DES three times on the same message with different secret keys, it is virtually impossible to break it using existing algorithms. Over the past few years several new, faster symmetric algorithms have been developed, but DES remains the most frequently used.

Public Key Cryptography

A more powerful form of cryptography involves the use of public keys. Public-key techniques involve a pair of keys; a private key and a public key associated with each user. Information encrypted by the private key can be decrypted only using the corresponding public key. The private key, used to encrypt transmitted information by the user, is kept secret. The public key is used to decrypt information at the receiver and is not kept secret. Since only the bona fide author of an encrypted message has knowledge of the

Page 144: ECOM

private key, a successful decryption using the corresponding publickey verifies the identity of the author and ensures message integrity.Public keys can be maintained in some central repository andretrieved to decode or encode information. Public key techniquesalleviate the problem of distribution of keysLet’s examine How this Process Works:Each party to a public-key pairing receives a pair of keys, the publickey and the private key. When A wishes to send a message to B, Alooks up B’s public key in a directory, A then uses the public key toencrypt the message and mail it to B. B uses the secret private keyto decrypt the message and read it. Anyone can send an encryptedmessage to B but only B can read it. Unless, a third party, say C, hasaccess to B’s private key, it is impossible to decrypt the messagesent by A. This ensure confidentiality.Clearly, one advantage of public key cryptography is that no onecan figure out the private key from the corresponding public key.Hence, the key management problem is mostly confined to themanagement of private keys. The need for sender and receiver toshare secret information over’ public channels is completelyeliminated: All transactions involve only public keys, and no private

Page 145: ECOM

key is ever transmitted or shared; The secret key never leaves theuser’s Pc. Thus a sender can send, a confidential message merely byusing public information and that message can be decrypted onlywith a private key in the sole possession of the intended recipient.Furthermore, public-key cryptography can be used for senderauthentication, known as digital signatures. Here’s howauthentication is achieved using public-key cryptography: A, todigitally sign a document, puts his private key and the documenttogether and performs a computation on the composite (key +document) to generate a unique number called the digital signature.For instance, when an electronic document, such as an order formwith a credit card number, is run through the method, the outputis a unique “fingerprint” of the document. This “fingerprint” isattached to the original message and further encrypted with thesigner A’s private key. The result of the second encryption is thensent to B, who then first decrypts the document using Ks publickey. B checks whether the message has been tampered with or iscoming from a third party C, posing as A.To verify the signature, B does some further computation

Page 146: ECOM

involving the original document, the purported signature, andKs public key. If the results of the computation generate amatching “finger-print” of the document, the digital signature isverified as genuine; otherwise, the signature may be fraudulent orthe message altered, and they are discarded. This method is thebasis for secure e-Commerce, variations of which are beingexplored by several companies.Several implementations of these popular encryption techniquesare currently employed. In public-key encryption, the RSAimplementation dominates and is considered very secure, butusing it for overseas traffic conflicts With the US government’sposition on export of munitions technology of militaryimportance. Clearly, the government has not reckoned with theInternet data flow.Summary:The most popular forms of security all rely on encryption,the process of encoding information in such a way that onlythe person (or computer) with the key can decode it.There are two types of encryption methods:Secret-key cryptography and Public-key cryptographySecret-key cryptography the use of a shared key for both

Page 147: ECOM

encryption by the transmitter and decryption by the receiverA widely-adopted implementation of secret-keycryptography is Data Encryption Standard (DES)A more powerful form of cryptography involves the use ofpublic keys. Public-key techniques involve a pair of keys; aprivate key and a public key associated with each user.Information encrypted by the private key can be decryptedonly using the corresponding public key

RSA and Public-Key Cryptography

RSA is a public-key cryptosystem for both encryption and authentication developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA system uses a matched pair of encryption and decryption keys, each performing a one-way transformation of the data. RSA also supports digital signatures; these are not produced by encrypting an entire document but by hashing it and transforming the hash with the private key, as described below. The security of RSA is predicated on the fact that it is extremely difficult, even for the fastest computers, to factor large numbers that are the products of two prime numbers, each greater than 2^112 (in current practice, primes of 1024 bits or more). RSA is important because it enables digital signatures, which can be used to authenticate electronic documents the same way handwritten signatures are used to authenticate paper documents.

Here is how a digital signature works for an electronic document to be sent from the sender X to the receiver Y: X runs a program that uses a hash algorithm to generate a digital fingerprint, a pattern of bits that uniquely identifies a much larger pattern of bits, for the document, and encrypts the fingerprint with his private key. This is X's digital signature, which is transmitted along with the data. Y decrypts the signature with X's public key and runs the same hash program on the document. If the digital fingerprint output by the hash program does not match the fingerprint sent by X (after it has been decrypted), then the signature is invalid. If the fingerprints do match, however, then Y can be quite sure that the digital signature is authentic. If the document were altered en route, the fingerprints will not match (the outputs of the hash programs will differ) and the receiver will know that data tampering occurred. If the sender's signature has been forged (encrypted with the wrong private key), the fingerprints won't match either. Therefore the digital signature verifies both the identity of the sender and the authenticity of the data in the document.

The use of RSA is undergoing a period of rapid expansion and may become ubiquitous. It is currently used in a wide variety of products, platforms, and industries around the world. It is being incorporated into World Wide Web browsers such as Netscape, giving it a wider audience. In hardware, RSA can be found in secure telephones, on Ethernet network cards, and on smart cards. Adoption of RSA seems to be proceeding more quickly for authentication (digital signatures) than for privacy (encryption), perhaps in part because products for authentication are easier to export than those for privacy.

Mixing RSA and DES

RSA allows two important functions not provided by DES: secure key exchange without prior exchange of keys, and digital signatures. For encrypting messages, RSA and DES are usually combined as follows: first the message is encrypted with a random DES key; then, before being sent over an insecure communications channel, the DES key is encrypted with RSA using the recipient's public key. Together, the DES-encrypted message and the RSA-encrypted DES key are sent. This protocol is known as an RSA digital envelope.

Why not just use RSA to encrypt the whole message and not use DES at all? Although RSA may be fine for small messages, DES (or another symmetric cipher) is preferable for larger messages due to its far greater speed. In some situations RSA is not necessary and DES key agreement can take place directly (the two-user environment); for example, if you want to keep your personal files encrypted, just do so with DES using, say, a key derived from a password as the DES key. RSA, and public-key cryptography in general, is best suited for a multiuser environment. Also, any system in which digital signatures are desired needs RSA or some other public-key system.

Digital Public-Key Certificates

The most difficult aspect of creating an effective multiparty transaction system is the distribution of public keys. Because the keys are intended to be public and widely distributed, secrecy is not a concern; anyone should be able to get a copy of a public key. Rather, the primary concern is authenticity. An impostor could easily create a private/public key pair and distribute the public key, claiming it belonged to someone else. For instance, if A in England is doing business with B in Canada and wants to encrypt information so that only B can read it, A must first get the public key of B from a key directory. That's where the problem lies. There is nothing that says that this public-key information is valid and not a forgery put there by C impersonating B.

One solution to this problem is a public-key certificate. A public-key certificate is a data structure, digitally signed by a certification authority (also known as the certificate issuer), that binds a public-key value to the identity of the entity holding the corresponding private key. The latter entity is known as the subject of the certificate. In essence, a certificate is a copy of a public key and an identifier (a name or number), digitally signed by a trusted party. The problem is then transformed into finding a trusted third party to create these certificates. A public-key user needs to obtain and validate a certificate containing the required public key. This is where it gets complicated. If the public-key user does not already have a copy of the public key of the trusted party that signed the certificate, then the user may need an additional certificate to get that public key. In such cases, a chain of multiple certificates may be needed, comprising a certificate of the public-key owner signed by one certification authority and additional certificates of certification authorities signed by other certification authorities, ending at a certification authority whose public key the user already holds and trusts.
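The hash-then-sign procedure described for X and Y above, and the certificate chain just described, as one added example that is not part of the original notes. RSA keys are built from fixed Mersenne primes so that the code runs offline and deterministically; the certificate layout (subject, public key, issuer, signature), the names Root CA, Intermediate CA, B and C, and the sample order form are assumptions for illustration. Textbook RSA without padding and a hash truncated to 160 bits are used only to keep the toy moduli small; a real certificate system pads the hash and uses 2048-bit or larger keys.

```python
import hashlib


def mersenne(k: int) -> int:
    """2^k - 1; for the exponents used below these are known primes."""
    return (1 << k) - 1


def rsa_keypair(p: int, q: int) -> tuple:
    """Toy RSA key pair from two given primes: public (e, n), private (d, n).
    Assumption: real keys use random primes of 1024 bits or more."""
    n, e = p * q, 65537
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def fingerprint(document: bytes) -> int:
    """Fixed-size fingerprint of a document: SHA-256, truncated to 160 bits so
    the integer is below every toy modulus used here (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(document).digest()[:20], "big")


def sign(document: bytes, private: tuple) -> int:
    """X's signature: the fingerprint transformed with X's private key."""
    d, n = private
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, public: tuple) -> bool:
    """Y recovers the fingerprint with X's public key and compares it with the
    fingerprint of the document Y actually received."""
    e, n = public
    return pow(signature, e, n) == fingerprint(document)


def cert_body(subject: str, public: tuple, issuer: str) -> bytes:
    """The part of a certificate that the issuer signs: identity, key, issuer."""
    return f"{subject}|{issuer}|{public[0]}|{public[1]}".encode()


def issue_cert(subject: str, public: tuple, issuer: str, issuer_private: tuple) -> dict:
    return {"subject": subject, "pub": public, "issuer": issuer,
            "sig": sign(cert_body(subject, public, issuer), issuer_private)}


def verify_chain(cert: dict, directory: dict, anchor: tuple) -> bool:
    """Follow issuer links from cert up to the trust anchor (root name, root key).
    directory maps CA names to their certificates and may have been tampered
    with, so every link must carry a valid signature by its issuer's certified key."""
    anchor_name, anchor_public = anchor
    seen = set()
    while cert["subject"] not in seen:
        seen.add(cert["subject"])
        body = cert_body(cert["subject"], cert["pub"], cert["issuer"])
        if cert["issuer"] == anchor_name:               # last link: the root signed it
            return verify(body, cert["sig"], anchor_public)
        issuer_cert = directory.get(cert["issuer"])
        if issuer_cert is None or not verify(body, cert["sig"], issuer_cert["pub"]):
            return False
        cert = issuer_cert                               # one link up the chain
    return False                                         # a loop never reaches the root


def scenario() -> dict:
    """A wants B's key. The directory holds the real chain, but C also plants
    certificates claiming to be B. Every value should be True."""
    root_public, root_private = rsa_keypair(mersenne(521), mersenne(61))
    ca_public, ca_private = rsa_keypair(mersenne(607), mersenne(107))
    b_public, b_private = rsa_keypair(mersenne(127), mersenne(89))
    c_public, c_private = rsa_keypair(mersenne(1279), mersenne(31))   # impostor C's own pair
    anchor = ("Root CA", root_public)                                 # A already holds this
    directory = {"Intermediate CA": issue_cert("Intermediate CA", ca_public, "Root CA", root_private)}
    genuine = issue_cert("B", b_public, "Intermediate CA", ca_private)
    self_signed = issue_cert("B", c_public, "B", c_private)           # C vouches for itself
    forged = issue_cert("B", c_public, "Intermediate CA", c_private)  # C claims the CA signed it
    swapped = dict(genuine, pub=c_public)                             # C's key pasted into B's cert
    order = b"Order 4711: 2 x widget, card ending 1234"               # constructed sample document
    signature = sign(order, b_private)
    return {
        "genuine_chain_accepted": verify_chain(genuine, directory, anchor),
        "self_signed_impostor_rejected": not verify_chain(self_signed, directory, anchor),
        "forged_issuer_signature_rejected": not verify_chain(forged, directory, anchor),
        "swapped_key_rejected": not verify_chain(swapped, directory, anchor),
        "document_signature_verifies": verify(order, signature, genuine["pub"]),
        "altered_document_detected": not verify(order.replace(b"2 x", b"9 x"), signature, genuine["pub"]),
        "forged_signature_detected": not verify(order, sign(order, c_private), genuine["pub"]),
    }
```

The point to notice is that the directory is never trusted: the only thing A trusts is the root key it already holds, and every certificate on the way to B's key has to be signed by the key certified one link above it. The impostor can publish as many certificates as it likes, but none of them reaches the root.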

Clipper Chip

Clipper is an encryption chip developed as part of the Capstone project. Announced by the White House in April 1993, Clipper was designed to balance the competing concerns of federal law enforcement agencies with those of private citizens and industry. Law enforcement agencies wish to have access, for example by wire-tapping, to the communications of suspected criminals, and these needs are threatened by secure cryptography. Clipper technology attempts to balance these needs by using escrowed keys. The idea is that communications would be encrypted with a secure algorithm, but the keys would be kept by one or more third parties (the "escrow agencies") and made available to law enforcement agencies when authorized by a court-issued warrant. Thus, for example, personal communications would be impervious to recreational eavesdroppers and commercial communications would be impervious to industrial espionage, and yet the FBI could listen in on suspected terrorists or gangsters.
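The escrow arrangement described above, as an added and deliberately simplified example that is not part of the original notes and is not the Clipper chip's own protocol: a device key is split into shares so that every escrow agency must release its share before the key can be reassembled, while any one share on its own says nothing about the key. The XOR secret sharing, the two agencies and the 80-bit sample key are assumptions.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, agencies: int = 2) -> list:
    """Split key into one share per escrow agency. All shares but the last are
    random; the last is chosen so that XORing every share together gives the key.
    Any single share, or any set of shares short of all of them, is uniformly random."""
    if agencies < 2:
        raise ValueError("escrow needs at least two agencies")
    shares = [os.urandom(len(key)) for _ in range(agencies - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]


def recover_key(shares: list) -> bytes:
    """Reassemble the key; meaningful only once every agency has released its share."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def escrow_demo(device_key: bytes) -> dict:
    """Two agencies: with a warrant both release their shares and the key returns.
    With one share alone, every candidate key is equally consistent with it, since
    XORing the share with any guess produces a 'second share' that fits that guess."""
    shares = split_key(device_key, 2)
    guess = bytes(len(device_key))                       # the all-zero key, say
    fitting_share = xor_bytes(shares[0], guess)
    return {
        "both_shares_recover_key": recover_key(shares) == device_key,
        "single_share_is_not_the_key": device_key not in shares,
        "one_share_fits_any_guess": recover_key([shares[0], fitting_share]) == guess,
    }
```

The security of the arrangement therefore rests entirely on the agencies: anyone who obtains every share, or who can compel every agency, has the key, which is exactly the concern raised in the criticism that follows.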

Skipjack, designed by the NSA, is the encryption algorithm contained in the Clipper chip. It uses one 80-bit key to encrypt and decrypt 64-bit blocks of data. Skipjack can be used in the same way as DES and may be more secure than DES, since it uses 80-bit keys and scrambles the data for 32 steps, or "rounds"; by contrast, DES uses 56-bit keys and scrambles the data for only 16 rounds. The details of Skipjack were classified. The decision not to make the details of the algorithm publicly available was widely criticized, and many were suspicious that Skipjack was not secure, either due to design oversight or to deliberate introduction of a secret trapdoor. By contrast, the many failed attempts to find weaknesses in DES over the years have made people confident in the security of DES. Since Skipjack was not public, the same scrutiny could not be applied, and thus a corresponding level of confidence could not arise. Aware of such criticism, the government invited a small group of independent cryptographers to examine the Skipjack algorithm. Their report stated that, although their study was too limited to reach a definitive conclusion, they nevertheless believed that Skipjack is secure. Another consequence of Skipjack's classified status was that it could not be implemented in software, but only in hardware by government-authorized chip manufacturers. (The algorithm was eventually declassified and published in 1998, after these notes were originally written, and the Clipper scheme was never adopted in practice.)

Summary:

RSA is a public-key cryptosystem for both encryption and authentication developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.
A public-key certificate is a data structure, digitally signed by a certification authority (also known as the certificate issuer), that binds a public-key value to the identity of the entity holding the corresponding private key.
The idea behind Clipper is that communications would be encrypted with a secure algorithm, but the keys would be kept by one or more third parties (the "escrow agencies") and made available to law enforcement agencies when authorized by a court-issued warrant.

UNIT - V

Topic:
Introduction
Firewall
Various Anti-Viruses
Summary

Objectives:
Describe some security measures to protect computer systems from various threats in a network.

In the previous lecture we discussed cryptographic techniques for providing security of data in a network. Today we will take a look at other techniques which can further enhance security.

Firewall

If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably heard the term firewall used. For example, you often hear people in companies say things like, "I can't use that site because they won't let it through the firewall."

If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next. As you read through this article, you will learn more about firewalls, how they work and what kinds of threats they can protect you from.

What It Does

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Let's say that you work at a company with 500 employees. The company will therefore have hundreds of computers that all have network cards connecting them together. In addition, the company will have one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the security rules inside the company might be: out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections only to that one computer and prevent them on all others. A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall gives a company tremendous control over how people use the network.

Firewalls use one or more of three methods to control traffic flowing in and out of the network:

Packet filtering - Packets (small chunks of data) are analyzed against a set of filters, typically on source and destination address, protocol and port. Packets that make it through the filters are sent to the requesting system and all others are discarded.
Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa; the inside and outside systems never talk to each other directly.
Stateful inspection - A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a table of known connections. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics (addresses, ports and connection state), then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

What It Protects You From

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

Remote login - When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.

SMTP session hijacking - SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by relaying the e-mail through the SMTP server of an unsuspecting host (an "open relay"), making the actual sender of the spam difficult to trace.
Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
Denial of service - You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is hard to counter. In its classic form (a SYN flood), the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
Macros - To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these, because the page may try to install malicious software on your computer or trick you into entering passwords or card details.
Redirect bombs - Hackers can use ICMP redirect messages to change the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
Source routing - In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.

The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator that understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change it. One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, home networks are also scanned constantly by automated tools, so putting a firewall in place is worthwhile there too, and it provides some peace of mind.

Proxy Application Gateways

A proxy application gateway is a special server that typically runs on a firewall machine. Its primary use is access to applications such as the World Wide Web from within a secure perimeter (Fig 22.1). Instead of talking directly to external WWW servers, each request from the client is routed to a proxy on the firewall that is defined by the user. The proxy knows how to get through the firewall. An application-level proxy makes a firewall safely permeable for users in an organization, without creating a potential security hole through which hackers can get into corporate networks. The proxy waits for a request from inside the firewall, forwards the request to the remote server outside the firewall, reads the response, and then returns it to the client. In the usual case, all clients within a given subnet use the same proxy. This makes it possible for the proxy to execute efficient caching of documents that are requested by a number of clients.

Proxy gateways have several advantages. They allow browser programmers to ignore the complex networking code necessary to support every firewall protocol and concentrate on important client issues. For instance, by using HTTP between the client and proxy, no protocol functionality is lost, since FTP, Gopher, and other Web protocols map well into HTTP methods. This feature is invaluable, for users needn't have separate, specially modified FTP, Gopher, and WAIS clients to get through a firewall; a single Web client with a proxy server handles all of these cases.

Proxies can manage network functions. Proxying allows for creating audit trails of client transactions, including client IP address, date and time, byte count, and success code. Any regular fields and meta-information fields in a transaction are candidates for logging. The proxy also can control access to services for individual methods, hosts and domains, and the like. Given this firewall design in which the proxy acts as an intermediary, it is natural to place security-relevant mediation within the proxy. Proxy mediation helps mitigate security concerns by
(1) limiting dangerous subsets of the HTTP protocol (a site's security policy may prohibit the use of some of HTTP's methods);
(2) enforcing client and/or server access to designated hosts (an organization should have the capability to specify acceptable Web sites);
(3) implementing access control for network services that is lost when the proxy is installed (to restore the security policy enforced by the firewall); and
(4) checking various protocols for well-formed commands. A bug existed in a previous version of the Mosaic browser that permitted servers to download a "Trojan horse" URL to the client that would cause the client to run an arbitrary program. The proxy must be in a position to filter dangerous URLs and malformed commands.
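The four kinds of proxy mediation listed above, as an added example that is not part of the original notes: a request filter for an HTTP proxy that permits only certain methods (1), restricts destination hosts (2), rejects malformed or dangerous request lines (4) and writes the audit-trail fields mentioned earlier. The policy values, the request-line grammar, the constructed sample requests and the log format are assumptions for illustration; a production proxy parses full HTTP and applies a site-specific policy.

```python
import re
from datetime import datetime, timezone

# Site policy; the values are assumptions for illustration.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                 # (1) the rest of HTTP is treated as dangerous
ALLOWED_SCHEMES = {"http", "ftp"}                         # the proxy fetches FTP on the client's behalf
ALLOWED_HOSTS = {"www.example.com", "ftp.example.net"}    # (2) designated hosts only
MAX_REQUEST_LINE = 2048

# A well-formed proxy request line: METHOD scheme://host[:port][/path] HTTP/1.x,
# with only printable ASCII in the path (no control characters, no spaces).
REQUEST_LINE = re.compile(
    r"^([A-Z]+) ([a-z]+)://([A-Za-z0-9.-]+)(?::(\d{1,5}))?(/[\x21-\x7e]*)? HTTP/1\.[01]$"
)


def mediate(request_line: str) -> tuple:
    """Decide one client request: returns (allowed, reason, host, path)."""
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long", None, None
    m = REQUEST_LINE.match(request_line)
    if m is None:                                         # (4) not a well-formed command
        return False, "malformed request line", None, None
    method, scheme, host, port, path = m.groups()
    path = path or "/"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted", host, path
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme} not proxied", host, path
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host} not on the approved list", host, path
    if port is not None and int(port) > 65535:
        return False, "port out of range", host, path
    if ".." in path.split("/"):                           # (4) a dangerous URL: directory traversal
        return False, "path traversal in URL", host, path
    return True, "ok", host, path


def audit_line(client_ip: str, request_line: str, byte_count: int, when: datetime = None) -> str:
    """One audit-trail record: client IP, date and time, request, success code, byte count."""
    allowed, reason, _host, _path = mediate(request_line)
    when = when or datetime.now(timezone.utc)
    status = 200 if allowed else 403
    return f'{client_ip} {when:%Y-%m-%dT%H:%M:%SZ} "{request_line}" {status} {byte_count} {reason}'


if __name__ == "__main__":
    # Constructed sample requests as an internal client might send them to the proxy.
    for line in ("GET http://www.example.com/index.html HTTP/1.0",
                 "DELETE http://www.example.com/index.html HTTP/1.1",
                 "GET http://evil.example.org/ HTTP/1.0",
                 "GET http://www.example.com/../etc/passwd HTTP/1.0",
                 "GET http://www.example.com/a\x00b HTTP/1.0"):
        print(audit_line("10.0.0.5", line, 0))
```

Because the proxy is the only party that speaks to the outside, the checks above are enforced for every client behind it regardless of which browser the client runs, which is the practical advantage of placing mediation in the proxy rather than in each client.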

What is antivirus software?

Antivirus software is a program that either comes installed on your computer or that you purchase and install yourself. It helps protect your computer against most viruses, worms, Trojans, and other unwanted invaders that can make your computer "sick." Viruses, worms, and the like often perform malicious acts, such as deleting files, accessing personal data, or using your computer to attack other computers.

Why should I use antivirus software?

You can help keep your computer healthy by using antivirus software. Remember to update your antivirus software regularly: it can only recognize the threats it has definitions for. These updates are generally available through a subscription from your antivirus vendor.

Regular Backups

This section reminds each computer user of their responsibility to make regular backups to protect their computer data. The task of backing up the data found on your computer is often the most overlooked and "hardly ever done until it's too late" action within the computer end-user community. With the software tools now available, it no longer is the arduous task that it once was a few years ago. There is no excuse not to back up your data: do it now, don't wait until it's too late! Once your system is in use, your next consideration should be to back up the file systems, directories, and files. Files and directories represent a significant investment of time and effort. At the same time, all computer files are potentially easy to change or erase, either intentionally or by accident. If you take a careful and methodical approach to backing up your file systems, and periodically test that a backup can actually be restored, you should always be able to restore recent versions of files or file systems with little difficulty.

Note: When a hard disk crashes, the information contained on that disk is destroyed. The only way to recover the destroyed data is to retrieve the information from your backup copy.

There are several different methods of backing up. The most frequently used method is a regular backup, which is a copy of a file system, directory, or file that is kept for file transfer or in case the original data is unintentionally changed or destroyed. Another form of backing up is the archive backup; this method is used for a copy of one or more files, or an entire database, that is saved for future reference, historical purposes, or for recovery if the original data is damaged or lost. Usually an archive is used when that specific data is removed from the system.

Summary:

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.
Firewalls use one or more of three methods to control traffic flowing in and out of the network: packet filtering, proxy service and stateful inspection.
A firewall helps protect against remote login, application backdoors, operating system bugs, denial of service, e-mail bombs and viruses.
A proxy application gateway is a special server that typically runs on a firewall machine. Instead of talking directly to external WWW servers, each request from the client is routed to a proxy on the firewall that is defined by the user. The proxy knows how to get through the firewall.
Antivirus software is a program that either comes installed on your computer or that you purchase and install yourself. It helps protect your computer against most viruses, worms, Trojans, and other unwanted invaders that can make your computer "sick."
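The packet filtering and stateful inspection methods of this lecture, together with the "block everything, then allow only what is needed" rule of thumb and the rule that only one internal host may receive public FTP, as an added example that is not part of the original notes: a small filter that applies a default-deny rule set, remembers connections opened from the inside so that only their replies are admitted, and drops source-routed packets. The addresses, the rule set, the packet fields and the packet records are constructed for illustration; a real filter parses these fields from IP and TCP headers and also tracks sequence numbers and connection teardown.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not parsed from the wire)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False          # TCP connection attempt
    source_routed: bool = False


@dataclass
class Firewall:
    inside: str                                   # address prefix of the private network
    allow_in: set = field(default_factory=set)    # (proto, host, port) services published to the Internet
    state: set = field(default_factory=set)       # (proto, inside addr, inside port, outside addr, outside port)

    def is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside)

    def decide(self, pkt: Packet) -> tuple:
        """Return ("allow" or "drop", reason) for one packet crossing the boundary."""
        if pkt.source_routed:
            return "drop", "source-routed packet"
        inbound = self.is_inside(pkt.dst) and not self.is_inside(pkt.src)
        outbound = self.is_inside(pkt.src) and not self.is_inside(pkt.dst)
        if outbound:
            # Stateful inspection: remember the connection so only its replies are admitted.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow", "outbound, connection recorded"
        if inbound:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.state:
                return "allow", "part of a known connection"
            if pkt.syn and (pkt.proto, pkt.dst, pkt.dport) in self.allow_in:
                self.state.add(key)                # a new connection to a published service
                return "allow", "new connection to a published service"
            return "drop", "default deny"          # block everything not explicitly allowed
        return "drop", "not a boundary crossing"


def demo() -> list:
    """Rule set: out of all internal hosts only 10.0.0.21 may receive public FTP,
    and only 10.0.0.80 may receive web traffic; everything else inbound is dropped
    unless it belongs to a connection an inside host opened."""
    fw = Firewall(inside="10.0.0.", allow_in={("tcp", "10.0.0.21", 21), ("tcp", "10.0.0.80", 80)})
    packets = [                                                          # constructed traffic
        Packet("203.0.113.9", "10.0.0.21", "tcp", 40000, 21, syn=True),  # FTP to the one FTP host: allow
        Packet("203.0.113.9", "10.0.0.55", "tcp", 40001, 21, syn=True),  # FTP to any other host: drop
        Packet("10.0.0.55", "198.51.100.7", "tcp", 51000, 80, syn=True), # employee browses out: allow
        Packet("198.51.100.7", "10.0.0.55", "tcp", 80, 51000),           # that server's reply: allow
        Packet("198.51.100.7", "10.0.0.55", "tcp", 80, 51001),           # unsolicited, no matching state: drop
        Packet("203.0.113.9", "10.0.0.80", "tcp", 40002, 23, syn=True),  # telnet to the web server: drop
        Packet("203.0.113.9", "10.0.0.21", "tcp", 40003, 21, syn=True, source_routed=True),  # drop
        Packet("203.0.113.9", "10.0.0.21", "tcp", 40000, 21),            # more of the first FTP session: allow
        Packet("203.0.113.9", "10.0.0.21", "tcp", 40005, 21),            # stray ACK to the FTP host, no SYN: drop
    ]
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```

The last two packets show the difference between a plain packet filter and stateful inspection: both go to the one host and port that the rule set publishes, yet only the one that belongs to a connection the firewall has already seen is admitted. A stateless filter that matched on address and port alone would have to admit both.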

Topic: Introduction; Ethical, Social, and Political Issues in E-Commerce; Summary

Objectives: Understand ethical, social, and political issues in e-commerce.

Defining the rights of people to express their ideas and the property rights of copyright owners are just two of many ethical, social, and political issues raised by the rapid evolution of e-commerce. These questions are not just ethical questions that we as individuals have to answer; they also involve social institutions such as family, schools, and business firms. And these questions have obvious political dimensions because they involve collective choices about how we should live and what laws we would like to live under. In this lecture we discuss the ethical, social, and political issues raised in e-commerce, provide a framework for organizing the issues, and make recommendations for managers who are given the responsibility of operating e-commerce companies within commonly accepted standards of appropriateness.

Understanding Ethical, Social, and Political Issues in E-Commerce

The Internet and its use in e-commerce have raised pervasive ethical, social and political issues on a scale unprecedented for computer technology. Entire sections of daily newspapers and weekly magazines are devoted to the social impact of the Internet. Why is this so? Why is the Internet at the root of so many contemporary controversies? Part of the answer lies in the underlying features of Internet technology and the ways in which it has been exploited by business firms. Internet technology and its use in e-commerce disrupt existing social and business relationships and understandings. Instead of considering the business consequences of each unique feature, here we examine the actual or potential ethical, social, and/or political consequences of the technology (see Table 23.1).

We live in an “information society,” where power and wealth increasingly depend on information and knowledge as central assets. Controversies over information are often in fact disagreements over power, wealth, influence, and other things thought to be valuable. Like other technologies such as steam, electricity, telephones, and television, the Internet and e-commerce can be used to achieve social progress, and for the most part, this has occurred. However, the same technologies can be used to commit crimes, despoil the environment, and threaten cherished social values. Before automobiles, there was very little interstate crime and very little federal jurisdiction over crime. Likewise with the Internet: before the Internet, there was very little “cyber crime.” Many business firms and individuals are benefiting from the commercial development of the Internet, but this development also exacts a price from individuals, organizations, and societies. These costs and benefits must be carefully considered by those seeking to make ethical and socially responsible decisions in this new environment. The question is: how can you as a manager make reasoned judgments about what your firm should do in a number of e-commerce areas, from securing the privacy of your customers’ click stream to ensuring the integrity of your company domain name?

The major ethical, social, and political issues that have developed around e-commerce over the past seven to eight years can be loosely categorized into four major dimensions: information rights, property rights, governance, and public safety and welfare, as shown in Fig 23.1. Some of the ethical, social, and political issues raised in each of these areas include the following:

Information rights: What rights to their own personal information do individuals have in a public marketplace, or in their private homes, when Internet technology makes information collection so pervasive and efficient? What rights do individuals have to access information about business firms and other organizations?

Property rights: How can traditional intellectual property rights be enforced in an Internet world where perfect copies of protected works can be made and easily distributed worldwide in seconds?

Governance: Should the Internet and e-commerce be subject to public laws? And if so, what law-making bodies have jurisdiction: state, federal, and/or international?

Public safety and welfare: What efforts should be undertaken to ensure equitable access to the Internet and e-commerce channels? Should governments be responsible for ensuring that schools and colleges have access to the Internet? Are certain online content and activities, such as pornography and gambling, a threat to public safety and welfare? Should mobile commerce be allowed from moving vehicles?

To illustrate, imagine that at any given moment society and individuals are more or less in an ethical equilibrium brought about by a delicate balancing of individuals, social organizations, and political institutions. Individuals know what is expected of them, social organizations such as business firms know their limits, capabilities, and roles, and political institutions provide a supportive framework of market regulation, banking and commercial law that provides sanctions against violators. Now, imagine we drop into the middle of this calm setting a powerful new technology such as the Internet and e-commerce.

Suddenly individuals, business firms, and political institutions are confronted by new possibilities of behavior. For instance, individuals discover that they can download perfect digital copies of music tracks, something which, under the old technology of CDs, would have been impossible. This can be done despite the fact that these music tracks still “belong,” as a legal matter, to the owners of the copyright: musicians and record label companies.

The introduction of the Internet and e-commerce impacts individuals, societies, and political institutions. These impacts can be classified into four moral dimensions: property rights, information rights, governance, and public safety and welfare.

Then business firms discover that they can make a business out of aggregating these musical tracks, or creating a mechanism for sharing musical tracks, even though they do not “own” them in the traditional sense. The record companies, courts, and Congress were not prepared at first to cope with the onslaught of online digital copying. Courts and legislative bodies will have to make new laws and reach new judgments about who owns digital copies of copyrighted works and under what conditions such works can be “shared.” It may take years to develop new understandings, laws, and acceptable behavior in just this one area of social impact. In the meantime, as an individual and a manager, you will have to decide what you and your firm should do in legal “grey” areas, where there is conflict between ethical principles, but no clear-cut cultural guidelines. How can you make good decisions in this type of situation?

Before reviewing the four moral dimensions of e-commerce in greater depth, we will briefly review some basic concepts of ethical reasoning that you can use as a guide to ethical decision making, and provide general reasoning principles about social and political issues of the Internet that you will face in the future.

Fig 23.1 The Moral Dimensions of an Internet Society

Let’s take a look at what ethics is, what an ethical dilemma is, and what ethical principles we can follow in order to come out of an ethical dilemma.

Basic Ethical Concepts: Responsibility, Accountability, and Liability

Ethics is at the heart of social and political debates about the Internet. Ethics is the study of principles that individuals and organizations can use to determine right and wrong courses of action. It is assumed in ethics that individuals are free moral agents who are in a position to make choices. When faced with alternative courses of action, what is the correct moral choice? Extending ethics from individuals to business firms and even entire societies can be difficult, but it is not impossible. As long as there is a decision-making body or individual (such as a Board of Directors or CEO in a business firm or a governmental body in a society), their decisions can be judged against a variety of ethical principles. If you understand some basic ethical principles, your ability to reason about larger social and political debates will be improved. In Western culture, there are three basic principles that all ethical schools of thought share: responsibility, accountability, and liability.

Responsibility means that as free moral agents, individuals, organizations and societies are responsible for the actions they take. Accountability means that individuals, organizations, and societies should be held accountable to others for the consequences of their actions. The third principle, liability, extends the concepts of responsibility and accountability to the area of law. Liability is a feature of political systems in which a body of law is in place that permits individuals to recover the damages done to them by other actors, systems, or organizations. Due process is a feature of law-governed societies and refers to a process in which laws are known and understood and there is an ability to appeal to higher authorities to ensure that the laws have been applied correctly.

Analyzing Ethical Dilemmas

Ethical, social, and political controversies usually present themselves as dilemmas. A dilemma is a situation in which there are at least two diametrically opposed actions, each of which supports a desirable outcome. When confronted with a situation that seems to present ethical dilemmas, how can you analyze and reason about the situation? The following is a five-step process that should help.

1. Identify and describe clearly the facts. Find out who did what to whom, and where, when, and how. In many instances, you will be surprised at the errors in the initially reported facts, and often you will find that simply getting the facts straight helps define the solution. It also helps to get the opposing parties involved in an ethical dilemma to agree on the facts.

2. Define the conflict or dilemma and identify the higher-order value involved. Ethical, social, and political issues always reference higher values. Otherwise, there would be no debate. The parties to a dispute all claim to be pursuing higher values (e.g., freedom, privacy, protection of property, and the free enterprise system). For example, DoubleClick and its supporters argue that their tracking of consumer movements on the Web increases market efficiency and the wealth of the entire society. Opponents argue this claimed efficiency comes at the expense of individual privacy, and DoubleClick should cease its tracking or offer Web users the option of not participating in such tracking.

3. Identify the stakeholders. Every ethical, social, and political issue has stakeholders: players in the game who have an interest in the outcome, who have interests vested in the situation, and usually who have vocal opinions. Find out the identity of these groups and what they want. This will be useful later when designing a solution.

4. Identify the options that you can reasonably take. You may find that none of the options satisfies all the interests involved, but that some options do a better job than others. Sometimes, arriving at a “good” or ethical solution may not always be a balancing of consequences to stakeholders.

5. Identify the potential consequences of your options. Some options may be ethically correct, but disastrous from other points of view. Other options may work in this one instance, but not in other similar instances. Always ask yourself, “What if I choose this option consistently over time?” Once your analysis is complete, you can refer to the following well-established ethical principles to help decide the matter.

Candidate Ethical Principles

Although you are the only one who can decide which among many ethical principles you will follow and how you will prioritize them, it is helpful to consider some ethical principles with deep roots in many cultures that have survived throughout recorded history.

The Golden Rule: Do unto others as you would have them do unto you. Putting yourself into the place of others and thinking of yourself as the object of the decision can help you think about fairness in decision making.

Universalism: If an action is not right for all situations, then it is not right for any specific situation (Immanuel Kant’s categorical imperative). Ask yourself, “If we adopted this rule in every case, could the organization, or society, survive?”

Slippery Slope: If an action cannot be taken repeatedly, then it is not right to take at all (Descartes’ rule of change). An action may appear to work in one instance to solve a problem, but if repeated, would result in a negative outcome. In plain English, this rule might be stated as “once started down a slippery path, you may not be able to stop.”

Collective Utilitarian Principle: Take the action that achieves the greater value for all of society. This rule assumes you can prioritize values in a rank order and understand the consequences of various courses of action.

Risk Aversion: Take the action that produces the least harm, or the least potential cost. Some actions have extremely high failure costs of very low probability (e.g., building a nuclear generating facility in an urban area) or extremely high failure costs of moderate probability (speeding and automobile accidents). Avoid the high-failure-cost actions and choose those actions whose consequences would not be catastrophic, even if there were a failure.

No Free Lunch: Assume that virtually all tangible and intangible objects are owned by someone else unless there is a specific declaration otherwise. (This is the ethical “no free lunch” rule.) If something someone else has created is useful to you, it has value and you should assume the creator wants compensation for this work.

The New York Times Test (Perfect Information Rule): Assume that the result of your decision on a matter will be the subject of the lead article in the New York Times the next day. Will the reaction of readers be positive or negative? Would your parents, friends, and children be proud of your decision? Most criminals and unethical actors assume imperfect information, and therefore they assume their decisions and actions will never be revealed. When making decisions involving ethical dilemmas, it is wise to assume perfect information markets.

The Social Contract Rule: Would you like to live in a society where the principle you are supporting would become an organizing principle of the entire society? For instance, you might think it is wonderful to download illegal copies of music tracks, but you might not want to live in a society that did not respect property rights, such as your property rights to the car in your driveway, or your rights to a term paper or original art.

None of these rules is an absolute guide, and there are exceptions and logical difficulties with all these rules. Nevertheless, actions that do not easily pass these guidelines deserve some very close attention and a great deal of caution, because the appearance of unethical behavior may do as much harm to you and your company as the actual behavior.

Now that you have an understanding of some basic ethical reasoning concepts, let’s take a closer look at each of the major types of ethical, social, and political debates that have arisen in e-commerce.

Privacy and Information Rights

The Internet and the Web provide an ideal environment for invading the personal privacy of millions of users on a scale unprecedented in history. Perhaps no other recent issue has raised as much widespread social and political concern as protecting the privacy of over 160 million Web users in the United States alone. The major ethical issues related to e-commerce and privacy include the following: Under what conditions should we invade the privacy of others? What legitimates intruding into others’ lives through unobtrusive surveillance, market research, or other means? The major social issues related to e-commerce and privacy concern the development of “expectations of privacy” or privacy norms, as well as public attitudes. In what areas of life should we as a society encourage people to think they are in “private territory” as opposed to public view? The major political issues related to e-commerce and privacy concern the development of statutes that govern the relations between record keepers and individuals. How should organizations, public and private, who are reluctant to remit the advantages that come from the unfettered flow of information on individuals, be restrained, if at all? In the following section, we will look first at the various practices of e-commerce companies that pose a threat to privacy.

Information Collected at E-Commerce Sites

Almost all (97%) Web sites collect personally identifiable information and use cookies to track the click stream behavior of visitors on the site. Personally identifiable information (PII) is any data that can be used to identify, locate, or contact an individual. As described below, advertising networks track the behavior of consumers across thousands of popular sites, not just at one site. In addition, most sites collect anonymous information composed of demographic and behavioral information that does not include any personal identifiers. For instance, sites collect information about age, occupation, income, zip code, ethnicity, and other data, and place a cookie on your hard drive to identify you by number but not by name. Table 23.1 lists many of the personal identifiers routinely collected by online e-commerce sites. Table 23.2 illustrates some of the major ways online firms gather information about consumers.

Table 23.1 Personal Information Collected by E Commerce Sites

Fig 23.2 The Internet’s Major Personally Identifiable Information Gathering Tools

Profiling: Privacy and Advertising Networks

A majority (57%) of all Web sites, and 78% of the most popular 100 sites, allow third parties, including advertising networks such as Adforce, Avenue A, DoubleClick, Engage, L90, MatchLogic, and 24/7 Media (these firms constitute about 90% of the network advertising industry), to place cookies on a visitor’s hard drive in order to engage in profiling. Profiling is the creation of digital images that characterize online individual and group behavior. An advertising network such as 24/7 Media maintains over 60 million anonymous profiles and more than 20 million personal profiles. DoubleClick maintains over 100 million anonymous profiles.

Anonymous profiles identify people as belonging to highly specific and targeted groups, for example, 20-30-year-old males with college degrees and incomes greater than $30,000 a year, interested in high fashion clothing. Personal profiles add a personal e-mail address, postal address, and/or phone number to behavioral data. Increasingly, online firms are attempting to link their online profiles to offline consumer data collected by the established retail and catalog firms.

In the past, individual stores collected data on customer movement through a single store in order to understand consumer behavior and alter the design of stores accordingly. Also, purchase and expenditure data was gathered on consumers purchasing from multiple stores, usually long after the purchases were made, and the data was used to target direct mail and in-store campaigns, and mass media advertising. The online advertising networks have added several new dimensions to established offline marketing techniques. First, they have the ability to precisely track not just consumer purchases but all browsing behavior on the Web at thousands of the most popular member sites, including browsing book lists, filling out preference forms, and viewing content pages. Second, they create the ability to dynamically adjust what the shopper sees on screen, including prices. Third, they create the ability to build and continually refresh high-resolution data images or behavioral profiles of consumers. What’s different about advertising networks is the scope and intensity of the data dragnet, and the ability to manipulate the shopping environment to the advantage of the merchant. Most of this activity occurs in the background without the knowledge of the shopper, and it occurs dynamically online in less than a second.

Online consumer Joe Smith goes to a Web site that sells sporting goods. He clicks on the pages for golf bags. While there, he sees a banner ad, which he ignores as it does not interest him. The ad was placed by USAad Network. He then goes to a travel site and enters a search on “Hawaii.” The USAad Network serves ads on this site, and Joe sees an ad for rental cars there. Joe then visits an online bookstore and browses through books about the world’s best golf courses. USAad Network serves ads there as well. A week later, Joe visits his favorite online news site, and notices an ad for golf vacation packages in Hawaii. Delighted, he clicks on the
ad, which was served by USAad Network. Later, Joe begins to wonder whether it was a coincidence that this particular ad appeared and, if not, how it happened. The sample online profile illustrates several features of such profiles.

First, the profile created for Joe Smith was completely anonymous and did not require any personal information such as a name, e-mail address, or social security number. Obviously, this profile would be more valuable if the system did have personal information, because then Joe could be sent e-mail marketing. Second, ad networks do not know who is operating the browser. If other members of Joe’s family used the same computer to shop the Web, they would be exposed to golf vacation ads, and Joe could be exposed to ads more appropriate to his wife or children. Third, profiles are usually very imprecise, the result of “best guesses” and just plain guesses. Profiles are built using a product/service scoring system that is not very detailed, and as a result the profiles are crude.

In the above example, Joe is obviously interested in golf and travel because he intentionally expressed these interests. However, he may have wanted to scuba dive in Hawaii, or visit old friends, not play golf. The profiling system in the example took a leap of faith that a golf vacation in Hawaii is what Joe really wants. Sometimes these guesses work, but there is considerable evidence to suggest that simply knowing Joe made an inquiry about Hawaii would be sufficient to sell him a trip to Hawaii for any of several activities, and the USAad Network provided little additional value. As a result of the crudeness of the profiles, marketers have been unwilling to pay premium prices for highly targeted, profile-based ads, preferring instead to use more obvious and less expensive techniques such as placing travel ads on travel sites and golf ads on golf sites.

Network advertising firms argue that Web profiling benefits both consumers and businesses. Profiling permits targeting of ads, ensuring that consumers see advertising mostly for products and services in which they are actually interested. Businesses benefit by not paying for wasted advertising sent to consumers who have no interest in their product or service. The industry argues that by increasing the effectiveness of advertising, more advertising revenues go to the Internet, which in turn subsidizes free content on the Internet. Last, product designers and entrepreneurs benefit by sensing demand for new products and services by examining user searches and profiles.

Critics argue that profiling undermines the expectation of anonymity and privacy that most people have when using the Internet, and changes what should be a private experience into one where an individual’s every move is recorded. As people become aware that their every move is being watched, they will be far less likely to explore sensitive topics, browse pages, or read about controversial issues. In most cases, the profiling is invisible to users, and even hidden. Consumers are not notified that profiling is occurring. Profiling permits aggregating data on hundreds or even thousands of unrelated sites on the Web. The cookies placed by ad networks are persistent. Their tracking occurs over an extended period of time and resumes each time the individual logs on to the Internet. This click stream data is used to create profiles that can include hundreds of distinct data fields for each consumer. Associating so-called anonymous profiles with personal information is fairly easy, and companies can change policies quickly without informing the consumer. Some critics believe profiling permits weblining: charging some customers more money for products or services based on their profiles.

Although the information gathered by network advertisers is often anonymous, in many cases the profiles derived from tracking consumers’ activities on the Web are linked or merged with personally identifiable information. DoubleClick and other advertising network firms have attempted to purchase offline marketing firms that collect offline consumer data for the purpose of matching offline and online behavioral data at the individual level. However, public reaction was so negative that no network advertising firms publicly admit to matching offline PII with online profile data. Nevertheless, client Web sites encourage visitors to register for prizes, benefits, or content access in order to capture personal information such as e-mail addresses. Anonymous behavioral data is far more valuable if it can be linked with offline consumer behavior, e-mail addresses, and postal addresses. This consumer data can also be combined with data on the consumers’ offline purchases, or information collected directly from consumers through surveys and registration forms.

As the technology of connection to the Internet for consumers moves away from telephone modems, where IP addresses are assigned dynamically, and toward statically assigned IP addresses used by DSL and cable modems, connecting anonymous profiles to personal names and e-mail addresses will become easier and more prevalent.

From a privacy protection perspective, the advertising networks raise issues about who will see and use the information held by private companies, the absence of consumer control over the use of the information, the lack of consumer choice, the lack of notice, and the lack of review and amendment procedures. The pervasive and largely unregulated collection of personal information online has raised fears and opposition among consumers. In recent surveys, 92% of households said they do not trust online companies to keep their personal information confidential, and 82% agreed that the government should regulate how online companies use personal information.
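To make the cross-site mechanism concrete for a privacy review, the following added example (not code from the text or from any advertising network) replays Joe Smith’s browsing as a constructed ad-server log and rebuilds the anonymous profile the way a network could: only the persistent cookie id ties the visits together. The hypothetical site names, cookie ids, log format and keyword scoring table are assumptions.

```python
"""Cross-site profiling through a third-party ad-network cookie.

Added example, not from the text or any real ad network.  A constructed,
simplified ad-server request log stands in for what the hypothetical USAad
Network would receive: each time a member site loads one of its banners, the
browser sends back the network's persistent cookie together with the
referring page.  The cookie value is the only thing linking visits to
otherwise unrelated sites, which is what lets the network build a profile
without ever learning a name.
"""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (hypothetical sites, cookie ids and timestamps).
# Format per line: <time> c=<ad-network cookie id> <referring page URL>
# Cookie 7f3a9 is the Smith family computer; the 18:30 visit is not Joe's.
AD_LOG = """\
2002-03-01T10:00 c=7f3a9 http://sportsgoods.example/golf/bags
2002-03-01T10:04 c=7f3a9 http://travelsite.example/search?q=Hawaii
2002-03-01T10:09 c=7f3a9 http://bookstore.example/books/worlds-best-golf-courses
2002-03-01T18:30 c=7f3a9 http://recipes.example/dinner/kids-menu
2002-03-02T09:15 c=2b0d1 http://travelsite.example/search?q=Paris
2002-03-08T08:00 c=7f3a9 http://news.example/front-page
"""

# Assumed keyword-to-interest table, a stand-in for the crude
# product/service scoring system the text describes.
INTEREST_KEYWORDS = {
    "golf": "golf",
    "hawaii": "hawaii",
    "paris": "paris",
    "recipes": "cooking",
    "dinner": "cooking",
    "kids": "family",
}


@dataclass
class Profile:
    """One anonymous profile: everything the network can tie to a cookie."""
    cookie_id: str
    sites: set = field(default_factory=set)        # first-party sites seen
    interests: Counter = field(default_factory=Counter)
    hits: int = 0                                  # ad requests observed


def page_terms(url):
    """Lowercase words from the referring URL's path and query values."""
    parts = urlsplit(url)
    words = [w for seg in parts.path.split("/") for w in seg.split("-") if w]
    for values in parse_qs(parts.query).values():
        words.extend(values)
    return [w.lower() for w in words]


def build_profiles(log_text):
    """Group ad requests by cookie id into anonymous profiles."""
    profiles = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, cookie, url = line.split()
        cid = cookie.split("=", 1)[1]
        profile = profiles.setdefault(cid, Profile(cid))
        profile.hits += 1
        profile.sites.add(urlsplit(url).hostname)
        for word in page_terms(url):
            if word in INTEREST_KEYWORDS:
                profile.interests[INTEREST_KEYWORDS[word]] += 1
    return profiles


def top_interests(profile, n=2):
    """The network's 'best guess' segment: the n most frequent interests."""
    return [name for name, _ in profile.interests.most_common(n)]


def exposure_report(profiles):
    """Per cookie, the number of unrelated first-party sites the network
    could link: the scope of the data dragnet a privacy review would flag."""
    return {cid: len(p.sites) for cid, p in profiles.items()}


if __name__ == "__main__":
    profiles = build_profiles(AD_LOG)
    joe = profiles["7f3a9"]
    # The guess 'golf vacation in Hawaii' comes from keyword counts, not
    # from any stated intent, and 'cooking' was contributed by another user
    # of the same browser: the profile is both crude and mixed.
    print("segment:", top_interests(joe), "all:", dict(joe.interests))
    print("sites linked per cookie:", exposure_report(profiles))
```

The second report is the number a privacy assessment cares about: one cookie value already correlates five unrelated sites, before any registration form adds a name to it.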

One result of the lack of trust toward online firms and specific fears of privacy invasion is a reduction in online purchases. An estimated $3 billion was lost in 2000 sales, and $18 billion will be lost in 2002 online sales if nothing is done to allay consumer fears. Concerns about online privacy have led to two types of regulatory efforts: governmental regulation by federal and state agencies and private self-regulation efforts led by industry groups. But before considering these efforts to preserve and maintain privacy, we should first take a more in-depth look at the concept of privacy.

The Concept of Privacy

Privacy is the moral right of individuals to be left alone, free from surveillance or interference from other individuals or organizations, including the state. Privacy is a girder supporting freedom: without the privacy required to think, write, plan, and associate independently and without fear, social and political freedom is weakened, and perhaps destroyed. Information privacy is a subset of privacy. The right to information privacy includes both the claim that certain information should not be collected at all by governments or business firms, and the claim of individuals to control over the use of whatever information is collected about them. Individual control over personal information is at the core of the privacy concept.

Due process also plays an important role in defining privacy. The best statement of due process in record keeping is given by the Fair Information Practices doctrine developed in the early 1970s and extended to the online privacy debate in the late 1990s (described below).

Privacy claims, and thinking about privacy, mushroomed in the United States at the end of the nineteenth century as the technology of photography and tabloid journalism enabled the invasion of the heretofore private lives of wealthy industrialists. For most of the twentieth century, however, privacy thinking and legislation focused on restraining the government from collecting and using personal information. With the explosion in the collection of private personal information by Web-based marketing firms since 1995, privacy concerns are increasingly directed toward restraining the activities of private firms in the collection and use of information on the Web. Claims to privacy are also involved at the workplace: millions of employees are subject to various forms of electronic surveillance that in many cases is enhanced by firm Intranets and Web technologies. For instance, 38% of employers monitor employee e-mail, and 30% monitor employee computer files.

Legal Protections

In the United States, Canada, and Germany, rights to privacy are explicitly granted in, or can be derived from, founding documents such as constitutions, as well as in specific statutes. In England and the United States, there is also protection of privacy in the common law, a body of court decisions involving torts or personal injuries. For instance, in the United States, four privacy-related torts have been defined in court decisions involving claims of injury to individuals caused by other private parties: intrusion on solitude, public disclosure of private facts, publicity placing a person in a false light, and appropriation of a person’s name or likeness (mostly concerning celebrities) for a commercial purpose. In the United States, the claim to privacy against government intrusion is protected primarily by the First Amendment guarantees of freedom of speech and association, the Fourth Amendment protections against unreasonable search and seizure of one’s personal documents or home, and the Fourteenth Amendment’s guarantee of due process.

In addition to common law and the Constitution, there are both federal laws and state laws that protect individuals against government intrusion and in some cases define privacy rights vis-à-vis private organizations such as financial, educational, and media institutions (cable television and video rentals).

Summary:

The Internet and its use in e-commerce have raised pervasive ethical, social and political issues on a scale unprecedented for computer technology.

The major ethical, social, and political issues that have developed around e-commerce over the past seven to eight years can be loosely categorized into four major dimensions: information rights, property rights, governance, and public safety and welfare.

Ethics is at the heart of social and political debates about the Internet. Ethics is the study of principles that individuals and organizations can use to determine right and wrong courses of action.