Electronic Commerce Technology

Read this chapter to learn about the technologies that support e-business and e-commerce. Although this chapter was written in 2008, think about instances in your own experiences where more recent technologies have made e-commerce/e-business faster, less expensive, more reliable, and more secure. Create a small chart of some important items you purchase frequently. Label the columns "Item", "Purchase Frequency", "How first purchased" (such as at a store, over the phone, online, etc.), "Most recent purchase date", and "Purchase method". Notice the changes. Have you evolved into an e-commerce/e-business user?

Secure electronic transactions

Electronic commerce requires participants to have a secure means of transmitting the confidential data necessary to perform a transaction. For instance, banks (which bear the brunt of the cost of credit card fraud) prefer credit card numbers to be hidden from prying electronic eyes. In addition, consumers want assurance that the Web site with which they are dealing is not a bogus operation. Two forms of protecting electronic transactions are SSL and SET.


SSL

Secure Sockets Layer (SSL) was created by Netscape for managing the security of message transmissions in a network. SSL uses public-key encryption to encode the transmission of secure messages (e.g., those containing a credit card number) between a browser and a Web server.

The client part of SSL is part of Netscape's browser. If a Web site is using a Netscape server, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Other servers can be enabled by using Netscape's SSLRef program library, which can be downloaded for noncommercial use or licensed for commercial use.


SET

Secure Electronic Transaction (SET) is a financial industry innovation designed to increase consumer and merchant confidence in electronic commerce. Backed by major credit card companies, MasterCard and Visa, SET is designed to offer a high level of security for Web-based financial transactions. SET should reduce consumers' fears of purchasing over the Web and increase use of credit cards for electronic shopping. A proposed revision, due in 1999, will extend SET to support business-to-business transactions, such as inventory payments.

Visa and MasterCard founded SET as a joint venture on February 1, 1996. They realized that in order to promote electronic commerce, consumers and merchants would need a secure, reliable payment system. In addition, credit card issuers sought the protection of more advanced anti-fraud measures. American Express has subsequently joined the venture.

SET is based on cryptography and digital certificates. Public-key cryptography ensures message confidentiality between parties in a financial transaction. Digital certificates uniquely identify the parties to a transaction. They are issued by banks or clearinghouses and kept in registries so that authenticated users can look up other users' public keys.

Think of a digital certificate as an electronic credit card. It contains a person's name, a serial number, expiration date, a copy of the certificate holder's public key (used for encrypting and decrypting messages and verifying digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. A digital signature is used to guarantee a message sender's identity.


The SET components

Cardholder wallet

The application on the cardholder's side is also called the digital wallet. This software plug-in contains a consumer's digital certificate, shipping and other account information. This critical information is protected by a password, which the owner must supply to access the stored data. In effect, an electronic wallet stores a digital representation of a person's credit card and enables electronic transactions.

Merchant server

On the merchant side, a merchant server accepts electronic credit card payments.

Payment gateway

The payment gateway is the bridge between SET and the existing payment network. A payment gateway application translates SET messages for the existing payment system to complete the electronic transaction.

Certificate authority

The certificate authority issues and manages digital certificates, which are proofs of the identities for all parties involved in a SET transaction.


The process

The following set of steps illustrates SET in action.

1. The customer opens a MasterCard or Visa account with a bank.

2. The customer receives a digital certificate (an electronic file), which functions as a credit card for on-line transactions. The certificate includes a public key with an expiration date and has been digitally signed by the bank to ensure its validity.

3. Third-party merchants also receive digital certificates from the bank. These certificates include the merchant's public key and the bank's public key.

4. The customer places an electronic order from a merchant's Web page.

5. The customer's browser receives and confirms that the merchant's digital certificate is valid.

6. The browser sends the order information. This message contains the order, which is encrypted with the merchant's public key; the payment information, which is encrypted with the bank's public key (and so can't be read by the merchant); and information that ensures the payment can be used only with the current order.

7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.

8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.

9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.

10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.

11. The customer receives the goods and a receipt.

12. The merchant gets paid according to its contract with its bank.

13. The customer gets a monthly bill from the bank issuing the credit card.

The advantage of SET is that a consumer's credit card number cannot be deciphered by the merchant. Only the bank and card issuer can decode this number. This facility provides an additional level of security for consumers, banks, and credit card issuers, because it significantly reduces the ability of unscrupulous merchants to establish a successful Web presence.
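The step in which the browser sends the order includes "information that ensures the payment can be used only with the current order." The sketch below is an added example, not code from the chapter or from the SET specification; it goes beyond the text by showing the dual-signature idea SET uses for that binding, in which the cardholder signs a digest of the payment digest and the order digest together. The sample messages, function names, and the toy unpadded RSA key are assumptions made for the demonstration, and the public-key encryption of each part is left out to keep the focus on the binding.

```python
import hashlib

# Toy textbook-RSA key for the cardholder, constructed for this demo only
# (fixed Mersenne primes, no padding). Not suitable for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def link(pi_digest: bytes, oi_digest: bytes) -> int:
    """Digest that ties one payment to one order: H(H(PI) || H(OI))."""
    return int.from_bytes(digest(pi_digest + oi_digest), "big")

def cardholder_sign(order: bytes, payment: bytes) -> int:
    """Cardholder signs the linked digest once; both recipients check it."""
    return pow(link(digest(payment), digest(order)), D, N)

def merchant_verify(order: bytes, pi_digest: bytes, sig: int) -> bool:
    """Merchant sees the order and only a digest of the payment data."""
    return pow(sig, E, N) == link(pi_digest, digest(order))

def bank_verify(payment: bytes, oi_digest: bytes, sig: int) -> bool:
    """Bank sees the payment data and only a digest of the order."""
    return pow(sig, E, N) == link(digest(payment), oi_digest)

# Constructed sample messages (placeholders, not real card data).
ORDER = b"order=1001;item=book;total=25.00"
PAYMENT = b"card=<test-card-number>;amount=25.00"
OTHER_ORDER = b"order=1002;item=laptop;total=25.00"

if __name__ == "__main__":
    sig = cardholder_sign(ORDER, PAYMENT)
    print("merchant accepts:", merchant_verify(ORDER, digest(PAYMENT), sig))
    print("bank accepts:", bank_verify(PAYMENT, digest(ORDER), sig))
    # Presenting the same payment and signature with a different order fails.
    print("reuse accepted:", bank_verify(PAYMENT, digest(OTHER_ORDER), sig))
```

Each party verifies the same signature while holding the plaintext of only its own half, which is why the merchant never needs the card number to confirm the order is genuine.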

In order to succeed, SET must displace the current standard for electronic transactions, SSL, which is simpler than SET but less secure. Because of SSL's simplicity, it is expected to provide tough competition, and may remain the method of choice for the interface between the on-line buyer and the merchant. The combination of SSL and fraud-detection software has so far provided low-cost, adequate protection for electronic commerce.


Cookies

The creator of a Web site often wants to remember facts about you and your visit. A cookie is the mechanism for remembering details of a single visit or storing facts between visits. A cookie is a small file (not more than 4k) stored on your hard disk by a Web application. Cookies have several uses.

  • Visit tracking: A cookie might be used to determine which pages a person views on a particular Web site visit. The data collected could be used to improve site design.
  • Storing information: Cookies are used to record personal details so that you don't have to supply your name and address details each time you visit a particular site. Most subscription services (e.g., The Wall Street Journal) and on-line stores (e.g., Amazon.com) use this approach.
  • Customization: Some sites use cookies to customize their service. A cookie might be used by CNN to remember that you are mainly interested in news about ice skating and cooking.
  • Marketing: A cookie can be used to remember what sites you have visited so that relevant advertisements can be supplied. For example, if you frequently visit travel sites, you might get a banner ad from Delta popping up next time you do a search.

Cookies are a useful way of collecting data to provide visitors with better service. Without accurate information about people's interests, it is very difficult to provide good service.

Both Internet Explorer and Netscape Navigator allow surfers to set options for various levels of warnings about the use of cookies. Visitors who are concerned about the misuse of cookies can reject them totally, with the consequent loss of service.


Conclusion

The rapid growth of electronic commerce is clear evidence of the reliability and robustness of the underlying technology. Many of the pieces necessary to facilitate electronic commerce are mature, well-tested technologies, such as public-key encryption. The future is likely to see advances that make electronic commerce faster, less expensive, more reliable, and more secure.