TRANSACTION BASED SECURITY ISSUES AND PATHWAYS TO EFFECTIVE ELECTRONIC COMMERCE: FROM TACTICS TO STRATEGY

1 Dr. S. S. Riaz Ahamed, 2 Dr. V. Kubendran, 3 Mr. A. Ahamed Ansari
1 Principal, Sathak Institute of Technology, Ramanathapuram, India.
2 Professor, Dept of Management Studies, Bharathiar University, Coimbatore, India.
3 Assistant Professor, Dept of Management Studies, Mohamed Sathak Engineering College, India.
Email: globalresearch@india.com

ABSTRACT

Electronic commerce promises to empower consumers and producers alike with the ability to engage in mutually satisfactory interactions, providing fulfillment in real time over the Internet for the exchange of products, services, or information. Fulfillment in real time, offering a complete, self-directing, interactive order processing capability, is the true promise of electronic commerce for business. Electronic commerce is thus the conduct of business communication and transactions over networks and through computers. Most restrictively defined, electronic commerce is the buying and selling of goods and services, and the transfer of funds, through digital communications. Electronic commerce also includes all inter-company and intra-company functions, such as marketing, finance, manufacturing, selling, and negotiation, that enable commerce and utilize file transfer, e-mail, EDI, video conferencing, workflow, or interaction with a remote computer, including the World Wide Web. Transaction security is a major concern for businesses that offer products or services over the Internet. Secure ecommerce has revolutionized the 21st century in a way that few other technologies have. Over the past decade, the phenomenon of ecommerce has developed into a full-blown industry. Once used solely for business-to-business purposes, today nearly everyone has made at least one purchase using an ecommerce platform.

Keywords: Local Exchange Carriers (LEC), Competitive Local Exchange Carriers (CLEC), Secure Electronic Transaction (SET).
1 INTRODUCTION

Electronic commerce is the symbiotic integration of communications, data management, and security capabilities to allow business applications within different organizations to automatically exchange information related to the sale of goods and services. The Internet has emerged as an appliance of everyday life, accessible from almost every point on the planet. Students across the world are discovering vast treasure troves of data via the World Wide Web. Doctors are utilizing telemedicine to administer off-site diagnoses to patients in need. Citizens of many nations are finding additional outlets for personal and political expression. The Internet is being used to reinvent government and reshape our lives and our communities in the process. The Internet will also revolutionize retail and direct marketing. Consumers will be able to shop in their homes for a wide variety of products from manufacturers and retailers all over the world. They will be able to view these products on their computers or televisions, access information about the products, visualize the way the products may fit together (constructing a room of furniture on their screen, for example), and order and pay for their choice, all from their living rooms. Another issue to be tackled is just plain fraud, where the buyer simply supplies out-of-date or incorrect credit card information.
Dr.S.S.Riaz Ahamed et al. / International Journal of Engineering Science and Technology (IJEST) ISSN : 0975-5462 Vol. 3 No. 2 Feb 2011 1304

Table 1: Secure Commerce Requirements

Content security: The ability to send information across the Internet in a manner in which unauthorized entities are not able to read the contents.
Signature: The ability to specifically identify the entity associated with the information. Many things may be signed: contents, the message, and, frequently, several signatures may be embedded in a single message or information unit.
Content integrity: The ability to identify modification to the covered information.
Nonrepudiation of origin: The ability to identify who sent the information originally versus which intermediary forwarded it.
Nonrepudiation of receipt: The ability to identify that the information was received by the final addressed destination in a manner that cannot be repudiated. The information has been opened and interpreted to some degree.
Nonrepudiation of delivery: The ability to identify whether the information was delivered to an appropriate intermediary in a manner it cannot repudiate.
Key management: The functionality necessary to create, distribute, revoke, and manage the public/private keys.

While security features do not guarantee a secure system, they are necessary to build a secure system. Security features fall into four categories:
Authentication: Verifies that you are who you say you are. It enforces that you are the only one allowed to log on to your Internet banking account.
Authorization: Allows only you to manipulate your resources, and only in specific ways. This prevents you from increasing the balance of your account or deleting a bill.
Encryption: Deals with information hiding. It ensures you cannot spy on others during Internet banking transactions.
Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought specific merchandise.
Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. On subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents.

2. TRANSACTION AND ELEMENTS

Sensitive information has to be protected through at least three transactions:
1. Credit card details supplied by the customer, either to the merchant or to the payment gateway.
2. Credit card details passed to the bank for processing. This is handled by the complex security measures of the payment gateway.
3. Order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company.

Basically, electronic commerce takes place between two computers. Upon closer examination, the real (but subtler) answer is that it takes place between two parties, each of whom may be on opposite sides of the globe. It happens this way because many times it is easier to conduct business in this manner than in any other way. These complete fulfillments of transactions, apart from the actual shipping of goods, are done electronically in their entirety. In general, electronic commerce requires the following five elements:
1. Organizations' own enterprise networks, which house appropriate information, usually behind the organizations' firewall apparatus.
2. The public switched telephone network. This generally consists of LECs (Local Exchange Carriers) and CLECs (Competitive Local Exchange Carriers) at the local level and a multitude of Interexchange Carriers (IXCs) at the national backbone level.
3. The Internet, which consists of ISPs and NSPs and provides a large inter-enterprise infrastructure.
4. Online networks.
5. Specialized industry networks, such as those that support EDI.

3 SECURE ELECTRONIC PAYMENT PROTOCOL

IBM and MasterCard have cooperatively developed SEPP, an open, vendor-neutral, nonproprietary, license-free specification for securing on-line transactions. Many of its concepts were rolled into SET, which is expected to become the de facto standard.
There are several major business requirements addressed by SEPP:
1. To enable confidentiality of payment information.
2. To ensure integrity of all payment data transmitted.
3. To provide authentication that a cardholder is the legitimate owner of a card account.
4. To provide authentication that a merchant can accept MasterCard branded card payments with an acquiring member financial institution.
SEPP is the electronic equivalent of the paper charge slip, signature, and submission process. SEPP takes input from the negotiation process and causes the payment to happen via a three-way communication among the cardholder, merchant, and acquirer. SEPP only addresses the payment process; privacy of non-financial data is not addressed in the SEPP protocol. Hence, it is suggested that all SEPP communication be protected with encryption at a lower layer, such as with Netscape's SSL. Negotiation and delivery are also left to other protocols.
3.1 Process of SEPP

SEPP assumes that the cardholder and merchant have been communicating in order to negotiate the terms of a purchase and generate an order. These processes may be conducted via a WWW browser; alternatively, this operation may be performed through the use of electronic mail, via the user's review of a paper or CD-ROM catalog, or by other mechanisms. SEPP is designed to support transaction activity exchanged in both interactive and non-interactive modes.
The SEPP system is composed of a collection of elements involved in electronic commerce.
Cardholder: This is an authorized holder of a bankcard supported by an issuer and registered to perform electronic commerce.
Merchant: This is a merchant of goods, services, and/or e-products who accepts payment from cardholders electronically and may provide selling services and/or electronic delivery of items for sale.
Acquirer: This is a (MasterCard member) financial institution that supports merchants by providing service for processing credit-card based transactions.
Certificate management system: This is an agent of one or more bankcard associations that provides for the creation and distribution of electronic certificates for merchants, acquirers, and cardholders.
Banknet: This represents the existing network which interfaces acquirers, issuers, and the certificate management system.
These elements for Web commerce exist today and interact through existing mechanisms, with the exception of the certificate management system. In the SEPP system, these components acquire expanded roles that complement their existing functionality in the electronic commerce context.
Several basic transaction messages are required in a SEPP-based environment; when variations to the canonical flow occur, additional data will be required in the supplementary messages.

Messages for SEPP-compliant processing of payment transactions:
Purchase Order Request
Authorization Request
Authorization Response
Purchase Order Inquiry
Purchase Order Inquiry Response

Additional messages for on-line customers:
Initiate
Invoice
Purchase Order Inquiry Response

Messages for off-line transactions or transactions sent to a merchant not on-line with the acquirer:
Purchase Order Response

4. SECURE ELECTRONIC TRANSACTION

SET (Secure Electronic Transaction) is a specification designed to utilize technology for authenticating the parties involved in payment card purchases on any type of online network, including the Internet. SET was developed by Visa and MasterCard, with participation from leading technology companies, including Microsoft, IBM, RSA, Terisa Systems, and VeriSign. By using sophisticated cryptographic techniques, SET will make cyberspace a safer place for conducting business and is expected to boost consumer confidence in electronic commerce. SET focuses on maintaining confidentiality of information, ensuring message integrity, and authenticating the parties involved in a transaction. The significance of SET over existing Internet security protocols lies in its use of digital certificates. Digital certificates will be used to authenticate all the parties involved in a transaction. SET will provide those in the virtual world with the same level of trust and confidence a consumer has today when making a purchase at any of the 13 million Visa-acceptance locations in the physical world.
Payments are the most important factor of any transaction, and Internet hardware/software vendors have put their efforts into handling this factor in a secure way. They have made a variety of announcements in the past couple of years related to support for the most popular secure payment protocols. Three methods have evolved in the recent past. Netscape Communications Corporation and Microsoft Corporation have promoted their respective payment protocols and installed them in World Wide Web browsers and servers.
1. SEPP has been championed by MasterCard and Netscape and by other supporters; the American National Standards Institute (ANSI) is fast-tracking SEPP as a standard for the industry.
2. STT was developed jointly by Visa and Microsoft as a method to secure bankcard transactions over open networks. STT uses cryptography to secure confidential information transfer, ensure payment integrity, and authenticate both merchants and cardholders. Confidentiality of information is ensured by the use of message encryption; payment information integrity is ensured by the use of digital signatures; cardholder account authentication is ensured by the use of digital signatures and cardholder credentials; merchant authentication is ensured by the use of digital signatures and merchant credentials; and interoperability is ensured by the use of specific protocols and message formats.
3. At this juncture, it appears that SET will become the industry de facto standard. SET has emerged recently as a convergence of the previous standards and has a lot in common with SEPP. SET is expected to be rapidly incorporated into industrial-strength merchantware already available from Netscape, Microsoft, IBM, and other software sellers.
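The requirements of Table 1 and the properties the SEPP and STT/SET descriptions above keep returning to (confidentiality by message encryption, payment integrity and cardholder authentication by digital signature) can be seen end to end in the following Go program. It is an added example written for this page, not code from the paper or from the SEPP, STT or SET specifications: the message layout, the field names, the choice of RSA-PSS signing with an RSA-OAEP-wrapped AES-GCM content key, and the sample order and card data are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PaymentInstruction is the electronic charge slip; field names and values are constructed.
type PaymentInstruction struct {
	OrderID    string `json:"order_id"`
	AmountCent int64  `json:"amount_cents"`
	PAN        string `json:"pan"` // constructed sample number, not a real account
}

// Envelope is the opaque object the cardholder hands the merchant to forward to the acquirer.
type Envelope struct {
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the acquirer
	Nonce      []byte
	Ciphertext []byte // AES-GCM over (PSS signature || JSON instruction)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the cardholder side: sign the instruction (integrity, nonrepudiation of origin,
// cardholder authentication), then encrypt it for the acquirer (confidentiality).
func Seal(cardholder *rsa.PrivateKey, acquirerPub *rsa.PublicKey, pi PaymentInstruction) (*Envelope, error) {
	plain, err := json.Marshal(pi)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, cardholder, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // fresh content key and GCM nonce for this one payment
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, acquirerPub, key, nil)
	if err != nil {
		return nil, err
	}
	body := append(append([]byte{}, sig...), plain...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open is the acquirer side: unwrap the key, decrypt (which also checks integrity), then
// verify that the instruction really was signed by the cardholder's key.
func Open(acquirer *rsa.PrivateKey, cardholderPub *rsa.PublicKey, env *Envelope) (*PaymentInstruction, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, acquirer, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext integrity check failed: %w", err)
	}
	sigLen := cardholderPub.Size() // a PSS signature is exactly one modulus length
	if len(body) < sigLen {
		return nil, fmt.Errorf("malformed payload")
	}
	sig, instr := body[:sigLen], body[sigLen:]
	digest := sha256.Sum256(instr)
	if err := rsa.VerifyPSS(cardholderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("cardholder signature invalid: %w", err)
	}
	var pi PaymentInstruction
	err = json.Unmarshal(instr, &pi)
	return &pi, err
}

// RunDemo generates keys for a cardholder and an acquirer, passes one payment through
// Seal and Open, and shows that a copy altered in transit is rejected.
func RunDemo() (accepted *PaymentInstruction, panHidden, tamperRejected bool, err error) {
	cardholder, err1 := rsa.GenerateKey(rand.Reader, 2048)
	acquirer, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, false, false, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	pi := PaymentInstruction{OrderID: "ORD-1001", AmountCent: 4999, PAN: "4111111111111111"}
	env, err := Seal(cardholder, &acquirer.PublicKey, pi)
	if err != nil {
		return nil, false, false, err
	}
	panHidden = !bytes.Contains(env.Ciphertext, []byte(pi.PAN)) // the merchant relays, but cannot read, the card number
	if accepted, err = Open(acquirer, &cardholder.PublicKey, env); err != nil {
		return nil, false, false, err
	}
	tampered := *env // a forwarding party flips one bit; AES-GCM detects it before the signature is checked
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tErr := Open(acquirer, &cardholder.PublicKey, &tampered)
	return accepted, panHidden, tErr != nil, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

The merchant holds the Envelope only long enough to forward it: the card number is inside the ciphertext, so content security holds even though the merchant is in the path, and the acquirer's signature check is what gives nonrepudiation of origin. Keys are generated per run here; in SEPP and SET they would be bound to the parties through the certificates section 5 describes.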
5 CERTIFICATE FOR AUTHENTICATION

A digital certificate is a foolproof way of identifying both consumers and merchants. The digital certificate acts like a network version of a driver's license: it is not credit, but used in conjunction with any number of credit mechanisms, it verifies the user's identity. Digital certificates, which are issued by certificate authorities such as VeriSign and CyberTrust, include the holder's name, the name of the certificate authority, a public key for cryptographic use, and a time limit for the use of the certificate. The certificate typically includes a class, which indicates to what degree it has been verified. For example, VeriSign's digital certificates come in three classes. Class 1 is the easiest to get and includes the fewest checks on the user's background: only his or her name and e-mail address are verified. For class 2, the issuing authority checks the user's driver's license, social security number, and date of birth. Users applying for a class 3 certificate can expect the issuing authority to perform a credit check using a service such as Equifax, in addition to requiring the information required for a class 2 certificate. It is now becoming easier for vendors and for consumers to get digital certificates. VeriSign and CyberTrust, the two primary commercial issuers of digital certificates, can issue certificates via the web.
Table 2: Certificate Classes

Class 1
  Summary of confirmation of identity: Automated unambiguous name and e-mail address search
  Issuing authority private key protection: PCA: trustworthy hardware; CA: trustworthy software or trustworthy hardware
  Certificate applicant and subscriber private key protection: PIN-protected encryption software recommended but not required
  Applications implemented or contemplated by users: Web browsing and certain e-mail usage

Class 2
  Summary of confirmation of identity: Same as class 1, plus automated enrollment information check and automated address check
  Issuing authority private key protection: PCA and CA: trustworthy hardware
  Certificate applicant and subscriber private key protection: PIN-protected encryption software required
  Applications implemented or contemplated by users: Individual and intra- and inter-company e-mail, online subscriptions, password replacement, software validation

Class 3
  Summary of confirmation of identity: Same as class 1, plus personal presence and ID documents, plus class 2 automated ID check for individuals; business records for organizations
  Issuing authority private key protection: PCA and CA: trustworthy hardware
  Certificate applicant and subscriber private key protection: PIN-protected encryption software required; hardware token recommended but not required
  Applications implemented or contemplated by users: E-banking, corporate database access, personal banking, membership-based online services, content integrity services, e-commerce server, software validation
6 SECURITY ON WEB SERVERS AND ENTERPRISE NETWORKS

Financial transaction security is a major concern for businesses that offer products or services over the Internet. However, there is also the need for security of the merchant host. This is necessary in order to protect (1) files containing buyers' information that might reside on the accessible web server, and (2) the overall information platform of the organization.
Two general techniques are available:
1. Host-based security capabilities; these are means by which each and every computer on the system is made impregnable.
2. Security watchdog systems, which guard the set of internal interconnected systems. Communication between the internal world and the external world must be funneled through these systems.

These watchdog systems that deal with security within an organization's own enterprise network are called firewalls. A firewall allows a business to specify the level of access that will be afforded to network users. Proxies support transactions on behalf of a client in a two-step manner.

7 NETWORK TRANSPORT AND PAYMENT SECURITY

Traditional networking protocols and applications are unable to enforce strong security measures for performing e-commerce transactions securely. This lack of security led to the design and implementation of many new security protocols that strive to reach different security goals. There are some secure transport protocols that provide confidentiality and authentication between systems and applications by using encryption.

7.1 Virtual Private Network

Virtual Private Networking technology provides the medium to use the public Internet backbone as an appropriate channel for private data communication. With encryption and encapsulation technology, a VPN essentially carves out a private passageway through the Internet. VPNs allow remote offices, company road warriors, and even business partners or customers to use the Internet, rather than pricey private lines, to reach company networks, so companies can save a lot of money. A VPN also provides encryption and authentication services for a fairly good measure of privacy.

7.2 Smart Cards

Smart card payment schemes are very popular.
These schemes tend to protect the privacy of the buyer, while speeding up the verification portion of the transaction. Each smart card has a stored monetary value, and as a buyer purchases products, the value on the card is reduced. With smart cards, the money is linked to the card (not the user), so if a smart card is lost, the cash value still on the card is lost as well. The biggest detractor of using smart cards is the need to use special hardware such as smart card readers. One company has attempted to overcome that by releasing a Universal Serial Bus (USB) smart card that plugs right into a USB port without requiring any additional hardware.

8. FIREWALL

Firewalls (software or hardware) protect a server, a network, and an individual PC from attack by viruses and hackers. Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret key cryptography to restrict access to authorized employees. A firewall supports communication-based security to screen out undesired communications which can cause havoc on the host. Host-based security is a critical element of overall computer security, although it does not scale easily; nonetheless, it must be employed. Ideally, an administrator uses all available tools, including host security and communication gateway security. It is like having two locks on a door: both methods should be used for increased assurance. The firewall deployment in the enterprise network must support the following capabilities:
1. All traffic between the inside and outside must transit through the firewall; and
2. Only authorized traffic, as defined by the security policy, is allowed to transit.
The firewall itself must be immune to penetration. Firewalls act as a single focus for the security policy of the organization and support advanced authentication techniques such as smart cards and one-time passwords. In addition, they prevent the release of information such as DNS and finger information. Furthermore, they provide an identifiable location for logging alarms or trigger conditions.
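The two firewall capabilities listed above (all traffic transits the firewall; only policy-authorized traffic passes), together with the points about withholding DNS and finger information and about having one place to log alarms, translate into a first-match packet-filter policy with a default deny. The Go program below is an added example for this page, not code from the paper or from any firewall product: the network ranges, host addresses, rule names and sample packets are all constructed, and the policy is deliberately small.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction of a flow relative to the enterprise network.
type Direction int

const (
	Inbound  Direction = iota // from the outside world to the inside
	Outbound                  // from the inside to the outside world
)

// Packet is the minimal view a packet filter needs (constructed sample type).
type Packet struct {
	Dir     Direction
	Src     netip.Addr
	Dst     netip.Addr
	Proto   string // "tcp" or "udp"
	DstPort uint16
}

// Rule is one line of the security policy. DstPort 0 matches any port.
type Rule struct {
	Name    string
	Dir     Direction
	SrcNet  netip.Prefix
	DstNet  netip.Prefix
	Proto   string
	DstPort uint16
	Allow   bool
}

// Decision records which rule decided a packet's fate.
type Decision struct {
	Allowed bool
	Rule    string
}

// Firewall evaluates rules first-match; anything unmatched is denied and logged.
type Firewall struct {
	Rules []Rule
	Log   []string // the single place for alarms and trigger conditions
}

func (r Rule) matches(p Packet) bool {
	return r.Dir == p.Dir && r.SrcNet.Contains(p.Src) && r.DstNet.Contains(p.Dst) &&
		r.Proto == p.Proto && (r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies the policy to one packet. Every denial, explicit or default, is logged.
func (f *Firewall) Filter(p Packet) Decision {
	for _, r := range f.Rules {
		if !r.matches(p) {
			continue
		}
		if !r.Allow {
			f.Log = append(f.Log, fmt.Sprintf("DENY %s %s -> %s:%d/%s", r.Name, p.Src, p.Dst, p.DstPort, p.Proto))
		}
		return Decision{Allowed: r.Allow, Rule: r.Name}
	}
	f.Log = append(f.Log, fmt.Sprintf("DENY default-deny %s -> %s:%d/%s", p.Src, p.Dst, p.DstPort, p.Proto))
	return Decision{Allowed: false, Rule: "default-deny"}
}

// NewShopFirewall builds a constructed policy for a merchant host: only HTTPS reaches the
// web server, internal hosts may only resolve names through one resolver, and finger and
// DNS zone-transfer requests (the "DNS and finger information" leak) are refused explicitly.
func NewShopFirewall() *Firewall {
	anyNet := netip.MustParsePrefix("0.0.0.0/0")
	inside := netip.MustParsePrefix("10.0.0.0/8")
	webServer := netip.MustParsePrefix("10.0.1.10/32")
	resolver := netip.MustParsePrefix("203.0.113.53/32") // documentation address, constructed
	return &Firewall{Rules: []Rule{
		{"allow-https-to-shop", Inbound, anyNet, webServer, "tcp", 443, true},
		{"block-finger", Inbound, anyNet, inside, "tcp", 79, false},
		{"block-dns-zone-transfer", Inbound, anyNet, inside, "tcp", 53, false},
		{"allow-dns-to-resolver", Outbound, inside, resolver, "udp", 53, true},
		{"allow-web-out", Outbound, inside, anyNet, "tcp", 443, true},
	}}
}

// RunDemo pushes constructed sample packets through the policy and returns the
// decisions in order, plus the denial log.
func RunDemo() ([]Decision, []string) {
	fw := NewShopFirewall()
	web := netip.MustParseAddr("10.0.1.10")
	dbHost := netip.MustParseAddr("10.0.2.20")
	outsider := netip.MustParseAddr("198.51.100.7")
	samples := []Packet{
		{Inbound, outsider, web, "tcp", 443},                               // shopper's SSL session: allowed
		{Inbound, outsider, web, "tcp", 79},                                // finger probe: explicit deny
		{Inbound, outsider, web, "tcp", 53},                                // zone transfer attempt: explicit deny
		{Inbound, outsider, dbHost, "tcp", 3306},                           // direct hit on the database: default deny
		{Outbound, dbHost, netip.MustParseAddr("203.0.113.53"), "udp", 53}, // resolver lookup: allowed
		{Outbound, dbHost, outsider, "udp", 53},                            // DNS to an arbitrary host: default deny
	}
	var out []Decision
	for _, p := range samples {
		out = append(out, fw.Filter(p))
	}
	return out, fw.Log
}

func main() {
	decisions, log := RunDemo()
	for _, d := range decisions {
		fmt.Printf("allowed=%-5v rule=%s\n", d.Allowed, d.Rule)
	}
	fmt.Println(len(log), "denials logged")
}
```

The fourth sample packet is the important one: nothing in the policy mentions the database host, and it is still dropped, because the rule list ends in an implicit deny rather than an implicit allow. That is what "only authorized traffic based on the security policy is allowed transit" means in practice, and the log entry it produces is the alarm the paper says a firewall should give a single identifiable location for.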
9. CONCLUSION

On the surface, the future of ecommerce looks bright. There are benefits for both the retailer and the consumer. In many ways, ecommerce is becoming a self-fulfilling prophecy: as more consumers are drawn to the Internet for their shopping needs, more and more retailers begin doing business on the Internet, which leads to more consumers. E-commerce requires reliable and robust servers in order to store large amounts of digital content and to distribute it to consumers. These servers are multimedia storage servers, which are large information warehouses handling various contents, ranging from books, newspapers, advertisement catalogs, movies, and games to x-ray images. Electronic commerce combines the advantages of computer-based processing (speed, reliability, and relatively high volumes of data) with the advantages of people-based insight (creativity, flexibility, adaptability). It enables people to review, analyze, add value to, and sell a variety of products that are represented electronically. Even more than benefiting the average consumer, ecommerce makes doing business easier and more economical for merchants and retailers. Advancements in technology have provided a fast, cheap way to sell and market products. Because of the mass appeal of the Internet and the enormous visibility, advertising and marketing have become an integral part of the ecommerce business model. Secure ecommerce also offers less overhead, a wider marketing base, and eliminates the need for a physical storefront.