
TRANSACTION BASED SECURITY ISSUES AND PATHWAYS TO EFFECTIVE ELECTRONIC COMMERCE: FROM TACTICS TO STRATEGY

Dr. S. S. Riaz Ahamed (1), Dr. V. Kubendran (2), Mr. A. Ahamed Ansari (3)

(1) Principal, Sathak Institute of Technology, Ramanathapuram, India.
(2) Professor, Dept of Management Studies, Bharathiar University, Coimbatore, India.
(3) Assistant Professor, Dept of Management Studies, Mohamed Sathak Engineering College, India.
Email: globalresearch@india.com
ABSTRACT
Electronic commerce promises to empower consumers and producers alike with the ability to engage in mutually satisfactory interactions, providing fulfillment in real time over the Internet for the exchange of products, services, or information. Fulfillment in real time, offering a complete, self-directing, interactive order processing capability, is the true promise of electronic commerce for business. Electronic commerce is thus the conducting of business communication and transactions over networks and through computers. Most restrictively defined, electronic commerce is the buying and selling of goods and services, and the transfer of funds, through digital communications. Electronic commerce also includes all inter-company and intra-company functions, such as marketing, finance, manufacturing, selling, and negotiation, that enable commerce and utilize file transfer, e-mail, EDI, video conferencing, workflow, or interaction with a remote computer, including the World Wide Web. Transaction security is a major concern for businesses that offer products or services over the Internet. Secure ecommerce has revolutionized the 21st century in a way that few other technologies have. Over the past decade, the phenomenon of ecommerce has developed into a full-blown industry. Once used solely for business-to-business purposes, today nearly everyone has made at least one purchase using an ecommerce platform.
Keywords: Local Exchange Carriers (LEC), Competitive Local Exchange Carriers (CLEC), Secure Electronic
Transaction (SET).
1 INTRODUCTION
Electronic commerce is the symbiotic integration of communications, data management, and security
capabilities to allow business applications within different organizations to automatically exchange information
related to the sale of goods and services.
The Internet has emerged as an appliance of everyday life, accessible from almost every point on the planet.
Students across the world are discovering vast treasure troves of data via the World Wide Web. Doctors are
utilizing Tele-medicine to administer off-site diagnoses to patients in need. Citizens of many nations are finding
additional outlets for personal and political expression. The Internet is being used to reinvent government and
reshape our lives and our communities in the process. The Internet will also revolutionize retail and direct
marketing. Consumers will be able to shop in their homes for a wide variety of products from manufacturers and
retailers all over the world. They will be able to view these products on their computers or televisions, access
information about the products, visualize the way the products may fit together (constructing a room of furniture
on their screen, for example), and order and pay for their choice, all from their living rooms.
Another issue to be tackled is just plain fraud, where the buyer simply supplies out-of-date or incorrect credit card information.

Dr.S.S.Riaz Ahamed et al. / International Journal of Engineering Science and Technology (IJEST)
ISSN : 0975-5462 Vol. 3 No. 2 Feb 2011 1304
Requirement: Description
Content security: The ability to send information across the Internet in a manner in which unauthorized entities are not able to read the contents.
Signature: The ability to specifically identify the entity associated with the information. Many things may be signed: the contents, the message, and, frequently, several signatures may be embedded in a single message or information unit.
Content integrity: The ability to identify modification to the covered information.
Nonrepudiation of origin: The ability to identify who sent the information originally versus which intermediary forwarded it.
Nonrepudiation of receipt: The ability to identify that the information was received by the final addressed destination in a manner that cannot be repudiated. The information has been opened and interpreted to some degree.
Nonrepudiation of delivery: The ability to identify whether the information was delivered to an appropriate intermediary in a manner that cannot be repudiated.
Key management: The functionality necessary to create, distribute, revoke, and manage the public/private keys.
Table 1: Secure Commerce Requirements
While security features do not guarantee a secure system, they are necessary to build a secure system. Security features fall into four categories:
Authentication: Verifies that you are who you say you are. It ensures that you are the only one allowed to log on to your Internet banking account.
Authorization: Allows only you to manipulate your resources, and only in specific ways. This prevents you from increasing the balance of your account or deleting a bill.
Encryption: Deals with information hiding. It ensures that you cannot spy on others during Internet banking transactions.
Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought specific merchandise.
Secure Sockets Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. On subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents.
2. TRANSACTION AND ELEMENTS
Sensitive information has to be protected through at least three transactions:
1. Credit card details supplied by the customer, either to the merchant or to the payment gateway.
2. Credit card details passed to the bank for processing, handled by the complex security measures of the payment gateway.
3. Order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company.
Basically, electronic commerce takes place between two computers. Upon closer examination, the real (but subtler) answer is that it takes place between two parties, each of whom may be on opposite sides of the globe. It happens this way because it is often easier to conduct business in this manner than in any other. These transactions, apart from the actual shipping of goods, are fulfilled electronically in their entirety.
In general, electronic commerce requires the following five elements:
1. Organizations' own enterprise networks, which house the appropriate information, usually beyond the organizations' firewall apparatus.
2. The public switched telephone network. This generally consists of LECs (Local Exchange Carriers) and CLECs (Competitive Local Exchange Carriers) at the local level and a multitude of Interexchange Carriers (IXCs) at the national backbone level.
3. The Internet, which consists of ISPs and NSPs and provides a large inter-enterprise infrastructure.
4. Online networks.
5. Specialized industry networks such as those that support EDI.
3 SECURE ELECTRONIC PAYMENT PROTOCOL
IBM and MasterCard have cooperatively developed SEPP, an open, vendor-neutral, nonproprietary, license-free specification for securing on-line transactions. Many of its concepts were rolled into SET, which is expected to become the de facto standard.

There are several major business requirements addressed by SEPP:
1. To enable confidentiality of payment information.
2. To ensure integrity of all payment data transmitted.
3. To provide authentication that a cardholder is the legitimate owner of a card account.
4. To provide authentication that a merchant can accept MasterCard branded card payments with an acquiring member financial institution.

SEPP is the electronic equivalent of the paper charge slip, signature, and submission process. SEPP takes input from the negotiation process and causes the payment to happen via a three-way communication among the cardholder, merchant, and acquirer. SEPP only addresses the payment process; privacy of non-financial data is not addressed in the SEPP protocol, hence it is suggested that all SEPP communication be protected with encryption at a lower layer, such as Netscape's SSL. Negotiation and delivery are also left to other protocols.

3.1 Process of SEPP
SEPP assumes that the cardholder and merchant have been communicating in order to negotiate the terms of a purchase and generate an order. These processes may be conducted via a WWW browser; alternatively, this operation may be performed through electronic mail, via the user's review of a paper or CD-ROM catalog, or by other mechanisms. SEPP is designed to support transaction activity exchanged in both interactive and noninteractive modes.

The SEPP system is composed of a collection of elements involved in electronic commerce.

Cardholder - This is an authorized holder of a bankcard supported by an issuer and registered to perform electronic commerce.
Merchant - This is a merchant of goods, services, and/or e-products who accepts payment from cardholders electronically and may provide selling services and/or electronic delivery of items for sale.
Acquirer - This is a (MasterCard member) financial institution that supports merchants by providing service for processing credit-card based transactions.
Certificate management system - This is an agent of one or more bankcard associations that provides for the creation and distribution of electronic certificates for merchants, acquirers, and cardholders.
Banknet - This represents the existing network which interfaces acquirers, issuers, and the certificate management system.

These elements for Web commerce exist today and interact through existing mechanisms, with the exception of the certificate management system. In the SEPP system, these components acquire expanded roles to complement existing functionality in the electronic commerce context.

Several basic transaction messages are required in a SEPP-based environment; when variations to the canonical flow occur, additional data will be required in the supplementary messages.
Messages for SEPP-compliant processing of payment transactions:
Purchase Order Request
Authorization Request
Authorization Response
Purchase Order Inquiry
Purchase Order Inquiry Response
Additional messages for on-line customers:
Initiate
Invoice
Purchase Order Inquiry Response
Messages for off-line transactions, or transactions sent to a merchant not on-line with the acquirer:
Purchase Order Response
4. SECURE ELECTRONIC TRANSACTION
SET (Secure Electronic Transaction) is a specification designed to utilize technology for authenticating the parties involved in payment card purchases on any type of online network, including the Internet. SET was developed by Visa and MasterCard, with participation from leading technology companies, including Microsoft, IBM, RSA, Terisa Systems, and VeriSign. By using sophisticated cryptographic techniques, SET will make cyberspace a safer place for conducting business and is expected to boost consumer confidence in electronic commerce. SET focuses on maintaining confidentiality of information, ensuring message integrity, and authenticating the parties involved in a transaction. The significance of SET, over existing Internet security protocols, lies in its use of digital certificates. Digital certificates will be used to authenticate all the parties involved in a transaction. SET will provide those in the virtual world with the same level of trust and confidence a consumer has today when making a purchase at any of the 13 million Visa-acceptance locations in the physical world. Payments are the critical element of any transaction, and Internet hardware and software vendors have concentrated their efforts on securing them. They have made a variety of announcements in the past couple of years related to support for the most popular payment security protocols. Three methods have evolved in the recent past. Netscape Communications Corporation and Microsoft Corporation have promoted their respective payment protocols and installed them in World Wide Web browsers and servers.
1. SEPP has been championed by MasterCard and Netscape and by other supporters; the American
National Standards Institute (ANSI) is fast-tracking SEPP as a standard for the industry.
2. STT was developed jointly by Visa and Microsoft as a method to secure bankcard transactions over
open networks. STT uses cryptography to secure confidential information transfer, ensure payment
integrity, and authenticate both merchants and cardholders. Confidentiality of information is ensured by
the use of message encryption; payment information integrity is ensured by the use of digital
signatures; cardholder account authentication is ensured by the use of digital signatures and cardholder
credentials, merchant authentication is ensured by the use of digital signatures and merchant
credentials; and interoperability is ensured by the use of specific protocols and message formats.
3. At this juncture, it appears that SET will become the industry de facto standard. SET has emerged
recently as a convergence of the previous standards and has a lot in common with SEPP. SET is
expected to be rapidly incorporated into industrial-strength merchantware already available from
Netscape, Microsoft, IBM, and other software sellers.
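The properties listed for STT and SET above (confidentiality through message encryption, integrity and origin authentication through digital signatures) are the same ones Table 1 names as content security, signature and content integrity. The Go program below is an added illustration written for this article, not code from SEPP, STT or SET, and its message layout is an assumption rather than any of those protocols' wire formats. A constructed order string is encrypted with AES-256-GCM and its digest signed with the cardholder's ECDSA key; the receiver then accepts the honest message, rejects one whose ciphertext was altered in transit, and rejects one signed by a key other than the cardholder's. How the session key is agreed between the parties is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample payload: order and payment details a cardholder would send.
// The field layout is an assumption for this example, not a SEPP/SET format.
var sampleOrder = []byte("order=1001;merchant=Example Shop;amount=49.95;pan=[constructed test PAN]")

// SealedMessage is what travels over the network: the ciphertext (confidentiality),
// the nonce AES-GCM needs, and the sender's signature over the plaintext digest
// (integrity plus authentication of origin).
type SealedMessage struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// seal encrypts payload with AES-256-GCM under key and signs its SHA-256 digest
// with the sender's ECDSA private key.
func seal(payload, key []byte, signer *ecdsa.PrivateKey) (*SealedMessage, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, nil)
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	return &SealedMessage{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// open decrypts and then verifies the signature. GCM's authentication tag rejects a
// modified ciphertext; the ECDSA check ties the plaintext to the claimed sender's key.
func open(msg *SealedMessage, key []byte, senderPub *ecdsa.PublicKey) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("content integrity check failed: %w", err)
	}
	digest := sha256.Sum256(plain)
	if !ecdsa.VerifyASN1(senderPub, digest[:], msg.Signature) {
		return nil, errors.New("signature does not match the sender's key")
	}
	return plain, nil
}

// Demo runs the honest exchange and two failure cases, reporting each outcome.
func Demo() (honestOK, tamperRejected, wrongSignerRejected bool) {
	cardholder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := make([]byte, 32) // session key; its agreement is out of scope here
	io.ReadFull(rand.Reader, key)

	msg, _ := seal(sampleOrder, key, cardholder)
	plain, err := open(msg, key, &cardholder.PublicKey)
	honestOK = err == nil && string(plain) == string(sampleOrder)

	// An intermediary flips one ciphertext bit (say, to change the amount).
	tampered := *msg
	tampered.Ciphertext = append([]byte(nil), msg.Ciphertext...)
	tampered.Ciphertext[len(tampered.Ciphertext)/2] ^= 0x01
	_, err = open(&tampered, key, &cardholder.PublicKey)
	tamperRejected = err != nil

	// A message signed by someone other than the cardholder fails the origin check.
	forged, _ := seal(sampleOrder, key, impostor)
	_, err = open(forged, key, &cardholder.PublicKey)
	wrongSignerRejected = err != nil
	return honestOK, tamperRejected, wrongSignerRejected
}

func main() {
	a, b, c := Demo()
	fmt.Printf("honest=%v tamperRejected=%v wrongSignerRejected=%v\n", a, b, c)
}
```

Signing the plaintext digest rather than the ciphertext means only a party holding the session key can verify the signature, which matches the paper's point that SEPP leaves confidentiality of the surrounding channel to a lower layer such as SSL.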

5 CERTIFICATE FOR AUTHENTICATION
A digital certificate is a foolproof way of identifying both consumers and merchants. The digital certificate acts like a network version of a driver's license: it is not credit, but, used in conjunction with any number of credit mechanisms, it verifies the user's identity. Digital certificates, which are issued by certificate authorities such as VeriSign and CyberTrust, include the holder's name, the name of the certificate authority, a public key for cryptographic use, and a time limit for the use of the certificate. The certificate typically includes a class, which indicates to what degree it has been verified. For example, VeriSign's digital certificates come in three classes. Class 1 is the easiest to get and includes the fewest checks on the user's background: only his or her name and e-mail address are verified. For class 2, the issuing authority checks the user's driver's license, social security number, and date of birth. Users applying for a class 3 certificate can expect the issuing authority to perform a credit check using a service such as Equifax, in addition to requiring the information required for a class 2 certificate.
It is now becoming easier for vendors and for consumers to get digital certificates. VeriSign and CyberTrust, the two primary commercial issuers of digital certificates, can issue certificates via the web.
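The SSL step described in Section 1, where the browser decides whether the server is a trusted entity, and the certificate contents listed here both come down to X.509 chain verification. The Go program below is an added example, not code from VeriSign, CyberTrust or any browser; the authority names, host names, fixed clock and 24-hour validity period are constructed for the demonstration. It issues a root CA certificate and a server certificate carrying the holder's name, the issuer's name, a public key and a validity window, then runs the client-side check for the four outcomes a shopper's browser can meet: a trusted chain, a certificate from an unknown authority, a certificate issued for a different host, and an expired certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock (constructed) so that the expiry scenario is reproducible.
var clock = time.Date(2011, time.February, 1, 12, 0, 0, 0, time.UTC)

var nextSerial int64 = 1

// issue builds a certificate with the fields the paper lists: the holder's name
// (Subject), the issuing authority's name (taken from the parent certificate), the
// holder's public key and a time limit. A nil issuer means self-signed, i.e. a root CA.
func issue(name string, dns []string, isCA bool, validFor time.Duration,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             clock,
		NotAfter:              clock.Add(validFor), // the "time limit" on the certificate
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signKey := tmpl, key // self-signed unless an issuer is supplied
	if issuer != nil {
		parent, signKey = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyForHost is the client-side check: a chain to a trusted root, validity at the
// given time, and a name matching the host the client intended to reach.
func verifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios reports, for each situation a client may face, whether the server's
// certificate was accepted. Only the honest case should come back true.
func Scenarios() map[string]bool {
	tenYears := 10 * 365 * 24 * time.Hour
	goodCA, goodKey := issue("Example CA", nil, true, tenYears, nil, nil)
	rogueCA, rogueKey := issue("Rogue CA", nil, true, tenYears, nil, nil)
	shop, _ := issue("shop.example", []string{"shop.example"}, false, 24*time.Hour, goodCA, goodKey)
	fake, _ := issue("shop.example", []string{"shop.example"}, false, 24*time.Hour, rogueCA, rogueKey)

	trusted := x509.NewCertPool() // the client's trust store holds only Example CA
	trusted.AddCert(goodCA)
	soon := clock.Add(time.Hour)

	return map[string]bool{
		"trusted chain":     verifyForHost(shop, trusted, "shop.example", soon) == nil,
		"unknown authority": verifyForHost(fake, trusted, "shop.example", soon) == nil,
		"wrong host":        verifyForHost(shop, trusted, "bank.example", soon) == nil,
		"expired":           verifyForHost(shop, trusted, "shop.example", clock.Add(48*time.Hour)) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-18s accepted=%v\n", name, ok)
	}
}
```

The "unknown authority" case is the one that matters most for a merchant site: a certificate can carry the right name and a valid period and still be worthless to the shopper if its issuer is not in the browser's trust store.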

Class 1
Summary of confirmation of identity: Automated unambiguous name and e-mail address search.
Issuing authority private key protection: PCA: trustworthy hardware; CA: trustworthy software or trustworthy hardware.
Certificate applicant and subscriber private key protection: PIN-protected encryption software recommended but not required.
Applications implemented or contemplated by users: Web browsing and certain e-mail usage.
Class 2
Summary of confirmation of identity: Same as class 1, plus automated enrollment information check and automated address check.
Issuing authority private key protection: PCA and CA: trustworthy hardware.
Certificate applicant and subscriber private key protection: PIN-protected encryption software required.
Applications implemented or contemplated by users: Individual and intra- and intercompany e-mail, online subscriptions, password replacement, software validation.
Class 3
Summary of confirmation of identity: Same as class 1, plus personal presence and ID documents, plus class 2 automated ID check for individuals; business records for organizations.
Issuing authority private key protection: PCA and CA: trustworthy hardware.
Certificate applicant and subscriber private key protection: PIN-protected encryption software required; hardware token recommended but not required.
Applications implemented or contemplated by users: E-banking, corporate database access, personal banking, membership-based online services, content integrity services, e-commerce server, software validation.
Table 2: Certificate Classes

6 SECURITY ON WEB SERVERS AND ENTERPRISE NETWORKS
Financial transaction security is a major concern for businesses that offer products or services over the Internet. However, there is also a need for security of the merchant host. This is necessary in order to protect (1) files containing buyers' information that might reside on the accessible web server; and (2) the overall information platform of the organization.

Two general techniques are available:
1. Host-based security capabilities; these are means by which each and every computer on the system is made impregnable.
2. Security watchdog systems, which guard the set of internal interconnected systems. Communication between the internal world and the external world must be funneled through these systems. Watchdog systems that deal with security within an organization's own enterprise network are called firewalls. A firewall allows a business to specify the level of access that will be afforded to network users. Proxies support transactions on behalf of a client in a two-step manner.
7 NETWORK TRANSPORT AND PAYMENT SECURITY
Traditional networking protocols and applications are unable to enforce strong security measures for
performing ECommerce transactions securely. This lack of security led to the design and implementation of
many new security protocols that strive to reach different security goals. There are some secure transport
protocols that provide confidentiality and authentication between systems and applications by using encryption.
7.1 Virtual Private Network
Virtual Private Networking technology provides the medium to use the public Internet backbone as an appropriate channel for private data communication. With encryption and encapsulation technology, a VPN essentially carves out a private passageway through the Internet. VPNs allow remote offices, company road warriors, and even business partners or customers to use the Internet, rather than pricey private lines, to reach company networks, so companies can save a lot of money. A VPN also provides encryption and authentication services for a fairly good measure of privacy.
7.2 Smart Cards
Smart card payment schemes are very popular. These schemes tend to protect the privacy of the buyer, while speeding up the verification portion of the transaction. Each smart card has a stored monetary value, and as a buyer purchases products, the value on the card is reduced. With smart cards, the money is linked to the card (not the user), so if a smart card is lost the cash value still on the card is lost as well. The biggest drawback of using smart cards is the need for special hardware such as smart card readers. One company has attempted to overcome that by releasing a Universal Serial Bus (USB) smart card that plugs right into a USB port without requiring any additional hardware.
8. FIREWALL
Firewalls (software or hardware) protect a server, a network and an individual PC from attack by viruses and
hackers. Equally important is protection from malice or carelessness within the system, and many companies
use the Kerberos protocol, which uses symmetric secret key cryptography to restrict access to authorized
employees. A firewall supports communication-based security to screen out undesired communications which
can cause havoc on the host. Host-based security is a critical element of overall computer security, although it
does not scale easily; nonetheless, it must be employed. Ideally, an administrator uses all available tools,
including host security and communication gateway security. It is like having two locks on a door: both
methods should be used for increased assurance. The firewall deployment in the enterprise network must
support the following capabilities:
1. All traffic between the inside and outside must transit through the firewall; and
2. Only authorized traffic based on the security policy is allowed transit. The firewall itself must be
immune to penetration.
Firewalls act as a single focus for the security policy of the organization and support advanced authentication techniques such as smart cards and one-time passwords. In addition, they prevent the release of information such as DNS and finger information. Furthermore, they provide an identifiable location for logging alarms or trigger conditions.
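As an added example written for this article (not from the paper or any firewall product), the Go program below models the second capability listed above, "only authorized traffic based on the security policy is allowed transit", as an ordered rule list with a default-deny fallback, and produces a log line for every denied flow, giving the single "identifiable location for logging alarms" the section mentions. The rule names, addresses (documentation ranges) and sample flows are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Flow is one connection attempt as seen at the choke point between inside and outside.
type Flow struct {
	Src, Dst netip.Addr
	DstPort  uint16
	Proto    string
}

// Rule is one line of the security policy. Rules are checked in order and the
// first match decides; a zero DstPort or an empty Proto matches anything.
type Rule struct {
	Name     string
	Src, Dst netip.Prefix
	DstPort  uint16
	Proto    string
	Allow    bool
}

func (r Rule) matches(f Flow) bool {
	return r.Src.Contains(f.Src) && r.Dst.Contains(f.Dst) &&
		(r.DstPort == 0 || r.DstPort == f.DstPort) &&
		(r.Proto == "" || strings.EqualFold(r.Proto, f.Proto))
}

// Verdict records the decision and which rule produced it.
type Verdict struct {
	Allowed bool
	Rule    string
}

// Evaluate applies the policy to one flow. A flow that no rule authorizes is
// denied, which is what "only authorized traffic is allowed transit" requires.
func Evaluate(policy []Rule, f Flow) Verdict {
	for _, r := range policy {
		if r.matches(f) {
			return Verdict{Allowed: r.Allow, Rule: r.Name}
		}
	}
	return Verdict{Allowed: false, Rule: "default-deny"}
}

// Audit runs flows through the policy, counting the allowed ones and producing a
// log line for each denial so that alarms are raised from one place.
func Audit(policy []Rule, flows []Flow) (allowed int, denied []string) {
	for _, f := range flows {
		v := Evaluate(policy, f)
		if v.Allowed {
			allowed++
			continue
		}
		denied = append(denied, fmt.Sprintf("DENY %s %s->%s:%d rule=%s",
			f.Proto, f.Src, f.Dst, f.DstPort, v.Rule))
	}
	return allowed, denied
}

// Constructed sample policy for a merchant web server at 203.0.113.10 with an
// internal network of 192.0.2.0/24 (documentation address ranges, not real hosts).
var policy = []Rule{
	{Name: "web-from-internet", Src: netip.MustParsePrefix("0.0.0.0/0"),
		Dst: netip.MustParsePrefix("203.0.113.10/32"), DstPort: 443, Proto: "tcp", Allow: true},
	{Name: "block-dns-to-internal", Src: netip.MustParsePrefix("0.0.0.0/0"),
		Dst: netip.MustParsePrefix("192.0.2.0/24"), DstPort: 53, Allow: false},
	{Name: "admin-from-inside", Src: netip.MustParsePrefix("192.0.2.0/24"),
		Dst: netip.MustParsePrefix("203.0.113.10/32"), DstPort: 22, Proto: "tcp", Allow: true},
}

// Constructed sample flows: a shopper, an outside DNS probe at an internal host,
// an outside SSH attempt that no rule covers, and an administrator connecting from inside.
var sampleFlows = []Flow{
	{Src: netip.MustParseAddr("198.51.100.7"), Dst: netip.MustParseAddr("203.0.113.10"), DstPort: 443, Proto: "tcp"},
	{Src: netip.MustParseAddr("198.51.100.7"), Dst: netip.MustParseAddr("192.0.2.5"), DstPort: 53, Proto: "udp"},
	{Src: netip.MustParseAddr("198.51.100.7"), Dst: netip.MustParseAddr("203.0.113.10"), DstPort: 22, Proto: "tcp"},
	{Src: netip.MustParseAddr("192.0.2.20"), Dst: netip.MustParseAddr("203.0.113.10"), DstPort: 22, Proto: "tcp"},
}

func main() {
	allowed, denied := Audit(policy, sampleFlows)
	fmt.Printf("allowed=%d denied=%d\n", allowed, len(denied))
	for _, line := range denied {
		fmt.Println(line)
	}
}
```

The third sample flow is the instructive one: it matches no rule at all, and the policy still denies it, which is the difference between a firewall that enforces a policy and one that merely blocks a list of known bad traffic.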

9. CONCLUSION
On the surface, the future of ecommerce looks bright. There are benefits for both the retailer and the consumer.
In many ways, eCommerce is becoming a self-fulfilling prophecy: as more consumers are drawn to the internet
for their shopping needs, more and more retailers begin doing business on the internet, which leads to more
consumers. E-commerce requires reliable and robust servers in order to store large amounts of digital content
and to distribute the same to consumers. These servers are multimedia storage servers which are large
information warehouses handling various contents, ranging from books, newspapers, advertisement catalogs,
movies, games, and x-ray images. Electronic commerce combines the advantages of computer-based processing
(speed, reliability and relatively high volumes of data) with the advantages of people-based insight (creativity,
flexibility, adaptability). It enables the people to review, analyze, add value, and sell a variety of products that
are represented electronically. Even more than benefiting the average consumer, eCommerce makes doing
business easier and more economical for merchants and retailers. Advancements in technology have provided a
fast, cheap way to sell and market products. Because of the mass appeal of the Internet and its enormous visibility, advertising and marketing have become an integral part of the ecommerce business model. Secure ecommerce also offers less overhead, a wider marketing base, and eliminates the need for a physical storefront.