E-commerce and Its Implementation in Airline Industry

E-Commerce

1

AN INDUSRIAL TRAINEE PROJECT ON

E-COMMERCE AND ITS IMPLEMENTATION IN AIRLINE INDUSTRY

SUBMITTED TO: AIR INDIA

SUBMITTED BY: ASHISH RAWAT

09-ECE-29 B.M. COLLEGE OF TECHNOLOGY AND MANAGEMENT

E-Commerce

2

CERTIFICATE

This is to certify that Ashish Rawat, a B.Tech. Student of B.M. College of Technology and Management has completed 6-week summer training with Air India under the guidance of Mr. Mukesh Sareen on the project” E-COMMERCE AND ITS IMPLEMENTATION IN AIRLINE INDUSTRY

“and has completed and submitted report. Air India

E-Commerce

3

ACKNOWLEDGEMENT

I Ashish Rawat, a B.Tech (7th semester) student wants to give my heartiest thanks to Mr. Mukesh Sareen, AIR INDIA for his continuous support during my six week summer training at AIR INDIA. He gave his helping hand whenever I faced any obstacle. He not only provided technical help but also gave us very much required motivational support and made me work hard to achieve my goals. I also thank him for giving his precious time. I would also like to thank General Manager of COMPUTER CENTER, AIR INDIA for allowing me to have training under reputed people and in a very prestigious organization. ASHISH RAWAT

E-Commerce

4

INDEX

1. INTRODUCTION………………………………………………………………………………………………………………………. 6 1.1. HISTORY………………………………………………………………………………………………………………………….. 6 1.2. ADVANTAGES OF E-COMMERCE………………………………………………………………………………………. 6 1.3. DISADVANTAGES OF E-COMMERCE…………………………………………………………………………………. 7

2. E-COMMERCE CLASSIFICATION……………………………………………………………………………………………….. 7 2.1. BUISNESS TO BUISNESS E-COMMERCE…………………………………………………………………………….. 7 2.2. BUISNESS TO COSUMER E-COMMERCE……………………………………………………………………………. 8 2.3. CONSUMER TO CONSUMER E-COMMERCE…………………………………………………………………….... 9 2.4. GOVERNMENT TO CONSUMER E-COMMERCE………………………………………………………………….. 10 2.5. CONSUMER TO GOVERNMENT E-COMMERCE………………………………………………………………….. 10 2.6. MOBILE COMMERCE………………………………………………………………………………………………………… 10

3. ENTITIES OF E-COMMERCE………………………………………………………………………………………………………. 11 3.1. CREDIT CARD…………………………………………………………………………………………………………………… 11

3.1.1. INTEREST CHARGED………..…………………………………………………………………………………….. 12 3.1.2. MASTERCARD……………………………………………………………………………………………………….. 13 3.1.3. VISA………………………………………………………………………………………………………………………. 15 3.1.4. GENERAL STEPS IN CREDIT CARD TRANSACTIONS…………………..…………………………….. 15 3.1.5. BENEFITS TO CREDIT CARD USER…………………………………………………………………………… 16 3.1.6. BENEFITS TO CUSTOMER………………………………………………………………………………………. 16 3.1.7. BENEFITS TO MERCHANT………………………………………………………………………………………. 16 3.1.8. DETRIMENTS TO MERCHANT……………………………………..…………………………………………. 17 3.1.9. P-COMMERCE…………………………………………………………………………………………..………….. 17 3.1.10. CREDIT CARD FRAUD…………………………………………………………………………………………….. 18

3.2. DEBIT CARD……………………………………………………………………………………………………………………... 20 3.2.1. VISA ELECTRON……………………………………………………………………………………………………… 20 3.2.2. MAESTRO………………………………………………………………………………………………………………. 21 3.2.3. ADVANTAGES OF DEBIT CARD………………………………………………………………………………... 21 3.2.4. DISADVANTAGES OF DEBIT CARD…………………………………………………………………………... 22 3.2.5. DEBIT CARD TRANSACTIONS…………………..…………………………………………………………..... 22

4. CHANNELS OF E-COMMERCE PAYMENT…………………………………………………………………………………….. 23 4.1. PAYMENT GATEWAY.………………………………………………………………………………………………………... 23

4.1.1. HOW PAYMENT GATEWAY WORKS………………………………………………………………………... 23 4.1.2. WHY IS PAYMENT GATEWAY NEEDED....................................................................... 24

4.2. NET BANKING…………………………………………………………………………………………………………………… 24 4.2.1. FEATURES…..…………………………………………………………………………………………………………. 24 4.2.2. SYSTEM SECURITY USED IN NET BANKING………….…………………………………………………… 25 4.2.3. TRANSFER SCHEMES……………………………..………………………………………………………………. 25 4.2.4. GENERAL STEPS IN BILL PAYMENT THROUGH NET BANKING……………………..……..…... 27 4.2.5. SECURITY FEATURES………………………………..……………………………………………………….……. 27

5. TECHNOLOGICAL REQUIREMENTS OF E-COMMERCE…………………………………………………………………. 27 5.1. SERVER…………………………………………………………………………………………………………….……………..… 28 5.2. AUTHENTICATION…………………………………………………………………………………………….……………….. 31 5.3. FIREWALLS……………………………………………………………………………………………………….……………… 32

E-Commerce

5

5.4. DIGITAL CERTIFICATES………………………………………………………………………………………………….….. 34 5.5. NON-REPUDIATION……………………………………………………………………………………………………….… 36 5.6. ANTI- VIRUS……………………………………………………………………………….. ……………………………….… 37 5.7. ANTI-SPAM……………………………………………………………………….. ………..…………………………………. 37 5.8. IPSEC…………………………………………………………………………………………….……………………………….. 38 5.9. SSL………………………………………………………………………………………………………………………….………. 39

6. TECHNOLOGIES REQUIRED BY USER………………………………………………………………….…………………….. 41 6.1. PERSONAL COMPUTER…………………………………………………………………………………….……………… 41 6.2. VIRTUAL KEYBOARD……..…………………………………………………………….………………………………….. 41 6.3. PASSWORD PROTECTION……………………………………………………………………………………………….. 42 6.4. ANTI-VIRUS AND ANTI-SPAM………………………………………….………………………………………………. 42

7. POTENTIAL THREATS IN E-COMMERCE……………………………………………………………………………………. 43 8. IMPACT OF TECHNOLOGIES BY MERCHANT ON USER………………………………….…………………………… 45 9. TECHNOLOGICAL REQUIREMENTS BY USER FOR A SECURED TRANSACTION….…………………………. 46 10. ROLE OF SECURITY TECHNOLOGIES ON USER-MERCHANT TRANSACTION…….………………………….. 46 11. SUMMARY OF TECHNOLOGIES EMPLOYED BY BOTH USER AND MERCHANT IN TABULAR FORM. 50 12. STUDY OF COMPARISON OF E-COMMERCE SETUP OF AIR INDIA AND BRITISH AIRWAYS…………. 52 13. SUMMARY OF COMPARISON BETWEEN AIRINDIA.COM AND BA.COM IN TABULAR FORM………… 70 14. BRIEF DISCUSSION OF E-COOMERCE SETUP OF GOINDIGO.COM….……………………………………………. 72 15. BRIEF DISCUSSION OF E-COMMERCE SETUP OF MAKEMYTRIP.COM………………………………………….. 74 16. REFERENCES…………………………………………………………………………………………………………………………….. 76

E-Commerce

6

1. INTRODUCTION

Electronic commerce, also known as e-commerce, refers to the buying and selling of products and various services over electronic systems such as the Internet and other computer networks. E commerce is doing business electronically. We use electronic means such as EDI (electronic data interchange), electronic mail, bulletin boards, fax transmissions, electronic fund transfers and the internet. It covers a range of different types of businesses, from consumer based retail sites, through auction or music sites, to business exchanges trading goods and services between corporations. It is currently one of the most important aspects of the Internet to emerge.

We can explore and shop online from a distant place or acquire various services around the world through e-commerce without any barrier of distance.

1.1. History

Internet shopping is not only convenient and easy, but an efficient time-saver. E-commerce and its underlying technology have been around just for the past few decades. The e-commerce technologies first appeared in the late 1970’s. The execution of electronic transactions between businesses as well as the exchange of information took place in the form of electronic purchase orders and invoices. The Boston Computer Exchange started in 1982, and was one of the first known examples of e-commerce. Abundance of credit cards, ATM machines and telephone banking throughout the 1980’s was the next important step in the history of e-commerce. By the early 90’s, e-commerce would also incorporate things such as enterprise resource planning (ERP), data warehousing and data mining. But it wasn’t until the late 90’s, as the history of e-commerce reflects, things really began to get warm up. High speed internet connections such as DSL, introduction of security protocols and quicker online transaction capability gave a boost to e-commerce, where an explosive growth was predicted by the industry experts. By 2000, a considerable number of businesses in United States and Europe built out their first elementary e-commerce websites. The prospect of serving a global customer base electronically emboldened traditional businesses. In the next coming years, online business to business transactions grew exponentially, as we look into the history of e-commerce. Over $700 billion dollars in sales were recorded. Some of the major pioneers of e-commerce like eBay and Amazon soon became the leaders. First to establish prominent e-commerce brands, some of the major categories are computers, books, music, and a variety of electronics. Some other companies and industry giants followed such as Dell, Staples, Office Depot, and Hewlett Packard and soon became the most recognizable e-commerce brands online.

1.2. Advantages of E-commerce

E-Commerce

7

1. We can buy and sell a variety of goods and services from one's home requiring a computer with an

internet connection. 2. Transactions can be carried anytime and anywhere around the world 24*7. 3. We can look for lowest possible cost for specific goods or service 4. Businesses can reach out to worldwide clients. 5. Order processing cost is reduced 6. Payments through Electronic funds transfer are faster. 7. Supply chain management is simpler, faster, and cheaper using ecommerce

7.1. We can order from several vendors and monitor supplies simultaneously. 7.2. A check on production schedule and inventory of an organization can be implemented by

cooperating with supplier who can in-turn schedule their work. 8. There is no need of setting up a company physically.

1.3. Disadvantages of E-commerce 1. Security in e-commerce may not be very good where viruses, hacker attacks can be used to steal

personal information regarding the customer. 2. Costs of implementing e-commerce business platform can become not so profitable for smaller

businesses. 3. Some goods such as ‘perishable goods’ are difficult to be sold due to many inconveniences. For

e.g.:- transportation of eatables like ice-creams, vegetables etc. may cost more than their actual cost.

4. Quality of product is not guaranteed as quality cannot be checked physically on internet. So there is no guarantee of the product we get.

5. Delivery of goods may take longer time. 6. One knows nothing about the seller, hence can be tricked for money. 7. Mechanical failure of merchant’s server or customer’s system can cause unpredictable effects.

2. E-COMMERCE CLASSIFICATION

E-commerce can be broadly classified into following models:-

2.1. Business to Business (B2B)

B2B is simply defined as an e-commerce between two different business entities. B2B forms a major part of e-commerce. In B2B, a company may be selling its product to another company or buying others’ product which generally involves bulk transfer of products. B2B can also mean exchange of services between two companies. B2B e-commerce enables to reduce procurement cost of raw materials, avoid keeping excess build p of inventories and finding various alternatives.

Some examples of B2B E-commerce can be:-

Intel selling its range of processors to various desktop, laptop etc. manufacturers such as Dell and HP.

E-Commerce

8

An automobile manufacturer makes several B2B transactions such as buying tires, glass for windscreens, and rubber hoses for its vehicles.

B2B business in automotive industry (courtesy squidoo.com)

Business-to-Business models in e-commerce are an important part of any business online. Putting aside the simple transfer of funds, it needs to cover more. Creditworthiness assessment and guaranteeing the quality and delivery of goods, while safeguarding against fraud are important. Detailed reporting including approval of sale, invoicing, delivery, payment is essential. There are proper procedures to handle disputes.

2.2. Business to Consumer (B2C)

In business to consumer e-commerce, the company directly interacts with consumers online. One can experience shopping right from their homes. Company sells its products and services to individuals through its website which is generally built attractive to draw customer’s attraction. Direct interaction with the customers is the main difference with other types of e-commerce. Business-to-Consumer business model usually deal with business that are related to the customer. Customers are presented with catalogues offering a variety of products; hence a given product can be selected from large number of choices. For e.g.:- A person when buying a laptop from e-bay or any other seller OR a customer downloading an online movie.

E-Commerce

9

B2C E-Commerce (Courtesy eservglobal.com)

Customers are provided with a number of payment options like credit cards or debit cards, so payments can be made as per one’s convenience. However, seller should arrange for reliable security while acquiring e-payments. Various advantages of Business-to-Consumer type of e-commerce include faster and convenient shopping. One can also get the best offers and at a good price and make buying more pleasurable.

2.3. Customer to Customer (C2C) Customer to Customer e-commerce is trading between two private individuals which mean that both buying and selling is between two persons. A person can put up his belonging for sale which can be bought by another person. Common example of C2C e-commerce is buying a second hand car on internet.

C2C E-commerce (Courtesy eservglobal.com)

There is no company involved in C2C e-commerce. The most famed and flourishing example of Consumer to Consumer business model is EBay, that helps facilitates the trade of privately owned items between individuals. Anyone can trade practically anything at EBay. Some other good examples of

E-Commerce

10

Consumer to Consumer e-commerce applications are Monster.com, Seek.com.au and CareerOne.com which mainly focus on services. They offer valuable service to consumers looking for jobs. Employers advertise on these websites and the potential job seekers get in touch with their organization for an interview.

2.4. Government to Consumer (G2C) In this model, the government transacts with an individual consumer. Government can provide a number of opportunities for customers to take advantage of various government offers. G2C business involves everything from grants and loans to copies of property transactions and credit reports. Government contracts can be very lucrative and constitute a huge market for government to consumer businesses. Consumer to government markets are built by consumers looking for safe investments through bonds and other safe investment vehicles. In the government to consumer marketplace, consumers are protected by regulations and agencies that keep watch on the public safety. Finally, G2C e-commerce is becoming more popular for citizens to purchase postage, registrations and permits via G2C websites. For example, a government can enforce laws pertaining to tax payments on individual consumers over the Internet by using the G2C model.

2.5. Consumer to Government (C2G) In this model, an individual consumer interacts with the government. For example, a consumer can pay his income tax or house tax online. The transactions involved in this case are C2G transactions.

2.6. Mobile Commerce (M-commerce)

In M-commerce, buying of goods and services occurs through wireless technology using mobile phones.

M-Commerce (Courtesy leos-lies.blogspot.com)

E-Commerce

11

Various applications of m-commerce are:- 1. Mobile Ticketing. 2. Information services like News, Stock quotes, Sports scores, Financial records, Traffic reporting 3. Mobile Banking.

3. ENTITIES OF E-COMMERCE These are various requirements in an e-commerce transaction. These are like backbone of e-commerce transaction and e-commerce transactions are not completed without these. These are:-

3.1. CREDIT CARD Credit card is a plastic card that allows card holder to borrow money from the card issuing bank and pay to the seller. This borrowed amount can also be termed as a short term loan. This amount is to be returned to the issuing bank with a fixed interest rate in a given time. Thus, the issuing bank creates a revolving account and grants a line of credit to the customer. The credit card allows consumer a continuing balance of debt, subject to interest being charged. Hence, a customer needs not to pay complete amount every time but pay lesser amount maintains continuing balance. However, higher interests can be charged on continuing balance.

Credit Cards (Courtesy www.hdfcbank.com)

Credit cards are not issued to persons below age of 18 years or 21 years depending on the bank. The bank checks complete customer profile before issuing him a card. The following parameters form a customer profile:- Salary: Amount of salary earned in a given time period by the customer is checked before issuing him a card. If the customer is self employed, the customer’s income source and income’s stability is checked.

E-Commerce

12

Identification: Customer is fully verified before a card is issued to him. Customer’s ID card, voter ID, PAN card etc. are checked with his residence address. Other details such as place of work, salary slips etc. are also checked. Assets: Bank also checks for total assets such as his home, car etc. possessed by the customer. Credit cards are easily issued if customer has already a bank account in corresponding bank. Sometimes, when a person is not eligible for a card, credit card is issued on the basis of another person who knows him and has an account with the bank.

3.1.1. Interests Charged A fixed interest is charged for amount borrowed from the financial institution. Only, fixed interest is charged when the amount is repaid in the given time but if some amount gets unpaid, full interest is charged on total amount. Hence, interest rate of particular card may jump if user is late with payment or bank decides to raise its revenues. Generally, customers are charged lower interest rates at initial time when card is issued but interest rates are raised after some time. The customer can be exposed to multiple balance segments each at different rates.

The customers can be charged for:

1. Late payments or overdue payments 2. Charges that result in exceeding the credit limit on the card (whether done deliberately or by

mistake), called over limit fees 3. Returned cheque fees or payment processing fees (e.g. phone payment fee) 4. Cash advances and convenience cheques (often 3% of the amount) 5. Transactions in a foreign currency (as much as 3% of the amount). A few financial institutions do not

charge a fee for this. 6. Membership fees (annual or monthly), sometimes a percentage of the credit limit.

3.1.2. MASTERCARD

MASTERCARD logo (Courtesy en.wikipedia.org) MasterCard Incorporated or MasterCard Worldwide is an American multinational financial services corporation whose principal business is to process payments between the banks of merchants and the card issuing banks or credit unions of the purchasers who use the "MasterCard" brand debit and credit cards to make purchases. The major works done by MasterCard includes:- 1. Authorization: The cardholder gives his MasterCard to the merchant. The merchant’s bank asks

MasterCard to determine cardholder’s bank. MasterCard confirms the card and its validation and

E-Commerce

13

approves sending to cardholder’s bank. Purchase is confirmed by cardholder’s bank and MasterCard sends this approval to merchant’s bank which is then passed to customer.

2. Clearing: The merchant’s bank sends transaction information to MasterCard network which validates information and is passed to customer’s bank. MasterCard network provides reconciliation to both merchant’s bank and cardholder’s bank.

3. Settlement: Merchant’s bank sends clearing information to MasterCard network which calculates net settlement and transfer funds order to settlement bank. The settlement bank guarantees payment to merchant and accepts payment from card holder’s bank. Merchant’s bank pays the merchant and cardholder’s bank bills the cardholder for purchases.

MASTERCARD helps in securing e-commerce transactions using security tool such as MasterCard SecureCode. MasterCard SecureCode is initiated on a retailer’s website and interacts with both the cardholder and their card issuer. When your customer comes to pay, a window appears asking customer to enter a unique, personal code that has been registered with their bank. The bank then authenticates the cardholder performing the transaction and provides the electronic retailer explicit evidence of the online purchase.

3.1.3. VISA

VISA logo (Courtesy www.travelandtourworld.com) Visa Inc. is an American multinational financial services corporation which facilitates electronic funds transfers throughout the world, most commonly through Visa-branded credit card and debit cards. Visa does not issue cards, extend credit or set rates and fees for consumers; rather, Visa provides financial institutions with Visa-branded payment products that they then use to offer credit, debit, prepaid and cash-access programs to their customers. Visa has built one of the world’s most advanced processing networks. It’s capable of handling more than 24,000 transactions per second, with reliability, convenience and security, including fraud protection for consumers and guaranteed payment for merchants. Typical VISA transaction has four parties:-

1. Merchant: it can be a shop or online shopping website that accepts payment by VISA. 2. Acquirer: a financial institution that entitles merchant to accept VISA payments and ensure that

they get their payment. 3. Issuer: it is a financial institution that issues VISA cards to customers. 4. Account Holder: a customer that uses VISA cards to make purchases.

E-Commerce

14

VISA Transaction flow (Courtesy VISA Inc.)

The functioning of Visa is much similar to MasterCard. However, other credit card networks are also present. VISA provides various security measures to prevent detect and resolve the unauthorized use of your card information. And even if fraud should occur, customers are never held liable for unauthorized charges. The various measures are:-

Prevent

Various steps in preventing fraud against the card are:-

1. Verified by VISA: An extra security layer is provided that confirms your identity with an extra password when you make an online transaction. The Verified by VISA feature can be activated for free. Once your card is activated, your card number will be recognized whenever you shop at a participating Verified by Visa merchant. You will enter your password in the Verified by Visa window, your identity will be verified and the transaction will be completed. In stores that are not yet Verified by Visa enabled, your Visa card will continue to work as usual. The Verified by VISA feature works as shown below:-

(Courtesy usa.visa.com)

2. 3-Digit security code: This 3- digit code confirms that the card is in our physical possession while

online purchases.

Detect

Real time Fraud monitoring: This is done so that required actions can be taken right away to minimize fraud. Transactions done by a customer are continuously monitored for any suspicious spending by the cardholder. Each time an authorization request is processed, it's evaluated against the individual's transaction history. Also, if we see questionable activity, such as entry of mismatched shipping and

E-Commerce

15

billing addresses, unusually large purchases, and changes in Social Security number or other personal data, we'll work with your financial institution to suspend activity on your card to keep your account secure and prevent further damage. The customer is alerted as soon as anything from the above occurs. If a customer sees any suspicious activity in monthly statement, he should inform his financial institution immediately.

Resolve

1. Zero liability: If card is used for fraud, the customer is protected by VISA. That's because Visa protects your card information 24/7 and customer won’t be held liable for unauthorized purchases made with your card or account information. Any irregularity in the monthly statement should be reported to respective financial institution immediately for issues to get resolved quickly. If fraud occurs, Visa’s cardholder protection policy requires all financial institutions issuing Visa products to extend provisional credit for losses from unauthorized card use within 5 business days of notification of the loss.

2. Identity Theft Assistance: If, suspicions occur in monthly statement, financial institutions should be informed and VISA should be contacted for free counseling.

3.1.4. General steps involved in credit card transaction

We shall now discuss the various steps involved in a credit card transaction. The steps are:-

Step 1: Visitor places the order on the website and it is sent to the merchant's web server in encrypted format. This is usually done via SSL (Secure Socket Layer) encryption.

Step 2: Then, the complete transactional details are passed to the respective payment gateway which are passed to a credit card network (like VISA or MASTERCARD) for authentication of the card.

Step 3: The transactional details are passed to the card issuing bank. Step 4: Issuing bank checks for available funds with customer, validity of the card and his limit

and a response is sent back to the payment gateway which include information that whether the transaction has been approved or not. In case of decline of transaction, reason for it is also specified.

Step 5: This response is sent to merchant’s server by the payment gateway. In case of approval, payments are made for the transaction by issuing bank to the merchant’s bank through credit card network.

Step 6: The response is encrypted and is passed to the customer. Now, the customer knows whether the transaction has been accepted or not. Now, merchant gives customer product purchased after confirming the payment.

Steps 7: This complete process takes less than 5 seconds.

E-Commerce

16

Transaction flow for a credit card payment

3.1.5. Benefits to Credit Card users Users are provided short term easy loans with a limit instantly for making any purchase. Credit card allows users to pay debt in installments. Credit cards enable us to shop online. Credit Card offers more protection than debit cards. Users may be offered rewards and benefit packages. A user can block merchant’s payment if the user feels that he is being tricked. Credit cards can be used in case of emergencies when the user doesn’t have money.

3.1.6. Detriments to Customers Users are charged lower interest at initial times but higher rates are charged after that. If the user doesn’t pay complete balance amount in given specified time, huge interest rates are

charged on remaining debt. Hence, debt burden keeps on increasing which may even lead to bankruptcy.

Credit card weakens self regulation i.e. people buy without thinking about interest that will be charged on amount borrowed. Many times, users exceed their limit unknowingly and thus pay over-limit fees.

3.1.7. Benefits to Merchants

Merchants are also benefited in a number of ways by accepting credit cards. Some of them are as follows:-

Whenever a credit card is presented by a customer for transaction, the issuing bank guarantees payments to merchant once transaction gets authorized.

As people don’t think much while making credit cards, it can result in increased revenues for the merchant.

Customer Payment gateway

Credit Card Network (VISA or MASTERCARD)

Merchant’s Acquiring Bank

Issuing Bank Processor (POS m/c)

Funds Transfer

SSL encryption

E-Commerce

17

Credit card payment can help in discouraging thefts from merchant’s employees as amount gets transferred to the merchant’s account very securely.

Accepting credit card payments can reduce back office expense i.e. workload to deposit cash and cheques to banks, making transactional records etc.

Once a website is set up by a merchant, he can carry selling transactions online using credit cards.

As competition has increased, many merchants have now started to accept credit cards to overcome other competitors.

3.1.8. Detriments to Merchants

There are several disadvantages in accepting credit card payment such as:-

Merchants are charged several fees for accepting credit cards such as interchange fees for each transaction. In case of some low value transactions, profit margins are reduced considerably.

Merchants may need to subscribe for separate telephone lines of each point of sales machine and must also satisfy data security standards.

In some cases, delays can cause late transfer of funds to merchant’s account. Merchants also have the risk of chargebacks by consumers. Security is of major concern while using credit cards. One should use security measures such as

using a secure browser for online payments, use encryption protocols for messaging, check for authentication of a website etc. Other major concern is credit card fraud.

3.1.9. P-COMMERCE

P-Commerce is a type of E-Commerce that uses internet access for payments at a POS (point of sales) machine using methods such as credit cars or debit card payment. After picking up a desired product at a merchant’s place, one has to physically present the card for payments. Hence, a customer needs not to carry cash while shopping making it convenient for himself. Credit cards and Debit cards are also termed as plastic money. However, care should be taken to ensure security.

POS machine (Courtesy www.alibaba.com)

E-Commerce

18

3.1.10. Credit Card Fraud:

Nowadays, credit card fraud has become a major problem. Credit card fraud means theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. So, the credit card must used properly so as to keep secured by following certain measures such as:-

One should never disclose his Personal Identification Number (PIN) to anyone. This is a security number provided with the card and is required whenever a purchase is made.

A user should keep credit card in sight while making transactions as it could be skimmed. The information in the magnetic strip at the back of the card could be copied and reused.

One should always check his monthly statements and verify every purchase made. One should always destroy his payment receipts after making payment for the respective

transaction as details on payment slip can be misused. Online shopping should be done on a secure website. One can look for a padlock next to website

address at the top of the internet page or on can also look for digital certificates for a particular website.

For extra security, providers use an online verification scheme such as Verified by VISA or MASTERCARD secure code. We can set up an additional password which is verified by the card provider before making any payment.

One should report for lost or stolen card immediately.

Some of the recent big credit card frauds are:-

1. The TJX Heist

(Courtesy http://www.creditcardchaser.com)

Date: 2007 Data Stolen: 40 million credit cards; large volumes of customer data Potential Financial Damage: $1 billion Caught? One of 11 suspects has pleaded guilty

TJX is the parent company of the department store chains T.J. Maxx and Marshall’s. The thieves were able to gather data via snooping on unsecured networks that were transferring data between points of sale units. These were wireless networks that were basically being run unencrypted. This was a major operation with well over ten people involved in the theft, and not everyone in on this scam has been brought to justice.

E-Commerce

19

2. The Best Western Heist.

Best Western, Worst Security (Courtesy http://www.creditcardchaser.com) Date: 2008 Data Stolen: Credit card details from every guest of the chain’s 1,300 hotels over three months Potential Financial Damage: $4 billion Caught? Nope

A group of criminals pierced into Best Western’s IT network and extracted information about the guests staying at the hotel chain’s 1,312 hotels between 2007 and 2008. This included guests’ credit card numbers, addresses, and phone numbers, giving the thieves a perfect way to steal their identities and go on a potential spending spree. What’s amazing is the volume of data that was stolen before it was detected. The damage is estimated to be in the billions of dollars, and the thieves are still at large.

3. The 7-Eleven Heist

24/7 Robbery (Courtesy http://www.creditcardchaser.com)

Date: 2009 Data Stolen: Credit card details from 140 million customers Potential Financial Damage: Total damage unknown; company has paid $12 million to card issuers already Caught? Albert Gonzalez and two Russian nationals face 35 years in prison

Credit card processing company Heartland Financial Systems, which handles the electronic credit transfers for many regional grocery chains and for retailer 7-Eleven, was robbed due to vulnerability in their IT security. The thieves used something called a “SQL injection attack” to breach the firewalls that

E-Commerce

20

protected customer data. (At least it took more planning than logging onto a wireless network.) Ironically, Heartland had recently passed the Payment Card Security Standard certification, which typically proves strong financial security practices.

3.2. DEBIT CARD

A Debit card is a plastic card that allows the cardholder to access his account and make payments for purchases from his specified account. Thus, a debit card is different from credit card because it allows paying from cardholder’s account but doesn’t provide short term loans and paying this amount at a later date. Payments using a debit card are immediately transferred from the cardholder's designated bank account. The major benefits to this type of card are convenience and security. Debit cards are also considered to be a safer form of payment as a code is required to access the account funds, so it reduces chances of misuse.

Debit cards are issued at much ease as compared to a credit card as a debit card requires a savings or any other required type of account with the bank from which payments are debited. Many-a-times, a customer is required to maintain a minimum account balance by the customer. If not done so, interest can be charged from the customer.

There are two major types of debit card systems:-

1. Online Debit Card System: In online debit card system, the funds are deducted immediately after purchases are made. Online debit cards require electronic authorization of every transaction. The transaction may be additionally secured with the personal identification number. While shopping, merchant swipes debit card at point of sales machine after which cardholder is asked to enter his pin on PIN pads. The transactions are authorized in real time, funds in the customers' accounts are captured immediately, and money is transferred into storeowners' accounts in two to three business days.

2. Offline Debit Card System: Offline debit cards don’t require PIN. They are just used as a credit card at point of sale. Customers who choose to make offline debit purchases must hand over their check cards. Merchants swipe the cards through their payment terminals and complete the debit sales the same way they process credit card transactions. The customers then sign sales drafts that authorize the merchants to charge their accounts. Transactions normally settle in two to three business days.

3.2.1. Visa Electron

Visa Electron is a debit card available across most of the world. The difference between Visa Electron and Visa Debit is that payments with Visa Electron require that all the funds be available at the time of transfer, i.e., Visa Electron card accounts may not be overdrawn. Visa Electron cards have acceptance all over the world and come with in-built security features that mean you cannot accidentally overspend. This makes them ideal for a wide range of customers, from students and others new to banking to start-up businesses and people on a limited budget. Visa Debit cards, on the other hand, allow transfers exceeding available funds up to a certain limit. Some online stores and all offline terminals (like on trains and aircraft) do not support Visa Electron because their systems cannot check for the availability of funds.

E-Commerce

21

(Courtesy paypoint.net) (Courtesy agbank.az)

3.2.2. Maestro

Maestro is a multi-national debit card service which is owned by MasterCard. Maestro offers state-of-the-art technology to help keep your money safe at all times. Maestro cards are obtained from associate banks and can be linked to the card holder's current account, or they can be prepaid cards. The cardholder presents the card at the point of sale (POS) and this is swiped through the terminal by the assistant or the customer or inserted into a chip and PIN device. The payment is authorized by the card issuer to ensure that the cardholder has sufficient funds in their account to make the purchase and the cardholder confirms the payment by either signing the sales receipt or entering their 4 to 6-digit PIN. Within the EU and certain other countries, Maestro is MasterCard's main debit brand and is the equivalent of signature debit card which does not require electronic authorization, similar to the Visa Debit card. It requires electronic authorization much like a Solo debit card, i.e. not only must the information stored in either the chip or the magnetic stripe be read, this has to be sent from the Merchant to the issuing bank, the issuing bank then has to respond with an affirmative authorization. If the information is not read, the issuer will decline the transaction, regardless of any disposable amount on the connected account. This is different from other debit and credit cards, where the information can be entered manually into the terminal and still be approved by the issuer or stand-in processor.

(Courtesy blog.skoosh.com) (Courtesy sgeb.bg)

3.2.3. Advantages of Debit Card

As a customer can use funds that are available to him with his account, one doesn’t create unnecessary expenses and remains within limit.

We can avoid writing cheques for payment as money can be paid from cardholder’s account instantly.

There are no monthly interests charged on our purchases. Many debit cards allow access to ATM.

E-Commerce

22

3.2.4. Disadvantages of Debit Card

Many banks allow an extra available balance over existing balance which when used can result in overdraft fees being charged.

Debit cards provide lower levels of security. Theft of the users PIN using skimming devices is much easier than with a signature-based credit transaction.

Spending limits may be set by banks on existing balance. In many places, laws protect the consumer from fraud much less than with a credit card. Because debit cards allow funds to be immediately transferred from an account when making a

purchase, the consumer also has a shorter time (usually just two days) to report such fraud to the bank in order to be eligible for such a waiver with a debit card and recover the lost funds, whereas with a credit card, this time may be up to 60 days, and the transactions are removed without losing any credit.

3.2.5. Debit Card transactions.

Debit Card transactions take place in much similar way as that of credit card. Various Steps in Debit Card transactions are:-

Transaction Flow of debit card (Courtesy www.serve-first.com)

Card is first presented to the merchant. Merchant sends transactional details to the acquiring bank. The acquiring bank sends these details to credit card network (VISA or MASTERCARD) for

authentication of the card. The Card network submits these details to the issuing bank. The issuing bank pays amount of the transaction to the acquiring bank that then pays it to the

merchant. The Acquiring bank acts as a payment gateway.

E-Commerce

23

4. CHANNELS OF E-COMMERCE PAYMENT

4.1. Payment Gateway

Payment Gateway is the service that automates payment transaction between the shopper and the merchant. It is usually a third-party service that is actually a system of computer processes that process, verify, and accept or decline credit card transactions on behalf of the merchant through secure Internet connections. The payment gateway is the infrastructure that allows a merchant to accept credit card and other forms of electronic payment. When referring to payment gateways used for Internet transactions, it may also be called an IP payment gateway.

4.1.1. How does a Payment Gateway works.

Step 1: A customer places an order on a website and enters his card details. The customer's web browser encrypts the information to be sent between the browser and the merchant's web server. This is done via SSL (Secure Socket Layer) encryption.

Step 2: The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.

Step 3: The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.

Step 4: The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard) and the card association routes the transaction to the correct card issuing bank.

Step 5: The card issuing bank checks for consumer’s credit or debit and forwards a response back to the processor telling whether transaction has been approved or declined. In case, the reason is also specified explaining why the transaction is declined.

Step 6: The processor forwards the authorization response to the payment gateway. Step 7: The payment gateway receives the response, and forwards it on to the website where it

is interpreted as a relevant response then relayed back to the merchant and cardholder. This is known as the Authorization or "Auth"

E-Commerce

24

Step 8: The entire process typically takes 2–3 seconds. Step 9: The merchant fulfills the order and process is repeated to clear transaction. Typically the

"Clear" is initiated only after the merchant has fulfilled the transaction (e.g.: shipped the order). This result in the issuing bank 'clearing' the 'auth' (i.e.: moves auth-hold to a debit) and prepares them to settle with the merchant acquiring bank.

Step 10: The entire process from authorization to settlement to funding typically takes 3 days.

4.1.2. Why is Payment Gateway needed?

Payment Gateway holds the essence of any e-commerce site. One cannot think of making or receiving on-line payments without a Payment Gateway. Payment Gateway basically refers to an e-commerce service that authorizes payments for e-businesses & online retailers. It, in a way, represents a physical POS (Point-of-sale) terminal located in most retail outlets. Payment gateways encrypt sensitive information, such as credit card numbers to ensure that information passes securely between the customer and the merchant.

4.2. NET BANKING Net banking allows a customer to carry financial transactions online on a secure website operated by a financial institution. To access net banking facility, one must have an internet connection and should be registered with a financial institution with a password for authentication and security purposes. To access online banking, the customer would go to the financial institution's website, and enter the online banking facility using the customer number and password.

4.2.1. Features:

It can perform some non-transactional tasks through online banking. Some of these are:- A customer can view his account balances. One can view recent transactions. A customer can download bank statements. One can view images of prepaid cheques. One can also order cheque books.

Net banking allows transacting balancing tasks. Some of these are:-

Funds can be transferred between customer’s linked accounts. A customer can also pay third party i.e. paying bills. We can make an online purchase or sale of a product.

One may require following tools to have Net banking facility. These are:-

1. Login IDs: - These are generally user name or e-mail address of the user wanting to avail net banking facilities. These are unique for a particular user and are used for verification of the valid user.

2. Login password: - These are associated with the login ID and are also unique for a particular user. The user must not disclose his password as it is the key to his net banking account.

E-Commerce

25

3. Transaction Password: - These are generally on time passwords that are required to be entered at the time of transactions. These passwords are generated at the time of transaction and sent to the user via sms. These passwords remain valid only for a short period of time.

4. Security Questions: - These are questions set by the user at the time of registration for the net banking account. The user may choose questions of his type. The answers to these questions are unique to the user and these may be used for the security purposes.

5. Pre-set images: - These are images selected by the user at the time of registration. These images appear at the time when user logs in. These images are used for the purpose that the user can verify these images and ensure that the website to which he is dealing is not fake.

6. SMS/Mail alert: - This feature is optional but allows user to get informed about the transaction being carried out through his account and can inform his respective institution about transactions being carried out against his wish. The user is informed via sms every time a transaction is carried out from his account.

4.2.2. System Security used in Net Banking

1. Login ID and password: Each customer is provided with a User ID and Password. The password

is generated in such a way that it is only known to the customer. Without a valid IPIN corresponding to the customer ID, access to customer account cannot be gained by anyone. To provide enhanced security and safety we have introduced the Access Code. To log in to Net Banking / Payment Gateway you would need to enter an additional password i.e. you’re 'Access Code'. This Access Code is to be generated online and will be sent instantly to your preferred Email ID and Mobile Number registered with the Bank. Access Code is valid up to 11:59 P.M. (IST) of the day it is generated by you. Access Code can be generated by entering your User ID / Nick Name and your Net Banking Password and clicking on 'Generate Access Code' tab on the Access Code login page.

2. Session Security: Protected by the most stringent security systems, Net Banking allows you to transact over a completely secure medium. All your transactions travel via 256-bit SSL encrypted medium, the highest level of security on the internet. Many banks such as HDFC Bank use systems those time out the customer’s login sessions to his Net Banking account upon prolonged inactivity for protection against misuse.

3. Digital certificates: Web pages of many financial institutions are verified by Digital Certificates provided by VeriSign, TCS, and MTNL etc. so that the customer can identify the real web page of the financial institution and is not misled by fake websites.

4. Virtual keyboard: Many banks such as HDFC Bank use the feature of Virtual Keyboard while logging into his Net Banking account. This protects the users’ password from being compromised by keylogger software installed on untrusted/shared computers e.g. cyber cafes.

5. Instant Alerts: Various banks provide instant alert services like SMS or E-Mail alerts on making every transactions. Alerts are also provided while adding beneficiary for carrying out Third Party Transfer transactions.

6. Security tools: Many banks use security tools such as Firewalls and anti- malware systems to ensure safety of its customers.

4.2.3. Transfer Schemes

Funds transfer from on account to another account is a feature of net banking which usually follows RBI’s NEFT (National Electronics Funds Transfer) scheme. NEFT is a payment system which allows a net banking user to transfer funds to another account electronically. Here, account to which funds are being

E-Commerce

26

transferred should also follow NEFT scheme. Presently, NEFT operates as - there are eleven settlements from 9 am to 7 pm on week days (Monday through Friday) and five settlements from 9 am to 1 pm on Saturdays. The various steps involved in NEFT scheme are:-

Step 1: A user wishing to transfer funds using NEFT scheme has to fill an application form provided by the originating bank or user’s bank. Various details such as name of the beneficiary, his bank where he has an account, IFSC of beneficiary’s bank branch, his account type, account number etc. The user authorizes amount to be taken from his account and transfer it to beneficiary.

Step 2: The originating bank will prepare a message and send it to its pooling center which is also known as NEFT service center.

Step 3: The pooling center will forward this message to NEFT Clearing Center to be included in the next available batch. This Clearing Center is operated by National Clearing Cell, RBI, at Mumbai.

Step 4: The Clearing Center will sort funds transfer bank-wise and prepare accounting entries to receive funds from originating bank and gives the funds to destination banks. The bank-wise remittance messages are sent through their pooling centers.

Step 5: The banks receive remittance messages from the Clearing Center and pass the funds to beneficiary’s account.

NEFT scheme by Reserve Bank of India

There is another scheme which can be followed for transfer funds. RTGS stands for Real Time Gross Settlement. This means that instructions for transactions are handled in real time at which they are received rather than later. Gross Settlement means fund transfer instructions are processed individually or instruction by instruction. This is different from NEFT because in NEFT, settlement takes place in batches whereas in RTGS processing instructions are processed as soon as they are received. The RTGS system is primarily meant for large value transactions. The minimum amount to be remitted through RTGS is 2 lakhs. There is no upper limit for RTGS transactions. The RTGS service window for customer's transactions is available from 9.00 hours to 16.30 hours on week days and from 9.00 hours to 13.30 hours on Saturdays for settlement at the RBI end. However, the timings that the banks follow may vary depending on the customer timings of the bank branches.

Originating Bank

Pooling Center

NEFT Clearing Center

RBI

Pooling Center

Beneficiary’s Bank

Remittance Message

Message for next available batch at NCC, RBI

E-Commerce

27

Various charges involved in RTGS schemes are:- Inward transactions: Free. Outward transactions: Rs. 2 lakhs to Rs. 5 lakhs - not exceeding Rs. 30 per transaction.

Above Rs. 5 lakhs - not exceeding Rs. 55 per transaction.

4.2.4. Now, we shall see general steps involved in bill payment through net banking. Suppose, we want to pay telephone bill through net banking, thus the various steps are:-

Step 1: The primary step is visiting the merchant website. Step 2: To view our outstanding bills, we are directed to bill desk. Bill Desk acts as payment

gateway. Step 3: We select ‘Net Banking’ as payment mode and we are directed to our net banking

account. Here, user account details are entered. Users are generally asked to enter their Login ID with password and verify the picture registered by user at the time of Net Banking registration. Due amount is entered and paid.

Step4: The funds are transferred to merchant account.

Net Banking Account transaction Flow

4.2.5. Security features Security has become an important topic in E-Commerce. Security features are required to ensure of the financial transactions that one does in e-commerce. While security features do not guarantee a secure system, they are necessary to build a secure system. Security features have four categories:

1. Authentication: Verifies who you say you are. It enforces that you are the only one allowed to logon to your Internet banking account.

MERCHANT

BILL DESK

NET BANKING (Customer’s account)

MERCHANT

Directed to Due bills

Details are entered

Funds transferred to merchant

E-Commerce

28

2. Authorization:3.

Allows a user to login for the given transaction. Encryption:

4.

Deals with information hiding. It ensures you cannot spy on others during Internet banking transactions. Auditing:

Security has three main concepts: confidentiality, integrity, and availability.

Keeps a record of operations. Merchants use auditing to prove that you bought specific merchandise.

1. Confidentiality allows only authorized parties to read protected information. 2. Integrity ensures data remains as is from the sender to the receiver. 3. Availability ensures you have access and are authorized to resources.

5. TECHNOLOGICAL REQUIREMENTS OF E-COMMERCE

There are number of technologies required for an e-commerce set up. These technologies are essential to do business effectively while remaining secure. As one cannot afford to lose databases of its customers, security features used remain a topic of prime concern. Apart from security, servers used for web hosting also play a major part as it only handles orders and payments. If a server can handle more traffic, more number of e-commerce transactions can be carried out at a given time.

Some of the technological requirements are:-

Web Servers. Authentication. Firewalls. Digital Certificates. Non–Repudiation. Anti-virus. Anti-Spam. IP-Sec. SSL.

5.1. Web Servers A web server is the combination of computer and the program installed on it. Web server interacts with the client through a web browser. It delivers the web pages to the client and to an application by using the web browser and he HTTP protocols respectively. We can also define the web server as the package of large number of programs installed on a computer connected to Internet or intranet for downloading the requested files using File Transfer Protocol, serving e-mail and building and publishing web pages. A web server works on a client server model. A computer connected to the Internet or intranet must have a server program. While talking about Java language then a web server is a server that is used to support the web component like the Servlet and JSP.

E-Commerce

29

A computer connected to the Internet for providing the services to a small company or a departmental store may contain the HTTP server (to access and store the web pages and files), SMTP server (to support mail services), FTP server (for files downloading) and NNTP server (for newsgroup). The computer containing all the above servers is called the web server. Internet service providers and large companies may have all the servers like HTTP server, SMTP server, FTP server and many more on separate machines. In case of Java, a web server can be defined as the server that only supports to the web component like Servlet and JSP. Notice that it does not support to the business component like EJB. Web software that runs some of the main functions of an online storefront such as product display, online ordering, and inventory management. The software works in conjunction with online payment systems to process payments. The first major task to complete before you can launch your ecommerce business is finding the right ecommerce hosting provider. Ecommerce hosting describes a type of website hosting platform that is used to serve an electronic commerce website. Ecommerce hosting differs from standard Web hosting in that a number of features and functionalities are required to manage and run a commercial website. This includes SSL, database support, shopping cart software, payment processing services, and additional ecommerce software and security initiatives. Ecommerce hosting is designed to basically provide entrepreneurs and businesses with all the tools and services required for them to set-up, manage and conduct an ecommerce business. Ecommerce hosting is an option offered by many Web hosting service providers. In addition to supplying ecommerce functionality, they will also provide Web space (Web server) to host your website, an email server or email support, technical support and other standard Web hosting features for businesses. Also, special software is used generally known as shopping cart software. A shopping cart is a piece of software that acts as an online store's catalog and ordering process. Typically, a shopping cart is the interface between a company's Web site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise. Shopping carts can be sold as independent pieces of software so companies can integrate them into their own unique online solution, or they can be offered as a feature from a service that will create and host a company's e-commerce site.

E-Commerce

30

Web Server (Courtesy www.websitewarehouse.com)

How a web-server works

First, it's important to note that this is a two-sided story. Web servers are responsible for storing and exchanging information with other machines. Because of this, at least two participants are required for each exchange of information: a client, which requests the information, and a server, which stores it. In the case of the client, a browser like Netscape or Internet Explorer is used. On the server side, however, things are not as simple. There is a countless software options available, but they all have a similar task: to negotiate data transfers between clients and servers via Hypertext Transfer Protocol, the communications protocol of the Web. A simple exchange between client and server machine is go like this:

The client's browser dissects the URL in to a number of separate parts, including address, path name and protocol.

A Domain Name Server (DNS) translates the domain name the user has entered in to its IP address, a numeric combination that represents the site's true address on the Internet (a domain name is merely a "front" to make site addresses easier to remember).

The browser now determines which protocol (the language client machines use to communicate with servers) should be used. Examples of protocols include FTP, or File Transfer Protocol, and HTTP, Hypertext Transfer Protocol.

The server now responds to the browser's requests. It verifies that the given address exists, finds the necessary files, runs the appropriate scripts, and returns the results back to the browser. If it cannot locate the file, the server sends an error message to the client.

The browser translates the data it has been given in to HTML and displays the results to the user.

This process is repeated until the client browser leaves the site.

Hence, these servers become an integral part of e-commerce and acts as a backbone of e-commerce setup. So, apart from security measures used many web servers have a parallel server connected to them. This is done so that even if one server fails, the other server handles all the traffic on crashed server.

E-Commerce

31

A Server another Server A B Here, in the above figures we can see that there are two similar servers attached to each other. So even if one of the servers fails, the other server can handle all the traffic without interrupting e-commerce transactions.

5.2. Authentication

This requires Web site administrators to go through the layers of security before obtaining access to the hosting environment. Logging IDs and passwords are used for the verification of the user because they are unique and challenge with something one knows and something one not. This is an easy security measure for any e-commerce website to instate user passwords. Thus with this, users provide either their email address or a user name along with a password that lives up to a password policy. A password policy is a set of rules a website uses to ensure passwords are secure. Common examples are when websites require a minimum number of letters or numbers and when they instate a lockout threshold, which blocks a user from trying to login after a certain number of failed attempts.

Authentication Procedure (Courtesy codeproject.com)

Parallel connection to each other

E-Commerce

32

Some other authentication tools are:-

Security Questions - These are questions set by the user at the time of registration. The user may choose questions of his type. The answers to these questions are unique to the user and these may be used for the security purposes. These security questions are also helpful in case of password lost or stolen.

Alpha-numeric code- A special code which is generated on display and is asked to fill as compulsory. This code consist a sequence of numeric or alphabet and it is changes every time whenever you log-in. This is code used to check that it really a human who access the web-site or any other attacker’s written program code.

Pre-set images - These are images selected by the user at the time of registration. These images appear at the time when user logs in. These images are used for the purpose that the user can verify these images and ensure that the website to which he is dealing is not fake. Pre-set image is used to authenticate the server.

SMS/Mail alert- This feature is optional but allows user to get informed about the transaction being carried out through his account and can inform his respective institution about transactions being carried out against his wish. The user is informed via SMS every time a transaction is carried out from his account.

5.3. Firewall

A firewall can either be software-based or hardware-based whose primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. A firewall helps to keep a network secure.

Working of a Firewall (Courtesy www.bestsecuritytips.com)

E-Commerce

33

There are two types of firewalls:-

Hardware based: Hardware based firewalls can be purchased as a separate product but nowadays are generally found in broadband routers. Hardware firewalls can be used with ease and with little configuration required. Mostly, hardware firewalls contain three to four ports to connect with other computers. A hardware firewall uses packet filtering to examine the header of a packet to determine its source and destination. This information is compared to a set of predefined or user-created rules that determine whether the packet is to be forwarded or dropped. To have optimal performance consumers will no doubt need to learn the specific features of their hardware firewall, how to enable them, and how to test the firewall to ensure its doing a good job of protecting your network. A consumer can get manuals and other documents related to firewall from the manufacturer’s webpage.

Software based: A software based firewall can be installed on a computer and be customized according to user’s wishes to control its functions and protection features. A software firewall is generally used to protect user’s computer from outside attacks such as Trojans and E-mail worms. Many firewalls can be used to prevent unsafe applications from running on the computer. The main disadvantage of software firewalls is that each firewall protects computer on which it is installed and not the other computer on the network. So, it becomes necessary to install software firewall on each computer. A user must know the system requirements for the firewall and any incompatibility with the operating system. A good software firewall runs at the background of the system with minimum requirements. A software firewall once installed must be updated regularly.

There can be many differences between Hardware based firewalls and Software based firewalls but both are required to have maximum security.

There can be several types of firewall techniques:-

Packet filter: In this technique, the firewall monitors all the incoming and outgoing packets. The packets are accepted or rejected on the basis of predefined rules by the user at the time of configuration. However, they are difficult to configure and are prone to IP spoofing.

Application Gateway: This technique applies security mechanisms to specific applications, such as FTP and Telnet servers. This technique is very effective but can lead to performance degradation.

Circuit-Level Gateway: In this technique, security mechanisms are applied when a TCP/IP connection is made. Once the connections are made, data packets can flow between hosts without further checking.

Proxy Server: It intercepts all incoming and outgoing messages of a network. The proxy server effectively hides the true network address.

A proxy server has a variety of potential purposes, including:

To keep machines behind it anonymous, mainly for security. To speed up access to resources (using caching). Web proxies are commonly used to cache web

pages from a web server. To apply access policy to network services or content, e.g. to block undesired sites. To access sites prohibited or filtered by your ISP or institution. To log / audit usage, i.e. to provide company employee Internet usage reporting.

E-Commerce

34

To bypass security / parental controls. To circumvent Internet filtering to access content otherwise blocked by governments. To scan transmitted malware content before delivery. To scan outbound content, e.g., for data loss prevention. To allow a web site to make web requests to externally hosted resources (e.g. images, music

files, etc.) when cross-domain restrictions prohibit the web site from linking directly to the outside domains.

In real, a firewall uses more than two techniques. Some examples of the software based firewall are: Zone Alarm by Check Point Software Technologies Pvt., Sygate, Kerio, AVG Anti-Virus plus Firewall Edition and examples of hardware based firewalls are: Linksys, D-Link, Netgear. 5.4. Digital Certificates

Digital certificates are digital files that certify the identity of an individual or institution seeking access to computer-based information. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued. Encryption techniques using public and private keys require a public-key infrastructure (PKI) to support the distribution and identification of public keys. Digital certificates package public keys, information about the algorithms used, owner or subject data, the digital signature of a Certificate Authority that has verified the subject data, and a date range during which the certificate can be considered valid. Certificates are signed by the Certificate Authority (CA) that issues them. In essence, a CA is a commonly trusted third party that is relied upon to verify the matching of public keys to identity, e-mail name, or other such information. A Digital Certificate typically contains the:

Owner's public key Owner's name Expiration date of the public key Name of the issuer (the CA that issued the Digital Certificate Serial number of the Digital Certificate Digital signature of the issuer

The most widely accepted format for Digital Certificates is defined by the CCITT X.509 international standard; thus certificates can be read or written by any application complying with X.509. Further refinements are found in the PKCS standards and the PEM standard. How a Digital Certificate Is Issued:

Key Generation: The individual requesting certification (the applicant, not the CA) generates key pairs of public and private keys.

Matching of Policy Information: The applicant packages the additional information necessary for the CA to issue the certificate (such as proof of identity, tax ID number, e-mail address, and so on). The precise definition of this information is up to the CA.

Sending of Public Keys and Information: The applicant sends the public keys and information (often encrypted using the CA's public key) to the CA.

E-Commerce

35

Verification of Information: The CA applies whatever policy rules it requires in order to verify that the applicant should receive a certificate.

Certificate Creation: The CA creates a digital document with the appropriate information (public keys, expiration date, and other data) and signs it using the CA's private key.

Sending/Posting of Certificate: The CA may send the certificate to the applicant, or post it publicly as appropriate. The certificate is loaded onto an individual's computer. A digitally verified website can be checked using the following sign.

VeriSign Logo (Courtesy us.norton.com)

While sending messages over the Internet, public key encryption may be used.

Public key encryption is the use of complex mathematical formulas to make data unreadable. Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a public key and a private key one for encrypting the data and a second key to decrypt it. Someone wanting to send a message would request the recipient's digital certificate, which contains the public key, from a trusted directory, and use the public key to encrypt the message before sending. Once the message is encrypted it can only be decrypted using the intended recipient's private key.

The sender can also digitally sign the message using their own private key to prove that the message originated from them. If the message has been digitally signed, the recipient would verify the sender by obtaining the sender's digital certificate from a trusted directory and using this to verify the sender's digital signature. The effectiveness and reliability of the digital certificate is based on the confidence all parties to a transaction have in the structure, policies and procedures surrounding the PKI system.

E-Commerce

36

Use of Digital certificates (Courtesy www.digi-sign.com)

5.5. Non-Repudiation In reference to digital security, non-repudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. There may be cases when a consumer refuses to pay for a given product, claiming that he has not made any purchase even he has done so. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Non-repudiation can be obtained through the use of:

Digital signatures -- function as a unique identifier for an individual, much like a written signature.

Confirmation services -- the message transfer agent can create digital receipts to indicate that messages were sent and/or received.

Timestamps -- timestamps contain the date and time a document was composed and proves that a document existed at a certain time.

Non repudiation can thus be implemented through two ways:-

The buyers and sellers may exchange confirmation messages simultaneously. Assists from Trusted Third Parties (TTP) can be taken for fair exchange of messages and non

repudiation evidences.

E-commerce uses technology such as digital signatures, Digital certificates and public key encryption to establish authenticity and non-repudiation. Traditionally non-repudiation has been achieved by having parties sign contracts and then have the contracts notarized by trusted third parties. Sending documents involved the use of registered mail, and postmarks and signatures to date-stamp and record the process of transmission and acceptance. Digital signatures which have been issued by a trusted authority (such as VeriSign) cannot be forged and their validity can be checked with any major email or web browser software. A digital signature is only installed in the personal computer of its owner, who is usually required to provide a password to make use of the digital signature to encrypt or digitally sign their communications.

On the Internet, a digital signatures is used not only to ensure that a message or document has been electronically signed by the person that purported to sign the document, but also, since a digital signature can only be created by one person, to ensure that a person cannot later deny that they furnished the signature.

Since no security technology is absolutely fool-proof, some experts warn that a digital signature alone may not always guarantee non-repudiation. It is suggested that multiple approaches be used, such as capturing unique biometric information and other data about the sender or signer that collectively would be difficult to repudiate. Email non-repudiation involves methods such as email tracking that is designed to ensure that the sender cannot deny having sent a message and/or that the recipient cannot deny having received it.

E-Commerce

37

5.6. Antivirus Antivirus is generally a software program that continuously monitors database files and services of computer programs stored on the server for any suspicious behavior and takes necessary steps to eliminate infection by viruses and malicious software.

Anti-virus software typically uses two different techniques to accomplish this:

Examining files to look for known viruses by means of a virus dictionary Identifying suspicious behavior from any computer program which might indicate infection

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

In Virus dictionary approach, the antivirus continuously monitors files on servers and computer programs and compares them with a list of predefined viruses and malicious codes. This list of predefined viruses is made available by the author of the antivirus. While scanning, if a file on server matches with virus on the list, the antivirus can either remove it or block that file so that virus does not affect other files or computer programs. Antivirus may even make an attempt to repair the file by removing virus from it. However, for continuous safety, list of viruses must be regularly updated for upcoming viruses regularly coming up.

The antivirus can also be scheduled to scan all files on a regular basis. Although the dictionary approach is considered effective, virus authors may write "polymorphic viruses", which encrypt parts of them or otherwise modify themselves as a method of disguise, so that they are not matched with those on the list.

Suspicious behavior approach, the antivirus does not try to match scanned file to the list, rather it monitors the behavior of all programs. For example, if a program tries to write data to an executable program, this is said as suspicious behavior and the user is alerted and asked what to do. Thus, the suspicious behavior approach therefore provides protection against new viruses that do not exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user.

Another detection method can be using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analyzed for changes which might indicate a virus. However, this scanning is generally done on demand because of performance issues.

5.7. Anti-spam

Email spam which is also known as junk email, is identical message sent to numerous recipients by email. Clicking on links in spam email may send users to phishing web sites or sites that are hosting malware. Spam email may also include malware as scripts or other executable file attachments. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. To prevent email spam , both end users and administrators of email systems use various anti-spam

E-Commerce

38

techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users and administrators. No one technique is a complete solution to the spam problem, and each has trade-offs between incorrectly rejecting legitimate email vs. not rejecting all spam, and the associated costs in time and effort. There are various spam techniques that have been created and implemented since spam started infiltrating people’s inboxes.

Spam Filters

Spam filters work using a combination of techniques in order to filter through the messages and separate the genuine messages from the junk mail. These techniques would rely on the following measures:

Word lists – Lists of words that are known to be associated with spam and are commonly found in unsolicited mail messages.

Blacklists and Whitelists – These lists contain known IP addresses of spam senders (blacklists) and non-spam senders (e.g. friends and family). Therefore addresses that form part of your contact list are automatically registered as whitelist and any emails originating from these email addresses will be sent directly to your inbox

Some ISPs receive requests from legitimate companies to add them to the ISP whitelist of companies. In order to be approved for whitelisting, companies are either required to pay or else they must pass a series of tests to prove that they are not sending out spam emails

Trend Analysis – By analyzing the history of email sent from an individual, trends can help assess the likelihood of an email being genuine or spam. This can be an effective technique to help reduce false positives and improve spam detection rates

Learning or Content filters – Learning filters, such as Bayesian filtering, examine the content of each email sent to and from an email address, and by learning word frequencies and patterns associated with both spam and non-spam messages, it is able to recognize which messages are valid and should therefore be directed towards the inbox, and which are spam and should be sent to Junk.

These techniques all work together to ensure an effective anti-spam technique. By using just one method one risks losing out on valid emails. For example, since organizations such as banks or financial institutions would have a high keyword incidence of words like ‘mortgage’ in valid emails, (a word that is commonly found in spam too), genuine emails could get sent to the spam folder because of this anomaly. However, by combining all these filtering techniques the spam filter will realize that not all messages sent to the bank containing the word ‘mortgage’ is unsolicited mail.

5.8. IP Security Protocol (IPSec)

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, and data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on Internet Engineering Task Force (IETF) standards. Internet Protocol security (IPsec) is truly one of the most useful security technologies.

E-Commerce

39

IPsec Operation

When two computers (peers) use IPsec to communicate, they create two kinds of security associations. In the first, called main mode or phase one, the peers mutually authenticate themselves to each other, thus establishing trust between the computers. In the second, called quick mode or phase two, the peers will negotiate the particulars of the security association, including how they will digitally sign and encrypt traffic between them. Packet signing ensures that the data hasn’t been tampered with in transit; packet encryption ensures that the data isn’t vulnerable to eavesdropping attacks.

A computer can have only one IPsec policy assigned at a time. The policy can have any number of rules, each of which has a filter list and a filter action. Filter lists contain one or more filters that specify the characteristics of the traffic that the rule should process: source and destination addresses, source and destination port numbers, and protocol types. Filter actions specify the behaviors of the rule: whether to permit traffic, block traffic, or negotiate the pair of IPsec security associations. Actions that specify negotiating security can have many options, including encryption suites, per-packet authentication methods, how often to generate new keys, how to respond to incoming insecure requests, and whether to communicate with computers that don’t support IPsec.

Each rule in an IPsec policy combines one filter list with one filter action. Traffic that matches a particular filter list is processed according to the settings in the linked filter action. Rules also indicate the security association’s mode (transport or tunnel, explained later) and one of three phase one authentication methods:

Preshared keys. We use preshared keys only when testing your IPsec policies. Every peer that participates in the same security policy will need the same preshared key. Furthermore, they’re stored in the registry and clearly visible to anyone with administrative privileges on the computer.

Digital certificates. As long as each peer possesses an IPsec or computer certificate signed by an authority the other peer trusts, the peers will authenticate to each other. Digital certificates are much preferred over preshared keys because each peer can have its own certificate, and a multilevel certificate hierarchy can help create more granular IPsec policies. For example, super-secure Machine A might accept only certificates signed by high-value Authority X, while sort-of-secure Machine B might accept certificates signed either by high-value Authority X or medium-value Authority Y.

Kerberos version 5 protocol. If both peers are in the same Active Directory forest, IPsec on computers running the Windows Server 2003 operating system can also use the Kerberos protocol for the initial computer-to-computer authentication. Kerberos is appropriate if you don’t have a public key infrastructure (PKI) and don’t need to establish IPsec security associations between computers outside a single forest.

5.9. SSL (Secure Socket Layer) Secure Socket Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data − a public key known to everyone and a private or secret key known only to the recipient of the message. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http: Another protocol for transmitting data securely over the World Wide Web is

E-Commerce

40

Secure HTTP. Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.

Once the client and server have decided to use TLS/SSL, then the steps followed by both parties to ensure secure communication are:

1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.

2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.

3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.

4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.

5. If the server has requested client authentication, the client also signs another piece of data that is unique to this handshake and the client's own certificate to the server along with the encrypted pre-master secret. If the client cannot be authenticated, the session ends.

6. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.

7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity.

8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.

9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.

E-Commerce

41

6. TECHNOLOGIES REQUIRED BY USER

Some of the technological features taken up by the consumers in e-commerce are:- Personal Computer. Password protection. Virtual Keyboards. Antivirus and Anti-spam.

6.1. Personal Computer Personal computer is a must to do an online transaction. It is also said to be a best scenario when a consumer buys a product online using his personal computer. PCs are private devices and therefore our personal details such as passwords, credit card numbers etc. cannot be leaked to anyone else. There are two main areas of risk when using a public terminal. First someone may be using a session logger to record the flow of data between the PC you are using and the websites you visit. Second there may be a keylogger fitted to the PC that allows someone to capture your keystrokes and sometimes your mouse clicks and screen session as well.

6.2. Virtual Keyboards A virtual keyboard is a software component that allows a user to enter characters. A virtual keyboard can usually be operated with multiple input devices, which may include a touch screen, an actual keyboard and a computer mouse.

Virtual Keyboard (Courtesy www.digitaltrends.com) A hardware circuit can be placed between keyboards and computers for keylogging. All the keystrokes can be stored and stored for later use. There are some Trojans available in the market that can note and store the keystrokes and send them to the hacker trying to steal the password. Once these are activated, they can note passwords entered online and generally work in the background without the user coming to know about them. This can create a problem as our password can be taken and thus break the security. Thus, by using virtual keyboards we can eliminate use of traditional keyboard for entering sensitive information such as password, credit card number etc. However, virtual keyboards may present disadvantage that some Trojans can take screenshots of keys pressed of the virtual keyboard. So, anti

E-Commerce

42

screen shot virtual keyboards can be used where pattern of keys gets continuously changed every time we press a keyboard key.

6.3. Password protection

Passwords are used for security purposes so that any other person is not able to misuse user’s authority. Passwords are like keys and are unique to a particular user. One cannot use his account without entering his password so that anyone else cannot log into user’s account. Hence, passwords can be used to verify user’s identity. However, care must be taken with one’s password and must be kept secured. Some do’s and don’ts for a user are:- Do’s

Create different passwords for different accounts and applications. Change your passwords regularly. Keep the password within ourselves, do not disclose it. Keep your passwords easy, so we don’t have to keep it in written. Do use a combination of uppercase and lowercase letters, symbols, and numbers. Do try to make your passwords as meaningless and random as possible.

Don’ts

Don't answer "yes" when prompted to save your password to a particular computer's browser. Instead, rely on a strong password committed to memory or stored in a dependable password management program.

Don’t use same password for various accounts and applications. Don't use a derivative of your name, the name of a family member, or the name of a pet. Don't use names or numbers associated with you, such as a birth date or nickname. Don't use a solitary word in any language. Hackers have dictionary-based tools to crack these

types of passwords. Don’t write your password anywhere and don’t disclose it.

6.4. Antivirus and Anti-spam These are softwares that are used for security against various viruses and Trojans. These are similar to those used in web servers. But antivirus for a user protects his personal computer and is installed on it. Regular updates are required to keep virus dictionaries up to date. Some of the anti viruses used on personal computers are AVG, Norton Internet Security, Kaspersky, and Quick Heal etc. AVG is one such anti-virus. Some of DETECTION METHODS provided in AVG are:-

AVG logo (Courtesy www.holyworldwide.com)

E-Commerce

43

The key to AVG’s efficiency in detecting infected files and exploits is the technology’s multiple layers of protection. Files are pre-processed - and those deemed unnecessary for virus analysis are excluded to enable faster scanning.

Signature-based detection This attempts to match files to known virus signatures. Detailed analysis is then performed to identify the exact infection.

Polymorphic-based detection A common method for detecting known viruses, this is used to determine new variants of recognized viruses, even if the new variant behaves differently.

Heuristic-based analysis The third looks at the way software behaves in order to identify whether or not it is malicious. This allows it to detect a virus, which is not included in the internal virus database.

Behavior-based analysis This is the fourth layer for detecting viruses which looks at how software behaves to determine hostile file behavior and preventing their execution.

7. POTENTIAL THREATS IN E-COMMERCE

Various potential threats in e-commerce are:-

Tricking a shopper

Generally in phishing schemes, users are directed towards a fake website having similar visual characteristics to that of the original. If user isn’t successful in distinguishing between original and fake, he can get caught and if personal details such as passwords, credit card details etc are entered on these sites; this can be misused by the hackers. So, a user should remain careful and try to find ways to distinguish between the original and the fake. A user can look for:-

Digital Certificates:

: One of the easiest attacks is tricking a shopper where observations are kept on a shopper and information is gathered about them and is used against them. One of the common methods of tricking a shopper is by phishing schemes where attempts are made to acquire information such as username, passwords, credit card details using fake website.

These are digital certificates as discussed earlier that are issued by a government recognized organization which proves the authenticity of the original websites. This government’s recognized organizations act as Third Party Trust (TTP). These certificates are not issued easily but only after verifying various companies’ documents to who certificate is being issued. These certificates are only issued by government recognized organizations and thus a user can rely on these. A user can look for following similar logo:

Snooping the shopper’s computer: Many times, security features are not enabled by a user which can allow entry of a hacker using tools such as SATAN, to perform port scans on a computer that detect entry points into the machine. Based on the opened ports found, the

E-Commerce

44

attacker can use various techniques to gain entry into the user's system. Upon entry, they scan your file system for personal information, such as passwords. A user can be secured from this type of attack by following security measures. These features prevent hackers from entering user’s computer. These are: Firewall: As discussed earlier, these continuously monitor incoming data and restrict entry to unwanted data and hackers which can be defined by a set of protocols. It will restrict the entry of user as soon as it finds something wrong about it. Also, it restricts entry of various viruses and Trojans from entering by continuously examining incoming data and by matching it with the permissible data.

Sniffing the Network:

A user can be made secure from sniffing by using SSL and TLS encryption during communications. Encryption:

Here, attacker continuously monitors data between user’s computer and server. Attempts are made by the attacker to steal shopper’s personal information. Monitoring is usually done near shopper’s computer or near server because it is difficult to monitor at middle of both as data is transferred using encrypted packets that can take various routes. Thus, it becomes difficult to monitor all packets. Wireless hubs make attacks on the shopper's computer network the better choice because most wireless hubs are shipped with security features disabled.

This is mainly done so that a hacker cannot read data currently being transferred to and from user. The user encrypts data and then sends through the network. This can be decrypted only by merchant and vice versa. Also, modern encryption techniques are very good and hackers may find years to decrypt it. Hence, the communication remains secure.

Using root server exploits:

IDPS

It refers to the techniques that gain access to server. With a root exploit, you gain control of the merchants and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server. In buffer overflow attack, the server is tricked to execute code written by the attacker. Executing scripts against server require knowledge of scripts on which servers are running. The attacker tries to build scripts in the URL of his browser to retrieve information from server. This technique is used when the attacker is trying to access information from server.

: It continuously monitors ports. If it finds a user trying to affect server by gaining entry from same port again and again, it can block the user from entering and put that IP address in blacklist. Thus, it can prevent hackers from gaining entry.

Pharming:

Digital certificates-

In this technique, hacker’s attack is intended to redirect website traffic to another bogus website. The fake websites presents a similar look to that of the original website.

These are a source of visible trust for a user. Digital certificates are provided by trusted third party approved by the government. These certificates authenticate a given website and are a proof that the current site is a valid site.

Viruses and Trojan Horses permit a remote attacker access to a destination computer. Once the Trojan is installed on the destination computer, attacker is allowed to perform various functions such as data theft, downloading or uploading or modification of files on destination computer,

E-Commerce

45

electronic theft, crashing a computer etc. Some of the popular Trojan horses are Netbus, Subseven, Y3K Remote Administration Tools, and Back Orifrice etc. Antivirus suite-

8. IMPACT OF TECHNOLOGIES BY MERCHANT ON USER

This a complete package of security features that protect a computer from various viruses and Trojan horses. Antivirus continuously monitors a computer for viruses and unusual behavior with the computer by any program.

Hence, security remains a concern in e-commerce. As e-commerce transactions involve a user and a host environment, security measures are taken from both sides. Security measures can be of the form of technological steps used by merchants for protecting e-commerce transactions and consumer database. With continuously changing world, merchants as well as consumers have taken new and innovative technological measures to remain secure.

Now, we can summarize various technologies used by e-commerce merchants and their impact on customers using website maintained by the merchant. From the following table, we can clearly see the technologies being used by the users and their role for customers.

Technology By Merchant

Impact on Customers

Server A good server can make online transactions fast and reliable. So, users don’t have to wait for long for making transactions and online payments. A good Shopping Cart Software is also necessary to have healthier interactions with the customers.

Firewall Better the firewall, better the protection of server having customer database. Thus, the customer can feel secure about his personal details.

Digital Certificate Digital Certificates ensure that the website currently being visited by customer is not a phishing website but is a secured website. Digital Certificates are issued by government organizations and act as Third Party Trust (TTP). These authenticate a given website that it is safe and details entered will not be misused.

Non Repudiation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. This is necessary because neither the merchant nor buyer can refuse the transaction between them.

IPSec Internet Protocol security (IPsec) is cryptographic security service to protect communications over Internet Protocol (IP) networks. This is generally done to ensure safe connections so that customer information is not hacked by anyone else.

E-Commerce

46

SSL Protocol used for encryption of data so that connection made is secure. Secure connection removes hesitation by user in entering his personal details as data encrypted is not easy to decode and misuse.

Antivirus and Anti-Spam A good anti-virus and anti-spam prevent web servers from being attacked by hackers. Hence, these provide an extra layer of security and eliminate possibilities of internet attack. Customer feel secure and trust makes users visit website more.

9. TECHNOLOGICAL REQUIREMENTS BY A USER FOR A SECURED TRANSACTION

We can also summarize technologies required by a user and their respective roles.

Technologies By User Role Personal Computer It is a necessary requirement as e-commerce transactions cannot be

carried without a computer. Generally, it is recommended that one must use a personal computer and not a public computer.

Virtual Keyboards It is software that allows a user to enter characters without using a physical keyboard. It is necessary as some Trojans can record keystrokes on keyboard and send them to hacker. Hence, virtual keyboards are necessary as they eliminate possibility of recording keystrokes.

Password Protection Passwords are set so that another person is not able to access another user’s account. Passwords should be disclosed to anyone and the user must follow some do’s and don’ts to remain secure.

Anti-virus and Anti-spam These are softwares to protect user from viruses and Trojans. A User with a good and updated anti-virus keeps the user protected.

10. ROLE OF SECURITY TECHNOLOGEIS ON USER-MERCHANT TRANSACTION

Here, we will see the role played by various technologies on user-merchant transaction in an interactive manner. We will also see technologies used for security purposes by both user and merchant.

E-Commerce

47

AUTHENTICATION [THIS FEATURE IS USED SO THAT NO ONE ELSE THAN THE USER CAN ACCESS THE ACCOUNT

]

ANTI-VIRUS & ANTI-SPAM

PERSONAL COMPUTER [PHYSICAL HARDWARE]

VIRTUAL KEYBOARD [ELIMINATES USE OF PHYSIACAL KEYBOARD]

FIREWALL [ALSO DETECT SUSPICIOUS BEHAVIOR OF ANY USER]

SANDBOX

ANTI-MALWARE

SafeZone: Secures shopping & banking

[Courtesy avast antivirus]

VISIBLE TO USER

PHYSICALLY PRESENT WITH

USER VISIBLE TO USER

FIREWALL IS NOT VISIBLE

TO USER

SOME STEPS ARE:- USER LOGIN ID USER

PASSWORD SECURITY

QUESTIONS

NECESSARY REQUIREMENT TO CARRY OUT E-COMMERCE TRANSACTIONS THUS SHOULD BE:-

FAST RELIABLE &

SECURED

SOFTWARE ALLOWING USER TO ENTER CHARACTERS WITHOUT USING KEYBOARD THUS ELIMINATING POSSIBILITY OF KEYSTROKES BEING RECORDED THROUGH PHISICAL KEYBOARD BY VARIOUS TROJANS

IT IS GENERALLY INSTALLED TO RESTRICT ACCESS OF OTHER TO USER’S COMPUTER

CONTINUOUSLY MONITORS COMPUTER FOR VIRUSES

FEATURE THAT ENABLE TO SIMULATE A FILE IN PARTICULAR ENVIORNMENT

COMPLETE ANTI-VIRUS SUITE FOR

PC

COURTESY

WWW.TECH2DATE.COM

HELPS WITH INTERNET SECURITY

Malware doesn’t just want to disrupt network, it wants keystrokes, logins, passwords, address book, data, credit card information hence it becomes necessary to get secured from them

(COURTESY WWW.ABNGLOBALONLINE.COM)

USER

SECURITY FEATURES USED BY USER

AFTER PASSING THROUGH ALL SECURITY CHECKS, REQUEST IN ENCRYPTED FORM IS SENT TO MERCHANT

USER PUTS AN ONLINE REQUEST TO USER. FOR EG: PLACING A SHOPPING ORDER ONLINE

E-Commerce

48

(COURTESY WWW.CLIPARTOF.COM) USING ENCRYPTED FORM OF COMMUNICATION A HACKER CAN BE MADE

CONFUSED

http://www.google.com

https://www.google.com

AFETR ESTABLISHING CONNECTION, CUSTOMER WILL ENTER HIS DETAILS IN ENCRYPTED FORMS

AFTER DECRYPTION OF USER DATA, MERCHANT WILL ALSO SEND SSL ENCRYPTED FORM SO THAT COMMUNICATIONS REMAINS SECURED

IN IPSec MODE BUYER COMPUTER ALSO CALLED CLIENT WILL TRY TO ESTABLISH A SECURED CONNECTION. THIS CAN HAPPEN IN TWO WAYS:-

MAIN MODE OR PHASE NODE: HERE BOTH PEERS WILL MUTUALLY AUTHENTICATE EACH OTHER, THUS BUILDING TRUST.

QUICK MODE OR PHASE MODE: HERE PEERS WILL NEGOTIATE WITH PARTICULAR SET OF SECURITY

FOR IPSec OPERATION THE MERCHANT SERVER OR SIMPLY SERVER WILL RESPOND TO USER FOR ESTABLISHING SECURED CONNECTION

ADDITIONAL‘s’ WITH http INDICATES SSL CONNECTION

BEFORE SSL ENCRYPTION

E-Commerce

49

AUTHENTICATION USER LOGIN PASSWORD SECURITY QUESTIONS PRESET IMAGES

FIREWALL HELPS IN ILLEGAL ENTRY OF A

USER VARIOUS TECHNIQUES SUCH AS

PACKET FILTER, APPLICATION GATEWAY & CICUIT LEVEL GATEWAY ARE EMPLOYED

DIGITAL CERTIFICATES ENSURES WEBSITE IS NOT A

PHISHING WEBSITE DETAILS ENTERED BY USER

WILL NOT BE MISUSED

ANTI-VIRUSES AND ANTI-SPAMS

SEUCURES FROM INTERNET ATTACKS

HELPS IN SECURING FROM VARIOUS SPAMS

SECURE SOCKET LAYER ENCRYPTION PROTOCOL FOR

MAKING CONNECTIONS SECURED

REMOVES USER HESITATION

IPSec CRYPTOGRAPHIC

SECURITY SERVICE TO SECURE COMMUNICATION OVER THE NETWORK

WORKS ON PRINCIPLE OF CLIENT-SERVER COMMUNICATION

VISIBLE TO USER

VISIBLE TO USER

VISIBLE TO

USER

NOT VISIBLE

ONE CAN VIEW ONE’S INSTALLED ANTI-VIRUS BUT

NOT OTHERS’

VISIBLE TO

USER

Ensures that no one else logs in & Hence builds user trust

Act as third party trust for the merchant & hence increase user trust on it

‘S’ appear with http as https ensuring ssl encryption hence increasing user trust

Prevents unknown data from entering server & continuously monitors all ports for suspicious activity

Regularly monitors server and provides internet security

Increases trust of user by providing secured communication

NON REPUDIATION WAYS TO ENSURE THAT

NEITHER BUYER NOR SELLER BACKS FROM A GIVEN TRANSACTION

DIGITAL SIGNATURES CONFIRMATION SERVICES TIMESTAMPS

USER CANNOT REFUSE AFTER MAKING TRANSACTION AND SO THE MERCHANT HENCE CAN PREVENT BUYER FROM DENYING PAYMENTS

VISIBLE TO USER

COURTESY WWW.BEST MERCHANTRATES.COM

MERCHANT

SECURITY FEATURES EMPLOYED BY MERCHANT

INCOMING REQUESTS HAVE TO PASS THROUGH SECURITY PROCEDURE USED BY MERCHANT

USER REQUEST AFTER PASSING THROUGH SECURITY FEATURES ARE DECRYPTED & USER DETAIL REACH MERCHANT AS IT IS

E-Commerce

50

11. SUMMARY OF TECHNOLOGIES EMPLOYED BY BOTH USER AND MERCHANT IN TABULAR FORM

FFEEAATTUURREE CCUUSSTTOOMMEERR MMEERRCCHHAANNTT CCOOMMMMOONN VVIISSIIBBIILLIITTYY IIMMPPAACCTT NNAATTUURREE TTRRUUSSTT

AUTHENTICATION VISIBLE TO BOTH

RESTRICTS ENTRY TO

USER ONLY

PROACTIVE INCREASES ON BOTH SIDES

SERVER ---- NO NOT VISIBLE TO

USER

GOOD SERVER

ENHANCES SPEED AND

WEB TRAFFIC

PROACTIVE USER TRUST INCREASES ON

MERCHANT

FIREWALL NOT VISIBLE TO

EACH OTHER

RESTRICTS DATA

EXCEPT FOR THAT REQUIRED BY USER

PROACTIVE INCREASES ON BOTH SIDES

DIGITAL CERTIFICATE

---- NO VISIBLE TO USER

ASSURES USER THAT

WEBSITE HE IS

VISITING IS NOT A

PHISHING WEBSITE

PROACTIVE USER TRUST INCREASES ON

MERCHANT

ANTI VIRUS SUITE NOT VISIBLE TO

EACH OTHER

KEEPS USER AND

MERCHANT SERVER

FREE FROM VIRUS

ATTACKS

PROACTIVE INCREASES ON BOTH SIDES

SSL & IPSec VISIBLE TO BOTH

ENCRYPTED FORMS OF

DATA IS NOT EASILY

NOT READABLE

PROACTIVE BOTH GET ASSURED OF

SNIFFING

NON REPUDIATION

---- NO MAY OR MAY NOT BE VISIBLE

NEITHER BUYER NOR MERCHANT

CAN REFUSE A

TRANSACTION

PROACTIVE AS WELL AS REACTIVE

MERCHANT GETS

ASSUERED OF PAYMENT

E-Commerce

51

IP ADDRESS CAPTURE

---- NO VISIBLE TO USER

FAKE USER MAY

NOT ATTEMPT TO GAIN

ACCESS ON OTHER’S BEHALF

ACTIVE THIS CAN LEAD TO

DECREASE IN FRAUD

TIME STAMPS ---- NO NOT VISIBLE TO USER

ACCESS TIME IS

RECORDED

REACTIVE HELP IN DETECTING

FRAUD

INVESTINGATING PROCEDURES

---- NO NOT VISIBLE TO USER

METHODS TO

DETECT FRAUD

REACTIVE HELPS IN DETECTING

FRAUD

PROACTIVE V/S REACTIVE SECURITY MEASURES As we can clearly see that most of the security steps are proactive by nature, these are always desirable. One should always try to prevent frauds over internet and not just wait for frauds to happen and take some actions afterwards. Reactive measures are also cost consuming as investigations regarding fraud require extra manpower and time. Also, one must not forget “PREVENTION IS BETTER THAN CURE”.

E-Commerce

52

12. Study of Comparison of E-Commerce setup of AIR INDIA and British Airways

AIR INDIA is a government run airlines and has its own webpage at www.airindia.com. AIR INDIA presents its e-commerce portal at its webpage for online bookings and payments. We will now study AIR INDIA’s E-Commerce portal from security and consumer friendly’s perspective. Let us first list details to which a first time user will directly refer to:-

Customer friendly interface Website’s digital certification logo Address Bar for any encryption currently being employed during communication

If a user doesn’t find the webpage good and interactive, it is unlikely that he will proceed further. A good website should clearly present all the information required by the user which also helps in building user trust by clearing all his doubts about the website. Hence, chances are increased when users are provided with all the relevant information. In today’s world of internet many websites are added daily. Many times hackers create fake websites similar to original ones so that users are tricked. Hence, to differentiate between these digital certificates are used. So, a user can know about the authenticity about the website by looking at digital certificates. A digitally certified website will have a digital certificate logo on its website and users can check for these. Another feature that a user can look to is encryption. It can be visually seen that if a website is interacting using encryption we can notice the following change: Before Encryption: http://www.google.com After Encryption: https://www.google.com Green color with additional “s” with ‘http’ confirms encryption. If there is encryption currently being used one can be assured that hackers can’t know conversation between user and website.

Now let’s start with www.airindia.com

E-Commerce

53

The first thing that a user might look for is the authentication of the website. No Digital Certificate logo has been put up by the company which can be used for checking the authenticity of the website. This can create doubts in mind of a new user. Next point that a user will observe is the response time of the website. The Response Time of the Air India website is good. A user doesn’t need to wait for loading of webpage and can browse website without any delay.

My ratings for visible trust- POOR My ratings for Response Time- VERY GOOD

E-Commerce

54

British Airways have also not put any digital certificate on their webpage. However, the front page has been designed such that a user might still get convinced about the authenticity of the webpage. The Response Time for the website is also good. My ratings for visible trust- GOOD

My ratings for Response Time- VERY GOOD

Then a user looks for the content of the website. For Air India, Positive aspects

Booking portal provided by the company is easier to use. It is also easier to browse through the website.

FAQ’s can help a user clear much of his doubts. They have been put up in a good manner with an additional option of viewing it in Hindi.

The good thing is that the company mentions its contact numbers and address of its offices with their respective contact details at various places in India. For e.g.- company’s office at Delhi is at Air India Limited Reservations, Safdarjung Airport, Aurobindo Marg, New Delhi - 110003. [email protected] Telephone- 011 24622220, Fax-011 24653682.

E-Commerce

55

The booking process is also good as only required information is shown to user. The user is provided with options such as currency converter and breakdown of taxes for providing consumer satisfaction.

User is also provided with options such as ‘New Search’ so that a user can start a fresh booking if he is not satisfied with current travel search.

Assistance is given to user while entering details such as name. It gives user an option for having booking information being sent to user’s mobile (only to Indian

users).

Negative aspects Surfing can be made clearer by proper positioning of various offers provided to customer. The

various options put up look clumsy as they have been put together without much differentiation among them and hence making it difficult for each option to grab user’s attention at first sight.

The booking portal should be made a bit different, thus making it catchier so that it gets primary notice of user. It looks just mixed between various options. The website can be presented in a much interactive manner having flash messages, good graphic images and displaying various offers clearly.

Frequent Flyer option can be made small. General terms and conditions for online booking have been put up in a dull manner without any

proper manner without any proper format. One will have to browse through entire pdf for information regarding ticket cancellations and refunds etc.

Fare chart put up by the company cannot be understood by users as it uses various codes to define various terms etc. Also, various options like hotel booking and car rental service leave a bad impression as a warning from Air India is issued to user trying to access these options. It also shows poor relation between Air India and its partners.

The company has not put its privacy policy on its front page. My ratings for content management for Air India- GOOD For content management of British Airways- Positive aspects

The booking portal for the airways has been clearly put and is distinct from other options. Various offers have been put in excellent manner and are capable of drawing user’s attention at

first sight. One can easily access option for help and contacts. One can easily get information regarding refund of tickets, complaints and contact numbers for

the airlines. The company has provided a wide range of FAQ’s with a search engine for customer’s

assistance. The company has clearly mentioned its general terms and condition and its privacy policy under

the legal heading.

E-Commerce

56

Negative aspects

The webpage of the website is a bit long in length and some users may not like to scroll down till the end for various offers.

The response time for website increases when a user tries to access airline’s partners such as hotels and car rental services. Sometimes, users can also experience delay while accessing general terms and conditions.

The company has not provided any fare chart. So, a user will have to go through booking procedure for knowing the fare.

My ratings for content management for British Airways- VERY GOOD

E-Commerce platform for Air India

A merchant may offer various payment options to the customers and users can choose payment mode according to their wish. The various payment modes a merchant may offer are-

Cash On Delivery. (COD)

E-Commerce

57

Pay Order/ Demand Draft Cheque Payment Gateway- Credit cards and Debit cards. Net Banking.

Current payment options for Air India include card payments and bank transfers. One can make payments through cards issued by VISA, MASTERCARD and AMERICAN EXPRESS only.

If a user chooses a Credit Card payment option, he will be asked to fill details of card and proceed with the payment.

As of now, Air India accepts debit cards with payment gateway as Bank of India, Indian Overseas Bank, and State Bank of India, Union Bank of India and Punjab National bank only. If we proceed with debit card payment, the company issues a notice that ‘Payment will be taken remotely’ and will be directly directed towards the payment gateway of the respective bank. Users will be charged with fees set by the respective payment gateway which is being used. For e.g. Indian Overseas Bank charges Rs. 10 per transaction.

Hence, users are given flexibility of choosing payment gateway with respective fees being charged which is a good move as it makes it transparent that the company is not charging any extra charge for the given transaction.

E-Commerce

58

Also, a good thing that company does is that it offers users with taxes and charges separately as shown below,

Refund Policy- the Company does not clearly states its Refund policy while making bookings. A user will have to browse through FAQ’s specified by the company. One can get information about procedures for making a refund for both domestic and international bookings.

For time to get refund as stated by company is-

‘In normal circumstances a refund is processed almost immediately. However, in case of a credit card bank transfer, it takes a minimum of twenty days and in case of a lost ticket, it takes a minimum of six months as the mandatory cooling period needs to be met with and the documents are processed by our Central accounts office.’

However, the company does not state fees charged for making a refund.

My ratings for e-commerce platform of Air India- VERY GOOD

E-Commerce

59

E-Commerce platform for British Airways- Currently, British Airways accepts card payment of following types-

VISA MASTERCARD Diners Club American Express Airplus/UATP

Users are given options to select the type of card with which user is willing to make payments. After selecting card type, users are asked to enter card details. At the point of making payment, fees charged for using cards is not specified and thus a user cannot know about fees charged. The airline just mention that- Selecting 'Make booking' will confirm your purchase and charge your payment card. Refund Policy- the company clearly mentions it refund policy in its Help and Contacts option. One can get complete information regarding refunds. While entering card details for payments the company also gives a message regarding times when information entered by the user is not correct and the user has paid money. One can check for this by viewing following message by the airline.

For Refund or Cancellation charge, the airline mentions this under Fare Conditions while displaying the desired flight details as shown below,

E-Commerce

60

My ratings for e-commerce platform of British Airways- GOOD

E-Commerce

61

Privacy Policy of Air India

The privacy policy of the airline has not been put on the front page. Instead, a can find privacy policy while booking a flight through online booking. The privacy policy given by the company is in Hindi and needs to be translated if one does not Hindi too well. The privacy policy says nothing about the confidentiality of user’s details. Instead it only talks about situations where Air India’s e-commerce platform provider will not be held for errors in detail and for content on Air India’s website. This leaves a bad impression on the user. Following is the screenshot of the privacy policy put up by Air India.

However, in general Terms and Conditions Company also states that it shall not disclose any information to any third party and user’s personal information shall be protected. Following is a screen shot of this-

E-Commerce

62

My ratings for privacy policy of Air India-AVERAGE

Privacy policy of British Airways The privacy policy of British Airways is very clear. It answers all questions such as how user’s data is collected and website’s use to user and how the user data is used by the company. It also displays answers for questions such as through what countries user’s data will pass through and to whom this booking data can be disclosed. Following is the screen shot of the privacy policy of the airline-

E-Commerce

63

Hence, user can get his doubts get cleared before proceeding. A user can also see a brief privacy policy while making the payments for a given transaction. Following is the screenshot of it-

E-Commerce

64

My rating for Privacy Policy of British Airways-VERY GOOD

Security features of Air India.com These features help to build on the user trust on the merchant. These give an assurance of safe and guaranteed transaction to the user. Some of these also help in establishing the authentication of the website. Some of these are –

The company has not put any digital certificate logo on its front page. This may create doubts in minds of user that whether the site he is currently browsing is valid or not. Also, one can also see that there is no encryption used while user is on the front page. We can see the screen shot of Air India’s front page as follows-

E-Commerce

65

However, encryption can be seen as one proceeds with online booking. His information can only be seen by clicking at the lock at address bar.

This assures user of safety of his personal data. This is the only visible security that one can look for.

One can also look for various standards which company follows. These can be used for further increasing user trust. However, Air India does not state any such standards on its website.

Also, while making payments by credit card no visible certificate regarding safety of transaction can be seen.

However, while using debit card one can see certification logos of VeriSign etc. at the respective payment gateway he is currently using.

After clicking lock at the address bar while accessing Air India, one can see following messages while online booking-

Identity of website verified by VeriSign class 3 International Server CA-G3. Connection encrypted in 128 bit encryption. Uses TLS encryption.

The screen shot of this is shown below-

E-Commerce

66

While making bookings, users are provided with session time of 20 minutes. Users may or may not be informed about it. If the terminal used by user remains ideal for more than 20 minutes, the server automatically cancel the current transaction of the user and directs him to start again for security purposes.

If a user wishes to come back from a payment gateway while making payments, he will have to start by opening of web browser again as payment gateways are operated by third parties. This is good and increases security features.

My rating for security on Air India’s website- VERY GOOD

Security features of British Airways (ba.com)

The company has not put any digital certificate on its front page. Also, no encryption is employed while communicating on its front page. But, one can see a lock on the address bar once the user starts with booking. Following message can be seen after clicking the lock-

Verified by Global Sign Extended Validation CA-G2. Address of Headquarters of the company is also given here.

E-Commerce

67

128 bit encryption. Uses TLS 1.0

Following is the screen shot of the above information-

E-Commerce

68

British Airways also gives certain time for making a given transaction. If the user remains ideal for a particular screen, the server will automatically cancel user’s current transaction and direct him to start again for security purposes. However, users are not informed about it. Following is the screen shot of this-

E-Commerce

69

One can also see MasterCard etc. security logos while making card payments for the given transaction. These are the visible trust used by British Airways to enhance user trust so that users can proceed without any doubt. Following is the screen shot of the various logos put up by the British Airways.

My ratings for Security of webpage of British Airways-VERY GOOD

E-Commerce

70

13. SUMMARY OF COMPARISON BETWEEN airindia.com AND ba.com IN

TABULAR FORM

FEATURE

Courtesy

(docs.ispconfig.org)

AIR INDIA

(Courtesy onionlive.com)

BRITISH AIRWAYS

(Courtesy competetionrx.com)

VISIBLE TRUST POOR ( NO DIGITAL CERTIFICATE LOGO WITH POOR

WEBSITE PRESENTATION) COMPANY SHOULD BE LOOKING TO PUT UP

ITS DIGITAL CERTIFICATE ON ITS FRONT PAGE

AVERAGE ( NO DIGITAL CERTIFICATE LOGO WITH GOOD

WEBSITE PRESENTATION)

RESPONSE TIME VERY GOOD (THERE WERE NO DELAYS WHILE LOADING

WEBPAGES OF AIRINDIA.COM)

VERY GOOD (ONE WILL GET VERY GOOD BROWSING SPEED

WITHOUT ANY DELAYS) PRESENTATION OF

WEBSITE AVERAGE

(THE BOOKING PORTAL SHOULD BE CLEARLY HIGHLIGHTED WITH OTHER OPTIONS MADE DISTINCT WITH EACH OTHER. VARIOUS PICS AND FLASH PLAYER VIDEOS CAN BE USED)

BOOKING PORTAL CAN BE HIGHLIGHTED & INTERACTIVE IMAGES AND FLASH

MESSAGES CAN BE PUT UP

VERY GOOD (THE BOOKING PORTAL CAN BE SEEN AS ONE

OPENS THE WEBPAGE OF AIRLINES. GOOD INTERACTIVE IMAGES WITH WELL DEFINED

OPTIONS MAKES THE BROWSING EXPERIENCE GOOD)

CONTENT MANAGEMENT

AVERAGE (COMPANY PROVIDES USER WITH ITS CONATCT DETAILS. EASY TO ACCESS

VARIOUS OFFERS. ONE CAN ALSO SEE TERMS AND CONDITIONS AT LOWER END OF

WEBPAGE. FAQ’S ALSO HELP IN A NICE MANNER)

INFORMATION REGARDING VARIOUS TOPICS CAN BE PRESENTED IN AN

INTERACTIVE MANNER

VERY GOOD (THE INFORMATION IS EASY TO ACCESS AND ONE CAN EASILY SEE HELP AND CONTACTS

THAT ARE WELL DEFINED. CAN EASILY INFORMATION REGARDING REFUNDS,

TRANSACTION BOUNCE ETC. FAQ’S ALSO HELP A LOT)

E-COMMERCE PLATFORM

VERY GOOD (COMPANY IS TRANSPARENT IN CHARGING FEES FOR BOOKING THROUGH CARDS AND

HAS A SECURED PAYMENT MODE) COMPANY CAN ALSO LOOK FOR EMI PAYMENTS

BY AGREEING WITH VARIOUS BANKS

AVERAGE (OFFERS CARD PAYMENTS OF VARIOUS CARD

TYPES AND A SECURED BOOKING PORTAL. HOWEVER, COMPANY DOES NOT STATE FEES CHARGED FOR PAYMENT THROUGH CARDS)

SECURITY VERY GOOD (SECURITY OFFERED IN VERY GOOD. APART

FROM ENCRYPTION AND DIGITAL CERTIFICATES, USERS ARE ALLOWED WITH

VERY GOOD (HAS EXCELLENT SECURITY FEATURES. ONE CAN

SEE ENCRYPTION AND DIGITAL CERTIFICATES AND MASTER CODE AND VISA SECURECODE

E-Commerce

71

SESSIONS FOR BOOKING.ALSO, ONE HAS TO START FROM FRESH IF HE WISHES TO COME

BACK FROM A PAYMENT GATEWAY)

WHILE MAKING CARD PAYMENT. USERS ARE PROVIDED SESSIONS FOR BOOKING)

REFUND POLICY VERY GOOD (ASSURES CUSTOMER OF IMMEDIATE

PAYMENTS. ONE CAN GO THROUGH FAQ’S STATED FOR GETTING COMPLETE

INFORMATION REGARDING THIS. VARIOUS CONTACT NUMBERS ARE ALSO GIVEN)

VERY GOOD (ONE CAN GET INFORMATION REGARDING THIS IN VARIOUS FAQ’S SEARCH ENGINE. CONTACT

NUMBERS ARE ALSO GIVEN)

PRIVACY POLICY

AVERAGE (ASSURANCE IS GIVEN THAT USER’S

PERSONAL INFORMATION SHALL NOT BE DISCLOSED TO ANY THIRD PARTY)

VERY GOOD (USER CAN GET ALL HIS ANSWERS THAT WHY

PERSONAL DATA IS COLLECTED, HOW IT IS USED, DATA SHALL NOT DISCLOSE TO ANY

THIRD PARTY ETC.)

E-Commerce

72

14. Let us now have a brief look at WWW.GOINDIGO.COM

The screenshot of front page of goindia.com can be seen as-

The company does not have an impressive front page. The various offers put up are placed in a simple manner but are filled with very bright colors and may not be liked by many customers.

The booking portal is not properly highlighted and is mixed between various options. There are no interactive pictures and flash messages put up on the front page. The airline has not put up any digital certificate logo which can prove authenticity of the

website. The company has an excellent e-commerce platform. The company accepts MASTERCARD, VISA

and AMERICAN EXPRESS cards for payment. It also accepts debit card of selected banks. Apart from these the airline offers NET BANKING facility and EMI facility for CITI BANK and HDFC Banks.

Disclaimer and privacy policy of the airline can be viewed from front page. One can get much information regarding his doubts from these.

A TOLL free number with certain e-mails have been put up by the company for contact by users.

E-Commerce

73

Encryption is used as a security procedure. One can also see MASTERCARD SECURECODE and VERIFIED BY VISA logos while making card payments. Also, airline uses a proactive security measure as it clearly states that users for security measures user’s IP address with the airline is ****. This has been highlighted in the following screenshot-

MY RATINGS FOR GOINDIGO.COM- AVERAGE

E-Commerce

74

15. Let us now take a brief look at some other e-commerce portals-

MAKEMYTRIP.COM

Makemytrip.com is a holiday packages, flight, and rail etc e-commerce portal. The website has not an excellent presentation but various offers and options are easy to browse

through and use. One can see various options for flight booking and rail booking etc very easily. The website builds an immediate trust in user’s mind as one can go through various

authentication logos like Trustwave, VeriSign etc. One can click on these for obtaining more information regarding respective logo. The Trustwave logo’s screenshot can be seen above-

Content management of the website is very good but users may face delays while browsing through the website.

Booking portal is very good. For e.g. - for flight bookings, users are provided with all possible fares by various airlines and choose according to their wish. At, the same time lowest possible shares are shown to the user.

One can also have a look for lowest possible fares for flights using their given calendar. One can even see lowest possible shares for a month from now and decide his flight accordingly.

E-Commerce

75

The company offers various payment modes such as Credit Cards, Debit cards, Net Banking and Cash Cards and are secured.

The company clearly states its refund policies and privacy policies clearly and can be seen at the front page.

Contact numbers for various transport modes etc. are mentioned under contact us option.

The screenshot of Digital Certificate by Norton Secured VeriSign is shown as below-

MY RATINGS FOR MAKEMYTRIP.COM- VERY GOOD

E-Commerce

76

REFERENCE

1. AIRINDIA.COM 2. BA.COM 3. GOINDIGO.COM 4. MAKEMYTRIP.COM 5. STARTRUNGROW.COM 6. NETWORKSOLUTIONS.COM 7. SLIDESHARE.COM 8. COMMERCEPAGE.COM 9. DESIGNZZZ.COM 10. BIUSSNESS.COM 11. SERVE-FIRST.COM 12. ADVICEGUIDE.ORG.UK 13. DIGI-SIGN.COM 14. ANZ.COM 15. SUIDOO.COM 16. ESERVGLOBAL.COM 17. LEOS-LIES.BLOGSPOT.COM 18. HDFCBANK.COM 19. CREDITCARDCHASERS.COM 20. TRAVELANDTOURWORLD.COM 21. USA.VISA.COM 22. ALIBABA.COM 23. WEBSITEWAREHOUSE.COM 24. BESTSECURITYTIPS.COM 25. US.NORTON.COM 26. DIGITALTRENDS.COM 27. HOLYWORLDWIDE.COM 28. TECH2DATE.COM 29. CLIPARTOF.COM 30. MERCHANTRATES.COM 31. IBM SOFTWARE E-COMMERCE BUSINESS TO BUSINESS SALES AND MARKETING 2010 32. E-COMMERCE AND SECURITY- 1DL018, INTRODUCTORY COURSE ON E-COMMERCE SECURITIES

BY KJELL ORSBORN 33. PAPER “ SECURE AUTHENTICATION USING ANTI-SCREENSHOT VIRTUAL KEYBOARD “ BY ANKIT

PAREKH, AJINKYA PAWAR, PRATIK MUNOT AND PIYUSH MANTRI 34. VISA E-COMMERCE MERCHANTS’ GUIDE TO RISK MANAGEMENT, TOOLS AND BEST PRACTISES

FOR BIULDING A SECURE INTERNET BUSINESS 35. WIKIPEDIA