E-Commerce Infrastructure
Jan 13, 2016
Learning Objectives
1. Understand the major components of EC infrastructure.
2. Understand the importance and scope of security of information systems for EC.
3. Learn about the major EC security
4. Identify and assess major technologies and methods for securing EC access and communications.
5. Describe various types of online payment.
4-2 Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall
The Information Security Problem
Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Security is needed for:
- Personal information
- Financial information
- Business information
- National information
EC Security Threats and Attacks
There are many threats to EC security:
- Virus: A piece of software code that inserts itself into a program (host) and changes the action of that program.
- Worm: A software program that runs independently, consuming the resources of its host.
- Trojan horse: A program that appears to have a useful function but contains a hidden function that presents a security risk.
EC Security Threats and Attacks
- Banking Trojan: A Trojan that comes to life when the computer's owner visits an e-banking or e-commerce site.
- Denial-of-service (DoS) attack: Using specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
- Spam: The electronic equivalent of junk mail.
- Hacker: Someone who gains unauthorized access to a computer system.
- Cracker: A malicious hacker who may change code and steal information from the hacked systems.
EC Security Threats and Attacks
- Zombies: Computers infected with malware.
- Page hijacking: Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites.
- Botnet: A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
Figure (slide 4-8): This technique is called 'Phishing'.
EC Security - Assurance Model
Internet Security Assurance Model: Three security concepts important to information on the Internet: confidentiality, integrity, and availability.
- Confidentiality: Assurance of data privacy and accuracy.
- Integrity: Assurance that stored data has not been modified without authorization; a message that was sent is the same message as that which was received.
- Availability: Assurance that access to data, the website, or other EC data service is timely, available, reliable, and restricted to authorized users.
EC Security - Defense Strategy
EC Security Requirements:
- Authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC website.
- Authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
- Nonrepudiation: Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.
- Encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.
- Auditing
- Availability
EC Security - Defense Strategy
Some of the technologies used to provide EC security:
- Anti-virus: to protect a computer from viruses.
- Anti-spyware: to protect a computer from spyware.
- Firewall: to protect a network from unauthorized access.
- Secure Sockets Layer (SSL): used to encrypt data transferred between the server and the client.
The Payment Revolution
There are different methods for online payment:
1. Using Payment Cards
2. Smart Cards
3. Stored-Value Cards
4. Micropayment
5. E-Checks
6. Mobile Payment
The Payment Revolution
Choosing the E-Payment Method: Critical factors that affect choosing a particular method of e-payment can be:
- Independence
- Portability
- Security
- Ease of Use
- Transaction Fees
- International Support
- Regulations
Using Payment Cards Online
Payment card: Electronic card that contains information that can be used for payment purposes:
- Credit cards
- Charge cards
- Debit cards
Processing cards online:
- Authorization: Determines whether a buyer's card is active and whether the customer has sufficient funds.
- Settlement: Transferring money from the buyer's to the merchant's account.
Using Payment Cards Online
Fraudulent card transactions
Key tools used in combating fraud:
- Address Verification System (AVS): Detects fraud by comparing the address entered on a Web page with the address information on file with the cardholder's issuing bank.
- Card verification number (CVN): Detects fraud by comparing the verification number printed on the signature strip on the back of the card with the information on file with the cardholder's issuing bank.
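The two-step card processing (authorization, then settlement) and the AVS/CVN checks described above, as an added toy model; this is not code from the textbook or from any card network, and the card numbers, ZIP codes, balances and the issuer/merchant record layout are constructed assumptions.

```python
# Added example: issuer-side authorization with AVS and CVN checks, followed
# by settlement. All records below are constructed sample data.
import hmac
from dataclasses import dataclass, field

@dataclass
class CardOnFile:
    active: bool
    available_funds: int       # cents, so the arithmetic is exact
    billing_zip: str           # the value AVS compares against
    cvn: str                   # known to the issuer; merchants must not keep it after authorization (PCI DSS)
    holds: dict = field(default_factory=dict)   # auth_id -> amount held, not yet moved

def sample_issuer():
    """Constructed issuer records: one usable card and one blocked card."""
    return {"4000-0000-0000-0001": CardOnFile(True, 12000, "90210", "123"),
            "4000-0000-0000-0002": CardOnFile(False, 50000, "10001", "999")}

def authorize(issuer, card_no, amount, entered_zip, entered_cvn, auth_id):
    """Authorization: card active? CVN and AVS match? enough funds free after
    existing holds? Approval only places a hold; no money moves yet."""
    card = issuer.get(card_no)
    if card is None or not card.active:
        return "declined: card inactive"
    # constant-time comparison, since the CVN is a secret-like value
    if not hmac.compare_digest(card.cvn.encode(), entered_cvn.encode()):
        return "declined: CVN mismatch"
    if card.billing_zip != entered_zip:
        return "declined: AVS mismatch"
    if card.available_funds - sum(card.holds.values()) < amount:
        return "declined: insufficient funds"
    card.holds[auth_id] = amount
    return "approved"

def settle(issuer, merchant_accounts, card_no, auth_id, merchant):
    """Settlement: move a previously held amount from the cardholder to the
    merchant. Returns the amount moved, or None when no matching
    authorization exists (settlement never runs without authorization)."""
    amount = issuer[card_no].holds.pop(auth_id, None)
    if amount is None:
        return None
    issuer[card_no].available_funds -= amount
    merchant_accounts[merchant] = merchant_accounts.get(merchant, 0) + amount
    return amount
```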
Smart Cards
- Smart card: An electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card.
- Contact card: A smart card containing a small gold plate on the face that, when inserted in a smart card reader, makes contact and passes data to and from the embedded microchip.
- Contactless (proximity) card: A smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device without contact between the card and the card reader.
Smart Cards
- Smart card reader: Activates and reads the contents of the chip on a smart card, usually passing the information on to a host system.
- Smart card operating system: Special system that handles file management, security, input/output (I/O), and command execution and provides an application programming interface (API) for a smart card.
Stored-Value Cards
Stored-value card: A card that has monetary value loaded onto it and that is usually rechargeable.
Stored-value cards come in two varieties:
- Closed loop: single-purpose cards issued by a specific merchant or merchant group.
- Open loop: multipurpose cards that can be used to make debit transactions at a variety of retailers.
E-Micropayments
E-micropayments: Small online payments, typically under $10, can be done using:
1. Aggregation
2. Direct payment
3. Stored value
4. Subscriptions
E-Checking
- E-check: A legally valid electronic version or representation of a paper check.
- Automated Clearing House (ACH) Network: A nationwide batch-oriented electronic funds transfer system that provides for the interbank clearing of electronic payments for participating financial institutions.
Mobile Payments
Mobile payment: Payment transactions initiated or confirmed using a person's cell phone or smartphone.