CASH TRANSACTION, SECURITY AND PROTOCOL IN E-COMMERCE


1.0 INTRODUCTION TO E-COMMERCE

1.1 Overview

The term "electronic commerce" or e-commerce has evolved from its early application to electronic shopping to mean all aspects of business and market processes enabled by the Internet and World Wide Web technologies. Electronic commerce is also defined as any form of business or administrative transaction or information exchange that is executed using any information and communications technology (ICT).

Narrowly defined, electronic commerce means doing business online, or selling and buying products and services through Web storefronts. The products traded may be physical products such as used cars, or services (e.g. arranging trips, online medical consultation, and remote education). Increasingly, they include digital products such as news, audio and video, databases, software and all types of knowledge-based products. It may appear, then, that electronic commerce is similar to catalog shopping or home shopping on cable TV.

Electronic commerce is not limited to buying and selling products online. For example, a neighborhood store can open a Web store and find the world at its doorstep. But, along with customers, it will also find its suppliers, accountants, payment services, government agencies and competitors online. These online or digital partners demand changes in the way we do business, from production to consumption, and they will affect companies who might think they are not part of electronic commerce. Along with online selling, electronic commerce will lead to significant changes in the way products are customized, distributed and exchanged, and in the way consumers search and bargain for products and services and consume them.

In the quest to maintain market position or gain competitive advantage by streamlining operations, reducing costs and improving customer service, businesses are increasingly turning to electronic commerce. Electronic commerce or e-commerce enables organisations of all sizes and in all market sectors to improve their competitiveness. It cuts across geographic boundaries and time zones to save time and costs, to open up new market opportunities and to enable even the smallest of companies to compete on a global basis. Electronic commerce is applied to established processes such as bar code scanning and electronic data interchange (EDI) as well as to newer arrivals like e-mail, the Internet, the World Wide Web and mobile electronic commerce.

Since electronic commerce covers any form of business or administrative transaction or information exchange that is executed using any information and communications technology (ICT), it embraces the three main areas of activity, namely:

This is a very wide definition, and we see electronic commerce taking place over a variety of transport media, including the mobile phone, the set-top box (with digital and cable TV), and the PC with a modem connection to the Internet.

Business to business activity is still, and it is believed will remain, the main area of electronic commerce activity. This covers everything from established communications between retailers and their suppliers (orders, schedules, production schedules, payments etc.), the electronic banking payment systems through to the new Internet based catalogue systems.

Business to consumer activity covers a growing range of largely Internet based sites from home banking, purchasing insurance, home shopping (including books, CDs, clothes and much more) to share dealing.

Finally, government to the nation activities fall into two main areas - the government to business communications (such as taxation of sales, licensing and electronic procurement) and the government to the citizen activities (such as national identification, income tax, employee provident fund). Development of electronic services for the citizen is one of the most challenging areas because it requires local access to facilities to be available to all, without assuming everyone has Internet access in their homes.

The Internet itself is not new, but its use as a business medium is still in its early stages. Estimates vary widely, but analysts all agree that the next few years will see an explosion in electronic commerce, fuelled in large part by the Internet. It provides a medium that is as easily usable by individuals as by organisations in both the public and private sectors, opening up possibilities that were formerly impossible, providing instant access to products and services world wide and posing challenges to business and government alike.

In short, the electronic commerce revolution lies in its effects on processes. A process-oriented definition of electronic commerce offers a broader view of what electronic commerce is. Within-business processes (e.g. manufacturing, inventorying, corporate financial management, operations) and business-to-business processes (e.g. supply-chain management, bidding) are affected by the same technology and network as business-to-consumer processes. Even government functions, education, and social and political processes undergo changes.

 

1.2 Background

Internet technology may be new and attracting media and public attention, but business to business trading by electronic means has been heavily in use and actively developed for nearly twenty-five years. The Article Number Association (ANA), one antecedent of e centreUK, was actively involved from the start of article numbering and bar coding by helping to create the EAN International open standard language (visit http://www.ean.be). This has had a positive impact on all sectors of business and administration in all countries.

To improve further on the accuracy and efficiency gains achieved, it quickly developed and introduced the first truly electronic trade message standards, which enabled a company's computers to speak directly to other companies' computers without human intervention. Generically known as electronic data interchange (EDI), the ANA based its own system on a United Nations protocol and called it TRADACOMS. To enable companies to gain maximum advantage from TRADACOMS by being able to trade electronically with many other partners, the ANA devised, encouraged and licensed the operator of the first value added network services (VANS), which are still in use. Household names such as Sainsbury, Tesco, Nestle and Procter & Gamble, aggressive competitors in the public eye, were amongst the earliest to appreciate the value of standard numbers used in bar codes and EDI. They all joined the ANA at the beginning in 1976 and have continued to take active roles in the development of numbering, bar coding and EDI. These member companies, and many others from a range of diverse industrial and business sectors that have been involved from the earliest days of EAN numbering, bar coding and EDI, are now at the forefront of electronic commerce using the latest Internet technologies.

 

1.3 Supply Chain Management

Supply chain management is the term generally used to describe the management of products and services from their origination to their final use. It begins with the supply of raw materials, and proceeds through manufacturing, warehousing, distribution, wholesaling and retailing.

Supply or value chain management as it is sometimes known is concerned with minimising the costs of the supply chain while maximising the value added by each of the participants. The aim is to provide the right product, in the right place, at the right time so as to maximise the value received by the purchaser or user while minimising the overall cost of the complete process.

Trading companies have realised that they can no longer operate in isolation from one another if they are to achieve more efficient processes, and initiatives such as Efficient Consumer Response (ECR) have helped to raise the awareness of sharing information throughout value chains. If companies share information about their plans for new and improved products, as well as sharing information about stockholdings, sales and forecasts it should be possible to work together far more efficiently and effectively.

As part of the process of improving the management of the supply chain it will be necessary to analyse each of its components, and decide whether certain functions need to be carried out, and if so, which company should do them. It may be sensible to contract out certain processes to third parties and they too will need to be kept fully informed about the trading process.

A common understanding of the supply chain is essential if separate organisations are to work together as a virtual enterprise, so information must be shared using open standards wherever possible. The system must be able to provide unique identifiers for every trade item, every transport unit and every location; this enables information to be shared between different organisations with no confusion.

In addition to using common data standards to identify all the elements of the supply chain, organisations will also use standard data formats to exchange this data electronically. These message formats enable instructions to be sent in a form that can be processed automatically, with no manual intervention. This electronic data interchange means no rekeying of data, so no errors are introduced, and responses to instructions can be immediate.

 

 


2.0 CASH TRANSACTION IN E-COMMERCE

2.1 Type of Electronic Payment in B2C Transaction

There are many types of electronic payment systems proposed or already in use, but the methods of payment in e-commerce are similar in nature to the traditional payment methods of credit cards, checks and cash; their e-commerce counterparts are on-line credit card payment, electronic checks and digital cash.

2.1.1 On-line Credit Card Payment

In a traditional credit card transaction, the consumer presents the credit card to the merchant, and the merchant verifies the consumer's ability to pay with the bank. The merchant then issues a purchase slip for the consumer to endorse, which the merchant uses to collect funds from the bank. A monthly bill or statement carrying the record of the transaction is sent to the consumer.

In an on-line credit card transaction, several steps have been added to provide secure transactions and authentication, and different systems have been used, with different security levels and software involved. The Secure Socket Layer (SSL) protocol has been used to secure the transaction between the consumer and the merchant. This requires servers and browsers that support the SSL protocol. However, it does not protect the consumer's data from abuse by the merchant. CyberCash, Verifone and First Virtual are three systems that prevent fraud (the use of a credit card for other, unauthorized purchases). CyberCash and Verifone use a helper application for the web browser called an e-wallet (Section 2.3), and pass the encrypted credit card number through the merchant to their own processor/server for authentication and approval of the sale (Figure 1). This type is merely an extension of the conventional notational fund transfer. In credit card or check transactions, sensitive information is being exchanged. For example, you give your credit card to a merchant, who sends the card number over a phone line and receives confirmation. Banks meanwhile receive the same information and adjust the buyer's and merchant's accounts accordingly. The information transmitted online in this case is encrypted for security. The primary example is the use of digital credit cards (e.g. CyberCash and VISA/MasterCard's SET-based transactions). This is becoming the most common type of online payment method because consumers are familiar with the system and merchants have extended it to the Internet. The problem of transactional security has been overly emphasized in the traditional media (newspapers, magazines etc.), but with proper caution and encryption the Internet may be more secure than phone lines for these same old payment methods. We cannot encrypt our voice when we give our credit card number over the phone, nor can we be sure who the other person is.

First Virtual issues a VirtualPin to the customer, who then uses it in place of the credit card number. After receiving the sales information from the merchant, First Virtual converts the VirtualPin back to the credit card account number to clear the purchase (Figure 2). This system uses a trusted third party who maintains all sensitive information (such as bank account and credit card numbers) for its clients, which include both buyers and sellers. When there is a transaction, order information is transmitted along with information about payment confirmation and clearing, none of which includes sensitive information. In effect, no real financial transaction is done online. In this type of system the information need not be encrypted, since financial transactions are done completely off-line.

Figure 1: Processing a credit card transaction on line using CyberCash / Verifone

Figure 2: Processing a credit card transaction on line using First Virtual

It can be seen that the on-line credit card transaction is even more secure than the ordinary credit card transaction, because engaging a trusted third party (such as CyberCash or First Virtual) to read the encrypted credit card information, instead of allowing the merchant to handle the credit card processing, can eliminate merchant fraud. A lack of interoperability, however, does occur, because credit card purchasing has not converged on a single standard. Currently, two standards are used to make e-wallets and credit card transactions interoperable, i.e. Secure Electronic Transaction (Section 2.2), developed by MasterCard and Visa, and the Joint Electronic Payments Initiative (JEPI), developed by the World Wide Web Consortium and CommerceNet. JEPI enables transactions using different protocols between consumers and merchants, and supports the variety of payment systems that consumers want to use. On the consumer/client side, JEPI serves as an interface that enables a web browser and e-wallet to use a variety of payment protocols. On the merchant/server side, it acts between the network and transport layers to pass incoming transactions to the proper transport protocol (e-mail, http etc.) and the proper payment protocol (Figure 3).

Figure 3: JEPI involvement in payment processing

2.1.2 Electronic Checking

Financial Services Technology Corporation (FSTC) and CyberCash have developed two different systems for consumers to pay web merchants by electronic check. In an ordinary check transaction, a paper check is a message or instruction from the consumer to the consumer's bank to transfer funds from his account to the merchant's account. The message or check is given to the merchant, who presents the check to the issuing bank in order to collect. After the funds are transferred, the cancelled check is returned to the consumer as proof of payment. In electronic checking, all of this is done digitally on-line, with the account information encoded so that it is hidden from the merchant, keeping fraud to a minimum. As with the SET protocol, digital certificates are used to authenticate the payer, the payer's bank and the bank account.

Unlike CyberCash's system for credit cards, its electronic checking system does not serve as an intermediate party for processing the check but leaves that function to be handled directly by the banks.

The electronic check system developed by FSTC gives better flexibility by offering users a choice of payment instruments, allowing them to designate an electronic check as a certified check or as an electronic charge card slip (Figure 4).

Figure 4: FSTC Electronic Check Transaction

This means that the user can use a single mechanism, the electronic check, to complete payments that vary according to payee's requirements. For example, you could decide to pay your utility bills by standard electronic checks, but you could designate that one of the electronic checks be delivered as a certified check in order to make a down payment on a new house. The instructions accompanying your electronic checks would be processed by the electronic payment handler (EPH) software installed at your bank, and distributed by the appropriate payment network.

Electronic checks can be delivered either by direct transmission over a network or by electronic mail. In either case, existing banking channels can clear payments over their networks. This leads to a convenient integration of the existing banking infrastructure and the internet. Because FSTC's plans for electronic checking include money transfers and transactions involving the National Automated Clearing House Association for transferring funds between banks, businesses could use the FSTC scheme to pay invoices from other businesses. An advantage of the electronic check is that the user can make a variety of different payments (check, certified check, ATM, and so on) using a single interface (the electronic check book) that gathers all transactions into a single account log. It also means that the consumer only has to deal with his bank, not a number of financial institutions, to make these different types of payments.
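An electronic check is, at bottom, a signed instruction from the payer to the payer's bank, which is why the section above says digital certificates are used to authenticate the payer. The added example below (written for this page, not FSTC's or CyberCash's own software or message format) shows the two properties the bank depends on: the check's contents cannot be altered after signing, and the same check cannot be cleared twice. The struct fields, the account identifiers and the Ed25519 key pair are this example's own assumptions; a real deployment would take the payer's public key from a certificate rather than from a registration map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Check is the payment instruction a payer sends to their bank (constructed sample structure;
// the field names are this example's own, not the FSTC message format).
type Check struct {
	Serial      uint64 `json:"serial"`
	PayerAcct   string `json:"payer_acct"`
	PayeeAcct   string `json:"payee_acct"`
	AmountCents int64  `json:"amount_cents"`
	Kind        string `json:"kind"` // "standard" or "certified": the instrument choice
}

// SignedCheck is the check plus the payer's signature over its canonical encoding.
type SignedCheck struct {
	Check     Check
	Signature []byte
}

// canonical yields the exact bytes that are signed and verified; json.Marshal of a struct
// emits fields in declaration order, so payer and bank produce identical bytes.
func canonical(c Check) ([]byte, error) { return json.Marshal(c) }

// SignCheck is the payer side: the private key lives in the payer's electronic check book.
func SignCheck(priv ed25519.PrivateKey, c Check) (SignedCheck, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCheck{}, err
	}
	return SignedCheck{Check: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// Bank holds the public key registered for each account (the binding a certificate
// would normally carry) and the serials of checks it has already cleared.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	cleared map[uint64]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, cleared: map[uint64]bool{}}
}

var (
	ErrUnknownPayer = errors.New("unknown payer account")
	ErrBadSignature = errors.New("signature does not verify: check altered or not from payer")
	ErrReplayed     = errors.New("check serial already cleared")
)

// Clear is the bank side: verify the payer's signature, then refuse to clear a serial twice.
func (b *Bank) Clear(sc SignedCheck) error {
	pub, ok := b.keys[sc.Check.PayerAcct]
	if !ok {
		return ErrUnknownPayer
	}
	msg, err := canonical(sc.Check)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return ErrBadSignature
	}
	if b.cleared[sc.Check.Serial] {
		return ErrReplayed
	}
	b.cleared[sc.Check.Serial] = true
	return nil
}

// Scenario runs a clean clearing, a copy whose amount was changed after signing, and a replay.
func Scenario() (clean, tampered, replay error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	bank := NewBank()
	bank.keys["acct-1001"] = pub
	// Constructed sample check: acct-1001 pays acct-2002 $125.00 as a certified check.
	c := Check{Serial: 1, PayerAcct: "acct-1001", PayeeAcct: "acct-2002", AmountCents: 12500, Kind: "certified"}
	signed, err := SignCheck(priv, c)
	if err != nil {
		return err, err, err
	}
	clean = bank.Clear(signed)
	altered := signed
	altered.Check.AmountCents = 1250000 // rewriting the amount invalidates the signature
	tampered = bank.Clear(altered)
	replay = bank.Clear(signed) // presenting the same check a second time is refused
	return clean, tampered, replay
}

func main() {
	clean, tampered, replay := Scenario()
	fmt.Println("clean:", clean, "| tampered:", tampered, "| replay:", replay)
}
```

The serial check matters as much as the signature: a valid, signed check that a merchant could present repeatedly would be a replay, so the bank records every serial it clears, exactly as the digital cash section later describes for token serial numbers.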

2.1.3 Digital Cash

Digital cash or e-cash is best suited to making small electronic transactions on the internet in real time. In a digital cash system, the consumer instructs the bank to issue him a string of digits, resembling a token, and to debit his account with a withdrawal equal to the value of the currency issued. The token is validated by the bank before it is issued to his personal computer. When the user wishes to spend the e-cash, he transmits the required amount of tokens to the web merchant, who then relays the tokens to the bank for verification and redemption (Figure 5). After a token is redeemed, the bank records its serial number, to prevent the consumer from using the token twice and to prevent fraud by the merchant.

Figure 5: Transaction with Digital Cash

The system developed by DigiCash uses a scheme called blind signatures in order to maintain the anonymity of the consumer on the internet. The system enables the consumer to obtain tokens from the bank without the bank being able to link the consumer's name with the tokens it issues. The bank still validates a token when it receives it from the merchant for redemption, but it cannot trace from whom the token originated. This gives the consumer not only security but privacy as well.

What distinguishes these systems from the other two is not simply the anonymity they afford, but the fact that what is being transferred is "value" or "money" itself. With the second type described above, someone can commit fraud by lifting your message (credit card number) and running up charges on your account. With digital currency, intercepting a message is an outright "theft" of your property, not just of information.

Thus far, there is still a shortage of interoperability between different forms of e-cash: only the issuing bank can redeem the tokens it issued. However, the cost of an electronic transaction is small, which allows merchants to charge small amounts for each transaction without incurring much cost or losing all profit despite the small size of the transaction.
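The two mechanisms this section describes, the bank recording redeemed serial numbers to stop double spending and the blind signature that keeps the bank from linking a token to the consumer who withdrew it, fit in one short protocol. The example below is added here and is not DigiCash's code or its actual token format: it uses textbook RSA blind signatures over a SHA-256 digest of a random serial, with Go's standard library for the key and `math/big` for the blinding arithmetic. The bank signs m*r^e, gets back m^d*r, and the consumer divides out r; the bank therefore stores a blinded value that is unrelated to the serial it later sees at redemption. Names like `Withdraw`, `Redeem` and the debit step (not modelled) are this example's assumptions; production schemes add padding and a domain-separated hash (see RFC 9474), which is omitted for clarity.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Bank mints tokens with its RSA private key and remembers every serial it has redeemed.
type Bank struct {
	key   *rsa.PrivateKey
	spent map[string]bool
}

func NewBank() (*Bank, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Bank{key: key, spent: map[string]bool{}}, nil
}

// tokenDigest turns a serial number into the integer the bank signs (SHA-256, reduced mod n).
func tokenDigest(serial string, n *big.Int) *big.Int {
	h := sha256.Sum256([]byte(serial))
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), n)
}

// Token is the "string of digits" the consumer stores and later spends.
type Token struct {
	Serial    string
	Signature *big.Int
}

// SignBlinded is the bank's part of withdrawal: debit the account (not modelled here)
// and sign a value it cannot read, because the consumer has blinded it.
func (b *Bank) SignBlinded(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, b.key.D, b.key.N)
}

// Withdraw is the consumer side: pick a serial, blind its digest with a random r, have
// the bank sign the blinded value, then strip r to obtain the ordinary signature m^d.
func Withdraw(b *Bank) (Token, error) {
	n, e := b.key.N, big.NewInt(int64(b.key.E))
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Token{}, err
	}
	serial := fmt.Sprintf("%x", raw)
	m := tokenDigest(serial, n)
	r, err := rand.Int(rand.Reader, n) // blinding factor; must be invertible mod n
	if err != nil {
		return Token{}, err
	}
	rInv := new(big.Int).ModInverse(r, n)
	if rInv == nil {
		return Withdraw(b) // r shared a factor with n (astronomically unlikely): retry
	}
	blinded := new(big.Int).Mul(m, new(big.Int).Exp(r, e, n))
	blinded.Mod(blinded, n)
	sig := new(big.Int).Mul(b.SignBlinded(blinded), rInv) // (m^d * r) * r^-1 = m^d
	return Token{Serial: serial, Signature: sig.Mod(sig, n)}, nil
}

var (
	ErrBadToken    = errors.New("token signature invalid")
	ErrDoubleSpend = errors.New("token serial already redeemed")
)

// Verify needs only the bank's public key, so a merchant can check a token before relaying it.
func Verify(pub *rsa.PublicKey, t Token) bool {
	e := big.NewInt(int64(pub.E))
	return new(big.Int).Exp(t.Signature, e, pub.N).Cmp(tokenDigest(t.Serial, pub.N)) == 0
}

// Redeem is what the bank does when a merchant relays a token: verify it, then record
// the serial so the same token cannot be spent again, by the consumer or by the merchant.
func (b *Bank) Redeem(t Token) error {
	if !Verify(&b.key.PublicKey, t) {
		return ErrBadToken
	}
	if b.spent[t.Serial] {
		return ErrDoubleSpend
	}
	b.spent[t.Serial] = true
	return nil
}

// Scenario: one honest redemption, one double-spend attempt, one forged token.
func Scenario() (first, second, forged, setup error) {
	bank, err := NewBank()
	if err != nil {
		return nil, nil, nil, err
	}
	tok, err := Withdraw(bank)
	if err != nil {
		return nil, nil, nil, err
	}
	first = bank.Redeem(tok)
	second = bank.Redeem(tok)
	forged = bank.Redeem(Token{Serial: "forged-serial", Signature: big.NewInt(12345)})
	return first, second, forged, nil
}

func main() {
	fmt.Println(Scenario())
}
```

Because the bank never sees the serial during withdrawal and the unblinded signature is indistinguishable from a directly issued one, the redemption record (serial, signature) cannot be matched back to any withdrawal, which is the privacy property the text attributes to DigiCash; the spent-serial map is what makes the "value itself" safe against a second spend.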


2.2 Secure Electronic Transaction (SET)

SET Background

Since the beginning of VISA in 1970, it has worked with the financial industry to provide the innovations and leadership required to make the Visa card the most convenient and safest way to purchase goods and services anywhere. In the 70's VISA led the way in the development of the magnetic stripe standard. Today, the stripes are used in all payment cards around the world for quick authorization. In the 80's VISA led the way to the establishment of an International Standard Organization (ISO) message format to provide efficient processing standards. In 1995, VISA worked with MasterCard and Europay to publish a standard for chip cards which will provide access to multiple services and accounts all stored on one card. In 1996, the SET Secure Electronic Transaction™ specification, also known as the SET™ specification, and digital certificates carried on this tradition, establishing standards and practices that will help electronic commerce flourish in the coming years.

What is SET

SET stands for Secure Electronic Transaction. It is a system that will allow you to make purchases on the Internet with your credit card without having to worry whether your credit card information and/or your personal data will be compromised. It is a protocol designed for use by other applications (such as web browsers) and a standard (recommended procedures) for on-line credit card transactions on the internet. It uses digital certificates to authenticate the identity of all the parties involved in the transaction, i.e. cardholders, merchants, banks (acquiring bank and issuing bank), and the credit card processor (i.e. Visa or MasterCard).

SET Secure Electronic Transaction™ is a specification designed to utilize technology for authenticating the parties involved in payment card purchases on any type of online network, including the Internet. SET™ was developed by Visa and MasterCard, with participation from leading technology companies, including Microsoft, IBM, Netscape, SAIC, GTE, RSA, Terisa Systems, and VeriSign. By using sophisticated cryptographic techniques, SET will make cyberspace a safer place for conducting business and is expected to boost consumer confidence in electronic commerce. SET focuses on maintaining confidentiality of information, ensuring message integrity, and authenticating the parties involved in a transaction.

The significance of SET, over existing Internet security protocols, is found in the use of digital certificates. Digital certificates will be used to authenticate all the parties involved in a transaction. SET will provide those in the virtual world with the same level of trust and confidence that a consumer has today when making a purchase.

 


2.3 E-Wallet

Electronic wallets make it even simpler to shop online. An e-wallet is actually a piece of software, installed on your PC together with a digital certificate. Several cardholders can share the same e-wallet; each cardholder must have his or her own User ID and password to access it, and each cardholder must download their respective certificate. In Malaysia, to download the digital certificate you must obtain a copy of the e-wallet from one of the 4 local banks: RHB Bank Berhad, MayBank, Public Bank and Hong Leong Bank. When you shop with an electronic wallet, you only have to enter your billing and shipping information once. Your wallet will then instantly fill out online order forms with just a click of your mouse in your web browser.

In order to ensure your transaction is secure, you have to purchase from SET certified merchants (e.g. www.1800-mall.com). Besides Malaysian SET certified merchants, you may also shop at overseas SET certified merchants.

If your credit card expires, your existing certificate will become void. You will have to request and download a new digital certificate once you have received your renewed card.

If your e-wallet is accidentally deleted from your PC, you just have to reinstall the e-wallet and download a new certificate.

If you have one PC at home and one at the office, you have to install the e-wallet on each PC and download a separate new certificate for your account to each of them.

Responsibility for your User ID and password is extremely important. You have to keep them strictly to yourself.


3.0 SECURITY IN E-COMMERCE

The security of internet transactions is of vital importance to protect internet users, whether they are consumers or merchants. Despite reliable encryption and other technologies, which are sometimes superior to those of telephone and other communications networks, non-digital media are full of hyper-critical views of Internet security. While it is unwise to play down known security risks, it is also unnecessary to exaggerate the risk of internet transactions.

The internet needs to provide more security than physical markets, probably because the electronic marketplace lacks some elemental safeguards available in physical markets. For example, buyers have a certain assurance about a seller with a retail store, although that seller might be operating a bogus shop at that particular moment. But bogus operations are more difficult to recognize on the Internet. Indeed, an online trading partner cannot be sure about the identity of the other person. Technologies and legal frameworks are needed to address such problems, e.g. nation-wide digital IDs.

There are a variety of barriers to the widespread acceptance of electronic commerce in today's world. Many of the greatest advantages of banking and shopping in cyberspace also hold potential pitfalls that need to be addressed.

First, recent growth in Internet usage has prompted worldwide attention to a main problem - privacy. Up to now, there have been no real safeguards to ensure that the messages you send and receive haven't been intercepted, read, or even altered by some unknown interloper since no one really runs or controls the Internet.

Second, in the emerging realm of cyberspace, the potential for fraud and deception is far greater. The ability to obtain information and data, from just about anywhere in the world is perceived by many as a benefit of the Internet. However, it does pose some practical drawbacks.

When the other "person" is merely an appearance on a computer screen, how do you know they hold a valid account? How do you know you can trust a merchant you've never actually seen? After all, the merchant's "store" may exist only on a fraudster's hard drive. And how can a "real" merchant feel comfortable accepting a Visa card account number without some form of identification?

For electronic commerce to flourish on the Internet, all parties need a way of verifying each other's identities - and establishing trust.

The new SET Secure Electronic Transaction™ standard, also known as the SET™ standard, put forth by Visa and MasterCard, addresses all of these issues. SET will make shopping via the Internet as safe and easy as using a Visa card in your local shopping mall.

In order to conduct transactions on-line, you have to ensure that merchants support security features such as Secure Sockets Layer (SSL).

Advanced cryptography makes SET secure. Cryptography is a method of scrambling confidential information and sending it so that it can be read in its original form only by the intended recipient. There are two primary methods of cryptography in use today: private key and public key. Public key cryptography is a system that encrypts information so it can arrive at its destination securely. Private key cryptography decrypts this information and makes sure the merchant is the merchant and the cardholder is the cardholder. SET uses both methods to provide confidentiality of payment information and to ensure payment integrity.

The SET specification prevents interception of cardholders' account numbers, expiry dates and payment information by unauthorized individuals through the use of proven encryption technology. Authentication of all parties to the transaction (cardholder, merchant, and processing and issuing banks) is provided through the use of digital certificates.

A digital certificate is a statement signed by an independent and trusted third party (a Certificate Authority) that contains three elements.

(a) Information about the person/company being certified.
(b) Public key information of the person/company. This certificate acts to bind the public key to the attributed information provided by the person /company.
(c) Certifying Authority's signature to add to the credibility of the certificate.

Digital Certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity, a process unparalleled by other Internet security solutions. Software vendors whose products pass SET Compliance Testing are eligible to display the SET Mark on their products, as are merchants, financial institutions, and promotional sites that utilize or advertise licensed software.

Digital certificates (also known as electronic credentials or digital IDs) are digital documents attesting to the binding of a public key to an individual or entity. They allow verification of the claim that a given public key does in fact belong to a given individual or entity. A Certificate Authority (CA) is a trusted third party organization or company that issues digital certificates. The CA is responsible for guaranteeing that the individuals or organizations granted these unique certificates are, in fact, who they claim to be.

Think of Digital IDs as the electronic equivalent of driver licenses or passports that reside in your Internet browser and e-mail software. They contain information that uniquely identifies you, and allow you to:

By digitally signing and encrypting your e-mail you can ensure that your confidential messages and attachments are protected from tampering, impersonation and eavesdropping. Using your Digital ID is easy with the point-and-click interfaces in all of the popular browsers and e-mail packages.

Currently, there are two digital certification authorities in Malaysia, which are Digicert (M) Sdn Bhd and MSC Cybersign International Sdn Bhd.

SET™ relies on cryptography and digital certificates to ensure message confidentiality and security. Message data is encrypted using a randomly generated key that is further encrypted using the recipient's public key. This is referred to as the "digital envelope" of the message and is sent to the recipient with the encrypted message. The recipient decrypts the digital envelope using a private key and then uses the symmetric key to unlock the original message.

Software developed to the SETCo specification (Section 4.0) must perform at least the following functions:

Financial institutions issue SET™ certificates for cardholders and merchants. Some of the security software packages are:

 


4.0 PROTOCOL

The SET protocol, originally developed by Visa, MasterCard and several technology partners starting in February 1996, is an advance over other Internet security technologies due to its use of digital certificates and encryption technology which enable consumers and merchants to verify the authenticity of the parties involved in a card transaction across the Internet. In addition, SET provides more secure protection of the card numbers and other confidential information sent across the Internet.

The SET protocol utilizes cryptography to provide confidentiality of information, ensure payment integrity, and identity authentication. For authentication purposes, cardholders, merchants, and acquirers will be issued digital certificates by their sponsoring organizations.

In the SET environment, there exists a hierarchy of Certificate Authorities (CA). The SET protocol specifies a method of entity authentication referred to as trust chaining. This method entails the exchange of digital certificates and verification of the public keys by validating the digital signatures of the issuing CA. This trust chain method continues all the way up to the CA at the top of the hierarchy, which is referred to as the SET Root CA. The SET Root CA is owned and maintained by SET Secure Electronic Transaction LLC.
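The trust chaining just described, together with the three certificate elements listed in Section 3.0 (subject information, public key, and the issuing CA's signature binding the two), can be exercised with ordinary X.509 certificates. The example below is added here and is not SET's own certificate profile (SET used RSA keys and its own extensions; this uses ECDSA P-256 and standard X.509 from Go's crypto/x509). It builds a three-level hierarchy, root CA, issuing bank CA, cardholder, and verifies the cardholder certificate up to the root, and then shows the verification failing when the verifier does not hold that root. The entity names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one link in the hierarchy: its certificate and the private key that signs below it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue creates a certificate for name, signed by parent, or self-signed when parent is nil.
// The certificate binds the new public key to the subject name under the signer's signature.
func Issue(name string, serial int64, isCA bool, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, Key: key}, nil
}

// Hierarchy mirrors the layering in the text: a root CA, an issuing bank CA beneath it,
// and a cardholder certificate issued by the bank CA.
type Hierarchy struct{ Root, Bank, Cardholder *Entity }

func BuildHierarchy() (*Hierarchy, error) {
	root, err := Issue("Example Root CA", 1, true, nil)
	if err != nil {
		return nil, err
	}
	bank, err := Issue("Example Issuing Bank CA", 2, true, root)
	if err != nil {
		return nil, err
	}
	holder, err := Issue("cardholder-0001", 3, false, bank)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Bank: bank, Cardholder: holder}, nil
}

// ChainLength walks the trust chain from the cardholder certificate up to a trusted root and
// returns how many certificates it contains. Only roots passed in `trusted` are accepted; the
// bank CA is offered as an intermediate and counts only because its own certificate verifies
// under one of those roots. An empty trusted set must fail, never fall back to system roots.
func ChainLength(h *Hierarchy, trusted ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inter := x509.NewCertPool()
	inter.AddCert(h.Bank.Cert)
	chains, err := h.Cardholder.Cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println(ChainLength(h, h.Root.Cert)) // 3 <nil>: cardholder -> bank CA -> root
	fmt.Println(ChainLength(h))              // 0 and an unknown-authority error
}
```

The second call is the case a verifier must get right: a chain that is internally consistent (every signature valid) but ends in a root the verifier does not trust proves nothing, which is why the root CA's key must be distributed out of band to every SET participant rather than sent along with the transaction.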

In December 1997 a new corporate entity called SET Secure Electronic Transaction LLC (a.k.a. SETCo) was formed by Visa and MasterCard to provide the structure that will govern and direct the future development of the SET Secure Electronic Transaction™ protocol, as well as other key functions that are required to support the implementation of this standard. In the second quarter of 1998, American Express and JCB Co., Ltd. became full partners in SETCo as well.

The SET™ standard provides a higher level of security for payment card transactions made over the Internet, and the combined support of the companies that make up SETCo is a strong endorsement of SET. SETCo will manage the SET specification, oversee software compliance testing through Tenth Mountain Systems, Inc. and address any issues that may arise related to the adoption of this global payment standard. SETCo participants will work together to facilitate the adoption of the SET protocol, thereby opening the Internet marketplace and providing greater security for online transactions processed across open networks such as the Internet.

As the SET 1.0 protocol was finalized, an infrastructure based on this new technology began to emerge to support large scale usage. For example, software vendors have begun to create the software that consumers, merchants and financial institutions will need in order to take advantage of the security that SET offers, and many Visa and MasterCard Member financial institutions around the world conducted limited scale pilot tests during 1997 in an effort to better understand the requirements for implementing and supporting the use of SET technology.

SETCo is focusing initially on the following two electronic commerce initiatives in support of the SET infrastructure:  

The above-mentioned four payment institutions plan to meet on a regular basis and will focus on other SET initiatives and activities as needed. The development of new versions of the SET protocol will be initiated by SETCo with the close cooperation of technology partners and financial institutions that are willing to contribute to the joint effort.

 


5.0 SUMMARY

Electronic commerce or e-commerce can be defined as any form of business activity that involves commodity transfer by means of any information and communications technology, assisted by computers and taking place on the Internet. The products being traded can be tangible goods, services or soft products like computer software. Services and soft products can be delivered online, so the whole transaction is done digitally. Tangible goods have to be delivered to the end users by transport or courier service, or the end users may pick up the products from a nearby store.

E-commerce succeeds, in some measure, in minimising the cost of the supply chain while maximising the value added by each of the participants along the chain from raw material through manufacturing, warehousing, distribution and wholesaling to retailing. Efficient consumer response can be fed back to the merchants, along with a quick response from the merchant to market needs.

E-commerce is not limited to business-to-consumer (B2C) activities, but also covers business-to-business (B2B) and government-to-nation activities. In B2C e-commerce, the payment transaction is very similar to a traditional transaction, except that all or most of the transaction is done digitally over the Internet. Traditionally, payment is made by credit card, check or cash; in e-commerce these become online credit card payment, electronic checks and digital cash or e-cash.

For online credit card payment, the Secure Sockets Layer (SSL) protocol has been used to secure the transaction together with a helper application in the customer's web browser called an e-wallet. This ensures that the transaction is secure: the sensitive information (credit card number etc.) is encrypted, and all parties are authenticated before the information is decrypted for further processing. Electronic checking, which is similar in nature to credit card payment, is used by those users without a credit card. Digital cash is a token that consumers obtain from the bank in the form of a string of digits. When consumers wish to spend the e-cash, the tokens are transmitted to the merchant, who then relays the tokens to the bank that issued them for redemption. The bank then records the serial number of the token to prevent the token from being spent twice.
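The issue, spend and redeem cycle for digital cash described above, as an added example that is not part of the original paper and not any bank's actual implementation: a constructed Go model in which the bank signs each token's serial number with an Ed25519 key, the merchant checks the bank's signature, and the bank's redemption step records the serial so that a replayed token is refused. The key type and the Bank, Token, Withdraw, VerifyToken and Redeem names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is one unit of e-cash: a serial number plus the bank's signature over it.
// Constructed model for this example; the names are assumed, not any bank's API.
type Token struct {
	Serial    uint64
	Signature []byte
}

// Bank issues tokens and keeps the record of serial numbers already redeemed,
// which is what stops a token from being spent twice.
type Bank struct {
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	next  uint64
	spent map[uint64]bool
}

var (
	ErrForged      = errors.New("token signature was not made by the bank")
	ErrDoubleSpend = errors.New("token serial already redeemed")
)

// NewBank creates a bank with a fresh signing key and an empty spent-serial record.
func NewBank() (*Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Bank{pub: pub, priv: priv, spent: map[uint64]bool{}}, nil
}

// PublicKey is what merchants use to check that a token came from this bank.
func (b *Bank) PublicKey() ed25519.PublicKey { return b.pub }

// serialBytes is the fixed-width encoding that gets signed, so that two
// different textual renderings of one serial cannot yield two "different" tokens.
func serialBytes(serial uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, serial)
	return buf
}

// Withdraw hands the customer a fresh token with a never-before-used serial.
func (b *Bank) Withdraw() Token {
	b.next++
	return Token{Serial: b.next, Signature: ed25519.Sign(b.priv, serialBytes(b.next))}
}

// VerifyToken is the merchant-side check: it proves the bank issued the token
// but says nothing about whether the token has already been spent.
func VerifyToken(bankPub ed25519.PublicKey, t Token) bool {
	return ed25519.Verify(bankPub, serialBytes(t.Serial), t.Signature)
}

// Redeem is the bank's deposit step: reject forgeries, reject any serial seen
// before, then record this serial so the same token cannot be redeemed again.
func (b *Bank) Redeem(t Token) error {
	if !VerifyToken(b.pub, t) {
		return ErrForged
	}
	if b.spent[t.Serial] {
		return ErrDoubleSpend
	}
	b.spent[t.Serial] = true
	return nil
}

func main() {
	bank, err := NewBank()
	if err != nil {
		panic(err)
	}
	tok := bank.Withdraw()
	fmt.Println("merchant accepts token:", VerifyToken(bank.PublicKey(), tok))
	fmt.Println("first redemption:", bank.Redeem(tok))
	fmt.Println("second redemption:", bank.Redeem(tok))
	forged := Token{Serial: tok.Serial + 1, Signature: tok.Signature}
	fmt.Println("forged token:", bank.Redeem(forged))
}
```

The merchant's signature check proves only that the bank issued the token, not that it is still unspent; only the issuing bank's serial record detects the second spend. A merchant that releases goods before the bank has confirmed redemption therefore carries the double-spend risk itself.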

In an electronic transaction it is very difficult to be sure of the identity of the other party without proper counter-measures. Furthermore, since no specific body controls or runs the Internet, and what happens on it is difficult to control, the security of the transaction is of vital importance in e-commerce in order to protect consumers and merchants and to prevent fraud and deception. Secure Electronic Transaction (SET) was developed by Visa and MasterCard. It is a system to ensure that sensitive information (credit card number, etc.) will not be exposed or intercepted during the transaction. Because the information usually passes from the sender (consumer or client) to the receiver (merchant or server) through some intermediary, it can be captured, read or tampered with, or a party can be impersonated, and thus fraud may occur. In SET, this important information is encrypted before being sent and is decrypted only by the trusted or designated parties. SET therefore requires the identity of a party to be authenticated before the information can be passed to it and decrypted. This is done with a digital certificate issued by a trusted third party, which verifies that the party is actually who it claims to be. All the parties involved, i.e. the cardholders or consumers, merchants, banks (acquiring bank and issuing bank) and credit card processors (Visa or MasterCard), are issued digital certificates by their sponsoring certification authorities, so that all parties can verify each other's identities.
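Trust chaining as described in Section 4.0 and in the paragraph above, as an added example that is not part of the original paper and not SET's own software: the Go standard library's crypto/x509 package is used to build a three-level hierarchy (a self-signed root, a brand CA signed by the root, and a merchant certificate signed by the brand CA; the names and one-day lifetime are assumed values) and then to walk the chain, checking each certificate's signature with its issuer's public key until a trusted root is reached. The second, hypothetical hierarchy built in main stands in for an untrusted CA and shows that a chain whose signatures are all valid is still rejected when it ends at a root the verifier does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one certificate holder plus the key that signs certificates beneath it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newTemplate builds a minimal certificate template; name and lifetime are assumed values.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  isCA, // only CAs may have certificates chained beneath them
		BasicConstraintsValid: true,
	}
}

// issue generates a key pair for tmpl and has parent sign the certificate.
// A nil parent yields a self-signed certificate, i.e. a root CA.
func issue(tmpl *x509.Certificate, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, Key: key}, nil
}

// Hierarchy is the three-level chain Root CA -> Brand CA -> Merchant.
type Hierarchy struct{ Root, Brand, Merchant *Entity }

// BuildHierarchy issues a fresh root, a brand CA signed by it, and a merchant
// certificate signed by the brand CA. Each call yields an independent root.
func BuildHierarchy() (*Hierarchy, error) {
	root, err := issue(newTemplate("Example SET Root CA", 1, true), nil)
	if err != nil {
		return nil, err
	}
	brand, err := issue(newTemplate("Example Brand CA", 2, true), root)
	if err != nil {
		return nil, err
	}
	merchant, err := issue(newTemplate("Example Merchant", 3, false), brand)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Brand: brand, Merchant: merchant}, nil
}

// VerifyChain is the trust-chaining step: every signature on the path is checked
// with the issuer's public key, and the path must end at a certificate in roots.
// A valid signature from a CA outside that trusted set is not enough.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	genuine, _ := BuildHierarchy()
	rogue, _ := BuildHierarchy() // hypothetical hierarchy whose root the verifier does not trust
	roots := []*x509.Certificate{genuine.Root.Cert}
	fmt.Println("genuine merchant:", VerifyChain(genuine.Merchant.Cert, []*x509.Certificate{genuine.Brand.Cert}, roots))
	fmt.Println("rogue merchant:", VerifyChain(rogue.Merchant.Cert, []*x509.Certificate{rogue.Brand.Cert}, roots))
}
```

The verifier holds only the root in its trusted set; the intermediate travels with the merchant's certificate and is accepted solely because the root's signature on it checks out. Leaving the intermediate out, or presenting a chain that ends at a different self-signed root, fails verification even though every individual signature is mathematically valid.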

By introducing this security procedure, an e-commerce transaction can offer even better security than a conventional transaction, although the mass media often over-emphasise the risks of e-commerce. However, since e-commerce has not yet reached its final stage of development and there appears to be a shortage of interoperability, efforts have to be made to standardise the system. The formation of SET Secure Electronic Transaction LLC (a.k.a. SETCo) will govern and direct the development of the SET protocol, ensure that software is compliant with SET and address any issues that may arise related to the adoption of this global protocol. This will allow consumers and merchants with different software and protocols to complete transactions on the Internet.



 


This page was last updated on 19 May, 2000