ECT%20455/HCI%20513%20E-Commerce%20Web%20Site%20Engineering - PowerPoint PPT Presentation

About This Presentation
Title:

ECT%20455/HCI%20513%20E-Commerce%20Web%20Site%20Engineering

Description:

American Express (blue smart card) Visa. Micropayments. echarge. ECT ... Charge Cards -- American Express; echarge. Peer-to-peer payments (between consumers) ... – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 39
Provided by: Susy1
Category:

less

Transcript and Presenter's Notes

Title: ECT%20455/HCI%20513%20E-Commerce%20Web%20Site%20Engineering


1
ECT 455/HCI 513 E-Commerce Web Site Engineering
  • Electronic Payment Systems
  • Internet Transaction Security

2
Online Payment Systems
  • Online payment is the foundation of systems for
    EC.
  • How does it mesh with the past and current
    currency systems?
  • credit cards, debit cards, ATM, banks
  • Political Challenges
  • What about taxes?

3
Electronic Payment Systems
  • Efficient and effective payment services accepted
    by consumers and businesses are essential to
    e-commerce.
  • Requirements
  • Convenient for web purchasing
  • Transportable over the network
  • Strong enough to thwart electronic interference
  • Cost-effective for extremely low-value
    transactions

4
Electronic Payment Systems
  • Banking and Financial Payments
  • Bank-to-bank transfer (EFT)
  • Home Banking -- CitiBank, Wells Fargo
  • Payment through an Intermediary
  • Open Market
  • First Virtual (FirstVirtual Pin)

Both refer to their earlier business models
5
Electronic Payment Systems
  • Electronic Currency Payment Systems
  • Electronic Cash -- CyberCash, Internetcash.com
  • Electronic Checks -- NetCheque
  • e-Wallets (Visa)
  • Smart Cards
  • American Express (blue smart card)
  • Visa
  • Micropayments
  • echarge

6
More
  • Retailing Payment Systems
  • Credit Cards -- Visa or MasterCard
  • Private Label Credit/Debit Cards
  • Charge Cards -- American Express echarge
  • Peer-to-peer payments (between consumers)
  • PayPal (billpoint)

7
Credit-Card Transactions
  • Popular form of payment for online purchases
  • Resistance due to security concerns
  • Many cards offer capabilities for online and
    offline purchases
  • Prodigy Internet Mastercard
  • American Express Blue

8
Online Credit-Card Transaction
  • To accept credit-card payments, a merchant must
    have a merchant account
  • Traditional merchant accounts accept only POS
    (point-of-sale) transactions
  • Transactions that occur when you present your
    credit card at a store
  • Card-not-present (CNP) transaction
  • Merchant does not see actual card being used in
    the purchase
  • Authentication
  • The person is, in fact, who they say they are

9
Credit-Card Transaction Enablers
  • Credit-Card Transaction Enablers
  • Companies that have established business
    relationships with financial institutions that
    will accept online credit-card payments for
    merchant clients
  • Trintech
  • Cybercash (Verisign)

10
E-Wallets
  • E-wallets
  • Keep track of your billing and shipping
    information so that it can be entered with one
    click at participating sites
  • Store e-checks, e-cash and credit-card
    information
  • Credit-card companies offer a variety of
    e-wallets
  • Visa e-wallets
  • MBNA e-wallet allows one-click shopping at member
    sites
  • A group of e-wallet vendors have standardized
    technology with Electronic Commerce Modeling
    Language (ECML)

11
Digital Currency
  • Digital cash
  • Stored electronically, used to make online
    electronic payments
  • Similar to traditional bank accounts
  • Used with other payment technologies (digital
    wallets)
  • Alleviates some security fears online credit-card
    transactions
  • Allows those with no credit cards to shop online
  • Merchants accepting digital-cash payments avoid
    credit-card transaction fees

12
Smart Cards
  • Smart card
  • Card with computer chip embedded on its face,
    holds more information than ordinary credit card
    with magnetic strip
  • Contact smart cards
  • To read information on smart cards and update
    information, contact smart cards need to be
    placed in a smart card reader
  • Contactless smart cards
  • Have both a coiled antenna and a computer chip
    inside, enabling the cards to transmit
    information
  • Can require the user to have a password, giving
    the smart card a security advantage over credit
    cards
  • Information can be designated as "read only" or
    as "no access"
  • Possibility of personal identity theft

13
Internet security
  • Consumers entering highly confidential
    information
  • Number of security attacks increasing
  • Four requirements of a secure transaction
  • Privacy information not read by third party
  • Integrity information not compromised or
    altered
  • Authentication sender and receiver prove
    identities
  • Non-repudiation legally prove message was sent
    and received
  • Availability
  • Computer systems continually accessible

14
Secret-key Cryptography
  • Encrypting and decrypting a message using a
    symmetric key

                                               
15
Secret-key Cryptography
  • Distributing a session key with a key
    distribution center

16
Secret-key Cryptography
  • Secret-key cryptography
  • Same key to encrypt and decrypt message
  • Sender sends message and key to receiver
  • Problems with secret-key cryptography
  • Key must be transmitted to receiver
  • Different key for every receiver
  • Key distribution centers used to reduce these
    problems
  • Generates session key and sends it to sender and
    receiver encrypted with the unique key
  • Encryption algorithms
  • Dunn Encryption Standard (DES), Triple DES,
    Advanced Encryption Standard (AES)

17
Key Management
  • Key management
  • Handling and security of private keys
  • Key generation
  • The process by which keys are created
  • Must be truly random

18
Public Key Cryptography
  • Public key cryptography
  • Asymmetric two inversely related keys
  • Private key
  • Public key
  • If public key encrypts only private can decrypt
    and vice versa
  • Each party has both a public and a private key
  • Either the public key or the private key can be
    used to encrypt a message
  • Encrypted with public key and private key
  • Proves identity while maintaining security
  • RSA public key algorithm www.rsasecurity.com

19
Public Key Encryption and Decryption
20
Public Key Cryptography
  • Authentication with a public-key algorithm

21
Digital Signatures
  • Digital signature
  • Authenticates senders identity
  • Run plaintext through hash function
  • Gives message a mathematical value called hash
    value
  • Hash value also known as message digest
  • Collision
  • Occurs when multiple messages have same hash
    value
  • Encrypt message digest with private-key
  • Send signature, encrypted message (with
    public-key) and hash function
  • Timestamping
  • Binds a time and date to message, solves
    non-repudiation
  • Third party, time-stamping agency, timestamps
    messages

22
Using a digital signature to validate data
integrity
23
Digital Certificate
  • A certificate is an electronic document used to
    identify an individual, a server, a company, or
    some other entity and to associate that identity
    with a public key.
  • Public-key cryptography uses certificates to
    address the problem of impersonation
  • Certificate authorities (CAs) are entities that
    validate identities and issue certificates. They
    can be either independent third parties or
    organizations running their own
    certificate-issuing server software

24
Digital Certificate
  • A digital certificate includes
  • the public key
  • the name of the entity it identifies
  • an expiration date
  • the name of the CA that issued the certificate
  • a serial number, and other information. Most
    importantly, a certificate always includes the
    digital signature of the issuing CA.
  • The CA's digital signature allows the certificate
    to function as a "letter of introduction" for
    users who know and trust the CA but don't know
    the entity identified by the certificate.

25
Encryption Transaction SecuritySecret vs.
Public Key Encryption
  • Secret-Key Encryption (single key)
  • Symmetric encryption, DES
  • Use a shared secret key for encryption and
    decryption
  • Key distribution disclosure
  • fast, for bulk data encryption
  • Public-Key Encryption (Pair of keys)
  • Asymmetric encryption, RSA (Rivest, Shamin,
    Adlemann)
  • Private/Public keys
  • Need digital certificates and trusted 3rd parties
  • Slower
  • For less demanding applications

26
Client Authentication
  • Password-Based Authentication.
  • A server might require a user to type a name and
    password before granting access to the server.
  • The server maintains a list of names and
    passwords if a particular name is on the list,
    and if the user types the correct password, the
    server grants access.
  • Certificate-Based Authentication.
  • Client authentication based on certificates is
    part of the SSL protocol.
  • The client digitally signs a randomly generated
    piece of data and sends both the certificate and
    the signed data across the network.
  • The server uses techniques of public-key
    cryptography to validate the signature and
    confirm the validity of the certificate

27
Using a password to authenticate a client to a
server
28
Using a certificate to authenticate a client to
a server
29
Public Key Infrastructure, Certificates and
Certification Authorities
  • Public Key Infrastructure (PKI)
  • Integrates public key cryptography with digital
    certificates and certification authorities
  • Digital certificate
  • Digital document issued by certification
    authority
  • Includes name of subject, subjects public key,
    serial number, expiration date and signature of
    trusted third party
  • Verisign (www.verisign.com)
  • Leading certificate authority
  • Periodically changing key pairs helps security

30
SET Secure Electronic Transaction
  • The SET protocol is a collection of encryption
    and security specification used as an
    industry-wide, open standard for ensuring secure
    payment transaction over the Internet.
  • A payment protocol to accelerate development of
    e-commerce and to bolster consumer confidence

31
SET Secure Electronic Transaction
  • SET establishes a method for interoperability of
    secure transactions software over multiple,
    popular hardware platforms and operating systems
  • Developed by Visa and MasterCard, with GTE, IBM,
    Microsoft, Netscape, SAIC, Terisa Systems and
    Verisign.
  • Based on encryption technology from RSA Data
    Security.

32
SET Secure Electronic Transaction
  • Use digital certificates to authenticate all the
    parties involved in a transaction
  • SET-compliant software validates both merchant
    and cardholder before exchange of information
  • Employs public-key encryption and digital
    signature
  • Complete documentation in visa.com

33
Secure Electronic Transaction (SET)
  • SET protocol
  • Designed to protect e-commerce payments
  • Certifies customer, merchant and merchants bank
  • Requirements
  • Merchants must have a digital certificate and SET
    software
  • Customers must have a digital certificate and
    digital wallet
  • Digital wallet
  • Stores credit card information and identification
  • Merchant never sees the customers personal
    information
  • Sent straight to banks
  • Microsoft Authenticode
  • Authenticates file downloads
  • Informs users of the downloads author

34
Advantages of SET Over Channel Encryption
  • Participants are authenticated via certificates
  • Financial institutions provide assurance, not
    software
  • SET allows a wallet to clearly distinguish a
    payment from other uses of web forms
  • SET prevents terminated merchants from obtaining
    account information (three party transaction)

35
Merchant Benefits of SET
  • More sales
  • Increased trust in merchant
  • Visa global acceptance
  • Cost Savings
  • Fewer losses from chargebacks
  • Assured payment
  • Reduced overhead
  • Automated payment process

36
Secure Sockets Layer (SSL)
  • A transport-level technology for authentication
    and data encryption between a Web server and a
    Web browser.
  • SSL negotiates point-to-point security between a
    client and a server.
  • SSL secures the routes of Internet communication,
    but it does not protect you from unscrupulous or
    careless people.
  • Source www.Netscape.com
  • Use Public Key
  • Do not protect private information.

37
Secure Sockets layer (SSL)
  • SSL
  • Uses public-key technology and digital
    certificates to authenticate the server in a
    transaction
  • Protects information as it travels over Internet
  • Does not protect once stored on receivers server
  • Peripheral component interconnect (PCI) cards
  • Installed on servers to secure data for an SSL
    transaction

38
SET versus SSL
  • SET
  • Three party protocol
  • Application protocol
  • Trust requirement All participants have been
    authenticated for a specific role in payment card
    transaction processing
  • SSL
  • Two party protocol
  • TCP/IP Communication protocol
  • Trust requirement communicating with a trustable
    server
Write a Comment
User Comments (0)
About PowerShow.com