1 (c) David Strom and Stephanie Denny, 1998 Internet Commerce: Understanding Payments, Security and...

(c) David Strom and Stephanie Denny, 1998

1

Internet Commerce:Understanding Payments, Security and Storefronts

presented by:

David StromPort Washington NY USA

[email protected], +1 (516) 944-3407


2

Why This Tutorial

A successful web storefront must accommodate the common forms of electronic payment in use today

Good storefront design and tactics will increase sales

Tough to evaluate various payment systems, standards and products


3

What This Course is Not About

Mathematics of Public Key Cryptography In-depth discussion of Visa® and

MasterCard® operating regulations for eCommerce

Legal advice for eCommerce issues related to operating a web storefront

Writing your own storefront systems from scratch

In-depth on security issues


4

For future reference

Copy of this presentation (Powerpoint) and resources: www.strom.com/pubwork/ecommerce


5

Course Topics

Good and bad web storefront design, defining successful eCommerce ventures

What are relevant eCommerce standards and why should I care?

Overview and demonstration of payment systems that are working on the Internet today

Choosing service providers or suites Installing and operating your own

storefront


6

Course Approach

Overview of major payment systems and storefront products

Give real-life examples and online demos Help relate information to your own

situation Provide insight into different

approaches, technologies Discuss pros and cons of each Multiple Q&A sessions


7

My Background

I’ve been involved in the Internet for some time

Have used most of the products we demonstrate

Have consulted to a few of the vendors, but still have strong opinions


8

My Beliefs

My perspective is from the consumer’s viewpoint, as well as from the merchant’s

I believe that eCommerce is the next evolutionary step in the web

Most eCommerce has had accidental success to date


9

Topic 1: Introduction to Internet Marketing

Advantages and disadvantages Speed of adoption is immense! Different kinds of approaches


10

Internet Marketing

Look good to the public, be on the cutting edge

Supplement traditional channels, be real-time

Focus on global niches, be high-content

Avoid the trailing edge, the competition is already doing it


11

Advantages

Direct, one-to-one marketing opportunity Allows you to learn useful information

and build customer relationships Relatively inexpensive medium compared

to advertising, direct mail or telemarketing

Capacity to be a major distribution channel

Results are measurable, sometimes


12

Challenges

Most say that eCommerce is taking off, just differ on the rate!

How do we convince the general public that they will really like eCommerce?

Focus initially has been on business-to-business uses


13

Obstacles to Wide Deployment

Easy forms of payment Trust in the system Perceived benefits outweigh the risk

(What’s in it for me?) Technology and infrastructure still

primitive


14

One Example: Domain Names!

Typo.net AmericaOffline.com Sell ad space on things like:

amazom.com www.eartlink.net

Is the Internet a great place or what?


15

Time To Reach a Mass Market

VCRs: 30 years TV: 25 years Cell phones: 15 years Credit cards, ATMs: 10 years Internet usage: <10 years!!


16

Some Conclusions

Consumer control of privacy is essential most folks simply want the choice of opting

out The granularity of control must be fine,

e.g., over number and frequency; over categories of interests; and/or over (indirect) dissemination to third-parties

Regardless, there are likely legal issues, when maintaining/using a consumer database


17

Topic 2: What Becomes Success?

Overview of eCommerce market Review physical storefront success

factors Propose some definitions Define success for the web Draw up five eCommerce principles


18

Overview of eCommerce Market

Predictions Success factors Five principles


19

eCommerce Revenue Predictions are Wide-Ranging

Source 1996 (B$US) 2000 est. (B$ US)

IDC $2.2 94

Forrester 1.4 117

Jupiter .7 15.6

Dataquest 6.4 56


20

Not to mention all the PC sales

Gateway sells $4MM /day Dell sells $5MM/day Compaq sells $6MM/day (including

resellers) That’s $4 Billion/yr right there!


21

Let’s Keep Our Perspective

Size of US movie industry -- $6B! Size of adult video rentals - $6B! Total US music sales -- $6B!

(Forrester says $288M in 1998 online music+books)


22

Ticketmaster

US$5 million/month via the web in sales

Started 11/96 Generating lots of new buyers, who

wouldn’t ordinarily use their service


23

Then there is Disney.com

Web site Daily Blast signing up 15k members/month

Sales via web are equal to 3x-5x of physical Disney store!


24

And of Course, There is the Porn Industry

“However, extensive interviews with adult site owners yield a picture of a highly charged market of approximately 10,000 sites generating about $1 billion in revenue per year, most through electronic credit card transactions.”

From Interactive Week


25

Sad State of Today’s eCommerce Marketplace

Poor quality tools Hard-to-find stores Limited payment methods Credit card snooping perceptions Older browser versions can’t view

latest sites


26

Case in Point: Buying a Bike Rack

Item not carried: outdated catalog Telesales not familiar with web No cross-sell or substitutions online Needed three phone calls to complete

purchase


27

Let’s Learn From the “Real World”

Compare what works for physical stores

Try to extend to the web


28

Critical Success Factors for Physical Storefronts

Location Branding Good service Good product selection Proper pricing and margins Traffic


29

First Problem:

None of these translate on the ‘net!


30

Now Try to Agree on Definitions for Web Stores

What determines a good location? Position on a search page Nearness to popular destination Ad on a popular server

What determines branding? Memorable domain name Popular search category destination


31

An Example of bad location: Montana Meats

www.imt.net/~lingerie/buffalo/buffalo.html Can’t they afford their own domain

name? www.company.com/~anything is BAD

NEWS!


32

Another Case: Buying Toner and Batteries

www.cartridgesusa.com, www.batterybarn.com Catalog shows pictures of parts Easy to find relevant item But payment acknowledgement

incomplete


33

Determining Traffic

Hard to do -- is it hits, page views, registered users?

[HITS = How Idiots Track Success] Hard to measure -- do you count gifs?

Use log files? No general agreement on any metrics!


34

Traditional Advertising Doesn’t Apply Anymore

Can’t measure anything Every site has its own banner sizes The Web is not TV


35

One Working Definition of Success:

SURVIVAL! If a site is still running after 12

months, and getting more traffic, it is a success.


36

Does a site actually have to sell something?

Many actual eCommerce sites don’t do the complete transaction (Cisco)

Require faxes or telephone calls! Some merely have catalogs A good example: Singapore Power

Authority www.spower.com.sg/readmeter.cgi?cmd=form


37

Good eCommerce Examples

Easy to find merchandize Good service Individual customization is key Simple navigation Make payments easy


38

AMP Connect

Have customers in 100 countries Speak many languages Produce 400 catalogs covering

135,000 items Mailings cost US$7MM/yr Fax back cost US$800,000/yr But you can’t buy anything directly!


39

Solution: “Step Searching”

Saqqara.com software to enhance Oracle database

Provide user feedback as they type in the query

Show how many matches in the database Different mechanisms for searching:

by part number by alphabetical names by part family by picture even


40

AMP connect.ampincorporated.com


41

AMP Connect (con’t)

And can set to list parts that are available in specific countries!

Updated daily with over 200 item changes

Detailed drawings saves time for customers to pick the right item

Saved AMP over US$5MM in production costs

Saved US$1MM in translation costs


42

First Principle of eCommerce:

Make it easy to buy!


43

Amazon.com

Services frequent readers with a variety of programs Editorial comments If you liked this book, you’ll like... Notification of new books by author, topic Simplified “1 Click” ordering

Uses simple pages and email Associates program for commission kickbacks Gift certificates via email And ... lots of books to choose from


44

Amazon


45

Update your directories!

This one is almost a year old www.asiapage.com/alist.html#jewellery


46

Second Principle of eCommerce:

Deliver solid service!


47

Dell

Most notable site for computer buyers Customize the features you want via a

web form Simplifies and personalizes the

shopping experience WYSIWYB (buy) >US$5MM/day in sales!


48

Dell


49

Canadiantire.com

eFlyer uses email notification along with web forms

Customize exactly what coupons and deals are sent to you


50

Third Principle of eCommerce:

Individual customization is key


51

BMW Motors

Example of what not to do Use gratuitous graphics Cheesy low-res videos Toys, not tools


52

BMW


53

Compare with Subaru

Find specific information about each car

Can price options to your particular needs


54

A better example: fishing licenses

Simple, quick, and does the job with a minimum of clutter

www.permit.com


55

Fourth Principle of eCommerce:

Make navigation simple! Use small graphics, site maps, indexes Avoid graphics just to display text Avoid plug-ins to complete purchase

process Avoid link and button clutter, frames


56

How NOT to Design a Payment Screen

www.netmar.com/new/norderform.shtml


57

Common mistakes with payments

Provide too few or too many order confirmation pages

Confusing methods and misplaced buttons on order page

Make it hard for customers to buy things

Don’t make your customers read error screens


58

Fifth Principle of eCommerce:

Make payments easy!


59

Topic 3: eCommerce Standards

SSL (encrypted transactions) SET (authenticate buyers) OFX (bill presentment) OBI (exchange purchase orders)


60

Some Disclaimers

Standards are still in motion Multiple approaches means they don’t

always work as intended May be eclipsed by events (eg, SET)

and consumer behavior Moral: lots of programming still

required!


61

SSL: Encrypt Transactions

Why encrypt? Principles of cryptosystems Understand certificate management


62

Why Encrypt? TRUST!

Ensure your customer is authorized to use his account

Customer wants to make sure you are the legit seller

Ensure payment is received Ensure goods are received


63

Four Principles of Cryptosystems

Privacy of message contents Authentication of parties involved Integrity of data transmitted Non-repudiation of transactions


64

Privacy

Privacy means that the message contents cannot be seen by anyone but the intended parties

Accomplished through the use of encryption


65

Authentication

Authentication means that each party involved in the transaction is identified as legitimate

Accomplished through the use of certificates A certificate is a notarized public key (like

a passport or a driver’s license) Issued by a trusted third party called a

Certificate Authority Binds the certificate owner to the public

key within the certificate


66

Integrity

Integrity of data means that it cannot be altered by anyone during transmission, to avoid a “man in the middle” attack

Encryption allows only the intended recipient to open the digital envelope

A digital envelope (or ”hash”) = contents of an encrypted message + digital signature


67

Non-repudiation

Non-repudiation means both parties to the transaction are ensured that the message is genuine and cannot be disputed

Parties are identified with certificates that have been notarized by a trusted Certificate Authority

It will be much harder for customers to claim they never placed the order


68

Why Should You Get a Certificate?

You want those who visit your web site to know you are a legitimate business

A certificate is required to operate a secure server (SSL)


69

Certificate Authorities (CAs)

Trusted third parties, similar to notaries

Can be external or internal (server is managed within your own company)

Choice of a CA may depend on your merchant server software


70

Public Key Cryptography

Public keys are shared and widely distributed Private keys are kept secret by the holder of the

key Both pairs of keys are required to complete

secure transaction

Customer’sPrivate Key

Customer’sPublic Key

Merchant’sPublic Key

Merchant’sPrivate Key


71

Public and Private Key Pairs

A public key is disclosed and widely distributed with no adverse affects

Used to encrypt or decrypt information Works only in conjunction with its

paired private key


72


A private key is held and used only by its owner

If a private key is compromised, it must be replaced immediately Today’s real-world example: lost or stolen

credit cards must be blocked and replaced


73


Real-world example: Dual control of keys for your safe deposit box — it can only be opened with two keys — yours as well as the bank’s


74

Steps in Certificate Creation

Refer to you server software documentation for selection of a CA and instructions

Generally, you will do the following: Generate a key pair of public and private keys Send the public key and other information to CA CA verifies information provided Upon verification, CA creates a certificate

containing public key and expiration date The Certificate is sent back to applicant and may

be posted publicly, if appropriate


75

Examples of Certificate Authorities

VeriSign www.Verisign.com

GTE CyberTrust Solutions, Inc. www.cybertrust.gte.com

Thawte Consulting www.thawte.com


76

Certificate Creation

Demo of key generation and certificate request


77

Different Classes of Certs

Class 1 (unambiguos name, email, PIN/encryption recommended)

Class 2 (adds address check for US/Canada, required PIN/encryption)

Class 3 (adds document check, recommends tokens)


78

Certificate Management

Once public key certificates are issued, they must be managed to maintain integrity They contain expiration dates They may be revoked for various reasons Upon expiration, certificates must be

renewed or reissued This is a consideration for using an

external CA, as opposed to managing an internal CA


79

How is this accomplished?

Secure servers and browsers Capable of strong encryption (up to 128 bit) 40 bit encryption is no longer considered

adequate for financial transactions Digital certificates

Ensure the identity of the certificate holder

Also called digital IDs The common protocol in use today is

Secure Sockets Layer (SSL)


80

Secure Sockets Layer Protocol (SSL)

Authenticates the merchant server Merchant Certificate obtained from trusted

Certificate Authority Provides privacy through encryption of

the message for both the sender and receiver Secure “pipe” negotiates maximum

encryption compatible at browser and server for each message transmitted

Ensures integrity of data transmitted Message authenticity check (algorithm)


81


https:// in the URL = a secure connection SSL allows customers to verify who the

merchant is The merchant’s digital ID does not certify

the integrity of the merchant

Merchant’s Certificate (Digital ID) can be viewed by any secure browser


82


SSL encrypts the customer order, which includes the payment information

This data is sent from the customer to the merchant via a secure “pipe”

Customer Order withPayment Information

Encryptedorder sent

Customer order decryptedat merchant server


83

What SSL Doesn’t Encrypt

Once the data arrives on the secure server, it could be stored in an insecure location!

Or if someone has physical access to your desktop or server


84

SSL: How do you get a certificate for your merchant server?

Apply to Certificate Authority Instructions built into merchant server

software You will be asked to provide valid

business license and other ID Cost is dependent upon level of

certification


85

Encryption Strength

It is illegal to export outside the US products containing encryption that is stronger than 40 bits

It is not illegal to use encryption stronger than 40 bits internationally

Financial institutions do not consider 40-bit encryption adequate for Internet transactions


86

Encryption Strength

Newer browser and server software are capable of 128-bit encryption

128-bit encryption is exponentially stronger than 40-bit encryption


87

SET: Authenticate Buyers

What is the protocol How it works Advantages and disadvantages


88

What is SET protocol?

Secure Electronic Transaction protocol is a common standard that was developed jointly by Visa, MasterCard and other partners to ensure the processing of secure transactions.

Based on RSA encryption Uses public and private key pairs that

have a mathematical relationship


89

How is SET Different from SSL?

Digital certificates for SET will be payment-specific Merchants will be certified as legitimate to accept

branded payment card transactions Cardholders will be certified as valid account holders Merchants will not see customer’s account number (it

will only be passed to the acquirer)


90

How is SET Different from SSL?

Customer’s Digital IDrelated to a specific account

+ Customer Order info

Merchant Server gets Customer’s Digital IDminus the account number + Customer Order

Acquirer gets order receipt +Customer’s Digital ID with account number

With SET:


91

The Mechanics of SET

(1) Payment info sent from user to merchant (2) Merchant confirms, fees charged (3) Transaction to bank, funds

debited/credited (4) Merchant sends item to user (from

Computerworld)


92

How Will Certificates (Digital IDs) be Issued for eCommerce?

Hierarchy of trust for certificate issuance Visa and MasterCard will designate a

Certificate Authority to hold the Trusted Root Merchants will obtain certificates from banks’

or acquirers’ Certificate Authority, then store on SET server software

Cardholders will obtain certificates (digital IDs) from their banks’ Certificate Authority, then store in electronic wallet


93

MasterCard® Example of a SET Transaction

http://www.mastercard.com/set/screen1.html


94




95




96




97




98

SSL vs. SET

SSL Server authentication

Merchant certificate as legitimate business

Possible for client authentication Not tied to payment method

Privacy Encrypted message to

merchant includes account number

Integrity Message authenticity check

(MAC)

SET Server authentication

Merchant certificate tied to accept payment brands

Customer authentication Digital certificate tied to

certain payment method Privacy

Encrypted message does not pass account number to merchant

Integrity Hash/message envelope


99

SET — the Answer to eCommerce

SET has been proposed as the answer to secure and interoperable eCommerce It is not currently mandated by Visa and

MasterCard There are big implementation issues for all

concerned The SET protocol is definitely more

secure than SSL However...


100

SET — the Answer to eCommerce

Implementation of SET has some big drawbacks: Lack of interoperability among systems Management of public key infrastructure Distribution of digital certificates requires

action on the part of the consumer And who will pay for all this? Meanwhile, eCommerce goes on


101

The Future of SET

Non-repudiation of transactions through digital certificates for both merchant and customer

SET may be the industry standard for payments, but yet to be implemented

It will be far more difficult for a customer to claim no knowledge of a transaction

Many demonstrations this fall and winter


102

Electronic Bill Presentment

Saves on paper (typical bill cost $1 in postage and processing, EBP saves half) but requires lots of coordinated systems

Can show bills with nice fonts, interactive applications

Is separate process from the actual payment system


103

Electronic Bill Presentment Issues

Does the processor use EBP with merchant bank?

Can users browsers support these new applications Java applets Active X controls etc.

Reconciliation requires access to both dispute and payout information


104

Microsoft’s MSFDC

A means to standardize on presentment

All customer data maintained by MSFDC

Have both web-based access and special consumer-based software

Former “Marble” server, read white paper at: www.microsoft.com/finserv/marblewp.htm

Requires NT, SQL Server, IIS, etc.


105

Other EBP efforts

Open Financial Exchange (www.ofx.net)

www.Integrion.Net CheckFree’s E-Bill

(getbills.checkfree.com)


106

eBill

Most popular and in widest practice Schwab and Intuit/Quicken are

supporters Most threatened by MSFDC


107

OFX

Started with Intuit Trying to standarize on too much at

once: data transfers account inquiries financial applications and transactions

Verisign Financial Server (US$1200) digitalid.verisign.com/ofxIntro.htm


108

Integrion

Banking-intensive plus IBM No other software supporter, BUT… Combining forces with CheckFree Trying to establish their “Gold

Standard” vs. OFX Leave choice of how much customer

data is maintained up to the merchant


109

What about OBI?

Open Buying on the Internet A bunch of standards: SSL, X12 EDI,

X.509 PKI Exchange of purchase order info Unresolved issues:

who owns the catalog? how much infrastructure is really needed? knitting together a solid solution is more

than enumerating standards!


110

Topic 4: Introduction to Payment Systems

Structure, properties and roles Different devices

Credit Cards Electronic Wallets CyberCash

Setting up a merchant account Privacy issues


111

Payment Basics

Issuer Acquirer

ConsumerAccess Point

MerchantAccess Point

BANK

Consumer Merchant

• deposit & withdrawal• transaction status inquiry• authentication• problem resolution

• purchase & refund• transaction status inquiry• authentication• problem resolution


112

Hierarchy

Payment System (clearing house) Clearing house between acquirers and issuers

Acquirer (third-party processor) Authorizes, processes and settles for

merchant bank Merchant Bank

Accepts merchant deposit Merchant

Accepts authorized cardholder transaction


113

Difference Payment Pieces

System: provides processing and settlement of transactions

Gateway: software/services to support eCommerce merchants, acquirers

Device: initiates transaction from credit/debit card


114

Attributes of Superior Payment Systems

Universal, world-wide acceptance Recognized value Reliability of transactions Ease of use to customer Capacity for quick settlement and

collection


115

Requirements

Mass appeal Easy payment by the customer Have acceptable risk to bank and

merchant Accommodate changes, cancellations

and returns


116

Let’s Consider the Customer

Changes the order Doesn’t fill out all fields even when

asked Mistype credit card and other data Cancels order entirely or never

finishes order process


117

Objectives in Offering Payment Choices

Customers like choices, but remember: they are here to buy stuff!

Make it safe for everyone involved: customer, merchant, and banks

Consider how easy it is for your customer to use, not just how easy it is for you to manage

Payments in a virtual world should imitate those in the real world


118

Properties of Payment Systems

Transaction cost Transaction directionality Real-time authorization/validation System scalability Privacy


119

Three Real-World Examples

Cost Direction Validation Scale Privacy

Cash very low two-way no extreme yes

Check low one-way maybe high no

Card moderate one-way yes high no


120

Other Properties

How much software does the buyer need to install? Does it come with the desktop operating

system? Does it come with the browser or other

software? What third-party clearinghouse is used?

Provide trusted relationships Reduce risk, complexity in processing


121

Virtual Money is the Currency of the Future

That future is already here This idea is scary to many people

Consumers (they can’t “see” it) Banks (many bankers don’t understand it) Acquirers (they want to know the

difference) The Government (they can’t control it)

It is not unlike MO/TO transactions today


122

The Way Things are on the Web Today

Some payments are authorized off-line, through traditional POS terminals E-mail message to customer later

(hopefully), confirming order and shipping information

Many merchant servers connect with payment authorization systems Authorization is real-time during the web

session, and the sale is completed with secure server and browser software


123

The Way Things are on the Web Today: Secure and Un-Secure

Secure transactions via secure browsers and servers with SSL

Un-secure transactions with lack of proper encryption (account numbers sent “in the clear”) via e-mail messages

Un-secure transactions due to “export” versions of browser and/or server software


124

The Way Things are on the Web Today

Secure transactions do not guarantee the validity of the customer account information A high percentage of credit charge-backs

for MO/TO transactions are for “merchandise not received”

Address verification services can help protect you, and in some cases are required


125

Examples of Payment Systems (Clearing Houses)

Federal Reserve System for clearing checks

Visa and MasterCard transaction networks

American Express Novus (Discover)


126

Examples of Acquirers (Processors)

First Data Corp. Paymentech National Data Corp. Bank of America Merchant Services Many processors (acquirers) process

multiple brands as part of their service


127

Internet Payment Devices

Credit cards, debit cards Off-line accounts Electronic cash Electronic checks


128

transmit “16+4” over the Internet?

buyer encrypts? buyer confirms?

synchronous? off-line aliasplaintextmerchant decrypts?

buyer signs? CyberCash SET

GlobeID VirtualPIN

SSLS-HTTPPGP

yes

yes

yes

yes

yes

yes

no no

no

no no

no

A Taxonomy of Approaches


129

Different Ways to Capture Customer

Online Post-authorization Batch


130

Online Capture

Happens simultaneously with authorization of transaction

Fastest method of capture for online merchants who can guarantee same-day shipment of goods


131

Post-Authorization Capture

Capture is a separate step from authorization of transaction; post-auth message instructs bank to capture transaction

Example of use is for delayed shipping of merchandise


132

Batch Capture

Transactions are captured in a batch mode after authorization (like post-auth capture)

Multiple authorizations are submitted at one time for capture

The batch is transmitted through gateway (CyberCash) to the bank for funds transfer and merchant account reconciliation


133

Credit cards, debit cards

JCB, Visa, MasterCard, Discover, American Express

Buyer gets card from issuing bank Merchant is sponsored by acquiring

bank Merchant knows buyer and authorizes

payment


134

How Credit Cards Work

Transactions authorized against customer’s line of credit at issuer (promise to pay)

At point of settlement, cardholder’s account is charged and merchant’s account is credited

Transactions subject to chargeback to merchant under certain conditions Lack of proper authorization Lack of proper identification / address

verification


135

buyer merchanttrans

16+4 16+4

Plaintext Transaction Process


136

S-HTTP/SSL Features

Supply 16+4 in encrypted form Require merchant to have a cert signed

by a trusted third-party Requirement of client-side cert is a trade-

off: yes: buyer must “register” before making

purchase (S-HTTP, SSLv3); or, no: no assurance as to buyer’s identity (SSL)

Merchant site becomes a credit card repository


137

buyer merchanttrans

E(16+4) 16+4

SSL Transaction Process


138

“Off-line” Accounts

Electronic wallets CyberCash® Wallet Microsoft® Wallet Verifone® vWALLETSM

GlobeSET Wallet All these may provide access to credit,

debit, e-cash or electronic check accounts


139

“Off-line” Account Services

Credit card and other account numbers are stored by the service provider in a database, and are not transmitted to the merchant

Instead, a “PIN” is used by the customer at the point of purchase (cross-reference for actual account number)

Consumer must initiate account set-up in advance of making any purchases


140

How Electronic Wallets Work Today

Consumer must initiate request for electronic “wallet” software

Credit card or other account numbers are given to provider one time before any purchases are made

Account numbers, stored by provider in a database, are not transmitted; instead, a “PIN” is used to pay

Closed system: only available to participating merchants and cardholders who have signed up in advance


141

How Electronic Wallets Will Work in the Future

With SET protocol, will contain digital IDs with encrypted account information

Since digital IDs will be tied to specific accounts, wallets will keep track of all that information

At that point, wallets will be widely distributed and universally accepted


142

Interoperability is the Key

Wallets will become widely used when the following events occur: Mass distribution of wallets to consumers

is easily made Will be accepted by all merchants,

regardless of wallet brand or payment brand


143

Visa® Example of Electronic Wallet

www.visa.com/cgi-bin/vee/nt/sec/no_shock/virt_wallet_L.html?2+0


144

Visa® Example of Wallet Registration (Digital ID)

www.visa.com/cgi-bin/vee/nt/sec/no_shock/registering_L.html


145

Other Wallet Examples

GlobeSET Microsoft Wallet (in Win98, IE 4.01)

(both SSL and SET)


146

Some Problems with Wallets

Not transferable to other wallets or other PCs

Not available for use at many web storefronts

Just solve a small part of the overall payment process


147

CyberCash System

Three systems: CyberCash, CyberCoin, CyberCheck

CyberCash operates a gateway between acquirer and the Internet

Merchants given the choice of capture via: SSL; or the CyberCash Wallet

If wallet-based, merchant doesn’t see 16+4


148

How It Works

Buyer’s wallet receives invoice from merchant’s server

Buyer’s wallet sends sales order to merchant’s server: signed with buyer’s public key; and, includes 16+4 encrypted with gateway’s

public key


149

How It Works (cont.)

Merchant sends transaction to gateway: signed with merchant’s public key; and, includes buyer’s sales order

Gateway verifies signature, and: decrypts 16+4 using its private key; submits transaction into credit card

network; and, returns results to merchant who tells buyer


150

buyer merchantE(16+4)

3rd-partyS(trans)

E(16+4)

S(trans)

16+4

trans

CyberCash System Transaction Process


151

CyberCash System Properties

Cost Direction Validation Scale Privacy

modest one-way yes modest no


152

What’s in a CyberCash Wallet?

Credit card accounts Debit card accounts PayNow™ check service (for electronic

payments from checking account; like debit cards)

CyberCoin account (for “micro-payments”)


153

CyberCash Secure Internet Credit Card Payment

http://a.dn.cybercash.com/cybercash/info/sixsteps.html


154

CyberCash as a Merchant Service Provider

CyberCash provides the merchant with CashRegister software to authorize and process payments

CyberCash is neither an acquirer nor a bank, but is a provider of payment software for eCommerce (a gateway)

CyberCash provides an advanced level of encryption for financial information passed from their database to acquirers (not SSL)


155

CyberCash CashRegister® Software

Integrates with a variety of operating systems and merchant storefront software

Can be used with or without consumer wallets

Non-wallet transactions use SSL $500 initial fee, $50/month plus 10

cents/transaction Some programming required perl (Unix) or

VBScript (NT)


156

CyberCash CashRegister® Software

However, you must still arrange for a merchant deposit account with your bank or independent service provider

If you are having trouble setting up a merchant account with a bank, contact CyberCash for assistance


157

Credit Card Payment Demo

Credit card transaction with CyberCash — No Wallet

CyberCash Wallet transaction


158

CyberCash Benefits

CashRegister Software is free to merchant Supports wallet and non-wallet payments No additional charges to merchant — fees

to CyberCash are paid by acquirers CyberCash is presently the largest gateway

service provider for Internet merchants Their products will evolve


159

Electronic Cash (e-cash)

CyberCoin®

Service of CyberCash, part of Wallet Currently available with Microsoft Wallet

Mondex®

Licensed by MasterCard International, Inc. Smart card-based system

Digicash®


160

Mark Twain Bank is Worth Looking At: www.marktwain.com/digifaq.html#Help

Look at their customer support disclaimer —they get an “A” for honesty!


161

SSL Payment Systems

ICVerify, www.icverify.com PCAuthorize, www.tellan.com Worldpay/PSI, www.psi.net/worldpay AuthorizeNet, www.authorizenet.com Internet Secure, www.internetsecure.com Check out www.ihtmlmerchant.com/creditcard.htm


162

Other Merchant Providers to Consider

Online Financial Services (OFS) http://ofs.web-charge.com/signup1.html

Internet Secure www.internetsecure.com

Redi Check / Redi Charge www.redi-check.com

Merchant Account Services Provo, Utah 1-801-765-1111


163

ICVerify Process

Customer submits 16+4 through SSL browser connection

Merchant swre records to a file ICVerify submits to bank ICVerify receives response from bank,

creates answer file Merchant swre retrieves answer, sends

response to customer No per transaction fee!


164

Supported Merchant Servers for ICVerify

MS Site Server Commerce Oracle Payment Mercantec SoftCart Internet Factory Merchant InterShop Online


165

ICVerify Demo

www.icverify.com/library/downloads/icvdemo20.html


166

Setting up Merchant Account

Providers to consider How to compare services Choices in setting up account, fees


167

All Merchant Providers Are Not the Same

Compare services Which cards do they authorize? Do they provide electronic check services? Do they provide check guarantee services?

Compare prices Start-up fees Monthly discount fees Other service fees (per transaction) Statement generation fees


168

Choices for Setting Up a Merchant Account

Go to your local bank and set up your own merchant account -- If they’ll take you, this may give you the best discount rate

Join Costco warehouse membership store, Executive Membership is $125, <2% plus 25 cents/transaction (www.costco.com/exec/credit.html)

Contract with CSP and process through them Buy a software suite that includes merchant

account set-up


169

Range of Credit Card Fees

Your Bank

Discount Rate: 1.5% - 5.0%

CSP

Application Fee: $100 - $300

Discount Rate: 1.5% - 5.0%Per Transaction: .20 - .30Monthly Fee: $10 - $25(service / statement fee)Chargeback Fee: Up to $25Chargeback Reserves:

Up to 10% of sales, for up to six months


170

Regulations governing electronic commerce transactions

Visa / MasterCard Operating Regs Credit Card Rules for acquirers and

merchants Fair Credit Billing Act

Debit Card Rules Regulation E

Consumer Telephone Protection Act Can Internet Protection Act be far behind?

Privacy Principles Yet to be mandated, but inevitable; and

generally a good idea


171

What About Privacy?

Anonymity issues Confidentiality issues Disclosure issues

Name and address info Disclosure of transaction to a third party

Merchant’s identity


172

Privacy Issues for the Consumer

Most people just want to be asked for their permission

Your customers don’t object so much if you use their information to sell them other products you may offer

But many object if you sell or rent their names to someone else


173

“Data Mining”: How much is enough?

You have the opportunity to build a customer database for future sales

To what degree do you slice and dice? If you slice too fine, are you missing

opportunities? This leads to more privacy issues


174

Topic 5: Choosing the Right eCommerce Path


175

Three Approaches:

Outsource to a CSP Buy suite of software DIY


176

Find an CSP

More ISPs are offering eCommerce solutions

Have to use their software standards and payment schemes

Could be pricey Just catching on in USA


177

Evaluating CSPs

Do they offer storefront design? Have in-house programmers? Hosting of your own web server

machine? How many payment systems do they

support? What kinds of accounting reports do

they offer?


178

The Catch-22 of CSPs:

To be successful, a provider has to promote his products via the Internet and have detailed descriptions on their own web sites!

But try to find this information isn’t easy.


179

Some CSP Examples

www.psi.net/web/ecommerce.shtml www.Best.com/bizcomm.html www.Brainlink.com/html/saleslink.htm www.Earthlink.net/company/webservices.html IBM: mypage.ihost.com www.Netcom.com business.Mindspring.com/prod-svc/smbiz/ www.Mindrush.com/ www.outer.net/ONCommerce (OuterNet)


180

Price Comparison for CSP hosting

Provider Setup fee (US$) Monthly fee(US$)

Plan name,paymentoptions

IBM 260 55 Bronze, creditcards

Earthlink 624 194 Premium Plus

Netcom 450 300 Commerce Site,credit cards

Mindspring 175 324 CommercialAdvantage,credit cards,Cybercash


181

Price Comparison assumptions

10 Mb disk storage Single email account InterNIC $100 fee included for domain

name


182

New CSP Approaches:

GeoShop ViaWeb/Yahoo iCat Encanto Tripod


183

GeoShop

Builds on GeoCities “communities” but for merchants (www.geocities.com/join/geoshops)

$25/month for just commercial listings $180/month (or more!) for actual

transactions working with Internet Commerce Services

Corp. who uses Open Market Transact servers


184

ViaWeb/Yahoo

$100/month (<50 items) or $300/month options

CyberCash processing $500 setup Solid reporting and admin options


185

iCat Commerce Online Hosting Solution

Free for <10 items, $99/mo. for 100 items

No per-transaction fees Email and browser-based notifications

of purchase completion Advanced items like upsell, featured

products, cybercash gateways


186

Encanto

Turnkey server/software for under $2000! Payment gateway included ($50 initial,

$20/month) Web storefront, shopping cart, catalog

system Secure cert required All managed via browser, steps are

clearly documented Demo at www.encanto.com/ego/demo


187

One Way to Support Lots of Payment Systems

Wired-2-Shop www.wired-2-shop.com/TestDrive/Admin/PaymentList.asp


188

The Suite Approach

Leading contenders What is part of the suite and what

isn’t Prices and platforms


189

Popular eCommerce SuitesVendor, Product Version Price Platform

ICatElec Comm Suite

3.0 $3500 -$10,000

NT, 95,Solaris, Irix

IBMNet.Commerce

3.1 $5000 -$20,000

NT, AIX,Solaris,AS/ 400,S/ 390

MicrosoftSiteServer Commerce

3.0 $4600 NT

IBM/ LotusDomino Merchant

2.0 $3500 -$9000

NT


190

Popular eCommerce Suites (con’t)

Vendor, Product Version Price Platform

OM TransactOpen Market

4.0 $250,000 Unix

Intershop OnlineIntershop

3.0 $5000 NTUnix

WebSite ProO'Reilly

2.3 $800 NT, 95


191

Four Typical Elements

Catalog Storefront designer Ordering/inventory system Shopping cart/check out system


192

The Cold Hard Reality of Suites

Suites are nothing more than collection of products

Lack integration among various elements

Difficult to setup, customize, and use Require you to live “inside” their

structure Limited payment options Sounds like early MS Office


193

Payment Systems Included in Each Suite

Microsoft: Verifone, Buy Now IBM (Net.Commerce): Verifone, SET/eTill Domino Merchant: CyberCash, Verifone iCat: CyberCash, CheckFree, others OpenMarket: Verifone WebSite Pro: IC Verify, PC Authorize,

CyberCash, others Intershop: CyberCash, ICVerify, others


194

Sample Stores Included in Each Suite

Microsoft: 4 stores IBM: eMall, simple and advanced

sample stores Domino: 1 store iCat: 1 hardware store OpenMarket: none WebSite Pro: 1 bookstore Intershop: 3 stores


195

Databases Supported in Each Suite

Microsoft: SQL Server IBM: DB2 Domino: Notes iCat: 4D, Sybase SQL Anywhere WebSite: Access Intershop: Sybase SQL 11


196

Dealing With ODBC

Have to understand how to set up data sources

Intimate knowledge of your data structure

Re-install ODBC drivers at least once! Best to start with built-in database


197

Store Wizards Included in Each Suite

Net.Commerce (the best) WebSite Pro (but doesn’t do much) Intershop (various wizards) MS Commerce (although you’ll really

need to know COM!)


198

Tips

Don’t install anything before making sure you have everything!

Downloads for free, but they expire Can you export existing files to these

systems?

Don’t install anything before making sure you have everything!

Downloads for free, but they expire Can you export existing files to these

systems?


199

WebSite Professional website.ora.com

Version 2, shipping since 9/97 US$799! NT (or 95) Supports seven different payment

processors: SSL, CyberCash One sample store (bookstore)


200

Sample storefront

http://merchant.inline.net/admin/


201

WebSite Configuration Sheet


202

Store Properties

Only can operate a single payment system

Run on a series of Access databases Built-in tax table, but for N.Americans! Well documented data structures in

typical O’Reilly fashion


203

Recommendations

Lowest priced suite by far! iHTML is robust, but will take some

learning Nice store setup and organization of

catalog Good low-end solution


204

Intershop

demo at 207.90.184.82 (admin/admin for store)

Includes Sybase SQL 11 US$5000, includes 3 mos. support


205

Seven Different Managers

Catalog Products Store Purchases Inventory Customers Admin


206

Characteristics

Everything managed via browser, which can get tedious

But you already have a database behind it


207

Payment Options galore


208

Recommendations

Most flexible payment options of any suite

Better at processing orders than site creation

Not good for large catalogs


209

Microsoft SiteServer Commerce

Still evolving More of a development platform than

a suite Closely tied to IIS, SQL Server et al.


210

Shopping with MS Commerce


211

Recommendations

If you are going to use any other MS apps

If you believe developers will follow If you must stay on the cutting edge of

MS products Use with ClearCommerce.com front

end if possible


212

Commerce Server Specifics

NT, fast Pentium with 128 M RAM essential

US$5000 www.microsoft.com/commerce


213

iCat Electronic Commerce Suite

Two different versions: Standard and Pro

Pro (also runs on Solaris, Irix) and multi-user database, performance enhancements, wider payment options


214

iCat Process

Use four-step process Make changes to staging db Use designer and built-in catalog Then post changes to production db


215

Recommendations

No wizards, all browser-based forms Tedious but straightforward Lots of third-party add-on tools Best for people new to db or the ‘net Best if you don’t have computer-based

accounting system yet Used in their own hosting service


216

iCat Specifics

NT, fast Pentium with 128 M of RAM US$9000 for professional version www.icat.com


217

IBM Net.Commerce


218

Included

IBM’s Go Web Server DB2 database Shopping trolley system Credit card verifier, eTill software


219

Several ways to setup your store

Use nine-step wizard with populated catalog

Use wizard with empty catalog Start from scratch Import existing databases


220

Recommendations

Great if you already use DB2 for inventories

Most security-conscious suite More depth than iCat Start with all IBM defaults to save

time


221

Net.Commerce Specifics

NT, fast Pentium with 64 M of RAM AIX, 390, OS/400, Solaris US$5000 Basic, $20,000 Pro www.internet.ibm.com/net.commerce


222

Latest features

“Intelligent Catalog” Java-based wizards to setup and

manage store Recognizes shopping preferences and

upsells Improved SET payment server, ad

tracking partnerships Integration with Domino Merchant Screencam demo


223

Domino Merchant v2.0

Uses Notes server, but not Notes clients

Payments, catalogs, wizards galore Easiest to setup, difficult to add

products A good entry-level product for now Screencam demo


224

OpenMarket

High end solution Worldnet offers hosting of OM servers Still needs customization!


225

Recommendations

If you can afford it .... Really the price covers lots of

consulting time High transactions and throughput

needs Use with Icoms.com front end service

($1000 + $100/month)


226

OpenMarket Specifics

Various Unix US$250,000 and up! www.openmarket.com


227

Isn’t somebody missing from the suite party?

Netscape Oracle


228

Topic 6: Installing and Operating Your Own Storefront

What you need to know What you need to buy


229

One DIY solution

IIS PerlShop shopping cart ClearCommerce CSP First American Payment Systems Verisign certificates Fees: $800 setup, $500/yr, $50/month What took longest to work: perl

scripts to make credit card payments!


230

The 90s Help Wanted

Wanted: Webmaster Required skills: High proficiency in

various web based programming, development tools, CGI, cookies, DNS, eCommerce, FTP, HTML 2.0 through 3.02, IIS Server admin, Javascript, Java, MS SQL, Netscape server admin, NT Server admin, perl, Unix admin, web security


231

You Need to be a Superhero:

Part web designer Internet technologist SQL database admin Payment system maven


232

Things You’ll Need to Discover

Are your sales and marketing staff web-savvy?

Is your accounting system adaptable to web purchases?

How do you reconcile these accounts? Does your business owner understand

Internet culture? Can anyone find you


233

The Most Under-rated Skill:

PATIENCE!


234

Do it Yourself Path

Traditional merchant banking approach

More risk, especially when your payment system is on the ‘net


235

Steps Involved for DIY’ers

Get a web server Get merchant software Integrate with your back end systems

catalogs inventory customer accounts

Be prepared to do lots of coding


236

Components Needed to Operate a Web Storefront

Database of items to sell and current inventories

Secure web server Searchable catalog server Connections to backend payments and

financial servers Shopping cart system Checkout/payment system Don’t forget about security!


237

Which Database Server?

Pick before anything else Core of your store revolves around the

database: inventory system accounting system catalog system


238

Database Server Recommendations

Use existing client/server db if possible

SQL Server: best with MS tools Oracle: if you know pSQL already Informix: all other situations


239

Database/web Tools

Develop your own forms Query your database Develop your own catalog


240

Why is a Catalog Important?

Your customers view of your store Current with your own inventory and

offerings Don’t want to sell what you don’t have See catalog resources page


241

Another choice: outsourced catalog!

ShopSite/Open Market IBM Home Page Creator mypage-

products.ihost.com (N. America only) Mindspring with Mercantec


242

ShopSite demo

www.reliablehost.com/cgi-bin/bo/start.cgi username: test8 password: test


243

Tool Recommendations

Cold Fusion, www.allaire.com Sapphire/Web, www.bluestone.com


244

Which Web Server?

Hundreds to choose from Must support SSL and/or SHTTP Platform isn’t important, really


245

Get Your Certificates in Order

Bring up form inside web server Send to CA on letterhead with credit

card (!) Receive cert from CA Install on your web server


246

What can a Shopping cart do?

Simplify ordering process Track multiple purchases for a single

visitor Display items purchased Calculate total prices, tax, shipping

charges Track item attributes (colors, styles,

sizes)


247

Different Shopping cart Methods

Account-based Cookie-based; see www.cookiecentral.com

Encoded URLs


248

Shopping cart Programs

S-Mart: www.rcinet.com/~brobison/scripts

Minishop: www.egrafx.com/minishop mvend: www.iac.net/~mikeh/mvend.html PerlShop: www.arpanet.com/perlshop


249

Commercial Programs

Internet Shopping Cart Server: www.webisland.com/cart

Rent-A-Cart: www.rent-a-cart.com CyberCart: www.lobo.net/~rtweb AutoCart: www.autocart.com/Autocart WebCart: www.staff.net/webcart.html SoftCart: www.mercantec.com WWWOrder: www.virtualcenter.com/scripts2/WWWOrder.html


250

Shopping cart Example www.asizip.com (SoftCart)

Shopping basket Cookies to track purchases Simple navigation


251

Payment Choices

Use gateway (CyberCash, ICVerify) or service provider?

Do you need support for multiple currencies?

Do you have to host your store elsewhere?

Do you understand the fee structure?


252

Again, Merchant Providers Differ

Compare services Which cards do they authorize? Do they provide electronic check services? Do they provide check guarantee services?

Compare prices Start-up fees Monthly discount fees Other service fees (per transaction) Statement generation fees


253

WorldPay and PSI

Multicurrency payments >100 for product prices 16 different ones for settlement

Have to host your web at PSI Includes SoftCart and iCat software as

well US$1000 + US$1400/yr


254

WorldPay Demo

www.worldpay.com/demo/store.html


255

Prices of Typical Products

Product Type PriceInex Accounting US$6000SoftCart Shopping Cart 900MallManager Catalog 2000WebCatalog Catalog 1600Saqqara Search tool 700VPOS Payment server 2500WebMate Development tool 750


256

Inex Demo

Financial backend strength Store front and some aspects of suite www.inex.com


257

Don’t forget about sales tax and VAT!

Make use of software from Taxware.com

Some of the catalogs and suites have databases to deal with this

But you have to create them from scratch


258

Dealing with search engines

Some use <META>, some use <TITLE> Keep descriptions at top of your home

page short and sweet Review information on SearchEngineWatch.com

Web Review article: webreview.com/97/10/17/webmaster


259

Don’t Forget About Security

Make sure you protect your web site! See “Ten ways” article from Winn

Schwartau See “Eight Steps to Minimize Fraud”

article Limit access, isolate servers, lock down

scripts, so forth See www.nwfusion.com/netresources/0202hack1.html and www.scambusters.org/Scambuster23.html


260

Putting Together Your Own Solution

SQL Server database CyberCash payment system WebCatalog 3.0 (supports CCash) IIS web server Total price: <US$10,000


261

Conclusions

eCommerce crosses many different skill sets

Software is still too dicey in many areas

Standards aren’t much use right now Suites don’t offer much in the way of

integration DIY may be the best solution


262

Acronyms

B2B Business to business CSP Commerce Service Provider DIY Do It Yourself EBP Electronic Bill Presentment URLs Universal Resource Locator SSL Secure Sockets Layer OFX Open Financial Exchange SHTTP Secure web protocol HTTP


263

More Acronyms

ACH Automated Clearing House CA Certificate Authority ISP Independent Service Provider MAC Message Authenticity Check MICR Magnetic Ink Character Recognition MO/TO Mail Order/Telephone Order NACHA National Automated Clearing House

Association PIN Personal Identification Number PKC Public Key Cryptography POS Point of Sale RSA Rivest, Shamir and Adleman


264

Thanks!

Review, Q&A David Strom +1 516 944 3407 [email protected]

1 (c) David Strom and Stephanie Denny, 1998 Internet Commerce: Understanding Payments, Security and...

Documents

Transcript of 1 (c) David Strom and Stephanie Denny, 1998 Internet Commerce: Understanding Payments, Security and...