
UNIT I

INTRODUCTION TO E COMMERCE

Electronic Markets:
The principal function of an electronic market is to facilitate the
search for the required product or service. Airline booking systems
are an example of an electronic market.

Electronic Data Interchange (EDI):


EDI provides for the efficient transaction of recurrent trade exchanges
between commercial organizations. EDI is widely used by, for
example, large retail groups and vehicle assemblers when trading with
their suppliers.

Internet Commerce
The Internet (and similar network facilities) can be used for
advertising goods and services and transacting one-off deals. Internet
commerce has applications for both business-to-business and
business-to-consumer transactions.
Fig 1.1 : The three categories of E Commerce

The Scope of Electronic Commerce


Electronic Commerce (e-Commerce) is a term popularized by the
advent of commercial services on the Internet. Internet e-Commerce is,
however, only one part of the overall sphere of e-Commerce. The
commercial use of the Internet is perhaps typified by once-off sales to
consumers. Other types of transactions use other technologies.
Electronic Markets (EMs) are in use in a number of trade segments with
an emphasis on search facilities, and Electronic Data Interchange (EDI)
is used for regular and standardized transactions between
organizations. The mainstream of e-Commerce consists of these three
areas; they are represented as a diagram in Figure 1.1 and outlined in
a little more detail below.
Electronic Markets
An electronic market is the use of information and communications
technology to present a range of offerings available in a market
segment so that the purchaser can compare the prices (and other
attributes) of the offerings and make a purchase decision. The usual
example of an electronic market is an airline booking system.

Electronic Data Interchange (EDI)


EDI provides a standardized system for coding trade transactions so
that they can be communicated directly from one computer system to
another without the need for printed
orders and invoices and the delays and errors implicit in paper
handling. EDI is used by organizations that make a large number of
regular transactions. One sector where EDI is
extensively used is the large supermarket chains, which use EDI for
transactions with their suppliers.

Internet Commerce
Information and communications technologies can also be used to
advertise and make once-off sales of a wide range of goods and
services. This type of e-Commerce is typified by the commercial use
of the Internet. The Internet can, for example, be used for the
purchase of books that are then delivered by post or the booking of
tickets that can be picked up by the clients when they arrive at the
event. It is to be noted that the Internet is not the
only technology used for this type of service and this is not the only
use of the Internet in e-Commerce.

Usage of Electronic Markets


Electronic markets are exemplified by the airline booking
systems. Electronic markets are also used in the financial and
commodity markets, and again the dealing is done via intermediaries:
to buy stocks and shares a member of the public uses the services of a
stockbroker. Arguably the use of electronic markets has served the
customer well. With the assistance of a good travel agent the
airline customer can be informed of all the flights available for an
intended journey and then select, on the basis of price, convenience,
loyalty scheme, etc., the flight that they wish to book.

Advantages and Disadvantages of Electronic Markets


The advantages of an electronic market to the customer are
self-evident. Using an airline booking system, for example, there is a
screen that shows all the flights from (say) New York to Los Angeles,
and the consumer can make an informed choice without having to spend
time and effort finding out which airlines fly that route and then
contacting each of the airlines to obtain flight times, price and
availability details. Once a flight is selected the system facilitates
the booking of that flight, paying the fare and printing the ticket.
For the seller the advantages are less evident. The seller that is the
most competitive may do well: the electronic market makes available
information on their product and the advantage of that offering should
be apparent. Less competitive suppliers are likely to be forced into
price reductions, and the competitive effect may force all suppliers to
cut prices, possibly below the level at which it is possible to make a
profit (as is the case on some air transport routes).
Fig 1.2: Basic transactions in EDI
The above figure shows the basic transactions which take place
between two business organizations. Let us see the benefits when these
transactions are carried out not manually but through computer systems;
that is what is known as EDI.
The Benefits of EDI
EDI can bring a number of advantages to the organizations that use it.
It should save considerable time on the exchange of business
transactions and has the potential for considerable savings in costs.
EDI can be simply used to replace paper transactions with electronic
transactions – this is the normal route taken in the initial installation
of EDI. The full advantage of EDI is only realized when business
practices are restructured to make full use of the potential of EDI;
when EDI is used as an enabling technology to change the way the
business operates–just-in-time (JIT) manufacture and quick response
supply being prime examples of where EDI is used as an enabling
technology to gain competitive advantage.
The direct advantages of EDI include:
Shortened Ordering Time
Paper orders have to be printed, enveloped and sent out by the
customer's post room, passed through the postal service, received by
the supplier's post room, and input to the supplier's order processing
system. To achieve all this, reliably, in under three days would be to
do very well. EDI orders are sent straight into the network and the
only delay is how often the supplier retrieves messages from the
system. Orders can be in the supplier's system within a day, or if there
is urgency the messages can be retrieved more frequently, for example
every hour.
Cost Cutting
The use of EDI can cut costs. These include the costs of stationery
and postage, but these will probably be fully matched by the costs of
running the EDI service. The principal saving from the use of EDI is
the potential to save staff costs. The obvious example of this is that if
the orders are directly input to the system there is no need for an order
entry clerk. Note also that seasonal peaks, staff holidays, etc. no longer
create a backlog in the order entry area. The cost savings need to be
offset against the system development and network costs.
Elimination of Errors
Keying any information into a computer system is a source of errors
and keying paper orders into the order processing system is no
exception. EDI eliminates this source of errors. On the down side,
there is no order entry clerk who might have spotted errors made by
the customer – the customer will get what the customer asked for.
Fast Response
With paper orders it would be several days before the customer was
informed of any supply difficulty, such as the product being out of
stock, with an alternative product to be ordered or an alternative
supplier to be used.
Accurate Invoicing
Just like orders, invoices can be sent electronically. EDI invoices have
similar advantages to EDI orders in saved time and avoided errors.
However, the major advantage in EDI invoices is that they can be
automatically matched against the original order and cleared for
payment without the sort of queries that arise when paper invoices are
matched to orders.
EDI Payment
Payment can also be made by EDI. The EDI payment system can also
generate an EDI payment advice that can be electronically matched
against the relevant invoices, again avoiding query and delay.
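The two automated matches described above (invoice against original order, payment advice against the invoices it settles) as an added example; this is not code from the course text, and the record layout, the 1% price tolerance and every sample document are constructed for illustration rather than taken from a real EDI standard.

```python
# Added example, not part of the course text: automatic matching of EDI
# invoices against the original purchase orders (Accurate Invoicing) and of
# an EDI payment advice against the invoices it settles (EDI Payment).
# Record layout, 1% price tolerance and sample documents are constructed;
# real EDI messages use EDIFACT or ANSI X12, which this does not parse.
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    product: str       # product code as it appears on both documents
    qty: int           # quantity ordered / quantity invoiced
    unit_price: float  # agreed price on the order, charged price on the invoice


@dataclass
class Order:
    order_no: str
    lines: list


@dataclass
class Invoice:
    invoice_no: str
    order_no: str      # the order this invoice claims to settle
    lines: list
    total: float       # total as stated by the supplier


PRICE_TOLERANCE = 0.01   # constructed: allow 1% deviation for rounding


def match_invoice(invoice, orders):
    """Return the list of discrepancies; an empty list means 'cleared for payment'.

    Each check stands in for a query a clerk would raise on paper: unknown order
    reference, a line never ordered, over-delivery, price deviation, or a stated
    total that does not add up. Nothing clears while any check fails."""
    order = orders.get(invoice.order_no)
    if order is None:
        return [f"{invoice.invoice_no}: unknown order {invoice.order_no}"]
    problems = []
    ordered = {line.product: line for line in order.lines}
    for inv in invoice.lines:
        ord_line = ordered.get(inv.product)
        if ord_line is None:
            problems.append(f"{invoice.invoice_no}: {inv.product} not on {order.order_no}")
            continue
        if inv.qty > ord_line.qty:
            problems.append(f"{invoice.invoice_no}: {inv.product} qty {inv.qty} exceeds ordered {ord_line.qty}")
        if abs(inv.unit_price - ord_line.unit_price) > PRICE_TOLERANCE * ord_line.unit_price:
            problems.append(f"{invoice.invoice_no}: {inv.product} price {inv.unit_price} differs from agreed {ord_line.unit_price}")
    computed = round(sum(inv.qty * inv.unit_price for inv in invoice.lines), 2)
    if abs(computed - invoice.total) > 0.005:
        problems.append(f"{invoice.invoice_no}: stated total {invoice.total} != computed {computed}")
    return problems


def match_payment_advice(advice, invoices):
    """Match an advice {'amount': float, 'invoices': [...]} to the invoices it cites.

    Returns discrepancies; empty means the payment can be posted against them."""
    problems = []
    expected = 0.0
    for no in advice["invoices"]:
        inv = invoices.get(no)
        if inv is None:
            problems.append(f"payment advice cites unknown invoice {no}")
            continue
        expected += inv.total
    if not problems and abs(round(expected, 2) - advice["amount"]) > 0.005:
        problems.append(f"paid {advice['amount']:.2f} but invoices total {expected:.2f}")
    return problems


# Constructed sample documents: one purchase order, three invoices, one advice.
ORDERS = {
    "PO-1001": Order("PO-1001", [Line("SKU-A", 100, 2.50), Line("SKU-B", 40, 10.00)]),
}
INVOICES = {
    # matches the order exactly: should clear
    "INV-501": Invoice("INV-501", "PO-1001",
                       [Line("SKU-A", 100, 2.50), Line("SKU-B", 40, 10.00)], 650.00),
    # over-delivers SKU-A and bills an item never ordered: two queries
    "INV-502": Invoice("INV-502", "PO-1001",
                       [Line("SKU-A", 120, 2.50), Line("SKU-C", 5, 3.00)], 315.00),
    # references an order the customer never placed: rejected outright
    "INV-503": Invoice("INV-503", "PO-9999", [Line("SKU-A", 10, 2.50)], 25.00),
}
ADVICE_OK = {"amount": 650.00, "invoices": ["INV-501"]}

if __name__ == "__main__":
    for inv in INVOICES.values():
        issues = match_invoice(inv, ORDERS)
        print(inv.invoice_no, "cleared" if not issues else issues)
    print("advice:", match_payment_advice(ADVICE_OK, INVOICES) or "posted")
```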

Indirect advantages of the use of EDI can be:


Reduced Stock Holding
The ability to order regularly and quickly reduces the amount of
goods that need to be kept in a store room or warehouse at the shop or
the factory. For many JIT manufacture and quick response supply
systems stockholding is eliminated altogether, with goods being
delivered only as they are needed. Reduced stock holding cuts the
cost of warehousing, the double handling of goods (into store and then
out again to the factory or shop) and the capital requirement to pay
for the goods that are just sitting in store.
Cash Flow
Speeding up the trade cycle by getting invoices out quickly, and
directly matched to the corresponding orders and deliveries, can
and should speed up payments and hence improve cash flow.
Elimination of most invoice queries can be particularly significant
in reducing delays in payments.
Business Opportunities
There is a steady increase in the number of customers, particularly
large, powerful customers, that will only trade with suppliers that
do business via EDI. Supermarkets and vehicle assemblers are
prime examples. Being ready and able to trade electronically can be
an advantage when competing for new business.
Customer Lock-in
An established EDI system should be of considerable advantage
to both customer and supplier. Switching to a new supplier
requires that the electronic trading system and trading relationship
be redeveloped, a problem to be avoided if a switch of supplier is
not essential.
To gain these advantages EDI has to be seen as an investment:
there are costs up front and the payback is longer term. The costs are
the set-up of the EDI system (hardware, software and network)
and the time required to establish agreements with trading partners.
The savings only start when there is a significant volume of
business transacted using EDI, a point that is called the 'critical
mass' in the jargon of EDI.

Summary:
Electronic Commerce (e-Commerce) is a general concept
covering any form of business transaction or information
exchange executed using information and communication
technologies (ICTs).
E-Commerce takes place between companies, between
companies and their customers, or between companies and
public administrations.
Electronic Commerce includes electronic trading of goods,
services and electronic material.
An electronic market is the use of information and
communications technology to present a range of offerings
available in a market segment so that the purchaser can
compare the prices (and other attributes) of the offerings
and make a purchase decision.
EDI provides a standardized system for coding trade
transactions so that they can be communicated directly from
one computer system to another without the need for
printed orders and invoices and the delays and errors implicit
in paper handling.
Information and communications technologies can also be
used to advertise and make once-off sales of a wide range of
goods and services. This type of e-Commerce is typified by
the commercial use of the Internet.

· Introduction
· Categories of E commerce
· Benefits and limitations of E Commerce
· Comparison between Traditional Commerce and Ecommerce
· Summary

Objectives

Describe the categories of E commerce


Describe the benefits and limitations of E Commerce
In the previous lecture we divided the applications of E commerce
into three categories; today we will categorize E commerce
according to the parties involved in the business.
· Business-to-business (B2B). Most of EC today is of this
type. It includes the EDI transactions described earlier and
electronic market transactions between organizations.
· Business-to-consumer (B2C). These are retailing
transactions with individual shoppers. The typical shopper at
Amazon.com is a consumer, or customer.
· Consumer-to-consumer (C2C). In this category consumers
sell directly to consumers. Examples are individuals selling
in classified ads (e.g., www.classified2000.com) and selling
residential property, cars, and so on. Advertising personal
services on the Internet and selling knowledge and expertise
is another example of C2C. Several auction sites allow
individuals to put items up for auction. Finally, many
individuals are using intranets and other organizational
internal networks to advertise items for sale or services.
· Consumer-to-business (C2B). This category includes
individuals who sell products or services to organizations, as
well as individuals who seek sellers, interact with them, and
conclude a transaction.
· Nonbusiness EC. An increased number of nonbusiness
institutions such as academic institutions, not-for-profit
organizations, religious organizations, social organizations,
and government agencies are using various types of EC to
reduce their expenses (e.g., improve purchasing) or to
improve their operations and customer service. (Note that in
the previous categories one can usually replace the word
business with organization.)
· Intrabusiness (organizational) EC. In this category we
include all internal organizational activities, usually
performed on intranets, that involve exchange of goods,
services or information. Activities can range from selling
corporate products to employees to online training and cost
reduction activities.
Everything has its pros and cons, and the same is true of E Commerce;
let's have a look.
Benefits and Limitations
The Benefits of EC
Few innovations in human history encompass as many potential
benefits as EC does. The global nature of the technology, low
cost, opportunity to reach hundreds of millions of people
(projected within 10 years), interactive nature, variety of
possibilities, and resourcefulness and rapid growth of the
supporting infrastructures (especially the Web) result in many
potential benefits to organizations, individuals, and society. These
benefits are just starting to materialize, but they will increase
significantly as EC expands.

Benefits to Organizations
The benefits to organizations are as follows:
· Electronic commerce expands the marketplace to national
and international markets. With minimal capital outlay, a
company can easily and quickly locate more customers, the
best suppliers, and the most suitable business partners
worldwide. For example, in 1997, Boeing Corporation
reported a savings of 20 percent after a request for a proposal
to manufacture a subsystem was posted on the Internet. A
small vendor in Hungary answered the request and won the
electronic bid. Not only was the subsystem cheaper, but it
was delivered quickly.
· Electronic commerce decreases the cost of creating, processing,
distributing, storing, and retrieving paper-based information. For
example, by introducing an electronic procurement system,
companies can cut the purchasing administrative costs by as much as
85 percent. Another example is benefit payments. For the U.S. federal
government, the cost of issuing a paper check is 43¢. The
cost of electronic payment is 2¢.
· Ability to create highly specialized businesses. For example, dog
toys, which can be purchased only in pet shops or department and
discount stores in the physical world, are now sold in a specialized
store, www.dogtoys.com (also see www.cattoys.com).
· Electronic commerce allows reduced inventories and
overhead by facilitating "pull"-type supply chain
management. In a pull-type system the process starts from
customer orders and uses just-in-time manufacturing.
· The pull-type processing enables expensive customization
of products and services, which provides competitive
advantage to its implementers. A classic example is Dell
Computer Corp., whose case will be described later.
· Electronic commerce reduces the time between the outlay of
capital and the receipt of products and services.
· Electronic commerce initiates business process
reengineering projects. By changing processes, productivity
of salespeople, knowledge workers, and administrators can
increase by 100 percent or more.
· Electronic commerce lowers telecommunications cost: the
Internet is much cheaper than VANs.
· Other benefits include improved image, improved customer
service, newfound business partners, simplified processes,
compressed cycle and delivery time, increased productivity,
eliminating paper, expediting access to information, reduced
transportation costs, and increased flexibility.
Benefits to Consumers
The benefits of EC to consumers are as follows:
· Electronic commerce enables customers to shop or do other
transactions 24 hours a day, all year round, from almost any
location.
· Electronic commerce provides customers with more choices;
they can select from many vendors and products.
· Electronic commerce frequently provides customers with less
expensive products and services by allowing them to shop in many
places and conduct quick comparisons.
· In some cases, especially with digitized products, EC allows
quick delivery.
· Customers can receive relevant and detailed information in
seconds, rather than days or weeks.
· Electronic commerce makes it possible to participate in
virtual auctions.
· Electronic commerce allows customers to interact with other
customers in electronic communities and exchange ideas as
well as compare experiences.
· Electronic commerce facilitates competition, which results in
substantial discounts.
Benefits to Society
The benefits of EC to society are as follows:
· Electronic commerce enables more individuals to work at
home and to do less traveling for shopping, resulting in less
traffic on the roads and lower air pollution.
· Electronic commerce allows some merchandise to be sold at
lower prices, so less affluent people can buy more and
increase their standard of living.
· Electronic commerce enables people in Third World
countries and rural areas to enjoy products and services that
otherwise are not available to them. This includes
opportunities to learn professions and earn college degrees.
· Electronic commerce facilitates delivery of public services,
such as health care, education, and distribution of
government social services at a reduced cost and/or
improved quality. Health-care services, for example, can reach
patients in rural areas.

The limitations of EC can be grouped into technical and
nontechnical categories.
Technical Limitations of EC
The technical limitations of EC are as follows:
· There is a lack of system security, reliability, standards, and
some communication protocols.
· There is insufficient telecommunication bandwidth.
· The software development tools are still evolving and
changing rapidly.
· It is difficult to integrate the Internet and EC software with
some existing applications and databases.
· Vendors may need special Web servers and other
infrastructures, in addition to the network servers.
· Some EC software might not fit with some hardware, or
may be incompatible with some operating systems or other
components.
As time passes, these limitations will lessen or be overcome;
appropriate planning can minimize their impact.
NonTechnical Limitations
Of the many nontechnical limitations that slow the spread of
EC, the following are the major ones.
Cost and justification. The cost of developing EC in-house
can be very high, and mistakes due to lack of experience may
result in delays. There are many opportunities for
outsourcing, but where and how to do it is not a simple
issue. Furthermore, to justify the system one must deal with
some intangible benefits (such as improved customer service
and the value of advertisement), which are difficult to
quantify.
Security and privacy. These issues are especially important in
the B2C area, especially security issues, which are perceived to
be more serious than they really are when appropriate
encryption is used. Privacy measures are constantly improved.
Yet the customers perceive these issues as very important,
and the EC industry has a very long and difficult task of
convincing customers that online transactions and privacy
are, in fact, very secure.
Lack of trust and user resistance. Customers do not trust an
unknown faceless seller (sometimes they do not trust even
known ones), paperless transactions, and electronic money.
So switching from physical to virtual stores may be difficult.
Other limiting factors.
· Lack of touch and feel online. Some customers like to touch
items such as clothes and like to know exactly what they are buying.
· Many legal issues are as yet unresolved, and government
regulations and standards are not refined enough for many
circumstances.
· Electronic commerce, as a discipline, is still evolving and
changing rapidly. Many people are looking for a stable area
before they enter into it.
· There are not enough support services. For example,
copyright clearance centers for EC transactions do not exist,
and high-quality evaluators, or qualified EC tax experts, are
rare.
· In most applications there are not yet enough sellers and
buyers for profitable
· Electronic commerce could result in a breakdown of human
relationships.
· Accessibility to the Internet is still expensive and/or
inconvenient for many potential customers. (With Web TV,
cell telephone access, kiosks, and constant media attention,
the critical mass will eventually develop.)
Despite these limitations, rapid progress in EC is taking place. For
example, the number of people in the United States who buy and
sell stocks electronically increased from 300,000 at the beginning
of 1996 to about 10 million in fall 1999. As experience accumulates
and technology improves, the ratio of EC benefits to costs will
increase, resulting in a greater rate of EC adoption. The potential
benefits may not be convincing enough reasons to start EC activities
Summary:
· We can categorize E commerce according to the parties
involved in the business, such as B2B, B2C, C2C and C2B.
· The benefits of E Commerce to organizations include
expansion of the marketplace to national and international
markets, decreases in the cost of creating, processing,
distributing, storing, and retrieving paper-based
information, and reduction in inventories.
· E commerce enables customers to shop or do other
transactions 24 hours a day and provides customers with
more choices.
· Electronic commerce facilitates delivery of public services,
such as health care, education, and distribution of
government social services at a reduced cost and/or
improved quality.
· Limitations of E Commerce can be technical, like lack of
system security, reliability, standards, and some
communication protocols, and non-technical, like
the cost involved in developing in-house E Commerce and the
security of data.

UNIT – II

COMPUTER NETWORK

A computer network is an interconnection of various computer systems
located at different places. In a computer network two or more computers are
linked together with a medium and data communication devices for the
purpose of communicating data and sharing resources. The computer that
provides resources to other computers on a network is known as the server. In
the network the individual computers, which access shared network
resources, are known as workstations or nodes.

Computer Networks may be classified on the basis of geographical area into
two broad categories.

1. Local Area Network (LAN)

2. Wide Area Network (WAN)

Local Area Network

Networks used to interconnect computers in a single room, rooms within a
building or buildings on one site are called Local Area Networks (LAN). A LAN
transmits data at a speed of several megabits per second (10^6 bits per
second). The transmission medium is normally coaxial cable.

A LAN links computers, i.e., software and hardware, in the same area for the
purpose of sharing information. Usually a LAN links computers within a limited
geographical area because they must be connected by a cable, which is quite
expensive. People working on a LAN get more capabilities in data processing,
word processing and other information exchange compared to stand-alone
computers. Because of this information exchange most business and
government organisations are using LANs.

Major Characteristics of LAN

· Every computer has the potential to communicate with any other
computer on the network
· High degree of interconnection between computers
· Easy physical connection of computers in a network
· Inexpensive medium of data transmission
· High data transmission rate

Advantages

· The reliability of the network is high because the failure of one
computer in the network does not affect the functioning of other computers.
· Addition of a new computer to the network is easy.
· High rate of data transmission is possible.
· Peripheral devices like magnetic disks and printers can be shared by other
computers.

Disadvantages

· If the communication line fails, the entire network system breaks down.

Use of LAN

The following are the major areas where LAN is normally used:

· File transfers and access
· Word and text processing
· Electronic message handling
· Remote database access
· Personal computing
· Digital voice transmission and storage

Wide Area Network


The term Wide Area Network (WAN) is used to describe a computer network
spanning a regional, national or global area. For example, for a large company
the headquarters might be at Delhi and regional branches at Bombay, Madras,
Bangalore and Calcutta. Here regional centers are connected to headquarters
through a WAN. The distance between computers connected to a WAN is larger.
Therefore the transmission media used are normally telephone lines,
microwaves and satellite links.

Characteristics of WAN

The following are the major characteristics of WAN.

1. Communication Facility: For a big company spanning different parts
of the country, employees can save on long-distance phone calls, and it
overcomes the time lag in overseas communications. Computer conferencing
is another use of WAN, where users communicate with each other through
their computer systems.
2. Remote Data Entry: Remote data entry is possible in a WAN. It means that,
sitting at any location, you can enter data, update data and query other
information on any computer attached to the WAN but located in other cities.
For example, suppose you are sitting at Madras and want to see some data on
a computer located at Delhi; you can do it through the WAN.
3. Centralised Information: In a modern computerised environment you will
find that big organisations go for centralised data storage. This means that if the
organisation is spread over many cities, they keep their important business
data in a single place. As the data are generated at different sites, a WAN
permits collection of this data from the different sites and saves it at a single site.

Examples of WAN
1. Ethernet: Ethernet, developed by Xerox Corporation, is a famous example of
WAN. This network uses coaxial cables for data transmission. Special
integrated circuit chips called controllers are used to connect equipment to
the cable.
2. ARPANET: The ARPANET is another example of WAN. It was developed at the
Advanced Research Projects Agency of the U.S. Department. This network
connects more than 40 universities and institutions throughout the USA and
Europe.

Difference between LAN and WAN

1. LAN is restricted to a limited geographical area of a few kilometers. But
WAN covers great distances and operates nationwide or even worldwide.

2. In LAN, the computer terminals and peripheral devices are
connected with wires and coaxial cables. In WAN there is no physical
connection. Communication is done through telephone lines and satellite links.

3. Cost of data transmission in LAN is less because the transmission
medium is owned by a single organisation. In case of WAN the cost of data
transmission is very high because the transmission media used are hired,
either telephone lines or satellite links.
INTERNET

The Internet is a network of networks. Millions of computers all over the
world are connected through the Internet. Computer users on the Internet can
contact one another anywhere in the world. If your computer is connected to
the Internet, you can connect to millions of computers. You can gather
information and distribute your data. It is very much similar to the telephone
connection where you can talk with any person anywhere in the world.

On the Internet a huge resource of information is accessible to people across the
world. Information in every field starting from education, science, health,
medicine, history, and geography to business, news, etc. can be retrieved
through the Internet. You can also download programs and software packages
from anywhere in the world. Due to the tremendous information resources the
Internet can provide, it is now indispensable to every organisation.

Origin of Internet

In 1969 the Department of Defence (DOD) of the USA started a network called
ARPANET (Advanced Research Projects Administration Network) with one
computer at California and three at Utah. Later on other universities and R & D
institutions were allowed to connect to the network. ARPANET quickly grew
to encompass the entire American continent and became a huge success. Every
university in the country wanted to become a part of ARPANET. So the
network was broken into two smaller parts: MILNET for managing military sites
and ARPANET (smaller) for managing non-military sites. Around 1980,
NSFNET (National Science Foundation Network) was created. With the
advancement of modern communication facilities, other computers were also
allowed to be linked up with any computer of NSFNET. By 1990 many
computers were linked up to NSFNET, giving birth to the Internet.

How Internet functions

The Internet is not a governmental organisation. The ultimate authority of the
Internet is the Internet Society. This is a voluntary membership organisation
whose purpose is to promote global information exchange. The Internet has more
than one million computers attached to it.

E-mail

E-mail stands for electronic mail. This is one of the most widely used features
of the Internet. Postal mail is regularly used today: with the help of a postage stamp
we can send letters anywhere in the world. With electronic mail the service is
similar. But here data are transmitted through the Internet, and therefore within
minutes the message reaches the destination, be it anywhere in the world.
Therefore the mailing system is extremely fast and is being used widely for
mail transfer.

UNIT -III

Topic:
Introduction
Types of Electronic Payment Systems
Types of digital tokens
Discuss E-Cash
Summary

Objectives
Understand what is an Electronic Payment System
Describe e-cash as one of the Electronic Payment Systems
All of you might have heard the term "Electronic Payment". As
the name suggests, it means making payments electronically,
i.e. through computer and telecommunication components.
Let's discuss this in more detail.
Types of Electronic Payment Systems
Electronic payment systems are proliferating in banking, retail,
health care, on-line markets, and even government-in fact, anywhere
money needs to change hands. Organizations are motivated by
the need to deliver products and services more cost effectively and
to provide a higher quality of service to customers. This section
will briefly describe the pertinent developments in various
industries to provide an overall picture of electronic payment
systems of the past and present.
Research into electronic payment systems for consumers can be
traced back to the 1940s, and the first applications, credit
cards, appeared soon after. In the early 1970s, the emerging electronic
payment technology was labeled electronic funds transfer (EFT).
EFT is defined as “any transfer of funds initiated through an
electronic terminal, telephonic instrument, or computer or magnetic
tape so as to order, instruct, or authorize a financial institution to
debit or credit an account.” EFT utilizes computer and
telecommunication components both to supply and to transfer
money or financial assets.
Transfer is information-based and intangible. Thus EFT stands
in marked contrast to conventional money and payment modes
that rely on physical delivery of cash or checks (or other paper
orders to pay) by truck, train, or airplane. Work on EFT can be
segmented into three broad categories:
Banking and Financial Payments
· Large-scale or wholesale payments (e.g., bank-to-bank transfer)
· Small-scale or retail payments (e.g., automated teller machines and cash dispensers)
· Home banking (e.g., bill payment)
Retailing Payments
· Credit cards (e.g., VISA or MasterCard)
· Private label credit/debit cards (e.g., J.C. Penney Card)
· Charge cards (e.g., American Express)
On-line electronic commerce payments
· Token-based payment systems
  Electronic cash (e.g., DigiCash)
  Electronic checks (e.g., NetCheque)
  Smart cards or debit cards (e.g., Mondex Electronic Currency Card)
· Credit card-based payment systems
  Encrypted credit cards (e.g., World Wide Web form-based encryption)
  Third-party authorization numbers (e.g., First Virtual)

Period        Innovation
700 BC        Earliest coins produced in western Turkey to pay mercenaries or taxes.
1400          First banks open, in Italy and Catalonia, honoring checks against cash reserves.
1694          The Bank of England opens, creating deposits on the principle that not all deposit receipts will be presented for redemption simultaneously. The bank monopolizes the issuing of bank notes.
1865          A sample of payments into British banks shows that 97 percent are made by check.
1887          The phrase “credit card” is coined in Looking Backward, a novel by Edward Bellamy.
1880-1914     Heyday of the gold standard as major currencies are pegged to gold at fixed rates.
1945          Bretton Woods agreement links currencies to gold via their fixed parities with the U.S. dollar.
1947          Flatbush National Bank issues first general-purpose credit card, for use in select New York shops.
1950          Diners Club charge card introduced.
mid 1950s     The development of magnetic ink character recognition (MICR), facilitating more timely processing of checks, sealed the check’s standing as the preferred noncash payment option.
1958          BankAmerica, in Fresno, California, executes the first mass mailing of credit cards.
1967          Westminster Bank installs first automated teller machine at Victoria, London, branch.
1970          The New York Clearing House launches CHIPS, the Clearing House Interbank Payments System, which provides U.S.-dollar funds-transfer and transaction settlements on-line and in real time.
late 1970s    Chemical Bank launches its Pronto system, providing 3000 computer terminals to customers’ homes linked to its central computers by telephone. It offers a range of facilities: balance inquiries, money transfers between Chemical Bank accounts, and bill payments to selected local stores. The stumbling block for first-generation home banking systems in general was who is to pay for the terminals at home.
1985          Electronic data interchange (EDI) extensively used in bank-to-bank payment systems.
1994          Digital cash trials by DigiCash of Holland conducted on-line.
1995          Mondex electronic currency trials begin in Swindon, England.
Let’s discuss the various types of electronic payment systems.
First we will have a look at “electronic tokens”.
Digital Token-Based Electronic Payment Systems
None of the banking or retailing payment methods are completely
adequate in their present form for the consumer-oriented e-commerce
environment. Their deficiency is their assumption that
the parties will at some time or other be in each other’s physical
presence or that there will be a sufficient delay in the payment
process for frauds, overdrafts, and other undesirables to be
identified and corrected. These assumptions may not hold for
e-commerce, and so many of these payment mechanisms are being
modified and adapted for the conduct of business over networks.
Entirely new forms of financial instruments are also being
developed. One such new financial instrument is “electronic
tokens” in the form of electronic cash/money or checks.
Electronic tokens are designed as electronic analogs of various
forms of payment backed by a bank or financial institution. Simply
stated, electronic tokens are equivalent to cash that is backed by a
bank.
Electronic Tokens are of Three Types:
1. Cash or real-time. Transactions are settled with the
exchange of electronic currency. An example of on-line
currency exchange is electronic cash (e-cash).
2. Debit or prepaid. Users pay in advance for the privilege of
getting information. Examples of prepaid payment
mechanisms are stored in smart cards and electronic purses
that store electronic money.
3. Credit or postpaid. The server authenticates the customers
and verifies with the bank that funds are adequate before
purchase. Examples of postpaid mechanisms are credit/
debit cards and electronic checks.
The following sections examine these methods of on-line
payment. But we must first understand the different viewpoints
that these payment instruments bring to electronic commerce.
Here are four dimensions that are useful for analyzing the different
initiatives.
1. The nature of the transaction for which the instrument is
designed. Some tokens are specifically designed to handle
micro payments, that is, payments for small snippets of
information. Others are designed for more traditional
products. Some systems target specific niche transactions;
others seek more general transactions. The key is to identify
the parties involved, the average amounts, and the purchase
interaction.
2. The means of settlement used. Tokens must be backed by
cash, credit, electronic bill payments (prearranged and
spontaneous), cashier’s checks, IOUs, letters and lines of
credit, and wire transfers, to name a few. Each option incurs
trade-offs among transaction speed, risk, and cost. Most
transaction settlement methods use credit cards, while
others use other proxies for value, effectively creating
currencies of dubious liquidity and with interesting tax, risk,
and float implications.
3. Approach to security, anonymity, and authentication.
Electronic tokens vary in the protection of privacy and
confidentiality of the transactions. Some may be more open
to potentially prying eyes, or even to the participants
themselves. Encryption can help with authentication,
nonrepudiability, and asset management.
4. The question of risk. Who assumes what kind of risk at
what time? The tokens might suddenly become worthless
and the customers might have the currency that nobody will
accept. If the system stores value in a smart card, consumers
may be exposed to risk as they hold static assets. Also
electronic tokens might be subject to discounting or
arbitrage. Risk also arises if the transaction has long lag times
between product delivery and payments to merchants. This
exposes merchants to the risk that buyers don’t pay, or vice
versa that the vendor doesn’t deliver.
Let’s discuss electronic cash (e-cash), which is a new concept in
online payment systems because it combines computerized convenience
with security and privacy that improve on paper cash. Its versatility
opens up a host of new markets and applications. E-cash presents some
interesting characteristics that should make it an attractive alternative
for payment over the Internet.
Electronic Cash (E-cash)
E-cash focuses on replacing cash as the principal payment vehicle
in consumer-oriented electronic payments. Although it may be
surprising to some, cash is still the most prevalent consumer
payment instrument even after thirty years of continuous
developments in electronic payment systems.
Cash remains the dominant form of payment for three
reasons:
(1) lack of trust in the banking system,
(2) inefficient clearing and settlement of non-cash transactions,
and
(3) negative real interest rates paid on bank deposits.
These reasons seem like issues seen primarily in developing
countries. Not true. Even in the most industrialized countries,
the ratio of notes and coins in circulation per capita is quite large
and is estimated to range from $446 to $2748. Consider the
situation in two of the most industrialized nations in the world: the
United States and the United Kingdom. In the United States,
there supposedly was about $300 billion of notes and coins in
circulation in 1992. Interestingly, this number is not shrinking
but growing at approximately 8 percent per year. Deposits by
check are growing by only 6 percent per year. It has been reported
that in the United Kingdom about a quarter of all “spontaneous”
payments over 100 pounds sterling are still made with cash. For
payments under five pounds sterling, the percentage is 98 percent.
The predominance of cash indicates an opportunity for innovative
business practice that revamps the purchasing process where
consumers are heavy users of cash. To really displace cash, the
electronic payment systems need to have some qualities of cash
that current credit and debit cards lack. For example, cash is
negotiable, meaning it can be given or traded to someone else.
Cash is legal tender, meaning the payee is obligated to take it. Cash
is a bearer instrument, meaning that possession is prima facie
proof of ownership. Also, cash can be held and used by anyone,
even those who don’t have a bank account, and cash places no risk
on the part of the acceptor that the medium of exchange may not
be good.
Now compare cash to credit and debit cards. First, they can’t be
given away because, technically, they are identification cards owned
by the issuer and restricted to one user. Credit and debit cards are
not legal tender, given that merchants have the right to refuse to
accept them. Nor are credit and debit cards bearer instruments;
their usage requires an account relationship and authorization
system. Similarly, checks require either personal
knowledge of the payer or a check guarantee system. Hence, to
really create a novel electronic payment method, we need to do
more than recreate the convenience that is offered by credit and
debit cards. We need to develop e-cash that has some of the
properties of cash.
Properties of Electronic Cash
Of the many ways that exist for implementing an e-cash system,
all must incorporate a few common features. Specifically, e-cash
must have the following four properties: monetary value,
interoperability, irretrievability, and security.
E-cash must have a monetary value; it must be backed by cash
(currency), bank-authorized credit, or a bank-certified cashier’s
check. When e-cash created by one bank is accepted by others,
reconciliation must occur without any problems. Stated another
way, e-cash without proper bank certification carries the risk that
when deposited, it might be returned for insufficient funds.
E-cash must be interoperable-that is, exchangeable as payment
for other e-cash, paper cash, goods or services, lines of credit,
deposits in banking accounts, bank notes or obligations, electronic
benefits transfers, and the like. Most e-cash proposals use a single
bank. In practice, multiple banks are required with an international
clearinghouse that handles the exchangeability issues because all
customers are not going to be using the same bank or even be in
the same country.
E-cash must be storable and retrievable. Remote storage and
retrieval (e.g., from a telephone or personal communications
device) would allow users to exchange e-cash (e.g., withdraw from
and deposit into banking accounts) from home or office or while
traveling. The cash could be stored on a remote computer’s memory,
in smart cards, or in other easily transported standard or
special-purpose devices. Because it might be easy to create
counterfeit cash that is stored in a computer, it might be preferable
to store cash on a dedicated device that cannot be altered. This
device should have a suitable interface to facilitate personal
authentication using passwords or other means and a display so
that the user can view the card’s contents. One example of a device
that can store e-cash is the Mondex card, a pocket-sized electronic
wallet.
E-cash should not be easy to copy or tamper with while being
exchanged; this includes preventing or detecting duplication and
double-spending. Counterfeiting poses a particular problem, since
a counterfeiter may, in the Internet environment, be anywhere in
the world and consequently be difficult to catch without
appropriate international agreements.
Detection is essential in order to audit whether prevention is
working. Then there is the tricky issue of double spending. For
instance, you could use your e-cash simultaneously to buy
something in Japan, India, and England. Preventing double
spending from occurring is extremely difficult if multiple banks
are involved in the transaction. For this reason, most systems rely
on post-fact detection and punishment. Now we will see how the
concept of electronic cash actually works.
Electronic Cash in Action
Electronic cash is based on cryptographic systems called “digital
signatures”. This method involves a pair of numeric keys (very
large integers) that work in tandem: one for locking
(or encoding) and the other for unlocking (or decoding). Messages
encoded with one numeric key can only be decoded with the other
numeric key and none other. The encoding key is kept private and
the decoding key is made public. By supplying all customers (buyers
and sellers) with its public key, a bank enables customers to decode
any message (or currency) encoded with the bank’s private key. If
decoding by a customer yields a recognizable message, the
customer can be fairly confident that only the bank could have
encoded it. These digital signatures are as secure as the mathematics
involved and have proved over the past two decades to be more
resistant to forgery than handwritten signatures. Before e-cash can
be used to buy products or services, it must be procured from a
currency server.
Purchasing E-cash from Currency Servers
The purchase of e-cash from an on-line currency server (or bank)
involves two steps:
(1) establishment of an account and
(2) maintaining enough money in the account to back the
purchase.
Some customers might prefer to purchase e-cash with paper
currency, either to maintain anonymity or because they don’t have
a bank account. Currently, in most e-cash trials all customers must
have an account with a central on-line bank. This is overly restrictive
for international use and multi-currency transactions, for customers
should be able to access and pay for foreign services as well as local
services. To support this access, e-cash must be available in multiple
currencies backed by several banks. A service provider in one country
could then accept tokens of various currencies from users in many
different countries, redeem them with their issuers, and have the
funds transferred back to banks in the local country. A possible
solution is to use an association of digital banks similar to
organizations like VISA to serve as a clearinghouse for many
credit card issuing banks.
And finally, consumers use the e-cash software on the computer
to generate a random number, which serves as the “note.” In
exchange for money debited from the customer’s account, the
bank uses its private key to digitally sign the note for the amount
requested and transmits the note back to the customer. The network
currency server, in effect, is issuing a “bank note,” with a serial
number and a dollar amount. By digitally signing it, the bank is
committing itself to back that note with its face value in real
dollars. This method of note generation is very secure, as neither
the customer (payer) nor the merchant (payee) can counterfeit the
bank’s digital signature (analogous to the watermark in paper
currency). Payer and payee can verify that the payment is valid, since
each knows the bank’s public key. The bank is protected against
forgery, the payee against the bank’s refusal to honor a legitimate
note, and the user against false accusations and invasion of privacy.
How does this Process Work in Practice?
In the case of DigiCash, every person using e-cash has an e-cash
account at a digital bank (First Digital Bank) on the Internet.
Using that account, people can withdraw and deposit e-cash. When
an e-cash withdrawal is made, the PC of the e-cash user calculates
how many digital coins of what denominations are needed to
withdraw the requested amount. Next, random serial numbers
for those coins will be generated and the blinding (random
number) factor will be included. The result of these calculations
will be sent to the digital bank. The bank will encode the blinded
numbers with its secret key (digital signature) and at the same
time debit the account of the client for the same amount. The
authenticated coins are sent back to the user and finally the user
will take out the blinding factor that he or she introduced earlier.
The serial numbers plus their signatures are now digital coins;
their value is guaranteed by the bank. Electronic cash can be
completely anonymous. Anonymity allows freedom of usage, whether
to buy illegal products such as drugs or pornographic material or
to buy legal products and services. This is accomplished in the
following manner. When the e-cash software generates a note, it
masks the original number or “blinds” the note using a random
number and transmits it to a bank. The “blinding” carried out by
the customer’s software makes it impossible for anyone to link
payment to payer. Even the bank can’t connect the signing with
the payment, since the customer’s original note number was
blinded when it was signed. In other words, it is a way of creating
anonymous, untraceable currency. What makes it even more
interesting is that users can prove unequivocally that they did or
did not make a particular payment. This allows the bank to sign
the “note” without ever actually knowing how the issued currency
will be used. For those readers who are mathematically inclined,
the protocol behind blind signatures is presented below.
The customer’s software chooses a blinding factor, $R$,
independently and uniformly at random and presents the bank
with $X R^{E} \pmod{PQ}$, where $X$ is the note number to be signed
and $E$ is the bank’s public key.
1. The bank signs it: $(X R^{E})^{D} = R X^{D} \pmod{PQ}$, since
$R^{ED} \equiv R \pmod{PQ}$. $D$ is the bank’s private key.
2. On receiving the currency, the customer divides out the
blinding factor: $(R X^{D}) / R = X^{D} \pmod{PQ}$.
3. The customer stores $X^{D}$, the signed note that is used to pay
for the purchase of products or services. Since $R$ is random,
the bank cannot determine $X$ and thus cannot connect the
signing with the subsequent payment. While blinding works
in theory, it remains to be seen how it will be used in the real
business world.
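A working model of the signature and blind-signature steps just described, written in the text’s own symbols (X, R, E, D, PQ); this is an added example and is not part of the original text or DigiCash’s own software. The deposit step also shows the post-fact double-spending check against a database of spent notes that the text says most systems rely on. The toy RSA key (P = 61, Q = 53, E = 17, D = 2753), the account names and the one-unit coin value are constructed assumptions; a real currency server would sign a hash of the note with a 2048-bit key.

```python
"""Toy blind-signature e-cash: customer, currency server (bank), and payee checks."""
from __future__ import annotations

import secrets
from math import gcd

# Constructed toy bank key pair (NOT real parameters): PQ = 61 * 53,
# with E * D = 1 mod (P-1)(Q-1), so (M^E)^D = M mod PQ for every note M.
P, Q = 61, 53
PQ = P * Q      # public modulus
E = 17          # bank's public ("decoding") key: anyone may hold it
D = 2753        # bank's private ("encoding"/signing) key: never leaves the bank


def random_unit(n: int) -> int:
    """Uniform random R in [2, n) with gcd(R, n) = 1, so that R can be divided out later."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if gcd(r, n) == 1:
            return r


# ---- customer side -------------------------------------------------------
def blind(x: int, r: int, e: int = E, n: int = PQ) -> int:
    """Present the bank with X * R^E (mod PQ); R hides the note number X."""
    return (x * pow(r, e, n)) % n


def unblind(blinded_sig: int, r: int, n: int = PQ) -> int:
    """Divide out the blinding factor: (R * X^D) / R = X^D (mod PQ)."""
    return (blinded_sig * pow(r, -1, n)) % n


# ---- anyone holding the bank's public key --------------------------------
def verify(x: int, sig: int, e: int = E, n: int = PQ) -> bool:
    """Decode with the public key: sig^E must give back X, so only the bank could have signed."""
    return pow(sig, e, n) == x


# ---- bank side -----------------------------------------------------------
class CurrencyServer:
    """Signs blinded notes against the customer's balance and records spent serial numbers.

    Assumption: every note is worth one unit (real systems use one signing key per denomination).
    """

    def __init__(self, d: int = D, e: int = E, n: int = PQ) -> None:
        self._d, self._e, self._n = d, e, n
        self.accounts: dict[str, int] = {}
        self.spent: set[int] = set()     # database of spent notes for post-fact detection

    def sign_blinded(self, customer: str, blinded: int) -> int:
        """(X * R^E)^D = R * X^D (mod PQ); the bank never sees X itself."""
        if self.accounts.get(customer, 0) < 1:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= 1
        return pow(blinded, self._d, self._n)

    def deposit(self, merchant: str, note: tuple[int, int]) -> bool:
        """Trilateral step: credit the merchant only for a validly signed, never-seen serial."""
        x, sig = note
        if not verify(x, sig, self._e, self._n) or x in self.spent:
            return False                  # forged note or double spending
        self.spent.add(x)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + 1
        return True


def demo() -> dict:
    """Withdraw one coin, pay it to two merchants, and show the second deposit is refused."""
    bank = CurrencyServer()
    bank.accounts["alice"] = 2
    x = 1 + secrets.randbelow(PQ - 1)            # random serial number chosen by the customer
    r = random_unit(PQ)
    sig = unblind(bank.sign_blinded("alice", blind(x, r)), r)
    note = (x, sig)
    return {
        "payee_accepts": verify(*note),           # bilateral check with the public key
        "first_deposit": bank.deposit("merchant_jp", note),
        "second_deposit": bank.deposit("merchant_in", note),   # same note spent again
        "alice_balance": bank.accounts["alice"],
        "merchant_jp_balance": bank.accounts["merchant_jp"],
    }


if __name__ == "__main__":
    print(demo())
```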
Summary:
Electronic payment means making payments electronically i.e.
through computer and telecommunication components.
Electronic tokens are designed as electronic analogs of
various forms of payment backed by a bank or financial
institution.
Electronic tokens are of three types: Cash or real-time,
Debit or prepaid and Credit or postpaid.
Electronic cash is based on cryptographic systems called
“digital signatures”.

Topic:
Introduction
Digital currency
Limitations of E-cash
Summary

Objectives
Understand how to use e-cash
Describe the various issues that may arise in the organization
due to the use of e-cash
Let’s purchase something on the Internet using Digital Currency.
Using the Digital Currency
Once the tokens are purchased, the e-cash software on the customer’s
PC stores digital money signed by a bank. The user can
spend the digital money at any shop accepting e-cash, without
having to open an account there first or having to transmit credit
card numbers. As soon as the customer wants to make a payment,
the software collects the necessary amount from the stored tokens.
Two Types of Transactions are Possible: Bilateral and Trilateral.
Typically, transactions involving cash are bilateral or two-party
(buyer and seller) transactions, whereby the merchant checks the
veracity of the note’s digital signature by using the bank’s public
key. If satisfied with the payment, the merchant stores the digital
currency on his machine and deposits it later in the bank to redeem
the face value of the note. Transactions involving financial
instruments other than cash are usually trilateral or three-party
(buyer, seller, and bank) transactions, whereby the “notes” are
sent to the merchant, who immediately sends them directly to the
digital bank. The bank verifies the validity of these “notes” and that
they have not been spent before.
The account of the merchant is credited. In this case, every “note”
can be used only once. In many business situations, the bilateral
transaction is not feasible because of the potential for double
spending, which is equivalent to bouncing a check. Double
spending becomes possible because it is very easy to make copies
of the e-cash, forcing banks and merchants to take extra
precautions. To uncover double spending, banks must compare
the note passed to it by the merchant against a database of spent
notes. Just as paper currency is identified with a unique serial
number, digital cash can also be protected. The ability to detect
double spending has to involve some form of registration so
that all “notes” issued globally can be uniquely identified. However,
this method of matching notes with a central registry has problems
in the on-line world. For most systems, which handle high volumes
of micro payments, this method would simply be too expensive.
In addition, the problem of double spending means that banks
have to carry added overhead because of the constant checking
and auditing logs. Double spending would not be a major problem if
the need for anonymity were relaxed. In such situations, when the
consumer is issued a bank note, it is issued to that person’s unique
license. When he or she gives it to somebody else, it is transferred
specifically to that other person’s license.
Each time the money changes hands, the old owner adds a tiny bit
of information to the bank note based on the bank note’s serial
number and his or her license. If somebody attempts to spend
money twice, the bank will now be able to use the two bank notes
to determine who the cheater is. Even if the bank notes pass
through many different people’s hands, whoever cheated will get
caught, and none of the other people will ever have to know. The
downside is that the bank can tell precisely what your buying
habits are since it can check the numbers on the e-cash and the
various merchant accounts that are being credited. Many people
would feel uncomfortable letting others know this personal
information.
Drawback of E-cash
One drawback of e-cash is its inability to be easily divided into
smaller amounts. It is often necessary to get small denomination
change in business transactions. A number of variations have
been developed for dealing with the “change” problem. For the
bank to issue users with enough separate electronic “coins” of
various denominations would be cumbersome in communication
and storage. So would a method that required payees to return
extra change. To sidestep such costs, customers are issued a single
number called an “open check” that contains multiple
denomination values sufficient for transactions up to a prescribed
limit. At payment time, the e-cash software on the client’s computer
would create a note of the transaction value from the “open check.”
Let’s see how the business organizations gain from e-cash and
how sometimes it can create problems.
Business Issues and Electronic Cash
Electronic cash fulfills two main functions: as a medium of
exchange and as a store of value. Digital money is a perfect medium
of exchange. By moving monetary claims quickly and by effecting
instant settlement of transactions, e-cash may help simplify the
complex interlocking credit and liabilities that characterize today’s
commerce. For instance, small businesses that spend months
waiting for big customers to pay their bills would benefit hugely
from a digital system in which instant settlement is the norm.
Instant settlement of micro payments is also a tantalizing
proposition.
The controversial aspects of e-cash are those that relate to the
other role, as a store of value. Human needs tend to require that
money take a tangible form and be widely accepted, or “legal tender”.
In most countries, a creditor by law cannot refuse cash as settlement
for a debt. With the acceptability of cash guaranteed by law, most
people are willing to bank their money and settle many of their
bills by checks and debits, confident that, barring a catastrophe,
they can obtain legal tender (cash) on demand. If e-cash had to be
convertible into legal tender on demand, then for every unit there
would have to be a unit of cash reserved in the real economy; or,
to look at it the other way round, there would be cash in the real
world for which digital proxies were created and made available.
This creates problems, because in an efficient system, if each e-cash
unit represents a unit of real cash, then positive balances of e-cash
will earn no interest, for the interest they might earn would be
offset by the interest foregone on the real cash that is backing them.
The enormous currency fluctuations in international finance
pose another problem. On the Internet, the buyer could be in
Mexico and the seller in the United States. How do you check that
the party in Mexico is giving a valid electronic currency that has
suitable backing? Even if it were valid today, what would happen
if a sudden devaluation occurred, such as the one in December 1994
when the peso was devalued 30 percent overnight? Who holds
the liability, the buyer or the seller? These are not technological
issues but business issues that must be addressed for large-scale
bilateral transactions to occur. Unless we have one central bank
offering one type of electronic currency, it is very difficult to see
e-cash being very prominent except in narrow application domains.
From a banker’s point of view, e-cash would be a mixed blessing.
Because they could not create new money via lending in the digital
world, banks would see electronic money as unproductive. They
might charge for converting it, or take a transaction fee for issuing
it, but on-line competition would surely make this a low-profit
affair. In the short term, banks would probably make less from
this new business than they would lose from the drift of customers
away from traditional services. It seems unlikely that e-cash would
be allowed to realize its potential for bypassing the transaction
costs of the foreign exchange market. If you pay yen for e-cash in
Osaka and buy something from a merchant based in New York
who cashes them for francs, a currency conversion has taken place.
That, however, is an activity toward which most governments feel
highly defensive; and if e-cash started to bypass regulated foreign
exchange markets by developing its own gray market for settlement,
then governments might be provoked into trying to clamp down
on it. Because of these obstacles, e-cash in its early forms may be
denominated in single currencies and exchanged at conventional
market rates.
Next we will see the risks involved while doing the transactions
involving the use of e-cash.
Operational Risk and Electronic Cash
Operational risk associated with e-cash can be mitigated by
imposing constraints, such as limits on
(1) the time over which a given electronic money is valid,
(2) how much can be stored on and transferred by electronic
money,
(3) the number of exchanges that can take place before a money
needs to be redeposited with a bank or financial institution,
and
(4) the number of such transactions that can be made during a
given period of time.
These constraints introduce a whole new set of
implementation issues. For example, time limits could be set
beyond which the electronic money would expire and become
worthless. The customer would have to redeem or exchange the
money prior to the expiration deadline. For this feature to work,
electronic money would have to be time-stamped, and time would
have to be synchronized across the network to some degree of
precision. The objective of imposing constraints is to limit the
issuer’s liability. A maximum upper limit could be imposed on
the value that could be assigned to any single transaction or that
could be transferred to the same vendor within a given period of
time. Since the user’s computer could be programmed to execute
small transactions continuously at a high rate over the network, a
strategy of reporting transactions over a certain amount would be
ineffective for law enforcement. However, a well-designed system
could enforce a policy involving both transaction size and value
with time. For example, an “anonymous coin-purse” feature might
be capable of receiving or spending no more than $500 in any
twenty-four hour period. Alternatively, the “rate ceiling” for the
next twenty-four hours could be made dependent on the rate of
use or on the number of exchanges that could be permitted before
any electronic money would have to be redeposited in a bank or
financial institution and reissued.
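The constraints just listed, applied by an “anonymous coin-purse” to a constructed sequence of transfers, as an added example that is not from the original text. Only the $500 per twenty-four-hour rate ceiling is taken from the text; the 30-day validity period, the 450-unit single-transaction limit, the three-exchange redeposit rule, the ten-transfer count and the sample notes are assumed values.

```python
"""Purse-side enforcement of time, value, exchange-count and rate constraints on e-cash."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy limits. Only the $500 / 24-hour rate ceiling is from the text; the rest are assumed.
RATE_CEILING = 500                 # value received or spent in any 24-hour period
TX_CEILING = 10                    # transfers allowed in any 24-hour period (assumed)
MAX_NOTE_VALUE = 450               # largest value a single transaction may carry (assumed)
MAX_EXCHANGES = 3                  # hand-offs before the money must be redeposited (assumed)
VALIDITY = timedelta(days=30)      # time over which a note is valid (assumed)
WINDOW = timedelta(hours=24)


@dataclass
class Note:
    serial: int
    value: int
    issued_at: datetime   # time stamp set by the issuer; clocks must be synchronized
    exchanges: int = 0    # how many times the note has changed hands since issue


@dataclass
class CoinPurse:
    """Holds notes and applies the purse policy on every receive or spend."""
    held: dict[int, Note] = field(default_factory=dict)
    log: list[tuple[datetime, int]] = field(default_factory=list)   # (time, value moved)

    def _moved_in_window(self, now: datetime) -> list[int]:
        start = now - WINDOW
        return [v for t, v in self.log if start < t <= now]

    def check(self, note: Note, now: datetime) -> str:
        """Return 'ok' or the first constraint the transfer would violate."""
        if now > note.issued_at + VALIDITY:
            return "expired"
        if note.value > MAX_NOTE_VALUE:
            return "exceeds single-transaction limit"
        if note.exchanges >= MAX_EXCHANGES:
            return "must be redeposited with the bank"
        moved = self._moved_in_window(now)
        if sum(moved) + note.value > RATE_CEILING:
            return "24-hour rate ceiling"
        if len(moved) >= TX_CEILING:
            return "24-hour transaction count"
        return "ok"

    def receive(self, note: Note, now: datetime) -> str:
        verdict = self.check(note, now)
        if verdict == "ok":
            note.exchanges += 1
            self.held[note.serial] = note
            self.log.append((now, note.value))
        return verdict

    def spend(self, serial: int, now: datetime) -> str:
        note = self.held.get(serial)
        if note is None:
            return "not held"
        verdict = self.check(note, now)
        if verdict == "ok":
            del self.held[serial]
            note.exchanges += 1
            self.log.append((now, note.value))
        return verdict


def run_sample_log() -> dict[str, str]:
    """Replay a constructed sequence of transfers; returns each step's verdict."""
    t0 = datetime(2024, 1, 1, 9, 0)

    def at(hours: int) -> datetime:
        return t0 + timedelta(hours=hours)

    def note(serial: int, value: int, age_days: int = 1, exchanges: int = 0) -> Note:
        return Note(serial, value, t0 - timedelta(days=age_days), exchanges)

    purse = CoinPurse()
    n2 = note(2, 250)
    results: dict[str, str] = {}
    results["receive 300 at t0"] = purse.receive(note(1, 300), at(0))
    results["receive 250 one hour later"] = purse.receive(n2, at(1))     # 300 + 250 > 500
    results["receive 250 a day later"] = purse.receive(n2, at(25))       # window has rolled on
    results["receive 45-day-old note"] = purse.receive(note(3, 50, age_days=45), at(25))
    results["receive note handed on 3 times"] = purse.receive(note(4, 100, exchanges=3), at(25))
    results["receive 600 note"] = purse.receive(note(5, 600), at(25))
    results["spend serial 1 at 26h"] = purse.spend(1, at(26))            # 250 + 300 > 500
    results["spend serial 1 at 50h"] = purse.spend(1, at(50))
    results["spend unknown serial"] = purse.spend(99, at(50))
    return results


if __name__ == "__main__":
    for step, verdict in run_sample_log().items():
        print(f"{step}: {verdict}")
```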
Finally, exchanges could also be restricted to a class of services or
goods (e.g., electronic benefits could be used only for food,
clothing, shelter, or educational purposes). The exchange process
should allow payment to be withheld from the seller upon the
buyer’s instructions until the goods, or services are delivered within
a specified time in the future.
Conversely, it should allow delivery to be withheld upon the seller’s
instructions until payment is received. The next section deals with
the legal aspects of e-cash and the impact of e-cash on taxation.
Legal Issues and Electronic Cash
Electronic cash will force bankers and regulators to make tough
choices that will shape the form of lawful commercial activity
related to electronic commerce. As a result of the very features that
make it so attractive to many, cash occupies an unstable and
uncomfortable place within the existing taxation and law
enforcement systems. Anonymous and virtually untraceable, cash
transactions today occupy a place in a kind of underground
economy. This underground economy is generally confined to
relatively small scale transactions because paper money in large
quantities is cumbersome to use and manipulate, organized crime
being the obvious exception. As long as the transactions are
small in monetary value, they are tolerated by the government as
an unfortunate but largely insignificant by-product of the modern
commercial state. As transactions get larger the government
becomes more suspicious and enlists the aid of the banks, through
the various currency reporting laws, in reporting large
disbursements of cash so that additional oversight can be ordered.

Consider the Impact of E-Cash on Taxation.


Transaction based taxes (e.g., sales taxes) account for a significant
portion of state and local government revenue. But if e-cash really
is made to function the way that paper money does, payments we
would never think of making in cash (to buy a new car, say, or as
the down payment on a house) could be made in this new form
of currency because there would be no problem of bulk and no
risk of robbery. The threat to the government’s revenue flow is a
very real one, and officials in government are starting to take
cognizance of this development and to prepare their responses.
To prevent an underground economy, the government through
law may prevent a truly anonymous and untraceable e-cash system
from developing. But that raises its own problems because the
vision of “Big Brother” rears its ugly head. Just as powerful
encryption schemes permit the design of untraceable e-cash
systems, so, too, do powerful electronic record-keeping tools permit
the design of traceable systems: systems in which all financial
transactions are duly recorded in some database, allowing those with
access to know more about an individual than anyone could know
today. Anything that makes cash substantially easier to use in a
broader range of transactions holds the potential to expand this
underground economy to proportions posing ever more serious threats
to the existing legal order. Under the most ambitious visions of
e-cash, we would see a new form of currency that could be freely
passed off from one computer to another with no record, yet
incapable of being forged. A consumer could draw such e-cash
electronically from his or her bank. The bank would have a record
of that transaction, just as a withdrawal or check is recorded now.
But after that, the encrypted e-cash file could be handed off without
the knowledge of anyone but the parties to the transaction.
However the politics and business play out, the technology is
forcing legal issues to be reconsidered. The question e-cash
poses is not, “Should the law take notice of this development?” but
rather, “How can it not?”
By impacting revenue-raising capabilities, e-cash cannot escape
government scrutiny and regulation; but it is going to take some
serious thinking to design a regulatory scheme that balances
personal privacy, speed of execution, and ease of use. Without a
functioning system, what the government will do remains a mystery.
Moreover, it is not even clear yet that the market as a whole will
adopt an anonymous e-cash standard. For now, we are mainly
watching and trying to educate ourselves about the likely path of
the transition to electronic cash.
Summary:
One drawback of e-cash is that it cannot easily be divided
into smaller amounts.
One of the business issues with electronic cash is that it
cannot take tangible form.
The enormous currency fluctuations in international finance
pose another business problem when using e-cash.
Operational risk associated with e-cash can be mitigated by
imposing constraints, such as limits on
(1) the time over which a given unit of electronic money is valid,
(2) how much can be stored on and transferred by an
electronic money instrument,
(3) the number of exchanges that can take place before the
money needs to be redeposited with a bank or financial
institution, and
(4) the number of such transactions that can be made
during a given period of time.
The use of e-cash can threaten the government’s revenue flow.

Topic:
Introduction
Discuss electronic checks, smart cards and credit cards
Advantages of electronic checks
Electronic Purses and Debit Cards
Summary

Objectives
Understand what is an “Electronic Check”
Describe the use of Smart cards and Credit cards
Another type of electronic payment scheme that we are going to
discuss today is the “electronic check”. This scheme is for
those who prefer not to pay in cash.
Electronic Checks
Electronic checks are another form of electronic tokens. They are
designed to accommodate the many individuals and entities that
might prefer to pay on credit or through some mechanism other
than cash. In the model shown in Fig. 14.1, buyers must
register with a third-party account server before they are able to
write electronic checks. The account server also acts as a billing
service. The registration procedure can vary depending on the
particular account server and may require a credit card or a bank
account to back the checks. Once registered, a buyer can then contact
sellers of goods and services. To complete a transaction, the buyer
sends a check to the seller for a certain amount of money. These
checks may be sent using e-mail or other transport methods. When
deposited, the
check authorizes the transfer of account balances from the account
against which the check was drawn to the account to which the
check was deposited. The e-check method was deliberately created
to work in much the same way as a conventional paper check. An
account holder will issue an electronic document that contains the
name of the payer, the name of the financial institution, the
payer’s account number, the name of the payee and amount of
the check. Most of this information travels in the clear. Like a
paper check, an e-check will bear the digital equivalent of a signature:
a computed number that authenticates the check as coming from
the owner of the account. And, again like a paper check, an e-check
will need to be endorsed by the payee, using another electronic
signature, before the check can be paid. Properly signed and
endorsed checks can be electronically exchanged between financial
institutions through electronic clearinghouses, with the
institutions using these endorsed checks as tender to settle accounts.
The specifics of the technology work in the following manner:
On receiving the check, the seller presents it to the accounting
server for verification and payment. The accounting server verifies
the digital signature on the check before honoring it. A user’s
digital “signature” is used to create one ticket, a check, which
the seller’s digital “endorsement” transforms into another: an order
to a bank computer for a funds transfer. Subsequent endorsers add
successive layers of information onto the tickets, precisely as a
large number of banks may wind up stamping the back of a paper
check along its journey through the system.
Figure 14.1 Payment transaction sequence in an electronic check system
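The write, endorse and deposit steps above, worked through in Go as an added example; this is not code from the course material or from any e-check product. It takes the page at its word that e-checks use conventional cryptography: each registered account shares a secret key with the account server, the “computed number” on the check is an HMAC-SHA256 over its fields, and the endorsement is a second HMAC by the payee that covers the payer’s signature. The keys, account names, institution and amounts are constructed. Note the trade-off this choice makes: the account server can authenticate a check, but since it holds the same keys it could also forge one, so a MAC gives authentication without third-party non-repudiation; a scheme that must prove to an outside party who signed needs public-key signatures instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Check holds the fields the page lists for an e-check; all but the two MACs travel in the clear.
type Check struct {
	Payer, Institution, PayerAccount, Payee string
	AmountCents                             int64
	Serial                                  string // payer-chosen check number, unique per account
	Signature                               string // payer's MAC over the fields above
	Endorsement                             string // payee's MAC over the signed check
}

// AccountServer is the third-party account server of Fig. 14.1: one secret key per
// registered account (constructed here), the balances, and the checks already paid.
type AccountServer struct {
	keys     map[string][]byte
	balances map[string]int64
	paid     map[string]bool
}

func NewAccountServer() *AccountServer {
	return &AccountServer{keys: map[string][]byte{}, balances: map[string]int64{}, paid: map[string]bool{}}
}

func (s *AccountServer) Register(account string, balance int64, key []byte) {
	s.keys[account] = key
	s.balances[account] = balance
}

func (s *AccountServer) Balance(account string) int64 { return s.balances[account] }

// mac is HMAC-SHA256 over the fields, NUL-separated so field boundaries are unambiguous.
func mac(key []byte, fields ...string) string {
	h := hmac.New(sha256.New, key)
	for _, f := range fields {
		h.Write([]byte(f))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

func (c Check) body() []string {
	return []string{c.Payer, c.Institution, c.PayerAccount, c.Payee, fmt.Sprint(c.AmountCents), c.Serial}
}

// WriteCheck is the payer's step: fill in the fields and compute the "signature".
func WriteCheck(payerKey []byte, payer, inst, acct, payee string, cents int64, serial string) Check {
	c := Check{Payer: payer, Institution: inst, PayerAccount: acct, Payee: payee, AmountCents: cents, Serial: serial}
	c.Signature = mac(payerKey, c.body()...)
	return c
}

// Endorse is the payee's step. The endorsement covers the payer's signature, so it is
// bound to this exact check and cannot be moved onto another one.
func Endorse(payeeKey []byte, c Check) Check {
	c.Endorsement = mac(payeeKey, append(c.body(), c.Signature)...)
	return c
}

// Deposit verifies both MACs, refuses a check it has already paid, checks funds,
// and moves the balance from the payer's account to the payee's.
func (s *AccountServer) Deposit(c Check) error {
	pk, ok := s.keys[c.PayerAccount]
	if !ok || !hmac.Equal([]byte(c.Signature), []byte(mac(pk, c.body()...))) {
		return errors.New("payer signature does not verify")
	}
	ek, ok := s.keys[c.Payee]
	if !ok || !hmac.Equal([]byte(c.Endorsement), []byte(mac(ek, append(c.body(), c.Signature)...))) {
		return errors.New("payee endorsement does not verify")
	}
	id := c.PayerAccount + "/" + c.Serial
	if s.paid[id] {
		return errors.New("check already deposited")
	}
	if c.AmountCents <= 0 || s.balances[c.PayerAccount] < c.AmountCents {
		return errors.New("insufficient funds")
	}
	s.paid[id] = true
	s.balances[c.PayerAccount] -= c.AmountCents
	s.balances[c.Payee] += c.AmountCents
	return nil
}

func main() {
	s := NewAccountServer()
	alice, bob := []byte("alice-key-constructed"), []byte("bob-key-constructed")
	s.Register("alice", 10000, alice)
	s.Register("bob", 0, bob)
	c := Endorse(bob, WriteCheck(alice, "Alice", "Example Bank", "alice", "bob", 2500, "0001"))
	fmt.Println(s.Deposit(c), s.Balance("alice"), s.Balance("bob")) // <nil> 7500 2500
	fmt.Println(s.Deposit(c))                                      // check already deposited
}
```

The serial is tracked per payer account so that the same check cannot be deposited twice, which is the electronic counterpart of a bank refusing a check it has already cleared.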
Let’s see the advantages of Electronic checks.
Electronic checks have the following advantages:
They work in the same way as traditional checks, thus
simplifying customer education.
Electronic checks are well suited for clearing micropayments;
their use of conventional cryptography makes them much faster
than systems based on public-key cryptography (e-cash).
Electronic checks create float, and the availability of float is an
important requirement for commerce. The third-party
accounting server can make money by charging the buyer or
seller a transaction fee or a flat-rate fee, or it can act as a bank
and provide deposit accounts and make money on the
deposit account pool.
Financial risk is assumed by the accounting server and may
result in easier acceptance. Reliability and scalability are
provided by using multiple accounting servers. There can be
an inter-account-server protocol to allow buyer and seller to
“belong” to different domains, regions, or countries.
You will all agree that the major concern when paying
electronically is security. In the next section we will discuss one of
the electronic payment systems that is more secure than
the schemes discussed above.

Smart Cards and Electronic Payment Systems


The enormous potential of electronic tokens is currently stunted
by the lack of a widely accepted and secure means of transferring
money on-line. In spite of the many prototypes developed, we
are a long way from a universal payment system because merchants
and banks have to be signed up and a means has to be developed
to transfer money. Such a system moreover must be robust and
capable of handling a large number of transactions and will require
extensive testing and usage to iron out all the bugs.
In the meantime, thousands of would-be sellers of electronic
commerce services have to pay one another and are actively looking
for payment substitutes. One such substitute is the smart card.
Smart cards have been in existence since the early 1980s and hold
promise for secure transactions using existing infrastructure. Smart
cards are credit and debit cards and other card products enhanced
with microprocessors capable of holding more information than
the traditional magnetic stripe. The chip, at its current state of
development, can store significantly greater amounts of data,
estimated to be 80 times more than a magnetic stripe. Industry
observers have predicted that, by the year 2000, one-half of all
payment cards issued in the world will have embedded
microprocessors rather than the simple magnetic stripe.
Smart card technology is widely used in countries such as
France, Germany, Japan, and Singapore to pay for public phone
calls, transportation, and shopper loyalty programs. The idea has
taken longer to catch on in the United States, since a highly reliable
and fairly inexpensive telecommunications system has favored
the use of credit and debit cards. Smart cards are basically of two
types:
Relationship-based smart credit cards
Electronic purses. Electronic purses, which replace money,
are also known as debit cards and electronic money.
Relationship-Based Smart Cards
Financial institutions worldwide are developing new methods to
maintain and expand their services to meet the needs of increasingly
sophisticated and technically smart customers, as well as to meet
the emerging payment needs of electronic commerce. Traditional
credit cards are fast evolving into smart cards as consumers demand
payment and financial services products that are user-friendly,
convenient, and reliable.
A relationship-based smart card is an enhancement of existing
card services and/or the addition of new services that a financial
institution delivers to its customers via a chip-based card or other
device. These new services may include access to multiple financial
accounts, value-added marketing programs, or other information
cardholders may want to store on their card. The chip-based card
is but one tool that will help alter mass marketing techniques to
address each individual’s specific financial and personal
requirements. Enhanced credit cards store cardholder information
including name, birth date, personal shopping preferences, and
actual purchase records.
This information will enable merchants to accurately track consumer
behavior and develop promotional programs designed to increase
shopper loyalty. Relationship-based products are expected to offer
consumers far greater options, including the following:
Access to multiple accounts, such as debit, credit,
investments or stored value for e-cash, on one card or an
electronic device
A variety of functions, such as cash access, bill payment,
balance inquiry, or funds transfer for selected accounts
Multiple access options at multiple locations using multiple
device types, such as an automated teller machine, a screen
phone, a personal computer, a personal digital assistant
(PDA), or interactive TV
Companies are trying to incorporate these services into a
personalized banking relationship for each customer. They can
package financial and non-financial services with value-added
programs to enhance convenience, build loyalty and retention, and
attract new customers. Banks are also attempting to customize
services on smart cards, offering a menu of services similar
to those that come up on ATM screens. As with credit
cards, banks may link up with health care providers, telephone
companies, retailers, and airlines to offer frequent-shopper and
frequent-flyer programs and other services.
Electronic Purses and Debit Cards
Despite their increasing flexibility, relationship-based cards are credit
based and settlement occurs at the end of the billing cycle. There
remains a need for a financial instrument to replace cash. To meet
this need, banks, credit card companies, and even government
institutions are racing to introduce “electronic purses,” wallet-sized
smart cards embedded with programmable microchips that
store sums of money for people to use instead of cash for
everything from buying food, to making photocopies, to paying
subway fares.
The Electronic Purse Works in the Following Manner.
After the purse is loaded with money, at an ATM or through the
use of an inexpensive special telephone, it can be used to pay for,
say, candy in a vending machine equipped with a card reader. The
vending machine need only verify that a card is authentic and there
is enough money available for a chocolate bar. In one second, the
value of the purchase is deducted from the balance on the card
and added to an e-cash box in the vending machine. The remaining
balance on the card is displayed by the vending machine or can be
checked at an ATM or with a balance-reading device. Electronic
purses would virtually eliminate fumbling for change or small
bills in a busy store or rush-hour toll booth, and waiting for a
credit card purchase to be approved. This allows customers to pay
for rides and calls with a prepaid card that “remembers” each
transaction. And when the balance on an electronic purse is
depleted, the purse can be recharged with more money. As for the
vendor, the receipts can be collected periodically in person—or,
more likely, by telephone and transferred to a bank account. While
the technology has been available for a decade, the cards have been
relatively expensive, from $5 to $10. Today the cards cost $1, and
special telephones that consumers could install at home to recharge
the cards are projected to cost as little as $50. A simple card reader
would cost a merchant less than $200.
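The vending-machine flow above, combined with the four operational constraints listed in the e-cash summary earlier (a validity period, a cap on stored value, a cap on offline exchanges before the value must be redeposited, and a cap on transactions per period), as an added Go example. It is not code from the course material or from any real card scheme; the limit values, the struct layout, the ATM load step and the cash-box collection are constructed to show where each check sits in the terminal’s logic.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purse is the stored value on the card chip together with the counters the
// operational constraints need. All limit values here are constructed, not a
// real scheme's parameters.
type Purse struct {
	BalanceCents int64
	ValidUntil   time.Time // constraint (1): validity period
	Exchanges    int       // constraint (3): offline payments since the bank last saw the card
	WindowStart  time.Time // constraint (4): start of the current rate-limit window
	WindowCount  int
}

type Limits struct {
	MaxBalanceCents int64         // constraint (2): cap on stored value
	MaxExchanges    int           // constraint (3)
	Window          time.Duration // constraint (4)
	MaxPerWindow    int
}

// CashBox is the vendor's side: value accumulates here until it is collected.
type CashBox struct{ Cents int64 }

// Pay is what the vending machine does: check the card is valid and the limits allow
// another offline payment, then move the amount from the card to the cash box.
func Pay(p *Purse, box *CashBox, cents int64, l Limits, now time.Time) error {
	if cents <= 0 {
		return errors.New("amount must be positive")
	}
	if now.After(p.ValidUntil) {
		return errors.New("card expired; reload at an ATM to renew")
	}
	if p.Exchanges >= l.MaxExchanges {
		return errors.New("offline exchange limit reached; card must be redeposited")
	}
	if now.Sub(p.WindowStart) >= l.Window {
		p.WindowStart, p.WindowCount = now, 0 // new rate-limit window
	}
	if p.WindowCount >= l.MaxPerWindow {
		return errors.New("too many transactions in this period")
	}
	if p.BalanceCents < cents {
		return errors.New("insufficient value on card")
	}
	p.BalanceCents -= cents
	box.Cents += cents
	p.Exchanges++
	p.WindowCount++
	return nil
}

// Load is the ATM (or home telephone) step: add value up to the cap, renew the validity
// period, and reset the offline-exchange counter because the bank has now seen the card.
func Load(p *Purse, cents int64, l Limits, now time.Time, validity time.Duration) error {
	if cents <= 0 || p.BalanceCents+cents > l.MaxBalanceCents {
		return errors.New("load would exceed the stored-value cap")
	}
	p.BalanceCents += cents
	p.ValidUntil = now.Add(validity)
	p.Exchanges = 0
	return nil
}

// Collect empties the vendor's cash box, in person or by telephone, and returns the
// amount to be transferred to the vendor's bank account.
func Collect(box *CashBox) int64 {
	c := box.Cents
	box.Cents = 0
	return c
}

func main() {
	l := Limits{MaxBalanceCents: 10000, MaxExchanges: 3, Window: time.Hour, MaxPerWindow: 2}
	now := time.Now()
	p, box := &Purse{}, &CashBox{}
	fmt.Println(Load(p, 5000, l, now, 30*24*time.Hour))             // <nil>
	fmt.Println(Pay(p, box, 150, l, now), p.BalanceCents, box.Cents) // <nil> 4850 150
}
```

Every check runs on the terminal with no bank connection, which is the point of a purse; the exchange counter is what forces the card back to an ATM so the bank periodically sees its state.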
Summary:
Electronic checks are another form of electronic tokens. They
are designed to accommodate the many individuals and entities that
might prefer to pay on credit or through some mechanism other than
cash.
Electronic checks are well suited for clearing micro payments;
their use of conventional cryptography makes it much faster
than systems based on public-key cryptography
Electronic checks create float and the availability of float is an
important requirement for commerce
Smart cards are credit and debit cards and other card products
enhanced with microprocessors capable of holding more
information than the traditional magnetic stripe
Smart cards are basically of two types: relationship-based smart
credit cards and electronic purses.

Topic:
Introduction
Credit Card-Based Electronic Payment Systems
Encryption in Credit Cards
Summary

Objectives
Understand why payment by Credit card is more secure than
other Electronic Payment Systems
To avoid the complexity associated with digital cash and electronic
checks, consumers and vendors are also looking at credit card
payments on the Internet as one possible time-tested alternative.
Let’s discuss how the payment is made online using credit cards.
Credit Card-Based Electronic Payment Systems
There is nothing new in the basic process. If consumers want to
purchase a product or service, they simply send their credit card
details to the service provider involved and the credit card
organization will handle this payment like any other.
We can break credit card payment on on-line networks into
three basic categories:
1. Payments using plain credit card details. The easiest
method of payment is the exchange of unencrypted credit
card details over a public network such as telephone lines or the
Internet. The low level of security inherent in the design of
the Internet makes this method problematic: any snooper
can read a credit card number, and programs can be written to
scan Internet traffic for credit card numbers and send the
numbers to their master. Authentication is also a significant
problem, and the vendor is usually responsible for ensuring
that the person using the credit card is its owner. Without
encryption there is no way to do this.
2. Payments using encrypted credit card details. It would
make sense to encrypt your credit card details before sending
them out, but even then there are certain factors to consider.
One would be the cost of a credit card transaction itself. Such
cost would prohibit low-value payments (micro payments)
by adding costs to the transactions.

3. Payments using third-party verification. One solution to
security and verification problems is the introduction of a
third party: a company that collects and approves payments
from one client to another. After a certain period of time,
one credit card transaction for the total accumulated amount
is completed.
Table 15.1 Players in On-Line Credit Card Transaction Processing

First Virtual Holdings: San Diego-based start-up that offers an
Internet payment system to process credit card transactions
on the Internet. It is allied with ED& for data processing and
First USA Merchant Services in Dallas for card processing
services.
Interactive Transactions Partners: Joint venture of EDS,
France Telecom, USWest, and H&R Block for home banking and
electronic payment services.
MasterBanking: A home banking service started by MasterCard
and Checkfree Corp., an on-line payments processor.
VISA Interactive: VISA International acquired US Order, a
screen phone manufacturer. VISA Interactive has signed up more
than 30 banks, including NationsBank.
Block Financial: This H&R Block unit owns the Managing Your
Money personal-finance software and CompuServe. It provides
electronic-banking services for VISA member banks.
Prodigy: Teaming up with Meridian Bank and others to offer PC-based
home banking via its online service.
Let’s see how the payment by credit card is more secure as compared
to other schemes.
Encryption and Credit Cards
Encryption is applied when credit card information is entered
into a browser or other electronic commerce device and sent
over the network from buyer to seller as an encrypted message.
Encryption alone, however, does not meet important requirements
for an adequate financial system, such as non-repudiation, speed,
safety, privacy, and security. To make a credit card transaction truly
secure and non-repudiable, the following sequence of steps must
occur before actual goods, services, or funds flow:
1. A customer presents his or her credit card information (along
with an authenticating signature or other information such as
mother’s maiden name) securely to the merchant.
2. The merchant validates the customer’s identity as the owner
of the credit card account.
3. The merchant relays the credit card charge information and
signature to its bank or on-line credit card processor.
4. The bank or processing party relays the information to the
customer’s bank for authorization approval.
5. The customer’s bank returns the credit card data, charge
authentication, and authorization to the merchant.
In this scheme, each consumer and each vendor generates a public
key and a secret key. The public key is sent to the credit card
company and put on its public key server. The secret key is
encrypted under a password, and the unencrypted version is erased.
To steal a credit card, a thief would have to get access to both the
consumer’s encrypted secret key and the password. The credit card
company sends the consumer a credit card number and a credit
limit. To buy something from vendor X, the consumer composes the
message “It is now time T. I am paying Y dollars to X for item Z,”
uses his or her password to unlock the secret key, and signs the
message with it. The vendor then signs the message with its own
secret key and sends it to the credit card company, which verifies
both signatures against the public keys on its key server, bills the
consumer for Y dollars and gives the same amount (less a fee) to X.
(See Fig. 15.1)
Each party is bound by its own signature. The consumer cannot
claim that he did not agree to the transaction, because he signed it
(as in everyday life). The vendor cannot invent fake charges,
because it does not have access to the consumer’s key, and it cannot
alter the amount, because the consumer’s signature covers the whole
message. It cannot submit the same charge twice, because the
consumer included the precise time T in the message and the card
company can refuse a message it has already processed. To become
useful, credit card systems will have to develop distributed key
servers and card checkers. Otherwise, a concentrated attack on these
sites could bring the system to a halt.
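The signed purchase message above, as an added Go example rather than code from the course material. The page does not name a signature algorithm; Ed25519 from the Go standard library is assumed here. The consumer signs the canonical bytes of “time T, Y dollars to X for item Z” with the secret key, the vendor countersigns the order together with the consumer’s signature, and the card company verifies both signatures against its key server before billing. Two points the prose leaves implicit are made explicit in the code: both signatures must cover the same canonical bytes, or the vendor could change the amount after the consumer signed; and the timestamp prevents a double charge only because the card company keeps a record of the messages it has already settled. Account identifiers, amounts and the fee are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Order is the consumer's statement "It is now time T. I am paying Y dollars to X
// for item Z", plus the consumer's account so the card company knows whose key to use.
type Order struct {
	Consumer, Vendor, Item string
	Cents                  int64
	At                     time.Time // T; makes every legitimate order distinct
}

// Bytes is the canonical encoding both parties sign. Both signatures must cover the
// same bytes, or a vendor could alter the amount after the consumer signed.
func (o Order) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%s", o.Consumer, o.Vendor, o.Item, o.Cents, o.At.UTC().Format(time.RFC3339Nano)))
}

type Charge struct {
	Order       Order
	ConsumerSig []byte
	VendorSig   []byte // vendor signs the order together with the consumer's signature
}

// CardCompany holds the public keys on its key server, each consumer's remaining
// credit, the vendors' payouts, and the set of charges already settled.
type CardCompany struct {
	pub    map[string]ed25519.PublicKey
	credit map[string]int64
	payout map[string]int64
	seen   map[string]bool
}

func NewCardCompany() *CardCompany {
	return &CardCompany{pub: map[string]ed25519.PublicKey{}, credit: map[string]int64{}, payout: map[string]int64{}, seen: map[string]bool{}}
}

// Enrol generates a key pair, keeps the public half on the key server and returns the
// secret half to the party, who in the page's scheme stores it encrypted under a password.
func (cc *CardCompany) Enrol(id string, creditLimit int64) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cc.pub[id] = pub
	cc.credit[id] = creditLimit
	return priv
}

// SignOrder is the consumer's step: sign the canonical message with the secret key.
func SignOrder(consumerKey ed25519.PrivateKey, o Order) Charge {
	return Charge{Order: o, ConsumerSig: ed25519.Sign(consumerKey, o.Bytes())}
}

// Countersign is the vendor's step: its signature covers the order and the consumer's signature.
func Countersign(vendorKey ed25519.PrivateKey, c Charge) Charge {
	c.VendorSig = ed25519.Sign(vendorKey, append(c.Order.Bytes(), c.ConsumerSig...))
	return c
}

// Settle verifies both signatures, refuses a message it has already processed (the
// timestamp stops double charging only because the company remembers what it settled),
// then bills the consumer and credits the vendor less the fee.
func (cc *CardCompany) Settle(c Charge, feeCents int64) error {
	cpub, ok := cc.pub[c.Order.Consumer]
	if !ok || !ed25519.Verify(cpub, c.Order.Bytes(), c.ConsumerSig) {
		return errors.New("consumer signature does not verify")
	}
	vpub, ok := cc.pub[c.Order.Vendor]
	if !ok || !ed25519.Verify(vpub, append(c.Order.Bytes(), c.ConsumerSig...), c.VendorSig) {
		return errors.New("vendor signature does not verify")
	}
	key := string(c.Order.Bytes())
	if cc.seen[key] {
		return errors.New("duplicate charge")
	}
	if c.Order.Cents <= 0 || c.Order.Cents > cc.credit[c.Order.Consumer] {
		return errors.New("over credit limit")
	}
	cc.seen[key] = true
	cc.credit[c.Order.Consumer] -= c.Order.Cents
	cc.payout[c.Order.Vendor] += c.Order.Cents - feeCents
	return nil
}

func (cc *CardCompany) Available(consumer string) int64 { return cc.credit[consumer] }
func (cc *CardCompany) Payout(vendor string) int64      { return cc.payout[vendor] }

func main() {
	cc := NewCardCompany()
	ck, vk := cc.Enrol("4111-consumer", 50000), cc.Enrol("vendor-x", 0)
	o := Order{Consumer: "4111-consumer", Vendor: "vendor-x", Item: "item-z", Cents: 1999, At: time.Now()}
	c := Countersign(vk, SignOrder(ck, o))
	fmt.Println(cc.Settle(c, 60), cc.Settle(c, 60)) // <nil> duplicate charge
}
```

The seen-set is the part a deployment has to get right: it must be shared across all of the distributed card checkers the page calls for, otherwise the same signed message can be replayed against a different checker.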
Support for Privacy Enhanced Mail (PEM) and Pretty Good Privacy
(PGP) has been built into several browsers. Either can be used to
add encryption to the credit card schemes above and so defeat
snooping attacks; with them, any vendor can create a system that
accepts credit card numbers securely in about an hour.
Third-Party Processors and Credit Cards
In third-party processing, consumers register with a third party on
the Internet to verify electronic microtransactions. Verification
mechanisms can be designed with many of the attributes of
electronic tokens, including anonymity. They differ from electronic
token systems in that
(1) they depend on existing financial instruments and
(2) they require the on-line involvement of at least one
additional party and, in some cases, multiple parties to
ensure extra security. However, requiring an on-line third-party
connection for each transaction to different banks could lead to
processing bottlenecks that could undermine the goal of reliable
use. Companies that are already providing third-party payment are
referred to as on-line third-party processors (OTPPs), since both
methods are fairly similar in nature. OTPPs have created a process
that they believe will be a fast and efficient way to buy information
on-line:
1. The consumer acquires an OTPP account number by filling out a
registration form. This gives the OTPP a customer information
profile that is backed by a traditional financial instrument such as a
credit card.
2. To purchase an article, software, or other information on-line, the
consumer requests the item from the merchant by quoting her
OTPP account number. The purchase can take place in one of two
ways: the consumer can authorize the merchant in advance, via
browser settings, to access her OTPP account and bill her, or she
can type in the account information.
3. The merchant contacts the OTPP payment server with the
customer’s account number.
4. The OTPP payment server verifies the customer’s account number
on the merchant’s behalf and checks for sufficient funds.
5. The OTPP payment server sends an electronic message to the
buyer. This message could be an automatic WWW form sent by the
OTPP server or a simple e-mail. The buyer responds to the
form or e-mail in one of three ways: Yes, I agree to pay; No, I
will not pay; or Fraud, I never asked for this.
6. If the OTPP payment server gets a Yes from the customer, the
merchant is informed and the customer is allowed to download the
material immediately.
7. The OTPP will not debit the buyer’s account until it receives
confirmation of purchase completion. Abuse by buyers who receive
information or a product and then decline to pay can result in account
suspension.
To use this system, both customer and merchant must be registered
with the OTPP. An on-line environment suitable for
microtransactions will require that many of the preceding steps
be automated. World Wide Web browsers capable of encryption can
serve this purpose.
Here the two key servers are the merchant server and the payment
server. Users first establish an account with the payment server.
Then, using a client browser, a user makes a purchase from a
merchant server by clicking on a payment URL (hyperlink) attached
to the product on a WWW page. Unknown to the customer, the
payment URL encodes the following details of the purchase: the
price of the item; the target URL (for hard goods, this URL is usually
an order status page; for information goods, it points to the
information the customer is purchasing); and the duration (for
information goods, it specifies how long the customer can access
the target URL).
Payment URLs send the encoded information to the payment
server. In other words, the payment URL directs the customer’s
browser to the payment server, which authenticates the user by
asking her for the account number and other identification
information. If the information entered by the customer is valid
and funds are available, the payment server processes the payment
transaction. The payment server then redirects the user’s browser
(using an HTTP redirect operation) to the purchased item with an
access URL, which encodes the details of the payment transaction
(the amount, what was purchased, and duration). The access URL
is effectively a digital invoice that has been stamped “paid” by the
payment server. It provides evidence to the merchant that the user
has paid for the information and provides a receipt that grants the
user access. The access URL is the original target URL sent by the
merchant’s server, with additional fields that contain details of
the access: expiration time (optional) and the user’s address (to
prevent sharing). The merchant runs an HTTP server that is modified
to process access URLs (HTTP redirects). The server checks the
validity of the URL and grants access if the expiration time has
not passed. Since the user can edit anything in a URL, the validity
check must be able to detect tampering with the paid details, not
merely parse them. If access has expired, the server returns a page
that may give the user an opportunity to repurchase the item. The
payment system can also generate access URLs in a format that can
be parsed by CGI scripts running on an unmodified HTTP server.
Once a customer is authenticated, the payment is automatically
processed. The payment server implements a modular payment
architecture where accounts can be backed by different types of
financial instruments, credit card accounts, prepaid accounts, billed
accounts, debit cards, and other payment mechanisms. For credit
card accounts, the payment system has a real-time connection to
the credit card clearing network. The system can authorize payment
in real time based on the profile of the transaction and the user.
The system supports small transactions by accumulating them
and settling them in aggregate. All transactions are recorded in a
user’s on-line statement.
The statement is a summary of recent purchases, and each
summary line is a hypertext link. For information
goods, this is a link back to the purchased item. If access has
expired, the merchant’s server will give the user the opportunity
to repurchase the item. For non-information goods, the link may
point to an order status or summary page.

Figure 15.2 On-line payment process using a third-party processor
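The access URL described above, as an added Go example, not the payment system’s own code. The page says the merchant “checks the validity of the URL” without saying how; here the payment server and the merchant are assumed to share a per-merchant key, and the access URL carries an HMAC over the target, item, amount, expiry and buyer address, so the merchant can tell a URL stamped “paid” by the payment server from one the buyer edited in the address bar, and only then applies the expiry and address checks. The key, hostnames, item name and addresses are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// The payment server and each merchant are assumed to share a key (the page does not
// say how validity is checked). The MAC covers the target and the paid details, in this
// fixed order, so the buyer cannot edit the price, expiry or address and still pass.
const stampedFields = "item amount expires addr"

func stamp(key []byte, u *url.URL) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(u.Scheme + "://" + u.Host + u.Path))
	q := u.Query()
	for _, f := range strings.Fields(stampedFields) {
		h.Write([]byte{0})
		h.Write([]byte(q.Get(f)))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// IssueAccessURL is the payment server's step after a successful payment: the
// merchant's target URL with the paid details, expiry and buyer address appended,
// and the whole thing stamped "paid" with the MAC in the sig parameter.
func IssueAccessURL(key []byte, target, item string, cents int64, addr string, now time.Time, d time.Duration) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("item", item)
	q.Set("amount", strconv.FormatInt(cents, 10))
	q.Set("expires", strconv.FormatInt(now.Add(d).Unix(), 10))
	q.Set("addr", addr)
	u.RawQuery = q.Encode()
	q.Set("sig", stamp(key, u))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// CheckAccessURL is the merchant's step on the redirect: recompute the MAC, then apply
// the expiry and the address check that prevents sharing. On success it returns the
// item to serve; the expiry error is where the page's repurchase offer would go.
func CheckAccessURL(key []byte, raw, clientAddr string, now time.Time) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if !hmac.Equal([]byte(q.Get("sig")), []byte(stamp(key, u))) {
		return "", errors.New("access URL was not issued by the payment server")
	}
	exp, err := strconv.ParseInt(q.Get("expires"), 10, 64)
	if err != nil || now.Unix() > exp {
		return "", errors.New("access expired; offer repurchase")
	}
	if q.Get("addr") != clientAddr {
		return "", errors.New("access URL was issued to a different address")
	}
	return q.Get("item"), nil
}

func main() {
	key := []byte("merchant-shared-key-constructed")
	now := time.Now()
	raw, _ := IssueAccessURL(key, "https://merchant.example/articles/42", "article-42", 25, "203.0.113.7", now, time.Hour)
	fmt.Println(raw)
	fmt.Println(CheckAccessURL(key, raw, "203.0.113.7", now))  // article-42 <nil>
	fmt.Println(CheckAccessURL(key, raw, "198.51.100.9", now)) // "" access URL was issued to a different address
}
```

The MAC is checked before the expiry and address fields are trusted; checking those fields first would let an attacker learn which of them the merchant looks at from the error it returns.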


Summary:
Electronic checks are another form of electronic tokens. They
are designed to accommodate the many individuals and
entities that might prefer to pay on credit or through some
mechanism other than cash.
The enormous potential of electronic tokens is currently
stunted by the lack of a widely accepted and secure means of
transferring money on-line.
Smart cards are credit and debit cards and other card products
enhanced with microprocessors capable of holding more
information than the traditional magnetic stripe.
Smart cards are basically of two types: Relationship-based
smart credit cards and Electronic purses.
Encryption is applied when credit card information is entered
into a browser or other electronic commerce device and sent securely
over the network from buyer to seller as an encrypted message.
Topic:
Introduction
Advantages and disadvantages of Credit Cards
Managing Credit Risk
Summary
Objectives
Understand the advantages and disadvantages of using credit cards
Describe the infrastructure required to support Credit Card
Processing
In the previous lectures we have learnt a lot about the use of
Credit cards. Also we have seen the security aspect of using the
credit cards. Today we will take a look at what are the Business
Pros and Cons of Credit Card-Based Payment.
Third-party processing for credit cards entails a number of pros
as well as cons. These companies are chartered to give credit accounts
to individuals and act as bill collection agencies for businesses.
Consumers use credit cards by presenting them for payment and
then paying an aggregate bill once a month. Consumers pay either
a flat fee or individual transaction charges for this service.
Merchants get paid for the credit card drafts that they submit to
the credit card company. Businesses are charged a transaction fee
ranging from 1 percent to 3 percent for each draft submitted.
Credit cards have advantages over checks in that the credit card
company assumes a larger share of the financial risk for both buyer
and seller in a transaction. Buyers can sometimes dispute a charge
retroactively and have the credit card company act on their behalf.
Sellers are assured of payment for authorized sales and so carry
less of the fraud risk themselves. This translates into a convenience
for the buyer, in that credit card transactions are usually quicker and
easier than check (and sometimes even cash) transactions.
One disadvantage of credit cards is that their transactions are not
anonymous, and credit card companies do in fact compile valuable
data about spending habits.
Record keeping with credit cards is one of the features
consumers value most because of disputes and mistakes in
billing. Disputes may arise because different services may have
different policies. For example, an information provider might
charge for partial delivery of a file (the user may have abandoned
the session after reading part of the file), and a movie distributor
might charge depending on how much of the video had been
downloaded. The cause of interrupted delivery needs to
be considered in resolving disputes (e.g., intentional customer
action versus a problem in the network or provider’s equipment).
In general, implementing payment policies will be simpler when
payment is made by credit rather than with cash.
The complexity of credit card processing takes place in the
verification phase, a potential bottleneck. If there is a lapse in
time between the charging and the delivery of goods or services
(for example, when an airline ticket is purchased well in advance
of the date of travel), the customer verification process is simple
because it does not have to be done in real time. In fact, all the
relaying and authorizations can occur after the customer-merchant
transaction is completed, unless the authorization request is denied.
If the customer wants a report (or even a digital airline ticket),
which would be downloaded into a PC or other information
appliance immediately at the time of purchase, however, many
message relays and authorizations take place in real time while the
customer waits. Such exchanges may require many sequence-specific
operations such as staged encryption and decryption and exchanges
of cryptographic keys.
Encryption and transaction speed must be balanced, however,
as research has shown that on-line users get very impatient and
typically wait only about 20 seconds before pursuing other actions. Hence,
on-line credit card users must find the process to be accessible,
simple, and fast. Speed will have design and cost implications, as
it is a function of network capabilities, computing power, available
at every server, and the specific form of the transaction. The
infrastructure supporting the exchange must be reliable. The user
must feel confident that the supporting payment infrastructure
will be available on demand and that the system will operate
reasonably well regardless of component failures or system load
conditions. The builders and providers of this infrastructure are
aware of customer requirements and are in fierce competition to
fulfill those needs.
There is also no question that banks and other financial institutions
must resolve many key issues before offering on-line processing
services in e-commerce markets. Should they go it alone or form
a partnership, and with whom? What technology to use? What
services to offer?Which consumers are interested and who should
be targeted? A wide variety of organizations are jumping into the
fray. Regional electronic funds transfer (EFT) networks, credit card
associations, equipment vendors, data processors, software
developers, bill payment companies, and telecommunications
providers are all wooing banks with the goal of building the
transaction processing infrastructure on the Internet.
Infrastructure for On-Line Credit Card Processing
Competition among these players is based on service quality, price,
processing system speed, customer support, and reliability. Most
third-party processors market their services directly to large regional
or national merchants rather than through financial institutions
or independent sales organizations.
Barriers to entry include
(1) large initial capital requirements,
(2) ongoing expenses related to establishing and maintaining an
electronic transaction processing network,
(3) the ability to obtain competitively priced access to an existing
network, and
(4) the reluctance of merchants to change processors.
What exactly is at stake here? A lot. In the emerging world of
e-commerce, the companies that own the transaction
infrastructure will be able to charge a fee, much as banks do
today with ATMs. This could be extremely profitable.
Microsoft, VISA, and other companies understand that they
have to do something. If they wait for a clear path to emerge,
it will be “too little, too late.” They know all too well that
e-commerce transaction architectures (similar to MS-DOS or
Windows) on which other e-commerce applications are
developed will be very profitable.
Many companies are developing advanced electronic services for
home-based financial transactions, and software companies are
increasingly allying with banks to sell home banking. Eventually,
the goal would be to offer everything from mutual funds to
brokerage services over the network. Many banks are concerned
about this prospect and view it as an encroachment on their turf.
After years of dabbling, mostly unsuccessfully, with remote
banking, banking is receiving a jarring message: Get wired or lose
customers.
The traditional roles are most definitely being reshuffled, and
electronic payment on the Internet can have a substantial effect on
transaction processing in the “real” (non electronic) world.
According to some estimates, transaction processing services
account for as much as 25 percent of non-interest income for
banks, so banks clearly stand to lose business. Why banks are on
the defensive is obvious if we look at banking in the last ten years.
A decade ago, banks processed 90 percent of all bank card
transactions, such as VISA and MasterCard. Today, 70 percent of
those transactions are processed by nonbanks such as First Data
Resources. If software companies and other interlopers become
electronic toll-takers, banks could become mere homes for deposits,
not the providers of lucrative value-added services.
Even more worrisome, banks could lose the all-important direct
link to the customer, the position as primary provider of financial
services that lets them hawk profitable services. The effect of electronic
commerce on the banking industry has been one of total
confusion. To be fair, things are happening so fast in this area that
it’s hard to keep up with it all. Let’s see some of the risks involved
in the Electronic Payment System.
Risks from Mistake and Disputes: Consumer Protection
Virtually all electronic payment systems need some ability to keep
automatic records, for obvious reasons. From a technical
standpoint, this is no problem for electronic systems. Credit and
debit cards have them and even the paper-based check creates an
automatic record. Once information has been captured
electronically, it is easy and inexpensive to keep (it might even cost
more to throw it away than to keep it). For example, in many
transaction processing systems, old or blocked accounts are never
purged and old transaction histories can be kept forever on
magnetic tape. Given the intangible nature of electronic transactions
and dispute resolution relying solely on records, a general law of
payment dynamics and banking technology might be: No data
need ever be discarded. The record feature is an after-the-fact
transcription of what happened, created without any explicit effort
by the transaction parties. Features of these automatic records
include
(1) permanent storage;
(2) accessibility and traceability;
(3) a payment system database; and
(4) data transfer to payment maker, bank, or monetary authorities.
The need for record keeping for purposes of risk management
conflicts with the transaction anonymity of cash. One can say that
anonymity exists today only because cash is a very old concept,
invented long before the computer and networks gave us the
ability to track everything. Although a segment of the payment-making
public will always desire transaction anonymity, many believe that
anonymity runs counter to the public welfare because too many tax,
smuggling, and/or money laundering possibilities exist. The
anonymity issue raises the question: Can electronic payments happen
without an automatic record feature? Many recent payment systems
seem to be ambivalent on this point. For instance, the Mondex
electronic purse touts equivalence with cash, but its electronic wallets
are designed to hold automatic records of the card’s last twenty
transactions with a statement built in. Obviously, the card-reading
terminals, machines, or telephones could all maintain records of all
transactions and they
probably ultimately will. With these records, the balance on any
smart card could be reconstructed after the fact, thus allowing for
additional protection against loss or theft. This would certainly
add some value versus cash. In sum, anonymity is an issue that
will have to be addressed through regulation covering consumer
protection in electronic transactions. There is considerable debate
on this point. An anonymous payment system without automatic
record keeping will be difficult for bankers and governments to
accept. Were the regulation to apply, each transaction would have
to be reported, meaning it would appear on an account statement
making mistakes and disputes easier to resolve. However,
customers might feel that all this record keeping is an invasion of
privacy resulting in slower than expected adoption of electronic
payment systems. The next risk involved is the privacy of the
customer making a purchase.

Managing Information Privacy


The electronic payment system must ensure and maintain privacy.
Every time one purchases goods using a credit card, subscribes to
a magazine or accesses a server, that information goes into a
database somewhere. Furthermore, all these records can be linked
so that they constitute in effect a single dossier. This dossier would
reflect what items were bought and where and when. This violates
one of the unspoken laws of doing business: that the privacy of
customers should be protected as much as possible. All details of
a consumer’s payments can easily be aggregated: where, when,
and sometimes what the consumer buys is stored. This collection
of data tells much about the person and as such can conflict with
the individual’s right to privacy. Users must be assured that
knowledge of transactions will be confidential, limited only to the
parties involved and their designated agents (if any). Privacy must
be maintained against eavesdroppers on the network and against
unauthorized insiders. The users must be assured that they cannot
be easily duped, swindled, or falsely implicated in a fraudulent
transaction. This protection must apply throughout the whole
transaction protocol by which a good or service is purchased and
delivered. This implies that, for many types of transactions, trusted
third-party agents will be needed to vouch for the authenticity and
good faith of the involved parties.
Managing Credit Risk
Credit or systemic risk is a major concern in net settlement systems
because a bank’s failure to settle its net position could lead to a
chain reaction of bank failures. The digital central bank must
develop policies to deal with this possibility. Various alternatives
exist, each with advantages and disadvantages. A digital central
bank guarantee on settlement removes the insolvency test from
the system because banks will more readily assume credit risks
from other banks. Without such guarantees the development of
clearing and settlement systems and money markets may be impeded.
A middle road is also possible, for example, setting controls on
bank exposures (bilateral or multilateral) and requiring collateral.
If the central bank does not guarantee settlement, it must define,
at least internally, the conditions and terms for extending liquidity
to banks in connection with settlement.
Despite cost and efficiency gains, many hurdles remain to the
spread of electronic payment systems. These include several factors,
many non technical in nature, that must be addressed before any
new payment method can be successful. Let’s see what hurdles
have to be cleared for the successful implementation of
Electronic Payment Systems.
Designing Electronic Payment Systems
Privacy. A user expects to trust in a secure system; just as the
telephone is a safe and private medium free of wiretaps and
hackers, electronic communication must merit equal trust.
Security. A secure system verifies the identity of two-party
transactions through “user authentication” and reserves
flexibility to restrict information/services through access
control. Tomorrow’s bank robbers will need no getaway cars,
just a computer terminal, the price of a telephone call, and a
little ingenuity. Millions of dollars have been embezzled by
computer fraud. No systems are yet fool-proof, although
designers are concentrating closely on security.
Intuitive interfaces. The payment interface must be as easy to
use as a telephone. Generally speaking, users value
convenience more than anything.
Database integration. With home banking, for example, a
customer wants to work with all his accounts. To date,
separate accounts have been stored on separate databases.
The challenge before banks is to tie these databases together
and to allow customers access to any of them while keeping
the data up-to-date and error free.
Brokers. A “network banker”, someone to broker goods and
services, settle conflicts, and facilitate financial transactions
electronically, must be in place.
One fundamental issue is how to price payment system
services. For example, should subsidies be used to encourage
users to shift from one form of payment to another, from
cash to bank payments, from paper-based to e-cash? The
problem with subsidies is the potential waste of resources,
as money may be invested in systems that will not be used.
Thus investment in systems not only might not be recovered but
substantial ongoing operational subsidies will also be necessary.
On the other hand, it must be recognized that
without subsidies, it is difficult to price all services affordably.
Standards. Without standards, the welding of different payment
users into different networks and different systems is impossible.
Standards enable interoperability, giving users the ability to buy
and receive information, regardless of which bank is managing
their money. None of these hurdles is insurmountable. Most
will be jumped within the next few years. These technical problems,
experts hope, will be solved as technology is improved and
experience is gained. The biggest question concerns how customers
will take to a paperless and (if not cashless) less-cash world.
Summary:
Credit cards have advantages over checks in that the credit
card company assumes a larger share of financial risk for
both buyer and seller in a transaction.
One disadvantage to credit cards is that their transactions are
not anonymous, and credit card companies do in fact
compile valuable data about spending habits.
Record keeping with credit cards is one of the features
consumers value most because of disputes and mistakes in
billing.
The electronic payment system must ensure and maintain
privacy, security, intuitive interfaces, brokers and standards.

UNIT IV
Topic:
Introduction
Technical elements of an EDI
EDI Standards
Summary

Objectives
Understand details of the technical elements of an EDI
system:
EDI Standards
EDI as discussed before stands for Electronic Data Interchange.
This is one of the applications of E Commerce which makes
Business to Business transactions possible over a network.
Electronic data interchange (EDI) is a technology poised for
explosive growth in use as the Internet provides an affordable
way for businesses to connect and exchange documents with
customers and suppliers of any size. EDI is the electronic exchange
of business documents, data, and other information in a
public-standard format. It cuts the cost of managing
business-to-business transactions
by eliminating the need for labor-intensive manual generation and
processing of documents.
In this lecture we will discuss the EDI standards, the EDI networks
and the EDI software that interfaces these two elements and the
business applications. These elements together with the EDI
Agreement are covered in detail in this lecture.
Let’s start with EDI Standards.
EDI Standards
At the heart of any EDI application is the EDI standard. The
essence of EDI is the coding and structuring of the data into a
common and generally accepted format; anything less is
nothing more than a system of file-transfers. Coding and
structuring the documents for business transactions is no easy
matter. There have been a number of EDI standards developed
in various industry sectors or within a specific country and there
are complex committee structures and procedures to support them.
Following on from the various sectorial and national EDI
standards is the United Nations (UN) EDI Standard:
EDIFACT. This is the standard that should be adopted for any
new EDI application.
Now the question arises: why do we require EDI standards? EDI
provides an electronic linkage between two trading partners.
Business transactions are output from the sending
computer system, transmitted or transported in electronic format
and input into the second, receiving computer system. The
computer systems that exchange data need a common format;
without a common format the data is meaningless. Two
organizations that exchange data can, with relative ease, agree a
format that meets their mutual needs. As the network of exchanges
develops, the number of organizations needing to be party
to the agreement grows.
To illustrate this, assume a network of three customers (say
supermarkets) ordering goods from four suppliers (food
manufacturers), see Figure 8.1.

Fig. 8.1 Interchanges between Customers and Suppliers.


The network in Figure 8.1 has 12 separate interchanges. It is unlikely
that each of these exchanges would have its own format but it is
perfectly possible that each customer would have developed its
own standards (giving each supplier three separate standards to
cope with). It is also possible that new exchanges added to the
system will have requirements not envisaged when the data
formats were originally agreed; this would require a change to the
existing standard or the introduction of an additional standard.
The overall picture is one of unnecessary complexity and
incompatibility.
EDI standards overcome these difficulties. The EDI standard
provides, or attempts to provide, a standard for data interchange
that is:
Ready formulated and available for use;
Comprehensive in its coverage of the data requirements for
any given transaction;
Independent of hardware and software;
Independent of the special interest of any party in the
trading network.

ELECTRONIC DATA INTERCHANGE

EDI Standards provide a common language for the interchange
of standard transactions.
Most of the work on EDI standards has been concerned with the
interchange of trade documentation and financial transactions
but the principle applies to any interchange where the data can be
systematized and codified. EDI standards are used for the
interchange of information as diverse as weather station readings
and school exam results.
Now let’s see how the various standards evolve.
National and Sectorial Standards
Evolution of EDI Standards
The first EDI standards evolved from the formats used for
file transfer of data between computer applications. The
evolution of EDI standards can be seen as having three
stages (although in practice it was and is somewhat more
complex than that):
1. The first formats that might properly be called EDI were
developed by organizations that had to process data from a
large number of customer organizations. The data recipients
set the standard and the customers conformed to it.
2. The concept of EDI as an application independent
interchange standard evolved and several industry sector and
/ or national standards bodies developed EDI standards to
meet the needs of a specific user community.
3. The requirements of international and cross sector trade
meant that the sector and national standards were becoming
an impediment to the further development of electronic
trading. EDIFACT was developed, under the auspices of the
United Nations (UN), as a universal standard for commercial
EDI.
Early EDI Applications
An example of an early EDI application in the UK was the BACS
system:
BACS was and is a consortium of the major banks that provides
an automated clearing service for the transfer of money between
bank accounts. Many organisations that make a
significant number of payments (including the payroll) use this
service.
Users of the BACS system recorded the information they would
have printed as cheques on a computer file in accordance with the
format required by BACS. The data was then sent to BACS where
the payments were processed without the delay, expense and risk
of paper documents and manual data input.
The use of the system was made much easier by the availability,
for most types of computer, of standard software that output
the payment data in the required format.
In the early days the computer file would be recorded on a magnetic
tape and couriered to the BACS headquarters. Subsequently an
online submission facility was added to the service.
Sector and National EDI Standards
The use of EDI on systems such as BACS and the more general
use of online systems demonstrated the potential of EDI for the
exchange of general business documents. A number of trade
sector organizations understood this potential and developed
EDI formats for use in their sector. Some of the more notable
examples are:
ODETTE
An EDI format developed for, and widely used in, the European
motor industry. ODETTE stands for the Organisation for Data
Exchange by Teletransmission in Europe. ODETTE was predated
by VGA, a standard developed, and still used, by the German
motor industry. The motor industry is planning to move from
VGA and ODETTE to EDIFACT when the standards are stable
and their requirements are fully met.
One problem they have is that the EDIFACT standard, with its
wider application and more bureaucratic procedures, is slower to
react to evolving needs than is the case with the sector based
ODETTE standard.
Tradacoms
A UK EDI standard for general trade developed by the ANA
(Article Numbering Association) in 1982. TRADACOMS evolved
to become the predominant UK EDI standard with widespread
application in the retail and catering trades (this was in the late
1980s / early 1990s when Britain accounted for half the European
EDI activity). Other European countries also developed their own
standards for retail / general trade; examples of such standards
are SEDAS in Germany and GENCOD in France. TRADACOMS
and the other national standards mentioned here are looking to
evolve to, or convert to EDIFACT - a slow process given the
investment in the existing standards.
(The ANA is the body responsible for the allocation and
administration of the product codes used for the bar codes on
grocery and other items; product coding has an important role to
play in EDI systems).
ANSI X12
EDI in North America developed with differing standards in the
various business sectors. Examples of such standards are UCS
for the grocery industry and ORDERNET for the
pharmaceutical trade (Sokol, 1989). Electronic trade had developed
rapidly in North America and the problems of cross sector trade
were becoming apparent. The problem was taken up by the
American National Standards Institute (ANSI) and X12 was
developed as a national standard with the aim of replacing the
various sector standards.
The International EDI Standard
As already outlined, EDI developed in closed user communities
within trade sectors and / or national boundaries. The use of
sector and national standards for this type of trade was
satisfactory. However, as electronic trade developed to cover wider
trading relationships there was a growing problem of trade between
organisations using different EDI standards.
In addition to the problem of cross sector trade there is a desire to
use EDI for international trade. This (sensibly) requires a common
format for the exchange of the standard business forms (order,
invoice, etc.) between organisations in differing countries.
International trade also requires a great deal of additional
documentation for shipping, customs authorities, international
credit arrangements, etc. - all of this is potentially electronic and
obviously a common format is very desirable. To facilitate this
cross sector and international development of EDI the EDIFACT
standard has been, and is being, developed.
EDIFACT is the United Nations standard of Electronic Data
Interchange for Administration, Commerce and
Transport. The EDIFACT standard was born in the mid-1980s
out of a United Nations Economic Commission for Europe
(UNECE) committee and is supported by the Commission of
the European Union.
Underlying the EDIFACT initiative are various UN attempts to
standardize on trade documentation. These specify, for example,
standards for the layouts of invoices (a provision of some
importance for organisations processing many hundreds of
invoices from numerous sources). Notable amongst the standards
documentation is the UN Trade Data Element Directory, a subset
of which forms the EDIFACT Data Element Directory.
EDIFACT effectively assumed a world role when the Americans
accepted it as the world standard (while retaining their own ANSI
X12 standard for domestic use in the short term):
The acceptance by the North Americans of EDIFACT as the
international standard was somewhat surprising. ANSI had done
a lot of development work on the X12 standard and
EDIFACT was, at that time, essentially a European standard.
Since 1988 the use of EDI has been vigorously promoted by the
European Union (EU) through its TEDIS programme. TEDIS
has promoted EDI through sectorial organisations but has also
emphasised intersectorial trade. EDIFACT is seen as the common
standard and as vital for electronic trade within the ‘single market’
- funds have been made available for industry sectors to change
from their existing EDI standard to EDIFACT.
EDIFACT has been adopted as the EDI standard of choice by
countries and sectors new to EDI. In Europe, countries such as
the Netherlands, Denmark and Norway have been noted for their
recent development of EDI with EDIFACT as the predominant
standard. Electronic trade is also developing outside Europe and
North America; Australia and Singapore have been much written
about with EDIFACT being the standard of choice. The
importance of a single international standard has been recognised
by many sectors currently using their own EDI standards. Many
sector and national standards are being replaced or are ‘evolving’
towards the EDIFACT standard; included in this process are
ODETTE, TRADACOMS and ANSI X12, a development already
mentioned above.
The EDIFACT Standard
The EDIFACT standard, like all other EDI standards, is about
the exchange of (electronic) documents - for EDIFACT each
document type is referred to as a message. For trade purposes the
documents include order, dispatch advice, invoice, payment order
and remittance advice. For transmission purposes EDIFACT
messages are sent in an electronic envelope known as an
interchange. Note this is the data standard and is separately defined
from any enveloping requirement of the transmission protocol.
Within that interchange there may well be a number of messages.
Messages equate to the trade documents and order and invoice are
prime examples.
The messages themselves are made up of a series of data segments.
Data segments encode a single aspect of the trade document, for
instance the order date or the buyers name and address. Each
EDIFACT message specifies a great number of data segments
and individual data segments may be components of a number
of messages. The users of the message select the data segments
that are applicable to their particular needs.
Data segments are, in turn, made up of a tag and a number of data
elements. The tag identifies the data segment and the data elements
give the codes and / or values required in the document (message).
The data elements include the codes and values for items such as
date and address code but they are frequently used in combination
with type or qualifier data items to specify the format of the data
and its use; for instance a date could be the order date and be in
eight digit century format. The requirement to use data elements
together forms a composite data element. This structure of the
EDIFACT message is shown in Figure 8.2. The function groups
have been omitted; these are an intermediary level between the
interchange and the message but they are not normally
implemented.
Fig. 8.2 EDIFACT Structure Chart (Simplified).
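As an added worked example (not from the course text), the following Python parses a small, constructed EDIFACT interchange into the structure just described: the UNB..UNZ interchange envelope, UNH..UNT messages, segments with their tags, and data elements split into components, honouring the "?" release character. It also checks the segment count and message count declared in UNT and UNZ, a cheap integrity test a receiving system should make before handing the data to its application. The party codes, references and order content in the sample are made up.

```python
"""Minimal EDIFACT interchange parser (added example, not from the course text).

Assumes the default EDIFACT service characters:
  '  segment terminator      +  data element separator
  :  component separator     ?  release character (escapes the next character)
"""
from dataclasses import dataclass, field
from typing import List

SEG_END, ELEM_SEP, COMP_SEP, RELEASE = "'", "+", ":", "?"


def split_edifact(text: str, sep: str, unescape: bool = False) -> List[str]:
    """Split on sep, skipping separators preceded by the release character.

    With unescape=False the '?x' pairs are kept, so the same text can be split
    again at the next level; the innermost split unescapes them."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == RELEASE and i + 1 < len(text):
            cur.append(text[i + 1] if unescape else ch + text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


@dataclass
class Segment:
    tag: str
    elements: List[List[str]]  # one list of components per data element

    def comp(self, elem: int, index: int = 0) -> str:
        """Component `index` of data element `elem` ('' if absent)."""
        try:
            return self.elements[elem][index]
        except IndexError:
            return ""


def parse_segment(raw: str) -> Segment:
    fields = split_edifact(raw, ELEM_SEP)
    return Segment(fields[0], [split_edifact(f, COMP_SEP, unescape=True) for f in fields[1:]])


@dataclass
class Interchange:
    sender: str
    recipient: str
    reference: str
    messages: List[List[Segment]] = field(default_factory=list)


def parse_interchange(text: str) -> Interchange:
    """Unpack a UNB..UNZ envelope into UNH..UNT messages, verifying the declared counts."""
    segs = [parse_segment(s) for s in split_edifact(text.replace("\n", ""), SEG_END) if s.strip()]
    if not segs or segs[0].tag != "UNB" or segs[-1].tag != "UNZ":
        raise ValueError("not a UNB..UNZ interchange")
    unb, unz = segs[0], segs[-1]
    ic = Interchange(sender=unb.comp(1), recipient=unb.comp(2), reference=unb.comp(4))
    current: List[Segment] = []
    for seg in segs[1:-1]:
        if seg.tag == "UNH" and current:
            raise ValueError("UNH while previous message still open")
        current.append(seg)
        if seg.tag == "UNT":
            # UNT carries the segment count (UNH and UNT included) and the message reference
            if int(seg.comp(0)) != len(current) or seg.comp(1) != current[0].comp(0):
                raise ValueError(f"UNT count/reference mismatch in message {current[0].comp(0)}")
            ic.messages.append(current)
            current = []
    if current:
        raise ValueError("last message not closed by UNT")
    if int(unz.comp(0)) != len(ic.messages) or unz.comp(1) != ic.reference:
        raise ValueError("UNZ message count/reference mismatch")
    return ic


def order_lines(message: List[Segment]) -> List[tuple]:
    """(line number, item code, code qualifier) per LIN segment, e.g. ('1', '5000157001719', 'EN')."""
    return [(s.comp(0), s.comp(2, 0), s.comp(2, 1)) for s in message if s.tag == "LIN"]


# Constructed sample: one ORDERS message; party codes, references and quantities are made up.
SAMPLE = (
    "UNB+UNOA:2+5012345000008:14+5098765000004:14+240101:1200+REF001'\n"
    "UNH+1+ORDERS:D:96A:UN'\n"
    "BGM+220+PO4711+9'\n"
    "DTM+137:20240101:102'\n"
    "NAD+BY+5012345000008::9'\n"
    "NAD+SU+5098765000004::9'\n"
    "FTX+AAI+++Deliver to bay 3?+4'\n"  # '?+' is a literal plus sign inside free text
    "LIN+1++5000157001719:EN'\n"
    "QTY+21:48'\n"
    "LIN+2++5000157002075:EN'\n"
    "QTY+21:24'\n"
    "UNT+11+1'\n"
    "UNZ+1+REF001'\n"
)

if __name__ == "__main__":
    ic = parse_interchange(SAMPLE)
    print(ic.sender, "->", ic.recipient, f"{len(ic.messages)} message(s)")
    print(order_lines(ic.messages[0]))  # [('1', '5000157001719', 'EN'), ('2', '5000157002075', 'EN')]
```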
Coding Standards
The EDI standard provides the common format for the message
but just as important is the ability to correctly interpret the data
held within that format. Data in computer systems normally has
a code as a key. Computer systems have codes for customers,
suppliers, products and so on. For EDI it is preferable to send the
codes rather than the associated names, addresses and descriptions.
The use of codes cuts down the size of the transmitted message
and, provided the codes are mutually agreed, they can be used to
match the appropriate records in the receiving computer system.
EAN/UPC Codes
For the grocery and general retail trade there are standard systems
of coding. These are used for bar codes on merchandise and to
identify address points within the participating organisations; they
are also used in EDI messages. The two main systems are:
EAN European Article Number
UPC Universal Product Code (American)
The coding systems are administered by the national Article
Numbering Associations (ANA). These organizations have also
been closely involved in the development of EDI; the British
ANA developed the TRADACOMS EDI standard that was discussed
earlier in this chapter.
The EAN and the UPC systems are similar. The EAN is a 13 digit
code with a two digit country code whereas the UPC is a 12 digit
code with only a single digit for the country. The makeup of the
EAN code is shown in Figure 8.3.
Fig. 8.3 EAN Coding System.
The check digit calculation, for the product code, uses a modulus
10 algorithm. This is calculated by multiplying alternate digits
of the code by 1 and 3 respectively. The results of these
multiplications are summed and the check digit is the difference
between that sum and the next highest multiple of 10, see Figure
8.4.

Fig. 8.4 EAN Checkdigit Calculation.


For very small items, eight digit (EAN-8) codes can be allocated.
This is so that the smaller bar code can be printed on individual
items.
The EAN code in the example above is a product code for a 420
gram tin of Heinz Baked Beans. Each Heinz product has the
same manufacturer’s prefix but a different item code allocated by
the company, for example:
Baked Beans - 420 gram tin: 50 00157 00171 9
Cream of Tomato Soup - 300 gram tin: 50 00157 00207 5
Baked Beans - 205 gram tin: 50 00157 00023 1
In the EDI Order message these codes can be used in the order
line, e.g. the line: LIN+1++5000157001719:EN'
EAN address point codes are used in EDI messages to identify the
sender and receiver of the message. Address point codes are similar
to the product code; the country and manufacturer’s prefix are the
same as for the company’s products but the check digit calculation
differs for the two usages. The sender of the order may wish to
specify a number of locations; for instance an order, in addition to
the buyer and supplier, might identify:
The Delivery Point - the warehouse where the goods will be delivered;
The Invoice Point - the head office where the invoice is to be sent.
The EDIFACT order message provides for up to 20 name and
address segments (NAD) to be sent in an order.
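The check digit rule above, as an added Python example (not from the course text): it recomputes the check digit for the three Heinz product codes quoted above and wraps a validated code into the LIN order line shown. The weights are applied from the right-hand end, which gives the 1,3,1,3... sequence of Figure 8.4 for 13-digit codes and also covers EAN-8 and 12-digit UPC codes (the GS1 rule; the EAN-8 value is a sample chosen for illustration). As the text notes, address point codes are calculated differently and are not handled here; the test also shows the known limitation that two adjacent digits differing by 5 can be swapped without the check digit noticing.

```python
"""EAN/UPC modulus-10 check digit and its use in an EDIFACT LIN segment.

Added example, not from the course text.  The weights are applied from the
right-hand end (3 on the digit next to the check digit), which is the GS1 rule:
for a 13-digit EAN it is the 1,3,1,3... sequence of Figure 8.4 read from the
left, and the same loop also handles EAN-8 and 12-digit UPC codes.
"""
from typing import Tuple


def weighted_sum(body: str) -> int:
    """Sum of the digits of `body` (code without its check digit) times 3,1,3,1... from the right."""
    if not body.isdigit() or len(body) not in (7, 11, 12):  # EAN-8, UPC-A, EAN-13 bodies
        raise ValueError(f"unsupported code body: {body!r}")
    return sum(int(ch) * (3 if i % 2 == 0 else 1) for i, ch in enumerate(reversed(body)))


def check_digit(body: str) -> int:
    """Difference between the weighted sum and the next multiple of 10 (0 if it already is one)."""
    return (10 - weighted_sum(body) % 10) % 10


def is_valid(code: str) -> bool:
    """True if an 8-, 12- or 13-digit code (spaces allowed, as in '50 00157 00171 9') checks out."""
    digits = code.replace(" ", "")
    return (digits.isdigit() and len(digits) in (8, 12, 13)
            and check_digit(digits[:-1]) == int(digits[-1]))


def lin_segment(line_no: int, ean: str) -> str:
    """Build the order line LIN+<n>++<ean>:EN' after validating the check digit."""
    digits = ean.replace(" ", "")
    if not is_valid(digits):
        raise ValueError(f"check digit failure, refusing to send {ean}")
    return f"LIN+{line_no}++{digits}:EN'"


def worked_example(code: str) -> Tuple[int, int]:
    """(weighted sum, check digit) for a code, as Figure 8.4 lays the calculation out."""
    digits = code.replace(" ", "")
    return weighted_sum(digits[:-1]), check_digit(digits[:-1])


# The three product codes quoted in the text, plus a sample EAN-8 value for illustration.
HEINZ = {
    "Baked Beans 420 g": "50 00157 00171 9",
    "Cream of Tomato Soup 300 g": "50 00157 00207 5",
    "Baked Beans 205 g": "50 00157 00023 1",
}
EAN8_SAMPLE = "96385074"

if __name__ == "__main__":
    for name, code in HEINZ.items():
        total, cd = worked_example(code)
        print(f"{name}: weighted sum {total}, check digit {cd}, valid={is_valid(code)}")
    print(lin_segment(1, HEINZ["Baked Beans 420 g"]))  # LIN+1++5000157001719:EN'
    print("EAN-8 sample valid:", is_valid(EAN8_SAMPLE))
    # Limitation: swapping the adjacent digits 5 and 0 at the front is not detected.
    print("5/0 swap still passes:", is_valid("0500157001719"))
```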
Generic Products
EAN codes are appropriate for ordering branded products. They
are not applicable where the requirement is for a generic product.
This circumstance may not arise when baked beans are ordered
(we all tend to have our preferences for a particular brand) but the
order might be for:
A generic product, e.g. red biros (any old red biros), or
A commodity product, e.g. sheet steel or paper.
Product coding in these circumstances is either agreed between
customer and supplier or there is an agreement on an industry
sector basis. The paper and board trade is one such industry where
coding conventions have been agreed -to specify grams / sq. cm,
direction of fibre, size of sheet, etc. Coupled with such a convention
is the need for an understanding of the ‘pack quantity’. It is
unfortunate if an order for 1,000 sheets of paper is interpreted as
an order for 1,000 reams (and it has happened!).
Summary:
The essence of EDI is the coding and structuring of the data
into a common and generally accepted format; anything less
is nothing more than a system of file-transfers.
The first EDI standards evolved from the formats used for
file transfer of data between computer applications.
An example of an early EDI application in the UK was the
BACS system.
To facilitate the cross sector and international development
of EDI the EDIFACT standard has been, and is being,
developed. EDIFACT is the United Nations standard of
Electronic Data Interchange for Administration, Commerce
and Transport
Topic:
Introduction
EDI Network
Summary

Objectives
Understand details of the technical elements of an EDI
system:
EDI Networks
After discussing EDI standards and coding, let’s see how
the transmission of electronic data takes place and what the
requirements for this electronic transmission are.
EDI Communications
The EDI standard specifies the syntax for the coding of the
electronic document; it does not specify the method of
transmission. The transmission of the electronic document can
be:
A magnetic tape or diskette that is posted or dispatched
using a courier service.
A direct data communications link.
A value added data service (VADS), also known as a value
added network (VAN).
The physical transfer of magnetic tape or diskette is one way of
transmitting EDI messages. However, one of the advantages of
EDI is speed of transmission and this is hardly facilitated by the
physical transportation of the diskette or tape. For this, and other
reasons, this way of transmitting EDI is declining in popularity.
The use of direct data communications links is the second
possibility. It can be appropriate for trading relationships where
there are large data volumes or where there are only one or two
trading partners involved. It does, however, have a number of
complications. It presumes that the trading partners agree
transmission times, protocols and line speeds – requirements
that become complex when there are several trading partners, some
of them involved in a number of trading relationships. The final
possibility is the use of a VADS. These can provide a number of
facilities but the essential is the use of postboxes and mailboxes
to provide ‘time independence’ and ‘protocol independence’. The
facilities of a VADS are further discussed in the following sections.
Postboxes and Mailboxes
The basic facility of a VADS is a post and forward network. This
network is centered on a computer system with communications
facilities. For each user of the system there are two files:
The postbox - where outgoing messages are placed.
The mailbox - where incoming messages can be picked up.
Taking the trading network shown at Figure 12.1, the postbox
and mailbox arrangement of the VADS would be as shown at
Figure 9.1.

Fig. 9.1 VADS – Postbox and Mailbox Files.


If Sava Store, for example, needed to place orders for bread, meat
and vegetables then it formats an EDI interchange containing a
number of orders for those three suppliers. The sequence of
events would then be:
Sava Store establishes a communication link to the VADS
system. Sava Store makes extensive use of the system and
has a leased line communications link.
The VADS computer system inspects postboxes, unpacks
the interchanges, moves any available messages (orders in
this case) to the mailbox of the intended recipients and
repackages them as new interchanges. The inspection of
postboxes is frequent and, to all intents and purposes, the
interchanges are immediately available to the recipient.
The users of the system establishes a communication link
to the VADS system at their convenience. Best Bread is the
first user of the system to come online, in this case the
communications link is a dial-up line.
Best Bread inspects its mailboxes for new interchanges. On
finding the order from Sava Store (and possibly further
interchanges from other customers) it causes them to be
transmitted to its own order processing system.
The EDI interchange is then available for processing in the user’s
application. See Figure 9.2 for a diagram of this interchange taking
place.

ELECTRONIC DATA INTERCHANGE

Fig. 9.2 VADS – Example Interchange.


The post-box / mailbox system is also referred to as a 'store and
forward' system. The two principal advantages of such a system
are:
Time Independence
The sending and receipt of the interchange are asynchronous. The
two processes can be carried out at the convenience of the users
involved. The first user may send all its EDI transmissions, to all
its trading partners, in a single batch, at the end of its overnight
processing run. The individual interchanges can then be picked up
by the trading partners, at their individual convenience.
Protocol Independence
The type of communications link to be used is an option available
to each user of the VADS system. Low volume users will probably
opt for a dial-up modem link whereas high volume users may
well use a leased line or a packet switching network. The VADS
supplier makes available a wide variety of communications facilities
and has the ability to handle a range of protocols. The transmission
protocol envelope is stripped off incoming interchanges leaving
just the EDI interchange. Interchanges are then re-enveloped with
the transmission protocol appropriate to the recipient when they
are retrieved from the mailbox.
Value Added Data Services
A number of organizations have set out to provide VADS. The
basic and most important facility of the VADS is the postbox /
mailbox provision. There are, however, a number of further
facilities that can be made available; some or all of them may be
provided by any particular VADS provider.
Trading Community
An established EDI VADS will have a large number of clients all
with an interest in electronic trade. There is a tendency for
organisations in a particular trade sector to concentrate on one
particular VADS (there are instances of formal agreements between
a trade sector organisation and a VADS). Joining the appropriate
VADS can ease access to new electronic trading partners.
Inter-network Connections
A VADS facilitates trade between partners that subscribe to the
same VADS but not between partners that might be using different
VADS services - not infrequently organisations have joined more
than one VADS to overcome this problem. A number of the
VADS have made inter-network agreements that provide for the
passing of interchanges between them.
International Connections
Many VADS are nationally based with a single computer service
providing the switching service - a set-up that is appropriate for
domestic trade. A number of VADS are part of international
organisations or have alliances with VADS in other countries,
thus facilitating international trade.
Privacy, Security and Reliability
A commonly expressed concern of EDI users is the privacy of the
system and the security of their messages (a concern that can seem
exaggerated given the relative insecurity of the postal system that
EDI might be replacing). Privacy provisions will normally include
user-id / password protection of postboxes and mailboxes. The
setting up of a trading relationship can also be under user control,
with both users required to enter the appropriate control message
before the exchange of messages can take place. The EDI message
can also be encrypted or can include an electronic signature
(provisions that are not dependent on the VADS and, unlike the
mailbox password, also protect the message from the VADS
operator itself).
Security will be built into the VADS system - it is important to the
users and to the reputation of the VADS that messages are not
lost. The service must also be reliable - the VADS should have an
appropriate hardware and software configuration so that it can
ensure the continuous availability of its service.
Message Storage and Logging
Users of the VADS would normally have control over the retrieval
and retention of messages in their mailbox. New messages can be
called off selectively or in total. Once a message has been called off
it will be marked as no longer new but it can still be retained in the
mailbox (and it is worthwhile making use of this facility until the
message is secure in the users system).
As part of its service provision the VADS may well have a message
logging facility. This provides an audit trail of when the message
arrived in the VADS, when the recipient retrieved it and when it
was eventually deleted. This is a useful provision should messages be
lost; the result of an enquiry is normally to prove a fault in one of
the users' systems / procedures rather than any fault in the operation
of the VADS.
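The postbox / mailbox switching and the logging facility described above, as an added worked example in Python (not from the book): a store and forward switch in which each party has a postbox and a mailbox, retrieval marks a message as no longer new but retains it until the recipient deletes it, and every event is logged so that a 'lost' message can be traced. The party names, message references and times are constructed for illustration.

```python
"""Added example (not from the book): a minimal store-and-forward VADS with
postboxes, mailboxes and a message log.  Party names and times are assumed."""
from datetime import datetime


class Vads:
    """Post-and-forward switch.  Each user has a postbox (outgoing) and a
    mailbox (incoming); the switch run moves messages between them."""

    def __init__(self):
        self.postboxes = {}   # user -> list of (recipient, ref, body)
        self.mailboxes = {}   # user -> list of dicts describing stored messages
        self.log = []         # audit trail: (time, event, sender, recipient, ref)

    def post(self, sender, interchange, now):
        """Sender places one outgoing interchange: a list of (recipient, ref, body)."""
        self.postboxes.setdefault(sender, []).extend(interchange)
        for recipient, ref, _body in interchange:
            self.log.append((now, "posted", sender, recipient, ref))

    def switch(self, now):
        """The frequent VADS run: unpack every postbox and sort its messages
        into the recipients' mailboxes, where they are 'new' until retrieved."""
        for sender, items in self.postboxes.items():
            for recipient, ref, body in items:
                self.mailboxes.setdefault(recipient, []).append(
                    {"from": sender, "ref": ref, "body": body, "new": True, "arrived": now})
                self.log.append((now, "arrived", sender, recipient, ref))
            items.clear()

    def retrieve(self, recipient, now):
        """Called off at the recipient's convenience (time independence).
        Messages are marked no longer new but retained until delete()."""
        picked = [m for m in self.mailboxes.get(recipient, []) if m["new"]]
        for m in picked:
            m["new"] = False
            self.log.append((now, "retrieved", m["from"], recipient, m["ref"]))
        return [(m["from"], m["ref"], m["body"]) for m in picked]

    def delete(self, recipient, ref, now):
        """Remove a message once it is safely in the recipient's own system."""
        box = self.mailboxes.get(recipient, [])
        keep = [m for m in box if m["ref"] != ref]
        if len(keep) == len(box):
            return False
        self.mailboxes[recipient] = keep
        self.log.append((now, "deleted", None, recipient, ref))
        return True


def trace(vads, ref):
    """What the logging facility answers when a message is said to be lost."""
    return [(t.strftime("%H:%M"), event) for t, event, _s, _r, r in vads.log if r == ref]


def demo():
    """Sava Store posts overnight; a supplier dials in next morning (times constructed)."""
    v = Vads()
    v.post("SavaStore", [("BestBread", "ORD4711", "order: 240 white loaves"),
                         ("FreshMeat", "ORD4712", "order: 60 kg mince")],
           datetime(2024, 3, 5, 2, 0))
    v.switch(datetime(2024, 3, 5, 2, 1))
    first = v.retrieve("BestBread", datetime(2024, 3, 5, 7, 15))
    second = v.retrieve("BestBread", datetime(2024, 3, 5, 7, 16))   # nothing new
    v.delete("BestBread", "ORD4711", datetime(2024, 3, 5, 7, 30))
    return v, first, second
```

The FreshMeat order stays in its mailbox, unread, until FreshMeat dials in; nothing about Sava Store's overnight timing constrains when that happens, which is the time independence the text describes.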
Message Validation
A number of VADS will provide a service that validates EDI
messages for conformance with the chosen EDI standard and
returns an invalid interchange to its sender rather than forwarding
it. This service is optional and normally incurs an extra charge.
Local Access
VADS, despite their alternative name of Value Added Network,
are message switching services, not network services. The cost of
the connection from the user to the VADS can be reduced by
using a local access node or a packet switching service. The time
independence provided by the VADS gives the user the option
of accessing the service when cheap rate telephone charges apply.
Charges
The VADS is a commercial organisation and charges for its services.
The charges tend to be a combination of:
Subscription: a monthly or annual subscription.
Usage charge: a charge for the number of characters transmitted.
Differing VADS apply these charges in differing combinations - in
theory a user could select the VADS with the charging structure
that gave it most advantage - in practice users choose the VADS
already used by their trading partners. For the Pens and Things
example, the VADS that is most likely to be adopted is that already
used by Packaging Solutions.
Software and Consultancy
Network providers tend to have considerable experience in EDI
and an interest in promoting its widespread adoption. Most
VADS providers supply (or sell) EDI software that provides for
easy access to their own network. These VADS providers will also
provide consultancy and training - the basic provision concerns
the use of the software and the network but there can also be
consultancy on the business use of EDI within the organisation.
Summary:
Electronic Data Interchange is one of the applications of E
Commerce which makes Business to Business transactions
possible over a network.
EDI standards are required so that the computer systems
can exchange data in a common format.
EDIFACT is the United Nations standard of Electronic
Data Interchange for Administration, Commerce and
Transport.
VADS stands for Value Added Data Services. The basic
facility of a VADS is a post and forward network which is
Time and Protocol independent. VADS is also known as
VAN (Value Added Network).

Topic:
Introduction
EDI Implementation
Summary

Objectives
Understand details of the technical elements of an EDI system:
EDI Implementation
Now we will discuss the physical implementation of EDI.
EDI on the Internet
Recently a number of organisations have started using the Internet
as an EDI VADS. Using the Internet provides the basic store and
forward facilities but not necessarily the other features of a VADS
service that are listed above. Security and reliability are two of the
major concerns: unlike the traditional VADS, the Internet does
not guarantee the safe delivery of any data you send into it, so
delivery confirmation, integrity and privacy have to be provided by
the EDI software at each end (acknowledgements, digital signatures
and encryption are discussed under EDI Security below). The
plus side of using the Internet is that it is cheaper than any of the
commercial networks that provide specific EDI VADS services.
EDI Implementation
The final technical element of the EDI system is the EDI software.
If a company is to send an order from its production control
system to Packaging Solutions it needs to code that order into the
agreed EDI standard and ‘squirt’ it into the chosen VADS. To
pick up the order at the other end, Packaging Solutions has a
similar need to extract the data from the network and to decode
the data from the EDI message into its order processing system.
The coding / decoding of the EDI message and the interfacing
with the VADS is normally achieved using EDI Software. The
overall picture is summarized in Figure 10.1.

Fig. 10.1 Sending an order using EDI Software.


EDI Software
The EDI software is normally bought in from a specialist supplier.
There are a number of software houses supplying EDI solutions,
or the EDI software may come from:
A major trading partner - the trading partner may supply the
software or recommend a third party supplier.
The VADS supplier.
As part of an application package, e.g. packaged software for
production control, order processing or accounting may
include EDI software as an integral feature or as an optional
module.
A third party. An example of this is that a number of banks
provide EDI solutions that include the collection of and
accounting for electronic payments.
Obtaining EDI software from an 'interested' party has both
advantages and disadvantages. If the software is, for example,
bought from the VADS supplier then, hopefully, there would not
be any problem interfacing with the chosen network but using an
additional VADS or switching to a new network supplier may be
more problematic.
The basic functions of the EDI Software are the two already
outlined, namely:
Coding business transactions into the chosen EDI Standard;
Interfacing with the VADS.
Many EDI software suppliers provide additional functions. These
may include:
A trading partner database integrated into the EDI
Software. This can provide for code translation (e.g. internal
customer codes to a trade sector standard code) and / or for
the specification of the EDI requirements of each trading
partner;
Support of multiple EDI Standards. The selection of the
appropriate standard may be determined by the trading
partner database;
Sophisticated facilities to ease the formatting of internal
application data to and from the EDI Standard. ‘Drag and
drop’ interfaces are available for this purpose. Various EDI
Software suppliers have associations with the large suppliers
of business applications (production planning, order
processing, etc.) and provide standardised interfaces to those
packages;
Facilities for transactions to be sent by fax or e-Mail to
customers that do not use EDI. The identification of such
customers may be determined by the trading partner
database;
Interfacing with a variety of EDI VADS (including the
Internet). The selection of the appropriate VADS may be
determined by a trading partner database;
The option to encrypt the EDI Message;
Facilities for the automatic acknowledgement of the EDI
message;
Message tracking and an audit trail of messages sent and
received;
Direct input and printed output of EDI transactions
allowing free standing EDI operation - in effect the EDI
system provides the service of a fax machine.
EDI Software is available on a variety of platforms from the basic
PC up to a mainframe system. As with all classes of software the
price varies: the basic PC packages starting at (say) 500 pounds
sterling / 800 US dollars and the price then goes up from there for
the larger machines, additional facilities and services such as
consultancy. For some EDI software the support of each standard
and / or VADS is an additional plugin that is paid for separately.
Yearly maintenance charges, that include updates as the new
versions of the EDI Standards are released, tend to be quite hefty.
At the top of the range is the concept of an EDI Corporate
Interface. This software, often mounted on its own, mid range,
machine acts as a central clearing house for all the e-Commerce
transactions of a large organisation. The external interfaces can
link to several EDI VADS’s and translate to a variety of EDI
Standards to meet the needs of a large number of trading partners.
The internal interfaces can link to a number of business systems
such as order processing and accounts payable, possibly systems
that are replicated across the various divisions of the organisation.
The system can also be used for intra organizational transactions
- if the interface for external customers and suppliers uses EDI,
why not use the same interfaces for trades between divisions of
the organisation.
EDI Integration
EDI software will do its job well at a relatively modest price. What
pre-packaged EDI software cannot do is automatically integrate
with the business application and a comprehensive solution to
this requirement can take a lot of time and cost a lot of money.
The simple way to implement EDI is not to link the EDI software
and the applications - a set-up sometimes referred to as EDI-Fax
or EDInterruptus. This is, of course, the route followed by
many organisations when they first start and persisted with by
many small organisations who are only 'doing EDI' because a
large trading partner has told them to. In this mode of operation:
Incoming EDI messages are printed out from the EDI
software and then manually keyed into the business
application that they are intended for;
Outgoing EDI messages are extracted from the business
application and typed into the EDI software for formatting
and onward transmission.
The use of EDI in this way ensures that the transactions get
through quickly (hence the term EDI-Fax) but it rules out any of
the other advantages of using EDI. For full integration of the
business application and the EDI Software there needs to be an
interface to transfer data from the business application to the EDI
software and vice versa. To ease this process, most EDI software
provides for a 'flat file' interface. If the data to be sent is (say) an
order then the business application can be modified so that:
The supplier record in the order processing system has an
indicator to say that its orders are to be sent via EDI;
The order print run is modified so that orders for EDI
capable suppliers are not printed;
An additional run is included to take the orders from the
EDI capable suppliers and format the data onto the flat file;
The flat file is accessed by the EDI software and, using user
supplied parameters, the order data is formatted into the
required EDI standard and posted into the VADS.
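The flat file route above, as an added example (not the book's code or any vendor's EDI software): a Python run that reads the flat file written by the order processing system and formats it into an EDIFACT ORDERS interchange, one interchange per supplier because the interchange header names a single recipient. The flat-file layout, the EAN-style party and article codes, the message version (D:96A) and the timestamp are assumptions; the segment count in UNT and the message count in UNZ are the standard's own controls and are computed rather than typed.

```python
"""Added example (not from the book): the 'additional run' that reads the
flat file written by the order processing system and formats it as an
EDIFACT ORDERS interchange.  Flat-file layout, party and article codes and
the D:96A message version are assumptions."""
from datetime import datetime

SENDER = "5412345000013"   # constructed GLN for the buyer

# Constructed flat file: record type, order no, date, supplier, article,
# description, quantity.  One line per order line.
FLAT_FILE = """\
ORD|PO4711|20240305|5412345000020|5012345678900|WHITE LOAF 800G|240
ORD|PO4711|20240305|5412345000020|5012345678917|SALT 'N' VINEGAR CRISPS|48
ORD|PO4713|20240305|5412345000020|5012345678900|WHITE LOAF 800G|100
ORD|PO4712|20240305|5412345000037|5012345678924|MINCED BEEF 1KG|60
"""

RELEASE, SPECIALS = "?", "+:'?"


def escape(value):
    """Prefix service characters with the release character (UNA default '?')
    so that data such as SALT 'N' VINEGAR is not read as a segment end."""
    return "".join(RELEASE + c if c in SPECIALS else c for c in str(value))


def parse_flat_file(text):
    """Group order lines by order number, preserving the file order."""
    orders = {}
    for raw in text.splitlines():
        rec, po, date, supplier, article, desc, qty = raw.split("|")
        if rec != "ORD":
            raise ValueError("unexpected record type %r" % rec)
        order = orders.setdefault(po, {"date": date, "supplier": supplier, "lines": []})
        order["lines"].append((article, desc, int(qty)))
    return orders


def build_message(po, order, msg_ref):
    """One ORDERS message; UNT carries the segment count including UNH and UNT."""
    segs = ["UNH+%s+ORDERS:D:96A:UN" % msg_ref,
            "BGM+220+%s+9" % escape(po),
            "DTM+137:%s:102" % order["date"],
            "NAD+BY+%s::9" % SENDER,
            "NAD+SU+%s::9" % order["supplier"]]
    for n, (article, desc, qty) in enumerate(order["lines"], 1):
        segs += ["LIN+%d++%s:EN" % (n, article),
                 "IMD+F++:::%s" % escape(desc),
                 "QTY+21:%d" % qty]
    segs.append("UNS+S")
    segs.append("UNT+%d+%s" % (len(segs) + 1, msg_ref))   # +1 for UNT itself
    return segs


def build_interchanges(orders, prepared=datetime(2024, 3, 5, 18, 30)):
    """One interchange per supplier (UNB names a single recipient), each holding
    that supplier's orders.  UNZ carries the message count and repeats the UNB
    control reference.  Returns {supplier: interchange text}."""
    by_supplier = {}
    for po, order in orders.items():
        by_supplier.setdefault(order["supplier"], []).append((po, order))
    out = {}
    for n, (supplier, items) in enumerate(sorted(by_supplier.items()), 1):
        ref = "%06d" % n
        segs = ["UNB+UNOA:3+%s:14+%s:14+%s:%s+%s" % (
            SENDER, supplier, prepared.strftime("%y%m%d"), prepared.strftime("%H%M"), ref)]
        for m, (po, order) in enumerate(items, 1):
            segs += build_message(po, order, "%s%02d" % (ref, m))
        segs.append("UNZ+%d+%s" % (len(items), ref))
        out[supplier] = "UNA:+.? '" + "'".join(segs) + "'"   # UNA states the delimiters
    return out
```

The output text for each supplier is what the EDI software posts into the VADS; the supplier's EDI software will recompute the UNT and UNZ counts on receipt and reject the interchange if they disagree.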
The reverse process is used for incoming EDI messages. This will
involve the creation of a batch input routine to run in parallel with
the online facilities utilized by most business
applications. The additional worry with incoming EDI messages
is validation. For orders, invoices and any other data manually
input into a business application there will be (or should be)
comprehensive primary and secondary validation built into the
system and there is a human operator there to deal with any
queries.
For EDI messages there will not be any keying errors at the receiving
end but there is (normally) no guarantee that the data sent by the
trading partner is correct or acceptable. Arguably the EDI routines
taking input messages need all the same validation checks as the
equivalent manual input routines and there need to be procedures
for correcting the problems or informing the trading partner and
getting them to transmit a corrected message.
EDI Operation
Once the EDI system is set up it, like any other data processing
system, needs careful and systematic operation. A big difference
between electronic transactions and their paper equivalents is that
with electronic transactions there is no paperwork to fall back on
should anything go wrong. In these circumstances, therefore, it is
sensible to keep a security copy of all incoming transactions -
preferably in their EDI format as soon as they enter the system.
This then gives a fall-back position should any data be lost or
corrupted and is an aid to the diagnosis of any problems.
The second aspect to EDI operation is how often should the
system be run. EDI has been implemented, in part at least, to cut
down transaction cycle time and there is no point in reintroducing
unnecessary delays. For many organisations a daily download from
the mailbox and processing run is sufficient - however, this is not
entirely satisfactory if the daily run is timed for an hour before a
major trading partner sends out their daily orders. In some
circumstances, such as just-in-time manufacture in the vehicle
assembly business, cycle times can be as short as one hour and
obviously order processing needs to be very frequent / real-time.
Sample EDI Application
WebLogic Integration provides an EDI sample application that
demonstrates how WebLogic Integration with the EDI Connect
for WebLogic Integration add-on can be used to exchange EDI
purchase-order information over a VAN. In the sample application,
a supplier trading partner uses the EDI integration functionality
of WebLogic Integration to connect to a buyer over a VAN.
The interactions between the buyer and supplier occur in the
following sequence:
1. A buyer trading partner submits an EDI purchase order,
over a VAN to the supplier.
2. The EDI-to-XML transformation engine bundled with
Power.Server! converts the purchase order to XML.
3. The XML document triggers a business process in the
supplier application. The business process generates an XML
purchase order acknowledgment.
4. The supplier forwards the acknowledgment to the
transformation engine which converts it to EDI, and then
forwards it over a VAN to the buyer.
Summary:
A number of organisations have started using the Internet
as an EDI VADS
Unlike the traditional VADS, the Internet does not
guarantee the safe delivery of any data you send into it
The plus side of using the Internet is that it is cheaper than
any of the commercial networks that provide specific EDI
VADS services.
The coding / decoding of the EDI message and the
interfacing with the VADS is normally achieved using EDI
Software
For full integration of the business application and the EDI
Software there needs to be an interface to transfer data from
the business application to the EDI software and vis a versa.
A big difference between electronic transactions and their paper
equivalents is that with electronic transactions there is no paperwork
to fall back on should anything go wrong. In these circumstances,
therefore, it is sensible to keep a security copy of all incoming
transactions
Topic:
Introduction
EDI Agreement
EDI security issues
Summary

Objectives
After this lecture the students will be able to:
Understand details of the technical elements of an EDI
system:
EDI Agreements
EDI Security
After discussing how the EDI is being implemented it is clear that
a large organization that processes many electronic transactions is
going to need its own EDI set-up. There are, however, many
small companies that are dragged into EDI trade by a large trading
partner but for whom the set-up and running costs of an EDI
facility would outweigh the benefits. For these organizations there
are a number of alternatives, as discussed below:
EDI Alternatives
The low cost, PC based, free-standing EDI facility.
Making use of an EDI clearing house. To do this the
company contract for their EDI messages to be sent to a
clearing house who decode them, print them out and then
post or fax them on. The British Post Office is an example
of an organisation that provides this service.
Internet access via a clearing house. This is an update on the
EDI-Post service outlined above where a clearing house is
used but the inward and outward transactions are
transmitted between the end user and the clearing house and
accessed by the client using a standard web browser.
As you know, setting up an EDI system requires a lot of discussion
with trading partners. Manual systems rely a lot on the
understanding of the people involved; when these interchanges
are automated there is no understanding between the machines -
they just do what they are told (well they do on a good day!).
The introduction of EDI may also be part of a wider process of
business processing re-engineering that makes the effective
operation of the supply chain much more crucial to successful
business operation. Traditional logistics had buffer stocks in the
factory’s parts warehouse or the retailer’s regional depot and stock
room. In just-in-time manufacture and quick response supply
these buffer stocks are eliminated - this reduces the capital
employed and avoids the need to double handle goods. Without
these buffer stocks the EDI systems become crucial -the orders
need to be delivered on time or cars will be made
with missing wheels and there will be no cornflakes on the shelves
in the supermarket. Hence to achieve a successful, electronically
controlled supply chain, businesses have to talk. They need to
agree the nature of the business that is to be done electronically,
the technical details of how it is to be undertaken and the procedures
for resolving any disputes that arise.
EDI Interchange Agreements
The appropriate way to document the details of a trading
arrangement between electronic trading partners is an EDI
Interchange Agreement. The agreement makes clear the trading
intentions of both parties, the technical framework for the
transactions and the procedures to be followed in the event of a
dispute. The EDI Agreement is a document, normally on paper,
and signed by both trading partners before electronic trading
begins. The first requirement of the agreement is to establish the
legal framework. This has a special significance as most business
law relates to paper based trading and how that law should apply
to the less tangible form of an electronic message is not always
clear (although a number of countries are updating their legal
provisions to take account of electronic trade). This point is made
in the commentary that is included in the European
Model Electronic Data Interchange (EDI) Agreement (EUIA):
‘For EDI to be a successful alternative to paper trading, it is essential
that messages are accorded a comparable legal value as their paper
equivalent when the functions effected in an electronic environment
are similar to those effected in a paper environment, and where all
appropriate measures have been taken to secure and store the
data.’

The EU-IA, in the text of the Agreement, includes the clause:

'The parties, intending to be legally bound by the Agreement,
expressly waive any right to contest the validity of a contract
effected by the use of EDI in accordance with the terms and
conditions of the Agreement on the sole grounds that it was
effected by EDI.'

The agreement also specifies:
The point in its transmission and processing at which a
message will be deemed to be legally binding - the usually
accepted standard is that the ‘document’ achieves legal status
when it arrives at the receiving party, the ‘reception rule’.
The timescale for processing EDI messages. One purpose
of EDI is to speed up the trade cycle and this is not achieved
if messages are not reliably processed within an agreed
timescale.
The time that copies of the message will be retained (a
default of three years is provided for by the EU-IA but
many member states require longer periods, e.g. seven or ten
years).
The procedure for settling any disputes. The EU-IA
suggests a choice between arbitration by a named
organisation, e.g. a chamber of commerce appointed
arbitration chamber, or by recourse to the judicial process.
The legal jurisdiction in which any disputes should be
settled.
In addition to the legal (or legalistic) aspects of the
agreement it is important to specify the technical
requirements. These requirements include:
The coding systems that will be used for identifying entities
such as organisations and products and attributes such as
quantities.
The EDI standard that is to be employed and, within that,
the messages and data segments that will be used. Updating
of message standards as new versions are released is an issue
that also needs to be covered.
The network that is to be used - including details of
scheduling and protocol where a post and forward network
is not to be employed.
Model agreements are available from various parties, including
trade organisations, and references to example agreements can be
found on the web pages that accompany this book.
Another major issue of concern is the privacy and security of the
messages and their exchange. Let’s discuss how to protect the data
while it is being transferred from one place to another.
EDI Security
The first point is to ensure that interchange of messages is reliable.
In the first instance this is a matter of procedures at both ends of
the trading agreements. Procedures, rigid procedures, are required
to ensure that all the processes are run and that they reach their
successful conclusion - an old-fashioned requirement called ‘data
processing standards’. Procedures are particularly important where
operations are manual (as opposed to being controlled by job
control programs (JCP) run under the appropriate operating
system). Particular attention is needed if the EDI software is run
on a separate machine (say a PC) and the application software
operates in a mainframe or similar environment; it is vital that all
the data received on the EDI machine is passed to and processed
(once only!) on the mainframe and that outgoing data is reliably
processed in the reverse direction.
Further aspects of security are:
Controls in the EDI Standards:
EDI Standards include controls designed to protect against errors
in, and corruption of, the message. Examples are the segment count
carried in the trailer of each message and the message count carried
in the trailer of the interchange, each of which the receiving
software compares with what actually arrived.
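The controls just described, together with the application-level validation of incoming messages called for under EDI Integration, as an added example in Python (not from the book): a small parser that honours the release character, checks that the UNT segment count and reference agree with the message and that the UNZ message count and reference agree with the interchange, and only then applies the checks a clerk keying the order would get (known article, positive quantity). The article master, party codes and the inbound interchange are constructed.

```python
"""Added example (not from the book): receiving-side checks on an EDIFACT
interchange.  Article master, party codes and the sample are constructed."""


def tokenize(interchange):
    """Split an interchange into segments -> data elements -> components,
    honouring the release character so that '?+' in a description is data.
    Raises ValueError if the text stops without a segment terminator."""
    if interchange.startswith("UNA"):
        comp, elem, _dec, rel, _res, term = interchange[3:9]
        body = interchange[9:]
    else:
        comp, elem, rel, term, body = ":", "+", "?", "'", interchange
    segments, seg, element, buf = [], [], [], []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == rel:                       # next character is literal data
            i += 1
            if i == len(body):
                raise ValueError("interchange truncated: release character at end")
            buf.append(body[i])
        elif ch == comp:
            element.append("".join(buf))
            buf = []
        elif ch == elem:
            element.append("".join(buf))
            seg.append(element)
            buf, element = [], []
        elif ch == term:
            element.append("".join(buf))
            seg.append(element)
            segments.append(seg)
            buf, element, seg = [], [], []
        elif ch not in "\r\n":              # line breaks between segments are tolerated
            buf.append(ch)
        i += 1
    if buf or element or seg:
        raise ValueError("interchange truncated: no terminator after last segment")
    return segments


def tag(seg):
    return seg[0][0]


def check_controls(interchange):
    """The standard's own controls.  Returns (errors, messages); each message
    is {'ref', 'type', 'segs'} and is only usable when errors is empty."""
    try:
        segs = tokenize(interchange)
    except ValueError as e:
        return [str(e)], []
    if not segs or tag(segs[0]) != "UNB" or tag(segs[-1]) != "UNZ":
        return ["interchange not enclosed by UNB ... UNZ"], []
    errors, messages, current = [], [], None
    unb_ref = segs[0][5][0]
    unz_count, unz_ref = int(segs[-1][1][0]), segs[-1][2][0]
    if unz_ref != unb_ref:
        errors.append("UNZ reference %s does not match UNB reference %s" % (unz_ref, unb_ref))
    for seg in segs[1:-1]:
        if tag(seg) == "UNH":
            current = {"ref": seg[1][0], "type": seg[2][0], "segs": [seg]}
            continue
        if current is None:
            errors.append("segment %s outside any message" % tag(seg))
            continue
        current["segs"].append(seg)
        if tag(seg) == "UNT":
            declared, ref = int(seg[1][0]), seg[2][0]
            if ref != current["ref"]:
                errors.append("UNT reference %s does not match UNH %s" % (ref, current["ref"]))
            if declared != len(current["segs"]):
                errors.append("message %s: UNT says %d segments, found %d"
                              % (current["ref"], declared, len(current["segs"])))
            messages.append(current)
            current = None
    if current is not None:
        errors.append("message %s has no UNT" % current["ref"])
    if unz_count != len(messages):
        errors.append("UNZ says %d messages, found %d" % (unz_count, len(messages)))
    return errors, messages


KNOWN_ARTICLES = {"5012345678900", "5012345678917"}   # constructed article master


def validate_orders(messages):
    """The checks a clerk keying the order would get: article known, quantity positive."""
    problems = []
    for m in messages:
        if m["type"] != "ORDERS":
            problems.append("message %s: unexpected type %s" % (m["ref"], m["type"]))
            continue
        po = next((s[2][0] for s in m["segs"] if tag(s) == "BGM"), "?")
        line = None
        for s in m["segs"]:
            if tag(s) == "LIN":
                line, article = s[1][0], s[3][0]
                if article not in KNOWN_ARTICLES:
                    problems.append("order %s line %s: unknown article %s" % (po, line, article))
            elif tag(s) == "QTY" and line is not None and int(s[1][1]) <= 0:
                problems.append("order %s line %s: quantity must be positive" % (po, line))
    return problems


# Constructed inbound interchange: one ORDERS message whose description
# uses the release character ('?' before the apostrophes).
SAMPLE = ("UNA:+.? 'UNB+UNOA:3+5412345000013:14+5412345000020:14+240305:1830+000001'"
          "UNH+00000101+ORDERS:D:96A:UN'BGM+220+PO4711+9'DTM+137:20240305:102'"
          "NAD+BY+5412345000013::9'NAD+SU+5412345000020::9'LIN+1++5012345678900:EN'"
          "IMD+F++:::SALT ?'N?' VINEGAR CRISPS'QTY+21:240'UNS+S'UNT+10+00000101'UNZ+1+000001'")


def receive(interchange):
    """Controls first; application validation only if the interchange is intact."""
    errors, messages = check_controls(interchange)
    return errors if errors else validate_orders(messages)
```

A truncated line, a wrong trailer count or a mismatched control reference is reported before any business data is looked at; an unknown article or a zero quantity passes the standard's controls and is only caught by the application checks, which is the point the text makes about validation.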
Controls in the Transmission Protocol:
Transmission protocols include protection, such as longitudinal
control totals, to detect any data corruption that occurs during
transmission. Where corruption is detected the network system
occasions a retransmission without the need for outside
intervention.
Protection against Tampering:
Where there is concern that the transmission might be intercepted
and modified it can be protected by a digital signature. This is
designed to ensure that the message received is exactly the same as
the message sent and that the source of the message is an
authorized trading partner.
Privacy of Message:
Where the contents of the message are considered sensitive the
privacy of the message can be protected, during transmission, by
encrypting the data.
Non-Repudiation:
One potential problem is that the recipient of the message might
deny having received it; the electronic equivalent of the idea that
the unpaid invoice must have got ‘lost in the post’.
One way out of this is to use the receipt acknowledgement
messages (see below) but the other alternative is a ‘trusted third
party’. The ‘trusted third party’ can be the VADS supplier or, if
you don’t trust them, some other organisation. The role of the
third party is to audit trail all transactions (a role the VADS provider
is ideally positioned to fulfill) and to settle any dispute about
what messages were sent and what messages were received.
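Protection against tampering and the authorisation of the source, as an added example (not from the book) using a keyed hash (HMAC-SHA256) under a secret shared by the two trading partners, implemented with Python's standard library. This is the shared-key approach described in the cryptography lecture later: it detects a modified interchange and an unknown sender, and the receiver also refuses a repeated control reference so that an interchange is processed once only. Because both partners hold the same key it cannot settle a dispute between them; that needs a digital signature under a key only the sender holds, or the trusted third party described above. Keys, party codes and the interchange are constructed.

```python
"""Added example (not from the book): keyed-hash protection of an EDI
interchange under a secret shared by the two trading partners.  Keys,
party codes and the interchange are constructed."""
import hashlib
import hmac

# Constructed per-relationship keys, exchanged out of band when the trading
# relationship was set up (this exchange is the key distribution problem).
PARTNER_KEYS = {
    "5412345000013": bytes.fromhex(
        "3f6b2d1c9a8e7f05a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718"),
}


def control_reference(interchange):
    """UNB interchange control reference (data element 0020).  UNB carries no
    free text, so a plain split on the service characters is safe here."""
    segs = interchange.split("'")
    unb = segs[1] if interchange.startswith("UNA") else segs[0]
    return unb.split("+")[5]


def seal(interchange, sender):
    """Sender side: tag = HMAC-SHA256(key, interchange), returned as hex so it
    can travel beside the interchange (for instance as a separate VADS message)."""
    key = PARTNER_KEYS[sender]
    return hmac.new(key, interchange.encode("utf-8"), hashlib.sha256).hexdigest()


class Receiver:
    """Receiver side: verify the tag, then refuse to process the same
    interchange twice (the 'once only!' requirement above)."""

    def __init__(self, keys):
        self.keys = keys
        self.seen = set()

    def accept(self, sender, interchange, tag):
        key = self.keys.get(sender)
        if key is None:
            return "rejected: unknown trading partner"
        expected = hmac.new(key, interchange.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return "rejected: tag mismatch (modified in transit or wrong key)"
        ref = control_reference(interchange)
        if ref in self.seen:
            return "rejected: duplicate interchange %s" % ref
        self.seen.add(ref)
        return "accepted"


# Constructed interchange from the buyer to the supplier.
ORDER = ("UNA:+.? 'UNB+UNOA:3+5412345000013:14+5412345000020:14+240305:1830+000001'"
         "UNH+00000101+ORDERS:D:96A:UN'BGM+220+PO4711+9'LIN+1++5012345678900:EN'"
         "QTY+21:240'UNT+5+00000101'UNZ+1+000001'")
```

The tag covers the whole interchange text, so changing a quantity, a price or the recipient invalidates it; the duplicate check relies on the control reference being unique per sender, which the interchange agreement should require. Note that this gives message privacy no protection at all: the interchange is still sent in clear, and encryption is a separate provision.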
One aspect of security provided for by the EDI standard is the
receipt acknowledgement message. This is a transaction specific
message sent out by the receiving system to acknowledge each
message, order or whatever. Trading partners that use receipt
acknowledgement messages need to be clear about the level of
security (guarantee) implied by the receipt of the acknowledgement.
The EDI acknowledgement message can be:
Automatically generated by the EDI Software (Physical
Acknowledgement). It informs the sender that the message
has arrived but there is no guarantee that it is passed to the
application for processing or that it is a valid transaction
within the application.
Coded into the application to confirm that it is in the system
for processing.
Produced by the application once the message is processed to
confirm that the message was valid and possibly to give
additional information such as stock allocation and expected
delivery date (Logical Acknowledgement).
The need for security in an EDI system needs to be kept in
proportion; after all EDI is very probably replacing a paper based
system where computer output orders, without signatures, were
bunged in the post and eventually manually keyed in by an order
entry clerk. Transmission and EDI message controls are automatic.
Checks over and above that all come at a cost; encryption and
digital signatures both require extra software and procedures;
message acknowledgements require additional software to generate
the message and to match it to the original transaction on the
other side of the trading relationship. EDI orders and invoices
for regular transaction of relatively low cost supplies do not justify
too heavy an investment in privacy and security – if an extra load
of cornflakes arrives at the supermarket distribution centre it can be
sorted out on the phone and the error will probably be in the
warehouse, not the EDI system (whatever the supplier tells the
customer!).
EDI payments require more care; normally the payment transaction
is sent to a bank (with its own procedures) with the payment
advice being sent to the trading partner. The overall facilities for
EDI privacy and security are summed up in Figure 11.1

Fig. 11.1 EDI Privacy and Security


The overall EDI technical setup is summarized in fig 11.2
Fig 11.2 EDI summary

Summary:
There are a number of alternatives to setting up one's own
EDI facility: the low cost, PC based, free-standing EDI
facility, making use of an EDI clearing house, or Internet access
via a clearing house.
The appropriate way to document the details of a trading
arrangement between electronic trading partners is an EDI
Interchange Agreement
The security aspects in EDI are Controls in the EDI
Standards, Controls in the Transmission Protocol,
Protection against Tampering, Privacy of Message,
Nonrepudiation

Topic:
Introduction
Various preventive measures for computer
Cryptography
Data Encryption Standard (DES)
Summary

Objectives:
Describe some security measures to prevent computer
systems from various threats in a network.
The incredible growth of the Internet has excited businesses and
consumers alike with its promise of changing the way we live and
work. But a major concern has been just how secure the Internet
is, especially when you’re sending sensitive information through
it.
Let’s face it, there’s a whole lot of information that we don’t want
other people to see, such as:
Credit-card information
Social Security numbers
Private correspondence
Personal details
Sensitive company information
Bank-account information
Information security is provided on computers and over the
Internet by a variety of methods. A simple but straightforward
security method is to only keep sensitive information on removable
storage media like floppy disks. But the most popular forms of
security all rely on encryption , the process of encoding
information in such a way that only the person (or computer)
with the key can decode it.
In the Key of...
Computer encryption is based on the science of cryptography,
which has been used throughout history. Before the digital age,
the biggest users of cryptography were governments, particularly
for military purposes. The existence of coded messages has been
verified as far back as the Roman Empire. But most forms of
cryptography in use these days rely on computers, simply because
a human-based code is too easy for a computer to crack.
Most computer encryption systems belong to one of two
categories:
Secret-key cryptography
Public-key cryptography
Secret-Key Cryptography
Secret-key cryptography is the use of a single shared key both
for encryption by the transmitter and for decryption by the
receiver. Shared-key techniques suffer from the problem of key
distribution, since a shared key must be securely distributed to
each pair of communicating parties. Secure key distribution
becomes cumbersome in large networks: n parties that each want
a private channel to every other party need n(n-1)/2 distinct
keys.
To illustrate secret-key cryptography, A encrypts a message with
a secret key and e-mails the encrypted message to B. On receiving
the message, B checks the header to identify the sender, then
unlocks his electronic key storage area and takes out the
duplicate of the secret key. B then uses the secret key to decrypt
the message.
The Achilles heel of secret-key cryptography is getting the sender
and receiver to agree on the secret key without a third party
finding out. This is difficult because if A and B are in separate
sites, they must trust that they are not overheard during
face-to-face meetings or over a public messaging system (a phone
system, a postal service) when the secret key is being exchanged.
Anyone who overhears or intercepts the key in transit can later
read all messages encrypted using that key. The generation,
transmission, and storage of keys is called key management; all
cryptosystems must deal with key management issues. Although
the secret-key method is quite feasible for one-on-one document
interchange, it does not scale. In a business environment where
a company deals with thousands of on-line customers, it is
impractical to assume that key management will be flawless.
Hence secret-key cryptography on its own cannot carry
e-Commerce; in practice it is combined with public-key methods,
which take over the key distribution (see the RSA digital
envelope later in this unit).
Data Encryption Standard (DES)
A widely adopted implementation of secret-key cryptography is
the Data Encryption Standard (DES). Software to perform DES is
readily available at no cost to anyone who has access to the
Internet. DES was introduced in 1975 by IBM, the National Security
Agency (NSA), and the National Bureau of Standards (NBS) (which
is now called NIST). DES has been extensively researched and
studied over the last twenty years and is the most well-known
and widely used cryptosystem in the world. DES is a secret-key,
symmetric cryptosystem: when used for communication, both sender
and receiver must know the same secret key, which is used both to
encrypt and to decrypt the message. DES can also be used for
single-user encryption, for example, to store files on a hard disk
in encrypted form. In a multiuser environment, however, secure key
distribution becomes difficult; public-key cryptography, discussed
in the next subsection, was developed to solve this problem.
DES operates on 64-bit blocks with a 56-bit secret key. Designed
for hardware implementation, it is relatively fast and works well
for bulk encryption of large documents. Instead of defining just
one encryption algorithm, DES defines a whole family of them:
with a few exceptions (the so-called weak keys), a different
transformation results from each secret key. This means that
everybody can be told the algorithm and your message will still
be secure; all you need to keep to yourself is the secret key, a
number less than 2^56. A key space of 2^56 (about 7.2 x 10^16
keys) was, when DES was designed, large enough to make a brute
force attack (trying to break the cipher by using all possible
keys) impractical.
The DES algorithm itself has withstood the test of time: despite
being public, no analytic attack is known that recovers a key much
faster than exhaustive search. Its 56-bit key is now the weakness.
A purpose-built machine recovered a DES key by exhaustive search
in 1998, so single DES should no longer be relied on for sensitive
data. A technique for extending the life of DES is triple
encryption (Triple DES), that is, encrypting each message block
three times in succession under different keys. Triple DES is
thought to be equivalent to doubling the effective key size of
DES to 112 bits (not tripling it, because of the meet-in-the-middle
attack), which should prevent decryption by a third party capable
of single-key exhaustive search. Of course, triple encryption
takes three times as long as single-encryption DES. Over the past
few years several new, faster symmetric algorithms have been
developed, and the Advanced Encryption Standard (AES) has since
replaced DES as the standard, but DES remained the most frequently
used cipher for many years.
Public Key Cryptography
A more powerful form of cryptography involves the use of public
keys. Public-key techniques involve a pair of keys for each user:
a private key and a public key. The two keys are inverses of each
other: information encrypted with one key of the pair can be
decrypted only with the other. The private key is kept secret by
its owner; the public key is published and is not kept secret.
Used one way round, the pair provides confidentiality: anyone can
encrypt with the receiver's public key, and only the receiver's
private key can decrypt. Used the other way round, it provides
authentication: since only the bona fide author of a message has
knowledge of the private key, a successful decryption using the
corresponding public key verifies the identity of the author and,
as explained below, the integrity of the message. Public keys can
be maintained in some central repository and retrieved to encode
information or to check signatures. Public-key techniques thus
alleviate the problem of distribution of keys.
Let's examine how this process works:
Each party to a public-key pairing receives a pair of keys, the
public key and the private key. When A wishes to send a message
to B, A looks up B's public key in a directory, then uses that
public key to encrypt the message and mails it to B. B uses his
secret private key to decrypt the message and read it. Anyone can
send an encrypted message to B, but only B can read it. Unless a
third party, say C, has access to B's private key, it is impossible
to decrypt the message sent by A. This ensures confidentiality.
Clearly, one advantage of public-key cryptography is that it is
computationally infeasible to derive the private key from the
corresponding public key. Hence the key management problem is
mostly confined to the management of private keys. The need for
sender and receiver to share secret information over public
channels is completely eliminated: all transactions involve only
public keys, and no private key is ever transmitted or shared;
the private key never leaves the user's PC. Thus a sender can send
a confidential message merely by using public information, and
that message can be decrypted only with a private key in the sole
possession of the intended recipient.
Furthermore, public-key cryptography can be used for sender
authentication, known as digital signatures. Here's how
authentication is achieved using public-key cryptography. To
digitally sign a document, A first runs it through a hash
function, which reduces the document, whatever its size (an order
form with a credit card number, for instance), to a short,
fixed-length "fingerprint", also called a message digest; any
change to the document changes the fingerprint. A then encrypts
this fingerprint with his private key. The result is the digital
signature, a number unique to this document and this signer,
which is attached to the original message and sent to B.
To verify the signature, B decrypts it using A's public key,
which yields the fingerprint that A computed. B then recomputes
the fingerprint from the document he received and compares the
two. If they match, the digital signature is verified as genuine:
the message has not been tampered with, and it is not coming from
a third party C posing as A. Otherwise the signature may be
fraudulent or the message altered, and both are discarded. This
method is the basis for secure e-Commerce, variations of which are
being explored by several companies.
Several implementations of these popular encryption techniques
are currently employed. In public-key encryption, the RSA
implementation dominates and is considered very secure, but
using it for overseas traffic conflicted with the US government's
position at the time on the export of munitions technology of
military importance. Clearly, the government had not reckoned
with the Internet data flow; those export rules have since been
relaxed considerably.
Summary:
The most popular forms of security all rely on encryption,
the process of encoding information in such a way that only
the person (or computer) with the key can decode it.
There are two types of encryption methods:
Secret-key cryptography and Public-key cryptography
Secret-key cryptography is the use of a shared key for both
encryption by the transmitter and decryption by the receiver.
A widely adopted implementation of secret-key
cryptography is the Data Encryption Standard (DES).
A more powerful form of cryptography involves the use of
public keys. Public-key techniques involve a pair of keys, a
private key and a public key, associated with each user.
Information encrypted with one key of the pair can be
decrypted only using the other: the public key for
confidentiality, the private key for signatures.

RSA and Public-Key Cryptography


RSA is a public-key cryptosystem for both encryption and
authentication, developed in 1977 by Ron Rivest, Adi Shamir, and
Leonard Adleman. The RSA system uses a matched pair of encryption
and decryption keys, each performing a one-way transformation
of the data. RSA also provides digital signatures; these do not
encrypt the entire document but encrypt a fixed-size hash of it
with the signer's private key. The security of RSA is predicated
on the fact that it is extremely difficult, even for the fastest
computers, to factor large numbers that are the products of two
prime numbers (the keys), each greater than 2^112. RSA is
important because it enables digital signatures, which can be
used to authenticate electronic documents the same way
handwritten signatures are used to authenticate paper documents.
Here's how a digital signature works for an electronic document
to be sent from the sender X to the receiver Y: X runs a program
that uses a hash algorithm to generate a digital fingerprint (a
pattern of bits that uniquely identifies a much larger pattern of
bits) for the document and encrypts the fingerprint with his
private key. This is X's digital signature, which is transmitted
along with the data. Y decrypts the signature with X's public key
and runs the same hash program on the document. If the digital
fingerprint output by the hash program does not match the
fingerprint sent by X (after that has been decrypted), then the
signature is invalid. If the fingerprints do match, however, then
Y can be quite sure that the digital signature is authentic. If
the document were altered en route, the fingerprints will not
match (the output from the hash programs will be different) and
the receiver will know that data tampering occurred. If the
sender's signature has been forged (encrypted with the wrong
private key), the fingerprints won't match either. Therefore the
digital signature verifies both the identity of the sender and
the authenticity of the data in the document.
The use of RSA is undergoing a period of rapid expansion and
may become ubiquitous. It is currently used in a wide variety of
products, platforms, and industries around the world. It is being
incorporated into World Wide Web browsers such as Netscape,
giving it a wider audience. In hardware, RSA can be found in
secure telephones, on Ethernet network cards, and on smart cards.
Adoption of RSA seems to be proceeding more quickly for
authentication (digital signatures) than for privacy (encryption),
perhaps in part because products for authentication are easier to
export than those for privacy.
Mixing RSA and DES
RSA allows two important functions not provided by DES:
Secure key exchange without prior exchange of keys, and
Digital signatures.
For encrypting messages, RSA and DES are usually
combined as follows:
first the message is encrypted with a random DES key, then,
before being sent over an insecure communications channel,
the DES key is encrypted with RSA.
Together, the DES-encrypted message and the RSAencrypted
DES key are sent. This protocol is known as an
RSA digital envelope.
Why not just use RSA to encrypt the whole message and not use
DES at all? Although RSA may be fine for small messages, DES
(or another cipher) is preferable for larger messages because of
its much greater speed. In some situations RSA is not necessary
and the DES key can be agreed directly, as in the single-user or
two-user environment: for example, if you want to keep your
personal files encrypted, just do so with DES using a key derived
from a password. (Derive the key with a key-derivation function
rather than using the password bytes directly; a short password
gives an attacker far fewer than 2^56 keys to try.)
RSA, and public-key cryptography in general, is best suited for a
multiuser environment. Also, any system in which digital
signatures are desired needs RSA or some other public-key system.
Digital Public-Key Certificates
The most difficult aspect of creating an effective multiparty
transaction system is the distribution of public keys. Because the
keys are intended to be public and widely distributed, secrecy is
not a concern; anyone should be able to get a copy of a public key.
Rather, the primary concern is authenticity. An impostor could
easily create a private/public key pair and distribute the public
key, claiming it belonged to someone else.
For instance, if A in England is doing business with B in Canada
and wants to encrypt information so that only B can read it, A
must first get the public key of B from a key directory.
That's where the problem lies. There is nothing that says that this
public key information is valid and not a forgery put there by C
impersonating B. One solution to this problem is a public-key
certificate. A public-key certificate is a data structure, digitally
signed by a certification authority (also known as the certificate
issuer), that binds a public-key value to the identity of the
entity holding the corresponding private key. The latter entity is
known as the subject of the certificate. In essence, a certificate
is a copy of a public key and an identifier (name or number),
digitally signed by a trusted party. The problem is then
transformed into finding a trusted third party to create these
certificates. A public-key user needs to obtain and validate a
certificate containing the required public key.
This is where it gets complicated. If the public-key user does not
already have a copy of the public key of the trusted party that
signed the certificate, then the user may need an additional
certificate to get that public key. In such cases, a chain of
multiple certificates may be needed, comprising a certificate of
the public-key owner signed by one certification authority, and
additional certificates of certification authorities signed by
other certification authorities. The chain must end at a
certification authority whose public key the user already holds
and trusts (a trust anchor, obtained by some out-of-band means);
otherwise the impostor problem has merely moved up one level.
At each link the verifier checks that the issuer named in one
certificate is the subject of the next and that the signature
verifies under that subject's key, and it should also reject
certificates that have expired or been revoked.
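The signing procedure described above for A and B (and again for X and Y in the RSA section), the RSA digital envelope, and the certificate chain just described can all be exercised together. The following is an added example written for this page; it is not code from the original text or from RSA Data Security. It uses textbook RSA with 512-bit keys generated by a Miller-Rabin test, SHA-256 as the fingerprint function, and a SHA-256 keystream as a stand-in for DES (there is no DES in the Python standard library). The key sizes, the absence of padding, the stand-in cipher and the certificate format are all simplifications for illustration, not something to use in a product.

```python
# Added illustration (not the original text's code): textbook RSA signatures, an RSA
# digital envelope and a certificate chain. The 512-bit keys and the SHA-256 keystream
# that stands in for DES are for demonstration only, never for production use.
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):  # returns (public, private) = ((n, e), (n, d))
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def fingerprint(data):  # the document's SHA-256 "fingerprint" as a 256-bit integer, always below n
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):  # encrypt the fingerprint with the private key
    return pow(fingerprint(data), priv[1], priv[0])

def verify(pub, data, sig):  # decrypt with the public key and compare fingerprints
    return pow(sig, pub[1], pub[0]) == fingerprint(data)

def stream_xor(key, data):
    """DES stand-in: XOR with SHA-256(key || block counter); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(recipient_pub, plaintext):  # digital envelope: fresh session key, RSA-encrypted to the recipient
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_pub[1], recipient_pub[0])
    return wrapped, stream_xor(session_key, plaintext)

def unseal(recipient_priv, envelope):
    wrapped, body = envelope
    session_key = pow(wrapped, recipient_priv[1], recipient_priv[0]).to_bytes(16, "big")
    return stream_xor(session_key, body)

def cert_body(subject, pub, issuer):  # the bytes the certification authority signs
    return f"{subject}|{pub[0]:x}|{pub[1]:x}|{issuer}".encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, cert_body(subject, subject_pub, issuer))}

def verify_chain(chain, trust_anchors):
    """chain[0] is the end entity; each certificate must be signed by the next one, and
    the last by a trust anchor (issuer name -> public key the verifier already holds)."""
    issuers = [(c["subject"], c["pub"]) for c in chain[1:]]
    issuers.append((chain[-1]["issuer"], trust_anchors.get(chain[-1]["issuer"])))
    return all(c["issuer"] == name and key is not None
               and verify(key, cert_body(c["subject"], c["pub"], c["issuer"]), c["sig"])
               for c, (name, key) in zip(chain, issuers))

def demo():  # constructed sample: A signs an order and seals it for B, whose certificate is checked
    ca_pub, ca_priv = keygen()
    a_pub, a_priv = keygen()
    b_pub, b_priv = keygen()
    order = b"order 1234: 2 widgets, card ending 1111"
    sig = sign(a_priv, order)
    ca_cert = issue_cert("CA", ca_pub, "CA", ca_priv)  # self-signed root, held locally as the trust anchor
    b_cert = issue_cert("B", b_pub, "CA", ca_priv)
    forged = issue_cert("B", a_pub, "CA", a_priv)      # impostor C claims "B" but signs with a non-CA key
    return {
        "signature_ok": verify(a_pub, order, sig),
        "tamper_detected": not verify(a_pub, order.replace(b"2", b"9"), sig),
        "envelope_roundtrip": unseal(b_priv, seal(b_pub, order)) == order,
        "chain_ok": verify_chain([b_cert, ca_cert], {"CA": ca_pub}),
        "forged_chain_rejected": not verify_chain([forged, ca_cert], {"CA": ca_pub}),
    }
```

Calling demo() returns all five checks as True. Two design points are worth noticing: the signature covers only the 256-bit fingerprint, so the document can be any size while the RSA operation stays fixed-cost, and the envelope never RSA-encrypts the body, only the 16-byte session key. The forged certificate is rejected not because its contents look wrong but because the signature does not verify under the key the chain says issued it; that is the whole function of the trust anchor.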

Clipper Chip
Clipper is an encryption chip developed as part of the Capstone
project. Announced by the White House in April 1993, Clipper
was designed to balance the competing concerns of federal law
enforcement agencies with those of private citizens and industry.
Law enforcement agencies wish to have access-for example, by
wire-tapping-to the communications of suspected criminals, and
these needs are threatened by secure cryptography. Clipper
technology attempts to balance these needs by using escrowed
keys. The idea is that communications would be encrypted with a
secure algorithm, but the keys would be kept by one or more third
parties (the “escrow agencies”) and made available to law
enforcement agencies when authorized by a court-issued warrant.
Thus, for example, personal communications would be
impervious to recreational eavesdroppers and commercial
communications would be impervious to industrial espionage,
and yet the FBI could listen in on suspected terrorists or gangsters.
Skipjack, designed by the NSA, is the encryption algorithm
contained in the Clipper chip. It uses an 80-bit key to encrypt and
decrypt 64-bit blocks of data. Skipjack can be used in the same way
as DES and may be more secure than DES, since it uses 80-bit
keys and scrambles the data for 32 steps, or "rounds"; by contrast,
DES uses 56-bit keys and scrambles the data for only 16 rounds.
The details of Skipjack were classified. The decision not to make
the details of the algorithm publicly available was widely
criticized, and many were suspicious that Skipjack was not secure,
either through design oversight or through deliberate introduction
of a secret trapdoor. By contrast, the many failed attempts to find
weaknesses in DES over the years have made people confident in
the design of DES (its short key, not its design, being the
concern). Since Skipjack was not public, the same scrutiny could
not be applied, and a corresponding level of confidence could not
arise. Aware of such criticism, the government invited a small
group of independent cryptographers to examine the Skipjack
algorithm. Their report stated that, although their study was too
limited to reach a definitive conclusion, they nevertheless
believed that Skipjack is secure. Another consequence of
Skipjack's classified status was that it could not be implemented
in software, but only in hardware by government-authorized chip
manufacturers. (The algorithm was eventually declassified in 1998,
after which it was published and analysed openly.)
Summary:
RSA is a public-key cryptosystem for both encryption and
authentication developed in 1977 by Ron Rivest, Adi Shamir,
and Leonard Adleman.
A public-key certificate is a data structure, digitally signed by a
certification authority (also known as the certificate issuer),
that binds a public-key value to the identity of the entity
holding the corresponding private key
The idea behind the Clipper chip is that communications would
be encrypted with a secure algorithm, but the keys would be
kept by one or more third parties (the "escrow agencies") and
made available to law enforcement agencies when authorized
by a court-issued warrant.

UNIT - V

Topic:
Introduction
Firewall
Various Anti Viruses
Summary

Objectives:
Describe some security measures that protect computer
systems from the various threats present in a network.
In the previous lecture we discussed cryptographic techniques
for securing data in a network. Today we take a look at other
techniques which can further enhance security.
Firewall
If you have been using the Internet for any length of time, and
especially if you work at a larger company and browse the Web
while you are at work, you have probably heard the term firewall
used. For example, you often hear people in companies say things
like, “I can’t use that site because they won’t let it through the
firewall.”
If you have a fast Internet connection into your home (either a
DSL connection or a cable modem), you may have found yourself
hearing about firewalls for your home network as well. It turns
out that a small home network has many of the same security
issues that a large corporate network does. You can use a firewall
to protect your home network and family from offensive Web
sites and potential hackers.
Basically, a firewall is a barrier to keep destructive forces away
from your property. In fact, that's why it's called a firewall. Its
job is similar to a physical firewall that keeps a fire from
spreading from one area to the next. As you read through this
lecture, you will learn more about firewalls, how they work and
what kinds of threats they can protect you from.
What It Does
A firewall is simply a program or hardware device that filters the
information coming through the Internet connection into your
private network or computer system. If an incoming packet of
information is flagged by the filters, it is not allowed through.
Let’s say that you work at a company with 500 employees. The
company will therefore have hundreds of computers that all have
network cards connecting them together.
In addition, the company will have one or more connections to
the Internet through something like T1 or T3 lines. Without a
firewall in place, all of those hundreds of computers are directly
accessible to anyone on the Internet. A person who knows what
he or she is doing can probe those computers, try to make FTP
connections to them, try to make telnet connections to them and
so on. If one employee makes a mistake and leaves a security hole,
hackers can get to the machine and exploit the hole.
With a firewall in place, the landscape is much different. A company
will place a firewall at every connection to the Internet (for example,
at every T1 line coming into the company). The firewall can
implement security rules. For example, one of the security rules
inside the company might be:
Out of the 500 computers inside this company, only one of them
is permitted to receive public FTP traffic. Allow FTP connections
only to that one computer and prevent them on all others. A
company can set up rules like this for FTP servers, Web servers,
Telnet servers and so on. In addition, the company can control
how employees connect to Web sites, whether files are allowed to
leave the company over the network and so on. A firewall gives a
company tremendous control over how people use the network.
Firewalls use one or more of three methods to control traffic
flowing in and out of the network:
Packet filtering - Each packet (a small chunk of data) is
checked on its own against a set of filter rules on addresses,
protocol and port numbers. Packets that make it through
the filters are sent to the requesting system and all others
are discarded.
Proxy service - Information from the Internet is retrieved
by the firewall on the client's behalf and then sent to the
requesting system, and vice versa, so no direct connection
crosses the perimeter.
Stateful inspection - A newer method that does not examine
the full contents of each packet but keeps a table of the
connections it has seen. Information traveling from inside
the firewall to the outside is recorded (addresses, ports and
connection state), and incoming packets are compared to
that table. A packet that belongs to a connection legitimately
opened from inside is allowed through; an unsolicited packet
that matches no known connection is discarded.
What It Protects You From
There are many creative ways that unscrupulous people use to
access or abuse unprotected computers:
Remote login - When someone is able to connect to your
computer and control it in some form. This can range from
being able to view or access your files to actually running
programs on your computer.
Application backdoors - Some programs have special
features that allow for remote access. Others contain bugs
that provide a backdoor, or hidden access, that provides
some level of control of the program.
SMTP session hijacking - SMTP is the most common
method of sending e-mail over the Internet. By gaining
access to a list of e-mail addresses, a person can send
unsolicited junk e-mail (spam) to thousands of users. This
is done quite often by relaying the e-mail through the
SMTP server of an unsuspecting host (an "open relay"),
making the actual sender of the spam difficult to trace.
Operating system bugs - Like applications, some operating
systems have backdoors. Others provide remote access with
insufficient security controls or have bugs that an experienced
hacker can take advantage of.
Denial of service - You have probably heard this phrase
used in news reports on the attacks on major Web sites. This
type of attack is hard to counter at the target alone. In the
classic form (a SYN flood), the attacker sends requests to
the server to open connections, usually from forged addresses.
When the server responds with an acknowledgement and waits
to establish the session, the system that supposedly made the
request never answers. By inundating a server with these
half-open session requests, an attacker causes the server to
slow to a crawl or eventually crash.
E-mail bombs - An e-mail bomb is usually a personal
attack. Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot accept
any more messages.
Macros - To simplify complicated procedures, many
applications allow you to create a script of commands that
the application can run. This script is known as a macro.
Hackers have taken advantage of this to create their own
macros that, depending on the application, can destroy your
data or crash your computer.
Viruses - Probably the most well-known threat is computer
viruses. A virus is a small program that can copy itself to
other computers. This way it can spread quickly from one
system to the next. Viruses range from harmless messages to
erasing all of your data.
Spam - Typically harmless but always annoying, spam is the
electronic equivalent of junk mail. Spam can be dangerous
though. Quite often it contains links to Web sites. Be careful
of clicking on these, because the page may try to download a
malicious program onto your computer or trick you into
entering passwords or card details.
Redirect bombs - Hackers can use ICMP to change (redirect)
the path information takes by sending it to a different router.
This is one of the ways that a denial of service attack is set
up.
Source routing - In most cases, the path a packet travels
over the Internet (or any other network) is determined by the
routers along that path. But the source providing the packet
can arbitrarily specify the route that the packet should travel.
Hackers sometimes take advantage of this to make
information appear to come from a trusted source or even
from inside the network! Most firewall products disable
source routing by default.
Some of the items in the list above are hard, if not impossible, to
filter using a firewall. While some firewalls offer virus protection,
it is worth the investment to install anti-virus software on each
computer. And, even though it is annoying, some spam is going
to get through your firewall as long as you accept e-mail.
The level of security you establish will determine how many of
these threats can be stopped by your firewall. The highest level of
security would be to simply block everything. Obviously that defeats
the purpose of having an Internet connection. But a common
rule of thumb is to block everything, then begin to select what
types of traffic you will allow. You can also restrict traffic that
travels through the firewall so that only certain types of
information, such as e-mail, can get through. This is a good rule
for businesses that have an experienced network administrator
that understands what the needs are and knows exactly what traffic
to allow through. For most of us, it is probably better to work
with the defaults provided by the firewall developer unless there is
a specific reason to change it. One of the best things about a
firewall from a security standpoint is that it stops anyone on the
outside from logging onto a computer in your private network.
While this is a big deal for businesses, most home networks will
probably not be threatened in this manner. Still, putting a firewall
in place provides some peace of mind.
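The rule "allow public FTP only to one computer", the default-deny rule of thumb, stateful inspection of replies, and the rejection of spoofed and source-routed packets can be put together in a small packet filter. The following is an added example written for this page, not code from the original text or from any firewall product. The company's address range (10.0.0.x), the outside addresses (203.0.113.x, 198.51.100.x), the rule set and the sample packets are all assumptions constructed for the illustration.

```python
# Added illustration (not the original text's code): a default-deny packet filter with a
# small connection-state table, run over constructed sample packets. The addresses,
# the rule set and the FTP-server host are assumptions made for the example.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."      # the company's private address range (assumed)
FTP_SERVER = "10.0.0.21"      # the one host permitted to receive public FTP (assumed)

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the Internet, "out" = leaving the company
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    source_routed: bool = False

# Rules for opening NEW connections: (direction, protocol, destination host, destination port).
# Evaluated top-down, first match wins; a packet that matches nothing is dropped (default deny).
RULES = [
    ("in", "tcp", FTP_SERVER, 21),     # public FTP only to the FTP server
    ("in", "tcp", "10.0.0.80", 80),    # the public web server
    ("in", "tcp", "10.0.0.25", 25),    # the mail exchanger
    ("out", "tcp", "any", 80),         # staff may browse the web
    ("out", "tcp", "any", 443),
    ("out", "udp", "any", 53),         # and resolve names
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()      # flows that were opened through an allow rule

    def spoofed(self, pkt):
        """An inbound packet claiming an internal source, or asking for source routing, is a forgery."""
        return pkt.direction == "in" and (pkt.src.startswith(INTERNAL_NET) or pkt.source_routed)

    def permitted_by_rule(self, pkt):
        return any(d == pkt.direction and p == pkt.proto and h in ("any", pkt.dst) and port == pkt.dport
                   for d, p, h, port in self.rules)

    def filter(self, pkt):
        """Return "allow" or "drop" for one packet, updating the state table as a side effect."""
        if self.spoofed(pkt):
            return "drop"
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.established or reverse in self.established:
            return "allow"            # stateful inspection: part of a session we saw being opened
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "drop"             # TCP that is not a connection request and matches no session
        if self.permitted_by_rule(pkt):
            self.established.add(flow)
            return "allow"
        return "drop"                 # default deny

SAMPLE = [  # constructed traffic, not a capture
    ("public FTP to the FTP server", Packet("in", "tcp", "203.0.113.9", FTP_SERVER, 40001, 21, syn=True)),
    ("FTP attempt against a workstation", Packet("in", "tcp", "203.0.113.9", "10.0.0.77", 40002, 21, syn=True)),
    ("staff browsing out", Packet("out", "tcp", "10.0.0.77", "198.51.100.5", 51000, 80, syn=True)),
    ("reply to the browsing session", Packet("in", "tcp", "198.51.100.5", "10.0.0.77", 80, 51000, syn=True, ack=True)),
    ("unsolicited ACK probe", Packet("in", "tcp", "198.51.100.5", "10.0.0.78", 80, 51001, ack=True)),
    ("telnet from outside", Packet("in", "tcp", "203.0.113.9", "10.0.0.80", 40003, 23, syn=True)),
    ("spoofed internal source", Packet("in", "tcp", "10.0.0.5", "10.0.0.80", 40004, 80, syn=True)),
    ("source-routed packet", Packet("in", "tcp", "203.0.113.9", "10.0.0.80", 40005, 80, syn=True, source_routed=True)),
]

def run_sample():
    """Pass the sample packets through one firewall instance, in order; returns (label, decision) pairs."""
    fw = Firewall(RULES)
    return [(label, fw.filter(pkt)) for label, pkt in SAMPLE]

if __name__ == "__main__":
    for label, decision in run_sample():
        print(f"{decision:5} {label}")
```

Running it allows the public FTP request, the outbound browsing session and the reply to that session, and drops everything else: the FTP attempt against a workstation and the telnet probe match no rule, the stray ACK belongs to no tracked session, and the packets with an internal source address or a source route are rejected before any rule is consulted. Order matters: the reply is accepted only because the outbound request was seen first, which is exactly the information a pure packet filter lacks.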
Proxy Application Gateways
A proxy application gateway is a special server that typically runs
on a firewall machine. Its primary use is access to applications
such as the World Wide Web from within a secure perimeter (Fig
22.1). Instead of talking directly to external WWW servers, each
request from the client is routed to a proxy on the firewall,
which the user has configured in the browser. The proxy knows
how to get through the firewall. An application-level proxy makes
a firewall safely permeable for users in an organization, without
creating a potential security hole through which hackers can get
into corporate networks. The proxy waits for a request from inside
the firewall, forwards the request to the remote server outside
the firewall, reads the response, and then returns it to the
client. In the usual case, all clients within a given subnet use the
same proxy. This makes it possible for the proxy to cache
efficiently documents that are requested by a number of clients.
Proxy gateways have several advantages. They allow browser
programmers to ignore the complex networking code necessary
to support every firewall protocol and concentrate on important
client issues. For instance, by using HTTP between the client and
proxy, no protocol functionality is lost, since FTP, Gopher, and
other Web Protocols map well into HTTP methods. This feature
is invaluable, for users needn’t have separate, specially modified
FTP, Gopher, and WAIS clients to get through a firewall-– a single
Web client with a proxy server handles all of these cases.
Proxies can manage network functions. Proxying allows for creating
audit trails of client transactions/including client IP address, date
and time, byte count, and success code. Any regular fields and
meta-information fields in a transaction are candidates for logging.
The proxy can also control access to services by individual
method, host and domain, and the like. Given this firewall design,
in which the proxy acts as an intermediary, it is natural to place
security-relevant mediation within the proxy. Proxy mediation
helps mitigate security concerns by
(1) limiting dangerous subsets of the HTTP protocol (a site's
security policy may prohibit the use of some of HTTP's
methods);
(2) enforcing client and/or server access to designated hosts (an
organization should have the capability to specify acceptable
web sites);
(3) restoring access control for network services that would
otherwise be lost when the proxy is installed (so that the
security policy enforced by the firewall still holds); and
(4) checking various protocols for well-formed commands. A
bug existed in a previous version of the Mosaic browser that
permitted servers to download a "Trojan horse" URL to the
client that would cause the client to run an arbitrary program.
The proxy must be in a position to filter dangerous URLs and
malformed commands.
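The four kinds of mediation listed above, together with the audit trail mentioned earlier, are shown in the following added example, written for this page and not taken from the original text or from any proxy product. The permitted methods, the approved host list, the size limit and the sample request lines are an assumed site policy constructed for the illustration.

```python
# Added illustration (not the original text's code): the mediation an application proxy
# applies to each request before fetching on the client's behalf, plus an audit-trail
# record. The permitted methods, hosts and size limit are an assumed site policy.
import re
import time
from urllib.parse import unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # policy: no PUT, DELETE or CONNECT via the proxy
ALLOWED_HOSTS = {"www.example.com", "ftp.example.org"}
ALLOWED_SCHEMES = {"http", "ftp"}                    # FTP is fetched by the proxy and returned over HTTP
MAX_URL_LEN = 2048
METHOD = re.compile(r"^[A-Z]{3,10}$")
PRINTABLE = re.compile(r"^[\x21-\x7e]+$")            # printable ASCII only: no spaces, CR/LF or control bytes

def mediate(request_line):
    """Return (allowed, reason, url) for one request line received from an internal client."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not METHOD.match(parts[0]) or not parts[2].startswith("HTTP/"):
        return False, "malformed request line", None
    method, url, _ = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted by policy", url
    if len(url) > MAX_URL_LEN or not PRINTABLE.match(url):
        return False, "URL too long or contains unsafe characters", url
    if any(ord(ch) < 0x20 or ord(ch) == 0x7f for ch in unquote(url)):
        return False, "URL hides control characters behind percent-encoding", url
    parsed = urlsplit(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False, "unsupported scheme or missing host", url
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, f"host {parsed.hostname} is not on the approved list", url
    return True, "ok", url

def audit_line(client_ip, request_line, status, byte_count, when):
    """One audit-trail record: client address, UTC time, request, result code, bytes returned."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when))
    return f'{client_ip} {stamp} "{request_line}" {status} {byte_count}'

SAMPLE_REQUESTS = [  # constructed request lines, not captured traffic
    "GET http://www.example.com/catalog HTTP/1.0",
    "GET ftp://ftp.example.org/pub/prices.txt HTTP/1.0",
    "PUT http://www.example.com/catalog HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
    "GET http://evil.example.net/ HTTP/1.0",
    "GET http://www.example.com/%00run HTTP/1.0",
    "GET http://www.example.com/a b HTTP/1.0",
]

def decide(requests):
    """Mediate each request; returns (request, allowed, reason) triples."""
    return [(req,) + mediate(req)[:2] for req in requests]

if __name__ == "__main__":
    for req, allowed, reason in decide(SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "DENY ", req, "" if allowed else f"({reason})")
        print(audit_line("10.0.0.77", req, 200 if allowed else 403, 0, time.time()))
```

Only the first two sample requests pass; the others fail, in order, on method, method again (CONNECT would turn the proxy into a blind tunnel), host, hidden control characters, and a malformed request line. The host check is done on the parsed hostname rather than by string matching so that a URL such as http://www.example.com@evil.example.net/ is judged by the host that would actually be contacted.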

What is antivirus software?


Antivirus software is a program that either comes installed on
your computer or that you purchase and install yourself. It helps
protect your computer against most viruses, worms, Trojans, and
other unwanted invaders that can make your computer “sick.”
Viruses, worms, and the like often perform malicious acts, such as
deleting files, accessing personal data, or using your computer to
attack other computers.
Why should I use antivirus software?
You can help keep your computer healthy by using antivirus
software. Remember to update your antivirus software regularly.
These updates are generally available through a subscription from
your antivirus vendor.
Regular Backups
This section reminds each computer user of their responsibility to
make regular backups to protect their computer data. The task of
backing up the data found on your computer is often the most
overlooked and "hardly ever done until it's too late" action within
the computer end-user community. With the software tools now
available, it no longer is the arduous task that it once was a few
years ago. There is no excuse not to back up your data: do it now,
don't wait until it's too late! Once your system is in use, your
next consideration should be to back up the file systems,
directories, and files. Files and directories represent a
significant investment of time and effort.
At the same time, all computer files are potentially easy to change
or erase, either intentionally or by accident. If you take a careful
and methodical approach to backing up your file systems, you
should always be able to restore recent versions of files or file
systems with little difficulty.
Note: When a hard disk crashes, the information contained on
that disk may be destroyed, and recovering it from the disk itself
is expensive or impossible. The reliable way to recover the data
is to retrieve it from your backup copy, which should be kept
separate from the machine it protects, and which should be
restored from time to time to prove that it can be.
There are several different methods of backing up. The most
frequently used method is a regular backup, which is a copy of a
file system, directory, or file that is kept for file transfer or in case
the original data is unintentionally changed or destroyed. Another
form of backing up is the archive backup; this method is used for
a copy of one or more files, or an entire database, that is saved for
future reference, historical purposes, or for recovery if the original
data is damaged or lost. Usually an archive is used when that
specific data is removed from the system.
Summary:
A firewall is simply a program or hardware device that filters the
information coming through the Internet connection into your
private network or computer system. If an incoming packet of
information is flagged by the filters, it is not allowed through.
Firewalls use one or more of three methods to control traffic
flowing in and out of the network: packet filtering, proxy
service, and stateful inspection.
A firewall protects against remote login, application
backdoors, operating system bugs, denial of service, e-mail
bombs, and viruses.
A proxy application gateway is a special server that typically
runs on a firewall machine. Instead of talking directly to
external WWW servers, each request from the client would
be routed to a proxy on the firewall that is defined by
the user. The proxy knows how to get through the firewall.
Antivirus software is a program that either comes installed
on your computer or that you purchase and install yourself.
It helps protect your computer against most viruses, worms,
Trojans, and other unwanted invaders that can make your
computer “sick.”

Topic:
Introduction
Ethical, Social, and Political issues in ECommerce
Summary

Objectives:
Understand Ethical, Social, and Political issues in ECommerce
Defining the rights of people to express their ideas and the
property rights of copyright owners are just two of many ethical,
social, and political issues raised by the rapid evolution of
ecommerce.
These questions are not just ethical questions that we as individuals
have to answer; they also involve social institutions such as family,
schools, and business firms. And these questions have obvious
political dimensions because they involve collective choices about
how we should live and what laws we would like to live under.
In this lecture we discuss the ethical, social, and political issues
raised in e-commerce, provide a framework for organizing the
issues, and make recommendations for managers who are given
the responsibility of operating e-commerce companies within
commonly accepted standards of appropriateness.
Understanding Ethical, Social, And Political Issues In E-Commerce
The Internet and its use in e-commerce have raised pervasive ethical,
social and political issues on a scale unprecedented for computer
technology. Entire sections of daily newspapers and weekly
magazines are devoted to the social impact of the Internet. Why is
this so? Why is the Internet at the root of so many contemporary
controversies? Part of the answer lies in the underlying features of
Internet technology and the ways in which it has been exploited
by business firms. Internet technology and its use in e-commerce
disrupt existing social and business relationships and understandings.
Instead of considering the business consequences of each unique
feature, here we examine the actual or potential ethical, social,
and/or political consequences of the technology (see Table 23.1).
We live in an “information society,” where power and wealth
increasingly depend on information and knowledge as central
assets. Controversies over information are often in fact
disagreements over power, wealth, influence, and other things
thought to be valuable. Like other technologies such as steam,
electricity, telephones, and television, the Internet and e-commerce
can be used to achieve social progress, and for the most part, this
has occurred. However, the same technologies can be used to
commit crimes, despoil the environment, and threaten cherished
social values. Before automobiles, there was very little interstate
crime and very little federal jurisdiction over crime. Likewise with
the Internet: Before the Internet, there was very little “cyber crime.”
Many business firms and individuals are benefiting from the
commercial development of the Internet, but this development
also exacts a price from individuals, organizations, and
societies. These costs and benefits must be carefully considered by
those seeking to make ethical and socially responsible decisions in
this new environment. The question is: how can you as a manager
make reasoned judgments about what your firm should do in a
number of e-commerce areas- from securing the privacy of your
customer’s click stream to ensuring the integrity of your company
domain name?
The major ethical, social, and political issues that have developed
around e-commerce over the past seven to eight years can be loosely
categorized into four major dimensions: information rights,
property rights, governance, and public safety and welfare as shown
in Fig 23.1. Some of the ethical, social, and political issues raised in
each of these areas include the following:
Information rights: What rights to their own personal
information do individuals have in a public marketplace, or
in their private homes, when Internet technology makes
information collection so pervasive and efficient? What
rights do individuals have to access information about
business firms and other organizations?
Property rights: How can traditional intellectual property
rights be enforced in an internet world where perfect copies
of protected works can be made and easily distributed
worldwide in seconds?
Governance: Should the Internet and e-commerce be
subject to public laws? And if so, what law-making bodies
have jurisdiction - state, federal, and/or international?
Public safety and welfare: What efforts should be
undertaken to ensure equitable access to the Internet and
ecommerce channels? Should governments be responsible
for ensuring that schools and colleges have access to the
Internet? Are certain online content and activities - such as
pornography and gambling - a threat to public safety and
welfare? Should mobile commerce be allowed from moving
vehicles?
To illustrate, imagine that at any given moment society and
individuals are more or less in an ethical equilibrium brought
about by a delicate balancing of individuals, social organizations,
and political institutions. Individuals know what is expected of
them, social organizations such as business firms know their
limits, capabilities, and roles and political institutions provide a
supportive framework of market regulation, banking and
commercial law that provides sanctions against violators. Now,
imagine we drop into the middle of this calm setting a powerful
new technology such as the Internet and e-commerce.
Suddenly individuals, business firms, and political institutions
are confronted by new possibilities of behavior. For instance,
individuals discover that they can download perfect digital copies
of music tracks, something which, under the old technology of
CDs, would have been impossible. This can be done, despite the
fact that these music tracks still “belong” as a legal matter to the
owners of the copyright - musicians and record label companies.
Fig 23.1 caption: The introduction of the Internet and e-commerce impacts
individuals, societies, and political institutions. These impacts can
be classified into four moral dimensions: property rights,
information rights, governance, and public safety and welfare.
Then business firms discover that they can make a business out of
aggregating these musical tracks - or creating a mechanism for
sharing musical tracks- even though they do not “own” them in
the traditional sense. The record companies, courts, and Congress
were not prepared at first to cope with the onslaught of online
digital copying. Courts and legislative bodies will have to make
new laws and reach new judgments about who owns digital
copies of copyrighted works and under what conditions such
works can be “shared.” It may take years to develop new
understandings, laws, and acceptable behavior in just this one area
of social impact. In the meantime, as an individual and a manager,
you will have to decide what you and your firm should do in legal
“grey” areas, where there is conflict between ethical principles, but
no clear-cut cultural guidelines. How can you make good decisions in
this type of situation?
Before reviewing the four moral dimensions of e-commerce in
greater depth, we will briefly review some basic concepts of ethical
reasoning that you can use as a guide to ethical decision making,
and provide general reasoning principles about social political
issues of the Internet that you will face in the future.
Fig 23.1 The Moral Dimensions of an Internet Society
Let’s take a look on what are Ethics, What is an Ethical dilemma
and what are the Ethical principles which we can follow in order to
come out of the ethical dilemma.
Basic Ethical Concepts: Responsibility, Accountability, and
Liability
Ethics is at the heart of social and political debates about the
Internet. Ethics is the study of principles that individuals and
organizations can use to determine right and wrong courses of
action. It is assumed in ethics that individuals are free moral agents
who are in a position to make choices. When faced with alternative
courses of action, what is the correct moral choice?
Extending ethics from individuals to business firms and even
entire societies can be difficult, but it is not impossible. As long as
there is a decision-making body or individual (such as a Board of
Directors or CEO in a business firm or a governmental body in a
society), their decisions can be judged against a variety of ethical
principles. If you understand some basic ethical principles, your
ability to reason about larger social and political debates will be
improved. In Western culture, there are three basic principles
that all ethical schools of thought share: responsibility,
accountability, and liability.
Responsibility means that as free moral agents, individuals,
organizations and societies are responsible for the actions they
take. Accountability means that individuals, organizations, and
societies should be held accountable to others for the consequences
of their actions. The third principle - liability - extends the concepts
of responsibility and accountability to the area of law. Liability is a
feature of political systems in which a body of law is in place that
permits individuals to recover the damages done to them by other
actors, systems, or organizations. Due process is a feature of law
governed societies and refers to a process in which laws are known
and understood and there is an ability to appeal to higher authorities
to ensure that the laws have been applied correctly.
Analyzing Ethical Dilemmas
Ethical, social, and political controversies usually present themselves
as dilemmas. A dilemma is a situation in which there are at least
two diametrically opposed actions, each of which supports a
desirable outcome. When confronted with a situation that seems
to present ethical dilemmas, how can you analyze and reason
about the situation? The following is a five-step process that should
help.
1. Identify and describe clearly the facts. Find out who did
what to whom, and where, when, and how. In many
instances, you will be surprised at the errors in the initially
reported facts, and often you will find that simply getting the
facts straight helps define the solution. It also helps to get
the opposing parties involved in an ethical dilemma to agree
on the facts.
2. Define the conflict or dilemma and identify the higher
order value involved. Ethical, social, and political issues
always reference higher values. Otherwise, there would be no
debate. The parties to a dispute all claim to be pursuing
higher values (e.g., freedom, privacy, protection of property,
and the free enterprise system). For example, DoubleClick and
its supporters argue that their tracking of consumer
movements on the Web increases market efficiency and the
wealth of the entire society. Opponents argue this claimed
efficiency comes at the expense of individual privacy, and
DoubleClick should cease its tracking or offer Web users the option
of not participating in such tracking.
3. Identify the stakeholders. Every ethical, social, and political
issue has stakeholders: players in the game who have an
interest in the outcome, who are invested in the situation,
and usually who have vocal opinions. Find out the identity
of these groups and what they want. This will be useful later
when designing a solution.
4. Identify the options that you can reasonably take. You
may find that none of the options satisfies all the interests
involved, but that some options do a better job than others.
Sometimes, arriving at a “good” or ethical solution may not
always be a balancing of consequences to stakeholders.
5. Identify the potential consequences of your
options. Some options may be ethically correct, but
disastrous from other points of view. Other options may
work in this one instance, but not in other similar instances.
Always ask yourself, “what if I choose this option
consistently over time?” Once your analysis is complete, you
can refer to the following well-established ethical principles to
help decide the matter.
Candidate Ethical Principles
Although you are the only one who can decide which among
many ethical principles you will follow and how you will prioritize
them, it is helpful to consider some ethical principles with deep
roots in many cultures that have survived throughout recorded
history.
The Golden Rule: Do unto others as you would have them
do unto you. Putting yourself into the place of others and
thinking of yourself as the object of the decision can help
you think about fairness in decision making.
Universalism: If an action is not right for all situations,
then it is not right for any specific situation (Immanuel
Kant’s categorical imperative). Ask yourself, “If we adopted
this rule in every case, could the organization, or society,
survive?”
Slippery Slope: If an action cannot be taken repeatedly, then
it is not right to take at all (Descartes’ rule of change). An
action may appear to work in one instance to solve a
problem, but if repeated, would result in a negative
outcome. In plain English, this rule might be stated as “once
started down a slippery path, you may not be able to stop.”
Collective Utilitarian Principle: Take the action that
achieves the greater value for all of society. This rule assumes
you can prioritize values in a rank order and understand the
consequences of various courses of action.
Risk Aversion: Take the action that produces the least harm,
or the least potential cost. Some actions have extremely high
failure costs of very low probability (e.g., building a nuclear
generating facility in an urban area) or extremely high failure
costs of moderate probability (speeding and automobile
accidents). Avoid the high-failure cost actions and choose
those actions whose consequences would not be
catastrophic, even if there were a failure.
No Free Lunch: Assume that virtually all tangible and
intangible objects are owned by someone else unless there is
a specific declaration otherwise. (This is the ethical “no free
lunch” rule.) If something someone else has created is useful
to you, it has value and you should assume the creator wants
compensation for this work.
The New York Times Test (Perfect Information Rule):
Assume that the result of your decision on a matter will be
the subject of the lead article in the New York Times the next
day. Will the reaction of readers be positive or negative?
Would your parents, friends, and children be proud of your
decision? Most criminals and unethical actors assume
imperfect information, and therefore they assume the
decisions and actions will never be revealed. When making
decisions involving ethical dilemmas, it is wise to assume
perfect information markets.
The Social Contract Rule: Would you like to live in a
society where the principle you are supporting would become
an organizing principle of the entire society? For instance,
you might think it is wonderful to download illegal copies
of music tracks, but you might not want to live in a society
that did not respect property rights, such as your property
rights to the car in your driveway, or your rights to a term
paper or original art.
None of these rules is an absolute
guide, and there are exceptions and logical difficulties with all
these rules. Nevertheless, actions that do not easily pass these
guide-lines deserve some very close attention and a great deal
of caution because the appearance of unethical behavior may
do as much harm to you and your company as the actual
behavior.
Now that you have an understanding of some basic ethical
reasoning concepts, let’s take a closer look at each of the major
types of ethical, social, and political debates that have arisen in
ecommerce.
Privacy and Information Rights
The Internet and the Web provide an ideal environment for
invading the personal privacy of millions of users on a scale
unprecedented in history. Perhaps no other recent issue has raised
as much widespread social and political concern as protecting the
privacy of over 160 million Web users in the United States alone.
The major ethical issues related to ecommerce and privacy include
the following: Under what conditions should we invade the privacy
of others? What legitimates intruding into others’ lives through
unobtrusive surveillance, market research, or other means? The
major social issues related to e-commerce and privacy concern the
development of “expectations of privacy” or privacy norms, as well
as public attitudes. In what areas of life should we as a society encourage
people to think they are in “private territory” as opposed to public
view? The major political issues related to ecommerce and privacy
concern the development of statutes that govern the relations
between record keepers and individuals.
How should organizations - public and private - who are reluctant
to give up the advantages that come from the unfettered flow of
information on individuals - be restrained, if at all? In the following
section, we will look first at the various practices of e-commerce
companies that pose a threat to privacy.

Information Collected At E-Commerce Sites


Almost all (97%) Web sites collect personally identifiable
information and use cookies to track the click stream behavior of
visitors on the site.
Personally identifiable information (PII) is any data that can
be used to identify, locate, or contact an individual. As described
below, advertising networks track the behavior of consumers across
thousands of popular sites, not just at one site. In addition,
most sites collect anonymous information composed of
demographic and behavioral information that does not include
any personal identifiers. For instance, sites collect information
about age, occupation, income, zip code, ethnicity, and other data,
and place a cookie on your hard drive to identify you by number but
not by name.
Table 23.1 lists many of the personal identifiers routinely
collected by online e-commerce sites. Table 23.2 illustrates some
of the major ways online firms gather information about
consumers.

Table 23.1 Personal Information Collected by E Commerce Sites

Fig 23.2 The Internet’s Major Personally Identifiable Information Gathering Tools
Profiling: Privacy And Advertising Networks
A majority (57%) of all Web sites, and 78% of the most popular
100 sites, allow third parties - including advertising networks such
as Adforce, Avenue A, DoubleClick, Engage, L90, MatchLogic,
and 24/7 Media (these firms constitute about 90% of the network
advertising industry) - to place cookies on a visitor’s hard drive in
order to engage in profiling.
Profiling is the creation of digital images that characterize online
individual and group behavior. An advertising network such as
24/7 Media maintains over 60 million anonymous profiles and
more than 20 million personal profiles. DoubleClick maintains
over 100 million anonymous profiles.
Anonymous profiles identify people as belonging to highly
specific and targeted groups, for example, 20-30-year-old males,
with college degrees and incomes greater than $30,000 a year, and
interested in high fashion clothing.
Personal profiles add a personal e-mail address, postal address,
and/or phone number to behavioral data. Increasingly, online
firms are attempting to link their online profiles to offline
consumer data collected by the established retail and catalog firms.
In the past, individual stores collected data on customer movement
through a single store in order to understand consumer behavior
and alter the design of stores accordingly. Also, purchase and
expenditure data was gathered on consumers purchasing from
multiple stores - usually long after the purchases were made - the
data was used to target direct mail
and in-store campaigns, and mass media advertising. The online
advertising networks have added several new dimensions to
established offline marketing techniques. First, they have the ability
to precisely track not just consumer purchases but all browsing
behavior on the Web at thousands of most popular member sites,
including browsing book lists, filling out preference forms, and
viewing content pages. Second, they create the ability to dynamically
adjust what the shopper sees on screen - including prices. Third,
they create the ability to build and continually refresh high-resolution
data images or behavioral profiles of consumers. What’s
different about advertising networks is the scope and intensity
of the data dragnet, and the ability to manipulate the shopping
environment to the advantage of the merchant. Most of this
activity occurs in the background without the knowledge of the
shopper, and it occurs dynamically online in less than a second.
Online consumer Joe Smith goes to a Web site that sells sporting
goods. He clicks on the pages for golf bags. While there, he sees a
banner ad, which he ignores as it does not interest him. The ad
was placed by USAad Network. He then goes to a travel site and
enters a search on “Hawaii.” The USAad Network serves ads on
this site, and Joe sees an ad for rental cars there. Joe then visits an
online bookstore and browses through books about the world’s
best golf courses. USAad Network serves ads there as well. A
week later, Joe visits his favorite online news site, and notices an
ad for golf vacation packages in Hawaii. Delighted, he clicks on the
ad, which was served by USAad Network. Later, Joe begins to
wonder whether it was a coincidence that this particular ad appeared
and, if not, how it happened. The sample online profile illustrates
several features of such profiles.
First, the profile created for Joe Smith was completely anonymous
and did not require any personal information such as a name, e-mail
address, or social security number. Obviously, this profile
would be more valuable if the system did have personal
information because then Joe could be sent e-mail marketing.
Second, ad networks do not know who is operating the browser.
If other members of Joe’s family used the same computer to
shop the Web, they would be exposed to golf vacation ads, and
Joe could be exposed to ads more appropriate to his wife or
children. Third, profiles are usually very imprecise, the result of
“best guesses” and just plain guesses. Profiles are built using a
product/service scoring system that is not very detailed, and as a
result the profiles are crude.
In the above example, Joe is obviously interested in golf and
travel because he intentionally expressed these interests. However,
he may have wanted to scuba dive in Hawaii, or visit old friends,
not play golf. The profiling system in the example took a leap of
faith that a golf vacation in Hawaii is what Joe really wants.
Sometimes these guesses work, but there is considerable evidence
to suggest that simply knowing Joe made an inquiry about Hawaii
would be sufficient to sell him a trip to Hawaii for any of several
activities and the USAad Network provided little additional value.
As a result of the crudeness of the profiles, marketers have been
unwilling to pay premium prices for highly targeted, profile-based
ads, preferring instead to use more obvious and less expensive
techniques such as placing travel ads on travel sites and golf ads
on golf sites.
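The cross-site tracking in the Joe Smith walkthrough, as an added simulation that is not part of the original lecture notes: the ad network, site names, page categories, cookie name and scoring rules are all constructed. It also shows the two caveats the text raises, that the profile belongs to the cookie rather than the person (so a family member’s browsing on the same computer merges into Joe’s profile) and that the inferred interest is only a crude guess, together with the defender’s check of which cookies in the jar were set by a domain the user never visited.

```python
"""Simulation of the cross-site profiling mechanism in the Joe Smith
walkthrough: one ad network serves ads on several unrelated sites and keys an
anonymous profile to a persistent third-party cookie, not to a person.
Added example; the site names, page categories, ad inventory and scoring are
constructed for illustration and are not those of any real ad network.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import secrets

AD_DOMAIN = "usaad.example"   # hypothetical ad-network domain
COOKIE_NAME = "usaad_id"      # hypothetical third-party cookie name

# Constructed mapping of member-site pages to the interest categories the
# network infers from them (a deliberately crude taxonomy, as the text notes).
PAGE_CATEGORIES = {
    ("sportsgoods.example", "/golf-bags"): {"golf"},
    ("travel.example", "/search?q=hawaii"): {"hawaii", "travel"},
    ("travel.example", "/scuba-maui"): {"hawaii", "scuba"},
    ("books.example", "/best-golf-courses"): {"golf", "travel"},
    ("news.example", "/front-page"): set(),
}

# Constructed ad inventory: the minimum category scores each ad requires.
AD_INVENTORY = {
    "golf-vacation-hawaii": {"golf": 2, "hawaii": 1},
    "rental-cars": {"travel": 1},
    "generic-banner": {},
}


@dataclass
class Browser:
    """One browser on one computer. Cookies are keyed by the domain that set
    them; the jar belongs to the machine, not to whoever is typing."""
    cookies: dict = field(default_factory=dict)


class AdNetwork:
    """Holds anonymous profiles keyed by the cookie id it set: no name, e-mail
    or address, only category counts accumulated across member sites."""

    def __init__(self):
        self.profiles = defaultdict(lambda: defaultdict(int))

    def serve_ad(self, browser, site, path):
        """Called by the ad tag on a member site's page; returns the ad shown."""
        key = (AD_DOMAIN, COOKIE_NAME)
        if key not in browser.cookies:           # first contact on this machine
            browser.cookies[key] = secrets.token_hex(8)
        uid = browser.cookies[key]
        for category in PAGE_CATEGORIES.get((site, path), set()):
            self.profiles[uid][category] += 1    # same profile on every site
        return self.choose_ad(uid)

    def choose_ad(self, uid):
        """Most specific eligible ad: every required category must reach its
        minimum score; ties go to the ad with the higher total score."""
        profile = self.profiles[uid]
        eligible = [
            name for name, needs in AD_INVENTORY.items()
            if all(profile.get(c, 0) >= n for c, n in needs.items())
        ]
        return max(eligible, key=lambda name: (
            len(AD_INVENTORY[name]),
            sum(profile.get(c, 0) for c in AD_INVENTORY[name]),
        ))


def third_party_cookies(browser, visited_sites):
    """Defender's view: cookies whose setting domain is none of the sites the
    user actually visited; these are the identifiers that follow the browser
    across unrelated sites."""
    return sorted(
        domain for (domain, _name) in browser.cookies if domain not in visited_sites
    )


def joe_smith_walkthrough():
    """Replays the sequence from the text; returns the ad shown at each step."""
    net, browser = AdNetwork(), Browser()
    visits = [
        ("sportsgoods.example", "/golf-bags"),
        ("travel.example", "/search?q=hawaii"),
        ("books.example", "/best-golf-courses"),
        ("news.example", "/front-page"),
    ]
    ads = [net.serve_ad(browser, site, path) for site, path in visits]
    return net, browser, ads


def shared_computer_walkthrough():
    """A family member using the same browser: their page view lands in Joe's
    profile, because the cookie identifies the machine, not the person."""
    net, browser, _ = joe_smith_walkthrough()
    uid = browser.cookies[(AD_DOMAIN, COOKIE_NAME)]
    net.serve_ad(browser, "travel.example", "/scuba-maui")
    return dict(net.profiles[uid]), len(net.profiles)


if __name__ == "__main__":
    net, browser, ads = joe_smith_walkthrough()
    print("ads shown to Joe, in order:", ads)
    print("third-party cookies in jar:",
          third_party_cookies(browser, {s for s, _ in PAGE_CATEGORIES}))
    print("merged profile after a second user:", shared_computer_walkthrough())
```

Note that the golf-vacation ad is chosen purely because two golf pages and one Hawaii search happened to arrive through the same cookie; a scuba trip would have produced the same "golf" inference until the contradicting page view was seen.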
Network advertising firms argue that Web profiling benefits both
consumers and businesses. Profiling permits targeting of ads,
ensuring that consumers see advertising mostly for products and
services in which they are actually interested. Business benefit by
not paying for wasted advertising sent to consumers who have no
interest in their product or service. The industry argues that by
increasing the effectiveness of advertising, more advertising
revenues go to the Internet, which in turn subsidizes free content
on the Internet. Last, product designers and entrepreneurs benefit
by sensing demand for new products and services by examining
user searches and profiles.
Critics argue that profiling undermines the expectation of
anonymity and privacy that most people have when using the
Internet, and change what should be a private experience into one
where an individual’s every move is recorded. As people become
aware that their every move is being watched, they will be far less
likely to explore -sensitive topics, browse pages, or read about
controversial issues. In most cases, the profiling is invisible to
users, and even hidden. Consumers are not notified that profiling
is occurring. Profiling permits aggregating data on hundreds or
even thousands of unrelated sites on the Web.
The cookies placed by ad networks are persistent. Their tracking
occurs over an extended period of time and resumes each time the
individual logs on to the Internet. This click stream data is used to
create profiles that can include hundreds of distinct data fields for
each consumer. Associating so-called anonymous profiles with
personal information is fairly easy, and companies can change
policies quickly without informing the consumer.
Some critics believe profiling permits weblining - charging some
customers more money for products or services based on their
profiles.
Although the information gathered by network advertisers is often
anonymous, in many cases, the profiles derived from tracking
consumers’ activities on the Web are linked or merged with
personally identifiable information. DoubleClick and other
advertising network firms have attempted to purchase offline
marketing firms that collect offline consumer data for the purpose
of matching offline and online behavioral data at the individual
level. However, public reaction was so negative that no network
advertising firms publicly admit to matching offline PII with online
profile data. Nevertheless, client Web sites encourage visitors to
register for prizes, benefits, or content access in order to capture
personal information such as e-mail addresses. Anonymous
behavioral data is far more valuable if it can be linked with offline
consumer behavior, e-mail addresses, and postal addresses. This
consumer data can also be combined with data on the consumers’
offline purchases, or information collected directly from consumers
through surveys and registration forms.
As the technology of connection to the Internet for consumers
moves away from telephone modems where IP addresses are
assigned dynamically, and toward static assigned IP addresses used
by DSL and cable modems, then connecting anonymous profiles
to personal names and e-mail addresses will become easier and
more prevalent.
From a privacy protection perspective, advertising networks
raise issues about who will see and use the information held by
private companies, the absence of consumer control over the use
of the information, the lack of consumer choice, the lack of notice, and
the lack of review and amendment procedures. The pervasive and
largely unregulated collection of personal information online creates fears
and opposition among consumers. In recent surveys, 92% of households
said they do not trust online companies to keep their personal
information confidential, and 82% agreed that the government
should regulate how online companies use personal information.
One result of the lack of trust toward online firms and specific fears
of privacy invasion is a reduction in online purchases. An estimated
$3 billion was lost in 2000 sales, and $18 billion will be lost in
2002 online sales if nothing is done to allay consumer fears.
Concerns about online privacy have led to two types of regulatory
efforts: governmental regulation by federal and state agencies and
private self-regulation efforts led by industry groups. But before
considering these efforts to preserve and maintain privacy, we
should first take a more in-depth look at the concept of privacy.
The Concept of Privacy
Privacy is the moral right of individuals to be left alone, free from
surveillance or interference from other individuals or organizations,
including the state. Privacy is a girder supporting freedom: Without
the privacy required to think, write, plan, and associate
independently and without fear, social and political freedom is
weakened, and perhaps destroyed. Information privacy is a subset
of privacy. The right to information privacy includes both the
claim that certain information should not be collected at all by
governments or business firms, and the claim of individuals to
control over whatever personal information is collected
about them. Individual control over personal information is at
the core of the privacy concept.
Due process also plays an important role in defining privacy. The
best statement of due process in record keeping is given by the
Fair Information Practices doctrine developed in the early 1970s
and extended to the online privacy debate in the late 1990s
(described below).
Privacy claims - and thinking about privacy - mushroomed in
the United States at the end of the nineteenth century as the
technology of photography and tabloid journalism enabled the
invasion of the heretofore private lives of
wealthy industrialists. For most of the twentieth century, however,
privacy thinking and legislation focused on restraining the
government from collecting and using personal information. With
the explosion in the collection of private personal information by
Web-based marketing firms since 1995, privacy concerns are
increasingly directed toward restraining the activities of private
firms in the collection and use of information on the
Web. Claims to privacy are also involved at the workplace:
Millions of employees are subject to various forms of electronic
surveillance that in many cases is enhanced by firm Intranets and
Web technologies. For instance, 38% of employers monitor
employee e-mail, and 30% monitor employee computer files.
Legal Protections
In the United States, Canada, and Germany, rights to privacy are
explicitly granted in or can be derived from, founding documents
such as constitutions, as well as in specific statutes. In England
and the United States, there is also protection of privacy in the
common law, a body of court decisions involving torts or personal
injuries. For instance, in the United States, four privacy-related
torts have been defined in court decisions involving claims of
injury to individuals caused by other private parties: intrusion on
solitude, public disclosure of private facts, publicity placing a
person in a false light, and appropriation of a person’s name or
likeness (mostly concerning celebrities) for a commercial purpose.
In the United States, the claim to privacy against government
intrusion is protected primarily by the First Amendment
guarantees of freedom of speech and association, the Fourth
Amendment protections against unreasonable search and seizure
of one’s personal documents or home, and the Fourteenth
Amendment’s guarantee of due process.
In addition to common law and the Constitution, there are both
federal laws and state laws that protect individuals against
government intrusion and in some cases define privacy rights vis-à-vis
private organizations such as financial, educational, and media
institutions (cable television and video rentals).
Summary:
Internet and its use in e-commerce have raised pervasive
ethical, social and political issues on a scale unprecedented for
computer technology.
The major ethical, social, and political issues that have
developed around e-commerce over the past seven to eight
years can be loosely categorized into four major dimensions:
information rights, property rights, governance, and public
safety and welfare.
Ethics is at the heart of social and political debates about the
Internet. Ethics is the study of principles that individuals
and organizations can use to determine right and wrong
courses of action.