
UNIT 3: INTRODUCTION TO ELECTRONIC BUSINESS

Contents
3.0 Introduction
3.1 Objective
3.2 What is Electronic Commerce?
3.3 What is Intranet? Extranet?
3.4 Types of Electronic Commerce
3.5 Electronic Business Data Interchange (EBDI)
3.6 Electronic Payment System and Electronic Fund Transfer
3.7 Conventional and Electronic Payment Prior to Internet
3.8 Online Payments
3.9 E-Cash
3.10 Cryptography and Public Key Infrastructure
3.11 Summary
3.12 Answers to Check Your Progress
3.13 Glossary

3.0 INTRODUCTION

The word "electronic" has nowadays become a prefix for many activities, such as e-government,
e-administration and e-justice; but among these, one is prevalent: e-commerce. A great
many of the business transactions in today's business environment are transmitted over some
type of electronic network. The network may be very small and involve only a handful of
computers within a single business, or it may be so large that it encompasses the entire globe.
Either way, electronic networks are groups of computers that are connected together
electronically. They make it possible for companies to conveniently assemble transaction data
and distribute information across multiple physical locations. This unit provides accountants
with a basic understanding of data communications and network technologies so that they can
actively participate in planning, designing and managing the use of networks to carry out
electronic commerce.

3.1 OBJECTIVES

After careful reading of the unit, the reader must be able to:

• describe what electronic commerce is and discuss its effect on business processes
• describe the information technology components required to conduct electronic
commerce
• describe intranets and explain how they are made secure.

3.2 WHAT IS ELECTRONIC COMMERCE?

3.2.0 Overview

The term "electronic commerce" has evolved from its meager notion of electronic shopping to
mean all aspects of business and market processes enabled by the Internet and the World
Wide Web technologies.

Electronic commerce could be defined from different angles according to its uses and
applications.

3.2.1 Objectives

After reading this section, the reader must be able to:

• understand what electronic commerce is and describe how it works.

3.2.2 Electronic Commerce as Online Selling

Narrowly defined, electronic commerce means doing business online or selling and buying
products and services through Web storefronts. Products being traded may be physical
products such as used cars or services (e.g. arranging trips, online medical consultation, and
remote education). Increasingly, they include digital products such as news, audio and video,
database, software and all types of knowledge-based products. It appears then electronic
commerce is similar to catalog shopping or home shopping on cable TV.

3.2.3 Electronic Commerce as a Market

Electronic commerce is not limited to buying and selling products online. For example, a
neighborhood store can open a Web store and find the world at its doorstep. But, along with
customers, it will also find its suppliers, accountants, payment services, government agencies
and competitors online. These online or digital partners demand changes in the way we do
business from production to consumption, and they will affect companies who might think
they are not part of electronic commerce. Along with online selling, electronic commerce will
lead to significant changes in the way products are customized, distributed and exchanged and
the way consumers search and bargain for products and services and consume them.

In short, the electronic commerce revolution is in its effects on processes. A process-oriented
definition of electronic commerce offers a broader view of what electronic commerce is.
Within-business processes (e.g. manufacturing, inventorying, corporate financial
management, operation) and business-to-business processes (e.g. supply-chain management,
bidding) are affected by the same technology and network as are business-to-consumer
processes. Even government functions, education, social and political processes undergo
changes.

Learning activity 1

1. What is electronic commerce?

___________________________________________________________________________
___________________________________________________________________________

3.3 WHAT IS INTRANET? EXTRANET?

3.3.0 Overview
Intranets and extranets have become en vogue. Intranets and extranets share the common
protocol (TCP/IP) and Web technologies with the Internet. An intranet is a closed,
business-wide network, but it uses open standards such as TCP/IP instead of the proprietary
protocols traditionally used for LANs (local area networks, usually hard-wired) and WANs
(wide area networks, usually LANs connected by cable, telephone and wireless networks). An
extranet is a private WAN running on public protocols. That is, an extranet is a virtual private
network among private parties based on open networks and protocols. To assure security and
privacy, an extranet relies on a secured channel using tunneling protocols and digital IDs. In
a way, an extranet is a private street built on public land (although costs may be borne by
private parties).

3.3.1 Objectives
After careful reading of this section, the reader must be able to:
• understand intranets and extranets

3.3.2 What is the electronic marketplace?

Electronic markets ordinarily refer to online trading and auctions, for example, online stock
trading markets and online auctions for computers and other goods. The electronic marketplace
refers to the emerging market economy where producers, intermediaries and consumers
interact electronically or digitally in some way. The electronic marketplace is a virtual
representative of physical markets. The economic activities undertaken by this electronic
marketplace collectively represent the digital economy. Electronic commerce, broadly
defined, is concerned with the electronic marketplace. The electronic marketplace resembles
physical markets (the ones we know) in many aspects. As in physical markets, components of
the digital economy include:

• players (market agents such as firms, suppliers, brokers, shops and consumers)
• products (goods and services) and processes (supply, production, marketing,
competition, distribution, consumption, etc.).

The difference is that, in the electronic marketplace, at least some of these components are
electronic, digital, virtual or online (whichever is convenient). For example, a digital player
is someone with an email or a Web page. Purely "physical" sellers may be selling a digital
product, e.g. a digital CD-ROM. One that sells physical products at a physical store may offer
product information online (thereby allowing consumers to "search online"), while
production, ordering, payment and delivery are done conventionally. Currently, the emphasis
is on the core of the electronic marketplace where everything (i.e. all value chains or business
activities) is online. But, if any aspect of your business or consumption dwells upon the digital
process, you are already part of the electronic marketplace. That is, almost all of us are
already players in the electronic marketplace!

3.3.3 How is the electronic marketplace different from physical markets?

On the surface, the electronic marketplace appears to be something of a perfect market, where
there are numerous, worldwide sellers and buyers, who in turn have bountiful information
about the market and products, and where no intermediaries are necessary. Such a market is
very competitive and efficient (with no need to regulate or intervene arbitrarily).

However, closer looks indicate that consumer searches are not very efficient (due to the cost
of having a complete, easily searchable database, and because sellers may not provide all
information necessary). Although wholesalers and retail outlets may not be needed, other
types of intermediaries appear to be essential for the electronic market to function adequately
(e.g. certification authorities, electronic malls who guarantee product quality, mediators for
bargaining and conflict resolution, etc.). All these brokers add transaction costs. Will prices be
lower?

Digital products are highly customizable due to their transmutability, i.e. they are easy to revise,
reorganize and edit. With information about consumer tastes, products will be differentiated
(or "customized", e.g. custom news). The number of potential sellers may be low, or even
only one, in a highly differentiated and segmented market, and the price will tend to
approach the maximum price the buyer is willing to pay. (In economic terms, sellers practice
"first degree or perfect" price discrimination, which is the exact opposite of the result we get in a
perfectly competitive market.)

The electronic market also results in "zero marginal cost". That is to say that digital products will
be priced at zero (given out free) because their reproduction costs will be minimal. But this is
true only if (1) the marginal cost is really approaching zero and (2) there is effective
competition among sellers. In short, the marginal cost of a digital product may be substantial.
Even when it is close to zero, prices in a non-competitive market will be determined more by
demand (or the buyer's willingness to pay) than by marginal cost. Unless we think all
information and digital products are of no value, they will never be priced at zero by sellers
with market power. (Giving out free products today does not mean that sellers are doing it
because the costs are zero or that they will continue to do so when they monopolize the
market.)

Learning activity 2

1. What is intranet?

_____________________________________________________________________
_____________________________________________________________________

2. What is extranet?

_____________________________________________________________________
_____________________________________________________________________

3.4 TYPES OF ELECTRONIC COMMERCE

3.4.0 Overview

Electronic commerce takes different forms depending on the nature of the parties who take
part in the transaction process. Some of the common types of e-commerce are discussed as
follows:

3.4.1 Objectives

After careful reading of this section, the reader must be able to:

• understand the common types of electronic commerce

3.4.2 Business-to-Consumer (B2C)

When most people think of electronic commerce, they think of business-to-consumer
relationships. Indeed, you may regularly participate in this form of electronic commerce,
buying books or music from a company like Amazon.com. Business-to-consumer electronic
commerce receives a great deal of attention in the press, and it is a large and ever-growing
market.

Business-to-consumer electronic commerce transactions are relatively simple. For example, a
consumer will visit a company's web site, browse through their offerings, place an order, and
pay for the purchase at the same time the sale occurs, usually with a credit card. The company
then ships the goods and the transaction is completed.

An important issue in business-to-consumer electronic commerce is trust. Consumers want to
know that a company's web site represents the company and that the company has procedures in
place to safeguard their personal information. In response to such concerns, a number of
organizations offer services designed to provide assurance about the company behind a web
site. One such service, called WebTrust, was developed by the AICPA.

3.4.3 Business-to-Business (B2B)

Electronic commerce is not limited to business-to-consumer transactions, however. Indeed,
the volume of business-to-business electronic commerce is many times larger than that of
business-to-consumer transactions. Moreover, although there are many similarities between
business-to-consumer and business-to-business electronic commerce, there are also some
important differences. First, with the exception of miscellaneous purchases, most businesses
engage in transactions with companies with whom they have established ongoing
relationships. For example, automobile manufacturers have preferred suppliers for such items
as car seats, brakes, and tires. Thus, because most transactions take place between companies
that know each other, there is less need in business-to-business electronic commerce for a web
assurance service like WebTrust.

Business-to-business electronic commerce also differs from business-to-consumer electronic
commerce in its emphasis on accountability and control. As a result, business transactions
between companies have traditionally involved the exchange of a number of documents, such
as purchase orders, bills of lading, receiving reports, and invoices. Various approval steps are
also built into the process. Buyers and sellers may have relationships with different
transportation companies and, therefore, may have to negotiate which carrier to use. Sellers
frequently extend direct credit to the customer, and often bill them periodically for all sales
transactions made during that time period. Customers remit payments to the seller, who must
then reconcile the payments received against outstanding sales invoices.

All of this adds complexity. Traditionally, it also involves the processing of large volumes of
paper documents. Business-to-business electronic commerce still requires much of the same
information to be exchanged between companies, but now that information is exchanged
electronically instead of via paper documents. Thus, business-to-business electronic
commerce requires electronic data interchange capabilities.

Learning activity 3

1. What are the common types of electronic commerce?

__________________________________________________________________________________________
__________________________________________________________________________________________

3.5 ELECTRONIC BUSINESS DATA INTERCHANGE (EBDI)

3.5.0 Overview

The electronic exchange of business documents between and within large companies is a
routine affair. Electronic Business Data Interchange (EBDI) encompasses the exchange
through electronic communications of all forms of business documents, including:
1. Electronic mail (E-mail): the transfer of messages (text mail) and files (e.g.
graphic plans and drawings, legal documents, and databases).
2. Electronic Data Interchange (EDI) and Trade Data Interchange (TDI): the
computer-to-computer transfer of purchase orders, sales orders, inventory advices,
shipping schedules, and other financial documents.
3. Electronic Funds Transfer (EFT): the transfer of money.

3.5.1 Objectives

After careful reading of this section, the reader must be able to:

• explain the concept of electronic business data interchange

3.5.2 Electronic Mail (E-mail)

E-mail involves the sending of text and files via electronic communications. Almost any kind
of information can be sent as E-mail, including accounting transactions. The specific software
for formatting, sending, and receiving E-mail messages and files varies from one network to
the next. E-mail standards were discussed in Chapter 3, and an example of E-mail and
accounting transactions is given in the discussion that follows a few paragraphs below.

3.5.3 Electronic Data Interchange (EDI)

By some estimates, 7 percent of all corporate spending is dedicated to sending invoices,
processing purchase and sales orders, and related expenses. According to analysts, these costs
can be cut in half by EDI. A good example of cost savings resulting from EDI is the First
National Bank of Chicago, which claims that because of EDI it saves over $ 1 million a year
in forms and supplies. Overall there are four typical benefits resulting from EDI:
1. Cost savings
2. Minimizing errors
3. The ability to complete transactions quickly
4. Adaptability to new forms of business
5. Helps organizations to reduce cycle time.

[Figure (EDI): Reaping the full benefits of EDI requires that it be fully integrated with the
company's AIS. The figure shows purchase orders flowing from the company's AIS over EDI
to its suppliers, and customer orders flowing over EDI from its customers into the AIS.
Source: Accounting Information Systems, 9/e, Romney/Steinbart, ©2003 Prentice Hall
Business Publishing, 3-13]

Costs are reduced by eliminating paperwork. Errors are minimized by reducing the amount of
human data entry. For example, when one company electronically sends a purchase order to
an EDI trading partner, the partner uses the incoming purchase order to automatically
generate a sales order. This contrasts with the typical non-EDI purchase/sales transaction, in
which the trading partner must manually key in the sales order.

A third benefit of EDI is that it allows companies to complete transactions more quickly.
Digital Electronics Company, for example, was able to cut the administrative cycle for its
inventories from five weeks to only three days. This sort of time saving makes a company
more competitive. It also helps companies to reduce their inventories and implement just-in-
time (JIT) delivery.

The fourth benefit of EDI is that it allows companies to rapidly take advantage of new
business opportunities. With EDI, new business relationships can rapidly be formed by
establishing EDI communication links. Once these links are established, bids and purchase
orders can be exchanged quickly in standard EDI format.

How an EDI System Works. Before two companies interchange documents with each
other, both companies must sign an EDI partnership agreement that sets forth in legal terms
how electronic business will be transacted. Some of the elements of this agreement specify the
following:

1. The medium through which EDI messages are transmitted. Examples include standard
telephone lines, satellite links, ISDN, and vendors of public packet-switching services.
2. The standardized computer formats to be used for various documents (e.g., purchase orders,
invoices, and so on).
3. The security measures.
4. Acknowledgement procedures.
5. Error-handling procedures.
Once the EDI agreement is in effect, the parties can send and receive EDI documents in one
of three ways, as governed by their agreement:
1. Directly through direct company-to-company communications.
2. Indirectly through public networks such as SPRINTNET, TYMNET, MCI, and
AT&T.
3. Indirectly through a third party that supplies EDI services, or through their own
computer systems using third-party turnkey systems.
If the companies send and receive EDI documents directly through company-to-company
communications (e.g., standard phone lines, VSAT, or ISDN), both companies must use the
appropriate translation and communication software. The translation software converts in-house
documents to and from the agreed-upon standardized EDI format, and the
communication software sends and receives the EDI documents. Many software packages are
available for personal computers and mainframes that provide the needed communication
and translation services. Examples include American Business Computer's Electronic Data
Exchange PC/Mini and Supply Tech Inc.'s STX.12 for the mainframe. Some software
packages even integrate EDI with other functions such as MRP and EFT.

The second alternative is for two companies to send and receive documents indirectly through
a public value added network (VAN) such as SPRINTNET or MCI. One way to implement
this approach is to send and receive EDI messages through the VAN's E-mail system using
the OSI X.400 E-mail protocol. The OSI X.400 E-mail protocol is a very widely accepted
broad protocol for the transfer of mail messages, text files, binary files, and graphics. Users of
VAN systems still must have their own translation and communication software: the VAN
simply provides the means to transfer EDI messages from one company to another.

The final alternative is to use a third-party turnkey system. Third-party EDI vendors provide a
full range of communication and translation products and services. Examples of major
vendors for EDI products and services include General Electric Information Services (GEIS),
Digital Electronics Corporation (DEC), Western Union, and IBM. For example, as a
component of its Network Application Support and DECnet architecture, DEC provides
DEC/EDI, a comprehensive EDI software system. DEC/EDI runs on a single DEC VAX
computer or can be distributed across a network of VAX computers. This software consists of
three servers:

1. The DEC/EDI Communications Server
2. The DEC/EDI Translation Server
3. The DEC/EDI Application Server

The Communication Server automatically sends and receives EDI information. The company
has a wide range of communication options, including direct X.400 company-to-company
messaging, as well as multiple VANs, such as AT&T and MCI, and their X.400 services. All
incoming and outgoing EDI messages are automatically logged to disk.
The Translation Server supports automatic translations from and into a wide variety of
translation formats, including those widely used in the United States and Europe. Standards
for translation formats are discussed below.

The Application Server consists of a set of application-callable program routines that the
accounting (or other) application can use to access incoming messages or send outgoing
messages.
Here is an example of how EDI works in a retailing firm:
Assume the following:
1. All sales come from purchase order system terminals
2. An inventory server automatically sends requisitions to the accounting application
server when inventories are low.

Assume that the accounting application server receives a request from the inventory server to
order more goods. The application server then automatically generates a purchase order and
sends it to the translation server, indicating the desired vendor and EDI format. Next, the
translation server automatically converts the document into the vendor's EDI format and sends
it to the communication server. The communication server then sends the purchase order to
the vendor. Later, when an order confirmation is received from the vendor, the
communication server forwards the incoming message to the accounting server, which then
logs the confirmation into the purchasing database. This entire transaction might take as short
a time as five or ten minutes, or less.

Less sophisticated companies might use simpler methods that require more human
intervention. For example, instead of the inventory and accounting servers, the company
might use various electronic mailboxes. That is, the inventory department might send the
requisition to the purchasing department via electronic mail. The purchasing department
might then review and approve the requisition, and then send an electronic purchase order to
the translation server. The rest of the transaction would be automatic.

In an even simpler approach, a company might key in the purchase order, manually run a
program to convert it to EDI format, and then manually send the EDI message to the vendor
via electronic mail. The purchasing department might even need to manually call the vendor's
computer in order to send the message.

In general, EDI is made more effective by integrating it with other systems in the company.
Further, EDI integrates especially well with EFT, providing for instant payment to vendors.
EDI Standards
Public EDI standards have been developed to facilitate the electronic exchange of business
data between independent companies. Such standards provide a common architecture for data
interchange while ensuring that individual companies can maintain their own proprietary
formats for internal processing of data. Some companies have gone a step further and adopted
EDI standards for internal use.

3.5.3.1 EDI standards
In the United States and Canada, the most commonly used standard is American National
Standards Institute (ANSI) Standard X.12. In Europe the most popular EDI standard is
EDIFACT. Further, many industries have developed their own standards.
Other standards for the respective industries have been developed:

• The chemical industry most commonly uses CDIX
• The grocery and warehousing industries use WINS/UCS
• The electrical industry uses EDIX
• The automotive industry uses ODETTE.

Learning activity 4
1. What is EBDI?
________________________________________________________________________
________________________________________________________________________

2. What are the advantages of EDI?


________________________________________________________________________
________________________________________________________________________

3.6 ELECTRONIC PAYMENT SYSTEM AND ELECTRONIC FUND TRANSFER

3.6.0 Overview

Electronic Funds Transfer (EFT) or payment is a large group of methods for sending
informational messages that electronically effect economic exchanges. Overall, EFT is similar
to EDI in that it mainly involves sending an electronic message from one place to another.
EFT is also similar to EDI in that it is also heavily influenced by public messaging standards.

3.6.1 Objectives

After careful reading of this section, the reader must be able to:

• describe electronic payment systems and funds transfer

3.6.2 Electronic Fund Transfer

3.6.2.1 Electronic Funds Transfer

Electronic Funds Transfer (EFT) is a large group of methods for sending informational
messages that electronically effect economic exchanges. Overall, EFT is similar to EDI in that
it mainly involves sending an electronic message from one place to another. EFT is also
similar to EDI in that it is also heavily influenced by public messaging standards.

EFT Messaging Standards: Some of the major EFT message formats are shown in figure 1.
In practice, CCD Plus is probably the most widely recognized standard used among banks.
However, some banks also recognize CTX, making it possible for corporate EDI systems to
communicate directly with their banks’ systems.

First Interstate of Los Angeles is an example of a bank that accepts EDI instructions for
payment. The retailer desiring to pay a supplier sends a request for payment to First Interstate
in ANSI 820 format. The bank then converts the ANSI 820 payment message into a CTX
message and sends it to the supplier’s bank, possibly through a VAN. The supplier’s bank can
then send the supplier either an electronic or printed copy of the message.

In this example, two types of message exchanges take place. The first message, the
company's request for payment, is an example of a retail EFT message. The second message,
the bank-to-bank transfer of funds, is an example of a wholesale EFT message. There is also a
third type of EFT message exchange, the public or private message exchange. All three major
types of EFT messages are summarized as follows:

Figure 1: EFT Message Formats

EFT Message Standard: Description

Cash Concentration and Disbursement (CCD): A messaging format used for transferring
funds into a central account. Messages contain a maximum of 94 characters.

CCD Plus: An enhanced version of CCD that packs more information into the 94-character
message. This format is sponsored by the National Automated Clearing House Association
(NACHA).

Corporate Trade Payment (CTP): A messaging format capable of including over 5,000 lines
of information in a single transaction (i.e., message). This format is used by Sears to pay its
suppliers.

Corporate Trade Exchange (CTX): A NACHA-supported messaging format that is compatible
with ANSI 820, a format compatible with ANSI X.14 and capable of carrying detailed
remittance-advice information such as purchase order numbers, product descriptions, and so on.

EFT Message Type: Message Purpose

Wholesale EFT: For the immediate transfer of funds from one bank to another.

Retail EFT: For a company to send a request for payment to its bank.

Public and Private Message Exchanges: For one bank to send instructions to another bank
regarding the transfer of funds.

Wholesale EFT System: The immediate transfer of funds from one financial institution to
another is accomplished through wholesale EFT. This type of funds transfer is made between
banks that have memberships (i.e., credit accounts) with some common central bank that acts
as an automated clearing house (ACH) for EFT transactions. When one member bank
wishes to send funds to another member bank, it sends a message to the central bank
requesting that its account with the central bank be charged and that the other bank's account
be credited. The central bank then forwards the message to the bank receiving the funds. The
entire process typically takes ten minutes or less.

Most U.S. banks use one or more of three clearing house systems for wholesale EFT: the
Federal Reserve System (Fed Wire), the Clearing House Inter bank Payment System
(CHIPS), or the Clearing House Automated Payment System (CHAPS).

Fed Wire is used to transfer funds between members of the Federal Reserve System. One
member bank sends funds to another member bank by sending a Fed Wire message to its
district Federal Reserve Bank. The Federal Reserve then charges the account of the sending
bank and credits the account of the receiving bank, and then automatically forwards the
message to the receiving bank. All member banks must settle up with the Federal Reserve at
the end of each business day. Banks that receive more Fed Wire funds than they send in a
given day are said to be in a net receiving position. On the other hand, banks that send more
Fed Wire funds than they receive in a given day are said to be in a net paying position. Banks
in a net paying position settle their account with the Federal Reserve by remitting funds.
Those in a net receiving position settle their account by receiving funds from the Federal
Reserve.

The Fed Wire message format allows the sending bank to include a customer account number.
The receiving bank uses this account number as a basis for adding the incoming funds to the
designated customer's account.
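The following simulation, added here as an illustration and not taken from the textbook or from any real Fed Wire software or message format, walks through the clearing and settlement steps just described: the central bank charges the sender's account, credits the receiver's, forwards the message, classifies each member as net receiving or net paying, and settles at the end of the day. The bank names, amounts and field names are constructed assumptions; the ledger-balance check before settlement is the control a reviewer would expect.

```python
"""Fed Wire-style wholesale EFT clearing and end-of-day settlement (constructed simulation)."""
from dataclasses import dataclass

# Amounts are kept in whole cents so that balances stay exact integers.


@dataclass(frozen=True)
class FedWireMessage:
    sender: str            # sending member bank (constructed identifier)
    receiver: str          # receiving member bank (constructed identifier)
    amount_cents: int      # funds to move, in cents
    customer_account: str  # account at the receiving bank to credit (hypothetical field)


class CentralBank:
    """Acts as the automated clearing house (ACH) for its member banks."""

    def __init__(self, members):
        # Each member's running net position with the central bank, starting at zero.
        self.accounts = {bank: 0 for bank in members}
        self.forwarded = []   # messages forwarded to receiving banks after posting
        self.rejected = []    # (message, reason) pairs that were not posted

    def process(self, msg):
        """Post one message: charge the sender, credit the receiver, forward the message."""
        reason = None
        if msg.sender not in self.accounts or msg.receiver not in self.accounts:
            reason = "both parties must be member banks"
        elif msg.sender == msg.receiver:
            reason = "sender and receiver must differ"
        elif msg.amount_cents <= 0:
            reason = "amount must be positive"
        elif not msg.customer_account:
            reason = "customer account number required to credit the funds"
        if reason is not None:
            self.rejected.append((msg, reason))
            return False
        self.accounts[msg.sender] -= msg.amount_cents
        self.accounts[msg.receiver] += msg.amount_cents
        self.forwarded.append(msg)
        return True

    def net_positions(self):
        """Classify each member as net receiving, net paying or balanced for the day."""
        positions = {}
        for bank, balance in self.accounts.items():
            if balance > 0:
                positions[bank] = "net receiving"
            elif balance < 0:
                positions[bank] = "net paying"
            else:
                positions[bank] = "balanced"
        return positions

    def settle_end_of_day(self):
        """Net paying banks remit funds, net receiving banks receive funds; positions reset."""
        # Every charge was matched by an equal credit, so positions must sum to zero.
        if sum(self.accounts.values()) != 0:
            raise RuntimeError("ledger out of balance; refusing to settle")
        remittances = {b: -bal for b, bal in self.accounts.items() if bal < 0}
        receipts = {b: bal for b, bal in self.accounts.items() if bal > 0}
        for bank in self.accounts:
            self.accounts[bank] = 0
        return remittances, receipts


def run_sample_day():
    """One constructed day of traffic among three member banks (sample data only)."""
    fed = CentralBank(["BANK-A", "BANK-B", "BANK-C"])
    traffic = [
        FedWireMessage("BANK-A", "BANK-B", 500_000, "B-ACCT-0001"),
        FedWireMessage("BANK-B", "BANK-C", 200_000, "C-ACCT-0002"),
        FedWireMessage("BANK-C", "BANK-A", 100_000, "A-ACCT-0003"),
        FedWireMessage("BANK-A", "BANK-C", 50_000, "C-ACCT-0004"),
        FedWireMessage("BANK-A", "BANK-X", 75_000, "X-ACCT-0005"),  # BANK-X is not a member
        FedWireMessage("BANK-B", "BANK-A", 0, "A-ACCT-0006"),       # zero amount
    ]
    for msg in traffic:
        fed.process(msg)
    positions = fed.net_positions()
    balances = dict(fed.accounts)
    remittances, receipts = fed.settle_end_of_day()
    return {
        "forwarded": len(fed.forwarded),
        "rejected": len(fed.rejected),
        "balances": balances,
        "positions": positions,
        "remittances": remittances,
        "receipts": receipts,
        "after_settlement": dict(fed.accounts),
    }


if __name__ == "__main__":
    for key, value in run_sample_day().items():
        print(f"{key}: {value}")
```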

CHIPS is an ACH system used to transfer Eurodollar payments between U.S. and non-U.S.
financial institutions. Its central clearing house is in New York. Many CHIPS participants,
called settling banks, settle their accounts with CHIPS at the end of each day through their
Federal Reserve accounts. Banks that do not settle through a Federal Reserve account are
called non-settling banks. Such banks settle their daily accounts with CHIPS through a bank
that is a settling bank rather than through the Federal Reserve.

CHAPS is a clearing house system based in England. Settlements are effected through the
Bank of England.
Retail EFT System: There are many systems that allow companies and consumers to send
EFT instructions to their banks. Some of these systems are as follows:
• Telephone wire transfers
• Telephone payment systems
• Preauthorized payment systems
• Point-of-sale (POS) systems
• Automated teller machines (ATMs)
In a telephone wire transfer, the company (or consumer) places a telephone call to its bank,
provides an appropriate identification number, and gives verbal instructions for an EFT
payment. The bank charges the company's (or consumer's) account and then performs the EFT
transaction through whatever means is convenient.
In a telephone payment system, commonly referred to as a pay-by-phone system,
companies (or consumers) can call their bank and give verbal or computer instructions for
making payments to particular merchants. A good example is Chase Manhattan's pay-by-phone
service, in which bank customers make telephone calls to the bank and provide
information for payees (e.g., payee name, account number, and payee address). The bank then
sends a letter to the payee verifying the account information. When this process is complete,
the bank customer can thereafter call the bank anytime (either by voice or by computer),
give a prearranged password and payee code, and instruct the bank to pay an amount due to
the payee. The bank will then make an EFT payment to the payee on the customer's behalf, or
if this is not possible, send the payee a check through the mail with a memorandum requesting
that the customer's account be credited.

In a preauthorized payment system, the bank customer gives the bank standing instructions
for automatically making recurring payments. The bank then makes the payments in the same
manner as that of pay-by-phone systems. Many pay-by-phone systems allow their customers
to make preauthorized payments.

In a POS system, the company typically scans the customer’s debit or credit card and
receives immediate authorization for the sale. The company’s bank account is credited the
next business day after the sale.

ATMs are similar to POS systems. They work with both debit and credit cards and allow
customers to make deposits, withdrawals, balance inquiries, transfers, and cash advances.
Many ATMs are linked together in national or international packet-switched networks.
Customers can make cash withdrawals at any ATM in the network. Transactions typically
take effect the next business day.

Public and Private Message Exchanges: Some message systems are directed toward
sending instructions to effect the transfer of funds. The transfer of funds typically does not
take place simultaneously with the message’s transmission. In many cases a private bank is
used as a clearing house.

These types of systems are called public and private message exchanges (PPME).
Telex and SWIFT (the Society for Worldwide Interbank Financial Telecommunication) are
PPMEs. Telex is a very old system for the worldwide sending of hard-copy messages, and is
sometimes used by smaller banks that cannot afford more expensive systems. The problem
with this method is that authenticating messages involves a complex and time-consuming
process.

SWIFT is often used by U.S. banks to effect overseas transfers. Assume, for example, that a
company in Geneva, Switzerland, wants to send an EFT to a company in Pittsburgh,
Pennsylvania, and that both companies have accounts in the XYZ bank in New York City.
The sending bank would send a SWIFT message to the Pittsburgh bank through the XYZ bank
in New York City, which would act as a clearing house. SWIFT can also interface with
FEDWIRE.

3.6.2.2 Money Transfer Through SWIFT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a Belgium-based
company that manages the transfer of money across banks in more than 200 countries. The
emergence of SWIFT has totally replaced telex transfer except in some developing
countries.

SWIFT applies several types of message transfer (MT) standards to execute financial transfers
among banks. Each bank, once it becomes a member of the SWIFT society, is given a SWIFT
code. Banks with different branches, each operating independently, have an additional suffix
on the main SWIFT code. For instance, the Construction Bank of China has more than seven
hundred SWIFT codes. Nowadays SWIFT financial transfer is overtaking the US-based
FEDWIRE, CHAPS and CHIPS transfers. These are non-existent in developing countries.

3.6.2.3 Message Transfer Standards (MT)

Money transferred through SWIFT is conducted by using several types of message transfer
standards (MTs), according to the correspondence relationship of the involved banks.
Furthermore, each message type contains its own field numbers, field titles and field
characters, and each of these field properties has a different meaning for the transmitting
banker.

Some of the most frequently used message types are described as follows:

Message type   Message purpose
MT 400         To transfer money when both the advising and remitting bank are the same (i.e. the correspondent)
MT 202         To transfer money when the remitting bank is not a correspondent
MT 103         To transfer money when the remitting party is not a bank
MT 700         To transmit a letter of credit instrument
MT 199         A free format message to communicate a non-financial message
MT 299         A free format message type
MT 799         Used to transmit amendments to L/C terms

For example, the MT103 message shown in Appendix 1 was prepared to transfer 5,710 U.S.
dollars. It contains different fields, such as field 57A, which is always used to record the bank
to which the funds will be paid and where the receiver’s bank account is held. In this case the
beneficiary is CVM TECHNOLOGY INC., their bank is WACHOVIA BANK NA and its SWIFT
code is PNBUS33. If the SWIFT code cannot be determined, this is not a problem: field 57A
would instead be given as 57D or 57K, and a normal bank address, such as a P.O. Box and
street name, would be recorded in place of the SWIFT code.

Each SWIFT address contains a minimum of eight characters. Reading from the end, each pair
of characters signifies the city code, the country code and the bank code, and a branch code is
sometimes appended, if any.

Any bank in Addis Ababa, for instance, will have a suffix of ETAAA, whereas a bank in
Dubai will contain the suffix AEAA in its SWIFT code.
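As an added Python example (not code from the original text), the following parser splits a SWIFT code into its components using the ISO 9362 BIC layout (4-character bank code, 2-letter country code, 2-character location code, optional 3-character branch code) and then applies the field 57 rule described above to an MT103 text block: option A must carry a SWIFT code, options D and K a name and address instead. The MT103 block and every BIC in it are constructed and fictitious.

```python
"""Parse SWIFT/BIC codes and check the field 57 options of an MT103 text block.

Added example, not part of the original text. BIC layout per ISO 9362:
4-character bank code, 2-letter ISO country code, 2-character location code
and an optional 3-character branch code, so an 8-character BIC denotes a head
office and an 11-character BIC denotes a branch. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Classic BIC: letters for the bank code (the 2014 revision of ISO 9362 also
# allows digits there), letters for the country, alphanumeric location/branch.
BIC_RE = re.compile(r"^(?P<bank>[A-Z]{4})(?P<country>[A-Z]{2})"
                    r"(?P<location>[A-Z0-9]{2})(?P<branch>[A-Z0-9]{3})?$")


@dataclass(frozen=True)
class Bic:
    bank: str
    country: str
    location: str
    branch: Optional[str]  # None for an 8-character head-office BIC


def parse_bic(code: str) -> Optional[Bic]:
    """Return the components of a well-formed BIC, or None if it is malformed."""
    m = BIC_RE.match(code.strip().upper())
    if not m:
        return None
    return Bic(m["bank"], m["country"], m["location"], m["branch"])


def parse_fields(block: str) -> Dict[str, str]:
    """Split a block of ':TAG:value' lines into a tag -> value map.
    Lines without a leading colon continue the previous field's value."""
    fields: Dict[str, str] = {}
    tag = None
    for line in block.strip().splitlines():
        if line.startswith(":"):
            tag, _, value = line[1:].partition(":")
            fields[tag] = value
        elif tag:
            fields[tag] += "\n" + line
    return fields


def check_field_57(fields: Dict[str, str]) -> str:
    """Option A must hold a BIC; options D/K hold a name and address instead.
    Returns 'ok' or the reason the field is not acceptable."""
    present = [t for t in ("57A", "57D", "57K") if t in fields]
    if len(present) != 1:
        return "exactly one of 57A/57D/57K is required"
    tag = present[0]
    if tag == "57A":
        # A party identifier line (e.g. '/C/...') may precede the BIC; the BIC is last.
        bic_line = fields[tag].splitlines()[-1]
        if parse_bic(bic_line):
            return "ok"
        return f"57A does not hold a valid BIC: {bic_line!r}"
    lines = [l for l in fields[tag].splitlines() if l.strip()]
    if len(lines) >= 2:
        return "ok"
    return f"{tag} needs a name and address, got {len(lines)} line(s)"


# Constructed MT103 text block: fictitious parties and BIC, amount as in the text (USD 5,710).
SAMPLE_MT103 = """
:20:REF20240101001
:32A:240101USD5710,
:50K:/0011223344
ORDERING CUSTOMER PLC
:57A:EXBKUS33XXX
:59:/987654321
BENEFICIARY INC
:71A:SHA
"""

if __name__ == "__main__":
    print(parse_bic("EXBKUS33XXX"))
    print(check_field_57(parse_fields(SAMPLE_MT103)))
```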

3.6.2.4 Procedures in SWIFT transfer in a specific private bank


Bankers in the international banking division, after completing all the necessary paperwork,
prepare the appropriate message type, such as those shown above. They then record the
appropriate data in the appropriate fields of the SWIFT window, which operates like a DOS
application.

Then the message is signed by two officials to double-check its technical correctness. The
original message is designated, on the left side, as HCPY, meaning “HARD COPY”.

The double-signed message is sent to the SWIFT department with an extra copy. The copy of
the HCPY is signed and returned to the message-preparing party to ensure that the
appropriate person in the SWIFT department received it.

After the message is transferred to the correspondent bank abroad, the system itself generates
an exact copy of the delivered message with the mark ACK (acknowledgment copy) on the left
side. This ensures that the message was delivered and received by the advising bank abroad,
and repudiation is eliminated.

Learning activity 5
1. What are the different types of electronic payment systems? Discuss them.
___________________________________________________________________________
___________________________________________________________________________

3.7 CONVENTIONAL AND ELECTRONIC PAYMENT PRIOR TO INTERNET

3.7.0 Overview

In this section, we will look at the modes of payment used prior to the Internet and then see in
detail the payment mechanisms used with the help of the Internet.

3.7.1 Objectives

After careful reading of this section, the reader must be able to:

 understand electronic and conventional payment systems.

A) Cash

Cash currently represents 80 percent of day-to-day transactions. Being versatile, its use does
not require a financial intermediary, and it can be converted at a rate close to its announced
value as long as it has a serious central bank, Government and developed economy behind it.
The dollar, as the most usable and accepted cash in the world, sometimes even pushes
local currencies out of circulation, the well-known phenomenon of dollarization seen in many
third world economies. In the latter, cash is used in all domains, including inter-enterprise
payments, predominantly within the framework of the informal economy. Lack of trust and a
propensity to hide incomes from tax authorities could keep cash for quite some time as an
important traditional payment method. Servicing both traditional and Internet-based
commerce in those countries, cash continues to be an important payment instrument in
business-to-consumer and person-to-person low-value transactions.

Cash is not without its problems, however. The costs incurred by central banks to produce
and maintain the national stock of notes and coin greatly exceed the seigniorage revenues for
the right of issuing them. It is open to attack from counterfeiters. It can be stolen. While its
anonymity makes it attractive to citizens who wish to keep their transactions private, it is
equally attractive to organized crime, and its use in large-value transactions is often associated
with tax evasion or money laundering.

B) Money orders, checks, drafts, notes, bills of exchange

Higher-value transactions need more security than cash can provide. Hence the importance of
modern financial intermediaries transferring value for their clients mainly through proprietary
electronic means of communication, the so-called intranets. These modes of payment involve
money orders, i.e. bank transfers on the orders of clients, or documents issued in paper and
electronic forms, mainly by banks, such as checks, drafts, bills of exchange, promissory notes,
documentary collections and credits.

Drafts and notes might be issued for immediate payment (sight draft) or represent a promise
to pay at some future date, hence giving a financing opportunity to the debtor (term draft).
Drafts, including bills of exchange (instructions to pay) and promissory notes (promises to
pay), are negotiable, i.e. they are transferable instruments whereby the beneficiary (normally a
company) might, through the secondary market (acceptance market), discount the instrument
and pass the right to collect to another beneficiary (normally a financial intermediary). The
latter might then opt to resell portions of the underwritten risk to other financial
intermediaries (forfaiting market). Afterwards the debt instrument might have its own
autonomous life, i.e. change hands in the secondary market until the debt is honored.

Drafts and notes are instructions to the payer’s bank, or a promise, to transfer funds to the
payee. They are fundamentally dependent on the presence of financial intermediaries, usually
banks, as well as the clearing and settlement mechanisms created by the latter. The bill of
exchange is a similar instrument and is widely used to finance trade in so-called documentary
collections.

The check and other negotiable money instruments can be used as payment vehicles to
transfer values of any amount. They involve at least one financial intermediary and might be
associated with a considerable amount of paper processing, i.e. elapsed time and transaction
costs. This effectively makes them impractical for very small transactions. Checks, as a
promise to pay, depend on quite a degree of trust being established beforehand between the
two parties. The seller in this case might demand evidence of an asset, collateral or surety
from the buyer and will try to include the right to realize the collateral in a contract. It is
important also to mention the risk associated with “non-sufficient funds” (NSF), “returned-
item” or bounced checks. Even though the incidence of checks being returned is very small,
the fact that it can happen at all makes the risk associated with checks rather high for many
transactions, particularly where goods are delivered immediately and to high-risk destinations.

C) Electronic payment prior to Internet

Where the bank details of the payee are known in advance, it is possible to make electronic
transfers between bank accounts using the so-called automated clearing-house (ACH)
networks. In fact, in the United States and Canada funds can be “pushed” as well as “pulled”
by ACH credits and debits. These organizations grew out of the systems that were developed
to process check clearing and are now used by consumers for recurrent payments to regular
service providers (utilities, telephone, residential charges, etc.) in the form of direct debits.
They are also used extensively by businesses to pay their regular suppliers and by Governments
to issue all kinds of payments to individuals and corporations. In the United States, the
system is operated by the National Electronic Payments Association (NACHA), and most
countries in the developed world have a similar system. Indeed, it is quite common to have
multiple systems of this sort operating in a single country, some operated by the central bank
and others by consortia of leading banks.

In 1999, the average value of a payment made through the ACH system was approximately
$1,500 and settlement was made overnight. Where the value of the transaction is significantly
larger, a different class of payment method is typically used, referred to as a ‘wire
transfer’. One example of this is the FEDWIRE system operated by the Federal Reserve in
the United States. This offers the facility to make immediate payments, with settlement
performed by transferring funds between accounts maintained by the member banks with the
Federal Reserve. In 1999, the average value of each transaction in the FEDWIRE system was
$4.3 million. It is thus used principally for major business-to-business and also business-to-
Government transfers.

When such payments are to be made internationally, the messages relating to wire transfers
are typically carried on the networks of the Society for Worldwide Interbank Financial
Telecommunication (S.W.I.F.T.), a huge bank cooperative including 7,000 financial
institutions from 190 countries. The magnitude of payment and transfer traffic in the
S.W.I.F.T. proprietary electronic system or Internet is impressive, exceeding $5 trillion daily,
with the settlement and risk management functions being handled by correspondent bank
relationships.

D) Debit and credit cards

One can find the roots of credit cards in the establishment of ‘shoppers’ plates’ aimed at
simplifying payments for affluent customers of retail establishments. The possibility of
transmitting communications electronically gave a huge boost to the card industry in recent
decades. As a result, an enormously popular, globally acceptable payment instrument has
emerged, embodied in a plastic card with a magnetic strip that makes it possible, through
various electronic devices, to identify the card number and receive authorization from the
bank to make the payment.

For the system to operate, the potential cardholder must approach a ‘card-issuing’ bank or
company and get a physical card that will allow transactions to be made. In some cases it
involves opening a related bank account. Without appropriate restrictions, the possession of a
card confers unlimited spending power on its owner. In the majority of cases, though, the
card-issuing bank will assign a ‘credit limit’ to the cardholder based on an examination of his
creditworthiness. The cardholder can either retrieve cash using automated teller machines
(ATMs) at banks or card associations, or purchase goods and services from merchants
electronically linked either with the authorizing card association or the bank.

While a debit card involves direct pulling of money from an account and is limited by the
availability of money in the account, a credit card gives the possibility of a credit limit and
hence short-term financing for a cardholder. Hence credit card fees are much higher than
those for debit cards. To some extent, a debit card is similar to an electronic version of a
check. Typically, the debit cardholder needs to enter a PIN (his individual code) at the point of
sale, verifying at least that the card is not stolen and whether sufficient funds are available. In
the case of credit cards, merchants demand a written signature from the cardholder, which they
normally compare with that on the card. So far, the more popular card-related payment mode
is the credit card.

In most developed countries, the process of acquiring a card is quite routine and indeed,
customers are often bombarded by advertising from different companies offering them credit
cards. In the majority of developing countries though, the card infrastructure is
underdeveloped, credit cards are sometimes hard to get, and in some countries tight
restrictions are placed on their usage. Those restrictions derive from exchange controls in
countries with scarce foreign exchange reserves and suffering from various forms of capital
flight.

At the other side of each credit card transaction is a “merchant”. Once again, achieving “credit
card merchant” status involves opening an account with a bank that will ‘acquire’ transactions
on behalf of the business. Once the account is set up, the merchant has the ability to charge
arbitrary amounts to any credit card that has been issued anywhere in the world. Clearly, this
represents a major opportunity for fraud in the short term, and acquiring banks will often
subject a business to strict checks before permitting it to operate as a merchant,
particularly if it intends to carry out business across the Internet. In the United States, these
checks are not very stringent, but they are much more so in most European countries, whilst
in some developing countries companies may have extreme difficulty in gaining credit-card
merchant status. In developing countries or regions where telecommunications facilities are
not available or where dial-up telephone connections are very expensive, the authorization
step may just be a simple check of the credit card number against a periodically updated
blacklist. Often merchants operate under quite complex policies to balance the risk of fraud
against the cost of verifying the transaction. This may involve going through authorization
only where a transaction value exceeds a ‘floor limit’, or carrying out an online authorization
randomly for one in every 10 transactions. The costs involved in processing credit card
transactions are considerable. Typically, these are recovered by a per-transaction levy on the
merchant. The charges depend on the acquiring bank and also on the level of risk associated
with the business.

When a credit card transaction is made, the cardholder presents the card details to the
merchant. The merchant can authorize the transaction prior to actually making it.
This is done through a connection either directly to the merchant’s acquiring bank or to a
technology provider acting on its behalf. The acquiring bank can authorize this transaction
using a financial network which has access to the data of card-issuing banks worldwide. The
transaction can have two steps: an authorization step (this is used frequently by hotels at the
beginning of a guest’s visit) and a later ‘capture’ step where the previously authorized
transaction is completed. Alternatively, an authorization-and-capture step can do everything in
a single action.

One credit-card usage scenario that is interesting because it serves as the background for
Internet credit card transactions is the so-called Mail Order Telephone Order (MOTO)
transaction. Under this scenario, merchants are allowed to accept orders by post or over the
telephone, with the customer simply quoting the credit card details verbally. Under this
scenario, also called “Card-Not-Present”, the merchant is unable to tell if the customer has
the card in his or her possession, nor can the signature be verified. Some simple safeguards are
put in place regarding the address to which the goods can be dispatched and, in the event of
the customer later disputing the transaction, the merchant must bear the cost.

The costs involved in processing credit card transactions are considerable. Typically, a
merchant that has been trading profitably for years will be able to negotiate a better rate than a
start-up company. Any company that trades on the Internet is regarded as being ‘risky’ and is
typically subject to higher charges. Generally there is a fixed fee of around $0.10-0.50 and a
percentage of the transaction of around 1-5 percent. This effectively means that credit card
transactions are not worthwhile for transactions of less than $10.

The great strength of credit cards is their global acceptability. Since the processing of
transactions across the financial networks takes care of the currency conversion, merchants
will receive funds in their local currency while the cardholder is charged in his own currency.
Naturally the country of the cardholder should accept currency convertibility at least on current
account. The global recognition of the two major brands (Visa and MasterCard) and also
others such as American Express, Diners Club, Europay and Discover reassures merchants
that the payment will be honored. On the downside, rogue cardholders and rogue merchants
quite easily perpetrate fraud, particularly where the authorization process does not go online
to verify each transaction with the issuing bank.

The two leading brand names are Visa and MasterCard, which account for 75 percent of the
general-purpose credit and charge card market. Like S.W.I.F.T., they are associations
involving mainly banks. At the same time they have very strict procedures for accepting a
bank as a Visa or MasterCard issuing member bank. One of the principal reasons for the
success of these two ‘card associations’ is that they are owned and operated by banks from all
over the world. It is these local banks that manage the relationship with the cardholders,
while the card associations provide the global branding and also the common infrastructure
that registers the payments traffic and links the banks that operate the system with the
merchants and consumers. Other card issuers with much smaller shares of the market include
American Express and Diners Club (owned respectively by American Express Bank and
Citibank),

E) Bank protected payments

Where trust is a problem, a planned transaction or project may be at risk, and delays or even
defaults may occur in dispatching goods and services as well as in reciprocal flows of
payments. In such a case, the parties may have to resort to various systems of third party
protection by banks, credit insurers, factors and others. The financial services sector has
developed an array of risk management instruments including bank, insurance, and derivative
and combined products. Some typical examples are described below.

A basic example of bank-related protection could be check guarantee cards, which indemnify
the payer against risks as long as the transaction size is small and some fairly rudimentary
security checks are made at the time of the transfer. For larger transactions, a customer’s bank
will often sign the check itself, converting a simple check into a cashier’s check (drawn on
itself) or a teller’s check (drawn on another bank). Those instruments are also called bank
drafts.

In more risky situations, sellers accept only the so-called letter of credit (L/C), which is an
obligation of the buyer’s bank to pay the seller’s bank on condition of strict adherence by
the seller and its bank to the related documentary requirements (bill of lading, certificate of
origin, commercial invoice, packing list, cargo insurance, other certificates, etc.). That is why
the L/C is also called documentary credit. The L/C is stricter in its requirements than
documentary collection based on instruments like bills of exchange. In a similar arrangement
called factoring, the factor (usually a specialized department of a bank) discounts the seller’s
receivables, mainly without recourse to the seller. Meanwhile the correspondent factor, related
to the buyer, handles the payment and related risks.

Learning activity 6

1. What are the different conventional and electronic payments?

___________________________________________________________________________
___________________________________________________________________________

2. What is the difference between debit and credit card?

___________________________________________________________________________
___________________________________________________________________________

3.8 ONLINE PAYMENTS

3.8.0 Overview

Online payment is defined as all payments where the transaction information is transmitted
electronically, the payer and the payee are directly involved in the transaction, and the
necessary information to authorize the payment is part of the transaction information
exchanged between the payer and the payee. Sometimes the term online payments relates only
to the electronic transfer of funds over public or private networks based on the Internet and
related technologies.

Thus, this section will first look into business-to-consumer (B2C) online payments and will
then analyze business-to-business (B2B) online payment mechanisms. The presentation of
those methods under either the B2C or the B2B heading does not preclude their applicability
for any purpose but merely reflects their main area of use at present.

3.8.1 Objectives

After careful reading of this section, the reader must be able to:

 explain online payments such as B2C, B2B

3.8.2 Business to consumer (B2C) online payments

B2C e-commerce, which started from just a trickle in 1995, grew dramatically to somewhere
between $23 billion and $109 billion in 2000. Some of the sectors that proved popular
include books (e.g. amazon.com), apparel (Land’s End, Gap, Victoria’s Secret), computer
products (Dell, Gateway) and travel (Expedia, Priceline).

Starting from credit card payments through the Internet, online payments are evolving into a
system where payers might use smart cards combining the functions of all cards and
electronic cash or electronic checks, with encrypted electronic signatures or other modes of
secure identification of the payer and payee. These systems are used both in B2C and B2B
payments. However, credit cards were the first online payment instruments, and security on the
Internet was challenged when credit card holders giving credit card numbers on the Internet
were subjected to serious risks from hackers. In fact, the analysis of various modes of online
payments in this section contains detailed descriptions of different systems defending the
security of the payer.

3.8.2.1. Online payments by credit and debit cards

For various reasons, the most natural way for a consumer to make a purchase over the Internet
in the absence of other widely accepted alternatives is to use a credit card. A precedent had
already been set over a number of years by catalogue shoppers. Business rules, including the
MOTO rules referred to earlier, had been developed to handle transactions where card details
were given to the merchant either on a printed order form or over the telephone and there was
no possibility to identify the cardholder by at least asking him to sign in the presence of the
merchant. For the majority of international shoppers, the currency convertibility problem was
solved, and there were already large numbers of people worldwide who could make and
accept payments without the need for any sign-up procedure.

The earliest web purchases were made either by insecurely transferring the credit card details
in a web dialogue or by resorting to a separate e-mail exchange to complete the payment. The
credit card companies were not happy about this method of conveying the details, and the
advice they issued to consumers and merchants was not to use credit cards on the Internet until
new technologies were developed to allow it to be done securely. However, the market
largely ignored that advice.

3.8.2.2. Secure Socket Layer (SSL)

A stopgap solution arrived in 1995, when Netscape incorporated support in its Internet
browser's software for a technology standard called the Secure Socket Layer (SSL). SSL is
still the dominant mode of online payments, especially by credit cards.

A merchant wishing to use SSL to protect credit card transactions must apply to a recognized
X.509 Certification Authority to be issued with a certificate. All Internet browser software
comes preconfigured to trust the 20 or so most common certification authorities operating
worldwide. A user browsing the merchant's site will interact normally until it comes to the
point where the credit card details are to be transferred across the link. At this point, the
user’s browser will be directed to a web page whose address starts with HTTPS rather than the
usual HTTP. This is a signal to the browser to start a special security dialogue with the
merchant’s server in which two things happen. First, the merchant proves that he represents
the business to which the X.509 certificate is issued, and secondly he agrees on a session
encryption key that is used to protect the credit card details and any other financially sensitive
information from being intercepted by attackers as they travel across the Internet.

Thus the cardholder is afforded some protection in terms of confirmation that the merchant to
whom he is giving his card details exists as a bona fide business, or at least did at the time the
certificate was issued. Both the cardholder and the merchant are also protected from
eavesdroppers capturing the credit card details from an insecure Internet link. For the
merchant, there is no protection in terms of ensuring that the card is not being used by
someone other than the cardholder, and if the latter denies making the transaction, there is no
way of proving otherwise. The cardholder has no protection against a merchant who may
retain the card details and subsequently charge multiple transactions against the account. If the
merchant site stores the card details online, it makes itself vulnerable to attackers
breaking into the site to gain access to those details.

In order to streamline the process of making credit card transactions and also to allow each
individual transaction to be authorized, merchants generally equip themselves with an online
connection to their acquiring bank or to an entity operating on its behalf. This process has
been taken further by companies which operate links to the financial network on behalf of
many hundreds of online merchants. Using their services, the B2C merchant can interact with
such a company’s web site during the purchase to get authorization and complete the
transaction in real time. Merchants are required to hold accounts in developed-country banks,
and transactions are denominated in US dollars or other leading hard currencies. Every other
component of the system, including the merchant web site, can be located elsewhere.

3.8.2.3 Secure Electronic Transaction (SET)

Although the use of SSL, with or without online authorization, is for the moment the most
common means of making credit card transactions, a more advanced technology is available
in the form of a security standard called Secure Electronic Transaction (SET). This was
developed principally by the two major credit card companies, Visa and MasterCard, in 1996,
with the support of many major technology providers, including IBM, and other card brands
including American Express. It is a comprehensive solution to all the practical risks that are
encountered in any credit card transaction. SET was introduced primarily to prevent rogue
merchants from misusing credit card information. It hides the credit card number from the
merchant but leaves him with the important ability to verify that the card is good and that the
authorization is good.

Special wallet software is used by the cardholder that is partially or totally integrated into the
web browser. The wallet software is loaded with the card details and also
with a certificate that is issued to the cardholder by the issuing bank. When a credit card
transaction is to be made, the wallet software composes an encrypted payment request which
is sent via a SET module running on the merchant’s web site and from there to a SET
payment gateway run either by each acquiring bank or by the credit card company itself. The
SET standard underwent a one-year public review period and is thought to be highly secure
and efficient at guarding against all anticipated risks due to stolen cards, rogue merchants and
rogue cardholders.

The main problem with SET lies in its complexity. Three independent pieces of software need
to be in place and working together well before a single transaction can be carried out, and
certificates must be issued to each of the three parties (buyer, seller, bank) to allow them to
securely identify each other. Banks began to pilot SET at the beginning of 1997, but this was
done mostly on a regional basis (which does not fit well with the global way in which the
Internet operates), and these pilots achieved limited success in terms of persuading large
populations of users and merchants to change over to the new system. As of early 2001, SET
has still achieved little market penetration and its proponents are beginning to experiment
with a so-called ‘light’ version of the standard that involves less complexity.

Learning activity 7

1. Explain online payment using credit and debit cards.

________________________________________________________________
________________________________________________________________

3.9 E-CASH

3.9.0 Overview

The World Wide Web has potential to become a highly efficient electronic marketplace for
goods and services. When payments are effected electronically, there is always a risk that
organizations may resort to gathering information relating individuals with the amounts that
they have spent, locations involved and types of goods purchased. Misuse of such information
can give rise to serious breaches of personal privacy[18]. If a payment system for the WWW
is to receive widespread support, it must offer its users some form of protection against the
gathering of such information. The most effective method of achieving this is to implement a
form of electronic cash, where the coins being spent cannot be linked with their owner. This
gives rise to a secondary problem: since the coin is an electronic quantity that is easily
duplicated, such a payment system must guard against the coin being spent more than once. It
should not be possible for an attacker to bypass the system or to falsely obtain monetary value
from it.

At the time of writing, it has been estimated that there may be over 30 million users of the
Internet spread across 96 different countries using over 6.6 million host computers, and these
figures are rising very rapidly. This means that an effective electronic payment system must
be highly scalable. In practice, the system must support large numbers of buyers and sellers
affiliated to many different banks. The problem of detection of double spending is particularly
acute, and solutions must be found that allow for large numbers of payments to take place
without requiring unreasonably large databases to be maintained. In the following section, we
discuss related work on two systems for electronic payment and go on to propose a new set of
protocols that surmounts some of their inherent problems.

Electronic cash is the electronic equivalent of real paper cash, and can be implemented using
public-key cryptography, digital signatures, and blind signatures. In an electronic cash system
there is usually a bank, responsible for issuing currency, customers who have accounts at the
bank and can withdraw and deposit currency, and merchants who will accept currency in
exchange for goods or a service. Every customer, merchant, and bank has its own
public/private key pair. The keys are used to encrypt, for security, and to digitally sign, for
authentication, blocks of data that represent coins. A bank digitally signs coins using its
private key. Customers and merchants verify the coins using the bank's widely available
public key. Customers sign bank deposits and withdrawals with their private key, and the
bank uses the customer's public key to verify the signature.

3.9.1 Objectives

After careful reading of this section, the reader must be able to:

 explain how E-cash works

3.9.2 E-cash vs Digital (Digi) Cash

E-cash is a fully anonymous electronic cash system, from a company called Digi-cash, whose
managing director is David Chaum, the inventor of blind signatures and many electronic cash
protocols. It is an on-line software solution, which implements fully anonymous electronic
cash using blind signature techniques.

The E-cash system consists of three main entities:

 Banks that mint coins, validate existing coins and exchange real money for E-cash.
 Buyers who have accounts with a bank, from which they can withdraw and deposit E-
cash coins.
 Merchants who can accept E-cash coins in payment for information, or hard goods. It
is also possible for merchants to run a pay-out service where they can pay a client E-
cash coins.

E-cash is implemented using RSA public-key cryptography. Every user in the system has
their own public/private key pair. Special client and merchant software is required to use the
E-cash system. The client software is called a "cyber wallet" and is responsible for
withdrawing and depositing coins from a bank, and paying or receiving coins from a
merchant.

3.9.3 Withdrawing E-cash Coins

To make a withdrawal from the bank, the user's cyber wallet software calculates how many
digital coins of what denominations are needed to withdraw the requested amount. The
software then generates random serial numbers for these coins. The serial numbers are large
enough so that there is very little chance that anyone else will ever generate the same serial
numbers. Using a 100-digit serial number usually guarantees this. The serial numbers are then
blinded using the blind signature technique. This is done by multiplying the coins by a
random factor. The blinded coins are then packaged into a message, digitally signed with the
user's private key, encrypted with the bank's public key, and then sent to the bank. The
message cannot be decrypted by anyone but the bank.

When the bank receives the message, it checks the signature. The withdrawal amount can then
be debited from the signature owner's account. The bank signs the blinded coins with its private key.

After signing the blind coins, the bank returns them to the user, encrypted with the user's
public key. The user can then decrypt the message, and unblind the coins by dividing out the
blinding factor. Since the bank couldn't see the serial numbers on the coins it was signing,
there is now no way to trace these coins back to the user who withdrew them. In this way the
cash is fully anonymous.

3.9.4 Spending E-cash

To spend E-cash coins, the user starts up their cyber wallet software and a normal Web client
and then browses the Web until they find a merchant shop selling goods. The E-cash software
can be used with any existing Web client and Web server software. A merchant shop is
simply an HTML document with URLs representing the items for sale. To buy an item the user
selects the URL representing that item. The following steps then occur as shown in Figure 1.

Figure 1: Making a purchase with E-cash
1. The user's Web client sends an HTTP message requesting the URL to the Merchant's
normal Web server. This URL will invoke a Common Gateway Interface (CGI)
program[19].
2. The CGI program invoked will be the merchant E-cash software, and it will be passed
details of the item selected encoded in the URL. The location of the buyer's host
machine will also be passed in an environment variable from the server to the
merchant E-cash software.
3. The merchant software now contacts the buyer's wallet using a TCP/IP connection,
asking it for payment.
4. When the cyber wallet receives this request, it will prompt the user, asking them if
they wish to make the payment. If they agree, the cyber wallet will gather together the
exact amount of coins and send this as payment to the merchant. The coins will be
encrypted with the merchant's public key so that only the merchant can decrypt them.

If they disagree or do not have the exact denominations necessary to make a correct
payment, the merchant is sent a payment refusal message.

5. When the merchant receives the coins in payment, he must verify that they are valid
coins, and have not been double spent. To do this he must contact the bank, as only the
minting bank can tell whether coins have been spent before or not. Thus the merchant
packages the coins, signs the message with his private key, encrypts the message with
the bank's public key, and sends it to the bank.
6. The bank validates the coins by checking the serial numbers with the large on-line
database of all the serial numbers ever spent and returned to the bank. If the numbers
appear in the database then they are not valid, since they have been spent before. If the
serial numbers don't appear in the database, and have the bank's signature on them,
then they are valid. The values of the coins are credited to the merchant's account. The
coins are destroyed, and the serial numbers added to the database of spent coins. Thus,
coins are good for one transaction only. The bank notifies the merchant of the
successful deposit.
7. Since the deposit was successful, the merchant has been paid, and a signed receipt is
returned to the buyer's cyber wallet.
8. The purchased item, or an indication of successful purchase of hard goods, is then sent
from the merchant E-cash software to the Web Server.
9. The Web server forwards this information to the buyer's Web client.
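The withdrawal and deposit flow just described, as an added Python example that is not Digi-cash's software: textbook RSA blind signatures for the wallet and bank sides, and the bank's spent-serial database check from step 6. Assumed, not from the text: the bank signs a SHA-256 digest of the serial rather than the raw serial, there is a single coin denomination, and the bank's key is a toy 512-bit RSA key.

```python
"""Toy E-cash: RSA blind-signature withdrawal and double-spend detection.

Added example, not Digi-cash's code. Assumptions: coins are signed over a SHA-256
digest of the 100-digit serial (the text blinds the coin value itself), there is
one coin denomination, and the bank's RSA key is a toy 512-bit key.
"""
import hashlib
import math
import secrets

SERIAL_DIGITS = 100  # "Using a 100-digit serial number usually guarantees this."


def is_probable_prime(n, rounds=32):
    # Miller-Rabin probabilistic primality test.
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def coin_digest(serial, n):
    # The value the bank signs: a hash of the serial number, reduced modulo n.
    return int.from_bytes(hashlib.sha256(str(serial).encode()).digest(), "big") % n

class Bank:
    """Mints coins blindly and keeps the database of spent serial numbers."""

    def __init__(self, bits=512):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(65537, phi) == 1:
                break
        self.n, self.e = p * q, 65537
        self._d = pow(self.e, -1, phi)
        self.accounts = {}      # account holder -> balance in coins
        self.spent = set()      # serial number of every coin ever deposited
        self.seen_blinded = []  # all the bank ever sees of a coin at withdrawal

    def sign_blinded(self, customer, blinded):
        # 3.9.3: debit the account and sign a value whose serial the bank cannot see.
        if self.accounts.get(customer, 0) < 1:
            raise ValueError("insufficient funds")
        self.accounts[customer] -= 1
        self.seen_blinded.append(blinded)
        return pow(blinded, self._d, self.n)

    def deposit(self, merchant, coin):
        # 3.9.4 step 6: accept only a coin this bank signed that was never spent before.
        serial, sig = coin
        if pow(sig, self.e, self.n) != coin_digest(serial, self.n):
            return False  # not signed by this bank
        if serial in self.spent:
            return False  # double spend
        self.spent.add(serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + 1
        return True

def withdraw_coin(bank, customer):
    # Cyber wallet side of 3.9.3: blind the coin, have it signed, unblind the signature.
    serial = secrets.randbelow(10 ** SERIAL_DIGITS)
    m = coin_digest(serial, bank.n)
    while True:
        r = secrets.randbelow(bank.n - 2) + 2  # random blinding factor, invertible mod n
        if math.gcd(r, bank.n) == 1:
            break
    blinded = (m * pow(r, bank.e, bank.n)) % bank.n
    blinded_sig = bank.sign_blinded(customer, blinded)
    sig = (blinded_sig * pow(r, -1, bank.n)) % bank.n  # divide out the blinding factor
    return serial, sig
```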

E-cash client and merchant software is available for many platforms. Currently no real money
is used in the system, but an E-cash trial with 10,000 participants, each being given 100
"cyber bucks" for free, has been running since late 1994. There are many sample Web shops
at which to spend cyber bucks.

3.9.5 Advantages and Failings

The strengths of E-cash are its full anonymity and security. The electronic cash used is
untraceable, due to the blind signatures used when generating coins.

By employing secure protocols using RSA public key cryptography, the E-cash system is safe
from eavesdropping and message tampering. Coins cannot be stolen while they are in transit.
However, the protection of coins on the local machine could be strengthened by password
protection and encryption.

The main problem with E-cash may be the size of the database of spent coins. If a large
number of people start using the system, the size of this database could become very large and
unmanageable. Keeping a database of the serial number of every coin ever spent in the system
is not a scalable solution. Digi-cash plans to use multiple banks each minting and managing
their own currency with inter-bank clearing to handle the problems of scalability. It seems
likely that the bank host machine has an internal scalable structure so that it can be set up not
only for a 10,000-user bank, but also for a 1,000,000-user bank. Under the circumstances, the
task of maintaining and querying a database of spent coins is probably beyond today's state-
of-the-art database systems.

3.9.6 Smart cards combining e-cash and e-cards

In conventional bank-mediated transactions, the trend for retail point-of-sale systems is away
from paper-based instruments such as cash and checks and towards electronic payment
effected with a card. Most of the cards in use today are based on magnetic stripe technology
with some rudimentary account-identifying information recorded (insecurely) on a magnetic
stripe on the back of the card.

The banking industry is in the process of transitioning to the next generation of payment cards
based on smart card or chip card technology. The main catalysts of this process include
the card associations such as Visa, MasterCard and Europay, who are actively pushing their
bank members towards the adoption of smart cards. At the same time, equipping the merchant
with a combined magnetic stripe and smart card reader device incurs additional expenses.
There is also the risk factor that is peculiar to each country or region. The nature of the
customer/merchant base or the availability of inexpensive network or telecom services to
enable online authorization strongly influence the card associations' plans to introduce
new non-magnetic-stripe, i.e. smart card, technology.

The smart card is a plastic card with a chip securely embedded in the card. When inserted into
a card reader, this chip powers up and is able to have electronic dialogues with the card
reader device. One advantage of the chip is that it can carry 100 times more information
than the traditional card in a form that cannot be copied. The chip on the card encrypts data
before sending it to the card reader, making it very difficult to break the security, while secret
quantities like cryptographic keys never leave the card. Another advantage which partially
derives from the first is the possibility to have various functions in one chip, including the
functions of credit, debit and prepaid cards, as well as the functions of secure Internet
shopping, mass transit applications, identification services, merchant loyalty programmes, etc.
Thus, by having just one smart card the client can run multiple operations with his bank and
third parties. On the down side, the cards are more expensive to produce and are vulnerable to
attacks from card reader hardware that has been subverted.

The electronic purse is related to electronic money or prepaid card applications and
could be a part of chip-card technology. Here value is loaded into the smart card for later
spending. There are two main efforts ongoing in this area, the first by Mondex International
and the second by a consortium led by Visa called the Common Electronic Purse
Specification (CEPS). The difference between the Mondex system and the Visa/CEPS initiative
is that Mondex doesn't require overnight transaction bank clearing. The value transfer is immediate
and saves the banks from processing a massive volume of petty cash transfer transactions. Of
the two, the Mondex effort is more mature and has been in common use since 1992. The Mondex
system offers a means of transferring value from one card to another. A person can transfer
value from his card to that of his friend by simply inserting both cards into a hand-held value-
transfer terminal. Similarly, bricks-and-mortar merchants can use a point of sale terminal
containing a merchant card into which the buyer inserts the Mondex card to allow the transfer
to take place. The Mondex card is currently licensed in over 80 countries around the world,
including several in Sub-Saharan Africa. Pilot experiments have been conducted on the use of
this system to make purchases across the Internet, but no large-scale scheme has yet been attempted.

In 2000, all major credit card associations rushed to announce their new smart card initiatives.
It is interesting to note that the strength of Mondex pushed MasterCard, which normally
cooperates with Visa, to strike up a partnership with the former and thus promote
MasterCard's own new chip operating system platform, called Multos, or the complete chip
solution. Mondex International in London developed the Multos operating system, referred to
in the technical press as “the Windows of smart cards”. It is currently the base operating
technology of the Mondex purse smart card and the American Express Blue (smart) card.

Meanwhile American Express and Compaq have linked their smart card programs by using
American Express Blue cards together with the Compaq Smart Card keyboard, suitable
primarily for individuals and small businesses. In December 2000, Visa in turn launched,
together with IBM and Philips Semiconductors, its low-cost smart cards supported by four
major smart card manufacturers. The so-called Visa Price Breakthrough is proposing to its
member banks open platform multi-application smart cards for a price of three dollars instead
of the average price of microprocessor chip cards of around six dollars. Based on Java Card
2.1 and the Open Platform 2.0 specification, the card initially proposes credit/debit functions
and other applications. The latter could be loaded in the read-only memory (ROM), while
there will also be room for other multiple applications in the so-called erasable memory
compartment (EEPROM), giving issuer banks the possibility of proposing secure Internet
access, loyalty programs and other options.

One of the difficulties of using smart card based payment methods for e-commerce is that
each user terminal must be equipped with a smart card reader. Although many thought that
this hardware would become part of a standard specification PC, this has not yet happened.
Nevertheless, Visa has announced that smart cards will represent more than 30 percent of its
cards in five years and 70 percent in 10 years. Although that statement seems for the moment
to be a bit strong, the pace of technological advance and the pressure to address the issue of
fraud might create smart card momentum.

3.9.7 Internet Banking

In many OECD countries, bank customers are more and more encouraged to use the Internet
for all their bank-related operations. A client operating through a PC linked to the Internet opens
the special e-banking site of his bank and then, using a set of special secure numbers, gets
access to his bank accounts and has the opportunity to consult them, as well as to make all
necessary payments and transfers from his personal accounts. For example, in the case of
UBS e-banking, the client enters his e-banking contract number, the numeric password
(PIN) and an individual number for each transaction. When the transaction numbers are
exhausted, the bank sends him a new set of numbers for his individual transfer sessions. The
downloaded bank software program can also be utilized offline, for example for preparing the
payment orders offline and then making the actual order online. The client receives all
numbers separately, mainly by mail. The bank also provides clients with similar facilities in its
premises so that clients can use bank equipment such as an ATM or a special facility linked to
the main terminal facility called MultiMate, permitting them to effect the same account
examination, payment and transfer operations without consulting the bank staff. Variations of
the above model are offered to their clients by many banks in OECD and some emerging
economies.

3.9.8 Financial Electronic Fund Transfer (FEDI)

Although almost all banks can send and receive funds through the ACH network, not every
bank possesses the EDI capabilities to process the accompanying remittance data.
Consequently, many companies have had to use one network for EFT and a separate network
for EDI. This complicates the seller’s task of properly crediting customer accounts for
payments, because information about the total amount of funds received arrives separately
from information about which invoices that payment should be applied against. Similarly, the
buyer's system must send information about payments to two different parties. The ideal
solution is to integrate EFT with EDI, which is referred to as financial electronic data
interchange (FEDI). With FEDI, the buyer's AIS can send both remittance data and funds
transfer instructions in one package. Similarly, the seller's AIS receives both the remittance
data and funds at the same time.

The full benefits of FEDI are realized when both the buyer's and seller's banks are EDI-
capable. In this case, the buyer's AIS sends one message, containing both the remittance data
and EFT instructions, to its bank. The buyer's bank forwards that message to the seller's bank,
which credits the seller's account and then sends the remittance data and the notification of the
funds transfer together to the seller.

Even if the seller's bank is not EDI-capable, however, the buyer still has two ways to
implement FEDI. If the buyer's bank is EDI-capable, the buyer can still send the remittance
data and funds transfer instructions together in one message to its bank. Alternatively, the
buyer can contract with a financial value-added network (FVAN) to implement FEDI. A
FVAN is an independent organization that offers specialized hardware and software to
enable the linking of various EDI networks with the ACH network used by the banking
system for EFT. In this case, the buyer's AIS sends the remittance data and funds transfer
instructions together to the FVAN. The FVAN translates the payment instructions from EDI
format into ACH format and sends that information to the buyer's bank. The buyer's bank
then makes a traditional EFT payment (an ACH credit) to the seller's bank. At the same time,
the FVAN sends the remittance data to the seller in EDI format. Note that the seller receives
the EFT and EDI portions separately, so both must contain a common reference number to
facilitate proper matching. Consequently, although the buyer realizes the full advantage of
FEDI under this arrangement, the seller does not.

Learning activity 8

1. What are the components of E-cash?

___________________________________________________________________________
___________________________________________________________________________

2. What are the advantages and problems with E-cash?

___________________________________________________________________________
___________________________________________________________________________

3.10 CRYPTOGRAPHY AND PUBLIC KEY INFRASTRUCTURE

3.10.0 Overview

If the confidentiality or accuracy of information is of any value at all, it should be protected to
an appropriate level. If the unauthorized disclosure or alteration of the information could
result in any negative impact, it should be secured. These are simple and widely accepted
facts. However, the means to achieve the requisite protection are usually far from obvious.

A number of mechanisms are commonly employed:

 Controlling access to the computer system or media, for instance through 'logon'
authentication (e.g. via passwords).
 Employing an access control mechanism (such as profiling).
 Restricting physical access (e.g. keeping media locked away or preventing access to
the computer itself).

All these approaches can be valuable and effective, but equally all can have serious
shortcomings. A more fundamental approach to data security is cryptography.

Conventional access control mechanisms can often be bypassed (for instance via hacking). In
addition, what if data has to be transmitted, or if the data media (e.g. a floppy disk) has to be
moved outside the secure environment? What if a number of people are sharing the computer
environment? Cryptography (encryption and decryption) is a technique designed to protect
information in all such situations.

3.10.1 Objectives

After careful reading of this section, the reader must be able to:

 explain the use of cryptography as a security mechanism

3.10.2 Encryption and Decryption

Encryption is the science of changing data so that it is unrecognizable and useless to an
unauthorized person. Decryption is changing it back to its original form.

The most secure techniques use a mathematical algorithm and a variable value known as a
'key'.

The selected key (often any random character string) is input on encryption and is integral to
the changing of the data. The EXACT same key MUST be input to enable decryption of the
data.

This is the basis of the protection: if the key (sometimes called a password) is only known
by authorized individual(s), the data cannot be exposed to other parties. Only those who know
the key can decrypt it. This is known as 'private key' cryptography, which is the most well
known form.

Other uses of cryptography

Many techniques also provide for detection of any tampering with the encrypted data. A
'message authentication code' (MAC) is created, which is checked when the data is decrypted.
If the code fails to match, the data has been altered since it was encrypted. This facility has
many practical applications, such as concluding a contract among business partners.

3.10.2.1 Key Management

As the entire operation is dependent upon the security of the keys, it is sometimes appropriate
to devise a fairly complex mechanism to manage them.

Where a single individual is involved, often direct input of a value or string will suffice. The
'memorized' value will then be re-input to retrieve the data, similar to password usage.

Sometimes, many individuals are involved, with a requirement for unique keys to be sent to
each for retrieval/decryption of transmitted data. In this case, the keys themselves may be
encrypted. A number of comprehensive and proven key management systems are available for
these situations.

Cryptography key basics

The two components required to encrypt data are an algorithm and a key. The algorithm is
generally known and the key is kept secret.

The key is a very large number that should be impossible to guess, and of a size that makes
exhaustive search impractical.

In a symmetric cryptosystem, the same key is used for encryption and decryption. In an
asymmetric cryptosystem, the key used for decryption is different from the key used for
encryption.

The key pair

In an asymmetric system the encryption and decryption keys are different but related. The
encryption key is known as the public key and the decryption key is known as the private key.
The public and private keys are known as a key pair.

Where a certification authority is used, remember that it is the public key that is certified and
not the private key. This may seem obvious, but it is not unknown for a user to insist on
having his private key certified!

Key components

Keys whenever possible should be distributed by electronic means, enciphered under
previously established higher-level keys. There comes a point, of course, when no higher-level
key exists and it is necessary to establish the key manually.

A common way of doing this is to split the key into several parts (components) and entrust the
parts to a number of key management personnel. The idea is that none of the key parts should
contain enough information to reveal anything about the key itself.

Usually, the components are combined by means of the exclusive-OR operation within a secure
environment.

In the case of DES keys, there should be an odd number of components, each component
having odd parity. Odd parity is preserved when all the components are combined. Further,
each component should be accompanied by a key check value to guard against keying errors
when the component is entered into the system.

A key check value for the combined components should also be available as a final check
when the last component is entered.

A problem that occurs with depressing regularity in the real world is when it is necessary to
re-enter a key from its components. This is always an emergency situation, and it is usually
found that one or more of the key component holders cannot be found. For this reason, it is
prudent to arrange matters so that the components are distributed among the key holders in
such a way that not all of them need to be present.

For example, if there are three components (C1, C2, C3) and three key holders (H1, H2, H3)
then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have (C1, C2). In this
arrangement any two out of the three key holders would be sufficient.

In more sophisticated systems, the components may be held on smart cards.
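The component scheme above, as an added Python example that is not from the unit: parity-adjusted DES key components combined by XOR, the two-of-three holder layout (H1 holds C2 and C3, and so on), and a key check value. The check value here is a truncated SHA-256 of the key, an assumed stand-in for the DES-based check value so that no DES library is needed.

```python
"""DES key components: odd parity, XOR recombination and a key check value.

Added example, not from the unit. The check value is the first 3 bytes of SHA-256
over the key, an assumed stand-in for the DES-based check value (encrypting a zero
block) so the example needs no DES library; the holder layout is the text's.
"""
import hashlib
import secrets


def adjust_parity(key):
    # Set the low-order bit of each byte so the byte has an odd number of set bits.
    out = bytearray()
    for b in key:
        top = b & 0xFE
        out.append(top | (1 if bin(top).count("1") % 2 == 0 else 0))
    return bytes(out)

def has_odd_parity(key):
    return all(bin(b).count("1") % 2 == 1 for b in key)

def xor_bytes(*parts):
    acc = bytes(len(parts[0]))
    for p in parts:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc

def check_value(key):
    # Key check value: detects a mistyped component without revealing the key.
    return hashlib.sha256(key).hexdigest()[:6]

def split_key(key, n_components=3):
    # An odd number of odd-parity components XORs back to an odd-parity key.
    if n_components % 2 == 0:
        raise ValueError("use an odd number of components")
    parts = [adjust_parity(secrets.token_bytes(len(key))) for _ in range(n_components - 1)]
    parts.append(xor_bytes(key, *parts))  # last part fixed so the XOR equals the key
    return parts

def distribute(parts, holders):
    # Holder i gets every component except C(i+1): H1 -> (C2, C3), H2 -> (C1, C3), ...
    return {h: [(j, c) for j, c in enumerate(parts) if j != i] for i, h in enumerate(holders)}

def combine(components, expected_kcv):
    key = xor_bytes(*components)
    if not has_odd_parity(key):
        raise ValueError("parity error: a component was entered incorrectly")
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch")
    return key

def reconstruct(present, shares, n_components, expected_kcv):
    # Any two of three holders together hold all three components.
    collected = {}
    for holder in present:
        collected.update(dict(shares[holder]))
    if len(collected) != n_components:
        raise ValueError("not enough key holders present")
    return combine([collected[j] for j in range(n_components)], expected_kcv)
```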

3.10.2.2 Cryptographic Algorithms

There is of course a wide range of cryptographic algorithms in use. The following are
amongst the best known:

DES
This is the 'Data Encryption Standard', developed by the American National Standards
Institute (ANSI). This method of encryption is incorporated into many readily available
software products. It is a cipher that operates on 64-bit blocks of data, using a 56-bit key. It
is a 'private key' system. With a 56-bit key there are 70 quadrillion possible combinations for
someone to guess. Single-key DES is relatively faster than public key encryption but not as
safe.

This type of cryptography also deals with authentication, the main technique being the
creation and verification of message authentication codes (MACs).

The main techniques are:

 Block Ciphers
 Stream Ciphers
 Message Authentication Codes

Block Ciphers

A block cipher transforms a fixed-length block of plaintext into a block of cipher text of the
same length, using a secret key. To decrypt, the reverse process is applied to the cipher text
block using the same secret key.

In the case of DES, the block size is 64 bits (8 bytes) and the key is 56 bits presented as 8
bytes, the low-order bit of each byte being ignored. It is usual to set every 8th bit so that each
byte contains an odd number of set bits. This process is known as DES key parity adjustment.

To use a block cipher to encrypt data of arbitrary length, we can use one of the following
techniques (or modes of operation):

 Electronic Code Book (ECB)
 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB)

Most good block ciphers transform the secret key into a number of sub keys and the data is
encrypted by a process that has several rounds (iterations), each round using a different sub
key. The set of sub keys is known as the key schedule. In the case of DES the secret key is
transformed into 16 sub keys and consequently DES takes 16 rounds to perform an
encryption.

Electronic Code Book

In ECB mode, each block of data is encrypted independently. If we take eK(D) to mean
“encrypt block D with key K”, then the plaintext D1, D2, D3, ..., Dn is encrypted as
eK(D1), eK(D2), ..., eK(Dn). The trouble with ECB mode is that plaintext patterns show up in
the cipher text, because each identical block of plaintext gives an identical block of cipher
text. This can lead to attacks based on rearranging, deleting or repeating cipher text blocks.
ECB mode should only be used for encrypting very small blocks of data such as keys.

Cipher Block Chaining

In CBC mode each plaintext block is XOR’d with the previous ciphertext block before it is
encrypted. Because there is no previous ciphertext for the first block, an 8-byte block known
as the Initial Chaining Value (ICV) is used to start the process.

Patterns in the plaintext are hidden by the exclusive-OR. The ICV should be different for any
messages encrypted with the same key, but it does not have to be kept secret and can be
transmitted with the encrypted text.

If the total length of the plaintext is not a multiple of 8, it is necessary to deal with the final
short block. The obvious way to do this is to pad out the last block to 8 bytes, but the final
block must contain a count of the number of filler bytes, so the message length is always
increased by a maximum of 8 bytes. If this increase in length is not acceptable, a solution is
to XOR the short block with the result of re-enciphering the last complete cipher text block
(or, if there isn’t one, the ICV).

Cipher Feedback

In CFB mode the previous ciphertext block is encrypted and is XOR’d with the plaintext to
give the current ciphertext block. As with CBC mode, an ICV is needed to start the process.

As well as full 64-bit feedback, it is possible to define 1-bit, 2-bit, and up to 63-bit cipher
feedback. In software implementations there is no advantage over CBC mode, though CFB is
often used in link encryption devices.

Output Feedback

OFB is similar to CFB mode except that the cipher text XOR’d with each plaintext block is
independent of the plaintext and cipher text and is produced by repeatedly encrypting the
ICV.

The advantage of OFB mode is that transmission errors are not propagated and do not affect
decryption of blocks that follow. It is therefore a useful method for encryption of satellite
links where re-transmission of a corrupted message would be inconvenient.
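The four modes of operation described above, as an added Python example that is not from the unit. A 16-round Feistel network with a SHA-256 round function stands in for DES (an assumption, so the code runs on the standard library alone); the padding carries the filler count as the text describes, and the helpers at the end make ECB's repeated blocks and OFB's non-propagating errors observable.

```python
"""ECB, CBC, CFB and OFB modes over a toy 64-bit block cipher.

Added example, not from the unit. The block cipher is a 16-round Feistel network
with a SHA-256 round function, an assumption standing in for DES so the code runs
on the standard library alone; the modes follow the descriptions in the text.
"""
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def _round(key, half, rnd):
    # Keyed round function: 4 bytes derived from key, round number and the right half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    # Truncates to the shorter input, which handles a short final block in CFB/OFB.
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(16):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left  # final swap, as in a classic Feistel cipher

def decrypt_block(key, block):
    right, left = block[:4], block[4:]  # undo the final swap
    for rnd in reversed(range(16)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):
    # Final block carries the filler count; length grows by at most 8 bytes.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, pt):
    # Each block independently: identical plaintext blocks give identical ciphertext.
    return b"".join(encrypt_block(key, b) for b in _blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, b) for b in _blocks(ct)))

def cbc_encrypt(key, icv, pt):
    out, prev = [], icv
    for b in _blocks(pad(pt)):
        prev = encrypt_block(key, _xor(b, prev))  # XOR with previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, icv, ct):
    out, prev = [], icv
    for b in _blocks(ct):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def cfb_crypt(key, icv, data, decrypt=False):
    # CFB: encrypt the previous ciphertext block and XOR it with the data; no padding needed.
    out, prev = [], icv
    for b in _blocks(data):
        out.append(_xor(b, encrypt_block(key, prev)))
        prev = b if decrypt else out[-1]  # the feedback is always the ciphertext
    return b"".join(out)

def ofb_crypt(key, icv, data):
    # OFB: keystream E(ICV), E(E(ICV)), ... is independent of the data; same call decrypts.
    out, state = [], icv
    for b in _blocks(data):
        state = encrypt_block(key, state)
        out.append(_xor(b, state))
    return b"".join(out)

def has_repeated_blocks(ct):
    blocks = _blocks(ct)
    return len(set(blocks)) < len(blocks)

def corrupt(ct, index):
    # Flip one bit to simulate a transmission error.
    b = bytearray(ct)
    b[index] ^= 0x01
    return bytes(b)
```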

Stream Ciphers

Stream ciphers are typically much faster than block ciphers. A stream cipher generates a key
stream (a sequence of bits or bytes used as a key). The plaintext is combined with the key
stream, usually with the XOR operation.

Generating the key stream may be independent of the plaintext and cipher text, to give a
synchronous stream cipher. Alternatively, it may depend on the cipher text, in which case the
stream cipher is self-synchronizing. Nearly all stream ciphers are of the synchronous type.

There is no “standard” stream cipher, and in general, stream ciphers are best avoided. Certain
modes of operation of a block cipher transform it into a key stream generator, and so any block
cipher can be used as a stream cipher. Examples are DES in CFB or OFB mode over
single-key DES.

In a Private Key system (also called secret key or symmetric key), both the sender and the
receiver have access to the same key. A disadvantage of this system is that if the secrecy of
the key is compromised, the system loses its effectiveness. Since secrecy is most likely to be
compromised when the keys are initially delivered to the sender and the receiver, great care
should be taken to see that they are not intercepted when delivered.

Researchers and encryption developers are working on a 128-bit encryption system that will
be many times harder to break than the 56-bit system. Private key encryption systems are best
suited for use within an organization or between closely related organizations. They are based
on software and are up to 100 times faster than public key systems. However, private key
systems are not appropriate for most electronic commerce applications, since both parties in a
transaction must have access to the same private key. This means that either (1) everyone who
does business with a particular company must have the same key, which would negate the value
of the system, or (2) there must be a separate key for each company you do business with, which
would be confusing and very difficult to track.

Other types of cryptographic algorithms include:

RSA
RSA is a public-key system designed by Rivest, Shamir, and Adleman.

HASH
A 'hash algorithm' is used for computing a condensed, fixed-length representation of a
message/file. This is sometimes known as a 'message digest' or a 'fingerprint'.

MD5
MD5 is a 128 bit message digest function. It was developed by Ron Rivest.

SHA-1
SHA-1 is a hashing algorithm similar in structure to MD5, but producing a digest of 160 bits
(20 bytes). Because of the larger digest size, it is less likely that two different messages will
have the same SHA-1 message digest. For this reason SHA-1 is recommended in preference
to MD5.

HMAC
HMAC is a hashing method that uses a key in conjunction with an algorithm such as MD5 or
SHA-1. Thus one can refer to HMAC-MD5 and HMAC-SHA1.
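Added example, not from the unit: HMAC-SHA1 and HMAC-MD5 built from the definition (the hash applied twice, with the key padded into an inner and an outer block), checked against Python's hmac module, together with the digest sizes quoted above. The key and message are constructed sample values.

```python
import hashlib
import hmac

def digest_bits(algorithm, message):
    # Size in bits of the message digest: 128 for MD5, 160 for SHA-1.
    return len(hashlib.new(algorithm, message).digest()) * 8

def fingerprint(algorithm, message):
    # The plain (unkeyed) message digest the text calls a 'fingerprint'.
    return hashlib.new(algorithm, message).hexdigest()

def hmac_from_definition(algorithm, key, message):
    # HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)); with H = MD5 or
    # SHA-1 this gives what the text calls HMAC-MD5 and HMAC-SHA1.
    block_size = hashlib.new(algorithm).block_size  # 64 bytes for both
    if len(key) > block_size:
        key = hashlib.new(algorithm, key).digest()   # long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(algorithm, ipad + message).digest()
    return hashlib.new(algorithm, opad + inner).digest()

def reference_hmac(algorithm, key, message):
    # The standard-library result, used to cross-check the hand-built version.
    return hmac.new(key, message, algorithm).digest()

def verify_tag(algorithm, key, message, tag):
    # Receiver side: recompute the tag and compare in constant time, so a bad
    # tag cannot be refined by timing how many leading bytes matched.
    return hmac.compare_digest(hmac_from_definition(algorithm, key, message), tag)

KEY = b"shared-secret-key"             # constructed sample key
MSG = b"ship 40 units to warehouse 3"  # constructed sample message
```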

The advantage of traditional (secret-key) cryptography is that it is usually much faster than
public-key cryptography. Its weakness is that DES involves transmitting the key over an
unprotected channel, so there is the difficulty of finding a secure means to send the key. Using
fast processing capabilities, the key could be intercepted by unauthorized hackers: an individual
who can intercept the data might also intercept the key. For this reason PKI is considered the
superior form of cryptography.

3.10.2.4 Public Key Infrastructure

There is no accepted definition of PKI (public key infrastructure), but loosely defined it is a
collection of services, standards and protocols for supporting public key applications.
Among the services a PKI can be expected to provide is the management of public keys via
the use of the following components:
 Registration authority (RA): registers the details of a new PKI user.
 Certification authority (CA): issues and/or cancels the certificates of user public keys.
 Verification authority (VA): determines whether a certificate is valid and, if so, for what
purpose.

Digital certificate and digital signature


Certificates: the technical devices that ensure the identity of the sender and thus further
establish trust between communicating parties on the internet.

A certificate is composed of two parts, the public key and a digital signature. The certificate
format was developed by the International Organization for Standardization (ISO) in a
standard called X.509.

Types of digital certificates


Identifying certificate: formally ties the sender of the certificate to that sender’s public key. It
also verifies the identity of the sender using an electronic message from the certificate
authority to the person identified on the certificate.

Authorizing certificate: provides the message receiver with more verified, detailed information
about the individual who is sending the message. Authorizing certificates came into existence
to prove certain information about the sender, such as the viability and legitimacy of the
receiver.

Transactional certificate: provides the message receiver with information about the actual
transaction itself. For instance, if a legal document needs to be signed in the presence of a
lawyer, the person can digitally sign the document and provide a copy of his or her personal
public key, and then have the lawyer encrypt the entire message with the lawyer’s private key.

Digital signature
Digital signatures are the identity stamps that travel with an internet message. Like a
handwritten signature, a digital signature serves to identify its originator. It contains the
verified identity of the subject, with such attributes as the name, employer address and, very
importantly, the certificate issuing party. If properly used, digital signatures that use an
encryption key and verify the identity of the party are legally binding.

A digital signature transforms the message that is signed so that anyone who reads it can be
sure of who sent it. These signatures employ a secret key used to sign messages and a public
one used to verify them. Only a message signed with the private key can be verified by means
of the public one. Thus, if a sender wants to send a signed message to a receiver in some other
place, he/she transforms it using a private key, and the receiver applies the public key to make
sure that it was the sender who sent it. The best methods known for producing forged signatures
would require many years, even using computers billions of times faster than those now
available.

Because digitally signed documents, once encrypted, could not be decrypted, there is no
chance of forgery once signed.

Certification Authorities
A certification authority is a third party who acts as a trusted source providing the identity of
the parties trying to communicate. A certification authority is the responsible party that
issues official documents assuring others that the certificate holder is truly the person he or
she claims to be. It issues and manages digital certificates.

Tasks of the certification authority:
 It verifies the identity of an individual using the traditional license and ID procedure.
 It issues a digital certificate that designates a private and public key.
 It manages any changes to, and the duration of, a digital certificate and gives notification
of expired certificates. Normally digital certificates are issued for a certain period of time
and thereafter expire. Furthermore, any change to the certificate expires the original
certificate.

The question now is how much trust can be placed in the certification authority, because
sometimes parties in need of others’ decryption keys act as a certification authority or commit
bribery.

To minimize such risks the certification authority issues a certificate practice statement, a
legal document that explains in detail the identity of the user. The certification authority will
also publish a general certificate policy that is sent with the digital signature. This policy
helps a company decide how much trust to place in someone else’s digital signature and
certification authority. The most common certification authorities in the US are VERISIGN,
CYBERTRUST, ENTRUST, XCERT, and IBM.

In addition to certification authorities, another party called the registration authority is also
involved with users of PKI. The registration authority serves as a go-between/contact point
between the certificate user and the certification authority.

Using a registration authority has several advantages, such as separation of identification and
certificate issuing tasks. It also acts as a liaison between the certificate user and the
certification authority.

To prove non-denial of messages, i.e. that messages have been created and received at a
specific date and time, a digital stamp function is performed.

A digital stamp functions by sending a copy of the message in unreadable format to the
certification authority. The certification authority then sends the message to the receiver
and sends a certificate confirming the receipt of the message by specifying the date and time.

Procedures in PKI
The sender of the message will have both private and public keys. He/she will then send the
public key to the receiver, who encrypts a message with it and sends it back for verification.
A message encrypted with the public key can only be decrypted using the private key, which
is found only in the hands of the sender. Using the private key, the sender decrypts the
message and sends it back.

By this, confidentiality of the message could be assured. However, a company could receive an
encrypted message from a wrong party under a fictitious name, since the public key was once
made public. Therefore the identity of the other party must be assured.
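The signing, certificate and challenge steps from the digital signature passage and the 'Procedures in PKI' passage above, as an added example that is not part of the unit. It uses textbook RSA over constructed small primes (far too small to be secure) and a hypothetical CA so that the arithmetic is visible; real systems use 2048-bit keys and padded signature schemes.

```python
import hashlib

def make_keypair(p, q, e=65537):
    # Textbook RSA from two primes; returns (public key, private key).
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest_int(message, n):
    # SHA-1 message digest folded into the modulus; real schemes pad the
    # digest up to the modulus size instead of reducing it like this.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n

def sign(private_key, message):
    # Signing transforms the digest with the private key; only its holder can.
    n, d = private_key
    return pow(_digest_int(message, n), d, n)

def verify(public_key, message, signature):
    # Anyone holding the public key can check the signature against the message.
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)

def _certificate_body(subject, public_key):
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(ca_private_key, subject, subject_public_key):
    # A certificate in the sense of the text: the subject's public key plus the
    # certification authority's digital signature binding it to a name.
    body = _certificate_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(ca_private_key, body)}

def verify_certificate(ca_public_key, cert):
    # Trust the key in a certificate only if the CA's signature over it checks
    # out; a key presented under a fictitious name without that signature fails.
    body = _certificate_body(cert["subject"], cert["public_key"])
    return verify(ca_public_key, body, cert["signature"])

def challenge_response(public_key, private_key, nonce):
    # The 'Procedures in PKI' check: the receiver encrypts a challenge with the
    # sender's public key and the sender proves key ownership by decrypting it.
    n, e = public_key
    encrypted = pow(nonce, e, n)
    return pow(encrypted, private_key[1], n) == nonce

# Constructed parties; the primes are small, well-known ones chosen for readability.
CA_PUB, CA_PRIV = make_keypair(2147483647, 167772161)
ALICE_PUB, ALICE_PRIV = make_keypair(1000000007, 998244353)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(1000000009, 469762049)
```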

Learning activity 9

1. What is cryptography?
________________________________________________________________________
________________________________________________________________________
2. What is digital certificate?
________________________________________________________________________
________________________________________________________________________

Check Your Progress


1. Sending remittance data and payments together electronically is referred to as
A. EDI
B. EFT
C. FVAN
D. FEDI
2. Which of the following is not a control issue associated with electronic commerce?
A. invalid transaction
B. unauthorized transactions
C. lack of an audit trail
D. loss of confidentiality
3. A network used to implement FEDI is
A. the internet
B. an FVAN
C. an intranet
D. an extranet
4. Which approach to encryption is the most secure for a server that deals with many
unknown clients?
A. public key encryption
B. secret key encryption
C. digital signature
D. none
5. Which of the following is used to store digital cash on a personal computer?
A. electronic digest
B. digital signing unit
C. virtual cash transporting system
D. none
6. Which of the following statements is true regarding digital signatures?
A. they require the related message to be encrypted
B. they do not require the related message to be encrypted
C. they require the use of message digests
D. none

3.11 SUMMARY

Today many business transactions are conducted over electronic networks, that is, over
groups of computers linked together electronically. Networks can be classified according to
the distance they span. Hence, networks can be classified as local, metropolitan or wide area.
The internet is the largest wide area network available today. The internet allows many
different computers to communicate via the IP protocols. Each computer on the internet is
assigned a unique address called the IP number. IP numbers can be either dynamic or fixed.
Dynamic addresses are normally assigned for temporary use; that is, for a single
communications session. Fixed addresses are assigned for permanent use.

Intranets are basically in-house miniature (small) versions of the internet. They are typically
protected from the outside world by firewalls, which restrict access to authorized individuals
and are used for authorized business.

On the internet, information security is achieved in part through encryption technology. Secret
key encryption is sometimes used to encrypt messages, but it does not provide a way for the
secret key to be sent from the sender of a message to the receiver. Public key encryption,
however, allows messages to be sent using only public keys. The recipient's public key is used
to encrypt a message. That person's private key is then used for decryption.

Digital signatures are a means of positively guaranteeing the identity of the sender of a
message without requiring that the message be encrypted.

Answers to learning activities

Learning activity 1

1. What is electronic commerce?

E-commerce (business) refers to all uses of advances in information technology (IT),
particularly networking and communications technology, to improve the ways in
which an organization performs all of its business processes.

 E-commerce (business) encompasses an organization’s external interactions with its
suppliers, customers, investors, creditors, the government and the media.
 E-commerce (business) includes the use of IT to redesign its internal processes.
 For organizations in many industries, engaging in e-business is a necessity.
 Engaging in e-business in and of itself does not provide a competitive advantage.
 However, e-business can be used to more effectively implement its basic strategy and
enhance the effectiveness and efficiency of its value-chain activities.

Learning activity 2

1. What is intranet?

Intranet is a closed, business-wide network, but it uses open standards such as TCP/IP instead
of proprietary protocols traditionally used for LANs (local area networks, usually hard-wired)
and WANs (wide area networks, usually LANs connected by cable, telephone and wireless
networks).

The term Intranet refers to internal networks that connect to the main Internet

2. What is extranet?

Extranet is a private WAN running on public protocols. That is, an extranet is a virtual private
network among private parties based on open network and protocols. To assure security and
privacy, an extranet relies on secured channel using tunneling protocols and digital ID. In a
way, extranet is a private street built on public land (although costs may be borne by private
parties).
Extranets link the intranets of two or more companies.
 The Internet is an international network of computers (and smaller
networks) all linked together.
 What is the Internet’s backbone?
– the connections that link those computers together
 Portions of the backbone are owned by the major Internet service providers
(ISPs).

Learning activity 3

1. What are the common types of electronic commerce?

 Business to Consumers (B2C): Interactions between individuals and organizations.
 Business to Business (B2B): Inter-organizational e-business.

Type of E-Business        Characteristics

B2C                        Organization-individual
                           Smaller dollar value
                           One-time or infrequent transactions
                           Relatively simple

B2B, B2G, B2E              Inter-organizational
                           Larger dollar value
                           Established, on-going relationships
                           Extension of credit by seller to customer
                           More complex

Learning activity 4
1. What is EBDI?
Electronic Business Data Interchange (EBDI) encompasses the exchange through electronic
communications of all forms of business documents, including:
1. Electronic mail (E-mail): the transfer of messages (text mail) and files (e.g.
graphic plans and drawings, legal documents, and databases).
2. Electronic Data Interchange (EDI) and Trade Data Interchange (TDI): the
computer-to-computer transfer of purchase orders, sales orders, inventory
advices, shipping schedules, and other financial documents.
3. Electronic Funds Transfer (EFT): the transfer of money.

2. What are the advantages of EDI?

Overall the following are typical benefits resulting from EDI:

1. Cost savings
2. Minimizing errors
3. The ability to complete transactions quickly
4. Adaptability to new forms of business
5. Helps organizations to reduce cycle time.

Learning activity 5
1. What are the different types of electronic payment system? Discuss them
Refer to section 3.6 of the unit for detailed coverage.
Electronic Funds Transfer (EFT) or payment is a large group of methods for sending
informational messages that electronically effect economic exchanges. Overall, EFT is similar
to EDI in that it mainly involves sending an electronic message from one place to another.
EFT is also similar to EDI in that it is also heavily influenced by public messaging standards.

Learning activity 6

1. What are the different conventional and electronic payments?

Refer to section 3.7 of the unit for the answers.

2. What is the difference between debit and credit card?

Refer to section 3.7 of the unit for detailed coverage.

 Debit card is used to pay from the savings account of the card holder.
 Credit card is used to give credit to the card holder as per the arrangement made
between the service provider and the card holder.
For learning activity 7, 8, and 9 refer to the related sections of the unit.

3.12 ANSWERS TO CHECK YOUR PROGRESS

1. D. 2. C. 3. B. 4. A. 5. D. 6. B.

3.13 GLOSSARY

Cryptanalysis: various techniques for analyzing encrypted messages for purposes of
decoding them without legitimate authorization.

Digital cash: money created when a bank attaches its digital signature to a note promising to
pay the bearer some amount of money.

Digital certificate: a digitally signed document issued by a certification authority that attests
to the ownership of a public key by a particular organization.

Electronic wallet: a computer program that keeps track of the various keys and items of
information associated with digital money.

Encryption: use of a password or digital key to scramble a readable (plain text) message
into an unreadable (cipher text) message.

Firewall: limits access to information on the company's servers from the rest of the world
