E-Commerce
Dr.R.BASKARAN
Senior Lecturer
Department of Computer Science and Engineering, Anna University, Chennai – 600025.
baaski@cs.annauniv.edu
Dr.R.BASKARAN,DCSE

UNIT IV Transaction
Transaction
• A transaction is an agreement, communication, or movement carried out between separate entities or objects, often involving the exchange of items of value, such as information, goods, services and money.
• Financial transaction
• Real estate transaction
• Transaction cost
• Database transaction
• Atomic database transaction
• Transaction processing
• POS Transaction
ELECTRONIC FUND TRANSFER
• Electronic funds transfer or EFT refers to the computer-based systems used to perform financial transactions electronically.
• The term is used for a number of different concepts:
• Cardholder-initiated transactions, where a cardholder makes use of a payment card
• Direct deposit payroll payments for a business to its employees, possibly via a payroll services company
• Direct debit payments from customer to business, where the transaction is initiated by the business with customer permission
• Electronic bill payment in online banking, which may be delivered by EFT or paper check
• Transactions involving stored value of electronic money, possibly in a private currency
• Wire transfer via an international banking network (generally carries a higher fee)
• Electronic Benefit Transfer
EPOS
• Electronic Point of Sale – most larger shops have EPOS terminals.
• They are the cash registers which also act as terminals to a main computer system.
• They produce itemised receipts.
• When you go to the cashier they often scan a bar code or tag into a machine. This records the sale, identifies the item being sold and sometimes updates a stock list.

EFTPOS
• Electronic Funds Transfer at Point Of Sale – These are similar to EPOS terminals but with extra features that allow transfers of funds from customer bank accounts directly into the shop’s bank account when a credit or debit card is used.
• It is an electronic processing system for credit cards, debit cards and charge cards.
CARD BASED EFT
• EFT may be initiated by a cardholder when a payment card such as a credit card or debit card is used.
• This may take place at an automated teller machine (ATM) or point of sale (POS), or when the card is not present, which covers cards used for mail order, telephone order and internet purchases.
• Card-based EFT transactions are often covered by the ISO 8583 standard.
TRANSACTION TYPES
• Sale: where the cardholder pays for goods or service
• Refund: where a merchant refunds an earlier payment made by a cardholder
• Withdrawal: the cardholder withdraws funds from their account, e.g. from an ATM. The term Cash Advance may also be used, typically when the funds are advanced by a merchant rather than at an ATM
• Deposit: where a cardholder deposits funds to their own account (typically at an ATM)
• Cashback: where a cardholder withdraws funds from their own account at the same time as making a purchase
• Inter-account transfer: transferring funds between linked accounts belonging to the same cardholder
• Payment: transferring funds to a third party account
• Enquiry: a transaction without financial impact, for instance balance enquiry, available funds enquiry, linked accounts enquiry, or request for a statement of recent transactions on the account
• E top-up: where a cardholder can use a device (typically POS or ATM) to add funds (top up) to their pre-pay mobile phone
• Mini-statement: where a cardholder uses a device (typically an ATM) to obtain details of recent transactions on their account
• Administrative: this covers a variety of non-financial transactions including PIN change
AUTHORISATION
• EFT transactions require communication between a number of parties.
• When a card is used at a merchant or ATM, the transaction is first routed to an acquirer, then through a number of networks to the issuer where the cardholder's account is held.
• A transaction may be authorised offline by any of these entities through a stand-in agreement.
• Stand-in authorisation may be used when a communication link is not available, or simply to save communication cost or time.
• Stand-in is subject to the transaction amount being below agreed limits, known as floor limits.
• These limits are calculated based on the risk of authorising a transaction offline, and thus vary between merchants and card types.
• Offline transactions may be subject to other security checks such as checking the card number against a 'hotcard' (stolen card) list, velocity checks (limiting the number of offline transactions allowed by a cardholder) and random online authorisation.
• Before online authorisation was standard practice and credit cards were processed using manual vouchers, each merchant would agree a limit ("floor limit") with his bank above which he must telephone for an authorisation code.
• If this was not carried out and the transaction subsequently was refused by the issuer ("bounced"), the merchant would not be entitled to a refund.
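The stand-in decision described above combines four checks: the hotcard list, the floor limit for the merchant/card-type pair, a velocity cap on offline approvals, and random online authorisation. The following Python is an added example written for this page, not code from the lecture or from any payment network; the floor limits, the hotcard entry (a well-known test PAN) and the velocity/random-check parameters are constructed sample values, and the velocity counter is a plain dictionary passed in by the caller.

```python
import random
from dataclasses import dataclass

# Constructed sample configuration (not from the lecture). Floor limits are the
# amounts up to which a terminal may approve offline ("stand in") for a given
# merchant category and card type; 0.0 means every transaction must go online.
FLOOR_LIMITS = {
    ("grocery", "debit"): 25.00,
    ("grocery", "credit"): 50.00,
    ("electronics", "credit"): 0.00,
}

# Constructed hotcard (reported stolen) list; 4111111111111111 is a well-known test PAN.
HOTCARD_LIST = {"4111111111111111"}

VELOCITY_LIMIT = 3         # offline approvals allowed per card before an online check is forced
RANDOM_ONLINE_RATE = 0.10  # fraction of otherwise-eligible offline transactions sent online anyway


@dataclass
class Decision:
    route: str    # "stand_in_approve", "online" or "decline"
    reason: str


def authorise(pan, amount, merchant_category, card_type, link_available,
              offline_counts, rng=random.random):
    """Decide whether a transaction may be approved offline under a stand-in agreement.

    offline_counts maps PAN -> number of offline approvals so far (the velocity counter);
    in a real terminal it is reset after a successful online authorisation, which this
    example does not model. rng is injectable so the random check is deterministic in tests.
    """
    # 1. A card on the hotcard list is never approved, online or offline.
    if pan in HOTCARD_LIST:
        return Decision("decline", "card on hotcard list")

    # 2. Random online authorisation: an eligible transaction is sometimes sent to the
    #    issuer anyway, so offline fraud is not guaranteed to stay unnoticed.
    if link_available and rng() < RANDOM_ONLINE_RATE:
        return Decision("online", "random online authorisation")

    # Anything that cannot be approved offline goes online if the link is up and is
    # declined if it is not: the terminal may not stand in outside its agreed limits.
    fallback = "online" if link_available else "decline"

    # 3. Floor limit: stand in only up to the agreed amount for this merchant/card type.
    floor = FLOOR_LIMITS.get((merchant_category, card_type), 0.0)
    if amount > floor:
        return Decision(fallback, "above floor limit")

    # 4. Velocity check: cap the number of consecutive offline approvals per card.
    if offline_counts.get(pan, 0) >= VELOCITY_LIMIT:
        return Decision(fallback, "velocity limit reached")

    offline_counts[pan] = offline_counts.get(pan, 0) + 1
    return Decision("stand_in_approve", "below floor limit")


if __name__ == "__main__":
    counts = {}
    # Link down; the fourth small purchase trips the velocity limit and is declined.
    for amt in (10.0, 12.0, 8.0, 9.0):
        d = authorise("5555444433331111", amt, "grocery", "debit", False, counts, rng=lambda: 1.0)
        print(amt, d.route, d.reason)
```

The order of the checks matters: the hotcard test runs first so that a stolen card is never approved even when the link is down, and the random online check runs before the floor-limit test so that small purchases, which are otherwise always approved offline, still get sampled by the issuer.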
AUTHENTICATION
• EFT transactions may be accompanied by methods to authenticate the card and the card holder.
• The merchant may manually verify the card holder's signature, or the card holder's Personal identification number (PIN) may be sent online in an encrypted form for validation by the card issuer.
• Other information may be included in the transaction, some of which is not visible to the card holder (for instance magnetic stripe data), and some of which may be requested from the card holder (for instance the card holder's address or the CVV2 value printed on the card).
FIRST VIRTUAL PAYMENT SYSTEM
• First Virtual Holdings was a company formed in early 1994 to facilitate Internet commerce.
• The first product offering from First Virtual was an Internet payment system, which was developed quietly and publicly announced as a fully-operational open Internet service on October 15, 1994.
• First Virtual provided most of the features of both eBay and PayPal before those companies existed.
• Key people behind First Virtual were Nathaniel Borenstein, Marshall Rose, Einar Stefferud, and Lee Stein.
• "The First Virtual approach is to create an automatic authorization system that requires no previous relationship between buyer and seller. In the era of electronic commerce, the new system may herald a shift comparable to the transition a generation ago, when the members-only department store credit card gave way to use-anywhere cards like Visa and Mastercard."
• "The new company, based in San Diego, is the brainchild of Lee Stein, a San Diego lawyer and accountant who is its president, and three computer scientists long involved with the Internet global web of computer networks. First Virtual's big partners are Electronic Data Systems Inc., a division of General Motors, and First USA, a fast-growing credit card company in Dallas that will issue a Visa card for the new service."
INTERNET EXCHANGE POINT
• IXP = Internet Exchange Point
• Places where ISPs come to interconnect with each other – "clearing house" for Internet traffic
• Keep local traffic local
• "IXPs are the keystone of the entire Internet economy." - Cisco Systems
• An Internet exchange point (IX or IXP) is a physical infrastructure that allows different Internet service providers (ISPs) to exchange Internet traffic between their networks (autonomous systems) by means of mutual peering agreements, which allow traffic to be exchanged without cost.
• IXPs reduce the portion of an ISP's traffic which must be delivered via their upstream transit providers, thereby reducing the Average Per-Bit Delivery Cost of their service.
• The primary purpose of an IXP is to allow networks to interconnect directly, via the exchange, rather than through one or more 3rd party networks.
• The advantages of the direct interconnection are numerous, but the primary reasons are cost, latency, and bandwidth.

[Figure: local infrastructure, gateways and local ISPs connected through an Internet Exchange Point]

IXP Benefits
• Better quality
• Cash savings
• Added value
• New revenue opportunities
CYBER CASH
• CyberCash, Inc. was an internet payment service for electronic commerce, headquartered in Reston, Virginia.
• It was founded in August 1994 by Daniel C. Lynch (who served as chairman), William N. Melton (who served as president and CEO, and later chairman), Steve Crocker (Chief Technology Officer), and Bruce G. Wilson.
• The company initially provided an electronic wallet software to consumers and provided software to merchants to accept credit card payments.
• Later they also offered "CyberCoin", a micropayment system modeled after the NetBill research project at Carnegie Mellon University, which they later licensed.
• In 1995, the company proposed RFC 1898, CyberCash Credit Card Protocol Version 0.8.
• The company went public on February 19, 1996 with the symbol "CYCH" and its shares rose 79% on the first day of trading.
• In 1998, CyberCash bought another online credit card processing company, ICVerify. In January 2000, a teenage Russian hacker nicknamed "Maxus" announced he had cracked CyberCash's ICVerify application; the company denied this.
• On January 1, 2000, CyberCash fell victim to the Y2K Bug, causing double recording of credit card payments through their system.
SECURITY MODEL
• A computer security model is a scheme for specifying and enforcing security policies.
• A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all.
• In computer security, an access control list (ACL) is a list of permissions attached to an object.
• The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
• In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
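The ACL model above is small enough to implement directly: permissions hang off the object, each entry is a (subject, operation) pair, and anything not listed is denied. The Python below is an added example written for this page, not code from the lecture; the `AccessControlList` class, its method names and the `denied_log` used to record refused requests are assumptions of the example, and the WXY/Alice/Bob entries are the lecture's example plus constructed extras.

```python
from collections import defaultdict


class AccessControlList:
    """ACL keyed by object: each object carries a set of (subject, operation) entries.

    Anything not explicitly listed is denied (default deny), and every refused
    request is recorded so unexpected access attempts can be reviewed later.
    """

    def __init__(self):
        self._entries = defaultdict(set)   # object -> {(subject, operation), ...}
        self.denied_log = []               # (subject, operation, object) tuples

    def grant(self, obj, subject, operation):
        self._entries[obj].add((subject, operation))

    def revoke(self, obj, subject, operation):
        self._entries[obj].discard((subject, operation))

    def entries(self, obj):
        """The entries attached to one object, e.g. {("Alice", "delete")} for file WXY."""
        return set(self._entries.get(obj, set()))

    def is_allowed(self, obj, subject, operation):
        # .get() rather than [] so that checking an unknown object does not create an entry.
        allowed = (subject, operation) in self._entries.get(obj, set())
        if not allowed:
            self.denied_log.append((subject, operation, obj))
        return allowed

    def enforce(self, obj, subject, operation):
        """Reference-monitor style check: raise instead of letting the caller continue."""
        if not self.is_allowed(obj, subject, operation):
            raise PermissionError(f"{subject} may not {operation} {obj}")


def build_example_acl():
    """Constructed example: the lecture's (Alice, delete) entry on file WXY plus two readers."""
    acl = AccessControlList()
    acl.grant("WXY", "Alice", "delete")
    acl.grant("WXY", "Alice", "read")
    acl.grant("WXY", "Bob", "read")
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    print("Alice delete WXY:", acl.is_allowed("WXY", "Alice", "delete"))   # True
    print("Bob delete WXY:  ", acl.is_allowed("WXY", "Bob", "delete"))     # False, and logged
    print("denied so far:   ", acl.denied_log)
```

Two design points are worth noting: a subject's rights are only discoverable by scanning every object's list (the usual cost of ACLs versus capability lists), and the `denied_log` is what turns a silent refusal into something a security operations team can actually review.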
CONSUMER PROTECTION
• 'Consumer protection' is a form of government regulation which protects the interests of consumers.
• For example, a government may require businesses to disclose detailed information about products, particularly in areas where safety or public health is an issue, such as food. Consumer protection is linked to the idea of consumer rights (that consumers have various rights as consumers), and to the formation of consumer organizations which help consumers make better choices in the marketplace.
• Consumer interests can also be protected by promoting competition in the markets which directly and indirectly serve consumers, consistent with economic efficiency, but this topic is treated in Competition law.
• Consumer protection can also be asserted via non-government organizations and individuals as consumer activism.
VIRTUAL TERMINAL
• In open systems, a virtual terminal (VT) is an application service that:
• Allows host terminals on a multi-user network to interact with other hosts regardless of terminal type and characteristics,
• Allows remote log-on by local area network managers for the purpose of management,
• Allows users to access information from another host processor for transaction processing,
• Serves as a backup facility.
• ITU-T defines a virtual terminal protocol based on the OSI application layer protocols. However, the virtual terminal protocol is not widely used on the Internet.
SECURITY CONSIDERATIONS
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• The terms information security, computer security and information assurance are frequently incorrectly used interchangeably.
• Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

SECURITY CONSIDERATIONS
• BASIC PRINCIPLES
• Key concepts - For over twenty years information security has held that confidentiality, integrity and availability (known as the CIA Triad) are the core principles of information security.
• CONFIDENTIALITY
• INTEGRITY
• AVAILABILITY
• AUTHENTICITY
• NON-REPUDIATION

SECURITY CONSIDERATIONS
• CONFIDENTIALITY
• Ensures that only an authorised person can access the protected data of a message
• It is the property of preventing disclosure of information to unauthorized individuals or systems.
• INTEGRITY
• Ensures that transmitted messages are not manipulated during transmission
• Integrity means that data cannot be modified without authorization.
SECURITY CONSIDERATIONS
• AVAILABILITY
• For an information system to serve its purpose, the information must be available when it is needed.
• This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
• AUTHENTICITY
• In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).

SECURITY CONSIDERATIONS
• NON-REPUDIATION
• Ensures that a person cannot falsely deny later that he sent a message
• In law, non-repudiation implies one's intention to fulfill their obligations to a contract.
• It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
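The integrity, authenticity and non-repudiation properties above are easy to confuse, and a short piece of code separates them. The Python below is an added example written for this page, not code from the lecture: it uses a shared-key HMAC (Python's standard `hmac` and `hashlib` modules) over a constructed order message. A correct tag shows the message was not manipulated (integrity) and was produced by someone holding the key (authenticity between the two parties); the last function shows why that is still not non-repudiation, since the receiver holds the same key and can produce a valid tag for a message the sender never sent. Non-repudiation needs a key only the sender holds, i.e. a digital signature, which this example deliberately does not model.

```python
import hashlib
import hmac
import json

# Constructed sample key and transaction (not from the lecture). A real key would be
# random and held only by the two communicating systems.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ORDER = {"order_id": 1001, "payee": "ShopCo", "amount": "49.99", "currency": "INR"}


def canonical(message: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def mac_tag(key: bytes, message: dict) -> str:
    """Sender side: tag the canonical message with HMAC-SHA256."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: dict, tag: str) -> bool:
    """Receiver side: recompute and compare in constant time (no early-exit on mismatch)."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def tamper_detected(key: bytes, message: dict, tag: str, field: str, new_value) -> bool:
    """True if changing `field` in transit would be caught by the receiver's check."""
    altered = dict(message)
    altered[field] = new_value
    return not verify_tag(key, altered, tag)


def receiver_can_forge(key: bytes, claimed_message: dict) -> bool:
    """Both parties hold the same key, so the receiver can tag any message it likes and
    it will verify. A valid tag therefore proves 'one of the two key holders made this',
    which is integrity and (two-party) authenticity, but it cannot settle a dispute
    between them: that is the gap between a MAC and non-repudiation."""
    forged_tag = mac_tag(key, claimed_message)
    return verify_tag(key, claimed_message, forged_tag)


if __name__ == "__main__":
    tag = mac_tag(SHARED_KEY, ORDER)
    print("genuine order verifies:      ", verify_tag(SHARED_KEY, ORDER, tag))          # True
    print("amount change detected:      ", tamper_detected(SHARED_KEY, ORDER, tag, "amount", "4999.99"))  # True
    print("receiver could forge a tag:  ", receiver_can_forge(SHARED_KEY, {**ORDER, "amount": "0.01"}))   # True
```

`canonical()` is the part people most often get wrong: if sender and receiver serialise the same dictionary with different key order or whitespace, a genuine message fails verification, which in practice gets "fixed" by weakening the check.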
SECURITY CONSIDERATIONS
• RISK MANAGEMENT
• The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
• The process of risk management is an ongoing iterative process. It must be repeated indefinitely.
• The choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
SECURITY CONSIDERATIONS
• ISO/IEC 27002:2005
• risk assessment,
• security policy,
• organization of information security,
• asset management,
• human resources security,
• physical and environmental security,
• communications and operations management,
• access control,
• information systems acquisition, development and maintenance,
• information security incident management,
• business continuity management, and
• regulatory compliance.
SECURITY CONSIDERATIONS
• CONTROLS
• Administrative
• consist of approved written policies, procedures, standards and guidelines.
• Laws and regulations created by government bodies are also a type of administrative control because they inform the business.
• Administrative controls form the basis for the selection and implementation of logical and physical controls.

SECURITY CONSIDERATIONS
• CONTROLS
• Logical
• use software and data to monitor and control access to information and computing systems.
• principle of least privilege - an individual, program or system process is not granted any more access privileges than are necessary to perform the task.
• Physical
• monitor and control the environment of the work place and computing facilities.
• separation of duties - an individual can not complete a critical task by himself.
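Least privilege and separation of duties are the two logical-control principles most often enforced in payment software, and they interact: a role map that gives each role only its own permissions implements least privilege, while refusing to let one person both create and approve a payment implements separation of duties. The Python below is an added example written for this page, not code from the lecture; the roles, the `payment:*` permission names, the conflicting-permission set and the `try_action` helper are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role-to-permission map: each role gets only what its task needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk":      {"payment:create"},
    "supervisor": {"payment:approve"},
    "auditor":    {"payment:read"},
}

# Permission pairs no single person may hold at once (static separation of duties).
CONFLICTING = {frozenset({"payment:create", "payment:approve"})}


@dataclass
class User:
    name: str
    roles: set

    def permissions(self):
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


@dataclass
class Payment:
    payment_id: int
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def validate_roles(user: User) -> bool:
    """Reject a role assignment that would let one person hold a conflicting pair."""
    perms = user.permissions()
    for pair in CONFLICTING:
        if pair <= perms:
            raise ValueError(f"{user.name} would hold conflicting permissions {sorted(pair)}")
    return True


def require(user: User, permission: str) -> None:
    """Least privilege at the point of use: no permission, no action."""
    if permission not in user.permissions():
        raise PermissionError(f"{user.name} lacks {permission}")


def create_payment(user: User, payment_id: int, amount: float) -> Payment:
    require(user, "payment:create")
    return Payment(payment_id, amount, created_by=user.name)


def approve_payment(user: User, payment: Payment) -> Payment:
    require(user, "payment:approve")
    # Dynamic separation of duties: even a legitimate approver may not approve
    # a payment they created themselves (this catches a role map that validate_roles missed).
    if payment.created_by == user.name:
        raise PermissionError(f"{user.name} may not approve a payment they created")
    payment.approved_by = user.name
    return payment


def try_action(fn, *args) -> str:
    """Run an action and report 'ok' or the name of the control that stopped it."""
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    clerk = User("carol", {"clerk"})
    boss = User("sam", {"supervisor"})
    both = User("pat", {"clerk", "supervisor"})
    p = create_payment(clerk, 1, 250.0)
    print("clerk approves own payment:", try_action(approve_payment, clerk, p))   # PermissionError
    print("supervisor approves:       ", try_action(approve_payment, boss, p))    # ok
    print("conflicting role set:      ", try_action(validate_roles, both))       # ValueError
```

Both checks are needed: `validate_roles` stops the conflict when roles are assigned, and the creator check inside `approve_payment` stops it if roles were changed later or assigned without going through validation.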
SECURITY GOVERNANCE
• "Governing for Enterprise Security (GES)" defines characteristics of effective security governance.
• An Enterprise-wide Issue.
• Leaders are Accountable.
• Viewed as a Business Requirement.
• Risk-based.
• Roles, Responsibilities, and Segregation of Duties Defined.
• Addressed and Enforced in Policy.
• Adequate Resources Committed.
• Staff Aware and Trained.
• A Development Life Cycle Requirement.
• Planned, Managed, Measurable, and Measured.
• Reviewed and Audited.

CLIENT APPLICATION