ELECTRONIC COMMERCE: On-Line Ordering and Digital Money, Second Edition
Electronic Payment Methods
"A New Way to Pay Old Debts" - Philip Massinger (play title, 1632)
Updating Traditional Transactions
The typical modern consumer uses a handful of different methods to pay for goods and services on a regular basis:
This list is far from complete, leaving out choices like debit cards, money orders and bank checks, traveler's checks, barter systems, tokens, and other instruments used by consumers - organizations have their own instruments available, including purchase orders, lines of credit, and others. However, most consumer transactions can be handled by cash, credit cards, or personal checks.
Internet-based electronic commerce methods also focus on secure transmission of credit card information, electronic checking and digital currencies.
NOTE: Credit cards like MasterCard, Visa, and Discover allow consumers to extend themselves credit on purchases; charge cards like the American Express card do not extend credit. Debit cards are tied to checking accounts, and the amounts charged are debited immediately from the account. However, for the purposes of electronic transactions they are used similarly, and for the purposes of this book the term "credit card" should be taken to cover all credit-card-like plastic payment tokens (unless otherwise specified).
Adapting Existing Methods
Credit cards are the easiest method of the three to adapt to online transactions, in part because people are already accustomed to using them remotely, whether for telephone transactions or for mail orders. Credit card transactions simply require that the consumer provide a valid credit card number and expiration date (and often a billing address) when placing an order - that information can be, and often has been, provided through standard Internet applications like e-mail. This exposes the credit card to eavesdroppers monitoring for sequences of digits specific to credit cards along the message's route. Although I have not heard of any actual instance of an eavesdropper stealing credit information in this way, it is definitely possible. Securing Internet credit card transactions can be as simple as applying secure encryption (as described in Chapter 2).
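As an added example (not from the book), here is the defender's side of the exposure just described: a small scanner that looks through a constructed sample of cleartext order lines for digit runs that pass the Luhn check every card number must satisfy, the way a data-loss-prevention filter confirms that card data is not leaving the merchant in the clear. The sample lines and the test card number are constructed; the output is masked so the scanner does not become a second copy of the data.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample of cleartext lines such as a mail relay or proxy might
// log while an order is sent without encryption (example data, not real cards).
var sampleLines = []string{
	"From: customer@example.invalid Subject: order #1234567890123456",
	"Please charge my card 4111 1111 1111 1111, exp 12/99, ship to 12 Main St.",
	"Call me at 555-0123-456 if there is a problem.",
	"Card: 4111111111111112 (typo, fails Luhn)",
}

// candidate matches runs of 13-19 digits, optionally separated by spaces or dashes.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn mod-10 check.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// stripSeparators keeps only the digits of a candidate match.
func stripSeparators(s string) string {
	out := make([]byte, 0, len(s))
	for i := 0; i < len(s); i++ {
		if s[i] >= '0' && s[i] <= '9' {
			out = append(out, s[i])
		}
	}
	return string(out)
}

// FindCleartextPANs returns the masked card numbers found in lines that were
// transmitted in the clear. Order numbers and phone numbers of similar length
// are rejected because they fail the Luhn check or are too short.
func FindCleartextPANs(lines []string) []string {
	var found []string
	for _, line := range lines {
		for _, m := range candidate.FindAllString(line, -1) {
			digits := stripSeparators(m)
			if luhnValid(digits) {
				found = append(found, "****"+digits[len(digits)-4:])
			}
		}
	}
	return found
}

func main() {
	for _, f := range FindCleartextPANs(sampleLines) {
		fmt.Println("cleartext card number detected:", f)
	}
}
```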
Adapting cash for use over an open network is considerably harder, in part because most people associate cash with the physical exchange of currency, but doing so makes it possible to spend anonymously.
There are other problems to solve in the process of digitizing cash, where actual currency is replaced by digital "coins" represented as chunks of data. These will be discussed in greater detail in Chapter 8, but one of the most prominent schemes uses public key encryption as well as digital signatures, deployed within a framework managed by a central bank.
Checking across a network is conceptually simpler to grasp, in part because the check itself is simply a document with very specific information (bank, account number, payee, and dollar amount) which has been signed by the account holder. Turning a hard-copy check into an electronic check requires that the electronic check be transmitted securely and signed digitally. In some ways the process is similar to digitizing cash, but is simpler because there is no need to even consider the anonymity of the person "writing" the check.
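An added example, not code from the book, of the digital signing the paragraph describes: the check's fields (bank, account number, payee, amount) are serialized in a fixed, length-prefixed form, hashed, and signed with an ECDSA key belonging to the account holder; the payee or bank verifies the signature against the fields it actually received, so any change to the payee or amount is caught. The serial number field and the sample key, bank and payee names are assumptions added here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ECheck carries the fields the chapter lists for a check: bank, account
// number, payee and amount. Amount is kept in cents to avoid float issues.
type ECheck struct {
	Bank       string
	Account    string
	Payee      string
	AmountCent int64
	Serial     string // assumed field: lets the bank reject a replayed check
}

// canonical serializes the check in a fixed field order with a length prefix
// per field, so no re-splitting of the fields can yield the same byte string.
func canonical(c ECheck) []byte {
	var b strings.Builder
	for _, f := range []string{c.Bank, c.Account, c.Payee,
		fmt.Sprint(c.AmountCent), c.Serial} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

// NewSigner generates the account holder's P-256 key pair; the private half
// stays with the account holder and the bank keeps the public key on file.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignCheck hashes the canonical form and produces an ECDSA signature over it.
func SignCheck(priv *ecdsa.PrivateKey, c ECheck) ([]byte, error) {
	digest := sha256.Sum256(canonical(c))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyCheck is what the payee or bank runs on receipt: it recomputes the
// digest from the fields it was handed and checks them against the signature.
func VerifyCheck(pub *ecdsa.PublicKey, c ECheck, sig []byte) bool {
	digest := sha256.Sum256(canonical(c))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	chk := ECheck{Bank: "Example Bank", Account: "0001234567",
		Payee: "Example Books Inc.", AmountCent: 2995, Serial: "1042"}
	sig, err := SignCheck(priv, chk)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyCheck(&priv.PublicKey, chk, sig))
	altered := chk
	altered.AmountCent = 299500 // amount changed after signing
	fmt.Println("altered amount verifies:", VerifyCheck(&priv.PublicKey, altered, sig))
}
```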
Building a Commercial Environment
It's one thing to engineer and implement a technique for making purchases electronically, and another to make it usable and accessible. So much commercial activity is centered on the World Wide Web because it seems to provide an easily accessible forum for merchants to display and distribute their products, and an easily accessible environment for consumers to shop and make purchases. Since the World Wide Web was not designed for commerce but for information publishing, making it safe for commerce requires adding on security features and protocols, to be described in Chapter 4. These techniques only make it possible to transmit information securely - they do not address transmission of payments, nor do they do anything to further the transaction once payment information has been received.
An online commerce environment must go beyond the simple transmission of payment information, but it must start there, usually with an Internet server capable of transmitting data securely. Although the payment information is usually the only portion of the transaction that must actually be transmitted securely, some systems offer methods of guaranteeing information such as shipping instructions, offering prices, and other order information through digital signatures. Security goes beyond encryption of ordering information, however, and it is necessary to guard against criminals who masquerade online as merchants authorized to accept consumer credit card information. Even more important is to secure the merchant's server system where credit information is collected.
As an entire solution, the commerce environment should be as flexible as possible, accepting different payment methods consistent with the market and the business. Next, it should help the merchant collect information about customers (wherever relevant and possible). It should be integrated into the general business environment, generating actions to be taken as a result of the order:
Some merchants will be able to do business on the Internet simply by purchasing and installing a secure World Wide Web server, and manually processing orders received over the Internet in the same way they process mail or telephone orders. Merchants who do not expect a large volume of orders from the Internet will prefer to operate in this way, since it costs less than the more holistic approaches - however, merchants wishing to maximize the benefit of selling online will invest in a more complete commercial environment. Secure servers and related commerce environment products are discussed in more detail in Chapter 7.
Offline and Online Transactions
In general, direct commerce solutions that use the Internet directly to transmit transaction information protect that information with some kind of encryption method. This neutralizes what is perceived to be, but actually isn't, the greatest threat to Internet transactions - the eavesdropper. Data encrypted with a sufficiently strong method is immune to likely threats (the cost of computer resources required to decrypt your credit card number ranges from millions of dollars to many billions of dollars, depending upon whether the decryption must be complete in a matter of decades or faster). There are easier ways to steal credit card numbers.
However, it is not strictly necessary to transmit any sensitive information over open networks when there are much more secure channels that can be used to carry sensitive information. For example, many people feel more comfortable discussing business with associates in person than discussing business over a telephone. Barring the relatively extreme instances of those whose business is under government scrutiny, personal conversations inspire a high level of confidence that no one is listening in: in most cases an eavesdropper would be noticed.
Although telephone conversations have a greater potential for eavesdropping (legal and illegal taps, someone listening in on an extension, cellular and cordless phone scanners), with a minimum of care a telephone conversation can be relatively secure. The same type of consideration can be applied to fax transmissions, as well as to postal mail and other delivery services. The result is that there are other channels across which sensitive information can be sent. Some Internet commerce solutions take advantage of the relative security of these alternative media to eliminate the need for software security solutions.
These solutions require that the consumer make a telephone call, send a fax, or send a hard copy with sensitive information like credit card numbers, consumer names, and billing and shipping addresses.
Secure Online Transaction Models
It may be simplest to contract with some other company, like an electronic mall operator, Internet service provider, or some other organization, to manage servers, orders, and content. However, that company itself must use some method or methods of accepting and processing orders. As has been mentioned, the simplest method of doing direct business online on the Internet is to set up a secure World Wide Web server, then create content pages and program forms to take orders.
Secure Web Servers
The current battle for domination of the secure World Wide Web server and Internet browser markets is between Netscape and Microsoft. However, Web browsers and servers from any vendor are expected to interoperate with the servers and browsers of any other vendor - this is the whole point behind using Internet standards. (The Netscape and Microsoft secure servers and browsers will be discussed in greater detail in Chapter 7.)
A secure World Wide Web server must, by definition, support some type of security protocol. At the moment, the two most important of these are the Secure Hypertext Transport Protocol (S-HTTP) and the Secure Sockets Layer (SSL), which was initially developed by Netscape and offered to the Internet community as a proposed standard in 1995. These protocols, as well as some others, will be discussed in greater detail later in this chapter and in Chapter 4. However, one of their primary advantages is their relative unobtrusiveness to the consumer using an SSL- or S-HTTP-enabled browser.
Secure Server Purchasing
The resulting browser/server interaction is, to the consumer, very closely mapped to the interaction that occurs when a consumer makes a purchase from a catalog. The consumer browses through graphical and textual descriptions of the merchant's products, selects a purchase, and usually clicks on a button that says something like "BUY NOW" to make a purchase. If the consumer is using a secure browser supported by the secure server, that button will produce a form on the consumer's screen, which the consumer must complete. Delivery and payment information will usually be required, and at some point after this information has been provided the product will be delivered. If the customer is using a browser that is not secure or that uses a protocol not supported by the server, then some other method must be employed to consummate the transaction (alternative methods will be discussed later in this chapter).
Delivery information represents name, address, delivery address, e-mail address, and any other information necessary or desirable to deliver the product. If the product happens to be a physical item, then a physical destination, preferred shipper, and telephone number may be necessary. If the product is a digital item, then it may be transmitted directly to the consumer via the browser, by e-mail, or through some other application such as file transfer.
Secure Server Selling
Merchants want to make it economical, pleasant, and easy for consumers to buy their products, and doing so with a secure Web server is no different. There is a broad spectrum of options to choose from to balance price against a pleasing shopping experience; these issues are beyond the scope of this book - but ease of use is definitely a factor for the consumer using a secure browser.
First, the merchant needs to publish product offerings on the Internet with a secure server. Servers are available that support SSL, S-HTTP, and both. Because the Internet is an open network, based strictly on the proper and widespread implementation of standards, it doesn't make sense for merchants to limit their potential customers by using only one standard. By supporting both SSL and S-HTTP, they support transactions with consumers whose browser uses either of those standards.
However, the merchant must go beyond merely setting up the server. As with mail orders, there must be a mechanism for processing the information contained on an order form. The Internet programming community has created and offers several utilities to manipulate data. One of the first was the Common Gateway Interface (CGI), which uses scripts or lines of code to perform different tasks. More recently, Java and ActiveX have arrived on the market, offering growing levels of sophistication and power in managing data between users and the Web sites they are visiting. World Wide Web forms prompt the consumer for some kind of information; on receipt of the form, either the data is reported back to a database, or the Web site processes the data with CGI, ActiveX, or Java to take the user through another task.
In the simplest case, the information provided by the consumer might be dumped into a data file to be manually processed later. The merchant would go through this file, processing credit card information and shipping the product off to the indicated delivery address. This may be an acceptable solution for low-volume applications - merchants who do not anticipate a large flow of online transactions, for instance. It is not acceptable where the product sold is digital in nature: If the product is delivered immediately, there is no guarantee for the merchant that the payment information is correct, but waiting to ship the digital product may not be acceptable to the consumer who assumes immediate delivery.
More often, the merchant will use interfaces of some type to automate transactions. For example, banks, credit card clearing organizations, and credit card companies are all increasingly willing to authorize transactions executed over the Internet. Companies selling physical products over the Internet use e-mail confirmations and shipping notices to keep customers up to date on the status of orders, and all merchants can use network applications to notify their internal organization of orders.
Required Facilities
The merchant must understand (and the educated consumer should understand) that purchasing products over the Internet requires a significant investment in software, hardware, and services. Surprisingly, the software and hardware components are probably the smallest part of the investment, while the "services" can be acquired from any number of different providers.
The majority of Internet merchants will be unlikely to set up their own secure servers, because doing so can be complicated for the Internet novice, and also because there are so many companies now offering such services. However, merchants who are aware of what their options are can be smarter consumers of these services, and customers who are aware of how their online orders are processed can be smarter online consumers.
Hardware
Technically, any computer that can run an implementation of TCP/IP (including a World Wide Web server program) and that can be connected to the Internet can be a World Wide Web server. More realistically, the system should have a great deal of processing power to handle many simultaneous or near-simultaneous requests for information. It should have a hard disk sufficiently large to store all the information to be published in the Web server as well as system software. It should have a sufficiently fast Internet connection to support the maximum expected load on the system. And, it should have security features sufficient to protect it from unauthorized access. Perhaps surprisingly, a graphical user interface, or any graphics capability, is not technically necessary on the server - it does not have to display any information locally, but rather sends and receives data across the Internet.
In practice and at a minimum, this translates to a fast, current personal computer capable of running an operating system such as Windows NT (or possibly Windows 95), using an Ethernet connection to an Internet router. A UNIX workstation or PC-architecture server system is preferred, though. The Internet connection itself should probably be at least a dedicated telephone line running at 56 Kbps (thousands of bits per second). Internet routers are often included in Internet service packages, but they are often simply fast personal workstations with special networking software and hardware.
Some organizations using the Internet may prefer to simply get a server and an Internet connection, and leave their internal networks out of the loop. However, those who do opt to connect their organizational networks to the Internet along with their Web server will almost certainly want to invest in some kind of firewall architecture to protect their network from intruders. This is likely to add to the cost of the hardware required for an Internet connection, but is necessary whether they are running a Web server or not.
There is also a blossoming software industry enabling the presentation of data already existing on an internal computer system in a Web server without reentering the data. This will be very useful for companies looking to offer online order processing of inventories experiencing a high level of turnover.
Total initial cost, depending on the systems selected, can be anywhere from $1000 on up. A typical implementation, using a low-end PC server/high-end personal workstation, should cost somewhere between $4000 and $10,000, including router, network cards, and cable.
Software
As mentioned earlier, a TCP/IP implementation is necessary for the Web server. This may be built in to the operating system, or it may be a part of the Web server package, but in any case it is necessary. Likewise, a Web server package is required. This is the software that responds to requests from browsers on the Internet and sends out the desired information. Security, as mentioned before, should be part of the operating system.
Savvy system administrators make sure that there is no other software on Internet servers. This guarantees that if an intruder should compromise that system, no software is available to the intruder for further mischief. For example, network software installed and configured on a server allowing access to organizational data could be used by an intruder to access, modify, or delete that information.
Services
The raw materials are relatively cheap, but the knowledge of how to put it all together is (at least right now) expensive. And there are quite a number of different things that need to get done to set up a server:
Obtaining Internet service is simply the process of getting connected to the Internet, and keeping that access up and running. In some ways it is comparable to getting a telephone connection - the ISP simply offers connectivity, not content.
Some Internet service providers will also manage your link and your server hardware. This should mean they will keep the systems up and running and manage access to and from those systems. This often includes security and firewall services.
Creating and maintaining Web server content is critical and is a task often farmed out to consultants. While this approach may be effective for getting a Web site online quickly, maintaining and updating content must be an ongoing task. Fortunately, there are many tools available to make Web authoring easy, and these will tend to drive down the cost of managing Web content.
Finally, transactions using credit cards must be settled. Most people will be familiar with the "swipe" machines used in stores where credit cards are accepted. These transmit information about the transaction to a clearing company, which then provides an authorization code indicating whether the transaction will be processed. This same process can be linked to a secure Web server, for a price. This is just one of the services included in online commercial environments, to be discussed later in this chapter and in Chapter 7.
Electronic Malls
Setting up a Web site for buying and selling can be complicated and expensive; it is not for everyone. However, some companies have been setting up electronic, or virtual, or online malls. The shopping mall is a familiar and comfortable model for consumers and merchants, and it is relatively straightforward to simulate using the World Wide Web. Mall operators allow individual merchants to "rent space" on the mall. The financial arrangements may vary, but generally include some kind of monthly charge, charges for storage space required, and also usually some charge for each transaction.
As with other Internet commerce service providers, digital malls provide a way for individual merchants to sell online without having to assemble all the parts themselves. The parts are still all there, and merchants investigating online commerce options should consider the systems and networking expertise of the service provider as well as the commercial facilities.
Online Commercial Environments
As should be apparent from the preceding discussion, simply having a secure World Wide Web server is far from a complete online commerce solution for merchants (although having a secure World Wide Web browser can be a complete solution for the online consumer). There is an entire "back end" infrastructure needed to support electronic sales and fulfillment. This includes links to credit card authorization networks, as well as integrating alternative payment methods into the solution. Merchants maximize their potential sales by making it easy for all customers to buy, and this includes accepting different payment methods.
Companies offering online commerce environments strive to produce an integrated and complete solution for Internet merchants. This may include software tools for creating World Wide Web documents and commercial offerings, secure Web server software, Web site management tools, and links to commercial transaction settlement services for credit cards as well as other digital payment methods.
Merchant Requirements
As part of the ability to sell products electronically, the online commercial environment should provide at least some of the following abilities:
Online commerce environment vendors must offer at least some of these functions because they are necessary to transact business online. Many of the functions described in the preceding section (Required Facilities) may also be provided in an online commerce environment, but these are offered as a convenience to merchants - the merchant can just as easily supply its own facilities, or contract them out to some other vendor.
Customer Requirements
The successful online commerce environment makes no demands at all on the customer, other than requiring the ability to access the online sales facility and the intention to buy something offered. However, the environment should permit the customer to use whatever payment method is desired, consistent with good business practice. In practice this means major credit cards, as well as an appropriate selection of electronic payment methods.
Customers, like merchants, will want some kind of audit trail or account statements, particularly when purchasing information products. The ability to provide receipts, monthly billing statements, and account status reports will be important to customers evaluating online business partners.
Chapter 7 will discuss an online commercial environment that includes some of these services.
Digital Currencies and Payment Systems
While secure commerce servers are intended to protect transaction data being sent over the Internet, digital currencies and other types of digital payment mechanisms are intended to carry value in a protected digital form over the Internet. Digital currencies and payment systems do not necessarily compete against secure Internet servers or commercial environments, but can complement such products by adding another way to exchange values.
Two approaches are taken by companies offering this type of service. One is to link a customer payment method (credit card, checking account, or some other source of funds) to an online identity, managed by the service provider. Merchants selling to a participating customer can then authenticate the payment information through the service provider, who may also provide authorization and clearing services. This type of service may seem to overlap somewhat with commerce environment services. The difference is that the payment system usually requires participants to register in some way with the payment system sponsor, while commerce environments usually permit the customer to use a credit card or a payment system. The payment method may also become merged into the applications themselves as new protocols are introduced which define procedures for transacting business using existing, nondigital payment methods.
The CyberCash and First Virtual payment systems are discussed in greater detail in Chapter 6.
Digital checking can also take advantage of the same techniques, in much the same way that debit cards are used the same way as credit cards - consumers present the card to the merchant, who must get an authorization for the purchase. The charges are paid immediately out of the consumer's checking account, rather than at the end of the monthly billing cycle.
A different approach is used for actual digital currencies, as opposed to payment systems. Usually, anyone can participate by opening an account with a financial institution offering digital currency service. Client software is used to withdraw money from the account, check on balances, and maintain a "digital wallet" that holds the value on the participant's computer. Cash exchanges between a user and the bank use the same types of cryptographic technologies described in Chapter 2. Digital signatures guarantee cash transfers, and transactions may be encrypted.
New technologies for transferring cash without hard currency or a traditional check are also appearing on the market and will be covered in Chapter 8.
Offline Secure Processing
All of the options discussed so far in this chapter require some type of online security, whether it is a secure channel between the customer and the merchant or encryption of some or all data sent from one application to another. As entrepreneurs and developers investigated the methods for doing business online, it became apparent that there were two general approaches:
It has been argued that by taking the sensitive data out of the online Internet loop, companies can provide relatively secure commercial services on the Internet without the costs associated with implementing a secure channel or secure payment protocol. Most important is that implementing this type of system independently of the underlying application means that the end user - the customer - does not have to upgrade or buy any special software to support new security protocols. All existing channels are capable of supporting commerce, whether through a World Wide Web server, file transfer or terminal emulation, or even e-mail. What's more, any future application or network can also be supported just as easily, with no need for modification.
This approach was first used by First Virtual Holdings Incorporated in 1994 and is described in more detail in Chapter 6. In this approach, customers must telephone, fax, or mail (all relatively secure, or at least familiar, methods) their credit card payment and shipping address information to the sponsoring organization. They are then provided with an account ID, which they can use to order goods from participating merchants. The information about an order, including order status, can be transmitted in the clear, while the sensitive information, such as payment information, is kept entirely offline.
Although this approach has some interesting and attractive features, it is not likely to dominate the electronic commerce world. It is likely to continue to be used in certain specialty and niche markets, but some assumptions that motivated this approach are proving wrong. For example, as larger numbers of new Internet users come online, it becomes easier to implement new Internet browsers supporting commercial security features. Also, the United States government is granting export licenses for some electronic commerce applications of varying strength.
Private Data Networks
The use of the Internet for the exchange of business data is a growing, unstoppable trend. Internet-based transactions are in the future for most, if not all, companies. However, many companies are still reluctant to use the "open" Internet to conduct mission-critical business transactions. A genuine problem faces many companies, as they want to groom existing systems and bring on new applications, but do not want to close out future possibilities. An alternative is available.
A solution for many companies may lie in the use of private data networks to pass Internet data. For example, a large distribution company clearly sees the Internet as a transaction medium in the next few years. They are proceeding with plans to build an online catalog and order processing application but, at first, will not hook it to the Internet. Instead, they will connect it to a private third-party network.
This is not a new technology. For years, companies such as CompuServe, Advantis, AT&T, and, more recently, BBN Planet have offered private data networks for companies that are looking for a large network, but would like to avoid the cost of building such a network from scratch.
In this scenario, users access the application and information with a standard Internet browser, and the distribution company will employ all of the required security methods, including firewalls, secure browser support, and electronic commerce servers. The only difference is that when the customers connect to the distribution company, they will dial a toll-free number and be connected to a third-party company, which will in turn be connected to the distribution company. The third party will have a network in place that functions exactly like the Internet, but that will not be accessible to the general public.
In the future, management opinions may change, the nature of the application may change or new Internet technologies could be deployed, and the company will have the option of connecting the application to the open Internet.
© 1996-2003 Charles River Media. All Rights Reserved