Chapter 4
E-commerce Security
and Payment Systems
Learning Objectives
5.1 Identify the Dimensions of E-Commerce Security.
5.2 Describe Security Threats.
5.3 Describe Securing Channels of Communication.
5.4 Identify Different Types of Payment Systems.
Copyright © 2020, 2019, 2018 Pearson Education, Inc. All Rights Reserved
Dimensions of E-Commerce Security (1 of 2)
• There are six key dimensions to e-commerce security:
integrity, nonrepudiation, authenticity, confidentiality,
privacy, and availability.
• Integrity: the ability to ensure that information being
displayed on a website or transmitted or received over the
Internet has not been altered in any way by an unauthorized
party.
• Nonrepudiation: the ability to ensure that e-commerce
participants do not deny (i.e., repudiate) their online
actions.
• Authenticity: the ability to verify the identity of a
person or entity with whom you are dealing on the
Internet.
Dimensions of E-Commerce Security (2 of 2)
• Confidentiality: the ability to ensure that messages and
data are available only to those who are authorized to view
them.
• Privacy: the ability to control the use of information about
oneself. E-commerce merchants have two concerns
related to privacy. They must establish internal policies that
govern their own use of customer information, and they
must protect that information from illegitimate or
unauthorized use. For example, if hackers break into an
e-commerce site and gain access to credit card or other
information, this
What Is Good E-commerce Security?
• To achieve the highest degree of security
– New technologies
– Organizational policies and procedures
– Industry standards and government laws
• Other factors
– Time value of money
– Cost of security vs. potential loss
– Security often breaks at weakest link
Figure 5.1 The E-commerce Security Environment
Table 5.1 Customer and Merchant Perspectives on the Different Dimensions of E-Commerce Security
The Tension Between Security and
Other Values
• Can there be too much security? The answer is yes.
Contrary to what some may believe, security is not an
unmitigated good. Computer security adds overhead and
expense to business operations, and also gives criminals
new opportunities to hide their intentions and their crimes.
• Security versus Ease of Use: There are inevitable
tensions between security and ease of use. When
traditional merchants are so fearful of robbers that they do
business in shops locked behind security gates, ordinary
customers are discouraged from walking in. The same can
be true with respect to e-commerce. In general, the more
security measures added to an e-commerce site, the more
difficult it is to use and the slower the site becomes.
Security Threats in the
E-commerce Environment
• From a technology perspective, there are three
key points of vulnerability when dealing with
e-commerce:
– the client,
– the server, and
– the communications pipeline (Internet communications
channels).
Figure 5.2 A Typical E-commerce Transaction
Figure 5.3 Vulnerable Points in an E-commerce Transaction
Most Common Security Threats in the E-commerce Environment
• Malicious code (malware, exploits) includes a variety of
threats such as viruses, worms, Trojan horses, and bots
– Drive-by downloads
– Viruses
– Worms
– Ransomware
– Trojan horses
– Backdoors
– Bots, botnets
– Threats at both client and server levels
Most Common Security Threats (cont.)
• In addition to malicious code, the e-commerce security
environment is further challenged by potentially unwanted
programs (PUPs), also sometimes referred to as potentially
unwanted applications (PUAs), such as:
– Browser parasites (a program that can monitor and change the
settings of a user’s browser)
– Adware (a PUP that serves pop-up ads to your computer)
– Spyware (a program used to obtain information such as a user’s
keystrokes, e-mail, instant messages, and so on)
• Phishing (exploitation of human fallibility and gullibility to distribute malware)
– Social engineering
– E-mail scams
– Spear-phishing
– Identity fraud/theft
Most Common Security Threats (cont.)
• Hacking: a hacker is an individual who intends to gain
unauthorized access to a computer system.
– Hackers vs. crackers (within the hacking community, "cracker" is a term
typically used to denote a hacker with criminal intent).
– Types of hackers: white, black, and grey hats
• Hacktivism: the practice of promoting a political agenda
by hacking, especially by defacing or disabling websites.
• Credit card fraud/theft: one of the most feared occurrences on the
Internet. Fear that credit card information will be stolen prevents users
from making online purchases in many cases.
• Spoofing (attempting to hide a true identity by using
someone else’s e-mail or IP address) and pharming.
Technology Solutions
• Protecting Internet communications
– Encryption: the process of transforming plain text or data into cipher text that cannot
be read by anyone other than the sender and the receiver. The purpose of encryption is
(a) to secure stored information and (b) to secure information transmission.
• Securing channels of communication
– SSL (Secure Sockets Layer), VPNs (Virtual Private
Networks)
• Protecting networks
– Firewalls
• Protecting servers and clients
Figure 5.4 Tools Available to Achieve Site Security
Symmetric Key Encryption
• Symmetric key encryption (secret key cryptography): both the sender and the receiver use the
same key to encrypt and decrypt the message. Modern encryption
systems are digital.
• Requires a different set of keys for each transaction
• Strength of encryption: the strength of modern security protection is
measured in terms of the length of the binary key used to encrypt the
data.
• Data Encryption Standard (DES): developed by the National Security
Agency (NSA) and IBM. Uses a 56-bit encryption key
• Advanced Encryption Standard (AES)
– Most widely used symmetric key encryption
– Uses 128-, 192-, and 256-bit encryption keys
Public Key Encryption
• Uses two mathematically related digital keys
– Public key (widely disseminated)
– Private key (kept secret by owner)
• Both keys are used: one to encrypt the message, the other
to decrypt it
• Once a key is used to encrypt a message, the same key
cannot be used to decrypt it
• Sender uses recipient’s public key to encrypt the
message; recipient uses the private key to decrypt
it
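Added example (not part of the original slides) of the sender/recipient flow above, written in Go with the standard library's RSA-OAEP: the sender needs only the recipient's public key, the public key cannot decrypt, and a second, unrelated private key cannot recover the message either. Function names and the sample message are constructed for this example; the note on hybrid encryption is general practice, not a claim from the slides.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the recipient's key pair. The public key is published;
// the private key never leaves the recipient.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptForRecipient is the sender's step: it needs only the recipient's public key.
// RSA-OAEP (SHA-256 padding) is used rather than raw textbook RSA. OAEP limits the
// plaintext to a few hundred bytes, which is why in practice the public key usually
// encrypts a symmetric session key rather than the data itself (hybrid encryption).
func EncryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWithPrivate is the recipient's step. The public key that encrypted the
// message cannot decrypt it (the API does not even accept it here), and a different
// private key fails with a decryption error rather than yielding plaintext.
func DecryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	recipient, _ := GenerateKeyPair(2048)
	stranger, _ := GenerateKeyPair(2048)    // an unrelated key pair, also constructed
	msg := []byte("card on file: token 42") // constructed sample message
	ct, _ := EncryptForRecipient(&recipient.PublicKey, msg)
	pt, err := DecryptWithPrivate(recipient, ct)
	fmt.Printf("recipient decrypts: %q err=%v\n", pt, err)
	_, err = DecryptWithPrivate(stranger, ct)
	fmt.Println("other private key:", err)
}
```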
Figure 5.5 Public Key Cryptography: A Simple Case
Protecting Networks
• Once you have protected communications as well as possible, the
next set of tools to consider are those that can protect your
networks, as well as the servers and clients on those networks.
• Firewall: refers to either hardware or software that filters
communication packets and prevents some packets from entering
the network based on a security policy
– Hardware or software
– Uses security policy to filter packets
– Two main methods:
▪ Packet filters
▪ Application gateways
• Proxy servers (proxies): a software server that handles all
communications originating from or being sent to the Internet, acting
as a spokesperson or bodyguard for the organization
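Added example (constructed for this chapter, not from the slides or any real firewall product): a minimal packet filter in Go that applies a security policy rule by rule, first match wins, and drops anything the policy does not explicitly allow (default deny). The rules and addresses are constructed samples using RFC 5737 documentation ranges and the RFC 1918 10.0.0.0/8 private range.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields this simple filter inspects (constructed model).
type Packet struct {
	Proto   string // "tcp" or "udp"
	SrcIP   net.IP
	DstPort int
}
// Rule is one line of the security policy; Allow=false means the packet is dropped.
type Rule struct {
	Proto   string     // "tcp", "udp" or "*" for any protocol
	Src     *net.IPNet // source network the rule applies to
	DstPort int        // 0 matches any destination port
	Allow   bool
}
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}
// Filter evaluates rules in order and returns the first match's verdict.
// A packet no rule mentions is dropped: default deny, not default allow.
func Filter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if (r.Proto == "*" || r.Proto == p.Proto) && r.Src.Contains(p.SrcIP) &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Allow
		}
	}
	return false
}
// Policy is a constructed sample: block one network outright (placed first so it
// wins), expose HTTPS/HTTP to everyone, and allow SSH only from the internal net.
var Policy = []Rule{
	{"*", mustCIDR("203.0.113.0/24"), 0, false},
	{"tcp", mustCIDR("0.0.0.0/0"), 443, true},
	{"tcp", mustCIDR("0.0.0.0/0"), 80, true},
	{"tcp", mustCIDR("10.0.0.0/8"), 22, true},
}
func main() {
	p := Packet{"tcp", net.ParseIP("198.51.100.7"), 22} // constructed: SSH from outside
	fmt.Printf("%s from %s to port %d: allowed=%v\n", p.Proto, p.SrcIP, p.DstPort, Filter(Policy, p))
}
```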
Figure 5.8 Firewalls and Proxy Servers
Protecting Servers and Clients
• Operating system security enhancements
– Upgrades, patches
• Anti-virus software
– Easiest and least expensive way to prevent threats to system
integrity
– Requires daily updates
Management Policies, Business
Procedures, and Public Laws
• In order to minimize security threats, e-commerce firms must develop a
coherent corporate policy that takes into account the nature of the risks,
the information assets that need protecting, and the procedures and
technologies required to address the risk, as well as implementation and
auditing mechanisms.
• Worldwide, companies spend more than $65 billion on security
hardware, software, services
• Managing risk includes:
– Technology
– Effective management policies
– Public laws and active enforcement
Types of Payment Systems
• For the most part, existing payment mechanisms such as cash, credit cards,
debit cards, checking accounts, and stored value accounts have been able to
be adapted to the online environment, albeit with some significant limitations
that have led to efforts to develop alternatives.
• Cash
– Most common form of payment
– Instantly convertible into other forms of value
– No float
• Checking transfer
– Second most common payment form in United States
• Credit card
– Credit card associations
– Issuing banks
– Processing centers
Types of Payment Systems (cont.)
• Stored value:
– Funds deposited into account, from which funds are
paid out or withdrawn as needed
– Debit cards, gift certificates
– Peer-to-peer payment systems
• Accumulating balance:
– Accounts that accumulate expenditures and to which
consumers make periodic payments
– Utility, phone, American Express accounts
Payment System Stakeholders
• Consumers
– Low-risk, low-cost, refutable, convenience, reliability
• Merchants (a merchant account is a bank account that allows companies to
process credit card payments and receive funds from those
transactions)
– Low-risk, low-cost, irrefutable, secure, reliable
• Financial intermediaries
– Secure, low-risk, maximizing profit
• Government regulators
– Security, trust, protecting participants and enforcing
reporting
E-commerce Payment Systems
• Credit cards: Because credit and debit cards are the dominant form of online
payment, it is important to understand how they work and to recognize the
strengths and weaknesses of this payment system.
– 42% of online payments in 2013 (United States)
• Debit cards
– 29% online payments in 2013 (United States)
• Limitations of online credit card payment
– Security, merchant risk
– Cost
– Social equity
Figure 5.10 How an Online Credit Transaction Works
Alternative Online Payment Systems
• Online stored value systems: permit consumers to make
instant, online payments to merchants and other individuals based on
value stored in an online account
– Based on value stored in a consumer’s bank, checking,
or credit card account
– Example: PayPal
• Other alternatives:
– Amazon Payments
– Google Checkout
– Bill Me Later
– WUPay, Dwolla, Stripe
Mobile Payment Systems
• Mobile payment systems are the fastest-growing
component of alternative payments. The use of mobile phones as
payment devices is established in Europe, Japan, and South Korea.
• Near field communication (NFC): a set of short-range wireless
technologies used to share information among devices.
– Short-range (2”) wireless for sharing data between devices
• Expanding in the United States
– Google Wallet
▪ Mobile app designed to work with NFC (near field
communication) chips
– PayPal
– Square