E- Commerce transactions And Shopping Cart

1
E- Commerce transactions And Shopping Cart

• ERDEM OZDEN
• INBS 510 ANNA STORY
• APRIL 16, 2002

2
Online Credit Card Fraud Stats

• Global online purchases will reach 310 billion
  in 2005.
• Online credit card fraud will cost 9 billion in
  2001.
• Widespread use of anti-fraud technology will
  reduce online payment fraud to 5.7 billion by
  2005, from a potential 15.5 billion.
• Fraud was 19 times higher online, than with brick
  and mortar stores in 2001.
• Source Meridien Research

3
How Consumers View Authentication

• 47 are now comfortable with registering on web
  sites by providing personal information.
• 80 said they would be open to additional
  authentication measures to make online purchases
  more secure.
• 50 said they would be open to using a personal
  identification number (PIN).
• 32 said they would be willing to type in a
  portable password created by a credit card
  company.
• 42 said they are annoyed at having to
  remember different passwords for different sites.
• Source Jupiter Media Metrix

4
SHOPPING CYCLE

• Online Store The merchant sets up an online
  store.
• Bank Account The merchant registers with a bank
  to authorize transactions.
• Product Selection Customers browse products by
  product category, or by text search.
• Shopping Cart Customers view and change the
  contents of their shopping cart.
• Customer Registration Registration is needed
  when customers make a purchase.
• Check Out The customer may verify or change
  items, and then proceed with their purchase.
• Credit Card Authorization The customer submits
  credit card information for authorization.
• Order Processing After credit card
  authorization, the merchant sends the product.

5
Online Credit Card Transaction
Shopping Cart
1. Customer Proceeds to Check out.
Calculate Totals
2. Shipping, tax added for total amount.
Get User Info
3. Customers address, telephone information.
5. If the CC is Declined Get New CC.
Enter Credit Card Information
4. Customers credit card information.
No
Enough Funds
Card Refused
5. If the CC is Authorized Process Order.
Yes
Failed
Card Authorized
E-mail Customer
E-mail Customer
6
SHOPPING SERVICES

• One-click Buy CC data is stored in database,
  and used for instant purchases.
• Personalization Some merchants offer
  personalized services like special offers, and
  
• recommendations, for registered
  customers.
• Order Tracking The customers monitor order
  status by using the order ID.
• Save your cart Customers save their cart and
  complete the transaction at a later date.
• E-mail Verification The customers receive
  emails about news, special events,
• recommendations, and the recent order.

7
SHOPPING CARTS

• Keep the process simple.
• Include tax and shipping costs to display the
  exact charges.
• Tell customers how many steps are involved.
• Add gift option before the checkout.
• Put policy information in pop-up windows.
• Dont force registration. Customers lose patience
  fast.
• Offer multiple shipping options.
• Limit the checkout process with five to six
  steps.

8
Personalization
Homepage
Yes
No
User Selects New Or Returning User
Retrieve Preferences
Cookie?
User Selects New User
User Selects Returning User
Database
User Enters ID Password
User Enters User Information
Cookie Set Return Homepage
Create Personal Page
Database
No
User Exists?
Register
Yes
Cookie Set Return Homepage
9
CHARGE-BACK
CARDHOLDER
1. Cardholder calls Issuer Bank for fraud.
4. Issuer Bank gives cardholders credit.
ISSUER BANK
2. Issuer Bank calls Acquirer Bank.
3. Acquirer Bank debits merchant account.
Additional penalty, or cancels agreement.
ACQUIRER BANK
Merchant Account
10
FRAUD

• Lower consumer confidence.
• Higher cost of transactions and loss of revenue
  for merchants.
• Higher costs of services for financial
  institutions.
• Image damage to the credit card companies and
  issuers.
• Charge-back fraud has slowed the growth of
  e-commerceNothing is going to happen until
  credit card companies can positively authenticate
  every consumer buying from a website.
• Theodore Lacobuizo, Senior Analyst,
  TowerGroup

11
SECURITY THREAT

• Employee Theft Employee steals data. This is
  the largest threat.
• Trojan Horse Can be used for snooping.
  Frequently used in a virus attack.
• Hacking Breaking into a system. Trojan horses
  used for returning to server.
• Social Engineering Hackers act like a network
  engineer.
• Buffer Overflow Cause an overflow condition. May
  grant root access.
• Cracking Breaking into system to steal things.
• Password Fishing Trying to log in with common
  passwords.
• Snooping Use of a software program to intercept
  data.
• Application Attack Force application to
  fall-over, and root access to system.

12
Secure Electronic Transaction (SET)

• Development of Visa and MasterCard.
• Certificate-based system.
• Digital signatures to replace the handwritten
  signatures.
• Cardholder software is required.
• Digital certificates are installed on consumers
  PC.
• Expensive.
• Complex structure.
• Because of its complexity, and cost, SET usage
  was limited.

13
Secure Sockets Layer (SSL)

• Created by Netscape.
• Simple to implement.
• Implemented in Transport Layer (TLS).
• Supports most of the browsers and Web servers.
• Widely used in Web transactions.
• Uses digital certificates.

14
Secure Sockets Layer (SSL)
BROWSER
SERVER
1. Browser sends SSL request massage.
2. Server responds by sending its certificate.
3. Browser verifies that the certificate is valid.
4. Browser sends one time session key.
5. Server decrypts the massage with its private
key.
6. Source exchanges with symmetric encryption.
15
Web Server Certificates

• The certificate, which contains the Web servers
  public key, will be used by the browser to
• Authenticate the identity of a Web site.
• Contain the Web servers public key.
• Encrypt information for the server using SSL.
• Certification Authority (CA) Certificates
• CA Certificates are issued by a trusted third
  party called a Certification Authority (CA).
• CA validates the certificate holders identity.

16
Visa Payer Authentication Service (VPAS)

• New payer authentication service from VISA.
• Based on a protocol known as 3-D Secure.
• Announced in 2001.
• 3-D refers to the three domains
• Issuers
• Acquirers
• Transaction Communication

17
How VPAS Works
1. Cardholder selects buy.
2. Merchant queries Visa for account data.
Cardholder
Merchant
3. Visa checks CAD for customer data.
Card Association Directory
Merchant Requests Authorization
Issuer Access Control Server
4. Issuer ACS validates password, digitally
signs response, transmits copy to Authentication
History Server
5. Merchant verifies signature, and sends
authorization request.
18
MasterCard Secure Payment Application (SPA)

• MasterCards security solution.
• It requires participation by the card issuer and
  the merchant.
• Cardholder has to download a wallet application
  from the issuer.
• Deployment of SPA will be through server-based
  electronic wallets.
• Wallet will automatically fill out payment
  information on the online order form.
• Includes a unique cardholder authentication value
  for each transaction.
• Scheduled to the second quarter of 2002.

19
Address Verification Service (AVS)

• Designed for mail-order and telephone order
  environments.
• Checks first 4 numeric digits of address and zip
  code.
• Merchant receives response codes, detailing
  degree of match.
• AVS does not guarantee charge-back protection.
• Data used is not always current.
• Only used in U.S., U.K., Germany, Austria and
  Switzerland.
• May result in false rejection of valid orders.