Chapter Five Note


CHAPTER FIVE:

E-COMMERCE SECURITY AND PAYMENT SYSTEMS

LEARNING OBJECTIVES

1. Understand the scope of e-commerce crime and security problems, the key dimensions of e-commerce security, and the tension between security and other values.
2. Identify the key security threats in the e-commerce environment.
3. Describe how technology helps secure Internet communications channels and protect
networks, servers, and clients.
4. Appreciate the importance of policies, procedures, and laws in creating security.
5. Identify the major e-commerce payment systems in use today.
6. Describe the features and functionality of electronic billing presentment and payment systems.
1. UNDERSTAND THE SCOPE OF E-COMMERCE CRIME AND SECURITY
PROBLEMS, THE KEY DIMENSIONS OF E-COMMERCE SECURITY, AND
THE TENSION BETWEEN SECURITY AND OTHER VALUES.

THE E-COMMERCE SECURITY ENVIRONMENT

For most law-abiding citizens, the Internet holds the promise of a huge and convenient global
marketplace, providing access to people, goods, services, and businesses worldwide, all at a bargain
price.

THE SCOPE OF THE PROBLEM

Cybercrime is becoming a more significant problem for both organizations and consumers. Bot
networks, DDoS attacks, Trojans, phishing, ransomware, data theft, identity fraud, credit card fraud,
and spyware are just some of the threats that are making daily headlines. Social networks also have
had security breaches.

WHAT IS GOOD E-COMMERCE SECURITY?

What is a secure commercial transaction? Anytime you go into a marketplace you take risks, including
the loss of privacy (information about what you purchased). Your prime risk as a consumer is that you
do not get what you paid for. As a merchant in the market, your risk is that you don’t get paid for
what you sell. E-commerce merchants and consumers face many of the same risks as participants in
traditional commerce, albeit in a digital environment. Theft is theft, regardless of whether it is digital
theft or traditional theft.

Ust. Mohamed Salad
+252617076666
mohasalad@just.edu.so

To achieve the highest degree of security possible, various technologies are available and should be
used. But these technologies by themselves do not solve the problem. Organizational policies and
procedures are required to ensure the technologies are not subverted. Finally, industry standards
and government laws are required to enforce payment mechanisms, as well as to investigate and
prosecute violators of laws designed to protect the transfer of property in commercial transactions.

Dimensions of E-Commerce Security

There are six key dimensions to e-commerce security:

1. Integrity refers to the ability to ensure that information being displayed on a website, or
transmitted or received over the Internet, has not been altered in any way by an unauthorized
party.
2. Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e.,
repudiate) their online actions.
3. Authenticity refers to the ability to identify the identity of a person or entity with whom you
are dealing on the Internet.
4. Confidentiality refers to the ability to ensure that messages and data are available only to those
who are authorized to view them. Confidentiality is sometimes confused with privacy.
5. Privacy refers to the ability to control the use of information a customer provides about
himself or herself to an e-commerce merchant.
6. Availability refers to the ability to ensure that an e-commerce site continues to function as
intended.

The Tension Between Security and Other Values

✓ Security versus Ease of Use:

There are inevitable tensions between security and ease of use. In general, the more security measures
added to an e-commerce site, the more difficult it is to use and the slower the site becomes.

✓ Public Safety and the Criminal Uses of the Internet:

There is also an inevitable tension between the desires of individuals to act anonymously (to hide their
identity) and the needs of public officials to maintain public safety that can be threatened by criminals
or terrorists.

2. IDENTIFY THE KEY SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT.

From a technology perspective, there are three key points of vulnerability when dealing with e-commerce:

1. The client,
2. The server, and
3. The communications pipeline

Malicious Code

Malicious code (sometimes referred to as “malware”) includes a variety of threats such as viruses,
worms, ransomware, Trojan horses, and bots. Some malicious code, sometimes referred to as an
exploit, is designed to take advantage of software vulnerabilities in a computer’s operating system,
web browser, applications, or other software components.

• Exploit kits are collections of exploits bundled together and rented or sold as a commercial
product, often with slick user interfaces and in-depth analytics functionality.
• A drive-by download is malware that comes with a downloaded file that a user intentionally
or unintentionally requests.
• A virus is a computer program that has the ability to replicate or make copies of itself,
and spread to other files.
• Viruses are often combined with a worm. Instead of just spreading from file to file, a worm
is designed to spread from computer to computer.
• Ransomware is a type of malware (often a worm) that locks your computer or files to stop
you from accessing them.
• A Trojan horse appears to be benign, but then does something other than expected.
• A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely
access a compromised computer.

• Bots (short for robots) are a type of malicious code that can be covertly installed on your
computer when attached to the Internet.
• Botnets are collections of captured computers used for malicious activities such as sending
spam, participating in a DDoS attack or credential stuffing campaign (malicious login
attempts), stealing information from computers, and storing network traffic for later analysis.
• A potentially unwanted program (PUP) is a program that installs itself on a computer, typically
without the user’s informed consent.
• Adware is typically used to call for pop-up ads to display when the user visits certain sites.
• A browser parasite is a program that can monitor and change the settings of a user’s browser.
• Cryptojacking installs a browser parasite that sucks up a computer’s processing power to
mine cryptocurrency without the user’s knowledge or consent.
• Spyware is a program used to obtain information such as a user’s keystrokes, e-mail, instant
messages, and so on.
• Social engineering relies on human curiosity, greed, gullibility, and fear in order to trick
people into taking an action that will result in the downloading of malware.
• Phishing is any deceptive, online attempt by a third party to obtain confidential information
for financial gain.
• A hacker is an individual who intends to gain unauthorized access to a computer system.
Within the hacking community, the term cracker is typically used to denote a hacker with
criminal intent, although in the public press, the terms hacker and cracker tend to be used
interchangeably.
• Cybervandals intentionally disrupt, deface, or even destroy a site.
• Hacktivism is cybervandalism and data theft for political purposes.
• A data breach occurs whenever organizations lose control over corporate information,
including the personal information of customers and employees, to outsiders.
• Credential stuffing is a brute force attack which hackers launch via botnets and automated
tools using known user name and password combinations (referred to as combo lists)
obtained from data breaches.
• Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP
address.

• Pharming is automatically redirecting a web link to an address different from the intended
one, with the site masquerading as the intended destination.
• Spam (junk) websites, also referred to as link farms, promise to offer products or services,
but in fact are just collections of advertisements.
• A sniffer is a type of eavesdropping program that monitors information traveling over a network.
• A man-in-the-middle (MitM) attack also involves eavesdropping but is more active than a
sniffing attack, which typically involves passive monitoring.
• In a Denial of Service (DoS) attack, hackers flood a website with useless pings or page
requests that inundate and overwhelm the site’s web servers.
• A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of
computers to attack the target network from numerous launch points.
• A SQL injection attack takes advantage of poorly coded web application software that fails to
properly validate or filter data entered by a user on a web page.
• A zero-day vulnerability is one that has been previously unreported and for which no
patch yet exists.

Protecting Internet Communications

Encryption is the process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the receiver.

The purpose of encryption is (a) to secure stored information and (b) to secure information
transmission. Encryption can provide four of the six key dimensions of e-commerce security
referred to earlier:

1. Message integrity—provides assurance that the message has not been altered.
2. Nonrepudiation—prevents the user from denying he or she sent the message.
3. Authentication—provides verification of the identity of the person (or computer) sending
the message.
4. Confidentiality—gives assurance that the message was not read by others.

A key (or cipher) is any method for transforming plain text to cipher text.

Substitution cipher: every occurrence of a given letter is replaced systematically by another letter.
Transposition cipher: the ordering of the letters in each word is changed in some systematic way.
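As an added example (not part of the lecture notes), the two classical cipher types just defined implemented in Python, together with a check of what each one still leaves visible in the ciphertext; the key `KEY`, the four-column layout and the plaintext are constructed for this example:

```python
# Added example, not part of the lecture notes: substitution and columnar
# transposition ciphers, and a check of what each leaves visible.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed permutation of A-Z

def substitution_encrypt(plaintext: str, key: str = KEY) -> str:
    """Replace every letter with the letter at the same position in `key`.
    Characters outside A-Z (spaces, digits) pass through unchanged."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of A-Z"
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))

def substitution_decrypt(ciphertext: str, key: str = KEY) -> str:
    return ciphertext.translate(str.maketrans(key, ALPHABET))

def transposition_encrypt(plaintext: str, columns: int) -> str:
    """Columnar transposition: write the letters row by row into `columns`
    columns, then read them out column by column. Spaces are dropped so
    the ciphertext does not reveal word boundaries."""
    text = plaintext.upper().replace(" ", "")
    return "".join(text[i::columns] for i in range(columns))

def transposition_decrypt(ciphertext: str, columns: int) -> str:
    n = len(ciphertext)
    rows, extra = divmod(n, columns)   # first `extra` columns hold one more letter
    out = [""] * n
    pos = 0
    for col in range(columns):
        for row in range(rows + (1 if col < extra else 0)):
            out[row * columns + col] = ciphertext[pos]
            pos += 1
    return "".join(out)

def letter_frequencies(text: str) -> Counter:
    return Counter(c for c in text if c in ALPHABET)

def what_each_cipher_leaks(plaintext: str = "ATTACK AT DAWN") -> dict:
    """Substitution keeps word lengths and repeated-letter patterns (every T
    becomes the same Z); transposition keeps the letter frequencies of the
    plaintext. Either property lets an analyst recover text without the key,
    which is why modern systems use AES rather than these classical ciphers."""
    sub = substitution_encrypt(plaintext)
    trans = transposition_encrypt(plaintext, 4)
    return {
        "substitution_keeps_word_shape":
            [len(w) for w in sub.split()] == [len(w) for w in plaintext.split()],
        "transposition_keeps_frequencies":
            letter_frequencies(trans) == letter_frequencies(plaintext),
    }
```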
Symmetric key cryptography (secret key cryptography): both the sender and the receiver use the
same key to encrypt and decrypt the message.

Data Encryption Standard (DES): developed by the National Security Agency (NSA) and IBM; uses a
56-bit encryption key.

Advanced Encryption Standard (AES): the most widely used symmetric key algorithm, offering 128-,
192-, and 256-bit keys.

Public key cryptography: two mathematically related digital keys are used, a public key and a
private key. The private key is kept secret by the owner, and the public key is widely disseminated.
Both keys can be used to encrypt and decrypt a message. However, once one of the keys has been
used to encrypt a message, that same key cannot be used to decrypt it.
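An added example (not from the notes) that uses a toy RSA key pair to exercise the four dimensions encryption provides and the point that the key used to encrypt cannot undo its own encryption. The fixed Mersenne primes, the helper names and the sample message are assumptions for this example, and textbook RSA without padding is shown only to expose the mechanics.

```python
# Added example, not part of the lecture notes: a textbook RSA key pair used
# to show which security dimensions public key cryptography provides. The
# primes are fixed Mersenne primes chosen for illustration only, and there
# is no padding, so this shows the mechanics and is not a usable cipher.
import hashlib

P = 2**31 - 1   # constructed: small enough to follow, large enough for short messages
Q = 2**61 - 1

def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return (public, private) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)      # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def encrypt(message: bytes, key) -> int:
    """Raise the message (as an integer) to the key exponent mod n."""
    exp, n = key
    m = int.from_bytes(message, "big")
    assert m < n, "message too long for this toy modulus"
    return pow(m, exp, n)

def decrypt(cipher: int, key) -> bytes:
    """Undo encrypt() only when `key` is the other half of the pair."""
    exp, n = key
    m = pow(cipher, exp, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """Signature = hash of the message transformed with the private key,
    which only its owner holds (nonrepudiation)."""
    d, n = private
    return pow(digest(message) % n, d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Anyone with the public key can check who signed and that the message
    was not altered (authentication and integrity)."""
    e, n = public
    return pow(signature, e, n) == digest(message) % n

def dimensions_demo() -> dict:
    public, private = make_keypair()
    order = b"PAY 100 USD"          # constructed sample message
    cipher = encrypt(order, public)
    signature = sign(order, private)
    return {
        # only the private key recovers a message encrypted with the public key
        "confidentiality": decrypt(cipher, private) == order,
        # the key that encrypted cannot decrypt: applying it again gives garbage
        "same_key_cannot_decrypt": decrypt(cipher, public) != order,
        "authentication": verify(order, signature, public),
        "integrity": not verify(b"PAY 900 USD", signature, public),
    }
```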

4. APPRECIATE THE IMPORTANCE OF POLICIES, PROCEDURES, AND LAWS IN CREATING SECURITY.

A Security Plan: Management Policies


The key steps in developing a solid security plan
1. Perform risk assessment
2. Develop security policy
3. Develop implementation plan
4. Create security organization
5. Perform a security audit
A security plan begins with risk assessment—an assessment of the risks and points of vulnerability.
Based on your quantified list of risks, you can start to develop a security policy—a set of
statements prioritizing the information risks, identifying acceptable risk targets, and identifying the
mechanisms for achieving these targets.
The implementation plan consists of the action steps you will take to achieve the security plan goals.
The security organization educates and trains users, keeps management aware of security threats and
breakdowns, and maintains the tools chosen to implement security.
Access controls determine who can gain legitimate access to a network.
Authentication procedures include the use of digital signatures, certificates of authority, public key
infrastructure, and multifactor authentication tools.
Multi-factor authentication (MFA) tools require users to have multiple credentials to verify their
identity.

Two-factor authentication (2FA) is a subset of MFA that requires two credentials, often used in
conjunction with biometrics.
Biometrics is the study of measurable biological or physical characteristics.
A security token is a physical device or software that generates an identifier that can be used in
addition to or in place of a password.
Authorization policies determine differing levels of access to information assets for differing levels
of users.
An authorization management system establishes where and when a user is permitted to access
certain parts of a website.

A security audit involves the routine review of access logs (identifying how outsiders are using the
site as well as how insiders are accessing the site’s assets).
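An added example (not from the notes) of the routine log review a security audit calls for, applied to the credential stuffing pattern defined in the threats section above: one source trying many different accounts with combo-list credentials. The log format, the sample lines and the thresholds are constructed for this example.

```python
# Added example, not part of the lecture notes: reviewing constructed login
# audit records to tell credential stuffing apart from ordinary failed logins.
from collections import defaultdict
import re

# constructed sample log, one attempt per line: "<time> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave FAIL
2024-03-01T10:00:03 203.0.113.7 erin OK
2024-03-01T10:00:04 203.0.113.7 frank FAIL
2024-03-01T10:05:00 198.51.100.4 alice FAIL
2024-03-01T10:05:10 198.51.100.4 alice FAIL
2024-03-01T10:05:20 198.51.100.4 alice FAIL
2024-03-01T10:05:30 198.51.100.4 alice OK
2024-03-01T10:06:00 192.0.2.9 grace OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log: str):
    """Yield (time, ip, user, result); lines that do not fit the format are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groups()

def review(log: str, min_accounts: int = 5, min_failures: int = 3) -> dict:
    """Group attempts by source IP. One source failing across many different
    accounts matches the combo-list pattern of credential stuffing; repeated
    failures on a single account look like a user (or a guesser) retrying one
    password. Any account that succeeded from a stuffing source is listed as
    likely compromised so it can be reset."""
    attempts = defaultdict(list)
    for _, ip, user, result in parse(log):
        attempts[ip].append((user, result))
    findings = {}
    for ip, rows in attempts.items():
        failed_users = {u for u, r in rows if r == "FAIL"}
        failures = sum(1 for _, r in rows if r == "FAIL")
        if len(failed_users) >= min_accounts:
            compromised = sorted({u for u, r in rows if r == "OK"})
            findings[ip] = ("credential_stuffing", compromised)
        elif failures >= min_failures:
            findings[ip] = ("password_guessing", sorted(failed_users))
    return findings
```

Because the notes describe stuffing as launched through botnets, a fuller review also groups by account across many source addresses; the per-IP view here is the first pass an auditor would run.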

THE ROLE OF LAWS AND PUBLIC POLICY

The public policy environment today is very different from the early days of e-commerce.

• The net result is that the Internet is no longer an ungoverned, unsupervised, self-controlled
technology juggernaut.
• Voluntary and private efforts have played a very large role in identifying criminal hackers and
assisting law enforcement.
• Since 1995, as e-commerce has grown in significance, national and local law enforcement
activities have expanded greatly.
• New laws have been passed that grant national, state, and local authorities new tools and
mechanisms for identifying, tracing, and prosecuting cybercriminals.

5. IDENTIFY THE MAJOR E-COMMERCE PAYMENT SYSTEMS IN USE
TODAY.
For the most part, existing payment mechanisms such as cash, credit cards, debit cards, checking
accounts, and stored value accounts have been able to be adapted to the online environment.
In addition, new types of purchasing relationships, such as between individuals online, and new
technologies, such as the development of the mobile platform, have also created both a need and an
opportunity for the development of new payment systems.
MAJOR TRENDS IN E-COMMERCE PAYMENTS 2020–2021
• Payment by credit and/or debit card remains the dominant form of online payment.
• Online payment volume surges in early 2020 due to the Covid-19 pandemic.
• Mobile retail adoption and payment volume skyrockets.
• PayPal remains the most popular alternative payment method online.
• Apple, Google, and Samsung extend their reach in mobile payment apps.
• Growing convergence in the online payments marketplace: large banks enter the mobile
wallet and P2P payments market with apps such as Zelle, while Apple introduces a credit
card and Google announces a plan to offer checking accounts.
• Mobile P2P payment systems such as Venmo, Zelle, and Square Cash take off. Most mobile
wallets also offer P2P payments.
ONLINE CREDIT CARD TRANSACTIONS
Online credit card transactions are processed in much the same way that in-store purchases are, with
the major differences being that online merchants never see the actual card being used, no card
impression is taken, and no signature is available.
A merchant account is simply a bank account that allows companies to process credit card
payments and receive funds from those transactions.
There are five parties involved in an online credit card purchase:
1. Consumer,
2. Merchant,
3. Merchant bank (sometimes called the “acquiring bank”),
4. Clearing house, and
5. The consumer’s card issuing bank.

PCI-DSS Compliance
The PCI-DSS (Payment Card Industry-Data Security Standard) is a global data security standard
instituted by the five major credit card companies (Visa, MasterCard, American Express, Discover,
and JCB).
Limitations of Online Credit Card Payment Systems
There are a number of limitations to the existing credit card payment system. The most important
limitations involve security, merchant risk, administrative and transaction costs, and social
equity.
ALTERNATIVE ONLINE PAYMENT SYSTEMS
The limitations of the online credit card system have opened the way for the development of a
number of alternative online payment systems.

Chief among them is PayPal, which was purchased by eBay in 2002 and then spun off as an
independent company again in 2015. PayPal is an example of an online stored value payment
system, which permits consumers to make online payments to merchants and other individuals
using their bank account or credit/debit cards.

MOBILE PAYMENT SYSTEMS: YOUR SMARTPHONE WALLET

Mobile payment systems are the fastest growing component of alternative payments.

There are three primary types of mobile wallet apps:

1. Universal proximity wallets: such as Apple Pay, Google Pay, and Samsung Pay, that can
be used at a variety of merchants for point-of-sale transactions if the merchant supports that
service (e.g., has an Apple merchant app and can accept such payments), are the most-well
known and common type.
2. Branded store proximity wallets: are mobile apps that can be used only at a single
merchant. For instance, Walmart, Tesco, and Starbucks all have very successful mobile wallet
apps.
3. P2P apps: such as Venmo and Square Cash, are used for payments among individuals who
have the same app.

Quick Response (QR) code technology uses a mobile app to generate a two-dimensional code that
the merchant scans, enabling the payment amount to be deducted from the customer’s mobile wallet.

BLOCKCHAIN AND CRYPTOCURRENCIES

Blockchain is a technology that enables organizations to create and verify transactions on a
network nearly instantaneously without a central authority.

Why Blockchain?

Traditionally, organizations maintained their own transaction processing systems on their own
databases, and used this record of transactions to keep track of orders, payments, production
schedules, and shipping. A blockchain system is a transaction processing system that operates on a
distributed and shared database (called a peer-to-peer or P2P computer network) rather than a single
organization’s database.

6. DESCRIBE THE FEATURES AND FUNCTIONALITY OF ELECTRONIC BILLING PRESENTMENT AND PAYMENT SYSTEMS.

Electronic billing presentment and payment (EBPP) systems are systems that enable the
online delivery and payment of monthly bills. EBPP services allow consumers to view bills
electronically using either their desktop PC or mobile device and pay them through electronic funds
transfers from bank or credit card accounts.

EBPP BUSINESS MODELS

There are four EBPP business models:

1. Online banking,
2. Biller-direct,
3. Mobile, and
4. Consolidator.
