E-Commerce Transactions and Shopping Cart

Presentation transcript:

E-Commerce Transactions and Shopping Cart
ERDEM OZDEN
INBS 510
ANNA STORY
APRIL 16, 2002

Online Credit Card Fraud Stats
Global online purchases will reach $310 billion in 2005.
Online credit card fraud will cost $9 billion in 2001.
Widespread use of anti-fraud technology will reduce online payment fraud to $5.7 billion by 2005, from a potential $15.5 billion.
Fraud was 19 times higher online than at brick-and-mortar stores in 2001.
Source: Meridien Research

How Consumers View Authentication
47% are now comfortable with registering on web sites by providing personal information.
80% said they would be open to additional authentication measures to make online purchases more secure.
50% said they would be open to using a personal identification number (PIN).
32% said they would be willing to type in a portable password created by a credit card company.
42% said they are “annoyed” at having to remember different passwords for different sites.
Source: Jupiter Media Metrix

SHOPPING CYCLE
Online Store: The merchant sets up an online store.
Bank Account: The merchant registers with a bank to authorize transactions.
Product Selection: Customers browse products by product category, or by text search.
Shopping Cart: Customers view and change the contents of their shopping cart.
Customer Registration: Registration is needed when customers make a purchase.
Check Out: The customer may verify or change items, and then proceed with their purchase.
Credit Card Authorization: The customer submits credit card information for authorization.
Order Processing: After credit card authorization, the merchant sends the product.

Online Credit Card Transaction
1. Shopping Cart: Customer proceeds to check out.
2. Calculate Totals: Shipping and tax are added for the total amount.
3. Get User Info: Customer’s address and telephone information.
4. Enter Credit Card Information: Customer’s credit card information.
5. Enough Funds? Yes: the card is authorized, process the order and e-mail the customer. No: the card is refused (failed), e-mail the customer and get a new credit card.

SHOPPING SERVICES
One-click Buy: Credit card data is stored in a database and used for instant purchases.
Personalization: Some merchants offer personalized services, such as special offers and recommendations, for registered customers.
Order Tracking: Customers monitor order status by using the order ID.
Save Your Cart: Customers save their cart and complete the transaction at a later date.
E-mail Verification: Customers receive e-mails about news, special events, recommendations, and the recent order.

SHOPPING CARTS
Keep the process simple.
Include tax and shipping costs to display the exact charges.
Tell customers how many steps are involved.
Add the gift option before the checkout.
Put policy information in pop-up windows.
Don’t force registration. Customers lose patience fast.
Offer multiple shipping options.
Limit the checkout process to five to six steps.

Personalization (flowchart)
Homepage: Cookie? Yes: Retrieve Preferences. No: User Selects New or Returning User.
Returning user: User Enters ID and Password, Database, Cookie Set, Return Homepage.
New user: User Enters User Information, Database, User Exists? (Yes / No), Register, Create Personal Page, Cookie Set, Return Homepage.

CHARGE-BACK
Parties: Cardholder, Issuer Bank, Acquirer Bank, Merchant Account.
1. Cardholder calls the Issuer Bank about fraud.
2. Issuer Bank calls the Acquirer Bank.
3. Acquirer Bank debits the merchant account. It may add a penalty or cancel the agreement.
4. Issuer Bank credits the cardholder.

FRAUD
Lower consumer confidence.
Higher cost of transactions and loss of revenue for merchants.
Higher costs of services for financial institutions.
Image damage to the credit card companies and issuers.
“Charge-back fraud has slowed the growth of e-commerce…Nothing is going to happen until credit card companies can positively authenticate every consumer buying from a website.” Theodore Iacobuzio, Senior Analyst, TowerGroup

SECURITY THREAT
Employee Theft: Employee steals data. This is the largest threat, as organizations usually don’t focus on employee theft, and it is the most difficult problem for organizations. Help desk operators and system administrators have access to personal data, which makes it hard to implement a security policy.
Trojan Horse: Can be used for snooping. Typically a program that diverts information or has some additional functions. Frequently used in a virus attack.
Hacking: Breaking into a system. Frequently, Trojan horses or other programs are left lying around so the hacker can return to the server using some other method.
Social Engineering: Hackers act like a network engineer and ask for a password. This is the largest problem.
Reverse Engineering: The victim calls the hacker for help. When a computer is disabled, a new sign appears saying to call a telephone number for IT help, and the employee calls the hacker.
Buffer Overflow: Cause an overflow condition. May grant root access.
Cracking: Breaking into a system to steal things.
Password Fishing: Trying to log into a system by attempting common passwords.
Snooping: Use of a software program to intercept data.
Application Attack: Force the application to fall over and acquire ‘root’ access to the system.

Secure Electronic Transaction (SET)
Developed by Visa and MasterCard.
Certificate-based system.
Digital signatures replace handwritten signatures.
Cardholder software is required.
Digital certificates are installed on the consumer’s PC.
Expensive.
Complex structure.
Because of its complexity and cost, SET usage was limited.

Secure Sockets Layer (SSL)
Created by Netscape.
Simple to implement.
Implemented in Transport Layer (TLS).
Supported by most browsers and Web servers.
Widely used in Web transactions.
Uses digital certificates.

Secure Sockets Layer (SSL): exchange between BROWSER and SERVER
1. Browser sends an SSL request message.
2. Server responds by sending its certificate.
3. Browser verifies that the certificate is valid.
4. Browser sends a one-time session key.
5. Server decrypts the message with its private key.
6. Browser and server exchange data with symmetric encryption.

Web Server Certificates
The certificate, which contains the Web server’s public key, will be used by the browser to:
Authenticate the identity of a Web site.
Encrypt information for the server using SSL.

Certification Authority (CA) Certificates
CA certificates are issued by a trusted third party called a Certification Authority (CA).
The CA validates the certificate holders’ identity.
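The six handshake steps and the certificate check above, as an added example that is not part of the original slides. It uses textbook RSA without padding and a hash-based XOR stream as teaching stand-ins for the real ciphers; the keys, host names and payload are constructed.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def toy_keypair(p: int, q: int) -> tuple[int, int]:
    """Textbook RSA from two known primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def xor_stream(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    kb = key.to_bytes(32, "big")
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(kb + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

CA_N, CA_D = toy_keypair(2**107 - 1, 2**127 - 1)   # constructed CA key
SRV_N, SRV_D = toy_keypair(2**61 - 1, 2**89 - 1)   # constructed server key

def issue_cert(subject: str, pub_n: int) -> dict:
    """The CA signs the binding between a site name and its public key."""
    body = f"{subject}|{pub_n}".encode()
    return {"subject": subject, "n": pub_n,
            "sig": pow(digest(body, CA_N), CA_D, CA_N)}

def browser_verify(cert: dict, host: str) -> bool:
    """Step 3: the CA signature must verify and the subject must be the host."""
    body = f"{cert['subject']}|{cert['n']}".encode()
    return cert["subject"] == host and pow(cert["sig"], E, CA_N) == digest(body, CA_N)

def handshake(host: str, cert: dict, server_d: int, payload: bytes):
    """Steps 1-6; returns what the server recovers, or None if step 3 fails."""
    if not browser_verify(cert, host):               # steps 1-3
        return None
    session_key = secrets.randbits(128)              # step 4: one-time key,
    wrapped = pow(session_key, E, cert["n"])         # sent under the server's public key
    server_key = pow(wrapped, server_d, cert["n"])   # step 5: private-key decrypt
    ciphertext = xor_stream(session_key, payload)    # step 6: symmetric exchange
    return xor_stream(server_key, ciphertext)

if __name__ == "__main__":
    cert = issue_cert("shop.example", SRV_N)
    print(handshake("shop.example", cert, SRV_D, b"constructed order data"))
    print(handshake("other.example", cert, SRV_D, b"constructed order data"))
```

The second call returns None because the certificate's subject does not match the host being visited, which is the identity check the browser performs before any session key is sent.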

Visa Payer Authentication Service (VPAS)
New payer authentication service from VISA.
Based on a protocol known as 3-D Secure.
Announced in 2001.
“3-D” refers to the three domains: Issuers, Acquirers, Transaction Communication.

How VPAS Works
Parties: Cardholder, Merchant, Card Association Directory (CAD), Issuer Access Control Server (ACS).
1. Cardholder selects ’buy’.
2. Merchant queries Visa for account data.
3. Visa checks CAD for customer data.
4. Issuer ACS validates password, digitally signs response, transmits copy to Authentication History Server.
5. Merchant verifies signature, and sends authorization request.

MasterCard Secure Payment Application (SPA)
MasterCard’s security solution.
It requires participation by the card issuer and the merchant.
Cardholder has to download a wallet application from the issuer.
Deployment of SPA will be through server-based electronic wallets.
Wallet will automatically fill out payment information on the online order form.
Includes a unique cardholder authentication value for each transaction.
Scheduled for the second quarter of 2002.

Address Verification Service (AVS)
Designed for mail-order and telephone order environments.
Checks first 4 numeric digits of address and zip code.
Merchant receives response codes, detailing degree of match.
AVS does not guarantee charge-back protection.
Data used is not always current.
Only used in U.S., U.K., Germany, Austria and Switzerland.
May result in false rejection of valid orders.
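The AVS comparison described above, as an added example that is not part of the original slides. The result labels, the 5-digit US ZIP handling and the sample orders are assumptions constructed for illustration; processors return their own response codes.

```python
import re

# Result labels are constructed for this example, not a processor's real codes.
FULL, ADDRESS_ONLY, ZIP_ONLY, NO_MATCH = "full", "address_only", "zip_only", "none"

def avs_key(street: str, zip_code: str) -> tuple[str, str]:
    """Reduce an address to what the slide says AVS compares: the first
    4 numeric digits of the address, plus the zip code (assumed here to be
    the first 5 digits of a US ZIP, so ZIP+4 input still compares)."""
    addr_digits = "".join(re.findall(r"\d", street))[:4]
    zip_digits = "".join(re.findall(r"\d", zip_code))[:5]
    return addr_digits, zip_digits

def avs_check(submitted: tuple[str, str], on_file: tuple[str, str]) -> str:
    """Compare checkout input with the issuer's record; return degree of match."""
    s_addr, s_zip = avs_key(*submitted)
    f_addr, f_zip = avs_key(*on_file)
    addr_ok = bool(s_addr) and s_addr == f_addr   # empty never counts as a match
    zip_ok = bool(s_zip) and s_zip == f_zip
    if addr_ok and zip_ok:
        return FULL
    if addr_ok:
        return ADDRESS_ONLY
    return ZIP_ONLY if zip_ok else NO_MATCH

# Constructed orders, all from legitimate cardholders:
# (label, address typed at checkout, address in the issuer's record)
ORDERS = [
    ("same address, different spelling",
     ("1420 Elm Street", "60614-1234"), ("1420 ELM ST", "60614")),
    ("unit number typed first",
     ("Apt 4, 120 Main St", "98101"), ("120 Main St Apt 4", "98101")),
    ("moved, issuer record stale",
     ("88 Oak Lane", "30301"), ("15 Pine Rd", "10001")),
]

def review(orders, accept=frozenset({FULL})):
    """Return each order's AVS result and the valid orders the policy rejects."""
    results = {label: avs_check(sub, rec) for label, sub, rec in orders}
    rejected = [label for label, r in results.items() if r not in accept]
    return results, rejected

if __name__ == "__main__":
    results, rejected = review(ORDERS)
    for label, result in results.items():
        print(f"{label:35s} -> {result}")
    print("rejected under a full-match-only policy:", rejected)
```

Two of the three valid orders fail a full-match-only policy, one from digit ordering and one from out-of-date issuer data, which is why merchants treat the degree of match as one input rather than a final decision.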