E-Business Systems Architecture Ahmed Salah

Slide 1
E-Business Systems Architecture
Ahmed Salah, ahmed.salah@mcit.gov.eg

Slide 2
• E-commerce architecture
• Three-tier client/server architecture
• Peer-to-peer architecture
• Basic security issues
• E-payment systems

Slide 3
Diagram: three-tier architecture. Tier 1: Customer, Web Browser; HTTP; Tier 2: Seller, Web-Application Server; Tier 3: Data Server with Product Data bank and Customer Data bank.
• First tier: user system interface where user services (such as session, text input, dialog, and display management) reside.
• Middle tier: application that controls transactions and shares business logic, computations, and a data retrieval engine.
• Third tier: database management server.

Slide 4
Diagram: the same three tiers as Slide 3, with Tier 2 split into a Web Server and an Application Server.

Slide 5
Diagram: the three tiers labelled by role. Tier 1 Presentation (Web Browser); Tier 2 Application logic (Web Server, Web application); Tier 3 Data (Data Server with Product Data bank and Customer Data bank).

Slide 6
• Create a Web site including an order form
• Web site can e-mail or fax orders
• Process orders and payments offline
• Fast, easy, and cheap to set up
• Data is not secure
Diagram: Client sends Orders to Server

Slide 7
• Convert to a Merchant Server (storefront)
• Get a server certificate for SSL
• Sign up with a Payment Gateway
Diagram: Client Browser sends Orders to Merchant Server, which connects to a Payment Gateway

Slide 8
Diagram: Web-Application Server running Catalog Page Generation and Order Data Capture, backed by Static Web pages, Catalog data, Order data and Credit Card Info.

Slide 9
Systems are more complicated:
• Separate applications by function
  ▪ Catalog
  ▪ Content management
  ▪ Transaction processing
• Split implementations for security

Slide 10
Diagram: Web Server (Static Web pages) in front of an Application Server hosting Catalog Application, Customer Mgmt., Order Capture, Order Processing, Payment Processing, Fulfillment, Customer Service and Data Mgmt., over Catalog database, Customer data, Order data and Payment data.

Slide 11
• Products (physical or digital) / services
• Website, catalog, content management
• Marketing
• Getting orders
• Payment
• Fulfillment
• Customer services
• Integration

Slide 12
Table of the four customer-lifecycle stages:
• Attract: Marketing
• Interact: Generate and keep customer interest (catalog sales, content mgmt.)
• Act: Convert interest to orders (order capture, payment)
• React: Manage orders, service customers (fulfillment, after-sale services, order tracking)
• Web site design

Slide 13
“On the Internet, no one knows you’re a dog!”

Slide 14
• Authentication: how do the sender and receiver prove their identities?
• Authorization: when and which users can gain access to parts of the system.
• Integrity: assure that information is not altered or corrupted.
• Privacy and confidentiality: assure that your information is not shared without your knowledge.

Slide 15
• Passwords
• Firewall
• Cryptography: mathematics-based methods to encrypt and decrypt data.
  ▪ Secret key or symmetric encryption (algorithms: DES, Triple DES, AES)
  ▪ Public key or asymmetric encryption (algorithm: RSA)
  ▪ Digital signature, digital certificate (authentication techniques based on encryption)
  ▪ Protocols: SSL (Secure Sockets Layer), SET (Secure Electronic Transaction)

Slide 16
• Evaluate risks and identify:
  ▪ Resources to protect: information, programs, etc.
  ▪ Legitimate access requirements
  ▪ Threats and types of attacks
  ▪ Access paths to protect: Internet, dial-up ports, physical, etc.

Slide 17
• Paying with credit cards online
• Consumers were extremely reluctant to use their credit card numbers on the Web
• This is changing because:
  ▪ Many people are more aware of the security measures that should be taken to avoid fraud.
  ▪ 85% of the transactions that occur on the Web are B2B rather than B2C (credit cards are rarely used in B2B transactions)

Slide 18
• Four parties involved in e-payments:
• Issuer
  ▪ Customers must obtain e-payment accounts from an issuer
  ▪ Issuers are usually involved in authenticating a transaction and approving the amount involved
• Customer/payer/buyer
• Merchant/payee/seller
• Regulator

Slide 19
• The key issue of trust must be addressed
• PAIN
  ▪ Privacy
  ▪ Authentication and authorization
  ▪ Integrity
  ▪ Nonrepudiation
• Characteristics of successful e-payment methods
  ▪ Interoperability and portability
  ▪ Security
  ▪ Ease of use
  ▪ Transaction fees

Slide 20
• Public key infrastructure (PKI): a scheme for securing e-payments using public key encryption and various technical components
• Foundation of many network applications:
  ▪ Supply chain management
  ▪ Virtual private networks
  ▪ Secure e-mail
  ▪ Intranet applications

Slide 21
• Public key encryption
• Encryption (cryptography): the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time consuming for an unauthorized person to unscramble (decrypt).

Slide 22
• All encryption has four basic parts:
  ▪ Plain text: an unencrypted message in human-readable form
  ▪ Cipher text: a plaintext message after it has been encrypted into unreadable form
  ▪ Encryption algorithm: the mathematical formula used to encrypt the plaintext into ciphertext and vice versa
  ▪ Key: the secret code used to encrypt and decrypt a message

Slide 23
• Two major classes of encryption systems:
• Symmetric (private key)
  ▪ Used to encrypt and decrypt plain text
  ▪ Shared by sender and receiver of the text
• Asymmetric (public key)
  ▪ Uses a pair of keys
  ▪ Public key to encrypt the message
  ▪ Private key to decrypt the message

Slide 24
• Public key encryption: method of encryption that uses a pair of keys
  ▪ a public key to encrypt a message and a private key (kept only by its owner) to decrypt it, or vice versa
• Private key: secret encryption code held only by its owner
• Public key: encryption code that is publicly available to anyone

Slide 28
• Digital signature: an identifying code that can be used to authenticate the identity of the sender of a message or document
• Used to:
  ▪ Authenticate the identity of the sender of a message or document
  ▪ Ensure the original content of the electronic message or document is unchanged

Slide 29
Digital signatures: how they work
1. Create an e-mail message with the contract in it
2. Using special software, you “hash” the message, converting it into a string of digits (message digest)
3. You use your private key to encrypt the hash; the encrypted hash is your digital signature

Slide 30
4. E-mail the original message along with the encrypted hash to the receiver
5. The receiver uses the same special software to hash the message they received
6. The receiver uses your public key to decrypt the message hash that you sent. If their hash matches the decrypted hash, the message is valid
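The six steps above carried through in code, as an added example that is not from the slides: SHA-256 is the hash, and a constructed textbook RSA key pair built from two fixed primes stands in for the “special software”, with sign() covering steps 2–3 and verify() covering steps 5–6. The fixed primes and the lack of a padding scheme are simplifications for illustration, not how a production key is made.

```python
import hashlib

# Constructed toy RSA key pair (example only, not from the slides). Both
# factors are Mersenne primes so no key-generation library is needed;
# a real key uses random primes of equal size and a padding scheme (PSS).
P = (1 << 521) - 1
Q = (1 << 127) - 1
N = P * Q                              # public modulus, ~648 bits
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the owner


def message_digest(message: bytes) -> int:
    """Steps 2 and 5: hash the message into a fixed-size digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exp: int = D) -> int:
    """Step 3: 'encrypt' the digest with the sender's private key."""
    return pow(message_digest(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Step 6: 'decrypt' the signature with the public key and compare it
    with a fresh digest of the received message."""
    return pow(signature, public_exp, N) == message_digest(message)


if __name__ == "__main__":
    contract = b"I agree to buy 100 units at 5 EGP each."   # constructed message
    sig = sign(contract)                                      # step 3, sent with step 4
    print(verify(contract, sig))                              # True: untouched message
    print(verify(contract.replace(b"100", b"1000"), sig))     # False: content altered
```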

Slide 31
• Digital certificate: verification that the holder of a public or private key is who he or she claims to be
• Certificate authorities (CAs): third parties that issue digital certificates
Example certificate shown on the slide:
  Name: “Richard”
  Key-exchange key:
  Signature key:
  Serial #: 29483756
  Other data: 10236283025273
  Expires: 6/18/04
  Signed: CA’s signature

Slide 32
• Secure Sockets Layer (SSL): protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality
• Transport Layer Security (TLS): as of 1996, another name for the Secure Sockets Layer protocol

Slide 33
• Payment cards: electronic cards that contain information that can be used for payment purposes
  ▪ Credit card: provides the holder with credit to make purchases up to a limit fixed by the card issuer
  ▪ Charge card: the balance on a charge card is supposed to be paid in full upon receipt of the monthly statement
  ▪ Debit card: the cost of a purchase is drawn directly from the holder’s checking account (demand-deposit account)

Slide 34
• The players
  ▪ Cardholder
  ▪ Merchant (seller)
  ▪ Issuer (your bank)
  ▪ Acquirer (merchant’s financial institution; acquires the sales slips)
  ▪ Card association (VISA, MasterCard)
  ▪ Third-party processors (outsourcers performing the same duties formerly provided by issuers, etc.)

Slide 36
• Credit card gateway: an online connection that ties a merchant’s systems to the back-end processing systems of the credit card issuer
• Virtual credit card: an e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers

Slide 37
• Security risks with credit cards
  ▪ Stolen cards
  ▪ Repudiation by the customer: authorizes a payment and later denies it
  ▪ Theft of card details stored on the merchant’s computer: isolate the computer storing the information so it cannot be accessed directly from the Web

Slide 38
• Purchasing cards: special-purpose payment cards issued to a company’s employees to be used solely for purchasing specific materials and services up to a preset dollar limit

Slide 39
• Benefits of using purchasing cards
  ▪ Productivity gains
  ▪ Bill consolidation
  ▪ Preferred pricing
  ▪ Management reports
  ▪ Control

Slide 41
• Smart card: an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card

Slide 42
• Categories of smart cards
  ▪ Contact card: a smart card containing a small gold plate on the face that, when inserted in a smart-card reader, makes contact and so passes data to and from the embedded microchip
  ▪ Contactless (proximity) card: a smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device

Slide 43
• Securing smart cards
  ▪ Theoretically, it is possible to “hack” into a smart card
    ▪ Most cards can now store the information in encrypted form
    ▪ The same cards can also encrypt and decrypt data that is downloaded to or read from the card
  ▪ The cost to the attacker of doing so far exceeds the benefits

Slide 44
• Important applications of smart card use:
  ▪ Financial
  ▪ Information technology
  ▪ Health and social welfare
  ▪ Transportation
  ▪ Identification

Slide 45
• E-cash: the digital equivalent of paper currency and coins, which enables secure and anonymous purchases
• Micropayments: small payments, usually under $10

Slide 46
• Mobile payments
  ▪ Vodafone “m-pay bill”: system that enables wireless subscribers to use their mobile phones to make their payments
  ▪ Qpass (qpass.com): charges to a Qpass account are charged to a specified credit card on a monthly basis

Slide 47
• Loyalty programs online
  ▪ B2C sites spend hundreds of dollars acquiring new customers
  ▪ Payback only comes from repeat customers, who are likely to refer other customers to a site
• Electronic scrip: a form of electronic money (or points), issued by a third party as part of a loyalty program; can be used by consumers to make purchases at participating stores

Slide 48
• Person-to-person (P2P) payments: e-payment schemes (such as paypal.com) that enable the transfer of funds between two individuals
  ▪ Repaying money borrowed
  ▪ Paying for an item purchased at an online auction
  ▪ Sending money to students at college
  ▪ Sending a gift to a family member

Slide 49
• Letter of credit (LC): a written agreement by a bank to pay the seller, on account of the buyer, a sum of money upon presentation of certain documents

Slide 50
• Benefits to sellers
  ▪ Credit risk is reduced
  ▪ Payment is highly assured
  ▪ Political/country risk is reduced
• Benefits to buyers
  ▪ Allows the buyer to negotiate for a lower purchase price
  ▪ The buyer can expand its source of supply
  ▪ Funds are withdrawn from the buyer’s account only after the documents have been inspected by the issuing bank

Slide 51
• E-check: the electronic version or representation of a paper check
  ▪ Eliminates the need for expensive process reengineering and takes advantage of the competency of the banking industry
  ▪ eCheck Secure (from vantaguard.com) and checkfree.com provide software that enables the purchase of goods and services with e-checks
  ▪ Used mainly in B2B

Slide 52
• Choose a successful EB site:
  ▪ Can you describe how the site is secured?
  ▪ Describe the website’s e-payment system

