The merchant e-business model is the online version of your local store. If you can name it, you can find an online store selling it. Some of these businesses run a brick-and-mortar store alongside their Internet store, but the great majority are solely online.
They accept online payment methods and ship the merchandise to the customer, or they use a third-party online shipping and warehousing service. These companies warehouse and ship goods directly to the customer on the merchant's behalf, meaning no product handling or postage for the merchant.
knowledge, and will use e-commerce business models, other than their specialized information, to create revenue.
Security in E-Commerce
authentication: sender and recipient must prove their identities to each other.
What about authentication? How does a customer know that the website receiving sensitive information has not been set up by some other party posing as the e-merchant? The browser checks the site's digital certificate. This is a digital document issued by a CA (certification authority: VeriSign, Thawte, etc.) that binds the merchant's public key to the merchant's domain name, so that only the holder of the matching private key can complete a connection under that name. Digital certificates are sold for e-mail, e-merchants and web servers.
Transactions
Sensitive information has to be protected through at least three transactions:
1. Credit card details supplied by the customer, either to the merchant or to the payment gateway. Protected by the server's SSL connection and the merchant/server's digital certificate.
2. Credit card details passed to the bank for processing. Protected by the complex security measures of the payment gateway.
3. Order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Protected by SSL, server security and digital certificates (and sometimes by the payment gateway).
Note that SSL protects the data only while it travels; card details that the merchant stores on its own server are only as safe as that server.
The SSL certificate is issued to the server by a certificate authority whose root certificate is shipped in the trust store of the shopper's browser or operating system; no government authorization is involved. When a request is made from the shopper's browser to the site's server using https://..., the browser checks whether the certificate the site presents chains to one of those trusted roots, names the host in the URL and has not expired. If the site's certificate is not recognized by a trusted certificate authority, the browser issues a warning, as shown. As an end-user, you can determine whether you are on an SSL connection by checking your browser. For example, in Mozilla Firefox, the padlock icon appears at the top, in the URL entry field.
Secure Sockets Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser authenticates the server from its certificate and runs a handshake in which the two sides agree on a session key. On subsequent requests to the server, the information flowing back and forth is encrypted under that session key, so that an attacker sniffing the network cannot read the contents. SSL itself is obsolete and disabled in current browsers; its successor, TLS, follows the same design, and the name "SSL certificate" has simply stuck.
SSL, short for Secure Sockets Layer, is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys, a public key known to everyone and a private or secret key known only to the server, to authenticate the server and agree on a session key; the data itself is then encrypted with that session key. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.
Each SSL certificate is bound to a key pair. The public key is embedded in the certificate and is used to encrypt information; the private key stays on the server, is never sent to the browser, and is used to decipher it. When a Web browser points to a secured domain, a Secure Sockets Layer handshake authenticates the server (Web site) and, if the server asks for a client certificate, the client (Web browser) as well. An encryption method is negotiated, a unique session key is established and secure transmission can begin. The strength of that encryption (128-bit, for example) is determined by the cipher suite the browser and server negotiate, not by the certificate itself, so a "128-bit SSL certificate" is a marketing description rather than a property of the certificate.
How Authentication Works
Imagine receiving an envelope with no return address and a form asking for your bank account number. Every VeriSign SSL certificate is created for a particular server in a specific domain for a verified business entity. When the SSL handshake occurs, the browser requires authentication information from the server. By clicking the closed padlock in the browser window or certain SSL trust marks (such as the VeriSign Secured Seal), the Web site visitor sees the authenticated organization name. In high-security browsers of the time, the authenticated organization name was prominently displayed and the address bar turned green when an Extended Validation SSL certificate was detected; major browsers dropped the green bar in 2019, and the organization name is now visible only in the certificate details. If the information does not match or the certificate has expired, the browser displays an error message or warning.
organizational identity. The high-security Web browser's address bar turns green and reveals the name of the organization that owns the SSL certificate and the certificate authority that issued it. VeriSign SSL Certificates with Extended Validation are marketed on exactly this point: a vetted organization name gives Web site visitors a second identity check, on top of the domain name, for establishing trust online.
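The certificate and host-name checks described above, written out with Python's ssl module, as an added example that is not part of the original page. The strict context does what a browser effectively does before it shows the padlock; the second context is the common "disable verification" setting, shown for contrast because it turns the browser's warning into silent acceptance of an impostor. The function and parameter names are this example's own, and peer_identity needs network access to whatever host you pass it.

```python
"""Added example, not from the page: the checks a browser makes before it
shows the padlock, expressed with Python's ssl module, next to the 'disable
verification' setting that turns the warning into silent acceptance."""
import socket
import ssl


def browser_like_context() -> ssl.SSLContext:
    """Require a certificate that chains to a root in the platform trust store,
    check that its name matches the host in the URL, and refuse SSL/TLS < 1.2."""
    ctx = ssl.create_default_context()  # loads the OS / Python CA bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unsafe_context() -> ssl.SSLContext:
    """The common 'make the warning go away' setting: any certificate, for any
    name, from any issuer is accepted, so an impostor site with a self-signed
    certificate looks identical to the real merchant.  Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def rejects_impostors(ctx: ssl.SSLContext) -> bool:
    """True when the handshake aborts on an untrusted chain or a name mismatch
    (the browser warning with no 'proceed anyway' button)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def minimum_protocol(ctx: ssl.SSLContext) -> str:
    """Name of the oldest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def peer_identity(host: str, port: int = 443) -> dict:
    """Connect with the strict context and return what the padlock shows: the
    certificate's subject, its issuer (the CA) and the expiry date.
    Raises ssl.SSLCertVerificationError when the chain is untrusted, the name
    does not match or the certificate has expired.  Needs network access."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with browser_like_context().wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
                "protocol": tls.version(),
            }
```

peer_identity("www.example.com") returns the subject, issuer and expiry that the padlock dialog would show, or raises the verification error that corresponds to the browser warning. Making the same call through unsafe_context() would succeed against any impostor holding a self-signed certificate for that name, which is precisely the check the text says the customer relies on.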
encrypts, the other key of the pair can decrypt. The key pair (for RSA) is derived from two large prime numbers, and the length of the keys in bits determines how hard it is to decrypt a message without the private key. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can send you an encrypted message that only you will be able to decrypt, because you are the only one who holds the other key of the pair. Conversely, you can prove that a message comes from you by signing it with your private key: only the associated public key will verify the signature correctly. Beware: in this case the message is not kept secret, you have only signed it, and everybody has the public key, remember!
One problem that remains is knowing the public key of your correspondent. Usually you will ask them to send you a non-confidential signed message that contains their public key together with a certificate, and you check that certificate against a CA you already trust before relying on the key.
Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message
other parties finding out what that key is. However, the fact that it must be shared between both parties opens the door to a third party intercepting the key while it is exchanged. This type of encryption is called symmetric encryption, while public key encryption is known as asymmetric encryption.
A "key" is simply a secret value, a large number usually stored as text, that parameterizes the algorithm used to encode or decode the data. In public key encryption, a key pair is generated using an encryption program and the pair is associated with a name or e-mail address. The public key can then be made public by posting it to a key server, a computer that hosts a database of public keys. Alternatively, the public key can be shared selectively by e-mailing it to friends and associates. Those who possess your public key can use it to encrypt messages to you. Upon receiving the encrypted message, you use your private key to decrypt it.
Public key encryption is especially useful for keeping e-mail private. Messages stored on mail servers, which can persist for years, will be unreadable, and messages in transit will also be unreadable. This degree of privacy may sound excessive until one realizes the open nature of the Internet. Sending e-mail unencrypted is akin to making it public for anyone to read now or at some future date. United States law does not recognize e-mail as a protected or private form of communication in the way it does a telephone call or a letter.
A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
An important element of the public key system is that the public and private keys are related in such a way that a message encrypted with the public key can be decrypted only with the corresponding private key. Moreover, it is computationally infeasible to deduce the private key from the public key.
Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They are very secure when used correctly and relatively simple to use. The main difficulty with public-key systems is that you need to know, and to have verified, the recipient's public key before you can encrypt a message for him or her. What's needed, therefore, is a global registry of public keys, which is one of the promises of LDAP directory technology.
Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is sometimes called Diffie-Hellman encryption, although the name Diffie-Hellman properly refers to the key-agreement protocol they published. It is also called asymmetric encryption because it uses two keys instead of one key (symmetric encryption).
What is public key encryption?
Public key encryption (PKE) uses a system of two keys:
a private key, which only you use (and of course protect with a well-chosen, carefully protected passphrase); and
a public key, which other people use. Public keys are often stored on public key servers.
A document that is encrypted with one of these keys can be decrypted only with the other key in the pair.
For example, let's say that Alice wants to send a message to Bob using PGP (a popular public key encryption system). She encrypts the message with Bob's public key and sends it using her favorite e-mail program. Once the message is encrypted with Bob's public key, only Bob can decrypt the message using his private key. Even major governments using supercomputers would have to work for a very long time to decrypt this message without the private key.
Assume that a customer has a SET-enabled (Secure Electronic Transaction) browser such as Netscape or Microsoft's Internet Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes the customer's public key with an expiration date, and it is signed by the bank so that its validity can be checked.
3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives the merchant's certificate and confirms from it that the merchant is valid.
6. The browser sends the order information, encrypted with the merchant's public key; the payment information, encrypted with the bank's public key (so that it can't be read by the merchant); and a dual signature, computed over hashes of both parts, that ensures the payment can only be used with this particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends an authorization to the merchant, who can then fill the order.
M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and personal digital assistants (PDAs). Known as next-generation e-commerce, m-commerce enables users to access the Internet without needing to find a place to plug in. The emerging technology behind m-commerce, which is based on the Wireless Application Protocol (WAP), has made far greater strides in Europe, where mobile devices equipped with Web-ready micro-browsers are much more common than in the United States.
In order to exploit the m-commerce market potential, handset manufacturers such as Nokia,
Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint
to develop WAP-enabled smart phones, the industry's answer to the Swiss Army Knife, and ways
to reach them. Using Bluetooth technology, smart phones offer fax, e-mail, and phone
capabilities all in one, paving the way for m-commerce to be accepted by an increasingly mobile
workforce.
As content delivery over wireless devices becomes faster, more secure, and scalable, there is
wide speculation that m-commerce will surpass wireline e-commerce as the method of choice for
digital commerce transactions. The industries affected by m-commerce include:
Financial services, which includes mobile banking (when customers use their handheld
devices to access their accounts and pay their bills) as well as brokerage services, in
which stock quotes can be displayed and trading conducted from the same handheld
device
Telecommunications, in which service changes, bill payment and account reviews can all
be conducted from the same handheld device
Service/retail, as consumers are given the ability to place and pay for orders on-the-fly
Information services, which include the delivery of financial news, sports scores and traffic updates to a single mobile device
IBM and other companies are experimenting with speaker recognition (voice biometric) software as a way to authenticate the user in m-commerce transactions.
PayPal is an e-commerce business allowing payments and money transfers to be made through the Internet. PayPal serves as an electronic alternative to traditional paper methods
such as checks and money orders.
A PayPal account can be funded with an electronic debit from a bank account or by a credit card.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own
PayPal deposit account or request a transfer to their bank account. PayPal is an example of a
payment intermediary service that facilitates worldwide e-commerce.
PayPal performs payment processing for online vendors, auction sites, and other commercial
users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money
(a percentage of the amount sent plus an additional fixed amount). The fees charged depend on
the currency used, the payment option used, the country of the sender, the country of the
recipient, the amount sent and the recipient's account type.[2] In addition, eBay purchases made
by credit card through PayPal may incur a "foreign transaction fee" if the seller is located in
another country, as credit card issuers are automatically informed of the seller's country of origin.