Electronic Commerce Tutorial
written by Bob Browning
The Internet is a different sales medium with some direct sales and some retail characteristics. Marketers will have to learn new skills and attitudes to be successful.
Any e-commerce solution needs to be functional and secure. Planning is vital, and other papers in this series discuss the business and technical issues that have to be addressed at the planning stage.
Electronic commerce over the Internet is predicted to grow at an ever-increasing rate over the next few years, with on-line sales already heading for several billion. Many companies are using this new sales channel, and a few retailers now have established major on-line sales sites. There have been some successes, particularly in technology, business-to-business and niche markets.
This paper has been produced to summarise the basics of electronic commerce, covering on-line catalogues and on-line purchasing. We have not attempted to review the subject of Electronic Data Interchange (EDI), which is clearly related but is a very specialised subject.
The Market in the UK and Europe
The NOP organisation publishes survey results on its Web site. The following quotes are from that source:
- Home shopping is still at an embryonic stage in all three countries. Approximately 10% of Web users in France, Germany and Britain have shopped on-line in the last four weeks.
- The NOP findings indicate that, as a proportion of the total adult population, the percentage of people who have used the Web in the past four weeks is highest in Britain and Germany. France currently has the smallest proportion of Internet users with relation to its total adult population - 6 per cent (2.87 million people).
The criterion of having purchased in the last four weeks is a little rigid, and most users will purchase less frequently than this. US studies indicate up to 25% of Internet users shop on-line, so the UK 'Internet Shopping' population is probably in the half to one million range.
However the potential figure may be much higher. In a recent survey more than half of those surveyed said they had no qualms about using their credit card over the Internet. So there may be as many as 2-3 million people who would purchase if the sales proposition is right. This research was carried out by leading market research company BMRB, for Internet Monitor.
In mass-market terms this may still be considered low, and merchants selling low-value items may not find that they generate the volume of business to justify a large expensive site. Any projects of this nature, such as supermarket sites, are experimental at this stage.
There are however profitable e-commerce operations in niche areas, business-to-business or export markets. For example, Textor Webmasters Ltd has been building a successful business intelligence site in partnership with CMS. Initial growth was slow, but now with the benefit of three years of experience and development the enterprise is profitable and has a very respectable turnover.
We recommend that merchants with the right product line and a good business plan start now with this sales channel. In most cases expect slow but steady growth rather than an immediate 'pot of gold'. Establish a beachhead now and grow your Internet presence so that when the market takes off - which it will - you are ready to take advantage of the opportunities that present themselves.
The Worldwide Market
The total figure worldwide for Internet users is in the region of 200 million. Clearly anyone wishing to export should look at the Internet as a sales channel.
Selling on the Internet
Marketing versus Selling Web Sites
Most companies with an Internet presence have a straightforward marketing site. The objective of the site is to supplement traditional marketing activities, perhaps give additional information, and generally promote the company. There is often a reluctance to give complete product details because the objective is to induce visitors to call or write to the company for more information and thus establish contact.
A selling site is different. The objective is to close the sale electronically with payment (and sometimes delivery) made over the Internet. This type of site will be designed to include comprehensive product information, as visitors will be expected to make a purchasing decision based on the information presented.
Such sites generally have three sections:
- Marketing and added value information. This is aimed at attracting customers, giving them a feel for the contents, and giving them confidence in the retailer.
- The catalogue. Detailed information on product benefits, specifications, and pricing.
- Order processing. This will include a method for specifying and paying for the order. More advanced systems may have a method for the customer to go back into the system to check progress and delivery of the order.
The true electronic commerce site will have all three components in some degree.
Such sites may be stand-alone, or may form part of a larger retailing site called a ‘shopping mall’.
Internet shopping malls were set up early in the development of Internet commerce. A shopping mall is a standardised environment in which several merchants are hosted within a single Web site. They offer advantages to a new on-line merchant:
- A standard environment for setting up the catalogue and arranging payment.
- Someone else is arranging for promotion of the mall as a whole.
- In the UK, where the payment processing has historically been a problem, it has meant a trouble-free credit card collection mechanism.
However these benefits have not generally materialised. Malls work in the real world because there is something that attracts visitors, generally a large department store. Once visitors arrive, park their cars and start shopping, it is convenient for them to shop at other merchants in that same locality. The Internet is not like this. It is as easy to visit another shop anywhere in the world as the ‘next’ shop in a virtual mall. People shopping for books are going to search for book sites. If they browse, it is the list of matches to their requirements from a search engine, not an on-line shopping mall.
From the infrastructure point of view, catalogue software and payment processing is now more widely available. Many merchants who started out in a shopping mall have graduated to a stand-alone site.
Building the Business
It is not enough to simply set up the catalogue and electronic commerce programs. ‘Build it and they will come’ has never been an approach that works on the Internet. The site must be promoted both on the Internet and via traditional means.
The biggest single source of visitors is also the cheapest. Registering with a few major search engines will generate over half, perhaps as much as 75% of your potential total traffic.
Other techniques are:
- Negotiating links with other Web sites
- Traditional marketing and PR
- Advertising on search engines and other high traffic sites
- Associate programs by which sites that refer visitors get a commission on sales.
Once the site is built and registered, look for other ways of building business such as special offers. Visitors can be tracked through the site and offers customised to their interests. These techniques are in their infancy, but are being developed rapidly.
Is this direct marketing?
Direct marketers should also not make the mistake of equating the number of Internet users with a mail shot of that size. If there are 2-3 million potential Internet shoppers in the UK, a Web site is not like a mail shot to 2 million people. Only a tiny fraction of these will ever find your Web site and see it at all. The good news is that they will by and large be people interested in your product.
Direct marketers often have difficulty with handling on-line catalogues. The fact of the matter is that if someone visits a site and decides not to purchase, then that is the end of the matter. If someone is sent a catalogue or brochure and decides not to purchase, the merchant can re-send the catalogue, follow up by telephone, and so on. Direct marketers are often loath to lose the degree of control implied in traditional methods.
Is this one-to-one marketing?
Internet selling is not retail, and it is not direct marketing. It has its own characteristics, which are evolving as the technology develops. As we learn more about this area we are finding new innovative ways of building the business, which are unique to this medium. Increasingly we are looking for ways to build a one-to-one relationship with customers using the Internet.
This has to be done carefully. You might be able to tell that you have a repeat visitor, but that person might not like the idea that someone is keeping track of his or her movements. By all means keep records of visitors' preferences so you can present them with the right special offers when they return. But be subtle - or preferably do this by consent.
This new world will require new attitudes and new marketing skills. It may not be right for every business, but when it is appropriate it can offer a low-cost channel with an outlet in virtually every country in the world.
The On-line Catalogue
The key to a good electronic commerce site is to provide an environment that makes it easy for the customer to navigate through the catalogue of products and ultimately make a purchase. How does this work? In the following section, we take a look at the purchase cycle from the point of view of the customer.
The customer must be able to find the product they need without going through endless levels of indexes or menus. The visitor should be able to get to the product they need with very few clicks.
80% of visitors to any site will take one look at the page they arrive on and then leave. It has been estimated that you lose 20% of visitors every time you ask them to link to a new page. Good navigation is essential.
The information must be comprehensive once the customer has located the product of interest. Provide pictures and diagrams to help the customer understand what is being offered.
The Shopping Cart
When the catalogue is small (say less than 20 items), a simple order form will often do the job. However on larger sites the customer will flag products during this browsing session to be added to an electronic ‘shopping cart’. At any point the customer can review the contents of the cart, the cost and so on. This makes it easy for the customer to browse the site selecting products as they go.
When the shopping session is complete, the customer clicks on a hyperlink which takes him or her to the checkout page.
At this stage the customer is presented with a list of the goods marked for purchase, the total cost, shipping, handling, tax, etc. The customer can then add shipping instructions, name, address and so on.
The customer is normally given a range of payment options, and some of the more common are discussed in more detail below. The most common is to use a credit card, and the customer enters the card number, name on the card and expiry date.
At this stage the Web site should switch to secure mode. The technology normally used is called SSL (Secure Sockets Layer). This means that all communication between the browser and the server is encrypted, so that an eavesdropper on the path cannot (without disproportionate difficulty) read the credit card information. We shall discuss this further later, but it is important for customer confidence that the site is in secure mode by the time credit card information is requested, and the switch must be enforced by the server rather than left to the customer to notice.
The customer will get visual warning from his or her Web browser that they are in secure mode, a blue key and blue line in Netscape or a padlock symbol in Internet Explorer. There are some older browsers that don’t support SSL but most do.
This technology is widely used and quite well understood by Internet users. Most articles on e-commerce rightly emphasise the need for customers only to give up confidential information in a secure session, and users will look out for it. We believe that it is essential.
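The server-side counterpart of the padlock, as an added example that is not code from the original article or from Textor's Shopsite product. It shows a minimal checkout handler that refuses to accept card details that did not arrive over a secure connection. The form field names, host name and the WSGI harness are assumptions for the example; the point it makes is that a GET for the checkout page can safely be redirected to the secure site, but a POST that already carries card details over plain HTTP must be rejected, because redirecting it would not undo the exposure.

```python
"""Server-side enforcement of 'secure mode' at the checkout (added example)."""
import io
from urllib.parse import parse_qs

CARD_FIELDS = {"card_number", "card_name", "card_expiry"}   # assumed form field names
HSTS = "max-age=31536000; includeSubDomains"                # tell browsers to stay on https


def checkout_app(environ, start_response):
    """Minimal WSGI handler for a hypothetical /checkout page."""
    scheme = environ.get("wsgi.url_scheme", "http")
    method = environ.get("REQUEST_METHOD", "GET")
    host = environ.get("HTTP_HOST", "shop.example")      # assumed host name

    if scheme != "https":
        if method == "GET":
            # Nothing sensitive has been sent yet, so a redirect is safe.
            start_response("301 Moved Permanently",
                           [("Location", f"https://{host}/checkout")])
            return [b""]
        # A POST over plain HTTP may already carry card details in the clear.
        # Do not redirect (the browser would re-send them); reject it so the
        # merchant and customer know the details should be treated as exposed.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Checkout must be submitted over a secure (https) connection.\n"]

    headers = [("Content-Type", "text/plain"),
               ("Strict-Transport-Security", HSTS)]
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(length).decode())
        if CARD_FIELDS - fields.keys():
            start_response("400 Bad Request", headers)
            return [b"missing card fields\n"]
        # The card details would be handed to the payment processor here and
        # never written to the Web server's own logs or files.
        start_response("200 OK", headers)
        return [b"order accepted\n"]
    start_response("200 OK", headers)
    return [b"checkout form\n"]


def make_environ(scheme: str, method: str, body: bytes = b"") -> dict:
    """Constructed WSGI environment standing in for a real browser request."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "HTTP_HOST": "shop.example", "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}


def call(app, environ):
    """Run one request through the app; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(checkout_app, make_environ("http", "GET")))
    print(call(checkout_app, make_environ("http", "POST", b"card_number=4111")))
    print(call(checkout_app, make_environ(
        "https", "POST",
        b"card_number=4111111111111111&card_name=A+Customer&card_expiry=12%2F99")))
```

If the server sits behind a proxy that terminates SSL, the scheme seen by the application comes from a header such as X-Forwarded-Proto that the proxy sets; that header must only be trusted when it cannot be supplied by the client.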
It is worth mentioning at this stage that a secure server is not absolutely necessary for bank-approved (and indeed very secure) e-commerce. There is a new British e-commerce product that uses its own Java-based encryption, and therefore does not need a secure server environment.
There are practical benefits here, and the solution is very cost effective and does not require more than a standard Internet server operation. The important issue here in our opinion is that the customer does not get the visual feedback from a secure session (the blue key in Netscape or the padlock symbol in Explorer). So irrespective of the technical merits of this solution, we believe it could adversely affect customer confidence.
It is not enough to be secure - you must be seen to be secure.
More on security later.
Payment and Order Processing
There are a number of catalogue Web sites being run by UK companies, varying from large sophisticated book retailers to small ‘mom and pop’ operations. The most popular payment mechanism is payment by credit card, and clearly such payments must be secure. However in a review of a number of such sites, we found that only a minority offered credit card payment over a secure link.
Other options are:
- Credit cards over an insecure link
- Purchase orders only
- Purchaser contacted later by phone or post
- Purchaser prints form and faxes it
Sites that accept credit card information over an insecure link are almost certainly in violation of their agreement with the bank that acquires their payments. They are also taking on the business risk of fraud: that risk does not stop at the bank but is passed on to the merchant.
Issues for these sites are:
- Perceived non-availability of secure payment methods. We discuss payment methods and security issues below.
- Inability of the design shop that developed the Web site to implement a complex catalogue or secure payment system.
- Difficulty in finding a commercial Web site hosting operation that will offer a suitable secure environment.
- Perceived cost of setting up a merchant server.
Most of these issues are perception rather than reality. There is no reason why a merchant should not be able to offer a fully functional catalogue site with a proper secure payment mechanism. This can be done very cost-effectively.
What is involved in credit card processing?
The steps in credit card processing are as follows.
The merchant must first obtain authorisation for the charge from the merchant’s credit card processing company. Authorisation simply means that the card details are valid, the card has not been reported lost or stolen, and there is sufficient credit on the card. It results in the customer’s credit limit being temporarily reduced by the value of the transaction; it is a hold, not yet a payment.
There are two ways in which authorisation may be obtained:
- Manual: The merchant downloads details of the sale from the computer that is acting as Web server. The merchant then requests authorisation using their normal method such as a point of sale (POS) terminal or PC program.
- Automatic: The server software communicates directly with the credit card processing company computer and arranges authorisation on-line.
Clearly the automatic option is preferred, but it is more complex and the costs are greater.
The final stage is for the credit card to be debited (known as capture or settlement). This can happen at the same time as authorisation, provided that the merchant guarantees that delivery will take place within a certain fixed time. Otherwise capture should take place when the goods are shipped. An authorisation hold also lapses after a period set by the bank, so an order that waits too long for shipment must be re-authorised before capture.
If the merchant's business is such that capture can take place immediately, then this can also happen automatically. Otherwise a second manual process is required.
Regrettably, there is sometimes a further stage at which the customer is dissatisfied and arranges for the transaction to be cancelled (a chargeback). Because many Internet sales are made to overseas customers, many banks perceive that there is an increased risk of chargebacks. It has been reported that some merchants will not accept orders to Russia because of the frequency of chargebacks.
Note that the fact that a payment has been authorised by the bank does not provide any protection against chargeback. Authorisation confirms the state of the card at the time of the sale; it does not confirm that the person placing the order is the cardholder.
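The processing steps above as a small state model, added here as an example; it is not code from the article or from any processor. It encodes only the rules the text states: authorisation places a temporary hold; capture may follow immediately only when delivery is guaranteed within a fixed period, otherwise it waits for shipment; a lapsed hold must be re-authorised; and a captured payment can still be charged back. The validity period of the hold, the amounts and the dates are assumptions.

```python
"""Authorisation / capture / chargeback lifecycle of one card payment (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

AUTH_VALIDITY = timedelta(days=7)   # assumption: an unused hold lapses after a week
DAY0 = date(1998, 6, 1)             # assumed order date used in the demo


class PaymentError(Exception):
    """Raised when a step is attempted out of order."""


@dataclass
class CardPayment:
    amount_pence: int
    guaranteed_delivery: bool        # merchant promises delivery within a fixed period
    state: str = "new"               # new -> authorised -> captured -> charged_back
    authorised_on: Optional[date] = None
    log: List[str] = field(default_factory=list)

    def authorise(self, today: date, card_ok: bool, credit_available_pence: int) -> str:
        """Ask the processor for authorisation. Success places a hold on the
        customer's credit; it is not a payment and protects against nothing later."""
        if self.state != "new":
            raise PaymentError(f"cannot authorise in state {self.state}")
        if not card_ok or credit_available_pence < self.amount_pence:
            self.state = "declined"
            self.log.append("authorisation declined")
            return self.state
        self.state = "authorised"
        self.authorised_on = today
        self.log.append(f"authorised {self.amount_pence}p, hold until {today + AUTH_VALIDITY}")
        return self.state

    def capture(self, today: date, shipped: bool) -> str:
        """Debit the card. Allowed at once only when delivery is guaranteed,
        otherwise only once the goods have shipped, and only while the hold lasts."""
        if self.state != "authorised":
            raise PaymentError(f"cannot capture in state {self.state}")
        if today - self.authorised_on > AUTH_VALIDITY:
            self.state = "expired"
            self.log.append("authorisation lapsed; re-authorise before capture")
            return self.state
        if not (self.guaranteed_delivery or shipped):
            raise PaymentError("capture must wait for shipment")
        self.state = "captured"
        self.log.append(f"captured {self.amount_pence}p")
        return self.state

    def chargeback(self, reason: str) -> str:
        """The cardholder's bank reverses a captured payment. The earlier
        authorisation gives the merchant no defence here."""
        if self.state != "captured":
            raise PaymentError(f"nothing to charge back in state {self.state}")
        self.state = "charged_back"
        self.log.append(f"charged back: {reason}")
        return self.state


def demo() -> List[str]:
    """Walk one non-guaranteed order through the cycle; returns the audit log."""
    p = CardPayment(amount_pence=4999, guaranteed_delivery=False)
    p.authorise(DAY0, card_ok=True, credit_available_pence=100_000)
    try:
        p.capture(DAY0, shipped=False)            # too early: nothing has shipped
    except PaymentError as e:
        p.log.append(f"refused: {e}")
    p.capture(DAY0 + timedelta(days=2), shipped=True)
    p.chargeback("goods not received")            # still possible after capture
    return p.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```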
Other Payment Methods
The discussion above has concentrated on credit card payments because they are the most efficient for most purchases.
However there are a number of alternatives, and you should offer as many of these on your site as you can; fax and telephone ordering, for example, should almost always be offered.
Simply printing an order form and faxing it to the merchant is feasible and reasonably secure. The form can be the secure order form - simply offer this as an option in the text.
Offer customers the option of calling in their order, using the order form as a prompt. Many will prefer this, and the order form will be useful in confirming product codes and prices.
Whereas credit cards are fine for significant purchases, they are not efficient for a purchase of only a few pence (a micro-payment). There are systems being developed which operate like an electronic purse which can be recharged using traditional payment mechanisms. The purse can be depleted without formality for these small payments. Micro-payment systems are seen as a significant future development. The main players are:
- Mondex – originally developed in the UK but now operated by MasterCard. This relies on the use of smart cards to hold the value, and payments can be made from card to card without any intermediary. This makes the Mondex card a powerful substitute for cash, and with cheap smart card readers becoming available for PCs, a very acceptable Internet payment method.
- Visa Cash has been developed by Visa.
- Cybercash already has an electronic wallet concept to retain credit card information and pass it securely to a merchant (see below). This concept can readily be extended to electronic cash for micro-payments.
- Ecash is an early cash system, which is unlikely to survive in competition with giants like Visa.
Remember that micro-payment systems are often seen as less secure than other payment methods. For example the smart card can be stolen, like a real wallet. A trade-off against security is part of the concept. For this reason there will normally be an upper limit on transaction and wallet sizes.
Proprietary Payment Systems
These were developed before secure server technology was widely available. They operate in different ways.
- Cybercash uses an ‘electronic wallet’ to hold credit card details and to transmit them securely using their own encryption software.
- First Virtual uses a system of e-mail messages to confirm the sale.
The problem with all of these proprietary systems is that they require the user to do something to set themselves up, either to install special software or to register with the organisation.
They do work, however, and are in use in the USA.
For business purchases a purchase order would be appropriate.
Why is the Internet different?
There is a widely perceived risk attached to payments made via the Internet, and this perception is in some circumstances justified. This is not like making a phone call or sending a fax. The information sent from the customer to the Web server may pass through many different stages before being delivered. The information is in digital form, and at any stage an unauthorised individual may scan every message looking for credit card numbers, which are easily identified: a card number is a fixed-length run of digits whose last digit is a check digit, so a scanner can pick out genuine numbers with very few false alarms.
The difference between this process and a telephone call or fax is that the scanning process can be automated. It is as easy to check every message as to check a single one.
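What that automated scan looks like, as an added example that is not part of the original article. A card number is 13 to 19 digits whose last digit is a Luhn check digit, so a scanner can run a regular expression over every message and keep only the candidates that pass the check. The "captured traffic" below is constructed for the example; the card numbers in it are the well-known test numbers, not real cards.

```python
"""Automated scanning of cleartext traffic for card numbers (added example)."""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by spaces, '+' (url-encoded space) or hyphens,
# as a customer would type them; lookarounds stop us matching inside longer runs.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ +-]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the candidate numbers in text that pass Luhn, digits only."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ +-]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_messages(messages: List[bytes]) -> List[Tuple[int, str]]:
    """One pass over every message, as an eavesdropper would make it.
    Returns (message index, masked number) so the result itself is not a leak."""
    found = []
    for i, raw in enumerate(messages):
        for pan in find_pans(raw.decode("latin-1", "replace")):
            found.append((i, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return found


# Constructed sample of what a plaintext link carries: one catalogue request,
# one checkout form, an order reference that is digits but not a card, and a
# bare hyphenated card number.
SAMPLE_TRAFFIC = [
    b"GET /catalogue/books?page=3 HTTP/1.0\r\n",
    b"POST /checkout HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=A+Customer&card_number=4111+1111+1111+1111&expiry=12%2F99&total=4999",
    b"order_ref=19980601123456789&phone=0207-123-4567",
    b"card=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for index, masked in scan_messages(SAMPLE_TRAFFIC):
        print(f"message {index}: card number {masked}")
```

The 17-digit order reference is rejected by the check digit, which is why the scan is cheap to run over everything: almost every hit is a real card number. The same two functions, run over a server's own logs or outbound mail, are the basis of a merchant's check that card numbers are not leaking out of the payment path.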
Secure Sockets Layer (SSL)
It is therefore essential that traffic be scrambled (or encrypted), and the standard SSL protocol developed by Netscape provides a high level of protection. The US government views encryption technology as munitions, and therefore the only version of SSL available worldwide is the relatively weak 40-bit version. This version is nonetheless strong enough to protect against the automated scanning described above, since recovering the key for a single message takes over an hour of computing on the hardware of the day. It should be understood as raising the attacker's cost above that of passive scanning, not as protection against a determined attacker who is prepared to spend that effort on a chosen message; longer keys should be used wherever the browser and export rules permit.
Browsers that support this technology indicate that a secure session is in progress by showing a dialog box, or in the case of Netscape Navigator by showing a blue key on the screen.
Beyond the Blue Key
Even if the customer is protected by SSL technology, it is clearly important that the information remain secure.
Once stored on the Web server, and before being passed to the merchant, the information is at risk from someone breaching security on the server and examining the files. Protection from this can be provided by either:
- Encrypting the information stored on the server, with the decryption key held off the Web server (an encrypted file whose key sits beside it protects nothing).
- Using a ‘firewall’ to protect the information. A firewall is a device (or a piece of software) which limits access to a server to specific types of traffic, such as ‘Web traffic only’. An important UK acquiring bank (Barclays) insists that credit card data be held behind a firewall.
Better still is to avoid holding card numbers on the Web server at all, by passing them straight to the payment processor and keeping only a transaction reference.
The further stage of sending the information to the credit card processor, and to the merchant must similarly be protected.
The ‘blue key’ which Netscape Navigator provides to show that a secure session is under way is therefore no guarantee of total security, and the reputation of the merchant (or the payment process) is also important.
In an attempt to overcome these weaknesses, the industry has developed the SET specification. SET stands for Secure Electronic Transaction.
The SET standard has been developed to protect payment instructions in transit. A discussion of SET is outside the scope of this document, and we recommend that anyone interested in this subject download the SET business description document from (e.g.) the Visa site (http://www.visa.com).
SET is expected to become operational in 1998. However progress is slow. For SET to provide the ultimate level of security it will be necessary for each cardholder to be issued a ‘digital certificate’ by their credit card issuer. This presents significant logistical problems, and is unlikely to be rolled out in less than 3-4 years. There are a number of unresolved issues here which deserve a paper of their own!
You may need authorisation to be made on-line:
- Because you are delivering the product immediately over the Internet.
- Because you want to bypass the manual effort of keying the information into your bank terminal.
- Because you want to protect yourself from fraud. Much credit card fraud happens at the merchant. If the credit card information is handled by the computer, the chance of in-house fraud is reduced.
Generally speaking, connecting your computer directly to the bank is a very expensive option. You can however go through a number of payment gateway services. There is a list of services on the Textor Webmasters Ltd Web site.
These services interface with your Web application in some way to create the link to the bank.
If you are using shopping cart software then it has to be interfaced to the gateway. For example we have interfaced our primary product (Shopsite) to a leading gateway service (DataCash). This is never going to be a straightforward thing to do and it is important that when signing up to a gateway service you are sure that they can interface to the software you need.
If you are using a simple order form with no shopping cart then the form can possibly be handled by the gateway operation, eliminating the need for a secure server.
Commerce Service Providers
The most complex type of service is called a Commerce Service Provider (CSP). A CSP offers a complete shopping cart and back-office environment which can be used by a catalogue running on their or another server. The CSP uses complex ‘industry strength’ software - of which the market leader is Transact, produced by Open Market.
The unique feature of Transact is that the product details can all be held on a catalogue Web site on a non-secure server. They do not have to be held in a product file on the secure server, but can just be built into the Web site. When the customer presses the order button, all the product details are passed to the shopping cart software at that time. What is more, they are passed in a fraud-resistant way guaranteed by security keys.
This has a number of important implications, and is one reason why Transact carries a six-figure price tag. One of these implications is that a company can offer Transact as a utility that can be tapped by merchants without requiring any sort of complex product file-maintenance operation. The merchant needs only a simple piece of software to create a security key against each product offering.
A further implication is that there is no real upper limit on the size of a catalogue, and because of the strong software involved there are no real transaction volume limits.
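The general technique behind passing product details "in a fraud-resistant way guaranteed by security keys", as an added example. This is not Open Market's Transact or Textor's code, and the reading of the text is an assumption: the merchant signs each offer (product code, description, price, expiry) with a key that the public catalogue server never needs, and the cart server verifies that signature before trusting the price. A customer who edits the order button's hidden fields can change the price, but not the signature that goes with it. The key, field names and offer data below are assumed.

```python
"""Signed product offers carried from an untrusted catalogue page to the cart (added example)."""
import base64
import hashlib
import hmac
import json

MERCHANT_KEY = b"assumed-merchant-signing-key"   # held by the merchant and the cart server only


def _encode(payload: bytes) -> str:
    return base64.urlsafe_b64encode(payload).decode()


def sign_offer(key: bytes, product_code: str, description: str,
               price_pence: int, expires: int) -> str:
    """Build the opaque token the merchant embeds in the catalogue's order button.
    This can be done offline, one token per product offering."""
    payload = json.dumps({"p": product_code, "d": description, "a": price_pence,
                          "e": expires}, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _encode(payload) + "." + _encode(tag)


def verify_offer(key: bytes, token: str, now: int) -> dict:
    """Cart side: reject malformed, tampered or expired tokens; return the trusted offer."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        raise ValueError("malformed offer token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise ValueError("offer signature invalid")
    offer = json.loads(payload)
    if offer["e"] < now:
        raise ValueError("offer expired")
    return offer


def forge_price(token: str, price_pence: int) -> str:
    """What a customer editing the page can do: rewrite the price, keep the old tag."""
    body_b64, tag_b64 = token.split(".", 1)
    offer = json.loads(base64.urlsafe_b64decode(body_b64))
    offer["a"] = price_pence
    payload = json.dumps(offer, sort_keys=True, separators=(",", ":")).encode()
    return _encode(payload) + "." + tag_b64


def cart_total(key: bytes, tokens, now: int) -> int:
    """Sum the prices of the offers that verify; tampered ones are dropped, not trusted."""
    total = 0
    for token in tokens:
        try:
            total += verify_offer(key, token, now)["a"]
        except ValueError:
            continue
    return total


if __name__ == "__main__":
    # Constructed offers: a book at 12.99 and a CD at 9.99, both valid until 'time' 1000000.
    book = sign_offer(MERCHANT_KEY, "BK-0042", "Paperback", 1299, 1_000_000)
    cd = sign_offer(MERCHANT_KEY, "CD-0007", "Album", 999, 1_000_000)
    cheap = forge_price(book, 1)                    # customer tries to buy the book for 1p
    print("honest cart:", cart_total(MERCHANT_KEY, [book, cd], 999_999))
    print("tampered cart:", cart_total(MERCHANT_KEY, [cheap, cd], 999_999))
```

The merchant's signing key never has to be on the catalogue server, which is what lets the catalogue live on an ordinary non-secure host; the expiry field is what lets the merchant change prices without honouring old order buttons for ever.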
There are about four Transact-based CSPs in the UK today. Because of the significant investment required these are all major organisations.
Shopsite, offered by Textor Webmasters Ltd, is an Open Market product and an interface between Shopsite and Transact is promised. This gives merchants who purchase Shopsite a good expected upgrade path to Transact if the volume of business warrants or if they feel that a major support organisation is required.
Planning is an important part of this type of business, as it is with any business venture. We suggest three main stages to the process:
Business Requirements
Make sure you understand the market, and that you understand the business processes that you need to implement. Select a project manager and ensure that project disciplines are in place. Produce a first-cut budget.
Technical Requirements
Identify the technical requirements you will need to satisfy. Draw up short lists of products and services. Refine the budget.
Selection / Procurement
Finally, select the products and services you need to start the project.
It may seem obvious but it is important to procure products and services only after the business and technical investigations have been complete. Businesses that start by (for example) selecting a software product or a service provider before the business requirements are clear are in danger of not meeting those requirements.
Electronic commerce is a new form of marketing with a predicted explosive growth over the next few years. The technology underlying the market is quite complex, and will become more so as new payment methods and Web technologies come on stream. The marketing approach is also new and different. The key to success is to find innovative ways to use that technology to attract customers and build business.
This paper is intended to give an overview of the most important concepts in electronic commerce. Other papers in this series will:
- Give guidelines for the business requirements study.
- Give some guidelines for the technical requirements study.
- List some guidelines for creating a successful site.
Now is a good time to enter this market at a relatively low cost, to learn how the market works, and be ready to take advantage of new opportunities as they arise.
This Electronic Commerce Tutorial is presented in three sections. Click one of the links below to continue reading.
- Electronic Commerce Primer
- Planning for Electronic Commerce: Business Issues
- Selecting an Electronic Commerce Solution
This Electronic Commerce Tutorial is courtesy of Textor Webmasters Ltd. Textor are located in a leafy suburb of London, and are one of the most innovative Internet shops in the UK. They specialize in electronic commerce.
Bob Browning is the President of Textor Webmasters Ltd., a London Internet consultancy that specializes in electronic commerce.
This article originally appeared on WebDevelopersJournal.com.