Internet Commerce: Understanding Payments, Security and Storefronts
presented by: David Strom, [email protected], www.strom.com
(c) David Strom, 1998
Why This Tutorial
A successful web storefront must accommodate the common forms of electronic payment in use today
Good storefront design and tactics will increase sales
Tough to evaluate various payment systems, standards and products

What This Course is Not About
Mathematics of Public Key Cryptography
In-depth discussion of Visa® and MasterCard® operating regulations for eCommerce
Legal advice for eCommerce issues related to operating a web storefront
Writing your own storefront systems from scratch
In-depth on security issues

Course Topics
Introduction to Internet marketing
Good and bad web storefront design, defining successful eCommerce ventures
What are relevant eCommerce standards and why should I care?
Overview and demonstration of payment systems that are working on the Internet today

Course Topics -- continued
Choosing the Right eCommerce Path: malls, suites, or do it yourself
Installing and operating your own storefront

Course Approach
Overview of major payment systems and storefront products
Give real-life examples and online demos
Help relate information to your own situation
Provide insight into different approaches, technologies
Discuss pros and cons of each
Multiple Q&A sessions

My Background
I’ve been involved in the Internet for some time
Have used most of the products we demonstrate
Have consulted to a few of the vendors, but still have strong opinions

My Beliefs
My perspective is from the consumer’s viewpoint, as well as from the merchant’s
I believe that eCommerce is the next evolutionary step in the web
Most eCommerce has had accidental success to date

My Perspective on the Internet
Historically, it will have as profound an effect on humanity as did the invention of the printing press
It is a mass communication medium, but different because it is two-way and feedback is instantaneous
Commercially, it is another channel for sales and distribution

The Internet is Chaotic
We need e-systems that are not bounded by hierarchy or rigidity
It resists the imposition of structure or ownership
It has many different species of products and services
  Many will die
  Some will adapt and grow
  Some will involve eCommerce
Topic 1: Introduction to Internet Marketing
Advantages and disadvantages
Speed of adoption is immense!
Different kinds of approaches

Internet Marketing
Look good to the public, be on the cutting edge
Supplement traditional channels, be real-time
Focus on global niches, be high-content
Avoid the trailing edge, the competition is already doing it

Advantages
Direct, one-to-one marketing opportunity
Allows you to learn useful information and build customer relationships
Relatively inexpensive medium compared to advertising, direct mail or telemarketing
Capacity to be a major distribution channel
Results are measurable, sometimes

Challenges
Most say that eCommerce is taking off, just differ on the rate!
How do we convince the general public that they will really like eCommerce?
Focus initially has been on business-to-business uses

Obstacles to Wide Deployment
Easy forms of payment
Trust in the system
Perceived benefits outweigh the risk (What’s in it for me?)
Technology and infrastructure still primitive

Adoption Curves
Credit cards, ATMs: 10 years
Cell phones: 15 years
TV: 25 years
VCRs: 30 years
Internet usage: <10 years!!

Different Types of Internet Marketing
Demand creation
Consumer pull
Provider push

Demand Creation
Product selection is costly, so we want to:
  reduce the time to find the product; and/or,
  increase the customization of the product
A successful Internet presence:
  creates demand for more sales; and,
  these sales are incremental

“Consumer Pull” Marketing
Web sites are the Internet version of infomercials: synchronous interaction, consumer initiated
Great fun watching:
  sites trying to attract and retain viewers; and,
  folks trying to interpret click-throughs, hits, etc.
Interactive and transactional ads become more popular

“Provider Push” Marketing
Some web sites do “upsells”, i.e., interact with the consumer at checkout time to buy more stuff
The focus is on the current purchase, and “blue light” specials
But, the next step requires an asynchronous interaction...

More “Provider Push” Marketing
E-mail provides the ability to do “outcalls”, interact with the consumer on a regular basis
The focus is on purchase history
The best consumer relationships are one-on-one, hence the value of direct marketing

Some Conclusions
Consumer control of privacy is essential
  most folks simply want the choice of opting out
The granularity of control must be fine, e.g.,
  over number and frequency;
  over categories of interests; and/or
  over (indirect) dissemination to third-parties
Regardless, there are likely legal issues when maintaining/using a consumer database
Topic 2: What Becomes Success?
Overview of eCommerce market
Review physical storefront success factors
Propose some definitions
Define success for the web
Draw up five eCommerce principles

Overview of eCommerce Market
Predictions
Success factors
Five principles

eCommerce Revenue Predictions are Wide-Ranging
Source      1996 (B$US)   2000 est. (B$US)
IDC         $2.2          94
Forrester   1.4           117
Jupiter     .7            15.6
Dataquest   6.4           56

And Not Very Believable
IDC says the web will become a mass market in the US by 12/98!
With 100 million users!
Let’s not confuse web users with eCommerce BUYERS!

Let’s Keep Our Perspective
Size of US movie industry -- $6B!
Size of adult video rentals -- $6B!
Total US music sales -- $6B!

Ticketmaster
US$5 million/month via the web in sales
Started 11/96
Generating lots of new buyers, who wouldn’t ordinarily use their service

Then there is Disney.com
Web site Daily Blast signing up 15k members/month
Sales via web are equal to 3x-5x of physical Disney store!

And of Course, There is the Porn Industry
“However, extensive interviews with adult site owners yield a picture of a highly charged market of approximately 10,000 sites generating about $1 billion in revenue per year, most through electronic credit card transactions.”
From Interactive Week

Sad State of Today’s eCommerce Marketplace
Poor quality tools
Hard-to-find stores
Limited payment methods
Credit card snooping perceptions
Older browser versions can’t view latest sites

Case in Point: Buying a Bike Rack
Item not carried: outdated catalog
Telesales not familiar with web
No cross-sell or substitutions online
Needed three phone calls to complete purchase

Let’s Learn From the “Real World”
Compare what works for physical stores
Try to extend to the web

Critical Success Factors for Physical Storefronts
Location
Branding
Good service
Good product selection
Proper pricing and margins
Traffic

First Problem:
None of these translate on the ’net!

Now Try to Agree on Definitions for Web Stores
What determines a good location?
  Position on a search page
  Nearness to popular destination
  Ad on a popular server
What determines branding?
  Memorable domain name
  Popular search category destination

An Example of bad location: Montana Meats
www.imt.net/~lingerie/buffalo/buffalo.html
Can’t they afford their own domain name?
www.company.com/~anything is BAD NEWS!

Another Case: Buying Toner and Batteries
www.cartridgesusa.com, www.batterybarn.com
Catalog shows pictures of parts
Easy to find relevant item
But payment acknowledgement incomplete

Determining Traffic
Hard to do -- is it hits, page views, registered users?
[HITS = How Idiots Track Success]
Hard to measure -- do you count gifs? Use log files?
No general agreement on any metrics!

Traditional Advertising Doesn’t Apply Anymore
Can’t measure anything
Every site has its own banner sizes
The Web is not TV

One Working Definition of Success: SURVIVAL!
If a site is still running after 12 months, and getting more traffic, it is a success.

Does a site actually have to sell something?
Many actual eCommerce sites don’t do the complete transaction (Cisco)
Require faxes or telephone calls!
Some merely have catalogs
A good example: Singapore Power Authority
www.spower.com.sg/readmeter.cgi?cmd=form

Good eCommerce Examples
Easy to find merchandise
Good service
Individual customization is key
Simple navigation
Business-to-business focus

AMP Connect
Have customers in 100 countries
Speak many languages
Produce 400 catalogs covering 135,000 items
Mailings cost US$7MM/yr
Fax back cost US$800,000/yr
But you can’t buy anything directly!

Solution: “Step Searching”
Saqqara.com software to enhance Oracle database
Provide user feedback as they type in the query
Show how many matches in the database
Different mechanisms for searching:
  by part number
  by alphabetical names
  by part family
  by picture even

AMP
connect.ampincorporated.com

AMP Connect (con’t)
And can set to list parts that are available in specific countries!
Updated daily with over 200 item changes
Detailed drawings save time for customers to pick the right item
Saved AMP over US$5MM in production costs

Save in Translation Costs
AMP catalog in several languages
Translation cost was US$100,000
Versus US$1.5MM to produce separate translations of print editions

Silicon Investor
www.techstocks.com
Difficult to find anything
Incomplete database of companies
Companies are arranged poorly

First Principle of eCommerce:
It is easy to find what you are selling!

Amazon.com
Services frequent readers with a variety of programs
  Editorial comments
  If you liked this book, you’ll like...
  Notification of new books by author, topic
Simplified “1 Click” ordering
Uses simple pages and email
Associates program for commission kickbacks
Gift certificates via email
And ... lots of books to choose from

Amazon

Update your directories!
This one is almost a year old
www.asiapage.com/alist.html#jewellery

Non-secure servers
Many SG sites collect credit cards on them
www.asiapage.com/goodwood

Second Principle of eCommerce:
Deliver solid service!

Dell
Most notable site for computer buyers
Customize the features you want via a web form
Simplifies and personalizes the shopping experience
WYSIWYB (buy)
>US$1MM/day in sales!

Dell

Canadiantire.com
eFlyer uses email notification along with web forms
Customize exactly what coupons and deals are sent to you

Third Principle of eCommerce:
Individual customization is key

BMW Motors
Example of what not to do
Use gratuitous graphics
Cheesy low-res videos
Toys, not tools

BMW

Compare with Subaru
Find specific information about each car
Can price options to your particular needs

How NOT to Design a Payment Screen
www.netmar.com/new/norderform.shtml

How NOT to take advantage of bandwidth
www.clickdiz.com
Two different pages, one for SG ONE, one for all others
But SG ONE page has just heavy graphics -- why?

A better example: fishing licenses
Simple, quick, and does the job with a minimum of clutter
www.permit.com

Fourth Principle of eCommerce:
Make navigation simple!
Use small graphics, site maps, indexes
Avoid clutter, frames

Int’l Commerce Exchange System
Matches overstocked sellers with buyers
B2B exclusively
Uses faxes to notify potential customers

ICES www.icesinc.com

Fifth Principle of eCommerce:
Business-to-business focus
Topic 3: eCommerce Standards
SSL (encrypted transactions)
SET (authenticate buyers)
OFX (bill presentment)
OBI (exchange purchase orders)

Some Disclaimers
Standards are still in motion
Multiple approaches means they don’t always work as intended
May be eclipsed by events (e.g., SET) and consumer behavior
Moral: lots of programming still required!

SSL: Encrypt Transactions
Why encrypt?
Principles of cryptosystems
Understand certificate management

Why Encrypt? TRUST!
Ensure your customer is authorized to use his account
Customer wants to make sure you are the legit seller
Ensure payment is received
Ensure goods are received

Four Principles of Cryptosystems
Privacy of message contents
Authentication of parties involved
Integrity of data transmitted
Non-repudiation of transactions

Privacy
Privacy means that the message contents cannot be seen by anyone but the intended parties
Accomplished through the use of encryption

Authentication
Authentication means that each party involved in the transaction is identified as legitimate
Accomplished through the use of certificates
  A certificate is a notarized public key (like a passport or a driver’s license)
  Issued by a trusted third party called a Certificate Authority
  Binds the certificate owner to the public key within the certificate

Integrity
Integrity of data means that it cannot be altered by anyone during transmission, to avoid a “man in the middle” attack
Encryption allows only the intended recipient to open the digital envelope
A digital envelope (or “hash”) = contents of an encrypted message + digital signature

Non-repudiation
Non-repudiation means both parties to the transaction are assured that the message is genuine and cannot be disputed
Parties are identified with certificates that have been notarized by a trusted Certificate Authority
It will be much harder for customers to claim they never placed the order

Why Should You Get a Certificate?
You want those who visit your web site to know you are a legitimate business
A certificate is required to operate a secure server (SSL)

Certificate Authorities (CAs)
Trusted third parties, similar to notaries
Can be external or internal (server is managed within your own company)
Choice of a CA may depend on your merchant server software

Public and Private Key Pairs
A public key is disclosed and widely distributed with no adverse effects
Used to encrypt or decrypt information
Works only in conjunction with its paired private key

Public and Private Key Pairs
A private key is held and used only by its owner
If a private key is compromised, it must be replaced immediately
Today’s real-world example: lost or stolen credit cards must be blocked and replaced

Public and Private Key Pairs
Real-world example: Dual control of keys for your safe deposit box — it can only be opened with two keys — yours as well as the bank’s
A Digital Certificate (or Digital ID) is a Notarized Public Key
The Certificate Authority is the Notary
You can create a key pair through server, browser or wallet software
You send the public key to the Certificate Authority

A Digital Certificate (or Digital ID) is a Notarized Public Key
Your public key is digitally signed and returned as the certificate
Your private key remains embedded in your software

Public Key Cryptography
[Figure: Customer’s Private Key and Customer’s Public Key on one side, Merchant’s Public Key and Merchant’s Private Key on the other]
Public keys are shared and widely distributed
Private keys are kept secret by the holder of the key
Both pairs of keys are required to complete a secure transaction

Steps in Certificate Creation
Refer to your server software documentation for selection of a CA and instructions
Generally, you will do the following:
  Generate a key pair of public and private keys
  Send the public key and other information to CA
  CA verifies information provided
  Upon verification, CA creates a certificate containing public key and expiration date
  The Certificate is sent back to applicant and may be posted publicly, if appropriate

Examples of Certificate Authorities
VeriSign: www.Verisign.com
GTE CyberTrust Solutions, Inc.: www.cybertrust.gte.com
Thawte Consulting: www.thawte.com

Certificate Creation
Demo of key generation and certificate request

Certificate Management
Once public key certificates are issued, they must be managed to maintain integrity
They contain expiration dates
They may be revoked for various reasons
Upon expiration, certificates must be renewed or reissued
This is a consideration for using an external CA, as opposed to managing an internal CA
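The certificate lifecycle on the last few slides (generate a key pair, the CA signs the public key into a certificate with an expiration date, the relying party checks signature, expiry and revocation) as a runnable model. This is an added example, not the author's or any CA's code: it uses textbook RSA with small primes and unpadded SHA-256 digests, so it shows the mechanics only; the names CertificateAuthority, check_certificate and the JSON certificate layout are assumptions for the example.

```python
import hashlib
import json
import random
from math import gcd


def _is_probable_prime(n, rounds=25):
    """Miller-Rabin test; good enough to pick the toy primes below."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key_pair(bits=64):
    """Step 1 on the slide: return ((n, e) public, (n, d) private). Toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data, n):
    """SHA-256 of the message, reduced into the modulus range (toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify_signature(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def _to_be_signed(cert):
    """Canonical bytes of the certificate body, i.e. everything but the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


class CertificateAuthority:
    """The notary: signs applicants' public keys and keeps a revocation list."""

    def __init__(self, name):
        self.name = name
        self.public_key, self._private_key = generate_key_pair()
        self.revoked = set()
        self._next_serial = 1

    def issue(self, subject, subject_public_key, not_after):
        """Steps 2-5: caller has verified the applicant; sign key + expiry."""
        cert = {"serial": self._next_serial, "subject": subject,
                "issuer": self.name, "public_key": list(subject_public_key),
                "not_after": not_after}          # expiry as Unix time
        self._next_serial += 1
        cert["signature"] = sign(self._private_key, _to_be_signed(cert))
        return cert

    def revoke(self, serial):
        self.revoked.add(serial)


def check_certificate(cert, ca, now):
    """'valid', or the first reason the certificate must not be trusted."""
    if not verify_signature(ca.public_key, _to_be_signed(cert), cert["signature"]):
        return "bad signature"      # altered, or not signed by this CA
    if now > cert["not_after"]:
        return "expired"            # must be renewed or reissued
    if cert["serial"] in ca.revoked:
        return "revoked"
    return "valid"
```

A certificate that passes check_certificate also lets the relying party verify messages the subject signs with its private key, which is the non-repudiation property the slides describe.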
How is this accomplished?
Secure servers and browsers
  Capable of strong encryption (up to 128 bit)
  40 bit encryption is no longer considered adequate for financial transactions
Digital certificates
  Ensure the identity of the certificate holder
  Also called digital IDs
The common protocol in use today is Secure Sockets Layer (SSL)

Secure Sockets Layer Protocol (SSL)
Authenticates the merchant server
  Merchant Certificate obtained from trusted Certificate Authority
Provides privacy through encryption of the message for both the sender and receiver
  Secure “pipe” negotiates maximum encryption compatible at browser and server for each message transmitted
Ensures integrity of data transmitted
  Message authenticity check (algorithm)

Secure Sockets Layer Protocol (SSL)
Merchant’s Certificate (Digital ID) can be viewed by any secure browser
https:// in the URL = a secure connection
SSL allows customers to verify who the merchant is
The merchant’s digital ID does not certify the integrity of the merchant

Secure Sockets Layer Protocol (SSL)
[Figure: Customer Order with Payment Information -> Encrypted order sent -> Customer order decrypted at merchant server]
SSL encrypts the customer order, which includes the payment information
This data is sent from the customer to the merchant via a secure “pipe”

What SSL Doesn’t Encrypt
Once the data arrives on the secure server, it could be stored in an insecure location!
Or if someone has physical access to your desktop or server

SSL: How do you get a certificate for your merchant server?
Apply to Certificate Authority
  Instructions built into merchant server software
You will be asked to provide valid business license and other ID
Cost is dependent upon level of certification

Encryption Strength
It is illegal to export outside the US products containing encryption that is stronger than 40 bits
It is not illegal to use encryption stronger than 40 bits internationally
Financial institutions do not consider 40-bit encryption adequate for Internet transactions

Encryption Strength
Newer browser and server software are capable of 128-bit encryption
128-bit encryption is exponentially stronger than 40-bit encryption

Encryption Strength
We’ve all heard about the case where 40-bit encryption was broken in eight days
Estimated cost of effort was $10,000

Encryption Strength
According to Netscape, it would cost US$5,600,000,000,000,000,000,000,000,000,000 (approximately) to crack a single session in eight days with 128-bit encryption
SET: Authenticate Buyers
What is the protocol
How it works
Advantages and disadvantages

What is SET protocol?
Secure Electronic Transaction protocol is a common standard that was developed jointly by Visa, MasterCard and other partners to ensure the processing of secure transactions.
Based on RSA encryption
Uses public and private key pairs that have a mathematical relationship

How is SET Different from SSL?
Digital certificates for SET will be payment-specific
  Merchants will be certified as legitimate to accept branded payment card transactions
  Cardholders will be certified as valid account holders
  Merchants will not see customer’s account number (it will only be passed to the acquirer)

How is SET Different from SSL?
With SET:
[Figure: the Customer’s Digital ID, related to a specific account, travels with the Customer Order info; the Merchant Server gets the Customer’s Digital ID minus the account number + Customer Order; the Acquirer gets order receipt + Customer’s Digital ID with account number]

How Will Certificates (Digital IDs) be Issued for eCommerce?
Hierarchy of trust for certificate issuance
  Visa and MasterCard will designate a Certificate Authority to hold the Trusted Root
  Merchants will obtain certificates from banks’ or acquirers’ Certificate Authority, then store on SET server software
  Cardholders will obtain certificates (digital IDs) from their banks’ Certificate Authority, then store in electronic wallet

MasterCard® Example of a SET Transaction
http://www.mastercard.com/set/screen1.html
http://www.mastercard.com/set/screen2.html
http://www.mastercard.com/set/screen3.html
http://www.mastercard.com/set/screen4.html
http://www.mastercard.com/set/screen5.html

SSL vs. SET
SSL:
  Server authentication
  Not tied to payment method
  Encrypted message to merchant includes account number
  Message authenticity check (MAC)
  Privacy
  Merchant certificate as legitimate business
  Possible for client authentication
  Integrity
SET:
  Server authentication
  Digital certificate tied to certain payment method
  Encrypted message does not pass account number to merchant
  Hash/message envelope
  Privacy
  Merchant certificate tied to accept payment brands
  Customer authentication
  Integrity

SET — the Answer to eCommerce
SET has been proposed as the answer to secure and interoperable eCommerce
  It is not currently mandated by Visa and MasterCard
  There are big implementation issues for all concerned
The SET protocol is definitely more secure than SSL
However...

SET — the Answer to eCommerce
Implementation of SET has some big drawbacks:
  Lack of interoperability among systems
  Management of public key infrastructure
  Distribution of digital certificates requires action on the part of the consumer
And who will pay for all this?
Meanwhile, eCommerce goes on

The Future of SET
Non-repudiation of transactions through digital certificates for both merchant and customer
SET may be the industry standard for payments, but yet to be implemented
It will be far more difficult for a customer to claim no knowledge of a transaction

Some New Credit Card Operating Regs You Should Know About
For both Visa and MasterCard:
  Effective April 1, 1998 electronic commerce transactions using unsecured protocol are subject to higher interchange rates for the acquirer, which translates into higher discount rates for the merchant
  Secure protocols are defined in the regs as “channel encrypted” (SSL) or SET
Electronic Bill Presentment
Saves on paper but requires lots of coordinated systems
Can show bills with nice fonts, interactive applications
Is a separate process from the actual payment system

Electronic Bill Presentment Issues
Does the processor use EBP with merchant bank?
Can users’ browsers support these new applications?
  Java applets
  ActiveX controls etc.
Reconciliation requires access to both dispute and payout information

Microsoft’s MSFDC
A means to standardize on presentment
Have both web-based access and special consumer-based software
Former “Marble” server, read white paper at: www.microsoft.com/finserv/marblewp.htm
Requires NT, SQL Server, IIS, etc.

Other EBP efforts
Open Financial Exchange (www.ofx.net)
www.Integrion.Net
CheckFree’s E-Bill (getbills.checkfree.com)

eBill
Most popular and in widest practice
Schwab and Intuit/Quicken are supporters
Most threatened by MSFDC

OFX
Started with Intuit
Trying to standardize on too much at once:
  data transfers
  account inquiries
  financial applications and transactions
Verisign Financial Server (US$1200)
  digitalid.verisign.com/ofxIntro.htm

Integrion
Banking-intensive plus IBM
No other software supporter, BUT…
Combining forces with CheckFree
Trying to establish their “Gold Standard” vs. OFX

What about OBI?
Open Buying on the Internet
A bunch of standards: SSL, X12 EDI, X.509 PKI
Exchange of purchase order info
Unresolved issues:
  who owns the catalog?
  how much infrastructure is really needed?
  knitting together a solid solution is more than enumerating standards!
Topic 4: Introduction to Payment Systems
Structure, properties and roles
Different devices
  Credit Cards
  Electronic Wallets
  CyberCash
  First Virtual
  Digicash
Setting up a merchant account
Privacy issues

Payment Basics
[Figure: the Consumer reaches the BANK through an Access Point on the Issuer side; the Merchant reaches the BANK through an Access Point on the Acquirer side]
Consumer access point:
  • deposit & withdrawal
  • transaction status inquiry
  • authentication
  • problem resolution
Merchant access point:
  • purchase & refund
  • transaction status inquiry
  • authentication
  • problem resolution

Merchant Hierarchy
Payment System (clearing house): clearing house between acquirers and issuers
Acquirer (third-party processor): authorizes, processes and settles for merchant bank
Merchant Bank: accepts merchant deposit
Merchant: accepts authorized cardholder transaction

Different Payment Pieces
System: provides processing and settlement of transactions
Gateway: software/services to support eCommerce merchants, acquirers
Device: initiates transaction from credit/debit card

Attributes of Superior Payment Systems
Universal, world-wide acceptance
Recognized value
Reliability of transactions
Ease of use to customer
Capacity for quick settlement and collection

Requirements
Mass appeal
Easy payment by the customer
Have acceptable risk to bank and merchant
Accommodate changes, cancellations and returns

Let’s Consider the Customer
Changes the order
Doesn’t fill out all fields even when asked
Mistypes credit card and other data
Cancels order entirely or never finishes order process

Objectives in Offering Payment Choices
Customers like choices, but remember: they are here to buy stuff!
Make it safe for everyone involved: customer, merchant, and banks
Consider how easy it is for your customer to use, not just how easy it is for you to manage
Payments in a virtual world should imitate those in the real world

Properties of Payment Systems
Transaction cost
Transaction directionality
Real-time authorization (a.k.a. validation)
System scalability
Privacy

Three Real-World Examples
        Cost       Direction   Validation   Scale     Privacy
Cash    very low   two-way     no           extreme   yes
Check   low        one-way     maybe        high      no
Card    moderate   one-way     yes          high      no
Other Properties
How much software does the buyer need to install?
  Does it come with the desktop operating system?
  Does it come with the browser or other software?
What third-party clearinghouse is used?
  Provide trusted relationships
  Reduce risk, complexity in processing

Virtual Money is the Currency of the Future
That future is already here
This idea is scary to many people
  Consumers (they can’t “see” it)
  Banks (many bankers don’t understand it)
  Acquirers (they want to know the difference)
  The Government (they can’t control it)
It is not unlike MO/TO transactions today

The Way Things are on the Web Today
Some payments are authorized off-line, through traditional POS terminals
  E-mail message to customer later (hopefully), confirming order and shipping information
Many merchant servers connect with payment authorization systems
  Authorization is real-time during the web session, and the sale is completed with secure server and browser software

The Way Things are on the Web Today: Secure and Un-Secure
Secure transactions via secure browsers and servers with SSL
Un-secure transactions with lack of proper encryption (account numbers sent “in the clear”) via e-mail messages
Un-secure transactions due to “export” versions of browser and/or server software

The Way Things are on the Web Today
Secure transactions do not guarantee the validity of the customer account information
  A high percentage of credit charge-backs for MO/TO transactions are for “merchandise not received”
  Address verification services can help protect you, and in some cases are required

Examples of Payment Systems (Clearing Houses)
Federal Reserve System for clearing checks
Visa and MasterCard transaction networks
American Express
Novus (Discover)

Examples of Acquirers (Processors)
First Data Corp.
Paymentech
National Data Corp.
Bank of America Merchant Services
Many processors (acquirers) process multiple brands as part of their service

Internet Payment Devices
Credit cards, debit cards
Off-line accounts
Electronic cash
Electronic checks
A Taxonomy of Approaches
transmit “16+4” over the Internet?
no
yes
yes
buyer encrypts?
buyer signs?
yes
S-HTTP
PGP
142
no
yes
no
merchant decrypts?
yes
buyer confirms?
plaintext
no
synchronous?
yes
CyberCash
SET
GlobeID
SSL
(c) David Strom, 1998
no
off-line alias
no
VirtualPIN
Different Ways to Capture
Customer
Online
Post-authorization
Batch

Online Capture
Happens simultaneously with authorization of transaction
Fastest method of capture for online merchants who can guarantee same-day shipment of goods

Post-Authorization Capture
Capture is a separate step from authorization of transaction; post-auth message instructs bank to capture transaction
Example of use is for delayed shipping of merchandise

Batch Capture
Transactions are captured in a batch mode after authorization (like post-auth capture)
Multiple authorizations are submitted at one time for capture
The batch is transmitted through gateway (CyberCash) to the bank for funds transfer and merchant account reconciliation

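As an added example (not code from the slides or from any vendor), a small Python merchant-side ledger that models the three capture methods: online capture settles at authorization time, post-auth capture sends a separate message later, and batch capture queues captures until the batch is submitted. It rejects a capture that has no matching authorization or exceeds it, and produces the reconciliation view the batch is used for. The transaction ids, amounts and the approve-any-positive-amount bank are constructed assumptions.

```python
# Added example (not the slides' or any vendor's code): a toy merchant ledger
# for the three capture methods. The gateway and bank are stand-ins; the
# constructed approval rule is that any positive amount is authorized.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class CaptureMode(Enum):
    ONLINE = "online"        # captured in the same step as authorization
    POST_AUTH = "post-auth"  # a separate post-auth message captures later
    BATCH = "batch"          # captures are queued and sent to the gateway as one batch


@dataclass
class Authorization:
    txn_id: str
    authorized: int  # amount approved by the issuer, in cents
    captured: int = 0
    settled: int = 0


class MerchantLedger:
    def __init__(self, mode: CaptureMode):
        self.mode = mode
        self.auths: Dict[str, Authorization] = {}
        self.pending_batch: List[Tuple[str, int]] = []  # (txn_id, amount) awaiting submission
        self.settled_total = 0  # what the bank has actually transferred to the merchant

    def authorize(self, txn_id: str, amount: int) -> Authorization:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if txn_id in self.auths:
            raise ValueError(f"{txn_id}: already authorized")
        auth = Authorization(txn_id, amount)
        self.auths[txn_id] = auth
        if self.mode is CaptureMode.ONLINE:
            # Online capture: authorization and capture happen together and the
            # funds move immediately (only appropriate with same-day shipment).
            self._capture(auth, amount)
            self._settle(auth, amount)
        return auth

    def capture(self, txn_id: str, amount: Optional[int] = None) -> None:
        if self.mode is CaptureMode.ONLINE:
            raise RuntimeError("online mode already captured at authorization time")
        auth = self.auths.get(txn_id)
        if auth is None:
            # Capturing a transaction that was never authorized is the
            # "lack of proper authorization" chargeback case on the slides.
            raise LookupError(f"{txn_id}: capture without authorization")
        amount = auth.authorized if amount is None else amount
        self._capture(auth, amount)
        if self.mode is CaptureMode.POST_AUTH:
            self._settle(auth, amount)  # the post-auth message goes out now
        else:
            self.pending_batch.append((txn_id, amount))  # wait for the batch

    def submit_batch(self) -> int:
        """Send every queued capture to the gateway at once; returns the count."""
        batch, self.pending_batch = self.pending_batch, []
        for txn_id, amount in batch:
            self._settle(self.auths[txn_id], amount)
        return len(batch)

    def _capture(self, auth: Authorization, amount: int) -> None:
        if amount <= 0 or amount > auth.authorized - auth.captured:
            raise ValueError(f"{auth.txn_id}: capture exceeds remaining authorization")
        auth.captured += amount

    def _settle(self, auth: Authorization, amount: int) -> None:
        auth.settled += amount
        self.settled_total += amount

    def reconcile(self) -> dict:
        """Merchant-account reconciliation: approved, captured, settled, still open."""
        auths = list(self.auths.values())
        return {
            "authorized": sum(a.authorized for a in auths),
            "captured": sum(a.captured for a in auths),
            "settled": sum(a.settled for a in auths),
            "open_auths": sorted(a.txn_id for a in auths if a.captured < a.authorized),
            "queued_for_batch": len(self.pending_batch),
        }
```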
Credit cards, debit cards
JCB, Visa, MasterCard, Discover, American Express
Buyer gets card from issuing bank
Merchant is sponsored by acquiring bank
Merchant knows buyer and authorizes payment

How Credit Cards Work
Transactions authorized against customer’s line of credit at issuer (promise to pay)
At point of settlement, cardholder’s account is charged and merchant’s account is credited
Transactions subject to chargeback to merchant under certain conditions:
Lack of proper authorization
Lack of proper identification / address verification

Plaintext Transaction Process
[Figure: buyer sends “trans” and “16+4” to merchant in plaintext; merchant holds 16+4]

S-HTTP/SSL Features
Supply 16+4 in encrypted form
Require merchant to have a cert signed by a trusted third-party
Requirement of client-side cert is a trade-off:
yes: buyer must “register” before making purchase (S-HTTP, SSLv3); or,
no: no assurance as to buyer’s identity (SSL)
Merchant site becomes a credit card repository

SSL Transaction Process
[Figure: buyer sends “trans” and E(16+4) to merchant over SSL; merchant decrypts and holds 16+4]

“Off-line” Accounts
Electronic wallets
CyberCash® Wallet
Microsoft® Wallet
Verifone® vWALLET(SM)
First Virtual®
All these may provide access to credit, debit, e-cash or electronic check accounts

“Off-line” Account Services
Credit card and other account numbers are stored by the service provider in a database, and are not transmitted to the merchant
Instead, a “PIN” is used by the customer at the point of purchase (cross-reference for actual account number)
Consumer must initiate account set-up in advance of making any purchases

How Electronic Wallets Work Today
Consumer must initiate request for electronic “wallet” software
Credit card or other account numbers are given to provider one time before any purchases are made
Account numbers, stored by provider in a database, are not transmitted; instead, a “PIN” is used to pay
Closed system: only available to participating merchants and cardholders who have signed up in advance

How Electronic Wallets Will Work in the Future
With SET protocol, will contain digital IDs with encrypted account information
Since digital IDs will be tied to specific accounts, wallets will keep track of all that information
At that point, wallets will be widely distributed and universally accepted

Interoperability is the Key
Wallets will become widely used when the following events occur:
Mass distribution of wallets to consumers is easily made
Will be accepted by all merchants, regardless of wallet brand or payment brand

Some Problems with Wallets
Not transferable to other wallets
Not available for use at all web storefronts
For eCash products, money must be moved into wallet from another account prior to use:
There may be a hold of up to seven days before the funds can be used
If your hard disk crashes, you lose the money in that account
Storage of cash in your wallet = float for your wallet provider!

Visa® Example of Electronic Wallet
www.visa.com/cgi-bin/vee/nt/sec/no_shock/virt_wallet_L.html?2+0

Visa® Example of Wallet Registration (Digital ID)
www.visa.com/cgi-bin/vee/nt/sec/no_shock/registering_L.html

CyberCash System
Three systems: CyberCash, CyberCoin, CyberCheck
CyberCash operates a gateway between acquirer and the Internet
Merchants given the choice of capture via:
SSL; or
the CyberCash Wallet
If wallet-based, merchant doesn’t see 16+4

How It Works
Buyer’s wallet receives invoice from merchant’s server
Buyer’s wallet sends sales order to merchant’s server:
signed with buyer’s public key; and,
includes 16+4 encrypted with gateway’s public key

How It Works (cont.)
Merchant sends transaction to gateway:
signed with merchant’s public key; and,
includes buyer’s sales order
Gateway verifies signature, and:
decrypts 16+4 using its private key;
submits transaction into credit card network; and,
returns results to merchant who tells buyer

CyberCash System Transaction Process
[Figure: buyer sends S(trans) and E(16+4) to merchant; merchant forwards S(trans) and E(16+4) to the 3rd-party gateway; only the 3rd party holds trans and 16+4 in the clear]

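The three-party flow above, as an added Python example (not CyberCash’s code, and not from the slides): each party signs with its own private key and the gateway checks the signature against the matching public key; the 16+4 is encrypted to the gateway’s public key, so the merchant relays it without being able to read it, and an amount altered after the buyer signed is caught at the gateway. The toy textbook RSA, its small primes, the invoice, the test card number and the stubbed card network are all constructed assumptions.

```python
# Added example (not CyberCash's code): the three-party wallet flow from the
# slides, on a deliberately tiny textbook RSA so it runs with the Python
# standard library alone. Keys from these small primes are NOT secure; they
# only make visible who can read, and who can verify, each part of the message.
import hashlib
import json
from typing import List, Optional


class ToyRSA:
    def __init__(self, n: int, e: int, d: Optional[int] = None):
        self.n, self.e, self._d = n, e, d

    @classmethod
    def generate(cls, p: int, q: int, e: int = 65537) -> "ToyRSA":
        return cls(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

    def public(self) -> "ToyRSA":
        return ToyRSA(self.n, self.e)  # copy without the private exponent

    def encrypt(self, data: bytes) -> List[int]:
        if len(data) % 2:  # two-byte blocks keep every value below n (> 65535)
            data += b"\x00"
        return [pow(int.from_bytes(data[i:i + 2], "big"), self.e, self.n)
                for i in range(0, len(data), 2)]

    def decrypt(self, blocks: List[int]) -> bytes:
        if self._d is None:
            raise PermissionError("this party holds no private key")
        return b"".join(pow(c, self._d, self.n).to_bytes(2, "big")
                        for c in blocks).rstrip(b"\x00")

    def _digest(self, message: bytes) -> int:
        return int.from_bytes(hashlib.sha256(message).digest(), "big") % self.n

    def sign(self, message: bytes) -> int:
        if self._d is None:
            raise PermissionError("this party holds no private key")
        return pow(self._digest(message), self._d, self.n)

    def verify(self, message: bytes, signature: int) -> bool:
        return pow(signature, self.e, self.n) == self._digest(message)


def canon(obj) -> bytes:  # canonical JSON: signer and verifier hash the same bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def buyer_wallet_sales_order(buyer, gateway_pub, invoice, card_16_plus_4):
    """Wallet signs the order and encrypts 16+4 to the gateway, not the merchant."""
    order = {k: invoice[k] for k in ("invoice_id", "merchant", "amount")}
    return {"order": order, "buyer_sig": buyer.sign(canon(order)),
            "enc_card": gateway_pub.encrypt(card_16_plus_4.encode())}


def merchant_forward(merchant, sales_order, tamper=False):
    """Merchant wraps the wallet's message and signs the envelope; tamper=True
    models the amount being edited somewhere on the path."""
    if tamper:
        sales_order = {**sales_order, "order": {**sales_order["order"], "amount": 99999}}
    envelope = {"merchant": sales_order["order"]["merchant"], "sales_order": sales_order}
    return envelope, merchant.sign(canon(envelope))


def merchant_can_read_card(sales_order, gateway_pub) -> bool:
    try:  # the merchant only ever holds the gateway's public key
        gateway_pub.decrypt(sales_order["enc_card"])
        return True
    except PermissionError:
        return False


def luhn_ok(pan: str) -> bool:
    total = 0
    for i, d in enumerate(int(ch) for ch in reversed(pan)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def gateway_process(gateway, buyer_pub, merchant_pub, envelope, merchant_sig) -> dict:
    """Gateway verifies both signatures, decrypts 16+4, submits to the card network."""
    if not merchant_pub.verify(canon(envelope), merchant_sig):
        return {"approved": False, "reason": "bad merchant signature"}
    so = envelope["sales_order"]
    if not buyer_pub.verify(canon(so["order"]), so["buyer_sig"]):
        return {"approved": False, "reason": "sales order altered after the buyer signed it"}
    card = gateway.decrypt(so["enc_card"]).decode()
    pan, expiry = card[:16], card[16:]
    # Constructed stand-in for the card network: format and Luhn checks only.
    if len(pan) != 16 or not pan.isdigit() or len(expiry) != 4 or not luhn_ok(pan):
        return {"approved": False, "reason": "card network declined"}
    return {"approved": True, "amount": so["order"]["amount"], "card_last4": pan[-4:]}


def run_demo(tamper=False) -> dict:
    buyer, merchant = ToyRSA.generate(10007, 10009), ToyRSA.generate(10037, 10039)
    gateway = ToyRSA.generate(10061, 10067)
    invoice = {"invoice_id": "INV-0001", "merchant": "example-store", "amount": 1999}
    # 4111111111111111 is a widely published test card number, not a real account
    so = buyer_wallet_sales_order(buyer, gateway.public(), invoice, "4111111111111111" + "1299")
    assert not merchant_can_read_card(so, gateway.public())
    envelope, sig = merchant_forward(merchant, so, tamper)
    return gateway_process(gateway, buyer.public(), merchant.public(), envelope, sig)
```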
CyberCash System Properties
Cost: modest
Direction: one-way
Validation: yes
Scale: modest
Privacy: no

What’s in a CyberCash Wallet?
Credit card accounts
Debit card accounts
PayNow™ check service (for electronic payments from checking account; like debit cards)
CyberCoin account (for “micro-payments”)

CyberCash Secure Internet Credit Card Payment
http://a.dn.cybercash.com/cybercash/info/sixsteps.html

CyberCash as a Merchant Service Provider
CyberCash provides the merchant with CashRegister software to authorize and process payments
CyberCash is neither an acquirer nor a bank, but is a provider of payment software for eCommerce (a gateway)
CyberCash provides an advanced level of encryption for financial information passed from their database to acquirers (not SSL)

CyberCash Merchant Services
Interactive Billing and Payment
Enables presentment, payment and posting of bills on the Internet (single or recurring transactions)
Works with PayNow (e-check), credit card or CyberCoin® services
Can be used for business-to-business as well as consumer payments

CyberCash CashRegister® Software
Makes all their payment services work
Integrates with a variety of operating systems and merchant storefront software
Can be used with or without consumer wallets
Non-wallet transactions are SSL-encrypted, and do not require consumer action in advance

CyberCash CashRegister® Software (cont.)
However, you must still arrange for a merchant deposit account with your bank or independent service provider
If you are having trouble setting up a merchant account with a bank, contact CyberCash for assistance

Credit Card Payment Demo
Credit card transaction with CyberCash — No Wallet
CyberCash Wallet transaction

Credit Card Settlement with CyberCash Transactions
Card data is captured for transmission in one of three ways:
Online Capture — simultaneous with authorization
Post-Authorization Capture
Batch Capture
Method of capture is determined by your merchant bank and their acquirer

CyberCash Benefits
CashRegister Software is free to merchant
Supports wallet and non-wallet payments
No additional charges to merchant — fees to CyberCash are paid by acquirers
CyberCash is presently the largest gateway service provider for Internet merchants
Their products will evolve

First Virtual Services
Today we will focus only on First Virtual’s payment service, which uses the VirtualPIN(SM)
VirtualPIN is an alias for credit or debit card
Account number is not transmitted on the Web, but credit card information is stored off-line (PIN is a cross-reference number)
Also requires a personal Internet e-mail address

VirtualPIN
www.fv.com
System: operational in 1994
Financial Institutions: First Data, First USA, GE Capital
PKC is optional, but based on PGP
Two kinds of accounts: pioneer and express

FV Merchant Pioneer Accounts
Minimal start-up cost allows for anyone to start a business and sell on the Internet
Does not require that you already have a merchant credit card account
Drawback: There is a holding period of 90 days for each transaction before merchant receives payment (to cover risk of chargebacks)

FV Merchant Express Accounts
For merchants who already accept credit cards
Requires solid financial history and excellent credit record
Existing merchant account must have low chargeback rate
Payout period is four days after transaction is processed
Application Fee: $350 non-refundable

VirtualPIN Properties
Cost: modest
Direction: one-way
Validation: maybe
Scale: modest
Privacy: yes

VirtualPIN Features
Originally tailored for software downloads, in which merchant carries risk of non-payment
Also supports hard-goods, in which issuer authorization triggers shipment
Acts as a “factor” for pioneer service, but imposes 91-day wait to minimize fraud
Performs accumulation of small charges, depending on business relationship with merchant

Electronic Cash (e-cash)
CyberCoin®
Service of CyberCash, part of Wallet
Currently available with Microsoft Wallet
Mondex®
Licensed by MasterCard International, Inc.
Smart card-based system
Digicash®

DigiCash’s Ecash
www.digicash.com/ecash/
System: trial in 1995; and, live in 1996
Multiple participating Ecash issuers:
DE: Deutsche Bank
FI: EUnet of Finland
US: Mark Twain Bank

Ecash Features
Issuing banks convert funds into Ecash
Digital signatures bind issuer to Ecash
Ecash is transferable among third-parties
Issuing banks redeem Ecash, and are responsible for detecting double-spending

How It Works
Buyer’s wallet generates token
token is transmitted to issuer
Issuer debits amount from buyer’s account, signs token, and sends it back to buyer
Buyer sends token to merchant
Merchant’s wallet transmits token to issuer
Buyer and merchant have relationship with the same financial institution

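The token flow just described, as an added Python example (not DigiCash’s code, and not from the slides): the wallet generates the token, the issuer debits the account and signs it, the merchant’s wallet deposits it, and the issuer credits a serial exactly once, rejecting the same token presented again. The issuer’s digital signature is stood in for by an HMAC under an issuer-only key (enough here, since on the slides only the issuer validates tokens); account names and balances are constructed. Real Ecash blind-signed the token so the issuer could not link withdrawal to deposit, which this toy omits.

```python
# Added example (not DigiCash's code): the Ecash flow on the slides reduced to
# the issuer-side checks. An HMAC under an issuer-only key stands in for the
# issuer's digital signature; blinding (the real system's privacy property)
# is left out, so only double-spend detection is shown.
import hashlib
import hmac
import secrets
from typing import Dict, List, Set


class Issuer:
    """Issuing bank: converts account funds into tokens and redeems each once."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key          # its disclosure is the "biggest risk" on the slides
        self.accounts: Dict[str, int] = {}
        self._redeemed: Set[str] = set()  # serials already deposited

    def _sig(self, serial: str, amount: int) -> str:
        return hmac.new(self._key, f"{serial}:{amount}".encode(), hashlib.sha256).hexdigest()

    def withdraw(self, account: str, serial: str, amount: int) -> dict:
        """The wallet sends its freshly generated serial; the issuer debits and signs."""
        if amount <= 0 or self.accounts.get(account, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[account] -= amount
        return {"serial": serial, "amount": amount, "sig": self._sig(serial, amount)}

    def redeem(self, account: str, token: dict) -> str:
        """A wallet forwards a token it received; the issuer credits it exactly once."""
        expected = self._sig(token["serial"], token["amount"])
        if not hmac.compare_digest(token["sig"], expected):
            return "forged"        # amount or serial altered, or not this issuer's token
        if token["serial"] in self._redeemed:
            return "double-spend"  # the same token was presented before
        self._redeemed.add(token["serial"])
        self.accounts[account] = self.accounts.get(account, 0) + token["amount"]
        return "ok"


class Wallet:
    """Buyer and merchant run the same wallet software (peer-to-peer system)."""

    def __init__(self, owner: str, issuer: Issuer):
        self.owner, self.issuer = owner, issuer
        self.tokens: List[dict] = []

    def withdraw(self, amount: int) -> dict:
        serial = secrets.token_hex(16)   # the wallet, not the bank, generates the token
        token = self.issuer.withdraw(self.owner, serial, amount)
        self.tokens.append(token)
        return token

    def pay(self, other: "Wallet", token: dict) -> None:
        self.tokens.remove(token)
        other.tokens.append(dict(token))  # a copy: the payer could keep one, hence the issuer check

    def deposit_all(self) -> List[str]:
        results = [self.issuer.redeem(self.owner, t) for t in self.tokens]
        self.tokens = []
        return results


def run_demo() -> dict:
    bank = Issuer(secrets.token_bytes(32))
    bank.accounts.update({"alice": 1000, "shop": 0})  # constructed balances, in cents
    alice, shop = Wallet("alice", bank), Wallet("shop", bank)
    token = alice.withdraw(500)
    alice.pay(shop, token)
    first = shop.deposit_all()                          # the legitimate deposit
    replay = bank.redeem("shop", token)                 # same serial presented again
    forged = bank.redeem("shop", {**token, "amount": 5000})
    return {"first": first, "replay": replay, "forged": forged, "balances": dict(bank.accounts)}
```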
Ecash Properties
Cost: low
Direction: two-way
Validation: yes
Scale: modest
Privacy: yes

Buyer Impact
Buyer must establish Ecash account
Buyer must “provision” wallet software
Desktop crashes a concern

Merchant Impact
Identical to buyer impact:
Ecash is a peer-to-peer system (bi-directional)

Financial Institution Impact
Biggest risk is disclosure of secret key
Because buyer generates token, storage subsystem is more complex; so, overall system is likely less scalable

Mark Twain Bank is Worth Looking At:
www.marktwain.com/digifaq.html#Help
Look at their customer support disclaimer — they get an “A” for honesty!

Payment Systems for SSL
ICVerify, www.icverify.com
Worldpay/PSI www.psi.net/worldpay
Service providers

Other Merchant Providers to Consider
Online Financial Services (OFS), http://ofs.web-charge.com/signup1.html
Internet Secure, www.internetsecure.com
Redi Check / Redi Charge, www.redi-check.com
Merchant Account Services, Provo, Utah 1-801-765-1111

ICVerify Process
Customer submits 16+4 through SSL browser connection
Merchant software records to a file
ICVerify submits to bank
ICVerify receives response from bank, creates answer file
Merchant software retrieves answer, sends response to customer
No per transaction fee!

Supported Merchant Servers for ICVerify
MS Merchant, Commerce
Oracle Payment
Mercantec SoftCart
Internet Factory Merchant
InterShop Online

ICVerify Demo Download
www.icverify.com/library/downloads/icvdemo20.html

Setting up Merchant Account
Providers to consider
How to compare services
Choices in setting up account, fees

All Merchant Providers Are Not the Same
Compare services
Which cards do they authorize?
Do they provide electronic check services?
Do they provide check guarantee services?
Compare prices
Start-up fees
Monthly discount fees
Other service fees (per transaction)
Statement generation fees

Four Choices for Setting Up a Merchant Account
Join an eMall and process through them
Contract with an independent service provider (ISP)
Buy a software suite that includes merchant account set-up
Go to your local bank and set up your own merchant account
If they’ll take you, this may give you the best discount rate

Range of Credit Card Fees
(Your Bank vs. eMall or ISP Provider)
Discount Rate: 1.5% - 5.0%
Application Fee: $100 - $300
Discount Rate: 1.5% - 5.0%
Per Transaction: .20 - .30
Monthly Fee: $10 - $25 (service / statement fee)
Chargeback Fee: Up to $25
Chargeback Reserves: Up to 10% of sales, for up to six months

Regulations governing electronic commerce transactions
Visa / MasterCard Operating Regs: Credit Card Rules for acquirers and merchants
Fair Credit Billing Act
Debit Card Rules: Regulation E
Consumer Telephone Protection Act: Can Internet Protection Act be far behind?
Privacy Principles: Yet to be mandated, but inevitable; and generally a good idea

What About Privacy?
Anonymity issues
Confidentiality issues
Disclosure issues
Name and address info
Disclosure of transaction to a third party
Merchant’s identity

Privacy Issues for the Consumer
Most people just want to be asked for their permission
Your customers don’t object so much if you use their information to sell them other products you may offer
But many object if you sell or rent their names to someone else

“Data Mining”: How much is enough?
You have the opportunity to build a customer database for future sales
To what degree do you slice and dice?
If you slice too fine, are you missing opportunities?
This leads to more privacy issues

Topic 5: Choosing the Right eCommerce Path

Four Approaches:
Join an eMall
Outsource to an ISP
Buy suite of software
DIY

Joining an eMall
Only if you don’t have any in-house programming staff
Don’t want or can’t trust consultants to do it for you
Want someone else to handle payment processing
Don’t care whether your store is tied into your own financial system

The Mall of eMalls
malls.com, of course!

Different Kinds of eMalls
Collection of independent links elsewhere
Landlord/hosting provider
Become a sales representative for an eMall and Make Money Fast!

Evaluating eMalls
Do they offer storefront design?
Have in-house programmers?
Hosting of your own web?
How many payment systems do they support?
What kinds of accounting reports do they offer?
Who are the other tenants and do you like them?

The Truth about Internet Malls
Read your contract
Check your site for errors
Evaluate your content
Measure your results
Promote your site
(from www.netrageous.com/reports/thetruth.html)

Reasons Not to Join an eMall:
You know and like perl
Don’t have to take payment via the web
Want complete control over your site

The Results So Far Haven’t Been Encouraging
Many store owners haven’t sold anything from the mall!
Over 90% dissatisfied with mall operator
Basic HTML errors and unresponsive staff to fix problems

The Catch-22 of eCommerce:
To be successful, a software vendor has to promote his products via the Internet.
But this means eating one’s own dog food!

Leading USA eMalls
ViaWeb, www.viaweb.com: $100/month, all done with a browser
Internet Mall, www.internetmall.com: $150 + $15/mo, % of each transaction
Blue Money, www.bluemoney.com: Outsourced payments and catalogs

Find an ISP
More ISPs are offering eCommerce solutions
Have to use their software standards and payment schemes
Could be pricey
Just catching on in USA

Some Examples
www.psi.net/web/ecommerce.shtml
www.Best.com/bizcomm.html
www.Brainlink.com/html/saleslink.htm
www.Earthlink.net/company/webservices.html
IBM: mypage.ihost.com
www.Netcom.com
business.Mindspring.com/prod-svc/smbiz/
www.Mindrush.com/
www.outer.net/ONCommerce (OuterNet)

Price Comparison for ISP hosting
Provider | Setup fee (US$) | Monthly fee (US$) | Plan name, payment options
IBM | 260 | 55 | Bronze, credit cards
Earthlink | 624 | 194 | Premium Plus
Netcom | 450 | 300 | Commerce Site, credit cards
Mindspring | 175 | 324 | Commercial Advantage, credit cards, Cybercash

Price Comparison assumptions
10 Mb disk storage
Single email account
InterNIC $100 fee included for domain name

New Approaches: GeoShop, Tripod
Builds on GeoCities “communities” but for merchants (www.geocities.com/join/geoshops)
$25/month for just commercial listings
$180/month (or more!) for actual transactions, working with Internet Commerce Services Corp. who uses Open Market Transact servers
Tripod will offer something similar this summer

One Way to Support Lots of Payment Systems
Wired-2-Shop
www.wired-2shop.com/TestDrive/Admin/PaymentList.asp

The Suite Approach
Leading contenders
What is part of the suite and what isn’t
Prices and platforms

Popular eCommerce Suites
Vendor, Product | Version | Price | Platform
ICat, Elec Comm Suite | 3.0 | $9000 | NT, 95
IBM, Net.Commerce | 3.0 | $5000 | NT, AIX
Microsoft, SiteServer Commerce | 3.0 | $5000 | NT

Popular eCommerce Suites (cont.)
Vendor, Product | Version | Price | Platform
Open Market, OM Transact | 2.3 | $250,000 | Unix
Intershop, Intershop Online | 3.0 | $5000 | NT, Unix
O'Reilly, WebSite Pro | 2.0 | $800 | NT, 95

Four Typical Elements
Catalog
Storefront designer
Ordering/inventory system
Shopping cart/check out system

The Cold Hard Reality of Suites
Suites are nothing more than collection of products
Lack integration among various elements
Difficult to setup, customize, and use
Require you to live “inside” their structure
Limited payment options
Sounds like early MS Office

Payment Systems Included in Each Suite
Microsoft: Verifone, Buy Now
IBM: Verifone, SET, eTill
iCat: None (but many third parties)
OpenMarket: Verifone
WebSite Pro: InternetSecure, CyberCash
Intershop: CyberCash, ICVerify, others

Sample Stores Included in Each Suite
Microsoft: 4 stores
IBM: eMall, simple and advanced sample stores
iCat: 1 hardware store
OpenMarket: none
WebSite Pro: 1 bookstore
Intershop: 3 stores

Databases Supported in Each Suite
Microsoft: SQL Server
IBM: DB2
iCat: 4D, Sybase SQL Anywhere
WebSite: Access
Intershop: Sybase SQL 11

Dealing With ODBC
Have to understand how to set up data sources
Intimate knowledge of your data structure
Re-install ODBC drivers at least once!
Best to start with built-in database

Store Wizards Included in Each Suite
WebSite Pro (but doesn’t do much)
Intershop (various wizards)
net.Commerce v3
MS Commerce:
create appearance
navigation
registration, check out flows
payment methods

Tips
Don’t install anything before making sure you have everything!
Downloads for free, but they expire
Can you export existing files to these systems?

WebSite Professional
website.ora.com
Version 2, shipping since 9/97
US$799!
NT (or 95)
Supports Cybercash OR Internet Secure (Visa, MC)
One sample store (bookstore)

Sample storefront
http://merchant.inline.net/admin/

WebSite Configuration Sheet

Store Properties
Only can operate a single payment system
Run on a series of Access databases
Built-in tax table, but for N.Americans!
Well documented data structures in typical O’Reilly fashion

Recommendations
Lowest priced suite by far!
iHTML is robust, but will take some learning
Nice store setup and organization of catalog
Good low-end solution
See Infoworld review

Intershop
demo at presentation.intershop.com (admin/admin for store)
Includes Sybase SQL 11
US$5000, includes 3 mos. support

Seven Different Managers
Catalog
Products
Store
Purchases
Inventory
Customers
Admin

Characteristics
Everything managed via browser, which can get tedious
But you already have a database behind it

Payment Options galore

Recommendations
Most flexible payment options of any suite
Better at processing orders than site creation
Not good for large catalogs

Microsoft SiteServer Commerce
Still evolving
More of a development platform than a suite
Closely tied to IIS, SQL Server et al.

Shopping with MS Commerce

MS Commerce

Recommendations
If you are going to use any other MS apps
If you believe developers will follow
If you must stay on the cutting edge of MS products

Commerce Server Specifics
NT, fast Pentium with 128 M RAM essential
US$5000
www.microsoft.com/commerce

iCat Electronic Commerce Suite

iCat Process
Use four-step process
Make changes to staging db
Use designer and built-in catalog
Then post changes to production db

Create Your Database
Can use bundled Sybase SQL Anywhere
Enter upsells, promotions, and discounts

Design Your Templates
Look and feel of storefront
Design views of catalog

Setup Your Hard Disk
Locate your files
Setup your web server

Set Misc. Options
Matching sales tax rates to zip codes
Use registration and indexing tools

iCat Demo Catalogs
www.icat.com/catalogs/democats.htm
Demonstrate variety of options
Several different stores to view

Recommendations
No wizards, all browser-based forms
Tedious but straightforward
Lots of third-party add-on tools
Best for people new to db or the ‘net
Best if you don’t have computer-based accounting system yet

iCat Specifics
NT, fast Pentium with 128 M of RAM
US$9000 for professional version
www.icat.com

IBM Net.Commerce

Included
IBM’s Go Web Server
DB2 database
Shopping trolley system
Credit card verifier, eTill software

Several ways to setup your store
Use nine-step wizard with populated catalog
Use wizard with empty catalog
Start from scratch
Import existing databases

Recommendations
Great if you already use DB2 for inventories
Most security-conscious suite
More depth than iCat
Start with all IBM defaults to save time

Net.Commerce Specifics
NT, fast Pentium with 64 M of RAM
AIX, 390, OS/400, Solaris
US$5000 Basic, $20,000 Pro
www.internet.ibm.com/net.commerce

New in version 3.1
“Intelligent Catalog”
Java-based wizards to setup and manage store
Recognizes shopping preferences and upsells
New SET payment server but not worth using
Integration with Domino Merchant
Screencam demo

Domino Merchant v2.0
Uses Notes server, but not Notes clients
Payments, catalogs, wizards galore
Easy to setup, difficult to add products
A good entry-level product for now
Screencam demo

OpenMarket
High end solution
Worldnet offers hosting of OM servers
Still needs customization!

Recommendations
If you can afford it ....
Really the price covers lots of consulting time
High transactions and throughput needs

OpenMarket Specifics
Various Unix
US$250,000 and up!
www.openmarket.com

Do it Yourself Path
Traditional merchant banking approach
More risk, especially when your payment system is on the ‘net

Steps Involved for DIY’ers
Get a web server
Get merchant software
Integrate with your back end systems:
catalogs
inventory
customer accounts
Be prepared to do lots of coding

The 90s Help Wanted
Wanted: Webmaster
Required skills: High proficiency in various web based programming, development tools, CGI, cookies, DNS, eCommerce, FTP, HTML 2.0 through 3.02, IIS Server admin, Javascript, Java, MS SQL, Netscape server admin, NT Server admin, perl, Unix admin, web security

One DIY solution
IIS
PerlShop shopping cart
OuterNet Commerce ISP hosting site
First American Payment Systems
Verisign certificates
Fees: $800 setup, $500/yr, $50/month
What isn’t working: perl scripts to make credit card payments!

Topic 6: Installing and Operating Your Own Storefront
What you need to know
What you need to buy

You Need to be a Superhero:
Part web designer
Internet technologist
SQL database admin
Payment system maven

Things You’ll Need to Discover
Are your sales and marketing staff web-savvy?
Is your accounting system adaptable to web purchases?
How do you reconcile these accounts?
Does your business owner understand Internet culture?
Can anyone find you?

Dealing with search engines
Some use <META>, some use <TITLE>
Keep descriptions at top of your home page short and sweet
Web Review article: webreview.com/97/10/17/webmaster

The Most Under-rated Skill: PATIENCE!

Components Needed to Operate a Web Storefront
Database of items to sell and current inventories
Secure web server
Searchable catalog server
Connections to backend payments and financial servers
Shopping cart system
Checkout/payment system
Don’t forget about security!

Which Database Server?
Pick before anything else
Core of your store revolves around the database:
inventory system
accounting system
catalog system

Database Server Recommendations
Use existing client/server db if possible
SQL Server: best with MS tools
Oracle: if you know pSQL already
Informix: all other situations

Database/web Tools
Develop your own forms
Query your database
Develop your own catalog

Why is a Catalog Important?
Your customers’ view of your store
Current with your own inventory and offerings
Don’t want to sell what you don’t have

Catalog Software
Cadis.com, US$1500
Centor.com, US$50,000
Dataware.com, US$1800
Elekom.com, US$25,000
Isadra.com, US$10,000

Other catalogs
Products: Icat (www.icat.com); Intershop (www.intershop.com); CatSmart; WebCatalog (www.pacificcoast.com); Cat@log (www.thevisionfactory.com); Impulse (www.inetrep.com)
Price ranges: US$3-10,000; 3-8,000; 2500; 10,000; 3-4000; <$1000

Another choice: outsourced catalog!
ShopSite
IBM Home Page Creator mypage-products.ihost.com (N. America only)
Mindspring with Mercantec

ShopSite demo
www.reliablehost.com/cgi-bin/bo/start.cgi
username: test8
password: test

Tool Recommendations
Cold Fusion, www.allaire.com
Sapphire/Web, www.bluestone.com

Which Web Server?
Hundreds to choose from
Must support SSL and/or SHTTP
Platform isn’t important, really

Get Your Certificates in Order
Bring up form inside web server
Send to CA on letterhead with credit card (!)
Receive cert from CA
Install on your web server

What can a Shopping cart do?
Simplify ordering process
Track multiple purchases for a single visitor
Display items purchased
Calculate total prices, tax, shipping charges
Track item attributes (colors, styles, sizes)

Different Shopping cart Methods
Account-based
Cookie-based; see www.cookiecentral.com
Encoded URLs

Shopping cart Programs
S-Mart: www.rcinet.com/~brobison/scripts
Minishop: www.egrafx.com/minishop
mvend: www.iac.net/~mikeh/mvend.html
PerlShop: www.arpanet.com/perlshop

Commercial Programs
Internet Shopping Cart Server: www.webisland.com/cart
Rent-A-Cart: www.rent-a-cart.com
CyberCart: www.lobo.net/~rtweb
AutoCart: www.autocart.com/Autocart
WebCart: www.staff.net/webcart.html
SoftCart: www.mercantec.com
WWWOrder: www.virtualcenter.com/scripts2/WWWOrder.html

Shopping cart Example
www.asizip.com (SoftCart)
Shopping basket
Cookies to track purchases
Simple navigation

Payment Choices
Use gateway (CyberCash, ICVerify) or service provider?
Do you need support for multiple currencies?
Do you have to host your store elsewhere?
Do you understand the fee structure?

Again, Merchant Providers Differ
Compare services
Which cards do they authorize?
Do they provide electronic check services?
Do they provide check guarantee services?
Compare prices
Start-up fees
Monthly discount fees
Other service fees (per transaction)
Statement generation fees

WorldPay and PSI
Multicurrency payments
>100 for product prices
16 different ones for settlement
Have to host your web at PSI
Includes SoftCart and iCat software as well
US$1000 + US$1400/yr

WorldPay Demo
www.worldpay.com/demo/store.html

Prices of Typical Products
Product | Type | Price
Inex | Accounting | US$6000
SoftCart | Shopping Cart | 900
MallManager | Catalog | 2000
WebCatalog | Catalog | 1600
Saqqara | Search tool | 700
VPOS | Payment server | 2500
WebMate | Development tool | 750

Inex Demo
Financial backend strength
Store front and some aspects of suite
www.inex-corp.com

Don’t Forget About Security
Make sure you protect your web site!
See “Ten ways” article from Winn Schwartau
Limit access, isolate servers, lock down scripts, so forth
See www.nwfusion.com/netresources/0202hack1.html

What About Web Server Load Balancing?
Resonate, HydraWeb, Cisco
IBM Interactive Network Dispatcher, www.ics.raleigh.ibm.com/netdispatch
Packeteer PacketShaper, www.packeteer.com
Others at www.techweb.com/se/directlink.cgi?NWC19970801S0026

Putting Together Your Own Solution
Mercantec shopping cart
SQL Server database
ICVerify payment system
WebCatalog
IIS web server
Total price: <US$10,000

Don’t Forget the Process and People
Put together policies and procedures book that describe what you did
Gather forms for your business partners to sign up for ISPs if needed
Document how to make changes to your product catalog via the web
Approach your trading partners with solutions, not problems!

Conclusions
eCommerce crosses many different skill sets
Software is still too dicey in many areas
Standards aren’t much use right now
Suites don’t offer much in the way of integration
DIY may be the best solution

Summary
If all this information seems overwhelming...
New environments are always scary
Awareness and curiosity are the keys to taking advantage of new opportunities
You don’t have to know everything about it — you just need to know where to get the answers.
“Everyone is ignorant, only on different subjects.” -- Will Rogers

Some eCommerce Resources
Web Review article on NT, Mac Suites: webreview.com/98/01/23/feature/
Windows Sources reviews of 3 eCommerce suites: web1.zdnet.com/wsources/content/0697/ntadmin.html
My Infoworld reviews: www.strom.com/pubwork/iworld.html
www.webcompare.com, all the web servers you could ask for
PC Magazine review of various products: www5.zdnet.com/products/content/pcmg/1620/pcmg0024.html

Useful SET References
www.dc.net/gtill/set1.htm
Gregory J. Till, US Treasury Dept. attorney
Document details the implications of SET for merchants
www.visa.com
www.mastercard.com
www.setco.org

Useful Cryptography References
www.rsa.com
www.counterpane.com
www.pipeline.com
Richard Field, Esq. (US attorney specializing in payment systems and electronic commerce)

Merchant Payment References
www.cybercash.com
www.firstdatacorp.com
www.firstvirtual.com

History of money References
www.frbsf.org
www.firstdatacorp.com
www.mastercard.com

For future reference
Copy of this presentation (Powerpoint): www.strom.com/pubwork/tokyo98.ppt
And resources: www.strom.com/pubwork/ecommerce

Acronyms
B2B Business to business
DIY Do It Yourself
EBP Electronic Bill Presentment
URLs Universal Resource Locator
SSL Secure Sockets Layer
OFX Open Financial Exchange
SHTTP Secure web protocol HTTP

More Acronyms
ACH Automated Clearing House
CA Certificate Authority
ISP Independent Service Provider
MAC Message Authenticity Check
MICR Magnetic Ink Character Recognition
MO/TO Mail Order/Telephone Order
NACHA National Automated Clearing House Association
PIN Personal Identification Number
PKC Public Key Cryptography
POS Point of Sale
RSA Rivest, Shamir and Adleman

Thanks!
Review
Q&A
David Strom
+1 516 944 3407
[email protected]