
Merchant Ecommerce Business Model

The merchant e-business model is the online version of your local store. If you can name it, you
can find an online store selling it. Some of these businesses have both a brick-and-mortar store
and an Internet store, but the great majority are solely online.
They accept online payment methods and ship the merchandise to the customer, or they use a
third-party online shipping and warehousing service. These companies warehouse and ship goods
directly to the customer on your behalf, meaning no product handling or postage for you!

Advertising Ecommerce business model


The advertising e-business model is based on your daily newspapers and monthly magazines.
You collect revenue either by renting a small space on your pages or by getting paid for every
click on the ad.
Google AdSense is a perfect example of this. There are many online advertising companies out
there for you to explore.
Advertising should always be targeted directly at the readers to complement your website's
content. Most advertising companies are good at doing this job for you, but I am still amazed at
how many sites get it wrong!

Affiliate Ecommerce business model


The affiliate e-business model is based on commission sales. You do not have to buy the product
to resell it, and you are not involved in handling or shipping. All of this is done by the parent
company. You simply redirect the customer from your own website to the product on the parent
company's website, and if they make a purchase you earn a commission.
Amazon is a good example of a parent company. They were, in fact, the first company to use this
method of selling, allowing anyone to sell Amazon's merchandise and earn a commission.
There are many reputable affiliate programs for you to join and earn commissions from.

Brokerage Ecommerce business model


The brokerage e-business model is a website that brings two parties together to conduct
business. The best example of this is online auctions such as eBay. However, it is not limited to
online auctions: online real estate, business brokers, boat brokers etc. also use this method. They
generally collect a fee for their service, which can be worked out on a percentage basis or as a
set fee.

Information Ecommerce business model


The information e-business model is based largely around specialized information on a particular
subject. These websites can attract a large following of people interested in their specific field of
knowledge and will use e-commerce business models other than their specialized information to
create revenue.

Subscription Ecommerce business model


In the Subscription e-business model customers pay a set fee on a monthly or yearly basis to get
access to the products or services of the company. Some good examples of this model are online
newspapers or magazines, adult websites, and Internet service providers.

Security in E-Commerce

privacy: information must be kept from unauthorized parties.

integrity: message must not be altered or tampered with.

authentication: sender and recipient must prove their identities to each other.

non-repudiation: proof is needed that the message was indeed received.

Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a
public key and decrypted by a private key. The public key is widely distributed, but only the
recipient has the private key. For authentication (proving the identity of the sender, since only the
sender has the particular key) the encrypted message is encrypted again, but this time with the
sender's private key. Such procedures form the basis of RSA (used by banks and governments)
and PGP (Pretty Good Privacy, used to encrypt emails).
Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often
used only as a first step to allow two parties to agree upon a key for symmetric secret key
encryption. Here sender and recipient use keys that are generated for the particular message by a
third body: a key distribution center. The keys are not identical, but each is shared with the key
distribution center, which allows the message to be read. The symmetric keys are then encrypted
in the RSA manner, and rules are set under various protocols. Naturally, the private keys have to
be kept secret, and most security lapses indeed arise here.

Digital Signatures and Certificates


Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as
throughout this page), a plain text message is run through a hash function and so given a value:
the message digest. This digest, the hash function and the plain text encrypted with the recipient's
public key are sent to the recipient. The recipient decodes the message with their private key, and
runs the message through the supplied hash function to check that the message digest value
remains unchanged (the message has not been tampered with). Very often, the message is also
timestamped by a third-party agency, which provides non-repudiation.

What about authentication? How does a customer know that the website receiving sensitive
information is not set up by some other party posing as the e-merchant? They check the digital
certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte,
etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants
and web-servers.

Secure Socket Layers


Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission
Control Protocol / Internet Protocol). The information is broken into packets, numbered
sequentially, and an error control attached. Individual packets are sent by different routes.
TCP/IP reassembles them in order and resubmits any packet showing errors. SSL uses PKI and
digital certificates to ensure privacy and authentication. The procedure is something like this: the
client sends a message to the server, which replies with a digital certificate. Using PKI, server
and client negotiate to create session keys, which are symmetrical secret keys specially created
for that particular transmission. Once the session keys are agreed, communication continues with
these session keys and the digital certificates.

PCI, SET, Firewalls and Kerberos


Credit card details can be safely sent with SSL, but once stored on the server they are vulnerable
to outsiders hacking into the server and the accompanying network. For this reason a PCI
(peripheral component interconnect: hardware) card is often added for protection, or another
approach altogether is adopted: SET (Secure Electronic Transaction). Developed by Visa and
Mastercard, SET uses PKI for privacy, and digital certificates to authenticate the three parties:
merchant, customer and bank. More importantly, sensitive information is not seen by the
merchant, and is not kept on the merchant's server.
Firewalls (software or hardware) protect a server, a network and an individual PC from attack by
viruses and hackers. Equally important is protection from malice or carelessness within the
system, and many companies use the Kerberos protocol, which uses symmetric secret key
cryptography to restrict access to authorized employees.

Transactions

Sensitive information has to be protected through at least three transactions:

1. Credit card details supplied by the customer, either to the merchant or to the payment
gateway. Handled by the server's SSL and the merchant/server's digital certificates.
2. Credit card details passed to the bank for processing. Handled by the complex security
measures of the payment gateway.
3. Order and customer details supplied to the merchant, either directly or from the payment
gateway/credit card processing company. Handled by SSL, server security, digital
certificates (and sometimes the payment gateway).

Secure Socket Layer (SSL)

The SSL certificate is issued to the server by a certificate authority authorized by the
government. When a request is made from the shopper's browser to the site's server using
https://..., the shopper's browser checks whether this site has a certificate it can recognize. If
the site is not recognized by a trusted certificate authority, then the browser issues a warning
as shown. As an end-user, you can determine if you are in SSL by checking your browser.
For example, in Mozilla Firefox, the secure icon is at the top in the URL entry field.

Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's
computer and the site's server. When an SSL-protected page is requested, the browser
identifies the server as a trusted entity and initiates a handshake to pass encryption key
information back and forth. Now, on subsequent requests to the server, the information
flowing back and forth is encrypted so that a hacker sniffing the network cannot read the
contents.

Short for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting
private documents via the Internet. SSL uses a cryptographic system that uses two keys to
encrypt data: a public key known to everyone and a private or secret key known only to
the recipient of the message. Both Netscape Navigator and Internet Explorer support
SSL, and many Web sites use the protocol to obtain confidential user information, such as
credit card numbers. By convention, URLs that require an SSL connection start with
https: instead of http:.

How Encryption Works


Imagine sending mail through the postal system in a clear envelope. Anyone with access to it can
see the data. If it looks valuable, they might take it or change it. An SSL Certificate establishes a
private communication channel enabling encryption of the data during transmission. Encryption
scrambles the data, essentially creating an envelope for message privacy.

Each SSL Certificate consists of a public key and a private key. The public key is used to
encrypt information and the private key is used to decipher it. When a Web browser points to a
secured domain, a Secure Sockets Layer handshake authenticates the server (Web site) and the
client (Web browser). An encryption method is established with a unique session key and secure
transmission can begin. True 128-bit SSL Certificates enable every site visitor to experience the
strongest SSL encryption available to them.

How Authentication Works

Imagine receiving an envelope with no return address and a form asking for your bank account
number. Every VeriSign SSL Certificate is created for a particular server in a specific domain
for a verified business entity. When the SSL handshake occurs, the browser requires
authentication information from the server. By clicking the closed padlock in the browser
window or certain SSL trust marks (such as the VeriSign Secured Seal), the Web site visitor
sees the authenticated organization name. In high-security browsers, the authenticated
organization name is prominently displayed and the address bar turns green when an Extended
Validation SSL Certificate is detected. If the information does not match or the certificate has
expired, the browser displays an error message or warning.

Why Authentication Matters


Like a passport or a driver's license, an SSL Certificate is issued by a trusted source, known as
the Certificate Authority (CA). Many CAs simply verify the domain name and issue the
certificate. VeriSign verifies the existence of your business, the ownership of your domain name,
and your authority to apply for the certificate: a higher standard of authentication.
VeriSign Extended Validation (EV) SSL Certificates meet the highest standard in the Internet
security industry for Web site authentication, as required by the CA/Browser Forum. EV SSL
Certificates give high-security Web browsers information to clearly display a Web site's
organizational identity. The high-security Web browser's address bar turns green and reveals the
name of the organization that owns the SSL Certificate and the SSL Certificate Authority that
issued it. Because VeriSign is the most recognized name in online security, VeriSign SSL
Certificates with Extended Validation will give Web site visitors an easy and reliable way to
establish trust online.

What is SSL and what are Certificates?


The Secure Socket Layer protocol was created by Netscape to ensure secure transactions
between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA),
to identify one or both ends of the transaction. In short, this is how it works:
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted
root CA), that the certificate is still valid and that the certificate is related to the site
contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and
sends it to the server with the encrypted URL required as well as other encrypted HTTP
data.
5. The web server decrypts the symmetric encryption key using its private key and uses the
symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data encrypted with the
symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and
displays the information.
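Steps 4 to 7 above, and the earlier remark that PKI is used only as a first step to agree a symmetric key, played out in one process. This is an added example written for this page, not code from the original text or from any SSL implementation: the browser wraps a random 256-bit session key with the server's RSA public key (RSA-OAEP), the server unwraps it with its private key, and both sides then carry the HTTP data under AES-256-GCM, which also rejects any data that was altered in transit (the text's "error control" for the encrypted layer). The server key pair is generated inline, the request and response strings are constructed samples, and the function names (WrapSessionKey, Seal, RunExchange and so on) are this example's own. Step 3, the certificate check, is not performed here; the server's public key is taken as already trusted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapSessionKey is step 4 on the browser side: draw a random 256-bit key and seal it with RSA-OAEP.
func WrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey is step 5 on the server side: only the private key can recover the session key.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts HTTP data under the session key with AES-256-GCM; the random nonce is prefixed.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the key is wrong or any byte was changed in transit.
func Open(sessionKey, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// RunExchange plays both sides of steps 4 to 7 and returns what each side decrypted.
func RunExchange(request, response string) (serverSaw, browserSaw string, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // public half is what the certificate carries
	if err != nil {
		return "", "", err
	}
	sessionKey, wrapped, err := WrapSessionKey(&serverKey.PublicKey) // browser, step 4
	if err != nil {
		return "", "", err
	}
	encReq, err := Seal(sessionKey, []byte(request))
	if err != nil {
		return "", "", err
	}
	serverSession, err := UnwrapSessionKey(serverKey, wrapped) // server, step 5
	if err != nil {
		return "", "", err
	}
	req, err := Open(serverSession, encReq)
	if err != nil {
		return "", "", err
	}
	encResp, err := Seal(serverSession, []byte(response)) // server, step 6
	if err != nil {
		return "", "", err
	}
	resp, err := Open(sessionKey, encResp) // browser, step 7
	if err != nil {
		return "", "", err
	}
	return string(req), string(resp), nil
}

func main() {
	req, resp, err := RunExchange("GET /cart HTTP/1.1", "HTTP/1.1 200 OK") // constructed sample traffic
	if err != nil {
		panic(err)
	}
	fmt.Printf("server received %q, browser received %q\n", req, resp)
}
```

The point of the split is the one the text makes: the RSA operation happens once, on 32 bytes, and everything after it is symmetric. GCM is chosen over a bare block cipher so that a flipped byte makes Open return an error rather than hand the application corrupted data.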
Several concepts have to be understood here.

1.2.1. Private Key/Public Key:


Encryption using a private key/public key pair ensures that data encrypted by one key can only
be decrypted by the other key of the pair. This is sometimes hard to understand, but believe me,
it works. The keys are similar in nature and can be used alternately: what one key encrypts, the
other key of the pair can decrypt. The key pair is based on prime numbers, and its length in bits
determines the difficulty of decrypting the message without the key pair. The trick in a key pair
is to keep one key secret (the private key) and to distribute the other key (the public key) to
everybody. Anybody can send you an encrypted message that only you will be able to decrypt.
You are the only one to have the other key of the pair, right? Conversely, you can certify that a
message is coming only from you, because you have encrypted it with your private key, and only
the associated public key will decrypt it correctly. Beware: in this case the message is not
secured, you have only signed it. Everybody has the public key, remember!
One of the problems left is to know the public key of your correspondent. Usually you will ask
him to send you a non-confidential signed message that contains his public key as well as a
certificate.
Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message

1.2.2. The Certificate:


How do you know that you are dealing with the right person, or rather the right web site? Well,
someone has gone to great lengths (if they are serious) to ensure that the web site owners are who
they claim to be. This someone you have to implicitly trust: you have his/her certificate loaded
in your browser (a root certificate). A certificate contains information about the owner of the
certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource
location or Distinguished Name (DN), which includes the Common Name (CN) (web site address
or e-mail address depending on the usage), and the certificate ID of the person who certifies
(signs) this information. It also contains the public key and finally a hash to ensure that the
certificate has not been tampered with. As you made the choice to trust the person who signs this
certificate, you therefore also trust this certificate. This is a certificate trust tree or certificate
path. Usually your browser or application has already loaded the root certificates of well-known
Certification Authorities (CA), or root CA certificates. The CA maintains a list of all signed
certificates as well as a list of revoked certificates. A certificate is insecure until it is signed, as
only a signed certificate cannot be modified without detection. You can sign a certificate using
itself; this is called a self-signed certificate. All root CA certificates are self-signed.
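The trust path just described, and step 3 of the browser procedure (trusted issuer, still valid, related to the site contacted), as an added example that is not part of the original text. Using Go's standard x509 package, a constructed self-signed root CA ("Example Root CA") issues a server certificate for the placeholder host shop.example, and CheckSite runs the three browser checks against a trust store that plays the role of the root certificates loaded in the browser. Every name, validity period and function name here is made up for the example; no real CA or web site is involved.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair for tmpl and has parent sign the certificate. With parent == nil
// the certificate signs itself, which is how every root CA certificate is made.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI makes a constructed root CA and a server certificate for the placeholder host
// shop.example signed by that root. Validity periods are relative to now.
func BuildPKI(now time.Time) (root, leaf *x509.Certificate, err error) {
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example", Organization: []string{"Example Shop Ltd"}},
		DNSNames:     []string{"shop.example"}, // the site the certificate is "related to"
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = issue(leafTmpl, root, rootKey)
	return root, leaf, err
}

// CheckSite performs the browser's checks: the chain ends at a root in the trust store, the
// certificate is within its validity period at time 'at', and it was issued for host.
func CheckSite(leaf *x509.Certificate, trusted *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	root, leaf, err := BuildPKI(now)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("right host, trusted root: ", CheckSite(leaf, trusted, "shop.example", now))
	fmt.Println("wrong host:               ", CheckSite(leaf, trusted, "evil.example", now))
	fmt.Println("root not in trust store:  ", CheckSite(leaf, x509.NewCertPool(), "shop.example", now))
	fmt.Println("after expiry:             ", CheckSite(leaf, trusted, "shop.example", now.AddDate(0, 0, 120)))
}
```

Only the first call returns nil. The other three are the situations in which a browser shows the warning the text mentions: the name in the certificate does not match the site contacted, the signer is not among the loaded root certificates, or the validity period has passed. Revocation lists, which the text also mentions, are not consulted by Verify and would be a separate check.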

Public Key Encryption


Public key encryption refers to a type of cipher architecture known as public key cryptography
that utilizes two keys (a key pair) to encrypt and decrypt data. One of the two keys is a public
key, which anyone can use to encrypt a message for the owner of that key. The encrypted
message is sent and the recipient uses his or her private key to decrypt it. This is the basis of
public key encryption.
Public key encryption is considered very secure because it does not require a secret shared
key between the sender and receiver. Other encryption technologies that use a single shared key
to both encrypt and decrypt data rely on both parties deciding on a key ahead of time without
other parties finding out what that key is. However, the fact that it must be shared between both
parties opens the door to third parties intercepting the key. This type of encryption technology is
called symmetric encryption, while public key encryption is known as asymmetric encryption.
A "key" is simply a small bit of text code that triggers the associated algorithm to encode or
decode text. In public key encryption, a key pair is generated using an encryption program and
the pair is associated with a name or email address. The public key can then be made public by
posting it to a key server, a computer that hosts a database of public keys. Alternately, the public
key can be shared selectively by emailing it to friends and associates. Those who possess your
public key can use it to encrypt messages to you. Upon receiving the encrypted message, your
private key will decrypt it.
Public key encryption is especially useful for keeping email private. Any stored messages on
mail servers, which can persist for years, will be unreadable, and messages in transit will also be
unreadable. This degree of privacy may sound excessive until one realizes the open nature of the
Internet. Sending email unencrypted is akin to making it public for anyone to read now or at
some future date. United States law does not recognize email as a protected or private form of
communication, unlike a telephone call or letter.
A cryptographic system that uses two keys -- a public key known to everyone and a private or
secret key known only to the recipient of the message. When John wants to send a secure
message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key
to decrypt it.
An important element to the public key system is that the public and private keys are related in
such a way that only the public key can be used to encrypt messages and only the corresponding
private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the
private key if you know the public key.
Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting
information via the Internet. They are extremely secure and relatively simple to use. The only
difficulty with public-key systems is that you need to know the recipient's public key to encrypt a
message for him or her. What's needed, therefore, is a global registry of public keys, which is one
of the promises of the new LDAP technology.
Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.
For this reason, it is sometimes called Diffie-Hellman encryption. It is also called
asymmetric encryption because it uses two keys instead of one key (symmetric encryption).

What is public key encryption?

Public key encryption (PKE) uses a system of two keys:

a private key, which only you use (and of course protect with a well-chosen,
carefully protected passphrase); and
a public key, which other people use. Public keys are often stored on public
key servers.

A document that is encrypted with one of these keys can be decrypted only with the other key in
the pair.
For example, let's say that Alice wants to send a message to Bob using PGP (a popular public
key encryption system). She encrypts the message with Bob's public key and sends it using her
favorite email program. Once the message is encrypted with Bob's public key, only Bob can
decrypt the message using his private key. Even major governments using supercomputers would
have to work for a very long time to decrypt this message without the private key.

Digital Signature and Verification


A digital signature is a mechanism by which a message is authenticated, i.e. proving that a
message is effectively coming from a given sender, much like a signature on a paper
document. For instance, suppose that Alice wants to digitally sign a message to Bob. To do
so, she uses her private key to encrypt the message; she then sends the message along with
her public key (typically, the public key is attached to the signed message). Since Alice's
public key is the only key that can decrypt that message, a successful decryption constitutes
a digital signature verification, meaning that there is no doubt that it is Alice's private key
that encrypted the message.

What is a digital signature?


A digital signature is the electronic equivalent of a handwritten signature, verifying the
authenticity of electronic documents. In fact, digital signatures provide even more security than
their handwritten counterparts.
More often than not a digital signature uses a system of public key encryption to
verify that a document has not been altered.

What does PKE have to do with digital signatures?


Digital signatures often use a public key encryption system. Consider Alice and Bob again: how
can Bob be sure that it was really Alice who sent the message, and not the criminally-minded
Eve pretending to be Alice?
This is where digital signatures come in. Before encrypting the message to Bob, Alice can sign
the message using her private key; when Bob decrypts the message, he can verify the signature
using her public key. Here's how it works:

1. Alice creates a digest of the message, a sort of digital fingerprint. If the
message changes, so does the digest.
2. Alice then encrypts the digest with her private key. The encrypted digest is
the digital signature.
3. The encrypted digest is sent to Bob along with the message.
4. When Bob receives the message, he decrypts the digest using Alice's public
key.
5. Bob then creates a digest of the message using the same function that Alice
used.
6. Bob compares the digest that he created with the one that Alice encrypted. If
the digests match, then Bob can be confident that the signed message is
indeed from Alice. If they don't match, then the message has been tampered
with or isn't from Alice at all.

Original message -> Message digest (through hashing by the software) -> Message digest
encrypted using the private key -> digital signature

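The six steps and the flow above, together with the earlier "Digital Signatures and Certificates" paragraph, as an added example that is not code from the original page. Digest is the hash (step 1 and step 5), Sign applies Alice's private key to the digest (RSA-PSS, the standardized padded form of "encrypting the digest with the private key"), and Verify recomputes the digest on Bob's side and checks it against the signature with Alice's public key (steps 4 to 6). Demo also covers the two failure cases the text mentions: a message altered in transit, and a message signed by Eve's key instead of Alice's. The message text and all function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is step 1 (and step 5 on Bob's side): the message's fingerprint. Changing any
// byte of the message changes the digest.
func Digest(message []byte) []byte {
	sum := sha256.Sum256(message)
	return sum[:]
}

// Sign is step 2: the digest, not the whole message, is processed with the signer's private
// key. RSA-PSS is the standardized, padded form of "encrypting the digest with the private key".
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(message), nil)
}

// Verify is steps 4 to 6: recompute the digest from the message as received and check it
// against the signature with the signer's public key. True only if the message is unchanged
// and the signature was made with the private key matching pub.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(message), signature, nil) == nil
}

// Outcome records the three verifications Bob might run on one signature.
type Outcome struct {
	Original    bool // unchanged message, checked with Alice's public key
	Tampered    bool // one bit of the message flipped in transit
	WrongSigner bool // same text, but signed with Eve's private key
}

// Demo runs the Alice/Bob/Eve scenario from the text on a constructed message.
func Demo(message string) (Outcome, error) {
	if len(message) == 0 {
		return Outcome{}, fmt.Errorf("empty message")
	}
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	eve, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte(message)
	sig, err := Sign(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	eveSig, err := Sign(eve, msg) // Eve signs the same text with her own key
	if err != nil {
		return Outcome{}, err
	}
	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit: the digest no longer matches
	return Outcome{
		Original:    Verify(&alice.PublicKey, msg, sig),
		Tampered:    Verify(&alice.PublicKey, tampered, sig),
		WrongSigner: Verify(&alice.PublicKey, msg, eveSig),
	}, nil
}

func main() {
	out, err := Demo("Transfer 100 EUR to account 12345") // constructed sample message
	if err != nil {
		panic(err)
	}
	fmt.Printf("original: %v, tampered: %v, signed by Eve: %v\n", out.Original, out.Tampered, out.WrongSigner)
}
```

Note that, as the text says under "Private Key/Public Key", signing does not hide the message: Bob receives the plain text plus the signature, and privacy would need a separate encryption step with Bob's public key.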
Secure Electronic Transaction (SET) is a system for ensuring the security of financial
transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape,
and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is
conducted and verified using a combination of digital certificates and digital signatures among
the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and
confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure
Transaction Technology (STT), and Terisa Systems' Secure Hypertext Transfer Protocol
(SHTTP). SET uses some but not all aspects of a public key infrastructure (PKI).
Here's how SET works:

Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet
Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is
some kind of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card
for online purchases or other transactions. It includes a public key with an expiration
date. It has been through a digital switch to the bank to ensure its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include
the merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives the merchant's certificate and confirms from it that the
merchant is valid.
6. The browser sends the order information, encrypted with the merchant's public key,
together with the payment information, encrypted with the bank's public key (so it can't be
read by the merchant), and information that ensures the payment can only be used with this
particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's
certificate. This may be done by referring the certificate to the bank or to a third-party
verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public
key, the customer's payment information (which the merchant can't decode), and the
merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on
the certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends authorization to the merchant, who can then fill the
order.
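Steps 6 to 9, as an added example (not SET's actual message format and not code from the page): the order half is encrypted to the merchant's public key and the payment half to the bank's, and the customer's signature over the two digests (the dual signature of SET) binds them, so each party can read only its own half yet both can check that the payment was authorised for exactly this order. The Envelope layout, the order and payment strings, and the function names (CustomerSend, MerchantOpen, BankOpen) are constructed for this example; the certificates exchanged in steps 2 to 5 and the bank's signed authorisation of step 10 are left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the customer's software sends at step 6 (constructed layout, not SET's wire format).
type Envelope struct {
	OrderForMerchant []byte // order information, readable only with the merchant's private key
	PaymentForBank   []byte // payment information, readable only with the bank's private key
	OrderDigest      []byte // H(order): lets the bank check linkage without seeing the order
	PaymentDigest    []byte // H(payment): lets the merchant check linkage without seeing the card
	DualSignature    []byte // customer's signature over H(OrderDigest || PaymentDigest)
}

func hash(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// CustomerSend encrypts each half to its intended reader and signs the pair of digests, so the
// payment is bound to exactly this order. RSA-OAEP is used directly because both halves are short.
func CustomerSend(order, payment []byte, customer *rsa.PrivateKey, merchantPub, bankPub *rsa.PublicKey) (*Envelope, error) {
	env := &Envelope{OrderDigest: hash(order), PaymentDigest: hash(payment)}
	var err error
	if env.OrderForMerchant, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, order, nil); err != nil {
		return nil, err
	}
	if env.PaymentForBank, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, payment, nil); err != nil {
		return nil, err
	}
	env.DualSignature, err = rsa.SignPSS(rand.Reader, customer, crypto.SHA256, hash(env.OrderDigest, env.PaymentDigest), nil)
	return env, err
}

// checkLinkage verifies the dual signature over both digests with the customer's public key.
func checkLinkage(env *Envelope, customerPub *rsa.PublicKey) error {
	return rsa.VerifyPSS(customerPub, crypto.SHA256, hash(env.OrderDigest, env.PaymentDigest), env.DualSignature, nil)
}

// openPart decrypts one half and confirms it is the half the customer signed for.
func openPart(priv *rsa.PrivateKey, ct, digest []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return nil, err // wrong key: this party is not the intended reader
	}
	if !bytes.Equal(hash(plain), digest) {
		return nil, errors.New("decrypted part does not match its signed digest")
	}
	return plain, nil
}

// MerchantOpen (step 7): the merchant reads the order and checks the customer's signature
// covers it, without ever seeing the payment details.
func MerchantOpen(env *Envelope, merchant *rsa.PrivateKey, customerPub *rsa.PublicKey) ([]byte, error) {
	order, err := openPart(merchant, env.OrderForMerchant, env.OrderDigest)
	if err != nil {
		return nil, err
	}
	return order, checkLinkage(env, customerPub)
}

// BankOpen (step 9): the bank reads the payment details and checks, through the same signature,
// that they were authorised for the order whose digest the merchant forwarded.
func BankOpen(env *Envelope, bank *rsa.PrivateKey, customerPub *rsa.PublicKey) ([]byte, error) {
	payment, err := openPart(bank, env.PaymentForBank, env.PaymentDigest)
	if err != nil {
		return nil, err
	}
	return payment, checkLinkage(env, customerPub)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	customer, merchant, bank := mustKey(), mustKey(), mustKey()
	env, err := CustomerSend([]byte("order=1001;item=book;total=19.90"), // constructed order
		[]byte("card=0000000000000000;exp=01/30"), customer, &merchant.PublicKey, &bank.PublicKey) // constructed card
	if err != nil {
		panic(err)
	}
	order, merr := MerchantOpen(env, merchant, &customer.PublicKey)
	payment, berr := BankOpen(env, bank, &customer.PublicKey)
	fmt.Printf("merchant: %q (%v)\nbank: %q (%v)\n", order, merr, payment, berr)
}
```

The property the text stresses, that sensitive information is never seen by the merchant, comes from the separate encryption to the bank's key; the linkage through the signed digests is what stops a payment authorisation being reused for a different order.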
M-commerce (mobile commerce) is the buying and selling of goods and services through
wireless handheld devices such as cellular telephones and personal digital assistants (PDAs).
Known as next-generation e-commerce, m-commerce enables users to access the Internet
without needing to find a place to plug in. The emerging technology behind m-commerce, which
is based on the Wireless Application Protocol (WAP), has made far greater strides in Europe,
where mobile devices equipped with Web-ready micro-browsers are much more common than in
the United States.
In order to exploit the m-commerce market potential, handset manufacturers such as Nokia,
Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint
to develop WAP-enabled smart phones, the industry's answer to the Swiss Army Knife, and ways
to reach them. Using Bluetooth technology, smart phones offer fax, e-mail, and phone
capabilities all in one, paving the way for m-commerce to be accepted by an increasingly mobile
workforce.
As content delivery over wireless devices becomes faster, more secure, and scalable, there is
wide speculation that m-commerce will surpass wireline e-commerce as the method of choice for
digital commerce transactions. The industries affected by m-commerce include:

Financial services, which includes mobile banking (when customers use their handheld
devices to access their accounts and pay their bills) as well as brokerage services, in
which stock quotes can be displayed and trading conducted from the same handheld
device

Telecommunications, in which service changes, bill payment and account reviews can all
be conducted from the same handheld device

Service/retail, as consumers are given the ability to place and pay for orders on-the-fly

Information services, which include the delivery of financial news, sports figures and
traffic updates to a single mobile device

IBM and other companies are experimenting with speech recognition software as a way to ensure
security for m-commerce transactions.
PayPal is an e-commerce business allowing payments and money transfers to be made through
the Internet. PayPal serves as an electronic alternative to traditional paper methods such as
checks and money orders.
A PayPal account can be funded with an electronic debit from a bank account or by a credit card.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own
PayPal deposit account or request a transfer to their bank account. PayPal is an example of a
payment intermediary service that facilitates worldwide e-commerce.
PayPal performs payment processing for online vendors, auction sites, and other commercial
users, for which it charges a fee. It sometimes also charges a transaction fee for receiving money
(a percentage of the amount sent plus an additional fixed amount). The fees charged depend on
the currency used, the payment option used, the country of the sender, the country of the
recipient, the amount sent and the recipient's account type.[2] In addition, eBay purchases made
by credit card through PayPal may incur a "foreign transaction fee" if the seller is located in
another country, as credit card issuers are automatically informed of the seller's country of origin.
