
 
"You're secure! You know it. Do your customers know this?"
Emil Battazato

Planning Security & Easing Customer Concerns

Broad Issues in Security - Security is a freedom from danger or risk, personal or monetary. On the Internet, the issue revolves around the transmittal, use, and storage of data.

The key issue for consumers is: can they engage in online transactions without fear of financial loss, invasion of their privacy or identity theft? Some specific concerns are:

Consumer Privacy Fears & Issues
  • Children
  • Your Company is legitimate
  • Identity theft
  • Information privacy from volunteered information
  • Junk mail and Spam
  • Won't receive product or order
  • Your company will sell or rent customer's private info
  • Cookies
  • Adware, spyware and content hijacking programs: Keyloggers, Data-harvesting software programmed to gather e-mail addresses, etc.
  • Viruses, data mining (privacy-invasive software)
  • Hidden costs
  • Accidentally commit to a purchase
  • Return policy and refunds
 

For the seller, the key issues are to:

  • assure validity and safety of the transmitted and stored data,
  • assure receipt of goods by the customer,
  • assure receipt of payment, and
  • gain customer confidence.

Some specific concerns and their solutions are:


| Issue | Solutions |
| --- | --- |
| Theft/Security of data and information - storage and transmission of data. | SET, SSL, encryption, firewalls |
| Fraud - by the consumer; by the business | PINs, digital certificates, digital signatures, public domain information provided |
| Identification - by the consumer; by the business | Passwords, authentication software, cookies |
| Access - customer/credit card information, names and addresses of employees, internal memos, proprietary business information, restricted Web pages, etc. | Access Control Lists of people authorized to access or modify specific information (ACLs), logons, see above |
| Selling/Monetary transactions | credit card company guarantees, merchant service companies, secure servers, Internet merchant banks |
| Intellectual Property | domain names, trademarks, copyrights, watermarks, hidden "signatures", patents, etc. |
| Privacy - confidentiality of information; unauthorized email; what information collected and stored; authorized use; cyber-revenge; inappropriate content/children | secure email, secure electronic commerce, browser certificates, all of the above and below |
| Consumer confidence - online businesses must gain consumer trust and confidence | FAQs, privacy statement, copyright notification, multiple contact methods, webmaster contact, use of publicly registered intellectual property, security plan, Bobby, reputable facilitators; reputable links, sponsors, advertisers |
| Others - vandalism, human error, file corruption, active content (embedded programs that run within downloaded material), viruses, file deletion or corruption | physical access, hiring practices, anti-virus software, reliable browsers, back-up files and utilities; security breach detection software |

You can see that an online business needs to concern itself with a variety of issues to ensure secure online commerce transactions and to gain consumer confidence.

 
Security & Customer Concerns in eCommerce Transactions

The Internet and M.O.T.O./Secure E-Commerce Transactions - With the Internet you can promote, advertise, take orders, exchange email communications and conduct business under the M.O.T.O. protocol (mail order, telephone order), and you have the same security issues as any other Brick & Mortar retail or wholesale business regarding your purchase choices, phone and address info, etc.
Concerns:

  • collection and use of personal information
  • trust in the merchant and employees
  • the information sits somewhere in "storage"

Add Credit Cards - By adding credit cards you introduce a level of complexity and security. Whether doing business by Internet or Brick & Mortar, you are using credit cards as a means of payment. The merchant has the credit card in hand and "swipes" it or enters it by keypad.
http://www.cabrillo.edu/~dambrosini/188Web/classsessions/cash.htm

Both the customer and the merchant want:

  • real time credit card processing
  • real time order fulfillment
The element of trust has been earned because the credit card company assumes the risk of loss and because we have learned to trust the process. Everyone does it. However, we are only as secure as the level of honesty of the employees and merchants allows us to be.
 

The Internet and Secure Electronic Commerce - The perception is that it is riskier, less secure, gives opportunity for World Wide fraud and personal risk. True? Not True?

Taking orders online can be done by telephone, snail mail, fax or email with no different risks than for any other business where checks or credit cards are used in billing and payment transactions.
 

Adding Security - There are several steps of additional security available via the Internet and the intermediaries involved in processing payment.

Establish a Credit Card Internet Merchant Account. This is necessary for any merchant whether online or Brick & Mortar. Most banks require a special "online merchant" account (an Internet credit card clearing house), so don't assume an account you already have, your normal merchant account, will work. Fees vary by bank.

Register a domain name - cost $20 to $100 every two years and is necessary for secure server service at pretty much all web hosts.

SSL - for transmission and storage of data. SSL was created by Netscape in order to send data securely through the Internet. Secure Sockets Layer is a private key encryption technology that scrambles a message so that only the recipient (the merchant) can unscramble it. The customer's browser and the Web server at the merchant's ISP must be enabled to exchange user IDs provided by a third party that ensure that the merchant is who they say they are before the information can be unscrambled. This ID is called a digital certificate. Verisign is one such third party. This is the open lock or key icon you see on your browser screen. There is a cost of $400 per server and $300 annual renewal fee.
Plusses:

  • Standardized, much more secure than phone, mail, email, fax.
  • No eavesdropping
  • Info goes where it is intended to go
  • Emotional security
  • Stored (sits) on a server in encrypted form
  • Netscape and Internet Explorer
Concerns:
  • Someone could literally steal the server or backup tapes
  • An operator could print, email or send out info
  • Merchant fraud
  • How secure is it really?
SET - for secure electronic transactions. Secure Electronic Transaction is a developing technology that goes a step further than SSL. It verifies the identity of the consumer and thus helps protect the merchant from fraud. It was jointly developed by Visa and MasterCard. It uses digital certificates to identify both the buyer and seller and then encrypts the information. The credit card number and digital certificate information go directly to the credit card issuer for verification and billing. The merchant never sees the information.

Encryption - Encryption is the scrambling of data into a code. The process or encryption system involves 1) the text message/data, 2) the cipher (a code such as "add 8 to each letter"), 3) an electronic key (a key to encrypt the message, called a public key, and a key to decrypt the message, called the private key), and 4) the cipher text/data created by the key. Public and Private Keys - Usually two keys are used, one to encrypt and one to decrypt the message. The key system can be designed to create a different cipher message each time it is used, even when applied to the same message, thus adding an additional layer of security. Usually the public key is widely available and the private key is created and then discarded with each use. This system is known as PGP or Pretty Good Privacy (Philip Zimmermann).
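The following is an added example, not part of the original class notes. It implements the "add 8 to each letter" cipher mentioned above, which always produces the same cipher text for the same message, and contrasts it with a scheme that produces a different cipher text on every use. The keystream built from HMAC-SHA256 and a single shared key is an illustrative stand-in for a vetted cipher such as AES-GCM, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets


def shift_encrypt(text: str, shift: int = 8) -> str:
    """The notes' sample cipher: add `shift` to each letter, wrapping at Z."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # digits and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(text: str, shift: int = 8) -> str:
    return shift_encrypt(text, -shift)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    stream, counter = b"", 0
    while len(stream) < length:
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def randomized_encrypt(key: bytes, message: bytes) -> bytes:
    """A fresh random nonce per call makes every cipher text different."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(message))
    return nonce + bytes(m ^ k for m, k in zip(message, stream))


def randomized_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    order = b"order 1001: 2 widgets"  # constructed sample message
    print(shift_encrypt("Card 4111"), shift_encrypt("Card 4111"))
    print(randomized_encrypt(key, order).hex())
    print(randomized_encrypt(key, order).hex())
```

The shift cipher leaves digits untouched and has only 25 useful keys, so it hides nothing in practice; the randomized scheme here still lacks integrity protection, which is why production systems use an authenticated cipher.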

Digital Signatures, Digital Certificates, Certificate Authorities - Digital Signatures are encrypted authentications that verify that a particular person originated a message and that the message wasn't changed during transmission and reception. Digital Certificates are used to ensure that the sender is who he or she claims to be and provide encryption keys for replies. Digital certificates include identification information and the name of the holder (i.e. URL, email, name, public key, name of the certificate issuer, a serial number, a start and end date for the certificate's validity, etc.). They are issued by a "certification authority" that acts as a trusted third party (like an agent, in this case Verisign is an example) and are paid for by the E-tailer. They are matched to small electronic files that keep track of people, information and merchandise relationships.
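The certificate fields listed above are what a browser checks before trusting a merchant's site. This added example (not from the original notes) runs those checks on a constructed certificate record in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the host names, dates and helper names are assumptions. It does not verify the issuer's signature, which ssl.create_default_context() handles in real connections.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),
                       ("DNS", "*.pay.example.com")),
}

# Two reference times (seconds since the epoch) used to exercise the checks.
IN_WINDOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def _name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname


def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Return the reasons this certificate should not be trusted for hostname."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-issued: no third party vouches for it")
    return problems


if __name__ == "__main__":
    for host in ("shop.example.com", "card.pay.example.com", "shop.example.net"):
        print(host, certificate_problems(SAMPLE_CERT, host, IN_WINDOW))
```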

Cookies - Small files created by server-run scripts when the customer logs onto a site and then stored on the customer's computer (client side) for a defined time period. The Website puts it on your computer so that it can remember things about you for later use. Specifically, these files identify the customer's computer, the customer's preferences, and other information given by the customer to the Website so that the site recognizes you. Thus, the Website can create custom pages, recall information and save the customer the trouble of reentering information when visiting that site. They also can be used to track your navigation patterns and buying habits.
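Because a cookie identifies the customer and lives on the customer's computer for a defined period, a site owner should check how each cookie is issued. This added example (not from the original notes) audits Set-Cookie header values with Python's standard http.cookies module; the sample headers are constructed and the 30-day lifetime limit is an assumed policy.

```python
from http.cookies import SimpleCookie

MAX_AGE_LIMIT = 30 * 24 * 3600  # assumed policy: flag lifetimes over 30 days

# Constructed Set-Cookie values, not captured from any real site.
SESSION_COOKIE = "sid=9f2c7a; Path=/; Max-Age=1800; Secure; HttpOnly; SameSite=Lax"
TRACKING_COOKIE = "visitor=u-48213; Path=/; Max-Age=31536000"


def audit_set_cookie(header_value: str) -> dict:
    """Map each cookie name in one Set-Cookie value to a list of findings."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        findings = []
        if not morsel["secure"]:
            findings.append("no Secure: sent over plain HTTP as well as HTTPS")
        if not morsel["httponly"]:
            findings.append("no HttpOnly: readable by scripts in the page")
        if not morsel["samesite"]:
            findings.append("no SameSite: cross-site sending left to browser defaults")
        max_age = morsel["max-age"]
        if max_age.isdigit() and int(max_age) > MAX_AGE_LIMIT:
            findings.append(f"lifetime {int(max_age) // 86400} days exceeds policy")
        report[name] = findings
    return report


if __name__ == "__main__":
    for header in (SESSION_COOKIE, TRACKING_COOKIE):
        for cookie_name, issues in audit_set_cookie(header).items():
            print(cookie_name, issues or "ok")
```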

Real Time Credit Card Transactions - These need an additional participant, a Merchant Service Company or Gateway (a.k.a. cash settlement provider) like CyberCash or other types of "merchant service" companies to handle the actual funds transfers between the credit card companies' banks and your bank. Cost of about $100 monthly fee plus the credit card company transaction fees.
http://www.cybercash.com/

Secure Server - Your ISP provides you with a secure server, one that uses SSL and/or SET for a cost of $10-$75 per month. An option is to set up your merchant site on non-secure server space that is less costly in fees and bandwidth and switch to the secure server when the sensitive data is ready to be submitted. The switch occurs when the customer goes to the secure page of your web site, probably your order form. Only that page or a few pages of your site are housed on the secure server. So, most of your site would remain at the regular server. You may save a little money this way as secure server space is generally more expensive. ($20-40 per month?)
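When only the order form lives on the secure server, a common mistake is a form that is served from, or posts back to, the regular server. This added example (not from the original notes) scans a page's HTML for forms that carry sensitive fields and reports any that are not on HTTPS both where they are served and where they submit; the sample page, host names and field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_HINTS = ("card", "cvv", "password")  # assumed field-name hints

# Constructed order page: the order form posts to the regular (non-SSL) server.
ORDER_PAGE = """
<form action="/search"><input name="q"></form>
<form action="http://www.example.test/cgi-bin/order" method="post">
  <input name="fullname"><input name="cardnumber"><input name="cvv">
</form>
"""


class _FormCollector(HTMLParser):
    """Collect each form's action and the names of its sensitive inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or "").lower()
            is_password = (attrs.get("type") or "").lower() == "password"
            if is_password or any(hint in name for hint in SENSITIVE_HINTS):
                self._current["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_sensitive_forms(page_url: str, html: str) -> list:
    """List (submit_url, fields) for sensitive forms not on HTTPS end to end."""
    collector = _FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action = same page
        if form["sensitive"] and not (page_https and urlsplit(target).scheme == "https"):
            findings.append((target, form["sensitive"]))
    return findings
```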
 

Thus there are three levels of eCommerce - with steps up, increasing security, in each case.

  • Web Site using MOTO, fax and email
  • Web Site using Secure Servers - may need to purchase "Off the Shelf" software for $5-30 per month ISP/host fee plus one time software purchase of $0-895 or perhaps much higher.
  • Web Site hosted by eCommerce intermediary stores - AT&T Secure Buy, Yahoo! Store, Icat, Virtual Spin, Stores on the Web, etc. Cost about $100-300 monthly plus transaction fees. Your site probably isn't movable.

Have a Customer Security Plan - There are two parts to a security plan, 1) technology and 2) confidence building. Your site, the data transmittal and storage are all securely handled. But what are you doing to ease the mind of your customers?

Technology - 

  • Firewalls
  • Encryption
  • Passwords
  • Access Control Lists
  • Digital Certificates
  • Monitor Active Content (assure that downloaded content comes from secure sources)
  • Secure Server Technology
  • Authentication Software
  • Hidden "signatures" and Watermarks
  • Physical Security

Customer Confidence - 

What are the parts of a Privacy Plan?
  • A Privacy policy/contract
  • Contact information
    • email
    • physical address
    • telephone #'s
    • answering machine (real person)
    • webmaster
  • References - customer, employees, vendors, contacts
  • Usage limits for volunteered information
  • Links, icons, logos, etc. (Truste, BBB, Bobby)
  • User Agreement
  • Business License, memberships (photoshop users), awards, etc.
  • Good buying features
    • Ability to stop shopping and start again without losing data
    • shopping cart
    • checkout process
    • totals
    • allow changes during checkout
    • options shown
    • recalculates
    • includes tax and transportation
    • not too many steps or screens
    • simple and quick
    • Security info during process (in popups, new browser windows, nearby or aside)
  • Instructions
  • Guarantees, warranties
  • Return Policy
  • Autoresponders
    • order received
    • thanks
    • shipping and delivery expectations
    • invoice
  • Printable pages, forms, invoices, etc.
  • Little jargon or legalese unless useful

Some Guidelines:

  • Give information when and where it is needed on the site
  • Put some information or links to it in prominent, useful placement on the home page
  • Don't obscure the task the customer is performing
  • Don't clutter the page
  • Open new browser windows for some information needs
  • Test the Site and the privacy features with users
  • Compare your privacy plan with other eCommerce sites' plans
  • Use endnotes



copyright
David Ambrosini, 2007 ©