Security

Security is an essential part of any transaction that takes place over the internet. Customers will lose faith in an e-business if its security is compromised. Following are the essential requirements for safe e-payments/transactions −

Confidentiality − Information should not be accessible to an unauthorized person, and it should not be readable by anyone who intercepts it during transmission.
Integrity − Information should not be altered during its transmission over the network, and any alteration should be detectable by the receiver.
Availability − Information should be available wherever and whenever required, within a specified time limit.
Authenticity − There should be a mechanism to authenticate a user before giving him/her access to the required information.
Non-Repudiation − It is the protection against the denial of an order or the denial of a payment. Once a sender sends a message, the sender should not be able to deny having sent it. Similarly, the recipient of a message should not be able to deny having received it.
Encryption − Information should be encrypted so that it can be decrypted only by an authorized user who holds the right key.
Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.

Security Protocols in Internet

Secure Socket Layer (SSL)

It is the most commonly used protocol and is widely used across the industry. The SSL versions themselves (up to SSL 3.0) have been deprecated because of known weaknesses; what is deployed today is its successor, Transport Layer Security (TLS), although the name SSL is still used informally for both. It meets the following security requirements −

Authentication (of the server, and optionally of the client, through digital certificates)
Encryption
Integrity

It does not by itself provide non-repudiation of a transaction: the integrity check on each record uses a key shared by both ends of the connection, so either side could have produced it. Non-repudiation needs a digital signature at the application level, which is what SET and the digital signature schemes described below provide.

"https://" is to be used for HTTP URLs with SSL/TLS, whereas "http://" is to be used for HTTP URLs without it.

Secure Hypertext Transfer Protocol (S-HTTP)

S-HTTP extends the HTTP internet protocol with public key encryption, authentication and digital signatures over the internet. It supports multiple security mechanisms, providing security to the end users, and works by negotiating the encryption scheme used between the client and the server. Unlike SSL/TLS, which secures the whole connection, S-HTTP secures individual HTTP messages; it was never widely adopted and is not supported by current browsers.

Secure Electronic Transaction (SET)

It is a secure protocol developed by MasterCard and Visa in collaboration. On paper it is the most complete of the three, because it signs each transaction and keeps the card details hidden from the merchant; in practice it saw little adoption, since every participant needs a certificate and special software.
It has the following components −

Card Holder's Digital Wallet Software − The digital wallet allows the card holder to make secure purchases online via a point-and-click interface.
Merchant Software − This software helps merchants communicate with potential customers and financial institutions in a secure manner.
Payment Gateway Server Software − The payment gateway provides an automatic and standard payment process. It supports the process for the merchant's certificate request.
Certificate Authority Software − This software is used by financial institutions to issue digital certificates to card holders and merchants, and to enable them to register their account agreements for secure electronic commerce.

Digital Signature

Digital signatures are used to authenticate the identity of the sender. It is like signing a message in electronic form. A digital signature is a protocol that produces the same effect as a real signature: it is a mark that only the sender can make, and other people can easily recognize that it belongs to the sender. A digital signature is also used to confirm agreement to a message. A digital signature must be unforgeable and authentic.

In a digital signature process, the sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver applies the verifying algorithm to the combination of message and signature. If the result is true, the message is accepted; otherwise it is rejected.

A conventional signature is like a private key belonging to the signer of the document: the signer uses it to sign documents, and no one else has it. The copy of the signature on file is like a public key: anyone can use it to verify a document by comparing it with the original signature. In a digital signature, the signer applies her private key, through a signing algorithm, to sign the document. The verifier applies the signer's public key, through the verifying algorithm, to verify the signature.
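The signing and verifying process described above, as an added Go example; this is illustration code written for this page, not code from the original article. The customer hashes the order with SHA-256 and signs the digest with RSA-PSS under her private key; the merchant recomputes the digest and verifies with her public key, which is also the hash-then-sign mechanism the page explains later under "Digital certificates vs. digital signatures". The order strings, the party names and the key size are constructed for the example. The same run shows why signing must use the private key and why the signature is tied to the message: an order whose amount was altered in transit and a signature produced under someone else's key pair are both rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds a key pair. Only the private key can produce a signature;
// the public key is handed out to anyone who needs to verify one.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair (example size).
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the key the verifier uses.
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign is the signing algorithm: hash the message with SHA-256, then apply
// the private key to the digest using RSA-PSS (randomised padding, so two
// signatures over the same message differ but both verify).
func (s *Signer) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// Verify is the verifying algorithm: recompute the digest of the received
// message and check the signature against the claimed signer's public key.
// It returns true only if the message is unmodified and the signature was
// made with the private key matching pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Result records what the merchant's verifier decides in each scenario.
type Result struct {
	Original bool // genuine order, untouched
	Tampered bool // amount changed after signing
	Forged   bool // signed by someone who is not the customer
}

// Demo plays through an order between a customer and a merchant.
// All strings are constructed for the example.
func Demo() (Result, error) {
	customer, err := NewSigner()
	if err != nil {
		return Result{}, err
	}
	impostor, err := NewSigner() // someone else with their own key pair
	if err != nil {
		return Result{}, err
	}
	// In practice this would be the canonical serialisation of the order form.
	order := []byte("order=1234&amount=49.99&currency=EUR&merchant=shop.example")
	sig, err := customer.Sign(order)
	if err != nil {
		return Result{}, err
	}
	tampered := []byte("order=1234&amount=4999.99&currency=EUR&merchant=shop.example")
	forgedSig, err := impostor.Sign(order)
	if err != nil {
		return Result{}, err
	}
	return Result{
		Original: Verify(customer.Public(), order, sig),
		Tampered: Verify(customer.Public(), tampered, sig),
		Forged:   Verify(customer.Public(), order, forgedSig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine order accepted:    %v\n", r.Original)
	fmt.Printf("tampered order accepted:   %v\n", r.Tampered)
	fmt.Printf("forged signature accepted: %v\n", r.Forged)
}
```

Running it prints true, false, false. Because RSA-PSS adds a random salt, signing the same order twice yields two different signatures that both verify; a verifier must therefore run the verifying algorithm rather than compare signature bytes against a stored copy.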
The signer cannot use her public key to sign the document, because everyone holds that key and so anyone could forge her signature; signing must use the private key, which she alone holds, while anyone with her public key can verify. Digital signatures have assumed great significance in the modern world of web commerce. Many countries have made provisions for recognizing digital signatures as a valid authorization mechanism, like paper-based signatures.

Digital Certificate

A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are used for sharing public keys to be used for encryption and authentication. A digital certificate includes the public key being certified, identifying information about the entity that owns the public key, metadata relating to the certificate (issuer, serial number, validity period, permitted uses), and a digital signature that the certificate issuer created over all of those fields. The distribution, authentication and revocation of digital certificates are the primary functions of the public key infrastructure (PKI), the system that distributes and authenticates public keys.

Public key cryptography depends on key pairs: one private key held by the owner and used for signing and decrypting, and one public key that can be used for encrypting data sent to the public key owner or for verifying the certificate holder's signed data. The digital certificate enables entities to share their public key so that it can be authenticated. Digital certificates are most commonly used for initializing SSL/TLS connections between web browsers and web servers, where the browser checks the server's certificate against the issuers it trusts before any application data is sent. Digital certificates are also used for sharing keys used for public key encryption and for authenticating digital signatures. All major web browsers and web servers use digital certificates to authenticate the server and to establish the keys that encrypt web content in transit, so that an unauthorized actor on the network can neither read nor modify the published content.
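The certificate chain just described, as an added Go example written for this page (not code from the original article): a small certificate authority signs a merchant's certificate, and a verifier that trusts only that CA checks the chain the way a browser does. The CA names, the merchant host name, the key type and the certificates are all constructed for the example. The run also covers the two failure cases the text implies: a certificate whose name was edited after it was signed, and one issued for the same key by a CA the verifier does not trust. Both are rejected because the issuer's signature over the contents no longer verifies against a trusted root.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the example on a setup failure (key generation, issuance).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// CA is a certificate authority: its self-signed certificate plus the private
// key with which it signs the certificates it issues.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root (a real CA keeps this key offline or in an HSM).
func NewCA(name string) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &CA{Cert: cert, key: key}
}

// Issue binds the subject's public key to its host name: the CA signs the
// certificate fields (name, key, validity, permitted use) with its private
// key and returns the DER encoding that the subject will present.
func (ca *CA) Issue(dnsName string, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // example only; real CAs use random serials
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// VerifyChain does what a browser does with a presented certificate: parse it,
// check the name, and check the issuer's signature back to a root the verifier
// already trusts. A nil result means the certificate is trusted.
func VerifyChain(der []byte, trusted *x509.CertPool, dnsName string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: dnsName})
	return err
}

// Demo issues a merchant certificate from a trusted CA and returns the
// verifier's verdict (nil = trusted) for three certificates. Names are constructed.
func Demo() (genuine, tampered, untrusted error) {
	bankCA := NewCA("Example Bank CA")
	rogueCA := NewCA("Rogue CA")
	merchantKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	genuineDER, err := bankCA.Issue("merchant.example", &merchantKey.PublicKey)
	check(err)
	rogueDER, err := rogueCA.Issue("merchant.example", &merchantKey.PublicKey)
	check(err)
	// Edit the name inside the signed DER (same length, so it still parses);
	// the issuer's signature no longer matches the contents.
	tamperedDER := bytes.ReplaceAll(genuineDER, []byte("merchant.example"), []byte("merchant.exampl3"))
	trusted := x509.NewCertPool() // this verifier trusts only Example Bank CA
	trusted.AddCert(bankCA.Cert)
	return VerifyChain(genuineDER, trusted, "merchant.example"),
		VerifyChain(tamperedDER, trusted, "merchant.exampl3"),
		VerifyChain(rogueDER, trusted, "merchant.example")
}

func main() {
	g, t, u := Demo()
	fmt.Println("genuine:", g, "\ntampered:", t, "\nuntrusted:", u)
}
```

The genuine certificate verifies; the other two fail with an "unknown authority" error, because the only way a verifier can tell a legitimate certificate from a forged one is the issuer's signature, and that signature is checked against the roots it was configured to trust, never against a root shipped inside the certificate itself.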
Digital certificates are also used in other contexts, online and offline, for providing cryptographic assurance and data privacy. Digital certificates supported by mobile operating environments, laptops, tablet computers, internet of things (IoT) devices, and networking and software applications help protect websites, wireless networks and virtual private networks.

Digital certificates vs. digital signatures

Public key cryptography supports several different functions, including encryption and authentication, and enables a digital signature. Digital signatures are generated using algorithms for signing data so that a recipient can confirm the data was signed by the holder of a particular private key. A digital signature is generated by hashing the data to be signed with a one-way cryptographic hash; the resulting digest is then signed with the signer's private key. (With RSA this step is often loosely described as "encrypting the hash with the private key"; it is a signing operation with its own padding, and other signature algorithms have no encryption step at all.) The signature is verified with the signer's public key: the verifier runs the same one-way hash over the content that was received, and the verifying algorithm confirms that the signature corresponds to that digest. If it does, this proves that the data was unchanged from when it was signed and that the signature was made by the holder of the private key matching the public key. A digital signature can depend on the distribution of a public key in the form of a digital certificate, but it is not mandatory that the public key be transmitted in that form. However, digital certificates are themselves signed digitally, and they should not be trusted unless that signature can be verified against an issuer the verifier already trusts.

Encryption

Encryption is the process of taking plain text, like a text message or email, and scrambling it into an unreadable format, called "cipher text". This helps protect the confidentiality of digital data either stored on computer systems or transmitted through a network like the internet.
When the intended recipient accesses the message, the information is translated back to its original form. This is called decryption. To unlock the message, the recipient needs the right key. A key is not a collection of algorithms but a secret value that the algorithm, which is itself public and well known, uses to scramble and unscramble the data. With symmetric encryption, such as AES, the sender and the recipient share one secret key, which must be exchanged over a secure channel beforehand; with public key encryption, the sender uses the recipient's public key and only the recipient's private key can decrypt.