B.Com.(Hons.)/B.Com.(P.) Semester-III/IV
SKILL ENHANCEMENT COURSE (SEC)
E-COMMERCE
Unit I-V

SCHOOL OF OPEN LEARNING
UNIVERSITY OF DELHI
Department of Commerce

Graduate Course
E-Commerce
Study Material : Unit I-V

Contents

Unit-I : E-Commerce
Unit-II, Lesson 1 : Online Business Transactions: Rationale of transacting online
Unit-II, Lesson 2 : e-marketing, e-tailing, Online Services, e-auctions, Online Portal
Unit-III : Website Designing: Introduction to HTML tags and attributes: Text formatting, fonts, hypertext links, tables, images, lists, forms, cascading style sheets
Unit-IV, Lesson 1 : E-payment System: payment methods - Debit card, Credit card, Smart cards, E-Money, E-Wallets
Unit-IV, Lesson 2 : Automated Clearing House
Unit-V, Lesson 1 : Security and Legal Aspects of E-commerce: E-commerce security - meaning and issues
Unit-V, Lesson 2 : Information Technology Act 2000: provisions related to offences, secure electronic records, digital signatures, penalties and adjudication
Unit-V, Lesson 3 : Duties of Subscribers
Unit-V, Lesson 4 : Penalties and Adjudication

Editor : K.B. Gupta
Written by : Sumita Jain

SCHOOL OF OPEN LEARNING
University of Delhi
5, Cavalry Lane, Delhi-110007

UNIT I
E-COMMERCE

Introduction to E-Commerce

Concepts and significance of E-commerce; Driving forces of E-commerce; E-commerce business models - key elements of a business model and categories; Mechanism Dynamics of World Wide Web and internet - evolution and features; Design and launch of E-commerce website - decisions regarding selection of hardware and software; Outsourcing vs in-house development of a website

Concepts and significance of E-commerce

E-commerce is a technology-mediated exchange between parties (individuals or organizations) as well as the electronically based intra- or inter-organizational activities that facilitate such exchanges. It has been defined broadly as the transacting of business over the Web.
Just as the 80's and early 90's were characterized by businesses achieving greater efficiencies within their organizations using information technology, the last half of this decade is seeing a new wave of increased efficiencies by extending information technology to the Web, both to trading partners and to end consumers. While efficiencies lead to increased profitability, the Web offers other advantages, such as greater reach, shorter-term relationships, one-to-one marketing, reintermediation and disintermediation, which are either difficult or impossible to achieve in the traditional physical economy. Obviously, electronic commerce will first pass through a phase of "electrification" of current trading practices, and only later evolve into something radically different from its physical counterpart.

E-commerce, or electronic commerce, is an emerging concept that describes the process of buying, selling or exchanging products, services and information via computer networks, including the Internet. It includes all inter-company and intra-company functions (such as marketing, finance, manufacturing, selling and negotiation) that enable commerce and use electronic mail, EDI, file transfer, fax, video conferencing, workflow, or interaction with a remote computer.

E-Business describes the broadest definition of EC. It includes customer service and intra-business tasks. It is frequently used interchangeably with EC.

E-commerce, or electronic commerce, is defined as "the conducting of business communication and transactions over networks and through computers".

E-commerce can be defined from various perspectives as:

Communications perspective: From a communication perspective, e-commerce is the delivery of goods, services, information or payments over computer networks, telephone lines or any other electronic means.
Business perspective: From a business perspective, e-commerce is the application of technology toward the automation of business transactions.

Service perspective: From a service perspective, e-commerce is a tool that addresses the desire of firms, consumers and management to cut service costs while improving the quality of goods and increasing the speed of service delivery.

Commercial (trading) perspective: From a commercial perspective, e-commerce provides the capability of buying and selling products, services and information on the Internet and via other online services.

Learning perspective: From a learning perspective, e-commerce is an enabler of online training and education in schools, universities and other organizations.

Collaborative perspective: From a collaborative perspective, e-commerce is the framework of inter- and intra-organizational collaboration.

Community perspective: From a community perspective, e-commerce provides a gathering place for community members to learn, transact and collaborate.

E-Commerce has opened new opportunities for:
1. Producers
2. Wholesalers and distributors
3. Big retailers
4. Small entrepreneurs

E-Commerce

The emergence of electronic commerce started in the early 1970s with the earliest example, electronic funds transfer (EFT), which allows organizations to transfer funds between one another electronically. Then another technology, electronic data interchange (EDI), was introduced. It helps to extend inter-business transactions from financial institutions to other types of business and also provides transactions and information exchanges from suppliers to end customers. However, early system development was limited to special networks such as those of large corporations and financial institutions, which are costly and complex to administer for small business. So EDI was not as widely accepted as expected.

Driving forces of E-commerce

E-Commerce Drivers

There are five drivers that promote e-commerce.
These are:

Digital convergence: The digital revolution has made it possible for almost all digital devices to communicate with one another. The Internet's massive growth during the past 10 years, which is entirely a creation of market forces, will continue.

Ubiquity: Today's e-commerce is available to anyone, anywhere in the world, 24 hours a day, 7 days a week. E-commerce ties together the industrial sector, merchants, the service sector and content providers using text, multimedia, video and other technologies.

Changes in organizations: More and more, today's businesses empower frontline workers to do the kind of work once performed by junior management. A trend is also developing toward partnering owners and managers across departments to develop a chain of relationships that adds value to the enterprise.

Information density: Global competition and the proliferation of products and services worldwide have added unusual pressure to keep a close watch on operating costs and maximize profit margins. E-commerce addresses these concerns quickly, efficiently and at low cost.

Personalization/Customization: Today's customers are collectively demanding higher quality and better performance, including a customized way of producing, delivering and paying for goods and services. Mass customization puts pressure on firms to handle customized requests on a mass-market scale.

E-Commerce Business models - key elements of a business model and categories

Electronic commerce business models have been divided into four distinct categories.

Fig. 1.2 Categories of E-commerce. (Business Models of E-Commerce: B2B, B2C, C2B, C2C, B2G)

B2B: Companies can conveniently and quickly check their suppliers' inventory or make instant purchases. [Portals linking different business firms or different parts of a business.]

B2C: B2C is the selling of goods and services to a customer, where the transaction takes place through the Internet.
In this model sellers sell products and services directly to customers. B2C e-business models include virtual malls, which are websites that host many online transactions. B2C e-commerce refers to the buying and selling of goods via the web, from web retailers to web customers. (Products or services directly to consumers.)

C2B: Consumers set prices and companies bid to offer products and services. Also called supply chain management or the "demand collection model", it enables buyers to name their own prices, often binding, for a specific good or service, generating demand. The web site collects the demand bids and then offers the bids to the participating sellers.

C2C: C2C e-commerce allows unknown, untrusted parties to sell goods and services to one another. (Consumers buy and sell from each other through a quotation.)

Mechanism Dynamics of World Wide Web and internet - evolution and features

With the progress of Internet technology and a highly developed global Internet community, a strong foundation for prosperous electronic commerce continues to be built. During the 1990s the Internet was opened for commercial use; it was also the period in which users started to participate in the World Wide Web (WWW), and personal computer (PC) usage grew rapidly. Due to the rapid expansion of the WWW network, e-commerce software and peer business competition, a large number of dot-coms and Internet start-ups appeared. Together with the commercialization of the Internet, the invention of the Web and PC networks, these three important factors made electronic commerce possible and successful.

Framework of E-Commerce

E-commerce is not just having a web site; EC is more than that. There are a number of EC applications, such as home banking, online shopping, finding a job, etc. They rest on supporting pillars: public policy, legal and privacy issues; and technical standards for electronic documents, multimedia and network protocols.
To execute these applications, it is necessary to have supporting information and organizational infrastructure. The EC applications are supported by infrastructures. Their implementation is dependent on four major areas (shown as supporting pillars): people, public policy, technical standards and protocols, and other organizations. EC management coordinates the applications, infrastructures and pillars. It also includes Internet marketing and advertisement.

Design and launch of E-commerce website - decisions regarding selection of hardware and software

For the design and launch of a website there are many decisions, not only about software and hardware but also about the payment mechanism, the cost of shipping, integration using credit/debit cards, delivery of orders through a delivery company and, most important, the payment methods offered, such as cash on delivery, payment by UPI, debit card or credit card. These points are very important:

1. Payment: The company provides different payment methods such as credit card, debit card or cash on delivery.
2. Time: Orders are delivered within 24 hours.
3. Cost: Shipping is not free of cost.
4. Integration: Easy integration using credit and debit cards.
5. Scalability: Only in India.
6. Customization: Easy customization. Registration to dealsandyou.com is free; users are only billed when they purchase a deal from the Deals and You company.
7. Challenges: The Deals and You company makes no warranty for the quality, safety, usability or other aspects of the product or service marketed through Deals and You.
8. Platform: E-mail support and phone support.
9. Hardware: Servers are used for online orders 24x7. Big companies use clouds for fast access to data at any time, anywhere.
10. Software: Software must be easy for customers and must be customer friendly. Today most software is used on mobile, so mobile apps must be easier and consumer friendly. Some of the popular mobile apps are:
    1. Amazon
    2. Flipkart
    3. Myntra
    4. Jio Mart

Outsourcing vs in-house development of a website

(Figure: Website Development - In-house Development / Outsourcing)

A website can be maintained by two popular methods:
1. Outsourcing
2. In-house development

1. Outsourcing: In this method the website is maintained by experts and professionals, and all they need is money to maintain the website. If the business is small then this method is very good, but in case of a large volume of business the other method will be better.

2. In-house development: In-house development is used when all the professionals and experts work for the company itself, in which they are employed, and provide services to outsiders just as an outsourcing company would.

Summary

The emergence of electronic commerce started in the early 1970s with the earliest example, electronic funds transfer (EFT), which allows organizations to transfer funds between one another electronically. Then another technology, electronic data interchange (EDI), was introduced. It helps to extend inter-business transactions from financial institutions to other types of business and also provides transactions and information exchanges from suppliers to end customers. However, early system development was limited to special networks such as those of large corporations and financial institutions, which are costly and complex to administer for small business. So EDI was not as widely accepted as expected.

Exercise

1. Mix and Match

Column A (description) / Column B (model)

1. Companies can conveniently and quickly check their suppliers' inventory or make instant purchases.   (1) B2C
2. ... is the selling of goods and services to a customer and the transaction takes place through the Internet. In this model sellers sell products and services directly to customers. B2C e-business models include virtual malls, which are websites that host many online transactions. B2C e-commerce refers to the buying and selling of goods via the web, from web retailers to web customers.   (2) B2B
3. Also called supply chain management or the demand collection model.   (3) C2C
4. E-Commerce allows unknown, untrusted parties to sell goods and services to one another.   (4) C2B

Ans. 1(2), 2(1), 3(4), 4(3)

2. Fill in the blanks

1. E-Business describes the broadest definition of EC. It includes customer service and intra-business tasks. It is frequently used ……………..
2. ……………. is defined as the conducting of business communication and transactions over networks and through computers.
3. Servers are used for online orders 24x7. Big companies use clouds for fast access to data at ………..
4. Software must be easy for customers and must be customer friendly. Today most software is used on mobile. ………….. must be easier and consumer friendly.

Ans: 1. interchangeably with EC; 2. Electronic commerce; 3. any time, anywhere; 4. So mobile apps

3. Find the statements True and False

1. From a business perspective, e-commerce is not the application of technology toward the automation of business transactions.
2. From a service perspective, e-commerce is a tool that addresses the desire of firms, consumers and management to cut service costs while not improving the quality of goods and increasing the speed of service delivery.
3. From a commercial perspective, e-commerce provides the capability of buying and selling products, services and information on the Internet and via other online services.
4. From a learning perspective, e-commerce is an enabler of online training and education in schools, universities and other organizations.

Ans: 1. False 2. False 3. True 4. True

4. Short and long Questions

1. Define E-Commerce
2. Driving forces of E-Commerce
3. E-Commerce Model
4. Design and Launch of E-Commerce
5. Outsourcing vs in-house website
LESSON-1
UNIT II
Online Business Transactions: Rationale of transacting online

Online Business Transactions: Rationale of transacting online; E-commerce applications in various industries (banking, insurance, payment of utility bills and others)

Online Business Transactions: Rationale of transacting online

E-business transactions involve changes in an organization's business and functional processes with the application of the technologies, philosophies and computing paradigms of the new digital economy. It is an Internet initiative which transforms business relationships. It includes all aspects of e-commerce. With the help of e-business solutions, companies have succeeded in developing their technology and increasing their turnover. Together, e-business and e-commerce have helped create systems of applications and utilities whereby money, information and services can be exchanged via the web. It is important to align the main business of the firm with the e-business strategy of the firm in order to succeed.

Business Models of E-Commerce

To transform the business scenario, various models of e-commerce have been proposed to establish an electronic link between businesses and consumers. These models have brought business and consumer closer to each other and transformed the way of conducting business drastically. Business models are classified as follows:
Business to Consumer (B2C)
Business to Business (B2B)
Consumer-to-Consumer or Peer-to-Peer (C2C/P2P)
Consumer-to-Business (C2B)
Business to Government (B2G)

Business-to-Consumer (B2C)

When conducting business over the Internet, there are several different transaction or business models that exist within the world of e-business. One of the most common models in e-commerce is the Business-to-Consumer (B2C) model. Business to Consumer commerce (B2C) "applies to any business or organization that sells its products or services to consumers over the internet for their own use".
In other words, it provides a direct sale between the supplier and the individual consumer. B2C e-commerce involves what is known as electronic retailing or e-tailing. E-tailing involves online retail sales. E-tailing makes it easier for a manufacturer to sell directly to a customer, cutting out the need for an intermediary (retailer). With B2C transactions there is no need for retailers and therefore no need for a physical store from which to distribute products. An electronic or Web storefront refers to a single company web site where products and services are sold. Customers can browse online catalogs or electronic storefronts when it best suits them.

B2C commerce created much hype when it first took off. The first noticeable success arrived around 1995, when companies like eBay.com and amazon.com were launched. When the success of these companies took off, many other imitations were born. However, the market turned sour and many of the B2C companies crashed. The main things which are browsed and sell well over the Internet include:

1. Computer hardware and software: While hardware is most popular, more and more people buy software online as well.
2. Consumer electronics: The second largest product category sold online. Digital cameras, printers, scanners and wireless devices (mobile phones) are some of the electronics bought online.

E-commerce applications in various industries (banking, insurance, payment of utility bills and others)

Major Activities of B2C E-Commerce

There are various kinds of activities involved in conducting B2C e-commerce, which are depicted in Fig. 2.1.

Fig. 2.1 Major activities of B2C E-Commerce.

Advantages of Internet auctions

Convenience: It gives the participants convenience, as a bidder can stay at his home or office and still participate in the bidding just as in traditional auctions. In addition, it is also more convenient for a bidder to find out more about the good being auctioned.
Flexibility: Traditional auctions allow only synchronous bidding, requiring all bidders to participate at the same time. In contrast, Internet auctions allow asynchronous bidding lasting days or weeks, which offers more flexibility to the bidders.

Increased reach: The potential reach of an Internet-based auction site is global, and thus the market for the auctioned good is very large.

Economical to operate: These are cheaper to run, as a lot of the costs relating to the infrastructure required for a conventional auction system are not necessary.

Disadvantages of Internet auctions

Inspection of goods: In an Internet-based auction it is not possible to physically inspect the goods. The bidders have to rely on the information provided or sometimes may have to rely on electronic images of the goods on auction.

Potential for fraud: An Internet bidder has to trust that the seller will actually send the good for which he paid. Also, payments are made by providing credit card details through the Internet, which may not always be safe.

Banking: Transfer of money from one bank to another using various methods

1. Online Banking
(i) NEFT
(ii) RTGS

(i) NEFT - The acronym "NEFT" stands for National Electronic Funds Transfer. Funds are transferred to the credit account with the other participating bank using RBI's NEFT service. RBI acts as the service provider and transfers the credit to the other bank's account.

(ii) RTGS - The acronym "RTGS" stands for Real Time Gross Settlement. The RTGS system facilitates the transfer of funds from accounts in one bank to another on a "real time" and "gross settlement" basis. The RTGS system is the fastest possible inter-bank money transfer facility available through secure banking channels in India.

Payment of insurance instalments, payment of utility bills and others can be easily done using various methods:
1. Debit Card
2. Credit Card
3. UPI App
   3.1 Paytm
   3.2 MobiKwik
   3.3 Jio
4. Cash
5. NEFT
6. RTGS

Problems with the traditional payment systems

There are many problems with the traditional payment systems that are leading to their fade-out. Some of them are enumerated below:

Lack of convenience: Traditional payment systems require the consumer either to send paper cheques by snail mail or to physically come over and sign papers before performing a transaction. This may sometimes lead to annoying circumstances.

Lack of security: This is because the consumer has to send all confidential data on paper, which is not encrypted, and that too by post, where it may be read by anyone.

Lack of coverage: When we talk in terms of current businesses, they span many countries or states. These business houses need faster transactions everywhere. This is not possible without the bank having a branch near all of the company's offices. This statement is self-explanatory.

Lack of eligibility: Not all potential buyers may have a bank account.

Lack of support for micro-transactions: Many transactions done on the Internet are of very low cost, though they involve data flow between two countries. The same, if done on paper, may not be feasible at all.

To overcome the drawbacks of traditional payment systems, several new electronic payment systems have been developed, like e-cash, e-cheques, credit cards, smart cards etc.

Electronic Payment System (EPS)

Electronic payment systems are online payment systems. The goal of their development is to create analogs of cheques and cash on the Internet.

Features of EPS

An EPS implements all or some of the following features:
1. Protecting customers from merchant fraud by keeping credit card numbers unknown to merchants.
2. Allowing people without credit cards to engage in online transactions.
3. Protecting the confidentiality of customers.
4. In some cases providing anonymity of customers ("electronic cash").
For online shopping, almost everyone loves the convenience of online payments rather than the burdensome task of mailing funds for a purchase. As a business owner, you also can experience a huge decrease in the time it takes to get your funds into your hands.

In order for payment processing to work successfully, multiple entities have to be working in a coordinated or compatible system. Here are some of the entities involved:
• Customer
• Gateway
• Bank
• Clearinghouse
• Merchant

Types of Electronic Payment Systems

There are various kinds of payment systems available for electronic transactions, like electronic tokens, e-cash and e-cheques. Now let's discuss these systems and associated issues in detail:

1. Electronic Tokens: An electronic token is a digital analog of various forms of payment backed by a bank or financial institution. There are two types of tokens:
(a) Real Time Tokens (Pre-paid tokens): These are exchanged between buyer and seller; their users pre-pay for tokens that serve as currency. Transactions are settled with the exchange of these tokens. Examples of these are DigiCash, debit cards etc.
(b) Post Paid Tokens: These are used with fund transfer instructions between the buyer and seller. Examples: electronic cheques, credit card data etc.

2. Electronic or Digital Cash: This combines computerized convenience with security and privacy that improve upon paper cash. Cash is still the dominant form of payment because the consumer still mistrusts the banks, non-cash transactions are inefficiently cleared, and in addition real interest rates on bank deposits are negative. Some qualities of cash are:
• Cash is legal tender, i.e. the payee is obliged to take it.
• It is negotiable, i.e. it can be given or traded to someone else.
• It is a bearer instrument, i.e. possession is proof of ownership.
• It can be held and used by anyone, even those without a bank account.
• It places no risk on the part of the acceptor.
The following are the limitations of debit and credit cards:
• They are identification cards owned by the issuer and restricted to one user, i.e. they cannot be given away.
• They are not legal tender.
• Their usage requires an account relationship and an authorization system.

Properties of Digital Cash

The properties of digital cash are:
• Must have a monetary value: It must be backed by cash (currency), bank-authorized credit or a bank-certified cashier's cheque.
• Must be interoperable or exchangeable: It must be interoperable or exchangeable as payment for other digital cash, paper cash, goods or services, lines of credit, bank notes or obligations, electronic benefit transfers and the like.
• Must be storable and retrievable: Cash could be stored in a remote computer's memory, in smart cards, or on other easily transported standard or special-purpose devices. Remote storage or retrieval would allow users to exchange digital cash from home or office or while travelling.
• Should not be easy to copy or tamper with while it is being exchanged: This is achieved by using the following technologies, which are nothing but new and very efficient versions of the old art of cryptography.

Digital cash is based on cryptographic systems called "digital signatures", similar to the signatures used by banks on paper cheques to authenticate a customer. Purchase of digital cash from an online currency server (or bank) involves two steps:
(i) Establishment of an account: In this step we are given a unique digital number which also becomes our digital signature. As it is a number known only to the customer and the bank, forgery, which may be done with paper cheques, becomes very difficult.
(ii) Maintenance of sufficient money in the account is required to back any purchase.

3. Electronic Cheques: Electronic cheques are modeled on paper cheques, except that they are initiated electronically.
They use digital signatures for signing and endorsing and require the use of digital certificates to authenticate the payer, the payer's bank and bank account. They are delivered either by direct transmission using telephone lines or by public networks such as the Internet.

Benefits of electronic cheques: Some benefits of electronic cheques are:
• Well suited for clearing micro-payments. The conventional cryptography of e-cheques makes them easier to process than systems based on public key cryptography (like digital cash).
• They can serve corporate markets. Firms can use them in a more cost-effective manner.
• They create float, and the availability of float is an important requirement of commerce.

4. Credit Card

Fig. 6.1. Credit Card and its Machine.

A credit card is an instrument of payment which enables the cardholder to obtain either goods or services from merchants where arrangements have been made to reimburse the merchant. The outstanding amount is payable by the cardholder to the bank over a specified period, which also carries a fixed amount of interest. It is a source of revolving credit. A number of parties are involved in a credit card transaction, and there is a contract between the card issuer and the cardholder whereby the cardholder is allowed to make use of the card at specified retail outlets (member establishments) to pay for goods and services. There is also another, separate agreement between the card organization and the member establishments. When a cardholder makes purchases from specified retail outlets, the retail outlets make out bills to the account of the cardholder and obtain payment from the card organization, which in turn makes a monthly bill to the bank which issued the card. The bank subsequently makes payment to the debit of the customer's account. The whole process takes about 30 to 40 days, and during this period the cardholder enjoys credit.
How Credit Cards Work

Credit cards work in an e-government application as they work in the physical world. Citizens enter credit card information into a Web application to pay for goods or services. A government credit card application should invoke the required data and business-rule edits to validate the online data elements. Some of the edits could include user name, password, merchant ID, account number, expiration date, amount and customer-billing data. Once the required data has passed the credit card application edits, the authenticity of the cardholder's card and account number must be validated, and the transaction amount must be within the cardholder's credit limit. Processor-required elements could include merchant ID, account number, expiration date, amount, customer-billing data, card type and Card Verification Value (CVV). When all required edits are passed, the transaction is transmitted to the credit card processor and associated networks for authorization. The credit card-processing network returns an authorization approval, which indicates that the credit card is valid and the amount is within the cardholder's credit limit. A denial code will be returned when the credit card cannot be authenticated or credit limits have been exceeded. The opportunity to use another card or some other payment option might then be offered.

Fig. 6.2. Working of Credit Card.

5. Debit Card: Debit cards are also known as check cards. Debit cards look like credit cards or Automated Teller Machine (ATM) cards, but they operate like cash or personal cheques. Debit cards are different from credit cards. While a credit card is a way to "pay later", a debit card is a way to "pay now". When a debit card is used, money is quickly deducted from the related checking or savings account.
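The two stages described above (the application's data and business-rule edits, then the processor's approve-or-deny decision) can be followed in code. The example below is an added illustration, not code from the study material: it runs the edits the text lists (merchant ID, account number, expiration date, amount, CVV, billing data) against a transaction, then asks a mock processor for an approval or a denial, and shows what the merchant keeps afterwards, which also demonstrates the EPS feature of keeping the full card number away from the merchant. The issuer records, the merchant ID "SHOP01", the denial codes and the fixed "today" are constructed for the example; 4111 1111 1111 1111 is a widely published Luhn-valid test number, not a real account.

```python
"""Merchant-side credit card edits and a mock processor authorization (added example)."""
from dataclasses import dataclass
from datetime import date
import hmac
import re


@dataclass(frozen=True)
class CardTransaction:
    merchant_id: str
    pan: str            # primary account number as entered by the customer
    exp_month: int
    exp_year: int
    cvv: str
    amount_paise: int   # whole paise, never a float, so no rounding surprises
    billing_name: str


SAMPLE_TODAY = date(2024, 6, 1)   # constructed "today" so results are reproducible


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: catches mistyped account numbers before any network call."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_edits(tx: CardTransaction, today: date) -> list:
    """Data and business-rule edits; returns the names of the fields that failed."""
    failed = []
    if not re.fullmatch(r"[A-Z0-9]{4,15}", tx.merchant_id):
        failed.append("merchant_id")
    if not (re.fullmatch(r"\d{13,19}", tx.pan) and luhn_valid(tx.pan)):
        failed.append("account_number")
    # a card stays valid through the last day of its expiry month
    if not (1 <= tx.exp_month <= 12) or (tx.exp_year, tx.exp_month) < (today.year, today.month):
        failed.append("expiration_date")
    if not re.fullmatch(r"\d{3,4}", tx.cvv):
        failed.append("cvv")
    if tx.amount_paise <= 0:
        failed.append("amount")
    if not tx.billing_name.strip():
        failed.append("billing_name")
    return failed


# Constructed issuer records standing in for the processor/issuer side.
SAMPLE_ISSUER_RECORDS = {
    "4111111111111111": {"cvv": "123", "limit_paise": 5_000_000, "outstanding_paise": 4_200_000},
}


def authorize(tx: CardTransaction, today: date, issuer_records=SAMPLE_ISSUER_RECORDS) -> dict:
    """Run the edits locally, then ask the (mock) processor for approval or a denial code."""
    failed = validate_edits(tx, today)
    if failed:
        # nothing is transmitted to the processor when a local edit fails
        return {"status": "REJECTED", "code": "EDIT_FAILED", "fields": failed}
    record = issuer_records.get(tx.pan)
    # constant-time comparison so the CVV check does not leak timing information
    if record is None or not hmac.compare_digest(record["cvv"], tx.cvv):
        return {"status": "DENIED", "code": "CARD_NOT_AUTHENTICATED"}
    if record["outstanding_paise"] + tx.amount_paise > record["limit_paise"]:
        return {"status": "DENIED", "code": "CREDIT_LIMIT_EXCEEDED"}
    return {"status": "APPROVED", "code": "APPROVED"}


def merchant_record(tx: CardTransaction, result: dict) -> dict:
    """What the merchant retains: the last four digits only, and never the CVV."""
    return {
        "merchant_id": tx.merchant_id,
        "pan_masked": "*" * (len(tx.pan) - 4) + tx.pan[-4:],
        "amount_paise": tx.amount_paise,
        "status": result["status"],
        "code": result["code"],
    }


if __name__ == "__main__":
    tx = CardTransaction("SHOP01", "4111111111111111", 12, 2026, "123", 50_000, "A. Customer")
    outcome = authorize(tx, SAMPLE_TODAY)
    print(outcome)                       # approved: edits pass and the amount fits the limit
    print(merchant_record(tx, outcome))  # masked PAN, no CVV stored
```

The order matters: the edits run before anything is sent, so a mistyped number or an expired date never reaches the processor, while authentication of the card and the limit check can only be answered by the issuer side. The merchant record deliberately drops the CVV and keeps a masked account number, which is the practical form of the EPS goal of keeping card numbers unknown to merchants.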
Debit cards are accepted at many locations, including grocery stores, retail stores, gasoline stations, and restaurants. Debit cards can be used anywhere merchants display the card's brand name or logo. Debit cards offer an alternative to carrying a checkbook or cash.

In the following picture the basic components of an ATM machine are shown, through which we can carry out various kinds of transactions like balance enquiry, cash withdrawal, cash deposit, online payments, mini statements and online recharge of prepaid mobile cards of Hutch, Airtel etc. It has the following components:
• Signage
• Transaction Screen
• Card Reader
• Receipt Printer
• Audio Port
• Cassette options
• Envelope options (for cash deposit in some machines)
Fig. 6.3. ATM Machine.

Debit means "subtract." When a debit card is used, money is subtracted from the related bank account. Debit cards allow only the amount in the bank account to be spent and provide for quick transactions between merchants and personal bank accounts. "Online" debit cards are usually enhanced ATM cards that work in the same manner as an ATM transaction, allowing for an immediate electronic transfer of money from a consumer's bank account to a merchant's bank account. To access an account at a store terminal, a PIN must be entered, just as in an ATM transaction, giving the system authorization to check the account to see if it contains enough money to cover the transaction. The main advantages of debit cards are:
(a) There is no need to carry cash.
(b) It is quick and less complicated than using a cheque.
(c) It can also be used for withdrawals of cash.
(d) Its holder can have a record of the transactions in his bank statement, which will enable him to plan and control expenditure.
(e) It can be issued to any individual without assessing credit worthiness.

Advantages of Electronic Payment System
The various factors that have led financial institutions to make use of electronic payments are:
1. Decreasing technology cost: The cost of the technology used in the networks is decreasing day by day, which is evident from the fact that computers are now dirt-cheap and Internet access is becoming free almost everywhere in the world.
2. Reduced operational and processing cost: Due to the reduced technology cost, the processing cost of various commerce activities becomes very low. A very simple reason to prove this is the fact that in electronic transactions we save both paper and time.
3. Increasing online commerce: The above two factors have led many institutions to go online, and many others are following them.
Fig. 6.4. Electronic Payment System.

Problems in implementing EPS
The problems in implementing electronic payment systems, especially anonymous electronic money, are:
1. Preventing double spending: copying the "money" and spending it several times. This is especially hard to do with anonymous money.
2. Making sure that neither the customer nor the merchant can make an unauthorized transaction.
3. Preserving the customer's confidentiality without allowing customer fraud.
Electronic payment is a financial exchange that takes place online between buyers and sellers. The content of this exchange is usually some form of digital financial instrument (such as encrypted credit card numbers, electronic cheques or digital cash) that is backed by a bank or an intermediary, or by legal tender.

Risks Associated With Electronic Payments
Electronic payments are steadily replacing traditional vehicles like currency and the paper check as a preferred means of payment in the world.
The volume growth of electronic payments and the wider array of payment vehicles now in common use has made managing the risks associated with these payments more important than ever to consumers, businesses, financial institutions, and the economy as a whole. The notion of security of payment is clearly insufficient to provide an appropriate conceptual framework for the technical and institutional design of Internet payment systems. There is a need for a broader approach of risk management. Such an approach recognizes that electronic payment entails a series of interrelated risks: financial risks, technological risks, operational risks, and legal risks. Some of those risks are generic to the banking business; others are specific to electronic payments, such as interception of messages and break-ins into the security infrastructure.

Operational Risk: Operational risk arises from the potential for loss due to significant deficiencies in system reliability or integrity. Security considerations are paramount, as banks may be subject to external or internal attacks on their systems or products. Operational risk can also arise from customer misuse, and from inadequately designed or implemented electronic banking and electronic money systems. Many of the specific possible manifestations of these risks apply to both electronic banking and electronic money.

Credit Risk: Credit risk is the risk that a counterparty will not settle an obligation for full value, either when due or at any time thereafter. Banks engaging in electronic banking activities may extend credit via non-traditional channels, and expand their market beyond traditional geographic boundaries. Inadequate procedures to determine the creditworthiness of borrowers applying for credit via remote banking procedures could heighten credit risk for banks. Banks engaged in electronic bill payment programs may face credit risk if a third-party intermediary fails to carry out its obligations with respect to payment.
Banks that purchase electronic money from an issuer in order to resell it to customers are also exposed to credit risk in the event the issuer defaults on its obligations to redeem the electronic money.

Legal Risk: Legal risk arises from violations of, or non-conformance with, laws, rules, regulations, or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established. Given the relatively new nature of many retail electronic banking and electronic money activities, the rights and obligations of parties to such transactions are, in some cases, uncertain. For example, the application of some consumer protection rules to electronic banking and electronic money activities in some countries may not be clear. In addition, legal risk may arise from uncertainty about the validity of some agreements formed via electronic media. Electronic money schemes may be attractive to money launderers if the systems offer liberal balance and transaction limits, and provide for limited auditability of transactions. Application of money laundering rules may be inappropriate for some forms of electronic payments. Because electronic banking can be conducted remotely, banks may face increased difficulties in applying traditional methods to prevent and detect criminal activity. Banks engaging in electronic banking and electronic money activities can face legal risk with respect to customer disclosures and privacy protection. Customers who have not been adequately informed about their rights and obligations may bring suit against a bank. Failure to provide adequate privacy protection may also subject a bank to regulatory sanctions in some countries. Banks choosing to enhance customer service by linking their Internet sites to other sites can also face legal risks. A hacker may use the linked site to defraud a bank customer, and the bank could face litigation from the customer.
As electronic commerce expands, banks may seek to play a role in electronic authentication systems, such as those using digital certificates. The role of a certification authority may expose a bank to legal risk. For example, a bank acting as a certification authority may be liable for financial losses incurred by parties relying on the certificate. In addition, legal risk could arise if banks participate in new authentication systems and rights and obligations are not clearly specified in contractual agreements.

Risk Management Options for E-Payment
The rapid pace of technological innovation is likely to change the nature and scope of the risks banks face in electronic money and electronic banking. Supervisors expect banks to have processes that enable bank management to respond to current risks, and to adjust to new risks. A risk management process that includes the three basic elements of assessing risks, controlling risk exposure, and monitoring risks will help banks and supervisors attain these goals. Banks may employ such a process when committing to new electronic banking and electronic money activities, and as they evaluate existing commitments to these activities. It is essential that banks have a comprehensive risk management process in place that is subject to appropriate oversight by the board of directors and senior management. As new risks in electronic banking and electronic money activities are identified and assessed, the board and senior management must be kept informed of these changes. Prior to any new activity being commenced, a comprehensive review should be conducted so that senior management can ensure that the risk management process is adequate to assess, control and monitor any risks arising from the proposed new activity.

Assessing risks: Assessing risks is an ongoing process. It typically involves three steps. First, a bank may engage in a rigorous analytic process to identify risks and, where possible, to quantify them.
In the event risks cannot be quantified, management may still identify how potential risks can arise and the steps it has taken to deal with and limit those risks. Bank management should form a reasonable and defensible judgment of the magnitude of any risk with respect to both the impact it could have on the bank (including the maximum potential impact) and the probability that such an event will occur. A second step in assessing risk is for the board of directors or senior management to determine the bank's risk tolerance, based on an assessment of the losses the bank can afford to sustain in the event a given problem materializes. Finally, management can compare its risk tolerance with its assessment of the magnitude of a risk to ascertain if the risk exposure fits within the tolerance limits.

Managing and controlling risks: Having made an assessment of risks and its risk tolerance, bank management should take steps to manage and control risks. This phase of a risk management process includes activities such as implementing security policies and measures, coordinating internal communication, evaluating and upgrading products and services, implementing measures to ensure that outsourcing risks are controlled and managed, providing disclosures and customer education, and developing contingency plans. Senior management should ensure that staff responsible for enforcing risk limits have authority independent from the business unit undertaking the electronic banking or electronic money activity. Banks increase their ability to control and manage the various risks inherent in any activity when policies and procedures are set out in written documentation and made available to all relevant staff.

Security policies and measures: Security is the combination of systems, applications, and internal controls used to safeguard the integrity, authenticity, and confidentiality of data and operating processes.
Proper security relies on the development and implementation of adequate security policies and security measures for processes within the bank, and for communication between the bank and external parties. A security policy states management's intentions to support information security and provides an explanation of the bank's security organization. It also establishes guidelines that define the bank's security risk tolerance. The policy may define responsibilities for designing, implementing, and enforcing information security measures, and it may establish procedures to evaluate policy compliance, enforce disciplinary measures, and report security violations. Security measures are combinations of hardware and software tools, and personnel management, which contribute to building secure systems and operations. Senior management should regard security as a comprehensive process that is only as strong as the weakest link in the process. Banks can choose from a variety of security measures to prevent or mitigate external and internal attacks and misuse of electronic banking and electronic money. Such measures include, for example, encryption, passwords, firewalls, virus controls, and employee screening. Encryption is the use of cryptographic algorithms to encode clear text data into cipher text to prevent unauthorized observation; passwords, pass phrases, personal identification numbers, hardware-based tokens, and biometrics are techniques for controlling access and identifying users.

Monitoring risks: Ongoing monitoring is an important aspect of any risk management process. For electronic banking and electronic money activities, monitoring is particularly important, both because the nature of the activities is likely to change rapidly as innovations occur, and because of the reliance of some products on the use of open networks such as the Internet. Two important elements of monitoring are system testing and auditing.
System testing and surveillance: Testing of system operations can help detect unusual activity patterns and avert major system problems, disruptions, and attacks. Penetration testing focuses upon the identification, isolation, and confirmation of flaws in the design and implementation of security mechanisms through controlled attempts to penetrate a system outside normal procedures. Surveillance is a form of monitoring in which software and audit applications are used to track activity.

Auditing: Auditing (internal and external) provides an important independent control mechanism for detecting deficiencies and minimizing risks in the provision of electronic banking and electronic money services. The role of an auditor is to ensure that appropriate standards, policies, and procedures are developed, and that the bank consistently adheres to them. Audit personnel must have sufficient specialized expertise to perform an accurate review. An internal auditor should be separate and independent from employees making risk management decisions. To augment internal audit, management may seek qualified external auditors, such as computer security consultants or other professionals with relevant expertise, to provide an independent assessment of the electronic banking or electronic money activity.

Identification, confidentiality and payment integrity
Payments on the Internet need to meet three broad conditions:
• Firstly, each party involved in the transaction must be sure that its counterpart is exactly who she says she is; in other words, the people involved must be identified.
• Secondly, data exchanged between buyers and sellers must remain confidential.
• Finally, buyers must be certain that the information they get about the payment (regardless of the underlying value) is reliable.
Those three conditions can be met by the use of encryption technology. The main issue there is the migration from private to public key cryptography.
The advantages of the latter are well known: employing a public key system, it is possible for a user to receive encrypted messages from an entity he has not met and with whom he has no ongoing relationship. The public key system also offers the possibility to create unique and hard-to-imitate electronic signatures.

Summary
• Online shopping could be defined as the buying and selling of goods over the Internet. Just about anything can be purchased over the internet.
• An electronic token is a digital analog of various forms of payment backed by a bank or financial institution.
• Electronic or Digital Cash combines computerized convenience with security and privacy that improve upon paper cash.
• Electronic cheques are modeled on paper checks, except that they are initiated electronically.
• A credit card is an instrument of payment which enables the cardholder to obtain either goods or services from merchants where arrangements have been made to reimburse the merchant.
• Debit cards are also known as check cards. Debit cards look like credit cards or Automated Teller Machine (ATM) cards, but they operate like cash or personal checks.
• Electronic payment systems are online payment systems. The goal of their development is to create analogs of checks and cash on the Internet.
• The volume growth of electronic payments and the wider array of payment vehicles now in common use has made managing the risks associated with these payments more important than ever to consumers, businesses, financial institutions, and the economy as a whole.
• A payment gateway is a separate service and acts as an intermediary between the merchant's shopping cart and all the financial networks involved with the transaction, including the customer's credit card issuer and your merchant account.
• Benefits of a payment gateway include security, encryption, back-up redundancy and the latest technology.
• "Internet banking" refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer (PC) or other intelligent device.
• Inter Bank Transfer is a special service that allows you to transfer funds electronically to accounts in other banks in India through NEFT and RTGS.
• Numerous factors, like competitive cost, customer service, and demographic considerations, are motivating banks to evaluate their technology and assess their electronic commerce and Internet banking strategies.
• Types of internet banking include informative, communicative and transactional.
• Internet banking may involve risks like credit risk, interest rate risk, liquidity risk, price risk, foreign exchange risk, transaction risks and reputation risks etc.
• As cryptography converts plain text into encrypted form (cipher text), it is very useful for securing data on communication channels.
• Secure Electronic Transaction (SET) is a standard that enables secure credit card transactions on the Internet.
• There are different kinds of techniques and methodologies which are available for authentication of an electronic banking product or service, like shared secrets, USB token devices, smart cards, password generating tokens, biometrics etc.

Exercises
1. What are the problems with traditional payment systems?
2. Explain the following types of electronic payment system in brief:
• electronic tokens
• e-cash
• e-cheques
• smart cards
• credit cards
• debit cards
3. Explain various features and advantages of electronic payment.
4. What are the problems in implementing an electronic payment system?
5. Explain various types of risks associated with electronic payment systems.
6. What is Internet banking? Explain different types of risks assoc
7. What is SET?
8. Explain different types of authentication techniques and processes for authentication of an electronic banking product or service.
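The first two items under "Problems in implementing EPS" earlier in this lesson (preventing double spending of copied digital money, and stopping unauthorized transactions) are illustrated by this added example, which is not part of the study material. It assumes a hypothetical issuing bank that stamps each token with a secret-keyed HMAC tag (a stand-in for the digital signature the text describes, since the standard library has no public-key signing) and a redemption service that keeps a ledger of spent serial numbers; all keys and amounts are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(body: dict) -> bytes:
    """Fixed byte encoding of the token fields, so the same token always tags the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TokenIssuer:
    """Hypothetical issuing bank: mints tokens and later checks that a presented token is its own."""

    def __init__(self, key: bytes):
        self._key = key                       # issuer secret; never leaves the bank

    def issue(self, value_cents: int) -> dict:
        body = {"serial": secrets.token_hex(8), "value": value_cents}
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {**body, "tag": tag}

    def verify(self, token: dict) -> bool:
        body = {k: v for k, v in token.items() if k != "tag"}
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison: a forged or altered token never verifies
        return hmac.compare_digest(expected, token.get("tag", ""))


class RedemptionService:
    """Bank-side deposit endpoint: a token is good exactly once, whoever presents it."""

    def __init__(self, issuer: TokenIssuer):
        self._issuer = issuer
        self._spent = {}                      # serial -> merchant that first redeemed it

    def redeem(self, token: dict, merchant: str) -> str:
        if not self._issuer.verify(token):
            return "REJECTED_INVALID"         # not issued by the bank, or value altered
        serial = token["serial"]
        if serial in self._spent:
            # same serial presented again: the "money" was copied and spent twice
            return "REJECTED_DOUBLE_SPEND"
        self._spent[serial] = merchant
        return "ACCEPTED"


if __name__ == "__main__":
    bank = TokenIssuer(secrets.token_bytes(32))
    deposits = RedemptionService(bank)
    coin = bank.issue(500)                    # a 5.00 token, constructed for the demo
    print(deposits.redeem(coin, "shop-A"))    # ACCEPTED
    print(deposits.redeem(dict(coin), "shop-B"))   # REJECTED_DOUBLE_SPEND (a copy)
    forged = {**coin, "value": 50000}         # merchant edits the value, tag no longer matches
    print(deposits.redeem(forged, "shop-A"))  # REJECTED_INVALID
```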
LESSON-2
e-marketing, e-tailing, Online Services, e-auctions, Online Portal
e-marketing, e-tailing, online services, e-auctions, online portal, online shopping, online learning, e-publishing and e-entertainment

e-marketing
The Information Technology (IT) revolution has been widely touted as having an equal if not greater impact on us than the industrial revolution. The application of electronic commerce or e-commerce has led to many changes in the way business is conducted. By definition, electronic commerce or e-commerce is the purchasing or selling of goods or services and the transfer of funds in any way using electronic communications in inter-company and intra-company business activities. An e-commerce solution is a solution to conduct business using technology, through an intranet, extranet or Internet solution. There are two types of e-commerce: business-to-consumer (B2C) e-commerce, involving companies selling products or services to individuals; and business-to-business (B2B) e-commerce, in which companies sell to other businesses. E-business is an umbrella term that includes e-commerce and refers to the use of the Internet and private intranets to transform a company's value chain (i.e. internal processes, supplier and partner interactions, and customer relationships) with the ultimate goal of creating value for customers. A firm with an effective e-business strategy develops the capabilities needed to improve the flow of information and business intelligence among partners, suppliers, employees and customers. It also aims to solve problems for all parties that comprise its extended value chain. Moving a business to the Internet is a sound strategy for increasing business volume, making a business instantly international and opening up possibilities that can never exist in the "real world". It does not matter even if businesses are small and localized. Going international will facilitate better support, since e-commerce solutions will make it a 24×7 business.
A business with a strong Internet presence can reduce staffing and office space overhead, which can result in more competitive pricing of services and products. The internet can provide a more economical form of advertising. A website with e-commerce capabilities actually draws people back, building brand loyalty and awareness, which is rare in mainstream advertising. Integrated payments with banking and accounting are possible, thereby providing robust support for accounting systems. In e-commerce, the interaction with the system takes place in almost real time and therefore allows the customer or bidder to respond more quickly and reduces the lag time between discussion and purchase.

TRADE CYCLE
A trade cycle is the series of exchanges between a customer and supplier that take place when a commercial exchange is executed. A general trade cycle consists of four phases. These are described below:
1. Pre-Sales: This phase consists of various tasks in finding a supplier and agreeing the terms. This phase can be further classified into:
• Search – finding a supplier
• Negotiate – agreeing the terms of trade
2. Execution: This phase consists of various tasks in selecting goods and delivery. This phase can be further classified into:
• Order
• Delivery taking
3. Settlement: This phase consists of various tasks in invoicing (if any) and payment. This phase can be further classified into:
• Invoice
• Payment
4. After-Sales: This phase consists of various tasks in following up complaints or providing maintenance.

Generic Trade cycles
Three generic trade cycles can be identified:
• Repeat trade cycle: These trade cycles contain regular, repeat transactions between commercial trading partners.
• Credit trade cycle: These trade cycles contain irregular transactions in once-off trading relationships (commercial or retail).
[Figure: Repeat, Credit and Cash trade cycles against the phases Pre-Sale (Search, Negotiate), Execution (Deliver), Settlement (Invoice, Payment) and After Sale (After Sales)]
Fig. 7.1.
Generic Trade Cycles.

Nature of Trade Cycle
For business-to-business transactions the trade cycle typically involves the provision of credit, with execution preceding settlement, whereas in consumer-to-business transactions these two steps are typically coincident. The nature of the trade cycle can indicate the e-Commerce technology most suited to the exchange. On this basis business transactions are classified as follows:
• Commercial transactions that are repeated on a regular basis, such as supermarkets. EDI is the e-Commerce technology appropriate to these exchanges, as shown below.
[Figure: Pre-Sale (Search, Negotiate), Execution (Deliver), Settlement (Invoice), After Sale (After Sales), with EDI covering execution and settlement]
Fig. 7.2. EDI Trade Cycle.
• Consumer transactions tend to be once off (or at least vary each time) and payment is made at the time of the order. Internet e-Commerce is the technology for these exchanges, as shown below:
[Figure: Pre-Sale (Search), Execution (Order, Deliver), Settlement (Payment), After Sale (After Sales)]
Fig 7.3. Consumer E-Commerce.
• The third generic trade cycle is the non-repeating commercial trade cycle, and an Internet e-commerce electronic market is the appropriate e-technology for this.

SUPPLY CHAIN
A supply chain is a network of facilities and distribution options that performs the functions of procurement of materials (from suppliers), transformation of these materials into intermediate and finished products (manufacturing), and the distribution of these finished products to customers. This network adds value for customers through the manufacture and delivery of products.
[Figure: Supplier, Manufacturer, Customer]
A supply chain, logistics network, or supply network is a coordinated system of entities, activities, information and resources involved in moving a product or service from supplier to customer.
Fig 7.4 Supply Chain.
The entities of a supply chain typically consist of
manufacturers, service providers, distributors, and retail outlets. Supply chain activities transform raw materials and components into a finished product. The primary objective of supply chain management is to fulfill customer demands through the most efficient use of resources. In today's rapidly changing business environment, ever-greater demands are being placed on business:
• to provide products and services quicker
• with greater added value
• to the correct location
• with no relevant inventory position
Customers want more quality, design, innovation, choice, convenience and service, and they want to spend less money, effort, time and risk. The supply chain of a company consists of different departments, ranging from procurement of materials to customer service. Supply Chain Management means transforming a company's "supply chain" into an optimally efficient, customer-satisfying process, where the effectiveness of the whole supply chain is more important than the effectiveness of each individual department. The capabilities of Internet technology will change the way we do business with our suppliers and customers, as well as change the face of business: in its processes and techniques, and in the definition of business itself.

Porter's Value Chain Model
To better understand the activities through which a firm develops a competitive advantage and creates shareholder value, it is useful to separate the business system into a series of value-generating activities referred to as the value chain. In his 1985 book Competitive Advantage, Michael Porter introduced a generic value chain model that comprises a sequence of activities found to be common to a wide range of firms. Porter identified primary and support activities as shown in the following diagram:
[Figure: support activities (Firm Infrastructure, Human Resource Management, Technology Development) above primary activities (Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service)]
Fig 7.5 Porter's Value Chain Model.
The primary value chain activities are:
• Inbound Logistics: the receiving and warehousing of raw materials, and then distribution to manufacturing as they are required.
• Operations (Production): the processes of transforming inputs into finished products and services.
• Outbound Logistics: the warehousing and distribution of finished goods.
• Marketing & Sales: the identification of customer needs and the generation of sales.
• Service: the support of customers after the products and services are sold to them.
These primary activities are supported by the support activities:
• The infrastructure of the firm: organizational structure, control systems, company culture, etc.
• Human resource management: employee recruiting, hiring, training, development, and compensation.
• Technology development: technologies to support value-creating activities.
• Procurement: purchasing inputs such as materials, supplies, and equipment.

Linked value chains
Value chain activities are not isolated from one another. Rather, one value chain activity often affects the cost or performance of other ones. Linkages may exist between primary activities and also between primary and support activities. Interrelationships among business units form the basis for a horizontal strategy. Such business unit interrelationships can be identified by a value chain analysis.
[Figure: Inbound Logistics, Operations and Outbound Logistics of one firm linked to the Outbound and Inbound Logistics of its partners]
Fig 7.6. Linked Value Chains. Inbound Logistics – from Suppliers; Outbound Logistics – from Customers.

Role of Electronic Commerce in Value Chain
The capability of Internet technology will change the way we do business with our suppliers and customers, as well as change the face of business. As you know:
• An Intranet is a secured network of web pages and applications which can be accessed by anyone within a company firewall.
• The Internet is a collection of servers and networks which allow users access to information and applications outside of the company firewall.
• An Extranet is a collaborative (private/secure) network that uses Internet technology to link businesses with their suppliers, customers, or partners that share common goals.
• E-Commerce is buying and selling electronically, and E-Business is using the capabilities of Internet technology to conduct business electronically.
E-commerce enhances the value chain by providing:
• Electronic Value Chain: through the electronic value chain, e-commerce enhances business by supporting:
o Reduced time frame
o Changed cost structures
• Re-engineered Value Chain: through the re-engineered value chain, e-commerce enhances business by supporting:
o Just-in-time manufacture
o Quick response supply
o Efficient document processing
• Competitive advantage: e-commerce supports a company in gaining competitive advantage.

E-tailing
1. E-tailing is a way of selling goods on the Internet; many of the websites we use for shopping online, such as Amazon, Flipkart, Naaptol and Jio, are examples.
2. It is a combination of e-commerce and retail.
3. It is beneficial to both the customer and the retailer.
Advantages of E-tailing
1. Cost
2. Access
3. Inventory
1. Cost: The cost of the product without a mediator is always less; only the delivery company is involved in this type of business.
2. Access: A customer does not have to go anywhere. All the products shown can be delivered to his/her place, with whichever payment method the customer would like to use for the product.
3. Inventory: A large variety of products is available; there is no restriction to a limited set of products. The range can be on the basis of money and age.

Online Services
Online services with regard to E-business provide various strategies for the supply chain.
These are:

E-Procurement
E-procurement provides cross-enterprise system-to-system integration, electronic catalogs, and online buying and selling. We will study e-Procurement in detail in the later part of this chapter. Various advantages of e-Procurement are:
• It enhances efficiency
• It reduces cost/cycle time
• It helps in contract compliance and customer reach

E-Collaboration
E-Collaboration provides cross-enterprise technology/design interaction (customer and supplier). Various advantages of e-Collaboration are:
• Design cycle time
• Design synergy, reuse
• Revenue

Integrated Planning/Manufacturing
Integrated planning/manufacturing provides cross-enterprise planning/execution, system-to-system integration, and outsourced manufacturing visibility. Various advantages of integrated planning/manufacturing are:
• Lead time margin
• Accuracy/Flexibility
• Inventory levels
• On-time delivery

Integrated Delivery
Integrated Delivery provides cross-enterprise logistics management/consignment visibility. Various advantages of integrated delivery are:
• Logistics cycle time
• Reduced cost
• Lead time

Online Marketing
Online Marketing provides product boundary extension, new products/services creation, new markets and channel creation. Different aspects of online marketing are discussed in detail in a later part of the book. Various advantages of online marketing are:
• Market Segment Share
• Customer reach

E-Auctions
What are E-Auctions and what is E-procurement?
Electronic procurement (e-Procurement) is the use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process.
e-Procurement can be divided into two parts: direct-material procurement, in which raw materials or components needed for production are procured from supply chain partners, and indirect-material procurement, in which materials that are used indirectly are procured (like office supplies, maintenance-related materials and operation-related supplies).
e-Procurement for Direct Materials: As direct materials are needed for the production process, they require greater scrutiny before ordering. Organizations need to focus on different issues like the integration of suppliers, methods for integrating, etc. Usually these items should be ordered in appropriate quantities, as inventory of these can add further cost.
e-Procurement for Indirect Materials: Indirect materials usually have low value, are not critical to the main production process and are ordered in high volumes. In an organization, a large number of people order these items. By ordering these items online a company can save a valuable amount of money and other resources. The three ways in which these materials can be procured online are given below:
• Seller-side solutions
• Buyer-side solutions
• Third-party solutions
A buy-side e-procurement solution should be user friendly and help employees place orders and purchase goods from their desktop with ease. It should provide a list of preferred suppliers for each product and help reduce non-compliance with the organization’s business rules for purchasing.
Organizations are moving from the business-to-supplier model to a trading community model. In this model, several suppliers of a particular product category come together to form a vertical portal. Indiamart.com provides one such kind of catalog. These kinds of portals represent a comprehensive catalog, which consists of the product details of all the participating suppliers. The buyers can access the catalog, compare product features and prices, select a supplier and place the order.
Since price and product differentiation play an important role in influencing the buyer’s purchasing decision, the suppliers participating in this model should continuously improve their products and cut costs. The success of this model depends on the following factors:
• How well the suppliers’ networks are integrated with each other
• Whether suppliers update their catalogs at regular intervals
• Whether the infrastructure is capable of handling increasing product variety and user volume.
SciQuest, founded in 199), is an online comprehensive database of over 800 suppliers with more than 650,000 scientific products. SciQuest provided a wide range of services to scientists and purchasing professionals. In March 1999, SciQuest added an electronic purchasing system to its online catalog for laboratory instruments, chemicals and supplies. SciQuest streamlined the process of purchasing scientific products. It acted as a facilitator and helped scientists and suppliers access information and communicate with each other.
The success of a sell-side e-procurement solution depends on the supplier’s technological infrastructure, ability to integrate with different technological platforms and ability to cut costs and improve products. In recent times, several suppliers of a single product have been coming together to form vertical portals. Vertical portals are commonly seen in industries like steel, paper and chemicals, where fragmented markets and price variations make it difficult for buyers to make a purchasing decision.
The best practices in e-procurement include: using a procurement card system and an electronic funds transfer system, clarifying the employees’ role in the procurement process, using a strategic approach to implementation and participating in collaborative e-procurement. Collaborative e-procurement is being adopted by many companies to realize high levels of process efficiencies.
The multilevel approval method in traditional organizations to control procurement processes always led to operational delays. Therefore global companies established direct linkages between suppliers and employees to facilitate faster procurement of goods/services. However, companies observed that employees had to spend a considerable amount of time searching for suitable suppliers and procuring the required products and services from them. As individual employees searched for the right supplier each time they wanted to procure goods, the process incurred heavy costs for organizations. They found that automation of the procurement process could improve the situation. It is easy to automate each procurement area or each stage in a procurement life cycle individually and obtain a stand-alone solution. But developing separate procurement systems is not efficient, and the cost of developing, implementing and maintaining them is quite high; therefore, for an efficient and cost-effective procurement system in an organization, it is essential to obtain an integrated solution. In this approach the purchasing department focuses on controlling strategies (rather than day-to-day transactions) and extends its control to the accounting, finance and human resource departments in addition to the production department. Under such a system, the organization emphasizes uniform control across the organization, rather than on a single department or a branch. This highlights the need for a coordinated solution to resource procurement. But the challenge that organizations face is to manage the transition from the existing system to a new integrated framework. An effective e-Procurement solution is one which not only lets employees procure goods with ease but also provides the purchasing department with adequate control over their purchase decisions. It should also enable integration of the new system with the existing systems in the organization.
Different types of middleware software are used for e-procurement solutions for direct materials. For example, webMethods, a vendor, provides an e-procurement solution for direct materials.
Drivers for e-Procurement
e-Procurement has an indirect effect on cash savings by providing access to good deals. Central government, local government and strategic private sector partners are introducing and developing e-Commerce systems for public sector purchasing to improve the procurement process. Countries like the UK are rapidly embracing electronic commerce (eCommerce). Recent studies show that the UK’s eCommerce environment is one of the strongest in the world. The latest government figures reveal that 29% of UK companies bought online in 2003, up 13% from the 2002 figures. Although larger businesses are more inclined to buy online, small companies are introducing new eCommerce technologies at an increasingly fast rate. The UK government has been driving the adoption of eCommerce across the public sector since 1983. There have been many well-publicised targets for the online delivery of government services to the public, and many for the delivery of savings through implementing electronic procurement (eProcurement), a key component of eCommerce. In 2002, the OGC (a UK-based organization) ran an ePilots programme in order to research eProcurement systems and services and understand their applicability to Central Civil Government. This project saw seven public sector organizations implement a variety of solutions, including the first reverse auction run by the UK government. Today eProcurement is seen as a key enabler to achieving greater public sector efficiency, which is high on the government’s agenda and was the goal behind. “The public sector is one of the biggest purchasers of goods and services in the economy. In 2001-04, the public sector of the UK spent over £100bn purchasing, for example, utilities,
ICT systems and services, as well as professional services, temporary labour, construction, social housing, social care, and environmental services.” The Efficiency Review identified that the UK public sector spends over £100bn a year on bought-in goods and services. Furthermore, it set a target of more than £20bn of efficiency savings for delivery by 2007/8. The aim is to release this money for improved delivery of frontline services to the public. Approximately one third of the savings, some £6-7bn, is expected to come from improved procurement, principally through more efficient processes and improved contracts.
The ‘Quick Wins’ Approach
To modernise procurement processes certain ‘e-tools’ will be required. One problem often encountered at the start of an eProcurement programme is deciding which tools to implement and in what order. Quick wins can establish the credibility of the eProcurement programme, and help to generate funding for the rest of the programme. “An early spend analysis will almost always uncover some areas where quick win savings can be made. These early savings can then be used to invest in a broader eProcurement programme.” Experience from case study organizations suggests that the following approach is an effective way to implement an eProcurement programme:
1. Consider implementing a Government Procurement Card (GPC) programme. This is the most obvious quick win which can create immediate efficiency gains and achieve process savings across most low value spend.
2. Implement eAuctions as soon as possible. These can generate clear cash savings for funding further investment in eProcurement.
3. Implement P2P to make the procurement processes as efficient as possible and to start capturing data on spending patterns as useful management information.
4. Implement eSourcing solutions to improve the professionalism of procurement staff and ongoing supplier relationships.
Online Portal
Online Portal for Manufacturing
E-Commerce Application in Manufacturing
Manufacturing is the transformation of raw materials into finished goods for sale, or intermediate processes involving the production or finishing of semi-manufactures. The production of goods and services is the result of the effort of many organisations, a complex web of contracts and co-operation known as the supply chain or the value system. As shown below, manufacturing requires various components (e.g. wheels, seats, etc.) and sub-assemblies (e.g. engine, gearbox, etc.), as well as transportation, storage and paperwork (orders, invoices, etc.). Each supply chain transition adds cost without adding intrinsic value. As discussed above, E-Commerce can be applied to the supply chain to reduce costs or improve service. In this way e-commerce can enhance the manufacturing process by:
• Enhancing efficiency
• Reducing cost/cycle time
• Providing accuracy and flexibility
• Supporting inventory levels
E-Commerce Application in Wholesale
Wholesale is the sale of goods or services in large quantities and at lower prices to someone other than consumers. Wholesale consists of the sale of goods/merchandise to retailers; to industrial, commercial, institutional, or other professional business users; or to other wholesalers, and related subordinated services. The wholesaler is sometimes called a middleperson, middleman or distributor. Wholesalers frequently physically assemble, sort and grade goods in large lots, break bulk, repack and redistribute in smaller lots (for example pharmaceuticals); store, refrigerate, deliver and install goods; engage in sales promotion for their customers; and do label design.
Problems of the Traditional Wholesale System
Under the impact of market forces, wholesale systems have undergone great change. With various types of enterprises entering the wholesale market, traditional wholesale companies and trading corporations are now no longer the mainstream operators.
Instead, specialized national or regional wholesale markets have emerged as major players. However, even these wholesale markets cannot compete with foreign wholesale enterprises, which employ advanced management and operation methods. The operating costs of an enterprise using wholesale markets as its distribution channel are high. The costs include posting resident staff at the wholesale markets, setting up local warehouses, and establishing distribution centers in different regions in order to cover the national market. Besides, tethered by the quality of the resident staff and geographic limitations, it is difficult for enterprises to obtain the right market information from the wholesale markets. As a result, although enterprises pay high costs, they cannot respond quickly to market demand. Further, as wholesale markets require a large land supply and other supporting social resources, they create burden and wastage for the economy. Nevertheless, these wholesale markets have become a major component of the wholesale sector, characterized by high input and low output.
Role of E-commerce in Wholesale
In a sound market economy, low operating costs, access to information and quick response are the keys to success for an enterprise. Through advanced information technology, enterprises can reach out to the global market and at the same time obtain information from around the world at low cost and high speed, with lower transaction costs. E-commerce provides a fundamental solution to the problem of diminishing profit margins and brings new opportunities to the stagnant traditional wholesale business. It supports:
• Low operating costs
• Access to information
• Quick response
• Through the Internet, wholesalers can now gain the competitive edge that could only be enjoyed by multinational companies in the past
E-commerce is developing worldwide at an unprecedented speed. The network economy has made a big impact on the traditional economy.
By shortening the distance between manufacturer and consumer, e-commerce poses serious threats to intermediaries in the supply chain. It also weakens the role of traditional wholesalers. Those that are unable to adapt to the network economy will be hard hit, while those that make use of new technology and seek change will transform into small but powerful new players. It can be expected that wholesale in the future will operate more like a portal site of an enterprise where only information gatherers, market analysts, a small number of operation and management personnel and network technicians are visible. Compared to the existing major wholesalers that have a large number of employees, they will be much smaller in scale, requiring less staff and less physical space. However, the ubiquitous and ever-expanding Internet provides them with a cyberspace that will enable them to reach out to their customers throughout the world easily. It also offers them a wide range of information, intermediary and business services.
Online Learning
School of Open Learning and IGNOU are popular in online learning, and all the content is available on their websites, like study material and video lectures; e-PustakDwar, the online library, has many facilities available for the students of School of Open Learning. Many books from different libraries can be collected using these library facilities. Online material of various universities can be obtained from this portal. Online learning is now a very important and popular method that can be used as and when a person can access it. Many online videos on the same topic are available on the School of Open Learning website. Not only regular college students of Delhi University are using these; they are used by many students of other universities also.
And other student-related facilities available on the same website under the Students heading are shown below:
e-Publishing and E-entertainment
IMPLEMENTING ePROCUREMENT
Organizations want their e-procurement system to offer maximum benefit at the lowest possible cost. The general expectations of the organization from an e-procurement solution are:
• Quick and positive results with minimum risks
• Leveraging the huge buying potential of the organization to negotiate favorable contracts from suppliers
• Limiting the number of suppliers by choosing only efficient companies as preferred suppliers
• Adopting best practices in procurement.
To obtain an e-procurement solution that meets the above expectations, the Chief Procurement Officers (CPOs) should ensure that the solution provider understands the exact requirements of the organization. The following steps may be followed to obtain the desired e-Procurement system for the organization.
(a) Establish e-Procurement chain goals: The first step in implementing e-procurement is to define the objectives of e-procurement. Some of the objectives of e-procurement are: to automate the purchasing process, cut costs, obtain accurate purchase reports and eliminate unauthorized purchases.
(b) Conduct a Procurement Audit: The organization should evaluate its existing process and determine whether it requires some modifications. If all the purchasing information is not available at a single location, or if it is not accurate or easily accessible, the procurement processes need to be modified. The most widely used technique for systematic measurement of e-procurement effectiveness is Return on Assets (ROA). The formula for ROA is
ROA = {(Revenues – Expenses) / Assets} * 100
The e-procurement system can increase ROA by increasing revenues, decreasing expenses or minimizing investments in assets.
Some of the performance indicators that may be used to determine the success of e-procurement are: the total number of employees who have procured through the system in the preceding quarter, the total amount of money spent on procuring through the new channel, and the percentage of transactions (out of total transactions) completed using the e-procurement tools.
(c) Develop a supplier integration matrix: An organization cannot maintain the same kind of relationship with all its suppliers. It has to formulate a relationship strategy depending on the contribution of each supplier to the success of the company. Some suppliers produce components critical to the business, and maintaining long-term relationships with them is crucial to the organization’s success.
(d) Select an e-procurement application: The selection of the e-procurement application is critical and should be guided by factors like: the application should improve the current procurement process, should leverage the investments already made by the organization in ERP/SRP systems, and should be flexible enough to accommodate new procurement practices.
(e) Focus on integration: Each area of Operating Resource Management (ORM) and the requirements of employees, buyers and suppliers should be considered in the design of the e-Procurement application.
(f) Educate the staff: Educating employees is another important factor for implementing a new e-procurement system. It is the employees who will use the system and help the organization to achieve the desired improvement in the procurement chain and cost. If the employees oppose the system because of its complexity or other fears like lay-offs, then the e-procurement system will fail despite the advanced technology used and huge investments.
The Andhra Pradesh Government envisions providing good governance by establishing a Committed, Accountable, Responsive, Inspiring, Nationalist, Genuine Government, a CARING Government. e-Procurement is one of the vehicles that can be gainfully used in reaching the goal of CARING governance. E-Procurement.gov.in is a comprehensive e-infrastructure that will help the government and the citizens realize the vision of fuelling growth via profitable B2B e-commerce. Providing a robust, proven platform used by the largest companies in India and the world, it enables trade between companies of different sizes, platforms and locations. To this end, e-Procurement.gov.in will provide services like eProcurement, eTendering, eSelling and eAuctions.
Fig 7.7 e-Procurement Trends
A wide variety of electronic procurement (eProcurement) tools have been developed over recent years to help organizations source, contract and purchase more efficiently and effectively. Broadly, eProcurement tools relate to two aspects of procurement: sourcing activity, and transactional purchasing.
Sourcing Activity (eSourcing)
The eSourcing tools described can help buyers establish optimum contracts with suppliers, and manage them effectively. The tools include supplier databases and electronic tendering tools, and evaluation, collaboration and negotiation tools. Also included are eAuction tools and those tools which support contract management activity.
Transactional Purchasing (ePurchasing)
The ePurchasing tools can help procurement professionals and end users achieve more efficient processes and more accurate order details. The two aims of (a) maximising control and (b) process efficiency are the function of ePurchasing tools such as purchase-to-pay systems, purchasing cards and electronic invoicing solutions. Although the tools fall broadly within these two categories, some tools can be implemented in isolation.
Based on the recommendations of experienced implementers, it is suggested that: eAuction tools are now a mature technology that can generally be implemented more quickly than other eSourcing tools. As eAuctions are currently proving a clear “quick win” in cash-releasing terms, their earliest implementation is strongly recommended. The Government Procurement Card (GPC) is an established and widely-accepted programme. Implementing the GPC will provide most organizations with immediate process efficiency gains and the capability to better meet prompt payment targets. Therefore, in addressing eProcurement implementation we have separated eAuctions from general eSourcing, and separated Procurement Cards from general ePurchasing.
Purchasing cards (P-cards)
Purchasing cards (P-cards) are similar in principle to smart cards used by consumers (for example, suppliers are paid within five days; the buyer is billed monthly in a consolidated invoice), but with extra features which make them more suitable for business-to-business purchasing. These can include:
• Controls such as restricting card use to particular commodity areas
• Individual transaction values, and
• Monthly expenditure limits
The purchasing information provided to the buying organisation by an issuing bank on each monthly statement depends on the degree of detail automatically generated by each supplier. This can range from the supplier name, date and transaction value, to line item detail against each item ordered, free text entry for the input of account codes, and VAT values.
Implementing P-Cards
• Card holders (users): P-Cards should be distributed to anyone in the organization who needs to requisition low value goods, and some services.
• Functionality: P-cards enable each card holder to be allocated a spend limit per
transaction and a total spend limit per month. The GPC and some other P-Card programmes also enable spend to be regulated by blocking spend categories for particular users. Individual transaction data is captured by the supplier at the time of sale and transmitted to the issuing bank which provides the card programme. A monthly consolidated statement is provided in paper format or electronically to the purchasing organisation for approval and payment.
Benefits of P-cards
• Prompt payment discounts reduce the amount paid for goods and services
• Guaranteeing prompt payment is a significant benefit to suppliers, particularly small and medium sized enterprises, as it generates cash flow
• Increased compliance with contracts
e-Auctions
In an electronic reverse auction (e-Auction) potential suppliers compete online and in ‘real time’, providing prices for the goods/services under auction. Prices start at one level and gradually, throughout the course of the e-Auction, reduce as suppliers offer improved terms in order to gain the contract. E-Auctions can be based on price alone or can be weighted to account for other criteria such as quality, delivery or service levels.
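The P-card controls described above (restriction to permitted commodity areas, blocked spend categories for particular users, a per-transaction limit, a monthly expenditure limit, and the consolidated monthly statement) can be written as a single authorisation check. This is an added illustration, not code from the study material or from any card programme; the card ids, limits, categories and transactions are constructed.

```python
"""Purchasing-card (P-card) spend controls as an authorisation check.

Added illustration only: all card holders, limits, categories and
transactions below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class CardControls:
    per_transaction_limit: float                    # max value of one transaction
    monthly_limit: float                            # total approved spend per calendar month
    allowed_categories: frozenset = frozenset()     # empty means any commodity area
    blocked_categories: frozenset = frozenset()     # categories blocked for this holder


@dataclass
class Transaction:
    card_id: str
    supplier: str
    category: str       # merchant / commodity category captured by the supplier at sale
    amount: float
    when: date


class PCardProgramme:
    def __init__(self, controls):
        self.controls = controls                # card_id -> CardControls
        self.spent = defaultdict(float)         # (card_id, year, month) -> approved spend
        self.statement = []                     # (tx, approved, reason) records

    def authorise(self, tx):
        """Apply the controls in order; return (approved, reason)."""
        ctl = self.controls.get(tx.card_id)
        if ctl is None:
            return self._record(tx, False, "unknown card")
        if tx.category in ctl.blocked_categories:
            return self._record(tx, False, f"category '{tx.category}' blocked for this card holder")
        if ctl.allowed_categories and tx.category not in ctl.allowed_categories:
            return self._record(tx, False, f"category '{tx.category}' outside permitted commodity areas")
        if tx.amount > ctl.per_transaction_limit:
            return self._record(tx, False, "exceeds per-transaction limit")
        key = (tx.card_id, tx.when.year, tx.when.month)
        if self.spent[key] + tx.amount > ctl.monthly_limit:
            return self._record(tx, False, "would exceed monthly expenditure limit")
        self.spent[key] += tx.amount            # only approved spend counts towards the month
        return self._record(tx, True, "approved")

    def _record(self, tx, approved, reason):
        self.statement.append((tx, approved, reason))
        return approved, reason

    def monthly_statement(self, card_id, year, month):
        """Consolidated line items for one card and month, as the issuing bank bills them."""
        lines = [(tx.when.isoformat(), tx.supplier, tx.category, tx.amount)
                 for tx, approved, _ in self.statement
                 if approved and tx.card_id == card_id
                 and (tx.when.year, tx.when.month) == (year, month)]
        return lines, sum(line[3] for line in lines)


def demo():
    """Run a constructed batch of transactions through one card's controls."""
    programme = PCardProgramme({
        "CARD-001": CardControls(per_transaction_limit=500.0, monthly_limit=2000.0,
                                 allowed_categories=frozenset({"stationery", "it-consumables"}),
                                 blocked_categories=frozenset({"travel"})),
    })
    txs = [
        Transaction("CARD-001", "OfficeCo", "stationery", 120.0, date(2024, 3, 4)),
        Transaction("CARD-001", "AirlineX", "travel", 90.0, date(2024, 3, 5)),          # blocked category
        Transaction("CARD-001", "TechShop", "it-consumables", 650.0, date(2024, 3, 6)),  # over per-tx limit
        Transaction("CARD-001", "TechShop", "it-consumables", 450.0, date(2024, 3, 7)),
        Transaction("CARD-001", "OfficeCo", "stationery", 480.0, date(2024, 3, 12)),
        Transaction("CARD-001", "OfficeCo", "stationery", 480.0, date(2024, 3, 19)),
        Transaction("CARD-001", "OfficeCo", "stationery", 480.0, date(2024, 3, 26)),    # breaches monthly limit
        Transaction("CARD-001", "OfficeCo", "stationery", 480.0, date(2024, 4, 2)),     # new month, approved
        Transaction("CARD-999", "OfficeCo", "stationery", 10.0, date(2024, 3, 2)),      # card not on programme
    ]
    results = [programme.authorise(tx) for tx in txs]
    return programme, results


if __name__ == "__main__":
    prog, res = demo()
    for (tx, _, _), (ok, why) in zip(prog.statement, res):
        print(f"{tx.when} {tx.supplier:9} {tx.category:15} {tx.amount:7.2f} -> {'OK ' if ok else 'NO '} {why}")
    print(prog.monthly_statement("CARD-001", 2024, 3))
```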
Electronic reverse auctions (ERA) framework
Each of the eAuction service providers on the framework offers public sector organisations assistance with:
• Assessment of the suitability of forthcoming contracts for the e-Auction process
• Advice and guidance on strategy, and
• Supplier training and ‘test’ e-Auction events
e-Auction benefits
• Improved preparation and planning for the tendering process
• Opportunity for suppliers to submit revised bids for a contract (as opposed to the formal tendering process)
• Increased market knowledge for buyers and suppliers; suppliers particularly benefit from increased awareness of competitor pricing
• Provides a more level playing field for suppliers
• Improved quality of service
Implementing eAuctions
eAuctions do not replace tendering: they are a part of it and provide cost-effective, fast and transparent conclusions to a full tendering process. eAuctions may be based on securing the lowest price, or on the most economically advantageous bid (price, payment terms, supply schedules). Only those suppliers who have successfully pre-qualified (i.e. they have satisfied all tendering criteria such as quality processes, financial stability and environmental policies) should be invited to participate.
Identifying purchases suitable for eAuctions
COMPETITIVE ADVANTAGE
A firm is said to possess a competitive advantage over its rivals if it sustains profits that exceed the average for its industry. The goal of much of business strategy is to achieve a sustainable competitive advantage. Michael Porter identified two basic types of competitive advantage:
• Cost advantage
• Differentiation advantage
A competitive advantage exists when the firm is able to deliver the same benefits as competitors but at a lower cost (cost advantage), or deliver benefits that exceed those of competing products (differentiation advantage). Thus, a competitive advantage enables the firm to create superior value for its customers and superior profits for itself.
Fig. 7.8. A Model of Competitive Advantage.
Cost and differentiation advantage are known as positional advantages since they describe the firm’s position in the industry as a leader in either cost or differentiation. A resource-based view emphasizes that a firm utilizes its resources and capabilities to create a competitive advantage that ultimately results in superior value creation. The following diagram combines the resource-based and positioning views to illustrate the concept of competitive advantage:
Resources and Capabilities
According to the resource-based view, in order to develop a competitive advantage the firm must have resources and capabilities that are superior to those of its competitors. Without this superiority, the competitors could simply replicate what the firm was doing and any advantage would quickly disappear. Resources are the firm-specific assets useful for creating a cost or differentiation advantage and that few competitors can acquire easily. The following are some examples of such resources:
• Patents and trademarks
• Proprietary know-how
• Installed customer base
• Reputation of the firm
• Brand equity
Capabilities refer to the firm’s ability to utilize its resources effectively. An example of a capability is the ability to bring a product to market faster than competitors. Such capabilities are embedded in the routines of the organization and are not easily documented as procedures, and thus are difficult for competitors to replicate. The firm’s resources and capabilities together form its distinctive competencies. These competencies enable innovation, efficiency, quality, and customer responsiveness, all of which can be leveraged to create a cost advantage or a differentiation advantage.
Cost Advantage and Differentiation Advantage
Competitive advantage is created by using resources and capabilities to achieve either a lower cost structure or a differentiated product.
A firm positions itself in its industry through its choice of low cost or differentiation. This decision is a central component of the firm’s competitive strategy. Another important decision is how broad or narrow a market segment to target. Porter formed a matrix using cost advantage, differentiation advantage, and a broad or narrow focus to identify a set of generic strategies that the firm can pursue to create and sustain a competitive advantage.
Value Creation
The firm creates value by performing a series of activities that Porter identified as the value chain. In addition to the firm’s own value-creation activities, the firm operates in a value system of vertical activities including those of upstream suppliers and downstream channel members. To achieve a competitive advantage the firm must perform one or more value-creating activities in a way that creates more overall value than do competitors. Superior value is created through lower costs or superior benefits to the consumer (differentiation).
Porter’s Five Forces Model
Michael Porter described a concept that has become known as the “five forces model.” This concept involves a relationship between competitors within an industry, potential competitors, suppliers, buyers and alternative solutions to the problem being addressed. We used the five forces model as a basic structure and built on it with concepts from the works of many other authors. The result was a model with over 5,000 relational links.
Fig. Porter’s Model for Competitive Forces.
While each industry involves all of these factors, the relational strengths vary. Business Insight uses input from the user to create a unique model of their industry. Then thousands of “rules” are applied to evaluate hundreds of marketing and business concepts as they relate to the user’s unique circumstances.
This results in a set of analyses, including:
• A success potential rating in eleven key areas
• A list of strategic strengths and weaknesses
• Observations on strategic inconsistencies
• A written critique of your strategy
• A graphic analysis of key marketing concepts
• A written draft of a marketing plan
Online books are available through various e-publishing portals.
E-entertainment
A number of channels can be accessed using a mobile or TV with a Jio Fiber connection. A person has to pay only for the data used. With a Wi-Fi connection or mobile data all the online videos can be seen. There are many apps like Hotstar, Netflix, Jio TV and many other popular apps that help in watching online movies and other entertainment live.
Online Shopping
Online Shopping and Retail
E-COMMERCE APPLICATION IN RETAIL
Retailing involves selling products and services to consumers for their personal or family use. Department stores, discount stores and specialty stores like jewelers and toy stores are all examples of retail stores. Service providers, like dentists, hotels and hair salons, and online stores, like Amazon.com, are also retailers.
Fig 7.11 Retail Business.
Many businesses, like Home Depot, are both wholesalers and retailers because they sell to consumers and building contractors.
Importance of Retailing
As the final link between consumers and manufacturers, retailers are a vital part of the business world. Retailers add value to products by making it easier for manufacturers to sell and consumers to buy. It would be very costly and time consuming for you to locate, contact and make a purchase from the manufacturer every time you wanted to buy a candy bar, a sweater or a bar of soap. Similarly, it would be very costly for the manufacturers of these products to locate and distribute them to consumers individually.
By bringing multitudes of manufacturers and consumers together at a single point, retailers make it possible for products to be sold and, consequently, business to be done. Retailers also provide services that make it less risky and more fun to buy products. They have salespeople on hand who can answer questions, may offer credit, and display products so that consumers know what is available and can see it before buying. In addition, retailers may provide many extra services, from personal shopping to gift wrapping to delivery, that increase the value of products and services to consumers.
Role of E-commerce in Retailing
Advances in technology, like the Internet, have helped make retailing an even more challenging and exciting field in recent years. The nature of the business and the way retailing is done are currently undergoing fundamental changes. However, retailing in some form will always be necessary. For example, even though the Internet is beginning to make it possible for manufacturers to sell directly to consumers, the very vastness of cyberspace will still make it very difficult for a consumer to purchase every product he or she uses directly. Online retailers like Amazon.com bring together assortments of products for consumers to buy in the same way that bricks-and-mortar retailers do. In addition, traditional retailers with physical stores will continue to be necessary. Of course, retailers who offer personal services, like hair styling, will need to have face-to-face interaction with the consumer. But even with products, consumers often want to see, touch and try them before they buy. Or they may want products immediately and won’t want to wait for them to be shipped. Also, and perhaps most importantly, in many cases the experience of visiting the retailer is an important part of the purchase. Everything that the retailer can do to make the shopping experience pleasurable and fun can help ensure that customers come back.
E-COMMERCE APPLICATION IN THE SERVICE SECTOR
The service sector, or service industry, is one of the three main industrial categories of a developed economy, the others being the secondary industry (manufacturing) and the primary industry (primary goods production and extraction, such as agriculture, mining and fishing). The tertiary sector of industry involves the provision of services to other businesses as well as to final consumers. Services may involve the transport, distribution and sale of goods from producer to consumer, as happens in wholesaling and retailing, or may involve the provision of a service such as pest control or entertainment. The goods may be transformed in the process of providing the service, as happens in the restaurant industry. However, the focus is on people interacting with people and serving the customer rather than transforming physical goods. The service sector consists of the "soft" parts of the economy such as insurance, tourism, banking, retail and education. Public utilities are often considered part of the tertiary sector as they provide services to people, while creating the utility's infrastructure is often considered part of the secondary sector, even though the same business may be involved in both aspects of the operation.

Issues for service providers
Service providers face obstacles in selling services that goods-sellers rarely face. Services are not tangible, making it difficult for potential customers to understand what they will receive and what value it will hold for them. Indeed some, such as consulting and investment services, offer no guarantee of value for the price paid. Since the quality of most services depends largely on the quality of the individuals providing them, "people costs" are a high component of service costs.
Whereas a manufacturer may use technology, simplification and other techniques to lower the cost of goods sold, the service provider often faces an unrelenting pattern of increasing costs. Differentiation is often difficult. How does one choose one investment advisor over another, since they (and hotel providers, leisure companies, consultants and others) often seem to provide identical services? Charging a premium for services is usually an option only for the most established firms, who charge extra based upon brand recognition.

Role of E-commerce in the Service Sector
As discussed above, e-commerce can be implemented in the service sector to gain competitive advantage by providing strategies for differentiation, cost leadership and customer satisfaction. E-commerce improves the speed of transactions, reduces management expenditure and increases competitiveness, and is helpful in banking, insurance and financial services, as well as in real estate, construction, telecom, tourism, postal and logistics services.

E-COMMERCE IMPLEMENTATION PROBLEMS, SOLUTIONS AND POPULARITY IN MANAGING THE SUPPLY CHAIN: A COMPARATIVE ANALYSIS OF THE TOP 10 INDIAN E-COMMERCE COMPANIES
Here we discuss the various factors of e-commerce that manage the supply chain, and explain the implementation problems, solutions and popularity of the top e-commerce companies. This analysis compares these companies through coloured graphs, from which the supply chain in online e-commerce can be readily analysed. We discuss the e-commerce progress of India, the seventh-largest country by geographical area, the second most populous country, and the most populous democracy in the world. India's e-commerce share keeps growing as more and more online retailers enter the market.
Although this level of entry into the e-commerce market is good from a long-term perspective, the challenge is that most entrepreneurs don't have the resources or capital to wait years before they can make profits.

B. E-Commerce Integration Process
Fig. 7.12. E-Commerce Integration Process.

C. E-Commerce companies
This comparative analysis has been done on the top 10 Indian e-commerce companies given below, against different criteria and features.

1. Flipkart Company: Flipkart started as an e-commerce website making books easily available to anyone who had internet access. Today it is present across various categories including movies, music, games, mobiles, cameras, computers, healthcare and personal products, home appliances and electronics. The salient features are:
(i) Payment: Flipkart provides a safe and secure shopping service; all major credit and debit cards are accepted, and payment is also accepted by Internet banking, Cash on Delivery and Equated Monthly Installments (EMI).
(ii) Time: The company provides 24x6 customer support. It delivers within 3 days in serviced areas; for other areas, orders are sent by registered post through the Indian Postal Service, which may take 1-2 weeks depending on the location and distance.
(iii) Cost: Flipkart provides free delivery on all items if the total order amount is more than Rs. 200/-. Otherwise Rs. 30/- is charged as delivery charges.
(iv) Integration: Easy integration, because all credit/debit card details remain confidential and private. Flipkart's trusted payment gateways use SSL encryption to protect the user's card information while it is in transit between the browser and the gateway.
(v) Scalability: Only in India.
(vi) Customization: Easy customization, because the user can review the status and other information of all orders placed with Flipkart.com, whether pending or fulfilled.
(vii) Challenges: Flipkart doesn't deliver items internationally; there is no warranty for mobile accessories.
(viii) Platform: While it is not necessary to have a Flipkart account to shop and purchase items, it is certainly recommended to have one. You can shop by providing just your email ID.
Fig. 7.13. Flipkart Company with Different Features of E-commerce.
(ix) Popularity: Ranks in the top 30 websites in India, with 8,000,000 visits every month, 30,000+ items shipped per day, and 27 cities with its own delivery network.

2. Magazine Mall Company: Magazine Mall is a property of Global Interactive Malls P. Ltd. It focuses on retailing publications in an "e-bricks" model across India and the rest of the world.
(i) Payment: Magazine Mall accepts payment through all major credit and debit cards, Internet banking, mobile payment and cheque/DD.
(ii) Time: (a) Standard Shipping: delivery by publishers, using regular post, within 4-6 weeks of your order. (b) Premium Shipping: delivery by Magazine Mall within 1 week of your order, by air courier.
(iii) Cost: (a) Standard Shipping: no shipping charges apply. (b) Premium Shipping: chargeable at Rs. 15 per issue within India.
(iv) Integration: Predictable delivery timelines and renewal management services, powered by the CCAvenue payment enablement system, with the widest range of payment options made available to the user.
(v) Scalability: International shipping is also available and may apply to addresses located outside India.
(vi) Customization: The risk of loss for such items passes to the user upon dispatch. The user receives communication electronically, whether by email, by other notices on the site, or as may otherwise be sent to the user.
(vii) Challenges: When the user wants to cancel, the company will be unable to refund cancellations made after 90 days from the date of order. There is also a 10% service charge on the total original value of the cancelled subscriptions.
(viii) Platform: Live help support, e-mail and phone support.
(ix) Popularity: This website is used regularly by internet users.
Fig. 7.14. Magazine Mall Company with Different Features of E-commerce.

3. 20North Company: 20North is well on its way to becoming India's leading online retailer. 20North believes that Indian consumers have interests, passions and pursuits that cannot be fulfilled with products from the humdrum mainstream of Indian retail.
(i) Payment: 20North accepts all major credit and debit cards (Visa, MasterCard or American Express), demand drafts, money transfer and cheque/DD.
(ii) Time: Orders are delivered in 5-15 business days, based on the product and the delivery zip code; delivery within India usually takes 1 to 4 working days.
(iii) Cost: No free shipping; 15% (20North service charge) + duty + shipping costs.
(iv) Integration: Easy integration; it can be combined at the time of purchase with any other form of payment with no restrictions.
(v) Scalability: It can supply internationally, but purchases can only be made in Rupees (INR).
(vi) Customization: 20North supply can be combined with any other valid mode of payment to pay for a purchase.
(vii) Challenges: The company does not provide a warranty for any products ordered from its website.
(viii) Platform: E-mail, and only a registered user can shop at 20North.
(ix) Popularity: 20North.com is well on its way to becoming India's leading online shopping portal.
Fig. 7.15. 20North Company with Different Features of E-commerce.

4. Snapdeal Company: Snapdeal provides more fun for the consumer. Being India's best daily deals website, it brings up to 90% discounts on dining, health and beauty services, branded products, travel and more.
(i) Payment: The different payment options are credit card, debit card, cash card, Internet-enabled online bank account and mobile banking.
Snapdeal offers up to 90% discount on products. Payment is secured with SSL.
(ii) Time: Most deals carry over 1 month of validity.
(iii) Cost: Snapdeal offers up to 90% discount.
(iv) Integration: The website requires you to register as a user by creating an account in order to purchase coupons from the website.
(v) Scalability: Only in India.
(vi) Customization: The user can buy a deal without subscribing: just click the "Buy" button, fill in the email ID and mobile number and make the payment online. This sends the Snapdeal voucher over email and SMS. It also guarantees to replace the product voucher or refund the complete amount.
(vii) Challenges: Its terms govern the purchase and use of the coupons/vouchers. They also govern access to and use of the website and secure the personal information of users.
(viii) Platform: E-mail support and phone support.
(ix) Popularity: Snapdeal is offering deals in 20 cities including Delhi, Mumbai, Bangalore, Hyderabad, Chennai, Kolkata and Pune. The site is used very widely.
Fig. 7.16. Snapdeal Company with Different Features of E-commerce.

5. Deals and You Company: Deals and You is a group-buying portal that features a daily deal on the best things to do, see and buy in some of India's leading cities.
(i) Payment: The company provides different payment methods: credit card, debit card or cash on delivery.
(ii) Time: Orders are delivered within 24 hours.
(iii) Cost: Shipping is not free of cost.
(iv) Integration: Easy integration using credit and debit cards.
(v) Scalability: Only in India.
(vi) Customization: Easy customization; registration at dealsandyou.com is free, and the user is billed only when purchasing a deal from Deals and You.
(vii) Challenges: Deals and You makes no warranty for the quality, safety, usability or other aspects of the products or services marketed through Deals and You.
(viii) Platform: E-mail support and phone support.
(ix) Popularity: Deals and You is offering deals in various cities including Delhi, Mumbai, Bangalore, Hyderabad, Chennai, Kolkata, Pune and Ahmedabad.
Fig. 7.17. Deals and You Company with Different Features of E-commerce.

6. Naaptol Company: Launched in January 2008, Naaptol has grown to become India's leading comparison-based social shopping portal, the one-stop destination for all shoppers, merchants and market enthusiasts.
(i) Payments: Once payment against an order is cleared through cheque/DD or credit card/Internet banking, the order is shipped immediately.
(ii) Time: Delivery depends on location.
(iii) Cost: Shipping is not free of cost.
(iv) Integration: Easy integration using credit and debit cards.
(v) Scalability: Only in India.
(vi) Customization: Easy customization.
(vii) Challenges: Naaptol is an online shopping portal and not a retail store; users cannot physically handle the products, and can only see the displays on the website. No warranty of any kind is given regarding the website or any materials provided on it.
(viii) Platform: E-mail support and phone support.
(ix) Popularity: Average popularity.
Fig. 7.18. Naaptol Company with Different Features of E-commerce.

7. Fashion and You Company: Fashion and You is the key to indulging in high fashion and luxury brands at exclusive members-only prices.
(i) Payment: Payment is made by cheque, cash on delivery or Internet banking.
(ii) Time: Express orders are shipped within 24 hours of purchase. Depending on the location, the user receives the order within 2-7 business days. Sometimes it takes 3-4 weeks to deliver an order from the date of purchase on the site.
(iii) Cost: Fashion and You levies INR 100 as shipping charge.
(iv) Integration: First come, first served, so log on early to bag the best deal.
(v) Scalability: Only in India.
(vi) Customization: Access to Fashion and You sales is reserved for registered members only. Membership is free and by invitation only.
(vii) Challenges: Once payment has been confirmed, you will be unable to make any further changes to your order.
(viii) Platform: E-mail support and SMS support.
(ix) Popularity: Average popularity.
Fig. 7.19. Fashion and You Company with Different Features of E-commerce.

8. Yebhi Company: This site also has a variety of items such as watches, sunglasses, mobiles, cameras, jewellery, home and kitchen appliances and many more things for online shopping.
(i) Payment: Payment is made by cheque, cash on delivery or net banking.
(ii) Time: The fastest shipping possible for customer orders, according to location.
(iii) Cost: No shipping charge.
(iv) Integration: It provides all branded products and easy integration using credit and debit cards.
(v) Scalability: Mostly in India; it can also deliver products internationally, but with no free shipping for that.
(vi) Customization: It provides the fastest shipping for customer orders, the widest range of choices for customers, and enables brand partners to reach the widest audience.
(vii) Challenges: The refund process is initiated only once the company has received the returned products.
(viii) Platform: E-mail support, phone support, live support.
(ix) Popularity: It is a portal catering to more than 1000 retailers across the country and was awarded best e-commerce company in 2010.
Fig. 7.20. Yebhi Company with Different Features of E-commerce.

9. Myntra Company: Myntra.com is ranked among the top 10 e-commerce companies in India and is scaling rapidly. Myntra was started by a group of IIT/IIM graduates in early 2007 and is headquartered in Bangalore with regional offices in New Delhi, Mumbai and Chennai.
(i) Payment: The company provides different payment methods: credit card, debit card, cash on delivery, net banking and ITZ Cash payments.
(ii) Time: Myntra attempts to process every order and ship it within 24 hours. Depending on the location within India, delivery should take 5-7 days overall after ordering.
(iii) Cost: Myntra offers free shipping within India on all products above Rs. 99. For international orders and orders below Rs. 99, the appropriate shipping cost is charged.
(iv) Integration: It also offers the CCAvenue and EBS payment gateways, which process all credit card and net banking transactions over a secure encrypted connection.
(v) Scalability: It can ship internationally to all major countries.
(vi) Customization: Easy customization, and it is easy to order products.
(vii) Challenges: Coupons are valid for 30 days, and returns are not supported on international order shipments.
(viii) Platform: E-mail support and phone support.
(ix) Popularity: In the last 3 years, Myntra has become the most popular destination for personalised products in the country. It was a Red Herring Global 100 winner in 2010 and received the "Pride of India 2009-2010" award for Exceptional Business Growth from IDG Ventures.
Fig. 7.21. Myntra Company with Different Features of E-commerce.

10. Indian Gifts Portal Company: Indian Gifts Portal is an online gifts supermarket. It offers a wide range of gift options, most of which are exclusive Indian products, right from your desktop.
(i) Payment: It accepts credit cards (both Indian and international), debit cards, American Express, JCB, Discover, Diners Club, Internet banking, PayPal, Paymate, Done Cash Card and ITZ Cash Card. Detailed payment-related information, including the bank list for debit cards and net banking, is available on the site.
(ii) Time: It delivers within 72 hours, or within the stated number of working days of securing payment, or on the approximate delivery date mentioned by the user in the order.
(iii) Cost: No free shipping.
(iv) Integration: The customer's browser is switched to secure mode, using SSL (Secure Sockets Layer) to encrypt sensitive data such as credit card numbers while in transit.
(v) Scalability: Both national and international level.
(vi) Customization: Easy customization; it uses a payment gateway secured with 128-bit encryption.
(vii) Challenges: Orders are accepted only online, after securing your payment through the credit card information submitted by you.
(viii) Platform: Only by e-mail.
(ix) Popularity: Average level of popularity.
Fig. 7.22. Indian Gifts Portal Company with Different Features of E-commerce.

The graph below shows the unique users in July 2011 who used each e-commerce website. It compares the top 10 e-commerce companies, so we can easily see which company is used most by users.
Fig. 7.23. E-commerce Companies' Users in July 2011 (in Lakhs).

Benefits of Online Travel Services for Consumers: Online travel services are usually available 24 hours a day, and many consumers have internet access both at work and at home. Other establishments such as internet cafes and schools provide access as well. A visit to a conventional service requires travel and must take place during business hours. Searching or browsing an online service site can be faster than browsing the aisles of a physical office. One can avoid crowded malls, long lines and the lack of parking. Consumers with dial-up internet connections rather than broadband have much longer load times for content-rich websites and a considerably slower online travel service experience. Some consumers prefer interacting with people rather than computers because they find computers hard to use. Not all online service providers have succeeded in making their sites easy to use or reliable. On the other hand, a majority of providers have made it easy to find the service one is looking for, as well as the price range that is acceptable, making the travel experience quick and efficient.
The internet has made shopping an almost effortless task. In most cases merchandise must be shipped to the consumer, introducing a significant delay and potential uncertainty about whether or not the item was actually in stock at the time of purchase. Most successful sites will say whether or not a product is in stock. Yatra.com offers the ability to buy and book tickets and hotel reservations online. Many stores give the consumer the delivery company's tracking number for their orders, so they can check the status online. A quick response time is sometimes an important factor in consumers' choice of merchant. Customers can choose the type of shipping they want, from overnight to a few days. The quicker the delivery, the higher the shipping cost. A weakness of online shopping is that even if a purchase can be made 24 hours a day, the customer must often be at home during normal business hours to accept the delivery. For many professionals this can be difficult, and absence at the time of delivery can result in delays or, in some cases, return of the item to the retailer. Automated delivery booths, such as DHL's Packstation, have tried to address this problem. When shopping in a retail store, customers can handle and inspect the actual product before they purchase it. In the event of a problem with the item (it is not what the consumer ordered, or it is not what they expected), consumers are concerned with the ease with which they can return an item for the correct one or get a refund. Consumers may need to contact the retailer, visit the post office and pay return shipping, and then wait for a replacement or refund. Some online companies have more generous return policies to compensate for the traditional advantage of physical stores.

SUMMARY
• E-business is an umbrella term that includes e-commerce and refers to the use of the Internet and private intranets to transform a company's value chain.
• A trade cycle is the series of exchanges between a customer and a supplier that take place when a commercial exchange is executed.
• A general trade cycle consists of four phases. These are:
(a) Pre-Sales
(b) Execution
(c) Settlement
(d) After-Sales
• EDI is the e-Commerce technology appropriate for commercial transactions that are repeated on a regular basis.
• Internet e-Commerce is the e-Commerce technology appropriate for consumer transactions that tend to be one-off.
• Internet e-Commerce or an electronic market is the appropriate e-technology for the non-repeating commercial trade cycle.
• A supply chain is a network of facilities and distribution options that performs the functions of procurement of materials (from suppliers), transformation of these materials into intermediate and finished products (manufacturing), and distribution of these finished products to customers.
(e) E-commerce enhances the value chain by supporting reduced time frames, changed cost structures, just-in-time manufacture, efficient document processing, competitive advantage, etc.
(f) A firm is said to possess a competitive advantage over its rivals if it sustains profits that exceed the average for its industry.
(g) Michael Porter identified two basic types of competitive advantage:
• Cost advantage
• Differentiation advantage
(h) To achieve a competitive advantage, the firm must perform one or more value-creating activities in a way that creates more overall value than its competitors do.
(i) Electronic procurement (e-Procurement) is the use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process.
(j) e-Procurement can be divided into two parts: direct-material procurement, in which raw materials or components needed for production are procured from supply chain partners, and indirect-material procurement, in which materials that are used indirectly are procured.
(k) The best practices in e-procurement include: using a procurement card system and an electronic funds transfer system, clarifying the employees' role in the procurement process, using a strategic approach to implementation and participating in collaborative e-procurement.
(l) e-Procurement has an indirect effect on cash savings by providing access to good deals. Central government, local government and strategic private sector partners are introducing and developing e-Commerce systems for public sector purchasing to improve the procurement process.
(m) e-Auctions can improve preparation and planning for the tendering process, increase the opportunity for suppliers to submit revised bids for a contract, provide a more level playing field for suppliers and improve quality of service.
(n) e-Purchasing tools can help procurement professionals and end users achieve more efficient processes and more accurate order details.
(o) In this way e-commerce can be used in the manufacturing, retail, wholesale and service sectors to enhance business.

EXERCISES
1. What is a trade cycle? Explain the various phases and types of trade cycle.
2. Explain the use of e-commerce in the trade cycle.
3. What is a supply chain?
4. Explain Porter's value chain model.
5. What is competitive advantage? Explain Porter's model of competitive forces.
6. Explain the use of e-commerce in gaining competitive advantage.
7. Explain the role of e-commerce in manufacturing.
8. Explain the role of e-commerce in wholesale.
9. Explain the role of e-commerce in retail.
10. Explain the role of e-commerce in the service sector.
UNIT-III
Website Designing
Introduction to HTML tags and attributes: Text formatting, fonts, hypertext links, tables, images, lists, forms, cascading style sheets

HTML stands for Hyper Text Markup Language and is the most widely used language on the Web for developing web pages. HTML was created by Tim Berners-Lee in late 1991, but HTML 2.0 was the first standard HTML specification, published in 1995. HTML 4.01 was a major version of HTML, published in late 1999. Though HTML 4.01 is still widely used, the current version is HTML5, an extension of HTML 4.01; it was published by the W3C as a Candidate Recommendation in 2012 and as a full Recommendation in 2014. A minimal page looks like this:

<html>
<body>
<h1>Hello and welcome to all!</h1>
</body>
</html>

3.2 Attributes
An attribute is used to define the characteristics of an HTML element and is placed inside the element's opening tag. Attributes are made up of two parts: a name and a value. Attribute names are case-insensitive (lowercase is the recommended form); whether a value is case-sensitive depends on the attribute, so values such as those of id and class should be treated as case-sensitive.
1. Name is the property you want to set. For example, the paragraph <p> element in the example carries an attribute whose name is align, which you can use to indicate the alignment of the paragraph on the page.
2. Value is what you want the property to be set to, and it is always put within quotation marks. The example shows the three possible values of the align attribute: left, center and right.

3.3 Text Formatting
If you use a word processor, you must be familiar with the ability to make text bold, italicized or underlined; these are just three of the ten options available to indicate how text can appear in HTML and XHTML.
3.3.1 Bold Text
Anything that appears within the <b>...</b> element is displayed in bold.

3.4 Hypertext links
A webpage can contain various links that take you directly to other pages and even to specific parts of a given page.
These links are known as hyperlinks. Hyperlinks allow visitors to navigate between websites by clicking on words, phrases and images. A link is specified using the HTML <a> tag. This tag is called the anchor tag, and anything between the opening <a> tag and the closing </a> tag becomes part of the link; a user can click that part to reach the linked document.

Frames: HTML frames are used to divide the browser window into multiple sections, where each section can load a separate HTML document. A collection of frames in the browser window is known as a frameset. The window is divided into frames in a similar way to how tables are organized: into rows and columns.

UNIT-IV
E-payment System-payment Methods: Debit Card, Credit Card, Smart Cards, E-Money, E-Wallets; Digital signatures: procedures and legal position; Payment Gateways; Online Banking: concepts, importance, Electronic Fund Transfer, Automated Clearing House, Automated Ledger Posting; Emerging modes and systems of E-payment (M-Paisa, PayPal and other digital currency); E-payment risks

E-payment System-payment Methods: Debit card, Credit card, Smart cards, E-Money, E-Wallets

Debit Card: This card can also be used for online payment, but the cardholder must have sufficient balance in his or her account, and the total payment that can be made in one day is capped. The cardholder can also withdraw cash up to a certain amount with this card.

Credit Card: This card is also used for online payment, but the cardholder need not have sufficient balance in his or her account; the total payment that can be made in one day is likewise capped. The cardholder can withdraw cash up to a certain amount, and purchases can be made up to a certain credit limit without having funds in the account. The credit card bill can be paid after a few days, by the due date of the billing cycle.

Smart Card: These cards are used with a balance in hand.
This means that the card must have balance loaded before it is used, like a debit card. Metro smart cards, the Patanjali smart card and the Mother Dairy smart card are good examples.

E-wallets: These are used for online payment using mobile phones. The following applications are very popular: 1. Paytm 2. Google Pay 3. UPI (strictly a payment interface that wallet and banking apps are built on, rather than a wallet itself) 4. Jio Money.

Digital Signature: procedures and legal position
The Information Technology Act, 2000 recognizes the use of digital signatures to authenticate electronic records. As such, digital signatures fulfil all statutory requirements associated with the acceptance of handwritten signatures. A digital signature is a block of data attached to an electronic message that identifies the signer of the message and also confirms that the signer approved the content of that message. Thus internet contracts are authenticated by digital signature technology and become binding on the parties.

The expression 'digital signature' means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3 [Section 2(1)(p)].

Authentication of electronic records: Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication of the electronic record shall be effected by the use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation: For the purposes of this sub-section, 'hash function' means an algorithm mapping or translating one sequence of bits into another, generally smaller, set known as the 'hash result', such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible (a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm; (b) for two electronic records to produce the same hash result using the algorithm.

Any person can verify the electronic record by using the public key of the subscriber. The private key and the public key are unique to the subscriber and constitute a functioning key pair (Section 3).

In order to be legally binding, all electronic communications or transactions must meet the following fundamental requirements:
(a) Authenticity of the sender, to enable the recipient to determine who really sent the message;
(b) Message integrity: the recipient must also be able to determine whether or not the message received has been modified en route or is incomplete; and
(c) Non-repudiation: the ability to ensure that the sender cannot falsely deny sending the message, nor falsely deny the contents of the message.

This led to the acceptance of cryptography, which provides exactly that kind of protection. Section 3 advocates the use of an 'asymmetric crypto system', in which an asymmetric key pair consisting of a private key and a public key is used: the private key is kept confidential and is used by the subscriber to create the digital signature, whereas the public key is more widely known, is used by a relying party to verify the digital signature, and is listed in the Digital Signature Certificate. Note that a digital signature provides authenticity, integrity and non-repudiation, not confidentiality; a record that must also be kept secret has to be encrypted separately.
See Fig. 2.
Figure 2: Digital signature using public and private keys.

Section 2(1) of the IT Act, 2000 defines the terms used above as follows:
(a) Affixing digital signature: adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature [Section 2(1)(d)].
(b) Asymmetric crypto system: a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature [Section 2(1)(f)].
(c) Electronic record: data, record or data generated, image or sound stored, received or sent in an electronic form or micro-film or computer-generated micro-fiche [Section 2(1)(t)].
(d) Key pair: in an asymmetric crypto system, a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key [Section 2(1)(x)].
(e) Private key: the key of a key pair used to create a digital signature [Section 2(1)(zc)].
(f) Public key: the key of a key pair used to verify a digital signature and listed in a Digital Signature Certificate [Section 2(1)(zd)].
(g) Subscriber: the person in whose name the Digital Signature Certificate is issued [Section 2(1)(zg)].
(h) Verify: in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions, means to determine whether
(i) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber; and
(ii) the initial electronic record is retained intact or has been altered since it was so affixed with the digital signature [Section 2(1)(zh)].
'Digital signature' thus means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3, and 'Digital Signature Certificate' means a Digital Signature Certificate issued under sub-section (4) of Section 35. Digital signatures may be used for online, offline and e-mail based transactions.

The preamble of the Information Technology Act, 2000 states: 'An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies.'

The 'Statement of Objects and Reasons' appended to the Information Technology Bill, 1999 explains the rationale behind the Act. The following excerpts from that statement are worth noting:

'New communication systems and digital technology have made dramatic changes in the way we live. A revolution is occurring in the way people transact business. Businesses and consumers are increasingly using computers to create, transmit and store information in the electronic form instead of traditional paper documents. Information stored in electronic form has many advantages. It is cheaper, easier to store and retrieve, and speedier to communicate. Although people are aware of these advantages, they are reluctant to conduct business or conclude any transaction in the electronic form due to lack of an appropriate legal framework. The two principal hurdles which stand in the way of facilitating electronic commerce and electronic governance are the requirements as to writing and signature for legal recognition. At present, many legal provisions assume the existence of paper-based records and documents which should bear signatures.
The Law of Evidence is traditionally based upon paper-based records and oral testimony. Since electronic commerce eliminates the need for paper-based transactions, legal changes have become an urgent necessity to facilitate e-commerce. International trade through the medium of e-commerce has grown rapidly in the past few years and many countries have switched over from traditional paper-based commerce to e-commerce. There is a need for bringing in suitable amendments to the existing laws in our country to facilitate e-commerce. It is, therefore, proposed to provide for legal recognition of electronic records and digital signatures. This will enable the conclusion of contracts and the creation of rights and obligations through the electronic medium. It is also proposed to provide for a regulatory regime to supervise the Certifying Authorities issuing Digital Signature Certificates. To prevent the possible misuse arising out of transactions and other dealings concluded over the electronic medium, it is also proposed to create civil and criminal liabilities for contravention of the provisions of the proposed legislation. With a view to facilitating electronic governance, it is proposed to provide for the use and acceptance of electronic records and digital signatures in Government offices and agencies. This will make citizens' interaction with Government offices hassle-free.'
The Information Technology Act seeks to achieve the following objectives:
(i) To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce';
(ii) To facilitate the growth of e-commerce and e-governance;
(iii) To provide equal treatment to users of paper-based documentation and users of electronic records;
(iv) To place digital signatures at par with paper signatures and provide a comprehensive approach for determining the authenticity and integrity of electronic signatures;
(v) To provide for a suitable regulatory regime to supervise the functioning of the Certifying Authorities issuing Digital Signature Certificates;
(vi) To recognize electronic storage of documents or records as valid where the law requires maintenance of paper records;
(vii) To provide penalties for contraventions and punishment for information technology offences;
(viii) To establish the Cyber Regulations Appellate Tribunal to hear appeals against the orders of the Controller or Adjudicating Officers;
(ix) To amend several legislations, such as the Indian Penal Code and the Indian Evidence Act, so as to bring them in line with the needs of the IT Act, 2000.

Exercise
1. Definition of Digital Signature.
2.
Define the objectives of the IT Act, 2000.
3. Define electronic commerce.

Payment Gateways

A payment gateway is a separate service that acts as an intermediary between the merchant's shopping cart and all the financial networks involved in the transaction, including the customer's credit card issuer and the merchant account. It checks the transaction details for validity, encrypts them, ensures they are sent to the correct destination, and then decrypts the responses that are sent back to the shopping cart. A payment gateway can be thought of as the digital equivalent of a credit card processing terminal.

A payment gateway is thus an e-commerce service that authorizes payments for e-businesses and online retailers. The process is seamless for the customer, who does not interact with the gateway directly: data is forwarded to the gateway by the shopping cart over an encrypted (SSL/TLS) connection.
The shopping cart is configured through plugins to send information in a format acceptable to the particular gateway.

How payment gateways work

Payment gateways encrypt the information they handle using SSL (Secure Sockets Layer), in practice today its successor TLS. This reduces the opportunity for fraud and adds security to the transaction process. Gateways communicate with a variety of entities, including:
• the customer;
• the merchant (through the merchant's website);
• credit card companies (to verify information); and
• Internet merchant accounts, which relay order information from the gateway to the merchant's bank account.

Benefits of a payment gateway

1. Security: The gateway keeps customers' credit card data behind its own firewalls, so the merchant does not have to hold card data and worry about someone breaking into its system.
2. Encryption: Gateways use SSL/TLS encryption to prevent message tampering while the credit card information is transmitted over the Internet.
3. Back-up redundancy: Gateways have a backup system in place to ensure that merchants can continue processing in the event of an emergency.
4. Up-to-date technology: Gateways are services that are constantly upgraded to stay current with the latest technology. Because the gateway does not run on the merchant's computers, the merchant does not need to upgrade hardware. Gateways also save the cost of the additional phone line that a dial-up terminal would need.

ISSUES OF ELECTRONIC PAYMENT TECHNOLOGY

Online payment processing requires coordinating the flow of transactions among a complex network of financial institutions and processors. Fortunately, technology has simplified this process so that, with the right solution, payment processing is easy, secure and seamless for both the merchant and its customers.
This chapter covers what you need to know about online payment processing:
• online payment processing basics;
• the payment processing network;
• how payment processing works;
• what you should know about fraud; and
• what to look for in a payment processing solution.

Online Payment Processing Basics: Purchasing online may seem quick and easy, and most consumers give little thought to the process that appears to work instantaneously. For it to work correctly, merchants must connect to a network of banks (both acquiring and issuing banks), processors and other financial institutions so that the payment information provided by the customer can be routed securely and reliably. The solution is a payment gateway that connects the online store to these institutions and processors. Because payment information is highly sensitive, trust and confidence are essential elements of any payment transaction. This means the gateway should be provided by a company with in-depth experience in payment processing and security.

The Payment Processing Network: The participants and elements involved in processing payments are:
o Acquiring bank: In the online payment processing world, an acquiring bank provides Internet merchant accounts. A merchant must open an Internet merchant account with an acquiring bank to enable online credit card authorization and payment processing. Examples of acquiring banks include Merchant Solutions and most major banks.
o Authorization: The process by which a customer's credit card is verified as active and as having the credit available to make a transaction. In online payment processing, an authorization also verifies that the billing information provided by the customer matches the information on record with the credit card company.
o Credit card association: A financial institution that provides credit card services that are branded and distributed by customer issuing banks.
Examples include Visa and MasterCard.
o Customer: The holder of the payment instrument, such as a credit card, debit card or electronic check.
o Customer issuing bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include Citibank and SunTrust. During a purchase, the customer issuing bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase.
o Internet merchant account: A special account with an acquiring bank that allows the merchant to accept credit cards over the Internet. The merchant typically pays a processing fee for each transaction processed, also known as the discount rate. A merchant applies for an Internet merchant account in a process similar to applying for a commercial loan. The fees charged by the acquiring bank vary.
o Merchant: Someone who owns a company that sells products or services.
o Payment gateway: A service that provides connectivity among merchants, customers and financial networks to process authorizations and payments. The service is usually operated by a third-party provider such as VeriSign.
o Processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to a merchant's site on behalf of an acquiring bank via a payment gateway.
o Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant's acquiring bank for deposit.

Visa and MasterCard Take Different Approaches to Authentication

Online merchants could face integration hassles as they deploy forthcoming and competing credit card payer authentication technologies from Visa USA and MasterCard International Inc.
The technologies, Visa's Verified by Visa and MasterCard's Secure Payment Application service, take distinctly different approaches. Visa performs authentication through the merchant site, whereas MasterCard handles it on the customer's PC automatically, using a previously downloaded applet. As a result, merchants that accept credit cards will be required to support two authentication mechanisms. Furthermore, some observers speculate that the companies' respective systems may be no more successful in gaining market acceptance than the ill-fated Secure Electronic Transaction (SET) authentication protocol, which Visa and MasterCard had jointly spearheaded.

Visa sweetened the bait for its system when it announced that online merchants using Verified by Visa would have no liability for any transactions processed by the service. Verified by Visa, also known as Visa Payer Authentication, authenticates credit card users with a password and requires no client software. MasterCard and Visa, which formerly cooperated, now find fault with each other's approaches. Visa's service, MasterCard argues, will extend transaction processing times, take customers off the merchant site for authentication, and require complex integration. MasterCard's service, Visa counters, amounts to a digital wallet, which consumers have been loath to use.

About the only thing MasterCard and Visa seem to agree on is that SET, which was launched in December 1997, was a failure. SET required long download times for customers, used clumsy digital certificate technology, and created integration hassles for merchants and the banks that issued the credit cards. It had all but faded away by late 1998. With Visa and MasterCard now going separate ways, some merchants see little reason to try authentication technology: it creates another layer of complication, and after customers have gone through the trouble of giving their credit card number, they now have the problem of remembering one more password.
How Payment Processing Works: Payment processing in the online world is similar to payment processing in the offline or 'brick and mortar' world, with one significant exception: in the online world the card is 'not present' at the transaction. The merchant must therefore take additional steps to verify that the card information is being submitted by the actual owner of the card. Payment processing can be divided into two major phases: authorization and settlement.

o Payment Processing: Authorization and Settlement. Authorization verifies that the card is active and that the customer has sufficient credit available to make the transaction. Settlement involves transferring money from the customer's account to the merchant's account.

o Authorization, online:
1. A customer decides to make a purchase on a merchant's website, proceeds to checkout and inputs credit card information.
2. The merchant's website receives the customer information and sends the transaction information to the payment gateway.
3. The payment gateway routes the information to the processor.
4. The processor sends the information to the issuing bank of the customer's credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the processor.
6. The processor routes the transaction result to the payment gateway.
7. The payment gateway passes the result to the merchant.
8. The merchant accepts or rejects the transaction and ships the goods if appropriate.
Because this is a 'card not present' transaction, the merchant should take additional precautions to ensure that the card has not been stolen and that the customer is the actual owner of the card. See 'What You Should Know About Fraud' later in this chapter for more on preventing fraudulent transactions.

o Authorization, 'brick and mortar':
1. A customer selects item(s) to purchase, brings them to a cashier, and hands the credit card to the merchant.
2. The merchant swipes the card and transfers the transaction information to a point-of-sale terminal.
3. The point-of-sale terminal routes the information to the processor via a dial-up connection (the point-of-sale terminal takes the place of the payment gateway in the offline world).
4. The processor sends the information to the issuing bank of the customer's credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the processor.
6. The point-of-sale terminal shows the merchant whether the transaction was approved or declined.
7. The merchant tells the customer the outcome of the transaction. If approved, the merchant has the customer sign the credit card receipt and gives the item(s) to the customer.

Fig. 6.5 Customer Verification Process in Shopping Cart.

In the shopping cart example of Fig. 6.5, customer credentials are verified against the customer database at the site; if validation of the customer's credentials completes without error and is confirmed by the merchant handler, the customer's bank account or credit card is debited accordingly.

o Payment Processing: Settlement. The settlement process transfers the authorized funds for a transaction from the customer's bank account to the merchant's bank account. The process is basically the same whether the transaction is conducted online or offline.

What You Should Know About Fraud: Credit card fraud can be a significant problem for customers, merchants and credit card issuers. Liability for a fraudulent transaction lies with the credit card issuer for a card-present, in-store transaction, but shifts to the merchant for 'card not present' transactions, including transactions conducted online. This means that the merchant does not receive payment for a fraudulent online transaction.
Fortunately, there are steps an online merchant can take to significantly limit its risk. The following fraud prevention steps should be adhered to:
1. Choose a payment services provider that is well established and credible. The provider should have in-depth experience in, and a strong track record for, transaction security.
2. Make sure the payment gateway provider offers real-time credit card authorization results. This ensures that the credit card has not been reported lost or stolen and that the card number is valid.
3. One of the simplest ways to reduce the risk of a fraudulent transaction is to use the Address Verification Service (AVS). This matches the cardholder's billing address on file with the billing address submitted, to ensure that the person submitting the transaction is the cardholder.
4. Use card security codes, known as CVV2 for Visa, CVC2 for MasterCard and CID for American Express. For American Express the code is a four-digit number printed on the front of the card above the account number. For Visa and MasterCard it is a three-digit number printed at the end of the account number on the back of the card. The code is not printed on any receipt and provides additional assurance that the person submitting the transaction has the actual card in hand. As a merchant you can ask for this code on your online order form. Even if you do not use it for processing, simply asking for it acts as a strong deterrent against fraud. The code should only be passed on to the gateway for authorization and never stored by the merchant afterwards; card brand rules (PCI DSS) forbid retaining it.
5. Watch for multiple orders for easily resold items, such as electronic goods, purchased on the same credit card.
6. Develop a negative card and shipping address list and cross-check transactions against it.
Many perpetrators will go back to the same merchant again and again to make fraudulent transactions.

RECOMMENDATIONS ON THE SECURITY OF ELECTRONIC PAYMENT SYSTEMS

The following recommendations give guidance to government agencies on the security aspects of acquiring electronic merchant and payment provider services, and assist them with the choice between in-house and outsourced operations.

Recommendations

For small payments
1. These recommendations cover payments by clients buying low-priced documents, information, etc., and clients paying accounts such as rates, licence fees, etc.
2. To minimize liability, an agency should outsource both merchant and payment services. Provided there is an adequate contract and a reliable method of updating the agency's information on the merchant server, essentially all liability will pass to the merchant service and payment providers, who will manage the risks and who can insure against any losses.
3. It is important to note that the process of arriving at an adequate contract to achieve this end is no trivial task. Further, an agency should not assume that such a contract makes it immune from liability for every loss. It may still be liable if it fails to manage the contract in a diligent manner or if the underlying structure of the payment scheme is flawed.
4. A further point worth noting is that, even when an agency succeeds in passing liability to an external provider, it may still suffer serious embarrassment as the only political target for those suffering from a failure in a payment scheme.
5.
An agency which decides to retain the merchant server in-house but to outsource payment services should:
(a) avoid receiving client card details unless they are encrypted by arrangement between the client and the payment provider (e.g. by use of the SET protocol);
(b) ensure (probably by seeking AISEP certification) that advice details passed by the payment provider cannot be repudiated; and
(c) install strong access control, including firewalling and intrusion detection measures, to prevent hacking of its system.
It is assumed that:
(i) the payment provider will take the necessary steps to avoid system penetration and will insure against the risk of failure; and
(ii) the agency will strenuously protect client details if it holds them unencrypted, including perhaps using AISEP-certified software/hardware, particularly for the communications between client and agency.
6. An agency which decides to operate both merchant and payment servers will need:
• a highly reliable, preferably AISEP-certified, payments package and agency-to-financial-institution communications system;
• strong access control entailing the maximum possible separation (personnel, physical and logical) between the merchant and payment servers; and
• strong protection of both merchant and payment servers against internal and external attack.
This solution involves very high security risks. Commonwealth agencies are strongly advised to seek Defence Signals Directorate guidance; other agencies should contact their own security organizations.

For large payments
7. It is recommended that clients instruct their banks to transfer large payments directly to the agency's bank and not use Internet-based payment systems.

Background
8. In common with all other electronic information processing systems, payment systems are prone to disruption by people exploiting the systems' innate vulnerabilities. Those considering employing a payment system must decide whether to accept the consequent risks.
They will need to make a risk management decision balancing the business advantages of adoption against the potential losses that security failures might entail.
9. This paper examines, in generic terms, what might be described as 'retail payment systems', i.e. those designed to allow a large number of individuals or organizations to pay for goods and/or services from a provider. In a government context the payments might include (a) the cost of documents supplied electronically; (b) rates and charges for utilities; and (c) fees for the registration of businesses.
10. The risks inherent in the various available systems are described so as to assist acquirers in making an informed decision on which system to select to meet their security requirements.

Threats
All financial systems attract fraudsters and embezzlers. The problem typically ranges from individuals avoiding small payments or stealing small amounts to organized criminal activity involving large sums. Electronic financial systems connected to public networks extend the opportunities for this type of crime beyond what is achievable under a paper-based process, by allowing access from anywhere in the world, often with much scope for anonymity.
11. An additional hazard associated with electronic systems is the propensity of some people to regard them as an intellectual challenge. These 'hackers' (who may be employees of the system owner or outsiders) are frequently very highly skilled. Because their motivation is not financial gain, hackers may devote far more effort to 'breaking' the system than is commensurate with the profit that success could bring. In addition, many seek recognition for their successes by publishing on the Internet the exploitation methods they have developed. Individuals or more organized criminal elements may then use these methods to defraud or steal.
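The card-not-present fraud prevention steps listed above (a valid card number, the AVS result, the card security code, repeat orders of easily resold goods on one card, negative lists) and the recommendation that a merchant holding card details must protect them can be combined into a pre-authorization screen. The following is an added worked example, not code from the study material or from any gateway provider; the orders, the negative lists, the velocity limit of three orders per card and the function names are constructed for the illustration, and the AVS match result is assumed to have already been returned by the issuer.

```python
"""Card-not-present screening before a transaction is sent for authorization.

Added worked example; it is not part of the study material. It implements the
fraud-prevention steps listed earlier (a valid card number, the Address
Verification Service result, the card security code, watching repeat orders of
easily resold goods on one card, and negative lists) and shows what a merchant
may keep afterwards. All orders and list entries below are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: rejects mistyped or invented card numbers before
    they cost an authorization request. Spaces in the input are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def security_code_ok(brand: str, code: str) -> bool:
    """CVV2 (Visa) and CVC2 (MasterCard) are 3 digits on the back of the card;
    American Express CID is 4 digits on the front."""
    expected = 4 if brand == "amex" else 3
    return code.isdigit() and len(code) == expected


@dataclass
class Order:
    pan: str              # card number as typed by the customer
    brand: str            # "visa", "mastercard" or "amex"
    security_code: str    # CVV2/CVC2/CID as typed; forwarded to the gateway, never stored
    avs_zip_match: bool   # AVS result returned by the issuer (assumed already obtained)
    ship_to: str
    resaleable: bool      # easily resold goods such as consumer electronics


@dataclass
class FraudScreen:
    negative_cards: set[str] = field(default_factory=set)
    negative_addresses: set[str] = field(default_factory=set)
    resaleable_orders: Counter = field(default_factory=Counter)
    velocity_limit: int = 3   # resaleable-goods orders tolerated per card (assumed policy)

    def review(self, order: Order) -> list[str]:
        """Return the reasons to hold or decline the order. An empty list means
        the order can be forwarded to the payment gateway for authorization."""
        reasons: list[str] = []
        if not luhn_valid(order.pan):
            reasons.append("invalid card number")
        if not security_code_ok(order.brand, order.security_code):
            reasons.append("card security code missing or wrong length")
        if not order.avs_zip_match:
            reasons.append("AVS mismatch on billing address")
        if order.pan in self.negative_cards:
            reasons.append("card on negative list")
        if order.ship_to in self.negative_addresses:
            reasons.append("shipping address on negative list")
        if order.resaleable:
            self.resaleable_orders[order.pan] += 1
            if self.resaleable_orders[order.pan] > self.velocity_limit:
                reasons.append("too many resaleable-goods orders on one card")
        return reasons


def retain_after_authorization(order: Order) -> dict[str, str]:
    """The merchant record kept once the gateway has answered: a masked card
    number and the shipping address, never the security code or the full PAN."""
    digits = "".join(c for c in order.pan if c.isdigit())
    return {"pan_masked": "*" * (len(digits) - 4) + digits[-4:], "ship_to": order.ship_to}


if __name__ == "__main__":
    screen = FraudScreen(negative_addresses={"PO Box 99, Nowhere"})
    good = Order("4111 1111 1111 1111", "visa", "123", True, "5 Cavalry Lane, Delhi", True)
    print("good order:", screen.review(good) or "send for authorization")
    bad = Order("1234 5678 1234 5678", "visa", "12", False, "PO Box 99, Nowhere", True)
    print("bad order:", screen.review(bad))
    print("stored after authorization:", retain_after_authorization(good))
```

The screen runs before the gateway is called, so obviously bad orders never generate an authorization fee, and the review returns every failed check rather than stopping at the first one, which is what an operator needs when deciding whether to hold an order for manual review. The retained record deliberately contains no security code: the code is sent to the gateway once and then discarded, in line with the merchant's obligation not to hold card details it cannot protect.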
Online Banking: Concepts and importance

'Internet banking' refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer (PC) or other intelligent device. Internet banking products and services can include wholesale products for corporate customers as well as retail and fiduciary products for consumers. Ultimately the products and services obtained through Internet banking may mirror the products and services offered through other bank delivery channels.

Some examples of wholesale products and services include:
• Cash management.
• Wire transfer.
• Automated clearing house (ACH) transactions.
• Bill presentment and payment.

Examples of retail and fiduciary products and services include:
• Balance inquiry.
• Funds transfer.
• Downloading transaction information.
• Bill presentment and payment.
• Loan applications.
• Investment activity.
• Other value-added services.

In the past, the computer systems that made the information systems operate were rarely noticed by customers. Today, websites, electronic mail and electronic bill presentment and payment systems are an important way for banks to reach their customers. National banks have experimented with various forms of online banking for many years. Some of the early experiments involved closed systems where customers accessed the bank through a dial-in or cable TV connection. These systems limited a bank's potential customer base because they required out-of-area customers either to incur long-distance charges on their phone bills or to subscribe to a particular cable TV service to access the bank. With the widespread growth of the Internet, customers can use this technology anywhere in the world to access a bank's network. The Internet, as an enabling technology,
has made banking products and services available to more customers and eliminated geographic and proprietary-system barriers. With an expanded market, banks also may have opportunities to expand or change their product and service offerings.

Electronic Fund Transfer

Inter-bank transfer is a special service that allows you to transfer funds electronically to accounts in other banks in India through:

NEFT: The acronym 'NEFT' stands for National Electronic Funds Transfer. Funds are transferred to the credit account with the other participating bank using RBI's NEFT service. RBI acts as the service provider and transfers the credit to the other bank's account.

RTGS: The acronym 'RTGS' stands for Real Time Gross Settlement. The RTGS system facilitates transfer of funds from accounts in one bank to another on a 'real time' and 'gross settlement' basis. The RTGS system is the fastest possible inter-bank money transfer facility available through secure banking channels in India.

Minimum/maximum amounts for RTGS/NEFT transactions under Retail Internet Banking:

Type    Minimum      Maximum
RTGS    Rs. 1 lakh   Rs. 5 lakh
NEFT    No limit     Rs. 5 lakh

Minimum/maximum amounts for RTGS/NEFT transactions under Corporate Internet Banking:

Type    Minimum      Maximum
RTGS    Rs. 1 lakh   No limit
NEFT    No limit     No limit

Under normal circumstances the beneficiary bank's branch receives the funds in real time as soon as they are transferred by the remitting bank. The funds are sent to the RBI within three hours of the transaction. The actual time taken to credit the beneficiary depends on the time taken by the beneficiary bank to process the payment.

Fig. 6.6 Process of Payment

Growth in Internet Banking

Numerous factors, including competitive cost, customer service and demographic considerations, are motivating banks to evaluate their technology and assess their electronic commerce and Internet banking strategies.
Many researchers expect rapid growth in customers using online banking products and services. The challenge for national banks is to make sure the savings from Internet banking technology more than offset the costs and risks associated with conducting business in cyberspace. Marketing strategies will vary as national banks seek to expand their markets and employ lower-cost delivery channels. Examiners will need to understand the strategies used and technologies employed on a bank-by-bank basis to assess the risk. Evaluating a bank's data on the use of its website may help examiners determine the bank's strategic objectives, how well the bank is meeting its Internet banking product plan, and whether the business is expected to be profitable. Some of the market factors that may drive a bank's strategy include the following:

• Competition: Studies show that competitive pressure is the chief driving force behind increasing use of Internet banking technology, ranking ahead of cost reduction and revenue enhancement, in second and third place respectively. Banks see Internet banking as a way to keep existing customers and attract new ones.
• Cost efficiencies: National banks can deliver banking services on the Internet at transaction costs far lower than traditional brick-and-mortar branches. The actual cost to execute a transaction varies with the delivery channel used. For example, according to Booz, Allen & Hamilton, as of mid-1999 the cost to deliver a manual transaction at a branch was typically more than a dollar, ATM and call-center transactions cost about 25 cents, and Internet transactions cost about a penny. These costs are expected to continue to decline.
• National banks have significant reasons to develop the technologies that will help them deliver banking products and services through the most cost-effective channels.
Many bankers believe that shifting only a small portion of the estimated 19 billion payments mailed annually in the U.S. to electronic delivery channels could save banks and other businesses substantial sums of money. However, national banks should use care in making product decisions. Management should include in its decision making the development and ongoing costs associated with a new product or service, including the technology, marketing, maintenance and customer support functions. This will help management exercise due diligence, make more informed decisions, and measure the success of the business venture.

• Geographical Reach - Internet banking allows expanded customer contact through increased geographical reach and lower-cost delivery channels. In fact, some banks do business exclusively via the Internet: they have no traditional banking offices and reach their customers only online. Other financial institutions use the Internet as an alternative delivery channel to reach existing customers and attract new ones.

• Branding - Relationship building is a strategic priority of many national banks. Internet banking technology and products can provide a means for national banks to develop and maintain an ongoing relationship with their customers by offering easy access to a broad array of products and services. By capitalizing on brand identification and by providing a broad array of financial services, banks hope to build customer loyalty, cross-sell, and enhance repeat business.

• Customer Demographics - Internet banking allows national banks to offer a wide array of options to their banking customers. Some customers will rely on traditional branches to conduct their banking business; for many, this is the most comfortable way to transact, and those customers place a premium on person-to-person contact. Other customers are early adopters of new technologies that arrive in the marketplace.
These customers were the first to obtain PCs and the first to employ them in conducting their banking business. The demographics of banking customers will continue to change. The challenge to national banks is to understand their customer base and find the right mix of delivery channels to deliver products and services profitably to their various market segments.

Types of Internet Banking

Understanding the various types of Internet banking products will help examiners assess the risks involved. Currently, the following three basic kinds of Internet banking are employed in the marketplace:

(a) Informational - This is the basic level of Internet banking. Typically, the bank has marketing information about its products and services on a stand-alone server. The risk is relatively low, as informational systems typically have no path between the server and the bank's internal network. This level of Internet banking can be provided by the bank or outsourced. While the risk to the bank is relatively low, the server or Web site may still be vulnerable to alteration (defacement or the planting of misleading content), so appropriate controls must be in place to prevent unauthorized changes to the bank's server or Web site.

(b) Communicative - This type of Internet banking system allows some interaction between the bank's systems and the customer. The interaction may be limited to electronic mail, account inquiry, loan applications, or static file updates (name and address changes). Because these servers may have a path to the bank's internal networks, the risk is higher with this configuration than with informational systems. Appropriate controls need to be in place to prevent, monitor and alert management of any unauthorized attempt to access the bank's internal networks and computer systems. Virus controls also become much more critical in this environment.

(c) Transactional - This level of Internet banking allows customers to execute transactions.
Since a path typically exists between the server and the bank's or outsourcer's internal network, this is the highest-risk architecture and must have the strongest controls. Customer transactions can include accessing accounts, paying bills, transferring funds, etc.

LESSON 2
UNIT IV
Automated Clearing House

Automated Clearing House; Automated Ledger Posting; Emerging modes and systems of E-payment (MPaisa, PayPal and other digital currency); E-payment risks

Automated Clearing House

There are several key points to understand about the Automated Clearing House. Some of the important ones are mentioned below:

1. The platform is used for clearing money transfers from a sender to a receiver with authorization; the transfer of money takes place in digital mode.
2. Approximately 170 member banks and 1,203 sub-member banks are part of the National Automated Clearing House (NACH).
3. About 11 million transactions per day were processed during the year 2019-20.
4. It has a capacity of handling 175 million transactions per day.

Automated Ledger Posting

Automated ledger posting helps in maintaining ledgers online. Its features are:

1. Ledgers are maintained online.
2. Posting is done in an automated manner.
3. The Trial Balance and Balance Sheet are prepared with software.
4. Adjustments of pending transactions can be settled with banks online.

Emerging modes and systems of E-payment (MPaisa, PayPal and other digital currency)

E-payment Risks

Internet Banking Risks

Internet banking creates new risk control challenges for national banks. From a supervisory perspective, risk is the potential that events, expected or unexpected, may have an adverse impact on the bank's earnings or capital. There are nine defined categories of risk for bank supervision purposes: credit, interest rate, liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation risk.
These categories are not mutually exclusive, and all of these risks are associated with Internet banking.

Credit Risk: Credit risk is the risk to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether on or off the bank's balance sheet. Internet banking provides the opportunity for banks to expand their geographic range: customers can reach a given institution from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for institutions to verify the bona fides of their customers, which is an important element in making sound credit decisions. Verifying collateral and perfecting security agreements also can be challenging with out-of-area borrowers. Unless properly managed, Internet banking could lead to a concentration in out-of-area credits or credits within a single industry. Moreover, the question of which state's or country's laws control an Internet relationship is still developing.

Fig. 6.7 Payment Process

Effective management of a portfolio of loans obtained through the Internet requires that the board and management understand and control the bank's lending risk profile and credit culture. They must assure that effective policies, processes, and practices are in place to control the risk associated with such loans.

Interest rate risk: Interest rate risk is the risk to earnings or capital arising from movements in interest rates. From an economic perspective, a bank focuses on the sensitivity of the value of its assets, liabilities and revenues to changes in interest rates.
Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting bank activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in bank products (options risk). Evaluation of interest rate risk must consider the impact of complex, illiquid hedging strategies or products, and also the potential impact that changes in interest rates will have on fee income. In those situations where trading is separately managed, this refers to structural positions and not trading portfolios. Internet banking can attract deposits, loans, and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, including the ability to react quickly to changing market conditions.

Liquidity Risk: Liquidity risk is the risk to earnings or capital arising from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions affecting the ability of the bank to liquidate assets quickly and with minimal loss in value. Internet banking can increase deposit volatility from customers who maintain accounts solely on the basis of rate or terms. Asset/liability and loan portfolio management systems should be appropriate for products offered through Internet banking. Increased monitoring of liquidity and of changes in deposits and loans may be warranted depending on the volume and nature of Internet account activities.
Price Risk: Price risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market making, dealing, and position taking in interest rate, foreign exchange, equity and commodities markets. Banks may be exposed to price risk if they create or expand deposit brokering, loan sales, or securitization programs as a result of Internet banking activities. Appropriate management systems should be maintained to monitor, measure, and manage price risk if assets are actively traded.

Foreign Exchange Risk: Foreign exchange risk is present when a loan or portfolio of loans is denominated in a foreign currency or is funded by borrowings in another currency. In some cases, banks will enter into multi-currency credit commitments that permit borrowers to select the currency they prefer to use in each rollover period. Foreign exchange risk can be intensified by political, social or economic developments. The consequences can be unfavorable if one of the currencies involved becomes subject to stringent exchange controls or is subject to wide exchange-rate fluctuations. Banks may be exposed to foreign exchange risk if they accept deposits from non-U.S. residents or create accounts denominated in currencies other than U.S. dollars. Appropriate systems should be developed if banks engage in these activities.

Transaction Risk: Transaction risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Transaction risk is evident in each product and service offered and encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.
A high level of transaction risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored. Banks that offer financial products and services through the Internet must be able to meet their customers' expectations. Banks must also ensure they have the right product mix and capacity to deliver accurate, timely, and reliable services to develop a high level of confidence in their brand name. Customers who do business over the Internet are likely to have little tolerance for errors or omissions from financial institutions that do not have sophisticated internal controls to manage their Internet banking business. Likewise, customers will expect continuous availability of the product and Web pages that are easy to navigate.

Software to support various Internet banking functions is provided to the customer from a variety of sources. Banks may support customers using customer-acquired or bank-supplied browsers or personal financial manager (PFM) software. Good communication between banks and their customers will help manage expectations on the compatibility of various PFM software products.

Attacks or intrusion attempts on banks' computer and network systems are a major concern. Studies show that systems are more vulnerable to internal attacks than external ones, because internal system users have knowledge of the system and legitimate access to it. Banks should have sound preventive and detective controls to protect their Internet banking systems from exploitation both internally and externally.

Contingency and business resumption planning is necessary for banks to be sure that they can deliver products and services in the event of adverse circumstances. Internet banking products connected to a robust network may actually make this easier, because backup capabilities can be spread over a wide geographic area.
For example, if the main server is inoperable, the network could automatically reroute traffic to a backup server in a different geographical location. Security issues should be considered when the institution develops its contingency and business resumption plans: security and internal controls at the backup location should be as strong as those at the primary processing site, since an attacker who cannot reach the primary site will look for the weaker fallback. High levels of system availability will be a key expectation of customers and will likely differentiate success levels among financial institutions on the Internet.

National banks that offer bill presentment and payment will need a process to settle transactions between the bank, its customers and external parties. In addition to transaction risk, settlement failures could adversely affect reputation, liquidity, and credit risk.

Compliance Risk: Compliance risk is the risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. Compliance risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to a diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and lack of contract enforceability.

Most Internet banking customers will continue to use other bank delivery channels. Accordingly, national banks will need to make certain that their disclosures on Internet banking channels, including Web sites, remain synchronized with other delivery channels to ensure the delivery of a consistent and accurate message to customers. Federal consumer protection laws and regulations, including CRA and Fair Lending, are applicable to electronic financial services operations, including Internet banking.
Moreover, it is important for national banks to be familiar with the regulations that permit electronic delivery of disclosures/notices versus those that require traditional hard-copy notification. National banks should carefully review and monitor all requirements applicable to electronic products and services and ensure they comply with evolving statutory and regulatory requirements. Advertising and record-keeping requirements also apply to banks' Web sites and to the products and services offered. Advertisements should clearly and conspicuously display the FDIC insurance notice, where applicable, so customers can readily determine whether a product or service is insured. Regular monitoring of bank Web sites will help ensure compliance with applicable laws, rules, and regulations.

Application of Bank Secrecy Act (USA) requirements to cyber banking products and services is critical. The anonymity of banking over the Internet poses a challenge in adhering to BSA standards. Banks planning to allow the establishment of new accounts over the Internet should have rigorous account-opening standards. Also, the bank should set up a control system to identify unusual or suspicious activities and, when appropriate, file suspicious activity reports (SARs). The BSA funds transfer rules also apply to funds transfers or transmittals performed over the Internet when transactions exceed $3,000 and do not meet one of the exceptions. The rules require banks to ensure that customers provide all the required information before accepting transfer instructions. The record-keeping requirements imposed by the rules allow banks to retain written or electronic records of the information.

Strategic Risk: Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.
This risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization's internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.

Management must understand the risks associated with Internet banking before deciding to develop a particular class of business. In some cases, banks may offer new products and services via the Internet; it is important that management understand the risks and ramifications of these decisions. Sufficient levels of technology and MIS are necessary to support such a business venture. Because many banks will compete with financial institutions beyond their existing trade area, those engaging in Internet banking must have a strong link between the technology employed and the bank's strategic planning process.

Before introducing an Internet banking product, management should consider whether the product and technology are consistent with tangible business objectives in the bank's strategic plan. The bank also should consider whether adequate expertise and resources are available to identify, monitor, and control risk in the Internet banking business. The planning and decision-making process should focus on how a specific business need is met by the Internet banking product, rather than on the product as an independent objective. The bank's technology experts, along with its marketing and operational executives, should contribute to the decision-making and planning process.
They should ensure that the plan is consistent with the overall business objectives of the bank and is within the bank's risk tolerance. New technologies, especially the Internet, could bring about rapid changes in competitive forces. Accordingly, the strategic vision should determine the way the Internet banking product line is designed, implemented, and monitored.

Reputation Risk: Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution's ability to establish new relationships or services or to continue servicing existing relationships. This risk may expose the institution to litigation, financial loss, or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.

A bank's reputation can suffer if it fails to deliver on marketing claims or to provide accurate, timely services. This can include failing to adequately meet customer credit needs, providing unreliable or inefficient delivery systems, untimely responses to customer inquiries, or violations of customer privacy expectations. A bank's reputation can be damaged by Internet banking services that are poorly executed or otherwise alienate customers and the public. Well-designed marketing, including disclosures, is one way to educate potential customers and help limit reputation risk. Customers must understand what they can reasonably expect from a product or service and what special risks and benefits they incur when using the system; such marketing concepts need to be coordinated closely with adequate disclosure statements. A national bank should not market its Internet banking system based on features or attributes the system does not have. The marketing program must present the product fairly and accurately.
National banks should carefully consider how connections to third parties are presented on their Web sites. Hypertext links are often used to enable a customer to link to a third party. Such links may reflect an endorsement of the third party's products or services in the eyes of the customer. It should be clear to the customer when they have left the bank's Web site, so that there is no confusion about the provider of the specific products and services offered or the security and privacy standards that apply. Similarly, adequate disclosures must be made so that customers can distinguish between insured and non-insured products.

National banks need to be sure that their business continuity plans include the Internet banking business. Regular testing of the business continuity plan, including communications strategies with the press and public, will help the bank ensure it can respond effectively and promptly to any adverse customer or media reactions.

Risk Management: Financial institutions should have a technology risk management process to enable them to identify, measure, monitor, and control their technology risk exposure. Risk management of new technologies has three essential elements:

• The planning process for the use of the technology.
• Implementation of the technology.
• The means to measure and monitor risk.

The OCC's objective is to determine whether a bank is operating its Internet banking business in a safe and sound manner. The OCC expects banks to use a rigorous analytic process to identify, measure, monitor, and control risk. Examiners will determine whether the level of risk is consistent with the bank's overall risk tolerance and is within the bank's ability to manage and control.

The risk planning process is the responsibility of the board and senior management. They need to possess the knowledge and skills to manage the bank's use of Internet banking technology and technology-related risks.
The board should review, approve, and monitor Internet banking technology-related projects that may have a significant impact on the bank's risk profile. They should determine whether the technology and products are in line with the bank's strategic goals and meet a need in their market. Senior management should have the skills to evaluate the technology employed and the risks assumed. Periodic independent evaluations of the Internet banking technology and products by auditors or consultants can help the board and senior management fulfill their responsibilities.

Implementing the technology is the responsibility of management. Management should have the skills to effectively evaluate Internet banking technologies and products, select the right mix for the bank, and see that they are installed appropriately. If the bank does not have the expertise to fulfill this responsibility internally, it should consider contracting with a vendor who specializes in this type of business or engaging in an alliance with another provider with complementary technologies or expertise.

Measuring and monitoring risk is the responsibility of management. Management should have the skills to effectively identify, measure, monitor, and control risks associated with Internet banking. The board should receive regular reports on the technologies employed, the risks assumed, and how those risks are managed. Monitoring system performance is a key success factor. As part of the design process, a national bank should include effective quality assurance and audit processes in its Internet banking system. The bank should periodically review the systems to determine whether they are meeting the performance standards.

Internal Controls

Internal controls over Internet banking systems should be commensurate with an institution's level of risk.
As in any other banking area, management has the ultimate responsibility for developing and implementing a sound system of internal controls over the bank's Internet banking technology and products. Regular audits of the control systems will help ensure that the controls are appropriate and functioning properly. For example, the control objectives for an individual bank's Internet banking technology and products might focus on:

• Consistency of technology planning and strategic goals, including efficiency and economy of operations and compliance with corporate policies and legal requirements.
• Data availability, including business recovery planning.
• Data integrity, including providing for the safeguarding of assets, proper authorization of transactions, and reliability of the process and output.
• Data confidentiality and privacy safeguards.
• Reliability of MIS.

Once control objectives are established, management has the responsibility to install the necessary internal controls to see that the objectives are met. Management also has the responsibility to evaluate the appropriateness of the controls on a cost-benefit basis. That analysis may take into account the effectiveness of each control in a process, the dollar volume flowing through the process, and the cost of the controls. Examiners will need to understand the bank's operational environment to evaluate the proper mix of internal controls and their adequacy.

According to the Information Systems Audit and Control Association (ISACA), the basic internal control components include:

• Internal accounting controls - Used to safeguard the assets and the reliability of financial records. These would include transaction records and trial balances.
• Operational controls - Used to ensure that business objectives are being met. These would include operating plans and budgets to compare actual against planned performance.
• Administrative controls - Used to ensure operational efficiency and adherence to policies and procedures. These would include periodic internal and external audits.

ISACA separates internal controls into three general categories. All three categories can be found among the basic internal controls discussed above.

• Preventive Controls - Prevent something (often an error or illegal act) from happening. An example of this type of control is logical access control software that allows only authorized persons to access a network, for instance by requiring a user ID and password (and, increasingly, a second authentication factor).
• Detective Controls - Identify an action that has occurred. An example would be intrusion detection software that triggers an alert or alarm.
• Corrective Controls - Correct a situation once it has been detected. An example would be software backups that could be used to recover a corrupted file or database.

Banks or service providers offering transaction-based Internet banking products need to have a high level of controls to help manage the bank's transaction risk. Examples of these controls could include:

• Monitoring transaction activity to look for anomalies in transaction types, transaction volumes, transaction values, and time-of-day presentment.
• Monitoring log-on violations or attempts to identify patterns of suspect activity, including unusual requests, unusual timing, or unusual formats.
• Using trap-and-trace techniques to identify the source of a request and match it against known customers.

Regular reporting and review of unusual transactions will help identify:

• Intrusions by unauthorized parties.
• Customer input errors.
• Opportunities for customer education.

SECURITY REQUIREMENTS OF AN ELECTRONIC PAYMENT SYSTEM

The essential security requirements for secure electronic payment are described below:

1. Authentication: A way to verify the buyer's identity before payments are made. Authentication is a central issue in an Internet banking system.
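To make the transaction- and log-on-monitoring controls listed above concrete, the following is an added Python example; it is not code from the study material or from any bank's system. It parses a constructed event log (fabricated customer IDs, timestamps and amounts) and applies the detective rules the text names: bursts of failed log-ons, unusual transaction velocity, unusually large values, and off-hours activity. The log format, the rule thresholds and the windows are assumptions made for the illustration; a bank would tune them per product and customer segment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (fabricated data, not real bank records).
# Fields: ISO timestamp, customer ID, event, amount (0 for log-on events).
SAMPLE_LOG = """\
2024-03-04T09:12:05 C1001 LOGIN_OK 0
2024-03-04T09:13:40 C1001 TRANSFER 250.00
2024-03-04T02:41:10 C2002 LOGIN_FAIL 0
2024-03-04T02:41:22 C2002 LOGIN_FAIL 0
2024-03-04T02:41:35 C2002 LOGIN_FAIL 0
2024-03-04T02:41:50 C2002 LOGIN_FAIL 0
2024-03-04T02:42:03 C2002 LOGIN_FAIL 0
2024-03-04T02:42:15 C2002 LOGIN_OK 0
2024-03-04T02:43:00 C2002 TRANSFER 4800.00
2024-03-04T02:43:20 C2002 TRANSFER 4900.00
2024-03-04T02:43:41 C2002 TRANSFER 4950.00
2024-03-04T14:05:00 C3003 TRANSFER 120.00
"""

# Assumed thresholds for the illustration; a real deployment tunes these per segment.
RULES = {
    "failed_logons": (5, timedelta(minutes=10)),    # >= 5 failures within 10 minutes
    "transfer_velocity": (3, timedelta(minutes=5)),  # >= 3 transfers within 5 minutes
    "high_value": 4500.0,                            # a single transfer at or above this amount
    "off_hours": (0, 5),                             # transfers presented between 00:00 and 04:59
}


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, customer, event, amount) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, customer, event, amount = line.split()
        records.append((datetime.fromisoformat(ts), customer, event, float(amount)))
    return sorted(records)


def burst(times, count, window):
    """True if any `count` consecutive timestamps fall within `window` (sliding window)."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def detect_anomalies(records, rules=RULES):
    """Return sorted (customer, rule) pairs that merit an analyst's review."""
    by_customer = defaultdict(list)
    for rec in records:
        by_customer[rec[1]].append(rec)

    alerts = set()
    for customer, recs in by_customer.items():
        failures = [r[0] for r in recs if r[2] == "LOGIN_FAIL"]
        transfers = [r for r in recs if r[2] == "TRANSFER"]

        if burst(failures, *rules["failed_logons"]):
            alerts.add((customer, "FAILED_LOGON_BURST"))   # log-on violation pattern
        if burst([t[0] for t in transfers], *rules["transfer_velocity"]):
            alerts.add((customer, "TRANSFER_VELOCITY"))    # unusual transaction volume

        start, end = rules["off_hours"]
        for ts, _, _, amount in transfers:
            if amount >= rules["high_value"]:
                alerts.add((customer, "HIGH_VALUE"))       # unusual transaction value
            if start <= ts.hour < end:
                alerts.add((customer, "OFF_HOURS"))        # unusual time-of-day presentment
    return sorted(alerts)


if __name__ == "__main__":
    for customer, rule in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{customer}: {rule}")
```

Run on the sample log, only customer C2002 is flagged, and on all four rules at once: five failed log-ons followed by a successful one, then three near-maximum transfers within a minute at 02:43. That combination is the pattern of a credential-stuffing or guessed-password takeover, and it is why the rules are evaluated together per customer rather than each in isolation.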
Transactions on the Internet or any other telecommunication network must be secure to achieve a high level of public confidence. In cyberspace, as in the physical world, customers, banks, and merchants need assurances that they will receive the service as ordered or the merchandise as requested, and that they know the identity of the person they are dealing with.

Banks typically use symmetric (secret key) encryption to protect the confidentiality of messages and asymmetric (public/private key) cryptography to authenticate the parties. Asymmetric cryptography employs two mathematically related keys, a public key and a private key; the private key cannot feasibly be derived from the public key. To prove that a message came from the sender, the sender computes a digital signature over the message (in practice over a cryptographic hash of it) using the private key, which only the sender holds. Anyone holding the sender's public key can check the signature, and a check that succeeds shows both that the message came from the expected sender and that it has not been altered since it was signed. (The shorthand often used, that the sender "encrypts with the private key" and the receiver "decrypts with the public key", describes this signing step.)

Internet banking systems should employ a level of encryption that is appropriate to the level of risk present in the systems. Stronger levels of encryption may slow or degrade performance, and accordingly management must balance security needs with performance and cost issues. A national bank should therefore conduct a risk assessment in deciding upon an appropriate level of encryption. Supervisors do not mandate a particular strength or type of encryption; rather, management is expected to evaluate security risks, review the cost and benefit of different encryption systems, and decide on an appropriate level of encryption as a business decision. Management should be able to explain the supporting analysis for its decision. A common asymmetric cryptosystem is RSA, whose strength depends on the length of the key chosen.
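The sign-with-private-key, verify-with-public-key step described above, as an added Python example that is not code from the study material or from any bank's system: textbook RSA over a SHA-256 digest, using only the standard library. The two primes are fixed, publicly known Mersenne primes chosen solely so the example is deterministic and needs no key generator; those primes, the public exponent and the lack of padding are assumptions of this example and would be unsafe in production, where a vetted library with RSA-PSS or an elliptic-curve signature scheme is used instead.

```python
import hashlib

# Fixed, publicly known Mersenne primes, chosen so the example is deterministic.
# A real key generator draws random primes of at least 1024 bits each.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537  # conventional public exponent


def keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """SHA-256 digest of the message as an integer; n here is ~648 bits, so this is < n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """'Encrypting with the private key': only the holder of d can produce this value."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key recovers the digest and compares it with the message's."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


def demo():
    """Sign a constructed payment instruction and show what verification accepts and rejects."""
    public_key, private_key = keygen()
    msg = b"PAY 250.00 INR FROM ACCT 1001 TO ACCT 2002"  # constructed sample instruction
    sig = sign(msg, private_key)
    return {
        "genuine": verify(msg, sig, public_key),
        # an intermediary changes the amount: the digest no longer matches
        "tampered_message": verify(msg.replace(b"250.00", b"2500.00"), sig, public_key),
        # a forger without d cannot produce a signature that survives the public check
        "altered_signature": verify(msg, sig ^ 1, public_key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The receiver needs nothing secret to run `verify`, which is what makes the scheme usable between parties that have never met; what it does need is confidence that the public key really belongs to the claimed sender, which is the certificate authority's role discussed under Trust below.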
By using the two forms of cryptography together, symmetric to protect the message and asymmetric to authenticate the parties involved, banks can secure the message and have a high level of confidence in the identity of the parties involved. (The OCC Internet Banking handbook, from which this discussion is adapted, gives examples of how this technology works in its appendix B.)

Biometric devices are an advanced form of authentication. These devices may take the form of a retina scan, finger or thumb print scan, facial scan, or voice print scan. Use of biometrics is not yet considered mainstream, but it may be used by some banks for authentication.

2. Trust: Trust is another issue in Internet banking systems. As noted in the previous discussion, public and private key cryptographic systems can be used to secure information and authenticate parties in transactions in cyberspace. A trusted third party is a necessary part of the process: the certificate authority. A certificate authority is a trusted third party that verifies identities in cyberspace; some people think of it as functioning like an online notary. The basic concept is that a bank, or other third party, uses its good name to validate parties in transactions. This is similar to the historic role banks have played with letters of credit, where neither the buyer nor the seller knew each other but both parties were known to the bank. Thus the bank uses its good name to facilitate the transaction, for a fee. Banks also may need a way to validate themselves in cyberspace, as theft of identity (impersonation of a bank) has taken place. A proper mix of preventive, detective, and corrective controls can help protect national banks from these pitfalls. Digital certificates may play an important role in authenticating parties and thus establishing trust in Internet banking systems.

A further requirement is integrity: ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission.

3. Privacy: Privacy is a consumer issue of increasing importance.
National banks that recognize and respond to privacy issues in a proactive way make this a positive attribute for the bank and a benefit for its customers. Public concerns over the proper versus improper accumulation and use of personal information are likely to increase with the continued growth of electronic commerce and the Internet. Providers who are sensitive to these concerns have an advantage over those who are not.

4. Non-repudiation: Non-repudiation is undeniable proof of participation by both the sender and the receiver in a transaction. Digital signatures based on public key cryptography are the technical answer: a signature that verifies under the sender's public key could only have been produced with the sender's private key, so the sender cannot later deny having sent the message, and a signed acknowledgement binds the receiver in the same way. Although technology has provided an answer to non-repudiation, laws in different jurisdictions are not uniform in their treatment of electronic authentication and digital signatures. The application of law to these activities is a new and emerging area.

5. Availability: Availability is another component in maintaining a high level of public confidence in a network environment. All of the previous components are of little value if the network is not available and convenient to customers. Users of a network expect access to systems 24 hours per day, seven days a week. Among the considerations associated with system availability are capacity, performance monitoring, redundancy, and business resumption. National banks and their vendors who provide Internet banking products and services need to make certain they have the capacity in terms of hardware and software to consistently deliver a high level of service. In addition, performance monitoring techniques will provide management with information such as the volume of traffic, the duration of transactions, and the amount of time customers must wait for service. Monitoring capacity, downtime, and performance on a regular basis will help management assure a high level of availability for their Internet banking system.
It is also important to evaluate network vulnerabilities to prevent outages due to component failures. An entire network can become inoperable when a single hardware component or software module malfunctions. Often national banks and their vendors employ redundant hardware in critical areas or have the ability to switch to alternate processing locations. The latter is often referred to as contingency planning.

SECURE SOCKET LAYER (SSL)

Secure Sockets Layer (SSL) is a cryptographic protocol, originally developed by Netscape, for transmitting private documents via the Internet; its standardised successor is Transport Layer Security (TLS). SSL combines the two kinds of cryptography described above: public/private key pairs (the public key known to everyone, the private key known only to its owner) are used at the start of a session to authenticate the server and to agree on a secret, and that secret then keys the symmetric encryption of the data.

Fig. 6.8

The Internet is an insecure channel for message transmission. Unlike voice transmission, where the message passes through a specified path, on the Internet the message passes through several network routers before reaching the destination. Moreover, the path taken by the information packets can change under dynamic routing. Packets that pass through the network can be viewed by anyone who controls one of those hops. Hence the Internet, by itself, is not suitable for transferring confidential or classified information. To ensure privacy of information, both the client and the server must run compatible security schemes. Network interactions typically take place between a client, such as browser software running on a personal computer, and a server, such as the software and hardware used to host a website. Here, authentication is used for identifying the clients as well as the server in a network environment. For instance, client authentication refers to the identification of a client by a server (that is, identification of the person assumed to be using the client software).
Server authentication refers to the identification of a server by a client (that is, identification of the organization assumed to be responsible for the server at a particular network address). The technologies used to provide a secure channel over the web are SSL and Secure Hypertext Transfer Protocol (S-HTTP).

Secure Socket Layer

SSL provides end-to-end secure data transmission between the web server and the web client. It is sandwiched between the Transmission Control Protocol/Internet Protocol (TCP/IP) layer and the application layer. Unlike TCP/IP, which offers only reliable packet transfer, SSL ensures secure packet transfer. Because SSL sits above TCP/IP, applications that use SSL automatically get the services of the TCP/IP layer, and SSL can secure communication for numerous application-level protocols on the Internet. In the web setting discussed here, SSL secures only the browser session; an e-mail message or a file transfer is protected only if that application has itself been configured to use SSL/TLS, which historically was rare. This is one of the reasons why confidential information such as credit card numbers should not be exchanged via e-mail. With SSL, a packet can still be viewed while in transit, but the viewer cannot decipher the contents since it is encrypted. SSL ensures secure data transfer but is not responsible for the security of data residing on the web client or the server.

How SSL Works

SSL performs two functions: it authenticates the website and it ensures secure data transmission between the web server and the client. It achieves this by combining symmetric and asymmetric encryption. In symmetric encryption a single secret key is used both for encrypting and for decrypting. In asymmetric encryption the key used to encrypt is called the public key and the one used to decrypt is called the private key. For symmetric encryption to work, the sender and receiver must share the secret key in advance. This is straightforward only when the sender and receiver already know each other.
Another problem with symmetric encryption alone is that it does not scale to a large number of participants, since every pair of parties would need its own pre-shared key. In asymmetric encryption, two separate keys are used to encrypt and decrypt data. The public key is shared with the other party and the private key is known only to the person who decrypts the data. So the private key remains secret while the public key is known to both parties. Asymmetric encryption lets the client and server authenticate each other, lets a secret session key be established between strangers, and provides digital signatures. For example, when a customer wants to buy a book from an online bookstore, the customer wants the transaction to be secure and confidential. The client's browser initiates a secure connection by sending a "client hello" message. It lists the cipher suites that the browser supports and carries a random value generated by the browser. This random value is used at the end of the handshake to confirm that a secure connection has been established. Each cipher suite names a key exchange algorithm, used to agree on a secret session key; a symmetric encryption algorithm, used to keep the transaction confidential; and a hashing algorithm, used to maintain data integrity. Before a secure connection is established, SSL authenticates the server. The server responds to the client hello with a "server hello" message. This indicates which of the offered cipher suites the server has chosen and carries the server's own random value, which is likewise used to confirm that a secure connection has been established. It is essential that the merchant's digital certificate is endorsed (signed) by a certificate authority (CA) whom the client trusts.
The client then checks the digital signature on the server's certificate against the public key of that CA, which is stored in the browser. Endorsed merchant certificates are signed using the CA's private key; the browser verifies the endorsement by checking the signature with the CA's public key. After the authentication process is complete, the browser generates a secret that will be shared by the client and the server (in the classic RSA handshake the browser encrypts it with the server's public key taken from the certificate, so only the genuine server can recover it). From this secret both sides derive the keys used for symmetric encryption and for integrity checking. From here on there is no need for asymmetric encryption; RC2, RC4 and other symmetric algorithms suffice for the messages sent (RC4 is now prohibited in TLS and RC2 is obsolete; modern TLS uses AES or ChaCha20). Two sets of symmetric keys are derived by the client and the server, one for securing outgoing messages and one for incoming messages.

S-HTTP

A web server by itself provides only access protection, ensuring that there is no unauthorized access. It does not protect data during transfer. Passwords can easily be captured in the absence of any protection for data in transit. S-HTTP enables secure communication between the web server and the client. S-HTTP was developed to support several e-security technologies: symmetric encryption for data confidentiality, message digests for data integrity, and public key infrastructure (PKI) encryption. These technologies can be used individually or in combination. S-HTTP is also compatible with non-secure HTTP sessions. The secure properties are negotiated during initialization by the client and the server. Each can be set to required, optional, or refused. S-HTTP negotiates the secure properties through the exchange of packet headers; specific security negotiation headers are created for data packets exchanged through each web session.
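The signature check described under security above (a private-key operation that anyone with the public key can verify) and the handshake just described, worked through together as an added example. This is example code written for this material, not code from the study material or from any SSL/TLS implementation: it uses textbook RSA on small primes, an HMAC-based keystream in place of RC4 or AES, and hypothetical names (the merchant shop.example, the functions issue_certificate, derive_keys, protect), and must not be used for real traffic.

```python
"""Toy SSL-style session setup: an added example for this study material, not
code from it or from any SSL/TLS library. Textbook RSA without padding on
256-bit primes is enough to show the mechanics but unsafe for real use (TLS
uses RSA-OAEP/PSS or, in TLS 1.3, ECDHE plus ECDSA/Ed25519). The subject
name shop.example and the function names are this example's own."""
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) = ((n, e), (n, d)); n is about `bits` long."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private_key, data):
    """Private-key operation on the hash: only the key holder can produce it."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public_key, data, signature):
    """Anyone holding the public key can check it: proof of origin, not secrecy."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _cert_bytes(cert):
    return f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()

def issue_certificate(ca_private, subject, subject_public):
    """The CA binds a name to a public key by signing both with its private key."""
    cert = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    cert["sig"] = sign(ca_private, _cert_bytes(cert))
    return cert

def check_certificate(cert, ca_public, expected_subject):
    """What the browser does with the CA public key it already holds."""
    return (cert["subject"] == expected_subject
            and verify(ca_public, _cert_bytes(cert), cert["sig"]))

def derive_keys(premaster, client_random, server_random):
    """Master secret from the premaster and both hello randoms, then one key set per direction."""
    master = hmac.new(premaster, client_random + server_random, "sha256").digest()
    return {label: hmac.new(master, label.encode(), "sha256").digest()
            for label in ("c2s_enc", "c2s_mac", "s2c_enc", "s2c_mac")}

def _keystream(key, seq, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"),
                             "sha256").digest() for i in range(blocks))[:length]

def protect(enc_key, mac_key, seq, plaintext):
    """Encrypt under a per-record keystream, then tag (seq | ciphertext)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    return ct, hmac.new(mac_key, seq.to_bytes(8, "big") + ct, "sha256").digest()

def unprotect(enc_key, mac_key, seq, ct, tag):
    """Check the tag first; a wrong seq (replay) or altered bytes yields None."""
    expect = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, "sha256").digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, seq, len(ct))))

def handshake(ca_public, server_cert, server_private, hostname):
    """Both sides run in-process; returns (client_keys, server_keys) or None."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    if not check_certificate(server_cert, ca_public, hostname):  # after client/server hello
        return None
    premaster = secrets.token_bytes(32)  # browser picks the secret ...
    sealed = pow(int.from_bytes(premaster, "big"), server_cert["e"], server_cert["n"])
    n, d = server_private                 # ... and only the real server can unseal it
    recovered = pow(sealed, d, n).to_bytes(32, "big")
    return (derive_keys(premaster, client_random, server_random),
            derive_keys(recovered, client_random, server_random))
```

The handshake function plays both roles in one process so the whole flow is visible; on the wire the two sides never share the premaster directly, which is why the RSA step and its padding matter (unpadded RSA, as here, and even PKCS#1 v1.5 padding are open to chosen-ciphertext attacks, one reason TLS 1.3 dropped RSA key transport). Note also that the tag covers the sequence number, so a captured record cannot simply be replayed later in the session.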
If the security property is required, the definition includes the type of technology to be used, the algorithms that will be supported, the direction in which the property is to be enforced (sending or receiving) and so on. If the secure property has been set to "optional," it is not mandatory for making connections, and if it is set to "refused," the negotiating party will not enforce this property. Once the secure properties have been set, the data is encapsulated. Encapsulation is done in order to ensure confidentiality of web sessions and content, client/server authentication, and message integrity.

• Secure electronic transaction (SET): Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically the Internet. SET was developed by Visa and MasterCard (involving other companies such as GTE, IBM, Microsoft and Netscape) starting in 1996. The SET standard was designed to protect payment instructions in transit. A detailed discussion of SET is outside the scope of this document; anyone interested in the subject can consult the SET business description document published on the Visa site (http://www.visa.com). At the time this material was written SET was expected to become operational in 1998, but progress was slow. For SET to provide its full level of security, each cardholder must be issued a "digital certificate" by their credit card issuer. This presented significant logistical problems, and SET was in practice never widely adopted.

Authentication Techniques, Processes and Methodologies

There are different kinds of techniques and methodologies available for authenticating users of an electronic banking product or service.
Selection and use of any technique should be based upon the assessed risk associated with a particular electronic banking product or service.

1. Shared Secrets: Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity. Passwords and PINs are the best-known shared secret techniques, but some new and different types are now being used as well. Some additional examples are:
• Questions or queries that require specific customer knowledge to answer, e.g. the exact amount of the customer's monthly mortgage payment.
• Customer-selected images that must be identified or selected from a pool of images.
The customer's selection of a shared secret normally occurs during the initial enrollment process or via an offline ancillary process. Passwords or PIN values can be chosen, questions can be chosen and responses provided, and images may be uploaded or selected. The security of shared secret processes can be enhanced by requiring periodic change. Shared secrets that never change are described as "static", and the risk of their compromise increases over time. The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate. Shared secrets can also be used to authenticate the institution's web site to the customer; this is discussed in the Mutual Authentication section. Every shared secret, including a knowledge-based question, can be phished or guessed from public information, so the server should store only a salted hash of it and should not rely on it alone for high-risk transactions.

Tokens: Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.

2. USB Token Device: The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer.
Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system. USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are tamper resistant; thus they are a relatively secure vehicle for storing sensitive data and credentials. The device has the ability to store digital certificates that can be used in a public key infrastructure (PKI) environment. The USB token is generally considered to be user-friendly. Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port, so the need for additional hardware is eliminated.

Smart Card: A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the customer's computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process. Smart cards are hard to duplicate and are tamper resistant; thus they are a relatively secure vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use. Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer's home computer.

3. Password-Generating Token: A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used. The OTP is displayed on a small screen on the token. The authentication server must refuse an OTP that it has already accepted, so that the same code cannot be used twice.
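The password-generating token and the server-side check it relies on, together with the salted storage of the shared secret (the password) used as the first factor, as an added example. This is example code written for this material, not code from the study material or from any token vendor: the OTP algorithm is the time-based TOTP of RFC 6238 built on HOTP (RFC 4226), which is what most 30-second tokens implement; the Authenticator class, the user record layout, the one-step clock window and the usernames are this example's own choices, and the seed value is the RFC 6238 test seed, not a real credential.

```python
"""Two-factor login: salted password hash (first factor) plus a time-based
one-time password (second factor). Added example for this study material, not
code from it or from any token vendor. OTP generation follows TOTP (RFC 6238)
over HOTP (RFC 4226); the user record, the 30-second step and the +/-1 step
window are this example's own choices. Secret values used with it are
constructed test values, not real credentials."""
import hashlib
import hmac
import secrets

def hotp(secret, counter, digits=6, algo="sha1"):
    """HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time, step=30, digits=6, algo="sha1"):
    """What the token displays: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)

def hash_password(password, salt=None):
    """Store shared secrets only as salted, iterated hashes (PBKDF2-HMAC-SHA256)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    """Server side of the login the text describes: password first, then OTP."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self.users = {}  # username -> record (hypothetical in-memory store)

    def enroll(self, username, password, otp_secret):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "otp_secret": otp_secret, "last_counter": -1}

    def check_password(self, user, password):
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])

    def check_otp(self, user, code, now):
        """Accept the code for the current step or one step either side (clock
        drift), but never for a counter at or below the last one accepted:
        that is what blocks replay of an OTP captured by a keylogger."""
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= user["last_counter"]:
                continue
            if hmac.compare_digest(hotp(user["otp_secret"], c, self.digits), code):
                user["last_counter"] = c
                return True
        return False

    def login(self, username, password, code, now):
        """Both factors must pass; the OTP is only checked after the password."""
        user = self.users.get(username)
        if user is None or not self.check_password(user, password):
            return False
        return self.check_otp(user, code, now)
```

The replay guard is the part most implementations get wrong: an OTP is one-time only if the server remembers the last counter it accepted. Even then, a code relayed by a phishing page within its 30-second window is accepted once, so OTP tokens stop replay but not real-time phishing.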
The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the value computed by the authentication server. A new OTP is typically generated every 60 seconds, in some systems every 30 seconds. This very brief period is the life span of a password. OTP tokens generally last 4 to 5 years before they need to be replaced. Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty for a cyber thief of capturing and using OTPs gained from keyboard logging. An OTP captured and relayed within its validity window can still be used once, so OTPs defeat replay but not real-time phishing.

BIOMETRICS

Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or behavioral characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. Behavioral characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. The process of introducing people into a biometrics-based system is called "enrollment." In enrollment, samples of data are taken from one or more physiological or behavioral characteristics; the samples are converted into a mathematical model, or template; and the template is registered in a database on which a software application can perform analysis. Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multi-factor authentication system, combined with a password (something a person knows) or a token (something a person has).

Verification: authenticates users in conjunction with a smart card, username or ID number. The biometric template captured is compared with the one stored against the claimed user, either on a smart card or in a database, for verification (a one-to-one comparison).

Identification: authenticates users from the biometric characteristic alone, without the use of smart cards, usernames or ID numbers. The biometric template is compared to all records within the database (a one-to-many comparison) and a closest match score is returned. The closest match within the allowed threshold is deemed to be the individual, who is then authenticated.

The main operations a system can perform are enrollment and test. During enrollment, biometric information from an individual is stored. During the test, biometric information is detected and compared with the stored information. Note that it is crucial that storage and retrieval in such systems themselves be secure if the biometric system is to be robust; unlike a password, a leaked template cannot be changed. The first block (sensor) is the interface between the real world and the system; it has to acquire all the necessary data. Most of the time it is an image acquisition system, but it can change according to the characteristic desired. The second block performs all the necessary pre-processing: it has to remove artifacts from the sensor, enhance the input (e.g. removing background noise), apply some kind of normalization, etc. In the third block the needed features are extracted. This is an important step, as the correct features need to be extracted in the optimal way. A vector of numbers or an image with particular properties is used to create a template. A template is a synthesis of all the characteristics extracted from the source, in the optimal size to allow for adequate identifiability.
If enrollment is being performed, the template is simply stored somewhere (on a card or within a database or both). If a matching phase is being performed, the obtained template is passed to a matcher that compares it with other existing templates, estimating the distance between them using some algorithm (e.g. Hamming distance). The matching program compares the template with the input, and the result is then output for the specified use or purpose (e.g. entrance to a restricted area).

Fig. 6.9

A biometric system consists of:
• Input interface for biometric image capture
• Digital signal processor for biometric image processing
• Output interface to communicate the results and control access to the secured asset
• Power management components for efficient power supply regulation and supervision
• Memory for the storage of encrypted templates and software code
• Software modules for biometric image capture, reconstruction and enhancement, matching, encryption, template management etc.

How Biometrics Security Works

The largest share of spending on biometric systems (45 percent) goes to fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person's physical or dynamic characteristics. Physical biometric methodologies also look at the following: Eyes, examining the lines of the iris or the blood vessels in the retina; Hands, taking a 3D image and measuring the height and width of bones and joints; and Skin, analyzing surface texture and thickness of skin layers. When looking at strong authentication, you want two out of three factors: something you have, something you are and something you know.
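Verification (one-to-one) versus identification (one-to-many), the Hamming-distance matcher and the decision threshold described above, worked through as an added example on bit-string templates of the kind an iris code produces. This is example code written for this material, not code from the study material or from any biometric product: the templates and "live scans" are constructed (random 256-bit strings with a few bits flipped to imitate sensor noise), and the template length, noise level and threshold are this example's own choices. It goes slightly beyond the text by also estimating the false reject and false accept rates at a given threshold, which is how a threshold is chosen in practice.

```python
"""Template matching for a bit-string biometric template. Added example for this
study material, not code from it or from any biometric vendor. Templates and
probes are constructed: random BITS-bit integers, with a few bits flipped to
stand in for a fresh capture of the same trait."""
import random

BITS = 256  # template length; real iris codes are larger (text: about 512 bytes)

def hamming_distance(a, b):
    """Fraction of differing bits: 0.0 for identical templates, about 0.5 for unrelated ones."""
    return bin(a ^ b).count("1") / BITS

def enroll(subject_ids, rng):
    """Enrollment: one stored template per subject (here a random bit string)."""
    return {sid: rng.getrandbits(BITS) for sid in subject_ids}

def live_scan(template, flips, rng):
    """Simulate a new capture of the same trait: `flips` distinct bits differ."""
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template

def verify(db, claimed_id, probe, threshold):
    """1:1 verification against the template stored for the claimed identity."""
    stored = db.get(claimed_id)
    return stored is not None and hamming_distance(stored, probe) <= threshold

def identify(db, probe, threshold):
    """1:N identification: (id, score) of the closest template if within threshold, else None."""
    best_id, best_score = min(((sid, hamming_distance(t, probe)) for sid, t in db.items()),
                              key=lambda pair: pair[1])
    return (best_id, best_score) if best_score <= threshold else None

def error_rates(db, threshold, flips, rng):
    """False reject rate (genuine probes refused) and false accept rate
    (impostor probes accepted) at this threshold, one trial of each per subject."""
    ids = list(db)
    rejects = accepts = 0
    for sid in ids:
        if not verify(db, sid, live_scan(db[sid], flips, rng), threshold):
            rejects += 1
        impostor = rng.choice([other for other in ids if other != sid])
        if verify(db, sid, live_scan(db[impostor], flips, rng), threshold):
            accepts += 1
    return rejects / len(ids), accepts / len(ids)
```

Raising the threshold lowers the false reject rate and raises the false accept rate; the two trade off, and the rate that matters for fraud prevention is the false accept rate at whatever threshold keeps legitimate customers from being locked out. Note that the matcher needs the stored templates in the clear, which is why the text insists that template storage and retrieval themselves be protected.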
While eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies are also being introduced, such as the following: Voice, detecting vocal pitch and rhythm; Keystroke Dynamics, analyzing the typing speed and rhythm when the user ID and password are entered; Signature, matching the signature to one on record as well as analyzing the speed and pressure used while writing; and Gait, measuring the length of stride and its rhythm. To keep performance high and storage requirements manageable, today's biometric technologies don't store or analyze a complete picture of the body part or physical feature being used. Imagine the processing power that would be needed to store a high-resolution picture of someone's face and then compare it with a live image pixel by pixel. Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a compact numeric template. For example, a facial recognition system may record only the shape of the nose and the distance between the eyes. That is the sort of data now recorded in biometric passports. None of these biometric systems are infallible, of course. However, the rates of false negatives and false positives have markedly improved. One of the problems with early fingerprint readers, for instance, was that they couldn't distinguish between an actual fingerprint and an image of one. That is not pure fiction. The latest fingerprint readers incorporate more advanced liveness features, such as making sure the finger is at a plausible temperature. Everyone's hand is different, as some are consistently warm or cold. In addition, they can also check if there is a pulse and tell how much pressure is being applied. Such sophistication, however, has its drawbacks: authorized users may find themselves locked out even when the devices are working properly. Why?
Tiny changes, due to accidents or injuries, can change a biometric profile, rendering it effectively obsolete. The thing to keep in mind with any biometric is that your ID does change over time. If you cut your finger, your biometric may not be the same any more. Or your early morning voice is different than after talking for eight hours.

Elements of a biometric system

A generic biometric system is comprised of the following units:
1. A sensor unit that represents the interface between the user and the machine. This is the point where the biometric trait is acquired.
2. A processing unit where the acquired biometric is sampled, segmented and features are extracted. It also includes quality assurance to determine if the quality of the biometric is good enough to be used further in the process. If the quality of the acquired biometric is poor, the user may be asked to present the biometric again.
3. A database unit where all the enrolled biometric templates are stored and from which the templates are retrieved in the authentication process.
4. A matching unit that compares the newly acquired biometric template with the templates stored in the database and, based on decision rules, determines either whether the presented biometric is genuine or an impostor's, or whether the user is identified or not.

Kinds of Biometrics

Facial Recognition

A facial recognition system uses a computer algorithm to identify or verify a person from a digital image or a video frame. This is done by comparing selected facial features from the image against a reference template usually stored in a facial database. While it is much newer than fingerprint technology, it has gained wide usage in some security applications, particularly CCTV systems and some border crossing controls. Facial recognition emphasizes features that are less susceptible to alteration, like eye sockets, cheekbones, and the sides of the mouth, and as such is resistant to many of the changes associated with most plastic surgery and to the changes that come with aging.

Fig. 6.10

Facial recognition is cheaper and easier to use than iris or retinal scans, in part because it is less invasive and can generally use low speed, low resolution cameras, but it gives a higher false negative rate than other biometric technologies because of the need for tightly controlled environments. A facial recognition system is sensitive to such criteria as head position and angle, movement, lighting and other factors, including the use of different cameras for enrollment and verification. In addition, facial recognition has certain weaknesses that limit its usefulness for fraud prevention. It cannot distinguish identical siblings, it can be defeated by pointing the camera at a high-resolution video monitor playing a video of an authorized user, and it can also be defeated by the use of a severed head. And of course there may be religious or cultural prohibitions against facial photographs in some regions of the world that will limit its voluntary uptake by target users. As a result of the environmental issues noted above, facial recognition's reliability is still lower than that of other technologies, and it usually returns a list of "close matches" rather than the single definitive match that iris and fingerprint systems return. A basic facial recognition system can probably use a standard camera phone of 1 megapixel or more, while template size can range from 1000 to 2000 bytes.

Voice Recognition

Virtually all North Americans are familiar with speech recognition, having come across it when trying to phone most companies nowadays. Voice recognition differs from speech recognition in that voice recognition analyzes how you say something, versus what you say in speech recognition. Each person's voice is unique, due to differences in the size and shape of their vocal cords, vocal cavity, tongue and nasal passages.
The way an individual speaks is also determined by the complex coordination of their lips, jaw, tongue and soft palate. Voice and speech recognition can in fact function simultaneously using the same utterance, allowing the technologies to blend seamlessly: speech recognition can be used to translate the spoken word to an account number, while voice recognition verifies that the vocal characteristics correspond to those associated with that user's account. Considered both a physiological and a behavioral biometric measure, voice recognition has good user acceptance and requires little training to use. However, while popular, low cost and capable of working over any phone, it is less accurate than other biometric systems and can entail lengthy enrollments requiring multiple voice samples to attain a usable template. One of the biggest weaknesses of voice recognition is that it suffers from a high reject rate in noisy environments, which is a problem for outside usage. Performance can also vary according to audio signal quality as well as variations between enrollment and verification devices, and with variations in environments (inside versus outside, variations in background noise, etc.). Voice changes that occur as a result of time, injury, cold or illness can also be an issue. Finally, voice recognition can be defeated by playing back a high-fidelity recording, which would obviously be of great concern to financial institutions. While voice recognition benefits from ease of usage, high user acceptance, and no need for new hardware, the impact of environmental issues upon performance renders it of low to medium accuracy, which is not likely to meet the security needs of most financial institutions.

Protection of mobile phone using voice recognition: At first an original voice database of the user is created. This database is stored in the flash ROM (8 MB) available inside the cell phone.
Then whenever the user speaks through the cell phone, part of the speech sample is taken and encoded. This processed voice of the user is compared with the original database to check the identity of the user. If the user is authorized, he is allowed to continue his call. If not, the transmission is cut abruptly by putting the microprocessor into the idle state. Thus the cell phone is protected from any unauthorized user. Even if the cell phone is stolen or lost, it will not be useful to any other person.

Iris Recognition

Iris recognition is a newer method of biometric authentication that analyzes the features that exist in the colored tissue surrounding the pupil, such as rings, furrows, freckles and the corona. Iris patterns possess a high degree of randomness, with each iris having 266 unique identifiers as compared to 13-60 for other biometrics.

Fig. 6.12

These iris patterns, which differ even between identical twins, are apparently stable throughout one's life (although they will change within hours of death, preventing the use of dead eyes). The iris features and their location are used to form what is called the IrisCode, which is the digital template of the iris, with an average template size of 512 bytes. Iris recognition is proving to be a highly reliable technology, offering excellent performance with a very low false match rate, while being less invasive than the older retinal scans. An iris scan involves a small moving target, located behind a curved, wet, reflecting surface, which is obscured by eyelashes and lenses, and partially occluded by eyelids that are often drooping. As a result, using the system effectively requires tightly controlled environments and a very high level of training. Iris scans require hardware that is not usually found on today's average cell phones.
Typical cell phone cameras arc still too low in resolution for accurate iris scanning applications, and a proper iris scan 117 requires a near-in-feared illumination filter instead of the more common visible light filter found in cell phone cameras. Additionally, to prevent a picture from being able to fool the system, advanced devices may vary the light shone into the eye and watch for pupil dilation, a feature that is not currently viable on small devices like cell phones. In terms of user acceptance, the tact that iris scans are not invasive is helpful, assuming the training issues can be properly addressed. Of course there remain some negative, Orwellian connotations to the use of iris scans, but whether these concerns would also apply to developing country users is unclear. Fingerprints The use of fingerprints to identify people has been around for over a century. It ‘s the most mature biometric technology out there today, with accepted reliability and a well under- stood methodology. As such, there are many vendors of fingerprint recognition on the market today. Three of the traditional means of fingerprint recognition employ Optical, Captive Resistance/Pressure, and Thermal scanning technologies. Fig. 6.13 Finger Impression While all three have: been in use for years, with good reliability and accuracy, they do have weaknesses when faced with today’s demand for better fraud prevention in the face of more sophisticated biometric 3ppli:ations, not to mention more sophisticate d criminals. Specifically, all three of these types of finger-print scanning can be defeated in various ways such as using dead fingers or copying the last print used with adhesive film and re-presenting it to the scanner Additionally, testing has shown that the elderly, manual laborers and some Asian populations are more likely to be unable 10 enroll in some of the traditional fingerprint systems. A newer fingerprint technology. 
employing RF imaging uses ultrasonic holography of the outer layer of dead skin as well as the inner layer of live skin to create the template, rendering it nearly 100% accurate, not to mention resistant to the use of fake or dead fingers, or dirt and oil. In addition, the newer fingerprint systems use each new scan of the finger to enhance the existing template, thus making it more accurate with use over time. While fingerprints have proven to be highly reliable and accurate over the years, particularly now using RF imaging, they are not completely infallible. They can be affected over time by such things as years of manual labor or physical injury, so there would probably be a desire to update the reference templates as and when necessary for commercial and financial applications. Other factors that can cause failure in a fingerprint scan are cold and humidity (particularly in the older types of fingerprinting), and location, angle and pressure of placement on the sensor (known as a platen). Other issues to consider are that the use of fingerprints requires physical contact, which can be a problem in some cultures, and the fact that fingerprinting's long association with criminal justice lends itself to some privacy resistance, although this will probably ameliorate over time with increased use of biometrics and updated privacy laws. Fingerprint capture technology is easily accommodated on a cell phone, with sensor sizes ranging from 12 mm × 5 mm to about 1.5 cm × 1.5 cm, and low power and processing requirements. The fingerprint template itself ranges in size from about 256 bytes to 500 bytes.

Protection of mobile phone using fingerprint recognition

When a user wants to purchase a mobile, the mobile manufacturer has to take the fingerprint of the owner, and it must be stored permanently in the database of the mobile. The database here can be either ROM or smart cards. This image will be used in future for the verification of the authorized user.
Whenever the user wants to operate the mobile, he/she should press his/her thumb on the scanner. Once the scanner captures the user's thumb, the image is stored in an EPROM (temporary memory). This thumb impression is compared with the original or permanent thumb impression, which is stored in ROM, by using an image comparator. If both impressions match, it sends a signal to MEMS (Micro Electro Mechanical System) motors which help in opening the door of the mobile. If an impression fails to match, then a corresponding signal will be generated from the image comparator, which in turn helps in glowing a red LED (Light Emitting Diode). For this operation a battery of 1.5 volts is required. A microcontroller can also be used to control each and every device.

Fingerprint Security

AuthenTec has manufactured 95% of the fingerprint biometric scanners that are currently used in mobile phones. Its scanners can be small and unobtrusive to look at, and they have been designed into many mobile phones, particularly in Asia. Pantech was the first manufacturer to use fingerprint scanners to secure its mobile phones.

Fig. 6.14 Biometric Technology

Biometric Technologies

Biometric tools come in a variety of forms, but all confirm the identity of users by a physical characteristic, whether that is a fingerprint, the sound of their voice, the unique pattern of blood vessels in their eyes or the shape of their face. As biometrics become less expensive, more accurate and easier to deploy than in years past, there are many biometric technologies to suit different types of applications. To choose the right biometric that is highly fit for the particular situation, one has to navigate through some complex vendor products and keep an eye on future developments in technology and standards. Here is a list of biometrics:

Fingerprints–A fingerprint biometric looks at the patterns found on a fingertip. There are a variety of approaches to fingerprint verification, such as the traditional police method, using pattern-matching devices, and things like moire fringe patterns and ultrasonics. This seems to be a very good choice for in-house systems.

Hand geometry–This involves analyzing and measuring the shape of the hand. It might be suitable where there are more users or where users access the system infrequently. Accuracy can be very high if desired, and flexible performance tuning and configuration can accommodate a wide range of applications. Organizations are using hand geometry readers in various scenarios, including time and attendance recording.

Retina–A retina-based biometric involves analyzing the layer of blood vessels situated at the back of the eye. This technique involves using a low intensity light source through an optical coupler to scan the unique patterns of the retina. Retinal scanning can be quite accurate but does require the user to look into a receptacle and focus on a given point.

Iris–An iris-based biometric involves analyzing features found in the colored ring of tissue that surrounds the pupil. This uses a fairly conventional camera element and requires no close contact between the user and the reader. Further, it has the potential for higher than average template-matching performance.

Face–Face recognition analyses facial characteristics. It requires a digital camera to develop a facial image of the user for authentication. Because facial scanning needs extra peripherals that are not included in basic PCs, it is more of a niche market for network authentication. However, the casino industry has capitalized on this technology to create a facial database of scam artists for quick detection by security personnel.

Signature–Signature verification analyses the way a user signs his name. Signing features such as speed, velocity and pressure are as important as the finished signature's static shape.
People are used to signatures as a means of transaction-related identity verification.

Voice–Voice authentication is based on voice-to-print authentication, where complex technology transforms voice into text. Voice biometrics requires a microphone, which is available with PCs nowadays. Voice biometrics is meant to replace the currently used techniques such as PINs, passwords, or account names. But voice will be a complementary technique for finger-scan technology, as many people see finger scanning as a higher authentication form.

The system, which is designed primarily for PDA-phones but could also be used in new generation smart phones and Wi-Fi enabled PDAs, offers three methods of biometric identification. One employs the digital cameras that have become commonplace in mobile devices along with a face recognition application to identify the user based on their facial features. Another uses voice recognition software, also detecting any asynchrony between speech and lip movements, and the third verifies the handwritten signature of the user on the device's touch screen. The three methods are used in combination to enhance the overall levels of security and reliability, and most importantly they require no hardware additions to mobile devices. The secure phone platform is entirely software based. This is important if it is to be adopted by device manufacturers, as it keeps costs down and makes implementing it much easier. There is no need to add fingerprint or iris scanners. Instead, the system uses elements that already exist in the device and which serve alternative purposes as well, while the type of verification carried out is non-intrusive for the user.

Watermarks have been used for centuries to prove the authenticity of bank notes, postage stamps and documents. Now European researchers are considering them as a new tool in the fight against digital piracy and to authenticate and verify the integrity of digital media.
Digital Rights Management (DRM) systems that prevent copying have raised fair use issues, however, because they not only block pirates but also prevent legitimate consumers from making back-up copies. Watermarking, in contrast, does not prevent copying, but, depending on the application, can let consumers and producers know what content is authentic and what is fake, and can help authorities trace illegal copies. Watermarking is playing a very important role in protecting digital rights, a growing industry because of piracy. Other uses, he notes, include authenticating information and ensuring data integrity, as well as making content easier to identify and find. Though not a new concept, digital watermarking is starting to gain favor among content producers as one of several emerging anti-piracy measures. Earlier this year, for example, record companies Sony and Universal started embedding anonymous watermarks into songs not protected by other DRM methods. That will allow them to trace the origins of illegally copied material, potentially generating important empirical evidence on the scale of the piracy problem as they seek tighter copyright protection laws. What the record companies are doing is one application of imperceptible and robust watermarks, which are hidden from the user and are not eliminated if the content is tampered with, such as being compressed or reformatted in the case of a song, video or photograph. Such watermarks are difficult, though not impossible, to remove, and the WAVILA researchers wanted to gain a better understanding of how someone would go about trying to crack the watermarking algorithms. Watermarking today is where cryptography was in the 1960s and 1970s; there is still a lot of secrecy. And in some ways it is facing an even more complex challenge.

Biometrics Characteristics

Choosing between different biometrics is not an easy task.
Each biometric has its own pros and cons, and the selection of a biometric for an application should depend not only on its matching performance but also on other factors that determine whether a biometric trait is suitable for the application or not. The following biometric characteristics should be evaluated in the selection process of a biometric system:

Universality—each person that is using the biometric system should possess the biometric trait.
Uniqueness—measures how well the biometric trait separates one individual from another.
Permanence—measures how well a biometric trait resists aging.
Collectability—ease of acquisition of the biometric trait without causing inconvenience to the user.
Performance—accuracy, speed and robustness of the technology used.
Acceptability—degree of approval of the biometric technology by the users.
Circumvention—ease of use of an imitation of the biometric trait.

No biometric is perfect. None of the biometrics would satisfy 100% of the characteristics listed above. Depending on the application, decision makers should review the characteristics and determine which ones are a must for their organization.

Biometric Systems Benefits

A biometrics security system offers the following benefits:

(i) It doesn't require cooperation. Some biometric systems, such as face recognition, gait recognition, odor recognition or face thermograph, don't require that the user cooperates so that the biometric is collected. Biometric systems prove useful in train stations, airports, stadiums etc., to identify wanted felons.
(ii) It guarantees the physical location of the user. It can be determined with certainty that the user was at the point where the biometric was collected at the time when the biometric was collected.
(iii) It has high throughput. When there is a need to identify a person from a large population, automatic biometric identification may be the only efficient solution.
(iv) The biometric trait is unforgettable.
Unlike the classic passwords that need to be remembered, biometric traits cannot be forgotten because they represent something that the user is: physically, behaviorally or chemically.
(v) The biometric trait cannot be lost. Unlike authentication tokens, ID cards or passwords written on a piece of paper, biometric traits cannot be lost. It cannot be shared either: due to their nature, biometric traits cannot be shared between users. This ensures that the user that logs in to the system is the actual user and not a colleague that is trying to help.
(vi) It is cost efficient. Sure, there will be an up-front cost with the installation of the system and with user education, but in the long run it proves cost efficient due to the benefits listed above. It cannot be shared and it guarantees physical location; this way no employee can help out a colleague that is late by punching in on the time system on his behalf. And it cannot be lost or forgotten; this way the costs of reissuing new identification tokens are reduced, the desktop support time is reduced because the need for resetting passwords will be less, if any, and the down-time of employees because they've got locked out from the systems is also reduced.
(vii) It can provide emergency identification. In those cases when a person cannot identify himself, using a biometric system may be the only way to find his identity.
(viii) It prevents identity theft. In most cases of identity theft, the impostor used the victim's name and personal identification number to create credit card accounts and use those on his behalf. Using biometric security systems makes it practically impossible for impostors to pretend they are somebody else.
(ix) It is appealing. Most people find biometric systems appealing because of the ease of use and because it is impressive how a door can be opened by just a swipe of a finger.
Non-Hardware-Based One-Time-Password Scratch Card

Scratch cards (something a person has) are a less-expensive, "low-tech" version of the OTP generating tokens discussed previously. The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format. The size of the card determines the number of cells in the grid. Used in a multifactor authentication process, the customer first enters his or her user name and password in the established manner. Assuming the information is input correctly, the customer will then be asked to input, as a second authentication factor, the characters contained in a randomly chosen cell in the grid. The customer will respond by typing in the data contained in the cell element that corresponds to the challenge coordinates. Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry. This type of authentication requires no training and, if the card is lost, replacement is relatively easy and inexpensive.

Out-of-Band Authentication

Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction. This type of layered authentication has been used in the commercial banking/brokerage business for many years. For example, funds transfer requests, purchase authorizations, or other monetary transactions are sent to the financial institution by the customer either by telephone or by fax. After the institution receives the request, a telephone call is usually made to another party within the company (if a business-generated transaction) or back to the originating individual.
The telephoned party is asked for a predetermined word, phrase, or number that verifies that the transaction was legitimate and confirms the dollar amount. This layering approach precludes unauthorized transactions and identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal point was misplaced and the amount came back as $100,000.00. In today's environment, the methods of origination and authentication are more varied. For example, when a customer initiates an online transaction, a computer or network-based server can generate a telephone call, an e-mail, or a text message. When the proper response (a verbal confirmation or an accepted-transaction affirmation) is received, the transaction is consummated.

IP Address (Internet Protocol Address) Location and Geo-Location

One technique to filter an online transaction is to know who is assigned to the requesting Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either by an Internet Service Provider or as part of the user's network. If each computer were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners. However, IPAs are not owned, may change frequently, and in some cases can be spoofed. Additionally, there is no single source for associating an IPA with its current owner, and in some cases matching the two may be impossible. Some vendors have begun offering software products that identify several data elements, including location, anonymous proxies, domain name, and other identifying attributes, referred to as "IP Intelligence." The software analyzes this information in a real-time environment and checks it against multiple data sources and profiles to prevent unauthorized access.
If the user's IPA and the profiled characteristics of past sessions match information stored for identification purposes, the user is authenticated. In some instances the software will detect out-of-character details of the access attempt and quickly conclude that the user should not be authenticated.

Geo-location technology is another technique to limit Internet users by determining where they are or, conversely, where they are not. Geo-location software inspects and analyzes the small bits of time required for Internet communications to move through the network. These electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated. IPA verification or geo-location may prove beneficial as one factor in a multifactor authentication strategy. However, since geo-location software currently produces usable results only for land-based or wired communications, it may not be suitable for some wireless networks that can also access the Internet, such as cellular/digital telephones.

Mutual Authentication

Mutual authentication is a process whereby the customer's identity is authenticated and the target Web site is authenticated to the customer. Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate.
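The IP-intelligence profiling, the geo-location distance check and the scratch-card second factor described above, combined the way the text suggests (the IP/geo check as one factor in a multifactor strategy, the card as the step-up factor), in a Python example added here; it is not code from the course material, and the IP ranges, the session profile layout and the card contents are constructed assumptions.

```python
import hmac
import ipaddress
import secrets
import string
from dataclasses import dataclass, field

# Constructed "IP intelligence" data: network prefix -> (country, anonymous proxy?).
IP_INTEL = {
    "203.0.113.0/24": ("IN", False),
    "198.51.100.0/24": ("IN", True),   # a range known to host anonymous proxies
    "192.0.2.0/24": ("US", False),
}

ALPHABET = string.ascii_uppercase + string.digits


def ip_intel(ip):
    """Look up country and proxy status for an address; (None, False) if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, info in IP_INTEL.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return (None, False)


@dataclass
class Profile:
    """What the institution keeps about a customer's past sessions and card."""
    countries: set                  # countries seen in previous sessions
    cyber_distance_ms: float        # typical network travel time for this customer
    card: dict = field(default_factory=dict)      # (row, col) -> cell value
    used_cells: set = field(default_factory=set)  # cells already challenged


def check_session(profile, ip, rtt_ms, tolerance_ms=40.0):
    """First factor: 'allow', 'step_up' or 'deny' for one access attempt.

    An anonymous proxy is denied outright; an unknown country, an unreasonable
    cyberspace distance or one that cannot be calculated is out of character,
    so the IP/geo factor alone does not authenticate and a second factor is needed."""
    country, proxy = ip_intel(ip)
    if proxy:
        return "deny"
    if country is None or rtt_ms is None:
        return "step_up"
    if country not in profile.countries:
        return "step_up"
    if abs(rtt_ms - profile.cyber_distance_ms) > tolerance_ms:
        return "step_up"
    return "allow"


def issue_card(rows=5, cols=5, cell_len=4):
    """Issue a scratch card: a grid of random cell values keyed by (row, col)."""
    return {(r, c): "".join(secrets.choice(ALPHABET) for _ in range(cell_len))
            for r in range(rows) for c in range(cols)}


def make_challenge(profile):
    """Pick a random cell that has never been challenged (each cell is single-use)."""
    unused = [cell for cell in profile.card if cell not in profile.used_cells]
    if not unused:
        raise RuntimeError("card exhausted; issue a replacement card")
    return secrets.choice(unused)


def verify_challenge(profile, cell, response):
    """Compare in constant time; the cell is burned whether or not it matched."""
    profile.used_cells.add(cell)
    expected = profile.card[cell].encode()
    return hmac.compare_digest(expected, response.strip().upper().encode())


def login(profile, ip, rtt_ms, second_factor=None):
    """Layered decision after the password step: IP/geo factor first, scratch
    card only when that factor is out of character. second_factor is a callable
    (cell -> the customer's typed response), standing in for the prompt shown."""
    decision = check_session(profile, ip, rtt_ms)
    if decision == "allow":
        return True
    if decision == "deny" or second_factor is None:
        return False
    cell = make_challenge(profile)
    return verify_challenge(profile, cell, second_factor(cell))


if __name__ == "__main__":
    customer = Profile(countries={"IN"}, cyber_distance_ms=120.0, card=issue_card())
    print(check_session(customer, "203.0.113.7", 130.0))   # allow
    cell = make_challenge(customer)
    print(cell, customer.card[cell])                        # what the bank would ask for
```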
Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer. Techniques for authenticating a Web site are varied. The use of digital certificates coupled with encrypted communications (e.g. Secure Sockets Layer, or SSL) is one; the use of shared secrets such as digital images is another. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.

Customer Verification Techniques

Customer verification is a related but separate process from that of authentication. Customer verification complements the authentication process and should occur during account origination. Verification of personal information may be achieved in three ways:

(a) Positive verification to ensure that material information provided by an applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database (e.g. a reliable credit report) to see if the information supplied by the applicant matches information in the database. As the questions become more specific and detailed, correct answers provide the financial institution with an increasing level of confidence that the applicant is who they say they are.
(b) Logical verification to ensure that the information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).
(c) Negative verification to ensure that the information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior.
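The three verification checks (positive, logical and negative) as a worked Python example added here, not part of the course text; the trusted record, the area-code/ZIP table and the fraud database are constructed samples, and the weighting of the questions is an assumption that follows the text's point that more specific correct answers add more confidence.

```python
import re

# Constructed "trusted third-party" record, standing in for a credit report.
TRUSTED = {
    "dob": "1980-04-12",
    "zip": "10001",
    "prior_address": "7 Old Street",
    "mortgage_lender": "Example Bank",
}

# Constructed geography: telephone area code -> ZIP prefixes it plausibly goes with.
AREA_CODE_TO_ZIP3 = {"212": {"100", "101", "102"}, "312": {"606", "607"}}

# Constructed fraud database of normalised identifiers seen in past incidents.
FRAUD_DB = {("phone", "2125550199"), ("street", "99 bad street")}

# Questions ordered from general to detailed; the detailed ones carry more weight.
QUESTIONS = [("dob", 1), ("zip", 1), ("prior_address", 2), ("mortgage_lender", 3)]


def normalise(field, value):
    """Canonical form so that '(212) 555-0100' and '212.555.0100' compare equal."""
    v = value.strip().lower()
    return re.sub(r"\D", "", v) if field == "phone" else re.sub(r"\s+", " ", v)


def positive_verification(answers):
    """Weighted share (0..1) of the applicant's answers that match the trusted record."""
    total = sum(w for _, w in QUESTIONS)
    correct = sum(w for f, w in QUESTIONS
                  if normalise(f, answers.get(f, "")) == normalise(f, TRUSTED[f]))
    return correct / total


def logical_verification(phone, zip_code):
    """Do the telephone area code and the ZIP code belong to the same area?"""
    digits = normalise("phone", phone)
    area = digits[-10:-7] if len(digits) >= 10 else ""
    return zip_code.strip()[:3] in AREA_CODE_TO_ZIP3.get(area, set())


def negative_verification(applicant):
    """Fields whose value appears in a known fraud incident (empty list = clean)."""
    return sorted(f for f in ("phone", "street")
                  if (f, normalise(f, applicant[f])) in FRAUD_DB)


def verify_applicant(applicant, answers, threshold=0.75):
    """Run the three checks in the order a fraud desk would: a negative hit
    rejects outright, an inconsistency or a weak score goes to manual review."""
    hits = negative_verification(applicant)
    if hits:
        return ("reject", "negative verification hit on " + ", ".join(hits))
    if not logical_verification(applicant["phone"], applicant["zip"]):
        return ("review", "telephone area code and ZIP code do not match")
    score = positive_verification(answers)
    if score < threshold:
        return ("review", "positive verification score %.2f below threshold" % score)
    return ("accept", "positive verification score %.2f" % score)
```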
In the case of commercial customers, however, sole reliance on online electronic database comparison techniques is not adequate, since certain documents (e.g., bylaws) needed to establish an individual's right to act on a company's behalf are not available from databases. Institutions still must rely on traditional forms of personal identification and document validation combined with electronic verification tools. Another authentication method consists of the financial institution relying on a third party to verify the identity of the applicant. The third party would issue the applicant an electronic credential, such as a digital certificate, that can be used by the applicant to prove his/her identity. The financial institution is responsible for ensuring that the third party uses the same level of authentication that the financial institution would use itself.

Few Tips for Safe Internet Banking

Secure Your System
• Use a personal firewall.
• Always download and install authorized operating system updates.
• Run and maintain an anti-virus product on your home computer and update it regularly.
• Do not run or install programmes of unknown origin.
• If using a local area network (LAN), contact your administrator and seek the availability of email gateway filtering for specific file attachments.
• Do not access your bank account from computers in Internet cafes or untrusted PCs as they may not be safe.
• Never leave your PC unattended when logged in to Internet banking.
• Always ensure that you log out properly when you have finished Internet banking.

Secure Your Passwords
• Do not give your PIN or password to anyone else, including bank staff or Police.
• If you suspect your Internet banking password has been compromised, change it as soon as possible.
• Avoid using your birth date or name as your PIN or password. Passwords should be alphanumeric, e.g. pencil37.
• Avoid storing passwords on your computer.
• Do not set up your computer so it 'auto completes' or saves your password, i.e. do not tick the "remember this password" box.
• Do not use the same password on Internet banking as on telephone banking.

Take Care of the Following Points
• Delete without opening emails requesting personal details such as PINs or passwords; legitimate financial institutions and companies will not ask you to provide PINs or passwords.
• Delete suspicious emails with attachments and never open the attachments.
• Check for a secure connection. (Secure website addresses have https at the start. The "s" indicates secure. They will also have a 'padlock' icon on the bottom right corner. Double clicking the icon will show who owns the certificate.)
• Follow your own path to the site you choose - it is possible to create a link on a web page or in an email and make it look as if it is taking you to a bona fide website when it is sending you elsewhere. Your safest course is to check that you have the correct address (URL) and then type it each time into your address bar.
• Consider whether the message you have received is a message that you would expect to receive -- is it one you have received from your financial institution before? (Incorrect grammar or spelling is usually an immediate indicator of a suspect email or website.)
• Are there related announcements on the financial institution's or company's website?
• Reconcile your account(s) either on-line or by statements frequently and regularly.

Suspicious? Report It
If you think you may have been taken in by or received a phishing scam, or that you may have received a virus that enables someone to access your account details, report it immediately to your financial institution.

COMPARISON OF DIFFERENT PAYMENT GATEWAYS

An ecommerce payment gateway is the access point to the online banking network. All online transactions must pass through a payment gateway to be processed.
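Two of the safe-banking tips above (check that the connection is https, and check where a link really goes rather than where its text says it goes) turned into a checking function, as a Python example added here and not taken from the course text; the bank host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed host names standing in for the bank's real sites.
TRUSTED_HOSTS = {"www.examplebank.example", "online.examplebank.example"}

# Something that looks like a host name inside the text the customer sees.
HOST_TOKEN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def is_trusted_host(host):
    """Exact match, or a subdomain whose right-hand end is a trusted host;
    'www.examplebank.example.other.test' is not, because the match is anchored
    at the end of the name."""
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def assess_link(visible_text, href):
    """Return a list of problems with a link (an empty list means it looks fine)."""
    problems = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        problems.append("not https")
    if parts.username is not None:
        # The part before '@' is not the site; only the host name after it counts.
        problems.append("URL carries a user name before the real host " + repr(host))
    if host.startswith("xn--") or ".xn--" in host or any(ord(ch) > 127 for ch in host):
        problems.append("internationalised host name; check for look-alike characters")
    if not is_trusted_host(host):
        problems.append("host " + repr(host) + " is not the bank's")
    # Does the text the customer sees name a different site than the link goes to?
    for shown in HOST_TOKEN.findall(visible_text.lower()):
        if shown != host and not host.endswith("." + shown):
            problems.append("link text shows " + repr(shown) + " but goes to " + repr(host))
    return problems


if __name__ == "__main__":
    for text, href in [("www.examplebank.example", "https://www.examplebank.example/login"),
                       ("www.examplebank.example", "http://www.examplebank.example.other.test/")]:
        print(href, "->", assess_link(text, href) or "looks fine")
```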
The payment gateways act as a bridge between the user's website and the financial institutions that process the transaction. Gateways process the different transactions between the user and the web browser. A payment gateway authenticates and routes payments. Here we have focused on different e-commerce payment gateways, and also present a deep comparative study and analysis of different online gateways. An internet e-commerce payment gateway is a critical infrastructural component to ensure that such transactions occur without any hitches and in total security over electronic networks.

The criteria that are important while evaluating a payment gateway: We have described a comparative study of different e-commerce payment systems, which are:
1. CC Avenue Gateway
2. PayPal Gateway
3. DirecPay Gateway
4. EBS Gateway
5. ABC Payments Gateway
6. HDFC Gateway
7. ICICI Payseal Gateway
8. Transecute Gateway

Different criteria and services are described below through the comparative study of payment gateways. All these payment gateways focus on different factors such as security, cost, support, dispute resolution, international payments, transaction time, supported banks and tools and features. These were shown in tabular form; the columns of that table (Security, Cost, Customer Care & Support, Dispute Resolution, Processing through International Payments, Real-time & Transaction Time Reporting, Support for Multiple Banks, Tools & Features offered) are listed here gateway by gateway.

1. CC Avenue Gateway
Security: 1. Security firewall 2. Risk management tools 3. Fraud filters
Cost: 1. Rs. 7,500 as one-time non-refundable set-up fees 2. 7% transaction fees for cards 3. 4% transaction fees for net banking and mobile payments + Rs. 1,200 as annual maintenance charge
Customer Care & Support: 1. Commerce service provider 2. Real time transactions and response 3. Provides technical support 4. Support for net banking transactions 5. Support 24*7
Dispute Resolution: Streamlines dispute resolution processes through the use of automated tools to prevent invalid exception items.
Processing through International Payments: VISA, MASTER CARD, AMERICAN EXPRESS, DINERS CLUB, JCB CARDS, CITY BANK, DISCOVER NOVUS, CARTE BLANCHE
Real-time & Transaction Time Reporting: 1. Optimum transaction time: the transaction is completed between 30 seconds and a minute 2. This enables websites to transact and accept payments online and in real time
Support for Multiple Banks: HDFC, Bank of Rajasthan, ICICI, Kotak, Citibank, Oriental Bank of Commerce, Axis, Jammu & Kashmir, IDBI, Corporation Bank, Standard Chartered Bank, Centurion Bank of Punjab, State Banks, HSBC, Union Bank of India, Punjab National Bank etc.
Tools & Features: 1. Credit card, debit cards, net banking, mobile payments, cash cards 2. Debit cards accepted: VISA, MASTER Card 3. Additional features: live chat, shopping cart ready, instant SMS, email, detailed reports

2. PayPal Gateway
Security: 1. Dual privacy 2. Security key system 3. Data encryption 4. Transaction monitoring 5. Safer and faster
Cost: PayPal is FREE and protects your purchases
Customer Care & Support: 1. Online support 2. Multicurrency 3. PayPal's support staff is organized into departments that specialize in specific customer concerns 4. PayPal Merchant Technical Support is ready to assist with integrating PayPal on the website
Dispute Resolution: 1. Most carefully resolves transaction disputes 2. The PayPal Resolution Center enables you to resolve transaction issues before they become larger problems
Processing through International Payments: VISA, MASTER CARD, AMERICAN EXPRESS, EUROCARD, MAESTRO
Real-time & Transaction Time Reporting: 1. Fast and trustworthy 2. Ideal for online auctioneers 3. The new e-transfer process takes less than a week to process a check
Support for Multiple Banks: HDFC Bank, ICICI Bank, ING Vysya, Axis Bank (formerly UTI Bank), Standard Chartered Bank, State Bank of India, Bank of India, Canara Bank, Union Bank of India, HSBC, Citibank India
Tools & Features: 1. Product features: credit cards 2. No debit card accepted; additional features: currency conversion fee of 2.5% added to the exchange rate 3. Debit cards (also known as bank cards) are accepted if they have a Visa or MasterCard logo

3. DirecPay Gateway
Security: 1. SSL gateway technology used 2. Secure data encryption 3. VeriSign 128 bit SSL, IP connection and encryption tool 4. PCI certified
Cost: Rs. 30,000 set-up charge + 7% transaction fees + annual maintenance charge
Customer Care & Support: 1. One stop solution 2. Multi currency 3. Quick settlement 4. Simple integration 5. Services and support are cost effective, cover a wide range of payment acceptance modes and rest on a robust technology platform; 24*7 support
Dispute Resolution: 1. The DirecPay platform is mapped against a negative database which is continuously compiled and updated 2. It resolves the disputes 3. VeriSign secured, making it robust and free from internet dangers like phishing
Processing through International Payments: VISA, MASTER CARD, DINERS CARD
Real-time & Transaction Time Reporting: 1. Fast, reliable and secure passage for transaction data 2. Transaction status gives the response back as a message alert
Support for Multiple Banks: ICICI, HDFC, Citibank, State Bank of India
Tools & Features: 1. Credit cards, Internet banking, mobile banking 2. Around 51 debit cards accepted 3. Online shopping, travel portals, educational institutions, equity broking

4. EBS Gateway
Security: 1. Risk monitoring 2. Highest security, PCI DSS 1.1 3. VeriSign 128 bit SSL technology 4. Security firewall used
Cost: Rs. 6,000 as setup fees and 6% transaction fee + Rs. 2,400 annual maintenance charge
Customer Care & Support: 1. Easy integration 2. Multi-currency support 3. Online technical support 4. Offline technical support 5. Risk minimization: if any transaction is perceived as a high-risk transaction, an immediate alert email is sent to the sub-merchant 6. Email alerts for suspect transactions 7. Support 24*7
Dispute Resolution: 1. It reduces the amount of time spent researching customer inquiries 2. It reduces the occurrence of charge-back disputes
Processing through International Payments: VISA, MASTER CARD, DINERS CARD, ITZ CASH CARD
Real-time & Transaction Time Reporting: 1. It usually takes between 2 and 7 seconds for the transaction response 2. Transactions in real time
Support for Multiple Banks: HDFC, Citibank, Axis Bank, ICICI Bank, Deutsche Bank, Karur Vysya Bank, State Bank of India, Indian Overseas Bank, ING Vysya, Corporation Bank
Tools & Features: 1. Product features: credit cards, debit card, net banking 2. No debit card accepted 3. Additional features: live chat, shopping cart ready, instant SMS, email, detailed reports

5. ABC Payments Gateway
Security: 1. Risk management system controls 2. Secure data encryption 3. 128 bit SSL encryption security 4. Certified secured 5. SSL technology with the newest security protocols
Cost: 1. Setup cost Rs. 7,000 + 7% transaction fees 2. Startup technical support cost: 10000 / 28000
Dispute Resolution: 1. The user receives the parameters/data in either case, of the transaction process ending successfully or failing due to many reasons, including wrong entry of credit card numbers and so on 2. It resolves disputes through expertise and provides maximum satisfaction
Processing through International Payments: VISA, MASTER CARD, DINERS CARD
Real-time & Transaction Time Reporting: 1. Less processing time 2. Real time response means quick transaction response
Support for Multiple Banks: ICICI Bank, HDFC Bank, Citi Bank, Axis Bank, IDBI Bank, CBOP, SBI (coming soon), PNB (coming soon)
Tools & Features: 1. Product features: credit cards, net banking 2. Debit card accepted 3. Additional features: live chat, shopping cart ready, instant SMS, email, detailed reports

6. HDFC Gateway
Security: 1. Secure firewalls 2. 125 bit encryption 3. Intrusion detection and prevention system 4. SET certification for digital signature
Cost: 1. Startup cost: 10000-50000 2. Transaction cost: 3.5%-6% 3. Security deposit 50000, depending on due diligence
Customer Care & Support: 1. It supports a user-friendly interface 2. Real time risk management 3. Automated reconciliation support 4. Integration of SCM module 5. Full Bancent 24 hrs. support
Dispute Resolution: 1. It resolves disputes 2. Responsive and trustee service
Processing through International Payments: VISA, MASTER CARD, HDFC NET BANKING
Real-time & Transaction Time Reporting: 1. Secured and easy transaction process 2. Real time basis response
Support for Multiple Banks: HDFC Bank Payment Gateway provides a single platform to support multiple payment technologies
Tools & Features: 1. Product features: credit cards and HDFC net banking 2. Debit card accepted 3. Additional features: email and telephonic support available

7. ICICI Payseal Gateway
Security: 1. Offers 128 bit SSL encryption 2. 280 bit RSA before passing it through an SSL pipe using 128 bit encryption 3. Uses a Stronghold web server 4. Extensive security firewalls
Cost: Rs. 40,000 as setup fees and 5% as transaction fees
Customer Care & Support: 1. Optimum server utilization 2. Centralized and secure data management support 3. Highly scalable and reliable support 4. Efficient administration 5. Support 24*7
Dispute Resolution: 1. It resolves disputes 2. The administration module facilitates extensive MIS reporting and monitoring of transactions conducted
Processing through International Payments: VISA, MASTER CARD, ICICI NET BANKING
Real-time & Transaction Time Reporting: 1. The transaction information is quickly transmitted to the merchant server 2. Fast and easy transaction; it takes 10-15 secs. for the transaction report through ICICI
Support for Multiple Banks: Provides a single platform for all payment gateways
Tools & Features: 1. Product features: credit cards, ICICI net banking 2. Debit card accepted 3. Additional features: needs Java support for your website

8. Transecute Gateway
Security: 1. 128 bit SSL certificate 2. Uses a symmetric key based checksum algorithm to exchange data 3. Advanced heuristic fraud pattern matching and detection engine 4. Fraud detection and risk mitigation 5. End to end security via the gateway merchant web server
Cost: 1. Setup charges: Rupees 30,000 2. Transaction charges: 5% per transaction 3. Charge-back fee: Rupees 10 per transaction
Customer Care & Support: 1. It provides transaction support 2. Multi-currency support 3. Instant fraud alert mails for risky transactions 4. Support 24*7 5. No expensive encryption required 6. Technical support lifetime free
Dispute Resolution: 1. Proof of delivery 2. It checks the high value transaction process 3. It maintains a daily Transecute risk mitigation and fraud report 4. This report contains alerts on various transactions that are perceived to be risky by its heuristic fraud detection software 5. Through manual checks these transactions create minimum charge-back risk
Processing through International Payments: VISA, MASTER CARD
Real-time & Transaction Time Reporting: 1. The typical integration time is less than an hour to get online and live 2. Transecute merchant transaction reversals: merchants can reverse transactions from the interface 3. Transaction process in real time, with real time credit card response
Support for Multiple Banks: 1. It provides a single platform for all payment gateways 2. No bank payment accepted
Tools & Features: 1. Transecute supports all VISA/MasterCard transactions and also Amex, Discover, Novus, bank accounts, e-checks and multiple currencies 2. No debit card accepted 3. Transecute is also the only gateway to allow anytime withdrawal of your balance

LESSON-1
UNIT V
Security and Legal Aspects of E-commerce: E-commerce Security – Meaning and Issues

Security and Legal Aspects of E-commerce: E-commerce security – meaning and issues; Security threats in the E-commerce environment – security intrusions and breaches, attacking methods like hacking, sniffing, cyber-vandalism etc.; Technology solutions – encryption, security channels of communication, protecting networks, servers and clients; Information Technology Act 2000 – provisions related to offences, secure electronic records, digital signatures, penalties and adjudication.

Security and Legal Aspects of E-commerce: E-commerce security – meaning and issues

What is E-Commerce: Electronic Commerce may include any computer mediated business process, but a common usage is to use it to describe commerce taking place using the World Wide Web as an enabling transport. For many reasons, including our areas of expertise and experience, we will concentrate on this definition of E-Commerce. The web is the way to do business for many reasons. Thin, ubiquitous clients, the wide availability of access and a consistent interface to many different platforms are among the reasons to choose web solutions for many problems. In addition, the limited nature of the HTTP protocol makes security issues simpler. However, any transaction taking place across the public Internet is open to a wide variety of security problems. In this chapter we will discuss the various issues related to e-commerce. One of the critical success factors of e-commerce is its security.
Without a great degree of confidence by customers that credit card numbers and other extremely sensitive personal information will be kept secure, e-commerce will simply not work. However, the successful functioning of e-commerce security depends on a complex interrelationship between several components, including the application development platforms, database management systems, systems software and network infrastructure.

E-COMMERCE SECURITY ISSUES

E-commerce systems are based upon Internet use, which provides open and easy communication on a global basis. However, because the Internet is unregulated, unmanaged and uncontrolled, it introduces a wide range of risks and threats to the systems operating on it. The use of the Internet means that your internal IT and e-commerce systems are potentially accessible by anyone, irrespective of their location. The following points outline the security issues related to e-commerce:

• Access control: If access control is properly implemented, many other security problems, like lack of privacy, will either be eliminated or mitigated. Access control ensures that only those who legitimately require access to resources are given access, and those without valid access cannot have access. This includes both physical access and logical access to resources. Various types of threats exist for access control; being able physically to enter a building or having access to network equipment is one example.

• Privacy: Privacy ensures that only authorized parties can access information in any system. The information should also not be distributed to parties that should not receive it. Issues related to privacy can be considered a subset of the issues related to access control: protection of privacy requires access control, while access control deals with the larger picture. Because of this, the threats to privacy are similar to the threats to access control.
• Integrity: Integrity ensures that only authorized parties make changes to the documents transmitted over the network. Lack of integrity of the system can be devastating for e-commerce. While the threats to integrity are similar to the threats to access, a threat to integrity is possible only when one has access at a level consistent with someone having the rights to alter a document. For example, if a customer places an order and someone else can access the system as that customer, they may be able to alter the contents of the order placed.

• Authentication: Authentication ensures that the origin of an electronic message is correctly identified. This means having the capability to determine who sent the message, and from where or from which machine. Without proper authentication it will be impossible to know who actually placed an order and whether the order placed is genuine.

• Non-repudiation: Non-repudiation is closely related to authentication and ensures that the sender cannot deny sending a particular message and the receiver cannot deny receiving it. If this happens infrequently it may not significantly harm e-commerce; on a large scale, however, it can be devastating. For example, if many customers receive goods and then deny placing an order, the shipping, handling and associated costs can be significant for the company processing the orders.

• Availability: Availability ensures that the required systems are available when needed. For an e-commerce site this means that the customer order systems are available all the time. Two major threats to availability are virus attacks and denial of service.

One complicating factor for any e-commerce venture is security for customer information, such as credit card numbers and personal data, that most customers do not wish to have shared. Hardly a month goes by without media reports of security breaches over the Internet.
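The integrity and authentication points above are easiest to see with a message authentication code. The following is an added example (not part of the study material) in Python: the customer's client tags an order with HMAC-SHA256 under a key it shares with the merchant, and the merchant's server recomputes the tag before acting on the order, so an altered quantity, or a tag produced by someone who does not hold the key, is rejected. The shared key, the order fields and the JSON serialisation are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumption for this example: the customer's client and the merchant's order
# server share a secret key provisioned out of band (e.g. at account set-up).
SHARED_KEY = b"demo-shared-secret-do-not-reuse"


def canonical(order: dict) -> bytes:
    """Serialise an order deterministically so both sides MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute an HMAC-SHA256 tag over the canonical order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare it in constant time.

    compare_digest avoids leaking, through timing, how many leading hex
    digits of a guessed tag happened to be right.
    """
    expected = sign_order(order, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample order (not real customer data).
ORDER = {"order_id": "A1001", "customer": "c-42", "sku": "SKU-7",
         "qty": 1, "amount_inr": 1500}


def demo() -> tuple:
    """Return (genuine accepted, tampered accepted, forged accepted)."""
    tag = sign_order(ORDER)
    genuine_ok = verify_order(ORDER, tag)
    # An interceptor bumps the quantity but cannot recompute the tag.
    tampered = dict(ORDER, qty=10)
    tampered_ok = verify_order(tampered, tag)
    # An attacker guessing the key produces a tag that fails verification.
    forged_tag = sign_order(ORDER, b"attacker-guess")
    forged_ok = verify_order(ORDER, forged_tag)
    return genuine_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note what this does and does not give: integrity and origin authentication against anyone who lacks the key, but not non-repudiation, because the merchant holds the same key and could have produced the tag itself. Non-repudiation needs the customer to sign with a private key only they hold, which is the asymmetric digital-signature technique this unit's syllabus covers separately.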
Internal security problems, as well as hackers, can plague firms. Guarantees, seals of approval, testimonials, etc. can help ease consumer worries, since most sites lack track records. Transaction security has kept many customers from purchasing products on the Internet. Much resistance has come from privacy issues such as giving out credit card numbers and personal information. There are continual reminders of how unsafe these practices can be, even though "secure" software programs have been developed and continue to become more protective. Foolproof systems may never be developed and, therefore, the customer is left to weigh the potential cost to privacy against the benefits of conducting business over the Internet.

RISKS INVOLVED IN E-COMMERCE

Some of the more common threats that hackers pose to e-commerce systems include:
• Carrying out denial-of-service (DoS) attacks that stop access by authorized users of a website, so that the site is forced to offer a reduced level of service or, in some cases, cease operation completely
• Gaining access to sensitive data such as price lists, catalogues and valuable intellectual property, and altering, destroying or copying it
• Altering your website, thereby damaging your image or directing your customers to another site
• Gaining access to financial information about your business or your customers, with a view to perpetrating fraud
• Using viruses to corrupt your business data

Impact upon the Business

All of these risks can have a significant impact upon a business running an e-commerce service. The potential business implications of a security incident include the following:
• Direct financial loss as a consequence of fraud or litigation.
• Consequential loss as a result of unwelcome publicity.
• Criminal charges if you are found to be in breach of the Data Protection or Computer Misuse Acts, or other regulation on e-commerce.
• Loss of market share if customer confidence is affected by a denial-of-service attack or other incident.
The image presented by your business, together with the brands under which you trade, are valuable assets. It is important to recognize that the use of e-commerce creates new ways for both image and brands to be attacked.

Risks from Viruses, Trojans and Worms

Viruses, Trojan horses and worms are all computer programs that can infect computers. Viruses and worms spread across computers and networks by making copies of themselves, usually without the knowledge of the computer user. A Trojan horse is a program that appears to be legitimate but actually contains another program or block of undesired, malicious, destructive code, disguised and hidden in a block of desirable code. Trojans can be used to infect a computer with a virus. A back-door Trojan is a program that allows a remote user or hacker to bypass the normal access controls of a computer and gives them unauthorized control over it. Typically a virus is used to place the back-door Trojan onto a computer, and once the computer is online, the person who sent the Trojan can run programs on the infected computer, access personal files, and modify and upload files.

Security threats in the E-commerce environment - security intrusions and breaches, attacking methods like hacking, sniffing, cyber-vandalism etc.

Risks to E-commerce Systems

While some viruses are merely irritants, others can have extremely harmful effects. Some of the threats that they pose to e-commerce systems include:
• corrupting or deleting data on the hard disk of your server
• stealing confidential data by enabling hackers to record user keystrokes
• enabling hackers to hijack your system and use it for their own purposes
• using your computer for malicious purposes, such as carrying out a denial-of-service (DoS) attack on another website
• harming customer and trading partner relationships by forwarding viruses to them from your own system

How do viruses spread?

Viruses are able to infect computers via a number of different routes.
These include via:
• CDs and floppy disks containing infected documents
• emails containing infected attachments
• Internet worms that exploit holes in your system's operating system when you are connected to the Internet

Spyware

Spyware is software that is placed on your computer when you visit certain websites. It is used to secretly gather information about your usage and send it back to advertisers or other interested parties. In addition to tracking your system use, it can also slow down or crash your computer.

PROTECTING THE E-COMMERCE SYSTEM

Securing your e-Commerce System

As the use of the Internet continues to grow, websites are assuming greater importance as the public face of business. Furthermore, the revenues generated by e-commerce systems mean that organizations are becoming ever more reliant upon them as core elements of their business. With this high level of dependency upon the services provided by e-commerce systems, it is essential that they are protected from the threats posed by hackers, viruses, fraud and denial-of-service (DoS) attacks.

Identifying e-commerce Threats and Vulnerabilities

It is important that you understand the risks facing your e-commerce system, and the potential impact should any security incident arise.

What are the threats?

Threats to e-commerce systems can be either malicious or accidental. The procedures and controls you put in place to protect your site should help minimize both.
Malicious threats could include:
• Hackers attempting to penetrate a system to read or alter sensitive data
• Burglars stealing a server or laptop that has unprotected sensitive data on its disk
• Imposters masquerading as legitimate users, and even creating a website similar to yours
• Authorized users downloading a web page or receiving an email with hidden active content that attacks your systems or sends sensitive information to unauthorized people

You should consider potential threats to sensitive information from three angles:
• Where (or who) are the potential sources of threats?
• What level of expertise is the hacker likely to possess, and how much effort are they likely to expend in attempting to breach your security?
• What facilities and tools are available to them?

The real threat may not be the most obvious one. Attacks from authorized users (such as a disaffected employee or partner) are far more common than attacks by outside hackers.

Risk Assessment

A risk assessment can be carried out to provide an organization with a clear understanding of the risks facing its e-commerce system and associated business processes, and the potential impact if a security incident arises. A key part of a risk assessment is defining the business' information access requirements. This will cover the rules of access for different groups of users. For example, different rules may apply for employees, consultants, managed service providers, suppliers, customers, auditors, government agencies and so on. Any analysis should also take account of how electronic transactions are verified. How do you know that an order has actually come from a known customer? Where contracts are exchanged electronically, who can sign them, and how can it be proved which is the signed version?

COMMON E-COMMERCE SECURITY TOOLS

You should introduce sufficient security controls to reduce risk to e-commerce systems. However, these controls should not be so restrictive that they damage the employees' performance.
Some of the common security controls are listed below.

Authentication

There are several techniques that can identify and verify someone seeking to access an e-commerce system. These include:
• A user name and password combination, where the password can vary in length and include numbers and characters.
• "Two-factor" authentication requiring something the user has (e.g. an authentication token) and something the user knows (e.g. a personal identification number).
• A digital certificate that enables authentication through the use of an individual's unique signing key.
• A person's unique physical attribute, referred to as a biometric. This can range from a fingerprint or iris scan through to retina or facial-feature recognition.

Access Control

This restricts different classes of users to subsets of information and ensures that they can only access data and services for which they have been authorized. Access controls include:
• Network restrictions to prevent access to other computer systems and networks
• Application controls to ensure individuals are limited in the data or services they can access

Changes to access privileges must be controlled to prevent users retaining them if they transfer between departments or leave the business.

Encryption

This technique scrambles data, and is used to protect information that is either held on a computer or transmitted over a network. It uses technologies such as virtual private networks (VPNs) and the Secure Sockets Layer (SSL; its successor TLS is what current browsers and servers actually negotiate).

Firewall

A firewall is a hardware or software security device that filters information passing between internal and external networks. It controls access to the Internet by internal users and prevents outside parties from gaining access to systems and information on the internal network. A firewall can be applied at the network level, to provide protection for multiple workstations or internal networks, or at the personal level, where it is installed on an individual PC.
A firewall typically takes one of two forms:
• Software firewall - specialized software running on an individual computer, or
• Network firewall - a dedicated device designed to protect one or more computers

Both types of firewall allow the user to define access policies for inbound connections to the computers they are protecting. Many also provide the ability to control what services (ports) the protected computers are able to access on the Internet (outbound access). Most firewalls intended for home use come with pre-configured security policies from which the user chooses, and some allow the user to customize these policies for their specific needs. A firewall is "a system or group of systems that enforces an access control policy between two networks."

Types of Firewalls

There are three basic distinctions between firewalls, depending on:
1. Whether the communication being filtered is between a single node and the network, or between two or more networks
2. Whether the communication is intercepted at the network layer or at the application layer
3. Whether the communication state is being tracked at the firewall (stateful) or not (stateless)

With regard to the scope of filtered communication there exist:
• Personal firewalls: a software application which normally filters traffic entering or leaving a single computer.
• Network firewalls: normally running on a dedicated network device or computer positioned on the boundary of two or more networks. Such a firewall filters all traffic entering or leaving the connected networks.

Intrusion Detection

Intrusion detection software monitors system and network activity to spot any attempt being made to gain access. If a detection system suspects an attack, it can generate an alarm, such as an e-mail alert, based upon the type of activity it has identified. Despite the sophistication of these controls, they are only as good as the people who use them.
A continual awareness program is therefore a vital component of any security policy.

Preventing Problems from Viruses, Trojans and Worms

Anti-virus software should be used to protect against viruses. It can detect viruses, prevent access to infected files and quarantine any infected files.

Anti-virus Software

There are different types of anti-virus software:
• Virus scanners - must be updated regularly, usually by connecting to the supplier's website, in order to recognize new viruses.
• Heuristic software - detects viruses by applying general rules about what viruses look like. While it does not require frequent updates, this software can be prone to giving false alarms.

The threat of virus infection can be minimized by:
• Using a virus checker on your Internet connection to trap viruses both entering and leaving the business' IT systems
• Running virus checkers on servers to trap any viruses that have managed to evade the above check
• Running individual virus checkers on users' PCs to ensure that they have not downloaded a virus directly, or inadvertently introduced one via a CD or floppy disk.

Other Methods of Preventing Viruses

Other ways of preventing viruses include:
• Installing software patches provided by the supplier of your operating system to close security loopholes that could be exploited by viruses
• Using a firewall to prevent unauthorized access to your network
• Avoiding download of unauthorized programs and documents from the Internet, and ensuring your staff adhere to this policy

Your systems may still become infected even if you follow the above guidelines. Make regular back-ups of your data and software so that you can replace infected files with clean copies.
Virus Alerting Services

Consider subscribing to a service or supplier who will provide virus alerts for you. Some are available on a paid-for basis, while others are provided by suppliers of anti-virus software to their customers.

Spyware

There is software available that scans your systems and detects known spyware programs. Spyware can then be removed or quarantined. As with anti-virus software, it is important to keep this software up to date.

Digital Identity

A digital identity is the electronic representation of a real-world entity. The term is usually taken to mean the online equivalent of an individual human being, which participates in electronic transactions on behalf of the person in question. However, a broader definition also assigns digital identities to organizations, companies and even individual electronic devices. Various complex questions of privacy, ownership and security surround the issue of digital identity. Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things.

Digital Identity is also a safe personal web platform that gives the individual the power to control how they interact with the Internet and share their personal information. Each individual is assigned a personal web address that functions as a master key to all his or her online communication. Through a number of practical tools such as online business cards, CV, favourites, personal messages, access control etc., the individual creates and has full control of their online information. With Digital Identity each individual becomes an integrated part of the Internet, so other websites, search engines and applications can automatically interact with the online identity. The basis of Digital Identity:
• is the online presence of an individual or business, and gives access to online services (authentication)
• defines the level of access to online services (authorization)
• is a repository of information for use by the subscriber, for the subscriber, and is the first point of all online communications.

Technology solutions - encryption, secure channels of communication, protecting networks, servers and clients

CLIENT-SERVER NETWORK SECURITY

Client-server network security is one of the biggest headaches system administrators face as they balance the opposing goals of user manoeuvrability and easy access against site security and confidentiality of local information. According to the National Center for Computer Crime Data, computer security violations cost U.S. businesses half a billion dollars each year. The concerns are real, and doing nothing is analogous to leaving a door unlocked in a high-crime neighbourhood. Network security on the Internet is a major concern for commercial organizations, especially management. The Internet has raised many new security concerns. By connecting a local network to the Internet, an organization may be exposing itself to the entire population of the Internet. An Internet connection effectively breaches the physical security perimeter of the corporate network and opens it to access from the other networks comprising the public Internet.

Fig. 4.1. Client and Server

That being the case, the manager of even the most relaxed organization must pay some attention to security. For many commercial operations, security will simply be a matter of making sure that existing system features, such as passwords and privileges, are configured properly. They need to audit all access to the network. A system that records all log-on attempts, particularly the unsuccessful ones, can alert managers to the need for stronger measures.
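Auditing log-on attempts as described above is normally automated rather than read by eye. The following added example (not from the study material) in Python parses a few constructed log-on records in an assumed one-line-per-attempt format and applies two rules over them: a burst of failed attempts from one source address inside a sliding time window, which is what password guessing looks like in a log, and a success from that same source while the burst is still within the window, which is the case a manager most needs to see. The record format, field names, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log-on records in an assumed format (not real data).
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 LOGIN FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 LOGIN FAIL user=bob src=10.0.0.5
2024-03-01T09:00:06 LOGIN FAIL user=carol src=10.0.0.5
2024-03-01T09:00:07 LOGIN FAIL user=dave src=10.0.0.5
2024-03-01T09:00:09 LOGIN OK user=dave src=10.0.0.5
2024-03-01T09:05:00 LOGIN FAIL user=erin src=192.168.1.20
2024-03-01T09:30:00 LOGIN OK user=erin src=192.168.1.20
this line is garbage and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse records into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"],
                           "user": m["user"],
                           "src": m["src"]})
    return events


def detect(events: list, threshold: int = 5,
           window: timedelta = timedelta(minutes=1)) -> list:
    """Sliding-window rules over failed log-ons per source address.

    BRUTE_FORCE: `threshold` failures from one source within `window`
    (raised once, when the count first reaches the threshold).
    SUCCESS_AFTER_FAILURES: a successful log-on from a source whose
    failure burst is still inside the window, i.e. guessing may have worked.
    """
    alerts = []
    recent_failures = defaultdict(list)   # src -> failure timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        # Drop failures that have aged out of the window.
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= window]
        if ev["result"] == "FAIL":
            recent_failures[src].append(ts)
            if len(recent_failures[src]) == threshold:
                alerts.append(("BRUTE_FORCE", src, ts.isoformat()))
        elif len(recent_failures[src]) >= threshold:
            alerts.append(("SUCCESS_AFTER_FAILURES", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The single failure from 192.168.1.20 followed by a success twenty-five minutes later produces nothing, which is the point of the window: one mistyped password is not an attack, five different accounts tried from one address in six seconds is.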
However, where secrets are at stake or where important corporate assets must be made available to remote users, additional measures must be taken. Hackers can use password guessing, password tapping, security holes in programs, or common network access procedures to impersonate users and thus pose a threat to the server.

Client-server network security problems manifest themselves in three ways:

1. Physical security holes result when individuals gain unauthorized physical access to a computer. A good example would be a public workstation room, where it would be easy for a wandering hacker to reboot a machine into single-user mode and tamper with the files if precautions are not taken. On the network this is also a common problem, as hackers gain access to network systems by guessing the passwords of various users.

2. Software security holes result when badly written programs or "privileged" software are compromised into doing things they shouldn't. The most famous example of this category is the sendmail hole, which brought the Internet to its knees in 1988. A more recent problem was the rlogin hole in the IBM RS/6000 workstations, which enabled a cracker (a malicious hacker) to create a root shell, or super-user access mode. This is the highest level of access possible and could be used to delete the entire file system, or create a new account or password file, resulting in incalculable damage.

3. Inconsistent usage holes result when a system administrator enables a combination of hardware and software such that the system is seriously flawed from a security point of view: the incompatibility of attempting two unconnected but useful things creates the security hole. Problems like this are difficult to isolate once the system is set up and running, so it is better to carefully build the system with them in mind. This type of problem is becoming common as software becomes more complex.
To reduce these security threats, various protection methods are used. At the file level, operating systems typically offer mechanisms such as access control lists that specify the resources various users and groups are entitled to access. Protection, also called authorization or access control, grants privileges to the system or resource by checking user-specific information such as passwords. The problem in the case of e-commerce is very simple: if consumers connect a computer to the Internet, they can easily log in from anywhere that the network reaches. That is the good news; the bad news is that without proper access control, anyone else can too. Over the years several protection methods have been developed, including trust-based security, security through obscurity, password schemes and biometric systems.

• Trust-Based Security: Quite simply, trust-based security means to trust everyone and do nothing extra for protection. It is possible not to provide access restrictions of any kind and to assume that all users are trustworthy and competent in their use of the shared network.

• Security through Obscurity: Most organizations in the mainframe era practised a philosophy known as security through obscurity (STO): the notion that any network can be secure as long as nobody outside its management group is told how it works, with information provided strictly on a need-to-know basis. Hiding account passwords in binary files or scripts with the presumption that "nobody will ever find them" is a prime case of STO (somewhat like hiding the house key under the doormat and telling only family and friends). In short, STO provides a false sense of security in computing systems: the information is hidden, not protected.

• Firewall and Network Security: The most commonly accepted network protection is a barrier, a firewall, between the corporate network and the outside world (untrusted networks).
The term firewall can mean many things to many people, but basically it is a method of placing a device - a computer or a router - between the network and the Internet to control and monitor all traffic between the outside world and the local networks. Typically the device allows insiders to have full access to services on the outside while granting access from the outside only selectively, based on log-on name, password, IP address or other identifiers. Generally speaking, a firewall is a protective device to shield a vulnerable area from some form of danger. In the context of the Internet, it is a system - a router, a personal computer, a host, or a collection of hosts - set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. It is usually located at a high-level gateway, such as a site's connection to the Internet, but it can also be located at internal gateways to provide protection for a smaller collection of hosts or subnets. Firewalls come in several types and offer various levels of security. Generally, firewalls operate by screening packets and/or the applications that pass through them: they provide controllable filtering of network traffic, allow restricted access to certain applications, and block access to everything else. In principle the firewall can be thought of as a pair of mechanisms: one to block incoming traffic and the other to permit outgoing traffic. Some firewalls place a greater emphasis on blocking traffic, and others on permitting traffic.

Firewalls in Practice

Firewalls range from simple traffic logging systems that record all network traffic flowing through the firewall in a file or database for auditing purposes to more complex methods such as IP packet screening routers, hardened firewall hosts and proxy application gateways.
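The "pair of mechanisms" view above, and the three distinctions listed under Types of Firewalls (single node versus networks, network layer versus application layer, stateful versus stateless), can be made concrete with a small screening-router model. This is an added example in Python, not the study material's own text and not any vendor's product: an ordered rule list evaluated first-match-wins with default deny, an anti-spoofing rule, one HTTPS service exposed to the outside, and an optional connection table so that replies to connections opened from inside are admitted without needing an inbound rule. The addresses, ports and rule set are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing for this example: an internal /24 with one host that
# serves the public web site; "the Internet" is everything else.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
WEB_SERVER = ipaddress.ip_network("192.168.10.80/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "tcp", "udp" or "any"
    dport: Optional[int] = None    # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Ordered filter list: first match wins; anything unmatched is denied.
RULES: List[Rule] = [
    Rule("deny", "in", INTERNAL, ANY, "any"),            # anti-spoofing: an "internal" source cannot arrive from outside
    Rule("allow", "in", ANY, WEB_SERVER, "tcp", 443),    # the only service exposed to the public
    Rule("deny", "in", ANY, INTERNAL, "any"),            # everything else inbound
    Rule("allow", "out", INTERNAL, ANY, "any"),          # insiders may use services outside
]


class ScreeningRouter:
    def __init__(self, rules: List[Rule], stateful: bool = True):
        self.rules = rules
        self.stateful = stateful
        # Connections opened from inside: (internal host, remote host, proto, remote port)
        self.connections = set()

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet."""
        # Stateful step: a reply to a connection the inside opened is let in
        # without consulting the inbound rules at all.
        if (self.stateful and p.direction == "in"
                and (p.dst, p.src, p.proto, p.sport) in self.connections):
            return "allow", "established connection"
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.connections.add((p.src, p.dst, p.proto, p.dport))
                return rule.action, "rule %d" % i
        return "deny", "default deny"


if __name__ == "__main__":
    router = ScreeningRouter(RULES)
    print(router.filter(Packet("out", "192.168.10.5", "203.0.113.9", "tcp", 51000, 443)))
    print(router.filter(Packet("in", "203.0.113.9", "192.168.10.5", "tcp", 443, 51000)))
    print(router.filter(Packet("in", "198.51.100.7", "192.168.10.80", "tcp", 40000, 22)))
```

Run the same reply packet through a router built with stateful=False and it is dropped by the catch-all inbound rule: a stateless filter has no way to tell a reply the inside asked for from an unsolicited connection, which is why it would need a much looser inbound rule to let ordinary outbound browsing work.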
The simplest firewall is a packet-filtering gateway or screening router, configured with filters to restrict traffic to designated addresses. Screening routers also limit the types of service that can pass through them.

DATA AND MESSAGE SECURITY

Encryption

The success or failure of an e-commerce operation hinges on myriad factors, including but not limited to the business model, the team, the customers, the investors, the product, and the security of data transmissions and storage. Data security has taken on heightened importance since a series of high-profile "cracker" attacks humbled popular web sites, resulted in the impersonation of Microsoft employees for the purpose of obtaining digital certificates, and led to the misuse of customers' credit card numbers at business-to-consumer e-commerce destinations. Security is on the mind of every e-commerce entrepreneur who solicits, stores or communicates any information that may be sensitive if lost. An arms race is under way: technologists are building new security measures while others are working to crack the security systems. One of the most effective means of ensuring data security and integrity is encryption. Encryption is a generic term that refers to the act of encoding data so that those data can be securely transmitted via the Internet. At the simplest level, encryption can protect data by preventing other people from reading them. In the event that someone intercepts a data transmission and manages to defeat the user identification scheme, the data they see appears to be gibberish without a way to decode it. Encryption technologies can help in other ways as well: by establishing the identity of users (or abusers); controlling the unauthorized transmission or forwarding of data; verifying the integrity of the data (i.e. that it has not been altered in any way); and ensuring that users take responsibility for data that they have transmitted.
Encryption can therefore be used either to keep communications secret (defensively) or to identify the people involved in communications (offensively). E-commerce systems can use the following encryption techniques:
• Public key encryption, or asymmetric key-based algorithms. This method uses one key to encrypt data and a different key to decrypt the same data. You have likely heard of this technique; it is sometimes called public key/private key encryption, or something to that effect.
• Symmetric key-based algorithms, or block and stream ciphers. With these cipher types, data are separated into chunks, and those chunks are encrypted and decrypted with the same key. Stream ciphers encrypt the data bit by bit (or byte by byte) against a running keystream, whereas block ciphers encrypt fixed-size blocks; this makes stream ciphers lighter to implement and convenient where data arrive continuously rather than in block-sized pieces.
• Hashing, or creating a digital summary of a string or file. This is the most common way to store passwords on a system: what is stored is not the password itself but a hash of it, from which the password cannot be recovered.
The basic means of encrypting data involves a symmetric cryptosystem, in which the same key is used to encrypt and to decrypt the data. Think about a regular, garden-variety code, which has only one key: two kids in a tree-house, pretending to be spies, might tell one another that their messages will be encoded according to a scheme where each number, from 1 to 26, refers to a letter of the alphabet (so that 1 = A, 2 = B, 3 = C, etc.). The key refers to the scheme that matches the encoded information up with the real message. Or perhaps the kids got a little more sophisticated and used a computer to generate a random match-up of the 26 letters with 26 numbers (so that 6 = A, 13 = B, 2 = C, etc.). These codes might work for a while, managing to confuse a nosy younger brother who wants to know what the notes they are passing mean, but they are fairly easy to crack.
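Two of the techniques in the list above, a symmetric stream cipher with an integrity check and password hashing, in working form. This is an added Python example using only the standard library, not code from the course text. The keystream is built from HMAC-SHA256 in counter mode, a legitimate way to turn a pseudorandom function into a stream cipher but shown here for teaching; the key and the order record are constructed for the demonstration, and production code should use a vetted construction such as AES-GCM or ChaCha20-Poly1305.

```python
"""Symmetric stream-cipher encryption with an integrity tag, and salted password
hashing, using only the Python standard library (added teaching example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def subkeys(key: bytes):
    """Derive one key for encryption and a separate one for integrity from the shared secret."""
    enc = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes: one 32-byte block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (the 'bit-by-bit' stream cipher of the text),
    then append an HMAC tag so any alteration in transit is detected on decryption."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh per message; never reuse with one key
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverse encrypt(). Raises ValueError if the key is wrong or the message was altered."""
    enc_key, mac_key = subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("integrity check failed: wrong key or altered message")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Store a salted, iterated hash of the password rather than the password itself.
    The stored string carries everything needed to check a later login attempt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)                 # constructed shared key for the demo
    order = b"order 4711: 2 x widget, total 120.00"  # constructed order record
    sealed = encrypt(shared, order)
    print("ciphertext:", sealed[NONCE_LEN:-TAG_LEN].hex())
    print("round trip ok:", decrypt(shared, sealed) == order)
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("login ok:", check_password("correct horse battery staple", stored))
```

Two details worth noting: the encryption key and the integrity key are derived separately from the shared secret, and decryption checks the tag before touching the ciphertext, so a flipped byte or a wrong key is rejected rather than silently producing garbage.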
Much more complex codes generated by algorithms can likewise be broken by powerful computers when the single key is weak or has been exposed, and with only one key the sender and receiver must first find a safe way to share it.
Fig. 4.2

SOCIAL MEDIA MARKETING
Social media marketing is the process of optimizing your site or blog to be more visible in social media searches and sites, more easily linked by other sites, and more frequently discussed online in blog posts and other social media. Social media marketing uses podcasts, wikis, blogs, online videos, photo sharing, news sharing, message boards and posts on social networking sites to reach a large or targeted audience. Some examples of social media optimization/marketing techniques are as follows:
• Joining relevant online communities or social networking sites to help promote your business.
• Adding RSS feeds to your website (RSS stands for Really Simple Syndication and can be used to easily update content).
• Blogging (where you add content to blogs).
• Creating your own business blog.
What is the Difference Between SMM (Social Media Marketing) and SMO (Social Media Optimization)?
Social media optimization involves creating the right type of content and building a site that is easy to share on social networks and is friendly to social media users, whereas social media marketing goes a step further in terms of actually promoting the content on these networks and spreading the word about your content.
Why Social Media Optimization/Marketing?
1. One can reach a large number of people in a more spontaneous way without paying large advertising fees.
2. The use of blogs and social and business networking sites can increase traffic to your website from other social media websites. This in turn may increase your PageRank, resulting in increased traffic from leading search engines.
3. Social media complements other marketing strategies such as a paid advertising campaign.
4. You can build credibility by participating in relevant forums and responding to questions.
5.
Social media sites hold information such as user profile data, which can be used to target a specific set of users for advertising.

LESSON-2
UNIT V
Information Technology Act 2000: provisions related to offences, secure electronic records, digital signatures, penalties and adjudication.
1. Information Technology Act 2000
1.1 Introduction
1.2 Objectives
1.3 Definitions
1.4 Digital Signature
1.5 Electronic Governance
1.6 Attributes, acknowledgement and dispatch of electronic records
1.7 Summary
1.8 Exercise
1.1 Introduction
The Parliament of India enacted the Information Technology Act, 2000, which received the assent of the President of India on 9 June 2000. It is the first cyber law in India. The Act is based on the resolution adopted by the General Assembly of the United Nations on 30 January 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL).
Figure 1: Information Technology Act, 2000
The aforesaid resolution of the General Assembly recommends that all states give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.
1.2 Objectives
After studying this chapter the student will be able to learn the following:
• The various definitions used in the Act, among them Access, Addressee, Adjudicating officer, Security procedure and Subscriber
• Authentication of electronic records
• An overview of the various components of the IT Act 2000
• The contents of a digital signature
• The duties of subscribers
• Legal recognition of electronic records
• Legal recognition of digital signatures
• Use of electronic records and digital signatures in Government and its agencies
1.3 Definitions
Section 2 of the Act gives the definitions of the various terms used in the Act, unless the context otherwise requires. The definitions given under the different clauses of Section 2(1) are as follows:
‘Access’, with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network;
‘Addressee’ means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
‘Adjudicating officer’ means an adjudicating officer appointed under sub-section (1) of Section 46;
‘Affixing digital signature’, with its grammatical variations and cognate expressions, means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
‘Appropriate Government’ means, as respects any matter (a) enumerated in List II of the Seventh Schedule to the Constitution, or (b) relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government, and in any other case, the Central Government;
‘Asymmetric crypto system’ means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
‘Certifying Authority’ means a person who has been granted a licence to issue a Digital Signature Certificate under Section 24;
‘Certification practice statement’ means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature
Certificates;
‘Computer’ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;
‘Computer network’ means the interconnection of one or more computers through (a) the use of satellite, microwave, terrestrial line or other communication media; and (b) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;
‘Computer resource’ means computer, computer system, computer network, data, computer database or software;
‘Computer system’ means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
‘Controller’ means the Controller of Certifying Authorities appointed under sub-section (1) of Section 17;
‘Cyber Appellate Tribunal’ means the Cyber Regulations Appellate Tribunal established under sub-section (1) of Section 48;
‘Data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
‘Digital signature’ means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3;
‘Digital Signature Certificate’ means a Digital Signature Certificate issued under sub-section (4) of Section 35;
‘Electronic form’, with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
‘Electronic Gazette’ means the Official Gazette published in the electronic form;
‘Electronic record’ means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
‘Function’, in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
‘Information’ includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
‘Intermediary’, with respect to any particular electronic message, means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;
‘Key pair’, in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
‘Law’ includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as President’s Act under sub-clause (a) of clause (1) of Article 357 of the Constitution and includes rules, regulations, by-laws and orders issued or made thereunder;
‘Licence’ means a licence granted to a Certifying Authority under Section 24;
‘Originator’ means a person
who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary;
‘Prescribed’ means prescribed by rules made under this Act;
‘Private key’ means the key of a key pair used to create a digital signature;
‘Public key’ means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate;
‘Secure system’ means computer hardware, software and procedure that (i) are reasonably secure from unauthorised access and misuse; (ii) provide a reasonable level of reliability and correct operation; (iii) are reasonably suited to performing the intended functions; and (iv) adhere to generally accepted security procedures;
‘Security procedure’ means the security procedure prescribed under Section 16 by the Central Government;
‘Subscriber’ means a person in whose name the Digital Signature Certificate is issued;
‘Verify’, in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions, means to determine whether (i) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber; and (ii) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.
Exercise 1
Check your progress
1. Definition of Addressee
2. Define Subscriber
3. Private key and Public key

1.4 Electronic Governance
With a view to facilitating electronic governance, the Information Technology Act, 2000, provides for the use and acceptance of electronic records and digital signatures in government offices and agencies. The idea is to facilitate an efficient government-citizen interface by giving due legal recognition to e-governance.
Fig 3: E-Governance using computers
This will make the citizen's interaction with government offices hassle-free. The IT Act, 2000, contains the following provisions to facilitate e-governance:
1.
Legal recognition of electronic records: Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, such requirement shall be deemed to have been satisfied if such information or matter is (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference (Section 4).
2. Legal recognition of digital signatures: Where any law provides that information or any other matter shall be authenticated by affixing the signature, or that any document shall be signed or bear the signature of any person, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of a digital signature affixed in such manner as may be prescribed by the Central Government (Section 5).
3. Use of electronic records and digital signatures in Government and its agencies: Where any law provides for (a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner; (b) the issue or grant of any licence, permit, sanction or approval, by whatever name called, in a particular manner; or (c) the receipt or payment of money in a particular manner, then such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. The appropriate Government may, by rules, prescribe the manner and format in which such electronic records shall be filed, created or issued (Section 6).
4.
Retention of electronic records: Where any law provides that documents, records or information shall be retained for any specific period, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, provided that (a) the information contained therein remains accessible so as to be usable for a subsequent reference; (b) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and (c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record. However, these conditions do not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received (Section 7).
5. Publication of rules, regulations, etc., in the Electronic Gazette: Where any law provides that any rule, regulation, order, by-law, notification or any other matter shall be published in the Official Gazette, such requirement shall be deemed to have been satisfied if it is published in the Official Gazette or the Electronic Gazette. Where any such matter is published in the Official Gazette or the Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form (Section 8).
6.
No right to insist that documents be accepted in electronic form: Sections 6, 7 and 8 do not confer a right upon any person to insist that any Ministry or Department of the Central Government or a State Government, or any authority or body established by or under any law or controlled or funded by the Central or a State Government, should accept, issue, create, retain or preserve any document in the form of electronic records or effect any monetary transaction in electronic form. Paper-based exchanges continue to be valid and binding (Section 9).
7. Power of the Central Government to make rules in respect of digital signatures: The Central Government may, for the purposes of this Act, by rules prescribe (a) the type of digital signature; (b) the manner and format in which the digital signature shall be affixed; (c) the manner or procedure which facilitates identification of the person affixing the digital signature; (d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and (e) any other matter which is necessary to give legal effect to digital signatures (Section 10).
The Act deals with electronic governance, the issue of Digital Signature Certificates and the regulation of Certifying Authorities in separate chapters, and carries four Schedules.
The definitions of ‘Electronic Gazette’, ‘Electronic record’, ‘Function’, ‘Information’ and ‘Law’ given in 1.3 above are the key definitions used in the electronic governance provisions.
Exceptions: The provisions of the IT Act, 2000, shall not apply to (a) a negotiable instrument (other than a cheque) as defined in Section 13 of the Negotiable Instruments Act, 1881; (b) a power of attorney under the Powers of Attorney Act, 1882; (c) a trust under the Indian Trusts Act, 1882; (d) a will under the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called; (e) any contract for the sale or conveyance of immovable property or any interest in such property; and (f) any such class of documents or transactions as may be notified by the Central Government in the Official Gazette [Section 1(4)].
Exercise 3
1. Definition of electronic governance
2. Define electronic record and electronic gazette
3. Explain the use of electronic records and digital signatures

1.6 Summary
The Information Technology Act, 2000, received the assent of the President of India on 9 June 2000. It is the first cyber law in India. The Act is based on the resolution adopted by the General Assembly of the United Nations on 30 January 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL).
The aforesaid resolution of the General Assembly recommends that all states give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.
‘Access’, with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network;
‘Addressee’ means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
‘Adjudicating officer’ means an adjudicating officer appointed under sub-section (1) of Section 46;
‘Affixing digital signature’, with its grammatical variations and cognate expressions, means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
‘Appropriate Government’ means, as respects any matter enumerated in List II of the Seventh Schedule to the Constitution, or relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government, and in any other case, the Central Government.
In order to be legally binding, all electronic communications or transactions must meet the following fundamental requirements: authenticity of the sender, to enable the recipient to determine who really sent the message; message integrity, so that the recipient can also determine whether or not the message received has been modified en route or is incomplete; and non-repudiation, the ability to ensure that the sender cannot falsely deny sending the message, nor falsely deny its contents. These requirements led to the acceptance of cryptography, a data encryption technique, which provides just that kind of data protection.
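How a digital signature made with an asymmetric key pair meets those three requirements, and how the Act's ‘verify’ definition in 1.3 (was the signature made with the private key matching the subscriber's public key, and has the record been altered since?) is checked in practice, shown as an added Python example. This is not code from the Act or the course text: it uses textbook RSA over a SHA-256 digest with two fixed, published primes (the Mersenne primes 2^61-1 and 2^89-1) so that every run is deterministic, and a plain dictionary stands in for the Digital Signature Certificate. Real keys are generated from random 2048-bit primes and signed with a padding scheme such as RSA-PSS, so this is for understanding the mechanism, not for production use.

```python
"""Digital signature with an asymmetric key pair: the subscriber's private key creates
the signature, the public key listed in the certificate verifies it (added example)."""
import hashlib

P = 2**61 - 1          # assumed illustrative primes (Mersenne primes), not real key material
Q = 2**89 - 1
E = 65537              # common public exponent


def generate_key_pair(p=P, q=Q, e=E):
    """Section 40: the subscriber generates the key pair. Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # private exponent, the modular inverse of e
    return (n, e), (n, d)


def digest(record: bytes, n: int) -> int:
    """Hash the electronic record and reduce the hash into the modulus."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n


def affix_digital_signature(record: bytes, private_key) -> int:
    """Create the signature with the private key, which the subscriber keeps confidential."""
    n, d = private_key
    return pow(digest(record, n), d, n)


def issue_certificate(subscriber: str, public_key) -> dict:
    """Stand-in for a Digital Signature Certificate: it lists the subscriber's name
    together with the public key that verifies that subscriber's signatures."""
    return {"subscriber": subscriber, "public_key": public_key}


def verify(record: bytes, signature: int, certificate: dict) -> bool:
    """The Act's 'verify': was the signature made with the private key corresponding to the
    public key in the certificate, and is the record unaltered since it was signed?
    Both conditions reduce to one check: a changed record hashes differently, and a
    signature made with another private key does not verify against this public key."""
    n, e = certificate["public_key"]
    return pow(signature, e, n) == digest(record, n)


def demo() -> dict:
    """Sign a constructed electronic record and check the three cases a relying party meets."""
    pub_a, priv_a = generate_key_pair()
    pub_b, priv_b = generate_key_pair(2**61 - 1, 2**107 - 1)   # a second subscriber's pair
    cert_a = issue_certificate("Subscriber A", pub_a)
    record = b"Purchase order 4711: 2 x widget, total INR 12000"   # constructed record
    signature = affix_digital_signature(record, priv_a)
    return {
        "genuine": verify(record, signature, cert_a),
        "altered_record": verify(record + b"0", signature, cert_a),
        "signed_by_other_subscriber": verify(record, affix_digital_signature(record, priv_b), cert_a),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%s: %s" % (case, "verified" if ok else "rejected"))
```

The three cases map onto the requirements above: the genuine signature verifies (authenticity), a single changed byte in the record makes verification fail (integrity), and because only the subscriber holds the private key that produced a verifying signature, the subscriber cannot credibly deny having signed (non-repudiation), which is why Section 42 makes keeping the private key under control the subscriber's duty.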
Section 3 provides for the use of an ‘asymmetric crypto system’, in which an asymmetric key pair consisting of a private key and a public key is used to create and verify the digital signature respectively. The private key is kept confidential and is used by the subscriber to create the digital signature, whereas the public key is more widely known, is listed in the Digital Signature Certificate, and is used by a relying party to verify the digital signature.
1.6 Exercise
Check your knowledge of this chapter
1. Fill in the blanks
(i) The General Assembly of the United Nations on 30 January 1997 adopted a resolution regarding the Model Law on Electronic Commerce earlier adopted by ......................................
(ii) .................. means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
(iii) .................., with its grammatical variations and cognate expressions, means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of ..................
(iv) Law includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as .................. under sub-clause (a) of clause (1) of Article 357 of the Constitution and includes rules, regulations, by-laws and orders issued or made thereunder.
Ans. (i) United Nations Commission on International Trade Law (ii) Data (iii) Digital signature (iv) President’s Act
2.
State whether the following are true or false (please tick):
(i) Power to make rules by the Central Government in respect of digital signatures: the Central Government may, for the purposes of this Act, by rules not prescribe
a) the type of digital signature ( )
b) the manner and format in which the digital signature shall be affixed ( )
c) the manner or procedure which facilitates identification of the person affixing the digital signature ( )
d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments ( )
e) any other matter which is necessary to give legal effect to the Constitution ( )
(ii) Retention of electronic records: where any law provides that documents, records or information shall be retained for a specific period, that requirement shall be deemed to have been satisfied if such documents, records or information are not retained in the electronic form, if
a) the information contained therein remains accessible so as to be usable for a subsequent reference ( )
b) the electronic record is retained in the format in which it was duplicated, generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received ( )
c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record ( )
3. In order to be called not legally binding, all electronic communications or transactions must meet the following fundamental requirements:
(a) Authenticity of the sender, to enable the recipient to determine who really sent the message. ( )
(b) Message integrity: the recipient must also be able to determine whether or not the message received has been modified en route or is incomplete. ( )
(c) Non-repudiation, the ability to ensure that the sender cannot falsely deny sending the message, nor falsely deny the contents of the message.
( )
(d) Electronic records are available in the electronic form ( )
4. Tick the one that is not among the objectives the Information Technology Act seeks to achieve:
(a) To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ‘electronic commerce’. ( )
(b) No growth of e-commerce and e-governance. ( )
(c) To provide equal treatment to users of paper-based documentation vis-à-vis electronic records. ( )
(d) To place digital signatures at par with paper signatures and provide a comprehensive approach for determining the authenticity and integrity of electronic signatures. ( )
Ans (i) e (ii) b (iii) d (iv) b
3. Match the following (A) with (B)
(A)
(a) in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
(b) includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as President’s Act under sub-clause (a) of clause (1) of Article 357 of the Constitution and includes rules, regulations, by-laws and orders issued or made thereunder;
(c) means a licence granted to a Certifying Authority under Section 24;
(d) means a person who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary;
(B)
(i) Law
(ii) Key pair
(iii) Originator
(iv) Licence
Ans (i) b (ii) a (iii) d (iv) c
4. Discuss the following in the form of short answers
1. State the objectives of the Information Technology Act, 2000.
2. Comment on Certifying Authority
3. Comment on Certification practice statement
4. Describe Asymmetric crypto system.
3.3 Digital Signature Certificates

Certificates serve as proof of the identity of an individual for a certain purpose, e.g. a driver's license identifies someone who can legally drive in a particular country. Likewise, a Digital Signature Certificate (DSC) can be presented electronically to prove your identity or your right to access information or services on the Internet. See Fig 3.1.

Fig 3.1: Digital Signature

A Digital Signature Certificate is an electronic document which uses a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to the individual. Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates such as driver's licenses, passports or membership cards.

A Digital Signature Certificate is an important instrument of trust identifying subscribers over networks. It not only confirms the identity of the subscriber but also certifies other relevant information, such as the subscriber's public key and the bona fides of the issuer of the certificate. By certifying that a particular public key actually belongs to a specified person, it allows a digital signature that verifies under that public key to be attributed conclusively to that person. Note what the certificate does and does not prove: it binds the public key to the identity the Certifying Authority verified at issuance; it says nothing about who holds the private key today, which is why the subscriber's duty to keep the private key under control (Section 42, below) matters.

Duties of Subscribers

Sections 40 to 42 of the Information Technology Act, 2000 lay down the following duties of subscribers who have obtained a Digital Signature Certificate from a Certifying Authority.

Generating key pair (Section 40): Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate, has been accepted by a subscriber, the subscriber shall generate the key pair by applying the security procedure.
Acceptance of Digital Signature Certificate (Section 41): A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of the Digital Signature Certificate (a) to one or more persons, or (b) in a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner. By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in it that:
(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.

Control of private key (Section 42): (1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations. The subscriber remains liable until he has informed the Certifying Authority that the private key has been compromised: every signature made with the key up to that report is attributed to the subscriber, so a lost or stolen signing token must be reported first and investigated afterwards.

3.3.2 Classes of Digital Signature Certificates

Digital Signature Certificates are classified into the following classes according to the level of assurance required and the intended use of the DSC:

Class I: These certificates shall be issued to individuals/private subscribers. They confirm that the user's name (or alias) and e-mail address form an unambiguous subject within the Certifying Authority's database. This level provides a basic level of assurance, relevant to environments where there are risks and consequences of data compromise but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. It is assumed that at this security level users are not likely to be malicious.

Class II: These certificates will be issued to both business personnel and private individuals. They confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases. This level is relevant to environments where the risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.

Class III: These certificates will be issued to individuals as well as organizations. As these are high-assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authority. This level is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.

3.3.3 Types of Digital Signature Certificates

The different types of Digital Signature Certificates are as follows.

Individual Digital Signature Certificates (Signing Certificates): Individual certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. These certificates can be used for signing electronic documents and e-mails and for implementing enhanced access control mechanisms for sensitive or valuable information.

Server Certificates: Server certificates identify a server (computer). Hence, instead of the name of a person, a server certificate contains the host name (e.g. the nsdg.gov.in in "https://nsdg.gov.in/") or the IP address. Server certificates are used to secure communication of data over the network.

Encryption Certificates: Encryption certificates are used to encrypt messages. The sender uses the public key in the recipient's encryption certificate to encrypt the data, so as to ensure confidentiality during transmission of the message. CAs issue separate certificates for signing and for encryption, and the two key pairs should be kept apart: an encryption private key may legitimately be backed up so that stored messages remain readable, whereas a signing private key must exist only with the subscriber or its signatures cease to be attributable.

3.3.4. Certifying Authority to issue Digital Signature Certificate (Sec. 35)

Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
a) Every such application shall be accompanied by such fee, not exceeding twenty-five thousand rupees, as may be prescribed by the Central Government, to be paid to the Certifying Authority; provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
b) Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
c) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application; provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that:
i) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
ii) the applicant holds a private key which is capable of creating a digital signature;
iii) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.
In practice the Certifying Authority establishes (i) to (iii) without ever seeing the private key: the applicant submits a request that carries the public key and is itself signed with the private key, and the Certifying Authority checks that signature against the enclosed public key before issuing.

3.3.5. Representations upon issuance of Digital Signature Certificate (Sec. 36)

A Certifying Authority while issuing a Digital Signature Certificate shall certify that the information contained in it is accurate and that:
a) it has complied with the provisions of this Act and the rules and regulations made thereunder;
b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it, and the subscriber has accepted it;
c) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate;
d) the subscriber's public key and private key constitute a functioning key pair;
e) the information contained in the Digital Signature Certificate is accurate; and
f) it has no knowledge of any material fact which, if it had been included in the Digital Signature Certificate, would adversely affect the reliability of the representations made in clauses (a) to (d).

3.3.6. Suspension of Digital Signature Certificate (Sec. 37)

The Certifying Authority which has issued a Digital Signature Certificate may suspend it:
a) on receipt of a request to that effect from (i) the subscriber listed in the Digital Signature Certificate, or (ii) any person duly authorized to act on behalf of that subscriber; or
b) if it is of the opinion that the Digital Signature Certificate should be suspended in the public interest.
A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Exercise 3
1. Explain the various types of digital certificates.
2. Describe how a Certifying Authority issues a Digital Signature Certificate.
3. Describe suspension of a Digital Signature Certificate.
3.4. Revocation of Digital Signature Certificate (Sec. 38)

A Certifying Authority may revoke a Digital Signature Certificate issued by it:
a) where the subscriber or any other person authorized by him makes a request to that effect; or
b) upon the death of the subscriber; or
c) upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.

A Certifying Authority may also revoke a Digital Signature Certificate issued by it at any time if it is of the opinion that:
i) a material fact represented in the Digital Signature Certificate is false or has been concealed;
ii) a requirement for issuance of the Digital Signature Certificate was not satisfied;
iii) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability;
iv) the subscriber has been declared insolvent or dead or, where the subscriber is a firm or a company, it has been dissolved, wound up or otherwise ceased to exist.

A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter. Ground (iii) is the one a relying party should keep in mind: once the Certifying Authority's own signing key is compromised, every certificate it issued becomes untrustworthy, not just one subscriber's, so a relying party must check the current revocation status of a certificate and not merely that it was once validly issued.

Exercise 3
1. Describe revocation of Digital Signature Certificates.
2. Explain "a material fact represented in the Digital Signature Certificate is false or has been concealed".
3. Describe the powers of Certifying Authorities.

LESSON-3 UNIT V
Duties of Subscribers

3.1 Duties of Subscribers

The IT Act, 2000 specifically stipulates that any subscriber may authenticate an electronic record by affixing his digital signature. It further states that any person can verify an electronic record by use of the public key of the subscriber. The Act lays down the following duties of subscribers who have obtained a Digital Signature Certificate from a Certifying Authority:

Generating key pair (Sec. 40): Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate, has been accepted by a subscriber, then the subscriber shall generate that key pair by applying the security procedure. This implies that the subscriber, i.e. the person who is to be issued the Digital Signature Certificate, has to generate the key pair himself, so that the private key matching the public key listed in the certificate is created by, and known only to, the subscriber; a key pair generated by someone else cannot satisfy this duty.

Duties of subscriber of Electronic Signature Certificate (Sec. 40A): In respect of an Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed.

Acceptance of Digital Signature Certificate (Sec. 41): A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of the Digital Signature Certificate:
a) to one or more persons; or
b) in a repository; or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.
By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in it that:
i) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;
ii) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
iii) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.

Control of private key (Sec. 42): Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations. For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.
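The issuance and verification flow that Sec. 35, Sec. 36 and Sec. 40 describe, as an added worked example; this is not code from this study material nor from any Certifying Authority's software. It is written in Go against the standard library only. The subscriber generates a key pair and sends the Certifying Authority (CA) a signing request that carries the public key and is signed with the private key; the CA issues nothing until that signature checks out, which is how it satisfies itself that the applicant holds the private key corresponding to the public key to be listed and that the pair is functioning; the issued certificate binds the subject's name to the public key; and a relying party accepts a signed electronic record only if the certificate chains to a CA it trusts and the signature verifies under the public key the certificate lists. The function names (newCA, makeRequest, issueCertificate, verifyRecord), the Ed25519 key algorithm, the validity periods, the subject names and the sample purchase-order record are all assumptions made for illustration; the Act prescribes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds the self-signed root certificate of a hypothetical Certifying Authority.
func newCA() (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Certifying Authority"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// makeRequest is the subscriber's application: a signing request carrying the public key, signed with the private key.
func makeRequest(priv ed25519.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// issueCertificate is the CA's gate (Sec. 35): it issues only if the request's signature verifies
// under the public key it carries, the evidence that the applicant holds the matching private key.
func issueCertificate(caKey ed25519.PrivateKey, caCert *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("applicant did not prove possession of the private key: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject, // the identity information bound to the public key
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// verifyRecord is the relying party: accept the certificate only if it chains to the CA and is
// within its validity period, then check the record's signature with the public key it lists.
func verifyRecord(caCert *x509.Certificate, certDER, record, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if err := cert.CheckSignature(x509.PureEd25519, record, sig); err != nil {
		return fmt.Errorf("signature does not verify under the certified public key: %w", err)
	}
	return nil
}

func main() {
	caKey, caCert, err := newCA()
	if err != nil {
		panic(err)
	}
	_, subKey, _ := ed25519.GenerateKey(rand.Reader) // Sec. 40: the subscriber generates its own key pair
	csr, _ := makeRequest(subKey, "A. Subscriber")
	certDER, err := issueCertificate(caKey, caCert, csr)
	if err != nil {
		panic(err)
	}
	record := []byte("Purchase order 4711: 10 units at Rs. 500") // constructed sample record
	sig := ed25519.Sign(subKey, record)                         // the subscriber affixes its signature
	fmt.Println("genuine record:", verifyRecord(caCert, certDER, record, sig))
	fmt.Println("altered record:", verifyRecord(caCert, certDER, append(record, '!'), sig))
}
```

Run as a program it prints `genuine record: <nil>` for the unaltered record and an error for the altered one. A signature made with some other private key, a certificate issued by a CA the relying party does not trust, and a request whose signature does not check out against the public key it carries all fail at the same two gates. Note what the CA never sees: the private key itself. The checks in Sec. 35 are satisfied entirely by the request's signature, which is why the subscriber's duty under Sec. 42 to keep that key under control is the subscriber's alone. The relying party here does not consult suspension or revocation status (Sec. 37 and Sec. 38); a production verifier must.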
Salient features of the Information Technology (Amendment) Act, 2008

The Information Technology (Amendment) Act, 2008 received the assent of the President of India in February 2009. A review of the amendments indicates that several provisions relating to data protection and privacy, as well as provisions to curb terrorism using electronic and digital media, have been introduced into the Act. Some of the salient features are as follows:
• The term "digital signature" has been replaced with "electronic signature" to make the Act more technology-neutral.
• A new section has been inserted to define "communication device" to mean cell phones, personal digital assistants or a combination of both, or any other device used to communicate, send or transmit any text, video, audio or image.
• A new section has been added to define "cyber cafe" as any facility from where access to the Internet is offered by any person in the ordinary course of business to members of the public.
• A new definition has been inserted for "intermediary". Intermediary, with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes, but does not include a body corporate referred to in section 43A.
• A new section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed to be unenforceable solely on the ground that electronic form or means was used.
• The ceiling of Rs. one crore (approximately USD 200000) on damages prescribed under section 43 of the earlier Act for damage to a computer, computer system etc. has been deleted, and the relevant parts of the section have been substituted by the words "he shall be liable to pay damages by way of compensation to the person so affected".
• A new section 43A has been inserted to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such a body corporate is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
• A host of new sections have been added after section 66, as sections 66A to 66F, prescribing punishment for offences such as sending offensive messages through a communication service, identity theft, cheating by personation using a computer resource, violation of privacy and cyber terrorism. (Section 66A was later struck down by the Supreme Court of India in 2015 as unconstitutional.)
• Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form to three years.
• In view of the increasing threat of terrorism in the country, the amendments include an amended section 69 giving the State the power to issue directions for interception, monitoring or decryption of any information through any computer resource.
• Sections 69A and 69B grant the State the power to issue directions for blocking public access to any information through any computer resource, and to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security.
• Section 79 of the old Act, which exempted intermediaries from liability, has been modified to the effect that an intermediary shall not be liable for any third-party information, data or communication link made available or hosted by him if (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; (b) the intermediary does not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission; and (c) the intermediary observes due diligence while discharging his duties under the Act and also observes such other guidelines as the Central Government may prescribe.
• Section 79 will not apply to an intermediary if the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise, the commission of the unlawful act, or if, upon receiving actual knowledge or on being notified that any information, data or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
• Section 81 gives the provisions of the Act overriding effect; a proviso has been added stating that nothing contained in the Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970.

Exercise 4
1. Describe generating a key pair.
2. Explain the term "Acceptance of Digital Signature Certificate".
3. Describe the Information Technology (Amendment) Act, 2008.

3.2 Summary

A Digital Signature Certificate can be used to verify that a public key belongs to the individual named in it. Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates such as driver's licenses, passports or membership cards.

Class I provides a basic level of assurance, relevant to environments where there are risks and consequences of data compromise but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. It is assumed that at this security level users are not likely to be malicious. Class II is relevant to environments where the risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial. Class III is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.

No Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate, that the applicant holds a private key which is capable of creating a digital signature, and that the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.

Duties of subscriber of Electronic Signature Certificate (Sec. 40A): In respect of an Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed. Acceptance of Digital Signature Certificate (Sec. 41): A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of the Digital Signature Certificate to one or more persons or in a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.

3.3 Exercise

Check your progress

Exercise 1
Fill in the blanks:
(i) Certificates serve as identity of an individual for a certain purpose, e.g. a ………………………. identifies someone who can legally drive in a particular country.
Likewise, a Digital Signature Certificate (DSC) can be presented electronically to prove your identity or your right to access information or services on the Internet.
(ii) ……………………………. can be classified into various classes depending upon the requirement of assurance level and usage of the DSC.
(iii) No Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that the applicant holds the private key corresponding to the ……………………… to be listed in the Digital Signature Certificate.
(iv) Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate, has been accepted by a subscriber, the subscriber shall generate that key pair by applying the security procedure. This implies that the subscriber, i.e. the person who is to be issued the Digital Signature Certificate, has to generate an appropriate …………………. which matches the public key listed in the certificate.

Ans. (i) driver's license (ii) Digital Signature Certificates (iii) public key (iv) private key

Exercise 2
Please tick the right option in the following:
1. Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may not be prescribed by the Central Government.
(i) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority; provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants. ( )
(ii) Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations. ( )
(iii) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application. ( )
(iv) On the request of the Authority. ( )
2. A Certifying Authority while issuing a Digital Signature Certificate shall certify that the information contained in it is accurate and that:
(i) It has not complied with the provisions of this Act and the rules and regulations made thereunder. ( )
(ii) It has not published the Digital Signature Certificate or otherwise made it available to such person relying on it, and the subscriber has accepted it. ( )
(iii) The subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate. ( )
(iv) The subscriber's public key and private key do not constitute a functioning key pair. ( )
(v) The information contained in the Digital Signature Certificate is accurate. ( )
3. A Certifying Authority may not revoke a Digital Signature Certificate which has been issued by it at any time, if it is of the opinion that:
(i) A material fact represented in the Digital Signature Certificate is false or has been concealed. ( )
(ii) No private and public key. ( )
(iii) A requirement for issuance of the Digital Signature Certificate was not satisfied. ( )
(iv) The Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability. ( )
(v) The subscriber has been declared insolvent or dead or, where the subscriber is a firm or a company, it has been dissolved, wound up or otherwise ceased to exist. ( )
4. By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that (which statement is false?):
(i) The subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same.
(ii) All representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true.
(iii) All information in the Digital Signature Certificate that is within the knowledge of the subscriber is false.

Ans. (1) iv (2) v (3) ii (4) iii

Exercise 3
Match each description in column (A) with the term in column (B):
(A)
(i) Individual Certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. These certificates can be used for signing electronic documents and e-mails and implementing enhanced access control mechanisms for sensitive or valuable information.
(ii) Server Certificates identify a server (computer). Hence, instead of the name of a person, server certificates contain the host name, e.g. "https://nsdg.gov.in/", or the IP address. Server certificates are used to secure communication of data over the network.
(iii) Encryption Certificates are used to encrypt the message. The Encryption Certificates use the public key of the recipient to encrypt the data so as to ensure data confidentiality during transmission of the message. Separate certificates for signatures and for encryption are available from CAs.
(iv) A Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
(B)
(i) Server Certificates
(ii) Individual Digital Signature Certificates
(iii) Digital Signature Certificate
(iv) Encryption Certificates

Answer: (i)-(ii), (ii)-(i), (iii)-(iv), (iv)-(iii)

Exercise 4
Test Questions
1.
Explain the term digital signature with a suitable example.
2. Explain the duties of subscribers.
3. Describe a Digital Signature Certificate.
4. Explain control of the private key.

LESSON-4 UNIT V
Penalties and Adjudication

4.1 Introduction
4.2 Objectives
4.3 Penalties and Adjudication
4.4 Appellate Tribunal
4.5 Offences
4.6 Summary
4.7 Exercise

4.1 Introduction

Under the Act, a penalty is imposed by way of damages to be paid as compensation to the affected party for damage caused to any computer, computer system or computer network by unauthorized access, the introduction of a computer virus and other types of mischief. See Fig 4.1.

Fig 4.1: Act and penalty

For adjudicating disputes under the Information Technology Act, Section 46 was enacted, which confers the power to adjudicate contraventions of the Act. The power has been given to an adjudicating officer (the Secretary, Information Technology), who has the power to adjudge the quantum of compensation.

4.2 Objectives

After studying this chapter the student will be able to explain the following:
• Penalties and adjudication
• Penalty for failure to furnish information or returns
• Residuary penalty
• Adjudication: appointment of adjudicating officer
• Penalty for breach of confidentiality and privacy
• Right to legal representation
• Civil court not to have jurisdiction
• Appeal to High Court
• Composition of Cyber Appellate Tribunal
• Appeal to Cyber Appellate Tribunal

4.3 Penalties and Adjudication

Under the Act a penalty is imposed by way of damages to be paid as compensation to the affected party for damage caused to any computer, computer network etc. by introduction of a computer virus, unauthorized access and other types of mischief. For adjudicating disputes under the Information Technology Act, Section 46 was enacted, which confers the power of adjudication. The power has been given to the adjudicating officer (the Secretary, Information Technology), who has the power to adjudge the quantum of compensation.

4.3.1.
Penalty for damage to computer, computer system etc. (Sec. 43) If any person indulges in any of the following acts, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, he shall be liable to pay damages by way of compensation to the person so affected: (a) Accesses or secures access to such computer, computer system or computer network; (b) Downloads, copies or extracts any data, computer date-base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; (c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; (d) damages or causes to be damaged any computer, computer system or computer network, data computer data base or any other programmes residing in such computer, computer system or computer network; (e) Disrupts or causes disruption of any computer, computer system or computer network; (f) Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means; 177 (g) Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act. Rules or Regulations made hereunder; (h) Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network. He shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. 
Explanation: For the purposes of this section,
i) Computer contaminant means any set of computer instructions that are designed:
a) to modify, destroy, record or transmit data or programmes residing within a computer, computer system or computer network;
b) by any means to usurp the normal operation of the computer, computer system or computer network;
ii) Computer data-base means a representation of information, knowledge, facts, concepts or instructions in text, image, audio or video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
iii) Computer virus means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer;
iv) Damage means to destroy, alter, delete, add, modify or rearrange any computer resource by any means;
v) Computer source code means the listing of programmes, computer commands, design and layout and programme analysis of a computer resource in any form.

4.3.2. Penalty for failure to furnish information, return, etc. (Sec. 44)
If any person who is required under this Act or any rules or regulations made thereunder to:
a) Furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;
b) File any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file the return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
c) Maintain books of account or records fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.

4.3.3. Residuary Penalty (Sec. 45)
Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

4.3.4. Adjudication - Appointment of Adjudicating Officer (Sec. 46)
For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder, the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.

No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.

Where more than one adjudicating officer is appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.

4.3.5. Powers
Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of Section 58:
i) All proceedings before it shall be deemed to be judicial proceedings within the meaning of Sections 193 and 228 of the Indian Penal Code (45 of 1860);
ii) It shall be deemed to be a civil court for the purposes of Sections 345 and 346 of the Code of Criminal Procedure, 1973 (2 of 1974).

[Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to ₹5,00,00,000 [see section 46(1A) of the Act].
For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority. In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by the Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003. It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.]

Factors to be taken into account by the adjudicating officer (Sec. 47)
While adjudging the quantum of compensation under this Chapter, the adjudicating officer shall have due regard to the following factors, namely:
a) The amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b) The amount of loss caused to any person as a result of the default;
c) The repetitive nature of the default.

Penalty for Misrepresentation (Sec. 71)
Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Electronic Signature Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Penalty for Breach of Confidentiality and Privacy (Sec. 72)
Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Punishment for Disclosure of Information in Breach of Lawful Contract (Sec. 72A)
Any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

Penalty for Publishing Electronic Signature Certificate False in Certain Particulars (Sec. 73)
(1) No person shall publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that:
a) the Certifying Authority listed in the certificate has not issued it; or
b) the subscriber listed in the certificate has not accepted it; or
c) the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying an electronic signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Publication for Fraudulent Purpose (Sec. 74)
Whoever knowingly creates, publishes or otherwise makes available an Electronic Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Exercise 1
1. Adjudication - Appointment of Adjudicating Officer. Comment.
2. Explain the Penalty for Publishing Electronic Signature Certificate False in Certain Particulars.
3. Describe the Publication for Fraudulent Purpose.

4.4 Appellate Tribunal
The IT Act, 2000 deals with the establishment of one or more Appellate Tribunals, to be known as the Cyber Appellate Tribunal, to exercise the jurisdiction, powers and authority conferred under the Act.

4.4.1 Establishment of Cyber Appellate Tribunal (Sec. 48)
i. The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Regulations Appellate Tribunal.
ii. The Central Government shall also specify, in the notification referred to in sub-section (1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction.

4.4.2. Composition of Cyber Appellate Tribunal (Sec. 49)
i) The Cyber Appellate Tribunal shall consist of a Chairperson and such number of other Members as the Central Government may, by notification in the Official Gazette, appoint:
Provided that the person appointed as the Presiding Officer of the Cyber Appellate Tribunal under the provisions of this Act immediately before the commencement of the Information Technology (Amendment) Act, 2008 shall be deemed to have been appointed as the Chairperson of the said Cyber Appellate Tribunal under the provisions of this Act as amended by the Information Technology (Amendment) Act, 2008.
ii) The selection of the Chairperson and Members of the Cyber Appellate Tribunal shall be made by the Central Government in consultation with the Chief Justice of India.
iii) Subject to the provisions of this Act:
a) The jurisdiction, powers and authority of the Cyber Appellate Tribunal may be exercised by the Benches thereof;
b) A Bench may be constituted by the Chairperson of the Cyber Appellate Tribunal with one or two Members of such Tribunal as the Chairperson may deem fit;
c) The Benches of the Cyber Appellate Tribunal shall sit at New Delhi and at such other places as the Central Government may, in consultation with the Chairperson of the Cyber Appellate Tribunal, by notification in the Official Gazette, specify;
d) The Central Government shall, by notification in the Official Gazette, specify the areas in relation to which each Bench of the Cyber Appellate Tribunal may exercise its jurisdiction.
iv) Notwithstanding anything contained in sub-section (3), the Chairperson of the Cyber Appellate Tribunal may transfer a Member of such Tribunal from one Bench to another Bench.
v) If at any stage of the hearing of any case or matter it appears to the Chairperson or a Member of the Cyber Appellate Tribunal that the case or matter is of such a nature that it ought to be heard by a Bench consisting of more Members, the case or matter may be transferred by the Chairperson to such Bench as the Chairperson may deem fit.

4.4.3. Qualifications for appointment as Chairperson and Member of the Cyber Appellate Tribunal (Sec. 50)
1) A person shall not be qualified for appointment as a Chairperson of the Cyber Appellate Tribunal unless he is, or has been, or is qualified to be, a Judge of a High Court.
2) The Members of the Cyber Appellate Tribunal, except the Judicial Member to be appointed under sub-section (3), shall be appointed by the Central Government from amongst persons having special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs:
Provided that a person shall not be appointed as a Member unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary to the Government of India or any equivalent post in the Central Government or State Government for a period of not less than one year, or Joint Secretary to the Government of India or any equivalent post in the Central Government or State Government for a period of not less than seven years.
3) The Judicial Members of the Cyber Appellate Tribunal shall be appointed by the Central Government from amongst persons who are or have been members of the Indian Legal Service and have held the post of Additional Secretary for a period of not less than one year or a Grade I post of that Service for a period of not less than five years.

4.4.4. Term of office, conditions of service, etc., of Chairperson and Members (Sec. 51)
1) The Chairperson or Member of the Cyber Appellate Tribunal shall hold office for a term of five years from the date on which he enters upon his office or until he attains the age of sixty-five years, whichever is earlier.
2) Before appointing any person as the Chairperson or Member of the Cyber Appellate Tribunal, the Central Government shall satisfy itself that the person does not have any such financial or other interest as is likely to affect prejudicially his functions as such Chairperson or Member.
3) An officer of the Central Government or State Government, on his selection as the Chairperson or Member of the Cyber Appellate Tribunal, as the case may be, shall have to retire from service before joining as such Chairperson or Member.

4.4.5. Salary, allowances and other terms and conditions of service of Chairperson and Members (Sec. 52)
The salary and allowances payable to, and the other terms and conditions of service including pension, gratuity and other retirement benefits of, the Chairperson or a Member of the Cyber Appellate Tribunal shall be such as may be prescribed.

4.4.6. Powers of superintendence, direction, etc. (Sec. 52A)
The Chairperson of the Cyber Appellate Tribunal shall have powers of general superintendence and directions in the conduct of the affairs of that Tribunal and he shall, in addition to presiding over the meetings of the Tribunal, exercise and discharge such powers and functions of the Tribunal as may be prescribed.

4.4.7. Distribution of business among Benches (Sec. 52B)
Where Benches are constituted, the Chairperson of the Cyber Appellate Tribunal may, by order, distribute the business of that Tribunal amongst the Benches and also the matters to be dealt with by each Bench.

4.4.8. Power of Chairperson to transfer cases (Sec. 52C)
On the application of any of the parties and after notice to the parties, and after hearing such of them as he may deem proper to be heard, or suo motu without such notice, the Chairperson of the Cyber Appellate Tribunal may transfer any case pending before one Bench, for disposal, to any other Bench.

4.4.9. Decision by majority (Sec. 52D)
If the Members of a Bench consisting of two Members differ in opinion on any point, they shall state the point or points on which they differ, and make a reference to the Chairperson of the Cyber Appellate Tribunal, who shall hear the point or points himself, and such point or points shall be decided according to the opinion of the majority of the Members who have heard the case, including those who first heard it.

4.4.10. Filling up of vacancies (Sec. 53)
If, for reason other than temporary absence, any vacancy occurs in the office of the Chairperson or Member, as the case may be, of a Cyber Appellate Tribunal, then the Central Government shall appoint another person in accordance with the provisions of this Act to fill the vacancy, and the proceedings may be continued before the Cyber Appellate Tribunal from the stage at which the vacancy is filled.

4.4.11. Resignation [Sec. 54(1)]
The Chairperson or a Member of a Cyber Appellate Tribunal may, by notice in writing under his hand addressed to the Central Government, resign his office:
Provided that the said Chairperson or Member shall, unless he is permitted by the Central Government to relinquish his office sooner, continue to hold office until the expiry of three months from the date of receipt of such notice or until a person duly appointed as his successor enters upon his office or until the expiry of his term of office, whichever is the earliest.

4.4.12. Removal [Sec. 54(2), (3)]
The Chairman or a Member of the Cyber Appellate Tribunal shall not be removed from his office except by an order by the Central Government on the ground of proved misbehaviour or incapacity after an inquiry made by a Judge of the Supreme Court in which the Presiding Officer concerned has been informed of the charges against him and given a reasonable opportunity of being heard in respect of those charges. The Central Government may, by rules, regulate the procedure for the investigation of misbehaviour or incapacity of the aforesaid Chairperson or Member.

4.4.13. Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings (Sec. 55)
No order of the Central Government appointing any person as the Chairperson or a Member of a Cyber Appellate Tribunal shall be called in question in any manner, and no act or proceeding before a Cyber Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Tribunal.

4.4.14. Appeal to Cyber Appellate Tribunal (Sec. 57)
Any person aggrieved by an order made by an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter. No appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.

4.4.15. Period
Every appeal shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the person aggrieved, and it shall be in such form and be accompanied by such fee as may be prescribed:
Provided that the Cyber Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.

4.4.16. Order by Tribunal
On receipt of an appeal under sub-section (1), the Cyber Appellate Tribunal may, after giving the parties to the appeal an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. The Cyber Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer. The appeal filed before the Cyber Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible, and endeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal.

4.4.17. Powers of the Cyber Appellate Tribunal (Sec. 58)
The Cyber Appellate Tribunal shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, the Cyber Appellate Tribunal shall have powers to regulate its own procedure, including the place at which it shall have its sittings.
The Cyber Appellate Tribunal shall have, for the purposes of discharging its functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908), while trying a suit, in respect of the following matters, namely:
a) Summoning and enforcing the attendance of any person and examining him on oath;
b) Requiring the discovery and production of documents or other electronic records;
c) Receiving evidence on affidavits;
d) Issuing commissions for the examination of witnesses or documents;
e) Reviewing its decisions;
f) Dismissing an application for default or deciding it ex parte;
g) Any other matter which may be prescribed.

Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196, of the Indian Penal Code, and the Cyber Appellate Tribunal shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974).

4.4.18. Right to legal representation (Sec. 59)
The appellant may either appear in person or authorize one or more legal practitioners or any of its officers to present his or its case before the Cyber Appellate Tribunal.

4.4.19. Civil court not to have jurisdiction (Sec. 61)
No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine, and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

4.4.20. Appeal to High Court (Sec. 62)
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order:
Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.

4.4.21. Compounding of contraventions (Sec. 63)
(1) Any contravention under this Act may, either before or after the institution of adjudication proceedings, be compounded by the Controller or such other officer as may be specially authorized by him in this behalf, or by the adjudicating officer, as the case may be, subject to such conditions as the Controller or such other officer or the adjudicating officer may specify:
Provided that such sum shall not, in any case, exceed the maximum amount of the penalty which may be imposed under this Act for the contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who commits the same or a similar contravention within a period of three years from the date on which the first contravention committed by him was compounded.
Explanation: For the purposes of this sub-section, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded shall be deemed to be a first contravention.

4.4.22. Recovery of Penalty (Sec. 64)
A penalty imposed or compensation awarded under this Act, if it is not paid, shall be recovered as an arrear of land revenue, and the licence or the certificate, as the case may be, shall be suspended till the penalty is paid.

Exercise 3
1. Composition of Cyber Appellate Tribunal.
2. Acceptance of Digital Signature Certificate.
3. Recovery of Penalty.