B.Com.(Hons.)/B.Com.(P.)
Semester-III/IV
SKILL ENHANCEMENT COURSE (SEC)
E-COMMERCE
Unit I-V
SCHOOL OF OPEN LEARNING
UNIVERSITY OF DELHI
Department of Commerce
Graduate Course
E-Commerce
Study Material : Unit I-V
Contents
Unit-I : E-Commerce
Unit-II, Lesson 1 : Online Business Transactions, Rationale of transacting online
Unit-II, Lesson 2 : e-marketing, e-tailing, Online Services, e-auctions, Online Portal
Unit-III : Website Designing, Introduction to HTML tags and attributes: Text formatting, fonts, hypertext links, tables, images, lists, forms, cascading style sheets
Unit-IV, Lesson 1 : E-payment System, Payment Methods: Debit card, Credit card, Smart cards, E-Money, E-Wallets
Unit-IV, Lesson 2 : Automated Clearing House
Unit-V, Lesson 1 : Security and Legal Aspects of E-commerce: E-commerce security – meaning and issues
Unit-V, Lesson 2 : Information Technology Act 2000 – provisions related to offences, secure electronic records, digital signatures, penalties and adjudication
Unit-V, Lesson 3 : Duties of Subscribers
Unit-V, Lesson 4 : Penalties and Adjudication
Editor :
K.B. Gupta
Written by:
Sumita Jain
SCHOOL OF OPEN LEARNING
University of Delhi
5, Cavalry Lane, Delhi-110007
UNIT I
E-COMMERCE
• Introduction to E-Commerce: concepts and significance of E-commerce
• Driving forces of E-commerce
• E-commerce business models: key elements of a business model and categories
• Mechanism dynamics of the World Wide Web and Internet: evolution and features
• Design and launch of an E-commerce website: decisions regarding selection of hardware and software
• Outsourcing vs in-house development of a website
Introduction to E-Commerce Concepts and significance of E-commerce
E-commerce is a technology-mediated exchange between parties (individuals or
organizations) as well as the electronically based intra-or inter-organizational activities
that facilitate such exchanges. It has been defined broadly as the transacting of business
over the Web. Just as the 80’s and early 90’s were characterized by the businesses
achieving greater efficiencies within their organization using information technology, the
last half of this decade is seeing a new wave of increased efficiencies by extending the
information technology to the Web, both to the trading partners, as well as to end
consumers. While efficiencies lead to increased profitability, the Web offers other
advantages, such as greater reach, shorter-term relationships, one-to-one marketing, reintermediation and disintermediation, which are either difficult or impossible to achieve in the
traditional physical economy. Obviously, electronic commerce will first pass through the
phase of “electrification” of current trading practices, and only later evolve into
something radically different from its physical counterpart.
E-commerce, or electronic commerce, is an emerging concept that describes the
process of buying and selling or exchanging products, services and information via
computer networks, including the Internet. It includes all inter-company and intra-company functions (such as marketing, finance, manufacturing, selling, and
negotiation) that enable commerce and use electronic mail, EDI, file transfer, fax,
video conferencing, workflow, or interaction with a remote computer.
E-Business describes the broadest definition of EC. It includes customer service
and intra-business tasks. It is frequently used interchangeably with EC.
E-commerce, or electronic commerce, is defined as “the conducting of business
communication and transactions over networks and through computers”.
E-commerce can be defined from various perspectives as:
• Communications perspective: From a communication perspective, e-commerce is the delivery of goods, services, information or payments over
computer networks, telephone lines or any other electronic means.
• Business perspective: From a business perspective, e-commerce is the
application of technology toward the automation of business transactions.
• Service perspective: From a service perspective, e-commerce is a tool that
addresses the desire of firms, consumers and management to cut service costs
while improving the quality of goods and increasing the speed of service delivery.
• Commercial (trading) perspective: From a commercial perspective, e-commerce provides the capability of buying and selling products, services and
information on the Internet and via other online services.
• Learning perspective: From a learning perspective, e-commerce is an enabler
of online training and education in schools, universities, and other organizations.
• Collaborative perspective: From a collaborative perspective, e-commerce is
the framework of inter- and intra-organizational collaboration.
• Community perspective: From a community perspective, e-commerce
provides a gathering place for community members to learn, transact and
collaborate.
E-Commerce has opened new opportunities for
1. Producers
2. Wholesalers and distributors
3. Big retailers
4. Small entrepreneurs.
E-Commerce
The emergence of electronic commerce started in the early 1970s with the earliest
example being electronic funds transfer (EFT), which allows organizations to transfer
funds between one another electronically. Then another technology, electronic data
interchange (EDI), was introduced. It helps to extend inter-business transactions from
financial institutions to other types of business and also provides transactions and
information exchanges from suppliers to the end customers. However, early
system development was limited to special networks such as those of large corporations and
financial institutions, which are costly and complex to administer for small business.
So EDI was not as widely accepted as expected.
Driving forces of E-commerce
E-Commerce Drivers
There are five drivers that promote e-commerce. These are:
• Digital convergence: The digital revolution has made it possible for almost all
digital devices to communicate with one another. The Internet’s massive growth
during the past 10 years, which is entirely a creation of market forces, will
continue.
• Ubiquity: Today’s e-commerce is available to anyone, anywhere in the world,
24 hours a day, 7 days a week. E-commerce ties together the industrial sector,
merchants, the service sector, and the content provider using text, multimedia,
video, and other technologies.
• Changes in organizations: More and more of today’s businesses empower frontline workers to do the kind of work once performed by junior management. A
trend is also developing toward partnering owners and managers across
departments to develop a chain of relationships that adds value to the enterprise.
• Information density: Global competition and the proliferation of products
and services worldwide have added unusual pressure to keep a close watch on
operating costs and maximize profit margins. E-commerce addresses these
concerns quickly, efficiently, and at a low cost.
• Personalization/Customization: Today’s customers are collectively
demanding higher quality and better performance, including a customized way
of producing, delivering, and paying for goods and services. Mass customization
puts pressure on firms to handle customized requests on a mass-market scale.
E-Commerce Business models-key elements of a business model &
categories
The electronic commerce business model has been divided into four distinct categories.
Fig. 1.2 Categories of E-commerce Business Models: B2B, B2C, C2B, C2C, B2G.
• B2B: Companies can conveniently and quickly check their suppliers’ inventory or
make instant purchases. (Portals linking different business firms or different parts of a business.)
• B2C: B2C is the selling of goods and services to a customer where the transaction takes
place through the Internet. In this model sellers sell products and services directly to
customers. B2C e-business models include virtual malls, which are websites that host many
online transactions. B2C e-commerce refers to the buying and selling of goods via the web,
from web retailers to web customers. (Products or services directly to consumers.)
• C2B: Also called supply chain management or the “demand collection model”, it enables
buyers to name their own prices, often binding, for a specific good or service,
generating demand. The web site collects the demand bids and then offers the bids to
the participating sellers. (Consumers set prices and companies bid to offer products and services.)
• C2C: C2C e-commerce allows unknown, untrusted parties to sell goods and
services to one another. (Consumers buy and sell from each other through a quotation.)
Mechanism Dynamics of World Wide Web and internet-evolution and
features
With the progress of Internet technology and a highly developed global Internet
community, a strong foundation for prosperous electronic commerce continues to be
built. During the 1990s, the Internet was opened for commercial use; it was also the
period in which users started to participate in the World Wide Web (WWW), and in which
personal computer (PC) usage grew rapidly. Due to the rapid
expansion of the WWW network, e-commerce software and peer business
competition, a large number of dot-coms and Internet start-ups appeared. Together
with the commercialization of the Internet, the invention of the Web, and PC networks, these
three important factors made electronic commerce possible and successful.
Framework of E-Commerce
E-commerce is not just having a web site; EC is more than that. There are a number of
EC applications, such as home banking, online shopping, finding a job etc. To execute these
applications, it is necessary to have supporting information and organizational infrastructure.
Figure: Framework of E-Commerce – pillars: public policy (legal and privacy issues); technical
standards for electronic documents, multimedia and network protocols.
The EC applications are supported by infrastructures. Their implementation is dependent
on four major areas (shown as supporting pillars): people, public policy, technical
standards and protocols, and other organizations.
The EC management coordinates the applications, infrastructures, and pillars. It also
includes Internet marketing and advertisement.
Design and launch of E-commerce website - decisions regarding
Selection of hardware and software
For the design and launch of a website there are many decisions, not only about software and
hardware but also about the payment mechanism, cost of shipping, integration using credit card /
debit card, delivery of orders through a delivery company and, most important, payment
methods like cash on delivery, payment by UPI, debit card and credit card.
These points are very important (taking the Deals and You company as the example):
1. Payment: The company provides different payment methods such as credit card,
debit card or cash on delivery.
2. Time: Orders are delivered within 24 hours.
3. Cost: Shipping is not free of cost.
4. Integration: Easy integration using credit and debit cards.
5. Scalability: Only in India.
6. Customization: Easy customization. Registration to dealsandyou.com is free;
users pay only when billed on purchasing a deal from the Deals and You company.
7. Challenges: The Deals and You company makes no warranty for the quality, safety,
usability, or other aspects of the products or services marketed through Deals and You.
8. Platform: E-mail support and phone support.
9. Hardware: Servers used for online orders, 24x7. Big companies use the cloud for
fast access to data at any time, anywhere.
10. Software: Software must be easy for customers and must be customer friendly.
Today most software is used on mobile, so mobile apps must be easy and
consumer friendly.
Some of the popular mobile apps are:
1. Amazon
2. Flipkart
3. Myntra
4. Jio Mart
Outsourcing vs In-house Development of a Website
Fig.: Website Development – In-house Development / Outsourcing.
A website can be maintained by two popular methods:
1. Outsourcing
2. In-house Development
1. Outsourcing: In this method the website is maintained by outside experts and professionals,
who need to be paid to maintain the website. If the business is small then this method is
very good, but in the case of a large volume of business the other method will be
better.
2. In-house Development: In-house development is used when the professionals and
experts work for the company itself; such a team may also provide
services to outside firms as an outsourcing company.
Summary
The emergence of electronic commerce started in the early 1970s with the earliest
example being electronic funds transfer (EFT), which allows organizations to transfer
funds between one another electronically. Then another technology, electronic data
interchange (EDI), was introduced. It helps to extend inter-business transactions from
financial institutions to other types of business and also provides transactions and
information exchanges from suppliers to the end customers. However, early system
development was limited to special networks such as those of large corporations and financial
institutions, which are costly and complex to administer for small business. So EDI
was not as widely accepted as expected.
Exercise
1. Mix and Match
Column A
1. Companies can conveniently and quickly check their suppliers’ inventory or make instant purchases.
2. The selling of goods and services to a customer where the transaction takes place through the
Internet. In this model sellers sell products and services directly to customers. B2C e-business
models include virtual malls, which are websites that host many online transactions. B2C
e-commerce refers to the buying and selling of goods via the web, from web retailers to web customers.
3. Also called supply chain management or the demand collection model.
4. E-Commerce allows unknown, untrusted parties to sell goods and services to one another.
Column B
1. B2C
2. B2B
3. C2C
4. C2B
Ans. 1(2), 2(1), 3(4), 4(3)
2. Fill in the blanks
1. E-Business describes the broadest definition of EC. It includes customer service and
intra-business tasks. It is frequently used ……………..
2. …………….is defined as the conducting of business communication and transactions
over networks and through computers.
3. Servers are used for online orders 24x7. Big companies use the cloud for fast access to
data at ………..
4. Software must be easy for customers and must be customer friendly. Today most
software is used on mobile. …………..must be easier and consumer friendly.
Ans: 1. interchangeably with EC; 2. Electronic commerce; 3. any time any where; 4. So
mobile apps
3. Mark the statements True or False
1. From a business perspective, e-commerce is not the application of technology toward
the automation of business transactions.
2. From a service perspective, e-commerce is a tool that addresses the desire of firms,
consumers and management to cut service costs while not improving the quality of
goods and increasing speed of service delivery.
3. From a commercial perspective, e-commerce provides the capability of buying and
selling products, services and information on the Internet and via other online
services.
4. From a learning perspective, e-commerce is an enabler of online training and
education in schools, universities, and other organizations.
Ans: 1. False 2. False 3. True 4. True
4. Short and Long Questions
1. Define E-Commerce.
2. Driving forces of E-Commerce.
3. E-Commerce models.
4. Design and launch of an E-Commerce website.
5. Outsourcing vs in-house website development.
UNIT II
LESSON-1
Online Business Transactions, Rationale of transacting online
• Online Business Transactions, Rationale of transacting online
• E-commerce applications in various industries (banking, insurance, payment of utility
bills and others)
Online Business Transactions, Rationale of transacting online
E-business transactions involve changes in an organization’s business and functional
processes with the application of the technologies, philosophies and computing paradigms of
the new digital economy. It is an Internet initiative which transforms business
relationships. It includes all aspects of e-commerce. With the help of e-business solutions,
companies have succeeded in developing their technology and increasing their
turnover. Together, e-business and e-commerce have helped create a system of
applications and utilities whereby money, information and services can be exchanged via
the web. It is important to align the main business of the firm with the e-business strategy of
the firm in order to succeed.
Business Models of E-Commerce
To transform the scenario of business, there are various models of e-commerce which are being
proposed to establish an electronic link between business and consumers. These models have
brought business and consumer closer to each other and transformed the way of conducting
business drastically. Business models are classified as follows:
• Business to Consumer (B2C)
• Business to Business (B2B)
• Consumer-to-Consumer or Peer-to-Peer (C2C/P2P)
• Consumer-to-Business (C2B)
• Business to Government (B2G)
Business-to-Consumer (B2C)
When conducting business over the Internet, there are several different transaction or business
models that exist within the world of e-business. One of the most common models in
e-commerce is the Business-to-Consumer (B2C) model. Business to Consumer commerce (B2C)
“applies to any business or organization that sells its products or services to consumers over
the internet for their own use”. In other words, it provides a direct sale between the supplier
and the individual consumer. B2C e-commerce involves what is known as electronic retailing
or e-tailing. E-tailing involves online retail sales. E-tailing makes it easier for a manufacturer
to sell directly to a customer, cutting out the need for an intermediary (retailer). With B2C
transactions there is no need for retailers and therefore no need for a physical store from
which to distribute products. An electronic or Web storefront refers to a single company web
site where products and services are sold. Customers can browse online catalogs or electronic
storefronts when it best suits them. B2C commerce created much hype when it first took
off. The first noticeable success arrived around 1995, when companies like eBay.com
and amazon.com were launched. When the success of these companies took off, many
other imitations were born. However, the market turned sour and many of the B2C
companies crashed. The main things which are browsed and sell well over the Internet
include:
1. Computer hardware and software: While hardware is most popular, more and
more people buy software online as well.
2. Consumer electronics: The second largest product category sold online. Digital
cameras, printers, scanners, and wireless devices (mobile phones) are some of the
electronics bought online.
E-commerce applications in various industries (banking, insurance,
payment of utility bills and others)
Major Activities of B2C E-Commerce
There are various kinds of activities involved in conducting B2C E-Commerce, which are
depicted in Fig. 2.1.
Advantages of Internet auctions:
• Convenience: It gives the participants convenience, as a bidder can stay at his home or
office and still participate in the bidding just as in traditional auctions. In addition, it is
also more convenient for a bidder to find out more about the good being auctioned.
• Flexibility: Traditional auctions allow only synchronous bidding, requiring all bidders
to participate at the same time. In contrast, Internet auctions allow asynchronous bidding
lasting days or weeks, which offers more flexibility to the bidders.
• Increased reach: The potential reach of an Internet-based auction site is global and
thus the market for the auctioned good is very large.
• Economical to operate: These are cheaper to run, as a lot of the costs relating to the
infrastructure required for a conventional auction system are not necessary.
Disadvantages of Internet auctions:
• Inspection of goods: In an Internet-based auction, it is not possible to physically inspect
the goods. The bidders have to rely on the information provided or sometimes may have
to rely on some electronic images of the goods on auction.
• Potential for fraud: The Internet bidder has to trust that the seller would actually send
the good for which he paid. Also, the payments are made by providing credit card details
through the Internet, which may not always be safe.
Banking: Transfer of money from one bank to another using various methods
1. Online Banking
(i) NEFT
(ii) RTGS
(i) NEFT - The acronym “NEFT” stands for National Electronic Funds
Transfer. Funds are transferred to the credit account with the other
participating bank using RBI’s NEFT service. RBI acts as the service
provider and transfers the credit to the other bank’s account.
(ii) RTGS - The acronym “RTGS” stands for Real Time Gross Settlement. The
RTGS system facilitates transfer of funds from accounts in one bank to
another on a “real time” and “gross settlement” basis. The RTGS system
is the fastest possible inter-bank money transfer facility available through
secure banking channels in India.
Payment of insurance instalments, payment of utility bills and others can be easily
done using various methods:
1. Debit Card
2. Credit Card
3. UPI App
3.1 Paytm
3.2 MobiKwik
3.3 Jio
4. Cash
5. NEFT
6. RTGS
Problems with the traditional payment systems
There are many problems with the traditional payment systems that are leading to their
fade-out. Some of them are enumerated below:
• Lack of convenience: Traditional payment systems require the consumer to
either send paper cheques by snail mail or require him/her to physically come
over and sign papers before performing a transaction. This may lead to annoying
circumstances sometimes.
• Lack of security: This is because the consumer has to send all confidential data
on paper, which is not encrypted, and that too by post, where it may be read by
anyone.
• Lack of coverage: When we talk in terms of current businesses, they span many
countries or states. These business houses need faster transactions everywhere.
This is not possible without the bank having a branch near all of the company’s
offices. This statement is self-explanatory.
• Lack of eligibility: Not all potential buyers may have a bank account.
• Lack of support for micro-transactions: Many transactions done on the Internet
are of very low cost, though they may involve data flow between two countries.
The same, if done on paper, may not be feasible at all.
To overcome the problems and drawbacks of traditional payment systems, several new
electronic payment systems have been developed, like e-cash, e-cheques, credit cards, smart
cards etc.
Electronic Payment System (EPS)
Electronic payment systems are online payment systems. The goal of their
development is to create analogs of checks and cash on the Internet.
Features of EPS
An EPS implements all or some of the following features:
1. Protecting customers from merchant’s fraud by keeping credit card numbers
unknown to merchants.
2. Allowing people without credit cards to engage in online transactions.
3. Protecting confidentiality of customers.
4. In some cases providing anonymity of customers (“electronic cash”).
For online shopping, almost everyone loves the convenience of online payments
rather than the burdensome task of mailing funds for a purchase. As a business owner,
you also can experience a huge decrease in the time it takes to get your funds into your
hands.
In order for payment processing to work successfully, multiple entities have to be
working in a coordinated or compatible system. Here are some of the entities involved:
• Customer gateway
• Bank clearinghouse
• Merchant
Types of Electronic Payment Systems
There are various kinds of payment systems available for electronic transactions,
like electronic tokens, e-cash and e-cheques. Now let’s discuss these systems and the
associated issues in detail:
1. Electronic Tokens: An electronic token is a digital analog of various forms of
payment backed by a bank or financial institution. There are two types of tokens:
(a) Real Time Tokens (Pre-paid tokens): These are exchanged between buyer and
seller; their users pre-pay for tokens that serve as currency. Transactions are
settled with the exchange of these tokens. Examples of these are DigiCash, debit
cards etc.
(b) Post Paid Tokens: These are used with fund transfer instructions between the
buyer and seller. Examples: electronic cheques, credit card data etc.
2. Electronic or Digital Cash: This combines computerized convenience with security
and privacy that improve upon paper cash. Cash is still the dominant form of payment
because the consumer still mistrusts the banks, non-cash transactions are inefficiently
cleared and, in addition, real interest rates on bank deposits are negative. Some
qualities of cash are:
• Cash is legal tender, i.e. the payee is obliged to take it.
• It is negotiable, i.e. it can be given or traded to someone else.
• It is a bearer instrument, i.e. possession is proof of ownership.
• It can be held and used by anyone, even those without a bank account.
• It places no risk on the part of the acceptor.
The following are the limitations of debit and credit cards:
• They are identification cards owned by the issuer and restricted to one user, i.e.
they cannot be given away.
• They are not legal tender.
• Their usage requires an account relationship and an authorization system.
Properties of Digital Cash
Properties of digital cash are:
• Must have a monetary value: It must be backed by cash (currency), bank-authorized
credit or a bank-certified cashier’s check.
• Must be interoperable or exchangeable: Must be interoperable or exchangeable
as payment for other digital cash, paper cash, goods, services, lines of credit, bank
notes or obligations, electronic benefit transfers and the like.
• Must be storable and retrievable: Cash could be stored on a remote computer’s
memory, in smart cards, or on other easily transported standard or special-purpose
devices. Remote storage or retrieval would allow users to exchange digital cash
from home or office or while traveling.
• Should not be easy to copy or tamper with while it is being exchanged. This is
achieved by using the following technologies, which are nothing but new and very
efficient versions of the old art of cryptography.
Digital cash is based on cryptographic systems called “digital signatures”, similar to
the signatures used by banks on paper cheques to authenticate a customer. Purchase of
digital cash from an online currency server (or bank) involves 2 steps:
(i) Establishment of an account: in this step we are given a unique digital number
which also becomes our digital signature. As it is a number known only to the
customer and the bank, forgery, which may be done with paper cheques, becomes
very difficult.
(ii) Maintenance of sufficient money in the account is required to back any purchase.
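The two steps above can be seen in a small simulation. This is an added example in Go, not code from the study material or from any real e-cash system: the bank signs each coin with a standard Ed25519 key pair (used here in place of the unspecified “digital signature” of the text), a merchant verifies coins with the bank’s public key, and the bank keeps the serial numbers it has already redeemed, so a copied coin is rejected. Bank, Coin, Withdraw and Deposit are the example’s own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Coin is one unit of digital cash: a random serial and a value, both covered by
// the bank's signature. Without the bank's private key nobody can mint or alter one.
type Coin struct {
	Serial [16]byte
	Value  uint32 // smallest currency unit (assumed: paise)
	Sig    []byte // Ed25519 signature over payload()
}

// payload is the byte string the bank signs: serial || big-endian value.
func (c Coin) payload() []byte {
	buf := make([]byte, 20)
	copy(buf, c.Serial[:])
	binary.BigEndian.PutUint32(buf[16:], c.Value)
	return buf
}

// Bank is the online currency server of the text: it holds the signing key,
// the account balances that back each coin (step ii) and the serials of coins
// already deposited, which is what makes a copied coin worthless.
type Bank struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	balances map[string]uint32
	spent    map[[16]byte]bool
}

// NewBank generates the bank's key pair and opens the given accounts (step i).
func NewBank(opening map[string]uint32) (*Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	b := &Bank{priv: priv, Pub: pub, balances: map[string]uint32{}, spent: map[[16]byte]bool{}}
	for acct, bal := range opening {
		b.balances[acct] = bal
	}
	return b, nil
}

// Balance reports an account's current balance.
func (b *Bank) Balance(acct string) uint32 { return b.balances[acct] }

// Withdraw debits the account and returns a freshly signed coin of that value.
func (b *Bank) Withdraw(acct string, value uint32) (Coin, error) {
	if value == 0 || b.balances[acct] < value {
		return Coin{}, errors.New("insufficient funds to back the coin")
	}
	c := Coin{Value: value}
	if _, err := rand.Read(c.Serial[:]); err != nil {
		return Coin{}, err
	}
	c.Sig = ed25519.Sign(b.priv, c.payload())
	b.balances[acct] -= value
	return c, nil
}

// VerifyCoin is the merchant-side check: does the bank's signature match the
// serial and value presented? A coin whose value was edited fails here.
func VerifyCoin(pub ed25519.PublicKey, c Coin) bool {
	return ed25519.Verify(pub, c.payload(), c.Sig)
}

// Deposit credits the merchant after verifying the signature and confirming
// that this serial has never been deposited before (the double-spend check).
func (b *Bank) Deposit(merchant string, c Coin) error {
	if !VerifyCoin(b.Pub, c) {
		return errors.New("coin rejected: invalid bank signature")
	}
	if b.spent[c.Serial] {
		return errors.New("coin rejected: serial already spent")
	}
	b.spent[c.Serial] = true
	b.balances[merchant] += c.Value
	return nil
}

func main() {
	// Constructed sample accounts: a customer holding 100 and a shop holding 0.
	bank, err := NewBank(map[string]uint32{"customer": 100, "shop": 0})
	if err != nil {
		panic(err)
	}
	coin, _ := bank.Withdraw("customer", 40)
	fmt.Println("merchant verifies coin:", VerifyCoin(bank.Pub, coin)) // true
	fmt.Println("first deposit:", bank.Deposit("shop", coin))           // <nil>
	fmt.Println("same coin again:", bank.Deposit("shop", coin))         // coin rejected: serial already spent
	forged := coin
	forged.Value = 400
	fmt.Println("edited coin verifies:", VerifyCoin(bank.Pub, forged)) // false
}
```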
3. Electronic Cheques: Electronic cheques are modeled on paper cheques, except
that they are initiated electronically. They use digital signatures for signing and
endorsing and require the use of digital certificates to authenticate the payer, the
payer’s bank and bank account. They are delivered either by direct transmission using
telephone lines or by public networks such as the Internet.
Benefits of electronic cheques:
Some benefits of electronic cheques are:
• Well suited for clearing micro payments. Conventional cryptography of e-cheques
makes them easier to process than systems based on public key cryptography (like
digital cash).
• They can serve corporate markets. Firms can use them in a more cost-effective manner.
• They create float, and the availability of float is an important requirement of commerce.
4. Credit Card
Fig. 6.1. Credit Card and its Machine.
A credit card is an instrument of payment which enables the cardholder to obtain
either goods or services from merchants where arrangements have been made to
reimburse the merchant. The outstanding amount is payable by the cardholder to the bank
over a specified period, which carries a fixed amount of interest also.
It is a source of revolving credit. A number of parties are involved in a credit card
transaction, and there is a contract between the card issuer and the card holder whereby
the card holder is allowed to make use of the card at specified retail outlets (member
establishments) to pay for goods and services. There is also another separate agreement
between the card organization and the member establishments. When a card holder
makes purchases from specified retail outlets, the retail outlets make out bills to the
account of the cardholder and obtain payment from the card organization, which in turn
makes a monthly bill to the bank which issued the card. The bank makes payment by
debiting the customer’s account subsequently. The whole process takes about 30 to 40 days
and during this period the card holder enjoys credit.
How Credit Card Works
Credit cards work in an e-government application as they work in the physical world.
Citizens enter credit card information into a Web application to pay for goods or services.
A government credit card application should invoke required data and business-rule
edits to validate online data elements. Some of the edits could include user name,
password, merchant ID, account number, expiration date, amount, and customer-billing
data.
Once the validity of required data has passed the credit card application edits, the
authenticity of the cardholder’s card and account number must be validated, and the
transaction amount must be within the cardholder’s credit limits. Processor-required
elements could include merchant ID, account number, expiration date, amount,
customer-billing data, card type, and Card Verification Value (CVV).
When all required edits are passed, the transaction is transmitted to the credit card
processor and associated networks for authorization. The credit card-processing network
returns an authorization approval, which indicates that the credit card is valid and the
amount is within the cardholder’s credit limit. A denial code will be returned when
the credit card cannot be authenticated or credit limits have been exceeded. The
opportunity to use another card or some other payment option might be offered.
Fig. 6.2. Working of Credit Card.
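The sequence just described, as an added worked example in Python (not code from the study material): the application-level data edits run first, and only a transaction that passes them is sent on for the issuer-side check of card authenticity and credit limit, which returns an approval or a denial code. The card number, merchant ID, billing data, credit limit and response codes are constructed for illustration.

```python
"""Added example: merchant-side data edits followed by issuer-side
authorization for a card-not-present payment. All card numbers, merchant IDs,
billing data, response codes and credit limits are constructed for illustration
(4111 1111 1111 1111 is a widely used Luhn-valid test number)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Data elements the Web application must collect before calling the processor.
REQUIRED = ("merchant_id", "account_number", "exp_month", "exp_year",
            "amount", "billing_name", "billing_zip", "card_type", "cvv")
TODAY = date(2024, 6, 15)   # fixed "today" so the expiry edit is deterministic


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit on the account number: catches typos, not fraud."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_valid(month: int, year: int, today: date) -> bool:
    """A card stays usable through the last day of its expiry month."""
    return 1 <= month <= 12 and (year, month) >= (today.year, today.month)


def data_edits(txn: dict, today: date = TODAY) -> list[str]:
    """Business-rule edits run by the application before transmission.
    Returns the names of the edits that failed (empty list = all passed)."""
    errors = [f"missing:{k}" for k in REQUIRED if txn.get(k) in (None, "")]
    if errors:
        return errors
    if not luhn_valid(txn["account_number"]):
        errors.append("bad_account_number")
    if not expiry_valid(txn["exp_month"], txn["exp_year"], today):
        errors.append("expired")
    if not (txn["cvv"].isdigit() and len(txn["cvv"]) in (3, 4)):
        errors.append("bad_cvv")
    if txn["amount"] <= 0:
        errors.append("bad_amount")
    return errors


@dataclass
class IssuerAccount:
    """Issuer's view of one cardholder (constructed). Real issuers derive the
    CVV from a key rather than storing it; it is a plain field here."""
    cvv: str
    credit_limit: float
    outstanding: float   # amount already owed on the revolving credit

    def available(self) -> float:
        return self.credit_limit - self.outstanding


def issuer_authorize(txn: dict, accounts: dict[str, IssuerAccount]) -> tuple[str, str]:
    """Processor/issuer step: authenticate the card, then check the limit.
    The response codes are constructed, not a real network's code table."""
    acct = accounts.get(txn["account_number"])
    if acct is None or acct.cvv != txn["cvv"]:
        return ("DENIED", "CARD_NOT_AUTHENTICATED")
    if txn["amount"] > acct.available():
        return ("DENIED", "CREDIT_LIMIT_EXCEEDED")
    acct.outstanding += txn["amount"]   # hold the amount against the limit
    return ("APPROVED", "00")


def process_payment(txn: dict, accounts: dict[str, IssuerAccount],
                    today: date = TODAY) -> tuple[str, str]:
    """Full flow: application edits first, then network authorization."""
    errors = data_edits(txn, today)
    if errors:          # never transmit a transaction that fails the edits
        return ("REJECTED", ",".join(errors))
    return issuer_authorize(txn, accounts)


def make_accounts() -> dict[str, IssuerAccount]:
    """Fresh issuer records for one run (constructed sample data)."""
    return {"4111111111111111": IssuerAccount(cvv="123", credit_limit=1000.0,
                                               outstanding=250.0)}


def sample_txn(**overrides) -> dict:
    """A constructed citizen payment of 150.00 to merchant GOV-001."""
    txn = {"merchant_id": "GOV-001", "account_number": "4111111111111111",
           "exp_month": 12, "exp_year": 2026, "amount": 150.0,
           "billing_name": "A. Citizen", "billing_zip": "110007",
           "card_type": "VISA", "cvv": "123"}
    txn.update(overrides)
    return txn
```

`process_payment(sample_txn(), make_accounts())` returns `('APPROVED', '00')`; passing `amount=800.0` exceeds the 750.00 available on the constructed account and returns the denial code instead.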
5. Debit Card: Debit cards are also known as check cards. Debit cards look like credit
cards or Automated Teller Machine (ATM) cards, but they operate like cash or
personal checks. Debit cards are different from credit cards. While a credit card is a
way to “pay later,” a debit card is a way to “pay now.” When a debit card is used,
money is quickly deducted from the related checking or savings account. Debit
cards are accepted at many locations, including grocery stores, retail stores,
gasoline stations, and restaurants. Debit cards can be used anywhere merchants
display the card’s brand name or logo. Debit cards offer an alternative to carrying a
checkbook or cash.
In the following picture the basic components of an ATM machine are shown, through
which we can carry out various kinds of transactions like balance enquiry,
cash withdrawal, cash deposit, online payments, mini statements and online
recharge of prepaid mobile cards of Hutch, Airtel etc. It has the following
components:
• Signage
• Transaction Screen
• Card Reader
• Receipt Printer
• Audio Port
• Cassette options
• Envelope options (for cash deposit in some machines)
Fig. 6.3. ATM Machine.
Debit means “subtract.” When a debit card is used, money is subtracted from the
related bank account. Debit cards allow only the amount in the bank account to be spent
and provide for quick transactions between merchants and personal bank accounts.
“Online” debit cards are usually enhanced ATM cards that work in the same manner
as an ATM transaction, allowing for an immediate electronic transfer of money from a
consumer’s bank account to a merchant’s bank account. To access an account at a store
terminal, a PIN must be entered, just as in an ATM transaction, giving the system
authorization to check an account to see if it contains enough money to cover the
transaction.
The main advantages of debit cards are:
(a) There is no need to carry cash.
(b) It is quick and less complicated than using a cheque.
(c) It can also be used for withdrawals of cash.
(d) Its holder can have a record of the transactions in his bank statement, which will
enable him to plan and control the expenditure.
(e) It can be issued to any individual without assessing credit worthiness.
Advantages of Electronic Payment System
The various factors that have led financial institutions to make use of
electronic payments are:
1. Decreasing technology cost: The cost of the technology used in the networks is decreasing
day by day, which is evident from the fact that computers are now dirt-cheap and
Internet access is becoming free almost everywhere in the world.
2. Reduced operational and processing cost: Due to reduced technology cost, the
processing cost of various commerce activities becomes very low. A very simple
reason to prove this is the fact that in electronic transactions we save both paper
and time.
3. Increasing online commerce: The above two factors have led many institutions
to go online, and many others are following them.
Fig. 6.4. Electronic Payment System.
Problems in implementing EPS: The problems in implementing electronic payment
systems, especially anonymous electronic money, are:
1. Preventing double spending: copying the “money” and spending it several times. This
is especially hard to do with anonymous money.
2. Making sure that neither the customer nor the merchant can make an unauthorized
transaction.
3. Preserving the customer’s confidentiality without allowing customer fraud.
Electronic payment is a financial exchange that takes place online between buyers and
sellers. The content of this exchange is usually some form of digital financial instrument
(such as encrypted credit card numbers, electronic cheques or digital cash) that is
backed by a bank or an intermediary or by a legal tender.
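Problem 1 above, double spending, as an added example in Python (not code from the study material): the bank keeps only a register of redeemed serial numbers, so a copied token is caught at deposit without the bank learning who paid with it, which is what makes the check workable for anonymous money. The secret key, token format and merchant names are constructed, and an HMAC stands in for the blind public-key signature a real scheme would use.

```python
"""Added example: bank-side double-spend detection for anonymous token money.
The key, token format and merchant names are constructed; the HMAC is a
stand-in for the (blind) public-key signature a real scheme would use."""
import hashlib
import hmac
import secrets


class Mint:
    """Issues value tokens and keeps the set of serial numbers already redeemed.
    The mint stores no link between a serial and the customer who withdrew it,
    so a deposit reveals only that a token is genuine and unspent, not the payer."""

    def __init__(self, key: bytes):
        self._key = key
        self._spent: set[str] = set()

    def _tag(self, serial: str, value: int) -> str:
        # Binds the value to the serial; a changed value or serial breaks the tag.
        return hmac.new(self._key, f"{serial}:{value}".encode(),
                        hashlib.sha256).hexdigest()

    def withdraw(self, value: int) -> dict:
        """Customer withdraws a token: random serial plus the bank's tag over it."""
        serial = secrets.token_hex(16)
        return {"serial": serial, "value": value, "tag": self._tag(serial, value)}

    def deposit(self, token: dict, merchant: str) -> tuple[bool, str]:
        """Merchant redeems a token. Order matters: authenticity first, then
        the spent check, so a forged serial never enters the spent set."""
        if not hmac.compare_digest(self._tag(token["serial"], token["value"]),
                                   token["tag"]):
            return (False, "rejected: forged or altered token")
        if token["serial"] in self._spent:
            return (False, "rejected: double spend, serial already redeemed")
        self._spent.add(token["serial"])
        return (True, f"credited {token['value']} to {merchant}")


def demo() -> list[tuple[bool, str]]:
    """One token spent at shop-a, a byte-for-byte copy at shop-b, and a copy
    with the value edited at shop-c. Constructed scenario."""
    bank = Mint(key=b"constructed-demo-key-do-not-reuse")
    coin = bank.withdraw(100)
    copy = dict(coin)                 # the payer keeps a copy of the token
    altered = dict(coin, value=500)   # and a copy with the value inflated
    return [bank.deposit(coin, "shop-a"),
            bank.deposit(copy, "shop-b"),
            bank.deposit(altered, "shop-c")]
```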
Risks Associated With Electronic Payments
Electronic payments are steadily replacing traditional vehicles like currency and the
paper check as a preferred means of payment in the world.
The volume growth of electronic payments and the wider array of payment vehicles
now in common use has made managing the risks associated with these payments more
important than ever to consumers, businesses, financial institutions, and the economy as a
whole.
The notion of security of payment is clearly insufficient to provide an appropriate
conceptual framework for the technical and institutional design of Internet payment systems.
There is a need for a broader approach of risk management. Such an approach recognizes that
electronic payment entails a series of interrelated risks: financial risks, technological
risks, operational risks, and legal risks. Some of those risks are generic to the banking
business; others are specific to electronic payments, such as interception of messages and
break-ins into the security infrastructure.
 Operational Risk: Operational risk arises from the potential for loss due to
significant deficiencies in system reliability or integrity. Security considerations are
paramount, as banks may be subject to external or internal attacks on their systems or
products. Operational risk can also arise from customer misuse, and from
inadequately designed or implemented electronic banking and electronic money
systems. Many of the specific possible manifestations of these risks apply to both
electronic banking and electronic money.
 Credit Risk: Credit risk is the risk that a counterparty will not settle an obligation for
full value, either when due or at any time thereafter. Banks engaging in electronic
banking activities may extend credit via non-traditional channels, and expand their
market beyond traditional geographic boundaries. Inadequate procedures to determine
the creditworthiness of borrowers applying for credit via remote banking procedures
could heighten credit risk for banks. Banks engaged in electronic bill payment
programs may face credit risk if a third-party intermediary fails to carry out its
obligations with respect to payment. Banks that purchase electronic money from an
issuer in order to resell it to customers are also exposed to credit risk in the event the
issuer defaults on its obligations to redeem the electronic money.
 Legal Risk: Legal risk arises from violations of, or non-conformance with, laws,
rules, regulations, or prescribed practices, or when the legal rights and obligations of
parties to a transaction are not well established. Given the relatively new nature of
many retail electronic banking and electronic money activities, rights and obligations
of parties to such transactions are, in some cases, uncertain. For example, the application
of some consumer protection rules to electronic banking and electronic money
activities in some countries may not be clear. In addition, legal risk may arise from
uncertainty about the validity of some agreements formed via electronic media.
Electronic money schemes may be attractive to money launderers if the systems offer
liberal balance and transaction limits, and provide for limited auditability of transactions.
Application of money laundering rules may be inappropriate for some forms of electronic
payments. Because electronic banking can be conducted remotely, banks may face
increased difficulties in applying traditional methods to prevent and detect criminal
activity.
Banks engaging in electronic banking and electronic money activities can face
legal risk with respect to customer disclosures and privacy protection. Customers who
have not been adequately informed about their rights and obligations may bring suit
against a bank. Failure to provide adequate privacy protection may also subject a bank to
regulatory sanctions in some countries.
Banks choosing to enhance customer service by linking their Internet sites to other
sites also can face legal risks. A hacker may use the linked site to defraud a bank
customer, and the bank could face litigation from the customer.
As electronic commerce expands, banks may seek to play a role in electronic
authentication systems, such as those using digital certificates. The role of a certification
authority may expose a bank to legal risk. For example, a bank acting as a certification
authority may be liable for financial losses incurred by parties relying on the certificate.
In addition, legal risk could arise if banks participate in new authentication systems and
rights and obligations are not clearly specified in contractual agreements.
Risk Management Options for E-Payment
The rapid pace of technological innovation is likely to change the nature and scope of
risks banks face in electronic money and electronic banking. Supervisors expect banks to
have processes that enable bank management to respond to current risks, and to adjust to
new risks. A risk management process that includes the three basic elements of assessing
risks, controlling risk exposure, and monitoring risks will help banks and supervisors
attain these goals. Banks may employ such a process when committing to new electronic
banking and electronic money activities, and as they evaluate existing commitments to
these activities.
It is essential that banks have a comprehensive risk management process in place that
is subject to appropriate oversight by the board of directors and senior management. As
new risks in electronic banking and electronic money activities are identified and
assessed, the board and senior management must be kept informed of these changes. Prior
to any new activity being commenced, a comprehensive review should be conducted so
that senior management can ensure that the risk management process is adequate to
assess, control and monitor any risks arising from the proposed new activity.
Assessing risks: Assessing risks is an ongoing process. It typically involves three steps.
First, a bank may engage in a rigorous analytic process to identify risks and, where
possible, to quantify them. In the event risks cannot be quantified, management may still
identify how potential risks can arise and the steps it has taken to deal with and limit
those risks. Bank management should form a reasonable and defensible judgment of the
magnitude of any risk with respect to both the impact it could have on the bank (including
the maximum potential impact), and the probability that such an event will occur.
A second step in assessing risk is for the board of directors or senior management to
determine the bank’s risk tolerance, based on an assessment of the losses the bank can
afford to sustain in the event a given problem materializes. Finally, management can
compare its risk tolerance with its assessment of the magnitude of a risk to ascertain if
the risk exposure fits within the tolerance limits.
20
Managing and controlling risks: Having made an assessment of risks and its risk
tolerance, bank management should take steps to manage and control risks. This phase
of a risk management process includes activities such as implementing security policies
and measures, coordinating internal communication, evaluating and upgrading
products and services, implementing measures to ensure that outsourcing risks are
controlled and managed, providing disclosures and customer education, and developing
contingency plans. Senior management should ensure that staff responsible for
enforcing risk limits have authority independent from the business unit undertaking the
electronic banking or electronic money activity. Banks increase their ability to control
and manage the various risks inherent in any activity when policies and procedures are set
out in written documentation and made available to all relevant staff.
Security policies and measures: Security is the combination of systems, applications,
and internal controls used to safeguard the integrity, authenticity, and confidentiality of
data and operating processes. Proper security relies on the development and
implementation of adequate security policies and security measures for processes within
the bank, and for communication between the bank and external parties.
A security policy states management’s intentions to support information security and
provides an explanation of the bank’s security organization. It also establishes guidelines
that define the bank’s security risk tolerance. The policy may define responsibilities for
designing, implementing, and enforcing information security measures, and it may
establish procedures to evaluate policy compliance, enforce disciplinary measures, and
report security violations.
Security measures are combinations of hardware and software tools, and personnel
management, which contribute to building secure systems and operations. Senior
management should regard security as a comprehensive process that is only as strong as
the weakest link in the process. Banks can choose from a variety of security measures to
prevent or mitigate external and internal attacks and misuse of electronic banking and
electronic money. Such measures include, for example, encryption, passwords, firewalls,
virus controls, and employee screening. Encryption is the use of cryptographic algorithms
to encode clear text data into cipher text to prevent unauthorized observation, while
passwords, pass phrases, personal identification numbers, hardware-based tokens, and
biometrics are techniques for controlling access and identifying users.
Monitoring risks: Ongoing monitoring is an important aspect of any risk management
process. For electronic banking and electronic money activities, monitoring is
particularly important, both because the nature of the activities is likely to change
rapidly as innovations occur, and because of the reliance of some products on the use of
open networks such as the Internet.
Two important elements of monitoring are system testing and auditing.
System testing and surveillance: Testing of systems operations can help detect
unusual activity patterns and avert major system problems, disruptions, and attacks.
Penetration testing focuses upon the identification, isolation, and confirmation of flaws in
the design and implementation of security mechanisms through controlled attempts to
penetrate a system outside normal procedures. Surveillance is a form of monitoring in
which software and audit applications are used to track activity.
Auditing: Auditing (internal and external) provides an important independent control
mechanism for detecting deficiencies and minimizing risks in the provision of electronic
banking and electronic money services. The role of an auditor is to ensure that
appropriate standards, policies, and procedures are developed, and that the bank
consistently adheres to them. Audit personnel must have sufficient specialized expertise
to perform an accurate review. An internal auditor should be separate and independent
from employees making risk management decisions. To augment internal audit,
management may seek qualified external auditors, such as computer security consultants
or other professionals with relevant expertise, to provide an independent assessment of
the electronic banking or electronic money activity.
Identification, confidentiality and payment integrity
Payments on the Internet need to meet three major broad conditions:
• Firstly, each party involved in the transaction must be sure that its counterpart is
exactly who she says she is; in other words, the people involved must be identified.
• Secondly, data exchanged between buyers and sellers must remain confidential.
• Finally, buyers must be certain that the information they get about the payment
(regardless of the underlying value) is reliable.
Those three conditions can be met by the use of encryption technology. The main
issue there is the migration from private to public key cryptography. Advantages of the
latter are well known: employing a public key system, it is possible for a user to receive
encrypted messages from an entity he has not met and with whom he has no on-going
relationship. The public key system also offers the possibility to create unique and hard-to-imitate electronic signatures.
Summary
• Online shopping could be defined as the buying and selling of goods over the
Internet. Just about anything can be purchased over the Internet.
• An electronic token is a digital analog of various forms of payment backed by a bank
or financial institution.
• Electronic or Digital Cash combines computerized convenience with security and
privacy that improve upon paper cash.
• The electronic cheques are modeled on paper checks, except that they are initiated
electronically.
• A credit card is an instrument of payment, which enables the cardholder to obtain
either goods or services from merchants where arrangements have been made to
reimburse the merchant.
• Debit cards are also known as check cards. Debit cards look like credit cards or
Automated Teller Machine (ATM) cards, but they operate like cash or personal
checks.
• Electronic payment systems are online payment systems. The goal of their
development is to create analogs of checks and cash on the Internet.
• The volume growth of electronic payments and the wider array of payment vehicles
now in common use has made managing the risks associated with these payments
more important than ever to consumers, businesses, financial institutions, and the
economy as a whole.
• A payment gateway is a separate service and acts as an intermediary between the
merchants’ shopping cart and all the financial networks involved with the transaction,
including the customers’ credit card issuer and your merchant account.
• Benefits of payment gateway include security, encryption, back-up redundancy and
latest technology.
• Internet banking refers to systems that enable bank customers to access accounts and
general information on bank products and services through a personal computer (PC)
or other intelligent device.
• Inter Bank Transfer is a special service that allows you to transfer funds electronically
to accounts in other banks in India through NEFT and RTGS.
• Numerous factors like competitive cost, customer service, and demographic
considerations are motivating banks to evaluate their technology and assess their
electronic commerce and Internet banking strategies.
• Types of internet banking include informative, communicative and transactional.
• Internet banking may involve risks like credit risk, interest rate risk, liquidity risk,
price risk, foreign exchange risk, transaction risks and reputation risks etc.
• As cryptography converts plain text into encrypted form (cipher text), it is very useful
for securing data on communication channels.
• Secure Electronic Transaction (SET) is a standard that enables secure credit card
transactions on the Internet.
• There are different kinds of techniques and methodologies which are available for
authentication of an electronic banking product or service, like shared secrets, USB
token devices, smart cards, password generating tokens, biometrics etc.
Exercises
1. What are the problems with traditional payment systems?
2. Explain the following types of electronic payment system in brief:
• electronic tokens
• e-cash
• e-cheques
• smart cards
• credit cards
• debit cards
3. Explain various features and advantages of electronic payment.
4. What are the problems in implementing an electronic payment system?
5. Explain various types of risks associated with electronic payment systems.
6. What is Internet banking? Explain different types of risks assoc
7. What is SET?
8. Explain different types of authentication techniques and processes for authentication of
an electronic banking product or service.
LESSON-2
e-marketing, e-tailing, Online Services,
e-auctions, Online Portal
 e-marketing
 e-tailing,
 online services,
 e-auctions,
 online portal,
 Online shopping
 online learning,
 e-publishing and e-entertainment
e-marketing
The Information Technology (IT) revolution has been widely touted as having an equal if not
greater impact on us than the industrial revolution. The application of electronic
commerce or e-commerce has led to many changes in the way business is conducted. By
definition, electronic commerce or e-commerce is the purchasing or selling of goods or
services and the transfer of funds in any way using electronic communications in inter-company and intra-company business activities.
An e-commerce solution is a solution to conduct business using technology,
through an intra-, extra- or Internet solution. There are two types of e-commerce:
Business-to-consumer (B2C) e-commerce, involving companies selling products or
services to individuals; and business-to-business e-commerce (B2B), in which
companies sell to other businesses.
E-business is an umbrella term that includes e-commerce and refers to the use of
the Internet and private intranets to transform a company’s value chain (i.e. internal
processes, supplier and partner interactions, and customer relationships) with the ultimate
goal of creating value for customers. A firm with an effective e-business strategy
develops the capabilities needed to improve the flow of information and business
intelligence among partners, suppliers, employees and customers. It also aims to solve
problems for all parties that comprise its extended value chain.
Moving a business to the Internet is a sound strategy for increasing business volume,
making a business instantly international and opening up possibilities that can never
exist in the “real world”. It doesn’t matter even if the business is small and localized. Going
international will facilitate better support, since e-commerce solutions will make it a 24×7
business. A business with a strong Internet presence can reduce staffing and office space
overhead, which can result in more competitive pricing of services and products. The
Internet can provide a more economical form of advertising. A website with e-commerce
capabilities actually draws people back, building brand loyalty and awareness, which is
rare in mainstream advertising. Integrated payments with banking and accounting are
possible, thereby providing robust support for accounting systems. In e-commerce, the
interaction with the system takes place in almost real time and therefore allows the
customer or bidder to respond more quickly and reduces the lag time between discussion
and purchase.
TRADE CYCLE
A trade cycle is the series of exchanges between a customer and supplier that take
place when a commercial exchange is executed. A general trade cycle consists of four
phases. These are described below:
1. Pre-Sales: This phase consists of various tasks in finding a supplier and agreeing the
terms. This phase can be further classified in:
• Search – finding a supplier
• Negotiate – agreeing the terms of trade
2. Execution: This phase consists of various tasks in selecting goods and taking
delivery. This phase can be further classified in:
• Order
• Delivery
3. Settlement: This phase consists of various tasks in invoicing (if any) and payment. This
phase can be further classified in:
• Invoice
• Payment
4. After-Sales: This phase consists of various tasks in following up complaints or
providing maintenance.
Generic Trade cycles
Three generic trade cycles can be identified:
• Repeat trade cycle: These trade cycles contain regular, repeat transactions
between commercial trading partners.
• Credit trade cycle: These trade cycles contain irregular transactions in a once-off
trading relationship (commercial or retail).
[Figure: the Repeat, Credit and Cash trade cycles laid against the phases Pre-Sale (Search, Negotiate), Execution (Deliver), Settlement (Invoice, Payment) and After Sales.]
Fig. 7.1. Generic Trade Cycles
Nature of Trade Cycle
For business-to-business transactions the trade cycle typically involves the provision
of credit, with execution preceding settlement, whereas in consumer-to-business
transactions these two steps are typically coincident.
The nature of the trade cycle can indicate the e-Commerce technology most suited to
the exchange. On this basis business transactions are classified as follows:
• Commercial transactions that are repeated on a regular basis, such as
supermarkets: EDI is the e-Commerce technology appropriate to these exchanges,
as shown below.
[Figure: the EDI trade cycle, with EDI applied to the Execution (Deliver) and Settlement (Invoice) phases, between Pre-Sale (Search, Negotiate) and After Sales.]
Fig. 7.2. EDI Trade Cycle.
• Consumer transactions tend to be once off (or at least vary each time) and
payment is made at the time of the order.
Internet e-Commerce is the technology for these exchanges, as shown below:
[Figure: the consumer e-Commerce trade cycle: Pre-Sale (Search), Execution (Order, Deliver) with Settlement (Payment) at the time of the order, then After Sales.]
Fig 7.3. Consumer E-Commerce
• The third generic trade cycle is the non-repeating commercial trade cycle, and
Internet e-commerce or an electronic market is the appropriate e-technology for
this.
SUPPLY CHAIN
A supply chain is a network of facilities and distribution options that performs the
functions of procurement of materials (from suppliers), transformation of these materials
into intermediate and finished products (manufacturing), and the distribution of these
finished products to customers. This network adds value for customers
through the manufacture and delivery of products.
A supply chain, logistics network, or supply network is a coordinated system of
entities, activities, information and resources involved in moving a product or service
from supplier to customer.
[Figure: Supplier → Manufacturer → Customer]
Fig 7.4 Supply Chain
The entities of a supply chain typically consist of manufacturers, service providers,
distributors, and retail outlets. Supply chain activities transform raw materials and
components into a finished product. The primary objective of supply chain management
is to fulfill customer demands through the most efficient use of resources.
In today’s rapidly changing business environment, ever-greater demands are being
placed on businesses:
• to provide products and services quicker
• with greater added value
• to the correct location
• with no relevant inventory position
Customers want more quality, design, innovation, choice, convenience and service,
and they want to spend less money, effort, time and risk. The supply chain of a company
consists of different departments, ranging from procurement of materials to customer
service.
Supply Chain Management means transforming a company’s “supply chain” into an
optimally efficient, customer-satisfying process, where the effectiveness of the whole
supply chain is more important than the effectiveness of each individual department.
The capabilities of Internet technology will change the way we do business with our
suppliers and customers as well as change the face of business, in its processes and
techniques and in the definition of business itself.
Porter’s Value Chain Model
To better understand the activities through which a firm develops a competitive
advantage and creates shareholder value, it is useful to separate the business system into a
series of value-generating activities referred to as the value chain. In his 1985 book
Competitive Advantage, Michael Porter introduced a generic value chain model that
comprises a sequence of activities found to be common to a wide range of firms. Porter
identified primary and support activities as shown in the following diagram:
[Figure: support activities (Firm Infrastructure, Human Resource Management, Technology Development) laid over the primary activities Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Service.]
Fig 7.5 Porter’s Value Chain Model.
The primary value chain activities are:
• Inbound Logistics: the receiving and warehousing of raw materials, and their
distribution to manufacturing as they are required.
• Operations (Production): the processes of transforming inputs into finished
products and services.
• Outbound Logistics: the warehousing and distribution of finished goods.
• Marketing & Sales: the identification of customer needs and the generation of sales.
• Service: the support of customers after the products and services are sold to them.
These primary activities are supported by the following support activities:
• The infrastructure of the firm: organizational structure, control systems,
company culture, etc.
• Human resource management: employee recruiting, hiring, training,
development, and compensation.
• Technology development: technologies to support value-creating activities.
• Procurement: purchasing inputs such as materials, supplies, and equipment.
Linked value chains
Value chain activities are not isolated from one another. Rather, one value chain
activity often affects the cost or performance of other ones. Linkages may exist between
primary activities and also between primary and support activities. Interrelationships
among business units form the basis for a horizontal strategy. Such business unit
interrelationships can be identified by a value chain analysis.
[Figure: linked value chains, in which one firm’s Outbound Logistics feeds the next firm’s Inbound Logistics and Operations; Inbound Logistics from suppliers, Outbound Logistics towards customers.]
Fig 7.6. Linked Value Chains
Role of Electronic Commerce in Value Chain
The capability of Internet technology will change the way we do business with our
suppliers and customers, as well as change the face of business. As you know:
• An intranet is a secured network of web pages and applications, which can be
accessed by anyone within a company firewall.
• The Internet is a collection of servers and networks, which allow users access to
information and applications outside of the company firewall.
• An extranet is a collaborative (private/secure) network that uses Internet technology
to link businesses with their suppliers, customers, or partners that share common
goals.
• E-Commerce is buying and selling electronically, and E-Business is using the
capabilities of Internet technology to conduct business electronically.
E-commerce enhances the value chain by providing:
• Electronic Value Chain: through the electronic value chain, e-commerce enhances
business by supporting:
o Reduced time frame
o Changed cost structures
• Re-engineered Value Chain: through the re-engineered value chain, e-commerce
enhances business by supporting:
o Just-in-time manufacture
o Quick response supply
o Efficient document processing
• Competitive advantage: e-commerce supports a company in gaining
competitive advantage.
Online Marketing
Online Marketing provides product boundary extension, new product and service creation,
and new market and channel creation. Different aspects of online marketing are discussed in
detail in a later part of the book. Various advantages of online marketing are:
• Market Segment Share
• Customer reach
E-tailing
1. E-tailing is a way of selling goods on the Internet; many of the websites we
use for shopping online, such as Amazon, Flipkart, Naaptol and Jio, are examples.
2. It is a combination of e-commerce and retail.
3. It is beneficial to both the customer and the retailer.
Advantages of E-tailing
1. Cost
2. Access
3. Inventory
1. Cost: The cost of the product is lower without an intermediary; only the delivery company
is involved in this type of business.
2. Access: The customer does not have to go anywhere. All the products shown can be delivered to
his/her place, using whichever payment method the customer prefers.
3. Inventory: A large variety of products is available; there is no restriction to a
limited set of products. The range can be on the basis of price and age.
Online Services
Online services with regard to E-business provide various strategies for the supply
chain. These are:
E-Procurement
E-procurement provides cross-enterprise system-to-system integration, electronic
catalogs, and online buying and selling. We will study e-Procurement in detail in the
later part of this chapter.
Various advantages of e-Procurement are:
• It enhances efficiency
• It reduces cost and cycle time
• It helps in contract compliance and customer reach
E-Collaboration
E-Collaboration provides cross-enterprise technology/design interaction (customer and
supplier). Various advantages of e-Collaboration are:
• Shorter design cycle time
• Design synergy and reuse
• Revenue
Integrated Planning/Manufacturing
Integrated planning/manufacturing provides cross-enterprise planning/execution,
system-to-system integration, and outsourced manufacturing visibility. Various
advantages of integrated planning/manufacturing are:
• Lead time margin
• Accuracy/flexibility
• Inventory levels
• On-time delivery
Integrated Delivery
Integrated Delivery provides cross-enterprise logistics management and consignment
visibility. Various advantages of integrated delivery are:
• Logistics cycle time
• Reduced cost
• Lead time
E-Auctions
What are e-Auctions and what is e-Procurement?
Electronic procurement (e-Procurement) is the use of electronic tools and systems to
increase efficiency and reduce costs during each stage of the purchasing process.
e-Procurement can be divided into two parts: direct-material procurement, in which raw
materials or components needed for production are procured from supply chain partners,
and indirect-material procurement, in which materials that are used indirectly are procured
(like office supplies, maintenance-related materials and operation-related supplies).
e-Procurement for Direct Materials: As direct materials are needed for the
production process, they require greater scrutiny before ordering. Organizations need to
focus on different issues like the integration of suppliers, methods for integrating, etc.
Usually these items should be ordered in appropriate quantities, as inventory of these can
add further cost.
e-Procurement for Indirect Materials: Indirect materials usually have low value,
are not critical to the main production process and are ordered in high volumes. In an
organization, a large number of people order these items. By ordering these items online a
company can save a valuable amount of money and other resources. The three ways in
which these materials can be procured online are given below:
• Seller-side solutions
• Buyer-side solutions
• Third-party solutions
A buy-side e-procurement solution should be user friendly and help employees place
orders and purchase goods from their desktops with ease. It should provide a list of
preferred suppliers for each product and help reduce non-compliance with the
organization’s business rules for purchasing.
Organizations are moving from the business-to-supplier model to a trading
community model. In this model, several suppliers of a particular product category come
together to form a vertical portal. Indiamart.com provides one such kind of catalog. These
kinds of portals represent a comprehensive catalog, which consists of the product details
of all the participating suppliers. The buyers can access the catalog, compare product
features and prices, select a supplier and place the order. Since price and product
differentiation play an important role in influencing the buyer’s purchasing decision, the
suppliers participating in this model should continuously improve their products and cut
costs. The success of this model depends on the following factors:
• How well the suppliers’ networks are integrated with each other
• Whether suppliers update their catalogs at regular intervals
• Whether the infrastructure is capable of handling increasing product variety and
user volume.
SciQuest, founded in the 1990s, is a comprehensive online database of over 800
suppliers with more than 650,000 scientific products. SciQuest provided a wide range of
services to scientists and purchasing professionals. In March 1999, SciQuest added an
electronic purchasing system to its online catalog for laboratory instruments, chemicals
and supplies. SciQuest streamlined the process of purchasing scientific products. It acted
as a facilitator and helped scientists and suppliers access information and communicate
with each other.
The success of a sell-side e-procurement solution depends on the supplier’s
technological infrastructure, ability to integrate with different technological platforms and
ability to cut costs and improve products. In recent times, several suppliers of a single
product have been coming together to form vertical portals. Vertical portals are
commonly seen in industries like steel, paper and chemicals, where fragmented markets
and price variations make it difficult for buyers to make a purchasing decision.
The best practices in e-procurement include: using a procurement card system and
an electronic funds transfer system, clarifying the employees’ role in the procurement
process, using a strategic approach to implementation and participating in collaborative
e-procurement. Collaborative e-procurement is being adopted by many companies to
realize high levels of process efficiency.
The multilevel approval method used in traditional organizations to control procurement
processes always led to operational delays. Therefore global companies established direct
linkages between suppliers and employees to facilitate faster procurement of
goods/services. However, companies observed that employees had to spend a considerable
amount of time searching for suitable suppliers and procuring the required products and
services from them. As individual employees searched for the right supplier each time they
wanted to procure goods, the process incurred heavy costs for organizations. They found
that automation of the procurement process could improve the situation.
It is easy to automate each procurement area or each stage in a procurement life cycle
individually and obtain a stand-alone solution. But developing separate procurement
systems is not efficient, and the cost of developing, implementing and maintaining them
is quite high. Therefore, for an efficient and cost-effective procurement system in an
organization, it is essential to obtain an integrated solution. In this approach the
purchasing department focuses on controlling strategies (rather than day-to-day
transactions) and extends its control to the accounting, finance and human resource
departments in addition to the production department. Under such a system, the organization
emphasizes uniform control across the organization, rather than on a single department or
branch. This highlights the need for a coordinated solution to resource procurement. But
the challenge that organizations face is to manage the transition from the existing system
to a new integrated framework.
An effective e-Procurement solution is one which not only lets employees procure goods
with ease but also provides the purchasing department with adequate control over
purchase decisions. It should also enable integration of the new system with existing
systems in the organization.
Different types of middleware software are used in e-procurement solutions for direct
materials. For example, webMethods, a vendor, provides e-procurement solutions for
direct materials.
Drivers for e-Procurement
e-Procurement has an indirect effect on cash savings by providing access to good
deals. Central government, local government and strategic private sector partners are
introducing and developing e-Commerce systems for public sector purchasing to
improve the procurement process.
Countries like the UK are rapidly embracing electronic commerce (eCommerce). Recent
studies show that the UK’s eCommerce environment is one of the strongest in the world.
The latest government figures reveal that 29% of UK companies bought online in 2003, up
13% from the 2002 figures. Although larger businesses are more inclined to buy online,
small companies are introducing new eCommerce technologies at an increasingly fast
rate.
The UK government has been driving the adoption of eCommerce across the public
sector since 1983. There have been many well-publicised targets for the online delivery
of government services to the public, and many for the delivery of savings through
implementing electronic procurement (eProcurement), a key component of eCommerce.
In 2002, the OGC (the UK Office of Government Commerce) ran an ePilots programme in
order to research eProcurement systems and services, and understand their applicability to
Central Civil Government. This project saw seven public sector organizations implement a
variety of solutions, including the first reverse auction run by the UK government. Today
eProcurement is seen as a key enabler to achieving greater public sector efficiency, which
is high on the government’s agenda and was the goal behind.
“The public sector is one of the biggest purchasers of goods and services in the
economy. In 2001-04, the public sector of the UK spent over £100bn on purchasing, for
example, utilities, ICT systems and services, as well as professional services, temporary
labour, construction, social housing, social care, and environmental services.”
The Efficiency Review identified that the UK public sector spends over £100bn a
year on bought-in goods and services. Furthermore, it set a target of more than £20bn of
efficiency savings for delivery by 2007/8. The aim is to release this money for improved
delivery of frontline services to the public. Approximately one third of the savings, some
£6-7bn, is expected to come from improved procurement, principally through more
efficient processes and improved contracts.
The ‘Quick Wins’ Approach
To modernise procurement processes certain ‘e-tools’ will be required. One problem
often encountered at the start of an eProcurement programme is deciding which tools to
implement and in what order.
Quick wins can establish the credibility of the eProcurement programme, and help
to generate funding for the rest of the programme.
“An early spend analysis will almost always uncover some areas where quick win
savings can be made. These early savings can then be used to invest in a broader
eProcurement programme.”
Experience from case study organizations suggests that the following approach is an
effective way to implement an eProcurement programme:
1. Consider implementing a Government Procurement Card (GPC) programme. This
is the most obvious quick win, which can create immediate efficiency gains and
achieve process savings across most low value spend.
2. Implement eAuctions as soon as possible. These can generate clear cash savings for
funding further investment in eProcurement.
3. Implement purchase-to-pay (P2P) to make the procurement processes as efficient as
possible and to start capturing data on spending patterns as useful management
information.
4. Implement eSourcing solutions to improve the professionalism of procurement staff
and ongoing supplier relationships.
Online Portal
Online Portal for Manufacturing
E-Commerce Application in Manufacturing
Manufacturing is the transformation of raw materials into finished goods for sale, or
intermediate processes involving the production or finishing of semi-manufactures. The
production of goods and services is the result of the effort of many organisations, a
complex web of contracts and co-operation known as the supply chain or the value
system. As shown below, manufacturing requires various components (e.g. wheels,
seats, etc.), sub-assemblies (e.g. engine, gearbox, etc.) and so on, as well as
transportation, storage and paperwork (orders, invoices, etc.).
Each supply chain transition adds cost without adding intrinsic value.
As discussed above, E-Commerce can be applied to the supply chain to reduce costs or
improve service. In this way e-commerce can enhance the manufacturing process by:
• Enhancing efficiency
• Reducing cost/cycle time
• Providing accuracy and flexibility
• Supporting inventory levels
E-Commerce Application in Wholesale
Wholesale is the sale of goods or services in large quantities and at lower prices to
someone other than consumers. Wholesale consists of the sale of goods/merchandise to
retailers, to industrial, commercial, institutional, or other professional business users, or to
other wholesalers, and related subordinated services. A wholesaler is sometimes called a
middleperson, middleman or distributor.
Wholesalers frequently physically assemble, sort and grade goods in large lots, break
bulk, repack and redistribute in smaller lots (for example pharmaceuticals); store,
refrigerate, deliver and install goods; engage in sales promotion for their customers; and
design labels.
Problems of Traditional Wholesale System
Under the impact of market forces, wholesale systems have undergone great change.
With various types of enterprises entering the wholesale market, traditional wholesale
companies and trading corporations are now no longer the mainstream operators. Instead,
specialized national or regional wholesale markets have emerged as major players.
However, even these wholesale markets cannot compete with foreign wholesale
enterprises, which employ advanced management and operation methods. The operating
costs of an enterprise using wholesale markets as its distribution channel are high. The
costs include posting resident staff at the wholesale markets, setting up local warehouses,
and establishing distribution centers in different regions in order to cover the national
market.
Besides, constrained by the quality of the resident staff and geographic limitations, it is
difficult for enterprises to obtain the right market information from the wholesale
markets. As a result, although enterprises pay high costs, they cannot respond quickly to
market demand. Further, as wholesale markets require a large land supply and other
supporting social resources, they create burden and wastage for the economy.
Nevertheless, these wholesale markets have become a major component of the wholesale
sector, characterized by high input and low output.
Role of E-commerce in Wholesale
In a sound market economy, low operating costs, access to information and quick
response are the keys to success for an enterprise. Through advanced information
technology, enterprises can reach out to the global market and at the same time obtain
information from around the world at low cost and high speed.
Lower Transaction Costs.
E-commerce provides a fundamental solution to the problem of diminishing profit
margin and brings new opportunities to the stagnant traditional wholesale business. It
supports:
•
Low operating costs
•
Access to information
•
Quick response
•
Through the Internet, wholesalers can now gain the competitive edge that could
only be enjoyed by multinational companies in the past
E-commerce is developing worldwide at an unprecedented speed. The network economy
has made a big impact on the traditional economy. By shortening the distance between
manufacturer and consumer, e-commerce poses serious threats to intermediaries in the
supply chain. It also weakens the role of traditional wholesalers. Those that are unable to
adapt to the network economy will be hard hit, while those that make use of new
technology and seek change will transform into small but powerful new players.
It can be expected that wholesale in the future will operate more like a portal site of
an enterprise where only information gatherers, market analysts, a small number of
operation and management personnel and network technicians are visible. Compared to
the existing major wholesalers that have a large number of employees, they will be much
smaller in scale, requiring less staff and less physical space. However, the ubiquitous and
ever-expanding Internet provides them with a cyberspace that will enable them to reach
out to their customers throughout the world easily. It also offers them a wide range of
information, intermediary and business services.
Online Learning
School of Open Learning and IGNOU are popular in online learning, and all the content
is available on the website: study material, video lectures, and the e-Pustakdwar online
library, which has many facilities available for the students of the School of Open
Learning.
Many books from different libraries can be collected using these library facilities.
Online material of various universities can be obtained from this portal.
Online learning is now a very important and popular method, since a person can use it
whenever he or she has access. Many online videos on the same topic are available on the
School of Open Learning website. Not only regular college students of Delhi University
use them; they are used by many students of other universities also.
Other student-related facilities available on the same website under the Students
heading are shown below:
e-Publishing and E-entertainment
IMPLEMENTING ePROCUREMENT
Organizations want their e-procurement system to offer maximum benefit at the
lowest possible cost. The general expectations of the organization from an e-procurement
solution are:
• Quick and positive results with minimum risks
• Leveraging the huge buying potential of the organization to negotiate favorable
contracts from suppliers
• Limiting the number of suppliers by choosing only efficient companies as
preferred suppliers
• Adopting best practices in procurement.
To obtain an e-procurement solution that meets the above expectations, the Chief
Procurement Officer (CPO) should ensure that the solution provider understands the
exact requirements of the organization. The following steps may be followed to obtain the
desired e-Procurement system for the organization.
(a) Establish e-Procurement chain goals: The first step in implementing an e-procurement
system is to define the objectives of e-procurement. Some of the objectives of
e-procurement are: to automate the purchasing process, cut costs, obtain accurate
purchase reports and eliminate unauthorized purchases.
(b) Conduct a Procurement Audit: The organization should evaluate its existing process
and determine whether it requires some modifications. If all the purchasing
information is not available at a single location, or if it is not accurate or easily
accessible, the procurement processes need to be modified. The most widely used
technique for systematic measurement of e-procurement effectiveness is Return on
Assets (ROA). The formula for ROA is
ROA = {(Revenues – Expenses) / Assets} * 100
The e-procurement system can increase ROA by increasing revenues, decreasing
expenses or minimizing investments in assets.
Some of the performance indicators that may be used to determine the success of
e-procurement are the total number of employees who have procured through the system in
the preceding quarter, the total amount of money spent on procurement through the new
channel, and the percentage of transactions (out of total transactions) completed using the
e-procurement tools.
(c) Develop a supplier integration matrix: An organization cannot maintain the same kind
of relationship with all its suppliers. It has to formulate a relationship strategy
depending on the contribution of each supplier to the success of the company. Some
suppliers produce components critical to the business, and maintaining long-term
relationships with them is crucial to the organization’s success.
(d) Select an e-procurement application: The selection of the e-procurement application is
critical and should be guided by factors like: the application should improve the current
procurement process, should leverage the investments already made by
the organization in ERP/SRP systems and should be flexible enough to accommodate
new procurement practices.
(e) Focus on integration: Each area of Operating Resource Management (ORM) and the
requirements of employees, buyers and suppliers should be considered in the design
of the e-Procurement application.
(f) Educate the staff: Educating employees is another important factor in implementing
a new e-procurement system. It is the employees who will use the system and help
the organization to achieve the desired improvement in the procurement chain and
cost. If the employees oppose the system because of its complexity or other fears like
lay-offs, then the e-procurement system will fail despite the advanced technology
used and huge investments.
The Andhra Pradesh Government envisions providing good governance by establishing a
Committed, Accountable, Responsive, Inspiring, Nationalist, Genuine Government, i.e. a
CARING Government. e-Procurement is one of the vehicles that can be gainfully used in
reaching the goal of CARING governance. E-Procurement.gov.in is a comprehensive
e-infrastructure that will help the government and the citizens realize the vision of fuelling
growth via profitable B2B e-commerce. Providing a robust, proven platform used by the
largest companies in India and the world, it enables trade between companies of different
sizes, platforms and locations. To this end, e-Procurement.gov.in will provide services like
eProcurement, eTendering, eSelling and eAuctions.
Fig. 7.7 e-Procurement Trends
A wide variety of electronic procurement (eProcurement) tools have been developed
over recent years to help organizations source, contract and purchase more efficiently and
effectively.
Broadly, eProcurement tools relate to two aspects of procurement:
sourcing activity; and transactional purchasing.
Sourcing Activity (eSourcing)
The eSourcing tools described can help buyers establish optimum contracts with
suppliers, and manage them effectively. The tools include supplier databases and
electronic tendering tools, evaluation, collaboration and negotiation tools. Also included
are eAuction tools and those tools which support contract management activity.
Transactional Purchasing (ePurchasing)
The ePurchasing tools can help procurement professionals and end users achieve
more efficient processes and more accurate order details. The two aims of (a) maximising
control and (b) process efficiency are the function of ePurchasing tools such as
purchase-to-pay systems, purchasing cards and electronic invoicing solutions.
Although the tools fall broadly within these two categories, some tools can
be implemented in isolation. Based on the recommendations of experienced
implementers, it is suggested that eAuction tools are now a mature technology that can
generally be implemented more quickly than other eSourcing tools. As eAuctions are
currently proving a clear “quick win” in cash-releasing terms, their earliest
implementation is strongly recommended.
The Government Procurement Card (GPC) is an established and widely-accepted
programme. Implementing the GPC will provide most organizations with immediate
process efficiency gains and the capability to better meet prompt payment targets.
Therefore, in addressing eProcurement implementation we have separated eAuctions
from general eSourcing, and separated Procurement Cards from general ePurchasing.
Purchasing cards (P-cards)
Purchasing cards (P-cards) are similar in principle to smart cards used by consumers
(for example suppliers are paid within five days; the buyer is billed monthly in a
consolidated invoice), but with extra features which make them more suitable for
business-to-business purchasing. These can include:
• Controls such as restricting card use to particular commodity areas
• Individual transaction value limits, and
• Monthly expenditure limits
The purchasing information provided to the buying organisation by an issuing bank
on each monthly statement depends on the degree of detail automatically generated by
each supplier. This can range from the supplier name, date and transaction value, to line
item detail against each item ordered, free text entry for the input of account codes, and
VAT values.
Implementing P-Cards
• Card holders (users): P-Cards should be distributed to anyone in the organization
who needs to requisition low value goods, and some services.
• Functionality: P-cards enable each card holder to be allocated a spend limit per
transaction and a total spend limit per month. The GPC and some other P-Card
programmes also enable spend to be regulated by blocking spend categories for
particular users. Individual transaction data is captured by the supplier at time of sale
and transmitted to the issuing bank which provides the card programme. A monthly
consolidated statement is provided in paper format or electronically to the purchasing
organisation for approval and payment.
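The three P-card controls described above (blocked spend categories, a per-transaction limit and a monthly limit) map directly onto an authorization check at the issuing bank. The following Python is an added example, not code from the study material or from any card programme: it declines a transaction if the card is not in the programme, if its merchant category is blocked for that holder, if it exceeds the per-transaction limit, or if it would push the month's spend over the monthly limit, and it builds the consolidated monthly statement from the approved transactions. The card numbers, merchant category codes (MCCs), holder name, limits and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Added example (not from the study material): a purchasing-card authorization
# check enforcing the three P-card controls described in the text. Card numbers,
# merchant category codes (MCC), holder and amounts are constructed for illustration.

@dataclass
class CardPolicy:
    holder: str
    per_transaction_limit: Decimal
    monthly_limit: Decimal
    blocked_categories: frozenset   # MCCs this card holder may not buy from

@dataclass
class Transaction:
    card: str
    supplier: str
    mcc: str          # merchant category code captured by the supplier at point of sale
    amount: Decimal
    when: date

class PCardAuthorizer:
    def __init__(self, policies):
        self.policies = policies   # card number -> CardPolicy
        self.ledger = []           # approved transactions; source of the monthly statement

    def month_spend(self, card, when):
        """Total already approved on this card in the calendar month of `when`."""
        return sum((t.amount for t in self.ledger
                    if t.card == card and (t.when.year, t.when.month) == (when.year, when.month)),
                   Decimal("0"))

    def authorize(self, tx):
        """Return (approved, reason). Fail-closed: every control must pass."""
        policy = self.policies.get(tx.card)
        if policy is None:
            return False, "unknown card"
        if tx.amount <= 0:
            return False, "non-positive amount"
        if tx.mcc in policy.blocked_categories:
            return False, f"category {tx.mcc} blocked for {policy.holder}"
        if tx.amount > policy.per_transaction_limit:
            return False, "exceeds per-transaction limit"
        if self.month_spend(tx.card, tx.when) + tx.amount > policy.monthly_limit:
            return False, "exceeds monthly limit"
        self.ledger.append(tx)
        return True, "approved"

    def monthly_statement(self, card, year, month):
        """Consolidated statement lines (supplier, date, amount, MCC) for approval and payment."""
        return [(t.supplier, t.when.isoformat(), str(t.amount), t.mcc)
                for t in self.ledger
                if t.card == card and (t.when.year, t.when.month) == (year, month)]

def demo():
    """Run a constructed March 2024 sequence through one hypothetical card's policy."""
    policies = {
        # hypothetical holder: 500 per transaction, 2000 per month,
        # bars (MCC 5813) and gambling (MCC 7995) blocked
        "4000-0001": CardPolicy("A. Sharma", Decimal("500"), Decimal("2000"),
                                frozenset({"5813", "7995"})),
    }
    auth = PCardAuthorizer(policies)
    sample = [
        Transaction("4000-0001", "Office Supplies Ltd", "5943", Decimal("450"), date(2024, 3, 4)),
        Transaction("4000-0001", "Office Supplies Ltd", "5943", Decimal("600"), date(2024, 3, 5)),  # over per-transaction limit
        Transaction("4000-0001", "Hotel Bar", "5813", Decimal("40"), date(2024, 3, 6)),            # blocked category
        Transaction("4000-0001", "Stationers", "5943", Decimal("495"), date(2024, 3, 10)),
        Transaction("4000-0001", "Stationers", "5943", Decimal("495"), date(2024, 3, 11)),
        Transaction("4000-0001", "Stationers", "5943", Decimal("495"), date(2024, 3, 12)),
        Transaction("4000-0001", "Stationers", "5943", Decimal("495"), date(2024, 3, 13)),        # would exceed monthly limit
        Transaction("9999-9999", "Anyshop", "5943", Decimal("10"), date(2024, 3, 13)),             # card not in programme
    ]
    results = [auth.authorize(t) for t in sample]
    return auth, results

if __name__ == "__main__":
    auth, results = demo()
    for ok, reason in results:
        print("APPROVED" if ok else "DECLINED", reason)
    print(auth.monthly_statement("4000-0001", 2024, 3))
```

The checks are fail-closed: a transaction is approved only after every control passes, and a card that is not in the programme is declined rather than falling through. Because the MCC and amount arrive from the supplier's point-of-sale capture, the monthly limit has to be checked against the ledger at authorization time; it cannot be enforced afterwards from the statement.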
Benefits of P-cards
• Prompt payment discounts reduce the amount paid for goods and services
• Guaranteeing prompt payment is a significant benefit to suppliers, particularly
small and medium sized enterprises, as it generates cash flow
• Increased compliance with contracts
e-Auctions
In an electronic reverse auction (e-Auction) potential suppliers compete online and
in ‘real time’, providing prices for the goods or services under auction. Prices start at one
level and gradually, throughout the course of the e-Auction, reduce as suppliers offer
improved terms in order to gain the contract. E-Auctions can be based on price alone or
can be weighted to account for other criteria such as quality, delivery or service levels.
Electronic reverse auctions (ERA) framework
Each of the eAuction service providers on the framework offers public sector
organisations assistance with:
• Assessment of the suitability of forthcoming contracts for the e-Auction process
• Advice and guidance on strategy
• Supplier training and ‘test’ e-Auction events
e-Auction benefits
• Improved preparation and planning for the tendering process
• Opportunity for suppliers to submit revised bids for a contract (as opposed to the
formal tendering process)
• Increased market knowledge for buyers and suppliers; suppliers particularly benefit
from increased awareness of competitor pricing
• Provides a more level playing field for suppliers
• Improved quality of service
Implementing eAuctions
eAuctions do not replace tendering: they are a part of it and provide cost-effective,
fast and transparent conclusions to a full tendering process. eAuctions may be based on
securing the lowest price, or on the most economically advantageous bid (price, payment
terms, supply schedules).
Only those suppliers who have successfully pre-qualified (i.e. they have satisfied all
tendering criteria such as quality processes, financial stability and environmental policies)
should be invited to participate.
Identifying purchases suitable for eAuctions
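The rules above (pre-qualification before invitation, prices that may only fall during the event, and a choice between lowest-price and weighted most-economically-advantageous evaluation) can be written down as a small auction engine. The Python below is an added example and not part of the study material or of any framework provider's software; the suppliers, weights, quality and delivery scores and bid amounts are constructed for illustration, and the price axis is normalised against an assumed starting price. It shows that the supplier who is cheapest on price alone does not necessarily win once quality and delivery are weighted in, and that a bid from a supplier who has not pre-qualified is rejected however low it is.

```python
from dataclasses import dataclass

# Added example (not from the study material): a minimal electronic reverse
# auction engine. Suppliers, weights, scores and bid values are constructed.

@dataclass(frozen=True)
class Bid:
    supplier: str
    price: float
    quality: float    # 0-10, fixed at pre-qualification, not changed during the event
    delivery: float   # 0-10, fixed at pre-qualification

class ReverseAuction:
    def __init__(self, prequalified, weights, starting_price):
        # Only suppliers who satisfied the tendering criteria may take part.
        self.prequalified = set(prequalified)
        self.weights = weights            # e.g. {"price": 0.6, "quality": 0.3, "delivery": 0.1}
        self.starting_price = starting_price
        self.best_by_supplier = {}        # each supplier's current (lowest) standing bid
        self.rejected = []                # (bid, reason) for the audit trail

    def submit(self, bid):
        """Accept a bid only if the supplier is pre-qualified, the price lies inside the
        auction range, and it improves on that supplier's own previous price."""
        if bid.supplier not in self.prequalified:
            self.rejected.append((bid, "not pre-qualified"))
            return False
        if bid.price <= 0 or bid.price > self.starting_price:
            self.rejected.append((bid, "price outside auction range"))
            return False
        prev = self.best_by_supplier.get(bid.supplier)
        if prev is not None and bid.price >= prev.price:
            self.rejected.append((bid, "does not improve previous bid"))
            return False
        self.best_by_supplier[bid.supplier] = bid
        return True

    def score(self, bid):
        """Most economically advantageous bid: the price axis gives 10 points at a price
        of zero and 0 points at the starting price; quality and delivery as scored."""
        price_score = 10 * (1 - bid.price / self.starting_price)
        return (self.weights["price"] * price_score
                + self.weights["quality"] * bid.quality
                + self.weights["delivery"] * bid.delivery)

    def ranking(self):
        """Standing bids, best weighted score first."""
        return sorted(self.best_by_supplier.values(), key=self.score, reverse=True)

    def lowest_price(self):
        """Winner if the event were run on price alone."""
        return min(self.best_by_supplier.values(), key=lambda b: b.price)

def demo():
    """Constructed event: three pre-qualified suppliers and one uninvited party."""
    auction = ReverseAuction(
        prequalified={"Alpha", "Beta", "Gamma"},
        weights={"price": 0.6, "quality": 0.3, "delivery": 0.1},
        starting_price=100_000.0)
    for b in [
        Bid("Alpha", 95_000, 8, 7),
        Bid("Beta", 90_000, 6, 9),
        Bid("Delta", 50_000, 9, 9),   # not pre-qualified: rejected however cheap
        Bid("Alpha", 85_000, 8, 7),   # improves Alpha's own earlier bid
        Bid("Beta", 92_000, 6, 9),    # worse than Beta's own earlier bid: rejected
        Bid("Gamma", 80_000, 4, 5),   # lowest price but weak quality/delivery
    ]:
        auction.submit(b)
    return auction

if __name__ == "__main__":
    a = demo()
    for b in a.ranking():
        print(f"{b.supplier}: price {b.price:,.0f}, weighted score {a.score(b):.2f}")
    print("price-only winner:", a.lowest_price().supplier)
    for b, reason in a.rejected:
        print("rejected", b.supplier, b.price, "-", reason)
```

Rejecting out-of-range and non-improving bids matters for the integrity of the event: without that check a supplier could raise its price late in the auction, and without the pre-qualification gate an uninvited party could distort the other suppliers' view of competitor pricing.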
COMPETITIVE ADVANTAGE
A firm is said to possess a competitive advantage over its rivals if it sustains profits that
exceed the average for its industry. The goal of much of business strategy is to achieve a
sustainable competitive advantage.
Michael Porter identified two basic types of competitive advantage:
• Cost advantage
• Differentiation advantage
A competitive advantage exists when the firm is able to deliver the same benefits as
competitors but at a lower cost (cost advantage), or deliver benefits that exceed those of
competing products (differentiation advantage). Thus, a competitive advantage enables
the firm to create superior value for its customers and superior profits for itself.
Fig. 7.8. A Model of Competitive Advantage.
Cost and differentiation advantage are known as positional advantages since they
describe the firm’s position in the industry as a leader in either cost or differentiation.
A resource-based view emphasizes that a firm utilizes its resources and capabilities to
create a competitive advantage that ultimately results in superior value creation. The
following diagram combines the resource-based and positioning views. It illustrates the
concept of competitive advantage:
Resources and Capabilities
According to the resource-based view, in order to develop a competitive advantage
the firm must have resources and capabilities that are superior to those of its competitors.
Without this superiority, the competitors could simply replicate what the firm was doing
and any advantage would quickly disappear.
Resources are the firm-specific assets useful for creating a cost or differentiation
advantage that few competitors can acquire easily. The following are some examples
of such resources:
•
Patents and trademarks
•
Proprietary know-how
•
Installed customer base
•
Reputation of the firm
•
Brand equity
Capabilities refer to the firm’s ability to utilize its resources effectively. An example
of a capability is the ability to bring a product to market faster than competitors. Such
capabilities are embedded in the routines of the organization and are not easily
documented as procedures and thus are difficult for competitors to replicate.
The firm’s resources and capabilities together form its distinctive competencies.
These competencies enable innovation, efficiency, quality, and customer responsiveness,
all of which can be leveraged to create a cost advantage or a differentiation advantage.
Cost Advantage and differentiation Advantage
Competitive advantage is created by using resources and capabilities to achieve either
a lower cost structure or a differentiated product. A firm positions itself in its industry
through its choice of low cost or differentiation. This decision is a central component of
the firm’s competitive strategy.
Another important decision is how broad or narrow a market segment to target. Porter
formed a matrix using cost advantage, differentiation advantage, and a broad or narrow
focus to identify a set of generic strategies that the firm can pursue to create and sustain a
competitive advantage.
Value Creation
The firm creates value by performing a series of activities that Porter identified as the
value chain. In addition to the firm’s own value-creation activities, the firm operates in a
value system of vertical activities including those of upstream suppliers and downstream
channel members.
To achieve a competitive advantage the firm must perform one or more value-creating
activities in a way that creates more overall value than competitors do. Superior value is
created through lower costs or superior benefits to the consumer (differentiation).
Porter’s Five Forces Model
Michael Porter described a concept that has become known as the “five forces
model.” This concept involves a relationship between competitors within an industry,
potential competitors, suppliers, buyers and alternative solutions to the problem being
addressed. We used the five forces model as a basic structure and built on it with
concepts from the works of many other authors. The result was a model with over 5,000
relational links.
Fig. Porter’s Model for Competitive Forces.
While each industry involves all of these factors, the relational strengths vary.
Business Insight uses input from the user to create a unique model of their industry. Then
thousands of “rules” are applied to evaluate hundreds of marketing and business concepts
as they relate to the user’s unique circumstances. This results in a set of analyses,
including:
•
A success potential rating in eleven key areas
•
A list of strategic strengths and weaknesses
•
Observations on strategic inconsistencies
•
A written critique of your strategy
•
A graphic analysis of key marketing concepts
•
A written draft of a marketing plan
Online books available through various e-publishing portals
E-entertainment
A number of channels can be accessed on mobile or TV using Jio Fiber connections; a
person has to pay only for data usage.
With a Wi-Fi connection or mobile data, all online videos can be watched. There are
many apps like Hotstar, Netflix, Jio TV and many other popular apps that help in watching
online movies and other entertainment live.
Online Shopping
Online Shopping and Retail
E-COMMERCE APPLICATION IN RETAIL
Retailing involves selling products and services to consumers for their personal or
family use. Department stores, discount stores and specialty stores like jewelers and toy
stores are all examples of retail stores. Service providers, like dentists, hotels and hair
salons, and online stores, like Amazon.com, are also retailers.
Fig. 7.11 Retail Business.
Many businesses, like Home Depot, are both wholesalers and retailers because they
sell to both consumers and building contractors.
Importance of Retailing
As the final link between consumers and manufacturers, retailers are a vital part of the business world. Retailers add value to products by making it easier for manufacturers to sell and consumers to buy. It would be very costly and time consuming for you to locate, contact and make a purchase from the manufacturer every time you wanted to buy a candy bar, a sweater or a bar of soap. Similarly, it would be very costly for the manufacturers of these products to locate and distribute them to consumers individually. By bringing multitudes of manufacturers and consumers together at a single point, retailers make it possible for products to be sold, and, consequently, business to be done.
Retailers also provide services that make it less risky and more fun to buy products. They have salespeople on hand who can answer questions, may offer credit, and display products so that consumers know what is available and can see it before buying. In addition, retailers may provide many extra services, from personal shopping to gift wrapping to delivery, that increase the value of products and services to consumers.
Role of E-commerce in Retailing
Advances in technology, like the Internet, have helped make retailing an even more challenging and exciting field in recent years. The nature of the business and the way retailing is done are currently undergoing fundamental changes. However, retailing in some form will always be necessary. For example, even though the Internet is beginning to make it possible for manufacturers to sell directly to consumers, the very vastness of cyberspace will still make it very difficult for a consumer to purchase every product he or she uses directly. Online retailers like Amazon.com bring together assortments of products for consumers to buy in the same way that bricks-and-mortar retailers do.
In addition, traditional retailers with physical stores will continue to be necessary. Of course, retailers who offer personal services, like hair styling, will need to have face-to-face interaction with the consumer. But even with products, consumers often want to see, touch and try them before they buy. Or, they may want the product immediately and won’t want to wait for it to be shipped. Also, and perhaps most importantly, in many cases the experience of visiting the retailer is an important part of the purchase. Everything that the retailer can do to make the shopping experience pleasurable and fun can help ensure that customers come back.
E-COMMERCE APPLICATION IN SERVICE SECTOR
The service sector or the service industry is one of the three main industrial categories of a developed economy, the others being the secondary industry (manufacturing and primary goods production such as agriculture) and primary industry (extraction such as mining and fishing).
The tertiary sector of industry involves the provision of services to other businesses, as well as final consumers. Services may involve the transport, distribution and sale of goods from producer to consumer, as may happen in wholesaling and retailing, or may involve the provision of a service such as in pest control or entertainment. The goods may be transformed in the process of providing the service, as happens in the restaurant industry. However, the focus is on people interacting with people and serving the customer rather than transforming physical goods.
The service sector consists of the “soft” parts of the economy such as insurance, tourism, banking, retail and education.
Public utilities are often considered part of the tertiary sector as they provide services to people, while creating the utility’s infrastructure is often considered part of the secondary sector, even though the same business may be involved in both aspects of the operation.
Issues for service providers
Service providers face obstacles selling services that goods-sellers rarely face. Services are not tangible, making it difficult for potential customers to understand what they will receive and what value it will hold for them. Indeed some, such as consulting and investment services, offer no guarantees of the value for price paid.
Since the quality of most services depends largely on the quality of the individuals providing the services, it is true that “people costs” are a high component of service costs. Whereas a manufacturer may use technology, simplification and other techniques to lower the cost of goods sold, the service provider often faces an unrelenting pattern of increasing costs.
Differentiation is often difficult. How does one choose one investment advisor over another, since they (and hotel providers, leisure companies, consultants, and others) often seem to provide identical services? Charging a premium for services is usually an option only for the most established firms, who charge extra based upon brand recognition.
Role of E-commerce in Service Sector
As discussed above, e-commerce can be implemented in the service sector for gaining competitive advantage by providing strategies for differentiation, cost leadership and customer satisfaction.
E-commerce will improve the speed of transactions, reduce management expenditure and increase competitiveness, and is helpful in the banking, insurance and financial sectors, and in real estate, construction, telecom, tourism, postal and logistics services.
E-COMMERCE IMPLEMENTATION PROBLEMS, SOLUTIONS AND
POPULARITY IN MANAGING SUPPLY CHAIN: A COMPARATIVE ANALYSIS
OF DIFFERENT TOP 10 INDIAN E-COMMERCE COMPANIES
Here we discuss the various factors of e-commerce which manage the supply chain, and also explain the implementation of emerging e-commerce problems, solutions and popularity of different top e-commerce companies. This paper presents the comparative analysis of these top e-commerce companies through different coloured graphs, so through these graphs we can easily analyse the supply chain in online e-commerce.
We discuss the e-commerce progress level of India, the seventh-largest country by geographical area, the second most populous country, and the most populous democracy in the world. The Indian e-commerce space is growing as more and more online retailers enter the market. Although this level of entry in the e-commerce market is good from a long-term perspective, the challenge is that most entrepreneurs don’t have the resources or capital to wait years before they can make profits.
B. E-Commerce Integration Process
Fig.7.12. E-Commerce Integration Process.
C. E-Commerce companies
This comparative analysis has been done on the top 10 Indian e-commerce companies, which are given below with different criteria and different features.
1. Flipkart Company: Flipkart is a top e-commerce website that made books easily available to anyone who had internet access. Today, Flipkart is present across various categories including movies, music, games, mobiles, cameras, computers, healthcare and personal products, home appliances and electronics. The following are the salient features:
(i) Payment: Flipkart provides a safe and secure shopping service; all major credit and debit cards are accepted, and payment is also accepted by Internet Banking, Cash on Delivery and Equated Monthly Installments (EMI).
(ii) Time: This e-commerce company provides 24*6 customer support. It also provides delivery in 3 days; for other areas, orders will be sent by registered post through the Indian Postal Service, which may take 1-2 weeks depending on the location and distance.
(iii) Cost: Flipkart provides free delivery on all items if your total order amount is more than Rs. 200/-. Otherwise Rs. 30/- is charged as delivery charges.
(iv) Integration: Eases integration because all Credit/Debit card details remain confidential and private. Flipkart’s trusted payment gateways use SSL encryption technology to protect the user’s card information.
(v) Scalability: Only in India.
(vi) Customization: Eases customization because the user can review the status and other information of all the orders, whether pending or fulfilled, that they have placed with Flipkart.com.
(vii) Challenges: Flipkart doesn’t deliver items internationally; there will be no warranty for mobile accessories.
(viii) Platform: While it is not necessary to have a Flipkart account to shop and purchase items, it is certainly recommended to have one. You can shop by providing just your email ID.
Fig. 7.13. Flipkart Company with Different Features of E-commerce.
(ix) Popularity: Ranks in the top 30 websites in India; 8,000,000 visits every month; 30,000+ items shipped per day; 27 cities with own delivery network.
2. Magazine Mall Company: Magazine Mall is a property of Global Interactive Malls P. Ltd. It focuses on retailing publications in an “e-bricks” model across India and the rest of the world.
(i) Payment: Magazine Mall Company provides payment services through all major credit and debit cards, Internet Banking, mobile payment and cheque/DD.
(ii) Time:
(a) Standard Shipping: Activated for delivery by publishers, using regular post within 4-6 weeks of your order.
(b) Premium Shipping: Activated for delivery by us within 1 week of your order, by air courier.
(iii) Cost:
(a) Standard Shipping: No shipping charges apply.
(b) Premium Shipping: Chargeable at Rs. 15/issue within India.
(iv) Integration: Predictable delivery timelines and renewal management services, powered by the CC Avenue payment enablement system, with the widest range of payment options made available to the user.
(v) Scalability: International shipping is also available and it may apply for addresses located outside of India.
(vi) Customization: The risk of loss for such items passes to the user upon dispatch. The user receives communication electronically, whether by email or other notices on the site or as may be sent to the user.
(vii) Challenges: When a user wants to cancel, the company will be unable to refund for cancellations made after 90 days from the date of order. There will also be a 10% service charge on the total and original value of the cancelled subscriptions.
(viii) Platform: Live help support, E-mail and Phone support.
(ix) Popularity: This website is used regularly by internet users.
Fig. 7.14. Magazine Mall Company with Different Features of E-commerce.
3. 20North Company: 20North Company is well on its way to becoming India’s leading online retailer. At 20North we believe that Indian consumers have interests, passions and pursuits that cannot be fulfilled with products from the humdrum mainstream of Indian retail.
(i) Payment: 20North Company accepts all major Credit and Debit Cards, Demand Drafts and Money Transfer payment service using Visa, MasterCard or American Express card, Cheque/DD.
(ii) Time: Orders are delivered in 5-15 business days based on the product and the delivery zip code in India, and this usually takes 1 to 4 working days.
(iii) Cost: No free shipping. 15% (20North Service Charge) + Duty + Shipping costs.
(iv) Integration: Easy integration; can be combined at time of purchase with any other form of payment with no restrictions.
(v) Scalability: It can supply at international level also, but purchases can only be made in Rupees (INR).
(vi) Customization: 20North supply can be combined with any other valid modes of payment to pay for a purchase.
(vii) Challenges: This company does not provide warranty for any products ordered from its website.
(viii) Platform: E-mail, and only a registered user can shop at 20North.
(ix) Popularity: 20North.com is well on its way to becoming India’s leading online shopping portal.
Fig. 7.15. 20North Company with Different Features of E-commerce.
4. Snapdeal Company: Snapdeal Company provides more fun for consumers. Being India’s best daily deals website, it brings up to 90% discounts on dining, health and beauty services, branded products, travel and more.
(i) Payment: The different payment options are Credit card, Debit card, Cash card, Internet-enabled online bank account and mobile banking. Snapdeal offers up to 90% discount on products. Payment is SSL secure.
(ii) Time: Most deals carry over 1 month validity.
(iii) Cost: Snapdeal offers up to 90% discount.
(iv) Integration: The website requires you to register as a User by creating an Account in order to purchase coupons from the website.
(v) Scalability: Only in India.
(vi) Customization: The user can buy the deal without subscribing. Just click the “Buy” button, fill in the email ID and mobile number, and make the payment online. This sends the Snapdeal voucher over email and SMS. It also provides a guarantee to replace the product voucher or refund the complete amount.
(vii) Challenges: This governs purchase and use of the coupons/vouchers. It also governs the access and use of the website and secures the personal information of users.
(viii) Platform: E-mail support and Phone support.
(ix) Popularity: Snapdeal is offering deals in 20 cities including Delhi, Mumbai, Bangalore, Hyderabad, Chennai, Kolkata and Pune. This site is very widely used.
Fig. 7.16. Snapdeal Company with Different Features of E-commerce.
5. Deals and You Company: Deals and You is a group buying portal that features a daily deal on the best stuff to do, see and buy in some of India’s leading cities.
(i) Payment: This company provides different payment methods such as credit card, debit card or cash on delivery.
(ii) Time: Orders are delivered within 24 hours.
(iii) Cost: Shipping is not free of cost.
(iv) Integration: Ease of integration using credit and debit cards.
(v) Scalability: Only in India.
(vi) Customization: Ease of customization; registration to dealsandyou.com is free. Users are billed only when they purchase a deal from Deals and You Company.
(vii) Challenges: Deals and You Company makes no warranty for the quality, safety, usability, or other aspects of the product or service marketed through Deals and You.
(viii) Platform: E-mail support and Phone support.
(ix) Popularity: Deals and You is offering deals in various cities including Delhi, Mumbai, Bangalore, Hyderabad, Chennai, Kolkata, Pune and Ahmedabad.
Fig. 7.17. Deals and You Company with Different Features of E-commerce.
6. Naaptol Company: Launched in January 2008, Naaptol has grown to become India’s leading comparison-based social shopping portal, the one-stop destination for all shoppers, merchants and market enthusiasts.
(i) Payments: As soon as payment against an order is cleared through Cheque/DD or Credit Card/Internet banking, the order will be shipped immediately.
(ii) Time: Delivery depends on location.
(iii) Cost: Shipping is not free of cost.
(iv) Integration: Ease of integration using credit and debit cards.
(v) Scalability: Only in India.
(vi) Customization: Ease of customization.
(vii) Challenges: Naaptol is an online shopping portal and not a retail store; users cannot physically examine products and can only see the displays on the website. No warranty of any kind is given regarding this website or any materials provided on this site.
(viii) Platform: E-mail support and Phone support.
(ix) Popularity: Average popularity.
Fig. 7.18. Naaptol Company with Different Features of E-commerce.
7. Fashion and You Company: Fashion and You Company is the key to indulging in high fashion and luxury brands at exclusive members-only prices.
(i) Payment: Payment is done by Cheque Payment, Cash on Delivery and Internet Banking.
(ii) Time: Express orders will be shipped within 24 hrs from the purchase. Depending upon the location, the user will receive the order within 2-7 business days. Sometimes it takes between 3-4 weeks to deliver the order from the date you make a purchase on the site.
(iii) Cost: Fashion and You levies INR 100 as shipping charge.
(iv) Integration: First come first served, so make sure of your purchase and log on early to bag the best deal.
(v) Scalability: Only in India.
(vi) Customization: Access to Fashion and You sales is reserved for registered members only. Membership is free and membership is by invite only.
(vii) Challenges: Once payment has been confirmed, you will be unable to make any further changes to your order.
(viii) Platform: Email support and SMS support.
(ix) Popularity: Average popularity.
Fig. 7.19. Fashion and You Company with Different Features of E-commerce.
8. Yebhi Company: This site also has variety like watches, sunglasses, mobiles, cameras, jewellery, home and kitchen appliances and many more things for online shopping.
(i) Payment: Payment is done by Cheque Payment, Cash on Delivery and Net Banking.
(ii) Time: Fastest shipping possible for customer orders according to location.
(iii) Cost: No shipping charge.
(iv) Integration: It provides all branded products and ease of integration using credit and debit cards.
(v) Scalability: Mostly in India, and it can deliver products at international level also, but with no free shipping for that.
(vi) Customization: It provides the fastest shipping for customer orders, provides the widest range of choices for customers and enables brand partners to reach the widest audience.
(vii) Challenges: The refund process will be initiated once the company has received the products.
(viii) Platform: E-mail support, Phone support, Live support.
(ix) Popularity: It carries a portal catering to more than 1000 retailers across the country and was awarded best e-commerce company in 2010.
Fig. 7.20. Yebhi Company with Different Features of E-commerce.
9. Myntra Company: Myntra.com is ranked among the top 10 e-commerce companies in India and is scaling rapidly. Myntra was started by a group of IIT/IIM graduates in early 2007 and is headquartered in Bangalore with regional offices in New Delhi, Mumbai and Chennai.
(i) Payment: This company provides different payment methods such as credit card, debit card, cash on delivery, net banking and ITZ Cash payments.
(ii) Time: Myntra attempts to process every order and ship within 24 hrs. It also depends upon location within India; post ordering, this should take 5-7 days overall to get delivered.
(iii) Cost: Myntra offers free shipping within India on all products above Rs. 99. For international orders and orders below Rs. 99, appropriate shipping cost is charged.
(iv) Integration: It also provides the option of CC Avenue and EBS payment gateways, which process all credit card and net banking transactions over a secure encrypted connection.
(v) Scalability: It can ship internationally to all major countries.
(vi) Customization: Ease of customization and easy to order products.
(vii) Challenges: Coupons will be valid for 30 days, and returns are not supported on international order shipments.
(viii) Platform: E-mail support and Phone support.
(ix) Popularity: In the last 3 years, Myntra has become the most popular destination for personalized products in the country. Red Herring Global 100 winner 2010 and awarded the “Pride of India 2009-2010” award for Exceptional Business Growth by IDG Ventures.
Fig. 7.21. Myntra Company with Different Features of E-commerce.
10. Indian Gifts Portal Company: Indian Gifts Portal is an online gifts supermarket. It offers a wide range of gift options, most of which are exclusive Indian products, right at your desktop.
(i) Payment: It accepts Credit Card (both Indian and International), Debit Card, American Express, JCB, Discover, Diners Club, Internet Banking, PayPal, Paymate, Done Cash Card and ITZ Cash Card, with detailed payment-related information available, including the bank list for Debit Cards and Net Banking.
(ii) Time: It delivers within 72 hours, and it also delivers within (J working days of securing payment or on the approximate delivery date mentioned by the user in the order.
(iii) Cost: No free shipping.
(iv) Integration: Secure mode on the customer’s browser, using SSL (Secure Sockets Layer) to encrypt sensitive data such as credit card numbers.
(v) Scalability: Both National and International level.
(vi) Customization: Ease of customization, and uses a 128-bit encryption secured payment gateway.
(vii) Challenges: Orders are accepted only online after securing your payment through the credit card information submitted by you.
(viii) Platform: Only by mail process.
(ix) Popularity: Average level popularity.
Fig. 7.22. Indian Gifts Portal Company with Different Features of E-commerce.
The graph below shows the unique users in July 2011 who used e-commerce websites. This graph compares the top 10 e-commerce companies, so we can easily see which company is used more by users.
Fig. 7.23. E-commerce Companies Users in July 2011 in Lakhs.
Benefits of Online Travel Services for Consumers: Online travel services are usually available 24 hours a day, and many consumers have internet access both at work and at home. Other establishments such as internet cafes and schools provide access as well. A visit to a conventional service requires travel and must take place during business hours.
Searching or browsing an online service site can be faster than browsing the aisles of a physical office. One can avoid crowded malls, long lines and lack of parking. Consumers with dial-up internet connections rather than broadband have much longer load times for content-rich websites and have a considerably slower online travel service experience.
Some consumers prefer interacting with people rather than computers because they find computers hard to use. Not all online service providers have succeeded in making their sites easy to use or reliable. On the other hand, a majority of providers have made it easy to find the service one is looking for, as well as the price range that is acceptable, making the travel experience quick and efficient. The internet has made shopping an almost effortless task.
In most cases merchandise must be shipped to the consumer, introducing a significant delay and potentially uncertainty about whether or not the item was actually in stock at the time of purchase. Most successful sites will say whether or not a product is in supply. Yatra.com offers the ability to buy and book tickets and hotel reservations online. Many stores give the consumer the delivery company’s tracking number for their reservations, so they can check its status online. A quick response time is sometimes an important factor in consumers’ choice of merchant. Customers can choose the type of shipping they want, from overnight to a few days. The quicker the delivery, the higher the shipping cost. A weakness of online shopping is that even if a purchase can be made 24 hours a day, the customer must often be at home during normal business hours to accept the delivery. For many professionals this can be difficult, and absence at the time of delivery can result in delays or, in some cases, return of the item to the retailer. Automated delivery booths, such as DHL’s Packstation, have tried to address this problem. When shopping in a retail store, customers can handle and inspect the actual product before they purchase it.
In the event of a problem with the item (it is not what the consumer ordered, or it is not what they expected), consumers are concerned with the ease with which they can return an item for the correct one or get a refund. Consumers may need to contact the retailer, visit the post office and pay return shipping, and then wait for a replacement or refund. Some online companies have more generous return policies to compensate for the traditional advantage of physical stores.
SUMMARY
• E-business is an umbrella term that includes e-commerce and refers to the use of the Internet and private intranets to transform a company’s value chain.
• A trade cycle is the series of exchanges between a customer and supplier that take place when a commercial exchange is executed.
• A general trade cycle consists of four phases. These are:
(a) Pre-Sales
(b) Execution
(c) Settlement
(d) After-Sales
• EDI is the e-Commerce technology appropriate for the commercial transactions that are repeated on a regular basis.
• Internet e-Commerce is the e-Commerce technology appropriate for the consumer transactions that tend to be once off.
• Internet e-Commerce or an electronic market is the appropriate e-technology for the non-repeating commercial trade cycle.
• Supply chain is a network of facilities and distribution options that performs the functions of procurement of materials (from supplier), transformation of these materials into intermediate and finished products (manufacturing), and the distribution of these finished products to customers (to customer).
(e) E-commerce enhances the value chain by supporting reduced time frames, changed cost structures, just-in-time manufacture, efficient document processing, competitive advantage etc.
(f) A firm is said to possess a competitive advantage over its rivals if it sustains profits that exceed the average for its industry.
(g) Michael Porter identified two basic types of competitive advantage:
• Cost advantage
• Differentiation advantage
(h) To achieve a competitive advantage, the firm must perform one or more value-creating activities in a way that creates more overall value than competitors do.
(i) Electronic procurement (e-Procurement) is the use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process.
(j) e-Procurement can be divided in two parts: direct-material procurement, in which raw materials or components needed for production are procured from supply chain partners, and indirect material procurement, in which materials that are indirectly used are procured.
(k) The best practices in e-procurement include: using a procurement card system and electronic funds transfer system, clarifying the employees’ role in the procurement process, using a strategic approach to implementation and participating in collaborative e-procurement.
(l) e-Procurement has an indirect effect on cash savings by providing access to good deals. Central government, local government and strategic private sector partners are introducing and developing e-Commerce systems for public sector purchasing for improving the procurement process.
(m) e-Auction can improve preparation and planning for the tendering process, increase the opportunity for suppliers to submit revised bids for a contract, provide a more level playing field for suppliers and improve quality of service.
(n) ePurchasing tools can help procurement professionals and end users achieve more efficient processes and more accurate order details.
(o) In this way e-commerce can be used in manufacturing, retail, wholesale and service sectors to enhance business.
EXERCISES
1. What is a trade cycle? Explain the various phases and types of trade cycle.
2. Explain the use of e-commerce in the trade cycle.
3. What is supply chain?
4. Explain Porter’s value chain model.
5. What is competitive advantage? Explain Porter’s model for competitive forces.
6. Explain the use of e-commerce in gaining competitive advantage.
7. Explain the role of e-commerce in manufacturing.
8. Explain the role of e-commerce in wholesale.
9. Explain the role of e-commerce in retail.
10. Explain the role of e-commerce in service sector.
UNIT-III
Website Designing Introduction to HTML tags and
Attributes: Text Formatting, Fonts, Hypertext Links,
Tables, Images, Lists, Forms, Cascading Style Sheets
• Website Designing Introduction to HTML tags and attributes: Text formatting, fonts, hypertext links, tables, images, lists, forms, cascading style sheets
The full meaning of HTML is Hyper Text Markup Language, which is the most widely used language on the Web to develop web pages. HTML was created by Berners-Lee in late 1991, but “HTML 2.0” was the first standard HTML specification, which was published in 1995. HTML 4.01 was a major version of HTML and was published in late 1999. Though the HTML 4.01 version is widely used, currently we have the HTML5 version, which is an extension to HTML 4.01, and this version was published in 2012.
<html>
<body>
<h1>Hello and welcome to all!</h1>
</body>
</html>
3.2 Attributes
An attribute is used to define the characteristics of an HTML element and is placed inside
the element’s opening tag. Attributes are made up of two parts: a name and a value.
Attribute names and attribute values are case-insensitive.
1. Name is the property you want to set. For example, the paragraph <p> element in the example carries an attribute whose name is align, which you can use to indicate the alignment of the paragraph on the page.
2. Value is what you want the property to be set to, and it is always put within quotation marks. The example below shows three possible values of the align attribute: left, center and right.
3.3 Text Formatting
If you use a word processor, you must be familiar with the ability to make text bold,
italicized, or underlined; these are just three of the ten options available to indicate how
text can appear in HTML and XHTML.
3.3.1 Bold Text
Anything that appears within <b>...</b> element, is displayed in bold as shown below:
3.4. Hypertext links
A webpage can contain various links that take you directly to other pages and even to specific parts of a given page. These links are known as hyperlinks. Hyperlinks allow visitors to navigate between Web sites by clicking on words, phrases, and images. A link is specified using the HTML <a> tag, called the anchor tag; anything between the opening tag and the closing tag becomes part of the link, and a user can click that part to reach the linked document.
Frame : HTML frames are used to divide your browser window into multiple sections
where each section can load a separate HTML document. A collection of frames in the
browser window is known as a frameset. The window is divided into frames in a similar
way the tables are organized: into rows and columns.
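To see how a parser actually reads the tags, attributes, hyperlinks and frames described in this unit, here is an added Python example (it is not part of the study material); the two sample pages and the file names in them, such as about.html and menu.html, are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the study material) using the features
# this unit lists: a heading, a paragraph with an align attribute, bold text,
# an anchor (hypertext link), a list and an image.
SAMPLE_HTML = """<html>
<body>
<h1>Hello and welcome to all!</h1>
<p ALIGN="center">This is <b>bold</b> text.</p>
<a href="about.html">About <b>us</b></a>
<ul><li>one</li><li>two</li></ul>
<img src="logo.png" alt="Site logo">
</body>
</html>
"""

# Constructed frameset document: the window is split into two columns and
# each frame loads its own HTML document.
SAMPLE_FRAMESET = """<html>
<frameset cols="25%,75%">
<frame src="menu.html" name="menu">
<frame src="main.html" name="content">
</frameset>
</html>
"""


class TagInspector(HTMLParser):
    """Records every element's attributes and the text of every hyperlink."""

    def __init__(self):
        super().__init__()
        self.elements = []       # (tag, {attribute name: value}) in document order
        self.links = []          # (href, visible link text)
        self._open_link = None   # (href, [text fragments]) while inside <a>...</a>

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so ALIGN and align
        # are the same attribute; attribute values are kept exactly as written.
        attributes = dict(attrs)
        self.elements.append((tag, attributes))
        if tag == "a":
            self._open_link = (attributes.get("href"), [])

    def handle_data(self, data):
        # Text between <a> and </a> (even inside a nested <b>) is part of the link.
        if self._open_link is not None:
            self._open_link[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_link is not None:
            href, fragments = self._open_link
            self.links.append((href, "".join(fragments).strip()))
            self._open_link = None


def inspect(html_text):
    parser = TagInspector()
    parser.feed(html_text)
    parser.close()
    return parser


def attributes_of(html_text, tag):
    """Attribute name/value pairs of the first element with this tag name."""
    for name, attributes in inspect(html_text).elements:
        if name == tag:
            return attributes
    return None


def links_in(html_text):
    """All hyperlinks as (href, link text)."""
    return inspect(html_text).links


def frame_sources(html_text):
    """The documents loaded by each <frame> of a frameset, in order."""
    return [attrs["src"] for tag, attrs in inspect(html_text).elements
            if tag == "frame"]


if __name__ == "__main__":
    print(attributes_of(SAMPLE_HTML, "p"))      # {'align': 'center'}
    print(links_in(SAMPLE_HTML))                # [('about.html', 'About us')]
    print(frame_sources(SAMPLE_FRAMESET))       # ['menu.html', 'main.html']
```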
UNIT-IV
E-payment, System-payment Methods–Debit Card,
Credit Card, Smart Cards, E-Money, E-Wallets
• E-payment System-payment Methods- Debit card, Credit card, Smart cards, E-Money, E-Wallets;
• Digital signatures- procedures and legal position;
• Payment Gateways
• Online Banking – Concepts, importance, Electronic Fund Transfer, automated Clearing house, Automated Ledger posting.
• Emerging modes and systems of E-payment (MPaisa, PayPal and other digital currency);
• E-payments risks
E-payment System-payment Methods- Debit card, Credit card, Smart
cards, E-Money, E-Wallets;
• Debit Card : This card is also used for online payment, but with this card a person must have sufficient balance in his/her account, and the total payment that can be made in one day is also specified. The user of this card can withdraw up to a certain amount with the help of this card.
• Credit Card : This card is also used for online payment, but with this card a person need not have sufficient balance in his/her account, and the total payment that can be made in one day is also specified. The user of this card can withdraw up to a certain amount with the help of this card, and up to a certain limit purchases can also be made without having funds in the account. The credit card bill can be paid after a few days.
• Smart Card : These cards are used with balance in hand. This means that your card must have balance before using it, like a Debit Card. Metro Smart Card, Patanjali Smart Card and Mother Dairy Smart Card are the best examples.
• E-wallets : These are used for online payment using mobile phones. The following applications are very popular and are the best examples:
1. Paytm
2. Google Pay
3. UPI
4. Jio Money
Digital Signature procedures and legal position
The Information Technology Act, 2000, recognizes the use of digital signature to
authenticate electronic records. As such, digital signatures fulfil all statutory
requirements associated with acceptance of a handwritten signature. A digital signature
is a block of data at the end of an electronic message that identifies the signer of the
electronic message and also confirms that the said signer approved the content of that
electronic message.
Thus, internet contracts are authenticated by digital signature technology and
become binding on the parties. The expression ‘digital signature’ means authentication
of any electronic record by a subscriber by means of an electronic method or procedure in
accordance with the provisions of Section 3 [Section 2(1) (p)].
Authentication of electronic records - Any subscriber may authenticate an
electronic record by affixing his digital signature. The authentication of the electronic
record shall be effected by the use of an asymmetric crypto system and hash function which
envelop and transform the initial electronic record into another electronic record.
Explanation - For the purposes of this sub-section, ‘hash function’ means an
algorithm mapping or translation of one sequence of bits into another, generally
smaller, set known as the ‘hash result’, such that an electronic record yields the same hash
result every time the algorithm is executed with the same electronic record as its input,
making it computationally infeasible:
(a) to derive or reconstruct the original electronic record from the hash result
produced by the algorithm;
(b) that two electronic records can produce the same hash result using the
algorithm.
Any person can verify the electronic record by the use of the public key of the
subscriber. The private key and the public key are unique to the subscriber and constitute a
functioning key pair (Section 3).
In order to be called legally binding, all electronic communications or transactions
must meet the following fundamental requirements:
(a) Authenticity of the sender to enable the recipient to determine who really sent
the message;
(b) Message integrity, the recipient must also be able to determine whether or not
the message received has been modified en route or is incomplete; and
(c) Non-repudiation, the ability to ensure that the sender cannot falsely deny
sending the message, nor falsely deny the contents of the message.
It led to the acceptance of cryptography, a data encryption technique, which provided
just that kind of data protection. Section 3 advocates the use of an ‘asymmetric crypto system’
where an asymmetric key pair consisting of a public and a private key is used to encrypt
and decrypt the message respectively. The private key is kept confidential and is used by
the subscriber to create the digital signature, whereas the public key is more widely
known, is used by a relying party to verify the digital signature, and is listed in the
digital signature certificate. See Fig. 2.
Figure 2: Digital signature using public and private keys
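As an added illustration of the Section 3 mechanism (a hash function plus an asymmetric key pair), the following Python program is constructed for this lesson; it is not code from the study material and not the algorithm any Certifying Authority prescribes. It builds a toy RSA key pair from randomly generated primes, affixes a signature by hashing the record with SHA-256 and applying the private key, and verifies the record with the public key. The function names and the sample record are assumptions; a real scheme such as RSA-PSS adds padding and uses far larger keys.

```python
import hashlib
import random

# Added illustration of the Section 3 mechanism: a hash function plus an
# asymmetric key pair. Toy RSA with no padding, constructed for this lesson;
# not a production signature scheme and not the algorithm any Certifying
# Authority prescribes.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits: int = 256):
    """Return (public_key, private_key) as (n, e) and (n, d); n is 2*bits long."""
    e = 65537
    while True:
        p, q = generate_prime(bits), generate_prime(bits)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        try:
            d = pow(e, -1, phi)      # modular inverse; ValueError when gcd(e, phi) != 1
        except ValueError:
            continue
        return (p * q, e), (p * q, d)


def hash_record(record: bytes) -> int:
    """The 'hash result' of Section 3: SHA-256 of the electronic record, as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_key) -> int:
    """Subscriber side: apply the private key to the hash result (Section 2(1)(zc))."""
    n, d = private_key
    h = hash_record(record)
    if h >= n:
        raise ValueError("modulus too small for a 256-bit hash result")
    return pow(h, d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Relying party side (Section 2(1)(zh)): recover the hash result with the
    public key and compare it with a fresh hash of the record as received."""
    n, e = public_key
    return pow(signature, e, n) == hash_record(record)


if __name__ == "__main__":
    public_key, private_key = generate_key_pair()
    record = b"Electronic record: supply 100 units at Rs. 50 each"   # constructed sample
    signature = affix_signature(record, private_key)
    print(verify(record, signature, public_key))                   # True
    print(verify(record + b" (altered)", signature, public_key))   # False
```

The two verify calls show both halves of the Section 2(1)(zh) definition of ‘verify’: the first confirms the signature was affixed with the private key matching the subscriber’s public key; the second shows that altering even one byte of the record changes the hash result, so the same signature no longer verifies.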
Section 2 (1) of IT Act, 2000 defines the various terms used above in the following
words:
(a) Affixing digital signature - It means adoption of any methodology or procedure
by a person for the purpose of authenticating an electronic record by means of
digital signature [Section 2(1) (d)].
(b) Asymmetric crypto system - It means a system of a secure key pair consisting
of a private key for creating a digital signature and a public key to verify the
digital signature [Section 2 (1) (f)].
(c) Electronic record - It means data, record or data generated, image or sound
stored, received or sent in an electronic form or micro-film or computer generated
micro-fiche [Section 2(1) (t)].
(d) Key pair - In an asymmetric crypto system, ‘key pair’ means a private key and
its mathematically related public key, which are so related that the public key
can verify a digital signature created by the private key [Section 2 (1) (x)].
(e) Private key - It means the key of a key pair used to create a digital signature
[Section 2(1) (zc)].
(f) Public Key - It means the key of a key pair used to verify a digital signature and
listed in a Digital Signature Certificate [Section 2(1) (zd)].
(g) Subscriber - It means the person in whose name the Digital Signature Certificate is
issued [Section 2(1) (zg)].
(h) Verify - ‘Verify’, in relation to a digital signature, electronic record or public key,
with its grammatical variations and cognate expressions, means to determine
whether:
(i) the initial electronic record was affixed with the digital signature by the use of
the private key corresponding to the public key of the subscriber;
(ii) the initial electronic record is retained intact or has been altered since such
electronic record was so affixed with the digital signature [Section 2(1) (zh)].
Digital signature means authentication of any electronic record by a subscriber by
means of an electronic method or procedure in accordance with the provisions of section
3; and Digital Signature Certificate means a Digital Signature Certificate issued under
sub-section (4) of section 35. The use of digital signature for online / offline / email based
transactions. The preamble of the Information Technology Act, 2000, states: ‘An Act to
provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication commonly referred to as
“electronic commerce”, which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents
with the Government agencies.’ The ‘Statement of Objects and Reasons’ appended to the
Information Technology Bill, 1999, explains the rationale behind the Act. It would be
worthwhile here to take note of the excerpts from the said statement given below:
‘New communication systems and digital technology have made dramatic changes in
the way we live. A revolution is occurring in the way people transact business.
Businesses and consumers are increasingly using computers to create, transmit and store
information in the electronic form instead of traditional paper documents. Information
stored in electronic form has many advantages. It is cheaper, easier to store and retrieve, and
speedier to communicate. Although people are aware of these advantages, they are
reluctant to conduct business or conclude any transaction in the electronic form due to
lack of an appropriate legal framework. The two principal hurdles which stand in the way of
facilitating electronic commerce and electronic governance are the requirements as to
writing and signature for legal recognition. At present, many legal provisions assume the
existence of paper based records and documents and records which should bear
signatures. The Law of Evidence is traditionally based upon paper based records and oral
testimony. Since electronic commerce eliminates the need for paper based transactions,
the need for legal changes to facilitate e-commerce has become an urgent
necessity. International trade through the medium of e-commerce has been growing rapidly in
the past few years and many countries have switched over from traditional paper based
commerce to e-commerce.
There is a need for bringing in suitable amendments in the existing laws in our
country to facilitate e-commerce. It is, therefore, proposed to provide for legal
recognition of electronic records and digital signatures. This will enable the conclusion of
contracts and the creation of rights and obligations through the electronic medium. It is
also proposed to provide for a regulatory regime to supervise the Certifying Authorities
issuing Digital Signature Certificates. To prevent the possible misuse arising out of
transactions and other dealings concluded over the electronic medium, it is also proposed
to create civil and criminal liabilities for contravention of the provisions of the proposed
legislation.
With a view to facilitating Electronic Governance, it is proposed to provide for the use
and acceptance of electronic records and digital signatures in the Government offices and
its agencies. This will make the citizens’ interaction with the Government offices hassle
free.’
The Information Technology Act seeks to achieve the following
objectives:
(i) To provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication,
commonly referred to as ‘electronic commerce’;
(ii) To facilitate the growth of e-commerce and e-governance;
(iii) To provide equal treatment to users of paper-based documentation vis-a-vis
electronic records;
(iv) To place digital signature at par with paper signature and provide a
comprehensive approach for determining the authenticity and integrity of
electronic signature;
(v) To provide for a suitable regulatory regime to supervise the functioning of the
Certifying Authorities issuing Digital Signature Certificates;
(vi) To recognize electronic storage of documents or records as valid where law
requires maintenance of paper records;
(vii) To provide penalties and punishment for information technology
contraventions and offences;
(viii) To establish the Cyber Regulations Appellate Tribunal to hear appeals against
the orders of the Controller or Adjudicating Officers;
(ix) To make amendments in several legislations such as the Indian Penal Code,
Indian Evidence Act, etc. so as to bring them at par with the needs of the IT
Act, 2000.
Exercise
1. Definition of Digital Signature
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
2. Define objectives of IT Act, 2000
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
3. Define Electronic commerce
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
....................................................................................................................................
Payment Gateways
A payment gateway is a separate service and acts as an intermediary between the
merchant’s shopping cart and all the financial networks involved with the transaction,
including the customer’s credit card issuer and your merchant account. It checks for
validity, encrypts transaction details, ensures they are sent to the correct destination and
then decrypts the responses which are sent back to the shopping cart. A payment gateway
can be thought of as a digital equivalent of a credit card processing terminal.
A Payment Gateway is an e-commerce service that authorizes payments for e-businesses and online retailers.
This is a seamless process and your customer does not directly interact with the
gateway, as data is forwarded to the gateway via your shopping cart and a secure (SSL)
connection. The shopping cart is configured via plugins to send information in a format
that is acceptable to the particular gateway.
How payment gateways work
Payment gateways encrypt information handled through SSL (Secure Sockets Layer).
This prevents opportunity for fraud, and adds security to the transaction process. Gateways
communicate with a variety of entities, including:
• The customer
• The merchant (through their website)
• Credit Card companies (by verifying information)
• Internet Merchant accounts that relay order information from the gateway to the
merchant’s bank account
Benefits of payment gateway
Benefits of having a payment gateway are:
1. Security: Gateways keep customers’ credit card data behind firewalls so that the
merchant doesn’t have to worry about someone “hacking into” their system.
2. Encryption: Gateways use SSL encryption to prevent message tampering while the
credit card information is being transmitted over the Internet. EMS provides the most
secure encryption technology.
3. Back-up redundancy: Gateways have a backup system in place to ensure that
merchants can continue processing in the event of an emergency.
4. Up-to-date technology: Gateways are services that are constantly upgraded to be up
to date with the latest technology. And, because the gateways are not on merchants’
computers, there is no need for the merchants to upgrade their hardware. Gateways
save the cost of an additional phone line that would be needed in a dial-up application.
ISSUES OF ELECTRONIC PAYMENT TECHNOLOGY
Online payment processing requires coordinating the flow of transactions among a
complex network of financial institutions and processors. Fortunately, technology has
simplified this process so that, with the right solution, payment processing is easy, secure,
and seamless for both you and your customers. This chapter provides you with what you
need to know about online payment processing issues:
• Online payment processing basics
• The payment processing network
• How payment processing works
• What you should know about fraud
• What to look for in a payment processing solution
• Online Payment Processing Basics: Purchasing online may seem to be quick and
easy, but most consumers give little thought to the process that appears to work
instantaneously. For it to work correctly, merchants must connect to a network of
banks (both acquiring and issuing banks), processors, and other financial institutions
so that payment information provided by the customer can be routed securely and
reliably. The solution is a payment gateway that connects your online store to these
institutions and processors. Because payment information is highly sensitive, trust
and confidence are essential elements of any payment transaction. This means the
gateway should be provided by a company with in-depth experience in payment
processing and security.
• The Payment Processing Network: Here’s a breakdown of the participants and
elements involved in processing payments:
o Acquiring bank: In the online payment processing world, an acquiring bank
provides Internet merchant accounts. A merchant must open an Internet merchant
account with an acquiring bank to enable online credit card authorization and
payment processing. Examples of acquiring banks include Merchant Solutions
and most major banks.
o Authorization: The process by which a customer’s credit card is verified as active
and that they have the credit available to make a transaction. In the online
payment processing world, an authorization also verifies that the billing
information the customer has provided matches up with the information on record
with their credit card company.
o Credit card association: A financial institution that provides credit card services
that are branded and distributed by customer issuing banks. Examples include
Visa and MasterCard.
o Customer: The holder of the payment instrument, such as a credit card, debit card,
or electronic check.
o Customer issuing bank: A financial institution that provides a customer with a
credit card or other payment instrument. Examples include Citibank and SunTrust.
During a purchase, the customer issuing bank verifies that the payment
information submitted to the merchant is valid and that the customer has the
funds or credit limit to make the proposed purchase.
o Internet merchant account: A special account with an acquiring bank that allows
the merchant to accept credit cards over the Internet. The merchant typically pays
a processing fee for each transaction processed, also known as the discount rate.
A merchant applies for an Internet merchant account in a process similar to
applying for a commercial loan. The fees charged by the acquiring bank will vary.
o Merchant: Someone who owns a company that sells products or services.
o Payment gateway: A service that provides connectivity among merchants,
customers and financial networks to process authorizations and payments. The
service is usually operated by a third-party provider such as VeriSign.
o Processor: A large data center that processes credit card transactions and settles
funds to merchants. The processor is connected to a merchant’s site on behalf of
an acquiring bank via a payment gateway.
o Settlement: The process by which transactions with authorization codes are sent to
the processor for payment to the merchant. Settlement is a sort of electronic
bookkeeping procedure that causes all funds from captured transactions to be
routed to the merchant’s acquiring bank for deposit.
Visa and MasterCard Take Different Approaches to Authentication
Online merchants could face integration hassles as they deploy forthcoming and
competing credit card payer authentication technologies from Visa USA and MasterCard
International Inc. The technologies, Visa’s Verified by Visa and MasterCard’s Secure
Payment Applications service, take distinctly different approaches.
Visa performs authentication on the merchant site, whereas MasterCard handles it on the
customer’s PC automatically, using a previously downloaded applet.
As a result, merchants that accept credit cards will be required to support two
authentication mechanisms. Furthermore, some observers speculate the companies’
respective systems may be no more successful in gaining market acceptance than the
ill-fated Secure Electronic Transaction (SET) authentication protocol, a protocol
spearheaded by Visa and MasterCard.
Visa sweetened the bait for its system recently when it announced that online
merchants using Verified by Visa will have no liability for any transactions processed by
the service. Verified by Visa, also known as Visa Payer Authentication, authenticates
credit card users with a password and requires no client software.
MasterCard and Visa, which formerly cooperated, now find fault with each other’s
approaches. Visa’s service, for instance, will extend transaction processing times, take
customers off the merchant sites for authentication, and require complex integration.
MasterCard’s service, Visa countered, amounts to a digital wallet, which consumers have
been loath to use.
About the only thing MasterCard and Visa seem to agree on is that SET, which was
launched in December 1997, was a failure. SET required long download times for
customers, used clumsy digital certificate technology, and created integration hassles for
merchants and banks that issued the credit cards. It had all but faded away by late 1998.
But with Visa and MasterCard now going separate ways, some merchants see little
reason to try authentication technology. You’re creating another layer of complication.
After customers go through the trouble of giving you their credit card number, they now
have the problem of remembering one more password.
• How Payment Processing Works: Payment processing in the online world is similar
to payment processing in the offline or “Brick and Mortar” world, with one
significant exception. In the online world, the card is “not present” at the transaction.
This means that the merchant must take additional steps to verify that the card
information is being submitted by the actual owner of the card. Payment processing
can be divided into two major phases or steps: authorization and settlement.
o Payment Processing - Authorization and Settlement: Authorization verifies that the
card is active and that the customer has sufficient credit available to make the
transaction. Settlement involves transferring money from the customer’s account
to the merchant’s account.
o Authorization: Online: A customer decides to make a purchase on a merchant’s
Web site, proceeds to checkout and inputs credit card information.
The merchant’s Web site receives customer information and sends transaction
information to the payment gateway.
The payment gateway routes information to the processor.
The processor sends information to the issuing bank of the customer’s credit card.
The issuing bank sends the transaction result (authorization or decline) to the
processor. The processor routes the transaction result to the payment gateway.
The payment gateway passes result information to the merchant.
The merchant accepts or rejects the transaction and ships goods if necessary.
Because this is a “card not present” transaction, the merchant should take
additional precautions to ensure that the card has not been stolen and that the
customer is the actual owner of the card. See the “What You Should Know About
Fraud” section later in this chapter for more information on preventing fraudulent
transactions.
o Authorization: “Brick and Mortar”: A customer selects item(s) to purchase,
brings them to a cashier, and hands the credit card to the merchant. The merchant
swipes the card and transfers transaction information to a point-of-sale terminal.
The point-of-sale terminal routes information to the processor via a dial-up
connection (the point-of-sale terminal takes the place of the payment gateway in
the offline world).
Fig. 6.5 Customer Verification Process in Shopping Cart.
The processor sends information to the issuing bank of the customer’s credit card.
The issuing bank sends the transaction result (authorization or decline) to the
processor.
The point-of-sale terminal shows the merchant whether the transaction was
approved or declined.
The merchant tells the customer the outcome of the transaction. If approved, the
merchant has the customer sign the credit card receipt and gives the item(s) to
the customer.
In the shopping cart example, in which customer credentials are verified against
the customer database at the site, if validation of the customer’s credentials completes
without any error and is confirmed by the merchant handler, the customer’s bank
account or credit card is debited accordingly.
o Payment Processing - Settlement: The settlement process transfers authorized
funds for a transaction from the customer’s bank account to the merchant’s bank
account. The process is basically the same whether the transaction is conducted
online or offline.
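The two phases just described, as an added simulation constructed for this lesson (not code from the study material or from any gateway or processor): the issuing bank places a hold on available credit when it authorizes, and settlement later captures that hold into the merchant’s account less the discount rate. The class names, the 2% fee and the card tokens are assumptions, and the processor hop is folded into the gateway for brevity.

```python
from dataclasses import dataclass, field

# Added simulation of authorization (a hold at the issuing bank) followed by
# settlement (capture into the merchant account, less the discount rate).
# Class and field names, the 2% fee and the card tokens are assumptions for
# this lesson, not any real gateway's or processor's interface. Amounts are
# whole rupees.


@dataclass
class IssuingBank:
    """Customer issuing bank: tracks open-to-buy credit and outstanding holds."""
    available_credit: dict                      # card token -> credit still available
    holds: dict = field(default_factory=dict)   # authorization code -> held amount
    next_code: int = 1000

    def authorize(self, card_token: str, amount: int):
        """Return an authorization code, or None (decline) if the card is unknown,
        the amount is not positive, or the hold would exceed available credit."""
        if amount <= 0 or self.available_credit.get(card_token, 0) < amount:
            return None
        self.available_credit[card_token] -= amount
        code = f"AUTH{self.next_code}"
        self.next_code += 1
        self.holds[code] = amount
        return code

    def capture(self, auth_code: str):
        """Turn a hold into a payment; each code can be captured only once."""
        return self.holds.pop(auth_code, None)


@dataclass
class PaymentGateway:
    """Routes the merchant's request to the issuer (the processor hop is folded in
    here for brevity) and settles captured funds to the merchant account."""
    issuer: IssuingBank
    discount_rate: float = 0.02                 # per-transaction processing fee (assumed)
    merchant_balance: int = 0
    settled: list = field(default_factory=list)

    def authorize(self, card_token: str, amount: int) -> dict:
        """Authorization phase: forward to the issuer and relay its result."""
        code = self.issuer.authorize(card_token, amount)
        return {"approved": code is not None, "auth_code": code, "amount": amount}

    def settle(self, auth_code: str) -> bool:
        """Settlement phase: fails for unknown or already-settled codes."""
        amount = self.issuer.capture(auth_code)
        if amount is None:
            return False
        fee = round(amount * self.discount_rate)
        self.merchant_balance += amount - fee
        self.settled.append((auth_code, amount, fee))
        return True


def run_demo() -> dict:
    """Walk one card through approval, decline, settlement and a duplicate settlement."""
    issuer = IssuingBank({"card-token-A": 10000})   # constructed: Rs. 10,000 credit line
    gateway = PaymentGateway(issuer)
    first = gateway.authorize("card-token-A", 6000)     # approved, Rs. 4,000 remains
    second = gateway.authorize("card-token-A", 6000)    # declined: hold exceeds open-to-buy
    settled_once = gateway.settle(first["auth_code"])   # True: Rs. 6,000 less 2% fee
    settled_twice = gateway.settle(first["auth_code"])  # False: code already captured
    return {
        "first_approved": first["approved"],
        "second_approved": second["approved"],
        "settled_once": settled_once,
        "settled_twice": settled_twice,
        "merchant_balance": gateway.merchant_balance,
        "credit_remaining": issuer.available_credit["card-token-A"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two behaviours the prose only implies are visible here: a declined authorization leaves available credit untouched, and an authorization code can be settled only once, which is what prevents the same sale from being captured twice.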
• What You Should Know About Fraud: Credit card fraud can be a significant
problem for customers, merchants, and credit card issuers. Liability for fraudulent
transactions belongs to the credit card issuer for a card-present in-store transaction,
but shifts to the merchant for “card not present” transactions, including transactions
conducted online. This means that the merchant does not receive payment for a
fraudulent online transaction. Fortunately, there are steps you can take to significantly
limit your risk as an online merchant. The following important fraud prevention steps
should be adhered to:
1. Choose a payment services provider that is well-established and credible. Your
provider should also have in-depth experience in and a strong track record for
transaction security.
2. Make sure your payment gateway provider offers real-time credit card
authorization results. This ensures that the credit card has not been reported as lost
or stolen and that it is a valid card number.
3. One of the simplest ways to reduce the risk of a fraudulent transaction is to use
Address Verification Service (AVS). This matches the card holder billing
address on file with the billing address submitted to ensure that the card holder
is the card owner.
4. Use Card Security Codes, known as CVV2 for Visa, CVC2 for MasterCard and
CID for American Express. For American Express, the code is a four-digit
number that appears on the front of the card above the account number. For Visa
and MasterCard, the code is a three-digit number that appears at the end of the
account number on the back of the card. The code is not printed on any receipts
and provides additional assurance that the actual card is in the possession of the
person submitting the transaction. As a merchant you can ask for this code on
your online order form. Even if you do not use this for processing, simply asking
for it acts as a strong deterrent against fraud.
5. Watch for multiple orders for easily resold items such as electronic goods
purchased on the same credit card.
6. Develop a negative card and shipping address list and cross-check transactions
against it. Many perpetrators will go back to the same merchant again and again to
make fraudulent transactions.
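As an added example, not from the study material, the routine below turns steps 3 to 6 into a screening function a merchant could run on a card-not-present order before sending it for authorization. The field names, the billing address ‘on file’ (in practice returned by the issuer in the AVS response), the negative lists and the velocity threshold are constructed assumptions. One point the list leaves implicit: the card security code may be checked at order time but must never be stored with the order, so the history the velocity check reads holds only a card token and a product category.

```python
import re

# Added screening routine built from fraud prevention steps 3 to 6 above.
# The order fields, the billing address "on file" (in practice the issuer's
# AVS response), the negative lists and the velocity threshold are all
# constructed assumptions for this lesson.

RESOLD_CATEGORIES = {"electronics"}                    # easily resold goods (step 5)
NEGATIVE_CARD_TOKENS = {"card-token-BAD"}              # constructed negative list (step 6)
NEGATIVE_SHIP_ADDRESSES = {"12 Sample Lane, Delhi 110001"}


def normalize_address(text: str) -> str:
    """Lower-case, drop punctuation and collapse spaces so trivial variants compare equal."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def security_code_well_formed(brand: str, code: str) -> bool:
    """CID for American Express is four digits; CVV2 (Visa) and CVC2 (MasterCard) are three."""
    expected = 4 if brand == "amex" else 3
    return code.isdigit() and len(code) == expected


def avs_matches(submitted: str, on_file: str) -> bool:
    """Step 3: the billing address submitted must match the card holder's address on file."""
    return normalize_address(submitted) == normalize_address(on_file)


def screen_order(order: dict, history: list, velocity_limit: int = 3) -> dict:
    """Return {'accept': bool, 'reasons': [...]} for a card-not-present order.
    `history` holds earlier orders as (card_token, category) pairs only: the
    security code is checked here and never written to the history."""
    reasons = []
    if not security_code_well_formed(order["card_brand"], order.get("security_code", "")):
        reasons.append("security code missing or malformed")
    if not avs_matches(order["billing_address"], order["avs_address_on_file"]):
        reasons.append("AVS mismatch")
    if order["card_token"] in NEGATIVE_CARD_TOKENS:
        reasons.append("card on negative list")
    blocked = {normalize_address(a) for a in NEGATIVE_SHIP_ADDRESSES}
    if normalize_address(order["shipping_address"]) in blocked:
        reasons.append("shipping address on negative list")
    if order["category"] in RESOLD_CATEGORIES:
        prior = sum(1 for token, category in history
                    if token == order["card_token"] and category in RESOLD_CATEGORIES)
        if prior + 1 >= velocity_limit:
            reasons.append(f"{prior + 1} orders of easily resold goods on one card")
    return {"accept": not reasons, "reasons": reasons}


# Constructed prior orders: two electronics purchases already on card-token-A.
SAMPLE_HISTORY = [("card-token-A", "electronics"), ("card-token-A", "electronics"),
                  ("card-token-B", "books")]

GOOD_ORDER = {                                   # constructed sample order
    "card_token": "card-token-B", "card_brand": "visa", "security_code": "123",
    "billing_address": "4 Park Street, Kolkata 700016",
    "avs_address_on_file": "4 park street kolkata 700016",
    "shipping_address": "4 Park Street, Kolkata 700016", "category": "books",
}

SUSPECT_ORDER = {                                # constructed sample order
    "card_token": "card-token-A", "card_brand": "amex", "security_code": "123",
    "billing_address": "9 Other Road, Mumbai 400001",
    "avs_address_on_file": "4 Park Street, Kolkata 700016",
    "shipping_address": "12 Sample Lane, Delhi 110001", "category": "electronics",
}


def run_demo() -> dict:
    """Screen both constructed orders against the constructed history."""
    return {"good": screen_order(GOOD_ORDER, SAMPLE_HISTORY),
            "suspect": screen_order(SUSPECT_ORDER, SAMPLE_HISTORY)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The suspect order trips four rules at once (a three-digit code on an American Express card, an AVS mismatch, a listed shipping address, and a third electronics order on the same card). A real deployment would route such an order to manual review rather than decline it outright, since AVS mismatches also occur for legitimate customers who have recently moved.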
RECOMMENDATIONS ON THE SECURITY OF ELECTRONIC PAYMENTS
SYSTEMS
Here we discuss some recommendations which can give guidance to
government agencies on the security aspects of acquiring electronic merchant and
payment provider services and assist them with the choice between in-house and
outsourced operations.
RECOMMENDATIONS
For Small Payments
1. These recommendations cover payments by clients buying low priced documents,
information, etc., and clients paying accounts such as rates, licence fees, etc.
2. To minimize liability an agency should outsource both merchant and payment
services. Provided there is an adequate contract and a reliable method of updating
the agency’s information on the merchant server, essentially all liability will pass to
the merchant service and payment providers, who will manage the risks and who can
insure against any losses.
3. It is important to note that the process of arriving at an adequate contract to achieve
this end is no trivial task. Further, an agency should not assume that such a contract
makes it immune from liability for every loss. It may still be liable if it fails to
manage the contract in a diligent manner or if the underlying structure of the payment
scheme is flawed.
4. A further point worth noting is that, even when an agency succeeds in passing
liability to an external provider, it may still suffer serious embarrassment as the only
political target for those suffering from a failure in a payments scheme.
5. An agency which decides to retain the merchant server in-house and outsource
payment services should:
(a) avoid receiving client details unless encrypted by arrangement between the
client and the payment provider (e.g. by use of the SET protocol);
(b) ensure (probably by seeking AISEP certification) that advice detail passed by the
payment provider cannot be repudiated; and
(c) install strong access control including firewalling and incident detection
measures to prevent hacking of its system.
It is assumed that:
(d) the payment provider will take the necessary steps to avoid system penetration
and insure against the risk of failure; and
(e) the agency will strenuously protect client details if it holds them unencrypted,
including perhaps using AISEP-certified software/hardware, particularly for the
communications between client and agency.
6. An agency which decides to operate both merchant and payment servers will need:
• a highly reliable, preferably AISEP-certified, payments package and
agency-to-financial-institution communications system;
• strong access control entailing the maximum possible separation (personnel,
physical, and logical) between the merchant and payment servers; and
• strong protection of both merchant and payment servers against internal and
external attack.
This solution involves very high security risks. Commonwealth agencies are strongly
advised to seek Defence Signals Directorate guidance; other agencies should contact
their own security organizations.
For Large Payments
7. It is recommended that clients instruct their banks to make the transfer of large
payments directly to the agency’s bank and not use Internet-based payments systems.
Background
8. In common with all other electronic information processing systems, payments
systems are prone to disruption by people exploiting the systems’ innate
vulnerabilities. Those considering employing a payments system must decide whether
to accept the consequent risks. They will need to make a risk management decision
balancing the business advantages of adoption against the potential losses that
security failures might entail.
9. This paper examines, in generic terms, what might be described as “retail payments
systems”, i.e. those designed to allow a large number of individuals or organizations
to pay for goods and/or services from a provider. In a government context the
payments might include:
(a) the cost of documents supplied electronically;
(b) rates and charges for utilities; and
(c) fees for the registration of businesses.
10. The risks inherent in the various available systems are described so as to assist
acquirers in making an informed decision on which system to select to meet their
security requirements.
Threats
All financial systems attract fraudsters and embezzlers. The problem typically
ranges from individuals avoiding small payments or stealing small amounts to
organized criminal activities involving large sums. Electronic financial systems
connected to public networks extend the opportunities for this type of crime over
what is achievable under a paper-based process by allowing access from anywhere
in the world, often with much scope for anonymity.
11. An additional hazard associated with electronic systems is the propensity for some to
regard them as an intellectual challenge. These “hackers” (who may be employees of
the system owner or outsiders) are frequently very highly skilled. Also, because their
motivation is not financial gain, hackers may devote far more effort to “breaking” the
system than is commensurate with the profit that could be brought by success. In
addition many seek recognition for their successes by publishing on the Internet the
exploitation methods they have developed. Individuals or more organized criminal
elements may then use these methods to defraud or steal.
Online Banking : Concepts, importance
“Internet banking” refers to systems that enable bank customers to access accounts and
general information on bank products and services through a personal computer (PC) or
other intelligent device.
Internet banking products and services can include wholesale products for corporate
customers as well as retail and fiduciary products for consumers. Ultimately the products
and services obtained through Internet banking may mirror products and services offered
through other bank delivery channels. Some examples of wholesale products and services
include:
• Cash management.
• Wire transfer.
• Automated clearinghouse (ACH) transactions.
• Bill presentment and payment.
Examples of retail and fiduciary products and services include:
• Balance inquiry.
• Funds transfer.
• Downloading transaction information.
• Bill presentment and payment.
• Loan applications.
• Investment activity.
• Other value-added services.
In the past, the computer systems that made the information systems operate were
rarely noticed by customers. Today, Web sites, electronic mail and electronic bill
presentment and payment systems are an important way for banks to reach their
customers.
National banks have experimented with various forms of online banking for many
years. Some of the early experiments involved closed systems where the customers
accessed banks through a dial-in or cable TV connection. These systems limited a bank’s
potential customer base because they required out-of-area customers to either incur
long-distance charges on their phone bills or subscribe to a particular cable TV service to
access the bank. With the widespread growth of the Internet, customers can use this
technology anywhere in the world to access a bank’s network. The Internet, as an enabling
technology, has made banking products and services available to more customers and
eliminated geographic and proprietary systems barriers. With an expanded market, banks
also may have opportunities to expand or change their product and service offerings.
Electronic Fund Transfer
Inter Bank Transfer is a special service that allows you to transfer funds electronically to
accounts in other banks in India through:
• NEFT - The acronym “NEFT” stands for National Electronic Funds Transfer. Funds
are transferred to the credit account with the other participating bank using RBI’s
NEFT service. RBI acts as the service provider and transfers the credit to the other
bank’s account.
• RTGS - The acronym “RTGS” stands for Real Time Gross Settlement. The RTGS
system facilitates transfer of funds from accounts in one bank to another on a “real
time” and on “gross settlement” basis. The RTGS system is the fastest possible inter
bank money transfer facility available through secure banking channels in India.
Minimum/Maximum amount for RTGS/NEFT transactions under Retail Internet
Banking are as follows:
Type    Minimum       Maximum
RTGS    Rs. 1 Lakh    Rs. 5 Lakh
NEFT    No Limit      Rs. 5 Lakh
And the minimum/maximum amount for RTGS/NEFT transactions under Corporate
Internet Banking are as follows:
Type    Minimum       Maximum
RTGS    Rs. 1 Lakh    No Limit
NEFT    No Limit      No Limit
Under normal circumstances the beneficiary bank’s branch receives the funds in
real time as soon as funds are transferred by the remitting bank. The funds will be sent to
the RBI within three hours of the transaction. The actual time taken to credit the
beneficiary depends on the time taken by the beneficiary bank to process the payment.
Fig. 6.6 Process of Payment
Growth in Internet Banking
Numerous factors including competitive cost, customer service, and demographic
considerations are motivating banks to evaluate their technology and assess their
electronic commerce and Internet banking strategies. Many researchers expect rapid
growth in customers using online banking products and services. The challenge for
national banks is to make sure the savings from Internet banking technology more than
offset the costs and risks associated with conducting business in cyberspace.
Marketing strategies will vary as national banks seek to expand their markets and
employ lower cost delivery channels. Examiners will need to understand the strategies
used and technologies employed on a bank-by-bank basis to assess the risk. Evaluating
a bank’s data on the use of their Web sites may help examiners determine the bank’s
strategic objectives, how well the bank is meeting its Internet banking product plan and
whether the business is expected to be profitable.
Some of the market factors that may drive a bank’s strategy include the following:
• Competition– Studies show that competitive pressure is the chief driving force
behind increasing use of Internet banking technology, ranking ahead of cost
reduction and revenue enhancement, in second and third place respectively. Banks
see Internet banking as a way to keep existing customers and attract new ones to
the bank.
• Cost Efficiencies– National banks can deliver banking services on the Internet at
transaction costs far lower than traditional brick-and-mortar branches. The actual
costs to execute a transaction will vary depending on the delivery channel used.
For example, according to Booz, Allen & Hamilton, as of mid-1999, the cost to
deliver manual transactions at a branch was typically more than a dollar, ATM
and call center transactions cost about 25 cents, and Internet transactions cost
about a penny. These costs are expected to continue to decline.
• National banks have significant reasons to develop the technologies that will help
them deliver banking products and services by the most cost-effective channels.
Many bankers believe that shifting only a small portion of the estimated 19 billion
payments mailed annually in the U.S. to electronic delivery channels
could save banks and other businesses substantial sums of money. However,
national banks should use care in making product decisions.
• Management should include in their decision making the development and
ongoing costs associated with a new product or service, including the technology,
marketing, maintenance and customer support functions. This will help
management exercise due diligence, make more informed decisions and measure
the success of their business venture.
• Geographical Reach–Internet banking allows expanded customer contact through
increased geographical reach and lower cost delivery channels. In fact some
banks are doing business exclusively via the Internet — they do not have
traditional banking offices and only reach their customers online. Other financial
institutions are using the Internet as an alternative delivery channel to reach
existing customers and attract new customers.
• Branding—Relationship building is a strategic priority of many national banks.
Internet banking technology and products can provide a means for national banks
to develop and maintain an ongoing relationship with their customers by offering
easy access to a broad array of products and services. By capitalizing on brand
identification and by providing a broad array of financial services, banks hope to
build customer loyalty, cross-sell, and enhance repeat business.
• Customer Demographics—Internet banking allows national banks to offer a wide
array of options to their banking customers. Some customers will rely on
traditional branches to conduct their banking business. For many, this is the most
comfortable way for them to transact their banking business. Those customers
place a premium on person-to-person contact. Other customers are early adopters
of new technologies that arrive in the marketplace. These customers were the first
to obtain PCs and the first to employ them in conducting their banking business.
The demographics of banking customers will continue to change. The challenge to
national banks is to understand their customer base and find the right mix of
delivery channels to deliver products and services profitably to their various
market segments.
Types of Internet Banking
Understanding the various types of Internet banking products will help examiners
assess the risks involved. Currently, the following three basic kinds of Internet banking
are being employed in the marketplace:
(a) Informational—This is the basic level of Internet banking. Typically, the bank has
marketing information about the bank’s products and services on a stand-alone
server. The risk is relatively low, as informational systems typically have no path
between the server and the bank’s internal network. This level of Internet banking
can be provided by the bank or outsourced. While the risk to a bank is relatively
low, the server or Web site may be vulnerable to alteration. Appropriate controls
therefore must be in place to prevent unauthorized alterations to the bank’s server
or Web site.
(b) Communicative—This type of Internet banking system allows some interaction
between the bank’s systems and the customer. The interaction may be limited to
electronic mail, account inquiry, loan applications, or static file updates (name
and address changes). Because these servers may have a path to the bank’s
internal networks, the risk is higher with this configuration than with
informational systems. Appropriate controls need to be in place to prevent,
monitor and alert management of any unauthorized attempt to access the bank’s
internal networks and computer systems. Virus controls also become much more
critical in this environment.
(c) Transactional—This level of Internet banking allows customers to execute
transactions. Since a path typically exists between the server and the bank’s or
outsourcer’s internal network, this is the highest risk architecture and must have the
strongest controls. Customer transactions can include accessing accounts, paying
bills, transferring funds, etc.
LESSON-2
UNIT IV
Automated Clearing House
• Automated Clearing House
• Automated Ledger Posting
• Emerging modes and systems of E-payment (MPaisa, PayPal and other digital
currency);
• E-payment risks
Automated Clearing House
There are many key factors to understand about the Automated Clearing House. Some of the
important ones are mentioned below:
1. This platform is used for clearing money transfers from sender to receiver with
authorization; the money is transferred in digital mode.
2. Approximately 170 member banks and 1203 sub-member banks are part of this
National Automated Clearing House (ACH).
3. There were 11 million transactions done per day during the year 2019-2020.
4. It has a capacity of handling 175 million transactions per day.
Automated Ledger Posting
The Automated ledger posting helps in maintaining ledgers online. The features of
Automated ledger posting are:
1. Maintain ledgers online.
2. Posting can be done in an automated manner.
3. Trial Balance and Balance Sheet are prepared with software.
4. Adjustments of pending transactions can be settled with banks online.
Emerging modes and systems of E-payment (Mpaisa, Paypal and other
digital currency)
Mpaisa, Paypal and other digital currency
E-payment Risks
Internet Banking Risks
Internet banking creates new risk control challenges for national banks. From a
supervisory perspective, risk is the potential that events, expected or unexpected, may
have an adverse impact on the bank’s earnings or capital. There are nine defined
categories of risk for bank supervision purposes. The risks are credit, interest rate,
liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation.
These categories are not mutually exclusive and all of these risks are associated with
Internet banking.
Credit Risk: Credit risk is the risk to earnings or capital arising from an obligor’s
failure to meet the terms of any contract with the bank or otherwise to perform as agreed.
Credit risk is found in all activities where success depends on counterparty, issuer, or
borrower performance. It arises any time bank funds are extended, committed, invested,
or otherwise exposed through actual or implied contractual agreements, whether on or off
the bank’s balance sheet.
Internet banking provides the opportunity for banks to expand their geographic range.
Customers can reach a given institution from literally anywhere in the world. In dealing
with customers over the Internet, absent any personal contact, it is challenging for
institutions to verify the bona fides of their customers, which is an important element in
making sound credit decisions. Verifying collateral and perfecting security agreements
also can be challenging with out-of-area borrowers. Unless properly managed, Internet
banking could lead to a concentration in out-of-area credits or credits within a single
industry. Moreover, the question of which state’s or country’s laws control an Internet
relationship is still developing.
Fig. 6.7 Payment Process
Effective management of a portfolio of loans obtained through the Internet requires
that the board and management understand and control the bank’s lending risk profile and
credit culture. They must assure that effective policies, processes, and practices are in
place to control the risk associated with such loans.
Interest rate risk: Interest rate risk is the risk to earnings or capital arising from
movements in interest rates. From an economic perspective, a bank focuses on the
sensitivity of the value of its assets, liabilities and revenues to changes in interest rates.
Interest rate risk arises from differences between the timing of rate changes and the
timing of cash flows (repricing risk); from changing rate relationships among different
yield curves affecting bank activities (basis risk); from changing rate relationships across
the spectrum of maturities (yield curve risk); and from interest-related options embedded
in bank products (options risk). Evaluation of interest rate risk must consider the impact
of complex, illiquid hedging strategies or products, and also the potential impact that
changes in interest rates will have on fee income. In those situations where trading is
separately managed, this refers to structural positions and not trading portfolios.
Internet banking can attract deposits, loans, and other relationships from a larger pool
of possible customers than other forms of marketing. Greater access to customers who
primarily seek the best rate or term reinforces the need for managers to maintain
appropriate asset/liability management systems, including the ability to react quickly to
changing market conditions.
Liquidity Risk: Liquidity risk is the risk to earnings or capital arising from a bank’s
inability to meet its obligations when they come due, without incurring unacceptable
losses. Liquidity risk includes the inability to manage unplanned changes in funding
sources. Liquidity risk also arises from the failure to recognize or address changes in
market conditions affecting the ability of the bank to liquidate assets quickly and with
minimal loss in value. Internet banking can increase deposit volatility from customers
who maintain accounts solely on the basis of rate or terms. Asset/liability and loan
portfolio management systems should be appropriate for products offered through
Internet banking. Increased monitoring of liquidity and changes in deposits and loans
may be warranted depending on the volume and nature of Internet account activities.
Price Risk: Price risk is the risk to earnings or capital arising from changes in the
value of traded portfolios of financial instruments. This risk arises from market making,
dealing, and position taking in interest rate, foreign exchange, equity and commodities
markets.
Banks may be exposed to price risk if they create or expand deposit brokering, loan
sales, or securitization programs as a result of Internet banking activities. Appropriate
management systems should be maintained to monitor, measure, and manage price risk if
assets are actively traded.
Foreign Exchange Risk
Foreign exchange risk is present when a loan or portfolio of loans is denominated in a
foreign currency or is funded by borrowings in another currency. In some cases, banks
will enter into multi-currency credit commitments that permit borrowers to select the
currency they prefer to use in each rollover period. Foreign exchange risk can be
intensified by political, social or economic developments. The consequences can be
unfavorable if one of the currencies involved becomes subject to stringent exchange
controls or is subject to wide exchange-rate fluctuations. Banks may be exposed to
foreign exchange risk if they accept deposits from non-U.S. residents or create accounts
denominated in currencies other than U.S. dollars. Appropriate systems should be
developed if banks engage in these activities.
Transaction Risk: Transaction risk is the current and prospective risk to earnings and
capital arising from fraud, error, and the inability to deliver products or services, maintain
a competitive position, and manage information. Transaction risk is evident in each
product and service offered and encompasses product development and delivery,
transaction processing, systems development, computing systems, complexity of products
and services, and the internal control environment.
A high level of transaction risk may exist with Internet banking products, particularly
if those lines of business are not adequately planned, implemented and monitored. Banks
that offer financial products and services through the Internet must be able to meet their
customers’ expectations. Banks must also ensure they have the right product mix and
capacity to deliver accurate, timely, and reliable services to develop a high level of
confidence in their brand name.
Customers who do business over the Internet are likely to have little tolerance for
errors or omissions from financial institutions that do not have sophisticated internal
controls to manage their Internet banking business. Likewise, customers will expect
continuous availability of the product and Web pages that are easy to navigate.
Software to support various Internet banking functions is provided to the customer
from a variety of sources. Banks may support customers using customer-acquired or bank-supplied browsers or personal financial manager (PFM) software. Good communications
between banks and their customers will help manage expectations on the compatibility of
various PFM software products.
Attacks or intrusion attempts on banks’ computer and network systems are a major
concern. Studies show that systems are more vulnerable to internal attacks than external,
because internal system users have knowledge of the system and access. Banks should
have sound preventive and detective controls to protect their Internet banking systems
from exploitation both internally and externally.
Contingency and business resumption planning is necessary for banks to be sure that
they can deliver products and services in the event of adverse circumstances. Internet
banking products connected to a robust network may actually make this easier because
backup capabilities can be spread over a wide geographic area. For example, if the main
server is inoperable, the network could automatically reroute traffic to a backup server
in a different geographical location. Security issues should be considered when the
institution develops its contingency and business resumption plans. In such situations,
security and internal controls at the backup location should be as sophisticated as those
at the primary processing site. High levels of system availability will be a key expectation
of customers and will likely differentiate success levels among financial institutions on
the Internet.
National banks that offer bill presentment and payment will need a process to settle
transactions between the bank, its customers and external parties. In addition to
transaction risk, settlement failures could adversely affect reputation, liquidity, and credit
risk.
Compliance Risk: Compliance risk is the risk to earnings or capital arising from
violations of, or non-conformance with, laws, rules, regulations, prescribed practices, or
ethical standards. Compliance risk also arises in situations where the laws or rules
governing certain bank products or activities of the bank’s clients may be ambiguous or
untested. Compliance risk exposes the institution to fines, civil money penalties, payment
of damages, and the voiding of contracts. Compliance risk can lead to a diminished
reputation, reduced franchise value, limited business opportunities, reduced expansion
potential, and lack of contract enforceability.
Most Internet banking customers will continue to use other bank delivery channels.
Accordingly, national banks will need to make certain that their disclosures on Internet
banking channels, including Web sites, remain synchronized with other delivery channels
to ensure the delivery of a consistent and accurate message to customers.
Federal consumer protection laws and regulations, including CRA and Fair Lending,
are applicable to electronic financial services operations including Internet banking.
Moreover, it is important for national banks to be familiar with the regulations that permit
electronic delivery of disclosures/notices versus those that require traditional hard copy
notification. National banks should carefully review and monitor all requirements
applicable to electronic products and services and ensure they comply with evolving
statutory and regulatory requirements.
Advertising and record-keeping requirements also apply to banks’ Web sites and to
the products and services offered. Advertisements should clearly and conspicuously
display the FDIC insurance notice, where applicable, so customers can readily determine
whether a product or service is insured.
Regular monitoring of bank Web sites will help ensure compliance with applicable
laws, rules, and regulations.
Application of Bank Secrecy Act (USA) requirements to cyber banking products and
services is critical. The anonymity of banking over the Internet poses a challenge in
adhering to BSA standards. Banks planning to allow the establishment of new accounts
over the Internet should have rigorous account opening standards. Also, the bank
should set up a control system to identify unusual or suspicious activities and, when
appropriate, file suspicious activity reports (SARs).
The BSA funds transfer rules also apply to funds transfers or transmittals performed
over the Internet when transactions exceed $3,000 and do not meet one of the exceptions.
The rules require banks to ensure that customers provide all the required information
before accepting transfer instructions. The record keeping requirements imposed by the
rules allow banks to retain written or electronic records of the information.
Strategic Risk: Strategic risk is the current and prospective impact on earnings or
capital arising from adverse business decisions, improper implementation of decisions,
or lack of responsiveness to industry changes. This risk is a function of the compatibility
of an organization’s strategic goals, the business strategies developed to achieve those
goals, the resources deployed against these goals, and the quality of implementation. The
resources needed to carry out business strategies are both tangible and intangible. They
include communication channels, operating systems, delivery networks, and managerial
capacities and capabilities. The organization’s internal characteristics must be evaluated
against the impact of economic, technological, competitive, regulatory, and other
environmental changes.
Management must understand the risks associated with Internet banking before they
make a decision to develop a particular class of business. In some cases, banks may offer
new products and services via the Internet. It is important that management understand
the risks and ramifications of these decisions.
Sufficient levels of technology and MIS are necessary to support such a business
venture. Because many banks will compete with financial institutions beyond their
existing trade area, those engaging in Internet banking must have a strong link between
the technology employed and the bank’s strategic planning process.
Before introducing an Internet banking product, management should consider whether
the product and technology are consistent with tangible business objectives in the bank’s
strategic plan. The bank also should consider whether adequate expertise and resources
are available to identify, monitor, and control risk in the Internet banking business. The
planning and decision making process should focus on how a specific business need is
met by the Internet banking product, rather than focusing on the product as an
independent objective. The bank’s technology experts, along with its marketing and
operational executives, should contribute to the decision making and planning process.
They should ensure that the plan is consistent with the overall business objectives of the
bank and is within the bank’s risk tolerance. New technologies, especially the Internet,
could bring about rapid changes in competitive forces. Accordingly, the strategic vision
should determine the way the Internet banking product line is designed, implemented, and
monitored.
Reputation Risk: Reputation risk is the current and prospective impact on earnings
and capital arising from negative public opinion. This affects the institution’s ability to
establish new relationships or services or continue servicing existing relationships. This
risk may expose the institution to litigation, financial loss, or a decline in its customer
base. Reputation risk exposure is present throughout the organization and includes the
responsibility to exercise an abundance of caution in dealing with customers and the
community.
A bank’s reputation can suffer if it fails to deliver on marketing claims or to provide
accurate, timely services. This can include failing to adequately meet customer credit
needs, providing unreliable or inefficient delivery systems, untimely responses to
customer inquiries or violations of customer privacy expectations.
A bank’s reputation can be damaged by Internet banking services that are poorly
executed or otherwise alienate customers and the public. Well designed marketing,
including disclosures, is one way to educate potential customers and help limit reputation
risk. Customers must understand what they can reasonably expect from a product or service
and what special risks and benefits they incur when using the system. Such marketing
concepts need to be coordinated closely with adequate disclosure statements. A national
bank should not market the bank’s Internet banking system based on features or attributes
the system does not have. The marketing program must present the product fairly and
accurately.
National banks should carefully consider how connections to third parties are
presented on their Web sites. Hypertext links are often used to enable a customer to link
to a third party. Such links may reflect an endorsement of the third party’s products or
services in the eyes of the customer. It should be clear to the customer when they have
left the bank’s Web site so that there is no confusion about the provider of the specific
products and services offered or the security and privacy standards that apply. Similarly,
adequate disclosures must be made so that customers can distinguish between insured and
non-insured products.
National banks need to be sure that their business continuity plans include the Internet
banking business. Regular testing of the business continuity plan, including
communications strategies with the press and public, will help the bank ensure it can
respond effectively and promptly to any adverse customer or media reactions.
Risk Management: Financial institutions should have a technology risk management
process to enable them to identify, measure, monitor, and control their technology risk
exposure. Risk management of new technologies has three essential elements:
• The planning process for the use of the technology.
• Implementation of the technology.
• The means to measure and monitor risk.
The OCC’s objective is to determine whether a bank is operating its Internet banking
business in a safe and sound manner. The OCC expects banks to use a rigorous analytic
process to identify, measure, monitor, and control risk. Examiners will determine whether
the level of risk is consistent with the bank’s overall risk tolerance and is within the
bank’s ability to manage and control.
The risk planning process is the responsibility of the board and senior management.
They need to possess the knowledge and skills to manage the bank’s use of Internet
banking technology and technology-related risks. The board should review, approve, and
monitor Internet banking technology-related projects that may have a significant impact
on the bank’s risk profile. They should determine whether the technology and products
are in line with the bank’s strategic goals and meet a need in their market. Senior
management should have the skills to evaluate the technology employed and risks
assumed.
Periodic independent evaluations of the Internet banking technology and products by
auditors or consultants can help the board and senior management fulfill their
responsibilities.
Implementing the technology is the responsibility of management. Management
should have the skills to effectively evaluate Internet banking technologies and products,
select the right mix for the bank, and see that they are installed appropriately. If the bank
does not have the expertise to fulfill this responsibility internally, it should consider
contracting with a vendor who specializes in this type of business or engaging in an alliance
with another provider with complementary technologies or expertise.
Measuring and monitoring risk is the responsibility of management. Management
should have the skills to effectively identify, measure, monitor, and control risks
associated with Internet banking. The board should receive regular reports on the
technologies employed, the risks assumed, and how those risks are managed.
Monitoring system performance is a key success factor. As part of the design process, a
national bank should include effective quality assurance and audit processes in its Internet
banking system. The bank should periodically review the systems to determine whether
they are meeting the performance standards.
Internal Controls
Internal controls over Internet banking systems should be commensurate with an
institution’s level of risk. As in any other banking area, management has the ultimate
responsibility for developing and implementing a sound system of internal controls over
the bank’s Internet banking technology and products.
Regular audits of the control systems will help ensure that the controls are appropriate
and functioning properly. For example, the control objectives for an individual bank’s
Internet banking technology and products might focus on:
• Consistency of technology planning and strategic goals, including efficiency and
economy of operations and compliance with corporate policies and legal
requirements.
• Data availability, including business recovery planning.
• Data integrity, including providing for the safeguarding of assets, proper
authorization of transactions, and reliability of the process and output.
• Data confidentiality and privacy safeguards.
• Reliability of MIS.
Once control objectives are established, management has the responsibility to install
the necessary internal controls to see that the objectives are met. Management also has
the responsibility to evaluate the appropriateness of the controls on a cost-benefit basis.
That analysis may take into account the effectiveness of each control in a process, the
dollar volume flowing through the process, and the cost of the controls.
Examiners will need to understand the bank’s operational environment to evaluate the
proper mix of internal controls and their adequacy. According to the Information
Systems Audit and Control Association (ISACA) the basic internal control components
include:
•
Internal accounting controls — Used to safeguard the assets and reliability of
financial records. These would include transaction records and trial balances
•
Operational controls – Used to ensure that business objectives are being met.
These would include operating plans and budgets to compare actual against
planned performance.
•
Administrative controls – Used to ensure operational efficiency and adherence to
policies and procedures. These would include periodic internal and external
audits.
ISACA separates internal controls into three general categories. The three control
categories can he found ill the basic internal controls discussed above.
•
Preventive Controls—Prevent something (often an error or illegal act) from
happening. An example of this type of control is logical access control software
that would allow only authorized persons to access a network using a combination
of a user ID and password.
•
Detective Controls—Identify an action that has occurred. An example would be
intrusion detection software that triggers an alert or alarm.
•
Corrective Controls—Correct a situation once it has been detected. An example
would be software backups that could be used to recover a corrupted file or
database.
Banks or service providers offering transaction-based Internet banking products
need to have a high level of controls to help manage the bank’s transaction risk.
Examples of these controls could include:
•
Monitoring transaction activity to look for anomalies in transaction types,
transaction volumes, transaction values, and time-of-day presentment.
•
Monitoring log-on violations or attempts to identify patterns of suspect activity
including unusual requests, unusual timing, or unusual formats.
•
Using trap and trace techniques to identify the source of the request and match
these against known customers.
Regular reporting and review of unusual transactions will help identify:
•
Intrusions by unauthorized parties.
•
Customer input errors
•
Opportunities for customer education.
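The monitoring controls listed above, as an added example that is not part of the study material: a small detector run over constructed transaction and log-on records. The record format, thresholds, customer IDs and source addresses are assumptions made for this example.

```python
"""Detective controls over Internet-banking activity: flag anomalies in
transaction value, velocity and time of day, and spot log-on failure
patterns. Log format, thresholds and sample lines are constructed for
this example."""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_VALUE = 2500.00                 # assumed per-transaction value threshold
OFF_HOURS = range(0, 6)              # 00:00-05:59 treated as unusual presentment time
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 3                   # this many transactions inside the window
FAIL_WINDOW = timedelta(minutes=5)
FAIL_COUNT = 3                       # this many failed log-ons from one source

# Constructed sample transaction log: timestamp customer type amount
TRANSACTION_LOG = """\
2023-03-01T10:02:11 C1001 TRANSFER 120.00
2023-03-01T11:45:09 C1001 BILLPAY 80.00
2023-03-02T09:30:45 C1001 TRANSFER 150.00
2023-03-03T03:12:07 C1001 TRANSFER 4900.00
2023-03-03T03:13:30 C1001 TRANSFER 4950.00
2023-03-03T03:14:02 C1001 TRANSFER 4800.00
2023-03-01T14:20:00 C2002 BILLPAY 60.00
2023-03-02T15:05:00 C2002 BILLPAY 65.00
"""

# Constructed sample log-on log: timestamp customer source-address result
LOGON_LOG = """\
2023-03-03T03:10:01 C1001 198.51.100.7 FAIL
2023-03-03T03:10:05 C1001 198.51.100.7 FAIL
2023-03-03T03:10:09 C1001 198.51.100.7 FAIL
2023-03-03T03:10:14 C1001 198.51.100.7 FAIL
2023-03-03T03:11:40 C1001 198.51.100.7 OK
2023-03-01T09:00:00 C2002 203.0.113.5 OK
"""


def parse_log(text):
    """Split whitespace-separated records and order them by timestamp."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, *rest = line.split()
            rows.append((datetime.fromisoformat(ts), *rest))
    return sorted(rows)


def transaction_alerts(text):
    """Return (rule, customer, timestamp) for every anomaly in the transaction log."""
    alerts = []
    recent = defaultdict(list)           # customer -> timestamps inside the velocity window
    for ts, cust, _kind, amount in parse_log(text):
        amount = float(amount)
        if amount > HIGH_VALUE:
            alerts.append(("HIGH_VALUE", cust, ts))
        if ts.hour in OFF_HOURS:
            alerts.append(("OFF_HOURS", cust, ts))
        recent[cust] = [t for t in recent[cust] if ts - t <= VELOCITY_WINDOW] + [ts]
        if len(recent[cust]) == VELOCITY_COUNT:   # fire once, when the burst reaches the limit
            alerts.append(("VELOCITY", cust, ts))
    return alerts


def logon_alerts(text):
    """Return (rule, customer, timestamp) for suspect log-on patterns."""
    alerts = []
    fails = defaultdict(list)            # (customer, source) -> failure timestamps
    for ts, cust, src, result in parse_log(text):
        key = (cust, src)
        if result == "FAIL":
            fails[key] = [t for t in fails[key] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[key]) == FAIL_COUNT:
                alerts.append(("LOGON_FAIL_BURST", cust, ts))
        elif result == "OK" and len(fails[key]) >= FAIL_COUNT:
            # success right after a burst of failures: review for guessed credentials
            alerts.append(("SUCCESS_AFTER_FAILURES", cust, ts))
            fails[key] = []
    return alerts


if __name__ == "__main__":
    for rule, cust, ts in transaction_alerts(TRANSACTION_LOG) + logon_alerts(LOGON_LOG):
        print(f"{ts.isoformat()} {cust} {rule}")
```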
SECURITY REQUIREMENT OF ELECTRONIC PAYMENT SYSTEM
There are four essential security requirements for secure electronic payment which are
described below:
1. Authentication: A way to verify the buyer’s identity before payments are made.
Authentication is another issue in an Internet banking system. Transactions on the
Internet or any other telecommunication network must be secure to achieve a high
level of public confidence. In cyberspace, as in the physical world, customers,
banks, and merchants need assurances that they will receive the service as ordered
or the merchandise as requested, and that they know the identity of the person
they are dealing with.
Banks typically use symmetric (private key) encryption technology to secure
messages and asymmetric (public/private key) cryptography to authenticate
parties. Asymmetric cryptography employs two keys — a public key and a private
key. These two keys are mathematically tied but one key cannot be deduced from
the other. For example, to authenticate that a message came from the sender, the
sender encrypts the message using their private key. Only the sender knows the
private key. But, once sent, the message can be read only using the sender’s
public key. Since the message can only be read using the sender’s public key, the
receiver knows the message came from the expected sender.
Internet banking systems should employ a level of encryption that is appropriate
to the level of risk present in the systems. It is established that stronger levels of
encryption may slow or degrade performance and, accordingly, management must
balance security needs with performance and cost issues. Thus, a national bank
should conduct a risk assessment in deciding upon its appropriate level of
encryption. It does not mandate a particular strength or type of encryption. Rather, it
expects management to evaluate security risks, review the cost and benefit of
different encryption systems, and decide on an appropriate level of encryption as a
business decision. Management should be able to explain the supporting analysis
for their decision.
A common asymmetric cryptography system is RSA, which uses key lengths up
to bits. By using the two forms of cryptography together, symmetric to protect the
message and asymmetric to authenticate the parties involved, banks can secure the
message and have a high level of confidence in the identity of the parties
involved. See appendix B of this handbook for examples of how this technology
works.
Biometric devices are an advanced form of authentication. These devices may
take the form of a retina scan, finger or thumb print scan, facial scan, or voice
print scan. Use of biometrics is not yet considered mainstream, but may be used
by some banks for authentication.
2. Trust: Trust is another issue in Internet banking systems. As noted in the
previous discussion, public and private key cryptographic systems can be used to
secure information and authenticate parties in transactions in cyberspace. A
trusted third party is a necessary part of the process. That third party is the
certificate authority.
A certificate authority is a trusted third party that verifies identities in cyberspace.
Some people think of the certificate authority functioning like an online notary.
The basic concept is that a bank, or other third party, uses its good name to
validate parties in transactions. This is similar to the historic role banks have
played with letters of credit, where neither the buyer nor seller knew each other
but both parties were known to the bank. Thus the bank uses its good name to
facilitate the transaction, for a fee. Banks also may need a way to validate
themselves in cyberspace, as theft of identity has taken place. A proper mix of
preventive, detective, and corrective controls can help protect national banks from
these pitfalls. Digital certificates may play an important role in authenticating
parties and thus establishing trust in Internet banking systems. Ensuring that
information will not be accidentally or maliciously altered or destroyed, usually
during transmission.
3. Privacy: Privacy is a consumer issue of increasing importance. National banks
that recognize and respond to privacy issues in a proactive way make this a
positive attribute for the bank and a benefit for its customers.
Public concerns over the proper versus improper accumulation and use of
personal information are likely to increase with the continued growth of electronic
commerce and the internet. Providers who are sensitive to these concerns have an
advantage over those who do not.
4. Non-repudiation: Non-repudiation is the undeniable proof of participation by
both the sender and receiver in a transaction. It is the reason public key encryption
was developed, i.e., to authenticate electronic messages and prevent denial or
repudiation by the sender or receiver. Although technology has provided an
answer to non-repudiation, state laws are not uniform in the treatment of
electronic authentication and digital signatures. The application of state laws to
these activities is a new and emerging area of the law.
5. Availability: Availability is another component in maintaining a high level of
public confidence in a network environment. All of the previous components are
of little value if the network is not available and convenient to customers. Users of
a network expect access to systems 24 hours per day, seven days a week. Among
the considerations associated with system availability are capacity, performance
monitoring, redundancy, and business resumption. National banks and their
vendors who provide Internet banking products and services need to make certain
they have the capacity in terms of hardware and software to consistently deliver a
high level of service.
In addition, performance monitoring techniques will provide management with
information such as the volume of traffic, the duration of transactions, and the
amount of time customers must wait for service. Monitoring capacity, downtime,
and performance on a regular basis will help management assure a high level of
availability for their Internet banking system.
It is also important to evaluate network vulnerabilities to prevent outages due to
component failures. An entire network can become inoperable when a single
hardware component or software module malfunctions. Often national banks and
their vendors employ redundant hardware in critical areas or have the ability to
switch to alternate processing locations. The latter is often referred to as
contingency planning.
SECURE SOCKET LAYER (SSL)
Secure Socket Layer (SSL) is a protocol developed by Netscape for transmitting private
documents via the Internet. SSL uses a cryptographic system with two keys to
encrypt data: a public key known to everyone and a private or secret key known only to
the recipient of the message.
Secure Sockets Layer (SSL) is a cryptographic protocol which provides secure
communications on the Internet.
Fig. 6.8
The Internet is an insecure channel for message transmission. Unlike in the case of
voice transmission, where the message passes through a specified path, in the case of
the Internet the message passes through several network routers before reaching the
destination. Moreover, the path of flow of the information packets can be altered using a
dynamic routing algorithm. The packets that pass through the network can be viewed by
anyone. Hence, the Internet is certainly not suitable for transferring confidential or
classified information.
To ensure privacy of information, both the client and the server must run compatible
security schemes. Network interactions typically take place between a client, such as
browser software running on a personal computer, and a server, such as the software and
hardware used to host a website. Here, authentication is used for identifying the clients
as well as the server in a network environment. For instance, client authentication refers
to the identification of a client by a server (that is, identification of the person assumed to
be using the client software). Server authentication refers to the identification of a server
by a client (that is, identification of the organization assumed to be responsible for the
server at a particular network address). The technologies used to provide a secure channel
over the web are SSL and Secure-Hyper Text Transfer Protocol (S-HTTP).
Secure Socket Layer
The SSL provides end-to-end secure data transmission between the web server and
the web client. It is sandwiched between the Transmission Control Protocol/Internet
Protocol (TCP/IP) and the application layer. Unlike TCP/IP, which offers only reliable
packet transfer, SSL ensures secure packet transfer. The SSL layer is preceded by the
TCP/IP and the data link layer. This means that applications that use SSL will
automatically avail the services of the TCP/IP layer; it can ensure secure communication
between numerous application level protocols on the Internet. SSL secures only web
sessions and not e-mail or file transfer sessions. This is one of the reasons why
confidential information like credit card numbers is not exchanged via e-mail. In case of
SSL, though the packet can be viewed while in transit, the viewer cannot decipher the
contents since it is encrypted. The SSL ensures secure data transfer but is not responsible
for security of data residing in the web client or server.
How SSL Works
The SSL performs two functions: it authenticates the website and ensures secure
data transmission between the web server and the client. It achieves this by using
symmetric encryption or asymmetric encryption. In symmetric encryption, a single key,
called the private (secret) key, is used both for encrypting and decrypting. In asymmetric
encryption, the key used to encrypt is called the public key and the one used to
decrypt is called the private key. For symmetric encryption to work, the sender and
receiver should share the secret key. This is possible only when the sender and receiver
know each other. Another problem with symmetric encryption is that it cannot cater to a
large number of participants.
In asymmetric encryption, two separate keys are used to encrypt and decrypt data.
The public key is shared with the other person and the private key is known only to the
person who decrypts the data. So, the private key will remain a secret while the public
key will be known to both the parties. Asymmetric encryption authenticates the
client/server by providing a secure private key to be shared between strangers and giving
secure digital signatures. For example, when a customer wants to buy a book from an
online book store, the customer would like the transaction to be secure and confidential. A
secure connection is initiated by the client’s browser sending a “client hello” message.
It lists the suite of secure protocols that the browser supports, and the browser generates
a random challenge string. This random challenge string is used at the closing of the
initialization to check whether a secure connection is established. The set of protocols
contains the key exchange algorithm that is used for agreeing on a private session key,
the private key encryption protocol that is used to ensure the confidentiality of the
transaction, and hashing algorithms for maintaining data integrity.
Prior to establishing a secure connection, the SSL authenticates the server. The
server will respond with a “server hello” message to the client hello message that it
received earlier. This is an indication that the server supports the protocol requested by
the client and generates a random connection identifier. This random connection
identifier will be used to find out if a secure connection has been established or not.
It is essential that the merchant’s digital certificate is endorsed by a CA whom the
client trusts. Subsequently, the client checks the digital signature on the server’s
certificate against the public key of the CA, which is stored in the browser. The
endorsed merchant’s certificates are signed using the CA’s private key. The endorsement is
verified by the browser, which checks the digital signature with the CA’s public key.
After the completion of the authentication process, the browser generates a secret key
that will be shared by the client and the server. This secret key shall be used for
generating the keys for symmetric encryption and data integrity. From here on, there is no
need for asymmetric encryption. RC2, RC4 and other symmetric encryption algorithms are
sufficient for the messages sent. Two sets of symmetric key pairs are generated by the
client and the server for securing incoming and outgoing messages.
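The private-key signature described under Authentication and the SSL handshake just described, as one added example that is not the study material’s own code: a toy textbook RSA with constructed Mersenne-prime keys lets the CA sign the merchant’s certificate and the browser verify it, both sides contribute random challenge strings, and the client’s secret is expanded into two directional key sets. Message layout, the site name and the key-derivation labels are assumptions; real SSL/TLS uses standardised formats and padded RSA.

```python
"""Simplified SSL-style handshake (added example, not SSL's real message
formats): the CA endorses the merchant's certificate with its private key,
the browser verifies that endorsement with the CA public key it already
holds, both sides contribute random challenge strings, and the client's
secret is expanded into separate symmetric keys for each direction.
Textbook RSA with constructed Mersenne primes stands in for real RSA and
has none of the padding a deployed implementation needs."""
import hashlib
import hmac
import secrets


def make_rsa_keypair(p, q, e=65537):
    """Public key (n, e) and private key (n, d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_sign(private_key, data):
    """Sender 'encrypts' a digest with the private key (the page's signature step)."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(digest, d, n)


def rsa_verify(public_key, data, signature):
    """Anyone holding the public key can check the digest; only the key owner could sign."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == digest


# Constructed key pairs: CA and merchant (primes 2^31-1, 2^61-1, 2^89-1, 2^107-1)
CA_PUB, CA_PRIV = make_rsa_keypair(2**31 - 1, 2**61 - 1)
SERVER_PUB, SERVER_PRIV = make_rsa_keypair(2**89 - 1, 2**107 - 1)


def issue_certificate(ca_priv, subject, subject_pub):
    """The CA binds the merchant's name to its public key and signs the binding."""
    body = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"body": body, "signature": rsa_sign(ca_priv, body)}


def verify_certificate(trusted_ca_pub, cert, expected_subject):
    """Browser step: check the CA's signature, then that the name matches the site."""
    if not rsa_verify(trusted_ca_pub, cert["body"], cert["signature"]):
        return None
    subject, n, e = cert["body"].decode().split("|")
    return (int(n), int(e)) if subject == expected_subject else None


def derive_keys(secret, client_random, server_random):
    """Expand the shared secret plus both challenge strings into two key sets,
    one per traffic direction (an encryption key and an integrity key each)."""
    seed = client_random + server_random
    return {label: hmac.new(secret, label.encode() + seed, hashlib.sha256).digest()
            for label in ("client_enc", "client_mac", "server_enc", "server_mac")}


def handshake(site="shop.example", cert=None):
    """Run the exchange; return the client's and the server's derived key sets."""
    cert = cert or issue_certificate(CA_PRIV, site, SERVER_PUB)
    client_hello = {"suites": ["RSA-AES128-SHA256"], "random": secrets.token_bytes(16)}
    server_hello = {"suite": client_hello["suites"][0],
                    "random": secrets.token_bytes(16), "cert": cert}
    server_pub = verify_certificate(CA_PUB, server_hello["cert"], site)
    if server_pub is None:
        raise ValueError("certificate not endorsed by a trusted CA for this site")
    # Client chooses the secret and sends it under the merchant's public key
    pre_master = secrets.token_bytes(16)
    transported = pow(int.from_bytes(pre_master, "big"), server_pub[1], server_pub[0])
    # Only the merchant's private key recovers it
    recovered = pow(transported, SERVER_PRIV[1], SERVER_PRIV[0]).to_bytes(16, "big")
    client_keys = derive_keys(pre_master, client_hello["random"], server_hello["random"])
    server_keys = derive_keys(recovered, client_hello["random"], server_hello["random"])
    return client_keys, server_keys


if __name__ == "__main__":
    ck, sk = handshake()
    print("keys agree:", ck == sk)
```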
S-HTTP
The web server provides only access protection, which ensures that there is no unauthorized
access. However, it does not provide any protection for data during transfer.
Passwords can be easily hacked in the absence of any protection for data in transit.
S-HTTP enables secure communication between the web server and the client. S-HTTP
was developed to support several e-security technologies like symmetric
encryption for data confidentiality, message digests for data integrity and PKI encryption.
These technologies can be used individually or in combination. S-HTTP is compatible
with non-secure HTTP sessions also. The secure properties are determined during the
initialization by the client and the server. Each can be set to required, optional or refused.
S-HTTP negotiates the secure properties through the exchange of packet headers.
Specific security negotiation headers are created for data packets exchanged through each
web session. The definitions, if the security property is required, include the type of
technology to be used, the algorithms that will be supported, the direction in which the
property is to be enforced (sending or receiving) and so on. If the secure property has
been set to “optional,” it means that the secure property is not mandatory for making
connections, and if the secure property is set to “refuse,” then it means that the negotiating
party cannot enforce this property. Once the secure property has been set, the data is
encapsulated. Encapsulation is done in order to ensure confidentiality of web sessions,
content, client/server authentication, and message integrity.
•
Secure electronic transaction (SET): Secure electronic transaction (SET) is a
standard protocol for securing credit card transactions over insecure networks,
specifically the Internet. SET was developed by VISA and MasterCard (involving
other companies such as GTE, IBM, Microsoft and Netscape) starting in 1996.
Secure Electronic Transaction (SET) is a standard that enables secure credit card
transactions on the Internet.
The SET standard has been developed to protect payment instructions in transit. A
discussion of SET is outside the scope of this document, and we recommend that
anyone interested in this subject download the SET business description document
from (e.g.) the Visa site (http://www.visa.com). SET is expected to become
operational in 1998. However, progress is slow. For SET to provide the ultimate level
of security it will be necessary for each cardholder to be issued a “digital certificate”
by their credit card issuer. This presents significant logistical problems, and is
unlikely to be rolled out in less than 3-4 years.
Authentication Techniques, Processes and Methodologies
There are different kinds of techniques and methodologies available for
authentication of an electronic banking product or service. Selection and use of any
technique should be based upon the assessed risk associated with a particular
electronic banking product or service.
1. Shared Secrets: Shared secrets (something a person knows) are information
elements that are known or shared by both the customer and the authenticating
entity. Passwords and PINs are the best known shared-secret techniques, but some
new and different types are now being used as well. Some additional examples
are:
•
Questions or queries that require specific customer knowledge to answer, e.g.
the exact amount of the customer’s monthly mortgage payment.
•
Customer-selected images that must be identified or selected from a pool of
images.
The customer’s selection of a shared secret normally occurs during the initial
enrollment process or via an offline ancillary process. Passwords or PIN values
can be chosen, questions can be chosen and responses provided. Images may be
uploaded or selected.
The security of shared secret processes can be enhanced with the requirement for
periodic change. Shared secrets that never change are described as “static” and the
risk of compromise increases over time. The use of multiple shared secrets also
provides increased security because more than one secret must be known to
authenticate.
Shared secrets can also be used to authenticate the institution’s Web site to the
customer.
This is discussed in the Mutual Authentication section.
Tokens
Tokens are physical devices (something the person has) and may be part of a
multifactor authentication scheme. Three types of tokens are discussed here: the USB
token device, the smart card, and the password-generating token.
2. USB Token Device: The USB token device is typically the size of a house key. It
plugs directly into a computer’s USB port and therefore does not require the
installation of any special hardware on the user’s computer. Once the USB token
is recognized, the customer is prompted to enter his or her password (the second
authenticating factor) in order to gain access to the computer system.
USB tokens are one-piece, injection-molded devices. USB tokens are hard to
duplicate and are tamper resistant; thus, they are a relatively secure vehicle for
storing sensitive data and credentials. The device has the ability to store digital
certificates that can be used in a public key infrastructure (PKI) environment.
The USB token is generally considered to be user-friendly. Its small size makes it
easy for the user to carry and, as noted above, it plugs into an existing USB port;
thus the need for additional hardware is eliminated.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it
to store and process data. Inclusion of the microprocessor enables software developers to
use more robust authentication schemes. To be used, a smart card must be inserted into a
compatible reader attached to the customer’s computer. If the smart card is recognized as
valid (first factor), the customer is prompted to enter his or her password (second factor)
to complete the authentication process.
Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively
secure vehicle for storing sensitive data and credentials. Smart cards are easy to carry and
easy to use. Their primary disadvantage as a consumer authentication device is that they
require the installation of a hardware reader and associated software drivers on the
consumer’s home computer.
3. Password-Generating Token: A password-generating token produces a unique
pass-code, also known as a one-time password (OTP), each time it is used. The token
ensures that the same OTP is not used consecutively. The OTP is displayed on a
small screen on the token. The customer first enters his or her user name and
regular password (first factor), followed by the OTP generated by the token
(second factor). The customer is authenticated if (1) the regular password matches
and (2) the OTP generated by the token matches the password on the
authentication server. A new OTP is typically generated every 60 seconds; in
some systems, every 30 seconds. This very brief period is the life span of a
password. OTP tokens generally last 4 to 5 years before they need to be replaced.
Password-generating tokens are secure because of the time-sensitive,
synchronized nature of the authentication. The randomness, unpredictability, and
uniqueness of the OTPs substantially increase the difficulty of a cyber thief
capturing and using OTPs gained from keyboard logging.
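A password-generating token and its server-side check, as an added example that is not from the study material: it follows the HMAC-based one-time-password construction used by common OTP tokens, enforces both factors, tolerates one step of clock drift and refuses a code that has already been accepted. The seed, the 30-second step and the six-digit length are assumptions.

```python
"""Time-synchronised password-generating token and its server-side check
(added example, not from the study material). Follows the HMAC-based
one-time-password construction used by common OTP tokens; the seed, the
30-second step and the 6-digit length are assumptions."""
import hashlib
import hmac
import struct

TOKEN_SEED = b"constructed-seed-shared-by-token-and-server"
STEP_SECONDS = 30        # a new OTP every 30 seconds (some tokens use 60)
DIGITS = 6


def otp_for_counter(seed, counter, digits=DIGITS):
    """HMAC-SHA1 over the step counter, dynamically truncated to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def token_display(seed, now, step=STEP_SECONDS):
    """The code shown on the token's screen at time `now` (seconds since the epoch)."""
    return otp_for_counter(seed, int(now) // step)


class OtpServer:
    """Holds the same seed as the token and checks both authentication factors."""

    def __init__(self, seed, step=STEP_SECONDS, drift_steps=1):
        self.seed = seed
        self.step = step
        self.drift_steps = drift_steps   # tolerate clock skew of one step either way
        self.last_counter_used = -1      # a given code is accepted once, never again

    def verify(self, regular_password_ok, otp, now):
        if not regular_password_ok:      # first factor must already have passed
            return False
        current = int(now) // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter_used:
                continue                 # replay, or older than a code already accepted
            if hmac.compare_digest(otp_for_counter(self.seed, counter), otp):
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    import time
    print("token shows:", token_display(TOKEN_SEED, time.time()))
```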
BIOMETRICS
Biometric technologies identify or authenticate the identity of a living person on the
basis of a physiological or physical characteristic (something a person is). Physiological
characteristics include fingerprints, iris configuration, and facial structure. Physical
characteristics include, for example, the rate and flow of movements, such as the pattern
of data entry on a computer keyboard. The process of introducing people into a
biometrics based system is called “enrollment.” In enrollment, samples of data are taken
from one or more physiological or physical characteristics; the samples are converted
into a mathematical model, or template; and the template is registered into a database on
which a software application can perform analysis.
Once enrolled, customers interact with the live-scan process of the biometrics
technology. The live scan is used to identify and authenticate the customer. The results of
a live scan, such as a fingerprint, are compared with the registered templates stored in the
system. If there is a match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multifactor authentication
system, combined with a password (something a person knows) or a token (something a
person has).
Verification - Authenticates its users in conjunction with a smart card, username or ID
number. The biometric template captured is compared with that stored against the
registered user either on a smart card or database for verification.
Identification — Authenticates its users from the biometric characteristic alone
without the use of smart cards, username or ID numbers. The biometric template is
compared to all records within the database and a closest match score is returned. The
closest match within the allowed threshold is deemed the individual and authenticated.
The main operations a system can perform are enrollment and test. During
enrollment, biometric information from an individual is stored. During the test, biometric
information is detected and compared with the stored information. Note that it is crucial
that storage and retrieval of such systems themselves be secure if the biometric system is
to be robust. The first block (sensor) is the interface between the real world and the
system; it has to acquire all the necessary data. Most of the time it is an image
acquisition system, but it can change according to the characteristics desired. The second
block performs all the necessary pre-processing: it has to remove artifacts from the
sensor, enhance the input (e.g. removing background noise), apply some kind of
normalization, etc. In the third block the needed features are extracted. This is an
important step, as the correct features need to be extracted in the optimal way. A vector of
numbers or an image with particular properties is used to create a template. A template is a
synthesis of all the characteristics extracted from the source, in the optimal size to allow
for adequate identifiability.
If enrollment is being performed, the template is simply stored somewhere (on a card
or within a database or both). If a matching phase is being performed, the obtained
template is passed to a matcher that compares it with other existing templates,
estimating the distance between them using some algorithm (e.g. Hamming distance). The
matching program will analyze the template against the input. The result is then output for
any specified use or purpose (e.g. entrance to a restricted area).
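Template matching as described above (a distance between templates, here Hamming distance), as an added example that is not the study material’s own code; it also covers the Verification (1:1) and Identification (1:N) modes described earlier and the false accept/false reject tradeoff a threshold creates. The feature extractor, templates, user names and threshold are constructed for the example.

```python
"""Biometric template matching (added example, not the study material's own
code): the feature extractor binarises normalised sensor readings into a
fixed-size bit template, the matcher scores templates by Hamming distance,
verification is a 1:1 check against the claimed identity and identification
a 1:N search for the closest match. Templates here are constructed 32-bit
values; production iris or fingerprint templates are far larger."""
THRESHOLD = 6            # assumed: at most 6 differing bits still counts as the same person


def extract_template(measurements):
    """Normalise raw readings around their median and emit one bit per feature."""
    ordered = sorted(measurements)
    median = ordered[len(ordered) // 2]
    bits = 0
    for i, value in enumerate(measurements):
        if value > median:
            bits |= 1 << i
    return bits


def hamming_distance(a, b):
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def flip_bits(template, positions):
    """Simulate a noisy live scan by inverting the given feature bits."""
    for p in positions:
        template ^= 1 << p
    return template


class TemplateDB:
    def __init__(self):
        self.templates = {}          # user id -> enrolled template

    def enroll(self, user_id, template):
        self.templates[user_id] = template

    def verify(self, claimed_id, live, threshold=THRESHOLD):
        """1:1 - compare the live scan only with the claimed user's template."""
        stored = self.templates.get(claimed_id)
        return stored is not None and hamming_distance(stored, live) <= threshold

    def identify(self, live, threshold=THRESHOLD):
        """1:N - closest enrolled user, or None if nobody is within the threshold."""
        scored = [(hamming_distance(t, live), uid) for uid, t in self.templates.items()]
        if not scored:
            return None
        distance, user_id = min(scored)
        return user_id if distance <= threshold else None


def error_rates(db, genuine, impostor, threshold):
    """FRR: share of genuine attempts rejected; FAR: share of impostor attempts accepted.
    Lowering the threshold reduces FAR but raises FRR, and vice versa."""
    frr = sum(not db.verify(u, t, threshold) for u, t in genuine) / len(genuine)
    far = sum(db.verify(u, t, threshold) for u, t in impostor) / len(impostor)
    return frr, far


# Constructed enrolled templates, mutually at least 16 bits apart
ENROLLED = {"alice": 0xA5C3F00F, "bob": 0x3C3C5A5A, "carol": 0xFF00FF00}


def build_db():
    db = TemplateDB()
    for uid, template in ENROLLED.items():
        db.enroll(uid, template)
    return db


if __name__ == "__main__":
    db = build_db()
    live = flip_bits(ENROLLED["alice"], [0, 5, 17])        # 3 bits of sensor noise
    print("verify alice:", db.verify("alice", live), "identify:", db.identify(live))
```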
Fig. 6.9
A biometric system consists of
•
Input interface for biometric image capture
•
Digital signal processor for biometric image processing
•
Output interface to communicate the results and control access to the secured asset
•
Power management components for efficient power supply regulation and supervision
•
Memory for the storage of encrypted templates and software code
•
Software modules for biometric image capture, reconstruction and enhancement,
matching, encryption, template management, etc.
How Biometrics Security Works
The largest share of that money (45 percent) goes for fingerprint recognition systems,
followed by facial recognition (12 percent). While these two are the most popular, there
are other methods that analyze a person’s physical or dynamic characteristics. Physical
biometric methodologies also look at the following:
Eyes – Examining the lines of the iris or the blood vessels in the retina;
Hands – Taking a 3D image and measuring the height and width of bones and joints;
and
Skin – Analyzing surface texture and thickness of skin layers.
When looking at strong authentication, you want two out of three factors: something
you have, something you are and something you know. While eyes, hands and skin are
commonly used as biometric identifiers, more dynamic methodologies also are being
introduced, such as the following:
Voice – Detects vocal pitch and rhythm;
Keystroke Dynamics – Analyzes the typing speed and rhythm when the user ID and
password are entered;
Signature—Matches the signature to one on record, as well as analyzing the speed
and pressure used while writing, and
Gait—Measures length of stride and its rhythm.
To keep performance high and storage requirements manageable, today’s biometric
technologies don’t have to store or analyze a complete picture of the body part or the
physical feature being used. Imagine the processing power that would be needed to store
a high resolution picture of someone’s face and then compare it with a live image pixel by
pixel.
Instead, each method reduces the body part or activity to a few essential parameters
and then codes the data, typically as a series of hash marks. For example, a facial
recognition system may record only the shape of the nose and the distance between the
eyes. That’s all the data that needs to be recorded for an individual’s passport. None of
these biometric systems are infallible, of course. However, the rates of false negatives and
false positives have markedly improved. One of the problems with fingerprint readers,
for instance, is that they couldn’t distinguish between an actual fingerprint and the image
of one. That’s not pure fiction. The latest fingerprint readers are incorporating more
advanced features, such as making sure the finger is a certain temperature. Everyone’s
hand is different, as some are consistently warm or cold. In addition, they can also check
if there is a pulse and tell how much pressure is being applied. Such sophistication,
however, has its drawbacks. Authorized users may find themselves locked out even when
the devices are working properly. Why? Tiny changes, due to accidents or injuries, can
change a biometric profile, rendering it effectively obsolete. The thing to keep in mind
with any biometrics is that your ID does change over time. If you cut your finger, your
biometric may not be the same any more. Or your early morning voice is different than
after talking for eight hours.
Elements of a biometric system
A generic biometric system is comprised of the following units:
1. A sensor unit that represents the interface between the user and the machine. This
is the point where the biometric trait is acquired;
2. A processing unit where the acquired biometric is sampled, segmented and
features are extracted. It also includes quality assurance to determine if the
quality of the biometric is good enough to be used further in the process. If the
quality of the acquired biometric is poor, the user may be asked to present the
biometric again.
3. A database unit where all the enrolled biometric templates are being stored and
where the templates are being retrieved from in the authentication process;
4. A matching unit that compares the newly acquired biometric template with the
templates stored in the database and, based on decision rules, determines either if
the presented biometric is genuine or an impostor’s, or if the user is identified or not.
Kinds of Biometrics
Facial Recognition
A facial recognition system uses a computer algorithm to identify or verify a person
from a digital image or a video frame. This is done by extracting selected facial features
from the image and comparing them against a reference template, usually stored in a facial
database. While it’s much newer than fingerprint technology, it’s gained wide usage in some
security applications, particularly CCTV systems and some border crossing controls.
Facial recognition emphasizes features that are less susceptible to alteration, like eye
sockets, cheekbones, and the sides of the mouth, and as such is resistant to many of the
changes associated with most plastic surgery and to changes that come with aging.
Fig. 6.10
Facial recognition is cheaper and easier to use than iris or retinal scans, in part because
it’s less invasive and can generally use low speed, low resolution cameras, but it gives a
higher false negative rate than other biometric technologies because of the need for
tightly controlled environments. A facial recognition system is sensitive to such criteria
as head position and angle, movement, lighting and other factors, including the use of
different cameras for enrollment and verification. In addition, facial recognition has
certain weaknesses that limit its usefulness for fraud prevention. It cannot distinguish
identical siblings, it can be defeated by pointing the camera at a high-resolution video
monitor playing a video of an authorized user, and can also be defeated by the use of a
severed head. And of course there may be religious or cultural prohibitions against facial
photographs in some regions of the world that will limit its voluntary uptake by target
users. As a result of the environmental issues noted above, facial recognition’s reliability
is still lower than other technologies, and it usually returns a list of “close matches”
rather than a single definitive match, as iris and fingerprint systems do. A basic facial
recognition system can probably use a standard camera phone of 1 MP or more, while
template size can range from 1000 to 2000 bytes.
Voice Recognition
Virtually all North Americans are familiar with speech recognition, having come
across it when trying to phone most companies nowadays. Voice recognition differs from
speech recognition, in that voice recognition analyzes how you say something, versus
what you say in speech recognition. Each person’s voice is unique, due to differences in
the size and shape of their vocal cords, vocal cavity, tongue and nasal passages. The way
an individual speaks is also determined by the complex coordination of their lips, jaw,
tongue and soft palate. Voice and speech recognition can in fact function
simultaneously using the same utterance, allowing the technologies to blend seamlessly:
speech recognition can be used to translate the spoken word to an account number, while
the voice recognition verifies that the vocal characteristics correspond to those associated with
that user’s account. Considered both a physiological and a behavioral biometric measure,
voice recognition has good user acceptance and requires little training to use. However,
while popular, low cost and capable of working over any phone, it’s less accurate than
other biometric systems and can entail lengthy enrollments requiring multiple voice
samples to attain a usable template. One of the biggest weaknesses of voice recognition is
that it suffers from a high reject rate in noisy environments, which is a problem for
outside usage. Performance can also vary according to audio signal quality as well as
variations between enrollment and verification devices, and with variations in
environments (inside versus outside, variations in background noise, etc.). Voice changes
that occur as a result of time, injury, cold or illness can also be an issue. Finally, voice
recognition can be defeated by playing back a high fidelity recording, which would
obviously be of great concern to financial institutions. While voice recognition benefits
from ease of usage, high user acceptance, and no need for new hardware, the impact of
environmental issues upon performance renders it of low to medium accuracy, which is
not likely to meet the security needs of most financial institutions.
Protection of mobile phone using voice recognition:
At first an original voice database of the user is created. This database is stored in the
Flash ROM (8M) which is available inside the cell phone. Then whenever the user
speaks through the cell phone, part of the speech sample is taken and encoded. This
processed voice of the user is compared with the original database to check the identity
of the user. If the user is authorized, he is allowed to continue his talk. If not, the
transmission is cut abruptly by putting the MP into the idle state. Thus the cell phone is
protected from any unauthorized user. Even if the cell phone is stolen or lost, it
won’t be useful for any other person.
Iris Recognition
Iris recognition is a newer method of biometric authentication that analyzes the
features that exist in the colored tissue surrounding the pupil, such as rings, furrows,
freckles and the corona. Iris patterns possess a high degree of randomness, with each iris
having 266 unique identifiers as compared to 13-60 for other biometrics.
Fig.6.12
These iris patterns, which differ even between identical twins, are apparently stable
throughout one’s life (although they will change within hours of death, preventing the use
of dead eyes). The iris features and their location are used to form what’s called the
IrisCode, which is the digital template of the iris, with an average template size of 512
bytes. Iris recognition is proving to be a highly reliable technology, offering excellent
performance with a very low false match rate, while being less invasive than the older
retinal scans. An iris scan involves a small moving target, located behind a curved, wet,
reflecting surface, which is obscured by eyelashes and lenses, and partially occluded by
eyelids that are often drooping. As a result, using the system effectively requires tightly
controlled environments and a very high level of training. Iris scans require hardware that
is not usually found on today’s average cell phones. Typical cell phone cameras are still
too low in resolution for accurate iris scanning applications, and a proper iris scan
requires a near-infrared illumination filter instead of the more common visible light filter
found in cell phone cameras. Additionally, to prevent a picture from being able to fool the
system, advanced devices may vary the light shone into the eye and watch for pupil
dilation, a feature that is not currently viable on small devices like cell phones. In terms
of user acceptance, the fact that iris scans are not invasive is helpful, assuming the
training issues can be properly addressed. Of course there remain some negative,
Orwellian connotations to the use of iris scans, but whether these concerns would also
apply to developing country users is unclear.
Fingerprints
The use of fingerprints to identify people has been around for over a century. It’s the
most mature biometric technology out there today, with accepted reliability and a well
understood methodology. As such, there are many vendors of fingerprint recognition on
the market today. Three of the traditional means of fingerprint recognition employ
optical, capacitive resistance/pressure, and thermal scanning technologies.
Fig. 6.13 Finger Impression
While all three have been in use for years, with good reliability and accuracy, they do
have weaknesses when faced with today’s demand for better fraud prevention in the face
of more sophisticated biometric applications, not to mention more sophisticated
criminals. Specifically, all three of these types of fingerprint scanning can be defeated in
various ways, such as using dead fingers or copying the last print used with adhesive film
and re-presenting it to the scanner. Additionally, testing has shown that the elderly,
manual laborers and some Asian populations are more likely to be unable to enroll in
some of the traditional fingerprint systems. A newer fingerprint technology, employing
RF imaging, uses ultrasonic holography of the outer layer of dead skin as well as the
inner layer of live skin to create the template, rendering it nearly 100% accurate, not to
mention resistant to the use of fake or dead fingers, or dirt and oil. In addition, the newer
fingerprint systems use each new scan of the finger to enhance the existing template, thus
making it more accurate with use over time. While fingerprints have proven to be highly
reliable and accurate over the years, particularly now using RF imaging, they’re not
completely infallible. They can be affected over time by such things as years of manual
labor or physical injury, so there would probably be a desire to update the reference
templates as and when necessary for commercial and financial applications. Other factors
that can cause failure in a fingerprint scan are cold and humidity (particularly in the older
types of fingerprinting), and location, angle and pressure of placement on the sensor
(known as a platen). Other issues to consider are that the use of fingerprints requires
physical contact, which can be a problem in some cultures, and the fact that
fingerprinting’s long association with criminal justice lends itself to some privacy
resistance, although this will probably ameliorate over time with increased use of
biometrics and updated privacy laws. Fingerprint capture technology is easily
accommodated on a cell phone, with sensor sizes ranging from 12 mm × 5 mm to about
1.5 cm × 1.5 cm, and low power and processing requirements. The fingerprint template
itself ranges in size from about 256 bytes to 500 bytes.
Protection of mobile phone using fingerprint recognition
When a user wants to purchase the mobile, the mobile manufacturer has to take the
fingerprint of the owner and it must be stored permanently in the database of the mobile.
The database here can be either ROM or smart cards. This image will be used in future
for the verification of the authorized user. Whenever the user wants to operate the mobile,
he/she should press his/her thumb on the scanner. Once the scanner captures the user’s
thumb, the image is stored in an EPROM (temporary memory). This thumb impression is
compared with the original or permanent thumb impression stored in ROM by using an
image comparator. If both impressions match, it sends a signal to MEMS (Micro Electro
Mechanical System) motors which help in opening the door of the mobile. If the
impression fails to match, then a corresponding signal will be generated from the image
comparator, which in turn helps in glowing a red LED (Light Emitting Diode). For this
operation a battery of 1.5 volts is required. A microcontroller can also be used to control
each and every device.
Fingerprint Security
AuthenTec has manufactured 95% of the fingerprint biometric scanners that are
currently used in mobile phones. Its scanners can be small and unobtrusive to look at and
they have been designed into many mobile phones, particularly in Asia. Pantech was the
first manufacturer to use fingerprint scanners to secure its mobile phones.
Fig.6.14 Biometric Technology
Biometric Technologies
Biometric tools come in a variety of forms but all confirm the identity of users by a
physical characteristic, whether that is a fingerprint, the sound of their voice, the unique
pattern of blood vessels in their eyes or the shape of their face. As biometrics become less
expensive, more accurate and easier to deploy than in years past
There are many biometric technologies to suit different types of applications. To choose
the right biometric to be highly fit for the particular situation, one has to navigate through
some complex vendor products and keep an eye on future developments in technology and
standards. Here follows a list of biometrics:
Fingerprints–A fingerprint biometric looks at the patterns found on a fingertip. There are
a variety of approaches to fingerprint verification, such as the traditional police method,
pattern-matching devices, moire fringe patterns, and ultrasonic scanning. This seems to be
a very good choice for in-house systems.
Hand geometry–This involves analyzing and measuring the shape of the hand. It
might be suitable where there are more users or where users access the system
infrequently. Accuracy can be very high if desired, and flexible performance tuning and
configuration can accommodate a wide range of applications. Organizations are using
hand geometry readers in various scenarios, including time and attendance recording.
Retina–A retina-based biometric involves analyzing the layer of blood vessels
situated at the back of the eye. This technique involves using a low intensity light source
through an optical coupler to scan the unique patterns of the retina. Retinal scanning can
be quite accurate but does require the user to look into a receptacle and focus on a given
point.
Iris–An iris-based biometric involves analyzing features found in the colored ring
of tissue that surrounds the pupil. This uses a fairly conventional camera element and
requires no close contact between the user and the reader. Further, it has the potential for
higher than average template-matching performance.
Face–Face recognition analyses facial characteristics. It requires a digital camera to
develop a facial image of the user for authentication. Because facial scanning needs
extra peripherals that are not included in basic PCs, it is more of a niche market for
network authentication. However, the casino industry has capitalized on this technology
to create a facial database of scam artists for quick detection by security personnel.
Signature–Signature verification analyses the way a user signs his name. Signing
features such as speed, velocity, and pressure are as important as the finished signature’s
static shape. People are used to signatures as a means of transaction-related identity
verification.
Voice–Voice authentication is based on voice-to-print authentication, where complex
technology transforms voice into text. Voice biometrics requires a microphone, which is
available with PCs nowadays. Voice biometrics is meant to replace currently used
techniques such as PINs, passwords, or account names. But voice will be a complementary
technique for finger-scan technology as many people see finger scanning as a higher
authentication form.
The system, which is designed primarily for PDA-phones but could also be used in new
generation smartphones and Wi-Fi enabled PDAs, offers three methods of biometric
identification. One employs the digital cameras that have become commonplace in
mobile devices along with a face recognition application to identify the user based on
their facial features. Another uses voice recognition software, also detecting any
asynchrony between speech and lip movements, and the third verifies the handwritten
signature of the user on the device’s touch screen. The three methods are used in
combination to enhance the overall levels of security and reliability, and most importantly
they require no hardware additions to mobile devices. The secure phone platform is
entirely software based. This is important if it is to be adopted by device
manufacturers, as it keeps costs down and makes implementing it much easier. There is
no need to add fingerprint or iris scanners. Instead, the system uses elements that already
exist in the device and which serve alternative purposes as well, while the type of
verification carried out is non-intrusive for the user.
Watermarks have been used for centuries to prove the authenticity of bank notes,
postage stamps and documents. Now European researchers are considering them as a
new tool in the fight against digital piracy and to authenticate and verify the integrity of
digital media. Digital Rights Management (DRM) systems that prevent copying have
raised fair use issues, however, because they not only block pirates but also prevent
legitimate consumers from making back-up copies. Watermarking, in contrast, does not
prevent copying, but depending on the application, can let consumers and producers
know what content is authentic and what is fake, and can help authorities trace illegal
copies. Watermarking is playing a very important role in protecting digital rights, a
growing industry because of piracy. Other uses, he notes, include authenticating
information and ensuring data integrity, as well as making content easier to identify and
find. Though not a new concept, digital watermarking is starting to gain favor among
content producers as one of several emerging anti-piracy measures. Earlier this year, for
example, record companies Sony and Universal started embedding anonymous
watermarks into songs not protected by other DRM methods. That will allow them to trace
the origins of illegally copied material, potentially generating important empirical
evidence on the scale of the piracy problem as they seek tighter copyright protection
laws. What the record companies are doing is one application of imperceptible and robust
watermarks, which are hidden to the user and are not eliminated if the content is tampered
with, such as being compressed or reformatted in the case of a song, video or photograph.
Such watermarks are difficult, though not impossible, to remove, and the WAVILA
researchers wanted to gain a better understanding of how someone would go about trying
to crack the watermarking algorithms. Watermarking today is where cryptography was in
the 1960s and 1970s: there is still a lot of secrecy. And in some ways it is facing an even
more complex challenge.
Biometrics characteristics
Choosing between different biometrics is not an easy task. Each biometric has its
own pros and cons, and the selection of a biometric for an application should depend not
only on its matching performance but also on other factors that determine if a biometric
trait is suitable for the application or not. The following biometric characteristics should
be evaluated in the selection process of a biometric system:
Universality—each person that is using the biometric system should possess the
biometric trait.
Uniqueness—measures how well the biometric trait separates one individual from
another.
Permanence—measures how well a biometric trait resists aging.
Collectability—ease of acquisition of the biometric trait without causing
inconvenience to the user.
Performance—accuracy, speed, robustness of the technology used.
Acceptability—degree of approval of the biometric technology by the users.
Circumvention—ease of use of an imitation of the biometric trait.
No biometric is perfect. None of the biometrics would satisfy 100% of the characteristics
listed above. Depending on the application, decision makers should review the
characteristics and determine which ones are a must for their organization.
Biometric Systems Benefits
A biometrics security system offers the following benefits:
(i) It doesn’t require cooperation. Some biometric systems such as face recognition,
gait recognition, odor recognition or face thermograph don’t require that the user
cooperates so that the biometric is collected. Biometric systems prove useful in train
stations, airports, stadiums etc., to identify wanted felons.
(ii) It guarantees the physical location of the user. It can be determined with certainty
that the user was at the point where the biometric was collected at the time when the
biometric was collected.
(iii) It has high throughput. When there is a need to identify a person from a large
population, automatic biometric identification may be the only efficient solution.
(iv) The biometric trait is unforgettable. Unlike the classic passwords that need to be
remembered, biometric traits cannot be forgotten because they represent something that
the user is: physically, behaviorally or chemically.
(v) The biometric trait cannot be lost. Unlike authentication tokens, id cards or
passwords written on a piece of paper, biometric traits cannot be lost. It cannot be
shared. Due to their nature biometric traits cannot be shared between users. This
ensures that the user that logs in to the system is the actual user and not a colleague
that is trying to help.
(vi) It is cost efficient. Sure there will be an up-front cost with the installation of the
system and with user education, but in the long run it proves cost efficient due to the
benefits listed above. It cannot be shared and it guarantees physical location; this way
no employee can help out a colleague that is late by punching in on the time system on
his behalf. And it cannot be lost or forgotten; this way the costs of reissuing new
identification tokens are reduced, the desktop support time is reduced because the need
for resetting passwords will be less, if any, and the down-time of employees because
they’ve got locked out of the systems is also reduced.
(vii) It can provide emergency identification. In those cases when a person cannot
identify himself, using a biometric system may be the only way to find his identity.
(viii) It prevents identity theft. In most cases of identity theft, the impostor used the
victim’s name and personal identification number to create credit card accounts and
use those on his behalf. Using biometric security systems makes it practically
impossible for impostors to pretend they are somebody else.
(ix) It is appealing. Most people find biometric systems appealing because of the ease
of use and because it is impressive how a door can be opened by just a swipe of a
finger.
Non-Hardware-Based One- Time-Password Scratch Card
Scratch cards (something a person has) are a less-expensive, “low-tech” version of
the OTP-generating tokens discussed previously. The card, similar to a bingo card or map
location look-up, usually contains numbers and letters arranged in a row-and-column
format. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user
name and password in the established manner. Assuming the information is input
correctly, the customer will then be asked to input, as a second authentication factor, the
characters contained in a randomly chosen cell in the grid. The customer will respond by
typing in the data contained in the grid cell that corresponds to the challenge
coordinates.
Conventional OTP hardware tokens rely on electronics that can fail through physical
abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and
easy to carry. This type of authentication requires no training and, if the card is lost,
replacement is relatively easy and inexpensive.
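The server side of the scratch-card second factor just described, as an added example that is not part of the study material: the bank issues a grid, challenges a random unused cell after the password step, and compares the typed answer in constant time. The grid size, cell length and character set are assumptions chosen for illustration.

```python
import hmac
import random
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Added example, not from the study material. Card geometry (rows x cols grid,
# 3 characters per cell) and the alphabet are assumptions for illustration.
ALPHABET = string.ascii_uppercase + string.digits


def make_card(rows, cols, cell_len, rng):
    """Build the printed grid: row letters x column numbers -> cell contents."""
    card = {}
    for r in range(rows):
        for c in range(cols):
            coord = f"{string.ascii_uppercase[r]}{c + 1}"   # e.g. "B3"
            card[coord] = "".join(rng.choice(ALPHABET) for _ in range(cell_len))
    return card


@dataclass
class ScratchCardAuthenticator:
    """Holds each customer's issued card; challenges and verifies responses."""
    seed: Optional[int] = None                   # fixed seed only for reproducible tests
    cards: dict = field(default_factory=dict)    # user -> {coord: cell value}
    used: dict = field(default_factory=dict)     # user -> coords already spent
    pending: dict = field(default_factory=dict)  # user -> coord of the open challenge

    def __post_init__(self):
        # Production draws from the OS CSPRNG; a seeded PRNG is for tests only.
        self.rng = random.Random(self.seed) if self.seed is not None else secrets.SystemRandom()

    def issue_card(self, user, rows=5, cols=5, cell_len=3):
        card = make_card(rows, cols, cell_len, self.rng)
        self.cards[user] = card
        self.used[user] = set()
        return card  # printed on the plastic card handed to the customer

    def challenge(self, user):
        """After the password step succeeds: pick a random unused cell."""
        fresh = sorted(set(self.cards[user]) - self.used[user])
        if not fresh:
            raise RuntimeError("card exhausted: issue a replacement card")
        coord = self.rng.choice(fresh)
        self.pending[user] = coord
        return coord

    def verify(self, user, response):
        """Check the typed cell contents against the cell that was challenged."""
        coord = self.pending.pop(user, None)
        if coord is None:
            return False  # no open challenge: stale or replayed answer
        supplied = response.strip().upper()
        if not supplied.isascii():
            return False
        ok = hmac.compare_digest(self.cards[user][coord], supplied)
        if ok:
            self.used[user].add(coord)  # a cell answers exactly one challenge
        return ok
```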
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the
individual originating a transaction to be verified through a channel different from the one
the customer is using to initiate the transaction. This type of layered authentication has
been used in the commercial banking/brokerage business for many years. For example,
funds transfer requests, purchase authorizations, or other monetary transactions are sent to
the financial institution by the customer either by telephone or by fax. After the
institution receives the request, a telephone call is usually made to another party within
the company (if a business generated the transaction) or back to the originating individual.
The telephoned party is asked for a predetermined word, phrase, or number that verifies
that the transaction was legitimate and confirms the dollar amount. This layering
approach precludes unauthorized transactions and identifies dollar amount errors, such as
when a $1,000.00 order was intended but the decimal point was misplaced and the amount
came back as $100,000.00.
In today’s environment, the methods of origination and authentication are more
varied. For example, when a customer initiates an online transaction, a computer or
network-based server can generate a telephone call, an e-mail, or a text message. When
the proper response (a verbal confirmation or an accepted-transaction affirmation) is
received, the transaction is consummated.
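The confirmation step described above, as an added example that is not part of the study material: the request arrives on one channel, a code that echoes the amount goes out on a second channel to contact details already on file, and the transaction is consummated only when that code comes back. The in-memory outbox, the five-minute expiry and the three-attempt limit are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from decimal import Decimal

# Added example, not from the study material. The second channel is simulated
# by an in-memory outbox; the TTL and the attempt limit are assumptions.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class Transfer:
    txn_id: str
    customer: str
    amount: Decimal
    payee: str


@dataclass
class PendingConfirmation:
    transfer: Transfer
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class OutOfBandConfirmer:
    contacts: dict                                # customer -> phone/e-mail on file
    outbox: list = field(default_factory=list)    # simulated second channel
    pending: dict = field(default_factory=dict)   # txn_id -> PendingConfirmation
    clock: object = time.time                     # injectable for tests

    def request(self, transfer):
        """Channel 1 delivered the request; push a confirmation over channel 2.

        The message echoes amount and payee so the customer can catch a misplaced
        decimal point, and goes to the contact on file, never to details supplied
        with the request itself.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[transfer.txn_id] = PendingConfirmation(
            transfer, code, self.clock() + CODE_TTL_SECONDS)
        self.outbox.append({
            "to": self.contacts[transfer.customer],
            "text": (f"Confirm transfer {transfer.txn_id} of "
                     f"${transfer.amount:,.2f} to {transfer.payee}. "
                     f"Code: {code}. If you did not request this, reply STOP."),
        })
        return transfer.txn_id

    def confirm(self, txn_id, code):
        """Customer returns the code: consummate the transfer, or say why not."""
        p = self.pending.get(txn_id)
        if p is None:
            return "unknown"            # never requested, or already settled
        if self.clock() > p.expires_at:
            del self.pending[txn_id]
            return "expired"
        p.attempts += 1
        supplied = code.strip()
        if not (supplied.isascii() and hmac.compare_digest(p.code, supplied)):
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[txn_id]
                return "locked"         # too many wrong codes: start over
            return "rejected"
        del self.pending[txn_id]        # a code confirms exactly one transaction
        return "consummated"

    def decline(self, txn_id):
        """Customer saw a wrong amount or never asked: cancel the request."""
        return self.pending.pop(txn_id, None) is not None
```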
IP Address (Internet Protocol Address) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the
requesting Internet Protocol Address. Each computer on the Internet has an IPA, which is
assigned either by an Internet Service Provider or as part of the user’s network. If issued
a unique IPA that was constantly maintained on an official register, authentication by
IPA would simply be a matter of collecting IPAs and cross-referencing them to their
owners. However, IPAs are not owned, may change frequently, and in some cases can be
spoofed. Additionally, there is no single source for associating an IPA with its current
owner, and in some cases matching the two may be impossible.
Some vendors have begun offering software products that identify several data
elements, including location, anonymous proxies, domain name, and other identifying
attributes referred to as “IP Intelligence.” The software analyzes this information in a
real-time environment and checks it against multiple data sources and profiles to prevent
unauthorized access. If the user’s IPA and the profiled characteristics of past sessions
match information stored for identification purposes, the user is authenticated. In some
instances the software will detect out-of-character details of the access attempt and
quickly conclude that the user should not be authenticated.
Geo-location technology is another technique to limit Internet users by determining
where they are or, conversely, where they are not. Geo-location software inspects and
analyzes the small bits of time required for Internet communications to move through the
network. These electronic travel times are converted into cyberspace distances. After
these cyberspace distances have been determined for a user, they are compared with
cyberspace distances for known locations. If the comparison is considered reasonable, the
user’s location can be authenticated. If the distance is considered unreasonable or for
some reason is not calculable, the user will not be authenticated.
IPA verification or geo-location may prove beneficial as one factor in a multifactor
authentication strategy. However, since geo-location software currently produces usable
results only for land-based or wired communications, it may not be suitable for some
wireless networks that can also access the Internet, such as cellular/digital telephones.
Mutual Authentication
Mutual authentication is a process whereby the customer’s identity is authenticated and
the target Web site is authenticated to the customer. Currently, most financial institutions
do not authenticate their Web sites to the customer before collecting sensitive information.
One reason phishing attacks are successful is that unsuspecting customers cannot
determine they are being directed to spoofed Web sites during the collection stage of an
attack. The spoofed sites are so well constructed that casual users cannot tell they are not
legitimate. Financial institutions can aid customers in differentiating legitimate sites from
spoofed sites by authenticating their Web site to the customer.
Techniques for authenticating a Web site are varied. The use of digital certificates
coupled with encrypted communications (e.g. Secure Sockets Layer, or SSL) is one; the
use of shared secrets such as digital images is another. Digital certificate authentication is
generally considered one of the stronger authentication technologies, and mutual
authentication provides a defense against phishing and similar attacks.
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication.
Customer verification complements the authentication process and should occur during
account origination. Verification of personal information may be achieved in three ways:
(a) Positive verification to ensure that material information provided by an applicant
matches information available from trusted third party sources. More specifically,
a financial institution can verify a potential customer’s identity by comparing the
applicant’s answers to a series of detailed questions against information in a
trusted database (e.g. a reliable credit report) to see if the information supplied by
the applicant matches information in the database. As the questions become more
specific and detailed, correct answers provide the financial institution with an
increasing level of confidence that the applicant is who they say they are.
(b) Logical verification to ensure that information provided is logically consistent
(e.g., do the telephone area code, ZIP code, and street address match).
(c) Negative verification to ensure that information provided has not previously been
associated with fraudulent activity. For example, applicant information can be
compared against fraud databases to determine whether any of the information is
associated with known incidents of fraudulent behavior. In the case of commercial
customers, however, the sole reliance on online electronic database comparison
techniques is not adequate since certain documents (e.g., bylaws) needed to
establish an individual’s right to act on a company’s behalf are not available from
databases. Institutions still must rely on traditional forms of personal
identification and document validation combined with electronic verification
tools.
Another authentication method consists of the financial institution relying on a third
party to verify the identity of the applicant. The third party would issue the applicant an
electronic credential, such as a digital certificate, that can be used by the applicant to
prove his/her identity. The financial institution is responsible for ensuring that the third
party uses the same level of authentication that the financial institution would use itself.
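The three verification checks (positive, logical and negative) run over a single applicant, as an added example that is not part of the study material. The trusted record, the ZIP/area-code table, the fraud list and the 75% confidence threshold are constructed sample data, and a real system would draw them from a credit bureau, a telephone/postal directory and a fraud database.

```python
from dataclasses import dataclass, field

# Added example, not from the study material. All reference data below is
# constructed for illustration; none of it describes real people or places.
TRUSTED_RECORDS = {   # stands in for a credit report or similar trusted source
    "APP-0001": {"name": "jane doe", "dob": "1985-04-12",
                 "prior_address": "12 elm st", "mortgage_lender": "first bank"},
}
# ZIP prefix -> (state, telephone area codes seen in that ZIP); constructed
ZIP_TABLE = {
    "100": ("NY", {"212", "646", "917"}),
    "900": ("CA", {"213", "310", "323"}),
}
# Elements previously tied to fraud incidents; constructed
FRAUD_DB = {"phone": {"2125550199"}, "street": {"1 fraud ln"}}

QUESTIONS_ASKED = ("dob", "prior_address", "mortgage_lender")


@dataclass
class Applicant:
    applicant_id: str   # key into the trusted database (e.g. a national ID)
    name: str
    phone: str          # digits only
    zip_code: str
    state: str
    street: str
    answers: dict = field(default_factory=dict)   # question -> applicant's answer


def _norm(value):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(value).lower().split())


def positive_verification(app, records=TRUSTED_RECORDS, questions=QUESTIONS_ASKED):
    """Share of detailed questions answered consistently with the trusted record.

    More correct answers raise confidence; an applicant absent from the trusted
    source scores 0.0 rather than passing by default.
    """
    record = records.get(app.applicant_id)
    if record is None or not questions:
        return 0.0
    hits = sum(1 for q in questions
               if q in record and q in app.answers
               and _norm(app.answers[q]) == _norm(record[q]))
    return hits / len(questions)


def logical_verification(app, zip_table=ZIP_TABLE):
    """Internal consistency: ZIP code, state and telephone area code agree."""
    entry = zip_table.get(app.zip_code[:3])
    if entry is None:
        return False
    state, area_codes = entry
    return app.state.upper() == state and app.phone[:3] in area_codes


def negative_verification(app, fraud_db=FRAUD_DB):
    """Names the supplied elements already associated with known fraud."""
    hits = []
    if app.phone in fraud_db.get("phone", set()):
        hits.append("phone")
    if _norm(app.street) in fraud_db.get("street", set()):
        hits.append("street")
    return hits


def verify_applicant(app, min_confidence=0.75):
    """Combine the three checks; anything short of clean goes to manual review."""
    confidence = positive_verification(app)
    consistent = logical_verification(app)
    fraud_hits = negative_verification(app)
    accept = confidence >= min_confidence and consistent and not fraud_hits
    return {"positive": confidence, "logical": consistent,
            "negative_hits": fraud_hits,
            "decision": "accept" if accept else "refer"}
```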
Few Tips for Safe Internet Banking
Secure Your System
• Use a personal firewall.
• Always download and install authorized operating system updates.
• Run and maintain an anti-virus product on your home computer and update it
regularly.
• Do not run or install programmes of unknown origin.
• If using a local area network (LAN), contact your administrator and seek the
availability of email gateway filtering for specific file attachments.
• Do not access your bank account from computers in Internet cafes or untrusted
PCs as they may not be safe.
• Never leave your PC unattended when logged in to Internet banking.
• Always ensure that you log out properly when you have finished Internet banking.
Secure Your Passwords
• Do not give your PIN or password to anyone else, including bank staff or Police.
• If you suspect your Internet banking password has been compromised, change it
as soon as possible.
• Avoid using your birth date or name as your PIN or password. Passwords should
be alphanumeric, e.g. pencil37.
• Avoid storing passwords on your computer.
• Do not set up your computer so it ‘auto completes’ or saves your password, i.e. do
not tick the “remember this password” box.
• Do not use the same password on Internet banking as telephone banking.
Take Care of the following points
• Delete, without opening, emails requesting personal details such as PINs or
passwords; legitimate financial institutions and companies will not ask you to
provide PINs or passwords.
• Delete suspicious emails with attachments and never open the attachments.
• Check for a secure connection. (Secure website addresses have https at the start.
The “s” indicates secure. They will also have a ‘padlock’ icon on the bottom right
corner. Double clicking the icon will show who owns the certificate.)
• Follow your own path to the site you choose: it is possible to create a link on a
web page or in an email and make it look as if it is taking you to a bona fide
website when it is sending you elsewhere. Your safest course is to check that you
have the correct address (URL) and then type it each time into your address bar.
• Consider whether the message you have received is a message that you would
expect to receive: is it one you have received from your financial institution
before? (Incorrect grammar or spelling is usually an immediate indicator of a
suspect email or website.)
• Are there related announcements on the financial institution’s or company’s
website?
• Reconcile your account(s) either on-line or by statements frequently and
regularly.
Suspicious? Report It
If you think you may have been taken in by or received a phishing scam, or that you
may have received a virus that enables someone to access your account details, report it
immediately to your financial institution.
COMPARISON OF DIFFERENT PAYMENT GATEWAYS
An e-commerce payment gateway is the access point to the online banking network. All
online transactions must pass through a payment gateway to be processed. The payment
gateway acts as a bridge between the user’s website and the financial institutions that
process the transaction. Gateways process the different transactions between the user and
the web browser. A payment gateway authenticates and routes payment. Here we have
focused on different e-commerce payment gateways, and also have a deep comparative
study and analysis of different online gateways. An internet e-commerce payment gateway
is a critical infrastructural component that ensures that such transactions occur without any
hitches and in total security over electronic networks.
The criteria that are important while evaluating a payment gateway: We have
described a comparative study of different e-commerce payment systems, which are:
1. CC Avenue Gateway
2. PayPal Gateway
3. DirecPay Gateway
4. EBS Gateway
5. ABC Payments Gateway
6. HDFC Gateway
7. ICICI Payseal Gateway
8. Transected Gateway
Different criteria and services are described below through the comparative study of
payment gateways. All these payment gateways focus on different factors such as security,
cost, support, dispute resolution, international payments, transaction time, supported
banks, and tools and features. These are shown in tabular form.
Columns compared for each gateway: Security; Cost; Customer Care & Support; Dispute
Resolution; Processing through International Payments; Real-time & Transaction Time
Reporting; Support for Multiple Banks; Tools and Features offered.

1. CC Avenue Gateway
Security: 1. Security firewall 2. Risk management tools 3. Fraud filters
Cost: 1. Rs. 7,500 as one-time non-refundable set-up fees 2. 7% transaction fees for cards 3. 4% transaction fees for net banking and mobile payments + Rs. 1,200 as annual maintenance charge
Customer Care & Support: 1. Commerce service provider 2. Real-time transactions and response 3. Provides technical support 4. Support for net banking transactions 5. Support 24*7
Dispute Resolution: Streamlines dispute resolution processes through the use of automated tools to prevent invalid exception items.
International Payments: VISA, MasterCard, American Express, Diners Club, JCB cards, Citibank, Discover Novus, Carte Blanche
Real-time & Transaction Time: 1. Optimum transaction time: the transaction is completed between 30 seconds and a minute. 2. This enables websites to transact and accept payments online and in real time.
Support for Multiple Banks: 1. HDFC 2. Bank of Rajasthan 3. ICICI 4. Kotak 5. Citibank 6. Oriental Bank of Commerce 7. Axis 8. Jammu & Kashmir 9. IDBI 10. Corporation Bank 11. Standard Chartered Bank 16. Centurion Bank of Punjab 17. State Banks 18. HSBC 19. Union Bank of India 20. Punjab National Bank etc.
Tools and Features: 1. Credit cards, debit cards, net banking, mobile payments, cash cards 2. Debit cards accepted: VISA, MasterCard 3. Additional features: live chat, shopping-cart ready, instant SMS, email, detailed reports

2. PayPal Gateway
Security: 1. Dual privacy 2. Security key system 3. Data encryption 4. Transaction monitoring 5. Safer and faster
Cost: PayPal is free and protects your purchases.
Customer Care & Support: 1. Online support 2. Multi-currency 3. PayPal’s support staff is organized into departments that specialize in specific customer concerns. 4. PayPal Merchant Technical Support is ready to assist with integrating PayPal on the website.
Dispute Resolution: 1. Most carefully resolves transaction disputes 2. The PayPal Resolution Center enables you to resolve transaction issues before they become larger problems.
Real-time & Transaction Time: 1. Fast and trustworthy 2. Ideal for online auctioneers 3. The new e-transfer process takes less than a week to process a check
Support for Multiple Banks: 1. HDFC Bank 2. ICICI Bank 3. ING Vysya 4. Axis Bank (formerly UTI Bank) 5. Standard Chartered Bank 6. State Bank of India 7. Bank of India 8. Canara Bank 9. Union Bank of India 10. HSBC 11. Citibank India
Tools and Features: 1. Product features: credit cards 2. No debit card accepted 3. Additional features: currency conversion fee of 2.5% added to the exchange rate 4. Debit cards (also known as bank cards) VISA, MasterCard, American Express, Eurocard, Maestro are accepted if they have a Visa or MasterCard logo.

3. DirecPay Gateway
Security: 1. SSL technology used 2. Secure data encryption 3. VeriSign 128-bit SSL, IP connection and encryption tool 4. PCI certified
Cost: Rs. 30,000 set-up charge + 7% transaction fees + annual maintenance charge
Dispute Resolution: 1. The DirecPay platform is mapped against a negative database which is continuously compiled and updated 2. It resolves the disputes 3. VeriSign secured, making it robust and free from internet dangers like phishing
International Payments: VISA, MasterCard, Diners Card
Real-time & Transaction Time: 1. Fast, reliable and secure passage for transaction data 2. Transaction status gives a response back as a message alert
Support for Multiple Banks: 1. ICICI 2. HDFC 3. Citibank 4. State Bank of India
Tools and Features: 1. Credit cards, Internet banking, mobile banking 2. Around 51 debit cards accepted 3. Online shopping, travel portals, educational institutions, equity broking

4. EBS Gateway
Security: 1. Risk monitoring 2. Highest security, PCI DSS 1.1 3. VeriSign 128-bit SSL technology 4. Security firewall used
Cost: Rs. 6,000 as set-up fees and 6% transaction fee + Rs. 2,400 annual maintenance charge
Customer Care & Support: 1. One-stop solution 2. Multi-currency 3. Quick settlement 4. Simple integration 5. Services and support are cost effective, cover a wide range of payment acceptance modes and rest on a robust technology platform; 24*7 support
Dispute Resolution: 1. It reduces the amount of time spent researching customer inquiries; and 2. it reduces the occurrence of chargeback disputes
International Payments: VISA, MasterCard, Diners Card, ITZ Cash Card
Real-time & Transaction Time: 1. It usually takes between 2 and 7 seconds for the transaction response 2. Transactions in real time
Support for Multiple Banks: HDFC, Citibank, Axis Bank, ICICI Bank, Deutsche Bank, Karur Vysya Bank, State Bank of India, Indian Overseas Bank, ING Vysya, Corporation Bank
Tools and Features: 1. Product features: credit cards, debit card, net banking 2. No debit card accepted 3. Additional features: live chat, shopping-cart ready, instant SMS, email, detailed reports

5. ABC Payments Gateway
Security: 1. Risk management system controls 2. Secure data encryption 3. 128-bit SSL encryption security 4. Certified secured 5. SSL technology with the newest security protocols
Cost: 1. Set-up cost Rs. 7,000 + 7% transaction fees 2. Start-up cost: 10,000-28,000
Customer Care & Support: 1. Easy integration 2. Multi-currency support 3. Online technical support 4. Offline technical support 5. Risk minimization: if any transaction is perceived as a high-risk transaction, an immediate alert email is sent to the sub-merchant 6. Email alerts for suspect transactions 7. Support 24*7
Dispute Resolution: 1. The user receives the parameters/data in either case of the transaction process ending successfully or failing due to many reasons, including wrong entry of credit card numbers and so on. 2. It resolves disputes through expertise and provides maximum satisfaction.
International Payments: VISA, MasterCard, Diners Card
Real-time & Transaction Time: 1. Less processing time 2. Real-time response means quick transaction response
Support for Multiple Banks: ICICI Bank, HDFC Bank, Citibank, Axis Bank, IDBI Bank, CBOP, SBI (coming soon), PNB (coming soon)
Tools and Features: 1. Product features: credit cards, net banking 2. Debit card accepted 3. Additional features: live chat, shopping-cart ready, instant SMS, email, detailed reports

6. HDFC Gateway
Security: 1. Secure firewalls 2. 125-bit encryption 3. Intrusion detection and prevention system 4. SET certification for digital signature
Cost: 1. Start-up cost: 10,000-50,000 2. Transaction cost: 3.5%-6% 3. Security deposit 50,000, depending on due diligence
Customer Care & Support: 1. It supports a user-friendly interface 2. Real-time risk management 3. Automated reconciliation support 4. Integration of SCM module 5. Full Bancent 24 hrs. support
Dispute Resolution: 1. It resolves disputes 2. Responsive and trusted service
International Payments: VISA, MasterCard, HDFC Net Banking
Real-time & Transaction Time: 1. Secured and easy transaction process 2. Real-time basis response
Support for Multiple Banks: HDFC Bank Payment Gateway provides a single platform to support multiple payment technologies
Tools and Features: 1. Product features: credit cards and HDFC Net Banking 2. Debit card accepted 3. Additional features: email and telephonic support available

7. ICICI Payseal Gateway
Security: 1. Offers 128-bit SSL encryption 2. 280-bit RSA before passing it through an SSL pipe using 128-bit encryption 3. Uses a Stronghold web server 4. Extensive security firewalls
Cost: Rs. 40,000 as set-up fees and 5% as transaction fees
Customer Care & Support: 1. Optimum server utilization 2. Centralized and secure data management support 3. Highly scalable and reliable support 4. Efficient administration 5. Support 24*7
Dispute Resolution: 1. It resolves disputes 2. The administration module facilitates extensive MIS reporting and monitoring of transactions conducted
International Payments: VISA, MasterCard, ICICI Net Banking
Real-time & Transaction Time: 1. The transaction information is quickly transmitted to the merchant server. 2. Fast and easy transaction; it takes 10-15 secs. for the transaction report through ICICI
Support for Multiple Banks: Provides a single platform for all payment gateways
Tools and Features: 1. Product features: credit cards, ICICI Net Banking 2. Debit card accepted 3. Additional features: needs Java support for your website.

8. Transecute Gateway
Security: 1. 128-bit SSL certificate 2. Uses a symmetric-key-based checksum algorithm to exchange data 3. Advanced heuristic fraud pattern matching and detection engine 4. Fraud detection and risk mitigation 5. End-to-end security via the gateway merchant web server 6. Transaction process in real time
Cost: 1. Set-up charges: Rupees 30,000 2. Transaction charges: 5% per transaction 3. Chargeback fee: Rupees 10 per transaction
Customer Care & Support: 1. Transaction support 2. Multi-currency support 3. Instant fraud alert mails for risky transactions 4. Support 24*7 5. No expensive encryption required 6. Technical support lifetime free
Dispute Resolution: 1. It provides proof of delivery 2. It checks high-value transaction processes 3. It maintains a daily Transecute risk mitigation and fraud report 4. This report contains alerts on various transactions that are perceived to be risky by our heuristic fraud detection software 5. Through manual checks these transactions create minimum chargeback risk
International Payments: VISA, MasterCard
Real-time & Transaction Time: 1. The typical integration time is less than an hour to get online and live 2. Transecute merchant transaction reversals: merchants can reverse transactions from the interface 3. Real-time credit card response
Support for Multiple Banks: 1. It provides a single platform for all payment gateways 2. No bank payment accepted
Tools and Features: 1. Transecute supports all VISA/MasterCard transactions and also Amex, Discover, Novus, bank accounts, e-checks, multiple currencies 2. No debit card accepted 3. Transecute is also the only gateway to allow anytime withdrawal of your balance.
LESSON-1
UNIT V
Security and Legal Aspects of E-commerce: Ecommerce Security–Meaning and Issues

•
Security and Legal Aspects of E-commerce: E-commerce security – meaning and
issues;
•
Security threats in the E-commerce environment- security intrusions and breaches,
attacking methods like hacking, sniffing, cyber-vandalism etc.;
•
Technology solutions- encryption, security channels of communication, protecting
networks, servers and clients;
•
Information Technology Act 2000- provisions related to offences, secure electronic
records, digital signatures, penalties and adjudication.
Security and Legal Aspects of E-commerce: E-commerce security –
meaning and issues;
What is E-Commerce: Electronic Commerce may include any computer-mediated
business process, but a common usage is to use it to describe commerce taking place
using the World Wide Web as an enabling transport. For many reasons, including our
areas of expertise and experience, we will concentrate on this definition of E-Commerce.
The web is the way to do business for many reasons. Thin, ubiquitous clients, the wide
availability of access and a consistent interface to many different platforms are among the
reasons to choose web solutions for many problems. In addition, the limited nature of the
HTTP protocol makes security issues simpler. However, any transaction taking place
across the public Internet is open to a wide variety of security problems. In this chapter
we will discuss the various issues related to e-commerce.
One of the critical success factors of e-commerce is its security. Without a great
degree of confidence by the customers that credit card numbers and other extremely
sensitive personal information will be kept secure, e-commerce will simply not work.
However, the successful functioning of e-commerce security depends on a complex
interrelationship between several components, including the application development
platforms, database management systems, systems software and network infrastructure.
E-COMMERCE SECURITY ISSUES
E-commerce systems are based upon Internet use, which provides open and easy
communication on a global basis. However, because the Internet is unregulated,
unmanaged and uncontrolled, it introduces a wide range of risks and threats to the systems
operating on it.
The use of the Internet means that your internal IT and e-commerce systems are
potentially accessible by anyone, irrespective of their location.
The following points outline the security issues related to e-commerce:
•
Access control: If access control is properly implemented, many other security
problems, like lack of privacy, will either be eliminated or mitigated. Access
control ensures only those that legitimately require access to resources are given
access and those without valid access cannot have access. This includes both
physical access as well as logical access to resources. Various types of threats
exist for access control. For example, being able physically to enter a building or
having access to network equipment is one example of a threat.
•
Privacy: Privacy ensures that only authorized parties can access information in
any system. The information should also not be distributed to parties that should
not receive it. Issues related to privacy can be considered as a subset of issues
related to access control. Protection of privacy requires access control; however,
access control deals with the larger picture. Due to this, the threats to privacy are
similar to those of access control.
•
Integrity: Integrity ensures that only authorized parties make changes to the
documents transmitted over the network. Lack of integrity of the system can be
devastating for e-commerce. While the threats to integrity are similar to the
threats to access, being a threat to integrity is possible only when one has access
at a level consistent with someone having the rights to alter a document. For
example, if a customer places an order, and someone can access the system as
the customer, they may be able to alter the contents of the order placed.
•
Authentication: Authentication ensures that the origin of an electronic message
is correctly identified. This means having the capability to determine who sent
the message and from where or which machine. Without proper authentication,
it will be impossible to know who actually placed an order and whether the order
placed is genuine or not.
•
Non-repudiation: Non-repudiation is closely related to authentication and
ensures the sender cannot deny sending a particular message and the receiver
cannot deny receiving a message. If this happens infrequently, it may not
significantly harm e-commerce; however, on a large scale this can be
devastating. For example, if many customers receive goods and then deny
placing an order, the shipping, handling and associated costs of the orders can
be significant for the company processing the orders.
•
Availability: Availability ensures that the required systems are available when
needed. For an e-commerce site this means that the customer order systems are
available all the time. Two major threats to availability are virus
attacks and denial of service.
One complicating factor for any e-commerce venture is security for customer
information, such as credit card numbers and personal data, that most customers do
not wish to have shared. Hardly a month goes by without media reports of
security breaches over the Internet. Internal security problems, as well as
hackers, can plague firms. Guarantees, seals of approval, testimonials, etc., can
help ease consumer worries since most sites lack track records.
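The order-tampering scenario from the integrity point above, as an added example that is not code from the original study material: each order is bound to a message authentication tag so that any change to its fields is detected on receipt. The key, order fields and the tampered quantity are constructed for the demo; a shared-key tag gives integrity but not non-repudiation, which would need a signature made with a key only the customer holds.

```python
import hashlib
import hmac
import json

# Constructed demo key shared between the customer's session and the order
# server. A real deployment would issue one per session and never hard-code it.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(order: dict) -> bytes:
    """Serialise the order deterministically (sorted keys, no whitespace) so that
    both sides hash exactly the same bytes regardless of field order."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_order(order: dict, key: bytes = SECRET_KEY) -> str:
    """Return a hex HMAC-SHA256 tag that binds every field of the order."""
    return hmac.new(key, canonical_bytes(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag for the order as received and compare in constant time.
    A single altered field (quantity, price, shipping address) changes the tag.
    Note: anyone holding the shared key can make a valid tag, so this proves the
    order was not altered in transit, not who originally sent it."""
    expected = tag_order(order, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Place an order, then show what verification says about altered copies."""
    order = {"customer": "C-1001", "item": "SKU-42", "qty": 1, "price": 499.0}
    tag = tag_order(order)                   # sent along with the order
    tampered = dict(order, qty=50)           # quantity changed in transit
    reordered = {"price": 499.0, "qty": 1, "item": "SKU-42", "customer": "C-1001"}
    return {
        "original_ok": verify_order(order, tag),
        "tampered_ok": verify_order(tampered, tag),
        "reordered_ok": verify_order(reordered, tag),   # same fields, same tag
        "wrong_key_ok": verify_order(order, tag, key=b"some-other-key"),
    }
```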
Transaction security has kept many customers from purchasing products on the
Internet. Much resistance has come from privacy issues such as giving out credit card numbers
and personal information. There are continual reminders of how unsafe these practices
can be, even though “secure” software programs have been developed and continue to
become more protective. Foolproof systems may never be developed and, therefore, the
customer is left to weigh the potential cost to privacy against the benefits of conducting
business over the Internet.
RISKS INVOLVED IN E-COMMERCE
Some of the more common threats that hackers pose to e-commerce systems include:
•
Carrying out denial-of-service (DoS) attacks that stop access to authorized users
of a website, so that the site is forced to offer a reduced level of service or in
some cases, cease operation completely
•
Gaining access to sensitive data such as price lists, catalogues and valuable
intellectual property, and altering, destroying or copying it
•
Altering your website, thereby damaging your image or directing your customers
to another site
•
Gaining access to financial information about your business or your
customers, with a view to perpetrating fraud
•
Using viruses to corrupt your business data
Impact Upon the Business
All of these risks can have a significant impact upon a business running an e-commerce
service. The potential business implications of a security incident include the
following.
•
Direct financial loss as a consequence of fraud or litigation.
•
Consequential loss as a result of unwelcome publicity.
•
Criminal charges if you are found to be in breach of the Data Protection or
Computer Misuse Acts, or other regulation on e-commerce.
•
Loss of market share if customer confidence is affected by a denial-of-service
attack, or other incident.
The image presented by your business, together with the brands under which you
trade, are valuable assets. It is important to recognize that the use of e-commerce creates
new ways for both image and brands to be attacked.
Risks from Viruses, Trojans and Worms
Viruses, Trojan horses and worms are all computer programs that can infect
computers. Viruses and worms spread across computers and networks by making copies
of themselves, usually without the knowledge of the computer user.
A Trojan horse is a program that appears to be legitimate but actually contains
another program or block of undesired malicious, destructive code, disguised and hidden
in a block of desirable code. Trojans can be used to infect a computer with a virus.
A back-door Trojan is a program that allows a remote user or hacker to bypass the
normal access controls of a computer and gives them unauthorized control over it.
Typically a virus is used to place the back-door Trojan onto a computer, and once the
computer is online, the person who sent the Trojan can run programs on the infected
computer, access personal files, and modify and upload files.
Security threats in the E-commerce environment- security intrusions
and breaches, attacking methods like hacking, sniffing, cyber-vandalism
etc.;
Risks to E-commerce Systems
While some viruses are merely irritants, others can have extremely harmful effects.
Some of the threats that they pose to e-commerce systems include:
•
corrupting or deleting data on the hard disk of your server
•
stealing confidential data by enabling hackers to record user keystrokes
•
enabling hackers to hijack your system and use it for their own purposes
•
using your computer for malicious purposes, such as carrying out a denial-of-service (DoS) attack on another website
•
harming customer and trading partner relationships by forwarding viruses to
them from your own system
How do viruses spread?
Viruses are able to infect computers via a number of different routes. These include
via:
•
CDs and floppy disks containing infected documents
•
emails containing infected attachments
•
Internet worms that exploit holes in your system’s operating system when you
are connected to the Internet
Spyware
Spyware is software that is placed on your computer when you visit certain websites.
It is used to secretly gather information about your usage and send it back to advertisers
or other interested parties. In addition to tracking your system use, it can also slow down
or crash your computer.
PROTECTING THE E-COMMERCE SYSTEM
Securing your e-Commerce System
As the use of the Internet continues to grow, websites are assuming greater
importance as the public face of business. Furthermore, the revenues generated by e-commerce systems mean that organizations are becoming ever more reliant upon them as
core elements of their business.
With this high level of dependency upon the services provided by e-commerce
systems, it is essential that they are protected from the threats posed by hackers, viruses,
fraud and denial-of-service (DoS) attacks.
Identifying e-commerce Threats and Vulnerabilities
It is important that you understand the risks facing your e-commerce system, and the
potential impact should any security incident arise.
What are the threats?
Threats to e-commerce systems can be either malicious or accidental. The
procedures and controls you put in place to protect your site should help minimize both.
Malicious threats could include:
•
Hackers attempting to penetrate a system to read or alter sensitive data
•
Burglars stealing a server or laptop that has unprotected sensitive data on its disk
•
Imposters masquerading as legitimate users and even creating a website similar
to yours
•
Authorized users downloading a web page or receiving an email with hidden
active content that attacks your systems or sends sensitive information to
unauthorized people
You should consider potential threats to sensitive information from three angles:
•
Where (or who) are the potential sources of threats?
•
What level of expertise is the hacker likely to possess? How much effort are they
likely to expend in attempting to breach your security?
•
What facilities and tools are available to them?
The real threat may not be the most obvious one. Attacks from authorized users
(such as a disaffected employee or partner) are far more common than attacks by hackers.
Risk Assessment
A risk assessment can be carried out to provide an organization with a clear
understanding of the risks facing its e-commerce system and associated business
processes, and the potential impact if a security incident arises.
A key part of a risk assessment is defining the business’ information access
requirements. This will cover the rules of access for different groups of users. For
example, different rules may apply for employees, consultants, managed service providers,
suppliers, customers, auditors, government agencies and so on.
Any analysis should also take account of how electronic transactions are verified.
How do you know that an order has actually come from a known customer? Where
contracts are exchanged electronically, who can sign them and how can it be proved
which is the signed version?
COMMON E-COMMERCE SECURITY TOOLS
You should introduce sufficient security controls to reduce risk to e-commerce
systems. However, these controls should not be so restrictive that they damage the
employees’ performance.
Some of the common security controls are listed below.
Authentication
There are several techniques that can identify and verify someone seeking to access
an e-commerce system. These include:
•
A user name and password combination, where the password can vary in length
and include numbers and characters.
•
“Two-factor” authentication requiring something the user has (e.g. an
authentication token) and something the user knows (e.g. a personal identification
number).
•
A digital certificate that enables authentication through the use of an individual’s
unique signing key.
•
A person’s unique physical attribute, referred to as a biometric. This can range
from a fingerprint or iris scan, through to retina or facial-feature recognition.
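As an added example of the two-factor combination listed above (something the user has plus something the user knows), not code from the original material: the token's one-time code is computed with HOTP/TOTP (RFC 4226/6238) and checked together with a PIN. The PIN and timestamps are constructed; the token secret is the RFC test key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). In a real
# system each token holds its own random secret, provisioned once and never
# transmitted again.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the current time step and `window` steps either side, to tolerate
    clock drift between token and server. Every candidate is checked in
    constant time so the timing does not reveal which step matched."""
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            ok = True
    return ok


def second_factor_login(pin: str, code: str, stored_pin: str,
                        token_secret: bytes, unix_time: int) -> bool:
    """Two-factor check: the PIN (knowledge) AND the token code (possession)
    must both be right. Both checks run regardless of the PIN result, so a
    wrong PIN is not distinguishable from a wrong code by timing."""
    pin_ok = hmac.compare_digest(pin.encode(), stored_pin.encode())
    code_ok = verify_totp(token_secret, code, unix_time)
    return pin_ok and code_ok
```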
Access Control
This restricts different classes of users to subsets of information and ensures that
they can only access data and services for which they have been authorized. These
include using:
•
Network restrictions to prevent access to other computer systems and networks
•
Application controls to ensure individuals are limited in the data or service they can
access
Changes to access privileges must be controlled to prevent users retaining them if
they transfer between departments or leave the business.
Encryption
This technique scrambles data, and is used to protect information that is being either
held on a computer or transmitted over a network. It uses technologies such as virtual
private networks (VPNs) and the secure sockets layer (SSL).
Firewall
A firewall is a hardware or software security device that filters information passing
between internal and external networks. It controls access to the Internet by internal
users, preventing outside parties from gaining access to systems and information on the
internal network. A firewall can be applied at the network level, to provide protection for
multiple workstations or internal networks, or at the personal level where it is installed on
an individual PC.
A firewall typically takes one of two forms:
•
Software firewall: specialized software running on an individual computer, or
•
Network firewall: a dedicated device designed to protect one or more computers.
Both types of firewall allow the user to define access policies for inbound connections to the
computers they are protecting. Many also provide the ability to control what services
(ports) the protected computers are able to access on the Internet (outbound access). Most
firewalls intended for home use come with pre-configured security policies from which
the user chooses, and some allow the user to customize these policies for their specific
needs.
A firewall is a system or group of systems that enforces an access control policy
between two networks.
Types of Firewalls
There are three basic types of firewalls depending on:
1. Whether the communication is being done between a single node and the
network, or between two or more networks
2. Whether the communication is intercepted at the network layer, or at the
application layer
3. Whether the communication state is being tracked at the firewall or not
With regard to the scope of filtered communication there exist:
•
Personal firewalls: a software application which normally filters traffic entering
or leaving a single computer.
•
Network firewalls: normally running on a dedicated network device or computer
positioned on the boundary of two or more networks. Such a firewall filters all
traffic entering or leaving the connected networks.
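An added example (not from the original material) of the distinctions just listed: a small packet-filter model with first-match rules and default deny, run once as a stateless filter and once with connection-state tracking, so the difference shows in the verdicts for reply traffic. The addresses, ports and policy are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a TCP connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                     # "allow" or "deny"
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches every port
    src_net: Optional[str] = None   # CIDR; None matches every source address

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and self.dst_port in (None, p.dst_port)
                and (self.src_net is None
                     or ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)))


class StatelessFirewall:
    """Judges every packet on its own: first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFirewall(StatelessFirewall):
    """Also remembers connections it allowed, so the packets flowing back on them
    are accepted without a rule that would equally admit unsolicited traffic."""

    def __init__(self, rules: List[Rule]) -> None:
        super().__init__(rules)
        self.table: Set[Tuple] = set()   # 5-tuples of connections seen being opened

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if not p.syn and (fwd in self.table or rev in self.table):
            return "allow"                   # part of a connection already admitted
        action = super().decide(p)
        if action == "allow" and p.syn:
            self.table.add(fwd)              # remember the newly opened connection
        return action


# Constructed policy for LAN 192.168.1.0/24 with a public web server on .10:
# admins on 192.0.2.0/24 may reach SSH, anyone may reach HTTPS, LAN hosts may
# browse out on 80/443, and everything else arriving from outside is denied.
POLICY = [
    Rule("in", "allow", "tcp", 22, "192.0.2.0/24"),
    Rule("in", "allow", "tcp", 443),
    Rule("out", "allow", "tcp", 80),
    Rule("out", "allow", "tcp", 443),
    Rule("in", "deny"),
]

# Constructed traffic, in order of arrival (addresses from documentation ranges).
TRAFFIC = [
    ("ssh_from_stranger", Packet("in", "tcp", "203.0.113.7", 51000, "192.168.1.10", 22, syn=True)),
    ("ssh_from_admin", Packet("in", "tcp", "192.0.2.5", 51000, "192.168.1.10", 22, syn=True)),
    ("lan_opens_https", Packet("out", "tcp", "192.168.1.20", 40000, "198.51.100.5", 443, syn=True)),
    ("https_reply", Packet("in", "tcp", "198.51.100.5", 443, "192.168.1.20", 40000)),
    ("forged_reply", Packet("in", "tcp", "198.51.100.9", 443, "192.168.1.20", 40000)),
    ("client_to_web", Packet("in", "tcp", "203.0.113.7", 51001, "192.168.1.10", 443, syn=True)),
    ("web_server_reply", Packet("out", "tcp", "192.168.1.10", 443, "203.0.113.7", 51001)),
]


def run_policy() -> Dict[str, Dict[str, str]]:
    """Run the same traffic through both filter types and collect the verdicts."""
    stateless, stateful = StatelessFirewall(POLICY), StatefulFirewall(POLICY)
    return {
        "stateless": {name: stateless.decide(p) for name, p in TRAFFIC},
        "stateful": {name: stateful.decide(p) for name, p in TRAFFIC},
    }
```

The stateless filter has to deny the legitimate replies ("https_reply", "web_server_reply") because no rule describes them, while the stateful one admits them and still rejects the forged reply that belongs to no tracked connection.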
Intrusion Detection
Intrusion detection software monitors system and network activity to
spot any attempt being made to gain access. If a detection system suspects an attack, it
can generate an alarm, such as an e-mail alert, based upon the type of activity it has
identified.
Despite the sophistication of these controls, they are only as good as the people who
use them. A continual awareness program is therefore a vital component of any security
policy.
Preventing Problems from Viruses, Trojans and Worms
Anti-virus software should be used to protect against viruses. It can detect viruses,
prevent access to infected files and quarantine any infected files.
Anti-virus Software
There are different types of anti-virus software:
•
Virus scanners - must be updated regularly, usually by connecting to the
supplier’s website, in order to recognize new viruses.
•
Heuristics software - detects viruses by applying general rules about what
viruses look like. While it does not require frequent updates, this software can be
prone to giving false alarms.
The threat of virus infection can be minimized by
•
Using a virus checker on your Internet connection to trap viruses both entering
and leaving the business’ IT systems
•
Running virus checkers on servers to trap any viruses that have managed to evade
the above check
•
Running individual virus checkers on users’ PCs to ensure that they have not
downloaded a virus directly, or inadvertently introduced one via a CD or
floppy disk.
Other Methods of Preventing Viruses
Other ways of preventing viruses include:
•
Installing software patches provided by the supplier of your operating system to
close security loopholes that could be exploited by viruses
•
Using a firewall to prevent unauthorized access to your network
•
Avoiding downloading unauthorized programs and documents from the Internet
and ensuring your staff adhere to this policy.
Your systems may still become infected even if you follow the above guidelines. Make
regular back-ups of your data and software so that you can replace infected files with
clean copies.
Virus Alerting Services
Consider subscribing to a service or supplier who will provide virus alerts for you.
Some are available on a paid-for basis, while others are provided by suppliers of anti-virus
software to their customers.
Spyware
There is software available that scans your systems and detects known spyware
programs. Spyware can then be removed or quarantined. As with anti-virus software, it
is important to keep this software up-to-date.
Digital Identity
Digital identity is the electronic representation of a real-world entity. The term is
usually taken to mean the online equivalent of an individual human being, which
participates in electronic transactions on behalf of the person in question. However, a
broader definition also assigns digital identities to organizations, companies and even
individual electronic devices. Various complex questions of privacy, ownership and
security surround the issue of digital identity.
Digital identity refers to the aspect of digital technology that is concerned with the
mediation of people’s experience of their own identity and the identity of other people
and things.
Digital Identity is a safe personal web platform that gives the individual the power
to control how they interact with the Internet and share their personal information. Each
individual is assigned a personal web address that functions as a master key to all his or
her online communication. Through a number of practical tools such as online business
cards, CV, favorites, personal messages, access control etc., the individual creates and
has full control of their online information. With Digital Identity each individual
becomes an integrated part of the Internet so other websites, search engines and
applications can automatically interact with the online identity.
The basis of Digital Identity:
•
is the online presence of an individual or business… gives access to online
services (authentication)
•
defines the level of access to online services (authorization)
•
is a repository of information for use by the subscriber, for the subscriber… is the
first point of all online communications.
Technology solutions- encryption, security channels of communication,
protecting networks, servers and clients;
CLIENT-SERVER NETWORK SECURITY
Client-server network security is one of the biggest headaches system administrators
face as they balance the opposing goals of user maneuverability and easy access against site
security and confidentiality of local information. According to the National Center of Computer Data, computer security violations cost U.S. businesses half a billion dollars each
year. The concerns are real, and doing nothing is analogous to leaving a door unlocked in
a high-crime neighborhood.
Network security on the Internet is a major concern for commercial organizations,
especially management. Recently, the Internet has raised many new security concerns. By
connecting a local network to the Internet, an organization may be exposing itself to the
entire population on the Internet. An Internet connection effectively breaches the physical
security perimeter of the corporate network and exposes it to access from other networks
comprising the public Internet.
Fig. 4.1. Client and Server
That being the case, the manager of even the most relaxed organization must pay
some attention to security. For many commercial operations, security will simply be a
matter of making sure that existing system features, such as passwords and privileges, are
configured properly. They need to audit all access to the network.
A system that records all log-on attempts, particularly the unsuccessful ones, can
alert managers to the need for stronger measures. However, where secrets are at stake or
where important corporate assets must be made available to remote users, additional
measures must be taken. Hackers can use password guessing, password tapping, security-hole
programs, or common network access procedures to impersonate users and thus pose
a threat to the server.
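An added example, not from the original material, of the log-on recording point above: a small detector reads log-on records in order and raises an alert for a burst of failures from one source, and again when a success follows such a burst (guessing that finally worked). The record format and the sample log lines are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed record format: "<ISO timestamp> login <OK|FAIL> user=<name> src=<ip>".
# Real servers each have their own format; only the parser would need to change.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: five failures from one source inside a minute, then a
# success from it; an unrelated success; two failures far apart from another source.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 login FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:05 login FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:09 login FAIL user=bob src=203.0.113.7",
    "this line is not a login record and must be skipped",
    "2024-05-01T10:00:12 login FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:15 login FAIL user=carol src=203.0.113.7",
    "2024-05-01T10:00:20 login OK user=alice src=203.0.113.7",
    "2024-05-01T10:00:30 login OK user=erin src=192.0.2.9",
    "2024-05-01T10:01:00 login FAIL user=dave src=198.51.100.4",
    "2024-05-01T10:05:00 login FAIL user=dave src=198.51.100.4",
]


def parse(line: str) -> Optional[dict]:
    """Return the fields of one record, or None for lines that are not records."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Tuple]:
    """Scan records in arrival order and return alerts:
    ("burst_failures", src, n): n failures from src within window_s seconds;
    ("success_after_failures", src, user): a log-on succeeded from a source that
    had three or more failures in the same window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times
    burst_reported: set = set()
    alerts: List[Tuple] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        q = recent[rec["src"]]
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                       # drop failures older than the window
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            if len(q) >= threshold and rec["src"] not in burst_reported:
                burst_reported.add(rec["src"])   # report each burst once
                alerts.append(("burst_failures", rec["src"], len(q)))
        else:
            if len(q) >= 3:
                alerts.append(("success_after_failures", rec["src"], rec["user"]))
            q.clear()                         # a success ends the run of failures
            burst_reported.discard(rec["src"])
    return alerts


def demo() -> List[Tuple]:
    return detect(SAMPLE_LOG)
```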
Client server network security problems manifest themselves in three ways:
1. Physical security holes result when individuals gain unauthorized physical access
to a computer. A good example would be a public workstation room, where it
would be easy for a wandering hacker to reboot a machine into single-user
mode and tamper with the files, if precautions are not taken. On the network, this
is also a common problem, as hackers gain access to network systems by
guessing passwords of various users.
2. Software security holds result when badly written program or “privileged”,
software are “compromised”’ into doing things they shouldn’t. The most famous
example of this cat-egory is the “send mail” hole, which brought the internet to
its knees in 198. The more recent problem was the “rlogin” hole in the IBM RS 6000 workstations, which enabled a cracker (a malicious hacker) to create a
“root” shell or super user access mode. This is the highest level of access
possible and could be used to delete the entire file system, or create a new
account or password file resulting in incalculable damage.
3. Inconsistent usage holes result when a system administrator, enables a
combination of hardware and software such that the system is seriously flawed
from a security point of view the incompatibility of attempting two unconnected
but useful things creates the secu-rity hole problems like this arc difficult to
isolate once the system is setup and running, so it is better to carefully build the
system with them in mind. This type of problem IS becom-ing common as
software becomes more complex.
To reduce these security threats, various protection methods are used. At the file level, operating systems typically offer mechanisms such as access control lists that specify the resources various users and groups are entitled to access. Protection, also called authorization or access control, grants privileges to the system or resource by checking user-specific information such as passwords. The problem in the case of e-commerce is very simple: if consumers connect a computer to the internet, they can easily log in from anywhere that the network reaches. That's the good news; the bad news is that without proper access control, anyone else can too.
Over the years, several protection methods have been developed, including trust-based security, security through obscurity, password schemes and biometric systems.
• Trust-Based Security: Quite simply, trust-based security means to trust everyone and do nothing extra. It is possible not to provide access restrictions of any kind and to assume that all users are trustworthy and competent in their use of the shared network.
• Security through Obscurity: Most organizations in the mainframe era practiced a philosophy known as security through obscurity (STO): the notion that any network can be secure as long as nobody outside its management group is provided information, and then only on a need-to-know basis. Hiding account passwords in binary files or scripts with the presumption that "nobody will ever find them" is a prime case of STO (somewhat like hiding the house key under the doormat and telling only family and friends). In short, STO provides a false sense of security in computing systems by hiding information.
• Firewall and Network Security: The most commonly accepted network protection is a barrier, a firewall, between the corporate network and the outside world (untrusted networks). The term firewall can mean many things to many people, but basically it is a method of placing a device (a computer or a router) between the network and the internet to control and monitor all traffic between the outside world and the local network. Typically, the device allows insiders to have full access to services on the outside while granting access from the outside only selectively, based on log-on name, password, IP address or other identifiers.
Generally speaking, a firewall is a protection device to shield a vulnerable area from some form of danger. In the context of the internet, it is a system (a router, a personal computer, a host, or a collection of hosts) set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. It is usually placed where the site connects to the internet, but it can also be located at internal gateways to provide protection for smaller collections of hosts or subnets.
Firewalls come in several types and offer various levels of security. Generally, firewalls operate by screening the packets and/or the applications that pass through them: they provide controllable filtering of network traffic, allow restricted access to certain applications, and block access to everything else. In principle, the firewall can be thought of as a pair of mechanisms: one to block incoming traffic and the other to permit outgoing traffic. Some firewalls place a greater emphasis on blocking traffic, and others emphasize permitting traffic.
Firewalls in Practice
Firewalls range from simple traffic logging systems that record all network traffic flowing through the firewall in a file or database for auditing purposes, to more complex methods such as IP packet screening routers, hardened firewall hosts, and proxy application gateways. The simplest firewall is a packet-filtering gateway or screening router, configured with filters to restrict traffic to designated addresses; screening routers also limit the types of services that can pass through them.
DATA AND MESSAGE SECURITY
Encryption
The success or failure of an e-commerce operation hinges on myriad factors, including but not limited to the business model, the team, the customers, the investors, the product, and the security of data transmissions and storage. Data security has taken on heightened importance since a series of high-profile "cracker" attacks humbled popular web sites, resulted in the impersonation of Microsoft employees for the purposes of digital certification, and led to the misuse of credit card numbers of customers at business-to-consumer e-commerce destinations. Security is on the mind of every e-commerce entrepreneur who solicits, stores, or communicates any information that may be sensitive if lost. An arms race is underway: technologists are building new security measures while others are working to crack the security systems. One of the most effective means of ensuring data security and integrity is encryption.
Encryption is a generic term that refers to the act of encoding data so that those data can be securely transmitted via the Internet. At the simplest level, encryption protects the data by preventing other people from reading them. In the event that someone intercepts a data transmission and manages to deceive any user identification scheme, the data that they see appear to be gibberish without a way to decode them. Encryption technologies can help in other ways as well: by establishing the identity of users (or abusers); controlling the unauthorized transmission or forwarding of data; verifying the integrity of the data (i.e. that they have not been altered in any way); and ensuring that users take responsibility for data that they have transmitted. Encryption can therefore be used either to keep communications secret (defensively) or to identify the people involved in communications (offensively).
E-commerce systems can use the following encryption techniques:
• Public key encryption, or asymmetric key-based algorithms. This method uses one key to encrypt data and a different key to decrypt the same data. You have likely heard of this technique; it is sometimes called public key/private key encryption, or something to that effect.
• Symmetric key-based algorithms, or block and stream ciphers. Using these cipher types, your data is separated into chunks, and those chunks are encrypted and decrypted based on a specific key. Stream ciphers are used more predominantly than block ciphers, as the chunks are encrypted on a bit-by-bit basis. This process is much smaller and faster than encrypting larger (block) chunks of data.
• Hashing, or creating a digital summary of a string or file. This is the most common way to store passwords on a system, as the passwords aren't really what's stored, just a hash that can't be decrypted.
The basic means of encrypting data involves a symmetric cryptosystem. In this the same key is used to encrypt and to decrypt data. Think about a regular, garden-variety code, which has only one key: two kids in a tree-house, pretending to be spies, might tell one another that their messages will be encoded according to a scheme where each number, from 1 to 26, refers to a letter of the alphabet (so that 1 = A, 2 = B, 3 = C, etc.). The key refers to the scheme that helps match up the encoded information with the real message. Or perhaps the kids got a little more sophisticated, and used a computer to generate a random match-up of the 26 letters with 26 numbers (so that 6 = A, 13 = B, 2 = C, etc.). These codes might work for a while, managing to confuse a nosy younger brother who wants to know what the notes they are passing mean, but the codes are fairly easy to crack. Much more complex codes, generated by algorithms, can be broken by powerful computers when only one key exists.
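The hashing technique listed above, as an added example that is not from the original text: storing a password as a salted, slow hash (PBKDF2 with HMAC-SHA256 from Python's standard library) and checking a log-on against the stored record without ever keeping the password itself. The record format, the user store and the constructed sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac. A salted, deliberately slow hash
# is what "just a hash" should mean for password storage: a plain SHA-256 of
# the password would be far too fast to guess against, and no salt would let
# identical passwords share identical hashes.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The password itself never appears in the record. `salt` and `iterations`
    are parameters only so that the example can be exercised deterministically."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # a fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time,
    so a wrong guess takes the same time however many characters match."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
    except ValueError:          # malformed record: wrong field count, bad hex
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), hash_hex)


def stored_record_reveals_password(password, record):
    """The hash cannot be 'decrypted': the record holds neither the password
    nor a reversible (hex) encoding of it. Returns True only if it leaks."""
    return password in record or password.encode("utf-8").hex() in record


# A minimal user store (a dict here; constructed for the example) to show the
# register / log-on flow an e-commerce site would run against its database.
def register(store, username, password):
    store[username] = hash_password(password)


def login(store, username, password):
    record = store.get(username)
    if record is None:
        # Do the same amount of hashing work for an unknown user, so timing
        # does not reveal which user names exist.
        hash_password(password)
        return False
    return verify_password(password, record)
```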
Fig. 4.2
SOCIAL MEDIA MARKETING
A process of optimizing your site/blog to be more visible in social media searches and sites, more easily linked by other sites, and more frequently discussed online in blog posts and other social media.
Social Media Marketing uses podcasts, wikis, blogs, online videos, photo sharing, news sharing, message boards and posts on social networking sites to reach a large or targeted audience.
Some examples of Social Media Optimization/Marketing techniques are as follows:
• Joining relevant online communities or social networking sites to help promote your business.
• Adding RSS feeds to your website (RSS stands for Really Simple Syndication, which can be used to easily update content).
• Blogging (where you add content to blogs).
• Creating your own business blog.
What is the Difference Between SMM (Social Media Marketing) and SMO (Social Media Optimization)?
Social Media Optimization involves creating the right type of content and building a site that is easy to share on social networks and is friendly to social media users, whereas Social Media Marketing goes a step further in terms of actually promoting the content on these networks and spreading the word about your content.
Why Social Media Optimization/Marketing?
1. One can reach a large number of people in a more spontaneous way without paying large advertising fees.
2. The use of blogs and social and business networking sites can increase traffic to your website from other social media websites. This in turn may increase your Page Rank, resulting in increased traffic from leading search engines.
3. Social media complements other marketing strategies such as a paid advertising campaign.
4. You can build credibility by participating in relevant forums and responding to questions.
5. Social media sites have information such as user profile data, which can be used to target a specific set of users for advertising.
LESSON-2
UNIT V
Information Technology Act 2000- provisions related to
offences, secure electronic records, digital signatures,
penalties and adjudication.
1. Information Technology Act 2000
1.1 Introduction
1.2 Objectives
1.3 Definitions
1.4 Digital Signature
1.5 Electronic Governance
1.6 Attributes, acknowledgement and dispatch of electronic records
1.7 Summary
1.8 Exercise
1.1 Introduction
The Parliament of India enacted an act called the Information Technology Act, 2000, which received the assent of the President of India on 09/06/2000 (6th June, 2000). It is the first Cyber Law in India. This Act is based on the resolution adopted by the General Assembly of the United Nations on 30th January 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL). See Figure 1.
Figure 1: Information Technology Act, 2000
The aforesaid resolution of the General Assembly recommends that all states give favorable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.
1.2 Objectives
After studying this chapter, the student will be able to learn the following:
• Various definitions used in the Act, among them Access, Addressee, Adjudicating officer, Security procedure, Subscriber, etc.
• Authentication of electronic records
• The overview of various components of the IT Act 2000
• The contents of Digital Signature
• The duties of subscribers
• Legal recognition of electronic records
• Legal recognition of digital signatures
• Use of electronic records and digital signatures in Government and its agencies
1.3 Definitions
Section 2 of the Act gives definitions of various terms used in the Act, unless the context otherwise requires. These definitions, given under different clauses of Section 2(1), are as follows:
• 'Access', with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network;
• 'Addressee' means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
• 'Adjudicating officer' means an adjudicating officer appointed under sub-section (1) of Section 46;
• 'Affixing digital signature', with its grammatical variations and cognate expressions, means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
• 'Appropriate Government' means, as respects any matter
  o enumerated in List II of the 7th Schedule to the Constitution, or
  o relating to any State Law enacted under List III of the 7th Schedule to the Constitution,
  the State Government; and in any other case, the Central Government;
• 'Asymmetric crypto system' means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
• 'Certifying Authority' means a person who has been granted a license to issue a Digital Signature Certificate under Section 24;
• 'Certification practice statement' means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates;
• 'Computer' means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;
• 'Computer network' means the interconnection of one or more computers through
  o the use of satellite, microwave, terrestrial line or other communication media; and
  o terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;
• 'Computer resource' means computer, computer system, computer network, data, computer database or software;
• 'Computer system' means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
• 'Controller' means the Controller of Certifying Authorities appointed under sub-section (1) of Section 17;
• 'Cyber Appellate Tribunal' means the Cyber Regulations Appellate Tribunal established under sub-section (1) of Section 48;
• 'Data' means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
• 'Digital signature' means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3;
• 'Digital Signature Certificate' means a Digital Signature Certificate issued under sub-section (4) of Section 35;
• 'Electronic form', with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
• 'Electronic Gazette' means the Official Gazette published in the electronic form;
• 'Electronic record' means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
• 'Function', in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
• 'Information' includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
• 'Intermediary', with respect to any particular electronic message, means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;
• 'Key pair', in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
• 'Law' includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of Article 357 of the Constitution, and includes rules, regulations, by-laws and orders issued or made thereunder;
• 'License' means a license granted to a Certifying Authority under Section 24;
• 'Originator' means a person who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary;
• 'Prescribed' means prescribed by rules made under this Act;
• 'Private key' means the key of a key pair used to create a digital signature;
• 'Public key' means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate;
• 'Secure system' means computer hardware, software, and procedure that
  i) are reasonably secure from unauthorized access and misuse;
  ii) provide a reasonable level of reliability and correct operation;
  iii) are reasonably suited to performing the intended functions; and
  iv) adhere to generally accepted security procedures;
• 'Security procedure' means the security procedure prescribed under Section 16 by the Central Government;
• 'Subscriber' means a person in whose name the Digital Signature Certificate is issued;
• 'Verify', in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions, means to determine whether
  i) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber;
  ii) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.
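The 'key pair', 'affixing digital signature' and 'verify' definitions above (and the Summary's account of Section 3, where the private key creates the signature and the public key verifies it), as an added Python example that is not part of the study material: a subscriber signs a hash of an electronic record with the private key, and a relying party checks with the public key that the record was signed by the matching private key and has not been altered. It uses unpadded "textbook" RSA with two constructed demonstration primes (the Mersenne primes 2^61-1 and 2^89-1, and a second pair for another subscriber), which is an illustration of the definitions, not the key sizes or scheme any Certifying Authority issues.

```python
import hashlib
import math

# Constructed demonstration primes (Mersenne primes). Real Digital Signature
# Certificates carry keys thousands of bits long and use a padding scheme;
# this unpadded textbook RSA only illustrates the Act's definitions.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_key_pair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d).
    The two keys are 'mathematically related' as in the Act's 'key pair'
    definition: the public key can verify what the private key signs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent is not usable with these primes")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def record_digest(record, n):
    """Hash the electronic record (bytes) and reduce it into the modulus.
    Signing a fixed-size hash rather than the record is what ties the
    signature to the record's exact contents."""
    h = hashlib.sha256(record).digest()
    return int.from_bytes(h, "big") % n


def affix_digital_signature(record, private_key):
    """The subscriber 'affixes' a digital signature with the private key."""
    n, d = private_key
    return pow(record_digest(record, n), d, n)


def verify(record, signature, public_key):
    """The Act's 'verify': True only if the signature was created with the
    private key corresponding to this public key AND the record as received
    is intact. A hash-then-sign scheme answers both questions with one
    check, so any alteration or any other subscriber's key gives False."""
    n, e = public_key
    return pow(signature, e, n) == record_digest(record, n)


def verification_report(record, signature, public_key):
    """Spell the outcome out in the Act's own terms for a relying party."""
    ok = verify(record, signature, public_key)
    return {
        "affixed_with_subscriber_private_key": ok,
        "retained_intact": ok,
        "conclusion": "authentic and unaltered" if ok
        else "reject: altered record or signature not from this subscriber",
    }


if __name__ == "__main__":
    # Constructed electronic record, e.g. an e-filing with a Government agency.
    record = b"Application no. DEMO-001: request for trade license renewal"
    public_key, private_key = generate_key_pair()
    signature = affix_digital_signature(record, private_key)
    print(verification_report(record, signature, public_key))
    print(verification_report(record + b" (amended)", signature, public_key))
```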
Exercise 1
Check your progress
1. Definition of Addressee
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
2. Define Subscriber
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
3. Private key and Public key
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
1.4 Electronic Governance
With a view to facilitating Electronic Governance, the Information Technology Act, 2000, provides for the use and acceptance of electronic records and digital signatures in government offices and its agencies. The idea is to facilitate an efficient government-citizen interface by giving due legal recognition to e-governance. See Fig 3.
Fig 3: E-Governance: using computer
This will make the citizens' interaction with governmental offices hassle-free. The IT Act, 2000, contains the following provisions to facilitate e-governance:
1. Legal recognition of electronic records: Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then such requirement shall be deemed to have been satisfied if such information or matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference (Section 4).
2. Legal recognition of digital signatures: Where any law provides that information or any other matter shall be authenticated by affixing the signature, or that any document shall be signed or bear the signature of any person, then such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of a digital signature affixed in such manner as may be prescribed by the Central Government (Section 5).
3. Use of electronic records and digital signatures in Government and its agencies: Where any law provides for
(a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner;
(c) the receipt or payment of money in a particular manner,
then such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. The appropriate Government may, by rules, prescribe-
4. Retention of electronic records: Where any law provides that documents, records or information shall be retained for any specific period, then that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if
a) the information contained therein remains accessible so as to be usable for a subsequent reference;
b) the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.
However, the above rules do not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received (Section 7).
5. Publication of rules, regulations, etc., in the Electronic Gazette: Where any law provides that any rule, regulation, order, by-law, notification or any other matter shall be published in the Official Gazette, then such requirement shall be deemed to have been satisfied if such rule, regulation, order, by-law, notification or any other matter is published in the Official Gazette or the Electronic Gazette. Where any rule, regulation, order, by-law, notification or any other matter is published in the Official Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form (Section 8).
6. No right to insist that a document should be accepted in electronic form: Sections 6, 7 and 8 shall not confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government, or any authority or body established by or under any law or controlled or funded by the Central or State Government, should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form. Paper-based exchanges continue to be valid and binding (Section 9).
7. Power to make rules by the Central Government in respect of digital signatures: The Central Government may, for the purposes of this Act, by rules, prescribe
(a) the type of digital signature;
(b) the manner and format in which the digital signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the digital signature;
(d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to digital signatures (Section 10).
Electronic Governance is covered by several sections of the Act. The Act has 4 Schedules and deals with Electronic Governance, the issue of digital signature certificates and the regulation of Certifying Authorities.
Some of the key definitions used in Electronic Governance:
'Electronic Gazette' means the Official Gazette published in the electronic form;
'Electronic record' means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
'Function', in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
'Information' includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;
'Law' includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of Article 357 of the Constitution, and includes rules, regulations, by-laws and orders issued or made thereunder;
Exceptions: The provisions of the IT Act, 2000, shall not be applicable to
(a) a Negotiable Instrument (other than a cheque) as defined in Section 13 of the Negotiable Instruments Act, 1881;
(b) a power of attorney under the Powers of Attorney Act, 1882;
(c) a trust under the Indian Trusts Act, 1882;
(d) a 'will' under the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called;
(e) any contract for the sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the Central Government in the Official Gazette [Section 1(4)].
Exercise 3
1. Definition of Electronic Governance
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
2. Define electronic record and Electronic Gazette
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
3. Explain the use of electronic records and digital signatures
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
...........................................................................................................................
1.6 Summary
The Information Technology Act, 2000, which received the assent of the President of
India on 09/06/ 2000( 6thJune,2000). It is the first Cyber Law in India. This Act is based
on the resolution adopted by the General Assembly of United Nations on 30th January
1997 regarding the Model Law on Electronic Commerce earlier adopted by the United
National Commission on International Trade Law (UNCITRAL). The aforesaid
resolution of the General Assembly recommends that all states give favorable
consideration to the Model Law on Electronic Commerce when they enact or revise their
laws in view of the need for uniformity of the law applicable to alternatives to paperbased methods of communication and storage of information.
‘Access’, with the grammatical variations and cognate expressions, means gaining
entry into, instructing or communicating with the logical, arithmetical or memory
function resources of a computer, computer system or computer network;
‘Addressee’ means a person who is intended by the originator to receive the
electronic record but does nto include any intermediary;
155
‘Adjudicating officer’ means an adjudicating officer appointed under sub-section (1)
of Section 46;
‘Affixing digital signature’ with its grammatical variations and cognate expressions
means adoption of any methodology or procedure by a person for the purpose of
authenticating an electronic record by means of digital signature;
‘Appropriate Government’ means as respects any matter-Enumerated in List II of the
7th Schedule to the Constitution; Relating to any State Law enacted under List III of the
7th schedule to the Constitution, the State Government and in any other case, the Central
Government;
In order to be called legally binding, all electronic communications or transactions
must meet the following fundamental requirements: Authenticity of the sender to enable
the recipient to determine who really sent the message; Message’ integrity, the recipient
must also be able to determine whether or not the message received has been modified en
route or is incomplete; Non-repudiation, the ability to ensure that the sender cannot
falsely deny sending the message, nor falsely deny the contents of the message.
This led to the acceptance of cryptography, a data encryption technique, which provides just that kind of data protection. Section 3 advocates the use of an ‘asymmetric crypto system’, where an asymmetric key pair consisting of a public and a private key is used to encrypt and decrypt the message respectively. The private key is kept confidential and is used by the subscriber to create the digital signature, whereas the public key is more widely known, is used by a relying party to verify the digital signature, and is listed in the digital signature certificate.
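The mechanism described above, as an added example that is not part of the study material: a Go program (standard library crypto/ecdsa only) in which a subscriber signs an electronic record with the private key and a relying party checks it with nothing but the public key. It also shows why the three requirements hold: an altered record and a signature made with somebody else's private key are both rejected. The sample record, its altered copy, the second key pair and all function and type names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes an electronic record and signs the digest with the subscriber's
// private key; only the holder of that key can produce a valid signature.
func Sign(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is what the relying party runs: it needs only the public key (the one
// listed in the subscriber's certificate) and the record exactly as received.
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome records what the relying party observed for each requirement.
type Outcome struct {
	Authentic       bool // the genuine signature verifies under the originator's public key
	TamperDetected  bool // a record altered en route is rejected (integrity)
	ForgeryRejected bool // a signature made with another party's private key is rejected
}

// RunScenario plays both sides with constructed sample data: an originator signs a
// record, a relying party checks it, and two ways of abusing it both fail.
func RunScenario() (Outcome, error) {
	var out Outcome
	originator, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	// A second key pair stands in for anyone who is not the originator.
	someoneElse, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	record := []byte("Transfer Rs. 10,000 from A/c 1001 to A/c 2002") // constructed sample record
	sig, err := Sign(originator, record)
	if err != nil {
		return out, err
	}
	// Authenticity: the originator's public key confirms who created the signature.
	out.Authentic = Verify(&originator.PublicKey, record, sig)
	// Integrity: changing a single character of the record breaks the signature.
	altered := []byte("Transfer Rs. 90,000 from A/c 1001 to A/c 2002")
	out.TamperDetected = !Verify(&originator.PublicKey, altered, sig)
	// Non-repudiation: nobody without the originator's private key can produce a
	// signature that the originator's public key accepts, so a signature that does
	// verify cannot credibly be disowned as someone else's work.
	forged, err := Sign(someoneElse, record)
	if err != nil {
		return out, err
	}
	out.ForgeryRejected = !Verify(&originator.PublicKey, record, forged)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("authentic=%v tamper detected=%v forgery rejected=%v\n",
		out.Authentic, out.TamperDetected, out.ForgeryRejected)
}
```

Note that Verify never touches the private key: the relying party only needs the value the certificate publishes, which is exactly why the private key must stay confidential and the public key may be listed openly.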
1.6 Exercise
Check your knowledge of this chapter
1. Fill in the blanks
(i) the General Assembly of United Nations on 30th January 1997 regarding the
Model Law on Electronic Commerce earlier adopted by ......................................
(ii) …………………….. means a representation of information, knowledge, facts,
concepts or instructions which are being prepared or have been prepared in a
formalized manner, and is intended to be processed, is being processed or has
been processed in a computer system or computer network, and may be in any
form (including computer printouts magnetic or optical storage media, punched
cards, punched tapes) or stored internally in the memory of the computer.
(iii) with its grammatical variations and cognate expressions means adoption of any
methodology or procedure by a person for the purpose of authenticating an
electronic record by means of ……………………………
(iv) Law includes any Act of Parliament or of a State Legislature, Ordinances
promulgated by the President or a Governor, as the case may be, Regulations
made by the President under Article 240, Bills enacted as
………………………….. under sub- clauses (a) of clause (1) of Article 357 of
the Constitution and includes rules, regulations, by-laws and orders issued or
made there under.
Ans. (i) United Nations Commission on International Trade Law (ii) data (iii) Digital Signature (iv) President’s Act
2. State whether the following are True or False (please tick)
(i) Power to make rules by Central Government in respect of digital signature: The Central Government, for the purposes of this Act, by rules does not prescribe
a) The type of digital signature ( )
b) The manner and format in which the digital signature shall be affixed; ( )
c) The manner or procedure which facilitates identification of the person affixing the digital signature; ( )
d) Control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records of payments ( )
e) Any other matter which is necessary to give legal effect to constitution ( )
(ii) Retention of electronic records: Where any law provides that documents, records or information shall be deemed to have been satisfied if such documents, records or information are not retained in the electronic form, if
a) The information contained therein remains accessible so as to be usable for a subsequent reference ( )
b) The electronic record is retained in the format in which it was duplicated, generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received ( )
c) The details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record. ( )
3. In order to be called not legally binding, all electronic communications or transactions must meet the following fundamental requirements:
(a) Authenticity of the sender to enable the recipient to determine who really sent the message. ( )
(b) Message integrity: the recipient must also be able to determine whether or not the message received has been modified en route or is incomplete. ( )
(c) Non-repudiation: the ability to ensure that the sender cannot falsely deny sending the message, nor falsely deny the contents of the message. ( )
(d) Electronic records are available in the electronic form ( )
4. Tick the one which is not among the objectives that the Information Technology Act seeks to achieve:
(a) To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ‘electronic commerce’. ( )
(b) No growth of e-commerce and e-governance. ( )
(c) To provide equal treatment to users of paper-based documentation vis-a-vis electronic records. ( )
(d) To place digital signature at par with paper signature and provide a comprehensive approach for determining the authenticity and integrity of electronic signature. ( )
Ans (i) e (ii) b (iii) d (iv) b
3. Mix and Match the following (A) with (B)
(A)
(a) in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
(b) includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under Article 240, Bills enacted as President’s Act under sub-clause (a) of clause (1) of Article 357 of the Constitution and includes rules, regulations, by-laws and orders issued or made thereunder;
(c) means a license granted to a Certifying Authority under Section 24;
(d) means a person who sends, generates, stores or transmits any electronic message; or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
(B)
(i) Law
(ii) Key pair
(iii) Originator
(iv) License
Ans (i) b (ii) a (iii) d (iv) c
4. Discuss the following in the form of short answers
1. State the objectives of Information Technology Act, 2000.
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
2. Comment on Certifying Authority
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
3. Comment on Certification practice statement
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
4. Describe Asymmetric crypto system.
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
3.3 Digital Signature Certificates
Certificates serve as the identity of an individual for a certain purpose, e.g. a driver's license identifies someone who can legally drive in a particular country. Likewise, a Digital Signature Certificate (DSC) can be presented electronically to prove your identity or your right to access information or services on the Internet. See figure 3.1.
Fig. 3.1 Digital Signature
A Digital Signature Certificate is an electronic document which uses a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to the individual. Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates. Examples of physical certificates are driver's licenses, passports or membership cards.
A Digital Signature Certificate is an important instrument of trust identifying the subscribers over the networks. It not only confirms the identity of the subscribers but also certifies other relevant information like the subscriber’s public key and the bona fides of the issuer of the certificate. By certifying that a particular public key actually belongs to a spec­ified person, it makes the digital signature conclusive.
Duties of Subscribers
Sections 41 to 43 of the Information Technology Act, 2000, lay down the following duties of subscribers who have obtained Digital Signature Certificates from a Certifying Authority.
Generating Key Pair: Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate, has been accepted by a subscriber, the subscriber shall generate the key pair by applying the security procedure (Section 40).
Acceptance of Digital Signature Certificate: A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of a Digital Signature Certificate
(a) to one or more persons;
(b) in a repository; or
otherwise demonstrates his approval of the Digital Signature Certificate in any manner.
By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that
(a) The subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;
(b) All representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
(c) All information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Control of private key: (1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.
The subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised (Section 42).
3.3.2 Classes of Digital Signature Certificates
Digital signature certificates are classified into the following classes, depending upon the level of assurance required and the usage of the DSC:
Class I: These certificates shall be issued to individuals/private subscribers. These certificates will confirm that the user’s name (or alias) and e-mail address form an unambiguous subject within the Certifying Authority's database. This level provides a basic level of assurance relevant to environments where there are risks and consequences of data compromise, but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. It is assumed at this security level that users are not likely to be malicious.
Class II: These certificates will be issued for both business personnel and private individual use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases. This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.
Class III: These certificates will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities. This level is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.
3.3.3 Types of Digital Signature Certificates
The following provides an overview of the different types of Digital Signature Certificates.
Individual Digital Signature Certificates (Signing Certificates): Individual Certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. These certificates can be used for signing electronic documents and emails and implementing enhanced access control mechanisms for sensitive or valuable information.
Server Certificates: Server Certificates identify a server (computer). Hence, instead of the name of a person, server certificates contain the host name, e.g. "https://nsdg.gov.in/", or the IP address. Server certificates are used to ensure secure communication of data over the network.
Encryption Certificates: Encryption Certificates are used to encrypt the message. The Encryption Certificates use the Public Key of the recipient to encrypt the data so as to ensure data confidentiality during transmission of the message. Separate certificates for signatures and for encryption are available from different CAs.
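How the public key from an encryption certificate is used in practice, as an added example that is not from the study material: a Go program (standard library only) in which a sender who holds nothing but the recipient's RSA public key seals a message, and only the recipient's private key opens it. It goes one step beyond the passage: RSA-OAEP can wrap only a short value, so the message itself is encrypted under a one-time AES-GCM key and only that key is wrapped with the recipient's public key, which is how certificate-based message encryption is normally done. The key pairs, the message and all names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what actually travels over the network: the message sealed under a
// fresh one-time AES-GCM key, and that key wrapped with the recipient's RSA public
// key (the key an encryption certificate would carry).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the AES key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipient uses nothing secret: any sender who has the recipient's
// public key can build an envelope that only the recipient can open.
func EncryptForRecipient(recipientPub *rsa.PublicKey, message []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// RSA-OAEP wraps the 32-byte AES key, not the message: the message may be
	// far longer than a single RSA operation can encrypt.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, message, nil)}, nil
}

// Decrypt succeeds only for the holder of the private key matching the public key
// used to wrap the AES key; anyone else fails at the unwrap step.
func Decrypt(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping the message key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Exchange runs a constructed sample exchange and reports whether the intended
// recipient recovered the message and whether an unrelated key pair was refused.
func Exchange() (recipientReads, outsiderRefused bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	outsider, err := rsa.GenerateKey(rand.Reader, 2048) // a party the message was not meant for
	if err != nil {
		return
	}
	message := []byte("Invoice no. 4711: Rs. 25,000 payable on receipt") // constructed sample message
	env, err := EncryptForRecipient(&recipient.PublicKey, message)
	if err != nil {
		return
	}
	plain, e := Decrypt(recipient, env)
	recipientReads = e == nil && string(plain) == string(message)
	_, e = Decrypt(outsider, env)
	outsiderRefused = e != nil
	return
}
```

The encryption key pair here is deliberately separate from any signing key pair: the passage notes that signature and encryption certificates are issued separately, and keeping the roles apart means a compromised encryption key does not let anyone forge the subscriber's signatures.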
3.3.4. Certifying Authority to issue Digital Signature Certificate (Sec. 35)
Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
a) Every such application shall be accompanied by such fee, not exceeding twenty-five thousand rupees, as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
b) Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
c) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application.
However, no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that:
i) The applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate.
ii) The applicant holds a private key which is capable of creating a digital signature.
iii) The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.
3.3.5. Representations upon issuance of Digital Signature Certificate (Sec. 36)
A Certifying Authority while issuing a Digital Signature Certificate shall certify that,
the information contained in it is accurate and that:
a) It has complied with the provisions of this Act and the rules and regulations made thereunder.
b) It has published the Digital Signature Certificate or otherwise made it available
to such person relying on it and the subscriber has accepted it.
c) The subscriber holds the private key corresponding to the public key, listed in the
Digital Signature Certificate.
d) The subscriber's public key and private key constitute a functioning key pair.
e) The information contained in the Digital Signature Certificate is accurate, and
f) It has no knowledge of any material fact, which if it had been included in the
Digital Signature Certificate would adversely affect the reliability of the
representations made in clauses (a) to (d).
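The checks of Sec. 35 (i) to (iii) and the Sec. 36 representation that the subscriber's keys form a functioning pair, as an added example that is not from the study material or from any Certifying Authority's software: a Go program (standard library crypto/x509 and crypto/ecdsa) in which the subscriber generates its own key pair (Sec. 40), proves to the CA that it holds the private key matching the public key it submits by signing a challenge, receives a certificate binding its name to that key, and a relying party then chains the certificate to the CA before verifying a signed record with the certified public key. The toy CA, the subscriber name, the challenge and the record are all constructed; a licensed CA's real procedure involves far more than this (identity verification, a certification practice statement, a published repository).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign is the subscriber's digital signature: ECDSA over the SHA-256 digest of data.
func sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// issue binds name and public key in a certificate signed with caKey (isCA: the CA's own self-signed certificate).
func issue(name string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // crypto/rand does not fail on a healthy system
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed short validity period
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates the toy Certifying Authority's key pair and self-signed certificate.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(name, true, &key.PublicKey, nil, key)
	return key, cert, err
}

// Issue applies the Sec. 35 check before certifying: the applicant must prove it
// holds the private key matching pub by signing the CA's challenge, else no certificate.
func Issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, subject string, pub *ecdsa.PublicKey, challenge, proof []byte) (*x509.Certificate, error) {
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, d[:], proof) {
		return nil, errors.New("applicant did not prove possession of the private key")
	}
	return issue(subject, false, pub, caCert, caKey)
}

// VerifySignedRecord is the relying party's side: chain the subscriber's certificate
// to the trusted CA, then verify the record under the public key it certifies.
func VerifySignedRecord(caCert, cert *x509.Certificate, record, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(record)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("signature does not verify under the certified public key")
	}
	return nil
}

// Lifecycle plays the constructed scenario: key pair generated by the subscriber (Sec. 40), possession proven, certificate issued, record signed and checked.
func Lifecycle() (unprovenRefused, recordAccepted bool, err error) {
	caKey, caCert, err := NewCA("Constructed Example CA")
	if err != nil {
		return
	}
	subscriber, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 key generation does not fail in practice
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed challenge; a real CA uses a fresh random nonce")
	badProof, _ := sign(stranger, challenge) // made with a key the applicant does not hold
	_, e := Issue(caKey, caCert, "A. Subscriber", &subscriber.PublicKey, challenge, badProof)
	unprovenRefused = e != nil
	proof, _ := sign(subscriber, challenge)
	cert, err := Issue(caKey, caCert, "A. Subscriber", &subscriber.PublicKey, challenge, proof)
	if err != nil {
		return
	}
	record := []byte("Purchase order no. 17: 40 units") // constructed electronic record
	sig, _ := sign(subscriber, record)
	recordAccepted = VerifySignedRecord(caCert, cert, record, sig) == nil
	return
}
```

The proof-of-possession signature is the programmatic form of the requirement that the applicant "holds the private key corresponding to the public key to be listed": a public key can be copied from anywhere, so the CA insists on a signature that only the matching private key can produce before it certifies the binding, and that same signature also shows the keys constitute a functioning pair.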
3.3.6. Suspension of Digital Signature Certificate (Sec. 37)
The Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate:
a) on receipt of a request to that effect from
i) the subscriber listed in the Digital Signature Certificate, or
ii) any person duly authorized to act on behalf of that subscriber;
b) if it is of the opinion that the Digital Signature Certificate should be suspended in the public interest.
A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.
Exercise 3
1. Explain the various types of digital certificates.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
2. Describe the issue of a Digital Signature Certificate by a Certifying Authority.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
3. Describe suspension of a Digital Signature Certificate.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
3.4. Revocation of Digital Signature Certificate (Sec. 38)
A Certifying Authority may revoke a Digital Signature Certificate issued by it:
a) Where the subscriber or any other person authorized by him makes a request to
that effect, or
b) upon the death of the subscriber, or
c) Upon the dissolution of the firm or winding up of the company where the
subscriber is a firm or a company.
A Certifying Authority may revoke a Digital Signature Certificate which has
been issued by it at any time, if it is of opinion that:
i) A material fact represented in the Digital Signature Certificate is false or has
been concealed.
ii) A requirement for issuance of the Digital Signature Certificate was not satisfied.
iii) The Certifying Authority's private key or security system was compromised in a
manner materially affecting the Digital Signature Certificate's reliability.
iv) The subscriber has been declared insolvent or dead or where a subscriber is a
firm or a company, which has been dissolved, wound-up or otherwise ceased to
exist.
A Digital Signature Certificate shall not be revoked unless the subscriber has been
given an opportunity of being heard in the matter.
Exercise 3
1. Describe the revocation of Digital Signature Certificates.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
2. Explain “Material fact represented in digital signature certificate is false”.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
3. Describe the powers of Certifying Authorities.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
LESSON-3
UNIT V
Duties of Subscribers
3.1 Duties of Subscribers
The IT Act, 2000 specifically stipulates that any subscriber may authenticate an
electronic record by affixing his digital signature. It further states that any person can
verify an electronic record by use of a public key of the subscriber. This act lays down the
following duties of the subscribers who have obtained the Digital signature Certificate
from some certifying authority:
Generating key pair (Sec. 40): Where any Digital Signature Certificate, the public
key of which corresponds to the private key of that subscriber which is to be listed in the
Digital Signature Certificate has been accepted by a subscriber, then the subscriber shall
generate that key pair by applying the security procedure. This implies that the
subscriber, i.e. the person, who is to be issued the digital signature certificate, has to
generate an appropriate private key which matches the public key being allotted to him or
her.
Duties of subscriber of Electronic Signature Certificate (Sec. 40A): In respect of
Electronic Signature Certificate the subscriber shall perform such duties as may be
prescribed.
Acceptance of Digital Signature Certificate (Sec. 41): A subscriber shall be deemed
to have accepted a Digital Signature Certificate if he publishes or authorizes the
publication of a Digital Signature Certificate:
a) To one or more persons;
b) In a repository, or otherwise demonstrates his approval of the Digital Signature
Certificate in any manner.
By accepting a Digital Signature Certificate the subscriber certifies to all who
reasonably rely on the information contained in the Digital Signature Certificate that:
i) The subscriber holds the private key corresponding to the public key listed in the
Digital Signature Certificate and is entitled to hold the same;
ii) All representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate
are true;
iii) All information in the Digital Signature Certificate that is within the knowledge
of the subscriber is true.
Control of private key (Sec. 42): Every subscriber shall exercise reasonable care to
retain control of the private key corresponding to the public key listed in his Digital
Signature Certificate and take all steps to prevent its disclosure. If the private key
corresponding to the public key listed in the Digital Signature Certificate has been
compromised, then, the subscriber shall communicate the same without any delay to the
Certifying Authority in such manner as may be specified by the regulations.
For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.
Salient features of Information Technology (Amendment) Act, 2008
The Information Technology (Amendment) Act, 2008 was signed by the President of India in February, 2009. A review of the amendments indicates that several provisions relating to data protection and privacy, as well as provisions to curb terrorism using the electronic and digital medium, have been introduced into the new Act. Some of the salient features of the Act are as follows:
• The term digital signature has been replaced with electronic signature to make the Act more technology neutral.
• A new section has been inserted to define communication device to mean cell phones, personal digital assistants or a combination of both, or any other device used to communicate, send or transmit any text, video, audio or image.
• A new section has been added to define cyber café as any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public.
• A new definition has been inserted for intermediary. Intermediary, with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafés, but does not include a body corporate referred to in section 43A.
• A new section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed to be unenforceable solely on the ground that electronic form or means was used.
• The damages of Rs. one crore (approximately USD 200,000) prescribed under section 43 of the earlier Act for damage to computer, computer system etc. have been deleted, and the relevant parts of the section have been substituted by the words "he shall be liable to pay damages by way of compensation to the persons so affected".
• A new section 43A has been inserted to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such body corporate is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
• A host of new sections have been added after section 66 as sections 66A to 66F, prescribing punishment for offences such as obscene electronic message transmission, identity theft, cheating by impersonation using a computer resource, violation of privacy and cyber terrorism.
• Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form to three years.
• In view of the increasing threat of terrorism in the country, the new amendments include an amended section 69 giving power to the state to issue directions for interception, monitoring or decryption of any information through any computer resource.
• Sections 69A and 69B grant powers to the state to issue directions for blocking public access to any information through any computer resource, and to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security.
• Section 79 of the old Act, which exempted intermediaries, has been modified to the effect that an intermediary shall not be liable for any third party information, data or communication link made available or hosted by him if (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; (b) the intermediary does not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission; and (c) the intermediary observes due diligence while discharging his duties.
• Section 79 will not apply to an intermediary if the intermediary has conspired, abetted, aided or induced, whether by threats or promise or otherwise, the commission of the unlawful act, or if, upon receiving actual knowledge or on being notified that any information, data or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
• A proviso has been added to section 81, which states that the provisions of the Act shall have overriding effect. The proviso states that nothing contained in the Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957.
Exercise 4
1. Describe generating a key pair.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
2. Explain the term “Acceptance of Digital Signature Certificate”.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
3. Describe the Information Technology (Amendment) Act, 2008.
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
.....................................................................................................................................
3.2 Summary
The certificate can be used to verify that a public key belongs to the individual. Digital
certificates are the digital equivalent (i.e. electronic format) of physical or paper
certificates. Examples of physical certificates are driver's licenses, passports or
membership cards.
Level one is a basic level of assurance, relevant to environments where there are risks
and consequences of data compromise, but they are not considered to be of major
significance. This may include access to private information where the likelihood of
malicious access is not high. It is assumed that at this security level users are not likely
to be malicious.
Level two is relevant to environments where risks and consequences of data
compromise are moderate. This may include transactions having substantial monetary
value or risk of fraud, or involving access to private information where the likelihood of
malicious access is substantial.
Level three is relevant to environments where threats to data are high or the consequences
of the failure of security services are high. This may include very high value transactions
or high levels of fraud risk.
Provided that no Digital Signature Certificate shall be granted unless the Certifying
Authority is satisfied that (a) the applicant holds the private key corresponding to the
public key to be listed in the Digital Signature Certificate; (b) the applicant holds a
private key which is capable of creating a digital signature; and (c) the public key to be
listed in the certificate can be used to verify a digital signature affixed by the private key
held by the applicant (proviso to Sec. 35). In other words, the Certifying Authority must
check that the applicant actually controls the private half of the key pair before it lists
the public half in a certificate; a public key copied from someone else's certificate must
not be certified in the applicant's name.
Duties of subscriber of Electronic Signature Certificate (Sec. 40A): In respect of
Electronic Signature Certificate the subscriber shall perform such duties as may be
prescribed.
Acceptance of Digital Signature Certificate (Sec. 41): A subscriber shall be deemed
to have accepted a Digital Signature Certificate if he publishes or authorizes the
publication of a Digital Signature Certificate to one or more persons or in a repository, or
otherwise demonstrates his approval of the Digital Signature Certificate in any manner.
3.3 Exercise
Check your progress
Exercise 1
(i) Certificates serve as identity of an individual for a certain purpose, e.g. a
……………………….identifies someone who can legally drive in a particular
country. Likewise, a Digital Signature Certificate (DSC) can be presented
electronically to prove your identity or your right to access information or
services on the Internet.
(ii) …………………………….can be classified in various classes subject to
depending upon the requirement of assurance level and usage of DSC.
(iii) However, that no Digital Signature Certificate shall be granted unless the
Certifying Authority is satisfied that the applicant holds the private key
corresponding to the ………………………to be listed in the Digital Signature
Certificate.
(iv) Any Digital Signature Certificate, the public key of which corresponds to the
private key of that subscriber which is to be listed in the Digital Signature
Certificate has been accepted by a subscriber, and then the subscriber shall
generate that key pair by applying the security procedure. This implies that the
subscriber, i.e. the person, who is to be issued the digital signature certificate,
has to generate an appropriate ………………….which matches the public key
being allotted to him or her.
Ans.
(i) Driver's license (ii) Digital signatures certificates (iii) public key (iv) private key
Exercise 2
Please tick the right option in the following:
1. Any person may make an application to the Certifying Authority for the issue of
a Digital Signature Certificate in such form as may not be prescribed by the
Central Government.
(i) Every such application shall be accompanied by such fee not exceeding twenty-five
thousand rupees as may be prescribed by the Central Government, to be paid to the
Certifying Authority: Provided that while prescribing fees under sub-section (2)
different fees may be prescribed for different classes of applicants.
( )
(ii) Every such application shall be accompanied by a certification practice statement
or where there is no such statement, a statement containing such particulars, as
may be specified by regulations.
( )
(iii) On receipt of an application under sub-section (1), the Certifying Authority may,
after consideration of the certification practice statement or the other statement
under sub-section (3) and after making such enquiries as it may deem fit, grant
the Digital Signature Certificate or for reasons to be recorded in writing, reject
the application:
( )
(iv) On the request of the Authority
( )
2. A Certifying Authority while issuing a Digital Signature Certificate shall certify
that, the information contained in it is accurate and that:
(i) It has not complied with the provisions of this Act and the rules and regulations
made there under.
( )
(ii) It has not published the Digital Signature Certificate or otherwise made it
available to such person relying on it and the subscriber has accepted it.
( )
(iii) The subscriber holds the private key corresponding to the public key, listed in the
Digital Signature Certificate.
( )
(iv) The subscriber's no public key and private key constitute a functioning key pair.
( )
(v) The information contained in the Digital Signature Certificate is accurate, and
( )
3. A Certifying Authority may not revoke a Digital Signature Certificate which has
been issued by it at any time, if it is of opinion that:
i) A material fact represented in the Digital Signature Certificate is false or has
been concealed.
( )
ii) No private and public key
( )
iii) A requirement for issuance of the Digital Signature Certificate was not satisfied.
( )
iv) The Certifying Authority's private key or security system was compromised in a
manner materially affecting the Digital Signature Certificate's reliability.
( )
v) The subscriber has been declared insolvent or dead or where a subscriber is a
firm or a company, which has been dissolved, wound-up or otherwise ceased to
exist.
( )
4. By accepting a Digital Signature Certificate the subscriber certifies to all who
reasonably rely on the information contained in the Digital Signature Certificate
that which statement is false:
i) The subscriber holds the private key corresponding to the public key listed in the
Digital Signature Certificate and is entitled to hold the same;
ii) All representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate
are true;
iii) All information in the Digital Signature Certificate that is within the knowledge
of the subscriber is false.
Ans (1) IV (2) V (3) II (4) III
173
Exercise 3
Mix and Match (A) with (B):
(A)
(i) Individual Certificates serve to identify a person. It follows that the contents of
this type of certificate include the full name and personal particulars of an
individual. These certificates can be used for signing electronic documents and
emails and implementing enhanced access control mechanisms for sensitive or
valuable information.
(ii) Server Certificates identify a server (computer). Hence, instead of the name of a
person, server certificates contain the host name, e.g. "https://nsdg.gov.in/", or the
IP address. Server certificates are used to ensure secure communication of data over
the network.
(iii) Encryption Certificates are used to encrypt the message. The Encryption
Certificates use the public key of the recipient to encrypt the data so as to ensure
data confidentiality during transmission of the message. Separate certificates for
signatures and for encryption are available from different CAs.
(iv) A Certificate shall not be suspended for a period exceeding fifteen days unless the
subscriber has been given an opportunity of being heard in the matter.
(B)
(i) Server Certificates
(ii) Individual Digital Signature Certificates
(iii) Digital Signature
(iv) Encryption Certificates
Answer: 1. (ii) 2. (i) 3. (iv) 4. (iii)
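The two certificate uses contrasted in Exercise 3 (signing with the subscriber's own private key, encrypting to the recipient's public key) and the check in the Summary above (the Certifying Authority must be satisfied that the applicant holds the private key matching the public key to be listed) can be followed end to end with a toy RSA key pair. The Python program below is added here as an illustration; it is not code from this study material, from the rules under the IT Act or from any Certifying Authority. It assumes textbook RSA with no padding and moduli built from the Mersenne primes 2^31-1, 2^61-1 and 2^89-1, which is insecure and for teaching only; the function ca_proof_of_possession, the names Alice and Mallory and the sample documents are constructed for the demonstration (a real CA obtains the same proof from the applicant's self-signed certificate request).

```python
"""Toy RSA illustration of the key pair behind a Digital Signature Certificate.
Added example for this lesson; not code from the study material, the IT Act
rules or any Certifying Authority. Textbook RSA without padding and with tiny
moduli: for teaching only, never for real use."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus, listed in the certificate together with e
    e: int  # public exponent
    d: int  # private exponent: held only by the subscriber, never sent to the CA

    @property
    def public(self):
        return (self.n, self.e)


def _is_probable_prime(x, rounds=16):
    """Miller-Rabin test, used only to reject bad key-generation parameters."""
    if x < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if x % small == 0:
            return x == small
    d, r = x - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(x - 3) + 2
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True

def keygen(p, q, e=65537):
    """Subscriber-side key generation from two primes; d never leaves the subscriber."""
    if p == q or not (_is_probable_prime(p) and _is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))  # ValueError if e is not invertible mod phi

def _digest(message, n):
    """SHA-256 of the message reduced into the modulus (toy: no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(key, message):
    """Digital signature = H(m)^d mod n; only the holder of d can produce it."""
    return pow(_digest(message, key.n), key.d, key.n)

def verify(public, message, signature):
    """Relying party's check with the public key listed in the DSC: sig^e mod n == H(m)."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == _digest(message, n)

def encrypt(public, plaintext):
    """Encryption-certificate use: the sender encrypts with the RECIPIENT's public key."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)

def decrypt(key, ciphertext):
    """Only the recipient's private exponent recovers the plaintext (leading NUL bytes drop)."""
    m = pow(ciphertext, key.d, key.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def ca_proof_of_possession(applicant_public, applicant_sign):
    """CA-side check behind the Sec. 35 proviso: before listing a public key in a DSC,
    have the applicant sign a FRESH random challenge and verify it with that key.
    A replayed old signature, or a public key copied from someone else's certificate,
    cannot pass. applicant_sign stands in for the applicant's signing device (assumed)."""
    challenge = b"DSC-POP:" + secrets.token_bytes(16)
    return verify(applicant_public, challenge, applicant_sign(challenge))


if __name__ == "__main__":
    # Constructed demo keys from Mersenne primes (assumed): 2^31-1, 2^61-1, 2^89-1.
    alice = keygen(2**31 - 1, 2**61 - 1)    # genuine applicant
    mallory = keygen(2**31 - 1, 2**89 - 1)  # impostor holding a different private key
    print("Alice proves possession:", ca_proof_of_possession(alice.public, lambda c: sign(alice, c)))
    print("Mallory using Alice's public key:", ca_proof_of_possession(alice.public, lambda c: sign(mallory, c)))
    doc = b"Invoice 42: pay INR 10,000"
    sig = sign(alice, doc)
    print("Signature verifies:", verify(alice.public, doc, sig))
    print("Altered document verifies:", verify(alice.public, b"Invoice 42: pay INR 90,000", sig))
    print("Confidential reply decrypts to:", decrypt(alice, encrypt(alice.public, b"PIN 2048")))
```

Run the file directly to see both applicants: Alice, who signs the CA's fresh challenge with the private key matching the public key she submits, passes; Mallory, who submits Alice's public key but can only sign with her own private key, fails, which is exactly what the proviso to Sec. 35 guards against. Because the challenge is random each time, a signature captured earlier cannot be replayed to the CA. The altered-invoice check shows why a relying party trusts a verified signature: changing even one digit changes the hash and the verification fails. The same toy key pair is reused for encryption only to keep the example short; as Exercise 3 notes, signing and encryption are done with separate certificates, and therefore separate key pairs, in practice.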
Exercise 4
Test Questions
1.
Explain the Term Digital Signature with suitable example.
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
2.
Explain the duties of subscribers.
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
3.
Describe Digital Signature certificate
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
4.
Explain the control of private key.
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
.............................................................................................................................
LESSON-4
UNIT V
Penalties and Adjudication
4.1 Introduction
4.2 Objectives
4.3 Penalties and adjudication
4.4 Appellate Tribunal
4.5 Offences
4.6 Summary
4.7 Exercise
4.1 Introduction
Under the Act a penalty is imposed by way of damages, paid as compensation to the
affected party, for damage caused to a computer, computer system or computer network,
for unauthorized access and for other kinds of mischief. See Fig 4.1.
Fig 4.1 showing Act and penalty
For adjudicating disputes under the Information Technology Act, Section 46 was
enacted, which confers the power to adjudicate contraventions of the Act. The power has
been given to an adjudicating officer (in practice the Secretary, Information Technology,
of the State concerned), who has the power to adjudge the quantum of compensation.
4.2 Objectives
After studying this chapter the student will be able to understand the following:
• Penalties and Adjudication
• Penalty for failure to furnish information, return
• Residuary Penalty
• Adjudication - Appointment of Adjudicating Officer
• Penalty for breach of Confidentiality and Privacy
• Right to legal representation
• Civil court not to have jurisdiction
• Appeal to High Court
• Composition of Cyber Appellate Tribunal
• Appeal to Cyber Appellate Tribunal
4.3 Penalties and Adjudication
Under the Act penalty is imposed by way of damages to be paid as compensation to the
affected party for damage caused to any computer, computer network etc. by introduction
of computer virus, unauthorized access and other types of mischief.
For adjudicating disputes under the Information Technology Act, Section 46 was
enacted, which confers the power to adjudicate contraventions of the Act. The power has
been given to an adjudicating officer (in practice the Secretary, Information Technology,
of the State concerned), who has the power to adjudge the quantum of compensation.
4.3.1. Penalty for damage to computer, computer system etc. (Sec. 43)
If any person, without permission of the owner or any other person who is in charge
of a computer, computer system or computer network, does any of the following acts,
he shall be liable to pay damages by way of compensation to the person so affected:
(a) accesses or secures access to such computer, computer system or computer
network;
(b) downloads, copies or extracts any data, computer data-base or information from
such computer, computer system or computer network, including information or
data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer
network, data, computer data-base or any other programmes residing in such
computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer
network;
(f) denies or causes the denial of access to any person authorized to access any
computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of this
Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system or computer
network.
Under the Act as originally enacted in 2000, the compensation payable under this
section could not exceed one crore rupees; the Information Technology (Amendment)
Act, 2008 removed this ceiling.
Explanation: For the purposes of this section:
i) "computer contaminant" means any set of computer instructions that are designed
a) to modify, destroy, record or transmit data or programmes residing within a
computer, computer system or computer network; or
b) by any means to usurp the normal operation of the computer, computer
system or computer network;
ii) "computer data-base" means a representation of information, knowledge, facts,
concepts or instructions in text, image, audio or video that are being prepared or
have been prepared in a formalized manner or have been produced by a computer,
computer system or computer network and are intended for use in a computer,
computer system or computer network;
iii) "computer virus" means any computer instruction, information, data or
programme that destroys, damages, degrades or adversely affects the performance
of a computer resource;
iv) "damage" means to destroy, alter, delete, add, modify or rearrange any computer
resource by any means;
v) "computer source code" means the listing of programmes, computer commands,
design and layout and programme analysis of computer resource in any form.
4.3.2. Penalty for failure to furnish information, return, etc. (Sec. 44)
If any person who is required under this Act or any rules or regulations made
thereunder to:
a) furnish any document, return or report to the Controller of Certifying Authorities
or the Certifying Authority fails to furnish the same, he shall be liable to a penalty
not exceeding one lakh and fifty thousand rupees for each such failure;
b) file any return or furnish any information, books or other documents within the
time specified therefor in the regulations fails to file the return or furnish the same
within the time specified therefor in the regulations, he shall be liable to a penalty
not exceeding five thousand rupees for every day during which such failure
continues;
c) maintain books of account or records fails to maintain the same, he shall be
liable to a penalty not exceeding ten thousand rupees for every day during which
the failure continues.
4.3.3. Residuary Penalty (Sec. 45)
Whoever contravenes any rules or regulations made under this Act, for the
contravention of which no penalty has been separately provided, shall be liable to pay
compensation not exceeding twenty-five thousand rupees to the person affected by such
contravention or a penalty not exceeding twenty-five thousand rupees.
4.3.4. Adjudication - Appointment of Adjudicating Officer (Sec. 46)
For the purpose of adjudging under this Chapter whether any person has committed a
contravention of any of the provisions of this Act or of any rule, regulation, direction or
order made thereunder, the Central Government shall, subject to the provisions of
sub-section (3), appoint any officer not below the rank of a Director to the Government
of India or an equivalent officer of a State Government to be an adjudicating officer for
holding an inquiry in the manner prescribed by the Central Government.
The adjudicating officer shall, after giving the person referred to in sub-section (1) a
reasonable opportunity for making representation in the matter and if, on such inquiry,
he is satisfied that the person has committed the contravention, impose such penalty or
award such compensation as he thinks fit in accordance with the provisions of that
section.
No person shall be appointed as an adjudicating officer unless he possesses such
experience in the field of Information Technology and legal or judicial experience as
may be prescribed by the Central Government.
Where more than one adjudicating officer is appointed, the Central Government
shall specify by order the matters and places with respect to which such officers shall
exercise their jurisdiction.
4.3.5. Powers:
Every adjudicating officer shall have the powers of a civil court which are conferred
on the Cyber Appellate Tribunal under sub-section (2) of Section 58:
i) All proceedings before it shall be deemed to be judicial proceedings within the
meaning of Sections 193 and 228 of the Indian Penal Code (45 of 1860)
ii) Shall be deemed to be a civil court for the purposes of Sections 345 and 346 of
the Code of Criminal Procedure, 1973 (2 of 1974).
[Section 46 of the Act grants the Central Government the power to appoint an
adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before
that adjudicating officer, contraventions of the Act. The adjudicating officer may be of
the Central Government or of the State Government [see section 46(1) of the Act], must
have field experience with information technology and law [see section 46(3) of the Act]
and exercises jurisdiction over claims for damages up to Rs. 5,00,00,000 (five crore
rupees) [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is
vested with certain powers of a civil court [see section 46(5) of the Act] and must follow
basic principles of natural justice while conducting adjudications [see section 46(2) of
the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial
authority.
In addition, the quasi-judicial adjudicating officer may impose penalties, thereby
vesting him with some of the powers of a criminal court [see section 46(2) of the Act],
and award compensation, the quantum of which is to be determined after taking into
account factors including unfair advantage, loss and repeat offences [see section 47 of the
Act]. The adjudicating officer may impose penalties for any of the contraventions
described in section 43, section 44 and section 45 of the Act and, further, may award
compensation for losses suffered as a result of contraventions of section 43 and section
43A (sections 43, 44 and 45 are reproduced above). Further law as to the appointment of
the adjudicating officer and the procedure attendant on all adjudications was made by the
Information Technology (Qualification and Experience of Adjudicating Officers and the
Manner of Holding Enquiry) Rules, 2003.
It is clear that the adjudicating officer is vested with significant judicial powers,
including the power to enforce certain criminal penalties, and is an important
quasi-judicial authority.]
4.3.6. Factors to be taken into account by the adjudicating officer (Sec. 47)
While adjudging the quantum of compensation under this Chapter, the adjudicating
officer shall have due regard to the following factors, namely:
a) The amount of gain of unfair advantage, wherever quantifiable, made as a result
of the default;
b) The amount of loss caused to any person as a result of the default;
c) The repetitive nature of the default.
4.3.7. Penalty for Misrepresentation (Sec. 71)
Whoever makes any misrepresentation to, or suppresses any material fact from,
the Controller or the Certifying Authority for obtaining any licence or Electronic
Signature Certificate, as the case may be, shall be punished with imprisonment for a
term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.
4.3.8. Penalty for breach of Confidentiality and Privacy (Sec. 72)
Any person who, in pursuance of any of the powers conferred under this Act, rules
or regulations made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material and, without the
consent of the person concerned, discloses such electronic record, book, register,
correspondence, information, document or other material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with fine
which may extend to one lakh rupees, or with both.
4.3.9. Punishment for disclosure of Information in breach of Lawful Contract
(Sec. 72A)
Any person, including an intermediary, who, while providing services under the
terms of a lawful contract, has secured access to any material containing personal
information about another person, and who, with the intent to cause or knowing that he
is likely to cause wrongful loss or wrongful gain, discloses such material to any other
person without the consent of the person concerned or in breach of a lawful contract,
shall be punished with imprisonment for a term which may extend to three years, or
with fine which may extend to five lakh rupees, or with both.
4.3.10. Penalty for Publishing Electronic Signature Certificate false in Certain
Particulars (Sec. 73)
No person shall publish an Electronic Signature Certificate or otherwise make it
available to any other person with the knowledge that:
a) the Certifying Authority listed in the certificate has not issued it; or
b) the subscriber listed in the certificate has not accepted it; or
c) the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying an electronic signature created
prior to such suspension or revocation. Any person who contravenes the provisions of
sub-section (1) shall be punished with imprisonment for a term which may extend to
two years, or with fine which may extend to one lakh rupees, or with both.
4.3.11. Publication for Fraudulent Purpose (Sec. 74)
Whoever knowingly creates, publishes or otherwise makes available an Electronic
Signature Certificate for any fraudulent or unlawful purpose shall be punished with
imprisonment for a term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.
Exercise 1
1.
Adjudication - Appointment of Adjudicating Officer. Comment
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
2.
Explain the Penalty for Publishing Electronic Signature Certificate false in Certain
Particulars
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
3.
Describe the Publication for Fraudulent Purpose
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
...................................................................................................................................
4.4 Appellate Tribunal
The IT Act, 2000 provides for the establishment of one or more Appellate Tribunals,
known as the Cyber Appellate Tribunal, to exercise the jurisdiction, powers and
authority conferred under the Act.
4.4.1 Establishment of Cyber Appellate Tribunal (Sec. 48)
i. The Central Government shall, by notification, establish one or more appellate
tribunals to be known as the Cyber Appellate Tribunal (named the Cyber Regulations
Appellate Tribunal in the Act as originally enacted).
ii. The Central Government shall also specify, in the notification referred to in
sub-section (1), the matters and places in relation to which the Cyber Appellate
Tribunal may exercise jurisdiction.
4.4.2. Composition of Cyber Appellate Tribunal (Sec. 49)
i) The Cyber Appellate Tribunal shall consist of a Chairperson and such number
of other Members, as the Central Government may, by notification in the
Official Gazette, appoint:
Provided that the person appointed as the Presiding Officer of the Cyber
Appellate Tribunal under the provisions of this Act immediately before the
commencement of the Information Technology (Amendment) Act, 2008 shall
be deemed to have been appointed as the Chairperson of the said Cyber
Appellate Tribunal under the provisions of this Act as amended by the
Information Technology (Amendment) Act, 2008.
ii) The selection of Chairperson and Members of the Cyber Appellate Tribunal
shall be made by the Central Government in consultation with the Chief Justice
of India.
iii) Subject to the provisions of this Act:
a) The jurisdiction, powers and authority of the Cyber Appellate Tribunal may
be exercised by the Benches thereof;
b) A Bench may be constituted by the Chairperson of the Cyber Appellate
Tribunal with one or two Members of such Tribunal as the Chairperson may
deem fit;
c) The Benches of the Cyber Appellate Tribunal shall sit at New Delhi and at
such other places as the Central Government may, in consultation with the
Chairperson of the Cyber Appellate Tribunal, by notification in the Official
Gazette, specify;
d) The Central Government shall, by notification in the Official Gazette, specify
the areas in relation to which each Bench of the Cyber Appellate Tribunal
may exercise its jurisdiction.
iv) Notwithstanding anything contained in sub-section (3), the Chairperson of the
Cyber Appellate Tribunal may transfer a Member of such Tribunal from one
Bench to another Bench.
v) If at any stage of the hearing of any case or matter it appears to the Chairperson
or a Member of the Cyber Appellate Tribunal that the case or matter is of such a
nature that it ought to be heard by a Bench consisting of more Members, the
case or matter may be transferred by the Chairperson to such Bench as the
Chairperson may deem fit.
4.4.3. Qualifications for appointment as Chairperson and Member of the Cyber
Appellate Tribunal (Sec. 50)
1) A person shall not be qualified for appointment as a Chairperson of the Cyber
Appellate Tribunal unless he is, or has been, or is qualified to be, a Judge of a
High Court.
2) The Members of the Cyber Appellate Tribunal, except the Judicial Member to
be appointed under sub-section (3), shall be appointed by the Central
Government from amongst persons having special knowledge of, and
professional experience in, information technology, telecommunication,
industry, management or consumer affairs: Provided that a person shall not be
appointed as a Member unless he is, or has been, in the service of the Central
Government or a State Government, and has held the post of Additional
Secretary to the Government of India or any equivalent post in the Central
Government or State Government for a period of not less than one year, or Joint
Secretary to the Government of India or any equivalent post in the Central
Government or State Government for a period of not less than seven years.
3) The Judicial Member of the Cyber Appellate Tribunal shall be appointed by the
Central Government from amongst persons who are or have been members of the
Indian Legal Service and have held the post of Additional Secretary for a period
of not less than one year or a Grade I post of that Service for a period of not less
than five years.
4.4.4. Term of office, conditions of service, etc., of Chairperson and Members
(Sec. 51)
1) The Chairperson or Member of the Cyber Appellate Tribunal shall hold office
for a term of five years from the date on which he enters upon his office or until
he attains the age of sixty-five years, whichever is earlier.
2) Before appointing any person as the Chairperson or Member of the Cyber
Appellate Tribunal, the Central Government shall satisfy itself that the person
does not have any such financial or other interest as is likely to affect
prejudicially his functions as such Chairperson or Member.
3) An officer of the Central Government or State Government on his selection as
the Chairperson or Member of the Cyber Appellate Tribunal, as the case may
be, shall have to retire from service before joining as such Chairperson or
Member.
4.4.5. Salary, allowances and other terms and conditions of service of Chairperson
and Members (Sec. 52)
The salary and allowances payable to, and the other terms and conditions of service
including pension, gratuity and other retirement benefits of, the Chairperson or a Member
of the Cyber Appellate Tribunal shall be such as may be prescribed.
4.4.6. Powers of superintendence, direction, etc.(Sec. 52A)
The Chairperson of the Cyber Appellate Tribunal shall have powers of general
superintendence and directions in the conduct of the affairs of that Tribunal and he shall,
in addition to presiding over the meetings of the Tribunal, exercise and discharge such
powers and functions of the Tribunal as may be prescribed.
4.4.7. Distribution of business among Benches (Sec. 52B)
Where Benches are constituted, the Chairperson of the Cyber Appellate Tribunal
may, by order, distribute the business of that Tribunal amongst the Benches and also the
matters to be dealt with by each Bench.
4.4.8. Power of Chairperson to transfer cases (Sec. 52C)
On the application of any of the parties and after notice to the parties, and after
hearing such of them as he may deem proper to be heard, or suo motu without such
notice, the Chairperson of the Cyber Appellate Tribunal may transfer any case pending
before one Bench, for disposal to any other Bench.
4.4.9. Decision by majority (Sec. 52D)
If the Members of a Bench consisting of two Members differ in opinion on any
point, they shall state the point or points on which they differ, and make a reference to the
Chairperson of the Cyber Appellate Tribunal who shall hear the point or points himself
and such point or points shall be decided according to the opinion of the majority of the
Members who have heard the case, including those who first heard it.
4.4.10. Filling up of vacancies (Sec.53)
If, for reason other than temporary absence, any vacancy occurs in the office of the
Chairperson or Member as the case may be of a Cyber Appellate Tribunal, then the
Central Government shall appoint another person in accordance with the provisions of
this Act to fill the vacancy and the proceedings may be continued before the Cyber
Appellate Tribunal from the stage at which the vacancy is filled.
4.4.11. Resignation [Sec 54(1)]
The Chairperson or a Member of a Cyber Appellate Tribunal may, by notice in writing
under his hand addressed to the Central Government, resign his office: Provided that the
said Chairperson or Member shall, unless he is permitted by the Central Government
to relinquish his office sooner, continue to hold office until the expiry of three months
from the date of receipt of such notice or until a person duly appointed as his successor
enters upon his office or until the expiry of his term of office, whichever is the earliest.
4.4.12. Removal [Sec. 54 (2)(3)]
The Chairman or the Member of Cyber Appellate Tribunal shall not be removed
from his office except by an order by the Central Government on the ground of proved
misbehaviour or incapacity after an inquiry made by a Judge of the Supreme Court in
which the Presiding Officer concerned has been informed of the charges against him and
given a reasonable opportunity of being heard in respect of these charges. The Central
Government may, by rules, regulate the procedure for the investigation of misbehaviour or
incapacity of the aforesaid Chairperson or the member.
4.4.13. Orders constituting Appellate Tribunal to be final and not to invalidate its
proceedings (Sec. 55)
No order of the Central Government appointing any person as the Chairperson or the
member of a Cyber Appellate Tribunal shall be called in question in any manner and no
act or proceeding before a Cyber Appellate Tribunal shall be called in question in any
manner on the ground merely of any defect in the constitution of a Cyber Appellate
Tribunal.
4.4.14. Appeal to Cyber Appellate Tribunal (Sec. 57)
Any person aggrieved by an order made by an adjudicating officer under this Act may
prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter. No appeal
shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer
with the consent of the parties.
4.4.15. Period: Every appeal shall be filed within a period of forty-five days from the date
on which a copy of the order made by the controller or the adjudicating officer is received
by the person aggrieved and it shall be in such form and be accompanied by such fee as
may be prescribed: Provided that the Cyber Appellate Tribunal may entertain an appeal
after the expiry of the said period of forty-five days if it is satisfied that there was
sufficient cause for not filing it within that period.
4.4.16. Order by Tribunal: On receipt of an appeal under sub-section, the Cyber Appellate
Tribunal may, after giving the parties to the appeal an opportunity of being heard, pass
such orders thereon as it thinks fit, confirming, modifying or setting aside the order
appealed against. The Cyber Appellate Tribunal shall send a copy of every order made by
it to the parties to the appeal and to the concerned controller or adjudicating officer.
The appeal filed before the Cyber Appellate Tribunal under sub-section (1) shall be
dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose
of the appeal finally within six months from the date of receipt of the appeal.
4.4.17. Powers of the Cyber Appellate Tribunal (Sec. 58)
The Cyber Appellate Tribunal shall not be bound by the procedure laid down by the
Code of Civil Procedure, 1908 (5 of 1908) but shall be guided by the principles of natural
justice and, subject to the other provisions of this Act and of any rules, the Cyber
Appellate Tribunal shall have powers to regulate its own procedure including the place at
which it shall have its sittings.
The Cyber Appellate Tribunal shall have, for the purposes of discharging its
functions under this Act, the same powers as are vested in a civil court under the Code of
Civil Procedure, 1908 (5 of 1908), while trying a suit, in respect of the following matters,
namely:
a) Summoning and enforcing the attendance of any person and examining him on
oath;
b) Requiring the discovery and production of documents or other electronic records;
c) Receiving evidence on affidavits;
d) Issuing commissions for the examination of witnesses or documents;
e) Reviewing its decisions;
f) Dismissing an application for default or deciding it ex parte;
g) Any other matter which may be prescribed.
Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a
judicial proceeding within the meaning of sections 193 and 228, and for the purposes of
section 196 of the Indian Penal Code and the Cyber Appellate Tribunal shall be deemed
to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of
Criminal Procedure, 1973 (2 of 1974).
4.4.18. Right to legal representation (Sec.59)
The appellant may either appear in person or authorize one or more legal
practitioners or any of its officers to present his or its case before the Cyber Appellate
Tribunal.
4.4.19. Civil court not to have jurisdiction (Sec. 61)
No court shall have jurisdiction to entertain any suit or proceeding in respect of any
matter which an adjudicating officer appointed under this Act or the Cyber Appellate
Tribunal constituted under this Act is empowered by or under this Act to determine and
no injunction shall be granted by any court or other authority in respect of any action
taken or to be taken in pursuance of any power conferred by or under this Act.
4.4.20. Appeal to High Court (Sec. 62)
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may
file an appeal to the High Court within sixty days from the date of communication of the
decision or order of the Cyber Appellate Tribunal to him on any question of fact or law
arising out of such order: Provided that the High Court may, if it is satisfied that the
appellant was prevented by sufficient cause from filing the appeal within the said period,
allow it to be filed within a further period not exceeding sixty days.
4.4.21. Compounding of contraventions (Sec. 63)
(1) Any contravention under this Act may, either before or after the institution of
adjudication proceedings, be compounded by the Controller or such other officer as may
be specially authorized by him in this behalf or by the adjudicating officer, as the case
may be, subject to such conditions as the Controller or such other officer or the
adjudicating officer may specify: Provided that such sum shall not, in any case, exceed
the maximum amount of the penalty which may be imposed under this Act for the
contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who commits the same or similar
contravention within a period of three years from the date on which the first
contravention, committed by him, was compounded.
Explanation: For the purposes of this sub-section, any second or subsequent
contravention committed after the expiry of a period of three years from the date on
which the contravention was previously compounded shall be deemed to be a first
contravention.
4.4.22. Recovery of Penalty (Sec. 64)
Penalty imposed or compensation awarded under this Act, if it is not paid, shall be
recovered as an arrear of land revenue and the license or the certificate, as the case may
be, shall be suspended till the penalty is paid.
Exercise 3
1. Composition of Cyber Appellate Tribunal
2. Acceptance of Digital Signature Certificate
3. Recovery of Penalty