References:

• L. Stein, How to Set up and Maintain a Web Server, 2nd. ed., 1997, pp. 748-749.
• [SET] Secure Electronic Transaction (SET), Specification, Book 2: Programmer’s Guide, Version 1.0, May 31, 1997.

WWW has Caused Tremendous Change to Business

• Online catalogs
• Technical support
• Product announcements
• Advertising
• Financial Information

Current Big Issues

• Secure payment schemes
• Microcent transactions

Secure Payment Schemes

Most people want a payment scheme that does not require credit card numbers to be sent.

Payment Schemes

• First Virtual
• CyberCash
• NetBill
• Digicash
• Millicent
• MasterCard's Secure Electronic Transactions (SET)

First Virtual

• Designed for low to medium priced software and fee-for-service information purchases
• Requires no special software or hardware on customer end or vendor end
• Procedure:
• Customer first sets up an account with credit card over phone
• Customer then receives a VirtualPIN (ID number)
• When customer makes a purchase on a Web page, (s)he provides their VirtualPIN instead of a credit card number.
• First Virtual will later send customer e-mail to confirm order, and customer must reply approve or disapprove. So customer can detect a fraudulent transaction if you get e-mail for a transaction you never made.
• All money transfers done off Internet
• Cost to customer is $2 annual fee, cost to vendor is $0.29 per transactions plus 2% of price.

A First Virtual Transaction

• Customer gives VirtualPIN to vendor
• Vendor verifies VirtualPIN through finger, telnet, email, or First Virtual Application Programming Interface
• Vendor emails First Virtual with VitualPIN and amount of sale
• First Virtual confirms transaction with user through email
• User answers email with 'yes', 'no', or 'fraud' (to immediately cancel VirtualPIN)
• First Virtual bills user's credit card, notifies vendor of confirmed transaction, deposits funds into vendor's account

CyberCash

• Both a debit and credit card system
• Customer intalls specialized software on his/her computer for credit card mode
• Credit card transactions permitted
• World-wide export license of 1024-bit RSA encryption algorithm
• Offers electronic coin (CyberCoin) as micropayment product ($0.25 to $10)
• Browser independent
• Netscape bundled CyberCash's CyberCoin into Netscape LivePayment

A CyberCash Transaction

• Procedure:
1. User chooses item, vendor returns invoice
2. When WWW browser requests credit card number, Cybercash software pops up a wndow requesting number.
3. Encrypted number is sent to vendor's server.
4. Vendor strips order info from payment info (credit card/account number remains encrypted)
5. Vendor forwards encrypted payment info to CyberCash Corporation
6. CyberCash decrypts and sends transaction to merchant bank, which passes credit card information to credit card vendor
7. Credit card vendor returns authorization to merchant bank
8. Merchant bank returns authorization to CyberCash
9. CyberCash sends authorization to vendor
10. Vendor passes product to consumer

• Total time (claimed by CyberCash) 15 - 20 seconds

NetBill

• Electronic commerce project developed at Carnegie Mellon
• NetBill accounts linked to conventional financial institutions
• Kerberos authentication at intermediate stages, RSA public key at final stages
• Requires 'Money Tool' software on user's machine

A NetBill Transaction

• Customer chooses item, window pops up with order info -- user clicks 'Buy'
• Vendor sends encrypted product to customer's machine
• Vendor sends verification of encrypted transport, account info and decryption key to NetBill
• NetBill confirms sufficient funds, stores key, and returns report to vendor
• Vendor sends decryption key to customer
• Customer's software decrypts product

Digicash (ecash)

• A product of Netherlands Digicash Company
• A debit system that provides an electronic checking account.
• Customers make a lump sum deposit to a bank (Mark Twain in St. Louis, EUnet of Finland) and receive "E-cash" or coins.
• From that point, coins exist on local hard drive (can be replaced like travelers checks)
• Software installed on client machine handles transactions
• Uses public-key cryptography
• Anonymous, like physical cash
• Double spending problem
• Requires special software on customer and vendor machines.

Secure Electronic Transaction (SET )

SET is an open industry protocol that details how payment card transactions on the Internet and other open networks will be secured using encryption technology and digital identification.

Vendors Supporting SET

Netscape's encryption will encode and approve credit card purchases; no additional software will be required.

E-Commerce Steps Covered by SET

• Bowsing and Shopping
• Merchant and Item Selection
• Negotiation and Ordering
• Payment Selection
• SET -> Payment Authorization and Transport
• SET -> Confirmation and Inquiry
• Delivery of Goods
• SET -> Merchant Reimbursement

Transaction Steps

1. Cardholder shops, selects item, optionally negotiates price (e.g., for merchants that match competitors' prices)
2. Cardholder sends electronic order form to merchant's server along with digitally signed payment instructions.  This step requires cardholder to possess one or more certificates.
3. Merchant requests payment authorization from the cardholder’s financial institution via an organization called an acquirer (a financial institution)."The Acquirer incorporates the authorization data into a request that is sent via a payment network for processing by the financial institution (Issuer) that issued the payment card to the cardholder." [SET]
4. Merchant ships ordered item.
5. Merchant requests payment from the cardholder’s financial institution via acquirer.

Example Software Required to Use SET

Fuji uses IBM's CommercePOINT* payment software including:

• Consumer wallet, for Internet shopping and payment
• Merchant server, which uses IBM Net.Commerce* SET-enabled system.  Uses  DB2 database in back-end.
• Acquirer gateway, which allows Fuji to capture Internet debit transactions for processing
• IBM Registry* for SET, providing certificate authority to issue digital identities to consumers and merchants

Millicent Proposal (DEC)

• 'Scrip' is electronic currency
• Each vendor issues their own scrip to brokers
• Brokers issue broker scrip to customers so customers don't need to buy each vendor's scrip
• Goal to reduce costs and increase transaction rate -- makes microcent transactions feasible

Microcent Transactions

• Online services have individual items that could be sold for a fraction of a cent
• Web pages, newspaper articles, stock prices, horoscopes, academic papers
• USA Today from Monday, Oct. 21 had roughly 126 articles and cost $0.50 = $0.0040 cents/article
• Some articles could be broken into smaller pieces

Why Microcent?

• Users more likely to create a $0.001 relationship with an unknown vendor than a $1 or $10 relationship

• Users less likely to steal content because the original is inexpensive
• Revenue goes to content provider, not (necessarily) to service provider -- stimulates quality WWW content

Against Microcents

• Current advertising model works -- easier to keep up with 100 advertisers than thousands of small microcent transactions
• Technology not available to support microcent (yet)
• Fraction of total cost of product that pays for the transaction must be small

Other Web Commerce Possibilities

• Could have usage-based pricing (Digital Silk Road includes pricing info in the protocol headers -- pay per packet)
• Pricing could be a means of Internet congestion control (are you willing to pay to get bandwidth? -- dynamically done with smart pricing)