Unit3@4 Emc

UNIT-3 EMC

ELECTRONIC COMMERCE SECURITY AND PAYMENT METHOD.


SECURING THE BUSINESS ON INTERNET:-
Security is an essential part of any transaction that takes place over the internet.
Customers will lose faith in an e-business if its security is compromised. The following
are the essential requirements for safe e-payments and transactions −
• Confidentiality − Information should not be accessible to an unauthorized
person. It should not be intercepted during the transmission.
• Integrity − Information should not be altered during its transmission over the
network.
• Availability − Information should be available wherever and whenever required
within a time limit specified.
• Authenticity − There should be a mechanism to authenticate a user before giving
him/her an access to the required information.
• Non-Repudiability − Protection against denial of an order or denial of payment. Once
a sender sends a message, the sender should not be able to deny having sent it.
Similarly, the recipient of a message should not be able to deny having received it.
• Encryption − Information should be encrypted and decrypted only by an
authorized user.
• Auditability − Data should be recorded in such a way that it can be audited for
integrity requirements.

Vulnerability of information on internet:-

Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it
open to attack. A vulnerability may also refer to any type of weakness in a computer
system itself, in a set of procedures, or in anything that leaves information security
exposed to a threat.

The most common computer vulnerabilities include:

• Bugs
• Weak passwords
• Software that is already infected with a virus
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authorization
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Missing authentication for critical function
• Unrestricted upload of dangerous file types
• Dependence on untrusted inputs in a security decision
• Cross-site scripting and forgery
• Download of code without an integrity check.

Security Policy:-

A security policy is a written document in an organization outlining how to protect the
organization from threats, including computer security threats, and how to handle
situations when they do occur.
A security policy must identify all of a company's assets as well as all the potential
threats to those assets. Company employees need to be kept updated on the
company's security policies. The policies themselves should be updated regularly as
well.

A security policy is a definition of what it means to be secure for a system, organization or other
entity. For an organization, it addresses the constraints on behavior of its members as well as
constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For
systems, the security policy addresses constraints on functions and flow among them, constraints on
access by external systems and adversaries including programs and access to data by people.

What are three types of security policies?

Examples for this type of policy are:
• Change Management Policy.
• Physical Security Policy.
• Email Policy.
• Encryption Policy.
• Vulnerability Management Policy.
• Media Disposal Policy.
• Data Retention Policy.
• Acceptable Use Policy.
Security Procedures And Practices:-

A security procedure is a set sequence of necessary activities that performs a
specific security task or function. ... Procedures provide a starting point for
implementing the consistency needed to decrease variation in security processes,
which increases control of security within the organization.

Information Security Practices

10 Basic Information Security Practices

• Start With Security - Limit Scope. ...
• Train Employees on Security. ...
• Inventory Devices and Eliminate Exposure to External Networks. ...
• Encrypt Sensitive Data. ...
• Use Secure Remote Access Methods. ...
• Strong, Non-Default Passwords…Plus 2FA. ...
• Enact the Principle of Least Privilege. ...
• Implement Network Segmentation.

Site Security:-

Website security is any action or application taken to ensure website data is not exposed
to cybercriminals or to prevent exploitation of websites in any way.

Website security protects your website from:

• DDoS attacks. These attacks can slow or crash your site entirely, making it
inaccessible to visitors.
• Malware. Short for “malicious software,” malware is a very common threat
used to steal sensitive customer data, distribute spam, allow cybercriminals to
access your site, and more.
• Blacklisting. Your site may be removed from search engine results and flagged with a
warning that turns visitors away if search engines find malware.
• Vulnerability exploits. Cybercriminals can access a site and data stored on it by
exploiting weak areas in a site, like an outdated plugin.
• Defacement. This attack replaces your website’s content with a cybercriminal’s
malicious content.

Website security protects your visitors from:

• Stolen data. From email addresses to payment information, cybercriminals frequently
go after visitor or customer data stored on a site.
• Phishing schemes. Phishing doesn’t just happen in email – some attacks take the
form of web pages that look legitimate but are designed to trick the user into providing
sensitive information.
• Session hijacking. Some cyberattacks can take over a user’s session and force them to
take unwanted actions on a site.
• Malicious redirects. Certain attacks can redirect visitors from the site they intended
to visit to a malicious website.
• SEO spam. Unusual links, pages, and comments can be put on a site to confuse your
visitors and drive traffic to malicious websites.

Protecting The Network:-

Network security is any activity designed to protect the usability and integrity of your
network and data. It includes both hardware and software technologies. Effective
network security manages access to the network. It targets a variety of threats and
stops them from entering or spreading on your network.
Types of network security
Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside
networks, such as the Internet. They use a set of defined rules to allow or block
traffic. A firewall can be hardware, software, or both. Cisco offers unified threat
management (UTM) devices and threat-focused next-generation firewalls.

Network segmentation
Software-defined segmentation puts network traffic into different classifications and
makes enforcing security policies easier. Ideally, the classifications are based on
endpoint identity, not mere IP addresses. You can assign access rights based on role,
location, and more so that the right level of access is given to the right people and
suspicious devices are contained and remediated.

Antivirus and antimalware software
"Malware," short for "malicious software," includes viruses, worms, Trojans,
ransomware, and spyware. Sometimes malware will infect a network but lie dormant
for days or even weeks. The best antimalware programs not only scan for malware
upon entry, but also continuously track files afterward to find anomalies, remove
malware, and fix damage.

Access control
Not every user should have access to your network. To keep out potential attackers,
you need to recognize each user and each device. Then you can enforce your security
policies. You can block noncompliant endpoint devices or give them only limited
access. This process is network access control (NAC).

Application security

Any software you use to run your business needs to be protected, whether your IT
staff builds it or whether you buy it. Unfortunately, any application may contain holes,
or vulnerabilities, that attackers can use to infiltrate your network. Application
security encompasses the hardware, software, and processes you use to close those
holes.

Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks
like. Behavioral analytics tools automatically discern activities that deviate from the
norm. Your security team can then better identify indicators of compromise that pose
a potential problem and quickly remediate threats.

Data loss prevention
Organizations must make sure that their staff does not send sensitive information
outside the network. Data loss prevention, or DLP, technologies can stop people from
uploading, forwarding, or even printing critical information in an unsafe manner.

Email security
Email gateways are the number one threat vector for a security breach. Attackers use
personal information and social engineering tactics to build sophisticated phishing
campaigns to deceive recipients and send them to sites serving up malware. An email
security application blocks incoming attacks and controls outbound messages to
prevent the loss of sensitive data.

Intrusion prevention systems
An intrusion prevention system (IPS) scans network traffic to actively block attacks.
Cisco Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts
of global threat intelligence to not only block malicious activity but also track the
progression of suspect files and malware across the network to prevent the spread of
outbreaks and reinfection.

Mobile device security
Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3
years, 90 percent of IT organizations may support corporate applications on personal
mobile devices. Of course, you need to control which devices can access your
network. You will also need to configure their connections to keep network traffic
private.

Security information and event management
SIEM products pull together the information that your security staff needs to identify
and respond to threats. These products come in various forms, including physical and
virtual appliances and server software.

VPN
A virtual private network encrypts the connection from an endpoint to a network,
often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets
Layer to authenticate the communication between device and network.

Web security
A web security solution will control your staff’s web use, block web-based threats,
and deny access to malicious websites. It will protect your web gateway on site or in
the cloud. "Web security" also refers to the steps you take to protect your own
website.

Wireless security
Wireless networks are not as secure as wired ones. Without stringent security
measures, installing a wireless LAN can be like putting Ethernet ports everywhere,
including the parking lot. To prevent an exploit from taking hold, you need products
specifically designed to protect a wireless network.

Firewalls:-

A firewall is a system designed to prevent unauthorized access to or from a private
network. You can implement a firewall in either hardware or software form, or a
combination of both. Firewalls prevent unauthorized internet users from accessing
private networks connected to the internet, especially intranets.

What are the 3 types of firewalls?

There are three basic types of firewalls used by companies to protect their data and
devices and keep destructive elements out of the network, viz. Packet Filters, Stateful
Inspection and Proxy Server Firewalls.

SECURING NETWORK TRANSACTION:-

The most prevalent method for paying for the things you purchase online is still the
credit card. The following list provides some tips on how to make sure your transaction
is secure. For a more extensive explanation of encryption and Internet security, check
out How Encryption Works.

• Use the latest Internet browser. The program that you use to surf the Internet
is called a browser. This software has built-in encryption capabilities that
scramble the information you send to a server. Using the most recent browser
ensures that the data is protected using the latest encryption technology. This
technology also uses a Secure Sockets Layer (SSL), which is an Internet security
protocol used by Internet browsers and Web servers to transmit sensitive
information. The server receiving the data uses special "keys" to decode it. You
can make sure you are on an SSL connection by checking the URL -- the http at the
beginning of the address should have changed to https. Also, you should notice
a small lock icon in the status bar at the bottom of your browser window.
• Look for digital certificates that authenticate the entity you are dealing with.
Independent services like VeriSign will authenticate the identity of the Web site
you are visiting. Web sites that use this service (usually those that sell items or
services online) will have the VeriSign logo. By clicking on the logo, you can be
assured that the site is legitimate, rather than a clone of the legitimate company
set up to collect your personal and financial information.

• Read the privacy policy. The information you enter on the Web site should be
kept confidential. Make sure you read the company's privacy policy to ensure
that your personal information won't be sold to others. Services like TRUSTe
review a company's privacy policy (for a fee) and then allow the company to
post the TRUSTe logo if its privacy policy follows certain industry standards for
consumer protection.
• Only use one credit card for all of your online purchases.
• Never give out passwords or user ID information online unless you know
who you are dealing with and why they need it. Don't give it out to your
Internet service provider if you get an e-mail requesting it. This is a relatively
recent scam used to access your account and get your credit card number, along
with whatever other personal information is there.
• Keep records of all of your Internet transactions. Watch your credit card
statement for the charges and make sure they're accurate.
• After you've made purchases online, check your e-mail. Merchants often send
confirmation e-mails or other communications about your order.

Transaction Security:-
Cryptology:-

Cryptology is the science concerned with data communication and storage in secure and
usually secret form. It encompasses both cryptography and cryptanalysis.
The term cryptology is derived from the Greek kryptós (“hidden”) and lógos (“word”).
Security obtains from legitimate users being able to transform information by virtue of a
secret key or keys—i.e., information known only to them. The resulting cipher, although
generally inscrutable and not forgeable without the secret key, can be decrypted by
anyone knowing the key either to recover the hidden information or to authenticate the
source. Secrecy, though still an important function in cryptology, is often no longer the
main purpose of using a transformation, and the resulting transformation may be only
loosely considered a cipher.
Cryptography (from the Greek kryptós and gráphein, “to write”) was originally the study
of the principles and techniques by which information could be concealed in ciphers and
later revealed by legitimate users employing the secret key. It now encompasses the
whole area of key-controlled transformations of information into forms that are either
impossible or computationally infeasible for unauthorized persons to duplicate or undo.

What is the difference between cryptography and cryptology?

Cryptology is the study of codes, both creating and solving them. Cryptography is the
art of creating codes. Cryptanalysis is the art of surreptitiously revealing the contents
of coded messages, breaking codes, that were not intended for you as a recipient.

Cryptographic Algorithms:-

Cryptographic algorithms are used for important tasks such as data
encryption, authentication, and digital signatures, but one problem has to be solved to
enable these algorithms: binding cryptographic keys to machine or user
identities. Public key infrastructure (PKI) systems are built to bridge useful identities
(email addresses, Domain Name System addresses, etc.) and the cryptographic keys
used to authenticate or encrypt data passing among these identities. This chapter will
explain the cryptographic background that forms the foundation of PKI systems, the
mechanics of the X.509 PKI system (as elaborated by a number of standards bodies),
practical issues surrounding the implementation of PKI systems, a number of alternative
PKI standards, and alternative cryptographic strategies for solving the problem of
secure public key distribution. PKI systems are complex systems that have proven to be
difficult to implement properly. This chapter aims to survey the basic architecture of PKI
systems and some of the mechanisms used to implement them. It does not aim to be a
comprehensive guide to all PKI standards or to contain sufficient technical detail to
allow implementation of a PKI system.

Cryptography

Jason Andress, in The Basics of Information Security, 2011

Symmetric Key Algorithms
Some of the cryptographic algorithms that are more recognizable to the general public
are symmetric key algorithms. Several of these, such as DES, 3DES, and AES, are or
have been in regular use by the U.S. government and others as standard algorithms for
protecting highly sensitive data.
DES first came into use in 1976 in the United States and has since been used by a
variety of parties globally. DES is a block cipher based on symmetric key
cryptography and uses a 56-bit key. Although DES was considered to be very secure
for some period of time, it is no longer considered to be so. In 1999, a distributed
computing project was launched to break a DES key by testing every possible key in the
entire keyspace, and the project succeeded in doing so in a little more than 22 hours.
This weakness brought about by the short key length was compensated for a period of
time through the use of 3DES (pronounced triple DES), which is simply DES used to
encrypt each block three times, each time with a different key. DES can operate in
several different block modes, including Cipher Block Chaining (CBC), Electronic Code
Book (ECB), Cipher Feedback (CFB), Output Feedback (OFB), and Counter Mode
(CTR). Each mode changes the way encryption functions and the way errors are
handled.
AES is a set of symmetric block ciphers used by the U.S. government, and now a
variety of other organizations, and is the replacement for DES as the standard
encryption algorithm for the U.S. federal government. AES uses three different ciphers:
one with a 128-bit key, one with a 192-bit key, and one with a 256-bit key, all having a
block length of 128 bits. A variety of attacks have been attempted against AES, most of
them against encryption using the 128-bit key, and most of them unsuccessful, partially
successful, or questionable altogether. At the time of this writing, the U.S. government
still considers AES to be secure. AES shares the same block modes that DES uses and
also includes other modes such as XEX-based Tweaked CodeBook (TCB) mode.
There are a large number of other well-known symmetric block ciphers, including
Twofish, Serpent, Blowfish, CAST5, RC6, and IDEA, as well as stream ciphers, such as
RC4, ORYX, and SEAL.

There are three main types of cryptographic algorithms: (1) secret key, (2) public key,
and (3) hash functions. Pick an algorithm for any one of
these types (e.g., DES, AES, RSA, MD5) and describe how it works and where it is
applied (For example SSL uses 3DES or DES) for message encryption.

Public Key Algorithms

Privacy is accomplished with public key algorithms in one of two fashions. The first
method is to only use the public key algorithm to encode plaintext into ciphertext (Figure
9.1). For example, RSA can accept a short plaintext and encrypt it directly. This is
useful if the application must only encrypt short messages. However, this convenience
comes at a price of speed. As we will see shortly, public key operations are much
slower than their symmetric key counterparts.
Figure 9.1. Public Key Encryption

The second useful way of accomplishing privacy is in a mode known as hybrid
encryption (Figure 9.2). This mode leverages the key distribution benefits of public key
encryption and the speed benefits of symmetric algorithms. In this mode, each
encrypted message is processed by first choosing a random symmetric key, encrypting
that key with the public key algorithm, and finally encrypting the message with the
random symmetric key. The ciphertext is then the combination of the public-key-encrypted
symmetric key and the symmetrically encrypted message.
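A worked version of the hybrid mode just described, added here as an illustration and not code from the chapter being quoted: RSA-OAEP wraps a fresh AES-256 key and AES-GCM encrypts the message under it. The choice of those two primitives and the three-field ciphertext layout are this example's assumptions; the text names neither.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HybridCiphertext is "the combination" the text describes: the random
// symmetric key encrypted under the recipient's public key, plus the
// message encrypted under that symmetric key. (RSA-OAEP and AES-256-GCM
// are this example's choices; the text names no particular primitives.)
type HybridCiphertext struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce      []byte // AES-GCM nonce, fresh per message
	Body       []byte // AES-GCM(session key, message), auth tag appended
}

// newGCM builds an AES-GCM instance for a 32-byte session key.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HybridEncrypt follows the steps in the text: pick a random symmetric key,
// encrypt it with the public key algorithm, then encrypt the message with it.
// Only the short session key ever goes through the slow RSA operation.
func HybridEncrypt(pub *rsa.PublicKey, message []byte) (*HybridCiphertext, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &HybridCiphertext{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Body:       gcm.Seal(nil, nonce, message, nil),
	}, nil
}

// HybridDecrypt reverses the process with the recipient's private key.
// GCM authenticates the body, so a ciphertext altered in transit is
// rejected rather than decrypted to garbage.
func HybridDecrypt(priv *rsa.PrivateKey, ct *HybridCiphertext) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, ct.Nonce, ct.Body, nil)
	if err != nil {
		return nil, errors.New("message authentication failed")
	}
	return plain, nil
}

func main() {
	// Constructed sample: a 2048-bit recipient key and a short order message.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, err := HybridEncrypt(&priv.PublicKey, []byte("order 42: ship 1 item, card on file"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, body %d bytes\n", len(ct.WrappedKey), len(ct.Body))
	plain, err := HybridDecrypt(priv, ct)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)
	ct.Body[0] ^= 0x01 // simulate a bit flipped in transit
	_, err = HybridDecrypt(priv, ct)
	fmt.Println("after tampering:", err)
}
```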

Authentication protocol

An authentication protocol is a type of computer communications protocol or
cryptographic protocol specifically designed for transfer
of authentication data between two entities. It allows the receiving entity to authenticate
the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to
the connecting entity (Server to a client) by declaring the type of information needed for
authentication as well as syntax.[1] It is the most important layer of protection needed for
secure communication within computer networks.
Types:

Authentication protocols developed for PPP (Point-to-Point Protocol)
These protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote
clients before granting them access to server data. Most of them use a password as the cornerstone
of the authentication. In most cases, the password has to be shared between the communicating
entities in advance.

PAP - Password Authentication Protocol

Password Authentication Protocol is one of the oldest authentication protocols. Authentication is
initialized by the client sending a packet with credentials (username and password) at the beginning
of the connection, with the client repeating the authentication request until acknowledgement is
received.[6] It is highly insecure because credentials are sent "in the clear" and repeatedly, making it
vulnerable even to the most simple attacks like eavesdropping and man-in-the-middle based attacks.
Although widely supported, it is specified that if an implementation offers a stronger authentication
method, that method must be offered before PAP. Mixed authentication (e.g. the same client
alternately using both PAP and CHAP) is also not expected, as the CHAP authentication would be
compromised by PAP sending the password in plain-text.
CHAP - Challenge-handshake authentication protocol
The authentication process in this protocol is always initialized by the server/host and can be
performed at any time during the session, even repeatedly. The server sends a random string (usually 128B
long). The client uses the password and the received string as parameters to the MD5 hash function and
then sends the result, together with the username, in plain text. The server uses the username to apply the
same function and compares the calculated and received hash; the authentication succeeds or fails
accordingly.
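The CHAP exchange above, written out as an added example (not code from the original notes) with both sides' messages: the server issues a fresh random challenge, the client answers with MD5(identifier || secret || challenge) as laid out in RFC 1994, and the server recomputes and compares. The 16-byte challenge length, the username and secret are constructed sample values. The second round shows why the password itself is never learnable from the wire and why a captured response is useless against the next challenge, in contrast to PAP.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Server-side table of shared secrets (constructed sample data). In CHAP the
// password is shared in advance and never crosses the wire itself.
var secrets = map[string]string{
	"alice": "correct horse battery staple",
}

// ChallengeLen is this example's choice of challenge size; RFC 1994 lets the
// server pick the length, and the string must be fresh for every round.
const ChallengeLen = 16

// NewChallenge is the server's opening message: a packet identifier and a
// random challenge string.
func NewChallenge() (id byte, challenge []byte, err error) {
	buf := make([]byte, 1+ChallengeLen)
	if _, err = rand.Read(buf); err != nil {
		return 0, nil, err
	}
	return buf[0], buf[1:], nil
}

// ChapResponse is what the client computes and sends back together with its
// username: MD5(identifier || secret || challenge), the layout from RFC 1994.
func ChapResponse(id byte, secret string, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write([]byte(secret))
	h.Write(challenge)
	return h.Sum(nil)
}

// VerifyChap is the server side: look up the user's secret, recompute the
// digest over the challenge it issued and compare in constant time, so that
// timing does not leak how many bytes of a guessed digest were right.
func VerifyChap(user string, id byte, challenge, response []byte) bool {
	secret, ok := secrets[user]
	if !ok {
		// Do the same hashing work for unknown users so the lookup result
		// is not distinguishable by response time.
		ChapResponse(id, "", challenge)
		return false
	}
	expected := ChapResponse(id, secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Round 1: a legitimate client answers the server's challenge. Note what
	// an eavesdropper sees: username, id, challenge and digest, no password.
	id, ch, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	resp := ChapResponse(id, secrets["alice"], ch)
	fmt.Printf("on the wire: user=alice id=%d challenge=%x response=%x\n", id, ch, resp)
	fmt.Println("server accepts:", VerifyChap("alice", id, ch, resp))

	// Round 2: the captured (challenge, response) pair replayed against the
	// server's next, different challenge is rejected.
	id2, ch2, _ := NewChallenge()
	fmt.Println("replay accepted:", VerifyChap("alice", id2, ch2, resp))
}
```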
EAP - Extensible Authentication Protocol
EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in IEEE
802.3, IEEE 802.11(WiFi) or IEEE 802.16 as a part of IEEE 802.1x authentication framework. The
latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general
authentication framework for client-server authentication - the specific way of authentication is
defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most
common are:

• EAP-MD5
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-PEAP
AAA architecture protocols (Authentication, Authorization, Accounting)
Complex protocols used in larger networks for verifying the user (Authentication), controlling access
to server data (Authorization) and monitoring network resources and information needed for billing of
services (Accounting).
TACACS, XTACACS and TACACS+
TACACS is the oldest AAA protocol, using IP based authentication without any encryption (usernames and
passwords were transported as plain text). Later version XTACACS (Extended TACACS) added
authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+
separates the AAA components thus they can be segregated and handled on separate servers (It
can even use another protocol for e.g. Authorization). It uses TCP (Transmission Control Protocol)
for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a full AAA protocol commonly used by ISPs.
Credentials are mostly username-password based; it runs between a network access server (NAS) and
the RADIUS server and uses UDP for transport.[7]
DIAMETER
Diameter (protocol) evolved from RADIUS and involves many improvements such as usage of more
reliable TCP or SCTP transport protocol and higher security thanks to TLS.[8]

Other:
Kerberos (protocol)
Kerberos is a centralized network authentication system developed at MIT and available as a free
implementation from MIT but also in many commercial products. It is the default authentication
method in Windows 2000 and later. The authentication process itself is much more complicated than
in the previous protocols - Kerberos uses symmetric key cryptography, requires a trusted third
party and can use public-key cryptography during certain phases of authentication if need be.

Digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or
documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very
strong reason to believe that the message was created by a known sender (authentication), and that
the message was not altered in transit (integrity).[1]
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly
used for software distribution, financial transactions, contract management software, and in other
cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement electronic signatures, which includes any electronic
data that carries the intent of a signature,[2] but not all electronic signatures use digital
signatures.[3][4] In some countries, including South Africa,[5] the United
States, Algeria,[6] Turkey, India,[7] Brazil, Indonesia, Mexico, Saudi
Arabia,[8] Uruguay,[9] Switzerland and the countries of the European Union,[10][11] electronic signatures
have legal significance.

Digital signatures employ asymmetric cryptography. In many instances they provide a layer of
validation and security to messages sent through a non-secure channel: Properly implemented, a
digital signature gives the receiver reason to believe the message was sent by the claimed sender.
Digital seals and signatures are equivalent to handwritten signatures and stamped seals.[12] Digital
signatures are equivalent to traditional handwritten signatures in many respects, but properly
implemented digital signatures are more difficult to forge than the handwritten type. Digital signature
schemes, in the sense used here, are cryptographically based, and must be implemented properly to
be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot
successfully claim they did not sign a message, while also claiming their private key remains secret.
Further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if
the private key is exposed, the signature is valid. Digitally signed messages may be anything
representable as a bitstring: examples include electronic mail, contracts, or a message sent via
some other cryptographic protocol.

Applications
As organizations move away from paper documents with ink signatures or authenticity stamps,
digital signatures can provide added assurances of the evidence to provenance, identity, and status
of an electronic document as well as acknowledging informed consent and approval by a signatory.
The United States Government Printing Office (GPO) publishes electronic versions of the budget,
public and private laws, and congressional bills with digital signatures. Universities including Penn
State, University of Chicago, and Stanford are publishing electronic student transcripts with digital
signatures.
Below are some common reasons for applying a digital signature to communications:

Authentication
Although messages may often include information about the entity sending a message, that
information may not be accurate. Digital signatures can be used to authenticate the source of
messages. When ownership of a digital signature secret key is bound to a specific user, a valid
signature shows that the message was sent by that user. The importance of high confidence in
sender authenticity is especially obvious in a financial context. For example, suppose a bank's
branch office sends instructions to the central office requesting a change in the balance of an
account. If the central office is not convinced that such a message is truly sent from an authorized
source, acting on such a request could be a grave mistake.

Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after signature invalidates the signature.
Furthermore, there is no efficient way to modify a message and its signature to produce a new
message with a valid signature, because this is still considered to be computationally infeasible by
most cryptographic hash functions (see collision resistance).

Non-repudiation
Non-repudiation,[10] or more specifically non-repudiation of origin, is an important aspect of digital
signatures. By this property, an entity that has signed some information cannot at a later time deny
having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a
valid signature.
Note that these authentication, non-repudiation etc. properties rely on the secret key not having
been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked
secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation
status requires an "online" check; e.g., checking a certificate revocation list or via the Online
Certificate Status Protocol.[11] Very roughly this is analogous to a vendor who receives credit-cards
first checking online with the credit-card issuer to find if a given card has been reported lost or
stolen. Of course, with stolen key pairs, the theft is often discovered only after the secret key's use,
e.g., to sign a bogus certificate for espionage purpose.

Email Security
Email security refers to the collective measures used to secure the access and content
of an email account or service. It allows an individual or organization to protect the
overall access to one or more email addresses/accounts.
An email service provider implements email security to secure subscriber email
accounts and data from hackers - at rest and in transit.

Email security is a broad term that encompasses multiple techniques used to secure an
email service. From an individual/end user standpoint, proactive email security
measures include:

• Strong, unique passwords
• Password rotation (current guidance such as NIST SP 800-63B recommends changing a password
  when compromise is suspected rather than on a fixed schedule)
• Spam filters
• Desktop-based anti-virus/anti-spam applications

Similarly, a service provider ensures email security by using strong password and
access control mechanisms on an email server; encrypting and digitally signing email
messages when in the inbox or in transit to or from a subscriber email address. It also
implements firewall and software-based spam filtering applications to restrict
unsolicited, untrustworthy and malicious email messages from delivery to a user’s
inbox.

Security Protocols For Web Commerce:-

Security and encryption in e-commerce is a growing need among companies and
marketplaces. A Check Point report stated that cybercrime would continue at a constant rate in
2019, but that attacks would become more sophisticated and intelligent.
Encryption is one of the most effective methods of improving cybersecurity. Sensitive customer
information (user names, passwords, bank details, etc.) can be protected through encryption: the
data is transformed with a key so that only the sender and the intended recipient, who hold the
corresponding key, can recover it. Stolen ciphertext is then of no use to cybercriminals, who
cannot decipher it without the key. Note that encryption on its own protects confidentiality, not
integrity; the digital signatures described above are what detect tampering.

Another essential resource for securing e-commerce is the digital certificate: a statement signed
by a certificate authority that binds a public key to a verified identity (normally the web site's),
so that a visitor can check that it is talking to the genuine site and not an impostor. A
certificate identifies the server, not the visitor, and does not by itself tell a human user apart
from a bot. SSL/TLS and SET are the two protocols discussed below and are worth studying in depth.

SSL: PROTECTION FOR ONLINE DATA TRANSFER

Secure Sockets Layer (SSL), together with its successor TLS, has become one of the musts of the
internet. It is used by both large companies and small bloggers. Its purpose is to protect data
exchanged between a website (the server) and its visitors (the clients): the connection is
encrypted and the server proves its identity with a certificate. The SSL protocol versions
themselves (SSL 2.0 and 3.0) are deprecated and should be disabled; what is still commonly
called "an SSL certificate" is in practice used with TLS.

Identifying sites served over SSL/TLS is easy: a padlock appears in the browser's address bar.
The padlock means that the connection is encrypted and that the certificate is valid for the host
name shown; it does not mean that the site is trustworthy or that the data is safe once it
reaches the server. Creating a secure connection requires the hosting server to have a certificate
installed for its host name. These certificates are inexpensive, and the Let's Encrypt certificate
authority issues them free of charge; many hosting providers install and renew them automatically.

SET: SECURITY PLUS FOR YOUR MONETARY TRANSACTIONS

If you are wondering what secure e-commerce payment protocol you could implement, SET is one
answer. The initials of this protocol stand for Secure Electronic Transaction. As its name
indicates, it is a system to guarantee the security of monetary transactions in digital
environments.

The operation of SET is simple in outline. Generally speaking, this protocol provides a series of
certificates and digital signatures between the consumer, the merchant and the banking entity,
which govern the monetary transaction from its beginning to its end; the merchant never sees the
card number in the clear. Considering that it was created by Visa and MasterCard in collaboration
with giants such as Microsoft, IBM and Netscape, the soundness of the SET design is not
surprising. In practice, however, SET required client-side certificates and wallet software,
proved too complex and costly to deploy, and never achieved wide adoption; the card networks
replaced it with schemes such as 3-D Secure.

TLS: THE SUCCESSOR TO SSL

Transport Layer Security (TLS) is the evolution of the aforementioned SSL. It is a protocol, not
a certificate: its objective is to provide secure connections by encrypting and authenticating the
data sent between two parties, and the same X.509 certificates serve both SSL and TLS. TLS is used
wherever SSL was, on the web (HTTPS) as well as for e-mail (SMTP, IMAP and POP over TLS), and a
server can be configured to accept several protocol versions so that each client negotiates the
highest version both sides support.

Netscape created the SSL protocol, and later the IETF (Internet Engineering Task Force) developed
TLS. The two work in a similar way, but they are not the same: the algorithms of TLS are stronger
and more versatile than those of its predecessor. SSL 2.0 and 3.0 have been formally deprecated
(RFC 6176 and RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996); TLS 1.2 and TLS 1.3 are the versions
a server should offer today.

HTTPS: ADDING A SECURITY LAYER TO THE CLASSIC HTTP

When we talk about HTTPS we mean Hypertext Transfer Protocol Secure. It is not a new protocol
but HTTP carried inside an SSL/TLS connection (specified in RFC 2818 by Eric Rescorla in 2000),
so the whole request and response, including URL paths, cookies and form data, is encrypted and
the server is authenticated. Today most e-commerce traffic is carried over HTTPS; plain HTTP,
which sends everything in the clear, is on the way to disappearing.

Due to the growing number of cyber attacks, the use of HTTPS has become widespread since 2018,
when the major browsers began labelling plain HTTP pages as "Not secure". Specialists recommend
HTTPS for every page of a site, not just the checkout, because a session cookie sent over HTTP on
any page can be stolen and used to hijack the account. S-HTTP (Secure HTTP, RFC 2660, published
in 1999 by Eric Rescorla and Allan M. Schiffman) was a competing scheme that encrypted individual
HTTP messages rather than the connection; it was never adopted by browsers and is of historical
interest only.
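
What the browser actually checks before it shows the padlock is worth seeing in code. The
following Go program is an added example written for this page, not code from any of the products
or protocols mentioned: it issues a throw-away root CA and a leaf certificate for the made-up host
`shop.example` (the names, dates and ephemeral P-256 keys are assumptions of the example), then
runs the same `x509` verification a TLS client performs, once for the honest case and once for each
of the failures a certificate is meant to catch: a look-alike host name, an expired certificate,
and a root that is not in the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixed "current time" so validity checks are deterministic (assumption of the example).
var now = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)

// issue creates a certificate from tmpl, signed by parent with parentKey, or
// self-signed when parent is nil. Keys are ephemeral P-256 keys.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain plays the certificate authority: a root CA certificate plus a
// leaf certificate for the shop's host names, valid for 90 days.
func BuildChain() (root, leaf *x509.Certificate, err error) {
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames:  []string{"shop.example", "www.shop.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = issue(leafTmpl, root, rootKey)
	return root, leaf, err
}

// VerifyServerCert is the check a browser performs before showing the padlock:
// the leaf must chain to a trusted root, be issued for the host the user typed,
// be inside its validity period, and be allowed for server authentication.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	cases := []struct {
		name  string
		roots *x509.CertPool
		host  string
		at    time.Time
	}{
		{"trusted root, right host", trusted, "shop.example", now},
		{"look-alike host", trusted, "shop-example.com", now},
		{"expired certificate", trusted, "shop.example", now.Add(100 * 24 * time.Hour)},
		{"root not in trust store", x509.NewCertPool(), "shop.example", now},
	}
	for _, c := range cases {
		fmt.Printf("%-28s -> %v\n", c.name, VerifyServerCert(leaf, c.roots, c.host, c.at))
	}
}
```

The server side is the other half of the picture: in Go, `tls.Config{MinVersion: tls.VersionTLS12}`
refuses the deprecated SSL and TLS 1.0/1.1 versions outright, and a client that sets
`InsecureSkipVerify: true` skips exactly the checks above, which turns TLS into encryption to
whoever happens to answer the connection.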

ELECTRONIC PAYMENT SYSTEM:-


An e-payment system is a way of making transactions or paying for goods and
services through an electronic medium, without the use of checks or cash. It's also
called an electronic payment system or online payment system.

OR

E-commerce sites use electronic payment, where electronic payment refers to paperless
monetary transactions. Electronic payment has revolutionized the business processing
by reducing the paperwork, transaction costs, and labor cost. Being user friendly and
less time-consuming than manual processing, it helps business organization to expand
its market reach/expansion. Listed below are some of the modes of electronic payments

• Credit Card
• Debit Card
• Smart Card
• E-Money
• Electronic Fund Transfer (EFT)

Credit Card
Payment by credit card is one of the most common modes of electronic payment. A credit card is
a small plastic card with a unique number attached to an account. It also has a magnetic stripe
(and, on newer cards, a chip) that lets card readers read it. When a customer purchases a
product with a credit card, the card issuer bank pays on behalf of the customer, and the customer
has a certain time period, usually the monthly billing cycle, within which to pay the credit card
bill. Following are the actors in the credit card system.

• The card holder − customer
• The merchant − seller of the product, who can accept credit card payments
• The card issuer bank − the card holder's bank
• The acquirer bank − the merchant's bank
• The card brand − for example, Visa or Mastercard

Credit Card Payment Process

Step 1: The issuer bank issues and activates a credit card for the customer on his/her request.

Step 2: The customer presents the credit card information to the merchant site, or to the
merchant from whom he/she wants to purchase a product/service.

Step 3: The merchant sends an authorization request, through the acquirer bank and the card
brand network, to the issuer bank, which checks that the card is valid and that the credit limit
allows the purchase.

Step 4: The issuer approves (or declines) the transaction and the approval code travels back to
the merchant, who keeps the sales slip (the transaction record) as proof of the sale.

Step 5: The merchant submits the sales slips to the acquirer bank and is credited the sale
amount less the service charges (the merchant discount).

Step 6: The acquirer bank requests the card brand company to clear the amount and receives the
payment.

Step 7: The card brand company in turn clears the amount with the issuer bank, and the amount is
transferred from the issuer to the card brand company; the issuer recovers it from the customer
when the bill is paid.
Debit Card
A debit card, like a credit card, is a small plastic card with a unique number mapped to a bank
account number. A bank account is required before a debit card can be obtained from the bank. The
major difference between a debit card and a credit card is that in the case of payment by debit
card, the amount is deducted from the card's bank account immediately, and there must be sufficient
balance in the bank account for the transaction to be completed; a credit card transaction has no
such requirement.
Debit cards free the customer from carrying cash and cheques, and merchants accept them readily.
The daily limit on the amount that can be withdrawn with a debit card helps the customer keep a
check on his/her spending; it also caps the loss if the card and PIN are compromised.

Smart Card
A smart card is again similar to a credit card or a debit card in appearance, but it has a small
microprocessor chip embedded in it. It has the capacity to store a customer's work-related and/or
personal information. Smart cards are also used to store money, and the amount is deducted after
every transaction.
Smart cards can only be accessed using a PIN that every customer is assigned. Smart cards are
secure because they store information in encrypted form and the chip can perform cryptographic
operations itself, so, unlike a magnetic stripe, the card cannot be copied simply by reading it;
they are also less expensive to process and provide faster processing. Mondex and Visa Cash cards
are examples of smart cards.

E-Money
E-money transactions refer to situations where payment is made over the network and the amount is
transferred from one financial body to another without the involvement of a middleman. E-money
transactions are faster and more convenient, and save a lot of time.
Online payments made via credit cards, debit cards or smart cards are examples of e-money
transactions. Another popular example is e-cash. In the case of e-cash, both the customer and the
merchant have to sign up with the bank or company issuing the e-cash.

Electronic Fund Transfer


It is a very popular electronic payment method to transfer money from one bank account
to another bank account. Accounts can be in the same bank or different banks. Fund
transfer can be done using ATM (Automated Teller Machine) or using a computer.
Nowadays, internet-based EFT is getting popular. In this case, a customer uses the
website provided by the bank, logs in to the bank's website and registers another bank
account. He/she then places a request to transfer certain amount to that account.
Customer's bank transfers the amount to other account if it is in the same bank,
otherwise the transfer request is forwarded to an ACH (Automated Clearing House) to
transfer the amount to other account and the amount is deducted from the customer's
account. Once the amount is transferred to other account, the customer is notified of the
fund transfer by the bank.

Pre-Paid Electronic Payment System:

Prepaid payment instruments are methods that facilitate purchase of goods and services against
the value stored on such instruments. The value stored on such instruments represents the value
paid for by the holder, by cash, by debit to a bank account, or by credit card.[1]
The prepaid instruments can be issued as smart cards, magnetic stripe cards, internet
accounts, online wallets, mobile accounts, mobile wallets, paper vouchers and any such instruments
used to access the prepaid amount.[1]

Categories of Prepaid Payment Instruments

The prepaid payment instruments that can be issued in the country are classified under the following
categories:[1]

Closed System Payment Instruments

These are payment instruments issued by a person for facilitating the purchase of goods and
services from him/her/it.

Semi-Closed System Payment Instruments

These payment instruments are redeemable at a group of clearly identified merchants that contract
specifically with the issuer to accept the payment instrument. These instruments do not permit cash
withdrawal or redemption by the holder.

Semi-open System Payment Instruments

These are payment instruments that can be used to purchase goods and services at any card-accepting
merchant location (point of sale terminals). These instruments do not permit cash withdrawal or
redemption by the holder.

Open System Payment Instruments

These payment instruments can be used for the purchase of goods and services and also permit cash
withdrawal at ATMs, merchant locations and automated business correspondents.

Mobile Prepaid Instruments

These are prepaid talk-time instruments issued by mobile service providers. This talk-time value can
also be used to purchase 'value added services' from the mobile service provider or third-party
service providers.

Post Paid Electronic Payment System:

In a post-paid payment system the customer receives the goods or services first and the money is
collected afterwards, through an intermediary (a bank or payment gateway) that settles with the
merchant.

Post Paid payment system and its types

Post-paid payment systems can be divided into three categories:

Credit Cards

A credit card is a plastic card issued by a bank to customers with a good credit rating. The
necessary information is stored in magnetic form on the card (and on a chip in newer cards). A
card holder can purchase items from shops or showrooms without paying cash: he/she presents the
card at the machine at the place where the purchase is being made. Banks issue credit cards with
a certain credit limit. Customers can purchase goods/services from authorized outlets without
carrying physical cash. The bills are presented by the outlet to its bank (the acquirer), which
presents them to the issuing bank, and the issuing bank informs the customer of the debit. Banks
charge nominal fees for credit cards.

Credit cards are widely used for online purchases. Merchants like credit cards because they are
issued by a bank on the basis of the card holder's creditworthiness and so, unlike cheques, carry
no risk of bouncing. Customers like purchasing through credit cards because if they do not receive
the goods or services as per the terms and conditions, they can dispute the transaction and have
it reversed (a charge-back).

For online transactions, credit cards are the easiest method of payment. Credit card payment for
online transactions can be performed by phone or by filling in a form on the website; in the
latter case the form must be served over HTTPS so that the card number is never sent in the clear.
The credit card holder has to exercise great caution. If the card is lost, an FIR (police report)
should be lodged and the concerned bank informed immediately so that the card can be blocked.
Cyber Cash

Unlike the credit card scheme above, CyberCash is not directly involved in handling funds. In the
CyberCash system, after deciding what is to be purchased, the customer pays the merchant by credit
card without disclosing the credit card number to the merchant: the card number is sent to the
merchant in encrypted form, readable only by the CyberCash gateway. The merchant signs the
encrypted payment with his private key and forwards it to the bank's CyberCash gateway server.
The gateway server decrypts the information, processes the transaction and forwards it to the
merchant's bank. The merchant's bank forwards the authorization request to the customer's bank.
The approval or denial code is sent back to the CyberCash gateway server, which returns it to the
seller, who then passes it on to the customer. The whole process takes 15-20 seconds.
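
The property CyberCash relied on, that the merchant relays the card details without being able to
read them, is easy to demonstrate with public-key encryption. The Go program below is an added
example for this page, not CyberCash's own code or message format: the customer seals the card
details with RSA-OAEP to the gateway's public key, the merchant forwards the opaque envelope, and
the gateway opens it. The key size, the field names and the PAN (a constructed test number, not
real card data) are assumptions of the example, and the original system's wallet software is not
reproduced. Using the merchant identifier as the OAEP label goes one step beyond the description
above: it binds the ciphertext to one merchant, so a captured envelope cannot be replayed to the
gateway under another merchant's name.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CardPayment is what the customer's wallet software seals for the gateway.
type CardPayment struct {
	PAN      string `json:"pan"`      // constructed test value in main(), never real card data
	Expiry   string `json:"expiry"`
	Amount   int64  `json:"amount"`   // minor units, so no floating-point rounding
	Merchant string `json:"merchant"` // merchant identifier the payment is meant for
}

// Envelope is what travels customer -> merchant -> gateway. The merchant needs
// the ID and amount for its own records; the card details stay opaque to it.
type Envelope struct {
	MerchantID string
	Amount     int64
	Sealed     []byte
}

// NewGatewayKey generates the gateway's RSA key pair (2048 bits is an
// assumption of the example; the public half would be distributed in a certificate).
func NewGatewayKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// CustomerSeal encrypts the card details with RSA-OAEP to the gateway's public
// key, using the merchant ID as the OAEP label so the ciphertext only opens
// when presented under that merchant's name.
func CustomerSeal(gateway *rsa.PublicKey, p CardPayment) (Envelope, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return Envelope{}, err
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gateway, plain, []byte(p.Merchant))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{MerchantID: p.Merchant, Amount: p.Amount, Sealed: sealed}, nil
}

// LeaksPAN is the merchant's (or an eavesdropper's) view of the envelope:
// does it contain the card number in the clear?
func LeaksPAN(e Envelope, pan string) bool { return bytes.Contains(e.Sealed, []byte(pan)) }

// GatewayOpen is the gateway-side step: decrypt with the private key, then
// cross-check the header fields the merchant could have altered against the
// sealed copy before the transaction goes on to the banks.
func GatewayOpen(gateway *rsa.PrivateKey, e Envelope) (CardPayment, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, gateway, e.Sealed, []byte(e.MerchantID))
	if err != nil {
		return CardPayment{}, errors.New("cannot open envelope: wrong key, wrong merchant label or tampered ciphertext")
	}
	var p CardPayment
	if err := json.Unmarshal(plain, &p); err != nil {
		return CardPayment{}, err
	}
	if p.Merchant != e.MerchantID || p.Amount != e.Amount {
		return CardPayment{}, errors.New("envelope header does not match sealed payment")
	}
	return p, nil
}

func main() {
	gateway := NewGatewayKey()
	// Constructed test payment; 4111111111111111 is a well-known test PAN.
	env, err := CustomerSeal(&gateway.PublicKey, CardPayment{PAN: "4111111111111111", Expiry: "12/27", Amount: 49900, Merchant: "merchant-42"})
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant can see PAN:", LeaksPAN(env, "4111111111111111"))
	p, err := GatewayOpen(gateway, env)
	fmt.Println("gateway recovered PAN ending", p.PAN[len(p.PAN)-4:], "amount", p.Amount, "err", err)
	env.MerchantID = "merchant-99" // a dishonest merchant relabels the payment as its own
	_, err = GatewayOpen(gateway, env)
	fmt.Println("relabelled envelope:", err)
}
```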

Internet Cheques

A cheque is a signed paper document that orders the signer's bank to pay an amount of money to
a person specified on the cheque, or to the bearer, from the signer's account on or after a
specified date. Cheques pass directly from the payer to the payee, so that the timing and the
purpose of the payment are clear to the payee. The payee can deposit the cheque in an account of
his choice or cash it. Banks operate extensive facilities to accept cheques for deposit, process
them internally, and clear and settle between banks.
The electronic cheque, or e-cheque, is based on the idea that electronic documents can be
substituted for paper and public-key cryptographic signatures for handwritten signatures. The
e-cheque is designed to fit into current cheque practices and systems with minimum impact on
payers, payees, banks and the financial system.
The payer writes a cheque by structuring an electronic document with the information legally
required to be in a cheque and cryptographically signing it. The payee receives the e-cheque,
verifies the payer's signature, writes out a deposit, and signs the deposit. The payee's bank
verifies the payer's and payee's signatures, credits the payee's account and forwards the cheque
for clearing and settlement. The credit is therefore not a final credit but a float, or temporary
credit, to be confirmed after the cheque has been cleared by the paying bank in the settlement
process. The payer's bank verifies the payer's signature and debits the payer's account. The
advantage of the e-cheque is that the cryptographic signature on every e-cheque can be verified at
all points, whereas handwritten signatures on paper cheques are rarely verified. Verification is
only meaningful if the verifying bank also knows which public key belongs to which account holder
and whether that key has been revoked.
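
The signing, endorsement and clearing steps above, together with the integrity, non-repudiation
and revocation points made earlier under digital signatures, are shown end to end in the following
Go program. It is an added example written for this page, not the e-cheque standard's own format
or any bank's code: the cheque fields, the account identifiers, the dates and the Ed25519 key
pairs are assumptions of the example, and the in-memory revocation list stands in for a CRL or
OCSP lookup. The bank-side check that the signing key is the one registered for the payer's
account is the part most toy signature demos omit, and without it a valid signature proves
nothing about who owns the money.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cheque is the structured document the payer signs. The field set is an
// assumption of this example (the legal minimum varies by jurisdiction).
type Cheque struct {
	Payer  string `json:"payer"`  // drawer's account identifier
	Payee  string `json:"payee"`  // account the cheque is made out to
	Amount int64  `json:"amount"` // minor units, so no floating-point rounding
	Date   string `json:"date"`   // YYYY-MM-DD; payable on or after this date
	Serial string `json:"serial"` // cheque number, lets the bank detect replays
}

// Signed carries a message with the signer's public key and signature, so any
// party that receives it can verify the signature for itself.
type Signed struct {
	Body   []byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

// NewKey generates an Ed25519 key pair for one party (payer, payee, ...).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func Sign(priv ed25519.PrivateKey, body []byte) Signed {
	return Signed{Body: body, PubKey: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, body)}
}

// Verify fails if a single byte of Body changed after signing (integrity).
func (s Signed) Verify() bool { return ed25519.Verify(s.PubKey, s.Body, s.Sig) }

// Deposit is the payee's endorsement: the payer's signed cheque plus the
// account to credit, signed again by the payee.
type Deposit struct {
	Cheque  Signed
	Account string
}

// Revocations records when a key's owner reported it compromised (the role a
// CRL or OCSP responder plays for certificates).
type Revocations map[string]time.Time

// WriteCheque: the payer structures the document and signs it.
func WriteCheque(payerKey ed25519.PrivateKey, c Cheque) (Signed, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	return Sign(payerKey, body), nil
}

// Endorse: the payee verifies the payer's signature, writes the deposit and signs it.
func Endorse(payeeKey ed25519.PrivateKey, cheque Signed, account string) (Signed, error) {
	if !cheque.Verify() {
		return Signed{}, errors.New("payer signature invalid")
	}
	body, err := json.Marshal(Deposit{Cheque: cheque, Account: account})
	if err != nil {
		return Signed{}, err
	}
	return Sign(payeeKey, body), nil
}

// BankClear: the bank verifies both signatures, confirms the signing key is the
// one registered for the payer's account, checks revocation and the date, and
// returns the cheque to post as a provisional ("float") credit.
func BankClear(registry map[string]ed25519.PublicKey, revoked Revocations, deposit Signed, now time.Time) (Cheque, error) {
	if !deposit.Verify() {
		return Cheque{}, errors.New("payee signature invalid")
	}
	var d Deposit
	if err := json.Unmarshal(deposit.Body, &d); err != nil {
		return Cheque{}, err
	}
	if !d.Cheque.Verify() {
		return Cheque{}, errors.New("payer signature invalid")
	}
	var c Cheque
	if err := json.Unmarshal(d.Cheque.Body, &c); err != nil {
		return Cheque{}, err
	}
	if reg, ok := registry[c.Payer]; !ok || !reg.Equal(d.Cheque.PubKey) {
		return Cheque{}, errors.New("signing key is not registered for the payer's account")
	}
	// Without a trusted timestamp the cheque date cannot prove the signature predates
	// a revocation, so a key revoked by clearing time is rejected outright.
	if t, ok := revoked[string(d.Cheque.PubKey)]; ok && !now.Before(t) {
		return Cheque{}, errors.New("payer key has been revoked")
	}
	date, err := time.Parse("2006-01-02", c.Date)
	if err != nil || date.After(now) {
		return Cheque{}, errors.New("cheque is undated or post-dated")
	}
	if c.Amount <= 0 {
		return Cheque{}, errors.New("amount must be positive")
	}
	return c, nil
}

func main() {
	payer, payee := NewKey(), NewKey()
	registry := map[string]ed25519.PublicKey{"acct-1001": payer.Public().(ed25519.PublicKey)}
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	chq, _ := WriteCheque(payer, Cheque{Payer: "acct-1001", Payee: "acct-2002", Amount: 125000, Date: "2024-05-30", Serial: "000123"})
	dep, _ := Endorse(payee, chq, "acct-2002")
	c, err := BankClear(registry, Revocations{}, dep, now)
	fmt.Println("cleared amount:", c.Amount, "err:", err)
	// Alter one digit of the amount after signing: the payer's signature no longer verifies.
	forged := chq
	forged.Body = []byte(`{"payer":"acct-1001","payee":"acct-2002","amount":9125000,"date":"2024-05-30","serial":"000123"}`)
	fmt.Println("tampered cheque verifies:", forged.Verify())
}
```

Rejecting every cheque whose key is on the revocation list at clearing time is the conservative
choice the page's revocation discussion calls for: the date field is under the signer's control,
so a thief who backdates a cheque would otherwise slip past a "revoked before signing" test.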
UNIT – 4

MOBILE COMMERCE :INTRODUCTION , FRAMEWORK , AND MODELS

What Is Mobile Commerce:

M-commerce (mobile commerce) is the buying and selling of goods and services through
wireless handheld devices such as smartphones and tablets. As a form of e-commerce,
m-commerce enables users to access online shopping platforms without needing to use
a desktop computer. Examples of m-commerce include in-app purchasing, mobile
banking, virtual marketplace apps like the Amazon mobile app or a digital wallet such as
Apple Pay, Android Pay and Samsung Pay.

Over time, content delivery over wireless devices has become faster, more secure and
scalable. As of 2017 the use of m-commerce accounted for 34.5% of e-commerce
sales. The industries affected most by m-commerce include:

• Financial services, which includes mobile banking (when customers use their
handheld devices to access their accounts and pay their bills) as well as brokerage
services, in which stock quotes can be displayed and trading conducted from the
same handheld device.

• Telecommunications, in which service changes, bill payment and account reviews
can all be performed from the same handheld device.

• Service and retail, as consumers are given the ability to place and pay for orders
on-the-fly.

• Information services, which include the delivery of financial news, sports
figures and traffic updates to a single mobile device.
Types of m-commerce
M-commerce can be categorized by function as either mobile shopping, mobile banking or
mobile payments. Mobile shopping allows a customer to purchase a product from a mobile
device, using an application such as Amazon's, or over a web app. A subcategory of mobile
shopping is app commerce, which is a transaction that takes place over a native app. Mobile
banking includes any handheld technology that enables customers to conduct financial
transactions. This is typically done through a secure, dedicated app provided by the banking
institution. Mobile payments enable users to buy products in person using a mobile device.
Digital wallets, such as Apple Pay, allow a customer to buy a product without needing to swipe a
card or pay with physical cash.

How mobile commerce works

With most m-commerce enabled platforms, the mobile device is connected to a wireless network
that can be used to conduct online product purchases. For those in charge of developing an
m-commerce application, important KPIs to monitor include the total mobile traffic, the total
amount of traffic on the application, the average order value and the value of orders over time.
Similarly, tracking the mobile add-to-cart rate will help developers see if users are becoming
customers. M-commerce developers may also be interested in logging average page loading times,
mobile cart conversion rates and SMS subscriptions.

Mobile payment products specifically work by provisioning a bank card to the device: the wallet
app enrols the card with the card network and stores a device-specific token in the phone's secure
element or its equivalent, so the real card number is not exposed to the terminal or the merchant.
Once the card is provisioned, the phone can be held over a payment terminal to pay for a product.
This contactless payment using a mobile device is possible due to the use of Near Field
Communication (NFC).

Advantages and disadvantages of mobile commerce

The advantages of m-commerce include:

• Added customer retention by being more easily accessible.


• More convenience for customers in comparing prices, reading reviews and making
purchases without the need of a desktop computer.

• Wider variety of products and services.

• Automates a business's point of customer contact and sales.

Disadvantages of m-commerce include:

• A poorly executed mobile experience can deter customers from making purchases.

• Mobile payment options are not available in every geographic location and may
not support every type of digital wallet.

• Businesses must know and comply with tax laws and regulations of all countries
they ship to (some businesses will avoid this by only allowing purchases and
shipping from their country of origin).

Benefits Of Mobile commerce:-

1 Faster purchases

Many sites have mobile versions, but apps are generally 1.5 times faster when loading data and
search results on mobile devices. Moreover, an app can cache catalogue data locally instead of
fetching it from the server on every page, so customers can browse and purchase products faster.
As mobile e-commerce apps offer the same functionality as desktop sites, people can purchase
items directly within an app.

M-commerce revenue has been rising at 30-40% rate annually since 2014, and by the
end of 2017 is expected to reach $150b total. The biggest retail app Amazon increased
number of customers from 43 million in 2015 to 67 million in 2016. The reason for such
achievements is intuitive mobile browsing, which in turn drives sales up.

2 Better customer experience

Because it matters. People are well familiar with how smartphones and tablets work, so
they already know how to navigate to desired products in few clicks. In addition to
purchases, customers can share their joy of bought goods with friends, or ask for advice
from community of shopaholics. Smooth customer experience equals better conversion
rates and revenue.

To reach these goals, your online shopping app should be:

• Fast

• Convenient

• Interactive

• Exclusive

3 Direct connection to customers (push notifications)

This is something that is impossible with a website. Of course, one may send email
messages about new products or seasonal sales, but that channel loses badly to direct
customer notifications via mobile app. Push notifications are both instant and
unobtrusive at the same time, that’s a truly nice option for businesses. And one of the
major reasons to have a brand ecommerce app.

4 Tailored content

Based purely on individual preferences and shopping patterns with a mobile app you
can deliver personalized content to customers. And they love it (if you don’t overdo it,
surely). User location, interests, social media profiles, items viewed, etc. all can be
utilized to bring people what they need.

5 Deeper analytics

Knowing your customers equals prosperity in business these days. Knowing customers
demands data, at least very basic information like age, sex, location, shopping history.
Within your mobile app you may build and set user analytics of various levels of
sophistication. It depends on your business strategy and a budget available to make an
app.

With such data you will understand your target audience much better, and will be able to
increase sales. Names, phone numbers, emails, buying patterns and lots of other things
in store. For instance, Walmart app that 22 million customers use every month,
uses mobile data, online data and sales data combined to deliver better customer
experience. It is a whole and enormous infrastructure.

6 Cost reduction and productivity

By reaching your audience faster with a mobile app you obviously cut down marketing
campaign costs. If an app has social media integration, users will do their part too in
spreading the word. You can even earn from placing ads within your app later on.

7 Store navigation/geolocation

Mobile apps have a much better competitive (technical) advantage in regard to marketing
opportunities. Front and back cameras, code scanning, the positioning system for location,
compass, accelerometer, gyroscope and other built-in features can be used for commercial
purposes. One of the top benefits of m-commerce solutions is navigating users to the nearest
stores in their vicinity via GPS. Each of these sensors also yields personal data, so access
should be requested only when the feature is used and the collected data handled under the
applicable privacy rules.

Impediments In Mobile Commerce:-

Mobile commerce (mCommerce) is huge and growing rapidly. The following impediments were
identified in a user study of mobile shoppers.
Security

Most participants in the study worried about the possibility of having their phones hacked or
infected by viruses, issues that could lead to their personal or card details being intercepted.
They felt more exposed than when using their PCs. Whether the 'lack' of security on mobiles is
real or perceived, there are steps you can take to allay users' fears. Icons that represent
security, like padlocks, or a security accreditation such as a VeriSign seal, are simple ways of
doing this, and such cues are surprisingly sparse. Bear in mind that a seal is only reassurance:
it does not make the app any safer, and a fraudulent app can display the same image.
Screen size
The size of the screen makes it difficult to appreciate the detail of some products, such
as clothes and furniture. Consequently, many participants expressed a reluctance to complete
purchases of such items if they were unfamiliar with them. Screen sizes and their quality are
gradually improving, but if you are selling a product which is visually complex, try to help your
customer: have good zoom features for any images, or an option to send images to a desktop to
view on a larger scale.
Connectivity
The study also identified a significant level of reluctance amongst users due to a worry that
something might go wrong in the middle of a transaction. Consumers are less likely to engage in
transactions that involve payment while on the go because of the fear of "have I paid or haven't
I?" This problem is one of the more difficult to plan for, as phone connections are never 100%
reliable. However, there is no reason you cannot explain this: "If you are worried about losing
your connection halfway through payment, don't worry! We will let you know if payment went
through." A simple notification would suffice. On the back end, the payment request should carry
a unique order reference so that a request retried after a dropped connection is recognised as
the same payment and the customer is never charged twice.

MOBILE COMMERCE FRAMEWORK

Mobile commerce applications require a reliable wireless network infrastructure to move the
information and execute transactions in a distributed environment. These applications also rely
upon two key component technologies, i.e., the information publishing technology necessary for
the creation of suitable digital content that can be browsed through handheld devices with
limited memory, storage and processing capabilities; and information distribution technology to
move digital content and transaction information over wireless networks. Thus, in the mobile
commerce framework, network infrastructure forms the very foundation while publication and
distribution technologies are the two pillars that support the creation of distributed mobile
commerce applications.

In addition to technological infrastructure and applications, for electronic commerce to flourish
it is essential to have a business service infrastructure. The business service infrastructure
consists of directory services, location and search services, and trust mechanisms for private,
secure, reliable and non-repudiable transactions, along with online financial settlement
mechanisms, all operating over the network.

Wireless Network Infrastructure:

The combination of several technologies, i.e. digital communication through handheld devices,
embedded operating software for processing information, and digital connectivity through wireless
networks, is essential for mobile commerce applications to operate.

Wireless networks have evolved from basic voice-only, radio-based analog transmission and have
acquired digital voice and data transmission capability. Third-generation networks reached data
rates of about 2 Mbps; 4G and 5G networks have since raised this by orders of magnitude. The
following table describes the evolution of the wireless networks.

The early mobile telephone devices were basically analog voice-only devices that offered voice
communication using cellular telephony. The first generation, referred to as 1G in short, was
analog cellular telephony developed in 1978 and deployed during the 1980s. 1G technologies were
designed to transmit voice phone calls from wireless handsets. These calls were sent in the clear
and were easy to intercept using a scanner. Encryption of the radio link only arrived with the
digital 2G (GSM) networks, and even there the early ciphers have since been broken, so an
application must not rely on the carrier network for confidentiality and should use its own
end-to-end encryption (TLS) instead.

In the cellular mode of communication large geographical regions are identified and
allocated to service providers. The Telecom Regulatory Authority of India (TRAI)
handles the allocation and other regulatory issues, such as how many players can
operate within a specific area. Each of service provider is allocated a separate
frequency sub-bands within the overall frequency allotment. Service providers operating
in a particular region divide the entire region into smaller area called cells.

The cellular communication system consists of the components: the handheld device,
the transceiver within a cell, and the Mobile Telephone Switching Office (MTSO). The
service provider places an antenna at the center of the cell. The transmission and
reception pattern of the antenna, also called antenna pattern or footprint, is such that it
covers the entire cell. These antenna footprints are usually circular in shape. However,
on the map they are depicted as hexagons for convenience as they offer an orderly
pattern, as shown in fig. below.

Mobile payment

Mobile payment (also referred to as mobile money, mobile money transfer, and mobile wallet)
generally refers to payment services operated under financial regulation and performed from or via
a mobile device. Instead of paying with cash, cheque, or credit cards, a consumer can use a mobile
to pay for a wide range of services and digital or hard goods. Although the concept of using
non-coin-based currency systems has a long history,[1] it is only in the 21st century that the
technology to support such systems has become widely available.
Mobile payment is being adopted all over the world in different ways. [2][3] The first patent exclusively
defined "Mobile Payment System" was filed in 2000[4].
Mobile payments are becoming a key instrument for PSPs and other market participants, in order to
achieve new growth opportunities, according to the European Payments Council (EPC).[7] The EPC
states that "new technology solutions provide a direct improvement to the operations efficiency,
ultimately resulting in cost savings and in an increase in business volume".

Models
There are five primary models for mobile payments:

• Mobile wallets
• Card-based payments
• Carrier billing (Premium SMS or direct carrier billing)
• Contactless payments NFC (Near Field Communication)
• Direct transfers between payer and payee bank accounts in near real-time (bank-led model,
intra/inter-bank transfers/payments that are both bank and mobile operator agnostic)
There can be combinations:

• Direct carrier/bank co-operation, emerging in Haiti.[9]
• Both bank account and card, like Vipps and MobilePay (users with an account at the right bank
can debit their account, while other users can debit their card)
Financial institutions and credit card companies[10] as well as Internet companies such
as Google[11] and a number of mobile communication companies, such as mobile network
operators and major telecommunications infrastructure such as w-HA from Orange and
smartphone multinationals such as Ericsson[12][13] and BlackBerry have implemented mobile payment
solutions.

Mobile wallets

A mobile wallet is an app that contains a user's debit and credit card information so that the user can pay for
goods and services digitally from their mobile device.[14] Notable mobile wallets include:

• Alipay
• ApplePay
• eWallet (Ilium Software)[15]
• GooglePay
• Gyft[15]
• Samsung Pay
• Venmo[15]
• WeChat
Generally, the process is as follows:
First payment:

• User registers, inputs their phone number, and the provider sends them an SMS with a PIN
• User enters the received PIN, authenticating the number
• User inputs their credit card info or another payment method if necessary (not necessary if the
account has already been added) and validates payment
Subsequent payments:

• The user re-enters their PIN to authenticate and validates payment

Requesting a PIN is known to lower the success rate (conversion) for payments. These systems can
be integrated with directly or can be combined with operator and credit card payments through a
unified mobile web payment platform.

Credit card
A simple mobile web payment system can also include a credit card payment flow allowing a
consumer to enter their card details to make purchases. This process is familiar but any entry of
details on a mobile phone is known to reduce the success rate (conversion) of payments.
In addition, if the payment vendor can automatically and securely identify customers then card
details can be recalled for future purchases turning credit card payments into simple single click-to-
buy giving higher conversion rates for additional purchases.

Carrier billing
The consumer uses the mobile billing option during checkout at an e-commerce site—such as an
online gaming site—to make a payment. After two-factor authentication involving the consumer's
mobile number and a PIN or One-Time-Password (often abbreviated as OTP), the consumer's
mobile account is charged for the purchase. It is a true alternative payment method that does not
require the use of credit/debit cards or pre-registration at an online payment solution such as
PayPal, thus bypassing banks and credit card companies altogether. This type of mobile payment
method, which is prevalent in Asia, provides the following benefits:

1. Security – Two-factor authentication and a risk management engine prevent fraud.
2. Convenience – No pre-registration and no new mobile software is required.
3. Easy – It's just another option during the checkout process.
4. Fast – Most transactions are completed in less than 10 seconds.
5. Proven – 70% of all digital content purchased online in some parts of Asia uses the Direct
Mobile Billing method.
Premium SMS and premium MMS
In the predominant model for SMS payments, the consumer sends a payment request via an SMS
text message or a USSD code to a short code, and a premium charge is applied to their phone bill or their
online wallet. The merchant involved is informed of the payment success and can then release the
paid-for goods.[17]
Since a trusted physical delivery address has typically not been given, these goods are most
frequently digital with the merchant replying using a Multimedia Messaging Service to deliver the
purchased music, ringtones, wallpapers etc.
A Multimedia Messaging Service (MMS) can also deliver barcodes which can then be scanned for
confirmation of payment by a merchant. This is used as an electronic ticket for access to cinemas
and events or to collect hard goods.
Transactional payments by SMS have been popular in Asia and Europe and are now accompanied
by other mobile payment methods, such as mobile web payments (WAP), mobile payment
client (Java ME, Android...) and Direct Mobile Billing.
Inhibiting factors of Premium SMS include:

1. Poor reliability – transactional premium SMS payments can easily fail as messages get lost.
2. Slow speed – sending messages can be slow and it can take hours for a merchant to get
receipt of payment. Consumers do not want to be kept waiting more than a few seconds.
3. Security – SMS/USSD encryption ends at the radio interface; beyond it the message travels in
plaintext.
4. High cost – There are many high costs associated with this method of payment. The cost of
setting up short codes and paying for the delivery of media via a Multimedia Messaging
Service and the resulting customer support costs to account for the number of messages
that get lost or are delayed.
5. Low payout rates – operators also see high costs in running and supporting transactional
payments, which results in payout rates to the merchant being as low as 30% and usually
around 50%.
6. Low follow-on sales – once the payment message has been sent and the goods received
there is little else the consumer can do. It is difficult for them to remember where something
was purchased or how to buy it again. This also makes it difficult to tell a friend.
Remote payment by SMS and credit card tokenization
Even as the volume of Premium SMS transactions has flattened, many cloud-based payment
systems continue to use SMS for presentment, authorization, and authentication,[18] while the
payment itself is processed through existing payment networks such as credit and debit card
networks. These solutions combine the ubiquity of the SMS channel[19] with the security and
reliability of existing payment infrastructure. Since SMS lacks end-to-end encryption, such solutions
employ higher-level security strategies known as 'tokenization' and 'target removal',[20] whereby
payment occurs without transmitting any sensitive account details, username, password, or PIN.
To date, point-of-sales mobile payment solutions have not relied on SMS-based authentication as a
payment mechanism, but remote payments such as bill payments,[21] seat upgrades on flights,[22] and
membership or subscription renewals are commonplace.
In comparison to premium short code programs which often exist in isolation, relationship
marketing and payment systems are often integrated with CRM, ERP, marketing-automation
platforms, and reservation systems. Many of the problems inherent with premium SMS have been
addressed by solution providers. Remembering keywords is not required since sessions are initiated
by the enterprise to establish a transaction specific context. Reply messages are linked to the proper
session and authenticated either synchronously through a very short expiry period (every reply is
assumed to be to the last message sent) or by tracking session according to varying reply addresses
and/or reply options.
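The flow described above, written out as an added example (not code from the page or from any payment provider): the enterprise opens a session and sends an SMS carrying only the transaction context, the consumer's reply is tied to that session by the phone number and the reply address it was sent to within a short expiry window, and the charge is submitted against an opaque card token so that no PAN, username, password or PIN ever crosses the plaintext SMS channel. The token vault, the pool of short codes and the 120-second TTL are constructed assumptions.

```python
"""Added example: enterprise-initiated SMS payment sessions with tokenization.
Only transaction context crosses the SMS channel; the charge uses an opaque
token, and replies are matched to sessions by phone + reply address and a TTL."""
from dataclasses import dataclass
import secrets
import time

SESSION_TTL_SECONDS = 120  # assumed expiry window for a pending reply


@dataclass
class Session:
    session_id: str
    phone: str
    reply_address: str  # short code the SMS was sent from
    token: str  # opaque reference to the stored card, never a PAN
    amount_cents: int
    description: str
    created_at: float
    state: str = "pending"  # pending -> authorized | declined | expired


class TokenVault:
    """Stand-in vault: the only component that ever holds a PAN."""
    def __init__(self):
        self._cards = {}
    def tokenize(self, pan):
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = pan
        return token
    def last4(self, token):
        return self._cards[token][-4:]


class SmsPaymentService:
    def __init__(self, vault, reply_addresses, clock=time.time):
        self.vault = vault
        self.reply_addresses = list(reply_addresses)  # pool of short codes
        self.clock = clock
        self.sessions = {}  # (phone, reply_address) -> pending Session
        self.outbox = []  # SMS messages "sent" (constructed, not real)
        self.charges = []  # tokenized charges handed to the card network

    def initiate(self, phone, token, amount_cents, description):
        """Open a session and send the consumer a context-only SMS."""
        # Pick a reply address with no pending session for this phone, so
        # concurrent sessions are told apart by the address replied to.
        busy = {addr for (p, addr) in self.sessions if p == phone}
        free = [a for a in self.reply_addresses if a not in busy]
        if not free:
            raise RuntimeError("no free reply address for this phone")
        s = Session(secrets.token_hex(4), phone, free[0], token,
                    amount_cents, description, self.clock())
        self.sessions[(phone, s.reply_address)] = s
        text = (f"Pay {amount_cents / 100:.2f} for {description} with card "
                f"ending {self.vault.last4(token)}? Reply YES or NO.")
        self.outbox.append({"to": phone, "from": s.reply_address, "text": text})
        return s.session_id

    def handle_reply(self, phone, to_address, text):
        """Match an inbound SMS to its session and settle it."""
        key = (phone, to_address)
        s = self.sessions.get(key)
        if s is None:
            return "ignored"  # no pending session for this phone/address pair
        if self.clock() - s.created_at > SESSION_TTL_SECONDS:
            s.state = "expired"
            del self.sessions[key]
            return s.state
        answer = text.strip().upper()
        if answer not in ("YES", "NO"):
            return "unrecognized"  # session stays pending until the TTL lapses
        s.state = "authorized" if answer == "YES" else "declined"
        if s.state == "authorized":  # only the token reaches the card network
            self.charges.append({"token": s.token, "ref": s.session_id,
                                 "amount_cents": s.amount_cents})
        del self.sessions[key]
        return s.state
```

A reply to the wrong short code, from an unknown number, or after the TTL never produces a charge, which is the property the session binding is meant to give.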

Mobile web payments (WAP)

The consumer uses web pages displayed or additional applications downloaded and installed on the
mobile phone to make a payment. It uses WAP (Wireless Application Protocol) as underlying
technology and thus inherits all the advantages and disadvantages of WAP. Benefits include:[24]

1. Follow-on sales where the mobile web payment can lead back to a store or to other goods
the consumer may like. These pages have a URL and can be bookmarked making it easy to
re-visit or share.
2. High customer satisfaction from quick and predictable payments
3. Ease of use from a familiar set of online payment pages
However, unless the mobile account is directly charged through a mobile network operator, the use
of a credit/debit card or pre-registration at an online payment solution such as PayPal is still required,
just as in a desktop environment.
Mobile web payment methods are now being mandated by a number of mobile network operators.

Direct operator billing

Direct operator billing, also known as mobile content billing, WAP billing, and carrier billing, requires
integration with the mobile network operator. It provides certain benefits:

1. Mobile network operators already have a billing relationship with consumers, so the payment
is simply added to their bill.
2. Provides instantaneous payment
3. Protects payment details and consumer identity
4. Better conversion rates
5. Reduced customer support costs for merchants
6. Alternative monetization option in countries where credit card usage is low
One of the drawbacks is that the payout rate will often be much lower than with other mobile
payments options. Examples from a popular provider:

• 92% with PayPal
• 85 to 86% with Credit Card
• 45 to 91.7% with operator billing in the US, UK and some smaller European countries, but
usually around 60%[25]
More recently, Direct operator billing is being deployed in an in-app environment, where mobile
application developers are taking advantage of the one-click payment option that Direct operator
billing provides for monetising mobile applications. This is a logical alternative to credit card and
Premium SMS billing.
In 2012, Ericsson and Western Union partnered to expand the direct operator billing market, making
it possible for mobile operators to include Western Union Mobile Money Transfers as part of their
mobile financial service offerings.[26] Given the international reach of both companies, the partnership
is meant to accelerate the interconnection between the m-commerce market and the existing
financial world.[27]

Contactless near-field communication

Near-field communication (NFC) is used mostly in paying for purchases made in physical stores or
transportation services. A consumer using a special mobile phone equipped with a smartcard waves
his/her phone near a reader module. Most transactions do not require authentication, but some
require PIN authentication before the transaction is completed. The payment could be deducted
from a pre-paid account or charged to a mobile or bank account directly.
The NFC mobile payment method faces significant challenges to wide and fast adoption, due to a lack
of supporting infrastructure, a complex ecosystem of stakeholders, and standards.[28] Some phone
manufacturers and banks, however, are enthusiastic. Ericsson and Aconite are examples of
businesses that make it possible for banks to create consumer mobile payment applications that
take advantage of NFC technology.[29]
NFC vendors in Japan are closely related to mass-transit networks, like the Mobile Suica used on
the JR East rail network. Osaifu-Keitai system, used for Mobile Suica and many others
including Edy and nanaco, has become the de facto standard method for mobile payments in Japan.
Its core technology, Mobile FeliCa IC, is partially owned by Sony, NTT DoCoMo and JR East. Mobile
FeliCa utilizes Sony's FeliCa technology, which itself is the de facto standard for contactless smart
cards in the country.
Other NFC vendors, mostly in Europe, use contactless payment over mobile phones to pay for on-
and off-street parking in specially demarcated areas. First conceptualized in the 1990s, the
technology has seen commercial use in this century in both Scandinavia and Estonia. End users
benefit from the convenience of being able to pay for parking from the comfort of their car with their
mobile phone, and parking operators are not obliged to invest in either existing or new street-based
parking infrastructure. Parking wardens enforce payment in these systems by license plate,
transponder tags or barcode stickers, or they read a digital display in the same way as they read a
pay-and-display receipt.
Other vendors use a combination of both NFC and a barcode on the mobile device for mobile
payment, because many mobile devices in the market do not yet support NFC.[30]

Others
QR code payments
QR codes are square two-dimensional (2D) bar codes. QR codes have been in use since 1994.[31] Originally
used to track products in warehouses, QR codes were designed to replace traditional one-dimensional (1D) bar
codes. Traditional bar codes just represent numbers, which can be looked up in a database and
translated into something meaningful. QR, or "Quick Response", bar codes were designed to contain
the meaningful information right in the bar code.
QR code payments fall into two main categories:[32]

• The QR Code is presented on the mobile device of the person paying and scanned by a POS or
another mobile device of the payee
• The QR Code is presented by the payee, either static or generated once per transaction, and is
scanned by the person executing the payment
Mobile self-checkout allows a shopper to scan the QR code or barcode of a product inside a brick-and-
mortar establishment in order to purchase the product on the spot. This theoretically eliminates or
reduces long checkout lines, even at self-checkout kiosks.

Cloud-based mobile payments

Google, PayPal, GlobalPay and GoPago use a cloud-based approach to in-store mobile payment.
The cloud-based approach places the mobile payment provider in the middle of the transaction,
which involves two separate steps. First, a cloud-linked payment method is selected and payment is
authorized via NFC or an alternative method. During this step, the payment provider automatically
covers the cost of the purchase with issuer-linked funds. Second, in a separate transaction, the
payment provider charges the purchaser's selected, cloud-linked account in a card-not-present
environment to recoup the amount it advanced in the first transaction.[33][34][35]

Audio signal-based payments

The audio channel of the mobile phone is another wireless interface that is used to make payments.
Several companies have created technology to use the acoustic features of cell phones to support
mobile payments and other applications that are not chip-based. The technologies Near sound data
transfer (NSDT), Data Over Voice and NFC 2.0 produce audio signatures that the microphone of the
cell phone can pick up to enable electronic transactions.[36]
Direct carrier/bank co-operation
In the T-Cash[37] model, the mobile phone and the phone carrier are the front-end interface to
consumers. The consumer can purchase goods, transfer money to a peer, cash out, and cash
in.[38] A 'mini wallet' account can be opened simply by entering *700# on the mobile
phone,[39] presumably after depositing money with a participating local merchant and giving the mobile phone
number. Presumably, other transactions are similarly accomplished by entering special codes and
the phone number of the other party on the consumer's mobile phone.

Bank transfer systems

Swish is the name of a system established in Sweden.[40] It was established through a collaboration
among major banks in 2012 and has been very successful, with 66 percent of the population as users
in 2017.[41] It is mainly used for peer-to-peer payments between private people, but is also used by
church collections, street vendors and small businesses. A person's account is tied to his or her phone
number, and the connection between the phone number and the actual bank account number is
registered in the internet bank. The electronic identification system mobile BankID, issued by several
Swedish banks, is used to verify the payment. Users with a simple phone or without the app can still
receive money if the phone number is registered in the internet bank. Like many other mobile
payment systems, its main obstacle is getting people to register and download the app, but it has
managed to reach a critical mass and has become part of everyday life for many Swedes.
Swedish payments company Trustly also enables mobile bank transfers, but is used mainly for
business-to-consumer transactions that occur solely online. If an e-tailer integrates with Trustly, its
customers can pay directly from their bank account. As opposed to Swish, users don't need to
register a Trustly account or download software to pay with it.
The Danish MobilePay and Norwegian Vipps are also popular in their countries. They use direct and
instant bank transfers, and fall back to credit card billing for users not connected to a participating bank.
In India, a new direct bank transfer system has emerged called the Unified Payments Interface (UPI). This
system enables users to transfer money to other users and businesses in real time directly from their
bank accounts. Users download a UPI-supporting app from the app store on their Android or iOS device,
link and verify their mobile number with the bank account by sending one outgoing SMS to the app
provider, create a virtual payment address (VPA) which auto-generates a QR code, and then set a
banking PIN by generating an OTP for secure transactions. The VPA and QR code are intended to ensure ease
of use and privacy, allowing peer-to-peer (P2P) transactions without revealing any user details.
Fund transfers can then be initiated to other users or businesses. Settlement of funds happens in real
time, i.e. money is debited from the payer's bank account and credited to the recipient's bank account in
real time. The UPI service works 24x7, including weekends and holidays. This is slowly becoming a very
popular service in India and was processing monthly payments worth approximately $10 billion as of
October 2018.[42]

Mobile payment service provider model

There are four potential mobile payment models:[43]

1. Operator-Centric Model: The mobile operator acts independently to deploy the mobile payment
service. The operator could provide an independent mobile wallet from the user's mobile
account (airtime). A large deployment of the Operator-Centric Model is severely challenged
by the lack of connection to existing payment networks. The mobile network operator should
handle the interfacing with the banking network to provide an advanced mobile payment service
in banked and underbanked environments. Pilots using this model have been launched in
emerging countries, but they did not cover most of the mobile payment service use cases.
Payments were limited to remittance and airtime top-up.
2. Bank-Centric Model: A bank deploys mobile payment applications or devices to customers
and ensures merchants have the required point-of-sale (POS) acceptance capability. Mobile
network operators are used as simple carriers; they bring their experience to provide quality
of service (QoS) assurance.
3. Collaboration Model: This model involves collaboration among banks, mobile operators and
a trusted third party.
4. Peer-to-Peer Model: The mobile payment service provider acts independently from financial
institutions and mobile network operators to provide mobile payment.

Applications of Mobile Commerce

1. M-Commerce for finance

The customer (using the mobile) can pay from their bank account using
mobile commerce facilities. Mobile users can transfer funds between
accounts or receive any information related to finance from financial
institutions or banks. WAP-based mobile devices allow the user to
access the internet or the website of the financial institution.

For example, a credit card user is reminded by the institution of the
outstanding balance, the minimum amount due and the due date. Likewise,
when the customer pays by cheque or otherwise makes a payment, the
institution sends an acknowledgement by SMS stating the amount that has
been received.

2. M-Commerce for Retail and After-sale Services

Companies can also make an online catalogue of products so that mobile
users can access the catalogue from their mobile devices. Customers are
able to shop, place orders or hire services and pay their dues through
mobile phones.

3. M-Commerce and Mobile Marketing

It is easy for business organizations to send text messages to promote a
new product or carry out any form of promotional campaign. For
example, Reliance Fresh sends the customer an SMS stating the reward
points earned when they purchase goods from Reliance. Any changes to
the reward points scheme are also communicated to the customer in order
to encourage sales.

4. M-Commerce and Mobile Ticketing

Airline tickets can be purchased through a mobile phone, and mobile phone
users can also make changes to their tickets. For example, with
"flybuy SMS", launched by Kingfisher Airlines and Paymate, customers can
get the details of Kingfisher Airlines flights by sending an SMS and can
book the ticket after receiving a reply. Besides the above, movie
tickets can also be booked through mobile phones.

5. M-Commerce and Mobile Entertainment

The mobile terminal acts as a portable music player. Downloading ringtones
has become a successful m-commerce application. Mobile phone
manufacturers and wireless providers are making good money by
selling different kinds of customized ringtones.

6. M-Commerce for Hotel Reservations

Using mobile devices, customers can make reservations at restaurants and
hotels according to their needs.

7. M-Commerce in Healthcare and Medicine

Wireless services are used in healthcare and medicine for billing, lab
ordering, referrals, prescriptions and clinical decisions. For example, in
the United States, healthcare professionals are able to obtain patient
information from any location by connecting wirelessly to the
hospital's information system. They are able to access the
pharmaceutical information of patients and provide better patient care.

8. M-Commerce for Intra-Office Communication

Sales personnel, who are always on the move, may need access to the
company information system to check the prices of products. Mobile
devices allow travelling sales personnel to track inventory and maintain
communication with their seniors with ease. Travelling salespeople do not
have to wait long to get approval from their seniors. Any information can
be transferred easily and quickly with the help of mobile devices. This
removes barriers in intra-office communication.

9. M-Commerce for Information

Mobiles enable customers to get information such as sports news or political
news of their choice. For example, today through SMS, students are able
to check their university results or public examination results.

10. M-Commerce for Gaming

Customers can play multiplayer games through mobiles. Mobile games
with colourful displays are very popular and generate good revenue.
