Cyber Security Notes

Module-IV:
Definition of E- Commerce, Main components of E-Commerce, Elements of E-Commerce
security, E-Commerce threats, E-Commerce security best practices. Advantages of e-
commerce, Survey of popular e-commerce sites.
Introduction to digital payments, Components of digital payment and stake holders, Modes of
digital payments- Banking Cards, Unified Payment Interface (UPI), e-Wallets, Unstructured
Supplementary Service Data (USSD), Aadhar enabled payments, Digital payments related
common frauds and preventive measures. RBI guidelines on digital payments and customer
protection in unauthorized banking transactions. Relevant provisions of Payment Settlement
Act,2007.

Definition of E- Commerce
▪ E-Commerce or Electronic Commerce means buying and selling of goods, products, or services
over the internet.
▪ E-commerce is also known as electronic commerce or internet commerce.
▪ Transaction of money, funds, and data are also considered as E-commerce.
▪ These business transactions can be done in four ways: Business to Business (B2B), Business to
Customer (B2C), Customer to Customer (C2C), Customer to Business (C2B).

Main components of E-Commerce

▪ The components of E-Commerce are as follows:
1. User: This may be individual / organization or anybody using the e-commerce platforms.
2. E-commerce vendors: This is the organization/ entity providing the user, goods/ services.
E.g.: www.flipkart.com.E-commerce Vendors further needs to ensure following for better,
effective and efficient transaction.
− Suppliers and Supply Chain Management
− Warehouse operations
− Shipping and returns
− E-Commerce catalogue and product display
− Marketing and loyalty programs

P a g e 1 | 13
Cyber Security Notes

3. Technology Infrastructure: This includes Server computers, apps etc. These are the backbone
for the success of the venture. They store the data/program used to run the whole operation of
the organization.
4. Internet/ Network: This is the key to success of e-commerce transactions. Internet
connectivity is important for any e-commerce transaction to go through. The faster net
connectivity leads to better e-commerce.
5. Web Portal: This shall provide the interface through which an individual/organization shall
perform e-commerce transactions. These web portals can be accessed through desktops/
laptops/PDA/hand- held computing devices/ mobiles and now through smart TVs.
6. Payment Gateway: The payment mode through which customers shall make payments.
Payment gateway represents the way e-commerce vendors collect their payments. Examples are
Credit / Debit Card Payments, Online bank payments, Vendors own payment wallet, Third Party
Payment wallets, like PAYTM and Unified Payments Interface (UPI).

Elements of E-Commerce security

▪ E-commerce security involves safeguarding online transactions and protecting sensitive

information during online purchases. Here are some key elements:
1. Encryption: Encrypting data ensures that sensitive information like credit card details, personal
information, and transaction data is encoded during transmission. Secure Sockets Layer (SSL)
or Transport Layer Security (TLS) protocols are commonly used to encrypt data.
2. Secure Payment Gateways: Using trusted and secure payment gateways ensures that financial
information is transmitted securely between the customer, merchant, and financial institutions.
3. Firewalls and Security Software: Implementing firewalls and up-to-date security software
helps prevent unauthorized access to the e-commerce website's network. This includes
protection against malware, viruses, and other cyber threats.
4. Authentication and Authorization: Employing strong user authentication methods, such as
two-factor authentication (2FA), helps verify the identity of users, reducing the risk of
unauthorized access.
5. Regular Updates and Patch Management: Ensuring that the e-commerce platform and all
associated software are regularly updated with the latest security patches helps mitigate
vulnerabilities that could be exploited by attackers.
6. Data Privacy and Compliance: Adhering to data privacy regulations (such as GDPR, CCPA)
and implementing privacy policies that protect customer data is crucial. This includes proper
handling and storage of personal information.

P a g e 2 | 13
Cyber Security Notes

7. Risk Assessment and Monitoring: Conducting regular security audits and risk assessments
helps identify potential vulnerabilities and threats. Continuous monitoring of systems for
suspicious activities is vital to detect and respond to any security breaches promptly.
8. Customer Education: Educating customers about safe online practices, such as creating strong
passwords, avoiding public Wi-Fi for sensitive transactions, and being cautious of phishing
attempts, can significantly enhance overall e-commerce security.
9. Physical Security Measures: Ensuring physical security of servers and data centers where
customer information is stored is essential to prevent unauthorized access to hardware and
infrastructure.
10. Backup and Disaster Recovery: Implementing robust backup and disaster recovery plans
ensures that in case of a security breach or system failure, data can be recovered without
significant loss.

E-Commerce threats

▪ E-commerce platforms face various threats that can compromise security and disrupt
operations. Here are some common threats:
1. Data Breaches: These occur when sensitive customer information, such as credit card details
or personal data, is accessed or stolen by unauthorized individuals or cybercriminals.
Breaches can happen through hacking, phishing, or exploiting vulnerabilities in the system.

P a g e 3 | 13
Cyber Security Notes

2. Phishing Attacks: Cybercriminals use deceptive emails, messages, or websites that mimic
legitimate sources to trick users into revealing sensitive information like login credentials,
credit card numbers, or personal details.
3. Malware and Viruses: Malicious software can infect e-commerce websites, compromising
user data, stealing information, or disrupting operations. Malware can be introduced through
infected files, links, or vulnerable software.
4. DDoS Attacks: Distributed Denial of Service attacks aim to overwhelm a website's servers
with excessive traffic, causing it to become slow or unavailable, disrupting business
operations and potentially leading to financial losses.
5. SQL Injection: Attackers exploit vulnerabilities in the website's code to insert malicious SQL
queries, allowing them to access or manipulate the database, compromising sensitive
information.
6. Man-in-the-Middle (MITM) Attacks: Hackers intercept communication between a user
and an e-commerce website to eavesdrop, steal information, or manipulate data during the
transmission.
7. Identity Theft: Cybercriminals may steal user identities from e-commerce platforms to
make fraudulent purchases, access financial accounts, or commit other forms of fraud.
8. Supply Chain Attacks: Hackers target weaknesses in the supply chain to access the e-
commerce platform, compromising the security of transactions, customer data, or the overall
system.
9. Payment Frauds: Fraudulent activities during payment transactions, such as stolen credit
card information or unauthorized transactions, pose a significant threat to e-commerce
platforms and customers.

E-Commerce security best practices

▪ Ensuring security in e-commerce is crucial to protect both your business and your customers'
sensitive information. Here are some best practices:
1. Use Secure Sockets Layer (SSL) Encryption: Encrypt data transmitted between your
website and users' browsers. This prevents interception of sensitive information like credit
card details.
2. Implement Strong Password Policies: Encourage users to create strong passwords and
use multi-factor authentication (MFA) wherever possible to add an extra layer of security.
3. Regularly Update Software and Security Patches: Keep your e-commerce platform,
plugins, and software updated to patch vulnerabilities that attackers could exploit.

P a g e 4 | 13
Cyber Security Notes

4. Secure Payment Gateways: Use reputable payment gateways that comply with Payment
Card Industry Data Security Standard (PCI DSS). Avoid storing payment information on
your servers.
5. Data Encryption: Encrypt sensitive data, including customer information and payment
details, when stored in databases or during transmission.
6. Regular Security Audits and Testing: Conduct security audits and penetration testing to
identify vulnerabilities and weaknesses in your system before attackers do.
7. Implement Firewalls and DDoS Protection: Install firewalls to monitor and control
incoming and outgoing traffic. Use DDoS (Distributed Denial of Service) protection to
prevent service disruption due to attacks.
8. Train Employees: Educate your staff about security best practices, phishing attacks, and how
to handle sensitive information to prevent internal security breaches.
9. Privacy Policies and Compliance: Comply with data protection regulations (like GDPR,
CCPA) and clearly communicate your privacy policies to customers.
10. Monitor and Respond to Suspicious Activity: Implement monitoring systems to detect
unusual activity and respond promptly to security incidents.
11. Backup Data Regularly: Keep regular backups of your e-commerce data to ensure you can
recover in case of a security breach or data loss.
12. Limit Access to Data: Restrict access to sensitive data. Only grant access to those who need
it for their specific roles.

Advantage of e-commerce
1. Reduced overhead costs: Running an e-commerce store is a lot more cost-effective than
running a physical store. You don’t have to rent commercial real estate — instead, you can pay
an affordable fee for web hosting.
2. No need for a physical storefront: There are so many difficult aspects to running a physical
storefront and using e-commerce means you don’t have to face most of those obstacles. Renting
a commercial property can be expensive. You also have to pay for electricity, water, and internet
to ensure your space is up to code and can handle your business. There’s also security to
consider; if you want your physical storefront to be secure, you’ll need to invest in cameras and
other surveillance equipment. With an e-commerce store, you can simply build your website and
start selling your products online without worrying about setting up a physical storefront and
spending as much money.

P a g e 5 | 13
Cyber Security Notes

3. Ability to reach a broader audience: Perhaps the biggest advantage of e-commerce is the fact
that it allows you to reach a massive audience. Your physical storefront can only get so many
visitors in a day, especially if you live in a smaller town or a rural area. With an e-commerce
store, you can reach potential customers all throughout the world and show them your products.
4. Scalability:. If you have a physical storefront, your business can only grow so much before you
have to move to a larger storefront. You also have to move inventory and equipment from one
location to another, which makes it even harder to scale your store with the growth of your
business. With e-commerce, your website and store can grow as your business does, and you
don’t have to spend a fortune moving to a new physical space.
5. Track logistics: Keeping track of logistics is an essential part of e-commerce and retail
marketing, and it’s significantly easier with e-commerce than it is with a physical storefront. You
can outsource fulfillment logistics so your customers can enjoy benefits like 2-day shipping and
easy returns processing.

Survey of popular e-commerce sites

▪ There are several popular e-commerce sites that cater to different markets and needs.
▪ Some of the well-known ones globally include:
1. Amazon: One of the largest online retailers, offering a wide range of products from
electronics to books to household items.
2. eBay: Known for its auction-style selling and a vast array of products, including both
new and used items.
3. Alibaba: A Chinese e-commerce company specializing in wholesale trading between
businesses and consumers.
4. Walmart: A major retailer with a strong online presence, selling a variety of products
similar to its physical stores.
5. Etsy: Focused on handmade, vintage, and unique goods, often catering to niche markets
and creative products.
6. Target: Similar to Walmart, Target offers a diverse range of products and has a
significant online presence.
7. Best Buy: Specializes in electronics, offering a wide selection of tech-related products.
8. Zappos: A popular online shoe and clothing retailer known for its customer service and
wide selection.
9. ASOS: Primarily focused on fashion and beauty products, targeting a younger audience
with trendy items.

P a g e 6 | 13
Cyber Security Notes

10. Rakuten: A diverse marketplace offering various products and services, often providing
cashback rewards for purchases.
▪ Each of these platforms has its own strengths, unique selling points, and target demographics,
making them popular choices for different types of consumers.

Introduction to Digital Payments

▪ Digital payments are payments done through digital or online modes, with no exchange of hard
cash being involved. Such a payment, sometimes also called an electronic payment (e-payment),
is the transfer of value from one payment account to another where both the payer and the
payee use a digital device such as a mobile phone, computer, or a credit, debit, or prepaid card.
▪ The payer and payee could be either a business or an individual. This means that for digital
payments to take place, the payer and payee both must have a bank account, an online banking
method, a device from which they can make the payment, and a medium of transmission,
meaning that either they should have signed up to a payment provider or an intermediary such
as a bank or a service provider.

Components of Digital Payment and Stake holders

▪ Digital payments involve several components and stakeholders that collectively facilitate the
transfer of money or transactions through electronic means.
▪ Here are the key components and stakeholders:
▪ Components:
1. Payment Gateway: It's the technology that authorizes and facilitates transactions by
connecting merchants, banks, and customers. It encrypts sensitive information and ensures
secure transfer.
2. Payment Processor: Responsible for managing the transaction process by transmitting
data between the merchant's bank and the customer's bank. It verifies transaction details
and ensures funds are transferred.
3. Mobile Wallets: Apps or platforms that store payment information, allowing users to
make transactions through their smartphones. Examples include Apple Pay, Google Pay,
and PayPal.
4. Digital Currencies/Cryptocurrencies: These decentralized forms of currency (like
Bitcoin or Ethereum) facilitate peer-to-peer transactions through blockchain technology.
5. Near Field Communication (NFC): Technology that enables contactless payments by
allowing devices to communicate when in close proximity.

P a g e 7 | 13
Cyber Security Notes

6. QR Codes: Scannable codes that store payment information, enabling easy transactions by
simply scanning the code.
▪ Stakeholders:
1. Customers/Users: Individuals or entities making payments or transactions using digital
payment methods.
2. Merchants/Retailers: Businesses or individuals selling goods or services and accepting
digital payments from customers.
3. Financial Institutions: Banks, credit unions, and other financial entities that provide the
infrastructure and accounts necessary for digital transactions.
4. Payment Service Providers (PSPs): Companies that offer services facilitating digital
payments for merchants, such as Stripe, Square, or Adyen.
5. Regulatory Bodies/Government Agencies: Entities responsible for creating and
enforcing rules, regulations, and standards for digital payments to ensure security and
fairness.
6. Technology Providers: Companies developing and maintaining the technology and
software necessary for secure digital payment systems, including hardware manufacturers
and software developers.
7. Security Firms: Organizations specializing in ensuring the security of digital payment
systems by providing encryption, fraud detection, and cybersecurity services.
▪ These components and stakeholders collectively form the ecosystem that enables the seamless
execution of digital payments across various platforms and devices.

Modes of digital payments

▪ There are various modes of digital payments that have become increasingly popular due to their
convenience and accessibility.
▪ Here's a brief overview of each:
1. Banking cards:
Cards are among the most widely used payment methods and come with various features and
benefits such as security of payments, convenience, etc. The main advantage of debit/credit or
prepaid banking cards is that they can be used to make other types of digital payments. For
example, customers can store card information in digital payment apps or mobile wallets to
make a cashless payment. Some of the most reputed and well-known card payment systems are
Visa, Rupay and MasterCard, among others. Banking cards can be used for online purchases, in
digital payment apps, PoS machines, online transactions, etc.
P a g e 8 | 13
Cyber Security Notes

2. Unified Payment Interface (UPI)

UPI is a payment system that culminates numerous bank accounts into a single application,
allowing the transfer of money easily between any two parties. As compared to NEFT, RTGS,
and IMPS, UPI is far more well-defined and standardized across banks. You can use UPI to
initiate a bank transfer from anywhere in just a few clicks.
The benefit of using UPI is that it allows you to pay directly from your bank account, without
the need to type in the card or bank details. This method has become one of the most popular
digital payment modes in 2020, with October witnessing over 2 billion transactions.
3. e-Wallets
Electronic wallets or e-wallets store financial information and allow users to make online
transactions quickly. E-wallet is a type of pre-paid account in which a user can store his/her
money for any future online transaction. An E-wallet is protected with a password. With the
help of an E-wallet, one can make payments for groceries, online purchases, and flight tickets,
among others. E-wallet has mainly two components, software and information. The software
component stores personal information and provides security and encryption of the data. The
information component is a database of details provided by the user which includes their name,
shipping address, payment method, amount to be paid, credit or debit card details, etc. Services
like PayPal, Google Pay, Apple Pay, and Paytm fall under this category.
4. Unstructured Supplementary Service Data (USSD)
USSD technology enables mobile banking services through basic phones, allowing users to
access banking services by dialing a shortcode. This method doesn't require internet connectivity
and is particularly beneficial in regions with limited internet access. USSD was launched for
those sections of India’s population which don’t have access to proper banking and internet
facilities. Under USSD, mobile banking transactions are possible without an internet connection
by simply dialing *99# on any essential feature phone.
This number is operational across all Telecom Service Providers (TSPs) and allows customers to
avail of services including interbank account to account fund transfer, balance inquiry, and
availing mini statements. Around 51 leading banks offer USSD service in 12 different languages,
including Hindi & English.
5. Aadhar enabled payments system (AEPS)
AEPS is a bank-led model for digital payments that was initiated to leverage the presence and
reach of Aadhar. Under this system, customers can use their Aadhaar-linked accounts to transfer
money between two Aadhaar linked Bank Accounts. As of February 2020, AEPS had crossed
more than 205 million as per NPCI data.

P a g e 9 | 13
Cyber Security Notes

AEPS doesn’t require any physical activity like visiting a branch, using debit or credit cards or
making a signature on a document. This bank-led model allows digital payments at PoS (Point of
Sale / Micro ATM) via a Business Correspondent (also known as Bank Mitra) using Aadhaar
authentication.
▪ Each mode of digital payment offers its own set of advantages in terms of accessibility, ease of
use, security, and suitability for different scenarios. The choice of which to use often depends on
factors like convenience, accessibility to technology, internet connectivity, and personal
preferences.
Digital Payments Related Common Frauds and Preventive Measures
▪ With the increasing trend of digital payment systems, the number of fraud attempts is also
increasing at an alarming rate. Cybercriminals are always looking for ways to exploit the loopholes
in the digital payment process to steal money from unsuspecting individuals.
1. Phishing
▪ Phishing scams are fake messages, emails, or websites that trick people into providing
their personal information, such as login credentials, credit card details, or social security
numbers. These scammers then use this information to access victims’ accounts and steal
their funds.
▪ Preventive Measures:
− Verify website URLs before entering any personal information.
− Never share personal or financial details via email or unsecured websites.
− Enable two-factor authentication for added security.
2. Identity Theft
▪ Identity theft occurs when a fraudster steals someone’s personal information, such as
their name, address, or social security number, and uses it for fraudulent activities, such
as opening a new credit card or mobile payment account.
▪ Preventive Measures:
− Use strong, unique passwords for each financial account.
− Regularly monitor your credit report for any suspicious activities.
− Be cautious while sharing personal information online.
3. Account Takeover
▪ In an account takeover, a fraudster gains access to a user’s digital payment account by
stealing their login credentials or obtaining their personal information using phishing
scams. The attacker then uses the account to make unauthorized transactions and
transfer funds.

P a g e 10 | 13
Cyber Security Notes

▪ Preventive Measures:
− Use strong, unique passwords and change them regularly.
− Enable account alerts for any unusual activity.
− Consider using biometric authentication if available.
4. Card Skimming
▪ Card skimming involves the illegal copying of a user’s credit or debit card information
using a skimming device when the card is swiped for payment. The scammers then use
the copied information to make fraudulent transactions.
▪ Preventive Measures:
− Check for tampering on card readers before using them.
− Use contactless payment methods where possible.
− Regularly monitor your account statements for any unauthorized charges.
5. Malware and Spyware:
▪ Malicious software designed to steal financial information from devices.
▪ Preventive Measures:
− Install and regularly update antivirus and anti-malware software.
− Avoid clicking on suspicious links or downloading unknown attachments.
− Keep your device's operating system and apps up to date.
6. Unauthorized Transactions:
▪ Transactions made without the account holder's knowledge or consent.
▪ Preventive Measures:
− Regularly check account statements for any unfamiliar transactions.
− Enable transaction notifications or alerts for your accounts.
− Report any unauthorized transactions to your bank or payment provider
immediately.
7. Social Engineering Attacks:
▪ Manipulating individuals to reveal confidential information.
▪ Preventive Measures:
− Be cautious of unsolicited calls or messages asking for personal information.
− Verify the identity of the person or organization before sharing any details.
− Educate yourself and your family about common social engineering tactics.

P a g e 11 | 13
Cyber Security Notes

RBI guidelines on digital payments and customer protection in unauthorized

banking transactions.

▪ The Reserve Bank of India (RBI) has put forth various guidelines regarding digital payments and
customer protection, particularly concerning unauthorized banking transactions.
▪ Here are some key aspects:
▪ Digital Payments:
1. Security Measures: RBI mandates that banks and financial institutions implement robust
security measures to safeguard digital transactions. This includes two-factor authentication,
encryption, and other security protocols.
2. Customer Awareness: Banks are required to educate customers about safe digital practices,
potential risks, and methods to secure their transactions. This could be through notifications,
SMS alerts, or educational campaigns.
3. Fraud Monitoring: Regular monitoring of transactions for any suspicious activity or
patterns to prevent fraudulent transactions is mandatory.
4. Prompt Redressal: There are provisions for customers to report unauthorized transactions
promptly. Upon receiving such reports, banks are obligated to investigate and resolve
complaints within a specific timeline.
▪ Customer Protection in Unauthorized Transactions:
1. Limited Liability of Customers: In cases of unauthorized transactions, if the customer
reports the transaction within a stipulated time frame, the customer's liability is limited. The
liability shift is from the customer to the bank, subject to certain conditions and
documentation.
2. Timely Reporting: Customers are encouraged to report unauthorized transactions or any
suspicious activity as soon as possible to minimize their liability.
3. Dispute Resolution: There is a defined process for dispute resolution between the
customer and the bank regarding unauthorized transactions.
4. Reversal of Transactions: The RBI mandates that banks have to ensure prompt reversal of
any unauthorized transaction within a specified time frame once it is reported by the
customer.
Relevant provisions of Payment Settlement Act,2007.
▪ The Payment and Settlement Systems Act, 2007 is an Indian legislation that provides the
regulatory framework for payment systems in India. Here are some of the relevant provisions:

P a g e 12 | 13
Cyber Security Notes

1. Regulation of Payment Systems: The Act establishes the Reserve Bank of India
(RBI) as the regulatory authority for payment systems in India. It aims to ensure the
stability, efficiency, and integrity of payment systems.
2. Designation of Payment Systems: The RBI has the authority to designate systems
for the purpose of the Act, allowing it to regulate and supervise various payment
systems in the country.
3. Licensing of Payment System Operators: The Act outlines provisions for the
licensing and regulation of payment system operators, ensuring that entities involved in
payment systems meet certain criteria and adhere to specified norms.
4. Oversight and Monitoring: The RBI is empowered to oversee and monitor payment
systems to ensure their smooth functioning, stability, and compliance with regulations.
5. Settlement Finality: The Act provides for settlement finality, meaning that once a
settlement in a payment system is deemed final, it cannot be revoked or reversed, except
in certain specified circumstances.
6. Establishment of Payment System Board: The Act establishes a Payment System
Board within the RBI to regulate and supervise payment systems more effectively.
7. Penalties and Enforcement: Provisions for penalties and enforcement mechanisms
are outlined in the Act to ensure compliance with its provisions and regulations set by
the RBI.
▪ These provisions and more are detailed in the Payment and Settlement Systems Act, 2007, aimed
at fostering a secure, efficient, and reliable payment system framework in India.

P a g e 13 | 13