EDI Layered architecture:

Electronic Data Interchange (EDI):

Electronic Data Interchange (EDI) is the interprocess communication of business information in standardized electronic form.

Prior to EDI, business depended on postal and phone systems that restricted communication to those few hours of the workday that overlap between time zones.

Why EDI?
• Reduction in transaction costs
• Foster closer relationships between trading partners
EDI & Electronic Commerce
• Electronic commerce includes EDI & much more
• EDI forges boundaryless relationships by improving the interchange of information
between trading partners, suppliers, & customers.
EDI layered architecture:
• Semantic (or application) layer
• Standards translation layer
• Packing (or transport) layer
• Physical network infrastructure layer

EDI semantic layer:
• Describes the business application
• Procurement example
– Requests for quotes
– Price quotes
– Purchase orders
– Acknowledgments
– Invoices
• Specific to company & software used

Standards translation layer:
• Specifies business form structure so that information can be exchanged
• Two competing standards
– American National Standards Institute (ANSI) X12
– EDIFACT, developed by the UN/ECE Working Party for the Facilitation
of International Trade Procedures
EDI transport layer:
• How the business form is sent, e.g. post, UPS, fax
• Increasingly, e-mail is the carrier
• Differentiating EDI from e-mail
– Emphasis on automation
– EDI has certain legal status
Physical network infrastructure layer:
• Dial-up lines, Internet, value-added network, etc.
Information flow with EDI:

1. Buyer sends purchase order to seller computer
2. Seller sends purchase order confirmation to buyer
3. Seller sends booking request to transport company
4. Transport company sends booking confirmation to seller
5. Seller sends advance ship notice to buyer
6. Transport company sends status to seller
7. Buyer sends receipt advice to seller
8. Seller sends invoice to buyer
9. Buyer sends payment to seller

Applications of EDI:
1. Role of EDI in international trade:
• Reduced transaction expenditures
• Quicker movement of imported & exported goods
• Improved customer service through "track & trace" programs
• Faster customs clearance & reduced opportunities for corruption, a huge problem in trade

2. Interbank Electronic Funds Transfer (EFT)
• EFT is a credit transfer between banks in which funds flow directly from the payer's
bank to the payee's bank.
• The two biggest funds transfer services in the United States are the Federal Reserve's
system, Fedwire, & the Clearing House Interbank Payments System (CHIPS) of the
New York Clearing House.
3. Health care & insurance EDI
• Providing good & affordable health care is a universal problem
• EDI is becoming a permanent fixture in both the insurance & health care industries for
medical providers, patients, & payers
• Electronic claim processing is quick & reduces the administrative costs of health care.
• Using EDI software, service providers prepare the forms & submit claims
via communication lines to the value-added network service provider
• The VAN provider then edits, sorts & distributes forms to the payer. If necessary, the
insurance company can electronically route transactions to a third party for price
evaluation
• Claim submitters also receive reports regarding claim status & requests for additional
information
4. Manufacturing & retail procurement using EDI
• These are heavy users of EDI
• In manufacturing, EDI is used to support just-in-time.
• In retailing, EDI is used to support quick response
EDI Protocols:
• ANSI X12
• EDIFACT
Comparison of EDIFACT & X12 Standards:

Both standards are composed of strings of data elements called segments.

A transaction set is a set of segments ordered as specified by the standard.

ANSI X12 requires each element to have a very specific name, such as order date
or invoice date.

EDIFACT segments allow for multi-use elements, such as a generic date.

EDIFACT has fewer data elements & segments & only one beginning segment
(header), but it has more composites.

It is an ever-evolving platform.
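The segment and transaction-set structure described above, as an added Python example that is not part of these notes: a small parser that splits an X12 interchange into segments and data elements and checks each ST..SE envelope (SE01 segment count, SE02 control number) before the set is handed to the application layer. The sample interchange, partner IDs and control numbers are constructed; the separators and the ST/SE element meanings are standard X12.

```python
"""Parse an ANSI X12 interchange into segments and data elements and check
that each ST..SE transaction set is well formed. Added example, not part of
the notes; separators, partner IDs and control numbers are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

ELEMENT_SEP = "*"   # X12 data element separator
SEGMENT_TERM = "~"  # X12 segment terminator


@dataclass
class Segment:
    tag: str             # segment identifier, e.g. "ST", "PO1"
    elements: list[str]  # data elements that follow the tag, in order


@dataclass
class TransactionSet:
    set_id: str          # ST01, e.g. "850" = purchase order
    control: str         # ST02, transaction set control number
    segments: list[Segment] = field(default_factory=list)


# Constructed sample: one 850 purchase order inside an ISA/GS envelope.
SAMPLE_X12 = (
    "ISA*00*          *00*          *ZZ*BUYERID        *ZZ*SELLERID       "
    "*240101*1200*U*00401*000000001*0*T*>~"
    "GS*PO*BUYERID*SELLERID*20240101*1200*1*X*004010~"
    "ST*850*0001~"
    "BEG*00*NE*PO-1001**20240101~"
    "PO1*1*10*EA*9.99**VP*WIDGET-1~"
    "CTT*1~"
    "SE*5*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def parse_segments(raw: str) -> list[Segment]:
    """Split an interchange into segments, each split into its elements."""
    segments = []
    for chunk in raw.split(SEGMENT_TERM):
        chunk = chunk.strip("\r\n")
        if not chunk:
            continue
        tag, *elements = chunk.split(ELEMENT_SEP)
        segments.append(Segment(tag, elements))
    return segments


def validate_transaction_sets(raw: str) -> tuple[list[TransactionSet], list[str]]:
    """Group segments into ST..SE sets and report envelope errors.

    SE01 must equal the segment count from ST through SE inclusive and SE02
    must repeat ST02; a mismatch means segments were added, dropped or the
    envelope rewritten, so the set should be rejected rather than processed.
    """
    sets: list[TransactionSet] = []
    errors: list[str] = []
    current: TransactionSet | None = None
    for seg in parse_segments(raw):
        if seg.tag == "ST":
            if current is not None:
                errors.append(f"set {current.control}: new ST before SE")
            current = TransactionSet(seg.elements[0], seg.elements[1], [seg])
        elif current is not None:
            current.segments.append(seg)
            if seg.tag == "SE":
                declared, actual = int(seg.elements[0]), len(current.segments)
                if declared != actual:
                    errors.append(f"set {current.control}: SE01 count {declared} != actual {actual}")
                if seg.elements[1] != current.control:
                    errors.append(f"set {current.control}: SE02 {seg.elements[1]} != ST02")
                sets.append(current)
                current = None
    if current is not None:
        errors.append(f"set {current.control}: no SE terminator")
    return sets, errors


def line_items(ts: TransactionSet) -> list[tuple[str, str, str]]:
    """Return (line number, quantity, unit price) for each PO1 segment."""
    return [(s.elements[0], s.elements[1], s.elements[3])
            for s in ts.segments if s.tag == "PO1"]


if __name__ == "__main__":
    # A line item spliced in without updating the SE count is caught.
    tampered = SAMPLE_X12.replace("CTT*1~", "PO1*2*500*EA*9.99**VP*WIDGET-2~CTT*2~")
    print(validate_transaction_sets(SAMPLE_X12)[1], validate_transaction_sets(tampered)[1])
```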

E-Marketing:
E-marketing is directly marketing a commercial message to a group of people using
email. In its broadest sense, every email sent to a potential or current customer could be
considered email marketing.

It usually involves using email to send ads, request business, or solicit sales or donations,
and is meant to build loyalty, trust, or brand awareness.

Email marketing can be done to either purchased lists or a current customer database. Broadly,
the term usually refers to sending email messages with the purpose of enhancing
the relationship of a merchant with its current or previous customers, encouraging
customer loyalty and repeat business, acquiring new customers or convincing current
customers to purchase something immediately, and adding advertisements to email
messages sent by other companies to their customers.
Advantages:

An exact return on investment can be tracked and has proven to be high when done
properly. Email marketing is often reported as second only to search marketing as the
most effective online marketing tactic.

Email marketing is significantly cheaper and faster than traditional mail, mainly because
of high cost and time required in a traditional mail campaign for producing the artwork,
printing, addressing and mailing.

Advertisers can reach substantial numbers of email subscribers who have opted in (i.e.,
consented) to receive email communications on subjects of interest to them.

Almost half of American Internet users check or send email on a typical day with email
blasts that are delivered between 1 am and 5 am local time outperforming those sent at
other times in open and click rates.

Email is popular with digital marketers, rising an estimated 15% in 2009 to £292 m in the
UK.

If compared to standard email, direct email marketing produces higher response rate and
higher average order value for e-commerce businesses.

Disadvantages:

According to a report issued by the email services company Return Path, as of mid-2008 email
deliverability was still an issue for legitimate marketers: legitimate
email servers averaged a delivery rate of 56%; twenty percent of the messages were
rejected, and eight percent were filtered.

Companies considering the use of an email marketing program must make sure that their
program does not violate spam laws such as the United States' Controlling the Assault of
Non-Solicited Pornography and Marketing Act (CAN-SPAM), the European Privacy and
Electronic Communications Regulations 2003, or their Internet service provider's
acceptable use policy.
Tele Marketing:

Telemarketing is a method of direct marketing in which a salesperson solicits prospective
customers to buy products or services, either over the phone or through a subsequent face-to-face
or Web conferencing appointment scheduled during the call.

Telemarketing can also include recorded sales pitches programmed to be played over the
phone via automatic dialing.

Telemarketing may be done from a company office, from a call center, or from home. It
may involve a live operator voice broadcasting which is most frequently associated with
political messages.

An effective telemarketing process often involves two or more calls. The first call (or
series of calls) determines the customer's needs. The final call (or series of calls)
motivates the customer to make a purchase. Prospective customers are identified by
various means, including past purchase history, previous requests for information, credit
limit, competition entry forms, and application forms. Names may also be purchased
from another company's consumer database or obtained from a telephone directory or
another public list. The qualification process is intended to determine which customers
are most likely to purchase the product or service.

Charitable organizations, alumni associations, and political parties often use
telemarketing to solicit donations. Marketing research companies use telemarketing
techniques to survey the prospective or past customers of a client's business in order to
assess market acceptance of or satisfaction with a particular product, service, brand, or
company. Public opinion polls are conducted in a similar manner.

Telemarketing techniques are also applied to other forms of electronic marketing using e-
mail or fax messages, in which case they are frequently considered spam by receivers.

Disadvantages:

Telemarketing has been negatively associated with various scams and frauds, such as
pyramid schemes, and with deceptively overpriced products and services.

Telemarketing is often criticized as an unethical business practice due to the perception
of high-pressure sales techniques during unsolicited calls.
Telemarketers marketing telephone companies may participate in telephone slamming,
the practice of switching a customer's telephone service without their knowledge or
authorization.

Telemarketing calls are often considered an annoyance, especially when they occur
during the dinner hour, early in the morning, or late in the evening.

Security Threats to E-commerce:

E-Commerce security requirements can be studied by examining the overall process, beginning
with the consumer and ending with the commerce server. Considering each logical link in the
commerce chain, the assets that must be protected to ensure secure e-commerce include client
computers, the messages travelling on the communication channel, and the web and commerce
servers – including any hardware attached to the servers. While telecommunications are certainly
one of the major assets to be protected, the telecommunications links are not the only concern in
computer and e-commerce security. For instance, if the telecommunications links were made
secure but no security measures were implemented for either client computers or commerce and
web-servers, then no communications security would exist at all.
Client threats
Until the introduction of executable web content, Web pages were mainly static. Coded in
HTML, static pages could do little more than display content and provide links to related pages
with additional information. However, the widespread use of active content has changed
this perception.
Active content: Active content refers to programs that are embedded transparently in web pages
and that cause action to occur. Active content can display moving graphics, download and play
audio, or implement web-based spreadsheet programs. Active content is used in e-commerce to
place items one wishes to purchase into a shopping cart and to compute the total invoice amount,
including sales tax, handling, and shipping costs. The best known active content forms are Java
applets, ActiveX controls, JavaScript, and VBScript.
Malicious codes: Computer viruses, worms and trojan horses are examples of malicious code. A
trojan horse is a program which performs a useful function, but performs an unexpected action as
well. Virus is a code segment which replicates by attaching copies to existing executables. A
worm is a program which replicates itself and causes execution of the new copy. These can
create havoc on the client side.
Server-side masquerading: Masquerading lures a victim into believing that the entity with
which it is communicating is a different entity. For example, if a user tries to log into a computer
across the internet but instead reaches another computer that claims to be the desired one, the
user has been spoofed. This may be a passive attack (in which the user does not attempt to
authenticate the recipient, but merely accesses it), but it is usually an active attack.
Communication channel threats
The internet serves as the electronic chain linking a consumer (client) to an e-commerce
resource. Messages on the internet travel a random path from a source node to a destination
node. The message passes through a number of intermediate computers on the network before
reaching the final destination. It is impossible to guarantee that every computer on the internet
through which messages pass is safe, secure, and non-hostile.
Confidentiality threats: Confidentiality is the prevention of unauthorized information
disclosure. Breaching confidentiality on the internet is not difficult. Suppose one logs onto a
website – say www.anybiz.com – that contains a form with text boxes for name, address, and e-
mail address. When one fills out those text boxes and clicks the submit button, the information is
sent to the web-server for processing. One popular method of transmitting data to a web-server is
to collect the text box responses and place them at the end of the target server's URL. The
captured data and the HTTP request to send the data to the server is then sent. Now, suppose the
user changes his mind, decides not to wait for a response from the anybiz.com server, and jumps
to another website instead – say www.somecompany.com. The server somecompany.com may
choose to collect web demographics and log the URL from which the user just came
(www.anybiz.com). By doing this, somecompany.com has breached confidentiality by recording
the secret information the user has just entered.
Integrity threats: An integrity threat exists when an unauthorized party can alter a message
stream of information. Unprotected banking transactions are subject to integrity violations.
Cyber vandalism is an example of an integrity violation. Cyber vandalism is the electronic
defacing of an existing website page. Masquerading or spoofing – pretending to be someone you
are not or representing a website as an original when it really is a fake – is one means of creating
havoc on websites. Using a security hole in a domain name server (DNS), perpetrators can
substitute the address of their website in place of the real one to spoof website visitors. Integrity
threats can alter vital financial, medical, or military information. It can have very serious
consequences for businesses and people.
Availability threats: The purpose of availability threats, also known as delay or denial threats, is
to disrupt normal computer processing or to deny processing entirely. For example, if the
processing speed of a single ATM machine transaction slows from one or two seconds to 30
seconds, users will abandon ATM machines entirely. Similarly, slowing any internet service will
drive customers to competitors' web or commerce sites.
Server threats
The server is the third link in the client-internet-server trio embodying the e-commerce path
between the user and a commerce server. Servers have vulnerabilities that can be exploited by
anyone determined to cause destruction or to illegally acquire information.
Web-server threats: Web-server software is designed to deliver web pages by responding to
HTTP requests. While web-server software is not inherently high-risk, it has been designed with
web service and convenience as the main design goal. The more complex the software is, the
higher the probability that it contains coding errors (bugs) and security holes – security
weaknesses that provide openings through which evildoers can enter.
Commerce server threats: The commerce server, along with the web-server, responds to
requests from web browsers through the HTTP protocol and CGI scripts. Several pieces of
software comprise the commerce server software suite, including an FTP server, a mail server, a
remote login server, and operating systems on host machines. Each of these pieces of software can
have security holes and bugs.
Database threats: E-commerce systems store user data and retrieve product information from
databases connected to the web-server. Besides product information, databases connected to the
web contain valuable and private information that could irreparably damage a company if it were
disclosed or altered. Some databases store username/password pairs in a non-secure way. If
someone obtains user authentication information, then he or she can masquerade as a legitimate
database user and reveal private and costly information.
Common gateway interface threats: A common gateway interface (CGI) implements the
transfer of information from a web-server to another program, such as a database program. CGI
and the programs to which they transfer data provide active content to web pages. Because CGIs
are programs, they present a security threat if misused. Just like web-servers, CGI scripts can be
set up to run with their privileges set to high – unconstrained. Defective or malicious CGIs with
free access to system resources are capable of disabling the system, calling privileged (and
dangerous) base system programs that delete files, or viewing confidential customer information,
including usernames and passwords.
Password hacking: The simplest attack against a password-based system is to guess passwords.
Guessing of passwords requires that access to the complement, the complementation functions,
and the authentication functions be obtained. If none of these have changed by the time the
password is guessed, then the attacker can use the password to access the system.

Security Requirements For E-Commerce:


Authentication:

This is the ability to say that an electronic communication (whether via email or web) does
genuinely come from who it purports to. Without face-to-face contact, passing oneself off as
someone else is not difficult on the internet.
In online commerce the best defence against being misled by an imposter is provided by
unforgeable digital certificates from a trusted authority (such as VeriSign). Although anyone can
generate digital certificates for themselves, a trusted authority demands real-world proof of
identity and checks its validity before issuing a digital certificate. Only certificates from trusted
authorities will be automatically recognized and trusted by the major web browser and email
client software.
Authentication can be provided in some situations by physical tokens (such as a driver's license),
by a piece of information known only to the person involved (e.g. a PIN), or by a physical
property of a person (fingerprints or retina scans). Strong authentication requires at least two
of these. A digital certificate provides strong authentication as it is a unique token and
requires a password for its usage.
Privacy:
In online commerce, privacy is the ability to ensure that information is accessed and changed
only by authorized parties. Typically this is achieved via encryption. Sensitive data (such as
credit card details, health records, sales figures etc.) are encrypted before being transmitted
across the open internet – via email or the web. Data which has been protected with strong 128-
bit encryption may be intercepted by hackers, but cannot be decrypted by them within a short
time. Again, digital certificates are used here to encrypt email or establish a secure HTTPS
connection with a web-server. For extra security, data can also be stored long-term in an
encrypted format.

Authorization:
Authorization allows a person or computer system to determine if someone has the authority to
request or approve an action or information. In the physical world, authentication is usually
achieved by forms requiring signatures, or locks where only authorized individuals hold the
keys.
Authorization is tied with authentication. If a system can securely verify that a request for
information (such as a web page) or a service (such as a purchase requisition) has come from a
known individual, the system can then check against its internal rules to see if that person has
sufficient authority for the request to proceed.
In the online world, authorization can be achieved by a manager sending a digitally signed email.
Such an email, once checked and verified by the recipient, is a legally binding request for a
service. Similarly, if a web-server has a restricted access area, the server can request a digital
certificate from the user's browser to identify the user and then determine if they should be given
access to the information according to the server's permission rules.

Integrity:
Integrity of information means ensuring that a communication received has not been altered or
tampered with. Traditionally, this problem has been dealt with by having tight control over
access to paper documents and requiring authorized officers to initial all changes made – a
system with obvious drawbacks and limitations. If someone is receiving sensitive information
online, he not only wants to ensure that it is coming from who he expects it to (authentication),
but also that it hasn't been intercepted by a hacker while in transit and its contents altered. The
speed and distances involved in online communications require a very different approach to this
problem from traditional methods.
One solution is afforded by using digital certificates to digitally "sign" messages. A travelling
employee can send production orders with integrity to the central office by using their digital
certificate to sign their email. The signature includes a hash of the original message – a brief
numerical representation of the message content. When the recipient opens the message, his
email software will automatically create a new hash of the message and compare it against the
one included in the digital signature. If even a single character has been altered in the message,
the two hashes will differ and the software will alert the recipient that the email has been
tampered with during transit.
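The hash-and-compare check described above, as an added Python example that is not part of these notes. A certificate-based signature signs the hash with the sender's private key; this example substitutes an HMAC over the hash under a constructed demo key so that it runs with the standard library alone, while the recipient-side logic (recompute the hash, compare it with the one carried in the signature) is exactly what the notes describe.

```python
"""Detect in-transit alteration of a signed message by re-hashing the received
body and comparing it with the hash carried in the signature. Added example,
not from the notes. The HMAC over the hash with DEMO_SIGNING_KEY stands in for
signing the hash with a certificate's private key; the verification steps are
the same as those the notes describe for an email client."""
import hashlib
import hmac

DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-credential"


def message_hash(body: bytes) -> str:
    """SHA-256 of the message content: the 'brief numerical representation'."""
    return hashlib.sha256(body).hexdigest()


def sign_message(body: bytes, key: bytes = DEMO_SIGNING_KEY) -> dict:
    """Sender side: hash the body, then sign the hash. The signature covers
    the hash, so the hash cannot be silently replaced along with the body."""
    digest = message_hash(body)
    signature = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hash": digest, "signature": signature}


def verify_message(msg: dict, key: bytes = DEMO_SIGNING_KEY) -> tuple[bool, str]:
    """Recipient side: first confirm the carried hash is the signer's, then
    recompute the hash of the received body and compare the two."""
    expected = hmac.new(key, msg["hash"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the values diverge through timing
    if not hmac.compare_digest(expected, msg["signature"]):
        return False, "signature invalid: carried hash is not the signer's"
    if not hmac.compare_digest(message_hash(msg["body"]), msg["hash"]):
        return False, "hash mismatch: body altered in transit"
    return True, "ok"


if __name__ == "__main__":
    order = b"Production order 4471: 500 units of part A-17, ship by Friday"
    signed = sign_message(order)
    print(verify_message(signed))                       # (True, 'ok')
    # A single changed character: the recomputed hash no longer matches.
    altered = dict(signed, body=order.replace(b"500", b"900"))
    print(verify_message(altered))                      # hash mismatch
    # Rewriting the carried hash to match the altered body still fails,
    # because the hash itself is what was signed.
    altered["hash"] = message_hash(altered["body"])
    print(verify_message(altered))                      # signature invalid
```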
Non-repudiation:
Non-repudiation is the ability to guarantee that once someone has requested a service or
approved an action, they cannot later deny having done so. Non-repudiation allows one to legally
prove that a person has sent a specific email or made a purchase approval from a website.
Traditionally non-repudiation has been achieved by having parties sign contracts and then have
the contracts notarized by trusted third parties. Sending documents involved the use of registered
mail, and postmarks and signatures to date-stamp and record the process of transmission and
acceptance. In the realm of e-commerce, non-repudiation is achieved by using digital signatures.
Digital signatures which have been issued by a trusted authority (such as VeriSign) cannot be
forged and their validity can be checked with any major email or web browser software. A digital
signature is only installed in the personal computer of its owner, who is usually required to
provide a password to make use of the digital signature to encrypt or digitally sign their
communications. If a company receives a purchase order via email which has been digitally
signed, it has the same legal assurances as on receipt of a physical signed contract.

Security policy for E-commerce:

The security policy may cover issues like:

• What service types (e.g., web, FTP, SMTP) users may have access to?
• What classes of information exist within the organization and which should be
encrypted before being transmitted?
• What client data does the organization hold? How sensitive is it? How is it to be
protected?
• What class of employees may have remote access to the corporate network?
• Roles and responsibilities of managers and employees in implementing the security
policy.
• How security breaches are to be responded to?

The security policy should also consider physical aspects of network security. For
example:

• Who has access to the corporate server?
• Is it in a locked environment or kept in an open office?
• What is the procedure for determining who should be given access?

The security policy regulates the activities of employees just as much as it defines how IT
infrastructure will be configured. The policy should include details on how it is to be enforced
and how individual responsibilities are determined.


For it to be effective, the policy needs regular testing and review to judge the security measures.
The review process needs to take into account any changes in technology or business practices
which may have an influence upon security. Lastly, the policy itself needs to be regarded as a
living document which will be updated at set intervals to reflect the evolving ways in which the
business, customers and technology interact.
Security Standards:
There are various standards pertaining to the security aspects of enterprises. Some of them are
• ISO 17799 (Information technology – Code of practice for information security
management) (ISO/IEC 2000).
• SSE-CMM (Systems security engineering – Capability maturity model) (SSE-CMM 2003).
• COBIT (Control objectives for information and related technology) (COBIT 2000).

ISO 17799 provides detailed guidelines on how a management framework for enterprise
security should be implemented. It defines ten security domains. Under each domain there are
certain security objectives to be fulfilled. Each objective can be attained by a number of controls.
The controls may prescribe management measures like guidelines and procedures, or
security infrastructure in the form of tools and techniques. It details various methods that
enterprises can follow to meet security needs for e-commerce. It covers the need for
security policies, security infrastructure, and continuous testing in
the same manner as has been detailed above.
The main objective of COBIT is the development of clear policies and good practices for
security and control in IT for worldwide endorsement by commercial, governmental and
professional organizations. The SSE-CMM is a process reference model. It is focused upon the
requirements for implementing security in a system or series of related systems that are in the
Information Technology Security domain.
