
Electronic Commerce

By Pete Loshin and John Vacca

The dot-coms may have busted, but e-commerce is alive and well. All types of companies
are embracing e-commerce methods and succeeding. From small to large, organizations
around the world are figuring out how to leverage the Internet as a business tool.

To win on the Internet, you must understand where the opportunity is today and how to
prepare for tomorrow. This book is a guide to reality. It shows you where there is
opportunity. It also shows you how to benefit from using the Internet as a practical
business tool and how to reap benefits quickly and permanently. This book shows you
how to succeed in a competitive environment without having to spend millions of dollars
doing so.

You need to know the building blocks, but you also need to know how to put those blocks
together in a winning combination to build a good foundation for your business to grow
and thrive in the world of electronic commerce. The blocks are just like parts to a puzzle.
They will not work unless you properly combine tools, methods, and know how to
exploit opportunity. This book explains Internet business models, business applications
that can be supported on the Internet, and how companies can benefit from using new
models and new tools.

After you learn about the parts and how to put them together to supercharge your
company, you will also need to know how and where to drive your new business
machine. Other how-to-do-business-on-the-Internet books leave you high and dry and
never tell you how to drive. This book shows you how to drive your business like a race
car, how to steer through uncertainty, and how to grip the road so you do not end up in a
dot-com graveyard.

But, you will need more than just the gas pedal if you are going to succeed in electronic
commerce. Entering the world of electronic commerce is like going on a safari or
expedition into unexplored lands. You need to be able to navigate your business into
uncharted territory. You need balance, intuition, and considerable daring if you are going
to maximize the tools of the Internet. You need to know where the edge of the cliff is and
how to not fall off, like so many of those who came before you. That is the big payoff of
this book.

Michael Erbschloe
Educator, Author, and Technology Strategist
Carlsbad, California

Recent studies suggest that e-commerce is maturing, taking its place as just another retail
channel, and riding the same ups and downs as any of the traditional channels. It is a
piece of news with mixed implications. Perhaps by now, some of the lingering fears about
e-commerce are fading. Or, perhaps e-commerce is losing momentum. The studies raise
more questions than they answer! But, regardless of whether e-commerce needs to
recapture, maintain, or increase its momentum, there are ways that e-commerce may
enhance its appeal. E-commerce may take advantage of technologies designed to make
communications, self-service, and human-computer actions more natural. E-commerce
may avail itself of technologies such as speech recognition and text-to-speech,
encompassing the functionality of interactive voice response, and talking Web voice
portals. Then, e-commerce may train its ears to recognize calls to even greater success.

If you accept that e-commerce is enjoying growth because consumers perceive that it is
secure and convenient, you might ask whether e-commerce could enjoy even more
growth if its security and convenience could be enhanced. No doubt e-commerce could
stand improvement in these respects. No doubt e-commerce users harbor lingering fears
over credit card usage and the safety of personal information.

To the extent there is interest in improving e-commerce, and in promoting additional
growth, there are opportunities for those who may offer communications solutions. For
example, communications solutions could broaden the appeal of e-commerce, helping it
encompass more than PC-based, browser-mediated interactions. E-commerce could be
more natural. It could accommodate the natural, human preference to speak and listen,
instead of confining users to point-and-click interfaces.

The most obvious solution—broad deployment of multimedia PCs, accompanied by a
proliferation of e-tailers capable of managing multimedia sessions, not to mention wider
availability of residential broadband connectivity—is hardly the only solution. Many
potential customers will lack multimedia terminals and broadband connectivity for some
time to come. In any case, many potential customers will balk at always being tied to a
desktop PC. They’ll insist on being mobile, relying on mobile phones and
telemetric-equipped autos. And, whether they’re driving or not, potential customers won’t be too
eager to navigate the limited interfaces presented by tiny keypads and tiny screen

For customers relying on phones or mobile devices, convenience may come down to
whether they’ll be able to speak and listen their way through commercial transactions.
Such convenience, although seldom raised in mainstream discussions of e-commerce, is a
subject of abiding concern in the communications solutions marketplace. In this
marketplace (through applications such as interactive voice response [IVR]), you’re
already familiar with the challenges of voice-enabling customer interactions. And, you’re
already familiar with the trade-offs posed by efforts to maximize convenience.
Furthermore, you’re also already familiar with the need to consolidate the management of
multiple customer interaction channels.

Although maximizing convenience is a laudable goal, so is minimizing expense.

Attempts to negotiate this trade-off have had mixed success. For example, IVR has often
been deployed in such a way that customers could be forgiven for wondering if IVR isn’t
more convenient for the seller than it is for the buyer. Seemingly interminable scripts,
intricate menus, and incessant prompts for Touch-Tone input have given IVR a less than
stellar reputation. And yet, although IVR may be deployed as a convenience to contact
centers and conserving costly live-agent resources, it may also be deployed sensibly, with
restraint, extending the hours of business operations beyond the workday, providing for
agent intervention when agents are available. Moreover, IVR may be subordinated to
highly integrated customer relationship management (CRM) applications, allowing
contact centers (or interaction centers) to accommodate shifting customer preferences
with respect to communications media, while ensuring consistency in the fulfillment of
customer demands, regardless of which communications channels convey these demands.

With the preceding in mind, this book introduces the issues involved in bringing business
to the Internet—the obstacles to online commerce as well as the advantages. After the
issues have been laid out, I will explain how advances in cryptography make it possible
to transmit business information across unreliable and insecure networks, reliably and
securely. After the general concepts have been presented, different current commercial
schemes and systems are discussed in their proper perspective. After the various schemes
have been examined, other relevant and related issues can be discussed, including digital
currencies, techniques for marketing on the Internet, and related services available to the
online merchant.

Appendixes include an Internet and networking glossary, a guide to locating the most
current and complete electronic commerce resources on the Internet, a list of EDI codes,
a complete listing of the major e-commerce conferences and trade shows, and several
e-commerce case studies.

Chapter 1: What Is Electronic Commerce?

In a remarkably short time, the Internet has grown from a quirky playground into a vital,
sophisticated medium for business, and, as the Web evolves further, the threshold for
conducting successful business online will move increasingly higher. Online consumers
are flooding to the Internet, and they come with very high expectations and a degree of
control that they did not have with traditional brick-and-mortar companies. Businesses,
too, are rushing to join the Internet revolution, and new, viable competitors are emerging
in all industries.

This chapter details introductory strategies and priorities for electronic commerce, which
sets the stage for the rest of the book. It also describes how the platform, portal, and
partners are critical to solving business problems in the four most common areas of
electronic commerce: direct marketing, selling, and service; value chain integration;
corporate purchasing; and financial and information services.

Chapter 2: Types of E-Commerce Technology

In addition to a general discussion of e-commerce technology, this chapter also covers
various business-to-business connectivity protocols between procurement systems,
private marketplaces, and suppliers. The chapter describes how WCBE-based suppliers
and private marketplaces can connect to diverse procurement systems, other suppliers,
and external private marketplaces. Specifically, the chapter shows how WCBE-based
suppliers and WCS MPE-based marketplaces can connect to buyers at procurement
systems that use punchout, such as Ariba, Commerce One, and mySAP. The chapter then
describes how a WCS MPE-based supplier or private marketplace could originate a
punchout process in order to connect to either an external supplier or another private

Next, the chapter outlines the types of trading mechanisms that can be supported by
existing punchout protocols and the asynchronous trading mechanisms, such as request
for quotations (RFQs), that require extensions to the punchout mechanisms. The chapter
also describes B2B/M2M Protocol Exchange, a tool that IBM has implemented that can
map between various protocols used by different procurement systems. Although this
chapter focuses on the external partner business-to-business (B2B) protocols, a large part
of the integration effort for suppliers is the tie-in to internal processes, such as the
processes to handle purchase orders.

Chapter 3: Types of E-Business Models and Markets

To be successful, e-businesses must have a continuous optimization business strategy,
solid knowledge management practices, and integrated business process domains. No
matter what the business, the e-business model processes are the same.

This chapter discusses why the e-business market affords organizations of all sizes and
types the opportunity to leverage their existing assets, employees, technology
infrastructure, and information to gain or maintain market share. Finally, the chapter
discusses the need for an integrated value chain and challenges e-business to optimize its
intellectual assets and its investments in core business systems in order to deliver its
products and services to an unpredictable market.

Chapter 4: Types of E-Commerce Providers and Vendors

Selling online has become an imperative for retailers and an increasing number of
manufacturers. Recognizing that a 13% loss in customers can completely eliminate the
profitability of their offline stores, retailers have raced to drive e-commerce growth to
$66 billion in 2003 (5.7% of U.S. retail). By mid-2004, over 94% of the largest U.S.
retailers (over $50 billion in annual sales) will be e-commerce enabled. And, for midsized
retailers ($800 million to $50 billion in sales), over 74% will be selling online. Yet these
adopters face a fundamental challenge: using the first generation buy/build model, many
cannot make money at e-commerce, but none can afford to avoid trying. For most of
them, owning and operating an e-commerce infrastructure does not make economic or
operational sense.

With the preceding in mind, this chapter examines types of e-commerce service providers
(ESPs) and vendors. It addresses three topics: why many early adopters have struggled
with the first generation buy/build approach, how the next-generation ESP model delivers
complete, one-stop online sales channels, and which major advantages companies gain by
outsourcing their e-commerce infrastructure. You will also learn how an ESP model
enables manufacturers and retailers to achieve profitability at $40 million to $180 million
in online sales, focus your organization on real profit drivers—not technology, ensure
reliability and scalability in your Web site and order processing, avoid managing
numerous integrations and third-party service relationships, and upgrade functionality
continuously and seamlessly over time.

Chapter 5: E-Commerce Web Site Creation

This chapter helps you discover new integrated services that make it easier than ever to
secure your Web site and accept online credit card payments. You will also learn how to
create an e-commerce Web site as well as how to avoid the risks and challenges involved
in e-commerce trust, the best way to secure and authenticate your site so your customers
feel comfortable providing sensitive information, and how to enable your site to process
online payments in seconds—including credit and debit cards.

Chapter 6: Managing E-Commerce Web Site Development

Electronic commerce is quickly shaping up to be the way business will be conducted in
the future. This chapter takes a look at how an e-commerce Web site is managed as it is
being developed. In other words, this chapter is not necessarily about electronic
commerce in general. It is actually an exercise in building and managing a
business-to-consumer electronic commerce site. In addition, this chapter does not discuss
management concepts or other tools available to implement e-commerce, but focuses
exclusively on Web site servers.

Chapter 7: Building Shopping Cart Applications

To generate Hyper Text Markup Language (HTML), servlets must supply formatted
strings to println() calls. This technique clogs Java™ code with line after line of hard-to-
comprehend HTML. Furthermore, when servlets generate HTML, Web page design
requires programmers. JavaServer Pages (JSP) pull HTML out of Java code and create a
role for HTML designers. Site development can proceed along parallel tracks (Java
design and HTML design), thereby delivering a Web site faster. JavaServer Pages also
encourage loose coupling between business logic components and presentation
components, thereby making reuse of both more likely. The shopping cart application
discussed in this chapter examines the role of JSP in Web architectures and offers a
practical example of how to get the most out of your e-business applications.

Chapter 8: Mobile Electronic Commerce

The demand for and use of mobile technologies is increasing at a phenomenal rate.
Simultaneously, the underlying landscape of mobile technologies is changing rapidly,
creating the need for solutions to facilitate the long-term growth and success of mobile
enterprise initiatives. This chapter discusses how important it is for software vendors to
provide comprehensive solutions to manage, secure, and maintain the mobile
application’s infrastructure, while fostering development, integration, and access to
applications and information over wireless media.

Chapter 9: Enhancing a Web Server with E-Commerce Application Development

Today, businesses take a pragmatic view of investments in information technology (IT).
For IT managers, the key to success is to provide the maximum business value for the
minimum cost. This chapter shows how IT must align enhanced server-based application
development and operations with the needs and priorities of the business.

Chapter 10: Strategies, Techniques, and Tools

The e-business revolution that began in 1997 is proceeding at a revolutionary pace—which
is to say that it is proceeding rapidly, but not uniformly and not always in the ways that
were predicted. This chapter discusses how some e-business industries are moving ahead
as fast as technologies permit, and some are taking a wait-and-see attitude.

Chapter 11: Implementing Merchandising Strategies

The Internet is changing the basis of competition for companies of all sizes. Although
many successful formulas for e-business development now exist, most are based on one
of the following merchandising strategies: Web entrepreneurship, virtual build-out, and
operations improvement. This chapter explains how each strategy relies not only on a
great Web site, but also on high-quality, system-ready information about products and the
merchandising programs that drive sales.

Chapter 12: Implementing E-Commerce Databases

In just over seven years, e-commerce database technology has become the common user
interface of choice for many information dissemination systems, whereas relational
database management systems (RDBMS) have been the cornerstone of information
warehousing for years. The integration of the two technologies has made rapid advances
over the last few years. This rapid explosion has led to new challenges for IT managers
and developers. There are several competing technologies available that often do not
address the issues of heterogeneous environments and Web-based application
development. This chapter addresses the challenges of designing and implementing
e-commerce database-integrated Web sites. Furthermore, it focuses on e-commerce
database-Web integration difficulties in heterogeneous database environments.

Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development

An organization can effectively address business problems, realizing immediate returns
on investment in technology. This chapter very briefly shows how a fully Web
commerce-integrated, Windows-based development environment for building, testing,
and deploying Web applications meets e-business intelligence (e-BI) application
development solution criteria very effectively. This chapter also examines the business
and technical requirements for applying and managing e-BI tools for application
development solutions.

Chapter 14: Types of Security Technologies

Today, more than ever, organizations are challenged with improving security without
incurring a corresponding increase in cost or burden to their existing staff. By comparing
the benefits that a new product will provide to the total cost of that product, organizations
will make better choices that ultimately lead to greater security. Leveraging existing
products is quite often the quickest way to improving both security and the bottom line.
Finally, in many cases, organizations can address most of their e-commerce application
concerns or problems with the products they already own. With the preceding in mind,
this part of the chapter very briefly highlights emerging threats specific to e-commerce
application security and provides guidance on effective approaches to e-commerce
application protection.

Chapter 15: Protocols for the Public Transport of Private

Creating a high-security, high-performance e-business infrastructure demands close
coordination of both technical and management policies and procedures. This chapter
discusses how e-business security is evolving from an old notion of an information
fortress that keeps others out, to a new notion of privacy and trust as you give customers,
partners, and remote employees access to your business data.

Chapter 16: Building an E-Commerce Trust Infrastructure

Businesses that can manage and process e-commerce transactions can gain a competitive
edge by reaching a worldwide audience, at very low cost. This chapter discusses how the
Web poses a unique set of trust issues, which businesses must address at the outset to
minimize risk. Customers submit information and purchase goods or services via the Web
only when they are confident that their personal information, such as credit card numbers
and financial data, is secure.

Chapter 17: Implementing E-Commerce Enterprise Application Security Integration

This chapter explores e-commerce enterprise application security integration and new
technology’s support of rapid deployment of secure e-commerce applications. The
technology, based on the integration of distributed component computing and information
security, represents new power to mount secure, scalable e-commerce services. The
chapter also describes how security enables new e-commerce applications that were not
previously feasible, and how e-commerce solutions create new security responsibilities.
Next, the chapter describes the many challenges of enforcing security in
component-based applications. Finally, the chapter formally introduces Enterprise Application
Security Integration (EASI), which is used to tie together many different security
technologies and, as a result, provides the framework for building secure component

Chapter 18: Strong Transaction Security in Multiple Server

For the strongest, most reliable protection of your client-browser communications, Secure
Sockets Layer (SSL) certificates are widely recognized as the industry standard. SSL
certificates allow your Internet site or corporate network to enable SSL encryption, which
authenticates your server and guarantees against alteration and interception of data.

This chapter provides you with a basic introduction to digital ID technology and SSL
certificates. It then lays out the reasons you might consider managed PKI for SSL
certificates as an alternative to one-by-one purchasing. Finally, it presents the features
you can expect if you decide managed PKI for SSL certificates is right for your

Chapter 19: Securing and Managing Your Storefront for E-

With its worldwide reach, the Web is a lucrative distribution channel with unprecedented
potential. By setting up an online storefront, businesses can reach the millions of people
around the world already using the Internet for transactions. In addition, by ensuring the
security of online payments, businesses can minimize risk and reach a far larger market:
the 89 percent of Internet users who still hesitate to shop online because of security

This chapter is a continuation of Chapter 18, with very detailed explanations of key
issues related to online storefront security. It also describes the technologies that are used
to address the issues, and provides step-by-step instructions for obtaining and installing
an SSL certificate.

Chapter 20: Payment Technology Issues

Online payment processing requires coordinating the flow of transactions among a
complex network of financial institutions and processors. Fortunately, technology has
simplified this process so that, with the right solution, payment processing is easy, secure,
and seamless for both you and your customers. This chapter provides you with what you
need to know about online payment processing issues: online payment processing basics,
the payment processing network, how payment processing works, what you should know
about fraud, and what to look for in a payment processing solution. After you’ve read this
chapter, you’ll understand the issues and essential elements of accepting payments online,
the most important step in putting your Web site to work for you.

Chapter 21: Electronic Payment Methods Through Smart Cards

The payment card has been in existence for many years. It started in the form of a card
embossed with details of the cardholder (account number, name, expiration date), which
could be used at a point of sale to purchase goods or services. The magnetic stripe was
soon introduced as a means of holding more data than was possible by embossing alone.
In the end, the smart card appeared. That’s what this chapter is all about!

Chapter 22: Electronic Payment Systems

The payment stage of any electronic bill presentment and payment (EBPP)
implementation must be able to integrate tightly with accounts receivable (A/R) and
accounts payable (A/P) systems, support backend payment-processing workflows and
procedures, and provide detailed reporting capabilities. With the preceding in mind, this
chapter is about electronic payment systems.

Chapter 23: Digital Currencies

This chapter discusses the market implications of adopting electronic payment systems
and digital currencies in electronic commerce. The key to understanding and exploiting
electronic commerce is to recognize it as a market mechanism, in which all components
of a market interact and must be analyzed collectively. For example, electronic payment
systems bring more than lowered transaction costs, affecting product choices, pricing,
and competition. This chapter also examines economic implications of electronic
payment systems—especially micropayments enabled by digital currencies in terms of
size advantage, the lemons problem, digital product pricing, product differentiation—the
commoditization of consumer information and advertisements, and copyrights. In short,
electronic payment systems are one of the critical factors that allow process innovations
via electronic commerce. Finally, these process innovations may either promote
competitive and efficient markets or worsen the trend toward the vertical integration and
monopolization in the globalized economy.

Chapter 24: International E-Commerce Solutions

The Internet connects potential customers with merchants in many different countries.
This chapter discusses how international e-commerce payment solutions provide a
channel for money to cross oceans and borders.

Chapter 25: Business-to-Business and Business-to-Consumer

To help companies make informed decisions and capitalize on the right opportunities, this
chapter discusses solutions designed to help companies integrate business partners more
effectively. Although this notion encompasses a wide range of business challenges and
solutions (including supply chain management, procurement, and CRM), this chapter
focuses specifically on one concept: supplier enablement. The supplier enablement
initiative and technology solutions (whether they be B2B or B2C) are aimed at helping
companies of all sizes to sell to their trading partners more effectively by integrating with
customers’ procurement systems, e-marketplaces, and other electronic sales channels—all
from a single e-business foundation. No matter how large or small a business is, or how
complex or simple its business processes, supplier enablement solutions will make it
easier for your company to reach its customers through whatever purchasing method they

Chapter 26: Summary, Conclusions, and Recommendations

Finally, this chapter summarizes and explores some of the implications to both business
and business computing of the continuing evolution of e-business. The chapter also
discusses decision points and the fundamental importance of something even more
critical to e-business success: ease of integration. This part of the chapter pinpoints 15
essential best practices or recommendations for effective e-service.

Part I: Overview of E-Commerce

Chapter List

Chapter 1: What Is Electronic Commerce?
Chapter 2: Types of E-Commerce Technology
Chapter 3: Types of E-Business Models and Markets
Chapter 4: Types of E-Commerce Providers and Vendors

Chapter 1: What Is Electronic Commerce?

“It is impossible for ideas to compete in the marketplace if no forum for their
presentation is provided or available.”

—Thomas Mann (1875–1955)

Electronic commerce is doing business online. It is about using the power of digital
information to understand the needs and preferences of each customer and each partner to
customize products and services for them, and then to deliver the products and services as
quickly as possible. Personalized, automated services offer businesses the potential to
increase revenues, lower costs, and establish and strengthen customer and partner
relationships. To achieve these benefits, many companies today engage in electronic
commerce for direct marketing, selling, and customer service; online banking and billing;
secure distribution of information; value chain trading; and corporate purchasing.

Although the benefits of electronic commerce systems are enticing, developing,
deploying, and managing these systems is not always easy. In addition to adopting new
technology, many companies will need to reengineer their business processes to
maximize the benefits of electronic commerce.

An electronic commerce strategy should help deliver a technology platform, a portal for
online services, and a professional expertise that companies can leverage to adopt new
ways of doing business. Platforms are the foundation of any computer system. An e-
commerce platform should be the foundation of technologies and products that enable
and support electronic commerce. With it, businesses can develop low-cost, high-value
commerce systems that are easy to grow as business grows. An e-commerce platform’s
breadth should also be unmatched, ranging from operating systems to application servers,
to an application infrastructure and development tools, and to a development system.

Portals are the crossroads of the Internet, where consumers gather and where businesses
can connect with them. Companies normally provide customers with a wide range of
choices for professional implementation services and tightly integrated software for
commerce solutions. Independent software vendors (ISVs) have created specialized
commerce software components that extend the platform.

This chapter details introductory strategies and priorities for electronic commerce, which
sets the stage for the rest of the book. It also describes how the platform, portal, and
partners are critical to solving business problems in the four most common areas of
electronic commerce: direct marketing, selling, and service; value chain integration;
corporate purchasing; and financial and information services.

E-Commerce: Doing Business on the Internet

Businesses communicate with customers and partners through channels. The Internet is
one of the newest and, for many purposes, best business communications channels. It is
fast, reasonably reliable, inexpensive, and universally accessible—it reaches virtually
every business and more than 200 million consumers. Doing business online is electronic
commerce, and there are four main areas in which companies conduct business online
today: direct marketing, selling, and service; online banking and billing; secure
distribution of information; and value chain trading and corporate purchasing.

Direct Marketing, Selling, and Service

Today, more Web sites focus on direct marketing, selling, and service than on any other
type of electronic commerce. Direct selling was the earliest type of electronic commerce,
and has proven to be a stepping-stone to more complex commerce operations for many
companies. Successes such as Amazon.com, Barnes & Noble, Dell Computer, and the
introduction of e-tickets by major airlines, have catalyzed the growth of this segment,
proving the reach and customer acceptance of the Internet. Across consumer-targeted
commerce sites, there are several keys to success:

• Marketing that creates site visibility and demand, targets customer segments with
personalized offers, and generates qualified sales leads through observation and
analysis of customer behavior.
• Sales-enhancing site design that allows personalized content and adaptive selling
processes that do more than just list catalog items.
• Integrated sales-processing capabilities that provide secure credit card
authorization and payment, automated tax calculation, flexible fulfillment, and
tight integration with existing backend systems, such as inventory, billing, and
• Automated customer service features that generate responsive feedback to
consumer inquiries, capture and track information about consumer requests, and
automatically provide customized services based on personal needs and interests.

This business-to-consumer (B2C) electronic commerce increases revenue by
reaching the right customers more often. Targeted and automated up-selling and
cross-selling are the new fundamentals of online retailing. Sites that most
frequently provide the best and most appropriate products and services are
rewarded with stronger customer relationships, resulting in improved loyalty and
increased value.

Financial and Information Services

A broad range of financial and information services are performed over the Internet
today, and sites that offer them are enjoying rapid growth. These sites are popular because
they help consumers, businesses of all sizes, and financial institutions distribute some of
their most important information over the Internet with greater convenience and richness
than is available using other channels. For example, you have:

• Online banking
• Online billing
• Secure information distribution

Online Banking

Consumers and small businesses can save time and money by doing their banking on the
Internet. Paying bills, making transfers between accounts, and trading stocks, bonds, and
mutual funds can all be performed electronically by using the Internet to connect
consumers and small businesses with their financial institutions.

Online Billing

Companies that bill can achieve significant cost savings and marketing benefits through
the use of Internet-based bill-delivery and receiving systems. Today, consumers receive
an average of 23 bills per month by mail from retailers, credit card companies, and

Secure Information Distribution

To many businesses, information is their most valuable asset. Although the Internet can
enable businesses to reach huge new markets for that information, businesses must also
safeguard that information to protect their assets. Digital Rights Management provides
protection for intellectual and information property, and is a key technology for secure
information distribution.

Maintenance, Repair, and Operations (MRO)

The Internet also offers tremendous time and cost savings for corporate purchasing of
low-cost, high-volume goods for maintenance, repair, and operations (MRO) activities.
Typical MRO goods include office supplies (such as pens and paper), office equipment
and furniture, computers, and replacement parts. The Internet can transform corporate
purchasing from a labor- and paperwork-intensive process into a self-service application.
Company employees can order equipment on Web sites, company officials can
automatically enforce purchase approval and policies through automated business rules,
and suppliers can keep their catalog information centralized and up-to-date. Purchase
order applications can then use the Internet to transfer the order to suppliers. In response,
suppliers can ship the requested goods and invoice the company over the Internet. In
addition to reduced administrative costs, Internet-based corporate purchasing can
improve order-tracking accuracy, better enforce purchasing policies, provide better
customer and supplier service, reduce inventories, and give companies more power in
negotiating exclusive or volume-discount contracts. In other words, the Internet and e-
business have changed the way enterprises serve customers and compete with each other,
and have heightened awareness for competing supply chains (see sidebar, “Supply Chain

Supply Chain Management

Supply chain management (SCM) is changing as companies continue to look for ways to
respond faster, improve service for customers, and maximize sales while decreasing
costs. SCM solutions must support highly configurable products, such as computers and
automobiles, global markets with local specifications, and widely dispersed suppliers and
partners. Yet most companies’ SCM solutions are linear, sequential, and designed for
controlled conditions. They rely on accurate forecasting of demand, but are disconnected
from the actual demand. Decisions are made centrally, and changes typically take days,
weeks, or even months. However, companies increasingly need to respond to changes in
hours and minutes. Supply chains in this century must be adaptive and provide greater
visibility, velocity, flexibility, and responsiveness to enable enterprise value networks to
adapt to changes in supply and demand in real time.

Management Shift

As supply chain networks extend across organizational and geographic boundaries,
companies must find ways to manage the unmanageable. The future of supply chain
management lies in the ability of the enterprise to respond instantaneously to shifts in
global supply and demand, and to major events that occur across extended supply chain
processes. The faster a supply network can adapt to these events, the more value that will
be created. For example, with Walldorf, Germany-based SAP® mySAP™ Supply Chain
Management (mySAP™ SCM), enterprise systems supplier SAP is delivering what it
believes is the most adaptive supply chain management solution available on the market.
In addition, SAP is developing adaptive-agent technology and repair-based optimization
that is expected to enable the next generation of adaptive solutions and services.

Supply chain management is now the key to increasing and sustaining profitability. In
fact, Stamford, Connecticut-based Gartner Group recently predicted that 91 percent of
leading companies that fail to leverage supply chain management would forfeit their
status as preferred vendors.

According to SAP, mySAP SCM has demonstrated bottom-line benefits for its users. For
example, New York, N.Y.-based Colgate-Palmolive increased forecast accuracy to 98
percent, reduced inventory by 13 percent, and improved cash flow by 13 percent. The
reason: mySAP SCM enables end-to-end integration of supply chain planning, execution,
networking, and coordination.

The Profits of Adaptive

Proponents of adaptive supply chain networks say that by sharing information about
customer demand with all partners simultaneously—rather than in the traditional,
sequential fashion, with its inherent delays—network partners can act more like a single
entity to stay in-sync with customer needs.

The adaptive supply chain network puts the customer at the center of all activities in the
supply chain, which allows companies to improve overall costs and profits across the
network, instead of just shifting costs to other parts of the supply chain. Given the
dynamics of today’s markets, manufacturers need to rethink their business model on an
almost continuous basis, keep redefining markets and pricing, serve ever-smaller
customer niches, and provide increasingly customized products.

Internal integration helps enterprises break down functional silos and share actionable
information. The adaptive supply chain network relies upon real-time integration of all
supply chain systems, including networking, planning, execution, coordination, and
performance-management systems. But, it also requires integration across systems that
support a variety of functions beyond the traditional supply chain.

Customer relationship management (CRM) is about capturing customer requirements,
building life-long customer relationships and brand value, and influencing demand
through promotions. This information must be fed back into the supply chain network to
improve planning. Although this flow of information generally does not occur now, it
represents the key to customer-segmentation strategies and effective demand
management, which will lead to increasing overall profitability. Customer feedback and
trends must also drive product development to ensure that products are designed
according to customer requirements.

In addition, integration between a product life-cycle management (PLM) system and an
SCM solution reduces time-to-market for new products and ensures that engineering
changes are seamlessly integrated back into manufacturing. Last but not least, aligning a
company’s business model with operational capability requires engineering and sourcing
products differently. To support mass customization and postponement strategies,
products tend to be designed in a modular fashion and sourced from fewer strategic
suppliers. Close collaboration with these suppliers on product design is essential to
reduce time-to-market, increase product quality, and ensure that products are designed for

With that kind of integration, a superior understanding of the customer drives everything
—CRM, product design, supply chain operations, and even the value proposition of the
entire network. In an adaptive supply chain network, SCM, CRM, and PLM must all
work together. That is the hallmark of a truly customer-centric organization—and the key
to profitability.

Competitive Advantage

Making adaptive supply chains a reality means fundamental changes in a company’s
internal operations, starting with the integration of processes and systems across
organizational boundaries. Then, companies can leverage the increased visibility within
and across organizations to achieve change in their supply chain processes, including
functionality for the following.

Adaptive Planning

Today, most supply chain planning and scheduling systems rely primarily upon historical
data collected from enterprise resource planning (ERP) and legacy systems. However, as
companies aim to create virtually “inventory-less” supply chains, they require the ability
to realign demand and supply almost continuously to consider the latest demand situation
and supply status. Adaptive planning replaces batch-oriented, period planning with an
event-driven, real-time response to demand signals and changing supply situations.

Dynamic Collaboration

Traditional supply chains rely mostly upon inventory and assets, but the adaptive supply
chain network is information-based—it uses shared data for planning and execution
processes. By incorporating data garnered from collaborative processes (such as vendor-
managed inventory [VMI]; collaborative planning, forecasting, and replenishment
[CPFR]; collaborative supply management; and collaborative transportation
management), these networks replace inventory and capacity buffers (long used to make
up for a lack of supply chain visibility) with information.

Distributed Execution

Most execution systems are ill-prepared to support the emerging virtual supply network.
Distributed execution considers the distributed nature of processes in a world of
outsourcing, in which multiple partners in the extended network might manage a single
process. Distributed execution allows the management of processes across different ERP
systems by supporting cross-system integration and collaboration.

Event-Driven Coordination

Today, even small disruptions in supply chains initiate a wave of e-mails, faxes, and
phone calls just to keep pace with the problem. Adaptive supply chain networks address
the challenge of managing the virtual enterprise through up-to-the minute monitoring and
control of business processes and the rapid, intelligent resolution of exceptions. Event-
driven coordination complements adaptive planning by trying to solve supply chain
exceptions locally to support existing, optimized plans. The result? Faster response to
market changes and instantaneous adaptation to customer needs across the enterprise and
the network.

Continuous Performance Management

Most executives would agree that consistent performance metrics are the key to steering
the behavior of individuals and reconciling conflicting goals across functional areas.
However, key performance indicators (KPIs) also play a major role in managing
collaborative processes and in providing decision makers with actionable information to
increase the quality and speed of decisions.

Continuous performance management enables closed-loop learning processes by
allowing the company to measure the quality of processes constantly, and by feeding this
information back into supply chain planning. Besides addressing the need for consistent
performance metrics, companies are increasingly complementing supply chain KPIs with
balanced scorecards to get a level view of the state of the organization, and to align
operational targets with strategic objectives across functional silos.

Combined, these elements enable companies to implement closed-loop learning processes
across the supply network. In business, the ability to adapt to change is increasingly
important. For those who do it right, the adaptive supply chain network will be an
important competitive weapon. Those who don’t may well become the dinosaurs of their
industries [4].

Value Chain Integration

No other business model highlights the need for tight integration across suppliers,
manufacturers (see sidebar, “The Manufacturing E-Commerce Bottom Line”), and
distributors quite like the value chain. Delays in inventory tracking and management can
ripple from the cash register all the way back to raw material production, creating
inventory shortages at any stage of the value chain. The resulting out-of-stock events can
mean lost business. The Internet promises to increase business efficiency by reducing
reporting delays and increasing reporting accuracy. Speed is clearly the business
imperative for the value chain.

The Manufacturing E-Commerce Bottom Line

The economic downturn in the United States has played havoc with the country’s
manufacturing and engineering sectors for more than three years, leading to the longest
continual month-over-month decline in industrial production since World War II. But, if
there is a bright spot in what economists are predicting for manufacturers in 2004, it is a
trend toward increasing e-commerce revenues and initiatives within the industrial sectors.

The Federal Reserve recently reported that production in American factories fell 3.3
percent. The September 11 terrorist attacks created additional uncertainty in all markets,
but particularly in manufacturing, where inventory levels among retailers and suppliers
were already high. Consumer spending for durable goods took a drop in the wake of the
attacks and as a result of the developing war on terrorism. Analysts also say they do not
expect an uptick in manufacturing production until consumers begin spending with

Still, companies like General Electric and General Motors were reporting increases in
online sales and predicting gains in e-commerce by the end of 2003. Officials at GE
indicate they expect to increase the amount of online revenue calendar-year-over-
calendar-year from $9 billion to $24 billion.

Historically, online revenue figures in manufacturing, engineering, and supply sectors
have been difficult to determine, because most companies in those sectors do not separate
online revenue from other income. Economic statistics compiled by the U.S. Department
of Commerce and others have consistently noted that although e-commerce activities
have continued to grow despite unfavorable economic conditions, determining the exact
portion of the national economy they represent is difficult.

A recent study by the National Association of Manufacturers (the leading industry group
of industrial producers) saw dramatic increases in the number of companies developing
Web-based activities to reach both new customers and suppliers. Despite the intense hype
surrounding e-commerce, right now it’s still just a small fraction of most business and
manufacturing operations. But, nearly three quarters of the companies surveyed reported
they were developing e-commerce initiatives to grow their revenues, a harbinger of
dramatic change down the road. As capital spending rebounds, there should be a
significant increase in networking and business-to-business software investments.

In another recent study of e-business activities within the manufacturing sector
(commissioned by Interbiz, a division of Computer Associates International), a
significant increase in focus was shown on e-commerce activities in 2002 within
manufacturing and related industrial areas. According to the survey, 56 percent of
manufacturing concerns indicated they were actively involved in e-commerce, with 89
percent reporting effectiveness within their e-business strategies; 22 percent reported
those activities as “highly effective.”

Unfortunately, speed can be costly. Today, approximately 60,000 businesses exchange
business documents such as orders and invoices with their trading partners through a
standard communication and content protocol called Electronic Data Interchange (EDI).
Most EDI implementations use leased lines or value added networks (VANs) that require
significant integration for each trading partner. Network design, installation, and
administration can be costly in terms of hardware, software, and staff. In fact, these costs
are the key reason that EDI is most widely deployed only in larger companies.

Moving forward, all companies will be able to take advantage of value chain integration
through the low cost of the Internet. Open standards for electronic document exchange
will allow all companies to become Internet trading partners and function as suppliers,
consumers, or both in this business-to-business electronic commerce. This integrated
trading will tighten relationships between businesses while offering them greater choices
in supplier selection.

Issues in Implementing Electronic Commerce

Although it is simple to describe their benefits, it is not nearly as easy to develop and
deploy commerce systems. Companies can face significant implementation issues:

• Cost
• Value
• Security
• Leveraging existing systems
• Interoperability

Cost

Electronic commerce requires significant investments in new technologies that can touch
many of a company’s core business processes. As with all major business systems,
electronic commerce systems require significant investments in hardware, software,
staffing, and training. Businesses need comprehensive solutions with greater ease-of-use
to help foster cost-effective deployment.

Value

Businesses want to know that their investments in electronic commerce systems will
produce a return. Business objectives such as lead generation, business-process
automation, and cost reduction must be met. Systems used to reach these goals need to be
flexible enough to change when the business changes.

Security

The Internet provides universal access, but companies must protect their assets against
accidental or malicious misuse. System security, however, must not create prohibitive
complexity or reduce flexibility. Customer information also needs to be protected from
internal and external misuse. Privacy systems should safeguard the personal information
critical to building sites that satisfy customer and business needs [6].

Leveraging Existing Systems

Most companies already use information technology (IT) to conduct business in non-
Internet environments, such as marketing, order management, billing, inventory,
distribution, and customer service. The Internet represents an alternative and
complementary way to do business, but it is imperative that electronic commerce systems
integrate existing systems in a manner that avoids duplicating functionality and maintains
usability, performance, and reliability.

Interoperability

When systems from two or more businesses are able to exchange documents without
manual intervention, businesses achieve cost reduction, improved performance, and more
dynamic value chains. Failing to address any of these issues can spell failure for a
system’s implementation effort. Therefore, your company’s commerce strategy should be
designed to address all of these issues to help customers achieve the benefits of electronic

Your company’s vision for electronic commerce should also be to help businesses
establish stronger relationships with customers and industry partners. For example, a
successful strategy for delivering this vision is described by three workflow elements
(platform, portal, and industry partners), each backed by comprehensive technology,
product, and service offerings.

From self-service portals to transaction processing, a successful workflow strategy can be
the underlying engine delivering state-based, process-focused control services for e-
business applications. Human labor is expensive, and workflow technology allows e-
businesses to supplement, and in some cases eliminate, reliance on human supervision
and intervention.

Workflow Technology

Creating e-business processes without a vision for workflow is shortsighted and
expensive. Workflow addresses business needs, streamlines transactions, and is the glue
for process coordination and consistency.

Self-service applications are perfect examples of how workflow can be employed to
automatically coordinate requests and track fulfillment, thereby allowing corporations to
relocate human resources to more difficult tasks. E-business flexibility can be realized
through workflow’s logic encapsulation that isolates the logic of the business process
from the Web server middleware and associated Web pages. Every Web page click is an
opportunity to invoke workflow-based interaction, guidance, and fulfillment.

E-businesses need workflow technology to react rapidly to process changes. For example,
an instant change to the workflow process can be accomplished with a simple change to
the workflow map by a nonprogrammer, to effect temporary or continuous changes in the
business process, thus accommodating short-term business needs or long-term process
improvements. A workflow-driven e-business will see immediate shifts that allow it to
process more efficiently under high volume circumstances.

The bottom line? Workflow design tools should be a core requirement for e-business
applications. A detailed discussion of workflow technology is presented in Chapter 2,
“Types of E-Commerce Technology.”

Now, let’s take a look at the transformation of the scope of the Internet and the Web. The
discussion centers around the Session Initiation Protocol’s (SIP) effect on multimedia-
enabled e-commerce.

Microsoft Corporation, “Electronic Commerce Explained,” ©2003 Microsoft
Corporation. All rights reserved. The Business Forum, 9297 Burton Way, Suite 100,
Beverly Hills, CA 90212, (August 2002): pp. 1–19.

Runge, Wolfgang and Renz, Alexander, “Adaptive Networks Broaden Relationships,”
© Copyright 2003 SAP AG. All rights reserved, SAP America Inc., Strategic Planning &
Support Office, 3999 West Chester Pike, Newtown Square, PA 19073, USA, [Advertising
supplement in June 2002 edition of MSI, Reed Business Information, 2500 Clearwater
Drive, Oak Brook, IL 60523 (June 2002)].

Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

The Scope of the Internet and the Web

The renaissance of the Internet age launched an entirely new set of communication
technologies and methods. As multiple technologies evolve and interoperate, so do
complementary standards, such as those for multimedia applications. The advancement of
multimedia applications for the Web has resulted in a wave of new technologies to
enhance the Internet experience. From voice to video, the latest developments have
resulted in the requisite standards to allow for the full maturation of the technology.

Voice over IP (VoIP) has gained acceptance within the last few years, with older
standards enabling the technology. As more advanced standards mature and enhanced
capabilities and features become available, the adoption of VoIP has begun to take off.
For example, H.323 is currently the dominant standard for initiating a voice session. But,
as more multimedia services, such as unified messaging, video conferencing, instant chat,
and presence, gain acceptance in an Internet Protocol (IP) environment, more robust
standards are needed. Hence, the creation of an HTTP-based protocol—Session Initiation
Protocol (SIP).

SIP’s main functions are signaling and call control for IP-based communications. It
defines the desired service for the user, such as point-to-point calls, multipoint
conferencing, text, voice, or video. Using the protocol, SIP servers perform a routing
service that puts the caller in contact with the called party, taking into account the desired
service and user preferences. Because SIP has its foundation in HTTP, it eases the
integration of voice with other Web services.

The Benefits of SIP

As the new voice-ready IP standard, SIP enables the initiation of an interactive Internet
experience involving multimedia elements, such as video, voice, chat, gaming, and
virtual reality. The main advantages of SIP for the VoIP market include enhanced
scalability, easy implementation, and dramatically reduced call setup time.

Another key benefit of SIP for VoIP is the easy integration with many other IP services.
Through SIP, service providers can easily add services and applications for VoIP
customers while minimizing interoperability issues. SIP is flexible and extensible, easily
supporting a wide array of endpoint devices and configurations. More importantly, SIP
runs over IP networks regardless of the underlying networking technology, such as
asynchronous transfer mode (ATM).

By taking advantage of the Internet, SIP technology provides new service capabilities
while supporting the use of key services from the circuit-switched telephone network. IP-
based communications can use SIP Uniform Resource Locators (URLs) for addressing,
similar to the World Wide Web, in which the form of the URL resembles an e-mail
address. The support of both telephony and Web-type addressing enables IP
communication to seamlessly bridge a telephone network and the Internet. Users on
either network can reach any point on the Public Switched Telephone Network (PSTN) or
the Internet without giving up the existing devices or advantages of either.
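The two address forms the paragraph contrasts (an e-mail-like sip:user@host and a telephone-subscriber form that bridges to the PSTN) can be parsed and told apart with a small validator. This is an added example, not code from the book or from any SIP product; the grammar is simplified from RFC 3261 section 19.1, and the domains and numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Simplified SIP URI grammar (after RFC 3261 section 19.1):
#   sip[s]:[user[:password]@]host[:port][;param[=value]]*[?headers]
_SIP_URI = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@:;?]+)(?::(?P<password>[^@;?]*))?@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<params>(?:;[^;?]*)*)"
    r"(?:\?(?P<headers>.*))?$"
)

# Visual separators allowed in a telephone-subscriber user part; they carry
# no meaning, so they are stripped before the number is compared or routed.
_PHONE_SEPARATORS = re.compile(r"[-.() ]")


@dataclass(frozen=True)
class SipAddress:
    scheme: str
    user: Optional[str]
    host: str
    port: int
    params: Dict[str, Optional[str]]

    @property
    def address_of_record(self) -> str:
        """The e-mail-like user@host form the text mentions."""
        return f"{self.user}@{self.host}" if self.user else self.host

    @property
    def is_telephone(self) -> bool:
        """True when the user part names a PSTN subscriber (;user=phone)."""
        return self.params.get("user") == "phone"

    @property
    def e164(self) -> Optional[str]:
        """Global phone number with separators removed, or None if not one."""
        if not self.is_telephone or not self.user:
            return None
        digits = _PHONE_SEPARATORS.sub("", self.user)
        return digits if re.fullmatch(r"\+\d{1,15}", digits) else None


def parse_sip_address(text: str) -> SipAddress:
    """Parse a sip: or sips: URI; raise ValueError on anything else."""
    m = _SIP_URI.match(text.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {text!r}")
    scheme = m.group("scheme").lower()
    port_text = m.group("port")
    # Default ports: 5060 for sip, 5061 for sips (TLS).
    port = int(port_text) if port_text else (5061 if scheme == "sips" else 5060)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    params: Dict[str, Optional[str]] = {}
    for raw in m.group("params").split(";"):
        if not raw:
            continue
        key, _, value = raw.partition("=")
        params[key.lower()] = value if "=" in raw else None  # flag params have no value
    return SipAddress(scheme, m.group("user"), m.group("host").lower(), port, params)


def is_sip_address(text: str) -> bool:
    """Convenience check for input validation at a Web-to-voice entry point."""
    try:
        parse_sip_address(text)
        return True
    except ValueError:
        return False


def route_network(addr: SipAddress) -> str:
    """Which side of the bridge a SIP server would hand the call to."""
    return "pstn" if addr.is_telephone else "internet"


if __name__ == "__main__":
    # Constructed sample addresses, one of each form.
    for sample in ("sip:alice@example.com",
                   "sip:+1-415-555-1212@gw.example.com;user=phone"):
        a = parse_sip_address(sample)
        print(a.address_of_record, "->", route_network(a), a.e164)
```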

Enabling Multimedia E-Commerce with SIP

The emergence of SIP has opened up new doors of innovation, enabling the next
generation of e-commerce through the use of VoIP and multimedia applications. The
simplicity of SIP technology is facilitating the spread of VoIP around the world. SIP’s
straightforward approach has encouraged developers of e-commerce applications and
telecommunications providers to implement it into their customer relationship
management (CRM) systems.

Traditional voice call centers for customer support are migrating to Web support centers
where the focus is shifting from pure voice (800 numbers) to e-mail support, text chat,
voice, and video with click-to-connect service. The integration of these applications
brings a fresh dimension of communication to customer-facing Web sites. As customers
experience the benefit of multiple touch points, enterprises are compelled to integrate
these new communication methods into their CRM systems. As the enabling protocol,
SIP is well-suited to bring these capabilities to the user.

Because support for instant messaging and presence is built into SIP, a whole new
level of customer communications can take place. Presence lets users know the
availability of other parties, and when coupled with instant messaging and conferencing,
allows for communications to happen in a spontaneous fashion. With these added
functionalities, the online consumer can experience a rich customer support environment.
Because SIP enables real-time voice and video to become viable applications on many e-
commerce Web sites, it enhances Internet call center productivity. With the click of a
mouse, a customer can talk to or be in face-to-face contact with a service representative.
This level of customer service allows an immediate personal connection with customers
—one of the most critical aspects in CRM. The adoption of e-commerce will be bolstered
further as consumers begin to rely upon this type of online customer service.

SIP-based communications can be achieved with any device, fixed or mobile, such as
laptops and Internet-ready phones [5]. In addition, because SIP supports name mapping
and redirection services, it is possible for users to initiate and receive communications
and services from any location, and for networks to identify users regardless of location.
This adds an additional level of usability from a CRM perspective. As e-commerce
spreads to cell phones and other handheld devices, this functionality will increase in

Now, let’s look at how to use the Web to reach customers. Although customer experience
includes intangible, nonquantifiable aspects, it also includes a wide range of entirely
measurable Web site elements.

Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.

Using the Web to Reach Customers

The rules are the same. To succeed in e-business, just as in brick-and-mortar, you need
customers. And, keeping customers is vastly cheaper than getting new ones. High rates of
customer retention (and the referrals that accompany happy consumers) can mean the
difference between success and going back to the drawing board.

The challenges that e-businesses face, however, in earning and retaining customers are
different from those confronted by traditional business. A shopper who drives to the
bookstore is not likely to put down the book he wants and drive to another location
because of a line at the checkout stand. Someone looking for the biggest selection of CDs
cannot go to 20 stores in 6 states in half an hour to check their selection. And, once you
have received personal attention from someone at a store, helping you find exactly what
you need, it isn’t hard to decide where to go next time.

The options and flexibility of doing business online put much more control in the hands
of the consumer, placing a premium on the performance, effectiveness, and reliability of
an organization’s Web site. There is no one to apologize to Internet customers when the
service goes down, or when an image is missing, or to explain what an error message
means. And, alternatives are just a click away.

For online consumers, the user experience is the most significant factor in customer
retention. Customer experience comprises a range of issues, including ease-of-use,
dependability, speed, as well as less quantifiable aspects of a Web site. As the Internet
matures and evolves into a ubiquitous, if not preeminent, medium for business, those
companies best able to monitor their Web sites and ensure a positive, rewarding customer
experience will have an unparalleled advantage in the race to create and retain loyal

The Shift to E-Business

There is no free lunch, though, and along with the benefits of doing business in the new
economy comes a new kind of customer, one with different expectations and standards by
which companies are judged. Web sites must offer a consistently positive customer
experience to win over consumers. Inspiring loyalty is the biggest challenge to e-
businesses, and e-consumers are a tough group to win. Thus, the attraction of moving an
established, traditional business to the Internet (or of starting a new, pure-play Internet
business) involves a variety of factors:

• Global reach
• Higher profile
• 24 × 7 availability
• Targeted focus
• Cost savings

Global Reach

A small organization no longer has to be a local organization. Anyone with Web access
(in a living room in Chicago, in a log cabin in Alaska, or in a café in Bordeaux) can spend
their time, and their money, at any online business.

Higher Profile

A company can have a significant Web presence and profile, even with relatively modest
depth and breadth to its inventory. On the Internet, a small but very efficient company can
have the profile of a much larger, deep-pocketed competitor.

24 × 7 Availability

E-businesses do not have to close at the end of the day. Information and services can be
available any time, any day, allowing revenue to be earned without interruption.

Targeted Focus and Cost Savings

Companies do not have to be all things to all consumers. Through the Internet, individual
customers can get goods and services tailored to their needs. Significant savings from,
among other things, streamlining inventory and distribution channels are possible in
effective e-businesses.

New Medium and New Expectations

Internet consumers expect e-business to be faster and more extensive, with more options
and services, than brick-and-mortar alternatives. They expect their experience online to
be easy, as uncomplicated as buying a newspaper or filling the car with gas. And, if they
encounter any problems with the site, or have difficulty understanding how it works, or
are otherwise frustrated, they know they can go somewhere else, to another Web site, and
be there in no time.

Speed Wins

Speed is crucial for successful e-businesses. Consumers expect Web sites to be fast. A
useful starting point is the eight-second rule of thumb. The rule says that a significant
number of users are unwilling to wait longer than eight seconds for a page to load or an
action to be executed, and as technology improves and speeds increase, the time users
will wait before leaving the site is likely to decrease. Many factors, from fundamental site
architecture to network traffic at certain times of the day, affect how fast a site will
function. Vital for success in any e-business is ongoing monitoring of the performance of
its site, identifying cycles of usage and ranges of performance, and making necessary
modifications and upgrades to ensure speed.

There have been attempts to quantify the economic loss due to unacceptably slow Web
page download speeds, which is one aspect of e-business customer churn. It is estimated
that as much as $473 million is lost per month from customer bailout from impatience.

If It Isn’t Broken

Key to the user’s experience and level of comfort in e-business is consistency. Whereas a
brick-and-mortar business could not redesign the store every month, e-businesses can,
and some do. The relative cost for changing the look and feel of an e-business is low, and
the appeal of adding new features is a strong temptation. There is a fine line, however,
between a “sticky” site, one that attracts new customers and urges old ones to return, and
a site that changes so often and in such ways that customers must relearn the site. Instead
of spending the extra time to deal with the hassle, they will go to the competition, the one
that is fundamentally consistent in its presentation and functionality, and they will stay

No Experience Required

Many new e-business consumers are novices not only with online transactions, but also
with the Internet in general, and this complicates the issue of glitches and raises the ante
for Web sites to function smoothly. A computer neophyte is less likely to understand, or
have patience with, technical difficulties. A recent survey conducted by ICL, an e-
business services company, indicates relatively high levels of stress and anxiety caused
by computer problems for “typical” users.

• Forty-nine percent found computer problems more stressful than being stuck or
delayed on public transportation.
• Seventy-nine percent found computer problems more stressful than having to
spend a weekend with a spouse’s parents.
• Twenty-three percent found computer problems more stressful than being left by a
partner or spouse [1].

No Web site runs perfectly 100 percent of the time, but those that are close to 100 percent
(Web sites that minimize outages and are able very quickly to detect and correct problems
when they do occur) have a significant advantage. Web sites that frustrate users scare
them away; Web sites that consistently offer pleasant, easy experiences keep their

The Often Missing Piece

A less tangible but equally vital aspect to customer loyalty in e-business is trust. For
consumers, participation in a typical Internet business model requires divulging personal
information for registration purposes, often including sending credit card numbers to the
site. Increasingly, customers are cautious when sending such information and wary about
sites that they suspect may not adequately guard the privacy of their demographic and
financial information. Web sites that have prolonged outages or frequent transaction
failures break the chain of trust with their consumers, pushing them to other providers
that instill stronger confidence and, therefore, loyalty, in their customers.

To be successful, an e-business has to be:

1. Sophisticated and fast
2. Easy and consistent
3. Extremely reliable [1]

Without these, customers will click away, going to the sites that give consumers the
interaction with e-business that they expect and require.

Acquisition, Retention, and Referrals

Customer acquisition costs range wildly from one company to the next, but everyone
understands that once a company has acquired customers, the key to maximizing revenue
is keeping them.

• It is 7 to 11 times cheaper to keep a current customer than to add a new one.
• A Xerox study showed that their totally satisfied customers were 7 times more
likely to make additional Xerox purchases in the subsequent 29 months than the
merely satisfied.
• Companies can increase profits by almost 100% if 6% more of their customers
were retained.
• Estimates show up to 91–96% of a brand’s profits come from loyal customers.
• A study by McKinsey & Co. calculates that an 11% increase in repeat customers
translates to a 10.6% increase in company value.
• Bain & Co./Mainspring research shows that online grocers must keep customers
for 29 months just to break even [1].

The preceding are potentially frightening data to e-business, which lives, or dies, in a
medium where jumping from one Web site to another, changing brands and loyalties, is
easier and faster than ever. In the realm of e-business, high rates of retention are
imperative for success and even survival.

Loyal customers are the best customers. People who are committed to Buick and who
will not buy a car from any other manufacturer are the ideal consumers for Buick. They
do not require further acquisition expenses, they will buy Buick cars for their children
and recommend Buick to their friends, and they are statistically much more likely to buy
up, getting newer models loaded with optional equipment. The recent boom in online
loyalty reward programs demonstrates that e-business understands the lifetime value of
loyal customers and is starting to shift resources to retention efforts. Many of these
incentives are financial, offering repeat buyers the opportunity to earn points that can be
redeemed for goods or services. Although low prices and points programs are a strong
draw initially for consumers, e-consumers will, as in traditional business, grant their
loyalties ultimately to those businesses that offer them the best experience, of which price
is just one of several considerations. Low prices are the carrot on the stick for acquisition,
but user experience and customer service are the tools of retention.

Of special interest to e-business are customers gained through referrals from existing
customers, as well as customers lost due to negative reactions about a particular Web site.
According to a recent Bain & Co./Mainspring survey, online apparel customers referred 4
people after the initial purchase and 8 people after 11 purchases. The global reach of the
Internet becomes a handicap when a consumer brings up a list of dozens of online
retailers in a given industry. E-business consumers are generally anxious for referrals
from people they trust to help guide them through the ever-growing sea of Web sites.

Standard barriers to following through on a referral are absent in e-business. If a friend
recommends a music store that is 45 minutes away, you might decide not to go because
of the distance. Even a local store may not tempt you if you know that the parking is a
nightmare or if the skies just dropped two feet of snow outside your window. When a
friend recommends a Web site, you get cozy at your desk and go there.

Consumer trust, discussed earlier, is a unique challenge facing e-business. Going to a
brick-and-mortar store lends a sense of confidence and implicit trust that has to be earned
in other ways in the context of the Internet and of doing business through a computer
screen. A referral from a trusted friend or colleague is invaluable to establishing a
relationship between consumers and e-businesses.

Referrals also provide an exception to the high cost of acquiring new customers. Every
customer who is referred to a company is “free,” or is at least a significant offset to the
marketing and sales budgets for customer acquisition. Though somewhat more difficult to
measure, word-of-mouth advertising is extremely important and can have a remarkable
impact on a company’s bottom line.

Poor Performance and Failure

E-businesses tread a thinner line than traditional businesses in efforts to attract and keep
consumers. Someone who drives to a store will extend greater latitude to that shop (in
terms of what the consumer likes or dislikes about the store, its selection, its layout, its
service) than to a Web site. Online consumers expect speed, reliability, and broad
selection. When they do not get it, they leave. All it takes to leave is typing a new Web
address or following a link. For e-business, there is no dress rehearsal and often no
second chance.

Internet users are increasingly barraged by new sites, new services, all competing for
their eyes and their dollars. When consumers find a site they like, they add a bookmark
and stop hunting. And when a site does not satisfy consumers, they don’t return and they
tell their friends not to go.

At issue for consumers is the tension between knowing they have more control with e-
business and feeling overwhelmed by the choices, and this tension can spell disaster for
an e-business that does not adequately mind its store. Often a single negative experience
for a consumer means he or she will not return to that site to give that company another
chance. If someone tries to buy a puzzle online and the transaction fails, there are enough
other online toy retailers that this consumer need never return to the one that failed. A
recent study of online shopping by the Boston Consulting Group for a 12-month period
reveals unsettling statistics for e-commerce companies battling to attract and keep

• Consumers who are satisfied with their first-time online purchase spent, on
average, $600 in 13 transactions; dissatisfied first-time purchasers spent $250 in 5
• Five out of six e-consumers experienced a failed purchase; 29% of all online
purchases failed.
• Twenty-four percent of online shoppers who experienced a failure stopped
shopping at that site; 7% also stopped shopping at that company’s brick-and-
mortar store [1].

In e-business, there are no humans to counter a negative experience. A failed transaction
or a site crash is extremely difficult to qualify or explain online, leaving the consumer
alone at the computer to decide if it makes more sense to try again or go elsewhere. The
message is clear for any company that wants to succeed in the Internet economy: make
sure the site works extremely well, and when something goes wrong, which it inevitably
will, find out about it and fix it fast. When a popular Web service had a nearly-24-hour
outage, the company’s CEO recognized that such an event could be disastrous, even fatal,
for the company, and she or he effectively lived in the IT operations center during the
crisis and the following weeks.

The new and rapidly expanding business of online securities trading offers a vivid
example of the best and the worst for e-businesses. Online trading has offered
unprecedented access for thousands of users to securities markets. The reach of brokerage
houses has extended into demographic sectors that previously had neither the time for nor
the access to securities trading, while securities markets have extended their hours, with
talk of 24-hour trading on the horizon. Thousands of consumers place millions of trades
at relatively low commission, filling the coffers of online trading firms.

Moving the apparatus for trading to the desktop, however, has resulted in a wealth of
information passing to the customer, with a corresponding shift in power away from the
brokerage company. With the Internet, customers are more aware of stock prices, of
transactions, and of failures. When a glitch prevents online traders from selling stock or
canceling orders when the price falls, those traders lose money and can very accurately
identify how much they have lost.

Most of the leading Internet brokerages have suffered outages, ranging from a few
minutes to several hours, and the costs to these businesses go far beyond the defection of
angry customers. Online brokerages are having to compensate customers for losses
suffered when trades could not be executed because of outages, and these payments are
stretching into the millions of dollars for each of several leading online brokerages. Not
only does an outage scare off otherwise potentially loyal customers, it forces the
brokerage to write checks to unhappy customers on their way out the door.

A final significant problem facing e-businesses (at least those that are publicly traded) is
the response on Wall Street to reports of prolonged service failures or customer
dissatisfaction. In a market where a company that reports earnings slightly below
projections can see the price of its stock tumble, word of a serious disruption of service
can be crushing as investors (many of them trading online) flee and unload their stock in
that company.

The price paid by e-business (in lost revenue from dissatisfied customers as well as
payments made for consumer losses) from inadequate performance and significant site
outages is potentially crippling, especially for pure-play Internet companies that have no
other customer base or business medium to depend on. No Web site is perfect, however,
and glitches are a reality in any online application. The key for e-business is to establish
performance benchmarks to attract and keep customers and to minimize technical
problems that make sites unavailable or prevent them from meeting necessary standards.
No e-business will be successful without adequate and appropriate tools to monitor
performance of its Web site and alert site operators immediately about slowdowns and
failures of service.

Ensuring the Customer Experience

Given the economic repercussions of a company’s inability to build and retain a base of
satisfied, loyal customers, the need for effective site-monitoring applications is
paramount, and a site monitor must be sophisticated enough to measure more than
uptime. According to Forrester Research, only 27% of site managers look beyond uptime
to specific network performance standards, and even fewer monitor transaction success
rates. It is these more complex data, however (not simply whether a page is available)
that give important insight into the user experience and associated rates of retention and

Service-level agreements (SLAs) that provide real value stipulate more than simply what
percent of time a site will be up, and monitoring applications give internal operators and
hosting facilities the tools they need to measure other important parameters. Identifying
whether a slowdown is from an application failure or from a network bottleneck is
advantageous to IT personnel trying to fix the problem. Additionally, effective use of
monitoring software can identify not only real-time glitches, but also design
shortcomings. Thorough reports from monitors might show, for example, a system
weakness that is responsible for transactional failures. The more quickly and accurately a
problem and its cause are identified, the faster it can be fixed.
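As an added example (not code from the book, from Mercury Interactive, or from any monitoring product the chapter mentions), the Python script below shows what "measuring more than uptime" looks like over a handful of constructed probe records. It reports plain availability next to the transaction success rate and the share of responses slower than the eight-second rule of thumb, attributes each slow probe to the network path or the application tier from its timing breakdown (a heuristic assumed here, not a published method), and raises alerts against SLA thresholds that are likewise assumed for the example.

```python
"""Site-quality monitor over synthetic probe records (added example).

Each Probe is one end-to-end check of a purchase transaction.  All sample
values below are constructed for illustration, not real measurements.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

EIGHT_SECOND_RULE = 8.0  # seconds; the rule of thumb quoted in the text

# Assumed SLA thresholds for this example; a real SLA sets its own figures.
DEFAULT_SLA = {"min_availability": 0.99, "min_tx_success": 0.95, "max_slow_share": 0.05}


@dataclass(frozen=True)
class Probe:
    ts: str            # timestamp of the probe (constructed)
    http_status: int   # 0 means no HTTP response at all (timeout / refused)
    connect_s: float   # DNS lookup + TCP connect time, seconds
    ttfb_s: float      # time from request sent to first response byte, seconds
    total_s: float     # total elapsed time for the whole transaction, seconds
    tx_ok: bool        # did the purchase confirmation page actually appear?


# Constructed sample data: a quiet morning with a few representative glitches.
SAMPLE_PROBES = [
    Probe("2003-06-01T09:00:00Z", 200, 0.2, 0.8, 2.1, True),
    Probe("2003-06-01T09:05:00Z", 200, 0.3, 0.9, 2.4, True),
    Probe("2003-06-01T09:10:00Z", 200, 4.5, 5.1, 9.3, True),    # slow: connect dominated
    Probe("2003-06-01T09:15:00Z", 200, 0.2, 7.9, 10.2, True),   # slow: server wait dominated
    Probe("2003-06-01T09:20:00Z", 500, 0.2, 1.0, 1.3, False),   # page answered, checkout failed
    Probe("2003-06-01T09:25:00Z", 0, 0.0, 0.0, 30.0, False),    # outage: no response at all
    Probe("2003-06-01T09:30:00Z", 200, 0.2, 0.7, 1.9, True),
    Probe("2003-06-01T09:35:00Z", 200, 0.3, 0.6, 1.8, False),   # fast 200, but no confirmation
]


def availability(probes):
    """Share of probes that got any HTTP response: what an uptime-only monitor sees."""
    return sum(1 for p in probes if p.http_status != 0) / len(probes)


def transaction_success_rate(probes):
    """Share of probes whose purchase actually completed, regardless of HTTP status."""
    return sum(1 for p in probes if p.tx_ok) / len(probes)


def slow_share(probes, threshold=EIGHT_SECOND_RULE):
    """Share of probes whose total time exceeded the threshold (outages count as slow)."""
    return sum(1 for p in probes if p.total_s > threshold) / len(probes)


def classify_slow(p):
    """Rough cause attribution for a slow probe from its timing breakdown.

    Heuristic assumed by this example: if connection setup took longer than the
    server took to produce its first byte, blame the network path; otherwise
    blame the application tier.  A probe with no response at all is an outage.
    """
    if p.http_status == 0:
        return "outage"
    server_wait = p.ttfb_s - p.connect_s
    return "network" if p.connect_s > server_wait else "application"


def summarize(probes, threshold=EIGHT_SECOND_RULE):
    """Build the report a transaction-aware monitor would hand to operators."""
    responded = [p for p in probes if p.http_status != 0]
    slow = [p for p in probes if p.total_s > threshold]
    return {
        "availability": availability(probes),
        "tx_success_rate": transaction_success_rate(probes),
        "slow_share": slow_share(probes, threshold),
        "slow_causes": dict(Counter(classify_slow(p) for p in slow)),
        "mean_response_s": mean(p.total_s for p in responded) if responded else None,
    }


def sla_alerts(summary, sla=DEFAULT_SLA):
    """Return one human-readable alert per SLA parameter that is breached."""
    alerts = []
    if summary["availability"] < sla["min_availability"]:
        alerts.append(f"availability {summary['availability']:.1%} "
                      f"below {sla['min_availability']:.1%}")
    if summary["tx_success_rate"] < sla["min_tx_success"]:
        alerts.append(f"transaction success {summary['tx_success_rate']:.1%} "
                      f"below {sla['min_tx_success']:.1%}")
    if summary["slow_share"] > sla["max_slow_share"]:
        alerts.append(f"{summary['slow_share']:.1%} of transactions slower than "
                      f"{EIGHT_SECOND_RULE:.0f}s, limit {sla['max_slow_share']:.1%}")
    return alerts


if __name__ == "__main__":
    report = summarize(SAMPLE_PROBES)
    for key, value in report.items():
        print(f"{key}: {value}")
    for alert in sla_alerts(report):
        print("ALERT:", alert)
```

On the constructed data the uptime figure (87.5%) looks far healthier than the transaction success rate (62.5%): two probes returned HTTP 200 quickly yet never completed the purchase, which is exactly the kind of failure an uptime-only monitor never reports. The slow-cause breakdown separates the connect-dominated probe from the server-wait-dominated one, giving IT staff a first pointer toward the network path or the application tier.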

Monitoring software also gives companies the data they need to make projections about
future site usage and the improvements required to accommodate increased activity.
Successful e-businesses can see their usage double in as little as three to six months.
Understanding growth and anticipating future needs can mean the difference between
recognizing the need and getting that extra server now, or waiting until increased traffic
crashes the system.

Features and services like these (what Forrester Research calls “Transaction Management
Services”) are provided through effective, sophisticated monitoring software. It is this
integrated Web quality monitoring that Forrester sees as the next step to managing the
total quality of Web-based business. If, as they predict, e-commerce reaches global
hypergrowth by 2003, it will be those companies with effective monitoring systems
already in place that are able to survive and succeed.

With the preceding in mind, how do industry-leading executives perceive the use of e-
commerce technology in their companies? What are the business benefits provided by
transaction management systems? Should your company build and maintain its own
transaction management system, or buy electronic trading network services? This next
part of the chapter answers these questions and further discusses the costs, benefits, and
perceptions of technologies that enable interenterprise information exchange, or what is
described as the transaction management market (TMM).

“E-Business Customer Retention,” © Copyright 2003 Mercury Interactive Corporation,
Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, CA
94089, 2003.

Benefits of the E-Commerce Market

The letter “e” lost much of its language-domineering swagger with the fall of the dot-com
economy. Technology marketers, journalists, and analysts now cringe at “e”-inspired
products and concepts. Venture capitalists hide their money-stuffed mattresses when
Silicon Valley experts drop by with business plans. Yet, electronic commerce veterans in
some of the largest companies in the United States, companies such as Ford, Cisco, Wal-
Mart, Procter and Gamble, McKesson, and Compaq, see opportunity in the midst of e-
commerce turmoil.

Increasing Interest in Interfacing Technologies

Transaction management market (TMM) technologies automate machine-to-machine
information exchange between organizations. The share of IT budget dedicated to
solutions that interface with customers, suppliers, and service providers is increasing.
This trend is evidenced by continued demand for CRM, order management, demand
forecasting, sourcing, and procurement solutions despite difficult economic conditions.
And, Web services market hype provides an almost deafening statement about the value
of interfacing technologies. Therefore, as economic conditions improve and as eXtensible
Markup Language (XML) standards begin to reduce intersystems integration costs, there
will be an increased demand for transaction management technologies.

Nevertheless, although interfacing technology demand is consistent across most industry
segments, the business conditions generating interest vary considerably. Ever-tightening
electronic relationships between consumer packaged goods (CPG) manufacturers and
larger retailers are driven by the need to accurately track and forecast demand for billions
of fast-moving products through a low-margin, geographically dispersed network. High-
tech manufacturers continue to invest in interfacing technologies to regain some of the
control relinquished with business process outsourcing contracts. Cash-strapped
wholesalers invest in any technology, including TMM solutions, that can reduce the order
to cash cycle. Despite differing business concerns, interest in technologies that improve
interbusiness process efficiency is high.

Demand Analysis

TMM technology interest is strong, but demand is constrained. Interest is driven by a
number of market dynamics including:

• Transaction management systems meet many of the investment conditions that gain
significance in a slow-growth economy.
• The technology provides a clear and calculable return on investment (ROI), is
amenable to incremental deployment, and helps control costs.
• TMM investment is becoming more compelling as innovative deployments
enabling VMI, After Tax Profit (ATP), contract manufacturing, and demand
planning gain attention and generate competitive pressure.
• Machine-to-machine communication costs are falling as process standards from
organizations like RosettaNet, OAG, and CIDX develop, and as technology
standards like J2EE, SOAP, AS1/AS2, and WSDL gain popularity [2].

However, strong market forces continue to inhibit new TMM investment. Important
inhibitors include:

• Economic uncertainty continues to limit capital resource availability and risk tolerance.
• Standards are immature. Lack of standards correlates to high incremental e-
commerce deployment cost.
• The entry cost for innovative, multienterprise solutions remains high. Entry costs
are driven by change management and experience development needs, not by
technology product costs.
• Web services and XML marketing hype generates interest and uncertainty in near
equal doses.
• E-marketplace failures continue to haunt many large organizations and inhibit
TMM investment [2].

Drivers of Change

Several important technology developments are driving change in the TMM market. First
and foremost is the emergence of the Internet as an effective, low-cost means of
transporting mission-critical business information between systems. Although the Internet
alone does not provide the network quality of service (QoS) demanded for mission-
critical data communications, software and service providers have built solutions on top
of this nearly free transport network. Data transport cost declines have fundamentally
altered the way companies interact.

The second major force of change in the TMM market is the emergence of new
technology standards, such as Java™, XML, and Web services. Overcoming
communication barriers, which come in many forms, is often expensive. Java, XML, and
other technology standards remove a number of machine-to-machine communication
barriers and reduce partner integration costs.

Falling integration costs will affect the TMM market in two ways: first, the addressable
market for TMM solutions will continue to expand as solution price points fall into
ranges acceptable to small and midsized businesses. Second, reducing the cost and
complexity involved in deploying and maintaining a TMM system will release corporate
resources to other higher-value automation efforts. Many experienced users that bought
TMM solutions to control order processing costs have since evolved their systems to
manage a demand forecasting process, complex pricing data, and Just-in-Time (JIT)
inventory strategies.

TMM Business Benefits

TMM solutions provide organizations with the ability to effectively process heavy order
volumes and with the ability to better manage very close, codependent partner relations.
Most TMM deployments address one or both of these business objectives.

Now, let’s look at how companies can use TMM technology to process millions of orders
a week with just a few support staff. Others may move a few files a day, but the
information in those files affects millions of dollars of production costs. For example
(according to a recent study by the Yankee Group), Figure 1.1 summarizes values that are
delivered by TMM technologies [2].

Processing Heavy Order Volumes

TMM solutions can quickly and accurately process thousands, even millions, of orders a
week. Consumer packaged goods manufacturers, apparel manufacturers, retailers,
wholesalers, and companies in similar industries manage high order volumes for fast-
moving, made-to-stock products. In industries such as pharmaceuticals, health products,
and electronic components, where both order volumes and per-SKU prices are high, fast
and accurate order processing is essential to staying in business. Companies facing these
conditions leverage TMM technology to scale business without scaling operational costs.

Combining on-site translation software with electronic trading network service has
proven a very effective means of managing order volume growth without scaling order
processing head count. By working with a network service provider, transaction volume
growth (and related corporate expansion) is not encumbered by technology skill and staff
development needs.

It is difficult to compare manual and automated order processing costs. The comparison
would be interesting, but is not necessary. In a high-growth, heavy order volume industry,
TMM technology is not a cost-savings option, but a business requirement. Therefore,
despite TMM’s mission-critical nature in heavy order volume industries, many companies
cite innovative forecasting, direct shipment, and customer service capabilities as the most
significant advantage their organization gains from TMM service usage today.

Managing Codependent Relationships and Complex Products

In industries with less demanding order volumes, but more complicated products and
relationships, transaction management systems are used for equally valuable but very
different business reasons. In the high-tech, automotive, and chemicals manufacturing
industries, products are complex, highly engineered, and often expensive. Companies in
these industries are highly dependent on partners to produce high-value, highly complex
products. In these industries and others, dependencies are becoming stronger and
products are becoming more complex. TMM systems support codependent relationships,
allowing companies to play an effective role in complex production processes.

Companies using TMM technology to manage codependent relations move complex
products through the supply chain, and require robust process management capabilities
and timely access to information. Developing a JIT inventory management program
demands near-real-time information exchange and complex business rules management.
Providing a single available-to-promise date for a solution bundle, including multiple
vendor products, requires similar functional capabilities.

Best Practices

Today, companies are extending, or planning to extend, their TMM systems into
interesting new business automation scenarios. Several of these best-practice examples
are described next.

Speed and Competitive Advantage

Speeding business process and improving customer service to gain competitive advantage
is not cheap. A company could spend nearly $5 million annually to support its machine-
to-machine order processing system. But, business benefits and competitive distinction
greatly outweigh the costs of the system.

For example, in the food-and-beverage industry, paper and mail are slow. Money makes
money. Anything that slows down money or products costs money. Companies usually
tackle banking communications first to speed the processing of thousands of small
monthly order volumes. Most companies usually tackle logistics management challenges
next, which is followed by an incremental deployment with a supplier connectivity
solution. In addition, most companies claim to have achieved a positive ROI in less than
12 months after going live with the banking stage of their implementation.

Managing Outsourced Business Relationships

Most high-tech companies shift their business strategies as the economy begins to slow.
With cost control pressures mounting and shareholders demanding improved returns, the
companies choose to outsource production and certain support services to contract
manufacturers (CMs). To support the outsourcing strategy, the firms identify and
implement TMM technology. The solution manages the mission-critical information
flowing between a company and its new CM partners. A system could cost less than
$400,000 to deploy (including hardware, software, and services). Ongoing costs run
approximately $230,000 annually.

It is difficult to measure the value a solution provides a company, but an outsourcing
business strategy would not be possible without the TMM solution. Because of difficult
economic conditions and financial turmoil in the industry it services, firms have limited
visibility into future demand. Companies expect demand to increase as the economy
recovers. Their new CM relationships should allow them to react rapidly to changing
demand and avoid losing sales through lack of production capability.

Expansion Strategy Support

Companies are using TMM technology to support complex operational strategies, as
displayed in Figure 1.2 [2]. The role of TMM technology will continue to expand as costs
fall, as standards develop, and as innovative best-practice use cases emerge from the fog
of the current recession.

The Service Provider Advantage

Value added network (VAN) service charges have gained an onerous reputation since the
emergence of the Internet as a corporate communications tool. The idea of charging per-
transaction fees to move data across a network (which is how VAN service charges
accrue) riles free-spirited Internet enthusiasts. But the Internet’s greatest strength
(ubiquity) is also its fatal flaw.

The last thing a company wants is ubiquitous access to its data traffic, nor are companies
interested in the lack of control inherent in a ubiquitously managed network. Absent the
addition of robust technology, the Internet is insecure, unreliable, and unworthy of
mission-critical corporate data. VAN service providers offer subscription-based
technology services that meet corporate data communication needs. VANs ensure that
data gets from point A to point B securely, reliably, and with an audit trail. Companies
pay usage-based subscription charges for access to VAN bandwidth.

Accessing network QoS functionality from a third party also helps separate business
objectives from technology plumbing. Companies interested in deepening partner
collaboration or automating more complex business processes are faced with a myriad of
business challenges. One-time partners become next-project competitors. Partners are
contracted to ship to a production plan, regardless of the status provided by a real-time
system. Processes, which vary by both company and division, need to be reviewed and
aligned. Obstacles abound in a value chain integration scenario. VAN and electronic
trading network service providers remove the interenterprise communication obstacle,
allowing staff to focus on business, not technology problems.

TMM Costs

It is expensive to build and maintain a TMM system. The business benefits can be

Ongoing costs are more easily captured and measured. The average annual cost to operate
a TMM solution is a hefty $2.05 million. Average annual VAN cost is approximately
$650,000 per year, and the average annual internal operational cost (business and IT
support and management labor) totals $2.5 million. These figures capture the bulk of
ongoing costs associated with operating a TMM solution. Software maintenance costs,
which were difficult to capture, are not usually included in this cost assessment.

As the $2 million per year in operational costs indicates, TMM systems are expensive to
run. When considered as a percentage of IT budget or total revenue, the figures are much
less daunting. When considering the business strategies TMM systems support,
operational costs are well within acceptable ROI and total cost of ownership (TCO)
calculation boundaries.

Finally, let’s look at possible roadblocks to e-commerce. Is e-commerce alive and well
and feeling fine? Recently, e-commerce has been associated with some fairly humiliating
phrases: “dot gone” and “dot bomb” being just two of them. At times, e-commerce has
become almost worthy of a snicker when the term comes up in conversation, and lately
it’s hard to open a newspaper without reading about “pink slip parties,” which former
dot-com employees attend to network, write resumes (which they didn’t need during the
venture capital boom), learn that flip-flops and cutoff jeans are not appropriate work
attire in the real world and, finally, come to accept that the fairy-tale employment they
have experienced in recent years has disappeared as spectacularly as Cinderella’s royal
ball accessories at midnight.

Roadblocks to E-Commerce

From the sounds of the media, you would think that e-commerce was a post-Armageddon
landscape. That must be why eBay experienced 260% growth in 2002.
Want to know a secret? Total e-commerce sales have been predicted to grow somewhere
in the area of 60% in 2003. A study by the National Association of Purchasing
Management and Forrester Research indicates that business-to-business e-commerce is
still in its infancy, with nearly unlimited potential to grow. A recent survey conducted by
both organizations revealed that 95 percent of companies polled indicated they would be
moving forward to implement e-procurement sometime in 2003. This growth is modest
compared to what’s happening offshore. Boston Consulting Group recently reported that
Asian e-commerce continues to triple annually.

With the preceding in mind, e-business has taken a major hit to the collective solar
plexus. Amazon seems to be hanging on moderately well, though probably not
flourishing. It is generally acknowledged that the implosion of many players on the e-
commerce stage, most notably the ones headed by 24-year-old CEOs, has enabled the
companies left standing to reap more profits due to Web-enabled natural selection.

Old Dogs Have Learned New Tricks

Research firm McKinsey & Company recently unearthed a fascinating statistic: 86
percent of the most successful e-tailers are online channels of existing, established brick-
and-mortar companies. Someone a long time ago put forth the radical theory that a
company needs a business plan to survive in the long-term. Web-based companies
slapped together on a Saturday afternoon in someone’s home office are not likely to have
as sound business plans as a company such as Eddie Bauer that has been around for
generations. In 1998, the retail giants were laughed at for their hesitant and puny efforts
to join the e-commerce party. Today, they are the ones left standing. It’s obvious that
there’s a lesson to be learned from that.

Here’s another interesting trend. In the days of yore (1999 to 2000), many Internet-savvy
consumers indicated that when it came to shopping for larger ticket items, such as audio,
video, and computers, they would do their research online before heading down to a large
electronics superstore such as Circuit City to make a purchase. Today, many people have
taken to wandering the aisles of the large electronics stores to see and touch items, and
then return home to make their purchases from online electronics e-tailers. Why not?
Online return policies have improved about 2,000 percent since the early days of e-
commerce and in many instances, there is no sales tax on items purchased from e-tailers.
Not to mention the fact that buying online enables you to spend the time you would have
dedicated to getting to the mall on some vital task such as sleeping late or reminding
yourself what your family looks like.

Trying Not to Antagonize Your Customers Helps Immensely

E-commerce companies that continue to grow seem to be the ones that better understand
CRM and what it means to their firms. There’s no question, purchasing over the Internet
is as popular as ever and will continue to grow. What many e-tailers didn’t foresee is that
the Internet business model enables customers to be fantastically fickle, and all it takes is
one misstep to lose a customer forever. Good self-service is worth its weight in diamonds,
but it should never entirely replace human interaction. As a result, it becomes fairly safe
to conclude that the e-businesses still standing today are the ones that screwed up CRM
the least.

The survivors have another thing in common: easily navigable Web sites. Remember
some of the disastrous Web sites that first appeared in 1997 and 1998? The designers
sacrificed ease-of-use for art and profundity, with the result that many potential buyers
arrived on the site, admiringly commented, “Ooooh, pretty” and logged off to find a site
that was easier to use. Part and parcel of ease-of-use is a friendly and comprehensive
search engine, and this is another element you will find on the sites of the little e-tailers
who could. Search engines driven by natural language processing are rapidly gaining in
popularity as they allow shoppers to pose questions in much the same manner they would
to a live store representative. For instance, compare brands of digital cameras in the mid-
price range. Not only do searches conducted with natural language processing help the
customer, but the technology can also help the e-tailer understand what its customers
want and how they want it.

Privacy, Please

Yet another element that has helped some e-tailers remain strong is the issue of privacy.
Many companies with Web channels have had some decisions to make recently: collect
customer data and e-mail addresses and sell the information for a price to boost sagging
profits, or prominently reassure customers that their information is private and will
remain so in the future? The former choice represents a short-term fix and the latter
choice is the ticket to the long-term payoff. Many companies that sold customer data
from the get-go or made a decision later to sell information seemed to think that their
activities would not be noticed, or that the average consumer wouldn’t care if they
received a few extra spams brought on by the sale of their personal information. This was
a serious miscalculation. In a crowded information age of little free time and space to
breathe, most consumers are becoming rabidly protective of the little privacy they have.
More importantly, e-tailers and Web marketers that chose to collect information from
children not only earned the ire of parents, they began to draw fire from federal and state

Finally, the vast majority of companies that made a go at succeeding in e-commerce only
to fail a year or two later are like kids who begin playing with a complex toy and give up
in a huff when they can’t operate the toy based on the fact that they didn’t read the
instructions. All’s well and it ends well. The toy becomes available to the kid who values
it and knows how to use it.

“E-Business Evolution: Transaction Management Costs, Benefits, and Market
Development,” © Copyright 2002 Yankee Group, Yankee Group, 31 St. James Avenue,
Boston, Massachusetts 02116 [Sterling Commerce, 4600 Lakehurst Court, Dublin, OH
43016-2000, USA], 2002.

In a remarkably short time, the Internet has grown from a quirky playground into a vital,
sophisticated medium for business, and as the Web evolves further, the threshold for
conducting successful business online will move increasingly higher. Online consumers
are flooding to the Internet, and they come with very high expectations and a degree of
control that they did not have with traditional brick-and-mortar companies. Businesses,
too, are rushing to join the Internet revolution, and new, viable competitors are emerging
in all industries.

The enticement of doing business online must be tempered by the understanding that
when the dust settles, a significant percentage of e-businesses will have failed. The ones
that succeed will be those that are able to deliver a satisfying and consistent customer
experience online, building brand loyalty and guaranteeing high rates of customer

Although customer experience includes intangible, nonquantifiable aspects, it also
includes a wide range of entirely measurable Web site elements. It is necessary for any
organization wanting to succeed in e-business to define a broad spectrum of performance
parameters, establishing benchmarks for speed, reliability, availability, and accuracy, and
to monitor all of those parameters. Nothing works perfectly all the time, and the spoils
will go to those e-businesses that constantly and efficiently monitor their Web sites,
immediately identifying any glitches that do occur and fixing them promptly.

Moving forward, all businesses will be affected by the global move to electronic
commerce. Business operations will change, and new processes will be created.
Companies that start learning in this new environment today will be leaders in the future.

Furthermore, as future technologies are developed, SIP will continue to play a pivotal
role in the adoption of multimedia e-commerce. SIP’s simplicity, easy integration, and
extensive interoperability ensure its longevity as the preferred multimedia platform.

In fact, SIP pundits speculate that it will pave the way for carriers to roll out the
innovative voice services only possible with IP. These services most likely will include
Web integration to simplify follow-me services, call conferencing, and ways for users to
speak with a live agent just by clicking a Web site button.

Although the road ahead looks clear, there are potential obstacles to the wide-scale
adoption of multimedia e-commerce. Users will need new or upgraded equipment to take
advantage of SIP technology. Incorporation of SIP into operating systems and in
preconfigured PCs will take some time. Some movement is being seen in this area,
however, with Microsoft® and a number of the third generation (3G) wireless
associations adopting SIP as the protocol of choice.[7]

Note Third generation (3G) is an International Telecommunication Union (ITU)
specification for the third generation (analog cellular was the first generation, and
digital Personal Communications Service [PCS] was the second) of mobile
communications technology.

With the help of SIP, Voice over IP (VoIP) e-commerce has the potential to change the
habits of users by enhancing the way they conduct business communication and
transactions over the Internet. As SIP facilitates and completes the integration of
communications on the Web, much innovation lies ahead.

So, despite difficult economic conditions and negative sentiment resulting from the e-
marketplace catastrophe, much is happening in the e-business world. Nearly every
company involved in e-business has expressed interest in improving machine-to-machine
communication with customers, suppliers, or service providers. The majority
(approximately 74%) increased their e-commerce technology budget in 2003 compared to
2002; and, despite difficult economic times and contracting IT budgets, half of the e-
business companies expect the transaction management market (TMM) budget to
increase in 2003 compared to 2002.

Java, XML, and related standards are changing the nature of machine-to-machine
communication. These technologies are driving down integration costs and improving
integration flexibility. As economic conditions improve, these factors will drive increased
spending on technologies that interface with the external business ecosystem.

Furthermore, transaction management systems support a wide range of innovative
business strategies. Many companies are extending EDI systems to manage more
complex interbusiness automation scenarios. Others are rethinking e-commerce strategies
and exploring new intercompany transaction cost/benefit scenarios. This trend toward
complex interbusiness process automation and transaction management will accelerate as
IT budgets expand and Java and XML technologies mature.

Electronic trading network service providers deliver an important and often
misrepresented value proposition to an e-commerce solution. Security, reliability, and
nonrepudiation are foundational requirements for effective interenterprise solutions.

Most transaction management technology users are not in the business of building and
operating secure, reliable, auditable data communications networks. Outsourcing these
data communication requirements to a third-party service provider can be an effective
way to scale transaction volumes without scaling operation costs, and to avoid plunging
valuable business executives into the integration technology morass.

Consistent with the buy low and sell high mantra, now is the time to develop and, if
possible, execute e-business strategy. The following e-business actions are recommended
for companies interested in automating partner information flow:

• Develop the business case for TMM technology use.
• Leverage existing investments.
• Take advantage of technology change.

Developing the Business Case for TMM Technology Use

You should define business objectives and understand technology capability and
limitations relative to automation opportunities. EDI deployments are often driven by
very basic cost-savings arguments or by brute-force customer requirements. TMM
systems are capable of managing much more than the purchase order and invoice
exchange process. You should understand your customer (and supply) base and how you can
leverage TMM technology to take advantage of these relationships.

Leveraging Existing Investments

Exploring the ways existing systems interoperate can reap significant benefits. For
example, you could use a content management vendor’s workflow engine to automate
processes across both Web site and EDI assets. You should be able to streamline exception
management across multiple platforms. You should also be able to provide consistent
information to partners, regardless of the partner’s means of access (browsers or machine
interface). Systems synergies and cost-savings opportunities abound in the TMM market.

Taking Advantage of Technology Change

Finally, the costs and capabilities of TMM technologies are changing rapidly.
Understanding the implications of changing conditions will help organizations make wise
decisions today, without creating cost of ownership nightmares for tomorrow. It is also
important to understand how individual vendors are reacting to changing conditions. Can
a vendor support your architectural strategy and your Web service plans? And if so, how
willing will the vendor be to negotiate price to move a new e-business product in a down
economy? Well-researched answers to these questions can speed ROI and reduce
implementation complexity.

Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne
Media, 2001.

Chapter 2: Types of E-Commerce

“Peace, commerce, and honest friendship with all nations, entangling alliances with
—Thomas Jefferson (1743–1826)

The global economy may have faltered in 2002, but advances in e-commerce technology
continue to transform personal communication and global business at an astounding pace.
Although these advances promise to bring a substantial percentage of the world’s
population online in the next five years, they also present significant challenges to
industry and policymakers alike.

According to NUA Internet Surveys (http://www.nua.ie/surveys/), over 620 million
people worldwide are linked to the Internet. Experts predict that global Internet usage
will nearly triple between 2003 and 2006, making e-commerce an ever more significant
factor in the global economy. Estimates suggest that by 2009, some 47 percent of all
business-to-business (B2B) commerce will be conducted online.

E-Commerce Technology

With the preceding in mind, the dynamic nature of the new economy, and particularly the
Internet, calls for decision makers to develop policies that stimulate growth and advance
consumer interests. But, in order to create the foundation for the rapid growth of e-
commerce, enterprises must adopt the effective e-commerce technology policies that
embrace the following four crucial principles:

Strong intellectual property protection: Innovation drives e-commerce technology, and
rewarding creativity fosters innovation. Thus, strong copyright, patent, and other forms of
intellectual property protection are key to invigorating the information economy.

Online trust: security and privacy: Without consumer confidence in the safety,
security, and privacy of information in cyberspace, there will be no e-commerce and no
growth. Protecting information and communications on the Internet is an absolute
prerequisite to the continued success of the Internet and the information economy[4].

Free and open international trade: Closed markets and discriminatory treatment will
stifle e-business. The Internet is a global medium, and the rules of the information
economy must reflect that fact. Only in an open, free market will the Internet’s potential
be realized.

Investing in an e-commerce technology infrastructure: Supporting the physical
infrastructure necessary to deliver digital content (primarily through telecommunications
deregulation and government efforts to reduce the digital divide) is vital to spurring
technological growth[3].

Strong Intellectual Property Protection

For hundreds of years, protection of creative material has given authors and other
innovators powerful incentives to develop and distribute exciting new products.
Throughout, respect for private property (whether in its tangible or intellectual form) has
been a core value of market-driven economies.

In the information economy, such protection is even more vital, because the core
currency of the Internet is nearly exclusively intellectual property. Today, software
developers and other authors of creative works depend on the rights granted by copyright
laws to develop new, more functional, and more powerful products. Overall, U.S.
copyright-based industries (particularly the software, film, music, and publishing
industries) are among the fastest growing segments of the American economy. Of those
industries dependent on copyright for their business models, the high-tech industries
comprise an ever-growing share, particularly those creating software and hardware

Industry leaders estimate that, within five years, an astonishing two thirds of software
sales will be conducted over the Internet. Furthermore, one third of all software exports
from the United States will be distributed electronically. Failure to properly protect this
vital intellectual currency means its value will evaporate and the global economy will
suffer greatly.

Copyright in the Internet Age

Digital piracy (the online theft of creative property) poses one of the single greatest
threats to the success of the information economy. It undermines the confidence that
creators and consumers place in their commercial interactions over networks.

The very nature of the online world that makes it so attractive in the marketplace also
renders the work of copyright violators easier. Now that unlimited, flawless copies of
creative works in digital form can be made and distributed globally in a matter of
seconds, intellectual property on the Internet can be at great risk. Internet piracy is real,
acute, and growing, demanding strong protections in the digital arena.

Software Piracy Is the Industry’s Most Serious Problem

Piracy is the most significant problem facing the software industry globally. Every day,
pirates steal millions of copies of copyrighted computer programs. Some of these are
stolen by users making illegal copies personally, others by professional counterfeiting,
and still others via illicit sales or auctions on the Internet.

For example, International Planning and Research (IPR; http://www.iprnet.com/) recently
found that 48 percent of all software loaded onto computers globally in 2002 was pirated.
In many countries, the piracy rate exceeds 80 percent. The resulting economic losses,
according to IPR, were staggering: over $23 billion lost internationally, with $4.3 billion
attributable to piracy in the United States alone.

Caution URLs are liable to change without notice!

Widespread software theft harms not only America’s leading e-commerce technology
developers, but also its consumers. They risk purchasing defective, counterfeit products
and losing the benefits enjoyed by purchasers of legitimate software, such as customer
support and product upgrades.

But, the economic impact of software piracy extends far beyond the confines of the
software industry and its consumers. Piracy distorts e-commerce technology economies
worldwide by robbing governments of legitimate tax revenues and citizens of badly
needed jobs.

A recent study by PricewaterhouseCoopers (http://www.pwcglobal.com/) found that
software piracy cost the U.S. economy over 200,000 jobs, more than $5 billion in lost
wages, and nearly $2 billion in foregone tax revenues. The study concluded that, by 2009,
these losses would grow to 286,000 jobs, $8.4 billion in lost wages, and $2.7 billion in
lost tax revenues. Conversely, PricewaterhouseCoopers concluded that reducing piracy
could produce at least two million additional jobs and nearly $36 billion in additional
government revenues worldwide by 2006.

Governments Must Combat Copyright Theft

Stemming these massive losses requires a concerted, multifaceted effort to combat the
theft of copyrighted material. Although technological measures to fight piracy and
increased public education about copyright are essential, the key to copyright protection
lies in governments worldwide adopting and vigorously enforcing strong laws prohibiting
this theft.

Copyright Laws Must Be Enforced

Strong words in a statute are not enough. These laws must be backed by vigorous
enforcement by governments and must allow private parties to pursue fast and
inexpensive remedies when their rights have been infringed. Strong copyright protection

• Deterrent civil and criminal penalties.
• Sustained criminal enforcement.
• Copyright-related law enforcement efforts must be funded sufficiently.
• Court-ordered and court-appointed piracy inspections must be available.

Deterrent Civil and Criminal Penalties

Effective copyright laws must provide strong civil remedies, including permanent
injunctions against further infringement, the seizure of illegal software (and articles used
to defeat copyright protection), compensation, and fines. They must also provide for
minimum criminal penalties when piracy is committed knowingly and for commercial
purposes or to satisfy the internal demands of a business or other entity. In the United
States, both criminal penalties and civil remedies are available and, increasingly, other
countries are adopting similar legal models.

Sustained Criminal Enforcement

Sustained criminal enforcement is absolutely necessary in order to deter piracy and send
the message that piracy is a serious crime with serious consequences. In the United
States, the No Electronic Theft (NET) Act enables law enforcement officials to prosecute
individuals who steal software by distributing it over the Internet, even if they do not
profit economically from their activities. The NET Act has proven to be an effective
antipiracy tool and has resulted in numerous convictions. In countries where such laws do
not exist, however, customs and other governmental agencies must vigorously investigate
and enforce traditional copyright laws as a first step toward addressing Internet-based

Copyright-Related Law Enforcement Efforts Must Be Funded Sufficiently

Despite the very real economic damage caused by software piracy, copyright enforcement
actions too often are forced to take a back seat to other criminal prosecutions. For
authorities to make a real dent in copyright crimes, governments must provide adequate
funding and explicit direction to those agencies responsible for copyright enforcement.

Court-Ordered and Court-Appointed Piracy Inspections Must Be Available

Given even minimal warning, a pirate can swiftly and easily eliminate evidence of
software theft with the touch of a button. As a result, the prosecution of software piracy,
whether in civil or criminal contexts, requires court-ordered inspections without advance
notice to the suspected software pirate (as required under the Trade-Related Intellectual
Property Rights [TRIPs] Agreement). To ensure fairness, such searches should be court-
supervised, with court-appointed experts being permitted to search and inspect for the
suspected piracy.

The WIPO Copyright Treaties Must Be Implemented

With the Internet, copyright theft has become a global phenomenon. The World
Intellectual Property Organization (WIPO) recognized that fact when it adopted “digital”
copyright treaties to create an international legal standard, covering online intellectual
property. Now, the nations of the world must ratify them.

The treaties were designed to promote online commerce by ensuring that authors are able
to determine how their works are sold and distributed online. The WIPO treaties reinforce
the fact that copyright protects all copies of a work, whether they are considered
“permanent” or “temporary,” “tangible” or “digital.” The treaties also ensure that authors
retain the right to determine the point at which their copyrighted works are placed on the
Internet, in the same way that authors determine the locations at which tangible copies of
their works may be distributed.
The WIPO treaties also recognize that, to protect intellectual property from theft, owners
need to employ e-commerce technology that guards against unauthorized access and
copying. Because such e-commerce technology-based protections are an extremely
effective means to prevent theft, the treaties recognize that attempts by pirates to break
these technical defenses must be outlawed.

Because many international copyright laws do not specifically protect creative materials
distributed over the Internet, global adoption of these treaties is essential to promoting the
safe and legal growth of Internet commerce. Under provisions of the treaties, a total of 30
signatory countries must ratify the treaties in order for their provisions to become
enforceable worldwide. To date, over 36 countries have taken this step.

Governments Must Lead By Example

Governments are among the largest purchasers of computer-related services and
equipment the world over. Not surprisingly then, many governments internationally have
taken the important step of directing their public administrations to effectively manage
software resources. High-profile government software management policies have been
issued in the People’s Republic of China, Spain, Taiwan, Ireland, Colombia, Jordan,
Thailand, the Czech Republic, and Paraguay, among other nations. A number of other
governments are drafting similar policies, which have served as a catalyst for enhancing
software protection in both the public and private sectors in those nations.

For example, in 1998, the United States issued an Executive Order requiring U.S.
government agencies and contractors to effectively manage their software resources and,
in so doing, to use only legal, licensed software. Several U.S. states, including California
and Nevada, issued similar orders applicable to state government agencies and related
entities. These policies have had a powerful impact on the health of the software industry
in the United States and, importantly, have set the tone for proper software management
practices in America’s private sector.

Online Trust: Security and Privacy

In the aftermath of the tragic events of September 11, 2001, individuals, companies, and
governments have all focused attention on the issues of safety and security. Much of that
attention has fallen on the Internet, as it has emerged as a vital information and economic
link throughout the world[4].

The continued success of the Internet is, in many ways, dependent upon the trust that
individuals, businesses, and governments place in it. For that trust to exist, user
information transmitted over computer networks must be safe from thieves, hackers, and
others who would gain access to and make use of sensitive information without

Consumers have repeatedly shown they will not conclude commercial transactions over
the Internet, unless they are confident of the security and privacy [4] of their personal
information. Recent surveys by GartnerG2 (http://www.gartnerg2.com/site/default.asp)
and BusinessWeek/Harris
(http://www.adinfo.businessweek.com/magazine/content/0205/b3768008.htm) suggest
that 75% of U.S. Internet users fear going online for this reason, and that 70% of those
who are already online harbor concerns about privacy that keep them from transacting
commerce on the Internet. Yet, even as concerns about these vital issues proliferate, no
single solution can suffice.

Consider privacy[4], where consumer expectations vary considerably, based on a number
of factors. Privacy expectations for a voluntary, online commercial transaction are very
different from those that accompany a demand by a government entity.

The key difference is choice. When an individual is required by law to submit his Social
Security number or tax return to a government entity, that information should receive
greater protection than that disclosed in a private business transaction. In the latter case,
an individual is free to choose the online entity whose privacy policies match his needs.
When consumers “vote with their feet,” businesses quickly take notice.

For e-commerce to flourish, businesses also need to provide personalized products and
services so that consumers get what they want without suffering “information overload.”
Knowing this, successful e-business marketers must gather information about the wants
and needs of their customers in the same way as traditional marketers. Policymakers also
must remember that online “trust” encompasses two distinct concepts: security, so that an
individual’s private information will not be obtained through illegal hacking, and
confidence that the private information collected for one transaction will not be used in
ways the information provider did not anticipate or expect.

Protecting the Security of Information

The first and best line of defense against unwarranted intrusions into personal privacy is
for individuals to employ e-commerce technology to protect themselves. Industry-
developed and supplied encryption technologies and firewalls, for example, provide
individuals with substantial tools to guard against unwarranted intrusions.

Encryption is technology, in either hardware or software form, which scrambles e-mail,
database information, and other computer data to keep them private. Using a
sophisticated mathematical formula, modern encryption technology makes it possible to
protect sensitive information with an electronic lock that bars thieves, hackers, and
industrial spies.

In light of the recent tragic events of 9-11, security in all its forms (including security
against cyber intrusion and attack) is more important than ever. Strong encryption
technology plays a key role in such security, helping individuals, businesses, and
governments protect sensitive or personal information against willful or malicious theft.
Not surprisingly, then, nations have increasingly adopted policies that encourage the
widespread availability of encryption tools for consumers. At the same time, they have
successfully worked to permit law enforcement to access encrypted communications in
certain critical instances, while rejecting calls for encryption products to be undermined
through the building of “back-door” government keys.

A firewall is essentially a filter that controls access from the Internet into a computer
network, blocking the entry of communications or files that are unauthorized or
potentially harmful. By controlling Internet “traffic” in a network, firewalls protect
individuals and organizations against unwanted intrusions, without slowing down the
efficiency of the computer or network’s operations. They also limit intrusions to one part
of a network from causing damage to other parts, thereby helping to prevent large-scale
system shutdowns brought on by cyber attacks. Not surprisingly, then, firewalls have
become a key component of computer systems today, and their architecture comprises
some of the most state-of-the-art e-commerce technology available in today’s

But, computer security, or cyber security, is more than encryption, and it requires more
than a onetime fix. It is an ongoing process requiring the adoption of strong security
policies; the deployment of proven cyber security software and appliances (such as
antivirus, firewalls, intrusion detection, public key infrastructure (PKI), and vulnerability
management, as well as encryption); and, in the case of larger organizations, the existence
of trained security professionals. These professionals, in turn, must be continually
retrained in order to ensure that they are able to address and combat the evolving nature
of cyber threats.

Strong security tools alone, however, cannot protect users against threats in each and
every instance. Dedicated hackers and criminals will always seek new ways of
circumventing even the most effective security technologies. That is why it is critical that
strong laws be put in place to deter such activities. In particular, where needed, laws
should make it illegal to defeat, hack, or interfere with computer security measures, and
penalties for these crimes should be substantial.

As is the case with copyright laws, however, strong words in a statute are not enough.
Effective antihacking and computer security laws must:

• Provide deterrent civil and criminal penalties.

• Be backed by vigorous enforcement by governments (including through adequate
funding of such enforcement).
• Allow private parties to pursue fast and inexpensive remedies when their cyber
security has been illegally breached[3].

Although the government should create a strong legal framework against cyber crime, it
should not intervene in the marketplace and pick e-commerce technology “winners” by
prescribing arbitrary standards in the security field. Such intervention would do little
more than freeze technological development and limit consumer choice. Instead, the
development and deployment of security tools should be determined by technological
advances, marketplace forces, and individual needs, and should be free of regulation.

Empowering Individuals to Manage Their Personal Information

In the private sector, all parties to any transaction should have the discretion to
voluntarily choose the terms of an information exchange. The choice should be informed;
both parties should clearly understand the information to be exchanged and what will be
done with it. The choice will then be based on the reasonable expectations of the parties
regarding a specific transaction. There likely will be fewer expectations about privacy
accompanying the online purchase of a newspaper subscription, than the purchase of
prescription medicines, for example.

The choices of both consumers and businesses should be respected, and the private sector
should be given the latitude to develop and implement effective privacy policies to meet
customer demands. Marketplace-developed measures are far more likely than
government regulations to meet the expectations of individuals and promote the
development of online commerce. The role of policy in this area should be aimed at
ensuring that:

• Industry self-regulation of privacy practices continues, including giving notice to
customers of these practices.
• Consumers have the option to prevent information from being gathered from them
or used for a different purpose (opt-out), rather than requiring their specific
permission for the information to be gathered (opt-in).
• There is predictability and certainty in interstate Internet-based commerce that
allows the marketplace to function efficiently, rather than multiple state laws that
will complicate, and thus chill, commerce.
• Hackers face stiff criminal penalties for stealing information or impeding its
online movement.
• Law enforcers are fully funded, staffed, equipped, and trained to fight cyber
• The government should lead by example by implementing strong security tools in
its own systems, including Internet security solutions in its electronic operations.
• Enhanced basic research and development on security technologies is
appropriately funded.
• Skilled professionals in the computer security field are trained and developed.
• Information and best practices are more freely shared between the public and
private sectors[3].

Free and Open International Trade

The global vitality of an electronic marketplace depends upon free and open trade.
Tariffs, regulations, and similar barriers to commerce raise costs and can price many
smaller, competitive firms out of the market. When trade is restricted, economic
development is slowed, consumer choice is reduced, and global prosperity is harmed.

International trade is vital to the software industry. Over half of the U.S. industry’s global
revenues are derived from foreign sales. Exports as a percentage of American software
companies’ total sales have increased dramatically over the past decade. They now
account for over $50 billion each year.

Enforcing the Trade-Related Intellectual Property Rights (TRIPs)

Widespread piracy is the software industry’s single most significant trade barrier. The
most effective means of reducing piracy internationally is to enforce TRIPs, the
agreement by which all members of the World Trade Organization (WTO) commit to
abide by laws that protect intellectual property. TRIPs-compliant nations must have in
place adequate civil and criminal laws protecting intellectual property and must, in
practice, effectively enforce those laws.

Unfortunately, many countries fail to criminalize or adequately protect copyright holders
against “end-user” piracy, as required by the TRIPs Agreement. Other nations lack
critical enforcement tools, such as the right to conduct surprise (“ex parte”) civil
searches, also required by the TRIPs Agreement.

The deadline for developing nations to comply with the TRIPs Agreement was January 1,
2000. However, today, many countries still remain in noncompliance and in violation of
their international commitments.

Facilitating Importation and Production of Information E-Commerce Technology Equipment

A decade ago, in addition to rampant software piracy, the U.S. software industry faced
another major problem in foreign markets: unreasonably high tariffs on computers and
related devices. Significant progress has been made in this area. The WTO “Uruguay
Round” agreements and the subsequent Information Technology Agreement (ITA),
substantially reduced many tariffs for e-commerce technology devices.

Still, many economies, mostly in the developing world, impose high duties or excise
taxes on foreign e-commerce technology equipment. These barriers can range from 20
percent to as much as 100 percent of a product or system’s price. In some cases, a
government might justify such a barrier by claiming that these products are “luxury
goods.” Or, a government might argue that such actions are necessary to protect an
“emerging” domestic industry or “sensitive” sector of its economy.

But, in all cases, such policies simply stifle the development of a vibrant base of e-
commerce technology consumers and service providers. It is essential for governments to
adopt policies that encourage the use of e-commerce technology—not policies that
effectively prohibit or punish it.

The preceding is true whether considering a computer and software in the home, or
routers and wires in the workplace. The refusal to compete against high-quality, imported
products will do nothing to enable domestic manufacturers to produce quality products at
affordable prices.

For a nation’s e-commerce technology development to flourish, countries should also
open up their domestic markets to foreign investment. Foreign companies willing to
invest in e-commerce technology overseas are affirming that particular country’s
development and manufacturing capabilities and consumption potential. An infusion of
capital and expertise also serves as a catalyst for the further development of the domestic

Pursuing New Trade Agreements that Respect E-Commerce

As trade moves increasingly from the import and export of tangible goods to Internet-
based commerce, it is vital to ensure that traditional free-trade principles apply equally in
the realm of electronic commerce. Nations that have sought to rid themselves of
burdensome trade barriers must ensure they do not stifle e-commerce with those same
barriers. Because trade liberalization is crucial to the worldwide growth of the software
industry, the following agreements and negotiations are very important:

• The pursuit of a new round of multilateral trade negotiations under the auspices of
the WTO
• The conclusion of regional free trade agreements, such as the Free Trade Area of
the Americas (FTAA)
• New, bilateral trade agreements, including the U.S.-Singapore Free Trade Area

Thus, the preceding bilateral and multilateral talks provide opportunities to further
strengthen international trade law, provide a predictable business environment for e-
commerce, and develop a progrowth e-commerce agenda.

Keeping E-Commerce Barrier-Free

Any new trade negotiations should focus on barring new measures whose effect would be
to restrict or inhibit the growth of global e-commerce. Countries should also ensure that
they apply current WTO standards to online transactions. Specifically, countries should:

• Sign the Information Technology Agreement (ITA) and eliminate e-commerce
technology tariffs.
• Make the 1998 Moratorium on Customs Duties on Electronic Commerce
permanent and binding.
• Refrain from trade classifications that penalize software and other products
acquired through downloading from a computer network, compared to those
purchased in tangible form.
• Affirm that current WTO obligations and commitments, namely the General
Agreement on Tariffs and Trade (GATT; trade in goods), General Agreement on
Trade in Services (GATS; trade in services), and TRIPs (intellectual property)
rules are technology-neutral and apply to e-commerce. Countries should refrain
from enacting trade-related measures that could impede, actually or potentially,
international e-commerce. Such rules should be enacted only where a legitimate
policy objective necessitates doing so and where the least trade-restrictive
measure is chosen.
• Support a NAFTA-type approach to e-commerce services issues in future trade
negotiations. NAFTA’s services obligations apply to all services, including new
services that have developed since the conclusion of NAFTA (this approach is
sometimes referred to as “top-down”). Because it is impossible to anticipate what
specific e-commerce services will develop over time, any “bottom-up” approach,
as embodied in the current GATS, almost certainly will be out-of-date from its
inception. There is a need to set the stage for an agreement that is more flexible
with respect to future e-commerce and computer industry developments.
• Adopt a horizontal work program in the WTO for all e-commerce issues. This is
necessary in order to ensure that WTO rules and disciplines reflect the horizontal
(cross-disciplinary) nature of e-commerce.

Investing in a Technology Infrastructure

All the consumer confidence and legal support in the world won’t boost e-commerce if
there’s no way to deliver electronic content to customers efficiently and quickly. The
future of electronic delivery demands a dramatic evolution of the telecommunications
infrastructure in the United States and across the globe. Today’s infrastructure was built
to carry voice telephone traffic and has served well for the last 50 years. But, the
information age is placing new demands on this system, demands that it cannot readily
meet. Today’s slow transmission speeds and congestion are a legacy of an outdated
system that must be modernized, lest consumers and businesses turn away because of the
“world wide wait.”

High-speed constant connections to the Internet (broadband access) let users send and
receive far larger volumes of information than traditional dial-up telephone lines allow.
Broadband access can be provided through modified cable television lines, an enhanced
telephone service called Digital Subscriber Line (DSL), satellite, fixed-wireless[5], and
other means.

Broadband access is absolutely necessary in order to make the vision of new, exciting
Internet-based services a reality. For example, highly anticipated interactive applications
(whether online classrooms, business showrooms, or health clinics) cannot exist if users
lack broadband access.

In the United States today, roughly 70 percent of American households have access to the
Internet, according to NielsenNetRatings (http://www.nielsen-netratings.com/). But,
fewer than 10 percent of U.S. households have broadband access.

Many other nations rival the United States in their level of Internet penetration. In
Sweden, nearly 75 percent of citizens have access to the Internet, whereas the number in
Canada is 58 percent. But globally, broadband access rates are even lower than in the
United States.

Several factors conspire to stymie more extensive broadband deployment. There are
financial challenges, changing market conditions, uncertain consumer preferences, and
even cultural and societal trends. In this environment, policymakers must take the lead
and encourage the provision of broadband to consumers and their homes over the so-
called “last mile.”

There is also a need to ensure that individuals in all sectors and geographical locations
enjoy the benefits of broadband access. Not surprisingly, early evidence suggests that, in
the United States, the rate of broadband deployment in urban and high-income areas is
outpacing deployment in rural and low-income areas.

The preceding disparity has raised concerns that the “digital divide” (the gap between
information “haves” and “have-nots”) will increase. The digital divide is a major concern
for companies who have worked individually to expand access to computer technologies
in underserved areas. They recognize that a global e-commerce technology future
depends on widespread access to new technologies, particularly by individuals who have
thus far failed to share in many of the communications and productivity benefits that
technology brings. For all these reasons, many e-commerce companies support policies to
promote broadband deployment in a way that will enhance widespread access to
technology and, in so doing, close the digital divide.

Deregulating and Making Telecommunication Markets Competitive

Genuine competition in all telecommunications markets will accelerate the deployment of
advanced e-commerce technologies at reasonable prices. Competition in the long-
distance market in the United States over the past decade has substantially reduced the
cost of telecommunications services and steadily increased service quality and product
innovation. This same model should be applied to local telephone markets in the United
States and other countries. Competition will stimulate existing and new companies alike
to deploy new equipment and software that is data friendly (packet-switched) and enable
companies to tap into significant consumer demand for information-intense services.

Now, let’s look at another type of e-commerce technology: the tools that reside within the
Internet environment itself. In other words, with the growth of the Internet, B2B
procurement and other processes are being moved to the World Wide Web, for increased
efficiency and reach. Procurement systems from different vendors use various protocols,
and additional protocols are being defined by several industry consortia. As a
consequence, suppliers are faced with the difficult task of supporting a large number of
protocols in order to interoperate with various procurement systems and private
marketplaces. In this part of the chapter, the connectivity requirements for suppliers and
private marketplaces are outlined, and a description of how suppliers and marketplaces
can interoperate with diverse procurement systems and electronic marketplaces is
presented. A description of a simple connectivity that is based on punchout processes for
fixed and contract-based pricing is presented first. Next, a description of how
asynchronous processes, such as requests for quotes, auctions, and exchanges can be
distributed for interoperability across suppliers and marketplaces, is also presented.
Finally, this part of the chapter presents a description of the B2B/market-to-market
(M2M) Protocol Exchange. This is a prototype that IBM has implemented, which maps
between different, but analogous, protocols used in procurement systems and, thus,
alleviates some of the interoperability difficulties.

Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

“Necessary Elements for Technology Growth,” Business Software Alliance,
1150 18th Street, N.W., Suite 700, Washington, DC 20036, 2003.

Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne
Media, 2001.

The Internet Environment

As previously explained, with the rapid growth of the Internet, organizations are
increasingly using the Web to conduct business with greater speed, reach, and efficiency.
This transformation is especially prevalent in business-to-business (B2B) commerce and
trade. Many of the Fortune 500 companies have adopted e-procurement systems such as
Ariba (see sidebar, “Ariba”), Commerce One, and mySAP. Many others participate as
buyers in e-marketplaces, such as Commerce One MarketSet, Ariba Hosted Market Place,
and IBM’s WebSphere Commerce Suite, Marketplace Edition (WCS MPE, or MPE for
short), among others.

Figure 2.1 illustrates the environment for B2B procurement on the Web[1]. B2B buyers
have diverse procurement systems, such as those offered by Ariba, Commerce One, and
SAP, among others. Each of these procurement systems uses different B2B protocols for
interaction with seller systems. Many of these protocols are proprietary and specific to
the procurement system. For example, as illustrated in Figure 2.1, Ariba uses the
punchout process between the Ariba Order Request Management System (ORMS) and
seller systems using their Commerce XML (cXML, or Commerce Extensible Markup
Language) specification for the messages. Commerce One uses XML Common Business
Library (xCBL) as the format of messages, and mySAP uses the Open Catalog Interface
(OCI; for a process similar to punchout) between buyer and seller systems.

With purchasing managers facing the prospect of tighter corporate budgets, developers
Verticalnet Inc., PeopleSoft Inc., and Ariba Inc. are each readying software that they
indicate will enable their customers to better manage spending. The goal is to enable
companies to more closely tie the process of finding sources of raw goods, negotiating
the price for those products, and closing the loop with electronic settlement.

Verticalnet has recently released an enhanced Spend Management module as well as the
next version of its Metaprise collaborative planning and order management suite. Spend
Management introduces a supplier score card and enhanced reporting and analytics,
which will let suppliers see through a Web browser how they are serving buyer and
performance metrics, such as actual costs versus standard spending. New functionality in
Metaprise, which comes from the company’s acquisition of Atlas Commerce Inc.,
facilitates the process of improving requisitions and managing purchase orders. Enhanced
logistics functionality integrates shipping updates with third-party logistics providers.

Meanwhile, PeopleSoft, of Pleasanton, California, recently announced the general
availability of its strategic sourcing suite. The company unveiled PeopleSoft Strategic
Sourcing as a collaborative solution that helps companies manage the complex bidding
and negotiation process in the procurement of direct goods, services, and large capital
expenditures, according to officials.

Separately, Ariba, of Sunnyvale, California, recently unveiled its Spend Management
Suite, which has been in beta testing. The suite consists of new and enhanced software
modules for analysis, sourcing, and procurement to help companies manage their
spending before, during, and after the procurement process, stages that Ariba refers to as
“find it,” “get it,” and “keep it.”

In the find-it category, the new Ariba Analysis module gathers procurement information,
which typically resides in the Ariba Buyer platform, accounts payable, and ERP planning
systems. It then generates reports to help companies find potential savings.
The second new module, called Ariba Contracts, falls into the get-it and keep-it
categories, by focusing on the administration of contracts—those being used successfully
and those requiring renegotiation. Integrated with Ariba Buyer and Enterprise Sourcing,
the module helps companies track and manage contract life cycles. Ariba Invoice, the
third new module, automates every stage in the invoicing process to help companies
reduce reconciliation cycle times and lets suppliers upload invoices into Ariba Supplier
Network and transmit them back to buyers.

As for enhancements, Ariba Buyer has new integration with the Contracts module. Ariba
Workforce features an expanded capability to capture and manage a broader spectrum of
workforce procurement, indicate officials[2].

Many other protocols for B2B processes, many proprietary to procurement and other
systems, and others customized for specific partners are being defined and implemented.
In addition to the procurement systems, which typically reside within the firewall of the
buying organizations, marketplaces are being set up on the Internet through which buyers
can access a large number of suppliers, typically for specific industry segments. Many of
these marketplaces use the same or similar technology to connect to procurement and
supplier systems and offer buyers at small and medium-sized businesses access to

Meanwhile, standards bodies are defining protocols and message formats for B2B
processes. One of the early processes was that defined by the Open Buying on the
Internet (OBI) consortium, a precursor of the punchout process. The RosettaNet
consortium used OBI as a starting point and defined Partner Interchange Processes
(PIPs), including both flows and XML-based message formats for interactions between
partners. The electronic business XML (ebXML) framework (sponsored by the United
Nations Centre for the Facilitation of Procedures and Practices for Administration,
Commerce and Transport [UN/CEFACT] and the Organization for the Advancement of
Structured Information Standards [OASIS]) includes a messaging service, a
Collaborative-Protocol Agreement (CPA) specification, and a Business Processes
Specification Schema. These are all used for enabling the interaction between business

The Web services approach defines both a messaging and a remote procedure call
mechanism using Simple Object Access Protocol (SOAP). On top of SOAP, the Web
Services Description Language (WSDL) defines a Common Object Request Broker
Architecture (CORBA) interface definition language (IDL)-like interface for Web-based
B2B remote procedure calls. And, the Universal Description, Discovery, and Integration
(UDDI) consortium has defined a directory mechanism for registering and locating
businesses on the Web, with an optional WSDL interface specification. The Open
Application Group (OAG) has defined Business Object Documents (BODs) for the
content of B2B messages.
Some of these originally disparate efforts are now coming together. For example, the
RosettaNet consortium has announced that they will move to the ebXML messaging
protocol, and OAG has announced that they will support ebXML. In spite of these
efforts, however, the number of B2B protocols continues to grow.

This proliferation of B2B protocols gives rise to several connectivity requirements and
problems, as illustrated in Figure 2.2[1]. First, from a supplier’s point of view (box A in
Figure 2.2), suppliers need to connect to the many customer procurement systems and
private marketplaces, using various B2B protocols. Second, private marketplaces (and,
over time, procurement systems as well) need to connect to procurement systems (box B
in Figure 2.2), using different B2B protocols. Third (box C in Figure 2.2), private
marketplaces need to connect to suppliers that may support different B2B protocols.
Fourth (box D in Figure 2.2), private marketplaces need to connect to each other, in order
to access suppliers connected to other marketplaces, or to access services offered at other

Now, let’s look at the connectivity requirements for suppliers and private marketplaces,
and how suppliers and marketplaces relying on IBM’s WebSphere Commerce Business
Edition (WCBE), WebSphere Commerce Suite, and Marketplace Edition (WCS MPE)
can interoperate within the environment for B2B procurement. Simple B2B connectivity
using punchout processes as supported by WCBE are also discussed. Next, marketplace
connectivity for emerging asynchronous processes and distributed trading mechanisms,
as supported by WCS MPE, are discussed. Finally, the last part of this chapter discusses
connectivity, how to use a B2B protocol exchange, and how many of these protocols can
be mapped to each other—thus allowing procurement systems and suppliers to use
different protocols.

Simple B2B Connectivity Using Punchout

Now, let’s focus on two of the B2B connectivity problems previously mentioned, and
illustrated in Figure 2.2. First, let’s discuss the supplier connectivity problem and present
a solution based on IBM’s WCBE for connectivity of suppliers to diverse procurement
systems. Second, a discussion of marketplace connectivity takes place, as well as a
presentation of a solution based on IBM’s WebSphere Commerce Suite and Marketplace
Edition (WCS MPE) for connectivity of marketplaces to diverse procurement systems
and diverse supplier systems.

Most procurement systems and private marketplaces support the notion of punchout
(albeit sometimes using a different term, such as RoundTrip, used by Commerce One). A
buyer at a procurement system or marketplace selects a remote supplier, and the buyer is
automatically logged on to the supplier catalog server and presented with a catalog
customized for the buyer’s organization, with prenegotiated prices. The buyer shops at the
site, and the items selected for purchase are stored in a shopping cart. On checkout, the
shopping cart contents are sent back to the buyer’s procurement system for approval. The
procurement system provides workflow for approvals and, on approval, a purchase order
is sent from the procurement system to the supplier. Additional messages may be
exchanged between the supplier and the procurement system, such as shipping notices
and invoices. By having punchout capability, suppliers and marketplaces can interoperate
with procurement systems or marketplaces, with significant benefits to both suppliers and

Note Details of the punchout flow are provided later in the chapter.

For example, IBM’s WCBE is a solution for the business-to-consumer trade, whereas
WCS MPE supports the private trading exchange customers. Customers can connect to
the WCBE Web site, browse through the catalog, and place orders. In the case of WCS
MPE, customers have the benefit of working with various trading mechanisms, such as
request for quotations (RFQs), auctions, reverse auctions, and exchanges. It is especially
useful, given the emerging trends in the industry, that the WebSphere Commerce products
have punchout capability and can interoperate with buyers’ procurement systems and

Although WCS MPE supports aggregation of suppliers’ catalogs, certain suppliers may
have enormous catalogs and their systems may include complex configuration tools.
Often, it is not feasible to offload supplier catalogs into external marketplaces. Thus,
suppliers often have their supply-side Web sites enabled for punchout, and expect WCS
MPE to initiate punchout to the supplier Web site.

Catalog aggregation in the current WCS MPE product is done using the WebSphere
Catalog Manager (WCM) product. WCM supports the loading of catalog data into an
electronic marketplace (eMP) database, transforming catalog data from ASCII,
spreadsheet, and XML formats into a canonical XML format, and extracting catalog data
from any relational database. More enhancements to support industrial catalogs are
planned for future versions of WCM.

Many large corporations have relatively independent subsidiaries and are classic
examples of customers that require support for both receiving punchout requests and
initiating punchout requests. Such corporations often have aggregated supplier catalogs
across their subsidiaries, so their customers see a unified company-wide catalog and
require support for receiving punchout requests from the buyers’ procurement systems to
the aggregated catalog. They also require punchout initiation functionality to connect
from their aggregated-catalog server to individual catalogs supported by their

Punchout from Procurement Systems to WCBE and WCS MPE

For example, IBM’s Commerce Integrator is a generic framework that enables WCBE
and WCS MPE to handle business-to-business transactions using industry standard
protocols. It offers customers the opportunity to integrate their systems with the
procurement system’s own network of high-volume buyers. Commerce Integrator
provides an integrated, scalable system that enables suppliers with WCBE to participate
as a supplier in the procurement system’s marketplace, to increase sales and to enhance
their business-to-business presence on the Web. Specifically:

• Suppliers maintain a single catalog within WCBE and use that catalog to enable
their own Web presence as well as to participate in the procurement system’s
• Suppliers can take advantage of WCBE connectivity to supply chain management
systems, retail business systems, and order management backend systems to
automatically flow orders from the buyer’s procurement system.
• Suppliers can take advantage of the updated business-to-business features of the
WCBE product for using and maintaining information about buyer organizations,
buyer-specific catalogs and price lists, and contract pricing.

Figure 2.3 illustrates a high-level view of a typical punchout flow in which WCBE
interoperates with an e-procurement system, which includes the following steps[1]:

1. An agent in the buyer organization logs on to the procurement system using the
user ID (identifier) and password, and then selects an external catalog. The
procurement system authenticates the buyer agent.
2. The procurement system constructs a request to access the external supplier
catalog using a user ID and other buyer organization credentials.
3. The Member Subsystem of Commerce Integrator authenticates the buyer agent
against the buyer organization data stored in the WCBE database. If successful,
the buyer agent is presented with a catalog customized for the buyer organization.
4. The buyer agent browses the catalog in the WCBE database while a shopping cart
is created. On checkout, the shopping cart is submitted to WCBE, and a quote is
recorded in the database.
5. Commerce Integrator picks up the quote from WCBE.
6. Commerce Integrator sends the quote to the buyer in the format required by the
buyer’s procurement system. An authorized agent for the buyer is prompted for
acceptance of the quote.
7. The authorized agent approves the quote. An order from the procurement system
is sent to Commerce Integrator.
8. Commerce Integrator forwards the order to WCBE[1].

Further messages, such as advance shipment notices and invoices (not shown in Figure
2.3) are sent from WCBE to the procurement system.

Although the punchout flow is similar for most procurement systems, the message format
is different for different procurement systems. For example, Ariba uses cXML messages,
mySAP uses HTML form name-value pairs (OCI), Metiom uses the OBI electronic data
interchange (EDI) message formats, and Commerce One uses xCBL message formats.
There are also some differences between the flows, as discussed later in this chapter under
the B2B protocol exchange. To handle these differences, Commerce Integrator includes
some protocol-specific functions, in addition to functions common to all protocols. As
shown in Figure 2.4, incoming messages are handled by a common servlet, which
identifies the protocol and calls protocol-specific functions that map the message to a
common internal format[1]. Then, WCBE commands, shared by all punchout protocols,
are invoked. Responses are converted from the common format into protocol-specific
formats by Commerce Integrator.

Figure 2.4 also shows a B2B gateway. The function of the B2B gateway is to provide a
means of connecting remote trading partners over the Internet, each using its protocol of
choice. Clearly, this functionality facilitates the integration of interenterprise business
processes. Although the B2B gateway may support additional functions, such as business
process management, audit trails, and intraenterprise connectivity, it is beyond the scope
of this chapter to elaborate further on these functions.

The protocol associated with an incoming message is identified by the URL to which the
request is sent. The use of a single servlet for all requests should have no negative
performance impact, because the servlet engine launches a new thread for each request.
Performance bottlenecks would only be caused by undue contention for shared resources.
Were such contention present, it would impact multiple servlets in the same manner as a
single servlet. Because the servlet is merely the entry point for requests that quickly fan
out to different parts of the server, it is unlikely that the degradation of reliability from the
use of a single servlet would be significant.

There are two scenarios of interest: one in which there is no separate B2B gateway and
one in which there is a gateway present. When there is no B2B gateway, protocol-specific
requests are sent to Commerce Integrator, and appropriate commands are invoked. If a
B2B gateway is present, the incoming requests are mapped into a common canonical
format, and then Commerce Integrator invokes appropriate WCBE commands. Thus,
there is a synergistic relation between WCBE/Commerce Integrator and the gateway.
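The common-servlet dispatch described above, as an added example (illustrative code written for this page, not WCBE or Commerce Integrator source): the request URL selects a protocol-specific mapper, the mapper produces a common login object, one shared command authenticates the buyer organization and opens a catalog session, and the response is converted back into the caller's format. The endpoint paths, the buyer table, the supplier URL and the simplified cXML and OCI message shapes are assumptions made for the example.

```python
"""Added example in the style the text describes for Commerce Integrator: one
entry point for every punchout protocol.  Illustrative code written for this
page, not WCBE or Commerce Integrator source.  Endpoint paths, the buyer
table and the message shapes are simplified assumptions, not the real schemas."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

# Constructed buyer-organization table standing in for the WCBE database.
BUYER_ORGS = {"acme-procurement": {"password": "s3cret-demo", "catalog": "acme"}}
SESSIONS: dict[str, dict] = {}                      # opaque token -> session state
CATALOG_BASE = "https://supplier.example/catalog"   # assumed supplier catalog URL

@dataclass
class LoginRequest:
    """Common internal format that every protocol-specific mapper produces."""
    protocol: str
    organization: str
    password: str
    session_id: str      # buyer-side session id (the cXML BuyerCookie)
    postback_url: str    # where the finished cart must be posted (step 7)

def _text(node, path: str) -> str:
    value = node.findtext(path)
    if value is None:
        raise ValueError(f"missing element {path}")
    return value

# ---- protocol-specific inbound mappers (protocol -> common format) ----------
def parse_cxml_login(body: str) -> LoginRequest:
    # For XML from external partners use defusedxml rather than the stdlib
    # parser, so entity-expansion payloads are rejected before parsing.
    root = ET.fromstring(body)
    return LoginRequest(
        protocol="cxml",
        organization=_text(root, "./Header/Sender/Credential/Identity"),
        password=_text(root, "./Header/Sender/Credential/SharedSecret"),
        session_id=_text(root, "./Request/PunchOutSetupRequest/BuyerCookie"),
        postback_url=_text(root, "./Request/PunchOutSetupRequest/BrowserFormPost/URL"),
    )

def parse_oci_login(body: str) -> LoginRequest:
    # mySAP OCI sends HTML form name-value pairs (field names assumed here).
    form = {k: v[0] for k, v in parse_qs(body).items()}
    try:
        return LoginRequest("oci", form["USERNAME"], form["PASSWORD"],
                            form.get("SESSION", ""), form["HOOK_URL"])
    except KeyError as missing:
        raise ValueError(f"missing OCI field {missing}") from None

# ---- shared command (the same for every protocol) ----------------------------
def punchout_setup(login: LoginRequest) -> str:
    """Authenticate the buyer organization and open a catalog session."""
    org = BUYER_ORGS.get(login.organization)
    if org is None or not secrets.compare_digest(org["password"], login.password):
        raise PermissionError("buyer organization authentication failed")
    # Embed an opaque token, not user details: the catalog session is bound to
    # the authenticated organization on the server side.
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"organization": login.organization,
                       "buyer_session": login.session_id,
                       "postback_url": login.postback_url}
    return f"{CATALOG_BASE}/{org['catalog']}?session={token}"

# ---- protocol-specific outbound converters (common format -> protocol) ------
def to_cxml_response(url: str) -> str:
    return ('<cXML><Response><Status code="200" text="OK"/><PunchOutSetupResponse>'
            f"<StartPage><URL>{escape(url)}</URL></StartPage>"
            "</PunchOutSetupResponse></Response></cXML>")

def to_oci_response(url: str) -> str:
    # OCI expects the browser to be redirected to the catalog.
    return f"Location: {url}"

INBOUND = {"/punchout/cxml": parse_cxml_login, "/punchout/oci": parse_oci_login}
OUTBOUND = {"cxml": to_cxml_response, "oci": to_oci_response}

def handle_request(path: str, body: str) -> tuple[LoginRequest, str]:
    """Single entry point: the request URL identifies the protocol."""
    parser = INBOUND.get(path)
    if parser is None:
        raise ValueError(f"no punchout protocol registered for {path}")
    login = parser(body)
    catalog_url = punchout_setup(login)            # shared by all protocols
    return login, OUTBOUND[login.protocol](catalog_url)

def login_status(path: str, body: str) -> str:
    """Outcome label for one request: 'ok', 'auth-failed' or 'rejected'."""
    try:
        handle_request(path, body)
        return "ok"
    except PermissionError:
        return "auth-failed"
    except ValueError:
        return "rejected"

# ---- constructed sample messages --------------------------------------------
CXML_LOGIN = """<cXML payloadID="demo-1" timestamp="2002-01-01T00:00:00">
 <Header><Sender><Credential domain="NetworkId">
   <Identity>acme-procurement</Identity><SharedSecret>s3cret-demo</SharedSecret>
 </Credential></Sender></Header>
 <Request><PunchOutSetupRequest operation="create">
   <BuyerCookie>cookie-42</BuyerCookie>
   <BrowserFormPost><URL>https://procure.acme.example/postback</URL></BrowserFormPost>
 </PunchOutSetupRequest></Request></cXML>"""
OCI_LOGIN = ("USERNAME=acme-procurement&PASSWORD=s3cret-demo"
             "&HOOK_URL=https%3A%2F%2Fprocure.acme.example%2Fhook")
```

Authentication lives in the shared command rather than in each protocol mapper, so registering a new protocol cannot bypass it, and the token embedded in the returned catalog URL is opaque and bound server-side to the authenticated organization, so the redirect in step 4 carries no credentials.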

Punchout from WCBE and WCS MPE to External Suppliers

A traditional electronic marketplace (eMP) or a private trading exchange (PTX), such as
IBM WCS MPE, provides various trading mechanisms: RFQs, contract-based buying,
fixed-price buying, auctions, exchange, and so forth. It also provides support for
aggregated catalogs. Both buyers and sellers begin by using the catalog to select a
product to buy or to sell. When sellers offer products for sale, they specify the method of
purchase to be used: RFQ, contracted price, fixed price, auction, or exchange. Buyers
must purchase products using the method specified by the seller (with the exception of
RFQ, which they can initiate).

Aggregating the catalog at the eMP site has two advantages: it makes a parametric
search across suppliers possible, and it enables small businesses that lack the
infrastructure to host catalogs to engage in e-commerce. However, aggregating
catalogs has its own limitations, including:

• It does not preserve each supplier’s unique brand and Web site design (it requires
direct links to the supplier’s Web pages).
• It supports only static content rather than promoting dynamic, up-to-date
• It provides limited support for suppliers with very large catalogs.
• It provides no support for product configurators (needed for complex products).
• It provides limited support for suppliers with fast changing catalogs or pricing[1].

Thus, in situations in which there is a need for product configurators, or if the catalog
contains fast changing products and prices, the suppliers have to maintain catalogs at
their own sites and not aggregate the catalog onto an eMP. In the common eMP approach,
a buyer has access to only the sellers who participate in the marketplace with which the
buyer is registered. Similarly, a seller cannot sell goods and services in a marketplace
different from the one with which the seller is registered. Now, let’s look at a mechanism
called punchout, in which a buyer in a private marketplace can “punch out” to a remote
supplier to buy fixed-price and contract price offerings.

Figure 2.5 shows the flow for setting up a punchout process (steps 1 to 7) from a
procurement system (or marketplace) to a supplier site; for example, a WCBE site[1].
Remote suppliers are listed at the procurement system. They may provide their entire
catalog remotely using punchout. Alternatively, a supplier may provide a local catalog at
the procurement site, with links for specific functions or details. For example, a supplier
may use punchout for system configuration, or for parts of the supplier catalog that may
change frequently. As shown in Figure 2.5, after selecting a remote supplier for initial or
further shopping (step 1), a login request (step 2) is sent to the remote supplier as an
XML document, encapsulating the user and organization credentials as well as a URL for
postback to the procurement system (used at step 7, as shown in Figure 2.5). The remote
supplier authenticates this request and returns a URL (step 3) with embedded user
information. The client’s browser is redirected (step 4) to this URL, allowing the buyer to
directly shop (step 5) at that remote site using the appropriate catalog for the buyer’s
organization. At the end of the shopping session, a quote representing the shopping cart is
sent back to the client (step 6) and posted back to the procurement system (step 7) at the
postback URL referred to previously.

After the purchase request (in XML format) is received back at the procurement system
(step 7), it is parsed and added to the buyer’s requisition. The buyer then submits the
requisition for approval. After submission, the buyer can then view the submitted
requisition and its status, and modify the requisition, if so desired.

Note: The buyer may punch out to multiple suppliers and add the contents of those
shopping carts to his or her requisition.

Subsequently, the approver views the submitted requisitions and, optionally, may punch
out to the supplier to view details of the requisition. The approver can modify the
requisition, if so desired. If the approver rejects the requisition, the status is so indicated,
and can be viewed by the buyer. If the requisition is approved, it is converted into one or
more purchase orders (POs), and is sent to the supplier(s). The PO is sent as an XML
document, in the format required by the supplier. If the remote supplier’s system is based
on WCBE, the PO is formatted in a common canonical format. Also, if it is an Ariba-
compliant supplier, it is formatted in cXML. And, if the format is different, a B2B
protocol exchange can be used to convert the PO to the desired format and protocol.
When the remote supplier acknowledges the receipt of the PO, the state of the order at the
procurement system is updated. Subsequently, additional messages may be sent by the
supplier to the procurement system to indicate further events, such as issuing an advance
shipping notice.

Marketplace Connectivity for Asynchronous Processes

As illustrated in Figure 2.6, IBM’s WCS MPE provides different trading mechanisms,
such as fixed-price buying, contract-based buying, RFQs, auctions, and exchanges[1].
Also, the punchout mechanism can be used for remote supplier integration when dealing
with fixed and contract pricing. However, the more advanced trading mechanisms,
including RFQs, auctions, and exchanges, cannot be supported by the basic punchout
mechanism. This is because the flows between WCS MPE and the remote suppliers for
fixed and contract pricing are synchronous, and occur during a real-time session with the
buyer, thus making them amenable to the online punchout process. RFQs, auctions, and
exchanges involve asynchronous interactions between WCS MPE and the supplier. Next,
let’s look at how such asynchronous processes are handled. RFQs are used as a typical
example. Similar flows and XML document interchanges can be used for other
asynchronous trading mechanisms.

In WCS MPE, an RFQ is a trading mechanism used when a buying organization attempts
to obtain a special price for a purchase, or when a buying organization cannot find an
acceptable offering in the eMP aggregated catalog that meets its needs. The RFQ may be
issued in order to obtain a special price based on quantity for well-defined items or for a
group of items. The RFQ may also be issued for unique items based on the buyer’s
description. The request is sent to one or more selling organizations, and these may
submit a bid on the RFQ. The selling organizations respond to the RFQ and the buying
organization may select one or more winning responses. The result of the RFQ process
could be an order placed by the buyer or a contract could be created for the negotiated
price. Figure 2.7 shows this process flow in WCS MPE[1].

Now, let’s look at two different mechanisms for extending the RFQ process to a
distributed environment. The first mechanism, referred to as “local RFQ,” exploits the
advantages of aggregating the catalogs at the eMP site, while distributing only the RFQ
process. The second mechanism, which is referred to as “remote RFQ,” allows buyers to
connect to a remote WCBE at a supplier or a remote WCS MPE and issue an RFQ.

For local RFQs, the catalog is hosted at the WCS MPE site where the buyer is registered.
Figure 2.8 shows the process flow for this configuration[1]. The configuration includes the
following parties:
• One or more buyers
• An eMP where the buyers are registered
• One or more remote eMPs
• One or more sellers registered on the remote eMP[1]

The flow starts with the buyer browsing the catalog on the eMP and creating an RFQ.
The RFQ is sent as an XML message to the remote eMP. Upon receiving the RFQ, the
remote eMP notifies the target sellers. Each seller views the RFQ and creates a response
for it. The asynchronous responses are then sent to the eMP as XML messages. The buyer
can check the status of the RFQ at any time. The buyer views the RFQ responses by
logging on to the eMP, evaluates them, and selects a winner. Selecting a winner leads
either to a purchase order or a negotiated contract. The order or the contract is then sent
to the remote eMP or remote seller as an XML message. This solution has the advantages
of an aggregated catalog and allows buyers on one eMP access to sellers on a remote
eMP, and vice versa. It has, however, the previously mentioned limitations of aggregated

For remote RFQs, the catalog is hosted either on the remote eMP where the seller is
registered, or on the remote seller’s Web site. Figure 2.9 shows the process flow for this
configuration[1]. This configuration also involves four parties. The flow starts with the
buyer selecting on the local eMP a registered remote eMP or a remote seller. The eMP
connects the buyer to the remote eMP site. The buyer browses the catalog on the remote
eMP and creates an RFQ template. The RFQ template is then sent as an XML message to
the eMP. The RFQ template received from the remote eMP is converted into RFQ by
providing additional information. It can then be optionally submitted for approval.
Finally, it is sent to the remote eMP or remote seller as an XML message. The remote
eMP notifies the target sellers. The sellers view the RFQ and create responses for it. The
responses are then sent to the local eMP as XML messages. The buyer views the RFQ
responses by logging on to the eMP, evaluates them, and selects a winner. Selecting a
winner leads either to an order or to a negotiated contract. The order or the contract is
then sent to the remote eMP or remote seller as an XML message.

This solution overcomes the limitations of aggregated catalogs for such asynchronous
trading mechanisms, and allows buyers on one eMP access to sellers on a remote eMP,
and vice versa. This comes at the price of losing the advantages of aggregated catalogs.

Connectivity Using a B2B Protocol Exchange

As previously mentioned, some suppliers participating in a private marketplace prefer to
keep the catalog contents to themselves and not participate in an aggregated catalog
hosted by the marketplace. As B2B connectivity becomes increasingly popular, the
number of protocols for engaging in B2B transactions continues to grow. Given this
growing “babelization,” it is likely that businesses and marketplaces that need to
communicate will be using different protocols. For example, IBM built the B2B/M2M
Protocol Exchange, a prototype capable of converting between different protocols.

Now, let’s look at how the exchange could be used to enable punchout between a buyer
and a supplier using different protocols. Although this example is limited to punchout, the
protocol exchange can cover many other common B2B interactions, such as shopping
cart processing and order processing.

Suppliers participating in a marketplace may have catalog systems already in place
supporting existing standard or proprietary formats. These formats may vary from
supplier to supplier. Thus, Supplier A may support cXML punchout messages, Supplier B
may support OCI punchout messages, and Supplier C may support some other format.
The marketplace punchout function must send punchout messages in the format and
protocol that a specific supplier is capable of processing. The B2B protocol exchange is a
tool that allows suppliers to interact with buyers whose protocols would otherwise be

Unlike some kinds of protocol conversions, most B2B protocol conversions cannot be
achieved in a stateless manner, that is, in a manner in which the protocol converter has no
knowledge of prior events or message exchanges. This is because many of the protocols
refer to the session state or to prior messages. In other words, a B2B protocol involves
not only message formats, but also message flow and the state of the interchange process
between business partners. Thus, session state management is required along with
message format translation.

A block diagram of a typical environment is shown in Figure 2.10[1]. In this illustration,
Buyer 1 and Supplier 1 use protocol A, whereas Buyer 2 and Supplier 2 use protocol B.
Information exchange between Buyer 1 and Supplier 2, or between Buyer 2 and Supplier
1, requires the use of the protocol exchange. The presence of the exchange is transparent
to buyers as well as suppliers. When Buyer 1 and Supplier 2 are interoperating, Supplier
2 appears to Buyer 1 to be a protocol A supplier, and Buyer 1 appears to Supplier 2 to be
a protocol B buyer.

Now, let’s look in some detail at a punchout operation such as an Ariba cXML punchout
between a buyer and a supplier that use the same protocol. The data flow is illustrated in
Figure 2.5, shown earlier. The numerals refer to the process steps described here. To
purchase from a network catalog, the buyer typically uses a browser to interact (step 1)
with the procurement system, and through the procurement system, establishes a
connection to a network catalog hosted on the supplier’s behalf. The procurement system
thus sends a login request (step 2; a cXML PunchOutSetupRequest) to the supplier
system. The login request contains the credentials (userid/password) of the procurement
system, a session identifier (<BuyerCookie> in cXML), and the postback URL, which is
the HTTP URL at which the procurement system accepts the completed purchase
requests (in step 7). The supplier system authenticates the request and responds (step 3)
with the URL for accessing the network catalog (in a cXML PunchOutSetupResponse).
The procurement system then redirects the browser to the network catalog URL (step 4),
and the buyer connects directly to the network catalog system (step 5) bypassing the
procurement system.

As previously described in some detail, the punchout operation illustrated in Figure 2.5
(between a buyer and a supplier) uses the same protocol. In the event the buyer and
supplier use different protocols, they will be unable to support a punchout interoperation
unless some mechanism such as the protocol exchange is used. The data flow is shown in
Figure 2.11[1].

When using a protocol exchange for this mapping, the procurement system is configured
to treat the exchange as the supplier system. The initial login request (step 2a in Figure
2.11) is sent to the exchange rather than the target supplier system. The processing
required at the exchange at this point may be fairly involved. Typically, the protocol
conversion involves two different authentication domains (the source protocol and the
target protocol). The exchange must validate the incoming credentials and generate the
outgoing credentials for the target protocol domain. In addition, the incoming request
typically has an associated session ID (BuyerCookie), which must be recorded and
mapped to an equivalent session ID in the target protocol. Also, the postback URL must
be saved, and the URL of the exchange must be substituted in the outgoing message.
Finally, the target supplier system must be identified, and the converted request must be
passed as a new login request (step 2b) to the target supplier system.

When the login response (step 3a) is received by the exchange, the response is converted
into a protocol A response by the exchange and is returned to the procurement system
(step 3b). The procurement system redirects (step 4) the browser to the network catalog
site, and the shopping session (step 5) takes place directly between the buyer’s browser
and the network catalog site. At checkout time, the browser accepts the contents of the
shopping cart in protocol B format (step 6), and sends it to the exchange (step 7a) rather
than to the procurement system, due to the substitution of the exchange URL for the
procurement system URL in the protocol A login response. In order to process the
checkout, the exchange creates a new checkout page, with the shopping cart converted
into the protocol A format, and returns this page to the buyer’s browser (step 7b). The
target URL of the “checkout” button on this page is the postback URL of the procurement
system, which was saved during the translation of the login request in step 2a. The buyer
is instructed to perform a second checkout operation (step 7c), which causes the purchase
request to be submitted to the procurement system for approval. The second checkout
may be hidden from the user by using scripting (JavaScript) in the HTML page generated
by the exchange.

This particular punchout description is one example of how the exchange flows might
operate. Specific protocol flows will vary in the exact details. The protocol exchange
runtime is constructed from a set of common protocol objects (Login, ShoppingCart,
Order), with plugins for specific functions of the various protocols. For example, the
mySAP inbound logon plugin accepts a mySAP logon request and converts it to an
internal logon object. The cXML outbound logon plugin converts the logon object into a
cXML PunchOutSetup Request. The various shopping cart plugins convert shopping
carts in different protocols into a common ShoppingCart object. The exchange also
contains code to map between credential domains (from Ariba Network IDs to mySAP
OCI userid/password). Finally, there is a state management framework to maintain the
state of a session and keep track of message content (such as the postback URL), which
must be extracted from one message, temporarily saved, and replaced in a subsequent

The B2B interaction between two parties is defined within the protocol exchange as a
series of plugin transformations to be performed. One plugin accepts a message and turns
it into a common object. A subsequent plugin takes the object and issues it as a message
in a different protocol. There is no implicit assumption, for example, that a cXML
punchout to a supplier will result in the supplier returning the shopping cart in cXML
format, or that a shopping cart returned in cXML format is to be followed by an order to
the supplier in cXML.
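The exchange flow of steps 2a through 7b, together with the plugin and state-management structure just described, as an added example (illustrative code written for this page, not IBM's B2B/M2M Protocol Exchange): a cXML buyer punches out through the exchange to a mySAP OCI supplier. Messages are dicts standing in for parsed documents; the field names, the credential table and the host names are constructed assumptions. The example goes slightly beyond the text in two defensive checks a practitioner would want at the exchange: the saved postback URL must belong to a configured procurement system, and an exchange session is consumed by its first checkout.

```python
"""Added example, not IBM's B2B/M2M Protocol Exchange code: a stateful punchout
exchange through which a cXML (protocol A) buyer reaches a mySAP OCI
(protocol B) supplier.  Messages are dicts standing in for parsed documents;
field names, credentials and host names are constructed assumptions."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Login:            # common object shared by all login plugins
    buyer_id: str
    session_id: str
    postback_url: str

@dataclass
class ShoppingCart:     # common object shared by all cart plugins
    session_id: str
    items: list = field(default_factory=list)   # (part_id, quantity, unit_price)

# Credential-domain mapping (constructed): the cXML shared secret to verify on
# the way in and the OCI user/password to present to the supplier on the way out.
BUYER_CREDENTIALS = {
    "AN-DEMO-BUYER": {"shared_secret": "demo-secret",
                      "oci": ("acme-oci", "oci-demo-pw")},
}

# ---- plugins: protocol message <-> common object (field names assumed) ------
def cxml_login_in(m: dict) -> Login:
    return Login(m["NetworkId"], m["BuyerCookie"], m["BrowserFormPost"])

def oci_login_out(login: Login, creds: tuple) -> dict:
    return {"USERNAME": creds[0], "PASSWORD": creds[1],
            "HOOK_URL": login.postback_url}

def oci_cart_in(m: dict) -> ShoppingCart:
    cart, i = ShoppingCart(session_id=""), 1
    while f"NEW_ITEM-VENDORMAT[{i}]" in m:      # OCI carts are indexed name-value pairs
        cart.items.append((m[f"NEW_ITEM-VENDORMAT[{i}]"],
                           int(m[f"NEW_ITEM-QUANTITY[{i}]"]),
                           float(m[f"NEW_ITEM-PRICE[{i}]"])))
        i += 1
    return cart

def cxml_cart_out(cart: ShoppingCart) -> dict:
    return {"BuyerCookie": cart.session_id,
            "ItemIn": [{"SupplierPartID": p, "quantity": q, "UnitPrice": u}
                       for p, q, u in cart.items]}

class ProtocolExchange:
    """Carries the per-session state that a stateless converter could not."""
    def __init__(self, exchange_url: str, procurement_hosts: list[str]):
        self.exchange_url = exchange_url
        self.procurement_hosts = set(procurement_hosts)
        self.sessions: dict[str, dict] = {}   # exchange session id -> saved state

    def login(self, cxml_msg: dict) -> dict:
        """Step 2a -> 2b: check protocol A credentials, save the BuyerCookie and
        postback URL, substitute the exchange's own URL, emit a protocol B logon."""
        login = cxml_login_in(cxml_msg)
        entry = BUYER_CREDENTIALS.get(login.buyer_id)
        if entry is None or not secrets.compare_digest(entry["shared_secret"],
                                                       cxml_msg["SharedSecret"]):
            raise PermissionError("protocol A credentials rejected")
        host = urlsplit(login.postback_url).hostname or ""
        if host not in self.procurement_hosts:   # only post carts to known buyers
            raise ValueError(f"postback host {host!r} is not a configured procurement system")
        ex_id = secrets.token_urlsafe(12)        # session id the supplier side sees
        self.sessions[ex_id] = {"buyer_cookie": login.session_id,
                                "postback_url": login.postback_url}
        outgoing = Login(login.buyer_id, ex_id, f"{self.exchange_url}/checkout/{ex_id}")
        return oci_login_out(outgoing, entry["oci"])

    def login_response(self, catalog_url: str) -> dict:
        """Step 3a -> 3b: OCI answers with a redirect target; cXML wants StartPage."""
        return {"PunchOutSetupResponse": {"StartPage": catalog_url}}

    def checkout(self, ex_id: str, oci_cart: dict) -> tuple[str, dict]:
        """Step 7a -> 7b: convert the protocol B cart and return the saved postback
        URL, so the generated page can re-submit the cart to the procurement system."""
        state = self.sessions.pop(ex_id, None)   # single use: a replay finds no state
        if state is None:
            raise KeyError("unknown or already-consumed exchange session")
        cart = oci_cart_in(oci_cart)
        cart.session_id = state["buyer_cookie"]  # hand the buyer back its own id
        return state["postback_url"], cxml_cart_out(cart)

# ---- constructed sample exchange --------------------------------------------
CXML_LOGIN = {"NetworkId": "AN-DEMO-BUYER", "SharedSecret": "demo-secret",
              "BuyerCookie": "cookie-42",
              "BrowserFormPost": "https://procure.acme.example/postback"}
OCI_CART = {"NEW_ITEM-VENDORMAT[1]": "SKU-100", "NEW_ITEM-QUANTITY[1]": "3",
            "NEW_ITEM-PRICE[1]": "19.90"}

def run_demo() -> dict:
    ex = ProtocolExchange("https://exchange.example", ["procure.acme.example"])
    oci_login = ex.login(CXML_LOGIN)
    ex_id = oci_login["HOOK_URL"].rsplit("/", 1)[1]
    postback, cxml_cart = ex.checkout(ex_id, OCI_CART)
    try:                                         # a second post on the same session
        ex.checkout(ex_id, OCI_CART)
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    try:                                         # postback to an unconfigured host
        ex.login({**CXML_LOGIN, "BrowserFormPost": "https://unknown.example/x"})
        bad_host_rejected = False
    except ValueError:
        bad_host_rejected = True
    return {"oci_login": oci_login, "postback": postback, "cxml_cart": cxml_cart,
            "replay_rejected": replay_rejected, "bad_host_rejected": bad_host_rejected}
```

The session table is what makes the exchange stateful: the BuyerCookie and postback URL are captured at login, the supplier sees only the exchange-generated id, and both are restored at checkout. Because the exchange is the party that ultimately decides where a cart is posted, restricting the saved postback URL to configured procurement hosts keeps a malformed login from turning the exchange into a relay to arbitrary sites.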

This flexibility is necessary to accommodate some of the interactions that are common
today. As an example, the SAP Open Catalog Interface allows the shopping cart to be
returned in either XML or HTML, depending on the configuration of the buyer’s
procurement system. Some of the private buyer and supplier marketplaces are
implemented using combinations of different protocols. A supplier might expect an OBI
logon from which it might return a cXML shopping cart to the purchasing system. And,
the subsequent order may have to be transmitted in EDI, because the supplier’s EDI order
processing system was in place, running over a value added network long before the
supplier had implemented any B2B interactions over the Internet.

Finally, it is hoped the various electronic commerce dialects will someday coalesce into a
smaller and more concise set. But until then, it seems that something like a B2B protocol
exchange will be required to bridge the communication gap between prospective trading

[1] Dias, D. M., Palmer, S. L., Rayfield, J. T., Shaikh, H. H., and Sreeram, T. K.,
“E-Commerce Interoperability with IBM’s WebSphere Commerce Products,” IBM Systems
Journal, © 2002 IBM Corporation, 1133 Westchester Avenue, White Plains, New York
10604, United States (2002): pp. 272-286.
[2] Ferguson, Renee Boucher, “E-Sourcing Apps Lead to Time Well-Spent,” eWeek, ©
2003 Ziff Davis Media Inc., 28 East 28th Street, New York, New York 10016-7930
(March 2002): p. 18.

The best way to encourage future growth of the global information economy is to learn
from the past. Centers of e-commerce technology activity continue to emerge around the
world: the original Silicon Valley in California, joined by Silicon Alley in New York City,
Silicon Forest in Seattle, or even Silicon Dominion in the State of Virginia, is mirrored by
the emergence of Silicon Glen in Scotland and Silicon Plain in Finland. Other
concentrations of expertise, equipment, and infrastructure include the Research Triangle
in North Carolina, the Route 128 Corridor in Massachusetts, the Intelligent Island in
Singapore, and the Multimedia Super Corridor in Malaysia.

Some of these centers developed naturally; others were created and fostered by
governments that provided financing, tax relief (for imported equipment or income
earned), open immigration for “knowledge workers,” and telecommunications
infrastructure. Each of these centers embraced the fact that collecting industry experience
and expertise in a specific area promotes “critical mass” and synergies, thus fostering
faster e-commerce technological development in that region’s economy.

The same can hold true with regard to users. The world’s population exceeds six billion
people, yet only 900 million telephone lines exist. Many of the world’s
citizens have never made a telephone call, let alone used the Internet. How can this be

The United Nations Educational Scientific and Cultural Organization (UNESCO) offers
one approach to this problem. UNESCO suggests the establishment of public access
communication and information services, known as Telecentres. These centers are being
developed across Africa, either as standalone facilities or by adding PCs to schools,
libraries, police stations, and clinics.

Private Telecentres and telekiosks have been established in Ghana, Kenya, and Senegal,
among other countries. Built on the principle that sharing the expense of equipment,
skills development, and access among a large group helps to cut costs and make
information services viable in remote areas, UNESCO has helped foster these technology
hubs across the continent of Africa. It has even developed a “Community Telecentre
Cookbook for Africa,” a how-to guide on establishing and operating Telecentres.

In addition to a general discussion of e-commerce technology, this chapter also covered
various business-to-business connectivity protocols between procurement systems,
private marketplaces, and suppliers. The chapter described how WCBE-based suppliers
and private marketplaces can connect to diverse procurement systems, other suppliers,
and external private marketplaces. Specifically, the chapter showed how WCBE-based
suppliers and WCS MPE-based marketplaces can connect to buyers at procurement
systems that use punchout, such as Ariba, Commerce One, and mySAP. The chapter then
described how a WCS MPE-based supplier or private marketplace could originate a
punchout process in order to connect to either an external supplier or another private

Next, the chapter outlined the types of trading mechanisms that can be supported by
existing punchout protocols and the asynchronous trading mechanisms, such as RFQs,
which require extensions to the punchout mechanisms. Although these mechanisms can
be used across WCS MPE-based suppliers and private marketplaces, such mechanisms
need to be standardized in order to enable them to connect to suppliers and marketplaces
provided by other vendors.

The chapter also described B2B/M2M Protocol Exchange, a tool that IBM has
implemented that can map between various protocols used by different procurement
systems. It allows a supplier using one protocol to connect to a procurement system or
private marketplace that uses a different protocol.

Finally, the WCBE-based Commerce Integrator, with support for B2B procurement
protocols as described earlier in the chapter, has been used to connect ibm.com, as a
supplier, to enterprises using diverse procurement systems and to private marketplaces.
Although this chapter focused on the external partner B2B protocols, a large part of the
integration effort for suppliers is the tie-in to internal processes, such as the processes to
handle purchase orders. Other complementary products, such as IBM’s WebSphere MQ
and WebSphere Business Integrator, are key to completing the picture for end-to-end

Chapter 3: Types of E-Business Models and Markets
“Do not quench your inspiration and your imagination; do not become the slave of your

—Vincent van Gogh (1853–1890)


In the past two years, e-business seems to have permeated every aspect of daily life. In
just a short time, both individuals and organizations have embraced Internet technologies
to enhance productivity, maximize convenience, and improve communications globally.
From banking to shopping to entertaining, the Internet has become integral to daily
activities. For example, just 23 years ago, most individuals went into a financial
institution and spoke with a human being to conduct regular banking transactions. Ten
years later, individuals began to embrace the ATM, which made banking
activities more convenient. Today, millions of individuals rely on online banking services
to complete a large percentage of their transactions.

The rapid growth and acceptance of Internet technologies has led some to wonder why
the e-business phenomenon did not occur decades ago. The short answer is: it was not
possible. In the past, the necessary infrastructure did not exist to support e-business. Most
businesses ran large mainframe computers with proprietary data formats. Even if it had
been achievable to transfer data from these large machines into homes, the home
computer was not yet a commodity, so there were few terminals outside of business to
receive information. As PCs became more popular, especially in the home, the ability to
conduct e-business was still restricted because of the infrastructure required to support it,
including backend customer and supplier interaction along with credit card processing

To set up an e-business even eight years ago would have required an individual
organization to assume the burden of developing the entire technology infrastructure, as
well as its own business and marketing strategies. Today, the challenge of e-business is
integration. There are industry-leading companies that have solved the difficult task of
developing individual Internet-based products and services that handle many of the issues
surrounding customer and supplier interactions. However, the ability to integrate these
technologies and services based on sound business and marketing strategies, operating on
a real-time basis, can be a monumental undertaking.

As e-business continues to be fueled by both organizations and consumers who have
access to the Internet from their homes and offices, the excitement grows and the
potential for success increases. But explosive growth of the Internet has also led to a
growing number of integration challenges for e-businesses of all sizes and types.

In phase one of building an e-business, companies scrambled to get an e-commerce Web
site up quickly. The operative word was “quickly,” because usually there was little or no
regard given to how scalable or reliable the site needed to be—or even how captivating
the content. It was just a matter of beating the competition. These first-to-market
consumer sites were rarely integrated with the manufacturing side of the business, which
was establishing its own Internet-based relationships with suppliers. This lack of
integration has proved to be a significant challenge for many organizations as the
customer base has grown, real-time order status has been requested, and products have
been returned.

In phase two of building an e-business, having an e-commerce site is now a commodity,
not a way to differentiate a business. Customer and supplier expectations are rising,
forcing organizations to start thinking about backend integration and real-time transaction
processing. Businesses must actually maintain complete customer and supplier
relationships using Internet-based technologies and tie those systems to the interpersonal
aspects of the business transaction when required. Organizations that realize the promise
of e-business are the ones that have begun to address the complete business cycle and are
leveraging Internet technologies.

It is no secret that today’s e-business has the potential to transform the business
landscape. Whereas in the past, a company’s business model was the primary
determination of its value, today, a company is valued on its strategy, business model, and
ability to market. With technology driving new competition, a Fortune 500 stalwart that
once seemed unstoppable is now challenged by a start-up that uses Internet technologies
and integrates its systems and processes more effectively. By capitalizing on a
sustained business proposition and correctly applying technology, these start-ups are able
to significantly reduce the barriers to entry while dramatically increasing their market
reach. For e-businesses, the premise “first to market equals first to success” is often the
case; however, the foundation needs to be laid carefully. A disciplined approach to
evaluating the business opportunity, and correctly assessing how a competitive advantage
may be gained using Internet technologies combined with leveraging the existing
investment, is key to a successful e-business. It is just such an approach that is defined as
the e-business model (see sidebar, “Defining the Real E-Business Models”).

Defining the Real E-Business Models

An e-business model is simply the approach a company takes to become a profitable
business on the Internet. There are many buzzwords that define aspects of electronic
business, and there are subgroups as well, such as content providers, auction sites, and
pure-play Internet retailers in the business-to-consumer space.

Many Internet firms witnessed a meteoric rise in their stock values in the late 1990s, only
to crash in 2000. For instance, Drkoop.com Inc. in Austin, Texas, announced its initial
public offering at $9 per share in June of 1999. The price rose to more than $30 per share,
but then plummeted to less than $1 per share.

Given the carnage among dot-com stocks recently, what type of online business models
are expected to succeed in the future? Businesses need to make more money than they
spend. The new model is the old model, but technology is essential to maintain a
competitive advantage, and cash flow is more important than ever.

For example, Yahoo Inc. in Santa Clara, California, has always operated a successful
portal site, providing content and an Internet search engine. However, many portal sites,
such as Go.com, MSN.com, and AltaVista.com, have fallen on hard times.

The idea behind portals is the same as that behind television advertising: aggregating
eyeballs and directing them toward advertisements. But, television viewers are passive,
and people need to wait through the ads to see the shows they want to watch.

However, the Web doesn’t work that way. Content presentation is not serial. Viewers are
active, not passive. There are always millions of places to go. No Web advertisement can
match a 20-second TV spot.

When First-to-Market Fails

Many of the failing companies were operating on a first-to-market strategy. Their hope
was that by getting their ideas out ahead of the market, consumers would develop brand
loyalty before competitors arrived.

For example, Priceline.com Inc. in Norwalk, Connecticut, is a good example of a
company that attempted this strategy, with its name-your-own-price scheme for buying
airline tickets and other goods. However, the closing of Priceline.com Inc.’s Greenwich,
Connecticut-based WebHouse Group licensee (which applied the same model to groceries
and gasoline), combined with increased competition from airlines and other travel sites,
led Wall Street to trade Priceline.com’s stock down to less than $3 per share in December
2000, from a high of $104.25 in March 2000.

First-to-market as a business model has always been risky. You are vulnerable because
you have nothing proprietary, need vast funding, and rely on rapid deployment.

So why did investors and venture capitalists get caught in such speculative and irrational
investments? Investors felt they were investing in technology, when they were really
investing in retailers and distributors. These companies have small profit margins. They
couldn’t justify their valuations in typical price/earnings ratios. When does it turn
profitable? Companies such as Amazon.com have yet to answer that.

One segment of the business-to-consumer world that’s thriving is niche markets. For
example, RedEnvelope Gifts Inc., which launched in 1997 as 911gifts.com, began as a
last-minute gift site, but now markets more than 5,000 items that are unique to the site.
Customers seem willing to pay a premium for RedEnvelope-edited selection and
enhanced customer service. The company has $70 million in sales, with a 57-point profit

There needs to be a quick path to profitability. And, the ultimate metric is margin. There
are three levers to achieving margin: edited selection, customer service, and inspirational

The B2B Way

Is the model buyer- or seller-centric? What is the driving force of the business?

The greatest strength of the Internet is its ability to bring together people, governments,
and businesses and facilitate the flow of information among them. This is one of the main
reasons why business models for business-to-business online marketplaces are expected
to succeed.

It’s clear that the Internet is a viable platform for B2B trade. According to Forrester
Research Inc. in Cambridge, Massachusetts, a projected $4.9 trillion in business-to-
business (B2B) transactions will be made online by 2004.

But private marketplaces being formed by industry leaders represent a more successful
model. These real-time supply chains and e-business design systems are phasing out the
more expensive and inflexible electronic data interchange networks.

The real surprise here is how hard it is to become profitable. The cost of branding
technology is so high that consumers still use a catalog. A Web site is just another

E-Business Models

The emerging e-business market affords companies of all sizes and types the opportunity
to leverage their existing assets, employees, technology infrastructure, and information to
gain or maintain marketshare. For example, in the telecommunications industry, service,
rather than technology, is now the key differentiator. With lower barriers to entry, new
competitors are rapidly entering the market offering new services, such as online bill
presentment and payment, and leveraging their unique digital assets.

Information technology research analysts agree that e-business is any net-enabled
business activity that transforms internal and external relationships to create value and
exploit market opportunities driven by new rules of the connected economy (see sidebar,
“Defining the Real E-Business Models”). However, today’s e-business requires more.
Industry analysts further point out that e-business involves the continuous optimization of
an organization’s value proposition and value-chain position through the adoption of
digital technology.

The challenge for an organization is to turn the vision and the market opportunity into a
viable business. Developing the marketing strategy and plans and designing and
deploying the business solution is key. Those who successfully architect, develop, and
deploy e-business solutions will need to formulate and adopt a comprehensive business
plan. Because of the critical role of Internet technologies and integration requirements,
organizations need a comprehensive planning framework—an actual e-business model.
This structured planning approach enables the organization to
assess, plan for, and implement the multiple aspects of an e-business.

Building an e-business (an integrated value chain) that leverages the Internet’s
communications capabilities is a complex undertaking. The complex integration
requirements of the business solutions, all performing at extremely high levels of
availability and scalability, require an e-business model architectural approach. The value
chain (comprised of the traditional supply chain management functions, planning,
procurement, and inventory management, coupled with the customer-facing functions,
typically referred to as customer relationship management) has integration and
performance demands that exceed the requirements seen in traditional businesses. In a
successful e-business, all of these areas are tightly integrated to provide an organization
the ability to quickly and efficiently sell, manufacture, and deliver products or services.

Furthermore, in a successful e-business, this value chain rests on a foundation that
leverages the organization’s existing core operational business systems, as well as meets
the new business-critical operational requirements for reliability, scalability, flexibility,
and 24 × 7 × 365 availability in a highly volatile, electronic marketplace. An e-business
model includes three essential elements (see Figure 3.1)[1]:

Figure 3.1: E-business model components.

• Solid strategies
• Knowledge management techniques applied to a company’s information and
intellectual assets
• Effective e-business processes typically grouped in the customer relationship
management (CRM), supply chain management (SCM), and core business
operations domains[1]

Solid Strategies

Strategy and execution are key to developing and sustaining a successful e-business.
Only those organizations that successfully integrate key business strategies and processes
dramatically increase their efficiencies. To be successful, organizations must also form
the right strategic relationships and develop efficient business processes with robust
backend solutions that are able to meet users’ demands for real-time service today and
into the future.

In the past, businesses had the luxury of developing business strategies in the boardroom
and IT strategies in the IT department. They then brought these strategies together to run
the overall business. E-businesses cannot afford this luxury. The ability to react and
change direction is critical. Speed is everything. Grounding the organization with sound,
winning strategies is key.

In the new economy’s competitive electronic environment, it is easier for an organization
to be global, but it is also harder to maintain consistency in the levels of services offered
around the world. E-businesses must be ready and able to adjust their business and IT
strategies rapidly, depending on unpredictable competitors and market pressures. Today’s
e-business climate requires the continuous optimization of an organization’s business and
IT strategies. Because IT now has such a significant impact on every business process
(from order taking to inventory to billing), both business and IT strategies are now
developed in parallel.

The best example of this is Dell Computer. From the start, the company’s business
strategy was tightly aligned with its IT strategy, allowing Dell to successfully integrate
every aspect of its business (from order taking to inventory to billing) with both its
customers and suppliers. Dell vaulted to the forefront of its industry when it came to
market with a winning strategy, the unique just-in-time-delivery model. Unlike traditional
computer suppliers, Dell’s business strategy was founded on the premise of zero

Similarly, online brokerage companies have been leaders in the area of integrating IT and
business strategies. The rapid adoption of Internet technologies combined with market
globalization, industry deregulation, and media convergence has afforded these
companies the opportunity to gain share and create value in the e-business marketplace.

Turning an organization’s intellectual assets into knowledge is a key business
differentiator. In addition to a continually optimized business strategy, successful e-
businesses must establish solid knowledge management practices. Knowledge
management is the definitive way to leverage an organization’s information and
intellectual assets for business advantage. It is the formalized, integrated approach that
every organization must take to “know” its business.

Knowledge Management Techniques

Every business has both tacit and explicit knowledge about what is “known” in the
company: tacit knowledge is undocumented, and explicit knowledge is documented. This knowledge may include
information about products and services or information about how the company works
with a particular supplier. No matter what type of knowledge an e-business has, the
company must put into place processes for organizing that knowledge.

Knowledge management includes managing intellectual capital, such as best practices,
critical business processes, and operating metrics. Establishing ongoing processes for
acquiring, organizing, and distributing this knowledge about customers, products, and
processes is critical to success. The business domains, CRM, SCM, and core business
operations, are dependent on this information and these intellectual assets.

Effective E-Business Processes

In every successful e-business, the business process domains (CRM, SCM, and core
business operations) are an integral part of the continuous optimization process. The
advantage and, thus, the return on investment for an e-business integrating its business
process domains is that it extends the organization’s business directly to customers and

When business process domains are integrated, they can increase productivity and
improve customer and supplier satisfaction. For example, when a repeat customer views a
successful e-business’s Web site, an integrated CRM system presents that individual with
offers or items of interest based on previous orders. After the customer places an order,
this same e-business allows that individual to view the status of his order in real time as it
moves through the supply chain.

Business process domains are aggregations of core business processes. As business
process domains gain popularity as entities in their own right (CRM, SCM, and core
business operations), each commands mind-share in the marketplace, and each has
attracted various vendors and products to support it. These domains must operate
together as a key component of the overall e-business strategy (see Figure 3.2)[1].
In a successful e-business, convergence is the driving connection of all of the business
process domains. When a customer or a supplier sees no barrier between departments,
the business process domains are tightly integrated with the business and IT
Customer Relationship Management

Customer relationships are becoming a more important factor in differentiating one
business from another. In order to stay competitive, e-businesses in every industry have
begun to analyze these relationships with customers using CRM solutions.

In the past, customers would place an order via the telephone and wait until the
company’s purchasing department processed and shipped the order. Today’s customers
place an order electronically and then demand to be able to check the status of their order
within minutes.

CRM enables an organization to adopt a comprehensive view of the customer and
maximize this relationship. These CRM systems enable a business to identify, attract,
retain, and support customs centers, direct mail, and retail facilities. In an efficient e-
business, there are CRM processes in place to handle:

Analytical CRM: The analysis of data created on the operational side of the CRM
equation for the purpose of business performance management; utilizing data
warehousing technologies and leveraging data marts

Customer interactions: Sales, marketing, and customer service (call center, field
service) via multiple, interconnected delivery channels and integration between front
office and back office

Operational CRM: The automation of horizontally integrated business processes
involving “front office” customer touch points

Personalization: The use of new and traditional groupware/Web technologies to
facilitate customer and business partner communications[1]

Supply Chain Management

Integration of the SCM functions is emerging as one of the greatest challenges facing
today’s e-businesses. SCM is the integration of business processes from end user through
to original supplier. The goal of SCM is to create an end-to-end system that automates all
the business processes between suppliers, distribution partners, and trading partners. The
new mantra for this process, according to industry analysts, is “replacing inventory with
information.” In an effective e-business, the following SCM independent processes must
be highly integrated (see Figure 3.3)[1]:

Demand management: These are shared functions, including demand planning, supply
planning, manufacturing planning, and sales and operations planning.

Inbound/outbound logistics: These include transportation management, distribution
management, and warehouse management.

Supply management: These include products and services for customer order

Core Operations

E-businesses also need to develop and operate complex transaction processing systems
that support their core business operations (see Figures 3.4 and 3.5)[1]. These core
operations include the operational systems that support their particular business, such as
claims processing, trade execution, enterprise resource planning (ERP), and enterprise
resource management (ERM).

Whether a company is just beginning to transform its business into an e-business or is an
e-business strengthening its market position, organizations must put in place architectures
that support large and complex integrated solutions. E-businesses must address the
performance requirements for reliability, scalability, and high availability. These systems
also require a high level of flexibility, integration, and often the added complexity of
operating in a global business environment. These e-businesses need to integrate their
customer relationship management, supply chain, and core business operational systems
such as enterprise resource planning, accounting, and general business support systems to
operate efficiently.

Now, let’s look very briefly at types of e-business markets. In other words, let’s look at
how Web developers respond to your clients’ needs in an e-business-driven marketplace.

[1] Agarwal, Bipin, “Defining the E-Business Model,” Tanning Technology Corporation,
4600 South Syracuse Street, Denver, CO 80237, March 22, 2000.

E-Business Markets

Web sites and intranets are designed for the same reason—to provide information. In the
business world, this information needs to be updated and changed constantly in order to
stay abreast of a changing business climate. New product releases, price changes, and
marketing promotions are just a few examples of information that companies need to
constantly provide to their customers, suppliers, employees, and shareholders. In today’s
world of e-commerce and intense corporate competition, companies need the ability to
instantly update published information in order to effectively communicate with their
intended audience. Today’s companies know that they have to have a dynamic and
interesting Web presence, but they are struggling to find ways to effectively manage their
Internet strategy. Traditional advertising agencies and Web development firms are no
longer meeting the all-encompassing Internet requirements necessary for businesses in
today’s e-commerce-driven marketplace. Companies are looking for advertising agencies
and Web development firms that address their initial Web development needs while also
providing them with viable, affordable solutions that are designed to address, implement,
and manage their overall Internet strategy.

Finally, historically, companies outsourced the development of their Web sites because
creation and maintenance required design and programming expertise. However, relying
on third parties for all site maintenance limited a company’s ability to quickly and easily
update their published information. To solve this problem, many companies decided to
bring Web site and intranet development in-house. Companies then discovered that hiring
the necessary skilled personnel contains its own set of inherent problems. Information
“bottlenecks” still occur when a company has one or two people in the internal IT
department who are bombarded with the responsibility of publishing all company
information. In addition, companies are also finding that Web site designers are hard to
find and even harder to keep. The recurring theme in the market is that companies are
recruiting individual Web designers to build and maintain their Web sites and intranets in-
house only to find that after several months of development, the designer may be lured
away by the promise of a more exciting and rewarding career. This “catch 22” has left
companies looking for some additional alternatives. Companies are turning toward their
advertising agencies and Web development firms to provide the solution to this problem.
Octigon provides the software that addresses this “catch 22” and enables Web developers
to meet the increasing demands of the business marketplace. Market trends have caused
Web site management to become an arduous task, with sites evolving to meet the needs
of e-commerce and e-business.

To be successful, e-businesses must have a continuous optimization business strategy,
solid knowledge management practices, and integrated business process domains. No
matter what the business, the e-business model processes are the same.

The e-business market affords organizations of all sizes and types the opportunity to
leverage their existing assets, employees, technology infrastructure, and information to
gain or maintain marketshare. However, the challenge for the organization is to turn the
vision and the market opportunity into a sustainable e-business.

Finally, the need for an integrated value chain challenges the e-business to optimize its
intellectual assets and its investments in core business systems in order to deliver its
products and services to an unpredictable market. It is this unpredictable nature that
challenges the IT organization to deliver the highly scalable and available infrastructure.
Additional challenges include the unique nature of an e-business and the tight linking of
the business operations to a technical infrastructure. A disciplined and architected
approach based on an e-business model provides the framework needed to build complex
business processes and technical infrastructures that the market is increasingly

Chapter 4: Types of E-Commerce Providers and Vendors
“When nations grow old, the arts grow cold and commerce settles on every tree.”

—William Blake (1757–1827)

The Internet has proven to be a disappointment for many retailers and manufacturers,
even though its sales channels were hyped as both efficient and virtual. First generation e-commerce
adopters now find themselves mired in technology bearing little in common with their
core businesses, because they invested in an infrastructure often costing hundreds of
millions of dollars. Today, industry analysts estimate that one-time e-commerce setup
costs, including technology and labor, range from $22 million to $42 million, depending
on transaction volume (5,000 to 25,000 transactions/day) for companies building from
scratch. Very few companies make money, and even fewer return an attractive ROI at
those levels.

For many companies demanding online profitability and reliability, the traditional
buy/build approach is no longer the best option. Without ever buying a piece of software
or hardware, new business architectures enabled by e-commerce Internet service
providers (ECISPs) allow companies to establish fully customized online sales channels.
Under guarantees of world-class service delivery, the ownership, integration, and ongoing
management of this infrastructure can be outsourced. By freeing retailers and
manufacturers to focus on their brand, merchandise, and customers—not the technology,
ECISPs radically improve the attractiveness of e-commerce.

This chapter examines types of ECISPs and vendors. It addresses three topics: how the
next generation ECISP architecture delivers complete, one-stop online sales channels,
which major advantages companies gain by outsourcing their e-commerce infrastructure,
and why many early adopters have struggled with the first generation buy/build approach.
You will also learn how an ECISP architecture enables manufacturers and retailers to
achieve profitability at $50 million to $290 million in online sales, avoid managing
numerous integration and third-party service relationships, ensure reliability and
scalability in your Web site and order processing, focus your organization on real profit
drivers—not technology, and upgrade functionality continuously and seamlessly over

Traditional Buy/Build Approach

Over 93 percent of first generation e-commerce adopters utilized a “buy/build
architecture” in establishing their technology platform. This architecture generally begins
with a commerce software package from leading vendors such as BroadVision, Blue
Martini, ATG, and Microsoft (see Table 4.1)[1]. Bolted upon this are dozens of individual
applications to manage the online channel: planning, merchandising, marketing,
fulfillment, customer service, business intelligence, and so on. Hardware connects this
infrastructure to the Internet, including database, Web, and application servers; routers
and firewalls; load balancers; and the secure facility that hosts it all. To customize and
integrate the platform, most companies rely on a systems integrator for 3 to 12 months of
hard work that is rarely completed on time or within budget.

Table 4.1: Sample of e-commerce software vendors

Ariba
Description: Ariba provides an open commerce platform to build B2B marketplaces, manage corporate purchasing, and electronically enable suppliers and commerce service providers on the Internet.
Sample customers: CheMatch, Chevron, Covalex, Dow, Merck

Commerce One
Description: Commerce One enables buyers and sellers to trade and creates new business opportunities for all trading partners. Commerce One offers solutions for companies who want to establish a portal on the Global Trading Web, those who want to host portals for others, and those looking for a comprehensive e-procurement solution and robust return on investment. The company’s products include the Commerce One BuySite e-procurement application and the Commerce One MarketSite Solution, the technology that allows Internet market makers to build open marketplaces and link them to the Global Trading Web.
Sample customers: Duke Energy, Eastman, Praxair, Shell, Schlumberger

CrossWorlds Software
Description: CrossWorlds Software is a leading provider of e-business infrastructure software to enable the integration and automation of business processes within enterprises and among trading partners using the Internet (acquired by IBM).
Sample customers: Dow Chemical, DuPont, Royal Philips

e-Credit
Description: eCredit.com, Inc. is a leader in the market for real-time credit, financing, and related services for e-business through the eCredit.com Global Financing Network™. With the Global Financing Network, the company intelligently connects businesses to financing partners and global information sources so credit and financing decisions can be processed in real time at the point of sale.
Sample customers: Beckman, BP Amoco, Cargill, Chevron, Commerx, Inc. (PlasticsNet.Com), Conoco, Procter & Gamble, Texaco

HAHT Commerce
Description: HAHT Commerce, Inc. is the leading global provider of business-to-business sell-side e-commerce solutions. HAHT Commerce e-Scenarios™ are the first suite of packaged Internet applications that integrate and automate marketing, selling, fulfillment, and service functions across the entire business customer life cycle, allowing companies to increase revenue, improve service levels, and lower costs to their distribution channels and customers.
Sample customers: Celanese, Dow Corning, OxyChem, Montell Polyolefins, Sigma-Aldrich

i2 Technologies
Description: i2 Technologies is the leading provider of supply chain optimization solutions. The RHYTHM family of software provides comprehensive decision support across both interenterprise and intraenterprise supply chains: from suppliers’ suppliers to customers’ customers.
Sample customers: OxyChem

IBM
Description: IBM e-business technology and solutions help chemical and petroleum companies compete for market leadership in the following key areas: building efficient and flexible supply value chains, delivering more than price and quality in customer relationships, providing e-market solutions that transform your business architecture, and building business value through ERP extensions.
Sample customers: BOC, Degussa-Hüls, Eastman Chemical, e-Chemicals

Moai
Description: Moai is a leading provider of negotiated e-commerce solutions for online auctions, online procurement, and e-marketplaces. Although Moai’s primary focus is on customers in the business-to-business market, the company also has customers in the business-to-consumer and consumer-to-consumer markets.
Sample customers: Eastman

mySAP.com
Description: The mySAP.com marketplace is an open electronic hub that creates seamless intercompany relationships for buying, selling, and collaborating within and across industries. It provides the infrastructure, security, and applications to transform previously disconnected business transactions into a single collaborative process.
Sample customers: Various

Oracle
Description: Oracle Corp. is the world’s leading supplier of software for information management. The company offers database, tools, and application products, along with related consulting, education, and support services, in more than 145 countries around the world. Oracle provides an Internet-ready platform for building and deploying Web-based applications, a comprehensive suite of Internet-enabled business applications, professional services for help in formulating e-business strategy, as well as in designing, customizing, and implementing e-business solutions.
Sample customers: Hoechst Marion Roussel, ICI Chloro Chemicals, IMC Global Inc, Reichhold Chemicals

Sapient
Description: Sapient provides Internet strategy consulting, sophisticated end-to-end solutions, and launch support to Global 1000 and start-up companies. As Architects for the New Economy(r), Sapient helps clients define their Internet strategies and design, architect, develop, and implement solutions to execute those strategies.
Sample customers: Amoco, ChemConnect, Praxair

webMethods
Description: webMethods is the leading provider of open solutions for business-to-business (B2B) integration. The webMethods B2B(tm) solution provides companies with integrated, direct links to buyers and suppliers, connecting them to major B2B marketplaces and enabling real-time, interactive communication through the Internet, regardless of existing technology infrastructure. Powered by XML, webMethods B2B can automate critical business processes, such as customer relations, procurement and financial services, supply chain management, logistics, and sell-side/buy-side e-
Sample customers: Ashland Chemicals, ChemConnect, Eastman Chemical, FMC Corp., The Geon Company, Optimum Logistics, OxyChem, Ventro Corp.

With this approach, each retailer and manufacturer reluctantly enters the technology
management business and replicates an infrastructure that exists at every other company.
Bits and pieces might be outsourced to gain scale and expertise, but the core technology
platform gets re-created countless times. Drawing a real estate analogy, this would be
similar to all mall-based retailers building, owning, and operating the facilities in which
their stores reside, rather than renting floor space from specialized mall developers. In an
industry that has never invested heavily in IT (under 5% of revenues on average), this
technology ownership approach has proven challenging, especially for midsized retailers
and manufacturers.

Real Profit Drivers Distraction

The key elements of retail differentiation have long been branding, merchandising, and
customer service. By building e-commerce in-house, organizational focus shifts to
technology management, systems integration, and drop ship order fulfillment. Most
offline companies have limited experience in these areas and struggle to recruit talent in
competitive IT positions. With an average e-commerce staff of 767, multichannel retailers
have seen their organizations balloon beyond expectation to support ongoing problems in
technology and operations.

Scalability and Reliability Struggle

Front-page headlines in 2002 showcased site failures at such leading online retailers as
Toys R Us, eBay, Yahoo!, Amazon, and Wal-Mart. Smaller companies wage less-
publicized, daily struggles to meet consumer expectations for site uptime, response time,
and product shipment. Confirming how difficult most businesses have found owning and
operating a reliable e-commerce infrastructure, industry analysts have found that a
whopping 85% of companies planned to change their commerce software package within
seven months of being surveyed. Even with replacement, the reliability problem persists
because 93% of sites are technically understaffed. In other words, because of escalating
salary demands, equity inflexibility, and less desirable work environments, offline
companies face daunting odds in recruiting against start-ups and professional services
firms. The end result: over 37% of orders are failing to get to consumers on time.

Third-Party Service Relationships and Integration Management

Industry analysts have found that 68% of companies have to rely on nine or more
partners to develop and run their Web commerce sites. Systems integration often
constitutes the most important outsourced function because (in a buy/build architecture)
literally dozens of complex linkages must be created across applications, commerce
packages, databases, legacy systems, and third-party services. Unfortunately, most
companies receive less than desired results from their integration partner.

For example, in a comprehensive evaluation of the leading e-commerce integrators,
industry analysts have found that even top performers among a sample of 65 integrators
earned unimpressive scores, and those on the low end showed surprisingly few strengths.
Additionally, not one vendor demonstrated excellence across all service offerings.

Integrators face intense pressure to deliver committed projects, but little pressure to
improve quality. That’s because demand for integration services will exceed supply, thus
driving the major 3,900 global Web sites to hire whatever service providers they can get.

Vendor clients are confused, too. Stunned by skyrocketing price tags and un-even quality,
clients cut corners, switch vendors, or bring work in-house. Unfortunately, few integrator
customers have enough depth of experience to know what to cut, whom they should turn
to, or how to build complex e-commerce sites themselves.
“e-business vendors,” © Copyright 2003 eChemPeople, eChemPeople, 131 Shady
Lane, Bolingbrook, Illinois 60440

Online Sales Channels: Internet Selling Environment

The Internet selling environment includes a hosted online store featuring customer
management, advanced selling, shopping cart, and order processing functionality.
Although the ECISP builds and hosts the store, clients retain complete control over
design elements and merchandising. Consumers see only the client’s brand, content, and
merchandise. The ECISP handles everything technical, including site uptime, response
time, and the management of customer shopping sessions. The ECISP also handles tax
calculation, payment processing, data encryption, order routing, and customer e-mail

The Integration of Business Services and Applications

Integrated business applications and services include a full suite of tools and services to
manage the online channel, including merchandise planning, storefront management,
marketing, fulfillment, and customer service. These applications allow clients
considerable flexibility. Companies can choose to fulfill orders in one or a combination of
ways: in-house warehousing and fulfillment, third-party logistics services using a
preintegrated provider, and/or drop shipping using preintegrated vendors. Similarly,
clients can perform customer service in-house, or they can outsource this service to a
preintegrated call center. In either case, account management and advanced CRM
applications support the service representatives. Marketing applications and services
include e-mail campaigns and affiliate programs. Storefront management applications
include catalog management, pricing and promotions, and content management. And
finally, merchandise planning includes optional applications for seasonal planning,
demand forecasting, replenishment, and purchase order management.

Business Intelligence Service

Business intelligence service (BIS) includes real-time reports, advanced ad hoc reporting,
and financial data feeds to analyze client business performance. In an ECISP
environment, clients retain ownership of their data and flexibility as to its usage. Clients
receive a combination of direct data feeds (in a format of their choosing) and access to
standard reports delivered through an online portal. With an online analytical processing
(OLAP) package, reporting capabilities become extremely powerful and flexible in terms
of ad hoc design using multiple data sources.

Advisory Service

Advisory services include e-commerce expertise and assistance in merchandising,
demand forecasting, marketing, customer service, and logistics. Given their advantaged
position in serving dozens of companies simultaneously, ECISPs can leverage a single
team of business experts across many clients. Clients benefit from performance
benchmarking and best practices gleaned from the entire network. For example, clients
can benchmark their performance in customer acquisition, shopping conversion,
fulfillment time and accuracy, and staffing levels, all while their ECISP partner
recommends changes to move closer to best practice. Rather than reinventing the e-
commerce wheel, businesses implement well the first time and receive ongoing help from
a partner financially committed to their success.

Infrastructure of Hosted Technology

Hosted technology infrastructure includes world-class e-commerce infrastructure with
guaranteed reliability. ECISPs specialize in designing technology platforms built to scale
with the highest degree of operational excellence. ECISPs achieve economies of scale by
managing a single, multitenant architecture. Rather than operating a separate technology
cluster for each client (thereby losing all of the advantages of scale), ECISPs focus on a
single platform built with best-of-breed components throughout. Some even issue
industry-leading service level agreements covering site uptime, response time, and
customer service responsiveness. Clients sleep at night knowing that their sites run on the
best hardware and software, all backed by failover redundancy, technology operations
experts, and quality of service guarantees. And, they never have to own, build, or manage
any technology themselves.

The Advantages of Outsourcing an Infrastructure to an ECISP

Thanks to the new ECISP architecture, many companies can for the first time sustainably
conduct e-commerce while selling less than $594 million annually online. With
dramatically lower up-front costs, predictable ongoing fees, and guaranteed operational
reliability, the ECISP architecture equips offline companies with the confidence that their
online business will succeed.

Better Return on Investment

The ECISP architecture enables profitable e-commerce at one tenth the revenues of those
required by traditional buy/build approaches. Based on industry averages for transaction
values and operating costs, branded apparel manufacturers and multicategory retailers
could achieve profitability at between $22 million and $24 million in online sales, if
operating on an Escalate e-commerce platform. Even multicategory pure-plays could hit
profitability at $32 million in sales. These compare to the $84 million to $2.3 billion
breakeven estimates for the traditional architecture discussed earlier. Best of all,
companies earn a far higher return on investment when using an ECISP due to the low
setup costs.

Focus and Decision-Making Improvement

With the ability to focus on profit drivers, the ECISP architecture enables companies to
outsource less important “context” technology functions (customization, integration,
maintenance) while owning “core” business functions (branding, merchandising,
service). Companies typically require at most one IT employee to interface with their
ECISP provider. In fact, most companies require just 8 to 12 employees to run their entire
online business, as compared to staffing averages for those who build/own (76 for store-
based retailers and 90 for pure-plays). With an ECISP, employees focus on core business
functions, including marketing, merchandising, and content management—not the

Third-Party Service Relationships and Management of Integration

When using an ECISP, companies may require as few as one additional e-commerce
relationship, that with a Web design firm. The ECISP translates the design work into a
functioning Web storefront, thereby simplifying even that relationship. Some companies
will also choose to hire a third-party consulting firm to perform implementation on the
ECISP architecture.

Having preintegrated all other third-party applications and services, the ECISP ensures
ongoing quality of performance, freeing the client to focus on running the business. For
example, should a client desire to outsource customer service, the ECISP recommends
one or more providers based on the client’s specific requirements, from the service
providers that have already been integrated. The ECISP handles ongoing service provider
integration, data transmission, billing, and quality monitoring. The client focuses on the
real business drivers: service policies and representative training.

Solution Dynamics

Finally, the dynamic solution here is the continuous upgrading and addition of new
functionality. By managing a single, multitenant architecture, ECISPs can continuously
enhance applications, features, and functionality for all clients simultaneously. An
analogy can be drawn to telephone companies (telcos). When a telco adds a new feature
like call waiting, the telco can immediately make it available to any customer on their
network. Similarly, as the ECISP adds a new feature like digital gift certificates, every
client can receive it on their site. And, because ECISPs must continuously innovate on
behalf of their broad network of clients, each individual company can expect frequent
platform improvements that keep them ahead of their competition.


Selling online has become an imperative for retailers and an increasing number of
manufacturers. Recognizing that a 24 percent loss in customers can completely eliminate
the profitability of their offline stores, retailers have raced to drive e-commerce growth to
$77 billion in 2004 (6.8% of U.S. retail). By mid-2005, over 95 percent of the largest
U.S. retailers (over $60 billion in annual sales) will be e-commerce enabled. And, for
midsized retailers ($900 million to $60 billion in sales), over 85 percent will be selling
online. Yet these adopters face a fundamental challenge: using the first generation
buy/build architecture, many cannot make money at e-commerce, but none can afford to
avoid trying. For most of them, owning and operating an e-commerce infrastructure does
not make economic or operational sense.

Finally, next generation ECISPs make that ownership unnecessary. They leverage the
Internet itself to deliver a complete online channel solution with guaranteed levels of
performance quality. Companies contract for a fully branded online store, all of the
applications and services required to manage it, and a partner committed to their ongoing
performance improvement. Implementations of 4 to 13 months get accelerated to 4 to 14
weeks, and up-front costs are cut by 64 to 89 percent. From a profitability and reliability
standpoint, businesses can now justify e-commerce to their shareholders and customers.
By enabling companies to focus on their core business, ECISPs unlock the full potential
of online sales channels. ECISPs provide the sustainable e-commerce solution that
manufacturers and retailers have been seeking.

Part II: Designing and Building E-Commerce Web Sites: Hands-On

Chapter List

Chapter 5: E-Commerce Web Site Creation
Chapter 6: Managing E-Commerce Web Site Development
Chapter 7: Building Shopping Cart Applications
Chapter 8: Mobile Electronic Commerce
Chapter 9: Enhancing a Web Server with E-Commerce Application Development

Chapter 5: E-Commerce Web Site Creation
“If God created us in His image we have certainly returned the compliment.”

—Voltaire (1694–1778)

Your business may be small—but the Internet lets you think big. Whatever product or
service your business offers, the Internet levels the playing field and lets you compete
with bigger businesses, reaching customers around the world who can conveniently buy
from you 24 hours a day.

The Elements of E-Commerce

In the competitive world of the Web, however, growing your business and increasing
your profits online requires some careful planning. For every successful e-commerce
business, there are dozens that fail by not addressing basic risks and pitfalls along the
way. So, to take full advantage of the e-commerce opportunity, make sure you base your
Web business on a solid foundation that covers every element of e-commerce:

Establish your identity: The right domain name, or URL, can make the difference
between a memorable e-commerce identity and getting lost in the online crowd.

Find the right online home: For brick-and-mortar stores, location is everything. Your e-
commerce business needs the right home, too. Purchase and set up your own Web server,
or find a home for your site with the right Internet Service Provider (ISP) or Web host.

Build an attractive storefront: With the right tools, creating a Web site is easier than
ever—but following some basic guidelines will help make your site easy and fun for
customers to navigate. And that means more sales for you.

Let customers know they can trust you: In the anonymous world of the Internet,
customers will communicate private information[4], such as credit card numbers or phone
numbers[3], to your e-commerce site only if they’re sure your site is legitimate and the
information they send you is protected. Make sure your site is secure—and that your
customers know it.

Make it easy for customers to pay you: You can set up your site so customers can pay
by simply keying in a credit card number. But then how will you process that transaction?
Make sure you not only offer customers a variety of convenient payment methods, but
that you can process them all.

Let the world know about your site: A memorable domain name, a great-looking
design, and top-notch products and services can make your site successful only if
customers know about it. Don’t neglect promoting your site to drive traffic to it[1].

Clearly, building the elements of e-commerce into your Web business is a big job, but it’s
too important to ignore if you want your e-business to grow and thrive. Just take the
following steps to ensure that your e-commerce business gives you the competitive edge.

1. Establish your online identity with the right Web address.
2. Build a user-friendly site.
3. Set up your Web server—or select an ISP to host your site.
4. Secure your site.
5. Accept and manage all kinds of payments.
6. Test, test, test.
7. Promote your site.
8. Now, start selling.

Step 1: Establishing Your Online Identity with the Right Web Address

The first step toward e-commerce is selecting the name of your site. Your Web address
(also called an URL—Uniform Resource Locator—or “domain name”) tells customers
who you are and how to find you on the Internet. It is the core of your Internet identity—
your online brand. And, because no two parties can have the same Web address, your
online identity is totally unique.

What’s in a Name?

Quite a lot, actually. Remember that not only does your domain name tell customers
exactly how to find your business on the Web, but it also communicates and reinforces
the name of your business to every Web site visitor. It can also be used as part of your e-
mail address to establish your online identity. Keep these tips in mind before you choose
a name:

Make it memorable: “Amazon.com” is much catchier than “buyyourbooksonline.com.”

Describe your business: Another approach is to simply and logically describe your
business. “Flowers.com” works perfectly for a florist. In addition, if you are setting up an
online presence for an established business, keep the name of your site the same as the
name of your business.

Keep it short: The best domain names are those that customers can remember and type
into their browsers after seeing or hearing them only once, so complicated strings of
words like “onlinecdstore.com” don’t work as well as a simple phrase: “cdnow.com”[1].

How to Get and Manage Domain Names

After you’ve decided on your Web identity, the next step is to determine if it is available
and then register it with a domain name “registrar.” Registering is easy and inexpensive,
so do it as soon as you’ve decided on your domain name to make sure you get the name
you want. Many businesses register a number of variations, just in case they want to use
them later—or to avoid the risk of competitors obtaining similar names. A Scandinavian
financial service company, for example, recently spent more than $5 million to register
7,424 domain names. You also may want to register common misspellings so that all
customers who incorrectly type your address still find their way to your site instead of
receiving an error message.

E-commerce businesses most often register a name with “.com” as the domain name
suffix (the letters after the dot; also called a top-level domain, or TLD), but often also
register their names with “.net” and “.org” (for “organization”). Other suffixes include
“.tv” and “.edu” for schools and universities. The Internet Corporation for Assigned
Names and Numbers (ICANN) recently announced seven new TLDs—.biz, .info, .name,
.pro, .museum, .aero, and .coop.

Tip Network Solutions is one of the leading domain name registrars. To search for an
available name and register it with Network Solutions, go to
http://www.networksolutions.com/catalog/domainname, enter the Web address
you’ve chosen in the designated box, and click “Go!” In seconds, you’ll know if the
name is available. Registering a name costs as little as $30 per year; furthermore,
registering with a domain name registrar also automatically lists your site with
leading search engines, and is a great way to promote your site (see step 7 later in
this chapter).

How to Buy an Existing Domain Name

What happens if the domain name you want is already registered? You can either choose
another name or buy your first choice from whoever got it first. The fact that the name
you want has already been registered doesn’t necessarily mean it is not available for sale.
You can easily find out whether a domain name that has already been registered is for
sale by checking out the domain name marketplace site at http://www.greatdomains.com.

How to Register Domain Names Worldwide

The Internet is global—shouldn’t your business be, too? Registration of multiple domain
names for use around the world protects your intellectual property, brand name, and
trademarks against infringement by global cybersquatters. If you plan to do business in
other countries, you can register country-specific Web addresses (in country-specific
TLDs, such as .ita for Italy and .uk for the United Kingdom) with Network Solutions’
idNames search and registration service. But as your business grows, you may find that
registering and managing multiple domain names is a complex, time-consuming process.
IdNames can also consolidate worldwide domain name management into a single
centralized account if you have 50 or more domains. After you’ve established your Web
identity by selecting and registering your domain names, it’s time to build your site.

Tip Go to http://www.networksolutions.com/catalog/idnames for more information.

Step 2: Building a User-Friendly Site

With a domain name in place, you’re ready to start building your e-commerce storefront.
But, before you begin, take some time to plan.

Planning Your Site Carefully

You must first identify clear marketing goals for your site, such as generating leads,
building a database of potential customers’ names and e-mail addresses, or putting a
product catalog online to save the time and expense of printing and mailing. Now, you
need to quantify your objectives (such as increasing sales by 15 percent), so you know
whether or not your site is successful.

Next, you need to figure out what your potential customers need to know before buying
your products and services. This might include:

• An overview of your company, its products and services, and their applications
• Complete product or service descriptions, including features, key benefits,
pricing, product specifications, and other information, for each product or service
• Testimonials, case studies, or success stories so customers can see how similar
individuals or organizations have worked with you
• A frequently asked questions (FAQ) section that anticipates and answers
customers’ common issues[1]

You also need to plan the structure of your site, focusing on making it easy for customers
to learn what they need to know, make a purchase decision, and then buy quickly. In
addition, you need to create a site map that outlines every page on your site from the
home page down and how customers get from one page to the next. Furthermore, you
also need to use tools that quantitatively measure site activity (where customers are
clicking, how often, and whether they end up purchasing), and then compare the results
with your goals.

Choosing the Right Web Site Building Tools

With a solid plan in hand, you’re now ready to start constructing your e-commerce site.
Many e-commerce businesses turn to professional design studios to create their Web
sites. But, if your budget is limited, many Web site building tools make it fast and easy
for you to create a polished, professional-looking site—with no in-depth HTML
knowledge necessary. For example, Image Café from Network Solutions, is one of the
easiest. It’s an online Web site building tool that lets you choose from a variety of
professional-quality templates and then customize them with your own identity and
information. You can preview your site online while you are building it, and when your
site is finished, you can instantly send it to an Image Café hosting partner to publish it on
the Web (see step 3 later in this chapter to learn more about site hosting). The entire
process can put you on the Internet in less than 24 hours at convenient and affordable
monthly prices.

E-Commerce Site Design Tips

Now, let’s look at the following basic guidelines. They will help make your site not only
attractive, but also easy for customers to use—and that means easy for customers to buy
from you:

1. Carefully examine your own favorite e-commerce sites.
2. Your home page is your site’s (and your business’s) online front door.
3. Make it easy for customers to explore your site.
4. Keep things simple.
5. Keep download times short[1].

Examining Your Favorite E-Commerce Sites

You need to carefully examine your own favorite e-commerce sites. By creatively
adapting the most compelling marketing and design techniques, you will enhance your
site’s effectiveness.

Your Home Page Is Your Site’s Online Front Door

It’s essential that your home page makes a good first impression on visitors. You need to
make sure it clearly presents the following basic elements that customers are always
likely to look for:

• Your company name, logo, and slogan should be prominently displayed. Take full
advantage of the opportunity to showcase your brand identity.
• A link to an “About the Company” page should be available for customers to
quickly learn who you are and what your business offers.
• A site menu listing the basic subsections of your site should be in the same place
on every page throughout your site to make it easy to navigate.
• A “What’s New” section for news, announcements, and product promotions
should be frequently updated to encourage customers to return often.
• Your contact information should be easy for visitors to find: your phone number,
e-mail address, mailing address, and fax number.
• Your privacy statement, clearly describing your business’s policy for protecting
customers’ personal information, should be easy to find[1].

Making It Easy for Customers to Explore Your Site

As you build your site, try to minimize the number of clicks it takes the customer to go
from your home page to actually being able to click “Buy” and check out. Four to six is a
useful rule of thumb. You need to make sure links make sense, so customers know what
to click to find what they’re looking for. Don’t make your navigation buttons or links too
dominant an element in your site design: instead, focus on product information.

Keeping Things Simple

You should not fill up your site with graphics, animations, and other visual bells and
whistles. Instead, you need to stick to the same basic color palette and fonts your
company uses in other communications, such as your logo, brochures, and signage. It’s
important to ensure that images and graphics serve to enhance, not distract from, your
marketing goals. Make sure your text is easy to read—black letters on a white
background may not be terribly original, but they are easier on the eyes than orange type
on a purple background.

Keeping Download Times Short

You should also test pages to make sure they’re not too overloaded with graphics that
slow load times, and you should minimize the size of your images when possible.
According to the Boston Consulting Group, nearly half of online shoppers surveyed said
they left sites when pages took too long to download. For example, Zona Research
estimates that most Web pages take anywhere from 4 to 12 seconds to load, depending on
the user’s modem and Internet connection (remember: many e-commerce customers shop
from home using slower connections). Most users click away to another site or log off if
a page takes more than eight seconds to load, costing e-commerce businesses billions in
lost potential revenue.

You’ve now completed step 2. You’re now ready to put your site on the Internet.

Step 3: Setting Up Your Web Server—Or Selecting an ISP to Host Your Site

Your Web site is a series of files that reside on a special computer, called a Web server,
connected to the Internet. For customers to visit your site, they must actually connect to
that Web server via the Internet and view the files. Web servers and the Internet
connections that link them to visitors must be fast and powerful enough to quickly
respond to all the visitors’ requests to view your site.

Many businesses prefer the complete control of purchasing, setting up, and managing
their own Web server hardware and software. Other small- and medium-sized e-
commerce businesses prefer to turn to an ISP or Web hosting company, instead of
investing in the hardware, software, and infrastructure necessary to get online. For a
monthly fee, ISPs and Web hosting companies will connect your site to the Internet at
high speed via one of their Web servers, allowing the site to be viewed by anyone with an
Internet connection and a Web browser. The host provides your site with space on a
server, and also offers Web server software, access to its high-speed Internet connection,
tools for managing and maintaining your site, customer support, e-commerce features,
and more.

There are hundreds of ISP and Web hosting options to choose from, so look for one that
can meet all your needs. You should look for the following in a Web hosting company:

• Shared hosting vs. dedicated server
• Hard-disk storage space[2]
• Availability
• E-mail accounts
• SSL encryption
• Support[1]

Shared Hosting vs. Dedicated Server

Shared hosting is an arrangement in which your site is housed on the same host server
with several other Web sites. This is an economical solution for smaller sites. Paying the
host for your own dedicated server, a solution used by larger and busier sites, provides
faster access and ensures that your site will be accessible to visitors 100 percent of the
time (instead of sharing Web server speed and power with other sites). Does your ISP or
Web hosting provider offer both options?

Hard-Disk Storage Space

Smaller sites may need only 300–500 MB (megabytes) of Web site storage space,
whereas busier e-commerce sites may need at least 9 GB (gigabytes) of space—or their
own dedicated Web server. As your site grows, your ISP should be able to accommodate
you with a range of options.


Availability

If you run an e-commerce business, your site must be accessible to customers 24 hours a
day. ISPs and Web hosts maximize the availability of the sites they host using techniques
such as load balancing and clustering. Can your ISP promise near-100-percent

E-mail Accounts

E-mail accounts that match your domain name are often available from your ISP. Are
they included with your monthly access and hosting fee?

SSL Encryption

The security of the credit card numbers, and other personal information that customers
send you, should be a top concern. Does your ISP or Web host protect your site with a
Secure Sockets Layer (SSL) certificate? See step 4 to learn more about Web site security.


Support

A big part of the value of turning to an ISP or Web host is that you don’t have to worry
about keeping the Web server running. Does your host offer 24 x 7 customer service?

Step 4: Securing Your Site

With your Internet identity established and your site built and hosted, it’s now time to
turn your online storefront into a thriving e-commerce business. To do it, you must win
your customers’ trust. Eighty-six percent of Web users surveyed reported that a lack of
security made them uncomfortable sending credit card numbers over the Internet. E-
merchants who can win the confidence of these customers will gain their business and
their loyalty—and an enormous opportunity for grabbing market share and expanding

The Risks of E-Commerce

In person-to-person transactions, security is based on physical cues. Consumers accept
the risks of using credit cards in places such as department stores because they can see
and touch the merchandise and make judgments about the store. On the Internet, without
those physical cues, it is much more difficult for customers to assess the safety of your
business. Also, serious security threats have emerged:

Spoofing: The low cost of Web site creation and the ease of copying existing pages
makes it all too easy to create illegitimate sites that appear to be operated by established
organizations. Con artists have illegally obtained credit card numbers by setting up
professional-looking Web sites that mimic legitimate businesses.

Unauthorized disclosure: When purchasing information is transmitted “in the clear,”
without proper security and encryption, hackers can intercept the transmissions to obtain
customers’ sensitive information—such as credit card numbers.

Unauthorized action: A competitor or disgruntled customer can alter a Web site so that
it malfunctions or refuses service to potential clients.

Eavesdropping: The private content of a transaction, if unprotected, can be intercepted
en route over the Internet.

Data alteration: The content of a transaction can be not only intercepted, but also altered
en route, either maliciously or accidentally. User names, credit card numbers, and dollar
amounts sent without proper security and encryption are all vulnerable to such

To take advantage of the opportunities of e-commerce and avoid the risks, you must find
the answers to questions such as:

• How can I be certain that my customers’ credit card information is protected from
online eavesdroppers?
• How can I reassure customers who come to my site that they are doing business
with me, not with a fake set up to steal their credit card numbers?
• After I’ve found a way to authoritatively identify my business to customers and
protect private customer information on the Web, what’s the best way to let
customers know about it, so that they can confidently transact business with me[1]?

So, the process of addressing these general security questions boils down to these goals:

Authentication: Your customers must be able to assure themselves that they are in fact
doing business with you—not a “spoof” site masquerading as you.

Confidentiality: Sensitive information and transactions on your Web site, such as the
transmission of credit card information, must be kept private and secure.

Data integrity: Communication between you and your customers must be protected from
alteration by third parties in transmission on the Internet.

Proof of communication: A person must not be able to deny that he sent a secured
communication or made an online purchase[1].
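
The “data integrity” goal above is the one most easily seen in working code. The following Python script is an added illustration, not code from the book: it protects an order record with a keyed message authentication code (HMAC-SHA256 from the standard library), the same kind of tamper check that SSL attaches to every record it sends, and contrasts it with a plain checksum that anyone handling the data in transit can simply recompute. The order fields, the shared key, and the altered dollar amount are all constructed for the demonstration; the card digits are a placeholder.

```python
"""Detecting alteration of an order in transit with a keyed MAC.

Added example; the book states the data-integrity goal, this shows one
mechanism that meets it. All inputs below are constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets

# Constructed shared secret. SSL derives a fresh key of this kind for every
# session during its handshake; a random one is made here so the script runs
# offline without any network exchange.
SESSION_KEY = secrets.token_bytes(32)


def canonical(order: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(order: dict, key: bytes = SESSION_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical order."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "tag": tag}


def verify(message: dict, key: bytes = SESSION_KEY) -> bool:
    """True only if the tag matches the order exactly as received.

    compare_digest runs in constant time, so nothing is learned from how
    quickly a wrong tag is rejected.
    """
    expected = hmac.new(key, canonical(message["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def protect_unkeyed(order: dict) -> dict:
    """The inadequate alternative: an unkeyed SHA-256 checksum."""
    return {"order": order, "checksum": hashlib.sha256(canonical(order)).hexdigest()}


def verify_unkeyed(message: dict) -> bool:
    """Recompute the checksum; anyone can do this, which is exactly the problem."""
    digest = hashlib.sha256(canonical(message["order"])).hexdigest()
    return hmac.compare_digest(digest, message["checksum"])


def demo() -> dict:
    """Send one order honestly, then alter the amount en route, and report
    whether each scheme notices."""
    # Constructed sample order; card_last4 is a placeholder value.
    order = {"customer": "buyer@example.com", "card_last4": "0000",
             "amount": "49.95", "currency": "USD"}
    altered_order = dict(order, amount="4995.00")

    keyed = protect(order)
    # Without the session key the old tag is all that can travel with the
    # altered order, and it no longer matches.
    keyed_altered = {"order": altered_order, "tag": keyed["tag"]}

    unkeyed = protect_unkeyed(order)
    # With no key involved, the checksum is simply recomputed for the new amount.
    unkeyed_altered = protect_unkeyed(altered_order)

    return {
        "honest_keyed_verifies": verify(keyed),
        "altered_keyed_verifies": verify(keyed_altered),            # False: detected
        "honest_unkeyed_verifies": verify_unkeyed(unkeyed),
        "altered_unkeyed_verifies": verify_unkeyed(unkeyed_altered),  # True: missed
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the two verify functions side by side is that integrity protection needs a secret the receiver shares with the sender; a bare hash, however strong, only proves the data matches the hash, not that the original sender produced it.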

The Trust Solution: SSL Certificates for Authentication and Encryption

Digital certificates for your Web site (or “SSL certificates”) are the answer for the
preceding security questions. Installed on your Web server, an SSL certificate is a digital
credential that enables your customers to verify your site’s authenticity and to securely
communicate with it. SSL certificates allow your e-business to provide customers with
the world’s highest level of trust. An SSL certificate assures them that your Web site is
legitimate, that they are really doing business with you, and that confidential information
(such as credit card numbers) transmitted to you online is protected.

How SSL Certificates Work

SSL certificates take advantage of the state-of-the-art Secure Sockets Layer (SSL)
protocol that was developed by Netscape®. SSL has become the universal standard for
authenticating Web sites to Web browser users, and for encrypting communications
between browser users and Web servers. Because SSL is built into all major browsers and
Web servers, simply installing a digital certificate, or SSL certificate, enables SSL

SSL Server Authentication

SSL server authentication allows users to confirm a Web server’s identity. SSL-enabled
client software, such as a Web browser, can automatically check that a server’s certificate
and public ID are valid and have been issued by a certificate authority (CA; such as
VeriSign) listed in the client software’s list of trusted CAs. SSL server authentication is
vital for secure e-commerce transactions in which, for example, users send credit card
numbers over the Web and first want to verify the receiving server’s identity.

Encrypted SSL Connection

An encrypted SSL connection requires that all information sent between a client and a
server be encrypted by the sending software and decrypted by the receiving software,
thus protecting private information from interception over the Internet. In addition, all
data sent over an encrypted SSL connection is protected with a mechanism for detecting
tampering—that is, for automatically determining whether the data has been altered in
transit. This means that users can confidently send private data, such as credit card
numbers, to a Web site, trusting that SSL keeps it private and confidential. So, with the
preceding in mind, the SSL certificate process works as follows:

1. A customer contacts your site and accesses a page secured by an SSL certificate
(indicated by a URL that begins with “https:” instead of just “http:” or by a
message from the browser).
2. Your server responds, automatically sending the customer your site’s digital
certificate, which authenticates your site.
3. Your customer’s Web browser generates a unique “session key” to encrypt all
communications with the site. The user’s browser encrypts the session key itself
with your site’s public key so only your site can read the session key.
4. A secure session is now established. It all takes only seconds and requires no
action by the customer. Depending on the browser, the customer may see a key
icon becoming whole or a padlock closing, indicating that the session is secure[1].

SSL certificates come in two strengths: 40-bit and 128-bit (the numbers refer to the
length of the “session key” generated for each encrypted transaction). The longer the key,
the more difficult it is to break the encryption code. The 128-bit SSL encryption is the
world’s strongest: according to RSA Labs, it would take a trillion years to crack a 128-bit
session key using today’s technology. For example, the primary difference between the
two types of VeriSign SSL certificates is the strength of the SSL session that each
enables. Microsoft and Netscape, for instance, offer two versions of their Web browsers,
export and domestic, that enable different levels of encryption depending on the type of
SSL certificate with which the browser is communicating.

How to Get SSL Certificates

Many leading ISPs and Web hosting providers (such as VeriSign—the Internet Trust
Company) offer a complete range of products and services to help you secure your Web

Commerce Site and Secure Web Site Solutions

Thus, providers are offering SSL certificates in two encryption strengths: 128-bit SSL
(Global Server) IDs and 40-bit SSL (Secure Server) IDs. The 128-bit SSL (Global
Server) IDs enable the world’s strongest SSL encryption with both domestic and export
versions of Microsoft and Netscape browsers. The 128-bit SSL Global Server IDs are the
standard for large-scale online merchants, banks, brokerages, healthcare organizations,
and insurance companies worldwide. On the other hand, the 40-bit SSL (Secure Server)
IDs are ideal for lower-volume, security-sensitive Web sites, intranets, and extranets.

Commerce site services are complete, e-commerce solutions that are ideal for e-
merchants and online stores. A commerce site includes a 40-bit SSL (Secure Server) ID
and online payment management services, plus an array of additional value-added
services. Online payment services enable businesses to easily accept, manage, and
process payments electronically (see step 5 to learn more about facilitating e-commerce
payments on your site). In addition, an e-commerce site also includes a 128-bit SSL
(Global Server) ID, online payment services, and an array of additional value-added

Secure Web site services are best for Web sites, intranets, and extranets that require the
leading SSL certificates and Web site services. A secure Web site also includes a 40-bit
SSL (Secure Server) ID, plus additional value-added services. A secure site also includes
a 128-bit SSL (Global Server) ID and value-added services.

As previously mentioned, many leading ISPs and Web hosting providers include SSL
certificates with their e-commerce packages. When choosing an ISP, look for one that
offers SSL certificates. If you are obtaining your SSL certificate through your ISP or Web
hosting company, your host may ask you to enroll for your certificate yourself, because
you are the owner of the domain name to which the SSL certificate will correspond.
Make sure you ask your hosting company for the information you’ll need to complete the
enrollment process, including:

A CSR, or “Certificate Signing Request”: This is an encrypted file, generated by the
Web server that is hosting your site. This file contains a public key, the name of your
company, its location, and your URL. Because your Web hosting provider operates the
Web server on which your site is hosted, your Web hosting provider must generate the
CSR and send it to you for use during Server ID enrollment.

The kind of server software your Web hosting provider uses: As part of the SSL
certificate enrollment process, you’ll be asked to select your Server Software Vendor, in
addition to your CSR.

A technical contact: Your Web hosting provider should be able to give you the name of
its appropriate technical contact for you to complete the enrollment process[1].

One more thing—if you use multiple Web servers for your site, it’s important that you
use a unique SSL certificate on each one to meet licensing requirements.

Code-Signing IDs

If your e-commerce site offers downloadable software, content, or code, you can digitally
“shrink-wrap” it so customers can be confident that it hasn’t been altered or corrupted in
transmission. All you need is a special code-signing digital certificate, or digital ID.

E-Mail IDs

Installed in your Web browser or e-mail software, an e-mail digital certificate—or digital
ID—serves as your online passport, allowing you to digitally sign e-mail messages. Your
e-mail digital ID assures recipients that messages really came from you, and also allows
you to encrypt messages, using your recipient’s digital ID, so only your recipient can
decrypt and read your messages. Installing and using e-mail digital IDs is easy with
virtually all Web browsers and e-mail programs.

Your Privacy and Security Statement

A vital component of every e-commerce Web site is a comprehensive security and
privacy statement that describes exactly how your business secures information and uses
it. This is extremely important to your customers. For example, TRUSTe, a nonprofit
association supported by businesses such as VeriSign, AT&T, Netscape, Lands’ End, and
Wired, regulates the use of data collected on the Web. By abiding by the association’s
rules regarding use of information collected on your site, you can display the TRUSTe
logo as yet another symbol of trust.

Step 5: Accepting and Managing All Kinds of Payments

With an SSL-secured site, your customers will have the confidence to purchase your
goods and services. But enabling customers to pay you online takes more than just
collecting their credit card numbers or other payment information. What will you do with
customer payment information once it’s sent to you? How can you verify that a customer’s
credit card information is valid? How will you go about processing and managing those
payments with a complex network of financial institutions?

You could simply set up a credit card terminal and process orders manually. But why
invest the time and effort to build an e-commerce site without taking advantage of the
efficiency of online payment processing? To offer a complete e-commerce experience to
customers and to efficiently manage payments for your business, you need to implement
an “Internet payment gateway” that provides Internet connectivity between buyers,
sellers, and the financial networks that move money between them.

The Internet Payment Processing System

Before you implement a payment gateway, you need to understand how the Internet
payment processing system works. Participants in a typical online payment transaction

Your customer: Typically, a holder of a payment instrument (such as a credit card, debit
card, or electronic check) from an issuer.

The issuer: A financial institution, such as a bank, that provides your customer with a
payment instrument. The issuer is responsible for the cardholder’s debt payment.

The merchant: Your e-commerce site, which sells goods or services to the cardholder via
a Web site. A merchant that accepts payment cards must have an Internet merchant
account with an acquirer.

The acquirer: A financial institution that establishes an account with you, the merchant,
and processes payment authorizations and payments. The acquirer provides authorization
to the merchant that a given account is active and that the proposed purchase does not
exceed the customer’s credit limit. The acquirer also provides electronic transfer of
payments to your account, and is then reimbursed by the issuer via the transfer of
electronic funds over a payment network.

The payment gateway: Operated by a third-party provider, the gateway system
processes merchant payments by providing an interface between your e-commerce site
and the acquirer’s financial processing system.

The processor: A large data center that processes credit card transactions and settles
funds to merchants. The processor is connected to your site on behalf of an acquirer via a
payment gateway[1].

The basic steps of an online payment transaction using a payment gateway system
include the following:

1. The customer places an order online by selecting items from your Web site and
sending you a list. Your site often replies with an order summary of the items,
their price, a total, and an order number.
2. The customer sends the order, including payment data, to you. The payment
information is usually encrypted by an SSL pipeline set up between the
customer’s Web browser and your Web server’s SSL certificate.
3. Your e-commerce site requests payment authorization from the payment gateway,
which routes the request to banks and payment processors. Authorization is a
request to charge a cardholder, and must be settled for the cardholder’s account to
be charged. This ensures that the payment is approved by the issuer, and
guarantees that you will be paid.
4. You confirm the order and supply the goods or services to the customer.
5. You then request payment, sending the request to the payment gateway, which
handles the payment processing with the processor.
6. Transactions are settled, or routed by the acquiring bank to your acquiring bank
for deposit[1].

So, how do you implement a payment gateway to process payments on your e-commerce
site? Building your own dedicated pipeline to connect all the players isn’t a practical
option, so for small- and medium-sized businesses, outsourcing to a payment service
provider is the best solution.
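The six steps above, modelled as an added example that is not code from the book or from any payment provider: an in-memory gateway and storefront that enforce the order of authorization, fulfilment, capture and settlement. Class and method names, the issuer limits and the card number are constructed stand-ins.

```python
"""Added example (not from the book or any payment provider): an in-memory model
of the authorize / fulfil / capture / settle flow described in the six steps above.
The gateway, the issuer records and the card numbers are constructed stand-ins."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Dict, List, Optional, Tuple
import secrets


class OrderState(Enum):
    ORDERED = "ordered"        # steps 1-2: summary issued, payment data received over SSL
    AUTHORIZED = "authorized"  # step 3: issuer approved; funds are held, not yet charged
    DECLINED = "declined"      # step 3 failed: inactive account or over the credit limit
    FULFILLED = "fulfilled"    # step 4: goods or services supplied
    CAPTURED = "captured"      # step 5: payment requested against the authorization


@dataclass
class Order:
    order_id: str
    total: Decimal
    state: OrderState = OrderState.ORDERED
    auth_code: Optional[str] = None  # gateway reference; the card number is never kept


class PaymentGateway:
    """Stand-in for the third-party gateway fronting the acquirer and processor."""

    def __init__(self, issuer_limits: Dict[str, Decimal]):
        self._limits = dict(issuer_limits)                 # issuer view: card -> open-to-buy
        self._auths: Dict[str, Tuple[str, Decimal]] = {}   # auth_code -> (card, amount)
        self._captured: List[Tuple[str, Decimal]] = []
        self.settled: List[Tuple[str, Decimal]] = []

    def authorize(self, card_number: str, amount: Decimal) -> Optional[str]:
        """Step 3: the issuer confirms the account is active and the purchase does
        not exceed the limit. Returns an authorization code, or None if declined."""
        limit = self._limits.get(card_number)
        if limit is None or amount <= 0 or amount > limit:
            return None
        self._limits[card_number] = limit - amount   # hold the funds
        code = secrets.token_hex(6)
        self._auths[code] = (card_number, amount)
        return code

    def capture(self, auth_code: str, amount: Decimal) -> bool:
        """Step 5: charge against an earlier authorization; never more than was authorized,
        and an authorization can be captured only once."""
        held = self._auths.get(auth_code)
        if held is None or amount > held[1]:
            return False
        del self._auths[auth_code]
        self._captured.append((auth_code, amount))
        return True

    def settle(self) -> List[Tuple[str, Decimal]]:
        """Step 6: batch settlement, routing captured amounts to the merchant's acquiring bank."""
        batch, self._captured = self._captured, []
        self.settled.extend(batch)
        return batch


class Storefront:
    """The merchant side: drives each order through the states in sequence only."""

    def __init__(self, gateway: PaymentGateway):
        self.gateway = gateway
        self.orders: Dict[str, Order] = {}

    def place_order(self, order_id: str, total: Decimal) -> Order:
        """Step 1: record the order summary."""
        order = Order(order_id, total)
        self.orders[order_id] = order
        return order

    def submit_payment(self, order_id: str, card_number: str) -> bool:
        """Steps 2-3: use the card number once for authorization, keep only the auth code."""
        order = self.orders[order_id]
        if order.state is not OrderState.ORDERED:
            return False
        code = self.gateway.authorize(card_number, order.total)
        order.auth_code = code
        order.state = OrderState.AUTHORIZED if code else OrderState.DECLINED
        return code is not None

    def ship(self, order_id: str) -> bool:
        """Step 4: supply the goods only once the issuer has approved the charge."""
        order = self.orders[order_id]
        if order.state is not OrderState.AUTHORIZED:
            return False
        order.state = OrderState.FULFILLED
        return True

    def request_payment(self, order_id: str) -> bool:
        """Step 5: capture after fulfilment; the gateway rejects unknown or reused auth codes."""
        order = self.orders[order_id]
        if order.state is not OrderState.FULFILLED or order.auth_code is None:
            return False
        if not self.gateway.capture(order.auth_code, order.total):
            return False
        order.state = OrderState.CAPTURED
        return True
```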

Setting Up Your Internet Merchant Account

After you’ve selected and set up your payment processing solution, all you need to start
accepting online payments is an Internet merchant account with a financial institution that
enables you to accept credit cards or purchase cards for payments over the Internet. You
can obtain an Internet merchant account from any financial institution that supports the
following processors:

• First Data Merchant Service (FDMS)
• Paymentech (Salem)
• Vital Processing Services
• Nova Information Systems[1]

The preceding includes most banks. Obtaining a merchant account can take anywhere
from two days to three weeks.

Step 6: Test, Test, Test

You may be eager to launch your e-commerce storefront, but take time to review and test
your site thoroughly before going live. You will only have one chance to make a first
impression on each new visiting customer, and broken links, incorrect phone numbers,
and grammatical or spelling errors diminish the professional polish you’re striving for.

You also need to walk through the entire ordering process to test its usability. Is it clear
exactly what customers need to do to purchase? Try buying a product: is the page on
which you supply payment information secure? Is the payment processed correctly
through your payment gateway? Make sure you test on both Macintosh and PC systems,
and use different browsers and modem speeds. You want to be able to support even
low-end systems (slower computers with a 28.8 modem line).

Also, don’t forget about customer support: it’s the key to creating loyal customers. Are
you prepared to confirm that a customer’s order has been received? Are you ready to
follow up with an e-mail message for good measure? A personalized message from a real
customer service representative is best, but sending an automatic reply works as well. Set
minimum response times and standards for replying to customer questions and concerns,
and ensure that your customer support staff is fully knowledgeable about all your
products and services, their features and benefits, pricing, and availability.

Step 7: Promoting Your Site

Now, you’ve established a compelling, secure, and easy-to-use Web storefront for your
products and services. It’s time to let people know about it. Here are a few tips for driving
traffic to your site:

Register your site with search engines: Over 90 percent of Internet users search one or
more of the top engines to find what they need. Make sure your business is part of the
results when customers look for the products and services you offer.

Put your domain name everywhere: Brochures, advertisements, business cards, and
even hats, jackets, and t-shirts can be effective ways to promote your site and establish
your corporate identity. Don’t forget to include your domain name in your press release,

Advertise: Placing a banner ad on other well-trafficked sites can attract huge numbers of
prospective customers—and doesn’t have to cost a fortune[1].

Step 8: Now, Start Selling

Finally, your e-commerce business is now ready to succeed in the competitive world of
the Web: with an online identity, a Web host, an eye-catching, professional-looking Web
storefront, rock-solid security, easy-to-use payment management, and the right
promotions. So, if you follow the preceding basic steps, they will help you lay the
foundation for a thriving site.

Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
Ebusiness Privacy Plan, McGraw-Hill, 2001.
Vacca, John R., Identity Theft, Prentice Hall PTR, 2002.
“How to Create an E-Commerce Web Site,” ©2003 VeriSign. All rights reserved.
VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA
94043, 2003.
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,

This chapter helped you discover new integrated services that make it easier than ever to
secure your Web site and accept online credit card payments. You also learned how to
create an e-commerce Web site, as well as:

• How to avoid the risks and challenges involved in e-commerce trust
• The best way to secure and authenticate your site so your customers feel
comfortable providing sensitive information
• How to enable your site to process online payments in seconds—including credit
and debit cards[1]

Chapter 6: Managing E-Commerce Web Site Development
“There is no course of life so weak and sottish as that which is managed by order,
method, and discipline.”

—Michel Eyquem de Montaigne (1533–1592)

Electronic commerce is quickly shaping up to be the way business will be conducted in
the future. This chapter takes a look at how an e-commerce Web site is managed as it is
being developed. In other words, this chapter is not necessarily about electronic
commerce in general. It is actually an exercise in building and managing a business-to-
consumer electronic commerce site. In addition, this chapter does not discuss
management concepts or other tools available to implement e-commerce, but focuses
exclusively on Web site servers.

The names “site server” or “commerce server” are used interchangeably throughout this
chapter. It is assumed that there exists a set of requirements that the final site should
adhere to and follow with the development of the site itself.

Note Please check all information or take professional advice before embarking on an
electronic commerce project.

Web Site Server

A Web site server is a comprehensive Internet commerce server an organization can use
to build an e-commerce architecture (see sidebar, “Building an E-Commerce
Architecture”) and monitor/manage business sites on the Web. By providing a
comprehensive set of server components, management tools, and sample sites, a Web site
server significantly reduces development time and costs for business-to-consumer

Building an E-Commerce Architecture

E-commerce continues to hold tremendous profit potential for many companies. It still
offers faster response to customer needs, reduced operating costs, and increased
cooperation among customers and trading partners—if it is done right.

This means not bringing an e-commerce offering to market before planning a workable
architecture. Now, more than ever, companies must thoroughly plan and carefully build
their e-commerce architecture before the first customer ever comes on board. That’s
because capital, time, and resources are scarcer today; margins for error are slimmer; and
shareholders are less in the mood to support initiatives that don’t work out of the gates.

As a corollary, chief information officers (CIOs) frequently have to be the voice of reason
in their companies to ensure that a truly robust, reliable system is built. CIOs may be the
company’s only executive-level people who understand the architectural firepower
needed to build and run a scalable, reliable e-commerce backbone. Only you may be able
to explain to your CEO why you need an integration layer or how your architecture plan
is the best among competing models in the market. And, only you may be able to explain
how much time it takes to build the architecture correctly.

Putting the cart before the horse has never been a wise move, but it was briefly accepted
as a viable business strategy in e-commerce initiatives. In 2001, a company could tout its
e-commerce offering, get customers, and then worry whether it had the scalability,
reliability, and security needed to support business. But that’s over. With the first
casualties of the e-commerce revolution fresh in mind, potential users of your e-
commerce system want to know that you can deliver. CIOs can help their companies by
insisting that they take the following steps:

1. Plan: The architecture is the structure of the e-commerce system and will
determine what the company can and cannot do, both now and in the future.
Therefore, it’s critical for the system’s software engineers to develop an
architecture blueprint up front. The blueprint should include the highest-level
design of the business solution and processes; highest-level technical design and
lower-level designs; and information on any relevant special structures, interfaces,
or algorithms.
2. Plan for the “ilities”: When well-planned and well-built, the architecture will
deliver on all of the key “ilities”—such as scalability, reliability, availability, and
serviceability. But, in their hurry to get to market, far too many companies short
themselves on the necessary components and vendor partners. CIOs can insist on
components from best-in-class technology providers and consult development
firms that have implemented applications within a broad range of architectural
3. Plan for integration: The technology infrastructure must allow you to integrate
customers’ legacy systems, third-party vendors, and applications to come in the
future. For example, insurance companies have extensive legacy systems and
various business partners that must be accommodated. DriveLogic, for instance,
the e-commerce arm of CCC Information Services and a leading provider of
technology solutions to over 460 of the nation’s top insurers, has implemented an
architecture that will be able to communicate with all of these systems. It allows
insurers to leverage existing technology and data—a considerable asset—and
accommodates insurer business partners and other technology vendors as well.
4. Make good vendor choices: A robust system calls for the best vendor partners.
Like a house built with cheap materials, architecture pieced together with low-rent
components and vendors won’t wear well—and may jeopardize your company’s
reputation for years to come.

Today, it’s more critical than ever to get the e-commerce strategy right in the preplanning
stages, well before you ever bring the offering to market. To be a leader, and avoid the
mistakes of the past few years, a company must build it right from the start[1].

By using a set of objects, tools, wizards, and sample sites, one can add Internet commerce
capabilities to an existing Web site or can quickly and easily create a new electronic
commerce site. A commerce server usually supports business-to-consumer sites as well as
business-to-business and corporate purchasing sites.

Business-to-Consumer (B2C) Sites

These B2C sites sell products to the consumer through the Web. A commerce server
should include support for advertising, promotions, cross-sells, secure payment, order
processing, and consumer wallets.

Business-to-Business (B2B) Sites

A B2B site is the other hot application for e-commerce, as a replacement for EDI. A
commerce server provides features for building business-to-business sites, such as
support for purchase orders, order approval routing, and the secure exchange of business
information between trading partners.

Beattie, Jim, “When Building E-Commerce Architecture: Don’t Put the Cart Before the
Horse,” Copyright ©2003 Cognizant Technology Solutions, Cognizant Technology
Solutions, 500 Glenpointe Centre West, Teaneck, New Jersey 07666, 2003.

Developing a Commerce Site

Developing a commerce site is similar to developing an application, and a structured
approach is recommended. This part of the chapter discusses a development methodology
for the commerce site. An approach with the following stages is recommended here:

• Scope
• Prototype
• Design
• Implementation
• Testing
• Deployment[3]

The Scope stage involves the following activities:

• Researching the business requirements
• Projecting the infrastructure needs of the solution
• Establishing the overall technical architecture of the solution
• Performing an initial analysis of the security, performance, maintainability, and
integration issues
• Specifying a schedule for development and implementation of the solution[3]

The Prototype stage involves building a basic layout of the site so as to get a taste of what
the site will look like. The prototype is essentially the foundation for the final site and can
be modified according to the customer’s feedback.

The Design stage involves developing the logical design. It also involves designing the
user interface and deriving the physical design.

The Implementation stage involves translating the design into the actual site. This can be
in the form of changes and updates to the prototype. The key tasks are creating the user
interface, developing custom components for the order processing pipelines, if needed,
and implementing the database according to the design.

Testing and Deployment

The site should be tested before deployment. Among other things, the site should be
tested for security, user interface, performance, and ease-of-use. Once testing is complete,
the site should be deployed.

Ganesh, Arvind, “Enterprise Application Development and Commerce Site Server,”
Copyright ©2003 California Software Labs, Ltd., California Software Labs, Ltd., 6800
Koll Center Parkway, Suite 100, Pleasanton, CA 94566, 2003.

Requirements for Your Site

Before we start building your commerce site, let’s take a look at the following set of
requirements that the final site should satisfy:

1. The Web site should enable customers to shop with a shopping cart.
2. The catalog of products can contain:
a. Products from various vendors
b. Sale announcements and other promotions
3. The Web site should feature customer registration.
4. The Web site should support online payment using credit cards. Additionally, the
site should:
a. Support an e-Wallet
b. Securely transfer credit card information
5. The customer should receive e-mail confirmation of his order.
6. The e-mail should also have a link to the Order Status page.
7. Any order that is yet to be shipped can be cancelled by the customer.
8. The Web site should include appropriate error handling.
9. The Web site should suggest other recommended products to the customer.
10. The Web site should support both Internet Explorer and Navigator[3].

Note Following the usual commerce site development methodology suggested earlier,
this set of requirements would have been arrived at in the Scope stage.

Building the Prototype

You are now ready to build a prototype sample site. Building a site using a commerce
server essentially involves customizing a site generated by the use of wizards. Thus, the
wizard-generated site after implementing the initial user interface can be used as the
prototype. A commerce server should give you a choice between making a copy of one of
the commerce server sample sites or a custom site. After you have generated a site, you
can get down to a database and user-interface design. Building the prototype site involves
the following steps:

1. Creating the site database
2. Creating database logins
3. Creating the data source name (DSN)
4. Creating the site foundation
5. Generating the site[3]

A commerce server should be able to distinguish between the site’s administrator and the
site manager. The administrator performs steps 1–4 and manages the server, while the
site manager builds, maintains, and manages the site. Now, let’s take a look at each of the
preceding steps.

Preparing the Database (Steps 1, 2, and 3)

When the wizard is run, you need to supply a data source name (DSN), a database login
name and password, and other information that is needed for a connection string. The
wizard will create two configuration files: one for the site and one for its manager pages.
Both files hold the connection string used for accessing the site’s database. The wizard
then obtains the database connection information from the file and uses it to connect to
the database and create the schema. The next step (step 3) is to create a DSN for the
sample site.

Building the Site

A site manager should be able to connect to the manager’s pages and build the site by
running the wizard. This generates all the files and database tables, including product
pages, basic layout, shipping and handling, tax, and payment. Furthermore, this builds the
actual store that will exist on top of the site foundation.

You should run the wizard and follow the instructions displayed on the screen. Some
points of interest when building the site are as follows:

1. A locale step defines the default locale to be used in your store. This drives the
configuration of the default tax calculation component as well as the format used
to display currency and other localized variables.
2. Price promotions allow you to offer promotions, such as discounts based on
dollars spent, percentage discounts, or a two-for-one promotion. Cross-sell
promotions allow the site to offer a related product when a shopper selects a
particular product.
3. With a features step, you can choose if and when you want shoppers to register at
your site and whether you want to maintain this shopper information in the site’s
4. A product attribute type step is based on the type of products that the site intends
to offer. With static attributes, all products have the same attributes.
5. Dynamic attributes allow the site to sell products that might differ in attributes,
for example, one item may be offered in multiple colors, but not list the
manufacturer’s name, and another item, such as a shirt, might have varied sizes,
neck size, sleeve length, and color.
6. An order history step offers the option for the site to store a shopper’s order
history and receipt information[4]. This information is useful to customers who
may want to look up existing orders. In addition, it can provide a source for
integrating into an existing customer service application[3].

After running the wizard, your sample site is now ready and open for shopping. Now,
let’s take a look at how the wizard-generated site meets many of the stated requirements
right “out of the box.” With reference to the list of requirements given earlier, the site
meets the following requirements at this stage: 1, 2.b, 3, 4.a, 8, 9, and 10.

The site you have just built can be used as a prototype after implementing the initial user
interface (UI). The Design stage is next.

The Design stage involves coming up with the overall structure of the site. This task
would be mammoth if it were not made easier by the wizard because it automatically
generates the basic structure of a commerce site with features such as a shopping cart,
shopper ID, order ID, and so on. To build the design for your site, you have to design it
around the existing commerce site design. There are essentially three aspects to site
design in a commerce server: designing the database, the order form, and an order
processing pipeline (OPP). A commerce server site populates its pages with data obtained
dynamically from its database. The database holds all the data related to the site—data
related to the products and shoppers. The site performance and reliability is influenced by
the database design.

An order form object provides storage for customer and purchase information. A
commerce server site uses the order form object to store the items that a customer has
placed in the basket, to store bill-to, ship-to, and receipt information.

The OPP is a collection of components that encapsulates the processing that is performed
on the order form. Each component in the OPP has its own distinct function that it
performs on the order form.

Because the order form is of limited scope, the design should focus on a single example
of each of the different design aspects. At the end of the Design stage, you should be clear
about what is to be done in the Implementation stage.

Database Design

Central to the design of the site is the design of the site database. Much of the database
schema required for a commerce site is automatically generated by the wizard. However,
if you already have a product database in place, and you want the commerce server site to
use it, you can select a sample site whose product schema most closely matches the
existing database. You can use the wizard to copy that sample site, and then modify the
queries as appropriate for your database.

In the sample sites, database queries that are used to display information (such as product
descriptions and properties) on the page are defined in the ASP file for that page. So, to
accommodate a different product schema, one need only modify the query as needed and
create a combination of HTML and scripting to display the product information on the

Note For more information on ASP, see http://www.activeserverpages.com.

In the case of your sample site, the need to modify the wizard-generated database schema
arises because of the following previously listed requirement: 2.a—the product catalog
can have products from various vendors. This requirement introduces a new entity into
the schema—the vendor or manufacturer. This leads to a new relationship between the
products table and the vendor table.

When translated into physical design, the entity maps to a new table. A new table to hold
vendor attributes is created. The relationship between products and a vendor is a many-
to-one relationship. This maps to a new column in the products table that holds the
Vendor ID.
In general, a fair bit of denormalization is recommended because it can result in
significant performance gains. Database queries should be kept to a minimum to increase

Order Form Values

An order form object is a commerce server dictionary object. The order form object
serves as working storage for order form data being collected or processed (the shopping

An order form object is defined internally as a structured group of dictionary objects, and
includes the methods required to add items, clear items, and clear the entire order form
itself. Commerce server sites use the order form object to store items that a shopper might
have chosen to purchase, and to store receipt information that will hold a shopper’s order
history. Some of the common values that the order form might hold are:

• Shopper ID
• Name
• Address
• Order cost information
• Purchase subtotal
• Tax
• Shipping
• Total[3]

Note The order form does not directly support storage of its data on disk—instead, a
database storage object (DBSO) is used to accomplish this.

Now, with the preceding in mind, let’s get back to your sample site. You will need to add
a few values to the order form. This is necessitated by the following requirement that was
previously listed: 5. Customer should receive e-mail confirmation of his order. This
functionality will be implemented by a simple mail transfer protocol (SMTP) component
in the purchase pipeline. The SMTP component will require the information shown in
Table 6.1[3].

Table 6.1: SMTP component functional information and description

Function              Description
Order.email_subject   The subject for the order confirmation to be sent by e-mail to the
Order.email_body      The message body for the order confirmation to be sent by e-mail
                      to the customer

Order Processing Pipeline (OPP)

The commerce server pipeline is a software infrastructure that links one or more
components and runs them in sequence on the order form object. Each stage in a pipeline
consists of zero or more components, and each of these components is run in sequence. A
component is a Component Object Model (COM) object that is designed to perform some
operation on an order form. Usually, each component has its own small task to perform.
For example, a fixed shipping component checks for the right shipping method and sets
the shipping cost to the appropriate value.

A business-to-consumer commerce site in commerce server uses three kinds of OPPs—the
product, plan, and purchase pipelines. The product pipeline is of little interest here.
The plan pipeline consists of stages, which consist of components that verify the integrity
of the order form. The purchase pipeline has stages and has components that accept the
final purchase of an order form, write an order to database storage and finalize a receipt,
and write the contents of the order form to the receipt database.

Note The purchase pipeline is usually run once an order form has been run successfully
through the plan pipeline, and the shopper has confirmed his desire to finalize a

A commerce server should include the requisite basic pipeline components needed for a
basic commerce site. When you run a wizard, it automatically creates the three OPPs
required for the site—this site does not, however, feature real-time credit card validation
and only includes very basic tax and shipping components. Various third-party
components are available for these functions. Your sample site should use default tax and
shipping components. However, you need to add a new component to handle the
following previously listed requirement: 5. Customer should receive e-mail confirmation
of his order.

Tip Introducing the preceding functionality into the site means that you have to add the
SMTP component to the purchase pipeline.
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,


The Implementation stage is where the design is translated into actual changes to the
prototype. This stage includes UI changes depending upon feedback from the customer,
custom development of components (if any), changes to the database schema, and
changes to the ASP files. However, this part of the chapter does not deal with UI
implementation or custom components. At the end of implementation, therefore, you
should have a working commerce site that satisfies all listed requirements.

The Implementation stage involves modifying the wizard-generated ASP files. Most
developers are comfortable using a text editor such as Notepad to manually edit the files.
The ASP files are like HTML files with added functionality; they are responsible for the
look of the site and the UI in general.

Database Implementation

Database implementation deals with making changes to the wizard-generated database to
make it conform to the database schema. These changes usually cascade into changes to
the appropriate ASP files as well. In the case of your sample site, it would require adding
a new table called Vendors that holds the attributes of the Vendor, such as ID, name,
address, phone, fax, e-mail address, home page address, and so forth.

To relate products with their vendors, you need to define a many-to-one relationship that
translates into an additional column in the product table that holds the ID of the vendor.
Both these changes require updates to the ASP files.

Note In general, any change made to the database schema results in a number of changes
to the associated ASP files.
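The vendor entity described in the Design and Implementation stages, as an added example
rather than the schema the wizard generates: a Vendors table, a vendor_id column on the
products table for the many-to-one relationship, and a single join query of the kind a page
would issue. Python with the standard sqlite3 module stands in for the commerce server
database; table names, column names and the sample rows are all constructed for the
example.

```python
import sqlite3

# Constructed schema (an assumption, not Commerce Server's generated tables):
# one Vendors table and a vendor_id column on Products, which is how the
# many-to-one relationship maps into physical design.
SCHEMA = """
CREATE TABLE Vendors (
    vendor_id   INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT,
    home_page   TEXT
);
CREATE TABLE Products (
    sku         TEXT PRIMARY KEY,
    name        TEXT NOT NULL,
    list_price  REAL NOT NULL CHECK (list_price >= 0),
    vendor_id   INTEGER NOT NULL REFERENCES Vendors(vendor_id)
);
"""


def open_catalog() -> sqlite3.Connection:
    """Create the in-memory catalog and load constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Vendors VALUES (?, ?, ?, ?)", [
        (1, "Example Boot Co.", "sales@example.com", "https://example.com"),
        (2, "Example Shoe Works", None, None),
    ])
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?, ?)", [
        ("B-100", "Hiking boot", 89.95, 1),
        ("S-200", "Dress shoe", 59.00, 2),
        ("S-201", "Sandal", 24.50, 2),
    ])
    conn.commit()
    return conn


def products_with_vendor(conn, vendor_id=None):
    """One join returns product and vendor columns together, so the page
    needs a single query rather than one per product. The optional vendor
    filter is bound as a parameter, never concatenated into the SQL."""
    sql = ("SELECT p.sku, p.name, p.list_price, v.name AS vendor "
           "FROM Products p JOIN Vendors v ON v.vendor_id = p.vendor_id")
    params = ()
    if vendor_id is not None:
        sql += " WHERE p.vendor_id = ?"
        params = (vendor_id,)
    return conn.execute(sql + " ORDER BY p.sku", params).fetchall()


def add_product(conn, sku, name, price, vendor_id) -> bool:
    """Insert a product; returns False when the vendor does not exist,
    because the foreign key rejects the row and the transaction rolls back."""
    try:
        with conn:
            conn.execute("INSERT INTO Products VALUES (?, ?, ?, ?)",
                         (sku, name, price, vendor_id))
        return True
    except sqlite3.IntegrityError:
        return False
```

The foreign key is what keeps the relationship consistent once manager pages start editing
products and vendors independently; without it an orphaned vendor_id only shows up when
a catalog page renders a blank vendor name.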

Editing the Pipeline

Previously listed requirements 5 and 6 can be met by introducing the SMTP component
in the purchase pipeline. Adding the SMTP component requires that you also add a
scriptor component just before the SMTP component.
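The plan and purchase pipelines described under Order Processing Pipeline, together with
the scriptor-then-SMTP addition just mentioned, as an added example. It is not commerce
server code: Python functions stand in for COM pipeline components, the order form is a
plain dictionary, the receipt store is a list, and the SMTP component drops the composed
message into an in-memory outbox instead of a mail server. Component names, the shipping
rates, the tax rate and the sample order are all constructed.

```python
from email.message import EmailMessage
from typing import Callable, Dict, List

OrderForm = Dict[str, object]          # the order form as a dictionary
Component = Callable[[OrderForm], None]


class PipelineError(Exception):
    """Raised by a component that finds the order form invalid."""


def run_pipeline(stages: List[List[Component]], order: OrderForm) -> OrderForm:
    """Run every component of every stage, in sequence, on the same order form."""
    for stage in stages:
        for component in stage:
            component(order)
    return order


# --- plan pipeline components: verify the integrity of the order form -------
def check_items(order):
    items = order.get("items", [])
    if not items:
        raise PipelineError("empty basket")
    for item in items:
        if item["quantity"] <= 0 or item["unit_price"] < 0:
            raise PipelineError(f"bad line item {item['sku']}")


def subtotal(order):
    order["subtotal"] = sum(i["quantity"] * i["unit_price"] for i in order["items"])


def fixed_shipping(order):
    # Like the fixed shipping component in the text: check the method, set the cost.
    rates = {"ground": 5.00, "air": 15.00}          # constructed rates
    method = order.get("shipping_method", "ground")
    if method not in rates:
        raise PipelineError(f"unknown shipping method {method}")
    order["shipping"] = rates[method]


def simple_tax(order):
    order["tax"] = round(order["subtotal"] * order.get("tax_rate", 0.0), 2)


def total(order):
    order["total"] = round(order["subtotal"] + order["shipping"] + order["tax"], 2)


# --- purchase pipeline components: accept the order, write the receipt, notify ---
def make_save_order(receipt_db: list) -> Component:
    def save_order(order):
        order["order_id"] = f"ORD-{len(receipt_db) + 1:05d}"
        # The receipt keeps the order contents and a status; payment details
        # are deliberately not copied into stored data.
        receipt = {k: v for k, v in order.items() if k != "payment"}
        receipt["status"] = "pending"
        receipt_db.append(receipt)
    return save_order


def scriptor_confirmation(order):
    """The scriptor component placed just before the SMTP component: it fills
    in Order.email_subject and Order.email_body from the order data."""
    lines = [f"{i['quantity']} x {i['sku']} @ {i['unit_price']:.2f}" for i in order["items"]]
    order["email_subject"] = f"Order {order['order_id']} confirmation"
    order["email_body"] = "\n".join(lines + [f"Total: {order['total']:.2f}"])


def make_smtp_component(outbox: list, sender="orders@example.com") -> Component:
    def smtp_send(order):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = order["shopper_email"]
        msg["Subject"] = order["email_subject"]
        msg.set_content(order["email_body"])
        outbox.append(msg)   # a deployed component would pass msg to smtplib.SMTP.send_message
    return smtp_send


def build_pipelines(receipt_db: list, outbox: list):
    plan = [[check_items], [subtotal, fixed_shipping, simple_tax], [total]]
    purchase = [[make_save_order(receipt_db)],
                [scriptor_confirmation, make_smtp_component(outbox)]]
    return plan, purchase


def plan_rejects(plan, order) -> bool:
    """True when the plan pipeline refuses the order form."""
    try:
        run_pipeline(plan, order)
        return False
    except PipelineError:
        return True


# Constructed sample order form.
SAMPLE_ORDER = {
    "shopper_id": "shopper-42", "shopper_email": "shopper@example.com",
    "items": [{"sku": "B-100", "quantity": 1, "unit_price": 89.95},
              {"sku": "S-201", "quantity": 2, "unit_price": 24.50}],
    "shipping_method": "air", "tax_rate": 0.08,
    "payment": {"method": "card", "token": "tok_constructed"},
}
```

Running the plan pipeline first and the purchase pipeline only afterwards mirrors the order
the text gives: the receipt and the confirmation mail are produced only from an order form
that has already passed every verification component.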

Securing the Site

Going back to the previously listed requirements, you still have the following
requirement to be met: 4.2 Credit card information should be securely transferred. This
means the ASP file that receives the credit card information, entered by the shopper
through a form post, should be secured by a Secure Sockets Layer (SSL).

Commerce server-based sites usually use SSL to encrypt transactions passed over a
secure port. By default, however, HTTP over SSL (HTTPS) is disabled in sites created
with a wizard. A commerce server does this so that developers can create and test these
sites without causing an error, even on a server on which no server certificate is installed.

Note To enable SSL, you must install a valid server certificate. For further details about
obtaining a certificate for your server, see http://www.verisign.com.
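The point of requirement 4.2 is that the page receiving the card form post must itself be
served over SSL. The following added example, which is not commerce server or ASP code,
shows the check such a page should make before touching the posted fields: a Python
function in the shape of a WSGI handler refuses the post outright unless the request
arrived over HTTPS. The field names, the constructed request builder and the card number
used in the test are assumptions for the example.

```python
import io
from urllib.parse import parse_qs

CARD_FIELDS = ("card_number", "card_expiry")     # assumed form field names


def make_environ(scheme: str, method: str, body: str) -> dict:
    """Constructed WSGI-style request: just enough keys for the handler."""
    raw = body.encode()
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}


def receive_payment_form(environ: dict) -> tuple:
    """Stand-in for the page that receives the card form post.
    Returns (status, message); card data is processed only over HTTPS."""
    if environ.get("wsgi.url_scheme") != "https":
        # Reject rather than redirect: by the time this code runs, a plain-HTTP
        # post has already carried the card data in the clear, so the right
        # response is to refuse it and fix the link that sent the shopper here.
        return 403, "card data is accepted over HTTPS only"
    if environ.get("REQUEST_METHOD") != "POST":
        return 405, "POST required"
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    form = {k: v[0] for k, v in parse_qs(body).items()}
    missing = [f for f in CARD_FIELDS if not form.get(f, "").strip()]
    if missing:
        return 400, "missing " + ", ".join(missing)
    # Hand the full number to the payment step only; keep just the last four
    # digits for the receipt and never write the full number to logs.
    last4 = form["card_number"][-4:]
    return 200, f"accepted card ending {last4}"
```

The same check belongs on every page in the chain that handles the number, not only the
first one; a later page reached over plain http:// would otherwise receive the same data
the first page protected.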

Database Access

You still have one more previously listed requirement that needs to be met: 7. Any order
that is yet to be shipped can be cancelled by the customer. To implement this, you have to
go back to the ASPs again. In the wizard-generated site, the status of the order is
maintained in a separate field in the receipt table. The site does not, however, maintain
status automatically. To do this, the ASPs, which display order data in the manager’s
pages, will have to be modified to allow the manager to set the status of the order.

After you have taken care of maintaining your order status, you will now have to display
this information to the customer. Here, when you display the order status, you can
perform a check to see if it has been shipped. If it has not been shipped yet, the customer
can be presented with an option to cancel the order. If the customer chooses this option,
the status of the order should be set to indicate the cancelled status.

Note The site manager and shopper pages use different logins to access the database. If
the shopper should be able to cancel the order, then a sample site visitor account
should have appropriate permission.

Tip It usually helps to have an additional stage before being “shipped,” which indicates
the status when the order has almost been shipped. This helps avoid losses that may
arise when a customer cancels an order that is about to be shipped.
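The order-status handling just described, as an added example that is not the site's ASP
code: a constructed receipt table with a status column, a manager function that moves an
order along, and a shopper cancel function that succeeds only while the order is still
cancellable. The status values, including the extra “packing” stage the tip recommends,
and the sample rows are assumptions. Python and the standard sqlite3 module stand in for
the commerce server database.

```python
import sqlite3

# Constructed status values. "packing" is the stage between "pending" and
# "shipped" that the tip recommends; only "pending" orders may be cancelled.
CANCELLABLE = ("pending",)


def open_receipts() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Receipts (
        order_id   TEXT PRIMARY KEY,
        shopper_id TEXT NOT NULL,
        total      REAL NOT NULL,
        status     TEXT NOT NULL
                   CHECK (status IN ('pending', 'packing', 'shipped', 'cancelled')))""")
    conn.executemany("INSERT INTO Receipts VALUES (?, ?, ?, ?)", [
        ("ORD-1", "shopper-a", 40.0, "pending"),
        ("ORD-2", "shopper-a", 75.0, "packing"),
        ("ORD-3", "shopper-b", 12.5, "shipped"),
    ])
    conn.commit()
    return conn


def manager_set_status(conn, order_id: str, status: str) -> bool:
    """Manager page: set the status. The CHECK constraint rejects unknown values,
    which surfaces as IntegrityError and a rolled-back transaction."""
    try:
        with conn:
            cur = conn.execute("UPDATE Receipts SET status = ? WHERE order_id = ?",
                               (status, order_id))
    except sqlite3.IntegrityError:
        return False
    return cur.rowcount == 1


def shopper_can_cancel(conn, order_id: str, shopper_id: str) -> bool:
    """What the order page uses to decide whether to show the cancel option.
    The shopper_id condition keeps one shopper from seeing another's orders."""
    row = conn.execute("SELECT status FROM Receipts WHERE order_id = ? AND shopper_id = ?",
                       (order_id, shopper_id)).fetchone()
    return row is not None and row[0] in CANCELLABLE


def shopper_cancel(conn, order_id: str, shopper_id: str) -> bool:
    """Shopper page: cancel the order. Ownership and status are re-checked inside
    the UPDATE itself, so a manager marking the order shipped between the page
    being displayed and the cancel click cannot be overridden by the stale
    check that rendered the button."""
    placeholders = ",".join("?" * len(CANCELLABLE))
    with conn:
        cur = conn.execute(
            "UPDATE Receipts SET status = 'cancelled' "
            f"WHERE order_id = ? AND shopper_id = ? AND status IN ({placeholders})",
            (order_id, shopper_id, *CANCELLABLE))
    return cur.rowcount == 1


def order_status(conn, order_id: str):
    row = conn.execute("SELECT status FROM Receipts WHERE order_id = ?", (order_id,)).fetchone()
    return row[0] if row else None
```

This also shows how small the permission the note asks for can be: the shopper login only
ever runs the conditional UPDATE on its own rows, while every other status change stays with
the manager login.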

With the preceding in mind, your little sample site is now ready and is fully functional
(see Figure 6.1), except for payment verification[2]. The site should be subjected to testing
before deployment.


Site security is very crucial in a commerce site. Exaggerated reports of credit card fraud
on the Internet have led to people being highly apprehensive of shopping on the Internet.
However, this initial mental barrier is now being overcome as more people take to
shopping on the Net.

Site security is definitely one of the most important factors, if not the most, that the site
designer will have to spend time on at all stages. The most basic security requirement is
that customers of a commerce server site need assurance that confidential information
such as passwords and credit card numbers are protected from unwanted access. To
achieve this, a commerce server should support the industry-standard SSL.


Security of credit card information is the primary concern for the customer. By default,
commerce server sites do not store credit card information used in an online transaction.
Security of credit card information over the Internet is implemented using SSL.

In a nutshell, SSL is a method of data encryption that is used to secure transactions
between the client and the server. The client and server share an encrypted session key
that is generated by the client software. This key is transferred to the server using the
server’s public key. Using the server’s public key to encrypt the session key ensures that
only the private key of this pair will be able to decrypt the session key.

To receive a page that is secured by SSL, the browser sends a request using the HTTPS
(S for Secure) protocol. In HTTPS, the URL for the restricted Web site starts with https://
instead of the normal http://.

Site Managers

For every commerce server site, a group is created that permits access to the site’s
manager pages. The users in this group are the operators of that particular commerce
server site. This group permits access to the site’s manager pages, along with Read/Write
access to all of the site’s files. An operator of one commerce server site does not have this
type of access to any other commerce server site.

Configuring the Network Against External Intrusions

Guarding the site from external intrusions is also critical. However, this can be
accomplished rather cost-effectively through a standard firewall-safe network

In such a configuration, the network is guarded by a firewall (or proxy server) that allows
certain “Demilitarized Zones” (DMZs), as shown in Figure 6.2[3]. These DMZs are the
areas of the internal network that may be accessed by external (or Internet) users. The
firewall would be configured to allow HTTP access to the commerce server on the local
area network (LAN). The database server, however, will not be publicly accessible. All
database access from the commerce server machine would have to go through the
firewall, as the commerce server will not be connected to the data. For critical purposes,
having the same machine as a commerce server and the database server is not

Copyright ©2001, Eden-2000, SexyShoesandBoots.com, Eden-2000 Web Designs,
MerchantWebsiteDesign.com, 2003.


Electronic commerce over the Internet is predicted to grow at an ever-increasing rate over
the next few years. Many companies are beginning to investigate the feasibility of using
this new sales channel, and many retailers have now established online sales sites. This
market is expected to really explode in the next few years as more retailers jump onto the
Internet commerce bandwagon.

With the preceding in mind, this chapter has successfully traced the development of a
commerce site through the different stages from planning to implementation. It provided
an introduction to developing commerce sites.

Finally, the chapter showed how to build a basic commerce site from scratch. Following
the suggested methodology, the chapter showed you how to go through the stages in the
development of a commerce site. After reading this chapter, you should now have a fairly
good idea of how to develop a commerce site.

Chapter 7: Building Shopping Cart
“There are no such things as applied sciences, only applications of science.”

—Louis Pasteur (1822–1895)


Managing major e-businesses these days requires significant development of Web
resources, particularly if you want to let your customers purchase products and services
online. Building the Web site you need to accomplish your business goals is not a simple
undertaking. Available Java technologies (JavaServer Pages, servlets, and JavaBeans™)
offer different advantages, and combining them to achieve the best results is usually
necessary. Although you can build a simple shopping cart using JSP alone, significant
business applications require the complementary strengths of all three technologies. Let’s
see how to combine them to best effect.

For example, JSP offers a 100 percent pure Java alternative to Microsoft’s proprietary
Active Server Pages (ASP). JSP technology extends Java servlet technology, and, in fact,
the JSP framework translates JSP into servlets at runtime. Servlets are popular because
they supply architectural and performance advantages over Common Gateway Interface
(CGI) scripts. Servlets can also generate dynamic Web pages by mixing static HTML
with content supplied by database queries or business services. JavaServer Pages invert
this approach by imbedding Java code in HTML. This ability to insert Java code into
HTML pages adds flexibility to servlet-based Web architectures.

To generate HTML, servlets must supply formatted strings to println() calls. This
technique clogs Java code with line after line of hard-to-comprehend HTML.
Furthermore, when servlets generate HTML, Web page design requires programmers.
JavaServer Pages pull HTML out of Java code and create a role for HTML designers. Site
development can proceed along parallel tracks (Java design and HTML design), thereby
delivering a Web site faster. JavaServer Pages also encourage loose coupling between
business logic components and presentation components, thereby making reuse of both
more likely. The shopping cart application discussed in this chapter examines the role of
JSP in Web architectures and offers a practical example of how to get the most out of
your e-business applications.

A Shopping Cart Scenario

The shopping cart scenario presented in this chapter is a simplified online produce store.
Customers select produce items to add to their shopping cart, and then move through a
series of forms to purchase the items. Figure 7.1 shows that the application architecture
combines JSP with servlets and JavaBeans[1]. Building simple Web applications using JSP
alone is possible, of course, but significant business applications require all three.

Figure 7.2 shows the model-view-controller (MVC) pattern, which partitions applications
into separate data management (model), presentation (view), and control components[1]. It
underlies most modern graphical user interfaces. The partitioning encourages
independent evolution and reuse of the separate components. You can also apply the
MVC pattern to Web applications. JavaServer Pages most appropriately implement the
presentation part of a Web application. JavaBeans encapsulate the services that supply
content to a Web site and simplify passing data between the components of the
architecture. Servlets function best as controllers and mediators routing user requests and
application messages, updating application data, and driving the application workflow.

Technologies such as JSP encourage certain designs, but don’t enforce them. For
instance, all the code that might be put in a servlet or bean could be part of a single,
certainly very confusing, JSP page. The JSP specification permits such designs.
Conversely, anything a JSP page can do, a servlet can also do, so you can build a working
architecture that ignores JSP. The adoption of a design pattern, however, implies certain
design practices and choices. Design patterns generalize the collective wisdom of other
developers. Developers capitalize on these lessons when they adhere to design patterns. If
you use the MVC pattern, then the pattern implies that you should not mix presentation
elements with control or data elements. Stated more specifically, you should not print
HTML from a controller component (servlet) or imbed control elements in a presentation
component (JSP). You should limit the Java in a JSP page to communication with the
control and data components. Finally, if the data model for your application is at all
complex (and it would be in any realistic business application), then you should not
imbed data and computation services in either the control component or the view
component. Instead, you should encapsulate such business in worker components

Bollinger, Gary and Bharathi Natarajan, “Build an E-Commerce Shopping Cart,”
Reprinted from Java Pro magazine with permission from Fawcette Technical
Publications, Inc., 913 Emerson Street, Palo Alto, CA 94301-2415. Copyright © 2000 by
Fawcette Technical Publications, Inc. All rights reserved.

The CustomerServlet

With the design issues of this scenario in mind, let’s look at the details of a sample
application. For example, a CustomerServlet controls the application workflow by doing
two things: it maintains state (the model) for a shopping cart component (implemented by
a BasketBean class), and it routes client requests through a series of JSP pages.

The BasketBean

A BasketBean usually implements a simple data manager (model) for a shopping cart
application. The BasketBean class provides a method to get the running total of a
customer’s purchases and a method to update the contents of the basket. It maintains a
running list of Product instances requested by the client in a hashtable keyed off the Stock
Keeping Unit (SKU) number. Each Product instance stores four attributes: a product
name, SKU number, price per pound, and the number of pounds purchased. A product is
added only if the number of pounds is greater than zero.

The Pages

This simple shopping cart scenario supports a workflow with four stages and three JSP
pages: Inventory.jsp, Purchase.jsp, and Receipt.jsp (see Figure 7.3)[1]. The sample
application presents Inventory.jsp to new clients. Clients select produce by performing
one or more updates to Inventory.jsp. After selecting produce for purchase, clients
purchase the produce and the application presents Purchase.jsp. Finally, the client
confirms the purchase, and the application presents Receipt.jsp.

This JSP page mixes standard HTML with specialized JSP elements. The JSP
specification calls the static HTML in a page “fixed template data” and writes it essentially
verbatim (certain substitutions based on quoting and escape conventions are still applied)
into the http response stream. For example, the servlet framework writes the tag
<HTML> unchanged to the response stream. Besides fixed template data, JSP pages can
include directives, scripting elements, and actions. This simple Web store illustrates all

A Real-World Application Model

The preceding simple application is clearly a toy, not meant for deployment. Still, a real
application should follow the same MVC pattern demonstrated by the simple application.
Now, let’s look at how to modify some aspects of the toy to create a more realistic e-
commerce application.

The grocery application implemented its model by using the BasketBean class. The
BasketBean illustrates two qualities of toy software: it “hard codes” its data, and it fails to
define a standard interface. Such flaws limit the maintainability, extensibility, and
scalability of an application.

A production application should define a standard interface for accessing the application
model. An interface establishes a contract allowing different implementations to be
“plugged-in” as required. Such “pluggable” implementations illustrate the bridge pattern.
The purpose of the bridge pattern is to decouple abstract functionality from any specific
implementation of the functionality. For example, the inventory data is initially stored as
static information imbedded in Java code[2]. To gain flexibility, you might pull this data
out of code and store it on the file system. As data volumes grow, a common requirement
is to move data storage into a relational database management system (RDBMS). If the
BasketBean implements a standard interface, then you can reimplement this interface to
use a file system or an RDBMS without rewriting the CustomerServlet.
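The bridge pattern as the paragraph applies it, as an added example rather than the
article's Java: one interface for inventory data, a hard-coded implementation like the toy
BasketBean, and a second implementation backed by a relational table (in-memory SQLite),
with controller code written only against the interface. Python stands in for Java here;
the interface name, the table and the produce rows are constructed.

```python
import sqlite3
from abc import ABC, abstractmethod
from typing import List, Optional, Tuple


class InventorySource(ABC):
    """The standard interface: callers depend on this contract, not on where
    the product data happens to live."""

    @abstractmethod
    def price_per_lb(self, sku: str) -> Optional[float]: ...

    @abstractmethod
    def list_products(self) -> List[Tuple[str, str, float]]: ...


class StaticInventory(InventorySource):
    """Data hard-coded in the class, as in the toy application."""
    DATA = {"4011": ("Bananas", 0.59), "4131": ("Fuji apples", 1.49)}   # constructed

    def price_per_lb(self, sku):
        entry = self.DATA.get(sku)
        return entry[1] if entry else None

    def list_products(self):
        return sorted((sku, name, price) for sku, (name, price) in self.DATA.items())


class SqliteInventory(InventorySource):
    """The same contract backed by an RDBMS table; nothing above it changes."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    @classmethod
    def with_sample_data(cls):
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE produce (sku TEXT PRIMARY KEY, name TEXT, price_per_lb REAL)")
        conn.executemany("INSERT INTO produce VALUES (?, ?, ?)",
                         [("4011", "Bananas", 0.59), ("4131", "Fuji apples", 1.49)])
        conn.commit()
        return cls(conn)

    def price_per_lb(self, sku):
        row = self.conn.execute("SELECT price_per_lb FROM produce WHERE sku = ?",
                                (sku,)).fetchone()
        return row[0] if row else None

    def list_products(self):
        return self.conn.execute(
            "SELECT sku, name, price_per_lb FROM produce ORDER BY sku").fetchall()


def line_total(source: InventorySource, sku: str, pounds: float) -> float:
    """Controller-side code that only knows the interface; the price comes from
    the source, never from the request, so a client cannot supply its own."""
    price = source.price_per_lb(sku)
    if price is None or pounds <= 0:
        raise ValueError(f"unknown SKU or non-positive weight: {sku}")
    return round(price * pounds, 2)


def rejects_unknown(source: InventorySource, sku: str) -> bool:
    try:
        line_total(source, sku, 1.0)
        return False
    except ValueError:
        return True
```

Swapping StaticInventory for SqliteInventory changes one constructor call in whatever
assembles the application; the controller and the basket code compile and run unchanged,
which is exactly the decoupling the paragraph describes.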

Real-world applications may also require the separation of data from code. Data changes
often, but code should rarely change. A minimum requirement for moving the sample
application into a production environment would be to split its model into separate data
access and data management tiers. This two-tier architecture allows data volumes to grow
without affecting code. Figure 7.4 shows the design after separating data from data access
and after defining a standard interface[1].

Often, scalability or data transaction requirements force introduction of a third tier into
the data management architecture. Common Object Request Broker Architecture
(CORBA) or Enterprise JavaBean (EJB) interfaces to data management services are now
common. If the BasketBean implements a standard interface, then you can reimplement it
as a distributed service. Figure 7.5 shows this three-tier implementation of the application


Loose Component Coupling

One of the reasons for JSP applications to follow the MVC pattern is that this pattern
encourages distinct, clearly defined roles for model, view, and controller components.
You should keep these components as loosely coupled as possible. The CustomerServlet,
however, is not loosely coupled, because it encodes specific workflow states and hard
codes the names of specific JSP pages.

Tight coupling between the controller and view components means that changes to one
component demand corresponding changes to the other component. In this case, if you
add additional JSP pages to the shopping workflow, you must add additional conditions
to the CustomerServlet program logic. Alternately, the CustomerServlet forces you to
give specific names to the JSP pages.

This sample application would be more maintainable and more scalable if you could
remove the tight coupling between the CustomerServlet and its JSP pages. One way to
minimize this close coupling would be to create a helper bean for each JSP page. You can
install these helper beans in the CustomerServlet to manage all HTML requests directed
at the associated JSP page. Such encapsulation of each request in a request handler object
illustrates the command pattern. As with the bridge pattern, the key to implementing a
command pattern is to declare a common interface that each request handler must
implement. In this case, the simplest form of such an interface might be a single method,
such as redirect(), into which you pass the request parameter and the BasketBean object.
Because every concrete implementation of the interface supports this method, the
CustomerServlet can invoke the interface on any given handler without knowing
anything specific about its implementation (see Figure 7.6)[1].

You can customize each helper bean for its partner JSP page and make it as complex as
necessary. For example, it can validate input parameters passed in the request, whether by
simply guaranteeing nonblank entries or by performing more complex tasks such as
verifying credit card information.

If you adopt the helper bean architecture, then you might wonder how you install the
bean. After all, although the JSP framework translates JSP pages into servlets at runtime,
JSP pages are just files until the framework translates them. It’s a kind of chicken-and-
egg problem.

A JSP page has exactly one input point, but it could have multiple outputs based on the
number of submit buttons. Each output could be associated with a different JSP page. For
instance, Inventory.jsp has two outputs, one for Purchase.jsp and one back to itself. You
could associate a helper bean with each output point using a hidden tag.
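The BasketBean described earlier in the chapter and the helper-bean command pattern just
described, together in one added example. This is a Python rendition, not the article's Java
code: a Basket keyed by SKU that only stores positive weights, one request handler per JSP
page behind a common redirect(params, basket) method, and a controller that dispatches on a
hidden “handler” form field instead of an if/else chain over page names. The inventory
rows, field names and page names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Protocol


@dataclass
class Product:
    """The four attributes the article's Product carries."""
    name: str
    sku: str
    price_per_lb: float
    pounds: float


class Basket:
    """Stand-in for BasketBean: products keyed by SKU, running total."""

    def __init__(self):
        self.items: Dict[str, Product] = {}

    def update(self, product: Product) -> None:
        if product.pounds > 0:              # add only if pounds > 0
            self.items[product.sku] = product
        else:
            self.items.pop(product.sku, None)   # zero pounds removes the line

    def total(self) -> float:
        return round(sum(p.price_per_lb * p.pounds for p in self.items.values()), 2)


# Constructed inventory (the article's toy hard-codes its data too).
INVENTORY = {"4011": ("Bananas", 0.59), "4131": ("Fuji apples", 1.49),
             "4065": ("Green peppers", 1.99)}


class RequestHandler(Protocol):
    """The single-method interface every helper must implement."""
    def redirect(self, params: dict, basket: Basket) -> str: ...


class InventoryHandler:
    """Helper for Inventory.jsp: validate the weight fields, update the basket,
    and pick the next page from which submit button was pressed."""

    def redirect(self, params, basket):
        for sku, (name, price) in INVENTORY.items():
            raw = params.get(f"lbs_{sku}", "").strip()
            try:
                pounds = float(raw) if raw else 0.0
            except ValueError:
                return "Inventory.jsp"          # bad input: redisplay the form
            if pounds < 0:
                return "Inventory.jsp"
            # Price comes from the inventory, never from the request.
            basket.update(Product(name, sku, price, pounds))
        if params.get("action") == "purchase" and basket.items:
            return "Purchase.jsp"
        return "Inventory.jsp"


class PurchaseHandler:
    """Helper for Purchase.jsp: guarantee non-blank entries before the receipt."""
    REQUIRED = ("name", "address")

    def redirect(self, params, basket):
        if any(not params.get(field, "").strip() for field in self.REQUIRED):
            return "Purchase.jsp"
        return "Receipt.jsp"


class CustomerController:
    """The CustomerServlet's role: look up the helper named by the hidden field
    and call it through the interface without knowing its implementation."""

    def __init__(self):
        self.handlers: Dict[str, RequestHandler] = {
            "inventory": InventoryHandler(),
            "purchase": PurchaseHandler(),
        }
        self.basket = Basket()     # per-session state in a real deployment

    def service(self, params: dict) -> str:
        handler = self.handlers.get(params.get("handler", ""))
        if handler is None:
            return "Inventory.jsp"   # unknown or missing hidden field: start over
        return handler.redirect(params, self.basket)
```

Note that the hidden field selects a handler by name from a fixed table; it is never used
as a page path, so a client that edits the field can only reach handlers the controller
already registered.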

Finally, JavaServer Pages extend servlet technology in useful ways. By supporting
Java scripting, they provide a role for Web designers alongside developers and add
flexibility to servlet architectures. JSP pages do not replace servlets; servlets, JSP, and
JavaBeans play complementary roles in Web architectures. By following the MVC
pattern, JSP applications can independently extend or enhance the controlling servlet, JSP
page, and application model to support real-world scaling. The application model can be
extended to a two- or three-tier design; in addition, adding helper beans can manage the
JSP workflow and support loose coupling of application components.


The heart of any Web store is the software that it runs on. However, up until relatively
recently, software solutions for e-commerce were largely do-it-yourself affairs, consisting
of a number of disparate tools lashed together to fulfill the major tasks of an online store.

This situation is changing rapidly. Every day sees the launch of a new software product,
each of which claims to be a complete shopping cart. However, close investigation
reveals a huge difference in the features that these products offer and the price that is
charged for them. It’s not surprising, therefore, that the selection of a suitable shopping
cart is a decision that many aspiring Web merchants agonize over.

So, what features should you look for when choosing a shopping cart? There are three
basic areas to examine: how easy the store is to set up, how easy it is to process orders
through it, and how easy it is to administer on a day-to-day basis.

To an extent, the desirable setup features and options will depend on the skill levels of the
individual storeowner. For example, a storeowner with no HTML or CGI experience
should look for software that creates a complete store via wizards and templates. On the
other hand, more technically savvy merchants will want a solution that provides them
with a higher degree of flexibility and enables them, for example, to create their own
HTML pages.

Regardless of technical skill levels, there are several features that all merchants should
look for. Good documentation and support is a must, of course. Also vital is the ability to
import product data from a database file. For example, after you have more than 10 to 20
items for sale, entering product details manually becomes a major chore.

Would-be storeowners should also think carefully before selecting a shopping cart that
relies on the use of cookies to track visitors in a store. Although much of the media hype
surrounding the use of cookies is dying down, there is still a fair amount of misleading
and confusing information around. And as a result, many people still surf with cookies
disabled in their browsers and are, therefore, unable to shop in stores that rely on them.

An important part of the setup process is the specification of sales tax and shipping
charges. Be careful—many shopping cart solutions currently available have major
limitations in these areas. For example, they may have no way of specifying shipping
charges for international shipments or they may be limited to being able to collect sales
tax from only one U.S. state. The best shopping cart solutions come with preset tax tables
that ensure the correct levels of tax are collected on each order. Some shopping cart
solutions also interface directly with information from carriers such as UPS and can
automatically calculate the shipping cost for each order.

Another area to investigate is the range of advanced features and services that are
provided. Services such as domain name registration and automatic search engine
submission can save a lot of hassle. And, additional features such as autoresponders and
chat rooms can help build a top-class store.

Furthermore, you should also look at order processing. The first two order processing
features to check for are the availability of a virtual shopping cart and the ability to
transfer data securely using SSL. Most shopping carts now come with these features, but
it’s worth checking anyway.

Although the bulk of orders in an online store will probably be placed online and paid
with by a credit card, there are still a lot of shoppers who want to shop and pay using
alternative methods. In order to maximize your sales, a Web store should, therefore, be
capable of accepting orders and payments in as many ways as possible. Available
ordering methods include online, fax, telephone, and snail mail, whereas payment
methods include credit and debit cards, paper and electronic checks, and digital cash.

And, although most smaller merchants will choose to process their credit card payments
offline, it is worth checking that the software is also able to easily handle online
processing. This gives flexibility to cope with future growth.

Note It is also important to select a shopping cart solution that automates as much of the
order management process as possible; for example, the ability to automatically
send an e-mail order acknowledgment to the customer along with a unique number
for order tracking.

Security is another major concern. Although SSL capability is included with most
shopping cart solutions today, some solutions still have major security weaknesses. For
example, although they transfer the customer’s credit card details from their browser to
the merchant’s server using SSL, they may leave it in an unsecured area of the server
where unauthorized parties could access it. Even worse, some send the customers details
to the merchant using unencrypted e-mail.

There are some other features that are also worth looking for. For example, discount clubs
allow you to automatically give discounts to repeat or high-volume customers. Online
order tracking allows customers to instantly check the status of their orders and eases the
demands on your customer service team. And, an inventory management facility can
automatically remove items from sale once the stock drops below a predetermined level.

You should also ignore all the hype about setting up a Web store and then laying back and
waiting for the money to roll in. Running a successful online store requires a great deal of
effort. However, you can make things easier by choosing a shopping cart software
solution that simplifies the day-to-day running of the store.

The first consideration is the method that is used for accessing and administering the
store. Some packages require that changes be made offline and then uploaded to the
server. This usually restricts changes to one specific PC, which can be very limiting.
Alternatively, many packages allow stores to be updated online from any Internet-
connected PC.

Next, check out how easy it is to add, delete, and amend product data, as well as how
easy it is to run special time-limited price promotions. Try to avoid shopping cart
solutions that require all changes to be made offline and then for the whole database to be
reloaded on to the server.

Also, look out for any additional marketing tools that might be provided, such as the
maintenance of customer buying history and preferences, targeted e-mailing capability,
and affiliate program management. These can all prove to be very

Finally (and most importantly), examine closely the reports that are provided. There will
be no salesperson in your virtual store to monitor customer behavior and buying patterns
—reports are your only source of information. So, without good reports, you will lack
data to make fundamental decisions about the effectiveness of your store’s design and
product offerings.

Some shopping cart solutions only provide basic analysis of server logs; for example, the
number of hits and referrer information. This is totally inadequate. Ensure that the
shopping cart solution you choose provides a complete suite of detailed reports; for
example, a sales history analysis and information about the most common paths that
customers are taking through your store.

So, now that you have built your shopping cart applications, what should you do? Tell
your customers to shop until they drop!
Chapter 8: Mobile Electronic Commerce
“Walking and talking is the slowest form of mobile communication.”



The use of mobile technologies is steadily on the increase, for both e-commerce and
personal uses[4]. Mobile phones are a common sight today and many people own personal
information management (PIM) devices or handheld computers, where they manage their
schedule, contacts, and other essential functions. Employees on the move appreciate the
value of staying connected with their enterprise and other resources through mobile
phones. Most enterprises now have corporate mobile phone plans that make it easier for
mobile employees to stay in touch and increase productivity.

With rapidly advancing technologies, most wireless carriers today offer transmission of
data in addition to voice signals. For example, you can now receive e-mail on your
mobile phone in addition to regular calls. With the growing proliferation of wireless
enabled Personal Digital Assistants (PDAs), Blackberry mobile e-mail devices, and
notebook PCs, it is all the more important to ensure that the mobile employees are
connected to, and supported by, the enterprise[6]. Although the terms “mobile” and
“wireless” are often used interchangeably, they are two different things:

• Mobile devices are portable, electronic components that are used by mobile
people to do their work.
• Mobile pertains to the ability of an entity to be on the move.
• Wireless pertains to the technology that allows transmission of voice, data, and
other content through radio waves over the air, not restricted to physical cables[2]
or other physical media[1].

It is wireless technology that facilitates employee or enterprise mobility. Mobile devices
depend on wireless technology to connect to the enterprise and transfer content in order
to fulfill the users’ e-commerce needs.

It is not surprising that an increasing number of employees are demanding mobile support
from their enterprise in order to maximize performance. Without a proper mobile strategy
in place, most enterprises will fail to meet their cost and performance objectives. In fact,
recent studies have shown that mobile employees connected to the enterprise are much
more effective than if their enterprise did not support a mobile workplace. For employees
whose work is mostly away from their desktops, this is an important issue.

Mobile employees have a long list of enterprise capabilities needed to support their work.
Here are some basic requirements:
• Adequate protection of information on wireless devices to ensure that confidential
business information is not lost or stolen
• Wireless connection to enterprise assets using laptops, PDAs, mobile phones, and
other devices for flexible access to business processes
• Mobile connection via laptops so that work can be done from anywhere
• Real-time synchronization of information to ensure accuracy and consistency
• Ability to receive appropriate alerts and messages to the mobile device in order to
carry out required job functions with optimal efficiency[1]

The expectations previously listed are quite typical, and today’s mobile infrastructure is
able to deliver them with significant success. The wireless industry is continually
evolving, with new developments springing up at an accelerated pace.

The line between computing and telephony is slowly blurring. Devices that combine the
features of mobile phones and PDAs are becoming quite popular in the market today.
Eventually, it will be one combined device you carry—where you do your scheduling, e-
mail, Web surfing, videoconferences, document management, and take all your business
and personal calls. This would be a true all-around utility device. With data storage
capabilities[3] and network bandwidth steadily improving, it won’t be long before you
have the capabilities of a currently available high-end desktop computer in a device that
fits into your pocket. One can only speculate about the ramifications this convergence of
devices will have on the way you work and how enterprises will function.

Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
Vacca, John R., The Cabling Handbook (2nd Edition), Prentice Hall PTR, 2000.
Deshpande, Sumit, “Enabling Mobile eBusiness Success,” © 2003 Computer Associates International, Inc., One Computer Associates Plaza, Islandia, NY 11749, 2003.
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,

Wireless Industry Standards

No technology works in a vacuum. Many entities work at different levels to bring the
technology to a more mature and usable state. Standards and specifications are first
conceived, developed, and then implemented. Currently, most standards bodies for the
mobile e-commerce environment are focused on hardware- or infrastructure-related
issues. Some of the more important standards organizations related to the wireless
industry today include:

• Bluetooth Special Interest Group (SIG) is a volunteer organization run by
employees from member companies. Members support a number of working
groups that focus on specific areas, such as engineering, qualification, and
marketing. The member companies build and qualify products under strict
qualification procedures with regular testing of products at events sponsored by
• The Institute of Electrical and Electronics Engineers (IEEE) does extensive
research in technology spanning a broad spectrum. They created the 802.11
standard for wireless networks, and are also instrumental in creating security
protocols such as Wired Equivalent Privacy (WEP)[5]. The IEEE does not provide
certifications of any kind for their specifications.
• Wireless Application Protocol (WAP) Forum offers a comprehensive certification
and interoperability testing program that covers device testing, content
verification, and a set of authoring guidelines to assist developers in providing
interoperable WAP applications and services.
• Wireless Ethernet Compatibility Alliance (WECA) seeks to attest interoperability
of products based on the 802.11b specification, and certify them Wireless Fidelity
(Wi-Fi) compatible. They endorse Wi-Fi as the global wireless LAN standard
across all market segments[1].

Many other organizations such as the W3C, Wireless DSL Consortium, and other
institutions have standards directly affecting the wireless industry, though they are not
specific to wireless communications. For example, XML and Web services standards are
increasingly part of the development and deployment to server and desktop processing,
but they are equally applicable to wireless applications. Several new standards groups are
being formed to address specific issues regarding mobile e-commerce.
Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

Wireless Communication Platforms for LANs

Despite the prevalence of standards committees in the wireless industry, there is no single
unifying standard. It is important for enterprises to consider all the aspects involved in
mobile support while contemplating a strategy for mobile e-commerce. Some of the key
criteria in choosing a wireless network specification include:

• Average size of transfers
• Number of devices in the wireless network
• Others
• Range of transmission
• Security measures
• Speed of network[1]

Wireless networks may operate in one of two modes—on demand and infrastructure.

On Demand Mode (Peer-to-Peer)

Each mobile device, also known as a mobile client, communicates with the other devices
in the network, within a specified transmission range or cell. This is described in Figure
8.1[1]. If a client has to communicate with a device outside the specified cell, a client
within that cell must act as a gateway and perform the necessary routing.

Infrastructure Mode (Wireless LAN)

Communications between multiple wireless clients are routed by a central station known
as an “access point.” The access point acts as a bridge and forwards all communications
to the appropriate client in the network, whether wireless or wired. Besides having routing
mechanisms, the access point also has a Dynamic Host Configuration Protocol (DHCP)
server and other features that facilitate wireless communications in a small to large
business environment. Residential gateways are similar to access points, but do not have
the advanced management features required for corporate networks or high-traffic
environments. A wireless client must first be authenticated, and then associated with an
access point, before it can perform any communications. Figure 8.2 shows a typical
wireless LAN environment[1]. Enterprises that have a strong mobile e-commerce strategy
must make a selection from the major wireless LAN specifications available in the
market today.

The 802.11b specification was defined by the Institute of Electrical and Electronics
Engineers (IEEE). 802.11b is used as an extension of Ethernet to wireless
communication, and as such is quite flexible about the different kinds of network traffic
that pass over it. It is primarily used for Transmission Control Protocol/Internet
Protocol (TCP/IP), but also supports AppleTalk and other PC file sharing standards.
Disparate systems like PCs and Macs may communicate over 802.11b, using PC or
Peripheral Component Interconnect (PCI) cards, and even some of the newer hardware
utilizing Universal Serial Bus (USB) and other forms of 802.11b-based wireless network
cards. Adapters for PDAs, such as Palm OS and PocketPC based devices, are also

802.11b facilitates the wireless transmission of approximately 11 Mbps (megabits per
second) of raw data at distances ranging from a few feet to several hundred feet over the
standard 2.4 GHz (gigahertz) unlicensed band. The coverage distance depends on line of
sight and on obstacles, both known and unforeseen. Several new protocols based on
802.11b, but not compatible with it, are also being released.


Protocol 802.11a transmits 54 Mbps over the 5 GHz band. This is ideal for large data file
transfers and bandwidth intensive applications over a limited area. Although performance
and throughput are significantly increased, the transmission range is notably reduced.

Protocol 802.11g transmits 22 Mbps over 2.4 GHz. This specification is considered to be
the next generation wireless network platform for the enterprise, working twice as fast as
the current 802.11b specification. However, this is still a work in progress.

Note 802.11b has become the standard wireless network deployment platform for public
short-range networks, such as those found at airports, hotels, conference centers,
and coffee shops and restaurants.


This wireless network specification, defined by the Bluetooth Special Interest Group, is
ideally suited for Personal Area Networks (PANs) that operate over short ranges and need
a robust wireless network that allows transmission of bandwidth-intensive information.
Bluetooth specifications also promote interdevice communications, so mobile phones can
communicate with PDAs, PDAs with notebook PCs, and so on. Although it uses the
unlicensed 2.4 GHz band for transmission, its transmission is faster than 802.11b
networks in both on demand and infrastructure modes. Bluetooth’s range is, however,
much shorter. Bluetooth technology works well for on demand networks and situations in
which device-to-device communication is desired. For example, you can wirelessly
connect from your PDA to a printer to print documents, or perhaps synchronize your
desktop with your PDA over the air.

Wireless WANs

Although the preceding architectures are specific to wireless LAN environments,
employees that are outside the coverage area are required to connect through wireless
carriers that provide support for a wireless wide area network (WAN) environment. There
are several wireless WAN protocols used all over the world.

Code Division Multiple Access (CDMA)

With CDMA, a large number of users are able to access wireless channels on demand.
Used by most digital mobile phone companies today, the performance is almost 8 to 10
times better than traditional analog cell phone systems. The latest generation of this
technology is called 3G and is much anticipated by many mobile users.

Global System for Mobile (GSM)

The GSM wireless platform provides full voice and data support with worldwide roaming
capabilities. Included in the GSM family is the General Packet Radio Service (GPRS)
platform for delivering Internet content on mobile devices, and the Enhanced Data rates
for GSM Evolution (EDGE) and Third Generation GSM (3GSM) for delivering mobile

Most wireless carriers base their offerings on the previously mentioned platforms,
leveraging the strengths of the protocol they decide to use. For example, services offered
by Sprint PCS and Verizon Wireless are based on CDMA, whereas AT&T Wireless and T-
Mobile use GSM.

Facilitators of a Wireless Environment

In order to facilitate a mobile e-commerce environment, participation of several partners
is required, namely:

• Independent hardware vendors (IHVs)
• Independent software vendors (ISVs)
• Mobile device manufacturers
• Service providers (SPs)
• Wireless operators (or carriers)[1]

Note Connecting all these participants together to create a viable solution are systems
integrators with focused practices in mobile e-commerce implementation.

Wireless Hardware

There are numerous devices that are wireless-enabled to facilitate an efficient mobile
workforce. Some of the top companies that provide these devices are:

Compaq: The makers of iPAQ handheld computers and notebook PCs. They are used in
many enterprise settings due to their versatility and high performance. They use
Microsoft’s PocketPC platform as their operating system.

Kyocera: They specialize in mobile phones with PDA capabilities, using the Palm OS.

Nokia: The leading mobile phone manufacturer, with innovative products that combine
mobile phones, PDAs, and other features.

Palm: Currently the leading provider of PDAs; their operating system, called Palm OS, is
a popular platform for wireless application deployment.

Research In Motion (RIM): The makers of the increasingly popular Blackberry wireless
devices that allow mobile users to send and receive e-mail.

Symbol: The leading manufacturer of wireless devices and scanners for retail, utilizing
the latest technology in bar code scanning[1].

Wireless devices add value to the enterprise only when they connect to the IT
infrastructure and are actively supported by the administration. Access points, network
cards, and other components essential to the deployment of a wireless communications
infrastructure are available from several vendors, including:
• 3Com
• Cisco[4]
• Fujitsu
• HP
• Siemens[1]

Note With the wireless infrastructure in place, it is important to choose the right carrier to
facilitate high-quality communications.

Wireless Operators

Wireless operators are organizations that provide the hardware and communications
infrastructure to make wireless transmission possible in a wireless LAN and/or a wireless
WAN environment (see Figure 8.3)[1]. Most of these provide basic wireless phone
services and many of them now offer services to transmit data in various forms. The top
three wireless carriers worldwide are listed in Table 8.1[1].

Table 8.1: The top three international wireless operators

Wireless Operator Country of Service
Vodafone Germany
China Mobile China
NTT DoCoMo Inc. Japan

The top wireless carriers in the United States are:

• AT&T Wireless
• Cingular Wireless
• Sprint PCS
• Verizon Wireless[1]

Depending on the geographical scope of your organization, you will have to choose the
right partner who can provide the required regional and/or national coverage necessary
for your e-commerce.

Wireless Software

The wireless software industry is still maturing; most of the players are niche solution
providers, and very few actually provide substantial value to enterprise deployments.
Ranging from low-footprint applications like mini-browsers or PDA utilities to more
sophisticated solutions like interdevice communications or global positioning systems,
wireless software vendors are engaged in several innovative research and development
initiatives. Companies such as Microsoft, Sun, Palm, and others are active in this area.

When deploying a mobile e-commerce strategy, you have to consider the right
combination of wireless network architecture, platforms, infrastructure components,
devices, and applications in order to be successful. Figure 8.3 depicts a typical wireless
architecture adopted by most enterprises.

Even with the absence of ubiquitous standards, the current wireless infrastructure is
stable enough to support and deploy wireless applications developed for the mobile
workforce. As wireless technologies mature, the quality and availability of wireless
software will also grow. An important factor to consider is the need to secure and manage
the enterprise infrastructure, while making all the necessary assets available to your
mobile workforce.

Concerns for the Mobile Enterprise

Although it is one thing for organizations to keep up with the latest industry trends,
making it happen in everyday life is a totally different story. The following are some of
the key concerns of enterprises that are contemplating a mobile e-commerce strategy:

Security: Wireless networks are very easy to break into and difficult to monitor. Your
enterprise assets must be protected.

Management: Effective management of the components that make up a mobile
enterprise, all the way from servers to the mobile devices, is an integral concern.

Information access: Corporate information and business intelligence must be made
accessible to your mobile workforce.

Return on investments: Wireless connections should perform as well as, if not better
than, wired connections. They should add value to the enterprise and generate revenue.
The benefits should be measurable in some form. ROI and business continuity is

The number one concern in the world of wireless enterprises is security. Wireless
networks are among the easiest to break into, and most security measures may not be
adequate to prevent intrusion. There are several vulnerabilities in the Wired Equivalent
Privacy (WEP) security features provided in the 802.11b standard. The goal of WEP is to
provide data confidentiality in wireless networks at the same level as a wired one.
However, despite using a well-known encryption mechanism, namely the Ron’s Code 4
(RC4) cipher, WEP is vulnerable to both passive and active attacks. This opens up the
wireless network to malicious parties who can eavesdrop on and tamper with wireless
transmissions. Key management and robust authentication are also open problems with
the 802.11b security features. The IEEE is scheduled to release a more secure version of
WEP in the near future.
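The passive and active weaknesses named above, in an added example that is not from the book: a toy WEP-style frame (IV, RC4 keystream, CRC-32 integrity check value) shows that reusing a 24-bit IV leaks the XOR of two plaintexts without the key, and that CRC-32 is linear under XOR, so it cannot act as a cryptographic integrity check. The key, IV, frames and the frame rate passed to iv_space_exhausted_hours are constructed assumptions.

```python
"""Why WEP's RC4 construction fails: keystream reuse and a linear ICV.

Added example, not from the book: a toy WEP-style encryptor built on
RC4 and CRC-32, used only to show the two weaknesses the text names.
The key, IV, frames and frame rate below are constructed.
"""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || key)(payload || CRC-32(payload))."""
    plain = payload + struct.pack("<I", _crc(payload))
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the payload if the ICV verifies, otherwise None."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != _crc(payload):
        return None
    return payload


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Passive weakness: two frames sent under the same IV and key share a
    keystream, so XORing the ciphertexts cancels it and leaves p1 XOR p2.
    No key is involved; the 24-bit IV makes such reuse inevitable."""
    assert frame1[:3] == frame2[:3], "demonstration needs a repeated IV"
    n = min(len(frame1), len(frame2)) - 3
    return xor(frame1[3:3 + n], frame2[3:3 + n])


def icv_is_linear(payload: bytes, delta: bytes) -> bool:
    """Active weakness: CRC-32 is linear under XOR, so the ICV of a modified
    payload follows from the original ICV and the change alone. An integrity
    check with that property cannot detect deliberate bit flips."""
    zero = bytes(len(payload))
    return _crc(xor(payload, delta)) == _crc(payload) ^ _crc(delta) ^ _crc(zero)


def iv_space_exhausted_hours(frames_per_second: float) -> float:
    """Hours until every 24-bit IV has been used once at a steady frame rate
    (the rate is an assumption, not a measured figure)."""
    return 2 ** 24 / frames_per_second / 3600
```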

Bluetooth comes equipped with security measures such as encryption and authentication,
but these measures may not be sophisticated enough for an enterprise environment.
Organizations that have invested in a wireless network need a strong security solution
today. One way to secure an enterprise infrastructure that includes a wireless network is
to build the wireless network separately from the intranet and set up a firewall to protect
communications between them. Implementing a robust virtual private network (VPN)
solution is also useful. The security features available with the VPN solution, along with
additional authentication and access control features, secure the users whether they are
on a wired or wireless network.

Enterprises must also ensure that all devices are virus free and that they do not act as
carriers of malicious code. Access to the network from mobile devices must be
authenticated, and only authorized users should be allowed access.


Like a wired network, the infrastructure that supports a wireless network also needs to be
managed. Some of the components that must be managed include access points, mobile
devices, wireless application servers, and others.

Management of the network increases performance and allows the administration team to
respond to issues quickly. Besides providing a real-time view of the wireless network, the
management solution must also provide a future view, so that proactive measures can be
taken to prevent problems before they occur.

Corporate assets need to be accounted for. Therefore, each mobile device should come
under the eye of enterprise management. Automatic transfer of relevant information,
applications, and updates (like the latest antivirus signatures) should be made possible. In
addition, data on the mobile devices must be backed up without causing any impediment
to normal processing, and must be automatically moved to the server unobtrusively when
on a wired network.

It is important to understand that wireless systems do not operate in a vacuum; they
integrate into the IT infrastructure. Therefore, management of the wireless infrastructure
must be in the context of the overall enterprise infrastructure. Point solutions for wireless
networks are unable to effectively integrate wireless management information without
first monitoring the rest of the enterprise to promptly identify and resolve problems.
Wireless management solutions must be integrated, comprehensive, and reliable.

Information Access

Enterprises with large data resources have volumes of untapped intelligence just waiting
to be put to use. With a growing mobile workforce, it is essential to make this business
intelligence available to them at their point of need and equip them to make profitable
decisions. Mobile employees must also be able to access the business processes critical to
their job function.

Enterprise portals provide a viable dissemination tool for organizations today. Wireless
access to these portals is no longer a “nice-to-have” feature, but an absolute requirement.
Organizations are also looking for ways to leverage legacy resources and make them
available to mobile devices. With the emergence of Web services, the need for a reliable
solution to extend applications to mobile devices is ever on the rise.

Return on Investments

As the demand for wireless support from the workforce grows, enterprises need to act
quickly and provide the necessary services in order to promote success. For example, the
Gartner Group predicts that more than 70% of mobile applications deployed at the start of
2004 will be obsolete by the end of 2004. Keeping this analysis in mind, it is important to
make the right decisions to promote application longevity, while at the same time being
open to new, improved solutions. For enterprises that are contemplating a mobile e-
commerce strategy, the following points are worth considering:

1. Develop your mobile e-commerce strategy with an enterprise-wide focus.
2. Ensure your wired enterprise infrastructure is in order first.
3. Choose the right partner.
4. Anticipate change and be prepared to leverage new technologies[1].

Developing Your Mobile E-Commerce Business Strategy

All your wireless communications and other mobile activities are an integral part of your
e-commerce. Choose an enterprise-wide solution that covers your e-commerce from end
to end, providing all the required measures for security, management, and information

Ensuring Your Wired Enterprise Infrastructure Is in Order First

It is easier to integrate a wireless network into a well-managed wired environment. And,
it’s even easier at an enterprise-wide scale.

Choosing the Right Partner

You should enter into partnerships with companies that can help you with your specific
needs. Work with systems integrators who have a focused wireless practice. It is also
extremely important to choose the right software vendor to deliver an integrated,
comprehensive, and reliable enterprise-wide solution for your e-commerce.

Anticipating Change and Leveraging New Technologies

The wireless industry is changing rapidly. Mobile devices are getting smaller, faster, and
more capable. Performance of wireless networks is steadily improving. Opportunities to
leverage mobile technologies will continue to grow. Associate with companies that will
change with the times and yet be stable in what they do best.

Finally, other issues such as performance, extensive coverage, hand-over—between
wireless local area networks (WLANs) and wireless wide area networks (WWANs)—and
roaming, are also important and must be part of the evaluation process. Although it is
important to implement a strategy for mobile e-commerce, an overall enterprise focus is
imperative to gain fast and steady returns on investments.


The demand for and use of mobile technologies is increasing at a phenomenal rate.
Simultaneously, the underlying landscape of mobile technologies is changing rapidly,
creating the need for solutions to facilitate the long-term growth and success of mobile
enterprise initiatives. It is important for software vendors to provide comprehensive
solutions to manage, secure, and maintain the mobile applications infrastructure, while
fostering development, integration, and access to applications and information over
wireless mediums.

Finally, although it is one thing for organizations to keep up with the latest industry
trends, making it happen in everyday life is a totally different story. Enterprises must
contemplate developing a mobile e-commerce strategy.
Chapter 9: Enhancing a Web Server with E-Commerce Application Development
“Modesty: the gentle art of enhancing your charm by pretending not to be aware of it.”



Today, business needs to be on the Web. Cost-effective marketing, increased sales
opportunities, customer service, supply chain management, and enhanced Web server
communications are just a few of the benefits the Internet offers. But, building and
maintaining an Internet presence can require a considerable investment of resources, and
organizations are actively seeking ways to get a high return on their investment.

Leading e-commerce software applications offer solutions that maximize a Web site’s
business value. These solutions reduce costs by automating and streamlining
processes, and increase revenues by helping you market, sell, and service your products
more effectively. Deploying a Web server is a fast, comprehensive means to establish
and maintain high-yield relationships with customers, suppliers, and other value-chain
members. According to Forrester Research, companies saw online sales increase 20%
between 2001 and 2002, versus 4.4% for traditional sales outlets.

The Changing Face of Application Development

IT organizations are in a new era. The boom times marked by soaring budgets for Y2K
and Euro projects and the heady dot-com era are over. A changing economy has caused
businesses to focus on maximizing the value and effectiveness of IT investments, while
controlling costs. These new business expectations create a variety of challenges for
business and IT to build and deploy effective Web server-based applications.

Business Demands

The good news is that most businesses are now aware that the capabilities of the IT
organization to build and deploy Web server-based applications are vital to competing
and thriving in this highly competitive world. This perception of the value of IT is
tempered by a need to ensure that projects are prioritized based on their value to the
business. Instead of looking for projects that promise exotic new markets, the priority
today is for those that have clearly defined deliverables and provide a measurable ROI.

The business expectation is for IT to help the company achieve competitive advantages.
Development projects that improve customer service and integrate information from
across the enterprise are still high on the business agenda. Aligning IT with these new
business demands is critical for success.

Challenges for E-Business Development

IT challenges have never been greater. Risk reduction is a key IT objective. At the same
time, service levels and measurable ROIs are essential components of communications
between IT and the business. IT must also consider how to maximize its value to the
organization. Ultimately, focusing on the right projects is important, but IT must also
deliver quality applications that benefit the entire business.

Control over complexity is also crucial. New technologies are arriving at an accelerating
pace. Key technology focus areas today include:

Portals: Enterprise portals are now the standard browser-based vehicles to deliver
enterprise information.

Web services: Integrating enterprise systems is a required foundation to support new
portal, wireless[4], and other initiatives.

Wireless: Full-time access to production business systems is increasingly demanded for
mobile employees[3] and customers[2].

The IT organization must embrace these new technologies and evaluate a wide range of
other new technologies, such as enhanced Linux servers and new generations of
development tools. In all of these cases, successful implementations must be controlled
from the perspective of the entire infrastructure.

For many years, IT professionals have worked to improve development processes and
apply new technologies to benefit enhanced Web server-based application development.
These well-known initiatives are reflected in Computer Aided Software Engineering
(CASE), object oriented, and component development tools and others. Although each of
these has contributed positively to enhanced Web server-based application development,
managing the overall development process is as important as the technology and tools
that are used to build the systems.

The Software Engineering Institute (SEI) is a federally funded research and development
center committed to the evolution of software engineering processes. The SEI developed
what is known as the Capability Maturity Model for Software (SW-CMM), which defines
process maturity levels for software development organizations. It is an excellent example
of an innovative initiative to help software organizations improve the maturity of their
software development processes.

Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
Le Clair, Don, “Managing eBusiness Development,” © 2003 Computer Associates
International, Inc., One Computer Associates Plaza, Islandia, NY 11749, 2003.

Enterprise Development Needs

To maximize value, the three main stakeholders (Business, Application Development,
and IT Operations) need to work together smoothly as shown in Figure 9.1[2]. Solutions
that do not address the needs of all three groups will fail.

Enhanced Web server-based e-commerce application development for the modern
enterprise means much more than just writing code. Managing the e-business
development process involves delivering results in three ways:

• Maximize business value by aligning IT implementations with business goals.
• Increase IT effectiveness by better integrating development and operations.
• Control complexity with end-to-end life cycle management[2].

Meeting these needs requires good communication between the business and IT
communities. With that foundation in place, it is possible to evaluate how
technology can be applied to address the specialized needs of each stakeholder.

Maximizing Business Value

IT expenditures need to be justified and rejustified regularly. IT must ensure that the real
and evolving business requirements are reflected in the resulting applications. They must
also ensure that resources are focused on projects that have high impact on the business.

To ensure that the individual projects actually meet the needs of the business users, it is
vital to drive business knowledge into IT through requirements and business process
modeling. There is no value to the business for systems that don’t meet the user’s
functional requirements. This process must also address the user’s service-level
expectations. Response time and system availability metrics are just as important as
features and functions in successful deployments.
Aligning IT’s resources with business priorities (IT Portfolio Management) is mandatory.
For this to succeed, there must be communication between IT and the business. Key
enabling technology includes solutions that help IT to assess the risk, cost, and benefits of
all initiatives. A management portal is an essential tool for bringing together real-time
project status and scheduling information.

People are hungry for current, reliable information about the enhanced Web server-based
e-commerce application development process. Extensive “what-if” capabilities on
resource and portfolio commitments are also necessary to quickly and effectively respond
to new business opportunities and a changing competitive landscape. Project
management solutions with the capability to manage enterprise-wide schedules make this

With these capabilities in place, a CIO can have confidence that development projects are
focused on delivering maximum value to the business, and that these efforts are
supported by technology that enables a free flow of communications with the line of
business management.

Increasing IT Effectiveness

Of course, IT must maximize the effectiveness of the development organization itself. In
addition, many CIOs have a focus on removing any internal obstacles between
application development and IT operations to ensure that successful, enhanced Web
server-based e-commerce application development efforts flow into successful

A top priority is to accelerate time to market with proven best development practices. An
ideal solution will support the delivery of prepackaged best practices libraries that make
the experience of other professionals available out-of-the-box. Leveraging the expertise
of organizations like the SEI can jump-start efforts to implement consistent, repeatable
development processes and reduce the risk associated with development efforts.

The ultimate goal is to improve quality and effectiveness through a continuous process
improvement cycle. This discipline is widely used in manufacturing and is equally
applicable to enhanced Web server-based e-commerce application development. Any
effective process management solution must be customizable to encompass the actual
experiences of your own organization.

Modeling is a proven solution for improving the effectiveness of the development
process. Modeling techniques apply in many areas of the development process, including
data modeling, component modeling, and business process modeling, which was
discussed earlier.

Data modeling makes Database Administrators (DBAs) and architects more productive
and less error-prone by automating manual processes. Advanced tools in this area provide
guidance and validation of logical and physical models, matched with support for the
many different relational databases deployed in the enterprise. Sophisticated modeling
tools support data cleanliness initiatives by reconciling data models between different
applications and databases.

Component modeling helps architects and developers improve the quality of system
design from the outset. The strongest solutions in this area provide full support for the
Unified Modeling Language (UML) standard. UML ensures support for a broad array of
modeling activities and the ability to import models into many popular development

For enterprise projects, it is also important to support larger development teams with
sophisticated solutions that enable collaborative modeling. Model integration between
solutions works to ensure consistency and automate communication among all
participants in the development process. Sharing and the exchange of models in this
environment is critical to success. It is also important to apply solutions that more
effectively tie the Development and IT Operations organizations together. Two key areas
to address are software delivery and service desk.

Moving software into production requires smooth integration between development’s
change and configuration management solutions and the software delivery solutions used
by IT operations. In addition, modern software delivery solutions must ensure that all the
components of a distributed application are deployed synchronously. Postdeployment
support requires that any problem reported to the service desk can be traced back to the
developer responsible for fixing it.

There is a long tradition of solutions that improve the productivity of developers.

Improving the overall effectiveness of IT means having solutions that address the
collaborative needs of developers, DBAs, and operations staff to help them manage the
entire development process.

Controlling Complexity

The enterprise enhanced Web server-based e-commerce application development
environment is growing exponentially more complex. New development projects
frequently need both Web and wireless deployments and must integrate information from
a wide array of systems and platforms.

Supporting these new applications requires a wide range of technical skills and the
deployment of many sophisticated new technologies. This dynamic environment is
driving the need for sophisticated enterprise-caliber change and configuration
management (CCM) solutions.

An enterprise solution must deliver continuous control across processes, designs, and
applications. In addition to managing on traditional mainframe, Unix, and Windows®
platforms, leading solutions must support the growing popularity of Linux servers. Given
the multiplatform nature of new Web services and wireless technology, CCM solutions
must have the capability to centrally manage change packages that span all these

Deploying applications has also become more complicated than ever before. For
example, deploying a single new wireless application may require the synchronized
delivery of components to wireless devices, Web servers, application servers, and
mainframes. If any individual component is not deployed, then the entire application will
not work. Successful deployments depend on the ability of the CCM solution used by the
development organization to effectively integrate with the software delivery capabilities
used by IT operations.
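The all-or-nothing property described above (a single missing component leaves the whole application broken) is the reason a CCM solution and the operations delivery tooling have to coordinate. The following Python is an added illustration, not code from the original chapter or from any vendor product named in it: a change package whose components target several platforms is deployed as a unit, and a failure on any target triggers rollback of everything already delivered, so a half-deployed application is never left active. The target names, the simulated delivery agents and the sample package are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Component:
    """One deployable artifact and the platform it must land on."""
    name: str
    target: str  # e.g. "wireless", "web", "appserver", "mainframe" (assumed names)


@dataclass
class ChangePackage:
    """A CCM change package spanning several platforms."""
    change_id: str
    components: list


class DeploymentError(Exception):
    """Raised after rollback when any component could not be delivered."""


def deploy_change_package(pkg, deployers):
    """Deploy every component of `pkg` or none of them.

    `deployers` maps a target name to a (deploy_fn, rollback_fn) pair, each
    taking a Component. On the first failure, every component already
    deployed is rolled back in reverse order and DeploymentError is raised.
    Returns the list of component names deployed on success.
    """
    done = []
    for comp in pkg.components:
        if comp.target not in deployers:
            _rollback(done, deployers)
            raise DeploymentError(
                f"{pkg.change_id}: no delivery channel for target {comp.target!r}")
        deploy_fn, _ = deployers[comp.target]
        try:
            deploy_fn(comp)
        except Exception as exc:
            _rollback(done, deployers)
            raise DeploymentError(
                f"{pkg.change_id}: {comp.name} on {comp.target} failed: {exc}") from exc
        done.append(comp)
    return [c.name for c in done]


def _rollback(done, deployers):
    # Undo in reverse dependency order so a mainframe change never outlives
    # the front-end components that depend on it.
    for comp in reversed(done):
        deployers[comp.target][1](comp)


def make_simulated_targets(failing_target=None):
    """Build in-memory delivery agents (constructed for the example).

    `state` records which components are active on each target; the agent
    for `failing_target`, if given, always fails to simulate an unreachable host.
    """
    state = {}

    def agent(target):
        def deploy(comp):
            if target == failing_target:
                raise RuntimeError("delivery agent unreachable")
            state.setdefault(target, set()).add(comp.name)

        def rollback(comp):
            state.get(target, set()).discard(comp.name)

        return deploy, rollback

    deployers = {t: agent(t) for t in ("wireless", "web", "appserver", "mainframe")}
    return deployers, state


def run_demo(failing_target=None):
    """Deploy a constructed four-platform package; report outcome and final state."""
    pkg = ChangePackage("CHG-0001", [  # assumed change identifier
        Component("orders-midlet", "wireless"),
        Component("orders-ui", "web"),
        Component("orders-ejb", "appserver"),
        Component("ORDPROC-COBOL", "mainframe"),
    ])
    deployers, state = make_simulated_targets(failing_target)
    active = lambda: {t: sorted(s) for t, s in state.items() if s}
    try:
        names = deploy_change_package(pkg, deployers)
        return ("ok", names, active())
    except DeploymentError as exc:
        return ("rolled_back", str(exc), active())


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(failing_target="mainframe"))
```

When the mainframe delivery fails, the three front-end components that were already delivered are withdrawn and no target is left with a partial release; in a real CCM integration the rollback functions would be the delivery tool's own uninstall or previous-version restore actions.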

Enhanced Web Server-Based E-Commerce Site Business

Companies that market, sell, and service products via the Web share similar objectives,
which typically include:

• Creating a customer community through improved communications, which can
involve online discussion groups, targeted promotions, and content that fits
customers’ interests.
• Reducing transaction costs. Automating online order and fulfillment processes is
just one method to streamline business tasks.
• Facilitating customer self-service and reducing customer service costs by
decreasing expensive dependence on call centers.
• Gaining insight into customer behavior to market and sell more effectively. This is
accomplished with sophisticated analysis and reporting applications that
transform information collected from observation logs, customer profiles, and
transaction databases into knowledge that can help you determine what your
customers want.

Meeting some or all of these objectives can enhance the site’s business value and overall
profitability. A Web site is a fast, inexpensive way to deliver information to customers
and to tailor it to their individual concerns. According to Forrester Research, 90 percent
of all customer, partner, and employee interactions occur on the Web. So, is your business
ready to make the most of its Web site? To do so, a technology solution must deliver a
full spectrum of functionality for data gathering and analysis, retail commerce,
application integration, information exchange, and publishing.

Categories of Business Value

An e-commerce solution can deliver business value benefits in the following categories,
which correspond to Web site business objectives.

Improved Customer Communications

On its site, a company needs to be able to leverage all relevant information in order to:
• Cross-sell products and services.
• Make personalized, effective recommendations on products and services.
• Plan promotions and marketing campaigns.
• Provide targeted information based on customer profiles[1].

Realizing the preceding four goals lets your business take full advantage of one-to-one
personalization. Customer loyalty depends on the quality of the buying experience. So,
anything you can do to enhance that experience will translate into better business value.
The goal is to maximize the value from each customer contact and to deliver highly
personalized interactions to all customers through real-time, as well as offline, channels.
The value of personalized interaction was underlined by a survey conducted by Jupiter
Research, which found that the personalized service offered by 36 surveyed e-commerce
sites boosted new customers by 48% in the first year and increased revenues by 51%.

Leading-edge solutions enable you to capture detailed information about individual
customers, then analyze the information to make better business decisions, customize
responses, and maximize the effectiveness of your communications by tailoring your
interactions with specific users. By gaining in-depth knowledge of your customers, you
can personalize communications to better serve their needs, develop trust, and build
profitable long-term relationships.

Streamlined Business Processes

Organizations significantly increase their Web-based server site’s business value by
automating order processing and fulfillment. Reducing paper-based transactions and
improving organizational efficiency and effectiveness can lower costs. In addition,
organizations can leverage the Web and wireless infrastructure to provide automated
service (and reduce phone calls to employees) throughout the transaction process.

To facilitate automation, you can easily integrate e-business solutions with existing
applications and systems, and access information contained in legacy systems. Multiple
Enterprise Application Integration (EAI) solutions are available from leading commerce
portal providers to integrate popular applications from such vendors as SAP and Siebel®
Systems. Such integration enables you to streamline processes, exchange information,
and conduct business more efficiently.

For sites that offer a multitude of products, targeting is essential. With information from
customers, you can narrow down the most appropriate suggestions. The ability to deliver
a simple, relevant, and consistent user experience is key to enhancing Web-based servers
and the online experience and maximizing selling opportunities.

Improved Service Efficiencies and Customer Satisfaction

Early analysis of the value of e-business focused largely on transaction savings as a
means to justify Web-based server site investments. Personalized service delivered via the
Web is highly effective in improving customer satisfaction and retention rates, thereby
increasing the lifetime value of a customer.

In addition, providing customer self-service via a Web-based server site enhances
business value by reducing staffing costs for service and support employees. Many
companies set a goal of handling 80% to 90% of customer care interactions via
personalized self-service. Enabling customer self-service with access to real-time product
availability, order status, and customer account information will improve customer
satisfaction while lowering operational costs.

An additional step to improving a site’s business value is to combine site data with other
business data such as call center information. Doing so enables you to identify, for
example, customers who have the following profile—heavy-volume call center user,
large-volume offline purchaser, and online user. The goal is then to move such customers
more online, thereby reducing their dependency on high-cost call center operations and
lowering transaction costs.

Meeting Customer Needs and Wants

Analyzing customers’ online behavior, trends, and patterns, and building a
comprehensive customer database can lead to a clearer understanding of how to attract
new customers and retain existing ones. This knowledge can improve a site’s business
value when used to design marketing campaigns, more precisely target offerings, and
increase customer loyalty and lifetime customer value. Leading e-commerce solutions
enable comprehensive profiling of site visitors, based on observed (click stream), stated
(registration), and implicit (purchase) behavior. These solutions help you acquire and
analyze customer information, so you can take advantage of mass personalization
capabilities to communicate and market your products more effectively. This can help
increase your Web-based server site revenues by enhancing your ability to close sales
through targeted, real-time promotions. It also allows you to merchandise your products
more effectively, and reduce the time and effort required to market on the Web.

Considering the importance of customer convenience in today’s world of information
overload, a site must be efficient and easy-to-use. Tailoring product information,
promotions, and messages to each customer’s needs will enable more productive site
visits. That can lead to more satisfied users and a significant increase in repeat business.
Additionally, search capabilities that enable consumers to go directly to products that
interest them will help improve business value via increased ratio of transactions to
browser visits. Customer satisfaction and repeat business are crucial for improving the
business value of your Web-based server site.
“Delivering Incremental Business Value Through Your Web Site,” Copyright © Sprint
2002. All rights reserved. Sprint Communications Company L.P. Kansas City, MO 64112,
USA, 2002.

Assessing a Site’s Current Business Value

Sophisticated analysis and reporting applications not only tell you what your customers
are doing, but also report on how your business is doing. You can identify the nature of
the relationship of current online users, thereby establishing a baseline for your site. It’s
difficult to move forward in a useful direction if you don’t know where you are. To assess
that relationship, you need to determine how involved current customers are with the site.
Finding that out requires getting answers to such questions as:

• Do they simply browse or do they purchase? How much money do they spend?
What is the repeat purchase rate?
• How and when do they access the site?
• How much time do they spend on their visits? Is their time being spent in a useful
manner or wasted because of poor design and tedious searches?
• How often do they visit the site?
• What are their areas of interest[1]?

You also need to assess your customers’ actual value to your business. Usually, this is
calculated from transactional data: how recently and how frequently they have visited the
site, and the value of their purchases. However, it could also be a figure based on the
characteristics of your customers. For example, a small or medium-sized business
customer may be worth more than a home-office customer. Answering these questions
about current site users will help you prioritize which customers you want most to retain
and develop.

To further drive a site’s business value, you need to gather information about both online
and offline customers, so you can decide which of them has the potential to become a
more valuable online customer. You can then overlay the assessment of potential
customer value onto the baseline view to more precisely define the customers you want to
develop into valuable customers for the future.

The goals for current valuable offline users are to identify them and turn them into
valuable online customers, which can enhance the business value of a site by reducing
costs for processing transactions and providing customer service. The first step is to
segment users into categories based on their value and their usage of the site.
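The recency, frequency and purchase-value calculation described above, followed by segmentation on the result, is concrete enough to show in code. The Python below is an added example, not code from the original chapter or from any analysis product it mentions. It computes recency in days, purchase count and total spend per customer from a constructed transaction log, then assigns each customer to one of four constructed segments (retain, develop, win-back, browser). The thresholds, segment names, customer identifiers and amounts are all assumptions made for the example; real deployments would tune them from the baseline analysis the text describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample transaction log: (customer_id, purchase_date, amount).
# Not real data.
SAMPLE_TRANSACTIONS = [
    ("c1", date(2003, 1, 5), 120.0),
    ("c1", date(2003, 2, 20), 80.0),
    ("c1", date(2003, 3, 1), 200.0),
    ("c2", date(2002, 6, 10), 150.0),
    ("c3", date(2003, 2, 28), 500.0),
    ("c4", date(2002, 11, 2), 30.0),
    ("c4", date(2002, 12, 15), 25.0),
]

AS_OF = date(2003, 3, 15)  # assumed reporting date


@dataclass
class RFM:
    """Per-customer recency (days since last purchase), frequency, monetary value."""
    recency_days: int
    frequency: int
    monetary: float


def rfm_by_customer(transactions, as_of):
    """Aggregate a transaction log into one RFM record per customer.

    Records dated after `as_of` are ignored so that clock skew or test
    orders with future dates cannot make a customer look more recent than
    the reporting period allows.
    """
    last_purchase = {}
    frequency = defaultdict(int)
    monetary = defaultdict(float)
    for customer_id, purchased_on, amount in transactions:
        if purchased_on > as_of:
            continue
        frequency[customer_id] += 1
        monetary[customer_id] += amount
        if customer_id not in last_purchase or purchased_on > last_purchase[customer_id]:
            last_purchase[customer_id] = purchased_on
    return {
        cid: RFM((as_of - last_purchase[cid]).days, frequency[cid], round(monetary[cid], 2))
        for cid in frequency
    }


def segment(rfm, recent_days=60, min_frequency=2, min_spend=100.0):
    """Map an RFM record to a segment name (thresholds and names are assumptions)."""
    recent = rfm.recency_days <= recent_days
    loyal = rfm.frequency >= min_frequency
    high_value = rfm.monetary >= min_spend
    if recent and loyal and high_value:
        return "retain"        # active, repeat, high spend: protect the relationship
    if recent and (loyal or high_value):
        return "develop"       # active but one dimension short: grow them
    if not recent and high_value:
        return "win-back"      # spent well once, then went quiet
    return "browser"           # low engagement on every dimension


def segment_customers(transactions, as_of):
    """Return {customer_id: segment} for the whole log."""
    return {cid: segment(rfm) for cid, rfm in rfm_by_customer(transactions, as_of).items()}


if __name__ == "__main__":
    for cid, rec in sorted(rfm_by_customer(SAMPLE_TRANSACTIONS, AS_OF).items()):
        print(cid, rec, segment(rec))
```

The same three inputs, once joined with offline call-center or purchase records, give the combined online/offline view the following paragraphs call for; only the transaction source changes, not the scoring.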

Improving Business Value

Analysis and reporting functionality can help improve the business value of your
enhanced Web-based server site by enabling you to take the following steps: first, you
need to review the information available to construct a logical baseline view of your
customers. Analysis and reporting tools maximize the value of the information you’ve
already captured because they help you gain intelligent insight into customer behavior,
preferences, and purchase patterns. They then leverage this information into improved
interactions with individual customers. Analysis applications transform e-commerce
information from observation logs, customer profiles, and transaction databases into
timely information that helps you offer customers the right products or services at the
right time and the right price.

Second, you should use individual profile information and behavioral information on
customers gathered from their online activities, combined with business and external
research data, to create a comprehensive picture of your online and offline customer base.
Third, you should analyze the picture to understand what different customer groups need
from the enhanced Web-based server site and what their requirements might be. This
analysis can help you to create appropriate content, messages, and promotions—even
help you develop new products and services that can be “pushed” to the target individuals
or groups, creating a cohesive strategy across all customer touch points. In the online
environment, this works by specifying business rules that push the right messages to the
right people at the right time. This, in turn, maximizes the opportunity to influence
customer behavior, thereby maximizing the site’s business value. For example, one group
of customers may be cash-rich and time-poor. The analysis and reporting functionality of
your site can help you identify the appropriate content this group will be inclined to
“pull” from the site, and then target messages you need to “push” toward them to
stimulate and increase their online spending and value as customers.

Fourth, an effective e-commerce solution enables you to integrate e-business solutions
with existing applications and systems, and to access information contained in legacy
systems. This integration is a key to enhancing the business value of a site because it
enables you to automate processes for marketing, selling, and service, and to get a
complete picture of your customers. Your enhanced server-based Web site can be an
invaluable channel for reaching new markets and customers, reducing costs by
automating and streamlining processes, getting to know your customers, and selling and
servicing your products more effectively. Solutions that effectively consolidate
information and streamline transactions can be the key to achieving a superior return on
your investment in enhanced server-based Web site technology.

Managed Solutions

Large U.S. companies have begun to outsource their enhanced Web server hardware,
databases, and applications software, as well as all the management and maintenance of
hardware, software, and content. It is becoming more and more popular for companies to
outsource these functions to experts rather than use a less skilled or constrained in-house
team. Almost all hosting is about cost savings, performance improvement, and

Because of the sluggishness in the overall economy, many service providers and
enterprises can no longer afford to do this IT function in-house. Those who have held off
on expansion cannot afford large capital expenses for new equipment or expensive
personnel. For example, according to industry analysts, 53% of IT professionals stated
that staffing expenses will rise in 2004 regardless of the economy. According to Forrester
Research, enterprises can save 47% to 82% of their enhanced Web site-based server
infrastructure costs by turning over their sites completely to a Web host. Hosted
companies experienced a 91% drop in downtime incidents. The increased uptime
translates into about $5.8 million per year in revenues per company.

There are many conveniences that come along with outsourcing, including easy access to
bandwidth, availability of complementary products, security, consulting services, and
predictable budgeting. These conveniences enable companies to focus on core
competencies, improving overall productivity.

Enterprises are still wary of giving up mission-critical applications to hosting providers.
There is a general concern that a company gives up too much control and limits its IT
flexibility when outsourcing mission-critical applications. But according to Summit
Strategies, outsourcing enhances capabilities, supplements in-house skills, and provides
for optimized environments. Plus, outsourcing does not need to be an “all or nothing”

Finally, according to Cahners In-Stat Group, e-commerce applications are the most likely
applications to be outsourced by medium-sized companies. At large companies, these
applications are the second most likely to be outsourced (after database).


Today, businesses take a pragmatic view of investments in IT. For IT managers, the key
to success is to provide the maximum business value for the minimum cost. To achieve
this, IT must align enhanced server-based application development and operations with
the needs and priorities of the business. IT must also increase its overall effectiveness and
minimize the risks in delivering new projects and applying new technology. Further, IT
must gain and maintain control over the increasing complexity of the enterprise enhanced
server-based application development environment.

Finally, when faced with productivity challenges to get more with less, leading e-
commerce software applications play an integral role in maximizing the business value of
your enhanced server-based Web site. By using your enhanced server-based Web site to
unify and extend information and business processes to service customers, suppliers, and
employees, you can help deliver incremental business value from your Web site. Moving
relationships to a personalized and collaborative self-service model enables you to
enhance growth, reduce costs, and improve productivity. And, by combining marketing,
transaction, and service functions in a single solution, you reduce your overall cost of
doing business. Additional efficiencies may be garnered by outsourcing the management
and maintenance of your e-commerce solution. Outsourcing can enable you to reduce
costs, improve performance, and enhance convenience.
Part III: Implementing and Managing E-Commerce Web Sites

Chapter List

Chapter 10: Strategies, Techniques, and Tools
Chapter 11: Implementing Merchandising Strategies
Chapter 12: Implementing E-Commerce Databases
Chapter 13: Applying and Managing E-Business Intelligence Tools for Application

Chapter 10: Strategies, Techniques, and Tools

“Men have become the tools of their tools.”

—Henry David Thoreau (1817–1862)


E-business is delivering tremendous benefits in some fields: making financial
management more efficient, automating activities in human resources, improving vendor-
buyer relations in supply chains, streamlining workforce and project activities, and
providing managers with the analytic data they need to improve decision making. There
has been mixed success in other areas; retail e-commerce, for instance, has expanded
exponentially, but technical glitches and delivery problems have dampened customer
satisfaction. In spite of the uneven record, most statistics paint a picture of e-business as
an enticing way to conduct business.

• As of February 2003, there were more than 637 million people online.
• Companies that use e-business technologies to replace paper-based purchasing
processes have reduced individual transaction costs from as much as $150 to less
than $10.
• Reliable estimates indicate that the healthcare industry could save $44 billion a
year by using e-business processes to improve supply chain efficiencies[1].
“Building an e-Business Strategy: What to Do Now. What to Do Next,” © 2003,
Lawson Software, All rights reserved, Lawson Software, 380 St. Peter Street, St. Paul,
MN 55102, USA, 2003.

E-Business Now

Those interested in adopting or refining an e-business strategy are dealing with mixed
signals. On one hand, there is reason for caution. Stories of failed dot-com companies
that made big promises, but didn’t deliver, fill the financial pages. Long implementation
periods and complicated “transitions” give many managers pause. High costs for
technology that may be quickly obsolete also have a dampening effect on the e-business
acceptance curve.

And yet, the promise of e-business is such that it overwhelms most objections. From
backend process reengineering to frontend customer convenience, e-business offers what
most organizations need to grow in a worldwide economy and compete against a host of
new rivals. In some industries, the proof is already there and the case for e-business is
especially compelling:
• Healthcare organizations are using Web-based supply chain processes to radically
reduce costs and improve patient care. They are also using Web-based human
resource systems to recruit and retain qualified professionals in a very tight labor
• In retail, Web-based financial applications are greatly simplifying the details of
franchise management, reducing paper-based transactions, improving
communications, and providing easy-to-use analytical information at the store
• In the public sector, schools and government offices are adopting e-business
technologies to facilitate group purchasing, reduce operational costs, and make
services and information more accessible.
• The financial services industry is using e-business technology to reduce
procurement costs and to introduce new services to customers.
• The professional services industry is using Web-based applications to track and
maintain relationships with employees across multiple jobs and sites, and fully
facilitate projects, significantly reducing the time from opportunity to cash-in-

Other industries are also finding that e-business is changing the way they handle
traditional tasks, how they go to market, and even their business focus. The graphic arts
industry, for instance, is replacing paper-based, prepress proofing with online proofs that
can be reviewed quickly and cheaply. Small companies are finding they can compete
worldwide through Web sites linked to online catalogs. Application Service Providers
(ASPs) are creating whole new enterprises around e-business solutions developed for
niche markets.

In today’s world, e-business is the magic driving the way companies cope with changes
in the marketplace. It’s no longer a question of whether or when to implement an e-
business strategy. It’s how and with whom.

What E-Business Offers Now

There are two primary options for organizations that are reviewing their e-business
strategies: use e-business to concentrate on core businesses and use e-business to develop
new competencies.

Using E-Business to Concentrate on Core Businesses

Electronic technologies offer ways to dramatically streamline business processes,
improve operational efficiencies, and reduce purchasing costs. Incorporating e-business
into a company’s infrastructure eliminates a lot of routine work and allows renewed
concentration on core activities such as customer service. Some companies have even
redefined what their core business is. Nike®, for example, has used e-business
technology to help it refocus on sales and marketing. IBM has shifted its corporate focus
from selling computers to providing e-business services.

Using E-Business to Develop New Competencies

E-business offers ways to create new markets and even new lines of business. Business
Service Providers (BSPs), for instance, develop or purchase new technologies and then
package them to sell to niche markets. Some BSPs have taken a different path, leaving
the context (the specific market application) to others, while they provide technologies
(financial applications, human resource systems, etc.) widely used in every business

Whichever broad direction is chosen (or if a combination of both seems best), there are
key issues that need to be addressed in the early stages of deciding on an e-business
strategy. The first is to clarify the terminology so everyone is speaking the same

For example, “e-business” has been defined as “a technology-enabled application
environment to facilitate the exchange of business information and automate commercial
transactions”[1]. At its broadest level, e-business refers to just about any business activity
done using the Internet. In a narrower sense, a true e-business process means that
everything is done electronically (from the time it is initiated until the process cycle is
complete) with no human interaction needed until a decision must be made.

Next, “e-commerce” refers to commercial transactions conducted online. In its more
popular sense, e-commerce refers to retailing on the Internet—selling directly to
consumers through a Web site. But, a broader understanding of e-commerce must include
business-to-business commercial applications: using the Internet for procurement and
distribution and employing e-business technologies to streamline supply chain operations.

On the other hand, an “e-service” is a service delivered over the Internet. It is an e-
business solution to a specific need—often a Web site or group of Web sites. For
example, the “Apply Here” button on a job recruitment Web site that allows anyone to
apply for an open position is an e-service. This also includes the delivery of financial data
in a format that helps the recipient use analytics to automatically slice and dice the data
and create charts and presentation materials.

Finally, “360-degree e-business” is the ultimate goal of e-business strategies. It means
that information flows from decision maker to decision maker, and business processes
can be initiated and completed online. The 360-degree e-business supply chain solutions,
for instance, let procurement professionals input requisition information, solicit and
receive bids for contract and noncontract items, check pricing, verify and accept delivery,
receive invoices, and authorize payment and electronically pay—all online. The benefits
include reduced purchasing costs, streamlined operations, and improved relationships
with vendors. The 360-degree e-business requires open access to information and
analytical capabilities that are both sophisticated and easy-to-use.

The difference between “Web-deployable” and “Web-addressable” is also significant (see
sidebar, “Web-Addressable Versus Web-Deployable”). Web-deployable simply means
that specific applications can be delivered or accessed over the Internet. Web-addressable
means that virtually any business activity can be done on the Internet through server-
based logic that can be referenced and executed via a URL.

Once the terminology is clear, the other issues that need to be addressed in an e-business
strategy depend on the type of organization. Some companies need to prioritize security
or financial data management, whereas others need to focus on Human Resources (HR)
applications such as empowering employees to self-manage their own basic HR
information. Still others will find that the greatest advantage of e-business lies in
streamlining purchasing operations or distributing information more efficiently across
multiple locations.

Web-Addressable Versus Web-Deployable

Web-deployable refers to applications that can be delivered or accessed over the Internet.
Web-deployable applications render their user interface in a browser.

For example, some applications have distinct business objects that can be deployed via
Web-related standards and protocols. These business objects support end users who
access various systems occasionally, thus providing a standard presentation and common
navigation process via a browser.

Web-addressable refers to server-based application logic that can be referenced and
executed via a URL. Web-addressability means an application can be “remote controlled”
via standard HTTP commands (and/or Java remote method invocation). In other words,
this means that all applications here are Web-addressable. For example, an HTTP call
could allow the user to change the address of the customer, extend their credit limit, or
change their main corporate contact, all from a browser, without a third party reentering
data into the system.

Benefits of Web-Addressability

The following are the benefits of Web-addressability:

• Access standard objects simply by entering a URL address.
• Simplify administration of applications by the Web-addressable solution utilizing
the same business logic as your core business management system.
• Simplify deployment of applications to remote users via browser-based access.
• Manage one set of business objects.
• Separate objects that do not have to be accessed with an embedded parameter to
access your back office data[1].

Building an Effective E-Business Strategy

There are four key issues that apply to most organizations. The following issues can be
viewed as a prerequisite to building an effective e-business strategy:

1. Identify measurable business objectives.
2. Define costs and impact.
3. Align IT architecture.
4. Identify value propositions[1].

Identifying Measurable Business Objectives

Implementing an e-business strategy is a major undertaking. To ensure it is successful,
objectives need to be identified at the beginning and measurable goals set. These may
include eliminating steps in a business process, reducing the errors that paper-based
transactions introduce, opening new market opportunities, or improving information access
among managers or departments.

Defining Costs and Impact

The costs of implementing an e-business strategy are measurable in both time and money.
Some providers may have lower front-end costs, but the time-to-implement may be so
lengthy and complicated that the actual costs are much higher.

The impact on business units must also be anticipated. Introducing an e-business strategy
in one department may result in crossover benefits to other operating functions of the
organization. For instance, using e-business technologies to reduce routine HR functions
frees HR professionals to take a more active role in strategic planning for the

Aligning IT Architecture

Introducing e-business technology across multiple business entities can require a major
commitment of IT support. Using an open architecture configuration eliminates this
concern because e-business applications are transparent to all major hardware platforms,
operating systems, and databases.

Identifying Value Propositions

Finally, implementing an e-business strategy will be a lot smoother if its value is made
clear to all potential users. E-procurement applications, for instance, add value at the
Purchasing Department level by reducing errors and streamlining processes. At the
organizational level, value is added by facilitated group purchasing, which cuts costs. In
addition, vendors receive added value because they have faster access to information so
they can track invoices and payment. Done right, an e-business strategy is a win-win
proposition for all involved.

The e-business revolution that began in 1997 is proceeding at a revolutionary pace—
which is to say that it is proceeding rapidly, but not uniformly and not always in the ways
that were predicted. Some industries are moving ahead as fast as technologies permit,
and some are taking a wait-and-see attitude.

Chapter 11: Implementing Merchandising
“All of the animals except man know that the principal merchandising of life is to enjoy


The Internet is changing the basis of competition for companies of all sizes. Although
many successful formulas for e-business development now exist, most are based on one
of the following merchandising strategies: Web entrepreneurship, virtual build-out, and
operations improvement. This chapter explains how each strategy relies not only on a
great Web site, but on high quality, system-ready information about products and the
merchandising programs that drive sales.

Internet Business Development Merchandising Strategies

Web entrepreneurship is all about transforming an industry—without using brick and
mortar. The core business development concept is to build a massive online customer
base to gain economies of scale through educating buyers to use online services and
transactions. The MicroAge x-Source business-to-business procurement service, Borders
Books and Music, and e-Chemicals are a few examples.

Virtual build-out means expanding nationally or globally—beyond the limits of brick and
mortar. The core concept is to transform an actual in-store experience into a Web
experience available to anyone, anywhere. For practitioners of virtual build-out, the Web
may supplement or be used in place of a catalog and telephone order expansion
merchandising strategy. For example, REI, an outdoors outfitter in the Pacific Northwest,
is using the Web to reach hiking and camping enthusiasts across the country. Its online
stores sell as much as its largest regional stores—and in-store sales have not been

Operations improvement is targeted toward increasing the profit margins of an existing
national or global business. The core concept is to replace the costs of sales and support
staff, paper order processing, and brick-and-mortar operations with customer self-service,
automated sales, delivery, and support services on the Web. Goodyear, for example, has
saved millions of dollars in its dealer channel by using Web process automation to drive
costs out of the sales process. Banks, financial firms, wholesalers and distributors,
retailers, insurers, and even colleges and universities are pursuing Web-based operations
improvement strategies to increase profits and enhance customer service. You need to
seriously consider strategies such as Web entrepreneurship, virtual build-out, and
operations improvement to ensure you capture market share before your competitors do.

The Challenge: Content Management

These e-business development merchandising strategies rely on automation of product
and service presentation, selection and purchasing, execution of merchandising plans
such as cross-selling and special offers, and online delivery of customer support.
Achieving such automation and simultaneous cost control requires absolutely accurate
data. Inaccurate data translates into unhappy customers and decreased profits. So,
attaining consistent, reliable data is critical to your e-commerce success. And, creating
and maintaining reliable data requires effective content management.

There are two kinds of data: data about the products and services, such as name,
description, features, and specifications; and meta-data, which is used to sell, deliver, and
support your products, such as recommended accessories for cross-selling and taxable
code and shipping weight to generate online invoices. As detailed later in the chapter,
many companies have data and meta-data that are not in a form that supports full, cost-
effective automation. The product data has inconsistencies and the meta-data exists as
human procedures in multiple locations, or files in computer systems separated from the
product data, requiring interpretation by people.

A further complication for companies intent on expanding e-business revenues and
profits is that in the rush to establish an e-commerce operation, many have relied on
runtime Web tools to do the preliminary buildtime data preparation. The result is that they
have to spend enormous effort with their Web site design tools in reworking data and
meta-data every time they enhance their merchandising programs.

In fact, online merchandising presents a range of content management challenges that
aren’t easily managed with traditional product data preparation methods. Here are a few

• Companies are learning that effective use of such techniques requires much
cleaner and more consistent product information than appears in most catalogs or
in the underlying databases.
• Effective online merchandising requires an array of techniques, such as product
locators, problem solving wizards, and customer relationship tools to deliver
engaging online experiences. These techniques rely on product and shopper
classification methods that require new meta-data at the product item, category,
and even shopper level. Maintaining these attributes expands data preparation
• The cross-industry trend toward faster product development and shorter product
life cycles means there are more product item adds, changes, and deletes than ever
before. Many merchandising managers want a way to exploit the electronic
product information that manufacturers have already prepared.
• The recognized need to keep e-commerce sites fresh and attractive requires more
frequent updates. Consequently, the product information and catalog design teams
find themselves working continuously on the online catalogs (instead of
periodically as on paper catalogs), and they need more efficient, group-friendly
product information maintenance tools[1].

[1] “Strategies for Online Merchandising,” © International Business Machines Corporation
2003, IBM Corporation, Software Group Division, Route 100, Somers, New York 10589,

Online Merchandising Strategies

Building a profitable and scalable e-commerce business requires flexible merchandising
and an effective infrastructure. Flexible merchandising (delivering value and quality in
meeting customer needs) is covered in this part of the chapter. Effective infrastructure
(building efficient processes to create the information required for flexible
merchandising) is covered later in the chapter.

Flexible Merchandising

The keys to effective online merchandising are simple: the site and sales process should
be interesting, dynamic, appealing, and, most importantly, relevant to each shopper.
Relevance means having the flexibility to provide a range of merchandising techniques to
suit the needs of different shoppers, or the same shopper in different buying situations.
Here is a collection of flexible merchandising strategies used on e-commerce sites—
product locators, problem-solving techniques, and customer relationship tools.

Product Locators

Product locators help buyers find the products they need, often by using both a
classification scheme and a search mechanism. Products need to be classified so buyers
can easily locate them on your site. The efficient way is to incorporate classification data
into the product detail and let e-commerce tools generate the Web pages as needed (as
explained later in this chapter). The alternative is to laboriously paste the product data
into Web page templates at the desired locations—and repaste if the site design changes.
The following are some product locator strategies enabled by product classification data:

• Categories
• Visual catalog
• Parametric comparison
• Table of contents[1]


Categories

Many e-commerce sites organize products by category—beginning with a broad
classification, such as clothing, and narrowing in steps, such as outerwear, until
individual items, such as mountain parkas, are reached. This metaphor organizes products
in a familiar way like paper catalogs, and buyers click through Web pages to reach real

Visual Catalog

An electronic components supplier provides a visual catalog that makes it easy to
navigate by inspecting a tree of products and selecting items that look like the ones
needed. This metaphor, which can be developed with custom templates, helps the
occasional buyer who doesn’t know industry terminology. The supplier also provides
search tools for frequent buyers that use full-text descriptions, product codes, or
competitors’ product codes.

Parametric Comparison

A PC accessories reseller lets the buyer pick product models and accessories from pull-
down menus and then presents a table of items that match. Then, the buyer can compare
specifications of individual items against each other and select which to buy. This
metaphor, available with custom templates, creates virtual mini-catalogs on the fly to suit
buyer requirements.

Table of Contents

More sites are adding table of contents features to supplement the other access methods.
Some sites have multiple tables of contents that include products, services, and online
information. Each entry jumps to a page of items or a visual catalog.

Problem-Solving Techniques

Locating products is one thing, making the sale is another. Problem solving (matching the
right products to the customer’s need) increases the chance of closing the sale and
bolstering volume. Successful matching requires linking product uses to needs. The
following are some problem-solving techniques made possible by product usage

• Questions and answers
• Up- and cross-selling
• Accessorization
• Customer relationship tools[1]

Questions and Answers

A technical products reseller provides a question-and-answer interface that leads the
buyer through a dialogue governed by an expert system. This metaphor, available in most
custom templates, helps the buyer clarify the requirement and identify candidate solutions
at the same time. Such expert systems require linkage of recommended solutions to
specific products. The reseller could also provide search tools for text descriptions, model
names, and product codes.

Up- and Cross-Selling

Sites are beginning to add up-selling and cross-selling capabilities to enhance per-sale
revenues. Up-selling offers more capable (and more costly) versions of a product. Cross-
selling offers a complementary product to be purchased at the same time to expand the
range of problems solved. Up- and cross-selling require links between models with
varying levels of capacity and features and links to products with complementary uses.


Accessorization

Some sites focus on providing all items needed for specific uses, problems, or
applications. For example, road warriors who want a portable printer may also need
specific cables[2], batteries, power supplies, replacement print cartridges, ink tanks,
special types of papers, helper applications, portable scanners, and even online access to
clip art—all items that can be classified as “for use with” the portable printer.

Customer Relationship Tools

The customer relationship data, such as product preferences, past purchases, and
demographics, can help shape merchandising strategies, if the relationship information is
recorded in data attributes. The efficient way to employ customer relationship data is to
accumulate preferences and purchase history on an ongoing basis in a customer profile—
and ensure that this data can be linked with product detail for subsequent promotions.
This approach is being adopted by increasing numbers of retailers and direct marketers
for their customer loyalty programs.

Or, you can analyze past sales data and classify customers after the fact. This is difficult
if product descriptions are the usual haphazard abbreviations shown on invoices. The
following merchandising techniques can be based on linkage of customer relationship
attributes to product information:

• Customer preferences
• Past purchases
• Contracts
• Customization/personalization[1]

Customer Preferences

Keeping a record of preferences can enhance your relationship with customers in many
ways. For example, maintaining the customer’s preferred payment method reduces form
fill-in at payment time. Size, color, texture, style, genre, lifestyle, and language
preferences can simplify the purchasing process and enhance sales for clothing,
housewares, sports gear, music, books, periodicals, and other goods. Customer
preferences need to tie back to category or item-level attributes to work effectively.

Past Purchases

Records of past customer purchases, especially equipment, can enhance sales
opportunities for extended warranties, supplies, maintenance, upgrades, and add-ons. Past
purchases of supply items can drive seasonal or customer-specific promotions.
Leveraging purchases data is straightforward if the product codes used in recording the
original sale are accurate and meaningful.


Contracts

Much business purchasing is done under supply contracts. Contracts can be administered
systematically online if discounted items are explicitly listed in the contract (in other
words, a contract-specific version of the catalog is prepared). Tiered discounts are often
based on purchase volumes by commodity class, which requires accurate classification of
product items.


Customization/Personalization

Meeting customer-specific requirements can cement your relationships. Customization
requires data fields at the item level and carrying them through the order process. Business-
to-consumer examples include storing measurements for make-to-order clothing and
custom-fit bicycles in a profile, and enabling custom selections of music on CDs.
Business-to-business examples include storing specifications for make-to-order servers,
routers, lab equipment, and specialty chemicals in a profile, and enabling custom
configuration of personal computers and servers[3].

Finally, product locators, problem-solving techniques, selling strategies, and customer
relationship tools all rely on attributes to associate products with one another,
merchandising techniques, and customer groups. Until recently, it has been difficult to
rapidly deploy new merchandising strategies, because of the need to add new attribute
fields and update existing field values for catalog entries.

[2] Vacca, John R., The Cabling Handbook (2nd Edition), Prentice Hall PTR, 2000.
[3] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,


Success in e-commerce depends on the execution of Web-based merchandising strategies
to expand your customer base, increase sales, and reduce costs—all at the same time.
Such strategies depend on highly accurate product data for electronic catalogs and
additional information (also called meta-data) required to flexibly merchandise, sell, and
support products and services online. Creating and maintaining electronic catalogs gets
increasingly challenging as the number of Stock Keeping Units (SKUs), product features,
and special catalogs increases. There’s a huge volume of data to be managed, and
meta-data for products, categories, and customers is needed to support merchandising.
Finally, effective merchandising tactics such as customized sales assistance, parametric
search, up- and cross-selling, personalization, and special offers all rely on the ability to
link products with other products, selling strategies, or shopper interests.

Chapter 12: Implementing E-Commerce

“Do not quench your inspiration and your imagination; do not become the slave of your
—Vincent van Gogh (1853–1890)


E-commerce technology is growing at a phenomenal pace. The Web provides a platform
independent, common user interface to information all over the world at an economical
rate. Every major software vendor in the world has included some sort of e-commerce-
based solution for their products, ranging from support to direct interfaces to Web

Over the last seven years, the Web has evolved from a file-based retrieval system to an
application-oriented medium where users can perform purchases, query databases, or
even customize their interface to various sites. This evolution has challenged Web
developers and Web masters to keep the content on Web sites up-to-date, collect
meaningful statistics on the use of the site, and empower the content owners with the
maintenance of the Web content.

The state of Web technology has evolved so quickly that there are many competing e-
commerce database implementation solutions from which the developer can choose.
Most of these solutions work well in a single vendor or a homogeneous environment.
However, when working in a heterogeneous environment with multiple operating
systems, database applications, and Web server technologies, the options for the Web-
database developer become limited.

Implementing the E-Commerce Database Interface Solution

The primary function of a Web server is to send appropriate HTML code to the Web
browser. Today’s trend is to serve content to the Web via an e-commerce database
solution. In order to make this happen, the Web server must communicate with the
database. The Web server must make requests to the database, interpret the database’s
response, and pass on the appropriate data to the Web browser.

In order for the Web server to communicate with a database, it must communicate
through an Application Programming Interface (API). There are many different types of
database access APIs available for the developer—ranging from proprietary to open
standard APIs. A Web database developer has many options from which he can select the
API that best meets the requirements of the project. However, the developer must be very
careful in the selection of the API if he must support a heterogeneous environment. One
API might not support all database or Web servers in the developer’s environment.

Embedded SQL

In the early days of relational databases, the only portable interface for applications was
Embedded Structured Query Language (SQL). There was no common function API and
no standard Fourth Generation Language (4GL). Embedded SQL uses a language-
specific Precompiler. SQL commands are embedded in a host programming language,
such as C or COBOL. The Precompiler translates the embedded commands into host
language statements that use the native API of the database.

The problem with using Embedded SQL is that there must be a compiled version of the
database interface for each database and operating system supported. This is not efficient
or useful for heterogeneous environments. Also, the developer may run into problems
with each database vendor’s C API. Not all database APIs are created equal.


ODBC

When building a Web site that must connect to many different databases, the first
database connectivity standard normally considered is Open Database Connectivity
(ODBC). ODBC is a logical choice, because it is a standardized API. It is a set of
function calls based on the SQL Access Group (SAG) function set for utilizing an SQL
database system (backend system). The SAG set implements the basic functionality of
Dynamic SQL. Embedded SQL commands can be translated to call ODBC. Finally, there
are ODBC drivers for every major database application.

Applications access ODBC functions through the ODBC Driver Manager, which
dynamically links to the appropriate ODBC driver. ODBC drivers translate ODBC
requests to native format for a specific data source. The data source may be a complete
RDBMS, such as FirstSQL, or it may be a simple file format, such as Xbase. In other
words, most ODBC drivers are tied to a single data source. Some, like FirstSQL, support
multiple data sources. The FirstSQL ODBC driver supports both a FirstSQL data source
and an Xbase data source.

Though its name begins with open, implying that it is not tied to a single vendor or even
to a subset of RDBMS vendors, ODBC is controlled by a single vendor: Microsoft.
Microsoft defines the specification of the API and supplies the basic driver manager
software used on their operating systems. This control has some good aspects and some
bad for the future of ODBC.

Microsoft has made reasonable, useful extensions to the original SAG definitions in
creating ODBC. Later releases have refined those extensions. Microsoft has committed to
bringing future versions of ODBC more in line with SAG’s specifications and with
existing standards.

In a major strike against ODBC, Microsoft is touting their Object Linking and
Embedding Data Base (OLE DB) facility as a replacement for ODBC. OLE DB could be
viewed as an object layer placed on top of ODBC, but Microsoft is likely to provide
direct OLE DB drivers for their database products and to de-emphasize and perhaps
discontinue ODBC drivers for their products. OLE DB is not open or portable except
between Microsoft operating systems (OSs), which at this point means a single OS, Windows NT.

Because of Microsoft’s total control of the specification and arbitrary complexities in the
facility, OLE DB will not be supported by other operating systems—Operating System 2
(OS/2), Macintosh Operating System (MAC OS), and various flavors of Unix. ODBC,
and Embedded SQL to a lesser degree, will remain as the only open and portable
interfaces for SQL accessible databases. Unfortunately, the fate of ODBC is completely
under the control of Microsoft.

Java and JDBC

Java Database Connectivity (JDBC) is an SQL-level API that allows you to embed SQL
statements as arguments to methods in JDBC interfaces. To allow you to do this in a
database-independent fashion, JDBC requires database vendors to furnish a runtime
implementation of its interfaces. These implementations route your SQL calls to the
database in the proprietary fashion it recognizes. As the programmer, though, you do not
ever have to worry about how JDBC is routing SQL statements. With JDBC, you can run
the same code no matter what database is present. A Java client/server application can
make use of one of the following three major database architectures:

• Object database
• Object-relational database
• Relational database[1]

The majority of today’s databases are relational databases. Thus, the JDBC API is heavily
biased toward relational databases and SQL. There is an architectural conflict between Java
and relational databases: Java is object-oriented, whereas relational databases are not.
Therefore, a mapping between Java objects and SQL relations must occur, and it is up to
the developer to do this mapping.

The use of Java and JDBC has two distinct advantages for heterogeneous Web
application development. It is database independent and facilitates distributed computing.
A Java database application does not care what database engine is used. Therefore, the
developer can change the database engine without having to change the Java application.
In fact, the developer can write a class library that maps business objects to database
entities in such a way that the application does not know that a database is in use.

Using Java for distributed computing has the advantage that the user can download the
Java code as he needs it. The administrator does not have to install the software on each
user’s workstation. This model is very beneficial when it comes time to update the
application. The administrator does not have to reinstall software.


PERL and DBI

Practical Extraction and Reporting Language (PERL) is most likely the most common
scripting language used on the Web today. It is predominantly used with the Uniplexed
Information and Computing System (Unix) operating system, even though it can be used
with Windows NT®. PERL is well-suited for the Web because it is a language that was
written to handle text and text files. The PERL community also needed an interface to
databases. Because PERL is an open source application, the Database Interface (DBI) is
perfect for this task.

Note: DBI for the Perl language is the Database Interface (DBI) API specification, a set of
functions, variables, and conventions that provide a consistent database interface
independent of the actual database being used.

In simple language, the DBI interface allows users to access multiple database types
transparently. So, if you are connecting to an Oracle, Informix, mSQL, Sybase, or
whatever database, you don’t need to know the underlying mechanics of the 4GL layer.
The API defined by DBI will work on all of these database types.

A similar benefit is gained by the ability to connect to two different databases of different
vendors within the one PERL script (if you want to read data from an Oracle database
and insert it back into an Informix database all within one program). The DBI layer
allows you to do this simply and powerfully.

[1] Moore, Dennis K., “Web Database Integration Designing and Implementing Web Sites
to Interface with Heterogeneous Database Environments,” © 2003 Raven
Communications, Inc., Raven Communications, Inc., 11429 Dunloring Place, Upper
Marlboro, MD 20774, 2003.
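The JDBC passage above (a class library that maps business objects to database entities so the application never knows a database is in use) and the DBI passage (reading from one vendor's database and inserting into another within one program) can both be shown with one small repository layer. This added example is not from the book or from either project; it uses Python's DB-API 2.0, which plays the same driver-independent role as JDBC and DBI, with two in-memory SQLite databases standing in for two vendors' servers, and the `Customer`, `CustomerRepository` and `DbApiCustomerRepository` names are assumptions.

```python
import sqlite3
from dataclasses import dataclass
from typing import Protocol


@dataclass(frozen=True)
class Customer:
    """Business object the application works with; it never sees table rows."""
    customer_id: int
    name: str
    credit_limit: int


class CustomerRepository(Protocol):
    """What the application depends on; nothing here names SQL or a vendor."""
    def all(self) -> list[Customer]: ...
    def find_by_name(self, name: str) -> list[Customer]: ...
    def add(self, customer: Customer) -> None: ...
    def extend_credit(self, customer_id: int, new_limit: int) -> bool: ...


class DbApiCustomerRepository:
    """Maps Customer to a CUSTOMER table over any DB-API 2.0 connection.

    Drivers differ in their parameter placeholder (sqlite3 uses '?', many others
    '%s'), so it is passed in rather than hard-coded. Values are always bound as
    parameters, never spliced into the SQL text, so a name like O'Brien is safe.
    """

    def __init__(self, conn, placeholder: str = "?"):
        self.conn, self.p = conn, placeholder

    def create_schema(self) -> None:
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS customer (customer_id INTEGER PRIMARY KEY,"
            " name TEXT NOT NULL, credit_limit INTEGER NOT NULL CHECK (credit_limit >= 0))")
        self.conn.commit()

    def all(self) -> list[Customer]:
        cur = self.conn.execute(
            "SELECT customer_id, name, credit_limit FROM customer ORDER BY customer_id")
        return [Customer(*row) for row in cur.fetchall()]

    def find_by_name(self, name: str) -> list[Customer]:
        cur = self.conn.execute(
            f"SELECT customer_id, name, credit_limit FROM customer WHERE name = {self.p}",
            (name,))
        return [Customer(*row) for row in cur.fetchall()]

    def add(self, customer: Customer) -> None:
        self.conn.execute(
            f"INSERT INTO customer (customer_id, name, credit_limit)"
            f" VALUES ({self.p}, {self.p}, {self.p})",
            (customer.customer_id, customer.name, customer.credit_limit))
        self.conn.commit()

    def extend_credit(self, customer_id: int, new_limit: int) -> bool:
        """Raise a credit limit; False if the row is missing or new_limit is not
        actually higher, so a stale or repeated request changes nothing."""
        cur = self.conn.execute(
            f"UPDATE customer SET credit_limit = {self.p}"
            f" WHERE customer_id = {self.p} AND credit_limit < {self.p}",
            (new_limit, customer_id, new_limit))
        self.conn.commit()
        return cur.rowcount == 1


def copy_customers(src: CustomerRepository, dst: CustomerRepository) -> int:
    """Read every customer out of one database and insert it into another (the
    two-vendor copy the DBI discussion describes), purely via the interface."""
    customers = src.all()
    for customer in customers:
        dst.add(customer)
    return len(customers)


def demo() -> dict:
    # Two separate in-memory SQLite databases stand in for two vendors' servers
    # (constructed for this example; a real deployment swaps in each driver).
    source = DbApiCustomerRepository(sqlite3.connect(":memory:"))
    target = DbApiCustomerRepository(sqlite3.connect(":memory:"))
    source.create_schema()
    target.create_schema()
    for c in (Customer(1, "Acme Corp", 5000), Customer(2, "O'Brien & Sons", 2500)):
        source.add(c)  # constructed sample rows
    return {
        "copied": copy_customers(source, target),
        "raised": target.extend_credit(2, 4000),       # real increase -> True
        "not_raised": target.extend_credit(2, 3000),   # would lower it -> False
        "missing": target.extend_credit(99, 1000),     # no such row -> False
        "obrien_limit": target.find_by_name("O'Brien & Sons")[0].credit_limit,
        "target_count": len(target.all()),
    }


if __name__ == "__main__":
    print(demo())
```

Swapping the vendor means changing the connection object and placeholder handed to `DbApiCustomerRepository`; nothing above it, including `copy_customers`, needs to change.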

Heterogeneous Development

The developer has a difficult job when developing and implementing e-commerce
database solutions in heterogeneous environments. The developer must contend with
broader requirements and issues than a single platform development effort. The developer
may have to sacrifice system performance for portability of code or support issues.

The developer should conduct a trade-off analysis for each option considered. The trade-
off analysis should consist of the following criteria list at minimum (not in any order of
relevance). The developer should assign a relative weight to each criterion based on the
system requirements and then rank each alternative in accordance with each criterion.
The sum of all criteria should give the developer a sense of how each alternative meets
the system requirements. Of course, there are intangibles that cannot always be accurately
assessed. The intangibles are measured by the experience of the developer or a group of
developers as follows:

Performance: Measured in speed or response time.

Portability of code: How many different systems are supported with minimal changes to

Reliability and availability: Mean time between failures or system uptime.

Scalability: As performance requirements increase, can the system support higher

Security: Vulnerability to outside access or system penetration.

Total cost of ownership: How much in dollars to install, operate, and support the

Training and support: How many man-hours to train and support the system[1]?

The e-commerce database developer and implementer must assess these criteria from the
operating system to the Web and to the database to determine the best solution that meets
the requirements of the application.

The Future

The Web is evolving into the largest information repository in the world. There will be a
continued strong demand for tools, utilities, and applications so that the user can access
this information with greater speed and efficiency. Web application development will
continue to mature to satisfy the user’s demand. The development time on the Web is
much shorter than other development environments. The Web developer will continue to
look for tools to provide more functionality and yet be flexible to use in many different
environments. Three evolving technologies—Java servlets, XML, and CORBA—will
play a very significant role in aiding the developer in heterogeneous environments in the
near future.

Java Servlets

Server-side scripting will continue to evolve into object-oriented, server-side
programming using Java and C++. Once Java becomes truly platform independent, it will
become the server-side programming language of choice because the programmer will
not care what OS or what database he is interfacing with.

One of the early frustrations with Java was its performance on the client side. It took
much too long to run a Java applet on a client. Today’s trend is to run Java on the server
side (servlets). Here, the developer enjoys the advantages of Java while avoiding slow
download times to the client.

The secret’s out: Java isn’t just for programming client-side applets that run in Web
browsers or for writing Internet applications. The simple, flexible servlet API brings the
power of Java to your servers, too. Java is a great platform for writing the server side of
your Web-based application. The same features that make Java a better platform for
writing client applications make it better for writing servers. Your server applications will
benefit from its type safety and other rapid development features, even more than your
client applications did, because multithreading support is built into the Java platform.

Java makes it easy to develop and deploy all parts of a professional, maintainable,
distributed system application. The servlet API provides you the fastest way to start using
JavaServer technology in your networked applications. You can start with applications
that involve clients and a single server, and gradually create multitier enterprise
applications that integrate the power and flexibility of Java throughout your existing
network, because Java servlets run on the software and hardware you’ve already

XML

One of the biggest limitations of HTML has been the presentation and organization of its
content. XML allows developers to easily describe and deliver rich, structured data from
any application in a standard, consistent manner. XML does not replace HTML; rather, it
is a complementary format. XML is becoming the vehicle for structured data on the Web,
fully complementing HTML, which is used to present the data. By breaking structured
data away from presentation, Web developers can begin to build the next generation of
Web applications.

Learning to author XML and manipulate XML data sources will enable you as an HTML
author to supply your Web pages with content that is more intelligent and more dynamic.
Marking up data using XML also enables you to create data sources that can be accessed
in a number of different ways for a number of different purposes, making interoperability
between applications and your Web site possible.

XML also holds the promise of becoming a standardized mechanism for the exchange of
data as well as documents. For example, XML may become a way for databases from
different vendors to exchange information across the Internet.


CORBA

As object-oriented programming takes hold for Web development, there will be a
continued evolution toward object-oriented content such as object database management
systems (ODBMS). CORBA will play a significant role in the evolution of object-
oriented distributed content.

Distributed objects enhance security, fault tolerance, configuration management, and
code reuse. It’s possible to take advantage of these attractive qualities by incorporating
existing information services into a Web server based on the CORBA open industry
standard for distributed objects.

CORBA, put forth by the Object Management Group (OMG), combines distributed
processing with object orientation. It is the world’s first multivendor, industry-supported,
distributed object standard. CORBA provides a standard, seamless, transparent way to
distribute objects across multiple platforms and operating systems. The architecture is
isolated from the actual transport protocols—such as Transmission Control Protocol
(TCP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA)
—allowing an open-ended standard.

Finally, current technologies for implementing distributed systems include sockets,
remote procedure calls (RPCs), a distributed computing environment (DCE), or
middleware oriented methods (MOMs). Each of these alternatives affords a different
level of complexity and success, and nearly all have been wrapped into object-oriented
class libraries. However, none of these methods were specifically designed to seamlessly
integrate distributed objects in a client/server environment, so they don’t have an intrinsic
concept of object passing (by value) or remote inheritance.


In just over seven years, e-commerce database technology has become the common user
interface of choice for many information dissemination systems, whereas RDBMSs have
been the cornerstone of information warehousing for years. The integration of the two
technologies has made rapid advances over the last few years. This rapid explosion
has led to new challenges for IT managers and developers. There are several competing
technologies available that often do not address the issues of heterogeneous environments
and Web-based application development. This chapter addressed the challenges of
designing and implementing e-commerce database-integrated Web sites. Furthermore, it
focused on e-commerce database-Web integration difficulties in heterogeneous database

Before one can design or manage e-commerce database interfaces to Web sites, he must
understand the evolution of Web technology. The Web has evolved to become the
electronic information dissemination and presentation medium of choice in networked
environments. Web technology started as a means of disseminating text documents and
establishing relationships with other text documents. The technology evolved where other
media such as graphics, audio, and video files can be disseminated via the Web. Because
there is a wealth of valuable information in databases, the integration of Web sites with e-
commerce database technology is a natural progression of Web technology. The Web
provides a common user interface, whereas the database provides the logical structure of
storing and manipulating data[2].

When a technology evolves at a rapid pace, there are some inherent limitations and
incompatibilities that information managers and developers must face. For example, the
Web was not designed to maintain state efficiently. There are methods of maintaining
state by using environmental variables or setting cookies. The manager or developer must
understand these limitations to satisfy the growing information dissemination and
collection requirements via the Web.
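As an added example (not from the chapter) of keeping state in a cookie, the following Python code shows the check a practitioner needs with that approach: the cookie lives on the client, so the stored state is signed with an HMAC and given an expiry before the server trusts it. The key, session contents and function names are constructed assumptions.

```python
"""Maintaining state across stateless HTTP requests with a signed cookie.

Added example, not from the chapter.  A cookie is client-controlled, so any
state stored in it must be integrity-protected (here HMAC-SHA256 under a
server-side key) and given an expiry; otherwise the client can edit it.
The key, cookie layout and session data are constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret; a real deployment loads this from protected config.
SERVER_KEY = b"example-only-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state_cookie(state: dict, key: bytes = SERVER_KEY,
                      ttl_seconds: int = 1800, now: float | None = None) -> str:
    """Serialize state plus an expiry time and append an HMAC over the payload."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = _b64(json.dumps({"s": state, "exp": expires},
                              separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def read_state_cookie(cookie: str, key: bytes = SERVER_KEY,
                      now: float | None = None) -> dict | None:
    """Return the state dict if the cookie is authentic and unexpired, else None."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        body = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if body.get("exp", 0) < (time.time() if now is None else now):
        return None
    return body.get("s")


if __name__ == "__main__":
    cookie = make_state_cookie({"cart": ["sku-1", "sku-2"], "user": "alice"})
    print("authentic:", read_state_cookie(cookie))
    # Simulate a client editing its own cookie: change the user, keep the old tag.
    payload, tag = cookie.split(".")
    body = json.loads(_unb64(payload))
    body["s"]["user"] = "admin"
    forged = _b64(json.dumps(body, separators=(",", ":"),
                             sort_keys=True).encode()) + "." + tag
    print("tampered:", read_state_cookie(forged))  # None: HMAC no longer matches
```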

Besides the limitations of the Web, there are many issues regarding database access via
the Web. First, the developer must choose a database interfacing technique(s). There are
many proprietary solutions such as Cold Fusion, Microsoft’s ActiveX Data Object (ADO)
via Active Server Pages, and others. In addition, each major database vendor has its
own Web database interface solution. Oracle has its Web Developer Suite, whereas
Sybase has its web.sql product. There are open standards or solutions such as Perl’s
DBI and PHP Hypertext Preprocessor (PHP). There are legacy systems in which
interfacing is very difficult. In addition, building Java applications using JDBC has its
own set of advantages and disadvantages. Each method has issues dealing with support,
development time, system performance, scalability, robustness, migration, and so forth.
The information manager or developer’s decision is made even more difficult when
contending with many different types of databases in a heterogeneous environment.

Designing and implementing Web sites that interface with databases is very challenging
and requires detailed planning and analysis. An IT manager or developer must thoroughly
understand Web technology, database interfacing methods, and database technology
along with the issues each technology has in relation with e-commerce and other
technology. This chapter served as a guideline and reference for information managers
and developers for addressing these issues in their respective environments.

Finally, the Internet will continue to evolve into the mainstream of the world. As a result,
the amount of content on the Web will continue to grow. Database technology is the
enabling technology in which logic can be applied to the input and retrieval of
information. More Web sites will connect to databases to take advantage of the logical
operations of a database. Large organizations with heterogeneous environments will
implement Web-database solutions that can be applied throughout their environment.

As previously explained, there is a myriad of database interface solutions available to the
developer today. However, there are not many that can be effectively applied to
heterogeneous environments. The foremost is using ODBC to interface with your
databases. The developer must be careful with ODBC because not all ODBC drivers and
resources are built the same. There are incongruent aspects of various ODBC products in
the market today. JDBC is another option. You must use Java on the server side or your
scripting language must connect to JDBC resources.

The future seems very bright for database access in heterogeneous environments using
Java on the server side. Java and JDBC on the server side will free the developer from
worrying about what operating system is used and what database is used. The developer
is free to focus on the e-commerce application itself.
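As an added example (not the chapter’s or any vendor’s code) of the portability problem just described, this Python helper writes a query once with named placeholders and rewrites it for whichever DB-API driver is loaded, while always binding the values through the driver instead of splicing them into the SQL. sqlite3 stands in for the heterogeneous backends because it ships with Python; the table and rows are constructed.

```python
"""Portable, parameterized query layer across heterogeneous DB-API drivers.

Added example, not from the chapter.  Python DB-API drivers, like ODBC
drivers, are not all built the same: each announces how it marks query
parameters through its ``paramstyle`` attribute.  ``adapt_query`` rewrites a
query written once with ``:name`` placeholders for the loaded driver, and the
values are always bound by the driver rather than formatted into the string,
so a value containing quotes stays data.  The schema and rows are constructed.
"""
import re
import sqlite3

# Match ":name" but not "::" casts or the ":30" in a time literal like '12:30'.
_PLACEHOLDER = re.compile(r"(?<![:\w]):([A-Za-z_]\w*)")


def adapt_query(sql: str, params: dict, paramstyle: str):
    """Rewrite ``:name`` placeholders for the given DB-API paramstyle.

    Returns (sql, bound) where ``bound`` is what the driver expects: a dict for
    'named'/'pyformat', a positional tuple for 'qmark'/'format'/'numeric'.
    """
    names = []

    def repl(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"no value supplied for :{name}")
        names.append(name)
        if paramstyle == "qmark":
            return "?"
        if paramstyle == "format":
            return "%s"
        if paramstyle == "numeric":
            return f":{len(names)}"
        if paramstyle == "named":
            return f":{name}"
        if paramstyle == "pyformat":
            return f"%({name})s"
        raise ValueError(f"unsupported paramstyle {paramstyle!r}")

    rewritten = _PLACEHOLDER.sub(repl, sql)
    if paramstyle in ("named", "pyformat"):
        return rewritten, {n: params[n] for n in names}
    return rewritten, tuple(params[n] for n in names)


def run_query(conn, module, sql: str, params: dict):
    """Execute one named-parameter query through any DB-API module."""
    adapted, bound = adapt_query(sql, params, module.paramstyle)
    cur = conn.cursor()
    cur.execute(adapted, bound)
    return cur.fetchall()


def demo_lookup(customer_name: str):
    """Constructed order table: return (id, total) rows for one customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE orders(id INTEGER, customer TEXT, total REAL);"
        "INSERT INTO orders VALUES (1, 'alice', 19.99), (2, 'bob', 5.00), "
        "(3, 'alice', 42.50);"
    )
    return run_query(
        conn, sqlite3,
        "SELECT id, total FROM orders WHERE customer = :who ORDER BY id",
        {"who": customer_name},
    )


if __name__ == "__main__":
    print(demo_lookup("alice"))             # [(1, 19.99), (3, 42.5)]
    # Quotes in the value are harmless because the driver binds it as data.
    print(demo_lookup("alice' OR '1'='1"))  # []
```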
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,

Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development
“Language is the armory of the human mind, and at once contains the trophies of its past
and the weapons of its future conquests.”



Organizations today face intense pressure to see a quick return on investment in
information technology. The key is broad delivery of information to everyone who
impacts business processes—at a rapid time-to-market with a low cost of ownership.

To meet this challenge, organizations need e-business intelligence (e-BI), not for a select
few, but for everyone—employees, managers, partners, suppliers, customers, and
constituents. Increases in demand and hands-on users are making the traditional model
for applying and managing e-BI tools for application development, developed within
departments and disconnected from the enterprise, inefficient and ineffective.

Now, organizations need enterprise-wide solutions that can immediately deliver real-time
information in the most usable, familiar formats to very large, even unlimited, numbers of
users. The results must be real and measurable.

IT organizations are critical to managing and implementing such enterprise-wide e-BI
solutions. Any solution must meet the needs of both IT and end users, providing the
ability to deploy easy-to-use applications to large numbers of diverse users, rapidly
develop applications without requiring programming, and manage and administer the
whole system. To meet the needs of IT, the users, and the organization, an e-BI
application development solution requires the following:

• Accurate, consistent, and timely information delivered in real time
• Clear, measurable goals
• Conformity to the standards of all other enterprise applications, meeting
enterprise policies and procedures for development and deployment
• Low training costs
• Maximum productivity for developers
• Rapid time-to-market with low total cost of ownership
• Support for the full range of skill levels and needs of all users[1]

By meeting the preceding criteria, an organization can effectively address business
problems, realizing immediate returns on investment in technology. This chapter very
briefly shows how a fully Web commerce-integrated, Windows-based development
environment for building, testing, and deploying Web applications meets these criteria
very effectively. The chapter also examines the business and technical requirements for
applying and managing e-BI tools for application development solutions.
Eiss, Larry, “Rapid Business Intelligence Application Development for the Web,” ©
2003 Information Builders, Information Builders, Two Penn Plaza, New York, NY
10121-2898, USA, 2003.

E-Business Requirements for Rapid Application Development

By providing a new perspective on the data in an enterprise, e-BI applications have
become unique and powerful tools that enhance the value of knowledge workers. Despite
their value, Giga Information Group estimates, for example, that most organizations have
provided e-BI applications to only six to eight percent of the people who could use them.
To provide more information to more people, organizations must address the following
six challenges:

• Manage training costs.
• Handle single source issues.
• Meet IT requirements.
• Deploy across the enterprise.
• Deploy to multiple platforms.
• Provide administration and security[1].

Managing Training Costs

In the past, many e-BI applications have presented steep learning curves. It is not the
primary job of domain experts to develop and deploy applications, even when those
applications are specifically for them. Consequently, tools must be easy to use, but at the
same time provide significant power and flexibility. This has been a classic problem since
the inception of the computer. There has always been a tension between ease and
sophistication. Finding such tools is not easy.

Demonstrations, by virtue of their limited time, naturally gloss over many fine points. If
the demonstration makes development look easy, it does not necessarily follow that the
requisite power for sophisticated application development is available. Similarly, a less
appealing demonstration may seem to indicate greater power or flexibility, but it may
still turn out that the tool is easy to use.

Handling Single Source Issues

Finding an integrated development solution from one vendor that includes the proper
robust developer tools, application server, report writer, middleware, and e-commerce
interface is difficult. It is important to minimize the number of vendors, but best-of-breed
solutions cannot be sacrificed. Support for heterogeneous solutions is costly. Determining
which vendor is actually responsible for what problem is a daunting task at best, and it is
common for each vendor to lay the blame on another. On the other hand, settling for
second-rate components saps the value of the entire solution.

Meeting IT Requirements

To realize the significant benefits of e-BI applications, the rigor and structure of IT
policies and procedures will have to be met. However, it is difficult to find e-BI
development tools that meet this challenge because e-BI applications have generally been
managed outside the IT organization.

A vendor that appears to be an innovator and on the leading edge of technology may not
have the maturity to fit well into the existing IT structure. Yet, there may be concerns that
more mature vendors have not kept up with the pace of technological change. Moreover,
products that seem to fit the requirements in other areas may have been acquired and
reacquired through mergers over time. Mergers and acquisitions raise significant
concerns about the level of integration with the product mix of the latest owner, and
about the continuity of technical and support staff.

Deploying Across the Enterprise

Even the best designed and most elegantly written application is of no value until it is
deployed to users. Getting applications up and running across the enterprise is imperative.
Unfortunately, the condition of most IT environments today makes this a complex
problem. True thin-client, no plug-in technologies, such as JavaBeans, servlets, HTML,
XML, and DHTML, are necessary to allow cost-effective, scalable, and usable
deployments. In many cases, a centrally managed environment for administering users
and supporting mobile[3] and wireless devices[4] is also important. Security must be
maintained[2] and technologies must be leveraged, but all this must be done in a highly
distributed, heterogeneous environment. The e-BI development tool an enterprise selects
must address such needs without requiring enigmatic, complicated architectural tweaks
and configuration tuning.

Deploying to Multiple Platforms

Enterprise e-BI development tools cannot be limited to one or two platforms. Instead,
they need to provide scalability from local PCs to mainframes. Furthermore, these tools
must be flexible enough to access any data source with a high degree of efficiency. The
use of proprietary cubes or indirect access mechanisms should raise red flags because
they inherently limit the scalability and flexibility of the solution.

Providing Administration and Security

Reporting is a major component of e-BI applications. Although reports are central to
turning data into information and information into knowledge, unlimited access is clearly
unacceptable in most situations. If controlled access is to be effectively maintained,
however, the development solution must provide simple and effective administrative
tools that do not require a dedicated staff for even large user constituencies.

Furthermore, existing security mechanisms, protocols, and tools, such as RACF, Top
Secret, and others, along with directory-based components such as Lightweight Directory
Access Protocol (LDAP), must not be left out or superseded. Selecting a tool with a deep
enough history to coexist with and leverage the existing security structure is imperative if
redundant systems and inflated implementation costs are to be avoided and, more
importantly, if real security is to be maintained.

Now, let’s look at how Web developers respond to your clients’ needs in an e-business
driven marketplace. With the Web becoming an integral part of daily corporate
communication, this part of the chapter very briefly outlines the requirements necessary
for the professional Web designer to compete in the future of enterprise Web application
development. In other words, this part of the chapter gives insight into the future of
applying and managing Web commerce tools for application development and also very
briefly demonstrates ways to leverage technology in order to meet clients’ needs while
increasing business revenue.
Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall, 2001.

The Future of Web Commerce Tools for Application


Web sites and intranets are designed for the same reason—to provide information. In the
business world, this information needs to be updated and changed constantly in order to
stay abreast of a changing business climate. New product releases, price changes, and
marketing promotions are just a few examples of information that companies need to
constantly provide to their customers, suppliers, employees, and shareholders. In today’s
world of e-commerce and intense corporate competition, companies need the ability to
instantly update published information in order to effectively communicate with their
intended audience. Today’s companies know that they have to have a dynamic and
interesting Web presence, but they are struggling to find ways to effectively manage their
Internet strategy. Traditional advertising agencies and Web development firms are no
longer meeting the all-encompassing Internet requirements necessary for businesses in
today’s e-commerce driven marketplace. Companies are looking for advertising agencies
and Web development firms that address their initial Web development needs while also
providing them with viable, affordable solutions that are designed to address, implement,
and manage their overall Internet strategy.

Historically, companies outsourced the development of their Web sites, because creation
and maintenance required design and programming expertise. However, relying on third
parties for all site maintenance limited a company’s ability to quickly and easily update
their published information. To solve this problem, many companies decided to bring
Web site and intranet development in-house. Companies then discovered that hiring the
necessary skilled personnel contains its own set of inherent problems. Information
“bottlenecks” still occur when a company has one or two people in the internal IT
department who are bombarded with the responsibility of publishing all company
information. In addition, companies are also finding that Web site designers are hard to
find and even harder to keep. The recurring theme in the market is that companies are
recruiting individual Web designers to build and maintain their Web sites and intranets in-
house, only to find that after several months of development, the designer may be lured
away by the promise of a more exciting and rewarding career. This “catch 22” has left
companies looking for some additional alternatives. Companies are turning toward their
advertising agencies and Web development firms to provide the solution to this problem.

Market trends have caused Web site management to become an arduous task, with sites
evolving to meet the needs of e-commerce and e-business. For example, today’s Web
application development software is now a complete site production platform that enables
content contribution, production management, content management, verification, and
deployment. Users should be able to submit content, manage site architecture, collaborate
with others, and control the delivery of information. With its open architecture, today’s
Web application development software should work with existing enterprise
infrastructures and be able to handle dynamic content. The software should also be able
to integrate with other leading Web site design solutions, so that Web design firms can
continue to develop sites as they have done historically, while incorporating the added
functionality. The software should also allow for the separation of design and logic,
which means that while the designer can control the graphical look and feel of a site, the
client can manage the architecture, the content, and the functionality of their own site.

Web Application Development Software

Finally, today’s Web application development software is a rapid development,
deployment, and site management engine that is designed to allow users to very rapidly
develop sites, very easily deploy sites, and very simply and effectively manage the
architecture and content of the site once it is deployed. The software is designed so that
all of the Web commerce tools for managing a site are completely nontechnical. This
allows users with absolutely no programming or Web site design experience to simply
add pages to a site, move pages around, and password protect pages as well as publish
content in these pages. The software should also act as a platform that allows functional
applications to be deployed through a developed site. These applications should be
prebuilt software products that perform a vast array of functions. By using Web
application development software, a completely nontechnical user can deploy these
applications in a Web site—thereby creating a highly functional and dynamic Web
presence. The software should also allow Web developers to be more competitive and
more responsive to their customers’ needs. In addition, the software should allow Web
developers to develop sites very rapidly; but more importantly, it should give them the
ability to offer their customers critically important, valuable architecture and content
management tools that the client needs to manage their own online presence.


Today’s competitive organizations need to develop a wide range of e-BI applications that
tap as much data as possible and quickly deploy those applications via the Web to
managers, employees, partners, suppliers, customers, and constituents—everyone they
depend on to make decisions. Developing usable, deployable, and scalable e-BI
applications is taking on greater urgency every day.

Finally, a true Web architecture is essential to rapidly provide these business intelligence
applications to unlimited numbers of people, and see a quick return on investment. IT can
use the same Web-based, integrated Windows development solution to deploy
information with speed, quality, and effectiveness that users of all levels can use to access
information in any format. In addition, IT can securely manage and administer the system
while still allowing power users to develop their own applications.

Part IV: Designing, Building, and Implementing E-Commerce Security

Chapter List

Chapter 14: Types of Security Technologies
Chapter 15: Protocols for the Public Transport of Private Information
Chapter 16: Building an E-Commerce Trust Infrastructure
Chapter 17: Implementing E-Commerce Enterprise Application Security Integration
Chapter 18: Strong Transaction Security in Multiple Server Environments
Chapter 19: Securing and Managing Your Storefront for E-Business

Chapter 14: Types of Security Technologies

“It is true greatness to have in one the frailty of a man and the security of a god.”

—Seneca (3 B.C.–65 A.D.)


You are undoubtedly aware by now that the technology revolution is here to stay. In fact,
many of the things you take for granted today (e-mail, cell phones, PDAs) were
unimaginable just a few short years ago. This rapid growth of technology, where prices
drop while consumer value increases, is historically unprecedented. A frequently asked
question is, “How exactly did we get here?”

One of the fundamental enablers of this change, and of the increase in productivity, is the
shift to rapid product development cycles—particularly in the case of software. Feature-
rich applications that were impossible to develop and deploy in the recent past are now
conceived of and deployed with lightning speed. The increased intensity of business
competition has driven this demand for faster and better products made available in the
marketplace. In the future, the stakes will become even greater, as competition in every
sector continues to escalate. Still, entrepreneurs and visionaries will press on in spite of
the risks, and deliver new technologies in better ways.

The Internet

Buying groceries, paying bills, purchasing clothes, seeking medical advice—cyberspace
has become a vital part of everyone’s daily lives. According to the Information
Technology Association of America (ITAA), total worldwide Internet users now exceed
600 million. In 2008, the number of users worldwide will pass the three-billion mark. In
fact, the Internet is the most rapidly adopted technology ever—it has taken only eight
years for it to reach 58 percent of households (versus 38 years for the telephone).

The Internet Is Big Business

First came the dot-com explosion, with most “old economy” companies rushing to put up
an electronic retail storefront. This business-to-consumer (B2C) marketplace quickly
mushroomed into billions of dollars in value. Most recently, ferocious competition has
made it tougher for “old economy” companies to maintain their advantage. Today, the
strategic shift for most companies has been to the business-to-business (B2B)
marketplace in which companies can partner in a “virtual village”—and thereby increase
sales, lower costs, and increase productivity. Instead of just being another sales or
communications vehicle to the end consumer, the Internet has become integrated into the
corporate infrastructure. Coinciding with this increased technological integration of the
Internet, the value of the average transaction has also increased dramatically.

The New Economy

E-commerce business is emerging as the “new economy,” which is the increase in
productivity made possible by technology that allows you to collect and share more
information than ever before. With more companies running technology-based businesses
and connecting systems internally and externally, more sensitive data is now being kept
in systems that are available to an increased number of individuals and entities.
Underneath everything is the supporting technological infrastructure that makes the “new
economy” possible. This infrastructure is made up of legacy systems, client/server
systems, and a myriad of new operating systems, applications, and devices. The “glue”
holding all of these systems together is the skilled knowledge workers, who work harder
and faster to produce more.

Where Old Meets New

The longer the Internet is around, the more people agree that the perceived distinction
between “old economy” and “new economy” is meaningless. In fact, what has been
taking place is a melding of business processes and technologies to produce better goods
and services. However, the challenge facing most organizations is that integration is
rarely an easy thing—particularly when moving at Internet speed. Despite the best efforts
of seasoned IT professionals, enterprises accelerating to Internet speed in the new digital
economy will suffer IT mishaps due to the vicious cycle of increasing features, limited
resources, and compromised quality objectives.

Flawed Infrastructure

Certainly, there have been tremendous quality improvements in many areas of systems
development and integration. Without these efforts, you would not have the widely
adopted Internet that exists today. However, that does not mean that responsible IT
managers can bury their heads in the sand and assume that the existing infrastructure is
sufficient to protect the billions of dollars being transacted via e-commerce. Here are a
few reasons why you will need to work hard to improve the infrastructure going forward,
if you are to have a reliable and trusted “e”-conomy:

• Decreased amount of time for product testing and quality assurance
• Not enough IT resources available to get the job done well
• Proliferation and availability of network intrusion (“hacking”) tools
• Security focus is still an afterthought when it comes to product development[3]

Any threats to these systems would mean costly downtime that can affect your economic
health. It is obvious that the survival of this cyber marketplace will depend mainly on
safety, security, and trust.
“VeriSign Internet Security Education: E-Commerce Survival Training,” © 2003
VeriSign, Inc. All rights reserved. Verisign, Inc., 1350 Charleston Road, Mountain View,
California 94043, 2003.

Emergence of Cyber Crime

Unfortunately, not everyone is using the Internet in a positive way. The Internet has not
only allowed you to communicate around the world, it has also opened up the doors for
electronic crime. The Computer Security Institute’s (CSI’s) 2002 Computer Crime and
Security Survey raised the level of awareness and aided in determining the scope of cyber
crime. This survey of large corporations revealed that 73 percent of the respondents
detected the unauthorized use of their computer systems in the last year.

During the past few years, the most serious financial losses due to attacks have occurred
through theft of proprietary information and financial fraud, according to CSI. Sixty-nine
respondents in CSI’s 2002 Computer Crime and Security Survey reported a total loss of
$99,019,000 in theft of proprietary information while 87 respondents reported a total loss
of $88,229,000 in financial fraud. These 2002 totals were higher than the combined totals
of the previous six years! The survey also confirmed that the following trends have
evolved over the past few years:

• A broad spectrum of attacks has been spotted.
• Cyber attacks are hitting organizations from the inside and outside.
• Huge financial losses are reported due to cyber attacks.
• Information security technologies are not the sole solution to prevent these

Outside Attacks

Internet users are starting to realize the severity of these attacks. In the past eight years,
the CSI has found that people are more aware of attacks happening, rather than being in
denial. The following types of attacks have been recognized in the wide spectrum of
cyber crime.

Unauthorized Intrusion

Networks that are not 100 percent protected are prime targets for external intrusion.
Between 380 and 500 Web page hacks occur every week at small Web sites; on larger
sites, the magnitude is greater. The New York Times Web site was recently brought
down for 12 hours and then vandalized. Information that is tampered with leads to
financial losses, service disruptions for a company’s site, and potentially irreparable
damage to the corporate brand.

Service Denial

Similar to unauthorized intrusion, malicious denial of service also results in the loss of
revenue and reputation. Big name Internet companies, such as Hotmail, Yahoo!, and
Amazon.com, recently experienced denial-of-service (DoS) attacks. Hotmail’s site shut
down for six consecutive days, not only preventing seven million users from accessing it,
but also scarring the reputation of Hotmail.

Malicious Downloads

The “Email Bomb,” including the ILOVEYOU and Melissa viruses, has plagued e-mail
addresses. More recently, Microsoft’s computer system was hacked by a Trojan horse
called QAZ, due to a few machines being unprotected. Security experts confirm that “this
is all it takes” and hope that this will be a lesson for other companies to keep their
antivirus software updated and to educate their employees on good security practices.

Inside Attacks

Recently, more media attention has been placed on the “sexy cyberattacks” previously
cited, rather than insider attacks. But, in reality, more of the widespread attacks are now
coming from insiders. CSI confirmed this when it reported that the majority of the attacks
in the past year have been from insider abuse and unauthorized access.

And, insiders are not just trustworthy employees. Business partners, subsidiaries, and
third-party suppliers have the same access as traditional employees of a company.

Threats Due to Lack of Security

Cybercrime is not the only reason for malicious attacks. Could it be that companies
themselves are not taking the necessary preventive measures? See sidebar, “Lists of
Mistakes” for the answer.

Lists of Mistakes

According to the SANS Institute, the answer to the preceding question is “Yes!” SANS
has developed the following three lists of mistakes people make that enable attackers.

End Users: The Five Worst Security Mistakes

1. Opening unsolicited e-mail attachments from unreliable sources
2. Forgetting to install security patches, including ones for Microsoft Office,
Microsoft Internet Explorer, and Netscape
3. Downloading screen savers or games from unreliable sources
4. Not creating or testing backups
5. Using a modem while connected through a local area network

Corporate Management: The Seven Top Errors That Lead to Computer Security

1. Not providing training to the assigned people who maintain security within the
2. Only acknowledging physical security issues while neglecting the need to secure
3. Making a few fixes to security problems and not taking the necessary measures to
ensure the problems are fixed
4. Relying mainly on a firewall
5. Failing to realize how much money intellectual property and business reputations
are worth
6. Authorizing only short-term fixes so problems reemerge rapidly
7. Pretending the problem will go away if ignored

IT Professionals: The Ten Worst Security Mistakes

1. Connecting systems to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found
4. Using unencrypted protocols for managing systems, routers, firewalls, and PKI
5. Giving users passwords over the phone or changing them when the requester is
not authenticated
6. Failing to maintain and test backups
7. Running unnecessary services
8. Implementing firewalls with rules that do not prevent dangerous incoming or
outgoing traffic
9. Failing to implement or update virus detection software
10. Failing to educate users on what to do when they see a potential security

Cyber Security Need

As the Internet expands more and more rapidly, there is a greater and greater need for
tighter security measures. A recent survey by ITAA found cyber security to be the next
“top priority” issue facing the IT industry around the globe.

Likewise, according to the Carnegie Mellon Institute’s Computer Emergency Response
Team Coordination Center (CERT/CC), the number of security-related incidents in the
third and fourth quarters of 2002 has almost totaled the number in the entire year of 2001.
It is obvious that instead of “reacting” to the problem, a strategic plan of attack is needed.
Education will be the next step.

Internet Security Education

To truly be successful in the digital economy, every company will have to rely on a
combination of products, services, and training provided by partners. It is too risky and
inefficient for any company to supply all of these from internal resources.


Business buyers are now able to choose from a wide selection of competitively
manufactured and priced goods. From PCs to routers to firewalls—the options are


Ongoing services are critical for companies because they allow them to be current with
the latest technologies available in the marketplace. They enable companies to embrace
best-of-breed products and to continually gain knowledge.


Only 42 percent of IT training is provided by in-house employees. Due to rapid changes
in technology, organizations must rely on outside expertise. Simply put, if you don’t keep
your IT employees well-trained, your technology becomes quickly outdated. This is
particularly true in the area of information security where the tools and techniques change
with exceptional frequency. Internet security education is critical to providing the proper
deployment of security solutions.

Technology makes it possible, and training makes it happen! Get the answers before you
need to start asking the questions!

Now, let’s take a very brief look at specific threats to e-commerce application security
and how to provide guidance on effective approaches to e-commerce application
protection. E-commerce applications require a new, secure, technological approach to
threat categories.

E-Commerce Application Security Technology Essentials

In today’s marketplace, across all industry segments, businesses are realizing that
transformation to e-business is required to remain competitive. Analysts predict that
companies not making the necessary changes will be overrun by their competition. As
enterprises around the world undergo transformations, they are increasingly leveraging
Internet technologies to help:

1. Broaden their markets by extending their reach globally.
2. Enter new business areas through collaborations or expanded services made
possible with Web-based interactions.
3. Increase employee productivity by providing easier access to corporate
information and services.
4. Reduce costs through improved operations that integrate Web access and
traditional IT systems[1].

The e-business transformation is not only changing the competitive landscape, it is
changing the very nature of how enterprises view security. Data and transaction security
is of paramount importance in this age of rapidly expanding commercial and public
computer networks and the emerging Internet economy. For an e-business transformation
to be successful, the role that security plays has to become a top priority in every
company that makes use of information technology.

In other words, the Internet has forever changed the way business gets done. E-
commerce-based applications are enabling interaction among customers, prospects, and
partners. Unfortunately, many e-commerce-based applications have inherent
vulnerabilities and security-oriented design flaws. Internet-based attacks exploit these
weaknesses to compromise sites and gain access to critical systems.

Security awareness for e-commerce-based applications is, therefore, essential to an
organization’s overall security posture. The key to a successful program is an integrated,
multilayer approach to vulnerability assessment (VA), intrusion detection system (IDS),
and event correlation.

This part of the chapter very briefly highlights emerging threats specific to e-commerce
application security and provides guidance on effective approaches to e-commerce
application protection. E-commerce applications require a new approach to threat
categories. Nevertheless, improved security relative to e-commerce applications can be
easily achieved through the effective leverage of existing software solutions.

A Growing Threat

As businesses open their networks to business partners, customers, and their mobile
workforce[2], they are significantly increasing both the value and vulnerability of their
online assets. Security incidents are costly, with organizations losing productivity as well
as experiencing business interruption, legal exposure, and shareholder liability. Merger
and acquisition due diligence and insurability concerns, as well as regulatory
requirements, are generating even broader awareness that information protection is a
critical need.

Most organizations already have some degree of online security infrastructure—firewalls,
intrusion detection systems, operating system hardening procedures, and so on. The
problem is that they often overlook the need to secure and verify the integrity of
internally developed applications and coded pages against external attacks. In these
circumstances, simple manipulation of client code or data, such as changing the price of
goods in an online shopping basket application or sending corrupt and incorrect data to
the server, can lead to fraudulent transactions or theft of confidential information. An
understanding of manipulation techniques combined with rigorous client-side security
testing will lead to greater security.

Rigorous Client-Side Testing Is Required

Direct attacks against e-commerce applications through manipulation of their inherent
vulnerabilities have become commonplace because they are relatively easy to carry out.
Rigorous client-side security testing and an understanding of manipulation techniques
are essential to identifying the potential failure points of e-commerce applications.

The most prevalent methods of attack on applications include buffer overflow attacks,
exploitation of application component privileges, and client-side manipulation. On top of
the e-commerce server’s OS, several subcategories of applications exist in which
vulnerabilities may be exploited, including the following:

Database: Database application vulnerabilities for Microsoft SQL Server, Oracle,
Sybase, and IBM DB2, including bugs, misconfigurations, and default/blank passwords

Web and application server: Vulnerabilities for CGI, Java, Xquery, default files, and
other resources called by applications, as well as Web servers (IIS, Apache) and
development environments (ColdFusion, etc.)

Web site and application: HTML and XML applications; assessment functions include
Web crawling and step-through testing[4]

VA, the starting point for this process, is extremely important for both discovery and
identifying vulnerabilities. This process allows an organization to turn off unused
services, identify and patch vulnerable software, and make educated decisions about
which elements of the overall infrastructure require the most extensive protection.

Information gained through VA helps set up significantly more effective IDS
implementation and allows the IDS to feed attack and misuse information back into the
VA process to ensure that successful penetrations cannot be repeated. This process takes
place at the network, server, desktop, and application levels, and can additionally be used
to validate that an intrusion protection system is in place and functional.

Finally, it can be extremely difficult for any automated audit and assessment application
to know how custom applications will respond to cookie manipulation, form field
manipulation, and other e-commerce application threats without carrying out a complete,
link-to-link, application-specific assessment. This is a time-consuming, interactive
analysis best performed by someone with both security and Web development knowledge
—a rarely combined skill set. Organizations may need to dedicate additional staff to fully
realize and take advantage of the results promised by such analysis, or to outsource the
review to leverage the security and application programming expertise of an organization
with the appropriate skills specialization.
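As an added illustration of the shopping-basket price manipulation and the cookie and form-field manipulation described above (example code written for this page, not the book's or any vendor's), the following Go program contrasts a checkout handler that trusts a client-submitted price with one that takes only the SKU and quantity from the form and prices the line from a server-side catalogue, and it seals the basket cookie with an HMAC so that client-side edits are detected. The catalogue, SKUs, prices and key are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Constructed sample catalogue: the server's authoritative prices in cents, keyed by SKU.
var catalogue = map[string]int64{
	"BOOK-ECOM": 4995,
	"ROUTER-X":  19900,
}

// Order is what the server will charge for one submitted basket line.
type Order struct {
	SKU       string
	Quantity  int64
	TotalCent int64
}

// vulnerableCheckout trusts the price the browser posted (typically a hidden
// form field). Anyone can edit that field before submitting the form, so the
// server ends up charging whatever the client chose.
func vulnerableCheckout(form url.Values) (Order, error) {
	qty, err := strconv.ParseInt(form.Get("qty"), 10, 64)
	if err != nil {
		return Order{}, err
	}
	price, err := strconv.ParseInt(form.Get("price"), 10, 64) // client-controlled
	if err != nil {
		return Order{}, err
	}
	return Order{SKU: form.Get("sku"), Quantity: qty, TotalCent: price * qty}, nil
}

// hardenedCheckout takes only the SKU and quantity from the client, validates
// both, and prices the line from the server-side catalogue. A posted price
// field is ignored and flagged: a legitimate client of this form never sends one.
func hardenedCheckout(form url.Values) (Order, error) {
	sku := form.Get("sku")
	price, ok := catalogue[sku]
	if !ok {
		return Order{}, errors.New("unknown sku")
	}
	qty, err := strconv.ParseInt(form.Get("qty"), 10, 64)
	if err != nil || qty < 1 || qty > 100 {
		return Order{}, errors.New("quantity out of range")
	}
	if _, sent := form["price"]; sent {
		fmt.Println("warning: client submitted a price field; ignored")
	}
	return Order{SKU: sku, Quantity: qty, TotalCent: price * qty}, nil
}

// sealCookie binds a basket payload to an HMAC-SHA256 tag under a server-only
// key, so a client that edits the cookie value invalidates it.
func sealCookie(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// openCookie returns the payload only if the tag verifies under the same key;
// a tampered or forged cookie yields false and the basket is discarded.
func openCookie(key []byte, cookie string) (string, bool) {
	i := strings.LastIndexByte(cookie, '.')
	if i < 0 {
		return "", false
	}
	payload, tag := cookie[:i], cookie[i+1:]
	got, err := base64.RawURLEncoding.DecodeString(tag)
	if err != nil {
		return "", false
	}
	want := hmac.New(sha256.New, key)
	want.Write([]byte(payload))
	if !hmac.Equal(got, want.Sum(nil)) { // constant-time comparison
		return "", false
	}
	return payload, true
}

func main() {
	// Constructed tampered request: the price field of a 199.00 router was edited to 1.
	form, _ := url.ParseQuery("sku=ROUTER-X&qty=2&price=1")
	v, _ := vulnerableCheckout(form)
	h, _ := hardenedCheckout(form)
	fmt.Printf("vulnerable charges %d cents, hardened charges %d cents\n", v.TotalCent, h.TotalCent)

	key := []byte("constructed-server-secret")
	c := sealCookie(key, "ROUTER-X:1")
	_, ok := openCookie(key, strings.Replace(c, "ROUTER-X:1", "ROUTER-X:9", 1))
	fmt.Println("edited basket cookie accepted:", ok)
}
```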
“SiteScope Security Essentials,” Copyright © 2003 Mercury Interactive Corporation,
Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, Ca.
94089 2003.
Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
“Web Application Protection: Using Existing Protection Solutions,” © 2003 Internet
Security Systems — ISS, Inc. All rights reserved, Internet Security Systems — ISS, 6303
Barfield Road, Atlanta, GA 30328, 2003.


Today, more than ever, organizations are challenged with improving security without
incurring a corresponding increase in cost or burden to their existing staff. By comparing
the benefits of a new product to the total cost of that product, organizations will make
better choices that ultimately lead to greater security. Leveraging existing products is
quite often the quickest way to improving both security and the bottom line. Finally, in
many cases, organizations can address most of their e-commerce application concerns or
problems with the products they already own.
Chapter 15: Protocols for the Public Transport of Private Information

“The public have an insatiable curiosity to know everything. Except what is worth
knowing. Journalism, conscious of this, and having tradesman-like habits, supplies their

—Oscar Wilde (1854–1900)


The Internet and the proliferation of e-business have initiated a new era of data
acquisition and personalization. While opportunities for cultivating and cementing
customer relationships abound, companies are undergoing intense scrutiny to ensure that
they respect and protect consumer privacy.

The ability to capture and transport vast amounts of personally identifiable data is a
marketer’s dream. Yet if not handled prudently, this capability can turn into a customer’s
(and a company’s) worst nightmare. Today, companies must realize that their most
valuable asset is not the data—it’s the customer.

In the age of next-generation e-business, success hinges on a company’s ability to foster
and sustain profitable and open relationships with its most valuable customers. Now,
more than ever, any organization that fails to build consumer confidence and trust runs
the risk of losing market share to competitors who do.

Privacy: A Vital E-Business Enabler

Although Web-based consumer activity is often the focus of attention, respecting and
protecting privacy goes further than securing data retrieved online. As a matter of fact,
privacy management and control should extend to every customer touchpoint (from the
call center to fulfillment to shipping), while at the same time supporting enterprise
corporate directives. In order to realize and sustain e-business results, organizations need
to appreciate the following considerations.


E-business depends on trust—and a lot of it. All commerce involves some level of trust;
however, e-business requires more of it because buyers are asked to provide greater
amounts of personal information to online vendors they typically know little, if anything,
about. Furthermore, increasing numbers of Web-based consumers understand that the
frontend interface is connected to a backend infrastructure, making the confidentiality of
their data even more tenuous.

Customers’ Trust

You can’t win customers’ trust if you don’t respect their privacy. Organizations that
collect potentially sensitive information become custodians of personal data. Obviously,
this trust must not be betrayed. IT systems and privacy policies need to protect personal
data from theft and any unauthorized distribution or use. It is not just a matter of ethics—
it is sound business practice.

Companies that violate consumer privacy needs make the foolish and potentially fatal
mistake of valuing the data more than the relationship. At the same time, customers who
are not comfortable with a company’s privacy policy may likely conduct their business

Respecting Privacy

Respecting privacy takes more than mere adherence to laws and regulations. Given
today’s e-business landscape, where information is now a heavily sought-after
commodity, it is no surprise that government is stepping in to mandate consumer privacy.
However, no regulation, despite how well-crafted, can match everybody’s needs and
preferences. Furthermore, as privacy preferences change over the course of an
individual’s life, the government cannot always be relied upon to operate in sync with
such shifts.

Consequently, the onus of effective, real-time privacy protection rests on the enterprise.
Not only do governments require it—consumers demand it.

Customer Privacy Needs

Companies benefit when they harness their understanding of customer privacy needs.
Customer relationships and loyalty are fortified when strong privacy practices are
employed. Treating people the way they want and ask to be treated (and communicating
those efforts back to the marketplace) is a strong one-to-one customer relationship
management approach—and can offer companies a real competitive edge.

Heightening E-Business Results

Finally, companies can heighten e-business results when they value the customer over the
data. An enterprise solution is key to integrating privacy into policies, e-business
strategies, and processes. Thus, the following are the ground rules for e-business privacy:

• Businesses are custodians of personal data and must protect and secure it from
theft and misuse.
• Companies need to know their customers, while being as open with them as they
want their customers to be in return.
• Customers are likely to share more personal data if they are convinced their
privacy is strongly protected.
• Gaining consumer trust, respect, and confidence is not a static event or policy; it
is an ongoing process that requires continuous management.
• Privacy preferences are really critical customer needs.
• Privacy management can be a one-to-one marketing opportunity.
• Relationships with your customers are more valuable than the data. When
customers feel respected, they are typically more loyal.
• When organizations build and support an enterprise-wide privacy solution, the
potential return on e-business can be enormous[1].

The preceding rules are a challenge, considering the rigorous demands of myriad
industries, on any platform (with consideration for changing technologies) from
mainframe to wireless[3]. However, when privacy is built into every aspect of the
organization, the highest returns can be realized from loyal, valued customers.
Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

Creating a high-security, high-performance, e-business infrastructure demands close
coordination of both technical and management policies and procedures. Additionally, e-
business security is evolving from an old notion of an information fortress that keeps
others out, to a new notion of privacy and trust as you give customers, partners, and
remote employees access to your business data. Although allowing access is the very
basis of e-business, it also adds levels of complexity far beyond the traditional security
model. The time and costs associated with monitoring external connections, internal
activities, and vulnerabilities can be overwhelming.

Finally, International Data Corporation (IDC) research predicts that over time, the
pressure to outsource security and privacy solutions will increase as the shortage of
skilled IT professionals continues. But, whether you look to an external service provider
or in-house to implement a new security infrastructure, you must take a series of specific
steps to consider goals and basic capabilities. Without a blueprint based upon technical
and business assessments, you cannot hope to create a system that is secure, up-to-date,
and encompasses the divergent needs of greater information sharing and privacy.
Chapter 16: Building an E-Commerce Trust Infrastructure
“When a man assumes a public trust, he should consider himself as public property.”

—Thomas Jefferson (1743–1826)


A secure e-commerce Web site can provide businesses with powerful competitive
advantages, including increased online retail sales and streamlined application processes
for products such as insurance, mortgages, or credit cards. E-commerce credit card sales
can be especially lucrative; according to independent analysts, cash transactions on the
Internet will reach $13 billion in 2004, and $74 billion in 2009. By offering products and
services on the Web, businesses can gain unique benefits:

• New customers
• Cost-effective delivery channel
• Streamlined enrollment
• Better marketing through better customer knowledge[1]
“Setting Up an E-Commerce Infrastructure,” © 2003 VeriSign, Inc. All rights reserved.
VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA

New Customers

Anyone with an Internet connection is a potential customer; millions around the world
are already using the Internet for business transactions. Web storefronts are open 24 hours
a day, and require no investments in brick and mortar.

Cost-Effective Delivery Channel

Many products and services, such as software or information, can be distributed directly
to customers via the Web. This enhances the customer experience and increases
profitability by eliminating the shipping and overhead costs associated with order

Streamlined Enrollment

Paper-based enrollment workflows are fraught with delays. Applications for insurance, a
mortgage, or a credit card, for example, can be held up in the mail. And once received,
application information must be entered into computer systems manually, a labor-
intensive process that can introduce errors. By accepting applications via a secure Web
site, businesses can speed application processing, reduce processing costs, and improve
customer service.

Better Marketing Through Better Customer Knowledge

Establishing a storefront on the Web positions enterprises for one-to-one marketing—the
ability to customize products and services to individual customers rather than large
market segments. The Web facilitates one-to-one marketing by enabling businesses to
capture information about demographics, personal buying habits, and preferences. By
analyzing this information, enterprises can target merchandise and promotions for
maximum impact, tailor Web pages to specific consumers, and conduct effective, tightly
focused marketing campaigns.

No business can afford to ignore this opportunity. But businesses also can’t ignore the
potential pitfalls. Before entering the fiercely competitive e-commerce arena, businesses
must carefully assess and address the accompanying risks.

How to Build an Infrastructure for Trusted E-Commerce

The solution for meeting each of the preceding goals includes two essential components:
digital certificates for Web servers, to provide authentication, privacy, and data integrity
through encryption; and a secure online payment management system, to allow e-
commerce Web sites to securely and automatically accept, process, and manage payments
online. Together, these technologies form the essential trust infrastructure for any
business that wants to take full advantage of the Internet.

Public Key Cryptography and Digital Certificates

This part of the chapter presents background technical information on cryptographic
systems. This includes Public Key Cryptography (PKC) and the system underlying SSL
—the basis for every e-commerce trust infrastructure.

Encryption is the process of transforming information before communicating it to make it
unintelligible to all but the intended recipient. Encryption employs mathematical
formulas called cryptographic algorithms, or ciphers, and numbers called keys, to encrypt
or decrypt information.

Symmetric Cryptography

Until recently, symmetric encryption techniques were used to secure information
transmitted on public networks. Traditional, symmetric cryptographic systems are based
on the idea of a shared secret. In such a system, two parties that want to communicate
securely first agree in advance on a single “secret key” that allows each party to both
encrypt and decrypt messages.

Symmetric cryptography has several drawbacks. Exchanging secret keys is unwieldy in
large networks. Furthermore, the sharing of secret keys requires both senders and
recipients to trust, and, therefore, to be familiar with, every person they communicate
with securely. Also, symmetric systems require a secure channel to distribute the “secret”
keys in the first place. If there is indeed such a secure channel, why not use it to send the
entire secret message?

In today’s Web-based systems involving many participants and transitory interactions
with strong cryptography requirements, such symmetric key-based systems are highly
impractical as a means for agreeing upon the necessary secrets to begin communicating
securely. This problem, the key agreement, or key distribution problem, is part of a larger
problem that is central to the modern understanding of cryptographic systems—the key
management problem (described in greater detail later in the chapter). Together, they
represent the fundamental challenge in designing effective cryptography systems for
modern computing systems. Symmetric key encryption plays an important role in the
SSL protocol, along with asymmetric public key encryption.

Public Key Cryptography

Today’s public key, or asymmetric, cryptography systems are a considerable improvement
over traditional symmetric cryptography systems in that they allow two parties to
exchange data privately in the presence of possible eavesdroppers, without previously
agreeing on a “shared secret.” Such a system is called “asymmetric” because it is based
on the idea of a matched cryptographic key pair in which a cryptographic key is no longer
a simple “shared secret,” but rather is split into two subkeys, the private key and public

Abstractly, a participant wanting to receive encrypted communications using an
asymmetric cryptography system first generates such a key pair, keeping the private-key
portion as a secret and “publishing” the public-key portion to all parties that want to
encrypt data for that participant. Because encrypting data requires only access to the
public key, and decrypting data requires the private key, such a system in principle can
sidestep the first layer of complexity in the key management problem because no shared
secret need be exchanged.

Modern Cryptography Systems: A Hybrid Approach

In fact, a combination of both public key and traditional symmetric cryptography is used
in modern cryptographic systems. The reason for this is that public key encryption
schemes are computationally intensive versus their symmetric key counterparts. Because
symmetric key cryptography is much faster for encrypting bulk data, modern
cryptography systems typically use public key cryptography to solve the key distribution
problem first, then symmetric key cryptography is used to encrypt the bulk data.

Such a scheme is used by today’s SSL protocol for securing Web transactions and by
secure e-mail schemes such as Secure/Multipurpose Internet Mail Extensions (S/MIME)
that are built into such products as Netscape Communicator and Microsoft Internet

The Key Management Problem

Underlying every cryptographic system is a set of practical problems and questions
involving privacy, security, and overall confidence in the underlying confidentiality
features of the system. In principle, the techniques of asymmetric and symmetric
cryptography are sufficient to resolve the security questions and properties previously
described. For example, today’s Web browsers use the public key of a Web site in order
to send credit card numbers over the Web. Similarly, one can protect access to files and
data using a private symmetric key to scramble the information before saving it.

However, in practice, each of these problems requires a “certified” public key in order to
operate correctly without third parties being able to interfere. This leads to a second set of
questions. For example, how can you be sure that the public key that your browser uses to
send credit card information is in fact the right one for that Web site, and not a bogus
one? And, how can you reliably communicate your public keys to your correspondents so
that they can rely on it to send you encrypted communications?

What is needed in order to address such concerns is the notion of a “secure binding”
between a given entity that participates in a transaction and the public key that is used to
bootstrap secure communication with that entity using asymmetric public key
cryptography. The next part of the chapter describes how a combination of digital
signatures and X.509 digital certificates (which employ digital signatures), including SSL
certificates, fulfills this role in e-commerce trust systems.

Digital Signatures

Digital signatures are based on a combination of the traditional idea of data hashing with
public key-based encryption. Most hash functions are similar to encryption functions. In
fact, some hash functions are just slightly modified encryption functions. Most operate by
grabbing a block of data at a time and repeatedly using a simple scrambling algorithm to
modify the bits. If this scrambling is done repeatedly, then there is no known practical
way to predict the outcome. It is not, in general, practical for someone to modify the
original data in any way while ensuring that the same output will emerge from the hash
function. These hash-based signature algorithms use a cryptographically secure hash
function, such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA), to produce
a hash value from a given piece of data.

Because the digital signature process is central to the idea of a digital certificate (and in
turn, the digital certificate is the primary tool to ensure e-commerce security), it’s useful
to look at a diagram of the process. Figure 16.1 illustrates the steps taken by a sender in
forming a digitally signed message, as well as the steps a recipient takes in verifying that
the signed message is valid[1].

The first step is to take the original message and compute a “digest” of the outgoing
message using a hashing algorithm. The result is a “message digest,” which is typically
depicted as a long string of hexadecimal digits (and manipulated by software as binary
data). In the next step, the sender uses his private key to encrypt the message digest.

The original message content, together with the encrypted digest, forms a digitally signed
message, as depicted in the center of Figure 16.1. This digitally signed message is
suitable for delivery to the recipient. On receipt, the receiver verifies the digital signature
using an inverse set of steps: first, the encrypted digest is decrypted using the sender’s
public key. Next, this result is compared to an independent computation of the message
digest value using the hashing algorithm. If the two values are the same, the message has
been successfully verified.

Note No actual encryption of the message content itself need take place. Only the digital
signature itself is encrypted while the message is in transit (unless, of course, there
are privacy concerns, in which case the message content should be encrypted as

Why is a digital signature compelling evidence that only the intended signer could have
created the message? For example, what if interlopers were to change the original
message? It was not encrypted, after all, and could have been changed by a third party in
transit. The answer is that if such a change had been made, then the decrypted, original
message digest wouldn’t have matched the recomputed one for the changed data in the
message. Verification of the digital signature would fail. Similarly, the creation of a bogus
signature is impractical because an interloper doesn’t have the appropriate private key.
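The sign-and-verify round trip just described, as an added Python example (not code from the book): a constructed toy RSA key pair built from two small Mersenne primes stands in for the signer’s key, SHA-256 produces the message digest, the private exponent “encrypts” the digest, and the recipient recovers it with the public exponent and compares it with a freshly computed digest. The key sizes, the second key pair used to forge a bogus signature, and the digest truncation are assumptions made to keep the arithmetic visible; they are not secure parameters.

```python
import hashlib

# Constructed toy RSA key pair (an assumption for this example). The primes are
# two Mersenne primes so the arithmetic is reproducible; they are far too small
# for real use, and real schemes (PKCS #1) pad the digest instead of truncating it.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                           # public modulus (about 150 bits)
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)     # given to correspondents (in practice, inside a certificate)
PRIVATE_KEY = (N, D)    # kept secret by the signer


def message_digest(message: bytes) -> int:
    """Step 1: hash the message with a cryptographic hash function (SHA-256).

    The digest is truncated to 18 bytes (144 bits) so that it is smaller than
    the toy modulus; a real scheme keeps the full digest and pads it.
    """
    digest = hashlib.sha256(message).digest()[:18]
    return int.from_bytes(digest, "big")


def sign(message: bytes, private_key: tuple) -> int:
    """Step 2: encrypt the digest with the signer's private key (digest^d mod n)."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Recipient: decrypt the signature with the sender's public key (sig^e mod n)
    and compare it with an independently recomputed digest of the received message."""
    n, e = public_key
    recovered_digest = pow(signature, e, n)
    return recovered_digest == message_digest(message)


def demo() -> dict:
    """Signs a constructed order message and reports which checks pass or fail."""
    message = b"Order 42: ship 10 widgets to 1 Example Road"
    signature = sign(message, PRIVATE_KEY)

    # An interloper changes the (unencrypted) message body in transit.
    tampered = message.replace(b"10 widgets", b"99 widgets")

    # A bogus signature from someone who lacks the private key: here a second
    # constructed key pair (also toy Mersenne primes) re-signs the message.
    p2, q2 = (1 << 107) - 1, (1 << 127) - 1
    n2 = p2 * q2
    d2 = pow(E, -1, (p2 - 1) * (q2 - 1))
    bogus_signature = sign(message, (n2, d2))

    return {
        "genuine_message_verifies": verify(message, signature, PUBLIC_KEY),
        "tampered_message_verifies": verify(tampered, signature, PUBLIC_KEY),
        "bogus_signature_verifies": verify(message, bogus_signature, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running `demo()` shows the two failure modes the paragraph describes: once the body is altered, the digest recovered from the signature no longer matches the recomputed one, and a signature made with a different private key does not decrypt to the right digest under the genuine public key, so both verifications fail while the untouched message verifies.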

Digital Certificates

A digital certificate is an electronic file that uniquely identifies individuals and Web sites
on the Internet and enables secure, confidential communications. It associates the name
of an entity that participates in a secured transaction (for example, an e-mail address or a
Web site address) with the public key that is used to sign communication with that entity
in a cryptographic system.

Typically, the “signer” of a digital certificate is a “trusted third party” or “certificate
authority” (CA; such as VeriSign). In addition, all participants who use such certificates
agree that the CA is the point of secure storage and management of the associated private
signing key. The CA issues, creates, and signs certificates, as well as possibly playing a role in their

Using digital certificates simplifies the problem of trusting that a particular public key is
in fact associated with a participating party, effectively reducing it to the problem of
“trusting” the associated CA service. Digital certificates, therefore, can serve as a kind of
digital passport or credential. This approach represents an advance in the key
management problem, because it reduces the problem of bootstrapping trust to the
problem of setting up (or in today’s marketplace, selecting as a vendor) the appropriate
CA functionality. All parties that trust the CA can be confident that the public keys that
appear in certificates are valid.

Use of Signer Certificates in Browsers

Digital certificates already play a fundamental role in Internet-based cryptography
systems. For example, consider the case of a secure Web transaction that takes place
when a user visits a Web storefront to make a credit card purchase. When the user’s
browser accesses a secure page, a public key from the Web store has already been
delivered to the client browser in the form of an X.509 digital certificate. All this happens
transparently to the user at the time the secure connection is set up.

The browser trusts the certificate because it is signed, and the browser trusts the signature
because the signature can be verified. And, why can it be verified? Because the signer’s
public key is already embedded in the browser software itself. To see this in the particular
case of a browser, begin by clicking on the Security icon on the main toolbar, as shown in
Figure 16.2[1].

Under Certificates, choose Signers, and scroll down the list, as shown in Figure 16.3[1]. A
window similar to that shown in Figure 16.4 should appear[1].

Next, select a particular certificate and click on the Edit button. A display similar to the
one shown in Figure 16.5 should appear[1].

This is a representation of an X.509 digital certificate. Although X.509 certificates come
in three different versions, certificates like the one displayed in Figure 16.5 are the ones
most commonly encountered in today’s cryptography systems. Such a certificate
consists of the following fields to identify the owner of the certificate and the trusted CA
that issued the certificate:

• Version
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
• Subject (user) name
• Subject public-key information
• Issuer unique identifier
• Subject unique identifier
• Extensions
• Digital signature for the preceding fields[1]

Although only a few of the preceding fields (version, serial number, issuer name, and
subject name) correspond to the display elements shown in Figure 16.5, these basic
elements give an idea of what a typical certificate contains. In other words, the certificate
shown in Figure 16.5 displays only a few of the basic fields. A more detailed dump of
raw certificate content might look like the following[1]:

Version: v3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: CN=Root CA, OU=CIS, O=Structured Arts Computing Corporation, C=US
Validity:
    Not Before: Fri Dec 5 18:39:01 1997
    Not After:  Sat Dec 5 18:39:01 1998
Subject: CN=Test User, OU=Test Org Unit, O=Test Organization,
Subject Public Key Info:
    Algorithm: PKCS #1 RSA Encryption
    Public Key:
        Public Exponent: 65537 (0x10001)
Extensions:
    Identifier: Certificate Type
        Critical: no
        Certified Usage:
            SSL Client
    Identifier: Authority Key Identifier
        Critical: no
        Key Identifier:
Signature:
    Algorithm: PKCS #1 MD5 With RSA Encryption

The next part of the chapter describes how SSL digital certificates for Web servers apply
cryptographic techniques to secure e-commerce Web sites.

SSL Server Certificates

The practical means of implementing PKI and digital signatures are via Web server
certificates that enable authentication and SSL encryption. SSL certificates form the basis
of an Internet trust infrastructure by allowing Web sites to offer safe, secure information
exchange to their customers. SSL server certificates satisfy the need for confidentiality,
integrity, authentication, and nonrepudiation.
SSL Defined

SSL, originally developed by Netscape Communications, is an information technology
for securely transmitting information over the Internet. The SSL protocol has become the
universal standard on the Web for authenticating Web sites to Web browser users, and for
encrypting communications between browser users and Web servers.

Server certificates are available from CAs (such as VeriSign)—trustworthy, independent
third parties that issue certificates to individuals, organizations, and Web sites. CAs use
thorough verification methods to ensure that certificate users are who they claim to be
before issuing them. CA’s own self-signed SSL digital certificates are built into all major
browsers and Web servers, including Netscape Communicator and Microsoft Internet
Explorer, so that simply installing a digital certificate on a Web server enables SSL
capabilities when communicating with Web browsers. SSL server certificates fulfill two
necessary functions to establish e-commerce trust: SSL server authentication and SSL

SSL Server Authentication

Server certificates allow users to confirm a Web server’s identity. Web browsers
automatically check that a server’s certificate and public ID are valid and have been
issued by a CA included in the list of trusted CAs built into browser software. SSL server
authentication is vital for secure e-commerce transactions in which users, for example,
are sending credit card numbers over the Web and first want to verify the receiving
server’s identity.

SSL Encryption

SSL server certificates establish a secure channel that enables all information sent
between a user’s Web browser and a Web server to be encrypted by the sending software
and decrypted by the receiving software—thus protecting private information from
interception over the Internet. In addition, all data sent over an encrypted SSL connection
is protected with a mechanism for detecting tampering—that is, for automatically
determining whether the data has been altered in transit. This means that users can
confidently send private data, such as credit card numbers, to a Web site, trusting that
SSL keeps it private and confidential.

How SSL Server Certificates Work

SSL certificates take advantage of SSL to work seamlessly between Web sites and
visitors’ Web browsers. The SSL protocol uses a combination of asymmetric public key
encryption and faster symmetric encryption. (See sidebar, “SSL Server Certificates
Steps” for more information.)

The Netscape Navigator and Microsoft Internet Explorer browsers have built-in security
mechanisms to prevent users from unwittingly submitting their personal information over
insecure channels. If a user tries to submit information to an unsecured site (a site without
an SSL server certificate), the browsers will, by default, show a warning.

In contrast, if a user submits credit card or other information to a site with a valid server
certificate and an SSL connection, the warning does not appear. The secure connection is
seamless, but visitors can be sure that transactions with a site are secured by looking for
the following cues:

• The URL in the browser window displays “https” at the beginning, instead of http.
• In Netscape Communicator, the padlock in the lower-left corner of the Navigator
window will be closed instead of open.
• In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE

SSL Strengths: 40-Bit and 128-Bit SSL

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session
key generated by every encrypted transaction. The longer the key, the more difficult it is
to break the encryption code. 128-bit SSL encryption is the world’s strongest; according
to RSA Labs, it would take a trillion years to crack using today’s technology. 128-bit
encryption is approximately 3 × 10^26 times stronger than 40-bit encryption.

Microsoft and Netscape offer two versions of their Web browsers, export and domestic,
that enable different levels of encryption depending on the type of SSL server certificate
with which the browser is communicating. First, 40-bit SSL server certificates (such as
VeriSign’s SSL Certificates) enable 40-bit SSL when communicating with export-version
Netscape and Microsoft Internet Explorer (IE) browsers (used by most people in the U.S.
and worldwide) and 128-bit SSL encryption when communicating with domestic-version
Microsoft and Netscape browsers. Second, 128-bit SSL server certificates (such as
VeriSign’s Global Server IDs) enable 128-bit SSL encryption (the world’s strongest) with
both domestic and export versions of Microsoft and Netscape browsers.

SSL Server Certificates Steps

The process begins by establishing an SSL “handshake”—allowing the server to
authenticate itself to the browser user, and then permitting the server and browser to
cooperate in the creation of the symmetric keys used for encryption, decryption, and
tamper detection:

1. A customer contacts a site and accesses a secured URL—a page secured by an
SSL certificate (indicated by a URL that begins with “https:” instead of just
“http:” or by a message from the browser). This might typically be an online order
form collecting private information from the customer, such as address, phone
number, and credit card number or other payment information.
2. The customer’s browser automatically sends the server the browser’s SSL version
number, cipher settings, randomly generated data, and other information the
server needs to communicate with the client using SSL.
3. The server responds, automatically sending the customer’s browser the site’s
digital certificate, along with the server’s SSL version number, cipher settings,
and so on.
4. The customer’s browser examines the information contained in the server’s
certificate, and verifies that:
a. The server certificate is valid and has a valid date.
b. The CA that issued the server certificate has been signed by a trusted CA whose
certificate is built into the browser.
c. The issuing CA’s public key, built into the browser, validates the issuer’s
digital signature.
d. The domain name specified by the server certificate matches the server’s
actual domain name.

If the server cannot be authenticated, the user is warned that an encrypted,
authenticated connection cannot be established.

5. If the server can be successfully authenticated, the customer’s Web browser
generates a unique “session key” to encrypt all communications with the site
using asymmetric encryption.
6. The user’s browser encrypts the session key itself with the site’s public key so that
only the site can read the session key, and sends it to the server.
7. The server decrypts the session key using its own private key.
8. The browser sends a message to the server informing it that future messages from
the client will be encrypted with the session key.
9. The server then sends a message to the client informing it that future messages
from the server will be encrypted with the session key.
10. An SSL-secured session is now established. SSL then uses symmetric encryption
(which is much faster than asymmetric PKI encryption) to encrypt and decrypt
messages within the SSL-secured “pipeline.”
11. After the session is complete, the session key is eliminated.

It all takes only seconds and requires no action by the user[1].

In order to fully enable 128-bit encryption with a Global Server ID, it’s important to
generate the right kind of private key during the process of obtaining an SSL certificate.
An important step in the process is generating a Certificate Signing Request (CSR) within
the Web server software. In generating a CSR, Web server administrators should be
careful to select a 1024-bit private key, which enables the Global Server ID to establish
128-bit SSL encryption, rather than a 512-bit private key, which enables only 40-bit

Netscape users can follow these steps to see what level of encryption is protecting their

• Go to the secure Web page you want to check.
• Click the Security button in Navigator’s toolbar. The Security Info dialog box
indicates whether the Web site uses encryption.
• If it does, click the Open Page Info button to display more information about the
site’s security features, including the type of encryption used.

You can also check to see which level of SSL is activated on your Web server by
following these steps:

• Using a 128-bit client, such as the domestic version of Netscape Navigator, click
Options/Security Preferences.
• Under the Enable SSL options, click Configure for both SSL 2 and SSL 3. Make
sure acceptance of the 40- and 56-bit encryption ciphers is turned off.
• Try to access the site. If it is using less than 128-bit security, then you will receive an
error in your browser window: “Netscape and this server cannot communicate
securely because they have no common encryption methods[1].”

IE users can find out a Web site’s encryption level by following these steps:

• Go to the Web site you want to check.
• Right-click on the Web site’s page and select Properties.
• Click the Certificates button.
• In the Fields box, select Encryption type. The Details box shows you the level of
encryption, 40-bit or 128-bit. (See the following section for more information
about SSL encryption levels.)[1].

E-businesses may choose to simplify the process of certificate checking for site visitors
by describing the security measures they have implemented in a Security and Privacy
statement on their sites. For example, sites that use VeriSign SSL Certificates can also
post the Secure Site Seal on their home page, security statement page, and purchase
pages. The Seal is a widely recognized symbol of trust that enables site visitors to check
certificates in real time from VeriSign with one click.

SGC and 128-Bit Step-Up

To ensure that strong, 128-bit encryption protects e-commerce transactions for all users,
businesses should install 128-bit IDs, such as VeriSign’s Global Server IDs, on their
servers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL
server certificates will allow strong, 128-bit encryption when interacting with 128-bit
server certificates because these certificates are equipped with a special extension that
enables Server Gated Cryptography (SGC) for Microsoft browsers and “International
Step-Up” for Netscape browsers.

The extension enables 128-bit encryption with export-version browsers by prompting two
“handshakes” when a user’s browser accesses a page protected by a Global Server ID.
When an export-version Netscape or Microsoft browser connects to the Web server, the
browser initiates a connection with only a 40-bit cipher. When the server certificate is
transferred, the browser verifies the certificate against its built-in list of approved CAs.
Here, it recognizes that the server certificate includes the SGC or International Step-Up
extension, and then immediately renegotiates the SSL parameters for the connection to
initiate an SSL session with a 128-bit cipher. In subsequent connections, the browser
immediately uses the 128-bit cipher for full-strength encryption.

Securing Multiple Servers and Domains with SSL

As organizations and service providers enhance their Web sites and extranets with newer
technology to reach larger audiences, server configurations have become increasingly
complex. They must now accommodate:

• Redundant server backups that allow Web sites and extranets to maximize site
performance by balancing traffic loads among multiple servers
• Organizations running multiple servers to support multiple site names
• Organizations running multiple servers to support a single site name
• Service providers using virtual and shared hosting configurations[1]

But, in complex, multiserver environments, SSL server certificates must be used carefully
if they are to serve their purpose of reliably identifying sites and the businesses operating
them to visitors and encrypting e-commerce transactions—thus, establishing the trust that
customers require before engaging in e-commerce. When used properly in an e-
commerce trust infrastructure equipped with multiple servers, SSL server certificates
must still satisfy the three requirements of online trust:

1. Client applications, such as Web browsers, can verify that a site is protected by an
SSL server certificate by matching the “common name” in a certificate to the
domain name (such as www.verisign.com) that appears in the browser. Certificates
are easily accessible via Netscape and Microsoft browsers.
2. Users can also verify that the organization listed in the certificate has the right to
use the domain name, and is the same as the entity with which the customer is
3. The private keys corresponding to the certificate, which enable the encryption of
data sent via Web browsers, are protected from disclosure by the enterprise or ISP
operating the server[1].

The Certificate Sharing Problem

In order to satisfy the requirements of Internet trust, one SSL server certificate can be
used to secure each domain name on every server in a multiserver environment, and the
corresponding private keys can be generated from the hosting server. Some enterprises or
ISPs practice certificate sharing, or using a single SSL server certificate to secure
multiple servers. Organizations use certificate sharing in order to secure backup servers,
to ensure high-quality service on high-traffic sites by balancing traffic among several
servers, or, in the case of ISPs and Web hosts, to provide inexpensive SSL protection to
price-sensitive customers. However, as described next, certificate-sharing configurations
do not satisfy the fundamental requirements of Internet trust.

VeriSign Recommendations for Implementing SSL on Multiple Servers

Now, let’s look at some common shared certificate configurations for an e-commerce
trust infrastructure:

Fail-safe backup: Redundant servers, not used simultaneously.

Load balancing: Multiple sites with different common names on multiple servers.

Load balancing: Multiple sites with the same common name on multiple servers.

ISP shared SSL: One certificate issued to an ISP’s domain, used on multiple servers by
multiple Web sites.

Name-based virtual hosting: An ISP or Web Host provides each hosted customer with a
unique domain name, such as customername.isp.com[1].

Fail-Safe Backup

Certificate sharing is permissible. However, when the backup server is not under the
same control as the primary server, the private key cannot be adequately protected, and a
separate certificate should be used for each server.

Load Balancing: Multiple Sites with Different Common Names

To prevent browsers from detecting that the URL of the site visited differs from the
common name in the certificate, a different certificate should be used for each
server/domain name combination. A different certificate should also be used to protect the
security of private keys.

Load Balancing: Multiple Sites with the Same Common Name

Instead of jeopardizing private key functionality by copying the key for multiple servers,
a different certificate should be used for each server. Each certificate may have the same
common name and organizational name, but slightly different organizational unit values.

ISP Shared SSL

ISP shared SSL prevents site visitors from verifying that the site they are visiting is the
same as the site protected by the certificate and listed in the certificate itself. Each site’s
server should have its own certificate. Or, merchants must inform their customers that site
encryption is provided by the ISP, not the merchant, and the ISP must guarantee the
services of all the hosted companies whose sites use shared SSL.

Name-Based Virtual Hosting

If the same certificate is used for each domain name, browsers will indicate that the site
domain name does not match the common name in the certificate. To solve this problem,
a “wildcard” certificate of the form *.isp.com is required to properly serve the multi-
hostname configuration without creating browser mismatch error messages.
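Two of the browser-side checks from the handshake steps earlier in the chapter (step 4a, the validity period, and step 4d, the domain-name match) together with the wildcard rule of this section, as an added Python example that is not the book’s code. The validity timestamps are strings in a constructed “YYYY-MM-DD HH:MM:SS” UTC format, and the one-label wildcard rule (`*.isp.com` covers `customername.isp.com` but not `isp.com` or `a.b.isp.com`) is the conservative interpretation assumed here; the issuer-chain and signature checks (steps 4b and 4c) are left out.

```python
from datetime import datetime, timezone


def parse_cert_time(text: str) -> datetime:
    """Parses a validity timestamp written as 'YYYY-MM-DD HH:MM:SS' (assumed UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def validity_period_ok(not_before: str, not_after: str, now: str) -> bool:
    """Handshake step 4a: 'now' lies inside the certificate's Not Before / Not After window."""
    return parse_cert_time(not_before) <= parse_cert_time(now) <= parse_cert_time(not_after)


def hostname_matches(common_name: str, hostname: str) -> bool:
    """Handshake step 4d: does the certificate's common name cover the site's host name?

    Rules applied here (an assumption, chosen to be conservative):
      - comparison is case-insensitive and ignores a trailing dot;
      - an exact match always succeeds;
      - a wildcard of the form *.isp.com matches exactly one extra label
        (customername.isp.com), not the bare domain (isp.com) and not deeper
        names (a.b.isp.com), so one shared certificate cannot silently cover everything.
    """
    cn = common_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == host
    if not cn.startswith("*.") or "*" in cn[2:]:
        return False                      # only a leading, whole-label wildcard is honoured
    first_label, sep, parent = host.partition(".")
    return bool(first_label) and sep == "." and parent == cn[2:]


def check_server_certificate(common_name: str, not_before: str, not_after: str,
                             hostname: str, now: str) -> list:
    """Returns the problems a browser would warn about (an empty list means both checks pass)."""
    problems = []
    if not validity_period_ok(not_before, not_after, now):
        problems.append("certificate is outside its validity period")
    if not hostname_matches(common_name, hostname):
        problems.append(f"common name {common_name!r} does not match site {hostname!r}")
    return problems


def demo() -> dict:
    """Constructed multiserver scenarios from this section, checked on 1998-06-01 UTC."""
    now = "1998-06-01 00:00:00"
    window = ("1997-12-05 18:39:01", "1998-12-05 18:39:01")   # constructed validity period
    return {
        # ISP shared SSL: the ISP's own certificate reused on a hosted customer's site
        "shared_isp_cert_on_customer_site":
            check_server_certificate("www.isp.com", *window, "customername.isp.com", now),
        # Name-based virtual hosting with a wildcard certificate
        "wildcard_cert_on_customer_site":
            check_server_certificate("*.isp.com", *window, "customername.isp.com", now),
        # Wildcard does not reach the bare domain or a deeper host name
        "wildcard_cert_on_bare_domain":
            check_server_certificate("*.isp.com", *window, "isp.com", now),
        # Expired certificate with the right name
        "expired_cert":
            check_server_certificate("www.verisign.com", *window, "www.verisign.com",
                                     "1999-01-01 00:00:00"),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The shared-certificate scenario produces exactly the mismatch the section warns about, the wildcard certificate clears the hosted customer name without being accepted for the bare ISP domain, and an otherwise correct certificate is still rejected once its validity period has passed.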

Next, let’s examine the second key component of an Internet trust infrastructure: secure
online payment management.

Online Payment Services

After businesses have built a Web site and implemented SSL certificates to authenticate
themselves to customers and encrypt communications and transactions, they must address
another crucial component of an e-commerce infrastructure. This involves enabling
customers to easily pay for products and services online—and processing and managing
those payments in conjunction with a complex network of financial institutions.

Today’s fragmented Internet payment systems often connect online merchants to banks
via privately operated, point-to-point payment networks. In 2002, for example, over 9
billion electronic payment transactions (originating from approximately 6 million
merchant locations and representing over $690 billion in merchant dollar volume) were
passed over leased lines and non-Internet interfaces to a single transaction processor
(First Data Corporation).

This situation is rapidly changing. Internet commerce is entering an accelerated growth

phase. IDC estimates worldwide e-commerce revenues will increase to $652 billion in
2004. Behind each of these Internet purchases is a payment transaction. However,
traditional payment systems have proven to be ill-equipped to manage the costs and
complexity of transitioning and enabling transactions over the Internet. As a result, only a
fraction of today’s potentially automated e-commerce transactions are currently enabled
for Internet payment. The situation is particularly acute in the B2B payments arena—
today, most B2B systems stop short of enabling actual payment execution on the Web.

Demand is, therefore, high for a simpler, “Internet payment gateway” approach that
provides easier Internet connectivity between buyers, sellers, and the financial networks
that move money between them. A truly flexible Internet payment gateway must support
multiple payment instruments, connect to all relevant back-office payment processors,
and be packaged for easy integration into front-office Web applications. Ideally, the
gateway should also offer uniform interfaces to payment functionality, permitting e-
businesses to deploy payment applications that can be easily switched between
alternative financial instruments, institutions, and payment processors. And, to form part
of a complete e-commerce trust infrastructure, the gateway must ensure fail-safe security
for payment data as it passes from customer to Web site and through the backend
processing system.

Finally, some merchants may build an Internet payment gateway themselves, or purchase
a software-based solution. However, according to the Gartner Group, most e-merchants
have transaction volumes that do not justify the expense of bringing the process in-house,
and are opting to outsource ASP solutions.


Businesses that can manage and process e-commerce transactions can gain a competitive
edge by reaching a worldwide audience, at very low cost. But, the Web poses a unique set
of trust issues, which businesses must address at the outset to minimize risk. Customers
submit information and purchase goods or services via the Web only when they are
confident that their personal information, such as credit card numbers and financial data,
is secure.

Finally, the solution for businesses that are serious about e-commerce is to implement a
complete e-commerce trust infrastructure. PKI cryptography and digital signature
technology, applied via SSL digital certificates, provide the authentication, data integrity,
and privacy necessary for e-commerce. Internet payment gateway systems provide online
merchants with the ability to efficiently and securely accept and process a variety of
online payments from customers.

Chapter 17: Implementing E-Commerce Enterprise Application Security
“There are no such things as applied sciences, only applications of science.”

—Louis Pasteur (1822–1895)

Mergers, acquisitions, and multicompany collaborative federations are nothing new to the
e-commerce world. What is new and urgent is the need to secure a high number of critical
applications from unauthorized use, both from external and internal sources. Today’s e-
commerce characteristics, including remote workforces, wireless applications[1], corporate
partnership programs, CRM systems, and numerous others require organizations to
increase the availability of corporate information, which significantly increases security

The Challenge

Enterprise Application Integration (EAI) solves or simplifies many of the problems of
data access and resource management across the enterprise, but then, a whole new set of
issues surface. Once you have integrated your applications and business processes into a
single, virtual “business engine,” how do you control access to those applications and
processes, and the data that they manage?

In the past, companies maintained security by allowing only trusted insiders to access
sensitive corporate applications and data, through physically restricted access. However
the rise of e-commerce now requires those companies to allow their customers, prospects,
suppliers, and partners to access even the deepest reaches of the corporate “backend.” IT
management has been put on the horns of a dilemma: access versus barriers. If they
tighten security to eliminate the risk of electronic theft or vandalism, the business grinds
to a halt.

This is the central issue of enterprise security. How can an organization provide access to
multiple users or groups without compromising data security? This issue is further
complicated by e-commerce as the next step in the evolution of global companies. By
distributing applications and data across the Internet, institutions face a whole new set of
problems and threats controlling access to—and protecting the integrity of—data and
business processes.

Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

The Solution: Application Security Integration

Just as EAI technologies addressed the problems of data access and resource management
across the enterprise by integrating applications and business processes into a single,
virtual “business engine,” companies now need a set of easy-to-use tools and
technologies to control access to those same applications and processes. Today, a new
class of technology (Enterprise Application Security Integration, or EASI) is emerging to
ensure that the distributed enterprise is protected.

This chapter explores this new technology’s support of rapid deployment of secure e-
commerce applications. The technology, based on the integration of distributed
component computing and information security, represents new power to mount secure,
scalable e-commerce services. The chapter also describes how security enables new e-
commerce applications that were not previously feasible, and how e-commerce solutions
create new security responsibilities. Next, the chapter describes the many challenges of
enforcing security in component-based applications. Finally, the chapter formally
introduces EASI, which is used to tie together many different security technologies, and,
as a result, provide the framework for building secure component architectures.

EASI is fast becoming an essential part of any comprehensive enterprise architecture
plan. It has been recognized by analysts for its importance in securing the new e-
commerce infrastructure. GIGA Information Group encourages companies to embrace
this new model: organizations should incorporate the emerging EASI model into their
internal application security integration efforts and their buying decisions for all parts of
the application platform. And, they should drive their vendors toward alignment with the
emerging architecture.

Security as an Enabler for E-Commerce Applications

Corporations are discovering the power of online services to increase customer loyalty,
support sales efforts, and manage internal information. The common thread in these
diverse efforts is the need to present end users with a unified view of information stored
in multiple systems, particularly as organizations move from static Web sites to the
transactional capabilities of electronic commerce. To satisfy this need, legacy systems are
being integrated with powerful new e-commerce-based applications that provide broad
connectivity across a multitude of backend systems. These unified applications bring
direct bottom-line benefits, for example:

• On the Internet
• Via extranets
• With an intranet[1]

On the Internet

A bank cements relationships with commercial customers by offering increased
efficiency with online currency trading. This service requires real-time updates and links
to back-office transactional and profitability analysis systems.

Via Extranets

A bank and an airline both increase their customer bases with a joint venture—a credit
card that offers frequent flyer credits sponsored by the bank. This service requires joint
data-sharing, such as purchase payment and charge-back information, as well as decision
support applications to retrieve, manipulate, and store information across enterprise
boundaries. Additionally, employees from both companies will need to access some, but
not all, of the same information.

With an Intranet

A global manufacturer accelerates the organizational learning curve by creating a global
knowledge-sharing system for manufacturing research and development. Plant engineers
on one continent can instantly share process breakthroughs with colleagues thousands of
miles away.

[1] Hartman, Bret. “Enterprise Application Security Integration: An Overview,” © 2003
Quadrasis, Inc. All rights reserved. Quadrasis, Inc., 1601 Trapelo Road, Reservoir Place,
3rd Floor, Waltham, MA 02451 [Bret Hartman (Author), Donald J. Flinn (Author), and
Konstantin Beznosov (Author). Enterprise Security with EJB and CORBA®, John Wiley
& Sons; 1st edition (April 6, 2001)], 2003.

E-Commerce Applications Increase Risks

These new e-commerce applications can have a dark side. They can open a direct pipeline
to the enterprise’s most valuable information assets, presenting a tempting target for
fraud, malicious hackers, and industrial espionage.

Appropriate protections are a prerequisite for doing business, both for an organization’s
credibility with its stakeholders and its financial viability. For example:

• The bank and airline in a joint venture may compete in other areas or through
other partnerships. A secure barrier, permitting only authorized transactions, must
be erected between the two enterprise computing environments.
• The bank offering currency-trading needs to protect the integrity of its core
systems from unauthorized transfers or tampering.
• The manufacturer posting proprietary discoveries needs to ensure that their
competitors or subcontractors cannot tap into the system. Attacks from both the
outside and inside must be blocked[1].

Information Security Goals: Enable Use, Bar Intrusion

To secure information assets, organizations must open availability to legitimate users
while barring unauthorized access. In general, secure systems must provide the following
four protections:

Accountability: Detect attacks in progress or trace any damage from successful attacks.
Prevent system users from later denying completed transactions.

Availability: Ensure uninterrupted service to authorized users. Service interruptions can
either be accidental or maliciously caused by denial-of-service attacks.

Confidentiality: Safeguard user privacy[3] and prevent the theft of information both
stored and in transit.

Integrity: Ensure that electronic transactions and data resources are not tampered with at
any point, either accidentally or maliciously[1].

To provide the four preceding key protections, information security must be an integral
part of system design and implementation.

[3] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

E-Commerce Solutions Create New Security Responsibilities

The breadth of information security in e-commerce applications is broader than you
might expect. Many system architects and developers are accustomed to thinking about
security as a low-level topic, dealing only with networks, firewalls, operating systems,
and cryptography. However, e-commerce is changing the risk levels associated with
deploying software, and, as a consequence, security becomes an important design issue
for any software component.

The scope of e-commerce security is so broad because these applications typically cut
across lines of business. There are many examples of new business models that drive
security needs:

• E-commerce
• Cross-selling and customer relationship management
• Supply chain management
• Bandwidth on demand[1]

E-Commerce

E-commerce sites on the Internet rely on credit card authorization services from an
outside company. A federated relationship between an e-commerce company and a credit
card service depends on trustworthy authenticated communication.

Cross-Selling and Customer Relationship Management

Cross-selling and customer relationship management rely on customer information being
shared across many lines of business within an enterprise. Cross-selling allows an
enterprise to offer a customer new products or services based on existing sales. Customer
relationship management allows the enterprise to give consistent customer support across
many different services. These e-commerce services are very valuable, but if they are not
properly constrained by security policies, the services may violate a customer’s wishes
for privacy.

Supply Chain Management

Supply chain management requires continuing communication among all of the suppliers
in a manufacturing chain to ensure that the supply of various parts is adequate to meet
demand. The transactions describing the supply chain that are exchanged among the
enterprises contain highly proprietary data that must be protected from outside snooping.

Bandwidth on Demand

Bandwidth on demand allows customers to make dynamic requests for increases in the
quality of a telecommunication service and to get instant results. Bandwidth on demand is
an example of self-administration, where users handle many of their own administrative
functions rather than relying on an administrator within the enterprise to do it for them.
Self-administration provides better service for customers at a lower cost, but comes with
significant security risks. Because corporate servers that were previously available to
system administrators are now accessible by end users, security mechanisms must be in
place to ensure that sensitive administrative functions are off-limits.

In each of the cases previously described, one enterprise or line of business can expose
another organization to increased security risk. For example, a partner can unintentionally
expose your business to security attack by providing their customers access to your
business resources. As a result, security risk is no longer under the complete control of a
single organization. Risks must be assessed and managed across a collection of
organizations, which is a new and very challenging security responsibility.

Risk Management Holds the Key

A large middle ground exists between the extremes of avoiding e-commerce applications
altogether, blithely launching unprotected systems, or burdening every application with
prohibitively costly and user-unfriendly security measures. This middle ground is the area
of risk management. The risk-management approach aims not to eliminate risk, but to
control it. Risk management is a rigorous balancing process of determining how much
and what kind of security to incorporate in light of business needs and acceptable levels
of risk. It unlocks the profit potential of expanded network connectivity by enabling
legitimate use, while blocking unauthorized access. The goal is to protect adequately to
meet business needs without undue risk, making the right trade-offs between security and
cost, performance and functionality.

For example, consider four different e-commerce users: an Internet Service Provider
(ISP), a hospital administrator, a banker, and a military officer. Each has a different
security concern.

• The ISP is concerned primarily about availability—making services available to
its customers.
• The hospital administrator wants to ensure data integrity—that patient records are
updated only by authorized staff.
• The banker is most concerned about accountability—that the person who
authorizes a financial transaction is identified and tracked.
• The military officer wants confidentiality—to keep military secrets out of the
hands of potential enemies[1].

The challenge is to implement security in a way that meets business needs cost-
effectively, both in the short-term and as enterprise needs expand. Meeting the challenge
requires a collaborative effort between corporate strategists and information technology
managers. Understanding the business drivers for information security helps clarify
where to focus security measures. Understanding the underlying application architecture
(how components work together) clarifies the most practical approach for building
system security. Distributed applications, in particular, require new ways of thinking.

Industrial experience in managing e-commerce information security is generally low.
Security technology is changing rapidly, and corporate management is not well-equipped
to cope with risk management changes caused by technology changes. New versions of
interconnected e-commerce systems and software product versions continue to appear,
and with each release a whole new set of security vulnerabilities surface.

Managing security risk in distributed e-commerce applications is daunting, but following
some basic rules for building security into component-based applications lays the
groundwork for a solid risk management approach. Although this chapter does not give
detailed advice on security risk management, it does describe principles for building
secure applications that are independent of any specific technology and will continue to
be a guide for you as technologies evolve. This chapter provides basic principles for
enterprise application integration, which are security integration themes that are
repeatedly addressed by many enterprises.

Information Security: A Proven Concern

Information security is a serious concern for most businesses. Even though reporting of
computer-based crime is sporadic because companies fear negative publicity and
continued attacks, the trend is quite clear: information security attacks continue to be a
real threat to businesses. According to a recent Computer Security Institute Survey, 72%
of interviewed businesses reported that they had been subjects of serious information
security attacks in 2002. Seventy-four percent of the businesses reported that the attacks
caused significant financial losses, such as losses due to financial fraud or theft of
valuable intellectual property.

The threats to businesses are from both internal and external attacks. In the same survey,
61% of the businesses reported they were subjected to attacks launched from the Internet,
and 83% of businesses reported that insider attack (by trusted corporate users) was a
primary concern. This last statistic is very important—to meet corporate needs, a
complete end-to-end security solution must address insider attacks.

Most e-commerce solutions today blur the line between the insider world containing
trusted users and the outside world containing potentially hostile attackers. Furthermore,
the primary purpose of multitier architectures is to open up the corporate network to the
external world, thus allowing valuable corporate resources to be accessible to outsiders.
Outsiders (such as business partners, suppliers, or remote employees) may have very
similar data access rights to corporate information as many insiders. As a result,
protection mechanisms must be in place not only at the external system boundaries, but
also throughout the enterprise architecture.

According to a META Group survey, 72% of businesses view information security as
critical to their corporate mission. Due to the continuing threat, many businesses are
increasing their spending on security; large corporations are increasing their spending the
most. Piecemeal security solutions can be worse than no security at all, because they
result in:

• Increased maintenance, training, and administration cost
• Point solutions that don’t scale or interoperate
• Redundant spending across the organization[1]

Applying security products without thinking about how they all fit together clearly does
not work. Businesses should build and leverage a common security infrastructure that is
shared across the enterprise. An integrated approach to security is the only way to address
complex, multitier e-commerce applications, which will be explained later in this chapter.

Distributed Systems, Distributed Security, Enterprise Control

Component technology, which closely groups data and the business logic that makes use
of the data, is having a dramatic impact on the business computing landscape.
Developments in the field of distributed component computing allow cooperating
components to reside in different machines, networks, or even enterprises. These
developments enable businesses to enhance and reuse installed applications rapidly,
representing new power to tap the immense value of legacy resources. As a result, many
organizations are migrating from traditional, single-layer client/server applications to
multitiered application architectures.

Distributed component technology provides the foundation for next-generation e-
commerce applications because it offers so much versatility. Distributed
components that encapsulate code and data can reside anywhere on the network. Client
software need only know about the component’s interface. How the component is
implemented and where it is running is transparent to the invoking application.
Transparency and reusability give distributed component computing environments great
power, but they present new challenges for information security. These challenges require
new ways of thinking and new tools.

Security Challenges in Distributed Component Environments

Traditionally, computer security has worked effectively in systems in which sensitive data
can be isolated and protected in a central repository. Distributed components have exactly
the opposite philosophy by making distributed data widely accessible across large
networks. Simply put, the more accessible data is, the harder it is to protect. Ordinarily,
it’s a good idea to keep your crown jewels locked up in a vault. Distributed components
encourage you to pass them around to all your friends for safekeeping.

The traditional notion of computer security is embodied in the concept of a trusted
computing base (TCB), as shown in Figure 17.1[1]. The TCB consists of the hardware and
software mechanisms that are responsible for enforcing the security policy, which defines
when a user may access a resource. The TCB must be:

• Always invoked (nonbypassable)
• Small enough to be thoroughly analyzed
• Tamper-proof[1]

The TCB is usually implemented within an operating system that is under strict
configuration control. This architecture permits very tight security because the TCB is the
mediator through which all user accesses to resources must pass. Everything within the
TCB is trusted to enforce the security policy; everything outside of the TCB is untrusted.

Distributed component systems, on the other hand, have the more complex security
architecture, as shown in Figure 17.2[1]. Security functionality (the shaded areas of the
diagram) in component systems is distributed throughout the architecture rather than
residing in a central TCB. Because distributed component systems are frequently
heterogeneous, security may be implemented differently on different platforms. Security
might be enforced by the application components, middleware, operating system,
hardware, or any combination of these. Some platforms may contain a great deal of code
that is trusted to enforce the security policy, whereas other platforms may have very little.

Distributing security in this manner means that a particular distributed application may be
secure, but that fact is hard to confirm. In a distributed component system, the
combination of all of this trusted code together theoretically embodies a distributed TCB.
But is this really a distributed TCB? Probably not. It may be tamperproof and always
invoked, but it may not be small enough to be easy to analyze. That’s a concern, because
if you can’t analyze the system, you can’t be at all certain that your valuable data is being

Some security traditionalists believe that it is not possible to build highly secure
distributed component systems. There is a question, though, of whether a TCB model is
even appropriate for distributed component environments. Although TCBs are great for
enforcing security, they aren’t sufficiently flexible to support component-based systems.

The flexibility and openness of distributed component systems make security
administration a real challenge. Systems managers with experience administering security
in Unix or Windows NT environments know how difficult it is to get it right. Many
security attacks on these systems are not due to obscure security vulnerabilities, but to
inadvertent administrative errors, or “leaving the barn door open.”

Several other characteristics of distributed component systems also complicate security
enforcement. The systems are:

Dynamic: Component systems are designed to be dynamic, allowing new application
components to be created on the fly. Components can play both client and server roles,
and can interact in multiple and unpredictable ways. This means that security policies
must also be dynamic, adding complexity.

Exposed: Many distributed component systems are designed to work over the Internet or
large intranets. Data going over networks is subject to packet-sniffing interception.

Layered: Systems consist of many security layers (applications, middleware, operating
system, hardware, and network) that must fit together.

Multienterprise: Distributed component computing allows the sharing of information
among enterprises. Enterprise security policies will be different (for example, between a
hospital and a bank), which means that data sharing requires translations between
enterprise policies[1].

Configuring and administering security for distributed component systems is potentially
far more complex than for a traditional system. Without special tools, security has to be
administered manually for each layer independently, leaving room for mistakes and
inconsistencies. For instance, an application may correctly confirm that a loan officer is
authorized to access a record before allowing changes. However, if supporting operating
system calls have not been set up with complementary file permissions, access protection
is not complete. The challenge is to create an environment in which the complexity is
minimized, ensuring that security administration is enforced automatically and

End-to-End Enterprise Application Security Integration (EASI)

As e-commerce environments have evolved to distributed component models, security
technologies have been trying to keep up. Most of the pieces of the security puzzle exist
as off-the-shelf products, but it still takes considerable effort to put all these pieces
together to build an integrated solution.

Twenty-two years ago, life was reasonably simple for the security professional. Sensitive
data resided on monolithic backend data stores. There were only a few physical access
paths to the data, which were protected by well-understood operating system access
control mechanisms. Policies, procedures, and tools have been in place for many years to
solve this class of problems.

Several years ago, Web-based applications burst onto the scene. With the advent of e-
commerce in this environment, secure access to the Web servers was extremely
important. Today, there are many mature perimeter security technologies, such as SSL,
firewalls, and Web authentication/authorization servers that enforce security between
browser clients and corporate Web servers.

Huge numbers of companies are now building complex e-commerce logic into
application servers in the mid-tier. The business motivation for this development is
compelling. Mid-tier business logic allows accessibility to backend legacy data in ways
never imagined. The opportunities for increased interaction among all kinds of buyers
and suppliers seems endless.

Security gets much more interesting through the introduction of components in the
middle tier. Although there are many mid-tier technologies that hook up Web servers to
backend legacy systems, the security of these approaches is often nonexistent. In fact,
several recent publicized attacks have been caused by weaknesses in mid-tier security
that have exposed sensitive backend data (customer credit card numbers and purchase
data) to the outside world. Companies are usually at a loss for what to do with middle tier

To solve the thorny issue of securely connecting Web servers to the back office, let’s now
discuss the concept of end-to-end EASI. As previously discussed, EASI is a special case
of EAI.

EAI is a technique for unifying many different applications by using a
common middleware infrastructure. EAI provides an application “bus” that allows every
application to communicate to others via a common generic interface. Without EAI, an
application would need a separate interface for each other application, thus causing an
explosion of pairwise stovepipes between applications. EAI allows application
development to scale to a large number of interchangeable components.

Integration of end-to-end security requires EAI techniques. Many different security
technologies are used in the perimeter, middle, and legacy tiers, as shown in Figure
17.3[1]. Typically, these security technologies do not easily interoperate. As a result, you
will face exactly the same problem that application integrators face: a separate ad hoc
interface to connect one security technology to another causes an explosion of pairwise
stovepipes between security technologies.

EASI Requirements

A key issue in enterprise security architectures is the ability to support end-to-end
security across many application components. End-to-end security is the ability to ensure
that data access is properly protected over the entire path of requests and replies as they
travel through the system. The scope of end-to-end security begins with the person
accessing a Web browser or other client program, continues through the business
components of the middle tier, and ends at the data store on a backend legacy system. The
path of data may travel both through public and private networks with varying degrees of

In the enterprise architecture shown in Figure 17.4, a user accesses an application in the
presentation layer (a Web browser client sends requests to a Web server), which
communicates to mid-tier business components (application servers)[1]. Frequently, the
client request is transmitted through a complex, multitier chain of business components
running on a variety of platforms. The request finally makes it to one or more backend
legacy systems, which accesses persistent data stores on behalf of the user, processes the
request, and returns the appropriate results.

EASI Solutions

EASI solutions integrate security technologies across the perimeter, middle, and legacy
security tiers. An EASI solution first and foremost consists of a security framework,
which describes a collection of security service interfaces that may be implemented by an
evolving set of security products.

An EASI solution also includes integration techniques, such as bridges, wrappers, and
interceptors that developers can use to plug security technologies into a middleware
environment. To hook together different security technologies, EASI must solve a key
problem: defining a secure association between clients and targets that establishes a
common security context. The security context consists of a user’s privileges that must be
transferred across the system to a target application. A user’s privileges, which form the
basis for authorization decisions and audit events, must be protected as they are
transmitted between perimeter, middle, and legacy tiers. Because each technology in
these tiers represents and protects a user’s privileges differently, integration of security
context can be a rather difficult problem.

EASI Framework

The EASI framework, as shown in Figure 17.5, specifies the interactions among the
security services and application components that use those security services. By using
common interfaces, it’s possible to add new security technology solutions without
making big changes to the existing framework. In this way, the EASI framework supports
“plug-ins” for new security technologies. Key aspects of the framework are shown in
Figure 17.5[1].


The security framework provides enterprise security services for presentation
components, business logic components, and the back office. The framework supports
security mechanisms that enforce security on behalf of security aware and security
unaware applications.

Security Aware Application

The security aware application uses the security Application Program Interfaces (APIs) to
access and validate the security policies that apply to it. Security aware applications may
directly access security functions that enable the applications to perform additional
security checks and fully exploit the capabilities of the security infrastructure.

Security Unaware Application

The security unaware application does not explicitly call security services, but it is still
secured by the supporting environment (an Enterprise Java Bean [EJB] container).
Security is typically enforced for security unaware applications by using interceptors,
which transparently call the underlying security APIs on behalf of the application. This
approach reduces the burden on application developers to develop security modules
within the application and lessens the chance of security flaws being introduced.

Other applications, called security self-reliant applications, do not use any of the security
services provided by the framework. A security self-reliant application may not use the
security services because it has no security relevant functionality and, thus, does not need
to be secured, or because it uses separate independent security functions that are not part
of the defined EASI security framework.

Application Programming Interfaces (APIs)

The framework security APIs are called explicitly by security aware applications and
implicitly by security unaware applications via interceptors. Security APIs provide
interfaces for access to the framework security services. The framework supports
standard, custom, and vendor security APIs.

Standard Security API

Support for APIs is based on open standards or industry de facto standards, such as XML
(SAML), J2EE, .NET, and CORBA. These standards should be used whenever possible
because they are likely to provide the most stability and the most flexibility across many
different vendors’ products.

Custom Security API

Custom APIs may be implemented when an enterprise’s needs cannot be met by existing
standard APIs. Custom APIs are required especially when an enterprise uses a security
service that is tailored to its business, for example, a custom rule-based entitlements
engine developed internally by an investment bank.

Vendor Security API

As a last resort, vendor-specific proprietary APIs may be used where open standards have
not yet been defined. You should avoid using proprietary security APIs in applications if
at all possible. Proprietary APIs make it very difficult for the developer or administrator
to switch security products. Although vendors may think this is a great idea, security
technology is changing much too rapidly to be confined to any one product. As an
alternative, you should wrap a vendor’s proprietary API with a standard or custom API.

Core Security Services

The next layer of the security framework provides core security services enabling end-to-
end application security across multitier applications. Each of the security services
defines a wrapper that sits between the security APIs and the security products. The
security services wrappers serve to isolate applications from underlying security
products. By creating a new wrapper, it is straightforward to switch security products
without affecting application code, if the need arises. The key security services are
authentication, authorization, cryptography, accountability, and security administration.
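A worked illustration of two ideas from the preceding sections: a security unaware component that is secured transparently by an interceptor, and core services that wrap a replaceable security product behind a stable API so that a product swap means a new wrapper rather than changed application code. This is an added example written in Python; it is not code from the chapter, from the cited authors, or from any EASI product. The class names, the role-table policy, the principals and the account balances are all constructed for the illustration, and the "product" behind the wrapper is a simple in-memory role table standing in for a real authorization server.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Credentials:
    """Result of authentication: the attributes bound to a principal."""
    identity: str
    roles: FrozenSet[str]

class RoleTableAuthorizer:
    """Wrapper around a (constructed) authorization product. Any product with
    an is_permitted() wrapper can replace it without touching application code."""

    def __init__(self, table: Dict[Tuple[str, str], FrozenSet[str]]):
        self._table = table  # (resource, action) -> roles that may perform it

    def is_permitted(self, creds: Credentials, resource: str, action: str) -> bool:
        return bool(creds.roles & self._table.get((resource, action), frozenset()))

@dataclass
class SecurityAPI:
    """Framework API: called explicitly by security aware code and implicitly,
    through the interceptor, by security unaware code."""
    authorizer: RoleTableAuthorizer
    audit_log: List[str] = field(default_factory=list)

    def check(self, creds: Credentials, resource: str, action: str) -> bool:
        ok = self.authorizer.is_permitted(creds, resource, action)
        # Accountability: every decision is recorded, allowed or denied.
        self.audit_log.append(f"{creds.identity} {action} {resource}: {'ALLOW' if ok else 'DENY'}")
        return ok

class SecurityInterceptor:
    """Fronts a security unaware target: each call is authorized as
    (target class name, method name) before the target ever sees it."""

    def __init__(self, api: SecurityAPI, target: object):
        self._api, self._target = api, target

    def invoke(self, creds: Credentials, method: str, *args):
        resource = type(self._target).__name__
        if not self._api.check(creds, resource, method):
            raise PermissionError(f"{creds.identity} may not {method} {resource}")
        return getattr(self._target, method)(*args)

class AccountService:
    """Security unaware business component: it contains no security code."""

    def __init__(self):
        self.balances = {"acct-1": 100, "acct-2": 50}  # constructed sample data

    def balance(self, acct: str) -> int:
        return self.balances[acct]

    def transfer(self, src: str, dst: str, amount: int) -> int:
        self.balances[src] -= amount
        self.balances[dst] += amount
        return self.balances[src]

class WireService:
    """Security aware component: calls the API itself for a business-level check
    (a wire above LIMIT needs the 'approver' role) the interceptor cannot know."""
    LIMIT = 1000

    def __init__(self, api: SecurityAPI):
        self._api = api

    def wire(self, creds: Credentials, amount: int) -> str:
        if amount > self.LIMIT and not self._api.check(creds, "wire", "approve"):
            raise PermissionError("a wire above the limit requires the approver role")
        return f"wired {amount}"

def build_demo():
    # Constructed policy table: which roles may perform which (resource, action).
    policy = {
        ("AccountService", "balance"): frozenset({"teller", "officer"}),
        ("AccountService", "transfer"): frozenset({"officer"}),
        ("wire", "approve"): frozenset({"approver"}),
    }
    api = SecurityAPI(RoleTableAuthorizer(policy))
    return api, SecurityInterceptor(api, AccountService()), WireService(api)

def run_demo() -> Dict[str, object]:
    api, accounts, wires = build_demo()
    teller = Credentials("alice", frozenset({"teller"}))
    officer = Credentials("bob", frozenset({"officer", "approver"}))
    results = {"teller_balance": accounts.invoke(teller, "balance", "acct-1")}
    try:
        accounts.invoke(teller, "transfer", "acct-1", "acct-2", 10)
        results["teller_transfer"] = "allowed"
    except PermissionError:
        results["teller_transfer"] = "denied"
    results["officer_transfer"] = accounts.invoke(officer, "transfer", "acct-1", "acct-2", 10)
    results["officer_wire"] = wires.wire(officer, 5000)
    results["audit_entries"] = len(api.audit_log)
    return results
```

Running run_demo() shows the teller reading a balance but being refused a transfer by the interceptor, the officer completing the transfer, and the officer's large wire passing the extra check that only the security aware WireService knows to make; all four decisions land in the audit log. Because AccountService never calls the API, a developer cannot forget a check inside it, which is the point the chapter makes about interceptors reducing the chance of introduced flaws.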


Authentication

Verifying that principals (human users, registered system entities, and components) are
who they claim to be is what is known as authentication. The result of authentication is a
set of credentials, which describe the attributes (identity, role, group, clearance) that may
be associated with the authenticated principal.


Authorization

Granting of permission for principals to access resources is what is known as
authorization. Data integrity and confidentiality access controls enforce restrictions of
access to prevent unauthorized use. Data integrity controls ensure that only authorized
principals may modify resources. Data confidentiality controls ensure that resource
contents are disclosed only to authorized principals.


Cryptography

Cryptographic algorithms and protocols for protecting data and messages from disclosure
and/or modification is what is known as cryptography. Encryption provides
confidentiality by encoding data into an unintelligible form with a reversible algorithm
that allows the holder of the encryption key(s) to decode the encrypted data. Digital
signatures apply cryptography to ensure that data is authentic and has not been modified
during storage[2] or transmission.


Accountability

Ensuring that principals are accountable for their actions is what is known as
accountability. A security audit provides a record of security-relevant events and permits
monitoring of a principal’s actions in a system. Nonrepudiation provides irrefutable proof
of data origin and/or receipt.

Security Administration

Security administration is the process of defining and maintaining the security policies
embodied in user profiles, authentication, authorization, and accountability mechanisms.
This also includes other data relevant to the security framework.

Framework Security Facilities

The framework provides general security facilities that support the core security services.
The framework security facilities are the profile manager, security association, and proxy

Profile Manager

The profile manager provides a general facility for persistent storage of user and
application profile data. It allows data to be accessed by other framework services.

Security Association

Security association handles the principal’s security credentials and controls how they
propagate. During a communication between any two client and target application
components, the security association establishes the trust in each party’s credentials, and
creates the security context that will be used when protecting requests and responses in
transit between client and target. The security association controls the use of delegation,
which allows a delegated intermediate to use the credentials of an initiating principal so
that the delegate may act on behalf of the initiating principal.
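To make the security association concrete, here is an added example (Python, not code from the chapter, the cited authors, or any product) of a security context that is signed when it is issued for the initiating principal, re-signed when an intermediate is recorded as a delegate, and verified by the backend before any privilege in it is trusted. The HMAC key, the principal, role and delegate names, and the "trusted delegates" list are all constructed for the illustration; a real deployment would rely on the secure association mechanism of its middleware, which the chapter does not detail here.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

class SecurityAssociation:
    """Issues, delegates and verifies a signed security context. The key is a
    constructed secret shared by the trusted tiers of one enterprise."""

    def __init__(self, key: bytes):
        self._key = key

    def _sign(self, body: Dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def issue(self, principal: str, roles: List[str]) -> Dict:
        """Create the context for an authenticated initiating principal."""
        body = {"principal": principal, "roles": sorted(roles), "delegates": []}
        return {"body": body, "mac": self._sign(body)}

    def verify(self, token: Dict) -> Optional[Dict]:
        """Return the trusted body, or None if the token does not verify."""
        if hmac.compare_digest(self._sign(token["body"]), token["mac"]):
            return token["body"]
        return None

    def delegate(self, token: Dict, intermediate: str) -> Dict:
        """Record an intermediate acting on behalf of the initiating principal;
        the chain of delegates stays visible to the target."""
        body = self.verify(token)
        if body is None:
            raise PermissionError("refusing to delegate an untrusted context")
        new_body = dict(body, delegates=body["delegates"] + [intermediate])
        return {"body": new_body, "mac": self._sign(new_body)}

def backend_authorize(assoc: SecurityAssociation, token: Dict,
                      required_role: str, trusted_delegates: set) -> str:
    """Legacy-tier decision: trust the privileges only if the context verifies,
    the initiating principal holds the role, and every delegate is known."""
    body = assoc.verify(token)
    if body is None:
        return "DENY: tampered or unsigned context"
    if required_role not in body["roles"]:
        return f"DENY: {body['principal']} lacks {required_role}"
    unknown = [d for d in body["delegates"] if d not in trusted_delegates]
    if unknown:
        return f"DENY: untrusted delegate {unknown[0]}"
    return f"ALLOW: {body['principal']} via {body['delegates'] or ['direct']}"

def run_demo() -> Dict[str, str]:
    assoc = SecurityAssociation(key=b"constructed-enterprise-shared-key")
    trusted = {"loan-app-server"}  # constructed list of known mid-tier delegates
    # Perimeter tier authenticates the user and issues the context.
    ctx = assoc.issue("carol", ["loan_officer"])
    # Middle tier acts on carol's behalf toward the backend.
    ctx_mid = assoc.delegate(ctx, "loan-app-server")
    results = {"good": backend_authorize(assoc, ctx_mid, "loan_officer", trusted)}
    # Privileges edited in transit without the key: the MAC no longer matches.
    forged = {"body": dict(ctx_mid["body"], roles=["admin"]), "mac": ctx_mid["mac"]}
    results["forged"] = backend_authorize(assoc, forged, "admin", trusted)
    # A validly signed chain through an intermediate the backend does not trust.
    ctx_rogue = assoc.delegate(ctx, "unknown-box")
    results["rogue"] = backend_authorize(assoc, ctx_rogue, "loan_officer", trusted)
    return results
```

The backend authorizes on the initiating principal's privileges, as the chapter describes, while still seeing which intermediates acted on that principal's behalf; a context whose roles were altered in transit fails verification, and a valid context that passed through an unknown delegate is refused even though carol herself holds the required role.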

Security Proxy Services

Security proxy services provide interoperability between different security technology
domains by acting as a server in the client’s technology domain and as a client in the
target’s domain.

Security Products

Implementation of the framework generally requires several security technology products
that collectively comprise the enterprise security services. Example security products that
are required include firewalls, Web authentication/authorization products, component
authentication/authorization products, cryptographic products, and directory services.

EASI Benefits

By now, the benefits of using a framework to address EASI should be clear. Standards are
the best way to maintain application portability and interoperability in the long run.
Products and technologies will come and go, but generally accepted security standards
for fundamental security services will be much more stable. A standards-based set of
security APIs allows you to evolve security products over time without needing to rewrite
your applications. Designing your applications for evolving security products is
important, because your business requirements and new security technologies will
continue to be a moving target. You might pick a great security product that satisfies your
needs for now, but you’ll probably want to change at some point as business or market
needs change. In addition, you want to avoid being stuck with any one vendor’s product,
because the high cost of custom code modification limits your options.

Having a security framework also means that you don’t need to implement everything at
once. The framework allows you to start out small by picking the security services you
need, and builds up more sophisticated security functionality when and if it’s required.
The framework gives you a road map for your security architecture, helping to guide you
on how to pick products and technologies that match your needs over time.

Finally, the framework puts the security focus where it should be: on building a common
infrastructure that can be shared across the enterprise. Custom-built security that is hand-
coded within applications is expensive to implement and maintain, and is likely to have
more security vulnerabilities. A single security infrastructure with APIs that can be used
by all of your applications avoids multiple, duplicate definitions of users, security
attributes, and other policies. You can focus your limited time and money on building up
a few critical interoperable security technologies, rather than coping with a mass of
unrelated security products that will never work together.

Principles of EASI

Now, let’s look at some basic principles to follow when integrating security into
component-based e-commerce applications. You’ll learn these rules as you apply EASI
techniques to many large customers’ problems.


Authentication

The two principles of authentication are trust no one (not to be confused with the FOX
television series the “X-Files”) and balance cost against threat.

Trust No One

In distributed systems, authentication isn’t just about people. A client request bounces
through many applications in a multitier architecture, so there are many points of
vulnerability. Each component that is a part of a request chain should be authenticated on
its own. If not, an attacker may be able to insert a new component in this chain and cause
serious damage. The more complex the application architecture, the more serious the

Balance Cost Against Threat

On the other hand, the best authentication isn’t for everyone. The most secure
authentication, such as public key certificates on smart cards, is probably too expensive
to deploy and manage for many applications. If authentication techniques are too strong,
people may just give up and not use the system. It’s better to have authentication that
people will use rather than building a secure boat anchor. Single sign-on is an example of
this principle; no one likes to log in more than once.


Authorization

The two principles of authorization are application driven and push security down.

Application Driven

Authorization policies aren’t really to protect URLs or files—they protect business data
that resides in those files. A lot of time and money is wasted blindly setting up security
products that do little to protect important application data. To secure a system, don’t lose
sight of the fact that the most important thing to understand is the purpose of the business
application. After you understand what the business application is for, and what bad
security things could go wrong, then you can figure out the best way to protect the data.

Push Security Down

After you know which application data is really important to protect, look to enforce
authorization at the lowest practical level in the architecture. Least desirable is within the
application, although some policies cannot be enforced anywhere else. By pushing
authorization down to the lower layers of the architecture, you’re more likely to have
robust common security mechanisms that can be shared across many applications.

Accountability: Audit Early, Not Often

Auditing is expensive in distributed systems, so for performance reasons it’s better to do
it as little as possible. Unlike authorization, it’s preferable to push the source of an audit
event to the upper layers of the architecture near the application. Low-level auditing (at
the operating system level) is extremely difficult to analyze, because it takes several low-
level events to match to a single business transaction. Low-level auditing is fine for
discovering an attack on your operating system, but correlating low-level audit data
across multiple audit logs to detect an application attack can be close to impossible. As a
result, the most effective auditing is done as soon as an application recognizes that a
potentially dangerous event occurred.

Security Administration

The principles of security administration are collections for scale, centralized
management, and distributed enforcement.

Collections for Scale

E-commerce applications are all about managing huge numbers: millions of users and
resources, thousands of servers. The best way to deal with large numbers is to collect
things into groups, and make those groups hierarchical. By defining collections,
administrators can set policies on lots of things at the same time and delegate security
responsibilities across many administrators.

Note Collections are not just about people; services and data should also be grouped to
handle scale.

Centralized Management and Distributed Enforcement

Administering distributed applications is difficult because components are widely
scattered, and manually setting up policies for each component across a large network
isn’t practical. The easiest way to administer security is when the security policy is in one
place. However, a centralized policy may not be very efficient to enforce if the security
infrastructure must check a central policy every time a remote component executes. The
best approaches give the best of both worlds by offering security administration that is
logically centralized, but use distribution techniques to get the policy out near the
components where it’s needed. Beware of synchronization issues; many products use
caching that speeds up access but could mean that policies are sometimes out of date.

Security Association

The principles of security association are think end-to-end, not point-to-point, and
design for failure.

Think End-to-End and Not Point-to-Point

As mentioned previously, e-commerce applications are implemented by chains of
requests, which are much more complex than the antique client/server model. Transport
security mechanisms, such as SSL or Secure Internet Protocol (IPSEC), are inadequate in
multitier environments, because they cannot secure a chain of requests; they only secure
two end points. It’s for this reason that these protocols don’t deal with delegation.
Protocols such as Security Assertions Markup Language (SAML) and CSI that are built
upon transport security are the best way to secure applications end-to-end.

Design for Failure

Finally, a simplistic component model assumes that all applications trust each other to
protect data. That may be okay for small systems, but it’s a dangerous assumption when
the applications are more distributed. If one component is compromised in this scenario,
then the entire set of distributed components is vulnerable. A better approach is to view
collections of components as mutually suspicious islands—if one collection of
components is compromised, then others will still be safe.


This chapter introduced you to the world of component-based enterprise security. It
described how security is an enabler for many e-commerce applications. Without a good
security solution in place, many new e-commerce opportunities would not be feasible.
The chapter also discussed the concept of risk management, which balances the level of
security that is required in light of the business needs of cost, performance, and
functionality. It showed that information security is a serious concern for many
businesses, both in terms of external and internal (insider) attacks.

Next, the chapter described the many challenges of enforcing security in component-
based applications. It defined the notion of a TCB, and showed that the TCB concept is
not a very good match for distributed component environments.

Finally, the chapter introduced Enterprise Application Security Integration (EASI), which
is used to tie together many different security technologies. It defined perimeter, middle,
and legacy tiers of security, and described how they all work together to provide end-to-
end security. The chapter then defined an EASI solution in terms of a security framework,
technologies, and integration techniques that hook those technologies together. The EASI
framework consists of a number of layers, including the applications, APIs, core security
services, framework security services, and underlying security products.
Chapter 18: Strong Transaction Security in Multiple Server Environments
“The ballot is stronger than the bullet.”

—Abraham Lincoln (1809–1865)


In today’s businesses, electronic communication is a central part of the everyday flow of
information, and privacy is a top priority. Whether your company conducts sales over the
Internet or hosts a company-specific network, you want to know that your
communications are safe from unauthorized interference.

For information exchange between servers and client browsers and server-to-server, load
balancing devices and SSL accelerators, SSL certificates have become recognized as the
bottom line in security. Working with the SSL protocol for encryption, SSL certificates
protect businesses against site spoofing, data corruption, and repudiation of agreements.
They assure customers that it is safe to submit personal information, and provide
colleagues with the trust they need to share sensitive business information.

For companies with multiple servers and load balancing devices in their network, you can
now locally manage your own SSL certificates with managed public key infrastructure
(PKI) for SSL certificates. If you need to secure five or more servers, enrollments and
cancellations can become cumbersome when managed one-by-one. With managed PKI
for SSL certificates, you save money by purchasing your SSL certificates in bulk, then
save time by issuing your own IDs to servers and load balancing devices within your
organization. You can customize your end-user support to meet your company-specific
needs, and integrate your server and client security systems.

This chapter provides you with a basic introduction to digital ID technology and SSL
certificates. It then lays out the reasons that you would want to consider managed PKI for
SSL certificates as an alternative to one-by-one purchasing. Finally, it presents the
features you can expect if you decide managed PKI for SSL certificates is right for your

Security Solutions: The Digital ID System

Given the security risks involved in conducting business online, what does it take to
make your Internet transactions and company communications safe? Industry leaders
agree that the answer is the SSL certificate. Over 607,000 SSL certificates have been
issued as of this writing. Companies using SSL certificates include 92 of the Fortune 100
companies and all of the RelevantKnowledge, Inc. Top 20 Commerce Sites.

What Is a Digital ID?

A digital identification (ID), also known as a digital certificate, is the electronic
equivalent to a passport or business license. It is a credential, issued by a trusted
authority, that individuals or organizations can present electronically to prove their
identity or their right to access information.

When a CA issues digital IDs, it verifies that the owner is not claiming a false identity.
Just as when a government issues a passport, it is officially vouching for the identity of
the holder. When a CA gives your business a digital certificate, it is putting its name
behind your right to use your company name and Web address.

How Do Digital IDs Work?

The solution to problems of identification, authentication, and privacy in computer-based
systems lies in the field of cryptography. Because of the nonphysical nature of electronic
communication, traditional methods of physically marking transactions with a seal or
signature are useless. Rather, some mark must be coded into the information itself in
order to identify the source and provide privacy against eavesdroppers.

One widely used tool for privacy protection is what cryptographers call a “secret key.”
Logon passwords and cash card PINs are examples of secret keys. Consumers share these
secret keys only with the parties they want to communicate with, such as an online
subscription service or a bank. Private information is then encrypted with this password,
and it can only be decrypted by one of the parties holding that same password.

Despite its widespread use, this secret-key system has some serious limitations. As
network communications proliferate, it becomes very cumbersome for users to create and
remember different passwords for each situation. Moreover, the sharing of a secret key
involves inherent risks. In the process of transmitting a password, it can fall into the
wrong hands. Or, one of the sharing parties might use it maliciously and then deny all

Digital ID technology addresses these issues because it does not rely on the sharing of
secret keys. Rather than using the same key to both encrypt and decrypt data, a digital ID
uses a matched pair of keys that are unique complements to one another. In other words,
what is done by one key can only be undone by the other key in the pair.

In this type of key-pair system, your “private key” gets installed on your server and can
only be accessed by you. Your “public key” gets widely distributed as part of a digital ID.
Customers, partners, or employees who want to communicate privately with your server
can use the public key in your digital ID to encrypt information, and you are then the only
one who can decrypt that information. Because the public key alone does not provide
access to communications, you do not need to worry about who gets ahold of this key.
Your digital ID tells customers and correspondents that your public key in fact belongs to
you. Also, your digital ID contains your name and identifying information, your public
key, and the CA’s digital signature as certification.

How Do SSL Certificates Work?

Secure server digital IDs allow any server to implement the SSL protocol, which is the
standard technology for secure, Web-based communications. SSL capability is built into
server hardware, but it requires a digital ID in order to be functional. So, with the latest
SSL and a secure server digital ID, your Web site should support the following functions:

• Mutual authentication
• Message privacy
• Message integrity[1]

Mutual Authentication

With mutual authentication, the identity of both the server and the customer can be
verified. The reason for this is so that all parties know exactly who is on the other end of
the transaction.

Message Privacy

With message privacy, all traffic between the server and the customer is encrypted using a
unique “session key.” Each session key is only used with one customer during one
connection, and that key is itself encrypted with the server’s public key. These layers of
privacy protection guarantee that information cannot be intercepted or viewed by
unauthorized parties.

Message Integrity

With message integrity, the contents of all communications between the server and the
customer are protected from being altered en route. All those involved in the transaction
know that what they’re seeing is exactly what was sent out from the other side.

Figure 18.1 illustrates the process that guarantees protected communications between a
server and a client[1]. All exchanges of digital IDs happen within a matter of seconds and
appear seamless to the client.

All of this technology translates to online communications that are safe for you and your
customers. End users know exactly who they are dealing with and feel comfortable that
the information they send is not falling into unknown hands. You know that your server is
receiving accurate transmissions that have not been tampered with or viewed en route.

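The session-key and integrity mechanics just described, acted out with the openssl command line. This is an added example and not code from the book: the server and customer are two sets of files in one directory, RSA-OAEP wrapping plus AES-256-CBC and HMAC-SHA256 stand in for an SSL cipher suite, and the file names and the sample order line are constructed.

```shell
#!/bin/sh
# Added example, not code from the book: the key pair, session key and
# integrity mechanics described above, acted out with the openssl CLI.
# Assumptions (all constructed for the demo): the "server" and "customer" are
# two sets of files in one directory; RSA-OAEP wraps the session key and
# AES-256-CBC plus HMAC-SHA256 stand in for an SSL cipher suite.
set -e

# Server: generate the key pair. server.key stays on the server; server.pub is
# what the server's digital ID would carry to customers.
make_server_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out server.key 2>/dev/null
    openssl pkey -in server.key -pubout -out server.pub
}

# Customer: choose a fresh random session key for this one connection and wrap
# it with the server's public key. Only the holder of server.key can unwrap it.
wrap_session_key() {
    openssl rand -hex 32 > session.key            # 256-bit key, hex encoded
    openssl pkeyutl -encrypt -pubin -inkey server.pub \
        -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc
}

# Server: recover the session key with the private key.
unwrap_session_key() {
    openssl pkeyutl -decrypt -inkey server.key \
        -pkeyopt rsa_padding_mode:oaep -in session.key.enc -out session.key.server
}

# Sender: message privacy via AES under the session key (fresh IV per message),
# message integrity via an HMAC over the ciphertext, keyed with the session key.
protect_message() {    # $1 = plaintext file, $2 = session key file, $3 = output prefix
    key=$(cat "$2")
    openssl rand -hex 16 > "$3.iv"
    openssl enc -aes-256-cbc -K "$key" -iv "$(cat "$3.iv")" -in "$1" -out "$3.enc"
    openssl dgst -sha256 -hmac "$key" "$3.enc" | awk '{print $NF}' > "$3.mac"
}

# Receiver: recompute the HMAC first and refuse to decrypt anything that fails.
open_message() {       # $1 = prefix, $2 = session key file, $3 = output plaintext
    key=$(cat "$2")
    actual=$(openssl dgst -sha256 -hmac "$key" "$1.enc" | awk '{print $NF}')
    [ "$actual" = "$(cat "$1.mac")" ] || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1.iv")" -in "$1.enc" -out "$3"
}

# Walk through one connection; returns 0 only if every step behaves as described.
demo() {
    work=$(mktemp -d) && cd "$work"
    make_server_keys
    wrap_session_key
    unwrap_session_key
    cmp -s session.key session.key.server            # both sides now hold the same key
    printf 'order=1234 card=CONSTRUCTED-SAMPLE\n' > order.txt   # constructed sample order
    protect_message order.txt session.key order
    open_message order session.key.server order.received
    cmp -s order.txt order.received                  # delivered intact
    printf 'X' >> order.enc                          # tampering in transit
    if open_message order session.key.server order.tampered; then return 1; fi
    echo "session key agreed, order delivered intact, tampered copy rejected"
}
demo
```
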
What Do End Users See?

Both the Netscape Navigator and Microsoft Internet Explorer browsers have built-in
security mechanisms to prevent users from unwittingly submitting sensitive information
over insecure channels. If a user tries to submit information to an unsecured site, the
browsers will, by default, show a warning such as the one shown in Figure 18.2[1].

By contrast, if a user attempts to submit information to a site with a valid digital ID and
an SSL connection, no such warning is sent. Furthermore, both the Microsoft and
Netscape browsers provide users with a positive visual clue that they are at a secure site.
In Netscape Navigator 3.0 and earlier, the key icon in the lower-left corner of the
browser, which is normally broken, is made whole. In Netscape Navigator 4.0 and later,
as well as in Microsoft Internet Explorer, the normally open padlock icon becomes shut,
as shown in Figure 18.3[1].

The Needs of Your Organization

After you have decided to invest in the peace of mind that comes with SSL certificates,
you will need to decide whether one-by-one purchasing or managed PKI for SSL
certificates meets the needs of your organization. The following are several factors you
should consider:

• The size of your network
• Change within your network
• Cross-departmental coordination
• The needs of your end users[1]

The Size of Your Network

If your company will be hosting five or more servers within the next year, you are a good
candidate for managed PKI for SSL certificates. You can begin with five SSL certificates
and the administrator’s kit. This should meet your current needs plus your renewals for
later in the year. You will save money through a bulk discount, while increasing
efficiency significantly by eliminating the need to enroll and pay separately for each SSL

Change within Your Network

If you want the ability to expand, reduce, or restructure your network with no hassle,
managed PKI for SSL certificates is the answer. With one-by-one purchasing, each
addition, renewal, or cancellation of a secure server must go through a service center.
Each SSL certificate requires 3–5 business days to be issued and must be paid for with a
separate credit card processing or purchase order. When you purchase in bulk through
managed PKI for SSL certificates, your managed PKI administrator can issue and cancel
SSL certificates instantly, giving you superior control of your operations, especially in
critical times.

Cross-Departmental Coordination

If several groups within your organization are likely to work with secure servers,
managed PKI for SSL certificates will simplify and enhance your information system
management. When server hosts from each department apply separately for SSL
certificates, the result can be disorganization, compromising both the efficiency and
integrity of your network’s security. A department might “reinvent the wheel” that has
already been invented within the company, or, alternatively, a group might assume that a
given security issue is being handled elsewhere and thus fail to address it. With one
administrator distributing SSL certificates as the need arises, you reduce the possibility
for overlap or lapse in the security of your electronic communications.

The Needs of Your End Users

Would your end users benefit from a Web and e-mail interface that is designed for their
specific use? With managed PKI for SSL certificates, you have the option of customizing
the enrollment forms and support pages your users see. With one-by-one management,
each person hosting a secure server interacts with the system for enrollment, renewal, and
cancellation. This interface, while straightforward and user-friendly, is designed for
general use with any server.

If you purchase your SSL certificates through managed PKI, your package includes
enrollment and support screens, but you also have the option of customizing or creating
your own pages. You can provide instructions specific to your server software, your
organizational structure, or other company specifics. You can design the look and feel to
match the interface your users are comfortable with, and even integrate it with your
personal digital ID interface, if you use managed PKI to issue digital certificates to

When your users need technical support, they can immediately access the managed PKI
administrator within your organization. If the problem cannot be addressed locally, the
managed PKI administrator can always contact a member of the support team.

The Managed PKI for SSL Certificates System

Managed PKI for SSL certificates is designed to be easily installed and administered. The
following features provide the backbone of your network security system: the managed
PKI for SSL certificates administrator and instant enrollment for SSL certificates.

The Managed PKI for SSL Certificates Administrator

When you use managed PKI for SSL certificates to manage your secure network, an
administrator within your organization oversees a local control center to issue SSL
certificates. This managed PKI administrator, using a standard PC with the Netscape
Navigator browser, purchases managed PKI for SSL certificates, and receives an
administrator’s kit. Before issuing the administrator’s kit, the vendor should conduct the
necessary background checks to ensure that your organization is legitimate and has the
right to use the domain names being secured.

The administrator’s kit should include all of the software necessary to establish a
managed PKI control center on the administrator’s PC. It also includes an optional smart
card reader and a managed PKI administrator ID stored on a smart card. After the
administrator’s kit is installed and the control center is up and running, you are ready to
start issuing SSL certificates.

Instant Enrollment for SSL Certificates

The local control center allows users within your network to receive SSL certificates
without any manual intervention. Because a vendor has already verified your company
and domain names, the only approval necessary is from the managed PKI administrator at
your organization. The enrollment process goes as follows:

1. A user within your network generates a Certificate Signing Request (CSR) on the
server being secured.
2. The user submits the CSR, along with the necessary enrollment forms, to the
digital ID center.
3. The vendor instantly and automatically sends a pending request to the managed
PKI control center at your organization.
4. The managed PKI administrator within your organization validates the user’s
enrollment request.
5. The vendor then generates an SSL certificate and sends it to the user’s e-mail
6. The user downloads the SSL certificate and installs it on the server[1].

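The six enrollment steps above, acted out locally with openssl as an added example (not the book’s or any vendor’s code). A self-signed CA created by the script stands in for the vendor’s digital ID center, the administrator’s step-4 validation is written out as explicit checks, and example.com, the organization name and all file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the book: the six-step enrollment flow, acted out
# locally with openssl. A self-signed CA created here stands in for the vendor's
# digital ID center; example.com and the file names are constructed.
set -e

# Stand-in for the vendor: a CA key and self-signed CA certificate.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key -out ca.crt \
        -subj "/O=Stand-in Vendor/CN=Stand-in Vendor CA" 2>/dev/null
}

# Step 1: the user generates a private key and a CSR on the server being
# secured. The private key never leaves that server; only the CSR is sent.
generate_csr() {                  # $1 = server host name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/C=US/O=Example Corp/CN=$1" 2>/dev/null
}

# Step 4: the managed PKI administrator validates the pending request.
# Two checks: the CSR's self-signature proves the requester holds the matching
# private key, and the requested name must lie under a domain the vendor has
# already verified for the organization.
validate_csr() {                  # $1 = CSR file, $2 = approved domain
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    case "$cn" in
        "$2"|*."$2") return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 5: the (stand-in) vendor signs the CSR, producing the SSL certificate.
issue_certificate() {             # $1 = host name
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$1.crt" 2>/dev/null
}

# Step 6: before installing, confirm the certificate chains to the vendor CA
# and really matches the private key generated in step 1.
check_installable() {             # $1 = host name
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout)" ]
}

# One approved enrollment and one request the administrator must refuse.
demo() {
    work=$(mktemp -d) && cd "$work"
    make_stand_in_ca
    generate_csr www.example.com
    validate_csr www.example.com.csr example.com
    issue_certificate www.example.com
    check_installable www.example.com
    # A host outside the verified domain must not pass step 4.
    generate_csr shop.unverified-example.net
    if validate_csr shop.unverified-example.net.csr example.com; then return 1; fi
    echo "www.example.com enrolled; shop.unverified-example.net refused"
}
demo
```
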
Finally, all communications occur in protected SSL sessions and are, thus, safe for your


For the strongest, most reliable protection of your client-browser communications, SSL
certificates are widely recognized as the industry standard. SSL certificates allow your
Internet site or corporate network to enable SSL encryption, which authenticates your
server and guarantees against alteration and interception of data.

For SSL certificate protection on multiserver networks, managed PKI for SSL certificates
makes managing your SSL certificates cheaper and more efficient, and enhances
coordination within your organization. Managed PKI for SSL certificates provides the
options of customized end-user support, private label certification, and managed PKI for
issuing digital certificates to individuals integration, making it the security system that
fits the unique needs of your company.

Managed PKI for client IDs allows an organization to issue digital certificates to
individuals within its network. These digital IDs can replace password logons to a
company network and allow your Web site to control who accesses its content. Personal
digital IDs also make it possible to send digitally signed and encrypted e-mail, using the
Secure Multipurpose Internet Mail Extension (S/MIME) protocol.

Finally, if your company already uses managed PKI to issue digital certificates to
individuals within its network, or if you are interested in doing so, you can integrate this
system with your managed PKI for SSL certificate management. The managed PKI
administrator’s kit gives you the option of controlling all IDs from one control center.
Chapter 19: Securing and Managing Your Storefront for E-Business
“Is it possible to store the mind with a billion facts and still be entirely uneducated?”



Businesses that accept transactions via their online storefront can gain a competitive edge
by reaching a worldwide audience, at very low cost. But, the online storefront poses a
unique set of security issues, which businesses must address at the outset to minimize
risk. Customers will submit information via the online storefront only if they are
confident that their personal information, such as credit card numbers, financial data, or
medical history, is secure.

With the preceding in mind, by installing an SSL certificate (previously discussed in
Chapter 18) on your server, you can securely collect sensitive information online, and
increase business by giving your customers confidence that their transactions are safe.
Immediately after installing your SSL certificate, you can establish secure
communications with any customer using a browser from Netscape or Microsoft. This
proven technology is in use now—by the top 60 e-commerce sites, all of the Fortune 500
companies with an online storefront presence, and thousands of other leading sites.

This chapter is a continuation of Chapter 18, with very detailed explanations of key
issues related to online storefront security. It also describes the technologies that are used
to address the issues, and provides step-by-step instructions for obtaining and installing
an SSL certificate.

Securing Your Web Storefront with an SSL Certificate

As previously explained in Chapter 18, a proven, low-cost solution to secure online
transactions is available today. SSL certificates have earned the trust of businesses
worldwide, including virtually all of the Fortune 500 companies on the Web and all of the top
80 e-commerce sites. To date, over 854,000 SSL certificates have been issued. This part
of the chapter continues the discussion that was started in Chapter 18 by describing in
detail how SSL certificates work to make online transactions secure.

Presenting Your Credentials via an SSL Certificate

An SSL certificate, also known as a digital certificate (see sidebar, “How Digital
Certificates Work”), is the electronic equivalent of a business license. SSL certificates are
issued by a trusted third party, called a Certification Authority (CA). The CA that issues
an SSL certificate is vouching for your right to use your company name and Web
storefront address, just as the office of the Secretary of State does when it issues Articles
of Incorporation. CAs can also issue digital certificates to individuals.

Before issuing an SSL certificate, the CA reviews your credentials (such as your
organization’s Dun & Bradstreet number or Articles of Incorporation) and completes a
thorough background checking process to ensure that your organization is what it claims
to be, and is not claiming a false identity. Then, the CA issues your organization an SSL
certificate, which is an electronic credential that your business can present to prove its
identity or right to access information (see sidebar, “How Digital Certificates Work”).

An SSL certificate from the CA provides the ultimate in credibility for your online
business. A CA’s rigorous authentication practices set the industry standard. The CA
documents its carefully crafted and time-proven practices and procedures in a Certificate
Practices Statement. And, the CA annually undergoes an extensive SAS 70 Type II audit
by KPMG.

Note The Statement of Auditing Standard 70, SAS 70, was established by the American
Institute of Certified Public Accountants to certify trusted practices.

Employees responsible for dealing with certificates undergo complete background checks
and thorough training. The CA has achieved its unsurpassed reputation as a trusted third
party by paying as careful attention to physical security as electronic security. For
example, a company’s 22,000-square-foot plant where keys are issued has five tiers of
security, the last three requiring fingerprint identification.

How Digital Certificates Work

In physical transactions, the challenges of identification, authentication, and privacy are
solved with physical marks, such as seals or signatures. In electronic transactions, the
equivalent of a seal must be coded into the information itself. By checking that the
electronic “seal” is present and has not been broken, the recipient can confirm the identity
of the message sender and ensure that the message content was not altered in transit. To
create an electronic equivalent of physical security, some vendors use advanced

Throughout history, most private messages were kept secret with single key
cryptography. In single key cryptography, there is a unique code (or key) for both
encrypting and decrypting messages. Single key cryptography works as follows:

Suppose Bob has one secret key. If Alice wants to send Bob a secret message:

1. Bob sends Alice a copy of his secret key.
2. Alice encrypts a message with Bob’s secret key.
3. Bob decrypts the message with his secret key.

Unfortunately, this method has several problems. First, Bob must find a secure method of
getting his secret key to Alice. If the secret key is intercepted, all of Bob’s
communications are compromised. Second, Bob needs to trust Alice. If Alice is a double
agent, she may give Bob’s secret key to his enemies. Or, she may read Bob’s other private
messages or even imitate Bob. Finally, if you have an organization with people who need
to exchange secret messages, you will either need to have thousands (if not millions) of
secret keys, or you will need to rely on a smaller number of keys, which opens the door to

SSL certificate technology employs the more advanced public key cryptography, which
does not involve the sharing of secret keys. Rather than using the same key to both
encrypt and decrypt data, an SSL certificate uses a matched pair of keys that uniquely
complement each other. When a message is encrypted by one key, only the other key can
decrypt it.

When a key pair is generated for your business, your “private key” is installed on your
server and must never leave it; nobody else has access to it. Your matching “public key,”
in contrast, is freely distributed as part of your SSL certificate. You can share it with
anyone, and even publish it in directories. Customers or correspondents who want to
communicate with you privately use the public key in your SSL certificate to encrypt
information before sending it to you, and only you can decrypt it, because only you have
your private key. In practice a browser does not encrypt the whole conversation this
way: public-key operations are slow, so it encrypts a short, random session key with
your public key and then encrypts the rest of the session with that session key using a
fast symmetric cipher. The key-distribution problem of the previous section disappears
because the session key never travels in the clear and is discarded when the connection
ends.
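The key pair mechanics described above, as an added example that is not from the book or from any CA’s documentation: a POSIX shell script driving the openssl command-line tool. The parties Bob and Alice, the sample order message and the file names are constructed for the demonstration; the script assumes openssl is installed and works in a temporary directory. It shows both directions the text describes: a message encrypted to Bob’s public key that only Bob’s private key can open (Alice’s private key is tried and fails), and a message signed with Bob’s private key that anyone holding his public key can verify, with a one-character change to the message breaking the signature.

```shell
#!/bin/sh
# Added example, not from the book or from any CA: the public-key mechanics
# described in the text, driven through the openssl CLI. Bob, Alice, the
# sample message and all file names are constructed for the demonstration.
set -eu
umask 077   # every file we write (above all the private keys) is owner-only

# Generate a key pair for <name> under <dir>: <name>.key stays private,
# <name>.pub may be handed to anyone.
make_keypair() {   # make_keypair <dir> <name>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# Encrypt a short message to a public key. RSA-OAEP padding, not the
# PKCS#1 v1.5 padding early SSL used, which has a known padding-oracle attack.
encrypt_to() {   # encrypt_to <pubkey> <plaintext-file> <ciphertext-file>
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# Decrypt with a private key; plaintext goes to stdout. Returns non-zero
# when the key does not match the one the message was encrypted to.
decrypt_with() { # decrypt_with <privkey> <ciphertext-file>
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# The other direction: sign with the private key, verify with the public one.
sign_with() {    # sign_with <privkey> <file> <signature-out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2" 2>/dev/null
}
verify_with() {  # verify_with <pubkey> <file> <signature>; 0 iff it verifies
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Walk the scenario from the text; print "ok" and return 0 only if every
# expectation holds.
demo() {
    dir=$(mktemp -d)
    make_keypair "$dir" bob
    make_keypair "$dir" alice
    # constructed sample message from Alice to Bob
    printf 'order 4711: 3 widgets, card ending 1234\n' > "$dir/msg.txt"

    # 1. Alice encrypts with Bob's PUBLIC key; Bob's PRIVATE key recovers it.
    encrypt_to "$dir/bob.pub" "$dir/msg.txt" "$dir/msg.enc"
    decrypt_with "$dir/bob.key" "$dir/msg.enc" > "$dir/msg.dec" || true
    cmp -s "$dir/msg.txt" "$dir/msg.dec" || { echo "bob could not decrypt"; return 1; }

    # 2. Alice's own private key is useless against it: no key was ever shared.
    if decrypt_with "$dir/alice.key" "$dir/msg.enc" >/dev/null; then
        echo "alice opened a message meant for bob"; return 1
    fi

    # 3. Bob signs with his PRIVATE key; anyone with his PUBLIC key verifies,
    #    and a message altered in transit fails verification.
    sign_with "$dir/bob.key" "$dir/msg.txt" "$dir/msg.sig"
    verify_with "$dir/bob.pub" "$dir/msg.txt" "$dir/msg.sig" \
        || { echo "genuine signature rejected"; return 1; }
    printf 'order 4711: 9 widgets, card ending 1234\n' > "$dir/tampered.txt"
    if verify_with "$dir/bob.pub" "$dir/tampered.txt" "$dir/msg.sig"; then
        echo "tampered message accepted"; return 1
    fi

    rm -rf "$dir"
    echo ok
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing run" >&2
fi
```

Run it with sh; it prints ok when every expectation holds. OAEP padding is used for the encryption step because the PKCS#1 v1.5 padding that early SSL relied on is subject to Bleichenbacher’s 1998 padding-oracle attack, and SHA-256 is used for the signature digest rather than the MD5 or SHA-1 of the book’s era.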

Your SSL certificate contains your name and identifying information, your public key,
and the CA’s own digital signature as certification. It tells customers and correspondents
that your public key belongs to you[2].

A CA’s rigorous authentication practices, leading-edge cryptographic techniques, and
ultrasecure facilities are designed to maximize your confidence in the CA’s services.
These practices, technology, and infrastructure are the foundation for SSL certificates to
secure transactions working in conjunction with your Web storefront server.

Simplifying Management of Multiple SSL Certificates

Is your site hosted on 10 or more servers? As previously explained in Chapter 18, with
one purchase a managed PKI service lets you issue all the SSL certificates you need
(either standard or universal 128-bit SSL certificates) in bundles of 10, 25, 50, 100, or
more. A one-step purchasing process lets you use a single purchase order, and volume
discounts make managed PKI the most cost-effective way to secure big sites. Managed PKI
is simple to set up and configure: you start issuing server certificates through the CA’s
Web-based process, and renewing IDs or buying additional IDs works the same way. Note
that every server then holds its own private key; the convenience of bulk issuance does
not change the need to protect each one.

Learning More About Your Customers Through Client Authentication

An SSL certificate tells your customers exactly who you are. Suppose you want to learn
who your customers are, or to restrict access to your content to certain consumers. You
can set up your Web storefront site to authenticate visitors’ identities with SSL
certificates issued to individual users (client certificates). Compared with asking
customers for a user name and password, a client certificate cannot be guessed or
phished, because the private key never leaves the customer’s machine, and the certificate
carries identity attributes your business can rely on; the trade-off is that customers
must first obtain and install a certificate in their browser.

Deploying Strong Security for Worldwide Commerce

Until recently, strong 128-bit encryption was not exportable from the United States. The
U.S. Department of Commerce has since approved the issuance of certificates for 128-bit
encrypted communications, the highest level of encryption allowed across U.S. borders at
the time. With a 128-bit Global Server ID, customers whose browsers support 128-bit
encryption get the full key length when visiting your Web storefront. The marketing claim
that a Global Server ID is “a septillion times more secure” refers to key length alone: a
128-bit key space is 2^88, roughly 300 septillion, times larger than a 40-bit one. That
difference is real; 40-bit SSL keys were being recovered by brute force in days on
university hardware in the mid-1990s and offer no protection against a determined
attacker, whereas 128-bit keys are beyond brute force. Key length does not, however,
make up for a weak cipher, a leaked private key, or an unauthenticated certificate.

Facilitating Payments with Payment Services

Extending a business to the Web and opening an e-commerce storefront requires
merchants to master many tasks—not only Web storefront site development and design,
but also maintaining the confidentiality and security of consumer data and accepting and
processing payments. A CA can take the headache out of payment processing by
managing a secure, reliable, and low-cost solution for accepting payments.

CA payment services provide the ideal payment transaction platform for merchants who
want to conduct business on the Internet. Regardless of your business’s size or demands,
a CA can deliver the right solution: a fast, scalable, and reliable Internet payment
platform that enables companies to authorize, process, and manage multiple payment
types. Payment services bring affordability, flexibility, and convenience to Internet
payment processing by combining a flat-fee monthly pricing model with a growing menu
of services and solutions for merchants, financial institutions, resellers, and developers.

For example, VeriSign’s Commerce Site and Commerce Site Pro Services combine SSL
certificates with the VeriSign Payflow Pro service to form a complete, integrated solution
that’s ideal for e-merchants and online stores. Commerce Site includes a 40-bit SSL
certificate and Payflow Pro, plus additional value-added services. Commerce Site Pro
also includes a 128-bit SSL Global Server ID and Payflow Pro, plus value-added

Payflow Pro is designed especially to help Web storefront merchants securely accept and
process credit card, debit card, purchase card, and electronic check payments. Payflow
Pro is a versatile solution for online payment processing, and is ideal for large-scale, e-
commerce merchants that require peak performance and complete customizability.
Payflow Pro enables payment processing through a small SSL TCP/IP-enabled client that
controls communications between merchants’ applications and the Payflow platform.
Designed for scalability and reliability, Payflow Pro creates a dedicated SSL TCP/IP-
level communication thread for each transaction between the client and the server.
Payflow Pro is downloadable as a Software Development Kit (SDK) or comes
preintegrated with most shopping carts and e-commerce platforms. Up to 5,000
transactions are included.

Step-By-Step Instructions

In one to three days, after the CA has verified your credentials, you will receive your SSL
certificate via e-mail. Simply install the SSL certificate on your server, and then
immediately begin conducting transactions online—with the confidence that you and
your customers are protected.

As previously mentioned, the U.S. Department of Commerce requires your company to
qualify before buying the 128-bit SSL encryption of Global Server IDs. All companies
within the United States are eligible. The U.S. government determines the categories of
companies that can implement 128-bit SSL encryption outside the United States and
across U.S. borders, and regulations now make Global Server IDs available to a wider
group of customers than ever before. Any company or organization around the world may
purchase a Global Server ID, with the following exceptions (as of the 2003 source; the
list changes, so check the current export regulations): persons on the U.S. government’s
Denied Persons List, and customers located in Cuba, Iran, Iraq, Libya, North Korea,
Sudan, and Syria.

Before You Begin

Before beginning a CA’s online enrollment, check to make sure you are ready to proceed
by preparing the following.

Installing Server Software

Nearly all server brands support the CA’s 40-bit SSL certificates. A server that is to
carry a 128-bit Global Server ID can run server software from any non-U.S. software
vendor, or software from a U.S. vendor that the U.S. Department of Commerce has
properly classified, including:

• Apache-SSL
• BEA WebLogic
• C2Net Apache Stronghold
• Compaq/Tandem iTP Webserver
• Covalent Raven
• Hewlett Packard Virtual Vault (with Netscape Enterprise)
• IBM HTTP Server/WebSphere
• iPlanet Servers
• Lotus Domino
• Microsoft IIS
• mod_ssl
• Nanoteq Netseq server
• Netscape Suite Spot servers, including Netscape Enterprise and Netscape Proxy
• O’Reilly WebSite Pro
• Red Hat Professional
• Zeus[2]

Registering Your Domain Name and Confirming Firewall Configuration

If you haven’t already, register your domain name with an accredited registrar. SSL
certificate enrollment also requires that you can make both HTTP and HTTPS connections
to a CA’s Web storefront, so check that your firewall allows outbound connections on
ports 80 and 443 from the machine you enroll from.

Preparing Payment

If you are applying for a free, 14-day trial SSL certificate, no payment is necessary. If you
are purchasing a one-year, full-service SSL certificate, you can pay with a purchase order,
check, wire transfer, or an American Express®, Visa®, MasterCard®, or Discover card.

Reviewing Legal Agreement and Gathering Proof of Right Documents

In the process of enrolling, you will need to sign a Secure Server Subscriber Agreement.
Before issuing your SSL certificate, the CA must confirm that your company is legitimate
and is registered with the proper government authorities. If you have a Dun & Bradstreet
DUNS number, simply supply your number. International DUNS numbers must be in the
Dun & Bradstreet database for at least two months before a CA can verify the
information. If you do not have a DUNS number, either go to http://www.dnb.com/us/ and
apply for one, or submit a hard copy of at least one of the following filed documents for
your company: articles of incorporation, partnership papers, business license, or fictitious
business license. All documents must be in English.

Selecting an Option for Obtaining Payment

Collecting credit card payments (in person or via the phone or Web) always involves two
steps. First, obtain the credit card number from the customer. Second, secure payment
from an acquiring processor on behalf of the credit card issuing bank. When your
business uses an SSL certificate to obtain billing information from your customers, you
have two options for collecting payments from the acquiring processor: traditional phone-
in or online processing. You are now ready to obtain your SSL certificate (see sidebar,
“How to Obtain Your SSL Certificate”).
How to Obtain Your SSL Certificate

To complete your SSL certificate enrollment, please visit one of many sites, for example:
http://www.verisign.com/products/site. There, you will be instructed to complete the
following steps.

1. Generate a Certificate Signing Request: Follow the instructions in your server
software manual, or online at http://digitalid.verisign.com/server/enrollStep3.htm,
to create a key pair and a Certificate Signing Request (CSR). The server software
creates two files: the private key, which stays on your server, and the CSR, which
contains the public key and your identifying information and is what you send to
the CA. Make backup copies of both on a floppy disk and store the disk in a secure
location; on the server itself, restrict the key file so that only the server
process can read it, and never send it by e-mail or paste it into a Web form. This
is important: if your private key is lost, the CA cannot recover it for you, and if
it is copied, whoever has it can impersonate your site until the certificate is
revoked.
2. Submit the Certificate Signing Request (CSR) to the CA: Open the CSR file in
a plain text editor, such as WordPad, Notepad, or TextPad. Do not use a word
processing application such as Microsoft Word or Adobe FrameMaker, which may
alter characters and line breaks. Select the text in the CSR, beginning with and
including the line

-----BEGIN CERTIFICATE REQUEST-----

and ending with and including the line

-----END CERTIFICATE REQUEST-----

(some server software labels these lines BEGIN NEW CERTIFICATE REQUEST and END
NEW CERTIFICATE REQUEST; include whichever your software produced). Copy and
paste the CSR into the CA’s online enrollment form for the trial or the one-year
subscription. Click the Submit button.

3. Complete application: Fill out the online application form with information
about your company and contacts. The technical contact must be authorized to run
and maintain your secure Web storefront server and must be employed by your
organization. If you access the Web storefront through an Internet Service
Provider (ISP), the ISP may complete the CSR for you and serve as the technical
contact, and you can then enroll. If your ISP does not offer CA IDs, refer it to
www.verisign.com/isp/index.html for information about VeriSign’s Secure Site ISP

The organizational contact must be authorized to make binding agreements, such
as the Secure Server Service Agreement, and must be employed by your
organization. It is best to select a different person from the technical contact.

The billing contact will receive invoices. This can be the same person as the
technical or organizational contact.

4. Authentication takes 1–3 days: Within a few hours of receiving your
application, the CA will send a confirming e-mail to your technical and
organizational contacts. The e-mail will include a URL where you can check the
status of your application, as well as a Personal Identification Number (PIN) that
you will need to view the status. If the information you submitted is complete,
your technical contact and organizational contact will receive your SSL certificate
by e-mail in 1–3 working days.
5. Install your SSL certificate: When you receive your SSL certificate, make a
backup copy of it and store it on a labeled floppy disk, noting the date you
received it. Store the floppy disk in a secure place. To install your SSL certificate,
follow the instructions in your server software documentation for digital
6. Enable SSL on your server: Consult your server software manual to enable SSL.
The process should take approximately five minutes.
7. Post the Secure Site Seal on all your secure pages: You should receive a file of
the Seal, complete with instructions on how to install it, via e-mail shortly after
completing the enrollment process. You can also find downloadable Seal files and
instructions at http://www.verisign.com/seal/secure/install.html[2]

Note SSL imposes some performance overhead, and for that reason most server
software lets you apply SSL selectively to the pages that handle sensitive data, such
as payment pages. Before you do, weigh the cost of serving the rest of the site in the
clear: an attacker who can intercept the unencrypted product pages can rewrite them so
that the “Buy” link leads to a page of his own, and any session cookie set or sent over
plain HTTP is exposed. If you serve a mix, at least make sure the links into the payment
pages are HTTPS links and that cookies used on the secure pages are marked secure so
browsers never send them in the clear.
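The seven enrollment steps above, carried out with the openssl command-line tool, as an added example that is not from the book or from VeriSign. Because a commercial CA cannot be reached offline, a throwaway local CA stands in for steps 3 and 4 (an assumption of this example); with a real CA you would paste the output of csr_pem_block into the enrollment form and receive the certificate by e-mail instead of running sign_csr_as_ca. The organization name, the host name www.example-store.test, the subject fields and the file names are made up, the script assumes openssl is installed, and the function names are this example’s own. The two checks it adds are the ones worth running before you install anything: that the CSR’s own signature verifies (so nothing was mangled in copy-and-paste) and that the certificate the CA sent back contains the public key matching the private key on your server and chains to the CA.

```shell
#!/bin/sh
# Added example, not from the book or from VeriSign: the enrollment steps
# above done with the openssl CLI. A throwaway local CA stands in for the
# commercial CA (assumption); the organization, host name and file names
# are made up.
set -eu
umask 077   # private keys are written owner-only

# Step 1: key pair plus Certificate Signing Request. Only server.csr is
# sent to the CA; server.key never leaves this machine.
make_csr() {   # make_csr <dir> <host-name> <organization>
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=California/L=Mountain View/O=$3/CN=$2" 2>/dev/null
}

# Step 2: what the enrollment form wants is the PEM block from the BEGIN
# line through the END line, inclusive. Some tools label it
# "NEW CERTIFICATE REQUEST"; the pattern accepts both.
csr_pem_block() {   # csr_pem_block <csr-file>
    sed -n '/^-----BEGIN .*CERTIFICATE REQUEST-----$/,/^-----END .*CERTIFICATE REQUEST-----$/p' "$1"
}

# Before submitting: the CSR's self-signature verifies (nothing was mangled
# by copy-and-paste) and it names the host you meant.
check_csr() {   # check_csr <csr-file> <expected-host-name>
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# Stand-in for the CA's steps 3 and 4. A real CA verifies the organization
# before signing; this one signs whatever it is given, so trust nothing it
# issues outside this demonstration.
sign_csr_as_ca() {  # sign_csr_as_ca <dir> <csr-file> <cert-out>
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/O=Demo Test CA/CN=Demo Test CA Root" 2>/dev/null
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

# Step 5, before installing: the certificate chains to the CA and carries
# the same public key as the private key on the server. A certificate that
# fails the second test was issued against someone else's CSR.
check_issued_cert() {  # check_issued_cert <ca-cert> <cert> <privkey>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]
}

# Run the whole enrollment offline; print "ok" only if every check passes.
demo() {
    dir=$(mktemp -d)
    make_csr "$dir" www.example-store.test "Example Store Inc."
    check_csr "$dir/server.csr" www.example-store.test \
        || { echo "CSR failed its own checks"; return 1; }
    csr_pem_block "$dir/server.csr" > "$dir/paste-into-form.txt"
    grep -q 'BEGIN' "$dir/paste-into-form.txt" || { echo "no PEM block"; return 1; }

    sign_csr_as_ca "$dir" "$dir/server.csr" "$dir/server.crt"
    check_issued_cert "$dir/ca.crt" "$dir/server.crt" "$dir/server.key" \
        || { echo "certificate does not match key or chain"; return 1; }

    # Negative check: the same certificate against a different private key.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    if check_issued_cert "$dir/ca.crt" "$dir/server.crt" "$dir/other.key"; then
        echo "key mismatch went undetected"; return 1
    fi
    rm -rf "$dir"
    echo ok
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing run" >&2
fi
```

The -nodes option leaves the private key unencrypted on disk so the server can start unattended; the owner-only permissions from umask 077 are then the only thing protecting it, so keep it off shared drives and off backup media that others can read. If you prefer a passphrase-protected key, drop -nodes and be prepared to enter the passphrase at every server restart.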

Options for Obtaining Payment

Congratulations! You can now offer secure transactions to your online customers.

Traditional Phone-In

If your business already collects credit card payments from person-to-person or telephone
sales, you are probably using this method currently. Simply read each customer’s card
number from your Internet order form and key it into your point-of-sale (POS) terminal,
which transmits it to the processor. Card numbers copied off Internet order forms then
sit on your own systems: store them encrypted, limit who can see them, and delete them
once they have been keyed in.

If your business is not yet set up to collect credit card payments, contact a merchant
services company, such as First Data Corporation Web Info. Merchant service companies
generally charge a nominal setup fee, also called an underwriting fee, and then charge a
percentage of each transaction.

Online Processing

Most leading credit card processors offer their merchants the option to collect payments
online. The payment-enabling software needed for these transactions depends on the
system that the credit card service provider uses. For example, Payflow Payment
Services provide low-cost payment connectivity between buyers, sellers, and financial
networks. Payflow services bring the Internet’s “anyone-to-anyone” ease of connectivity
to the payments industry: by using Payflow, a merchant can connect to any bank,
transaction service, or form of payment without worrying about the underlying
technology, and customers can pay with a variety of financial instruments, including
checking accounts, savings accounts, and credit cards.

Now, let’s look at how to establish trust to protect and grow your online storefront. In
other words, in light of the risks associated with electronic commerce and online
communication, it is imperative to not only use secure encryption technology when
conducting online business, but to also be able to prove one’s identity and develop trust
relationships with customers and partners.

Building online trust relationships with partners and customers involves being
authenticated by a trusted third party and receiving an authenticated SSL digital
certificate that is signed by that trusted third party. Encryption, the process of
transforming information to make it unintelligible to all but the intended recipient(s),
forms the basis of data integrity and privacy necessary for online business. Without
authentication, however, encryption technology does not sufficiently protect online users.
Authentication must be used in conjunction with encryption to provide:

• Confirmation that the organization named in the certificate has the right to use the
domain name included in the certificate
• Confirmation that the organization named in the certificate is a legal entity
• Confirmation that the individual who requested the SSL certificate on behalf of
the organization was authorized to do so[1]

There is a distinction between authenticated (“high-assurance”) certificates, which

provide trust and security, and unauthenticated (“low-assurance”) certificates, which
threaten consumer confidence and online security. In addition to using encryption
technology, it is vital that your Web storefront is authenticated, which will improve Web
visitors’ trust in your Web storefront and in your business.

When you establish your secure Web storefront, you can take advantage of a wealth of
options to further enhance your e-commerce operation. You can display the number-one
trust brand on the Internet (Cheskin/Studio Archetype) to give your customers the
confidence to communicate and transact business with your site. A seal allows your
visitors to check your SSL certificate’s information and status in real time, thus
increasing their trust in your online storefront and increasing your sales and revenues.

Increased trust in the safety of online transactions has numerous benefits, of which
increased revenue and profitability are the most important. There are real challenges (and
significant opportunities) for online storefronts to deliver the same level of trust and
personalization over the Internet as is offered by brick-and-mortar storefronts.

Nevertheless, until recently, most SSL certificates could be categorized as medium- to

high-assurance certificates, providing three security services: confidentiality,
authentication, and integrity. Digital certificates uniquely identify individuals and Web
storefronts on the Internet and enable secure, confidential communications.
Unfortunately, some providers of SSL certificates have elected to provide unauthenticated
or low-assurance SSL certificates in order to lower costs and accelerate order fulfillment.
This conflicts with generally accepted industry practices, erodes customer confidence,
and serves as a source of confusion for Web storefront visitors.

“Low-assurance” SSL certificates provide confidentiality and integrity, but lack

authentication. In the past, the lock icon in the users’ browser was perceived to be a
reliable sign of authentication. Now, users are forced to examine the SSL certificate itself
to distinguish between a high-assurance, authenticated certificate and a low-assurance,
unauthenticated certificate.

If, for example, a user intends to communicate securely with a Web site bearing an SSL
certificate with the organization name “ABC Inc.,” the user is compelled to check
whether the certificate was authenticated by a third party. The SSL certificate is meant
to convey assurance that the visited Web storefront (http://www.abc-incorporated.com) is
definitely an “ABC Inc.” Web storefront and not another entity pretending to be ABC
Inc. in order to trick visitors into doing business with it. Only through rigorous
authentication can a company prove to its customers and partners that its Web
storefront is authentic and has the right to use the domain name presented on the

“Guide to Securing Your Web Site for Business,” © 2003 VeriSign, Inc. All rights
reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View,
CA 94043.

“Establish Trust to Protect and Grow Your Online Business,” © 2003 VeriSign, Inc. All
rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain
View, CA 94043.

Why Is Authenticated SSL Necessary?

Notions of identity and authentication are fundamental concepts in every marketplace.
People and institutions need to get to know one another and establish trust before
conducting business. In traditional commerce, people rely on physical credentials (such
as a business license or letter of credit) to prove their identities and assure the other party
of their ability to consummate a trade.

In the age of e-business, authenticated SSL certificates provide crucial online identity and
security to help establish trust between parties involved in online transactions over digital
networks. Regardless of whether commerce takes place in the digital world or in the
physical world, the parties involved must be able to answer these questions:

• Who are you? (Requirement of identity)
• To what community do you belong? Are you a trusted member? (Trust by
• How can you prove your identity? (Validation of identity)[1]

Customers must be assured that the Web storefront with which they are communicating is
genuine and that the information they send via Web browsers stays private and

The Web presents a unique set of trust issues, which businesses must address at the outset
to minimize risk. Customers submit information and purchase goods or services via the
Web, only when they are confident that their personal information, such as credit card
numbers and financial data, is secure. The solution for businesses that are serious about e-
commerce is to implement a complete e-commerce trust infrastructure based on
encryption technology. Encryption, the process of transforming information to make it
unintelligible to all but the intended recipient, forms the basis of data integrity and
privacy necessary for e-commerce.


Encryption is not enough; it is imperative that your Web storefront is also authenticated,
which will improve Web storefront visitors’ trust in you and your Web storefront.
Authentication means that a trusted authority can prove that you are who you say you are.
To prove that your business is authentic, your Web storefront needs to be secured by best-
of-breed encryption technology and authentication practices.

Digital Certificates

As previously discussed in Chapter 18, a digital certificate is an electronic file that
uniquely identifies individuals and Web storefronts on the Internet and enables secure,
confidential communications. Digital certificates serve as a kind of digital passport or

Typically, the “signer” of a digital certificate is a CA. Some CAs authenticate the
organization before signing, but unfortunately there are CAs that issue unauthenticated
SSL certificates. This practice exposes online users to the risk of false online
storefronts operating on the Internet. Authenticated SSL certificates enable a Web
storefront visitor to communicate securely with the Web storefront, such that information
provided by the visitor cannot be read in transit (confidentiality) or altered without
detection (integrity), and to verify that the site the user is actually visiting is the
company’s Web site and not an imposter’s site (authentication).

Finally, a CA assures trust by coupling its authentication service with state-of-the-art
encryption technology in its digital certificate solutions. Your online storefront will only
be issued an authenticated SSL certificate after:

• Verifying your identity and confirming that your organization is a legal entity
• Confirming that you have the right to use the domain name included in the
certificate
• Verifying that the individual who requested the SSL certificate on behalf of the
organization was authorized to do so[1]


With its worldwide reach, the Web is a lucrative distribution channel with unprecedented
potential. By setting up an online storefront, businesses can reach the millions of people
around the world already using the Internet for transactions. And, by ensuring the security
of online payments, businesses can minimize risk and reach a far larger market—the 89
percent of Internet users who still hesitate to shop online because of security concerns.

An SSL certificate enables you to immediately begin conducting online business securely,
with authentication, message privacy, and message integrity. As a result, you can
minimize risk, win customer confidence, and, ultimately, gain a competitive edge.

Some CAs believe that encryption without authentication is enough to ensure a secure
Web storefront and to build trust between you and your customers. But, encryption alone
is not sufficient. Unauthenticated SSL certificates provide confidentiality and integrity,
but lack the third-party authentication necessary to:

• Verify that the user is actually visiting the company’s Web storefront and not an
imposter’s site.
• Allow the receiver of a digital message to be confident of both the identity of the
sender and the integrity of the message.
• Ensure safe online transactions that protect both customers and your business[1].

For these reasons, it is critical that your Web storefront is authenticated, which will
improve Web visitors’ trust in you and your Web storefront. Furthermore, if certificates
can be issued to unauthorized parties, the trustworthiness of legitimate certificates is
diminished. Requiring verification of the certificate applicant’s authority to request a
certificate (employment with the organization named in the certificate) guards against the
threat of issuing a certificate to a malicious individual who is not associated with the
organization.

An authenticated SSL certificate provides the ultimate in credibility for your online
storefront. Rigorous authentication practices set by industry standards provide assurance
that subscribers are properly identified and authenticated, and subscriber certificate
requests are accurate, authorized, and complete.

In addition, by displaying a Secure Site Seal, you can give your customers the confidence
to communicate and transact business with your site. A Secure Site Seal allows your
visitors to check your SSL certificate’s information and status in real time, and provides
additional protection against the misuse of revoked and expired certificates.

Finally, rigorous authentication practices, as well as leading-edge cryptographic
techniques and ultrasecure facilities, are designed to maximize your and your customers’
confidence. These practices, technology, and infrastructure are the foundation for server
certificates to secure transactions, working in conjunction with your Web storefront
server.

Part V: Electronic Payments Technology
Chapter List
Chapter 20: Payment Technology Issues
Chapter 21: Electronic Payment Methods Through Smart Cards
Chapter 22: Electronic Payment Systems
Chapter 23: Digital Currencies
Chapter 20: Payment Technology Issues
“If you think nobody cares if you’re alive, try missing a couple of house payments.”

Online payment processing requires coordinating the flow of transactions among a
complex network of financial institutions and processors. Fortunately, technology has
simplified this process so that, with the right solution, payment processing is easy, secure,
and seamless for both you and your customers. This chapter provides you with what you
need to know about online payment processing issues:

• Online payment processing basics
• The payment processing network
• How payment processing works
• What you should know about fraud
• What to look for in a payment processing solution
• Getting started

After you’ve read this chapter, you’ll understand the issues and essential elements of
accepting payments online, the most important step in putting your Web site to work for

Online Payment Processing Basics

Purchasing online may seem to be quick and easy, but most consumers give little thought
to the process that appears to work instantaneously. For it to work correctly, merchants
must connect to a network of banks (both acquiring and issuing banks), processors, and
other financial institutions so that payment information provided by the customer can be
routed securely and reliably. The solution is a payment gateway that connects your online
store to these institutions and processors. Because payment information is highly
sensitive, trust and confidence are essential elements of any payment transaction. This
means the gateway should be provided by a company with in-depth experience in
payment processing and security.

The Payment Processing Network

Here’s a breakdown of the participants and elements involved in processing payments:

Acquiring bank: In the online payment processing world, an acquiring bank provides
Internet merchant accounts. A merchant must open an Internet merchant account with an
acquiring bank to enable online credit card authorization and payment processing.
Examples of acquiring banks include Merchant eSolutions and most major banks.
Authorization: The process by which a customer’s credit card is verified as active and
as having the credit available for a transaction. In the online payment processing world,
an authorization also verifies that the billing address the customer has provided matches
the one on record with the card issuer (the Address Verification Service, AVS).

Credit card association: A financial institution that provides credit card services that are
branded and distributed by customer issuing banks. Examples include Visa® and
MasterCard® (see sidebar, “Visa and MasterCard Take Different Approaches to
Authentication”).

Customer: The holder of the payment instrument—such as a credit card, debit card, or
electronic check.

Customer issuing bank: A financial institution that provides a customer with a credit
card or other payment instrument. Examples include Citibank and Suntrust. During a
purchase, the customer issuing bank verifies that the payment information submitted to
the merchant is valid and that the customer has the funds or credit limit to make the
proposed purchase.

Internet merchant account: A special account with an acquiring bank that allows the
merchant to accept credit cards over the Internet. The merchant typically pays a
processing fee for each transaction processed, also known as the discount rate. A
merchant applies for an Internet merchant account in a process similar to applying for a
commercial loan. The fees charged by the acquiring bank will vary.

Merchant: Someone who owns a company that sells products or services.

Payment gateway: A service that provides connectivity among merchants, customers,
and financial networks to process authorizations and payments. The service is usually
operated by a third-party provider such as VeriSign.

Processor: A large data center that processes credit card transactions and settles funds to
merchants. The processor is connected to a merchant’s site on behalf of an acquiring bank
via a payment gateway.

Settlement: The process by which transactions with authorization codes are sent to the
processor for payment to the merchant. Settlement is a sort of electronic bookkeeping
procedure that causes all funds from captured transactions to be routed to the merchant’s
acquiring bank for deposit[1].

Visa and MasterCard Take Different Approaches to Authentication

Online merchants could face integration hassles as they deploy forthcoming and
competing credit card payer authentication technologies from Visa USA and MasterCard
International Inc. The technologies, Visa’s Verified by Visa and MasterCard’s Secure
Payment Application service, take distinctly different approaches. Visa performs
authentication during checkout on the merchant site, handing the cardholder to the card
issuer to enter a password and returning the result to the merchant, whereas MasterCard
handles it on the customer’s PC automatically, using a previously downloaded applet.

As a result, merchants that accept credit cards will be required to support two
authentication mechanisms. Furthermore, some observers speculate the companies’
respective systems may be no more successful in gaining market acceptance than the ill-
fated Secure Electronic Transaction (SET) authentication protocol, a protocol
spearheaded by Visa and MasterCard.

Visa sweetened the bait for its system recently when it announced that online merchants
using Verified by Visa will have no liability for any transactions processed by the service.
Verified by Visa, also known as Visa Payer Authentication, authenticates credit card users
with a password and requires no client software. MasterCard’s Secure Payment
Application service, which the Purchase, N.Y., company will pilot in April, also uses a
password or PIN and requires an applet for authentication.

MasterCard and Visa, which formerly cooperated, now find fault with each other’s
approaches. Visa’s service, for instance, will extend transaction processing times, take
customers off the merchant sites for authentication, and require complex integration.
MasterCard’s service, Visa countered, amounts to a digital wallet, which consumers have
been loath to use.

About the only thing MasterCard and Visa seem to agree on is that SET, which was
launched in December 1997, was a failure. SET required long download times for
customers, used clumsy digital certificate technology, and created integration hassles for
merchants and banks that issued the credit cards. It had all but faded away by late 1998.

But with Visa and MasterCard now going separate ways, some merchants see little reason
to try authentication technology. You’re creating another layer of complication. After
customers go through the trouble of giving you their credit card number, they now have
the problem of remembering one more password.

How Payment Processing Works

Payment processing in the online world is similar to payment processing in the offline or
“Brick and Mortar” world, with one significant exception. In the online world, the card is
“not present” at the transaction (see Figure 20.1)[1]. This means that the merchant must
take additional steps to verify that the card information is being submitted by the actual
owner of the card, as shown in Figure 20.1. Payment processing can be divided into two
major phases or steps: authorization and settlement (see sidebar, “Payment Processing—
Authorization and Settlement”).

Payment Processing—Authorization and Settlement

Authorization verifies that the card is active and that the customer has sufficient credit
available to make the transaction. Settlement involves transferring money from the
customer’s account to the merchant’s account.

Authorization: Online

1. A customer decides to make a purchase on a merchant’s Web site, proceeds to
checkout, and inputs credit card information.
2. The merchant’s Web site receives customer information and sends transaction
information to the payment gateway.
3. The payment gateway routes information to the processor.
4. The processor sends information to the issuing bank of the customer’s credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the
6. The processor routes the transaction result to the payment gateway.
7. The payment gateway passes result information to the merchant.
8. The merchant accepts or rejects the transaction and ships goods if necessary.
Because this is a “card not present” transaction, the merchant should take
additional precautions to ensure that the card has not been stolen and that the
customer is the actual owner of the card. See the “What You Should Know About
Fraud” section later in this chapter for more information on preventing fraudulent
transactions (see Figure 20.1).

Authorization: “Brick and Mortar”

1. A customer selects item(s) to purchase, brings them to a cashier, and hands the
credit card to the merchant.
2. The merchant swipes the card and transfers transaction information to a point-of-
sale terminal.
3. The point-of-sale terminal routes information to the processor via a dial-up
connection (for the purposes of the graphic shown in Figure 20.1, the point-of-
sale terminal takes the place of the payment gateway in the offline world).
4. The processor sends information to the issuing bank of the customer’s credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the
6. The processor routes the transaction result to the point-of-sale terminal.
7. The point-of-sale terminal shows the merchant whether the transaction was
approved or declined.
8. The merchant tells the customer the outcome of the transaction. If approved, the
merchant has the customer sign the credit card receipt and gives the item(s) to the
customer (see Figure 20.1).

Payment Processing—Settlement

The settlement process transfers authorized funds for a transaction from the customer’s
bank account to the merchant’s bank account, as shown in Figure 20.2[1]. The process is
basically the same whether the transaction is conducted online or offline[1].

What You Should Know About Fraud

Credit card fraud can be a significant problem for customers, merchants, and credit card
issuers[2]. Liability for fraudulent transactions belongs to the credit card issuer for a card-
present, in-store transaction, but shifts to the merchant for “card not present” transactions,
including transactions conducted online. This means that the merchant does not receive
payment for a fraudulent online transaction. Fortunately, there are steps you can take to
significantly limit your risk as an online merchant. The following important fraud
prevention steps should be adhered to:

1. Choose a payment services provider that is well-established and credible. Your
provider should also have in-depth experience in and a strong track record for
transaction security.
2. Make sure your payment gateway provider offers real-time credit card
authorization results. This ensures that the credit card has not been reported as lost
or stolen and that it is a valid card number.
3. One of the simplest ways to reduce the risk of a fraudulent transaction is to use
Address Verification Service (AVS). This matches the card holder billing address
on file with the billing address submitted to ensure that the card holder is the card
4. Use Card Security Codes, known as CVV2 for Visa, CVVC for MasterCard, and
CID for American Express®. For American Express, the code is a four-digit
number that appears on the front of the card above the account number. For Visa
and MasterCard, the code is a three-digit number that appears at the end of the
account number on the back of the card. The code is not printed on any receipts
and provides additional assurance that the actual card is in possession of the
person submitting the transaction. As a merchant, you can ask for this code on
your online order form. Even if you do not use this for processing, simply asking
for it acts as a strong deterrent against fraud.
5. Watch for multiple orders for easily resold items such as electronic goods
purchased on the same credit card.
6. Develop a negative card and shipping address list and cross-check transactions
against it. Many perpetrators will go back to the same merchant again and again
to make fraudulent transactions[1].
Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
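The screening checks in the list above (real-time authorization result, AVS, card security code, repeat orders of easily resold goods, and a negative card and shipping address list), as an added Python illustration that is not the book’s or any payment provider’s code. The addresses on file, the orders, the review threshold and the accept/review/reject policy are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def normalize(addr: str) -> str:
    """Crude address normalization so "12 Elm St." and "12 elm st" compare equal."""
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())


# Constructed billing addresses "on file" with the issuer, keyed by a gateway
# card token: the screening code never needs the full account number.
ON_FILE = {
    "tok_a": {"street": "12 Elm St.", "zip": "02110"},
    "tok_b": {"street": "9 Oak Ave", "zip": "94105"},
}

EASILY_RESOLD = {"electronics", "gift cards"}  # assumed resale-prone categories
VELOCITY_LIMIT = 3  # hypothetical: the third resold-goods order on one card is reviewed


@dataclass
class Order:
    order_id: str
    card_token: str
    auth_approved: bool           # real-time authorization result from the gateway
    billing_street: str
    billing_zip: str
    csc_matched: Optional[bool]   # card security code check; None = code not collected
    ship_address: str
    category: str


@dataclass
class Screener:
    negative_cards: set = field(default_factory=set)
    negative_ship: set = field(default_factory=set)
    resold_orders: dict = field(default_factory=lambda: defaultdict(int))

    def avs(self, order: Order) -> str:
        """Address Verification: compare the submitted billing address with the one on file."""
        rec = ON_FILE.get(order.card_token)
        if rec is None:
            return "unavailable"
        street_ok = normalize(rec["street"]) == normalize(order.billing_street)
        zip_ok = rec["zip"] == order.billing_zip
        if street_ok and zip_ok:
            return "full"
        return "partial" if (street_ok or zip_ok) else "none"

    def screen(self, order: Order) -> Tuple[str, List[str]]:
        """Return (decision, reasons) with decision 'accept', 'review' or 'reject'."""
        if not order.auth_approved:
            return "reject", ["issuer declined the authorization"]
        hard = []  # any of these rejects the order outright
        if order.card_token in self.negative_cards:
            hard.append("card on negative list")
        if normalize(order.ship_address) in self.negative_ship:
            hard.append("shipping address on negative list")
        avs = self.avs(order)
        if avs == "none":
            hard.append("AVS: billing address does not match")
        if order.csc_matched is False:
            hard.append("card security code mismatch")
        if hard:
            return "reject", hard
        soft = []  # weaker signals: hold for manual review instead of rejecting
        if avs != "full":
            soft.append(f"AVS: {avs}")
        if order.csc_matched is None:
            soft.append("card security code not collected")
        if order.category in EASILY_RESOLD:
            self.resold_orders[order.card_token] += 1
            if self.resold_orders[order.card_token] >= VELOCITY_LIMIT:
                soft.append("repeated orders of easily resold goods on one card")
        return ("review" if soft else "accept"), soft

    def record_fraud(self, order: Order) -> None:
        """After a confirmed fraudulent order, add its card and ship-to address to the negative lists."""
        self.negative_cards.add(order.card_token)
        self.negative_ship.add(normalize(order.ship_address))
```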

What to Look for in a Payment Processing Solution

Finding a reliable, secure, and flexible payment processing solution for your business is
critical, so it’s important to take the time to investigate and assess the options available to
you. A payment processing solution should:

1. Reliably and cost-effectively accept and process a variety of payment types,
including credit cards and electronic checks. Not only does this reduce lost sales,
but it also enhances the quality of your site by allowing your customers the
freedom and flexibility to pay you quickly and conveniently.
2. Provide real-time credit card authorization results allowing you to accept or reject
orders immediately and reduce the risk of fraudulent transactions.
3. Easily track and manage payments from multiple payment types or processors so
you can spend more time on your business, not on managing transactions.
4. Provide recurring billing payment services, allowing you to set up scheduled
payment charges to your customers. For example, you can set up automatically
recurring charges for items such as membership dues or for installment payments.
Recurring billing is an important feature that provides added convenience for both
you and your customer.
5. Be able to act as a virtual terminal to allow for processing offline transactions.
This gives you the flexibility to process orders received via telephone, fax, e-mail,
or in person.
6. Provide and store transaction records allowing you to easily search for
transactions and create transaction reports.
7. Scale rapidly and seamlessly to accommodate increased transaction volumes so
your systems grow as your business grows.
8. Provide flexible, easy integration with the merchant’s Web site. The sooner you
can start accepting payments, the sooner you start generating revenue from your
9. Be able to work with all the leading Internet merchant accounts, which allows you
to switch your banking relationship and not have to worry about installing new
software or performing new integrations.
10. Be provided by a well-established and trustworthy company. This ensures that
your payment service provider will continue to provide reliable payment services
as well as new features[1].

Getting Started Now

You can start accepting payments online in three easy steps:

1. Choose and purchase a payment solution that fits your needs.
2. Set up the payment solution on your Web site.
3. Set up your Internet merchant account[1].

Accepting payments online is an important step in growing your business.


Over 80 percent of U.S. households are online, and more than half of these households
shop from home on a weekly basis. In fact, according to Ipsos-Reid, a leading research
company, of the 120 million Americans who use the Internet, half of them will spend at
least $700 shopping online in 2004. This means that if you’re not selling online, you’re
missing a significant revenue opportunity. And, with advances in technology, selling
online has never been easier or more cost-effective.

An online store allows you to be open for business 24 hours a day, 7 days a week. Not
only is this an important convenience for your customers, it also means more revenue for
you. An online store also helps you to reduce your overhead costs because you don’t need
to hire reception staff and people to take orders. With the right payment processing tools,
these functions are all done automatically for you. And lastly, an online store helps you to
reach new markets—across the country or even outside the United States. An online store
is no longer an option for a successful business, it’s a critical step in managing and
growing your business.

The most important part of selling online is accepting payments from your customers
ranging from a single transaction (the purchase of an item from your Web site), to a series
of transactions from a customer (the payment of membership fees or installment
payments via your Web site). Online payment processing offers a customer the
convenience of submitting their credit card or other forms of payment on your Web site,
and for you to actually receive the money from this transaction. Recurring payment
processing allows you to set up regularly scheduled payments for your customers for a
series of transactions.

Chapter 21: Electronic Payment Methods Through Smart Cards
“Crito, I owe a cock to Asclepius; will you remember to pay the debt?”

—Socrates (470–399 B.C.)


The electronic payment card has been in existence for many years. It started in the form
of a card embossed with details of the cardholder (account number, name, expiration
date), which could be used at a point of sale to purchase goods or services. The magnetic
stripe was soon introduced as a means of holding more data than was possible by
embossing alone. The magnetic stripe also allowed cardholder details to be read
electronically in a suitable terminal, so that checks could be made with little or no human
intervention about the cardholder’s creditworthiness or whether the card had been
reported lost or stolen.

Card technology has advanced over the years to keep ahead of the worldwide increase in
card-related crime. As the criminal fraternity found ways of producing sufficiently good
counterfeit cards, the card companies introduced new ways of combating the problem. A
succession of antifraud measures have been introduced over the years, such as the
hologram, the Card Verification Value (CVV, a value stored on the magnetic stripe that
can be used to determine if a card has been produced illicitly), and in some cases,
photographs of the cardholder[2].

Magnetic stripe cards have now been developed to the point where there is little or no
further scope for introducing more anticrime measures. This has caused the card
associations to look at new technologies to take the plastic card well into the twenty-first
century. One technology that offers many benefits is the smart card—essentially, a small
computer chip embedded into a plastic card with the same dimensions as the magnetic
stripe card. The only difference the cardholder sees is a small metal area on the face of
the card that contains a set of electrical contacts through which the chip can be accessed.

From the anticrime perspective, there are a number of benefits in adopting the smart card.
The card itself (or in conjunction with the terminal) can make decisions about whether or
not a transaction can take place. Secret values can be stored on the card that are not
accessible to the outside world—allowing, for example, the card to check the
cardholder’s PIN without having to go online to the card issuer’s host system. Also, there
is the possibility of modifying the way the card works, while it is inserted in a point-of-
sale terminal—even to the point of blocking the card from further transactions if it has
been reported lost or stolen.

As well as these antifraud measures, the smart card is seen as offering a number of other
benefits to the card issuer and cardholder. These additional benefits are an integral part of
building the business case for introducing smart card technology. Some of the other
benefits of introducing smart cards are:

• The ability to have more than one payment application resident on the card. For
example, a card could contain an “electronic purse” to provide the equivalent of
cash, usually for lower-value transactions, such as parking, tickets, newspapers,
and so forth.
• The ability to have other applications, such as loyalty schemes, and access to
information facilities (libraries) coresident on the card.
• The possibility of reducing online validation costs by allowing the card to operate
offline more of the time.

There are many issues to be resolved before such all-embracing cards become
commonplace, the most obvious ones being who owns the card and who controls which
applications can be loaded or deleted. Today, the banks are interested mainly in providing
payment-related services to their customers, and most of the current activity surrounds
the provision of smart card-based credit/debit services—sometimes with an additional
electronic purse facility.
Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.

The Solution

In the early 1990s, the major card associations (Europay, MasterCard, and Visa)
recognized that for smart cards to become acceptable, it was necessary to standardize the
way they work, at least for banking applications. Considerable work was undertaken to
reach agreement on a standard culminating in the so-called Europay MasterCard Visa
(EMV) specifications.

EMV Specifications

EMV specifications define the physical characteristics (size, shape, thickness, position of
contacts), the electrical characteristics (signals to be fed to each contact), command set
(how to access data and functions on the card), overall card security methodologies (static
data authentication, dynamic data authentication), and the data to be stored on cards for
payment systems. The EMV specifications do not fully describe particular payment
applications—that being left to individual card associations to define. They do describe
the basic framework under which all payment applications will work. It is important to
appreciate that although the EMV specifications describe how cards, terminals, and host
systems interact, they do not describe how cards will be personalized, because different
card manufacturers use different methodologies.

Visa Specifications

Visa has produced a specification that deals with the details of how a credit/debit
application will operate in a Visa world. This is known as the Visa Integrated circuit card
(ICC) Specification (VIS).

Smart Debit/Credit

VIS refers to an application called Chip Card Payment Service (CCPS). This name is
gradually being replaced by the term Visa Smart Debit/Credit. The Visa Smart
Debit/Credit has recently been introduced to a significant number of countries in the last

Visa Cash

The Visa electronic purse product is called Visa Cash. It is available in two basic forms:
disposable and reloadable. There are two types of reloadable Visa Cash cards: the DES-
based version and the public key version. The public key variant offers improvements in
security because the public key algorithm is implemented on the card itself. Visa Cash is
in use in many different countries around the world.

MasterCard Specifications

MasterCard has released a set of specifications describing their product, which they call
Debit and Credit on Chip. These are functionally equivalent to the Visa VIS specification,
although there are small variations.

MasterCard has recently implemented Debit and Credit on Chip on the Multos open
platform card. The MasterCard electronic cash product is the Mondex purse. This can
coreside on the same Multos card as Debit and Credit on Chip.

Other Specifications

In the UK, the Association for Payment Clearing Services (APACS) has developed a
specification detailing the chip credit and debit features that will be implemented in the
UK. This is known as the UK ICC Specification (UKIS), and is effectively a subset of the
Visa VIS specification. UKIS does not implement the PIN on the card feature because
PINs at point of sale are not used in the UK. It is understood that Europay has recently
developed a credit/debit smart card scheme (see sidebar, “Point-of-Sale Solutions Are
Getting Smarter”).

Point-of-Sale Solutions Are Getting Smarter

With the help of loyalty-based smart-card programs, retailers and banks are hoping to
increase spending and boost customer retention. For solution providers, the promise of
smart-card technology may lead to increased revenue despite flagging POS terminal

Up until now, smart cards haven’t made much headway in the United States. The U.S.
telecommunications infrastructure is widespread and operates at affordable rates. That’s
allowed magnetic stripe cards to function very well at the point of sale. But today, there
are two main drivers behind smart-card technology: adding value at the POS and fraud on
the Internet.

One way to add value at the POS is with loyalty programs that keep customers coming
back for more. Many retailers across the United States already have loyalty programs in
place, allowing customers to accrue “points” through purchases and redeem them later
on. But, smart-card-based loyalty programs offer benefits that stripe or bar-code systems
can’t. Magnetic stripe cards can be duped easily. Smart cards deliver a more secure
solution. And, with smart cards, there’s no need to upload transaction information to a
server. A chip on the card allows for real-time transactions and real-time receipts. In
addition, smart cards can store the loyalty programs of up to 30 merchants, so customers
don’t need to carry multiple cards.

The main reason why smart cards aren’t as popular as they could be is that card issuers
aren’t pushing them. If you put smart cards in the market, the infrastructure will follow.

What you’re doing with smart cards is distributing the database down to the chip. You’re
running loyalty and gift card programs right out of the terminal, without a backend
processing and tracking system.

How to Help Banks Move to Smart Cards

In order to migrate to smart-card-based payment systems, banks will have to make a
number of changes to their existing systems. Among these are:

• Enhancements to the card issuing process
• Enhancements to the card personalization process
• Enhancements to the systems that handle card transactions[1]

Enhancements to the Card Issuing Process

Existing systems were developed, often many years ago, to handle the types of data
needed for magnetic stripe cards. Smart cards require considerably more data to be
generated, including cryptographic keys for the cards themselves. In most instances,
changing existing systems represents a major investment of resources.

Enhancements to the Card Personalization Process

Banks generally personalize their cards in one of two ways: either using an in-house
facility or using an external personalization bureau. The choice is usually based on the
size of the cardholder base, because setting up an in-house facility is an expensive

Enhancements to the Systems that Handle Card Transactions

Systems are in place today for handling a number of magnetic-stripe-based transactions,
such as ATM cash dispensing, online card and PIN verification, and offline bulk
transaction processing. With smart cards, these systems need to be extended to
handle the transaction verification mechanism used in smart debit and credit cards or, in
the case of electronic purse schemes such as Visa Cash, to handle the secure loading of e-
cash onto the card.

The Personalization Preparation Process (P3)

Today’s magnetic stripe cards are generally produced as depicted in Figure 21.1[1]. The
issuer host system embodies the database of all cardholder details and provides facilities
to generate data to produce a new card.

The Existing Magnetic Stripe Process

Often, cards are produced in batches and it is the responsibility of the host system to
assemble all data for a given batch of cards. A batch might be generated as a result of the
normal replacement cycle (two or three years) or possibly to replace those cards that have
been reported lost or stolen during the day. The host system produces the data in a series
of records, one record per cardholder. The data is known as a Personalization Data File.

Each record of the Personalization Data File comprises a number of modules. These
normally include:

• Data to be embossed onto the card.
• Data to be encoded onto the magnetic stripe of the card.
• Data to be printed on a “paper carrier.” This carrier is used to hold the card, while
in its delivery envelope, and is printed, for example, with the cardholder’s name
and address.
• Data for an ID photograph[1].

Most of the information for these modules is held in the cardholder database. Some items
in the magnetic stripe module need to be generated using a security module. These
include a PIN Verification Value (PVV), or equivalent, and a Card Verification Value
(CVV). Both these items are derived using a cryptographic process that involves the use
of secret keys.

It is worth noting that although the data in the Personalization Data File is normally
handled carefully, there is nothing inherently secret about it and, for that reason, it is not
normally encrypted. It only becomes a useful commodity when it is combined with a real
plastic card, which happens in the personalization bureau. Such facilities are highly
secure establishments with tight access control procedures and many internal mechanisms
to guard against finished cards being lost or stolen. Normally, cards in their paper carriers
are inserted directly into envelopes and passed straight to the postal system. The PIN
mailer for a card is normally produced in a separate establishment from the cards
themselves, often as a separate output from the issuer host system. This separation of PIN
mailer and finished card is normally an essential part of the card issuance process. Often,
PIN mailers are not posted until the cardholder acknowledges receipt of the card.

With the arrival of the smart card, the issuer needs to produce an extra “module” of data,
which is intended to be programmed into the chip itself. Of course, there will be many
items of information in this chip data, which are common to the magnetic stripe and the
embossing data. Examples of this are a Primary Account Number (PAN) and the
cardholder name. However, there are some new items that are specific to smart cards.
Some examples of these are:

Upper consecutive offline limit: This is a value held by the card that determines its
spending limit. After this limit has been exceeded, the card forces the transaction to be
completed online. This is part of the inherent risk management features of a chip card.

Signature of static card data: This is a value calculated using a public key
cryptographic algorithm at the time the card data is generated. It can be validated by each
terminal accepting the card and is used to give some confidence that the card is genuine.

Issuer certificate: This data is set up by the issuer in conjunction with the card
association to which the issuer belongs (Visa or MasterCard). It is placed onto every card
issued and contains the public key of the issuer. It is used by the terminal as part of the
process to validate the signature in the second item in this list.

Unique Derived Keys (UDKs): These are DES keys, unique to each card, which are
placed on the chip and used as part of the transaction validation process. Basically, the
transaction details are passed to the card, which uses the UDK to generate a cryptogram
(similar to a MAC) that is passed back to the issuer for validation. Using this technique,
the issuer can be sure that the transaction was handled by a valid card[1].

The various credit and debit specifications define in excess of 40 such data items, which
need to be generated and placed on smart cards. It is the issuer’s responsibility to
generate these items, something that existing card systems were never designed to handle.

Note The advent of chip cards has meant that for the first time, some of the data passing
from issuer to personalizer is now secret and must only be sent in encrypted form.
The UDKs previously described are an example of such secret data.

The Personalization Preparation Process (P3) System

There is a need for a product that is able to generate the new data required by the various
smart card schemes. This means that a card issuer can migrate to smart cards without
having to make changes to an existing cardholder database host system. As noted before,
this can be a costly and time-consuming exercise and often proves to be a major barrier
for a bank in moving to smart cards.

P3 is a compact name for personalization preparation process, which goes some way to
describing what the system achieves. Its main objectives are:

• To take an existing Personalization Data File in an industry-accepted format and
add to it the extra data required for the smart card scheme concerned. Currently,
P3 supports the Visa Cash scheme (Public Key or DES-based variants), the Visa
“Easy Entry” scheme, the Visa Smart Debit/Credit scheme, and the UKIS scheme.
P3 will be enhanced to support other schemes in the future.
• To achieve this, it securely stores all the cryptographic keys and certificates
required by the preceding schemes.
• To generate issuer public and private key sets (RSA public key algorithm), and to
get the public key into a form in which it can be sent to the scheme’s CA so that it
can produce the issuer certificate. The certificate so produced can be imported
back into the P3 system and stored for use in the personalization preparation
• To produce the output data in a format that can be used by most card
personalization bureaus around the world. Sensitive card data, such as keys, is
encrypted in the output stream.
• To store details about regularly performed jobs, so that record processing can be
performed with the minimum of user intervention.
• To provide a security environment with controlled access that aligns with the
operating procedures found in many personalization bureaus. Using the security
features of Windows NT, a P3 user can set up system managers, administrators,
and operators to perform the required tasks for normal operation[1].

The P3 system fits into an existing card issuing process, as shown in Figure 21.2[1]. There
are two possible configurations of P3. It could belong to and be co-sited with the issuer
host system. Alternatively, P3 could be operated by a Personalization Bureau that may
act on behalf of several issuers.

Scheme Certification Authorities (CA): Part of the security of the various smart card
schemes includes the need for an issuer to generate an RSA public/private key pair. The
private key is retained securely in a Host Security Module and used to “sign” card data to
produce a signature that is placed on the card. The public key is transmitted to the scheme
provider (Visa, Europay, or MasterCard), where it is certified using the “scheme private
key” to produce the issuer certificate. This is transmitted back to the issuer, where it is
stored so that it can be placed on every card. The certification process is slightly different
for each of the scheme providers, but the principle is the same.

Issuer host system: P3 receives personalization data from the existing issuer host
system, as described in other parts of this document.

Personalization system: P3 adds the appropriate smart card data to the cardholder record
before passing the combined data to the personalization system[1].

After cards have been issued, they may be used to obtain goods or services. If the card is
a credit or debit card, it is generally used at a point of sale or at an ATM. As part of the
transaction, the card generates an Authorization Request Cryptogram (ARQC) using
unique keys held on the card. This is passed back as part of the transaction message to be
validated by the bank’s host validation system. The host system is able to validate the
ARQC and produce an Authorization Response Cryptogram (ARPC), which is sent back
to the card. The card can validate this ARPC. This mutual authentication process gives a
very high assurance that the card is genuine, and that the bank with which it is in
communication is the one that originally issued the card.
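The ARQC/ARPC exchange described above, together with the per-card Unique Derived Keys introduced earlier, as an added Python model that is not the book’s code and not any scheme’s actual algorithm. HMAC-SHA256 stands in for the DES-based MAC, the key derivation, the approve/decline rule, the replay check on the card’s transaction counter and the sample account number are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def derive_udk(issuer_master_key: bytes, pan: str, seq_no: str) -> bytes:
    """Unique Derived Key for one card, derived from the issuer master key and the
    card's identity (PAN plus sequence number). HMAC-SHA256 stands in for the
    DES-based derivation; the issuer re-derives it per transaction rather than
    storing one key per card."""
    return hmac.new(issuer_master_key, f"UDK|{pan}|{seq_no}".encode(), hashlib.sha256).digest()


def cryptogram(udk: bytes, label: bytes, fields: list) -> bytes:
    """MAC over the given fields under the card's UDK, truncated to 8 bytes."""
    msg = label + b"|" + b"|".join(str(f).encode() for f in fields)
    return hmac.new(udk, msg, hashlib.sha256).digest()[:8]


def make_arqc(udk: bytes, atc: int, tx: dict) -> bytes:
    """Authorization Request Cryptogram over the transaction details plus the card's
    transaction counter (ATC), so every cryptogram is unique."""
    return cryptogram(udk, b"ARQC", [atc, tx["amount"], tx["currency"], tx["date"], tx["unpredictable"]])


def make_arpc(udk: bytes, arqc: bytes, decision: str) -> bytes:
    """Authorization Response Cryptogram: binds the issuer's decision to the ARQC it answers."""
    return cryptogram(udk, b"ARPC", [arqc.hex(), decision])


class Card:
    """The chip side: holds its UDK and a counter that only ever increases."""

    def __init__(self, pan: str, seq_no: str, udk: bytes):
        self.pan, self.seq_no, self.udk, self.atc = pan, seq_no, udk, 0

    def request(self, tx: dict) -> dict:
        self.atc += 1
        return {"pan": self.pan, "seq_no": self.seq_no, "atc": self.atc,
                "tx": tx, "arqc": make_arqc(self.udk, self.atc, tx)}

    def verify_response(self, req: dict, decision: str, arpc: bytes) -> bool:
        """The card checks the ARPC before accepting the answer as the issuer's."""
        return hmac.compare_digest(make_arpc(self.udk, req["arqc"], decision), arpc)


class IssuerHost:
    """The issuer's host validation system (in practice its HSM holds the master key)."""

    def __init__(self, master_key: bytes, credit_limit: int):
        self.master_key = master_key
        self.credit_limit = credit_limit
        self.last_atc = {}  # highest ATC seen per card, to reject replayed requests

    def authorize(self, req: dict):
        """Return (decision, arpc). arpc is None when the ARQC does not verify, i.e.
        the card does not hold the key this issuer derived for that account."""
        udk = derive_udk(self.master_key, req["pan"], req["seq_no"])
        expected = make_arqc(udk, req["atc"], req["tx"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE", None  # cryptogram failed: not a card this issuer personalized
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE", None  # counter did not advance: replayed request
        self.last_atc[req["pan"]] = req["atc"]
        decision = "APPROVE" if req["tx"]["amount"] <= self.credit_limit else "DECLINE"
        return decision, make_arpc(udk, req["arqc"], decision)


def issue_card(issuer: IssuerHost, pan: str, seq_no: str) -> Card:
    """Personalization step: the UDK is derived once and placed on the chip."""
    return Card(pan, seq_no, derive_udk(issuer.master_key, pan, seq_no))


def run_transaction(card: Card, issuer: IssuerHost, tx: dict):
    """Full exchange; returns (issuer decision, whether the card accepted the ARPC)."""
    req = card.request(tx)
    decision, arpc = issuer.authorize(req)
    accepted = arpc is not None and card.verify_response(req, decision, arpc)
    return decision, accepted


if __name__ == "__main__":
    issuer = IssuerHost(os.urandom(32), credit_limit=50000)
    card = issue_card(issuer, "4000000000000002", "01")  # constructed sample PAN
    tx = {"amount": 1999, "currency": "USD", "date": "040315", "unpredictable": "7a3f1c22"}
    print(run_transaction(card, issuer, tx))  # ('APPROVE', True)
```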

If the card is an electronic purse card, normal purchases are carried out as offline
transactions. However, there is a need to go online when the card is to be reloaded with
funds. In the case of Visa Cash, a card generates a Load Request, which involves a
cryptographic signature known as S1. This is validated by the host system, which then
generates the Load Authorization signature (S2). The card validates this and finally
produces a Load Completion Signature (S3), which is sent back to the host system to
confirm that funds have been loaded.

Both of the preceding online transaction processes involve cryptographic keys. These
keys have to be shared between the online host system and P3. Facilities are provided in
P3 to allow this.

At the time of writing, the P3 system is able to support the following applications. Work
is in progress on other applications, which will be announced in the 5th edition of this

• Visa Cash (DES-based)
• Visa Cash (Public Key)
• Visa Easy Entry
• Visa Smart Credit Debit
• APACS UKIS application[1]

Smart Card Credit, Debit, Visa Cash Load, and Unload Processing HSM Functions

Finally, as outlined previously, an online host system handling credit and debit
transactions from smart cards needs to be able to process the ARQC/ARPC values. To be
able to handle the Visa Cash Load (and Unload) functions, the online host system must be
able to handle the S1, S2, and S3 signatures as previously described.
“Smart Cards for Payment Systems,” © 2003 THALES e-SECURITY INC. All rights
reserved. THALES e-SECURITY INC., 2200 N. Commerce Parkway, Suite 200, Weston,
FL 33326, U.S.A.


The payment card has been in existence for many years. It started in the form of a card
embossed with details of the cardholder (account number, name, expiration date), which
could be used at a point of sale to purchase goods or services. The magnetic stripe was
soon introduced as a means of holding more data than was possible by embossing alone.
In the end, the smart card appeared.

Finally, from the anticrime perspective, there are a number of benefits to adopting the
smart card. The card itself (or in conjunction with the terminal) can make decisions about
whether or not a transaction can take place. Secret values can be stored on the card,
which are not accessible to the outside world—allowing, for example, the card to check
the cardholder’s PIN without having to go online to the card issuer’s host system. Also,
there is the possibility of modifying the way the card works, while it is inserted in a point
of sale terminal—even to the point of blocking the card from further transactions if it has
been reported lost or stolen.
Chapter 22: Electronic Payment Systems
“We have a criminal jury system which is superior to any in the world; and its efficiency
is only marred by the difficulty of finding twelve men every day who don’t know
anything and can’t read.”

—Mark Twain (1835–1910)


As more B2B trading partners conduct business and provide customer service over the
Web, it makes sense to handle invoicing, billing, and payment processing in the same
fashion. B2B trading partners have specific motivations for online billing: billers want to
receive payments faster and with less manual processing, whereas payers want to
streamline the cumbersome payment-approval process. Thus, the payment stage of any
electronic bill presentment and payment (EBPP) implementation must be able to integrate
tightly with accounts receivable (A/R) and accounts payable (A/P) systems, support
backend payment-processing workflows and procedures, and provide detailed reporting

When it comes to online billing, getting your bills to the Web is just one part of the
challenge—accepting payments electronically finishes the equation. Without payment,
your online billing presence is only a one-way street.

In other words, in the business-to-consumer (B2C) sector, EBPP is a top priority,
especially in the utility, telecommunication, credit-card, and financial-service markets.
The trend has been slower to catch on in the business-to-business (B2B) sector, where
many large companies have well-established systems and processes for handling
payments from their B2B trading partners.

To handle payments for billing interactions, market giant CheckFree Corp.
(http://www.checkfree.com) is the undisputed leader. But, other biller-centric vendors,
including Metavante (http://www.metavante.com) and Princeton eCom
(http://www.princetonecom.com), also have strong offerings and are becoming market
forces. Billers seeking full-service EBPP solutions, which include presentment and
payment services, should consider this class of vendors.

For basic transaction processing and related services, CyberCash
(http://www.cybercash.com/), CyberSource Corp. (http://www.cybersource.com),
VeriSign, and others of this ilk make sense. But, such services are more broad-based
commerce payment solutions that are not necessarily focused on bill payment. For
companies that want to implement secure payment for their commerce sites and integrate
these same services into their EBPP applications, these services make sense.

Finally, a number of electronic-check vendors, including PayByCheck.com
(http://www.paybycheck.com) and X.com Corp. (http://secure.paypal.x.com), have
extended their services beyond person-to-person payment with offerings for businesses.
In the near term, these solutions are most well-suited for small-to-midsize companies that
merely want to give their payers a simple way to pay via electronic checks. It remains to
be seen whether major billers will rely on such services for high volumes of payments.

State of the EBPP Market

Although the online billing market has received plenty of attention, it hasn’t taken off as
fast as many analysts had predicted. In the B2C market, it’s a classic chicken-and-egg
situation: billers are reluctant to get into online billing until a critical mass of consumers
shows a willingness to pay online, and consumers are reluctant to pay online until more
of their bills are available that way.

Of course, there are other hurdles impeding widespread adoption, such as finding an
acceptable cost to consumers. In addition, privacy and security concerns continue to
make customers hesitant.

But, momentum for online billing is finally starting to build. Forrester Research predicts
that 70 percent of all U.S. households will be paying bills online by 2008. For billers,
EBPP is not just a cost-cutting or timesaving application, but a way to get closer to their
customers. In addition, many large businesses are now looking at EBPP for B2B
transactions with their supply-chain partners (see sidebar, “Bill and Invoice Presentment
and Settlement (BIPS) Access and Distribution Models”).

Whether in B2C or B2B, most biller-customers now consider EBPP a strategic
application that is a key part of their larger e-commerce and customer-relationship
management strategies. It’s a value-added service for customers that access the biller’s
Web site for purchases, customer service, support, and so on. At the same time, savvy
billers in the B2C space realize they have to provide options by syndicating their content
to multiple payment sites or consolidators. Many consumers would rather have all their
bills in one place, so billers need to offer this alternative.

Bill and Invoice Presentment and Settlement (BIPS) Access and Distribution Models

There are two basic models for BIPS: the biller-direct model (whether hosted internally
or outsourced) and the consolidator model. In the biller-direct approach, the customer
goes directly to the biller’s site to access and pay bills. In the consolidator model, a third
party aggregates billing data from many billers, providing customers with one site to visit
to pay multiple bills. Both the biller-direct approach and the consolidator approach have
advantages and disadvantages, but both models will continue to coexist.

Biller-Direct Model
In the biller-direct model, the biller makes the billing data available to customers over the
Web or through e-mail. Customers can go directly to the biller’s site to access and pay
their bills, with no other parties involved. The biller-direct model provides a one-to-one
direct link between the biller and the customer.

Billers may host their own biller-direct sites, or enlist the services of a biller service
provider (BSP). BSPs can include application service providers (ASPs) or service
bureaus (such as Bell & Howell, EDS, Pitney Bowes, or DST Output), or any other entity
that can handle any or all aspects of BIPS. Billers can also use such BSPs to syndicate
billing data to consolidators or to consumer service providers (CSPs) such as Web
portals, thus handling the technical intricacies for the biller, while extending the biller’s
reach to multiple customer distribution points.

Distribution or Syndication Model

As an alternative to having customers visit a dedicated biller-direct site (whether hosted
by a biller or outside service provider), billers can choose to work with third-party
intermediaries that provide alternative end-points from which customers can access, view,
and pay their bills. The most established distribution model available today is the
consolidator model, in which a third party acts as the aggregator for multiple billers. The
consolidator provides a single site that allows customers to access multiple bills from
their different billers. The leading consolidator in the market today is CheckFree; newer
players gaining traction include BillingZone.

Under a consolidator model, customers log on to the consolidator’s site and can view and
pay all of their bills in one place. The consolidator provides an important convenience to
customers, and provides a vehicle to attract more users to pay their bills online. Greater
customer exposure leads to increased customer adoption, which can reduce the total cost
of billing. For this service, consolidators typically collect a transaction fee or “click
charge” from billers for every transaction conducted.

One limitation of the consolidator model has been the inability of consolidators to attract
enough billers to give customers a single site from which they can access all of their bills.
Thus, many billers are turning to other distribution points in an effort to give their
customers the flexibility to access their bills through the distribution point of their choice.

Thus, many billers are now turning to consumer service providers (CSPs) in their
strategies to syndicate their billing data to multiple end points and increase customer
adoption. Portals such as AOL and Yahoo! act as consumers’ gateway to the Web, attract
large volumes of user traffic, and are ideally positioned to connect users and their bills.
Banks and financial institutions can also act as CSPs for their customers.

Another emerging approach for bill distribution is to work with intermediaries that serve
as distribution pipes or “switches” for online billing. For example, services from
organizations such as MasterCard RPPS and the Spectrum alliance (a joint venture of
Wells Fargo, First Union, and JP Morgan Chase), provide billers with a trusted
intermediary that handles the intricacies of bill distribution to various customer end
points, and also handles the return payment processing.

Such services act as “behind the scenes” intermediaries that provide billers with a way to
greatly extend their reach without having to manage processes or relationships with
multiple distribution points[1].

Dozens of companies are providing software and services for online billing. In addition,
there has been considerable activity in mergers and acquisitions. The most notable moves
have been made by payment-processing market leader CheckFree, which acquired chief
rival TransPoint, purchased software vendor BlueGill Technologies, and formed a
strategic alliance with Bank of America in which the bank acquired 16 percent of
CheckFree’s stock.

“Bill and Invoice Presentment and Settlement: The Doculabs Report,” © 2003
Doculabs. All rights reserved. Doculabs Headquarters, 120 S. LaSalle St, Suite 2300,
Chicago, IL 60603.

Payment Considerations

No matter what method of EBPP you implement, realize that payment processing can be
highly complex. For your customers, you will need to support multiple electronic
payment system options, which might include credit cards, electronic checks, automatic
balance transfers, and debit cards. Electronic fund transfers are the most prevalent
transactions in the B2B world, but some business customers prefer to pay by other means.
In addition, whatever payment methods you accept, you’ll need to integrate those
services with your own A/R system.

Payment processing is made even more complicated by the number of parties that can be
involved. For example, accepting credit-card payments means interacting with the credit-
card companies or a third party like CyberCash. Accepting an electronic fund transfer
means the processing will pass from the customer’s financial institution to the automated
clearing house (ACH) network for settlement. And, if you syndicate your bill presentment
to multiple sites, you must work with multiple consolidators, portals, and consumer
service providers (CSPs) to get paid. If you’re a biller, this means the payment service
you choose must be able to integrate with the many channels that may be involved in
processing your payments.

Although accepting electronic payments usually means you get money faster, you should
realize that most electronic-payment system mechanisms are neither real time nor online.
The ACH network and credit-card infrastructures are batch-processing-intensive. No
matter which service provider you choose, some level of integration or customization will
be required for you to be able to accept batch-payment data transfers from external

Another key concern is security. Be sure to choose a vendor with a sound approach for
encrypting its data transfers. Related to this is the data-center infrastructure the payment
provider offers. The payment vendor should have clearly documented backup and
recovery procedures, and should ensure high levels of availability, reliability, and
performance through its service-level agreements (SLAs). The payment vendor should
provide you with reporting or audit-trail data for your internal analysis, ideally accessible
through a Web-based administration interface.

Finally, standards compliance is becoming more important. For example, XML will play
a critical role as a standard format for billing data, making it easier for trading partners to
ingest such data into their own backend systems.

In addition, emerging standards for financial transactions, such as Open Financial
Exchange (OFX) and Interactive Financial Exchange (IFX), will also play a role. OFX,
created by CheckFree, Intuit, and Microsoft, defines a means for financial-services
companies to exchange financial data over the Internet. IFX is a similar initiative
designed specifically for online bill presentment and payment.

All these standards will play a role in providing an alternative to EDI, an expensive
approach to electronic commerce that to date has been implemented only by very large
companies with many trading partners and a strict B2B focus. Of the three, XML has the
most momentum, thanks to the general push for more standard methods of B2B
integration. OFX and IFX are in the medium adopter stage.

Using Payment Service Providers

Choosing the right payment service provider can relieve a lot of the headaches of
handling payments and interacting with so many different parties. In addition, some
payment processors offer a bevy of value-added services that make their packages
compelling to billers. For example, some payment processors also offer services as
diverse as presentment, customer enrollment, validation, reporting, and even financing
and cash-management services.

Of course, these capabilities come at a cost. Different payment processors offer different
pricing models. Some processors charge a percentage of the dollar value of the
transaction. Others charge a flat fee for every transaction, regardless of the dollar volume.
Still others charge based on volume or the number of bills converted or presented.

In most cases, the biller swallows the costs of online billing, just as in traditional billing
operations. Although customers of the consumer-focused consolidator sites have shown a
willingness to pay for online billing, they are not likely to pay more than it would cost to
mail in their payments. In the B2B world, some customers may be willing to bear some
of the costs of e-billing by paying for things like financial services, but the model is still

So, when it comes to picking a payment service, what are your options? As previously
mentioned, there exist three major classes of payment services that organizations can use
as part of their EBPP deployments: biller focused, commerce focused, and payer focused.

In the biller-focused area, CheckFree is the leader. The company processes 49 million
electronic payments per month, has an infrastructure that can handle massive volumes,
and has been active in forming partnerships and making strategic acquisitions. CheckFree
offers sound capabilities and services beyond payment, including consolidation and

But, competitors are poised to chip away at CheckFree’s lead. Princeton eCom is a strong
player in this market, with one key advantage over CheckFree: it offers an electronic-
lockbox service as part of its offering. This approach makes especially good sense for
small and midsize companies (Princeton eCom’s target market) that want to get their
lockbox and online payment services in an integrated package. Metavante enters the
market with a wealth of experience in the statement-generation-software and payment-
processing markets. Its foray into online billing could make the company a formidable
player, as it has a strong customer base with financial institutions, particularly in the

In the commerce-focused area, the major players include CyberCash, CyberSource, and
VeriSign. All three provide good payment services, with support for a wide variety of
different payment types. CyberSource has the edge in terms of its breadth of payment
services, with offerings for fraud screening[2], tax calculation, distribution control, and
fulfillment management. VeriSign has the advantage in terms of secure transfer services.
In addition to payment, the company offers services for secure messaging, PKI,
certificate processing, and other site trust services that payment-only vendors lack.

In the payer-focused area, most people immediately think of sites like PayPlace.com and
ProPay.com. Although such sites provide a nifty solution for applications such as online
auction payments or letting a group of people settle a vacation tab, they are not
appropriate for more sophisticated online billing, especially in the B2B arena.

But, two vendors that come from this space, X.com and PayByCheck.com, are now
adapting their solutions for billers. Both services make it simple for billers to set up
accounts and simply include a link to the service providers’ site, where customers make
their payments online. X.com has released a new premium package of its PayPal service
in which the payment funds are swept from the biller’s PayPal account automatically
through the ACH and into the biller’s external bank account on a scheduled basis.
PayByCheck.com is pursuing a similar strategy, but the company lags PayPal in terms of
market momentum and customer base.

Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.

Future Direction

There are dozens of payment service providers in the market, but expect to see more
consolidation in 2004. In addition, expect the payment processors to encroach on each
other’s market spaces, as multiple vendors try to extend their services to appeal to
retailers, consumers, banks, and B2B trading partners alike.

Finally, payment services eventually will become a commodity, with only a few vendors
handling this discrete portion of the EBPP cycle. The vendors that survive will be those
that offer simple, reliable services at a good price or offer payment as part of a larger
package of value-added services for EBPP. However, if you are thinking about EBPP,
there’s no need to wait for a shakeout in the payment services arena; switching will be
progressively simpler as the baseline services grow more commoditized and as standards
become more firmly established.


In the EBPP market, payment processing is one of the most complex parts of the sale. For
most IT shops, the solution is to use a third-party payment service provider to handle the
dirty work.

A number of different types of electronic payment service providers are in business,
including biller-focused, commerce-focused, and payer-focused providers. The biller-
focused providers should continue to dominate the market for e-billing, with the
commerce-focused providers playing a more limited role. Many of the payer-focused
providers are beginning to add merchant- and biller-focused offerings to their arsenals,
but it remains to be seen if a significant percentage of the market will use such services
for mission-critical B2B payments.

Finally, with so many players in the market, consolidation is likely. Considerable
consolidation already exists in the biller-focused market (led by CheckFree), and it is
expected to continue in the other markets as well. Ultimately, electronic payment system
services will become a commodity offering. The vendors that remain will be
differentiated by the value-added services they offer. In addition, as standards emerge and
gain acceptance, increased commoditization should reduce switching costs.

Chapter 23: Digital Currencies
“There are three great friends: an old wife, an old dog, and ready money.”

—Benjamin Franklin (1706–1790)

New technology has made it possible to pay for goods and services over the Internet.
Whereas some of the methods link existing electronic banking and payment systems such
as credit and debit card networks with new retail interfaces via the Internet, new means of
payment known as digital currencies have also been developed to facilitate global
electronic commerce.

Introducing Digital Currencies

Electronic money (also known as digital currency) based on stored-value, smart card, or
other technologies has been developed to enable consumers and businesses to engage
in global electronic commerce (see sidebar, “Digital Currency”). These cater to the
increasing population of online consumers who don’t have a credit card or who are
reluctant to provide their credit card number online. These newly developed payment
systems share some common characteristics or aims, namely:

Integrity: Keeping risk in the system at a minimum, as well as maintaining reliability
and broad public confidence in the system’s workings

Accessibility: Making the payments’ system conveniently available through one or more
providers, regardless of the income or the socioeconomic status of the user

Efficiency: Ensuring transaction speed, encouraging innovation, and demanding cost-


It is also necessary to make provisions for:

• Anonymity and traceability of payments
• Fungibility (ability to make change of funds into new denominations on demand)
and convertibility of currencies
• Security and infrastructure issues[2]

Digital Currency

Digital Gold or Digital Currency is quickly becoming popular among online users. It is
very easy to open an account, fund it, and transfer money all over the world using some
of the well-known gold systems, such as e-gold, osgold, e-bullion, evocash, and so on.
This is a new wave of the future in moving money worldwide, whether it is to send your
family money or to pay for merchandise online, from those merchants who accept this
form of exchange. All of this is done instantly without delay and without heavy transfer

The basic premise of digital currency is to offer worldwide flexibility and mobility. This is how it
works with e-gold as an example:

1. You fill out a simple form to open a free e-gold account.
2. Then, you need to fund the account by utilizing a gold exchange service.
3. Depending on the exchanger, the fees will vary, but are usually very reasonable
and their service is speedy.
4. You can wire money to the exchanger, send them a check, or some even take
credit cards to fund your account.
5. After your account is funded, you are ready to send your gold to anyone in the
world who has an e-gold account for a maximum transfer fee of 50 cents. No
matter how big or small the transfer is to another e-gold user, the fee will never
exceed 50 cents with e-gold!

With other digital currencies, the fee can be as low as 25 cents with osgold or as high as
$1 dollar through evocash. Can you see how much money you can save in transfer fees
alone? Especially when you consider that a typical bank wire costs around $14.00, it
would end up costing you a bundle if you had to wire money to many people often!

Now, let’s say the person you just moved the funds to through e-gold wants to take it out
to use in the real world. Easy! By utilizing a similar gold exchange service, your recipient
can exchange his e-gold to cash for a small fee. Or, even better, they can get a debit card
and transfer their gold to their card and use it at any ATM to withdraw their money for a
small ATM fee! Now, think of how convenient this will be globally! Places like e-bullion
offer a debit card at just $34.95. You can get an exchange service to transfer your e-gold
to your e-bullion account and then you can withdraw that money with an e-bullion debit
card! Welcome to technology!

Some say that gold is more stable and holds its own value, whereas paper money has no
real value. Think of these digital currencies as a worldwide bank account that is open 24
hours a day, 7 days a week, and can be accessed online with a few clicks of your mouse!
How incredibly mobile and accessible is that? With places like evocash, you can earn 9%
interest for keeping your money with them! Remember to treat your digital currency like
you would your regular bank account and never give out your passwords. It’s a smart idea
to change your password often by using a combination of letters and numbers that others
will not be able to guess. In addition, be sure to keep sensitive information about your
accounts in a safe place outside of your computer’s hard drive.

Top Three Most Popular Digital Currencies

• E-gold is backed by gold itself, circulated electronically—a worldwide, free
market currency. You can sign up for a new e-gold account at http://www.e-
• Evocash is the Internet system that is transforming financial business worldwide.
They have recently redesigned their Web site
(http://www.evocash.com/index.cfm?w=1024) to be more user-friendly.
• E-Bullion’s Web premier online payments system offers customers a global e-
commerce system (http://www.e-bullion.com/)[1].

“Electronic Commerce,” Copyright 2002 National Computer Board. All rights reserved.
National Computer Board, 7th Floor, Stratton Court, La Poudrière Street, Port-Louis,
Mauritius, 2003.
“Digital Currency,” Copyright © 1998–2002 by mytopsecrets.com. All Rights
Reserved. Mytopsecrets.com, P.O. Box 1715, Glen Burnie, MD 21060-1715, 2003.


Digital currencies enable new types of payments, goods, and services (information and
online entertainment)—such as microproducts and micropayments. They share some
fundamental properties, namely:

• They represent monetary value.
• They are exchangeable as payments for goods and services, currency and coin,
and other tokens.
• They can be stored and retrieved.
• They are tamper-resistant in that they are difficult to copy or forge[2].

Digital currencies are intended to permit their users to move funds electronically
within an environment. They include “tokens” of value expressed in digital form,
in the same sense that a casino chip is a token of value expressed in physical
form. Furthermore, digital currencies are designed to serve as the electronic
version of paper cash, carrying the same attributes as the physical medium—
anonymity and liquidity. There are basically two types of digital currency
systems: purely electronic digital cash, which refers to digital money systems that use
computers to transfer value over networked environments such as the Internet,
and stored-value “smart cards,” which retain value on a microchip embedded in a card
and are used in the “physical” world at the point of sale, or through computers
equipped with a smart card reader.

Characteristics of Purely Electronic Digital Currencies

Digital currencies rely on advanced information technologies and high-speed
communications networks to store, transmit, and receive representations of value.
Furthermore, digital currencies for the most part depend upon technological
developments in cryptography to provide security in an open networked environment—
such as public key infrastructure and encryption mechanisms. They rely on reduced costs
and economies of scale created by technological advances.

Digital currencies require “loading” from funds held within the financial system. This
involves “the exchange of cash or deposits for digital value backed by an issuer.” An
instance of this could take place over the Internet by downloading electronic money onto
a PC hard drive, or by a consumer transferring electronic cash onto a smart card at an
ATM and simultaneously debiting his bank account.

Characteristics of Stored-Value Cards

The principal function of stored-value or smart cards is the portable storage and retrieval
of data. These applications have evolved from existing electronic funds transfer
mechanisms using debit cards, such as prepaid cards and copy machine cards. The
embedded integrated circuit on the card defines the capabilities of the product, and
possible components may include a microprocessor, nonstatic random access memory
(RAM), read only memory (ROM), erasable programmable read only memory
(EPROM), other nonvolatile memory, and special purpose coprocessors.

These characteristics make smart cards a viable medium for a digital currency payment
system. In making a payment through stored-value cards, the following points can be

• There are no backend settlements involved.
• There is no audit trail for transactions.
• If a card is lost, the same result is achieved when actual cash is lost—it’s gone.
• Developers are working on ways to deliver card-to-card funds transfers[2].

Stored-value cards have met with high approval ratings among consumers in Europe, and
are gaining increasing popularity in the United States. Stored-value smart cards are
capable of more than facilitating payments. They can offer added-value information,
including digital certificates for identification purposes, and may authenticate a secure

It is worth noting that computer hardware manufacturers have started to include smart
card readers with their PCs and PC keyboards. The ubiquity of this digital currency
system is on the rise.

So, why use digital currencies? Let’s take a look.

Using Digital Currencies

Digital currencies are cheaper, faster, safer, global, and more private than traditional
credit cards and bank wires. In other words, digital currencies will prove to be as world-
changing as the invention of the printing press and gunpowder. Digital currencies link
together financial institutions and markets across the globe in a way that allows
instantaneous value transfers with a mere fraction of the cost associated with traditional
bank wires and credit cards. The architects of the new digital economy are busily at work
creating new financial products and linking digital currencies to “old-world” financial
networks, allowing you to easily convert your digital currencies to cash anywhere in the
world. Here are some of the reasons that digital currencies are the best way to do business
on or off the Net!

Digital Currencies Are Cheaper!

Transaction costs using credit cards or PayPal (for example) range from 2.2% to 4.2%.
International bank wires cost, on average, $43 to $73 using Western Union. Digital
currencies allow transactions to take place from as low as 0.1% (GoldMoney), to 2% on
the very high end (Standard Transactions). In other words, the cheapest digital currency
on the Net allows online transactions for forty-five times less than credit cards. Even the
most expensive digital currency costs less than a credit card transaction! Digital
currencies lower transaction costs by three orders of magnitude! This means that
transactions that were previously too expensive to make because of the time, money, and
effort involved are now feasible using digital currencies, such as e-gold, gold-grams,
Standard Dollars, Standard Gold, e-Bullion, and Hansa Dollars. For retail merchants who
process a high volume of credit card transactions, the savings can be significant! The
savings in transaction costs can then be passed along to their customers in the form of
lower prices, which helps merchants accepting digital currencies to gain a competitive

Digital Currencies Are Faster!

The average credit card transaction can be reversed for three to six months after the sale
takes place. This leaves merchants in a vulnerable position. Cheapskates reverse the
charges on a regular basis against merchants who deliver the goods. This kind of theft
drives up prices for everyone to cover the cost of lost goods and money due to fraudulent
credit card use[5]. Bank wires in-country take at least three days to clear. International
bank wires can take up to two weeks to clear! Digital currencies solve these problems by
allowing instantaneous and nonreversible transactions! For merchants, this means that all
sales are final. They don’t have to worry about having their account frozen because some
hacker used a stolen credit card at their store. This also means that when you need to send
money to a friend or family member anywhere in the world, you can do it in a few
seconds, and they can withdraw it as cash from an ATM machine the very next morning.
That’s fast!

Digital Currencies Are International!

PayPal, for example, only works in the United States. In order for people outside the
United States to sell their product or service on the Web, they have needed an
international credit card merchant account. The problem is, outside the United States and
Europe, merchant accounts can be difficult to obtain. This creates a barrier to entry that
makes it harder for international entrepreneurs to offer their products and services to the
world. Digital currencies solve this problem by allowing instantaneous transfers of
money anywhere in the world! As the network of exchange agents grows, it is now
possible to quickly and easily convert your digital currency to cash in any country in the
world. A Standard Reserve “Instant World Account” allows account holders to convert
their Standard Gold or Standard Dollars into cash at any ATM machine on the planet!
E-bullion offers an anonymous numbered offshore debit card. This means that no matter
where you are, if you can find an ATM machine, you can convert your Digital Currency
into local currency!

Digital Currencies Are Safer!

Credit card fraud is becoming increasingly prevalent as hackers steal card numbers from
computer networks, crooks root through your garbage and steal your identity, and other
nefarious thieves devise ways to get your account number. Digital currencies offer a
higher level of security than credit cards. Even the lowest level of security for digital
money, an account number and password, is one order of magnitude safer than a credit
card. All a thief needs to steal a credit card is the account number. With digital currencies,
the merchant never sees your password, so it is impossible for a thief to steal it, unless
you give it to him yourself (by letting him access your computer). For example,
GoldMoney supports digital certificates for customer identification. These certificates
cryptographically verify that you are you. This prevents thieves from accessing your
account. E-bullion and E-gold are now offering similar security measures to their clients.
It is also possible to combine digital certificates with an affordable biometric fingerprint
reader to make sure that absolutely no one has access to your account but you. This is the
highest level of security currently available on the Net, but there are other improvements
still to come.

Digital Currencies Allow Person-to-Person Payments!

Digital currencies allow one thing that credit cards never will: person-to-person
payments. As previously mentioned, PayPal is limited to the United States. So, what do
you do when you want to buy a collector’s doll that you found in an online classified ad,
but the owner lives in New Zealand and you live in the United States? Digital currencies
allow you to spend your money to anyone else who has a digital currency account. It only
takes a few moments for your friend to open his own account by using the Internet, and in
most cases it doesn’t cost a penny! Person-to-person payments allow small-scale
merchants to get started without the added expense of maintaining a credit card merchant
account. This means lower costs of entry into the marketplace and lower costs of doing

Digital Currencies Allow You to Protect Your Privacy!

It is a known fact that traditional banks store massive databases that track all of your
account activity in the name of “know your customer,” “fighting the war on drugs,” and,
more recently, “the war on terrorism.” In reality, banks conveniently use those databases
to sell information about their customers’ spending habits to other companies, and
governments use that data to find excuses to confiscate your money and property. So, not
only does your government have access to all of your spending habits, but so does any
individual or organization who is willing to pay for it.
Most digital currencies are housed in “capital-friendly” jurisdictions with strict privacy
protection laws[6]. For someone to get your account information, they have to obtain a
court order in the country where your digital currency is headquartered. This means that
true crimes can be prosecuted, but your privacy will remain intact if you are just an
average law-abiding customer. Think of it as guaranteeing yourself the right to “due
process.” Furthermore, it is impossible to use digital currencies for money-laundering.
You have to spend your national money (such as U.S. dollars) through an exchange agent
in order to purchase digital currency in the first place. Because exchange agents all have
accounts at banks with anti-money-laundering practices in place, this means that all
money used to purchase digital currencies is theoretically “clean.” Clean money in, clean
money out!

So, digital currencies are able to provide privacy to their customers, and still be able to
guarantee that they are not being used for money laundering. Digital currencies are
“orthogonal” to the traditional financial world. As long as all the money coming in and
out goes through banks with anti-money-laundering practices in place, then money
laundering is impossible. Furthermore, all of the digital currencies in business at this time
are firmly committed to discouraging crime and money laundering, while at the same
time protecting the privacy of their account holders. This means you can use digital
currencies to do business with confidence that you are in good company! You can obtain
a Standard Reserve Instant World Card or an e-bullion Debit Card and withdraw your
digital currency from any ATM machine in the world as cash. But, because the cards are
processed in an offshore jurisdiction, you can be assured that your privacy is protected.
Because both of these companies are diligent in preventing money laundering, you can be
assured that you are in good company[8].

So, are there any economic consequences of using digital currencies? In other words, do
digital currencies have any serious consequences for the structure of the economies? Let’s
take a look.

Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
Ebusiness Privacy Plan, McGraw-Hill Professional, 2001.
“Why Use Digital Currencies,” Copyright © The Gold Economy Magazine 2001-2002
[© Copyright 1996-2003 EscapeArtist Inc. All Rights Reserved. EscapeArtist.com Inc.,
843-1243 World Trade Center, Panama, Republic of Panama 843], 2003.

The Economic Consequences of Using Digital Currencies

The later years have seen the explosive growth of the Internet as one of its main features;
furthermore, much has been talked and written about the coming of the online economy
and electronic commerce. One of the most important aspects of this development has
been the growing demand for methods of secure payments over the Net. This demand,
coupled with advances in cryptology, has facilitated the growth of digital cash or digital
currency—cash or currency constituted not of pieces of paper or metal objects, but
streams of digits.
An important quality of digital cash is that it has the potential of being entirely
anonymous, through the use of mathematical “blinding” techniques, both with regards to
usage and holdings. This means that, as with physical cash, there are few, if any, traces
for the government or other institutions to survey.

When using credit cards, digital signatures are left that can be linked to the specific
individual, describing where, when, and what was purchased for how much. This feature
of credit cards has made many people claim that technological developments lead to
greater control by the state or government over the individual. The anonymity of digital
cash would be a development in the opposite direction. In other words, the widespread
use of digital cash would render unlikely the prospect of a 1984 scenario, in which
governmental surveillance creates a society of fear, suspicion, and suppression, and would
act as a guarantor of individual freedoms. Of course, all of this remains to be seen!
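The “blinding” mentioned above is what lets an issuer sign a coin it cannot later recognize. The following toy, a Chaum-style RSA blind signature with a spent-serial ledger, is an added example and not code from the book or from any of the currencies it names; the `Issuer`, `withdraw` and `consistent_blinding` names and the 512-bit key are constructed for illustration.

```python
"""Toy Chaum-style blind-signature e-cash (added illustration, not the book's code)."""
# Textbook RSA with no padding and a 512-bit modulus: enough to show why blinding
# gives anonymity and why a redeemed coin is final, never enough for real money.
import hashlib
import math
import secrets

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def _coin_hash(serial: bytes, n: int) -> int:
    """Map a coin serial into the RSA message space (n has 512 bits, so no wrap)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

class Issuer:
    """The mint: one key per denomination, signs blind at withdrawal, redeems once."""

    def __init__(self, bits: int = 256):
        self.e = 65537
        while True:
            p, q = _random_prime(bits), _random_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n, self.d = p * q, pow(self.e, -1, phi)
        self.withdrawals = []  # all the mint ever sees at withdrawal: blinded values
        self.spent = set()     # serials already redeemed (double-spend ledger)

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: a real mint debits the funded account here, then signs blind."""
        self.withdrawals.append(blinded)
        return pow(blinded, self.d, self.n)

    def redeem(self, serial: bytes, sig: int) -> bool:
        """Real-time settlement: a valid coin is accepted exactly once, no chargeback path."""
        if pow(sig, self.e, self.n) != _coin_hash(serial, self.n) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

def withdraw(mint: Issuer) -> tuple:
    """Customer: pick a serial, blind its hash, get it signed, unblind. Returns a bearer
    coin (serial, signature): whoever holds it can spend it."""
    n, e = mint.n, mint.e
    serial = secrets.token_bytes(32)
    m = _coin_hash(serial, n)
    r = secrets.randbelow(n - 2) + 2               # blinding factor, coprime to n (whp)
    blind_sig = mint.sign_blinded((m * pow(r, e, n)) % n)
    return serial, (blind_sig * pow(r, -1, n)) % n  # (m r^e)^d r^-1 = m^d

def consistent_blinding(mint: Issuer, blinded_seen: int, serial: bytes) -> int:
    """Blinding factor r that would tie one withdrawal transcript to one redeemed coin.
    Even with the private key the mint finds such an r for EVERY pairing, so the
    transcript says nothing about which withdrawal produced which coin."""
    n = mint.n
    r_to_e = (blinded_seen * pow(_coin_hash(serial, n), -1, n)) % n
    return pow(r_to_e, mint.d, n)

def demo() -> dict:
    """Withdraw two coins, redeem, double-spend, forge, and test unlinkability."""
    mint = Issuer()
    coins = [withdraw(mint), withdraw(mint)]
    links_ok = all(
        (_coin_hash(s, mint.n) * pow(consistent_blinding(mint, w, s), mint.e, mint.n))
        % mint.n == w
        for w in mint.withdrawals for s, _ in coins)
    return {
        "first_redeem": mint.redeem(*coins[0]),                 # accepted, settled now
        "double_spend": mint.redeem(*coins[0]),                 # same coin again: refused
        "forged": mint.redeem(coins[1][0], coins[1][1] ^ 1),    # tampered sig: refused
        "all_pairings_consistent": links_ok,
    }
```

The last result is the anonymity argument in code: every withdrawal the mint recorded is mathematically consistent with every coin it later redeemed, so even the issuer cannot tell who spent what.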

This anonymity does have its drawbacks, however. One example is criminal cases, in
which evidence of financial transactions is often an integral requirement for correct
judgement and sentencing. Thus, the financial anonymity of digital cash can make it
harder to convict criminals than it might otherwise have been.

Anonymous financial transactions and holdings also make it generally easier for money
laundering to take place. It can be argued, however, that this is relatively easy as it is
today with few currency controls and falling costs of overseas banking. With the advent
of anonymous digital cash, the costs and risks associated with money laundering would
fall considerably. Tax evasion would also become easier for similar reasons.

Just as the increasing ease of international capital movements has caused governments
worldwide to shift the burden of taxation from mobile to stationary capital, one
consequence of the reduced disincentives to evade taxes may be increased taxation of
geographically fixed assets. Hassle-free money laundering could lead to the extension of
organized crime.

The End of Fiat

An intriguing property of digital cash is that, in theory, anyone can issue it, and it is by no
means clear that banks will be the most successful players. The be all and end all of a
successful currency is confidence, and the issuers who command respect among
consumers have a huge advantage over others. Companies like Microsoft, Visa, and
Coca-Cola would, therefore, have a good base from which to start due to their impeccable
reputations and solid brand names.

An important determinant for which currencies will be accepted and trusted by
consumers is what they are backed up with. At present, the vast majority of currencies are
fiat-based (not to be confused with Fiat, the Turin, Italy-based car company). This means
that they have no intrinsic value and are not linked to anything of market value. The only
reason why people accept such paper currencies is that they expect everyone else to do
the same.

Such a system, however, could not possibly originate from scratch. Digital currencies
would, therefore, either have to be proxies for governmentally issued currencies, so that
for instance, one “Coca-Cola-Dollar” can be exchanged into 3 USD, or backed by assets,
such as precious metals, equities, or bonds in a fixed ratio.

Which of these two routes would dominate depends largely on the performance and
reliability of the governmentally issued currencies. But, comparative economic studies
show that currencies based on, for instance, precious metals are more reliable and stable
than fiat currencies. This is exemplified by the successful operation of the pre-World War
I gold standard, which played an integral part in the “Golden Age” of market liberalism.

Currency Competition Restored

Another implication of the prospect of digital cash is increased currency competition. In
the current situation, currency competition is limited to competition among the various
governmentally issued currencies. This means that if you distrust your local currency, as
many people in Asia do at present, you may choose to accept only USD or GBP, and
choose to keep your cash holdings in these currencies. The currency competition is,
however, presently limited by the relatively dominant position of a local currency in an

Currency competition has increased in recent years as a result of deregulation of financial
transactions and currency regulation falling out of fashion. Some industry analysts claim
that they can already see the results of this in the relatively stable, noninflationary period
that major currencies, such as USD, DM, and sterling, have experienced.

Digital cash offers the prospect of competition much more intensive and extensive than
what exists at present. The various players would have to compete on qualities, such as
inflation, reliability, stability, confidence, and ease of use.

For private banks, there is an incentive to push the level of fractional reserve banking as
high as possible. This means that they issue more in terms of credit letters such as loans,
short-term credits, and, potentially, digital cash, than they have reserves to repay, by
gambling on the unlikelihood that a majority of their creditors will want to withdraw their
funds simultaneously.

The market mechanism balances this incentive to hold fractional reserves with the
consumers’ desire for minimal risk (and, thus, a high ratio of assets to credits). The free
operation of currency competition would thus drive the process toward the ideal balance
according to the preferences of the consumers.

Consumers would probably get information about the reliability of the various digital
currencies through the media and special consumer interest groups, and through the
development of brand name reputations in the same way as they do with goods such as
cars and furniture today.

Regulating the Regulators

The widespread use of digital cash would redefine the role of regulators, such as central
banks and the Federal Reserve. With the establishment of a competitive market in which
the laws of supply and demand determine the nature of the currencies in use,
governmentally supplied currencies would either have to compete in accordance with the
preferences of the consumers or obtain special privileges. Given the immense financial
security of most major governments compared with most corporations, it seems likely
that governments, if sufficiently aware of the situation, would be able to compete on
equal if not better terms than the private sector.

When it comes to regulating the digital cash industry, however, governments would face
severe difficulties due to its international nature. If a particular government decided to
place restrictions on, or even forbid, the use of privately issued digital cash, nothing
could keep the citizens of that very country from using digital cash issued abroad.

The only way in which it would be possible to effectively limit the use of digital cash,
would be if a broad coalition of governments issued a collaborative policy to this
purpose. Even then, small countries could act as free zones for digital cash issuance in the
same way as they do with regards to offshore banking today.

The current failure of governments to effectively combat illegal material on the Internet
shows that the ongoing developments of information technology place real restrictions on
the governments’ power and that, in the absence of extensive and effective international
agreements, digital cash would face very limited threats from the regulators.

Also worth noting is that some regulators seem reluctant to regulate digital cash. In
particular, Alan Greenspan, of the U.S. Federal Reserve, has taken a surprisingly
noninterventionist approach. This may be due to his background in Austrian economics,
which advocates free banking and return to the gold standard.

But, with a major economic power such as the United States seemingly willing to accept
the unhindered development of digital cash, it will in turn be up to the consumers to
decide whether it is preferable to the governmentally issued fiat currencies of today[4].

Finally, let’s look at the future of digital currencies. This final part of the chapter focuses
on the emerging digital money-like products that will supplant most conventional
government issued money and existing payments systems over the next couple of

Tynes, Johannes Skylstad, “Economic Consequences of Digital Cash,” Copyright ©
London School of Economics and Political Science 2002, London School of Economics
and Political Science, Houghton Street, London WC2A 2AE, 2003.

The Future of Digital Currencies

The age of digital money is upon us. The new technologies of the Internet, digital
electronics, public key encryption, and the rapid price declines of computing power and
telecommunications bandwidth are having a dramatic effect on the financial world. These
new technologies are enabling the development of financial markets, procedures, and
instruments that economists in the past could only theorize about. Financial transactions
can be settled in real time even though the contracting parties may be thousands of miles
apart. Money and other assets can be moved at almost the speed of light to any point on
the globe for a minuscule cost. Easy-to-use encryption programs enable almost anyone to
move data or money around the globe with almost complete security. It is now possible
for private digital currency issuers to compete without the high information and
transaction costs that burdened the multiple-issuer systems in the past. Moreover, new,
private monies are emerging, including “digital gold.” The technical barriers have been
overcome, as well as many of the economic challenges.

Digital money or digital currency is the monetary value of government- or privately
issued currency units stored in electronic form in an electronic device. Digital money is
one type of a digital financial instrument that fulfills most or all of the functions of
money. The monetary value stored in the electronic device can be transferred to other
such devices, allowing the users to engage in payment transactions. This is different from
traditional electronic payment systems, such as credit and debit cards and wire transfers,
which usually require online authorization and may involve debiting and crediting bank
accounts for each transaction. A prepaid monetary value may be stored in a computer
chip on a card (“smart card”), stored on a computer chip in a wireless device[7], or stored
on a computer disk drive. Money transfers with cards are most often made through card
reader/writers, whereas transfers using computers or wireless devices are made over
wired or wireless communication networks, such as the Internet. Cards, wireless devices,
and computers can also be used to merely authorize monetary transfers from one account
to another. These accounts may be bank accounts or reserve assets held in nonbank
institutions. Stock, bond, mutual fund, and gold deposit accounts may allow ownership
transfer of assets, even in micro amounts, to be made by computer or wireless devices. To
prevent fraud, all such transfers need to be protected by cryptographic codes. The
technology now exists to make such transfers anonymous, like paper currency
transactions, if the user so chooses.

Financial cryptographers have developed methods whereby people will be able to
securely hold bearer digital cash, bonds, stock, and even financial derivatives, and make
very low-cost and anonymous transactions with them. A U.S. dollar in paper form is a
bearer instrument. That is, the person who holds it is normally considered to be its lawful
owner. There is no list of owners of paper currency (a registration record); ownership is
conveyed by physical possession.

The advantage of bearer instrument transactions is that settlement is in real time, and,
therefore, there is no risk of nonpayment, as there is in book entry transactions such as
checks and credit cards. There are no chargebacks to the merchant, and the risk of fraud
(in the absence of counterfeiting) is greatly reduced. Bearer instruments are also
anonymous, which can protect the owner from corrupt governments or criminal types.
However, because of this anonymity, many governments do not like or have prohibited
certain types of bearer instruments because they make it hard for tax officials to collect
revenue. Digital monetary and financial products are “disruptive” technologies, in that
their creation upsets the existing legal and public policy order as to how money and
financial products and institutions are regulated and organized. National borders are
ceasing to have the relevancy they once did.

Both businesses and governments need to build the appropriate legal order for the digital
age and understand how it should be managed. This requires changes in laws and
regulations, leaving businesses in a thicket of uncertainty during the transition period.
Central bankers, treasury officials, law enforcement authorities, and intellectual property
administrators (patent officials, etc.) will by necessity have to adjust to a different world.
Their challenge will be to create a new set of rules and procedures that bring the
necessary order without impinging on the rights of privacy of individuals and institutions,
or destroying the economic efficiencies that the new technology is bringing.

Policy Implications of Digital Payments Systems

Many legal issues will arise as digital money becomes more prevalent. Given that most
digital money will be global in the sense that the Internet will facilitate its movement or
use outside its issuing jurisdiction, the lack of legal uniformity between countries raises
many policy issues. For instance, who has the liability if a failure does occur in a
particular digital money system because of fraud or for some other reason? When digital
money payments are made across national borders, who has jurisdiction? Does digital
money violate the monopoly rights of central banks to issue money? May a central bank
issue digital money? Do nonbank issuers of digital money need to be regulated, and if so,
who should the regulator be? Who is going to determine if the clearing organizations
have sufficiently robust and fraudproof systems?

Given that various digital money systems are now being developed and offered, the
answers to the preceding questions will probably slowly evolve over the next few years
as real problems emerge. Already, multilateral financial institutions, such as the Bank for
International Settlements and the International Monetary Fund, have established working
groups to try to develop recommendations for their members in dealing with the
previously mentioned issues. These BIS and IMF recommendations will be of particular
interest to the world’s central bankers who are facing the front line of change. To the
extent people use privately issued digital money for transactions, the demand for
government money is reduced. If people are willing to hold liquid balances in the form of
digital money, the quantity of demand deposits (checking accounts) that people need or
desire is smaller, thus reducing the central bank’s supply of money. The same principle
holds true for other money substitutes, from very limited money substitutes (balances
held on telephone cards, or frequent flyer miles), to broad, money-like products (digital
gold). As these broad and narrow-use money substitutes grow in popularity because of
their ease of use in the digital age, the amount of money supplied by central banks will
decline. Until some nongovernment money reaches a critical mass, whereby most users
and businesses find they can do a substantial portion of their business in the “new
money,” virtually all digital money and money substitute products will be reconverted to
central-bank-issued money at some point. However, even during this period of partial and
temporary substitution of digital money for central bank money, the demand for central
bank money will gradually decline.

Justifiable concerns have been raised about the innovations in payments technology and
the development of digital money and their impact on inflation. For monetary systems
with a quantity anchor (such as the U.S. dollar and other fiat currencies), technology
changes resulting in an increase in the money multiplier or a decrease in money demand,
will increase the price level unless base money is reduced by an appropriate amount. If
digital money is issued by an institution other than a bank, which has no reserve
requirement, the growth in digital money will increase the money supply unless the
central bank takes corrective action. The increases in the money supply resulting from the
new technologies will be both gradual and easily recognized, and, hence, would be
neutralized by the central bank, by appropriate reductions in the monetary base.

As with all innovations with payments technology, the introduction of digital cash has a
one-time effect on the price level. The money multiplier would be larger, but stable at its
new level. If digital money is issued by a bank at the expense of deposits, and is subject
to the same reserve requirements as deposits, the monetary effect would be approximately
neutralized. If digital cash issued by banks is subject to a 100% reserve, or if digital cash
is issued by a nonbank, with a 100% reserve, no new money is created. With any price
rule digital money system (commodity-backed systems), inflation by definition is not a

In general, electronic payments and digital money systems increase the efficiency by
which the existing money supply can make payments, thus reducing the demand for
money. These improvements tend to take place gradually over time, and are observed as
an increase in the velocity of money, which requires a compensating adjustment in base
money by the Federal Reserve. In summation, there is no reason for great concern in
terms of monetary policy management by central banks as a result of these new
technological innovations. The changes will be gradual and obvious, giving plenty of
time to make policy adjustments to prevent inflation.

One effect of the decrease in demand for central bank money will be the disappearance of
central bank seigniorage revenue. At present, the world’s central banks obtain a
considerable income from issuing paper banknotes, which are noninterest bearing central
bank liabilities. Among the G-10 countries, seigniorage as a percent of GDP ranged from
a low of 0.34% in the UK to a high of 0.71% in Italy in 2002. This seigniorage not only
provides for all of the central bank operations, but also provides their treasuries with
significant revenue. However, it is also apparent that the efficiency gains for the economy
from digital money swamp any negative effect on government revenue of the loss of
seigniorage revenue, which has been in effect a tax on the banking system.

It can be expected that the growth of digital money will have a direct and significant
impact on the common measures of the money supply, particularly currency and demand
deposits (M1 and M2). Given that many central bankers target these monetary aggregates
in the conduct of their monetary policy, the focus of monetary policy may need to
change. The growth of digital money could ultimately cause a substantial drop in banks’
demand for settlement balances. In the major economies, cash is the largest component of
central bank liabilities. Extensive use of digital money is likely to shrink the balance
sheets of the central banks significantly. At some point, the shrinkage might restrict the
central banks’ ability to conduct open market operations or foreign exchange sterilization
operations. However, to the extent that the new digital monies are fully backed by assets
such as gold or high-quality financial instruments, the need to conduct open market
operations will diminish, because the supply of money for transactions should
automatically adjust to demand.

As more and more transactions are settled on a real-time basis, the risk of nonpayment
and fraud declines, and, hence, the need for regulation and monitoring also declines. The
role of the central bank may ultimately shrink to doing little more than defining the
numeraire for the national money. The definition is likely to be a modern version of the
gold standard. Specifically, a national currency in the future may well be defined as a
monetary unit that is equal to a basket of specified commodities with a one world price,
such as gold and crude oil, and even some services. Any good or service having a one
world price that is set in organized auction markets could be a candidate for a currency
basket that would be used to define the value of the monetary unit.

Some central banks might also continue to serve as a lender of last resort to large
financial institutions by using off balance sheet transactions. The need for such a lender
of last resort would seem to diminish in a world of instant information on almost all
activities, institutions, and real-time settlements. In the new century, the kind of financial
shocks and surprises experienced in the past ought to be increasingly rare, unless
financial regulators interfere too much with the market adjustments that will naturally
occur in a world of increasingly perfect information.

The rapidity of adoption of digital money systems by consumers depends on how their
cost, convenience, and anonymity is perceived in relation to paper currency and coin.
Eventually, electronic transfer and digital money systems will replace paper and coin,
because they can greatly reduce transaction costs and will ultimately become more
convenient. At the current level of technological advance, it appears that within relatively
few years, whether they involve a few cents or millions of dollars, almost all monetary
transactions will move over the Internet, or by wireless device, or by chip card for small
transactions. The question of anonymity will remain an impediment, until policymakers
understand that the fundamental desire and right to personal privacy must be
accommodated with the new technologies, to an extent no less than people now have with
cash. The role of central banks will change, and will likely shrink, as a result of the new

One danger to the world economy is that central banks will try to hold on to their
traditional roles by restricting the new technologies or regulating them in such a way as
to make them noneconomic. Regulators should keep a hands-off approach until a problem
has been clearly demonstrated and, at that time, devise corrective actions to do the least
damage to innovation and financial freedom.

Law enforcement officials around the world have been concerned about the potential
abuse of digital money systems for the purpose of money laundering, and, therefore, are
trying to restrict or ban them. Officials in various government and regulatory agencies,
such as the Financial Crimes Enforcement Network, assert that they should have more
power and ability to monitor all transactions. It is true that digital money systems,
particularly anonymous ones, may indeed make the job of money laundering easier. On
the other hand, many government law enforcement agencies throughout the world have
abused basic rights to financial privacy. The benefits of digital money greatly outweigh
the potential criminal abuses, and, hence, measures to restrict the use of digital money
should be resisted. Without the availability of anonymous systems, there will be strong
resistance on the part of many individuals to fully move to e-payments systems and
digital money.

The existing efforts against money laundering, primarily by the United States and major
European governments, have not proven to be the least bit cost-effective. For instance, in
the United States in 2002, only 1,376 people were convicted of money laundering, yet the
cost to the private and public sectors of the anti-money-laundering efforts exceeded 50
billion dollars, which comes out to more than 4 million dollars per conviction. For
example, the British state has been able to take out 0.008 percent of the criminal money
that has flowed through London. There is no evidence that authorities in the United States
are having much more success. Money launderers do not have a statistically significant
chance of being caught and losing the profits from their misdeeds, and, therefore, the
deterrent effect of such laws is negligible. Privacy advocates have also documented that
the money laundering laws are very arbitrarily enforced in many countries, including the
United States. Money laundering is a crime of motive, rather than one of specific activity,
hence its enforcement, by the very nature of the crime, is highly subjective. This
subjectivity leads to selective and politically biased enforcement. Because of the constant
threat of the vagueness of the money laundering laws and regulations, constructive
financial innovation has been retarded, particularly in the development of digital monies.

The money laundering laws have propelled the United States to adopt attitudes
insensitive to foreign countries’ rights to self-determination, and to violate the
sovereignty of foreign states. The United States tries to impose policies on foreign states
and businesses that the United States would never accept if the situation were reversed.
The United States and the European Union have no business telling smaller developing
nations that they are involved in “harmful tax competition,” or that they should abolish
bank and corporate secrecy laws. Small nations have a need and a right to attract foreign
capital, and it is perfectly legitimate for them to compete against harmful tax, regulatory,
and privacy policies that larger nations impose on their own citizens.

Anti-money-laundering legislation has not only proven to be ineffective and
counterproductive, but also greatly undermines the financial privacy rights of individuals.
Such laws require widespread reporting on the financial activities of bank customers by
bank employees to their governments, thus undermining the separation of business from
law enforcement, and ultimately the financial privacy necessary for civil society. The fact
is, the new technologies of various forms of encrypted e-payments will make the task of
enforcing the money laundering laws even greater, unless governments are permitted a
level of financial privacy intrusion that most civilized people will find unacceptable.
However, widespread adoption of digital money will actually reduce the number of
crimes most people care about, such as murders, thefts, and robberies. In 2002, there
were approximately 52,000 murders in the United States, and a substantial number
involved people trying to take someone else’s physical money. A move to digital money
would reduce the murder, theft, and robbery rates. Stealing digital money is a much more
complex undertaking than stealing paper currency, and will be beyond the capabilities of
most common criminals. If there is no physical money to steal, the incentive for criminals
to steal and kill people for money will be greatly reduced. Abolishing the anti-money-
laundering laws is likely to speed up the use of digital money, resulting in less total
crime, and less wasted money by governments, even though it will make life slightly
easier for money launderers. Eventually, knowledgeable people are likely to conclude
that the “war on money laundering” is going to be no more successful than was liquor
prohibition in the United States during the 1920s. It will become increasingly obvious
that the resources utilized in the “war on money laundering” could be better spent
attacking the underlying crimes. The knowledge of how to utilize high levels of
encryption is now widespread. This knowledge, coupled with the Internet, smart cards,
and related technology, ultimately means that it is almost futile to try to prohibit the hard-
to-define crime of money laundering.


Digital payments and monetary systems are coming of age, and will replace most existing
money and payments systems over the next couple of decades. These changes will bring
enormous economic benefits by greatly increasing the efficiency and reducing the costs
of your payments systems. In addition, the absence of paper currency and coin, which is
readily subject to theft or loss, should greatly reduce crime. The U.S. government has a
choice of either embracing the new technologies and helping them along (mainly by
getting out of the way), or taking a “Luddite” approach and attempting to restrict and
deny the inevitable. A civil society depends on a government that does not unduly restrict
liberty and economic opportunity.

The following recommendations will seem radical and frightening to those who do not
understand the new technologies and where we are headed. However, those who do
understand the new technologies, and desire a civil society that provides liberty, privacy,
and economic opportunity, will see these recommendations as desirable and necessary.

First, remove all restrictions on issuing digital bearer financial instruments, including
stocks and bonds. Financial cryptographers have already figured out how to issue such
instruments in cyberspace, and many feel that they do not need the government’s
permission. Rather than create a new class of cybercriminals, governments should
recognize the reality, and do something that is both good for the economy and that
supports civil liberties.

Second, remove the capital gains tax from trading in commodities and private currencies,
in order to allow the full development of commodity-backed digital currencies (such as
gold) and other digital currencies. The capital gains tax on commodities does not bring
any revenue over the long run to government, given that losses and gains offset each
other. In the real world, it is probably a net loss for the government, because people will
be more prone to report their losses rather than their gains, and it reduces the efficiency of
the commodities markets. Over the long run, “capital gains” from currency trades are
most often created when a government has debased its own currency.

Third, remove all restrictions on anonymous digital money and payments systems.
Restrictions are almost impossible to enforce, and privacy is a basic human right.

Finally, repeal the Bank Secrecy Act and the subsequent related anti-money-laundering
legislation. The existing legislation and implementation is not cost-effective, is subject to
abuse, interferes with basic civil liberties to an unacceptable degree, and actually results
in higher levels of crime[3].

Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
Rahn, Dr. Richard W., “Digital Money,” House Committee on Financial Services, 2002.


This chapter discussed the market implications of adopting electronic payment systems
and digital currencies in electronic commerce. The key to understanding and exploiting
electronic commerce is to recognize it as a market mechanism, where all components of a
market interact and must be analyzed collectively. For example, electronic payment
systems bring more than lowered transaction costs, affecting product choices, pricing,
and competition. This chapter also examined economic implications of electronic
payment systems—especially micropayments enabled by digital currencies in terms of
size advantage, the lemons problem, digital product pricing, product differentiation—the
commoditization of consumer information and advertisements, and copyrights. In short,
electronic payment systems are one of the critical factors that allow process innovations
via electronic commerce. Finally, these process innovations may either promote
competitive and efficient markets or worsen the trend toward the vertical integration and
monopolization in the globalized economy.

Part VI: E-Commerce Solutions and Future Directions
Chapter List
Chapter 24: International E-Commerce Solutions
Chapter 25: Business-to-Business and Business-to-Consumer
Chapter 26: Summary, Conclusions, and Recommendations

Chapter 24: International E-Commerce Solutions

“Most people are more comfortable with old problems than with new solutions.”


The Internet connects potential customers with merchants in many different countries.
International e-commerce payment solutions provide a channel for money to cross oceans
and borders as follows:

• eBay Payments: Billpoint International Buyer Support
• Bibit Payment Services: A world leading Payment Service Provider
• Mondex Smart Card International services: A MasterCard OnLine service
• Planet Payment™: Leading provider of Internet payment solutions
• Visa TravelMoney: Security and convenience for all your travel needs
• WorldPay: Multicurrency processing

Cruz, Ray, “Merchant E-Commerce Alternatives,” All rights reserved © BYTE4U
2000-2002, P.O. Box 691541, West Hollywood, CA 90069, U.S., 2002.

E-Commerce Credit Card Payment Alternatives: U.S. and

The following services allow buyers to use their own conventional credit cards without
requiring the merchant to establish an actual merchant credit card processing account:

• BillCC.com: Serves as reseller/retailer of your products for a commission
• ClickBank: No monthly fees! (http://www.clickbank.com/overview.html?raycruzer)
• Entrepreneur.com: Credit cards or E-cash?
• DigiBuy: Electronic commerce solution for publishers of software, shareware, electronic
art, information, and data (http://www.digibuy.com/)
• iBill Complete: Internet Billing Company (http://www.ibill.com/Services/iBillComplete/)
• Kagi! Worldwide Internet Store (We charge—You deliver): Premiere e-commerce
service company that provides turn-key online stores for thousands of products
distributed over the Internet (http://www2.kagi.com/)
• Revecom: Multicurrency payment processing (http://www.paysystems.com/)[1]

Alternative International E-Commerce Payment Solutions

A popular alternative for international e-commerce payments solutions today, especially
on Web auction exchanges, is the person-to-person payment system, such as PayPal
(https://www.paypal.com/refer/pal=raycruz@ergonica.com). Many former Buy-It!
Button merchants are switching to PayPal. These systems allow you to make payments to
anyone with an e-mail address, even if they do not have an account. You can also place a
PayPal button on your Web page to accept payments by setting up an account.

PayPal claims to have over 10 million accounts and is a major player on eBay and other
auction sites. An attractive feature of PayPal is the relatively low fee of 2.9%. With no
setup fees, this is an attractive option for e-commerce vendors. One drawback is the
inconvenience for the buyer of having to set up a PayPal account before being able to use
his credit card to buy your product. Through PayPal, the consumer retains all the
protections provided by his own credit card issuing banks and institutions, such as Visa
and MasterCard. If the buyer demands a refund or obtains a chargeback through the bank,
PayPal makes the adjustment on the vendor’s PayPal account.

With c2it (http://www.cj.com/expired.jsp?PID=677520&AID=5439511), you can send,
receive, and move money within the United States for free. However, c2it does not
provide the pay button, shopping cart, or recurring payments offered by PayPal. When
sending money by c2it internationally, c2it will charge $10 per International Check and
$15 per International Direct Deposit. In addition to the transaction fee, any difference
between the foreign exchange rate given to you and the foreign exchange rate received by
c2it will be kept by c2it.

Currently, you can use any U.S.-based checking, savings, and money market accounts to
send and receive money by c2it. You can also use any MasterCard or Visa credit card
accounts. You do not have to link a Citibank account to use c2it. MasterCard and Visa
debit cards may only be used to Send Cash and Add Cash at this time, and may not be
used for transferring money between linked accounts. Although this is one of the most
versatile and low-cost person-to-person payment services, it is not designed for e-
commerce merchants. Guess who created the first ATM in the world? Yes, Citibank in
New York.

Another payment option is ClickBank, which charges a higher flat fee of 7%, but makes
the purchase more convenient for the consumer. The merchant pays the 7% fee for each
transaction and also pays an initial setup fee of $49.95. For low-volume start-ups, this
may still be a lower cost than establishing an actual merchant account with Visa or

BillCC.com, iBill, and Revecom provide alternative e-business opportunities using their
own merchant accounts to sell your products, subject to careful controls. Without the
specific approval of the underwriting banks, using one company’s merchant account to
sell another merchant’s products is called factoring, and is a violation of Visa and
MasterCard rules.

If your business is international in nature, or your customers are from other countries, you
may need an international payment service such as the Global Debit Card. This system
uses CIRRUS ATM cards and MasterCard debit cards to access cash and make purchases
throughout the world. You may also become a B2B reseller of the debit cards by signing
up with the Financial Services International network. If you, as the seller or merchant,
can accept debit cards, this will enable purchases from virtually anywhere in the world.

The Global Debit Card does not require a social security number and includes a CIRRUS
PLUS debit card and a MasterCard debit card for the same account. Although a U.S.
mailing address is required to apply for the debit card, the card applicant can establish a
U.S. mailing address for a minimum of $40 plus postage to the applicant’s foreign
address using the U.S. Mailing Address service at usmailingaddress.com
(http://www.usmailingaddress.com/mgoldmine/). Funds may be deposited in the debit
account through Western Union or Money-Gram in U.S. dollars.

Kagi is an Internet store specializing in products created by thousands of individuals
around the globe. Kagi started with downloadable software and has since become a seller
of all sorts of other products, such as music, videos, and other physical goods. Kagi
makes it easy for people to pay for products and frees the seller from handling all the
payment processing. Mainly, Kagi processes software payments.

DigiBuy is an electronic commerce solution for publishers of software, shareware,
electronic art, information, and data. Using DigiBuy’s turnkey service, you can quickly
and inexpensively build a secure storefront to merchandise your products, take orders
online, process payments, and distribute digital products over the Internet from points
around the globe.

Planet Payment™ is a leading provider of Internet payment solutions for e-businesses
(globally) in nearly any currency. Planet Payment features multicurrency credit card
acceptance services (http://www.planetpayment.com/), advanced payment gateway
(http://www.planetpayment.com/) technology, and value-added products and services.
Planet Payment’s state-of-the-art Internet payment service enables e-businesses to accept
MasterCard, Visa, American Express, and other major cards in a secure online
environment in over 140 currencies (http://www.planetpayment.com/). These affordable
solutions are compatible with most shopping carts and Web site technologies, so
implementation and setup is complete within minutes.

WorldPay pioneered multicurrency processing in association with NatWest bank in 1996.
The WorldPay multicurrency processing system enables you to offer your products and
services in over 120 different currencies, and to receive payment for them from a range of
14 remittance currencies. WorldPay manages the uncertainty of foreign exchange rates
for you, allowing your shoppers the unique choice of purchasing goods and services from
you in a currency that they recognize and understand. More international payment
solutions are listed next.

Smart cards and digital wallets use traditional credit card accounts to enhance online
shopping in different ways. Smart cards have embedded chips that when read by a smart
card reader verify that the original card is present at the moment the transaction is being
enacted. Digital wallets hide the credit card account number when the transaction takes
place and also fill in shopping cart forms for you with ease.

Another credit card processing alternative is using e-cash systems, such as eCharge,
Qpass, iPin, and trivnet. Merchants can set up accounts with each of these resources to
enable e-cash online payments.

Your Internet business can be facilitated by marketing your products on the Internet
without the overhead of having your own merchant account. Another alternative is token
money that can be traded for real products. Several auction portals and merchant account
alternatives, as well as e-cash options, are listed in the following sections.

Auction Resources

If you’re selling collectors’ items or unique products, this may be a good way to start.
The following are some currently available auction resources:

• AuctionAddict.com Online Auction (http://auctionaddict.com/)
• Bay9 Auctions
• EBay: Your personal trading community (http://pages.ebay.com/)
• uBid.com: Online auction
• Yahoo! Auctions (http://auctions.yahoo.com/)[1]

Smart Cards

Smart cards are more secure because of embedded chips that verify the card’s presence in
a smart card reader. In the near future, all new PCs will ship with standard smart card
readers. The following are some currently available smart cards:

• Blue: American Express
• Fusion Visa: FleetBoston Financial (http://www.fusioncard.com/home/)
• Mondex: MasterCard International (http://www.mondex.com/)
• Smart Visa: The Card with Intelligence
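The "verify the card is present" property described above rests on a challenge-response exchange: the reader sends a fresh random challenge, the chip answers with a cryptogram computed from a secret that never leaves the card, and the issuer checks it. The following is an added illustration of that exchange, not code from the book or from any of the card programs listed; the HMAC over the challenge, amount and transaction counter is a stand-in for a real chip cryptogram, and the card number, keys and class names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Added, simplified simulation of card-presence verification. Constructed names
# and keys; the HMAC stands in for a real chip card cryptogram.


def _transaction_bytes(pan: str, nonce: bytes, amount_cents: int, atc: int) -> bytes:
    """Canonical byte string that both the chip and the issuer sign/verify."""
    return b"|".join([pan.encode(), nonce, str(amount_cents).encode(), str(atc).encode()])


class ChipCard:
    """Simulated chip. The card key never leaves the card; only cryptograms do."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self._atc = 0  # application transaction counter, incremented per transaction

    def sign_transaction(self, terminal_nonce: bytes, amount_cents: int) -> dict:
        self._atc += 1
        mac = hmac.new(
            self._key,
            _transaction_bytes(self.pan, terminal_nonce, amount_cents, self._atc),
            hashlib.sha256,
        ).digest()
        return {"pan": self.pan, "nonce": terminal_nonce,
                "amount_cents": amount_cents, "atc": self._atc, "mac": mac}


class Terminal:
    """Smart card reader: issues a fresh random challenge for every transaction."""

    @staticmethod
    def new_challenge() -> bytes:
        return secrets.token_bytes(16)


class Issuer:
    """Issuer host: holds a copy of each card key and the highest counter seen so far."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enroll(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, msg: dict, expected_nonce: bytes, expected_amount: int) -> tuple[bool, str]:
        key = self._keys.get(msg["pan"])
        if key is None:
            return False, "unknown card"
        if msg["nonce"] != expected_nonce:
            return False, "challenge mismatch: replayed or foreign cryptogram"
        if msg["amount_cents"] != expected_amount:
            return False, "amount differs from the authorization request"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False, "transaction counter reused"
        expected = hmac.new(
            key,
            _transaction_bytes(msg["pan"], msg["nonce"], msg["amount_cents"], msg["atc"]),
            hashlib.sha256,
        ).digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "cryptogram invalid: card secret was not present"
        self._last_atc[msg["pan"]] = msg["atc"]
        return True, "card present, approved"


def demo() -> list:
    """A genuine purchase, the same cryptogram replayed, and a copy of the number alone."""
    issuer = Issuer()
    card = issuer.enroll("4000123412341234")  # constructed sample number
    nonce = Terminal.new_challenge()
    msg = card.sign_transaction(nonce, 1999)
    results = [issuer.verify(msg, nonce, 1999)]
    results.append(issuer.verify(msg, nonce, 1999))  # replay: counter already seen
    # Someone holding only the card number cannot produce a valid cryptogram.
    copy = dict(msg, nonce=Terminal.new_challenge(), atc=msg["atc"] + 1, mac=b"\x00" * 32)
    results.append(issuer.verify(copy, copy["nonce"], 1999))
    return results
```

The counter and the per-transaction challenge are what distinguish "card present" from "card number known": a captured cryptogram is useless on the next transaction, and a card-not-present order carrying only the number fails the MAC check.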

Digital Wallets

Digital wallets use a standard credit card account and disguise your real credit card
number with a one-use number. The advantage is more security and convenience because
payment forms are filled in automatically. The following are some currently available
digital wallets:

• deskshop: Discover Bank
• MBNA ShopSafe: MBNA America Bank (http://www.mbnashopsafe.com/)
• Microsoft Passport (http://www.passport.net/Consumer/default.asp)
• Q*Wallet (http://www.qwallet.com/)[1]
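The one-use number a digital wallet substitutes for the real card number only works if the wallet provider keeps the mapping, enforces single use, and never returns the real number to the merchant. The following is an added example of that vault logic, written for this chapter rather than taken from the book or from any of the wallets listed; the BIN prefix 999999, the sample card number and the merchant names are constructed, and the merchant and amount binding is one common policy, not a claim about any particular product.

```python
import secrets
from dataclasses import dataclass

# Added illustration of the one-use numbers digital wallets hand to merchants.
# Constructed vault, BIN prefix and card numbers; not a real issuer's scheme.


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of partial is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    real_pan: str
    merchant: str
    max_amount_cents: int
    used: bool = False


class WalletVault:
    """Wallet-provider side: the only place the real card number is stored."""

    def __init__(self, bin_prefix: str = "999999"):
        self._bin = bin_prefix  # constructed prefix, not a real issuer BIN
        self._vault: dict[str, TokenRecord] = {}
        self._rng = secrets.SystemRandom()

    def issue(self, real_pan: str, merchant: str, max_amount_cents: int) -> str:
        """Mint a Luhn-valid 16-digit one-use number bound to one merchant and a ceiling."""
        while True:
            body = self._bin + "".join(str(self._rng.randrange(10)) for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._vault and token != real_pan:
                break
        self._vault[token] = TokenRecord(real_pan, merchant, max_amount_cents)
        return token

    def authorize(self, token: str, merchant: str, amount_cents: int) -> tuple:
        """Called when the merchant submits the number; the real PAN is never returned."""
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown number"
        if rec.used:
            return False, "one-use number already spent"
        if rec.merchant != merchant:
            return False, "number bound to a different merchant"
        if amount_cents > rec.max_amount_cents:
            return False, "amount above the limit set at issue"
        rec.used = True  # the number dies with its first authorization
        return True, "approved for card ending " + rec.real_pan[-4:]
```

Because the number is consumed on first use and bound to the merchant it was issued for, a copy of it taken from the merchant's order database has no value afterwards, which is the security gain the paragraph refers to; the convenience gain (auto-filled forms) is independent of the vault.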

Person-to-Person Payments

Person-to-person payments systems support e-mail-based payments directly to another
person’s bank account. The following are some currently available person-to-person
payments systems:

• Billpoint: eBay and Wells Fargo (http://www.billpoint.com/)
• c2it: Citibank (http://www.cj.com/expired.jsp?PID=677520&AID=5439511)
• PayPal.com (https://www.paypal.com/refer/pal=raycruz@ergonica.com)[1]

Micropayment Systems: eCash

These offer secure payment alternatives for small ticket items. The following are some
currently available micropayment systems:

• ECharge: Secure alternative to using credit cards (http://www.echarge.com/)
• Trivnet: Making Online Commerce Pay (http://www.trivnet.com/)[1]

Token Value and Store-Based Credit

Finally, you can earn credits to shop at various stores by using these token-based
alternatives to real money. The following are some currently available token value and
store-based credit systems:

• Flooz (http://www.flooz.com/)
• InternetCash (http://www.internetcash.com/)
• Praxell (http://www.praxell.com/)[1]

This chapter does not endorse any e-commerce service listed in it. The information
provided is to help you become aware of numerous options that you should investigate on
your own. After you’re ready to start making money, many of the links in this chapter
will take you directly to the service you need to start processing transactions on the Web
without a traditional merchant account!

Chapter 25: Business-to-Business and Business-to-Consumer
“All of the animals except man know that the principal business of life is to enjoy it.”


Today’s business-to-business (B2B) e-commerce environment offers companies of all
sizes dynamic and exciting business opportunities, but it is rife with uncertainties and
challenges. Although most analysts still expect the volume of goods and services sold
through B2B e-commerce to climb into the trillions of dollars worldwide in the next few
years, the uncertainty seems to be growing. In the face of all of the confusion surrounding
B2B e-commerce, most companies are struggling to understand where their real
opportunities lie and how they can make strategic technology investments that align with
today’s business objectives while providing the flexibility to help them respond to rapid
changes in the business landscape.

To help companies make informed decisions and capitalize on the right opportunities, this
chapter discusses solutions designed to help companies integrate business partners more
effectively. Although this notion encompasses a wide range of business challenges and
solutions (including supply chain management, procurement, and CRM), this chapter
focuses specifically on one concept: supplier enablement. The supplier enablement
initiative and technology solutions (whether they be B2B or B2C) are aimed at helping
companies of all sizes to sell to their trading partners more effectively by integrating with
customers’ procurement systems, as well as e-marketplaces and other electronic sales
channels—all from a single e-business foundation. No matter how large or small a
business is, or how complex or simple its business processes, supplier enablement
solutions makes it easier for a company to reach its customers through whatever
purchasing method they prefer.

More specifically, supplier enablement solutions leverage existing and new technology
investments, open technology standards, and partnerships to empower suppliers to reach
the broadest set of buyers. They do this by letting suppliers sell both directly from and
beyond their own Web site, through a range of cost-effective, high-performance solutions
that offer superior scalability, reliability, and time-to-market.

Roles and Challenges in Business-to-Business E-Commerce

Before solving key issues in B2B e-commerce, it is important to understand the key roles
that companies or individuals within companies play. There are four primary roles in B2B
e-commerce. Every company plays at least one of them, and many companies play
multiple roles. Figure 25.1 shows three of the roles (Web services live within and
between the three others)[1].

Suppliers: Businesses that market and sell goods or services directly to business
customers through traditional or other sales channels, ideally selling directly to their
customers’ Web-based procurement systems and electronic marketplaces.

Buyers: Customers and businesses that purchase goods and services directly from
suppliers, either through traditional means or electronically through self-service
procurement systems, ERP-based procurement applications, and electronic marketplaces
(private or public). Examples of buy-side applications include those from vendors such as
SAP, Ariba, Clarus, PeopleSoft, Commerce One, Oracle, and many others.

Market makers: Third-party organizations that run e-marketplaces using Internet
technologies to connect multiple buyers with multiple suppliers so that participants can
reach new trading partners, conduct e-commerce, and take advantage of Web services
such as payment, logistics, and collaboration.

Web service providers: Third-party organizations that provide buyers, e-marketplaces,
and suppliers with Web-based services (including payment, authentication, logistics,
credit, business registries, and many others) necessary for completing B2B e-commerce
transactions and collaboration[1].

Each role has distinct business and technical challenges, but there are some common
themes. For buyers, market makers, and Web service providers, the primary issue is
liquidity. Success depends on the ability to reach the critical mass of trading partners and
transaction volume necessary to provide sufficient return on investment and create a
viable, sustainable business.

Suppliers face the difficult challenges of maintaining the ability to sell effectively to all
their customers, both in traditional channels and through emerging e-commerce channels,
while finding a way to differentiate themselves from the competition in those new
electronic environments.
As a result, although it has been relatively easy to convince buyers and market makers of
the value of B2B e-commerce, suppliers have been much slower to come around. And,
without a critical mass of suppliers, the savings from procurement systems can’t be
maximized and the liquidity that e-marketplaces require will be impossible to achieve.

“Empowering Suppliers for Integrated Business-to-Business E-Commerce,” © 2002
Microsoft Corporation. All rights reserved. Microsoft Corporation, One Microsoft Way,
Redmond, WA 98052-6399, USA, 01100, 2003.

The Supplier’s Perspective

Arguably, the number one reason that suppliers have been reluctant to take advantage of
B2B e-commerce is that although electronic trading offers clear, easy-to-understand
benefits for buyers, the value proposition for suppliers has been much less clear.
Suppliers must look at the e-commerce landscape as it relates to their own business
ecosystem and their ongoing efforts to drive maximum revenue and benefits. And, all
suppliers have different types of customers who must be served through some
combination of traditional and electronic methods. In addition, e-commerce systems must
integrate with and take advantage of existing internal systems (see Figure 25.2)[1]. Finally,
electronic channels must offer suppliers the ability to differentiate themselves and expose
their business value to their customers in order to compete effectively.

From the supplier’s perspective, a technology investment must fulfill a number of
objectives that are common to companies of every size and complexity:

• It must make measurable impact on the supplier’s business through:
o Increased revenue
o Increased efficiency
o Lower costs of doing business
o Increased agility
o Improved customer service and satisfaction
• It must allow suppliers to differentiate themselves and compete more effectively
by providing:
o The ability to expose the supplier’s full value proposition and brand in
electronic form
o Lower cost and faster acquisition of new customers
o Increased business from existing customers
• It must leverage the existing strengths and investments of the supplier through:
o The ability to enhance and complement existing business processes
o The ability to enhance and complement existing technology investments
(ERP, supply chain, CRM, logistics, collaboration, etc.)
o The ability to increase overall business intelligence and decision-making

A Variety of Selling Channels

A wide range of electronic selling channels exist today. One hypothetical example:
imagine a maker of industrial supplies based in Brazil that sells products directly to
customers all over the world via its Web site, to its biggest customers in North America
and Europe through their electronic procurement systems, and to a wide range of
additional customers through vertical and regional marketplaces. Because all of those
external systems may use different platforms, technologies, communication standards,
and data formats, integration can be complex and costly. To be truly valuable for the
supplier, a solution must insulate a supplier’s processes and strengths from the
complexities that exist outside of its control.

Why Item Number and Price Aren’t Enough

Some solutions offer suppliers the ability to make their goods and services available and
take orders electronically, but stop far short of truly empowering the supplier. In some
cases, these solutions actually threaten their existing business by reducing a company’s
ability to differentiate itself and expose the true value of its products or services.

For example, if a supplier of automobile parts has traditionally competed by offering
superior, customized products and great service at a premium price, simply publishing a
catalog of goods and services to a marketplace or procurement system could make those
items appear as peers to lower-priced, lower-quality items. Buyers may only see the part
number, description, and price, leading them to choose the lower-priced item. This
disempowers the supplier and can result in misinformed buying decisions by their
business customers and, ultimately, lost sales for the supplier. Additionally, many sellers
want to promote their brand and capabilities along with their products and services, and
need a way to effectively interact with their customers and build stronger customer
relationships, even while selling electronically.

Basic Supplier Challenges

For suppliers that are considering whether to embrace B2B e-commerce, it is important to
understand the business and technical challenges, as well as the functionality necessary to
achieve success online. These challenges fall in three major categories:

• Making products and services available to multiple business customers
• Receiving orders from multiple customers
• Managing the online business[1]

Making Products and Services Available to Multiple Business Customers

The first step in any electronic selling environment is providing suppliers with the ability
to get their products and services to market. Several challenges must be overcome to
make this possible.

Catalog Considerations

What separates a good catalog from a bad catalog? The characteristics of successful
electronic catalogs include the ability to create and manage custom catalogs, including
catalogs that provide customized pricing for individual customers or specific selling
channels. Interaction with existing sources of product, pricing, and inventory information
(ERP, supply chain, and other back office applications) is also critical. Additionally, an
effective catalog system should provide Web-ready information (photos, short and long
descriptions, links to additional information, etc.) and proper classification data (such as
UNSPSC) to be effective with customer applications.

Catalog Publishing

Any effective solution must provide the ability to publish product and pricing