E-commerce
Unit 4 - E-commerce Security and Payment Systems
TU Syllabus:
E-commerce Security Environment; Security Threats; Technology Solutions; Management Policies, Business Procedures, and Public Laws; E-commerce Payment Systems
E-commerce Security Environment
E-commerce security is the protection of e-commerce assets such as customer data, financial information and intellectual property from unauthorized access, use, disclosure, disruption, modification or destruction. E-commerce, the digital backbone of modern retail, has revolutionized the way businesses and consumers interact. However, the exponential growth of online shopping has also introduced new challenges, particularly in the realm of security. The e-commerce sector is a prime target for cybercriminals because of the sheer volume of transactions and sensitive data exchanges involved.
Dimensions of e-commerce security:
The six key dimensions of e-commerce security—integrity, nonrepudiation, authenticity, confidentiality, privacy, and availability—are essential to ensure safe online transactions and protect users.
- Integrity: Integrity means making sure that the information on a website or sent over the Internet isn’t changed by someone who isn’t supposed to. It ensures the data stays exactly as the sender intended, without any tampering during transmission. Example: If you send a bank transfer request for Rs.100 to a friend, but a hacker changes it to Rs. 1,000 and sends it to their own account, the integrity of the message is broken because it’s not what you originally sent.
- Nonrepudiation: Nonrepudiation ensures that people can’t deny their online actions, like saying they didn’t send a message or place an order. It provides proof that someone did what they did, so they can’t back out of their commitments. Example: A customer orders a laptop online but later says, “I didn’t order this!” Nonrepudiation uses digital signatures to prove they placed the order, so they can’t deny it.
- Authenticity: Authenticity is about confirming the true identity of the person or website you’re dealing with online. It prevents “spoofing,” where someone pretends to be someone else to trick you. Example: You visit a website that looks like your bank’s site, but it’s a fake one set up by a scammer. Authenticity checks (like verifying the site’s security certificate) help you confirm it’s really your bank.
- Confidentiality: Confidentiality ensures that only the right people can see sensitive messages or data, keeping it secret from unauthorized users. It protects information from being intercepted by outsiders during transmission. Example: When you enter your credit card details to buy something online, confidentiality ensures hackers can’t steal those details while they’re being sent to the website.
- Privacy: Privacy is about giving customers control over how their personal information (like name, address, or shopping habits) is used by e-commerce sites. It also means protecting that information from being misused by others, like hackers. Example: You share your email with an online store for order updates, but they sell it to advertisers without your permission. Good privacy practices stop this by keeping your info safe and only using it as agreed.
- Availability: Availability ensures that e-commerce websites and services are always up and running, so users can access them whenever needed. It prevents disruptions, like attacks that crash a site, from stopping business. Example: During a big sale, a hacker launches a DDoS attack to crash an online store’s website. Availability measures, like backup servers, keep the site running so customers can still shop.
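The bank-transfer example under Integrity, as an added illustration (not code from the original notes): the sender attaches an HMAC tag to the request, and any change to the amount or destination in transit makes verification fail. The shared key, account numbers and request format are constructed for the demo. Note that an HMAC gives integrity and authenticity between the two parties that share the key, but not nonrepudiation (either party could have produced the tag); that needs an asymmetric digital signature.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed shared secret between the customer's app and the bank.
# Assumption for the demo only; real keys are provisioned securely, never hard-coded.
SHARED_KEY = b"demo-shared-key-not-for-production"


def sign_request(request: dict, key: bytes = SHARED_KEY) -> str:
    """Return an HMAC-SHA256 tag over a canonical JSON encoding of the request."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_request(request: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """True only if the request is byte-for-byte what the key holder signed."""
    expected = sign_request(request, key)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, tag)


def demo() -> Tuple[bool, bool]:
    """Sign a Rs.100 transfer, then check the original and a tampered copy."""
    original = {"from": "ACC-001", "to": "ACC-002", "amount": 100, "currency": "NPR"}
    tag = sign_request(original)
    # An attacker on the path changes the amount and the destination account,
    # but cannot recompute the tag without SHARED_KEY.
    tampered = dict(original, amount=1000, to="ACC-999")
    return verify_request(original, tag), verify_request(tampered, tag)
```

The bank rejects the tampered request because its tag no longer matches; the same check also catches accidental corruption in transit.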
Security Threats
Security threats in e-commerce are risks that can harm the system, steal data, or disrupt operations. These threats exploit vulnerabilities at different points, such as the client (user’s device), server (website host), or communication channel (Internet).
Common Security Threats:
- Malicious Code (Malware): Includes viruses, worms, Trojan horses, and ransomware that infect systems to steal data or disrupt operations. Example: A Trojan horse disguises itself as a legitimate app, but once downloaded by a customer, it steals their login details for an e-commerce site.
- Denial of Service (DoS) and Distributed DoS (DDoS): Attackers flood a website with fake traffic to overwhelm it, making it unavailable to real users. Example: During a big sale, hackers launch a DDoS attack on Flipkart, causing the site to crash and stopping customers from shopping.
- Sniffing/Eavesdropping: Hackers intercept data (like passwords) traveling over unsecured networks. Example: A hacker uses a public Wi-Fi network to capture a customer’s credit card details while they shop online.
- SQL Injection: Hackers insert malicious code into a website’s query forms to access or corrupt its database. Example: A hacker targets an e-commerce site’s search bar, injecting code to steal customer email addresses from the database.
- Credit Card Fraud: Fraudsters use stolen credit card details to make unauthorized purchases or file fake refund requests. Example: A scammer uses a stolen credit card to buy electronics from an online store, leaving the real cardholder to dispute the charges.
- Insider Attacks: Employees with access to sensitive data misuse it or leave security gaps due to negligence. Example: A disgruntled employee at an e-commerce company leaks customer data to a competitor.
- Phishing and Spoofing: Hackers create fake emails or websites that look real to trick users into sharing personal information. Example: A fake email pretending to be from Amazon asks a user to “verify” their password, leading to account theft.
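The SQL Injection item above, as an added example (not code from the original notes): a product search written two ways against a constructed in-memory SQLite table. The first splices the user's search term into the SQL text, so a term containing quote characters rewrites the query's WHERE clause and returns every row; the second binds the term as a parameter, so the database treats it purely as a value.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue standing in for the store's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price_npr INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("laptop", 60000), ("phone", 25000), ("headphones", 3000)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """BAD: the search term becomes part of the SQL statement itself."""
    sql = f"SELECT name FROM products WHERE name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """GOOD: the placeholder binds the term as data; it can never alter the query."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]
```

A quick check that the hardened version behaves correctly is to feed both functions the same odd-looking term and confirm only the vulnerable one returns rows it should not; web application firewalls and query logging can flag such inputs, but parameterized queries remove the bug rather than detect it.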
Technology Solutions
Technology solutions are tools and techniques used to protect e-commerce systems from threats, secure data, and ensure safe transactions. These solutions address vulnerabilities at different levels—communication, networks, servers, and clients.
Key Technology Solutions:
Encryption:
- Converts data into a secret code (ciphertext) that only authorized users with a key can decode, ensuring integrity, nonrepudiation, authenticity, and confidentiality.
- Types:
- Symmetric Encryption: Uses the same key for encrypting and decrypting (e.g., AES).
- Asymmetric Encryption: Uses a public key to encrypt and a private key to decrypt (e.g., RSA).
Secure Sockets Layer (SSL)/Transport Layer Security (TLS):
- Secures communication between a user’s browser and the website using encryption, so that data cannot be read or altered if it is intercepted.
- Example: A website with “https://” (like https://www.amazon.com) uses SSL to protect your login details.
Firewalls:
- Acts as a barrier between the e-commerce server and the Internet, blocking unauthorized access while allowing legitimate traffic.
- Types:
- Packet filter firewall: Filters traffic based on IP addresses.
- Application-level proxy: Checks specific applications (e.g., HTTP) for authenticity.
- Example: An e-commerce site uses a firewall to block a hacker trying to access its customer database.
Digital Signatures and Certificates:
- Digital signatures verify the authenticity of a message or sender, while certificates (issued by trusted authorities) confirm a website’s identity.
- Example: A digital certificate on PayPal’s website assures users it’s the real PayPal, not a fake site.
Anti-Virus and Anti-Malware Software:
- Detects and removes malicious software like viruses, worms, and ransomware from servers and user devices.
- Example: An e-commerce admin uses Norton Anti-Virus to scan their server and remove a Trojan horse.
Virtual Private Networks (VPNs):
- Creates a secure, encrypted “tunnel” for data to travel over the Internet, protecting it from eavesdropping.
- Example: A remote employee uses a VPN to securely access the e-commerce company’s internal systems.
Address Verification System (AVS):
- Checks if the billing address matches the credit card to prevent fraudulent purchases.
- Example: An online store uses AVS to flag a purchase where the shipping address differs from the cardholder’s billing address.
Essential Management Policies for Securing an E-commerce Site
- Data Protection and Privacy Policies: Data protection and privacy policies are rules established by an e-commerce business to safeguard customer information, such as personal details and payment data, and to control how this information is collected, stored, used, and shared, ensuring compliance with privacy laws and maintaining customer trust. Example: An online store ensures that customer addresses and emails are encrypted and only used for order updates, asking for consent before sending promotional emails, as per GDPR requirements.
- Access Control and Authentication Policies: Access control and authentication policies are guidelines that define who can access specific systems, data, or resources in an e-commerce platform and how their identity is verified to prevent unauthorized access. Example: An e-commerce company requires employees to use a password and a one-time code sent to their phone (2FA) to access the customer database, ensuring only authorized staff can view it.
- Incident Response and Recovery Policies: Incident response and recovery policies are a set of procedures designed to quickly identify, respond to, and recover from security incidents, such as data breaches or cyberattacks, minimizing damage and restoring normal operations. Example: After a hacker steals customer data from an e-commerce site, the company follows its policy to lock affected accounts, notify users, and restore the system using a secure backup.
- Vendor and Third-Party Management Policies: Vendor and third-party management policies are guidelines that regulate the security practices of external partners, such as suppliers, payment processors, or cloud providers, ensuring they meet the e-commerce business’s security standards and do not introduce vulnerabilities. Example: An e-commerce platform requires its payment processor, Stripe, to encrypt all transactions and provide annual security reports to ensure customer payment data is safe.
- Security Training and Awareness Policies: Security training and awareness policies are rules that mandate regular education and training for employees to recognize security threats, follow best practices, and maintain a culture of security awareness within the e-commerce organization. Example: An online store trains its customer service team to recognize fake emails pretending to be from the company, preventing them from clicking malicious links that could expose customer data.
- Compliance and Regulatory Policies: Compliance and regulatory policies are guidelines that ensure an e-commerce business adheres to legal and industry standards, such as data protection laws and payment security regulations, to avoid penalties and maintain trust. Example: An e-commerce site complies with GDPR by asking EU customers for permission before sending marketing emails, avoiding fines for non-compliance.
- Continuous Monitoring and Improvement Policies: Continuous monitoring and improvement policies are procedures that involve regularly observing e-commerce systems for potential security risks and making ongoing improvements to strengthen security measures based on findings and evolving threats. Example: An e-commerce company uses monitoring software to detect a hacking attempt, then updates its firewall rules to block similar attacks in the future.
Management policies in e-commerce security are critical for a comprehensive approach to risk management. Data protection and privacy policies safeguard customer information, access control and authentication policies limit unauthorized access, incident response and recovery policies ensure quick recovery from breaches, vendor and third-party management policies secure external partnerships, security training and awareness policies educate employees, compliance and regulatory policies align with legal standards, and continuous monitoring and improvement policies keep security up-to-date. Together, they create a robust framework to protect e-commerce operations.
Business Procedures
Business procedures are the operational practices and processes that an e-commerce business follows to ensure security, manage risks, and maintain smooth operations. Below are descriptions of the specified procedures:
User Account Management Procedures: User account management procedures are the steps an e-commerce business takes to create, monitor, and manage user accounts (for both customers and employees) to ensure secure access, prevent unauthorized use, and maintain account integrity. Example: An e-commerce platform requires new customers to verify their email during registration and automatically locks accounts after five failed login attempts to prevent hacking.
User Access Control Procedures: User access control procedures are the processes that regulate who can access specific systems, data, or resources in an e-commerce platform, ensuring that only authorized individuals have the appropriate level of access based on their role. Example: An online store ensures that its warehouse staff can only access inventory data, while only the finance team can process refunds, using role-based access controls.
Transaction Security Procedures: Transaction security procedures are the steps taken to secure online transactions, such as payments and order processing, to prevent fraud, ensure data integrity, and maintain customer trust during financial exchanges. Example: An e-commerce site uses a payment gateway like Razorpay to encrypt credit card details and requires a one-time password (OTP) for transactions above Rs. 500 to prevent fraud.
Data Management and Protection Procedures: Data management and protection procedures are the processes an e-commerce business follows to collect, store, handle, and protect sensitive data, such as customer information and transaction records, ensuring confidentiality, integrity, and compliance with privacy laws. Example: An online store encrypts customer payment details in its database, backs up data weekly to a secure cloud server, and deletes old customer records after five years as per policy.
Compliance and Regulatory Procedures: Compliance and regulatory procedures are the operational steps an e-commerce business takes to adhere to legal and industry standards, such as data protection laws and payment security regulations, to avoid penalties and ensure ethical practices. Example: An e-commerce site ensures compliance with GDPR by asking EU customers for permission before sending marketing emails and keeps records of consent for audits.
Security Management and Incident Response Procedures: Security management and incident response procedures are the operational processes for monitoring, managing, and responding to security incidents, such as cyberattacks or data breaches, to minimize damage and restore normal operations quickly. Example: After detecting a phishing attack, an e-commerce company follows its procedure to block the attacker’s IP, notifies customers to change passwords, and updates its email filters to prevent similar attacks.
Employee Training and Awareness Procedures: Employee training and awareness procedures are the steps taken to educate and train employees on security best practices, threat recognition, and proper handling of sensitive data to reduce human errors and foster a security-conscious culture. Example: An online store trains its customer service team to recognize fake emails pretending to be from the company, preventing them from clicking malicious links that could expose customer data.
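The Transaction Security Procedures item above (an OTP for transactions above Rs. 500), as an added example that is not part of the original notes: the one-time code is computed with HOTP (RFC 4226, HMAC-SHA1 over a counter), and the authorization policy lets small transactions through while demanding a valid code for larger ones. The secret, threshold constant and status strings are assumptions for the demo.

```python
import hashlib
import hmac
from typing import Optional

OTP_THRESHOLD_NPR = 500  # transactions above this amount need a one-time code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authorize(amount_npr: int, supplied_otp: Optional[str],
              secret: bytes, counter: int) -> str:
    """Step-up policy: approve small amounts; require a valid OTP above the threshold.

    The caller must advance `counter` after every successful high-value
    authorization so that a used code cannot be replayed.
    """
    if amount_npr <= OTP_THRESHOLD_NPR:
        return "approved"
    if supplied_otp is None:
        return "otp_required"  # prompt the customer for the code sent to their phone
    if hmac.compare_digest(hotp(secret, counter), supplied_otp):
        return "approved"
    return "rejected"
```

In production the per-customer secret lives only on the server and the OTP device, and the server also rate-limits OTP attempts so the six-digit space cannot be guessed.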
Public laws
Electronic Transactions Act, 2063 (2008) (ETA): The ETA is Nepal’s primary law for regulating electronic transactions and addressing cybercrimes. It legalizes electronic records, digital signatures, and online contracts, ensuring their validity and security. It also defines cybercrimes like unauthorized access, data tampering, and computer fraud, with penalties including fines up to NPR 200,000 or imprisonment up to three years.
Consumer Protection Act, 2075 (2018): This law protects consumers from unfair trade practices in both offline and online markets. It mandates transparency in product details, pricing, and delivery, and ensures consumers can file complaints against fraudulent sellers.
Companies Act, 2063 (2006): This act governs the registration, operation, and compliance of all companies in Nepal, including e-commerce businesses, requiring them to register with the Office of the Company Registrar and comply with operational standards.
Privacy Act, 2075 (2018): This law implements the constitutional right to privacy under Article 28 of the Constitution of Nepal, regulating the use of personal information by public and private entities. It defines personal information (e.g., name, address, biometric data) and sets penalties for breaches.
E-commerce Payment Systems
E-commerce payment systems are digital platforms and methods that facilitate secure, efficient, and convenient transactions between buyers and sellers over the internet, replacing traditional cash or check payments.
Electronic Payment Systems (EPS) in Nepal are digital methods and platforms that enable the transfer of funds between parties (e.g., consumers, merchants, and banks) over the Internet or mobile networks, supporting e-commerce transactions by replacing traditional cash or check payments with secure, convenient alternatives.
Digital Wallets: Digital wallets, also known as mobile payment systems, are applications or platforms that allow users to store funds digitally, make payments to merchants, pay utility bills, or transfer money using a smartphone or computer, often via QR codes or mobile apps, without requiring a direct bank account for every transaction.
Examples:
- eSewa: Nepal’s first digital wallet, used for paying merchants on platforms like Hamro Bazaar or settling utility bills.
- Khalti: A mobile wallet for e-commerce payments on SastoDeal, with features like QR code scanning for quick transactions.
Card-Based Payment Systems: Card-based payment systems involve the use of credit or debit cards issued by banks or financial institutions to make payments online or at point-of-sale (POS) terminals, processed through secure payment gateways for e-commerce transactions. Examples: Visa card, credit card, etc.
Internet Banking: Internet banking is an electronic payment system that allows users to access their bank accounts online via a secure website to transfer funds, pay bills, or make e-commerce purchases directly from their account.
Examples:
- Himalayan Bank Internet Banking: A user logs into Himalayan Bank’s online portal to pay for a laptop on Thulo.com.
- Nabil Bank Net Banking: A customer transfers funds to an e-commerce merchant’s account for bulk purchases.
Mobile Banking: Mobile banking is an electronic payment system where users access banking services through a mobile app provided by their bank, enabling fund transfers, bill payments, and e-commerce transactions directly from their phone.
Examples:
- Kumari Bank Mobile Banking: A user pays for groceries on BigBasket using Kumari Bank’s mobile app.
- Global IME Mobile Banking: A customer transfers money to a merchant on Gyapu Marketplace via the app.
Interbank Payment System (IPS): The Interbank Payment System (IPS) is an electronic payment system operated by Nepal Clearing House Ltd. (NCHL) that enables real-time or near-real-time fund transfers between bank accounts across different banks, supporting e-commerce transactions. Example: Connect IPS.
Electronic Fund Transfer (EFT): Electronic Fund Transfer (EFT) is a payment system that allows direct transfer of funds from one bank account to another, typically for e-commerce purchases or bill payments, without the need for physical checks.
QR Code-Based Payments: QR code-based payments are an electronic payment system where users scan a merchant’s QR code using a mobile app (typically a digital wallet) to make instant payments, often linked to a bank account or wallet balance.