Have you ever wondered where your credit card information goes after you submit it to pay for an online purchase? Although you may think that the data goes directly to the merchant, as it passes over the Internet it actually travels through intermediary networks before it reaches its targeted location. As a result, the Internet is often referred to as an ‘open’ system.
Due to the open nature of the Internet there is increased security risk. For instance, when customers provide their credit card information over the Internet to purchase online, this data is at risk of being intercepted as it travels from the customer’s site to the merchant’s site. If the data is intercepted, the order can be stopped, the payment information can be altered, or someone other than the cardholder can use the credit card information.
Six main security elements are required in an E-commerce transaction. From a consumer’s perspective, they are as follows:
Non-repudiation: The consumer cannot deny having made an order.
Confidentiality: The consumer’s personal information is protected from unauthorized access as it travels through intermediary networks and computers.
Access Control: The consumer’s personal information can only be accessed by those who are supposed to access it.
Integrity: The consumer’s personal information is protected from unauthorized modification.
Authentication: The identity of the consumer is verified.
Availability: The consumer is assured that the system and data are accessible when needed.
To aid in the process of effectively protecting data as it is transmitted over the Internet, encryption techniques are available. Encryption is the transformation of data into unreadable code that is not easily interpreted. Two common encryption techniques are private (secret/symmetric) key and public (asymmetric) key cryptography.
Private Key Cryptography
In private key encryption, both the merchant and consumer share a private key that is used to encrypt and decrypt data. Private key systems are simpler and faster. The main drawback is the distribution and management of the keys. Imagine having thousands of customers who each require their own key. You would need to devise a method that ensures each person receives a key and that the key is managed appropriately. Hence, private key systems are best for small networks where the parties know each other and can trust each other with the keys.
Public Key Cryptography
Public key encryption uses two keys: a public key that encrypts the message and a private key that decrypts the message. Both the consumer and the merchant would have their own pair. The public key is stored in a key repository with a certification authority (a trusted third party) and is publicly available, while the private key is retained by the user.
For instance, a customer uses his or her credit card to make an online purchase. The merchant’s public key is used to encrypt the customer’s credit card information. When the merchant receives the encrypted data, it is decrypted with the merchant’s private key.
The main advantages of a public key system are that it supports digital certificates and digital signatures, and it provides all security elements required for an E-commerce transaction. The main disadvantages are that it uses more computer resources than private key cryptography, which means it is slower, and it is more costly to implement.
Public key cryptography provides the ability to use both digital certificates and digital signatures. A digital certificate can be attached to an e-mail or read within a computer application (i.e. a web browser), and is used to verify the identity of the certificate’s owner. It also provides proof of credibility, as it is obtained from a certification authority like Verisign. However, it is left to the consumer’s discretion to understand the process the certification authority used to authenticate the certificate owner. There are different certificate levels available, which means some certificate owners may not be as trustworthy as others.
A digital signature aims to duplicate the process used for physical signatures by ensuring that the message arrives in its original form. It also validates the identity of the sender.
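The public-key exchange described above (the merchant’s public key encrypts the card details, the merchant’s private key decrypts them) together with the digital-signature step, as an added worked example that is not part of the original text. It uses toy textbook RSA with tiny constructed primes (p=61, q=53, e=17 for the merchant; p=101, q=113, e=3533 for the customer) and SHA-256 from the Python standard library; the card and order strings are constructed placeholders.

```python
import hashlib
from math import gcd
# Toy textbook RSA with tiny constructed primes so every step is readable;
# real deployments use 2048-bit-plus primes and OAEP/PSS padding. Study only.

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)): the public key and its matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)  # d = e^-1 mod phi (Python 3.8+)

def encrypt(public_key, m):
    """Encrypt one integer block 0 <= m < n with the recipient's public key."""
    e, n = public_key
    return pow(m, e, n)

def decrypt(private_key, c):
    d, n = private_key  # only the holder of the private key can recover m
    return pow(c, d, n)

def encrypt_bytes(public_key, data):
    return [encrypt(public_key, b) for b in data]  # each byte < 256 < n

def decrypt_bytes(private_key, blocks):
    return bytes(decrypt(private_key, c) for c in blocks)

def _digest_mod_n(message, n):
    # Hash, then reduce into the RSA group (tiny n makes this weak; study only).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Signature = H(message)^d mod n, made with the signer's private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone with the public key can check it; an altered message fails."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

def checkout_demo():
    merchant_pub, merchant_priv = make_keypair(61, 53, 17)      # textbook values
    customer_pub, customer_priv = make_keypair(101, 113, 3533)  # textbook values
    card, order = b"CARD-0000-TEST", b"order#1 item=book qty=1"  # constructed
    blocks = encrypt_bytes(merchant_pub, card)   # readable only with merchant_priv
    sig = sign(customer_priv, order)             # binds the order to the customer
    tampered_ok = verify(customer_pub, order + b" qty=2", sig)
    return decrypt_bytes(merchant_priv, blocks), verify(customer_pub, order, sig), tampered_ok
```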
SECURE SOCKETS LAYER (SSL)
SSL is an example of an industry-wide encryption standard used worldwide in E-commerce transactions to protect the online submission of sensitive customer information, such as credit card details. SSL uses public key encryption, including digital certificates.
Today, all web browsers support SSL, which is essentially transparent to users, with the exception of an icon (a lock or key) at the bottom of the browser window that indicates when a secure session is in use.
SECURE ELECTRONIC TRANSACTIONS (SET)
Secure Electronic Transaction (SET) was launched in 1997 by MasterCard and Visa and is like SSL in that it involves the use of public key encryption.
The main difference between SET and SSL is that SET uses digital certificates for all involved parties, unlike SSL, which has only recently introduced this feature in its newer versions. As a result, SET provides better authentication. As well, SET has better overa
Unfortunately, it does have its drawbacks, including complex implementation and higher costs.