Electronic Commerce
by Pete Loshin, John Vacca
To win on the Internet, you must understand where the opportunity is today and how to
prepare for tomorrow. This book is a guide to reality. It shows you where there is
opportunity. It also shows you how to benefit from using the Internet as a practical
business tool and how to reap benefits quickly and permanently. This book shows you
how to succeed in a competitive environment without having to spend millions of dollars
doing so.
You need to know the building blocks, but you also need to know how to put those blocks
together in a winning combination to build a good foundation for your business to grow
and thrive in the world of electronic commerce. The blocks are just like parts to a puzzle.
They will not work unless you properly combine tools, methods, and know how to
exploit opportunity. This book explains Internet business models, business applications
that can be supported on the Internet, and how companies can benefit from using new
models and new tools.
After you learn about the parts and how to put them together to supercharge your
company, you will also need to know how and where to drive your new business
machine. Other how-to-do-business-on-the-Internet books leave you high and dry and
never tell you how to drive. This book shows you how to drive your business like a race
car, how to steer through uncertainty, and how to grip the road so you do not end up in a
dot-com graveyard.
But, you will need more than just the gas pedal if you are going to succeed in electronic
commerce. Entering the world of electronic commerce is like going on a safari or
expedition into unexplored lands. You need to be able to navigate your business into
uncharted territory. You need balance, intuition, and considerable daring if you are going
to maximize the tools of the Internet. You need to know where the edge of the cliff is and
how to not fall off, like so many of those who came before you. That is the big payoff of
this book.
Michael Erbschloe
Educator, Author, and Technology Strategist
Carlsbad, California
Preface
Recent studies suggest that e-commerce is maturing, taking its place as just another retail
channel, and riding the same ups and downs as any of the traditional channels. It is a
piece of news with mixed implications. Perhaps by now, some of the lingering fears about
e-commerce are fading. Or, perhaps e-commerce is losing momentum. The studies raise
more questions than they answer! But, regardless of whether e-commerce needs to
recapture, maintain, or increase its momentum, there are ways that e-commerce may
enhance its appeal. E-commerce may take advantage of technologies designed to make
communications, self-service, and human-computer actions more natural. E-commerce
may avail itself of technologies such as speech recognition and text-to-speech,
encompassing the functionality of interactive voice response, and talking Web voice
portals. Then, e-commerce may train its ears to recognize calls to even greater success.
If you accept that e-commerce is enjoying growth because consumers perceive that it is
secure and convenient, you might ask whether e-commerce could enjoy even more
growth if its security and convenience could be enhanced. No doubt e-commerce could
stand improvement in these respects. No doubt e-commerce users harbor lingering fears
over credit card usage and the safety of personal information.
For customers relying on phones or mobile devices, convenience may come down to
whether they’ll be able to speak and listen their way through commercial transactions.
Such convenience, although seldom raised in mainstream discussions of e-commerce, is a
subject of abiding concern in the communications solutions marketplace. In this
marketplace (through applications such as interactive voice response [IVR]), you’re
already familiar with the challenges of voice-enabling customer interactions. And, you’re
already familiar with the trade-offs posed by efforts to maximize convenience.
Furthermore, you’re also already familiar with the need to consolidate the management of
multiple customer interaction channels.
With the preceding in mind, this book introduces the issues involved in bringing business
to the Internet—the obstacles to online commerce as well as the advantages. After the
issues have been laid out, I will explain how advances in cryptography make it possible
to transmit business information across unreliable and insecure networks, reliably and
securely. After the general concepts have been presented, different current commercial
schemes and systems are discussed in their proper perspective. After the various schemes
have been examined, other relevant and related issues can be discussed, including digital
currencies, techniques for marketing on the Internet, and related services available to the
online merchant.
Appendixes include an Internet and networking glossary, a guide to locating the most
current and complete electronic commerce resources on the Internet, a list of EDI codes,
a complete listing of the major e-commerce conferences and trade shows, and several e-
commerce case studies.
In a remarkably short time, the Internet has grown from a quirky playground into a vital,
sophisticated medium for business, and, as the Web evolves further, the threshold for
conducting successful business online will move increasingly higher. Online consumers
are flooding to the Internet, and they come with very high expectations and a degree of
control that they did not have with traditional brick-and-mortar companies. Businesses,
too, are rushing to join the Internet revolution, and new, viable competitors are emerging
in all industries.
This chapter details introductory strategies and priorities for electronic commerce, which
sets the stage for the rest of the book. It also describes how the platform, portal, and
partners are critical to solving business problems in the four most common areas of
electronic commerce: direct marketing, selling, and service; value chain integration;
corporate purchasing; and financial and information services.
Next, the chapter outlines the types of trading mechanisms that can be supported by
existing punchout protocols and the asynchronous trading mechanisms, such as request
for quotations (RFQs), that require extensions to the punchout mechanisms. The chapter
also describes B2B/M2M Protocol Exchange, a tool that IBM has implemented that can
map between various protocols used by different procurement systems. Although this
chapter focuses on the external partner business-to-business (B2B) protocols, a large part
of the integration effort for suppliers is the tie-in to internal processes, such as the
processes to handle purchase orders.
This chapter discusses why the e-business market affords organizations of all sizes and
types the opportunity to leverage their existing assets, employees, technology
infrastructure, and information to gain or maintain marketshare. Finally, the chapter
discusses the need for an integrated value chain and challenges e-business to optimize its
intellectual assets and its investments in core business systems in order to deliver its
products and services to an unpredictable market.
Selling online has become an imperative for retailers and an increasing number of
manufacturers. Recognizing that a 13% loss in customers can completely eliminate the
profitability of their offline stores, retailers have raced to drive e-commerce growth to
$66 billion in 2003 (5.7% of U.S. retail). By mid-2004, over 94% of the largest U.S.
retailers (over $50 billion in annual sales) will be e-commerce enabled. And, for midsized
retailers ($800 million to $50 billion in sales), over 74% will be selling online. Yet these
adopters face a fundamental challenge: using the first generation buy/build model, many
cannot make money at e-commerce, but none can afford to avoid trying. For most of
them, owning and operating an e-commerce infrastructure does not make economic or
operational sense.
With the preceding in mind, this chapter examines types of e-commerce service providers
(ESPs) and vendors. It addresses three topics: why many early adopters have struggled
with the first generation buy/build approach, how the next-generation ESP model delivers
complete, one-stop online sales channels, and which major advantages companies gain by
outsourcing their e-commerce infrastructure. You will also learn how an ESP model
enables manufacturers and retailers to achieve profitability at $40 million to $180 million
in online sales, focus your organization on real profit drivers—not technology, ensure
reliability and scalability in your Web site and order processing, avoid managing
numerous integrations and third-party service relationships, and upgrade functionality
continuously and seamlessly over time.
This chapter helps you discover new integrated services that make it easier than ever to
secure your Web site and accept online credit card payments. You will also learn how to
create an e-commerce Web site as well as how to avoid the risks and challenges involved
in e-commerce trust, the best way to secure and authenticate your site so your customers
feel comfortable providing sensitive information, and how to enable your site to process
online payments in seconds—including credit and debit cards.
To generate HyperText Markup Language (HTML), servlets must supply formatted
strings to println() calls. This technique clogs Java™ code with line after line of
hard-to-comprehend HTML. Furthermore, when servlets generate HTML, Web page design
requires programmers. JavaServer Pages (JSP) pull HTML out of Java code and create a
role for HTML designers. Site development can proceed along parallel tracks (Java
design and HTML design), thereby delivering a Web site faster. JavaServer Pages also
encourage loose coupling between business logic components and presentation
components, thereby making reuse of both more likely. The shopping cart application
discussed in this chapter examines the role of JSP in Web architectures and offers a
practical example of how to get the most out of your e-business applications.
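As an added illustration of the servlet-versus-JSP contrast described above (this is example code, not the book's shopping cart application), the same cart page is rendered twice: once by a servlet that assembles HTML in println() calls, and once by a controller servlet that only prepares data and forwards to a JSP owned by the HTML designer. The `CartItem` bean, the session attribute name `"cart"`, the page path `/WEB-INF/cart.jsp` and the `esc()` helper are assumptions of the example; escaping item names before they reach the HTML is the check a practitioner wants in either style, because HTML built from strings is where user-supplied data turns into markup.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CartServlets {

    // Hypothetical line item held in the session cart (assumed for this example).
    public static class CartItem {
        private final String name;
        private final int quantity;
        public CartItem(String name, int quantity) { this.name = name; this.quantity = quantity; }
        public String getName() { return name; }
        public int getQuantity() { return quantity; }
    }

    // Minimal HTML text escaping so an item name that came from user input or an
    // untrusted catalog cannot inject markup. Assumed helper, not from the chapter.
    static String esc(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The cart is assumed to be stored in the HTTP session under the key "cart".
    @SuppressWarnings("unchecked")
    static List<CartItem> cartOf(HttpServletRequest req) {
        List<CartItem> cart = (List<CartItem>) req.getSession().getAttribute("cart");
        return cart == null ? Collections.<CartItem>emptyList() : cart;
    }

    // 1. Servlet-only style: every line of HTML lives inside Java code.
    public static class PrintlnCartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/html;charset=UTF-8");
            PrintWriter out = resp.getWriter();
            out.println("<html><head><title>Your Cart</title></head><body>");
            out.println("<table>");
            for (CartItem item : cartOf(req)) {
                out.println("<tr><td>" + esc(item.getName()) + "</td><td>"
                        + item.getQuantity() + "</td></tr>");
            }
            out.println("</table></body></html>");
        }
    }

    // 2. JSP style: the servlet prepares data and forwards; the page holds the HTML.
    public static class ControllerCartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            req.setAttribute("items", cartOf(req));
            req.getRequestDispatcher("/WEB-INF/cart.jsp").forward(req, resp);
        }
    }

    /* /WEB-INF/cart.jsp, edited by the HTML designer without touching Java.
     * JSTL's fn:escapeXml plays the role of esc() above.
     *
     * <%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
     * <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
     * <html><head><title>Your Cart</title></head><body>
     * <table>
     *   <c:forEach var="item" items="${items}">
     *     <tr><td>${fn:escapeXml(item.name)}</td><td>${item.quantity}</td></tr>
     *   </c:forEach>
     * </table></body></html>
     */
}
```

The two servlets produce the same page, but only the second lets the HTML change without a Java rebuild, which is the loose coupling the paragraph describes; note that the escaping step must survive the move, since the JSP expression `${item.name}` on its own would emit the raw string.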
The demand for and use of mobile technologies is increasing at a phenomenal rate.
Simultaneously, the underlying landscape of mobile technologies is changing rapidly,
creating the need for solutions to facilitate the long-term growth and success of mobile
enterprise initiatives. This chapter discusses how important it is for software vendors to
provide comprehensive solutions to manage, secure, and maintain the mobile
application’s infrastructure, while fostering development, integration, and access to
applications and information over wireless media.
The Internet is changing the basis of competition for companies of all sizes. Although
many successful formulas for e-business development now exist, most are based on one
of the following merchandising strategies: Web entrepreneurship, virtual build-out, and
operations improvement. This chapter explains how each strategy relies not only on a
great Web site, but also on high-quality, system-ready information about products and the
merchandising programs that drive sales.
In just over seven years, e-commerce database technology has become the common user
interface of choice for many information dissemination systems, whereas relational
database management systems (RDBMS) have been the cornerstone of information
warehousing for years. The integration of the two technologies has made rapid advances
over the last few years. This rapid explosion has led to new challenges for IT managers
and developers. There are several competing technologies available that often do not
address the issues of heterogeneous environments and Web-based application
development. This chapter addresses the challenges of designing and implementing e-
commerce database-integrated Web sites. Furthermore, it focuses on e-commerce
database-Web integration difficulties in heterogeneous database environments.
Today, more than ever, organizations are challenged with improving security without
incurring a corresponding increase in cost or burden to their existing staff. By comparing
the benefits that a new product will provide to the total cost of that product, organizations
will make better choices that ultimately lead to greater security. Leveraging existing
products is quite often the quickest way to improving both security and the bottom line.
Finally, in many cases, organizations can address most of their e-commerce application
concerns or problems with the products they already own. With the preceding in mind,
this part of the chapter very briefly highlights emerging threats specific to e-commerce
application security and provides guidance on effective approaches to e-commerce
application protection.
Businesses that can manage and process e-commerce transactions can gain a competitive
edge by reaching a worldwide audience, at very low cost. This chapter discusses how the
Web poses a unique set of trust issues, which businesses must address at the outset to
minimize risk. Customers submit information and purchase goods or services via the Web
only when they are confident that their personal information, such as credit card numbers
and financial data, is secure.
This chapter explores e-commerce enterprise application security integration and new
technology’s support of rapid deployment of secure e-commerce applications. The
technology, based on the integration of distributed component computing and information
security, represents new power to mount secure, scalable e-commerce services. The
chapter also describes how security enables new e-commerce applications that were not
previously feasible, and how e-commerce solutions create new security responsibilities.
Next, the chapter describes the many challenges of enforcing security in component-
based applications. Finally, the chapter formally introduces Enterprise Application
Security Integration (EASI), which is used to tie together many different security
technologies and, as a result, provides the framework for building secure component
architectures.
For the strongest, most reliable protection of your client-browser communications, Secure
Sockets Layer (SSL) certificates are widely recognized as the industry standard. SSL
certificates allow your Internet site or corporate network to enable SSL encryption, which
authenticates your server and guarantees against alteration and interception of data.
This chapter provides you with a basic introduction to digital ID technology and SSL
certificates. It then lays out the reasons you might consider managed PKI for SSL
certificates as an alternative to one-by-one purchasing. Finally, it presents the features
you can expect if you decide managed PKI for SSL certificates is right for your
organization.
With its worldwide reach, the Web is a lucrative distribution channel with unprecedented
potential. By setting up an online storefront, businesses can reach the millions of people
around the world already using the Internet for transactions. In addition, by ensuring the
security of online payments, businesses can minimize risk and reach a far larger market:
the 89 percent of Internet users who still hesitate to shop online because of security
concerns.
This chapter is a continuation of Chapter 18, with very detailed explanations of key
issues related to online storefront security. It also describes the technologies that are used
to address the issues, and provides step-by-step instructions for obtaining and installing
an SSL certificate.
The payment card has been in existence for many years. It started in the form of a card
embossed with details of the cardholder (account number, name, expiration date), which
could be used at a point of sale to purchase goods or services. The magnetic stripe was
soon introduced as a means of holding more data than was possible by embossing alone.
In the end, the smart card appeared. That’s what this chapter is all about!
The payment stage of any electronic bill presentment and payment (EBPP)
implementation must be able to integrate tightly with accounts receivable (A/R) and
accounts payable (A/P) systems, support backend payment-processing workflows and
procedures, and provide detailed reporting capabilities. With the preceding in mind, this
chapter is about electronic payment systems.
This chapter discusses the market implications of adopting electronic payment systems
and digital currencies in electronic commerce. The key to understanding and exploiting
electronic commerce is to recognize it as a market mechanism, in which all components
of a market interact and must be analyzed collectively. For example, electronic payment
systems bring more than lowered transaction costs, affecting product choices, pricing,
and competition. This chapter also examines economic implications of electronic
payment systems—especially micropayments enabled by digital currencies in terms of
size advantage, the lemons problem, digital product pricing, product differentiation—the
commoditization of consumer information and advertisements, and copyrights. In short,
electronic payment systems are one of the critical factors that allow process innovations
via electronic commerce. Finally, these process innovations may either promote
competitive and efficient markets or worsen the trend toward the vertical integration and
monopolization in the globalized economy.
Chapter 24: International E-Commerce Solutions
The Internet connects potential customers with merchants in many different countries.
This chapter discusses how international e-commerce payment solutions provide a
channel for money to cross oceans and borders.
To help companies make informed decisions and capitalize on the right opportunities, this
chapter discusses solutions designed to help companies integrate business partners more
effectively. Although this notion encompasses a wide range of business challenges and
solutions (including supply chain management, procurement, and CRM), this chapter
focuses specifically on one concept: supplier enablement. The supplier enablement
initiative and technology solutions (whether they be B2B or B2C) are aimed at helping
companies of all sizes to sell to their trading partners more effectively by integrating with
customers’ procurement systems, e-marketplaces, and other electronic sales channels—all
from a single e-business foundation. No matter how large or small a business is, or how
complex or simple its business processes, supplier enablement solutions will make it
easier for your company to reach its customers through whatever purchasing method they
prefer.
Finally, this chapter summarizes and explores some of the implications to both business
and business computing of the continuing evolution of e-business. The chapter also
discusses decision points and the fundamental importance of something even more
critical to e-business success: ease of integration. This part of the chapter pinpoints 15
essential best practices or recommendations for effective e-service.
Part I: Overview of E-Commerce Technology
Chapter List
Chapter 1: What Is Electronic Commerce?
Chapter 2: Types of E-Commerce Technology
Chapter 3: Types of E-Business Models and Markets
Chapter 4: Types of E-Commerce Providers and Vendors
Chapter 1: What Is Electronic Commerce?
“It is impossible for ideas to compete in the marketplace if no forum for their
presentation is provided or available.”
Overview
Electronic commerce is doing business online. It is about using the power of digital
information to understand the needs and preferences of each customer and each partner to
customize products and services for them, and then to deliver the products and services as
quickly as possible. Personalized, automated services offer businesses the potential to
increase revenues, lower costs, and establish and strengthen customer and partner
relationships. To achieve these benefits, many companies today engage in electronic
commerce for direct marketing, selling, and customer service; online banking and billing;
secure distribution of information; value chain trading; and corporate purchasing.
An electronic commerce strategy should help deliver a technology platform, a portal for
online services, and a professional expertise that companies can leverage to adopt new
ways of doing business. Platforms are the foundation of any computer system. An e-
commerce platform should be the foundation of technologies and products that enable
and support electronic commerce. With it, businesses can develop low-cost, high-value
commerce systems that are easy to grow as business grows. An e-commerce platform’s
breadth should also be unmatched, ranging from operating systems to application servers,
to an application infrastructure and development tools, and to a development system.
Portals are the crossroads of the Internet, where consumers gather and where businesses
can connect with them. Companies normally provide customers with a wide range of
choices for professional implementation services and tightly integrated software for
commerce solutions. Independent software vendors (ISVs) have created specialized
commerce software components that extend the platform.
This chapter details introductory strategies and priorities for electronic commerce, which
sets the stage for the rest of the book. It also describes how the platform, portal, and
partners are critical to solving business problems in the four most common areas of
electronic commerce: direct marketing, selling, and service; value chain integration;
corporate purchasing; and financial and information services.
E-Commerce: Doing Business on the Internet
Businesses communicate with customers and partners through channels. The Internet is
one of the newest and, for many purposes, best business communications channels. It is
fast, reasonably reliable, inexpensive, and universally accessible—it reaches virtually
every business and more than 200 million consumers. Doing business online is electronic
commerce, and there are four main areas in which companies conduct business online
today: direct marketing, selling, and service; online banking and billing; secure
distribution of information; and value chain trading and corporate purchasing.
Today, more Web sites focus on direct marketing, selling, and service than on any other
type of electronic commerce. Direct selling was the earliest type of electronic commerce,
and has proven to be a stepping-stone to more complex commerce operations for many
companies. Successes such as Amazon.com, Barnes & Noble, Dell Computer, and the
introduction of e-tickets by major airlines, have catalyzed the growth of this segment,
proving the reach and customer acceptance of the Internet. Across consumer-targeted
commerce sites, there are several keys to success:
• Marketing that creates site visibility and demand, targets customer segments with
personalized offers, and generates qualified sales leads through observation and
analysis of customer behavior.
• Sales-enhancing site design that allows personalized content and adaptive selling
processes that do more than just list catalog items.
• Integrated sales-processing capabilities that provide secure credit card
authorization and payment, automated tax calculation, flexible fulfillment, and
tight integration with existing backend systems, such as inventory, billing, and
distribution.
• Automated customer service features that generate responsive feedback to
consumer inquiries, capture and track information about consumer requests, and
automatically provide customized services based on personal needs and interests [3].
This business-to-consumer (B2C) electronic commerce increases revenue by
reaching the right customers more often. Targeted and automated up-selling and
cross-selling are the new fundamentals of online retailing. Sites that most
frequently provide the best and most appropriate products and services are
rewarded with stronger customer relationships, resulting in improved loyalty and
increased value.
A broad range of financial and information services are performed over the Internet
today, and sites that offer them are enjoying rapid growth. These sites are popular because
they help consumers, businesses of all sizes, and financial institutions distribute some of
their most important information over the Internet with greater convenience and richness
than is available using other channels. For example, you have:
• Online banking
• Online billing
• Secure information distribution
Online Banking
Consumers and small businesses can save time and money by doing their banking on the
Internet. Paying bills, making transfers between accounts, and trading stocks, bonds, and
mutual funds can all be performed electronically by using the Internet to connect
consumers and small businesses with their financial institutions.
Online Billing
Companies that bill can achieve significant cost savings and marketing benefits through
the use of Internet-based bill-delivery and receiving systems. Today, consumers receive
an average of 23 bills per month by mail from retailers, credit card companies, and
utilities.
Secure Information Distribution
To many businesses, information is their most valuable asset. Although the Internet can
enable businesses to reach huge new markets for that information, businesses must also
safeguard that information to protect their assets. Digital Rights Management provides
protection for intellectual and information property, and is a key technology for secure
information distribution.
The Internet also offers tremendous time and cost savings for corporate purchasing of
low-cost, high-volume goods for maintenance, repair, and operations (MRO) activities.
Typical MRO goods include office supplies (such as pens and paper), office equipment
and furniture, computers, and replacement parts. The Internet can transform corporate
purchasing from a labor- and paperwork-intensive process into a self-service application.
Company employees can order equipment on Web sites, company officials can
automatically enforce purchase approval and policies through automated business rules,
and suppliers can keep their catalog information centralized and up-to-date. Purchase
order applications can then use the Internet to transfer the order to suppliers. In response,
suppliers can ship the requested goods and invoice the company over the Internet. In
addition to reduced administrative costs, Internet-based corporate purchasing can
improve order-tracking accuracy, better enforce purchasing policies, provide better
customer and supplier service, reduce inventories, and give companies more power in
negotiating exclusive or volume-discount contracts. In other words, the Internet and e-
business have changed the way enterprises serve customers and compete with each other,
and have heightened awareness for competing supply chains (see sidebar, “Supply Chain
Management”).
Supply Chain Management
Supply chain management (SCM) is changing as companies continue to look for ways to
respond faster, improve service for customers, and maximize sales while decreasing
costs. SCM solutions must support highly configurable products, such as computers and
automobiles, global markets with local specifications, and widely dispersed suppliers and
partners. Yet most companies’ SCM solutions are linear, sequential, and designed for
controlled conditions. They rely on accurate forecasting of demand, but are disconnected
from the actual demand. Decisions are made centrally, and changes typically take days,
weeks, or even months. However, companies increasingly need to respond to changes in
hours and minutes. Supply chains in this century must be adaptive and provide greater
visibility, velocity, flexibility, and responsiveness to enable enterprise value networks to
adapt to changes in supply and demand in real time.
Management Shift
Supply chain management is now the key to increasing and sustaining profitability. In
fact, Stamford, Connecticut-based Gartner Group recently predicted that 91 percent of
leading companies that fail to leverage supply chain management would forfeit their
status as preferred vendors.
According to SAP, mySAP SCM has demonstrated bottom-line benefits for its users. For
example, New York, N.Y.-based Colgate-Palmolive increased forecast accuracy to 98
percent, reduced inventory by 13 percent, and improved cash flow by 13 percent. The
reason: mySAP SCM enables end-to-end integration of supply chain planning, execution,
networking, and coordination.
Proponents of adaptive supply chain networks say that by sharing information about
customer demand with all partners simultaneously—rather than in the traditional,
sequential fashion, with its inherent delays—network partners can act more like a single
entity to stay in-sync with customer needs.
The adaptive supply chain network puts the customer at the center of all activities in the
supply chain, which allows companies to improve overall costs and profits across the
network, instead of just shifting costs to other parts of the supply chain. Given the
dynamics of today’s markets, manufacturers need to rethink their business model on an
almost continuous basis, keep redefining markets and pricing, serve ever-smaller
customer niches, and provide increasingly customized products.
Internal integration helps enterprises break down functional silos and share actionable
information. The adaptive supply chain network relies upon real-time integration of all
supply chain systems, including networking, planning, execution, coordination, and
performance-management systems. But, it also requires integration across systems that
support a variety of functions beyond the traditional supply chain.
With that kind of integration, a superior understanding of the customer drives
everything—CRM, product design, supply chain operations, and even the value proposition of the
entire network. In an adaptive supply chain network, SCM, CRM, and PLM must all
work together. That is the hallmark of a truly customer-centric organization—and the key
to profitability.
Competitive Advantage
Adaptive Planning
Today, most supply chain planning and scheduling systems rely primarily upon historical
data collected from enterprise resource planning (ERP) and legacy systems. However, as
companies aim to create virtually “inventory-less” supply chains, they require the ability
to realign demand and supply almost continuously to consider the latest demand situation
and supply status. Adaptive planning replaces batch-oriented, period planning with an
event-driven, real-time response to demand signals and changing supply situations.
Dynamic Collaboration
Traditional supply chains rely mostly upon inventory and assets, but the adaptive supply
chain network is information-based—it uses shared data for planning and execution
processes. By incorporating data garnered from collaborative processes (such as vendor-
managed inventory [VMI]; collaborative planning, forecasting, and replenishment
[CPFR]; collaborative supply management; and collaborative transportation
management), these networks replace inventory and capacity buffers (long used to make
up for a lack of supply chain visibility) with information.
Distributed Execution
Most execution systems are ill-prepared to support the emerging virtual supply network.
Distributed execution considers the distributed nature of processes in a world of
outsourcing, in which multiple partners in the extended network might manage a single
process. Distributed execution allows the management of processes across different ERP
systems by supporting cross-system integration and collaboration.
Event-Driven Coordination
Today, even small disruptions in supply chains initiate a wave of e-mails, faxes, and
phone calls just to keep pace with the problem. Adaptive supply chain networks address
the challenge of managing the virtual enterprise through up-to-the-minute monitoring and
control of business processes and the rapid, intelligent resolution of exceptions. Event-
driven coordination complements adaptive planning by trying to solve supply chain
exceptions locally to support existing, optimized plans. The result? Faster response to
market changes and instantaneous adaptation to customer needs across the enterprise and
the network.
Most executives would agree that consistent performance metrics are the key to steering
the behavior of individuals and reconciling conflicting goals across functional areas.
Key performance indicators (KPIs) also play a major role in managing collaborative processes and in providing decision makers with actionable information to increase the quality and speed of decisions.
No other business model highlights the need for tight integration across suppliers,
manufacturers (see sidebar, “The Manufacturing E-Commerce Bottom Line”), and
distributors quite like the value chain. Delays in inventory tracking and management can
ripple from the cash register all the way back to raw material production, creating
inventory shortages at any stage of the value chain. The resulting out-of-stock events can
mean lost business. The Internet promises to increase business efficiency by reducing
reporting delays and increasing reporting accuracy. Speed is clearly the business
imperative for the value chain.
The economic downturn in the United States has played havoc with the country’s
manufacturing and engineering sectors for more than three years, leading to the longest
continual month-over-month decline in industrial production since World War II. But, if
there is a bright spot in what economists are predicting for manufacturers in 2004, it is a
trend toward increasing e-commerce revenues and initiatives within the industrial sectors.
The Federal Reserve recently reported that production in American factories fell 3.3
percent. The September 11 terrorist attacks created additional uncertainty in all markets,
but particularly in manufacturing, where inventory levels among retailers and suppliers
were already high. Consumer spending for durable goods took a drop in the wake of the
attacks and as a result of the developing war on terrorism. Analysts also say they do not
expect an uptick in manufacturing production until consumers begin spending with
confidence.
Still, companies like General Electric and General Motors were reporting increases in
online sales and predicting gains in e-commerce by the end of 2003. Officials at GE
indicate they expect to increase the amount of online revenue calendar-year-over-
calendar-year from $9 billion to $24 billion.
A recent study by the National Association of Manufacturers (the leading industry group
of industrial producers) saw dramatic increases in the number of companies developing
Web-based activities to reach both new customers and suppliers. Despite the intense hype
surrounding e-commerce, right now it’s still just a small fraction of most business and
manufacturing operations. But, nearly three quarters of the companies surveyed reported
they were developing e-commerce initiatives to grow their revenues, a harbinger of
dramatic change down the road. As capital spending rebounds, there should be a
significant increase in networking and business-to-business software investments.
Moving forward, all companies will be able to take advantage of value chain integration
through the low cost of the Internet. Open standards for electronic document exchange
will allow all companies to become Internet trading partners and function as suppliers,
consumers, or both in this business-to-business electronic commerce. This integrated
trading will tighten relationships between businesses while offering them greater choices
in supplier selection.
Issues in Implementing Electronic Commerce
Although it is simple to describe their benefits, it is not nearly as easy to develop and
deploy commerce systems. Companies can face significant implementation issues:
• Cost
• Value
• Security
• Leveraging existing systems
• Interoperability
Cost
Electronic commerce requires significant investments in new technologies that can touch
many of a company’s core business processes. As with all major business systems,
electronic commerce systems require significant investments in hardware, software,
staffing, and training. Businesses need comprehensive solutions with greater ease-of-use
to help foster cost-effective deployment.
Value
Businesses want to know that their investments in electronic commerce systems will
produce a return. Business objectives such as lead generation, business-process
automation, and cost reduction must be met. Systems used to reach these goals need to be
flexible enough to change when the business changes.
Security
The Internet provides universal access, but companies must protect their assets against
accidental or malicious misuse. System security, however, must not create prohibitive
complexity or reduce flexibility. Customer information also needs to be protected from
internal and external misuse. Privacy systems should safeguard the personal information
critical to building sites that satisfy customer and business needs [6].
Leveraging Existing Systems
Most companies already use information technology (IT) to conduct business in non-Internet environments, such as marketing, order management, billing, inventory,
distribution, and customer service. The Internet represents an alternative and
complementary way to do business, but it is imperative that electronic commerce systems
integrate existing systems in a manner that avoids duplicating functionality and maintains
usability, performance, and reliability.
Interoperability
When systems from two or more businesses are able to exchange documents without manual intervention, businesses achieve cost reduction, improved performance, and more dynamic value chains.
Failing to address any of these issues can spell failure for a system’s implementation effort. Therefore, your company’s commerce strategy should be designed to address all of these issues to help customers achieve the benefits of electronic commerce.
Your company’s vision for electronic commerce should also be to help businesses
establish stronger relationships with customers and industry partners. For example, a
successful strategy for delivering this vision is described by three workflow elements
(platform, portal, and industry partners), each backed by comprehensive technology,
product, and service offerings.
Workflow Technology
E-businesses need workflow technology to react rapidly to process changes. For example,
an instant change to the workflow process can be accomplished with a simple change to
the workflow map by a nonprogrammer, to effect temporary or continuous changes in the
business process, thus accommodating short-term business needs or long-term process
improvements. A workflow-driven e-business will see immediate shifts that allow it to process more efficiently under high-volume circumstances.
The bottom line? Workflow design tools should be a core requirement for e-business
applications. A detailed discussion of workflow technology is presented in Chapter 2,
“Types of E-Commerce Technology.”
Now, let’s take a look at the transformation of the scope of the Internet and the Web. The
discussion centers around the Session Initiation Protocol’s (SIP) effect on multimedia-
enabled e-commerce.
[3] Microsoft Corporation, “Electronic Commerce Explained,” © 2003 Microsoft Corporation. All rights reserved. The Business Forum, 9297 Burton Way, Suite 100, Beverly Hills, CA 90212 (August 2002): pp. 1–19.
[4] Runge, Wolfgang and Renz, Alexander, “Adaptive Networks Broaden Relationships,” © 2003 SAP AG. All rights reserved. SAP America Inc., Strategic Planning & Support Office, 3999 West Chester Pike, Newtown Square, PA 19073, USA [advertising supplement in the June 2002 edition of MSI, Reed Business Information, 2500 Clearwater Drive, Oak Brook, IL 60523 (June 2002)].
[6] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.
The renaissance of the Internet age launched an entirely new set of communication
technologies and methods. As multiple technologies evolve and interoperate, so do
complementary standards, such as those for multimedia applications. The advancement of
multimedia applications for the Web has resulted in a wave of new technologies to
enhance the Internet experience. From voice to video, the latest developments have
resulted in the requisite standards to allow for the full maturation of the technology.
Voice over IP (VoIP) has gained acceptance within the last few years, with older
standards enabling the technology. As more advanced standards mature and enhanced
capabilities and features become available, the adoption of VoIP has begun to take off.
For example, H.323 is currently the dominant standard for initiating a voice session. But, as more multimedia services, such as unified messaging, video conferencing, instant chat, and presence, gain acceptance in an Internet Protocol (IP) environment, more robust standards are needed. Hence the creation of the Session Initiation Protocol (SIP), a text-based protocol modeled on HTTP’s request/response exchange.
SIP’s main functions are signaling and call control for IP-based communications. It
defines the desired service for the user, such as point-to-point calls, multipoint
conferencing, text, voice, or video. Using the protocol, SIP servers perform a routing
service that puts the caller in contact with the called party, taking into account the desired
service and user preferences. Because SIP borrows HTTP’s text-based request/response model and header syntax, it eases the integration of voice with other Web services.
The Benefits of SIP
As the new voice-ready IP standard, SIP enables the initiation of an interactive Internet
experience involving multimedia elements, such as video, voice, chat, gaming, and
virtual reality. The main advantages of SIP for the VoIP market include enhanced
scalability, easy implementation, and dramatically reduced call setup time.
Another key benefit of SIP for VoIP is the easy integration with many other IP services.
Through SIP, service providers can easily add services and applications for VoIP
customers while minimizing interoperability issues. SIP is flexible and extensible, easily
supporting a wide array of endpoint devices and configurations. More importantly, SIP runs over IP networks regardless of the underlying networking technology, such as asynchronous transfer mode (ATM).
By taking advantage of the Internet, SIP technology provides new service capabilities while supporting the use of key services from the circuit-switched telephone network. IP-based communications can use SIP Uniform Resource Identifiers (URIs) for addressing, similar to the World Wide Web, in which the form of the URI resembles an e-mail address (for example, sip:alice@example.com). The support of both telephony and Web-type addressing enables IP
communication to seamlessly bridge a telephone network and the Internet. Users on
either network can reach any point on the Public Switched Telephone Network (PSTN) or
the Internet without giving up the existing devices or advantages of either.
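To make the preceding points concrete (SIP’s HTTP-like text format, its e-mail-style addresses, and the way a SIP server or endpoint relates a response to a request), here is an added example. It is not code from the book or from any SIP implementation: it parses a SIP INVITE and the 200 OK that answers it, decodes the addresses in the From and To headers, and performs the check a user agent makes before accepting a response as belonging to its own request. Both messages are constructed for the example; the hosts, tags, Call-ID and branch values are invented, and header folding and compact header names (v: for Via:) are not handled.

```python
# Added example (not from the book): a minimal parser for SIP's HTTP-like text
# format and the check a user agent makes to tie a response to the INVITE it
# sent.  Both messages are constructed; hosts, tags and branch values are invented.
import re
from dataclasses import dataclass
from typing import Optional

SIP_VERSION = "SIP/2.0"

# A SIP address looks like an e-mail address, sip:user@host[:port][;p=v], and in
# From/To/Contact may be wrapped as   "Display Name" <uri>;tag=...
_ADDR_RE = re.compile(
    r'^(?:"?(?P<display>[^"<]*?)"?\s*)?<?(?P<scheme>sips?):'
    r'(?:(?P<user>[^@;>]+)@)?(?P<host>[^:;>]+)(?::(?P<port>\d+))?'
    r'(?P<uri_params>(?:;[^;>]+)*)>?(?P<addr_params>(?:;[^;]+)*)$')

@dataclass
class SipAddress:
    scheme: str
    user: Optional[str]
    host: str
    port: int
    display: Optional[str]
    params: dict               # address parameters such as tag=...

def parse_address(value: str) -> SipAddress:
    m = _ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a SIP address: {value!r}")
    # Default ports: 5060 for sip, 5061 for sips (SIP over TLS)
    port = int(m["port"]) if m["port"] else (5061 if m["scheme"] == "sips" else 5060)
    params = dict(p.split("=", 1) if "=" in p else (p, "")
                  for p in m["addr_params"].split(";") if p)
    return SipAddress(m["scheme"], m["user"], m["host"], port, m["display"] or None, params)

@dataclass
class SipMessage:
    method: Optional[str]      # requests: INVITE, ACK, BYE, ...
    status: Optional[int]      # responses: 100, 180, 200, ...
    headers: dict              # lower-cased header name -> value
    body: str                  # normally SDP describing the media session

def parse_message(raw: str) -> SipMessage:
    """Split start line, headers and body exactly as for an HTTP/1.x message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start.startswith(SIP_VERSION + " "):            # "SIP/2.0 200 OK"
        return SipMessage(None, int(start.split(" ")[1]), headers, body)
    method, _request_uri, version = start.split(" ")    # "INVITE sip:... SIP/2.0"
    if version != SIP_VERSION:
        raise ValueError(f"unsupported version {version!r}")
    return SipMessage(method, None, headers, body)

def _top_via_branch(msg: SipMessage) -> Optional[str]:
    m = re.search(r";branch=([^;,\s]+)", msg.headers.get("via", ""))
    return m.group(1) if m else None

def response_matches(request: SipMessage, response: SipMessage) -> bool:
    """RFC 3261 17.1.3 client matching: top Via branch and CSeq must equal the
    request's; Call-ID is checked too so a response to another call is rejected."""
    return (response.status is not None
            and _top_via_branch(request) == _top_via_branch(response)
            and request.headers.get("cseq") == response.headers.get("cseq")
            and request.headers.get("call-id") == response.headers.get("call-id"))

# Constructed exchange: Alice's PC sends INVITE, Bob's phone answers 200 OK.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds;received=192.0.2.4\r\n"
    "To: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sips:bob@192.0.2.4:5061>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def call_summary(invite_raw: str, response_raw: str) -> dict:
    req, resp = parse_message(invite_raw), parse_message(response_raw)
    caller, callee = parse_address(req.headers["from"]), parse_address(resp.headers["to"])
    return {"caller": f"{caller.user}@{caller.host}",
            "callee": f"{callee.user}@{callee.host}",
            "callee_tag": callee.params.get("tag"),   # the To-tag completes the dialog ID
            "matched": response_matches(req, resp),
            "status": resp.status}
```

Because the whole exchange is plain text, a proxy or registrar should treat every header as attacker-supplied input: the From address identifies nobody until the sender has answered a SIP digest-authentication challenge, and sips: (SIP over TLS) is what keeps the signaling private on the wire.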
The emergence of SIP has opened up new doors of innovation, enabling the next
generation of e-commerce through the use of VoIP and multimedia applications. The
simplicity of SIP technology is facilitating the spread of VoIP around the world. SIP’s
straightforward approach has encouraged developers of e-commerce applications and
telecommunications providers to implement it into their customer relationship
management (CRM) systems.
Traditional voice call centers for customer support are migrating to Web support centers
where the focus is shifting from pure voice (800 numbers) to e-mail support, text chat,
voice, and video with click-to-connect service. The integration of these applications
brings a fresh dimension of communication to customer-facing Web sites. As customers
experience the benefit of multiple touch points, enterprises are compelled to integrate
these new communication methods into their CRM systems. As the enabling protocol,
SIP is well-suited to bring these capabilities to the user.
Because SIP supports instant messaging and presence (through its SIMPLE extensions), a whole new level of customer communications can take place. Presence lets users know the
availability of other parties, and when coupled with instant messaging and conferencing,
allows for communications to happen in a spontaneous fashion. With these added
functionalities, the online consumer can experience a rich customer support environment.
Because SIP enables real-time voice and video to become viable applications on many e-
commerce Web sites, it enhances Internet call center productivity. With the click of a
mouse, a customer can talk to or be in face-to-face contact with a service representative.
This level of customer service allows an immediate personal connection with customers
—one of the most critical aspects in CRM. The adoption of e-commerce will be bolstered
further as consumers begin to rely upon this type of online customer service.
SIP-based communications can be achieved with any device, fixed or mobile, such as
laptops and Internet-ready phones [5]. In addition, because SIP supports name mapping
and redirection services, it is possible for users to initiate and receive communications
and services from any location, and for networks to identify users regardless of location.
This adds an additional level of usability from a CRM perspective. As e-commerce
spreads to cell phones and other handheld devices, this functionality will increase in
importance.
Now, let’s look at how to use the Web to reach customers. Although customer experience
includes intangible, nonquantifiable aspects, it also includes a wide range of entirely
measurable Web site elements.
[5] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
The rules are the same. To succeed in e-business, just as in brick-and-mortar, you need
customers. And, keeping customers is vastly cheaper than getting new ones. High rates of
customer retention (and the referrals that accompany happy consumers) can mean the
difference between success and going back to the drawing board.
The challenges that e-businesses face, however, in earning and retaining customers are
different from those confronted by traditional business. A shopper who drives to the
bookstore is not likely to put down the book he wants and drive to another location
because of a line at the checkout stand. Someone looking for the biggest selection of CDs
cannot go to 20 stores in 6 states in half an hour to check their selection. And, once you
have received personal attention from someone at a store, helping you find exactly what
you need, it isn’t hard to decide where to go next time.
The options and flexibility of doing business online put much more control in the hands
of the consumer, placing a premium on the performance, effectiveness, and reliability of
an organization’s Web site. There is no one to apologize to Internet customers when the
service goes down, or when an image is missing, or to explain what an error message
means. And, alternatives are just a click away.
For online consumers, the user experience is the most significant factor in customer
retention. Customer experience comprises a range of issues, including ease-of-use,
dependability, speed, as well as less quantifiable aspects of a Web site. As the Internet
matures and evolves into a ubiquitous, if not preeminent, medium for business, those
companies best able to monitor their Web sites and ensure a positive, rewarding customer
experience will have an unparalleled advantage in the race to create and retain loyal
customers.
There is no free lunch, though, and along with the benefits of doing business in the new
economy comes a new kind of customer, one with different expectations and standards by
which companies are judged. Web sites must offer a consistently positive customer
experience to win over consumers. Inspiring loyalty is the biggest challenge to e-
businesses, and e-consumers are a tough group to win. Thus, the attraction of moving an
established, traditional business to the Internet (or of starting a new, pure-play Internet
business) involves a variety of factors:
• Global reach
• Higher profile
• 24 × 7 availability
• Targeted focus
• Cost savings
Global Reach
A small organization no longer has to be a local organization. Anyone with Web access
(in a living room in Chicago, in a log cabin in Alaska, or in a café in Bordeaux) can spend
their time, and their money, at any online business.
Higher Profile
A company can have a significant Web presence and profile, even with relatively modest
depth and breadth to its inventory. On the Internet, a small but very efficient company can
have the profile of a much larger, deep-pocketed competitor.
24 × 7 Availability
E-businesses do not have to close at the end of the day. Information and services can be
available any time, any day, allowing revenue to be earned without interruption.
Targeted Focus
Companies do not have to be all things to all consumers. Through the Internet, individual customers can get goods and services tailored to their needs.
Cost Savings
Significant savings from, among other things, streamlining inventory and distribution channels are possible in effective e-businesses.
New Medium and New Expectations
Internet consumers expect e-business to be faster and more extensive, with more options
and services, than brick-and-mortar alternatives. They expect their experience online to
be easy, as uncomplicated as buying a newspaper or filling the car with gas. And, if they
encounter any problems with the site, or have difficulty understanding how it works, or
are otherwise frustrated, they know they can go somewhere else, to another Web site, and
be there in no time.
Speed Wins
Speed is crucial for successful e-businesses. Consumers expect Web sites to be fast. A
useful starting point is the eight-second rule of thumb. The rule says that a significant
number of users are unwilling to wait longer than eight seconds for a page to load or an
action to be executed, and as technology improves and speeds increase, the time users
will wait before leaving the site is likely to decrease. Many factors, from fundamental site
architecture to network traffic at certain times of the day, affect how fast a site will
function. Vital for success in any e-business is ongoing monitoring of the performance of
its site, identifying cycles of usage and ranges of performance, and making necessary
modifications and upgrades to ensure speed.
There have been attempts to quantify the economic loss due to unacceptably slow Web
page download speeds, which is one aspect of e-business customer churn. It is estimated
that as much as $473 million is lost per month from customer bailout from impatience.
If It Isn’t Broken
Key to the user’s experience and level of comfort in e-business is consistency. Whereas a
brick-and-mortar business could not redesign the store every month, e-businesses can,
and some do. The relative cost for changing the look and feel of an e-business is low, and
the appeal of adding new features is a strong temptation. There is a fine line, however,
between a “sticky” site, one that attracts new customers and urges old ones to return, and
a site that changes so often and in such ways that customers must relearn the site. Instead
of spending the extra time to deal with the hassle, they will go to the competition, the one
that is fundamentally consistent in its presentation and functionality, and they will stay
there.
No Experience Required
Many new e-business consumers are novices not only with online transactions, but also
with the Internet in general, and this complicates the issue of glitches and raises the ante
for Web sites to function smoothly. A computer neophyte is less likely to understand, or
have patience with, technical difficulties. A recent survey conducted by ICL, an e-
business services company, indicates relatively high levels of stress and anxiety caused
by computer problems for “typical” users.
• Forty-nine percent found computer problems more stressful than being stuck or
delayed on public transportation.
• Seventy-nine percent found computer problems more stressful than having to
spend a weekend with a spouse’s parents.
• Twenty-three percent found computer problems more stressful than being left by a
partner or spouse [1].
No Web site runs perfectly 100 percent of the time, but those that are close to 100 percent
(Web sites that minimize outages and are able very quickly to detect and correct problems
when they do occur) have a significant advantage. Web sites that frustrate users scare
them away; Web sites that consistently offer pleasant, easy experiences keep their
customers.
A less tangible but equally vital aspect to customer loyalty in e-business is trust. For
consumers, participation in a typical Internet business model requires divulging personal
information for registration purposes, often including sending credit card numbers to the
site. Increasingly, customers are cautious when sending such information and wary about
sites that they suspect may not adequately guard the privacy of their demographic and
financial information. Web sites that have prolonged outages or frequent transaction
failures break the chain of trust with their consumers, pushing them to other providers
that instill stronger confidence and, therefore, loyalty, in their customers.
Without these, customers will click away, going to the sites that give consumers the
interaction with e-business that they expect and require.
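The security requirement listed earlier under “Issues in Implementing Electronic Commerce” (protecting customer information from internal as well as external misuse) and the trust point just made (customers handing over credit card numbers) come together in how a site stores card data. The following is an added example, not code from the book: the customer table keeps only a random token and the last four digits, the full number lives in a vault that only a payments role may query, and every query, allowed or denied, is written to an audit trail. The role names, the token format and the in-memory vault are assumptions for illustration; a real vault is encrypted at rest.

```python
# Added example (not from the book): holding customers' card numbers so that
# neither an outside attacker who reads the customer table nor an internal
# user with the wrong role can recover them.  Roles, token format and the
# in-memory vault are assumptions; a real vault is encrypted at rest.
import secrets
from dataclasses import dataclass, field

def luhn_ok(pan: str) -> bool:
    """Luhn check digit: rejects mistyped numbers before anything is stored."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def masked(pan: str) -> str:
    """The only form of the number that lives outside the vault."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass
class CardVault:
    """Full numbers under random tokens.  Only the payments role may exchange a
    token for the number, and every attempt, allowed or not, is audited."""
    _pans: dict = field(default_factory=dict)    # token -> PAN
    audit: list = field(default_factory=list)    # (principal, role, token, allowed)

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)  # random, so it reveals nothing about the PAN
        self._pans[token] = pan.replace(" ", "")
        return token

    def detokenize(self, token: str, principal: str, role: str) -> str:
        allowed = role == "payments"
        self.audit.append((principal, role, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read full card numbers")
        return self._pans[token]

@dataclass
class CustomerRecord:
    customer_id: str
    email: str
    card_token: str     # useless to anyone without vault access
    card_display: str   # e.g. ************1111

def store_card(vault: CardVault, customer_id: str, email: str, pan: str) -> CustomerRecord:
    """Validate, tokenize, and keep only what the site itself needs."""
    return CustomerRecord(customer_id, email, vault.tokenize(pan), masked(pan))

def view_for(record: CustomerRecord, role: str) -> dict:
    """Least privilege on the read path: each role sees only the fields it needs."""
    view = {"customer_id": record.customer_id, "card": record.card_display}
    if role in ("support", "payments"):
        view["email"] = record.email
    if role == "payments":
        view["card_token"] = record.card_token
    return view
```

The point of the split is that a dump of the customer table yields nothing a fraudster can charge, and an employee outside the payments role leaves an audit entry rather than a card number when they try.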
Customer acquisition costs range wildly from one company to the next, but everyone
understands that once a company has acquired customers, the key to maximizing revenue
is keeping them.
The preceding are potentially frightening data to e-business, which lives, or dies, in a
medium where jumping from one Web site to another, changing brands and loyalties, is
easier and faster than ever. In the realm of e-business, high rates of retention are
imperative for success and even survival.
Loyal customers are the best customers. People who are committed to Buick and who
will not buy a car from any other manufacturer are the ideal consumers for Buick. They
do not require further acquisition expenses, they will buy Buick cars for their children
and recommend Buick to their friends, and they are statistically much more likely to buy
up, getting newer models loaded with optional equipment. The recent boom in online
loyalty reward programs demonstrates that e-business understands the lifetime value of
loyal customers and is starting to shift resources to retention efforts. Many of these
incentives are financial, offering repeat buyers the opportunity to earn points that can be
redeemed for goods or services. Although low prices and points programs are a strong
draw initially for consumers, e-consumers will, as in traditional business, grant their
loyalties ultimately to those businesses that offer them the best experience, of which price
is just one of several considerations. Low prices are the carrot on the stick for acquisition,
but user experience and customer service are the tools of retention.
Of special interest to e-business are customers gained through referrals from existing
customers, as well as customers lost due to negative reactions about a particular Web site.
According to a recent Bain & Co./Mainspring survey, online apparel customers referred 4
people after the initial purchase and 8 people after 11 purchases. The global reach of the
Internet becomes a handicap when a consumer brings up a list of dozens of online
retailers in a given industry. E-business consumers are generally anxious for referrals
from people they trust to help guide them through the ever-growing sea of Web sites.
Referrals also provide an exception to the high cost of acquiring new customers. Every
customer who is referred to a company is “free,” or is at least a significant offset to the
marketing and sales budgets for customer acquisition. Though somewhat more difficult to
measure, word-of-mouth advertising is extremely important and can have a remarkable
impact on a company’s bottom line.
E-businesses tread a thinner line than traditional businesses in efforts to attract and keep
consumers. Someone who drives to a store will extend greater latitude to that shop (in
terms of what the consumer likes or dislikes about the store, its selection, its layout, its
service) than to a Web site. Online consumers expect speed, reliability, and broad
selection. When they do not get it, they leave. All it takes to leave is typing a new Web
address or following a link. For e-business, there is no dress rehearsal and often no
second chance.
Internet users are increasingly barraged by new sites, new services, all competing for
their eyes and their dollars. When consumers find a site they like, they add a bookmark
and stop hunting. And when a site does not satisfy consumers, they don’t return and they
tell their friends not to go.
At issue for consumers is the tension between knowing they have more control with e-
business and feeling overwhelmed by the choices, and this tension can spell disaster for
an e-business that does not adequately mind its store. Often a single negative experience
for a consumer means he or she will not return to that site to give that company another
chance. If someone tries to buy a puzzle online and the transaction fails, there are enough
other online toy retailers that this consumer need never return to the one that failed. A
recent study of online shopping by the Boston Consulting Group for a 12-month period
reveals unsettling statistics for e-commerce companies battling to attract and keep
consumers.
• Consumers who are satisfied with their first-time online purchase spent, on
average, $600 in 13 transactions; dissatisfied first-time purchasers spent $250 in 5
transactions.
• Five out of six e-consumers experienced a failed purchase; 29% of all online
purchases failed.
• Twenty-four percent of online shoppers who experienced a failure stopped
shopping at that site; 7% also stopped shopping at that company’s brick-and-
mortar store[1].
The new and rapidly expanding business of online securities trading offers a vivid
example of the best and the worst for e-businesses. Online trading has offered
unprecedented access for thousands of users to securities markets. The reach of brokerage
houses has extended into demographic sectors that previously had neither the time for nor
the access to securities trading, while securities markets have extended their hours, with
talk of 24-hour trading on the horizon. Thousands of consumers place millions of trades
at relatively low commission, filling the coffers of online trading firms.
Moving the apparatus for trading to the desktop, however, has resulted in a wealth of
information passing to the customer, with a corresponding shift in power away from the
brokerage company. With the Internet, customers are more aware of stock prices, of
transactions, and of failures. When a glitch prevents online traders from selling stock or
canceling orders when the price falls, those traders lose money and can very accurately
identify how much they have lost.
Most of the leading Internet brokerages have suffered outages, ranging from a few
minutes to several hours, and the costs to these businesses go far beyond the defection of
angry customers. Online brokerages are having to compensate customers for losses
suffered when trades could not be executed because of outages, and these payments are
stretching into the millions of dollars for each of several leading online brokerages. Not
only does an outage scare off otherwise potentially loyal customers, it forces the
brokerage to write checks to unhappy customers on their way out the door.
A final significant problem facing e-businesses (at least those that are publicly traded) is
the response on Wall Street to reports of prolonged service failures or customer
dissatisfaction. In a market where a company that reports earnings slightly below
projections can see the price of its stock tumble, word of a serious disruption of service
can be crushing as investors (many of them trading online) flee and unload their stock in
that company.
The price paid by e-business (in lost revenue from dissatisfied customers as well as
payments made for consumer losses) from inadequate performance and significant site
outages is potentially crippling, especially for pure-play Internet companies that have no
other customer base or business medium to depend on. No Web site is perfect, however,
and glitches are a reality in any online application. The key for e-business is to establish
performance benchmarks to attract and keep customers and to minimize technical
problems that make sites unavailable or prevent them from meeting necessary standards.
No e-business will be successful without adequate and appropriate tools to monitor
performance of its Web site and alert site operators immediately about slowdowns and
failures of service.
Ensuring the Customer Experience
Given the economic repercussions of a company’s inability to build and retain a base of
satisfied, loyal customers, the need for effective site-monitoring applications is
paramount, and a site monitor must be sophisticated enough to measure more than
uptime. According to Forrester Research, only 27% of site managers look beyond uptime
to specific network performance standards, and even fewer monitor transaction success
rates. It is these more complex data, however, not simply whether a page is available, that give important insight into the user experience and associated rates of retention and referral.
Service-level agreements (SLAs) that provide real value stipulate more than simply what
percent of time a site will be up, and monitoring applications gives internal operators and
hosting facilities the tools they need to measure other important parameters. Identifying
whether a slowdown is from an application failure or from a network bottleneck is
advantageous to IT personnel trying to fix the problem. Additionally, effective use of
monitoring software can identify not only real-time glitches, but also design
shortcomings. Thorough reports from monitors might show, for example, a system
weakness that is responsible for transactional failures. The more quickly and accurately a
problem and its cause are identified, the faster it can be fixed.
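The “Speed Wins” discussion (the eight-second rule) and the monitoring requirements just described (measuring transaction success as well as uptime, and telling an application failure from a network bottleneck) can be turned into a small synthetic-transaction monitor. The following is an added example, not code from the book or from Mercury Interactive: it reads a log of scripted checkout probes, reports availability, transaction success rate and page-time percentiles against SLA targets, and attributes each slow probe to the phase that dominated it. The probe records are constructed, and the column names, thresholds and phase heuristic are assumptions.

```python
# Added example (not from the book or Mercury Interactive): a synthetic-
# transaction monitor that reports more than uptime.  The probe records below
# are constructed; column names, thresholds and the phase heuristic are assumptions.
import csv
import io
import math
from collections import Counter

PAGE_BUDGET_MS = 8000      # the eight-second rule quoted in the text

# One row per scripted checkout probe (constructed).  Timing columns are
# cumulative milestones in milliseconds from the start of the probe.
PROBE_LOG = """\
ts,connected_ms,first_byte_ms,total_ms,http_status,checkout_ok
2003-06-02T09:00:00,40,310,1200,200,1
2003-06-02T09:05:00,38,290,1100,200,1
2003-06-02T09:10:00,5200,5600,9100,200,1
2003-06-02T09:15:00,41,8900,9400,200,0
2003-06-02T09:20:00,39,300,1300,500,0
2003-06-02T09:25:00,0,0,30000,0,0
2003-06-02T09:30:00,42,320,1250,200,1
2003-06-02T09:35:00,40,305,1150,200,1
"""

def parse_probe_log(text: str) -> list:
    return [{k: (v if k == "ts" else int(v)) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def percentile(values, p):
    """Nearest-rank percentile, p in 0..100."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]

def is_up(row) -> bool:
    # What an uptime-only monitor sees: any non-5xx answer counts as "up".
    return row["http_status"] != 0 and row["http_status"] < 500

def classify(row, budget_ms=PAGE_BUDGET_MS) -> str:
    """Name the reason a probe was bad; for slow probes, blame the dominant phase."""
    if row["http_status"] == 0:
        return "outage"                    # timeout or connection refused
    if row["http_status"] >= 500:
        return "server_error"
    if row["total_ms"] <= budget_ms:
        return "ok"
    phases = {
        "network": row["connected_ms"],                              # DNS + TCP handshake
        "application": row["first_byte_ms"] - row["connected_ms"],   # server think time
        "transfer": row["total_ms"] - row["first_byte_ms"],          # payload delivery
    }
    return max(phases, key=phases.get)

def sla_report(rows, budget_ms=PAGE_BUDGET_MS,
               availability_target=0.999, success_target=0.95) -> dict:
    """Availability, transaction success and latency measured against SLA targets."""
    n = len(rows)
    availability = sum(is_up(r) for r in rows) / n
    success = sum(r["checkout_ok"] for r in rows) / n
    totals = [r["total_ms"] for r in rows]
    report = {
        "samples": n,
        "availability": availability,
        "transaction_success": success,
        "p50_ms": percentile(totals, 50),
        "p95_ms": percentile(totals, 95),
        "causes": dict(Counter(classify(r, budget_ms) for r in rows)),
        "breaches": [],
    }
    if availability < availability_target:
        report["breaches"].append("availability")
    if success < success_target:
        report["breaches"].append("transaction_success")
    if report["p95_ms"] > budget_ms:
        report["breaches"].append("latency")
    return report

if __name__ == "__main__":
    for key, value in sla_report(parse_probe_log(PROBE_LOG)).items():
        print(f"{key:>20}: {value}")
```

Note what an uptime-only view would have missed in this log: two of the probes answered 200 within the availability figure, yet one took nine seconds in the TCP connect phase and the other spent nearly nine seconds waiting on the application, and one of them lost the checkout entirely.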
Monitoring software also gives companies the data they need to make projections about
future site usage and the improvements required to accommodate increased activity.
Successful e-businesses can see their usage double in as little as three to six months.
Understanding growth and anticipating future needs can mean the difference between
recognizing the need and getting that extra server now, or waiting until increased traffic
crashes the system.
Features and services like these (what Forrester Research calls “Transaction Management
Services”) are provided through effective, sophisticated monitoring software. It is this
integrated Web quality monitoring that Forrester sees as the next step to managing the
total quality of Web-based business. If, as they predict, e-commerce reaches global
hypergrowth by 2003, it will be those companies with effective monitoring systems
already in place that are able to survive and succeed.
With the preceding in mind, how do industry-leading executives perceive the use of e-
commerce technology in their companies? What are the business benefits provided by
transaction management systems? Should your company build and maintain its own
transaction management system, or buy electronic trading network services? This next
part of the chapter answers these questions and further discusses the costs, benefits, and
perceptions of technologies that enable interenterprise information exchange, or what is
described as the transaction management market (TMM).
[1] “E-Business Customer Retention,” © Copyright 2003 Mercury Interactive Corporation, Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, CA 94089, 2003.
Benefits of the E-Commerce Market
The letter “e” lost much of its language-domineering swagger with the fall of the dot-com
economy. Technology marketers, journalists, and analysts now cringe at “e”-inspired
products and concepts. Venture capitalists hide their money-stuffed mattresses when
Silicon Valley experts drop by with business plans. Yet, electronic commerce veterans in
some of the largest companies in the United States, companies such as Ford, Cisco, Wal-
Mart, Procter and Gamble, McKesson, and Compaq, see opportunity in the midst of e-
commerce turmoil.
Demand Analysis
Transaction management systems meet many of the investment conditions that gain
significance in a slow-growth economy.
However, strong market forces continue to inhibit new TMM investment. Important
inhibitors include:
Economic uncertainty continues to limit capital resource availability and risk tolerance.
Drivers of Change
Several important technology developments are driving change in the TMM market. First
and foremost is the emergence of the Internet as an effective, low-cost means of
transporting mission-critical business information between systems. Although the Internet
alone does not provide the network quality of service (QoS) demanded for mission-
critical data communications, software and service providers have built solutions on top
of this nearly free transport network. Data transport cost declines have fundamentally
altered the way companies interact.
The second major force of change in the TMM market is the emergence of new
technology standards, such as Java™, XML, and Web services. Overcoming
communication barriers, which come in many forms, is often expensive. Java, XML, and
other technology standards remove a number of machine-to-machine communication
barriers and reduce partner integration costs.
Falling integration costs will affect the TMM market in two ways: first, the addressable
market for TMM solutions will continue to expand as solution price points fall into
ranges acceptable to small and midsized businesses. Second, reducing the cost and
complexity involved in deploying and maintaining a TMM system will release corporate
resources to other higher-value automation efforts. Many experienced users that bought
TMM solutions to control order processing costs have since evolved their systems to
manage a demand forecasting process, complex pricing data, and Just-in-Time (JIT)
inventory strategies.
TMM Business Benefits
TMM solutions provide organizations with the ability to effectively process heavy order
volumes and with the ability to better manage very close, codependent partner relations.
Most TMM deployments address one or both of these business objectives.
Now, let’s look at how companies can use TMM technology to process millions of orders
a week with just a few support staff. Others may move only a few files a day, but the
information in those files affects millions of dollars of production costs. For example,
Figure 1.1 (drawn from a recent study by the Yankee Group) summarizes the values that
TMM technologies deliver [2].
TMM solutions can quickly and accurately process thousands, even millions, of orders a
week. Consumer packaged goods manufacturers, apparel manufacturers, retailers,
wholesalers, and companies in similar industries manage high order volumes for fast-
moving, made-to-stock products. In industries such as pharmaceuticals, health products,
and electronic components, where both order volumes and per-SKU prices are high, fast
and accurate order processing is essential to staying in business. Companies facing these
conditions leverage TMM technology to scale business without scaling operational costs.
Combining on-site translation software with electronic trading network service has
proven a very effective means of managing order volume growth without scaling order
processing head count. By working with a network service provider, transaction volume
growth (and related corporate expansion) is not encumbered by technology skill and staff
development needs.
It is difficult to compare manual and automated order processing costs. The comparison
would be interesting, but it is not necessary. In a high-growth, heavy order volume industry,
TMM technology is not a cost-savings option, but a business requirement. Indeed,
despite TMM’s mission-critical nature in heavy order volume industries, many companies
cite innovative forecasting, direct shipment, and customer service capabilities as the most
significant gains their organizations realize from TMM service usage today.
In industries with less demanding order volumes, but more complicated products and
relationships, transaction management systems are used for equally valuable but very
different business reasons. In the high-tech, automotive, and chemicals manufacturing
industries, products are complex, highly engineered, and often expensive. Companies in
these industries are highly dependent on partners to produce high-value, highly complex
products. In these industries and others, dependencies are becoming stronger and
products are becoming more complex. TMM systems support codependent relationships,
allowing companies to play an effective role in complex production processes.
Best Practices
Today, companies are extending, or planning to extend, their TMM systems into
interesting new business automation scenarios. Several of these best-practice examples
are described next.
Speeding business processes and improving customer service to gain competitive advantage
is not cheap. A company could spend nearly $5 million annually to support its machine-
to-machine order processing system. But, business benefits and competitive distinction
greatly outweigh the costs of the system.
For example, in the food-and-beverage industry, paper and mail are slow. Money makes
money. Anything that slows down money or products costs money. Companies usually
tackle banking communications first to speed the processing of thousands of small
monthly order volumes. Most companies usually tackle logistics management challenges
next, which is followed by an incremental deployment with a supplier connectivity
solution. In addition, most companies claim to have achieved a positive ROI in less than
12 months after going live with the banking stage of their implementation.
Most high-tech companies shift their business strategies as the economy begins to slow.
With cost control pressures mounting and shareholders demanding improved returns, the
companies choose to outsource production and certain support services to contract
manufacturers (CMs). To support the outsourcing strategy, the firms identify and
implement TMM technology. The solution manages the mission-critical information
flowing between a company and its new CM partners. A system could cost less than
$400,000 to deploy (including hardware, software, and services). Ongoing costs run
approximately $230,000 annually.
Value added network (VAN) service charges have gained an onerous reputation since the
emergence of the Internet as a corporate communications tool. The idea of charging per-
transaction fees to move data across a network (which is how VAN service charges
accrue) riles free-spirited Internet enthusiasts. But the Internet’s greatest strength
(ubiquity) is also its fatal flaw.
The last thing a company wants is ubiquitous access to its data traffic, nor are companies
interested in the lack of control inherent in a ubiquitously managed network. Absent the
addition of robust technology, the Internet is insecure, unreliable, and unworthy of
mission-critical corporate data. VAN service providers offer subscription-based
technology services that meet corporate data communication needs. VANs ensure that
data gets from point A to point B securely, reliably, and with an audit trail. Companies
pay usage-based subscription charges for access to VAN bandwidth.
Accessing network QoS functionality from a third party also helps separate business
objectives from technology plumbing. Companies interested in deepening partner
collaboration or automating more complex business processes are faced with a myriad of
business challenges. One-time partners become next-project competitors. Partners are
contracted to ship to a production plan, regardless of the status provided by a real-time
system. Processes, which vary by both company and division, need to be reviewed and
aligned. Obstacles abound in a value chain integration scenario. VAN and electronic
trading network service providers remove the interenterprise communication obstacle,
allowing staff to focus on business, not technology problems.
TMM Costs
It is expensive to build and maintain a TMM system, but the business benefits can be
impressive.
Ongoing costs are more easily captured and measured. The average annual cost to operate
a TMM solution is a hefty $2.05 million. Average annual VAN cost is approximately
$650,000 per year, and the average annual internal operational cost (business and IT
support and management labor) totals $2.5 million. These figures capture the bulk of
ongoing costs associated with operating a TMM solution. Software maintenance costs,
which were difficult to capture, are not usually included in this cost assessment.
As the $2 million per year in operational costs indicates, TMM systems are expensive to
run. When considered as a percentage of IT budget or total revenue, the figures are much
less daunting. When considering the business strategies TMM systems support,
operational costs are well within acceptable ROI and total cost of ownership (TCO)
calculation boundaries.
Finally, let’s look at possible roadblocks to e-commerce. Is e-commerce alive and well
and feeling fine? Recently, e-commerce has been associated with some fairly humiliating
phrases: “dot gone” and “dot bomb” being just two of them. At times, e-commerce has
become almost worthy of a snicker when the term comes up in conversation, and lately
it’s hard to open a newspaper without reading about “pink slip parties,” which former
dot-com employees attend to network, write resumes (which they didn’t need during the
venture capital boom), learn that flip-flops and cutoff jeans are not appropriate work
attire in the real world and, finally, come to accept that the fairy-tale employment they
have experienced in recent years has disappeared as spectacularly as Cinderella’s royal
ball accessories at midnight.
Roadblocks to E-Commerce
From the sounds of the media, you would think that e-commerce was a post-Armageddon
landscape. That must be why eBay experienced a 260% growth in 2002.
Want to know a secret? Total e-commerce sales have been predicted to grow somewhere
in the area of 60% in 2003. A study by the National Association of Purchasing
Management and Forrester Research indicates that business-to-business e-commerce is
still in its infancy, with nearly unlimited potential to grow. A recent survey conducted by
both organizations revealed that 95 percent of companies polled indicated they would be
moving forward to implement e-procurement sometime in 2003. This growth is modest
compared to what’s happening offshore. Boston Consulting Group recently reported that
Asian e-commerce continues to triple annually.
With the preceding in mind, e-business has taken a major hit to the collective solar
plexus. Amazon seems to be hanging on moderately well, though probably not
flourishing. It is generally acknowledged that the implosion of many players on the e-
commerce stage, most notably the ones headed by 24-year-old CEOs, has enabled the
companies left standing to reap more profits due to Web-enabled natural selection.
Here’s another interesting trend. In the days of yore (1999 to 2000), many Internet-savvy
consumers indicated that when it came to shopping for larger ticket items, such as audio,
video, and computers, they would do their research online before heading down to a large
electronics superstore such as Circuit City to make a purchase. Today, many people have
taken to wandering the aisles of the large electronics stores to see and touch items, and
then return home to make their purchases from online electronics e-tailers. Why not?
Online return policies have improved about 2,000 percent since the early days of e-
commerce and in many instances, there is no sales tax on items purchased from e-tailers.
Not to mention the fact that buying online enables you to spend the time you would have
dedicated to getting to the mall on some vital task such as sleeping late or reminding
yourself what your family looks like.
E-commerce companies that continue to grow seem to be the ones that better understand
CRM and what it means to their firms. There’s no question, purchasing over the Internet
is as popular as ever and will continue to grow. What many e-tailers didn’t foresee is that
the Internet business model enables customers to be fantastically fickle, and all it takes is
one misstep to lose a customer forever. Good self-service is worth its weight in diamonds,
but it should never entirely replace human interaction. As a result, it becomes fairly safe
to conclude that the e-businesses still standing today are the ones that screwed up CRM
the least.
The survivors have another thing in common: easily navigable Web sites. Remember
some of the disastrous Web sites that first appeared in 1997 and 1998? The designers
sacrificed ease-of-use for art and profundity, with the result that many potential buyers
arrived on the site, admiringly commented, “Ooooh, pretty” and logged off to find a site
that was easier to use. Part and parcel of ease-of-use is a friendly and comprehensive
search engine, and this is another element you will find on the sites of the little e-tailers
who could. Search engines driven by natural language processing are rapidly gaining in
popularity as they allow shoppers to pose questions in much the same manner they would
to a live store representative, for instance, “compare brands of digital cameras in the
mid-price range.” Not only do searches conducted with natural language processing help the
customer, but the technology can also help the e-tailer understand what its customers
want and how they want it.
Privacy, Please
Yet another element that has helped some e-tailers remain strong is the issue of privacy.
Many companies with Web channels have had some decisions to make recently: collect
customer data and e-mail addresses and sell the information for a price to boost sagging
profits, or prominently reassure customers that their information is private and will
remain so in the future? The former choice represents a short-term fix and the latter
choice is the ticket to the long-term payoff. Many companies that sold customer data
from the get-go or made a decision later to sell information seemed to think that their
activities would not be noticed, or that the average consumer wouldn’t care if they
received a few extra spams brought on by the sale of their personal information. This was
a serious miscalculation. In a crowded information age of little free time and space to
breathe, most consumers are becoming rabidly protective of the little privacy they have.
More importantly, e-tailers and Web marketers that chose to collect information from
children not only earned the ire of parents, they began to draw fire from federal and state
regulators.
Finally, the vast majority of companies that made a go at succeeding in e-commerce only
to fail a year or two later are like kids who begin playing with a complex toy and give up
in a huff when they can’t operate the toy based on the fact that they didn’t read the
instructions. All’s well that ends well. The toy becomes available to the kid who values
it and knows how to use it.
[2] “E-Business Evolution: Transaction Management Costs, Benefits, and Market Development,” © Copyright 2002 Yankee Group, Yankee Group, 31 St. James Avenue, Boston, Massachusetts 02116 [Sterling Commerce, 4600 Lakehurst Court, Dublin, OH 43016-2000, USA], 2002.
Summary
In a remarkably short time, the Internet has grown from a quirky playground into a vital,
sophisticated medium for business, and as the Web evolves further, the threshold for
conducting successful business online will move increasingly higher. Online consumers
are flooding to the Internet, and they come with very high expectations and a degree of
control that they did not have with traditional brick-and-mortar companies. Businesses,
too, are rushing to join the Internet revolution, and new, viable competitors are emerging
in all industries.
The enticement of doing business online must be tempered by the understanding that
when the dust settles, a significant percentage of e-businesses will have failed. The ones
that succeed will be those that are able to deliver a satisfying and consistent customer
experience online, building brand loyalty and guaranteeing high rates of customer
retention.
Moving forward, all businesses will be affected by the global move to electronic
commerce. Business operations will change, and new processes will be created.
Companies that start learning in this new environment today will be leaders in the future.
Furthermore, as future technologies are developed, the Session Initiation Protocol (SIP)
will continue to play a pivotal role in the adoption of multimedia e-commerce. SIP’s
simplicity, easy integration, and
extensive interoperability ensure its longevity as the preferred multimedia platform.
In fact, SIP pundits speculate that it will pave the way for carriers to roll out the
innovative voice services only possible with IP. These services most likely will include
Web integration to simplify follow-me services, call conferencing, and ways for users to
speak with a live agent just by clicking a Web site button.
Although the road ahead looks clear, there are potential obstacles to the wide-scale
adoption of multimedia e-commerce. Users will need new or upgraded equipment to take
advantage of SIP technology. Incorporation of SIP into operating systems and in
preconfigured PCs will take some time. Some movement is being seen in this area,
however, with Microsoft® and a number of the third generation (3G) wireless
associations adopting SIP as the protocol of choice [7].
With the help of SIP, Voice over IP (VoIP) e-commerce has the potential to change the
habits of users by enhancing the way they conduct business communication and
transactions over the Internet. As SIP facilitates and completes the integration of
communications on the Web, much innovation lies ahead.
So, despite difficult economic conditions and negative sentiment resulting from the e-
marketplace catastrophe, much is happening in the e-business world. Nearly every
company involved in e-business has expressed interest in improving machine-to-machine
communication with customers, suppliers, or service providers. The majority
(approximately 74%) increased their e-commerce technology budget in 2003 compared to
2002; and, despite difficult economic times and contracting IT budgets, half of the e-
business companies expect the transaction management market (TMM) budget to
increase in 2003 compared to 2002.
Java, XML, and related standards are changing the nature of machine-to-machine
communication. These technologies are driving down integration costs and improving
integration flexibility. As economic conditions improve, these factors will drive increased
spending on technologies that interface with the external business ecosystem.
Most transaction management technology users are not in the business of building and
operating secure, reliable, auditable data communications networks. Outsourcing these
data communication requirements to a third-party service provider can be an effective
way to scale transaction volumes without scaling operation costs, and to avoid plunging
valuable business executives into the integration technology morass.
Consistent with the buy low and sell high mantra, now is the time to develop and, if
possible, execute e-business strategy. The following e-business actions are recommended
for companies interested in automating partner information flow:
You should define business objectives and understand technology capability and
limitations relative to automation opportunities. EDI deployments are often driven by
very basic cost-savings arguments or by brute-force customer requirements. TMM
systems are capable of managing much more than purchase order and invoice exchange
processes. You should understand your customer (and supply) base and how you can
leverage TMM technology to take advantage of these relationships.
Exploring the ways existing systems interoperate can reap significant benefits. For
example, you could use a content management vendor’s workflow engine to automate
processes across both Web site and EDI assets. You should be able to streamline exception
management across multiple platforms. You should also be able to provide consistent
information to partners, regardless of the partner’s means of access (browsers or machine
interface). Systems synergies and cost-savings opportunities abound in the TMM market.
Finally, the costs and capabilities of TMM technologies are changing rapidly.
Understanding the implications of changing conditions will help organizations make wise
decisions today, without creating cost of ownership nightmares for tomorrow. It is also
important to understand how individual vendors are reacting to changing conditions. Can
a vendor support your architectural strategy and your Web service plans? And if so, how
willing will the vendor be to negotiate price to move a new e-business product in a down
economy? Well-researched answers to these questions can speed ROI and reduce
implementation complexity.
[7] Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne Media, 2001.
The global economy may have faltered in 2002, but advances in e-commerce technology
continue to transform personal communication and global business at an astounding pace.
Although these advances promise to bring a substantial percentage of the world’s
population online in the next five years, they also present significant challenges to
industry and policymakers alike.
E-Commerce Technology
With the preceding in mind, the dynamic nature of the new economy, and particularly the
Internet, calls for decision makers to develop policies that stimulate growth and advance
consumer interests. But, in order to create the foundation for the rapid growth of e-
commerce, enterprises must adopt the effective e-commerce technology policies that
embrace the following four crucial principles:
Online trust (security and privacy): Without consumer confidence in the safety,
security, and privacy of information in cyberspace, there will be no e-commerce and no
growth. Protecting information and communications on the Internet is an absolute
prerequisite to the continued success of the Internet and the information economy [4].
Free and open international trade: Closed markets and discriminatory treatment will
stifle e-business. The Internet is a global medium, and the rules of the information
economy must reflect that fact. Only in an open, free market will the Internet’s potential
be realized.
For hundreds of years, protection of creative material has given authors and other
innovators powerful incentives to develop and distribute exciting new products.
Throughout, respect for private property (whether in its tangible or intellectual form) has
been a core value of market-driven economies.
In the information economy, such protection is even more vital, because the core
currency of the Internet is nearly exclusively intellectual property. Today, software
developers and other authors of creative works depend on the rights granted by copyright
laws to develop new, more functional, and more powerful products. Overall, U.S.
copyright-based industries (particularly the software, film, music, and publishing
industries) are among the fastest growing segments of the American economy. Of those
industries dependent on copyright for their business models, the high-tech industries
comprise an ever-growing share, particularly those creating software and hardware
products.
Industry leaders estimate that, within five years, an astonishing two thirds of software
sales will be conducted over the Internet. Furthermore, one third of all software exports
from the United States will be distributed electronically. Failure to properly protect this
vital intellectual currency means its value will evaporate and the global economy will
suffer greatly.
Digital piracy (the online theft of creative property) poses one of the single greatest
threats to the success of the information economy. It undermines the confidence that
creators and consumers place in their commercial interactions over networks.
The very nature of the online world that makes it so attractive in the marketplace also
renders the work of copyright violators easier. Now that unlimited, flawless copies of
creative works in digital form can be made and distributed globally in a matter of
seconds, intellectual property on the Internet can be at great risk. Internet piracy is real,
acute, and growing, demanding strong protections in the digital arena.
Piracy is the most significant problem facing the software industry globally. Every day,
pirates steal millions of copies of copyrighted computer programs. Some of these are
stolen by users making illegal copies personally, others by professional counterfeiting,
and still others via illicit sales or auctions on the Internet.
But, the economic impact of software piracy extends far beyond the confines of the
software industry and its consumers. Piracy distorts e-commerce technology economies
worldwide by robbing governments of legitimate tax revenues and citizens of badly
needed jobs.
Stemming these massive losses requires a concerted, multifaceted effort to combat the
theft of copyrighted material. Although technological measures to fight piracy and
increased public education about copyright are essential, the key to copyright protection
lies in governments worldwide adopting and vigorously enforcing strong laws prohibiting
this theft.
Strong words in a statute are not enough. These laws must be backed by vigorous
enforcement by governments and must allow private parties to pursue fast and
inexpensive remedies when their rights have been infringed. Strong copyright protection
includes:
Effective copyright laws must provide strong civil remedies, including permanent
injunctions against further infringement, the seizure of illegal software (and articles used
to defeat copyright protection), compensation, and fines. They must also provide for
minimum criminal penalties when piracy is committed knowingly and for commercial
purposes or to satisfy the internal demands of a business or other entity. In the United
States, both criminal penalties and civil remedies are available and, increasingly, other
countries are adopting similar legal models.
Sustained criminal enforcement is absolutely necessary in order to deter piracy and send
the message that piracy is a serious crime with serious consequences. In the United
States, the No Electronic Theft (NET) Act enables law enforcement officials to prosecute
individuals who steal software by distributing it over the Internet, even if they do not
profit economically from their activities. The NET Act has proven to be an effective
antipiracy tool and has resulted in numerous convictions. In countries where such laws do
not exist, however, customs and other governmental agencies must vigorously investigate
and enforce traditional copyright laws as a first step toward addressing Internet-based
piracy.
Despite the very real economic damage caused by software piracy, copyright enforcement
actions too often are forced to take a back seat to other criminal prosecutions. For
authorities to make a real dent in copyright crimes, governments must provide adequate
funding and explicit direction to those agencies responsible for copyright enforcement.
Given even minimal warning, a pirate can swiftly and easily eliminate evidence of
software theft with the touch of a button. As a result, the prosecution of software piracy,
whether in civil or criminal contexts, requires court-ordered inspections without advance
notice to the suspected software pirate (as required under the Trade-Related Intellectual
Property Rights [TRIPs] Agreement). To ensure fairness, such searches should be court-
supervised, with court-appointed experts being permitted to search and inspect for the
suspected piracy.
With the Internet, copyright theft has become a global phenomenon. The World
Intellectual Property Organization (WIPO) recognized that fact when it adopted “digital”
copyright treaties to create an international legal standard, covering online intellectual
property. Now, the nations of the world must ratify them.
The treaties were designed to promote online commerce by ensuring that authors are able
to determine how their works are sold and distributed online. The WIPO treaties reinforce
the fact that copyright protects all copies of a work, whether they are considered
“permanent” or “temporary,” “tangible” or “digital.” The treaties also ensure that authors
retain the right to determine the point at which their copyrighted works are placed on the
Internet, in the same way that authors determine the locations at which tangible copies of
their works may be distributed.
The WIPO treaties also recognize that, to protect intellectual property from theft, owners
need to employ e-commerce technology that guards against unauthorized access and
copying. Because such e-commerce technology-based protections are an extremely
effective means to prevent theft, the treaties recognize that attempts by pirates to break
these technical defenses must be outlawed.
Because many international copyright laws do not specifically protect creative materials
distributed over the Internet, global adoption of these treaties is essential to promoting the
safe and legal growth of Internet commerce. Under provisions of the treaties, a total of 30
signatory countries must ratify the treaties in order for their provisions to become
enforceable worldwide. To date, over 36 countries have taken this step.
For example, in 1998, the United States issued an Executive Order requiring U.S.
government agencies and contractors to effectively manage their software resources and,
in so doing, to use only legal, licensed software. Several U.S. states, including California
and Nevada, issued similar orders applicable to state government agencies and related
entities. These policies have had a powerful impact on the health of the software industry
in the United States and, importantly, have set the tone for proper software management
practices in America’s private sector.
In the aftermath of the tragic events of September 11, 2001, individuals, companies, and
governments have all focused attention on the issues of safety and security. Much of that
attention has fallen on the Internet, as it has emerged as a vital information and economic
link throughout the world [4].
The continued success of the Internet is, in many ways, dependent upon the trust that
individuals, businesses, and governments place in it. For that trust to exist, user
information transmitted over computer networks must be safe from thieves, hackers, and
others who would gain access to and make use of sensitive information without
permission.
Consumers have repeatedly shown they will not conclude commercial transactions over
the Internet, unless they are confident of the security and privacy [4] of their personal
information. Recent surveys by GartnerG2 (http://www.gartnerg2.com/site/default.asp)
and BusinessWeek/Harris
(http://www.adinfo.businessweek.com/magazine/content/0205/b3768008.htm) suggest
that 75% of U.S. Internet users fear going online for this reason, and that 70% of those
who are already online harbor concerns about privacy that keep them from transacting
commerce on the Internet. Yet, even as concerns about these vital issues proliferate, no
single solution can suffice.
The key difference is choice. When an individual is required by law to submit his Social
Security number or tax return to a government entity, that information should receive
greater protection than that disclosed in a private business transaction. In the latter case,
an individual is free to choose the online entity whose privacy policies match his needs.
When consumers “vote with their feet,” businesses quickly take notice.
For e-commerce to flourish, businesses also need to provide personalized products and
services so that consumers get what they want without suffering “information overload.”
Knowing this, successful e-business marketers must gather information about the wants
and needs of their customers in the same way as traditional marketers. Policymakers also
must remember that online “trust” encompasses two distinct concepts: security, so that an
individual’s private information will not be obtained through illegal hacking, and
confidence that the private information collected for one transaction will not be used in
ways the information provider did not anticipate or expect.
The first and best line of defense against unwarranted intrusions into personal privacy is
for individuals to employ e-commerce technology to protect themselves. Industry-
developed and supplied encryption technologies and firewalls, for example, provide
individuals with substantial tools to guard against unwarranted intrusions.
In light of the recent tragic events of 9-11, security in all its forms (including security
against cyber intrusion and attack) is more important than ever. Strong encryption
technology plays a key role in such security, helping individuals, businesses, and
governments protect sensitive or personal information against willful or malicious theft.
Not surprisingly, then, nations have increasingly adopted policies that encourage the
widespread availability of encryption tools for consumers. At the same time, they have
successfully worked to permit law enforcement to access encrypted communications in
certain critical instances, while rejecting calls for encryption products to be undermined
through the building of “back-door” government keys.
A firewall is essentially a filter that controls access from the Internet into a computer
network, blocking the entry of communications or files that are unauthorized or
potentially harmful. By controlling Internet “traffic” in a network, firewalls protect
individuals and organizations against unwanted intrusions, without slowing down the
efficiency of the computer or network’s operations. They also limit intrusions to one part
of a network from causing damage to other parts, thereby helping to prevent large-scale
system shutdowns brought on by cyber attacks. Not surprisingly, then, firewalls have
become a key component of computer systems today, and their architecture comprises
some of the most state-of-the-art e-commerce technology available in today’s
marketplace.
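The filtering described above can be made concrete with a small rule evaluator. This is an added example, not material from the book; the rule table, the addresses (documentation and private ranges) and the network segments in it are constructed. It shows the two properties the paragraph relies on: a first-match rule table with a default of deny, and a segment boundary that lets one part of the network reach another only on a single service port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Rules are evaluated top to bottom; the first match decides, and traffic that
# matches no rule is dropped (default deny). Addresses below are constructed
# (documentation ranges and private ranges), not from any real network.
@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any port

RULES = [
    # The Internet may reach the public web server on HTTPS only.
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    # The application segment may reach the database host on its service port...
    Rule("allow", "10.0.1.0/24", "10.0.2.5/32", "tcp", 5432),
    # ...and nothing else in the database segment, so an intrusion into an
    # application host cannot spread into that part of the network.
    Rule("deny", "10.0.1.0/24", "10.0.2.0/24", "any", None),
    # Internal hosts may make outbound HTTPS connections.
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the packet's source, destination, protocol and port fall within the rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(src: str, dst: str, proto: str, dport: int, rules=RULES):
    """Return (action, index of the deciding rule); ('deny', None) when no rule matches."""
    for index, rule in enumerate(rules):
        if matches(rule, src, dst, proto, dport):
            return rule.action, index
    return "deny", None
```

Rule order matters: the narrow allow for the database port must sit above the broad deny for the database segment, and anything the table does not mention is refused rather than passed. That default is what limits an intrusion in one segment to that segment.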
But, computer security, or cyber security, is more than encryption, and it requires more
than a onetime fix. It is an ongoing process requiring the adoption of strong security
policies; the deployment of proven cyber security software and appliances, such as
antivirus, firewalls, intrusion detection, public key infrastructure (PKI), vulnerability
management, and encryption; and, in the case of larger organizations, the existence
of trained security professionals. These professionals, in turn, must be continually
retrained in order to ensure that they are able to address and combat the evolving nature
of cyber threats.
Strong security tools alone, however, cannot protect users against threats in each and
every instance. Dedicated hackers and criminals will always seek new ways of
circumventing even the most effective security technologies. That is why it is critical that
strong laws be put in place to deter such activities. In particular, where needed, laws
should make it illegal to defeat, hack, or interfere with computer security measures, and
penalties for these crimes should be substantial.
As is the case with copyright laws, however, strong words in a statute are not enough.
Effective antihacking and computer security laws must:
Although the government should create a strong legal framework against cyber crime, it
should not intervene in the marketplace and pick e-commerce technology “winners” by
prescribing arbitrary standards in the security field. Such intervention would do little
more than freeze technological development and limit consumer choice. Instead, the
development and deployment of security tools should be determined by technological
advances, marketplace forces, and individual needs, and should be free of regulation.
Empowering Individuals to Manage Their Personal Information
In the private sector, all parties to any transaction should have the discretion to
voluntarily choose the terms of an information exchange. The choice should be informed;
both parties should clearly understand the information to be exchanged and what will be
done with it. The choice will then be based on the reasonable expectations of the parties
regarding a specific transaction. There likely will be fewer expectations about privacy
accompanying the online purchase of a newspaper subscription, than the purchase of
prescription medicines, for example.
The choices of both consumers and businesses should be respected, and the private sector
should be given the latitude to develop and implement effective privacy policies to meet
customer demands. Marketplace-developed measures are far more likely than
government regulations to meet the expectations of individuals and promote the
development of online commerce. The role of policy in this area should be aimed at
ensuring that:
The global vitality of an electronic marketplace depends upon free and open trade.
Tariffs, regulations, and similar barriers to commerce raise costs and can price many
smaller, competitive firms out of the market. When trade is restricted, economic
development is slowed, consumer choice is reduced, and global prosperity is harmed.
International trade is vital to the software industry. Over half of the U.S. industry’s global
revenues are derived from foreign sales. Exports as a percentage of American software
companies’ total sales have increased dramatically over the past decade. They now
account for over $50 billion each year.
Widespread piracy is the software industry’s single most significant trade barrier. The
most effective means of reducing piracy internationally is to enforce TRIPs, the
agreement by which all members of the World Trade Organization (WTO) commit to
abide by laws that protect intellectual property. TRIPs-compliant nations must have in
place adequate civil and criminal laws protecting intellectual property and must, in
practice, effectively enforce those laws.
The deadline for developing nations to comply with the TRIPs Agreement was January 1,
2000. However, today, many countries still remain in noncompliance and in violation of
their international commitments.
A decade ago, in addition to rampant software piracy, the U.S. software industry faced
another major problem in foreign markets: unreasonably high tariffs on computers and
related devices. Significant progress has been made in this area. The WTO “Uruguay
Round” agreements and the subsequent Information Technology Agreement (ITA),
substantially reduced many tariffs for e-commerce technology devices.
Still, many economies, mostly in the developing world, impose high duties or excise
taxes on foreign e-commerce technology equipment. These barriers can range from 20
percent to as much as 100 percent of a product or system’s price. In some cases, a
government might justify such a barrier by claiming that these products are “luxury
goods.” Or, a government might argue that such actions are necessary to protect an
“emerging” domestic industry or “sensitive” sector of its economy.
But, in all cases, such policies simply stifle the development of a vibrant base of e-
commerce technology consumers and service providers. It is essential for governments to
adopt policies that encourage the use of e-commerce technology—not policies that
effectively prohibit or punish it.
The preceding is true whether considering a computer and software in the home, or
routers and wires in the workplace. The refusal to compete against high-quality, imported
products will do nothing to enable domestic manufacturers to produce quality products at
affordable prices.
As trade moves increasingly from the import and export of tangible goods to Internet-
based commerce, it is vital to ensure that traditional free-trade principles apply equally in
the realm of electronic commerce. Nations that have sought to rid themselves of
burdensome trade barriers must ensure they do not stifle e-commerce with those same
barriers. Because trade liberalization is crucial to the worldwide growth of the software
industry, the following agreements and negotiations are very important:
• The pursuit of a new round of multilateral trade negotiations under the auspices of
the WTO
• The conclusion of regional free trade agreements, such as the Free Trade Area of
the Americas (FTAA)
• New, bilateral trade agreements, including the U.S.-Singapore Free Trade Area
(FTA)[3]
Thus, the preceding bilateral and multilateral talks provide opportunities to further
strengthen international trade law, provide a predictable business environment for e-
commerce, and develop a progrowth e-commerce agenda.
Any new trade negotiations should focus on barring new measures whose effect would be
to restrict or inhibit the growth of global e-commerce. Countries should also ensure that
they apply current WTO standards to online transactions. Specifically, countries should:
All the consumer confidence and legal support in the world won’t boost e-commerce if
there’s no way to deliver electronic content to customers efficiently and quickly. The
future of electronic delivery demands a dramatic evolution of the telecommunications
infrastructure in the United States and across the globe. Today’s infrastructure was built
to carry voice telephone traffic and has served well for the last 50 years. But, the
information age is placing new demands on this system, demands that it cannot readily
meet. Today’s slow transmission speeds and congestion are a legacy of an outdated
system that must be modernized, lest consumers and businesses turn away because of the
“world wide wait.”
High-speed constant connections to the Internet (broadband access) let users send and
receive far larger volumes of information than traditional dial-up telephone lines allow.
Broadband access can be provided through modified cable television lines, an enhanced
telephone service called Digital Subscriber Line (DSL), satellite, fixed-wireless[5], and
other means.
Broadband access is absolutely necessary in order to make the vision of new, exciting
Internet-based services a reality. For example, highly anticipated interactive applications
(whether online classrooms, business showrooms, or health clinics) cannot exist if users
lack broadband access.
In the United States today, roughly 70 percent of American households have access to the
Internet, according to NielsenNetRatings (http://www.nielsen-netratings.com/). But,
fewer than 10 percent of U.S. households have broadband access.
Many other nations rival the United States in their level of Internet penetration. In
Sweden, nearly 75 percent of citizens have access to the Internet, whereas the number in
Canada is 58 percent. But globally, broadband access rates are even lower than in the
United States.
Several factors conspire to stymie more extensive broadband deployment. There are
financial challenges, changing market conditions, uncertain consumer preferences, and
even cultural and societal trends. In this environment, policymakers must take the lead
and encourage the provision of broadband to consumers and their homes over the so-
called “last mile.”
There is also a need to ensure that individuals in all sectors and geographical locations
enjoy the benefits of broadband access. Not surprisingly, early evidence suggests that, in
the United States, the rate of broadband deployment in urban and high-income areas is
outpacing deployment in rural and low-income areas.
The preceding disparity has raised concerns that the “digital divide” (the gap between
information “haves” and “have-nots”) will increase. The digital divide is a major concern
for companies who have worked individually to expand access to computer technologies
in underserved areas. They recognize that a global e-commerce technology future
depends on widespread access to new technologies, particularly by individuals who have
thus far failed to share in many of the communications and productivity benefits that
technology brings. For all these reasons, many e-commerce companies support policies to
promote broadband deployment in a way that will enhance widespread access to
technology and, in so doing, close the digital divide.
Now, let’s look at another type of e-commerce technology: the tools that reside within the
Internet environment itself. In other words, with the growth of the Internet, B2B
procurement and other processes are being moved to the World Wide Web, for increased
efficiency and reach. Procurement systems from different vendors use various protocols,
and additional protocols are being defined by several industry consortia. As a
consequence, suppliers are faced with the difficult task of supporting a large number of
protocols in order to interoperate with various procurement systems and private
marketplaces. In this part of the chapter, the connectivity requirements for suppliers and
private marketplaces are outlined, and a description of how suppliers and marketplaces
can interoperate with diverse procurement systems and electronic marketplaces is
presented. A description of a simple connectivity that is based on punchout processes for
fixed and contract-based pricing is presented first. Next, a description of how
asynchronous processes, such as requests for quotes, auctions, and exchanges can be
distributed for interoperability across suppliers and marketplaces, is also presented.
Finally, this part of the chapter presents a description of the B2B/market-to-market
(M2M) Protocol Exchange. This is a prototype that IBM has implemented, which maps
between different, but analogous, protocols used in procurement systems and, thus,
alleviates some of the interoperability difficulties.
[3] “Necessary Elements For Technology Growth,” © Copyright 2003 Business Software Alliance, 1150 18th Street, N.W., Suite 700, Washington, DC 20036, 2003.
[4] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.
[5] Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne Media, 2001.
As previously explained, with the rapid growth of the Internet, organizations are
increasingly using the Web to conduct business with greater speed, reach, and efficiency.
This transformation is especially prevalent in business-to-business (B2B) commerce and
trade. Many of the Fortune 500 companies have adopted e-procurement systems such as
Ariba (see sidebar, “Ariba”), Commerce One, and mySAP. Many others participate as
buyers in e-marketplaces, such as Commerce One MarketSet, Ariba Hosted Market Place,
and IBM’s WebSphere Commerce Suite, Marketplace Edition (WCS MPE, or MPE for
short), among others.
Figure 2.1 illustrates the environment for B2B procurement on the Web[1]. B2B buyers
have diverse procurement systems, such as those offered by Ariba, Commerce One, and
SAP, among others. Each of these procurement systems uses different B2B protocols for
interaction with seller systems. Many of these protocols are proprietary and specific to
the procurement system. For example, as illustrated in Figure 2.1, Ariba uses the
punchout process between the Ariba Order Request Management System (ORMS) and
seller systems using their Commerce XML (cXML, or Commerce Extensible Markup
Language) specification for the messages. Commerce One uses XML Common Business
Library (xCBL) as the format of messages, and mySAP uses the Open Catalog Interface
(OCI; for a process similar to punchout) between buyer and seller systems.
Ariba
With purchasing managers facing the prospect of tighter corporate budgets, developers
Verticalnet Inc., PeopleSoft Inc., and Ariba Inc. are each readying software that they
indicate will enable their customers to better manage spending. The goal is to enable
companies to more closely tie the process of finding sources of raw goods, negotiating
the price for those products, and closing the loop with electronic settlement.
Verticalnet has recently released an enhanced Spend Management module as well as the
next version of its Metaprise collaborative planning and order management suite. Spend
Management introduces a supplier score card and enhanced reporting and analytics,
which will let suppliers see through a Web browser how they are serving buyers, along with
performance metrics, such as actual costs versus standard spending. New functionality in
Metaprise, which comes from the company’s acquisition of Atlas Commerce Inc.,
facilitates the process of improving requisitions and managing purchase orders. Enhanced
logistics functionality integrates shipping updates with third-party logistics providers.
In the find-it category, the new Ariba Analysis module gathers procurement information,
which typically resides in the Ariba Buyer platform, accounts payable, and ERP planning
systems. It then generates reports to help companies find potential savings.
The second new module, called Ariba Contracts, falls into the get-it and keep-it
categories, by focusing on the administration of contracts—those being used successfully
and those requiring renegotiation. Integrated with Ariba Buyer and Enterprise Sourcing,
the module helps companies track and manage contract life cycles. Ariba Invoice, the
third new module, automates every stage in the invoicing process to help companies
reduce reconciliation cycle times and lets suppliers upload invoices into Ariba Supplier
Network and transmit them back to buyers.
As for enhancements, Ariba Buyer has new integration with the Contracts module. Ariba
Workforce features an expanded capability to capture and manage a broader spectrum of
workforce procurement, indicate officials[2].
Many other protocols for B2B processes, many proprietary to procurement and other
systems, and others customized for specific partners are being defined and implemented.
In addition to the procurement systems, which typically reside within the firewall of the
buying organizations, marketplaces are being set up on the Internet through which buyers
can access a large number of suppliers, typically for specific industry segments. Many of
these marketplaces use the same or similar technology to connect to procurement and
supplier systems and offer buyers at small and medium-sized businesses access to
suppliers.
Meanwhile, standards bodies are defining protocols and message formats for B2B
processes. One of the early processes was that defined by the Open Buying on the
Internet (OBI) consortium, a precursor of the punchout process. The RosettaNet
consortium used OBI as a starting point and defined Partner Interchange Processes
(PIPs), including both flows and XML-based message formats for interactions between
partners. The electronic business XML (ebXML) framework (sponsored by the United
Nations Center for the Facilitation of Procedures and Practices for Administration
Commerce and Transport [UN/CEFACT] and the Organization for the Advancement of
Structured Information Standards [OASIS]) includes a messaging service, a
Collaborative-Protocol Agreement (CPA) specification, and a Business Processes
Specification Schema. These are all used for enabling the interaction between business
processes.
The Web services approach defines both a messaging and a remote procedure call
mechanism using Simple Object Access Protocol (SOAP). On top of SOAP, the Web
Services Description Language (WSDL) defines a Common Object Request Broker
Architecture (CORBA) interface definition language (IDL)-like interface for Web-based
B2B remote procedure calls. And, the Universal Description, Discovery, and Integration
(UDDI) consortium has defined a directory mechanism for registering and locating
businesses on the Web, with an optional WSDL interface specification. The Open
Application Group (OAG) has defined Business Object Documents (BODs) for the
content of B2B messages.
Some of these originally disparate efforts are now coming together. For example, the
RosettaNet consortium has announced that they will move to the ebXML messaging
protocol, and OAG has announced that they will support ebXML. In spite of these
efforts, however, the number of B2B protocols continues to grow.
This proliferation of B2B protocols gives rise to several connectivity requirements and
problems, as illustrated in Figure 2.2[1]. First, from a supplier’s point of view (box A in
Figure 2.2), suppliers need to connect to the many customer procurement systems and
private marketplaces, using various B2B protocols. Second, private marketplaces (and,
over time, procurement systems as well) need to connect to procurement systems (box B
in Figure 2.2), using different B2B protocols. Third (box C in Figure 2.2), private
marketplaces need to connect to suppliers that may support different B2B protocols.
Fourth (box D in Figure 2.2), private marketplaces need to connect to each other, in order
to access suppliers connected to other marketplaces, or to access services offered at other
marketplaces.
Now, let’s look at the connectivity requirements for suppliers and private marketplaces,
and how suppliers and marketplaces relying on IBM’s WebSphere Commerce Business
Edition (WCBE), WebSphere Commerce Suite, and Marketplace Edition (WCS MPE)
can interoperate within the environment for B2B procurement. Simple B2B connectivity
using punchout processes, as supported by WCBE, is also discussed. Next, marketplace
connectivity for emerging asynchronous processes and distributed trading mechanisms,
as supported by WCS MPE, is discussed. Finally, the last part of this chapter discusses
connectivity, how to use a B2B protocol exchange, and how many of these protocols can
be mapped to each other—thus allowing procurement systems and suppliers to use
different protocols.
Now, let’s focus on two of the B2B connectivity problems previously mentioned, and
illustrated in Figure 2.2. First, let’s discuss the supplier connectivity problem and present
a solution based on IBM’s WCBE for connectivity of suppliers to diverse procurement
systems. Second, a discussion of marketplace connectivity takes place, as well as a
presentation of a solution based on IBM’s WebSphere Commerce Suite and Marketplace
Edition (WCS MPE) for connectivity of marketplaces to diverse procurement systems
and diverse supplier systems.
Most procurement systems and private marketplaces support the notion of punchout
(albeit sometimes using a different term, such as RoundTrip, used by Commerce One). A
buyer at a procurement system or marketplace selects a remote supplier, and the buyer is
automatically logged on to the supplier catalog server and presented with a catalog
customized for his organization, with prenegotiated prices. The buyer shops at the site, as
the items selected for purchase are being stored in a shopping cart. On checkout, the
shopping cart contents are sent back to the buyer’s procurement system for approval. The
procurement system provides workflow for approvals and, on approval, a purchase order
is sent from the procurement system to the supplier. Additional messages may be
exchanged between the supplier and the procurement system, such as shipping notices
and invoices. By having punchout capability, suppliers and marketplaces can interoperate
with procurement systems or marketplaces, with significant benefits to both suppliers and
buyers.
Note: Details of the punchout flow are provided later in the chapter.
For example, IBM’s WCBE is a solution for the business-to-consumer trade, whereas
WCS MPE supports the private trading exchange customers. Customers can connect to
the WCBE Web site, browse through the catalog, and place orders. In the case of WCS
MPE, customers have the benefit of working with various trading mechanisms, such as
request for quotations (RFQs), auctions, reverse auctions, and exchanges. It is especially
useful, given the emerging trends in the industry, that the WebSphere Commerce products
have punchout capability and can interoperate with buyers’ procurement systems and
marketplaces.
Although WCS MPE supports aggregation of suppliers’ catalogs, certain suppliers may
have enormous catalogs and their systems may include complex configuration tools.
Often, it is not feasible to offload supplier catalogs into external marketplaces. Thus,
suppliers often have their supply-side Web sites enabled for punchout, and expect WCS
MPE to initiate punchout to the supplier Web site.
Catalog aggregation in the current WCS MPE product is done using the WebSphere
Catalog Manager (WCM) product. WCM supports the loading of catalog data into an
electronic marketplace (eMP) database, transforming catalog data from ASCII,
spreadsheet, and XML formats into a canonical XML format, and extracting catalog data
from any relational database. More enhancements to support industrial catalogs are
planned for future versions of WCM.
Many large corporations have relatively independent subsidiaries and are classic
examples of customers that require support for both receiving punchout requests and
initiating punchout requests. Such corporations often have aggregated supplier catalogs
across their subsidiaries, so their customers see a unified company-wide catalog and
require support for receiving punchout requests from the buyers’ procurement systems to
the aggregated catalog. They also require punchout initiation functionality to connect
from their aggregated-catalog server to individual catalogs supported by their
subsidiaries.
For example, IBM’s Commerce Integrator is a generic framework that enables WCBE
and WCS MPE to handle business-to-business transactions using industry standard
protocols. It offers customers the opportunity to integrate their systems with the
procurement system’s own network of high-volume buyers. Commerce Integrator
provides an integrated, scalable system that enables suppliers with WCBE to participate
as a supplier in the procurement system’s marketplace, to increase sales and to enhance
their business-to-business presence on the Web. Specifically:
• Suppliers maintain a single catalog within WCBE and use that catalog to enable
their own Web presence as well as to participate in the procurement system’s
network.
• Suppliers can take advantage of WCBE connectivity to supply chain management
systems, retail business systems, and order management backend systems to
automatically flow orders from the buyer’s procurement system.
• Suppliers can take advantage of the updated business-to-business features of the
WCBE product for using and maintaining information about buyer organizations,
buyer-specific catalogs and price lists, and contract pricing.
Figure 2.3 illustrates a high-level view of a typical punchout flow in which WCBE
interoperates with an e-procurement system, which includes the following steps[1]:
1. An agent in the buyer organization logs on to the procurement system using the
user ID (identifier) and password, and then selects an external catalog. The
procurement system authenticates the buyer agent.
2. The procurement system constructs a request to access the external supplier
catalog using a user ID and other buyer organization credentials.
3. The Member Subsystem of Commerce Integrator authenticates the buyer agent
against the buyer organization data stored in the WCBE database. If successful,
the buyer agent is presented with a catalog customized for the buyer organization.
4. The buyer agent browses the catalog in the WCBE database while a shopping cart
is created. On checkout, the shopping cart is submitted to WCBE, and a quote is
recorded in the database.
5. Commerce Integrator picks up the quote from WCBE.
6. Commerce Integrator sends the quote to the buyer in the format required by the
buyer’s procurement system. An authorized agent for the buyer is prompted for
acceptance of the quote.
7. The authorized agent approves the quote. An order from the procurement system
is sent to Commerce Integrator.
8. Commerce Integrator forwards the order to WCBE[1].
Further messages, such as advance shipment notices and invoices (not shown in Figure
2.3) are sent from WCBE to the procurement system.
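The punchout description above and the eight numbered steps can be followed end to end in a small simulation. This is an added example, not code from the book or from IBM's WCBE or Commerce Integrator; the buyer organization, its shared secret, the agent accounts, the SKUs and the prices are all constructed. It highlights the security checks implicit in the flow: the procurement system authenticates the agent (step 1), the supplier authenticates the buyer organization's credentials rather than the agent's (steps 2 and 3), only an authorized agent can approve (step 7), and the supplier accepts an order only if it matches a quote it recorded (steps 4 and 8).

```python
import hmac
import secrets

# Constructed sample data: the buyer organization, its shared secret, the SKUs,
# the prices and the agent accounts are hypothetical, not taken from the book or WCBE.
BUYER_ORG = "acme"
BUYER_ORG_SECRET = "constructed-shared-secret"
CATALOG = {"SKU-100": ("Toner cartridge", 45.00), "SKU-200": ("Laser printer", 380.00)}
CONTRACT_PRICES = {BUYER_ORG: {"SKU-100": 39.00}}   # prenegotiated price for this buyer


class SupplierSite:
    """Stands in for the supplier catalog server (WCBE with Commerce Integrator in Figure 2.3)."""

    def __init__(self):
        self.org_secrets = {BUYER_ORG: BUYER_ORG_SECRET}
        self.sessions = {}   # single-use session token -> buyer organization
        self.quotes = {}     # quote id -> {"org", "lines", "total"}
        self.orders = []

    def setup(self, org, secret):
        # Step 3: authenticate the buyer organization's credentials (constant-time compare).
        expected = self.org_secrets.get(org)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("buyer organization not authenticated")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = org
        return token

    def catalog_for(self, token):
        # Catalog customized for the buyer organization: contract prices override list prices.
        org = self.sessions[token]
        return {sku: CONTRACT_PRICES.get(org, {}).get(sku, price) for sku, (_, price) in CATALOG.items()}

    def checkout(self, token, cart):
        # Step 4: the cart is priced from the buyer-specific catalog and recorded as a quote.
        prices = self.catalog_for(token)
        org = self.sessions.pop(token)
        lines = {sku: (qty, prices[sku]) for sku, qty in cart.items()}
        total = round(sum(qty * price for qty, price in lines.values()), 2)
        quote_id = f"Q-{len(self.quotes) + 1}"
        self.quotes[quote_id] = {"org": org, "lines": lines, "total": total}
        return quote_id, self.quotes[quote_id]

    def receive_order(self, org, quote_id, total):
        # Step 8: accept an order only if it matches a quote recorded for this organization,
        # so an altered or forged order cannot bypass the quoted contract prices.
        quote = self.quotes.get(quote_id)
        if quote is None or quote["org"] != org or quote["total"] != total:
            raise ValueError("order does not match a recorded quote")
        self.orders.append((org, quote_id, total))
        return f"PO-{len(self.orders)}"


class ProcurementSystem:
    """Stands in for the buyer's e-procurement system and its approval workflow."""

    def __init__(self, supplier):
        self.supplier = supplier
        self.users = {"alice": ("pw-alice", "requester"), "bob": ("pw-bob", "approver")}  # constructed
        self.pending = {}   # quote id -> quote awaiting approval

    def _authenticate(self, user, password):
        pw, role = self.users.get(user, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            raise PermissionError("agent not authenticated")
        return role

    def punchout(self, user, password, cart):
        # Step 1: the agent logs on; the procurement system authenticates the agent.
        self._authenticate(user, password)
        # Step 2: request the external catalog with the organization's own credentials,
        # so the supplier never sees the agent's password.
        token = self.supplier.setup(BUYER_ORG, BUYER_ORG_SECRET)
        # Steps 4 to 6: shop, check out, and hold the returned quote for approval.
        quote_id, quote = self.supplier.checkout(token, cart)
        self.pending[quote_id] = quote
        return quote_id, quote["total"]

    def approve(self, user, password, quote_id):
        # Step 7: only an authorized approver may accept the quote; the order then goes to the supplier.
        if self._authenticate(user, password) != "approver":
            raise PermissionError("agent not authorized to approve")
        quote = self.pending.pop(quote_id)
        return self.supplier.receive_order(BUYER_ORG, quote_id, quote["total"])


def run_flow():
    """Run one complete punchout and return (quote id, quoted total, purchase order id)."""
    supplier = SupplierSite()
    procurement = ProcurementSystem(supplier)
    quote_id, total = procurement.punchout("alice", "pw-alice", {"SKU-100": 3, "SKU-200": 1})
    po_id = procurement.approve("bob", "pw-bob", quote_id)
    return quote_id, total, po_id


def is_rejected(fn, *args):
    """True if the call is refused with PermissionError or ValueError."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False
```

Two design points carry over to real deployments: the supplier authenticates an organization-level credential, not the individual agent, which is why buyer-specific catalogs and contract prices can be selected at setup time; and the order is bound to a recorded quote, so the approval workflow on the buyer side and the pricing on the supplier side cannot be made to disagree.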
Although the punchout flow is similar for most procurement systems, the message format
is different for different procurement systems. For example, Ariba uses cXML messages,
mySAP uses Hyper Text Markup Language (HTML) name-value pairs, Metiom uses the
OBI electronic data interchange (EDI) message formats, and Commerce One uses xCBL
message formats. There are some differences between the flows, as outlined previously in
the B2B protocol exchange. To handle these differences, Commerce Integrator includes
some protocol-specific functions, in addition to functions common to all protocols. As
shown in Figure 2.4, incoming messages are handled by a common servlet, which
identifies the protocol and calls protocol-specific functions that map the message to a
common internal format[1]. Then, WCBE commands, shared by all punchout protocols,
are invoked. Responses are converted from the common format into protocol-specific
formats by Commerce Integrator.
Figure 2.4 also shows a B2B gateway. The function of the B2B gateway is to provide a
means of connecting remote trading partners over the Internet, each using its protocol of
choice. Clearly, this functionality facilitates the integration of interenterprise business
processes. Although the B2B gateway may support additional functions, such as business
process management, audit trails, and intraenterprise connectivity, it is beyond the scope
of this chapter to elaborate further on these functions.
The protocol associated with an incoming message is identified by the URL to which the
request is sent. The use of a single servlet for all requests should have no negative
performance impact, because the servlet engine launches a new thread for each request.
Performance bottlenecks would only be caused by undue contention for shared resources.
Were such contention present, it would impact multiple servlets in the same manner as a
single servlet. Because the servlet is merely the entry point for requests that quickly fan
out to different parts of the server, it is unlikely that the degradation of reliability from the
use of a single servlet would be significant.
There are two scenarios of interest: one in which there is no separate B2B gateway and
one in which there is a gateway present. When there is no B2B gateway, protocol-specific
requests are sent to Commerce Integrator, and appropriate commands are invoked. If a
B2B gateway is present, the incoming requests are mapped into a common canonical
format, and then Commerce Integrator invokes appropriate WCBE commands. Thus,
there is a synergistic relation between WCBE/Commerce Integrator and the gateway.
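The dispatch design of Figure 2.4 (one entry point, protocol identified by URL, protocol-specific mapping to a common internal format, shared commands, and protocol-specific rendering of the response) can be sketched as follows. This is an added example, not IBM's Commerce Integrator code; the endpoint paths, the buyer organization table and the two message shapes are constructed, and the message shapes are simplified imitations of an XML punchout setup request and a name-value-pair request rather than the real cXML or OCI schemas.

```python
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

# Constructed buyer organization table (hypothetical credentials, not from the book).
BUYER_ORGS = {"acme": "constructed-shared-secret"}

# Simplified imitations of two protocol styles: an XML request in the spirit of cXML
# and a form-encoded name-value request in the spirit of OCI. Neither is the real schema.
CXML_SAMPLE = (
    "<Request><Credential><Identity>acme</Identity>"
    "<SharedSecret>constructed-shared-secret</SharedSecret></Credential>"
    '<PunchOutSetupRequest operation="create"/></Request>'
)
OCI_SAMPLE = "USERNAME=acme&PASSWORD=constructed-shared-secret&HOOK_URL=https%3A%2F%2Fbuyer.example%2Freturn"


def parse_cxml_like(body):
    """Map the XML form to the common internal format."""
    # Caveat: XML arriving from the Internet should go through a hardened parser
    # (for example defusedxml) so entity-expansion payloads cannot exhaust the server.
    root = ET.fromstring(body)
    identity = root.findtext("Credential/Identity")
    secret = root.findtext("Credential/SharedSecret")
    setup = root.find("PunchOutSetupRequest")
    if identity is None or secret is None or setup is None:
        raise ValueError("missing credential or setup element")
    return {"org": identity, "secret": secret, "operation": setup.get("operation", "create")}


def parse_oci_like(body):
    """Map the name-value-pair form to the common internal format."""
    fields = parse_qs(body, strict_parsing=True)   # raises ValueError on malformed input
    return {"org": fields["USERNAME"][0], "secret": fields["PASSWORD"][0],
            "operation": "create", "return_url": fields["HOOK_URL"][0]}


# The URL path identifies the protocol; each path has its own mapping function.
ROUTES = {"/b2b/cxml": ("cxml", parse_cxml_like), "/b2b/oci": ("oci", parse_oci_like)}


def setup_command(msg):
    """Shared command, independent of wire protocol: authenticate the buyer organization."""
    expected = BUYER_ORGS.get(msg["org"])
    if expected is None or not hmac.compare_digest(expected, msg["secret"]):
        return None
    return f"https://supplier.example/catalog?org={msg['org']}"   # hypothetical start page


def render_response(protocol, start_url):
    """Convert the common result back into the caller's protocol."""
    if protocol == "cxml":
        return f'<Response><Status code="200"/><StartPage><URL>{escape(start_url)}</URL></StartPage></Response>'
    return urlencode({"STATUS": "OK", "START_URL": start_url})


def handle_request(path, body):
    """Single entry point for all protocols (the common servlet in Figure 2.4)."""
    route = ROUTES.get(path)
    if route is None:
        return {"status": 404, "body": "unknown protocol endpoint"}   # never guess the protocol
    protocol, to_canonical = route
    try:
        msg = to_canonical(body)
    except (ET.ParseError, ValueError, KeyError):
        return {"status": 400, "body": f"malformed {protocol} message"}
    start_url = setup_command(msg)
    if start_url is None:
        return {"status": 401, "body": "buyer organization not authenticated"}
    return {"status": 200, "body": render_response(protocol, start_url)}
```

Because all protocol-specific code sits in the mapping and rendering functions, the authentication and command logic is written once and exercised by every protocol, which is also where a single audit point for incoming B2B requests naturally falls. A request to a path with no registered mapping is refused outright rather than parsed speculatively.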
Aggregating the catalog at the eMP site offers advantages: it makes a parametric search
across suppliers possible, and it enables small businesses, which do not have the
infrastructure to host catalogs, to engage in e-commerce. However, aggregating catalogs
has its own limitations, including:
• It does not preserve each supplier’s unique brand and Web site design (it requires
direct links to the supplier’s Web pages).
• It supports only static content rather than promoting dynamic, up-to-date
information.
• It provides limited support for suppliers with very large catalogs.
• It provides no support for product configurators (needed for complex products).
• It provides limited support for suppliers with fast changing catalogs or pricing[1].
Thus, in situations in which there is a need for product configurators, or if the catalog
contains fast changing products and prices, the suppliers have to maintain catalogs at
their own sites and not aggregate the catalog onto an eMP. In the common eMP approach,
a buyer has access to only the sellers who participate in the marketplace with which the
buyer is registered. Similarly, a seller cannot sell goods and services in a marketplace
different from the one with which the seller is registered. Now, let’s look at a mechanism
called punchout, in which a buyer in a private marketplace can “punch out” to a remote
supplier to buy fixed-price and contract price offerings.
Figure 2.5 shows the flow for setting up a punchout process (steps 1 to 7) from a
procurement system (or marketplace) to a supplier site; for example, a WCBE site[1].
Remote suppliers are listed at the procurement system. They may provide their entire
catalog remotely using punchout. Alternatively, a supplier may provide a local catalog at
the procurement site, with links for specific functions or details. For example, a supplier
may use punchout for system configuration, or for parts of the supplier catalog that may
change frequently. As shown in Figure 2.5, after selecting a remote supplier for initial or
further shopping (step 1), a login request (step 2) is sent to the remote supplier as an
XML document, encapsulating the user and organization credentials as well as a URL for
postback to the procurement system (used at step 7, as shown in Figure 2.5). The remote
supplier authenticates this request and returns a URL (step 3) with embedded user
information. The client’s browser is redirected (step 4) to this URL, allowing the buyer to
directly shop (step 5) at that remote site using the appropriate catalog for the buyer’s
organization. At the end of the shopping session, a quote representing the shopping cart is
sent back to the client (step 6) and posted back to the procurement system (step 7) at the
postback URL referred to previously.
After the purchase request (in XML format) is received back at the procurement system
(step 7), it is parsed and added to the buyer’s requisition. The buyer then submits the
requisition for approval. After submission, the buyer can then view the submitted
requisition and its status, and modify the requisition, if so desired.
Note: The buyer may punch out to multiple suppliers and add the contents of those
shopping carts to his or her requisition.
Subsequently, the approver views the submitted requisitions and, optionally, may punch
out to the supplier to view details of the requisition. The approver can modify the
requisition, if so desired. If the approver rejects the requisition, the status is so indicated,
and can be viewed by the buyer. If the requisition is approved, it is converted into one or
more purchase orders (POs), and is sent to the supplier(s). The PO is sent as an XML
document, in the format required by the supplier. If the remote supplier’s system is based
on WCBE, the PO is formatted in a common canonical format. Also, if it is an Ariba-
compliant supplier, it is formatted in cXML. And, if the format is different, a B2B
protocol exchange can be used to convert the PO to the desired format and protocol.
When the remote supplier acknowledges the receipt of the PO, the state of the order at the
procurement system is updated. Subsequently, additional messages may be sent by the
supplier to the procurement system to indicate further events, such as issuing an advance
shipping notice.
As illustrated in Figure 2.6, IBM’s WCS MPE provides different trading mechanisms,
such as fixed-price buying, contract-based buying, RFQs, auctions, and exchanges[1].
Also, the punchout mechanism can be used for remote supplier integration when dealing
with fixed and contract pricing. However, the more advanced trading mechanisms,
including RFQs, auctions, and exchanges, cannot be supported by the basic punchout
mechanism. This is because the flows between WCS MPE and the remote suppliers for
fixed and contract pricing are synchronous, and occur during a real-time session with the
buyer, thus making them amenable to the online punchout process. RFQs, auctions, and
exchanges involve asynchronous interactions between WCS MPE and the supplier. Next,
let’s look at how such asynchronous processes are handled. RFQs are used as a typical
example. Similar flows and XML document interchanges can be used for other
asynchronous trading mechanisms.
In WCS MPE, an RFQ is a trading mechanism used when a buying organization attempts
to obtain a special price for a purchase, or when a buying organization cannot find an
acceptable offering in the eMP aggregated catalog that meets its needs. The RFQ may be
issued in order to obtain a special price based on quantity for well-defined items or for a
group of items. The RFQ may also be issued for unique items based on the buyer’s
description. The request is sent to one or more selling organizations, and these may
submit a bid on the RFQ. The selling organizations respond to the RFQ and the buying
organization may select one or more winning responses. The result of the RFQ process
could be an order placed by the buyer or a contract could be created for the negotiated
price. Figure 2.7 shows this process flow in WCS MPE[1].
Now, let’s look at two different mechanisms for extending the RFQ process to a
distributed environment. The first mechanism, referred to as “local RFQ,” exploits the
advantages of aggregating the catalogs at the eMP site, while distributing only the RFQ
process. The second mechanism, which is referred to as “remote RFQ,” allows buyers to
connect to a remote WCBE at a supplier or a remote WCS MPE and issue an RFQ.
For local RFQs, the catalog is hosted at the WCS MPE site where the buyer is registered.
Figure 2.8 shows the process flow for this configuration[1]. The configuration includes the
following parties:
• One or more buyers
• An eMP where the buyers are registered
• One or more remote eMPs
• One or more sellers registered on the remote eMP[1]
The flow starts with the buyer browsing the catalog on the eMP and creating an RFQ.
The RFQ is sent as an XML message to the remote eMP. Upon receiving the RFQ, the
remote eMP notifies the target sellers. Each seller views the RFQ and creates a response
for it. The asynchronous responses are then sent to the eMP as XML messages. The buyer
can check the status of the RFQ at any time. The buyer views the RFQ responses by
logging on to the eMP, evaluates them, and selects a winner. Selecting a winner leads
either to a purchase order or a negotiated contract. The order or the contract is then sent
to the remote eMP or remote seller as an XML message. This solution has the advantages
of an aggregated catalog and allows buyers on one eMP access to sellers on a remote
eMP, and vice versa. It has, however, the previously mentioned limitations of aggregated
catalogs.
For remote RFQs, the catalog is hosted either on the remote eMP where the seller is
registered, or on the remote seller’s Web site. Figure 2.9 shows the process flow for this
configuration[1]. This configuration also involves four parties. The flow starts with the
buyer selecting on the local eMP a registered remote eMP or a remote seller. The eMP
connects the buyer to the remote eMP site. The buyer browses the catalog on the remote
eMP and creates an RFQ template. The RFQ template is then sent as an XML message to
the eMP. The RFQ template received from the remote eMP is converted into RFQ by
providing additional information. It can then be optionally submitted for approval.
Finally, it is sent to the remote eMP or remote seller as an XML message. The remote
eMP notifies the target sellers. The sellers view the RFQ and create responses for it. The
responses are then sent to the local eMP as XML messages. The buyer views the RFQ
responses by logging on to the eMP, evaluates them, and selects a winner. Selecting a
winner leads either to an order or to a negotiated contract. The order or the contract is
then sent to the remote eMP or remote seller as an XML message.
This solution overcomes the limitations of aggregated catalogs for such asynchronous
trading mechanisms, and allows buyers on one eMP access to sellers on a remote eMP,
and vice versa. This comes at the price of losing the advantages of aggregated catalogs.
Now, let’s look at how the exchange could be used to enable punchout between a buyer
and a supplier using different protocols. Although this example is limited to punchout, the
protocol exchange can cover many other common B2B interactions, such as shopping
cart processing and order processing.
Unlike some kinds of protocol conversions, most B2B protocol conversions cannot be
achieved in a stateless manner, that is, in a manner in which the protocol converter has no
knowledge of prior events or message exchanges. This is because many of the protocols
refer to the session state or to prior messages. In other words, a B2B protocol involves
not only message formats, but also message flow and the state of the interchange process
between business partners. Thus, session state management is required along with
message format translation.
Now, let’s look in some detail at a punchout operation such as an Ariba cXML punchout
between a buyer and a supplier that use the same protocol. The data flow is illustrated in
Figure 2.5, shown earlier. The numerals refer to the process steps described here. To
purchase from a network catalog, the buyer typically uses a browser to interact (step 1)
with the procurement system, and through the procurement system, establishes a
connection to a network catalog hosted on the supplier’s behalf. The procurement system
thus sends a login request (step 2; a cXML PunchOutSetupRequest) to the supplier
system. The login request contains the credentials (userid/password) of the procurement
system, a session identifier (<BuyerCookie> in cXML), and the postback URL, which is
the HTTP URL at which the procurement system accepts the completed purchase
requests (in step 7). The supplier system authenticates the request and responds (step 3)
with the URL for accessing the network catalog (in a cXML PunchOutSetupResponse).
The procurement system then redirects the browser to the network catalog URL (step 4),
and the buyer connects directly to the network catalog system (step 5) bypassing the
procurement system.
As previously described in some detail, the punchout operation illustrated in Figure 2.5
(between a buyer and a supplier) uses the same protocol. In the event the buyer and
supplier use different protocols, they will be unable to support a punchout interoperation
unless some mechanism such as the protocol exchange is used. The data flow is shown in
Figure 2.11[1].
When using a protocol exchange for this mapping, the procurement system is configured
to treat the exchange as the supplier system. The initial login request (step 2a in Figure
2.11) is sent to the exchange rather than the target supplier system. The processing
required at the exchange at this point may be fairly involved. Typically, the protocol
conversion involves two different authentication domains (the source protocol and the
target protocol). The exchange must validate the incoming credentials and generate the
outgoing credentials for the target protocol domain. In addition, the incoming request
typically has an associated session ID (BuyerCookie), which must be recorded and
mapped to an equivalent session ID in the target protocol. Also, the postback URL must
be saved, and the URL of the exchange must be substituted in the outgoing message.
Finally, the target supplier system must be identified, and the converted request must be
passed as a new login request (step 2b) to the target supplier system.
When the login response (step 3a) is received by the exchange, the response is converted
into a protocol A response by the exchange and is returned to the procurement system
(step 3b). The procurement system redirects (step 4) the browser to the network catalog
site, and the shopping session (step 5) takes place directly between the buyer’s browser
and the network catalog site. At checkout time, the browser accepts the contents of the
shopping cart in protocol B format (step 6), and sends it to the exchange (step 7a) rather
than to the procurement system, due to the substitution of the exchange URL for the
procurement system URL in the protocol A login response. In order to process the
checkout, the exchange creates a new checkout page, with the shopping cart converted
into the protocol A format, and returns this page to the buyer’s browser (step 7b). The
target URL of the “checkout” button on this page is the postback URL of the procurement
system, which was saved during the translation of the login request in step 2a. The buyer
is instructed to perform a second checkout operation (step 7c), which causes the purchase
request to be submitted to the procurement system for approval. The second checkout
may be hidden from the user by using scripting (JavaScript) in the HTML page generated
by the exchange.
This particular punchout description is one example of how the exchange flows might
operate. Specific protocol flows will vary in the exact details. The protocol exchange
runtime is constructed from a set of common protocol objects (Login, ShoppingCart,
Order), with plugins for specific functions of the various protocols. For example, the
mySAP inbound logon plugin accepts a mySAP logon request and converts it to an
internal logon object. The cXML outbound logon plugin converts the logon object into a
cXML PunchOutSetupRequest. The various shopping cart plugins convert shopping
carts in different protocols into a common ShoppingCart object. The exchange also
contains code to map between credential domains (from Ariba Network IDs to mySAP
OCI userid/password). Finally, there is a state management framework to maintain the
state of a session and keep track of message content (such as the postback URL), which
must be extracted from one message, temporarily saved, and replaced in a subsequent
message.
The B2B interaction between two parties is defined within the protocol exchange as a
series of plugin transformations to be performed. One plugin accepts a message and turns
it into a common object. A subsequent plugin takes the object and issues it as a message
in a different protocol. There is no implicit assumption, for example, that a cXML
punchout to a supplier will result in the supplier returning the shopping cart in cXML
format, or that a shopping cart returned in cXML format is to be followed by an order to
the supplier in cXML.
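The exchange flow described above (steps 2a to 7c) and the plugin design of the preceding paragraphs, as an added Python sketch that is not code from the book or from IBM's product: two inbound plugins, two outbound plugins, and an exchange that validates the domain A credentials, maps the BuyerCookie to a fresh session identifier, saves and substitutes the postback URL, and restores both at checkout. The message layouts are simplified, constructed approximations (the cXML-style XML and the NEW_ITEM form fields), and every URL, identity and secret is a hypothetical sample value.

```python
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample credential tables for the two authentication domains (a real
# exchange would consult a credential store, not module constants).
PROTOCOL_A_SECRETS = {"AN01000001234": "shared-secret-A"}          # domain A identity -> shared secret
PROTOCOL_B_LOGINS = {"AN01000001234": ("buyer_user", "buyer_pw")}  # domain A identity -> domain B userid/password
EXCHANGE_POSTBACK_URL = "https://exchange.example/checkout"        # hypothetical URL of the exchange

@dataclass
class Login:
    """Common Login object: produced by inbound plugins, consumed by outbound ones."""
    identity: str
    secret: str
    session_id: str    # BuyerCookie in protocol A
    postback_url: str  # where the finished shopping cart is to be posted

@dataclass
class ShoppingCart:
    """Common ShoppingCart object; items are (part_number, quantity, unit_price)."""
    session_id: str
    items: list = field(default_factory=list)

def protocol_a_inbound_login(xml_text: str) -> Login:
    """Inbound plugin: parse a simplified, constructed cXML-style PunchOutSetupRequest."""
    root = ET.fromstring(xml_text)
    cred = root.find("./Header/Sender/Credential")
    setup = root.find("./Request/PunchOutSetupRequest")
    return Login(cred.findtext("Identity", ""), cred.findtext("SharedSecret", ""),
                 setup.findtext("BuyerCookie", ""), setup.findtext("BrowserFormPost/URL", ""))

def protocol_b_inbound_cart(fields: dict) -> ShoppingCart:
    """Inbound plugin: constructed protocol B fields NEW_ITEM-<n>-PART/QTY/PRICE -> ShoppingCart."""
    items, n = [], 1
    while f"NEW_ITEM-{n}-PART" in fields:
        items.append((fields[f"NEW_ITEM-{n}-PART"], int(fields[f"NEW_ITEM-{n}-QTY"]), fields[f"NEW_ITEM-{n}-PRICE"]))
        n += 1
    return ShoppingCart(session_id=fields["SID"], items=items)

def protocol_a_outbound_cart(cart: ShoppingCart) -> str:
    """Outbound plugin: ShoppingCart -> simplified cXML-style PunchOutOrderMessage."""
    items = "".join(f'<ItemIn quantity="{q}"><ItemID><SupplierPartID>{p}</SupplierPartID></ItemID>'
                    f"<UnitPrice>{u}</UnitPrice></ItemIn>" for p, q, u in cart.items)
    return f"<PunchOutOrderMessage><BuyerCookie>{cart.session_id}</BuyerCookie>{items}</PunchOutOrderMessage>"

class ProtocolExchange:
    """Bridges a protocol A punchout to a protocol B supplier, keeping the per-session state
    (BuyerCookie, postback URL) that a stateless converter could not carry between messages."""
    def __init__(self):
        self.sessions = {}  # exchange session id -> state saved from the protocol A login (step 2a)

    def convert_login(self, xml_text: str) -> dict:
        """Step 2a -> 2b: protocol A login request in, constructed protocol B login fields out."""
        login = protocol_a_inbound_login(xml_text)
        # validate the incoming credentials in domain A (constant-time comparison)
        expected = PROTOCOL_A_SECRETS.get(login.identity, "")
        if not secrets.compare_digest(expected, login.secret):
            raise PermissionError("protocol A authentication failed")
        user, password = PROTOCOL_B_LOGINS[login.identity]  # outgoing credentials for domain B
        # map the BuyerCookie to a fresh, unguessable exchange session id and save the postback URL
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"buyer_cookie": login.session_id, "postback_url": login.postback_url}
        # substitute the exchange's own URL for the procurement system's postback URL
        return {"USERNAME": user, "PASSWORD": password, "HOOK_URL": f"{EXCHANGE_POSTBACK_URL}?SID={sid}"}

    def convert_login_response(self, catalog_url: str) -> str:
        """Step 3a -> 3b: the protocol B catalog URL becomes a protocol A style setup response."""
        return f"<PunchOutSetupResponse><StartPage><URL>{catalog_url}</URL></StartPage></PunchOutSetupResponse>"

    def convert_checkout(self, fields: dict) -> tuple:
        """Step 7a -> 7b: cart posted to the exchange -> (saved postback URL, protocol A cart).
        The session entry is consumed, so a replayed checkout cannot reuse it."""
        state = self.sessions.pop(fields.get("SID", ""), None)
        if state is None:
            raise KeyError("unknown or already used exchange session")
        cart = protocol_b_inbound_cart(fields)
        cart.session_id = state["buyer_cookie"]  # restore the procurement system's own session id
        return state["postback_url"], protocol_a_outbound_cart(cart)

# Constructed sample login request (step 2a) in the simplified cXML-style layout parsed above.
SAMPLE_SETUP_REQUEST = (
    '<cXML><Header><Sender><Credential domain="NetworkId"><Identity>AN01000001234</Identity>'
    "<SharedSecret>shared-secret-A</SharedSecret></Credential></Sender></Header>"
    '<Request><PunchOutSetupRequest operation="create"><BuyerCookie>cookie-42</BuyerCookie>'
    "<BrowserFormPost><URL>https://procurement.example/punchout/return</URL></BrowserFormPost>"
    "</PunchOutSetupRequest></Request></cXML>")

def run_punchout_demo() -> dict:
    """Drive steps 2a/2b, 3a/3b and 7a/7b once over the constructed sample and return the results."""
    exchange = ProtocolExchange()
    b_login = exchange.convert_login(SAMPLE_SETUP_REQUEST)
    sid = b_login["HOOK_URL"].split("SID=")[1]
    a_response = exchange.convert_login_response("https://supplier.example/catalog")
    cart = {"SID": sid, "NEW_ITEM-1-PART": "P-100", "NEW_ITEM-1-QTY": "3", "NEW_ITEM-1-PRICE": "9.50"}
    postback_url, a_cart = exchange.convert_checkout(cart)
    return {"b_login": b_login, "a_response": a_response, "postback_url": postback_url,
            "a_cart": a_cart, "sessions_left": len(exchange.sessions)}
```

The hidden second checkout (step 7c) is the procurement system receiving the returned protocol A cart at the saved postback URL; the sketch stops at producing that URL and cart.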
This flexibility is necessary to accommodate some of the interactions that are common
today. As an example, the SAP Open Catalog Interface allows the shopping cart to be
returned in either XML or HTML, depending on the configuration of the buyer’s
procurement system. Some of the private buyer and supplier marketplaces are
implemented using combinations of different protocols. A supplier might expect an OBI
logon from which it might return a cXML shopping cart to the purchasing system. And,
the subsequent order may have to be transmitted in EDI, because the supplier’s EDI order
processing system was in place, running over a value added network long before the
supplier had implemented any B2B interactions over the Internet.
Finally, it is hoped the various electronic commerce dialects will someday coalesce into a
smaller and more concise set. But until then, it seems that something like a B2B protocol
exchange will be required to bridge the communication gap between prospective trading
partners.
[1] Dias, D. M., Palmer, S. L., Rayfield, J. T., Shaikh, H. H., and Sreeram, T. K., “E-Commerce Interoperability with IBM’s WebSphere Commerce Products,” IBM Systems Journal, © Copyright 2002 IBM Corporation, 1133 Westchester Avenue, White Plains, New York 10604, United States (2002): pp. 272-286.
[2] Ferguson, Renee Boucher, “E-Sourcing Apps Lead to Time Well-Spent,” eWeek, © Copyright 2003 Ziff Davis Media Inc., 28 East 28th Street, New York, New York 10016-7930 (March 2002): p. 18.
Summary
The best way to encourage future growth of the global information economy is to learn
from the past. Centers of e-commerce technology activity continue to emerge around the
world: the original Silicon Valley in California, joined by Silicon Alley in New York City,
Silicon Forest in Seattle, or even Silicon Dominion in the State of Virginia, is mirrored by
the emergence of Silicon Glen in Scotland and Silicon Plain in Finland. Other
concentrations of expertise, equipment, and infrastructure include the Research Triangle
in North Carolina, the Route 128 Corridor in Massachusetts, the Intelligent Island in
Singapore, and the Multimedia Super Corridor in Malaysia.
Some of these centers developed naturally; others were created and fostered by
governments that provided financing, tax relief (for imported equipment or income
earned), open immigration for “knowledge workers,” and telecommunications
infrastructure. Each of these centers embraced the fact that collecting industry experience
and expertise in a specific area promotes “critical mass” and synergies, thus fostering
faster e-commerce technological development in that region’s economy.
The same can hold true with regard to users. The world has a population of over six billion
people, yet there are only 900 million telephone lines in existence. Many of the world’s
citizens have never made a telephone call, let alone used the Internet. How can this be
changed?
The United Nations Educational, Scientific and Cultural Organization (UNESCO) offers
one approach to this problem. UNESCO suggests the establishment of public access
communication and information services, known as Telecentres. These centers are being
developed across Africa, either as standalone facilities or by adding PCs to schools,
libraries, police stations, and clinics.
Private Telecentres and telekiosks have been established in Ghana, Kenya, and Senegal,
among other countries. Built on the principle that sharing the expense of equipment,
skills development, and access among a large group helps to cut costs and make
information services viable in remote areas, UNESCO has helped foster these technology
hubs across the continent of Africa. It has even developed a “Community Telecentre
Cookbook for Africa,” a how-to guide on establishing and operating Telecentres.
In addition to a general discussion of e-commerce technology, this chapter also covered
various business-to-business connectivity protocols between procurement systems,
private marketplaces, and suppliers. The chapter described how WCBE-based suppliers
and private marketplaces can connect to diverse procurement systems, other suppliers,
and external private marketplaces. Specifically, the chapter showed how WCBE-based
suppliers and WCS MPE-based marketplaces can connect to buyers at procurement
systems that use punchout, such as Ariba, Commerce One, and mySAP. The chapter then
described how a WCS MPE-based supplier or private marketplace could originate a
punchout process in order to connect to either an external supplier or another private
marketplace.
Next, the chapter outlined the types of trading mechanisms that can be supported by
existing punchout protocols and the asynchronous trading mechanisms, such as RFQs,
which require extensions to the punchout mechanisms. Although these mechanisms can
be used across WCS MPE-based suppliers and private marketplaces, such mechanisms
need to be standardized in order to enable them to connect to suppliers and marketplaces
provided by other vendors.
The chapter also described B2B/M2M Protocol Exchange, a tool that IBM has
implemented that can map between various protocols used by different procurement
systems. It allows a supplier using one protocol to connect to a procurement system or
private marketplace that uses a different protocol.
Finally, the WCBE-based Commerce Integrator, with support for B2B procurement
protocols as described earlier in the chapter, has been used to connect ibm.com, as a
supplier, to enterprises using diverse procurement systems and to private marketplaces.
Although this chapter focused on the external partner B2B protocols, a large part of the
integration effort for suppliers is the tie-in to internal processes, such as the processes to
handle purchase orders. Other complementary products, such as IBM’s WebSphere MQ
and WebSphere Business Integrator, are key to completing the picture for end-to-end
integration.
Chapter 3: Types of E-Business Models and Markets
“Do not quench your inspiration and your imagination; do not become the slave of your
model.”
Overview
In the past two years, e-business seems to have permeated every aspect of daily life. In
just a short time, both individuals and organizations have embraced Internet technologies
to enhance productivity, maximize convenience, and improve communications globally.
From banking to shopping to entertaining, the Internet has become integral to daily
activities. For example, just 23 years ago, most individuals went into a financial
institution and spoke with a human being to conduct regular banking transactions. Ten
years later, individuals began to embrace the ATM machine, which made banking
activities more convenient. Today, millions of individuals rely on online banking services
to complete a large percentage of their transactions.
The rapid growth and acceptance of Internet technologies has led some to wonder why
the e-business phenomenon did not occur decades ago. The short answer is: it was not
possible. In the past, the necessary infrastructure did not exist to support e-business. Most
businesses ran large mainframe computers with proprietary data formats. Even if it had
been achievable to transfer data from these large machines into homes, the home
computer was not yet a commodity, so there were few terminals outside of business to
receive information. As PCs became more popular, especially in the home, the ability to
conduct e-business was still restricted because of the infrastructure required to support it,
including backend customer and supplier interaction along with credit card processing
systems.
To set up an e-business even eight years ago would have required an individual
organization to assume the burden of developing the entire technology infrastructure, as
well as its own business and marketing strategies. Today, the challenge of e-business is
integration. There are industry-leading companies that have solved the difficult task of
developing individual Internet-based products and services that handle many of the issues
surrounding customer and supplier interactions. However, the ability to integrate these
technologies and services based on sound business and marketing strategies, operating on
a real-time basis, can be a monumental undertaking.
It is no secret that today’s e-business has the potential to transform the business
landscape. Whereas in the past, a company’s business model was the primary
determination of its value, today, a company is valued on its strategy, business model, and
ability to market. With technology driving new competition, a Fortune 500 stalwart that
once seemed unstoppable is now challenged by a start-up that uses Internet technologies
and integrates its systems and processes more effectively. By capitalizing on a
sustained business proposition and correctly applying technology, these start-ups are able
to significantly reduce the barriers to entry while dramatically increasing their market
reach. For e-businesses, the premise “first to market equals first to success” is often the
case; however, the foundation needs to be laid carefully. A disciplined approach to
evaluating the business opportunity, and correctly assessing how a competitive advantage
may be gained using Internet technologies combined with leveraging the existing
investment, is key to a successful e-business. It is just such an approach that is defined as
the e-business model (see sidebar, “Defining the Real E-Business Models”).
Many Internet firms witnessed a meteoric rise in their stock values in the late 1990s, only
to crash in 2000. For instance, Drkoop.com Inc. in Austin, Texas, announced its initial
public offering at $9 per share in June of 1999. The price rose to more than $30 per share,
but then plummeted to less than $1 per share.
Given the carnage among dot-com stocks recently, what type of online business models
are expected to succeed in the future? Businesses need to make more money than they
spend. The new model is the old model, but technology is essential to maintain a
competitive advantage, and cash flow is more important than ever.
For example, Yahoo Inc. in Santa Clara, California, has always operated a successful
portal site, providing content and an Internet search engine. However, many portal sites,
such as Go.com, MSN.com, and AltaVista.com, have fallen on hard times.
The idea behind portals is the same as that behind television advertising: aggregating
eyeballs and directing them toward advertisements. But, television viewers are passive,
and people need to wait through the ads to see the shows they want to watch.
However, the Web doesn’t work that way. Content presentation is not serial. Viewers are
active, not passive. There are always millions of places to go. No Web advertisement can
match a 20-second TV spot.
Many of the failing companies were operating on a first-to-market strategy. Their hope
was that by getting their ideas out ahead of the market, consumers would develop brand
loyalty before competitors arrived.
First-to-market as a business model has always been risky. You are vulnerable because
you have nothing proprietary, need vast funding, and rely on rapid deployment.
So why did investors and venture capitalists get caught in such speculative and irrational
investments? Investors felt they were investing in technology, when they were really
investing in retailers and distributors. These companies have small profit margins. They
couldn’t justify their valuations in typical price/earnings ratios. When does it turn
profitable? Companies such as Amazon.com have yet to answer that.
One segment of the business-to-consumer world that’s thriving is niche markets. For
example, RedEnvelope Gifts Inc., which launched in 1997 as 911gifts.com, began as a
last-minute gift site, but now markets more than 5,000 items that are unique to the site.
Customers seem willing to pay a premium for RedEnvelope-edited selection and
enhanced customer service. The company has $70 million in sales, with a 57-point profit
margin.
There needs to be a quick path to profitability. And, the ultimate metric is margin. There
are three levers to achieving margin: edited selection, customer service, and inspirational
branding.
Is the model buyer- or seller-centric? What is the driving force of the business?
The greatest strength of the Internet is its ability to bring together people, governments,
and businesses and facilitate the flow of information among them. This is one of the main
reasons why business models for business-to-business online marketplaces are expected
to succeed.
It’s clear that the Internet is a viable platform for B2B trade. According to Forrester
Research Inc. in Cambridge, Massachusetts, a projected $4.9 trillion in business-to-
business (B2B) transactions will be made online by 2004.
But private marketplaces being formed by industry leaders represent a more successful
model. These real-time supply chains and e-business design systems are phasing out the
more expensive and inflexible electronic data interchange networks.
The real surprise here is how hard it is to become profitable. The cost of branding
technology is so high that consumers still use a catalog. A Web site is just another
channel.
E-Business Models
The emerging e-business market affords companies of all sizes and types the opportunity
to leverage their existing assets, employees, technology infrastructure, and information to
gain or maintain market share. For example, in the telecommunications industry, service,
rather than technology, is now the key differentiator. With lower barriers to entry, new
competitors are rapidly entering the market offering new services, such as online bill
presentment and payment, and leveraging their unique digital assets.
Building an e-business (an integrated value chain) that leverages the Internet’s
communications capabilities is a complex undertaking. The complex integration
requirements of the business solutions, all performing at extremely high levels of
availability and scalability, require an e-business model architectural approach. The value
chain (comprised of the traditional supply chain management functions, planning,
procurement, and inventory management, coupled with the customer-facing functions,
typically referred to as customer relationship management) has integration and
performance demands that exceed the requirements seen in traditional businesses. In a
successful e-business, all of these areas are tightly integrated to provide an organization
the ability to quickly and efficiently sell, manufacture, and deliver products or services.
Such an e-business model comprises three elements:
• Solid strategies
• Knowledge management techniques applied to a company’s information and
intellectual assets
• Effective e-business processes typically grouped in the customer relationship
management (CRM), supply chain management (SCM), and core business
operations domains[1]
Solid Strategies
Strategy and execution are key to developing and sustaining a successful e-business.
Only those organizations that successfully integrate key business strategies and processes
dramatically increase their efficiencies. To be successful, organizations must also form
the right strategic relationships and develop efficient business processes with robust
backend solutions that are able to meet users’ demands for real-time service today and
into the future.
In the past, businesses had the luxury of developing business strategies in the boardroom
and IT strategies in the IT department. They then brought these strategies together to run
the overall business. E-businesses cannot afford this luxury. The ability to react and
change direction is critical. Speed is everything. Grounding the organization with sound,
winning strategies is key.
The best example of this is Dell Computer. From the start, the company’s business
strategy was tightly aligned with its IT strategy, allowing Dell to successfully integrate
every aspect of its business (from order taking to inventory to billing) with both its
customers and suppliers. Dell vaulted to the forefront of its industry when it came to
market with a winning strategy, the unique just-in-time-delivery model. Unlike traditional
computer suppliers, Dell’s business strategy was founded on the premise of zero
inventory.
Similarly, online brokerage companies have been leaders in the area of integrating IT and
business strategies. The rapid adoption of Internet technologies combined with market
globalization, industry deregulation, and media convergence has afforded these
companies the opportunity to gain share and create value in the e-business marketplace.
Every business has both tacit and explicit knowledge: tacit knowledge is what is "known"
in the company but never written down, and explicit knowledge is what has been
documented. This knowledge may include information about products and services or
information about how the company works with a particular supplier. Whatever type of
knowledge an e-business has, the company must put processes in place for organizing it.
In every successful e-business, the business process domains (CRM, SCM, and core
business operations) are an integral part of the continuous optimization process. The
advantage and, thus, the return on investment for an e-business integrating its business
process domains is that it extends the organization’s business directly to customers and
suppliers.
When business process domains are integrated, they can increase productivity and
improve customer and supplier satisfaction. For example, when a repeat customer views a
successful e-business’s Web site, an integrated CRM system presents that individual with
offers or items of interest based on previous orders. After the customer places an order,
this same e-business allows that individual to view the status of his order in real time as it
moves through the supply chain.
Business process domains are aggregations of core business processes. The domains (CRM,
SCM, and core business operations) have grown in popularity as entities in their own
right, each commanding mind-share in the marketplace and attracting its own vendors and
products. Even so, these domains must operate together as a key component of the overall
e-business strategy (see Figure 3.2)[1].
In a successful e-business, convergence is the driving connection of all of the business
process domains. When there appears to a customer or a supplier to be no barrier between
departments, the business process domains are tightly integrated with the business and IT
strategies.
In the past, customers would place an order via the telephone and wait until the
company’s purchasing department processed and shipped the order. Today’s customers
place an order electronically and then demand to be able to check the status of their order
within minutes.
Analytical CRM: The analysis of data created on the operational side of the CRM
equation for the purpose of business performance management; utilizing data
warehousing technologies and leveraging data marts
Customer interactions: Sales, marketing, and customer service (call center, field
service) via multiple, interconnected delivery channels and integration between front
office and back office
Integration of the SCM functions is emerging as one of the greatest challenges facing
today’s e-businesses. SCM is the integration of business processes from end user through
to original supplier. The goal of SCM is to create an end-to-end system that automates all
the business processes between suppliers, distribution partners, and trading partners. The
new mantra for this process, according to industry analysts, is “replacing inventory with
information.” In an effective e-business, the following SCM processes, independent as
they are, must be highly integrated (see Figure 3.3)[1]:
Demand management: These are shared functions, including demand planning, supply
planning, manufacturing planning, and sales and operations planning.
Supply management: These include products and services for customer order
fulfillment[1].
Core Operations
E-businesses also need to develop and operate complex transaction processing systems
that support their core business operations (see Figures 3.4 and 3.5)[1]. These core
operations include the operational systems that support their particular business, such as
claims processing, trade execution, enterprise resource planning (ERP), and enterprise
resource management (ERM).
Now, let’s look very briefly at types of e-business markets. In other words, let’s look at
how Web developers respond to your clients’ needs in an e-business-driven marketplace.
[1]
Agarwal, Bipin, “Defining the E-Business Model,” Tanning Technology Corporation,
4600 South Syracuse Street, Denver, CO 80237, March 22, 2000.
E-Business Markets
Web sites and intranets are designed for the same reason—to provide information. In the
business world, this information needs to be updated and changed constantly in order to
stay abreast of a changing business climate. New product releases, price changes, and
marketing promotions are just a few examples of information that companies need to
constantly provide to their customers, suppliers, employees, and shareholders. In today’s
world of e-commerce and intense corporate competition, companies need the ability to
instantly update published information in order to effectively communicate with their
intended audience. Today’s companies know that they have to have a dynamic and
interesting Web presence, but they are struggling to find ways to effectively manage their
Internet strategy. Traditional advertising agencies and Web development firms are no
longer meeting the all-encompassing Internet requirements necessary for businesses in
today’s e-commerce-driven marketplace. Companies are looking for advertising agencies
and Web development firms that address their initial Web development needs while also
providing them with viable, affordable solutions that are designed to address, implement,
and manage their overall Internet strategy.
Historically, companies outsourced the development of their Web sites because
creation and maintenance required design and programming expertise. However, relying
on third parties for all site maintenance limited a company’s ability to quickly and easily
update its published information. To solve this problem, many companies decided to
bring Web site and intranet development in-house. Companies then discovered that hiring
the necessary skilled personnel comes with its own set of problems. Information
“bottlenecks” still occur when a company has one or two people in the internal IT
department who are bombarded with the responsibility of publishing all company
information. In addition, companies are also finding that Web site designers are hard to
find and even harder to keep. The recurring theme in the market is that companies are
recruiting individual Web designers to build and maintain their Web sites and intranets in-
house only to find that after several months of development, the designer may be lured
away by the promise of a more exciting and rewarding career. This “catch 22” has left
companies looking for some additional alternatives. Companies are turning toward their
advertising agencies and Web development firms to provide the solution to this problem.
Octigon provides the software that addresses this “catch 22” and enables Web developers
to meet the increasing demands of the business marketplace. Market trends have caused
Web site management to become an arduous task, with sites evolving to meet the needs
of e-commerce and e-business.
Summary
The e-business market affords organizations of all sizes and types the opportunity to
leverage their existing assets, employees, technology infrastructure, and information to
gain or maintain marketshare. However, the challenge for the organization is to turn the
vision and the market opportunity into a sustainable e-business.
Finally, the need for an integrated value chain challenges the e-business to optimize its
intellectual assets and its investments in core business systems in order to deliver its
products and services to an unpredictable market. It is this unpredictable nature that
challenges the IT organization to deliver the highly scalable and available infrastructure.
Additional challenges include the unique nature of an e-business and the tight linking of
the business operations to a technical infrastructure. A disciplined and architected
approach based on an e-business model provides the framework needed to build complex
business processes and technical infrastructures that the market is increasingly
demanding.
Chapter 4: Types of E-Commerce
Providers and Vendors
“When nations grow old, the arts grow cold and commerce settles on every tree.”
Overview
The Internet has proven to be a disappointment for many retailers and manufacturers, even
though online sales channels were hyped as both efficient and virtual. First generation e-commerce
adopters now find themselves mired in technology bearing little in common with their
core businesses, because they invested in an infrastructure often costing hundreds of
millions of dollars. Today, industry analysts estimate that one-time e-commerce setup
costs, including technology and labor, range from $22 million to $42 million, depending
on transaction volume (5,000 to 25,000 transactions/day) for companies building from
scratch. Very few companies make money, and even fewer return an attractive ROI at
those levels.
For many companies demanding online profitability and reliability, the traditional
buy/build approach is no longer the best option. Without ever buying a piece of software
or hardware, new business architectures enabled by e-commerce Internet service
providers (ECISPs) allow companies to establish fully customized online sales channels.
Under guarantees of world-class service delivery, the ownership, integration, and ongoing
management of this infrastructure can be outsourced. By freeing retailers and
manufacturers to focus on their brand, merchandise, and customers—not the technology,
ECISPs radically improve the attractiveness of e-commerce.
This chapter examines types of ECISPs and vendors. It addresses three topics: how the
next generation ECISP architecture delivers complete, one-stop online sales channels,
which major advantages companies gain by outsourcing their e-commerce infrastructure,
and why many early adopters have struggled with the first generation buy/build approach.
You will also learn how an ECISP architecture enables manufacturers and retailers to
achieve profitability at $50 million to $290 million in online sales, avoid managing
numerous integration and third-party service relationships, ensure reliability and
scalability in your Web site and order processing, focus your organization on real profit
drivers—not technology, and upgrade functionality continuously and seamlessly over
time.
With the first generation buy/build approach, each retailer and manufacturer reluctantly
enters the technology management business and replicates an infrastructure that exists at
every other company.
Bits and pieces might be outsourced to gain scale and expertise, but the core technology
platform gets re-created countless times. Drawing a real estate analogy, this would be
similar to all mall-based retailers building, owning, and operating the facilities in which
their stores reside, rather than renting floor space from specialized mall developers. In an
industry that has never invested heavily in IT (under 5% of revenues on average), this
technology ownership approach has proven challenging, especially for midsized retailers
and manufacturers.
The key elements of retail differentiation have long been branding, merchandising, and
customer service. By building e-commerce in-house, organizational focus shifts to
technology management, systems integration, and drop ship order fulfillment. Most
offline companies have limited experience in these areas and struggle to recruit talent in
competitive IT positions. With an average e-commerce staff of 76, multichannel retailers
have seen their organizations balloon beyond expectation to support ongoing problems in
technology and operations.
Scalability and Reliability Struggle
Front-page headlines in 2002 showcased site failures at such leading online retailers as
Toys R Us, eBay, Yahoo!, Amazon, and Wal-Mart. Smaller companies wage less-
publicized, daily struggles to meet consumer expectations for site uptime, response time,
and product shipment. Confirming how difficult most businesses have found owning and
operating a reliable e-commerce infrastructure, industry analysts have found that a
whopping 85% of companies planned to change their commerce software package within
seven months of being surveyed. Even with replacement, the reliability problem persists
because 93% of sites are technically understaffed, and understaffing is hard to remedy:
because of escalating salary demands, equity inflexibility, and less desirable work
environments, offline companies face daunting odds in recruiting against start-ups and
professional services firms. The end result: over 37% of orders fail to reach consumers on time.
Industry analysts have found that 68% of companies have to rely on nine or more
partners to develop and run their Web commerce sites. Systems integration often
constitutes the most important outsourced function because (in a buy/build architecture)
literally dozens of complex linkages must be created across applications, commerce
packages, databases, legacy systems, and third-party services. Unfortunately, most
companies receive less than desired results from their integration partner.
Integrators face intense pressure to deliver committed projects, but little pressure to
improve quality. That’s because demand for integration services exceeds supply, forcing
even the 3,900 major global Web sites to hire whatever service providers they can get.
Vendor clients are confused, too. Stunned by skyrocketing price tags and uneven quality,
clients cut corners, switch vendors, or bring work in-house. Unfortunately, few integrator
customers have enough depth of experience to know what to cut, whom they should turn
to, or how to build complex e-commerce sites themselves.
[1]
“e-business vendors,” © Copyright 2003 eChemPeople, eChemPeople, 131 Shady
Lane, Bolingbrook, Illinois 60440
The Internet selling environment includes a hosted online store featuring customer
management, advanced selling, shopping cart, and order processing functionality.
Although the ECISP builds and hosts the store, clients retain complete control over
design elements and merchandising. Consumers see only the client’s brand, content, and
merchandise. The ECISP handles everything technical, including site uptime, response
time, and the management of customer shopping sessions. The ECISP also handles tax
calculation, payment processing, data encryption, order routing, and customer e-mail
notification.
Integrated business applications and services include a full suite of tools and services to
manage the online channel, including merchandise planning, storefront management,
marketing, fulfillment, and customer service. These applications allow clients
considerable flexibility. Companies can choose to fulfill orders in one or a combination of
ways: in-house warehousing and fulfillment, third-party logistics services using a
preintegrated provider, and/or drop shipping using preintegrated vendors. Similarly,
clients can perform customer service in-house, or they can outsource this service to a
preintegrated call center. In either case, account management and advanced CRM
applications support the service representatives. Marketing applications and services
include e-mail campaigns and affiliate programs. Storefront management applications
include catalog management, pricing and promotions, and content management. And
finally, merchandise planning includes optional applications for seasonal planning,
demand forecasting, replenishment, and purchase order management.
Business intelligence service (BIS) includes real-time reports, advanced ad hoc reporting,
and financial data feeds to analyze client business performance. In an ECISP
environment, clients retain ownership of their data and flexibility as to its usage. Clients
receive a combination of direct data feeds (in a format of their choosing) and access to
standard reports delivered through an online portal. With an online analytical processing
(OLAP) package, reporting capabilities become extremely powerful and flexible in terms
of ad hoc design using multiple data sources.
Advisory Service
Thanks to the new ECISP architecture, many companies can for the first time sustainably
conduct e-commerce while selling less than $594 million annually online. With
dramatically lower up-front costs, predictable ongoing fees, and guaranteed operational
reliability, the ECISP architecture equips offline companies with the confidence that their
online business will succeed.
The ECISP architecture enables profitable e-commerce at one tenth the revenues of those
required by traditional buy/build approaches. Based on industry averages for transaction
values and operating costs, branded apparel manufacturers and multicategory retailers
could achieve profitability at between $22 million and $24 million in online sales, if
operating on an Escalate e-commerce platform. Even multicategory pure-plays could hit
profitability at $32 million in sales. These compare to the $84 million to $2.3 billion
breakeven estimates for the traditional architecture discussed earlier. Best of all,
companies earn a far higher return on investment when using an ECISP due to the low
setup costs.
With the ability to focus on profit drivers, the ECISP architecture enables companies to
outsource less important “context” technology functions (customization, integration,
maintenance) while owning “core” business functions (branding, merchandising,
service). Companies typically require at most one IT employee to interface with their
ECISP provider. In fact, most companies require just 8 to 12 employees to run their entire
online business, as compared to staffing averages for those who build/own (76 for store-
based retailers and 90 for pure-plays). With an ECISP, employees focus on core business
functions, including marketing, merchandising, and content management—not the
technology.
Third-Party Service Relationships and Management of Integration Reduction
When using an ECISP, companies may require as few as one additional e-commerce
relationship, that with a Web design firm. The ECISP translates the design work into a
functioning Web storefront, thereby simplifying even that relationship. Some companies
will also choose to hire a third-party consulting firm to perform implementation on the
ECISP architecture.
Having preintegrated all other third-party applications and services, the ECISP ensures
ongoing quality of performance, freeing the client to focus on running the business. For
example, should a client desire to outsource customer service, the ECISP recommends
one or more providers based on the client’s specific requirements, from the service
providers that have already been integrated. The ECISP handles ongoing service provider
integration, data transmission, billing, and quality monitoring. The client focuses on the
real business drivers: service policies and representative training.
Solution Dynamics
Finally, the dynamic solution here is the continuous upgrading and addition of new
functionality. By managing a single, multitenant architecture, ECISPs can continuously
enhance applications, features, and functionality for all clients simultaneously. An
analogy can be drawn to telephone companies (telcos). When a telco adds a new feature
like call waiting, the telco can immediately make it available to any customer on their
network. Similarly, as the ECISP adds a new feature like digital gift certificates, every
client can receive it on their site. And, because ECISPs must continuously innovate on
behalf of their broad network of clients, each individual company can expect frequent
platform improvements that keep them ahead of their competition.
Summary
Selling online has become an imperative for retailers and an increasing number of
manufacturers. Recognizing that a 24 percent loss in customers can completely eliminate
the profitability of their offline stores, retailers have raced to drive e-commerce growth to
$77 billion in 2004 (6.8% of U.S. retail). By mid-2005, over 95 percent of the largest
U.S. retailers (over $60 billion in annual sales) will be e-commerce enabled. And, for
midsized retailers ($900 million to $60 billion in sales), over 85 percent will be selling
online. Yet these adopters face a fundamental challenge: using the first generation
buy/build architecture, many cannot make money at e-commerce, but none can afford to
avoid trying. For most of them, owning and operating an e-commerce infrastructure does
not make economic or operational sense.
Finally, next generation ECISPs make that ownership unnecessary. They leverage the
Internet itself to deliver a complete online channel solution with guaranteed levels of
performance quality. Companies contract for a fully branded online store, all of the
applications and services required to manage it, and a partner committed to their ongoing
performance improvement. Implementations of 4 to 13 months get accelerated to 4 to 14
weeks, and up-front costs are cut by 64 to 89 percent. From a profitability and reliability
standpoint, businesses can now justify e-commerce to their shareholders and customers.
By enabling companies to focus on their core business, ECISPs unlock the full potential
of online sales channels. ECISPs provide the sustainable e-commerce solution that
manufacturers and retailers have been seeking.
Part II: Designing and Building E-Commerce Web Sites: Hands-On
Chapter List
Chapter 5: E-Commerce Web Site Creation
Chapter 6: Managing E-Commerce Web Site Development
Chapter 7: Building Shopping Cart Applications
Chapter 8: Mobile Electronic Commerce
Chapter 9: Enhancing a Web Server with E-Commerce Application Development
Chapter 5: E-Commerce Web Site Creation
“If God created us in His image we have certainly returned the compliment.”
—Voltaire (1694–1778)
Your business may be small—but the Internet lets you think big. Whatever product or
service your business offers, the Internet levels the playing field and lets you compete
with bigger businesses, reaching customers around the world who can conveniently buy
from you 24 hours a day.
In the competitive world of the Web, however, growing your business and increasing
your profits online requires some careful planning. For every successful e-commerce
business, there are dozens that fail by not addressing basic risks and pitfalls along the
way. So, to take full advantage of the e-commerce opportunity, make sure you base your
Web business on a solid foundation that covers every element of e-commerce:
Establish your identity: The right domain name, or URL, can make the difference
between a memorable e-commerce identity and getting lost in the online crowd.
Find the right online home: For brick-and-mortar stores, location is everything. Your e-
commerce business needs the right home, too. Purchase and set up your own Web server,
or find a home for your site with the right Internet Service Provider (ISP) or Web host.
Build an attractive storefront: With the right tools, creating a Web site is easier than
ever—but following some basic guidelines will help make your site easy and fun for
customers to navigate. And that means more sales for you.
Let customers know they can trust you: In the anonymous world of the Internet,
customers will communicate private information[4], such as credit card numbers or phone
numbers[3], to your e-commerce site only if they’re sure your site is legitimate and the
information they send you is protected. Make sure your site is secure—and that your
customers know it.
Make it easy for customers to pay you: You can set up your site so customers can pay
by simply keying in a credit card number. But then how will you process that transaction?
Make sure you not only offer customers a variety of convenient payment methods, but
that you can process them all.
Let the world know about your site: A memorable domain name, a great-looking
design, and top-notch products and services can make your site successful only if
customers know about it. Don’t neglect promoting your site to drive traffic to it[1].
Clearly, building the elements of e-commerce into your Web business is a big job, but it’s
too important to ignore if you want your e-business to grow and thrive. Just take the
following steps to ensure that your e-commerce business gives you the competitive edge.
Step 1: Establishing Your Online Identity with the Right Web Address
The first step toward e-commerce is selecting the name of your site. Your domain name
(the host part of your Web address, or URL, Uniform Resource Locator) tells customers
who you are and how to find you on the Internet. It is the core of your Internet identity,
your online brand. And, because no two parties can register the same domain name, your
online identity is unique.
What’s in a Name?
Quite a lot, actually. Remember that not only does your domain name tell customers
exactly how to find your business on the Web, but it also communicates and reinforces
the name of your business to every Web site visitor. It can also be used as part of your e-
mail address to establish your online identity. Keep these tips in mind before you choose
a name:
Describe your business: One approach is to simply and logically describe your
business. “Flowers.com” works perfectly for a florist. In addition, if you are setting up an
online presence for an established business, keep the name of your site the same as the
name of your business.
Keep it short: The best domain names are those that customers can remember and type
into their browsers after seeing or hearing them only once, so complicated strings of
words like “onlinecdstore.com” don’t work as well as a simple phrase: “cdnow.com”[1].
How to Get and Manage Domain Names
After you’ve decided on your Web identity, the next step is to determine if it is available
and then register it with a domain name “registrar.” Registering is easy and inexpensive,
so do it as soon as you’ve decided on your domain name to make sure you get the name
you want. Many businesses register a number of variations, just in case they want to use
them later—or to avoid the risk of competitors obtaining similar names. A Scandinavian
financial service company, for example, recently spent more than $5 million to register
7,424 domain names. You also may want to register common misspellings so that all
customers who incorrectly type your address still find their way to your site instead of
receiving an error message.
E-commerce businesses most often register a name with “.com” as the domain name
suffix (the letters after the dot; also called a top-level domain, or TLD), but often also
register their names with “.net” and “.org” (for “organization”). Other suffixes include
“.tv” (the country code for Tuvalu, marketed to television and media sites) and “.edu”
(for schools and universities). The Internet Corporation for Assigned
Names and Numbers (ICANN) recently announced seven new TLDs—.biz, .info, .name,
.pro, .museum, .aero, and .coop.
Tip Network Solutions is one of the leading domain name registrars. To search for an
available name and register it with Network Solutions, go to
http://www.networksolutions.com/catalog/domainname, enter the Web address
you’ve chosen in the designated box, and click “Go!” In seconds, you’ll know if the
name is available. Registering a name costs as little as $30 per year. Note that
registering a domain does not by itself list your site with search engines; if a registrar
bundles search engine submission with registration, treat it as a separate promotional
step (see step 7 later in this chapter).
What happens if the domain name you want is already registered? You can either choose
another name or buy your first choice from whoever got it first. The fact that the name
you want has already been registered doesn’t necessarily mean it is not available for sale.
You can easily find out whether a domain name that has already been registered is for
sale by checking out the domain name marketplace site at http://www.greatdomains.com.
The Internet is global—shouldn’t your business be, too? Registration of multiple domain
names for use around the world protects your intellectual property, brand name, and
trademarks against infringement by global cybersquatters. If you plan to do business in
other countries, you can register country-specific Web addresses (in country-specific
TLDs, such as .it for Italy and .uk for the United Kingdom) with Network Solutions’
idNames search and registration service. But as your business grows, you may find that
registering and managing multiple domain names is a complex, time-consuming process.
IdNames can also consolidate worldwide domain name management into a single
centralized account if you have 50 or more domains. After you’ve established your Web
identity by selecting and registering your domain names, it’s time to build your site.
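The advice above, to register common misspellings of your name and to watch for cybersquatters, can be automated. What follows is an added example, not code from the book or from Network Solutions: a Python script that generates the usual typo and lookalike variants of a domain (dropped, doubled, transposed and adjacent-key characters, digit-for-letter homoglyphs, hyphenation, and alternative suffixes) and reports which of them already resolve in DNS. The keyboard-adjacency and homoglyph tables are assumed subsets chosen for this example, the sample domain and the fake lookup table in the demo are constructed, and the `dns_resolves` function needs network access when used for real.

```python
"""Generate typosquat-style variants of a domain and check which already resolve.

Added example (not from the book). Variant generation is offline; the
resolver is injectable so the report can be produced against real DNS or,
as in the demo below, against a constructed lookup table.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# QWERTY neighbours for "fat-finger" substitutions (assumed subset).
ADJACENT: Dict[str, str] = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Characters that look alike in many fonts (assumed subset).
HOMOGLYPHS: Dict[str, Tuple[str, ...]] = {
    "l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "e": ("3",),
    "s": ("5",), "m": ("rn",), "w": ("vv",),
}

Resolver = Callable[[str], bool]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'cdnow.com' into ('cdnow', 'com'); only single-label suffixes are handled."""
    label, _, tld = domain.strip().lower().partition(".")
    if not label or not tld or "." in tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def variants(domain: str, extra_tlds: Iterable[str] = ("net", "org", "co")) -> List[str]:
    """Return sorted lookalike names a brand owner may want to register or monitor."""
    label, tld = split_domain(domain)
    labels: Set[str] = set()
    n = len(label)
    for i in range(n):
        ch = label[i]
        labels.add(label[:i] + label[i + 1:])            # omission: cdnw
        labels.add(label[:i + 1] + ch + label[i + 1:])   # doubled key: cdnoow
        if i < n - 1:                                    # transposition: cdnwo
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if i > 0:                                        # hyphenation: cd-now
            labels.add(label[:i] + "-" + label[i:])
        for adj in ADJACENT.get(ch, ""):                 # adjacent key: cdniw
            labels.add(label[:i] + adj + label[i + 1:])
        for alt in HOMOGLYPHS.get(ch, ()):               # homoglyph: cdn0w
            labels.add(label[:i] + alt + label[i + 1:])
    labels.discard(label)                                # never report the real name
    names = {f"{v}.{tld}" for v in labels if v}
    names.update(f"{label}.{t}" for t in extra_tlds if t != tld)  # suffix swap
    return sorted(names)


def dns_resolves(name: str) -> bool:
    """Real resolver: True if the name has any address record. Needs network access."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def check_variants(domain: str, resolver: Resolver = dns_resolves) -> Dict[str, List[str]]:
    """Partition the variants into names that resolve and names that do not.

    Resolving is sufficient but not necessary evidence of registration: a
    registered-but-parked name may have no records, so 'unresolved' means
    'worth an availability check', not 'free'.
    """
    resolved: List[str] = []
    unresolved: List[str] = []
    for name in variants(domain):
        (resolved if resolver(name) else unresolved).append(name)
    return {"resolved": resolved, "unresolved": unresolved}


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS; not real data.
    fake_dns = {"cdnow.net", "cdnwo.com", "cd-now.com"}
    report = check_variants("cdnow.com", resolver=lambda name: name in fake_dns)
    print("already resolving:", report["resolved"])
    print("worth checking with the registrar:", len(report["unresolved"]))
```

A name that resolves is certainly taken; one that does not may still be registered but parked without records, so a WHOIS or registrar availability check is the authoritative test before you decide what to register. The same variant list is what you would feed to a periodic monitoring job, since a lookalike that starts resolving is an early sign that someone else has registered it.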
With a domain name in place, you’re ready to start building your e-commerce storefront.
But, before you begin, take some time to plan.
You must first identify clear marketing goals for your site, such as generating leads,
building a database of potential customers’ names and e-mail addresses, or putting a
product catalog online to save the time and expense of printing and mailing. Now, you
need to quantify your objectives (such as increasing sales by 15 percent), so you know
whether or not your site is successful.
Next, you need to figure out what your potential customers need to know before buying
your products and services. This might include:
• An overview of your company, its products and services, and their applications
• Complete product or service descriptions, including features, key benefits,
pricing, product specifications, and other information, for each product or service
• Testimonials, case studies, or success stories so customers can see how similar
individuals or organizations have worked with you
• A frequently asked questions (FAQ) section that anticipates and answers
customers’ common issues[1]
You also need to plan the structure of your site, focusing on making it easy for customers
to learn what they need to know, make a purchase decision, and then buy quickly. In
addition, you need to create a site map that outlines every page on your site from the
home page down and how customers get from one page to the next. Furthermore, you
also need to use tools that quantitatively measure site activity (where customers are
clicking, how often, and whether they end up purchasing), and then compare the results
with your goals.
With a solid plan in hand, you’re now ready to start constructing your e-commerce site.
Many e-commerce businesses turn to professional design studios to create their Web
sites. But, if your budget is limited, many Web site building tools make it fast and easy
for you to create a polished, professional-looking site—with no in-depth HTML
knowledge necessary. For example, Image Café from Network Solutions, is one of the
easiest. It’s an online Web site building tool that lets you choose from a variety of
professional-quality templates and then customize them with your own identity and
information. You can preview your site online while you are building it, and when your
site is finished, you can instantly send it to an Image Café hosting partner to publish it on
the Web (see step 3 later in this chapter to learn more about site hosting). The entire
process can put you on the Internet in less than 24 hours at convenient and affordable
monthly prices.
Now, let’s look at the following basic guidelines. They will help make your site not only
attractive, but also easy for customers to use—and that means easy for customers to buy
from you:
You need to carefully examine your own favorite e-commerce sites. By creatively
adapting the most compelling marketing and design techniques, you will enhance your
site’s effectiveness.
It’s essential that your home page makes a good first impression on visitors. You need to
make sure it clearly presents the following basic elements that customers are always
likely to look for:
• Your company name, logo, and slogan should be prominently displayed. Take full
advantage of the opportunity to showcase your brand identity.
• A link to an “About the Company” page should be available for customers to
quickly learn who you are and what your business offers.
• A site menu listing the basic subsections of your site should be in the same place
on every page throughout your site to make it easy to navigate.
• A “What’s New” section for news, announcements, and product promotions
should be frequently updated to encourage customers to return often.
• Your contact information (phone number, e-mail address, mailing address, and fax
number) should be easy for visitors to find.
• Your privacy statement, clearly describing your business’s policy for protecting
customers’ personal information, should be easy to find[1].
You should not fill up your site with graphics, animations, and other visual bells and
whistles. Instead, you need to stick to the same basic color palette and fonts your
company uses in other communications, such as your logo, brochures, and signage. It’s
important to ensure that images and graphics serve to enhance, not distract from, your
marketing goals. Make sure your text is easy to read—black letters on a white
background may not be terribly original, but they are easier on the eyes than orange type
on a purple background.
You should also test pages to make sure they’re not too overloaded with graphics that
slow load times, and you should minimize the size of your images when possible.
According to the Boston Consulting Group, nearly half of online shoppers surveyed said
they left sites when pages took too long to download. Zona Research estimates that most
Web pages take anywhere from 4 to 12 seconds to load, depending on the user’s modem
and Internet connection (remember: many e-commerce customers shop from home using
slower connections). Most users click away to another site or log off if a page takes more
than eight seconds to load, costing e-commerce businesses billions in lost potential
revenue.
You’ve now completed step 2. You’re now ready to put your site on the Internet.
Your Web site is a series of files that reside on a special computer, called a Web server,
connected to the Internet. For customers to visit your site, they must actually connect to
that Web server via the Internet and view the files. Web servers and the Internet
connections that link them to visitors must be fast and powerful enough to quickly
respond to all the visitors’ requests to view your site.
Many businesses prefer the complete control of purchasing, setting up, and managing
their own Web server hardware and software. Other small- and medium-sized e-
commerce businesses prefer to turn to an ISP or Web hosting company, instead of
investing in the hardware, software, and infrastructure necessary to get online. For a
monthly fee, ISPs and Web hosting companies will connect your site to the Internet at
high speed via one of their Web servers, allowing the site to be viewed by anyone with an
Internet connection and a Web browser. The host provides your site with space on a
server, and also offers Web server software, access to its high-speed Internet connection,
tools for managing and maintaining your site, customer support, e-commerce features,
and more.
There are hundreds of ISP and Web hosting options to choose from, so look for one that
can meet all your needs. You should look for the following in a Web hosting company:
Shared or Dedicated Hosting
Shared hosting is an arrangement in which your site is housed on the same host server
with several other Web sites. This is an economical solution for smaller sites. Paying the
host for your own dedicated server, a solution used by larger and busier sites, means your
site no longer competes with other sites for the server’s capacity, which gives faster
response and more predictable availability (no server is up 100 percent of the time, so ask
what the host actually guarantees). Does your ISP or Web hosting provider offer both
options?
Storage Space
Smaller sites may need only 300–500 MB (megabytes) of Web site storage space,
whereas busier e-commerce sites may need at least 9 GB (gigabytes) of space—or their
own dedicated Web server. As your site grows, your ISP should be able to accommodate
you with a range of options.
Availability
If you run an e-commerce business, your site must be accessible to customers 24 hours a
day. ISPs and Web hosts maximize the availability of the sites they host using techniques
such as load balancing and clustering. Can your ISP promise near-100-percent
availability?
E-mail Accounts
E-mail accounts that match your domain name are often available from your ISP. Are
they included with your monthly access and hosting fee?
SSL Encryption
The security of the credit card numbers, and other personal information that customers
send you, should be a top concern. Does your ISP or Web host protect your site with a
Secure Sockets Layer (SSL) certificate? See step 4 to learn more about Web site security.
Support
A big part of the value of turning to an ISP or Web host is that you don’t have to worry
about keeping the Web server running. Does your host offer 24 x 7 customer service?
With your Internet identity established and your site built and hosted, it’s now time to
turn your online storefront into a thriving e-commerce business. To do it, you must win
your customers’ trust. Eighty-six percent of Web users surveyed reported that a lack of
security made them uncomfortable sending credit card numbers over the Internet. E-
merchants who can win the confidence of these customers will gain their business and
their loyalty—and an enormous opportunity for grabbing market share and expanding
sales.
Three risks in particular stand between you and that confidence:
Spoofing: The low cost of Web site creation and the ease of copying existing pages
make it all too easy to create illegitimate sites that appear to be operated by established
organizations. Con artists have illegally obtained credit card numbers by setting up
professional-looking Web sites that mimic legitimate businesses.
Unauthorized action: A competitor or disgruntled customer can alter a Web site so that
it malfunctions or refuses service to potential clients.
Data alteration: The content of a transaction can be not only intercepted but also altered
en route, either maliciously or accidentally. User names, credit card numbers, and dollar
amounts sent without proper security and encryption are all vulnerable to such
alteration[1].
To take advantage of the opportunities of e-commerce and avoid the risks, you must find
the answers to questions such as:
• How can I be certain that my customers’ credit card information is protected from
online eavesdroppers?
• How can I reassure customers who come to my site that they are doing business
with me, not with a fake set up to steal their credit card numbers?
• After I’ve found a way to authoritatively identify my business to customers and
protect private customer information on the Web, what’s the best way to let
customers know about it, so that they can confidently transact business with me[1]?
So, the process of addressing these general security questions boils down to these goals:
Authentication: Your customers must be able to assure themselves that they are in fact
doing business with you—not a “spoof” site masquerading as you.
Confidentiality: Sensitive information and transactions on your Web site, such as the
transmission of credit card information, must be kept private and secure.
Data integrity: Communication between you and your customers must be protected from
alteration by third parties in transmission on the Internet.
Proof of communication: A person must not be able to deny that he sent a secured
communication or made an online purchase[1].
Digital certificates for your Web site (or “SSL certificates”) address the first three of these
goals. Installed on your Web server, an SSL certificate is a digital credential that lets your
customers verify your site’s identity and communicate with it over an encrypted, tamper-
evident channel. An SSL certificate assures them that the site they reached is the one
named in your domain, that they are really doing business with you, and that confidential
information (such as credit card numbers) is protected in transit. Two limits are worth
stating plainly. First, the certificate binds a key to a domain name (and, for some
certificate types, to a verified organization), so it vouches for who operates the site, not
for how the business handles the data once it arrives. Second, it does not by itself give
proof of communication, because the customer signs nothing; that goal needs a customer-
side credential such as the e-mail digital IDs described later in this chapter.
SSL certificates take advantage of the Secure Sockets Layer (SSL) protocol developed by
Netscape® and its standardized successor, Transport Layer Security (TLS), which has
replaced SSL in every current browser and server (the certificates are still commonly
called SSL certificates). SSL/TLS has become the universal standard for authenticating
Web sites to Web browser users and for encrypting communications between browser
users and Web servers. Because it is built into all major browsers and Web servers,
simply installing a digital certificate, or SSL certificate, enables it.
SSL Server Authentication
SSL server authentication allows users to confirm a Web server’s identity. SSL-enabled
client software, such as a Web browser, can automatically check that a server’s certificate
and public ID are valid and have been issued by a certificate authority (CA; such as
VeriSign) listed in the client software’s list of trusted CAs. SSL server authentication is
vital for secure e-commerce transactions in which, for example, users send credit card
numbers over the Web and first want to verify the receiving server’s identity.
An encrypted SSL connection requires that all information sent between a client and a
server be encrypted by the sending software and decrypted by the receiving software,
thus protecting private information from interception over the Internet. In addition, all
data sent over an encrypted SSL connection is protected with a mechanism for detecting
tampering—that is, for automatically determining whether the data has been altered in
transit. This means that users can confidently send private data, such as credit card
numbers, to a Web site, trusting that SSL keeps it private and confidential. So, with the
preceding in mind, the SSL certificate process works as follows:
1. A customer contacts your site and accesses a page secured by an SSL certificate
(indicated by a URL that begins with “https:” instead of just “http:” or by a
message from the browser).
2. Your server responds, automatically sending the customer your site’s digital
certificate, which the browser validates as described above.
3. Your customer’s Web browser generates a unique “session key” to encrypt all
communications with the site. The browser encrypts the session key with your
site’s public key, so only your site (which holds the matching private key) can
read it.
4. A secure session is now established. It all takes only seconds and requires no
action by the customer. Depending on the browser, the customer may see a key
icon becoming whole or a padlock closing, indicating that the session is secure[1].
Step 3 describes the RSA key-exchange mode of SSL. Current TLS versions instead derive
the session key through an ephemeral Diffie-Hellman exchange that the server signs with
its certificate’s key, so that a later theft of the server’s private key cannot be used to
decrypt recorded sessions; the steps the customer sees are unchanged.
SSL certificates came in two strengths: 40-bit and 128-bit (the numbers refer to the
length of the “session key” generated for each encrypted session, not to the key in the
certificate itself). The longer the key, the more difficult it is to break the encryption. The
source describes 128-bit SSL as the world’s strongest: according to RSA Labs, it would
take a trillion years to crack a 128-bit session key with the technology of the day, and a
128-bit symmetric key is still far beyond brute force. The 40-bit grade is a different
matter: it existed only to satisfy U.S. export controls, a 40-bit key can be recovered by
exhaustive search in hours on commodity hardware, and no current browser will
negotiate it. The primary difference between the two types of VeriSign SSL certificates
was the strength of the SSL session that each enabled. Microsoft and Netscape at that
time shipped two versions of their Web browsers, export and domestic, which negotiated
different key lengths depending on the type of SSL certificate the server presented; U.S.
export rules were relaxed in 2000, and browsers have shipped with strong encryption
everywhere since.
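The server-authentication check described above is exactly what a TLS client library performs today, and the cipher-strength discussion is where an implementer most often goes wrong. The following is an added example, not code from the book or from VeriSign, using Python’s standard ssl module: it builds a client context that requires a certificate chaining to a trusted CA, checks that the certificate names the host being contacted, refuses anything older than TLS 1.2, and shows that the export-grade (40-bit) ciphers the text describes are no longer even available to negotiate. It makes no network connection; the context is what you would hand to wrap_socket() against a real merchant host.

```python
"""Client-side view of SSL/TLS server authentication, as an added example
(standard-library ssl module; not code from the original text).  The
context produced here is what a browser effectively uses: it requires a
certificate that chains to a trusted CA, checks that the certificate
names the host being contacted, and refuses obsolete protocol versions
and weak cipher suites.  No network connection is made."""
import ssl

# Substrings that mark cipher suites a merchant site must never offer:
# export-grade (40/56-bit), RC4, single/triple DES, no encryption, MD5 MAC.
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")


def build_client_context() -> ssl.SSLContext:
    """Context for connecting to a merchant's HTTPS server."""
    # create_default_context() loads the platform's trusted CA store and
    # sets verify_mode=CERT_REQUIRED and check_hostname=True: the
    # "list of trusted CAs" check described in the text, plus the
    # hostname check that stops a spoof site from reusing someone
    # else's perfectly valid certificate.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # SSL 2.0/3.0 and TLS 1.0/1.1 are broken or deprecated; pin the floor
    # explicitly rather than relying on the interpreter's build defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of negotiable cipher suites that contain a weak component."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def export_grade_is_available() -> bool:
    """Try to restrict a fresh context to the 40/56-bit export ciphers the
    text describes.  OpenSSL removed them in 1.1.0, so set_ciphers()
    raises SSLError ("No cipher can be selected")."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers("EXPORT")
    except ssl.SSLError:
        return False
    return bool(probe.get_ciphers())


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the security-relevant settings of a client context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers": weak_ciphers(ctx),
        "export_grade_available": export_grade_is_available(),
    }


if __name__ == "__main__":
    for key, value in describe(build_client_context()).items():
        print(f"{key}: {value}")
```

Run it and compare the printed settings with what your own server offers; a server that still advertises RC4, DES or any EXP suite should be fixed before the first customer arrives, since the client will either refuse the connection or, worse on an old client, silently downgrade.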
How to Get SSL Certificates
Certificate authorities such as VeriSign (which styles itself “the Internet Trust
Company”), together with many leading ISPs and Web hosting providers, offer a complete
range of products and services to help you secure your Web site.
At the time of the source, providers offered SSL certificates in two encryption strengths:
128-bit SSL (Global Server) IDs and 40-bit SSL (Secure Server) IDs. The 128-bit Global
Server IDs enabled strong SSL encryption with both the domestic and the export versions
of the Microsoft and Netscape browsers, and were the standard for large-scale online
merchants, banks, brokerages, healthcare organizations, and insurance companies
worldwide. The 40-bit Secure Server IDs were marketed for lower-volume Web sites,
intranets, and extranets; as noted above, 40-bit encryption is no longer an acceptable
protection for anything security-sensitive, and a certificate bought today enables strong
encryption regardless of product tier.
Commerce site services are complete e-commerce solutions for e-merchants and online
stores. The basic commerce site package includes a 40-bit SSL (Secure Server) ID, online
payment management services, and an array of additional value-added services; the
higher tier includes a 128-bit SSL (Global Server) ID in place of the 40-bit one, with the
same payment services and value-added services. Online payment services enable
businesses to easily accept, manage, and process payments electronically (see step 5 to
learn more about facilitating e-commerce payments on your site).
Secure Web site services are best for Web sites, intranets, and extranets that require an
SSL certificate and Web site services rather than a full commerce package. Again there
are two tiers: the basic secure site package includes a 40-bit SSL (Secure Server) ID plus
value-added services, and the higher tier includes a 128-bit SSL (Global Server) ID plus
value-added services.
As previously mentioned, many leading ISPs and Web hosting providers include SSL
certificates with their e-commerce packages. When choosing an ISP, look for one that
offers SSL certificates. If you are obtaining your SSL certificate through your ISP or Web
hosting company, your host may ask you to enroll for your certificate yourself, because
you are the owner of the domain name to which the SSL certificate will correspond.
Make sure you ask your hosting company for the information you’ll need to complete the
enrollment process, including:
A technical contact: Your Web hosting provider should be able to give you the name of
its appropriate technical contact for you to complete the enrollment process[1].
One more thing—if you use multiple Web servers for your site, it’s important that you
use a unique SSL certificate on each one to meet licensing requirements.
Code-Signing IDs
If your e-commerce site offers downloadable software, content, or code, you can digitally
“shrink-wrap” it so customers can confirm that it came from you and has not been
altered or corrupted since you signed it. All you need is a special code-signing digital
certificate, or digital ID.
E-Mail IDs
Installed in your Web browser or e-mail software, an e-mail digital certificate—or digital
ID—serves as your online passport, allowing you to digitally sign e-mail messages. Your
e-mail digital ID assures recipients that messages really came from you, and also allows
you to encrypt messages, using your recipient’s digital ID, so only your recipient can
decrypt and read your messages. Installing and using e-mail digital IDs is easy with
virtually all Web browsers and e-mail programs.
With an SSL-secured site, your customers will have the confidence to purchase your
goods and services. But enabling customers to pay you online takes more than just
collecting their credit card numbers or other payment information. What will you do with
customer payment information once it’s sent to you? How can you verify that customer’s
credit card information is valid? How will you go about processing and managing those
payments with a complex network of financial institutions?
You could simply set up a credit card terminal and process orders manually. But why
invest the time and effort to build an e-commerce site without taking advantage of the
efficiency of online payment processing? To offer a complete e-commerce experience to
customers and to efficiently manage payments for your business, you need to implement
an “Internet payment gateway” that provides Internet connectivity between buyers,
sellers, and the financial networks that move money between them.
Before you implement a payment gateway, you need to understand how the Internet
payment processing system works. Participants in a typical online payment transaction
include:
Your customer: Typically, a holder of a payment instrument (such as a credit card, debit
card, or electronic check) from an issuer.
The issuer: A financial institution, such as a bank, that provides your customer with a
payment instrument. The issuer is responsible for the cardholder’s debt payment.
The merchant: Your e-commerce site, which sells goods or services to the cardholder via
a Web site. A merchant that accepts payment cards must have an Internet merchant
account with an acquirer.
The acquirer: A financial institution that establishes an account with you, the merchant,
and processes payment authorizations and payments. The acquirer provides authorization
to the merchant that a given account is active and that the proposed purchase does not
exceed the customer’s credit limit. The acquirer also provides electronic transfer of
payments to your account, and is then reimbursed by the issuer via the transfer of
electronic funds over a payment network.
The processor: A large data center that processes credit card transactions and settles
funds to merchants. The processor is connected to your site on behalf of an acquirer via a
payment gateway[1].
The basic steps of an online payment transaction using a payment gateway system
include the following:
1. The customer places an order online by selecting items from your Web site and
sending you a list. Your site usually replies with an order summary listing the
items, their prices, a total, and an order number.
2. The customer sends the order, including payment data, to you. The payment
information should travel over the SSL connection set up between the customer’s
Web browser and your Web server, so that it is encrypted in transit.
3. Your e-commerce site requests payment authorization from the payment gateway,
which routes the request through the acquirer and processor to the issuer. An
authorization confirms that the card is active and reserves the amount against the
cardholder’s credit limit; the account is not actually charged until the
authorization is captured and settled. An approved authorization means the issuer
has agreed to the charge, but it is not an absolute guarantee of payment: the
cardholder can still dispute the transaction later.
4. You confirm the order and supply the goods or services to the customer.
5. You then request payment (capture the authorization), sending the request to the
payment gateway, which handles the payment processing with the processor.
6. The transaction is settled: the funds are routed through your acquirer for deposit
to your merchant account[1].
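The questions raised earlier (what to do with payment data once it arrives, how to check that a card number is plausible, how authorization and capture fit together) are easier to see in code. The following is an added example with a simulated gateway; it is not the code or API of any real payment provider, and the class and method names are this example’s own. It walks steps 3 to 6 above from the merchant’s side: a Luhn check so that mistyped numbers never cost an authorization call, an idempotent checkout so a retried browser request cannot authorize twice, shipment only against a live authorization, capture only after shipment and never above the authorized amount, and storage of the card number in masked form only.

```python
"""Merchant-side model of the authorize / capture / settle sequence the
text describes.  Added example with a simulated gateway; not the code or
API of any real payment provider."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal
import itertools


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: catches mistyped digits.  Only the issuer's
    authorization tells you whether the account is real and funded."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; the full PAN is never stored."""
    return "*" * (len(pan) - 4) + pan[-4:]


class SimulatedGateway:
    """Stand-in for the acquirer-side payment gateway (constructed for the
    example).  Records each authorization and how much has been captured."""

    def __init__(self) -> None:
        self._auths: dict[str, dict[str, Decimal]] = {}
        self._ids = itertools.count(1)

    def authorize(self, pan: str, amount: Decimal) -> str | None:
        """Return an authorization id, or None for a decline."""
        if amount <= 0 or not luhn_ok(pan):
            return None
        auth_id = f"AUTH-{next(self._ids):06d}"
        self._auths[auth_id] = {"authorized": amount, "captured": Decimal(0)}
        return auth_id

    def capture(self, auth_id: str, amount: Decimal) -> bool:
        """Settle part or all of an authorization; refuse over-capture."""
        auth = self._auths.get(auth_id)
        if auth is None or auth["captured"] + amount > auth["authorized"]:
            return False
        auth["captured"] += amount
        return True


@dataclass
class Order:
    order_id: str
    total: Decimal
    masked_pan: str
    auth_id: str | None
    status: str                     # declined | authorized | shipped | captured


class Merchant:
    def __init__(self, gateway: SimulatedGateway) -> None:
        self.gw = gateway
        self.orders: dict[str, Order] = {}
        self._requests: dict[str, str] = {}     # request id -> order id

    def place_order(self, order_id: str, pan: str, total: Decimal,
                    request_id: str) -> Order:
        # Step 3.  A browser retry of the checkout POST carries the same
        # request id and must not produce a second authorization.
        if request_id in self._requests:
            return self.orders[self._requests[request_id]]
        auth_id = self.gw.authorize(pan, total)
        order = Order(order_id, total, mask_pan(pan), auth_id,
                      "authorized" if auth_id else "declined")
        self.orders[order_id] = order
        self._requests[request_id] = order_id
        return order

    def ship(self, order_id: str) -> bool:
        # Step 4: goods go out only against a live authorization.
        order = self.orders.get(order_id)
        if order is None or order.status != "authorized":
            return False
        order.status = "shipped"
        return True

    def capture(self, order_id: str) -> bool:
        # Steps 5-6: request payment only for shipped orders, and only once.
        order = self.orders.get(order_id)
        if order is None or order.status != "shipped":
            return False
        if not self.gw.capture(order.auth_id, order.total):
            return False
        order.status = "captured"
        return True


if __name__ == "__main__":
    shop = Merchant(SimulatedGateway())
    # 4111111111111111 is the industry-standard Visa test number.
    o = shop.place_order("A-1", "4111111111111111", Decimal("49.99"), "req-1")
    print(o)
    print("shipped:", shop.ship("A-1"), "captured:", shop.capture("A-1"))
```

The Luhn check only catches transcription errors; only the issuer’s authorization response tells you the account is real and funded, which is why the example still sends every Luhn-valid number to the gateway and treats the gateway’s answer as final.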
So, how do you implement a payment gateway to process payments on your e-commerce
site? Building your own dedicated pipeline to connect all the players isn’t a practical
option, so for small- and-medium-sized businesses, outsourcing to a payment service
provider is the best solution.
After you’ve selected and set up your payment processing solution, all you need to start
accepting online payments is an Internet merchant account with a financial institution that
enables you to accept credit cards or purchase cards for payment over the Internet. You
can obtain an Internet merchant account from any financial institution that supports the
processors your payment gateway works with; that includes most banks. Obtaining a
merchant account can take anywhere from two days to three weeks.
You may be eager to launch your e-commerce storefront, but take time to review and test
your site thoroughly before going live. You will only have one chance to make a first
impression on each new visiting customer, and broken links, incorrect phone numbers,
and grammatical or spelling errors diminish the professional polish you’re striving for.
You also need to walk through the entire ordering process to test its usability. Is it clear
exactly what customers need to do to purchase? Try buying a product: is the page on
which you supply payment information secure? Is the payment processed correctly
through your payment gateway? Make sure you use both Macintosh and PCs for testing,
and use different browsers and modem speeds. You want to be able to support even low-
end systems (slower computers with a 28.8 modem line).
Also, don’t forget about customer support: it’s the key to creating loyal customers. Are
you prepared to confirm that a customer’s order has been received? Are you ready to
follow-up with an e-mail message for good measure? A personalized message from a real
customer service representative is best, but sending an automatic reply works as well. Set
minimum response times and standards for replying to customer questions and concerns,
and ensure that your customer support staff is fully knowledgeable about all your
products and services, their features and benefits, pricing, and availability.
Now, you’ve established a compelling, secure, and easy-to-use Web storefront for your
products and services. It’s time to let people know about it. Here are a few tips for driving
traffic to your site:
Register your site with search engines: Over 90 percent of Internet users search one or
more of the top engines to find what they need. Make sure your business is part of the
results when customers look for the products and services you offer.
Put your domain name everywhere: Brochures, advertisements, business cards, and
even hats, jackets, and t-shirts can be effective ways to promote your site and establish
your corporate identity. Don’t forget to include your domain name in your press release,
too.
Advertise: Placing a banner ad on other well-trafficked sites can attract huge numbers of
prospective customers—and doesn’t have to cost a fortune[1].
Finally, your e-commerce business is now ready to succeed in the competitive world of
the Web: with an online identity, a Web host, an eye-catching, professional-looking Web
storefront, rock-solid security, easy-to-use payment management, and the right
promotions. So, if you follow the preceding basic steps, they will help you lay the
foundation for a thriving site.
[1] “How to Create an E-Commerce Web Site,” ©2003 VeriSign. All rights reserved.
VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA
94043, 2003.
[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,
2001.
[3] Vacca, John R., Identity Theft, Prentice Hall PTR, 2002.
[4] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad
Ebusiness Privacy Plan, McGraw-Hill, 2001.
Summary
This chapter helped you discover new integrated services that make it easier than ever to
secure your Web site and accept online credit card payments. You also learned how to
create an e-commerce Web site, as well as:
Overview
The names “site server” or “commerce server” are used interchangeably throughout this
chapter. It is assumed that there exists a set of requirements that the final site should
adhere to and follow with the development of the site itself.
Note Please check all information or take professional advice before embarking on an
electronic commerce project.
A Web site server is a comprehensive Internet commerce server an organization can use
to build an e-commerce architecture (see sidebar, “Building an E-Commerce
Architecture”) and monitor/manage business sites on the Web. By providing a
comprehensive set of server components, management tools, and sample sites, a Web site
server significantly reduces development time and costs for business-to-consumer
applications.
E-commerce continues to hold tremendous profit potential for many companies. It still
offers faster response to customer needs, reduced operating costs, and increased
cooperation among customers and trading partners—if it is done right.
This means not bringing an e-commerce offering to market before planning a workable
architecture. Now, more than ever, companies must thoroughly plan and carefully build
their e-commerce architecture before the first customer ever comes on board. That’s
because capital, time, and resources are scarcer today; margins for error are slimmer; and
shareholders are less in the mood to support initiatives that don’t work out of the gates.
As a corollary, chief information officers (CIOs) frequently have to be the voice of reason
in their companies to ensure that a truly robust, reliable system is built. CIOs may be the
company’s only executive-level people who understand the architectural firepower
needed to build and run a scalable, reliable e-commerce backbone. Only you may be able
to explain to your CEO why you need an integration layer or how your architecture plan
is the best among competing models in the market. And, only you may be able to explain
how much time it takes to build the architecture correctly.
Putting the cart before the horse has never been a wise move, but it was briefly accepted
as a viable business strategy in e-commerce initiatives. In 2001, a company could tout its
e-commerce offering, get customers, and then worry whether it had the scalability,
reliability, and security needed to support business. But that’s over. With the first
casualties of the e-commerce revolution fresh in mind, potential users of your e-
commerce system want to know that you can deliver. CIOs can help their companies by
insisting that they take the following steps:
1. Plan: The architecture is the structure of the e-commerce system and will
determine what the company can and cannot do, both now and in the future.
Therefore, it’s critical for the system’s software engineers to develop an
architecture blueprint up front. The blueprint should include the highest-level
design of the business solution and processes; highest-level technical design and
lower-level designs; and information on any relevant special structures, interfaces,
or algorithms.
2. Plan for the “ilities”: When well-planned and well-built, the architecture will
deliver on all of the key “ilities”—such as scalability, reliability, availability, and
serviceability. But, in their hurry to get to market, far too many companies short
themselves on the necessary components and vendor partners. CIOs can insist on
components from best-in-class technology providers and consult development
firms that have implemented applications within a broad range of architectural
schemas.
3. Plan for integration: The technology infrastructure must allow you to integrate
customers’ legacy systems, third-party vendors, and applications to come in the
future. Insurance companies, for example, have extensive legacy systems and
various business partners that must be accommodated. DriveLogic, the e-commerce
arm of CCC Information Services and a leading provider of technology solutions
to over 460 of the nation’s top insurers, has implemented an architecture that will
be able to communicate with all of these systems. It allows insurers to leverage
existing technology and data—a considerable asset—and accommodates insurer
business partners and other technology vendors as well.
4. Make good vendor choices: A robust system calls for the best vendor partners.
Like a house built with cheap materials, architecture pieced together with low-
rent components and vendors won’t wear well—and may jeopardize your
company’s reputation for years to come.
Today, it’s more critical than ever to get the e-commerce strategy right in the preplanning
stages, well before you ever bring the offering to market. To be a leader, and avoid the
mistakes of the past few years, a company must build it right from the start[1].
By using a set of objects, tools, wizards, and sample sites, one can add Internet commerce
capabilities to an existing Web site or can quickly and easily create a new electronic
commerce site. A commerce server usually supports business-to-consumer sites as well as
business-to-business and corporate purchasing sites.
These B2C sites sell products to the consumer through the Web. A commerce server
should include support for advertising, promotions, cross-sells, secure payment, order
processing, and consumer wallets.
A B2B site is the other hot application for e-commerce, as a replacement for EDI. A
commerce server provides features for building business-to-business sites, such as
support for purchase orders, order approval routing, and the secure exchange of business
information between trading partners.
[1]
Beattie, Jim, “When Building E-Commerce Architecture: Don’t Put the Cart Before the
Horse,” Copyright ©2003 Cognizant Technology Solutions, Cognizant Technology
Solutions, 500 Glenpointe Centre West, Teaneck, New Jersey 07666, 2003.
• Scope
• Prototype
• Design
• Implementation
• Testing
• Deployment[3]
Scope
Prototype
The Prototype stage involves building a basic layout of the site so as to get a taste of what
the site will look like. The prototype is essentially the foundation for the final site and can
be modified according to the customer’s feedback.
Design
The Design stage involves developing the logical design. It also involves designing the
user interface and deriving the physical design.
Implementation
The Implementation stage involves translating the design into the actual site. This can be
in the form of changes and updates to the prototype. The key tasks are creating the user
interface, developing custom components for the order processing pipelines, if needed,
and implementing the database according to the design.
Testing
The site should be tested before deployment. Among other things, the site should be
tested for security, user interface, performance, and ease of use.
Deployment
Once it has passed testing, the site is deployed.
[3]
Ganesh, Arvind, “Enterprise Application Development and Commerce Site Server,”
Copyright ©2003 California Software Labs, Ltd., California Software Labs, Ltd., 6800
Koll Center Parkway, Suite 100, Pleasanton, CA 94566, 2003.
Before we start building your commerce site, let’s take a look at the following set of
requirements that the final site should satisfy:
1. The Web site should enable customers to shop with a shopping cart.
2. The catalog of products can contain:
a. Products from various vendors
b. Sale announcements and other promotions
3. The Web site should feature customer registration.
4. The Web site should support online payment using credit cards. Additionally, the
site should:
a. Support an e-Wallet
b. Securely transfer credit card information
5. The customer should receive e-mail confirmation of his order.
6. The e-mail should also have a link to the Order Status page.
7. Any order that is yet to be shipped can be cancelled by the customer.
8. The Web site should include appropriate error handling.
9. The Web site should suggest other recommended products to the customer.
10. The Web site should support both Internet Explorer and Navigator[3].
Note Following the usual commerce site development methodology suggested earlier,
this set of requirements would have been arrived at in the Scope stage.
You are now ready to build a prototype sample site. Building a site using a commerce
server essentially involves customizing a site generated by the use of wizards. Thus, the
wizard-generated site after implementing the initial user interface can be used as the
prototype. A commerce server should give you a choice between making a copy of one of
the commerce server sample sites or a custom site. After you have generated a site, you
can get down to a database and user-interface design. Building the prototype site involves
the following steps:
A commerce server should be able to distinguish between the site’s administrator and the
site manager. The administrator performs steps 1–4 and manages the server, while the
site manager builds, maintains, and manages the site. Now, let’s take a look at each of the
preceding steps.
When the wizard is run, you need to supply a data source name (DSN), a database login
name and password, and other information that is needed for a connection string. The
wizard creates two configuration files: one for the site and one for its manager pages.
Both files hold the connection string used for accessing the site’s database, including the
database password, so they must be kept outside the directories the Web server publishes
and readable only by the account the site runs as. The wizard then reads the connection
information from the file and uses it to connect to the database and create the schema.
The next step (step 3) is to create a DSN for the sample site.
Building the Site
A site manager should be able to connect to the manager’s pages and build the site by
running the wizard. This generates all the files and database tables, including product
pages, basic layout, shipping and handling, tax, and payment. Furthermore, this builds the
actual store that will exist on top of the site foundation.
You should run the wizard and follow the instructions displayed on the screen. Some
points of interest when building the site are as follows:
1. A locale step defines the default locale to be used in your store. This drives the
configuration of the default tax calculation component as well as the format used
to display currency and other localized variables.
2. Price promotions allow you to offer promotions, such as discounts based on
dollars spent, percentage discounts, or a two-for-one promotion. Cross-sell
promotions allow the site to offer a related product when a shopper selects a
particular product.
3. With a features step, you can choose if and when you want shoppers to register at
your site and whether you want to maintain this shopper information in the site’s
database.
4. A product attribute type step is based on the type of products that the site intends
to offer. With static attributes, all products have the same attributes.
5. Dynamic attributes allow the site to sell products that might differ in attributes,
for example, one item may be offered in multiple colors, but not list the
manufacturer’s name, and another item, such as a shirt, might have varied sizes,
neck size, sleeve length, and color.
6. An order history step offers the option for the site to store a shopper’s order
history and receipt information[4]. This information is useful to customers who
may want to look up existing orders. In addition, it can provide a source for
integrating into an existing customer service application[3].
After running the wizard, your sample site is now ready and open for shopping. Now,
let’s take a look at how the wizard-generated site meets many of the stated requirements
right “out of the box.” With reference to the list of requirements given earlier, the site
meets the following requirements at this stage: 1, 2.b, 3, 4.a, 8, 9, and 10.
The site you have just built can be used as a prototype after implementing the initial user
interface (UI). The Design stage is next.
Design
The Design stage involves coming up with the overall structure of the site. This task
would be mammoth if it were not made easier by the wizard because it automatically
generates the basic structure of a commerce site with features such as a shopping cart,
shopper ID, order ID, and so on. To build the design for your site, you have to design it
around the existing commerce site design. There are essentially three aspects to site
design in a commerce server: designing the database, the order form, and an order
processing pipeline (OPP). A commerce server site populates its pages with data obtained
dynamically from its database. The database holds all the data related to the site—data
related to the products and shoppers. Site performance and reliability are influenced by
the database design.
An order form object provides storage for customer and purchase information. A
commerce server site uses the order form object to store the items that a customer has
placed in the basket, to store bill-to, ship-to, and receipt information.
The OPP is a collection of components that encapsulates the processing that is performed
on the order form. Each component in the OPP has its own distinct function that it
performs on the order form.
Because the order form is of limited scope, the design should focus on a single example
of each of the different design aspects. At the end of the Design stage, you should be clear
about what is to be done in the Implementation stage.
Database Design
Central to the design of the site is the design of the site database. Much of the database
schema required for a commerce site is automatically generated by the wizard. However,
if you already have a product database in place, and you want the commerce server site to
use it, you can select a sample site whose product schema most closely matches the
existing database. You can use the wizard to copy that sample site, and then modify the
queries as appropriate for your database.
In the sample sites, database queries that are used to display information (such as product
descriptions and properties) on the page are defined in the ASP file for that page. So, to
accommodate a different product schema, one need only modify the query as needed and
create a combination of HTML and scripting to display the product information on the
page.
In the case of your sample site, the need to modify the wizard-generated database schema
arises because of the following previously listed requirement: 2.a—the product catalog
can have products from various vendors. This requirement introduces a new entity into
the schema—the vendor or manufacturer. This leads to a new relationship between the
products table and the vendor table.
When translated into physical design, the entity maps to a new table. A new table to hold
vendor attributes is created. The relationship between products and a vendor is a many-
to-one relationship. This maps to a new column in the products table that holds the
Vendor ID.
In general, a fair bit of denormalization is recommended because it can result in
significant performance gains. Database queries should be kept to a minimum to increase
speed.
An order form object is a commerce server dictionary object. The order form object
serves as working storage for order form data being collected or processed (the shopping
basket).
An order form object is defined internally as a structured group of dictionary objects, and
includes the methods required to add items, clear items, and clear the entire order form
itself. Commerce server sites use the order form object to store items that a shopper might
have chosen to purchase, and to store receipt information that will hold a shopper’s order
history. Some of the common values that the order form might hold are:
• Shopper ID
• Name
• Address
• Order cost information
• Purchase subtotal
• Tax
• Shipping
• Total[3]
Note The order form does not directly support storage of its data on disk—instead, a
database storage object (DBSO) is used to accomplish this.
Now, with the preceding in mind, let’s get back to your sample site. You will need to add
a few values to the order form. This is necessitated by the following requirement that was
previously listed: 5. Customer should receive e-mail confirmation of his order. This
functionality will be implemented by a simple mail transfer protocol (SMTP) component
in the purchase pipeline. The SMTP component will require the information shown in
Table 6.1[3].
The commerce server pipeline is a software infrastructure that links one or more
components and runs them in sequence on the order form object. Each stage in a pipeline
consists of zero or more components, and each of these components is run in sequence. A
component is a Component Object Model (COM) object that is designed to perform some
operation on an order form. Usually, each component has its own small task to perform.
For example, a fixed shipping component checks for the right shipping method and sets
the shipping cost to the appropriate value.
Note The purchase pipeline is usually run once an order form has been run successfully
through the plan pipeline, and the shopper has confirmed his desire to finalize a
purchase.
A commerce server should include the requisite basic pipeline components needed for a
basic commerce site. When you run a wizard, it automatically creates the three OPPs
required for the site—this site does not, however, feature real-time credit card validation
and only includes very basic tax and shipping components. Various third-party
components are available for these functions. Your sample site should use default tax and
shipping components. However, you need to add a new component to handle the
following previously listed requirement: 5. Customer should receive e-mail confirmation
of his order.
Tip Introducing the preceding functionality into the site means that you have to add the
SMTP component to the purchase pipeline.
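The pipeline just described, as an added example in Python (not code from the book or from any commerce server product, where the components are COM objects). It runs a price stage (subtotal plus a two-for-one price promotion of the kind the wizard offers), the fixed shipping and default tax components, the total, and finally the scriptor component placed just before the SMTP component, which assembles the confirmation e-mail with a link to the Order Status page (requirements 5 and 6). The order form is a plain dictionary; the field names, rates, the status URL and the sample order are assumptions, and the SMTP stand-in only records messages.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample order form. A commerce-server order form is a dictionary of
# dictionaries, so a plain dict holding the fields the text lists stands in for it.
SAMPLE_ORDER = {
    "shopper_id": "shopper-0001",
    "name": "A. Shopper",
    "email": "shopper@example.com",
    "address": "1 Example Street",
    "ship_method": "ground",
    "items": [
        {"sku": "SHIRT-BLUE-M", "quantity": 2, "unit_price": Decimal("20.00")},
        {"sku": "SOCKS-BLK", "quantity": 3, "unit_price": Decimal("5.00")},
    ],
}
SHIPPING_RATES = {"ground": Decimal("5.00"), "express": Decimal("15.00")}  # assumed
TAX_RATE = Decimal("0.08")                       # default tax component: one flat rate
STATUS_URL = "https://shop.example/status"       # assumed Order Status page


def money(value):
    """Round to whole cents, half up."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# Each component does one small job on the order form and hands it back.

def subtotal_component(order):
    order["subtotal"] = money(sum(i["quantity"] * i["unit_price"] for i in order["items"]))
    return order


def two_for_one_component(order, promo_sku="SOCKS-BLK"):
    """Price promotion: every second unit of promo_sku is free."""
    discount = sum((i["quantity"] // 2) * i["unit_price"]
                   for i in order["items"] if i["sku"] == promo_sku)
    order["discount"] = money(discount)
    order["subtotal"] = money(order["subtotal"] - order["discount"])
    return order


def fixed_shipping_component(order):
    """Check for a known shipping method and set the shipping cost."""
    method = order.get("ship_method")
    if method not in SHIPPING_RATES:
        raise ValueError(f"unknown shipping method: {method!r}")
    order["shipping"] = SHIPPING_RATES[method]
    return order


def tax_component(order):
    order["tax"] = money(order["subtotal"] * TAX_RATE)
    return order


def total_component(order):
    order["total"] = money(order["subtotal"] + order["shipping"] + order["tax"])
    return order


def confirmation_scriptor_component(order):
    """Scriptor step placed just before SMTP: assembles the fields the mail needs."""
    order.setdefault("order_id", f"ORD-{order['shopper_id']}-1")
    order["mail_to"] = order["email"]
    order["mail_subject"] = f"Order {order['order_id']} confirmed"
    order["mail_body"] = (
        f"Thank you, {order['name']}. Your order total is {order['total']}.\n"
        f"Order status: {STATUS_URL}?order={order['order_id']}\n"
    )
    return order


class RecordingSmtp:
    """Stand-in for the SMTP component: records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def __call__(self, order):
        self.sent.append((order["mail_to"], order["mail_subject"], order["mail_body"]))
        return order


def run_pipeline(order, stages):
    """Run every component of every stage, in order, over the same order form."""
    for _stage_name, components in stages:
        for component in components:
            order = component(order)
    return order


def purchase_pipeline(smtp):
    return [
        ("price", [subtotal_component, two_for_one_component]),
        ("shipping", [fixed_shipping_component]),
        ("tax", [tax_component]),
        ("total", [total_component]),
        ("accept", [confirmation_scriptor_component, smtp]),
    ]


if __name__ == "__main__":
    mailer = RecordingSmtp()
    result = run_pipeline(dict(SAMPLE_ORDER), purchase_pipeline(mailer))
    print(result["total"], mailer.sent[0][1])
```

Because every component takes and returns the same order form, adding the SMTP step is a matter of appending two callables to the last stage; an unknown shipping method stops the pipeline with an exception rather than silently shipping for free.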
[4] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
Implementation
The Implementation stage is where the design is translated into actual changes to the
prototype. This stage includes UI changes depending upon feedback from the customer,
custom development of components (if any), changes to the database schema, and
changes to the ASP files. However, this part of the chapter does not deal with UI
implementation or custom components. At the end of implementation, therefore, you
should have a working commerce site that satisfies all listed requirements.
The Implementation stage involves modifying the wizard-generated ASP files. Most
developers are comfortable using a text editor such as Notepad to manually edit the files.
The ASP files are like HTML files with added functionality; they are responsible for the
look of the site and the UI in general.
Database Implementation
To relate products with their vendors, you need to define a many-to-one relationship that
translates into an additional column in the product table that holds the ID of the vendor.
Both these changes require updates to the ASP files.
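The vendor table and the many-to-one column described in the Database Design and Database Implementation sections, as an added example in Python with SQLite (not code from the book or from any commerce server product): the schema, the product-page query with the vendor name bound as a parameter because it arrives from the request, and the foreign key rejecting a product that refers to a vendor that does not exist. Table and column names and the sample rows are assumptions.

```python
import sqlite3

# Schema for the new vendor entity and the many-to-one link from product to vendor.
# Names are assumptions for this example; a real site keeps the wizard's names.
CATALOG_SCHEMA = """
CREATE TABLE vendor (
    vendor_id  INTEGER PRIMARY KEY,
    name       TEXT NOT NULL UNIQUE,
    contact    TEXT
);
CREATE TABLE product (
    sku         TEXT PRIMARY KEY,
    name        TEXT NOT NULL,
    price_cents INTEGER NOT NULL,                               -- whole cents, no float rounding
    vendor_id   INTEGER NOT NULL REFERENCES vendor(vendor_id)   -- many products -> one vendor
);
"""

# Constructed sample rows.
VENDORS = [(1, "Acme Apparel", "sales@acme.example"), (2, "Boot Works", None)]
PRODUCTS = [
    ("SHIRT-BLUE-M", "Blue shirt, medium", 2000, 1),
    ("SHIRT-RED-L", "Red shirt, large", 2000, 1),
    ("BOOT-BLK-10", "Black boot, size 10", 8900, 2),
]


def open_catalog():
    """Create an in-memory catalog with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs by default
    conn.executescript(CATALOG_SCHEMA)
    conn.executemany("INSERT INTO vendor VALUES (?, ?, ?)", VENDORS)
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def products_by_vendor(conn, vendor_name):
    """The query a product page runs. The vendor name comes from the request, so it
    is bound as a parameter rather than pasted into the SQL string."""
    return conn.execute(
        "SELECT p.sku, p.name, p.price_cents, v.name "
        "FROM product AS p JOIN vendor AS v ON v.vendor_id = p.vendor_id "
        "WHERE v.name = ? ORDER BY p.sku",
        (vendor_name,),
    ).fetchall()


def add_product(conn, sku, name, price_cents, vendor_id):
    """Insert a product; returns False when the vendor does not exist (FK violation)."""
    try:
        with conn:   # commits on success, rolls back on exception
            conn.execute("INSERT INTO product VALUES (?, ?, ?, ?)",
                         (sku, name, price_cents, vendor_id))
        return True
    except sqlite3.IntegrityError:
        return False
```

The join is the price of keeping the vendor in its own table; if the product page becomes a hot spot, the denormalization the text recommends would copy the vendor name into the product row so the page needs one query and no join.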
Note In general, any change made to the database schema results in a number of changes
to the associated ASP files.
Previously listed requirements 5 and 6 can be met by introducing the SMTP component
in the purchase pipeline. Adding the SMTP component requires that you also add a
scriptor component just before the SMTP component.
Going back to the previously listed requirements, you still have the following
requirement to be met: 4.b Credit card information should be securely transferred. This
means the ASP file that receives the credit card information, entered by the shopper
through a form post, should be secured with Secure Sockets Layer (SSL).
Commerce server-based sites usually use SSL to encrypt transactions passed over a
secure port. By default, however, HTTPS (Hypertext Transfer Protocol Secure, that is,
HTTP carried over SSL) is disabled in sites created with a wizard. A commerce server
does this to enable developers to create and test these sites without causing an error,
even on a server in which a server certificate is not installed.
Note To enable SSL, you must install a valid server certificate. For further details about
obtaining a certificate for your server, see http://www.verisign.com.
Database Access
You still have one more previously listed requirement that needs to be met: 7. Any order
that is yet to be shipped can be cancelled by the customer. To implement this, you have to
go back to the ASPs again. In the wizard-generated site, the status of the order is
maintained in a separate field in the receipt table. The site does not, however, maintain
status automatically. To do this, the ASPs, which display order data in the manager’s
pages, will have to be modified to allow the manager to set the status of the order.
After you have taken care of maintaining your order status, you will now have to display
this information to the customer. Here, when you display the order status, you can
perform a check to see if it has been shipped. If it has not been shipped yet, the customer
can be presented with an option to cancel the order. If the customer chooses this option,
the status of the order should be set to indicate the cancelled status.
Note The site manager and shopper pages use different logins to access the database. If
the shopper should be able to cancel the order, then a sample site visitor account
should have appropriate permission.
Tip It usually helps to have an additional stage before being “shipped,” which indicates
the status when the order has almost been shipped. This helps avoid losses that may
arise when a customer cancels an order that is about to be shipped.
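The order status handling described above, as an added example in Python with SQLite (not code from the book or from any commerce server product): a receipt table with a status field, the manager-side transitions, the shopper's Order Status view that offers a cancel option only while the order is merely received, and a cancel handler whose ownership and status checks sit inside the UPDATE itself. It includes the extra stage the tip recommends (called PACKING here). SQLite has no per-login grants, so the separate shopper and manager logins the note describes are not shown; the status names, table layout and sample orders are assumptions.

```python
import sqlite3

# Status values stored in the receipt table's status field. PACKING is the extra
# stage the tip recommends for orders that are about to ship and can no longer
# be cancelled. All names are assumptions for this example.
RECEIVED, PACKING, SHIPPED, CANCELLED = "RECEIVED", "PACKING", "SHIPPED", "CANCELLED"

# Transitions the site manager's pages may perform.
MANAGER_TRANSITIONS = {RECEIVED: {PACKING, SHIPPED}, PACKING: {SHIPPED}}


def open_receipts():
    """In-memory receipt table with constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE receipt (order_id TEXT PRIMARY KEY, "
        "shopper_id TEXT NOT NULL, status TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO receipt VALUES (?, ?, ?)", [
        ("ORD-1", "shopper-a", RECEIVED),
        ("ORD-2", "shopper-a", PACKING),
        ("ORD-3", "shopper-b", RECEIVED),
    ])
    conn.commit()
    return conn


def manager_set_status(conn, order_id, new_status):
    """Manager page: advance an order. Returns False for an unknown order or for a
    transition that is not allowed (for example re-opening a cancelled order)."""
    row = conn.execute("SELECT status FROM receipt WHERE order_id = ?", (order_id,)).fetchone()
    if row is None or new_status not in MANAGER_TRANSITIONS.get(row[0], set()):
        return False
    with conn:
        conn.execute("UPDATE receipt SET status = ? WHERE order_id = ?", (new_status, order_id))
    return True


def shopper_order_view(conn, shopper_id, order_id):
    """Order Status page: a shopper sees only their own orders, with a cancel
    option only while the order is still merely received."""
    row = conn.execute(
        "SELECT status FROM receipt WHERE order_id = ? AND shopper_id = ?",
        (order_id, shopper_id),
    ).fetchone()
    if row is None:
        return None
    return {"order_id": order_id, "status": row[0], "can_cancel": row[0] == RECEIVED}


def shopper_cancel(conn, shopper_id, order_id):
    """Cancel handler. Ownership and status are checked inside the UPDATE itself, so a
    request for someone else's order, or for one that entered PACKING a moment ago,
    changes nothing; the row count says whether the cancel took effect."""
    with conn:
        cur = conn.execute(
            "UPDATE receipt SET status = ? WHERE order_id = ? AND shopper_id = ? AND status = ?",
            (CANCELLED, order_id, shopper_id, RECEIVED),
        )
    return cur.rowcount == 1
```

Checking the status in the same statement that changes it matters because the shopper's page and the manager's page run from different sessions: a status read a second earlier is not a guarantee that the order is still cancellable.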
With the preceding in mind, your little sample site is now ready and is fully functional
(see Figure 6.1), except for payment verification[2]. The site should be subjected to testing
before deployment.
Security
Site security is crucial in a commerce site. Exaggerated reports of credit card fraud on
the Internet have led to people being highly apprehensive of shopping on the Internet.
However, this initial mental barrier is now being overcome as more people take to
shopping on the Net.
Site security is definitely one of the most important factors, if not the most, that the site
designer will have to spend time on at all stages. The most basic security requirement is
that customers of a commerce server site need assurance that confidential information
such as passwords and credit card numbers are protected from unwanted access. To
achieve this, a commerce server should support the industry-standard SSL.
Security of credit card information is the primary concern for the customer. By default,
commerce server sites do not store credit card information used in an online transaction.
Security of credit card information over the Internet is implemented using SSL.
To receive a page that is secured by SSL, the browser sends a request using the HTTPS
(S for Secure) protocol. In HTTPS, the URL for the restricted Web site starts with https://
instead of the normal http://.
Site Managers
For every commerce server site, a group is created that permits access to the site’s
manager pages. The users in this group are the operators of that particular commerce
server site. This group permits access to the site’s manager pages, along with Read/Write
access to all of the site’s files. An operator of one commerce server site does not have this
type of access to any other commerce server site.
Guarding the site from external intrusions is also critical. However, this can be
accomplished rather cost-effectively through a standard firewall-safe network
configuration.
In such a configuration, the network is guarded by a firewall (or proxy server) that allows
certain “Demilitarized Zones” (DMZs), as shown in Figure 6.2[3]. These DMZs are the
areas of the internal network that may be accessed by external (or Internet) users. The
firewall would be configured to allow HTTP access to the commerce server on the local
area network (LAN). The database server, however, will not be publicly accessible. All
database access from the commerce server machine would have to go through the
firewall, because the commerce server is not connected directly to the database. For
critical deployments, running the commerce server and the database server on the same
machine is not recommended.
[2] Copyright ©2001, Eden-2000, SexyShoesandBoots.com, Eden-2000 Web Designs,
MerchantWebsiteDesign.com, 2003.
Summary
Electronic commerce over the Internet is predicted to grow at an ever-increasing rate over
the next few years. Many companies are beginning to investigate the feasibility of using
this new sales channel, and many retailers have now established online sales sites. This
market is expected to really explode in the next few years as more retailers jump onto the
Internet commerce bandwagon.
With the preceding in mind, this chapter has successfully traced the development of a
commerce site through the different stages from planning to implementation. It provided
an introduction to developing commerce sites.
Finally, the chapter showed how to build a basic commerce site from scratch. Following
the suggested methodology, the chapter showed you how to go through the stages in the
development of a commerce site. After reading this chapter, you should now have a fairly
good idea of how to develop a commerce site.
Chapter 7: Building Shopping Cart Applications
“There are no such things as applied sciences, only applications of science.”
Overview
For example, JSP offers a 100 percent pure Java alternative to Microsoft’s proprietary
Active Server Pages (ASP). JSP technology extends Java servlet technology, and, in fact,
the JSP framework translates JSP into servlets at runtime. Servlets are popular because
they supply architectural and performance advantages over Common Gateway Interface
(CGI) scripts. Servlets can also generate dynamic Web pages by mixing static HTML
with content supplied by database queries or business services. JavaServer Pages invert
this approach by imbedding Java code in HTML. This ability to insert Java code into
HTML pages adds flexibility to servlet-based Web architectures.
To generate HTML, servlets must supply formatted strings to println() calls. This
technique clogs Java code with line after line of hard-to-comprehend HTML.
Furthermore, when servlets generate HTML, Web page design requires programmers.
JavaServer Pages pull HTML out of Java code and create a role for HTML designers. Site
development can proceed along parallel tracks (Java design and HTML design), thereby
delivering a Web site faster. JavaServer Pages also encourage loose coupling between
business logic components and presentation components, thereby making reuse of both
more likely. The shopping cart application discussed in this chapter examines the role of
JSP in Web architectures and offers a practical example of how to get the most out of
your e-business applications.
The shopping cart scenario presented in this chapter is a simplified online produce store.
Customers select produce items to add to their shopping cart, and then move through a
series of forms to purchase the items. Figure 7.1 shows that the application architecture
combines JSP with servlets and JavaBeans[1]. Building simple Web applications using JSP
alone is possible, of course, but significant business applications require all three.
Figure 7.2 shows the model-view-controller (MVC) pattern, which partitions applications
into separate data management (model), presentation (view), and control components[1]. It
underlies most modern graphical user interfaces. The partitioning encourages
independent evolution and reuse of the separate components. You can also apply the
MVC pattern to Web applications. JavaServer Pages most appropriately implement the
presentation part of a Web application. JavaBeans encapsulate the services that supply
content to a Web site and simplify passing data between the components of the
architecture. Servlets function best as controllers and mediators routing user requests and
application messages, updating application data, and driving the application workflow.
Technologies such as JSP encourage certain designs, but don’t enforce them. For
instance, all the code that might be put in a servlet or bean could be part of a single,
certainly very confusing, JSP page. The JSP specification permits such designs.
Conversely, anything a JSP page can do, a servlet can also do, so you can build a working
architecture that ignores JSP. The adoption of a design pattern, however, implies certain
design practices and choices. Design patterns generalize the collective wisdom of other
developers. Developers capitalize on these lessons when they adhere to design patterns. If
you use the MVC pattern, then the pattern implies that you should not mix presentation
elements with control or data elements. Stated more specifically, you should not print
HTML from a controller component (servlet) or imbed control elements in a presentation
component (JSP). You should limit the Java in a JSP page to communication with the
control and data components. Finally, if the data model for your application is at all
complex (and it would be in any realistic business application), then you should not
imbed data and computation services in either the control component or the view
component. Instead, you should encapsulate such business in worker components
(JavaBeans).
[1] Bollinger, Gary and Bharathi Natarajan, “Build an E-Commerce Shopping Cart,” reprinted from Java Pro magazine with permission from Fawcette Technical Publications, Inc., 913 Emerson Street, Palo Alto, CA 94301-2415. Copyright © 2000 by Fawcette Technical Publications, Inc. All rights reserved.
The CustomerServlet
With the design issues of this scenario in mind, let’s look at the details of a sample
application. For example, a CustomerServlet controls the application workflow by doing
two things: it maintains state (the model) for a shopping cart component (implemented by
a BasketBean class), and it routes client requests through a series of JSP pages.
The BasketBean
A BasketBean usually implements a simple data manager (model) for a shopping cart
application. The BasketBean class provides a method to get the running total of a
customer’s purchases and a method to update the contents of the basket. It maintains a
running list of Product instances requested by the client in a hashtable keyed off the Stock
Keeping Unit (SKU) number. Each Product instance stores four attributes: a product
name, SKU number, price per pound, and the number of pounds purchased. A product is
added only if the number of pounds is greater than zero.
The Pages
This simple shopping cart scenario supports a workflow with four stages and three JSP
pages: Inventory.jsp, Purchase.jsp, and Receipt.jsp (see Figure 7.3)[1]. The sample
application presents Inventory.jsp to new clients. Clients select produce by performing
one or more updates to Inventory.jsp. After selecting produce for purchase, clients
purchase the produce and the application presents Purchase.jsp. Finally, the client
confirms the purchase, and the application presents Receipt.jsp.
This JSP page mixes standard HTML with specialized JSP elements. The JSP
specification calls the static HTML in a page “fixed template data” and writes it
essentially verbatim (certain substitutions based on quoting and escape conventions are
still applied) into the HTTP response stream. For example, the servlet framework writes
the tag <HTML> unchanged to the response stream. Besides fixed template data, JSP
pages can include directives, scripting elements, and actions. This simple Web store
illustrates all three.
The preceding simple application is clearly a toy, not meant for deployment. Still, a real
application should follow the same MVC pattern demonstrated by the simple application.
Now, let’s look at how to modify some aspects of the toy to create a more realistic e-
commerce application.
The grocery application implemented its model by using the BasketBean class. The
BasketBean illustrates two qualities of toy software: it “hard codes” its data, and it fails to
define a standard interface. Such flaws limit the maintainability, extensibility, and
scalability of an application.
A production application should define a standard interface for accessing the application
model. An interface establishes a contract allowing different implementations to be
“plugged-in” as required. Such “pluggable” implementations illustrate the bridge pattern.
The purpose of the bridge pattern is to decouple abstract functionality from any specific
implementation of the functionality. For example, the inventory data is initially stored as
static information imbedded in Java code[2]. To gain flexibility, you might pull this data
out of code and store it on the file system. As data volumes grow, a common requirement
is to move data storage into a relational database management system (RDBMS). If the
BasketBean implements a standard interface, then you can reimplement this interface to
use a file system or an RDBMS without rewriting the CustomerServlet.
Real-world applications may also require the separation of data from code. Data changes
often, but code should rarely change. A minimum requirement for moving the sample
application into a production environment would be to split its model into separate data
access and data management tiers. This two-tier architecture allows data volumes to grow
without affecting code. Figure 7.4 shows the design after separating data from data access
and after defining a standard interface[1].
Often, scalability or data transaction requirements force introduction of a third tier into
the data management architecture. Common Object Request Broker Architecture
(CORBA) or Enterprise JavaBean (EJB) interfaces to data management services are now
common. If the BasketBean implements a standard interface, then you can reimplement it
as a distributed service. Figure 7.5 shows this three-tier implementation of the application
model[1].
[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
One of the reasons for JSP applications to follow the MVC pattern is that this pattern
encourages distinct, clearly defined roles for model, view, and controller components.
You should keep these components as loosely coupled as possible. However, you should
not keep the CustomerServlet loosely coupled, because it encodes specific workflow
states and hard codes the names of specific JSP pages.
Tight coupling between the controller and view components means that changes to one
component demand corresponding changes to the other component. In this case, if you
add additional JSP pages to the shopping workflow, you must add additional conditions
to the CustomerServlet program logic. Alternately, the CustomerServlet forces you to
give specific names to the JSP pages.
This sample application would be more maintainable and more scalable if you could
remove the tight coupling between the CustomerServlet and its JSP pages. One way to
minimize this close coupling would be to create a helper bean for each JSP page. You can
install these helper beans in the CustomerServlet to manage all HTML requests directed
at the associated JSP page. Such encapsulation of each request in a request handler object
illustrates the command pattern. As with the bridge pattern, the key to implementing a
command pattern is to declare a common interface that each request handler must
implement. In this case, the simplest form of such an interface might be a single method,
such as redirect(), into which you pass the request parameter and the BasketBean object.
Because every concrete implementation of the interface supports this method, the
CustomerServlet can invoke the interface on any given handler without knowing
anything specific about its implementation (see Figure 7.6)[1].
You can customize each helper bean for its partner JSP page and make it as complex as
necessary. For example, it can validate input parameters passed in the request, whether by
simply guaranteeing nonblank entries or by performing more complex tasks such as
verifying credit card information.
If you adopt the helper bean architecture, then you might wonder how you install the
bean. After all, although the JSP framework translates JSP pages into servlets at runtime,
JSP pages are just files until the framework translates them. It’s a kind of chicken-and-
egg problem.
A JSP page has exactly one input point, but it could have multiple outputs based on the
number of submit buttons. Each output could be associated with a different JSP page. For
instance, Inventory.jsp has two outputs, one for Purchase.jsp and one back to itself. You
could associate a helper bean with each output point using a hidden tag.
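The BasketBean model described earlier in this chapter and the helper-bean (command pattern) dispatch described in the last few paragraphs, as one added example (not the Java Pro article's code or any project's code; it is a Python rendering of the design, since the page shows no source). The basket keeps Product instances in a dictionary keyed by SKU and stores a product only when its pounds are greater than zero; each helper bean implements a single redirect(params, basket) method and returns the name of the next JSP page; the CustomerServlet chooses the helper from a hidden form field named handler, so Inventory.jsp's two outputs map to two helpers. The form field names, the inventory, and the dropping of an item when its pounds fall to zero are assumptions of this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    """The four attributes the text gives each Product instance."""
    name: str
    sku: str
    price_per_pound: float
    pounds: float


class BasketBean:
    """Model: Product instances keyed by SKU, like the Hashtable in the Java bean."""

    def __init__(self):
        self._items = {}

    def update(self, product):
        # A product is kept only if the number of pounds is greater than zero. This
        # added version also drops an existing entry when the pounds fall to zero.
        if product.pounds > 0:
            self._items[product.sku] = product
        else:
            self._items.pop(product.sku, None)

    def total(self):
        """Running total of the customer's purchases."""
        return round(sum(p.price_per_pound * p.pounds for p in self._items.values()), 2)

    def items(self):
        return dict(self._items)


# Constructed inventory: SKU -> (name, price per pound). Hard-coded, as in the toy.
INVENTORY = {"1001": ("Apples", 1.25), "1002": ("Pears", 1.80)}


class RequestHandler:
    """The common interface every helper bean implements (command pattern)."""

    def redirect(self, params, basket):
        """Handle one form submission and return the name of the next JSP page."""
        raise NotImplementedError


def _apply_quantities(params, basket):
    """Validate the qty_<sku> fields of an Inventory.jsp post and update the basket.
    Returns the SKUs whose entries were rejected; blank fields are left alone."""
    rejected = []
    for sku, (name, price) in INVENTORY.items():
        raw = params.get(f"qty_{sku}", "").strip()
        if raw == "":
            continue
        try:
            pounds = float(raw)
            if not math.isfinite(pounds) or pounds < 0:
                raise ValueError(raw)
        except ValueError:
            rejected.append(sku)
            continue
        basket.update(Product(name, sku, price, pounds))
    return rejected


class InventoryUpdateHandler(RequestHandler):
    """Output of Inventory.jsp that leads back to itself."""

    def redirect(self, params, basket):
        _apply_quantities(params, basket)
        return "Inventory.jsp"


class InventoryPurchaseHandler(RequestHandler):
    """Output of Inventory.jsp that leads to Purchase.jsp once there is something to buy."""

    def redirect(self, params, basket):
        if _apply_quantities(params, basket) or not basket.items():
            return "Inventory.jsp"
        return "Purchase.jsp"


class PurchaseConfirmHandler(RequestHandler):
    """Purchase.jsp -> Receipt.jsp, after the nonblank checks the text mentions."""

    def redirect(self, params, basket):
        if not params.get("name", "").strip() or not basket.items():
            return "Purchase.jsp"
        return "Receipt.jsp"


class CustomerServlet:
    """Controller: picks the helper bean named by the form's hidden 'handler' field."""

    def __init__(self):
        self.handlers = {
            "update": InventoryUpdateHandler(),
            "purchase": InventoryPurchaseHandler(),
            "confirm": PurchaseConfirmHandler(),
        }

    def service(self, params, basket):
        handler = self.handlers.get(params.get("handler", ""))
        if handler is None:          # new client, or an unknown or tampered handler name
            return "Inventory.jsp"
        return handler.redirect(params, basket)
```

The hidden field is client-supplied, so the servlet treats it as a lookup key into a fixed table of handlers rather than as a page name to forward to; anything not in the table simply restarts the workflow, and adding a page means adding one entry and one handler class, not another branch in the servlet.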
Finally, the JavaServer Pages extend servlet technology in useful ways. By supporting
Java scripting, they provide a role for Web designers alongside developers and add
flexibility to servlet architectures. JSP pages do not replace servlets; servlets, JSP, and
JavaBeans play complementary roles in Web architectures. By following the MVC
pattern, JSP applications can independently extend or enhance the controlling servlet, JSP
page, and application model to support real-world scaling. The application model can be
extended to a two- or three-tier design; in addition, adding helper beans can manage the
JSP workflow and support loose coupling of application components.
Summary
The heart of any Web store is the software that it runs on. However, up until relatively
recently, software solutions for e-commerce were largely do-it-yourself affairs, consisting
of a number of disparate tools lashed together to fulfill the major tasks of an online store.
This situation is changing rapidly. Every day sees the launch of a new software product,
each of which claims to be a complete shopping cart. However, close investigation
reveals a huge difference in the features that these products offer and the price that is
charged for them. It’s not surprising, therefore, that the selection of a suitable shopping
cart is a decision that many aspiring Web merchants agonize over.
So, what features should you look for when choosing a shopping cart? There are three
basic areas to examine: how easy the store is to set up, how easy it is to process orders
through it, and how easy it is to administer on a day-to-day basis.
To an extent, the desirable setup features and options will depend on the skill levels of the
individual storeowner. For example, a storeowner with no HTML or CGI experience
should look for software that creates a complete store via wizards and templates. On the
other hand, more technically savvy merchants will want a solution that provides them
with a higher degree of flexibility and enables them, for example, to create their own
HTML pages.
Regardless of technical skill levels, there are several features that all merchants should
look for. Good documentation and support is a must, of course. Also vital is the ability to
import product data from a database file. For example, after you have more than 10 to 20
items for sale, entering product details manually becomes a major chore.
Would-be storeowners should also think carefully before selecting a shopping cart that
relies on the use of cookies to track visitors in a store. Although much of the media hype
surrounding the use of cookies is dying down, there is still a fair amount of misleading
and confusing information around. And as a result, many people still surf with cookies
disabled in their browsers and are, therefore, unable to shop in stores that rely on them.
An important part of the setup process is the specification of sales tax and shipping
charges. Be careful—many shopping cart solutions currently available have major
limitations in these areas. For example, they may have no way of specifying shipping
charges for international shipments or they may be limited to being able to collect sales
tax from only one U.S. state. The best shopping cart solutions come with preset tax tables
that ensure the correct levels of tax are collected on each order. Some shopping cart
solutions also interface directly with information from carriers such as UPS and can
automatically calculate the shipping cost for each order.
Another area to investigate is the range of advanced features and services that are
provided. Services such as domain name registration and automatic search engine
submission can save a lot of hassle. And, additional features such as autoresponders and
chat rooms can help build a top-class store.
Furthermore, you should also look at order processing. The first two order processing
features to check for are the availability of a virtual shopping cart and the ability to
transfer data securely using SSL. Most shopping carts now come with these features, but
it’s worth checking anyway.
Although the bulk of orders in an online store will probably be placed online and paid
with by a credit card, there are still a lot of shoppers who want to shop and pay using
alternative methods. In order to maximize your sales, a Web store should, therefore, be
capable of accepting orders and payments in as many ways as possible. Available
ordering methods include online, fax, telephone, and snail mail, whereas payment
methods include credit and debit cards, paper and electronic checks, and digital cash.
And, although most smaller merchants will choose to process their credit card payments
offline, it is worth checking that the software is also able to easily handle online
processing. This gives flexibility to cope with future growth.
Note It is also important to select a shopping cart solution that automates as much of the
order management process as possible; for example, the ability to automatically
send an e-mail order acknowledgment to the customer along with a unique number
for order tracking.
Security is another major concern. Although SSL capability is included with most
shopping cart solutions today, some solutions still have major security weaknesses. For
example, although they transfer the customer’s credit card details from their browser to
the merchant’s server using SSL, they may leave them in an unsecured area of the server
where unauthorized parties could access them. Even worse, some send the customer’s details
to the merchant using unencrypted e-mail.
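The two weaknesses just described (card details left readable on the server, card details mailed in clear) can be checked for rather than assumed. The following is an added example, not code from the book: an order record and acknowledgment e-mail built so that they never hold the full card number, plus a Luhn-based scanner a merchant can run over stored order files or outgoing mail to detect a cart that leaks. The authorize_payment call is a hypothetical stand-in for a real processor.

```python
import re
import secrets

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_for_pan(text: str) -> list:
    """Return every Luhn-valid card number found in text. Run this over the
    directory the cart writes orders to and over the e-mail it sends out."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; that is all the merchant needs to see."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def authorize_payment(pan: str, amount_cents: int) -> str:
    """Hypothetical stand-in for the online processor call: the full number goes
    to the processor over SSL and only an authorization token comes back."""
    if not luhn_ok(re.sub(r"\D", "", pan)):
        raise ValueError("card number fails Luhn check")
    return "auth_" + secrets.token_hex(6)


def build_order_record(order_id: str, customer: str, pan: str, amount_cents: int) -> dict:
    """The record that is persisted on the server: masked number and token only."""
    token = authorize_payment(pan, amount_cents)
    return {
        "order_id": order_id,
        "customer": customer,
        "amount_cents": amount_cents,
        "card": mask_pan(pan),
        "auth_token": token,
    }


def merchant_notification(record: dict) -> str:
    """Body of the (unencrypted) acknowledgment e-mail. It is safe to send because
    it is built from the record, which never held the full number."""
    return (
        f"New order {record['order_id']}\n"
        f"Customer: {record['customer']}\n"
        f"Amount: {record['amount_cents'] / 100:.2f}\n"
        f"Card: {record['card']} (authorization {record['auth_token']})\n"
    )


def safe_to_store_or_send(text: str) -> bool:
    """True when no full card number appears in the text."""
    return not scan_for_pan(text)
```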
There are some other features that are also worth looking for. For example, discount clubs
allow you to automatically give discounts to repeat or high-volume customers. Online
order tracking allows customers to instantly check the status of their orders and eases the
demands on your customer service team. And, an inventory management facility can
automatically remove items from sale once the stock drops below a predetermined level.
You should also ignore all the hype about setting up a Web store and then laying back and
waiting for the money to roll in. Running a successful online store requires a great deal of
effort. However, you can make things easier by choosing a shopping cart software
solution that simplifies the day-to-day running of the store.
The first consideration is the method that is used for accessing and administering the
store. Some packages require that changes be made offline and then uploaded to the
server. This usually limits changes to being made from one specific PC, and this can be
restrictive. Alternatively, many packages allow stores to be updated online from any Internet-
connected PC.
Next, check out how easy it is to add, delete, and amend product data, as well as how
easy it is to run special time-limited price promotions. Try to avoid shopping cart
solutions that require all changes to be made offline and then for the whole database to be
reloaded on to the server.
Also, look out for any additional marketing tools that might be provided. For example,
this includes the maintenance of customer buying history and preferences, targeted e-
mailing capability, and affiliate program management. These can all prove to be very
useful.
Finally (and most importantly), examine closely the reports that are provided. There will
be no salesperson in your virtual store to monitor customer behavior and buying patterns
—reports are your only source of information. So, without good reports, you will lack
data to make fundamental decisions about the effectiveness of your store’s design and
product offerings.
Some shopping cart solutions only provide basic analysis of server logs; for example, the
number of hits and referrer information. This is totally inadequate. Ensure that the
shopping cart solution you choose provides a complete suite of detailed reports; for
example, a sales history analysis and information about the most common paths that
customers are taking through your store.
So, now that you have built your shopping cart applications, what should you do? Tell
your customers to shop until they drop!
Chapter 8: Mobile Electronic Commerce
“Walking and talking is the slowest form of mobile communication.”
—Anonymous
Overview
The use of mobile technologies is steadily on the increase, for both e-commerce and
personal uses[4]. Mobile phones are a common sight today and many people own personal
information management (PIM) devices or handheld computers, where they manage their
schedule, contacts, and other essential functions. Employees on the move appreciate the
value of staying connected with their enterprise and other resources through mobile
phones. Most enterprises now have corporate mobile phone plans that make it easier for
mobile employees to stay in touch and increase productivity.
With rapidly advancing technologies, most wireless carriers today offer transmission of
data in addition to voice signals. For example, you can now receive e-mail on your
mobile phone in addition to regular calls. With the growing proliferation of wireless
enabled Personal Digital Assistants (PDAs), Blackberry mobile e-mail devices, and
notebook PCs, it is all the more important to ensure that the mobile employees are
connected to, and supported by, the enterprise[6]. Although the terms “mobile” and
“wireless” are often used interchangeably, they are two different things:
• Mobile devices are portable, electronic components that are used by mobile
people to do their work.
• Mobile pertains to the ability of an entity to be on the move.
• Wireless pertains to the technology that allows transmission of voice, data, and
other content through radio waves over the air, not restricted to physical cables[2]
or other physical mediums[1].
It is not surprising that an increasing number of employees are demanding mobile support
from their enterprise in order to maximize performance. Without a proper mobile strategy
in place, most enterprises will fail to meet their cost and performance objectives. In fact,
recent studies have shown that mobile employees connected to the enterprise are much
more effective than if their enterprise did not support a mobile workplace. For employees
whose work is mostly away from their desktops, this is an important issue.
Mobile employees have a long list of enterprise capabilities needed to support their work.
Here are some basic requirements:
• Adequate protection of information on wireless devices to ensure that confidential
business information is not lost or stolen
• Wireless connection to enterprise assets using laptops, PDAs, mobile phones, and
other devices for flexible access to business processes
• Mobile connection via laptops so that work can be done from anywhere
• Real-time synchronization of information to ensure accuracy and consistency
• Ability to receive appropriate alerts and messages to the mobile device in order to
carry out required job functions with optimal efficiency[1]
The expectations previously listed are quite typical, and today’s mobile infrastructure is
able to deliver them with significant success. The wireless industry is continually
evolving, with new developments springing up at an accelerated pace.
The line between computing and telephony is slowly blurring. Devices that combine the
features of mobile phones and PDAs are becoming quite popular in the market today.
Eventually, it will be one combined device you carry—where you do your scheduling, e-
mail, Web surfing, videoconferences, document management, and take all your business
and personal calls. This would be a true all-around utility device. With data storage
capabilities[3] and network bandwidth steadily improving, it won’t be long before you
have the capabilities of a currently available high-end desktop computer in a
device that fits into your pocket. One can only speculate about the ramifications this
convergence of devices will have on the way you work and how enterprises will function.
[4] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[6] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
[2] Vacca, John R., The Cabling Handbook (2nd Edition), Prentice Hall PTR, 2000.
[1] Deshpande, Sumit, “Enabling Mobile eBusiness Success,” © 2003 Computer Associates International, Inc., One Computer Associates Plaza, Islandia, NY 11749, 2003.
[3] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
No technology works in a vacuum. Many entities work at different levels to bring the
technology to a more mature and usable state. Standards and specifications are first
conceived, developed, and then implemented. Currently, most standards bodies for the
mobile e-commerce environment are focused on hardware- or infrastructure-related
issues. Some of the more important standards organizations related to the wireless
industry today include:
Many other organizations such as the W3C, Wireless DSL Consortium, and other
institutions have standards directly affecting the wireless industry, though they are not
specific to wireless communications. For example, XML and Web services standards are
increasingly part of the development and deployment to server and desktop processing,
but they are equally applicable to wireless applications. Several new standards groups are
being formed to address specific issues regarding mobile e-commerce.
[5] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.
Despite the prevalence of standards committees in the wireless industry, there is no single
unifying standard. It is important for enterprises to consider all the aspects involved in
mobile support while contemplating a strategy for mobile e-commerce. Some of the key
criteria in choosing a wireless network specification include:
Wireless networks may operate in one of two modes—on demand and infrastructure
mode.
On Demand Mode (Peer-to-Peer)
Each mobile device, also known as a mobile client, communicates with the other devices
in the network, within a specified transmission range or cell. This is described in Figure
8.1[1]. If a client has to communicate with a device outside the specified cell, a client
within that cell must act as a gateway and perform the necessary routing.
Infrastructure Mode
Communications between multiple wireless clients are routed by a central station known
as an “access point.” The access point acts as a bridge and forwards all communications
to the appropriate client in the network whether wireless or wired. Besides having routing
mechanisms, the access point also has a Dynamic Host Configuration Protocol
(DHCP) server and other features that facilitate wireless communications in a small to
large business environment. Residential gateways are similar to access points, but do not
have advanced management features required for corporate networks or high-traffic
environments. A wireless client must first be authenticated, and then associated with an
access point before it can perform any communications. Figure 8.2 shows a typical
wireless LAN environment[1]. Enterprises that have a strong mobile e-commerce strategy
must make a selection from the major wireless LAN specifications available in the
market today.
802.11b
The 802.11b specification was defined by the Institute of Electrical and Electronics
Engineers (IEEE). 802.11b is used as an extension of Ethernet to wireless
communication, and as such is quite flexible about the different kinds of network traffic
that pass over it. It is primarily used for Transmission Control Protocol/Internet
Protocol (TCP/IP), but also supports AppleTalk and other PC file sharing standards.
Disparate systems like PCs and Macs may communicate over 802.11b, using PC or
Peripheral Component Interconnect (PCI) cards, and even some of the newer hardware,
utilizing Universal Serial Bus (USB) and other forms of 802.11b based wireless network
cards. Adapters for PDAs, such as Palm OS and PocketPC based devices are also
available.
802.11a
Protocol 802.11a transmits 54 Mbps over the 5 GHz band. This is ideal for large data file
transfers and bandwidth intensive applications over a limited area. Although performance
and throughput are significantly increased, the transmission range is notably reduced.
802.11g
Protocol 802.11g transmits 22 Mbps over 2.4 GHz. This specification is considered to be
the next generation wireless network platform for the enterprise, working twice as fast as
the current 802.11b specification. However, this is still a work in progress.
Note 802.11b has become the standard wireless network deployment platform for public
short-range networks, such as those found at airports, hotels, conference centers,
and coffee shops and restaurants.
Bluetooth
This wireless network specification, defined by the Bluetooth Special Interest Group, is
ideally suited for Personal Area Networks (PANs) that operate in short ranges and need a
robust wireless network that allows transmission of bandwidth intensive information.
Bluetooth specifications also promote interdevice communications, so mobile phones can
communicate to PDAs, notebook PCs with laptops, and so on. Although it uses the
unlicensed 2.4 GHz band for transmission, its transmission is faster than the 802.11b
networks in both on demand and infrastructure modes. Bluetooth’s range is, however,
much less. Bluetooth technology works well for on demand networks and situations in
which device-to-device communication is desired. For example, you can wirelessly
connect from your PDA to a printer to print documents, or perhaps synchronize your
desktop with your PDA over the air.
Wireless WANS
With CDMA, a large number of users are able to access wireless channels on demand.
Used by most digital mobile phone companies today, the performance is almost 8 to 10
times better than traditional analog cell phone systems. The latest generation of this
technology is called 3G and is much anticipated by many mobile users.
The GSM wireless platform provides full voice and data support with worldwide roaming
capabilities. Included in the GSM family is the General Packet Radio Service (GPRS)
platform for delivering Internet content on mobile devices, and the Enhanced Data rates
for GSM Evolution (EDGE) and Third Generation GSM (3GSM) for delivering mobile
multimedia.
Most wireless carriers base their offerings on the previously mentioned platforms,
leveraging the strengths of the protocol they decide to use. For example, services offered
by Sprint PCS and Verizon Wireless are based on CDMA, whereas AT&T Wireless and T-
Mobile use GSM.
Note Connecting all these participants together to create a viable solution are systems
integrators with focused practices in mobile e-commerce implementation.
Wireless Hardware
There are numerous devices that are wireless-enabled to facilitate an efficient mobile
workforce. Some of the top companies that provide these devices are:
Compaq: The makers of iPAQ handheld computers and notebook PCs. They are used in
many enterprise settings due to their versatility and high performance. They use
Microsoft’s PocketPC platform as their operating system.
Kyocera: They specialize in mobile phones with PDA capabilities, using the Palm OS.
Nokia: The leading mobile phone manufacturer, with innovating products that combine
mobile phones, PDAs, and other features.
Palm: Currently the leading provider of PDAs; their operating system, called Palm OS, is
a popular platform for wireless application deployment.
Research In Motion (RIM): The makers of the increasingly popular Blackberry wireless
devices that allow mobile users to send and receive e-mail.
Symbol: The leading manufacturer of wireless devices and scanners for retail, utilizing
the latest technology in bar code scanning[1].
Wireless devices add value to the enterprise only when they connect to the IT
infrastructure and are actively supported by the administration. Access points, network
cards, and other components essential to the deployment of a wireless communications
infrastructure are available from several vendors, including:
• 3Com
• Cisco[4]
• Fujitsu
• HP
• IBM
• Siemens[1]
Note With the wireless infrastructure in place, it is important to choose the right carrier to
facilitate high-quality communications.
Wireless Operators
Wireless operators are organizations that provide the hardware and communications
infrastructure to make wireless transmission possible in a wireless LAN and/or a wireless
WAN environment (see Figure 8.3)[1]. Most of these provide basic wireless phone
services and many of them now offer services to transmit data in various forms. The top
three wireless carriers worldwide are listed in Table 8.1[1].
• AT&T Wireless
• Cingular Wireless
• Sprint PCS
• Verizon Wireless[1]
Depending on the geographical scope of your organization, you will have to choose the
right partner who can provide the required regional and/or national coverage necessary
for your e-commerce.
Wireless Software
The wireless software industry is still maturing; most of the players are niche solution
providers, and very few actually provide substantial value to enterprise deployments.
Ranging from low footprint applications like mini-browsers or
PDA utilities, to more sophisticated solutions like interdevice communications or global
positioning systems, wireless software vendors are engaged in several innovative
research and development initiatives. Companies such as Microsoft, Sun, Palm, and
others are active in this area.
When deploying a mobile e-commerce strategy, you have to consider the right
combination of wireless network architecture, platforms, infrastructure components,
devices, and applications in order to be successful. Figure 8.3 depicts a typical wireless
architecture adopted by most enterprises.
Even with the absence of ubiquitous standards, the current wireless infrastructure is
stable enough to support and deploy wireless applications developed for the mobile
workforce. As wireless technologies mature, the quality and availability of wireless
software will also grow. An important factor to consider is the need to secure and manage
the enterprise infrastructure, while making all the necessary assets available to your
mobile workforce.
Although it is one thing for organizations to keep up with the latest industry trends,
making it happen in everyday life is a totally different story. The following are some of
the key concerns of enterprises that are contemplating a mobile e-commerce strategy:
Security: Wireless networks are very easy to break into and difficult to monitor. Your
enterprise assets must be protected.
Return on investments: Wireless connections should perform as well as, if not better
than, wired connections. They should add value to the enterprise and generate revenue.
The benefits should be measurable in some form. ROI and business continuity are
important[1].
Security
The number one concern in the world of wireless enterprises is security. Wireless
networks are one of the easiest to hack into and most security measures may not be
adequate to prevent this intrusion. There are several vulnerabilities in the Wired
Equivalent Privacy (WEP) security features provided in the 802.11b standard. The goal of
WEP is to provide data confidentiality in wireless networks at the same level as one that
is wired. However, despite having a well-known encryption mechanism, namely the RC4
(Ron’s Code 4) cipher, WEP is vulnerable to attacks, both passive and active. This opens
up the wireless network to malicious parties to eavesdrop and tamper with wireless
transmissions. Key management and robust authentications are also open problems with
the 802.11b security features. The IEEE is scheduled to release a more secure version of
WEP in the near future.
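The passive weakness and the key management problem named above, as an added example that is not from the book: WEP forms each packet’s RC4 key from a 24-bit IV sent in the clear followed by the shared key, so any two frames carrying the same IV are encrypted with the same keystream, and XORing their ciphertexts cancels the keystream and exposes the XOR of the two plaintexts to anyone listening. The code also computes the birthday bound on how few frames a randomly chosen 24-bit IV survives before it repeats. The key and frame contents are constructed samples, and WEP’s CRC-32 integrity value is omitted.

```python
import math

IV_BITS = 24  # WEP's per-packet IV, transmitted in clear at the start of every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key is IV || shared key; the IV is prepended unencrypted."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the per-packet key from the cleartext IV and the shared key."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """What a passive listener with no key learns from two frames that carry the same
    IV: XOR of the ciphertexts equals XOR of the plaintexts, because the identical
    keystream cancels out. Returns None when the IVs differ (nothing cancels)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> int:
    """Birthday bound sqrt(pi/2 * 2^n): roughly how many randomly chosen IVs are sent
    before one repeats. For 24 bits this is a few thousand frames, i.e. seconds of
    traffic on a busy LAN, which is why the static shared key is the core problem."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))
```

A monitoring point that sees the same IV twice under one shared key can flag that the network is exposed; the fix the text anticipates is per-packet keys that never repeat, not a longer IV.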
Bluetooth comes equipped with security measures such as encryption and authentication,
but these measures may not be very sophisticated for an enterprise environment.
Organizations that have invested in a wireless network need a strong security solution
today. One way to secure an enterprise infrastructure that includes a wireless network is
to build it separate from the intranet, and set up a firewall to protect communications.
Implementing a robust virtual private network (VPN) solution is also useful. The security
features available with the VPN solution along with additional authentication, and access
control features, secure the users whether they are on a wired or wireless network.
Enterprises must also ensure that all devices are virus free and that they do not act as
carriers of malicious code. Access to the network from mobile devices must be
authenticated, and only authorized users should be allowed access.
Management
Like a wired network, the infrastructure that supports a wireless network also needs to be
managed. Some of the components that must be managed include access points, mobile
devices, wireless application servers, and others.
Management of the network increases performance and allows the administration team to
respond to issues quickly. Besides providing a real-time view of the wireless network, the
management solution must also provide a future view, so that proactive measures can be
taken to prevent problems before they occur.
Corporate assets need to be accounted for. Therefore, each mobile device should come
under the eye of enterprise management. Automatic transfer of relevant information,
applications, and updates (like the latest antivirus signatures) should be made possible. In
addition, data on the mobile devices must be backed up without causing any impediment
to normal processing, and must be automatically moved to the server unobtrusively when
on a wired network.
Information Access
Enterprises with large data resources have volumes of untapped intelligence just waiting
to be put to use. With a growing mobile workforce, it is essential to make this business
intelligence available to them at their point of need and equip them to make profitable
decisions. Mobile employees must also be able to access the business processes critical to
their job function.
Enterprise portals provide a viable dissemination tool for organizations today. Wireless
access to these portals is no longer a “nice-to-have” feature, but an absolute requirement.
Organizations are also looking for ways to leverage legacy resources and make them
available to mobile devices. With the emergence of Web services, the need for a reliable
solution to extend applications to mobile devices is ever on the rise.
Return on Investments
As the demand for wireless support from the workforce grows, enterprises need to act
quickly and provide the necessary services in order to promote success. For example, the
Gartner Group predicts that more than 70% of mobile applications deployed at the start of
2004 will be obsolete by the end of 2004. Keeping this analysis in mind, it is important to
make the right decisions to promote application longevity, while at the same time being
open to new, improved solutions. For enterprises that are contemplating a mobile e-
commerce strategy, the following points are worth considering:
All your wireless communications and other mobile activities are an integral part of your
e-commerce. Choose an enterprise-wide solution that covers your e-commerce from end
to end, providing all the required measures for security, management, and information
access.
Ensuring Your Wired Enterprise Infrastructure Is in Order First
You should get into partnerships with the right companies that can help you with your
specific needs. Work with systems integrators who have a focused wireless practice. It is,
therefore, extremely important to choose the right software vendor to deliver an
integrated, comprehensive, and reliable enterprise-wide solution for your e-commerce.
The wireless industry is changing rapidly. Mobile devices are getting smaller, faster, and
more capable. Performance of wireless networks is steadily improving. Opportunities to
leverage mobile technologies will continue to grow. Associate with companies that will
change with the times and yet be stable in what they do best.
Summary
The demand for and use of mobile technologies is increasing at a phenomenal rate.
Simultaneously, the underlying landscape of mobile technologies is changing rapidly,
creating the need for solutions to facilitate the long-term growth and success of mobile
enterprise initiatives. It is important for software vendors to provide comprehensive
solutions to manage, secure, and maintain the mobile applications infrastructure, while
fostering development, integration, and access to applications and information over
wireless mediums.
Finally, although it is one thing for organizations to keep up with the latest industry
trends, making it happen in everyday life is a totally different story. Enterprises must
contemplate developing a mobile e-commerce strategy.
Chapter 9: Enhancing a Web Server with
E-Commerce Application Development
“Modesty: the gentle art of enhancing your charm by pretending not to be aware of it.”
—Anonymous
Overview
Leading e-commerce software applications offer solutions that maximize a Web site’s
server business value. These solutions reduce costs by automating and streamlining
processes, and increase revenues by helping you market, sell, and service your products
more effectively. Deploying a Web site server is a fast, comprehensive means to establish
and maintain high-yield relationships with customers, suppliers, and other value-chain
members. According to Forrester Research, companies saw online sales increase 20%
between 2001 and 2002, versus 4.4% for traditional sales outlets.
IT organizations are in a new era. The boom times marked by soaring budgets for Y2K
and Euro projects and the heady dot-com era are over. A changing economy has caused
businesses to focus on maximizing the value and effectiveness of IT investments, while
controlling costs. These new business expectations create a variety of challenges for
business and IT to build and deploy effective Web server-based applications.
Business Demands
The good news is that most businesses are now aware that the capabilities of the IT
organization to build and deploy Web server-based applications are vital to competing
and thriving in this highly competitive world. This perception of the value of IT is
tempered by a need to ensure that projects are prioritized based on their value to the
business. Instead of looking for projects that promise exotic new markets, the priority
today is for those that have clearly defined deliverables and provide a measurable ROI.
The business expectation is for IT to help the company achieve competitive advantages.
Development projects that improve customer service and integrate information from
across the enterprise are still high on the business agenda. Aligning IT with these new
business demands is critical for success.
Challenges for E-Business Development
IT challenges have never been greater. Risk reduction is a key IT objective. At the same
time, service levels and measurable ROIs are essential components of communications
between IT and the business. IT must also consider how to maximize its value to the
organization. Ultimately, focusing on the right projects is important, but IT must also
deliver quality applications that benefit the entire business.
Control over complexity is also crucial. New technologies are arriving at an accelerating
pace. Key technology focus areas today include:
Portals: Enterprise portals are now the standard browser-based vehicles to deliver
enterprise information.
The IT organization must embrace these new technologies and evaluate a wide range of
other new technologies, such as enhanced Linux servers and new generations of
development tools. In all of these cases, successful implementations must be controlled
from the perspective of the entire infrastructure.
For many years, IT professionals have worked to improve development processes and
apply new technologies to benefit enhanced Web server-based application development.
These well-known initiatives are reflected in Computer Aided Software Engineering
(CASE), object oriented, and component development tools and others. Although each of
these has contributed positively to enhanced Web server-based application development,
managing the overall development process is as important as the technology and tools
that are used to build the systems.
The Software Engineering Institute (SEI) is a federally funded research and development
center committed to the evolution of software engineering processes. The SEI developed
what is known as the Software Capability Maturity Model (SW-CMM), which defines
process models for software development projects. It is an excellent example of an
innovative initiative to help software organizations improve the maturity of their software
development processes.
[4] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
[3] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[2] Le Clair, Don, “Managing eBusiness Development,” © 2003 Computer Associates International, Inc., One Computer Associates Plaza, Islandia, NY 11749, 2003.
Enterprise Development Needs
Meeting these needs requires good communication between the business and IT
communities to be successful. With that foundation, it is possible to evaluate how
technology can be applied to address the specialized needs of each stakeholder.
IT expenditures need to be justified and rejustified regularly. IT must ensure that the real
and evolving business requirements are reflected in the resulting applications. They must
also ensure that resources are focused on projects that have high impact on the business.
To ensure that the individual projects actually meet the needs of the business users, it is
vital to drive business knowledge into IT through requirements and business process
modeling. There is no value to the business for systems that don’t meet the user’s
functional requirements. This process must also address the user’s service-level
expectations. Response time and system availability metrics are just as important as
features and functions in successful deployments.
Aligning IT’s resources with business priorities (IT Portfolio Management) is mandatory.
For this to succeed, there must be communication between IT and the business. Key
enabling technology includes solutions that help IT to assess the risk, cost, and benefits of
all initiatives. A management portal is an essential tool for bringing together real-time
project status and scheduling information.
People are hungry for current, reliable information about the enhanced Web server-based
e-commerce application development process. Extensive “what-if” capabilities on
resource and portfolio commitments are also necessary to quickly and effectively respond
to new business opportunities and a changing competitive landscape. Project
management solutions with the capability to manage enterprise-wide schedules make this
possible.
With these capabilities in place, a CIO can have confidence that development projects are
focused on delivering maximum value to the business, and that these efforts are
supported by technology that enables a free flow of communications with the line of
business management.
Increasing IT Effectiveness
A top priority is to accelerate time to market with proven best development practices. An
ideal solution will support the delivery of prepackaged best practices libraries that make
the experience of other professionals available out-of-the-box. Leveraging the expertise
of organizations like the SEI can jump-start efforts to implement consistent, repeatable
development processes and reduce the risk associated with development efforts.
The ultimate goal is to improve quality and effectiveness through a continuous process
improvement cycle. This discipline is widely used in manufacturing and is equally
applicable to enhanced Web server-based e-commerce application development. Any
effective process management solution must be customizable to encompass the actual
experiences of your own organization.
Data modeling makes Database Administrators (DBAs) and architects more productive
and less error-prone by automating manual processes. Advanced tools in this area provide
guidance and validation of logical and physical models, matched with support for the
many different relational databases deployed in the enterprise. Sophisticated modeling
tools support data cleanliness initiatives by reconciling data models between different
applications and databases.
Component modeling helps architects and developers improve the quality of system
design from the outset. The strongest solutions in this area provide full support for the
Unified Modeling Language (UML) standard. UML ensures support for a broad array of
modeling activities and the ability to import models into many popular development
tools.
For enterprise projects, it is also important to support larger development teams with
sophisticated solutions that enable collaborative modeling. Model integration between
solutions works to ensure consistency and automate communication among all
participants in the development process. Sharing and the exchange of models in this
environment is critical to success. It is also important to apply solutions that more
effectively tie the Development and IT Operations organizations together. Two key areas
to address are software delivery and service desk.
Controlling Complexity
Supporting these new applications requires a wide range of technical skills and the
deployment of many sophisticated new technologies. This dynamic environment is
driving the need for sophisticated enterprise-caliber change and configuration
management (CCM) solutions.
An enterprise solution must deliver continuous control across processes, designs, and
applications. In addition to managing on traditional mainframe, Unix, and Windows®
platforms, leading solutions must support the growing popularity of Linux servers. Given
the multiplatform nature of new Web services and wireless technology, CCM solutions
must have the capability to centrally manage change packages that span all these
environments.
Deploying applications has also become more complicated than ever before. For
example, deploying a single new wireless application may require the synchronized
delivery of components to wireless devices, Web servers, application servers, and
mainframes. If any individual component is not deployed, then the entire application will
not work. Successful deployments depend on the ability of the CCM solution used by the
development organization to effectively integrate with the software delivery capabilities
used by IT operations.
Companies that market, sell, and service products via the Web share similar objectives,
which typically include:
Meeting some or all of these objectives can enhance the site’s business value and overall
profitability. A Web site is a fast, inexpensive way to deliver information to customers
and to tailor it to their individual concerns. According to Forrester Research, 90 percent
of all customer, partner, and employee interactions occur on the Web. So, is your business
ready to make the most of its Web site? To do so, a technology solution must deliver a
full spectrum of functionality for data gathering and analysis, retail commerce,
application integration, information exchange, and publishing.
An e-commerce solution can deliver business value benefits in the following categories,
which correspond to Web site business objectives.
On its site, a company needs to be able to leverage all relevant information in order to:
• Cross-sell products and services.
• Make personalized, effective recommendations on products and services.
• Plan promotions and marketing campaigns.
• Provide targeted information based on customer profiles[1].
Realizing the preceding four goals lets your business take full advantage of one-to-one
personalization. Customer loyalty depends on the quality of the buying experience. So,
anything you can do to enhance that experience will translate into better business value.
The goal is to maximize the value from each customer contact and to deliver highly
personalized interactions to all customers through real-time, as well as offline, channels.
The value of personalized interaction was underlined by a survey conducted by Jupiter
Research, which found that the personalized service offered by 36 surveyed e-commerce
sites boosted new customers by 48% in the first year and increased revenues by 51%.
To facilitate automation, you can easily integrate e-business solutions with existing
applications and systems, and access information contained in legacy systems. Multiple
Enterprise Application Integration (EAI) solutions are available from leading commerce
portal providers to integrate popular applications from such vendors as SAP and Siebel®
Systems. Such integration enables you to streamline processes, exchange information,
and conduct business more efficiently.
For sites that offer a multitude of products, targeting is essential. With information from
customers, you can narrow down the most appropriate suggestions. The ability to deliver
a simple, relevant, and consistent user experience is key to enhancing Web-based servers
and the online experience and maximizing selling opportunities.
An additional step to improving a site’s business value is to combine site data with other
business data such as call center information. Doing so enables you to identify, for
example, customers who have the following profile—heavy-volume call center user,
large-volume offline purchaser, and online user. The goal is then to move such customers
more online, thereby reducing their dependency on high-cost call center operations and
lowering transaction costs.
Sophisticated analysis and reporting applications not only tell you what your customers
are doing, but also report on how your business is doing. You can identify the nature of
the relationship of current online users, thereby establishing a baseline for your site. It’s
difficult to move forward in a useful direction if you don’t know where you are. To assess
that relationship, you need to determine how involved current customers are with the site.
Finding that out requires getting answers to such questions as:
• Do they simply browse or do they purchase? How much money do they spend?
What is the repeat purchase rate?
• How and when do they access the site?
• How much time do they spend on their visits? Is their time being spent in a useful
manner or wasted because of poor design and tedious searches?
• How often do they visit the site?
• What are their areas of interest[1]?
You also need to assess your customers’ actual value to your business. Usually, this is
calculated via transactional data on how recently and how frequently they’ve visited the
site, and the value of their purchases. However, it could also be a figure based on the
characteristics of your customers. For example, small and medium-sized businesses have
more value than home office workers do. Answering these questions about current site
users will help you prioritize which customers you want most to retain and develop.
To further drive a site’s business value, you need to gather information about both online
and offline customers, so you can decide which of them has the potential to become a
more valuable online customer. You can then overlay the assessment of potential
customer value onto the baseline view to more precisely define the customers you want to
develop into valuable customers for the future.
The goals for current valuable offline users are to identify them and turn them into
valuable online customers, which can enhance the business value of a site by reducing
costs for processing transactions and providing customer service. The first step is to
segment users into categories based on their value and their usage of the site.
Analysis and reporting functionality can help improve the business value of your
enhanced Web-based server site by enabling you to take the following steps: first, you
need to review the information available to construct a logical baseline view of your
customers. Analysis and reporting tools maximize the value of the information you’ve
already captured because they help you gain intelligent insight into customer behavior,
preferences, and purchase patterns. They then leverage this information into improved
interactions with individual customers. Analysis applications transform e-commerce
information from observation logs, customer profiles, and transaction databases into
timely information that helps you offer customers the right products or services at the
right time and the right price.
Second, you should use individual profile information and behavioral information on
customers gathered from their online activities, combined with business and external
research data, to create a comprehensive picture of your online and offline customer base.
Third, you should analyze the picture to understand what different customer groups need
from the enhanced Web-based server site and what their requirements might be. This
analysis can help you to create appropriate content, messages, and promotions—even
help you develop new products and services that can be “pushed” to the target individuals
or groups, creating a cohesive strategy across all customer touch points. In the online
environment, this works by specifying business rules that push the right messages to the
right people at the right time. This, in turn, maximizes the opportunity to influence
customer behavior, thereby maximizing the site’s business value. For example, one group
of customers may be cash-rich and time-poor. The analysis and reporting functionality of
your site can help you identify the appropriate content this group will be inclined to
“pull” from the site, and then target messages you need to “push” toward them to
stimulate and increase their online spending and value as customers.
Managed Solutions
Large U.S. companies have begun to outsource their enhanced Web server hardware,
databases, and applications software, as well as all the management and maintenance of
hardware, software, and content. It is becoming more and more popular for companies to
outsource these functions to experts rather than use a less skilled or constrained in-house
team. Almost all hosting is about cost savings, performance improvement, and
convenience.
Because of the sluggishness in the overall economy, many service providers and
enterprises can no longer afford to do this IT function in-house. Those who have held off
on expansion cannot afford large capital expenses for new equipment or expensive
personnel. For example, according to industry analysts, 53% of IT professionals stated
that staffing expenses will rise in 2004 regardless of the economy. According to Forrester
Research, enterprises can save 47% to 82% of their enhanced Web site-based server
infrastructure costs by turning over their sites completely to a Web host. Hosted
companies experienced a 91% drop in downtime incidents. The increased uptime
translates into about $5.8 million per year in revenues per company.
There are many conveniences that come along with outsourcing, including easy access to
bandwidth, availability of complementary products, security, consulting services, and
predictable budgeting. These conveniences enable companies to focus on core
competencies, improving overall productivity.
Finally, according to Cahners In-Stat Group, e-commerce applications are the most likely
applications to be outsourced by medium-sized companies. At large companies, these
applications are the second most likely to be outsourced (after database).
Summary
Today, businesses take a pragmatic view of investments in IT. For IT managers, the key
to success is to provide the maximum business value for the minimum cost. To achieve
this, IT must align enhanced server-based application development and operations with
the needs and priorities of the business. IT must also increase its overall effectiveness and
minimize the risks in delivering new projects and applying new technology. Further, IT
must gain and maintain control over the increasing complexity of the enterprise enhanced
server-based application development environment.
Finally, when faced with productivity challenges to get more with less, leading
e-commerce software applications play an integral role in maximizing the business value of
your enhanced server-based Web site. By using your enhanced server-based Web site to
unify and extend information and business processes to service customers, suppliers, and
employees, you can help deliver incremental business value from your Web site. Moving
relationships to a personalized and collaborative self-service model enables you to
enhance growth, reduce costs, and improve productivity. And, by combining marketing,
transaction, and service functions in a single solution, you reduce your overall cost of
doing business. Additional efficiencies may be garnered by outsourcing the management
and maintenance of your e-commerce solution. Outsourcing can enable you to reduce
costs, improve performance, and enhance convenience.
Part III: Implementing and Managing E-Commerce Web Sites
Chapter List
Chapter 10: Strategies, Techniques, and Tools
Chapter 11: Implementing Merchandising Strategies
Chapter 12: Implementing E-Commerce Databases
Chapter 13: Applying and Managing E-Business Intelligence Tools for Application
Development
Chapter 10: Strategies, Techniques, and Tools
“Men have become the tools of their tools.”
Overview
• As of February 2003, there were more than 637 million people online.
• Companies that use e-business technologies to replace paper-based purchasing
processes have reduced individual transaction costs from as much as $150 to less
than $10.
• Reliable estimates indicate that the healthcare industry could save $44 billion a
year by using e-business processes to improve supply chain efficiencies[1].
[1] “Building an e-Business Strategy: What to Do Now. What to Do Next,” © 2003,
Lawson Software, All rights reserved, Lawson Software, 380 St. Peter Street, St. Paul,
MN 55102, USA, 2003.
E-Business Now
Those interested in adopting or refining an e-business strategy are dealing with mixed
signals. On one hand, there is reason for caution. Stories of failed dot-com companies
that made big promises, but didn’t deliver, fill the financial pages. Long implementation
periods and complicated “transitions” give many managers pause. High costs for
technology that may be quickly obsolete also have a dampening effect on the e-business
acceptance curve.
And yet, the promise of e-business is such that it overwhelms most objections. From
backend process reengineering to frontend customer convenience, e-business offers what
most organizations need to grow in a worldwide economy and compete against a host of
new rivals. In some industries, the proof is already there and the case for e-business is
especially compelling:
• Healthcare organizations are using Web-based supply chain processes to radically
reduce costs and improve patient care. They are also using Web-based human
resource systems to recruit and retain qualified professionals in a very tight labor
market.
• In retail, Web-based financial applications are greatly simplifying the details of
franchise management, reducing paper-based transactions, improving
communications, and providing easy-to-use analytical information at the store
level.
• In the public sector, schools and government offices are adopting e-business
technologies to facilitate group purchasing, reduce operational costs, and make
services and information more accessible.
• The financial services industry is using e-business technology to reduce
procurement costs and to introduce new services to customers.
• The professional services industry is using Web-based applications to track and
maintain relationships with employees across multiple jobs and sites, and fully
facilitate projects, significantly reducing the time from opportunity to
cash-in-hand[1].
Other industries are also finding that e-business is changing the way they handle
traditional tasks, how they go to market, and even their business focus. The graphic arts
industry, for instance, is replacing paper-based, prepress proofing with online proofs that
can be reviewed quickly and cheaply. Small companies are finding they can compete
worldwide through Web sites linked to online catalogs. Application Service Providers
(ASPs) are creating whole new enterprises around e-business solutions developed for
niche markets.
In today’s world, e-business is the magic driving the way companies cope with changes
in the marketplace. It’s no longer a question of whether or when to implement an
e-business strategy. It’s how and with whom.
There are two primary options for organizations that are reviewing their e-business
strategies: use e-business to concentrate on core businesses and use e-business to develop
new competencies.
E-business offers ways to create new markets and even new lines of business. Business
Service Providers (BSPs), for instance, develop or purchase new technologies and then
package them to sell to niche markets. Some BSPs have taken a different path, leaving
the context (the specific market application) to others, while they provide technologies
(financial applications, human resource systems, etc.) widely used in every business
organization.
Whichever broad direction is chosen (or if a combination of both seems best), there are
key issues that need to be addressed in the early stages of deciding on an e-business
strategy. The first is to clarify the terminology so everyone is speaking the same
language.
Once the terminology is clear, the other issues that need to be addressed in an e-business
strategy depend on the type of organization. Some companies need to prioritize security
or financial data management, whereas others need to focus on Human Resources (HR)
applications such as empowering employees to self-manage their own basic HR
information. Still others will find that the greatest advantage of e-business is
streamlining purchasing operations or distributing information more efficiently across
multiple locations.
Web-deployable refers to applications that can be delivered or accessed over the Internet.
Web-deployable applications render their user interface in a browser.
For example, some applications have distinct business objects that can be deployed via
Web-related standards and protocols. These business objects support end users who
access various systems occasionally, thus providing a standard presentation and common
navigation process via a browser.
Benefits of Web-Addressability
There are four key issues that apply to most organizations. The following issues can be
viewed as a prerequisite to building an effective e-business strategy:
The costs of implementing an e-business strategy are measurable in both time and money.
Some providers may have lower front-end costs, but the time-to-implement may be so
lengthy and complicated that the actual costs are much higher.
The impact on business units must also be anticipated. Introducing an e-business strategy
in one department may result in crossover benefits to other operating functions of the
organization. For instance, using e-business technologies to reduce routine HR functions
frees HR professionals to take a more active role in strategic planning for the
organization.
Aligning IT Architecture
Introducing e-business technology across multiple business entities can require a major
commitment of IT support. Using an open architecture configuration eliminates this
concern because e-business applications are transparent to all major hardware platforms,
operating systems, and databases.
Finally, implementing an e-business strategy will be a lot smoother if its value is made
clear to all potential users. E-procurement applications, for instance, add value at the
Purchasing Department level by reducing errors and streamlining processes. At the
organizational level, value is added by facilitated group purchasing, which cuts costs. In
addition, vendors receive added value because they have faster access to information so
they can track invoices and payment. Done right, an e-business strategy is a win-win
proposition for all involved.
Summary
—Anonymous
The Internet is changing the basis of competition for companies of all sizes. Although
many successful formulas for e-business development now exist, most are based on one
of the following merchandising strategies: Web entrepreneurship, virtual build-out, and
operations improvement. This chapter explains how each strategy relies not only on a
great Web site, but on high quality, system-ready information about products and the
merchandising programs that drive sales.
Virtual build-out means expanding nationally or globally—beyond the limits of brick and
mortar. The core concept is to transform an actual in-store experience into a Web
experience available to anyone, anywhere. For practitioners of virtual build-out, the Web
may supplement or be used in place of a catalog and telephone order expansion
merchandising strategy. For example, REI, an outdoors outfitter in the Pacific Northwest,
is using the Web to reach hiking and camping enthusiasts across the country. Its online
stores sell as much as its largest regional stores—and in-store sales have not been
impacted.
There are two kinds of data: data about the products and services, such as name,
description, features, and specifications; and meta-data, which is used to sell, deliver, and
support your products, such as recommended accessories for cross-selling and taxable
code and shipping weight to generate online invoices. As detailed later in the chapter,
many companies have data and meta-data that are not in a form that supports full,
cost-effective automation. The product data has inconsistencies and the meta-data exists as
human procedures in multiple locations, or files in computer systems separated from the
product data, requiring interpretation by people.
• Companies are learning that effective use of such techniques requires much
cleaner and more consistent product information than appears in most catalogs or
in the underlying databases.
• Effective online merchandising requires an array of techniques, such as product
locators, problem solving wizards, and customer relationship tools to deliver
engaging online experiences. These techniques rely on product and shopper
classification methods that require new meta-data at the product item, category,
and even shopper level. Maintaining these attributes expands data preparation
work.
• The cross-industry trend toward faster product development and shorter product
life cycles means there are more product item adds, changes, and deletes than ever
before. Many merchandising managers want a way to exploit the electronic
product information that manufacturers have already prepared.
• The recognized need to keep e-commerce sites fresh and attractive requires more
frequent updates. Consequently, the product information and catalog design teams
find themselves working continuously on the online catalogs (instead of
periodically as on paper catalogs), and they need more efficient, group-friendly
product information maintenance tools[1].
[1] “Strategies for Online Merchandising,” © International Business Machines Corporation
2003, IBM Corporation, Software Group Division, Route 100, Somers, New York 10589,
2003.
Flexible Merchandising
The keys to effective online merchandising are simple: the site and sales process should
be interesting, dynamic, appealing, and, most importantly, relevant to each shopper.
Relevance means having the flexibility to provide a range of merchandising techniques to
suit the needs of different shoppers, or the same shopper in different buying situations.
Here is a collection of flexible merchandising strategies used on e-commerce sites—
product locators, problem-solving techniques, and customer relationship tools.
Product Locators
Product locators help buyers find the products they need, often by using both a
classification scheme and a search mechanism. Products need to be classified so buyers
can easily locate them on your site. The efficient way is to incorporate classification data
into the product detail and let e-commerce tools generate the Web pages as needed (as
explained later in this chapter). The alternative is to laboriously paste the product data
into Web page templates at the desired locations—and repaste if the site design changes.
The following are some product locator strategies enabled by product classification data:
• Categories
• Visual catalog
• Parametric comparison
• Table of contents[1]
Categories
Parametric Comparison
A PC accessories reseller lets the buyer pick product models and accessories from
pull-down menus and then presents a table of items that match. Then, the buyer can compare
specifications of individual items against each other and select which to buy. This
metaphor, available with custom templates, creates virtual mini-catalogs on the fly to suit
buyer requirements.
Table of Contents
More sites are adding table of contents features to supplement the other access methods.
Some sites have multiple tables of contents that include products, services, and online
information. Each entry jumps to a page of items or a visual catalog.
Problem-Solving Techniques
Locating products is one thing, making the sale is another. Problem solving (matching the
right products to the customer’s need) increases the chance of closing the sale and
bolstering volume. Successful matching requires linking product uses to needs. The
following are some problem-solving techniques made possible by product usage
attributes:
Sites are beginning to add up-selling and cross-selling capabilities to enhance per-sale
revenues. Up-selling offers more capable (and more costly) versions of a product.
Cross-selling offers a complementary product to be purchased at the same time to expand the
range of problems solved. Up- and cross-selling require links between models with
varying levels of capacity and features and links to products with complementary uses.
Accessorization
Some sites focus on providing all items needed for specific uses, problems, or
applications. For example, road warriors who want a portable printer may also need
specific cables[2], batteries, power supplies, replacement print cartridges, ink tanks,
special types of papers, helper applications, portable scanners, and even online access to
clip art—all items that can be classified as “for use with” the portable printer.
The customer relationship data, such as product preferences, past purchases, and
demographics, can help shape merchandising strategies, if the relationship information is
recorded in data attributes. The efficient way to employ customer relationship data is to
accumulate preferences and purchase history on an ongoing basis in a customer profile—
and ensure that this data can be linked with product detail for subsequent promotions.
This approach is being adopted by increasing numbers of retailers and direct marketers
for their customer loyalty programs.
Or, you can analyze past sales data and classify customers after the fact. This is difficult
if product descriptions are the usual haphazard abbreviations shown on invoices. The
following merchandising techniques can be based on linkage of customer relationship
attributes to product information:
• Customer preferences
• Past purchases
• Contracts
• Customization/personalization[1]
Customer Preferences
Keeping a record of preferences can enhance your relationship with customers in many
ways. For example, maintaining the customer’s preferred payment method reduces form
fill-in at payment time. Size, color, texture, style, genre, lifestyle, and language
preferences can simplify the purchasing process and enhance sales for clothing,
housewares, sports gear, music, books, periodicals, and other goods. Customer
preferences need to tie back to category or item-level attributes to work effectively.
Past Purchases
Contracts
Much business purchasing is done under supply contracts. Contracts can be administered
systematically online if discounted items are explicitly listed in the contract (in other
words, a contract-specific version of the catalog is prepared). Tiered discounts are often
based on purchase volumes by commodity class, which requires accurate classification of
product items.
Customization/Personalization
Summary
Overview
Over the last seven years, the Web has evolved from a file-based retrieval system to an
application-oriented medium where users can perform purchases, query databases, or
even customize their interface to various sites. This evolution has challenged Web
developers and Web masters to keep the content on Web sites up-to-date, collect
meaningful statistics on the use of the site, and empower the content owners with the
maintenance of the Web content.
The state of Web technology has evolved so quickly that there are many competing
e-commerce database implementation solutions from which the developer can choose.
Most of these solutions work well in a single vendor or a homogeneous environment.
However, when working in a heterogeneous environment with multiple operating
systems, database applications, and Web server technologies, the options for the
Web-database developer become limited.
The primary function of a Web server is to send appropriate HTML code to the Web
browser. Today’s trend is to serve content to the Web via an e-commerce database
solution. In order to make this happen, the Web server must communicate with the
database. The Web server must make requests to the database, interpret the database’s
response, and pass on the appropriate data to the Web browser.
In order for the Web server to communicate with a database, it must communicate
through an Application Programming Interface (API). There are many different types of
database access APIs available for the developer—ranging from proprietary to open
standard APIs. A Web database developer has many options from which he can select the
API that best meets the requirements of the project. However, the developer must be very
careful in the selection of the API if he must support a heterogeneous environment. One
API might not support all database or Web servers in the developer’s environment.
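The request-to-database-to-browser path described above, as an added example that is not code from the book: Python’s sqlite3 module is assumed here as a stand-in for an ODBC-style API that binds parameters at run time, serving a constructed three-row catalog. The search term is bound as a parameter rather than spliced into the SQL text, and every database value is HTML-escaped before it is sent to the browser; the function names and sample rows are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample catalog (not from the book): the tiny products table
# that the "Web server" queries through the database API. sqlite3 stands in
# for an ODBC-style driver; the pattern is the same for any API that binds
# parameters at run time.
SAMPLE_PRODUCTS = [
    (1, "Men's hiking jacket", "Waterproof shell, <2 lb>", 129.00),
    (2, "Trail map set", "Topographic maps for the Pacific Northwest", 19.50),
    (3, "Portable printer", "Battery powered; takes 3.5\" paper rolls", 249.99),
]


def build_catalog():
    """Create an in-memory catalog database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "description TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def search_products_concatenated(conn, term):
    """The fragile way: the search term is pasted into the SQL text.

    A legitimate term containing an apostrophe ("Men's") breaks the
    statement, and the same lack of separation between code and data is
    what lets hostile input change the meaning of the query. Kept only to
    contrast with the parameterized version below.
    """
    sql = ("SELECT id, name, description, price FROM products "
           "WHERE name LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_products(conn, term):
    """The API way: the term travels to the database as a bound parameter,
    so it is treated as data no matter which characters it contains."""
    sql = "SELECT id, name, description, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def render_product_page(conn, term):
    """Do the Web server's job: query the database, interpret the rows, and
    emit HTML for the browser. Each value is escaped, so a description that
    contains '<' or '"' is displayed literally instead of becoming markup."""
    rows = search_products(conn, term)
    items = []
    for _id, name, description, price in rows:
        items.append(
            "<li>%s: %s ($%.2f)</li>"
            % (html.escape(name), html.escape(description), price)
        )
    body = "\n".join(items) if items else "<li>No products found</li>"
    return "<ul>\n%s\n</ul>" % body


if __name__ == "__main__":
    catalog = build_catalog()
    print(render_product_page(catalog, "Men's"))
```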
Embedded SQL
In the early days of relational databases, the only portable interface for applications was
Embedded Structured Query Language (SQL). There was no common function API and
no standard Fourth Generation Language (4GL). Embedded SQL uses a
language-specific Precompiler. SQL commands are embedded in a host programming language,
such as C or COBOL. The Precompiler translates the embedded commands into host
language statements that use the native API of the database.
The problem with using Embedded SQL is that there must be a compiled version of the
database interface for each database and operating system supported. This is not efficient
or useful for heterogeneous environments. Also, the developer may run into problems
with each database vendor’s C API. Not all database APIs are created equal.
ODBC
When building a Web site that must connect to many different databases, the first
database connectivity standard normally considered is Open Database Connectivity
(ODBC). ODBC is a logical choice, because it is a standardized API. It is a set of
function calls based on the SQL Access Group (SAG) function set for utilizing an SQL
database system (backend system). The SAG set implements the basic functionality of
Dynamic SQL. Embedded SQL commands can be translated to call ODBC. Finally, there
are ODBC drivers for every major database application.
Applications access ODBC functions through the ODBC Driver Manager, which
dynamically links to the appropriate ODBC driver. ODBC drivers translate ODBC
requests to native format for a specific data source. The data source may be a complete
RDBMS, such as FirstSQL, or it may be a simple file format, such as Xbase. In other
words, most ODBC drivers are tied to a single data source. Some, like FirstSQL, support
multiple data sources. The FirstSQL ODBC driver supports both a FirstSQL data source
and an Xbase data source.
Though its name begins with open, implying that it is not tied to a single vendor or even
to a subset of RDBMS vendors, ODBC is controlled by a single vendor: Microsoft.
Microsoft defines the specification of the API and supplies the basic driver manager
software used on their operating systems. This control has some good aspects and some
bad for the future of ODBC.
Microsoft has made reasonable, useful extensions to the original SAG definitions in
creating ODBC. Later releases have refined those extensions. Microsoft has committed to
bringing future versions of ODBC more in line with SAG’s specifications and with
existing standards.
OLE DB
In a major strike against ODBC, Microsoft is touting their Object Linking and
Embedding Data Base (OLE DB) facility as a replacement for ODBC. OLE DB could be
viewed as an object layer placed on top of ODBC, but Microsoft is likely to provide
direct OLE DB drivers for their database products and to de-emphasize and perhaps
discontinue ODBC drivers for their products. OLE DB is not open or portable except
between Microsoft operating systems (OSs), which at this point means a single OS, Windows NT.
Because of Microsoft’s total control of the specification and arbitrary complexities in the
facility, OLE DB will not be supported by other operating systems—Operating System 2
(OS/2), Macintosh Operating System (MAC OS), and various flavors of Unix. ODBC,
and Embedded SQL to a lesser degree, will remain as the only open and portable
interfaces for SQL accessible databases. Unfortunately, the fate of ODBC is completely
under the control of Microsoft.
JDBC
Java Database Connectivity (JDBC) is an SQL-level API that allows you to embed SQL
statements as arguments to methods in JDBC interfaces. To allow you to do this in a
database-independent fashion, JDBC requires database vendors to furnish a runtime
implementation of its interfaces. These implementations route your SQL calls to the
database in the proprietary fashion it recognizes. As the programmer, though, you do not
ever have to worry about how JDBC is routing SQL statements. With JDBC, you can run
the same code no matter what database is present. A Java client/server application can
make use of one of the following three major database architectures:
• Object database
• Object-relational database
• Relational database[1]
The majority of today’s databases are relational databases. Thus, the JDBC API is heavily
biased to relational databases and SQL. There is an architectural conflict between Java
and relational databases. Java is object-oriented, whereas relational databases are not
object-oriented. Therefore, a mapping between Java objects and SQL relations must
occur, and it is up to the developer to write this mapping.
The use of Java and JDBC has two distinct advantages for heterogeneous Web
application development. It is database independent and facilitates distributed computing.
A Java database application does not care what database engine is used. Therefore, the
developer can change the database engine without having to change the Java application.
In fact, the developer can write a class library that maps business objects to database
entities in such a way that the application does not know that a database is in use.
Using Java for distributed computing has the advantage that the user can download the
Java code as he needs it. The administrator does not have to install the software on each
user’s workstation. This model is very beneficial when it comes time to update the
application. The administrator does not have to reinstall software.
DBI-PERL
Practical Extraction and Reporting Language (PERL) is most likely the most common
scripting language used on the Web today. It is predominantly used with the Uniplexed
Information and Computing System (Unix) operating system, even though it can be used
with Windows NT®. PERL is well-suited for the Web because it is a language that was
written to handle text and text files. The PERL community also needed an interface to
databases. Because PERL is an open source application, the Database Interface (DBI) is
perfect for this task.
Note DBI for the Perl language is defined as the Database Interface (DBI) API
specification: a set of functions, variables, and conventions that provide a consistent
database interface independent of the actual database being used.
In simple language, the DBI interface allows users to access multiple database types
transparently. So, if you are connecting to an Oracle, Informix, mSQL, Sybase, or
whatever database, you don’t need to know the underlying mechanics of the 4GL layer.
The API defined by DBI will work on all of these database types.
A similar benefit is gained by the ability to connect to two different databases of different
vendors within the one PERL script (if you want to read data from an Oracle database
and insert it back into an Informix database all within one program). The DBI layer
allows you to do this simply and powerfully.
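As an added example (not the book's code) of the cross-vendor copy described above: the same DBI calls read rows from one data source and write them to another, with every value passed as a bound placeholder rather than interpolated into the SQL text. It assumes DBD::SQLite is installed and uses two in-memory SQLite databases in place of Oracle and Informix so that it runs offline; only the two DSN strings would change for real servers.

```perl
#!/usr/bin/perl
# Added example, not from the book: copy rows between two databases through
# the DBI layer. Assumption: DBD::SQLite is installed. Both DSNs are in-memory
# SQLite databases standing in for the Oracle source and Informix target.
use strict;
use warnings;
use DBI;

# Data source names. For real servers these would be vendor DSNs such as
# "dbi:Oracle:<sid>" and "dbi:Informix:<db>", with the matching DBD drivers.
my $src_dsn = 'dbi:SQLite:dbname=:memory:';
my $dst_dsn = 'dbi:SQLite:dbname=:memory:';

# RaiseError turns every DBI failure into an exception instead of a silent undef.
my %attr = (RaiseError => 1, PrintError => 0, AutoCommit => 1);
my $src = DBI->connect($src_dsn, '', '', \%attr);
my $dst = DBI->connect($dst_dsn, '', '', \%attr);

# Constructed sample data in the "source" database.
$src->do('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
my $seed = $src->prepare('INSERT INTO customers (id, name, email) VALUES (?, ?, ?)');
$seed->execute(@$_) for (
    [1, 'Ada Lovelace',  'ada@example.com'],
    [2, "O'Brien, Pat",  'pat@example.com'],   # apostrophe would break string-built SQL
    [3, 'Grace Hopper',  'grace@example.com'],
);

$dst->do('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

# Read from one handle and write to the other with identical DBI calls.
# Placeholders (?) send values separately from the SQL text, so a name like
# "O'Brien" is stored intact and can never change the statement's meaning.
sub copy_customers {
    my ($from, $to, $min_id) = @_;
    my $sel = $from->prepare('SELECT id, name, email FROM customers WHERE id >= ?');
    my $ins = $to->prepare('INSERT INTO customers (id, name, email) VALUES (?, ?, ?)');

    $to->begin_work;                     # one transaction for the whole copy
    my $copied = 0;
    eval {
        $sel->execute($min_id);
        while (my @row = $sel->fetchrow_array) {
            $ins->execute(@row);
            $copied++;
        }
        $to->commit;
        1;
    } or do {
        my $err = $@ || 'unknown error';
        $to->rollback;                   # target is left unchanged on any failure
        die "copy failed, rolled back: $err";
    };
    return $copied;
}

my $n = copy_customers($src, $dst, 1);
print "copied $n rows\n";

# Check the target side through the same API, again with a bound value.
my ($count) = $dst->selectrow_array('SELECT COUNT(*) FROM customers');
my ($name)  = $dst->selectrow_array('SELECT name FROM customers WHERE id = ?', undef, 2);
print "target has $count rows; row 2 name = $name\n";

$_->disconnect for $src, $dst;
```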
[1]
Moore, Dennis K., “Web Database Integration: Designing and Implementing Web Sites
to Interface with Heterogeneous Database Environments,” © 2003 Raven
Communications, Inc., 11429 Dunloring Place, Upper Marlboro, MD 20774, 2003.
Heterogeneous Development
The developer has a difficult job when developing and implementing e-commerce
database solutions in heterogeneous environments. The developer must contend with
broader requirements and issues than a single platform development effort. The developer
may have to sacrifice system performance for portability of code or support issues.
The developer should conduct a trade-off analysis for each option considered. The trade-
off analysis should consist of the following criteria list at minimum (not in any order of
relevance). The developer should assign a relative weight to each criterion based on the
system requirements and then rank each alternative in accordance with each criterion.
The sum of all criteria should give the developer a sense of how each alternative meets
the system requirements. Of course, there are intangibles that cannot always be accurately
assessed. The intangibles are measured by the experience of the developer or a group of
developers as follows:
Portability of code: How many different systems are supported with minimal changes to
code?
Total cost of ownership: How much in dollars to install, operate, and support the
system?
Training and support: How many man-hours to train and support the system[1]?
The e-commerce database developer and implementer must assess these criteria from the
operating system to the Web and to the database to determine the best solution that meets
the requirements of the application.
The Future
The Web is evolving into the largest information repository in the world. There will be a
continued strong demand for tools, utilities, and applications so that the user can access
this information with greater speed and efficiency. Web application development will
continue to mature to satisfy the user’s demand. The development time on the Web is
much shorter than other development environments. The Web developer will continue to
look for tools to provide more functionality and yet be flexible to use in many different
environments. Three evolving technologies—Java servlets, XML, and CORBA—will
play a very significant role in aiding the developer in heterogeneous environments in the
near future.
Java Servlets
One of the early frustrations with Java is the performance on the client side. It took much
too long to run a Java applet on a client. Today’s trend is to run Java on the server side
(servlets). Here, the developer enjoys the advantages of Java while avoiding slow
download times to the client.
The secret’s out: Java isn’t just for programming client-side applets that run in Web
browsers or for writing Internet applications. The simple, flexible servlet API brings the
power of Java to your servers, too. Java is a great platform for writing the server side of
your Web-based application. The same features that make Java a better platform for
writing client applications make it better for writing servers. Your server applications will
benefit from its type safety and other rapid development features, even more than your
client applications did, because multithreading support is built into the Java platform.
Java makes it easy to develop and deploy all parts of a professional, maintainable,
distributed system application. The servlet API provides you the fastest way to start using
JavaServer technology in your networked applications. You can start with applications
that involve clients and a single server, and gradually create multitier enterprise
applications that integrate the power and flexibility of Java throughout your existing
network, because Java servlets run on the software and hardware you’ve already
installed.
XML
One of the biggest limitations of HTML has been the presentation and organization of its
content. XML allows developers to easily describe and deliver rich, structured data from
any application in a standard, consistent manner. XML does not replace HTML; rather, it
is a complementary format. XML is becoming the vehicle for structured data on the Web,
fully complementing HTML, which is used to present the data. By breaking structured
data away from presentation, Web developers can begin to build the next generation of
Web applications.
Learning to author XML and manipulate XML data sources will enable you as an HTML
author to supply your Web pages with content that is more intelligent and more dynamic.
Marking up data using XML also enables you to create data sources that can be accessed
in a number of different ways for a number of different purposes, making interoperability
between applications and your Web site possible.
XML also holds the promise of becoming a standardized mechanism for the exchange of
data as well as documents. For example, XML may become a way for databases from
vendors to exchange information across the Internet.
CORBA
The Common Object Request Broker Architecture (CORBA), put forth by the Object Management Group (OMG), combines distributed
processing with object orientation. It is the world’s first multivendor, industry-supported,
distributed object standard. CORBA provides a standard, seamless, transparent way to
distribute objects across multiple platforms and operating systems. The architecture is
isolated from the actual transport protocols—such as Transmission Control Protocol
(TCP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA)
—allowing an open-ended standard.
Summary
In just over seven years, e-commerce database technology has become the common user
interface of choice for many information dissemination systems, whereas RDBMSs
have been the cornerstone of information warehousing for years. The integration of the
two technologies has made rapid advances over the last few years. This rapid explosion
has led to new challenges for IT managers and developers. There are several competing
technologies available that often do not address the issues of heterogeneous environments
and Web-based application development. This chapter addressed the challenges of
designing and implementing e-commerce database-integrated Web sites. Furthermore, it
focused on e-commerce database-Web integration difficulties in heterogeneous database
environments.
Before one can design or manage e-commerce database interfaces to Web sites, he must
understand the evolution of Web technology. The Web has evolved to become the
electronic information dissemination and presentation of choice in networked
environments. Web technology started as a means of disseminating text documents and
establishing relationships with other text documents. The technology evolved where other
media such as graphics, audio, and video files can be disseminated via the Web. Because
there is a wealth of valuable information in databases, the integration of Web sites with e-
commerce database technology is a natural progression of Web technology. The Web
provides a common user interface, whereas the database provides the logical structure of
storing and manipulating data[2].
When a technology evolves at a rapid pace, there are some inherent limitations and
incompatibilities that information managers and developers must face. For example, the
Web was not designed to maintain state efficiently. There are methods of maintaining
state by using environmental variables or setting cookies. The manager or developer must
understand these limitations to satisfy the growing information dissemination and
collection requirements via the Web.
Besides the limitations of the Web, there are many issues regarding database access via
the Web. First, the developer must choose a database interfacing technique(s). There are
many proprietary solutions such as Cold Fusion, Microsoft’s ActiveX Data Object (ADO)
via Active Server Pages, and others. In addition, each major database vendor has their
own Web database interface solution. Oracle has its Web Developer Suite, whereas
Sybase has its web.sql product. There are open standards or solutions such as PERL’s
DBI and PHP Hypertext Preprocessor (PHP). There are legacy systems in which
interfacing is very difficult. In addition, building Java applications using JDBC has its
own set of advantages and disadvantages. Each method has issues dealing with support,
development time, system performance, scalability, robustness, migration, and so forth.
The information manager or developer’s decision is made even more difficult when
contending with many different types of databases in a heterogeneous environment.
Designing and implementing Web sites that interface with databases is very challenging
and requires detailed planning and analysis. An IT manager or developer must thoroughly
understand Web technology, database interfacing methods, and database technology
along with the issues each technology has in relation with e-commerce and other
technology. This chapter served as a guideline and reference for information managers
and developers for addressing these issues in their respective environments.
Finally, the Internet will continue to evolve into the mainstream of the world. As a result,
the amount of content on the Web will continue to grow. Database technology is the
enabling technology in which logic can be applied to the input and retrieval of
information. More Web sites will connect to databases to take advantage of the logical
operations of a database. Large organizations with heterogeneous environments will
implement Web-database solutions that can be applied throughout their environment.
The future seems very bright for database access in heterogeneous environments using
Java on the server side. Java and JDBC on the server side will free the developer from
worrying about what operating system is used and what database is used. The developer
is free to focus on the e-commerce application itself.
[2]
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR,
2001.
Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development
“Language is the armory of the human mind, and at once contains the trophies of its past
and the weapons of its future conquests.”
—Anonymous
Overview
To meet this challenge, organizations need e-business intelligence (e-BI), not for a select
few, but for everyone—employees, managers, partners, suppliers, customers, and
constituents. Increases in demand and hands-on users are making the traditional model
for applying and managing e-BI tools for application development, developed within
departments and disconnected from the enterprise, inefficient and ineffective.
Now, organizations need enterprise-wide solutions that can immediately deliver real-time
information in the most usable, familiar formats to very large, even unlimited, numbers of
users. The results must be real and measurable.
In the past, many e-BI applications have presented steep learning curves. It is not the
primary job of domain experts to develop and deploy applications, even when those
applications are specifically for them. Consequently, tools must be easy to use, but at the
same time provide significant power and flexibility. This has been a classic problem since
the inception of the computer. There has always been a tension between ease and
sophistication. Finding such tools is not easy.
Demonstrations, by virtue of their limited time, naturally gloss over many fine points. If
the demonstration makes development look easy, it does not necessarily follow that the
requisite power for sophisticated application development is available. Similarly, a less
appealing demonstration may seem to indicate greater power or flexibility, but it may
follow that the tool is easy to use.
Finding an integrated development solution from one vendor that includes the proper
robust developer tools, application server, report writer, middleware, and e-commerce
interface is difficult. It is important to minimize the number of vendors, but best-of-breed
solutions cannot be sacrificed. Support for heterogeneous solutions is costly. Determining
which vendor is actually responsible for what problem is a daunting task at best, and it is
common for each vendor to lay the blame on another. On the other hand, settling for
second-rate components saps the value of the entire solution.
Meeting IT Requirements
To realize the significant benefits of e-BI applications, the rigor and structure of IT
policies and procedures will have to be met. However, it is difficult to find e-BI
development tools that meet this challenge because e-BI applications have generally been
managed outside the IT organization.
A vendor that appears to be an innovator and on the leading edge of technology may not
have the maturity to fit well into the existing IT structure. Yet, there may be concerns that
more mature vendors have not kept up with the pace of technological change. Moreover,
products that seem to fit the requirements in other areas may have been acquired and
reacquired through mergers over time. Mergers and acquisitions raise significant
concerns about the level of integration with the product mix of the latest owner, and
about the continuity of technical and support staff.
Even the best designed and most elegantly written application is of no value until it is
deployed to users. Getting applications up and running across the enterprise is imperative.
Unfortunately, the condition of most IT environments today makes this a complex
problem. True thin-client, no plug-in technologies, such as JavaBeans, servlets, HTML,
XML, and DHTML, are necessary to allow cost-effective, scalable, and usable
deployments. In many cases, a centrally managed environment for administering users
and supporting mobile[3] and wireless devices[4] is also important. Security must be
maintained[2] and technologies must be leveraged, but all this must be done in a highly
distributed, heterogeneous environment. The e-BI development tool an enterprise selects
must address such needs without requiring enigmatic, complicated architectural tweaks
and configuration tuning.
Enterprise e-BI development tools cannot be limited to one or two platforms. Instead,
they need to provide scalability from local PCs to mainframes. Furthermore, these tools
must be flexible enough to access any data source with a high degree of efficiency. The
use of proprietary cubes or indirect access mechanisms should raise red flags because
they inherently limit the scalability and flexibility of the solution.
Furthermore, existing security mechanisms, protocols, and tools, such as RACF, Top
Secret, and others, along with directory-based components such as Lightweight Directory
Access Protocol (LDAP), must not be left out or superseded. Selecting a tool with a deep
enough history to coexist with and leverage the existing security structure is imperative if
redundant systems and inflated implementation costs are to be avoided and, more
importantly, if real security is to be maintained.
Now, let’s look at how Web developers respond to your clients’ needs in an e-business
driven marketplace. With the Web becoming an integral part of daily corporate
communication, this part of the chapter very briefly outlines the requirements necessary
for the professional Web designer to compete in the future of enterprise Web application
development. In other words, this part of the chapter gives insight into the future of
applying and managing Web commerce tools for application development and also very
briefly demonstrates ways to leverage technology in order to meet clients’ needs while
increasing business revenue.
[3]
Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[4]
Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
[2]
Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall, 2001.
Web sites and intranets are designed for the same reason—to provide information. In the
business world, this information needs to be updated and changed constantly in order to
stay abreast of a changing business climate. New product releases, price changes, and
marketing promotions are just a few examples of information that companies need to
constantly provide to their customers, suppliers, employees, and shareholders. In today’s
world of e-commerce and intense corporate competition, companies need the ability to
instantly update published information in order to effectively communicate with their
intended audience. Today’s companies know that they have to have a dynamic and
interesting Web presence, but they are struggling to find ways to effectively manage their
Internet strategy. Traditional advertising agencies and Web development firms are no
longer meeting the all-encompassing Internet requirements necessary for businesses in
today’s e-commerce driven marketplace. Companies are looking for advertising agencies
and Web development firms that address their initial Web development needs while also
providing them with viable, affordable solutions that are designed to address, implement,
and manage their overall Internet strategy.
Historically, companies outsourced the development of their Web sites, because creation
and maintenance required design and programming expertise. However, relying on third
parties for all site maintenance limited a company’s ability to quickly and easily update
their published information. To solve this problem, many companies decided to bring
Web site and intranet development in-house. Companies then discovered that hiring the
necessary skilled personnel contains its own set of inherent problems. Information
“bottlenecks” still occur when a company has one or two people in the internal IT
department who are bombarded with the responsibility of publishing all company
information. In addition, companies are also finding that Web site designers are hard to
find and even harder to keep. The recurring theme in the market is that companies are
recruiting individual Web designers to build and maintain their Web sites and intranets in-
house, only to find that after several months of development, the designer may be lured
away by the promise of a more exciting and rewarding career. This “catch 22” has left
companies looking for some additional alternatives. Companies are turning toward their
advertising agencies and Web development firms to provide the solution to this problem.
Market trends have caused Web site management to become an arduous task, with sites
evolving to meet the needs of e-commerce and e-business. For example, today’s Web
application development software is now a complete site production platform that enables
content contribution, production management, content management, verification, and
deployment. Users should be able to submit content, manage site architecture, collaborate
with others, and control the delivery of information. With its open architecture, today’s
Web application development software should work with existing enterprise
infrastructures and be able to handle dynamic content. The software should also be able
to integrate with other leading Web site design solutions, so that Web design firms can
continue to develop sites as they have done historically, while incorporating the added
functionality. The software should also allow for the separation of design and logic,
which means that while the designer can control the graphical look and feel of a site, the
client can manage the architecture, the content, and the functionality of their own site.
Summary
Today’s competitive organizations need to develop a wide range of e-BI applications that
tap as much data as possible and quickly deploy those applications via the Web to
managers, employees, partners, suppliers, customers, and constituents—everyone they
depend on to make decisions. Developing usable, deployable, and scalable e-BI
applications is taking on greater urgency every day.
Finally, a true Web architecture is essential to rapidly provide these business intelligence
applications to unlimited numbers of people, and see a quick return on investment. IT can
use the same Web-based, integrated Windows development solution to deploy
information with speed, quality, and effectiveness that users of all levels can use to access
information in any format. In addition, IT can securely manage and administer the system
while still allowing power users to develop their own applications.
Part IV: Designing, Building, and Implementing E-Commerce Security
Chapter List
Chapter 14: Types of Security Technologies
Chapter 15: Protocols for the Public Transport of Private Information
Chapter 16: Building an E-Commerce Trust Infrastructure
Chapter 17: Implementing E-Commerce Enterprise Application Security Integration
Chapter 18: Strong Transaction Security in Multiple Server Environments
Chapter 19: Securing and Managing Your Storefront for E-Business
Chapter 14: Types of Security Technologies
“It is true greatness to have in one the frailty of a man and the security of a god.”
Overview
You are undoubtedly aware by now that the technology revolution is here to stay. In fact,
many of the things you take for granted today (e-mail, cell phones, PDAs) were
unimaginable just a few short years ago. This rapid growth of technology, where prices
drop while consumer value increases, is historically unprecedented. A frequently asked
question is, “How exactly did we get here?”
One of the fundamental enablers of this change, and of the increase in productivity, is the
shift to rapid product development cycles—particularly in the case of software. Feature-
rich applications that were impossible to develop and deploy in the recent past are now
conceived of and deployed with lightning speed. The increased intensity of business
competition has driven this demand for faster and better products made available in the
marketplace. In the future, the stakes will become even greater, as competition in every
sector continues to escalate. Still, entrepreneurs and visionaries will press on in spite of
the risks, and deliver new technologies in better ways.
The Internet
First came the dot-com explosion, with most “old economy” companies rushing to put up
an electronic retail storefront. This business-to-consumer (B2C) marketplace quickly
mushroomed into billions of dollars in value. Most recently, ferocious competition has
made it tougher for “old economy” companies to maintain their advantage. Today, the
strategic shift for most companies has been to the business-to-business (B2B)
marketplace in which companies can partner in a “virtual village”—and thereby increase
sales, lower costs, and increase productivity. Instead of just being another sales or
communications vehicle to the end consumer, the Internet has become integrated into the
corporate infrastructure. Coinciding with this increased technological integration of the
Internet, the value of the average transaction has also increased dramatically.
The longer the Internet is around, the more people agree that the perceived distinction
between “old economy” and “new economy” is meaningless. In fact, what has been
taking place is a melding of business processes and technologies to produce better goods
and services. However, the challenge facing most organizations is that integration is
rarely an easy thing—particularly when moving at Internet speed. Despite the best efforts
of seasoned IT professionals, enterprises accelerating to Internet speed in the new digital
economy will suffer IT mishaps due to the vicious cycle of increasing features, limited
resources, and compromised quality objectives.
Flawed Infrastructure
Certainly, there have been tremendous quality improvements in many areas of systems
development and integration. Without these efforts, you would not have the widely
adopted Internet that exists today. However, that does not mean that responsible IT
managers can bury their heads in the sand and assume that the existing infrastructure is
sufficient to protect the billions of dollars being transacted via e-commerce. Here are a
few reasons why you will need to work hard to improve the infrastructure going forward,
if you are to have a reliable and trusted “e”-conomy:
Any threats to these systems would mean costly downtime that can affect your economic
health. It is obvious that the survival of this cyber marketplace will depend mainly on
safety, security, and trust.
[3]
“VeriSign Internet Security Education: E-Commerce Survival Training,” © 2003
VeriSign, Inc. All rights reserved. Verisign, Inc., 1350 Charleston Road, Mountain View,
California 94043, 2003.
Unfortunately, not all of you are using the Internet in a positive way. The Internet has not
only allowed you to communicate around the world, it has also opened up the doors for
electronic crime. The Computer Security Institute’s (CSI’s) 2002 Computer Crime and
Security Survey raised the level of awareness and aided in determining the scope of cyber
crime. This survey of large corporations revealed that 73 percent of the respondents
detected the unauthorized use of their computer systems in the last year.
During the past few years, the most serious financial losses due to attacks have occurred
through theft of proprietary information and financial fraud, according to CSI. Sixty-nine
respondents in CSI’s 2002 Computer Crime and Security Survey reported a total loss of
$99,019,000 in theft of proprietary information while 87 respondents reported a total loss
of $88,229,000 in financial fraud. These 2002 totals were higher than the combined totals
of the previous six years! The survey also confirmed that the following trends have
evolved over the past few years:
Outside Attacks
Internet users are starting to realize the severity of these attacks. In the past eight years,
the CSI has found that people are more aware of attacks happening, rather than being in
denial. The following types of attacks have been recognized in the wide spectrum of
cyber crime.
Unauthorized Intrusion
Networks that are not 100 percent protected are prime targets for external intrusion.
Between 380 and 500 Web page hacks occur every week at small Web sites; whereas, on
larger sites, the magnitude is greater. The New York Times Web site was recently brought
down for 12 hours and then vandalized. Information that is tampered with leads to
financial losses, service disruptions for a company’s site, and potentially irreparable
damage to the corporate brand.
Service Denial
Similar to unauthorized intrusion, malicious denial of service also results in the loss of
revenue and reputation. Big name Internet companies, such as Hotmail, Yahoo!, and
Amazon.com, recently experienced denial-of-service (DoS) attacks. Hotmail’s site shut
down for six consecutive days, not only preventing seven million users from accessing it,
but also scarring the reputation of Hotmail.
Malicious Downloads
The “Email Bomb,” including the ILOVEYOU and Melissa viruses, has plagued e-mail
addresses. More recently, Microsoft’s computer system was hacked by a Trojan horse
called QAZ, due to a few machines being unprotected. Security experts confirm that “this
is all it takes” and are hoping for this to be a lesson for other companies to keep their
antivirus software updated and educate their employees on good security practices.
Inside Attacks
Recently, more media attention has been placed on the “sexy cyberattacks” previously
cited, rather than insider attacks. But, in reality, more of the widespread attacks are now
coming from insiders. CSI confirmed this when it reported that the majority of the attacks
in the past year have been from insider abuse and unauthorized access.
And, insiders are not just trustworthy employees. Business partners, subsidiaries, and
third-party suppliers have the same access as traditional employees of a company.
Cybercrime is not the only reason for malicious attacks. Could it be that companies
themselves are not taking the necessary preventive measures? See sidebar, “Lists of
Mistakes” for the answer.
Lists of Mistakes
According to the SANS Institute, the answer to the preceding question is “Yes!” SANS
has developed the following three lists of mistakes people make that enable attackers.
1. Not providing training to the assigned people who maintain security within the
company
2. Only acknowledging physical security issues while neglecting the need to secure
information
3. Making a few fixes to security problems and not taking the necessary measures to
ensure the problems are fixed
4. Relying mainly on a firewall
5. Failing to realize how much money intellectual property and business reputations
are worth
6. Authorizing only short-term fixes so problems reemerge rapidly
7. Pretending the problem will go away if ignored
As the Internet expands more and more rapidly, there is a greater and greater need for
tighter security measures. A recent survey by ITAA found cyber security to be the next
“top priority” issue facing the IT industry around the globe.
To truly be successful in the digital economy, every company will have to rely on a
combination of products, services, and training provided by partners. It is too risky and
inefficient for any company to supply all of these from internal resources.
Products
Business buyers are now able to choose from a wide selection of competitively
manufactured and priced goods. From PCs to routers to firewalls—the options are
plentiful.
Services
Ongoing services are critical for companies because they allow them to be current with
the latest technologies available in the marketplace. They enable companies to embrace
best-of-breed products and to continually gain knowledge.
Training
Technology makes it possible, and training makes it happen! Get the answers before you
need to start asking the questions!
Now, let’s take a very brief look at specific threats to e-commerce application security
and how to provide guidance on effective approaches to e-commerce application
protection. E-commerce applications require a new, secure, technological approach to
threat categories.
In today’s marketplace, across all industry segments, businesses are realizing that
transformation to e-business is required to remain competitive. Analysts predict that
companies not making the necessary changes will be overrun by their competition. As
enterprises around the world undergo transformations, they are increasingly leveraging
Internet technologies to help:
In other words, the Internet has forever changed the way business gets done. E-
commerce-based applications are enabling interaction among customers, prospects, and
partners. Unfortunately, many e-commerce-based applications have inherent
vulnerabilities and security-oriented design flaws. Internet-based attacks exploit these
weaknesses to compromise sites and gain access to critical systems.
This part of the chapter very briefly highlights emerging threats specific to e-commerce
application security and provides guidance on effective approaches to e-commerce
application protection. E-commerce applications require a new approach to threat
categories. Nevertheless, improved security relative to e-commerce applications can be
easily achieved through the effective leverage of existing software solutions.
A Growing Threat
As businesses open their networks to business partners, customers, and their mobile
workforce[2], they are significantly increasing both the value and vulnerability of their
online assets. Security incidents are costly, with organizations losing productivity as well
as experiencing business interruption, legal exposure, and shareholder liability. Merger
and acquisition due diligence and insurability concerns, as well as regulatory
requirements, are generating even broader awareness that information protection is a
critical need.
The most prevalent methods of attack on applications include buffer overflow attacks,
exploitation of application component privileges, and client-side manipulation. On top of
the e-commerce server’s OS, several subcategories of applications exist in which
vulnerabilities may be exploited, including the following:
• Web and application server: Vulnerabilities for CGI, Java, XQuery, default files, and
other resources called by applications, as well as Web servers (IIS, Apache) and
development environments (ColdFusion, etc.)
• Web site and application: HTML and XML applications; assessment functions include
Web crawling and step-through testing[4]
Vulnerability assessment (VA), the starting point for this process, is extremely important for both discovery and
identifying vulnerabilities. This process allows an organization to turn off unused
services, identify and patch vulnerable software, and make educated decisions about
which elements of the overall infrastructure require the most extensive protection
measures.
Finally, it can be extremely difficult for any automated audit and assessment application
to know how custom applications will respond to cookie manipulation, form field
manipulation, and other e-commerce application threats without carrying out a complete,
link-to-link, application-specific assessment. This is a time-consuming, interactive
analysis best performed by someone with both security and Web development knowledge
—a rarely combined skill set. Organizations may need to dedicate additional staff to fully
realize and take advantage of the results promised by such analysis, or to outsource the
review to leverage the security and application programming expertise of an organization
with the appropriate skills specialization.
[1] “SiteScope Security Essentials,” © 2003 Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, CA 94089, 2003.
[2] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[4] “Web Application Protection: Using Existing Protection Solutions,” © 2003 Internet Security Systems (ISS), Inc., 6303 Barfield Road, Atlanta, GA 30328, 2003.
Summary
Today, more than ever, organizations are challenged with improving security without
incurring a corresponding increase in cost or burden to their existing staff. By comparing
the benefits of a new product to the total cost of that product, organizations will make
better choices that ultimately lead to greater security. Leveraging existing products is
quite often the quickest way to improving both security and the bottom line. Finally, in
many cases, organizations can address most of their e-commerce application concerns or
problems with the products they already own.
Chapter 15: Protocols for the Public
Transport of Private Information
“The public have an insatiable curiosity to know everything. Except what is worth
knowing. Journalism, conscious of this, and having tradesman-like habits, supplies their
demands.”
Overview
The Internet and the proliferation of e-business have initiated a new era of data
acquisition and personalization. While opportunities for cultivating and cementing
customer relationships abound, companies are undergoing intense scrutiny to ensure that
they respect and protect consumer privacy.
The ability to capture and transport vast amounts of personally identifiable data is a
marketer’s dream. Yet if not handled prudently, this capability can turn into a customer’s
(and a company’s) worst nightmare. Today, companies must realize that their most
valuable asset is not the data—it’s the customer.
Although Web-based consumer activity is often the focus of attention, respecting and
protecting privacy goes further than securing data retrieved online. As a matter of fact,
privacy management and control should extend to every customer touchpoint (from the
call center to fulfillment to shipping), while at the same time supporting enterprise
corporate directives. In order to realize and sustain e-business results, organizations need
to appreciate the following considerations.
Trust
E-business depends on trust—and a lot of it. All commerce involves some level of trust;
however, e-business requires more of it because buyers are asked to provide greater
amounts of personal information to online vendors they typically know little, if anything,
about. Furthermore, increasing numbers of Web-based consumers understand that the
frontend interface is connected to a backend infrastructure, making the confidentiality of
their data even more tenuous.
Customers’ Trust
You can’t win customers’ trust if you don’t respect their privacy. Organizations that
collect potentially sensitive information become custodians of personal data. Obviously,
this trust must not be betrayed. IT systems and privacy policies need to protect personal
data from theft and any unauthorized distribution or use. It is not just a matter of ethics—
it is sound business practice.
Companies that violate consumer privacy needs make the foolish and potentially fatal
mistake of valuing the data more than the relationship. At the same time, customers who
are not comfortable with a company’s privacy policy may likely conduct their business
elsewhere.
Respecting Privacy
Respecting privacy takes more than mere adherence to laws and regulations. Given
today’s e-business landscape, where information is now a heavily sought-after
commodity, it is no surprise that government is stepping in to mandate consumer privacy.
However, no regulation, despite how well-crafted, can match everybody’s needs and
preferences. Furthermore, as privacy preferences change over the course of an
individual’s life, the government cannot always be relied upon to operate in sync with
such shifts.
Consequently, the onus of effective, real-time privacy protection rests on the enterprise.
Not only do governments require it—consumers demand it.
Companies benefit when they harness their understanding of customer privacy needs.
Customer relationships and loyalty are fortified when strong privacy practices are
employed. Treating people the way they want and ask to be treated (and communicating
those efforts back to the marketplace) is a strong one-to-one customer relationship
management approach—and can offer companies a real competitive edge.
Finally, companies can heighten e-business results when they value the customer over the
data. An enterprise solution is key to integrating privacy into policies, e-business
strategies, and processes. Thus, the following are the ground rules for e-business privacy:
• Businesses are custodians of personal data and must protect and secure it from
theft and misuse.
• Companies need to know their customers, while being as open with them as they
want their customers to be in return.
• Customers are likely to share more personal data if they are convinced their
privacy is strongly protected.
• Gaining consumer trust, respect, and confidence is not a static event or policy; it
is an ongoing process that requires continuous management.
• Privacy preferences are really critical customer needs.
• Privacy management can be a one-to-one marketing opportunity.
• Relationships with your customers are more valuable than the data. When
customers feel respected, they are typically more loyal.
• When organizations build and support an enterprise-wide privacy solution, the
potential return on e-business can be enormous[1].
The preceding rules are a challenge, considering the rigorous demands of myriad
industries, on any platform (with consideration for changing technologies) from
mainframe to wireless[3]. However, when privacy is built into every aspect of the
organization, the highest returns can be realized from loyal, valued customers.
[3] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
Summary
Finally, International Data Corporation (IDC) research predicts that over time, the
pressure to outsource security and privacy solutions will increase as the shortage of
skilled IT professionals continues. But, whether you look to an external service provider
or in-house to implement a new security infrastructure, you must take a series of specific
steps to consider goals and basic capabilities. Without a blueprint based upon technical
and business assessments, you cannot hope to create a system that is secure, up-to-date,
and encompasses the divergent needs of greater information sharing and privacy.
Chapter 16: Building an E-Commerce
Trust Infrastructure
“When a man assumes a public trust, he should consider himself as public property.”
Overview
A secure e-commerce Web site can provide businesses with powerful competitive
advantages, including increased online retail sales and streamlined application processes
for products such as insurance, mortgages, or credit cards. E-commerce credit card sales
can be especially lucrative; according to independent analysts, cash transactions on the
Internet will reach $13 billion in 2004, and $74 billion in 2009. By offering products and
services on the Web, businesses can gain unique benefits:
• New customers
• Cost-effective delivery channel
• Streamlined enrollment
• Better marketing through better customer knowledge[1]
[1] “Setting Up an E-Commerce Infrastructure,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.
New Customers
Anyone with an Internet connection is a potential customer; millions around the world
are already using the Internet for business transactions. Web storefronts are open 24 hours
a day, and require no investments in brick and mortar.
Many products and services, such as software or information, can be distributed directly
to customers via the Web. This enhances the customer experience and increases
profitability by eliminating the shipping and overhead costs associated with order
fulfillment.
Streamlined Enrollment
Paper-based enrollment workflows are fraught with delays. Applications for insurance, a
mortgage, or a credit card, for example, can be held up in the mail. And once received,
application information must be entered into computer systems manually, a labor-
intensive process that can introduce errors. By accepting applications via a secure Web
site, businesses can speed application processing, reduce processing costs, and improve
customer service.
No business can afford to ignore this opportunity. But businesses also can’t ignore the
potential pitfalls. Before entering the fiercely competitive e-commerce arena, businesses
must carefully assess and address the accompanying risks.
The solution for meeting each of the preceding goals includes two essential components:
digital certificates for Web servers, to provide authentication, privacy, and data integrity
through encryption; and a secure online payment management system, to allow e-
commerce Web sites to securely and automatically accept, process, and manage payments
online. Together, these technologies form the essential trust infrastructure for any
business that wants to take full advantage of the Internet.
Symmetric Cryptography
In fact, a combination of both public key and traditional symmetric cryptography is used
in modern cryptographic systems. The reason for this is that public key encryption
schemes are computationally intensive versus their symmetric key counterparts. Because
symmetric key cryptography is much faster for encrypting bulk data, modern
cryptography systems typically use public key cryptography to solve the key distribution
problem first, then symmetric key cryptography is used to encrypt the bulk data.
Such a scheme is used by today’s SSL protocol for securing Web transactions and by
secure e-mail schemes such as Secure/Multipurpose Internet Mail Extensions (S/MIME)
that are built into such products as Netscape Communicator and Microsoft Internet
Explorer.
However, in practice, each of these problems requires a “certified” public key in order to
operate correctly without third parties being able to interfere. This leads to a second set of
questions. For example, how can you be sure that the public key that your browser uses to
send credit card information is in fact the right one for that Web site, and not a bogus
one? And, how can you reliably communicate your public keys to your correspondents so
that they can rely on it to send you encrypted communications?
What is needed in order to address such concerns is the notion of a “secure binding”
between a given entity that participates in a transaction and the public key that is used to
bootstrap secure communication with that entity using asymmetric public key
cryptography. The next part of the chapter describes how a combination of digital
signatures and X.509 digital certificates (which employ digital signatures), including SSL
certificates, fulfills this role in e-commerce trust systems.
Digital Signatures
Digital signatures are based on a combination of the traditional idea of data hashing with
public key-based encryption. Most hash functions are similar to encryption functions. In
fact, some hash functions are just slightly modified encryption functions. Most operate by
grabbing a block of data at a time and repeatedly using a simple scrambling algorithm to
modify the bits. If this scrambling is done repeatedly, then there is no known practical
way to predict the outcome. It is not, in general, practical for someone to modify the
original data in any way while ensuring that the same output will emerge from the hash
function. These hash-based signature algorithms use a cryptographically secure hash
function, such as Message Digest 5 (MD-5) or Secure Hash Algorithm (SHA), to produce
a hash value from a given piece of data.
Because the digital signature process is central to the idea of a digital certificate (and in
turn, the digital certificate is the primary tool to ensure e-commerce security), it’s useful
to look at a diagram of the process. Figure 16.1 illustrates the steps taken by a sender in
forming a digitally signed message, as well as the steps a recipient takes in verifying that
the signed message is valid[1].
The first step is to take the original message and compute a “digest” of the outgoing
message using a hashing algorithm. The result is a “message digest,” which is typically
depicted as a long string of hexadecimal digits (and manipulated by software as binary
data). In the next step, the sender uses his private key to encrypt the message digest.
The original message content, together with the encrypted digest, forms a digitally signed
message, as depicted in the center of Figure 16.1. This digitally signed message is
suitable for delivery to the recipient. On receipt, the receiver verifies the digital signature
using an inverse set of steps: first, the encrypted digest is decrypted using the sender’s
public key. Next, this result is compared to an independent computation of the message
digest value using the hashing algorithm. If the two values are the same, the message has
been successfully verified.
Note No actual encryption of the message content itself need take place. Only the digital
signature itself is encrypted while the message is in transit (unless, of course, there
are privacy concerns, in which case the message content should be encrypted as
well).
Why is a digital signature compelling evidence that only the intended signer could have
created the message? For example, what if interlopers were to change the original
message? It was not encrypted, after all, and could have been changed by a third party in
transit. The answer is that if such a change had been made, then the decrypted, original
message digest wouldn’t have matched the recomputed one for the changed data in the
message. Verification of the digital signature would fail. Similarly, the creation of a bogus
signature is impractical because an interloper doesn’t have the appropriate private key.
Digital Certificates
A digital certificate is an electronic file that uniquely identifies individuals and Web sites
on the Internet and enables secure, confidential communications. It associates the name
of an entity that participates in a secured transaction (for example, an e-mail address or a
Web site address) with the public key that is used to sign communication with that entity
in a cryptographic system.
Using digital certificates simplifies the problem of trusting that a particular public key is
in fact associated with a participating party, effectively reducing it to the problem of
“trusting” the associated CA service. Digital certificates, therefore, can serve as a kind of
digital passport or credential. This approach represents an advance in the key
management problem, because it reduces the problem of bootstrapping trust to the
problem of setting up (or in today’s marketplace, selecting as a vendor) the appropriate
CA functionality. All parties that trust the CA can be confident that the public keys that
appear in certificates are valid.
The browser trusts the certificate because it is signed, and the browser trusts the signature
because the signature can be verified. And, why can it be verified? Because the signer’s
public key is already embedded in the browser software itself. To see this in the particular
case of a browser, begin by clicking on the Security icon on the main toolbar, as shown in
Figure 16.2[1].
Under Certificates, choose Signers, and scroll down the list, as shown in Figure 16.3[1]. A
window similar to that shown in Figure 16.4 should appear[1].
Next, select a particular certificate and click on the Edit button. A display similar to the
one shown in Figure 16.5 should appear[1].
This is a representation of an X.509 digital certificate. X.509 certificates come in three
different versions, but they (the one displayed in Figure 16.5 is an example) are the
certificates most commonly encountered in today’s cryptography systems. Such a certificate
consists of the following fields to identify the owner of the certificate and the trusted CA
that issued the certificate:
• Version
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
• Subject (user) name
• Subject public-key information
• Issuer unique identifier
• Subject unique identifier
• Extensions
• Digital signature for the preceding fields[1]
Although only a few of the preceding fields (version, serial number, issuer name, and
subject name) correspond to the display elements in Figure 16.5, these basic elements
give an idea of what a typical certificate contains. In other words, the certificate
shown in Figure 16.5 contains only a few of the basic fields. A more detailed dump of
raw certificate content might look like the following[1]:
Certificate:
    Data:
        Version: v3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: CN=Root CA, OU=CIS, O=Structured Arts Computing Corporation, C=US
        Validity:
            Not Before: Fri Dec 5 18:39:01 1997
            Not After: Sat Dec 5 18:39:01 1998
        Subject: CN=Test User, OU=Test Org Unit, O=Test Organization, C=US
        Subject Public Key Info:
            Algorithm: PKCS #1 RSA Encryption
            Public Key:
                Modulus:
                    00:c2:29:01:63:a1:fe:32:ae:0c:51:8d:e9:07:6b:02:fe:ec:
                    6d:0e:cc:95:4b:dc:0a:4b:0b:31:a3:1a:e1:68:1f:d8:0b:b7:
                    91:fb:f7:fd:bd:32:ba:76:01:45:e1:7f:8b:66:cd:7e:79:67:
                    8d:48:30:2a:09:48:4c:9b:c7:98:d2:b3:1c:e9:54:2c:3c:0a:
                    10:b0:76:ae:06:69:58:ac:e8:d8:4f:37:83:c3:f1:34:02:6d:
                    9f:38:60:6f:5e:54:4f:71:c7:92:28:fb:0a:b3:44:f3:1a:a3:
                    fe:99:f4:3f:d3:12:e2:f8:3b:03:65:33:88:9b:67:c7:de:88:
                    23:90:2b
                Public Exponent: 65537 (0x10001)
    Extensions:
        Identifier: Certificate Type
            Critical: no
            Certified Usage:
                SSL Client
        Identifier: Authority Key Identifier
            Critical: no
            Key Identifier:
                a7:84:21:f4:50:0e:40:0f:53:f2:c5:d0:53:d5:47:56:b7:c5:
                5e:96
    Signature:
        Algorithm: PKCS #1 MD5 With RSA Encryption
        Signature:
            2d:76:3f:49:5b:53:3a:c5:02:06:a3:67:6d:d9:03:50:57:7f:de:a7:a9:
            cd:69:02:97:6f:66:6a:7f:95:ea:89:75:7a:fc:b0:26:81:fc:33:bb:60:
            e8:f7:73:77:37:f8:8a:04:3b:fc:c1:3e:42:40:3d:58:16:17:7e:47:35:
            1c:73:5a:ab:72:33:c3:f5:2b:c6:eb:b5:39:52:82:c6:3e:e1:38:c6:39:
            8b:ee:e3:9f:b3:b9:29:42:0d:11:a5:79:af:6d:3a:f8:a6:ba:d0:9c:55:
            48:0d:75:91:05:0b:47:67:98:32:f3:2d:2e:49:ed:22:ab:28:e8:d6:96:
            a1:9b
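The sender and recipient steps of Figure 16.1, together with the way a certificate binds a subject name to a public key under a CA's signature, as an added example that is not code from the book, from VeriSign, or from the certificate dump above. It uses textbook RSA (no padding) over a SHA-256 digest, key pairs constructed from Mersenne primes so that no key generator is needed, and a simplified certificate record whose signed fields follow the list above; the issuer and subject names, serial number, dates and message are constructed, and real X.509 encodes the fields in DER and uses PKCS #1 padding, both omitted here.

```python
# Added example: textbook RSA digital signatures over a SHA-256 digest plus a
# simplified certificate that binds a subject name to a public key. It is not
# code from the book; all keys, names and dates are constructed for the demo.
import hashlib
from datetime import datetime

E = 65537  # conventional public exponent (matches "Public Exponent: 65537" in the dump)

def make_key(p, q):
    """Build an RSA key pair from two primes (textbook RSA, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E, "d": d}

def pub(key):
    """Public half of a key pair."""
    return {"n": key["n"], "e": key["e"]}

# Constructed key material: products of Mersenne primes, so the example runs
# without a prime generator. Each modulus exceeds 2**256, so a SHA-256 digest
# fits in it without reduction. Demo-only; use a real library for key generation.
CA_KEY = make_key(2**127 - 1, 2**521 - 1)    # the CA's key pair
USER_KEY = make_key(2**89 - 1, 2**607 - 1)   # "Test User"'s key pair

def digest(data: bytes) -> int:
    """Step 1 of Figure 16.1: hash the message into a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, key) -> int:
    """Step 2: 'encrypt' the digest with the signer's private exponent."""
    return pow(digest(data), key["d"], key["n"])

def verify(data: bytes, signature: int, public) -> bool:
    """Recipient side: recover the digest with the public key and compare it
    to an independent hash of the received data."""
    return pow(signature, public["e"], public["n"]) == digest(data)

# Simplified certificate: the to-be-signed fields follow the list above
# (version, serial, issuer, validity, subject, subject public key); real X.509
# encodes them in DER and adds extensions, which are omitted here.
TBS_FIELDS = ("version", "serial", "issuer", "not_before", "not_after", "subject", "public_key")

def tbs_bytes(cert) -> bytes:
    """Canonical byte string of the signed fields (stand-in for DER)."""
    return "|".join(f"{k}={cert[k]!r}" for k in TBS_FIELDS).encode()

def issue_cert(ca_name, ca_key, subject, subject_pub, serial, not_before, not_after):
    """CA signs the binding between the subject name and the subject's public key."""
    cert = {"version": 3, "serial": serial, "issuer": ca_name,
            "not_before": not_before, "not_after": not_after, "subject": subject,
            "public_key": (subject_pub["n"], subject_pub["e"])}
    cert["signature"] = sign(tbs_bytes(cert), ca_key)
    return cert

def validate_cert(cert, trusted_cas, now):
    """Relying-party checks: trusted issuer, valid CA signature, within validity."""
    issuer_pub = trusted_cas.get(cert["issuer"])
    if issuer_pub is None:
        return False, "issuer not in trusted CA list"
    if not verify(tbs_bytes(cert), cert["signature"], issuer_pub):
        return False, "CA signature does not verify"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside validity period"
    return True, "ok"

CA_NAME = "CN=Root CA, O=Example CA"       # constructed issuer name
TRUSTED_CAS = {CA_NAME: pub(CA_KEY)}       # stands in for the browser's built-in signer list

def demo():
    """Run the sender/recipient flow and the failure cases; returns a result map."""
    cert = issue_cert(CA_NAME, CA_KEY, "CN=Test User, O=Test Organization",
                      pub(USER_KEY), serial=8,
                      not_before=datetime(2003, 1, 1), not_after=datetime(2003, 12, 31))
    subject_pub = {"n": cert["public_key"][0], "e": cert["public_key"][1]}
    message = b"Order 1234: ship to 1 Main St"          # constructed message
    signature = sign(message, USER_KEY)
    tampered_cert = dict(cert, subject="CN=Mallory, O=Test Organization")  # field changed, signature kept
    untrusted = dict(cert, issuer="CN=Unknown CA")
    when = datetime(2003, 6, 1)
    return {
        "cert_valid": validate_cert(cert, TRUSTED_CAS, when)[0],
        "message_verifies": verify(message, signature, subject_pub),
        "tampered_message": verify(b"Order 1234: ship to 2 Main St", signature, subject_pub),
        "forged_signature": verify(message, signature ^ 1, subject_pub),
        "expired_cert": validate_cert(cert, TRUSTED_CAS, datetime(2004, 6, 1))[0],
        "tampered_cert": validate_cert(tampered_cert, TRUSTED_CAS, when)[0],
        "untrusted_issuer": validate_cert(untrusted, TRUSTED_CAS, when)[0],
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18} {result}")
```

The three failure cases mirror the text: a changed message no longer matches the recovered digest, a signature not made with the private key does not verify, and a certificate whose signed fields were altered, whose issuer is not in the trusted list, or whose validity period has passed is rejected before its public key is ever used.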
The next part of the chapter describes how SSL digital certificates for Web servers apply
cryptographic techniques to secure e-commerce Web sites.
The practical means of implementing PKI and digital signatures are via Web server
certificates that enable authentication and SSL encryption. SSL certificates form the basis
of an Internet trust infrastructure by allowing Web sites to offer safe, secure information
exchange to their customers. SSL server certificates satisfy the need for confidentiality,
integrity, authentication, and nonrepudiation.
SSL Defined
Server certificates allow users to confirm a Web server’s identity. Web browsers
automatically check that a server’s certificate and public ID are valid and have been
issued by a CA included in the list of trusted CAs built into browser software. SSL server
authentication is vital for secure e-commerce transactions in which users, for example,
are sending credit card numbers over the Web and first want to verify the receiving
server’s identity.
SSL Encryption
SSL server certificates establish a secure channel that enables all information sent
between a user’s Web browser and a Web server to be encrypted by the sending software
and decrypted by the receiving software—thus protecting private information from
interception over the Internet. In addition, all data sent over an encrypted SSL connection
is protected with a mechanism for detecting tampering—that is, for automatically
determining whether the data has been altered in transit. This means that users can
confidently send private data, such as credit card numbers, to a Web site, trusting that
SSL keeps it private and confidential.
SSL certificates take advantage of SSL to work seamlessly between Web sites and
visitors’ Web browsers. The SSL protocol uses a combination of asymmetric public key
encryption and faster symmetric encryption. (See sidebar, “SSL Server Certificates
Steps” for more information.)
The Netscape Navigator and Microsoft Internet Explorer browsers have built-in security
mechanisms to prevent users from unwittingly submitting their personal information over
insecure channels. If a user tries to submit information to an unsecured site (a site without
an SSL server certificate), the browsers will, by default, show a warning.
In contrast, if a user submits credit card or other information to a site with a valid server
certificate and an SSL connection, the warning does not appear. The secure connection is
seamless, but visitors can be sure that transactions with a site are secured by looking for
the following cues:
• The URL in the browser window displays “https” at the beginning, instead of http.
• In Netscape Communicator, the padlock in the lower-left corner of the Navigator
window will be closed instead of open.
• In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE
window[1].
SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session
key generated by every encrypted transaction. The longer the key, the more difficult it is
to break the encryption code. 128-bit SSL encryption is the world’s strongest; according
to RSA Labs, it would take a trillion years to crack using today’s technology. 128-bit
encryption is approximately 3 × 10^26 times stronger than 40-bit encryption.
Microsoft and Netscape offer two versions of their Web browsers, export and domestic,
that enable different levels of encryption depending on the type of SSL server certificate
with which the browser is communicating. First, 40-bit SSL server certificates (such as
VeriSign’s SSL Certificates) enable 40-bit SSL when communicating with export-version
Netscape and Microsoft Internet Explorer (IE) browsers (used by most people in the U.S.
and worldwide) and 128-bit SSL encryption when communicating with domestic-version
Microsoft and Netscape browsers. Second, 128-bit SSL server certificates (such as
VeriSign’s Global Server IDs) enable 128-bit SSL encryption (the world’s strongest) with
both domestic and export versions of Microsoft and Netscape browsers.
In order to fully enable 128-bit encryption with a Global Server ID, it’s important to
generate the right kind of private key during the process of obtaining an SSL certificate.
An important step in the process is generating a Certificate Signing Request (CSR) within
the Web server software. In generating a CSR, Web server administrators should be
careful to select a 1024-bit private key, which enables the Global Server ID to establish
128-bit SSL encryption, rather than a 512-bit private key, which enables only 40-bit
encryption.
Netscape users can follow these steps to see what level of encryption is protecting their
transactions:
You can also check to see which level of SSL is activated on your Web server by
following these steps:
• Using a 128-bit client, such as the domestic version of Netscape Navigator, click
Options/Security Preferences.
• Under the Enable SSL options, click Configure for both SSL 2 and SSL 3. Make
sure acceptance for the 40- and 56-bit encryption ciphers are turned off.
• Try to access the site. If it is using less than 128-bit security, then you will receive an
error in your browser window: “Netscape and this server cannot communicate
securely because they have no common encryption methods[1].”
IE users can find out a Web site’s encryption level by following these steps:
E-businesses may choose to simplify the process of certificate checking for site visitors
by describing the security measures they have implemented in a Security and Privacy
statement on their sites. For example, sites that use VeriSign SSL Certificates can also
post the Secure Site Seal on their home page, security statement page, and purchase
pages. The Seal is a widely recognized symbol of trust that enables site visitors to check
certificates in real time from VeriSign with one click.
To ensure that strong, 128-bit encryption protects e-commerce transactions for all users,
businesses should install 128-bit IDs, such as VeriSign’s Global Server IDs, on their
servers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL
server certificates will allow strong, 128-bit encryption when interacting with 128-bit
server certificates because these certificates are equipped with a special extension that
enables Server Gated Cryptography (SGC) for Microsoft browsers and “International
Step-Up” for Netscape browsers.
The extension enables 128-bit encryption with export-version browsers by prompting two
“handshakes” when a user’s browser accesses a page protected by a Global Server ID.
When an export-version Netscape or Microsoft browser connects to the Web server, the
browser initiates a connection with only a 40-bit cipher. When the server certificate is
transferred, the browser verifies the certificate against its built-in list of approved CAs.
Here, it recognizes that the server certificate includes the SGC or International Step-Up
extension, and then immediately renegotiates the SSL parameters for the connection to
initiate an SSL session with a 128-bit cipher. In subsequent connections, the browser
immediately uses the 128-bit cipher for full-strength encryption.
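The double handshake described above, modelled as an added example (not code from the book or from any browser or server vendor): an export browser first offers only a 40-bit suite, recognizes the SGC or Step-Up extension on a certificate from an approved CA, renegotiates at 128 bits, and thereafter goes straight to the strong suite for that host. The cipher labels, CA name, hosts and class layout are constructed for illustration; only the two extension OIDs are real.

```python
from dataclasses import dataclass

# Real extended-key-usage OIDs that mark a step-up certificate.
MS_SGC_OID = "1.3.6.1.4.1.311.10.3.3"          # Microsoft Server Gated Cryptography
NETSCAPE_STEP_UP_OID = "2.16.840.1.113730.4.1"  # Netscape International Step-Up
STEP_UP_OIDS = frozenset({MS_SGC_OID, NETSCAPE_STEP_UP_OID})

# Toy suite labels (constructed, not IANA names), strongest first.
EXPORT_SUITES = ("RC4-40",)     # all an export browser offers on a first contact
STRONG_SUITES = ("RC4-128",)    # full-strength suite unlocked by step-up
TRUSTED_CAS = frozenset({"Constructed Root CA"})  # the browser's built-in CA list


@dataclass(frozen=True)
class Certificate:
    common_name: str
    issuer: str
    ext_key_usage: frozenset = frozenset()

    @property
    def is_step_up(self) -> bool:
        return bool(self.ext_key_usage & STEP_UP_OIDS)


class Server:
    """Web server that takes the first offered suite it supports, in client order."""

    def __init__(self, cert: Certificate, supported=STRONG_SUITES + EXPORT_SUITES):
        self.cert = cert
        self.supported = supported

    def server_hello(self, offered):
        for suite in offered:
            if suite in self.supported:
                return suite, self.cert
        raise ValueError("no common encryption methods")


class Browser:
    """export=True models an export-version browser; False a domestic one."""

    def __init__(self, export: bool):
        self.export = export
        self.stepped_up_hosts = set()   # hosts already known to carry a step-up cert
        self.transcript = []            # handshake messages of the last connect()

    def _offer(self, host):
        if not self.export or host in self.stepped_up_hosts:
            return STRONG_SUITES + EXPORT_SUITES
        return EXPORT_SUITES

    def _handshake(self, host, server, offered):
        self.transcript.append(("ClientHello", offered))
        cipher, cert = server.server_hello(offered)
        if cert.issuer not in TRUSTED_CAS:
            raise ValueError("certificate not issued by an approved CA")
        if cert.common_name != host:
            raise ValueError("common name does not match the site")
        self.transcript.append(("ServerHello", cipher, cert.common_name))
        return cipher

    def connect(self, host, server):
        self.transcript = []
        cipher = self._handshake(host, server, self._offer(host))
        # Second handshake: a 40-bit session to a step-up certificate is renegotiated.
        if self.export and cipher in EXPORT_SUITES and server.cert.is_step_up:
            self.stepped_up_hosts.add(host)
            cipher = self._handshake(host, server, STRONG_SUITES + EXPORT_SUITES)
        return cipher

    def handshakes(self):
        return sum(1 for msg in self.transcript if msg[0] == "ClientHello")


def demo():
    """Constructed walk-through: returns {case: (negotiated suite, handshake count)}."""
    step_up_cert = Certificate("www.shop.example", "Constructed Root CA", STEP_UP_OIDS)
    plain_cert = Certificate("www.plain.example", "Constructed Root CA")
    export, domestic, results = Browser(export=True), Browser(export=False), {}
    results["export/step-up first"] = (
        export.connect("www.shop.example", Server(step_up_cert)), export.handshakes())
    results["export/step-up again"] = (
        export.connect("www.shop.example", Server(step_up_cert)), export.handshakes())
    results["export/plain"] = (
        export.connect("www.plain.example", Server(plain_cert)), export.handshakes())
    results["domestic/plain"] = (
        domestic.connect("www.plain.example", Server(plain_cert)), domestic.handshakes())
    return results


if __name__ == "__main__":
    for case, (suite, count) in demo().items():
        print(f"{case:22s} {suite:8s} handshakes={count}")
```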
As organizations and service providers enhance their Web sites and extranets with newer
technology to reach larger audiences, server configurations have become increasingly
complex. They must now accommodate:
• Redundant server backups that allow Web sites and extranets to maximize site
performance by balancing traffic loads among multiple servers
• Organizations running multiple servers to support multiple site names
• Organizations running multiple servers to support a single site name
• Service providers using virtual and shared hosting configurations[1]
But, in complex, multiserver environments, SSL server certificates must be used carefully
if they are to serve their purpose of reliably identifying sites and the businesses operating
them to visitors and encrypt e-commerce transactions—thus, establishing the trust that
customers require before engaging in e-commerce. When used properly in an e-
commerce trust infrastructure equipped with multiple servers, SSL server certificates
must still satisfy the three requirements of online trust:
1. Client applications, such as Web browsers, can verify that a site is protected by an
SSL server certificate by matching the “common name” in a certificate to the
domain name (such as www.verisign.com) that appears in the browser. Certificates
are easily accessible via Netscape and Microsoft browsers.
2. Users can also verify that the organization listed in the certificate has the right to
use the domain name, and is the same as the entity with which the customer is
communicating.
3. The private keys corresponding to the certificate, which enable the encryption of
data sent via Web browsers, are protected from disclosure by the enterprise or ISP
operating the server[1].
In order to satisfy the requirements of Internet trust, one SSL server certificate can be
used to secure each domain name on every server in a multiserver environment, and the
corresponding private keys can be generated from the hosting server. Some enterprises or
ISPs practice certificate sharing, or using a single SSL server certificate to secure
multiple servers. Organizations use certificate sharing in order to secure backup servers,
to ensure high-quality service on high-traffic sites by balancing traffic among several
servers, or, in the case of ISPs and Web hosts, to provide inexpensive SSL protection to
price-sensitive customers. However, as described next, certificate-sharing configurations
do not satisfy the fundamental requirements of Internet trust.
Now, let’s look at some common shared certificate configurations for an e-commerce
trust infrastructure:
Load balancing: Multiple sites with different common names on multiple servers.
Load balancing: Multiple sites with the same common name on multiple servers.
ISP shared SSL: One certificate issued to an ISP’s domain, used on multiple servers by
multiple Web sites.
Name-based virtual hosting: An ISP or Web Host provides each hosted customer with a
unique domain name, such as customername.isp.com[1].
Fail-Safe Backup
Certificate sharing is permissible. However, when the backup server is not under the
same control as the primary server, the private key cannot be adequately protected, and a
separate certificate should be used for each server.
To prevent browsers from detecting that the URL of the site visited differs from the
common name in the certificate, a different certificate should be used for each
server/domain name combination. A different certificate should also be used to protect the
security of private keys.
Instead of jeopardizing private key functionality by copying the key for multiple servers,
a different certificate should be used for each server. Each certificate may have the same
common name and organizational name, but slightly different organizational unit values.
ISP shared SSL prevents site visitors from verifying that the site they are visiting is the
same as the site protected by the certificate and listed in the certificate itself. Each site’s
server should have its own certificate. Or, merchants must inform their customers that site
encryption is provided by the ISP, not the merchant, and the ISP must guarantee the
services of all the hosted companies whose sites use shared SSL.
If the same certificate is used for each domain name, browsers will indicate that the site
domain name does not match the common name in the certificate. To solve this problem,
a “wildcard” certificate of the form *.isp.com is required to properly serve the multi-
hostname configuration without creating browser mismatch error messages.
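The first two trust requirements listed above (common name matches the URL's host; the organization in the certificate is the one operating the site) applied to each shared-certificate configuration, as an added example that is not from the book. The wildcard rule implemented here is the one browsers apply to a common name or subjectAltName entry: a bare `*` as the whole leftmost label, at least two fixed labels after it, matching exactly one label. Host names other than the book's `isp.com` examples, and all organization names, are constructed.

```python
from dataclasses import dataclass


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name covers the host part of the URL."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only a whole leftmost label may be the wildcard, and "*.com" is rejected.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # "*.isp.com" covers "customername.isp.com" but not "isp.com" or "a.b.isp.com".
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


@dataclass(frozen=True)
class Scenario:
    name: str
    hostname: str   # host part of the URL the visitor typed
    operator: str   # organization actually running the site
    cert_cn: str    # common name in the certificate
    cert_org: str   # organization (O=) in the certificate


# Constructed scenarios, one per configuration discussed above. Requirement 3
# (private-key protection) is an operational property and is not checkable here.
SCENARIOS = (
    Scenario("backup server under the same control",
             "www.shop.example", "Shop Inc", "www.shop.example", "Shop Inc"),
    Scenario("load balancing, different common names, one shared cert",
             "store.shop.example", "Shop Inc", "www.shop.example", "Shop Inc"),
    Scenario("ISP shared SSL, merchant pages on the ISP host",
             "secure.isp.com", "Merchant Ltd", "secure.isp.com", "ISP Inc"),
    Scenario("name-based virtual hosting, ISP's own cert",
             "customername.isp.com", "Customer Co", "isp.com", "ISP Inc"),
    Scenario("name-based virtual hosting, wildcard cert",
             "customername.isp.com", "Customer Co", "*.isp.com", "ISP Inc"),
)


def trust_checks(s: Scenario) -> dict:
    """Requirement 1 (name) and requirement 2 (organization) for one scenario."""
    return {
        "name_matches": hostname_matches(s.cert_cn, s.hostname),
        "org_matches": s.operator == s.cert_org,
    }


def check_configurations(scenarios=SCENARIOS) -> dict:
    return {s.name: trust_checks(s) for s in scenarios}


if __name__ == "__main__":
    for name, checks in check_configurations().items():
        flags = " ".join(f"{k}={'yes' if v else 'NO'}" for k, v in checks.items())
        print(f"{name}: {flags}")
```

Note that the wildcard certificate removes the browser mismatch warning for `customername.isp.com` but leaves requirement 2 unmet: the certificate still names the ISP, not the hosted merchant.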
Next, let’s examine the second key component of an Internet trust infrastructure: secure
online payment management.
After businesses have built a Web site and implemented SSL certificates to authenticate
themselves to customers and encrypt communications and transactions, they must address
another crucial component of an e-commerce infrastructure. This involves enabling
customers to easily pay for products and services online—and processing and managing
those payments in conjunction with a complex network of financial institutions.
Today’s fragmented Internet payment systems often connect online merchants to banks
via privately operated, point-to-point payment networks. In 2002, for example, over 9
billion electronic payment transactions (originating from approximately 6 million
merchant locations and representing over $690 billion in merchant dollar volume) were
passed over leased lines and non-Internet interfaces to a single transaction processor
(First Data Corporation).
Demand is, therefore, high for a simpler, “Internet payment gateway” approach that
provides easier Internet connectivity between buyers, sellers, and the financial networks
that move money between them. A truly flexible Internet payment gateway must support
multiple payment instruments, connect to all relevant back-office payment processors,
and be packaged for easy integration into front-office Web applications. Ideally, the
gateway should also offer uniform interfaces to payment functionality, permitting e-
businesses to deploy payment applications that can be easily switched between
alternative financial instruments, institutions, and payment processors. And, to form part
of a complete e-commerce trust infrastructure, the gateway must ensure fail-safe security
for payment data as it passes from customer to Web site and through the backend
processing system.
Finally, some merchants may build an Internet payment gateway themselves, or purchase
a software-based solution. However, according to the Gartner Group, most e-merchants
have transaction volumes that do not justify the expense of bringing the process in-house,
and are opting to outsource ASP solutions.
Summary
Businesses that can manage and process e-commerce transactions can gain a competitive
edge by reaching a worldwide audience, at very low cost. But, the Web poses a unique set
of trust issues, which businesses must address at the outset to minimize risk. Customers
submit information and purchase goods or services via the Web only when they are
confident that their personal information, such as credit card numbers and financial data,
is secure.
Finally, the solution for businesses that are serious about e-commerce is to implement a
complete e-commerce trust infrastructure. PKI cryptography and digital signature
technology, applied via SSL digital certificates, provide the authentication, data integrity,
and privacy necessary for e-commerce. Internet payment gateway systems provide online
merchants with the ability to efficiently and securely accept and process a variety of
online payments from customers.
Chapter 17: Implementing E-Commerce Enterprise Application Security Integration
“There are no such things as applied sciences, only applications of science.”
Mergers, acquisitions, and multicompany collaborative federations are nothing new to the
e-commerce world. What is new and urgent is the need to secure a high number of critical
applications from unauthorized use, both from external and internal sources. Today’s e-
commerce characteristics, including remote workforces, wireless applications[1], corporate
partnership programs, CRM systems, and numerous others require organizations to
increase the availability of corporate information, which significantly increases security
risks.
The Challenge
In the past, companies maintained security by allowing only trusted insiders to access
sensitive corporate applications and data, through physically restricted access. However
the rise of e-commerce now requires those companies to allow their customers, prospects,
suppliers, and partners to access even the deepest reaches of the corporate “backend.” IT
management has been put on the horns of a dilemma: access versus barriers. If they
tighten security to eliminate the risk of electronic theft or vandalism, the business grinds
to a halt.
This is the central issue of enterprise security. How can an organization provide access to
multiple users or groups without compromising data security? This issue is further
complicated by e-commerce as the next step in the evolution of global companies. By
distributing applications and data across the Internet, institutions face a whole new set of
problems and threats controlling access to—and protecting the integrity of—data and
business processes.
[1] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
The Solution: Application Security Integration
Just as EAI technologies addressed the problems of data access and resource management
across the enterprise by integrating applications and business processes into a single,
virtual “business engine,” companies now need a set of easy-to-use tools and
technologies to control access to those same applications and processes. Today, a new
class of technology (Enterprise Application Security Integration, or EASI) is emerging to
ensure that the distributed enterprise is protected.
This chapter explores this new technology’s support of rapid deployment of secure e-
commerce applications. The technology, based on the integration of distributed
component computing and information security, represents new power to mount secure,
scalable e-commerce services. The chapter also describes how security enables new e-
commerce applications that were not previously feasible, and how e-commerce solutions
create new security responsibilities. Next, the chapter describes the many challenges of
enforcing security in component-based applications. Finally, the chapter formally
introduces EASI, which is used to tie together many different security technologies, and,
as a result, provide the framework for building secure component architectures.
Corporations are discovering the power of online services to increase customer loyalty,
support sales efforts, and manage internal information. The common thread in these
diverse efforts is the need to present end users with a unified view of information stored
in multiple systems, particularly as organizations move from static Web sites to the
transactional capabilities of electronic commerce. To satisfy this need, legacy systems are
being integrated with powerful new e-commerce-based applications that provide broad
connectivity across a multitude of backend systems. These unified applications bring
direct bottom-line benefits, for example:
• On the Internet
• Via extranets
• With an intranet[1]
On the Internet
Via Extranets
A bank and an airline both increase their customer bases with a joint venture—a credit
card that offers frequent flyer credits sponsored by the bank. This service requires joint
data-sharing, such as purchase payment and charge-back information, as well as decision
support applications to retrieve, manipulate, and store information across enterprise
boundaries. Additionally, employees from both companies will need to access some, but
not all, of the same information.
With an Intranet
These new e-commerce applications can have a dark side. They can open a direct pipeline
to the enterprise’s most valuable information assets, presenting a tempting target for
fraud, malicious hackers, and industrial espionage.
Appropriate protections are a prerequisite for doing business, both for an organization’s
credibility with its stakeholders and its financial viability. For example:
• The bank and airline in a joint venture may compete in other areas or through
other partnerships. A secure barrier, permitting only authorized transactions, must
be erected between the two enterprise computing environments.
• The bank offering currency-trading needs to protect the integrity of its core
systems from unauthorized transfers or tampering.
• The manufacturer posting proprietary discoveries needs to ensure that their
competitors or subcontractors cannot tap into the system. Attacks from both the
outside and inside must be blocked[1].
Information Security Goals: Enable Use, Bar Intrusion
Accountability: Detect attacks in progress or trace any damage from successful attacks.
Prevent system users from later denying completed transactions.
Confidentiality: Safeguard user privacy[3] and prevent the theft of information both
stored and in transit.
Integrity: Ensure that electronic transactions and data resources are not tampered with at
any point, either accidentally or maliciously[1].
To provide the four preceding key protections, information security must be an integral
part of system design and implementation.
[3] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.
The scope of e-commerce security is so broad because these applications typically cut
across lines of business. There are many examples of new business models that drive
security needs:
• E-commerce
• Cross-selling and customer relationship management
• Supply chain management
• Bandwidth on demand[1]
E-Commerce
E-commerce sites on the Internet rely on credit card authorization services from an
outside company. A federated relationship between an e-commerce company and a credit
card service depends on trustworthy authenticated communication.
Supply chain management requires continuing communication among all of the suppliers
in a manufacturing chain to ensure that the supply of various parts is adequate to meet
demand. The transactions describing the supply chain that are exchanged among the
enterprises contain highly proprietary data that must be protected from outside snooping.
Bandwidth on Demand
Bandwidth on demand allows customers to make dynamic requests for increases in the
quality of a telecommunication service and to get instant results. Bandwidth on demand is
an example of self-administration, where users handle many of their own administrative
functions rather than relying on an administrator within the enterprise to do it for them.
Self-administration provides better service for customers at a lower cost, but comes with
significant security risks. Because corporate servers that were previously available to
system administrators are now accessible by end users, security mechanisms must be in
place to ensure that sensitive administrative functions are off-limits.
In each of the cases previously described, one enterprise or line of business can expose
another organization to increased security risk. For example, a partner can unintentionally
expose your business to security attack by providing their customers access to your
business resources. As a result, security risk is no longer under the complete control of a
single organization. Risks must be assessed and managed across a collection of
organizations, which is a new and very challenging security responsibility.
A large middle ground exists between the extremes of avoiding e-commerce applications
altogether, blithely launching unprotected systems, or burdening every application with
prohibitively costly and user-unfriendly security measures. This middle ground is the area
of risk management. The risk-management approach aims not to eliminate risk, but to
control it. Risk management is a rigorous balancing process of determining how much
and what kind of security to incorporate in light of business needs and acceptable levels
of risk. It unlocks the profit potential of expanded network connectivity by enabling
legitimate use, while blocking unauthorized access. The goal is to protect adequately to
meet business needs without undue risk, making the right trade-offs between security and
cost, performance and functionality.
For example, consider four different e-commerce users: an Internet Service Provider
(ISP), a hospital administrator, a banker, and a military officer. Each has a different
security concern.
The challenge is to implement security in a way that meets business needs cost-
effectively, both in the short-term and as enterprise needs expand. Meeting the challenge
requires a collaborative effort between corporate strategists and information technology
managers. Understanding the business drivers for information security helps clarify
where to focus security measures. Understanding the underlying application architecture
(how components work together) clarifies the most practical approach for building
system security. Distributed applications, in particular, require new ways of thinking.
Information security is a serious concern for most businesses. Even though reporting of
computer-based crime is sporadic because companies fear negative publicity and
continued attacks, the trend is quite clear: information security attacks continue to be a
real threat to businesses. According to a recent Computer Security Institute Survey, 72%
of interviewed businesses reported that they had been subjects of serious information
security attacks in 2002. Seventy-four percent of the businesses reported that the attacks
caused significant financial losses, such as losses due to financial fraud or theft of
valuable intellectual property.
The threats to businesses are from both internal and external attacks. In the same survey,
61% of the businesses reported they were subjected to attacks launched from the Internet,
and 83% of businesses reported that insider attack (by trusted corporate users) was a
primary concern. This last statistic is very important—to meet corporate needs, a
complete end-to-end security solution must address insider attacks.
Most e-commerce solutions today blur the line between the insider world containing
trusted users and the outside world containing potentially hostile attackers. Furthermore,
the primary purpose of multitier architectures is to open up the corporate network to the
external world, thus allowing valuable corporate resources to be accessible to outsiders.
Outsiders (such as business partners, suppliers, or remote employees) may have very
similar data access rights to corporate information as many insiders. As a result,
protection mechanisms must be in place not only at the external system boundaries, but
also throughout the enterprise architecture.
Applying security products without thinking about how they all fit together clearly does
not work. Businesses should build and leverage a common security infrastructure that is
shared across the enterprise. An integrated approach to security is the only way to address
complex, multitier e-commerce applications, which will be explained later in this chapter.
Component technology, which closely groups data and the business logic that makes use
of the data, is having a dramatic impact on the business computing landscape.
Developments in the field of distributed component computing allow cooperating
components to reside in different machines, networks, or even enterprises. These
developments enable businesses to enhance and reuse installed applications rapidly,
representing new power to tap the immense value of legacy resources. As a result, many
organizations are migrating from traditional, single-layer client/server applications to
multitiered application architectures.
Traditionally, computer security has worked effectively in systems in which sensitive data
can be isolated and protected in a central repository. Distributed components have exactly
the opposite philosophy by making distributed data widely accessible across large
networks. Simply put, the more accessible data is, the harder it is to protect. Ordinarily,
it’s a good idea to keep your crown jewels locked up in a vault. Distributed components
encourage you to pass them around to all your friends for safekeeping.
The TCB (trusted computing base) is usually implemented within an operating system that
is under strict configuration control. This architecture permits very tight security because the TCB is the
mediator through which all user accesses to resources must pass. Everything within the
TCB is trusted to enforce the security policy; everything outside of the TCB is untrusted.
Distributed component systems, on the other hand, have a more complex security
architecture, as shown in Figure 17.2[1]. Security functionality (the shaded areas of the
diagram) in component systems is distributed throughout the architecture rather than
residing in a central TCB. Because distributed component systems are frequently
heterogeneous, security may be implemented differently on different platforms. Security
might be enforced by the application components, middleware, operating system,
hardware, or any combination of these. Some platforms may contain a great deal of code
that is trusted to enforce the security policy, whereas other platforms may have very little.
Distributing security in this manner means that a particular distributed application may be
secure, but that fact is hard to confirm. In a distributed component system, the
combination of all of this trusted code together theoretically embodies a distributed TCB.
But is this really a distributed TCB? Probably not. It may be tamperproof and always
invoked, but it may not be small enough to be easy to analyze. That’s a concern, because
if you can’t analyze the system, you can’t be at all certain that your valuable data is being
protected.
Some security traditionalists believe that it is not possible to build highly secure
distributed component systems. There is a question, though, of whether a TCB model is
even appropriate for distributed component environments. Although TCBs are great for
enforcing security, they aren’t sufficiently flexible to support component-based systems.
Exposed: Many distributed component systems are designed to work over the Internet or
large intranets. Data going over networks is subject to packet-sniffing interception.
Twenty-two years ago, life was reasonably simple for the security professional. Sensitive
data resided on monolithic backend data stores. There were only a few physical access
paths to the data, which were protected by well-understood operating system access
control mechanisms. Policies, procedures, and tools have been in place for many years to
solve this class of problems.
Several years ago, Web-based applications burst onto the scene. With the advent of e-
commerce in this environment, secure access to the Web servers was extremely
important. Today, there are many mature perimeter security technologies, such as SSL,
firewalls, and Web authentication/authorization servers that enforce security between
browser clients and corporate Web servers.
Huge numbers of companies are now building complex e-commerce logic into
application servers in the mid-tier. The business motivation for this development is
compelling. Mid-tier business logic allows accessibility to backend legacy data in ways
never imagined. The opportunities for increased interaction among all kinds of buyers
and suppliers seem endless.
Security gets much more interesting through the introduction of components in the
middle tier. Although there are many mid-tier technologies that hook up Web servers to
backend legacy systems, the security of these approaches is often nonexistent. In fact,
several recent publicized attacks have been caused by weaknesses in mid-tier security
that have exposed sensitive backend data (customer credit card numbers and purchase
data) to the outside world. Companies are usually at a loss for what to do with middle tier
security.
To solve the thorny issue of securely connecting Web servers to the back office, let’s now
discuss the concept of end-to-end EASI. As previously discussed, EASI is a special case
of EAI.
In the enterprise architecture shown in Figure 17.4, a user accesses an application in the
presentation layer (a Web browser client sends requests to a Web server), which
communicates to mid-tier business components (application servers)[1]. Frequently, the
client request is transmitted through a complex, multitier chain of business components
running on a variety of platforms. The request finally makes it to one or more backend
legacy systems, which accesses persistent data stores on behalf of the user, processes the
request, and returns the appropriate results.
EASI Solutions
EASI solutions integrate security technologies across the perimeter, middle, and legacy
security tiers. An EASI solution first and foremost consists of a security framework,
which describes a collection of security service interfaces that may be implemented by an
evolving set of security products.
An EASI solution also includes integration techniques, such as bridges, wrappers, and
interceptors that developers can use to plug security technologies into a middleware
environment. To hook together different security technologies, EASI must solve a key
problem: defining a secure association between clients and targets that establishes a
common security context. The security context consists of a user’s privileges that must be
transferred across the system to a target application. A user’s privileges, which form the
basis for authorization decisions and audit events, must be protected as they are
transmitted between perimeter, middle, and legacy tiers. Because each technology in
these tiers represents and protects a user’s privileges differently, integration of security
context can be a rather difficult problem.
EASI Framework
The EASI framework, as shown in Figure 17.5, specifies the interactions among the
security services and application components that use those security services. By using
common interfaces, it’s possible to add new security technology solutions without
making big changes to the existing framework. In this way, the EASI framework supports
“plug-ins” for new security technologies. Key aspects of the framework are shown in
Figure 17.5[1].
Applications
The security aware application uses the security Application Program Interfaces (APIs) to
access and validate the security policies that apply to it. Security aware applications may
directly access security functions that enable the applications to perform additional
security checks and fully exploit the capabilities of the security infrastructure.
Security Unaware Application
The security unaware application does not explicitly call security services, but it is still
secured by the supporting environment (an Enterprise Java Bean [EJB] container).
Security is typically enforced for security unaware applications by using interceptors,
which transparently call the underlying security APIs on behalf of the application. This
approach reduces the burden on application developers to develop security modules
within the application and lessens the chance of security flaws being introduced.
Other applications, called security self-reliant applications, do not use any of the security
services provided by the framework. A security self-reliant application may not use the
security services because it has no security relevant functionality and, thus, does not need
to be secured, or because it uses separate independent security functions that are not part
of the defined EASI security framework.
The framework security APIs are called explicitly by security aware applications and
implicitly by security unaware applications via interceptors. Security APIs provide
interfaces for access to the framework security services. The framework supports
standard, custom, and vendor security APIs.
Support for APIs is based on open standards or industry de facto standards, such as XML
(SAML), J2EE, .NET, and CORBA. These standards should be used whenever possible
because they are likely to provide the most stability and the most flexibility across many
different vendors’ products.
Custom APIs may be implemented when an enterprise’s needs cannot be met by existing
standard APIs. Custom APIs are required especially when an enterprise uses a security
service that is tailored to its business, for example, a custom rule-based entitlements
engine developed internally by an investment bank.
As a last resort, vendor-specific proprietary APIs may be used where open standards have
not yet been defined. You should avoid using proprietary security APIs in applications if
at all possible. Proprietary APIs make it very difficult for the developer or administrator
to switch security products. Although vendors may think this is a great idea, security
technology is changing much too rapidly to be confined to any one product. As an
alternative, you should wrap a vendor’s proprietary API with a standard or custom API.
Core Security Services
The next layer of the security framework provides core security services enabling end-to-
end application security across multitier applications. Each of the security services
defines a wrapper that sits between the security APIs and the security products. The
security services wrappers serve to isolate applications from underlying security
products. By creating a new wrapper, it is straightforward to switch security products
without affecting application code, if the need arises. The key security services are
authentication, authorization, cryptography, accountability, and security administration.
Authentication
Verifying that principals (human users, registered system entities, and components) are
who they claim to be is what is known as authentication. The result of authentication is a
set of credentials, which describe the attributes (identity, role, group, clearance) that may
be associated with the authenticated principal.
Authorization
Cryptography
Cryptographic algorithms and protocols for protecting data and messages from disclosure
and/or modification are what is known as cryptography. Encryption provides
confidentiality by encoding data into an unintelligible form with a reversible algorithm
that allows the holder of the encryption key(s) to decode the encrypted data. Digital
signatures apply cryptography to ensure that data is authentic and has not been modified
during storage[2] or transmission.
Accountability
Ensuring that principals are accountable for their actions is what is known as
accountability. A security audit provides a record of security-relevant events and permits
monitoring of a principal’s actions in a system. Nonrepudiation provides irrefutable proof
of data origin and/or receipt.
Security Administration
Security administration is the process of defining and maintaining the security policies
embodied in user profiles, authentication, authorization, and accountability mechanisms.
This also includes other data relevant to the security framework.
The framework provides general security facilities that support the core security services.
The framework security facilities are the profile manager, security association, and proxy
services.
Profile Manager
The profile manager provides a general facility for persistent storage of user and
application profile data. It allows data to be accessed by other framework services.
Security Association
Security association handles the principal’s security credentials and controls how they
propagate. During a communication between any two client and target application
components, the security association establishes the trust in each party’s credentials, and
creates the security context that will be used when protecting requests and responses in
transit between client and target. The security association controls the use of delegation,
which allows a delegated intermediate to use the credentials of an initiating principal so
that the delegate may act on behalf of the initiating principal.
Security Products
By now, the benefits of using a framework to address EASI should be clear. Standards are
the best way to maintain application portability and interoperability in the long run.
Products and technologies will come and go, but generally accepted security standards
for fundamental security services will be much more stable. A standards-based set of
security APIs allows you to evolve security products over time without needing to rewrite
your applications. Designing your applications for evolving security products is
important, because your business requirements and new security technologies will
continue to be a moving target. You might pick a great security product that satisfies your
needs for now, but you’ll probably want to change at some point as business or market
needs change. In addition, you want to avoid being stuck with any one vendor’s product,
because the high cost of custom code modification limits your options.
Having a security framework also means that you don’t need to implement everything at
once. The framework allows you to start out small by picking the security services you
need, and build up more sophisticated security functionality when and if it’s required.
The framework gives you a road map for your security architecture, helping to guide you
on how to pick products and technologies that match your needs over time.
Finally, the framework puts the security focus where it should be: on building a common
infrastructure that can be shared across the enterprise. Custom-built security that is hand-
coded within applications is expensive to implement and maintain, and is likely to have
more security vulnerabilities. A single security infrastructure with APIs that can be used
by all of your applications avoids multiple, duplicate definitions of users, security
attributes, and other policies. You can focus your limited time and money on building up
a few critical interoperable security technologies, rather than coping with a mass of
unrelated security products that will never work together.
Principles of EASI
Now, let’s look at some basic principles to follow when integrating security into
component-based e-commerce applications. You’ll learn these rules as you apply EASI
techniques to many large customers’ problems.
Authentication
The two principles of authentication are trust no one (not to be confused with the FOX
television series the “X-Files”) and balance cost against threat.
Trust No One
In distributed systems, authentication isn’t just about people. A client request bounces
through many applications in a multitier architecture, so there are many points of
vulnerability. Each component that is a part of a request chain should be authenticated on
its own. If not, an attacker may be able to insert a new component in this chain and cause
serious damage. The more complex the application architecture, the more serious the
threat.
On the other hand, the best authentication isn’t for everyone. The most secure
authentication, such as public key certificates on smart cards, is probably too expensive
to deploy and manage for many applications. If authentication techniques are too strong,
people may just give up and not use the system. It’s better to have authentication that
people will use rather than building a secure boat anchor. Single sign-on is an example of
this principle; no one likes to log in more than once.
Authorization
The two principles of authorization are application driven and push security down.
Application Driven
Authorization policies aren’t really to protect URLs or files—they protect business data
that resides in those files. A lot of time and money is wasted blindly setting up security
products that do little to protect important application data. To secure a system, don’t lose
sight of the fact that the most important thing to understand is the purpose of the business
application. After you understand what the business application is for, and what bad
security things could go wrong, then you can figure out the best way to protect the data.
After you know which application data is really important to protect, look to enforce
authorization at the lowest practical level in the architecture. Least desirable is within the
application, although some policies cannot be enforced anywhere else. By pushing
authorization down to the lower layers of the architecture, you’re more likely to have
robust common security mechanisms that can be shared across many applications.
E-commerce applications are all about managing huge numbers: millions of users and
resources, thousands of servers. The best way to deal with large numbers is to collect
things into groups, and make those groups hierarchical. By defining collections,
administrators can set policies on lots of things at the same time and delegate security
responsibilities across many administrators.
Note Collections are not just about people; services and data should also be grouped to
handle scale.
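As an added illustration of the collections principle above (not code from the book), here is a small Python model in which policies attach to hierarchical collections of principals and of resources, and each administrator may only set policy inside the subtree delegated to them; the group, server and administrator names are constructed sample data.

```python
"""Hierarchical collections for authorization at scale.
Added illustration, not the book's code: principals and resources sit in
nested collections, policies attach to collections rather than to single
users or servers, and each administrator is delegated one subtree of each
hierarchy. All group, server and administrator names are constructed."""
from dataclasses import dataclass, field


class Collection:
    """A node in a hierarchy of principals or of resources."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent

    def ancestors(self):
        """Yield this collection and everything above it, nearest first."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def is_within(self, other):
        return any(node is other for node in self.ancestors())


@dataclass(frozen=True)
class Policy:
    group: Collection      # collection of principals the policy applies to
    resource: Collection   # collection of resources it covers
    action: str
    allow: bool


@dataclass
class PolicyStore:
    policies: list = field(default_factory=list)
    # admin name -> (principal subtree, resource subtree) that admin may manage
    delegations: dict = field(default_factory=dict)

    def add_policy(self, admin, policy):
        """Administrators may only attach policy inside their delegated subtrees."""
        scope = self.delegations.get(admin)
        if scope is None:
            raise PermissionError(f"{admin} is not a delegated administrator")
        group_scope, resource_scope = scope
        if not (policy.group.is_within(group_scope)
                and policy.resource.is_within(resource_scope)):
            raise PermissionError(f"{admin} may not set policy outside its scope")
        self.policies.append(policy)

    def is_allowed(self, group, resource, action):
        """Walk up both hierarchies: the most specific match wins (principal
        distance first, then resource distance), an explicit deny beats an
        allow at equal specificity, and no match at all means deny."""
        best = None  # ((group_distance, resource_distance), allow)
        for gd, g in enumerate(group.ancestors()):
            for rd, r in enumerate(resource.ancestors()):
                for p in self.policies:
                    if p.group is g and p.resource is r and p.action == action:
                        key = (gd, rd)
                        if best is None or key < best[0] or (key == best[0] and not p.allow):
                            best = (key, p.allow)
        return bool(best and best[1])


def delegation_rejected(store, admin, policy):
    """True if the store refuses the policy on delegation-scope grounds."""
    try:
        store.add_policy(admin, policy)
    except PermissionError:
        return True
    return False


def build_demo():
    """Constructed sample estate: a group tree, a server tree, two
    administrators and three collection-level policies."""
    everyone = Collection("everyone")
    trading = Collection("trading", everyone)
    equities = Collection("equities-desk", trading)
    contractors = Collection("contractors", everyone)
    all_servers = Collection("all-servers")
    ny_servers = Collection("ny-servers", all_servers)
    order_db = Collection("order-db", ny_servers)

    store = PolicyStore()
    store.delegations["central-admin"] = (everyone, all_servers)
    store.delegations["trading-admin"] = (trading, ny_servers)
    # One entry grants every trading principal read access to every NY server.
    store.add_policy("central-admin", Policy(trading, ny_servers, "read", True))
    # One entry denies contractors read access across the whole estate.
    store.add_policy("central-admin", Policy(contractors, all_servers, "read", False))
    # The delegated trading administrator adds a narrower grant inside its scope.
    store.add_policy("trading-admin", Policy(equities, order_db, "write", True))
    nodes = dict(everyone=everyone, trading=trading, equities=equities,
                 contractors=contractors, all_servers=all_servers,
                 ny_servers=ny_servers, order_db=order_db)
    return store, nodes
```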
Security Association
The principles of security association are to think end-to-end, not point-to-point, and
to design for failure.
Finally, a simplistic component model assumes that all applications trust each other to
protect data. That may be okay for small systems, but it’s a dangerous assumption when
the applications are more distributed. If one component is compromised in this scenario,
then the entire set of distributed components is vulnerable. A better approach is to view
collections of components as mutually suspicious islands—if one collection of
components is compromised, then others will still be safe.
Summary
Next, the chapter described the many challenges of enforcing security in component-
based applications. It defined the notion of a TCB, and showed that the TCB concept is
not a very good match for distributed component environments.
Finally, the chapter introduced Enterprise Application Security Integration (EASI), which
is used to tie together many different security technologies. It defined perimeter, middle,
and legacy tiers of security, and described how they all work together to provide end-to-
end security. The chapter then defined an EASI solution in terms of a security framework,
technologies, and integration techniques that hook those technologies together. The EASI
framework consists of a number of layers, including the applications, APIs, core security
services, framework security services, and underlying security products.
Chapter 18: Strong Transaction Security
in Multiple Server Environments
“The ballot is stronger than the bullet.”
Overview
For information exchange between servers and client browsers, and between servers, load
balancing devices and SSL accelerators, SSL certificates have become recognized as the
bottom line in security. Working with the SSL protocol for encryption, SSL certificates
protect businesses against site spoofing, data corruption, and repudiation of agreements.
They assure customers that it is safe to submit personal information, and provide
colleagues with the trust they need to share sensitive business information.
If your company has multiple servers and load balancing devices in its network, you can
now manage your own SSL certificates locally with managed public key infrastructure
(PKI) for SSL certificates. If you need to secure five or more servers, enrollments and
cancellations can become cumbersome when managed one-by-one. With managed PKI
for SSL certificates, you save money by purchasing your SSL certificates in bulk, then
save time by issuing your own IDs to servers and load balancing devices within your
organization. You can customize your end-user support to meet your company-specific
needs, and integrate your server and client security systems.
This chapter provides you with a basic introduction to digital ID technology and SSL
certificates. It then lays out the reasons that you would want to consider managed PKI for
SSL certificates as an alternative to one-by-one purchasing. Finally, it presents the
features you can expect if you decide managed PKI for SSL certificates is right for your
organization.
Given the security risks involved in conducting business online, what does it take to
make your Internet transactions and company communications safe? Industry leaders
agree that the answer is the SSL certificate. Over 607,000 SSL certificates have been
issued as of this writing. Companies using SSL certificates include 92 of the Fortune 100
companies and all of the RelevantKnowledge, Inc. Top 20 Commerce Sites.
What Is a Digital ID?
When a CA issues digital IDs, it verifies that the owner is not claiming a false identity.
Just as when a government issues a passport, it is officially vouching for the identity of
the holder. When a CA gives your business a digital certificate, it is putting its name
behind your right to use your company name and Web address.
One widely used tool for privacy protection is what cryptographers call a “secret key.”
Logon passwords and cash card PINs are examples of secret keys. Consumers share these
secret keys only with the parties they want to communicate with, such as an online
subscription service or a bank. Private information is then encrypted with this password,
and it can only be decrypted by one of the parties holding that same password.
Despite its widespread use, this secret-key system has some serious limitations. As
network communications proliferate, it becomes very cumbersome for users to create and
remember different passwords for each situation. Moreover, the sharing of a secret key
involves inherent risks. In the process of transmitting a password, it can fall into the
wrong hands. Or, one of the sharing parties might use it maliciously and then deny all
action.
Digital ID technology addresses these issues because it does not rely on the sharing of
secret keys. Rather than using the same key to both encrypt and decrypt data, a digital ID
uses a matched pair of keys that are unique complements to one another. In other words,
what is done by one key can only be undone by the other key in the pair.
In this type of key-pair system, your “private key” gets installed on your server and can
only be accessed by you. Your “public key” gets widely distributed as part of a digital ID.
Customers, partners, or employees who want to communicate privately with your server
can use the public key in your digital ID to encrypt information, and you are then the only
one who can decrypt that information. Because the public key alone does not provide
access to communications, you do not need to worry about who gets hold of this key.
Your digital ID tells customers and correspondents that your public key in fact belongs to
you. Also, your digital ID contains your name and identifying information, your public
key, and digital signature as certification.
Secure server digital IDs allow any server to implement the SSL protocol, which is the
standard technology for secure, Web-based communications. SSL capability is built into
server hardware, but it requires a digital ID in order to be functional. So, with the latest
SSL and a secure server digital ID, your Web site should support the following functions:
• Mutual authentication
• Message privacy
• Message integrity[1]
Mutual Authentication
With mutual authentication, the identity of both the server and the customer can be
verified, so that all parties know exactly who is on the other end of the transaction.
Message Privacy
With message privacy, all traffic between the server and the customer is encrypted using a
unique “session key.” Each session key is only used with one customer during one
connection, and that key is itself encrypted with the server’s public key. These layers of
privacy protection guarantee that information cannot be intercepted or viewed by
unauthorized parties.
Message Integrity
With message integrity, the contents of all communications between the server and the
customer are protected from being altered en route. All those involved in the transaction
know that what they’re seeing is exactly what was sent out from the other side.
Figure 18.1 illustrates the process that guarantees protected communications between a
server and a client[1]. All exchanges of digital IDs happen within a matter of seconds and
appear seamless to the client.
All of this technology translates to online communications that are safe for you and your
customers. End users know exactly who they are dealing with and feel comfortable that
the information they send is not falling into unknown hands. You know that your server is
receiving accurate transmissions that have not been tampered with or viewed en route.
Both the Netscape Navigator and Microsoft Internet Explorer browsers have built-in
security mechanisms to prevent users from unwittingly submitting sensitive information
over insecure channels. If a user tries to submit information to an unsecured site, the
browsers will, by default, show a warning such as the one shown in Figure 18.2[1].
By contrast, if a user attempts to submit information to a site with a valid digital ID and
an SSL connection, no such warning is sent. Furthermore, both the Microsoft and
Netscape browsers provide users with a positive visual clue that they are at a secure site.
In Netscape Navigator 3.0 and earlier, the key icon in the lower-left corner of the
browser, which is normally broken, is made whole. In Netscape Navigator 4.0 and later,
as well as in Microsoft Internet Explorer, the normally open padlock icon becomes shut,
as shown in Figure 18.3[1].
The Needs of Your Organization
After you have decided to invest in the peace of mind that comes with SSL certificates,
you will need to decide whether one-by-one purchasing or managed PKI for SSL
certificates meets the needs of your organization. The following are several factors you
should consider:
If your company will be hosting five or more servers within the next year, you are a good
candidate for managed PKI for SSL certificates. You can begin with five SSL certificates
and the administrator’s kit. This should meet your current needs plus your renewals for
later in the year. You will save money through a bulk discount, while increasing
efficiency significantly by eliminating the need to enroll and pay separately for each SSL
certificate.
If you want the ability to expand, reduce, or restructure your network with no hassle,
managed PKI for SSL certificates is the answer. With one-by-one purchasing, each
addition, renewal, or cancellation of a secure server must go through a service center.
Each SSL certificate requires 3–5 business days to be issued and must be paid for with a
separate credit card processing or purchase order. When you purchase in bulk through
managed PKI for SSL certificates, your managed PKI administrator can issue and cancel
SSL certificates instantly, giving you superior control of your operations, especially in
critical times.
Cross-Departmental Coordination
If several groups within your organization are likely to work with secure servers,
managed PKI for SSL certificates will simplify and enhance your information system
management. When server hosts from each department apply separately for SSL
certificates, the result can be disorganization, compromising both the efficiency and
integrity of your network’s security. A department might “reinvent the wheel” that has
already been invented within the company, or, alternatively, a group might assume that a
given security issue is being handled elsewhere and thus fail to address it. With one
administrator distributing SSL certificates as the need arises, you reduce the possibility
for overlap or lapse in the security of your electronic communications.
The Needs of Your End Users
Would your end users benefit from a Web and e-mail interface that is designed for their
specific use? With managed PKI for SSL certificates, you have the option of customizing
the enrollment forms and support pages your users see. With one-by-one management,
each person hosting a secure server interacts with the system for enrollment, renewal, and
cancellation. This interface, while straightforward and user-friendly, is designed for
general use with any server.
If you purchase your SSL certificates through managed PKI, your package includes
enrollment and support screens, but you also have the option of customizing or creating
your own pages. You can provide instructions specific to your server software, your
organizational structure, or other company specifics. You can design the look and feel to
match the interface your users are comfortable with, and even integrate it with your
personal digital ID interface, if you use managed PKI to issue digital certificates to
individuals.
When your users need technical support, they can immediately access the managed PKI
administrator within your organization. If the problem cannot be addressed locally, the
managed PKI administrator can always contact a member of the support team.
Managed PKI for SSL certificates is designed to be easily installed and administered. The
following features provide the backbone of your network security system: the managed
PKI for SSL certificates administrator and instant enrollment for SSL certificates.
When you use managed PKI for SSL certificates to manage your secure network, an
administrator within your organization oversees a local control center to issue SSL
certificates. This managed PKI administrator, using a standard PC with the Netscape
Navigator browser, purchases managed PKI for SSL certificates, and receives an
administrator’s kit. Before issuing the administrator’s kit, the vendor should conduct the
necessary background checks to ensure that your organization is legitimate and has the
right to use the domain names being secured.
The administrator’s kit should include all of the software necessary to establish a
managed PKI control center on the administrator’s PC. It also includes an optional smart
card reader and a managed PKI administrator ID stored on a smart card. After the
administrator’s kit is installed and the control center is up and running, you are ready to
start issuing SSL certificates.
Instant Enrollment for SSL Certificates
The local control center allows users within your network to receive SSL certificates
without any manual intervention. Because a vendor has already verified your company
and domain names, the only approval necessary is from the managed PKI administrator at
your organization. The enrollment process goes as follows:
1. A user within your network generates a Certificate Signing Request (CSR) on the
server being secured.
2. The user submits the CSR, along with the necessary enrollment forms, to the
digital ID center.
3. The vendor instantly and automatically sends a pending request to the managed
PKI control center at your organization.
4. The managed PKI administrator within your organization validates the user’s
enrollment request.
5. The vendor then generates an SSL certificate and sends it to the user’s e-mail
address.
6. The user downloads the SSL certificate and installs it on the server[1].
Finally, all communications occur in protected SSL sessions and are, thus, safe for your
company.
Summary
For the strongest, most reliable protection of your client-browser communications, SSL
certificates are widely recognized as the industry standard. SSL certificates allow your
Internet site or corporate network to enable SSL encryption, which authenticates your
server and guarantees against alteration and interception of data.
For SSL certificate protection on multiserver networks, managed PKI for SSL certificates
makes managing your SSL certificates cheaper and more efficient, and enhances
coordination within your organization. Managed PKI for SSL certificates provides the
options of customized end-user support, private-label certification, and integration with
managed PKI for issuing digital certificates to individuals, making it the security system
that fits the unique needs of your company.
Managed PKI for client IDs allows an organization to issue digital certificates to
individuals within its network. These digital IDs can replace password logons to a
company network and allow your Web site to control who accesses its content. Personal
digital IDs also make it possible to send digitally signed and encrypted e-mail, using the
Secure Multipurpose Internet Mail Extension (S/MIME) protocol.
Finally, if your company already uses managed PKI to issue digital certificates to
individuals within its network, or if you are interested in doing so, you can integrate this
system with your managed PKI for SSL certificate management. The managed PKI
administrator’s kit gives you the option of controlling all IDs from one control center.
Chapter 19: Securing and Managing Your
Storefront for E-Business
“Is it possible to store the mind with a billion facts and still be entirely uneducated?”
—Anonymous
Overview
Businesses that accept transactions via their online storefront can gain a competitive edge
by reaching a worldwide audience, at very low cost. But, the online storefront poses a
unique set of security issues, which businesses must address at the outset to minimize
risk. Customers will submit information via the online storefront only if they are
confident that their personal information, such as credit card numbers, financial data, or
medical history, is secure.
This chapter is a continuation of Chapter 18, with very detailed explanations of key
issues related to online storefront security. It also describes the technologies that are used
to address the issues, and provides step-by-step instructions for obtaining and installing
an SSL certificate.
An SSL certificate, also known as a digital certificate (see sidebar, “How Digital
Certificates Work”), is the electronic equivalent of a business license. SSL certificates are
issued by a trusted third party, called a Certification Authority (CA). The CA that issues
an SSL certificate is vouching for your right to use your company name and Web
storefront address, just as the office of the Secretary of State does when it issues Articles
of Incorporation. CAs can also issue digital certificates to individuals.
Before issuing an SSL certificate, the CA reviews your credentials (such as your
organization’s Dun & Bradstreet number or Articles of Incorporation) and completes a
thorough background checking process to ensure that your organization is what it claims
to be, and is not claiming a false identity. Then, the CA issues your organization an SSL
certificate, which is an electronic credential that your business can present to prove its
identity or right to access information (see sidebar, “How Digital Certificates Work”).
An SSL certificate from the CA provides the ultimate in credibility for your online
business. A CA’s rigorous authentication practices set the industry standard. The CA
documents its carefully crafted and time-proven practices and procedures in a Certificate
Practices Statement. And, the CA annually undergoes an extensive SAS 70 Type II audit
by KPMG.
Note The Statement of Auditing Standard 70, SAS 70, was established by the American
Institute of Certified Public Accountants to certify trusted practices.
Employees responsible for dealing with certificates undergo complete background checks
and thorough training. The CA has achieved its unsurpassed reputation as a trusted third
party by paying as careful attention to physical security as electronic security. For
example, a company’s 22,000-square-foot plant where keys are issued has five tiers of
security, the last three requiring fingerprint identification.
Throughout history, most private messages were kept secret with single key
cryptography. Single key cryptography is the way that most secret messages have been
sent over the centuries. In single key cryptography, there is a unique code (or key) for
both encrypting and decrypting messages. Single key cryptography works as follows:
Suppose Bob has one secret key. If Alice wants to send Bob a secret message:
SSL certificate technology employs the more advanced public key cryptography, which
does not involve the sharing of secret keys. Rather than using the same key to both
encrypt and decrypt data, an SSL certificate uses a matched pair of keys that uniquely
complement each other. When a message is encrypted by one key, only the other key can
decrypt it.
When a key pair is generated for your business, your “private key” is installed on your
server; nobody else has access to it. Your matching “public key,” in contrast, is freely
distributed as part of your SSL certificate. You can share it with anyone, and even publish
it in directories. Customers or correspondents who want to communicate with you
privately can use the public key in your SSL certificate to encrypt information before
sending it to you. Only you can decrypt the information, because only you have your
private key.
Your SSL certificate contains your name and identifying information, your public key,
and the CA’s own digital signature as certification. It tells customers and correspondents
that your public key belongs to you[2].
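The following Python example is added here and is not the book’s own code. It models the digital ID mechanics described in Chapter 18 (“What Is a Digital ID?” and “Message Privacy”) and in the public key explanation above: a CA signs a certificate binding a name to a public key, the client checks that signature before using the key to wrap a per-connection session key, and only the holder of the matching private key can unwrap it. It uses textbook RSA with freshly generated 64-bit primes and no padding, sized for illustration only; the CA, server and site names are constructed.

```python
"""Digital ID mechanics with textbook RSA (added illustration, not the book's
code): a CA signs a certificate binding a name to a public key, the client
checks that signature before wrapping a fresh session key under the key, and
only the matching private key unwraps it. 64-bit primes, no padding: teaching
sizes only; all names are constructed."""
import hashlib
import json
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=64, e=65537):
    """Return ((n, e), (n, d)): what one key does, only the other can undo."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")  # < 2**64 < n

def rsa_sign(private_key, data):
    n, d = private_key
    return pow(digest(data), d, n)

def rsa_verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data)

def canonical(fields):
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(ca_private, subject, subject_public):
    """The CA puts its name behind the binding of this subject to this key."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {**body, "signature": rsa_sign(ca_private, canonical(body))}

def verify_certificate(ca_public, cert, expected_subject):
    body = {k: cert[k] for k in ("subject", "n", "e")}
    return (cert["subject"] == expected_subject
            and rsa_verify(ca_public, canonical(body), cert["signature"]))

def client_open_session(ca_public, cert, expected_subject):
    """Verify the digital ID, then return (session_key, wrapped) or None."""
    if not verify_certificate(ca_public, cert, expected_subject):
        return None
    session_key = secrets.token_bytes(12)  # 96 bits, always below the modulus
    wrapped = pow(int.from_bytes(session_key, "big"), cert["e"], cert["n"])
    return session_key, wrapped

def server_open_session(server_private, wrapped):
    n, d = server_private
    return pow(wrapped, d, n).to_bytes(12, "big")

def run_handshake():
    """A genuine server, then a spoofer presenting the same name with its own key."""
    ca_public, ca_private = generate_keypair()
    server_public, server_private = generate_keypair()
    name = "www.example-store.test"
    cert = issue_certificate(ca_private, name, server_public)
    opened = client_open_session(ca_public, cert, name)
    recovered = server_open_session(server_private, opened[1]) if opened else None
    # Spoofing attempt: reuse the certificate body but substitute another key.
    spoof_public, _ = generate_keypair()
    spoofed = dict(cert, n=spoof_public[0], e=spoof_public[1])
    return {
        "genuine_ok": opened is not None,
        "keys_match": opened is not None and recovered == opened[0],
        "spoofed_ok": client_open_session(ca_public, spoofed, name) is not None,
        "wrong_name_ok": client_open_session(ca_public, cert, "www.other.test") is not None,
    }
```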
Is your site hosted on 10 or more servers? As previously explained in Chapter 18, with
one simple purchase, a managed PKI service lets you issue all the SSL certificates you
need (either standard or universal 128-bit SSL certificates) in bundles of 10, 25, 50, 100,
or more. A convenient one-step purchasing process lets you take advantage of a single
purchase order, and volume discounts make managed PKI the most cost-effective way to
secure big sites. Managed PKI is simple to set up and configure: start issuing server
certificates quickly via a CA’s intuitive, Web storefront-based process. Renewing IDs or
buying additional IDs is just as easy.
Learning More About Your Customers Through Client Authentication
An SSL certificate tells your customers exactly who you are. Suppose you want to learn
who your customers are, or to restrict access to your content to certain consumers. You
can set up your Web storefront site to authenticate visitors’ identities with SSL certificates
for individual users. Compared to asking customers to supply a user name and password,
SSL certificate registration is more convenient for customers and more informative for
your business.
Until recently, strong 128-bit encryption was not exportable. The United States
Department of Commerce has approved the issuance of certificates for 128-bit encrypted
communications—the highest level of encryption ever allowed across United States
borders. With a 128-bit Global Server ID, your 128-bit customers can now enjoy
unparalleled security when visiting your Web storefront site. The Global Server ID is a
septillion times more secure than any other product.
CA payment services provide the ideal payment transaction platform for merchants who
want to conduct business on the Internet. Regardless of your business’s size or demands,
a CA can deliver the right solution: a fast, scalable, and reliable Internet payment
platform that enables companies to authorize, process, and manage multiple payment
types. Payment services bring affordability, flexibility, and convenience to Internet
payment processing by combining a flat-fee monthly pricing model with a growing menu
of services and solutions for merchants, financial institutions, resellers, and developers.
For example, VeriSign’s Commerce Site and Commerce Site Pro Services combine SSL
certificates with the VeriSign Payflow Pro service to form a complete, integrated solution
that’s ideal for e-merchants and online stores. Commerce Site includes a 40-bit SSL
certificate and Payflow Pro, plus additional value-added services. Commerce Site Pro
also includes a 128-bit SSL Global Server ID and Payflow Pro, plus value-added
services.
Payflow Pro is designed especially to help Web storefront merchants securely accept and
process credit card, debit card, purchase card, and electronic check payments. Payflow
Pro is a versatile solution for online payment processing, and is ideal for large-scale, e-
commerce merchants that require peak performance and complete customizability.
Payflow Pro enables payment processing through a small SSL TCP/IP-enabled client that
controls communications between merchants’ applications and the Payflow platform.
Designed for scalability and reliability, Payflow Pro creates a dedicated SSL TCP/IP-
level communication thread for each transaction between the client and the server.
Payflow Pro is downloadable as a Software Development Kit (SDK) or comes
preintegrated with most shopping carts and e-commerce platforms. Up to 5,000
transactions are included.
Step-By-Step Instructions
In one to three days, after the CA has verified your credentials, you will receive your SSL
certificate via e-mail. Simply install the SSL certificate on your server, and then
immediately begin conducting transactions online—with the confidence that you and
your customers are protected.
Before beginning a CA’s online enrollment, check to make sure you are ready to proceed
by preparing the following.
Nearly all brands support the CA’s 40-bit SSL certificates. The server on which the
128-bit Global Server ID is installed can run server software from any non-U.S. software
vendor, or software from a U.S. software vendor properly classified by the U.S.
Department of Commerce, including:
• Apache-SSL
• BEA WebLogic
• C2Net Apache Stronghold
• Compaq/Tandem iTP Webserver
• Covalent Raven
• Hewlett Packard Virtual Vault (with Netscape Enterprise)
• IBM http Server/Webphone
• iPlanet Servers
• Lotus Domino
• Microsoft IIS
• Mod-SSL
• Nanoteq Netseq server
• Netscape Suite Spot servers, including Netscape Enterprise and Netscape Proxy
Server
• O’Reilly WebSite Pro
• Red Hat Professional
• Zeus[2]
Preparing Payment
If you are applying for a free, 14-day trial SSL certificate, no payment is necessary. If you
are purchasing a one-year, full-service SSL certificate, you can pay with a purchase order,
check, wire transfer, or an American Express®, Visa®, MasterCard®, or Discover card.
In the process of enrolling, you will need to sign a Secure Server Subscriber Agreement.
Before issuing your SSL certificate, the CA must confirm that your company is legitimate
and is registered with the proper government authorities. If you have a Dun & Bradstreet
DUNS number, simply supply your number. International DUNS numbers must be in the
Dun & Bradstreet database for at least two months before a CA can verify the
information. If you do not have a DUNS number, either go to http://www.dnb.com/us/ and
apply for one, or submit a hard copy of at least one of the following filed documents for
your company: articles of incorporation, partnership papers, business license, or fictitious
business license. All documents must be in English.
Collecting credit card payments (in person or via the phone or Web) always involves two
steps. First, obtain the credit card number from the customer. Second, secure payment
from an acquiring processor on behalf of the credit card issuing bank. When your
business uses an SSL certificate to obtain billing information from your customers, you
have two options for collecting payments from the acquiring processor: traditional phone-
in or online processing. You are now ready to obtain your SSL certificate (see sidebar,
“How to Obtain Your SSL Certificate”).
How to Obtain Your SSL Certificate
To complete your SSL certificate enrollment, please visit one of many sites, for example:
http://www.verisign.com/products/site. There, you will be instructed to complete the
following steps.
Copy and paste the CSR into the CA online enrollment form for the trial or the
one-year subscription. Click the Submit button.
3. Complete application: Fill out the online application form with information
about your company and contacts. The technical contact must be authorized to run
and maintain your secure Web storefront server and must be employed by your
organization. If you access the Web storefront through an Internet Service
Provider (ISP), the ISP may complete the CSR for you and serve as the technical
contact, and you can then enroll. If your ISP does not offer CA IDs, refer it to
www.verisign.com/isp/index.html for information about VeriSign’s Secure Site ISP
Program.
The billing contact will receive invoices. This can be the same person as the
technical or organizational contact.
Note: SSL imposes some performance overhead. Therefore, most server software
applications allow you to apply SSL selectively to Web storefront pages that require
encryption, such as payment pages. There is no benefit from applying SSL to
product information pages, for example.
Congratulations! You can now offer secure transactions to your online customers.
Traditional Phone-In
If your business already collects credit card payments from person-to-person or telephone
sales, you are probably using this method currently. Simply read each customer’s card
number from your Internet order form and transmit it to the processor using a point-of-
sale (POS) terminal.
If your business is not yet set up to collect credit card payments, contact a merchant
services company, such as First Data Corporation Web Info. Merchant service companies
generally charge a nominal setup fee, also called an underwriting fee, and then charge a
percentage of each transaction.
Online Processing
Most leading credit card processors offer their merchants the option to collect payments
online. The payment-enabling software needed for these transactions depends on the
system that the credit card service provider uses. For example, Payflow℠ Payment
Services provide high-quality, low-cost payment connectivity between buyers, sellers,
and financial networks. Payflow services bring the Internet’s “anyone-to-anyone” ease of
connectivity to the payments industry. By using Payflow, a merchant can connect to any
bank, transaction service, or form of payment without worrying about the underlying
technology. Customers can pay with a variety of financial instruments, including
checking accounts, savings accounts, and credit cards, quickly and simply.
Now, let’s look at how to establish trust to protect and grow your online storefront. In
other words, in light of the risks associated with electronic commerce and online
communication, it is imperative to not only use secure encryption technology when
conducting online business, but to also be able to prove one’s identity and develop trust
relationships with customers and partners.
Building online trust relationships with partners and customers involves being
authenticated by a trusted third party and receiving an authenticated SSL digital
certificate that is signed by that trusted third party. Encryption, the process of
transforming information to make it unintelligible to all but the intended recipient(s),
forms the basis of data integrity and privacy necessary for online business. Without
authentication, however, encryption technology does not sufficiently protect online users.
Authentication must be used in conjunction with encryption to provide:
• Confirmation that the organization named in the certificate has the right to use the
domain name included in the certificate
• Confirmation that the organization named in the certificate is a legal entity
• Confirmation that the individual who requested the SSL certificate on behalf of
the organization was authorized to do so[1]
When you establish your secure Web storefront, you can take advantage of a wealth of
options to further enhance your e-commerce operation. You can display the number-one
trust brand on the Internet (Cheskin/Studio Archetype) to give your customers the
confidence to communicate and transact business with your site. A seal allows your
visitors to check your SSL certificate’s information and status in real time, thus
increasing their trust in your online storefront and increasing your sales and revenues.
Increased trust in the safety of online transactions has numerous benefits, of which
increased revenue and profitability are the most important. There are real challenges (and
significant opportunities) for online storefronts to deliver the same level of trust and
personalization over the Internet as is offered by brick-and-mortar storefronts.
If, for example, a user intends to communicate securely with a Web site bearing an SSL
certificate with the organization name “ABC Inc.,” the user is compelled to check
whether the certificate is authenticated by a third party. The SSL certificate is intended to
convey assurance that the visited Web storefront (http://www.abc-incorporated.com) is
definitely an “ABC Inc.” Web storefront and not another entity pretending to be
ABC Inc. in order to trick Web site visitors into doing business with it. Only through
rigorous authentication can a company prove to its customers and partners that its Web
storefront is authentic and has the right to use the domain name presented on the
certificate.
[2] “Guide to Securing Your Web Site for Business,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.
[1] “Establish Trust to Protect and Grow Your Online Business,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.
In the age of e-business, authenticated SSL certificates provide crucial online identity and
security to help establish trust between parties involved in online transactions over digital
networks. Regardless of whether commerce takes place in the digital world or in the
physical world, the parties involved must be able to answer these questions:
Encryption
The Web presents a unique set of trust issues, which businesses must address at the outset
to minimize risk. Customers submit information and purchase goods or services via the
Web, only when they are confident that their personal information, such as credit card
numbers and financial data, is secure. The solution for businesses that are serious about e-
commerce is to implement a complete e-commerce trust infrastructure based on
encryption technology. Encryption, the process of transforming information to make it
unintelligible to all but the intended recipient, forms the basis of data integrity and
privacy necessary for e-commerce.
Authentication
Encryption is not enough; it is imperative that your Web storefront is also authenticated,
which will improve Web storefront visitors’ trust in you and your Web storefront.
Authentication means that a trusted authority can prove that you are who you say you are.
To prove that your business is authentic, your Web storefront needs to be secured by best-
of-breed encryption technology and authentication practices.
Digital Certificates
Typically, the “signer” of a digital certificate is a CA. Some digital certificates are
authenticated trusted authorities, but unfortunately there are CAs that provide
unauthenticated SSL certificates. This practice exposes online users to the risks of false
online storefronts operating on the Internet. Authenticated SSL certificates enable a Web
storefront visitor to securely communicate with the Web storefront, such that information
provided by the Web storefront visitor cannot be intercepted in transit (confidentiality) or
altered without detection (integrity), and to verify that the site the user is actually visiting
is the company’s Web site and not an imposter’s site (authentication).
• Verifying your identity and confirming that your organization is a legal entity
• Confirming that you have the right to use the domain name included in the
certificate
• Verifying that the individual who requested the SSL certificate on behalf of the
organization was authorized to do so[1]
Summary
With its worldwide reach, the Web is a lucrative distribution channel with unprecedented
potential. By setting up an online storefront, businesses can reach the millions of people
around the world already using the Internet for transactions. And, by ensuring the security
of online payments, businesses can minimize risk and reach a far larger market—the 89
percent of Internet users who still hesitate to shop online because of security concerns.
An SSL certificate enables you to immediately begin conducting online business securely,
with authentication, message privacy, and message integrity. As a result, you can
minimize risk, win customer confidence, and, ultimately, gain a competitive edge.
Some CAs believe that encryption without authentication is enough to ensure a secure
Web storefront and to build trust between you and your customers. But, encryption alone
is not sufficient. Unauthenticated SSL certificates provide confidentiality and integrity,
but lack the third-party authentication necessary to:
• Verify that the user is actually visiting the company’s Web storefront and not an
imposter’s site.
• Allow the receiver of a digital message to be confident of both the identity of the
sender and the integrity of the message.
• Ensure safe online transactions that protect both customers and your business[1].
For these reasons, it is critical that your Web storefront is authenticated, which will
improve Web visitors’ trust in you and your Web storefront. Furthermore, if certificates
can be issued to unauthorized parties, the trustworthiness of legitimate certificates is
diminished. Requiring verification of the certificate applicant’s authority to request a
certificate (employment with the organization named in the certificate) guards against the
threat of issuing a certificate to a malicious individual who is not associated with the
organization.
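The enrollment and checking steps described above (the merchant generates a CSR, the CA vets the applicant and signs it, and the visitor’s client verifies the result against a trusted CA and the domain visited) as an added Go example; this is not code from the book or from any CA. The CA name (“Example CA”), the validity periods, and the self-signed “impostor” certificate that claims the ABC Inc. name are constructed for the example; only the organization and domain name come from the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair (for the CA, the merchant or the impostor).
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign builds a certificate from tmpl under parent's key (parent == tmpl for a self-signed one).
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeCA creates the self-signed root of a hypothetical CA ("Example CA" is a constructed name).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example CA"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// leafTemplate describes a server certificate for the named organization and domain.
func leafTemplate(subject pkix.Name, dnsNames []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // the one-year subscription
	}
}

// makeCSR is the merchant's enrollment step: a new key pair plus a CSR naming the organization and domain.
func makeCSR(org, host string) ([]byte, *ecdsa.PrivateKey) {
	key := newKey() // stays on the storefront server; only the request leaves it
	req := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{org}, CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		panic(err)
	}
	return der, key
}

// issue is the CA's step: once the applicant has been vetted (legal entity, right to the domain,
// authorized requester), the CSR's public key is signed into a server certificate.
func issue(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof that the applicant holds the matching private key
	}
	if err != nil {
		panic(err)
	}
	return sign(leafTemplate(csr.Subject, csr.DNSNames), ca, csr.PublicKey, caKey)
}

// selfSigned models an "encryption only" certificate: the impostor vouches for its own claim to the name.
func selfSigned(org, host string) *x509.Certificate {
	key := newKey()
	tmpl := leafTemplate(pkix.Name{Organization: []string{org}, CommonName: host}, []string{host})
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// browserCheck: the visitor's client requires a chain to a trusted CA and a match on the host visited.
func browserCheck(cert, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

The impostor’s certificate still encrypts the session, but browserCheck rejects it because no trusted third party signed its claim; the genuine certificate is likewise rejected for any host it does not name.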
An authenticated SSL certificate provides the ultimate in credibility for your online
storefront. Rigorous authentication practices set by industry standards provide assurance
that subscribers are properly identified and authenticated, and subscriber certificate
requests are accurate, authorized, and complete.
In addition, by displaying a Secure Site Seal, you can give your customers the confidence
to communicate and transact business with your site. A Secure Site Seal allows your
visitors to check your SSL certificate’s information and status in real time, and provides
additional protection against the misuse of revoked and expired certificates.
—Anonymous
Overview
After you’ve read this chapter, you’ll understand the issues and essential elements of
accepting payments online, the most important step in putting your Web site to work for
you.
Purchasing online may seem to be quick and easy, but most consumers give little thought
to the process that appears to work instantaneously. For it to work correctly, merchants
must connect to a network of banks (both acquiring and issuing banks), processors, and
other financial institutions so that payment information provided by the customer can be
routed securely and reliably. The solution is a payment gateway that connects your online
store to these institutions and processors. Because payment information is highly
sensitive, trust and confidence are essential elements of any payment transaction. This
means the gateway should be provided by a company with in-depth experience in
payment processing and security.
Acquiring bank: In the online payment processing world, an acquiring bank provides
Internet merchant accounts. A merchant must open an Internet merchant account with an
acquiring bank to enable online credit card authorization and payment processing.
Examples of acquiring banks include Merchant eSolutions and most major banks.
Authorization: The process by which a customer’s credit card is verified as active and
that they have the credit available to make a transaction. In the online payment
processing world, an authorization also verifies that the billing information the customer
has provided matches up with the information on record with their credit card company.
Credit card association: A financial institution that provides credit card services that are
branded and distributed by customer issuing banks. Examples include Visa® and
MasterCard® (see sidebar, “Visa and MasterCard Take Different Approaches to
Authentication”).
Customer: The holder of the payment instrument—such as a credit card, debit card, or
electronic check.
Customer issuing bank: A financial institution that provides a customer with a credit
card or other payment instrument. Examples include Citibank and Suntrust. During a
purchase, the customer issuing bank verifies that the payment information submitted to
the merchant is valid and that the customer has the funds or credit limit to make the
proposed purchase.
Internet merchant account: A special account with an acquiring bank that allows the
merchant to accept credit cards over the Internet. The merchant typically pays a
processing fee for each transaction processed, also known as the discount rate. A
merchant applies for an Internet merchant account in a process similar to applying for a
commercial loan. The fees charged by the acquiring bank will vary.
Processor: A large data center that processes credit card transactions and settles funds to
merchants. The processor is connected to a merchant’s site on behalf of an acquiring bank
via a payment gateway.
Settlement: The process by which transactions with authorization codes are sent to the
processor for payment to the merchant. Settlement is a sort of electronic bookkeeping
procedure that causes all funds from captured transactions to be routed to the merchant’s
acquiring bank for deposit[1].
Online merchants could face integration hassles as they deploy forthcoming and
competing credit card payer authentication technologies from Visa USA and MasterCard
International Inc. The technologies, Visa’s Verified by Visa and MasterCard’s Secure
Payment Application service, take distinctly different approaches. Visa performs
authentication on the merchant site, whereas MasterCard handles it on the customer’s PC
automatically, using a previously downloaded applet.
As a result, merchants that accept credit cards will be required to support two
authentication mechanisms. Furthermore, some observers speculate the companies’
respective systems may be no more successful in gaining market acceptance than the ill-
fated Secure Electronic Transaction (SET) authentication protocol, a protocol
spearheaded by Visa and MasterCard.
Visa sweetened the bait for its system recently when it announced that online merchants
using Verified by Visa will have no liability for any transactions processed by the service.
Verified by Visa, also known as Visa Payer Authentication, authenticates credit card users
with a password and requires no client software. MasterCard’s Secure Payment
Application service, which the Purchase, N.Y., company will pilot in April, also uses a
password or PIN and requires an applet for authentication.
MasterCard and Visa, which formerly cooperated, now find fault with each other’s
approaches. Visa’s service, for instance, will extend transaction processing times, take
customers off the merchant sites for authentication, and require complex integration.
MasterCard’s service, Visa countered, amounts to a digital wallet, which consumers have
been loath to use.
About the only thing MasterCard and Visa seem to agree on is that SET, which was
launched in December 1997, was a failure. SET required long download times for
customers, used clumsy digital certificate technology, and created integration hassles for
merchants and banks that issued the credit cards. It had all but faded away by late 1998.
But with Visa and MasterCard now going separate ways, some merchants see little reason
to try authentication technology. You’re creating another layer of complication. After
customers go through the trouble of giving you their credit card number, they now have
the problem of remembering one more password.
Payment processing in the online world is similar to payment processing in the offline or
“Brick and Mortar” world, with one significant exception. In the online world, the card is
“not present” at the transaction (see Figure 20.1)[1]. This means that the merchant must
take additional steps to verify that the card information is being submitted by the actual
owner of the card, as shown in Figure 20.1. Payment processing can be divided into two
major phases or steps: authorization and settlement (see sidebar, “Payment Processing—
Authorization and Settlement”).
Payment Processing—Authorization and Settlement
Authorization verifies that the card is active and that the customer has sufficient credit
available to make the transaction. Settlement involves transferring money from the
customer’s account to the merchant’s account.
Authorization: Online
1. A customer selects item(s) to purchase, brings them to a cashier, and hands the
credit card to the merchant.
2. The merchant swipes the card and transfers transaction information to a point-of-
sale terminal.
3. The point-of-sale terminal routes information to the processor via a dial-up
connection (for the purposes of the graphic shown in Figure 20.1, the point-of-
sale terminal takes the place of the payment gateway in the offline world).
4. The processor sends information to the issuing bank of the customer’s credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the
processor.
6. The processor routes the transaction result to the point-of-sale terminal.
7. The point-of-sale terminal shows the merchant whether the transaction was
approved or declined.
8. The merchant tells the customer the outcome of the transaction. If approved, the
merchant has the customer sign the credit card receipt and gives the item(s) to the
customer (see Figure 20.1).
Payment Processing—Settlement
The settlement process transfers authorized funds for a transaction from the customer’s
bank account to the merchant’s bank account, as shown in Figure 20.2[1]. The process is
basically the same whether the transaction is conducted online or offline[1].
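The authorization and settlement phases above, modeled as an added Go example (not code from the book or from any processor or bank): an issuing bank that approves or declines a card-not-present request (card active, billing information matching the record, credit available) and a processor that captures approved transactions and settles them, net of the discount rate, to the merchant’s acquiring bank. The card number, credit limit, billing ZIP, and 2.5% rate used in the test are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Account is what the customer issuing bank holds for one card (all amounts in cents).
type Account struct {
	Active     bool
	BillingZip string // billing information on record, checked because the card is not present
	Limit      int    // credit limit
	Holds      int    // authorized but not yet settled
	Posted     int    // settled charges
}

// Txn carries what the merchant's order form collected: card number, billing ZIP and amount.
type Txn struct {
	PAN, BillingZip string
	Amount          int
}

// Issuer models the customer issuing bank.
type Issuer struct {
	Accounts map[string]*Account // keyed by card number
	holds    map[string]Txn      // open authorizations, keyed by authorization code
	nextCode int
}

// NewIssuer returns an issuer with no accounts; the caller adds constructed sample cards.
func NewIssuer() *Issuer {
	return &Issuer{Accounts: map[string]*Account{}, holds: map[string]Txn{}}
}

// Authorize is the issuing bank's decision (steps 4 and 5 of the sidebar): the card must be
// active, the billing information must match the record, and credit must be available.
func (i *Issuer) Authorize(r Txn) (string, error) {
	a, ok := i.Accounts[r.PAN]
	switch {
	case !ok || !a.Active:
		return "", errors.New("declined: card not active")
	case a.BillingZip != r.BillingZip:
		return "", errors.New("declined: billing information does not match")
	case r.Amount <= 0 || a.Holds+a.Posted+r.Amount > a.Limit:
		return "", errors.New("declined: insufficient credit available")
	}
	i.nextCode++
	code := fmt.Sprintf("AUTH%05d", i.nextCode)
	i.holds[code] = r
	a.Holds += r.Amount
	return code, nil
}

// Settle posts one authorized hold to the cardholder's account. An unknown or already
// settled code is refused, so the same transaction cannot be collected twice.
func (i *Issuer) Settle(code string) (Txn, error) {
	h, ok := i.holds[code]
	if !ok {
		return Txn{}, errors.New("no open authorization " + code)
	}
	delete(i.holds, code)
	a := i.Accounts[h.PAN]
	a.Holds -= h.Amount
	a.Posted += h.Amount
	return h, nil
}

// Processor sits between the payment gateway and the banks: it routes authorizations to the
// issuer and, at settlement, deposits captured funds with the merchant's acquiring bank.
type Processor struct {
	Issuer      *Issuer
	DiscountBps int      // discount rate in basis points, e.g. 250 = 2.5% (constructed value)
	batch       []string // captured authorization codes awaiting settlement
	Deposited   int      // running total paid into the merchant's acquiring-bank account
}

// Authorize routes the gateway's request to the issuer and returns its answer (steps 3 to 6).
func (p *Processor) Authorize(r Txn) (string, error) { return p.Issuer.Authorize(r) }

// Capture queues an approved authorization code for the next settlement batch.
func (p *Processor) Capture(code string) { p.batch = append(p.batch, code) }

// Settle runs the batch: each code goes to the issuer, and the approved amount less the
// discount rate is deposited for the merchant. Codes the issuer refuses are reported back.
func (p *Processor) Settle() (deposit int, rejected []string) {
	for _, code := range p.batch {
		h, err := p.Issuer.Settle(code)
		if err != nil {
			rejected = append(rejected, code)
			continue
		}
		deposit += h.Amount - h.Amount*p.DiscountBps/10000
	}
	p.batch = nil
	p.Deposited += deposit
	return deposit, rejected
}
```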
Credit card fraud can be a significant problem for customers, merchants, and credit card
issuers[2]. Liability for fraudulent transactions belongs to the credit card issuer for a card-
present, in-store transaction, but shifts to the merchant for “card not present” transactions,
including transactions conducted online. This means that the merchant does not receive
payment for a fraudulent online transaction. Fortunately, there are steps you can take to
significantly limit your risk as an online merchant. The following important fraud
prevention steps should be adhered to:
Finding a reliable, secure, and flexible payment processing solution for your business is
critical, so it’s important to take the time to investigate and assess the options available to
you. A payment processing solution should:
Summary
Over 80 percent of U.S. households are online, and more than half of these households
shop from home on a weekly basis. In fact, according to Ipsos-Reid, a leading research
company, of the 120 million Americans who use the Internet, half of them will spend at
least $700 shopping online in 2004. This means that if you’re not selling online, you’re
missing a significant revenue opportunity. And, with advances in technology, selling
online has never been easier or more cost-effective.
An online store allows you to be open for business 24 hours a day, 7 days a week. Not
only is this an important convenience for your customers, it also means more revenue for
you. An online store also helps you to reduce your overhead costs because you don’t need
to hire reception staff and people to take orders. With the right payment processing tools,
these functions are all done automatically for you. And lastly, an online store helps you to
reach new markets—across the country or even outside the United States. An online store
is no longer an option for a successful business, it’s a critical step in managing and
growing your business.
The most important part of selling online is accepting payments from your customers
ranging from a single transaction (the purchase of an item from your Web site), to a series
of transactions from a customer (the payment of membership fees or installment
payments via your Web site). Online payment processing offers a customer the
convenience of submitting their credit card or other forms of payment on your Web site,
and for you to actually receive the money from this transaction. Recurring payment
processing allows you to set up regularly scheduled payments for your customers for a
series of transactions.
Chapter 21: Electronic Payment Methods
Through Smart Cards
“Crito, I owe a cock to Asclepius; will you remember to pay the debt?”
Overview
The electronic payment card has been in existence for many years. It started in the form
of a card embossed with details of the cardholder (account number, name, expiration
date), which could be used at a point of sale to purchase goods or services. The magnetic
stripe was soon introduced as a means of holding more data than was possible by
embossing alone. The magnetic stripe also allowed cardholder details to be read
electronically in a suitable terminal, so that checks could be made with little or no human
intervention about the cardholder’s creditworthiness or whether the card had been
reported lost or stolen.
Card technology has advanced over the years to keep ahead of the worldwide increase in
card-related crime. As the criminal fraternity found ways of producing sufficiently good
counterfeit cards, the card companies introduced new ways of combating the problem. A
succession of antifraud measures have been introduced over the years, such as the
hologram, the Card Verification Value (CVV, a value stored on the magnetic stripe that
can be used to determine if a card has been produced illicitly), and in some cases,
photographs of the cardholder[2].
Magnetic stripe cards have now been developed to the point where there is little or no
further scope for introducing more anticrime measures. This has caused the card
associations to look at new technologies to take the plastic card well into the twenty-first
century. One technology that offers many benefits is the smart card—essentially, a small
computer chip embedded into a plastic card with the same dimensions as the magnetic
stripe card. The only difference the cardholder sees is a small metal area on the face of
the card that contains a set of electrical contacts through which the chip can be accessed.
From the anticrime perspective, there are a number of benefits in adopting the smart card.
The card itself (or in conjunction with the terminal) can make decisions about whether or
not a transaction can take place. Secret values can be stored on the card that are not
accessible to the outside world—allowing, for example, the card to check the
cardholder’s PIN without having to go online to the card issuer’s host system. Also, there
is the possibility of modifying the way the card works, while it is inserted in a point-of-
sale terminal—even to the point of blocking the card from further transactions if it has
been reported lost or stolen.
As well as these antifraud measures, the smart card is seen as offering a number of other
benefits to the card issuer and cardholder. These additional benefits are an integral part of
building the business case for introducing smart card technology. Some of the other
benefits of introducing smart cards are:
• The ability to have more than one payment application resident on the card. For
example, a card could contain an “electronic purse” to provide the equivalent of
cash, usually for lower-value transactions, such as parking, tickets, newspapers,
and so forth.
• The ability to have other applications, such as loyalty schemes, and access to
information facilities (libraries) coresident on the card.
• The possibility of reducing online validation costs by allowing the card to operate
offline more of the time.
There are many issues to be resolved before such all-embracing cards become
commonplace, the most obvious ones being who owns the card and who controls which
applications can be loaded or deleted. Today, the banks are interested mainly in providing
payment-related services to their customers, and most of the current activity surrounds
the provision of smart card-based credit/debit services—sometimes with an additional
electronic purse facility.
[2] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
The Solution
In the early 1990s, the major card associations (Europay, MasterCard, and Visa)
recognized that for smart cards to become acceptable, it was necessary to standardize the
way they work, at least for banking applications. Considerable work was undertaken to
reach agreement on a standard culminating in the so-called Europay MasterCard Visa
(EMV) specifications.
EMV Specifications
EMV specifications define the physical characteristics (size, shape, thickness, position of
contacts), the electrical characteristics (signals to be fed to each contact), command set
(how to access data and functions on the card), overall card security methodologies (static
data authentication, dynamic data authentication), and the data to be stored on cards for
payment systems. The EMV specifications do not fully describe particular payment
applications—that being left to individual card associations to define. They do describe
the basic framework under which all payment applications will work. It is important to
appreciate that although the EMV specifications describe how cards, terminals, and host
systems interact, they do not describe how cards will be personalized, because different
card manufacturers use different methodologies.
Visa Specifications
Visa has produced a specification that deals with the details of how a credit/debit
application will operate in a Visa world. This is known as the Visa Integrated circuit card
(ICC) Specification (VIS).
Smart Debit/Credit
VIS refers to an application called Chip Card Payment Service (CCPS). This name is
gradually being replaced by the term Visa Smart Debit/Credit, which has been introduced
in a significant number of countries over the last year.
Visa Cash
The Visa electronic purse product is called Visa Cash. It is available in two basic forms:
disposable and reloadable. There are two types of reloadable Visa Cash cards: the DES-
based version and the public key version. The public key variant offers improvements in
security because the public key algorithm is implemented on the card itself. Visa Cash is
in use in many different countries around the world.
MasterCard Specifications
MasterCard has released a set of specifications describing their product, which they call
Debit and Credit on Chip. These are functionally equivalent to the Visa VIS specification,
although there are small variations.
MasterCard has recently implemented Debit and Credit on Chip on the Multos open
platform card. The MasterCard electronic cash product is the Mondex purse. This can
coreside on the same Multos card as Debit and Credit on Chip.
Other Specifications
In the UK, the Association for Payment Clearing Services (APACS) has developed a
specification detailing the chip credit and debit features that will be implemented in the
UK. This is known as the UK ICC Specification (UKIS), and is effectively a subset of the
Visa VIS specification. UKIS does not implement the PIN on the card feature because
PINs at point of sale are not used in the UK. It is understood that Europay has recently
developed a credit/debit smart card scheme (see sidebar, “Point-of-Sale Solutions Are
Getting Smarter”).
With the help of loyalty-based smart-card programs, retailers and banks are hoping to
increase spending and boost customer retention. For solution providers, the promise of
smart-card technology may lead to increased revenue despite flagging POS terminal
sales.
Up until now, smart cards haven’t made much headway in the United States. The U.S.
telecommunications infrastructure is widespread and operates at affordable rates. That’s
allowed magnetic stripe cards to function very well at the point of sale. But today, there
are two main drivers behind smart-card technology: adding value at the POS and fraud on
the Internet.
One way to add value at the POS is with loyalty programs that keep customers coming
back for more. Many retailers across the United States already have loyalty programs in
place, allowing customers to accrue “points” through purchases and redeem them later
on. But, smart-card-based loyalty programs offer benefits that stripe or bar-code systems
can’t. Magnetic stripe cards can be duped easily. Smart cards deliver a more secure
solution. And, with smart cards, there’s no need to upload transaction information to a
server. A chip on the card allows for real-time transactions and real-time receipts. In
addition, smart cards can store the loyalty programs of up to 30 merchants, so customers
don’t need to carry multiple cards.
The main reason why smart cards aren’t as popular as they could be, is that card issuers
aren’t pushing them. If you put smart cards in the market, the infrastructure will follow.
What you’re doing with smart cards is distributing the database down to the chip. You’re
running loyalty and gift card programs right out of the terminal, without a backend
processing and tracking system.
Existing systems were developed, often many years ago, to handle the types of data
needed for magnetic stripe cards. Smart cards require considerably more data to be
generated, including cryptographic keys for the cards themselves. In most instances,
changing existing systems represents a major investment of resources.
Enhancements to the Card Personalization Process
Banks generally personalize their cards in one of two ways: either using an in-house
facility or using an external personalization bureau. The choice is usually based on the
size of the cardholder base, because setting up an in-house facility is an expensive
exercise.
Today’s magnetic stripe cards are generally produced as depicted in Figure 21.1[1]. The
issuer host system embodies the database of all cardholder details and provides facilities
to generate data to produce a new card.
Figure 21.1: The Existing Magnetic Stripe Process
Often, cards are produced in batches and it is the responsibility of the host system to
assemble all data for a given batch of cards. A batch might be generated as a result of the
normal replacement cycle (two or three years) or possibly to replace those cards that have
been reported lost or stolen during the day. The host system produces the data in a series
of records, one record per cardholder. The data is known as a Personalization Data File.
Each record of the Personalization Data File comprises a number of modules. These
normally include:
Most of the information for these modules is held in the cardholder database. Some items
in the magnetic stripe module need to be generated using a security module. These
include a PIN Verification Value (PVV), or equivalent, and a Card Verification Value
(CVV). Both these items are derived using a cryptographic process that involves the use
of secret keys.
It is worth noting that although the data in the Personalization Data File is normally
handled carefully, there is nothing inherently secret about it and, for that reason, it is not
normally encrypted. It only becomes a useful commodity when it is combined with a real
plastic card, which happens in the personalization bureau. Such facilities are highly
secure establishments with tight access control procedures and many internal mechanisms
to guard against finished cards being lost or stolen. Normally, cards in their paper carriers
are inserted directly into envelopes and passed straight to the postal system. The PIN
mailer for a card is normally produced in a separate establishment from the cards
themselves, often as a separate output from the issuer host system. This separation of PIN
mailer and finished card is normally an essential part of the card issuance process. Often,
PIN mailers are not posted until the cardholder acknowledges receipt of the card.
With the arrival of the smart card, the issuer needs to produce an extra “module” of data,
which is intended to be programmed into the chip itself. Of course, there will be many
items of information in this chip data, which are common to the magnetic stripe and the
embossing data. Examples of this are a Primary Account Number (PAN) and the
cardholder name. However, there are some new items that are specific to smart cards.
Some examples of these are:
Upper consecutive offline limit: This is a value held by the card that determines its
spending limit. After this limit has been exceeded, the card forces the transaction to be
completed online. This is part of the inherent risk management features of a chip card.
Signature of static card data: This is a value calculated using a public key
cryptographic algorithm at the time the card data is generated. It can be validated by each
terminal accepting the card and is used to give some confidence that the card is genuine.
Issuer certificate: This data is set up by the issuer in conjunction with the card
association to which the issuer belongs (Visa or MasterCard). It is placed onto every card
issued and contains the public key of the issuer. It is used by the terminal as part of the
process to validate the signature in the second item in this list.
Unique Derived Keys (UDKs): These are DES keys, unique to each card, which are
placed on the chip and used as part of the transaction validation process. Basically, the
transaction details are passed to the card, which uses the UDK to generate a cryptogram
(similar to a MAC) that is passed back to the issuer for validation. Using this technique,
the issuer can be sure that the transaction was handled by a valid card[1].
The various credit and debit specifications define in excess of 40 such data items, which
need to be generated and placed on smart cards. It is the issuer’s responsibility to
generate these items, something that existing card systems were never designed to handle.
Note: The advent of chip cards has meant that for the first time, some of the data passing
from issuer to personalizer is now secret and must only be sent in encrypted form.
The UDKs previously described are an example of such secret data.
There is a need for a product that is able to generate the new data required by the various
smart card schemes. This means that a card issuer can migrate to smart cards without
having to make changes to an existing cardholder database host system. As noted before,
this can be a costly and time-consuming exercise and often proves to be a major barrier
for a bank in moving to smart cards.
P3 is a compact name for personalization preparation process, which goes some way to
describing what the system achieves. Its main objectives are:
The P3 system fits into an existing card issuing process, as shown in Figure 21.2[1]. There
are two possible configurations of P3. It could belong to and be co-sited with the issuer
host system. Alternatively, P3 could be operated by a Personalization Bureau who may
act on behalf of several issuers.
Scheme Certification Authorities (CA): Part of the security of the various smart card
schemes includes the need for an issuer to generate an RSA public/private key pair. The
private key is retained securely in a Host Security Module and used to “sign” card data to
produce a signature that is placed on the card. The public key is transmitted to the scheme
provider (Visa, Europay, or MasterCard), where it is certified using the “scheme private
key” to produce the issuer certificate. This is transmitted back to the issuer, where it is
stored so that it can be placed on every card. The certification process is slightly different
for each of the scheme providers, but the principle is the same.
Issuer host system: P3 receives personalization data from the existing issuer host
system, as described in other parts of this document.
Personalization system: P3 adds the appropriate smart card data to the cardholder record
before passing the combined data to the personalization system[1].
After cards have been issued, they may be used to obtain goods or services. If the card is
a credit or debit card, it is generally used at a point of sale or at an ATM. As part of the
transaction, the card generates an Authorization Request Cryptogram (ARQC) using
unique keys held on the card. This is passed back as part of the transaction message to be
validated by the bank’s host validation system. The host system is able to validate the
ARQC and produce an Authorization Response Cryptogram (ARPC), which is sent back
to the card. The card can validate this ARPC. This mutual authentication process gives a
very high assurance that the card is genuine, and that the bank with which it is in
communication is the one that originally issued the card.
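To make the ARQC/ARPC exchange concrete, here is an added Python model of it (example code written for this edition, not Visa, MasterCard or Thales code): the issuer derives a per-card Unique Derived Key from a master key, the chip MACs the transaction details to form the ARQC, the host re-derives the UDK, checks the ARQC and answers with an ARPC that the chip verifies; it also models the upper consecutive offline limit from the list above. HMAC-SHA256, the key-derivation string, the counter rule and the approval rule are simplifications I assumed in place of the schemes’ DES-based procedures.

```python
import hashlib
import hmac
import json

# Constructed sample issuer master key; a real one lives inside the issuer's HSM.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdef" * 4)


def derive_udk(issuer_master_key: bytes, pan: str, seq: str) -> bytes:
    """Unique Derived Key for one card: the issuer master key diversified by the
    card's PAN and sequence number. The host re-derives it on demand, so no
    per-card secret has to be stored in the cardholder database.
    Assumption: HMAC-SHA256 stands in for the schemes' DES-based derivation."""
    return hmac.new(issuer_master_key, f"{pan}:{seq}".encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, fields: dict) -> str:
    """8-byte MAC over a canonical encoding of the fields, returned as hex."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8].hex()


class Card:
    """Chip-side logic. The UDK is written at personalization and never read out."""

    def __init__(self, pan: str, seq: str, udk: bytes, offline_limit: int):
        self.pan, self.seq = pan, seq
        self._udk = udk
        self.offline_limit = offline_limit   # upper consecutive offline limit
        self.consecutive_offline = 0
        self.atc = 0                         # application transaction counter

    def start_transaction(self, amount: int, currency: str, terminal_id: str) -> dict:
        self.atc += 1
        if self.consecutive_offline < self.offline_limit:
            # Still within the offline limit: approve locally, no cryptogram needed.
            self.consecutive_offline += 1
            return {"online": False, "atc": self.atc}
        # Limit reached: force the transaction online with an ARQC over the details.
        details = {"pan": self.pan, "seq": self.seq, "atc": self.atc,
                   "amount": amount, "currency": currency, "terminal": terminal_id}
        return {"online": True, "details": details,
                "arqc": cryptogram(self._udk, details)}

    def validate_arpc(self, arqc: str, arpc: str, response_code: str) -> bool:
        """Check the host's ARPC; a valid approval resets the offline counter."""
        expected = cryptogram(self._udk, {"arqc": arqc, "rc": response_code})
        ok = hmac.compare_digest(expected, arpc)
        if ok and response_code == "00":
            self.consecutive_offline = 0
        return ok


class IssuerHost:
    """Host validation system: holds only the master key, re-derives each UDK."""

    def __init__(self, issuer_master_key: bytes):
        self._master = issuer_master_key

    def authorize(self, request: dict):
        d = request["details"]
        udk = derive_udk(self._master, d["pan"], d["seq"])
        if not hmac.compare_digest(cryptogram(udk, d), request["arqc"]):
            return None                      # ARQC does not verify: not a valid card
        rc = "00" if d["amount"] <= 100_000 else "51"   # constructed approval rule
        return {"rc": rc, "arpc": cryptogram(udk, {"arqc": request["arqc"], "rc": rc})}


def run_demo() -> dict:
    pan, seq = "4000000000000002", "01"      # constructed test PAN
    card = Card(pan, seq, derive_udk(ISSUER_MASTER_KEY, pan, seq), offline_limit=2)
    host = IssuerHost(ISSUER_MASTER_KEY)
    out = {}
    out["offline_before_limit"] = sum(
        not card.start_transaction(2500, "840", "TERM0001")["online"] for _ in range(2))
    req = card.start_transaction(2500, "840", "TERM0001")
    out["forced_online"] = req["online"]
    resp = host.authorize(req)
    out["online_approved"] = resp is not None and resp["rc"] == "00"
    out["arpc_accepted"] = card.validate_arpc(req["arqc"], resp["arpc"], resp["rc"])
    out["offline_counter_reset"] = card.consecutive_offline == 0
    # A tampered amount no longer matches the ARQC the chip computed.
    tampered = {"online": True, "arqc": req["arqc"], "details": dict(req["details"], amount=1)}
    out["tampered_rejected"] = host.authorize(tampered) is None
    # A cloned card with the right PAN but the wrong key cannot produce a valid ARQC.
    clone = Card(pan, seq, b"\x00" * 32, offline_limit=0)
    out["clone_rejected"] = host.authorize(clone.start_transaction(2500, "840", "TERM0001")) is None
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The Visa Cash load sequence (S1, S2, S3) described below has the same shape, with one extra card-to-host message confirming completion.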
If the card is an electronic purse card, normal purchases are carried out as offline
transactions. However, there is a need to go online when the card is to be reloaded with
funds. In the case of Visa Cash, a card generates a Load Request, which involves a
cryptographic signature known as S1. This is validated by the host system, which then
generates the Load Authorization signature (S2). The card validates this and finally
produces a Load Completion Signature (S3), which is sent back to the host system to
confirm that funds have been loaded.
Both of the preceding online transaction processes involve cryptographic keys. These
keys have to be shared between the online host system and P3. Facilities are provided in
P3 to allow this.
At the time of writing, the P3 system is able to support the following applications. Work
is in progress on other applications, which will be announced in the 5th edition of this
book.
Smart Card Credit, Debit, Visa Cash Load, and Unload Processing
HSM Functions
Finally, as outlined previously, an online host system handling credit and debit
transactions from smart cards needs to be able to process the ARQC/ARPC values. To be
able to handle the Visa Cash Load (and Unload) functions, the online host system must be
able to handle the S1, S2, and S3 signatures as previously described.
[1] “Smart Cards for Payment Systems,” © 2003 THALES e-SECURITY INC. All rights
reserved. THALES e-SECURITY INC., 2200 N. Commerce Parkway, Suite 200, Weston,
FL 33326, U.S.A.
Summary
The payment card has been in existence for many years. It started in the form of a card
embossed with details of the cardholder (account number, name, expiration date), which
could be used at a point of sale to purchase goods or services. The magnetic stripe was
soon introduced as a means of holding more data than was possible by embossing alone.
In the end, the smart card appeared.
Finally, from the anticrime perspective, there are a number of benefits to adopting the
smart card. The card itself (or in conjunction with the terminal) can make decisions about
whether or not a transaction can take place. Secret values can be stored on the card,
which are not accessible to the outside world—allowing, for example, the card to check
the cardholder’s PIN without having to go online to the card issuer’s host system. Also,
there is the possibility of modifying the way the card works, while it is inserted in a point
of sale terminal—even to the point of blocking the card from further transactions if it has
been reported lost or stolen.
Chapter 22: Electronic Payment Systems
“We have a criminal jury system which is superior to any in the world; and its efficiency
is only marred by the difficulty of finding twelve men every day who don’t know
anything and can’t read.”
Overview
As more B2B trading partners conduct business and provide customer service over the
Web, it makes sense to handle invoicing, billing, and payment processing in the same
fashion. B2B trading partners have specific motivations for online billing: billers want to
receive payments faster and with less manual processing, whereas payers want to
streamline the cumbersome payment-approval process. Thus, the payment stage of any
electronic bill presentment and payment (EBPP) implementation must be able to integrate
tightly with accounts receivable (A/R) and accounts payable (A/P) systems, support
backend payment-processing workflows and procedures, and provide detailed reporting
capabilities.
When it comes to online billing, getting your bills to the Web is just one part of the
challenge—accepting payments electronically finishes the equation. Without payment,
your online billing presence is only a one-way street.
Although the online billing market has received plenty of attention, it hasn’t taken off as
fast as many analysts had predicted. In the B2C market, it’s a classic chicken-and-egg
situation: billers are reluctant to get into online billing until a critical mass of consumers
shows a willingness to pay online, and consumers are reluctant to pay online until more
of their bills are available that way.
Of course, there are other hurdles impeding widespread adoption, such as finding an
acceptable cost to consumers. In addition, privacy and security concerns continue to
make customers hesitant.
But, momentum for online billing is finally starting to build. Forrester Research predicts
that 70 percent of all U.S. households will be paying bills online by 2008. For billers,
EBPP is not just a cost-cutting or timesaving application, but a way to get closer to their
customers. In addition, many large businesses are now looking at EBPP for B2B
transactions with their supply-chain partners (see sidebar, “Bill and Invoice Presentment
and Settlement (BIPS) Access and Distribution Models”).
Bill and Invoice Presentment and Settlement (BIPS) Access and Distribution Models
There are two basic models for BIPS: the biller-direct model (whether hosted internally
or outsourced) and the consolidator model. In the biller-direct approach, the customer
goes directly to the biller’s site to access and pay bills. In the consolidator model, a third
party aggregates billing data from many billers, providing customers with one site to visit
to pay multiple bills. Both the biller-direct approach and the consolidator approach have
advantages and disadvantages, but both models will continue to coexist.
Biller-Direct Model
In the biller-direct model, the biller makes the billing data available to customers over the
Web or through e-mail. Customers can go directly to the biller’s site to access and pay
their bills, with no other parties involved. The biller-direct model provides a one-to-one
direct link between the biller and the customer.
Billers may host their own biller-direct sites, or enlist the services of a biller service
provider (BSP). BSPs can include application service providers (ASPs) or service
bureaus (such as Bell & Howell, EDS, Pitney Bowes, or DST Output), or any other entity
that can handle any or all aspects of BIPS. Billers can also use such BSPs to syndicate
billing data to consolidators or to consumer service providers (CSPs) such as Web
portals, thus handling the technical intricacies for the biller, while extending the biller’s
reach to multiple customer distribution points.
Under a consolidator model, customers log on to the consolidator’s site and can view and
pay all of their bills in one place. The consolidator provides an important convenience to
customers, and provides a vehicle to attract more users to pay their bills online. Greater
customer exposure leads to increased customer adoption, which can reduce the total cost
of billing. For this service, consolidators typically collect a transaction fee or “click
charge” from billers for every transaction conducted.
One limitation of the consolidator model has been the inability of consolidators to attract
enough billers to give customers a single site from which they can access all of their bills.
Thus, many billers are turning to other distribution points in an effort to give their
customers the flexibility to access their bills through the distribution point of their choice.
In particular, many billers are now turning to consumer service providers (CSPs) in their
strategies to syndicate their billing data to multiple end points and increase customer
adoption. Portals such as AOL and Yahoo! act as consumers’ gateway to the Web, attract
large volumes of user traffic, and are ideally positioned to connect users and their bills.
Banks and financial institutions can also act as CSPs for their customers.
Another emerging approach for bill distribution is to work with intermediaries that serve
as distribution pipes or “switches” for online billing. For example, services from
organizations such as MasterCard RPPS and the Spectrum alliance (a joint venture of
Wells Fargo, First Union, and JP Morgan Chase), provide billers with a trusted
intermediary that handles the intricacies of bill distribution to various customer end
points, and also handles the return payment processing.
Such services act as “behind the scenes” intermediaries that provide billers with a way to
greatly extend their reach without having to manage processes or relationships with
multiple distribution points[1].
Dozens of companies are providing software and services for online billing. In addition,
there has been considerable activity in mergers and acquisitions. The most notable moves
have been made by payment-processing market leader CheckFree, which acquired chief
rival TransPoint, purchased software vendor BlueGill Technologies, and formed a
strategic alliance with Bank of America in which the bank acquired 16 percent of
CheckFree’s stock.
[1] “Bill and Invoice Presentment and Settlement: The Doculabs Report,” © 2003
Doculabs. All rights reserved. Doculabs Headquarters, 120 S. LaSalle St, Suite 2300,
Chicago, IL 60603.
Payment Considerations
No matter what method of EBPP you implement, realize that payment processing can be
highly complex. For your customers, you will need to support multiple electronic
payment system options, which might include credit cards, electronic checks, automatic
balance transfers, and debit cards. Electronic fund transfers are the most prevalent
transactions in the B2B world, but some business customers prefer to pay by other means.
In addition, whatever payment methods you accept, you’ll need to integrate those
services with your own A/R system.
Payment processing is made even more complicated by the number of parties that can be
involved. For example, accepting credit-card payments means interacting with the credit-
card companies or a third party like CyberCash. Accepting an electronic fund transfer
means the processing will pass from the customer’s financial institution to the automated
clearing house (ACH) network for settlement. And, if you syndicate your bill presentment
to multiple sites, you must work with multiple consolidators, portals, and consumer
service providers (CSPs) to get paid. If you’re a biller, this means the payment service
you choose must be able to integrate with the many channels that may be involved in
processing your payments.
Although accepting electronic payments usually means you get money faster, you should
realize that most electronic-payment system mechanisms are neither real time nor online.
The ACH network and credit-card infrastructures are batch-processing-intensive. No
matter which service provider you choose, some level of integration or customization will
be required for you to be able to accept batch-payment data transfers from external
parties.
Another key concern is security. Be sure to choose a vendor with a sound approach for
encrypting its data transfers. Related to this is the data-center infrastructure the payment
provider offers. The payment vendor should have clearly documented backup and
recovery procedures, and should ensure high levels of availability, reliability, and
performance through its service-level agreements (SLAs). The payment vendor should
provide you with reporting or audit-trail data for your internal analysis, ideally accessible
through a Web-based administration interface.
Finally, standards compliance is becoming more important. For example, XML will play
a critical role as a standard format for billing data, making it easier for trading partners to
ingest such data into their own backend systems.
All these standards will play a role in providing an alternative to EDI, an expensive
approach to electronic commerce that to date has been implemented only by very large
companies with many trading partners and a strict B2B focus. Of the three, XML has the
most momentum, thanks to the general push for more standard methods of B2B
integration. OFX and IFX are in the medium adopter stage.
Choosing the right payment service provider can relieve a lot of the headaches of
handling payments and interacting with so many different parties. In addition, some
payment processors offer a bevy of value-added services that make their packages
compelling to billers. For example, some payment processors also offer services as
diverse as presentment, customer enrollment, validation, reporting, and even financing
and cash-management services.
Of course, these capabilities come at a cost. Different payment processors offer different
pricing models. Some processors charge a percentage of the dollar value of the
transaction. Others charge a flat fee for every transaction, regardless of the dollar volume.
Still others charge based on volume or the number of bills converted or presented.
In most cases, the biller swallows the costs of online billing, just as in traditional billing
operations. Although customers of the consumer-focused consolidator sites have shown a
willingness to pay for online billing, they are not likely to pay more than it would cost to
mail in their payments. In the B2B world, some customers may be willing to bear some
of the costs of e-billing by paying for things like financial services, but the model is still
untested.
So, when it comes to picking a payment service, what are your options? As previously
mentioned, there are three major classes of payment services that organizations can use
as part of their EBPP deployments: biller focused, commerce focused, and payer focused.
In the biller-focused area, CheckFree is the leader. The company processes 49 million
electronic payments per month, has an infrastructure that can handle massive volumes,
and has been active in forming partnerships and making strategic acquisitions. CheckFree
offers sound capabilities and services beyond payment, including consolidation and
presentment.
But, competitors are poised to chip away at CheckFree’s lead. Princeton eCom is a strong
player in this market, with one key advantage over CheckFree: it offers an electronic-
lockbox service as part of its offering. This approach makes especially good sense for
small and midsize companies (Princeton eCom’s target market) that want to get their
lockbox and online payment services in an integrated package. Metavante enters the
market with a wealth of experience in the statement-generation-software and payment-
processing markets. Its foray into online billing could make the company a formidable
player, as it has a strong customer base with financial institutions, particularly in the
Midwest.
In the commerce-focused area, the major players include CyberCash, CyberSource, and
VeriSign. All three provide good payment services, with support for a wide variety of
different payment types. CyberSource has the edge in terms of its breadth of payment
services, with offerings for fraud screening[2], tax calculation, distribution control, and
fulfillment management. VeriSign has the advantage in terms of secure transfer services.
In addition to payment, the company offers services for secure messaging, PKI,
certificate processing, and other site trust services that payment-only vendors lack.
In the payer-focused area, most people immediately think of sites like PayPlace.com and
ProPay.com. Although such sites provide a nifty solution for applications such as online
auction payments or letting a group of people settle a vacation tab, they are not
appropriate for more sophisticated online billing, especially in the B2B arena.
But, two vendors that come from this space, X.com and PayByCheck.com, are now
adapting their solutions for billers. Both services make it simple for billers to set up
accounts and simply include a link to the service providers’ site, where customers make
their payments online. X.com has released a new premium package of its PayPal service
in which the payment funds are swept from the biller’s PayPal account automatically
through the ACH and into the biller’s external bank account on a scheduled basis.
PayByCheck.com is pursuing a similar strategy, but the company lags PayPal in terms of
market momentum and customer base.
[2] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
Future Direction
There are dozens of payment service providers in the market, but expect to see more
consolidation in 2004. In addition, expect the payment processors to encroach on each
other’s market spaces, as multiple vendors try to extend their services to appeal to
retailers, consumers, banks, and B2B trading partners alike.
Finally, payment services eventually will become a commodity, with only a few vendors
handling this discrete portion of the EBPP cycle. The vendors that survive will be those
that offer simple, reliable services at a good price or offer payment as part of a larger
package of value-added services for EBPP. However, if you are thinking about EBPP,
there’s no need to wait for a shakeout in the payment services arena; switching will be
progressively simpler as the baseline services grow more commoditized and as standards
become more firmly established.
Summary
In the EBPP market, payment processing is one of the most complex parts of the sale. For
most IT shops, the solution is to use a third-party payment service provider to handle the
dirty work.
New technology has made it possible to pay for goods and services over the Internet.
Whereas some of the methods link existing electronic banking and payment systems such
as credit and debit card networks with new retail interfaces via the Internet, new means of
payment known as digital currencies have also been developed to facilitate global
electronic commerce.
Electronic money (also known as digital currency) based on stored-value, smart card, or
other technologies has been developed to facilitate consumers and businesses to engage
in global electronic commerce (see sidebar, “Digital Currency”). These cater to the
increasing population of online consumers who don’t have a credit card or those who are
reluctant to provide their credit card number online. These newly developed payments
systems share some common characteristics or aims, namely:
Accessibility: Making the payment system conveniently available through one or more
providers, regardless of the income or the socioeconomic status of the user
Digital Currency
Digital Gold or Digital Currency is quickly becoming popular among online users. It is
very easy to open an account, fund it, and transfer money all over the world using some
of the well-known gold systems, such as e-gold, osgold, e-bullion, evocash, and so on.
This is a new wave of the future in moving money worldwide, whether it is to send your
family money or to pay for merchandise online, from those merchants who accept this
form of exchange. All of this is done instantly without delay and without heavy transfer
fees.
The basics of digital currency are to offer worldwide flexibility and mobility. This is how it
works with e-gold as an example:
With other digital currencies, the fee can be as low as 25 cents with osgold or as high as
$1 dollar through evocash. Can you see how much money you can save in transfer fees
alone? Especially when you consider that a typical bank wire costs around $14.00, it
would end up costing you a bundle if you had to wire money to many people often!
Now, let’s say the person you just moved the funds to through e-gold wants to take it out
to use in the real world. Easy! By utilizing a similar gold exchange service, your recipient
can exchange his e-gold to cash for a small fee. Or, even better, they can get a debit card
and transfer their gold to their card and use it at any ATM to withdraw their money for a
small ATM fee! Now, think of how convenient this will be globally! Places like e-bullion
offer a debit card at just $34.95. You can get an exchange service to transfer your e-gold
to your e-bullion account and then you can withdraw that money with an e-bullion debit
card! Welcome to technology!
Some say that gold is more stable and holds its own value, whereas paper money has no
real value. Think of these digital currencies as a worldwide bank account that is open 24
hours a day, 7 days a week, and can be accessed online with a few clicks of your mouse!
How incredibly mobile and accessible is that? With places like evocash, you can earn 9%
interest for keeping your money with them! Remember to treat your digital currency like
you would your regular bank account and never give out your passwords. It’s a smart idea
to change your password often by using a combination of letters and numbers that others
will not be able to guess. In addition, be sure to keep sensitive information about your
accounts in a safe place outside of your computer’s hard drive.
[2] “Electronic Commerce,” Copyright 2002 National Computer Board. All rights reserved.
National Computer Board, 7th Floor, Stratton Court, La Poudrière Street, Port-Louis,
Mauritius, 2003.
[1] “Digital Currency,” Copyright © 1998–2002 by mytopsecrets.com. All Rights
Reserved. Mytopsecrets.com, P.O. Box 1715, Glen Burnie, MD 21060-1715, 2003.
Applications
Digital currencies enable new types of payments, goods, and services (information and
online entertainment)—such as microproducts and micropayments. They share some
fundamental properties, namely:
The principal function of stored-value or smart cards is the portable storage and retrieval
of data. These applications have evolved from existing electronic funds transfer
mechanisms using debit cards, such as prepaid cards and copy machine cards. The
embedded integrated circuit on the card defines the capabilities of the product, and
possible components may include a microprocessor, nonstatic random access memory
(RAM), read only memory (ROM), erasable programmable read only memory
(EPROM), other nonvolatile memory, and special purpose coprocessors.
These characteristics make smart cards a viable medium for a digital currency payment
system. In making a payment through stored-value cards, the following points can be
noted:
Stored-value cards have met with high approval ratings among consumers in Europe, and
are gaining increasing popularity in the United States. Stored-value smart cards are
capable of more than facilitating payments. They can offer added-value information,
including digital certificates for identification purposes, and may authenticate a secure
transaction.
It is worth noting that computer hardware manufacturers have started to include smart
card readers with their PCs and PC keyboards. The ubiquity of this digital currency
system is on the rise.
Digital currencies are cheaper, faster, safer, global, and more private than traditional
credit cards and bank wires. In other words, digital currencies will prove to be as world-
changing as the invention of the printing press and gunpowder. Digital currencies link
together financial institutions and markets across the globe in a way that allows
instantaneous value transfers with a mere fraction of the cost associated with traditional
bank wires and credit cards. The architects of the new digital economy are busily at work
creating new financial products and linking digital currencies to “old-world” financial
networks, allowing you to easily convert your digital currencies to cash anywhere in the
world. Here are some of the reasons that digital currencies are the best way to do business
on or off the Net!
Transaction costs using credit cards or PayPal (for example) range from 2.2% to 4.2%.
International bank wires cost, on average, $43 to $73 using Western Union. Digital
currencies allow transactions to take place from as low as 0.1% (GoldMoney), to 2% on
the very high end (Standard Transactions). In other words, the cheapest digital currency
on the Net allows online transactions for forty-five times less than credit cards. Even the
most expensive digital currency costs less than a credit card transaction! Digital
currencies lower transaction costs by three orders of magnitude! This means that
transactions that were previously too expensive to make because of the time, money, and
effort involved are now feasible using digital currencies, such as e-gold, gold-grams,
Standard Dollars, Standard Gold, e-Bullion, and Hansa Dollars. For retail merchants who
process a high volume of credit card transactions, the savings can be significant! The
savings in transaction costs can then be passed along to their customers in the form of
lower prices, which helps merchants accepting digital currencies to gain a competitive
advantage.
The average credit card transaction can be reversed for three to six months after the sale
takes place. This leaves merchants in a vulnerable position. Cheapskates reverse the
charges on a regular basis against merchants who deliver the goods. This kind of theft
drives up prices for everyone to cover the cost of lost goods and money due to fraudulent
credit card use[5]. Bank wires in-country take at least three days to clear. International
bank wires can take up to two weeks to clear! Digital currencies solve these problems by
allowing instantaneous and nonreversible transactions! For merchants, this means that all
sales are final. They don’t have to worry about having their account frozen because some
hacker used a stolen credit card at their store. This also means that when you need to send
money to a friend or family member anywhere in the world, you can do it in a few
seconds, and they can withdraw it as cash from an ATM machine the very next morning.
That’s fast!
PayPal, for example, only works in the United States. In order for people outside the
United States to sell their product or service on the Web, they have needed an
international credit card merchant account. The problem is, outside the United States and
Europe, merchant accounts can be difficult to obtain. This creates a barrier to entry that
makes it harder for international entrepreneurs to offer their products and services to the
world. Digital currencies solve this problem by allowing instantaneous transfers of
money anywhere in the world! As the network of exchange agents grows, it is now
possible to quickly and easily convert your digital currency to cash in any country in the
world. A Standard Reserve “Instant World Account” allows account holders to convert
their Standard Gold or Standard Dollars into cash at any ATM machine on the planet! E-
bullion offers an anonymous numbered offshore debit card. This means that no matter
where you are, if you can find an ATM machine, you can convert your Digital Currency
into local currency!
Credit card fraud is becoming increasingly prevalent as hackers steal card numbers from
computer networks, crooks root through your garbage and steal your identity, and other
nefarious thieves devise ways to get your account number. Digital currencies offer a
higher level of security than credit cards. Even the lowest level of security for digital
money, an account number and password, is one order of magnitude safer than a credit
card. All a thief needs to steal a credit card is the account number. With digital currencies,
the merchant never sees your password, so it is impossible for a thief to steal it, unless
you give it to him yourself (by letting him access your computer). For example,
GoldMoney supports digital certificates for customer identification. These certificates
cryptographically verify that you are you. This prevents thieves from accessing your
account. E-bullion and E-gold are now offering similar security measures to their clients.
It is also possible to combine digital certificates with an affordable biometric fingerprint
reader to make sure that absolutely no one has access to your account but you. This is the
highest level of security currently available on the Net, but there are other improvements
still to come.
Digital currencies allow one thing that credit cards never will: person-to-person
payments. As previously mentioned, PayPal is limited to the United States. So, what do
you do when you want to buy a collector’s doll that you found in an online classified ad,
but the owner lives in New Zealand and you live in the United States? Digital currencies
allow you to spend your money to anyone else who has a digital currency account. It only
takes a few moments for your friend to open his own account by using the Internet, and in
most cases it doesn’t cost a penny! Person-to-person payments allow small-scale
merchants to get started without the added expense of maintaining a credit card merchant
account. This means lower costs of entry into the marketplace and lower costs of doing
business!
It is a known fact that traditional banks store massive databases that track all of your
account activity in the name of “know your customer,” “fighting the war on drugs,” and,
more recently, “the war on terrorism.” In reality, banks conveniently use those databases
to sell information about their customers’ spending habits to other companies, and
governments use that data to find excuses to confiscate your money and property. So, not
only does your government have access to all of your spending habits, but so does any
individual or organization who is willing to pay for it.
Most digital currencies are housed in “capital-friendly” jurisdictions with strict privacy
protection laws[6]. For someone to get your account information, they have to obtain a
court order in the country where your digital currency is headquartered. This means that
true crimes can be prosecuted, but your privacy will remain intact if you are just an
average law-abiding customer. Think of it as guaranteeing yourself the right to “due
process.” Furthermore, it is impossible to use digital currencies for money-laundering.
You have to spend your national money (such as U.S. dollars) through an exchange agent
in order to purchase digital currency in the first place. Because exchange agents all have
accounts at banks with anti-money-laundering practices in place, this means that all
money used to purchase digital currencies is theoretically “clean.” Clean money in, clean
money out!
So, digital currencies are able to provide privacy to their customers, and still be able to
guarantee that they are not being used for money laundering. Digital currencies are
“orthogonal” to the traditional financial world. As long as all the money coming in and
out goes through banks with anti-money-laundering practices in place, then money
laundering is impossible. Furthermore, all of the digital currencies in business at this time
are firmly committed to discouraging crime and money laundering, while at the same
time protecting the privacy of their account holders. This means you can use digital
currencies to do business with confidence that you are in good company! You can obtain
a Standard Reserve Instant World Card or an e-bullion Debit Card and withdraw your
digital currency from any ATM machine in the world as cash. But, because the cards are
processed in an offshore jurisdiction, you can be assured that your privacy is protected.
Because both of these companies are diligent in preventing money laundering, you can be
assured that you are in good company[8].
So, are there any economic consequences of using digital currencies? In other words, do
digital currencies have any serious consequences for the structure of the economies? Let’s
take a look.
[5] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
[6] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad Ebusiness Privacy Plan, McGraw-Hill Professional, 2001.
[8] "Why Use Digital Currencies," The Gold Economy Magazine, 2001-2002; EscapeArtist.com Inc., 843-1243 World Trade Center, Panama, Republic of Panama, 2003.
The later years have seen the explosive growth of the Internet as one of its main features;
furthermore, much has been talked and written about the coming of the online economy
and electronic commerce. One of the most important aspects of this development has
been the growing demand for methods of secure payments over the Net. This demand,
coupled with advances in cryptology, has facilitated the growth of digital cash or digital
currency—cash or currency constituted not of pieces of paper or metal objects, but
streams of digits.
Anonymity
An important quality of digital cash is that it has the potential of being entirely
anonymous, through the use of mathematical “blinding” techniques, both with regards to
usage and holdings. This means that, as with physical cash, there are few, if any, traces
for the government or other institutions to survey.
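The "blinding" the paragraph refers to is a blind signature: the issuer signs a coin it cannot see, so the later deposit cannot be matched to the withdrawal. The following RSA blind-signature walk-through is an added example, not code from the book; the Bank class, the toy key size and the serial-number double-spend check are constructed for illustration.

```python
"""
Added example (not from the book): an RSA blind-signature "coin" withdrawal
and deposit, the mathematical blinding behind anonymous digital cash.
Toy primes are used so it runs instantly offline; a real scheme would use
2048-bit keys and hash/pad the coin, so this demonstrates the property,
not a deployable design.
"""
import secrets
from math import gcd


def toy_rsa_keypair():
    # Constructed small primes for illustration only.
    p, q = 1000003, 1000033
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # private exponent
    return (n, e), d


class Bank:
    """Issuer: signs blinded coins and accepts each serial number once."""

    def __init__(self):
        self.pub, self._d = toy_rsa_keypair()
        self.spent = set()
        self.withdrawals = []    # everything the bank sees at withdrawal

    def sign_blinded(self, blinded):
        n, _ = self.pub
        self.withdrawals.append(blinded)
        return pow(blinded, self._d, n)

    def deposit(self, serial, signature):
        """Merchant redeems a coin; the bank checks signature and reuse."""
        n, e = self.pub
        if pow(signature, e, n) != serial % n:
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"

    def can_link(self, serial):
        """True only if the bank ever saw this serial during withdrawal."""
        n, _ = self.pub
        return serial % n in self.withdrawals


def withdraw_coin(bank):
    """Payer picks a secret serial, blinds it, gets it signed, unblinds."""
    n, e = bank.pub
    serial = secrets.randbelow(n - 2) + 2          # coin identity
    while True:
        r = secrets.randbelow(n - 2) + 2           # blinding factor
        if gcd(r, n) == 1:
            break
    blinded = (serial * pow(r, e, n)) % n          # bank sees only this
    blinded_sig = bank.sign_blinded(blinded)       # (m * r^e)^d = m^d * r
    sig = (blinded_sig * pow(r, -1, n)) % n        # strip r: m^d
    return serial, sig


def verify(pub, serial, sig):
    """Anyone holding the bank's public key can check a coin."""
    n, e = pub
    return pow(sig, e, n) == serial % n


if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw_coin(bank)
    print("valid coin:", verify(bank.pub, serial, sig))
    print("bank can link withdrawal to coin:", bank.can_link(serial))
    print("first deposit:", bank.deposit(serial, sig))
    print("second deposit:", bank.deposit(serial, sig))
```

The second deposit is refused by the serial list rather than by identifying the payer, which is how the scheme keeps anonymity for the honest spender while still stopping reuse.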
When using credit cards, digital signatures are left that can be linked to the specific
individual, describing where, when, and what was purchased for how much. This feature
of credit cards has made many people claim that technological developments lead to
greater control by the state or government over the individual. The anonymity of digital
cash would be a development in the opposite direction. In other words, the widespread
use of digital cash would render the prospect of a 1984 scenario, in which governmental
surveillance creates a society of fear, suspicion, and suppression unlikely, and act as a
guarantor of individual freedoms. Of course, all of this remains to be seen!
This anonymity does have its drawbacks, however. One example of this is criminal cases,
in which evidence of financial transactions is often an integral requirement for correct
judgement and sentencing. Thus, the financial anonymity of digital cash can make it
harder to convict criminals than it might otherwise have been.
Anonymous financial transactions and holdings also make it generally easier for money
laundering to take place. It can be argued, however, that this is relatively easy as it is
today with few currency controls and falling costs of overseas banking. With the advent
of anonymous digital cash, the costs and risks associated with money laundering would
fall considerably. Tax evasion would also become easier for similar reasons.
Just as the increasing ease of international capital movements has caused governments
worldwide to shift the burden of taxation from mobile to stationary capital, one
consequence of the reduced disincentives to evade taxes may be increased taxation of
geographically fixed assets. Hassle-free money laundering could lead to the extension of
organized crime.
An intriguing property of digital cash is that, in theory, anyone can issue it, and it is by no
means clear that banks will be the most successful players. The be-all and end-all of a
successful currency is confidence, and the issuers who command respect among
consumers have a huge advantage over others. Companies like Microsoft, Visa, and
Coca-Cola would, therefore, have a good base from which to start due to their impeccable
reputations and solid brand names.
An important determinant for which currencies will be accepted and trusted by
consumers is what they are backed up with. At present, the vast majority of currencies are
fiat-based (not to be confused with Fiat, the Turin, Italy-based car company). This means
that they have no intrinsic value and are not linked to anything of market value. The only
reason why people accept such paper currencies is that they expect everyone else to do
the same.
Such a system, however, could not possibly originate from scratch. Digital currencies
would, therefore, either have to be proxies for governmentally issued currencies, so that
for instance, one “Coca-Cola-Dollar” can be exchanged into 3 USD, or backed by assets,
such as precious metals, equities, or bonds in a fixed ratio.
Which of these two routes would dominate depends largely on the performance and
reliability of the governmentally issued currencies. But, comparative economic studies
show that currencies based on, for instance, precious metals are more reliable and stable
than fiat currencies. This is exemplified by the successful operation of the pre-World War
I gold standard, which played an integral part in the “Golden Age” of market liberalism.
Digital cash offers the prospect of competition much more intensive and extensive than
what exists at present. The various players would have to compete on qualities, such as
inflation, reliability, stability, confidence, and ease of use.
For private banks, there is an incentive to push the level of fractional reserve banking as
high as possible. This means that they issue more in terms of credit letters such as loans,
short-term credits, and, potentially, digital cash, than they have reserves to repay, by
gambling on the unlikelihood that a majority of their creditors will want to withdraw their
funds simultaneously.
The market mechanism balances this incentive to hold fractional reserves with the
consumers’ desire for minimal risk (and, thus, a high ratio of assets to credits). The free
operation of currency competition would thus drive the process toward the ideal balance
according to the preferences of the consumers.
Consumers would probably get information about the reliability of the various digital
currencies through the media and special consumer interest groups, and through the
development of brand name reputations in the same way as they do with goods such as
cars and furniture today.
The widespread use of digital cash would redefine the role of regulators, such as central
banks and the Federal Reserve. With the establishment of a competitive market in which
the laws of supply and demand determine the nature of the currencies in use,
governmentally supplied currencies would either have to compete in accordance with the
preferences of the consumers or obtain special privileges. Given the immense financial
security of most major governments compared with most corporations, it seems likely
that governments, if sufficiently aware of the situation, would be able to compete on
equal if not better terms than the private sector.
When it comes to regulating the digital cash industry, however, governments would face
severe difficulties due to its international nature. If a particular government decided to
place restrictions on, or even forbid, the use of privately issued digital cash, nothing
could keep the citizens of that very country from using digital cash issued abroad.
The only way in which it would be possible to effectively limit the use of digital cash,
would be if a broad coalition of governments issued a collaborative policy to this
purpose. Even then, small countries could act as free zones for digital cash issuance in the
same way as they do with regards to offshore banking today.
The current failure of governments to effectively combat illegal material on the Internet
shows that the ongoing developments of information technology place real restrictions on
the governments’ power and that, in the absence of extensive and effective international
agreements, digital cash would face very limited threats from the regulators.
Also worth noting is that some regulators seem reluctant to regulate digital cash. In
particular, Alan Greenspan, of the U.S. Federal Reserve, has taken a surprisingly
noninterventionist approach. This may be due to his background in Austrian economics,
which advocates free banking and a return to the gold standard.
But, with a major economic power such as the United States seemingly willing to accept
the unhindered development of digital cash, it will in turn be up to the consumers to
decide whether it is preferable to the governmentally issued fiat currencies of today[4].
Finally, let’s look at the future of digital currencies. This final part of the chapter focuses
on the emerging digital money-like products that will supplant most conventional
government issued money and existing payments systems over the next couple of
decades.
[4] Tynes, Johannes Skylstad, "Economic Consequences of Digital Cash," London School of Economics and Political Science (Houghton Street, London WC2A 2AE), © 2002, 2003.
The age of digital money is upon us. The new technologies of the Internet, digital
electronics, public key encryption, and the rapid price declines of computing power and
telecommunications bandwidth are having a dramatic effect on the financial world. These
new technologies are enabling the development of financial markets, procedures, and
instruments that economists in the past could only theorize about. Financial transactions
can be settled in real time even though the contracting parties may be thousands of miles
apart. Money and other assets can be moved at almost the speed of light to any point on
the globe for a minuscule cost. Easy-to-use encryption programs enable almost anyone to
move data or money around the globe with almost complete security. It is now possible
for private digital currency issuers to compete without the high information and
transaction costs that burdened the multiple-issuer systems in the past. Moreover, new,
private monies are emerging, including “digital gold.” The technical barriers have been
overcome, as well as many of the economic challenges.
The advantage of bearer instrument transactions is that settlement is in real time, and,
therefore, there is no risk of nonpayment, as there is in book entry transactions such as
checks and credit cards. There are no chargebacks to the merchant, and the risk of fraud
(in the absence of counterfeiting) is greatly reduced. Bearer instruments are also
anonymous, which can protect the owner from corrupt governments or criminal types.
However, because of this anonymity, many governments do not like or have prohibited
certain types of bearer instruments because they make it hard for tax officials to collect
revenue. Digital monetary and financial products are “disruptive” technologies, in that
their creation upsets the existing legal and public policy order as to how money and
financial products and institutions are regulated and organized. National borders are
ceasing to have the relevancy they once did.
Both businesses and governments need to build the appropriate legal order for the digital
age and understand how it should be managed. This requires changes in laws and
regulations, leaving businesses in a thicket of uncertainty during the transition period.
Central bankers, treasury officials, law enforcement authorities, and intellectual property
administrators (patent officials, etc.) will by necessity have to adjust to a different world.
Their challenge will be to create a new set of rules and procedures that bring the
necessary order without impinging on the rights of privacy of individuals and institutions,
or destroying the economic efficiencies that the new technology is bringing.
Many legal issues will arise as digital money becomes more prevalent. Given that most
digital money will be global in the sense that the Internet will facilitate its movement or
use outside its issuing jurisdiction, the lack of legal uniformity between countries raises
many policy issues. For instance, who has the liability if a failure does occur in a
particular digital money system because of fraud or for some other reason? When digital
money payments are made across national borders, who has jurisdiction? Does digital
money violate the monopoly rights of central banks to issue money? May a central bank
issue digital money? Do nonbank issuers of digital money need to be regulated, and if so,
who should the regulator be? Who is going to determine if the clearing organizations
have sufficiently robust and fraudproof systems?
Given that various digital money systems are now being developed and offered, the
answers to the preceding questions will probably slowly evolve over the next few years
as real problems emerge. Already, multilateral financial institutions, such as the Bank for
International Settlements and the International Monetary Fund, have established working
groups to try to develop recommendations for their members in dealing with the
previously mentioned issues. These BIS and IMF recommendations will be of particular
interest to the world’s central bankers who are facing the front line of change. To the
extent people use privately issued digital money for transactions, the demand for
government money is reduced. If people are willing to hold liquid balances in the form of
digital money, the quantity of demand deposits (checking accounts) that people need or
desire is smaller, thus reducing the central bank’s supply of money. The same principle
holds true for other money substitutes, from very limited money substitutes (balances
held on telephone cards, or frequent flyer miles), to broad, money-like products (digital
gold). As these broad and narrow-use money substitutes grow in popularity because of
their ease of use in the digital age, the amount of money supplied by central banks will
decline. Until some nongovernment money reaches a critical mass, whereby most users
and businesses find they can do a substantial portion of their business in the “new
money,” virtually all digital money and money substitute products will be reconverted to
central-bank-issued money at some point. However, even during this period of partial and
temporary substitution of digital money for central bank money, the demand for central
bank money will gradually decline.
Justifiable concerns have been raised about the innovations in payments technology and
the development of digital money and their impact on inflation. For monetary systems
with a quantity anchor (such as the U.S. dollar and other fiat currencies), technology
changes resulting in an increase in the money multiplier or a decrease in money demand,
will increase the price level unless base money is reduced by an appropriate amount. If
digital money is issued by an institution other than a bank, which has no reserve
requirement, the growth in digital money will increase the money supply unless the
central bank takes corrective action. The increases in the money supply resulting from the
new technologies will be both gradual and easily recognized, and, hence, would be
neutralized by the central bank, by appropriate reductions in the monetary base.
As with all innovations with payments technology, the introduction of digital cash has a
one-time effect on the price level. The money multiplier would be larger, but stable at its
new level. If digital money is issued by a bank at the expense of deposits, and is subject
to the same reserve requirements as deposits, the monetary effect would be approximately
neutralized. If digital cash issued by banks is subject to a 100% reserve, or if digital cash
is issued by a nonbank, with a 100% reserve, no new money is created. With any price
rule digital money system (commodity-backed systems), inflation by definition is not a
problem.
In general, electronic payments and digital money systems increase the efficiency by
which the existing money supply can make payments, thus reducing the demand for
money. These improvements tend to take place gradually over time, and are observed as
an increase in the velocity of money, which requires a compensating adjustment in base
money by the Federal Reserve. In summation, there is no reason for great concern in
terms of monetary policy management by central banks as a result of these new
technological innovations. The changes will be gradual and obvious, giving plenty of
time to make policy adjustments to prevent inflation.
One effect of the decrease in demand for central bank money will be the disappearance of
central bank seigniorage revenue. At present, the world’s central banks obtain a
considerable income from issuing paper banknotes, which are noninterest bearing central
bank liabilities. Among the G-10 countries, seigniorage as a percent of GDP ranged from
a low of 0.34% in the UK to a high of 0.71% in Italy in 2002. This seigniorage not only
provides for all of the central bank operations, but also provides their treasuries with
significant revenue. However, it is also apparent that the efficiency gains for the economy
from digital money swamp any negative effect on government revenue of the loss of
seigniorage revenue, which has been in effect a tax on the banking system.
It can be expected that the growth of digital money will have a direct and significant
impact on the common measures of the money supply, particularly currency and demand
deposits (M1 and M2). Given that many central bankers target these monetary aggregates
in the conduct of their monetary policy, the focus of monetary policy may need to
change. The growth of digital money could ultimately cause a substantial drop in banks’
demand for settlement balances. In the major economies, cash is the largest component of
central bank liabilities. Extensive use of digital money is likely to shrink the balance
sheets of the central banks significantly. At some point, the shrinkage might restrict the
central banks’ ability to conduct open market operations or foreign exchange sterilization
operations. However, to the extent that the new digital monies are fully backed by assets
such as gold or high-quality financial instruments, the need to conduct open market
operations will diminish, because the supply of money for transactions should
automatically adjust to demand.
As more and more transactions are settled on a real-time basis, the risk of nonpayment
and fraud declines, and, hence, the need for regulation and monitoring also declines. The
role of the central bank may ultimately shrink to doing little more than defining the
numeraire for the national money. The definition is likely to be a modern version of the
gold standard. Specifically, a national currency in the future may well be defined as a
monetary unit that is equal to a basket of specified commodities with a one world price,
such as gold and crude oil, and even some services. Any good or service having a one
world price that is set in organized auction markets could be a candidate for a currency
basket that would be used to define the value of the monetary unit.
Some central banks might also continue to serve as a lender of last resort to large
financial institutions by using off balance sheet transactions. The need for such a lender
of last resort would seem to diminish in a world of instant information on almost all
activities, institutions, and real-time settlements. In the new century, the kind of financial
shocks and surprises experienced in the past ought to be increasingly rare, unless
financial regulators interfere too much with the market adjustments that will naturally
occur in a world of increasingly perfect information.
The rapidity of adoption of digital money systems by consumers depends on how their
cost, convenience, and anonymity are perceived in relation to paper currency and coin.
Eventually, electronic transfer and digital money systems will replace paper and coin,
because they can greatly reduce transaction costs and will ultimately become more
convenient. At the current level of technological advance, it appears that within relatively
few years, whether they involve a few cents or millions of dollars, almost all monetary
transactions will move over the Internet, or by wireless device, or by chip card for small
transactions. The question of anonymity will remain an impediment, until policymakers
understand that the fundamental desire and right to personal privacy must be
accommodated with the new technologies, to an extent no less than people now have with
cash. The role of central banks will change, and will likely shrink, as a result of the new
technologies.
One danger to the world economy is that central banks will try to hold on to their
traditional roles by restricting the new technologies or regulating them in such a way as
to make them noneconomic. Regulators should keep a hands-off approach until a problem
has been clearly demonstrated and, at that time, devise corrective actions to do the least
damage to innovation and financial freedom.
Law enforcement officials around the world have been concerned about the potential
abuse of digital money systems for the purpose of money laundering, and, therefore, are
trying to restrict or ban them. Officials in various government and regulatory agencies,
such as the Financial Crimes Enforcement Network, assert that they should have more
power and ability to monitor all transactions. It is true that digital money systems,
particularly anonymous ones, may indeed make the job of money laundering easier. On
the other hand, many government law enforcement agencies throughout the world have
abused basic rights to financial privacy. The benefits of digital money greatly outweigh
the potential criminal abuses, and, hence, measures to restrict the use of digital money
should be resisted. Without the availability of anonymous systems, there will be strong
resistance on the part of many individuals to fully move to e-payments systems and
digital money.
The existing efforts against money laundering, primarily by the United States and major
European governments, have not proven to be the least bit cost-effective. For instance, in
the United States in 2002, only 1,376 people were convicted of money laundering, yet the
cost to the private and public sectors of the anti-money-laundering efforts exceeded 50
billion dollars, which comes out to more than 4 million dollars per conviction. For
example, the British state has been able to take out 0.008 percent of the criminal money
that has flowed through London. There is no evidence that authorities in the United States
are having much more success. Money launderers do not have a statistically significant
chance of being caught and losing the profits from their misdeeds, and, therefore, the
deterrent effect of such laws is negligible. Privacy advocates have also documented that
the money laundering laws are very arbitrarily enforced in many countries, including the
United States. Money laundering is a crime of motive, rather than one of specific activity,
hence its enforcement, by the very nature of the crime, is highly subjective. This
subjectivity leads to selective and politically biased enforcement. Because of the constant
threat of the vagueness of the money laundering laws and regulations, constructive
financial innovation has been retarded, particularly in the development of digital monies.
The money laundering laws have propelled the United States to adopt attitudes
insensitive to foreign countries’ rights to self-determination, and to violate the
sovereignty of foreign states. The United States tries to impose policies on foreign states
and businesses that the United States would never accept if the situation were reversed.
The United States and the European Union have no business telling smaller developing
nations that they are involved in “harmful tax competition,” or that they should abolish
bank and corporate secrecy laws. Small nations have a need and a right to attract foreign
capital, and it is perfectly legitimate for them to compete against harmful tax, regulatory,
and privacy policies that larger nations impose on their own citizens.
Recommendations
Digital payments and monetary systems are coming of age, and will replace most existing
money and payments systems over the next couple of decades. These changes will bring
enormous economic benefits by greatly increasing the efficiency and reducing the costs
of your payments systems. In addition, the absence of paper currency and coin, which is
readily subject to theft or loss, should greatly reduce crime. The U.S. government has a
choice of either embracing the new technologies and helping them along (mainly by
getting out of the way), or taking a “Luddite” approach and attempting to restrict and
deny the inevitable. A civil society depends on a government that does not unduly restrict
liberty and economic opportunity.
The following recommendations will seem radical and frightening to those who do not
understand the new technologies and where we are headed. However, those who do
understand the new technologies, and desire a civil society that provides liberty, privacy,
and economic opportunity, will see these recommendations as desirable and necessary.
First, remove all restrictions on issuing digital bearer financial instruments, including
stocks and bonds. Financial cryptographers have already figured out how to issue such
instruments in cyberspace, and many feel that they do not need the government’s
permission. Rather than create a new class of cybercriminals, governments should
recognize the reality, and do something that is both good for the economy and that
supports civil liberties.
Second, remove the capital gains tax from trading in commodities and private currencies,
in order to allow the full development of commodity-backed digital currencies (such as
gold) and other digital currencies. The capital gains tax on commodities does not bring
any revenue over the long run to government, given that losses and gains offset each
other. In the real world, it is probably a net loss for the government, because people will
be more prone to report their losses rather than their gains, and it reduces the efficiency of
the commodities markets. Over the long run, “capital gains” from currency trades are
most often created when a government has debased its own currency.
Third, remove all restrictions on anonymous digital money and payments systems.
Restrictions are almost impossible to enforce, and privacy is a basic human right.
Finally, repeal the Bank Secrecy Act and the subsequent related anti-money-laundering
legislation. The existing legislation and implementation is not cost-effective, is subject to
abuse, interferes with basic civil liberties to an unacceptable degree, and actually results
in higher levels of crime[3].
[7] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
[3] Rahn, Dr. Richard W., “Digital Money,” House Committee on Financial Services, 2002.
Summary
This chapter discussed the market implications of adopting electronic payment systems
and digital currencies in electronic commerce. The key to understanding and exploiting
electronic commerce is to recognize it as a market mechanism, where all components of a
market interact and must be analyzed collectively. For example, electronic payment
systems bring more than lowered transaction costs, affecting product choices, pricing,
and competition. This chapter also examined economic implications of electronic
payment systems—especially micropayments enabled by digital currencies in terms of
size advantage, the lemons problem, digital product pricing, product differentiation—the
commoditization of consumer information and advertisements, and copyrights. In short,
electronic payment systems are one of the critical factors that allow process innovations
via electronic commerce. Finally, these process innovations may either promote
competitive and efficient markets or worsen the trend toward the vertical integration and
monopolization in the globalized economy.
Overview
The Internet connects potential customers with merchants in many different countries.
International e-commerce payment solutions provide a channel for money to cross oceans
and borders as follows:
• Visa TravelMoney: Security and convenience for all your travel needs
(http://usa.visa.com/personal/cards/visa_travel_money.html)
The following services allow buyers to use their own conventional credit cards without
requiring the merchant to establish an actual merchant credit card processing account:
PayPal claims to have over 10 million accounts and is a major player on eBay and other
auction sites. An attractive feature of PayPal is the relatively low fee of 2.9%. With no
setup fees, this is an attractive option for e-commerce vendors. One drawback is the
inconvenience for the buyer of having to set up a PayPal account before being able to use
his credit card to buy your product. Through PayPal, the consumer retains all the
protections provided by his own credit card issuing banks and institutions, such as Visa
and MasterCard. If the buyer demands a refund or obtains a chargeback through the bank,
PayPal makes the adjustment on the vendor’s PayPal account.
Currently, you can use any U.S.-based checking, savings, and money market accounts to
send and receive money by c2it. You can also use any MasterCard or Visa credit card
accounts. You do not have to link a Citibank account to use c2it. MasterCard and Visa
debit cards may only be used to Send Cash and Add Cash at this time, and may not be
used for transferring money between linked accounts. Although this is one of the most
versatile and low-cost person-to-person payment services, it is not designed for e-
commerce merchants. Guess who created the first ATM in the world? Yes, Citibank in
New York.
Another payment option is ClickBank, which charges a higher flat fee of 7%, but makes
the purchase more convenient for the consumer. The merchant pays the 7% fee for each
transaction and also pays an initial setup fee of $49.95. For low-volume start-ups, this
may still be a lower cost than establishing an actual merchant account with Visa or
MasterCard.
BillCC.com, iBill, and Revecom provide alternative e-business opportunities using their
own merchant accounts to sell your products, subject to careful controls. Without the
specific approval of the underwriting banks, using one company’s merchant account to
sell another merchant’s products is called factoring, and is a violation of Visa and
MasterCard rules.
If your business is international in nature, or your customers are from other countries, you
may need an international payment service such as the Global Debit Card. This system
uses CIRRUS ATM cards and MasterCard debit cards to access cash and make purchases
throughout the world. You may also become a B2B reseller of the debit cards by signing
up with the Financial Services International network. If you, as the seller or merchant,
can accept debit cards, this will enable purchases from virtually anywhere in the world.
The Global Debit Card does not require a social security number and includes a CIRRUS
PLUS debit card and a MasterCard debit card for the same account. Although a U.S.
mailing address is required to apply for the debit card, the card applicant can establish a
U.S. mailing address for a minimum of $40 plus postage to the applicant’s foreign
address using the U.S. Mailing Address service at usmailingaddress.com
(http://www.usmailingaddress.com/mgoldmine/). Funds may be deposited in the debit
account through Western Union or Money-Gram in U.S. dollars.
Smart cards and digital wallets use traditional credit card accounts to enhance online
shopping in different ways. Smart cards have embedded chips that when read by a smart
card reader verify that the original card is present at the moment the transaction is being
enacted. Digital wallets hide the credit card account number when the transaction takes
place and also fill in shopping cart forms for you with ease.
Another credit card processing alternative is using e-cash systems, such as eCharge,
Qpass, iPin, and trivnet. Merchants can set up accounts with each of these resources to
enable e-cash online payments.
Your Internet business can be facilitated by marketing your products on the Internet
without the overhead of having your own merchant account. Another alternative is token
money that can be traded for real products. Several auction portals and merchant account
alternatives, as well as e-cash options, are listed in the following sections.
Auction Resources
If you’re selling collectors’ items or unique products, this may be a good way to start.
The following are some currently available auction resources:
Smart Cards
Smart cards are more secure because of embedded chips that verify the card’s presence in
a smart card reader. In the near future, all new PCs will ship with standard smart card
readers. The following are some currently available smart cards:
Digital Wallets
Digital wallets use a standard credit card account and disguise your real credit card
number with a one-use number. The advantage is more security and convenience because
payment forms are filled in automatically. The following are some currently available
digital wallets:
Person-to-Person Payments
These offer secure payment alternatives for small ticket items. The following are some
currently available micropayment systems:
Finally, you can earn credits to shop at various stores by using these token-based
alternatives to real money. The following are some currently available token value and
store-based credit systems:
• Flooz (http://www.flooz.com/)
• InternetCash (http://www.internetcash.com/)
• Praxell (http://www.praxell.com/)[1]
Summary
This chapter does not endorse any e-commerce service listed on this site. The information
provided is to help you become aware of numerous options that you should investigate on
your own. After you’re ready to start making money, many of the links in this chapter
will take you directly to the service you need to start processing transactions on the Web
without a traditional merchant account!
—Anonymous
Overview
To help companies make informed decisions and capitalize on the right opportunities, this
chapter discusses solutions designed to help companies integrate business partners more
effectively. Although this notion encompasses a wide range of business challenges and
solutions (including supply chain management, procurement, and CRM), this chapter
focuses specifically on one concept: supplier enablement. The supplier enablement
initiative and technology solutions (whether they be B2B or B2C) are aimed at helping
companies of all sizes to sell to their trading partners more effectively by integrating with
customers’ procurement systems, as well as e-marketplaces and other electronic sales
channels—all from a single e-business foundation. No matter how large or small a
business is, or how complex or simple its business processes, supplier enablement
solutions make it easier for a company to reach its customers through whatever
purchasing method they prefer.
More specifically, the supplier enablement solutions leverage existing and new
technology investments, open technology standards, and partnerships to empower
suppliers to reach the broadest set of buyers. This is done by selling both directly from
and beyond their own Web site, through a range of cost-effective, high-performance
solutions that offer superior scalability, reliability, and time-to-market.
Before solving key issues in B2B e-commerce, it is important to understand the key roles
that companies or individuals within companies play. There are four primary roles in B2B
e-commerce. Every company plays at least one of them, and many companies play
multiple roles. Figure 25.1 shows three of the roles (Web services live within and
between the three others)[1].
Suppliers: Businesses that market and sell goods or services directly to business
customers through traditional or other sales channels, ideally selling directly to their
customers’ Web-based procurement systems and electronic marketplaces.
Buyers: Customers and businesses that purchase goods and services directly from
suppliers, either through traditional means or electronically through self-service
procurement systems, ERP-based procurement applications, and electronic marketplaces
(private or public). Examples of buy-side applications include those from vendors such as
SAP, Ariba, Clarus, PeopleSoft, Commerce One, Oracle, and many others.
Each role has distinct business and technical challenges, but there are some common
themes. For buyers, market makers, and Web service providers, the primary issue is
liquidity. Success depends on the ability to reach the critical mass of trading partners and
transaction volume necessary to provide sufficient return on investment and create a
viable, sustainable business.
Suppliers face the difficult challenges of maintaining the ability to sell effectively to all
their customers, both in traditional channels and through emerging e-commerce channels,
while finding a way to differentiate themselves from the competition in those new
electronic environments.
As a result, although it has been relatively easy to convince buyers and market makers of
the value of B2B e-commerce, suppliers have been much slower to come around. And,
without a critical mass of suppliers, the savings from procurement systems can’t be
maximized and the liquidity that e-marketplaces require will be impossible to achieve.
[1] “Empowering Suppliers for Integrated Business-to-Business E-Commerce,” © 2002 Microsoft Corporation. All rights reserved. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, 01100, 2003.
Arguably, the number one reason that suppliers have been reluctant to take advantage of
B2B e-commerce is that although electronic trading offers clear, easy-to-understand
benefits for buyers, the value proposition for suppliers has been much less clear.
Suppliers must look at the e-commerce landscape as it relates to their own business
ecosystem and their ongoing efforts to drive maximum revenue and benefits. And, all
suppliers have different types of customers who must be served through some
combination of traditional and electronic methods. In addition, e-commerce systems must
integrate with and take advantage of existing internal systems (see Figure 25.2)[1]. Finally,
electronic channels must offer suppliers the ability to differentiate themselves and expose
their business value to their customers in order to compete effectively.
A wide range of electronic selling channels exist today. One hypothetical example:
imagine a maker of industrial supplies based in Brazil that sells products directly to
customers all over the world via its Web site, to its biggest customers in North America
and Europe through their electronic procurement systems, and to a wide range of
additional customers through vertical and regional marketplaces. Because all of those
external systems may use different platforms, technologies, communication standards,
and data formats, integration can be complex and costly. To be truly valuable for the
supplier, a solution must insulate a supplier’s processes and strengths from the
complexities that exist outside of its control.
Some solutions offer suppliers the ability to make their goods and services available and
take orders electronically, but stop far short of truly empowering the supplier. In some
cases, these solutions actually threaten their existing business by reducing a company’s
ability to differentiate itself and expose the true value of its products or services.
For suppliers that are considering whether to embrace B2B e-commerce, it is important to
understand the business and technical challenges, as well as the functionality necessary to
achieve success online. These challenges fall in three major categories:
The first step in any electronic selling environment is providing suppliers with the ability
to get their products and services to market. Several challenges must be overcome to
make this possible.
Catalog Considerations
What separates a good catalog from a bad catalog? The characteristics of successful
electronic catalogs include the ability to create and manage custom catalogs, including
catalogs that provide customized pricing for individual customers or specific selling
channels. Interaction with existing sources of product, pricing, and inventory information
(ERP, supply chain, and other back office applications) is also critical. Additionally, an
effective catalog system should provide Web-ready information (photos, short and long
descriptions, links to additional information, etc.) and proper classification data (such as
UNSPSC) to be effective with customer applications.
Catalog Publishing
Any effective solution must provide the ability to publish product and pricing
information. This can be done in whatever format is required to meet the needs of any
customer, without adding new layers of complexity for the supplier.
Even if you can make your products and services available, how do you make them easy
to find? How do you make it easy to begin an electronic relationship with your company?
After a supplier has made its products and services available electronically, it must then
be able to deal with the various types of orders that will be generated. Although “many
orders from many customers” is a good problem to have, it comes with two key
challenges: accepting multiple orders and order management.
Much like the challenge of making products and services available to customers who use
different platforms and technologies, receiving orders from multiple customers using
different order formats and delivery and communication protocols can be difficult. An
effective supplier solution must insulate the supplier from this complexity by seamlessly
handling the delivery and transformation of all orders, regardless of format or protocol.
This offers a dramatic benefit to both buyers and suppliers because it allows each to use
its preferred business processes and order formats while communicating easily with the
other. In addition, inside a supplier’s systems, data and information from all customers
will be similar.
Order Management
Equally challenging are the many ways that incoming orders can be managed. This varies
greatly depending on the existing processes of the supplier. As a result, suppliers must
have the ability to process orders locally within the sell-side environment and integrate
them directly with existing order management and back office applications. For that to be
truly manageable, the solution must be intelligent enough to orchestrate and execute the
supplier’s business processes, depending on the characteristics of the order.
The third key challenge (and opportunity) for suppliers when choosing a solution for
effective online selling is understanding how the solution will interact with their existing
technology infrastructure, as well as what additional value it will provide to the
organization. Many e-commerce solutions focus primarily on external integration and
data exchange, but fail to address key internal challenges for the supplier.
Suppliers of all sizes and complexity have made investments in applications such as
enterprise resource planning (ERP), accounting, supply chain management (SCM),
customer relationship management (CRM), and more, all of which may run on different
technology platforms. Attempting to replace or work around these applications is
expensive and complicated. It is also unnecessary, especially when the tools and
technologies exist to allow suppliers to leverage those systems to their fullest while
adding incremental value.
In addition to existing systems, most businesses have internal processes that provide
significant value to the organization. An effective solution should leverage those
processes and complement them by providing the necessary tools and workflow features.
Business Intelligence
After the challenges and functional requirements previously described are met, the
supplier has the opportunity to leverage a B2B e-commerce solution to enhance its
decision-making capabilities. It is not enough for a sell-side solution to simply provide an
electronic means to trade with multiple customers. It must provide, at a minimum,
strategic information about what a company is selling and to whom. A B2B e-commerce
system begins to provide real value when it can deliver the data needed to help suppliers
answer such questions as:
Enabling Technologies
Now, let’s look at B2C electronic information systems. This part of the chapter explores
the common pitfalls in the design and implementation of a successful e-commerce
information architecture. After identifying the most common problems, this part of the
chapter shows how to architecturally guarantee continuous Web site availability and
scalability, successfully implement a clickstream data warehouse, and create a contractual
environment with technology suppliers that ensures the business success of the e-
commerce enterprise.
Business-to-Consumer
But, are the millions of e-commerce site users necessarily also site customers? Obviously
not—site users can be anyone from casual visitors, to advertising click-throughs, to
targeted prospects, to actual customers. Although traditional brick-and-mortar commerce
enterprises typically have no easy way to record and analyze user behavior until they
become customers (if even that), e-commerce enterprises can record and analyze all
activities of all types of users, all of the time (see Figure 25.3)[2]. The ability to record and
analyze all site user behavior in minute detail gives e-commerce enterprises a significant
edge over brick-and-mortar competitors who have little direct visibility to the behavior of
anyone besides actual customers (see Figure 25.4)[2].
E-Commerce Information System Architecture
Electronic commerce enterprises typically have five categories of business activity that
are realized in up to a dozen potential business activity fulfillment mechanisms. The
correspondence between the business activities and their fulfillment mechanisms is
shown in Figure 25.5[2]. A particular e-commerce enterprise may not have a full suite of
the fulfillment mechanisms, depending on its business model and its maturity as a
business. For example, not all electronic commerce enterprises have telephone call
centers. At a minimum, they require only a Web-based customer service interface. But, a
fully-functional e-commerce enterprise generally will have aspects of all the business
activities and the fulfillment mechanisms.
Backend Operational Systems: On the Web, order entry becomes a very broad category
that includes much more than the ordering of products by customers. Order entry and
fulfillment is the action-driven outcome of user analysis of site content, customers or
otherwise. This can include product orders, information downloads, requests for more
information, information tailoring requests (like My Yahoo), financial orders such as
stock purchase, sale, or funds transfer, general order status requests, and so forth.
Note: Not all sites have call center systems, but all e-commerce sites have Web servers by
definition.
The next set of stakeholders is the e-commerce enterprise’s operational personnel, who
are responsible for the care and feeding of the frontend Web servers, call centers, and the
operational tie-ins to external user acquisition media. In many cases, e-commerce
operational personnel are solely focused on these frontend systems despite the obvious
need for backend system functionality. For more enlightened e-commerce enterprises,
operational personnel also have a stake in order entry/order fulfillment systems, which
centrally fulfill site-oriented activities, which may include things like user registration,
requests for information, downloads, product or service (stock/auction) orders, and so on.
Web server site content may also be distributed centrally from such a system.
E-commerce executive management and stockholders have a stake in the success of all
the systems of an enterprise, but they are acutely interested in a well-implemented
enterprise financial management system. These systems enable up-to-the-moment
financial management of the enterprise, directly linked to the actual revenue and cost
streams associated with frontend and backend operational systems. Without such a
system, management is essentially flying blind from a financial perspective, which is
very dangerous and, unfortunately, a very common situation with young e-commerce
enterprises. A properly implemented enterprise financial management system can also
satisfy the financial reporting requirements set forth by the SEC and investment bankers,
which are among the required prerequisites for successful initial public offerings.
So, what is the principal problem with this complex e-commerce information architecture
landscape? The lack of focus on backend e-commerce information systems, as shown in
Figure 25.9[2].
Many e-commerce start-ups are expert-heavy in frontend Web servers and business
domain knowledge. This is good, but they often lack corresponding expertise in the
details of the backend information systems that enable critical functions, such as order
entry and fulfillment, financial management, and the analysis of user behavior on their
Web sites. This lack of depth in a total e-commerce IT solution leads to the following
fundamental business problems:
Many e-commerce enterprises fail to undertake the difficult design and implementation of
a highly scalable clickstream/callstream data warehouse, which records the activities of
all users of a particular Web site and its associated call centers. The knowledge derived
from the analysis of the information in the clickstream/callstream data warehouse is the
key to long-term competitive advantage of an e-commerce enterprise, making the
implementation of an effective clickstream/callstream data warehouse an early priority in
the life of an e-commerce enterprise.
It is easy to lay blame and identify problems, but how does one construct a viable
solution model that conquers these three fundamental e-commerce enterprise dilemmas?
The next part of the chapter explores solutions to each of these important problems.
Because e-commerce enterprises are information entities at their core, the problem of
high availability becomes particularly acute. A highly available implementation of the
information architecture of an e-commerce enterprise also needs to deliver high levels of
performance, even in the face of failure, which places special performance design and
implementation requirements on this highly available architecture.
Typical e-commerce enterprises take care of the first level of these requirements by
sitting their Web servers at Web site-hosting service providers, such as Exodus,
AboveNet, Frontier GlobalCenter, and others. These site-hosting service providers
typically have multiple geographically separated, secure buildings that are sited on top of
central-location Internet backbone connections for fast access. The e-commerce
enterprise’s Web servers are placed at one or more of the Web-host service provider sites,
creating fast, replicated Web server access for site users. In addition, the site-hosting
service providers typically create a high availability environment for the hosted site
servers, including such features as redundant Internet backbone connections, redundant
uninterruptible power grids, non-water-based fire suppression, and caged-system physical
security measures. An architectural diagram of this type of environment is shown in
Figure 25.10[2].
Multiple replicated-content Web servers reside at these sites, providing a continuous Web
presence for the e-commerce enterprise. Users enjoy fast and reliable access, and
operational personnel can theoretically sleep at night.
But, not all of the critical e-commerce systems can be replicated as easily as the Web
server frontends. Backend systems tend to be centralized by their very nature and this
creates a new set of single-point-of-failure problems that go beyond the site and
environmental redundancy provided by the site-hosting service provider.
For example, backend order entry, processing, and fulfillment systems are usually
centralized. A customer who places an order from a particular Web server may later
inquire about its status from another server, and all the order information needs to be
stored in a centralized database so that this functionality can be delivered from any point
of entry. But, the system that houses this centralized order database becomes a major
single point of failure that requires a redundant architecture on top of that provided by the
Web hosting service provider.
Any failure in the hardware or software of the centralized backend order system can stop
an e-commerce site, and the types of “orders” can be anything from a purchase of
physical goods, served-up advertisements, auction site bids, stock market buy and sell
orders, to site content information. These centralized information systems must have a
redundant, clustered, highly available implementation within a particular site-hosting
environment, or they become a single point of failure.
Taking all of the preceding issues into consideration, a fully redundant, geographically
replicated, high-availability e-commerce system architecture, including all frontend and
backend systems, is shown in Figure 25.11[2].
Problem Two: The Design and Implementation of an Effective
Clickstream/Callstream Data Warehouse
It is a cliché, but the Web changes everything about the design of a B2C commerce-
oriented data warehouse. The wide scope of this change is best appreciated by reviewing
the typical data warehouse schema of traditional brick-and-mortar retailers, a simple
example of which is shown in Figure 25.12[2].
Although traditional brick-and-mortar retail data warehouses differ greatly in the details
of their specific implementations, all have some version of four key dimensions: Time,
Product, Geography, and Promotion, as well as a Sales Fact table containing sales
transaction data. There is also no notion of a customer dimension in this old-style data
warehouse. Until recently, it was so difficult to capture the identity of a specific customer
and his associated market basket that this key analytical dimension, perhaps the most
important of all the dimensions, was left out. Nevertheless, the information contained in
this type of schema has changed the face of retailing, greatly improving inventory
management, store layout, and mass-media advertising effectiveness.
Customer/market-basket analysis is a great advance, but there are two classes of potential
customer activity that are not captured by loyalty cards or other brick-and-mortar
information system tie-ins. Sales prospects are potential customers who comparison
shop at different stores, review catalogs, and assess various advertisements. They move in
and out of a particular retailing environment without leaving a trace of their activity,
unless, of course, they actually buy and become a customer. Casual visitors, just
browsing your store, catalog, or advertisements, are similarly anonymous. Web-based e-
commerce is unique in that it can capture all the presales activity of prospecting potential
customers as well as browsing visitors, greatly enhancing the enterprise’s overall market
knowledge, and permitting much more sophisticated customer acquisition and retention
strategies. As mentioned earlier, in an e-commerce environment, you lump visitors,
prospects, targets, and customers into the general category of users. Let’s now start with
the data warehouse schema of a forward-looking brick-and-mortar retailer and see how it
changes in an electronic commerce environment.
The E-Commerce Data Warehouse Site Activity Fact Table Records
Much More Than Just Sales Activity
The traditional brick-and-mortar Sales Fact Table becomes the User Activity Fact Table
in the e-commerce environment. Although actual sales transaction information is all that
is typically known in the brick-and-mortar world, e-commerce sites can record all site
user activity, including that of prospecting buyers, targeted users, and casual visitors (see
Figure 25.13)[2].
On the Web, the presales activity of actual customers can be recorded in minute detail.
Facts that can be recorded in a User Activity Fact Table include activity source, time
spent on the activity, activity cost, and activity revenue. For example, an activity source
might be a parent Web page URL, or the TCP/IP address of a site user coming into the
site. Time spent is the elapsed time spent on a particular site Web page or frame. The site
activity cost is the dollar cost to the enterprise for the activity on the page or frame, and
the activity revenue is the revenue gained from the site activity, both of which can be any
number greater than or equal to zero. Each of these site activity facts has a composite key
from the associated e-commerce data warehouse dimension tables, which are explained
next. The voluminous clickstream detail creates an explosion of fact table information
that makes scalable data warehouse environments an absolute necessity.
The leading-edge Customer Dimension from the brick-and-mortar world becomes the
User Dimension in an e-commerce environment. External e-commerce site users are
visitors that can be any one of customers, prospecting potential buyers, or casual visitors,
and all their site activity is easily recorded by Web logging mechanisms.
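As an added illustration (not from the book), the following Python builds a small version of the User Activity Fact Table described above in SQLite, with the four facts the text lists (activity source, time spent, activity cost, activity revenue) keyed to User, Time and Source dimension rows, and loads a constructed set of clickstream events that includes a customer and a visitor known only by IP address. All table and column names, and the sample events, are this example's own assumptions.

```python
"""Minimal clickstream warehouse: a User Activity Fact Table plus User, Time and
Source dimensions, in SQLite. Added example; schema names are assumptions."""
import sqlite3
from datetime import datetime

# Constructed sample events (not real traffic). customer_id None = anonymous visitor
# whose only identity is the originating IP address; referrer None = direct entry.
SAMPLE_EVENTS = [
    {"customer_id": 42, "ip": "203.0.113.7", "referrer": "ads.example-search.test",
     "ts": "2003-07-14T10:02:11", "page": "/catalog/widgets",
     "seconds": 45, "cost": 0.25, "revenue": 0.0},      # paid click, no sale yet
    {"customer_id": 42, "ip": "203.0.113.7", "referrer": "ads.example-search.test",
     "ts": "2003-07-14T10:05:40", "page": "/checkout",
     "seconds": 120, "cost": 0.0, "revenue": 79.99},    # the sale
    {"customer_id": None, "ip": "198.51.100.23", "referrer": None,
     "ts": "2003-07-14T10:03:05", "page": "/",
     "seconds": 8, "cost": 0.0, "revenue": 0.0},        # casual visitor, direct
    {"customer_id": None, "ip": "198.51.100.23", "referrer": "banner.example-portal.test",
     "ts": "2003-07-14T11:30:00", "page": "/catalog/gadgets",
     "seconds": 30, "cost": 0.10, "revenue": 0.0},      # banner click-through
]

SCHEMA = """
CREATE TABLE dim_user (user_key INTEGER PRIMARY KEY, user_type TEXT NOT NULL,
                       customer_id INTEGER, ip_address TEXT);
CREATE TABLE dim_time (time_key INTEGER PRIMARY KEY, day TEXT NOT NULL, hour INTEGER NOT NULL);
CREATE TABLE dim_source (source_key INTEGER PRIMARY KEY, referrer TEXT, source_kind TEXT NOT NULL);
CREATE TABLE fact_user_activity (
    user_key   INTEGER NOT NULL REFERENCES dim_user,
    time_key   INTEGER NOT NULL REFERENCES dim_time,
    source_key INTEGER NOT NULL REFERENCES dim_source,
    page       TEXT    NOT NULL,
    seconds_spent    INTEGER NOT NULL CHECK (seconds_spent >= 0),
    activity_cost    REAL    NOT NULL CHECK (activity_cost >= 0),
    activity_revenue REAL    NOT NULL CHECK (activity_revenue >= 0),
    PRIMARY KEY (user_key, time_key, source_key, page)   -- composite key from the dimensions
);
"""


def _dim_key(con, table, key_col, lookup, extra=()):
    """Find-or-insert a dimension row and return its surrogate key.
    Table/column names come from constants in this file; values are bound parameters."""
    where = " AND ".join(f"{col} IS ?" for col, _ in lookup)   # IS also matches NULL
    row = con.execute(f"SELECT {key_col} FROM {table} WHERE {where}",
                      [val for _, val in lookup]).fetchone()
    if row:
        return row[0]
    cols = [col for col, _ in lookup] + [col for col, _ in extra]
    vals = [val for _, val in lookup] + [val for _, val in extra]
    marks = ", ".join("?" * len(vals))
    cur = con.execute(f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({marks})", vals)
    return cur.lastrowid


def load_events(con, events):
    """Resolve each event's dimension keys and insert one fact row; returns rows loaded."""
    for e in events:
        if e["customer_id"] is not None:   # identified customer: one row per customer id
            user_key = _dim_key(con, "dim_user", "user_key", (("customer_id", e["customer_id"]),),
                                (("user_type", "customer"), ("ip_address", e["ip"])))
        else:                              # anonymous: the IP address is all we know
            user_key = _dim_key(con, "dim_user", "user_key",
                                (("customer_id", None), ("ip_address", e["ip"])),
                                (("user_type", "visitor"),))
        ts = datetime.fromisoformat(e["ts"])
        time_key = _dim_key(con, "dim_time", "time_key", (("day", ts.date().isoformat()), ("hour", ts.hour)))
        kind = "direct" if e["referrer"] is None else "referral"
        source_key = _dim_key(con, "dim_source", "source_key", (("referrer", e["referrer"]),),
                              (("source_kind", kind),))
        con.execute("INSERT INTO fact_user_activity VALUES (?, ?, ?, ?, ?, ?, ?)",
                    (user_key, time_key, source_key, e["page"], e["seconds"], e["cost"], e["revenue"]))
    con.commit()
    return len(events)


def build_warehouse(events=SAMPLE_EVENTS):
    """Create the schema in memory and load the events; returns the connection."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    load_events(con, events)
    return con


def totals_by_source(con):
    """Seconds, cost and revenue per activity source (the 'Web geography' of the text)."""
    rows = con.execute("""
        SELECT COALESCE(s.referrer, 'direct'), SUM(f.seconds_spent),
               SUM(f.activity_cost), SUM(f.activity_revenue)
        FROM fact_user_activity f JOIN dim_source s USING (source_key)
        GROUP BY s.source_key""").fetchall()
    return {r[0]: (r[1], round(r[2], 2), round(r[3], 2)) for r in rows}


def activity_by_user_type(con):
    """Fact rows per user type, so visitors and customers are analyzed in one store."""
    rows = con.execute("""
        SELECT u.user_type, COUNT(*) FROM fact_user_activity f
        JOIN dim_user u USING (user_key) GROUP BY u.user_type""").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_warehouse()
    print(totals_by_source(db))       # search ad: 165 s, $0.25 cost, $79.99 revenue
    print(activity_by_user_type(db))  # {'customer': 2, 'visitor': 2}
```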
Note: E-commerce site users do not necessarily have to be external to the enterprise.
If customer service and call center personnel use a Web-based system, then customer
service call center site activity can be recorded in the same data warehouse schema that is
used for external clickstream activity (see Figure 25.14)[2]. This realization is an
important breakthrough, because it links all user contact activity in a single data store,
whether the method of contact is via the Web, the telephone, or e-mail. All electronic user
activity is recorded, regardless of media, in the unified clickstream/callstream data
warehouse. In addition, the knowledge gained from the full spectrum of user activity
stored in this unified analytical model gives significant competitive market and customer
knowledge advantages to e-commerce enterprises.
In the press and analyst reports, much is made about the difficulty of identifying a visitor
to a Web site, because, at a minimum, all that is known about a visitor is his originating
IP address and nothing else. Although this is a problem, it pales when compared to that of
the traditional brick-and-mortar retailer who typically has no idea who visited a store
(walked in and then out of his store), what they did while there, or which potential
customers scanned and silently rejected expensive print or media ad campaigns or never
read them at all (see Figure 25.15)[2]. In contrast, the e-commerce entity can capture the
details of all client visits and Web ad-induced click-throughs, and although they may not
know the client’s exact identity, they at least know that he got to the site and what he did
there. The analysis of his behavior is significant, even if his actual identity is unknown.
This is a significant increase in customer/prospect/visitor knowledge, and it gives
electronic enterprises a significant competitive advantage over brick-and-mortar
competitors.
Geography Gains Fine Detail on the Web
Physical Geography
Physical geography is the physical location of the site user. The physical geography of a
user may not necessarily be derived from a user’s IP address, but to the extent that it is
known, it provides insight into geographic customer behavior patterns. For example, a
global Web e-commerce enterprise can market summer items in July to users in the
Northern hemisphere, while simultaneously marketing winter items to users in the
Southern hemisphere where the seasons are reversed.
Web Geography
Web geography is the identity of the source site that got the user to the e-commerce site.
This source is at least a TCP/IP address. But, source site information can be enriched with
other identifying factors, including Internet Service Provider ID, portal site ID, search
engine ID, advertising server provider ID, customer service toll-free number, and so on.
The idea behind Web geography is to identify, as completely as possible, the mechanism
used to enter the e-commerce enterprise. Identifying the location of these access
origination sites is one of the keys to customer-acquisition campaign effectiveness, much
like advertisements in geographical newspapers enhance sales in brick-and-mortar stores
in a particular geography. Advertising efforts should be concentrated on these point-of-
entry sites.
Site Geography
Site geography is a map of the pages within a Web site, including page and frame parent
information. Site geography defines the path a user takes through the content of a Web
site, and the analysis of these paths is crucial to a complete knowledge of user behavior
and site effectiveness.
Because e-commerce enterprises have users that can be located across the globe, the
traditional Time Dimension splits into the financially oriented Fiscal Time Dimension
and a physical geography-specific User Time Dimension, as shown in Figure 25.17[2].
Fiscal Time defines the fiscal year of the e-commerce enterprise, but User Time defines
the user-oriented time of day characteristics such as morning, afternoon, evening, the
season of the year, and so on. E-commerce seasonality is nonintuitive without the User
Time dimension. For example, Northern hemisphere users can be in User Time summer,
while Southern hemisphere users are simultaneously in the User Time winter season.
For example, electronic ad servers serve up advertisements that are targeted at a user’s
behavior profile and, in return, the site receives click-through revenue based on user ad-
click activity. The increased focus on external advertising revenue in e-commerce, and
the different business goals of internal and external promotions, cause the single
traditional promotion dimension to split into the Internal and External Promotion
Dimensions (see Figure 25.19)[2].
Another distinguishing characteristic is that Web-based promotions are much more finely
targetable than with traditional brick-and-mortar retailers. Also, customer-acquisition
media, such as Internet interest sites and chat rooms, are more finely targeted with richer
media than was previously possible. This means, for example, that a mountain climbing
gear retailer may prosper on the Web, where it might have to be part of a sporting goods
chain to survive in the brick-and-mortar world. This ability to more finely target a wider
geography and, hence, larger interest group, is one of the key drivers behind the profusion
of business-to-consumer electronic commerce enterprises.
The end result is the clickstream/callstream data warehouse schema shown in Figure
25.20[2]. As you can see, the Web changes everything.
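The schema the chapter has just walked through, as an added example that is not from the book: a SQLite star schema with the four-fact User Activity table keyed to the User, Physical/Web/Site Geography and Fiscal/User Time dimensions, the User Time season derived from the user's hemisphere (so one July lands in "summer" for Northern users and "winter" for Southern ones), and CHECK constraints enforcing the chapter's rule that cost and revenue are never negative. Table and column names, the 1 July fiscal year start, and the sample hits are my own assumptions.

```python
"""Clickstream/callstream star schema following the chapter's description, built
in SQLite. Added example with constructed data; table and column names are mine."""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE dim_user (user_key INTEGER PRIMARY KEY, user_type TEXT NOT NULL
    CHECK (user_type IN ('customer', 'prospect', 'casual', 'call_center')));
CREATE TABLE dim_physical_geography (phys_geo_key INTEGER PRIMARY KEY,
    country TEXT NOT NULL, hemisphere TEXT NOT NULL CHECK (hemisphere IN ('N', 'S')));
CREATE TABLE dim_web_geography (web_geo_key INTEGER PRIMARY KEY,  -- point of entry
    source_ip TEXT NOT NULL, referrer TEXT,
    channel TEXT NOT NULL CHECK (channel IN ('web', 'phone', 'email')));
CREATE TABLE dim_site_geography (site_geo_key INTEGER PRIMARY KEY,  -- page map
    page_url TEXT NOT NULL, parent_url TEXT);
CREATE TABLE dim_fiscal_time (fiscal_time_key INTEGER PRIMARY KEY,
    fiscal_year INTEGER NOT NULL, fiscal_quarter INTEGER NOT NULL,
    UNIQUE (fiscal_year, fiscal_quarter));
CREATE TABLE dim_user_time (user_time_key INTEGER PRIMARY KEY,  -- the user's clock
    day_part TEXT NOT NULL, season TEXT NOT NULL, UNIQUE (day_part, season));
CREATE TABLE fact_user_activity (
    user_key INTEGER NOT NULL REFERENCES dim_user,
    phys_geo_key INTEGER NOT NULL REFERENCES dim_physical_geography,
    web_geo_key INTEGER NOT NULL REFERENCES dim_web_geography,
    site_geo_key INTEGER NOT NULL REFERENCES dim_site_geography,
    fiscal_time_key INTEGER NOT NULL REFERENCES dim_fiscal_time,
    user_time_key INTEGER NOT NULL REFERENCES dim_user_time,
    event_ts TEXT NOT NULL, seconds_spent INTEGER NOT NULL CHECK (seconds_spent >= 0),
    activity_cost REAL NOT NULL CHECK (activity_cost >= 0),     -- both >= 0, as the
    activity_revenue REAL NOT NULL CHECK (activity_revenue >= 0),  -- chapter states
    PRIMARY KEY (user_key, phys_geo_key, web_geo_key, site_geo_key,
                 fiscal_time_key, user_time_key, event_ts));
"""

def user_time_season(hemisphere, month):
    """Season as the user experiences it (meteorological seasons, shifted for 'S')."""
    northern = ('winter', 'spring', 'summer', 'autumn')   # Dec-Feb, Mar-May, ...
    idx = (month % 12) // 3
    return northern[(idx + 2) % 4 if hemisphere == 'S' else idx]

def day_part(hour):
    return ('night' if hour < 5 or hour >= 22 else 'morning' if hour < 12
            else 'afternoon' if hour < 17 else 'evening')

def lookup_or_add(conn, table, cols, values):
    """Surrogate key of a dimension row, inserted if new (table/cols are constants)."""
    conn.execute(f"INSERT OR IGNORE INTO {table} ({', '.join(cols)}) "
                 f"VALUES ({', '.join('?' * len(cols))})", values)
    where = ' AND '.join(f'{c} = ?' for c in cols)
    return conn.execute(f"SELECT rowid FROM {table} WHERE {where}", values).fetchone()[0]

def record_activity(conn, user_key, phys_geo_key, web_geo_key, site_geo_key,
                    local_ts, seconds_spent, cost, revenue, fy_start_month=7):
    """Load one fact: User Time from hemisphere + local clock, Fiscal Time from FY."""
    ts = datetime.fromisoformat(local_ts)
    hemi = conn.execute("SELECT hemisphere FROM dim_physical_geography "
                        "WHERE phys_geo_key = ?", (phys_geo_key,)).fetchone()[0]
    user_time_key = lookup_or_add(conn, 'dim_user_time', ('day_part', 'season'),
                                  (day_part(ts.hour), user_time_season(hemi, ts.month)))
    fiscal_year = ts.year + (1 if 1 < fy_start_month <= ts.month else 0)  # assumed 1 July FY
    fiscal_quarter = ((ts.month - fy_start_month) % 12) // 3 + 1
    fiscal_key = lookup_or_add(conn, 'dim_fiscal_time',
                               ('fiscal_year', 'fiscal_quarter'), (fiscal_year, fiscal_quarter))
    conn.execute("INSERT INTO fact_user_activity VALUES (?,?,?,?,?,?,?,?,?,?)",
                 (user_key, phys_geo_key, web_geo_key, site_geo_key, fiscal_key,
                  user_time_key, ts.isoformat(), seconds_spent, cost, revenue))

def build_warehouse():
    conn = sqlite3.connect(':memory:')
    conn.execute('PRAGMA foreign_keys = ON')   # enforce the composite-key references
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dim_user VALUES (?, ?)",
                     [(1, 'customer'), (2, 'prospect'), (3, 'call_center')])
    conn.executemany("INSERT INTO dim_physical_geography VALUES (?, ?, ?)",
                     [(1, 'US', 'N'), (2, 'Australia', 'S')])
    conn.executemany("INSERT INTO dim_web_geography VALUES (?, ?, ?, ?)",
                     [(1, '192.0.2.10', 'https://search.example/?q=tents', 'web'),
                      (2, '198.51.100.7', None, 'web'), (3, '10.0.0.5', None, 'phone')])
    conn.executemany("INSERT INTO dim_site_geography VALUES (?, ?, ?)",
                     [(1, '/home', None), (2, '/gear/tents', '/home')])
    # Constructed hits: same July, different User Time seasons; row 3 is a
    # call-center agent on the Web system, landing in the same fact table.
    record_activity(conn, 1, 1, 1, 2, '2003-07-14T09:30:00', 240, 0.02, 129.00)
    record_activity(conn, 2, 2, 2, 2, '2003-07-14T20:05:00', 90, 0.02, 0.0)
    record_activity(conn, 3, 1, 3, 1, '2003-07-15T14:00:00', 600, 4.50, 0.0)
    conn.commit()
    return conn

def activity_by_season(conn):
    """{season: (hits, seconds, revenue)} grouped by User Time, not Fiscal Time."""
    rows = conn.execute(
        "SELECT ut.season, COUNT(*), SUM(f.seconds_spent), SUM(f.activity_revenue) "
        "FROM fact_user_activity f JOIN dim_user_time ut USING (user_time_key) "
        "GROUP BY ut.season").fetchall()
    return {season: (hits, secs, rev) for season, hits, secs, rev in rows}

def rejected(conn, *activity):
    """True when the schema's CHECK or foreign-key constraints refuse a row."""
    try:
        record_activity(conn, *activity)
    except sqlite3.IntegrityError:
        return True
    return False
```

Running `activity_by_season(build_warehouse())` groups the two Northern hits (one of them from the call center) under summer and the Southern hit under winter, even though all three fall in the same fiscal quarter.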
In an outsourced solution, the integration vendor is the primary provider of the solution,
and they are likely the sole source of the intellectual capital for the solution. Because the
contracting e-commerce enterprise is relieved of much of the responsibility for the
creation of internal solution expertise, the resulting outsourced solution is limited by the
knowledge, business relationships, and integration expertise of the integration vendor.
These limitations can lead to long-term solution issues that cannot be easily solved by the
contracting enterprise, because the expertise required to do so is nonexistent by definition
—it was outsourced.
This is bad enough, but the motivations of the integration vendor are rarely aligned with
e-commerce enterprise business success. Most integration contracts are based on
internally focused time and materials pricing, which has nothing to do with e-commerce
business success. Furthermore, there is an implicit “forever” term to outsourcing
contracts, meaning that the e-commerce enterprise will pay for this external solution
expertise forever, because they are abdicating the development of the same in-house
solution capabilities. When coupled with the time and materials nature of integrator
pricing, this can lead to an incentive for the outsourcer to never solve any fundamental
business problems, because if they did, it would only reduce their revenue.
An additional worry is the practical inability to write umbrella outsourcing contracts that
address all the potential information technology modifications required to support
unanticipated changes in business conditions. In an Internet environment, the contract-
induced inability to rapidly adjust to changing business conditions can be fatal to the
enterprise.
Finally, these insidious issues associated with totally outsourced solutions lead to a
middle ground. Although this situation is not without problems, it better aligns business
goals of the e-commerce enterprise and integration solution vendor. In order to solve the
implied “forever” solution term with the integration vendors, the outsourcing contract
must be fixed-term and nonrenewable, and it must mandate sign-off criteria and specify
knowledge transfer to responsible individuals in the e-commerce information technology
organization. Although this type of arrangement can still lead to higher initial solution
costs and a solution limited by the knowledge of the integrator, the business drivers
behind the motivations of both parties are much more aligned to the success of the e-
commerce enterprise. The integration vendor takes time-limited and performance-goal-
specific responsibility for a successful solution, and the resultant knowledge transfer
causes the contracting e-commerce information technology organization to learn the
skills required for long-term stewardship of the solution.
[2] Sequent, “Business to Consumer (B2C) Electronic Commerce Information Systems,”
IBM NUMA-Q, 15450 S.W. Koll Parkway, Beaverton, Oregon 97006-6063 [DM Review,
240 Regency Court, Suite 201, Brookfield, WI 53045, United States], 2003.
Summary
The future direction of B2B e-commerce remains unclear. Today, it is impossible to know
with clarity exactly what the ideal scenario will be for buyers, suppliers, and e-
marketplaces. Will long-standing relationships be maintained, or will new value-added
services offered by e-marketplaces replace them? No matter how B2B e-commerce
shakes out, there are several factors that appear to be a certainty:
So, the issue becomes when and how (not if) you will e-commerce-enable your business.
How much e-commerce can accelerate your e-business success is in part determined by
the technology platform that you choose today and the intelligence you put behind your
decisions.
Finally, it may come as a great surprise, but most electronic commerce enterprises are not
prepared for success. Electronic commerce enterprises climb a steep information
technology ramp that must provide bulletproof continuous availability, scalability for
millions of users, and sophisticated user-relationship-management clickstream data
warehouses in the first months of business. Ironically, a hugely successful Web site can
mean either an exploding business success or an exploding business plan, depending on
how well the e-commerce enterprise plans and executes its information technology
infrastructure.
Chapter 26: Summary, Conclusions, and
Recommendations
“Finally, let me say just this in conclusion.”
—Anonymous
The Internet has forever altered the business arena, creating a world in which the
customer is in command and the only constant is change. To succeed in this new world of
e-business requires an infrastructure that gives you maximum performance, real-time
responsiveness, application flexibility, and simplified management.
Summary
A short time ago, the Internet was primarily about surfing the Web and visiting cool sites.
Then, people began to realize the Internet could transform the business landscape. The
race was on to develop new and hybrid business models in order to compete in the
dot.com or “click-and-mortar” arena.
Unfortunately, as many companies found out during the last two e-tailing seasons, simply
having an Internet-based business plan is not enough. Companies are discovering that
customers take e-business applications just as seriously as they take traditional business
applications. They demand the same level of performance and availability, and many e-
businesses are finding their infrastructure isn’t ready to meet the demands of serious e-
business.
The question facing businesses today, therefore, is what’s going to happen to their
infrastructure and their business model when those 68 million online customers become
680 million—or 6 billion? Looking ahead, what will happen when they begin accessing
the Internet from wireless smart phones and PDAs, over high-speed cable modem or
digital subscriber line connections[4]? Thus, this part of the chapter summarizes and
explores some of the implications to both business and business computing of the
continuing evolution of e-business.
Follow the business news and it’s easy to be convinced that the e-business revolution
isn’t complete; the fact is, the revolution has hardly started. A recent survey by
PricewaterhouseCoopers and The Conference Board stated that large enterprises were moving
into e-business at a much slower pace than previously expected. Nearly 78 percent of the
large enterprises surveyed were not yet processing transactions online. For 83 percent of
the companies, e-business was generating less than 8 percent of revenue.
Also, according to analysts at the International Data Corp., there were fewer than 600
million Web users worldwide. But, the vast untapped potential on each side of the digital
marketplace is only the beginning. Also, driving change is the next-generation Internet,
which provides very high bandwidth at very low cost. The result will not only be vast
numbers of new users, but users who will be logging on with an array of new devices.
For example, IDC estimates that mobile commerce will grow to 52 million users in 2004,
creating a $54-billion channel[3].
What that means is over the next few years, you will see a marketplace that is defined by
explosion and convergence: an explosion of new devices, new users, new media and
transactions, and a convergence of standards to bring it all together. As a result, every
business today must begin to ask some strategic questions with this continuing evolution
in mind: how do you evolve your infrastructure, what are the right architectures and
interfaces to build on, and what products and services do you need? The answers to these
questions will define the infrastructure for the next generation of e-business.
What will the infrastructure for serious e-business look like? The answer is that the next-
generation infrastructure will be as diverse as the organizations that build it. Each
company will customize its infrastructure based on its strategy and growth plans, and will
depend on the continuing development of open Internet standards to ensure
interoperability with trading partners and customers alike.
In the changing e-business environment, no one can afford for IT staffing to grow at the
same rate as the IT infrastructure. New ways must be found to control software licensing
costs as well. Simpler, more effective management can play a crucial role in the critical
transition of IT from a cost center to a profit center in the new world of e-business.
Choice in Applications
As the next generation of e-business unfolds, value will often be determined by the
ability to deliver new services customized to meet changing customer needs faster than
the competition. Today, however, there is often a conflict between those responsible for
ensuring quality of service and those charged with rapidly deploying new business
applications. What’s required is the freedom to run any application on the server that
offers the right combination of cost, performance, and growth capabilities for the job—as
well as the ability to integrate critical data wherever it resides on the network.
Extreme Performance
Experience has demonstrated that e-business is based on three types of tasks: the
traditional data/transaction processing jobs, such as “back-office” tasks, the newer
generation of “front-office” and Web-serving applications, and a variety of network
management jobs. Each of these tasks calls for varying levels of performance, and each
demands a server optimized for the job. In other words, one size does not fit all in an e-
business infrastructure.
Finally, delivering information in a way that doesn’t keep customers waiting requires
much more than fast servers. It will involve a whole new level of connectivity supporting
an unprecedented level of integration across the virtual enterprise so that customer-
critical information is available whenever and wherever needed.
[4] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.
[3] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
Conclusions
In the next phase of e-business, customers want one vendor to provide all the pieces that
make automated buying and selling of direct goods seamless, linking transactions to
order fulfillment, manufacturing supply chains, inventory replenishment, and
transportation. Customers don’t want to deal with the hassle of integrating all the
disparate software pieces, costing them millions of dollars and years of work. No longer
are the choices for enterprise e-business solutions limited to (1) buying more than is
needed and living with a “closed” system in order to minimize surprises, time to market,
and the lack of reliable support, and (2) building a system from scratch in order to
achieve a custom solution, while surrendering to the variables of time and budget—with
no guarantee of ultimate functionality, scalability, interoperability, or support.
Today, it’s possible to find an e-business solution that offers the best of both worlds. The
best “buy” provides all the functionality that’s needed to be competitive today without
requiring a business to buy more than necessary. The right system for e-business now
comprises:
• The right system for e-business, enabling best practices, rapid integration through fewer
“moving parts” or variables, and 24-hour, 7-day customer service; this system is modular,
distributed, and absolutely reliable.
• The right company for now and the long run, focused on solving business problems, with
a proven record of engineering excellence, with a proven, sizable customer base and the
ability to guarantee comprehensive future customization to fit unique and changing
business conditions[1].
As IT systems age, the Internet matures, and behemoth computing companies are left in
the dust, one problem remains constant: how to find an IT solution that directly
contributes to the larger mission of the enterprise—and fast. This eternal quest has been
framed in different languages over the decades, but none so persistent as “build or buy?”
The classic build-or-buy struggle has been ongoing for 29 years and is now expressed
through three approaches:
• Development suites
• Point solutions
• Packaged solutions[1]
Development Suites
Development suites allow IT departments to build whatever they need without requiring
that they buy more than they need. Key challenges lie in the time and money required to
build, test, and troubleshoot new systems while ensuring interoperability, scalability, and
security. Furthermore, the true and total cost of the application may be difficult to
calculate accurately.
Point Solutions
Point solutions focus on one specific problem each. So, in order to address larger
business problems for the enterprise, additional functionality must often be added by
stitching together multiple point solutions and/or development suites. Meanwhile, IT
departments can find themselves left alone without support for custom integrations
between changing versions of software. Support from vendors is a vital consideration
when mission-critical operations are on the line.
Packaged Solutions
Packaged solutions seek to meet business challenges through software that addresses
complete business problems. These end-to-end systems facilitate integration with existing
mission-critical system investments and business-process modeling. These solutions are
fully tested in real-world settings, undergo constant improvement, and are backed by 24-
hour, 7-day support. Though all three of these approaches are very different and have
their own advantages and disadvantages, at the center of all three are the following
issues:
• Openness
• Best-of-breed
• Scalability
• Time to market[1]
This part of the chapter discusses the preceding decision points and also the fundamental
importance of something even more critical to e-business success: ease of integration. In
other words, it’s important to “Buy for the life of the site”—not its birth. That means
bringing in tested functionality demanded by e-business customers today, while ensuring
that the supporting vendor and the next generation of that system will be available (and
work with other key enterprise systems) tomorrow.
The fact is that “buy” no longer means “one size fits all.” A genuine solution can and
should provide a number of key advantages for the organization seeking to increase its
agility through e-business:
• Enterprise-ready technology
• Enterprise-worthy functionality and support
• Stable, partnership-oriented vendor[1]
Enterprise-Ready Technology
Without the right foundation, no e-business system is stable. The success of a system is
dependent on its ability to solve a business problem while simultaneously ensuring
unrivaled scalability and performance, foolproof security, and open enterprise standards
to facilitate content exchange and integration with existing business-critical applications.
E-business waits for no one. The right system is an enterprise-grade, modular, stable,
distributed, end-to-end solution that can be immediately rolled out onto the Web
platform. It offers the high-quality experience customers seek, facilitates best practices,
has been stringently tested, simplifies enterprise application integration, and enables
facile evolution as enterprise needs change.
Real solutions solve problems now and later. This is made possible by working with a
committed vendor with a proven record of working with its customers to meet their goals.
No solution is complete without full support from knowledgeable representatives that is
available 24 hours a day and 7 days a week.
Open Systems: Pathway to Freedom?
The open-systems issue is often the first to be addressed in the evaluation of potential e-
business systems. Open standards do offer the possibility to more easily extend individual
systems and combine disparate systems. However, when an open standards-based system
leaves many business problems unsolved, its very openness can appear more like open
air. Some leave room for a variety of options that must be carefully evaluated as to safety,
security, and straightforward integration, but provide no up-front solutions.
It’s also important to note that many otherwise open solutions are coupled with a specific
application server. This can neutralize the advantage of being free from proprietary
architectures, as any additional point solutions required will need to operate with that
same application server.
Development suites promise any IT group the ability to build tailored systems for each
situation, thereby leaving the door open to freedom of choice in the future. However, it’s
noteworthy that the organization is vulnerable to development time and expense factors
that can be prohibitive when attempting to bring a finished product to market.
End-to-end systems based on proven enterprise architecture are the fruit of hundreds of
hours of testing, tuning, and perfecting. The practical meaning of openness for the
enterprise is the ease with which a system can be extended by modifying existing objects
or by adding new objects and components and integrated with external systems. Beyond
simplistic issues of language and application-server choice, five key levels of
extensibility exist:
In the heat of implementation, these are the measures by which the practical openness of
an approach must be judged. At the business level, key considerations in the purchase of
any solution should be:
Whether the vendor will ensure its efficacy at solving that business problem tomorrow[1]
The promise of plug and play for the enterprise has been that, through an alliance with a
specific application server, the enterprise will have the freedom to choose best-of-breed
applications from expert vendors, with the assurance that each application will be easily
installed and work cooperatively with other plug-and-play software. This ideal has not yet
been realized. One of the major reasons for this underperformance is that most complex
aspects of an enterprise e-business application don’t reside at the level of the application
server, but rather one layer below. This lower layer includes:
• Data repository
• Data models, such as the definition of a user profile, purchase order, or product
• Business logic, such as the workflow of a shopping cart for an order-entry
application[1]
Meeting these challenges is absolutely vital when starting from scratch or choosing parts
of solutions from vendors who use different databases and differing business logic. An
end-to-end e-business application ensures a consistent underlying data repository, a
common data model, and streamlined business logic.
The terms performance and scalability are often used interchangeably, when they are
actually two different concepts. Both are of utmost significance for an enterprise e-
business system, and the two are related. Here are their definitions:
Scalability: The ability of a system with multiple available processors to call as many of
those processors into service as necessary when system load increases, as well as the
ability of that system to be expanded
Very often, those making IT buying decisions do so with a heavy emphasis on scalability
and performance, and rightly so. Many times in technology-evaluation situations, the
word scalability is used when performance is the real issue. It’s important to note that
performance benchmarks on individual applications or on the underlying plumbing of a
system are irrelevant if the overall system doesn’t scale. Furthermore, linear scalability
and geometric scalability are two different things:
Linear scalability: The ability to increase system resources by adding CPUs, with each
CPU adding a linear increase in capacity
Linear scalability is essential because, without it, the cost of hardware required to ensure
scalability becomes prohibitive. Linear scalability scales in four dimensions, across:
Building scalability into end-to-end solutions is much more straightforward than when
dealing with systems made with a patchwork of different applications or those built from
scratch.
Stated simply, integration can make or break an implementation. Backend and legacy
systems in most enterprises not only represent considerable investments, but are
responsible for mission-critical aspects of daily business.
All too often, as the unplanned functionality of a system increases, its performance has a
correlating decrease. To address this shortcoming, some vendors suggest eliminating
functionality. Although this may have been an acceptable alternative in the early days of
e-business, it is no longer viable, given concerns with quality of service, customer
satisfaction, and reduction of churn.
Note The combination of increasing costs to capture and accumulate new Internet
subscribers and intense competition in the marketplace has made customer retention
and churn minimization critical factors in the survival of service providers.
Occurring when new subscribers sign up for service while others are discontinuing
their use, churn poses serious challenges to a provider’s ability to turn a profit.
Effective churn management stems from a provider’s ability to determine the
reasons for this customer behavior. This means that information is a provider’s best
defense against churn. Root cause analysis of churn also removes ambiguity in the
business planning stage, and allows service providers to create products, services,
and e-business practices that make their e-business more efficient and profitable.
The problem is that customers don’t have robust, interoperable software suites for end-to-
end e-commerce from a single vendor, and they have to cobble together solutions from
different vendors, which is a costly and slow process. In other words, technology changes
too rapidly and the market is too uncertain to plan and never fully execute. A Web site is a
work in progress; you are always changing and improving it. Buying a solution gives
you a steady foundation from which to grow and easily adapt to changing customer
demands and changing business models.
Once functionality has been purged from an e-business system, it is likely to be gone
forever. Therefore, the significance of making performance and functionality prime
components of an e-business system from the beginning is clear. And, that’s eminently
possible with an end-to-end system designed to offer those fundamentals from the start.
Finally, in the rush to establish e-business leadership, it’s critically important to focus on
the real issues of end-to-end functionality, integration, and support. No longer are the
choices limited to toolkits, mix-and-match systems, or “closed” packaged applications.
Today’s enterprise needs an end-to-end solution fast, and it can’t accept the risks of
uncertain performance, integration, or functionality in the rush to market.
[1] “Beyond ‘Build vs. Buy’: Winning at E-Business through Reliable End-to-End
Integration,” © 2000 BroadVision, Inc. All rights reserved. BroadVision, Inc., 585
Broadway, Redwood City, California 94063.
Recommendations
Substantial business benefits result from using the Internet for customer service. The Web
is open 24 hours a day. And every time a customer finds an answer online, it eliminates
the cost of a phone call or an e-mail reply. This yields significant savings and frees up
operators to handle issues that really warrant their attention.
Customer service on the Web, also known as e-service, is scalable, allowing companies to
handle spikes in customer queries without having to temporarily add operators or phone
lines. Most importantly, e-service ensures customers get answers to their questions
immediately, resulting in higher levels of customer satisfaction and retention.
E-service adoption by organizations has yielded many important lessons. Many benefits
are gained from simply implementing the right e-service software, but even greater
success is achieved by applying proven best practices. In other words, becoming a
successful e-service practitioner requires more than just technology, it requires expertise.
With the preceding in mind, this last part of the chapter pinpoints 15 essential best
practices or recommendations for effective e-service. These field-proven best practices
impact both the cost savings and increased customer satisfaction companies experience as
a result of their e-service initiatives. These best practices have been organized into three
categories:
People and processes: These are project management strategies that impact the
effectiveness of the e-service initiative and ensure a speedy, successful project launch and
substantially enhanced long-term results.
Site smarts: These are tips and tricks in Web site design and the presentation of answers
to customer questions. These simple principles can be applied with great effect to
virtually any e-service implementation.
Software smarts: These are insights that relate specifically to getting optimum value[2].
Why E-Service?
Before enumerating the top 15 best practices for e-service, it’s a good idea to review the
benefits effective e-service implementations deliver.
Cost Savings
E-service has been proven to consistently yield significant cost savings. There is virtually
no incremental cost when a customer finds an answer on a Web site. If that customer
sends an e-mail, on the other hand, it can cost several dollars for a customer service
representative (CSR) to respond. A phone call can cost $20–$30 or more. Multiply that
per-inquiry savings by thousands of inquiries and the savings can be quite substantial.
Customer Satisfaction
E-service makes for satisfied customers. When customers have questions, they want
answers fast. If they find their answer with a click or two of the mouse, they feel good.
This equates to higher customer loyalty and retention. Effective e-service can have a very
positive impact on e-business revenue.
As customers consistently find answers online over time, their comfort level with the site
and the company grows. This is a competitive advantage over companies that make them
wait days for e-mail replies and put them on hold. Quality e-service instills confidence,
strengthens relationships, and offers a 24 × 7 resource to customers.
Rapid Scalability
E-service makes customer service staff more productive by shielding them from
repetitive queries—allowing them to focus on issues that actually require personal
attention. This change also tends to improve morale and reduce turnover. Plus, giving
CSRs access to the e-service knowledge base ensures they have the information to give
customers fast, consistent answers.
With all these proven benefits, e-service best practices are clearly worth applying. By
excelling at e-service, companies save money, delight customers, beat the competition,
handle crises with ease, and get more value performance from their customer service
staffs.
The more often customers have a positive experience with a company’s e-service, the
more the company experiences these diverse benefits. A primary, quantifiable goal of any
e-service implementation is to maximize the percentage of customers who find answers
for themselves on the company Web site. The easier and faster customers can pinpoint the
information they’re looking for, the greater the resulting business rewards.
• Customers use e-service knowledge items on the Web site to find answers to their
questions whenever possible, rather than using e-mail or the phone
• Online knowledge items provide answers for the most common questions
• Customers can quickly and easily find the answer/knowledge item
• Knowledge items answer customers’ questions fully and effectively
The first set of e-service best practices involves people and processes. These practices are
essentially project management strategies ensuring rapid time-to-benefit and optimum
long-term results for e-service initiatives. Based on the experiences of organizations
across all sectors, three strategies in particular have been shown to be essential in
achieving maximum return on investment (ROI).
E-Service Best Practice #1: The E-Service Champion
The champion is needed beyond the launch of the project. E-service is a highly dynamic
business solution. It constantly adapts to the changing needs of the company and its
customers as new products and services are introduced, markets and technologies evolve,
and use of the site grows. Without a champion, site content is likely to be neglected and
become stale. Support across the organization for the success of the e-service initiative
will fade. Eventually, this will manifest in reduced effectiveness and lower ROI.
Champions provide both direction and accountability for e-service projects. That’s why
the most successful first-wave adopters have (almost without exception) had very strong
e-service champions leading the way.
These processes typically involve people from different departments. For example,
whereas a customer support manager may champion e-service, someone in marketing
may administer the corporate Web site itself. The Web site administrator must be
involved to ensure any changes to the site help drive customers to the e-service content.
These changes will be described in more detail next.
Similarly, product management groups and other technicians typically generate a lot of
content. It is advisable to have their buy-in on the e-service effort and prepare them to
collaborate on the creation of content. Often, these groups have a variety of existing
materials that can be very useful in creating content.
One way to motivate groups to participate in the e-service processes is to appeal to their
self-interest. For example, e-service provides valuable feedback to product managers
about the problems customers encounter, which can be used to improve next-generation
products or even spawn ideas for new ones. Similarly, because e-service draws customers
to the Web site, it can help marketing to do online cross-selling and up-selling.
Depending on the nature of the individual business, other participants may also be
enlisted in the e-service effort: accounting, shipping, sales, suppliers, distributors, and so
forth. Regardless of the specific participants involved, every e-service champion should
determine whose help will be needed and get commitment from the beginning of the
project. That way, when the time comes for them to contribute to the process, there will
be no surprises or arguments.
As valuable as a self-service rate of 60–70% may be, a rate of 85–95% is even better.
And, those rates are achievable for companies. E-service, by its nature, provides the
feedback necessary to “tweak” implementations to increase the effectiveness of content
and site navigation. By taking advantage of these built-in feedback mechanisms (which
range from customers’ own comments about content to site traffic statistics), diligent e-
service managers can increase ROI by 200% and more.
Site Smarts
The faster customers get to helpful knowledge items, the better. The optimum solution is
to clearly identify links on the home page (which can be labeled “Customer Service,”
“Need help?” or something similar) that lead directly to a list of top ten answers.
Another common mistake is forcing the customer to navigate through one or more layers
of knowledge categories before finding actual answers. This may seem like an intelligent
way to manage the navigation process, but it tends to be counterproductive. Users need to
see answers right away. Because the bulk of their needs can be addressed with a relatively
small number of knowledge items, it’s best to present those knowledge items to them as
quickly as possible.
If it turns out that those knowledge items aren’t what they’re looking for, they can then
continue searching. Plus, now that they see what the knowledge items on the site look
like, they proceed with their search with more confidence.
Many Web site managers consider it a given that the company’s toll-free number is
displayed prominently on the site—sometimes on every page. Conventional site
designers tend to put a “Contact us” link on the home page and everywhere else. But,
successful e-service practitioners have found this to be counterproductive. If you give
customers a phone number or an e-mail link to use, then they assume this is your
preferred contact method. As a result, e-service content is ignored or never even browsed.
An alternative approach proven to be more effective for both customer service teams and
the customers themselves is to provide support phone numbers and/or an e-mail form
after they have viewed at least one knowledge item from the e-service system. As soon as
they enter the e-service area, they then have ready access to phone or e-mail support—but
not before.
This approach is not customer-unfriendly in any way. Customers like knowing a site has
lots of useful content. But, they have to be directed to that content at least once to
experience its benefits. Once they have that first positive experience, they’re hooked.
And, by habituating customers to using the Web site as a self-help resource, e-service
adopters can reduce their service and support costs.
On the other hand, some Web site managers don’t display any type of contact
information, and simply do not want to be contacted at all. It makes one wonder why
they’re advertising in the first place or why the page even exists. This can be quite
irritating to prospective customers. In fact, there are some Web pages that do have an
e-mail contact link, but when you try to send an e-mail, it bounces back as
undeliverable. Or, to make matters worse, there are Web sites that don’t respond to any
e-mail contact at all, no matter how many times you send a message or inquiry. The ISPs
that sponsor these types of sites should simply drop them from their customer list and
sever the link. Their existence is not doing anyone any favors.
Many companies have an abundance of useful information on their site, but it’s scattered
across various areas. Product information is in one place, shipping information is in
another, return policies are somewhere else. Often, there is a good reason for this
information to be in these different places. Implementing e-service doesn’t mean
removing this information or completely redesigning the corporate Web site.
It is important to make sure this information can be found within the e-service area. Once
a customer enters the e-service area looking for assistance, they should not have to leave
it and look elsewhere to find what they need.
For example, a leading sporting goods manufacturer had an excellent product selection
tool in the sales area of its site. As good as it was, it turned out that many customers
didn’t use it and instead called the company’s CSRs to get walked through the selection
process. After the company started its e-service initiative, it made the very same tool
available in its e-service section—as the answer to the question “Which item is right for
me?” Remarkably, use of the tool rose dramatically—and phone calls dropped. That’s
because customers found the tool during their quest for help, rather than during a less
directed browsing of the site.
It’s worthwhile to look at the information on the company site as a whole and evaluate
whether any of it could also be used as an answer to a FAQ. This simple repurposing of
existing content can substantially improve customer satisfaction and self-service rates.
Well-written text can be very helpful, but often something more is required to answer a
customer’s question. The interactive product specification tool previously mentioned is a
prime example. Customers can choose from a list of various parameters and, at the end,
are given the exact model that applies to their needs—with a hyperlink that leads them
right to the appropriate Web page. Many companies selling technical products offer
schematics or diagrams, some allowing customers to click their way through a given
procedure or repair. Several companies are adding streaming video to their e-service
content.
In many cases, the necessary visual content may already exist in the form of online
manuals or computer-based training. The trick is to get that content from its current
location onto the e-service site, and to make it available as an answer to the appropriate
question.
In other cases, it may be worthwhile to develop the necessary content expressly for e-
service purposes. The cost of doing so is often minimal and can be justified by looking at
the number of phone and e-mail support incidents generated by the issue.
Customers don’t always begin their visit to a Web site looking for help. Sometimes, they
start by browsing or merely shopping and then encounter an issue that creates a question
in their minds. Often, this question may have to do with a feature or process on the site
itself. That’s why it’s often wise to put additional prominent links back to the site’s e-
service content area in many places.
In fact, many of the most successful e-service implementers keep a prominent link to
their e-service content in a consistent place throughout the site. This reminds customers
the e-service content is available and it includes material that is relevant to any topic they
may have questions about. By reinforcing this message with a consistent visual cue,
customers can be conditioned to use e-service with greater frequency, rather than calling
or e-mailing. Habits are hard to break, so it’s important to be consistent in pointing out
that help can be found online.
A large percentage of customers are in front of their PCs when on the phone. So, it’s a
good idea to put a suggestion about using e-service on call center “hold” messages. That
way, users can take action as they wait for a CSR to get free. In many cases, they can
solve their problem while they’re on hold. CSRs can reinforce the e-service message if
they realize during the call the question could have been answered online. By politely
showing the customer where to find the answer, the CSR encourages the customer to try
the Web next time.
Although it’s critical to not present phone or e-mail channels before customers check
online content, the converse is also true. After a customer responds to the invitation to
examine the e-service resource, he or she must not feel trapped in a dead end. This
creates a disincentive to try e-service again. So, immediate contact with a CSR (whether
by phone, e-mail, or real-time chat) must always be available as an option within the e-
service system.
Software Smarts
In addition to project management and site implementation, the most crucial and effective
e-service best practices relate to the use of features and functionality available in a
company’s e-service software of choice. The configuration of basic system capabilities
makes a dramatic difference in the percentage of customers successfully solving their
problems online.
Customers often launch an e-mail from a Web site without realizing the answer to their
question is just a click away. Companies can avoid responding to these e-mails manually
by having their e-service software scan the e-mail text and automatically suggest relevant
knowledge items to the customer. This eliminates the delay that would occur if the e-mail
were sent and replied to later. It also teaches customers that answers to their questions
can be found on the site, encouraging them to find their own answers on subsequent site
visits.
E-Service Best Practice #12: Take Advantage of Reports and Other Feedback
The most successful RightNow users take advantage of the software’s reporting functions
to continually improve their e-service content [2]. A prime example of this is the Keyword
Search report, which shows the search terms customers use most frequently. If there’s a
commonly used search term in the report and no corresponding e-service knowledge
items, then something is amiss. Savvy e-service managers respond to such situations by
developing and/or reorganizing knowledge items to address the search terms customers
are entering.
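The two mechanisms just described (scanning an incoming e-mail for matching knowledge items, and the keyword-search gap report) both reduce to matching terms against the knowledge base. The following is an added example, not the book's or any vendor's code; the knowledge items, stopword list and search log are constructed sample data.

```python
# Added example (not from the book): a minimal keyword index over e-service
# knowledge items, used for (a) suggesting items that match the text of an
# incoming customer e-mail and (b) a "keyword search gap" report listing
# frequent search terms that match no knowledge item at all.
import re
from collections import Counter

# Constructed sample knowledge base: (item id, title, answer text).
KNOWLEDGE_ITEMS = [
    ("KI-1", "How do I track my order?",
     "Open the Orders page and click the tracking number for the shipment."),
    ("KI-2", "What is the return policy?",
     "Returns are accepted within 30 days; print a return label from the Orders page."),
    ("KI-3", "Which item is right for me?",
     "Use the product selector to choose the model that fits your needs."),
]

# Constructed stopword list; a real deployment would use a fuller one.
STOPWORDS = {"a", "an", "the", "i", "my", "is", "do", "how", "what", "which",
             "for", "me", "to", "of", "and", "in", "on", "it", "you", "your"}


def tokens(text):
    """Lower-case word tokens with stopwords removed."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


def suggest_items(email_text, min_overlap=1):
    """Knowledge item ids ranked by how many e-mail tokens they share (best first)."""
    words = set(tokens(email_text))
    scored = []
    for item_id, title, answer in KNOWLEDGE_ITEMS:
        overlap = len(words & set(tokens(title + " " + answer)))
        if overlap >= min_overlap:
            scored.append((overlap, item_id))
    return [item_id for _, item_id in sorted(scored, key=lambda s: (-s[0], s[1]))]


def search_gap_report(search_log, min_count=2):
    """Search terms seen at least min_count times that no knowledge item covers."""
    indexed = set()
    for _, title, answer in KNOWLEDGE_ITEMS:
        indexed.update(tokens(title + " " + answer))
    counts = Counter(t for query in search_log for t in tokens(query))
    return [(term, n) for term, n in counts.most_common()
            if n >= min_count and term not in indexed]
```

A term that shows up in the gap report is the signal the text describes: customers keep asking for something the knowledge base does not yet answer.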
These rules can serve other purposes as well. For example, if a certain e-mail subject line
characterizes a new breed of computer virus, then e-mails fitting the profile can be
automatically deleted. A reply to the e-mail can also be automatically sent, informing the
sender of what happened and suggesting that they check their e-mail system for infection.
Using emotional indicators to spot customers in crisis is a special case of the previously
mentioned routing technique. Many times, customer service teams score more points with
the customer by rescuing a bad situation than they do when they take care of a more
mundane issue.
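Both uses of e-mail rules above (dropping mail whose subject fits a known virus profile, and routing customers in crisis by emotional indicators) fit a first-match-wins rule list. This is an added example, not code from the book or from any e-service product; the rule patterns, the message fields and the `sender_authenticated` flag are constructed assumptions.

```python
# Added example (not from the book): first-match-wins triage rules over an
# incoming customer e-mail, represented as a dict of header/body fields.
import re

# Constructed rules: (name, field, regex, action). The worm subject line is a
# placeholder, not a real malware signature; real profiles come from your
# mail-security vendor or your own incident data.
RULES = [
    ("worm-subject", "subject", r"^(re: )?your document is attached\b", "delete"),
    ("crisis-wording", "body",
     r"\b(furious|unacceptable|lawyer|cancel my account|third time)\b", "escalate"),
]


def triage(message):
    """Return (action, rule name) for the first matching rule, else the normal queue."""
    for name, field, pattern, action in RULES:
        if re.search(pattern, message.get(field, ""), re.IGNORECASE):
            return action, name
    return "queue", "default"


def should_auto_reply(message, action):
    """The 'your mail was dropped' reply is sent only for the delete action and
    only when the sender was authenticated upstream (assumed flag set by the
    mail gateway): worm senders are almost always forged, so replying blindly
    just generates backscatter to innocent addresses."""
    return action == "delete" and bool(message.get("sender_authenticated", False))
```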
Getting Started
E-service isn’t just a technology. It’s a strategic activity for any company selling in a
competitive marketplace. Also, e-service best practices are as important for achieving
customer delight and reducing operating expenses as e-service software. The combination
of e-service best practices with a proven software platform delivers a remarkable solution
for achieving rapid business results. These best practices include:
There is, of course, one more critical best practice on which all of these other practices
depend:
The most successful e-service practitioners aren’t those who wait until they’ve developed
a perfect system to launch it. They start with “seed” knowledge items and base
functionality and expand from there. Almost without exception, e-service winners have
started with limited content and a simple set of e-service functions. What ultimately
makes them winners is that they get started sooner rather than later, and then
continuously refine their e-service implementation to incorporate the preceding best
practices. By taking this incremental approach, they begin to experience the benefits of e-
service immediately and then expand those benefits over time.