Electronic Commerce By Loshin And Vacca




  • Words: 123,568
  • Pages: 352
Electronic Commerce By Pete Loshin and John Vacca

Foreword

The dot-coms may have busted, but e-commerce is alive and well. All types of companies are embracing e-commerce methods and succeeding. From small to large, organizations around the world are figuring out how to leverage the Internet as a business tool. To win on the Internet, you must understand where the opportunity is today and how to prepare for tomorrow. This book is a guide to reality. It shows you where there is opportunity. It also shows you how to benefit from using the Internet as a practical business tool and how to reap benefits quickly and permanently. This book shows you how to succeed in a competitive environment without having to spend millions of dollars doing so. You need to know the building blocks, but you also need to know how to put those blocks together in a winning combination to build a good foundation for your business to grow and thrive in the world of electronic commerce. The blocks are just like parts to a puzzle. They will not work unless you properly combine tools, methods, and know how to exploit opportunity. This book explains Internet business models, business applications that can be supported on the Internet, and how companies can benefit from using new models and new tools. After you learn about the parts and how to put them together to supercharge your company, you will also need to know how and where to drive your new business machine. Other how-to-do-business-on-the-Internet books leave you high and dry and never tell you how to drive. This book shows you how to drive your business like a race car, how to steer through uncertainty, and how to grip the road so you do not end up in a dot-com graveyard. But, you will need more than just the gas pedal if you are going to succeed in electronic commerce. Entering the world of electronic commerce is like going on a safari or expedition into unexplored lands. You need to be able to navigate your business into uncharted territory. You need balance, intuition, and considerable daring if you are going to maximize the tools of the Internet. You need to know where the edge of the cliff is and how to not fall off, like so many of those who came before you. That is the big payoff of this book.

Michael Erbschloe
Educator, Author, and Technology Strategist
Carlsbad, California

Preface

Recent studies suggest that e-commerce is maturing, taking its place as just another retail channel, and riding the same ups and downs as any of the traditional channels. It is a piece of news with mixed implications. Perhaps by now, some of the lingering fears about e-commerce are fading. Or, perhaps e-commerce is losing momentum. The studies raise more questions than they answer! But, regardless of whether e-commerce needs to recapture, maintain, or increase its momentum, there are ways that e-commerce may enhance its appeal. E-commerce may take advantage of technologies designed to make communications, self-service, and human-computer actions more natural. E-commerce may avail itself of technologies such as speech recognition and text-to-speech, encompassing the functionality of interactive voice response, and talking Web voice portals. Then, e-commerce may train its ears to recognize calls to even greater success. If you accept that e-commerce is enjoying growth because consumers perceive that it is secure and convenient, you might ask whether e-commerce could enjoy even more growth if its security and convenience could be enhanced. No doubt e-commerce could stand improvement in these respects. No doubt e-commerce users harbor lingering fears over credit card usage and the safety of personal information. To the extent there is interest in improving e-commerce, and in promoting additional growth, there are opportunities for those who may offer communications solutions. For example, communications solutions could broaden the appeal of e-commerce, helping it encompass more than PC-based, browser-mediated interactions. E-commerce could be more natural. It could accommodate the natural, human preference to speak and listen, instead of confining users to point-and-click interfaces.
The most obvious solution—broad deployment of multimedia PCs, accompanied by a proliferation of e-tailers capable of managing multimedia sessions, not to mention wider availability of residential broadband connectivity—is hardly the only solution. Many potential customers will lack multimedia terminals and broadband connectivity for some time to come. In any case, many potential customers will balk at always being tied to a desktop PC. They’ll insist on being mobile, relying on mobile phones and telemetric-equipped autos. And, whether they’re driving or not, potential customers won’t be too eager to navigate the limited interfaces presented by tiny keypads and tiny screen displays. For customers relying on phones or mobile devices, convenience may come down to whether they’ll be able to speak and listen their way through commercial transactions. Such convenience, although seldom raised in mainstream discussions of e-commerce, is a subject of abiding concern in the communications solutions marketplace. In this marketplace (through applications such as interactive voice response [IVR]), you’re already familiar with the challenges of voice-enabling customer interactions. And, you’re already familiar with the trade-offs posed by efforts to maximize convenience.

Furthermore, you’re also already familiar with the need to consolidate the management of multiple customer interaction channels. Although maximizing convenience is a laudable goal, so is minimizing expense. Attempts to negotiate this trade-off have had mixed success. For example, IVR has often been deployed in such a way that customers could be forgiven for wondering if IVR isn’t more convenient for the seller than it is for the buyer. Seemingly interminable scripts, intricate menus, and incessant prompts for Touch-Tone input have given IVR a less than stellar reputation. And yet, although IVR may be deployed as a convenience to contact centers and conserving costly live-agent resources, it may also be deployed sensibly, with restraint, extending the hours of business operations beyond the workday, providing for agent intervention when agents are available. Moreover, IVR may be subordinated to highly integrated customer relationship management (CRM) applications, allowing contact centers (or interaction centers) to accommodate shifting customer preferences with respect to communications media, while ensuring consistency in the fulfillment of customer demands, regardless of which communications channels convey these demands. With the preceding in mind, this book introduces the issues involved in bringing business to the Internet—the obstacles to online commerce as well as the advantages. After the issues have been laid out, I will explain how advances in cryptography make it possible to transmit business information across unreliable and insecure networks, reliably and securely. After the general concepts have been presented, different current commercial schemes and systems are discussed in their proper perspective. After the various schemes have been examined, other relevant and related issues can be discussed, including digital currencies, techniques for marketing on the Internet, and related services available to the online merchant. 
Appendixes include an Internet and networking glossary, a guide to locating the most current and complete electronic commerce resources on the Internet, a list of EDI codes, a complete listing of the major e-commerce conferences and trade shows, and several e-commerce case studies.

Chapter 1: What Is Electronic Commerce?

In a remarkably short time, the Internet has grown from a quirky playground into a vital, sophisticated medium for business, and, as the Web evolves further, the threshold for conducting successful business online will move increasingly higher. Online consumers are flooding to the Internet, and they come with very high expectations and a degree of control that they did not have with traditional brick-and-mortar companies. Businesses, too, are rushing to join the Internet revolution, and new, viable competitors are emerging in all industries. This chapter details introductory strategies and priorities for electronic commerce, which sets the stage for the rest of the book. It also describes how the platform, portal, and partners are critical to solving business problems in the four most common areas of electronic commerce: direct marketing, selling, and service; value chain integration; corporate purchasing; and financial and information services.

Chapter 2: Types of E-Commerce Technology

In addition to a general discussion of e-commerce technology, this chapter also covers various business-to-business connectivity protocols between procurement systems, private marketplaces, and suppliers. The chapter describes how WCBE-based suppliers and private marketplaces can connect to diverse procurement systems, other suppliers, and external private marketplaces. Specifically, the chapter shows how WCBE-based suppliers and WCS MPE-based marketplaces can connect to buyers at procurement systems that use punchout, such as Ariba, Commerce One, and mySAP. The chapter then describes how a WCS MPE-based supplier or private marketplace could originate a punchout process in order to connect to either an external supplier or another private marketplace. Next, the chapter outlines the types of trading mechanisms that can be supported by existing punchout protocols and the asynchronous trading mechanisms, such as request for quotations (RFQs), that require extensions to the punchout mechanisms. The chapter also describes B2B/M2M Protocol Exchange, a tool that IBM has implemented that can map between various protocols used by different procurement systems. Although this chapter focuses on the external partner business-to-business (B2B) protocols, a large part of the integration effort for suppliers is the tie-in to internal processes, such as the processes to handle purchase orders.

Chapter 3: Types of E-Business Models and Markets

To be successful, e-businesses must have a continuous optimization business strategy, solid knowledge management practices, and integrated business process domains. No matter what the business, the e-business model processes are the same. This chapter discusses why the e-business market affords organizations of all sizes and types the opportunity to leverage their existing assets, employees, technology infrastructure, and information to gain or maintain market share. Finally, the chapter discusses the need for an integrated value chain and challenges e-business to optimize its intellectual assets and its investments in core business systems in order to deliver its products and services to an unpredictable market.

Chapter 4: Types of E-Commerce Providers and Vendors

Selling online has become an imperative for retailers and an increasing number of manufacturers. Recognizing that a 13% loss in customers can completely eliminate the profitability of their offline stores, retailers have raced to drive e-commerce growth to $66 billion in 2003 (5.7% of U.S. retail). By mid-2004, over 94% of the largest U.S. retailers (over $50 billion in annual sales) will be e-commerce enabled. And, for midsized retailers ($800 million to $50 billion in sales), over 74% will be selling online. Yet these adopters face a fundamental challenge: using the first generation buy/build model, many cannot make money at e-commerce, but none can afford to avoid trying. For most of them, owning and operating an e-commerce infrastructure does not make economic or operational sense. With the preceding in mind, this chapter examines types of e-commerce service providers (ESPs) and vendors. It addresses three topics: why many early adopters have struggled with the first generation buy/build approach, how the next-generation ESP model delivers complete, one-stop online sales channels, and which major advantages companies gain by outsourcing their e-commerce infrastructure. You will also learn how an ESP model enables manufacturers and retailers to achieve profitability at $40 million to $180 million in online sales, focus your organization on real profit drivers—not technology, ensure reliability and scalability in your Web site and order processing, avoid managing numerous integrations and third-party service relationships, and upgrade functionality continuously and seamlessly over time.

Chapter 5: E-Commerce Web Site Creation

This chapter helps you discover new integrated services that make it easier than ever to secure your Web site and accept online credit card payments. You will also learn how to create an e-commerce Web site as well as how to avoid the risks and challenges involved in e-commerce trust, the best way to secure and authenticate your site so your customers feel comfortable providing sensitive information, and how to enable your site to process online payments in seconds—including credit and debit cards.

Chapter 6: Managing E-Commerce Web Site Development

Electronic commerce is quickly shaping up to be the way business will be conducted in the future. This chapter takes a look at how an e-commerce Web site is managed as it is being developed. In other words, this chapter is not necessarily about electronic commerce in general. It is actually an exercise in building and managing a business-to-consumer electronic commerce site. In addition, this chapter does not discuss management concepts or other tools available to implement e-commerce, but focuses exclusively on Web site servers.

Chapter 7: Building Shopping Cart Applications

To generate Hyper Text Markup Language (HTML), servlets must supply formatted strings to println() calls. This technique clogs Java™ code with line after line of hard-to-comprehend HTML. Furthermore, when servlets generate HTML, Web page design requires programmers. JavaServer Pages (JSP) pull HTML out of Java code and create a role for HTML designers. Site development can proceed along parallel tracks (Java design and HTML design), thereby delivering a Web site faster. JavaServer Pages also encourage loose coupling between business logic components and presentation components, thereby making reuse of both more likely. The shopping cart application discussed in this chapter examines the role of JSP in Web architectures and offers a practical example of how to get the most out of your e-business applications.

Chapter 8: Mobile Electronic Commerce

The demand for and use of mobile technologies is increasing at a phenomenal rate. Simultaneously, the underlying landscape of mobile technologies is changing rapidly, creating the need for solutions to facilitate the long-term growth and success of mobile enterprise initiatives. This chapter discusses how important it is for software vendors to provide comprehensive solutions to manage, secure, and maintain the mobile application’s infrastructure, while fostering development, integration, and access to applications and information over wireless media.

Chapter 9: Enhancing a Web Server with E-Commerce Application Development

Today, businesses take a pragmatic view of investments in information technology (IT). For IT managers, the key to success is to provide the maximum business value for the minimum cost. This chapter shows how IT must align enhanced server-based application development and operations with the needs and priorities of the business.

Chapter 10: Strategies, Techniques, and Tools

The e-business revolution that began in 1997 is proceeding at a revolutionary pace—which is to say that it is proceeding rapidly, but not uniformly and not always in the ways that were predicted. This chapter discusses how some e-business industries are moving ahead as fast as technologies permit, and some are taking a wait-and-see attitude.

Chapter 11: Implementing Merchandising Strategies

The Internet is changing the basis of competition for companies of all sizes. Although many successful formulas for e-business development now exist, most are based on one of the following merchandising strategies: Web entrepreneurship, virtual build-out, and operations improvement. This chapter explains how each strategy relies not only on a great Web site, but also on high-quality, system-ready information about products and the merchandising programs that drive sales.

Chapter 12: Implementing E-Commerce Databases

In just over seven years, e-commerce database technology has become the common user interface of choice for many information dissemination systems, whereas relational database management systems (RDBMS) have been the cornerstone of information warehousing for years. The integration of the two technologies has made rapid advances over the last few years. This rapid growth has led to new challenges for IT managers and developers. There are several competing technologies available that often do not address the issues of heterogeneous environments and Web-based application development. This chapter addresses the challenges of designing and implementing e-commerce database-integrated Web sites. Furthermore, it focuses on e-commerce database-Web integration difficulties in heterogeneous database environments.

Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development

An organization can effectively address business problems, realizing immediate returns on investment in technology. This chapter very briefly shows how a fully Web commerce-integrated, Windows-based development environment for building, testing, and deploying Web applications meets e-business intelligence (e-BI) application development solution criteria very effectively. This chapter also examines the business and technical requirements for applying and managing e-BI tools for application development solutions.

Chapter 14: Types of Security Technologies

Today, more than ever, organizations are challenged with improving security without incurring a corresponding increase in cost or burden to their existing staff. By comparing the benefits that a new product will provide to the total cost of that product, organizations will make better choices that ultimately lead to greater security. Leveraging existing products is quite often the quickest way to improving both security and the bottom line. Finally, in many cases, organizations can address most of their e-commerce application concerns or problems with the products they already own. With the preceding in mind, this part of the chapter very briefly highlights emerging threats specific to e-commerce application security and provides guidance on effective approaches to e-commerce application protection.

Chapter 15: Protocols for the Public Transport of Private Information

Creating a high-security, high-performance e-business infrastructure demands close coordination of both technical and management policies and procedures. This chapter discusses how e-business security is evolving from an old notion of an information fortress that keeps others out, to a new notion of privacy and trust as you give customers, partners, and remote employees access to your business data.

Chapter 16: Building an E-Commerce Trust Infrastructure

Businesses that can manage and process e-commerce transactions can gain a competitive edge by reaching a worldwide audience, at very low cost. This chapter discusses how the Web poses a unique set of trust issues, which businesses must address at the outset to minimize risk. Customers submit information and purchase goods or services via the Web only when they are confident that their personal information, such as credit card numbers and financial data, is secure.

Chapter 17: Implementing E-Commerce Enterprise Application Security Integration

This chapter explores e-commerce enterprise application security integration and new technology’s support of rapid deployment of secure e-commerce applications. The technology, based on the integration of distributed component computing and information security, represents new power to mount secure, scalable e-commerce services. The chapter also describes how security enables new e-commerce applications that were not previously feasible, and how e-commerce solutions create new security responsibilities. Next, the chapter describes the many challenges of enforcing security in component-based applications. Finally, the chapter formally introduces Enterprise Application Security Integration (EASI), which is used to tie together many different security technologies and, as a result, provides the framework for building secure component architectures.

Chapter 18: Strong Transaction Security in Multiple Server Environments

For the strongest, most reliable protection of your client-browser communications, Secure Sockets Layer (SSL) certificates are widely recognized as the industry standard. SSL certificates allow your Internet site or corporate network to enable SSL encryption, which authenticates your server and guarantees against alteration and interception of data. This chapter provides you with a basic introduction to digital ID technology and SSL certificates. It then lays out the reasons you might consider managed PKI for SSL certificates as an alternative to one-by-one purchasing. Finally, it presents the features you can expect if you decide managed PKI for SSL certificates is right for your organization.

Chapter 19: Securing and Managing Your Storefront for E-Business

With its worldwide reach, the Web is a lucrative distribution channel with unprecedented potential. By setting up an online storefront, businesses can reach the millions of people around the world already using the Internet for transactions. In addition, by ensuring the security of online payments, businesses can minimize risk and reach a far larger market: the 89 percent of Internet users who still hesitate to shop online because of security concerns. This chapter is a continuation of Chapter 18, with very detailed explanations of key issues related to online storefront security. It also describes the technologies that are used to address the issues, and provides step-by-step instructions for obtaining and installing an SSL certificate.

Chapter 20: Payment Technology Issues

Online payment processing requires coordinating the flow of transactions among a complex network of financial institutions and processors. Fortunately, technology has simplified this process so that, with the right solution, payment processing is easy, secure, and seamless for both you and your customers. This chapter provides you with what you need to know about online payment processing issues: online payment processing basics, the payment processing network, how payment processing works, what you should know about fraud, and what to look for in a payment processing solution. After you’ve read this chapter, you’ll understand the issues and essential elements of accepting payments online, the most important step in putting your Web site to work for you.

Chapter 21: Electronic Payment Methods Through Smart Cards

The payment card has been in existence for many years. It started in the form of a card embossed with details of the cardholder (account number, name, expiration date), which could be used at a point of sale to purchase goods or services. The magnetic stripe was soon introduced as a means of holding more data than was possible by embossing alone. In the end, the smart card appeared. That’s what this chapter is all about!

Chapter 22: Electronic Payment Systems

The payment stage of any electronic bill presentment and payment (EBPP) implementation must be able to integrate tightly with accounts receivable (A/R) and accounts payable (A/P) systems, support backend payment-processing workflows and procedures, and provide detailed reporting capabilities. With the preceding in mind, this chapter is about electronic payment systems.

Chapter 23: Digital Currencies

This chapter discusses the market implications of adopting electronic payment systems and digital currencies in electronic commerce. The key to understanding and exploiting electronic commerce is to recognize it as a market mechanism, in which all components of a market interact and must be analyzed collectively. For example, electronic payment systems bring more than lowered transaction costs, affecting product choices, pricing, and competition. This chapter also examines economic implications of electronic payment systems—especially micropayments enabled by digital currencies in terms of size advantage, the lemons problem, digital product pricing, product differentiation—the commoditization of consumer information and advertisements, and copyrights. In short, electronic payment systems are one of the critical factors that allow process innovations via electronic commerce. Finally, these process innovations may either promote competitive and efficient markets or worsen the trend toward the vertical integration and monopolization in the globalized economy.

Chapter 24: International E-Commerce Solutions

The Internet connects potential customers with merchants in many different countries. This chapter discusses how international e-commerce payment solutions provide a channel for money to cross oceans and borders.

Chapter 25: Business-to-Business and Business-to-Consumer

To help companies make informed decisions and capitalize on the right opportunities, this chapter discusses solutions designed to help companies integrate business partners more effectively. Although this notion encompasses a wide range of business challenges and solutions (including supply chain management, procurement, and CRM), this chapter focuses specifically on one concept: supplier enablement. The supplier enablement initiative and technology solutions (whether they be B2B or B2C) are aimed at helping companies of all sizes to sell to their trading partners more effectively by integrating with customers’ procurement systems, e-marketplaces, and other electronic sales channels—all from a single e-business foundation. No matter how large or small a business is, or how complex or simple its business processes, supplier enablement solutions will make it easier for your company to reach its customers through whatever purchasing method they prefer.

Chapter 26: Summary, Conclusions, and Recommendations

Finally, this chapter summarizes and explores some of the implications to both business and business computing of the continuing evolution of e-business. The chapter also discusses decision points and the fundamental importance of something even more critical to e-business success: ease of integration. This part of the chapter pinpoints 15 essential best practices or recommendations for effective e-service.

Part I: Overview of E-Commerce Technology

Chapter List

  • Chapter 1: What Is Electronic Commerce?
  • Chapter 2: Types of E-Commerce Technology
  • Chapter 3: Types of E-Business Models and Markets
  • Chapter 4: Types of E-Commerce Providers and Vendors

Chapter 1: What Is Electronic Commerce?

“It is impossible for ideas to compete in the marketplace if no forum for their presentation is provided or available.” —Thomas Mann (1875–1955)

Overview

Electronic commerce is doing business online. It is about using the power of digital information to understand the needs and preferences of each customer and each partner to customize products and services for them, and then to deliver the products and services as quickly as possible. Personalized, automated services offer businesses the potential to increase revenues, lower costs, and establish and strengthen customer and partner relationships. To achieve these benefits, many companies today engage in electronic commerce for direct marketing, selling, and customer service; online banking and billing; secure distribution of information; value chain trading; and corporate purchasing. Although the benefits of electronic commerce systems are enticing, developing, deploying, and managing these systems is not always easy. In addition to adopting new technology, many companies will need to reengineer their business processes to maximize the benefits of electronic commerce. An electronic commerce strategy should help deliver a technology platform, a portal for online services, and a professional expertise that companies can leverage to adopt new ways of doing business. Platforms are the foundation of any computer system. An e-commerce platform should be the foundation of technologies and products that enable and support electronic commerce. With it, businesses can develop low-cost, high-value commerce systems that are easy to grow as business grows. An e-commerce platform’s breadth should also be unmatched, ranging from operating systems to application servers, to an application infrastructure and development tools, and to a development system. Portals are the crossroads of the Internet, where consumers gather and where businesses can connect with them. Companies normally provide customers with a wide range of choices for professional implementation services and tightly integrated software for commerce solutions.
Independent software vendors (ISVs) have created specialized commerce software components that extend the platform. This chapter details introductory strategies and priorities for electronic commerce, which sets the stage for the rest of the book. It also describes how the platform, portal, and partners are critical to solving business problems in the four most common areas of electronic commerce: direct marketing, selling, and service; value chain integration; corporate purchasing; and financial and information services.

E-Commerce: Doing Business on the Internet

Businesses communicate with customers and partners through channels. The Internet is one of the newest and, for many purposes, best business communications channels. It is fast, reasonably reliable, inexpensive, and universally accessible—it reaches virtually every business and more than 200 million consumers. Doing business online is electronic commerce, and there are four main areas in which companies conduct business online today: direct marketing, selling, and service; online banking and billing; secure distribution of information; and value chain trading and corporate purchasing.

Direct Marketing, Selling, and Service

Today, more Web sites focus on direct marketing, selling, and service than on any other type of electronic commerce. Direct selling was the earliest type of electronic commerce, and has proven to be a stepping-stone to more complex commerce operations for many companies. Successes such as Amazon.com, Barnes & Noble, Dell Computer, and the introduction of e-tickets by major airlines, have catalyzed the growth of this segment, proving the reach and customer acceptance of the Internet. Across consumer-targeted commerce sites, there are several keys to success:

  • Marketing that creates site visibility and demand, targets customer segments with personalized offers, and generates qualified sales leads through observation and analysis of customer behavior.
  • Sales-enhancing site design that allows personalized content and adaptive selling processes that do more than just list catalog items.
  • Integrated sales-processing capabilities that provide secure credit card authorization and payment, automated tax calculation, flexible fulfillment, and tight integration with existing backend systems, such as inventory, billing, and distribution.
  • Automated customer service features that generate responsive feedback to consumer inquiries, capture and track information about consumer requests, and automatically provide customized services based on personal needs and interests [3].

This business-to-consumer (B2C) electronic commerce increases revenue by reaching the right customers more often. Targeted and automated up-selling and cross-selling are the new fundamentals of online retailing. Sites that most frequently provide the best and most appropriate products and services are rewarded with stronger customer relationships, resulting in improved loyalty and increased value.

Financial and Information Services A broad range of financial and information services are performed over the Internet today, and sites that offer them are enjoying rapid growth. These sites are popular because they help consumers, businesses of all sizes, and financial institutions distribute some of their most important information over the Internet with greater convenience and richness than is available using other channels. For example, you have:

• Online banking
• Online billing
• Secure information distribution

Online Banking Consumers and small businesses can save time and money by doing their banking on the Internet. Paying bills, making transfers between accounts, and trading stocks, bonds, and mutual funds can all be performed electronically by using the Internet to connect consumers and small businesses with their financial institutions.

Online Billing Companies that bill can achieve significant cost savings and marketing benefits through the use of Internet-based bill-delivery and receiving systems. Today, consumers receive an average of 23 bills per month by mail from retailers, credit card companies, and utilities.

Secure Information Distribution To many businesses, information is their most valuable asset. Although the Internet can enable businesses to reach huge new markets for that information, businesses must also safeguard that information to protect their assets. Digital Rights Management provides protection for intellectual and information property, and is a key technology for secure information distribution.

Maintenance, Repair, and Operations (MRO) The Internet also offers tremendous time and cost savings for corporate purchasing of low-cost, high-volume goods for maintenance, repair, and operations (MRO) activities. Typical MRO goods include office supplies (such as pens and paper), office equipment and furniture, computers, and replacement parts. The Internet can transform corporate purchasing from a labor- and paperwork-intensive process into a self-service application. Company employees can order equipment on Web sites, company officials can automatically enforce purchase approval and policies through automated business rules, and suppliers can keep their catalog information centralized and up-to-date. Purchase order applications can then use the Internet to transfer the order to suppliers. In response, suppliers can ship the requested goods and invoice the company over the Internet. In addition to reduced administrative costs, Internet-based corporate purchasing can improve order-tracking accuracy, better enforce purchasing policies, provide better customer and supplier service, reduce inventories, and give companies more power in negotiating exclusive or volume-discount contracts. In other words, the Internet and e-business have changed the way enterprises serve customers and compete with each other, and have heightened awareness for competing supply chains (see sidebar, “Supply Chain Management”).

Supply Chain Management Supply chain management (SCM) is changing as companies continue to look for ways to respond faster, improve service for customers, and maximize sales while decreasing costs. SCM solutions must support highly configurable products, such as computers and automobiles, global markets with local specifications, and widely dispersed suppliers and partners. Yet most companies’ SCM solutions are linear, sequential, and designed for controlled conditions. They rely on accurate forecasting of demand, but are disconnected from the actual demand. Decisions are made centrally, and changes typically take days, weeks, or even months. However, companies increasingly need to respond to changes in hours and minutes. Supply chains in this century must be adaptive and provide greater visibility, velocity, flexibility, and responsiveness to enable enterprise value networks to adapt to changes in supply and demand in real time.

Management Shift As supply chain networks extend across organizational and geographic boundaries, companies must find ways to manage the unmanageable. The future of supply chain management lies in the ability of the enterprise to respond instantaneously to shifts in global supply and demand, and to major events that occur across extended supply chain processes. The faster a supply network can adapt to these events, the more value that will be created. For example, with Walldorf, Germany-based SAP® mySAP™ Supply Chain Management (mySAP™ SCM), enterprise systems supplier SAP is delivering what it believes is the most adaptive supply chain management solution available on the market. In addition, SAP is developing adaptive-agent technology and repair-based optimization that is expected to enable the next generation of adaptive solutions and services. Supply chain management is now the key to increasing and sustaining profitability.
In fact, Stamford, Connecticut-based Gartner Group recently predicted that 91 percent of leading companies that fail to leverage supply chain management would forfeit their status as preferred vendors. According to SAP, mySAP SCM has demonstrated bottom-line benefits for its users. For example, New York, N.Y.-based Colgate-Palmolive increased forecast accuracy to 98 percent, reduced inventory by 13 percent, and improved cash flow by 13 percent. The reason: mySAP SCM enables end-to-end integration of supply chain planning, execution, networking, and coordination.

The Profits of Adaptive Proponents of adaptive supply chain networks say that by sharing information about customer demand with all partners simultaneously—rather than in the traditional, sequential fashion, with its inherent delays—network partners can act more like a single entity to stay in-sync with customer needs. The adaptive supply chain network puts the customer at the center of all activities in the supply chain, which allows companies to improve overall costs and profits across the network, instead of just shifting costs to other parts of the supply chain. Given the dynamics of today’s markets, manufacturers need to rethink their business model on an almost continuous basis, keep redefining markets and pricing, serve ever-smaller customer niches, and provide increasingly customized products. Internal integration helps enterprises break down functional silos and share actionable information. The adaptive supply chain network relies upon real-time integration of all supply chain systems, including networking, planning, execution, coordination, and performance-management systems. But, it also requires integration across systems that support a variety of functions beyond the traditional supply chain. Customer relationship management (CRM) is about capturing customer requirements, building life-long customer relationships and brand value, and influencing demand through promotions. This information must be fed back into the supply chain network to improve planning. Although this flow of information generally does not occur now, it represents the key to customer-segmentation strategies and effective demand management, which will lead to increasing overall profitability. Customer feedback and trends must also drive product development to ensure that products are designed according to customer requirements. In addition, integration between a product life-cycle management (PLM) system and an SCM solution reduces time-to-market for new products and ensures that engineering changes are seamlessly integrated back into manufacturing.
Last but not least, aligning a company’s business model with operational capability requires engineering and sourcing products differently. To support mass customization and postponement strategies, products tend to be designed in a modular fashion and sourced from fewer strategic suppliers. Close collaboration with these suppliers on product design is essential to reduce time-to-market, increase product quality, and ensure that products are designed for supply. With that kind of integration, a superior understanding of the customer drives everything—CRM, product design, supply chain operations, and even the value proposition of the entire network. In an adaptive supply chain network, SCM, CRM, and PLM must all work together. That is the hallmark of a truly customer-centric organization—and the key to profitability.

Competitive Advantage Making adaptive supply chains a reality means fundamental changes in a company’s internal operations, starting with the integration of processes and systems across organizational boundaries. Then, companies can leverage the increased visibility within and across organizations to achieve change in their supply chain processes, including functionality for the following.

Adaptive Planning Today, most supply chain planning and scheduling systems rely primarily upon historical data collected from enterprise resource planning (ERP) and legacy systems. However, as companies aim to create virtually “inventory-less” supply chains, they require the ability to realign demand and supply almost continuously to consider the latest demand situation and supply status. Adaptive planning replaces batch-oriented, period planning with an event-driven, real-time response to demand signals and changing supply situations.

Dynamic Collaboration Traditional supply chains rely mostly upon inventory and assets, but the adaptive supply chain network is information-based—it uses shared data for planning and execution processes. By incorporating data garnered from collaborative processes (such as vendor-managed inventory [VMI]; collaborative planning, forecasting, and replenishment [CPFR]; collaborative supply management; and collaborative transportation management), these networks replace inventory and capacity buffers (long used to make up for a lack of supply chain visibility) with information.

Distributed Execution Most execution systems are ill-prepared to support the emerging virtual supply network. Distributed execution considers the distributed nature of processes in a world of outsourcing, in which multiple partners in the extended network might manage a single process. Distributed execution allows the management of processes across different ERP systems by supporting cross-system integration and collaboration.

Event-Driven Coordination Today, even small disruptions in supply chains initiate a wave of e-mails, faxes, and phone calls just to keep pace with the problem. Adaptive supply chain networks address the challenge of managing the virtual enterprise through up-to-the-minute monitoring and control of business processes and the rapid, intelligent resolution of exceptions. Event-driven coordination complements adaptive planning by trying to solve supply chain exceptions locally to support existing, optimized plans. The result? Faster response to market changes and instantaneous adaptation to customer needs across the enterprise and the network.

Continuous Performance Management Most executives would agree that consistent performance metrics are the key to steering the behavior of individuals and reconciling conflicting goals across functional areas. However, key performance indicators (KPIs) also play a major role in managing collaborative processes and in providing decision makers with actionable information to increase the quality and speed of decisions. Continuous performance management enables closed-loop learning processes by allowing the company to measure the quality of processes constantly, and by feeding this information back into supply chain planning. Besides addressing the need for consistent performance metrics, companies are increasingly complementing supply chain KPIs with balanced scorecards to get a level view of the state of the organization, and to align operational targets with strategic objectives across functional silos. Combined, these elements enable companies to implement closed-loop learning processes across the supply network. In business, the ability to adapt to change is increasingly important. For those who do it right, the adaptive supply chain network will be an important competitive weapon. Those who don’t may well become the dinosaurs of their industries [4].

Value Chain Integration No other business model highlights the need for tight integration across suppliers, manufacturers (see sidebar, “The Manufacturing E-Commerce Bottom Line”), and distributors quite like the value chain. Delays in inventory tracking and management can ripple from the cash register all the way back to raw material production, creating inventory shortages at any stage of the value chain. The resulting out-of-stock events can mean lost business. The Internet promises to increase business efficiency by reducing reporting delays and increasing reporting accuracy. Speed is clearly the business imperative for the value chain.

The Manufacturing E-Commerce Bottom Line The economic downturn in the United States has played havoc with the country’s manufacturing and engineering sectors for more than three years, leading to the longest continual month-over-month decline in industrial production since World War II. But, if there is a bright spot in what economists are predicting for manufacturers in 2004, it is a trend toward increasing e-commerce revenues and initiatives within the industrial sectors. The Federal Reserve recently reported that production in American factories fell 3.3 percent. The September 11 terrorist attacks created additional uncertainty in all markets, but particularly in manufacturing, where inventory levels among retailers and suppliers were already high. Consumer spending for durable goods took a drop in the wake of the attacks and as a result of the developing war on terrorism. Analysts also say they do not expect an uptick in manufacturing production until consumers begin spending with confidence.

Still, companies like General Electric and General Motors were reporting increases in online sales and predicting gains in e-commerce by the end of 2003. Officials at GE indicate they expect to increase the amount of online revenue calendar-year-over-calendar-year from $9 billion to $24 billion. Historically, online revenue figures in manufacturing, engineering, and supply sectors have been difficult to determine, because most companies in those sectors do not separate online revenue from other income. Economic statistics compiled by the U.S. Department of Commerce and others have consistently noted that although e-commerce activities have continued to grow despite unfavorable economic conditions, determining the exact portion of the national economy they represent is difficult. A recent study by the National Association of Manufacturers (the leading industry group of industrial producers) saw dramatic increases in the number of companies developing Web-based activities to reach both new customers and suppliers. Despite the intense hype surrounding e-commerce, right now it’s still just a small fraction of most business and manufacturing operations. But, nearly three quarters of the companies surveyed reported they were developing e-commerce initiatives to grow their revenues, a harbinger of dramatic change down the road. As capital spending rebounds, there should be a significant increase in networking and business-to-business software investments. In another recent study of e-business activities within the manufacturing sector (commissioned by Interbiz, a division of Computer Associates International), a significant increase in focus was shown on e-commerce activities in 2002 within manufacturing and related industrial areas.
According to the survey, 56 percent of manufacturing concerns indicated they were actively involved in e-commerce, with 89 percent reporting effectiveness within their e-business strategies; 22 percent reported those activities as “highly effective.”

Unfortunately, speed can be costly. Today, approximately 60,000 businesses exchange business documents such as orders and invoices with their trading partners through a standard communication and content protocol called Electronic Data Interchange (EDI). Most EDI implementations use leased lines or value added networks (VANs) that require significant integration for each trading partner. Network design, installation, and administration can be costly in terms of hardware, software, and staff. In fact, these costs are the key reason that EDI is most widely deployed only in larger companies. Moving forward, all companies will be able to take advantage of value chain integration through the low cost of the Internet. Open standards for electronic document exchange will allow all companies to become Internet trading partners and function as suppliers, consumers, or both in this business-to-business electronic commerce. This integrated trading will tighten relationships between businesses while offering them greater choices in supplier selection.

Issues in Implementing Electronic Commerce Although it is simple to describe their benefits, it is not nearly as easy to develop and deploy commerce systems. Companies can face significant implementation issues:

• Cost
• Value
• Security
• Leveraging existing systems
• Interoperability

Cost Electronic commerce requires significant investments in new technologies that can touch many of a company’s core business processes. As with all major business systems, electronic commerce systems require significant investments in hardware, software, staffing, and training. Businesses need comprehensive solutions with greater ease-of-use to help foster cost-effective deployment.

Value Businesses want to know that their investments in electronic commerce systems will produce a return. Business objectives such as lead generation, business-process automation, and cost reduction must be met. Systems used to reach these goals need to be flexible enough to change when the business changes.

Security The Internet provides universal access, but companies must protect their assets against accidental or malicious misuse. System security, however, must not create prohibitive complexity or reduce flexibility. Customer information also needs to be protected from internal and external misuse. Privacy systems should safeguard the personal information critical to building sites that satisfy customer and business needs [6].

Leveraging Existing Systems Most companies already use information technology (IT) to conduct business in non-Internet environments, such as marketing, order management, billing, inventory, distribution, and customer service. The Internet represents an alternative and complementary way to do business, but it is imperative that electronic commerce systems integrate existing systems in a manner that avoids duplicating functionality and maintains usability, performance, and reliability.

Interoperability When systems from two or more businesses are able to exchange documents without manual intervention, businesses achieve cost reduction, improved performance, and more dynamic value chains.

Failing to address any of these issues can spell failure for a system’s implementation effort. Therefore, your company’s commerce strategy should be designed to address all of these issues to help customers achieve the benefits of electronic commerce. Your company’s vision for electronic commerce should also be to help businesses establish stronger relationships with customers and industry partners. For example, a successful strategy for delivering this vision is described by three workflow elements (platform, portal, and industry partners), each backed by comprehensive technology, product, and service offerings. From self-service portals to transaction processing, a successful workflow strategy can be the underlying engine delivering state-based, process-focused control services for e-business applications. Human labor is expensive, and workflow technology allows e-businesses to supplement, and in some cases eliminate, reliance on human supervision and intervention.

Workflow Technology Creating e-business processes without a vision for workflow is shortsighted and expensive. Workflow addresses business needs, streamlines transactions, and is the glue for process coordination and consistency. Self-service applications are perfect examples of how workflow can be employed to automatically coordinate requests and track fulfillment, thereby allowing corporations to relocate human resources to more difficult tasks. E-business flexibility can be realized through workflow’s logic encapsulation, which isolates the logic of the business process from the Web server middleware and associated Web pages. Every Web page click is an opportunity to invoke workflow-based interaction, guidance, and fulfillment. E-businesses need workflow technology to react rapidly to process changes. For example, an instant change to the workflow process can be accomplished with a simple change to the workflow map by a nonprogrammer, to effect temporary or continuous changes in the business process, thus accommodating short-term business needs or long-term process improvements. A workflow-driven e-business will see immediate shifts that allow it to process more efficiently under high-volume circumstances. The bottom line? Workflow design tools should be a core requirement for e-business applications. A detailed discussion of workflow technology is presented in Chapter 2, “Types of E-Commerce Technology.”
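A workflow map of the kind this section describes, driving the self-service MRO purchase order with the automated approval rules mentioned under Maintenance, Repair, and Operations, as an added example that is not the book’s code: the process lives in an editable map, and the engine enforces role checks and separation of duties on every click. The states, actions, role names, user directory and the 500.00 auto-approval limit are assumptions chosen for illustration.

```python
"""Declarative workflow map for a self-service MRO purchase order.

Added example, not code from the book; states, actions, roles and the
auto-approval limit are assumptions chosen to illustrate the text.
"""
from dataclasses import dataclass, field

# The workflow map is data, not code: a non-programmer can add a state,
# re-route an action or change who may take it without touching the Web
# tier, which only calls transition() when a page is clicked.
WORKFLOW_MAP = {
    "draft":     {"submit":  ("requester",  "submitted")},
    "submitted": {"approve": ("approver",   "approved"),
                  "reject":  ("approver",   "rejected")},
    "approved":  {"send":    ("purchasing", "sent_to_supplier")},
}
AUTO_APPROVE_LIMIT = 500.00  # assumed policy: orders at or below skip approval

# Assumed (constructed) directory of who holds which role.
ROLES = {
    "alice": {"requester", "approver"},   # a manager who also orders supplies
    "bob":   {"approver"},
    "carol": {"purchasing"},
}


@dataclass
class PurchaseOrder:
    requester: str
    amount: float
    state: str = "draft"
    history: list = field(default_factory=list)  # audit trail of transitions


class WorkflowError(Exception):
    """Raised when a click asks for something the map or policy forbids."""


def transition(po, action, actor, roles=ROLES):
    """Apply `action` by `actor` to `po` and return the new state.

    Enforced here rather than in the Web pages: the action must exist for
    the current state, the actor must hold the required role, and nobody
    approves their own order (separation of duties).
    """
    allowed = WORKFLOW_MAP.get(po.state, {})
    if action not in allowed:
        raise WorkflowError(f"{action!r} is not valid in state {po.state!r}")
    required_role, next_state = allowed[action]
    if required_role not in roles.get(actor, set()):
        raise WorkflowError(f"{actor!r} lacks the {required_role!r} role")
    if action == "approve" and actor == po.requester:
        raise WorkflowError("requesters may not approve their own orders")
    if action == "submit" and po.amount <= AUTO_APPROVE_LIMIT:
        next_state = "approved"  # business rule: small orders bypass approval
    po.history.append((po.state, action, actor, next_state))
    po.state = next_state
    return po.state


def run_order(requester, amount, approver, sender="carol"):
    """Drive one order through the map and return it with its audit trail."""
    po = PurchaseOrder(requester, amount)
    transition(po, "submit", requester)
    if po.state == "submitted":          # large orders wait for an approver
        transition(po, "approve", approver)
    transition(po, "send", sender)
    return po


if __name__ == "__main__":
    for step in run_order("alice", 1200.00, "bob").history:
        print(step)
```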

Now, let’s take a look at the transformation of the scope of the Internet and the Web. The discussion centers around the Session Initiation Protocol’s (SIP) effect on multimedia-enabled e-commerce.

[3] Microsoft Corporation, “Electronic Commerce Explained,” ©2003 Microsoft Corporation. All rights reserved. The Business Forum, 9297 Burton Way, Suite 100, Beverly Hills, CA 90212 (August 2002): pp. 1–19.

[4] Runge, Wolfgang and Renz, Alexander, “Adaptive Networks Broaden Relationships,” © Copyright 2003 SAP AG. All rights reserved, SAP America Inc., Strategic Planning & Support Office, 3999 West Chester Pike, Newtown Square, PA 19073, USA [Advertising supplement in June 2002 edition of MSI, Reed Business Information, 2500 Clearwater Drive, Oak Brook, IL 60523 (June 2002)].

[6] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

The Scope of the Internet and the Web The renaissance of the Internet age launched an entirely new set of communication technologies and methods. As multiple technologies evolve and interoperate, so do complementary standards, such as those for multimedia applications. The advancement of multimedia applications for the Web has resulted in a wave of new technologies to enhance the Internet experience. From voice to video, the latest developments have resulted in the requisite standards to allow for the full maturation of the technology. Voice over IP (VoIP) has gained acceptance within the last few years, with older standards enabling the technology. As more advanced standards mature and enhanced capabilities and features become available, the adoption of VoIP has begun to take off. For example, H.323 is currently the dominant standard for initiating a voice session. But, as more multimedia services, such as unified messaging, video conferencing, instant chat, and presence, gain acceptance in an Internet Protocol (IP) environment, more robust standards are needed. Hence the creation of the Session Initiation Protocol (SIP), a text-based protocol modeled on HTTP. SIP’s main functions are signaling and call control for IP-based communications. It defines the desired service for the user, such as point-to-point calls, multipoint conferencing, text, voice, or video. Using the protocol, SIP servers perform a routing service that puts the caller in contact with the called party, taking into account the desired service and user preferences. Because SIP has its foundation in HTTP, it eases the integration of voice with other Web services.

The Benefits of SIP As the new voice-ready IP standard, SIP enables the initiation of an interactive Internet experience involving multimedia elements, such as video, voice, chat, gaming, and virtual reality. The main advantages of SIP for the VoIP market include enhanced scalability, easy implementation, and dramatically reduced call setup time. Another key benefit of SIP for VoIP is the easy integration with many other IP services. Through SIP, service providers can easily add services and applications for VoIP customers while minimizing interoperability issues. SIP is flexible and extensible, easily supporting a wide array of endpoint devices and configurations. More importantly, SIP runs over IP networks, regardless of the underlying networking technology, such as asynchronous transfer mode (ATM). By taking advantage of the Internet, SIP technology provides new service capabilities while supporting the use of key services from the circuit-switched telephone network. IP-based communications can use SIP Uniform Resource Locators (URLs) for addressing, similar to the World Wide Web, in which the form of the URL resembles an e-mail address. The support of both telephony and Web-type addressing enables IP communication to seamlessly bridge a telephone network and the Internet. Users on either network can reach any point on the Public Switched Telephone Network (PSTN) or the Internet without giving up the existing devices or advantages of either.

Enabling Multimedia E-Commerce with SIP The emergence of SIP has opened up new doors of innovation, enabling the next generation of e-commerce through the use of VoIP and multimedia applications. The simplicity of SIP technology is facilitating the spread of VoIP around the world. SIP’s straightforward approach has encouraged developers of e-commerce applications and telecommunications providers to implement it in their customer relationship management (CRM) systems. Traditional voice call centers for customer support are migrating to Web support centers where the focus is shifting from pure voice (800 numbers) to e-mail support, text chat, voice, and video with click-to-connect service. The integration of these applications brings a fresh dimension of communication to customer-facing Web sites. As customers experience the benefit of multiple touch points, enterprises are compelled to integrate these new communication methods into their CRM systems. As the enabling protocol, SIP is well-suited to bring these capabilities to the user. Because support for instant messaging and presence is built into SIP, a whole new level of customer communications can take place. Presence lets users know the availability of other parties, and when coupled with instant messaging and conferencing, allows for communications to happen in a spontaneous fashion. With these added functionalities, the online consumer can experience a rich customer support environment.

Because SIP enables real-time voice and video to become viable applications on many e-commerce Web sites, it enhances Internet call center productivity. With the click of a mouse, a customer can talk to or be in face-to-face contact with a service representative. This level of customer service allows an immediate personal connection with customers—one of the most critical aspects in CRM. The adoption of e-commerce will be bolstered further as consumers begin to rely upon this type of online customer service. SIP-based communications can be achieved with any device, fixed or mobile, such as laptops and Internet-ready phones [5]. In addition, because SIP supports name mapping and redirection services, it is possible for users to initiate and receive communications and services from any location, and for networks to identify users regardless of location. This adds an additional level of usability from a CRM perspective. As e-commerce spreads to cell phones and other handheld devices, this functionality will increase in importance. Now, let’s look at how to use the Web to reach customers. Although customer experience includes intangible, nonquantifiable aspects, it also includes a wide range of entirely measurable Web site elements.

[5] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
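The exchange behind the SIP addressing and the name mapping and redirection service described above, as an added example that is not part of the book: a caller sends an INVITE to a published e-mail-style address, a redirect server validates the request and answers with a 302 pointing at the party’s current location, and the caller extracts that Contact to re-send the INVITE. The host names, addresses, Call-ID, branch value and location table are constructed; the list of headers every request must carry is the one RFC 3261 mandates.

```python
"""SIP request validation and the redirect (name-mapping) service.

Added example, not code from the book. Addresses, Call-ID, branch and host
names are constructed; the six mandatory request headers are the ones
RFC 3261 requires, which a server checks before routing anything.
"""
import re

REQUIRED_REQUEST_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
# sip:user@host[:port], the e-mail-like addressing form the text mentions.
SIP_URI = re.compile(r"^sips?:[^@\s<>]+@[A-Za-z0-9.-]+(?::\d{1,5})?$")


class SipError(ValueError):
    """Malformed or unacceptable message: answer 4xx, never route it."""


def parse_message(raw):
    """Split a request or response into (start_line, headers, body).
    Header names are case-insensitive, so keys are lower-cased."""
    if "\r\n\r\n" not in raw:
        raise SipError("no blank line ending the headers")
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise SipError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def validate_request(start_line, headers):
    """Return (method, request_uri) or raise SipError."""
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", start_line)
    if not m:
        raise SipError(f"bad request line: {start_line!r}")
    method, uri = m.groups()
    if not SIP_URI.match(uri):
        raise SipError(f"bad request URI: {uri!r}")
    missing = [h for h in REQUIRED_REQUEST_HEADERS if h.lower() not in headers]
    if missing:
        raise SipError("missing headers: " + ", ".join(missing))
    hops = headers["max-forwards"]
    if not hops.isdigit() or int(hops) == 0:
        raise SipError("Max-Forwards exhausted")  # routing-loop protection
    return method, uri


# Constructed location database: published address -> current contact.
# This is the name-mapping step; the caller never needs the agent's host.
LOCATION_DB = {"sip:support@shop.example": "sip:agent7@callcenter.shop.example:5060"}


def build_response(code, reason, req_headers, contact=None):
    """Echo Via, From, To, Call-ID and CSeq so the caller can match the
    reply to its own transaction; add Contact for a redirect."""
    lines = [f"SIP/2.0 {code} {reason}"]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        lines.append(f"{name}: {req_headers[name.lower()]}")
    if contact:
        lines.append(f"Contact: <{contact}>")
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def handle_invite(raw):
    """Redirect-server side: answer an INVITE with 302, 404 or 405."""
    start_line, headers, _ = parse_message(raw)
    method, uri = validate_request(start_line, headers)
    if method != "INVITE":
        return build_response(405, "Method Not Allowed", headers)
    contact = LOCATION_DB.get(uri)
    if contact is None:
        return build_response(404, "Not Found", headers)
    return build_response(302, "Moved Temporarily", headers, contact)


def redirect_target(response):
    """Caller side: the Contact URI from a 3xx to re-send the INVITE to,
    or None for any other final response."""
    start_line, headers, _ = parse_message(response)
    code = int(start_line.split()[1])
    if not 300 <= code < 400:
        return None
    m = re.match(r"^<([^>]+)>$", headers.get("contact", ""))
    if not m or not SIP_URI.match(m.group(1)):
        raise SipError("3xx response without a usable Contact")
    return m.group(1)


# Constructed INVITE from a customer to the shop's published support address.
INVITE = (
    "INVITE sip:support@shop.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:customer@home.example>;tag=1928301774\r\n"
    "To: <sip:support@shop.example>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Running `handle_invite(INVITE)` yields the 302 carrying the agent’s Contact, and `redirect_target` on that reply returns the URI the caller re-INVITEs.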

Using the Web to Reach Customers The rules are the same. To succeed in e-business, just as in brick-and-mortar, you need customers. And, keeping customers is vastly cheaper than getting new ones. High rates of customer retention (and the referrals that accompany happy consumers) can mean the difference between success and going back to the drawing board. The challenges that e-businesses face, however, in earning and retaining customers are different from those confronted by traditional business. A shopper who drives to the bookstore is not likely to put down the book he wants and drive to another location because of a line at the checkout stand. Someone looking for the biggest selection of CDs cannot go to 20 stores in 6 states in half an hour to check their selection. And, once you have received personal attention from someone at a store, helping you find exactly what you need, it isn’t hard to decide where to go next time. The options and flexibility of doing business online put much more control in the hands of the consumer, placing a premium on the performance, effectiveness, and reliability of an organization’s Web site. There is no one to apologize to Internet customers when the service goes down, or when an image is missing, or to explain what an error message means. And, alternatives are just a click away. For online consumers, the user experience is the most significant factor in customer retention. Customer experience comprises a range of issues, including ease-of-use, dependability, speed, as well as less quantifiable aspects of a Web site. As the Internet matures and evolves into a ubiquitous, if not preeminent, medium for business, those companies best able to monitor their Web sites and ensure a positive, rewarding customer experience will have an unparalleled advantage in the race to create and retain loyal customers.

The Shift to E-Business There is no free lunch, though, and along with the benefits of doing business in the new economy comes a new kind of customer, one with different expectations and standards by which companies are judged. Web sites must offer a consistently positive customer experience to win over consumers. Inspiring loyalty is the biggest challenge to e-businesses, and e-consumers are a tough group to win. Thus, the attraction of moving an established, traditional business to the Internet (or of starting a new, pure-play Internet business) involves a variety of factors:

• Global reach
• Higher profile
• 24 × 7 availability
• Targeted focus
• Cost savings

Global Reach A small organization no longer has to be a local organization. Anyone with Web access (in a living room in Chicago, in a log cabin in Alaska, or in a café in Bordeaux) can spend their time, and their money, at any online business.

Higher Profile A company can have a significant Web presence and profile, even with relatively modest depth and breadth to its inventory. On the Internet, a small but very efficient company can have the profile of a much larger, deep-pocketed competitor.

24 × 7 Availability E-businesses do not have to close at the end of the day. Information and services can be available any time, any day, allowing revenue to be earned without interruption.

Targeted Focus and Cost Savings Companies do not have to be all things to all consumers. Through the Internet, individual customers can get goods and services tailored to their needs. Significant savings from, among other things, streamlining inventory and distribution channels are possible in effective e-businesses.

New Medium and New Expectations Internet consumers expect e-business to be faster and more extensive, with more options and services, than brick-and-mortar alternatives. They expect their experience online to be easy, as uncomplicated as buying a newspaper or filling the car with gas. And, if they encounter any problems with the site, or have difficulty understanding how it works, or are otherwise frustrated, they know they can go somewhere else, to another Web site, and be there in no time.

Speed Wins Speed is crucial for successful e-businesses. Consumers expect Web sites to be fast. A useful starting point is the eight-second rule of thumb. The rule says that a significant number of users are unwilling to wait longer than eight seconds for a page to load or an action to be executed, and as technology improves and speeds increase, the time users will wait before leaving the site is likely to decrease. Many factors, from fundamental site architecture to network traffic at certain times of the day, affect how fast a site will function. Vital for success in any e-business is ongoing monitoring of the performance of its site, identifying cycles of usage and ranges of performance, and making necessary modifications and upgrades to ensure speed. There have been attempts to quantify the economic loss due to unacceptably slow Web page download speeds, which is one aspect of e-business customer churn. It is estimated that as much as $473 million is lost per month to customers who abandon sites out of impatience.

If It Isn’t Broken Key to the user’s experience and level of comfort in e-business is consistency. Whereas a brick-and-mortar business could not redesign the store every month, e-businesses can, and some do. The relative cost for changing the look and feel of an e-business is low, and the appeal of adding new features is a strong temptation. There is a fine line, however, between a “sticky” site, one that attracts new customers and urges old ones to return, and a site that changes so often and in such ways that customers must relearn the site. Instead of spending the extra time to deal with the hassle, they will go to the competition, the one that is fundamentally consistent in its presentation and functionality, and they will stay there.

No Experience Required Many new e-business consumers are novices not only with online transactions, but also with the Internet in general, and this complicates the issue of glitches and raises the ante for Web sites to function smoothly. A computer neophyte is less likely to understand, or have patience with, technical difficulties. A recent survey conducted by ICL, an e-business services company, indicates relatively high levels of stress and anxiety caused by computer problems for “typical” users.

• Forty-nine percent found computer problems more stressful than being stuck or delayed on public transportation.
• Seventy-nine percent found computer problems more stressful than having to spend a weekend with a spouse’s parents.
• Twenty-three percent found computer problems more stressful than being left by a partner or spouse [1].

No Web site runs perfectly 100 percent of the time, but those that are close to 100 percent (Web sites that minimize outages and are able very quickly to detect and correct problems when they do occur) have a significant advantage. Web sites that frustrate users scare them away; Web sites that consistently offer pleasant, easy experiences keep their customers.

The Often Missing Piece A less tangible but equally vital aspect to customer loyalty in e-business is trust. For consumers, participation in a typical Internet business model requires divulging personal information for registration purposes, often including sending credit card numbers to the site. Increasingly, customers are cautious when sending such information and wary about sites that they suspect may not adequately guard the privacy of their demographic and financial information. Web sites that have prolonged outages or frequent transaction failures break the chain of trust with their consumers, pushing them to other providers that instill stronger confidence and, therefore, loyalty, in their customers. To be successful, an e-business has to be:

1. Sophisticated and fast
2. Easy and consistent
3. Extremely reliable [1]

Without these, customers will click away, going to the sites that give consumers the interaction with e-business that they expect and require.

Acquisition, Retention, and Referrals Customer acquisition costs range wildly from one company to the next, but everyone understands that once a company has acquired customers, the key to maximizing revenue is keeping them.

• It is 7 to 11 times cheaper to keep a current customer than to add a new one.
• A Xerox study showed that their totally satisfied customers were 7 times more likely to make additional Xerox purchases in the subsequent 29 months than the merely satisfied.
• Companies can increase profits by almost 100% if 6% more of their customers were retained.
• Estimates show up to 91–96% of a brand’s profits come from loyal customers.
• A study by McKinsey & Co. calculates that an 11% increase in repeat customers translates to a 10.6% increase in company value.
• Bain & Co./Mainspring research shows that online grocers must keep customers for 29 months just to break even [1].

The preceding are potentially frightening data to e-business, which lives, or dies, in a medium where jumping from one Web site to another, changing brands and loyalties, is easier and faster than ever. In the realm of e-business, high rates of retention are imperative for success and even survival. Loyal customers are the best customers. People who are committed to Buick and who will not buy a car from any other manufacturer are the ideal consumers for Buick. They do not require further acquisition expenses, they will buy Buick cars for their children and recommend Buick to their friends, and they are statistically much more likely to buy up, getting newer models loaded with optional equipment. The recent boom in online loyalty reward programs demonstrates that e-business understands the lifetime value of loyal customers and is starting to shift resources to retention efforts. Many of these incentives are financial, offering repeat buyers the opportunity to earn points that can be redeemed for goods or services. Although low prices and points programs are a strong draw initially for consumers, e-consumers will, as in traditional business, grant their loyalties ultimately to those businesses that offer them the best experience, of which price is just one of several considerations. Low prices are the carrot on the stick for acquisition, but user experience and customer service are the tools of retention. Of special interest to e-business are customers gained through referrals from existing customers, as well as customers lost due to negative reactions about a particular Web site. According to a recent Bain & Co./Mainspring survey, online apparel customers referred 4 people after the initial purchase and 8 people after 11 purchases. The global reach of the Internet becomes a handicap when a consumer brings up a list of dozens of online retailers in a given industry. 
E-business consumers are generally anxious for referrals from people they trust to help guide them through the ever-growing sea of Web sites. Standard barriers to following through on a referral are absent in e-business. If a friend recommends a music store that is 45 minutes away, you might decide not to go because of the distance. Even a local store may not tempt you if you know that the parking is a nightmare or if the skies just dropped two feet of snow outside your window. When a friend recommends a Web site, you get cozy at your desk and go there. Consumer trust, discussed earlier, is a unique challenge facing e-business. Going to a brick-and-mortar store lends a sense of confidence and implicit trust that has to be earned in other ways in the context of the Internet and of doing business through a computer screen. A referral from a trusted friend or colleague is invaluable to establishing a relationship between consumers and e-businesses. Referrals also provide an exception to the high cost of acquiring new customers. Every customer who is referred to a company is “free,” or is at least a significant offset to the marketing and sales budgets for customer acquisition. Though somewhat more difficult to measure, word-of-mouth advertising is extremely important and can have a remarkable impact on a company’s bottom line.

Poor Performance and Failure E-businesses tread a thinner line than traditional businesses in efforts to attract and keep consumers. Someone who drives to a store will extend greater latitude to that shop (in terms of what the consumer likes or dislikes about the store, its selection, its layout, its service) than to a Web site. Online consumers expect speed, reliability, and broad selection. When they do not get it, they leave. All it takes to leave is typing a new Web address or following a link. For e-business, there is no dress rehearsal and often no second chance. Internet users are increasingly barraged by new sites, new services, all competing for their eyes and their dollars. When consumers find a site they like, they add a bookmark and stop hunting. And when a site does not satisfy consumers, they don’t return and they tell their friends not to go.

At issue for consumers is the tension between knowing they have more control with e-business and feeling overwhelmed by the choices, and this tension can spell disaster for an e-business that does not adequately mind its store. Often a single negative experience for a consumer means he or she will not return to that site to give that company another chance. If someone tries to buy a puzzle online and the transaction fails, there are enough other online toy retailers that this consumer need never return to the one that failed. A recent study of online shopping by the Boston Consulting Group for a 12-month period reveals unsettling statistics for e-commerce companies battling to attract and keep consumers.

• Consumers who are satisfied with their first-time online purchase spent, on average, $600 in 13 transactions; dissatisfied first-time purchasers spent $250 in 5 transactions.
• Five out of six e-consumers experienced a failed purchase; 29% of all online purchases failed.
• Twenty-four percent of online shoppers who experienced a failure stopped shopping at that site; 7% also stopped shopping at that company’s brick-and-mortar store [1].

In e-business, there are no humans to counter a negative experience. A failed transaction or a site crash is extremely difficult to qualify or explain online, leaving the consumer alone at the computer to decide if it makes more sense to try again or go elsewhere. The message is clear for any company that wants to succeed in the Internet economy: make sure the site works extremely well, and when something goes wrong, which it inevitably will, find out about it and fix it fast. When a popular Web service had a nearly-24-hour outage, the company’s CEO recognized that such an event could be disastrous, even fatal, for the company, and she or he effectively lived in the IT operations center during the crisis and the following weeks.

The new and rapidly expanding business of online securities trading offers a vivid example of the best and the worst for e-businesses. Online trading has offered unprecedented access for thousands of users to securities markets. The reach of brokerage houses has extended into demographic sectors that previously had neither the time for nor the access to securities trading, while securities markets have extended their hours, with talk of 24-hour trading on the horizon. Thousands of consumers place millions of trades at relatively low commission, filling the coffers of online trading firms. Moving the apparatus for trading to the desktop, however, has resulted in a wealth of information passing to the customer, with a corresponding shift in power away from the brokerage company. With the Internet, customers are more aware of stock prices, of transactions, and of failures. When a glitch prevents online traders from selling stock or canceling orders when the price falls, those traders lose money and can very accurately identify how much they have lost. Most of the leading Internet brokerages have suffered outages, ranging from a few minutes to several hours, and the costs to these businesses go far beyond the defection of angry customers. Online brokerages are having to compensate customers for losses suffered when trades could not be executed because of outages, and these payments are stretching into the millions of dollars for each of several leading online brokerages. Not only does an outage scare off otherwise potentially loyal customers, it forces the brokerage to write checks to unhappy customers on their way out the door.

A final significant problem facing e-businesses (at least those that are publicly traded) is the response on Wall Street to reports of prolonged service failures or customer dissatisfaction. In a market where a company that reports earnings slightly below projections can see the price of its stock tumble, word of a serious disruption of service can be crushing as investors (many of them trading online) flee and unload their stock in that company.

The price paid by e-business (in lost revenue from dissatisfied customers as well as payments made for consumer losses) from inadequate performance and significant site outages is potentially crippling, especially for pure-play Internet companies that have no other customer base or business medium to depend on. No Web site is perfect, however, and glitches are a reality in any online application. The key for e-business is to establish performance benchmarks to attract and keep customers and to minimize technical problems that make sites unavailable or prevent them from meeting necessary standards. No e-business will be successful without adequate and appropriate tools to monitor performance of its Web site and alert site operators immediately about slowdowns and failures of service.

Ensuring the Customer Experience Given the economic repercussions of a company’s inability to build and retain a base of satisfied, loyal customers, the need for effective site-monitoring applications is paramount, and a site monitor must be sophisticated enough to measure more than uptime. According to Forrester Research, only 27% of site managers look beyond uptime to specific network performance standards, and even fewer monitor transaction success rates. It is these more complex data, however (not simply whether a page is available), that give important insight into the user experience and associated rates of retention and referral. Service-level agreements (SLAs) that provide real value stipulate more than simply what percent of time a site will be up, and monitoring applications give internal operators and hosting facilities the tools they need to measure other important parameters. Identifying whether a slowdown is from an application failure or from a network bottleneck is advantageous to IT personnel trying to fix the problem.

Additionally, effective use of monitoring software can identify not only real-time glitches, but also design shortcomings. Thorough reports from monitors might show, for example, a system weakness that is responsible for transactional failures. The more quickly and accurately a problem and its cause are identified, the faster it can be fixed. Monitoring software also gives companies the data they need to make projections about future site usage and the improvements required to accommodate increased activity. Successful e-businesses can see their usage double in as little as three to six months. Understanding growth and anticipating future needs can mean the difference between recognizing the need and getting that extra server now, or waiting until increased traffic crashes the system.
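The monitoring this section calls for (measuring more than uptime, checking the eight-second rule from the Speed Wins section, tracking transaction success rates, and telling an application failure from a network problem) reduces to a small analysis over synthetic probe results. The following Python is an added example, not code from the book or from any monitoring vendor the chapter cites; the Probe record layout, the sample probe results, and the SLA thresholds are constructed assumptions.

```python
"""Site monitoring beyond uptime: the eight-second rule, transaction success
rate, and network-vs-application failure classification over synthetic probes.
Added example; not the book's code. Probe records below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import ceil
from typing import Optional

EIGHT_SECONDS = 8.0  # the rule of thumb discussed in the chapter


@dataclass(frozen=True)
class Probe:
    """One step of a scripted synthetic transaction (hypothetical schema)."""
    txn: int                      # transaction this step belongs to
    step: str                     # "home", "search" or "checkout"
    latency_s: Optional[float]    # None when no response arrived at all
    status: Optional[int]         # HTTP status, None when the connection failed
    error: Optional[str] = None   # transport-level error, e.g. "timeout"


def classify(p: Probe) -> str:
    """Classify a probe as ok / slow / network / application.

    No HTTP status means the request never reached a working server (DNS,
    connect or read timeout): a network problem.  A 4xx/5xx status means a
    server answered but the application or its content failed.
    """
    if p.status is None:
        return "network"
    if p.status >= 400:
        return "application"
    if p.latency_s is not None and p.latency_s > EIGHT_SECONDS:
        return "slow"
    return "ok"


def percentile(values, pct):
    """Nearest-rank percentile; empty input yields None."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(probes):
    """Aggregate probes into the metrics an SLA should actually stipulate."""
    kinds = Counter(classify(p) for p in probes)
    answered = [p.latency_s for p in probes if p.latency_s is not None]
    # Uptime as most site managers measure it: did a page come back at all?
    served = sum(1 for p in probes if p.status is not None and p.status < 500)
    by_txn = defaultdict(list)
    for p in probes:
        by_txn[p.txn].append(classify(p))
    # A transaction succeeds only if every step got a usable answer; a slow
    # step still counts as success here but is reported separately.
    successful = sum(1 for steps in by_txn.values()
                     if all(s in ("ok", "slow") for s in steps))
    return {
        "probes": len(probes),
        "uptime": served / len(probes),
        "p50_latency_s": percentile(answered, 50),
        "p95_latency_s": percentile(answered, 95),
        "transactions": len(by_txn),
        "transaction_success": successful / len(by_txn),
        "failures": {k: kinds.get(k, 0) for k in ("slow", "network", "application")},
    }


def sla_breaches(summary, min_uptime=0.99, max_p95_s=EIGHT_SECONDS,
                 min_txn_success=0.95):
    """Return the SLA terms the window violated (thresholds are assumptions)."""
    breaches = []
    if summary["uptime"] < min_uptime:
        breaches.append("uptime")
    if summary["p95_latency_s"] is None or summary["p95_latency_s"] > max_p95_s:
        breaches.append("p95_latency")
    if summary["transaction_success"] < min_txn_success:
        breaches.append("transaction_success")
    return breaches


# Constructed sample: six scripted checkouts, three steps each (transaction 4
# was aborted after its search step timed out).
SAMPLE = [
    Probe(1, "home", 1.2, 200), Probe(1, "search", 2.0, 200), Probe(1, "checkout", 3.1, 200),
    Probe(2, "home", 1.0, 200), Probe(2, "search", 9.5, 200), Probe(2, "checkout", 2.5, 200),
    Probe(3, "home", 1.1, 200), Probe(3, "search", 1.9, 200), Probe(3, "checkout", 0.4, 500),
    Probe(4, "home", 1.3, 200), Probe(4, "search", None, None, "timeout"),
    Probe(5, "home", 0.9, 200), Probe(5, "search", 1.8, 200), Probe(5, "checkout", 2.7, 200),
    Probe(6, "home", 1.0, 200), Probe(6, "search", 2.2, 200), Probe(6, "checkout", 0.3, 503),
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("SLA breaches:", sla_breaches(report))
```

On the constructed sample, uptime by page availability is about 82%, yet only half of the scripted transactions complete, and the one slow search step pushes the 95th-percentile latency past the eight-second mark: exactly the gap between "the site is up" and "customers can buy" that an uptime-only monitor hides. Separating network from application failures in the report is what lets operations hand the problem to the right team.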
Features and services like these (what Forrester Research calls “Transaction Management Services”) are provided through effective, sophisticated monitoring software. It is this integrated Web quality monitoring that Forrester sees as the next step to managing the total quality of Web-based business. If, as they predict, e-commerce reaches global hypergrowth by 2003, it will be those companies with effective monitoring systems already in place that are able to survive and succeed. With the preceding in mind, how do industry-leading executives perceive the use of e-commerce technology in their companies? What are the business benefits provided by transaction management systems? Should your company build and maintain its own transaction management system, or buy electronic trading network services? This next part of the chapter answers these questions and further discusses the costs, benefits, and perceptions of technologies that enable interenterprise information exchange, or what is described as the transaction management market (TMM).

[1] “E-Business Customer Retention,” © Copyright 2003 Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, CA 94089, 2003.

Benefits of the E-Commerce Market The letter “e” lost much of its language-domineering swagger with the fall of the dot-com economy. Technology marketers, journalists, and analysts now cringe at “e”-inspired products and concepts. Venture capitalists hide their money-stuffed mattresses when Silicon Valley experts drop by with business plans. Yet, electronic commerce veterans in some of the largest companies in the United States, companies such as Ford, Cisco, Wal-Mart, Procter and Gamble, McKesson, and Compaq, see opportunity in the midst of e-commerce turmoil.

Increasing Interest in Interfacing Technologies Transaction management market (TMM) technologies automate machine-to-machine information exchange between organizations. The share of IT budget dedicated to solutions that interface with customers, suppliers, and service providers is increasing. This trend is evidenced by continued demand for CRM, order management, demand forecasting, sourcing, and procurement solutions despite difficult economic conditions. And, Web services market hype provides an almost deafening statement about the value of interfacing technologies. Therefore, as economic conditions improve and as eXtensible Markup Language (XML) standards begin to reduce intersystems integration costs, there will be an increased demand for transaction management technologies. Nevertheless, although interfacing technology demand is consistent across most industry segments, the business conditions generating interest vary considerably. Ever-tightening electronic relationships between consumer packaged goods (CPG) manufacturers and larger retailers are driven by the need to accurately track and forecast demand for billions of fast-moving products through a low-margin, geographically dispersed network. High-tech manufacturers continue to invest in interfacing technologies to regain some of the control relinquished with business process outsourcing contracts. Cash-strapped wholesalers invest in any technology, including TMM solutions, that can reduce the order to cash cycle. Despite differing business concerns, interest in technologies that improve interbusiness process efficiency is high.

Demand Analysis TMM technology interest is strong, but demand is constrained. Interest is driven by a number of market dynamics including:

• Transaction management systems meet many of the investment conditions that gain significance in a slow-growth economy.
• The technology provides a clear and calculable return on investment (ROI), is amenable to incremental deployment, and helps control costs.
• TMM investment is becoming more compelling as innovative deployments enabling VMI, After Tax Profit (ATP), contract manufacturing, and demand planning gain attention and generate competitive pressure.
• Machine-to-machine communication costs are falling as process standards from organizations like RosettaNet, OAG, and CIDX develop, and as technology standards like J2EE, SOAP, AS1/AS2, and WSDL gain popularity [2].

However, strong market forces continue to inhibit new TMM investment. Important inhibitors include:

• Economic uncertainty continues to limit capital resource availability and risk tolerance.
• Standards are immature. Lack of standards correlates to high incremental e-commerce deployment cost.
• The entry cost for innovative, multienterprise solutions remains high. Entry costs are driven by change management and experience development needs, not by technology product costs.
• Web services and XML marketing hype generates interest and uncertainty in near equal doses.
• E-marketplace failures continue to haunt many large organizations and inhibit TMM investment [2].

Drivers of Change Several important technology developments are driving change in the TMM market. First and foremost is the emergence of the Internet as an effective, low-cost means of transporting mission-critical business information between systems. Although the Internet alone does not provide the network quality of service (QoS) demanded for mission-critical data communications, software and service providers have built solutions on top of this nearly free transport network. Data transport cost declines have fundamentally altered the way companies interact.

The second major force of change in the TMM market is the emergence of new technology standards, such as Java™, XML, and Web services. Overcoming communication barriers, which come in many forms, is often expensive. Java, XML, and other technology standards remove a number of machine-to-machine communication barriers and reduce partner integration costs. Falling integration costs will affect the TMM market in two ways: first, the addressable market for TMM solutions will continue to expand as solution price points fall into ranges acceptable to small and midsized businesses. Second, reducing the cost and complexity involved in deploying and maintaining a TMM system will release corporate resources to other higher-value automation efforts. Many experienced users that bought TMM solutions to control order processing costs have since evolved their systems to manage a demand forecasting process, complex pricing data, and Just-in-Time (JIT) inventory strategies.

TMM Business Benefits TMM solutions provide organizations with the ability to effectively process heavy order volumes and with the ability to better manage very close, codependent partner relations. Most TMM deployments address one or both of these business objectives. Now, let’s look at how companies can use TMM technology to process millions of orders a week with just a few support staff. Others may move a few files a day, but the information in those files affects millions of dollars of production costs. For example (according to a recent study by the Yankee Group), Figure 1.1 summarizes values that are delivered by TMM technologies [2].

Processing Heavy Order Volumes TMM solutions can quickly and accurately process thousands, even millions, of orders a week. Consumer packaged goods manufacturers, apparel manufacturers, retailers, wholesalers, and companies in similar industries manage high order volumes for fast-moving, made-to-stock products. In industries such as pharmaceuticals, health products, and electronic components, where both order volumes and per-SKU prices are high, fast and accurate order processing is essential to staying in business. Companies facing these conditions leverage TMM technology to scale business without scaling operational costs. Combining on-site translation software with electronic trading network service has proven a very effective means of managing order volume growth without scaling order processing head count. By working with a network service provider, transaction volume growth (and related corporate expansion) is not encumbered by technology skill and staff development needs. It is difficult to compare manual and automated order processing costs. The comparison would be interesting, but is not necessary. In a high-growth, heavy order volume industry, TMM technology is not a cost-savings option, but a business requirement. Therefore, despite TMM’s mission-critical nature in heavy order volume industries, many companies cite innovative forecasting, direct shipment, and customer service capabilities as the most significant advantage their organizations gain from TMM service usage today.

Managing Codependent Relationships and Complex Products In industries with less demanding order volumes, but more complicated products and relationships, transaction management systems are used for equally valuable but very different business reasons. In the high-tech, automotive, and chemicals manufacturing industries, products are complex, highly engineered, and often expensive. Companies in these industries are highly dependent on partners to produce high-value, highly complex products. In these industries and others, dependencies are becoming stronger and products are becoming more complex. TMM systems support codependent relationships, allowing companies to play an effective role in complex production processes. Companies using TMM technology to manage codependent relations move complex products through the supply chain, and require robust process management capabilities and timely access to information. Developing a JIT inventory management program demands near-real-time information exchange and complex business rules management. Providing a single available-to-promise date for a solution bundle, including multiple vendor products, requires similar functional capabilities.

Best Practices Today, companies are extending, or planning to extend, their TMM systems into interesting new business automation scenarios. Several of these best-practice examples are described next.

Speed and Competitive Advantage Speeding business processes and improving customer service to gain competitive advantage is not cheap. A company could spend nearly $5 million annually to support its machine-to-machine order processing system. But, business benefits and competitive distinction greatly outweigh the costs of the system. For example, in the food-and-beverage industry, paper and mail are slow. Money makes money. Anything that slows down money or products costs money. Companies usually tackle banking communications first to speed the processing of thousands of small monthly order volumes. Most companies usually tackle logistics management challenges next, which is followed by an incremental deployment with a supplier connectivity solution. In addition, most companies claim to have achieved a positive ROI in less than 12 months after going live with the banking stage of their implementation.

Managing Outsourced Business Relationships Most high-tech companies shift their business strategies as the economy begins to slow. With cost control pressures mounting and shareholders demanding improved returns, the companies choose to outsource production and certain support services to contract manufacturers (CMs). To support the outsourcing strategy, the firms identify and implement TMM technology. The solution manages the mission-critical information flowing between a company and its new CM partners. A system could cost less than $400,000 to deploy (including hardware, software, and services). Ongoing costs run approximately $230,000 annually. It is difficult to measure the value a solution provides a company, but an outsourcing business strategy would not be possible without the TMM solution. Because of difficult economic conditions and financial turmoil in the industry it services, firms have limited visibility into future demand. Companies expect demand to increase as the economy recovers. Their new CM relationships should allow them to react rapidly to changing demand and avoid losing sales through lack of production capability.

Expansion Strategy Support Companies are using TMM technology to support complex operational strategies, as displayed in Figure 1.2 [2]. The role of TMM technology will continue to expand as costs fall, as standards develop, and as innovative best-practice use cases emerge from the fog of the current recession.

The Service Provider Advantage Value added network (VAN) service charges have gained an onerous reputation since the emergence of the Internet as a corporate communications tool. The idea of charging per-transaction fees to move data across a network (which is how VAN service charges accrue) riles free-spirited Internet enthusiasts. But the Internet’s greatest strength (ubiquity) is also its fatal flaw. The last thing a company wants is ubiquitous access to its data traffic, nor are companies interested in the lack of control inherent in a ubiquitously managed network. Absent the addition of robust technology, the Internet is insecure, unreliable, and unworthy of mission-critical corporate data. VAN service providers offer subscription-based technology services that meet corporate data communication needs. VANs ensure that data gets from point A to point B securely, reliably, and with an audit trail. Companies pay usage-based subscription charges for access to VAN bandwidth. Accessing network QoS functionality from a third party also helps separate business objectives from technology plumbing. Companies interested in deepening partner collaboration or automating more complex business processes are faced with a myriad of business challenges. One-time partners become next-project competitors. Partners are contracted to ship to a production plan, regardless of the status provided by a real-time system. Processes, which vary by both company and division, need to be reviewed and aligned. Obstacles abound in a value chain integration scenario. VAN and electronic trading network service providers remove the interenterprise communication obstacle, allowing staff to focus on business, not technology problems.

TMM Costs It is expensive to build and maintain a TMM system. The business benefits can be impressive. Ongoing costs are more easily captured and measured. The average annual cost to operate a TMM solution is a hefty $2.05 million. Average annual VAN cost is approximately $650,000 per year, and the average annual internal operational cost (business and IT support and management labor) totals $2.5 million. These figures capture the bulk of ongoing costs associated with operating a TMM solution. Software maintenance costs, which were difficult to capture, are not usually included in this cost assessment. As the $2 million per year in operational costs indicates, TMM systems are expensive to run. When considered as a percentage of IT budget or total revenue, the figures are much less daunting. When considering the business strategies TMM systems support, operational costs are well within acceptable ROI and total cost of ownership (TCO) calculation boundaries.

Finally, let’s look at possible roadblocks to e-commerce. Is e-commerce alive and well and feeling fine? Recently, e-commerce has been associated with some fairly humiliating phrases: “dot gone” and “dot bomb” being just two of them. At times, e-commerce has become almost worthy of a snicker when the term comes up in conversation, and lately it’s hard to open a newspaper without reading about “pink slip parties,” which former dot-com employees attend to network, write resumes (which they didn’t need during the venture capital boom), learn that flip-flops and cutoff jeans are not appropriate work attire in the real world and, finally, come to accept that the fairy-tale employment they have experienced in recent years has disappeared as spectacularly as Cinderella’s royal ball accessories at midnight.

Roadblocks to E-Commerce From the sounds of the media, you would think that e-commerce was a post-Armageddon landscape. That must be why eBay experienced a 260% growth in 2002.

Want to know a secret? Total e-commerce sales have been predicted to grow somewhere in the area of 60% in 2003. A study by the National Association of Purchasing Management and Forrester Research indicates that business-to-business e-commerce is still in its infancy, with nearly unlimited potential to grow. A recent survey conducted by both organizations revealed that 95 percent of companies polled indicated they would be moving forward to implement e-procurement sometime in 2003. This growth is modest compared to what’s happening offshore. Boston Consulting Group recently reported that Asian e-commerce continues to triple annually.

With the preceding in mind, e-business has taken a major hit to the collective solar plexus. Amazon seems to be hanging on moderately well, though probably not flourishing. It is generally acknowledged that the implosion of many players on the e-commerce stage, most notably the ones headed by 24-year-old CEOs, has enabled the companies left standing to reap more profits due to Web-enabled natural selection.

Old Dogs Have Learned New Tricks

Research firm McKinsey & Company recently unearthed a fascinating statistic: 86 percent of the most successful e-tailers are online channels of existing, established brick-and-mortar companies. Someone a long time ago put forth the radical theory that a company needs a business plan to survive in the long term. Web-based companies slapped together on a Saturday afternoon in someone’s home office are not likely to have as sound business plans as a company such as Eddie Bauer that has been around for generations. In 1998, the retail giants were laughed at for their hesitant and puny efforts to join the e-commerce party. Today, they are the ones left standing. It’s obvious that there’s a lesson to be learned from that. Here’s another interesting trend. In the days of yore (1999 to 2000), many Internet-savvy consumers indicated that when it came to shopping for larger ticket items, such as audio, video, and computers, they would do their research online before heading down to a large electronics superstore such as Circuit City to make a purchase. Today, many people have taken to wandering the aisles of the large electronics stores to see and touch items, and then return home to make their purchases from online electronics e-tailers. Why not? Online return policies have improved about 2,000 percent since the early days of e-commerce and in many instances, there is no sales tax on items purchased from e-tailers. Not to mention the fact that buying online enables you to spend the time you would have dedicated to getting to the mall on some vital task such as sleeping late or reminding yourself what your family looks like.

Trying Not to Antagonize Your Customers Helps Immensely

E-commerce companies that continue to grow seem to be the ones that better understand CRM and what it means to their firms. There’s no question that purchasing over the Internet is as popular as ever and will continue to grow. What many e-tailers didn’t foresee is that the Internet business model enables customers to be fantastically fickle, and all it takes is one misstep to lose a customer forever. Good self-service is worth its weight in diamonds, but it should never entirely replace human interaction. As a result, it becomes fairly safe to conclude that the e-businesses still standing today are the ones that screwed up CRM the least. The survivors have another thing in common: easily navigable Web sites. Remember some of the disastrous Web sites that first appeared in 1997 and 1998? The designers sacrificed ease-of-use for art and profundity, with the result that many potential buyers arrived on the site, admiringly commented, “Ooooh, pretty,” and logged off to find a site that was easier to use. Part and parcel of ease-of-use is a friendly and comprehensive search engine, and this is another element you will find on the sites of the little e-tailers who could. Search engines driven by natural language processing are rapidly gaining in popularity because they allow shoppers to pose questions in much the same manner they would to a live store representative, for instance, “Compare brands of digital cameras in the midprice range.” Not only do searches conducted with natural language processing help the customer, but the technology can also help the e-tailer understand what its customers want and how they want it.

Privacy, Please

Yet another element that has helped some e-tailers remain strong is the issue of privacy. Many companies with Web channels have had some decisions to make recently: collect customer data and e-mail addresses and sell the information for a price to boost sagging profits, or prominently reassure customers that their information is private and will remain so in the future? The former choice represents a short-term fix and the latter choice is the ticket to the long-term payoff. Many companies that sold customer data from the get-go or made a decision later to sell information seemed to think that their activities would not be noticed, or that the average consumer wouldn’t care if they received a few extra spams brought on by the sale of their personal information. This was a serious miscalculation. In a crowded information age of little free time and space to breathe, most consumers are becoming rabidly protective of the little privacy they have. More importantly, e-tailers and Web marketers that chose to collect information from children not only earned the ire of parents, they began to draw fire from federal and state regulators. Finally, the vast majority of companies that made a go at succeeding in e-commerce only to fail a year or two later are like kids who begin playing with a complex toy and give up in a huff when they can’t operate the toy because they didn’t read the instructions. All’s well that ends well. The toy becomes available to the kid who values it and knows how to use it. [2]

[2] “E-Business Evolution: Transaction Management Costs, Benefits, and Market Development,” © 2002 Yankee Group, 31 St. James Avenue, Boston, Massachusetts 02116 [Sterling Commerce, 4600 Lakehurst Court, Dublin, OH 43016-2000, USA], 2002.

Summary

In a remarkably short time, the Internet has grown from a quirky playground into a vital, sophisticated medium for business, and as the Web evolves further, the threshold for conducting successful business online will move increasingly higher. Online consumers are flooding to the Internet, and they come with very high expectations and a degree of control that they did not have with traditional brick-and-mortar companies. Businesses, too, are rushing to join the Internet revolution, and new, viable competitors are emerging in all industries. The enticement of doing business online must be tempered by the understanding that when the dust settles, a significant percentage of e-businesses will have failed. The ones that succeed will be those that are able to deliver a satisfying and consistent customer experience online, building brand loyalty and guaranteeing high rates of customer retention. Although customer experience includes intangible, nonquantifiable aspects, it also includes a wide range of entirely measurable Web site elements. It is necessary for any organization wanting to succeed in e-business to define a broad spectrum of performance parameters, establishing benchmarks for speed, reliability, availability, and accuracy, and to monitor all of those parameters. Nothing works perfectly all the time, and the spoils will go to those e-businesses that constantly and efficiently monitor their Web sites, immediately identifying any glitches that do occur and fixing them promptly. Moving forward, all businesses will be affected by the global move to electronic commerce. Business operations will change, and new processes will be created. Companies that start learning in this new environment today will be leaders in the future. Furthermore, as future technologies are developed, the Session Initiation Protocol (SIP) will continue to play a pivotal role in the adoption of multimedia e-commerce.
SIP’s simplicity, easy integration, and extensive interoperability ensure its longevity as the preferred multimedia platform. In fact, SIP pundits speculate that it will pave the way for carriers to roll out the innovative voice services only possible with IP. These services most likely will include Web integration to simplify follow-me services, call conferencing, and ways for users to speak with a live agent just by clicking a Web site button. Although the road ahead looks clear, there are potential obstacles to the wide-scale adoption of multimedia e-commerce. Users will need new or upgraded equipment to take advantage of SIP technology. Incorporation of SIP into operating systems and in preconfigured PCs will take some time. Some movement is being seen in this area, however, with Microsoft® and a number of the third generation (3G) wireless associations adopting SIP as the protocol of choice.[7]

Note: Third generation (3G) is an International Telecommunication Union (ITU) specification for the third generation (analog cellular was the first generation, and digital Personal Communications Service [PCS] was the second) of mobile communications technology.

With the help of SIP, Voice over IP (VoIP) e-commerce has the potential to change the habits of users by enhancing the way they conduct business communication and transactions over the Internet. As SIP facilitates and completes the integration of communications on the Web, much innovation lies ahead. So, despite difficult economic conditions and negative sentiment resulting from the e-marketplace catastrophe, much is happening in the e-business world. Nearly every company involved in e-business has expressed interest in improving machine-to-machine communication with customers, suppliers, or service providers. The majority (approximately 74%) increased their e-commerce technology budget in 2003 compared to 2002; and, despite difficult economic times and contracting IT budgets, half of the e-business companies expect the transaction management market (TMM) budget to increase in 2003 compared to 2002. Java, XML, and related standards are changing the nature of machine-to-machine communication. These technologies are driving down integration costs and improving integration flexibility. As economic conditions improve, these factors will drive increased spending on technologies that interface with the external business ecosystem. Furthermore, transaction management systems support a wide range of innovative business strategies. Many companies are extending EDI systems to manage more complex interbusiness automation scenarios. Others are rethinking e-commerce strategies and exploring new intercompany transaction cost/benefit scenarios. This trend toward complex interbusiness process automation and transaction management will accelerate as IT budgets expand and Java and XML technologies mature. Electronic trading network service providers deliver an important and often misrepresented value proposition to an e-commerce solution.
Security, reliability, and nonrepudiation are foundational requirements for effective interenterprise solutions. Most transaction management technology users are not in the business of building and operating secure, reliable, auditable data communications networks. Outsourcing these data communication requirements to a third-party service provider can be an effective way to scale transaction volumes without scaling operation costs, and to avoid plunging valuable business executives into the integration technology morass. Consistent with the buy low and sell high mantra, now is the time to develop and, if possible, execute e-business strategy. The following e-business actions are recommended for companies interested in automating partner information flow:

• Develop the business case for TMM technology use.
• Leverage existing investments.
• Take advantage of technology change.

Developing the Business Case for TMM Technology Use

You should define business objectives and understand technology capability and limitations relative to automation opportunities. EDI deployments are often driven by very basic cost-savings arguments or by brute-force customer requirements. TMM systems are capable of managing much more than the purchase order and invoice exchange process. You should understand your customer (and supply) base and how you can leverage TMM technology to take advantage of these relationships.

Leveraging Existing Investments

Exploring the ways existing systems interoperate can reap significant benefits. For example, you could use a content management vendor’s workflow engine to automate processes across both Web site and EDI assets. You should be able to streamline exception management across multiple platforms. You should also be able to provide consistent information to partners, regardless of the partner’s means of access (browsers or machine interface). Systems synergies and cost-savings opportunities abound in the TMM market.

Taking Advantage of Technology Change

Finally, the costs and capabilities of TMM technologies are changing rapidly. Understanding the implications of changing conditions will help organizations make wise decisions today, without creating cost of ownership nightmares for tomorrow. It is also important to understand how individual vendors are reacting to changing conditions. Can a vendor support your architectural strategy and your Web service plans? And if so, how willing will the vendor be to negotiate price to move a new e-business product in a down economy? Well-researched answers to these questions can speed ROI and reduce implementation complexity.

[7] Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne Media, 2001.

Chapter 2: Types of E-Commerce Technology

“Peace, commerce, and honest friendship with all nations; entangling alliances with none.”

—Thomas Jefferson (1743–1826)

The global economy may have faltered in 2002, but advances in e-commerce technology continue to transform personal communication and global business at an astounding pace. Although these advances promise to bring a substantial percentage of the world’s population online in the next five years, they also present significant challenges to industry and policymakers alike. According to NUA Internet Surveys (http://www.nua.ie/surveys/), over 620 million people worldwide are linked to the Internet. Experts predict that global Internet usage will nearly triple between 2003 and 2006, making e-commerce an ever more significant factor in the global economy. Estimates suggest that by 2009, some 47 percent of all business-to-business (B2B) commerce will be conducted online.

E-Commerce Technology

With the preceding in mind, the dynamic nature of the new economy, and particularly the Internet, calls for decision makers to develop policies that stimulate growth and advance consumer interests. But, in order to create the foundation for the rapid growth of e-commerce, enterprises must adopt effective e-commerce technology policies that embrace the following four crucial principles:

• Strong intellectual property protection: Innovation drives e-commerce technology, and rewarding creativity fosters innovation. Thus, strong copyright, patent, and other forms of intellectual property protection are key to invigorating the information economy.
• Online trust (security and privacy): Without consumer confidence in the safety, security, and privacy of information in cyberspace, there will be no e-commerce and no growth. Protecting information and communications on the Internet is an absolute prerequisite to the continued success of the Internet and the information economy[4].
• Free and open international trade: Closed markets and discriminatory treatment will stifle e-business. The Internet is a global medium, and the rules of the information economy must reflect that fact. Only in an open, free market will the Internet’s potential be realized.
• Investing in an e-commerce technology infrastructure: Supporting the physical infrastructure necessary to deliver digital content (primarily through telecommunications deregulation and government efforts to reduce the digital divide) is vital to spurring technological growth[3].

Strong Intellectual Property Protection

For hundreds of years, protection of creative material has given authors and other innovators powerful incentives to develop and distribute exciting new products. Throughout, respect for private property (whether in its tangible or intellectual form) has been a core value of market-driven economies. In the information economy, such protection is even more vital, because the core currency of the Internet is nearly exclusively intellectual property. Today, software developers and other authors of creative works depend on the rights granted by copyright laws to develop new, more functional, and more powerful products. Overall, U.S. copyright-based industries (particularly the software, film, music, and publishing industries) are among the fastest growing segments of the American economy. Of those industries dependent on copyright for their business models, the high-tech industries comprise an ever-growing share, particularly those creating software and hardware products. Industry leaders estimate that, within five years, an astonishing two thirds of software sales will be conducted over the Internet. Furthermore, one third of all software exports from the United States will be distributed electronically. Failure to properly protect this vital intellectual currency means its value will evaporate and the global economy will suffer greatly.

Copyright in the Internet Age

Digital piracy (the online theft of creative property) poses one of the single greatest threats to the success of the information economy. It undermines the confidence that creators and consumers place in their commercial interactions over networks. The very nature of the online world that makes it so attractive in the marketplace also renders the work of copyright violators easier. Now that unlimited, flawless copies of creative works in digital form can be made and distributed globally in a matter of seconds, intellectual property on the Internet can be at great risk. Internet piracy is real, acute, and growing, demanding strong protections in the digital arena.

Software Piracy Is the Industry’s Most Serious Problem

Piracy is the most significant problem facing the software industry globally. Every day, pirates steal millions of copies of copyrighted computer programs. Some of these are stolen by users making illegal copies personally, others by professional counterfeiting, and still others via illicit sales or auctions on the Internet. For example, International Planning and Research (IPR; http://www.iprnet.com/) recently found that 48 percent of all software loaded onto computers globally in 2002 was pirated. In many countries, the piracy rate exceeds 80 percent. The resulting economic losses, according to IPR, were staggering: over $23 billion lost internationally, with $4.3 billion attributable to piracy in the United States alone.

Caution: URLs are liable to change without notice!

Widespread software theft harms not only America’s leading e-commerce technology developers, but also its consumers. They risk purchasing defective, counterfeit products and losing the benefits enjoyed by purchasers of legitimate software, such as customer support and product upgrades. But, the economic impact of software piracy extends far beyond the confines of the software industry and its consumers. Piracy distorts e-commerce technology economies worldwide by robbing governments of legitimate tax revenues and citizens of badly needed jobs. A recent study by PricewaterhouseCoopers (http://www.pwcglobal.com/) found that software piracy cost the U.S. economy over 200,000 jobs, more than $5 billion in lost wages, and nearly $2 billion in foregone tax revenues. The study concluded that, by 2009, these losses would grow to 286,000 jobs, $8.4 billion in lost wages, and $2.7 billion in lost tax revenues. Conversely, PricewaterhouseCoopers concluded that reducing piracy could produce at least two million additional jobs and nearly $36 billion in additional government revenues worldwide by 2006.

Governments Must Combat Copyright Theft

Stemming these massive losses requires a concerted, multifaceted effort to combat the theft of copyrighted material. Although technological measures to fight piracy and increased public education about copyright are essential, the key to copyright protection lies in governments worldwide adopting and vigorously enforcing strong laws prohibiting this theft.

Copyright Laws Must Be Enforced

Strong words in a statute are not enough. These laws must be backed by vigorous enforcement by governments and must allow private parties to pursue fast and inexpensive remedies when their rights have been infringed. Strong copyright protection includes:

• Deterrent civil and criminal penalties.
• Sustained criminal enforcement.
• Copyright-related law enforcement efforts must be funded sufficiently.
• Court-ordered and court-appointed piracy inspections must be available.

Deterrent Civil and Criminal Penalties

Effective copyright laws must provide strong civil remedies, including permanent injunctions against further infringement, the seizure of illegal software (and articles used to defeat copyright protection), compensation, and fines. They must also provide for minimum criminal penalties when piracy is committed knowingly and for commercial purposes or to satisfy the internal demands of a business or other entity. In the United States, both criminal penalties and civil remedies are available and, increasingly, other countries are adopting similar legal models.

Sustained Criminal Enforcement

Sustained criminal enforcement is absolutely necessary in order to deter piracy and send the message that piracy is a serious crime with serious consequences. In the United States, the No Electronic Theft (NET) Act enables law enforcement officials to prosecute individuals who steal software by distributing it over the Internet, even if they do not profit economically from their activities. The NET Act has proven to be an effective antipiracy tool and has resulted in numerous convictions. In countries where such laws do not exist, however, customs and other governmental agencies must vigorously investigate and enforce traditional copyright laws as a first step toward addressing Internet-based piracy.

Copyright-Related Law Enforcement Efforts Must Be Funded Sufficiently

Despite the very real economic damage caused by software piracy, copyright enforcement actions too often are forced to take a back seat to other criminal prosecutions. For authorities to make a real dent in copyright crimes, governments must provide adequate funding and explicit direction to those agencies responsible for copyright enforcement.

Court-Ordered and Court-Appointed Piracy Inspections Must Be Available

Given even minimal warning, a pirate can swiftly and easily eliminate evidence of software theft with the touch of a button. As a result, the prosecution of software piracy, whether in civil or criminal contexts, requires court-ordered inspections without advance notice to the suspected software pirate (as required under the Agreement on Trade-Related Aspects of Intellectual Property Rights [TRIPS]). To ensure fairness, such searches should be court-supervised, with court-appointed experts being permitted to search and inspect for the suspected piracy.

The WIPO Copyright Treaties Must Be Implemented

With the Internet, copyright theft has become a global phenomenon. The World Intellectual Property Organization (WIPO) recognized that fact when it adopted “digital” copyright treaties to create an international legal standard, covering online intellectual property. Now, the nations of the world must ratify them. The treaties were designed to promote online commerce by ensuring that authors are able to determine how their works are sold and distributed online. The WIPO treaties reinforce the fact that copyright protects all copies of a work, whether they are considered “permanent” or “temporary,” “tangible” or “digital.” The treaties also ensure that authors retain the right to determine the point at which their copyrighted works are placed on the Internet, in the same way that authors determine the locations at which tangible copies of their works may be distributed.

The WIPO treaties also recognize that, to protect intellectual property from theft, owners need to employ e-commerce technology that guards against unauthorized access and copying. Because such e-commerce technology-based protections are an extremely effective means to prevent theft, the treaties recognize that attempts by pirates to break these technical defenses must be outlawed. Because many international copyright laws do not specifically protect creative materials distributed over the Internet, global adoption of these treaties is essential to promoting the safe and legal growth of Internet commerce. Under the treaties’ own provisions, 30 countries had to ratify each treaty before it could enter into force, and its obligations bind the countries that have ratified it. To date, over 36 countries have taken this step.

Governments Must Lead By Example

Governments are among the largest purchasers of computer-related services and equipment the world over. Not surprisingly then, many governments internationally have taken the important step of directing their public administrations to effectively manage software resources. High-profile government software management policies have been issued in the People’s Republic of China, Spain, Taiwan, Ireland, Colombia, Jordan, Thailand, the Czech Republic, and Paraguay, among other nations. A number of other governments are drafting similar policies, which have served as a catalyst for enhancing software protection in both the public and private sectors in those nations. For example, in 1998, the United States issued an Executive Order requiring U.S. government agencies and contractors to effectively manage their software resources and, in so doing, to use only legal, licensed software. Several U.S. states, including California and Nevada, issued similar orders applicable to state government agencies and related entities. These policies have had a powerful impact on the health of the software industry in the United States and, importantly, have set the tone for proper software management practices in America’s private sector.

Online Trust: Security and Privacy

In the aftermath of the tragic events of September 11, 2001, individuals, companies, and governments have all focused attention on the issues of safety and security. Much of that attention has fallen on the Internet, as it has emerged as a vital information and economic link throughout the world[4]. The continued success of the Internet is, in many ways, dependent upon the trust that individuals, businesses, and governments place in it. For that trust to exist, user information transmitted over computer networks must be safe from thieves, hackers, and others who would gain access to and make use of sensitive information without permission. Consumers have repeatedly shown they will not conclude commercial transactions over the Internet unless they are confident of the security and privacy[4] of their personal information. Recent surveys by GartnerG2 (http://www.gartnerg2.com/site/default.asp) and BusinessWeek/Harris (http://www.adinfo.businessweek.com/magazine/content/0205/b3768008.htm) suggest that 75% of U.S. Internet users fear going online for this reason, and that 70% of those who are already online harbor concerns about privacy that keep them from transacting commerce on the Internet. Yet, even as concerns about these vital issues proliferate, no single solution can suffice. Consider privacy[4], where consumer expectations vary considerably, based on a number of factors. Privacy expectations for a voluntary, online commercial transaction are very different from those that accompany a demand by a government entity. The key difference is choice. When an individual is required by law to submit his Social Security number or tax return to a government entity, that information should receive greater protection than that disclosed in a private business transaction. In the latter case, an individual is free to choose the online entity whose privacy policies match his needs. When consumers “vote with their feet,” businesses quickly take notice. For e-commerce to flourish, businesses also need to provide personalized products and services so that consumers get what they want without suffering “information overload.” Knowing this, successful e-business marketers must gather information about the wants and needs of their customers in the same way as traditional marketers. Policymakers also must remember that online “trust” encompasses two distinct concepts: security, so that an individual’s private information will not be obtained through illegal hacking, and confidence that the private information collected for one transaction will not be used in ways the information provider did not anticipate or expect.

Protecting the Security of Information

The first and best line of defense against unwarranted intrusions into personal privacy is for individuals to employ e-commerce technology to protect themselves. Industry-developed and supplied encryption technologies and firewalls, for example, provide individuals with substantial tools to guard against unwarranted intrusions. Encryption is technology, in either hardware or software form, that scrambles e-mail, database information, and other computer data to keep them private. Using well-studied mathematical algorithms, modern encryption technology makes it possible to protect sensitive information with an electronic lock that bars thieves, hackers, and industrial spies; the strength of that lock rests on keeping the key secret, not on keeping the algorithm secret. In light of the recent tragic events of 9-11, security in all its forms (including security against cyber intrusion and attack) is more important than ever. Strong encryption technology plays a key role in such security, helping individuals, businesses, and governments protect sensitive or personal information against willful or malicious theft. Not surprisingly, then, nations have increasingly adopted policies that encourage the widespread availability of encryption tools for consumers. At the same time, they have successfully worked to permit law enforcement to access encrypted communications in certain critical instances, while rejecting calls for encryption products to be undermined through the building of “back-door” government keys.

A firewall is essentially a filter that controls access from the Internet into a computer network, blocking the entry of communications or files that are unauthorized or potentially harmful. By controlling Internet “traffic” in a network, firewalls protect individuals and organizations against unwanted intrusions with little effect on the performance of the computer or network. They also keep an intrusion into one part of a network from causing damage to other parts, thereby helping to prevent large-scale system shutdowns brought on by cyber attacks. Not surprisingly, then, firewalls have become a key component of computer systems today, and their architecture comprises some of the most state-of-the-art e-commerce technology available in today’s marketplace.

But, computer security, or cyber security, is more than encryption, and it requires more than a one-time fix. It is an ongoing process requiring the adoption of strong security policies; the deployment of proven cyber security software and appliances (such as antivirus, firewalls, intrusion detection, public key infrastructure [PKI], and vulnerability management, as well as encryption); and, in the case of larger organizations, the existence of trained security professionals. These professionals, in turn, must be continually retrained in order to ensure that they are able to address and combat the evolving nature of cyber threats. Strong security tools alone, however, cannot protect users against threats in each and every instance. Dedicated hackers and criminals will always seek new ways of circumventing even the most effective security technologies. That is why it is critical that strong laws be put in place to deter such activities. In particular, where needed, laws should make it illegal to defeat, hack, or interfere with computer security measures, and penalties for these crimes should be substantial. As is the case with copyright laws, however, strong words in a statute are not enough. Effective antihacking and computer security laws must:

• Provide deterrent civil and criminal penalties.
• Be backed by vigorous enforcement by governments (including through adequate funding of such enforcement).
• Allow private parties to pursue fast and inexpensive remedies when their cyber security has been illegally breached[3].

Although the government should create a strong legal framework against cyber crime, it should not intervene in the marketplace and pick e-commerce technology “winners” by prescribing arbitrary standards in the security field. Such intervention would do little more than freeze technological development and limit consumer choice. Instead, the development and deployment of security tools should be determined by technological advances, marketplace forces, and individual needs, and should be free of regulation.
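The firewall described above, a filter that admits only authorized traffic and keeps an intrusion in one part of the network from reaching other parts, can be illustrated with a small packet filter. The following Python is an added example, not code from the book or from any product it discusses; the address plan (a DMZ at 203.0.113.0/24 holding a public web server, an internal network at 10.0.0.0/8) and the sample packets are constructed for the illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # None matches any port
    proto: Optional[str]   # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed address plan (assumption): the DMZ holds the public web server,
# everything in 10.0.0.0/8 is the internal network.
DMZ_WEB = "203.0.113.10/32"
DMZ = "203.0.113.0/24"
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# Rules are evaluated top to bottom; the first match decides.
RULES = [
    Rule("allow", ANY, DMZ_WEB, 443, "tcp"),   # the Internet may reach the web server on HTTPS only
    Rule("deny", DMZ, INTERNAL, None, None),   # a compromised DMZ host cannot open connections inward
    Rule("allow", INTERNAL, ANY, None, None),  # internal hosts may initiate outbound connections
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return "allow" or "deny"; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic, one packet per case the rule set is meant to handle.
SAMPLE_PACKETS = {
    "internet_to_web_https": Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),
    "internet_to_web_ssh":   Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),
    "dmz_to_internal_smb":   Packet("203.0.113.10", "10.0.0.5", 445, "tcp"),
    "internal_to_internet":  Packet("10.0.0.5", "198.51.100.7", 443, "tcp"),
    "internet_to_internal":  Packet("198.51.100.7", "10.0.0.5", 3389, "tcp"),
}


def audit(packets=SAMPLE_PACKETS) -> dict:
    """Evaluate every sample packet and return the decision for each."""
    return {name: filter_packet(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in audit().items():
        print(f"{name:24s} {decision}")
```

Two design points carry the weight here: the final `return "deny"` means that anything the administrator did not explicitly permit is dropped, and the DMZ-to-internal deny rule is what limits an intrusion of the web server to the DMZ rather than the whole network. Because the first match wins, the order of the rules is part of the policy; a permissive rule placed above a deny silently reopens what the deny was meant to close.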

Empowering Individuals to Manage Their Personal Information

In the private sector, all parties to any transaction should have the discretion to voluntarily choose the terms of an information exchange. The choice should be informed; both parties should clearly understand the information to be exchanged and what will be done with it. The choice will then be based on the reasonable expectations of the parties regarding a specific transaction. There likely will be fewer expectations about privacy accompanying the online purchase of a newspaper subscription, than the purchase of prescription medicines, for example. The choices of both consumers and businesses should be respected, and the private sector should be given the latitude to develop and implement effective privacy policies to meet customer demands. Marketplace-developed measures are far more likely than government regulations to meet the expectations of individuals and promote the development of online commerce. The role of policy in this area should be aimed at ensuring that:

• Industry self-regulation of privacy practices continues, including giving notice to customers of these practices.
• Consumers have the option to prevent information from being gathered from them or used for a different purpose (opt-out), rather than requiring their specific permission for the information to be gathered (opt-in).
• There is predictability and certainty in interstate Internet-based commerce that allows the marketplace to function efficiently, rather than multiple state laws that will complicate, and thus chill, commerce.
• Hackers face stiff criminal penalties for stealing information or impeding its online movement.
• Law enforcers are fully funded, staffed, equipped, and trained to fight cyber crime.
• The government should lead by example by implementing strong security tools in its own systems, including Internet security solutions in its electronic operations.
• Enhanced basic research and development on security technologies is appropriately funded.
• Skilled professionals in the computer security field are trained and developed.
• Information and best practices are more freely shared between the public and private sectors[3].

Free and Open International Trade

The global vitality of an electronic marketplace depends upon free and open trade. Tariffs, regulations, and similar barriers to commerce raise costs and can price many smaller, competitive firms out of the market. When trade is restricted, economic development is slowed, consumer choice is reduced, and global prosperity is harmed. International trade is vital to the software industry. Over half of the U.S. industry’s global revenues are derived from foreign sales. Exports as a percentage of American software companies’ total sales have increased dramatically over the past decade. They now account for over $50 billion each year.

Enforcing the Trade-Related Intellectual Property Rights (TRIPs) Agreement

Widespread piracy is the software industry’s single most significant trade barrier. The most effective means of reducing piracy internationally is to enforce TRIPs, the agreement by which all members of the World Trade Organization (WTO) commit to abide by laws that protect intellectual property. TRIPs-compliant nations must have in place adequate civil and criminal laws protecting intellectual property and must, in practice, effectively enforce those laws. Unfortunately, many countries fail to criminalize or adequately protect copyright holders against “end-user” piracy, as required by the TRIPs Agreement. Other nations lack critical enforcement tools, such as the right to conduct surprise (“ex parte”) civil searches, also required by the TRIPs Agreement. The deadline for developing nations to comply with the TRIPs Agreement was January 1, 2000. However, today, many countries still remain in noncompliance and in violation of their international commitments.

Facilitating Importation and Production of Information E-Commerce Technology Equipment

A decade ago, in addition to rampant software piracy, the U.S. software industry faced another major problem in foreign markets: unreasonably high tariffs on computers and related devices. Significant progress has been made in this area. The WTO “Uruguay Round” agreements and the subsequent Information Technology Agreement (ITA), substantially reduced many tariffs for e-commerce technology devices. Still, many economies, mostly in the developing world, impose high duties or excise taxes on foreign e-commerce technology equipment. These barriers can range from 20 percent to as much as 100 percent of a product or system’s price. In some cases, a government might justify such a barrier by claiming that these products are “luxury goods.” Or, a government might argue that such actions are necessary to protect an “emerging” domestic industry or “sensitive” sector of its economy. But, in all cases, such policies simply stifle the development of a vibrant base of e-commerce technology consumers and service providers. It is essential for governments to adopt policies that encourage the use of e-commerce technology—not policies that effectively prohibit or punish it. The preceding is true whether considering a computer and software in the home, or routers and wires in the workplace. The refusal to compete against high-quality, imported products will do nothing to enable domestic manufacturers to produce quality products at affordable prices.

For a nation’s e-commerce technology development to flourish, countries should also open up their domestic markets to foreign investment. Foreign companies willing to invest in e-commerce technology overseas are affirming that particular country’s development and manufacturing capabilities and consumption potential. An infusion of capital and expertise also serves as a catalyst for the further development of the domestic industry.

Pursuing New Trade Agreements that Respect E-Commerce

As trade moves increasingly from the import and export of tangible goods to Internet-based commerce, it is vital to ensure that traditional free-trade principles apply equally in the realm of electronic commerce. Nations that have sought to rid themselves of burdensome trade barriers must ensure they do not stifle e-commerce with those same barriers. Because trade liberalization is crucial to the worldwide growth of the software industry, the following agreements and negotiations are very important:

• The pursuit of a new round of multilateral trade negotiations under the auspices of the WTO
• The conclusion of regional free trade agreements, such as the Free Trade Area of the Americas (FTAA)
• New, bilateral trade agreements, including the U.S.-Singapore Free Trade Area (FTA)[3]

Thus, the preceding bilateral and multilateral talks provide opportunities to further strengthen international trade law, provide a predictable business environment for e-commerce, and develop a pro-growth e-commerce agenda.

Keeping E-Commerce Barrier-Free

Any new trade negotiations should focus on barring new measures whose effect would be to restrict or inhibit the growth of global e-commerce. Countries should also ensure that they apply current WTO standards to online transactions. Specifically, countries should:

• Sign the Information Technology Agreement (ITA) and eliminate e-commerce technology tariffs.
• Make the 1998 Moratorium on Customs Duties on Electronic Commerce permanent and binding.
• Refrain from trade classifications that penalize software and other products acquired through downloading from a computer network, compared to those purchased in tangible form.
• Affirm that current WTO obligations and commitments, namely the General Agreement on Tariffs and Trade (GATT; trade in goods), General Agreement on Trade in Services (GATS; trade in services), and TRIPs (intellectual property) rules are technology-neutral and apply to e-commerce. Countries should refrain from enacting trade-related measures that could impede, actually or potentially, international e-commerce. Such rules should be enacted only where a legitimate policy objective necessitates doing so and where the least trade-restrictive measure is chosen.
• Support a NAFTA-type approach to e-commerce services issues in future trade negotiations. NAFTA’s services obligations apply to all services, including new services that have developed since the conclusion of NAFTA (this approach is sometimes referred to as “top-down”). Because it is impossible to anticipate what specific e-commerce services will develop over time, any “bottom-up” approach, as embodied in the current GATS, almost certainly will be out-of-date from its inception. There is a need to set the stage for an agreement that is more flexible with respect to future e-commerce and computer industry developments.
• Adopt a horizontal work program in the WTO for all e-commerce issues. This is necessary in order to ensure that WTO rules and disciplines reflect the horizontal (cross-disciplinary) nature of e-commerce.

Investing in a Technology Infrastructure

All the consumer confidence and legal support in the world won’t boost e-commerce if there’s no way to deliver electronic content to customers efficiently and quickly. The future of electronic delivery demands a dramatic evolution of the telecommunications infrastructure in the United States and across the globe. Today’s infrastructure was built to carry voice telephone traffic and has served well for the last 50 years. But, the information age is placing new demands on this system, demands that it cannot readily meet. Today’s slow transmission speeds and congestion are a legacy of an outdated system that must be modernized, lest consumers and businesses turn away because of the “world wide wait.”

High-speed constant connections to the Internet (broadband access) let users send and receive far larger volumes of information than traditional dial-up telephone lines allow. Broadband access can be provided through modified cable television lines, an enhanced telephone service called Digital Subscriber Line (DSL), satellite, fixed-wireless[5], and other means. Broadband access is absolutely necessary in order to make the vision of new, exciting Internet-based services a reality. For example, highly anticipated interactive applications (whether online classrooms, business showrooms, or health clinics) cannot exist if users lack broadband access.

In the United States today, roughly 70 percent of American households have access to the Internet, according to NielsenNetRatings (http://www.nielsen-netratings.com/). But, fewer than 10 percent of U.S. households have broadband access. Many other nations rival the United States in their level of Internet penetration. In Sweden, nearly 75 percent of citizens have access to the Internet, whereas the number in Canada is 58 percent. But globally, broadband access rates are even lower than in the United States.

Several factors conspire to stymie more extensive broadband deployment. There are financial challenges, changing market conditions, uncertain consumer preferences, and even cultural and societal trends. In this environment, policymakers must take the lead and encourage the provision of broadband to consumers and their homes over the so-called “last mile.” There is also a need to ensure that individuals in all sectors and geographical locations enjoy the benefits of broadband access. Not surprisingly, early evidence suggests that, in the United States, the rate of broadband deployment in urban and high-income areas is outpacing deployment in rural and low-income areas. The preceding disparity has raised concerns that the “digital divide” (the gap between information “haves” and “have-nots”) will increase. The digital divide is a major concern for companies who have worked individually to expand access to computer technologies in underserved areas. They recognize that a global e-commerce technology future depends on widespread access to new technologies, particularly by individuals who have thus far failed to share in many of the communications and productivity benefits that technology brings. For all these reasons, many e-commerce companies support policies to promote broadband deployment in a way that will enhance widespread access to technology and, in so doing, close the digital divide.

Deregulating and Making Telecommunication Markets Competitive

Genuine competition in all telecommunications markets will accelerate the deployment of advanced e-commerce technologies at reasonable prices. Competition in the long-distance market in the United States over the past decade has substantially reduced the cost of telecommunications services and steadily increased service quality and product innovation. This same model should be applied to local telephone markets in the United States and other countries. Competition will stimulate existing and new companies alike to deploy new equipment and software that is data friendly (packet-switched) and enable companies to tap into significant consumer demand for information-intense services.

Now, let’s look at another type of e-commerce technology: the tools that reside within the Internet environment itself. In other words, with the growth of the Internet, B2B procurement and other processes are being moved to the World Wide Web, for increased efficiency and reach. Procurement systems from different vendors use various protocols, and additional protocols are being defined by several industry consortia. As a consequence, suppliers are faced with the difficult task of supporting a large number of protocols in order to interoperate with various procurement systems and private marketplaces. In this part of the chapter, the connectivity requirements for suppliers and private marketplaces are outlined, and a description of how suppliers and marketplaces can interoperate with diverse procurement systems and electronic marketplaces is presented. A description of a simple connectivity that is based on punchout processes for fixed and contract-based pricing is presented first. Next, a description of how asynchronous processes, such as requests for quotes, auctions, and exchanges can be distributed for interoperability across suppliers and marketplaces, is also presented. Finally, this part of the chapter presents a description of the B2B/market-to-market (M2M) Protocol Exchange. This is a prototype that IBM has implemented, which maps between different, but analogous, protocols used in procurement systems and, thus, alleviates some of the interoperability difficulties.

[3] “Necessary Elements For Technology Growth,” © Copyright 2003 Business Software Alliance, 1150 18th Street, N.W., Suite 700, Washington, DC 20036, 2003.
[4] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.
[5] Vacca, John R., Wireless Broadband Networks Handbook, McGraw-Hill Osborne Media, 2001.

The Internet Environment

As previously explained, with the rapid growth of the Internet, organizations are increasingly using the Web to conduct business with greater speed, reach, and efficiency. This transformation is especially prevalent in business-to-business (B2B) commerce and trade. Many of the Fortune 500 companies have adopted e-procurement systems such as Ariba (see sidebar, “Ariba”), Commerce One, and mySAP. Many others participate as buyers in e-marketplaces, such as Commerce One MarketSet, Ariba Hosted Market Place, and IBM’s WebSphere Commerce Suite, Marketplace Edition (WCS MPE, or MPE for short), among others. Figure 2.1 illustrates the environment for B2B procurement on the Web[1]. B2B buyers have diverse procurement systems, such as those offered by Ariba, Commerce One, and SAP, among others. Each of these procurement systems uses different B2B protocols for interaction with seller systems. Many of these protocols are proprietary and specific to the procurement system. For example, as illustrated in Figure 2.1, Ariba uses the punchout process between the Ariba Order Request Management System (ORMS) and seller systems using their Commerce XML (cXML, or Commerce Extensible Markup Language) specification for the messages. Commerce One uses XML Common Business Library (xCBL) as the format of messages, and mySAP uses the Open Catalog Interface (OCI; for a process similar to punchout) between buyer and seller systems.

Ariba

With purchasing managers facing the prospect of tighter corporate budgets, developers Verticalnet Inc., PeopleSoft Inc., and Ariba Inc. are each readying software that they indicate will enable their customers to better manage spending. The goal is to enable companies to more closely tie the process of finding sources of raw goods, negotiating the price for those products, and closing the loop with electronic settlement. Verticalnet has recently released an enhanced Spend Management module as well as the next version of its Metaprise collaborative planning and order management suite. Spend Management introduces a supplier score card and enhanced reporting and analytics, which will let suppliers see through a Web browser how they are serving buyer and performance metrics, such as actual costs versus standard spending. New functionality in Metaprise, which comes from the company’s acquisition of Atlas Commerce Inc., facilitates the process of improving requisitions and managing purchase orders. Enhanced logistics functionality integrates shipping updates with third-party logistics providers. Meanwhile, PeopleSoft, of Pleasanton, California, recently announced the general availability of its strategic sourcing suite. The company unveiled PeopleSoft Strategic Sourcing as a collaborative solution that helps companies manage the complex bidding and negotiation process in the procurement of direct goods, services, and large capital expenditures, according to officials. Separately, Ariba, of Sunnyvale, California, recently unveiled its Spend Management Suite, which has been in beta testing. The suite consists of new and enhanced software modules for analysis, sourcing, and procurement to help companies manage their spending before, during, and after the procurement process, stages that Ariba refers to as “find it,” “get it,” and “keep it.” In the find-it category, the new Ariba Analysis module gathers procurement information, which typically resides in the Ariba Buyer platform, accounts payable, and ERP planning systems. It then generates reports to help companies find potential savings.

The second new module, called Ariba Contracts, falls into the get-it and keep-it categories, by focusing on the administration of contracts—those being used successfully and those requiring renegotiation. Integrated with Ariba Buyer and Enterprise Sourcing, the module helps companies track and manage contract life cycles. Ariba Invoice, the third new module, automates every stage in the invoicing process to help companies reduce reconciliation cycle times and lets suppliers upload invoices into Ariba Supplier Network and transmit them back to buyers. As for enhancements, Ariba Buyer has new integration with the Contracts module. Ariba Workforce features an expanded capability to capture and manage a broader spectrum of workforce procurement, indicate officials[2].

Many other protocols for B2B processes, many proprietary to procurement and other systems, and others customized for specific partners are being defined and implemented. In addition to the procurement systems, which typically reside within the firewall of the buying organizations, marketplaces are being set up on the Internet through which buyers can access a large number of suppliers, typically for specific industry segments. Many of these marketplaces use the same or similar technology to connect to procurement and supplier systems and offer buyers at small and medium-sized businesses access to suppliers.

Meanwhile, standards bodies are defining protocols and message formats for B2B processes. One of the early processes was that defined by the Open Buying on the Internet (OBI) consortium, a precursor of the punchout process. The RosettaNet consortium used OBI as a starting point and defined Partner Interchange Processes (PIPs), including both flows and XML-based message formats for interactions between partners. The electronic business XML (ebXML) framework (sponsored by the United Nations Center for the Facilitation of Procedures and Practices for Administration Commerce and Transport [UN/CEFACT] and the Organization for the Advancement of Structured Information Standards [OASIS]) includes a messaging service, a Collaborative-Protocol Agreement (CPA) specification, and a Business Processes Specification Schema. These are all used for enabling the interaction between business processes. The Web services approach defines both a messaging and a remote procedure call mechanism using Simple Object Access Protocol (SOAP). On top of SOAP, the Web Services Description Language (WSDL) defines a Common Object Request Broker Architecture (CORBA) interface definition language (IDL)-like interface for Web-based B2B remote procedure calls. And, the Universal Description, Discovery, and Integration (UDDI) consortium has defined a directory mechanism for registering and locating businesses on the Web, with an optional WSDL interface specification. The Open Application Group (OAG) has defined Business Object Documents (BODs) for the content of B2B messages.

Some of these originally disparate efforts are now coming together. For example, the RosettaNet consortium has announced that they will move to the ebXML messaging protocol, and OAG has announced that they will support ebXML. In spite of these efforts, however, the number of B2B protocols continues to grow. This proliferation of B2B protocols gives rise to several connectivity requirements and problems, as illustrated in Figure 2.2[1]. First, from a supplier’s point of view (box A in Figure 2.2), suppliers need to connect to the many customer procurement systems and private marketplaces, using various B2B protocols. Second, private marketplaces (and, over time, procurement systems as well) need to connect to procurement systems (box B in Figure 2.2), using different B2B protocols. Third (box C in Figure 2.2), private marketplaces need to connect to suppliers that may support different B2B protocols. Fourth (box D in Figure 2.2), private marketplaces need to connect to each other, in order to access suppliers connected to other marketplaces, or to access services offered at other marketplaces.

Now, let’s look at the connectivity requirements for suppliers and private marketplaces, and how suppliers and marketplaces relying on IBM’s WebSphere Commerce Business Edition (WCBE), WebSphere Commerce Suite, and Marketplace Edition (WCS MPE) can interoperate within the environment for B2B procurement. Simple B2B connectivity using punchout processes, as supported by WCBE, is also discussed. Next, marketplace connectivity for emerging asynchronous processes and distributed trading mechanisms, as supported by WCS MPE, is discussed. Finally, the last part of this chapter discusses connectivity, how to use a B2B protocol exchange, and how many of these protocols can be mapped to each other—thus allowing procurement systems and suppliers to use different protocols.

Simple B2B Connectivity Using Punchout

Now, let’s focus on two of the B2B connectivity problems previously mentioned, and illustrated in Figure 2.2. First, let’s discuss the supplier connectivity problem and present a solution based on IBM’s WCBE for connectivity of suppliers to diverse procurement systems. Second, a discussion of marketplace connectivity takes place, as well as a presentation of a solution based on IBM’s WebSphere Commerce Suite and Marketplace Edition (WCS MPE) for connectivity of marketplaces to diverse procurement systems and diverse supplier systems.

Most procurement systems and private marketplaces support the notion of punchout (albeit sometimes using a different term, such as RoundTrip, used by Commerce One). A buyer at a procurement system or marketplace selects a remote supplier, and the buyer is automatically logged on to the supplier catalog server and presented with a catalog customized for his organization, with prenegotiated prices. The buyer shops at the site, as the items selected for purchase are being stored in a shopping cart. On checkout, the shopping cart contents are sent back to the buyer’s procurement system for approval. The procurement system provides workflow for approvals and, on approval, a purchase order is sent from the procurement system to the supplier. Additional messages may be exchanged between the supplier and the procurement system, such as shipping notices and invoices. By having punchout capability, suppliers and marketplaces can interoperate with procurement systems or marketplaces, with significant benefits to both suppliers and buyers.

Note: Details of the punchout flow are provided later in the chapter.

For example, IBM’s WCBE is a solution for the business-to-consumer trade, whereas WCS MPE supports the private trading exchange customers. Customers can connect to the WCBE Web site, browse through the catalog, and place orders. In the case of WCS MPE, customers have the benefit of working with various trading mechanisms, such as request for quotations (RFQs), auctions, reverse auctions, and exchanges. It is especially useful, given the emerging trends in the industry, that the WebSphere Commerce products have punchout capability and can interoperate with buyers’ procurement systems and marketplaces. Although WCS MPE supports aggregation of suppliers’ catalogs, certain suppliers may have enormous catalogs and their systems may include complex configuration tools. Often, it is not feasible to offload supplier catalogs into external marketplaces. Thus, suppliers often have their supply-side Web sites enabled for punchout, and expect WCS MPE to initiate punchout to the supplier Web site. Catalog aggregation in the current WCS MPE product is done using the WebSphere Catalog Manager (WCM) product. WCM supports the loading of catalog data into an electronic marketplace (eMP) database, transforming catalog data from ASCII, spreadsheet, and XML formats into a canonical XML format, and extracting catalog data from any relational database. More enhancements to support industrial catalogs are planned for future versions of WCM.

Many large corporations have relatively independent subsidiaries and are classic examples of customers that require support for both receiving punchout requests and initiating punchout requests. Such corporations often have aggregated supplier catalogs across their subsidiaries, so their customers see a unified company-wide catalog and require support for receiving punchout requests from the buyers’ procurement systems to the aggregated catalog. They also require punchout initiation functionality to connect from their aggregated-catalog server to individual catalogs supported by their subsidiaries.

Punchout from Procurement Systems to WCBE and WCS MPE

For example, IBM’s Commerce Integrator is a generic framework that enables WCBE and WCS MPE to handle business-to-business transactions using industry standard protocols. It offers customers the opportunity to integrate their systems with the procurement system’s own network of high-volume buyers. Commerce Integrator provides an integrated, scalable system that enables suppliers with WCBE to participate as a supplier in the procurement system’s marketplace, to increase sales and to enhance their business-to-business presence on the Web. Specifically:

• Suppliers maintain a single catalog within WCBE and use that catalog to enable their own Web presence as well as to participate in the procurement system’s network.
• Suppliers can take advantage of WCBE connectivity to supply chain management systems, retail business systems, and order management backend systems to automatically flow orders from the buyer’s procurement system.
• Suppliers can take advantage of the updated business-to-business features of the WCBE product for using and maintaining information about buyer organizations, buyer-specific catalogs and price lists, and contract pricing.

Figure 2.3 illustrates a high-level view of a typical punchout flow in which WCBE interoperates with an e-procurement system, which includes the following steps[1]:

1. An agent in the buyer organization logs on to the procurement system using the user ID (identifier) and password, and then selects an external catalog. The procurement system authenticates the buyer agent.
2. The procurement system constructs a request to access the external supplier catalog using a user ID and other buyer organization credentials.
3. The Member Subsystem of Commerce Integrator authenticates the buyer agent against the buyer organization data stored in the WCBE database. If successful, the buyer agent is presented with a catalog customized for the buyer organization.
4. The buyer agent browses the catalog in the WCBE database while a shopping cart is created. On checkout, the shopping cart is submitted to WCBE, and a quote is recorded in the database.
5. Commerce Integrator picks up the quote from WCBE.
6. Commerce Integrator sends the quote to the buyer in the format required by the buyer’s procurement system. An authorized agent for the buyer is prompted for acceptance of the quote.
7. The authorized agent approves the quote. An order from the procurement system is sent to Commerce Integrator.
8. Commerce Integrator forwards the order to WCBE[1].

Further messages, such as advance shipment notices and invoices (not shown in Figure 2.3) are sent from WCBE to the procurement system. Although the punchout flow is similar for most procurement systems, the message format is different for different procurement systems. For example, Ariba uses cXML messages, mySAP uses Hyper Text Markup Language (HTML) name-value pairs, Metiom uses the OBI electronic data interface (EDI) message formats, and Commerce One uses xCBL message formats. There are some differences between the flows, as outlined previously in the B2B protocol exchange. To handle these differences, Commerce Integrator includes some protocol-specific functions, in addition to functions common to all protocols. As shown in Figure 2.4, incoming messages are handled by a common servlet, which identifies the protocol and calls protocol-specific functions that map the message to a common internal format[1]. Then, WCBE commands, shared by all punchout protocols, are invoked. Responses are converted from the common format into protocol-specific formats by Commerce Integrator.

Figure 2.4 also shows a B2B gateway. The function of the B2B gateway is to provide a means of connecting remote trading partners over the Internet, each using its protocol of choice. Clearly, this functionality facilitates the integration of interenterprise business processes. Although the B2B gateway may support additional functions, such as business process management, audit trails, and intraenterprise connectivity, it is beyond the scope of this chapter to elaborate further on these functions.

The protocol associated with an incoming message is identified by the URL to which the request is sent. The use of a single servlet for all requests should have no negative performance impact, because the servlet engine launches a new thread for each request. Performance bottlenecks would only be caused by undue contention for shared resources. Were such contention present, it would impact multiple servlets in the same manner as a single servlet. Because the servlet is merely the entry point for requests that quickly fan out to different parts of the server, it is unlikely that the degradation of reliability from the use of a single servlet would be significant. There are two scenarios of interest: one in which there is no separate B2B gateway and one in which there is a gateway present. When there is no B2B gateway, protocol-specific requests are sent to Commerce Integrator, and appropriate commands are invoked. If a B2B gateway is present, the incoming requests are mapped into a common canonical format, and then Commerce Integrator invokes appropriate WCBE commands. Thus, there is a synergistic relation between WCBE/Commerce Integrator and the gateway.
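The single-entry-point design just described (protocol identified by the URL the request was posted to, protocol-specific parsing into one internal format, one shared command, and the response converted back into the caller’s protocol) can be sketched in a short program. The following Python is an added example, not Commerce Integrator’s or WebSphere’s code. The endpoint paths, the buyer-organization table, the OCI user-to-organization mapping, the supplier URLs, and both sample messages are constructed for the illustration; the cXML elements (Header credentials with SharedSecret, PunchOutSetupRequest with BrowserFormPost, PunchOutSetupResponse with StartPage) and the OCI form fields (USERNAME, PASSWORD, HOOK_URL) are the names those specifications use, but the messages are simplified.

```python
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class SetupRequest:
    """Canonical internal form of a punchout login, whatever protocol carried it."""
    protocol: str
    buyer_org: str
    user: str
    secret: str
    postback_url: str


# Constructed buyer-organisation data (stands in for the member database in the text).
BUYER_ORGS = {"acme-corp": {"secret": "s3cret-acme", "catalog": "acme-contract"}}
# Constructed mapping from OCI login names to buyer organisations (assumption:
# OCI credentials are provisioned per buyer organisation).
OCI_USERS = {"acme-punchout": "acme-corp"}


def parse_cxml(body: str) -> SetupRequest:
    """cXML PunchOutSetupRequest: credentials in the Header, postback URL in BrowserFormPost."""
    root = ET.fromstring(body)
    sender = root.find("Header/Sender/Credential")
    return SetupRequest(
        protocol="cxml",
        buyer_org=root.findtext("Header/From/Credential/Identity") or "",
        user=sender.findtext("Identity") or "",
        secret=sender.findtext("SharedSecret") or "",
        postback_url=root.findtext("Request/PunchOutSetupRequest/BrowserFormPost/URL") or "",
    )


def parse_oci(body: str) -> SetupRequest:
    """OCI login: HTML form name-value pairs (USERNAME, PASSWORD, HOOK_URL)."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    user = fields.get("USERNAME", "")
    return SetupRequest(
        protocol="oci",
        buyer_org=OCI_USERS.get(user, ""),
        user=user,
        secret=fields.get("PASSWORD", ""),
        postback_url=fields.get("HOOK_URL", ""),
    )


# The protocol is identified by the URL the request was sent to (constructed paths).
ENDPOINTS = {"/punchout/cxml": parse_cxml, "/punchout/oci": parse_oci}


def handle_setup(req: SetupRequest) -> dict:
    """Common command shared by all protocols: authenticate the buyer organisation."""
    org = BUYER_ORGS.get(req.buyer_org)
    if org is None or not hmac.compare_digest(org["secret"], req.secret):
        return {"ok": False, "reason": "authentication failed"}
    return {"ok": True, "catalog": org["catalog"],
            "start_url": f"https://supplier.example/catalog/{org['catalog']}"}


def render_response(protocol: str, result: dict) -> str:
    """Convert the common result back into the caller's protocol."""
    if protocol == "cxml":
        if not result["ok"]:
            return '<cXML><Response><Status code="401" text="Unauthorized"/></Response></cXML>'
        return ('<cXML><Response><Status code="200" text="OK"/><PunchOutSetupResponse>'
                f'<StartPage><URL>{result["start_url"]}</URL></StartPage>'
                '</PunchOutSetupResponse></Response></cXML>')
    # OCI expects the supplier to redirect the browser straight to the catalog.
    return result["start_url"] if result["ok"] else "https://supplier.example/login-failed"


def dispatch(path: str, body: str):
    """Entry point for every incoming punchout request (the single servlet in the text)."""
    parser = ENDPOINTS.get(path)
    if parser is None:
        raise ValueError(f"no punchout protocol registered for {path}")
    req = parser(body)
    result = handle_setup(req)
    return req, result, render_response(req.protocol, result)


# Constructed sample messages (simplified; not captured from any real system).
CXML_SAMPLE = """<cXML payloadID="constructed-1" timestamp="2003-01-01T00:00:00">
  <Header>
    <From><Credential domain="NetworkID"><Identity>acme-corp</Identity></Credential></From>
    <To><Credential domain="NetworkID"><Identity>supplier-example</Identity></Credential></To>
    <Sender>
      <Credential domain="NetworkID"><Identity>jdoe</Identity><SharedSecret>s3cret-acme</SharedSecret></Credential>
      <UserAgent>constructed procurement system</UserAgent>
    </Sender>
  </Header>
  <Request>
    <PunchOutSetupRequest operation="create">
      <BuyerCookie>cart-7781</BuyerCookie>
      <BrowserFormPost><URL>https://procure.acme.example/punchout/return</URL></BrowserFormPost>
    </PunchOutSetupRequest>
  </Request>
</cXML>"""
OCI_SAMPLE = ("USERNAME=acme-punchout&PASSWORD=s3cret-acme"
              "&HOOK_URL=https%3A%2F%2Fprocure.acme.example%2Foci%2Freturn&OCI_VERSION=4.0")

if __name__ == "__main__":
    for path, body in (("/punchout/cxml", CXML_SAMPLE), ("/punchout/oci", OCI_SAMPLE)):
        req, result, wire = dispatch(path, body)
        print(req.protocol, req.buyer_org, result["ok"], wire)
```

The point of the layering is that `handle_setup` never sees a protocol: adding a third format means adding one parser and one branch in `render_response`, and the authentication logic, including the constant-time secret comparison, is written once. A request to a path with no registered parser is rejected before any message body is parsed.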

Punchout from WCBE and WCS MPE to External Suppliers

A traditional electronic marketplace (eMP) or a private trading exchange (PTX), such as IBM WCS MPE, provides various trading mechanisms: RFQs, contract-based buying, fixed-price buying, auctions, exchange, and so forth. It also provides support for aggregated catalogs. Both buyers and sellers begin by using the catalog to select a product to buy or to sell. When sellers offer products for sale, they specify the method of purchase to be used: RFQ, contracted price, fixed price, auction, or exchange. Buyers must purchase products using the method specified by the seller (with the exception of RFQ, which they can initiate). Aggregating the catalog at the eMP site offers advantages including: it makes a parametric search across suppliers possible, and it enables small businesses, which do not have the infrastructure to host catalogs, to engage in e-commerce. However, aggregating catalogs has its own limitations, including:

• It does not preserve each supplier’s unique brand and Web site design (it requires direct links to the supplier’s Web pages).
• It supports only static content rather than promoting dynamic, up-to-date information.
• It provides limited support for suppliers with very large catalogs.
• It provides no support for product configurators (needed for complex products).
• It provides limited support for suppliers with fast changing catalogs or pricing[1].

Thus, in situations in which there is a need for product configurators, or if the catalog contains fast changing products and prices, the suppliers have to maintain catalogs at their own sites and not aggregate the catalog onto an eMP. In the common eMP approach, a buyer has access to only the sellers who participate in the marketplace with which the buyer is registered. Similarly, a seller cannot sell goods and services in a marketplace different from the one with which the seller is registered. Now, let’s look at a mechanism called punchout, in which a buyer in a private marketplace can “punch out” to a remote supplier to buy fixed-price and contract price offerings. Figure 2.5 shows the flow for setting up a punchout process (steps 1 to 7) from a procurement system (or marketplace) to a supplier site; for example, a WCBE site[1]. Remote suppliers are listed at the procurement system. They may provide their entire catalog remotely using punchout. Alternatively, a supplier may provide a local catalog at the procurement site, with links for specific functions or details. For example, a supplier may use punchout for system configuration, or for parts of the supplier catalog that may change frequently. As shown in Figure 2.5, after selecting a remote supplier for initial or further shopping (step 1), a login request (step 2) is sent to the remote supplier as an XML document, encapsulating the user and organization credentials as well as a URL for postback to the procurement system (used at step 7, as shown in Figure 2.5). The remote supplier authenticates this request and returns a URL (step 3) with embedded user information. The client’s browser is redirected (step 4) to this URL, allowing the buyer to directly shop (step 5) at that remote site using the appropriate catalog for the buyer’s organization. At the end of the shopping session, a quote representing the shopping cart is sent back to the client (step 6) and posted back to the procurement system (step 7) at the postback URL referred to previously.

After the purchase request (in XML format) is received back at the procurement system (step 7), it is parsed and added to the buyer’s requisition. The buyer then submits the requisition for approval. After submission, the buyer can then view the submitted requisition and its status, and modify the requisition, if so desired.

Note: The buyer may punch out to multiple suppliers and add the contents of those shopping carts to his or her requisition. Subsequently, the approver views the submitted requisitions and, optionally, may punch out to the supplier to view details of the requisition. The approver can modify the requisition, if so desired. If the approver rejects the requisition, the status is so indicated, and can be viewed by the buyer. If the requisition is approved, it is converted into one or more purchase orders (POs), and is sent to the supplier(s). The PO is sent as an XML document, in the format required by the supplier. If the remote supplier’s system is based on WCBE, the PO is formatted in a common canonical format. Also, if it is an Ariba-compliant supplier, it is formatted in cXML. And, if the format is different, a B2B protocol exchange can be used to convert the PO to the desired format and protocol. When the remote supplier acknowledges the receipt of the PO, the state of the order at the procurement system is updated. Subsequently, additional messages may be sent by the supplier to the procurement system to indicate further events, such as issuing an advance shipping notice.

Marketplace Connectivity for Asynchronous Processes

As illustrated in Figure 2.6, IBM’s WCS MPE provides different trading mechanisms, such as fixed-price buying, contract-based buying, RFQs, auctions, and exchanges[1]. Also, the punchout mechanism can be used for remote supplier integration when dealing with fixed and contract pricing. However, the more advanced trading mechanisms, including RFQs, auctions, and exchanges, cannot be supported by the basic punchout mechanism. This is because the flows between WCS MPE and the remote suppliers for fixed and contract pricing are synchronous, and occur during a real-time session with the buyer, thus making them amenable to the online punchout process. RFQs, auctions, and exchanges involve asynchronous interactions between WCS MPE and the supplier. Next, let’s look at how such asynchronous processes are handled. RFQs are used as a typical example. Similar flows and XML document interchanges can be used for other asynchronous trading mechanisms.

In WCS MPE, an RFQ is a trading mechanism used when a buying organization attempts to obtain a special price for a purchase, or when a buying organization cannot find an acceptable offering in the eMP aggregated catalog that meets its needs. The RFQ may be issued in order to obtain a special price based on quantity for well-defined items or for a group of items. The RFQ may also be issued for unique items based on the buyer’s description. The request is sent to one or more selling organizations, and these may submit a bid on the RFQ. The selling organizations respond to the RFQ and the buying organization may select one or more winning responses. The result of the RFQ process could be an order placed by the buyer or a contract could be created for the negotiated price. Figure 2.7 shows this process flow in WCS MPE[1].

Now, let’s look at two different mechanisms for extending the RFQ process to a distributed environment. The first mechanism, referred to as “local RFQ,” exploits the advantages of aggregating the catalogs at the eMP site, while distributing only the RFQ process. The second mechanism, which is referred to as “remote RFQ,” allows buyers to connect to a remote WCBE at a supplier or a remote WCS MPE and issue an RFQ. For local RFQs, the catalog is hosted at the WCS MPE site where the buyer is registered. Figure 2.8 shows the process flow for this configuration[1]. The configuration includes the following parties:

• One or more buyers
• An eMP where the buyers are registered
• One or more remote eMPs
• One or more sellers registered on the remote eMP[1]

The flow starts with the buyer browsing the catalog on the eMP and creating an RFQ. The RFQ is sent as an XML message to the remote eMP. Upon receiving the RFQ, the remote eMP notifies the target sellers. Each seller views the RFQ and creates a response for it. The asynchronous responses are then sent to the eMP as XML messages. The buyer can check the status of the RFQ at any time. The buyer views the RFQ responses by logging on to the eMP, evaluates them, and selects a winner. Selecting a winner leads either to a purchase order or a negotiated contract. The order or the contract is then sent to the remote eMP or remote seller as an XML message. This solution has the advantages of an aggregated catalog and allows buyers on one eMP access to sellers on a remote eMP, and vice versa. It has, however, the previously mentioned limitations of aggregated catalogs.

For remote RFQs, the catalog is hosted either on the remote eMP where the seller is registered, or on the remote seller’s Web site. Figure 2.9 shows the process flow for this configuration[1]. This configuration also involves four parties. The flow starts with the buyer selecting on the local eMP a registered remote eMP or a remote seller. The eMP connects the buyer to the remote eMP site. The buyer browses the catalog on the remote eMP and creates an RFQ template. The RFQ template is then sent as an XML message to the eMP. The RFQ template received from the remote eMP is converted into an RFQ by providing additional information. It can then be optionally submitted for approval. Finally, it is sent to the remote eMP or remote seller as an XML message. The remote eMP notifies the target sellers. The sellers view the RFQ and create responses for it. The responses are then sent to the local eMP as XML messages. The buyer views the RFQ responses by logging on to the eMP, evaluates them, and selects a winner. Selecting a winner leads either to an order or to a negotiated contract. The order or the contract is then sent to the remote eMP or remote seller as an XML message.

This solution overcomes the limitations of aggregated catalogs for such asynchronous trading mechanisms, and allows buyers on one eMP access to sellers on a remote eMP, and vice versa. This comes at the price of losing the advantages of aggregated catalogs.

Connectivity Using a B2B Protocol Exchange

As previously mentioned, some suppliers participating in a private marketplace prefer to keep the catalog contents to themselves and not participate in an aggregated catalog hosted by the marketplace. As B2B connectivity becomes increasingly popular, the number of protocols for engaging in B2B transactions continues to grow. Given this growing “babelization,” it is likely that businesses and marketplaces that need to communicate will be using different protocols. For example, IBM built the B2B/M2M Protocol Exchange, a prototype capable of converting between different protocols. Now, let’s look at how the exchange could be used to enable punchout between a buyer and a supplier using different protocols. Although this example is limited to punchout, the protocol exchange can cover many other common B2B interactions, such as shopping cart processing and order processing. Suppliers participating in a marketplace may have catalog systems already in place supporting existing standard or proprietary formats. These formats may vary from supplier to supplier. Thus, Supplier A may support cXML punchout messages, Supplier B may support OCI punchout messages, and Supplier C may support some other format. The marketplace punchout function must send punchout messages in the format and protocol that a specific supplier is capable of processing. The B2B protocol exchange is a tool that allows suppliers to interact with buyers whose protocols would otherwise be incompatible. Unlike some kinds of protocol conversions, most B2B protocol conversions cannot be achieved in a stateless manner, that is, in a manner in which the protocol converter has no knowledge of prior events or message exchanges. This is because many of the protocols refer to the session state or to prior messages. In other words, a B2B protocol involves not only message formats, but also message flow and the state of the interchange process between business partners. Thus, session state management is required along with message format translation. A block diagram of a typical environment is shown in Figure 2.10[1]. In this illustration, Buyer 1 and Supplier 1 use protocol A, whereas Buyer 2 and Supplier 2 use protocol B. Information exchange between Buyer 1 and Supplier 2, or between Buyer 2 and Supplier 1, requires the use of the protocol exchange. The presence of the exchange is transparent to buyers as well as suppliers. When Buyer 1 and Supplier 2 are interoperating, Supplier 2 appears to Buyer 1 to be a protocol A supplier, and Buyer 1 appears to Supplier 2 to be a protocol B buyer.

Now, let’s look in some detail at a punchout operation such as an Ariba cXML punchout between a buyer and a supplier that use the same protocol. The data flow is illustrated in Figure 2.5, shown earlier. The numerals refer to the process steps described here. To purchase from a network catalog, the buyer typically uses a browser to interact (step 1) with the procurement system, and through the procurement system, establishes a connection to a network catalog hosted on the supplier’s behalf. The procurement system thus sends a login request (step 2; a cXML PunchOutSetupRequest) to the supplier system. The login request contains the credentials (userid/password) of the procurement system, a session identifier (<BuyerCookie> in cXML), and the postback URL, which is the HTTP URL at which the procurement system accepts the completed purchase requests (in step 7). The supplier system authenticates the request and responds (step 3) with the URL for accessing the network catalog (in a cXML PunchOutSetupResponse). The procurement system then redirects the browser to the network catalog URL (step 4), and the buyer connects directly to the network catalog system (step 5) bypassing the procurement system.

As previously described in some detail, the punchout operation illustrated in Figure 2.5 (between a buyer and a supplier) uses the same protocol. In the event the buyer and supplier use different protocols, they will be unable to support a punchout interoperation unless some mechanism such as the protocol exchange is used. The data flow is shown in Figure 2.11[1].

When using a protocol exchange for this mapping, the procurement system is configured to treat the exchange as the supplier system. The initial login request (step 2a in Figure 2.11) is sent to the exchange rather than the target supplier system. The processing required at the exchange at this point may be fairly involved. Typically, the protocol conversion involves two different authentication domains (the source protocol and the target protocol). The exchange must validate the incoming credentials and generate the outgoing credentials for the target protocol domain. In addition, the incoming request typically has an associated session ID (BuyerCookie), which must be recorded and mapped to an equivalent session ID in the target protocol. Also, the postback URL must be saved, and the URL of the exchange must be substituted in the outgoing message. Finally, the target supplier system must be identified, and the converted request must be passed as a new login request (step 2b) to the target supplier system. When the login response (step 3a) is received by the exchange, the response is converted into a protocol A response by the exchange and is returned to the procurement system (step 3b). The procurement system redirects (step 4) the browser to the network catalog site, and the shopping session (step 5) takes place directly between the buyer’s browser and the network catalog site. At checkout time, the browser accepts the contents of the shopping cart in protocol B format (step 6), and sends it to the exchange (step 7a) rather than to the procurement system, due to the substitution of the exchange URL for the procurement system URL in the protocol A login response. In order to process the checkout, the exchange creates a new checkout page, with the shopping cart converted into the protocol A format, and returns this page to the buyer’s browser (step 7b). The target URL of the “checkout” button on this page is the postback URL of the procurement system, which was saved during the translation of the login request in step 2a. The buyer is instructed to perform a second checkout operation (step 7c), which causes the purchase request to be submitted to the procurement system for approval. The second checkout may be hidden from the user by using scripting (JavaScript) in the HTML page generated by the exchange. This particular punchout description is one example of how the exchange flows might operate. Specific protocol flows will vary in the exact details.

The protocol exchange runtime is constructed from a set of common protocol objects (Login, ShoppingCart, Order), with plugins for specific functions of the various protocols. For example, the mySAP inbound logon plugin accepts a mySAP logon request and converts it to an internal logon object. The cXML outbound logon plugin converts the logon object into a cXML PunchOutSetupRequest. The various shopping cart plugins convert shopping carts in different protocols into a common ShoppingCart object. The exchange also contains code to map between credential domains (from Ariba Network IDs to mySAP OCI userid/password). Finally, there is a state management framework to maintain the state of a session and keep track of message content (such as the postback URL), which must be extracted from one message, temporarily saved, and replaced in a subsequent message. The B2B interaction between two parties is defined within the protocol exchange as a series of plugin transformations to be performed. One plugin accepts a message and turns it into a common object. A subsequent plugin takes the object and issues it as a message in a different protocol.

There is no implicit assumption, for example, that a cXML punchout to a supplier will result in the supplier returning the shopping cart in cXML format, or that a shopping cart returned in cXML format is to be followed by an order to the supplier in cXML. This flexibility is necessary to accommodate some of the interactions that are common today. As an example, the SAP Open Catalog Interface allows the shopping cart to be returned in either XML or HTML, depending on the configuration of the buyer’s procurement system. Some of the private buyer and supplier marketplaces are implemented using combinations of different protocols. A supplier might expect an OBI logon from which it might return a cXML shopping cart to the purchasing system. And, the subsequent order may have to be transmitted in EDI, because the supplier’s EDI order processing system was in place, running over a value added network long before the supplier had implemented any B2B interactions over the Internet. Finally, it is hoped the various electronic commerce dialects will someday coalesce into a smaller and more concise set. But until then, it seems that something like a B2B protocol exchange will be required to bridge the communication gap between prospective trading partners.
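The following Python sketch is an added illustration, not the chapter’s or IBM’s B2B/M2M Protocol Exchange code. It ties together two points made above: the common entry point that picks an inbound plugin from the request URL (as the Commerce Integrator servlet does), and the session state a stateless converter cannot keep, namely credential validation in the source domain, mapping of the BuyerCookie to an exchange session id, and saving the postback URL so the exchange URL can be substituted at login (step 2a/2b) and the original restored at checkout (step 7a/7b). The messages are simplified cXML-like and OCI-like forms; every element and parameter name other than PunchOutSetupRequest, PunchOutSetupResponse and BuyerCookie, the credential tables and all URLs are assumptions.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed credential tables for the two authentication domains
# (assumption: a real exchange would keep these in a secret store).
PROTOCOL_A_SHARED_SECRETS = {"buyer1-network-id": "a-shared-secret"}
PROTOCOL_B_LOGONS = {"supplier2": ("exchange-user", "exchange-pw")}
EXCHANGE_URL = "https://exchange.example/checkout"  # assumed exchange address

# Constructed, simplified cXML-like PunchOutSetupRequest (step 2a).
SAMPLE_LOGIN_REQUEST = """<cXML payloadID="constructed-1">
 <Header>
  <To><Credential domain="NetworkId"><Identity>supplier2</Identity></Credential></To>
  <Sender><Credential domain="NetworkId"><Identity>buyer1-network-id</Identity>
   <SharedSecret>a-shared-secret</SharedSecret></Credential></Sender>
 </Header>
 <Request><PunchOutSetupRequest operation="create">
  <BuyerCookie>cookie-42</BuyerCookie>
  <BrowserFormPost><URL>https://procurement.example/postback</URL></BrowserFormPost>
 </PunchOutSetupRequest></Request>
</cXML>"""


@dataclass
class Login:
    """Common logon object shared by the inbound and outbound plugins."""
    buyer_identity: str
    session_id: str    # BuyerCookie in cXML, mapped to an exchange session
    postback_url: str  # procurement system URL that receives the cart
    supplier: str


def parse_cxml_login(body: str) -> tuple[Login, str]:
    """Inbound plugin: PunchOutSetupRequest -> Login, plus the presented secret."""
    root = ET.fromstring(body)
    identity = root.findtext("Header/Sender/Credential/Identity")
    secret = root.findtext("Header/Sender/Credential/SharedSecret")
    req = root.find("Request/PunchOutSetupRequest")
    if req is None or not identity or secret is None:
        raise ValueError("malformed PunchOutSetupRequest")
    return Login(buyer_identity=identity,
                 session_id=req.findtext("BuyerCookie", ""),
                 postback_url=req.findtext("BrowserFormPost/URL", ""),
                 supplier=root.findtext("Header/To/Credential/Identity", "")), secret


class ProtocolExchange:
    """Keeps the per-session state a stateless converter cannot: the buyer's
    cookie and postback URL, keyed by an unguessable exchange session id."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def handle_login(self, path: str, body: str) -> dict:
        """Common entry point: the URL path selects the inbound plugin."""
        if path != "/cxml/punchout":  # only the cXML plugin is implemented here
            raise ValueError(f"no inbound plugin for {path}")
        login, secret = parse_cxml_login(body)
        # Validate credentials in the protocol A domain (constant-time compare).
        expected = PROTOCOL_A_SHARED_SECRETS.get(login.buyer_identity)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("protocol A credentials rejected")
        if not login.session_id or not login.postback_url.startswith("https://"):
            raise ValueError("missing BuyerCookie or non-HTTPS postback URL")
        if login.supplier not in PROTOCOL_B_LOGONS:
            raise ValueError(f"unknown target supplier {login.supplier!r}")
        # Map BuyerCookie to a fresh exchange id and save the postback URL;
        # the exchange's own URL is substituted in the outgoing logon.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"buyer_cookie": login.session_id,
                              "postback_url": login.postback_url}
        user, password = PROTOCOL_B_LOGONS[login.supplier]
        # Outbound plugin: OCI-style logon as name-value pairs (step 2b);
        # the parameter names are an assumption for this illustration.
        return {"USERNAME": user, "PASSWORD": password,
                "HOOK_URL": f"{EXCHANGE_URL}/{sid}", "exchange_session": sid}

    def login_response(self, sid: str, catalog_url: str) -> str:
        """Steps 3a -> 3b: wrap the catalog URL in a PunchOutSetupResponse."""
        if sid not in self.sessions:
            raise KeyError("unknown exchange session")
        root = ET.Element("cXML")
        resp = ET.SubElement(ET.SubElement(root, "Response"), "PunchOutSetupResponse")
        ET.SubElement(ET.SubElement(resp, "StartPage"), "URL").text = catalog_url
        return ET.tostring(root, encoding="unicode")

    def checkout(self, sid: str, cart: list[dict]) -> dict:
        """Steps 7a -> 7b: restore the saved BuyerCookie and postback URL so the
        procurement system receives a protocol A checkout; one use per session."""
        state = self.sessions.pop(sid, None)
        if state is None:
            raise PermissionError("unknown or already-used exchange session")
        return {"BuyerCookie": state["buyer_cookie"],
                "post_to": state["postback_url"],
                "items": [{"sku": i["sku"], "qty": int(i["qty"])} for i in cart]}
```

Because the exchange session is consumed at checkout, a replayed or guessed postback cannot be routed to the procurement system, and the buyer’s own BuyerCookie never appears in the URL handed to the supplier.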

[1] Dias, D. M., Palmer, S. L., Rayfield, J. T., Shaikh, H. H., and Sreeram, T. K., “E-Commerce Interoperability with IBM’s WebSphere Commerce Products,” IBM Systems Journal, © Copyright 2002 IBM Corporation, IBM Corporation, 1133 Westchester Avenue, White Plains, New York 10604, United States (2002): pp. 272-286.

[2] Ferguson, Renee Boucher, “E-Sourcing Apps Lead to Time Well-Spent,” eWeek, © Copyright 2003 Ziff Davis Media Inc., Ziff Davis Media Inc., 28 East 28th Street, New York, New York 10016-7930 (March 2002): p. 18.

Summary

The best way to encourage future growth of the global information economy is to learn from the past. Centers of e-commerce technology activity continue to emerge around the world: the original Silicon Valley in California, joined by Silicon Alley in New York City, Silicon Forest in Seattle, or even Silicon Dominion in the State of Virginia, is mirrored by the emergence of Silicon Glen in Scotland and Silicon Plain in Finland. Other concentrations of expertise, equipment, and infrastructure include the Research Triangle in North Carolina, the Route 128 Corridor in Massachusetts, the Intelligent Island in Singapore, and the Multimedia Super Corridor in Malaysia. Some of these centers developed naturally; others were created and fostered by governments that provided financing, tax relief (for imported equipment or income earned), open immigration for “knowledge workers,” and telecommunications infrastructure. Each of these centers embraced the fact that collecting industry experience and expertise in a specific area promotes “critical mass” and synergies, thus fostering faster e-commerce technological development in that region’s economy.

The same can hold true with regard to users. The world is comprised of over six billion people, yet there are only 900 million telephone lines in existence. Many of the world’s citizens have never made a telephone call, let alone used the Internet. How can this be changed? The United Nations Educational Scientific and Cultural Organization (UNESCO) offers one approach to this problem. UNESCO suggests the establishment of public access communication and information services, known as Telecentres. These centers are being developed across Africa, either as standalone facilities or by adding PCs to schools, libraries, police stations, and clinics. Private Telecentres and telekiosks have been established in Ghana, Kenya, and Senegal, among other countries. Built on the principle that sharing the expense of equipment, skills development, and access among a large group helps to cut costs and make information services viable in remote areas, UNESCO has helped foster these technology hubs across the continent of Africa. It has even developed a “Community Telecentre Cookbook for Africa,” a how-to guide on establishing and operating Telecentres.

In addition to a general discussion of e-commerce technology, this chapter also covered various business-to-business connectivity protocols between procurement systems, private marketplaces, and suppliers. The chapter described how WCBE-based suppliers and private marketplaces can connect to diverse procurement systems, other suppliers, and external private marketplaces. Specifically, the chapter showed how WCBE-based suppliers and WCS MPE-based marketplaces can connect to buyers at procurement systems that use punchout, such as Ariba, Commerce One, and mySAP. The chapter then described how a WCS MPE-based supplier or private marketplace could originate a punchout process in order to connect to either an external supplier or another private marketplace. Next, the chapter outlined the types of trading mechanisms that can be supported by existing punchout protocols and the asynchronous trading mechanisms, such as RFQs, which require extensions to the punchout mechanisms. Although these mechanisms can be used across WCS MPE-based suppliers and private marketplaces, such mechanisms need to be standardized in order to enable them to connect to suppliers and marketplaces provided by other vendors. The chapter also described B2B/M2M Protocol Exchange, a tool that IBM has implemented that can map between various protocols used by different procurement systems. It allows a supplier using one protocol to connect to a procurement system or private marketplace that uses a different protocol. Finally, the WCBE-based Commerce Integrator, with support for B2B procurement protocols as described earlier in the chapter, has been used to connect ibm.com, as a supplier, to enterprises using diverse procurement systems and to private marketplaces. Although this chapter focused on the external partner B2B protocols, a large part of the integration effort for suppliers is the tie-in to internal processes, such as the processes to handle purchase orders. Other complementary products, such as IBM’s WebSphere MQ and WebSphere Business Integrator, are key to completing the picture for end-to-end integration.

Chapter 3: Types of E-Business Models and Markets

“Do not quench your inspiration and your imagination; do not become the slave of your model.” —Vincent van Gogh (1853–1890)

Overview

In the past two years, e-business seems to have permeated every aspect of daily life. In just a short time, both individuals and organizations have embraced Internet technologies to enhance productivity, maximize convenience, and improve communications globally. From banking to shopping to entertaining, the Internet has become integral to daily activities. For example, just 23 years ago, most individuals went into a financial institution and spoke with a human being to conduct regular banking transactions. Ten years later, individuals began to embrace the ATM machine, which made banking activities more convenient. Today, millions of individuals rely on online banking services to complete a large percentage of their transactions. The rapid growth and acceptance of Internet technologies has led some to wonder why the e-business phenomenon did not occur decades ago. The short answer is: it was not possible. In the past, the necessary infrastructure did not exist to support e-business. Most businesses ran large mainframe computers with proprietary data formats. Even if it had been achievable to transfer data from these large machines into homes, the home computer was not yet a commodity, so there were few terminals outside of business to receive information. As PCs became more popular, especially in the home, the ability to conduct e-business was still restricted because of the infrastructure required to support it, including backend customer and supplier interaction along with credit card processing systems. To set up an e-business even eight years ago would have required an individual organization to assume the burden of developing the entire technology infrastructure, as well as its own business and marketing strategies. Today, the challenge of e-business is integration. There are industry-leading companies that have solved the difficult task of developing individual Internet-based products and services that handle many of the issues surrounding customer and supplier interactions. However, the ability to integrate these technologies and services based on sound business and marketing strategies, operating on a real-time basis, can be a monumental undertaking. As e-business continues to be fueled by both organizations and consumers who have access to the Internet from their homes and offices, the excitement grows and the potential for success increases. But explosive growth of the Internet has also led to a growing number of integration challenges for e-businesses of all sizes and types.

In phase one of building an e-business, companies scrambled to get an e-commerce Web site up quickly. The operative word was “quickly,” because usually there was little or no regard given to how scalable or reliable the site needed to be—or even how captivating the content. It was just a matter of beating the competition. These first-to-market consumer sites were rarely integrated with the manufacturing side of the business, which was establishing its own Internet-based relationships with suppliers. This lack of integration has proved to be a significant challenge for many organizations as the customer base has grown, real-time order status has been requested, and products have been returned. In phase two of building an e-business, having an e-commerce site is now a commodity, not a way to differentiate a business. Customer and supplier expectations are rising, forcing organizations to start thinking about backend integration and real-time transaction processing. Businesses must actually maintain complete customer and supplier relationships using Internet-based technologies and tie those systems to the interpersonal aspects of the business transaction when required. Organizations that realize the promise of e-business are the ones that have begun to address the complete business cycle and are leveraging Internet technologies. It is no secret that today’s e-business has the potential to transform the business landscape. Whereas in the past, a company’s business model was the primary determination of its value, today, a company is valued on its strategy, business model, and ability to market. With technology driving new competition, a Fortune 500 stalwart that once seemed unstoppable is now challenged by a start-up that uses Internet technologies and integrates its systems and processes more effectively. By capitalizing on a sustained business proposition and correctly applying technology, these start-ups are able to significantly reduce the barriers to entry while dramatically increasing their market reach. For e-businesses, the premise “first to market equals first to success” is often the case; however, the foundation needs to be laid carefully. A disciplined approach to evaluating the business opportunity, and correctly assessing how a competitive advantage may be gained using Internet technologies combined with leveraging the existing investment, is key to a successful e-business. It is just such an approach that is defined as the e-business model (see sidebar, “Defining the Real E-Business Models”).

Defining the Real E-Business Models

An e-business model is simply the approach a company takes to become a profitable business on the Internet. There are many buzzwords that define aspects of electronic business, and there are subgroups as well, such as content providers, auction sites, and pure-play Internet retailers in the business-to-consumer space. Many Internet firms witnessed a meteoric rise in their stock values in the late 1990s, only to crash in 2000. For instance, Drkoop.com Inc. in Austin, Texas, announced its initial public offering at $9 per share in June of 1999. The price rose to more than $30 per share, but then plummeted to less than $1 per share. Given the carnage among dot-com stocks recently, what types of online business model are expected to succeed in the future? Businesses need to make more money than they spend. The new model is the old model, but technology is essential to maintain a competitive advantage, and cash flow is more important than ever. For example, Yahoo Inc. in Santa Clara, California, has always operated a successful portal site, providing content and an Internet search engine. However, many portal sites, such as Go.com, MSN.com, and AltaVista.com, have fallen on hard times. The idea behind portals is the same as that behind television advertising: aggregating eyeballs and directing them toward advertisements. But, television viewers are passive, and people need to wait through the ads to see the shows they want to watch. However, the Web doesn’t work that way. Content presentation is not serial. Viewers are active, not passive. There are always millions of places to go. No Web advertisement can match a 20-second TV spot.

When First-to-Market Fails

Many of the failing companies were operating on a first-to-market strategy. Their hope was that by getting their ideas out ahead of the market, consumers would develop brand loyalty before competitors arrived. For example, Priceline.com Inc. in Norwalk, Connecticut, is a good example of a company that attempted this strategy, with its name-your-own-price scheme for buying airline tickets and other goods. However, the closing of Priceline.com Inc.’s Greenwich, Connecticut-based WebHouse Group licensee (which applied the same model to groceries and gasoline), combined with increased competition from airlines and other travel sites, led Wall Street to trade Priceline.com’s stock down to less than $3 per share in December 2000, from a high of $104.25 in March 2000.
First-to-market as a business model has always been risky. You are vulnerable because you have nothing proprietary, need vast funding, and rely on rapid deployment. So why did investors and venture capitalists get caught in such speculative and irrational investments? Investors felt they were investing in technology, when they were really investing in retailers and distributors. These companies have small profit margins. They couldn’t justify their valuations in typical price/earnings ratios. When does it turn profitable? Companies such as Amazon.com have yet to answer that. One segment of the business-to-consumer world that’s thriving is niche markets. For example, RedEnvelope Gifts Inc., which launched in 1997 as 911gifts.com, began as a last-minute gift site, but now markets more than 5,000 items that are unique to the site.

Customers seem willing to pay a premium for RedEnvelope’s edited selection and enhanced customer service. The company has $70 million in sales, with a 57-point profit margin. There needs to be a quick path to profitability. And the ultimate metric is margin. There are three levers to achieving margin: edited selection, customer service, and inspirational branding.

The B2B Way

Is the model buyer- or seller-centric? What is the driving force of the business? The greatest strength of the Internet is its ability to bring together people, governments, and businesses and facilitate the flow of information among them. This is one of the main reasons why business models for business-to-business online marketplaces are expected to succeed. It’s clear that the Internet is a viable platform for B2B trade. According to Forrester Research Inc. in Cambridge, Massachusetts, a projected $4.9 trillion in business-to-business (B2B) transactions will be made online by 2004. But private marketplaces being formed by industry leaders represent a more successful model. These real-time supply chains and e-business design systems are phasing out the more expensive and inflexible electronic data interchange networks. The real surprise here is how hard it is to become profitable. The cost of branding technology is so high that consumers still use a catalog. A Web site is just another channel.

E-Business Models

The emerging e-business market affords companies of all sizes and types the opportunity to leverage their existing assets, employees, technology infrastructure, and information to gain or maintain market share. For example, in the telecommunications industry, service, rather than technology, is now the key differentiator. With lower barriers to entry, new competitors are rapidly entering the market offering new services, such as online bill presentment and payment, and leveraging their unique digital assets. Information technology research analysts agree that e-business is any net-enabled business activity that transforms internal and external relationships to create value and exploit market opportunities driven by the new rules of the connected economy (see sidebar, “Defining the Real E-Business Models”). However, today’s e-business requires more. Industry analysts further point out that e-business involves the continuous optimization of an organization’s value proposition and value-chain position through the adoption of digital technology.

The challenge for an organization is to turn the vision and the market opportunity into a viable business. Developing the marketing strategy and plans and designing and deploying the business solution is key. Those who successfully architect, develop, and deploy e-business solutions will need to formulate and adopt a comprehensive business plan. Because Internet technologies and integration requirements play such a critical role, organizations need a comprehensive planning framework: an actual e-business model. This structured planning approach enables the organization to assess, plan for, and implement the multiple aspects of an e-business. Building an e-business (an integrated value chain) that leverages the Internet’s communications capabilities is a complex undertaking. The complex integration requirements of the business solutions, all performing at extremely high levels of availability and scalability, require an e-business model architectural approach. The value chain (comprising the traditional supply chain management functions, planning, procurement, and inventory management, coupled with the customer-facing functions, typically referred to as customer relationship management) has integration and performance demands that exceed the requirements seen in traditional businesses. In a successful e-business, all of these areas are tightly integrated to provide an organization the ability to quickly and efficiently sell, manufacture, and deliver products or services. Furthermore, in a successful e-business, this value chain rests on a foundation that leverages the organization’s existing core operational business systems, as well as meets the new business-critical operational requirements for reliability, scalability, flexibility, and 24 × 7 × 365 availability in a highly volatile, electronic marketplace. An e-business model includes three essential elements (see Figure 3.1)[1]:

Figure 3.1: E-business model components.

• Solid strategies
• Knowledge management techniques applied to a company’s information and intellectual assets
• Effective e-business processes, typically grouped in the customer relationship management (CRM), supply chain management (SCM), and core business operations domains[1]

Solid Strategies

Strategy and execution are key to developing and sustaining a successful e-business. Only those organizations that successfully integrate key business strategies and processes dramatically increase their efficiencies. To be successful, organizations must also form the right strategic relationships and develop efficient business processes with robust backend solutions that are able to meet users’ demands for real-time service today and into the future. In the past, businesses had the luxury of developing business strategies in the boardroom and IT strategies in the IT department. They then brought these strategies together to run the overall business. E-businesses cannot afford this luxury. The ability to react and change direction is critical. Speed is everything. Grounding the organization with sound, winning strategies is key. In the new economy’s competitive electronic environment, it is easier for an organization to be global, but it is also harder to maintain consistency in the levels of services offered around the world. E-businesses must be ready and able to adjust their business and IT strategies rapidly, depending on unpredictable competitors and market pressures. Today’s e-business climate requires the continuous optimization of an organization’s business and IT strategies. Because IT now has such a significant impact on every business process (from order taking to inventory to billing), both business and IT strategies are now developed in parallel. The best example of this is Dell Computer. From the start, the company’s business strategy was tightly aligned with its IT strategy, allowing Dell to successfully integrate every aspect of its business (from order taking to inventory to billing) with both its customers and suppliers. Dell vaulted to the forefront of its industry when it came to market with a winning strategy, the unique just-in-time-delivery model.
Unlike traditional computer suppliers, Dell’s business strategy was founded on the premise of zero inventory. Similarly, online brokerage companies have been leaders in the area of integrating IT and business strategies. The rapid adoption of Internet technologies combined with market globalization, industry deregulation, and media convergence has afforded these companies the opportunity to gain share and create value in the e-business marketplace. Turning an organization’s intellectual assets into knowledge is a key business differentiator. In addition to a continually optimized business strategy, successful e-businesses must establish solid knowledge management practices. Knowledge management is the definitive way to leverage an organization’s information and intellectual assets for business advantage. It is the formalized, integrated approach that every organization must take to “know” its business.

Knowledge Management Techniques

Every business has both tacit and explicit knowledge about what is “known” in the company: tacit knowledge is undocumented, and explicit knowledge is documented. This knowledge may include information about products and services or information about how the company works with a particular supplier. No matter what type of knowledge an e-business has, the company must put into place processes for organizing that knowledge. Knowledge management includes managing intellectual capital, such as best practices, critical business processes, and operating metrics. Establishing ongoing processes for acquiring, organizing, and distributing this knowledge about customers, products, and processes is critical to success. The business domains, CRM, SCM, and core business operations, are dependent on this information and these intellectual assets.

Effective E-Business Processes

In every successful e-business, the business process domains (CRM, SCM, and core business operations) are an integral part of the continuous optimization process. The advantage and, thus, the return on investment for an e-business integrating its business process domains is that it extends the organization’s business directly to customers and suppliers. When business process domains are integrated, they can increase productivity and improve customer and supplier satisfaction. For example, when a repeat customer views a successful e-business’s Web site, an integrated CRM system presents that individual with offers or items of interest based on previous orders. After the customer places an order, this same e-business allows that individual to view the status of his order in real time as it moves through the supply chain. Business process domains are aggregations of core business processes. The domains themselves (CRM, SCM, and core business operations) are growing in popularity as entities in their own right and are commanding mind-share in the marketplace (each has attracted various vendors and products to support it). These domains must operate together as a key component of the overall e-business strategy (see Figure 3.2)[1].

In a successful e-business, convergence is the driving connection of all of the business process domains. When there appears to a customer or a supplier to be no barrier between departments, the business process domains are tightly integrated with the business and IT strategies.

Customer Relationship Management

Customer relationships are becoming a more important factor in differentiating one business from another. In order to stay competitive, e-businesses in every industry have begun to analyze these relationships with customers using CRM solutions. In the past, customers would place an order via the telephone and wait until the company’s purchasing department processed and shipped the order. Today’s customers place an order electronically and then demand to be able to check the status of their order within minutes. CRM enables an organization to adopt a comprehensive view of the customer and maximize this relationship. These CRM systems enable a business to identify, attract, retain, and support customers through channels such as call centers, direct mail, and retail facilities. In an efficient e-business, there are CRM processes in place to handle:

• Analytical CRM: The analysis of data created on the operational side of the CRM equation for the purpose of business performance management, utilizing data warehousing technologies and leveraging data marts
• Customer interactions: Sales, marketing, and customer service (call center, field service) via multiple, interconnected delivery channels and integration between front office and back office
• Operational CRM: The automation of horizontally integrated business processes involving “front office” customer touch points
• Personalization: The use of new and traditional groupware/Web technologies to facilitate customer and business partner communications[1]

Supply Chain Management

Integration of the SCM functions is emerging as one of the greatest challenges facing today’s e-businesses. SCM is the integration of business processes from end user through to original supplier. The goal of SCM is to create an end-to-end system that automates all the business processes between suppliers, distribution partners, and trading partners. The new mantra for this process, according to industry analysts, is “replacing inventory with information.” In an effective e-business, the following independent SCM processes must be highly integrated (see Figure 3.3)[1]:

• Demand management: Shared functions, including demand planning, supply planning, manufacturing planning, and sales and operations planning.
• Inbound/outbound logistics: Transportation management, distribution management, and warehouse management.
• Supply management: Products and services for customer order fulfillment[1].

Core Operations

E-businesses also need to develop and operate complex transaction processing systems that support their core business operations (see Figures 3.4 and 3.5)[1]. These core operations include the operational systems that support their particular business, such as claims processing, trade execution, enterprise resource planning (ERP), and enterprise resource management (ERM).

Whether a company is just beginning to transform its business into an e-business or is an e-business strengthening its market position, organizations must put in place architectures that support large and complex integrated solutions. E-businesses must address the performance requirements for reliability, scalability, and high availability. These systems also require a high level of flexibility, integration, and often the added complexity of operating in a global business environment. To operate efficiently, these e-businesses need to integrate their customer relationship management, supply chain, and core business operational systems, such as enterprise resource planning, accounting, and general business support systems. Now, let’s look very briefly at types of e-business markets. In other words, let’s look at how Web developers respond to your clients’ needs in an e-business-driven marketplace.

[1] Agarwal, Bipin, “Defining the E-Business Model,” Tanning Technology Corporation, 4600 South Syracuse Street, Denver, CO 80237, March 22, 2000.

E-Business Markets

Web sites and intranets are designed for the same reason—to provide information. In the business world, this information needs to be updated and changed constantly in order to stay abreast of a changing business climate. New product releases, price changes, and marketing promotions are just a few examples of information that companies need to constantly provide to their customers, suppliers, employees, and shareholders. In today’s world of e-commerce and intense corporate competition, companies need the ability to instantly update published information in order to effectively communicate with their intended audience. Today’s companies know that they have to have a dynamic and interesting Web presence, but they are struggling to find ways to effectively manage their Internet strategy. Traditional advertising agencies and Web development firms are no longer meeting the all-encompassing Internet requirements necessary for businesses in today’s e-commerce-driven marketplace. Companies are looking for advertising agencies and Web development firms that address their initial Web development needs while also providing them with viable, affordable solutions that are designed to address, implement, and manage their overall Internet strategy. Historically, companies outsourced the development of their Web sites because creation and maintenance required design and programming expertise. However, relying on third parties for all site maintenance limited a company’s ability to quickly and easily update its published information. To solve this problem, many companies decided to bring Web site and intranet development in-house. Companies then discovered that hiring the necessary skilled personnel brings its own set of inherent problems. Information “bottlenecks” still occur when a company has one or two people in the internal IT department who are bombarded with the responsibility of publishing all company information.
In addition, companies are also finding that Web site designers are hard to find and even harder to keep. The recurring theme in the market is that companies recruit individual Web designers to build and maintain their Web sites and intranets in-house, only to find that after several months of development, the designer may be lured away by the promise of a more exciting and rewarding career. This “catch 22” has left companies looking for additional alternatives. Companies are turning toward their advertising agencies and Web development firms to provide the solution to this problem. Octigon provides the software that addresses this “catch 22” and enables Web developers to meet the increasing demands of the business marketplace. Market trends have caused Web site management to become an arduous task, with sites evolving to meet the needs of e-commerce and e-business.

Summary

To be successful, e-businesses must have a continuous optimization business strategy, solid knowledge management practices, and integrated business process domains. No matter what the business, the e-business model processes are the same. The e-business market affords organizations of all sizes and types the opportunity to leverage their existing assets, employees, technology infrastructure, and information to gain or maintain market share. However, the challenge for the organization is to turn the vision and the market opportunity into a sustainable e-business. Finally, the need for an integrated value chain challenges the e-business to optimize its intellectual assets and its investments in core business systems in order to deliver its products and services to an unpredictable market. It is this unpredictable nature that challenges the IT organization to deliver a highly scalable and available infrastructure. Additional challenges include the unique nature of an e-business and the tight linking of the business operations to a technical infrastructure. A disciplined and architected approach based on an e-business model provides the framework needed to build the complex business processes and technical infrastructures that the market is increasingly demanding.

Chapter 4: Types of E-Commerce Providers and Vendors

“When nations grow old, the arts grow cold and commerce settles on every tree.” —William Blake (1757–1827)

Overview

The Internet, hyped as a sales channel that is both efficient and virtual, has proven to be a disappointment for many retailers and manufacturers. First generation e-commerce adopters now find themselves mired in technology bearing little in common with their core businesses, because they invested in an infrastructure often costing hundreds of millions of dollars. Today, industry analysts estimate that one-time e-commerce setup costs, including technology and labor, range from $22 million to $42 million, depending on transaction volume (5,000 to 25,000 transactions/day), for companies building from scratch. Very few companies make money, and even fewer return an attractive ROI at those levels. For many companies demanding online profitability and reliability, the traditional buy/build approach is no longer the best option. Without ever buying a piece of software or hardware, new business architectures enabled by e-commerce Internet service providers (ECISPs) allow companies to establish fully customized online sales channels. Under guarantees of world-class service delivery, the ownership, integration, and ongoing management of this infrastructure can be outsourced. By freeing retailers and manufacturers to focus on their brand, merchandise, and customers (not the technology), ECISPs radically improve the attractiveness of e-commerce. This chapter examines types of ECISPs and vendors. It addresses three topics: how the next generation ECISP architecture delivers complete, one-stop online sales channels, which major advantages companies gain by outsourcing their e-commerce infrastructure, and why many early adopters have struggled with the first generation buy/build approach.
You will also learn how an ECISP architecture enables manufacturers and retailers to achieve profitability at $50 million to $290 million in online sales, avoid managing numerous integration and third-party service relationships, ensure reliability and scalability in your Web site and order processing, focus your organization on real profit drivers—not technology, and upgrade functionality continuously and seamlessly over time.

Traditional Buy/Build Approach

Over 93 percent of first generation e-commerce adopters utilized a “buy/build architecture” in establishing their technology platform. This architecture generally begins with a commerce software package from leading vendors such as BroadVision, Blue Martini, ATG, and Microsoft (see Table 4.1)[1]. Bolted upon this are dozens of individual applications to manage the online channel: planning, merchandising, marketing, fulfillment, customer service, and so on. Hardware connects this infrastructure to the Internet, including database, Web, and application servers; routers and firewalls; load balancers; and the secure facility that hosts it all. To customize and integrate the platform, most companies rely on a systems integrator for 3 to 12 months of hard work that is rarely completed on time or within budget.

Table 4.1: Sample of e-commerce software vendors

Vendor: Ariba
Description: Ariba provides an open commerce platform to build B2B marketplaces, manage corporate purchasing, and electronically enable suppliers and commerce service providers on the Internet.
Sample Customers: CheMatch, Chevron, Covalex, Dow, Merck

Vendor: Commerce One
Description: Commerce One enables buyers and sellers to trade and creates new business opportunities for all trading partners. Commerce One offers solutions for companies who want to establish a portal on the Global Trading Web, those who want to host portals for others, and those looking for a comprehensive e-procurement solution and robust return on investment. The company’s products include the Commerce One BuySite e-procurement application and the Commerce One MarketSite Solution, the technology that allows Internet market makers to build open marketplaces and link them to the Global Trading Web.
Sample Customers: Duke Energy, Eastman, Praxair, Shell, Schlumberger

Vendor: CrossWorlds Software
Description: CrossWorlds Software is a leading provider of e-business infrastructure software to enable the integration and automation of business processes within enterprises and among trading partners using the Internet (acquired by IBM).
Sample Customers: Dow Chemical, DuPont, Royal Philips

Vendor: e-Credit
Description: eCredit.com, Inc. is a leader in the market for real-time credit, financing, and related services for e-business through the eCredit.com Global Financing Network™. With the Global Financing Network, the company intelligently connects businesses to financing partners and global information sources so credit and financing decisions can be processed in real time at the point of sale.
Sample Customers: Beckman, BP Amoco, Cargill, Chevron, Commerx, Inc. (PlasticsNet.Com), Conoco, Procter & Gamble, Texaco

Vendor: HAHT Commerce
Description: HAHT Commerce, Inc. is the leading global provider of business-to-business sell-side e-commerce solutions. HAHT Commerce eScenarios™ are the first suite of packaged Internet applications that integrate and automate marketing, selling, fulfillment, and service functions across the entire business customer life cycle, allowing companies to increase revenue, improve service levels, and lower costs to their distribution channels and customers.
Sample Customers: Celanese, Dow Corning, OxyChem, Montell Polyolefins, Sigma-Aldrich

Vendor: i2 Technologies
Description: i2 Technologies is the leading provider of supply chain optimization solutions. The RHYTHM family of software provides comprehensive decision support across both interenterprise and intraenterprise supply chains: from suppliers’ suppliers to customers’ customers.
Sample Customers: OxyChem

Vendor: IBM
Description: IBM e-business technology and solutions help chemical and petroleum companies compete for market leadership in the following key areas: building efficient and flexible supply value chains, delivering more than price and quality in customer relationships, providing e-market solutions that transform your business architecture, and building business value through ERP extensions.
Sample Customers: BOC, Degussa-Hüls, Eastman Chemical, e-Chemicals

Vendor: Moai
Description: Moai is a leading provider of negotiated e-commerce solutions for online auctions, online procurement, and e-marketplaces. Although Moai’s primary focus is on customers in the business-to-business market, the company also has customers in the business-to-consumer and consumer-to-consumer markets.
Sample Customers: Eastman

Vendor: mySAP.com
Description: The mySAP.com marketplace is an open electronic hub that creates seamless intercompany relationships for buying, selling, and collaborating within and across industries. It provides the infrastructure, security, and applications to transform previously disconnected business transactions into a single collaborative process.
Sample Customers: Various

Vendor: Oracle
Description: Oracle Corp. is the world’s leading supplier of software for information management. The company offers database, tools, and application products, along with related consulting, education, and support services, in more than 145 countries around the world. Oracle provides an Internet-ready platform for building and deploying Web-based applications, a comprehensive suite of Internet-enabled business applications, and professional services for help in formulating e-business strategy, as well as in designing, customizing, and implementing e-business solutions.
Sample Customers: Hoechst Marion Roussel, ICI Chloro Chemicals, IMC Global Inc, Reichhold Chemicals

Vendor: Sapient
Description: Sapient provides Internet strategy consulting, sophisticated end-to-end solutions, and launch support to Global 1000 and start-up companies. As Architects for the New Economy®, Sapient helps clients define their Internet strategies and design, architect, develop, and implement solutions to execute those strategies.
Sample Customers: Amoco, ChemConnect, Praxair

Vendor: webMethods
Description: webMethods is the leading provider of open solutions for business-to-business (B2B) integration. The webMethods B2B™ solution provides companies with integrated, direct links to buyers and suppliers, connecting them to major B2B marketplaces and enabling real-time, interactive communication through the Internet, regardless of existing technology infrastructure. Powered by XML, webMethods B2B can automate critical business processes, such as customer relations, procurement and financial services, supply chain management, logistics, and sell-side/buy-side e-commerce.
Sample Customers: Ashland Chemicals, ChemConnect, Eastman Chemical, FMC Corp., The Geon Company, Optimum Logistics, OxyChem, Ventro Corp.

With this approach, each retailer and manufacturer reluctantly enters the technology management business and replicates an infrastructure that exists at every other company. Bits and pieces might be outsourced to gain scale and expertise, but the core technology platform gets re-created countless times. Drawing a real estate analogy, this would be similar to all mall-based retailers building, owning, and operating the facilities in which their stores reside, rather than renting floor space from specialized mall developers. In an industry that has never invested heavily in IT (under 5% of revenues on average), this technology ownership approach has proven challenging, especially for midsized retailers and manufacturers.

Real Profit Drivers Distraction

The key elements of retail differentiation have long been branding, merchandising, and customer service. By building e-commerce in-house, organizational focus shifts to technology management, systems integration, and drop ship order fulfillment. Most offline companies have limited experience in these areas and struggle to recruit talent in competitive IT positions. With an average e-commerce staff of 767, multichannel retailers have seen their organizations balloon beyond expectation to support ongoing problems in technology and operations.

Scalability and Reliability Struggle

Front-page headlines in 2002 showcased site failures at such leading online retailers as Toys R Us, eBay, Yahoo!, Amazon, and Wal-Mart. Smaller companies wage less-publicized, daily struggles to meet consumer expectations for site uptime, response time, and product shipment. Confirming how difficult most businesses have found owning and operating a reliable e-commerce infrastructure, industry analysts have found that a whopping 85% of companies planned to change their commerce software package within seven months of being surveyed. Even with replacement, the reliability problem persists because 93% of sites are technically understaffed. In other words, because of escalating salary demands, equity inflexibility, and less desirable work environments, offline companies face daunting odds in recruiting against start-ups and professional services firms. The end result: over 37% of orders are failing to get to consumers on time.

Third-Party Service Relationships and Integration Management

Industry analysts have found that 68% of companies have to rely on nine or more partners to develop and run their Web commerce sites. Systems integration often constitutes the most important outsourced function because (in a buy/build architecture) literally dozens of complex linkages must be created across applications, commerce packages, databases, legacy systems, and third-party services. Unfortunately, most companies receive less than desired results from their integration partner. For example, in a comprehensive evaluation of the leading e-commerce integrators, industry analysts have found that even top performers among a sample of 65 integrators earned unimpressive scores, and those on the low end showed surprisingly few strengths. Additionally, not one vendor demonstrated excellence across all service offerings. Integrators face intense pressure to deliver committed projects, but little pressure to improve quality. That’s because demand for integration services will exceed supply, thus driving the major 3,900 global Web sites to hire whatever service providers they can get. Vendor clients are confused, too. Stunned by skyrocketing price tags and uneven quality, clients cut corners, switch vendors, or bring work in-house. Unfortunately, few integrator customers have enough depth of experience to know what to cut, whom they should turn to, or how to build complex e-commerce sites themselves.

[1] “e-business vendors,” © Copyright 2003 eChemPeople, eChemPeople, 131 Shady Lane, Bolingbrook, Illinois 60440

Online Sales Channels: Internet Selling Environment

The Internet selling environment includes a hosted online store featuring customer management, advanced selling, shopping cart, and order processing functionality.

Although the ECISP builds and hosts the store, clients retain complete control over design elements and merchandising. Consumers see only the client’s brand, content, and merchandise. The ECISP handles everything technical, including site uptime, response time, and the management of customer shopping sessions. The ECISP also handles tax calculation, payment processing, data encryption, order routing, and customer e-mail notification.

The Integration of Business Services and Applications

Integrated business applications and services include a full suite of tools and services to manage the online channel, including merchandise planning, storefront management, marketing, fulfillment, and customer service. These applications allow clients considerable flexibility. Companies can choose to fulfill orders in one or a combination of ways: in-house warehousing and fulfillment, third-party logistics services using a preintegrated provider, and/or drop shipping using preintegrated vendors. Similarly, clients can perform customer service in-house, or they can outsource this service to a preintegrated call center. In either case, account management and advanced CRM applications support the service representatives. Marketing applications and services include e-mail campaigns and affiliate programs. Storefront management applications include catalog management, pricing and promotions, and content management. And finally, merchandise planning includes optional applications for seasonal planning, demand forecasting, replenishment, and purchase order management.

Business Intelligence Service

Business intelligence service (BIS) includes real-time reports, advanced ad hoc reporting, and financial data feeds to analyze client business performance. In an ECISP environment, clients retain ownership of their data and flexibility as to its usage. Clients receive a combination of direct data feeds (in a format of their choosing) and access to standard reports delivered through an online portal. With an online analytical processing (OLAP) package, reporting capabilities become extremely powerful and flexible in terms of ad hoc design using multiple data sources.

Advisory Service

Advisory services include e-commerce expertise and assistance in merchandising, demand forecasting, marketing, customer service, and logistics. Given their advantaged position in serving dozens of companies simultaneously, ECISPs can leverage a single team of business experts across many clients. Clients benefit from performance benchmarking and best practices gleaned from the entire network. For example, clients can benchmark their performance in customer acquisition, shopping conversion, fulfillment time and accuracy, and staffing levels, all while their ECISP partner recommends changes to move closer to best practice. Rather than reinventing the e-commerce wheel, businesses implement well the first time and receive ongoing help from a partner financially committed to their success.

Infrastructure of Hosted Technology

Hosted technology infrastructure includes world-class e-commerce infrastructure with guaranteed reliability. ECISPs specialize in designing technology platforms built to scale with the highest degree of operational excellence. ECISPs achieve economies of scale by managing a single, multitenant architecture. Rather than operating a separate technology cluster for each client (thereby losing all of the advantages of scale), ECISPs focus on a single platform built with best-of-breed components throughout. Some even issue industry-leading service level agreements covering site uptime, response time, and customer service responsiveness. Clients sleep at night knowing that their sites run on the best hardware and software, all backed by failover redundancy, technology operations experts, and quality of service guarantees. And, they never have to own, build, or manage any technology themselves.

The Advantages of Outsourcing an Infrastructure to an ECISP

Thanks to the new ECISP architecture, many companies can for the first time sustainably conduct e-commerce while selling less than $594 million annually online. With dramatically lower up-front costs, predictable ongoing fees, and guaranteed operational reliability, the ECISP architecture equips offline companies with the confidence that their online business will succeed.

Better Return on Investment

The ECISP architecture enables profitable e-commerce at one tenth the revenues of those required by traditional buy/build approaches. Based on industry averages for transaction values and operating costs, branded apparel manufacturers and multicategory retailers could achieve profitability at between $22 million and $24 million in online sales, if operating on an Escalate e-commerce platform. Even multicategory pure-plays could hit profitability at $32 million in sales. These compare to the $84 million to $2.3 billion breakeven estimates for the traditional architecture discussed earlier. Best of all, companies earn a far higher return on investment when using an ECISP due to the low setup costs.

Focus and Decision-Making Improvement

With the ability to focus on profit drivers, the ECISP architecture enables companies to outsource less important “context” technology functions (customization, integration, maintenance) while owning “core” business functions (branding, merchandising, service). Companies typically require at most one IT employee to interface with their ECISP provider. In fact, most companies require just 8 to 12 employees to run their entire online business, as compared to staffing averages for those who build/own (76 for store-based retailers and 90 for pure-plays). With an ECISP, employees focus on core business functions, including marketing, merchandising, and content management—not the technology.

Third-Party Service Relationships and Management of Integration Reduction

When using an ECISP, companies may require as few as one additional e-commerce relationship, that with a Web design firm. The ECISP translates the design work into a functioning Web storefront, thereby simplifying even that relationship. Some companies will also choose to hire a third-party consulting firm to perform implementation on the ECISP architecture. Having preintegrated all other third-party applications and services, the ECISP ensures ongoing quality of performance, freeing the client to focus on running the business. For example, should a client desire to outsource customer service, the ECISP recommends one or more providers based on the client’s specific requirements, from the service providers that have already been integrated. The ECISP handles ongoing service provider integration, data transmission, billing, and quality monitoring. The client focuses on the real business drivers: service policies and representative training.

Solution Dynamics

Finally, the dynamic solution here is the continuous upgrading and addition of new functionality. By managing a single, multitenant architecture, ECISPs can continuously enhance applications, features, and functionality for all clients simultaneously. An analogy can be drawn to telephone companies (telcos). When a telco adds a new feature like call waiting, the telco can immediately make it available to any customer on their network. Similarly, as the ECISP adds a new feature like digital gift certificates, every client can receive it on their site. And, because ECISPs must continuously innovate on behalf of their broad network of clients, each individual company can expect frequent platform improvements that keep them ahead of their competition.

Summary

Selling online has become an imperative for retailers and an increasing number of manufacturers. Recognizing that a 24 percent loss in customers can completely eliminate the profitability of their offline stores, retailers have raced to drive e-commerce growth to $77 billion in 2004 (6.8% of U.S. retail). By mid-2005, over 95 percent of the largest U.S. retailers (over $60 billion in annual sales) will be e-commerce enabled. And, for midsized retailers ($900 million to $60 billion in sales), over 85 percent will be selling online. Yet these adopters face a fundamental challenge: using the first generation buy/build architecture, many cannot make money at e-commerce, but none can afford to avoid trying. For most of them, owning and operating an e-commerce infrastructure does not make economic or operational sense. Finally, next generation ECISPs make that ownership unnecessary. They leverage the Internet itself to deliver a complete online channel solution with guaranteed levels of performance quality. Companies contract for a fully branded online store, all of the applications and services required to manage it, and a partner committed to their ongoing performance improvement. Implementations of 4 to 13 months get accelerated to 4 to 14 weeks, and up-front costs are cut by 64 to 89 percent. From a profitability and reliability standpoint, businesses can now justify e-commerce to their shareholders and customers. By enabling companies to focus on their core business, ECISPs unlock the full potential of online sales channels. ECISPs provide the sustainable e-commerce solution that manufacturers and retailers have been seeking.

Part II: Designing and Building E-Commerce Web Sites: Hands-On

Chapter List
Chapter 5: E-Commerce Web Site Creation
Chapter 6: Managing E-Commerce Web Site Development
Chapter 7: Building Shopping Cart Applications
Chapter 8: Mobile Electronic Commerce
Chapter 9: Enhancing a Web Server with E-Commerce Application Development

Chapter 5: E-Commerce Web Site Creation

“If God created us in His image we have certainly returned the compliment.” —Voltaire (1694–1778)

Your business may be small—but the Internet lets you think big. Whatever product or service your business offers, the Internet levels the playing field and lets you compete with bigger businesses, reaching customers around the world who can conveniently buy from you 24 hours a day.

The Elements of E-Commerce

In the competitive world of the Web, however, growing your business and increasing your profits online requires some careful planning. For every successful e-commerce business, there are dozens that fail by not addressing basic risks and pitfalls along the way. So, to take full advantage of the e-commerce opportunity, make sure you base your Web business on a solid foundation that covers every element of e-commerce:

• Establish your identity: The right domain name, or URL, can make the difference between a memorable e-commerce identity and getting lost in the online crowd.
• Find the right online home: For brick-and-mortar stores, location is everything. Your e-commerce business needs the right home, too. Purchase and set up your own Web server, or find a home for your site with the right Internet Service Provider (ISP) or Web host.
• Build an attractive storefront: With the right tools, creating a Web site is easier than ever—but following some basic guidelines will help make your site easy and fun for customers to navigate. And that means more sales for you.
• Let customers know they can trust you: In the anonymous world of the Internet, customers will communicate private information[4], such as credit card numbers or phone numbers[3], to your e-commerce site only if they’re sure your site is legitimate and the information they send you is protected. Make sure your site is secure—and that your customers know it.
• Make it easy for customers to pay you: You can set up your site so customers can pay by simply keying in a credit card number. But then how will you process that transaction? Make sure you not only offer customers a variety of convenient payment methods, but that you can process them all.

• Let the world know about your site: A memorable domain name, a great-looking design, and top-notch products and services can make your site successful only if customers know about it. Don’t neglect promoting your site to drive traffic to it[1].

Clearly, building the elements of e-commerce into your Web business is a big job, but it’s too important to ignore if you want your e-business to grow and thrive. Just take the following steps to ensure that your e-commerce business gives you the competitive edge.

1. Establish your online identity with the right Web address.
2. Build a user-friendly site.
3. Set up your Web server—or select an ISP to host your site.
4. Secure your site.
5. Accept and manage all kinds of payments.
6. Test, test, test.
7. Promote your site.
8. Now, start selling.

Step 1: Establishing Your Online Identity with the Right Web Address

The first step toward e-commerce is selecting the name of your site. Your Web address (also called a URL—Uniform Resource Locator—or “domain name”) tells customers who you are and how to find you on the Internet. It is the core of your Internet identity—your online brand. And, because no two parties can have the same Web address, your online identity is totally unique.

What’s in a Name?

Quite a lot, actually. Remember that not only does your domain name tell customers exactly how to find your business on the Web, but it also communicates and reinforces the name of your business to every Web site visitor. It can also be used as part of your e-mail address to establish your online identity. Keep these tips in mind before you choose a name:

Make it memorable: “Amazon.com” is much catchier than “buyyourbooksonline.com.”
Describe your business: Another approach is to simply and logically describe your business. “Flowers.com” works perfectly for a florist. In addition, if you are setting up an online presence for an established business, keep the name of your site the same as the name of your business.
Keep it short: The best domain names are those that customers can remember and type into their browsers after seeing or hearing them only once, so complicated strings of words like “onlinecdstore.com” don’t work as well as a simple phrase: “cdnow.com”[1].

How to Get and Manage Domain Names

After you’ve decided on your Web identity, the next step is to determine if it is available and then register it with a domain name “registrar.” Registering is easy and inexpensive, so do it as soon as you’ve decided on your domain name to make sure you get the name you want. Many businesses register a number of variations, just in case they want to use them later—or to avoid the risk of competitors obtaining similar names. A Scandinavian financial service company, for example, recently spent more than $5 million to register 7,424 domain names. You also may want to register common misspellings so that all customers who incorrectly type your address still find their way to your site instead of receiving an error message. E-commerce businesses most often register a name with “.com” as the domain name suffix (the letters after the dot; also called a top-level domain, or TLD), but often also register their names with “.net” and “.org” (for “organization”). Other suffixes include “.tv” and “.edu” for schools and universities. The Internet Corporation for Assigned Names and Numbers (ICANN) recently announced seven new TLDs—.biz, .info, .name, .pro, .museum, .aero, and .coop.

Tip: Network Solutions is one of the leading domain name registrars. To search for an available name and register it with Network Solutions, go to http://www.networksolutions.com/catalog/domainname, enter the Web address you’ve chosen in the designated box, and click “Go!” In seconds, you’ll know if the name is available. Registering a name costs as little as $30 per year; furthermore, registering with a domain name registrar also automatically lists your site with leading search engines, and is a great way to promote your site (see step 7 later in this chapter).

How to Buy an Existing Domain Name

What happens if the domain name you want is already registered? You can either choose another name or buy your first choice from whoever got it first. The fact that the name you want has already been registered doesn’t necessarily mean it is not available for sale. You can easily find out whether a domain name that has already been registered is for sale by checking out the domain name marketplace site at http://www.greatdomains.com.

How to Register Domain Names Worldwide

The Internet is global—shouldn’t your business be, too? Registration of multiple domain names for use around the world protects your intellectual property, brand name, and trademarks against infringement by global cybersquatters. If you plan to do business in other countries, you can register country-specific Web addresses (in country-specific TLDs, such as .ita for Italy and .uk for the United Kingdom) with Network Solutions’ idNames search and registration service. But as your business grows, you may find that registering and managing multiple domain names is a complex, time-consuming process. IdNames can also consolidate worldwide domain name management into a single centralized account if you have 50 or more domains. After you’ve established your Web identity by selecting and registering your domain names, it’s time to build your site.

Tip: Go to http://www.networksolutions.com/catalog/idnames for more information.

Step 2: Building a User-Friendly Site

With a domain name in place, you’re ready to start building your e-commerce storefront. But, before you begin, take some time to plan.

Planning Your Site Carefully

You must first identify clear marketing goals for your site, such as generating leads, building a database of potential customers’ names and e-mail addresses, or putting a product catalog online to save the time and expense of printing and mailing. Now, you need to quantify your objectives (such as increasing sales by 15 percent), so you know whether or not your site is successful. Next, you need to figure out what your potential customers need to know before buying your products and services. This might include:

• An overview of your company, its products and services, and their applications
• Complete product or service descriptions, including features, key benefits, pricing, product specifications, and other information, for each product or service
• Testimonials, case studies, or success stories so customers can see how similar individuals or organizations have worked with you
• A frequently asked questions (FAQ) section that anticipates and answers customers’ common issues[1]

You also need to plan the structure of your site, focusing on making it easy for customers to learn what they need to know, make a purchase decision, and then buy quickly. In addition, you need to create a site map that outlines every page on your site from the home page down and how customers get from one page to the next. Furthermore, you also need to use tools that quantitatively measure site activity (where customers are clicking, how often, and whether they end up purchasing), and then compare the results with your goals.

Choosing the Right Web Site Building Tools

With a solid plan in hand, you’re now ready to start constructing your e-commerce site. Many e-commerce businesses turn to professional design studios to create their Web sites. But, if your budget is limited, many Web site building tools make it fast and easy for you to create a polished, professional-looking site—with no in-depth HTML knowledge necessary. For example, Image Café from Network Solutions is one of the easiest. It’s an online Web site building tool that lets you choose from a variety of professional-quality templates and then customize them with your own identity and information. You can preview your site online while you are building it, and when your site is finished, you can instantly send it to an Image Café hosting partner to publish it on the Web (see step 3 later in this chapter to learn more about site hosting). The entire process can put you on the Internet in less than 24 hours at convenient and affordable monthly prices.

E-Commerce Site Design Tips

Now, let’s look at the following basic guidelines. They will help make your site not only attractive, but also easy for customers to use—and that means easy for customers to buy from you:

1. Carefully examine your own favorite e-commerce sites.
2. Your home page is your site’s (and your business’s) online front door.
3. Make it easy for customers to explore your site.
4. Keep things simple.
5. Keep download times short[1].

Examining Your Favorite E-Commerce Sites

You need to carefully examine your own favorite e-commerce sites. By creatively adapting the most compelling marketing and design techniques, you will enhance your site’s effectiveness.

Your Home Page Is Your Site’s Online Front Door

It’s essential that your home page makes a good first impression on visitors. You need to make sure it clearly presents the following basic elements that customers are always likely to look for:

• Your company name, logo, and slogan should be prominently displayed. Take full advantage of the opportunity to showcase your brand identity.
• A link to an “About the Company” page should be available for customers to quickly learn who you are and what your business offers.
• A site menu listing the basic subsections of your site should be in the same place on every page throughout your site to make it easy to navigate.
• A “What’s New” section for news, announcements, and product promotions should be frequently updated to encourage customers to return often.
• Your contact information (phone number, e-mail address, mailing address, and fax number) should be easy for visitors to find.
• Your privacy statement, clearly describing your business’s policy for protecting customers’ personal information, should be easily found[1].

Making It Easy for Customers to Explore Your Site

As you build your site, try to minimize the number of clicks it takes the customer to go from your home page to actually being able to click “Buy” and check out. Four to six is a useful rule of thumb. You need to make sure links make sense, so customers know what to click to find what they’re looking for. Don’t make your navigation buttons or links too dominant an element in your site design: instead, focus on product information.

Keeping Things Simple

You should not fill up your site with graphics, animations, and other visual bells and whistles. Instead, you need to stick to the same basic color palette and fonts your company uses in other communications, such as your logo, brochures, and signage. It’s important to ensure that images and graphics serve to enhance, not distract from, your marketing goals. Make sure your text is easy to read—black letters on a white background may not be terribly original, but they are easier on the eyes than orange type on a purple background.

Keeping Download Times Short

You should also test pages to make sure they’re not too overloaded with graphics that slow load times, and you should minimize the size of your images when possible. According to the Boston Consulting Group, nearly half of online shoppers surveyed said they left sites when pages took too long to download. For example, Zona Research estimates that most Web pages take anywhere from 4 to 12 seconds to load, depending on the user’s modem and Internet connection (remember: many e-commerce customers shop from home using slower connections). Most users click away to another site or log off if a page takes more than eight seconds to load, costing e-commerce businesses billions in lost potential revenue. You’ve now completed step 2. You’re now ready to put your site on the Internet.

Step 3: Setting Up Your Web Server—Or Selecting an ISP to Host Your Site

Your Web site is a series of files that reside on a special computer, called a Web server, connected to the Internet. For customers to visit your site, they must actually connect to that Web server via the Internet and view the files. Web servers and the Internet connections that link them to visitors must be fast and powerful enough to quickly respond to all the visitors’ requests to view your site. Many businesses prefer the complete control of purchasing, setting up, and managing their own Web server hardware and software. Other small- and medium-sized e-commerce businesses prefer to turn to an ISP or Web hosting company, instead of investing in the hardware, software, and infrastructure necessary to get online. For a monthly fee, ISPs and Web hosting companies will connect your site to the Internet at high speed via one of their Web servers, allowing the site to be viewed by anyone with an Internet connection and a Web browser. The host provides your site with space on a server, and also offers Web server software, access to its high-speed Internet connection, tools for managing and maintaining your site, customer support, e-commerce features, and more. There are hundreds of ISP and Web hosting options to choose from, so look for one that can meet all your needs. You should look for the following in a Web hosting company:

• Shared hosting vs. dedicated server
• Hard-disk storage space[2]
• Availability
• E-mail accounts
• SSL encryption
• Support[1]

Shared Hosting vs. Dedicated Server

Shared hosting is an arrangement in which your site is housed on the same host server with several other Web sites. This is an economical solution for smaller sites. Paying the host for your own dedicated server, a solution used by larger and busier sites, provides faster access and ensures that your site will be accessible to visitors 100 percent of the time (instead of sharing Web server speed and power with other sites). Does your ISP or Web hosting provider offer both options?

Hard-Disk Storage Space

Smaller sites may need only 300–500 MB (megabytes) of Web site storage space, whereas busier e-commerce sites may need at least 9 GB (gigabytes) of space—or their own dedicated Web server. As your site grows, your ISP should be able to accommodate you with a range of options.

Availability

If you run an e-commerce business, your site must be accessible to customers 24 hours a day. ISPs and Web hosts maximize the availability of the sites they host using techniques such as load balancing and clustering. Can your ISP promise near-100-percent availability?

E-mail Accounts

E-mail accounts that match your domain name are often available from your ISP. Are they included with your monthly access and hosting fee?

SSL Encryption

The security of the credit card numbers, and other personal information that customers send you, should be a top concern. Does your ISP or Web host protect your site with a Secure Sockets Layer (SSL) certificate? See step 4 to learn more about Web site security.

Support

A big part of the value of turning to an ISP or Web host is that you don’t have to worry about keeping the Web server running. Does your host offer 24 x 7 customer service?

Step 4: Securing Your Site

With your Internet identity established and your site built and hosted, it’s now time to turn your online storefront into a thriving e-commerce business. To do it, you must win your customers’ trust. Eighty-six percent of Web users surveyed reported that a lack of security made them uncomfortable sending credit card numbers over the Internet. E-merchants who can win the confidence of these customers will gain their business and their loyalty—and an enormous opportunity for grabbing market share and expanding sales.

The Risks of E-Commerce

In person-to-person transactions, security is based on physical cues. Consumers accept the risks of using credit cards in places such as department stores because they can see and touch the merchandise and make judgments about the store. On the Internet, without those physical cues, it is much more difficult for customers to assess the safety of your business. Also, serious security threats have emerged:

Spoofing: The low cost of Web site creation and the ease of copying existing pages makes it all too easy to create illegitimate sites that appear to be operated by established organizations. Con artists have illegally obtained credit card numbers by setting up professional-looking Web sites that mimic legitimate businesses.
Unauthorized disclosure: When purchasing information is transmitted “in the clear,” without proper security and encryption, hackers can intercept the transmissions to obtain customers’ sensitive information—such as credit card numbers.
Unauthorized action: A competitor or disgruntled customer can alter a Web site so that it malfunctions or refuses service to potential clients.
Eavesdropping: The private content of a transaction, if unprotected, can be intercepted en route over the Internet.
Data alteration: The content of a transaction can be not only intercepted, but also altered en route, either maliciously or accidentally. User names, credit card numbers, and dollar amounts sent without proper security and encryption are all vulnerable to such alteration[1].

To take advantage of the opportunities of e-commerce and avoid the risks, you must find the answers to questions such as:

• How can I be certain that my customers’ credit card information is protected from online eavesdroppers?
• How can I reassure customers who come to my site that they are doing business with me, not with a fake set up to steal their credit card numbers?
• After I’ve found a way to authoritatively identify my business to customers and protect private customer information on the Web, what’s the best way to let customers know about it, so that they can confidently transact business with me[1]?

So, the process of addressing these general security questions boils down to these goals:

Authentication: Your customers must be able to assure themselves that they are in fact doing business with you—not a “spoof” site masquerading as you.
Confidentiality: Sensitive information and transactions on your Web site, such as the transmission of credit card information, must be kept private and secure.
Data integrity: Communication between you and your customers must be protected from alteration by third parties in transmission on the Internet.
Proof of communication: A person must not be able to deny that he sent a secured communication or made an online purchase[1].

The Trust Solution: SSL Certificates for Authentication and Encryption

Digital certificates for your Web site (or “SSL certificates”) are the answer for the preceding security questions. Installed on your Web server, an SSL certificate is a digital credential that enables your customers to verify your site’s authenticity and to securely communicate with it. SSL certificates allow your e-business to provide customers with the world’s highest level of trust. An SSL certificate assures them that your Web site is legitimate, that they are really doing business with you, and that confidential information (such as credit card numbers) transmitted to you online is protected.

How SSL Certificates Work

SSL certificates take advantage of the state-of-the-art Secure Sockets Layer (SSL) protocol that was developed by Netscape®. SSL has become the universal standard for authenticating Web sites to Web browser users, and for encrypting communications between browser users and Web servers. Because SSL is built into all major browsers and Web servers, simply installing a digital certificate, or SSL certificate, enables SSL capabilities.

SSL Server Authentication

SSL server authentication allows users to confirm a Web server’s identity. SSL-enabled client software, such as a Web browser, can automatically check that a server’s certificate and public ID are valid and have been issued by a certificate authority (CA; such as VeriSign) listed in the client software’s list of trusted CAs. SSL server authentication is vital for secure e-commerce transactions in which, for example, users send credit card numbers over the Web and first want to verify the receiving server’s identity.

Encrypted SSL Connection

An encrypted SSL connection requires that all information sent between a client and a server be encrypted by the sending software and decrypted by the receiving software, thus protecting private information from interception over the Internet. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering—that is, for automatically determining whether the data has been altered in transit. This means that users can confidently send private data, such as credit card numbers, to a Web site, trusting that SSL keeps it private and confidential. So, with the preceding in mind, the SSL certificate process works as follows:

1. A customer contacts your site and accesses a page secured by an SSL certificate (indicated by a URL that begins with “https:” instead of just “http:” or by a message from the browser).
2. Your server responds, automatically sending the customer your site’s digital certificate, which authenticates your site.
3. Your customer’s Web browser generates a unique “session key” to encrypt all communications with the site. The user’s browser encrypts the session key itself with your site’s public key so only your site can read the session key.
4. A secure session is now established. It all takes only seconds and requires no action by the customer. Depending on the browser, the customer may see a key icon becoming whole or a padlock closing, indicating that the session is secure[1].

SSL certificates come in two strengths: 40-bit and 128-bit (the numbers refer to the length of the “session key” generated for each encrypted transaction). The longer the key, the more difficult it is to break the encryption code. The 128-bit SSL encryption is the world’s strongest: according to RSA Labs, it would take a trillion years to crack a 128-bit session key using today’s technology.
For example, the primary difference between the two types of VeriSign SSL certificates is the strength of the SSL session that each enables. Microsoft and Netscape, for instance, offered two versions of their Web browsers, export and domestic, that enable different levels of encryption depending on the type of SSL certificate with which the browser is communicating: an export browser is limited to 40-bit sessions unless the server’s certificate authorizes it to step up to 128-bit.

How to Get SSL Certificates Certificate authorities such as VeriSign (the Internet Trust Company), and the many leading ISPs and Web hosting providers that resell their certificates, offer a complete range of products and services to help you secure your Web site.

Commerce Site and Secure Web Site Solutions Providers offer SSL certificates in two encryption strengths: 128-bit SSL (Global Server) IDs and 40-bit SSL (Secure Server) IDs. The 128-bit SSL (Global Server) IDs enable 128-bit SSL encryption with both domestic and export versions of Microsoft and Netscape browsers; they are the standard for large-scale online merchants, banks, brokerages, healthcare organizations, and insurance companies worldwide. The 40-bit SSL (Secure Server) IDs are marketed for lower-volume Web sites, intranets, and extranets. Bear in mind that a 40-bit session offers little real protection, so any site that carries payment data belongs behind a 128-bit ID regardless of its volume.

Commerce site services are complete e-commerce solutions intended for e-merchants and online stores. A commerce site package includes a 40-bit SSL (Secure Server) ID and online payment management services, plus an array of additional value-added services; the e-commerce site package substitutes a 128-bit SSL (Global Server) ID for the 40-bit one. Online payment services enable businesses to accept, manage, and process payments electronically (see Step 5 to learn more about facilitating e-commerce payments on your site).

Secure Web site services are best for Web sites, intranets, and extranets that require a leading SSL certificate and Web site services but no payment processing. The secure Web site package includes a 40-bit SSL (Secure Server) ID plus additional value-added services; the secure site package substitutes a 128-bit SSL (Global Server) ID.

As previously mentioned, many leading ISPs and Web hosting providers include SSL certificates with their e-commerce packages. When choosing an ISP, look for one that offers SSL certificates. If you are obtaining your SSL certificate through your ISP or Web hosting company, your host may ask you to enroll for the certificate yourself, because you are the owner of the domain name to which the SSL certificate will correspond.
Make sure you ask your hosting company for the information you’ll need to complete the enrollment process, including:

A CSR, or “Certificate Signing Request”: This is a base64-encoded (not encrypted) file generated on the Web server that will host your site. It contains the server’s public key together with the name of your company, its location, and the fully qualified host name of your site (the Common Name, which must match exactly what customers will type into their browsers), and it is signed with the matching private key. That private key stays on the server and must never be sent to the CA or to anyone else, which is why the party that operates the Web server, in this case your Web hosting provider, must generate the key pair and the CSR and send you only the CSR for use during Server ID enrollment.

The kind of server software your Web hosting provider uses: As part of the SSL certificate enrollment process, you’ll be asked to select your Server Software Vendor, in addition to your CSR.

A technical contact: Your Web hosting provider should be able to give you the name of its appropriate technical contact for you to complete the enrollment process[1].

One more thing: if you use multiple Web servers for your site, use a separate SSL certificate, and therefore a separate private key, on each one. The vendor’s licensing requires it, and it also means that the compromise of one server does not expose the key the others depend on.
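The following script is an added example written for this section; it is not from the book or from VeriSign’s material, and the host name, organization, and CA names in it are placeholders. It walks through the certificate life cycle that the SSL server authentication and CSR passages above describe, using the openssl command-line tool: the party that operates the Web server generates a key pair and a CSR (the key never leaves the machine, the CSR is all the CA receives), a CA checks the request and signs it, and a client then performs the two checks a browser makes before sending card data: that the certificate chains to a CA it trusts, and that it names the host the client asked for. The self-signed root stands in for a commercial CA such as VeriSign; the subjectAltName entry is this example’s addition, since current browsers match the host name against it rather than the Common Name.

```sh
#!/bin/sh
# Added example (not from the book or VeriSign): the certificate life cycle in
# miniature with the openssl command-line tool. Host name, organisation and CA
# names are placeholders.
#   gen_csr          - done by whoever runs the Web server; the key stays there
#   ca_sign          - done by the CA, which only ever sees the CSR
#   verify_as_client - what a browser does before it trusts the server
set -eu

# gen_csr FQDN OUTPREFIX: writes OUTPREFIX.key (private) and OUTPREFIX.csr (public).
gen_csr() {
  host=$1; prefix=$2
  # Minimal request config. The subjectAltName is added because current
  # browsers match the host name against SAN rather than the Common Name.
  printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\n[dn]\n[ext]\nsubjectAltName = DNS:%s\n' \
    "$host" > "$prefix.cnf"
  openssl genrsa -out "$prefix.key" 2048 2>/dev/null
  chmod 600 "$prefix.key"                      # only the server process may read it
  openssl req -new -config "$prefix.cnf" -key "$prefix.key" -out "$prefix.csr" \
    -subj "/C=US/ST=California/L=Mountain View/O=Example Store Inc/CN=$host"
}

# csr_matches_key CSR KEY: the public key inside the CSR must be the one derived
# from the server's private key, or the certificate the CA issues is unusable.
csr_matches_key() {
  a=$(openssl req -config /dev/null -in "$1" -noout -pubkey | openssl md5)
  b=$(openssl pkey -in "$2" -pubout | openssl md5)
  [ "$a" = "$b" ]
}

# make_ca OUTPREFIX NAME: a self-signed root that stands in for a commercial CA.
make_ca() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$1.cnf"
  openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" -subj "/O=Example Trust Services/CN=$2" 2>/dev/null
}

# ca_sign CSR CAPREFIX OUTCERT: the CA checks the request's self-signature (proof
# that the requester holds the private key), then issues a certificate carrying
# the request's public key and its subjectAltName.
ca_sign() {
  openssl req -config /dev/null -in "$1" -noout -verify >/dev/null 2>&1
  openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 30 \
    -extfile "${1%.csr}.cnf" -extensions ext -out "$3" 2>/dev/null
}

# verify_as_client CERT CAFILE HOST: succeeds only if CERT chains to a CA in
# CAFILE and names HOST, the two checks a browser makes before sending card data.
verify_as_client() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}
```

Run `gen_csr www.example.test ./site` on the server, send `site.csr` (and nothing else) to the CA, install the returned certificate next to `site.key`, and use `verify_as_client` against the CA’s published root to confirm the installed certificate before going live. Presenting the same certificate for a different host name, or checking it against a CA the client does not carry, fails the client check, which is exactly what a customer’s browser would do.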

Code-Signing IDs If your e-commerce site offers downloadable software, content, or code, you can digitally “shrink-wrap” it so customers can be confident that it really came from you and has not been altered, accidentally or deliberately, since you signed it. All you need is a special code-signing digital certificate, or digital ID. The private key behind it deserves the same protection as your Web server’s key, because anyone who holds it can sign software in your name.

E-Mail IDs Installed in your Web browser or e-mail software, an e-mail digital certificate—or digital ID—serves as your online passport, allowing you to digitally sign e-mail messages. Your e-mail digital ID assures recipients that messages really came from you, and also allows you to encrypt messages, using your recipient’s digital ID, so only your recipient can decrypt and read your messages. Installing and using e-mail digital IDs is easy with virtually all Web browsers and e-mail programs.

Your Privacy and Security Statement A vital component of every e-commerce Web site is a comprehensive security and privacy statement that describes exactly how your business secures information and uses it. This is extremely important to your customers. For example, TRUSTe, a nonprofit association supported by businesses such as VeriSign, AT&T, Netscape, Lands’ End, and Wired, runs a privacy seal program with rules for the use of data collected on the Web. By abiding by the association’s rules regarding use of information collected on your site, you can display the TRUSTe logo as yet another symbol of trust.

Step 5: Accepting and Managing All Kinds of Payments With an SSL-secured site, your customers will have the confidence to purchase your goods and services. But enabling customers to pay you online takes more than just collecting their credit card numbers or other payment information. What will you do with customer payment information once it’s sent to you? How can you verify that a customer’s credit card information is valid? How will you go about processing and managing those payments with a complex network of financial institutions? You could simply set up a credit card terminal and process orders manually. But why invest the time and effort to build an e-commerce site without taking advantage of the efficiency of online payment processing? To offer a complete e-commerce experience to customers and to efficiently manage payments for your business, you need to implement an “Internet payment gateway” that provides Internet connectivity between buyers, sellers, and the financial networks that move money between them.

The Internet Payment Processing System Before you implement a payment gateway, you need to understand how the Internet payment processing system works. Participants in a typical online payment transaction include:

Your customer: Typically, a holder of a payment instrument (such as a credit card, debit card, or electronic check) from an issuer.

The issuer: A financial institution, such as a bank, that provides your customer with a payment instrument. The issuer pays the acquirer for approved charges and collects the debt from the cardholder.

The merchant: Your e-commerce site, which sells goods or services to the cardholder via a Web site. A merchant that accepts payment cards must have an Internet merchant account with an acquirer.

The acquirer: A financial institution that establishes an account with you, the merchant, and processes payment authorizations and payments. The acquirer obtains authorization on the merchant’s behalf that a given account is active and that the proposed purchase does not exceed the customer’s credit limit. The acquirer also transfers payments electronically to your account, and is then reimbursed by the issuer via the transfer of electronic funds over a payment network.

The payment gateway: Operated by a third-party provider, the gateway system processes merchant payments by providing an interface between your e-commerce site and the acquirer’s financial processing system.

The processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to your site on behalf of an acquirer via a payment gateway[1].

The basic steps of an online payment transaction using a payment gateway system are as follows:

1. The customer places an order online by selecting items from your Web site and sending you a list. Your site usually replies with an order summary listing the items, their prices, a total, and an order number.
2. The customer sends the order, including payment data, to you. The payment information is protected by the SSL session set up between the customer’s Web browser and your Web server, which the browser authenticated using your server’s SSL certificate.
3. Your e-commerce site requests payment authorization from the payment gateway, which routes the request through the acquirer and payment processor to the issuer. An approved authorization confirms that the issuer accepts the charge and has reserved the funds; it does not move money by itself, and the transaction must later be captured and settled before the cardholder’s account is actually charged.
4. You confirm the order and supply the goods or services to the customer.
5. You then request payment (capture), sending the request to the payment gateway, which handles the payment processing with the processor.
6. The transaction is settled: the issuer transfers the funds over the payment network to your acquirer, which deposits them in your merchant account[1].

So, how do you implement a payment gateway to process payments on your e-commerce site? Building your own dedicated pipeline to connect all the players isn’t a practical option, so for small- and medium-sized businesses, outsourcing to a payment service provider is the best solution.
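Two merchant-side checks that follow from the questions this step opens with (what to do with card data once it arrives, and how to tell whether it is valid), written as an added example for this section rather than code from the book or from any payment provider. The Luhn check catches mistyped card numbers before a pointless authorization request goes to the gateway; the masking filter is a PCI-style scrubber for log lines that keeps at most the first six and last four digits of anything that looks like a card number, so the full number is never retained anywhere except in the request to the gateway. The sample log lines are constructed, and 4111111111111111 is the well-known Visa test number, not a real card.

```sh
#!/bin/sh
# Added example (not from the book or any payment provider): two merchant-side
# checks on card data. Sample inputs are constructed; 4111111111111111 is the
# well-known Visa test number, not a real card.
set -eu

# luhn_ok NUMBER: exit 0 if NUMBER passes the Luhn check, 1 otherwise. Spaces
# and dashes are ignored. This only catches typos; it says nothing about whether
# the account exists or has funds, which is what the authorization request is for.
luhn_ok() {
  printf '%s\n' "$1" | awk '
    { gsub(/[ -]/, "")
      n = length($0); sum = 0
      for (i = n; i >= 1; i--) {
        d = substr($0, i, 1) + 0
        if ((n - i) % 2 == 1) { d *= 2; if (d > 9) d -= 9 }   # every second digit from the right
        sum += d
      }
      exit (sum % 10 != 0)
    }'
}

# mask_pans: filter stdin, replacing any 13-19 digit run that passes Luhn with
# first six + stars + last four (the most PCI DSS lets you keep in the clear).
# Run it over Web server and application logs before they are stored or shipped;
# the full PAN should exist only in the request to the payment gateway.
# Numbers written with separators (4111 1111 ...) need a pre-pass that joins the
# groups; it is left out here to keep the core logic visible.
mask_pans() {
  awk '
    function luhn(s,   n, i, d, sum) {
      n = length(s); sum = 0
      for (i = n; i >= 1; i--) {
        d = substr(s, i, 1) + 0
        if ((n - i) % 2 == 1) { d *= 2; if (d > 9) d -= 9 }
        sum += d
      }
      return sum % 10 == 0
    }
    function mask(s,   n, i, stars) {
      n = length(s); stars = ""
      for (i = 0; i < n - 10; i++) stars = stars "*"
      return substr(s, 1, 6) stars substr(s, n - 3)
    }
    {
      line = $0; out = ""
      while (match(line, /[0-9]+/)) {
        run = substr(line, RSTART, RLENGTH)
        if (RLENGTH >= 13 && RLENGTH <= 19 && luhn(run)) run = mask(run)
        out = out substr(line, 1, RSTART - 1) run
        line = substr(line, RSTART + RLENGTH)
      }
      print out line
    }'
}

# Usage:
#   luhn_ok "4111 1111 1111 1111" && echo "looks like a card number"
#   mask_pans < access.log > access.scrubbed.log
```

The Luhn filter on the scrubber keeps order numbers and other long digit strings readable while still catching card numbers, which is the usual trade-off in log scrubbing; if your order numbers happen to pass Luhn, narrow the length range or prefix-match the card ranges you actually accept.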

Setting Up Your Internet Merchant Account After you’ve selected and set up your payment processing solution, all you need to start accepting online payments is an Internet merchant account with a financial institution that enables you to accept credit cards or purchase cards for payments over the Internet. You can obtain an Internet merchant account from any financial institution that supports one of the following processors:

• First Data Merchant Service (FDMS)
• Paymentech (Salem)
• Vital Processing Services
• Nova Information Systems[1]

This includes most banks. Obtaining a merchant account can take anywhere from two days to three weeks.

Step 6: Test, Test, Test You may be eager to launch your e-commerce storefront, but take time to review and test your site thoroughly before going live. You will only have one chance to make a first impression on each new visiting customer, and broken links, incorrect phone numbers, and grammatical or spelling errors diminish the professional polish you’re striving for. You also need to walk through the entire ordering process to test its usability. Is it clear exactly what customers need to do to purchase? Try buying a product: is the page on which you supply payment information secure, and does the form submit to an https: address as well (a page served securely can still send card data in the clear if its form action is a plain http: URL)? Is the payment processed correctly through your payment gateway? Make sure you use both Macintosh and PCs for testing, and use different browsers and modem speeds. You want to be able to support even low-end systems (slower computers with a 28.8 modem line).

Also, don’t forget about customer support: it’s the key to creating loyal customers. Are you prepared to confirm that a customer’s order has been received? Are you ready to follow up with an e-mail message for good measure? A personalized message from a real customer service representative is best, but sending an automatic reply works as well. Set minimum response times and standards for replying to customer questions and concerns, and ensure that your customer support staff is fully knowledgeable about all your products and services, their features and benefits, pricing, and availability.

Step 7: Promoting Your Site Now, you’ve established a compelling, secure, and easy-to-use Web storefront for your products and services. It’s time to let people know about it. Here are a few tips for driving traffic to your site: Register your site with search engines: Over 90 percent of Internet users search one or more of the top engines to find what they need. Make sure your business is part of the results when customers look for the products and services you offer. Put your domain name everywhere: Brochures, advertisements, business cards, and even hats, jackets, and t-shirts can be effective ways to promote your site and establish your corporate identity. Don’t forget to include your domain name in your press release, too. Advertise: Placing a banner ad on other well-trafficked sites can attract huge numbers of prospective customers—and doesn’t have to cost a fortune[1].

Step 8: Now, Start Selling Finally, your e-commerce business is now ready to succeed in the competitive world of the Web: with an online identity, a Web host, an eye-catching, professional-looking Web storefront, rock-solid security, easy-to-use payment management, and the right promotions. So, if you follow the preceding basic steps, they will help you lay the foundation for a thriving site.

[1] “How to Create an E-Commerce Web Site,” VeriSign, 487 East Middlefield Road, Mountain View, CA 94043, 2003.
[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
[3] Vacca, John R., Identity Theft, Prentice Hall PTR, 2002.
[4] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad Ebusiness Privacy Plan, McGraw-Hill, 2001.

Summary This chapter helped you discover new integrated services that make it easier than ever to secure your Web site and accept online credit card payments. You also learned how to create an e-commerce Web site, as well as:

• How to avoid the risks and challenges involved in e-commerce trust
• The best way to secure and authenticate your site so your customers feel comfortable providing sensitive information
• How to enable your site to process online payments in seconds, including credit and debit cards[1]

Chapter 6: Managing E-Commerce Web Site Development “There is no course of life so weak and sottish as that which is managed by order, method, and discipline.” —Michel Eyquem de Montaigne (1533–1592)

Overview Electronic commerce is quickly shaping up to be the way business will be conducted in the future. This chapter takes a look at how an e-commerce Web site is managed as it is being developed. In other words, this chapter is not necessarily about electronic commerce in general. It is actually an exercise in building and managing a business-to-consumer electronic commerce site. In addition, this chapter does not discuss management concepts or other tools available to implement e-commerce, but focuses exclusively on Web site servers. The names “site server” or “commerce server” are used interchangeably throughout this chapter. It is assumed that there exists a set of requirements that the final site should adhere to and follow with the development of the site itself. Note Please check all information or take professional advice before embarking on an electronic commerce project.

Web Site Server A Web site server is a comprehensive Internet commerce server an organization can use to build an e-commerce architecture (see sidebar, “Building an E-Commerce Architecture”) and monitor/manage business sites on the Web. By providing a comprehensive set of server components, management tools, and sample sites, a Web site server significantly reduces development time and costs for business-to-consumer applications.

Building an E-Commerce Architecture

E-commerce continues to hold tremendous profit potential for many companies. It still offers faster response to customer needs, reduced operating costs, and increased cooperation among customers and trading partners, if it is done right. This means not bringing an e-commerce offering to market before planning a workable architecture. Now, more than ever, companies must thoroughly plan and carefully build their e-commerce architecture before the first customer ever comes on board. That’s because capital, time, and resources are scarcer today; margins for error are slimmer; and shareholders are less in the mood to support initiatives that don’t work out of the gates.

As a corollary, chief information officers (CIOs) frequently have to be the voice of reason in their companies to ensure that a truly robust, reliable system is built. CIOs may be the company’s only executive-level people who understand the architectural firepower needed to build and run a scalable, reliable e-commerce backbone. Only you may be able to explain to your CEO why you need an integration layer or how your architecture plan is the best among competing models in the market. And only you may be able to explain how much time it takes to build the architecture correctly.

Putting the cart before the horse has never been a wise move, but it was briefly accepted as a viable business strategy in e-commerce initiatives. In 2001, a company could tout its e-commerce offering, get customers, and then worry whether it had the scalability, reliability, and security needed to support business. But that’s over. With the first casualties of the e-commerce revolution fresh in mind, potential users of your e-commerce system want to know that you can deliver. CIOs can help their companies by insisting that they take the following steps:

1. Plan: The architecture is the structure of the e-commerce system and will determine what the company can and cannot do, both now and in the future. Therefore, it’s critical for the system’s software engineers to develop an architecture blueprint up front. The blueprint should include the highest-level design of the business solution and processes; the highest-level technical design and lower-level designs; and information on any relevant special structures, interfaces, or algorithms.
2. Plan for the “ilities”: When well planned and well built, the architecture will deliver on all of the key “ilities”, such as scalability, reliability, availability, and serviceability. But in their hurry to get to market, far too many companies short themselves on the necessary components and vendor partners. CIOs can insist on components from best-in-class technology providers and consult development firms that have implemented applications within a broad range of architectural schemas.
3. Plan for integration: The technology infrastructure must allow you to integrate customers’ legacy systems, third-party vendors, and applications to come in the future. Insurance companies, for example, have extensive legacy systems and various business partners that must be accommodated. DriveLogic, the e-commerce arm of CCC Information Services and a leading provider of technology solutions to over 460 of the nation’s top insurers, has implemented an architecture that will be able to communicate with all of these systems. It allows insurers to leverage existing technology and data, a considerable asset, and accommodates insurer business partners and other technology vendors as well.
4. Make good vendor choices: A robust system calls for the best vendor partners. Like a house built with cheap materials, an architecture pieced together with low-rent components and vendors won’t wear well, and may jeopardize your company’s reputation for years to come.

Today, it’s more critical than ever to get the e-commerce strategy right in the preplanning stages, well before you ever bring the offering to market. To be a leader, and avoid the mistakes of the past few years, a company must build it right from the start[1].

By using a set of objects, tools, wizards, and sample sites, one can add Internet commerce capabilities to an existing Web site or can quickly and easily create a new electronic commerce site. A commerce server usually supports business-to-consumer sites as well as business-to-business and corporate purchasing sites.

Business-to-Consumer (B2C) Sites These B2C sites sell products to the consumer through the Web. A commerce server should include support for advertising, promotions, cross-sells, secure payment, order processing, and consumer wallets.

Business-to-Business (B2B) Sites A B2B site is the other hot application for e-commerce, as a replacement for EDI. A commerce server provides features for building business-to-business sites, such as support for purchase orders, order approval routing, and the secure exchange of business information between trading partners.

[1] Beattie, Jim, “When Building E-Commerce Architecture: Don’t Put the Cart Before the Horse,” Cognizant Technology Solutions, 500 Glenpointe Centre West, Teaneck, New Jersey 07666, 2003.

Developing a Commerce Site Developing a commerce site is similar to developing an application, and a structured approach is recommended. This part of the chapter discusses a development methodology for the commerce site. An approach with the following stages is recommended here:

• Scope
• Prototype
• Design
• Implementation
• Testing
• Deployment[3]

Scope The Scope stage involves the following activities:

• Researching the business requirements
• Projecting the infrastructure needs of the solution
• Establishing the overall technical architecture of the solution
• Performing an initial analysis of the security, performance, maintainability, and integration issues
• Specifying a schedule for development and implementation of the solution[3]

Prototype The Prototype stage involves building a basic layout of the site so as to get a taste of what the site will look like. The prototype is essentially the foundation for the final site and can be modified according to the customer’s feedback.

Design The Design stage involves developing the logical design. It also involves designing the user interface and deriving the physical design.

Implementation The Implementation stage involves translating the design into the actual site. This can be in the form of changes and updates to the prototype. The key tasks are creating the user interface, developing custom components for the order processing pipelines, if needed, and implementing the database according to the design.

Testing and Deployment The site should be tested before deployment. Among other things, the site should be tested for security, user interface, performance, and ease of use. Once testing is complete, the site is deployed[3].

[3] Ganesh, Arvind, “Enterprise Application Development and Commerce Site Server,” California Software Labs, Ltd., 6800 Koll Center Parkway, Suite 100, Pleasanton, CA 94566, 2003.

Requirements for Your Site Before we start building your commerce site, let’s take a look at the following set of requirements that the final site should satisfy:

1. The Web site should enable customers to shop with a shopping cart.
2. The catalog of products can contain:
   a. Products from various vendors
   b. Sale announcements and other promotions
3. The Web site should feature customer registration.
4. The Web site should support online payment using credit cards. Additionally, the site should:
   a. Support an e-Wallet
   b. Securely transfer credit card information
5. The customer should receive e-mail confirmation of his order.
6. The e-mail should also have a link to the Order Status page.
7. Any order that is yet to be shipped can be cancelled by the customer.
8. The Web site should include appropriate error handling.
9. The Web site should suggest other recommended products to the customer.
10. The Web site should support both Internet Explorer and Navigator[3].

Note Following the usual commerce site development methodology suggested earlier, this set of requirements would have been arrived at in the Scope stage.

Building the Prototype You are now ready to build a prototype sample site. Building a site using a commerce server essentially involves customizing a site generated by the use of wizards. Thus, the wizard-generated site, after implementing the initial user interface, can be used as the prototype. A commerce server should give you a choice between making a copy of one of the commerce server sample sites or a custom site. After you have generated a site, you can get down to database and user-interface design. Building the prototype site involves the following steps:

1. Creating the site database
2. Creating database logins
3. Creating the data source name (DSN)
4. Creating the site foundation
5. Generating the site[3]

A commerce server should be able to distinguish between the site’s administrator and the site operator (the site manager). The administrator performs steps 1–4 and manages the server, while the site manager builds the site and then maintains and manages it. Keeping the two roles on separate accounts also limits what a compromised site-manager login can reach. Now, let’s take a look at each of the preceding steps.

Preparing the Database (Steps 1, 2, and 3) When the wizard is run, you need to supply a data source name (DSN), a database login name and password, and other information that is needed for a connection string. The wizard creates two configuration files: one for the site and one for its manager pages. Both files hold the connection string used for accessing the site’s database, password included, so they must be readable only by the accounts that run the site and must never sit where the Web server would serve them to a browser. The wizard then reads the database connection information from the file and uses it to connect to the database and create the schema. Creating a DSN for the sample site (step 3) completes the database preparation.

Building the Site A site manager should be able to connect to the manager’s pages and build the site by running the wizard. This generates all the files and database tables, including product pages, basic layout, shipping and handling, tax, and payment. In other words, this builds the actual store that will exist on top of the site foundation. Run the wizard and follow the instructions displayed on the screen. Some points of interest when building the site are as follows:

1. A locale step defines the default locale to be used in your store. This drives the configuration of the default tax calculation component as well as the format used to display currency and other localized variables.
2. Price promotions allow you to offer promotions such as discounts based on dollars spent, percentage discounts, or a two-for-one promotion. Cross-sell promotions allow the site to offer a related product when a shopper selects a particular product.
3. With a features step, you can choose if and when you want shoppers to register at your site and whether you want to maintain this shopper information in the site’s database.
4. A product attribute type step is based on the type of products that the site intends to offer. With static attributes, all products have the same attributes.
5. Dynamic attributes allow the site to sell products that differ in attributes: one item may be offered in multiple colors but not list the manufacturer’s name, while another item, such as a shirt, might have varied sizes, neck size, sleeve length, and color.
6. An order history step offers the option for the site to store a shopper’s order history and receipt information[4]. This information is useful to customers who may want to look up existing orders. In addition, it can provide a source for integrating into an existing customer service application[3].

After running the wizard, your sample site is ready and open for shopping.
Now, let’s take a look at how the wizard-generated site meets many of the stated requirements right “out of the box.” With reference to the list of requirements given earlier, the site meets the following requirements at this stage: 1, 2.b, 3, 4.a, 8, 9, and 10. The site you have just built can be used as a prototype after implementing the initial user interface (UI). The Design stage is next.

Design The Design stage involves coming up with the overall structure of the site. This task would be mammoth if it were not made easier by the wizard, because it automatically generates the basic structure of a commerce site with features such as a shopping cart, shopper ID, order ID, and so on. To build the design for your site, you have to design it around the existing commerce site design. There are essentially three aspects to site design in a commerce server: designing the database, the order form, and an order processing pipeline (OPP).

A commerce server site populates its pages with data obtained dynamically from its database. The database holds all the data related to the site: data related to the products and shoppers. The site’s performance and reliability are influenced by the database design. An order form object provides storage for customer and purchase information. A commerce server site uses the order form object to store the items that a customer has placed in the basket, and to store bill-to, ship-to, and receipt information. The OPP is a collection of components that encapsulates the processing that is performed on the order form. Each component in the OPP has its own distinct function that it performs on the order form. Because the order form is of limited scope, the design should focus on a single example of each of the different design aspects. At the end of the Design stage, you should be clear about what is to be done in the Implementation stage.

Database Design Central to the design of the site is the design of the site database. Much of the database schema required for a commerce site is automatically generated by the wizard. However, if you already have a product database in place, and you want the commerce server site to use it, you can select a sample site whose product schema most closely matches the existing database. You can use the wizard to copy that sample site, and then modify the queries as appropriate for your database. In the sample sites, database queries that are used to display information (such as product descriptions and properties) on the page are defined in the ASP file for that page. So, to accommodate a different product schema, one need only modify the query as needed and create a combination of HTML and scripting to display the product information on the page. Wherever such a query takes a value from the request (a product ID, a search term), pass it as a query parameter rather than concatenating it into the SQL text; a concatenated value lets a shopper rewrite the query. Note For more information on ASP, see http://www.activeserverpages.com.

In the case of your sample site, the need to modify the wizard-generated database schema arises because of the following previously listed requirement: 2.a, the product catalog can have products from various vendors. This requirement introduces a new entity into the schema: the vendor or manufacturer. This leads to a new relationship between the products table and the vendor table. When translated into physical design, the entity maps to a new table. A new table to hold vendor attributes is created. The relationship between products and a vendor is a many-to-one relationship. This maps to a new column in the products table that holds the Vendor ID.

In general, a fair bit of denormalization is recommended because it can result in significant performance gains. Database queries should be kept to a minimum to increase speed.

Order Form Values An order form object is a commerce server dictionary object. The order form object serves as working storage for order form data being collected or processed (the shopping basket). An order form object is defined internally as a structured group of dictionary objects, and includes the methods required to add items, clear items, and clear the entire order form itself. Commerce server sites use the order form object to store items that a shopper might have chosen to purchase, and to store receipt information that will hold a shopper’s order history. Some of the common values that the order form might hold are:

• Shopper ID
• Name
• Address
• Order cost information
• Purchase subtotal
• Tax
• Shipping
• Total[3]

Note The order form does not directly support storage of its data on disk; instead, a database storage object (DBSO) is used to accomplish this.

Now, with the preceding in mind, let’s get back to your sample site. You will need to add a few values to the order form. This is necessitated by the following requirement that was previously listed: 5. The customer should receive e-mail confirmation of his order. This functionality will be implemented by a simple mail transfer protocol (SMTP) component in the purchase pipeline. The SMTP component will require the information shown in Table 6.1[3].

Table 6.1: SMTP component functional information and description

Function              Description
Order.email_subject   The subject for the order confirmation to be sent by e-mail to the customer
Order.email_body      The message body for the order confirmation to be sent by e-mail to the customer

Order Processing Pipeline (OPP) The commerce server pipeline is a software infrastructure that links one or more components and runs them in sequence on the order form object. Each stage in a pipeline consists of zero or more components, and each of these components is run in sequence. A component is a Component Object Model (COM) object that is designed to perform some operation on an order form. Usually, each component has its own small task to perform. For example, a fixed shipping component checks for the right shipping method and sets the shipping cost to the appropriate value.

A business-to-consumer commerce site in commerce server uses three kinds of OPPs—the product, plan, and purchase pipelines. The product pipeline is of little interest here. The plan pipeline consists of stages, which consist of components that verify the integrity of the order form. The purchase pipeline has stages and has components that accept the final purchase of an order form, write an order to database storage and finalize a receipt, and write the contents of the order form to the receipt database.

Note The purchase pipeline is usually run once an order form has been run successfully through the plan pipeline, and the shopper has confirmed his desire to finalize a purchase.

A commerce server should include the requisite basic pipeline components needed for a basic commerce site. When you run a wizard, it automatically creates the three OPPs required for the site—this site does not, however, feature real-time credit card validation and only includes very basic tax and shipping components. Various third-party components are available for these functions. Your sample site should use default tax and shipping components. However, you need to add a new component to handle the following previously listed requirement: 5. Customer should receive e-mail confirmation of his order.
Tip Introducing the preceding functionality into the site means that you have to add the SMTP component to the purchase pipeline. [4]

Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.

Implementation The Implementation stage is where the design is translated into actual changes to the prototype. This stage includes UI changes depending upon feedback from the customer, custom development of components (if any), changes to the database schema, and changes to the ASP files. However, this part of the chapter does not deal with UI implementation or custom components. At the end of implementation, therefore, you should have a working commerce site that satisfies all listed requirements.

The Implementation stage involves modifying the wizard-generated ASP files. Most developers are comfortable using a text editor such as Notepad to manually edit the files. The ASP files are like HTML files with added functionality; they are responsible for the look of the site and the UI in general.

Database Implementation Database implementation deals with making changes to the wizard-generated database to make it conform to the database schema. These changes usually cascade into changes to the appropriate ASP files as well. In the case of your sample site, it would require adding a new table called Vendors that holds the attributes of the Vendor, such as ID, name, address, phone, fax, e-mail address, home page address, and so forth. To relate products with their vendors, you need to define a many-to-one relationship that translates into an additional column in the product table that holds the ID of the vendor. Both these changes require updates to the ASP files. Note In general, any change made to the database schema results in a number of changes to the associated ASP files.

Editing the Pipeline Previously listed requirements 5 and 6 can be met by introducing the SMTP component in the purchase pipeline. Adding the SMTP component requires that you also add a scriptor component just before the SMTP component.
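The plan/purchase pipeline split described above, together with the scriptor component that fills Order.email_subject and Order.email_body and the SMTP component that reads them, modelled as an added Python illustration (not code from the book or from any commerce server product). The order form is a plain dictionary, the receipt store and mail sink are in-memory stand-ins, and the item keys, shipping rates and tax rate are constructed assumptions; only the two Order.email_* names come from the book.

```python
"""Order processing pipeline model: plan pipeline first, purchase pipeline second.

Added illustration, not code from the book or any commerce server product.
The order form is a plain dict (the book's dictionary object), components are
callables run in sequence, and the purchase pipeline refuses to run unless the
plan pipeline marked the order form as verified.  Amounts are in cents.
"""
from typing import Callable, Dict, List

OrderForm = Dict[str, object]
Component = Callable[[OrderForm], None]
Pipeline = List[List[Component]]            # stages, each a list of components


class PipelineError(Exception):
    """A component rejected the order form."""


def run_pipeline(stages: Pipeline, order: OrderForm) -> OrderForm:
    """Run every component of every stage, in sequence, on the same order form."""
    for stage in stages:
        for component in stage:
            component(order)
    return order


def is_rejected(stages: Pipeline, order: OrderForm) -> bool:
    """True when some component raises PipelineError for this order form."""
    try:
        run_pipeline(stages, order)
    except PipelineError:
        return True
    return False


# ---- plan pipeline components: verify the integrity of the order form

def validate_items(order: OrderForm) -> None:
    items = order.get("items") or []
    if not items:
        raise PipelineError("empty basket")
    for item in items:
        if item["quantity"] <= 0 or item["price"] < 0:
            raise PipelineError("invalid line %r" % (item,))


def subtotal(order: OrderForm) -> None:
    order["subtotal"] = sum(i["price"] * i["quantity"] for i in order["items"])


def fixed_shipping(order: OrderForm) -> None:
    """Fixed shipping component: checks the method and sets a flat cost (constructed rates)."""
    rates = {"ground": 500, "express": 1500}
    method = order.get("shipping_method", "ground")
    if method not in rates:
        raise PipelineError("unknown shipping method %r" % (method,))
    order["shipping"] = rates[method]


def simple_tax(order: OrderForm) -> None:
    order["tax"] = order["subtotal"] * 8 // 100        # assumed flat 8 % rate


def total(order: OrderForm) -> None:
    order["total"] = order["subtotal"] + order["shipping"] + order["tax"]
    order["plan_ok"] = True                           # plan pipeline passed


# ---- purchase pipeline components: accept, write the receipt, confirm by e-mail

RECEIPTS: List[OrderForm] = []        # stand-in for the receipt database (DBSO)
OUTBOX: List[Dict[str, object]] = []  # stand-in for the SMTP server


def require_plan(order: OrderForm) -> None:
    if not order.get("plan_ok"):
        raise PipelineError("purchase pipeline run before a successful plan pipeline")


def write_receipt(order: OrderForm) -> None:
    order["order_id"] = "ORD-%04d" % (len(RECEIPTS) + 1)
    RECEIPTS.append(dict(order))      # the receipt is a snapshot of the order form


def scriptor_confirmation(order: OrderForm) -> None:
    """Scriptor component placed just before the SMTP component: fills the two
    values it reads.  It copies no card data, since the confirmation is plain e-mail."""
    lines = "".join("  %s x%d\n" % (i["sku"], i["quantity"]) for i in order["items"])
    order["Order.email_subject"] = "Order %s confirmation" % order["order_id"]
    order["Order.email_body"] = "Thank you, %s.\nOrder %s total: $%.2f\n%s" % (
        order["name"], order["order_id"], order["total"] / 100, lines)


def smtp_component(order: OrderForm) -> None:
    OUTBOX.append({"to": order["email"],
                   "subject": order["Order.email_subject"],
                   "body": order["Order.email_body"]})


PLAN_PIPELINE: Pipeline = [[validate_items], [subtotal], [fixed_shipping, simple_tax], [total]]
PURCHASE_PIPELINE: Pipeline = [[require_plan], [write_receipt], [scriptor_confirmation, smtp_component]]


def checkout(order: OrderForm) -> OrderForm:
    """Normal sequence: plan pipeline, shopper confirms, purchase pipeline."""
    run_pipeline(PLAN_PIPELINE, order)
    return run_pipeline(PURCHASE_PIPELINE, order)


def sample_order() -> OrderForm:
    """Constructed sample basket; the card value is a placeholder kept only in the order form."""
    return {"shopper_id": "s-42", "name": "Ada", "email": "ada@example.com",
            "shipping_method": "ground", "card_number": "TEST-CARD-0000",
            "items": [{"sku": "BOOT-01", "price": 4999, "quantity": 2},
                      {"sku": "SHOE-07", "price": 2500, "quantity": 1}]}
```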

Securing the Site Going back to the previously listed requirements, you still have the following requirement to be met: 4.2 Credit card information should be securely transferred. This means the ASP file that receives the credit card information, entered by the shopper through a form post, should be secured by a Secure Sockets Layer (SSL). Commerce server-based sites usually use SSL to encrypt transactions passed over a secure port. By default, however, HTTPS (HTTP over SSL, the Hypertext Transfer Protocol over Secure Sockets) is disabled in sites created with a wizard. A commerce server does this to enable developers to create and test these sites without causing an error, even on a server on which a server certificate is not installed.

Note To enable SSL, you must install a valid server certificate. For further details about obtaining a certificate for your server, see http://www.verisign.com.

Database Access You still have one more previously listed requirement that needs to be met: 7. Any order that is yet to be shipped can be cancelled by the customer. To implement this, you have to go back to the ASPs again. In the wizard-generated site, the status of the order is maintained in a separate field in the receipt table. The site does not, however, maintain status automatically. To do this, the ASPs, which display order data in the manager’s pages, will have to be modified to allow the manager to set the status of the order. After you have taken care of maintaining your order status, you will now have to display this information to the customer. Here, when you display the order status, you can perform a check to see if it has been shipped. If it has not been shipped yet, the customer can be presented with an option to cancel the order. If the customer chooses this option, the status of the order should be set to indicate the cancelled status.

Note The site manager and shopper pages use different logins to access the database. If the shopper should be able to cancel the order, then a sample site visitor account should have appropriate permission.

Tip It usually helps to have an additional stage before being “shipped,” which indicates the status when the order has almost been shipped. This helps avoid losses that may arise when a customer cancels an order that is about to be shipped.

With the preceding in mind, your little sample site is now ready and is fully functional (see Figure 6.1), except for payment verification[2]. The site should be subjected to testing before deployment.
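The order status field, the manager's status update and the shopper's cancel check described above, as an added Python illustration (not the book's ASP code). The receipt table layout, the status names and the extra "almost_shipped" stage from the Tip are assumptions modelled with sqlite3.

```python
"""Order status maintenance and customer cancellation (added illustration).

Not code from the book.  The shopper's cancel is a single conditional UPDATE:
the "not yet shipped" check and the status change happen in one statement, so
an order the manager moves to almost_shipped or shipped in the meantime is left
alone, and the shopper_id predicate keeps a shopper from cancelling an order
that is not theirs.  In a deployment the visitor login would hold only the
UPDATE right this needs, while manager_set_status runs under the manager login.
"""
import sqlite3

STATUSES = ("pending", "almost_shipped", "shipped", "cancelled")


def open_receipts() -> sqlite3.Connection:
    """In-memory receipt table holding constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE receipt ("
        " order_id INTEGER PRIMARY KEY,"
        " shopper_id TEXT NOT NULL,"
        " total INTEGER NOT NULL,"
        " status TEXT NOT NULL CHECK (status IN"
        "  ('pending','almost_shipped','shipped','cancelled')))")
    conn.executemany("INSERT INTO receipt VALUES (?, ?, ?, ?)", [
        (1, "s-42", 13997, "pending"),
        (2, "s-42", 2500, "almost_shipped"),
        (3, "s-7", 4999, "pending"),
    ])
    conn.commit()
    return conn


def manager_set_status(conn: sqlite3.Connection, order_id: int, status: str) -> bool:
    """Manager page: set an order's status; False when no such order exists."""
    if status not in STATUSES:
        raise ValueError("unknown status %r" % (status,))
    cur = conn.execute("UPDATE receipt SET status = ? WHERE order_id = ?",
                       (status, order_id))
    conn.commit()
    return cur.rowcount == 1


def order_view(conn: sqlite3.Connection, order_id: int, shopper_id: str):
    """Shopper page: status plus whether the cancel option is offered.
    Returns None when the order does not belong to this shopper."""
    row = conn.execute(
        "SELECT status FROM receipt WHERE order_id = ? AND shopper_id = ?",
        (order_id, shopper_id)).fetchone()
    if row is None:
        return None
    return {"status": row[0], "can_cancel": row[0] == "pending"}


def cancel_order(conn: sqlite3.Connection, order_id: int, shopper_id: str) -> bool:
    """Shopper page: cancel only the shopper's own order, and only while pending.
    The status is re-checked inside the UPDATE rather than trusted from the page."""
    cur = conn.execute(
        "UPDATE receipt SET status = 'cancelled'"
        " WHERE order_id = ? AND shopper_id = ? AND status = 'pending'",
        (order_id, shopper_id))
    conn.commit()
    return cur.rowcount == 1


def status_of(conn: sqlite3.Connection, order_id: int) -> str:
    return conn.execute("SELECT status FROM receipt WHERE order_id = ?",
                        (order_id,)).fetchone()[0]
```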

Security Site security is very crucial in a commerce site. Exaggerated reports of credit card fraud on the Internet have led to people being highly apprehensive of shopping on the Internet.

However, this initial mental barrier is now being overcome as more people take to shopping on the Net. Site security is definitely one of the most important factors, if not the most important, that the site designer will have to spend time on at all stages. The most basic security requirement is that customers of a commerce server site need assurance that confidential information such as passwords and credit card numbers is protected from unwanted access. To achieve this, a commerce server should support the industry-standard SSL.

SSL and HTTPS Security of credit card information is the primary concern for the customer. By default, commerce server sites do not store credit card information used in an online transaction. Security of credit card information over the Internet is implemented using SSL. In a nutshell, SSL is a method of data encryption that is used to secure transactions between the client and the server. The client and server share an encrypted session key that is generated by the client software. This key is transferred to the server using the server’s public key. Using the server’s public key to encrypt the session key ensures that only the private key of this pair will be able to decrypt the session key. To receive a page that is secured by SSL, the browser sends a request using the HTTPS (S for Secure) protocol. In HTTPS, the URL for the restricted Web site starts with https:// instead of the normal http://.

Site Managers For every commerce server site, a group is created that permits access to the site’s manager pages. The users in this group are the operators of that particular commerce server site. This group permits access to the site’s manager pages, along with Read/Write access to all of the site’s files. An operator of one commerce server site does not have this type of access to any other commerce server site.

Configuring the Network Against External Intrusions Guarding the site from external intrusions is also critical. However, this can be accomplished rather cost-effectively through a standard firewall-safe network configuration. In such a configuration, the network is guarded by a firewall (or proxy server) that allows certain “Demilitarized Zones” (DMZs), as shown in Figure 6.2[3]. These DMZs are the areas of the internal network that may be accessed by external (or Internet) users. The firewall would be configured to allow HTTP access to the commerce server on the local area network (LAN). The database server, however, will not be publicly accessible. All database access from the commerce server machine would have to go through the firewall, as the commerce server will not be connected to the data. For critical purposes, having the same machine as a commerce server and the database server is not recommended.

[2]

Copyright ©2001, Eden-2000, SexyShoesandBoots.com, Eden-2000 Web Designs, MerchantWebsiteDesign.com, 2003.

Summary Electronic commerce over the Internet is predicted to grow at an ever-increasing rate over the next few years. Many companies are beginning to investigate the feasibility of using this new sales channel, and many retailers have now established online sales sites. This market is expected to really explode in the next few years as more retailers jump onto the Internet commerce bandwagon. With the preceding in mind, this chapter has successfully traced the development of a commerce site through the different stages from planning to implementation. It provided an introduction to developing commerce sites. Finally, the chapter showed how to build a basic commerce site from scratch. Following the suggested methodology, the chapter showed you how to go through the stages in the development of a commerce site. After reading this chapter, you should now have a fairly good idea of how to develop a commerce site.

Chapter 7: Building Shopping Cart Applications “There are no such things as applied sciences, only applications of science.” —Louis Pasteur (1822–1895)

Overview Managing major e-businesses these days requires significant development of Web resources, particularly if you want to let your customers purchase products and services online. Building the Web site you need to accomplish your business goals is not a simple undertaking. Available Java technologies (JavaServer Pages, servlets, and JavaBeans™) offer different advantages, and combining them to achieve the best results is usually necessary. Although you can build a simple shopping cart using JSP alone, significant business applications require the complementary strengths of all three technologies. Let’s see how to combine them to best effect. For example, JSP offers a 100 percent pure Java alternative to Microsoft’s proprietary Active Server Pages (ASP). JSP technology extends Java servlet technology, and, in fact, the JSP framework translates JSP into servlets at runtime. Servlets are popular because they supply architectural and performance advantages over Common Gateway Interface (CGI) scripts. Servlets can also generate dynamic Web pages by mixing static HTML with content supplied by database queries or business services. JavaServer Pages invert this approach by imbedding Java code in HTML. This ability to insert Java code into HTML pages adds flexibility to servlet-based Web architectures. To generate HTML, servlets must supply formatted strings to println() calls. This technique clogs Java code with line after line of hard-to-comprehend HTML. Furthermore, when servlets generate HTML, Web page design requires programmers. JavaServer Pages pull HTML out of Java code and create a role for HTML designers. Site development can proceed along parallel tracks (Java design and HTML design), thereby delivering a Web site faster. JavaServer Pages also encourage loose coupling between business logic components and presentation components, thereby making reuse of both more likely. 
The shopping cart application discussed in this chapter examines the role of JSP in Web architectures and offers a practical example of how to get the most out of your e-business applications.

A Shopping Cart Scenario The shopping cart scenario presented in this chapter is a simplified online produce store. Customers select produce items to add to their shopping cart, and then move through a series of forms to purchase the items. Figure 7.1 shows that the application architecture combines JSP with servlets and JavaBeans[1]. Building simple Web applications using JSP alone is possible, of course, but significant business applications require all three.

Figure 7.2 shows the model-view-controller (MVC) pattern, which partitions applications into separate data management (model), presentation (view), and control components[1]. It underlies most modern graphical user interfaces. The partitioning encourages independent evolution and reuse of the separate components. You can also apply the MVC pattern to Web applications. JavaServer Pages most appropriately implement the presentation part of a Web application. JavaBeans encapsulate the services that supply content to a Web site and simplify passing data between the components of the architecture. Servlets function best as controllers and mediators routing user requests and application messages, updating application data, and driving the application workflow.

Technologies such as JSP encourage certain designs, but don’t enforce them. For instance, all the code that might be put in a servlet or bean could be part of a single, certainly very confusing, JSP page. The JSP specification permits such designs. Conversely, anything a JSP page can do, a servlet can also do, so you can build a working architecture that ignores JSP. The adoption of a design pattern, however, implies certain design practices and choices. Design patterns generalize the collective wisdom of other developers. Developers capitalize on these lessons when they adhere to design patterns. If you use the MVC pattern, then the pattern implies that you should not mix presentation elements with control or data elements. Stated more specifically, you should not print HTML from a controller component (servlet) or imbed control elements in a presentation component (JSP). You should limit the Java in a JSP page to communication with the control and data components. Finally, if the data model for your application is at all complex (and it would be in any realistic business application), then you should not imbed data and computation services in either the control component or the view component. Instead, you should encapsulate such business in worker components (JavaBeans). [1]

Bollinger, Gary and Bharathi Natarajan, “Build an E-Commerce Shopping Cart,” Reprinted from Java Pro magazine with permission from Fawcette Technical Publications, Inc., 913 Emerson Street, Palo Alto, CA 94301-2415. Copyright © 2000 by Fawcette Technical Publications, Inc. All rights reserved.

The CustomerServlet With the design issues of this scenario in mind, let’s look at the details of a sample application. For example, a CustomerServlet controls the application workflow by doing two things: it maintains state (the model) for a shopping cart component (implemented by a BasketBean class), and it routes client requests through a series of JSP pages.

The BasketBean A BasketBean usually implements a simple data manager (model) for a shopping cart application. The BasketBean class provides a method to get the running total of a customer’s purchases and a method to update the contents of the basket. It maintains a running list of Product instances requested by the client in a hashtable keyed off the Stock Keeping Unit (SKU) number. Each Product instance stores four attributes: a product name, SKU number, price per pound, and the number of pounds purchased. A product is added only if the number of pounds is greater than zero.

The Pages This simple shopping cart scenario supports a workflow with four stages and three JSP pages: Inventory.jsp, Purchase.jsp, and Receipt.jsp (see Figure 7.3)[1]. The sample application presents Inventory.jsp to new clients. Clients select produce by performing one or more updates to Inventory.jsp. After selecting produce for purchase, clients purchase the produce and the application presents Purchase.jsp. Finally, the client confirms the purchase, and the application presents Receipt.jsp.

This JSP page mixes standard HTML with specialized JSP elements. The JSP specification calls the static HTML in a page fixed template data and writes it essentially verbatim (certain substitutions based on quoting and escape conventions are still applied) into the HTTP response stream. For example, the servlet framework writes the tag unchanged to the response stream. Besides fixed template data, JSP pages can include directives, scripting elements, and actions. This simple Web store illustrates all three.

A Real-World Application Model The preceding simple application is clearly a toy, not meant for deployment. Still, a real application should follow the same MVC pattern demonstrated by the simple application. Now, let’s look at how to modify some aspects of the toy to create a more realistic e-commerce application. The grocery application implemented its model by using the BasketBean class. The BasketBean illustrates two qualities of toy software: it “hard codes” its data, and it fails to define a standard interface. Such flaws limit the maintainability, extensibility, and scalability of an application. A production application should define a standard interface for accessing the application model. An interface establishes a contract allowing different implementations to be “plugged-in” as required. Such “pluggable” implementations illustrate the bridge pattern. The purpose of the bridge pattern is to decouple abstract functionality from any specific implementation of the functionality. For example, the inventory data is initially stored as static information imbedded in Java code[2]. To gain flexibility, you might pull this data out of code and store it on the file system. As data volumes grow, a common requirement is to move data storage into a relational database management system (RDBMS). If the BasketBean implements a standard interface, then you can reimplement this interface to use a file system or an RDBMS without rewriting the CustomerServlet. Real-world applications may also require the separation of data from code. Data changes often, but code should rarely change. A minimum requirement for moving the sample application into a production environment would be to split its model into separate data access and data management tiers. This two-tier architecture allows data volumes to grow without affecting code. Figure 7.4 shows the design after separating data from data access and after defining a standard interface[1].

Often, scalability or data transaction requirements force introduction of a third tier into the data management architecture. Common Object Request Broker Architecture (CORBA) or Enterprise JavaBean (EJB) interfaces to data management services are now common. If the BasketBean implements a standard interface, then you can reimplement it as a distributed service. Figure 7.5 shows this three-tier implementation of the application model[1].

[2]

Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.

Loose Component Coupling One of the reasons for JSP applications to follow the MVC pattern is that this pattern encourages distinct, clearly defined roles for model, view, and controller components.

You should keep these components as loosely coupled as possible. The CustomerServlet, however, is not loosely coupled, because it encodes specific workflow states and hard codes the names of specific JSP pages. Tight coupling between the controller and view components means that changes to one component demand corresponding changes to the other component. In this case, if you add additional JSP pages to the shopping workflow, you must add additional conditions to the CustomerServlet program logic. Alternately, the CustomerServlet forces you to give specific names to the JSP pages. This sample application would be more maintainable and more scalable if you could remove the tight coupling between the CustomerServlet and its JSP pages. One way to minimize this close coupling would be to create a helper bean for each JSP page. You can install these helper beans in the CustomerServlet to manage all HTML requests directed at the associated JSP page. Such encapsulation of each request in a request handler object illustrates the command pattern. As with the bridge pattern, the key to implementing a command pattern is to declare a common interface that each request handler must implement. In this case, the simplest form of such an interface might be a single method, such as redirect(), into which you pass the request parameter and the BasketBean object. Because every concrete implementation of the interface supports this method, the CustomerServlet can invoke the interface on any given handler without knowing anything specific about its implementation (see Figure 7.6)[1].

You can customize each helper bean for its partner JSP page and make it as complex as necessary. For example, it can validate input parameters passed in the request, whether by simply guaranteeing nonblank entries or by performing more complex tasks such as verifying credit card information. If you adopt the helper bean architecture, then you might wonder how you install the bean. After all, although the JSP framework translates JSP pages into servlets at runtime, JSP pages are just files until the framework translates them. It’s a kind of chicken-and-egg problem.

A JSP page has exactly one input point, but it could have multiple outputs based on the number of submit buttons. Each output could be associated with a different JSP page. For instance, Inventory.jsp has two outputs, one for Purchase.jsp and one back to itself. You could associate a helper bean with each output point using a hidden tag. Finally, the JavaServer Pages extend servlet technology in useful ways. By supporting Java scripting, they provide a role for Web designers alongside developers and add flexibility to servlet architectures. JSP pages do not replace servlets; servlets, JSP, and JavaBeans play complementary roles in Web architectures. By following the MVC pattern, JSP applications can independently extend or enhance the controlling servlet, JSP page, and application model to support real-world scaling. The application model can be extended to a two- or three-tier design; in addition, adding helper beans can manage the JSP workflow and support loose coupling of application components.
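The BasketBean described earlier (Product instances keyed off the SKU, added only when the pounds are greater than zero) and the helper-bean command pattern with its single redirect() method, selected by a hidden form field, modelled together as an added Python illustration rather than the Java Pro article's Java classes. Product, BasketBean, CustomerServlet, redirect() and the three JSP page names come from the text; the inventory data, the action names and the handler classes are assumptions.

```python
"""Python model of the shopping cart's model and controller (added illustration,
not the article's Java code).  The controller resolves the hidden 'action' field
against a fixed table of registered handlers, so a request can only select a
handler the application installed, never name an arbitrary class."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Product:
    name: str
    sku: str
    price_per_pound: float
    pounds: float


class BasketBean:
    """Data manager (model): Product instances keyed off the SKU."""
    def __init__(self) -> None:
        self._items: Dict[str, Product] = {}

    def update(self, product: Product) -> None:
        """Add only when pounds > 0; zero or less drops any entry for that SKU."""
        if product.pounds > 0:
            self._items[product.sku] = product
        else:
            self._items.pop(product.sku, None)

    def total(self) -> float:
        return round(sum(p.price_per_pound * p.pounds for p in self._items.values()), 2)

    def items(self) -> Dict[str, Product]:
        return dict(self._items)


# Hard-coded inventory, as in the toy; a production model would sit behind an
# interface backed by files or an RDBMS (bridge pattern).  Constructed data.
INVENTORY = {"APL": ("Apples", 1.25), "BAN": ("Bananas", 0.59), "CHR": ("Cherries", 4.99)}


class RequestHandler:
    """Command interface: every helper bean implements redirect()."""
    def redirect(self, params: Dict[str, str], basket: BasketBean) -> str:
        raise NotImplementedError


class InventoryUpdate(RequestHandler):
    """Inventory.jsp output that posts back to itself with pounds per SKU."""
    def redirect(self, params, basket):
        for sku, (name, price) in INVENTORY.items():
            try:
                pounds = float(params.get("pounds_" + sku, "0"))
            except ValueError:
                pounds = 0.0                 # non-numeric input is treated as none
            basket.update(Product(name, sku, price, pounds))
        return "Inventory.jsp"


class InventoryToPurchase(RequestHandler):
    """Inventory.jsp output leading to Purchase.jsp; an empty basket stays put."""
    def redirect(self, params, basket):
        return "Purchase.jsp" if basket.items() else "Inventory.jsp"


class PurchaseConfirm(RequestHandler):
    """Purchase.jsp output: guarantees nonblank entries before Receipt.jsp."""
    REQUIRED = ("name", "address")

    def redirect(self, params, basket):
        if any(not params.get(field, "").strip() for field in self.REQUIRED):
            return "Purchase.jsp"
        return "Receipt.jsp"


class CustomerServlet:
    """Controller: holds the BasketBean and routes each request to a handler."""
    def __init__(self) -> None:
        self.basket = BasketBean()
        self.handlers: Dict[str, RequestHandler] = {
            "inventory.update": InventoryUpdate(),
            "inventory.purchase": InventoryToPurchase(),
            "purchase.confirm": PurchaseConfirm(),
        }

    def service(self, params: Dict[str, str]) -> str:
        """Return the name of the JSP page to present next."""
        handler = self.handlers.get(params.get("action", ""))
        if handler is None:
            return "Inventory.jsp"           # unknown action: back to the entry page
        return handler.redirect(params, self.basket)
```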

Summary The heart of any Web store is the software that it runs on. However, up until relatively recently, software solutions for e-commerce were largely do-it-yourself affairs, consisting of a number of disparate tools lashed together to fulfill the major tasks of an online store. This situation is changing rapidly. Every day sees the launch of a new software product, each of which claims to be a complete shopping cart. However, close investigation reveals a huge difference in the features that these products offer and the price that is charged for them. It’s not surprising, therefore, that the selection of a suitable shopping cart is a decision that many aspiring Web merchants agonize over. So, what features should you look for when choosing a shopping cart? There are three basic areas to examine: how easy the store is to set up, how easy it is to process orders through it, and how easy it is to administer on a day-to-day basis. To an extent, the desirable setup features and options will depend on the skill levels of the individual storeowner. For example, a storeowner with no HTML or CGI experience should look for software that creates a complete store via wizards and templates. On the other hand, more technically savvy merchants will want a solution that provides them with a higher degree of flexibility and enables them, for example, to create their own HTML pages. Regardless of technical skill levels, there are several features that all merchants should look for. Good documentation and support is a must, of course. Also vital is the ability to import product data from a database file. For example, after you have more than 10 to 20 items for sale, entering product details manually becomes a major chore. Would-be storeowners should also think carefully before selecting a shopping cart that relies on the use of cookies to track visitors in a store. 
Although much of the media hype surrounding the use of cookies is dying down, there is still a fair amount of misleading and confusing information around. And as a result, many people still surf with cookies disabled in their browsers and are, therefore, unable to shop in stores that rely on them. An important part of the setup process is the specification of sales tax and shipping charges. Be careful—many shopping cart solutions currently available have major limitations in these areas. For example, they may have no way of specifying shipping charges for international shipments or they may be limited to being able to collect sales tax from only one U.S. state. The best shopping cart solutions come with preset tax tables that ensure the correct levels of tax are collected on each order. Some shopping cart solutions also interface directly with information from carriers such as UPS and can automatically calculate the shipping cost for each order. Another area to investigate is the range of advanced features and services that are provided. Services such as domain name registration and automatic search engine submission can save a lot of hassle. And, additional features such as autoresponders and chat rooms can help build a top-class store. Furthermore, you should also look at order processing. The first two order processing features to check for are the availability of a virtual shopping cart and the ability to transfer data securely using SSL. Most shopping carts now come with these features, but it’s worth checking anyway. Although the bulk of orders in an online store will probably be placed online and paid for by credit card, there are still a lot of shoppers who want to shop and pay using alternative methods. In order to maximize your sales, a Web store should, therefore, be capable of accepting orders and payments in as many ways as possible. Available ordering methods include online, fax, telephone, and snail mail, whereas payment methods include credit and debit cards, paper and electronic checks, and digital cash.
And, although most smaller merchants will choose to process their credit card payments offline, it is worth checking that the software is also able to easily handle online processing. This gives flexibility to cope with future growth.

Note It is also important to select a shopping cart solution that automates as much of the order management process as possible; for example, the ability to automatically send an e-mail order acknowledgment to the customer along with a unique number for order tracking.

Security is another major concern. Although SSL capability is included with most shopping cart solutions today, some solutions still have major security weaknesses. For example, although they transfer the customer’s credit card details from their browser to the merchant’s server using SSL, they may leave it in an unsecured area of the server where unauthorized parties could access it. Even worse, some send the customer’s details to the merchant using unencrypted e-mail.

There are some other features that are also worth looking for. For example, discount clubs allow you to automatically give discounts to repeat or high-volume customers. Online order tracking allows customers to instantly check the status of their orders and eases the demands on your customer service team. And, an inventory management facility can automatically remove items from sale once the stock drops below a predetermined level. You should also ignore all the hype about setting up a Web store and then lying back and waiting for the money to roll in. Running a successful online store requires a great deal of effort. However, you can make things easier by choosing a shopping cart software solution that simplifies the day-to-day running of the store. The first consideration is the method that is used for accessing and administering the store. Some packages require that changes be made offline and then uploaded to the server. This usually limits changes to being made from one specific PC, and this can be a tie. Alternatively, many packages allow stores to be updated online from any Internet-connected PC. Next, check out how easy it is to add, delete, and amend product data, as well as how easy it is to run special time-limited price promotions. Try to avoid shopping cart solutions that require all changes to be made offline and then for the whole database to be reloaded on to the server. Also, look out for any additional marketing tools that might be provided. For example, this includes the maintenance of customer buying history and preferences, targeted e-mailing capability, and affiliate program management. These can all prove to be very useful. Finally (and most importantly), examine closely the reports that are provided. There will be no salesperson in your virtual store to monitor customer behavior and buying patterns—reports are your only source of information.
So, without good reports, you will lack data to make fundamental decisions about the effectiveness of your store’s design and product offerings. Some shopping cart solutions only provide basic analysis of server logs; for example, the number of hits and referrer information. This is totally inadequate. Ensure that the shopping cart solution you choose provides a complete suite of detailed reports; for example, a sales history analysis and information about the most common paths that customers are taking through your store. So, now that you have built your shopping cart applications, what should you do? Tell your customers to shop until they drop!

Chapter 8: Mobile Electronic Commerce “Walking and talking is the slowest form of mobile communication.” —Anonymous

Overview The use of mobile technologies is steadily on the increase, for both e-commerce and personal uses[4]. Mobile phones are a common sight today and many people own personal information management (PIM) devices or handheld computers, where they manage their schedule, contacts, and other essential functions. Employees on the move appreciate the value of staying connected with their enterprise and other resources through mobile phones. Most enterprises now have corporate mobile phone plans that make it easier for mobile employees to stay in touch and increase productivity. With rapidly advancing technologies, most wireless carriers today offer transmission of data in addition to voice signals. For example, you can now receive e-mail on your mobile phone in addition to regular calls. With the growing proliferation of wireless enabled Personal Digital Assistants (PDAs), Blackberry mobile e-mail devices, and notebook PCs, it is all the more important to ensure that the mobile employees are connected to, and supported by, the enterprise[6]. Although the terms “mobile” and “wireless” are often used interchangeably, they are two different things:

• Mobile devices are portable, electronic components that are used by mobile people to do their work.
• Mobile pertains to the ability of an entity to be on the move.
• Wireless pertains to the technology that allows transmission of voice, data, and other content through radio waves over the air, not restricted to physical cables[2] or other physical mediums[1].

It is wireless technology that facilitates employee or enterprise mobility. Mobile devices depend on wireless technology to connect to the enterprise and transfer content in order to fulfill the users' e-commerce needs. It is not surprising that an increasing number of employees are demanding mobile support from their enterprise in order to maximize performance. Without a proper mobile strategy in place, most enterprises will fail to meet their cost and performance objectives. In fact, recent studies have shown that mobile employees connected to the enterprise are much more effective than they would be if their enterprise did not support a mobile workplace. For employees whose work is mostly away from their desktops, this is an important issue. Mobile employees have a long list of enterprise capabilities needed to support their work. Here are some basic requirements:

• Adequate protection of information on wireless devices to ensure that confidential business information is not lost or stolen
• Wireless connection to enterprise assets using laptops, PDAs, mobile phones, and other devices for flexible access to business processes
• Mobile connection via laptops so that work can be done from anywhere
• Real-time synchronization of information to ensure accuracy and consistency
• Ability to receive appropriate alerts and messages on the mobile device in order to carry out required job functions with optimal efficiency[1]

The expectations previously listed are quite typical, and today's mobile infrastructure is able to deliver them with significant success. The wireless industry is continually evolving, with new developments springing up at an accelerated pace. The line between computing and telephony is slowly blurring. Devices that combine the features of mobile phones and PDAs are becoming quite popular in the market today. Eventually, it will be one combined device you carry, where you do your scheduling, e-mail, Web surfing, videoconferences, and document management, and take all your business and personal calls. This would be a true all-around utility device. With data storage capabilities[3] and network bandwidth steadily improving, it won't be long before you have the capabilities of a currently available high-end desktop computer in a device that fits into your pocket. One can only speculate about the ramifications this convergence of devices will have on the way you work and how enterprises will function.

[1] Deshpande, Sumit, "Enabling Mobile eBusiness Success," Computer Associates International, Inc., Islandia, NY, 2003.
[2] Vacca, John R., The Cabling Handbook (2nd Edition), Prentice Hall PTR, 2000.
[3] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
[4] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[6] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

Wireless Industry Standards No technology works in a vacuum. Many entities work at different levels to bring the technology to a more mature and usable state. Standards and specifications are first conceived, developed, and then implemented. Currently, most standards bodies for the mobile e-commerce environment are focused on hardware- or infrastructure-related issues. Some of the more important standards organizations related to the wireless industry today include:

• Bluetooth Special Interest Group (SIG) is a volunteer organization run by employees from member companies. Members support a number of working groups that focus on specific areas, such as engineering, qualification, and marketing. The member companies build and qualify products under strict qualification procedures, with regular testing of products at events sponsored by the Bluetooth SIG.
• The Institute of Electrical and Electronics Engineers (IEEE) does extensive research in technology spanning a broad spectrum. It created the 802.11 standard for wireless networks, and was also instrumental in creating security protocols such as Wired Equivalent Privacy (WEP)[5]. The IEEE does not provide certifications of any kind for its specifications.
• Wireless Application Protocol (WAP) Forum offers a comprehensive certification and interoperability testing program that covers device testing, content verification, and a set of authoring guidelines to assist developers in providing interoperable WAP applications and services.
• Wireless Ethernet Compatibility Alliance (WECA), since renamed the Wi-Fi Alliance, seeks to attest the interoperability of products based on the 802.11b specification, and certifies them Wireless Fidelity (Wi-Fi) compatible. It endorses Wi-Fi as the global wireless LAN standard across all market segments[1].

Many other organizations such as the W3C, Wireless DSL Consortium, and other institutions have standards directly affecting the wireless industry, though they are not specific to wireless communications. For example, XML and Web services standards are increasingly part of development and deployment for server and desktop processing, but they are equally applicable to wireless applications. Several new standards groups are being formed to address specific issues regarding mobile e-commerce.

[5] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad e-business Privacy Plan, McGraw-Hill Trade, 2001.

Wireless Communication Platforms for LANs Despite the prevalence of standards committees in the wireless industry, there is no single unifying standard. It is important for enterprises to consider all the aspects involved in mobile support while contemplating a strategy for mobile e-commerce. Some of the key criteria in choosing a wireless network specification include:

• Average size of transfers
• Number of devices in the wireless network
• Range of transmission
• Security measures
• Speed of network
• Other requirements specific to the deployment[1]

Wireless networks may operate in one of two modes: on demand (ad hoc) mode and infrastructure mode.

On Demand Mode (Peer-to-Peer) Each mobile device, also known as a mobile client, communicates directly with the other devices in the network within a specified transmission range or cell. In 802.11 terminology this is ad hoc mode, and the group of peers is an Independent Basic Service Set (IBSS). This is described in Figure 8.1[1]. If a client has to communicate with a device outside the specified cell, a client within that cell must act as a gateway and perform the necessary routing.

Infrastructure Mode (Wireless LAN) Communications between multiple wireless clients are relayed by a central station known as an "access point." The access point acts as a bridge and forwards all communications to the appropriate client in the network, whether wireless or wired. Besides bridging (and, in some products, routing), the access point often also has a Dynamic Host Configuration Protocol (DHCP) server and other features that facilitate wireless communications in a small to large business environment. Residential gateways are similar to access points, but do not have the advanced management features required for corporate networks or high-traffic environments. A wireless client must first be authenticated, and then associated with an access point, before it can perform any communications. Note that the basic 802.11 "open system" authentication performs no real identity check, so on its own the authentication step provides no security. Figure 8.2 shows a typical wireless LAN environment[1]. Enterprises that have a strong mobile e-commerce strategy must make a selection from the major wireless LAN specifications available in the market today.

802.11b The 802.11b specification was defined by the Institute of Electrical and Electronics Engineers (IEEE). 802.11b is used as an extension of Ethernet to wireless communication, and as such is quite flexible about the different kinds of network traffic that pass over it. It is primarily used for Transmission Control Protocol/Internet Protocol (TCP/IP), but also carries AppleTalk and other LAN protocols. Disparate systems like PCs and Macs may communicate over 802.11b, using PC Card or Peripheral Component Interconnect (PCI) adapters, and even some of the newer hardware utilizing Universal Serial Bus (USB) and other forms of 802.11b-based wireless network adapters. Adapters for PDAs, such as Palm OS and PocketPC based devices, are also available. 802.11b provides a raw data rate of approximately 11 Mbps (megabits per second) at distances ranging from a few feet to several hundred feet over the unlicensed 2.4 GHz (gigahertz) band. The usable coverage distance depends on line of sight, walls and other obstacles, and interference from other devices sharing the 2.4 GHz band. Several newer 802.11 variants, not all of them compatible with 802.11b, are also being released.

802.11a Protocol 802.11a transmits 54 Mbps over the 5 GHz band. This is ideal for large data file transfers and bandwidth intensive applications over a limited area. Although performance and throughput are significantly increased, the transmission range is notably reduced.

802.11g Protocol 802.11g operates over the 2.4 GHz band and is considered to be the next generation wireless network platform for the enterprise, because it remains backward compatible with installed 802.11b equipment. Early drafts of the specification called for 22 Mbps, twice the speed of 802.11b; the standard as ratified by the IEEE in June 2003 provides up to 54 Mbps, the same raw rate as 802.11a. Note 802.11b has become the standard wireless network deployment platform for public short-range networks, such as those found at airports, hotels, conference centers, and coffee shops and restaurants.

Bluetooth This wireless network specification, defined by the Bluetooth Special Interest Group, is ideally suited for Personal Area Networks (PANs) that operate over short ranges and need a robust, low-power wireless link. Bluetooth specifications also promote interdevice communications, so mobile phones can communicate with PDAs, PDAs with notebook PCs, and so on. Bluetooth uses the same unlicensed 2.4 GHz band as 802.11b, but its raw data rate (1 Mbps in the 1.x specifications, with well under 1 Mbps available to applications) is much lower than the 11 Mbps of 802.11b, and its range (about 10 meters for the common Class 2 devices) is much shorter. It is therefore not a substitute for a wireless LAN, but it works well for on demand networks and situations in which device-to-device communication is desired. For example, you can wirelessly connect from your PDA to a printer to print documents, or synchronize your desktop with your PDA over the air.

Wireless WANS Although the preceding architectures are specific to wireless LAN environments, employees that are outside the coverage area are required to connect through wireless carriers that provide support for a wireless wide area network (WAN) environment. There are several wireless WAN protocols used all over the world.

Code Division Multiple Access (CDMA) With CDMA, a large number of users are able to share the same wireless channels on demand, each user's signal being separated by a unique spreading code. Used by many digital mobile phone operators today, its capacity is roughly 8 to 10 times that of traditional analog cell phone systems. The third-generation (3G) evolution of this technology, CDMA2000, is much anticipated by many mobile users.

Global System for Mobile (GSM) The GSM wireless platform provides full voice and data support with worldwide roaming capabilities. Included in the GSM family is the General Packet Radio Service (GPRS) platform for delivering Internet content on mobile devices, and the Enhanced Data rates for GSM Evolution (EDGE) and Third Generation GSM (3GSM) for delivering mobile multimedia.

Most wireless carriers base their offerings on the previously mentioned platforms, leveraging the strengths of the protocol they decide to use. For example, services offered by Sprint PCS and Verizon Wireless are based on CDMA, whereas AT&T Wireless and T-Mobile use GSM.

Facilitators of a Wireless Environment In order to facilitate a mobile e-commerce environment, the participation of several partners is required, namely:

• Independent hardware vendors (IHVs)
• Independent software vendors (ISVs)
• Mobile device manufacturers
• Service providers (SPs)
• Wireless operators (or carriers)[1]

Note Connecting all these participants together to create a viable solution are systems integrators with focused practices in mobile e-commerce implementation.

Wireless Hardware There are numerous devices that are wireless-enabled to facilitate an efficient mobile workforce. Some of the top companies that provide these devices are:

• Compaq: The makers of iPAQ handheld computers and notebook PCs. They are used in many enterprise settings due to their versatility and high performance. They use Microsoft's PocketPC platform as their operating system.
• Kyocera: They specialize in mobile phones with PDA capabilities, using the Palm OS.
• Nokia: The leading mobile phone manufacturer, with innovative products that combine mobile phones, PDAs, and other features.
• Palm: Currently the leading provider of PDAs; their operating system, called Palm OS, is a popular platform for wireless application deployment.
• Research In Motion (RIM): The makers of the increasingly popular Blackberry wireless devices that allow mobile users to send and receive e-mail.
• Symbol: The leading manufacturer of wireless devices and scanners for retail, utilizing the latest technology in bar code scanning[1].

Wireless devices add value to the enterprise only when they connect to the IT infrastructure and are actively supported by the administration. Access points, network cards, and other components essential to the deployment of a wireless communications infrastructure are available from several vendors, including:

• 3Com
• Cisco[4]
• Fujitsu
• HP
• IBM
• Siemens[1]

Note With the wireless infrastructure in place, it is important to choose the right carrier to facilitate high-quality communications.

Wireless Operators Wireless operators are organizations that provide the hardware and communications infrastructure to make wireless transmission possible in a wireless LAN and/or a wireless WAN environment (see Figure 8.3)[1]. Most of these provide basic wireless phone services and many of them now offer services to transmit data in various forms. The top three wireless carriers worldwide are listed in Table 8.1[1].

Table 8.1: The top three international wireless operators

Wireless Operator     Country of Service
Vodafone              Germany
China Mobile          China
NTT DoCoMo Inc.       Japan

The top wireless carriers in the United States are:

• AT&T Wireless
• Cingular Wireless
• Sprint PCS
• Verizon Wireless[1]

Depending on the geographical scope of your organization, you will have to choose the right partner who can provide the required regional and/or national coverage necessary for your e-commerce.

Wireless Software The wireless software industry is still maturing; furthermore, although most of the players are niche solution providers, very few actually provide substantial value to enterprise deployments. Ranging from low footprint applications like mini-browsers or PDA utilities, to more sophisticated solutions like interdevice communications or global positioning systems, wireless software vendors are engaged in several innovative research and development initiatives. Companies such as Microsoft, Sun, Palm, and others are active in this area.

When deploying a mobile e-commerce strategy, you have to consider the right combination of wireless network architecture, platforms, infrastructure components, devices, and applications in order to be successful. Figure 8.3 depicts a typical wireless architecture adopted by most enterprises.

Even with the absence of ubiquitous standards, the current wireless infrastructure is stable enough to support and deploy wireless applications developed for the mobile workforce. As wireless technologies mature, the quality and availability of wireless software will also grow. An important factor to consider is the need to secure and manage the enterprise infrastructure, while making all the necessary assets available to your mobile workforce.

Concerns for the Mobile Enterprise Although it is one thing for organizations to keep up with the latest industry trends, making it happen in everyday life is a totally different story. The following are some of the key concerns of enterprises that are contemplating a mobile e-commerce strategy:

• Security: Wireless networks are very easy to break into and difficult to monitor. Your enterprise assets must be protected.
• Management: Effective management of the components that make up a mobile enterprise, all the way from servers to the mobile devices, is an integral concern.
• Information access: Corporate information and business intelligence must be made accessible to your mobile workforce.
• Return on investments: Wireless connections should perform as well as, if not better than, wired connections. They should add value to the enterprise and generate revenue. The benefits should be measurable in some form. ROI and business continuity are important[1].

Security The number one concern in the world of wireless enterprises is security. Wireless networks are among the easiest to break into, because the radio medium is shared and usually reachable from outside the building, and the security measures that ship with the equipment may not be adequate to prevent intrusion. There are several well-documented vulnerabilities in the Wired Equivalent Privacy (WEP) security features provided in the 802.11b standard. The goal of WEP is to provide data confidentiality in wireless networks at the same level as a wired network. However, despite using a well-known cipher, RC4 (Rivest Cipher 4, informally "Ron's Code 4"), WEP is vulnerable to both passive and active attacks: its 24-bit initialization vector (IV) is so short that keystream is reused, its CRC-32 integrity check is linear so ciphertext can be altered without detection, and the way the IV is prepended to the shared key exposes weak RC4 keys that allow the key itself to be recovered from captured traffic. This opens up the wireless network to malicious parties to eavesdrop on and tamper with wireless transmissions. Key management and robust authentication are also open problems with the 802.11b security features; in practice, one static shared key is configured on every device, so a single lost laptop compromises the whole network. The IEEE is scheduled to release a more secure replacement for WEP (the 802.11i amendment, brought to market as WPA and WPA2) in the near future. Bluetooth comes equipped with security measures such as encryption and authentication, but its PIN-based pairing may not be sophisticated enough for an enterprise environment. Organizations that have invested in a wireless network need a strong security solution today. One way to secure an enterprise infrastructure that includes a wireless network is to build the wireless segment separate from the intranet, treat it as untrusted, and set up a firewall between the two to control communications. Implementing a robust virtual private network (VPN) solution on top of it is also useful. The security features available with the VPN solution, along with additional authentication and access control features, secure the users whether they are on a wired or wireless network. Enterprises must also ensure that all devices are virus free and that they do not act as carriers of malicious code. Access to the network from mobile devices must be authenticated, and only authorized users should be allowed access.
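The keystream-reuse weakness described above can be shown in a few lines. The following is an added example, not code from the book or from any 802.11 implementation: it implements plain RC4, builds per-packet keys the way WEP does (24-bit IV prepended to the shared key), and shows that when two frames are sent under the same IV, the XOR of their ciphertexts equals the XOR of their plaintexts, so one known plaintext (here the predictable LLC/SNAP header plus an HTTP request) yields the keystream and decrypts the other frame. The shared key, IV and frame payloads are constructed for illustration; WEP's CRC-32 integrity value is omitted because it does not affect the property being demonstrated.

```python
"""Added example (not from the book): keystream reuse in WEP.

WEP builds each packet's RC4 key as IV || shared_key, with a 24-bit IV sent in
the clear. Two frames encrypted under the same IV use the same keystream, so
XOR-ing their ciphertexts yields the XOR of their plaintexts, and one known
plaintext recovers the keystream for every other frame with that IV.
All keys, IVs and payloads below are constructed for illustration.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: returns IV || (plaintext XOR RC4(IV || key)).

    Real WEP also appends a CRC-32 integrity check value to the plaintext;
    it is omitted here because it does not change the keystream-reuse property.
    """
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the keystream for this IV."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt any frame that reused the IV whose keystream we already hold."""
    return xor_bytes(frame[3:], keystream)


def ciphertext_xor_leaks_plaintext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """With a shared IV, C_a XOR C_b == P_a XOR P_b: the keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no keystream reuse")
    return xor_bytes(frame_a[3:], frame_b[3:])


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi * 2**iv_bits / 2) frames before an IV repeats."""
    return math.sqrt(math.pi * (2 ** iv_bits) / 2)


# Constructed sample traffic. The first 8 bytes of an 802.11 data frame carrying
# IP are the LLC/SNAP header (AA AA 03 00 00 00 08 00), which an attacker knows.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")
KNOWN_REQUEST = SNAP_HEADER + b"GET /index.html HTTP/1.0\r\n"
SECRET_LOGIN = SNAP_HEADER + b"user=alice&pw=s3cret!\r\n"


def demo(shared_key: bytes = bytes.fromhex("0123456789abcdef0123456789"),
         iv: bytes = bytes.fromhex("a1b2c3")) -> bytes:
    """Encrypt two frames under one IV, then recover the secret one from the known one."""
    frame_known = wep_encrypt(shared_key, iv, KNOWN_REQUEST)
    frame_secret = wep_encrypt(shared_key, iv, SECRET_LOGIN)   # same IV: the fatal reuse
    keystream = recover_keystream(frame_known, KNOWN_REQUEST)
    return decrypt_with_keystream(frame_secret, keystream)


if __name__ == "__main__":
    print(demo())
    print(f"IV repeats after about {expected_frames_until_iv_collision():.0f} frames")
```

Running the script prints the recovered login frame and the birthday estimate: with only 2^24 IVs, a repeat is expected after roughly 5,000 frames, which a busy access point sends in seconds, and many cards of the period reset the IV to zero on power-up, making collisions far more frequent than the bound suggests. A VPN layered over the wireless segment, as recommended above, protects the payload even when the WEP keystream is recovered.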

Management Like a wired network, the infrastructure that supports a wireless network also needs to be managed. Some of the components that must be managed include access points, mobile devices, wireless application servers, and others. Management of the network increases performance and allows the administration team to respond to issues quickly. Besides providing a real-time view of the wireless network, the management solution must also provide a future view, so that proactive measures can be taken to prevent problems before they occur. Corporate assets need to be accounted for. Therefore, each mobile device should come under the eye of enterprise management. Automatic transfer of relevant information, applications, and updates (like the latest antivirus signatures) should be made possible. In addition, data on the mobile devices must be backed up without causing any impediment to normal processing, and must be automatically moved to the server unobtrusively when on a wired network. It is important to understand that wireless systems do not operate in a vacuum; they integrate into the IT infrastructure. Therefore, management of the wireless infrastructure must be in the context of the overall enterprise infrastructure. Point solutions for wireless networks are unable to effectively integrate wireless management information without first monitoring the rest of the enterprise to promptly identify and resolve problems. Wireless management solutions must be integrated, comprehensive, and reliable.

Information Access Enterprises with large data resources have volumes of untapped intelligence just waiting to be put to use. With a growing mobile workforce, it is essential to make this business intelligence available to them at their point of need and equip them to make profitable decisions. Mobile employees must also be able to access the business processes critical to their job function. Enterprise portals provide a viable dissemination tool for organizations today. Wireless access to these portals is no longer a “nice-to-have” feature, but an absolute requirement. Organizations are also looking for ways to leverage legacy resources and make them available to mobile devices. With the emergence of Web services, the need for a reliable solution to extend applications to mobile devices is ever on the rise.

Return on Investments As the demand for wireless support from the workforce grows, enterprises need to act quickly and provide the necessary services in order to promote success. For example, the Gartner Group predicts that more than 70% of mobile applications deployed at the start of 2004 will be obsolete by the end of 2004. Keeping this analysis in mind, it is important to make the right decisions to promote application longevity, while at the same time being open to new, improved solutions. For enterprises that are contemplating a mobile e-commerce strategy, the following points are worth considering:

1. Develop your mobile e-commerce strategy with an enterprise-wide focus.
2. Ensure your wired enterprise infrastructure is in order first.
3. Choose the right partner.
4. Anticipate change and be prepared to leverage new technologies[1].

Developing Your Mobile E-Commerce Business Strategy All your wireless communications and other mobile activities are an integral part of your e-commerce. Choose an enterprise-wide solution that covers your e-commerce from end to end, providing all the required measures for security, management, and information access.

Ensuring Your Wired Enterprise Infrastructure Is in Order First It is easier to integrate a wireless network into a well-managed wired environment. And, it’s even easier at an enterprise-wide scale.

Choosing the Right Partner You should get into partnerships with the right companies that can help you with your specific needs. Work with systems integrators who have a focused wireless practice. It is, therefore, extremely important to choose the right software vendor to deliver an integrated, comprehensive, and reliable enterprise-wide solution for your e-commerce.

Anticipating Change and Leveraging New Technologies The wireless industry is changing rapidly. Mobile devices are getting smaller, faster, and more capable. Performance of wireless networks is steadily improving. Opportunities to leverage mobile technologies will continue to grow. Associate with companies that will change with the times and yet be stable in what they do best. Finally, other issues such as performance, extensive coverage, hand-over—between wireless local area networks (WLANs) and wireless wide area networks (WWANs)—and roaming, are also important and must be part of the evaluation process. Although it is important to implement a strategy for mobile e-commerce, an overall enterprise focus is imperative to gain fast and steady returns on investments.

Summary The demand for and use of mobile technologies is increasing at a phenomenal rate. Simultaneously, the underlying landscape of mobile technologies is changing rapidly, creating the need for solutions to facilitate the long-term growth and success of mobile enterprise initiatives. It is important for software vendors to provide comprehensive solutions to manage, secure, and maintain the mobile applications infrastructure, while fostering development, integration, and access to applications and information over wireless mediums. Finally, although it is one thing for organizations to keep up with the latest industry trends, making it happen in everyday life is a totally different story. Enterprises must contemplate developing a mobile e-commerce strategy.

Chapter 9: Enhancing a Web Server with E-Commerce Application Development “Modesty: the gentle art of enhancing your charm by pretending not to be aware of it.” —Anonymous

Overview Today, business needs to be on the Web. Cost-effective marketing, increased sales opportunities, customer service, supply chain management, and enhanced Web server communications are just a few of the benefits the Internet offers. But, building and maintaining an Internet presence can require a considerable investment of resources, and organizations are actively seeking ways to get a high return on their investment. Leading e-commerce software applications offer solutions that maximize a Web server's business value. These solutions reduce costs by automating and streamlining processes, and increase revenues by helping you market, sell, and service your products more effectively. Deploying a Web site server is a fast, comprehensive means to establish and maintain high-yield relationships with customers, suppliers, and other value-chain members. According to Forrester Research, companies saw online sales increase 20% between 2001 and 2002, versus 4.4% for traditional sales outlets.

The Changing Face of Application Development IT organizations are in a new era. The boom times marked by soaring budgets for Y2K and Euro projects and the heady dot-com era are over. A changing economy has caused businesses to focus on maximizing the value and effectiveness of IT investments, while controlling costs. These new business expectations create a variety of challenges for business and IT to build and deploy effective Web server-based applications.

Business Demands The good news is that most businesses are now aware that the capabilities of the IT organization to build and deploy Web server-based applications are vital to competing and thriving in this highly competitive world. This perception of the value of IT is tempered by a need to ensure that projects are prioritized based on their value to the business. Instead of looking for projects that promise exotic new markets, the priority today is for those that have clearly defined deliverables and provide a measurable ROI. The business expectation is for IT to help the company achieve competitive advantages. Development projects that improve customer service and integrate information from across the enterprise are still high on the business agenda. Aligning IT with these new business demands is critical for success.

Challenges for E-Business Development IT challenges have never been greater. Risk reduction is a key IT objective. At the same time, service levels and measurable ROIs are essential components of communications between IT and the business. IT must also consider how to maximize its value to the organization. Ultimately, focusing on the right projects is important, but IT must also deliver quality applications that benefit the entire business. Control over complexity is also crucial. New technologies are arriving at an accelerating pace. Key technology focus areas today include: Portals: Enterprise portals are now the standard browser-based vehicles to deliver enterprise information. Web services: Integrating enterprise systems is a required foundation to support new portal, wireless[4], and other initiatives. Wireless: Full-time access to production business systems is increasingly demanded for mobile employees[3] and customers[2]. The IT organization must embrace these new technologies and evaluate a wide range of other new technologies, such as enhanced Linux servers and new generations of development tools. In all of these cases, successful implementations must be controlled from the perspective of the entire infrastructure. For many years, IT professionals have worked to improve development processes and apply new technologies to benefit enhanced Web server-based application development. These well-known initiatives are reflected in Computer Aided Software Engineering (CASE), object oriented, and component development tools and others. Although each of these has contributed positively to enhanced Web server-based application development, managing the overall development process is as important as the technology and tools that are used to build the systems. The Software Engineering Institute (SEI) is a federally funded research and development center committed to the evolution of software engineering processes. 
The SEI developed what is known as the Software Capability Maturity Model (SW-CMM), which defines process models for software development projects. It is an excellent example of an innovative initiative to help software organizations improve the maturity of their software development processes.

[2] Le Clair, Don, "Managing eBusiness Development," Computer Associates International, Inc., Islandia, NY, 2003.
[3] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.
[4] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

Enterprise Development Needs To maximize value, the three main stakeholders (Business, Application Development, and IT Operations) need to work together smoothly as shown in Figure 9.1[2]. Solutions that do not address the needs of all three groups will fail.

Enhanced Web server-based e-commerce application development for the modern enterprise means much more than just writing code. Managing the e-business development process involves delivering results in three ways:

• Maximize business value by aligning IT implementations with business goals.
• Increase IT effectiveness by better integrating development and operations.
• Control complexity with end-to-end life cycle management[2].

Meeting these needs requires good communication between the business and IT communities to be successful. With that foundation, it is possible to evaluate how technology can be applied to address the specialized needs of each stakeholder.

Maximizing Business Value IT expenditures need to be justified and rejustified regularly. IT must ensure that the real and evolving business requirements are reflected in the resulting applications. They must also ensure that resources are focused on projects that have high impact on the business. To ensure that the individual projects actually meet the needs of the business users, it is vital to drive business knowledge into IT through requirements and business process modeling. There is no value to the business for systems that don’t meet the user’s functional requirements. This process must also address the user’s service-level expectations. Response time and system availability metrics are just as important as features and functions in successful deployments.

Aligning IT’s resources with business priorities (IT Portfolio Management) is mandatory. For this to succeed, there must be communication between IT and the business. Key enabling technology includes solutions that help IT to assess the risk, cost, and benefits of all initiatives. A management portal is an essential tool for bringing together real-time project status and scheduling information. People are hungry for current, reliable information about the enhanced Web server-based e-commerce application development process. Extensive “what-if” capabilities on resource and portfolio commitments are also necessary to quickly and effectively respond to new business opportunities and a changing competitive landscape. Project management solutions with the capability to manage enterprise-wide schedules make this possible. With these capabilities in place, a CIO can have confidence that development projects are focused on delivering maximum value to the business, and that these efforts are supported by technology that enables a free flow of communications with the line of business management.

Increasing IT Effectiveness

Of course, IT must maximize the effectiveness of the development organization itself. In addition, many CIOs have a focus on removing any internal obstacles between application development and IT operations to ensure that successful, enhanced Web server-based e-commerce application development efforts flow into successful deployments. A top priority is to accelerate time to market with proven best development practices. An ideal solution will support the delivery of prepackaged best practices libraries that make the experience of other professionals available out-of-the-box. Leveraging the expertise of organizations like the SEI can jump-start efforts to implement consistent, repeatable development processes and reduce the risk associated with development efforts. The ultimate goal is to improve quality and effectiveness through a continuous process improvement cycle. This discipline is widely used in manufacturing and is equally applicable to enhanced Web server-based e-commerce application development. Any effective process management solution must be customizable to encompass the actual experiences of your own organization.

Modeling is a proven solution for improving the effectiveness of the development process. Modeling techniques apply in many areas of the development process, including data modeling, component modeling, and business process modeling, which was discussed earlier. Data modeling makes Database Administrators (DBAs) and architects more productive and less error-prone by automating manual processes. Advanced tools in this area provide guidance and validation of logical and physical models, matched with support for the many different relational databases deployed in the enterprise. Sophisticated modeling tools support data cleanliness initiatives by reconciling data models between different applications and databases. Component modeling helps architects and developers improve the quality of system design from the outset. The strongest solutions in this area provide full support for the Unified Modeling Language (UML) standard. UML ensures support for a broad array of modeling activities and the ability to import models into many popular development tools. For enterprise projects, it is also important to support larger development teams with sophisticated solutions that enable collaborative modeling. Model integration between solutions works to ensure consistency and automate communication among all participants in the development process. Sharing and the exchange of models in this environment is critical to success.

It is also important to apply solutions that more effectively tie the Development and IT Operations organizations together. Two key areas to address are software delivery and service desk. Moving software into production requires smooth integration between development’s change and configuration management solutions and modern software delivery solutions that ensure all the components of modern distributed applications are deployed synchronously. Postdeployment support requires that any problems reported to the service desk can be traced back to the developer’s efforts to fix them. There is a long tradition of solutions that improve the productivity of developers. Improving the overall effectiveness of IT means having solutions that address the collaborative needs of developers, DBAs, and operations staff to help them manage the entire development process.

Controlling Complexity

The enterprise enhanced Web server-based e-commerce application development environment is growing exponentially more complex. New development projects frequently need both Web and wireless deployments and must integrate information from a wide array of systems and platforms. Supporting these new applications requires a wide range of technical skills and the deployment of many sophisticated new technologies. This dynamic environment is driving the need for sophisticated enterprise-caliber change and configuration management (CCM) solutions. An enterprise solution must deliver continuous control across processes, designs, and applications. In addition to managing on traditional mainframe, Unix, and Windows® platforms, leading solutions must support the growing popularity of Linux servers. Given the multiplatform nature of new Web services and wireless technology, CCM solutions must have the capability to centrally manage change packages that span all these environments. Deploying applications has also become more complicated than ever before. For example, deploying a single new wireless application may require the synchronized delivery of components to wireless devices, Web servers, application servers, and mainframes. If any individual component is not deployed, then the entire application will not work. Successful deployments depend on the ability of the CCM solution used by the development organization to effectively integrate with the software delivery capabilities used by IT operations.

Enhanced Web Server-Based E-Commerce Site Business Objectives

Companies that market, sell, and service products via the Web share similar objectives, which typically include:

• Creating a customer community through improved communications, which can involve online discussion groups, targeted promotions, and content that fits customers’ interests.
• Reducing transaction costs. Automating online order and fulfillment processes is just one method to streamline business tasks.
• Facilitating customer self-service and reducing customer service costs by decreasing expensive dependence on call centers.
• Gaining insight into customer behavior to market and sell more effectively. This is accomplished with sophisticated analysis and reporting applications that transform information collected from observation logs, customer profiles, and transaction databases into knowledge that can help you determine what your customers want.

Meeting some or all of these objectives can enhance the site’s business value and overall profitability. A Web site is a fast, inexpensive way to deliver information to customers and to tailor it to their individual concerns. According to Forrester Research, 90 percent of all customer, partner, and employee interactions occur on the Web. So, is your business ready to make the most of its Web site? To do so, a technology solution must deliver a full spectrum of functionality for data gathering and analysis, retail commerce, application integration, information exchange, and publishing.

Categories of Business Value

An e-commerce solution can deliver business value benefits in the following categories, which correspond to Web site business objectives.

Improved Customer Communications

On its site, a company needs to be able to leverage all relevant information in order to:

• Cross-sell products and services.
• Make personalized, effective recommendations on products and services.
• Plan promotions and marketing campaigns.
• Provide targeted information based on customer profiles[1].

Realizing the preceding four goals lets your business take full advantage of one-to-one personalization. Customer loyalty depends on the quality of the buying experience. So, anything you can do to enhance that experience will translate into better business value. The goal is to maximize the value from each customer contact and to deliver highly personalized interactions to all customers through real-time, as well as offline, channels. The value of personalized interaction was underlined by a survey conducted by Jupiter Research, which found that the personalized service offered by 36 surveyed e-commerce sites boosted new customers by 48% in the first year and increased revenues by 51%. Leading-edge solutions enable you to capture detailed information about individual customers, then analyze the information to make better business decisions, customize responses, and maximize the effectiveness of your communications by tailoring your interactions with specific users. By gaining in-depth knowledge of your customers, you can personalize communications to better serve their needs, develop trust, and build profitable long-term relationships.

Streamlined Business Processes

Organizations significantly increase their Web-based server site’s business value by automating order processing and fulfillment. Reducing paper-based transactions and improving organizational efficiency and effectiveness can lower costs. In addition, organizations can leverage the Web and wireless infrastructure to provide automated service (and reduce phone calls to employees) throughout the transaction process. To facilitate automation, you can easily integrate e-business solutions with existing applications and systems, and access information contained in legacy systems. Multiple Enterprise Application Integration (EAI) solutions are available from leading commerce portal providers to integrate popular applications from such vendors as SAP and Siebel® Systems. Such integration enables you to streamline processes, exchange information, and conduct business more efficiently. For sites that offer a multitude of products, targeting is essential. With information from customers, you can narrow down the most appropriate suggestions. The ability to deliver a simple, relevant, and consistent user experience is key to enhancing Web-based servers and the online experience and maximizing selling opportunities.

Improved Service Efficiencies and Customer Satisfaction

Early analysis of the value of e-business focused largely on transaction savings as a means to justify Web-based server site investments. Personalized service delivered via the Web is highly effective in improving customer satisfaction and retention rates, thereby increasing the lifetime value of a customer. In addition, providing customer self-service via a Web-based server site enhances business value by reducing staffing costs for service and support employees. Many companies set a goal of handling 80% to 90% of customer care interactions via personalized self-service. Enabling customer self-service with access to real-time product availability, order status, and customer account information will improve customer satisfaction while lowering operational costs. An additional step to improving a site’s business value is to combine site data with other business data such as call center information. Doing so enables you to identify, for example, customers who have the following profile—heavy-volume call center user, large-volume offline purchaser, and online user. The goal is then to move such customers more online, thereby reducing their dependency on high-cost call center operations and lowering transaction costs.

Meeting Customer Needs and Wants

Analyzing customers’ online behavior, trends, and patterns, and building a comprehensive customer database can lead to a clearer understanding of how to attract new customers and retain existing ones. This knowledge can improve a site’s business value when used to design marketing campaigns, more precisely target offerings, and increase customer loyalty and lifetime customer value. Leading e-commerce solutions enable comprehensive profiling of site visitors, based on observed (click stream), stated (registration), and implicit (purchase) behavior. These solutions help you acquire and analyze customer information, so you can take advantage of mass personalization capabilities to communicate and market your products more effectively. This can help increase your Web-based server site revenues by enhancing your ability to close sales through targeted, real-time promotions. It also allows you to merchandise your products more effectively, and reduce the time and effort required to market on the Web. Considering the importance of customer convenience in today’s world of information overload, a site must be efficient and easy-to-use. Tailoring product information, promotions, and messages to each customer’s needs will enable more productive site visits. That can lead to more satisfied users and a significant increase in repeat business. Additionally, search capabilities that enable consumers to go directly to products that interest them will help improve business value via increased ratio of transactions to browser visits. Customer satisfaction and repeat business are crucial for improving the business value of your Web-based server site.

[1] “Delivering Incremental Business Value Through Your Web Site,” Copyright © Sprint 2002. All rights reserved. Sprint Communications Company L.P., Kansas City, MO 64112, USA, 2002.

Assessing a Site’s Current Business Value

Sophisticated analysis and reporting applications not only tell you what your customers are doing, but also report on how your business is doing. You can identify the nature of the relationship of current online users, thereby establishing a baseline for your site. It’s difficult to move forward in a useful direction if you don’t know where you are. To assess that relationship, you need to determine how involved current customers are with the site. Finding that out requires getting answers to such questions as:

• Do they simply browse or do they purchase?
• How much money do they spend?
• What is the repeat purchase rate?
• How and when do they access the site?
• How much time do they spend on their visits? Is their time being spent in a useful manner or wasted because of poor design and tedious searches?
• How often do they visit the site?
• What are their areas of interest[1]?

You also need to assess your customers’ actual value to your business. Usually, this is calculated via transactional data on how recently and how frequently they’ve visited the site, and the value of their purchases. However, it could also be a figure based on the characteristics of your customers. For example, small and medium-sized businesses have more value than home office workers do. Answering these questions about current site users will help you prioritize which customers you want most to retain and develop. To further drive a site’s business value, you need to gather information about both online and offline customers, so you can decide which of them has the potential to become a more valuable online customer. You can then overlay the assessment of potential customer value onto the baseline view to more precisely define the customers you want to develop into valuable customers for the future. The goals for current valuable offline users are to identify them and turn them into valuable online customers, which can enhance the business value of a site by reducing costs for processing transactions and providing customer service. The first step is to segment users into categories based on their value and their usage of the site.
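The baseline described above (who browses versus buys, repeat purchase rate, transactions per visit) and the value calculation (how recently and how frequently a customer has bought, and how much) can be computed directly from transaction records. The following Python is an added example, not code from the book or from any vendor it cites; the order rows, visit counts, reporting date and the segment thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the book): one row per completed order.
TRANSACTIONS = [
    # (customer_id, order_date, amount_usd)
    ("c001", date(2003, 1, 5), 120.00),
    ("c001", date(2003, 2, 10), 80.00),
    ("c001", date(2003, 2, 25), 45.50),
    ("c002", date(2002, 9, 1), 600.00),
    ("c003", date(2003, 2, 27), 15.00),
    ("c004", date(2002, 6, 15), 30.00),
    ("c004", date(2002, 7, 1), 25.00),
]
# Constructed per-customer site visit counts over the same period.
VISITS = {"c001": 6, "c002": 2, "c003": 8, "c004": 4}
AS_OF = date(2003, 3, 1)  # reporting date used to compute recency


@dataclass
class RFM:
    recency_days: int   # days since the customer's most recent order
    frequency: int      # number of orders
    monetary: float     # total spend


def rfm_scores(transactions, as_of):
    """Compute recency, frequency and monetary value for every customer with an order."""
    last_order = {}
    count = defaultdict(int)
    spend = defaultdict(float)
    for customer, when, amount in transactions:
        count[customer] += 1
        spend[customer] += amount
        if customer not in last_order or when > last_order[customer]:
            last_order[customer] = when
    return {
        c: RFM((as_of - last_order[c]).days, count[c], round(spend[c], 2))
        for c in count
    }


def segment(score, lapsed_after_days=180, high_value=500.0):
    """Place a customer in a value/usage category (thresholds are illustrative assumptions)."""
    if score.recency_days > lapsed_after_days:
        return "lapsed-high-value" if score.monetary >= high_value else "lapsed"
    if score.frequency >= 2:
        return "loyal"
    return "occasional"


def site_baseline(transactions, visits, as_of):
    """Answer the baseline questions: who buys, how often, and how often a visit converts."""
    scores = rfm_scores(transactions, as_of)
    segments = {c: segment(s) for c, s in scores.items()}
    repeat_rate = sum(1 for s in scores.values() if s.frequency >= 2) / len(scores)
    conversion = len(transactions) / sum(visits.values())
    return {
        "segments": segments,
        "repeat_purchase_rate": round(repeat_rate, 2),
        "orders_per_visit": round(conversion, 2),
    }


if __name__ == "__main__":
    for key, value in site_baseline(TRANSACTIONS, VISITS, AS_OF).items():
        print(key, value)
```

The segment rules are deliberately simple so that the resulting categories can be explained to the business side; in practice the thresholds would be tuned against the site's own purchase cycle, and customers with no orders at all (browsers only) would be pulled from the visit log rather than from the transaction table.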

Improving Business Value

Analysis and reporting functionality can help improve the business value of your enhanced Web-based server site by enabling you to take the following steps. First, you need to review the information available to construct a logical baseline view of your customers. Analysis and reporting tools maximize the value of the information you’ve already captured because they help you gain intelligent insight into customer behavior, preferences, and purchase patterns. They then leverage this information into improved interactions with individual customers. Analysis applications transform e-commerce information from observation logs, customer profiles, and transaction databases into timely information that helps you offer customers the right products or services at the right time and the right price.

Second, you should use individual profile information and behavioral information on customers gathered from their online activities, combined with business and external research data, to create a comprehensive picture of your online and offline customer base.

Third, you should analyze the picture to understand what different customer groups need from the enhanced Web-based server site and what their requirements might be. This analysis can help you to create appropriate content, messages, and promotions—even help you develop new products and services that can be “pushed” to the target individuals or groups, creating a cohesive strategy across all customer touch points. In the online environment, this works by specifying business rules that push the right messages to the right people at the right time. This, in turn, maximizes the opportunity to influence customer behavior, thereby maximizing the site’s business value. For example, one group of customers may be cash-rich and time-poor. The analysis and reporting functionality of your site can help you identify the appropriate content this group will be inclined to “pull” from the site, and then target messages you need to “push” toward them to stimulate and increase their online spending and value as customers.

Fourth, an effective e-commerce solution enables you to integrate e-business solutions with existing applications and systems, and to access information contained in legacy systems. This integration is a key to enhancing the business value of a site because it enables you to automate processes for marketing, selling, and service, and to get a complete picture of your customers.
Your enhanced server-based Web site can be an invaluable channel for reaching new markets and customers, reducing costs by automating and streamlining processes, getting to know your customers, and selling and servicing your products more effectively. Solutions that effectively consolidate information and streamline transactions can be the key to achieving a superior return on your investment in enhanced server-based Web site technology.

Managed Solutions

Large U.S. companies have begun to outsource their enhanced Web server hardware, databases, and applications software, as well as all the management and maintenance of hardware, software, and content. It is becoming more and more popular for companies to outsource these functions to experts rather than use a less skilled or constrained in-house team. Almost all hosting is about cost savings, performance improvement, and convenience. Because of the sluggishness in the overall economy, many service providers and enterprises can no longer afford to do this IT function in-house. Those who have held off on expansion cannot afford large capital expenses for new equipment or expensive personnel. For example, according to industry analysts, 53% of IT professionals stated that staffing expenses will rise in 2004 regardless of the economy. According to Forrester Research, enterprises can save 47% to 82% of their enhanced Web site-based server infrastructure costs by turning over their sites completely to a Web host. Hosted companies experienced a 91% drop in downtime incidents. The increased uptime translates into about $5.8 million per year in revenues per company. There are many conveniences that come along with outsourcing, including easy access to bandwidth, availability of complementary products, security, consulting services, and predictable budgeting. These conveniences enable companies to focus on core competencies, improving overall productivity. Enterprises are still wary of giving up mission-critical applications to hosting providers. There is a general concern that a company gives up too much control and limits its IT flexibility when outsourcing mission-critical applications. But according to Summit Strategies, outsourcing enhances capabilities, supplements in-house skills, and provides for optimized environments. Plus, outsourcing does not need to be an “all or nothing” proposition. Finally, according to Cahners In-Stat Group, e-commerce applications are the most likely applications to be outsourced by medium-sized companies. At large companies, these applications are the second most likely to be outsourced (after database).

Summary

Today, businesses take a pragmatic view of investments in IT. For IT managers, the key to success is to provide the maximum business value for the minimum cost. To achieve this, IT must align enhanced server-based application development and operations with the needs and priorities of the business. IT must also increase its overall effectiveness and minimize the risks in delivering new projects and applying new technology. Further, IT must gain and maintain control over the increasing complexity of the enterprise enhanced server-based application development environment. Finally, when faced with productivity challenges to get more with less, leading e-commerce software applications play an integral role in maximizing the business value of your enhanced server-based Web site. By using your enhanced server-based Web site to unify and extend information and business processes to service customers, suppliers, and employees, you can help deliver incremental business value from your Web site. Moving relationships to a personalized and collaborative self-service model enables you to enhance growth, reduce costs, and improve productivity. And, by combining marketing, transaction, and service functions in a single solution, you reduce your overall cost of doing business. Additional efficiencies may be garnered by outsourcing the management and maintenance of your e-commerce solution. Outsourcing can enable you to reduce costs, improve performance, and enhance convenience.

Part III: Implementing and Managing E-Commerce Web Sites

Chapter List

Chapter 10: Strategies, Techniques, and Tools
Chapter 11: Implementing Merchandising Strategies
Chapter 12: Implementing E-Commerce Databases
Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development

Chapter 10: Strategies, Techniques, and Tools

“Men have become the tools of their tools.” —Henry David Thoreau (1817–1862)

Overview

E-business is delivering tremendous benefits in some fields: making financial management more efficient, automating activities in human resources, improving vendor-buyer relations in supply chains, streamlining workforce and project activities, and providing managers with the analytic data they need to improve decision making. There has been mixed success in other areas; retail e-commerce, for instance, has expanded exponentially, but technical glitches and delivery problems have dampened customer satisfaction. In spite of the uneven record, most statistics paint a picture of e-business as an enticing way to conduct business.

• As of February 2003, there were more than 637 million people online.
• Companies that use e-business technologies to replace paper-based purchasing processes have reduced individual transaction costs from as much as $150 to less than $10.
• Reliable estimates indicate that the healthcare industry could save $44 billion a year by using e-business processes to improve supply chain efficiencies[1].

[1] “Building an e-Business Strategy: What to Do Now. What to Do Next,” © 2003, Lawson Software, All rights reserved, Lawson Software, 380 St. Peter Street, St. Paul, MN 55102, USA, 2003.

E-Business Now

Those interested in adopting or refining an e-business strategy are dealing with mixed signals. On one hand, there is reason for caution. Stories of failed dot-com companies that made big promises, but didn’t deliver, fill the financial pages. Long implementation periods and complicated “transitions” give many managers pause. High costs for technology that may be quickly obsolete also have a dampening effect on the e-business acceptance curve. And yet, the promise of e-business is such that it overwhelms most objections. From backend process reengineering to frontend customer convenience, e-business offers what most organizations need to grow in a worldwide economy and compete against a host of new rivals. In some industries, the proof is already there and the case for e-business is especially compelling:

• Healthcare organizations are using Web-based supply chain processes to radically reduce costs and improve patient care. They are also using Web-based human resource systems to recruit and retain qualified professionals in a very tight labor market.
• In retail, Web-based financial applications are greatly simplifying the details of franchise management, reducing paper-based transactions, improving communications, and providing easy-to-use analytical information at the store level.
• In the public sector, schools and government offices are adopting e-business technologies to facilitate group purchasing, reduce operational costs, and make services and information more accessible.
• The financial services industry is using e-business technology to reduce procurement costs and to introduce new services to customers.
• The professional services industry is using Web-based applications to track and maintain relationships with employees across multiple jobs and sites, and fully facilitate projects, significantly reducing the time from opportunity to cash-in-hand[1].

Other industries are also finding that e-business is changing the way they handle traditional tasks, how they go to market, and even their business focus. The graphic arts industry, for instance, is replacing paper-based, prepress proofing with online proofs that can be reviewed quickly and cheaply. Small companies are finding they can compete worldwide through Web sites linked to online catalogs. Application Service Providers (ASPs) are creating whole new enterprises around e-business solutions developed for niche markets. In today’s world, e-business is the magic driving the way companies cope with changes in the marketplace. It’s no longer a question of whether or when to implement an e-business strategy. It’s how and with whom.

What E-Business Offers Now There are two primary options for organizations that are reviewing their e-business strategies: use e-business to concentrate on core businesses and use e-business to develop new competencies.

Using E-Business to Concentrate on Core Businesses Electronic technologies offer ways to dramatically streamline business processes, improve operational efficiencies, and reduce purchasing costs. Incorporating e-business into a company’s infrastructure eliminates a lot of routine work and provides renewed concentration on core activities such as customer service. Some companies even redefined what their core business is. Nike®, for example, has used e-business technology to help it refocus on sales and marketing. IBM has shifted its corporate focus from selling computers to providing e-business services.

Using E-Business to Develop New Competencies

E-business offers ways to create new markets and even new lines of business. Business Service Providers (BSPs), for instance, develop or purchase new technologies and then package them to sell to niche markets. Some BSPs have taken a different path, leaving the context (the specific market application) to others, while they provide technologies (financial applications, human resource systems, etc.) widely used in every business organization.

Whichever broad direction is chosen (or if a combination of both seems best), there are key issues that need to be addressed in the early stages of deciding on an e-business strategy. The first is to clarify the terminology so everyone is speaking the same language. For example, “e-business” has been defined as “a technology-enabled application environment to facilitate the exchange of business information and automate commercial transactions”[1]. At its broadest level, e-business refers to just about any business activity done using the Internet. In a narrower sense, a true e-business process means that everything is done electronically (from the time it is initiated until the process cycle is complete) with no human interaction needed until a decision must be made.

Next, “e-commerce” refers to commercial transactions conducted online. In its more popular sense, e-commerce refers to retailing on the Internet—selling directly to consumers through a Web site. But, a broader understanding of e-commerce must include business-to-business commercial applications: using the Internet for procurement and distribution and employing e-business technologies to streamline supply chain operations.

On the other hand, an “e-service” is a service delivered over the Internet. It is an e-business solution to a specific need—often a Web site or group of Web sites. For example, the “Apply Here” button on a job recruitment Web site that allows anyone to apply for an open position is an e-service. This also includes the delivery of financial data in a format that helps the recipient use analytics to automatically slice and dice the data and create charts and presentation materials.

Finally, “360-degree e-business” is the ultimate goal of e-business strategies. It means that information flows from decision maker to decision maker, and business processes can be initiated and completed online. The 360-degree e-business supply chain solutions, for instance, let procurement professionals input requisition information, solicit and receive bids for contract and noncontract items, check pricing, verify and accept delivery, receive invoices, and authorize payment and electronically pay—all online. The benefits include reduced purchasing costs, streamlined operations, and improved relationships with vendors. The 360-degree e-business requires open access to information and analytical capabilities that are both sophisticated and easy-to-use.

The difference between “Web-deployable” and “Web-addressable” is also significant (see sidebar, “Web-Addressable Versus Web-Deployable”). Web-deployable simply means that specific applications can be delivered or accessed over the Internet. Web-addressable means that virtually any business activity can be done on the Internet through server-based logic that can be referenced and executed via a URL. Once the terminology is clear, the other issues that need to be addressed in an e-business strategy depend on the type of organization. Some companies need to prioritize security or financial data management, whereas others need to focus on Human Resources (HR) applications such as empowering employees to self-manage their own basic HR information. Still others will find the greatest advantage in using e-business to streamline purchasing operations or to distribute information more efficiently across multiple locations.

Web-Addressable Versus Web-Deployable

Web-deployable refers to applications that can be delivered or accessed over the Internet. Web-deployable applications render their user interface in a browser. For example, some applications have distinct business objects that can be deployed via Web-related standards and protocols. These business objects support end users who access various systems occasionally, thus providing a standard presentation and common navigation process via a browser. Web-addressable refers to server-based application logic that can be referenced and executed via a URL. Web-addressability means an application can be “remote controlled” via standard HTTP commands (and/or Java remote method invocation). In other words, this means that all applications here are Web-addressable. For example, an HTTP call could allow the user to change the address of the customer, extend their credit limit, or change their main corporate contact, all from a browser, without a third party reentering data into the system.

Benefits of Web-Addressability

The following are the benefits of Web-addressability:

• Access standard objects simply by entering a URL address.
• Simplify administration of applications by the Web-addressable solution utilizing the same business logic as your core business management system.
• Simplify deployment of applications to remote users via browser-based access.
• Manage one set of business objects.
• Separate objects that do not have to be accessed with an embedded parameter to access your back office data[1].
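As an added example (not code from the book or from any vendor it describes), the following Python sketches a Web-addressable dispatcher of the kind the sidebar describes: business objects such as a customer's address, contact and credit limit are referenced by URL and invoked with standard HTTP methods. The customer records, bearer tokens, role names, URL scheme and operation table are all constructed placeholders. Because business logic reachable by URL is reachable by anyone who can form the URL, the example also carries the checks a practitioner would expect around it: the caller is authenticated, a customer can only address their own record, extending a credit limit requires a staff role, and state changes are accepted only via POST rather than a bookmarkable GET.

```python
import hmac
import json
from urllib.parse import urlsplit

# Constructed in-memory back-office records (illustrative, not a real system).
CUSTOMERS = {
    "1001": {"address": "1 Main St", "credit_limit": 5000, "contact": "A. Buyer"},
    "1002": {"address": "9 Elm Rd", "credit_limit": 2500, "contact": "B. Client"},
}
# Constructed session table: placeholder bearer token -> authenticated principal.
SESSIONS = {
    "tok-cust-1001": {"subject": "customer:1001", "roles": {"customer"}},
    "tok-credit-mgr": {"subject": "employee:42", "roles": {"credit_manager"}},
}
# Business objects addressable as /customer/<id>/<object>, with the roles allowed to use each.
OPERATIONS = {
    "address": {"roles": {"customer", "credit_manager"}, "field": "address"},
    "contact": {"roles": {"customer", "credit_manager"}, "field": "contact"},
    "credit-limit": {"roles": {"credit_manager"}, "field": "credit_limit"},
}


def _authenticate(headers):
    """Map an Authorization: Bearer header to a principal, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, principal in SESSIONS.items():
        if hmac.compare_digest(presented, token):  # constant-time compare
            return principal
    return None


def _authorized(principal, op, customer_id):
    """Role check, plus an ownership check so a customer only reaches their own record."""
    if not principal["roles"] & op["roles"]:
        return False
    if "credit_manager" not in principal["roles"]:
        return principal["subject"] == f"customer:{customer_id}"
    return True


def handle_request(method, url, headers, body=""):
    """Dispatch an HTTP request to the addressed business object; returns (status, payload)."""
    segments = urlsplit(url).path.strip("/").split("/")
    if len(segments) != 3 or segments[0] != "customer":
        return 404, {"error": "unknown object"}
    _, customer_id, op_name = segments
    op = OPERATIONS.get(op_name)
    if op is None or customer_id not in CUSTOMERS:
        return 404, {"error": "unknown object"}
    principal = _authenticate(headers)
    if principal is None:
        return 401, {"error": "authentication required"}
    if not _authorized(principal, op, customer_id):
        return 403, {"error": "not permitted"}
    field = op["field"]
    if method == "GET":
        return 200, {field: CUSTOMERS[customer_id][field]}
    if method == "POST":
        # State changes need a request body, so a plain link or bookmark cannot trigger them.
        try:
            value = json.loads(body or "{}")["value"]
        except (ValueError, KeyError):
            return 400, {"error": "body must be JSON with a 'value' field"}
        if field == "credit_limit" and not (isinstance(value, int) and 0 <= value <= 1_000_000):
            return 400, {"error": "credit_limit must be an integer in range"}
        CUSTOMERS[customer_id][field] = value
        return 200, {field: value}
    return 405, {"error": "method not allowed"}


def demo():
    """Issue a few calls the way a browser or script would; returns the status codes."""
    cust = {"Authorization": "Bearer tok-cust-1001"}
    mgr = {"Authorization": "Bearer tok-credit-mgr"}
    return [
        handle_request("GET", "/customer/1001/address", {})[0],                              # 401
        handle_request("POST", "/customer/1001/address", cust, '{"value": "2 Oak Ave"}')[0],  # 200
        handle_request("POST", "/customer/1001/credit-limit", cust, '{"value": 9000}')[0],   # 403
        handle_request("POST", "/customer/1001/credit-limit", mgr, '{"value": 9000}')[0],    # 200
        handle_request("GET", "/customer/1002/address", cust)[0],                            # 403
        handle_request("PUT", "/customer/1001/address", cust)[0],                            # 405
    ]


if __name__ == "__main__":
    print(demo())
```

The dispatcher is deliberately transport-agnostic (it takes the method, URL, headers and body as plain values) so the same logic can sit behind any HTTP server and be unit-tested without one; the authorization table next to the operation table is what keeps "addressable by URL" from meaning "callable by anyone".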

Building an Effective E-Business Strategy

There are four key issues that apply to most organizations. The following issues can be viewed as a prerequisite to building an effective e-business strategy:

1. Identify measurable business objectives.
2. Define costs and impact.
3. Align IT architecture.
4. Identify value propositions[1].

Identifying Measurable Business Objectives

Implementing an e-business strategy is a major undertaking. To ensure it is successful, objectives need to be identified at the beginning and measurable goals set. These may include eliminating steps in a business process, reducing the errors introduced by paper-based transactions, introducing new market opportunities, or improving information access among managers or departments.

Defining Costs and Impact

The costs of implementing an e-business strategy are measurable in both time and money. Some providers may have lower front-end costs, but the time-to-implement may be so lengthy and complicated that the actual costs are much higher. The impact on business units must also be anticipated. Introducing an e-business strategy in one department may result in crossover benefits to other operating functions of the organization. For instance, using e-business technologies to reduce routine HR functions frees HR professionals to take a more active role in strategic planning for the organization.

Aligning IT Architecture

Introducing e-business technology across multiple business entities can require a major commitment of IT support. Using an open architecture configuration eliminates this concern because e-business applications are transparent to all major hardware platforms, operating systems, and databases.

Identifying Value Propositions

Finally, implementing an e-business strategy will be a lot smoother if its value is made clear to all potential users. E-procurement applications, for instance, add value at the Purchasing Department level by reducing errors and streamlining processes. At the organizational level, value is added by facilitated group purchasing, which cuts costs. In addition, vendors receive added value because they have faster access to information so they can track invoices and payment. Done right, an e-business strategy is a win-win proposition for all involved.

Summary

The e-business revolution that began in 1997 is proceeding at a revolutionary pace—which is to say that it is proceeding rapidly, but not uniformly and not always in the ways that were predicted. Some industries are moving ahead as fast as technologies permit, and some are taking a wait-and-see attitude.

Chapter 11: Implementing Merchandising Strategies

“All of the animals except man know that the principal merchandising of life is to enjoy it.” —Anonymous

The Internet is changing the basis of competition for companies of all sizes. Although many successful formulas for e-business development now exist, most are based on one of the following merchandising strategies: Web entrepreneurship, virtual build-out, and operations improvement. This chapter explains how each strategy relies not only on a great Web site, but on high quality, system-ready information about products and the merchandising programs that drive sales.

Internet Business Development Merchandising Strategies

Web entrepreneurship is all about transforming an industry—without using brick and mortar. The core business development concept is to build a massive online customer base to gain economies of scale through educating buyers to use online services and transactions. The MicroAge x-Source business-to-business procurement service, Borders Books and Music, and e-Chemicals are a few examples.

Virtual build-out means expanding nationally or globally—beyond the limits of brick and mortar. The core concept is to transform an actual in-store experience into a Web experience available to anyone, anywhere. For practitioners of virtual build-out, the Web may supplement or be used in place of a catalog and telephone order expansion merchandising strategy. For example, REI, an outdoors outfitter in the Pacific Northwest, is using the Web to reach hiking and camping enthusiasts across the country. Its online stores sell as much as its largest regional stores—and in-store sales have not been impacted.

Operations improvement is targeted toward increasing the profit margins of an existing national or global business. The core concept is to replace the costs of sales and support staff, paper order processing, and brick-and-mortar operations with customer self-service, automated sales, delivery, and support services on the Web. Goodyear, for example, has saved millions of dollars in its dealer channel by using Web process automation to drive costs out of the sales process. Banks, financial firms, wholesalers and distributors, retailers, insurers, and even colleges and universities are pursuing Web-based operations improvement strategies to increase profits and enhance customer service.

You need to seriously consider strategies such as Web entrepreneurship, virtual build-out, and operations improvement to ensure you capture market share before your competitors do.

The Challenge: Content Management

These e-business development merchandising strategies rely on automation of product and service presentation, selection and purchasing, execution of merchandising plans such as cross-selling and special offers, and online delivery of customer support. Achieving such automation and simultaneous cost control requires absolutely accurate data. Inaccurate data translates into unhappy customers and decreased profits. So, attaining consistent, reliable data is critical to your e-commerce success. And, creating and maintaining reliable data requires effective content management.

There are two kinds of data: data about the products and services, such as name, description, features, and specifications; and meta-data, which is used to sell, deliver, and support your products, such as recommended accessories for cross-selling and taxable code and shipping weight to generate online invoices. As detailed later in the chapter, many companies have data and meta-data that are not in a form that supports full, cost-effective automation. The product data has inconsistencies and the meta-data exists as human procedures in multiple locations, or files in computer systems separated from the product data, requiring interpretation by people.

A further complication for companies intent on expanding e-business revenues and profits is that in the rush to establish an e-commerce operation, many have relied on runtime Web tools to do the preliminary build-time data preparation. The result is that they have to spend enormous effort with their Web site design tools in reworking data and meta-data every time they enhance their merchandising programs.

In fact, online merchandising presents a range of content management challenges that aren’t easily managed with traditional product data preparation methods. Here are a few examples:

• Effective online merchandising requires an array of techniques, such as product locators, problem solving wizards, and customer relationship tools to deliver engaging online experiences. Companies are learning that effective use of such techniques requires much cleaner and more consistent product information than appears in most catalogs or in the underlying databases.
• These techniques rely on product and shopper classification methods that require new meta-data at the product item, category, and even shopper level. Maintaining these attributes expands data preparation work.
• The cross-industry trend toward faster product development and shorter product life cycles means there are more product item adds, changes, and deletes than ever before.
• Many merchandising managers want a way to exploit the electronic product information that manufacturers have already prepared.
• The recognized need to keep e-commerce sites fresh and attractive requires more frequent updates. Consequently, the product information and catalog design teams find themselves working continuously on the online catalogs (instead of periodically as on paper catalogs), and they need more efficient, group-friendly product information maintenance tools[1].

[1] “Strategies for Online Merchandising,” © International Business Machines Corporation 2003, IBM Corporation, Software Group Division, Route 100, Somers, New York 10589, 2003.

Online Merchandising Strategies

Building a profitable and scalable e-commerce business requires flexible merchandising and an effective infrastructure. Flexible merchandising (delivering value and quality in meeting customer needs) is covered in this part of the chapter. Effective infrastructure (building efficient processes to create the information required for flexible merchandising) is covered later in the chapter.

Flexible Merchandising

The keys to effective online merchandising are simple: the site and sales process should be interesting, dynamic, appealing, and, most importantly, relevant to each shopper. Relevance means having the flexibility to provide a range of merchandising techniques to suit the needs of different shoppers, or the same shopper in different buying situations. Here is a collection of flexible merchandising strategies used on e-commerce sites—product locators, problem-solving techniques, and customer relationship tools.

Product Locators

Product locators help buyers find the products they need, often by using both a classification scheme and a search mechanism. Products need to be classified so buyers can easily locate them on your site. The efficient way is to incorporate classification data into the product detail and let e-commerce tools generate the Web pages as needed (as explained later in this chapter). The alternative is to laboriously paste the product data into Web page templates at the desired locations—and repaste if the site design changes. The following are some product locator strategies enabled by product classification data:

• Categories
• Visual catalog
• Parametric comparison
• Table of contents[1]

Categories

Many e-commerce sites organize products by category—beginning with a broad classification, such as clothing, and narrowing in steps, such as outerwear, until individual items, such as mountain parkas, are reached. This metaphor organizes products in a familiar way like paper catalogs, and buyers click through Web pages to reach real products.

Visual Catalog

An electronic components supplier provides a visual catalog that makes it easy to navigate by inspecting a tree of products and selecting items that look like the ones needed. This metaphor, which can be developed with custom templates, helps the occasional buyer who doesn’t know industry terminology. The supplier also provides search tools for frequent buyers that use full-text descriptions, product codes, or competitors’ product codes.

Parametric Comparison

A PC accessories reseller lets the buyer pick product models and accessories from pull-down menus and then presents a table of items that match. Then, the buyer can compare specifications of individual items against each other and select which to buy. This metaphor, available with custom templates, creates virtual mini-catalogs on the fly to suit buyer requirements.

Table of Contents

More sites are adding table of contents features to supplement the other access methods. Some sites have multiple tables of contents that include products, services, and online information. Each entry jumps to a page of items or a visual catalog.

Problem-Solving Techniques

Locating products is one thing; making the sale is another. Problem solving (matching the right products to the customer’s need) increases the chance of closing the sale and bolstering volume. Successful matching requires linking product uses to needs. The following are some problem-solving techniques made possible by product usage attributes:

• Questions and answers
• Up- and cross-selling
• Accessorization
• Customer relationship tools[1]

Questions and Answers

A technical products reseller provides a question-and-answer interface that leads the buyer through a dialogue governed by an expert system. This metaphor, available in most custom templates, helps the buyer clarify the requirement and identify candidate solutions at the same time. Such expert systems require linkage of recommended solutions to specific products. The reseller could also provide search tools for text descriptions, model names, and product codes.

Up- and Cross-Selling

Sites are beginning to add up-selling and cross-selling capabilities to enhance per-sale revenues. Up-selling offers more capable (and more costly) versions of a product. Cross-selling offers a complementary product to be purchased at the same time to expand the range of problems solved. Up- and cross-selling require links between models with varying levels of capacity and features and links to products with complementary uses.

Accessorization

Some sites focus on providing all items needed for specific uses, problems, or applications. For example, road warriors who want a portable printer may also need specific cables[2], batteries, power supplies, replacement print cartridges, ink tanks, special types of papers, helper applications, portable scanners, and even online access to clip art—all items that can be classified as “for use with” the portable printer.

Customer Relationship Tools

The customer relationship data, such as product preferences, past purchases, and demographics, can help shape merchandising strategies, if the relationship information is recorded in data attributes. The efficient way to employ customer relationship data is to accumulate preferences and purchase history on an ongoing basis in a customer profile—and ensure that this data can be linked with product detail for subsequent promotions. This approach is being adopted by increasing numbers of retailers and direct marketers for their customer loyalty programs. Or, you can analyze past sales data and classify customers after the fact. This is difficult if product descriptions are the usual haphazard abbreviations shown on invoices. The following merchandising techniques can be based on linkage of customer relationship attributes to product information:

• Customer preferences
• Past purchases
• Contracts
• Customization/personalization[1]

Customer Preferences

Keeping a record of preferences can enhance your relationship with customers in many ways. For example, maintaining the customer’s preferred payment method reduces form fill-in at payment time. Size, color, texture, style, genre, lifestyle, and language preferences can simplify the purchasing process and enhance sales for clothing, housewares, sports gear, music, books, periodicals, and other goods. Customer preferences need to tie back to category or item-level attributes to work effectively.

Past Purchases

Records of past customer purchases, especially equipment, can enhance sales opportunities for extended warranties, supplies, maintenance, upgrades, and add-ons. Past purchases of supply items can drive seasonal or customer-specific promotions. Leveraging purchases data is straightforward if the product codes used in recording the original sale are accurate and meaningful.

Contracts

Much business purchasing is done under supply contracts. Contracts can be administered systematically online if discounted items are explicitly listed in the contract (in other words, a contract-specific version of the catalog is prepared). Tiered discounts are often based on purchase volumes by commodity class, which requires accurate classification of product items.

Customization/Personalization

Meeting customer-specific requirements can cement your relationships. Customization requires data fields at the item level and carrying them through the order process. Business-to-consumer examples include storing measurements for make-to-order clothing and custom-fit bicycles in a profile, and enabling custom selections of music on CDs. Business-to-business examples include storing specifications for make-to-order servers, routers, lab equipment, and specialty chemicals in a profile, and enabling custom configuration of personal computers and servers[3].

Finally, product locators, problem-solving techniques, selling strategies, and customer relationship tools all rely on attributes to associate products with one another, merchandising techniques, and customer groups. Until recently, it has been difficult to rapidly deploy new merchandising strategies, because of the need to add new attribute fields and update existing field values for catalog entries.

[2] Vacca, John R., The Cabling Handbook (2nd Edition), Prentice Hall PTR, 2000.

[3] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.
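Every technique in this part of the chapter comes down to attributes carried on catalog entries. The following added example (not from the book or the IBM paper it cites) shows one way to carry those attributes in code, using a constructed Python catalog: a classification path for category browsing and parametric comparison, “for use with” links for accessorization, an upgrade link for up-selling, and a customer profile that drives preference- and purchase-based recommendations. The product codes, specifications, and profile layout are invented for the illustration.

```python
"""Added example (not from the book): a small catalog whose classification and
usage attributes drive the merchandising techniques the chapter lists.
Product codes such as P-100 and every specification are constructed."""
from dataclasses import dataclass, field


@dataclass
class Product:
    sku: str
    name: str
    category: tuple             # broad-to-narrow classification path
    specs: dict                 # parametric attributes (color, speed, ...)
    price: float
    for_use_with: set = field(default_factory=set)  # accessorization links
    upgrade_of: str = None      # up-selling link to the less capable model


CATALOG = {p.sku: p for p in [
    Product("P-100", "Portable printer", ("office", "printers", "portable"),
            {"ppm": 5, "color": False}, 199.0),
    Product("P-200", "Portable color printer", ("office", "printers", "portable"),
            {"ppm": 8, "color": True}, 299.0, upgrade_of="P-100"),
    Product("C-10", "Printer cable", ("office", "accessories", "cables"),
            {"length_m": 2}, 9.0, for_use_with={"P-100", "P-200"}),
    Product("B-5", "Printer battery", ("office", "accessories", "power"),
            {"capacity_mah": 2000}, 49.0, for_use_with={"P-200"}),
    Product("K-1", "Ink cartridge", ("office", "supplies", "ink"),
            {"color": True}, 25.0, for_use_with={"P-200"}),
]}


def browse(path):
    """Category locator: SKUs whose classification path starts with `path`."""
    path = tuple(path)
    return sorted(s for s, p in CATALOG.items() if p.category[:len(path)] == path)


def _matches(value, want):
    # A constraint is either a literal value or a predicate on the value.
    return want(value) if callable(want) else value == want


def parametric(path, **constraints):
    """Parametric comparison: products in a category meeting every constraint."""
    return [s for s in browse(path)
            if all(_matches(CATALOG[s].specs.get(k), v) for k, v in constraints.items())]


def accessories(sku):
    """Accessorization: everything classified as "for use with" the product."""
    return sorted(s for s, p in CATALOG.items() if sku in p.for_use_with)


def upsell(sku):
    """Up-selling: more capable models that list this one as their base."""
    return sorted(s for s, p in CATALOG.items() if p.upgrade_of == sku)


def recommend(profile):
    """Customer relationship tools: accessories and upgrades for past purchases,
    filtered by stated preferences. profile is a constructed dict of the form
    {"purchases": [sku, ...], "preferences": {spec_name: value, ...}}."""
    suggestions = set()
    for bought in profile.get("purchases", []):
        suggestions.update(accessories(bought))
        suggestions.update(upsell(bought))
    prefs = profile.get("preferences", {})
    kept = []
    for sku in sorted(suggestions):
        specs = CATALOG[sku].specs
        # An item with no value for the attribute does not contradict the preference.
        if all(specs.get(k, v) == v for k, v in prefs.items()):
            kept.append(sku)
    return kept


if __name__ == "__main__":
    print(parametric(("office", "printers"), color=True))
    print(recommend({"purchases": ["P-100"], "preferences": {"color": True}}))
```

Because each technique reads the same attribute fields, adding a new merchandising program means adding or updating attributes on the catalog entries, which is exactly the maintenance burden the chapter attributes to attribute-driven merchandising.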

Summary

Success in e-commerce depends on the execution of Web-based merchandising strategies to expand your customer base, increase sales, and reduce costs—all at the same time. Such strategies depend on highly accurate product data for electronic catalogs and additional information (also called meta-data) required to flexibly merchandise, sell, and support products and services online. Creating and maintaining electronic catalogs gets increasingly challenging as the number of Stock Keeping Units (SKUs), product features, and special catalogs increases. There’s a huge volume of data to be managed, and meta-data for products, categories, and customers is needed to support merchandising. Finally, effective merchandising tactics such as customized sales assistance, parametric search, up- and cross-selling, personalization, and special offers all rely on the ability to link products with other products, selling strategies, or shopper interests.

Chapter 12: Implementing E-Commerce Databases

“Do not quench your inspiration and your imagination; do not become the slave of your model.” —Vincent van Gogh (1853–1890)

Overview

E-commerce technology is growing at a phenomenal pace. The Web provides a platform-independent, common user interface to information all over the world at an economical rate. Every major software vendor in the world has included some sort of e-commerce-based solution for their products, ranging from support to direct interfaces to Web technology. Over the last seven years, the Web has evolved from a file-based retrieval system to an application-oriented medium where users can perform purchases, query databases, or even customize their interface to various sites. This evolution has challenged Web developers and Web masters to keep the content on Web sites up-to-date, collect meaningful statistics on the use of the site, and empower the content owners with the maintenance of the Web content.

The state of Web technology has evolved so quickly that there are many competing e-commerce database implementation solutions from which the developer can choose. Most of these solutions work well in a single vendor or a homogeneous environment. However, when working in a heterogeneous environment with multiple operating systems, database applications, and Web server technologies, the options for the Web-database developer become limited.

Implementing the E-Commerce Database Interface Solution

The primary function of a Web server is to send appropriate HTML code to the Web browser. Today’s trend is to serve content to the Web via an e-commerce database solution. In order to make this happen, the Web server must communicate with the database. The Web server must make requests to the database, interpret the database’s response, and pass on the appropriate data to the Web browser.

In order for the Web server to communicate with a database, it must communicate through an Application Programming Interface (API). There are many different types of database access APIs available for the developer—ranging from proprietary to open standard APIs. A Web database developer has many options from which he can select the API that best meets the requirements of the project. However, the developer must be very careful in the selection of the API if he must support a heterogeneous environment. One API might not support all database or Web servers in the developer’s environment.

Embedded SQL

In the early days of relational databases, the only portable interface for applications was Embedded Structured Query Language (SQL). There was no common function API and no standard Fourth Generation Language (4GL). Embedded SQL uses a language-specific precompiler. SQL commands are embedded in a host programming language, such as C or COBOL. The precompiler translates the embedded commands into host language statements that use the native API of the database. The problem with using Embedded SQL is that there must be a compiled version of the database interface for each database and operating system supported. This is not efficient or useful for heterogeneous environments. Also, the developer may run into problems with each database vendor’s C API. Not all database APIs are created equal.

ODBC

When building a Web site that must connect to many different databases, the first database connectivity standard normally considered is Open Database Connectivity (ODBC). ODBC is a logical choice, because it is a standardized API. It is a set of function calls based on the SQL Access Group (SAG) function set for utilizing an SQL database system (backend system). The SAG set implements the basic functionality of Dynamic SQL. Embedded SQL commands can be translated to call ODBC. Finally, there are ODBC drivers for every major database application.

Applications access ODBC functions through the ODBC Driver Manager, which dynamically links to the appropriate ODBC driver. ODBC drivers translate ODBC requests to native format for a specific data source. The data source may be a complete RDBMS, such as FirstSQL, or it may be a simple file format, such as Xbase. In other words, most ODBC drivers are tied to a single data source. Some, like FirstSQL, support multiple data sources. The FirstSQL ODBC driver supports both a FirstSQL data source and an Xbase data source.

Though its name begins with open, implying that it is not tied to a single vendor or even to a subset of RDBMS vendors, ODBC is controlled by a single vendor: Microsoft. Microsoft defines the specification of the API and supplies the basic driver manager software used on their operating systems. This control has some good aspects and some bad for the future of ODBC. Microsoft has made reasonable, useful extensions to the original SAG definitions in creating ODBC. Later releases have refined those extensions. Microsoft has committed to bringing future versions of ODBC more in line with SAG’s specifications and with existing standards.

OLE DB

In a major strike against ODBC, Microsoft is touting their Object Linking and Embedding Data Base (OLE DB) facility as a replacement for ODBC. OLE DB could be viewed as an object layer placed on top of ODBC, but Microsoft is likely to provide direct OLE DB drivers for their database products and to de-emphasize and perhaps discontinue ODBC drivers for their products. OLE DB is not open or portable except between Microsoft operating systems (OSs), which is now a single Windows OS NT. Because of Microsoft’s total control of the specification and arbitrary complexities in the facility, OLE DB will not be supported by other operating systems—Operating System 2 (OS/2), Macintosh Operating System (MAC OS), and various flavors of Unix. ODBC, and Embedded SQL to a lesser degree, will remain as the only open and portable interfaces for SQL accessible databases. Unfortunately, the fate of ODBC is completely under the control of Microsoft.

Java and JDBC

Java Database Connectivity (JDBC) is an SQL-level API that allows you to embed SQL statements as arguments to methods in JDBC interfaces. To allow you to do this in a database-independent fashion, JDBC requires database vendors to furnish a runtime implementation of its interfaces. These implementations route your SQL calls to the database in the proprietary fashion it recognizes. As the programmer, though, you do not ever have to worry about how JDBC is routing SQL statements. With JDBC, you can run the same code no matter what database is present. A Java client/server application can make use of one of the following three major database architectures:

• Object database
• Object-relational database
• Relational database[1]

The majority of today’s databases are relational databases. Thus, the JDBC API is heavily biased to relational databases and SQL. There is an architectural conflict between Java and relational databases. Java is object-oriented, whereas relational databases are not object-oriented. Therefore, a mapping between Java objects and SQL relations must occur. It is up to the developer to do this mapping.

The use of Java and JDBC has two distinct advantages for heterogeneous Web application development. It is database independent and facilitates distributed computing. A Java database application does not care what database engine is used. Therefore, the developer can change the database engine without having to change the Java application. In fact, the developer can write a class library that maps business objects to database entities in such a way that the application does not know that a database is in use.

Using Java for distributed computing has the advantage that the user can download the Java code as he needs it. The administrator does not have to install the software on each user’s workstation. This model is very beneficial when it comes time to update the application. The administrator does not have to reinstall software.

DBI-PERL

Practical Extraction and Reporting Language (PERL) is most likely the most common scripting language used on the Web today. It is predominantly used with the Uniplexed Information and Computing System (Unix) operating system, even though it can be used with Windows NT®. PERL is well-suited for the Web because it is a language that was written to handle text and text files. The PERL community also needed an interface to databases. Because PERL is an open source application, the Database Interface (DBI) is perfect for this task.

Note: DBI for the Perl language is defined as the Database Interface (DBI) API specification: a set of functions, variables, and conventions that provide a consistent database interface independent of the actual database being used.

In simple language, the DBI interface allows users to access multiple database types transparently. So, if you are connecting to an Oracle, Informix, mSQL, Sybase, or whatever database, you don’t need to know the underlying mechanics of the 4GL layer. The API defined by DBI will work on all of these database types. A similar benefit is gained by the ability to connect to two different databases of different vendors within the one PERL script (if you want to read data from an Oracle database and insert it back into an Informix database all within one program). The DBI layer allows you to do this simply and powerfully.

[1] Moore, Dennis K., “Web Database Integration Designing and Implementing Web Sites to Interface with Heterogeneous Database Environments,” © 2003 Raven Communications, Inc., Raven Communications, Inc., 11429 Dunloring Place, Upper Marlboro, MD 20774, 2003.
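The chapter describes JDBC and Perl DBI but shows no code. The following added example (not from the book or the Raven Communications paper) demonstrates the same database-independent pattern in Python, whose DB-API plays the role DBI plays for Perl. The application functions take a connection and the driver's bind-parameter marker, so they never depend on one engine, and they pass values as bind parameters instead of splicing them into the SQL text, which is how such an API keeps user-supplied data from being interpreted as SQL. sqlite3 is used only because it ships with Python; the customer table, its rows, and the Customer business object are constructed for the illustration.

```python
"""Added example (not from the book): database-independent access through a
DB-API connection, with a business object mapped onto a table the way the
chapter says a class library can. Schema and rows are constructed."""
import sqlite3
from dataclasses import dataclass


@dataclass
class Customer:
    """Business object mapped onto the (hypothetical) customer table."""
    id: int
    name: str
    email: str


def placeholder(driver):
    """Pick the bind-parameter marker from the DB-API driver's declared style,
    so the same SQL text can be reused with a different driver."""
    style = getattr(driver, "paramstyle", "qmark")
    markers = {"qmark": "?", "format": "%s"}
    if style not in markers:
        raise NotImplementedError(f"paramstyle {style!r} not handled here")
    return markers[style]


def create_schema(conn):
    cur = conn.cursor()
    cur.execute("CREATE TABLE customer ("
                "id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE)")
    conn.commit()


def add_customer(conn, ph, name, email):
    """Insert with bind parameters: the values travel separately from the SQL
    text, so a quote inside `name` is stored as data, never parsed as SQL."""
    cur = conn.cursor()
    cur.execute(f"INSERT INTO customer (name, email) VALUES ({ph}, {ph})",
                (name, email))
    conn.commit()
    return cur.lastrowid


def find_by_email(conn, ph, email):
    """Query by bind parameter and map each row onto the business object."""
    cur = conn.cursor()
    cur.execute(f"SELECT id, name, email FROM customer WHERE email = {ph}",
                (email,))
    return [Customer(*row) for row in cur.fetchall()]


def demo():
    """Round trip against an in-memory database; returns (found, missing)."""
    conn = sqlite3.connect(":memory:")
    ph = placeholder(sqlite3)
    create_schema(conn)
    add_customer(conn, ph, "O'Brien", "obrien@example.com")
    add_customer(conn, ph, "Ng", "ng@example.com")
    found = find_by_email(conn, ph, "obrien@example.com")
    missing = find_by_email(conn, ph, "nobody@example.com")
    conn.close()
    return found, missing


if __name__ == "__main__":
    print(demo())
```

Swapping the engine means changing the connect call and the driver passed to placeholder(); add_customer() and find_by_email() stay as they are, which is the portability the chapter claims for JDBC and DBI. Keeping every value a bind parameter is also the habit that matters most for a Web-facing database layer, because the values usually originate in a browser form.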

Heterogeneous Development

The developer has a difficult job when developing and implementing e-commerce database solutions in heterogeneous environments. The developer must contend with broader requirements and issues than a single platform development effort. The developer may have to sacrifice system performance for portability of code or support issues. The developer should conduct a trade-off analysis for each option considered. The trade-off analysis should consist of the following criteria list at minimum (not in any order of relevance). The developer should assign a relative weight to each criterion based on the system requirements and then rank each alternative in accordance with each criterion. The sum of all criteria should give the developer a sense of how each alternative meets the system requirements. Of course, there are intangibles that cannot always be accurately assessed. The intangibles are measured by the experience of the developer or a group of developers as follows:

• Performance: Measured in speed or response time.
• Portability of code: How many different systems are supported with minimal changes to code?
• Reliability and availability: Mean time between failures or system uptime.
• Scalability: As performance requirements increase, can the system support higher platforms?
• Security: Vulnerability to outside access or system penetration.
• Total cost of ownership: How much in dollars to install, operate, and support the system?
• Training and support: How many man-hours to train and support the system[1]?

The e-commerce database developer and implementer must assess these criteria from the operating system to the Web and to the database to determine the best solution that meets the requirements of the application.

The Future

The Web is evolving into the largest information repository in the world. There will be a continued strong demand for tools, utilities, and applications so that the user can access this information with greater speed and efficiency. Web application development will continue to mature to satisfy the user’s demand. The development time on the Web is much shorter than other development environments. The Web developer will continue to look for tools to provide more functionality and yet be flexible to use in many different environments. Three evolving technologies—Java servlets, XML, and CORBA—will play a very significant role in aiding the developer in heterogeneous environments in the near future.

Java Servlets

Server-side scripting will continue to evolve into object-oriented, server-side programming using Java and C++. Once Java becomes truly platform independent, it will become the server-side programming language of choice because the programmer will not care what OS or what database he is interfacing.

One of the early frustrations with Java is the performance on the client side. It took much too long to run a Java applet on a client. Today’s trend is to run Java on the server side (servlets). Here, the developer enjoys the advantages of Java while avoiding slow download times to the client.

The secret’s out: Java isn’t just for programming client-side applets that run in Web browsers or for writing Internet applications. The simple, flexible servlet API brings the power of Java to your servers, too. Java is a great platform for writing the server side of your Web-based application. The same features that make Java a better platform for writing client applications make it better for writing servers. Your server applications will benefit from its type safety and other rapid development features, even more than your client applications did, because multithreading support is built into the Java platform. Java makes it easy to develop and deploy all parts of a professional, maintainable, distributed system application.

The servlet API provides you the fastest way to start using JavaServer technology in your networked applications. You can start with applications that involve clients and a single server, and gradually create multitier enterprise applications that integrate the power and flexibility of Java throughout your existing network, because Java servlets run on the software and hardware you’ve already installed.

XML

One of the biggest limitations of HTML has been the presentation and organization of its content. XML allows developers to easily describe and deliver rich, structured data from any application in a standard, consistent manner. XML does not replace HTML; rather, it is a complementary format. XML is becoming the vehicle for structured data on the Web, fully complementing HTML, which is used to present the data. By breaking structured data away from presentation, Web developers can begin to build the next generation of Web applications.

Learning to author XML and manipulate XML data sources will enable you as an HTML author to supply your Web pages with content that is more intelligent and more dynamic. Marking up data using XML also enables you to create data sources that can be accessed in a number of different ways for a number of different purposes, making interoperability between applications and your Web site possible. XML also holds the promise of becoming a standardized mechanism for the exchange of data as well as documents. For example, XML may become a way for databases from vendors to exchange information across the Internet.
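As an added example (not from the book), here is the separation the section describes, in Python: records are serialized to an XML document for exchange, parsed back by a receiver that verifies every element it relies on before use, and rendered to HTML only in a separate presentation step. The element names and sample records are constructed.

```python
"""Added example (not from the book): XML as the structured-data carrier,
kept apart from the HTML that presents it. Element names and records are
constructed for the illustration."""
import html
import xml.etree.ElementTree as ET

# Constructed sample records, as they might come out of a customer table.
SAMPLE = [
    {"id": 1, "name": "O'Brien & Co <Ltd>", "email": "sales@example.com"},
    {"id": 2, "name": "Ng", "email": "ng@example.com"},
]


def to_xml(records):
    """Serialize records to one XML document; ElementTree escapes &, < and >."""
    root = ET.Element("customers")
    for record in records:
        customer = ET.SubElement(root, "customer", id=str(record["id"]))
        ET.SubElement(customer, "name").text = record["name"]
        ET.SubElement(customer, "email").text = record["email"]
    return ET.tostring(root, encoding="unicode")


def from_xml(text):
    """Parse the document back, rejecting any record that lacks a required field
    rather than silently producing an incomplete row."""
    root = ET.fromstring(text)
    if root.tag != "customers":
        raise ValueError(f"unexpected root element {root.tag!r}")
    records = []
    for customer in root.findall("customer"):
        name = customer.findtext("name")
        email = customer.findtext("email")
        if "id" not in customer.attrib or name is None or email is None:
            raise ValueError("incomplete customer record")
        records.append({"id": int(customer.attrib["id"]),
                        "name": name, "email": email})
    return records


def is_valid_document(text):
    """True when the text is well-formed XML holding only complete records."""
    try:
        from_xml(text)
        return True
    except (ET.ParseError, ValueError):
        return False


def render_html(records):
    """Presentation layer: the same data, HTML-escaped, as a table."""
    rows = "".join(
        f"<tr><td>{html.escape(r['name'])}</td><td>{html.escape(r['email'])}</td></tr>"
        for r in records)
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    document = to_xml(SAMPLE)
    print(document)
    print(render_html(from_xml(document)))
```

The name containing &, < and > survives the round trip because the XML layer escapes it on the way out and unescapes it on the way in, and the HTML layer escapes it again for display; neither step has to know about the other, which is what separating data from presentation buys.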

CORBA As object-oriented programming takes hold for Web development, there will be a continued evolution toward object-oriented content such as object database management systems (ODBMS). CORBA will play a significant role in the evolution of object-oriented distributed content.

Distributed objects enhance security, fault tolerance, configuration management, and code reuse. It’s possible to take advantage of these attractive qualities by incorporating existing information services into a Web server based on the CORBA open industry standard for distributed objects. CORBA, put forth by the Object Management Group (OMG), combines distributed processing with object orientation. It is the world’s first multivendor, industry-supported, distributed object standard. CORBA provides a standard, seamless, transparent way to distribute objects across multiple platforms and operating systems. The architecture is isolated from the actual transport protocols—such as Transmission Control Protocol (TCP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA)—allowing an open-ended standard. Finally, current technologies for implementing distributed systems include sockets, remote procedure calls (RPCs), a distributed computing environment (DCE), or middleware oriented methods (MOMs). Each of these alternatives affords a different level of complexity and success, and nearly all have been wrapped into object-oriented class libraries. However, none of these methods was specifically designed to seamlessly integrate distributed objects in a client/server environment, so they don’t have an intrinsic concept of object passing (by value) or remote inheritance.

Summary In just over seven years, e-commerce database technology has become the common user interface of choice for many information dissemination systems, whereas RDBMSs have been the cornerstone of information warehousing for years. The integration of the two technologies has made rapid advances over the last few years. This rapid explosion has led to new challenges for IT managers and developers. There are several competing technologies available that often do not address the issues of heterogeneous environments and Web-based application development. This chapter addressed the challenges of designing and implementing e-commerce database-integrated Web sites. Furthermore, it focused on e-commerce database-Web integration difficulties in heterogeneous database environments. Before one can design or manage e-commerce database interfaces to Web sites, one must understand the evolution of Web technology. The Web has evolved to become the electronic information dissemination and presentation medium of choice in networked environments. Web technology started as a means of disseminating text documents and establishing relationships with other text documents. The technology evolved so that other media such as graphics, audio, and video files can be disseminated via the Web. Because there is a wealth of valuable information in databases, the integration of Web sites with e-commerce database technology is a natural progression of Web technology. The Web provides a common user interface, whereas the database provides the logical structure for storing and manipulating data[2].

When a technology evolves at a rapid pace, there are some inherent limitations and incompatibilities that information managers and developers must face. For example, the Web was not designed to maintain state efficiently. There are methods of maintaining state by using environmental variables or setting cookies. The manager or developer must understand these limitations to satisfy the growing information dissemination and collection requirements via the Web. Besides the limitations of the Web, there are many issues regarding database access via the Web. First, the developer must choose a database interfacing technique (or techniques). There are many proprietary solutions such as Cold Fusion, Microsoft’s ActiveX Data Object (ADO) via Active Server Pages, and others. In addition, each major database vendor has its own Web database interface solution. Oracle has its Web Developer Suite, whereas Sybase has its web.sql product. There are open standards or solutions such as Perl’s DBI and PHP Hypertext Preprocessor (PHP). There are legacy systems in which interfacing is very difficult. In addition, building Java applications using JDBC has its own set of advantages and disadvantages. Each method has issues dealing with support, development time, system performance, scalability, robustness, migration, and so forth. The information manager or developer’s decision is made even more difficult when contending with many different types of databases in a heterogeneous environment. Designing and implementing Web sites that interface with databases is very challenging and requires detailed planning and analysis. An IT manager or developer must thoroughly understand Web technology, database interfacing methods, and database technology along with the issues each technology has in relation to e-commerce and other technology. This chapter served as a guideline and reference for information managers and developers for addressing these issues in their respective environments.
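Cookies are the state-keeping method the paragraph names, and the limitation a practitioner most needs to understand is that a cookie comes back from the client, so the server cannot trust its contents unless it can verify them. The following is an added example, not code from the book or from any product it mentions: a small state record (a shopping cart and a user name) is packed into a cookie value together with an expiry time and an HMAC tag computed with a server-side key, and the reading side rejects any value whose tag or expiry does not check out. The key, the field names and the helper functions are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the example: a secret held only on the server. In a real deployment it
# would come from a secrets store, never from source code.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64encode(raw):
    """URL-safe base64 without padding, so the value is safe inside a cookie header."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state_cookie(state, key=SECRET_KEY, now=None, ttl=3600):
    """Serialize `state` with an expiry and append an HMAC-SHA256 tag over the body."""
    payload = dict(state)
    payload["exp"] = int((time.time() if now is None else now) + ttl)
    body = _b64encode(json.dumps(payload, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + tag


def read_state_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the state dict if the tag verifies and the cookie has not expired, else None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no tag at all
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None  # client-modified or forged
    try:
        payload = json.loads(_b64decode(body))
    except (ValueError, TypeError):
        return None
    current = time.time() if now is None else now
    if payload.get("exp", 0) < current:
        return None  # stale cookie: the server, not the client, decides the lifetime
    payload.pop("exp", None)
    return payload


if __name__ == "__main__":
    cookie = issue_state_cookie({"user": "alice", "cart": ["A-100"]})
    print("Set-Cookie: session=" + cookie)
    print("Read back:", read_state_cookie(cookie))
    # Flip the last character of the tag to simulate a modified cookie.
    damaged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("Damaged cookie read back as:", read_state_cookie(damaged))
```

Signing gives integrity, not secrecy: the body is only base64-encoded, so anything the client must not see belongs in a server-side session store keyed by an opaque identifier, with the cookie carrying only that identifier.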
Finally, the Internet will continue to evolve into the mainstream of the world. As a result, the amount of content on the Web will continue to grow. Database technology is the enabling technology in which logic can be applied to the input and retrieval of information. More Web sites will connect to databases to take advantage of the logical operations of a database. Large organizations with heterogeneous environments will implement Web-database solutions that can be applied throughout their environment. As previously explained, there is a myriad of database interface solutions available to the developer today. However, there are not many that can be effectively applied to heterogeneous environments. The foremost is using ODBC to interface with your databases. The developer must be careful with ODBC because not all ODBC drivers and resources are built the same. There are incongruent aspects of various ODBC products in the market today. JDBC is another option. You must use Java on the server side or your scripting language must connect to JDBC resources. The future seems very bright for database access in heterogeneous environments using Java on the server side. Java and JDBC on the server side will free the developer from worrying about what operating system is used and what database is used. The developer is free to focus on the e-commerce application itself.

[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.

Chapter 13: Applying and Managing E-Business Intelligence Tools for Application Development “Language is the armory of the human mind, and at once contains the trophies of its past and the weapons of its future conquests.” —Anonymous

Overview Organizations today face intense pressure to see a quick return on investment in information technology. The key is broad delivery of information to everyone who impacts business processes—at a rapid time-to-market with a low cost of ownership. To meet this challenge, organizations need e-business intelligence (e-BI), not for a select few, but for everyone—employees, managers, partners, suppliers, customers, and constituents. Increases in demand and hands-on users are making the traditional model for applying and managing e-BI tools for application development, developed within departments and disconnected from the enterprise, inefficient and ineffective. Now, organizations need enterprise-wide solutions that can immediately deliver real-time information in the most usable, familiar formats to very large, even unlimited, numbers of users. The results must be real and measurable. IT organizations are critical to managing and implementing such enterprise-wide e-BI solutions. Any solution must meet the needs of both IT and end users, providing the ability to deploy easy-to-use applications to large numbers of diverse users, rapidly develop applications without requiring programming, and manage and administer the whole system. To meet the needs of IT, the users, and the organization, an e-BI application development solution requires the following:

• Accurate, consistent, and timely information delivered in real time
• Clear, measurable goals
• Conformity to the standards of all other enterprise applications, meeting enterprise policies and procedures for development and deployment
• Low training costs
• Maximum productivity for developers
• Rapid time-to-market with low total cost of ownership
• Support for the full range of skill levels and needs of all users[1]

By meeting the preceding criteria, an organization can effectively address business problems, realizing immediate returns on investment in technology. This chapter very briefly shows how a fully Web commerce-integrated, Windows-based development environment for building, testing, and deploying Web applications meets these criteria very effectively. The chapter also examines the business and technical requirements for applying and managing e-BI tools for application development solutions.

[1] Eiss, Larry, “Rapid Business Intelligence Application Development for the Web,” © 2003 Information Builders, Information Builders, Two Penn Plaza, New York, NY 10121-2898, USA, 2003.

E-Business Requirements for Rapid Application Development By providing a new perspective on the data in an enterprise, e-BI applications have become unique and powerful tools that enhance the value of knowledge workers. Despite their value, Giga Information Group estimates, for example, that most organizations have provided e-BI applications to only six to eight percent of the people who could use them. To provide more information to more people, organizations must address the following six challenges:

• Manage training costs.
• Handle single source issues.
• Meet IT requirements.
• Deploy across the enterprise.
• Deploy to multiple platforms.
• Provide administration and security[1].

Managing Training Costs In the past, many e-BI applications have presented steep learning curves. It is not the primary job of domain experts to develop and deploy applications, even when those applications are specifically for them. Consequently, tools must be easy to use, but at the same time provide significant power and flexibility. This has been a classic problem since the inception of the computer. There has always been a tension between ease and sophistication. Finding such tools is not easy. Demonstrations, by virtue of their limited time, naturally gloss over many fine points. If the demonstration makes development look easy, it does not necessarily follow that the requisite power for sophisticated application development is available. Similarly, a less appealing demonstration may seem to indicate greater power or flexibility, but it may follow that the tool is easy to use.

Handling Single Source Issues Finding an integrated development solution from one vendor that includes the proper robust developer tools, application server, report writer, middleware, and e-commerce interface is difficult. It is important to minimize the number of vendors, but best-of-breed solutions cannot be sacrificed. Support for heterogeneous solutions is costly. Determining which vendor is actually responsible for what problem is a daunting task at best, and it is common for each vendor to lay the blame on another. On the other hand, settling for second-rate components saps the value of the entire solution.

Meeting IT Requirements To realize the significant benefits of e-BI applications, the rigor and structure of IT policies and procedures will have to be met. However, it is difficult to find e-BI development tools that meet this challenge because e-BI applications have generally been managed outside the IT organization. A vendor that appears to be an innovator and on the leading edge of technology may not have the maturity to fit well into the existing IT structure. Yet, there may be concerns that more mature vendors have not kept up with the pace of technological change. Moreover, products that seem to fit the requirements in other areas may have been acquired and reacquired through mergers over time. Mergers and acquisitions raise significant concerns about the level of integration with the product mix of the latest owner, and about the continuity of technical and support staff.

Deploying Across the Enterprise Even the best designed and most elegantly written application is of no value until it is deployed to users. Getting applications up and running across the enterprise is imperative. Unfortunately, the condition of most IT environments today makes this a complex problem. True thin-client, no plug-in technologies, such as JavaBeans, servlets, HTML, XML, and DHTML, are necessary to allow cost-effective, scalable, and usable deployments. In many cases, a centrally managed environment for administering users and supporting mobile[3] and wireless devices[4] is also important. Security must be maintained[2] and technologies must be leveraged, but all this must be done in a highly distributed, heterogeneous environment. The e-BI development tool an enterprise selects must address such needs without requiring enigmatic, complicated architectural tweaks and configuration tuning.

Deploying to Multiple Platforms Enterprise e-BI development tools cannot be limited to one or two platforms. Instead, they need to provide scalability from local PCs to mainframes. Furthermore, these tools must be flexible enough to access any data source with a high degree of efficiency. The use of proprietary cubes or indirect access mechanisms should raise red flags because they inherently limit the scalability and flexibility of the solution.

Providing Administration and Security Reporting is a major component of e-BI applications. Although reports are central to turning data into information and information into knowledge, unlimited access is clearly unacceptable in most situations. If controlled access is to be effectively maintained, however, the development solution must provide simple and effective administrative tools that do not require a dedicated staff for even large user constituencies. Furthermore, existing security mechanisms, protocols, and tools, such as RACF, Top Secret, and others, along with directory-based components such as Lightweight Directory Access Protocol (LDAP), must not be left out or superseded. Selecting a tool with a deep enough history to coexist with and leverage the existing security structure is imperative if redundant systems and inflated implementation costs are to be avoided and, more importantly, if real security is to be maintained. Now, let’s look at how Web developers respond to your clients’ needs in an e-business driven marketplace. With the Web becoming an integral part of daily corporate communication, this part of the chapter very briefly outlines the requirements necessary for the professional Web designer to compete in the future of enterprise Web application development. In other words, this part of the chapter gives insight into the future of applying and managing Web commerce tools for application development and also very briefly demonstrates ways to leverage technology in order to meet clients’ needs while increasing business revenue.

[3] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.

[4] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall, 2001.

The Future of Web Commerce Tools for Application Development Web sites and intranets are designed for the same reason—to provide information. In the business world, this information needs to be updated and changed constantly in order to stay abreast of a changing business climate. New product releases, price changes, and marketing promotions are just a few examples of information that companies need to constantly provide to their customers, suppliers, employees, and shareholders. In today’s world of e-commerce and intense corporate competition, companies need the ability to instantly update published information in order to effectively communicate with their intended audience. Today’s companies know that they have to have a dynamic and interesting Web presence, but they are struggling to find ways to effectively manage their Internet strategy. Traditional advertising agencies and Web development firms are no longer meeting the all-encompassing Internet requirements necessary for businesses in today’s e-commerce driven marketplace. Companies are looking for advertising agencies and Web development firms that address their initial Web development needs while also providing them with viable, affordable solutions that are designed to address, implement, and manage their overall Internet strategy. Historically, companies outsourced the development of their Web sites, because creation and maintenance required design and programming expertise. However, relying on third parties for all site maintenance limited a company’s ability to quickly and easily update their published information. To solve this problem, many companies decided to bring Web site and intranet development in-house. Companies then discovered that hiring the necessary skilled personnel contains its own set of inherent problems. Information “bottlenecks” still occur when a company has one or two people in the internal IT department who are bombarded with the responsibility of publishing all company information. In addition, companies are also finding that Web site designers are hard to find and even harder to keep. The recurring theme in the market is that companies are recruiting individual Web designers to build and maintain their Web sites and intranets in-house, only to find that after several months of development, the designer may be lured away by the promise of a more exciting and rewarding career. This “catch 22” has left companies looking for some additional alternatives. Companies are turning toward their advertising agencies and Web development firms to provide the solution to this problem. Market trends have caused Web site management to become an arduous task, with sites evolving to meet the needs of e-commerce and e-business. For example, today’s Web application development software is now a complete site production platform that enables content contribution, production management, content management, verification, and deployment. Users should be able to submit content, manage site architecture, collaborate with others, and control the delivery of information. With its open architecture, today’s Web application development software should work with existing enterprise infrastructures and be able to handle dynamic content. The software should also be able to integrate with other leading Web site design solutions, so that Web design firms can continue to develop sites as they have done historically, while incorporating the added functionality. The software should also allow for the separation of design and logic, which means that while the designer can control the graphical look and feel of a site, the client can manage the architecture, the content, and the functionality of their own site.

Web Application Development Software Finally, today’s Web application development software is a rapid development, deployment, and site management engine that is designed to allow users to very rapidly develop sites, very easily deploy sites, and very simply and effectively manage the architecture and content of the site once it is deployed. The software is designed so that all of the Web commerce tools for managing a site are completely nontechnical. This allows users with absolutely no programming or Web site design experience to simply add pages to a site, move pages around, and password protect pages as well as publish content in these pages. The software should also act as a platform that allows functional applications to be deployed through a developed site. These applications should be prebuilt software products that perform a vast array of functions. By using Web application development software, a completely nontechnical user can deploy these applications in a Web site—thereby creating a highly functional and dynamic Web presence. The software should also allow Web developers to be more competitive and more responsive to their customers’ needs. In addition, the software should allow Web developers to develop sites very rapidly; but more importantly, it should give them the ability to offer their customers critically important, valuable architecture and content management tools that the client needs to manage their own online presence.

Summary Today’s competitive organizations need to develop a wide range of e-BI applications that tap as much data as possible and quickly deploy those applications via the Web to managers, employees, partners, suppliers, customers, and constituents—everyone they depend on to make decisions. Developing usable, deployable, and scalable e-BI applications is taking on greater urgency every day. Finally, a true Web architecture is essential to rapidly provide these business intelligence applications to unlimited numbers of people, and see a quick return on investment. IT can use the same Web-based, integrated Windows development solution to deploy information with speed, quality, and effectiveness that users of all levels can use to access information in any format. In addition, IT can securely manage and administer the system while still allowing power users to develop their own applications.

Part IV: Designing, Building, and Implementing E-Commerce Security

Chapter List
Chapter 14: Types of Security Technologies
Chapter 15: Protocols for the Public Transport of Private Information
Chapter 16: Building an E-Commerce Trust Infrastructure
Chapter 17: Implementing E-Commerce Enterprise Application Security Integration
Chapter 18: Strong Transaction Security in Multiple Server Environments
Chapter 19: Securing and Managing Your Storefront for E-Business

Chapter 14: Types of Security Technologies “It is true greatness to have in one the frailty of a man and the security of a god.” —Seneca (3 B.C.–65 A.D.)

Overview You are undoubtedly aware by now that the technology revolution is here to stay. In fact, many of the things you take for granted today (e-mail, cell phones, PDAs) were unimaginable just a few short years ago. This rapid growth of technology, where prices drop while consumer value increases, is historically unprecedented. A frequently asked question is, “How exactly did we get here?” One of the fundamental enablers of this change, and of the increase in productivity, is the shift to rapid product development cycles—particularly in the case of software. Feature-rich applications that were impossible to develop and deploy in the recent past are now conceived of and deployed with lightning speed. The increased intensity of business competition has driven this demand for faster and better products made available in the marketplace. In the future, the stakes will become even greater, as competition in every sector continues to escalate. Still, entrepreneurs and visionaries will press on in spite of the risks, and deliver new technologies in better ways.

The Internet Buying groceries, paying bills, purchasing clothes, seeking medical advice—cyberspace has become a vital part of everyone’s daily lives. According to the Information Technology Association of America (ITAA), total worldwide Internet users now exceed 600 million. In 2008, the number of users worldwide will pass the three-billion mark. In fact, the Internet is the most rapidly adopted technology ever—it has taken only eight years for it to reach 58 percent of households (versus 38 years for the telephone).

The Internet Is Big Business First came the dot-com explosion, with most “old economy” companies rushing to put up an electronic retail storefront. This business-to-consumer (B2C) marketplace quickly mushroomed into billions of dollars in value. Most recently, ferocious competition has made it tougher for “old economy” companies to maintain their advantage. Today, the strategic shift for most companies has been to the business-to-business (B2B) marketplace in which companies can partner in a “virtual village”—and thereby increase sales, lower costs, and increase productivity. Instead of just being another sales or communications vehicle to the end consumer, the Internet has become integrated into the corporate infrastructure. Coinciding with this increased technological integration of the Internet, the value of the average transaction has also increased dramatically.

The New Economy E-commerce business is emerging as the “new economy,” which is the increase in productivity made possible by technology that allows you to collect and share more information than ever before. With more companies running technology-based businesses and connecting systems internally and externally, more sensitive data is now being kept in systems that are available to an increased number of individuals and entities. Underneath everything is the supporting technological infrastructure that makes the “new economy” possible. This infrastructure is made up of legacy systems, client/server systems, and a myriad of new operating systems, applications, and devices. The “glue” holding all of these systems together is the skilled knowledge workers, who work harder and faster to produce more.

Where Old Meets New The longer the Internet is around, the more people agree that the perceived distinction between “old economy” and “new economy” is meaningless. In fact, what has been taking place is a melding of business processes and technologies to produce better goods and services. However, the challenge facing most organizations is that integration is rarely an easy thing—particularly when moving at Internet speed. Despite the best efforts of seasoned IT professionals, enterprises accelerating to Internet speed in the new digital economy will suffer IT mishaps due to the vicious cycle of increasing features, limited resources, and compromised quality objectives.

Flawed Infrastructure Certainly, there have been tremendous quality improvements in many areas of systems development and integration. Without these efforts, you would not have the widely adopted Internet that exists today. However, that does not mean that responsible IT managers can bury their heads in the sand and assume that the existing infrastructure is sufficient to protect the billions of dollars being transacted via e-commerce. Here are a few reasons why you will need to work hard to improve the infrastructure going forward, if you are to have a reliable and trusted “e”-conomy:

• Decreased amount of time for product testing and quality assurance
• Not enough IT resources available to get the job done well
• Proliferation and availability of network intrusion (“hacking”) tools
• Security focus is still an afterthought when it comes to product development[3]

Any threats to these systems would mean costly downtime that can affect your economic health. It is obvious that the survival of this cyber marketplace will depend mainly on safety, security, and trust.

[3] “VeriSign Internet Security Education: E-Commerce Survival Training,” © 2003 VeriSign, Inc. All rights reserved. VeriSign, Inc., 1350 Charleston Road, Mountain View, California 94043, 2003.

Emergence of Cyber Crime Unfortunately, not all of you are using the Internet in a positive way. The Internet has not only allowed you to communicate around the world, it has also opened up the doors for electronic crime. The Computer Security Institute’s (CSI’s) 2002 Computer Crime and Security Survey raised the level of awareness and aided in determining the scope of cyber crime. This survey of large corporations revealed that 73 percent of the respondents detected the unauthorized use of their computer systems in the last year. During the past few years, the most serious financial losses due to attacks have occurred through theft of proprietary information and financial fraud, according to CSI. Sixty-nine respondents in CSI’s 2002 Computer Crime and Security Survey reported a total loss of $99,019,000 in theft of proprietary information while 87 respondents reported a total loss of $88,229,000 in financial fraud. These 2002 totals were higher than the combined totals of the previous six years! The survey also confirmed that the following trends have evolved over the past few years:

• A broad spectrum of attacks has been spotted.
• Cyber attacks are hitting organizations from the inside and outside.
• Huge financial losses are reported due to cyber attacks.
• Information security technologies are not the sole solution to prevent these attacks[3].

Outside Attacks Internet users are starting to realize the severity of these attacks. In the past eight years, the CSI has found that people are more aware of attacks happening, rather than being in denial. The following types of attacks have been recognized in the wide spectrum of cyber crime.

Unauthorized Intrusion Networks that are not 100 percent protected are prime targets for external intrusion. Between 380 and 500 Web page hacks occur every week at small Web sites; whereas, on larger sites, the magnitude is greater. The New York Times Web site was recently brought down for 12 hours and then vandalized. Information that is tampered with leads to financial losses, service disruptions for a company’s site, and potentially irreparable damage to the corporate brand.

Service Denial Similar to unauthorized intrusion, malicious denial of service also results in the loss of revenue and reputation. Big name Internet companies, such as Hotmail, Yahoo!, and Amazon.com, recently experienced denial-of-service (DoS) attacks. Hotmail’s site shut down for six consecutive days, not only preventing seven million users from accessing it, but also scarring the reputation of Hotmail.

Malicious Downloads The “Email Bomb,” including the ILOVEYOU and Melissa viruses, has plagued e-mail addresses. More recently, Microsoft’s computer system was hacked by a Trojan horse called QAZ, due to a few machines being unprotected. Security experts confirm that “this is all it takes” and are hoping for this to be a lesson for other companies to keep their antivirus software updated and educate their employees on good security practices.

Inside Attacks Recently, more media attention has been placed on the “sexy cyberattacks” previously cited, rather than insider attacks. But, in reality, more of the widespread attacks are now coming from insiders. CSI confirmed this when it reported that the majority of the attacks in the past year have been from insider abuse and unauthorized access. And, insiders are not just trustworthy employees. Business partners, subsidiaries, and third-party suppliers have the same access as traditional employees of a company.

Threats Due to Lack of Security Cybercrime is not the only reason for malicious attacks. Could it be that companies themselves are not taking the necessary preventive measures? See the sidebar, “Lists of Mistakes,” for the answer.

Lists of Mistakes According to the SANS Institute, the answer to the preceding question is “Yes!” SANS has developed the following three lists of mistakes people make that enable attackers.

End Users: The Five Worst Security Mistakes
1. Opening unsolicited e-mail attachments from unreliable sources
2. Forgetting to install security patches, including ones for Microsoft Office, Microsoft Internet Explorer, and Netscape
3. Downloading screen savers or games from unreliable sources
4. Not creating or testing backups
5. Using a modem while connected through a local area network

Corporate Management: The Seven Top Errors That Lead to Computer Security Vulnerabilities
1. Not providing training to the assigned people who maintain security within the company
2. Only acknowledging physical security issues while neglecting the need to secure information
3. Making a few fixes to security problems and not taking the necessary measures to ensure the problems are fixed
4. Relying mainly on a firewall
5. Failing to realize how much money intellectual property and business reputations are worth
6. Authorizing only short-term fixes so problems reemerge rapidly
7. Pretending the problem will go away if ignored

IT Professionals: The Ten Worst Security Mistakes
1. Connecting systems to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found
4. Using unencrypted protocols for managing systems, routers, firewalls, and PKI
5. Giving users passwords over the phone or changing them when the requester is not authenticated
6. Failing to maintain and test backups
7. Running unnecessary services
8. Implementing firewalls with rules that do not prevent dangerous incoming or outgoing traffic
9. Failing to implement or update virus detection software
10. Failing to educate users on what to do when they see a potential security problem[3]

Cyber Security Need

As the Internet expands more and more rapidly, there is a greater and greater need for tighter security measures. A recent survey by ITAA found cyber security to be the next “top priority” issue facing the IT industry around the globe. Likewise, according to the Carnegie Mellon Institute’s Computer Emergency Response Team Coordination Center (CERT/CC), the number of security-related incidents in the third and fourth quarters of 2002 has almost totaled the number in the entire year of 2001. It is obvious that instead of “reacting” to the problem, a strategic plan of attack is needed. Education will be the next step.

Internet Security Education

To truly be successful in the digital economy, every company will have to rely on a combination of products, services, and training provided by partners. It is too risky and inefficient for any company to supply all of these from internal resources.

Products

Business buyers are now able to choose from a wide selection of competitively manufactured and priced goods. From PCs to routers to firewalls—the options are plentiful.

Services

Ongoing services are critical for companies because they allow them to be current with the latest technologies available in the marketplace. They enable companies to embrace best-of-breed products and to continually gain knowledge.

Training

Only 42 percent of IT training is provided by in-house employees. Due to rapid changes in technology, organizations must rely on outside expertise. Simply put, if you don’t keep your IT employees well-trained, your technology becomes quickly outdated. This is particularly true in the area of information security where the tools and techniques change with exceptional frequency. Internet security education is critical to providing the proper deployment of security solutions. Technology makes it possible, and training makes it happen! Get the answers before you need to start asking the questions!

Now, let’s take a very brief look at specific threats to e-commerce application security and how to provide guidance on effective approaches to e-commerce application protection. E-commerce applications require a new, secure, technological approach to threat categories.

E-Commerce Application Security Technology Essentials

In today’s marketplace, across all industry segments, businesses are realizing that transformation to e-business is required to remain competitive. Analysts predict that companies not making the necessary changes will be overrun by their competition. As enterprises around the world undergo transformations, they are increasingly leveraging Internet technologies to help:

1. Broaden their markets by extending their reach globally.
2. Enter new business areas through collaborations or expanded services made possible with Web-based interactions.
3. Increase employee productivity by providing easier access to corporate information and services.
4. Reduce costs through improved operations that integrate Web access and traditional IT systems[1].

The e-business transformation is not only changing the competitive landscape, it is changing the very nature of how enterprises view security. Data and transaction security is of paramount importance in this age of rapidly expanding commercial and public computer networks and the emerging Internet economy. For an e-business transformation to be successful, the role that security plays has to become a top priority in every company that makes use of information technology. In other words, the Internet has forever changed the way business gets done. E-commerce-based applications are enabling interaction among customers, prospects, and partners. Unfortunately, many e-commerce-based applications have inherent vulnerabilities and security-oriented design flaws. Internet-based attacks exploit these weaknesses to compromise sites and gain access to critical systems. Security awareness for e-commerce-based applications is, therefore, essential to an organization’s overall security posture. The key to a successful program is an integrated, multilayer approach to vulnerability assessment (VA), intrusion detection systems (IDS), and event correlation.

This part of the chapter very briefly highlights emerging threats specific to e-commerce application security and provides guidance on effective approaches to e-commerce application protection. E-commerce applications require a new approach to threat categories. Nevertheless, improved security relative to e-commerce applications can be easily achieved through the effective leverage of existing software solutions.

A Growing Threat

As businesses open their networks to business partners, customers, and their mobile workforce[2], they are significantly increasing both the value and vulnerability of their online assets. Security incidents are costly, with organizations losing productivity as well as experiencing business interruption, legal exposure, and shareholder liability. Merger and acquisition due diligence and insurability concerns, as well as regulatory requirements, are generating even broader awareness that information protection is a critical need. Most organizations already have some degree of online security infrastructure—firewalls, intrusion detection systems, operating system hardening procedures, and so on. The problem is that they often overlook the need to secure and verify the integrity of internally developed applications and coded pages against external attacks. In these circumstances, simple manipulation of client code or data, such as the price of goods in an online shopping basket application or sending corrupt and incorrect data to the server, can lead to fraudulent transactions or theft of confidential information. An understanding of manipulation techniques combined with rigorous client-side security testing will lead to greater security.

Rigorous Client-Side Testing Is Required

Direct attacks against e-commerce applications through manipulation of their inherent vulnerabilities have become commonplace due to their relative ease. Rigorous, client-side security testing and an understanding of manipulation techniques are essential to identifying the potential failure points of e-commerce applications. The most prevalent methods of attack on applications include buffer overflow attacks, exploitation of application component privileges, and client-side manipulation. On top of the e-commerce server’s OS, several subcategories of applications exist in which vulnerabilities may be exploited, including the following:

Database: Database application vulnerabilities for Microsoft SQL Server, Oracle, Sybase, and IBM DB2, including bugs, misconfigurations, and default/blank passwords

Web and application server: Vulnerabilities for CGI, Java, XQuery, default files, and other resources called by applications, as well as Web servers (IIS, Apache) and development environments (ColdFusion, etc.)

Web site and application: HTML and XML applications; assessment functions include Web crawling and step-through testing[4]

VA, the starting point for this process, is extremely important for both discovery and identifying vulnerabilities. This process allows an organization to turn off unused services, identify and patch vulnerable software, and make educated decisions about which elements of the overall infrastructure require the most extensive protection measures. Information gained through VA helps set up a significantly more effective IDS implementation and allows the IDS to feed attack and misuse information back into the VA process to ensure that successful penetrations cannot be repeated. This process takes place at the network, server, desktop, and application levels, and can additionally be used to validate that an intrusion protection system is in place and functional.
Finally, it can be extremely difficult for any automated audit and assessment application to know how custom applications will respond to cookie manipulation, form field manipulation, and other e-commerce application threats without carrying out a complete, link-to-link, application-specific assessment. This is a time-consuming, interactive analysis best performed by someone with both security and Web development knowledge —a rarely combined skill set. Organizations may need to dedicate additional staff to fully realize and take advantage of the results promised by such analysis, or to outsource the review to leverage the security and application programming expertise of an organization with the appropriate skills specialization.
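The form-field manipulation this section and the preceding one describe (a shopping-basket price edited in the browser before the form is posted) is easiest to understand as a server-side design question: does the total come from the client's fields or from the merchant's own catalog? The following Go program is an added example written for this edition of the page; it is not code from the book or from any of the products it cites. The SKU names, the catalog prices, the field names and the quantity limit are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// catalog is a constructed server-side price list, in cents. In a real shop
// this comes from the merchant's database, never from anything the browser sends.
var catalog = map[string]int64{
	"sku-1001": 4999, // constructed sample: a $49.99 item
	"sku-1002": 1250, // constructed sample: a $12.50 item
}

// CheckoutTrustingClient is the weak pattern: the total is computed from the
// price and quantity fields the browser posted, so anyone who edits the form
// (or replays the request with a modified body) chooses their own price.
func CheckoutTrustingClient(form url.Values) (int64, error) {
	price, err := strconv.ParseInt(form.Get("price_cents"), 10, 64)
	if err != nil {
		return 0, err
	}
	qty, err := strconv.ParseInt(form.Get("qty"), 10, 64)
	if err != nil {
		return 0, err
	}
	return price * qty, nil
}

// CheckoutServerSide is the hardened pattern: the client may name a SKU and a
// quantity, but the price is looked up server side, the quantity is bounded,
// and any price field the client happens to send is simply ignored.
func CheckoutServerSide(form url.Values) (int64, error) {
	price, ok := catalog[form.Get("sku")]
	if !ok {
		return 0, errors.New("unknown sku")
	}
	qty, err := strconv.ParseInt(form.Get("qty"), 10, 64)
	if err != nil || qty < 1 || qty > 100 {
		return 0, errors.New("quantity out of range")
	}
	return price * qty, nil
}

func main() {
	// Constructed POST body as a browser would send it, with the hidden
	// price field edited down to one cent.
	tampered, _ := url.ParseQuery("sku=sku-1001&qty=2&price_cents=1")
	weak, _ := CheckoutTrustingClient(tampered)
	safe, _ := CheckoutServerSide(tampered)
	fmt.Printf("trusting the client: %d cents; server-side lookup: %d cents\n", weak, safe)
}
```

The same rule applies to every value the client can reach: cookies, hidden fields, and query strings are input, and the server recomputes anything that has a financial or authorization consequence rather than accepting the client's copy.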

[1] “SiteScope Security Essentials,” © 2003 Mercury Interactive Corporation, Building A, 1325 Borregas Avenue, Sunnyvale, CA 94089, 2003.

[2] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.

[4] “Web Application Protection: Using Existing Protection Solutions,” © 2003 Internet Security Systems (ISS), Inc. All rights reserved. Internet Security Systems (ISS), 6303 Barfield Road, Atlanta, GA 30328, 2003.

Summary

Today, more than ever, organizations are challenged with improving security without incurring a corresponding increase in cost or burden to their existing staff. By comparing the benefits of a new product to the total cost of that product, organizations will make better choices that ultimately lead to greater security. Leveraging existing products is quite often the quickest way to improving both security and the bottom line. Finally, in many cases, organizations can address most of their e-commerce application concerns or problems with the products they already own.

Chapter 15: Protocols for the Public Transport of Private Information

“The public have an insatiable curiosity to know everything. Except what is worth knowing. Journalism, conscious of this, and having tradesman-like habits, supplies their demands.” —Oscar Wilde (1854–1900)

Overview

The Internet and the proliferation of e-business have initiated a new era of data acquisition and personalization. While opportunities for cultivating and cementing customer relationships abound, companies are undergoing intense scrutiny to ensure that they respect and protect consumer privacy.

The ability to capture and transport vast amounts of personally identifiable data is a marketer’s dream. Yet if not handled prudently, this capability can turn into a customer’s (and a company’s) worst nightmare. Today, companies must realize that their most valuable asset is not the data—it’s the customer. In the age of next-generation e-business, success hinges on a company’s ability to foster and sustain profitable and open relationships with its most valuable customers. Now, more than ever, any organization that fails to build consumer confidence and trust runs the risk of losing market share to competitors who do.


Privacy: A Vital E-Business Enabler

Although Web-based consumer activity is often the focus of attention, respecting and protecting privacy goes further than securing data retrieved online. As a matter of fact, privacy management and control should extend to every customer touchpoint (from the call center to fulfillment to shipping), while at the same time supporting enterprise corporate directives. In order to realize and sustain e-business results, organizations need to appreciate the following considerations.

Trust

E-business depends on trust—and a lot of it. All commerce involves some level of trust; however, e-business requires more of it because buyers are asked to provide greater amounts of personal information to online vendors they typically know little, if anything, about. Furthermore, increasing numbers of Web-based consumers understand that the frontend interface is connected to a backend infrastructure, making the confidentiality of their data even more tenuous.

Customers’ Trust

You can’t win customers’ trust if you don’t respect their privacy. Organizations that collect potentially sensitive information become custodians of personal data. Obviously, this trust must not be betrayed. IT systems and privacy policies need to protect personal data from theft and any unauthorized distribution or use. It is not just a matter of ethics—it is sound business practice. Companies that violate consumer privacy needs make the foolish and potentially fatal mistake of valuing the data more than the relationship. At the same time, customers who are not comfortable with a company’s privacy policy may likely conduct their business elsewhere.

Respecting Privacy

Respecting privacy takes more than mere adherence to laws and regulations. Given today’s e-business landscape, where information is now a heavily sought-after commodity, it is no surprise that government is stepping in to mandate consumer privacy.

However, no regulation, despite how well-crafted, can match everybody’s needs and preferences. Furthermore, as privacy preferences change over the course of an individual’s life, the government cannot always be relied upon to operate in sync with such shifts. Consequently, the onus of effective, real-time privacy protection rests on the enterprise. Not only do governments require it—consumers demand it.

Customer Privacy Needs

Companies benefit when they harness their understanding of customer privacy needs. Customer relationships and loyalty are fortified when strong privacy practices are employed. Treating people the way they want and ask to be treated (and communicating those efforts back to the marketplace) is a strong one-to-one customer relationship management approach—and can offer companies a real competitive edge.

Heightening E-Business Results

Finally, companies can heighten e-business results when they value the customer over the data. An enterprise solution is key to integrating privacy into policies, e-business strategies, and processes. Thus, the following are the ground rules for e-business privacy:

• Businesses are custodians of personal data and must protect and secure it from theft and misuse.
• Companies need to know their customers, while being as open with them as they want their customers to be in return.
• Customers are likely to share more personal data if they are convinced their privacy is strongly protected.
• Gaining consumer trust, respect, and confidence is not a static event or policy; it is an ongoing process that requires continuous management.
• Privacy preferences are really critical customer needs.
• Privacy management can be a one-to-one marketing opportunity.
• Relationships with your customers are more valuable than the data. When customers feel respected, they are typically more loyal.
• When organizations build and support an enterprise-wide privacy solution, the potential return on e-business can be enormous[1].

The preceding rules are a challenge, considering the rigorous demands of myriad industries, on any platform (with consideration for changing technologies) from mainframe to wireless[3]. However, when privacy is built into every aspect of the organization, the highest returns can be realized from loyal, valued customers.

[3] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

Summary

Creating a high-security, high-performance, e-business infrastructure demands close coordination of both technical and management policies and procedures. Additionally, e-business security is evolving from an old notion of an information fortress that keeps others out, to a new notion of privacy and trust as you give customers, partners, and remote employees access to your business data. Although allowing access is the very basis of e-business, this also adds additional levels of complexity far beyond the traditional security model. The time and costs associated with monitoring external connections, internal activities, and vulnerabilities can be overwhelming. Finally, International Data Corporation (IDC) research predicts that over time, the pressure to outsource security and privacy solutions will increase as the shortage of skilled IT professionals continues. But, whether you look to an external service provider or in-house to implement a new security infrastructure, you must take a series of specific steps to consider goals and basic capabilities. Without a blueprint based upon technical and business assessments, you cannot hope to create a system that is secure, up-to-date, and encompasses the divergent needs of greater information sharing and privacy.

Chapter 16: Building an E-Commerce Trust Infrastructure

“When a man assumes a public trust, he should consider himself as public property.” —Thomas Jefferson (1743–1826)

Overview

A secure e-commerce Web site can provide businesses with powerful competitive advantages, including increased online retail sales and streamlined application processes for products such as insurance, mortgages, or credit cards. E-commerce credit card sales can be especially lucrative; according to independent analysts, cash transactions on the Internet will reach $13 billion in 2004, and $74 billion in 2009. By offering products and services on the Web, businesses can gain unique benefits:

• New customers
• Cost-effective delivery channel
• Streamlined enrollment
• Better marketing through better customer knowledge[1]

[1] “Setting Up an E-Commerce Infrastructure,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.

New Customers

Anyone with an Internet connection is a potential customer; millions around the world are already using the Internet for business transactions. Web storefronts are open 24 hours a day, and require no investments in brick and mortar.

Cost-Effective Delivery Channel

Many products and services, such as software or information, can be distributed directly to customers via the Web. This enhances the customer experience and increases profitability by eliminating the shipping and overhead costs associated with order fulfillment.

Streamlined Enrollment

Paper-based enrollment workflows are fraught with delays. Applications for insurance, a mortgage, or a credit card, for example, can be held up in the mail. And once received, application information must be entered into computer systems manually, a labor-intensive process that can introduce errors. By accepting applications via a secure Web site, businesses can speed application processing, reduce processing costs, and improve customer service.

Better Marketing Through Better Customer Knowledge

Establishing a storefront on the Web positions enterprises for one-to-one marketing—the ability to customize products and services to individual customers rather than large market segments. The Web facilitates one-to-one marketing by enabling businesses to capture information about demographics, personal buying habits, and preferences. By analyzing this information, enterprises can target merchandise and promotions for maximum impact, tailor Web pages to specific consumers, and conduct effective, tightly focused marketing campaigns. No business can afford to ignore this opportunity. But businesses also can’t ignore the potential pitfalls. Before entering the fiercely competitive e-commerce arena, businesses must carefully assess and address the accompanying risks.

How to Build an Infrastructure for Trusted E-Commerce

The solution for meeting each of the preceding goals includes two essential components: digital certificates for Web servers, to provide authentication, privacy, and data integrity through encryption; and a secure online payment management system, to allow e-commerce Web sites to securely and automatically accept, process, and manage payments online. Together, these technologies form the essential trust infrastructure for any business that wants to take full advantage of the Internet.

Public Key Cryptography and Digital Certificates

This part of the chapter presents background technical information on cryptographic systems. This includes Public Key Cryptography (PKC) and the system underlying SSL—the basis for every e-commerce trust infrastructure. Encryption is the process of transforming information before communicating it to make it unintelligible to all but the intended recipient. Encryption employs mathematical formulas called cryptographic algorithms, or ciphers, and numbers called keys, to encrypt or decrypt information.

Symmetric Cryptography

Until recently, symmetric encryption techniques were used to secure information transmitted on public networks. Traditional, symmetric cryptographic systems are based on the idea of a shared secret. In such a system, two parties that want to communicate securely first agree in advance on a single “secret key” that allows each party to both encrypt and decrypt messages.

Symmetric cryptography has several drawbacks. Exchanging secret keys is unwieldy in large networks. Furthermore, the sharing of secret keys requires both senders and recipients to trust, and, therefore, to be familiar with, every person they communicate with securely. Also, symmetric systems require a secure channel to distribute the “secret” keys in the first place. If there is indeed such a secure channel, why not use it to send the entire secret message? In today’s Web-based systems involving many participants and transitory interactions with strong cryptography requirements, such symmetric key-based systems are highly impractical as a means for agreeing upon the necessary secrets to begin communicating securely. This problem, the key agreement, or key distribution problem, is part of a larger problem that is central to the modern understanding of cryptographic systems—the key management problem (described in greater detail later in the chapter). Together, they represent the fundamental challenge in designing effective cryptography systems for modern computing systems. Symmetric key encryption plays an important role in the SSL protocol, along with asymmetric public key encryption.

Public Key Cryptography

Today’s public key, or asymmetric, cryptography systems are a considerable improvement over traditional symmetric cryptography systems in that they allow two parties to exchange data privately in the presence of possible eavesdroppers, without previously agreeing on a “shared secret.” Such a system is called “asymmetric” because it is based on the idea of a matched cryptographic key pair in which a cryptographic key is no longer a simple “shared secret,” but rather is split into two subkeys, the private key and public key. Abstractly, a participant wanting to receive encrypted communications using an asymmetric cryptography system first generates such a key pair, keeping the private-key portion as a secret and “publishing” the public-key portion to all parties that want to encrypt data for that participant. Because encrypting data requires only access to the public key, and decrypting data requires the private key, such a system in principle can sidestep the first layer of complexity in the key management problem because no shared secret need be exchanged.

Modern Cryptography Systems: A Hybrid Approach

In fact, a combination of both public key and traditional symmetric cryptography is used in modern cryptographic systems. The reason for this is that public key encryption schemes are computationally intensive versus their symmetric key counterparts. Because symmetric key cryptography is much faster for encrypting bulk data, modern cryptography systems typically use public key cryptography to solve the key distribution problem first, then symmetric key cryptography is used to encrypt the bulk data. Such a scheme is used by today’s SSL protocol for securing Web transactions and by secure e-mail schemes such as Secure/Multipurpose Internet Mail Extensions (S/MIME) that are built into such products as Netscape Communicator and Microsoft Internet Explorer.

The Key Management Problem

Underlying every cryptographic system is a set of practical problems and questions involving privacy, security, and overall confidence in the underlying confidentiality features of the system. In principle, the techniques of asymmetric and symmetric cryptography are sufficient to resolve the security questions and properties previously described. For example, today’s Web browsers use the public key of a Web site in order to send credit card numbers over the Web. Similarly, one can protect access to files and data using a private symmetric key to scramble the information before saving it. However, in practice, each of these problems requires a “certified” public key in order to operate correctly without third parties being able to interfere. This leads to a second set of questions. For example, how can you be sure that the public key that your browser uses to send credit card information is in fact the right one for that Web site, and not a bogus one? And, how can you reliably communicate your public keys to your correspondents so that they can rely on them to send you encrypted communications? What is needed in order to address such concerns is the notion of a “secure binding” between a given entity that participates in a transaction and the public key that is used to bootstrap secure communication with that entity using asymmetric public key cryptography. The next part of the chapter describes how a combination of digital signatures and X.509 digital certificates (which employ digital signatures), including SSL certificates, fulfills this role in e-commerce trust systems.

Digital Signatures

Digital signatures are based on a combination of the traditional idea of data hashing with public key-based encryption. Most hash functions are similar to encryption functions. In fact, some hash functions are just slightly modified encryption functions. Most operate by grabbing a block of data at a time and repeatedly using a simple scrambling algorithm to modify the bits. If this scrambling is done repeatedly, then there is no known practical way to predict the outcome. It is not, in general, practical for someone to modify the original data in any way while ensuring that the same output will emerge from the hash function. These hash-based signature algorithms use a cryptographically secure hash function, such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA), to produce a hash value from a given piece of data. Because the digital signature process is central to the idea of a digital certificate (and in turn, the digital certificate is the primary tool to ensure e-commerce security), it’s useful to look at a diagram of the process. Figure 16.1 illustrates the steps taken by a sender in forming a digitally signed message, as well as the steps a recipient takes in verifying that the signed message is valid[1].

The first step is to take the original message and compute a “digest” of the outgoing message using a hashing algorithm. The result is a “message digest,” which is typically depicted as a long string of hexadecimal digits (and manipulated by software as binary data). In the next step, the sender uses his private key to encrypt the message digest. The original message content, together with the encrypted digest, forms a digitally signed message, as depicted in the center of Figure 16.1. This digitally signed message is suitable for delivery to the recipient. On receipt, the receiver verifies the digital signature using an inverse set of steps: first, the encrypted digest is decrypted using the sender’s public key. Next, this result is compared to an independent computation of the message digest value using the hashing algorithm. If the two values are the same, the message has been successfully verified.

Note: No actual encryption of the message content itself need take place. Only the digital signature itself is encrypted while the message is in transit (unless, of course, there are privacy concerns, in which case the message content should be encrypted as well).

Why is a digital signature compelling evidence that only the intended signer could have created the message? For example, what if interlopers were to change the original message? It was not encrypted, after all, and could have been changed by a third party in transit. The answer is that if such a change had been made, then the decrypted, original message digest wouldn’t have matched the recomputed one for the changed data in the message. Verification of the digital signature would fail. Similarly, the creation of a bogus signature is impractical because an interloper doesn’t have the appropriate private key.
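The sign-and-verify sequence of Figure 16.1, and the two failure cases the paragraph above argues through (altered content and a signature made with the wrong private key), as an added Go example that is not the book's own code. It uses SHA-256 as the hash and RSA PKCS#1 v1.5 as the "encrypt the digest with the private key" step; both choices are assumptions of this example, since the text names only the SHA and MD5 families. The order strings are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage pairs the clear-text content with the signed digest, as in
// the center of Figure 16.1. The content itself is not encrypted.
type SignedMessage struct {
	Content   []byte
	Signature []byte
}

// NewSignerKey generates the sender's key pair (2048-bit RSA is this
// example's assumption). The public half is what recipients verify with.
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign computes the message digest with SHA-256 and then signs that digest
// with the sender's private key.
func Sign(priv *rsa.PrivateKey, content []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Content: content, Signature: sig}, nil
}

// Verify recomputes the digest independently from the received content and
// checks it against the signature with the sender's public key. Any change to
// the content, or a signature from another key, makes this return false.
func Verify(pub *rsa.PublicKey, m *SignedMessage) bool {
	digest := sha256.Sum256(m.Content)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil
}

func main() {
	sender, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	m, err := Sign(sender, []byte("constructed order: ship 2 x sku-1001"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&sender.PublicKey, m))

	// An interloper edits the clear-text content in transit but cannot
	// produce a matching signature: the recomputed digest differs from the
	// one recovered with the public key, so verification fails.
	altered := &SignedMessage{
		Content:   []byte("constructed order: ship 200 x sku-1001"),
		Signature: m.Signature,
	}
	fmt.Println("altered message verifies:", Verify(&sender.PublicKey, altered))
}
```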

Digital Certificates A digital certificate is an electronic file that uniquely identifies individuals and Web sites on the Internet and enables secure, confidential communications. It associates the name of an entity that participates in a secured transaction (for example, an e-mail address or a

Web site address) with the public key that is used to sign communication with that entity in a cryptographic system. Typically, the “signer” of a digital certificate is a “trusted third party” or “certificate authority” (CA; such as VeriSign). In addition, all participants who use such certificates agree it is a point of secure storage and management of the associated private signing key. The CA issues, creates, and signs certificates, as well as possibly playing a role in their distribution. Using digital certificates simplifies the problem of trusting that a particular public key is in fact associated with a participating party, effectively reducing it to the problem of “trusting” the associated CA service. Digital certificates, therefore, can serve as a kind of digital passport or credential. This approach represents an advance in the key management problem, because it reduces the problem of bootstrapping trust to the problem of setting up (or in today’s marketplace, selecting as a vendor) the appropriate CA functionality. All parties that trust the CA can be confident that the public keys that appear in certificates are valid.

Use of Signer Certificates in Browsers

Digital certificates already play a fundamental role in Internet-based cryptography systems. For example, consider the case of a secure Web transaction that takes place when a user visits a Web storefront to make a credit card purchase. When the user’s browser accesses a secure page, a public key from the Web store has already been delivered to the client browser in the form of an X.509 digital certificate. All this happens transparently to the user at the time the secure connection is set up. The browser trusts the certificate because it is signed, and the browser trusts the signature because the signature can be verified. And, why can it be verified? Because the signer’s public key is already embedded in the browser software itself. To see this in the particular case of a browser, begin by clicking on the Security icon on the main toolbar, as shown in Figure 16.2[1].

Under Certificates, choose Signers, and scroll down the list, as shown in Figure 16.3[1]. A window similar to that shown in Figure 16.4 should appear[1].

Next, select a particular certificate and click on the Edit button. A display similar to the one shown in Figure 16.5 should appear[1].

This is a representation of an X.509 digital certificate. Although X.509 certificates come in three different versions, certificates such as the one displayed in Figure 16.5 are the ones most commonly encountered in today’s cryptography systems. Such a certificate consists of the following fields to identify the owner of the certificate and the trusted CA that issued the certificate:

• Version
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
• Subject (user) name
• Subject public-key information
• Issuer unique identifier
• Subject unique identifier
• Extensions
• Digital signature for the preceding fields[1]

Although only a few of the preceding fields (version, serial number, issuer name, and subject name) correspond to the display elements in Figure 16.5, these basic elements give an idea of what a typical certificate contains. In other words, the certificate shown in Figure 16.5 contains only a few of the basic fields. A more detailed dump of raw certificate content might look like the following[1]:

    Certificate:
        Data:
            Version: v3 (0x2)
            Serial Number: 8 (0x8)
            Signature Algorithm: PKCS #1 MD5 With RSA Encryption
            Issuer: CN=Root CA, OU=CIS, O=Structured Arts Computing Corporation, C=US
            Validity:
                Not Before: Fri Dec 5 18:39:01 1997
                Not After: Sat Dec 5 18:39:01 1998
            Subject: CN=Test User, OU=Test Org Unit, O=Test Organization, C=US
            Subject Public Key Info:
                Algorithm: PKCS #1 RSA Encryption
                Public Key:
                    Modulus:
                        00:c2:29:01:63:a1:fe:32:ae:0c:51:8d:e9:07:6b:02:fe:ec:
                        6d:0e:cc:95:4b:dc:0a:4b:0b:31:a3:1a:e1:68:1f:d8:0b:b7:
                        91:fb:f7:fd:bd:32:ba:76:01:45:e1:7f:8b:66:cd:7e:79:67:
                        8d:48:30:2a:09:48:4c:9b:c7:98:d2:b3:1c:e9:54:2c:3c:0a:
                        10:b0:76:ae:06:69:58:ac:e8:d8:4f:37:83:c3:f1:34:02:6d:
                        9f:38:60:6f:5e:54:4f:71:c7:92:28:fb:0a:b3:44:f3:1a:a3:
                        fe:99:f4:3f:d3:12:e2:f8:3b:03:65:33:88:9b:67:c7:de:88:
                        23:90:2b
                    Public Exponent: 65537 (0x10001)
            Extensions:
                Identifier: Certificate Type
                    Critical: no
                    Certified Usage: SSL Client
                Identifier: Authority Key Identifier
                    Critical: no
                    Key Identifier:
                        a7:84:21:f4:50:0e:40:0f:53:f2:c5:d0:53:d5:47:56:b7:c5:
                        5e:96
        Signature:
            Algorithm: PKCS #1 MD5 With RSA Encryption
            Signature:
                2d:76:3f:49:5b:53:3a:c5:02:06:a3:67:6d:d9:03:50:57:7f:de:a7:a9:
                cd:69:02:97:6f:66:6a:7f:95:ea:89:75:7a:fc:b0:26:81:fc:33:bb:60:
                e8:f7:73:77:37:f8:8a:04:3b:fc:c1:3e:42:40:3d:58:16:17:7e:47:35:
                1c:73:5a:ab:72:33:c3:f5:2b:c6:eb:b5:39:52:82:c6:3e:e1:38:c6:39:
                8b:ee:e3:9f:b3:b9:29:42:0d:11:a5:79:af:6d:3a:f8:a6:ba:d0:9c:55:
                48:0d:75:91:05:0b:47:67:98:32:f3:2d:2e:49:ed:22:ab:28:e8:d6:96:
                a1:9b

The next part of the chapter describes how SSL digital certificates for Web servers apply cryptographic techniques to secure e-commerce Web sites.

SSL Server Certificates

The practical means of implementing PKI and digital signatures is via Web server certificates that enable authentication and SSL encryption. SSL certificates form the basis of an Internet trust infrastructure by allowing Web sites to offer safe, secure information exchange to their customers. SSL server certificates satisfy the need for confidentiality, integrity, authentication, and nonrepudiation.

SSL Defined

SSL, originally developed by Netscape Communications, is an information technology for securely transmitting information over the Internet. The SSL protocol has become the universal standard on the Web for authenticating Web sites to Web browser users, and for encrypting communications between browser users and Web servers. Server certificates are available from CAs (such as VeriSign)—trustworthy, independent third parties that issue certificates to individuals, organizations, and Web sites. CAs use thorough verification methods to ensure that certificate users are who they claim to be before issuing them. CAs’ own self-signed SSL digital certificates are built into all major browsers and Web servers, including Netscape Communicator and Microsoft Internet Explorer, so that simply installing a digital certificate on a Web server enables SSL capabilities when communicating with Web browsers. SSL server certificates fulfill two necessary functions to establish e-commerce trust: SSL server authentication and SSL encryption.

SSL Server Authentication

Server certificates allow users to confirm a Web server’s identity. Web browsers automatically check that a server’s certificate and public ID are valid and have been issued by a CA included in the list of trusted CAs built into browser software. SSL server authentication is vital for secure e-commerce transactions in which users, for example, are sending credit card numbers over the Web and first want to verify the receiving server’s identity.

SSL Encryption

SSL server certificates establish a secure channel that enables all information sent between a user’s Web browser and a Web server to be encrypted by the sending software and decrypted by the receiving software—thus protecting private information from interception over the Internet. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering—that is, for automatically determining whether the data has been altered in transit. This means that users can confidently send private data, such as credit card numbers, to a Web site, trusting that SSL keeps it private and confidential.

How SSL Server Certificates Work

SSL certificates take advantage of SSL to work seamlessly between Web sites and visitors’ Web browsers. The SSL protocol uses a combination of asymmetric public key encryption and faster symmetric encryption. (See sidebar, “SSL Server Certificates Steps” for more information.) The Netscape Navigator and Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without an SSL server certificate), the browsers will, by default, show a warning. In contrast, if a user submits credit card or other information to a site with a valid server certificate and an SSL connection, the warning does not appear. The secure connection is seamless, but visitors can be sure that transactions with a site are secured by looking for the following cues:

• The URL in the browser window displays “https” at the beginning, instead of http.
• In Netscape Communicator, the padlock in the lower-left corner of the Navigator window will be closed instead of open.
• In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window[1].

SSL Strengths: 40-Bit and 128-Bit SSL

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session key generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. 128-bit SSL encryption is the world’s strongest; according to RSA Labs, it would take a trillion years to crack using today’s technology. 128-bit encryption is approximately 3 × 10^26 times stronger than 40-bit encryption. Microsoft and Netscape offer two versions of their Web browsers, export and domestic, that enable different levels of encryption depending on the type of SSL server certificate with which the browser is communicating. First, 40-bit SSL server certificates (such as VeriSign’s SSL Certificates) enable 40-bit SSL when communicating with export-version Netscape and Microsoft Internet Explorer (IE) browsers (used by most people in the U.S. and worldwide) and 128-bit SSL encryption when communicating with domestic-version Microsoft and Netscape browsers. Second, 128-bit SSL server certificates (such as VeriSign’s Global Server IDs) enable 128-bit SSL encryption (the world’s strongest) with both domestic and export versions of Microsoft and Netscape browsers.

SSL Server Certificates Steps

The process begins by establishing an SSL “handshake”—allowing the server to authenticate itself to the browser user, and then permitting the server and browser to cooperate in the creation of the symmetric keys used for encryption, decryption, and tamper detection:

1. A customer contacts a site and accesses a secured URL—a page secured by an SSL certificate (indicated by a URL that begins with “https:” instead of just “http:” or by a message from the browser). This might typically be an online order form collecting private information from the customer, such as address, phone number, and credit card number or other payment information.
2. The customer’s browser automatically sends the server the browser’s SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.
3. The server responds, automatically sending the customer’s browser the site’s digital certificate, along with the server’s SSL version number, cipher settings, and so on.
4. The customer’s browser examines the information contained in the server’s certificate, and verifies that:
   a. The server certificate is valid and has a valid date.
   b. The CA that issued the server certificate has been signed by a trusted CA whose certificate is built into the browser.
   c. The issuing CA’s public key, built into the browser, validates the issuer’s digital signature.
   d. The domain name specified by the server certificate matches the server’s actual domain name.
   If the server cannot be authenticated, the user is warned that an encrypted, authenticated connection cannot be established.
5. If the server can be successfully authenticated, the customer’s Web browser generates a unique “session key” to encrypt all communications with the site using asymmetric encryption.
6. The user’s browser encrypts the session key itself with the site’s public key so that only the site can read the session key, and sends it to the server.
7. The server decrypts the session key using its own private key.
8. The browser sends a message to the server informing it that future messages from the client will be encrypted with the session key.
9. The server then sends a message to the client informing it that future messages from the server will be encrypted with the session key.
10. An SSL-secured session is now established. SSL then uses symmetric encryption (which is much faster than asymmetric PKI encryption) to encrypt and decrypt messages within the SSL-secured “pipeline.”
11. After the session is complete, the session key is eliminated.

It all takes only seconds and requires no action by the user[1].

In order to fully enable 128-bit encryption with a Global Server ID, it’s important to generate the right kind of private key during the process of obtaining an SSL certificate. An important step in the process is generating a Certificate Signing Request (CSR) within the Web server software. In generating a CSR, Web server administrators should be careful to select a 1024-bit private key, which enables the Global Server ID to establish 128-bit SSL encryption, rather than a 512-bit private key, which enables only 40-bit encryption.

Netscape users can follow these steps to see what level of encryption is protecting their transactions:

• Go to the secure Web page you want to check.
• Click the Security button in Navigator’s toolbar.
• The Security Info dialog box indicates whether the Web site uses encryption. If it does, click the Open Page Info button to display more information about the site’s security features, including the type of encryption used.

You can also check to see which level of SSL is activated on your Web server by following these steps:

• Using a 128-bit client, such as the domestic version of Netscape Navigator, click Options/Security Preferences.
• Under the Enable SSL options, click Configure for both SSL 2 and SSL 3. Make sure acceptance of the 40- and 56-bit encryption ciphers is turned off.
• Try to access the site. If it is using less than 128-bit security, then you will receive an error in your browser window: “Netscape and this server cannot communicate securely because they have no common encryption methods[1].”

IE users can find out a Web site’s encryption level by following these steps:

• Go to the Web site you want to check.
• Right-click on the Web site’s page and select Properties.
• Click the Certificates button.
• In the Fields box, select Encryption type. The Details box shows you the level of encryption, 40-bit or 128-bit. (See the following section for more information about SSL encryption levels.)[1]

E-businesses may choose to simplify the process of certificate checking for site visitors by describing the security measures they have implemented in a Security and Privacy statement on their sites. For example, sites that use VeriSign SSL Certificates can also post the Secure Site Seal on their home page, security statement page, and purchase pages. The Seal is a widely recognized symbol of trust that enables site visitors to check certificates in real time from VeriSign with one click.

SGC and 128-Bit Step-Up

To ensure that strong, 128-bit encryption protects e-commerce transactions for all users, businesses should install 128-bit IDs, such as VeriSign’s Global Server IDs, on their servers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL server certificates will allow strong, 128-bit encryption when interacting with 128-bit server certificates because these certificates are equipped with a special extension that enables Server Gated Cryptography (SGC) for Microsoft browsers and “International Step-Up” for Netscape browsers.

The extension enables 128-bit encryption with export-version browsers by prompting two “handshakes” when a user’s browser accesses a page protected by a Global Server ID. When an export-version Netscape or Microsoft browser connects to the Web server, the browser initiates a connection with only a 40-bit cipher. When the server certificate is transferred, the browser verifies the certificate against its built-in list of approved CAs. Here, it recognizes that the server certificate includes the SGC or International Step-Up extension, and then immediately renegotiates the SSL parameters for the connection to initiate an SSL session with a 128-bit cipher. In subsequent connections, the browser immediately uses the 128-bit cipher for full-strength encryption.

Securing Multiple Servers and Domains with SSL

As organizations and service providers enhance their Web sites and extranets with newer technology to reach larger audiences, server configurations have become increasingly complex. They must now accommodate:

• Redundant server backups that allow Web sites and extranets to maximize site performance by balancing traffic loads among multiple servers
• Organizations running multiple servers to support multiple site names
• Organizations running multiple servers to support a single site name
• Service providers using virtual and shared hosting configurations[1]

But, in complex, multiserver environments, SSL server certificates must be used carefully if they are to serve their purpose of reliably identifying sites and the businesses operating them to visitors and encrypting e-commerce transactions—thus, establishing the trust that customers require before engaging in e-commerce. When used properly in an e-commerce trust infrastructure equipped with multiple servers, SSL server certificates must still satisfy the three requirements of online trust:

1. Client applications, such as Web browsers, can verify that a site is protected by an SSL server certificate by matching the “common name” in a certificate to the domain name (such as www.verisign.com) that appears in the browser. Certificates are easily accessible via Netscape and Microsoft browsers.
2. Users can also verify that the organization listed in the certificate has the right to use the domain name, and is the same as the entity with which the customer is communicating.
3. The private keys corresponding to the certificate, which enable the encryption of data sent via Web browsers, are protected from disclosure by the enterprise or ISP operating the server[1].

The Certificate Sharing Problem

In order to satisfy the requirements of Internet trust, one SSL server certificate can be used to secure each domain name on every server in a multiserver environment, and the corresponding private keys can be generated from the hosting server. Some enterprises or ISPs practice certificate sharing, or using a single SSL server certificate to secure multiple servers. Organizations use certificate sharing in order to secure backup servers, to ensure high-quality service on high-traffic sites by balancing traffic among several servers, or, in the case of ISPs and Web hosts, to provide inexpensive SSL protection to price-sensitive customers. However, as described next, certificate-sharing configurations do not satisfy the fundamental requirements of Internet trust.

VeriSign Recommendations for Implementing SSL on Multiple Servers

Now, let’s look at some common shared certificate configurations for an e-commerce trust infrastructure:

Fail-safe backup: Redundant servers, not used simultaneously.
Load balancing: Multiple sites with different common names on multiple servers.
Load balancing: Multiple sites with the same common name on multiple servers.
ISP shared SSL: One certificate issued to an ISP’s domain, used on multiple servers by multiple Web sites.
Name-based virtual hosting: An ISP or Web Host provides each hosted customer with a unique domain name, such as customername.isp.com[1].

Fail-Safe Backup

Certificate sharing is permissible. However, when the backup server is not under the same control as the primary server, the private key cannot be adequately protected, and a separate certificate should be used for each server.

Load Balancing: Multiple Sites with Different Common Names

To prevent browsers from detecting that the URL of the site visited differs from the common name in the certificate, a different certificate should be used for each server/domain name combination. A different certificate should also be used to protect the security of private keys.

Load Balancing: Multiple Sites with the Same Common Name

Instead of jeopardizing private key functionality by copying the key for multiple servers, a different certificate should be used for each server. Each certificate may have the same common name and organizational name, but slightly different organizational unit values.

ISP Shared SSL

ISP shared SSL prevents site visitors from verifying that the site they are visiting is the same as the site protected by the certificate and listed in the certificate itself. Each site’s server should have its own certificate. Or, merchants must inform their customers that site encryption is provided by the ISP, not the merchant, and the ISP must guarantee the services of all the hosted companies whose sites use shared SSL.

Name-Based Virtual Hosting

If the same certificate is used for each domain name, browsers will indicate that the site domain name does not match the common name in the certificate. To solve this problem, a “wildcard” certificate of the form *.isp.com is required to properly serve the multihostname configuration without creating browser mismatch error messages.

Next, let’s examine the second key component of an Internet trust infrastructure: secure online payment management.
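An added example in Go (not code from the book, VeriSign, or any browser) of the browser-side checks in step 4 of the “SSL Server Certificates Steps” sidebar and of the host-name matching behind the multiserver and wildcard-certificate discussion above. The root CA, host names, dates and key sizes are constructed for the demonstration, and Go’s crypto/x509 verifier stands in for the browser’s built-in CA list and checks.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl, signed with signer (the parent's
// key; pass tmpl as parent for a self-signed root), and parses it back.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServer applies the browser's checks from step 4 of the handshake:
// validity dates (4a), chain to a trusted CA (4b), the CA's signature (4c)
// and the visited host name against the names in the certificate (4d).
func VerifyServer(trusted *x509.CertPool, leaf *x509.Certificate, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       trusted, // stands in for the CA list built into the browser
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunChecks builds a constructed root CA, a certificate for one shop host
// and a wildcard certificate for an ISP, then reports which checks pass.
func RunChecks() (map[string]bool, error) {
	start := time.Date(2003, time.January, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example CA Inc."}},
		NotBefore:             start,
		NotAfter:              start.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// server issues a one-year server certificate from the CA for the given names.
	server := func(serial int64, names ...string) (*x509.Certificate, error) {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: names[0]},
			DNSNames:     names, // the browser matches the visited host against these
			NotBefore:    start,
			NotAfter:     start.AddDate(1, 0, 0),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &serverKey.PublicKey, caKey)
	}
	shop, err := server(2, "www.shop.example")
	if err != nil {
		return nil, err
	}
	wildcard, err := server(3, "*.isp.example") // name-based virtual hosting
	if err != nil {
		return nil, err
	}
	during := start.AddDate(0, 6, 0) // inside the validity period
	after := start.AddDate(2, 0, 0)  // after expiry
	return map[string]bool{
		"shop_valid":      VerifyServer(trusted, shop, "www.shop.example", during) == nil,
		"shop_wrong_host": VerifyServer(trusted, shop, "www.other.example", during) == nil,          // 4d fails
		"shop_expired":    VerifyServer(trusted, shop, "www.shop.example", after) == nil,            // 4a fails
		"shop_unknown_ca": VerifyServer(x509.NewCertPool(), shop, "www.shop.example", during) == nil, // 4b fails
		"wildcard_host":   VerifyServer(trusted, wildcard, "customer.isp.example", during) == nil,    // one label matches
		"wildcard_apex":   VerifyServer(trusted, wildcard, "isp.example", during) == nil,             // bare domain does not
	}, nil
}

func main() {
	results, err := RunChecks()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```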

Online Payment Services

After businesses have built a Web site and implemented SSL certificates to authenticate themselves to customers and encrypt communications and transactions, they must address another crucial component of an e-commerce infrastructure. This involves enabling customers to easily pay for products and services online—and processing and managing those payments in conjunction with a complex network of financial institutions. Today’s fragmented Internet payment systems often connect online merchants to banks via privately operated, point-to-point payment networks. In 2002, for example, over 9 billion electronic payment transactions (originating from approximately 6 million merchant locations and representing over $690 billion in merchant dollar volume) were passed over leased lines and non-Internet interfaces to a single transaction processor (First Data Corporation). This situation is rapidly changing. Internet commerce is entering an accelerated growth phase. IDC estimates worldwide e-commerce revenues will increase to $652 billion in 2004. Behind each of these Internet purchases is a payment transaction. However, traditional payment systems have proven to be ill-equipped to manage the costs and complexity of transitioning and enabling transactions over the Internet. As a result, only a fraction of today’s potentially automated e-commerce transactions are currently enabled for Internet payment. The situation is particularly acute in the B2B payments arena—today, most B2B systems stop short of enabling actual payment execution on the Web. Demand is, therefore, high for a simpler, “Internet payment gateway” approach that provides easier Internet connectivity between buyers, sellers, and the financial networks that move money between them. A truly flexible Internet payment gateway must support multiple payment instruments, connect to all relevant back-office payment processors, and be packaged for easy integration into front-office Web applications. Ideally, the gateway should also offer uniform interfaces to payment functionality, permitting e-businesses to deploy payment applications that can be easily switched between alternative financial instruments, institutions, and payment processors. And, to form part of a complete e-commerce trust infrastructure, the gateway must ensure fail-safe security for payment data as it passes from customer to Web site and through the backend processing system. Finally, some merchants may build an Internet payment gateway themselves, or purchase a software-based solution. However, according to the Gartner Group, most e-merchants have transaction volumes that do not justify the expense of bringing the process in-house, and are opting to outsource ASP solutions.

Summary

Businesses that can manage and process e-commerce transactions can gain a competitive edge by reaching a worldwide audience, at very low cost. But, the Web poses a unique set of trust issues, which businesses must address at the outset to minimize risk. Customers submit information and purchase goods or services via the Web only when they are confident that their personal information, such as credit card numbers and financial data, is secure. Finally, the solution for businesses that are serious about e-commerce is to implement a complete e-commerce trust infrastructure. PKI cryptography and digital signature technology, applied via SSL digital certificates, provide the authentication, data integrity, and privacy necessary for e-commerce. Internet payment gateway systems provide online merchants with the ability to efficiently and securely accept and process a variety of online payments from customers.

Chapter 17: Implementing E-Commerce Enterprise Application Security Integration

“There are no such things as applied sciences, only applications of science.” —Louis Pasteur (1822–1895)

Mergers, acquisitions, and multicompany collaborative federations are nothing new to the e-commerce world. What is new and urgent is the need to secure a high number of critical applications from unauthorized use, both from external and internal sources. Today’s e-commerce characteristics, including remote workforces, wireless applications[1], corporate partnership programs, CRM systems, and numerous others require organizations to increase the availability of corporate information, which significantly increases security risks.

The Challenge

Enterprise Application Integration (EAI) solves or simplifies many of the problems of data access and resource management across the enterprise, but then, a whole new set of issues surface. Once you have integrated your applications and business processes into a single, virtual “business engine,” how do you control access to those applications and processes, and the data that they manage? In the past, companies maintained security by allowing only trusted insiders to access sensitive corporate applications and data, through physically restricted access. However, the rise of e-commerce now requires those companies to allow their customers, prospects, suppliers, and partners to access even the deepest reaches of the corporate “backend.” IT management has been put on the horns of a dilemma: access versus barriers. If they tighten security to eliminate the risk of electronic theft or vandalism, the business grinds to a halt. This is the central issue of enterprise security. How can an organization provide access to multiple users or groups without compromising data security? This issue is further complicated by e-commerce as the next step in the evolution of global companies. By distributing applications and data across the Internet, institutions face a whole new set of problems and threats controlling access to—and protecting the integrity of—data and business processes.

[1] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

The Solution: Application Security Integration

Just as EAI technologies addressed the problems of data access and resource management across the enterprise by integrating applications and business processes into a single, virtual “business engine,” companies now need a set of easy-to-use tools and technologies to control access to those same applications and processes. Today, a new class of technology (Enterprise Application Security Integration, or EASI) is emerging to ensure that the distributed enterprise is protected. This chapter explores this new technology’s support of rapid deployment of secure e-commerce applications. The technology, based on the integration of distributed component computing and information security, represents new power to mount secure, scalable e-commerce services. The chapter also describes how security enables new e-commerce applications that were not previously feasible, and how e-commerce solutions create new security responsibilities. Next, the chapter describes the many challenges of enforcing security in component-based applications. Finally, the chapter formally introduces EASI, which is used to tie together many different security technologies, and, as a result, provide the framework for building secure component architectures. EASI is fast becoming an essential part of any comprehensive enterprise architecture plan. It has been recognized by analysts for its importance in securing the new e-commerce infrastructure. GIGA Information Group encourages companies to embrace this new model: organizations should incorporate the emerging EASI model into their internal application security integration efforts and their buying decisions for all parts of the application platform. And, they should drive their vendors toward alignment with the emerging architecture.

Security as an Enabler for E-Commerce Applications

Corporations are discovering the power of online services to increase customer loyalty, support sales efforts, and manage internal information. The common thread in these diverse efforts is the need to present end users with a unified view of information stored in multiple systems, particularly as organizations move from static Web sites to the transactional capabilities of electronic commerce. To satisfy this need, legacy systems are being integrated with powerful new e-commerce-based applications that provide broad connectivity across a multitude of backend systems. These unified applications bring direct bottom-line benefits, for example:

• On the Internet
• Via extranets
• With an intranet[1]

On the Internet

A bank cements relationships with commercial customers by offering increased efficiency with online currency trading. This service requires real-time updates and links to back-office transactional and profitability analysis systems.

Via Extranets

A bank and an airline both increase their customer bases with a joint venture—a credit card that offers frequent flyer credits sponsored by the bank. This service requires joint data-sharing, such as purchase payment and charge-back information, as well as decision support applications to retrieve, manipulate, and store information across enterprise boundaries. Additionally, employees from both companies will need to access some, but not all, of the same information.

With an Intranet

A global manufacturer accelerates the organizational learning curve by creating a global knowledge-sharing system for manufacturing research and development. Plant engineers on one continent can instantly share process breakthroughs with colleagues thousands of miles away.

[1] Hartman, Bret. “Enterprise Application Security Integration: An Overview,” © 2003 Quadrasis, Inc. All rights reserved. Quadrasis, Inc., 1601 Trapelo Road, Reservoir Place, 3rd Floor, Waltham, MA 02451, 2003. [See also Bret Hartman, Donald J. Flinn, and Konstantin Beznosov, Enterprise Security with EJB and CORBA®, John Wiley & Sons; 1st edition (April 6, 2001).]

E-Commerce Applications Increase Risks

These new e-commerce applications can have a dark side. They can open a direct pipeline to the enterprise’s most valuable information assets, presenting a tempting target for fraud, malicious hackers, and industrial espionage. Appropriate protections are a prerequisite for doing business, both for an organization’s credibility with its stakeholders and its financial viability. For example:

• The bank and airline in a joint venture may compete in other areas or through other partnerships. A secure barrier, permitting only authorized transactions, must be erected between the two enterprise computing environments.
• The bank offering currency-trading needs to protect the integrity of its core systems from unauthorized transfers or tampering.
• The manufacturer posting proprietary discoveries needs to ensure that their competitors or subcontractors cannot tap into the system. Attacks from both the outside and inside must be blocked[1].

Information Security Goals: Enable Use, Bar Intrusion

To secure information assets, organizations must open availability to legitimate users while barring unauthorized access. In general, secure systems must provide the following protections:

Accountability: Detect attacks in progress or trace any damage from successful attacks. Prevent system users from later denying completed transactions.
Availability: Ensure uninterrupted service to authorized users. Service interruptions can either be accidental or maliciously caused by denial-of-service attacks.
Confidentiality: Safeguard user privacy[3] and prevent the theft of information both stored and in transit.
Integrity: Ensure that electronic transactions and data resources are not tampered with at any point, either accidentally or maliciously[1].

To provide the four preceding key protections, information security must be an integral part of system design and implementation.

[3] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.

E-Commerce Solutions Create New Security Responsibilities

The breadth of information security in e-commerce applications is broader than you might expect. Many system architects and developers are accustomed to thinking about security as a low-level topic, dealing only with networks, firewalls, operating systems, and cryptography. However, e-commerce is changing the risk levels associated with deploying software, and, as a consequence, security becomes an important design issue for any software component. The scope of e-commerce security is so broad because these applications typically cut across lines of business. There are many examples of new business models that drive security needs:

• E-commerce
• Cross-selling and customer relationship management
• Supply chain management
• Bandwidth on demand[1]

E-Commerce

E-commerce sites on the Internet rely on credit card authorization services from an outside company. A federated relationship between an e-commerce company and a credit card service depends on trustworthy authenticated communication.

Cross-Selling and Customer Relationship Management

Cross-selling and customer relationship management rely on customer information being shared across many lines of business within an enterprise. Cross-selling allows an enterprise to offer a customer new products or services based on existing sales. Customer relationship management allows the enterprise to give consistent customer support across many different services. These e-commerce services are very valuable, but if they are not properly constrained by security policies, the services may violate a customer’s wishes for privacy.

Supply Chain Management

Supply chain management requires continuing communication among all of the suppliers in a manufacturing chain to ensure that the supply of various parts is adequate to meet demand. The transactions describing the supply chain that are exchanged among the enterprises contain highly proprietary data that must be protected from outside snooping.

Bandwidth on Demand

Bandwidth on demand allows customers to make dynamic requests for increases in the quality of a telecommunication service and to get instant results. Bandwidth on demand is an example of self-administration, where users handle many of their own administrative functions rather than relying on an administrator within the enterprise to do it for them. Self-administration provides better service for customers at a lower cost, but comes with significant security risks. Because corporate servers that were previously available to system administrators are now accessible by end users, security mechanisms must be in place to ensure that sensitive administrative functions are off-limits.

In each of the cases previously described, one enterprise or line of business can expose another organization to increased security risk. For example, a partner can unintentionally expose your business to security attack by providing their customers access to your business resources. As a result, security risk is no longer under the complete control of a single organization. Risks must be assessed and managed across a collection of organizations, which is a new and very challenging security responsibility.

Risk Management Holds the Key

A large middle ground exists between the extremes of avoiding e-commerce applications altogether, blithely launching unprotected systems, or burdening every application with prohibitively costly and user-unfriendly security measures. This middle ground is the area of risk management. The risk-management approach aims not to eliminate risk, but to control it. Risk management is a rigorous balancing process of determining how much and what kind of security to incorporate in light of business needs and acceptable levels of risk. It unlocks the profit potential of expanded network connectivity by enabling legitimate use, while blocking unauthorized access. The goal is to protect adequately to meet business needs without undue risk, making the right trade-offs between security and cost, performance and functionality. For example, consider four different e-commerce users: an Internet Service Provider (ISP), a hospital administrator, a banker, and a military officer. Each has a different security concern.

• The ISP is concerned primarily about availability—making services available to its customers.
• The hospital administrator wants to ensure data integrity—that patient records are updated only by authorized staff.
• The banker is most concerned about accountability—that the person who authorizes a financial transaction is identified and tracked.
• The military officer wants confidentiality—to keep military secrets out of the hands of potential enemies[1].

The challenge is to implement security in a way that meets business needs cost-effectively, both in the short term and as enterprise needs expand. Meeting the challenge requires a collaborative effort between corporate strategists and information technology managers. Understanding the business drivers for information security helps clarify where to focus security measures. Understanding the underlying application architecture (how components work together) clarifies the most practical approach for building system security. Distributed applications, in particular, require new ways of thinking.

Industrial experience in managing e-commerce information security is generally low. Security technology is changing rapidly, and corporate management is not well-equipped to cope with risk management changes caused by technology changes. New versions of interconnected e-commerce systems and software product versions continue to appear, and with each release a whole new set of security vulnerabilities surfaces.

Managing security risk in distributed e-commerce applications is daunting, but following some basic rules for building security into component-based applications lays the groundwork for a solid risk management approach. Although this chapter does not give detailed advice on security risk management, it does describe principles for building secure applications that are independent of any specific technology and will continue to be a guide for you as technologies evolve. This chapter provides basic principles for enterprise application integration, which are security integration themes that are repeatedly addressed by many enterprises.

Information Security: A Proven Concern

Information security is a serious concern for most businesses. Even though reporting of computer-based crime is sporadic because companies fear negative publicity and continued attacks, the trend is quite clear: information security attacks continue to be a real threat to businesses. According to a recent Computer Security Institute Survey, 72% of interviewed businesses reported that they had been subjects of serious information security attacks in 2002. Seventy-four percent of the businesses reported that the attacks caused significant financial losses, such as losses due to financial fraud or theft of valuable intellectual property.

The threats to businesses are from both internal and external attacks. In the same survey, 61% of the businesses reported they were subjected to attacks launched from the Internet, and 83% of businesses reported that insider attack (by trusted corporate users) was a primary concern. This last statistic is very important—to meet corporate needs, a complete end-to-end security solution must address insider attacks. Most e-commerce solutions today blur the line between the insider world containing trusted users and the outside world containing potentially hostile attackers. Furthermore, the primary purpose of multitier architectures is to open up the corporate network to the external world, thus allowing valuable corporate resources to be accessible to outsiders. Outsiders (such as business partners, suppliers, or remote employees) may have very similar data access rights to corporate information as many insiders. As a result, protection mechanisms must be in place not only at the external system boundaries, but also throughout the enterprise architecture.

According to a META Group survey, 72% of businesses view information security as critical to their corporate mission. Due to the continuing threat, many businesses are increasing their spending on security; large corporations are increasing their spending the most. Piecemeal security solutions can be worse than no security at all, because they result in:

• Increased maintenance, training, and administration cost
• Point solutions that don’t scale or interoperate
• Redundant spending across the organization[1]

Applying security products without thinking about how they all fit together clearly does not work. Businesses should build and leverage a common security infrastructure that is shared across the enterprise. An integrated approach to security is the only way to address complex, multitier e-commerce applications, which will be explained later in this chapter.

Distributed Systems, Distributed Security, Enterprise Control

Component technology, which closely groups data and the business logic that makes use of the data, is having a dramatic impact on the business computing landscape. Developments in the field of distributed component computing allow cooperating components to reside in different machines, networks, or even enterprises. These developments enable businesses to enhance and reuse installed applications rapidly, representing new power to tap the immense value of legacy resources. As a result, many organizations are migrating from traditional, single-layer client/server applications to multitiered application architectures.

Distributed component technology provides the foundation for next-generation e-commerce applications because it offers so much versatility. Distributed components that encapsulate code and data can reside anywhere on the network. Client software need only know about the component’s interface. How the component is implemented and where it is running is transparent to the invoking application. Transparency and reusability give distributed component computing environments great power, but they present new challenges for information security. These challenges require new ways of thinking and new tools.

Security Challenges in Distributed Component Environments

Traditionally, computer security has worked effectively in systems in which sensitive data can be isolated and protected in a central repository. Distributed components have exactly the opposite philosophy by making distributed data widely accessible across large networks. Simply put, the more accessible data is, the harder it is to protect. Ordinarily, it’s a good idea to keep your crown jewels locked up in a vault. Distributed components encourage you to pass them around to all your friends for safekeeping. The traditional notion of computer security is embodied in the concept of a trusted computing base (TCB), as shown in Figure 17.1[1]. The TCB consists of the hardware and software mechanisms that are responsible for enforcing the security policy, which defines when a user may access a resource. The TCB must be:

• Always invoked (nonbypassable)
• Small enough to be thoroughly analyzed
• Tamper-proof[1]

The TCB is usually implemented within an operating system that is under strict configuration control. This architecture permits very tight security because the TCB is the mediator through which all user accesses to resources must pass. Everything within the TCB is trusted to enforce the security policy; everything outside of the TCB is untrusted.

Distributed component systems, on the other hand, have a more complex security architecture, as shown in Figure 17.2[1]. Security functionality (the shaded areas of the diagram) in component systems is distributed throughout the architecture rather than residing in a central TCB. Because distributed component systems are frequently heterogeneous, security may be implemented differently on different platforms. Security might be enforced by the application components, middleware, operating system, hardware, or any combination of these. Some platforms may contain a great deal of code that is trusted to enforce the security policy, whereas other platforms may have very little.

Distributing security in this manner means that a particular distributed application may be secure, but that fact is hard to confirm. In a distributed component system, the combination of all of this trusted code together theoretically embodies a distributed TCB. But is this really a distributed TCB? Probably not. It may be tamperproof and always invoked, but it may not be small enough to be easy to analyze. That’s a concern, because if you can’t analyze the system, you can’t be at all certain that your valuable data is being protected.

Some security traditionalists believe that it is not possible to build highly secure distributed component systems. There is a question, though, of whether a TCB model is even appropriate for distributed component environments. Although TCBs are great for enforcing security, they aren’t sufficiently flexible to support component-based systems.

The flexibility and openness of distributed component systems make security administration a real challenge. Systems managers with experience administering security in Unix or Windows NT environments know how difficult it is to get it right. Many security attacks on these systems are not due to obscure security vulnerabilities, but to inadvertent administrative errors, or “leaving the barn door open.” Several other characteristics of distributed component systems also complicate security enforcement. The systems are:

Dynamic: Component systems are designed to be dynamic, allowing new application components to be created on the fly. Components can play both client and server roles, and can interact in multiple and unpredictable ways. This means that security policies must also be dynamic, adding complexity.
Exposed: Many distributed component systems are designed to work over the Internet or large intranets. Data going over networks is subject to packet-sniffing interception.
Layered: Systems consist of many security layers (applications, middleware, operating system, hardware, and network) that must fit together.
Multienterprise: Distributed component computing allows the sharing of information among enterprises. Enterprise security policies will be different (for example, between a hospital and a bank), which means that data sharing requires translations between enterprise policies[1].

Configuring and administering security for distributed component systems is potentially far more complex than for a traditional system. Without special tools, security has to be administered manually for each layer independently, leaving room for mistakes and inconsistencies. For instance, an application may correctly confirm that a loan officer is authorized to access a record before allowing changes. However, if supporting operating system calls have not been set up with complementary file permissions, access protection is not complete. The challenge is to create an environment in which the complexity is minimized, ensuring that security administration is enforced automatically and consistently.

End-to-End Enterprise Application Security Integration (EASI)

As e-commerce environments have evolved to distributed component models, security technologies have been trying to keep up. Most of the pieces of the security puzzle exist as off-the-shelf products, but it still takes considerable effort to put all these pieces together to build an integrated solution. Twenty-two years ago, life was reasonably simple for the security professional. Sensitive data resided on monolithic backend data stores. There were only a few physical access paths to the data, which were protected by well-understood operating system access control mechanisms. Policies, procedures, and tools have been in place for many years to solve this class of problems. Several years ago, Web-based applications burst onto the scene. With the advent of e-commerce in this environment, secure access to the Web servers was extremely important. Today, there are many mature perimeter security technologies, such as SSL, firewalls, and Web authentication/authorization servers that enforce security between browser clients and corporate Web servers.

Huge numbers of companies are now building complex e-commerce logic into application servers in the mid-tier. The business motivation for this development is compelling. Mid-tier business logic allows accessibility to backend legacy data in ways never imagined. The opportunities for increased interaction among all kinds of buyers and suppliers seem endless.

Security gets much more interesting through the introduction of components in the middle tier. Although there are many mid-tier technologies that hook up Web servers to backend legacy systems, the security of these approaches is often nonexistent. In fact, several recent publicized attacks have been caused by weaknesses in mid-tier security that have exposed sensitive backend data (customer credit card numbers and purchase data) to the outside world. Companies are usually at a loss for what to do with middle tier security.

To solve the thorny issue of securely connecting Web servers to the back office, let’s now discuss the concept of end-to-end EASI. As previously discussed, EASI is a special case of EAI. EAI is a technique for unifying many different applications by using a common middleware infrastructure. EAI provides an application “bus” that allows every application to communicate with others via a common generic interface. Without EAI, an application would need a separate interface for each other application, thus causing an explosion of pairwise stovepipes between applications. EAI allows application development to scale to a large number of interchangeable components.

Integration of end-to-end security requires EAI techniques. Many different security technologies are used in the perimeter, middle, and legacy tiers, as shown in Figure 17.3[1]. Typically, these security technologies do not easily interoperate. As a result, you will face exactly the same problem that application integrators face: a separate ad hoc interface to connect one security technology to another causes an explosion of pairwise stovepipes between security technologies.

EASI Requirements

A key issue in enterprise security architectures is the ability to support end-to-end security across many application components. End-to-end security is the ability to ensure that data access is properly protected over the entire path of requests and replies as they travel through the system. The scope of end-to-end security begins with the person accessing a Web browser or other client program, continues through the business components of the middle tier, and ends at the data store on a backend legacy system. The path of data may travel both through public and private networks with varying degrees of protection. In the enterprise architecture shown in Figure 17.4, a user accesses an application in the presentation layer (a Web browser client sends requests to a Web server), which communicates to mid-tier business components (application servers)[1]. Frequently, the client request is transmitted through a complex, multitier chain of business components running on a variety of platforms. The request finally makes it to one or more backend legacy systems, which access persistent data stores on behalf of the user, process the request, and return the appropriate results.

EASI Solutions

EASI solutions integrate security technologies across the perimeter, middle, and legacy security tiers. An EASI solution first and foremost consists of a security framework, which describes a collection of security service interfaces that may be implemented by an evolving set of security products. An EASI solution also includes integration techniques, such as bridges, wrappers, and interceptors that developers can use to plug security technologies into a middleware environment. To hook together different security technologies, EASI must solve a key problem: defining a secure association between clients and targets that establishes a common security context. The security context consists of a user’s privileges that must be transferred across the system to a target application. A user’s privileges, which form the basis for authorization decisions and audit events, must be protected as they are transmitted between perimeter, middle, and legacy tiers. Because each technology in these tiers represents and protects a user’s privileges differently, integration of security context can be a rather difficult problem.

EASI Framework

The EASI framework, as shown in Figure 17.5, specifies the interactions among the security services and application components that use those security services. By using common interfaces, it’s possible to add new security technology solutions without making big changes to the existing framework. In this way, the EASI framework supports “plug-ins” for new security technologies. Key aspects of the framework are shown in Figure 17.5[1].

Applications

The security framework provides enterprise security services for presentation components, business logic components, and the back office. The framework supports security mechanisms that enforce security on behalf of security aware and security unaware applications.

Security Aware Application

The security aware application uses the security Application Program Interfaces (APIs) to access and validate the security policies that apply to it. Security aware applications may directly access security functions that enable the applications to perform additional security checks and fully exploit the capabilities of the security infrastructure.

Security Unaware Application

The security unaware application does not explicitly call security services, but it is still secured by the supporting environment (for example, an Enterprise JavaBeans [EJB] container). Security is typically enforced for security unaware applications by using interceptors, which transparently call the underlying security APIs on behalf of the application. This approach reduces the burden on application developers to develop security modules within the application and lessens the chance of security flaws being introduced. Other applications, called security self-reliant applications, do not use any of the security services provided by the framework. A security self-reliant application may not use the security services because it has no security relevant functionality and, thus, does not need to be secured, or because it uses separate independent security functions that are not part of the defined EASI security framework.

Application Programming Interfaces (APIs)

The framework security APIs are called explicitly by security aware applications and implicitly by security unaware applications via interceptors. Security APIs provide interfaces for access to the framework security services. The framework supports standard, custom, and vendor security APIs.

Standard Security API

Support for APIs is based on open standards or industry de facto standards, such as XML (SAML), J2EE, .NET, and CORBA. These standards should be used whenever possible because they are likely to provide the most stability and the most flexibility across many different vendors’ products.

Custom Security API

Custom APIs may be implemented when an enterprise’s needs cannot be met by existing standard APIs. Custom APIs are required especially when an enterprise uses a security service that is tailored to its business, for example, a custom rule-based entitlements engine developed internally by an investment bank.

Vendor Security API

As a last resort, vendor-specific proprietary APIs may be used where open standards have not yet been defined. You should avoid using proprietary security APIs in applications if at all possible. Proprietary APIs make it very difficult for the developer or administrator to switch security products. Although vendors may think this is a great idea, security technology is changing much too rapidly to be confined to any one product. As an alternative, you should wrap a vendor’s proprietary API with a standard or custom API.

Core Security Services

The next layer of the security framework provides core security services enabling end-to-end application security across multitier applications. Each of the security services defines a wrapper that sits between the security APIs and the security products. The security services wrappers serve to isolate applications from underlying security products. By creating a new wrapper, it is straightforward to switch security products without affecting application code, if the need arises. The key security services are authentication, authorization, cryptography, accountability, and security administration.
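The wrapper and interceptor ideas above (a standard security API, a wrapper hiding a vendor product behind it, and an interceptor that secures a security unaware application and records an application-level audit event) as an added example in Python; this is not code from the book or from Quadrasis, and every name in it (LoanService, AclProduct, AclWrapper, SecurityInterceptor) is hypothetical.

```python
"""Added example (not from the book): a toy EASI-style security framework.
Shows a standard authorization API, a wrapper that maps it onto a vendor
product's proprietary API, and an interceptor that transparently secures a
security-unaware application. All class names are hypothetical."""
import functools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Tuple


@dataclass(frozen=True)
class Credentials:
    """Result of authentication: the principal's identity and attributes."""
    principal: str
    roles: frozenset


class AuthorizationService(Protocol):
    """The framework's standard authorization API; applications and
    interceptors code against this, never against a vendor product."""
    def is_authorized(self, creds: Credentials, resource: str, action: str) -> bool: ...


class AclProduct:
    """Stand-in for a vendor authorization product with a proprietary API."""
    def __init__(self) -> None:
        self._acl: Dict[Tuple[str, str], set] = {}

    def grant(self, role: str, resource: str, action: str) -> None:
        self._acl.setdefault((resource, action), set()).add(role)

    def vendor_check(self, roles, resource: str, action: str) -> bool:
        return bool(self._acl.get((resource, action), set()) & set(roles))


class AclWrapper:
    """Security service wrapper: adapts the standard API to the vendor API.
    Switching products means writing a new wrapper, not touching applications."""
    def __init__(self, product: AclProduct) -> None:
        self._product = product

    def is_authorized(self, creds: Credentials, resource: str, action: str) -> bool:
        return self._product.vendor_check(creds.roles, resource, action)


@dataclass
class AuditLog:
    """Accountability: one record per security-relevant application event."""
    events: List[dict] = field(default_factory=list)

    def record(self, **event) -> None:
        self.events.append(event)


class AuthorizationError(PermissionError):
    pass


class LoanService:
    """Security-unaware application: plain business logic, no security calls."""
    def __init__(self) -> None:
        self._loans = {"L-100": {"amount": 1000}}  # constructed sample data

    def read_loan(self, loan_id: str) -> dict:
        return dict(self._loans[loan_id])

    def update_loan(self, loan_id: str, amount: int) -> int:
        self._loans[loan_id]["amount"] = amount
        return amount


class SecurityInterceptor:
    """Transparently secures a security-unaware object. `policy` maps method
    names to the (resource, action) the caller must be authorized for. Guarded
    methods take the caller's Credentials as first argument; the wrapped
    application never sees a security API."""
    def __init__(self, target, policy: Dict[str, Tuple[str, str]],
                 authz: AuthorizationService, audit: AuditLog) -> None:
        self._target, self._policy, self._authz, self._audit = target, policy, authz, audit

    def __getattr__(self, name: str):
        attr = getattr(self._target, name)
        if name not in self._policy or not callable(attr):
            return attr  # unguarded members pass straight through
        resource, action = self._policy[name]

        @functools.wraps(attr)
        def guarded(creds: Credentials, *args, **kwargs):
            allowed = self._authz.is_authorized(creds, resource, action)
            # Audit at the application level: one event per business call.
            self._audit.record(principal=creds.principal, method=name,
                               resource=resource, action=action, allowed=allowed)
            if not allowed:
                raise AuthorizationError(f"{creds.principal} may not {action} {resource}")
            return attr(*args, **kwargs)
        return guarded


def build_secured_loan_service(audit: Optional[AuditLog] = None) -> SecurityInterceptor:
    """Wire the pieces together with a constructed policy: loan officers may
    read and update loans, tellers may only read them."""
    product = AclProduct()
    for role, action in (("loan_officer", "read"), ("loan_officer", "update"), ("teller", "read")):
        product.grant(role, "loan", action)
    policy = {"read_loan": ("loan", "read"), "update_loan": ("loan", "update")}
    return SecurityInterceptor(LoanService(), policy, AclWrapper(product), audit or AuditLog())
```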

Authentication

Verifying that principals (human users, registered system entities, and components) are who they claim to be is what is known as authentication. The result of authentication is a set of credentials, which describe the attributes (identity, role, group, clearance) that may be associated with the authenticated principal.

Authorization

Granting of permission for principals to access resources is what is known as authorization. Data integrity and confidentiality access controls enforce restrictions of access to prevent unauthorized use. Data integrity controls ensure that only authorized principals may modify resources. Data confidentiality controls ensure that resource contents are disclosed only to authorized principals.

Cryptography

Cryptographic algorithms and protocols for protecting data and messages from disclosure and/or modification are what is known as cryptography. Encryption provides confidentiality by encoding data into an unintelligible form with a reversible algorithm that allows the holder of the encryption key(s) to decode the encrypted data. Digital signatures apply cryptography to ensure that data is authentic and has not been modified during storage[2] or transmission.

Accountability

Ensuring that principals are accountable for their actions is what is known as accountability. A security audit provides a record of security-relevant events and permits monitoring of a principal’s actions in a system. Nonrepudiation provides irrefutable proof of data origin and/or receipt.

Security Administration

Security administration is the process of defining and maintaining the security policies embodied in user profiles, authentication, authorization, and accountability mechanisms. This also includes other data relevant to the security framework.

Framework Security Facilities

The framework provides general security facilities that support the core security services. The framework security facilities are the profile manager, security association, and proxy services.

Profile Manager

The profile manager provides a general facility for persistent storage of user and application profile data. It allows data to be accessed by other framework services.

Security Association

Security association handles the principal’s security credentials and controls how they propagate. During a communication between any two client and target application components, the security association establishes the trust in each party’s credentials, and creates the security context that will be used when protecting requests and responses in transit between client and target. The security association controls the use of delegation, which allows a delegated intermediate to use the credentials of an initiating principal so that the delegate may act on behalf of the initiating principal.

Security Proxy Services

Security proxy services provide interoperability between different security technology domains by acting as a server in the client’s technology domain and as a client in the target’s domain.

Security Products

Implementation of the framework generally requires several security technology products that collectively comprise the enterprise security services. Example security products that are required include firewalls, Web authentication/authorization products, component authentication/authorization products, cryptographic products, and directory services.

[2] Vacca, John R., The Essential Guide to Storage Area Networks, Prentice Hall PTR, 2001.

EASI Benefits

By now, the benefits of using a framework to address EASI should be clear. Standards are the best way to maintain application portability and interoperability in the long run. Products and technologies will come and go, but generally accepted security standards for fundamental security services will be much more stable. A standards-based set of security APIs allows you to evolve security products over time without needing to rewrite your applications. Designing your applications for evolving security products is important, because your business requirements and new security technologies will continue to be a moving target. You might pick a great security product that satisfies your needs for now, but you’ll probably want to change at some point as business or market needs change. In addition, you want to avoid being stuck with any one vendor’s product, because the high cost of custom code modification limits your options.

Having a security framework also means that you don’t need to implement everything at once. The framework allows you to start out small by picking the security services you need, and build up more sophisticated security functionality when and if it’s required. The framework gives you a road map for your security architecture, helping to guide you on how to pick products and technologies that match your needs over time.

Finally, the framework puts the security focus where it should be: on building a common infrastructure that can be shared across the enterprise. Custom-built security that is hand-coded within applications is expensive to implement and maintain, and is likely to have more security vulnerabilities. A single security infrastructure with APIs that can be used by all of your applications avoids multiple, duplicate definitions of users, security attributes, and other policies. You can focus your limited time and money on building up a few critical interoperable security technologies, rather than coping with a mass of unrelated security products that will never work together.

Principles of EASI

Now, let’s look at some basic principles to follow when integrating security into component-based e-commerce applications. You’ll learn these rules as you apply EASI techniques to many large customers’ problems.

Authentication

The two principles of authentication are trust no one (not to be confused with the FOX television series the “X-Files”) and balance cost against threat.

Trust No One

In distributed systems, authentication isn’t just about people. A client request bounces through many applications in a multitier architecture, so there are many points of vulnerability. Each component that is a part of a request chain should be authenticated on its own. If not, an attacker may be able to insert a new component in this chain and cause serious damage. The more complex the application architecture, the more serious the threat.
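The security association facility described earlier (credentials propagated across tiers, with delegation) combined with the trust-no-one principle above, as an added example in Python that is not code from the book or from Quadrasis. It assumes, purely for illustration, that every tier verifies credentials issued by one authentication service using a shared HMAC key, and that a target keeps a list of components permitted to delegate to it; a real deployment would carry the context in a standard format such as a SAML assertion.

```python
"""Added example (not from the book): security context propagation with
delegation, where the target authenticates the initiating principal and every
intermediate component in the chain before acting. Constructed assumptions:
HMAC-SHA256 signed JSON credentials, one shared key, a permitted-delegate list."""
import hashlib
import hmac
import json
from typing import List, Optional, Set


class SecurityError(Exception):
    pass


class AuthenticationService:
    """Issues and verifies credentials for human users and components alike."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def issue(self, principal: str, roles: List[str], now: float, ttl: float = 300) -> str:
        """Credential = hex(JSON payload) + '.' + HMAC tag over the payload."""
        payload = {"sub": principal, "roles": sorted(roles), "exp": now + ttl}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

    def verify(self, credential: str, now: float) -> Optional[dict]:
        """Return the payload if the tag is valid and unexpired, else None."""
        try:
            body_hex, tag = credential.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None  # malformed credential
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered or forged
        payload = json.loads(body)
        return payload if payload["exp"] > now else None


class SecurityAssociation:
    """Builds and checks the security context shared by client and target.
    The context holds the initiating principal's credential plus the credential
    of every intermediate that delegates on its behalf."""
    def __init__(self, auth: AuthenticationService, permitted_delegates: Set[str]) -> None:
        self._auth = auth
        self._permitted = permitted_delegates

    @staticmethod
    def initiate(user_credential: str) -> dict:
        return {"initiator": user_credential, "chain": []}

    @staticmethod
    def delegate(context: dict, component_credential: str) -> dict:
        """An intermediate appends its own credential; the initiator's is kept."""
        return {"initiator": context["initiator"],
                "chain": context["chain"] + [component_credential]}

    def accept(self, context: dict, now: float) -> dict:
        """Target side: authenticate the initiator and every delegate ("trust no
        one"). Returns the initiator's payload for authorization and audit."""
        initiator = self._auth.verify(context["initiator"], now)
        if initiator is None:
            raise SecurityError("initiating principal not authenticated")
        for credential in context["chain"]:
            component = self._auth.verify(credential, now)
            if component is None:
                raise SecurityError("unauthenticated component in request chain")
            if component["sub"] not in self._permitted:
                raise SecurityError(component["sub"] + " is not a permitted delegate")
        return initiator


def propagate_through_tiers(now: float = 1_700_000_000.0) -> str:
    """Walk one request from a user through two mid-tier components to a
    backend target and return the principal the target will act for."""
    auth = AuthenticationService(b"constructed-shared-key")  # constructed key
    backend = SecurityAssociation(auth, {"web-tier", "order-service"})
    context = SecurityAssociation.initiate(auth.issue("alice", ["customer"], now))
    context = SecurityAssociation.delegate(context, auth.issue("web-tier", ["component"], now))
    context = SecurityAssociation.delegate(context, auth.issue("order-service", ["component"], now))
    return backend.accept(context, now)["sub"]  # "alice"
```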

Balance Cost Against Threat

On the other hand, the best authentication isn’t for everyone. The most secure authentication, such as public key certificates on smart cards, is probably too expensive to deploy and manage for many applications. If authentication techniques are too strong, people may just give up and not use the system. It’s better to have authentication that people will use rather than building a secure boat anchor. Single sign-on is an example of this principle; no one likes to log in more than once.

Authorization The two principles of authorization are application driven and push security down.

Application Driven Authorization policies aren’t really to protect URLs or files—they protect business data that resides in those files. A lot of time and money is wasted blindly setting up security products that do little to protect important application data. To secure a system, don’t lose sight of the fact that the most important thing to understand is the purpose of the business application. After you understand what the business application is for, and what bad security things could go wrong, then you can figure out the best way to protect the data.

Push Security Down After you know which application data is really important to protect, look to enforce authorization at the lowest practical level in the architecture. Least desirable is within the application, although some policies cannot be enforced anywhere else. By pushing authorization down to the lower layers of the architecture, you’re more likely to have robust common security mechanisms that can be shared across many applications.

Accountability: Audit Early, Not Often Auditing is expensive in distributed systems, so for performance reasons it’s better to do it as little as possible. Unlike authorization, it’s preferable to push the source of an audit event to the upper layers of the architecture near the application. Low-level auditing (at the operating system level) is extremely difficult to analyze, because it takes several low-level events to match to a single business transaction. Low-level auditing is fine for discovering an attack on your operating system, but correlating low-level audit data across multiple audit logs to detect an application attack can be close to impossible. As a result, the most effective auditing is done as soon as an application recognizes that a potentially dangerous event occurred.

Security Administration The principles of security administration are collections for scale, centralized management, and distributed enforcement.

Collections for Scale E-commerce applications are all about managing huge numbers: millions of users and resources, thousands of servers. The best way to deal with large numbers is to collect things into groups, and make those groups hierarchical. By defining collections, administrators can set policies on lots of things at the same time and delegate security responsibilities across many administrators. Note Collections are not just about people; services and data should also be grouped to handle scale.

Centralized Management and Distributed Enforcement Administering distributed applications is difficult because components are widely scattered, and manually setting up policies for each component across a large network isn’t practical. The easiest way to administer security is when the security policy is in one place. However, a centralized policy may not be very efficient to enforce if the security infrastructure must check a central policy every time a remote component executes. The best approaches give the best of both worlds by offering security administration that is logically centralized, but use distribution techniques to get the policy out near the components where it’s needed. Beware of synchronization issues; many products use caching that speeds up access but could mean that policies are sometimes out of date.

Security Association The principles of security association are think end-to-end, not point-to-point, and design for failure.

Think End-to-End and Not Point-to-Point As mentioned previously, e-commerce applications are implemented by chains of requests, which are much more complex than the antique client/server model. Transport security mechanisms, such as SSL or Secure Internet Protocol (IPSEC), are inadequate in multitier environments, because they cannot secure a chain of requests; they only secure two end points. It’s for this reason that these protocols don’t deal with delegation. Protocols such as Security Assertion Markup Language (SAML) and CSI that are built upon transport security are the best way to secure applications end-to-end.

Design for Failure Finally, a simplistic component model assumes that all applications trust each other to protect data. That may be okay for small systems, but it’s a dangerous assumption when the applications are more distributed. If one component is compromised in this scenario, then the entire set of distributed components is vulnerable. A better approach is to view collections of components as mutually suspicious islands—if one collection of components is compromised, then others will still be safe.

Summary This chapter introduced you to the world of component-based enterprise security. It described how security is an enabler for many e-commerce applications. Without a good security solution in place, many new e-commerce opportunities would not be feasible. The chapter also discussed the concept of risk management, which balances the level of security that is required in light of the business needs of cost, performance, and functionality. It showed that information security is a serious concern for many businesses, both in terms of external and internal (insider) attacks. Next, the chapter described the many challenges of enforcing security in component-based applications. It defined the notion of a TCB, and showed that the TCB concept is not a very good match for distributed component environments. Finally, the chapter introduced Enterprise Application Security Integration (EASI), which is used to tie together many different security technologies. It defined perimeter, middle, and legacy tiers of security, and described how they all work together to provide end-to-end security. The chapter then defined an EASI solution in terms of a security framework, technologies, and integration techniques that hook those technologies together. The EASI framework consists of a number of layers, including the applications, APIs, core security services, framework security services, and underlying security products.

Chapter 18: Strong Transaction Security in Multiple Server Environments “The ballot is stronger than the bullet.” —Abraham Lincoln (1809–1865)

Overview In today’s businesses, electronic communication is a central part of the everyday flow of information, and privacy is a top priority. Whether your company conducts sales over the Internet or hosts a company-specific network, you want to know that your communications are safe from unauthorized interference. For information exchange between servers and client browsers and server-to-server, load balancing devices and SSL accelerators, SSL certificates have become recognized as the bottom line in security. Working with the SSL protocol for encryption, SSL certificates protect businesses against site spoofing, data corruption, and repudiation of agreements. They assure customers that it is safe to submit personal information, and provide colleagues with the trust they need to share sensitive business information. For companies with multiple servers and load balancing devices in their network, you can now locally manage your own SSL certificates with managed public key infrastructure (PKI) for SSL certificates. If you need to secure five or more servers, enrollments and cancellations can become cumbersome when managed one-by-one. With managed PKI for SSL certificates, you save money by purchasing your SSL certificates in bulk, then save time by issuing your own IDs to servers and load balancing devices within your organization. You can customize your end-user support to meet your company-specific needs, and integrate your server and client security systems. This chapter provides you with a basic introduction to digital ID technology and SSL certificates. It then lays out the reasons that you would want to consider managed PKI for SSL certificates as an alternative to one-by-one purchasing. Finally, it presents the features you can expect if you decide managed PKI for SSL certificates is right for your organization.

Security Solutions: The Digital ID System Given the security risks involved in conducting business online, what does it take to make your Internet transactions and company communications safe? Industry leaders agree that the answer is the SSL certificate. Over 607,000 SSL certificates have been issued as of this writing. Companies using SSL certificates include 92 of the Fortune 100 companies and all of the RelevantKnowledge, Inc. Top 20 Commerce Sites.

What Is a Digital ID? A digital identification (ID), also known as a digital certificate, is the electronic equivalent to a passport or business license. It is a credential, issued by a trusted authority, that individuals or organizations can present electronically to prove their identity or their right to access information. When a CA issues digital IDs, it verifies that the owner is not claiming a false identity. Just as when a government issues a passport, it is officially vouching for the identity of the holder. When a CA gives your business a digital certificate, it is putting its name behind your right to use your company name and Web address.

How Do Digital IDs Work? The solution to problems of identification, authentication, and privacy in computer-based systems lies in the field of cryptography. Because of the nonphysical nature of electronic communication, traditional methods of physically marking transactions with a seal or signature are useless. Rather, some mark must be coded into the information itself in order to identify the source and provide privacy against eavesdroppers. One widely used tool for privacy protection is what cryptographers call a “secret key.” Logon passwords and cash card PINs are examples of secret keys. Consumers share these secret keys only with the parties they want to communicate with, such as an online subscription service or a bank. Private information is then encrypted with this password, and it can only be decrypted by one of the parties holding that same password. Despite its widespread use, this secret-key system has some serious limitations. As network communications proliferate, it becomes very cumbersome for users to create and remember different passwords for each situation. Moreover, the sharing of a secret key involves inherent risks. In the process of transmitting a password, it can fall into the wrong hands. Or, one of the sharing parties might use it maliciously and then deny all action. Digital ID technology addresses these issues because it does not rely on the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a digital ID uses a matched pair of keys that are unique complements to one another. In other words, what is done by one key can only be undone by the other key in the pair. In this type of key-pair system, your “private key” gets installed on your server and can only be accessed by you. Your “public key” gets widely distributed as part of a digital ID. Customers, partners, or employees who want to communicate privately with your server can use the public key in your digital ID to encrypt information, and you are then the only one who can decrypt that information. Because the public key alone does not provide access to communications, you do not need to worry about who gets ahold of this key.

Your digital ID tells customers and correspondents that your public key in fact belongs to you. Also, your digital ID contains your name and identifying information, your public key, and digital signature as certification.

How Do SSL Certificates Work? Secure server digital IDs allow any server to implement the SSL protocol, which is the standard technology for secure, Web-based communications. SSL capability is built into server hardware, but it requires a digital ID in order to be functional. So, with the latest SSL and a secure server digital ID, your Web site should support the following functions:

• Mutual authentication
• Message privacy
• Message integrity[1]

Mutual Authentication With mutual authentication, the identity of both the server and the customer can be verified. The reason for this is so that all parties know exactly who is on the other end of the transaction.

Message Privacy With message privacy, all traffic between the server and the customer is encrypted using a unique “session key.” Each session key is only used with one customer during one connection, and that key is itself encrypted with the server’s public key. These layers of privacy protection guarantee that information cannot be intercepted or viewed by unauthorized parties.

Message Integrity With message integrity, the contents of all communications between the server and the customer are protected from being altered en route. All those involved in the transaction know that what they’re seeing is exactly what was sent out from the other side. Figure 18.1 illustrates the process that guarantees protected communications between a server and a client[1]. All exchanges of digital IDs happen within a matter of seconds and appear seamless to the client.

All of this technology translates to online communications that are safe for you and your customers. End users know exactly who they are dealing with and feel comfortable that the information they send is not falling into unknown hands. You know that your server is receiving accurate transmissions that have not been tampered with or viewed en route.

What Do End Users See? Both the Netscape Navigator and Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting sensitive information over insecure channels. If a user tries to submit information to an unsecured site, the browsers will, by default, show a warning such as the one shown in Figure 18.2[1].

By contrast, if a user attempts to submit information to a site with a valid digital ID and an SSL connection, no such warning is sent. Furthermore, both the Microsoft and Netscape browsers provide users with a positive visual clue that they are at a secure site. In Netscape Navigator 3.0 and earlier, the key icon in the lower-left corner of the browser, which is normally broken, is made whole. In Netscape Navigator 4.0 and later, as well as in Microsoft Internet Explorer, the normally open padlock icon becomes shut, as shown in Figure 18.3[1].

The Needs of Your Organization After you have decided to invest in the peace of mind that comes with SSL certificates, you will need to decide whether one-by-one purchasing or managed PKI for SSL certificates meets the needs of your organization. The following are several factors you should consider:

• The size of your network
• Change within your network
• Cross-departmental coordination
• The needs of your end users[1]

The Size of Your Network If your company will be hosting five or more servers within the next year, you are a good candidate for managed PKI for SSL certificates. You can begin with five SSL certificates and the administrator’s kit. This should meet your current needs plus your renewals for later in the year. You will save money through a bulk discount, while increasing efficiency significantly by eliminating the need to enroll and pay separately for each SSL certificate.

Change within Your Network If you want the ability to expand, reduce, or restructure your network with no hassle, managed PKI for SSL certificates is the answer. With one-by-one purchasing, each addition, renewal, or cancellation of a secure server must go through a service center. Each SSL certificate requires 3–5 business days to be issued and must be paid for with a separate credit card processing or purchase order. When you purchase in bulk through managed PKI for SSL certificates, your managed PKI administrator can issue and cancel SSL certificates instantly, giving you superior control of your operations, especially in critical times.

Cross-Departmental Coordination If several groups within your organization are likely to work with secure servers, managed PKI for SSL certificates will simplify and enhance your information system management. When server hosts from each department apply separately for SSL certificates, the result can be disorganization, compromising both the efficiency and integrity of your network’s security. A department might “reinvent the wheel” that has already been invented within the company, or, alternatively, a group might assume that a given security issue is being handled elsewhere and thus fail to address it. With one administrator distributing SSL certificates as the need arises, you reduce the possibility for overlap or lapse in the security of your electronic communications.

The Needs of Your End Users Would your end users benefit from a Web and e-mail interface that is designed for their specific use? With managed PKI for SSL certificates, you have the option of customizing the enrollment forms and support pages your users see. With one-by-one management, each person hosting a secure server interacts with the system for enrollment, renewal, and cancellation. This interface, while straightforward and user-friendly, is designed for general use with any server. If you purchase your SSL certificates through managed PKI, your package includes enrollment and support screens, but you also have the option of customizing or creating your own pages. You can provide instructions specific to your server software, your organizational structure, or other company specifics. You can design the look and feel to match the interface your users are comfortable with, and even integrate it with your personal digital ID interface, if you use managed PKI to issue digital certificates to individuals. When your users need technical support, they can immediately access the managed PKI administrator within your organization. If the problem cannot be addressed locally, the managed PKI administrator can always contact a member of the support team.

The Managed PKI for SSL Certificates System Managed PKI for SSL certificates is designed to be easily installed and administered. The following features provide the backbone of your network security system: the managed PKI for SSL certificates administrator and instant enrollment for SSL certificates.

The Managed PKI for SSL Certificates Administrator When you use managed PKI for SSL certificates to manage your secure network, an administrator within your organization oversees a local control center to issue SSL certificates. This managed PKI administrator, using a standard PC with the Netscape Navigator browser, purchases managed PKI for SSL certificates, and receives an administrator’s kit. Before issuing the administrator’s kit, the vendor should conduct the necessary background checks to ensure that your organization is legitimate and has the right to use the domain names being secured. The administrator’s kit should include all of the software necessary to establish a managed PKI control center on the administrator’s PC. It also includes an optional smart card reader and a managed PKI administrator ID stored on a smart card. After the administrator’s kit is installed and the control center is up and running, you are ready to start issuing SSL certificates.

Instant Enrollment for SSL Certificates The local control center allows users within your network to receive SSL certificates without any manual intervention. Because a vendor has already verified your company and domain names, the only approval necessary is from the managed PKI administrator at your organization. The enrollment process goes as follows:

1. A user within your network generates a Certificate Signing Request (CSR) on the server being secured.
2. The user submits the CSR, along with the necessary enrollment forms, to the digital ID center.
3. The vendor instantly and automatically sends a pending request to the managed PKI control center at your organization.
4. The managed PKI administrator within your organization validates the user’s enrollment request.
5. The vendor then generates an SSL certificate and sends it to the user’s e-mail address.
6. The user downloads the SSL certificate and installs it on the server[1].

Finally, all communications occur in protected SSL sessions and are, thus, safe for your company.
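The six-step enrollment above, together with the key-pair property described under “How Do Digital IDs Work?”, played out locally with openssl as an added example (not from the book or any vendor’s administrator’s kit). A constructed local CA stands in for the vendor that has already verified the organization; every name, path and domain is made up, and the administrator’s validation in step 4 is the check a practitioner would want to see there.

```shell
#!/bin/sh
# Added example: the managed-PKI enrollment flow (steps 1-6) with openssl.
# A constructed local CA stands in for the vendor; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Vendor side: the CA whose signature is the "certification" on every ID.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Managed PKI/CN=Example Managed PKI CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 1: the user generates a key pair and CSR on the server being secured.
# The private key never leaves this host; only the CSR is submitted.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
}

# Step 4: the administrator validates the pending request. Two checks matter:
# the CSR's self-signature proves the requester holds the private key, and
# the requested name must fall under a domain the organization owns, or the
# administrator would be issuing IDs for names the vendor never vetted.
validate_csr() {
  host="$1"; allowed="$2"
  openssl req -in "$WORK/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
  cn=$(openssl req -in "$WORK/$host.csr" -noout -subject |
       sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  case "$cn" in
    *."$allowed") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 5: the CA signs the CSR, producing the SSL certificate.
# (A production request would also carry a subjectAltName extension.)
issue_cert() {
  host="$1"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Step 6 sanity checks before installing: the certificate must chain to the
# CA, and its public key must match the private key generated in step 1.
verify_install() {
  host="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
  from_cert=$(openssl x509 -in "$WORK/$host.crt" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$WORK/$host.key" -pubout | openssl sha256)
  [ "$from_cert" = "$from_key" ]
}

# The whole flow for one server: returns non-zero if any step is refused.
enroll() {
  host="$1"; allowed="$2"
  make_csr "$host"
  validate_csr "$host" "$allowed" || return 1
  issue_cert "$host"
  verify_install "$host"
}

# The key-pair property: anyone holding the certificate can encrypt for the
# server, but only the private key on the server can decrypt. Prints the
# recovered plaintext.
roundtrip() {
  host="$1"; msg="$2"
  openssl x509 -in "$WORK/$host.crt" -noout -pubkey >"$WORK/$host.pub"
  printf '%s' "$msg" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/$host.pub" \
    -out "$WORK/msg.enc"
  openssl pkeyutl -decrypt -inkey "$WORK/$host.key" -in "$WORK/msg.enc"
}
```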

Summary For the strongest, most reliable protection of your client-browser communications, SSL certificates are widely recognized as the industry standard. SSL certificates allow your Internet site or corporate network to enable SSL encryption, which authenticates your server and guarantees against alteration and interception of data. For SSL certificate protection on multiserver networks, managed PKI for SSL certificates makes managing your SSL certificates cheaper and more efficient, and enhances coordination within your organization. Managed PKI for SSL certificates provides the options of customized end-user support, private label certification, and integration with managed PKI for issuing digital certificates to individuals, making it the security system that fits the unique needs of your company. Managed PKI for client IDs allows an organization to issue digital certificates to individuals within its network. These digital IDs can replace password logons to a company network and allow your Web site to control who accesses its content. Personal digital IDs also make it possible to send digitally signed and encrypted e-mail, using the Secure Multipurpose Internet Mail Extension (S/MIME) protocol. Finally, if your company already uses managed PKI to issue digital certificates to individuals within its network, or if you are interested in doing so, you can integrate this system with your managed PKI for SSL certificate management. The managed PKI administrator’s kit gives you the option of controlling all IDs from one control center.

Chapter 19: Securing and Managing Your Storefront for E-Business “Is it possible to store the mind with a billion facts and still be entirely uneducated?” —Anonymous

Overview Businesses that accept transactions via their online storefront can gain a competitive edge by reaching a worldwide audience, at very low cost. But, the online storefront poses a unique set of security issues, which businesses must address at the outset to minimize risk. Customers will submit information via the online storefront only if they are confident that their personal information, such as credit card numbers, financial data, or medical history, is secure. With the preceding in mind, by installing an SSL certificate (previously discussed in Chapter 18) on your server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe. Immediately after installing your SSL certificate, you can establish secure communications with any customer using a browser from Netscape or Microsoft. This proven technology is in use now—by the top 60 e-commerce sites, all of the Fortune 500 companies with an online storefront presence, and thousands of other leading sites. This chapter is a continuation of Chapter 18, with very detailed explanations of key issues related to online storefront security. It also describes the technologies that are used to address the issues, and provides step-by-step instructions for obtaining and installing an SSL certificate.

Securing Your Web Storefront with an SSL Certificate As previously explained in Chapter 18, a proven, low-cost solution to secure online transactions is available today. SSL certificates have earned the trust of businesses worldwide, including virtually all of the Fortune 500 companies on the Web and all of the top 80 e-commerce sites. To date, over 854,000 SSL certificates have been issued. This part of the chapter continues the discussion that was started in Chapter 18 by describing in detail how SSL certificates work to make online transactions secure.

Presenting Your Credentials via an SSL Certificate An SSL certificate, also known as a digital certificate (see sidebar, “How Digital Certificates Work”), is the electronic equivalent of a business license. SSL certificates are issued by a trusted third party, called a Certification Authority (CA). The CA that issues an SSL certificate is vouching for your right to use your company name and Web storefront address, just as the office of the Secretary of State does when it issues Articles of Incorporation. CAs can also issue digital certificates to individuals. Before issuing an SSL certificate, the CA reviews your credentials (such as your organization’s Dun & Bradstreet number or Articles of Incorporation) and completes a thorough background checking process to ensure that your organization is what it claims to be, and is not claiming a false identity. Then, the CA issues your organization an SSL certificate, which is an electronic credential that your business can present to prove its identity or right to access information (see sidebar, “How Digital Certificates Work”). An SSL certificate from the CA provides the ultimate in credibility for your online business. A CA’s rigorous authentication practices set the industry standard. The CA documents its carefully crafted and time-proven practices and procedures in a Certificate Practices Statement. And, the CA annually undergoes an extensive SAS 70 Type II audit by KPMG. Note The Statement of Auditing Standard 70, SAS 70, was established by the American Institute of Certified Public Accountants to certify trusted practices. Employees responsible for dealing with certificates undergo complete background checks and thorough training. The CA has achieved its unsurpassed reputation as a trusted third party by paying as careful attention to physical security as electronic security. For example, a company’s 22,000-square-foot plant where keys are issued has five tiers of security, the last three requiring fingerprint identification.

How Digital Certificates Work In physical transactions, the challenges of identification, authentication, and privacy are solved with physical marks, such as seals or signatures. In electronic transactions, the equivalent of a seal must be coded into the information itself. By checking that the electronic “seal” is present and has not been broken, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. To create an electronic equivalent of physical security, some vendors use advanced cryptography. Throughout history, most private messages have been kept secret with single key cryptography. In single key cryptography, there is a unique code (or key) for both encrypting and decrypting messages. Single key cryptography works as follows: Suppose Bob has one secret key. If Alice wants to send Bob a secret message:

1. Bob sends Alice a copy of his secret key.
2. Alice encrypts a message with Bob’s secret key.
3. Bob decrypts the message with his secret key.

Unfortunately, this method has several problems. First, Bob must find a secure method of getting his secret key to Alice. If the secret key is intercepted, all of Bob’s communications are compromised. Second, Bob needs to trust Alice. If Alice is a double agent, she may give Bob’s secret key to his enemies. Or, she may read Bob’s other private messages or even imitate Bob. Finally, if you have an organization with people who need to exchange secret messages, you will either need to have thousands (if not millions) of secret keys, or you will need to rely on a smaller number of keys, which opens the door to compromise. SSL certificate technology employs the more advanced public key cryptography, which does not involve the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, an SSL certificate uses a matched pair of keys that uniquely complement each other. When a message is encrypted by one key, only the other key can decrypt it. When a key pair is generated for your business, your “private key” is installed on your server; nobody else has access to it. Your matching “public key,” in contrast, is freely distributed as part of your SSL certificate. You can share it with anyone, and even publish it in directories. Customers or correspondents who want to communicate with you privately can use the public key in your SSL certificate to encrypt information before sending it to you. Only you can decrypt the information, because only you have your private key. Your SSL certificate contains your name and identifying information, your public key, and the CA’s own digital signature as certification. It tells customers and correspondents that your public key belongs to you[2].

A CA’s rigorous authentication practices, leading-edge cryptographic techniques, and ultrasecure facilities are designed to maximize your confidence in the CA’s services. These practices, technology, and infrastructure are the foundation for SSL certificates to secure transactions working in conjunction with your Web storefront server.

Simplifying Management of Multiple SSL Certificates Is your site hosted on 10 or more servers? As previously explained in Chapter 18, with one simple purchase, a managed PKI service lets you issue all the SSL certificates you need (either standard or universal 128-bit SSL certificates) in bundles of 10, 25, 50, 100, or more. A convenient one-step purchasing process lets you take advantage of a single purchase order, and volume discounts make managed PKI the most cost-effective way to secure big sites. Managed PKI is simple to set up and configure: start issuing server certificates quickly via the CA’s intuitive Web-based process. Renewing IDs or buying additional IDs is just as easy.

Learning More About Your Customers Through Client Authentication An SSL certificate tells your customers exactly who you are. Suppose you want to learn who your customers are, or to restrict access to your content to certain consumers. You can set up your Web storefront site to authenticate visitors’ identities with SSL certificates for individual users. Compared to asking customers to supply a user name and password, SSL certificate registration is more convenient for customers and more informative for your business.

Deploying Strong Security for Worldwide Commerce Until recently, strong 128-bit encryption was not exportable. The United States Department of Commerce has approved the issuance of certificates for 128-bit encrypted communications—the highest level of encryption ever allowed across United States borders. With a 128-bit Global Server ID, your 128-bit customers can now enjoy unparalleled security when visiting your Web storefront site. The Global Server ID is a septillion times more secure than any other product.

Facilitating Payments with Payment Services Extending a business to the Web and opening an e-commerce storefront requires merchants to master many tasks—not only Web storefront site development and design, but also maintaining the confidentiality and security of consumer data and accepting and processing payments. A CA can take the headache out of payment processing by managing a secure, reliable, and low-cost solution for accepting payments. CA payment services provide the ideal payment transaction platform for merchants who want to conduct business on the Internet. Regardless of your business’s size or demands, a CA can deliver the right solution: a fast, scalable, and reliable Internet payment platform that enables companies to authorize, process, and manage multiple payment types. Payment services bring affordability, flexibility, and convenience to Internet payment processing by combining a flat-fee monthly pricing model with a growing menu of services and solutions for merchants, financial institutions, resellers, and developers. For example, VeriSign’s Commerce Site and Commerce Site Pro Services combine SSL certificates with the VeriSign Payflow Pro service to form a complete, integrated solution that’s ideal for e-merchants and online stores. Commerce Site includes a 40-bit SSL certificate and Payflow Pro, plus additional value-added services. Commerce Site Pro also includes a 128-bit SSL Global Server ID and Payflow Pro, plus value-added services. Payflow Pro is designed especially to help Web storefront merchants securely accept and process credit card, debit card, purchase card, and electronic check payments. Payflow Pro is a versatile solution for online payment processing, and is ideal for large-scale, e-commerce merchants that require peak performance and complete customizability. Payflow Pro enables payment processing through a small SSL TCP/IP-enabled client that controls communications between merchants’ applications and the Payflow platform. Designed for scalability and reliability, Payflow Pro creates a dedicated SSL TCP/IP-level communication thread for each transaction between the client and the server. Payflow Pro is downloadable as a Software Development Kit (SDK) or comes preintegrated with most shopping carts and e-commerce platforms. Up to 5,000 transactions are included.

Step-By-Step Instructions

In one to three days, after the CA has verified your credentials, you will receive your SSL certificate via e-mail. Simply install the SSL certificate on your server, and then immediately begin conducting transactions online—with the confidence that you and your customers are protected. As previously mentioned, the U.S. Department of Commerce requires your company to qualify before buying the 128-bit SSL encryption power of Global Server IDs. All companies within the United States are eligible for Global Server IDs. The U.S. government determines the categories of companies that can implement the powerful 128-bit SSL encryption technology of Global Server IDs outside the United States and across U.S. borders. New regulations make Global Server IDs available to a wider group of customers than ever before. Any company or organization around the world may purchase a Global Server ID, with the following exceptions: persons listed on the U.S. government’s Denied Persons List, and customers located in Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Before You Begin

Before beginning a CA’s online enrollment, check to make sure you are ready to proceed by preparing the following.

Installing Server Software

Nearly all brands support the CA’s 40-bit SSL certificates. The server on which the 128-bit Global Server ID is installed can run server software from any non-U.S. software vendor, or software from a U.S. software vendor properly classified by the U.S. Department of Commerce, including:

• Apache-SSL
• BEA WebLogic
• C2Net Apache Stronghold
• Compaq/Tandem iTP Webserver
• Covalent Raven
• Hewlett Packard Virtual Vault (with Netscape Enterprise)
• IBM http Server/Webphone
• iPlanet Servers
• Lotus Domino
• Microsoft IIS
• Mod-SSL
• Nanoteq Netseq server
• Netscape Suite Spot servers, including Netscape Enterprise and Netscape Proxy Server
• O’Reilly WebSite Pro
• Red Hat Professional
• Zeus[2]

Registering Your Domain Name and Confirming Firewall Configuration

If you haven’t already, register your URL at: http://www.networksolutions.com/en_US/index.jhtml;jsessionid=ZUVPWFYO2XNEMCWLEAKSFEQ?requestid=492631 or a local equivalent. SSL certificate enrollment requires that you can make both HTTP and HTTPS connections to a CA’s Web storefront site.

Preparing Payment

If you are applying for a free, 14-day trial SSL certificate, no payment is necessary. If you are purchasing a one-year, full-service SSL certificate, you can pay with a purchase order, check, wire transfer, or an American Express®, Visa®, MasterCard®, or Discover card.

Reviewing Legal Agreement and Gathering Proof of Right Documents

In the process of enrolling, you will need to sign a Secure Server Subscriber Agreement. Before issuing your SSL certificate, the CA must confirm that your company is legitimate and is registered with the proper government authorities. If you have a Dun & Bradstreet DUNS number, simply supply your number. International DUNS numbers must be in the Dun & Bradstreet database for at least two months before a CA can verify the information. If you do not have a DUNS number, either go to http://www.dnb.com/us/ and apply for one, or submit a hard copy of at least one of the following filed documents for your company: articles of incorporation, partnership papers, business license, or fictitious business license. All documents must be in English.

Selecting an Option for Obtaining Payment

Collecting credit card payments (in person or via the phone or Web) always involves two steps. First, obtain the credit card number from the customer. Second, secure payment from an acquiring processor on behalf of the credit card issuing bank. When your business uses an SSL certificate to obtain billing information from your customers, you have two options for collecting payments from the acquiring processor: traditional phone-in or online processing. You are now ready to obtain your SSL certificate (see sidebar, “How to Obtain Your SSL Certificate”).

How to Obtain Your SSL Certificate

To complete your SSL certificate enrollment, please visit one of many sites, for example: http://www.verisign.com/products/site. There, you will be instructed to complete the following steps.

1. Generate Certificate Signing Request: Follow the instructions in your server software manual, or online at http://digitalid.verisign.com/server/enrollStep3.htm, to create a Certificate Signing Request (CSR) and a key pair. After the server software creates the two files, make backup copies of them on a floppy disk, and store the disk in a secure location. This is important: if your private key is lost, the CA will not be able to recover it for you.

2. Submit the Certificate Signing Request (CSR) to the CA: Open the CSR file in a text editor, such as WordPad, Notepad, or TextPad. Do not use a word processing application such as Microsoft Word or Adobe FrameMaker. Select the text in the CSR, beginning with and including:

-----BEGIN NEW CERTIFICATE REQUEST-----

and ending with

-----END NEW CERTIFICATE REQUEST-----

Copy and paste the CSR into the CA online enrollment form for the trial or the one-year subscription. Click the Submit button.

3. Complete application: Fill out the online application form with information about your company and contacts. The technical contact must be authorized to run and maintain your secure Web storefront server and must be employed by your organization. If you access the Web storefront through an Internet Service Provider (ISP), the ISP may complete the CSR for you and serve as the technical contact, and you can then enroll. If your ISP does not offer CA IDs, refer it to www.verisign.com/isp/index.html for information about VeriSign’s Secure Site ISP Program. The organizational contact must be authorized to make binding agreements, such as the Secure Server Service Agreement, and must be employed by your organization. It is best to select a different person from the technical contact. The billing contact will receive invoices. This can be the same person as the technical or organizational contact.

4. Authentication takes 1–3 days: Within a few hours of receiving your application, the CA will send a confirming e-mail to your technical and organizational contacts. The e-mail will include a URL where you can check the status of your application, as well as a Personal Identification Number (PIN) that you will need to view the status. If the information you submitted is complete, your technical contact and organizational contact will receive your SSL certificate by e-mail in 1–3 working days.

5. Install your SSL certificate: When you receive your SSL certificate, make a backup copy of it and store it on a labeled floppy disk, noting the date you received it. Store the floppy disk in a secure place. To install your SSL certificate, follow the instructions in your server software documentation for digital certificates.

6. Enable SSL on your server: Consult your server software manual to enable SSL. The process should take approximately five minutes.

7. Post the Secure Site Seal on all your secure pages: You should receive a file of the Seal, complete with instructions on how to install it, via e-mail shortly after completing the enrollment process. You can also find downloadable Seal files and instructions at http://www.verisign.com/seal/secure/install.html[2]

Note: SSL imposes some performance overhead. Therefore, most server software applications allow you to apply SSL selectively to Web storefront pages that require encryption, such as payment pages. There is no benefit from applying SSL to product information pages, for example.
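Step 2 above is where enrollments most often go wrong: the wrong block is selected, a word processor mangles the base64, or the private key file is pasted instead of the CSR. The following script is an added example (not code from the book or from VeriSign) that a technical contact could run on the CSR file before pasting. It accepts both the "NEW CERTIFICATE REQUEST" label shown above and the plain "CERTIFICATE REQUEST" label that OpenSSL writes, refuses any file that contains a PRIVATE KEY block, and confirms the base64 body decodes to a well-formed DER SEQUENCE whose declared length matches the data (a cheap way to catch truncated or corrupted pastes). The sample file contents are constructed; the base64 body is a placeholder DER SEQUENCE, not a real request.

```python
"""Pre-flight checks on a CSR file before it is pasted into a CA enrollment form.
Added example; not the book's or VeriSign's code."""
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+?)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)
# IIS-era servers write NEW CERTIFICATE REQUEST, OpenSSL writes CERTIFICATE REQUEST.
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

# Constructed sample files. "MAMCAQA=" is DER bytes 30 03 02 01 00, a minimal
# SEQUENCE containing INTEGER 0, used only to exercise the checks.
SAMPLE_CSR_FILE = """Generated by the server software (constructed sample)
-----BEGIN NEW CERTIFICATE REQUEST-----
MAMCAQA=
-----END NEW CERTIFICATE REQUEST-----
"""
SAMPLE_KEY_FILE = """-----BEGIN PRIVATE KEY-----
MAMCAQA=
-----END PRIVATE KEY-----
"""
# Same SEQUENCE with its last byte missing: declared length 3, only 2 bytes follow.
TRUNCATED_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MAMCAQ==
-----END CERTIFICATE REQUEST-----
"""


def find_pem_blocks(text):
    """Return (label, body) for every PEM block found in text, in order."""
    return [(m.group("label"), m.group("body")) for m in _PEM_RE.finditer(text)]


def der_declared_length(der):
    """(declared content length, header length) of the outer DER SEQUENCE,
    or None if the data does not start with a SEQUENCE tag."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                         # short-form length
        return first, 2
    nbytes = first & 0x7F                    # long form: next nbytes hold the length
    if nbytes == 0 or len(der) < 2 + nbytes:
        return None
    return int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes


def check_csr_text(text):
    """Validate CSR file contents; returns a dict with ok=True and the exact
    text to paste, or ok=False and a reason."""
    blocks = find_pem_blocks(text)
    if not blocks:
        return {"ok": False, "reason": "no PEM block found"}
    # The private key never leaves the server: refuse the whole file if present.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return {"ok": False, "reason": "file contains a private key; do not submit it"}
    csrs = [(label, body) for label, body in blocks if label in CSR_LABELS]
    if len(csrs) != 1:
        return {"ok": False, "reason": f"expected one CSR block, found {len(csrs)}"}
    label, body = csrs[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                       # smart quotes, stray characters, etc.
        return {"ok": False, "reason": "body is not valid base64"}
    header = der_declared_length(der)
    if header is None:
        return {"ok": False, "reason": "decoded data is not a DER SEQUENCE"}
    declared, header_len = header
    if declared + header_len != len(der):
        return {"ok": False, "reason": "DER length mismatch (truncated or corrupted paste)"}
    paste = f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----"
    return {"ok": True, "label": label, "der_len": len(der), "paste": paste}


if __name__ == "__main__":
    for name, sample in [("csr", SAMPLE_CSR_FILE), ("key", SAMPLE_KEY_FILE),
                         ("truncated", TRUNCATED_CSR)]:
        print(name, check_csr_text(sample))
```

The "paste" value is the exact text to put into the enrollment form, boundary lines included, as step 2 requires; everything else in the file (comments, a second block) is left behind.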

Options for Obtaining Payment

Congratulations! You can now offer secure transactions to your online customers.

Traditional Phone-In

If your business already collects credit card payments from person-to-person or telephone sales, you are probably using this method currently. Simply read each customer’s card number from your Internet order form and transmit it to the processor using a point-of-sale (POS) terminal. If your business is not yet set up to collect credit card payments, contact a merchant services company, such as First Data Corporation Web Info. Merchant service companies generally charge a nominal setup fee, also called an underwriting fee, and then charge a percentage of each transaction.

Online Processing

Most leading credit card processors offer their merchants the option to collect payments online. The payment-enabling software needed for these transactions depends on the system that the credit card service provider uses. For example, Payflow℠ Payment Services provide high-quality, low-cost payment connectivity between buyers, sellers, and financial networks. Payflow services bring the Internet’s “anyone-to-anyone” ease of connectivity to the payments industry. By using Payflow, a merchant can connect to any bank, transaction service, or form of payment without worrying about the underlying technology. Customers can pay with a variety of financial instruments, including checking accounts, savings accounts, and credit cards, quickly and simply.

Now, let’s look at how to establish trust to protect and grow your online storefront. In other words, in light of the risks associated with electronic commerce and online communication, it is imperative to not only use secure encryption technology when conducting online business, but to also be able to prove one’s identity and develop trust relationships with customers and partners. Building online trust relationships with partners and customers involves being authenticated by a trusted third party and receiving an authenticated SSL digital certificate that is signed by that trusted third party. Encryption, the process of transforming information to make it unintelligible to all but the intended recipient(s), forms the basis of data integrity and privacy necessary for online business. Without authentication, however, encryption technology does not sufficiently protect online users. Authentication must be used in conjunction with encryption to provide:

• Confirmation that the organization named in the certificate has the right to use the domain name included in the certificate
• Confirmation that the organization named in the certificate is a legal entity
• Confirmation that the individual who requested the SSL certificate on behalf of the organization was authorized to do so[1]

There is a distinction between authenticated (“high-assurance”) certificates, which provide trust and security, and unauthenticated (“low-assurance”) certificates, which threaten consumer confidence and online security. In addition to using encryption technology, it is vital that your Web storefront is authenticated, which will improve Web visitors’ trust in your Web storefront and in your business. When you establish your secure Web storefront, you can take advantage of a wealth of options to further enhance your e-commerce operation. You can display the number-one trust brand on the Internet (Cheskin/Studio Archetype) to give your customers the confidence to communicate and transact business with your site. A seal allows your visitors to check your SSL certificate’s information and status in real time, thus increasing their trust in your online storefront and increasing your sales and revenues. Increased trust in the safety of online transactions has numerous benefits, of which increased revenue and profitability are the most important. There are real challenges (and significant opportunities) for online storefronts to deliver the same level of trust and personalization over the Internet as is offered by brick-and-mortar storefronts. Until recently, most SSL certificates could be categorized as medium- to high-assurance certificates, providing three security services: confidentiality, authentication, and integrity. Digital certificates uniquely identify individuals and Web storefronts on the Internet and enable secure, confidential communications. Unfortunately, some providers of SSL certificates have elected to provide unauthenticated or low-assurance SSL certificates in order to lower costs and accelerate order fulfillment. This conflicts with generally accepted industry practices, erodes customer confidence, and serves as a source of confusion for Web storefront visitors. “Low-assurance” SSL certificates provide confidentiality and integrity, but lack authentication. In the past, the lock icon in the users’ browser was perceived to be a reliable sign of authentication. Now, users are forced to examine the SSL certificate itself to distinguish between a high-assurance, authenticated certificate and a low-assurance, unauthenticated certificate. If, for example, a user intends to securely communicate with a Web site bearing an SSL certificate with the organization name “ABC Inc.,” the user is compelled to check whether the certificate is authenticated by a third party. The SSL certificate intends to convey assurance that the visited Web storefront (http://www.abc-incorporated.com) is definitely an “ABC Inc.” Web storefront and that it is not another entity pretending to be ABC Inc., trying to trick Web site visitors into doing business with them. Only through rigorous authentication can a company prove to its customers and partners that its Web storefront is authentic and has the right to use the domain name presented on the certificate.

[2] “Guide to Securing Your Web Site for Business,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.

[1] “Establish Trust to Protect and Grow Your Online Business,” © 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.

Why Is Authenticated SSL Necessary?

Notions of identity and authentication are fundamental concepts in every marketplace. People and institutions need to get to know one another and establish trust before conducting business. In traditional commerce, people rely on physical credentials (such as a business license or letter of credit) to prove their identities and assure the other party of their ability to consummate a trade. In the age of e-business, authenticated SSL certificates provide crucial online identity and security to help establish trust between parties involved in online transactions over digital networks. Regardless of whether commerce takes place in the digital world or in the physical world, the parties involved must be able to answer these questions:

• Who are you? (Requirement of identity)
• To what community do you belong? Are you a trusted member? (Trust by association)
• How can you prove your identity? (Validation of identity)[1]

Customers must be assured that the Web storefront with which they are communicating is genuine and that the information they send via Web browsers stays private and confidential.

Encryption

The Web presents a unique set of trust issues, which businesses must address at the outset to minimize risk. Customers submit information and purchase goods or services via the Web only when they are confident that their personal information, such as credit card numbers and financial data, is secure. The solution for businesses that are serious about e-commerce is to implement a complete e-commerce trust infrastructure based on encryption technology. Encryption, the process of transforming information to make it unintelligible to all but the intended recipient, forms the basis of data integrity and privacy necessary for e-commerce.

Authentication

Encryption is not enough; it is imperative that your Web storefront is also authenticated, which will improve Web storefront visitors’ trust in you and your Web storefront. Authentication means that a trusted authority can prove that you are who you say you are. To prove that your business is authentic, your Web storefront needs to be secured by best-of-breed encryption technology and authentication practices.

Digital Certificates

As previously discussed in Chapter 18, a digital certificate is an electronic file that uniquely identifies individuals and Web storefronts on the Internet and enables secure, confidential communications. Digital certificates serve as a kind of digital passport or credential. Typically, the “signer” of a digital certificate is a CA. Some digital certificates are authenticated by trusted authorities, but unfortunately there are CAs that provide unauthenticated SSL certificates. This practice exposes online users to the risks of false online storefronts operating on the Internet. Authenticated SSL certificates enable a Web storefront visitor to securely communicate with the Web storefront, such that information provided by the Web storefront visitor cannot be intercepted in transit (confidentiality) or altered without detection (integrity), and to verify that the site the user is actually visiting is the company’s Web site and not an imposter’s site (authentication). Finally, a CA assures trust by coupling its authentication service with state-of-the-art encryption technology in its digital certificate solutions. Your online storefront will only be issued an authenticated SSL certificate after:

• Verifying your identity and confirming that your organization is a legal entity
• Confirming that you have the right to use the domain name included in the certificate
• Verifying that the individual who requested the SSL certificate on behalf of the organization was authorized to do so[1]

Summary

With its worldwide reach, the Web is a lucrative distribution channel with unprecedented potential. By setting up an online storefront, businesses can reach the millions of people around the world already using the Internet for transactions. And, by ensuring the security of online payments, businesses can minimize risk and reach a far larger market—the 89 percent of Internet users who still hesitate to shop online because of security concerns. An SSL certificate enables you to immediately begin conducting online business securely, with authentication, message privacy, and message integrity. As a result, you can minimize risk, win customer confidence, and, ultimately, gain a competitive edge. Some CAs believe that encryption without authentication is enough to ensure a secure Web storefront and to build trust between you and your customers. But, encryption alone is not sufficient. Unauthenticated SSL certificates provide confidentiality and integrity, but lack the third-party authentication necessary to:

• Verify that the user is actually visiting the company’s Web storefront and not an imposter’s site.
• Allow the receiver of a digital message to be confident of both the identity of the sender and the integrity of the message.
• Ensure safe online transactions that protect both customers and your business[1].

For these reasons, it is critical that your Web storefront is authenticated, which will improve Web visitors’ trust in you and your Web storefront. Furthermore, if certificates can be issued to unauthorized parties, the trustworthiness of legitimate certificates is diminished. Requiring verification of the certificate applicant’s authority to request a certificate (employment with the organization named in the certificate) guards against the threat of issuing a certificate to a malicious individual who is not associated with the organization. An authenticated SSL certificate provides the ultimate in credibility for your online storefront. Rigorous authentication practices set by industry standards provide assurance that subscribers are properly identified and authenticated, and subscriber certificate requests are accurate, authorized, and complete. In addition, by displaying a Secure Site Seal, you can give your customers the confidence to communicate and transact business with your site. A Secure Site Seal allows your visitors to check your SSL certificate’s information and status in real time, and provides additional protection against the misuse of revoked and expired certificates. Finally, rigorous authentication practices, as well as leading-edge cryptographic techniques and ultra-secure facilities, are designed to maximize your and your customers’ confidence. These practices, technology, and infrastructure are the foundation for server certificates to secure transactions, working in conjunction with your Web storefront server.

Part V: Electronic Payments Technology

Chapter List

Chapter 20: Payment Technology Issues
Chapter 21: Electronic Payment Methods Through Smart Cards
Chapter 22: Electronic Payment Systems
Chapter 23: Digital Currencies

Chapter 20: Payment Technology Issues

“If you think nobody cares if you’re alive, try missing a couple of house payments.” —Anonymous

Overview

Online payment processing requires coordinating the flow of transactions among a complex network of financial institutions and processors. Fortunately, technology has simplified this process so that, with the right solution, payment processing is easy, secure, and seamless for both you and your customers. This chapter provides you with what you need to know about online payment processing issues:

• Online payment processing basics
• The payment processing network
• How payment processing works
• What you should know about fraud
• What to look for in a payment processing solution
• Getting started

After you’ve read this chapter, you’ll understand the issues and essential elements of accepting payments online, the most important step in putting your Web site to work for you.

Online Payment Processing Basics

Purchasing online may seem to be quick and easy, but most consumers give little thought to the process that appears to work instantaneously. For it to work correctly, merchants must connect to a network of banks (both acquiring and issuing banks), processors, and other financial institutions so that payment information provided by the customer can be routed securely and reliably. The solution is a payment gateway that connects your online store to these institutions and processors. Because payment information is highly sensitive, trust and confidence are essential elements of any payment transaction. This means the gateway should be provided by a company with in-depth experience in payment processing and security.

The Payment Processing Network

Here’s a breakdown of the participants and elements involved in processing payments:

Acquiring bank: In the online payment processing world, an acquiring bank provides Internet merchant accounts. A merchant must open an Internet merchant account with an acquiring bank to enable online credit card authorization and payment processing. Examples of acquiring banks include Merchant eSolutions and most major banks.

Authorization: The process by which a customer’s credit card is verified as active and as having the credit available to make a transaction. In the online payment processing world, an authorization also verifies that the billing information the customer has provided matches up with the information on record with their credit card company.

Credit card association: A financial institution that provides credit card services that are branded and distributed by customer issuing banks. Examples include Visa® and MasterCard® (see sidebar, “Visa and MasterCard Take Different Approaches to Authentication”).

Customer: The holder of the payment instrument—such as a credit card, debit card, or electronic check.

Customer issuing bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include Citibank and SunTrust. During a purchase, the customer issuing bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase.

Internet merchant account: A special account with an acquiring bank that allows the merchant to accept credit cards over the Internet. The merchant typically pays a processing fee for each transaction processed, also known as the discount rate. A merchant applies for an Internet merchant account in a process similar to applying for a commercial loan. The fees charged by the acquiring bank will vary.

Merchant: Someone who owns a company that sells products or services.

Payment gateway: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments. The service is usually operated by a third-party provider such as VeriSign.

Processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to a merchant’s site on behalf of an acquiring bank via a payment gateway.

Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant’s acquiring bank for deposit[1].

Visa and MasterCard Take Different Approaches to Authentication

Online merchants could face integration hassles as they deploy forthcoming and competing credit card payer authentication technologies from Visa USA and MasterCard International Inc. The technologies, Visa’s Verified by Visa and MasterCard’s Secure Payment Application service, take distinctly different approaches. Visa performs authentication on the merchant site, whereas MasterCard handles it on the customer’s PC automatically, using a previously downloaded applet. As a result, merchants that accept credit cards will be required to support two authentication mechanisms. Furthermore, some observers speculate the companies’ respective systems may be no more successful in gaining market acceptance than the ill-fated Secure Electronic Transaction (SET) authentication protocol, a protocol spearheaded by Visa and MasterCard. Visa sweetened the bait for its system recently when it announced that online merchants using Verified by Visa will have no liability for any transactions processed by the service. Verified by Visa, also known as Visa Payer Authentication, authenticates credit card users with a password and requires no client software. MasterCard’s Secure Payment Application service, which the Purchase, N.Y., company will pilot in April, also uses a password or PIN and requires an applet for authentication. MasterCard and Visa, which formerly cooperated, now find fault with each other’s approaches. Visa’s service, for instance, will extend transaction processing times, take customers off the merchant sites for authentication, and require complex integration. MasterCard’s service, Visa countered, amounts to a digital wallet, which consumers have been loath to use. About the only thing MasterCard and Visa seem to agree on is that SET, which was launched in December 1997, was a failure. SET required long download times for customers, used clumsy digital certificate technology, and created integration hassles for merchants and banks that issued the credit cards. It had all but faded away by late 1998. But with Visa and MasterCard now going separate ways, some merchants see little reason to try authentication technology. You’re creating another layer of complication. After customers go through the trouble of giving you their credit card number, they now have the problem of remembering one more password.

How Payment Processing Works

Payment processing in the online world is similar to payment processing in the offline or “Brick and Mortar” world, with one significant exception. In the online world, the card is “not present” at the transaction (see Figure 20.1)[1]. This means that the merchant must take additional steps to verify that the card information is being submitted by the actual owner of the card, as shown in Figure 20.1. Payment processing can be divided into two major phases or steps: authorization and settlement (see sidebar, “Payment Processing—Authorization and Settlement”).

Payment Processing—Authorization and Settlement

Authorization verifies that the card is active and that the customer has sufficient credit available to make the transaction. Settlement involves transferring money from the customer’s account to the merchant’s account.

Authorization: Online

1. A customer decides to make a purchase on a merchant’s Web site, proceeds to checkout, and inputs credit card information.
2. The merchant’s Web site receives customer information and sends transaction information to the payment gateway.
3. The payment gateway routes information to the processor.
4. The processor sends information to the issuing bank of the customer’s credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the processor.
6. The processor routes the transaction result to the payment gateway.
7. The payment gateway passes result information to the merchant.
8. The merchant accepts or rejects the transaction and ships goods if necessary. Because this is a “card not present” transaction, the merchant should take additional precautions to ensure that the card has not been stolen and that the customer is the actual owner of the card. See the “What You Should Know About Fraud” section later in this chapter for more information on preventing fraudulent transactions (see Figure 20.1).

Authorization: “Brick and Mortar”

1. A customer selects item(s) to purchase, brings them to a cashier, and hands the credit card to the merchant.
2. The merchant swipes the card and transfers transaction information to a point-of-sale terminal.
3. The point-of-sale terminal routes information to the processor via a dial-up connection (for the purposes of the graphic shown in Figure 20.1, the point-of-sale terminal takes the place of the payment gateway in the offline world).
4. The processor sends information to the issuing bank of the customer’s credit card.
5. The issuing bank sends the transaction result (authorization or decline) to the processor.
6. The processor routes the transaction result to the point-of-sale terminal.
7. The point-of-sale terminal shows the merchant whether the transaction was approved or declined.
8. The merchant tells the customer the outcome of the transaction. If approved, the merchant has the customer sign the credit card receipt and gives the item(s) to the customer (see Figure 20.1).

Payment Processing—Settlement

The settlement process transfers authorized funds for a transaction from the customer’s bank account to the merchant’s bank account, as shown in Figure 20.2[1]. The process is basically the same whether the transaction is conducted online or offline[1].
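The eight online authorization steps and the settlement phase above describe a message flow among four parties. The following simulation is an added example, not code from the book or from any gateway vendor, that models that flow end to end: the merchant submits an order to the gateway, the gateway hands it to the processor, the processor routes it to the issuer of that card (here by the card's leading digit, a simplifying assumption), the issuer places a hold against available credit and returns an approval with an authorization code or a decline, and the result travels back the same path. Settlement is then a separate batch: the merchant sends its approved authorization codes, and the processor converts the issuer's holds into posted charges and deposits the total with the merchant's acquiring bank. Card numbers, issuer names, balances and amounts are all constructed sample values.

```python
"""Authorization and settlement flow among merchant, gateway, processor and
issuer. Added example; not the book's or any payment provider's code."""


class Issuer:
    """Customer issuing bank (steps 4 and 5): checks the card and its credit."""

    def __init__(self, name, accounts):
        self.name = name
        self.available = dict(accounts)     # card number -> available credit
        self.holds = {}                     # authorization code -> (card, amount)
        self._seq = 1000

    def authorize(self, card, amount):
        if card not in self.available:
            return {"result": "DECLINED", "reason": "unknown card"}
        if self.available[card] < amount:
            return {"result": "DECLINED", "reason": "insufficient credit"}
        self.available[card] -= amount      # hold the amount against the limit
        self._seq += 1
        code = f"{self.name[-1]}{self._seq}"
        self.holds[code] = (card, amount)
        return {"result": "APPROVED", "auth_code": code}

    def post_charge(self, auth_code):
        """Settlement: the hold becomes a posted charge; returns the amount."""
        _card, amount = self.holds.pop(auth_code)
        return amount


class Processor:
    """Steps 4 and 6, and settlement: routes to the right issuer and moves the
    settled funds to the merchant's acquiring bank."""

    def __init__(self, issuers_by_prefix):
        self.issuers_by_prefix = issuers_by_prefix   # leading digit -> Issuer (assumption)
        self.acquirer_deposits = {}                  # merchant id -> funds deposited

    def _issuer_for(self, card):
        return self.issuers_by_prefix[card[0]]

    def authorize(self, card, amount):
        return self._issuer_for(card).authorize(card, amount)

    def settle(self, merchant_id, captured):
        total = sum(self._issuer_for(card).post_charge(code) for card, code in captured)
        self.acquirer_deposits[merchant_id] = self.acquirer_deposits.get(merchant_id, 0) + total
        return total


class Gateway:
    """Steps 3 and 7: the merchant's single connection to the network; keeps a
    transaction log the merchant can report on."""

    def __init__(self, processor):
        self.processor = processor
        self.log = []   # (merchant id, card, amount, result)

    def authorize(self, merchant_id, card, amount):
        result = self.processor.authorize(card, amount)
        self.log.append((merchant_id, card, amount, result["result"]))
        return result

    def settle(self, merchant_id, captured):
        return self.processor.settle(merchant_id, captured)


class Merchant:
    """Steps 1, 2 and 8: take the order, submit it, keep approvals for settlement."""

    def __init__(self, merchant_id, gateway):
        self.merchant_id = merchant_id
        self.gateway = gateway
        self.to_settle = []   # (card, auth code) for approved, shipped orders

    def checkout(self, card, amount):
        outcome = self.gateway.authorize(self.merchant_id, card, amount)
        if outcome["result"] == "APPROVED":
            self.to_settle.append((card, outcome["auth_code"]))
            return {"shipped": True, "auth_code": outcome["auth_code"]}
        return {"shipped": False, "reason": outcome["reason"]}

    def end_of_day_settlement(self):
        batch, self.to_settle = self.to_settle, []
        return self.gateway.settle(self.merchant_id, batch)


def run_demo():
    """Three checkouts and one settlement batch over constructed accounts."""
    issuer_a = Issuer("Issuer A", {"4000000000000001": 500.00})   # placeholder card numbers
    issuer_b = Issuer("Issuer B", {"5000000000000002": 50.00})
    processor = Processor({"4": issuer_a, "5": issuer_b})
    merchant = Merchant("M-1", Gateway(processor))
    first = merchant.checkout("4000000000000001", 120.00)    # approved; 380.00 still available
    second = merchant.checkout("5000000000000002", 75.00)    # declined: over the 50.00 limit
    third = merchant.checkout("4000000000000001", 400.00)    # declined: hold from the first order
    deposited = merchant.end_of_day_settlement()             # only the approved order settles
    return {"first": first, "second": second, "third": third,
            "deposited": deposited, "acquirer": dict(processor.acquirer_deposits),
            "open_holds": len(issuer_a.holds) + len(issuer_b.holds)}


if __name__ == "__main__":
    print(run_demo())
```

Note that the hold placed at authorization is what makes the third order fail even though the issuer never posted a charge; that is the behaviour merchants see when a customer's limit is consumed by unsettled authorizations.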

What You Should Know About Fraud

Credit card fraud can be a significant problem for customers, merchants, and credit card issuers[2]. Liability for fraudulent transactions belongs to the credit card issuer for a card-present, in-store transaction, but shifts to the merchant for “card not present” transactions, including transactions conducted online. This means that the merchant does not receive payment for a fraudulent online transaction. Fortunately, there are steps you can take to significantly limit your risk as an online merchant. The following important fraud prevention steps should be adhered to:

1. Choose a payment services provider that is well-established and credible. Your provider should also have in-depth experience in and a strong track record for transaction security.
2. Make sure your payment gateway provider offers real-time credit card authorization results. This ensures that the credit card has not been reported as lost or stolen and that it is a valid card number.
3. One of the simplest ways to reduce the risk of a fraudulent transaction is to use Address Verification Service (AVS). This matches the card holder billing address on file with the billing address submitted to ensure that the card holder is the card owner.
4. Use Card Security Codes, known as CVV2 for Visa, CVVC for MasterCard, and CID for American Express®. For American Express, the code is a four-digit number that appears on the front of the card above the account number. For Visa and MasterCard, the code is a three-digit number that appears at the end of the account number on the back of the card. The code is not printed on any receipts and provides additional assurance that the actual card is in possession of the person submitting the transaction. As a merchant, you can ask for this code on your online order form. Even if you do not use this for processing, simply asking for it acts as a strong deterrent against fraud.
5. Watch for multiple orders for easily resold items such as electronic goods purchased on the same credit card.
6. Develop a negative card and shipping address list and cross-check transactions against it. Many perpetrators will go back to the same merchant again and again to make fraudulent transactions[1].

[2] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.
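The merchant's "accept or reject" decision (step 8 of the online authorization flow) is where the rules above are applied. The following Go program is an added example, not code from the book or from any payment provider; it screens constructed sample orders against a negative card list, a negative shipping address list, the processor's AVS result, the card security code result, and a per-card count of orders containing easily resold goods. The Order fields, the MATCH/NOMATCH result strings, and the threshold of two resale orders per card are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Order is what the merchant's checkout hands to a pre-acceptance fraud
// screen after the gateway has returned its authorization result.
// Field names are this example's assumptions, not a gateway's API.
type Order struct {
	ID          string
	CardToken   string // opaque reference to the card; the PAN itself is never stored here
	ShipAddress string
	AVSResult   string // processor's Address Verification result: MATCH, PARTIAL or NOMATCH
	CSCProvided bool   // customer supplied the card security code (CVV2/CID)
	CSCResult   string // MATCH, NOMATCH or UNCHECKED
	ResaleItems int    // count of easily resold goods (electronics) in the order
}

// Decision is the outcome of the screen with the rules that fired.
type Decision struct {
	Accept  bool
	Reasons []string
}

// Screen holds the merchant's negative lists and a per-card count of
// orders containing easily resold goods (the "multiple orders" rule).
type Screen struct {
	negativeCards     map[string]bool
	negativeAddresses map[string]bool
	resaleOrders      map[string]int
	maxResaleOrders   int
}

func NewScreen(maxResaleOrders int) *Screen {
	return &Screen{
		negativeCards:     map[string]bool{},
		negativeAddresses: map[string]bool{},
		resaleOrders:      map[string]int{},
		maxResaleOrders:   maxResaleOrders,
	}
}

// normalize makes address comparison insensitive to case and spacing.
func normalize(addr string) string {
	return strings.ToUpper(strings.Join(strings.Fields(addr), " "))
}

// BlockCard and BlockAddress add entries to the negative lists, typically
// after a chargeback or confirmed fraud on a previous order.
func (s *Screen) BlockCard(token string)   { s.negativeCards[token] = true }
func (s *Screen) BlockAddress(addr string) { s.negativeAddresses[normalize(addr)] = true }

// Evaluate applies the rules; any failing rule rejects the order and the
// reasons are kept for the merchant's manual review queue.
func (s *Screen) Evaluate(o Order) Decision {
	var reasons []string
	if s.negativeCards[o.CardToken] {
		reasons = append(reasons, "card on negative list")
	}
	if s.negativeAddresses[normalize(o.ShipAddress)] {
		reasons = append(reasons, "shipping address on negative list")
	}
	if o.AVSResult == "NOMATCH" {
		reasons = append(reasons, "AVS: billing address does not match issuer records")
	}
	if !o.CSCProvided || o.CSCResult == "NOMATCH" {
		reasons = append(reasons, "card security code missing or wrong")
	}
	if o.ResaleItems > 0 {
		s.resaleOrders[o.CardToken]++
		if s.resaleOrders[o.CardToken] > s.maxResaleOrders {
			reasons = append(reasons, "repeated orders of easily resold goods on the same card")
		}
	}
	return Decision{Accept: len(reasons) == 0, Reasons: reasons}
}

func main() {
	s := NewScreen(2)
	s.BlockAddress("12 Fake St, Nowhere")
	orders := []Order{ // constructed sample orders
		{ID: "A1", CardToken: "tok-1", ShipAddress: "1 Main St", AVSResult: "MATCH", CSCProvided: true, CSCResult: "MATCH"},
		{ID: "A2", CardToken: "tok-2", ShipAddress: "12  fake st, nowhere", AVSResult: "MATCH", CSCProvided: true, CSCResult: "MATCH"},
		{ID: "A3", CardToken: "tok-3", ShipAddress: "9 Elm Rd", AVSResult: "NOMATCH", CSCProvided: false, CSCResult: "UNCHECKED", ResaleItems: 3},
	}
	for _, o := range orders {
		d := s.Evaluate(o)
		fmt.Printf("%s accept=%v reasons=%v\n", o.ID, d.Accept, d.Reasons)
	}
}
```

The screen keeps only a card token, never the account number, so the negative list itself does not become a store of cardholder data; the velocity counter is in memory here and would be a dated table in practice.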

What to Look for in a Payment Processing Solution

Finding a reliable, secure, and flexible payment processing solution for your business is critical, so it’s important to take the time to investigate and assess the options available to you. A payment processing solution should:

1. Reliably and cost-effectively accept and process a variety of payment types, including credit cards and electronic checks. Not only does this reduce lost sales, but it also enhances the quality of your site by allowing your customers the freedom and flexibility to pay you quickly and conveniently.
2. Provide real-time credit card authorization results allowing you to accept or reject orders immediately and reduce the risk of fraudulent transactions.
3. Easily track and manage payments from multiple payment types or processors so you can spend more time on your business, not on managing transactions.
4. Provide recurring billing payment services, allowing you to set up scheduled payment charges to your customers. For example, you can set up automatically recurring charges for items such as membership dues or for installment payments. Recurring billing is an important feature that provides added convenience for both you and your customer.
5. Be able to act as a virtual terminal to allow for processing offline transactions. This gives you the flexibility to process orders received via telephone, fax, e-mail, or in person.
6. Provide and store transaction records allowing you to easily search for transactions and create transaction reports.
7. Scale rapidly and seamlessly to accommodate increased transaction volumes so your systems grow as your business grows.
8. Provide flexible, easy integration with the merchant’s Web site. The sooner you can start accepting payments, the sooner you start generating revenue from your site.
9. Be able to work with all the leading Internet merchant accounts, which allows you to switch your banking relationship and not have to worry about installing new software or performing new integrations.
10. Be provided by a well-established and trustworthy company. This ensures that your payment service provider will continue to provide reliable payment services as well as new features[1].

Getting Started Now

You can start accepting payments online in three easy steps:

1. Choose and purchase a payment solution that fits your needs.
2. Set up the payment solution on your Web site.
3. Set up your Internet merchant account[1].

Accepting payments online is an important step in growing your business.

Summary

Over 80 percent of U.S. households are online, and more than half of these households shop from home on a weekly basis. In fact, according to Ipsos-Reid, a leading research company, of the 120 million Americans who use the Internet, half of them will spend at least $700 shopping online in 2004. This means that if you’re not selling online, you’re missing a significant revenue opportunity. And, with advances in technology, selling online has never been easier or more cost-effective.

An online store allows you to be open for business 24 hours a day, 7 days a week. Not only is this an important convenience for your customers, it also means more revenue for you. An online store also helps you to reduce your overhead costs because you don’t need to hire reception staff and people to take orders. With the right payment processing tools, these functions are all done automatically for you. And lastly, an online store helps you to reach new markets—across the country or even outside the United States. An online store is no longer an option for a successful business; it’s a critical step in managing and growing your business.

The most important part of selling online is accepting payments from your customers, ranging from a single transaction (the purchase of an item from your Web site) to a series of transactions from a customer (the payment of membership fees or installment payments via your Web site). Online payment processing offers a customer the convenience of submitting their credit card or other forms of payment on your Web site, and allows you to actually receive the money from this transaction. Recurring payment processing allows you to set up regularly scheduled payments for your customers for a series of transactions.

Chapter 21: Electronic Payment Methods Through Smart Cards

“Crito, I owe a cock to Asclepius; will you remember to pay the debt?” —Socrates (470–399 B.C.)

Overview

The electronic payment card has been in existence for many years. It started in the form of a card embossed with details of the cardholder (account number, name, expiration date), which could be used at a point of sale to purchase goods or services. The magnetic stripe was soon introduced as a means of holding more data than was possible by embossing alone. The magnetic stripe also allowed cardholder details to be read electronically in a suitable terminal, so that checks could be made with little or no human intervention about the cardholder’s creditworthiness or whether the card had been reported lost or stolen.

Card technology has advanced over the years to keep ahead of the worldwide increase in card-related crime. As the criminal fraternity found ways of producing sufficiently good counterfeit cards, the card companies introduced new ways of combating the problem. A succession of antifraud measures have been introduced over the years, such as the hologram, the Card Verification Value (CVV, a value stored on the magnetic stripe that can be used to determine if a card has been produced illicitly), and in some cases, photographs of the cardholder[2].

Magnetic stripe cards have now been developed to the point where there is little or no further scope for introducing more anticrime measures. This has caused the card associations to look at new technologies to take the plastic card well into the twenty-first century. One technology that offers many benefits is the smart card—essentially, a small computer chip embedded into a plastic card with the same dimensions as the magnetic stripe card. The only difference the cardholder sees is a small metal area on the face of the card that contains a set of electrical contacts through which the chip can be accessed.

From the anticrime perspective, there are a number of benefits in adopting the smart card. The card itself (or in conjunction with the terminal) can make decisions about whether or not a transaction can take place. Secret values can be stored on the card that are not accessible to the outside world—allowing, for example, the card to check the cardholder’s PIN without having to go online to the card issuer’s host system. Also, there is the possibility of modifying the way the card works, while it is inserted in a point-of-sale terminal—even to the point of blocking the card from further transactions if it has been reported lost or stolen.

As well as these antifraud measures, the smart card is seen as offering a number of other benefits to the card issuer and cardholder. These additional benefits are an integral part of building the business case for introducing smart card technology. Some of the other benefits of introducing smart cards are:

• The ability to have more than one payment application resident on the card. For example, a card could contain an “electronic purse” to provide the equivalent of cash, usually for lower-value transactions, such as parking, tickets, newspapers, and so forth.
• The ability to have other applications, such as loyalty schemes, and access to information facilities (libraries) coresident on the card.
• The possibility of reducing online validation costs by allowing the card to operate offline more of the time.

There are many issues to be resolved before such all-embracing cards become commonplace, the most obvious ones being who owns the card and who controls which applications can be loaded or deleted. Today, the banks are interested mainly in providing payment-related services to their customers, and most of the current activity surrounds the provision of smart card-based credit/debit services—sometimes with an additional electronic purse facility.

[2] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.

The Solution

In the early 1990s, the major card associations (Europay, MasterCard, and Visa) recognized that for smart cards to become acceptable, it was necessary to standardize the way they work, at least for banking applications. Considerable work was undertaken to reach agreement on a standard, culminating in the so-called Europay MasterCard Visa (EMV) specifications.

EMV Specifications

EMV specifications define the physical characteristics (size, shape, thickness, position of contacts), the electrical characteristics (signals to be fed to each contact), command set (how to access data and functions on the card), overall card security methodologies (static data authentication, dynamic data authentication), and the data to be stored on cards for payment systems. The EMV specifications do not fully describe particular payment applications—that being left to individual card associations to define. They do describe the basic framework under which all payment applications will work. It is important to appreciate that although the EMV specifications describe how cards, terminals, and host systems interact, they do not describe how cards will be personalized, because different card manufacturers use different methodologies.

Visa Specifications

Visa has produced a specification that deals with the details of how a credit/debit application will operate in a Visa world. This is known as the Visa Integrated Circuit Card (ICC) Specification (VIS).

Smart Debit/Credit

VIS refers to an application called Chip Card Payment Service (CCPS). This name is gradually being replaced by the term Visa Smart Debit/Credit. Visa Smart Debit/Credit has been introduced to a significant number of countries in the last year.

Visa Cash

The Visa electronic purse product is called Visa Cash. It is available in two basic forms: disposable and reloadable. There are two types of reloadable Visa Cash cards: the DES-based version and the public key version. The public key variant offers improvements in security because the public key algorithm is implemented on the card itself. Visa Cash is in use in many different countries around the world.

MasterCard Specifications

MasterCard has released a set of specifications describing their product, which they call Debit and Credit on Chip. These are functionally equivalent to the Visa VIS specification, although there are small variations. MasterCard has recently implemented Debit and Credit on Chip on the Multos open platform card. The MasterCard electronic cash product is the Mondex purse. This can coreside on the same Multos card as Debit and Credit on Chip.

Other Specifications

In the UK, the Association for Payment Clearing Services (APACS) has developed a specification detailing the chip credit and debit features that will be implemented in the UK. This is known as the UK ICC Specification (UKIS), and is effectively a subset of the Visa VIS specification. UKIS does not implement the PIN on the card feature because PINs at point of sale are not used in the UK. It is understood that Europay has recently developed a credit/debit smart card scheme (see sidebar, “Point-of-Sale Solutions Are Getting Smarter”).

Point-of-Sale Solutions Are Getting Smarter

With the help of loyalty-based smart-card programs, retailers and banks are hoping to increase spending and boost customer retention. For solution providers, the promise of smart-card technology may lead to increased revenue despite flagging POS terminal sales.

Up until now, smart cards haven’t made much headway in the United States. The U.S. telecommunications infrastructure is widespread and operates at affordable rates. That’s allowed magnetic stripe cards to function very well at the point of sale. But today, there are two main drivers behind smart-card technology: adding value at the POS and fraud on the Internet.

One way to add value at the POS is with loyalty programs that keep customers coming back for more. Many retailers across the United States already have loyalty programs in place, allowing customers to accrue “points” through purchases and redeem them later on. But, smart-card-based loyalty programs offer benefits that stripe or bar-code systems can’t. Magnetic stripe cards can be duped easily. Smart cards deliver a more secure solution. And, with smart cards, there’s no need to upload transaction information to a server. A chip on the card allows for real-time transactions and real-time receipts. In addition, smart cards can store the loyalty programs of up to 30 merchants, so customers don’t need to carry multiple cards.

The main reason why smart cards aren’t as popular as they could be is that card issuers aren’t pushing them. If you put smart cards in the market, the infrastructure will follow. What you’re doing with smart cards is distributing the database down to the chip. You’re running loyalty and gift card programs right out of the terminal, without a backend processing and tracking system.

How to Help Banks Move to Smart Cards

In order to migrate to smart-card-based payment systems, banks will have to make a number of changes to their existing systems. Among these are:

• Enhancements to the card issuing process
• Enhancements to the card personalization process
• Enhancements to the systems that handle card transactions[1]

Enhancements to the Card Issuing Process

Existing systems were developed, often many years ago, to handle the types of data needed for magnetic stripe cards. Smart cards require considerably more data to be generated, including cryptographic keys for the cards themselves. In most instances, changing existing systems represents a major investment of resources.

Enhancements to the Card Personalization Process

Banks generally personalize their cards in one of two ways: either using an in-house facility or using an external personalization bureau. The choice is usually based on the size of the cardholder base, because setting up an in-house facility is an expensive exercise.

Enhancements to the Systems that Handle Card Transactions

Systems are in place today for handling a number of magnetic-stripe-based transactions, such as ATM cash dispensing, online card and PIN verification, and offline bulk transaction processing. By using smart cards, there is a need to extend these systems to handle the transaction verification mechanism used in smart debit and credit cards, or in the case of electronic purse schemes, like Visa Cash, to handle the secure loading of e-cash onto the card.

The Personalization Preparation Process (P3)

Today’s magnetic stripe cards are generally produced as depicted in Figure 21.1[1]. The issuer host system embodies the database of all cardholder details and provides facilities to generate data to produce a new card.

The Existing Magnetic Stripe Process

Often, cards are produced in batches and it is the responsibility of the host system to assemble all data for a given batch of cards. A batch might be generated as a result of the normal replacement cycle (two or three years) or possibly to replace those cards that have been reported lost or stolen during the day. The host system produces the data in a series of records, one record per cardholder. The data is known as a Personalization Data File. Each record of the Personalization Data File comprises a number of modules. These normally include:

• Data to be embossed onto the card.
• Data to be encoded onto the magnetic stripe of the card.
• Data to be printed on a “paper carrier.” This carrier is used to hold the card, while in its delivery envelope, and is printed, for example, with the cardholder’s name and address.
• Data for an ID photograph[1].

Most of the information for these modules is held in the cardholder database. Some items in the magnetic stripe module need to be generated using a security module. These include a PIN Verification Value (PVV), or equivalent, and a Card Verification Value (CVV). Both these items are derived using a cryptographic process that involves the use of secret keys.

It is worth noting that although the data in the Personalization Data File is normally handled carefully, there is nothing inherently secret about it and, for that reason, it is not normally encrypted. It only becomes a useful commodity when it is combined with a real plastic card, which happens in the personalization bureau. Such facilities are highly secure establishments with tight access control procedures and many internal mechanisms to guard against finished cards being lost or stolen. Normally, cards in their paper carriers are inserted directly into envelopes and passed straight to the postal system. The PIN mailer for a card is normally produced in a separate establishment from the cards themselves, often as a separate output from the issuer host system. This separation of PIN mailer and finished card is normally an essential part of the card issuance process. Often, PIN mailers are not posted until the cardholder acknowledges receipt of the card.

With the arrival of the smart card, the issuer needs to produce an extra “module” of data, which is intended to be programmed into the chip itself. Of course, there will be many items of information in this chip data, which are common to the magnetic stripe and the embossing data. Examples of this are a Primary Account Number (PAN) and the cardholder name. However, there are some new items that are specific to smart cards. Some examples of these are:

Upper consecutive offline limit: This is a value held by the card that determines its spending limit. After this limit has been exceeded, the card forces the transaction to be completed online. This is part of the inherent risk management features of a chip card.

Signature of static card data: This is a value calculated using a public key cryptographic algorithm at the time the card data is generated. It can be validated by each terminal accepting the card and is used to give some confidence that the card is genuine.

Issuer certificate: This data is set up by the issuer in conjunction with the card association to which the issuer belongs (Visa or MasterCard). It is placed onto every card issued and contains the public key of the issuer. It is used by the terminal as part of the process to validate the signature in the second item in this list.

Unique Derived Keys (UDKs): These are DES keys, unique to each card, which are placed on the chip and used as part of the transaction validation process. Basically, the transaction details are passed to the card, which uses the UDK to generate a cryptogram (similar to a MAC) that is passed back to the issuer for validation. Using this technique, the issuer can be sure that the transaction was handled by a valid card[1].

The various credit and debit specifications define in excess of 40 such data items, which need to be generated and placed on smart cards. It is the issuer’s responsibility to generate these items, something that existing card systems were never designed to handle.

Note: The advent of chip cards has meant that for the first time, some of the data passing from issuer to personalizer is now secret and must only be sent in encrypted form. The UDKs previously described are an example of such secret data.
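The two public key items above (the signature of static card data and the issuer certificate) form a short chain of trust: the scheme's certification authority certifies the issuer's public key, the issuer signs each card's static data, and a terminal that holds only the scheme CA public key can check both. The Go program below is an added example written for this chapter, not code from the book, Thales, or any card scheme; it uses standard library RSA with PKCS#1 v1.5 signatures over SHA-256 in place of the schemes' own certificate and signature formats, and the certificate layout, the field names, and the sample PAN and expiry date are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// IssuerCertificate is the scheme CA's signature over the issuer's public
// key plus an issuer identifier. Layout is this example's own, not the
// EMV certificate format.
type IssuerCertificate struct {
	IssuerID  string
	PublicKey []byte // PKCS#1 DER encoding of the issuer's RSA public key
	Signature []byte // scheme CA signature over IssuerID||PublicKey
}

// StaticCardData is the card's static data together with the issuer's
// signature over it, as placed on the chip at personalization.
type StaticCardData struct {
	PAN    string
	Expiry string
	Sig    []byte
}

func certTBS(id string, pub []byte) []byte { return append([]byte(id), pub...) }
func cardTBS(pan, exp string) []byte    { return []byte(pan + "|" + exp) }

func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// SchemeCAIssue is the scheme's step: certify the issuer public key that
// P3 exported, using the scheme private key.
func SchemeCAIssue(caPriv *rsa.PrivateKey, issuerID string, issuerPub *rsa.PublicKey) IssuerCertificate {
	pubDER := x509.MarshalPKCS1PublicKey(issuerPub)
	return IssuerCertificate{issuerID, pubDER, sign(caPriv, certTBS(issuerID, pubDER))}
}

// Personalize is the issuer's step: sign the static card data with the
// issuer private key (held in a host security module in practice).
func Personalize(issuerPriv *rsa.PrivateKey, pan, expiry string) StaticCardData {
	return StaticCardData{pan, expiry, sign(issuerPriv, cardTBS(pan, expiry))}
}

// TerminalVerify is the terminal's step: it trusts only the scheme CA
// public key, recovers the issuer key from the certificate, and only then
// checks the card's static data signature.
func TerminalVerify(caPub *rsa.PublicKey, cert IssuerCertificate, card StaticCardData) bool {
	if !verify(caPub, certTBS(cert.IssuerID, cert.PublicKey), cert.Signature) {
		return false
	}
	issuerPub, err := x509.ParsePKCS1PublicKey(cert.PublicKey)
	if err != nil {
		return false
	}
	return verify(issuerPub, cardTBS(card.PAN, card.Expiry), card.Sig)
}

func main() {
	caPriv, _ := rsa.GenerateKey(rand.Reader, 2048)     // scheme CA key (constructed)
	issuerPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // issuer key pair, as P3 would generate
	cert := SchemeCAIssue(caPriv, "ISSUER-0001", &issuerPriv.PublicKey)
	card := Personalize(issuerPriv, "4000001234567899", "1225") // constructed sample card
	fmt.Println("genuine card accepted:", TerminalVerify(&caPriv.PublicKey, cert, card))
	altered := card
	altered.Expiry = "1230" // static data changed after signing
	fmt.Println("altered card accepted:", TerminalVerify(&caPriv.PublicKey, cert, altered))
}
```

Static data authentication of this kind proves that the data was signed by a certified issuer; it does not by itself prove the chip is the one the issuer personalized, which is why the chapter also describes the per-card UDK cryptograms.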

The Personalization Preparation Process (P3) System

There is a need for a product that is able to generate the new data required by the various smart card schemes. This means that a card issuer can migrate to smart cards without having to make changes to an existing cardholder database host system. As noted before, this can be a costly and time-consuming exercise and often proves to be a major barrier for a bank in moving to smart cards. P3 is a compact name for personalization preparation process, which goes some way to describing what the system achieves. Its main objectives are:

• To take an existing Personalization Data File in an industry-accepted format and add to it the extra data required for the smart card scheme concerned. Currently, P3 supports the Visa Cash scheme (Public Key or DES-based variants), the Visa “Easy Entry” scheme, the Visa Smart Debit/Credit scheme, and the UKIS scheme. P3 will be enhanced to support other schemes in the future. To achieve this, it securely stores all the cryptographic keys and certificates required by the preceding schemes.
• To generate issuer public and private key sets (RSA public key algorithm), and to get the public key into a form in which it can be sent to the scheme’s CA so that it can produce the issuer certificate. The certificate so produced can be imported back into the P3 system and stored for use in the personalization preparation process.
• To produce the output data in a format that can be used by most card personalization bureaus around the world. Sensitive card data, such as keys, is encrypted in the output stream.
• To store details about regularly performed jobs, so that record processing can be performed with the minimum of user intervention.
• To provide a security environment with controlled access that aligns with the operating procedures found in many personalization bureaus. Using the security features of Windows NT, a P3 user can set up system managers, administrators, and operators to perform the required tasks for normal operation[1].

The P3 system fits into an existing card issuing process, as shown in Figure 21.2[1]. There are two possible configurations of P3. It could belong to and be co-sited with the issuer host system. Alternatively, P3 could be operated by a Personalization Bureau who may act on behalf of several issuers.

Scheme Certification Authorities (CA): Part of the security of the various smart card schemes includes the need for an issuer to generate an RSA public/private key pair. The private key is retained securely in a Host Security Module and used to “sign” card data to produce a signature that is placed on the card. The public key is transmitted to the scheme provider (Visa, Europay, or MasterCard), where it is certified using the “scheme private key” to produce the issuer certificate. This is transmitted back to the issuer, where it is stored so that it can be placed on every card. The certification process is slightly different for each of the scheme providers, but the principle is the same.

Issuer host system: P3 receives personalization data from the existing issuer host system, as described in other parts of this document.

Personalization system: P3 adds the appropriate smart card data to the cardholder record before passing the combined data to the personalization system[1].

After cards have been issued, they may be used to obtain goods or services. If the card is a credit or debit card, it is generally used at a point of sale or at an ATM. As part of the transaction, the card generates an Authorization Request Cryptogram (ARQC) using unique keys held on the card. This is passed back as part of the transaction message to be validated by the bank’s host validation system. The host system is able to validate the ARQC and produce an Authorization Response Cryptogram (ARPC), which is sent back to the card. The card can validate this ARPC. This mutual authentication process gives a very high assurance that the card is genuine, and that the bank with which it is in communication is the one that originally issued the card.

If the card is an electronic purse card, normal purchases are carried out as offline transactions. However, there is a need to go online when the card is to be reloaded with funds. In the case of Visa Cash, a card generates a Load Request, which involves a cryptographic signature known as S1. This is validated by the host system, which then generates the Load Authorization signature (S2). The card validates this and finally produces a Load Completion Signature (S3), which is sent back to the host system to confirm that funds have been loaded.

Both of the preceding online transaction processes involve cryptographic keys. These keys have to be shared between the online host system and P3. Facilities are provided in P3 to allow this. At the time of writing, the P3 system is able to support the following applications. Work is in progress on other applications, which will be announced in the 5th edition of this book.

• Visa Cash (DES-based)
• Visa Cash (Public Key)
• Visa Easy Entry
• Visa Smart Credit Debit
• APACS UKIS application[1]
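The ARQC/ARPC exchange described above rests on the per-card Unique Derived Key: the issuer keeps a master key, derives each card's UDK from it at personalization, and can therefore rederive the same key when a cryptogram arrives for validation. The Go program below is an added example written for this chapter, not code from the book, Thales, or any card scheme. It keeps to the Go standard library: the UDK derivation (encrypting the PAN block and its complement under the issuer master key), the Triple DES CBC-MAC used as the cryptogram, the transaction fields, the response code binding, and the sample master key and PAN are all simplifications and constructed values for the example, not the EMV procedures.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Transaction carries the details the terminal passes to the card.
// The field set is an assumption for this example, not the EMV data set.
type Transaction struct {
	Amount    uint64 // minor currency units
	ATC       uint16 // application transaction counter kept by the card
	Unpredict uint32 // unpredictable number chosen by the terminal
}

func (t Transaction) Bytes() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, t.Amount)
	binary.Write(&b, binary.BigEndian, t.ATC)
	binary.Write(&b, binary.BigEndian, t.Unpredict)
	return b.Bytes()
}

// tdes expands a 2-key Triple DES key (K1||K2) to K1||K2||K1 for crypto/des.
func tdes(key16 []byte) []byte {
	return append(append([]byte{}, key16...), key16[:8]...)
}

// tdesEncrypt encrypts one 8-byte block.
func tdesEncrypt(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(tdes(key16))
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// cbcMAC is a zero-IV CBC-MAC with ISO 9797-1 padding method 2 (0x80 then
// zeros). Assumption: a simplified stand-in for the scheme's DES cryptogram.
func cbcMAC(key16, msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%des.BlockSize != 0 {
		padded = append(padded, 0x00)
	}
	c, err := des.NewTripleDESCipher(tdes(key16))
	if err != nil {
		panic(err)
	}
	mac := make([]byte, des.BlockSize)
	for i := 0; i < len(padded); i += des.BlockSize {
		for j := range mac {
			mac[j] ^= padded[i+j]
		}
		c.Encrypt(mac, mac)
	}
	return mac
}

// deriveUDK derives the card's unique key from the issuer master key and
// the PAN. Assumption: simplified derivation (encrypt the last eight PAN
// digits and their complement), in the spirit of but not identical to EMV.
func deriveUDK(issuerMK []byte, pan string) []byte {
	block := []byte(pan[len(pan)-8:])
	comp := make([]byte, len(block))
	for i := range block {
		comp[i] = block[i] ^ 0xFF
	}
	return append(tdesEncrypt(issuerMK, block), tdesEncrypt(issuerMK, comp)...)
}

// GenerateARQC runs on the card: a cryptogram over the transaction under the UDK.
func GenerateARQC(udk []byte, t Transaction) []byte {
	return cbcMAC(udk, append([]byte("ARQC"), t.Bytes()...))
}

// IssuerValidateARQC runs at the issuer host: rederive the UDK from the
// master key, recompute the cryptogram, compare in constant time.
func IssuerValidateARQC(issuerMK []byte, pan string, t Transaction, arqc []byte) bool {
	expected := GenerateARQC(deriveUDK(issuerMK, pan), t)
	return subtle.ConstantTimeCompare(expected, arqc) == 1
}

// GenerateARPC runs at the issuer: binds the response code to the ARQC it answers.
func GenerateARPC(udk, arqc []byte, responseCode string) []byte {
	return cbcMAC(udk, append(append([]byte("ARPC"), arqc...), responseCode...))
}

// CardValidateARPC runs on the card and completes the mutual authentication.
func CardValidateARPC(udk, arqc []byte, responseCode string, arpc []byte) bool {
	return subtle.ConstantTimeCompare(GenerateARPC(udk, arqc, responseCode), arpc) == 1
}

func main() {
	issuerMK := []byte("issuer-master-k!") // constructed 16-byte demo key
	pan := "4000001234567899"             // constructed sample PAN
	udk := deriveUDK(issuerMK, pan)       // what P3 would place on the chip
	txn := Transaction{Amount: 2599, ATC: 17, Unpredict: 0xDEADBEEF}
	arqc := GenerateARQC(udk, txn)
	fmt.Println("ARQC valid at issuer:", IssuerValidateARQC(issuerMK, pan, txn, arqc))
	tampered := txn
	tampered.Amount = 25 // amount altered in transit: cryptogram no longer matches
	fmt.Println("ARQC valid for altered amount:", IssuerValidateARQC(issuerMK, pan, tampered, arqc))
	arpc := GenerateARPC(udk, arqc, "00")
	fmt.Println("ARPC accepted by card:", CardValidateARPC(udk, arqc, "00", arpc))
}
```

Because the issuer never stores the UDKs themselves, only the master key in a host security module, a compromise of the transaction host does not expose per-card keys; the ATC and unpredictable number inside the cryptogram are what keep a captured ARQC from being replayed.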

Smart Card Credit, Debit, Visa Cash Load, and Unload Processing HSM Functions

Finally, as outlined previously, an online host system handling credit and debit transactions from smart cards needs to be able to process the ARQC/ARPC values. To be able to handle the Visa Cash Load (and Unload) functions, the online host system must be able to handle the S1, S2, and S3 signatures as previously described.

[1] “Smart Cards for Payment Systems,” © 2003 THALES e-SECURITY INC. All rights reserved. THALES e-SECURITY INC., 2200 N. Commerce Parkway, Suite 200, Weston, FL 33326, U.S.A.

Summary

The payment card has been in existence for many years. It started in the form of a card embossed with details of the cardholder (account number, name, expiration date), which could be used at a point of sale to purchase goods or services. The magnetic stripe was soon introduced as a means of holding more data than was possible by embossing alone. In the end, the smart card appeared.

Finally, from the anticrime perspective, there are a number of benefits to adopting the smart card. The card itself (or in conjunction with the terminal) can make decisions about whether or not a transaction can take place. Secret values can be stored on the card, which are not accessible to the outside world—allowing, for example, the card to check the cardholder’s PIN without having to go online to the card issuer’s host system. Also, there is the possibility of modifying the way the card works, while it is inserted in a point of sale terminal—even to the point of blocking the card from further transactions if it has been reported lost or stolen.

Chapter 22: Electronic Payment Systems

“We have a criminal jury system which is superior to any in the world; and its efficiency is only marred by the difficulty of finding twelve men every day who don’t know anything and can’t read.” —Mark Twain (1835–1910)

Overview

As more B2B trading partners conduct business and provide customer service over the Web, it makes sense to handle invoicing, billing, and payment processing in the same fashion. B2B trading partners have specific motivations for online billing: billers want to receive payments faster and with less manual processing, whereas payers want to streamline the cumbersome payment-approval process. Thus, the payment stage of any electronic bill presentment and payment (EBPP) implementation must be able to integrate tightly with accounts receivable (A/R) and accounts payable (A/P) systems, support backend payment-processing workflows and procedures, and provide detailed reporting capabilities.

When it comes to online billing, getting your bills to the Web is just one part of the challenge—accepting payments electronically finishes the equation. Without payment, your online billing presence is only a one-way street. Today, in the business-to-consumer (B2C) sector, EBPP is a top priority, especially in the utility, telecommunication, credit-card, and financial-service markets. The trend has been slower to catch on in the business-to-business (B2B) sector, where many large companies have well-established systems and processes for handling payments from their B2B trading partners.

To handle payments for billing interactions, market giant CheckFree Corp. (http://www.checkfree.com) is the undisputed leader. But, other biller-centric vendors, including Metavante (http://www.metavante.com) and Princeton eCom (http://www.princetonecom.com), also have strong offerings and are becoming market forces. Billers seeking full-service EBPP solutions, which include presentment and payment services, should consider this class of vendors. For basic transaction processing and related services, CyberCash (http://www.cybercash.com/), CyberSource Corp. (http://www.cybersource.com), VeriSign, and others of this ilk make sense. But, such services are more broad-based commerce payment solutions that are not necessarily focused on bill payment. For companies that want to implement secure payment for their commerce sites and integrate these same services into their EBPP applications, these services make sense.

Finally, a number of electronic-check vendors, including PayByCheck.com (http://www.paybycheck.com) and X.com Corp. (http://secure.paypal.x.com), have extended their services beyond person-to-person payment with offerings for businesses. In the near term, these solutions are best suited for small-to-midsize companies that merely want to give their payers a simple way to pay via electronic checks. It remains to be seen whether major billers will rely on such services for high volumes of payments.

State of the EBPP Market

Although the online billing market has received plenty of attention, it hasn’t taken off as fast as many analysts had predicted. In the B2C market, it’s a classic chicken-and-egg situation: billers are reluctant to get into online billing until a critical mass of consumers shows a willingness to pay online, and consumers are reluctant to pay online until more of their bills are available that way. Of course, there are other hurdles impeding widespread adoption, such as finding an acceptable cost to consumers. In addition, privacy and security concerns continue to make customers hesitant. But, momentum for online billing is finally starting to build. Forrester Research predicts that 70 percent of all U.S. households will be paying bills online by 2008. For billers, EBPP is not just a cost-cutting or timesaving application, but a way to get closer to their customers. In addition, many large businesses are now looking at EBPP for B2B transactions with their supply-chain partners (see sidebar, “Bill and Invoice Presentment and Settlement (BIPS) Access and Distribution Models”). Whether in B2C or B2B, most biller-customers now consider EBPP a strategic application that is a key part of their larger e-commerce and customer-relationship management strategies. It’s a value-added service for customers that access the biller’s Web site for purchases, customer service, support, and so on. At the same time, savvy billers in the B2C space realize they have to provide options by syndicating their content to multiple payment sites or consolidators. Many consumers would rather have all their bills in one place, so billers need to offer this alternative.

Bill and Invoice Presentment and Settlement (BIPS) Access and Distribution Models

There are two basic models for BIPS: the biller-direct model (whether hosted internally or outsourced) and the consolidator model. In the biller-direct approach, the customer goes directly to the biller’s site to access and pay bills. In the consolidator model, a third party aggregates billing data from many billers, providing customers with one site to visit to pay multiple bills. Both the biller-direct approach and the consolidator approach have advantages and disadvantages, but both models will continue to coexist.

Biller-Direct Model

In the biller-direct model, the biller makes the billing data available to customers over the Web or through e-mail. Customers can go directly to the biller’s site to access and pay their bills, with no other parties involved. The biller-direct model provides a one-to-one direct link between the biller and the customer. Billers may host their own biller-direct sites, or enlist the services of a biller service provider (BSP). BSPs can include application service providers (ASPs) or service bureaus (such as Bell & Howell, EDS, Pitney Bowes, or DST Output), or any other entity that can handle any or all aspects of BIPS. Billers can also use such BSPs to syndicate billing data to consolidators or to consumer service providers (CSPs) such as Web portals, thus handling the technical intricacies for the biller, while extending the biller’s reach to multiple customer distribution points.

Distribution or Syndication Model

As an alternative to having customers visit a dedicated biller-direct site (whether hosted by a biller or outside service provider), billers can choose to work with third-party intermediaries that provide alternative end-points from which customers can access, view, and pay their bills. The most established distribution model available today is the consolidator model, in which a third party acts as the aggregator for multiple billers. The consolidator provides a single site that allows customers to access multiple bills from their different billers. The leading consolidator in the market today is CheckFree; newer players gaining traction include BillingZone. Under a consolidator model, customers log on to the consolidator’s site and can view and pay all of their bills in one place. The consolidator provides an important convenience to customers, and provides a vehicle to attract more users to pay their bills online. Greater customer exposure leads to increased customer adoption, which can reduce the total cost of billing. For this service, consolidators typically collect a transaction fee or “click charge” from billers for every transaction conducted.

One limitation of the consolidator model has been the inability of consolidators to attract enough billers to give customers a single site from which they can access all of their bills. Thus, many billers are turning to other distribution points in an effort to give their customers the flexibility to access their bills through the distribution point of their choice. Many billers are now turning to consumer service providers (CSPs) in their strategies to syndicate their billing data to multiple end points and increase customer adoption. Portals such as AOL and Yahoo! act as consumers’ gateway to the Web, attract large volumes of user traffic, and are ideally positioned to connect users and their bills. Banks and financial institutions can also act as CSPs for their customers. Another emerging approach for bill distribution is to work with intermediaries that serve as distribution pipes or “switches” for online billing. For example, services from organizations such as MasterCard RPPS and the Spectrum alliance (a joint venture of Wells Fargo, First Union, and JP Morgan Chase) provide billers with a trusted intermediary that handles the intricacies of bill distribution to various customer end points, and also handles the return payment processing. Such services act as “behind the scenes” intermediaries that provide billers with a way to greatly extend their reach without having to manage processes or relationships with multiple distribution points[1].

Dozens of companies are providing software and services for online billing. In addition, there has been considerable activity in mergers and acquisitions. The most notable moves have been made by payment-processing market leader CheckFree, which acquired chief rival TransPoint, purchased software vendor BlueGill Technologies, and formed a strategic alliance with Bank of America in which the bank acquired 16 percent of CheckFree’s stock.

[1] “Bill and Invoice Presentment and Settlement: The Doculabs Report,” © 2003 Doculabs. All rights reserved. Doculabs Headquarters, 120 S. LaSalle St, Suite 2300, Chicago, IL 60603.

Payment Considerations

No matter what method of EBPP you implement, realize that payment processing can be highly complex. For your customers, you will need to support multiple electronic payment system options, which might include credit cards, electronic checks, automatic balance transfers, and debit cards. Electronic fund transfers are the most prevalent transactions in the B2B world, but some business customers prefer to pay by other means. In addition, whatever payment methods you accept, you’ll need to integrate those services with your own A/R system. Payment processing is made even more complicated by the number of parties that can be involved. For example, accepting credit-card payments means interacting with the credit-card companies or a third party like CyberCash. Accepting an electronic fund transfer means the processing will pass from the customer’s financial institution to the automated clearing house (ACH) network for settlement. And, if you syndicate your bill presentment to multiple sites, you must work with multiple consolidators, portals, and consumer service providers (CSPs) to get paid. If you’re a biller, this means the payment service you choose must be able to integrate with the many channels that may be involved in processing your payments. Although accepting electronic payments usually means you get money faster, you should realize that most electronic-payment system mechanisms are neither real time nor online. The ACH network and credit-card infrastructures are batch-processing-intensive. No matter which service provider you choose, some level of integration or customization will be required for you to be able to accept batch-payment data transfers from external parties.

Another key concern is security. Be sure to choose a vendor with a sound approach for encrypting its data transfers. Related to this is the data-center infrastructure the payment provider offers. The payment vendor should have clearly documented backup and recovery procedures, and should ensure high levels of availability, reliability, and performance through its service-level agreements (SLAs). The payment vendor should provide you with reporting or audit-trail data for your internal analysis, ideally accessible through a Web-based administration interface. Finally, standards compliance is becoming more important. For example, XML will play a critical role as a standard format for billing data, making it easier for trading partners to ingest such data into their own backend systems. In addition, emerging standards for financial transactions, such as Open Financial Exchange (OFX) and Interactive Financial Exchange (IFX), will also play a role. OFX, created by CheckFree, Intuit, and Microsoft, defines a means for financial-services companies to exchange financial data over the Internet. IFX is a similar initiative designed specifically for online bill presentment and payment. All these standards will play a role in providing an alternative to EDI, an expensive approach to electronic commerce that to date has been implemented only by very large companies with many trading partners and a strict B2B focus. Of the three, XML has the most momentum, thanks to the general push for more standard methods of B2B integration. OFX and IFX are in the medium adopter stage.

Using Payment Service Providers

Choosing the right payment service provider can relieve a lot of the headaches of handling payments and interacting with so many different parties. In addition, some payment processors offer a bevy of value-added services that make their packages compelling to billers. For example, some payment processors also offer services as diverse as presentment, customer enrollment, validation, reporting, and even financing and cash-management services. Of course, these capabilities come at a cost. Different payment processors offer different pricing models. Some processors charge a percentage of the dollar value of the transaction. Others charge a flat fee for every transaction, regardless of the dollar volume. Still others charge based on volume or the number of bills converted or presented. In most cases, the biller swallows the costs of online billing, just as in traditional billing operations. Although customers of the consumer-focused consolidator sites have shown a willingness to pay for online billing, they are not likely to pay more than it would cost to mail in their payments. In the B2B world, some customers may be willing to bear some of the costs of e-billing by paying for things like financial services, but the model is still untested.

So, when it comes to picking a payment service, what are your options? As previously mentioned, there exist three major classes of payment services that organizations can use as part of their EBPP deployments: biller focused, commerce focused, and payer focused. In the biller-focused area, CheckFree is the leader. The company processes 49 million electronic payments per month, has an infrastructure that can handle massive volumes, and has been active in forming partnerships and making strategic acquisitions. CheckFree offers sound capabilities and services beyond payment, including consolidation and presentment. But, competitors are poised to chip away at CheckFree’s lead. Princeton eCom is a strong player in this market, with one key advantage over CheckFree: it offers an electronic-lockbox service as part of its offering. This approach makes especially good sense for small and midsize companies (Princeton eCom’s target market) that want to get their lockbox and online payment services in an integrated package. Metavante enters the market with a wealth of experience in the statement-generation-software and payment-processing markets. Its foray into online billing could make the company a formidable player, as it has a strong customer base with financial institutions, particularly in the Midwest. In the commerce-focused area, the major players include CyberCash, CyberSource, and VeriSign. All three provide good payment services, with support for a wide variety of different payment types. CyberSource has the edge in terms of its breadth of payment services, with offerings for fraud screening[2], tax calculation, distribution control, and fulfillment management. VeriSign has the advantage in terms of secure transfer services. In addition to payment, the company offers services for secure messaging, PKI, certificate processing, and other site trust services that payment-only vendors lack.

In the payer-focused area, most people immediately think of sites like PayPlace.com and ProPay.com. Although such sites provide a nifty solution for applications such as online auction payments or letting a group of people settle a vacation tab, they are not appropriate for more sophisticated online billing, especially in the B2B arena. But, two vendors that come from this space, X.com and PayByCheck.com, are now adapting their solutions for billers. Both services make it simple for billers to set up accounts and simply include a link to the service providers’ site, where customers make their payments online. X.com has released a new premium package of its PayPal service in which the payment funds are swept from the biller’s PayPal account automatically through the ACH and into the biller’s external bank account on a scheduled basis. PayByCheck.com is pursuing a similar strategy, but the company lags PayPal in terms of market momentum and customer base.

[2] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.

Future Direction

There are dozens of payment service providers in the market, but expect to see more consolidation in 2004. In addition, expect the payment processors to encroach on each other’s market spaces, as multiple vendors try to extend their services to appeal to retailers, consumers, banks, and B2B trading partners alike. Finally, payment services eventually will become a commodity, with only a few vendors handling this discrete portion of the EBPP cycle. The vendors that survive will be those that offer simple, reliable services at a good price or offer payment as part of a larger package of value-added services for EBPP. However, if you are thinking about EBPP, there’s no need to wait for a shakeout in the payment services arena; switching will be progressively simpler as the baseline services grow more commoditized and as standards become more firmly established.

Summary

In the EBPP market, payment processing is one of the most complex parts of the sale. For most IT shops, the solution is to use a third-party payment service provider to handle the dirty work. A number of different types of electronic payment service providers are in business, including biller-focused, commerce-focused, and payer-focused providers. The biller-focused providers should continue to dominate the market for e-billing, with the commerce-focused providers playing a more limited role. Many of the payer-focused providers are beginning to add merchant- and biller-focused offerings to their arsenals, but it remains to be seen if a significant percentage of the market will use such services for mission-critical B2B payments. Finally, with so many players in the market, consolidation is likely. Considerable consolidation already exists in the biller-focused market (led by CheckFree), and it is expected to continue in the other markets as well. Ultimately, electronic payment system services will become a commodity offering. The vendors that remain will be differentiated by the value-added services they offer. In addition, as standards emerge and gain acceptance, increased commoditization should reduce switching costs.

Chapter 23: Digital Currencies

“There are three great friends: an old wife, an old dog, and ready money.” —Benjamin Franklin (1706–1790)

New technology has made it possible to pay for goods and services over the Internet. Whereas some of the methods link existing electronic banking and payment systems such as credit and debit card networks with new retail interfaces via the Internet, new means of payment known as digital currencies have also been developed to facilitate global electronic commerce.

Introducing Digital Currencies

Electronic money (also known as digital currency) based on stored-value, smart card, or other technologies has been developed to enable consumers and businesses to engage in global electronic commerce (see sidebar, “Digital Currency”). These cater to the increasing population of online consumers who don’t have a credit card or those who are reluctant to provide their credit card number online. These newly developed payment systems share some common characteristics or aims, namely:

• Integrity: Keeping risk in the system at a minimum, as well as maintaining reliability and broad public confidence in the system’s workings
• Accessibility: Making the payment system conveniently available through one or more providers, regardless of the income or the socioeconomic status of the user
• Efficiency: Ensuring transaction speed, encouraging innovation, and demanding cost-effectiveness[2]

It is also necessary to make provisions for:

• Anonymity and traceability of payments
• Fungibility (ability to make change of funds into new denominations on demand) and convertibility of currencies
• Security and infrastructure issues[2]

Digital Currency

Digital Gold or Digital Currency is quickly becoming popular among online users. It is very easy to open an account, fund it, and transfer money all over the world using some of the well-known gold systems, such as e-gold, osgold, e-bullion, evocash, and so on. This is a new wave of the future in moving money worldwide, whether it is to send your family money or to pay for merchandise online, from those merchants who accept this form of exchange. All of this is done instantly without delay and without heavy transfer fees. The basics of digital currency are to offer worldwide flexibility and mobility. This is how it works with e-gold as an example:

1. You fill out a simple form to open a free e-gold account.
2. Then, you need to fund the account by utilizing a gold exchange service.
3. Depending on the exchanger, the fees will vary, but are usually very reasonable and their service is speedy.
4. You can wire money to the exchanger, send them a check, or some even take credit cards to fund your account.
5. After your account is funded, you are ready to send your gold to anyone in the world who has an e-gold account for a maximum transfer fee of 50 cents.

No matter how big or small the transfer is to another e-gold user, the fee will never exceed 50 cents with e-gold! With other digital currencies, the fee can be as low as 25 cents with osgold or as high as $1 dollar through evocash. Can you see how much money you can save in transfer fees alone? Especially when you consider that a typical bank wire costs around $14.00, it would end up costing you a bundle if you had to wire money to many people often! Now, let’s say the person you just moved the funds to through e-gold wants to take it out to use in the real world. Easy! By utilizing a similar gold exchange service, your recipient can exchange his e-gold to cash for a small fee. Or, even better, they can get a debit card and transfer their gold to their card and use it at any ATM to withdraw their money for a small ATM fee! Now, think of how convenient this will be globally! Places like e-bullion offer a debit card at just $34.95. You can get an exchange service to transfer your e-gold to your e-bullion account and then you can withdraw that money with an e-bullion debit card! Welcome to technology! Some say that gold is more stable and holds its own value, whereas paper money has no real value.

Think of these digital currencies as a worldwide bank account that is open 24 hours a day, 7 days a week, and can be accessed online with a few clicks of your mouse! How incredibly mobile and accessible is that? With places like evocash, you can earn 9% interest for keeping your money with them! Remember to treat your digital currency like you would your regular bank account and never give out your passwords. It’s a smart idea to change your password often by using a combination of letters and numbers that others will not be able to guess. In addition, be sure to keep sensitive information about your accounts in a safe place outside of your computer’s hard drive.

Top Three Most Popular Digital Currencies

• E-gold is backed by gold itself, circulated electronically—a worldwide, free market currency. You can sign up for a new e-gold account at http://www.egold.com/.
• Evocash is the Internet system that is transforming financial business worldwide. They have recently redesigned their Web site (http://www.evocash.com/index.cfm?w=1024) to be more user-friendly.
• E-Bullion’s Web premier online payments system offers customers a global e-commerce system (http://www.e-bullion.com/)[1].

[2] “Electronic Commerce,” Copyright 2002 National Computer Board. All rights reserved. National Computer Board, 7th Floor, Stratton Court, La Poudrière Street, Port-Louis, Mauritius, 2003.

[1] “Digital Currency,” Copyright © 1998–2002 by mytopsecrets.com. All Rights Reserved. Mytopsecrets.com, P.O. Box 1715, Glen Burnie, MD 21060-1715, 2003.

Applications

Digital currencies enable new types of payments, goods, and services (information and online entertainment)—such as microproducts and micropayments. They share some fundamental properties, namely:

• They represent monetary value.
• They are exchangeable as payments for goods and services, currency and coin, and other tokens.
• They can be stored and retrieved.
• They are tamper-resistant in that they are difficult to copy or forge[2].

Digital currencies are intended to permit their users to move funds electronically within an environment. They include “tokens” of value expressed in digital form, in the same sense that a casino chip is a token of value expressed in physical form. Furthermore, digital currencies are designed to serve as the electronic version of paper cash, carrying the same attributes as the physical medium—anonymity and liquidity. There are basically two types of digital currency systems: purely electronic digital cash, which refers to digital money systems that use computers to transfer value over networked environments such as the Internet, and stored-value “smart cards,” which retain value on a microchip embedded on a card and are used in the “physical” world at the point of sale, or through computers equipped with a smart card reader.

Characteristics of Purely Electronic Digital Currencies

Digital currencies rely on advanced information technologies and high-speed communications networks to store, transmit, and receive representations of value. Furthermore, digital currencies for the most part depend upon technological developments in cryptography to provide security in an open networked environment—such as public key infrastructure and encryption mechanisms. They rely on reduced costs and economies of scale created by technological advances.

Digital currencies require “loading” from funds held within the financial system. This involves “the exchange of cash or deposits for digital value backed by an issuer.” An instance of this could take place over the Internet by downloading electronic money onto a PC hard drive, or by a consumer transferring electronic cash onto a smart card at an ATM and simultaneously debiting his bank account.

Characteristics of Stored-Value Cards

The principal function of stored-value or smart cards is the portable storage and retrieval of data. These applications have evolved from existing electronic funds transfer mechanisms using debit cards, such as prepaid cards and copy machine cards. The embedded integrated circuit on the card defines the capabilities of the product, and possible components may include a microprocessor, nonstatic random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM), other nonvolatile memory, and special purpose coprocessors. These characteristics make smart cards a viable medium for a digital currency payment system. In making a payment through stored-value cards, the following points can be noted:

• There are no backend settlements involved.
• There is no audit trail for transactions.
• If a card is lost, the same result is achieved when actual cash is lost—it’s gone.
• Developers are working on ways to deliver card-to-card funds transfers[2].

Stored-value cards have met with high approval ratings among consumers in Europe, and are gaining increasing popularity in the United States. Stored-value smart cards are capable of more than facilitating payments. They can offer added-value information, including digital certificates for identification purposes, and may authenticate a secure transaction. It is worth noting that computer hardware manufacturers have started to include smart card readers with their PCs and PC keyboards. The ubiquity of this digital currency system is on the rise. So, why use digital currencies? Let’s take a look.

Using Digital Currencies

Digital currencies are cheaper, faster, safer, global, and more private than traditional credit cards and bank wires. In other words, digital currencies will prove to be as world-changing as the invention of the printing press and gunpowder. Digital currencies link together financial institutions and markets across the globe in a way that allows instantaneous value transfers with a mere fraction of the cost associated with traditional bank wires and credit cards. The architects of the new digital economy are busily at work creating new financial products and linking digital currencies to “old-world” financial networks, allowing you to easily convert your digital currencies to cash anywhere in the world. Here are some of the reasons that digital currencies are the best way to do business on or off the Net!

Digital Currencies Are Cheaper!

Transaction costs using credit cards or PayPal (for example) range from 2.2% to 4.2%. International bank wires cost, on average, $43 to $73 using Western Union. Digital currencies allow transactions to take place from as low as 0.1% (GoldMoney), to 2% on the very high end (Standard Transactions). In other words, the cheapest digital currency on the Net allows online transactions for forty-five times less than credit cards. Even the most expensive digital currency costs less than a credit card transaction! Digital currencies lower transaction costs by three orders of magnitude! This means that transactions that were previously too expensive to make because of the time, money, and effort involved are now feasible using digital currencies, such as e-gold, gold-grams, Standard Dollars, Standard Gold, e-Bullion, and Hansa Dollars. For retail merchants who process a high volume of credit card transactions, the savings can be significant! The savings in transaction costs can then be passed along to their customers in the form of lower prices, which helps merchants accepting digital currencies to gain a competitive advantage.

Digital Currencies Are Faster!

The average credit card transaction can be reversed for three to six months after the sale takes place. This leaves merchants in a vulnerable position. Cheapskates reverse the charges on a regular basis against merchants who deliver the goods. This kind of theft drives up prices for everyone to cover the cost of lost goods and money due to fraudulent credit card use[5]. Bank wires in-country take at least three days to clear. International bank wires can take up to two weeks to clear! Digital currencies solve these problems by allowing instantaneous and nonreversible transactions! For merchants, this means that all sales are final. They don’t have to worry about having their account frozen because some hacker used a stolen credit card at their store. This also means that when you need to send money to a friend or family member anywhere in the world, you can do it in a few seconds, and they can withdraw it as cash from an ATM machine the very next morning. That’s fast!

Digital Currencies Are International!

PayPal, for example, only works in the United States. In order for people outside the United States to sell their product or service on the Web, they have needed an international credit card merchant account. The problem is, outside the United States and Europe, merchant accounts can be difficult to obtain. This creates a barrier to entry that makes it harder for international entrepreneurs to offer their products and services to the world. Digital currencies solve this problem by allowing instantaneous transfers of money anywhere in the world! As the network of exchange agents grows, it is now possible to quickly and easily convert your digital currency to cash in any country in the world. A Standard Reserve “Instant World Account” allows account holders to convert their Standard Gold or Standard Dollars into cash at any ATM machine on the planet! E-bullion offers an anonymous numbered offshore debit card. This means that no matter where you are, if you can find an ATM machine, you can convert your Digital Currency into local currency!

Digital Currencies Are Safer!

Credit card fraud is becoming increasingly prevalent as hackers steal card numbers from computer networks, crooks root through your garbage and steal your identity, and other nefarious thieves devise ways to get your account number. Digital currencies offer a higher level of security than credit cards. Even the lowest level of security for digital money, an account number and password, is one order of magnitude safer than a credit card. All a thief needs to steal a credit card is the account number. With digital currencies, the merchant never sees your password, so it is impossible for a thief to steal it, unless you give it to him yourself (by letting him access your computer). For example, GoldMoney supports digital certificates for customer identification. These certificates cryptographically verify that you are you. This prevents thieves from accessing your account. E-bullion and E-gold are now offering similar security measures to their clients. It is also possible to combine digital certificates with an affordable biometric fingerprint reader to make sure that absolutely no one has access to your account but you. This is the highest level of security currently available on the Net, but there are other improvements still to come.

Digital Currencies Allow Person-to-Person Payments!

Digital currencies allow one thing that credit cards never will: person-to-person payments. As previously mentioned, PayPal is limited to the United States. So, what do you do when you want to buy a collector’s doll that you found in an online classified ad, but the owner lives in New Zealand and you live in the United States? Digital currencies allow you to send your money to anyone else who has a digital currency account. It only takes a few moments for your friend to open his own account by using the Internet, and in most cases it doesn’t cost a penny! Person-to-person payments allow small-scale merchants to get started without the added expense of maintaining a credit card merchant account. This means lower costs of entry into the marketplace and lower costs of doing business!

Digital Currencies Allow You to Protect Your Privacy!

It is a known fact that traditional banks store massive databases that track all of your account activity in the name of “know your customer,” “fighting the war on drugs,” and, more recently, “the war on terrorism.” In reality, banks conveniently use those databases to sell information about their customers’ spending habits to other companies, and governments use that data to find excuses to confiscate your money and property. So, not only does your government have access to all of your spending habits, but so does any individual or organization who is willing to pay for it.

Most digital currencies are housed in “capital-friendly” jurisdictions with strict privacy protection laws[6]. For someone to get your account information, they have to obtain a court order in the country where your digital currency is headquartered. This means that true crimes can be prosecuted, but your privacy will remain intact if you are just an average law-abiding customer. Think of it as guaranteeing yourself the right to “due process.” Furthermore, it is impossible to use digital currencies for money-laundering. You have to spend your national money (such as U.S. dollars) through an exchange agent in order to purchase digital currency in the first place. Because exchange agents all have accounts at banks with anti-money-laundering practices in place, this means that all money used to purchase digital currencies is theoretically “clean.” Clean money in, clean money out! So, digital currencies are able to provide privacy to their customers, and still be able to guarantee that they are not being used for money laundering. Digital currencies are “orthogonal” to the traditional financial world. As long as all the money coming in and out goes through banks with anti-money-laundering practices in place, then money laundering is impossible. Furthermore, all of the digital currencies in business at this time are firmly committed to discouraging crime and money laundering, while at the same time protecting the privacy of their account holders. This means you can use digital currencies to do business with confidence that you are in good company! You can obtain a Standard Reserve Instant World Card or an e-bullion Debit Card and withdraw your digital currency from any ATM machine in the world as cash. But, because the cards are processed in an offshore jurisdiction, you can be assured that your privacy is protected. Because both of these companies are diligent in preventing money laundering, you can be assured that you are in good company[8]. 
So, are there any economic consequences of using digital currencies? In other words, do digital currencies have any serious consequences for the structure of the economies? Let’s take a look.

[5] Vacca, John R., Identity Theft, Prentice Hall PTR, 2003.

[6] Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad Ebusiness Privacy Plan, McGraw-Hill Professional, 2001.

[8] “Why Use Digital Currencies,” Copyright © The Gold Economy Magazine 2001-2002 [© Copyright 1996-2003 EscapeArtist Inc. All Rights Reserved. EscapeArtist.com Inc., 843-1243 World Trade Center, Panama, Republic of Panama 843], 2003.

The Economic Consequences of Using Digital Currencies

Recent years have seen the explosive growth of the Internet as one of their main features; furthermore, much has been said and written about the coming of the online economy and electronic commerce. One of the most important aspects of this development has been the growing demand for methods of secure payment over the Net. This demand, coupled with advances in cryptology, has facilitated the growth of digital cash or digital currency—cash or currency constituted not of pieces of paper or metal objects, but of streams of digits.

Anonymity

An important quality of digital cash is that it has the potential of being entirely anonymous, through the use of mathematical “blinding” techniques, both with regard to usage and holdings. This means that, as with physical cash, there are few, if any, traces for the government or other institutions to survey. When using credit cards, digital signatures are left that can be linked to the specific individual, describing where, when, and what was purchased for how much. This feature of credit cards has made many people claim that technological developments lead to greater control by the state or government over the individual. The anonymity of digital cash would be a development in the opposite direction. In other words, the widespread use of digital cash would render unlikely the prospect of a 1984 scenario, in which governmental surveillance creates a society of fear, suspicion, and suppression, and would act as a guarantor of individual freedoms. Of course, all of this remains to be seen! This anonymity does have its drawbacks, however. One example of this is criminal cases, in which evidence of financial transactions is often an integral requirement for correct judgement and sentencing. Thus, the financial anonymity of digital cash can make it harder to convict criminals than it might otherwise have been. Anonymous financial transactions and holdings also make it generally easier for money laundering to take place. It can be argued, however, that this is relatively easy as it is today, with few currency controls and falling costs of overseas banking. With the advent of anonymous digital cash, the costs and risks associated with money laundering would fall considerably. Tax evasion would also become easier for similar reasons. Just as the increasing ease of international capital movements has caused governments worldwide to shift the burden of taxation from mobile to stationary capital, one consequence of the reduced disincentives to evade taxes may be increased taxation of geographically fixed assets. Hassle-free money laundering could lead to the extension of organized crime.
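The “blinding” the passage refers to, shown as an added toy example that is not from the book: a Chaum-style RSA blind signature in Python, with constructed key parameters, in which the issuer signs a coin without ever seeing its serial number, and yet anyone can verify the coin and the issuer can still refuse a serial that is presented twice.

```python
"""Toy Chaum-style RSA blind signature for anonymous digital cash.

Constructed demonstration parameters only: raw (unpadded) RSA with a
150-bit modulus is a teaching device, not a production issuer.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key built from two Mersenne primes (constructed for this example).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent (Python 3.8+)

# Issuer-side registry of serial numbers already redeemed.
SPENT: set = set()


def coin_digest(serial: bytes) -> int:
    """Map a coin's serial number into the RSA message space [0, N)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Customer: hide m under a random factor r. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def sign_blinded(blinded: int) -> int:
    """Issuer: sign the value it is shown. It learns nothing about m."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Customer: strip r to obtain an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the public key (E, N) can check the coin."""
    return pow(sig, E, N) == coin_digest(serial)


def withdraw(serial: bytes):
    """Full withdrawal round trip.

    Returns (value the issuer saw, signature the customer ends up with).
    The two numbers are unrelated without r, which only the customer knows,
    so the issuer cannot later link a spent coin to this withdrawal.
    """
    m = coin_digest(serial)
    blinded, r = blind(m)
    sig = unblind(sign_blinded(blinded), r)
    return blinded, sig


def deposit(serial: bytes, sig: int) -> bool:
    """Issuer at redemption: accept a valid coin once; refuse a reused serial.

    Double spending is caught by serial number, not by identifying the payer.
    """
    if not verify(serial, sig) or serial in SPENT:
        return False
    SPENT.add(serial)
    return True


if __name__ == "__main__":
    seen_by_issuer, coin_sig = withdraw(b"serial-0001")
    print("issuer saw:", seen_by_issuer)
    print("coin valid:", verify(b"serial-0001", coin_sig))
    print("first deposit:", deposit(b"serial-0001", coin_sig))
    print("second deposit:", deposit(b"serial-0001", coin_sig))
```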

The End of Fiat

An intriguing property of digital cash is that, in theory, anyone can issue it, and it is by no means clear that banks will be the most successful players. The be-all and end-all of a successful currency is confidence, and the issuers who command respect among consumers have a huge advantage over others. Companies like Microsoft, Visa, and Coca-Cola would, therefore, have a good base from which to start due to their impeccable reputations and solid brand names.

An important determinant for which currencies will be accepted and trusted by consumers is what they are backed up with. At present, the vast majority of currencies are fiat-based (not to be confused with Fiat, the Turin, Italy-based car company). This means that they have no intrinsic value and are not linked to anything of market value. The only reason why people accept such paper currencies is that they expect everyone else to do the same. Such a system, however, could not possibly originate from scratch. Digital currencies would, therefore, either have to be proxies for governmentally issued currencies, so that for instance, one “Coca-Cola-Dollar” can be exchanged into 3 USD, or backed by assets, such as precious metals, equities, or bonds in a fixed ratio. Which of these two routes would dominate depends largely on the performance and reliability of the governmentally issued currencies. But, comparative economic studies show that currencies based on, for instance, precious metals are more reliable and stable than fiat currencies. This is exemplified by the successful operation of the pre-World War I gold standard, which played an integral part in the “Golden Age” of market liberalism.

Currency Competition Restored

Another implication of the prospect of digital cash is increased currency competition. In the current situation, currency competition is limited to competition among the various governmentally issued currencies. This means that if you distrust your local currency, as many people in Asia do at present, you may choose to accept only USD or GBP, and choose to keep your cash holdings in these currencies. The currency competition is, however, presently limited by the relatively dominant position of a local currency in an economy. Currency competition has increased in recent years as a result of deregulation of financial transactions and currency regulation falling out of fashion. Some industry analysts claim that they can already see the results of this in the relatively stable, noninflationary period that major currencies, such as USD, DM, and sterling, have experienced. Digital cash offers the prospect of competition much more intensive and extensive than what exists at present. The various players would have to compete on qualities, such as inflation, reliability, stability, confidence, and ease of use. For private banks, there is an incentive to push the level of fractional reserve banking as high as possible. This means that they issue more in terms of credit letters such as loans, short-term credits, and, potentially, digital cash, than they have reserves to repay, by gambling on the unlikelihood that a majority of their creditors will want to withdraw their funds simultaneously. The market mechanism balances this incentive to hold fractional reserves with the consumers’ desire for minimal risk (and, thus, a high ratio of assets to credits). The free operation of currency competition would thus drive the process toward the ideal balance according to the preferences of the consumers. Consumers would probably get information about the reliability of the various digital currencies through the media and special consumer interest groups, and through the development of brand name reputations in the same way as they do with goods such as cars and furniture today.

Regulating the Regulators

The widespread use of digital cash would redefine the role of regulators, such as central banks and the Federal Reserve. With the establishment of a competitive market in which the laws of supply and demand determine the nature of the currencies in use, governmentally supplied currencies would either have to compete in accordance with the preferences of the consumers or obtain special privileges. Given the immense financial security of most major governments compared with most corporations, it seems likely that governments, if sufficiently aware of the situation, would be able to compete on equal if not better terms than the private sector. When it comes to regulating the digital cash industry, however, governments would face severe difficulties due to its international nature. If a particular government decided to place restrictions on, or even forbid, the use of privately issued digital cash, nothing could keep the citizens of that very country from using digital cash issued abroad. The only way in which it would be possible to effectively limit the use of digital cash would be if a broad coalition of governments issued a collaborative policy to this purpose. Even then, small countries could act as free zones for digital cash issuance in the same way as they do with regard to offshore banking today. The current failure of governments to effectively combat illegal material on the Internet shows that the ongoing developments of information technology place real restrictions on the governments’ power and that, in the absence of extensive and effective international agreements, digital cash would face very limited threats from the regulators. Also worth noting is that some regulators seem reluctant to regulate digital cash. In particular, Alan Greenspan, of the U.S. Federal Reserve, has taken a surprisingly noninterventionist approach. This may be due to his background in Austrian economics, which advocates free banking and a return to the gold standard. But, with a major economic power such as the United States seemingly willing to accept the unhindered development of digital cash, it will in turn be up to the consumers to decide whether it is preferable to the governmentally issued fiat currencies of today[4]. Finally, let’s look at the future of digital currencies. This final part of the chapter focuses on the emerging digital money-like products that will supplant most conventional government-issued money and existing payments systems over the next couple of decades.

[4] Tynes, Johannes Skylstad, “Economic Consequences of Digital Cash,” Copyright © London School of Economics and Political Science 2002, London School of Economics and Political Science, Houghton Street, London WC2A 2AE, 2003.

The Future of Digital Currencies

The age of digital money is upon us. The new technologies of the Internet, digital electronics, public key encryption, and the rapid price declines of computing power and telecommunications bandwidth are having a dramatic effect on the financial world. These new technologies are enabling the development of financial markets, procedures, and instruments that economists in the past could only theorize about. Financial transactions can be settled in real time even though the contracting parties may be thousands of miles apart. Money and other assets can be moved at almost the speed of light to any point on the globe for a minuscule cost. Easy-to-use encryption programs enable almost anyone to move data or money around the globe with almost complete security. It is now possible for private digital currency issuers to compete without the high information and transaction costs that burdened the multiple-issuer systems in the past. Moreover, new, private monies are emerging, including “digital gold.” The technical barriers have been overcome, as well as many of the economic challenges. Digital money or digital currency is the monetary value of government- or privately issued currency units stored in electronic form in an electronic device. Digital money is one type of digital financial instrument that fulfills most or all of the functions of money. The monetary value stored in the electronic device can be transferred to other such devices, allowing the users to engage in payment transactions. This is different from traditional electronic payment systems, such as credit and debit cards and wire transfers, which usually require online authorization and may involve debiting and crediting bank accounts for each transaction. A prepaid monetary value may be stored in a computer chip on a card (“smart card”), stored on a computer chip in a wireless device[7], or stored on a computer disk drive. Money transfers with cards are most often made through card reader/writers, whereas transfers using computers or wireless devices are made over wired or wireless communication networks, such as the Internet. Cards, wireless devices, and computers can also be used to merely authorize monetary transfers from one account to another. These accounts may be bank accounts or reserve assets held in nonbank institutions. Stock, bond, mutual fund, and gold deposit accounts may allow ownership transfer of assets, even in micro amounts, to be made by computer or wireless devices. To prevent fraud, all such transfers need to be protected by cryptographic codes. The technology now exists to make such transfers anonymous, like paper currency transactions, if the user so chooses. Financial cryptographers have developed methods whereby people will be able to securely hold bearer digital cash, bonds, stock, and even financial derivatives, and make very low-cost and anonymous transactions with them. A U.S. dollar in paper form is a bearer instrument. That is, the person who holds it is normally considered to be its lawful owner. There is no list of owners of paper currency (a registration record); ownership is conveyed by physical possession. The advantage of bearer instrument transactions is that settlement is in real time, and, therefore, there is no risk of nonpayment, as there is in book entry transactions such as checks and credit cards. There are no chargebacks to the merchant, and the risk of fraud (in the absence of counterfeiting) is greatly reduced. Bearer instruments are also anonymous, which can protect the owner from corrupt governments or criminal types. However, because of this anonymity, many governments do not like or have prohibited certain types of bearer instruments because they make it hard for tax officials to collect revenue. Digital monetary and financial products are “disruptive” technologies, in that their creation upsets the existing legal and public policy order as to how money and financial products and institutions are regulated and organized. National borders are ceasing to have the relevancy they once did. Both businesses and governments need to build the appropriate legal order for the digital age and understand how it should be managed. This requires changes in laws and regulations, leaving businesses in a thicket of uncertainty during the transition period. Central bankers, treasury officials, law enforcement authorities, and intellectual property administrators (patent officials, etc.) will by necessity have to adjust to a different world. Their challenge will be to create a new set of rules and procedures that bring the necessary order without impinging on the rights of privacy of individuals and institutions, or destroying the economic efficiencies that the new technology is bringing.

Policy Implications of Digital Payments Systems

Many legal issues will arise as digital money becomes more prevalent. Given that most digital money will be global in the sense that the Internet will facilitate its movement or use outside its issuing jurisdiction, the lack of legal uniformity between countries raises many policy issues. For instance, who has the liability if a failure does occur in a particular digital money system because of fraud or for some other reason? When digital money payments are made across national borders, who has jurisdiction? Does digital money violate the monopoly rights of central banks to issue money? May a central bank issue digital money? Do nonbank issuers of digital money need to be regulated, and if so, who should the regulator be? Who is going to determine if the clearing organizations have sufficiently robust and fraudproof systems? Given that various digital money systems are now being developed and offered, the answers to the preceding questions will probably slowly evolve over the next few years as real problems emerge. Already, multilateral financial institutions, such as the Bank for International Settlements and the International Monetary Fund, have established working groups to try to develop recommendations for their members in dealing with the previously mentioned issues. These BIS and IMF recommendations will be of particular interest to the world’s central bankers who are facing the front line of change. To the extent people use privately issued digital money for transactions, the demand for government money is reduced. If people are willing to hold liquid balances in the form of digital money, the quantity of demand deposits (checking accounts) that people need or desire is smaller, thus reducing the central bank’s supply of money. The same principle holds true for other money substitutes, from very limited money substitutes (balances held on telephone cards, or frequent flyer miles), to broad, money-like products (digital gold). As these broad and narrow-use money substitutes grow in popularity because of their ease of use in the digital age, the amount of money supplied by central banks will decline. Until some nongovernment money reaches a critical mass, whereby most users and businesses find they can do a substantial portion of their business in the “new money,” virtually all digital money and money substitute products will be reconverted to central-bank-issued money at some point. However, even during this period of partial and temporary substitution of digital money for central bank money, the demand for central bank money will gradually decline. Justifiable concerns have been raised about the innovations in payments technology and the development of digital money and their impact on inflation. For monetary systems with a quantity anchor (such as the U.S. dollar and other fiat currencies), technology changes resulting in an increase in the money multiplier or a decrease in money demand will increase the price level unless base money is reduced by an appropriate amount. If digital money is issued by an institution other than a bank, which has no reserve requirement, the growth in digital money will increase the money supply unless the central bank takes corrective action. The increases in the money supply resulting from the new technologies will be both gradual and easily recognized, and, hence, would be neutralized by the central bank, by appropriate reductions in the monetary base.
As with all innovations with payments technology, the introduction of digital cash has a one-time effect on the price level. The money multiplier would be larger, but stable at its new level. If digital money is issued by a bank at the expense of deposits, and is subject to the same reserve requirements as deposits, the monetary effect would be approximately neutralized. If digital cash issued by banks is subject to a 100% reserve, or if digital cash is issued by a nonbank, with a 100% reserve, no new money is created. With any price rule digital money system (commodity-backed systems), inflation by definition is not a problem. In general, electronic payments and digital money systems increase the efficiency by which the existing money supply can make payments, thus reducing the demand for money. These improvements tend to take place gradually over time, and are observed as an increase in the velocity of money, which requires a compensating adjustment in base money by the Federal Reserve. In summation, there is no reason for great concern in terms of monetary policy management by central banks as a result of these new technological innovations. The changes will be gradual and obvious, giving plenty of time to make policy adjustments to prevent inflation. One effect of the decrease in demand for central bank money will be the disappearance of central bank seigniorage revenue. At present, the world’s central banks obtain a considerable income from issuing paper banknotes, which are noninterest-bearing central bank liabilities. Among the G-10 countries, seigniorage as a percent of GDP ranged from a low of .34% in the UK to a high of .71% in Italy in 2002. This seigniorage not only provides for all of the central bank operations, but also provides their treasuries with significant revenue. However, it is also apparent that the efficiency gains for the economy from digital money swamp any negative effect on government revenue of the loss of seigniorage revenue, which has been in effect a tax on the banking system. It can be expected that the growth of digital money will have a direct and significant impact on the common measures of the money supply, particularly currency and demand deposits (M1 and M2). Given that many central bankers target these monetary aggregates in the conduct of their monetary policy, the focus of monetary policy may need to change. The growth of digital money could ultimately cause a substantial drop in banks’ demand for settlement balances. In the major economies, cash is the largest component of central bank liabilities. Extensive use of digital money is likely to shrink the balance sheets of the central banks significantly. At some point, the shrinkage might restrict the central banks’ ability to conduct open market operations or foreign exchange sterilization operations. However, to the extent that the new digital monies are fully backed by assets such as gold or high-quality financial instruments, the need to conduct open market operations will diminish, because the supply of money for transactions should automatically adjust to demand. As more and more transactions are settled on a real-time basis, the risk of nonpayment and fraud declines, and, hence, the need for regulation and monitoring also declines. The role of the central bank may ultimately shrink to doing little more than defining the numeraire for the national money. The definition is likely to be a modern version of the gold standard.
Specifically, a national currency in the future may well be defined as a monetary unit that is equal to a basket of specified commodities with a one world price, such as gold and crude oil, and even some services. Any good or service having a one world price that is set in organized auction markets could be a candidate for a currency basket that would be used to define the value of the monetary unit. Some central banks might also continue to serve as a lender of last resort to large financial institutions by using off balance sheet transactions. The need for such a lender of last resort would seem to diminish in a world of instant information on almost all activities, institutions, and real-time settlements. In the new century, the kind of financial shocks and surprises experienced in the past ought to be increasingly rare, unless financial regulators interfere too much with the market adjustments that will naturally occur in a world of increasingly perfect information. The rapidity of adoption of digital money systems by consumers depends on how their cost, convenience, and anonymity are perceived in relation to paper currency and coin. Eventually, electronic transfer and digital money systems will replace paper and coin, because they can greatly reduce transaction costs and will ultimately become more convenient. At the current level of technological advance, it appears that within relatively few years, whether they involve a few cents or millions of dollars, almost all monetary transactions will move over the Internet, or by wireless device, or by chip card for small transactions. The question of anonymity will remain an impediment, until policymakers understand that the fundamental desire and right to personal privacy must be accommodated with the new technologies, to an extent no less than people now have with cash. The role of central banks will change, and will likely shrink, as a result of the new technologies. One danger to the world economy is that central banks will try to hold on to their traditional roles by restricting the new technologies or regulating them in such a way as to make them noneconomic. Regulators should keep a hands-off approach until a problem has been clearly demonstrated and, at that time, devise corrective actions to do the least damage to innovation and financial freedom. Law enforcement officials around the world have been concerned about the potential abuse of digital money systems for the purpose of money laundering, and, therefore, are trying to restrict or ban them. Officials in various government and regulatory agencies, such as the Financial Crimes Enforcement Network, assert that they should have more power and ability to monitor all transactions. It is true that digital money systems, particularly anonymous ones, may indeed make the job of money laundering easier. On the other hand, many government law enforcement agencies throughout the world have abused basic rights to financial privacy. The benefits of digital money greatly outweigh the potential criminal abuses, and, hence, measures to restrict the use of digital money should be resisted. Without the availability of anonymous systems, there will be strong resistance on the part of many individuals to fully move to e-payments systems and digital money. The existing efforts against money laundering, primarily by the United States and major European governments, have not proven to be the least bit cost-effective.
For instance, in the United States in 2002, only 1,376 people were convicted of money laundering, yet the cost to the private and public sectors of the anti-money-laundering efforts exceeded 50 billion dollars, which comes out to more than 4 million dollars per conviction. For example, the British state has been able to take out 0.008 percent of the criminal money that has flowed through London. There is no evidence that authorities in the United States are having much more success. Money launderers do not have a statistically significant chance of being caught and losing the profits from their misdeeds, and, therefore, the deterrent effect of such laws is negligible. Privacy advocates have also documented that the money laundering laws are very arbitrarily enforced in many countries, including the United States. Money laundering is a crime of motive, rather than one of specific activity, hence its enforcement, by the very nature of the crime, is highly subjective. This subjectivity leads to selective and politically biased enforcement. Because of the constant threat of the vagueness of the money laundering laws and regulations, constructive financial innovation has been retarded, particularly in the development of digital monies. The money laundering laws have propelled the United States to adopt attitudes insensitive to foreign countries’ rights to self-determination, and to violate the sovereignty of foreign states. The United States tries to impose policies on foreign states and businesses that the United States would never accept if the situation were reversed.

The United States and the European Union have no business telling smaller developing nations that they are involved in “harmful tax competition,” or that they should abolish bank and corporate secrecy laws. Small nations have a need and a right to attract foreign capital, and it is perfectly legitimate for them to compete against harmful tax, regulatory, and privacy policies that larger nations impose on their own citizens. Anti-money-laundering legislation has not only proven to be ineffective and counterproductive, but also greatly undermines the financial privacy rights of individuals. Such laws require widespread reporting on the financial activities of bank customers by bank employees to their governments, thus undermining the separation of business from law enforcement, and ultimately the financial privacy necessary for civil society. The fact is, the new technologies of various forms of encrypted e-payments will make the task of enforcing the money laundering laws even greater, unless governments are permitted a level of financial privacy intrusion that most civilized people will find unacceptable. However, widespread adoption of digital money will actually reduce the number of crimes most people care about, such as murders, thefts, and robberies. In 2002, there were approximately 52,000 murders in the United States, and a substantial number involved people trying to take someone else’s physical money. A move to digital money would reduce the murder, theft, and robbery rates. Stealing digital money is a much more complex undertaking than stealing paper currency, and will be beyond the capabilities of most common criminals. If there is no physical money to steal, the incentive for criminals to steal and kill people for money will be greatly reduced. 
Abolishing the anti-money-laundering laws is likely to speed up the use of digital money, resulting in less total crime, and less wasted money by governments, even though it will make life slightly easier for money launderers. Eventually, knowledgeable people are likely to conclude that the “war on money laundering” is going to be no more successful than was liquor prohibition in the United States during the 1920s. It will become increasingly obvious that the resources utilized in the “war on money laundering” could be better spent attacking the underlying crimes. The knowledge of how to utilize high levels of encryption is now widespread. This knowledge, coupled with the Internet, smart cards, and related technology, ultimately means that it is almost futile to try to prohibit the hard-to-define crime of money laundering.

Recommendations

Digital payments and monetary systems are coming of age, and will replace most existing money and payments systems over the next couple of decades. These changes will bring enormous economic benefits by greatly increasing the efficiency and reducing the costs of your payments systems. In addition, the absence of paper currency and coin, which is readily subject to theft or loss, should greatly reduce crime. The U.S. government has a choice of either embracing the new technologies and helping them along (mainly by getting out of the way), or taking a “Luddite” approach and attempting to restrict and deny the inevitable. A civil society depends on a government that does not unduly restrict liberty and economic opportunity.

The following recommendations will seem radical and frightening to those who do not understand the new technologies and where we are headed. However, those who do understand the new technologies, and desire a civil society that provides liberty, privacy, and economic opportunity, will see these recommendations as desirable and necessary. First, remove all restrictions on issuing digital bearer financial instruments, including stocks and bonds. Financial cryptographers have already figured out how to issue such instruments in cyberspace, and many feel that they do not need the government’s permission. Rather than create a new class of cybercriminals, governments should recognize the reality, and do something that is both good for the economy and that supports civil liberties. Second, remove the capital gains tax from trading in commodities and private currencies, in order to allow the full development of commodity-backed digital currencies (such as gold) and other digital currencies. The capital gains tax on commodities does not bring any revenue over the long run to government, given that losses and gains offset each other. In the real world, it is probably a net loss for the government, because people will be more prone to report their losses rather than their gains, and it reduces the efficiency of the commodities markets. Over the long run, “capital gains” from currency trades are most often created when a government has debased its own currency. Third, remove all restrictions on anonymous digital money and payments systems. Restrictions are almost impossible to enforce, and privacy is a basic human right. Finally, repeal the Bank Secrecy Act and the subsequent related anti-money-laundering legislation. The existing legislation and implementation is not cost-effective, is subject to abuse, interferes with basic civil liberties to an unacceptable degree, and actually results in higher levels of crime[3].

[7] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

[3] Rahn, Dr. Richard W., “Digital Money,” House Committee on Financial Services, 2002.

Summary This chapter discussed the market implications of adopting electronic payment systems and digital currencies in electronic commerce. The key to understanding and exploiting electronic commerce is to recognize it as a market mechanism, where all components of a market interact and must be analyzed collectively. For example, electronic payment systems bring more than lowered transaction costs; they affect product choices, pricing, and competition. This chapter also examined the economic implications of electronic payment systems, especially micropayments enabled by digital currencies, in terms of size advantage, the lemons problem, digital product pricing, product differentiation, the commoditization of consumer information and advertisements, and copyrights. In short, electronic payment systems are one of the critical factors that allow process innovations via electronic commerce. Finally, these process innovations may either promote competitive and efficient markets or worsen the trend toward vertical integration and monopolization in the globalized economy.

Part VI: E-Commerce Solutions and Future Directions

Chapter List
Chapter 24: International E-Commerce Solutions
Chapter 25: Business-to-Business and Business-to-Consumer
Chapter 26: Summary, Conclusions, and Recommendations

Chapter 24: International E-Commerce Solutions

“Most people are more comfortable with old problems than with new solutions.” —Anonymous

Overview The Internet connects potential customers with merchants in many different countries. International e-commerce payment solutions provide a channel for money to cross oceans and borders, as follows[1]:

• eBay Payments: Billpoint International Buyer Support (http://www.billpoint.com/services/international.html)
• Bibit Payment Services: A world leading Payment Service Provider (http://www.bibit.com/index.shtml)
• Mondex Smart Card International services: A MasterCard OnLine service (http://www.mastercardonline.com/errors/keytoo_small.html)
• Planet Payment™: Leading provider of Internet payment solutions (http://www.planetpayment.com/)
• Visa TravelMoney: Security and convenience for all your travel needs (http://usa.visa.com/personal/cards/visa_travel_money.html)
• WorldPay: Multicurrency processing (http://www.worldpay.com/usa/index.html)

[1] Cruz, Ray, “Merchant E-Commerce Alternatives,” © BYTE4U 2000-2002, P.O. Box 691541, West Hollywood, CA 90069, U.S., 2002.

E-Commerce Credit Card Payment Alternatives: U.S. and International The following services allow buyers to use their own conventional credit cards without requiring the merchant to establish an actual merchant credit card processing account:

• BillCC.com: Serves as reseller/retailer of your products for a commission (http://www.billcc.com/html/how_it_works.html)
• ClickBank: No monthly fees! (http://www.clickbank.com/overview.html?raycruzer)
• Entrepreneur.com: Credit cards or E-cash? (http://www.entrepreneur.com/Magazines/MA_SegArticle/0,1539,283929----1-,00.html)
• DigiBuy: Electronic commerce solution for publishers of software, shareware, electronic art, information, and data (http://www.digibuy.com/)
• iBill Complete: Internet Billing Company (http://www.ibill.com/Services/iBillComplete/)
• Kagi! Worldwide Internet Store (We charge—You deliver): Premiere e-commerce service company that provides turn-key online stores for thousands of products distributed over the Internet (http://www2.kagi.com/)
• Revecom: Multicurrency payment processing (http://www.paysystems.com/)[1]

Alternative International E-Commerce Payment Solutions A popular alternative for international e-commerce payments today, especially on Web auction exchanges, is the person-to-person payment system, such as PayPal (https://www.paypal.com/refer/[email protected]). Many former Buy-It! Button merchants are switching to PayPal. These systems allow you to make payments to anyone with an e-mail address, even if they do not have an account. You can also place a PayPal button on your Web page to accept payments by setting up an account. PayPal claims to have over 10 million accounts and is a major player on eBay and other auction sites. An attractive feature of PayPal is the relatively low fee of 2.9%. With no setup fees, this is an attractive option for e-commerce vendors. One drawback is the inconvenience for the buyer of having to set up a PayPal account before being able to use his credit card to buy your product. Through PayPal, the consumer retains all the protections provided by his own card-issuing bank and the card associations, such as Visa and MasterCard. If the buyer demands a refund or obtains a chargeback through the bank, PayPal makes the adjustment on the vendor’s PayPal account, so the merchant still carries the chargeback risk, just as it would with a direct merchant account.

With c2it (http://www.cj.com/expired.jsp?PID=677520&AID=5439511), you can send, receive, and move money within the United States for free. However, c2it does not provide the pay button, shopping cart, or recurring payments offered by PayPal. When sending money by c2it internationally, c2it will charge $10 per International Check and $15 per International Direct Deposit. In addition to the transaction fee, any difference between the foreign exchange rate given to you and the foreign exchange rate received by c2it will be kept by c2it. Currently, you can use any U.S.-based checking, savings, and money market account to send and receive money by c2it. You can also use any MasterCard or Visa credit card account. You do not have to link a Citibank account to use c2it. MasterCard and Visa debit cards may only be used to Send Cash and Add Cash at this time, and may not be used for transferring money between linked accounts. Although this is one of the most versatile and low-cost person-to-person payment services, it is not designed for e-commerce merchants.

Another payment option is ClickBank, which charges a higher flat fee of 7%, but makes the purchase more convenient for the consumer. The merchant pays the 7% fee for each transaction and also pays an initial setup fee of $49.95. For low-volume start-ups, this may still be a lower cost than establishing an actual merchant account with Visa or MasterCard.

BillCC.com, iBill, and Revecom provide alternative e-business opportunities using their own merchant accounts to sell your products, subject to careful controls. Without the specific approval of the underwriting banks, using one company’s merchant account to sell another merchant’s products is called factoring, and it is a violation of Visa and MasterCard rules: the acquiring bank has underwritten the fraud and chargeback risk of the merchant it approved, not that of an unknown third party selling through that account.

If your business is international in nature, or your customers are from other countries, you may need an international payment service such as the Global Debit Card. This system uses CIRRUS ATM cards and MasterCard debit cards to access cash and make purchases throughout the world. You may also become a B2B reseller of the debit cards by signing up with the Financial Services International network. If you, as the seller or merchant, can accept debit cards, this will enable purchases from virtually anywhere in the world. The Global Debit Card does not require a social security number and includes a CIRRUS PLUS debit card and a MasterCard debit card for the same account. Although a U.S. mailing address is required to apply for the debit card, the card applicant can establish a U.S. mailing address for a minimum of $40 plus postage to the applicant’s foreign address using the U.S. Mailing Address service at usmailingaddress.com (http://www.usmailingaddress.com/mgoldmine/). Funds may be deposited in the debit account through Western Union or Money-Gram in U.S. dollars. A merchant should keep in mind that a card obtained without a social security number, through a rented mailing address, and funded in cash carries little identity verification of its own; treat it as a payment instrument, not as evidence of who or where the buyer is.

Kagi is an Internet store specializing in products created by thousands of individuals around the globe. Kagi started with downloadable software, which is still the bulk of the payments it processes, and has since become a seller of all sorts of other products, such as music, videos, and other physical goods. Kagi makes it easy for people to pay for products and frees the seller from handling all the payment processing.

DigiBuy is an electronic commerce solution for publishers of software, shareware, electronic art, information, and data. Using DigiBuy’s turnkey service, you can quickly and inexpensively build a secure storefront to merchandise your products, take orders online, process payments, and distribute digital products over the Internet from points around the globe.

Planet Payment™ is a leading provider of Internet payment solutions for e-businesses (globally) in nearly any currency. Planet Payment features multicurrency credit card acceptance services, advanced payment gateway technology, and value-added products and services (http://www.planetpayment.com/). Planet Payment’s Internet payment service enables e-businesses to accept MasterCard, Visa, American Express, and other major cards in a secure online environment in over 140 currencies. These solutions are compatible with most shopping carts and Web site technologies, so implementation and setup can be completed within minutes.

WorldPay pioneered multicurrency processing in association with NatWest bank in 1996. The WorldPay multicurrency processing system enables you to offer your products and services in over 120 different currencies, and to receive payment for them from a range of 14 remittance currencies. WorldPay manages the uncertainty of foreign exchange rates for you, allowing your shoppers the choice of purchasing goods and services from you in a currency that they recognize and understand.

More international payment solutions are listed next. Smart cards and digital wallets use traditional credit card accounts to enhance online shopping in different ways. Smart cards have embedded chips that, when read by a smart card reader, prove that the original card is present at the moment the transaction is being enacted, not merely that its number is known. Digital wallets hide the real credit card account number from the merchant when the transaction takes place, and also fill in shopping cart forms for you. Another credit card processing alternative is using e-cash systems, such as eCharge, Qpass, iPin, and trivnet. Merchants can set up accounts with each of these resources to enable e-cash online payments. In this way your Internet business can market its products on the Internet without the overhead of having your own merchant account. Another alternative is token money that can be traded for real products. Several auction portals and merchant account alternatives, as well as e-cash options, are listed in the following sections.

Auction Resources If you’re selling collectors’ items or unique products, this may be a good way to start. The following are some currently available auction resources:

• AuctionAddict.com Online Auction (http://auctionaddict.com/)
• Bay9 Auctions (http://www.xuppa.com/auctions/?link=comjAUC&AID=3888609&PID=677520)
• EBay: Your personal trading community (http://pages.ebay.com/)
• uBid.com: Online auction (http://www.ubid.com/cat/get_cat_page.asp?CatID=26&s=uwb63172&AID=5590877&PID=677520)
• Yahoo! Auctions (http://auctions.yahoo.com/)[1]

Smart Cards Smart cards are more secure because the embedded chip can prove that the card itself is present in a smart card reader, rather than just that its number is known. That proof is only available when the buyer has a reader; at the time of writing, the expectation was that new PCs would ship with smart card readers as standard. The following are some currently available smart cards:

• Blue: American Express (http://home4.americanexpress.com/blue/meta.asp?Entry=86)
• Fusion Visa: FleetBoston Financial (http://www.fusioncard.com/home/)
• Mondex: MasterCard International (http://www.mondex.com/)
• Smart Visa: The Card with Intelligence (http://usa.visa.com/personal/cards/visa_smart.html)[1]
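As an added example (not code from this book or from any of the card programs listed above), the following Python simulation shows why a chip that answers a fresh challenge proves card presence where a copied card number does not. The issuer keeps a per-card key, the chip computes a MAC over the terminal’s random challenge, the amount, and the card number, and the issuer accepts each challenge only once. The card number, key, and amounts are constructed for the example, and HMAC-SHA256 stands in for the issuer-specific cryptogram a real chip computes.

```python
import hashlib
import hmac
import secrets


class Chip:
    """Simulated card chip: holds a per-card key that never leaves the chip
    and answers challenges with a MAC over (challenge, amount, PAN)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        msg = challenge + amount_cents.to_bytes(8, "big") + self.pan.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer host: knows each card's key, hands out challenges, and verifies
    responses. A challenge is accepted once, so a captured response cannot be replayed."""

    def __init__(self, card_keys: dict):
        self._keys = dict(card_keys)
        self._used = set()

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, pan: str, challenge: bytes, amount_cents: int, response: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None or challenge in self._used:
            return False
        msg = challenge + amount_cents.to_bytes(8, "big") + pan.encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self._used.add(challenge)
        return True


# Constructed example data; real keys are provisioned when the card is personalized.
TEST_PAN = "4111111111111111"
TEST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def run_scenarios() -> dict:
    """Four transactions: one genuine, three that a chip check must reject."""
    issuer = Issuer({TEST_PAN: TEST_KEY})
    chip = Chip(TEST_PAN, TEST_KEY)
    results = {}

    # 1. Genuine card present: the chip answers a fresh challenge.
    c1 = issuer.new_challenge()
    r1 = chip.respond(c1, 2599)
    results["genuine"] = issuer.verify(TEST_PAN, c1, 2599, r1)

    # 2. Replay: an eavesdropper resubmits the captured (challenge, response) pair.
    results["replay"] = issuer.verify(TEST_PAN, c1, 2599, r1)

    # 3. Clone: the attacker has the PAN (as from a skimmed stripe) but not the key,
    #    so the best they can do is reuse an old response against a new challenge.
    c2 = issuer.new_challenge()
    results["clone"] = issuer.verify(TEST_PAN, c2, 2599, r1)

    # 4. Amount tampering: the amount is changed after the chip has signed it.
    c3 = issuer.new_challenge()
    r3 = chip.respond(c3, 2599)
    results["tampered_amount"] = issuer.verify(TEST_PAN, c3, 259900, r3)

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted; the other three fail because the response is bound to a one-time challenge, to the amount, and to a key the attacker never obtains.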

Digital Wallets Digital wallets use a standard credit card account and disguise your real credit card number with a one-use number, so the merchant never receives the real account number and a one-use number cannot be charged again if the merchant’s stored card data is later compromised. The advantage is more security and convenience, because payment forms are filled in automatically. The following are some currently available digital wallets:

• deskshop: Discover Bank (http://www2.discovercard.com/shopcenter/deskshop/main.shtml)
• MBNA ShopSafe: MBNA America Bank (http://www.mbnashopsafe.com/)
• Microsoft Passport (http://www.passport.net/Consumer/default.asp)
• Q*Wallet (http://www.qwallet.com/)[1]
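The following Python example is added here to show the mechanism behind a one-use number; it is not code from this book or from any of the wallets listed above. An issuer-side vault mints a Luhn-valid virtual number under an assumed test BIN (999999), binds it to one merchant, a spending ceiling, and an expiry, and on authorization maps it back to the real card number exactly once. The merchant names, BIN, and test card number are constructed for the example.

```python
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn weighted sum mod 10; 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and luhn_checksum(number) == 0


def luhn_check_digit(partial: str) -> str:
    """The digit to append so that partial + digit passes the Luhn check."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


class WalletVault:
    """Issuer-side store mapping single-use virtual numbers to the real PAN.
    Only the issuer ever sees the mapping; the merchant only sees the virtual number."""

    def __init__(self, bin_prefix: str = "999999", clock=None):
        self._bin = bin_prefix            # assumed test BIN, not a real issuer range
        self._records = {}
        self._clock = clock or (lambda: 0)

    def issue(self, real_pan: str, merchant: str, max_cents: int, ttl_seconds: int = 900) -> str:
        if not luhn_valid(real_pan):
            raise ValueError("real PAN fails Luhn check")
        while True:
            body = self._bin + "".join(secrets.choice("0123456789") for _ in range(9))
            vcn = body + luhn_check_digit(body)
            if vcn not in self._records:
                break
        self._records[vcn] = {
            "pan": real_pan, "merchant": merchant, "max": max_cents,
            "expires": self._clock() + ttl_seconds, "used": False,
        }
        return vcn

    def redeem(self, vcn: str, merchant: str, amount_cents: int):
        """Runs on the issuer's authorization path. Returns (accepted, detail):
        detail is the real PAN on success, otherwise the reason for refusal."""
        rec = self._records.get(vcn)
        if rec is None:
            return False, "unknown number"
        if rec["used"]:
            return False, "already used"
        if self._clock() > rec["expires"]:
            return False, "expired"
        if merchant != rec["merchant"]:
            return False, "merchant mismatch"
        if amount_cents > rec["max"]:
            return False, "amount exceeds limit"
        rec["used"] = True
        return True, rec["pan"]


def demo() -> dict:
    """Issue two virtual numbers and exercise each refusal path."""
    now = {"t": 1000}                      # injectable clock for a deterministic run
    vault = WalletVault(clock=lambda: now["t"])
    real_pan = "4111111111111111"          # well-known test PAN, not a live card
    vcn = vault.issue(real_pan, merchant="bookshop.example", max_cents=5000)
    out = {"luhn_valid": luhn_valid(vcn), "length": len(vcn)}
    out["first"] = vault.redeem(vcn, "bookshop.example", 4200)
    out["second"] = vault.redeem(vcn, "bookshop.example", 4200)   # single use: refused
    vcn2 = vault.issue(real_pan, merchant="bookshop.example", max_cents=5000)
    out["wrong_merchant"] = vault.redeem(vcn2, "other.example", 100)
    out["over_limit"] = vault.redeem(vcn2, "bookshop.example", 6000)
    now["t"] += 3600
    out["expired"] = vault.redeem(vcn2, "bookshop.example", 100)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The merchant-binding and ceiling are what make a leaked virtual number useless elsewhere; the single-use flag is what protects against the merchant’s own database being dumped later.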

Person-to-Person Payments Person-to-person payments systems support e-mail-based payments directly to another person’s bank account. The following are some currently available person-to-person payments systems:

• Billpoint: eBay and Wells Fargo (http://www.billpoint.com/)
• c2it: Citibank (http://www.cj.com/expired.jsp?PID=677520&AID=5439511)
• PayPal.com (https://www.paypal.com/refer/[email protected])[1]

Micropayment Systems: eCash These offer secure payment alternatives for small-ticket items. The following are some currently available micropayment systems:

• ECharge: Secure alternative to using credit cards (http://www.echarge.com/)
• Trivnet: Making Online Commerce Pay (http://www.trivnet.com/)[1]

Token Value and Store-Based Credit Finally, you can earn credits to shop at various stores by using these token-based alternatives to real money. The following are some currently available token value and store-based credit systems:

• Flooz (http://www.flooz.com/)
• InternetCash (http://www.internetcash.com/)
• Praxell (http://www.praxell.com/)[1]

Summary This chapter does not endorse any e-commerce service listed in it. The information provided is to help you become aware of numerous options that you should investigate on your own. After you’re ready to start making money, many of the links in this chapter will take you directly to the service you need to start processing transactions on the Web without a traditional merchant account.

Chapter 25: Business-to-Business and Business-to-Consumer “All of the animals except man know that the principal business of life is to enjoy it.” —Anonymous

Overview Today’s business-to-business (B2B) e-commerce environment offers companies of all sizes dynamic and exciting business opportunities, but it is rife with uncertainties and challenges. Although most analysts still expect the volume of goods and services sold through B2B e-commerce to climb into the trillions of dollars worldwide in the next few years, the uncertainty seems to be growing. In the face of all of the confusion surrounding B2B e-commerce, most companies are struggling to understand where their real opportunities lie and how they can make strategic technology investments that align with today’s business objectives while providing the flexibility to help them respond to rapid changes in the business landscape. To help companies make informed decisions and capitalize on the right opportunities, this chapter discusses solutions designed to help companies integrate business partners more effectively. Although this notion encompasses a wide range of business challenges and solutions (including supply chain management, procurement, and CRM), this chapter focuses specifically on one concept: supplier enablement. The supplier enablement initiative and technology solutions (whether they be B2B or B2C) are aimed at helping companies of all sizes to sell to their trading partners more effectively by integrating with customers’ procurement systems, as well as e-marketplaces and other electronic sales channels, all from a single e-business foundation. No matter how large or small a business is, or how complex or simple its business processes, supplier enablement solutions make it easier for a company to reach its customers through whatever purchasing method they prefer. More specifically, supplier enablement solutions leverage existing and new technology investments, open technology standards, and partnerships to empower suppliers to reach the broadest set of buyers, selling both directly from and beyond their own Web site, through a range of cost-effective, high-performance solutions that offer superior scalability, reliability, and time-to-market.

Roles and Challenges in Business-to-Business E-Commerce Before solving key issues in B2B e-commerce, it is important to understand the key roles that companies or individuals within companies play. There are four primary roles in B2B e-commerce. Every company plays at least one of them, and many companies play multiple roles. Figure 25.1 shows three of the roles (Web services live within and between the three others)[1].

Suppliers: Businesses that market and sell goods or services directly to business customers through traditional or other sales channels, ideally selling directly to their customers’ Web-based procurement systems and electronic marketplaces.

Buyers: Customers and businesses that purchase goods and services directly from suppliers, either through traditional means or electronically through self-service procurement systems, ERP-based procurement applications, and electronic marketplaces (private or public). Examples of buy-side applications include those from vendors such as SAP, Ariba, Clarus, PeopleSoft, Commerce One, Oracle, and many others.

Market makers: Third-party organizations that run e-marketplaces using Internet technologies to connect multiple buyers with multiple suppliers so that participants can reach new trading partners, conduct e-commerce, and take advantage of Web services such as payment, logistics, and collaboration.

Web service providers: Third-party organizations that provide buyers, e-marketplaces, and suppliers with Web-based services (including payment, authentication, logistics, credit, business registries, and many others) necessary for completing B2B e-commerce transactions and collaboration[1].

Each role has distinct business and technical challenges, but there are some common themes. For buyers, market makers, and Web service providers, the primary issue is liquidity. Success depends on the ability to reach the critical mass of trading partners and transaction volume necessary to provide sufficient return on investment and create a viable, sustainable business. Suppliers face the difficult challenges of maintaining the ability to sell effectively to all their customers, both in traditional channels and through emerging e-commerce channels, while finding a way to differentiate themselves from the competition in those new electronic environments.

As a result, although it has been relatively easy to convince buyers and market makers of the value of B2B e-commerce, suppliers have been much slower to come around. And, without a critical mass of suppliers, the savings from procurement systems can’t be maximized and the liquidity that e-marketplaces require will be impossible to achieve.

[1] “Empowering Suppliers for Integrated Business-to-Business E-Commerce,” © 2002 Microsoft Corporation. All rights reserved. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, 01100, 2003.

The Supplier’s Perspective Arguably, the number one reason that suppliers have been reluctant to take advantage of B2B e-commerce is that although electronic trading offers clear, easy-to-understand benefits for buyers, the value proposition for suppliers has been much less clear. Suppliers must look at the e-commerce landscape as it relates to their own business ecosystem and their ongoing efforts to drive maximum revenue and benefits. And, all suppliers have different types of customers who must be served through some combination of traditional and electronic methods. In addition, e-commerce systems must integrate with and take advantage of existing internal systems (see Figure 25.2)[1]. Finally, electronic channels must offer suppliers the ability to differentiate themselves and expose their business value to their customers in order to compete effectively.

From the supplier’s perspective, a technology investment must fulfill a number of objectives that are common to companies of every size and complexity:

• It must make measurable impact on the supplier’s business through:
  o Increased revenue
  o Increased efficiency
  o Lower costs of doing business
  o Increased agility
  o Improved customer service and satisfaction
• It must allow suppliers to differentiate themselves and compete more effectively by providing:
  o The ability to expose the supplier’s full value proposition and brand in electronic form
  o Lower cost and faster acquisition of new customers
  o Increased business from existing customers
• It must leverage the existing strengths and investments of the supplier through:
  o The ability to enhance and complement existing business processes
  o The ability to enhance and complement existing technology investments (ERP, supply chain, CRM, logistics, collaboration, etc.)
  o The ability to increase overall business intelligence and decision-making abilities[1]
A Variety of Selling Channels A wide range of electronic selling channels exist today. One hypothetical example: imagine a maker of industrial supplies based in Brazil that sells products directly to customers all over the world via its Web site, to its biggest customers in North America and Europe through their electronic procurement systems, and to a wide range of additional customers through vertical and regional marketplaces. Because all of those external systems may use different platforms, technologies, communication standards, and data formats, integration can be complex and costly. To be truly valuable for the supplier, a solution must insulate a supplier’s processes and strengths from the complexities that exist outside of its control.

Why Item Number and Price Aren’t Enough Some solutions offer suppliers the ability to make their goods and services available and take orders electronically, but stop far short of truly empowering the supplier. In some cases, these solutions actually threaten their existing business by reducing a company’s ability to differentiate itself and expose the true value of its products or services. For example, if a supplier of automobile parts has traditionally competed by offering superior, customized products and great service at a premium price, simply publishing a catalog of goods and services to a marketplace or procurement system could make those items appear as peers to lower-priced, lower-quality items. Buyers may only see the part number, description, and price, leading them to choose the lower-priced item. This disempowers the supplier and can result in misinformed buying decisions by their business customers and, ultimately, lost sales for the supplier. Additionally, many sellers want to promote their brand and capabilities along with their products and services, and need a way to effectively interact with their customers and build stronger customer relationships, even while selling electronically.

Basic Supplier Challenges For suppliers that are considering whether to embrace B2B e-commerce, it is important to understand the business and technical challenges, as well as the functionality necessary to achieve success online. These challenges fall in three major categories:

• Making products and services available to multiple business customers
• Receiving orders from multiple customers
• Managing the online business[1]

Making Products and Services Available to Multiple Business Customers The first step in any electronic selling environment is providing suppliers with the ability to get their products and services to market. Several challenges must be overcome to make this possible.

Catalog Considerations What separates a good catalog from a bad catalog? The characteristics of successful electronic catalogs include the ability to create and manage custom catalogs, including catalogs that provide customized pricing for individual customers or specific selling channels. Interaction with existing sources of product, pricing, and inventory information (ERP, supply chain, and other back office applications) is also critical. Additionally, an effective catalog system should provide Web-ready information (photos, short and long descriptions, links to additional information, etc.) and proper classification data (such as UNSPSC) to be effective with customer applications.

Catalog Publishing Any effective solution must provide the ability to publish product and pricing information. This can be done in whatever format is required to meet the needs of any customer, without adding new layers of complexity for the supplier.

Direct Buyer Interaction As a supplement to catalog publishing, and directly tied to the suppliers’ ability to differentiate themselves, an effective sell-side e-commerce application must go beyond simply passing data between buyer and supplier. It must also enable collaboration between applications and the people that use them. This functional requirement is known as Remote Shopping and has been given different names by technology vendors of buy-side applications (Round Trip/OCI—SAP/Commerce One; Punch Out—Ariba; Tap Out—Clarus). Not only does the supplier’s solution need to have this capability, but it must also understand the standard ways that different customers have of interacting. Because the buyer’s procurement system opens the shopping session on its user’s behalf, the supplier must authenticate the requesting system and tie the returned cart to that session rather than to whoever presents the session URL.

Business Exposure and Search Ability Even if you can make your products and services available, how do you make them easy to find? How do you make it easy to begin an electronic relationship with your company?

Receiving Orders from Multiple Customers After a supplier has made its products and services available electronically, it must then be able to deal with the various types of orders that will be generated. Although “many orders from many customers” is a good problem to have, it comes with two key challenges: accepting multiple orders and order management.

Accepting Multiple Orders Much like the challenge of making products and services available to customers who use different platforms and technologies, receiving orders from multiple customers using different order formats and delivery and communication protocols can be difficult. An effective supplier solution must insulate the supplier from this complexity by seamlessly handling the delivery and transformation of all orders, regardless of format or protocol. This offers a dramatic benefit to both buyers and suppliers because it allows each to use its preferred business processes and order formats while communicating easily with the other. In addition, inside a supplier’s systems, data from all customers then arrives in one consistent form, which is also where validation belongs: once an order is normalized, its items, quantities, and prices can be checked against the supplier’s own catalog and contract terms rather than taken on trust from the inbound document.
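The following Python example is added to illustrate this order-transformation step together with the per-customer pricing described under Catalog Considerations; it is not code from this book or from any vendor’s product. Two hypothetical inbound formats (a small XML layout and a JSON layout, both invented for the example) are parsed into one canonical order, which is then validated and priced from the supplier’s own catalog and contract price list. The sample catalog, customer names, and orders are constructed; note that the XML order carries a tampered price attribute that the pipeline deliberately ignores.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed supplier data: list prices in cents and per-customer contract prices.
CATALOG = {"BOLT-M8": 120, "NUT-M8": 40, "WASHER-M8": 15}
CONTRACT_PRICES = {"acme": {"BOLT-M8": 100}}
MAX_QTY_PER_LINE = 10_000


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int


@dataclass(frozen=True)
class Order:
    customer: str
    lines: Tuple[Line, ...]


def parse_xml_order(doc: str) -> Order:
    """Hypothetical layout: <order customer="..."><item sku="..." qty="..."/></order>.
    ElementTree does not fetch external entities, but for documents from
    untrusted trading partners use defusedxml in production (assumed installed separately)."""
    root = ET.fromstring(doc)
    if root.tag != "order":
        raise ValueError("not an order document")
    lines = tuple(Line(item.attrib["sku"], int(item.attrib["qty"])) for item in root.findall("item"))
    return Order(root.attrib["customer"], lines)


def parse_json_order(doc: str) -> Order:
    """Hypothetical layout: {"customer": "...", "lines": [{"sku": "...", "qty": n}]}."""
    data = json.loads(doc)
    lines = tuple(Line(str(l["sku"]), int(l["qty"])) for l in data["lines"])
    return Order(str(data["customer"]), lines)


PARSERS: Dict[str, Callable[[str], Order]] = {"xml": parse_xml_order, "json": parse_json_order}


def price_order(order: Order):
    """Validate the canonical order and price it from the supplier's own data.
    Any price carried in the inbound document is ignored: a buyer-supplied
    price is untrusted input, not a contract term."""
    if not order.lines:
        raise ValueError("empty order")
    overrides = CONTRACT_PRICES.get(order.customer, {})
    priced, total = [], 0
    for line in order.lines:
        if line.sku not in CATALOG:
            raise ValueError(f"unknown sku {line.sku!r}")
        if not 1 <= line.qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"quantity out of range for {line.sku}: {line.qty}")
        unit = overrides.get(line.sku, CATALOG[line.sku])
        priced.append((line.sku, line.qty, unit))
        total += line.qty * unit
    return priced, total


def ingest(fmt: str, doc: str):
    """One entry point regardless of format: parse to the canonical Order, then price."""
    parser = PARSERS.get(fmt)
    if parser is None:
        raise ValueError(f"unsupported order format {fmt!r}")
    return price_order(parser(doc))


# Constructed sample orders. The XML one carries price="1", which is ignored.
XML_ORDER = (
    '<order customer="acme">'
    '<item sku="BOLT-M8" qty="2" price="1"/>'
    '<item sku="NUT-M8" qty="5"/>'
    '</order>'
)
JSON_ORDER = '{"customer": "globex", "lines": [{"sku": "BOLT-M8", "qty": 3}]}'
BAD_ORDER = '{"customer": "globex", "lines": [{"sku": "NUT-M8", "qty": -4}]}'

if __name__ == "__main__":
    print(ingest("xml", XML_ORDER))
    print(ingest("json", JSON_ORDER))
```

The format-specific code is confined to the two parsers; everything downstream of the canonical Order, including the pricing and range checks, is shared, so a new customer format adds a parser and nothing else.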

Order Management Equally challenging are the many ways that incoming orders can be managed. This varies greatly depending on the existing processes of the supplier. As a result, suppliers must have the ability to process orders locally within the sell-side environment and integrate them directly with existing order management and back office applications. For that to be truly manageable, the solution must be intelligent enough to orchestrate and execute the supplier’s business processes, depending on the characteristics of the order.

Managing the Online Business The third key challenge (and opportunity) for suppliers when choosing a solution for effective online selling is understanding how the solution will interact with their existing technology infrastructure, as well as what additional value it will provide to the organization. Many e-commerce solutions focus primarily on external integration and data exchange, but fail to address key internal challenges for the supplier.

Existing Technology Investments Suppliers of all sizes and complexity have made investments in applications such as enterprise resource planning (ERP), accounting, supply chain management (SCM), customer relationship management (CRM), and more, all of which may run on different technology platforms. Attempting to replace or work around these applications is expensive and complicated. It is also unnecessary, especially when the tools and technologies exist to allow suppliers to leverage those systems to their fullest while adding incremental value.

Existing Business Processes In addition to existing systems, most businesses have internal processes that provide significant value to the organization. An effective solution should leverage those processes and complement them by providing the necessary tools and workflow features.

Business Intelligence After the challenges and functional requirements previously described are met, the supplier has the opportunity to leverage a B2B e-commerce solution to enhance its decision-making capabilities. It is not enough for a sell-side solution to simply provide an electronic means to trade with multiple customers. It must provide, at a minimum, strategic information about what a company is selling and to whom. A B2B e-commerce system begins to provide real value when it can deliver the data needed to help suppliers answer such questions as:

• Which channel (procurement, marketplaces, my Web site, etc.) is generating the most orders or revenue?
• Which customers are buying which products and services?
• Which products and services are providing the highest margins?
• If I am paying to participate in an electronic marketplace, is there sufficient return on investment[1]?

Enabling Technologies To meet the needs of suppliers in today’s marketplace, the functional requirements of a B2B e-commerce solution must fulfill the objectives and challenges previously described. Although some may be more important than others to different suppliers, together they make up the basic building blocks of any effective sell-side B2B solution. Now, let’s look at B2C electronic information systems. This part of the chapter explores the common pitfalls in the design and implementation of a successful e-commerce information architecture. After identifying the most common problems, it shows how to architecturally guarantee continuous Web site availability and scalability, successfully implement a clickstream data warehouse, and create a contractual environment with technology suppliers that ensures the business success of the e-commerce enterprise.

Business-to-Consumer Business-to-consumer (B2C) electronic commerce enterprises are information-driven entities that have some of the most extreme information technology solution requirements found in the commercial business world. From the moment B2C e-commerce Web sites go online, they must provide the functionality, capacity, and continuous availability required for the potentially millions of users accessing Web site content. These extreme functionality, capacity, and availability requirements apply whether the enterprise is a new e-commerce start-up or the e-commerce presence of an existing brick-and-mortar business. But, are the millions of e-commerce site users necessarily also site customers? Obviously not—site users can be anyone from casual visitors, to advertising click-throughs, to targeted prospects, to actual customers. Although traditional brick-and-mortar commerce enterprises typically have no easy way to record and analyze user behavior until they become customers (if even that), e-commerce enterprises can record and analyze all activities of all types of users, all of the time (see Figure 25.3)[2]. The ability to record and analyze all site user behavior in minute detail gives e-commerce enterprises a significant edge over brick-and-mortar competitors who have little direct visibility to the behavior of anyone besides actual customers (see Figure 25.4)[2].

E-Commerce Information System Architecture Electronic commerce enterprises typically have five categories of business activity that are realized in up to a dozen potential business activity fulfillment mechanisms. The correspondence between the business activities and their fulfillment mechanisms is shown in Figure 25.5[2]. A particular e-commerce enterprise may not have a full suite of the fulfillment mechanisms, depending on its business model and its maturity as a business. For example, not all electronic commerce enterprises have telephone call centers. At a minimum, they require only a Web-based customer service interface. But, a fully-functional e-commerce enterprise generally will have aspects of all the business activities and the fulfillment mechanisms.

External User Acquisition Systems: These systems lead a customer to an e-commerce enterprise, and include all advertising media, Web and otherwise, Web search engines, site tie-ins, and so on.

User Activity-Driven Frontend Systems: These systems include the Web content sites, the voice-based telephony call centers, and the adjunct support systems such as e-mail that provide the electronic presence of an e-commerce enterprise.

Backend Operational Systems: On the Web, order entry becomes a very broad category that includes much more than the ordering of products by customers. Order entry and fulfillment is the action-driven outcome of a user's analysis of site content, whether or not that user is a customer. This can include product orders, information downloads, requests for more information, information tailoring requests (like My Yahoo), financial orders such as stock purchase, sale, or funds transfer, general order status requests, and so forth.

Backend Management-Oriented Systems: These include financial management and reporting systems as well as a clickstream/callstream user relationship management data warehouse containing a detailed history of user activity[2].

E-Commerce Information System Architecture Stakeholders The e-commerce information architecture components have associated cadres of interested stakeholders, which are described in Figure 25.7[2]. The first set of stakeholders is the site’s user community, whose attention is garnered either by external acquisition systems, such as search engines, Web ads, e-mail, or other media advertising, or by the internal content of the site’s frontend Web servers and call centers. If the eyeball acquisition mechanisms or the site and call center fail to intrigue or at least be useful to users, they fail these very important stakeholders.

Note Not all sites have call center systems, but all e-commerce sites have Web servers by definition.

The next set of stakeholders is the e-commerce enterprise's operational personnel, who are responsible for the care and feeding of the frontend Web servers, call centers, and the operational tie-ins to external user acquisition media. In many cases, e-commerce operational personnel are solely focused on these frontend systems despite the obvious need for backend system functionality. In more enlightened e-commerce enterprises, operational personnel also have a stake in order entry/order fulfillment systems, which centrally fulfill site-oriented activities such as user registration, requests for information, downloads, and product or service (stock/auction) orders. Web server site content may also be distributed centrally from such a system.

E-commerce executive management and stockholders have a stake in the success of all the systems of an enterprise, but they are acutely interested in a well-implemented enterprise financial management system. These systems enable up-to-the-moment financial management of the enterprise, directly linked to the actual revenue and cost streams associated with frontend and backend operational systems. Without such a system, management is essentially flying blind from a financial perspective, which is very dangerous and, unfortunately, a very common situation with young e-commerce enterprises. A properly implemented enterprise financial management system can also satisfy the financial reporting requirements set forth by the SEC and investment bankers, which are among the prerequisites for a successful initial public offering.

Although enterprise financial management is a fundamental need, the clickstream/callstream data warehouse gives user relationship management stakeholders the tools they need to make the e-commerce enterprise grow and prosper over the long term. The existence of an effective user relationship management clickstream/callstream data warehouse is one of the most important long-term success differentiators in the e-commerce business sphere. These systems record all the activity of prospects and customers, whether the contact mechanism is the Web or a call center.
Examples of captured Web clickstream information include the referring site, which tests the effectiveness of external media user acquisition campaigns; the Web pages visited by the site user; the time spent there; and what the user might have bought. The call center user contact record captures what the user did in that contact environment, either through automated voice-activated telephone scripts or through contact with human call center personnel. This automatically collected treasure trove of user behavior information theoretically gives the e-commerce enterprise a huge advantage over brick-and-mortar competitors, who cannot easily record customer and prospect behavior. Although Web server clickstream and call center log files provide the necessary source information, the resulting historical data warehouses can become extremely large, making them probably the most difficult e-commerce system to implement. But, once implemented, these systems affect all aspects of the enterprise and all stakeholders, including:

• User behavior analysis/trending
• Web site page performance
• Effectiveness of user acquisition strategies
• Effectiveness of special offers
• User-behavior-driven Web page presentation
• Presentation of Web ads according to user behavior
• Enrichment of user data with externally purchased psychodemographic profiles
• Individualized call center script control
• Overall business strategy insights[2]

A summary of the interests of the various e-commerce stakeholders is shown in Figure 25.8[2].

The Principal Problem with E-Commerce Information Systems So, what is the principal problem with this complex e-commerce information architecture landscape? The lack of focus on backend e-commerce information systems, as shown in Figure 25.9[2].

Many e-commerce start-ups are expert-heavy in frontend Web servers and business domain knowledge. This is good, but they often lack corresponding expertise in the details of the backend information systems that enable critical functions, such as order entry and fulfillment, financial management, and the analysis of user behavior on their Web sites. This lack of depth in a total e-commerce IT solution leads to the following fundamental business problems:

• The lack of a highly available and highly scalable operational infrastructure
• The lack of a clickstream/callstream data warehouse
• The alignment of information technology vendor and e-commerce enterprise business goals[2]

The Lack of a Highly Available and Highly Scalable Operational Infrastructure Many e-commerce enterprises fail to properly construct an inherently scalable, redundant, and reliable 24 x 7 x Forever Web enterprise system architecture. E-commerce enterprises must have speedy and highly available systems, including at least the Web server/call center frontend systems and the backend order-entry and fulfillment systems. If any of the required systems is not continuously available, or cannot gracefully handle unpredictable spikes in site activity, the user sees this immediately and the site risks the extremely negative business impact of wandering eyeballs. Wandering eyeballs lead users to competing sites that are at most a few clicks away. These wayward forays can lead to a permanent loss of time spent at the site, and so to a reduction in lifetime user value that ranges from a significant percentage for existing users to the total loss of the lifetime value of a prospect or visitor who vows never to return.

The Lack of a Clickstream/Callstream Data Warehouse Many e-commerce enterprises fail to undertake the difficult design and implementation of a highly scalable clickstream/callstream data warehouse, which records the activities of all users of a particular Web site and its associated call centers. The knowledge derived from the analysis of the information in the clickstream/callstream data warehouse is the key to long-term competitive advantage of an e-commerce enterprise, making the implementation of an effective clickstream/callstream data warehouse an early priority in the life of an e-commerce enterprise.

The Alignment of Information Technology Vendor and E-Commerce Enterprise Business Goals E-commerce enterprise employees have a natural tendency to try to become e-commerce knowledge and management superhumans, attempting to orchestrate a hodge-podge of information technology vendors, including hardware, software, and services, none of whom have any real stake in the success of the overall solution. Often, a better approach is to carefully choose a single overall solution vendor with contractually guaranteed responsibility for the multiple solution component suppliers. Such an arrangement aligns the responsible vendor's business interests, and the success of the total e-commerce solution, with those of the e-commerce enterprise, creating natural, synergistic incentives for e-commerce enterprise success.

It is easy to lay blame and identify problems, but how does one construct a viable solution model that conquers these three fundamental e-commerce enterprise dilemmas? The next part of the chapter explores solutions to each of these important problems.

Problem One: A Highly Available and Highly Scalable E-Commerce Operational Infrastructure Because e-commerce enterprises are information entities at their core, the problem of high availability becomes particularly acute. A highly available implementation of the information architecture of an e-commerce enterprise also needs to deliver high levels of performance, even in the face of failure, which places special performance design and implementation requirements on this highly available architecture. Typical e-commerce enterprises take care of the first level of these requirements by siting their Web servers at Web site-hosting service providers, such as Exodus, AboveNet, Frontier GlobalCenter, and others. These site-hosting service providers typically have multiple geographically separated, secure buildings that sit directly on central Internet backbone connections for fast access. The e-commerce enterprise's Web servers are placed at one or more of the Web-host service provider sites, creating fast, replicated Web server access for site users. In addition, the site-hosting service providers typically create a high availability environment for the hosted site servers, including such features as redundant Internet backbone connections, redundant uninterruptible power supplies, non-water-based fire suppression, and caged-system physical security measures. An architectural diagram of this type of environment is shown in Figure 25.10[2].

Multiple replicated-content Web servers reside at these sites, providing a continuous Web presence for the e-commerce enterprise. Users enjoy fast and reliable access, and operational personnel can theoretically sleep at night.

But, not all of the critical e-commerce systems can be replicated as easily as the Web server frontends. Backend systems tend to be centralized by their very nature and this creates a new set of single-point-of-failure problems that go beyond the site and environmental redundancy provided by the site-hosting service provider. For example, backend order entry, processing, and fulfillment systems are usually centralized. A customer who places an order from a particular Web server may later inquire about its status from another server, and all the order information needs to be stored in a centralized database so that this functionality can be delivered from any point of entry. But, the system that houses this centralized order database becomes a major single point of failure that requires a redundant architecture on top of that provided by the Web hosting service provider. Any failure in the hardware or software of the centralized backend order system can stop an e-commerce site, and the types of “orders” can be anything from a purchase of physical goods, served-up advertisements, auction site bids, stock market buy and sell orders, to site content information. These centralized information systems must have a redundant, clustered, highly available implementation within a particular site-hosting environment, or they become a single point of failure. In addition to a fully redundant site-hosting architecture, it is also necessary to replicate the host site systems between at least two geographically remote locations for protection against catastrophic host site disasters, such as widespread power failures, earthquakes, storms, terrorism, and war. The replicated, multisite strategy also enhances localized Internet site access performance, by shortening the pathway from the client to the nearest geographic server. 
In addition, the business model of many e-commerce enterprises causes the clickstream/callstream data warehouse to become so critical to operations that it, too, must be clustered and remotely replicated to ensure the viability of the enterprise. Taking all of the preceding issues into consideration, a fully redundant, geographically replicated, high-availability e-commerce system architecture, including all frontend and backend systems, is shown in Figure 25.11[2].

Problem Two: The Design and Implementation of an Effective Clickstream/Callstream Data Warehouse It is a cliché, but the Web changes everything about the design of a B2C commerce-oriented data warehouse. The wide scope of this change is best appreciated by reviewing the typical data warehouse schema of traditional brick-and-mortar retailers, a simple example of which is shown in Figure 25.12[2].

Although traditional brick-and-mortar retail data warehouses differ greatly in the details of their specific implementations, all have some version of four key dimensions: Time, Product, Geography, and Promotion, as well as a Sales Fact table containing sales transaction data. Notably, there is no customer dimension in this old-style data warehouse. Until recently, it was so difficult to capture the identity of a specific customer and his associated market basket that this key analytical dimension, perhaps the most important of all, was left out. Nevertheless, the information contained in this type of schema has changed the face of retailing, greatly improving inventory management, store layout, and mass-media advertising effectiveness.

By using newer IT customer identification techniques, such as loyalty cards or linkage to checking and credit card payment databases, forward-looking brick-and-mortar retailers have been able to add the Customer Dimension and associated market basket analytical capabilities to their data warehouses. This enhancement has driven the ongoing movement toward one-to-one customer relationship management (CRM). Customer/market-basket analysis is a great advance, but there are two classes of potential customer activity that are not captured by loyalty cards or other brick-and-mortar information system tie-ins. Sales prospects are potential customers who comparison-shop across different stores and catalogs and weigh various advertisements. They move in and out of a particular retailing environment without leaving a trace of their activity unless, of course, they actually buy and become customers. And casual visitors, just browsing your store, catalog, or advertisements, are similarly anonymous.

Web-based e-commerce is unique in that it can capture all the presales activity of prospecting potential customers as well as browsing visitors, greatly enhancing the enterprise's overall market knowledge and permitting much more sophisticated customer acquisition and retention strategies. As mentioned earlier, in an e-commerce environment, visitors, prospects, targets, and customers are lumped into the general category of users. Let's now start with the data warehouse schema of a forward-looking brick-and-mortar retailer and see how it changes in an electronic commerce environment.

The E-Commerce Data Warehouse Site Activity Fact Table Records Much More Than Just Sales Activity The traditional brick-and-mortar Sales Fact Table becomes the User Activity Fact Table in the e-commerce environment. Although actual sales transaction information is all that is typically known in the brick-and-mortar world, e-commerce sites can record all site user activity, including that of prospecting buyers, targeted users, and casual visitors (see Figure 25.13)[2].

On the Web, the presales activity of actual customers can be recorded in minute detail. Facts that can be recorded in a User Activity Fact Table include activity source, time spent on the activity, activity cost, and activity revenue. For example, an activity source might be a parent Web page URL, or the IP address from which a site user entered the site. Time spent is the elapsed time spent on a particular site Web page or frame. The site activity cost is the dollar cost to the enterprise for the activity on the page or frame, and the activity revenue is the revenue gained from the site activity; both are numbers greater than or equal to zero. Each of these site activity facts has a composite key drawn from the associated e-commerce data warehouse dimension tables, which are explained next. The voluminous clickstream detail creates an explosion of fact table information that makes scalable data warehouse environments an absolute necessity.

E-Commerce Site Users Are More Than Customers The leading-edge Customer Dimension from the brick-and-mortar world becomes the User Dimension in an e-commerce environment. External e-commerce site users are visitors who may be customers, prospective buyers, or casual browsers, and all their site activity is easily recorded by Web logging mechanisms.

Note E-commerce site users do not necessarily have to be external to the enterprise. If customer service and call center personnel use a Web-based system, then customer service call center site activity can be recorded in the same data warehouse schema that is used for external clickstream activity (see Figure 25.14)[2]. This realization is an important breakthrough, because it links all user contact activity in a single data store, whether the method of contact is the Web, the telephone, or e-mail. All electronic user activity is recorded, regardless of medium, in the unified clickstream/callstream data warehouse. In addition, the knowledge gained from the full spectrum of user activity stored in this unified analytical model gives significant competitive market and customer knowledge advantages to e-commerce enterprises.

In the press and analyst reports, much is made of the difficulty of identifying a visitor to a Web site, because, at a minimum, all that is known about a visitor is the originating IP address and nothing else. Although this is a problem, it pales when compared to that of the traditional brick-and-mortar retailer, who typically has no idea who visited a store (walked in and then out again), what they did while there, or which potential customers scanned and silently rejected expensive print or media ad campaigns or never read them at all (see Figure 25.15)[2]. In contrast, the e-commerce entity can capture the details of all client visits and Web ad-induced click-throughs, and although it may not know the client's exact identity, it at least knows that he got to the site and what he did there. The analysis of that behavior is significant even if the actual identity is unknown. This is a significant increase in customer/prospect/visitor knowledge, and it gives electronic enterprises a significant competitive advantage over brick-and-mortar competitors.

Geography Gains Fine Detail on the Web The traditional brick-and-mortar, physically-oriented geography dimension goes virtual in e-commerce, and the result is three new location-oriented dimensions. Please see Figure 25.16[2].

Physical Geography Physical geography is the physical location of the site user. The physical geography of a user cannot always be derived from the user's IP address, but to the extent that it is known, it provides insight into geographic customer behavior patterns. For example, a global Web e-commerce enterprise can market summer items in July to users in the Northern hemisphere, while simultaneously marketing winter items to users in the Southern hemisphere where the seasons are reversed.

Web Geography Web geography is the identity of the source site that got the user to the e-commerce site. This source is, at a minimum, an IP address. But, source site information can be enriched with other identifying factors, including Internet Service Provider ID, portal site ID, search engine ID, advertising server provider ID, customer service toll-free number, and so on. The idea behind Web geography is to identify, as completely as possible, the mechanism used to enter the e-commerce enterprise. Identifying the location of these access origination sites is one of the keys to customer-acquisition campaign effectiveness, much as advertisements in local newspapers enhance sales in brick-and-mortar stores in a particular geography. Advertising efforts should be concentrated on these point-of-entry sites.

Site Geography

Site geography is a map of the pages within a Web site, including page and frame parent information. Site geography defines the path a user takes through the content of a Web site, and the analysis of these paths is crucial to a complete knowledge of user behavior and site effectiveness.

Time Goes Individual on the Web Because e-commerce enterprises have users that can be located across the globe, the traditional Time Dimension splits into the financially oriented Fiscal Time Dimension and a physical geography-specific User Time Dimension, as shown in Figure 25.17[2].

Fiscal Time defines the fiscal year of the e-commerce enterprise, but User Time defines the user-oriented time of day characteristics such as morning, afternoon, evening, the season of the year, and so on. E-commerce seasonality is nonintuitive without the User Time dimension. For example, Northern hemisphere users can be in User Time summer, while Southern hemisphere users are simultaneously in the User Time winter season.
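The split described above is easy to get wrong at the edges: the same clock instant falls into different day periods and different seasons depending on where the user sits, and the fiscal year is offset from the calendar year. The following Python is an added example (not code from the book or from the Sequent paper it cites) that derives both dimension rows for one hit. The user's UTC offset and latitude are assumed to come from the Physical Geography dimension; the July fiscal-year start, the day-period boundaries and the month-to-season table are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Month -> season for the Northern hemisphere (assumed meteorological seasons).
NORTHERN_SEASON = ["winter", "winter", "spring", "spring", "spring", "summer",
                   "summer", "summer", "autumn", "autumn", "autumn", "winter"]
SOUTHERN_FLIP = {"winter": "summer", "summer": "winter", "spring": "autumn", "autumn": "spring"}

# One constructed hit: 5 July 2003, 14:00 UTC.
SAMPLE_HIT = datetime(2003, 7, 5, 14, 0, tzinfo=timezone.utc)


def fiscal_period(ts_utc, fy_start_month=7):
    """Fiscal Time: (fiscal year, fiscal quarter) for a hit timestamp.
    The fiscal year is named for the calendar year in which it ends; the
    July start month is an assumption for the example."""
    months_into_fy = (ts_utc.month - fy_start_month) % 12
    fiscal_year = ts_utc.year + (1 if fy_start_month != 1 and ts_utc.month >= fy_start_month else 0)
    return fiscal_year, months_into_fy // 3 + 1


def user_time(ts_utc, utc_offset_hours, latitude):
    """User Time: (day period, season) in the user's own location.
    utc_offset_hours and latitude are assumed to come from Physical Geography."""
    local = ts_utc + timedelta(hours=utc_offset_hours)  # shift to the user's wall clock
    hour = local.hour
    if 5 <= hour < 12:
        period = "morning"
    elif 12 <= hour < 17:
        period = "afternoon"
    elif 17 <= hour < 22:
        period = "evening"
    else:
        period = "night"
    season = NORTHERN_SEASON[local.month - 1]
    if latitude < 0:  # seasons are reversed south of the equator
        season = SOUTHERN_FLIP[season]
    return period, season


def time_dimensions(ts_utc, utc_offset_hours, latitude, fy_start_month=7):
    """Both dimension rows that a User Activity fact row would reference."""
    fiscal_year, quarter = fiscal_period(ts_utc, fy_start_month)
    period, season = user_time(ts_utc, utc_offset_hours, latitude)
    return {"fiscal_year": fiscal_year, "fiscal_quarter": quarter,
            "day_period": period, "season": season}


if __name__ == "__main__":
    # Same instant, two users: Oslo (UTC+2, 59.9N) and Sydney (UTC+10, 33.9S).
    print("Oslo  ", time_dimensions(SAMPLE_HIT, 2, 59.9))
    print("Sydney", time_dimensions(SAMPLE_HIT, 10, -33.9))
```

Running it shows the point the text makes: the Oslo user is in a summer afternoon and the Sydney user is in a winter night for the same fact row, while Fiscal Time is identical for both (FY2004 Q1 under the assumed July start).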

Content: Not Just Products on the Web The traditional brick-and-mortar Product Dimension changes dramatically into the content and activity dimensions in an e-commerce environment. An e-commerce site’s business is defined by its content and that may include products for sale, but is rarely exclusively so. Examples of other e-commerce offerings include interest-group information, downloads, internal advertising, external advertising (click-throughs), customer service, and so on. All of this is described in the Content Dimension (see Figure 25.18)[2].

Coupled with content is the notion of Activity, which indicates what someone did in response to the content. Examples of activities include click-downs to related pages, click-throughs to external advertising, information downloads, purchases, service calls, help, and so forth. All of this is captured in the Activity Dimension.

Advertising Goes External on the Web The traditional brick-and-mortar Promotion Dimension expands its focus beyond internally focused advertising and sales promotions to include externally focused promotions on the Web. Most e-commerce Web sites get revenue not only from sales, but also from external promotional tie-ins, some almost exclusively so. Although brick-and-mortar retailers advertise brand name merchandise for sale and often get compensated for those efforts to build an external brand, e-commerce enterprises can have external advertising relationships that extend far beyond those found in traditional commerce. For example, electronic ad servers serve up advertisements that are targeted at a user's behavior profile and, in return, the site receives click-through revenue based on user ad-click activity. The increased focus on external advertising revenue in e-commerce, and the different business goals of internal and external promotions, cause the single traditional promotion dimension to split into the Internal and External Promotion Dimensions (see Figure 25.19)[2].

Another distinguishing characteristic is that Web-based promotions are much more finely targetable than with traditional brick-and-mortar retailers. Also, customer-acquisition media, such as Internet interest sites and chat rooms, are more finely targeted with richer media than was previously possible. This means, for example, that a mountain climbing gear retailer may prosper on the Web, where it might have to be part of a sporting goods chain to survive in the brick-and-mortar world. This ability to more finely target a wider geography and, hence, larger interest group, is one of the key drivers behind the profusion of business-to-consumer electronic commerce enterprises.

A Complete Clickstream/Callstream Data Warehouse Schema The end result is the clickstream/callstream data warehouse schema shown in Figure 25.20[2]. As you can see, the Web changes everything.
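To make the fact table and the Web Geography and Site Geography dimensions concrete, here is an added example (not code from the book or from the Sequent paper it cites) that loads a handful of constructed Web server log lines into a small in-memory star schema and runs the referring-site effectiveness query the stakeholder discussion calls for. Time spent is derived as the gap between consecutive hits of the same session, the external referrer that brought the session in becomes the Web Geography source, and an internal referrer becomes the parent page in Site Geography. The Apache-style log format, the host name www.example.com, the sid session cookie, the convention that a POST under /order/ is a purchase, and the fixed order revenue are all assumptions for the example. One design choice worth noting: because this warehouse links every contact by user, the script stores a hash of the session id rather than the raw cookie value.

```python
import hashlib, re, sqlite3
from datetime import datetime
from urllib.parse import urlsplit

# Constructed Apache combined-format lines (not real traffic). Assumption: the
# site sets a session cookie 'sid' and the Web server logs it as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2003:14:01:10 +0000] "GET /index.html HTTP/1.1" 200 512 "http://search.example/?q=boots" "Mozilla" "sid=a1"
203.0.113.7 - - [05/Jul/2003:14:01:55 +0000] "GET /boots/alpine.html HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla" "sid=a1"
203.0.113.7 - - [05/Jul/2003:14:04:05 +0000] "POST /order/submit HTTP/1.1" 200 300 "http://www.example.com/boots/alpine.html" "Mozilla" "sid=a1"
198.51.100.9 - - [05/Jul/2003:14:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "http://ads.example/banner/77" "Mozilla" "sid=b2"
198.51.100.9 - - [05/Jul/2003:14:02:30 +0000] "GET /boots/alpine.html HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla" "sid=b2"
192.0.2.44 - - [05/Jul/2003:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "http://search.example/?q=boots" "Mozilla" "sid=c3"
192.0.2.44 - - [05/Jul/2003:14:03:20 +0000] "GET /boots/alpine.html HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla" "sid=c3"
192.0.2.44 - - [05/Jul/2003:14:05:00 +0000] "POST /order/submit HTTP/1.1" 200 300 "http://www.example.com/boots/alpine.html" "Mozilla" "sid=c3"
"""
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*" "sid=(?P<sid>[^"]*)"')
SITE_HOST = "www.example.com"  # assumption: the enterprise's own host name
ORDER_REVENUE = 120.0          # assumption: a real load would join the order system
# Dimensions shown: Web Geography, Site Geography, Activity (Time, Content and
# Promotion would be added the same way); user_key stands in for the User dimension.
SCHEMA = """
CREATE TABLE dim_web_geo (web_geo_key INTEGER PRIMARY KEY, source_host TEXT UNIQUE);
CREATE TABLE dim_site_geo (site_geo_key INTEGER PRIMARY KEY, page TEXT UNIQUE, parent_page TEXT);
CREATE TABLE dim_activity (activity_key INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE fact_user_activity (user_key TEXT, web_geo_key INTEGER, site_geo_key INTEGER,
    activity_key INTEGER, hit_ts TEXT, seconds_spent INTEGER, activity_revenue REAL);
"""


def parse_line(line):
    hit = LINE_RE.match(line).groupdict()  # raises AttributeError on an unparsed line
    hit["ts"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return hit


def pseudonymous_user_key(sid):
    # Design choice: the warehouse links every contact by user, so store a hash
    # of the session id rather than the raw cookie value.
    return hashlib.sha256(sid.encode()).hexdigest()[:16]


def dim_lookup(cur, table, key_col, name_col, value):
    # table and column names are code constants here, never user input
    cur.execute(f"INSERT OR IGNORE INTO {table} ({name_col}) VALUES (?)", (value,))
    return cur.execute(f"SELECT {key_col} FROM {table} WHERE {name_col} = ?", (value,)).fetchone()[0]


def load_warehouse(log_text):
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.executescript(SCHEMA)
    hits = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda h: (h["sid"], h["ts"]))
    entry_source = {}  # session id -> external referrer that brought the user in
    for i, hit in enumerate(hits):
        nxt = hits[i + 1] if i + 1 < len(hits) and hits[i + 1]["sid"] == hit["sid"] else None
        seconds = int((nxt["ts"] - hit["ts"]).total_seconds()) if nxt else 0  # time on page
        ref = urlsplit(hit["referer"])
        if ref.netloc and ref.netloc != SITE_HOST:
            entry_source[hit["sid"]] = ref.netloc  # Web Geography: how the user got here
            parent = None
        else:
            parent = ref.path or None              # Site Geography: parent page on the site
        cur.execute("INSERT OR IGNORE INTO dim_site_geo (page, parent_page) VALUES (?, ?)",
                    (hit["path"], parent))
        site_key = cur.execute("SELECT site_geo_key FROM dim_site_geo WHERE page = ?",
                               (hit["path"],)).fetchone()[0]
        web_key = dim_lookup(cur, "dim_web_geo", "web_geo_key", "source_host",
                             entry_source.get(hit["sid"], "direct"))
        # Assumption: POSTs under /order/ are purchases; everything else is a page view.
        activity = "purchase" if hit["method"] == "POST" and hit["path"].startswith("/order/") else "page_view"
        act_key = dim_lookup(cur, "dim_activity", "activity_key", "name", activity)
        cur.execute("INSERT INTO fact_user_activity VALUES (?, ?, ?, ?, ?, ?, ?)",
                    (pseudonymous_user_key(hit["sid"]), web_key, site_key, act_key,
                     hit["ts"].isoformat(), seconds, ORDER_REVENUE if activity == "purchase" else 0.0))
    conn.commit()
    return conn


def acquisition_report(conn):
    """Sessions, purchases and revenue per entry source: the referring-site test."""
    rows = conn.execute("""
        SELECT w.source_host, COUNT(DISTINCT f.user_key),
               SUM(CASE WHEN a.name = 'purchase' THEN 1 ELSE 0 END), SUM(f.activity_revenue)
        FROM fact_user_activity f JOIN dim_web_geo w USING (web_geo_key)
        JOIN dim_activity a USING (activity_key) GROUP BY w.source_host""").fetchall()
    return {host: (sessions, purchases, revenue) for host, sessions, purchases, revenue in rows}


def seconds_per_page(conn):
    """Total seconds spent on each page in Site Geography."""
    return dict(conn.execute("""SELECT s.page, SUM(f.seconds_spent) FROM fact_user_activity f
        JOIN dim_site_geo s USING (site_geo_key) GROUP BY s.page""").fetchall())
```

Calling load_warehouse(SAMPLE_LOG) and then acquisition_report on the result shows two sessions and two purchases arriving from search.example against one session and no purchase from ads.example; seconds_per_page gives the accumulated time on each page. On the constructed lines the last hit of every session gets zero seconds, which is the usual limitation of deriving time spent from server logs alone: the warehouse cannot see when the user left.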

Problem Three: Alignment of Information Technology Vendor and E-Commerce Enterprise Business Goals E-commerce solutions have grown up in a modern, open systems technology environment. Although open systems solutions have many advantages, they can also create fundamental business goal alignment problems between information technology product vendors and the e-commerce enterprise that thwart effective e-commerce information technology solutions. As mentioned earlier, e-commerce enterprise employees have a natural, job performance-driven tendency to try to become e-commerce knowledge and management Supermen or Superwomen, attempting to orchestrate a hodge-podge of information technology vendors, including hardware, software, and services, none of whom have any real stake in the success of the e-commerce enterprise.

Although a low-cost, best-of-breed e-commerce solution integrated by in-house personnel may seem attractive, there are several pitfalls. Unfortunately, the individual suppliers of information technology have no real stake in the success of the total e-commerce solution. They care only about their piece of it, and their economic incentive is focused primarily on the initial sale, not on the long-term success of the e-commerce enterprise. The myriad of best-of-breed, point-product solution vendors creates the need for deep in-house integration expertise that is vulnerable to employee knowledge, mobility, and reorganization issues. Furthermore, long-term integration costs are borne solely by the e-commerce organization, and this becomes an increasingly burdensome issue as time progresses and the complexity of the integration grows.

A natural reaction to these problems is to outsource at least a portion of the solution to a solution integrator. Although outsourcing creates an attractive short-term management solution to the problems of an IT-led, best-of-breed e-commerce solution integration, the motivations of the outsourcer and the e-commerce enterprise are still not properly aligned. These problems surface in a number of subtle ways. In an outsourced solution, the integration vendor is the primary provider of the solution and is likely the sole source of the intellectual capital for it. Because the contracting e-commerce enterprise is relieved of much of the responsibility for creating internal solution expertise, the resulting outsourced solution is limited by the knowledge, business relationships, and integration expertise of the integration vendor. These limitations can lead to long-term solution issues that cannot be easily solved by the contracting enterprise, because the expertise required to do so is nonexistent by definition: it was outsourced. This is bad enough, but the motivations of the integration vendor are rarely aligned with e-commerce enterprise business success. Most integration contracts are based on internally focused time-and-materials pricing, which has nothing to do with e-commerce business success. Furthermore, there is an implicit "forever" term to outsourcing contracts, meaning that the e-commerce enterprise will pay for this external solution expertise forever, because it is abdicating the development of the same in-house capabilities. Coupled with the time-and-materials nature of integrator pricing, this can give the outsourcer an incentive never to solve any fundamental business problem, because doing so would only reduce its revenue. An additional worry is the practical inability to write umbrella outsourcing contracts that address all the information technology modifications required to support unanticipated changes in business conditions. In an Internet environment, a contract-induced inability to adjust rapidly to changing business conditions can be fatal to the enterprise.

Finally, these insidious issues associated with totally outsourced solutions lead to a middle ground. Although this arrangement is not without problems, it better aligns the business goals of the e-commerce enterprise and the integration solution vendor. To solve the implied "forever" term with integration vendors, the outsourcing contract must be fixed-term and nonrenewable, and it must mandate sign-off criteria and specify knowledge transfer to responsible individuals in the e-commerce information technology organization. Although this type of arrangement can still lead to higher initial solution costs and a solution limited by the knowledge of the integrator, the business drivers behind the motivations of both parties are much more aligned with the success of the e-commerce enterprise. The integration vendor takes time-limited, performance-goal-specific responsibility for a successful solution, and the resultant knowledge transfer causes the contracting e-commerce information technology organization to learn the skills required for long-term stewardship of the solution[2].

Sequent, “Business to Consumer (B2C) Electronic Commerce Information Systems,” IBM NUMA-Q, 15450 S.W. Koll Parkway, Beaverton, Oregon 97006-6063 [DM Review, 240 Regency Court, Suite 201, Brookfield, WI 53045, United States], 2003.

Summary The future direction of B2B e-commerce remains unclear. Today, it is impossible to know with clarity exactly what the ideal scenario will be for buyers, suppliers, and e-marketplaces. Will long-standing relationships be maintained, or will new value-added services offered by e-marketplaces replace them? No matter how B2B e-commerce shakes out, there are several factors that appear to be a certainty:

• Suppliers will remain competitive and empowered by implementing rich solutions that meet the new challenges and continue to add greater value and benefit in the future. Simply integrating and passing data is no longer enough.
• Buyers will continue to implement technology to improve their processes and reduce costs. In order to get the most from these systems, they will need to trade electronically with suppliers of every size and level of complexity, using the standards they have invested heavily in and worked hard to develop.
• Market makers will develop new business models and value-added services to attract buyers and sellers across vertical, regional, and other markets. Like buyers, market makers need maximum transaction volume from electronic suppliers to reach liquidity in their markets.
• Web services will become ubiquitous as technologies allow these services to be built effectively, exposed properly to customers on the Web, and discovered and invoked programmatically[1].

So, the issue becomes when and how (not if) you will e-commerce-enable your business. How much e-commerce can accelerate your e-business success is in part determined by the technology platform that you choose today and the intelligence you put behind your decisions. Finally, it may come as a great surprise, but most electronic commerce enterprises are not prepared for success. Electronic commerce enterprises climb a steep information technology ramp that must provide bulletproof continuous availability, scalability for millions of users, and sophisticated user-relationship-management clickstream data warehouses in the first months of business. Ironically, a hugely successful Web site can mean either an exploding business success or an exploding business plan, depending on how well the e-commerce enterprise plans and executes its information technology infrastructure.

Chapter 26: Summary, Conclusions, and Recommendations “Finally, let me say just this in conclusion.” —Anonymous The Internet has forever altered the business arena, creating a world in which the customer is in command and the only constant is change. To succeed in this new world of e-business requires an infrastructure that gives you maximum performance, real-time responsiveness, application flexibility, and simplified management.

Summary A short time ago, the Internet was primarily about surfing the Web and visiting cool sites. Then, people began to realize the Internet could transform the business landscape. The race was on to develop new and hybrid business models in order to compete in the dot.com or “click-and-mortar” arena. Unfortunately, as many companies found out during the last two e-tailing seasons, simply having an Internet-based business plan is not enough. Companies are discovering that customers take e-business applications just as seriously as they take traditional business applications. They demand the same level of performance and availability, and many e-businesses are finding their infrastructure isn’t ready to meet the demands of serious e-business. The question facing businesses today, therefore, is what’s going to happen to their infrastructure and their business model when those 68 million online customers become 680 million—or 6 billion? Looking ahead, what will happen when they begin accessing the Internet from wireless smart phones and PDAs, over high-speed cable modem or digital subscriber line connections[4]? Thus, this part of the chapter summarizes and explores some of the implications to both business and business computing of the continuing evolution of e-business.

The Next Generation of E-Business Follow the business news and it’s easy to be convinced that the e-business revolution isn’t complete; the fact is, the revolution has hardly started. A recent survey by Price Waterhouse Coopers and The Conference Board stated that large enterprises were moving into e-business at a much slower pace than previously expected. Nearly 78 percent of the large enterprises surveyed were not yet processing transactions online. For 83 percent of the companies, e-business was generating less than 8 percent of revenue.

Also, according to analysts at the International Data Corp., there were fewer than 600 million Web users worldwide. But, the vast untapped potential on each side of the digital marketplace is only the beginning. Also, driving change is the next-generation Internet, which provides very high bandwidth at very low cost. The result will not only be vast numbers of new users, but users who will be logging on with an array of new devices. For example, IDC estimates that mobile commerce will grow to 52 million users in 2004, creating a $54-billion channel[3]. What that means is over the next few years, you will see a marketplace that is defined by explosion and convergence: an explosion of new devices, new users, new media and transactions, and a convergence of standards to bring it all together. As a result, every business today must begin to ask some strategic questions with this continuing evolution in mind: how do you evolve your infrastructure, what are the right architectures and interfaces to build on, and what products and services do you need? The answers to these questions will define the infrastructure for the next generation of e-business.

The Next-Generation Infrastructure What will the infrastructure for serious e-business look like? The answer is that the next-generation infrastructure will be as diverse as the organizations that build it. Each company will customize its infrastructure based on its strategy and growth plans, and will depend on the continuing development of open Internet standards to ensure interoperability with trading partners and customers alike. There are, however, three key characteristics of a serious e-business infrastructure: it must provide disciplined systems management, it must be flexible enough to absorb the new technologies that are coming at us at a blinding rate, and it must be able to provide the optimized performance to handle the demands of different e-business workloads. These characteristics, in turn, define three key requirements for the servers that will form the foundation of that infrastructure. To support serious e-business, servers must provide new ways to manage end-to-end growth, risk and costs; choice in selecting, building and deploying applications; and extreme performance matched with scalability, reliability, and security.

New Ways to Manage In the changing e-business environment, no one can afford for IT staffing to grow at the same rate as the IT infrastructure. New ways must be found to control software licensing costs as well. Simpler, more effective management can play a crucial role in the critical transition of IT from a cost center to a profit center in the new world of e-business.

Choice in Applications As the next generation of e-business unfolds, value will often be determined by the ability to deliver new services customized to meet changing customer needs faster than the competition. Today, however, there is often a conflict between those responsible for ensuring quality of service and those charged with rapidly deploying new business applications. What’s required is the freedom to run any application on the server that offers the right combination of cost, performance, and growth capabilities for the job—as well as the ability to integrate critical data wherever it resides on the network.

Extreme Performance Experience has demonstrated that e-business is based on three types of tasks: the traditional data/transaction processing jobs, such as “back-office” tasks, the newer generation of “front-office” and Web-serving applications, and a variety of network management jobs. Each of these tasks calls for varying levels of performance, and each demands a server optimized for the job. In other words, one size does not fit all in an e-business infrastructure. Finally, delivering information in a way that doesn’t keep customers waiting requires much more than fast servers. It will involve a whole new level of connectivity supporting an unprecedented level of integration across the virtual enterprise so that customer-critical information is available whenever and wherever needed[4].

[4] Vacca, John R., Wireless Data Demystified, McGraw-Hill Professional, 2003.

[3] Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.

Conclusions In a business-technology environment of constant and ongoing transformation, not only do business systems need to change and evolve, but decision-making perspectives do, as well. Where once the main decision for executives seeking an e-business solution was whether to build or buy, the critical issue today is finding the fastest path to fluid integration of key business processes and enterprise business systems. In the next phase of e-business, customers want one vendor to provide all the pieces that make automated buying and selling of direct goods seamless, linking transactions to order fulfillment, manufacturing supply chains, inventory replenishment, and transportation. Customers don’t want to deal with the hassle of integrating all the disparate software pieces, costing them millions of dollars and years of work. No longer are the choices for enterprise e-business solutions limited to (1) buying more than is needed and living with a “closed” system in order to minimize surprises, time to market, and the lack of reliable support, and (2) building a system from scratch in order to achieve a custom solution, while surrendering to the variables of time and budget—with no guarantee of ultimate functionality, scalability, interoperability, or support. Today, it’s possible to find an e-business solution that offers the best of both worlds. The best “buy” provides all the functionality that’s needed to be competitive today without requiring a business to buy more than necessary. The right system for e-business now comprises:

• The right system for e-business, enabling best practices, rapid integration through fewer “moving parts” or variables, and 24-hour, 7-day customer service; this system is modular, distributed, and absolutely reliable.
• The right company for now and the long run, focused on solving business problems, with a proven record of engineering excellence, with a proven, sizable customer base and the ability to guarantee comprehensive future customization to fit unique and changing business conditions[1].

Build versus Buy As IT systems age, the Internet matures, and behemoth computing companies are left in the dust, one problem remains constant: how to find an IT solution that directly contributes to the larger mission of the enterprise—and fast. This eternal quest has been framed in different languages over the decades, but none so persistent as “build or buy?” The classic build-or-buy struggle has been ongoing for 29 years and is now expressed through three approaches:

• Development suites
• Point solutions
• Packaged solutions[1]

Development Suites Development suites allow IT departments to build whatever they need without requiring that they buy more than they need. Key challenges lie in the time and money required to build, test, and troubleshoot new systems while ensuring interoperability, scalability, and security. Furthermore, the true and total cost of the application may be difficult to calculate accurately.

Point Solutions Point solutions focus on one specific problem each. So, in order to address larger business problems for the enterprise, additional functionality must often be added by stitching together multiple point solutions and/or development suites. Meanwhile, IT departments can find themselves left alone without support for custom integrations between changing versions of software. Support from vendors is a vital consideration when mission-critical operations are on the line.

Packaged Solutions Packaged solutions seek to meet business challenges through software that addresses complete business problems. These end-to-end systems facilitate integration with existing mission-critical system investments and business-process modeling. These solutions are fully tested in real-world settings, undergo constant improvement, and are backed by 24-hour, 7-day support. Though all three of these approaches are very different and have their own advantages and disadvantages, at the center of all three are the following issues:

• Openness
• Best-of-breed
• Scalability
• Time to market[1]

This part of the chapter discusses the preceding decision points and also the fundamental importance of something even more critical to e-business success: ease of integration. In other words, it’s important to “Buy for the life of the site”—not its birth. That means bringing in tested functionality demanded by e-business customers today, while ensuring that the supporting vendor and the next generation of that system will be available (and work with other key enterprise systems) tomorrow. The fact is that “buy” no longer means “one size fits all.” A genuine solution can and should provide a number of key advantages for the organization seeking to increase its agility through e-business:

• Enterprise-ready technology
• Enterprise-worthy functionality and support
• Stable, partnership-oriented vendor[1]

Enterprise-Ready Technology Without the right foundation, no e-business system is stable. The success of a system is dependent on its ability to solve a business problem while simultaneously ensuring unrivaled scalability and performance, foolproof security, and open enterprise standards to facilitate content exchange and integration with existing business-critical applications.

Enterprise-Worthy Functionality and Support E-business waits for no one. The right system is an enterprise-grade, modular, stable, distributed, end-to-end solution that can be immediately rolled out onto the Web platform. It offers the high-quality experience customers seek, facilitates best practices, has been stringently tested, simplifies enterprise application integration, and enables facile evolution as enterprise needs change.

Stable, Partnership-Oriented Vendor Real solutions solve problems now and later. This is made possible by working with a committed vendor with a proven record of working with its customers to meet their goals. No solution is complete without full support from knowledgeable representatives that is available 24 hours a day and 7 days a week.

Open Systems: Pathway to Freedom? The open-systems issue is often the first to be addressed in the evaluation of potential e-business systems. Open standards do offer the possibility to more easily extend individual systems and combine disparate systems. However, when an open standards-based system leaves many business problems unsolved, its very openness can appear more like open air. Some leave room for a variety of options that must be carefully evaluated as to safety, security, and straightforward integration, but provide no up-front solutions. It’s also important to note that many otherwise open solutions are coupled with a specific application server. This can neutralize the advantage of being free from proprietary architectures, as any additional point solutions required will need to operate with that same application server. Development suites promise any IT group the ability to build tailored systems for each situation, thereby leaving the door open to freedom of choice in the future. However, it’s noteworthy that the organization is vulnerable to development time and expense factors that can be prohibitive when attempting to bring a finished product to market. End-to-end systems based on proven enterprise architecture are the fruit of hundreds of hours of testing, tuning, and perfecting. The practical meaning of openness for the enterprise is the ease with which a system can be extended by modifying existing objects or by adding new objects and components and integrated with external systems. Beyond simplistic issues of language and application-server choice, five key levels of extensibility exist:

1. Look and feel, ease of navigation
2. Business logic
3. Business components
4. Enterprise Application Integration (EAI)
5. Content exchange[1]

In the heat of implementation, these are the measures by which the practical openness of an approach must be judged. At the business level, key considerations in the purchase of any solution should be:

• Whether it reliably solves a business problem today
• Whether it is architected to readily integrate with existing systems
• Whether the vendor will ensure its efficacy at solving that business problem tomorrow[1]

The Reality of Plug and Play The promise of plug and play for the enterprise has been that, through an alliance with a specific application server, the enterprise will have the freedom to choose best-of-breed applications from expert vendors, with the assurance that each application will be easily installed and work cooperatively with other plug-and-play software. This ideal has not yet been realized. One of the major reasons for this underperformance is that most complex aspects of an enterprise e-business application don’t reside at the level of the application server, but rather one layer below. This lower layer includes:

• Data repository
• Data models, such as the definition of a user profile, purchase order, or product
• Business logic, such as the workflow of a shopping cart for an order-entry application[1]

Whether they’re related to enterprise resource management or to higher-level business functionality, these e-business objects are critical and complex, often 10–100 times more complex than the underlying application server. And, the standard for the technology used to program that layer has never been a matter of agreement. In reality, the application server or “plumbing” of an e-business system is the smallest system cost, yet it is often the subject of intense, unmerited focus. The real challenges of an e-business solution are:

• Ensuring that all databases are consistent
• Mapping the meanings of all data models across these objects
• Encoding a precise translation from rules and operations in real business operations to underlying business objects[1]

Meeting these challenges is absolutely vital when starting from scratch or choosing parts of solutions from vendors who use different databases and differing business logic. An end-to-end e-business application ensures a consistent underlying data repository, a common data model, and streamlined business logic.

Scalability and Performance: Practical Definitions The terms performance and scalability are often used interchangeably, when they are actually two different concepts. Both are of utmost significance for an enterprise e-business system, and the two are related. Here are their definitions:

Scalability: The ability of a system with multiple available processors to call as many of those processors into service as necessary when system load increases, as well as the ability of that system to be expanded.

Performance: The ability to effectively increase throughput as needed on a single CPU in response to increased system load[1].

Very often, those making IT buying decisions do so with a heavy emphasis on scalability and performance, and rightly so. Many times in technology-evaluation situations, the word scalability is used when performance is the real issue. It’s important to note that performance benchmarks on individual applications or on the underlying plumbing of a system are irrelevant if the overall system doesn’t scale. Furthermore, linear scalability and geometric scalability are two different things:

Linear scalability: The ability to increase system resources by adding CPUs, with each CPU adding a linear increase in capacity.

Geometric scalability: The ability of a system to increase system resources by calling upon a complex array of additional resources—typically less efficient than linear scalability.

Linear scalability is essential because, without it, the cost of hardware required to ensure scalability becomes prohibitive. Linear scalability scales in four dimensions, across:

1. Multiple threads within the same process
2. Multiple processes/CPUs within the same machine
3. Multiple machines (load balancing)
4. Multiple tiers of machines[1]

Building scalability into end-to-end solutions is much more straightforward than when dealing with systems made with a patchwork of different applications or those built from scratch.

Easing Integration and Speeding Time to Market Stated simply, integration can make or break an implementation. Backend and legacy systems in most enterprises not only represent considerable investments, but are responsible for mission-critical aspects of daily business. The difficulty of troubleshooting an integration is multiplied when numerous solutions and vendors are involved, not all of whom provide 24-hour-a-day, 7-day-a-week support. All too often, the focus turns to solving technical problems and moves away from a tightly aligned answer to the original business problem. By approaching an e-business system as a time-critical, feature-rich solution that must be flexible enough to change in the future, a vendor offers customers the real prize: faster time to market and freedom to evolve.

Considering the Total Cost of Application Anyone considering an e-business system is likely to be concerned with budgetary implications for obvious reasons. Unfortunately, it’s easy to factor in the up-front costs of tools, applications, and systems without considering the total cost of implementing an application. The total cost of an application consists of four basic elements:

1. “Plumbing” or application-server costs: typically 5% of the total
2. Scoped-out functionality: about 35% of the total cost
3. Unplanned functionality: up to 50% of the total cost
4. Integration: about 10% of the cost and a high percentage of the time[1]

All too often, as the unplanned functionality of a system increases, its performance has a correlating decrease. To address this shortcoming, some vendors suggest eliminating functionality. Although this may have been an acceptable alternative in the early days of e-business, it is no longer viable, given concerns with quality of service, customer satisfaction, and reduction of churn.

Note The combination of increasing costs to capture and accumulate new Internet subscribers and intense competition in the marketplace has made customer retention and churn minimization critical factors in the survival of service providers. Occurring when new subscribers sign up for service while others are discontinuing their use, churn poses serious challenges to a provider’s ability to turn a profit. Effective churn management stems from a provider’s ability to determine the reasons for this customer behavior. This means that information is a provider’s best defense against churn. Root cause analysis of churn also removes ambiguity in the business planning stage, and allows service providers to create products, services, and e-business practices that make their e-business more efficient and profitable.

The problem is that customers don’t have robust, interoperable software suites for end-to-end e-commerce from a single vendor, and they have to cobble together solutions from different vendors, which is a costly and slow process. In other words, technology changes too rapidly and the market is too uncertain to plan and never fully execute. A Web site is a work in progress; you are always changing and improving it. Buying a solution gives you a steady foundation from which to grow and easily adapt to changing customer demands and changing business models. Once functionality has been purged from an e-business system, it is likely to be gone forever.
Therefore, the significance of making performance and functionality prime components of an e-business system from the beginning is clear. And, that’s eminently possible with an end-to-end system designed to offer those fundamentals from the start. When an e-business solution doesn’t address these principles organically, the development process and performance tuning are unending. Additional hardware resources, development dollars, and precious time must be added to the project, affecting the organization’s ability to reach the market in a timely fashion. When all is said and done, such delays mean business must be put on hold. Finally, in the rush to establish e-business leadership, it’s critically important to focus on the real issues of end-to-end functionality, integration, and support. No longer are the choices limited to toolkits, mix-and-match systems, or “closed” packaged applications. Today’s enterprise needs an end-to-end solution fast, and it can’t accept the risks of uncertain performance, integration, or functionality in the rush to market.

[1] “Beyond ‘Build vs. Buy’: Winning at E-Business through Reliable End-to-End Integration,” © 2000 BroadVision, Inc. All rights reserved. BroadVision, Inc. 585 Broadway, Redwood City, California 94063.

Recommendations Substantial business benefits result from using the Internet for customer service. The Web is open 24 hours a day. And every time a customer finds an answer online, it eliminates the cost of a phone call or an e-mail reply. This yields significant savings and frees up operators to handle issues that really warrant their attention. Customer service on the Web, also known as e-service, is scalable, allowing companies to handle spikes in customer queries without having to temporarily add operators or phone lines. Most importantly, e-service ensures customers get answers to their questions immediately, resulting in higher levels of customer satisfaction and retention. E-service adoption by organizations has yielded many important lessons. Many benefits are gained from simply implementing the right e-service software, but even greater success is achieved by applying proven best practices. In other words, becoming a successful e-service practitioner requires more than just technology; it requires expertise. With the preceding in mind, this last part of the chapter pinpoints 15 essential best practices or recommendations for effective e-service. These field-proven best practices impact both the cost savings and increased customer satisfaction companies experience as a result of their e-service initiatives. These best practices have been organized into three categories:

• People and processes: These are project management strategies that impact the effectiveness of the e-service initiative and ensure a speedy, successful project launch and substantially enhanced long-term results.
• Site smarts: These are tips and tricks in Web site design and the presentation of answers to customer questions. These simple principles can be applied with great effect to virtually any e-service implementation.
• Software smarts: These are insights that relate specifically to getting optimum value[2].

Why E-Service? Before enumerating the top 15 best practices for e-service, it’s a good idea to review the benefits effective e-service implementations deliver.

Cost Savings E-service has been proven to consistently yield significant cost savings. There is virtually no incremental cost when a customer finds an answer on a Web site. If that customer sends an e-mail, on the other hand, it can cost several dollars for a customer service representative (CSR) to respond. A phone call can cost $20–$30 or more. Multiply that per-inquiry savings by thousands of inquiries and the savings can be quite substantial.

Customer Satisfaction E-service makes for satisfied customers. When customers have questions, they want answers fast. If they find their answer with a click or two of the mouse, they feel good. This equates to higher customer loyalty and retention. Effective e-service can have a very positive impact on e-business revenue. As customers consistently find answers online over time, their comfort level with the site and the company grows. This is a competitive advantage over companies that make them wait days for e-mail replies and put them on hold. Quality e-service instills confidence, strengthens relationships, and offers a 24 × 7 resource to customers.

Rapid Scalability E-service is useful for dealing with short-term spikes in customer inquiries—such as those occurring in seasonal businesses, during product launches, or due to a problematic event. Rather than temporarily adding staff and phone capacity, e-service allows companies to simply add relevant knowledge items to their Web sites. This eliminates much of the e-mail and call volume that might otherwise deluge the company, minimizing the cost and disruptions typically associated with such situations. This scalability is invaluable for sustaining business growth. E-service adopters have been able to support more customers with more products and services—without having to continually expand their call center capacity and/or customer service staffs (see Figure 26.1)[2].

Improved Staff Productivity E-service makes customer service staff more productive by shielding them from repetitive queries—allowing them to focus on issues that actually require personal attention. This change also tends to improve morale and reduce turnover. Plus, giving CSRs access to the e-service knowledge base ensures they have the information to give customers fast, consistent answers. With all these proven benefits, e-service best practices are clearly worth applying. By excelling at e-service, companies save money, delight customers, beat the competition, handle crises with ease, and get more value performance from their customer service staffs.

The Top 15 Proven Best Practices for E-Service The more often customers have a positive experience with a company’s e-service, the more the company experiences these diverse benefits. A primary, quantifiable goal of any e-service implementation is to maximize the percentage of customers who find answers for themselves on the company Web site. The easier and faster customers can pinpoint the information they’re looking for, the greater the resulting business rewards. Therefore, e-service best practices are focused on achieving high self-service percentages. More specifically, these best practices ensure:

• Customers use e-service knowledge items on the Web site to find answers to their questions whenever possible, rather than using e-mail or the phone
• Online knowledge items provide answers for the most common questions
• Customers can quickly and easily find the answer/knowledge item
• Knowledge items answer customers’ questions fully and effectively

These are the fundamental characteristics of any effective e-service implementation. By focusing on these characteristics, even relatively small companies save literally millions of dollars in service and support overhead while significantly improving customer satisfaction.

People and Processes The first set of e-service best practices involve people and processes. These practices are essentially project management strategies ensuring rapid time-to-benefit and optimum long-term results for e-service initiatives. Based on the experiences of organizations across all sectors, three strategies in particular have been shown to be essential in achieving maximum return on investment (ROI).

E-Service Best Practice #1: The E-Service Champion Someone has to “own” e-service. The long-term owner of an e-service implementation does not have to be the executive or manager who initiated it—although this is often the case. It must be someone who fully understands the objectives of the implementation and business needs, and supervises the application of best practices. The champion is needed beyond the launch of the project. E-service is a highly dynamic business solution. It constantly adapts to the changing needs of the company and its customers as new products and services are introduced, markets and technologies evolve, and use of the site grows. Without a champion, site content is likely to be neglected and become stale. Support across the organization for the success of the e-service initiative will fade. Eventually, this will manifest in reduced effectiveness and lower ROI. Champions provide both direction and accountability for e-service projects. That’s why the most successful first-wave adopters have (almost without exception) had very strong e-service champions leading the way.

E-Service Best Practice #2: Ensuring Cross-Department Collaboration Although strong individual leadership is essential to e-service success, it is equally critical to make sure an e-service effort is fully supported by the diverse parties-of-interest whose participation makes it work. Without this support, key e-service processes break down and undermine the timely creation of effective self-service content. These processes typically involve people from different departments. For example, whereas a customer support manager may champion e-service, someone in marketing may administer the corporate Web site itself. The Web site administrator must be involved to ensure any changes to the site help drive customers to the e-service content. These changes will be described in more detail next. Similarly, product management groups and other technicians typically generate a lot of content. It is advisable to have their buy-in on the e-service effort and prepare them to collaborate on the creation of content. Often, these groups have a variety of existing materials that can be very useful in creating content. One way to motivate groups to participate in the e-service processes is to appeal to their self-interest. For example, e-service provides valuable feedback to product managers about the problems customers encounter, which can be used to improve next-generation products or even spawn ideas for new ones. Similarly, because e-service draws customers to the Web site, it can help marketing to do online cross-selling and up-selling. Depending on the nature of the individual business, other participants may also be enlisted in the e-service effort: accounting, shipping, sales, suppliers, distributors, and so forth. Regardless of the specific participants involved, every e-service champion should determine whose help will be needed and get commitment from the beginning of the project. That way, when the time comes for them to contribute to the process, there will be no surprises and arguments.

E-Service Best Practice #3: Committing to Continuous Improvement

Because e-service technology delivers substantial benefits quickly, it is easy for organizations to become complacent about their implementations. Even an initial self-service rate of 60–70% results in rapid payback on a software investment. Many companies enter a period of complacency soon after their e-service system is up and running. As valuable as a self-service rate of 60–70% may be, a rate of 85–95% is even better. And, those rates are achievable for companies. E-service, by its nature, provides the feedback necessary to “tweak” implementations to increase the effectiveness of content and site navigation. By taking advantage of these built-in feedback mechanisms (which range from customers’ own comments about content to site traffic statistics), diligent e-service managers can increase ROI by 200% and more.

Site Smarts

In addition to the preceding management considerations, e-service implementers significantly boost their ROI by employing straightforward best practices regarding site design and navigation. These simple suggestions radically improve self-service rates and ensure as many customers as possible use e-service content. As intuitively obvious as many of these best practices may seem, they are often overlooked by e-service users. Based on empirical evidence from thousands of active e-service sites, the top seven best practices for e-service site design and navigation follow.

E-Service Best Practice #4: Help Is Just a Click Away

The faster customers get to helpful knowledge items, the better. The optimum solution is to clearly identify links on the home page (which can be labeled “Customer Service,” “Need help?” or something similar) that lead directly to a list of top ten answers. By contrast, a surprising number of early e-service implementers made the mistake of nesting e-service content within other areas of the site. As a result, customers sent e-mails or made phone calls to CSRs without realizing they could have found the answers to their questions themselves. Another common mistake is forcing the customer to navigate through one or more layers of knowledge categories before finding actual answers. This may seem like an intelligent way to manage the navigation process, but it tends to be counterproductive. Users need to see answers right away. Because the bulk of their needs can be addressed with a relatively small number of knowledge items, it’s best to present those knowledge items to them as quickly as possible.

If it turns out that those knowledge items aren’t what they’re looking for, they can then continue searching. Plus, now that they see what the knowledge items on the site look like, they proceed with their search with more confidence.

E-Service Best Practice #5: Customers See Content Before Phone Numbers or E-mail

Many Web site managers consider it a given that the company’s toll-free number is displayed prominently on the site—sometimes on every page. Conventional site designers tend to put a “Contact us” link on the home page and everywhere else. But, successful e-service practitioners have found this to be counterproductive. If you give customers a phone number or an e-mail link to use, then they assume this is your preferred contact method. As a result, e-service content is ignored or never even browsed. An alternative approach proven to be more effective for both customer service teams and the customers themselves is to provide support phone numbers and/or an e-mail form after they have viewed at least one knowledge item from the e-service system. As soon as they enter the e-service area, they then have ready access to phone or e-mail support—but not before. This approach is not customer-unfriendly in any way. Customers like knowing a site has lots of useful content. But, they have to be directed to that content at least once to experience its benefits. Once they have that first positive experience, they’re hooked. And, by habituating customers to using the Web site as a self-help resource, e-service adopters can reduce their service and support costs. On the other hand, some Web site managers don’t display any type of contact information, and simply do not want to be contacted at all. It makes one wonder why they’re advertising in the first place or why the page even exists. This can be quite irritating and very annoying to prospective customers. In fact, there are some Web pages that do have an e-mail contact link, but when you try to send an e-mail, it bounces back as undeliverable. Or, to make matters worse, there are Web sites that don’t respond to any e-mail contact at all, no matter how many times you send a message or inquiry. The ISPs that sponsor these types of sites should simply just drop them from their customer list and sever the link. Their existence is not doing anyone any favors.

E-Service Best Practice #6: Everything Customers Need Can Be Found in E-Service

Many companies have an abundance of useful information on their site, but it’s scattered across various areas. Product information is in one place, shipping information is in another, return policies are somewhere else. Often, there is a good reason for this information to be in these different places. Implementing e-service doesn’t mean removing this information or completely redesigning the corporate Web site.

It is important to make sure this information can be found within the e-service area. Once a customer enters the e-service area looking for assistance, they should not have to leave it and look elsewhere to find what they need. For example, a leading sporting goods manufacturer had an excellent product selection tool in the sales area of its site. As good as it was, it turned out that many customers didn’t use it and instead called the company’s CSRs to get walked through the selection process. After the company started its e-service initiative, it made the very same tool available in its e-service section—as the answer to the question “Which item is right for me?” Remarkably, use of the tool rose dramatically—and phone calls dropped. That’s because customers found the tool during their quest for help, rather than during a less directed browsing of the site. It’s worthwhile to look at the information on the company site as a whole and evaluate whether any of it could also be used as an answer to a FAQ. This simple repurposing of existing content can substantially improve customer satisfaction and self-service rates.

E-Service Best Practice #7: Get Visual and Interactive

Well-written text can be very helpful, but often something more is required to answer a customer’s question. The interactive product specification tool previously mentioned is a prime example. Customers can choose from a list of various parameters and, at the end, are given the exact model that applies to their needs—with a hyperlink that leads them right to the appropriate Web page. Many companies selling technical products offer schematics or diagrams, some allowing customers to click their way through a given procedure or repair. Several companies are adding streaming video to their e-service content. In many cases, the necessary visual content may already exist in the form of online manuals or computer-based training. The trick is to get that content from its current location onto the e-service site, and to make it available as an answer to the appropriate question. In other cases, it may be worthwhile to develop the necessary content expressly for e-service purposes. The cost of doing so is often minimal and can be justified by looking at the number of phone and e-mail support incidents generated by the issue.

E-Service Best Practice #8: More Links in More Places

Customers don’t always begin their visit to a Web site looking for help. Sometimes, they start by browsing or merely shopping and then encounter an issue that creates a question in their minds. Often, this question may have to do with a feature or process on the site itself. That’s why it’s often wise to put additional prominent links back to the site’s e-service content area in many places.

In fact, many of the most successful e-service implementers keep a prominent link to their e-service content in a consistent place throughout the site. This reminds customers the e-service content is available and it includes material that is relevant to any topic they may have questions about. By reinforcing this message with a consistent visual cue, customers can be conditioned to use e-service with greater frequency, rather than calling or e-mailing. Habits are hard to break, so it’s important to be consistent in pointing out that help can be found online.

E-Service Best Practice #9: Tell Your Customers About It

A large percentage of customers are in front of their PCs when on the phone. So, it’s a good idea to put a suggestion about using e-service on call center “hold” messages. That way, users can take action as they wait for a CSR to get free. In many cases, they can solve their problem while they’re on hold. CSRs can reinforce the e-service message if they realize during the call the question could have been answered online. By politely showing the customer where to find the answer, the CSR encourages the customer to try the Web next time.

E-Service Best Practice #10: Always Provide a Way Out

Although it’s critical to not present phone or e-mail channels before customers check online content, the converse is also true. After a customer responds to the invitation to examine the e-service resource, he or she must not feel trapped in a dead end. This creates a disincentive to try e-service again. So, immediate contact with a CSR (whether by phone, e-mail, or real-time chat) must always be available as an option within the e-service system.

Software Smarts

In addition to project management and site implementation, the most crucial and effective e-service best practices relate to the use of features and functionality available in a company’s e-service software-of-choice. The configuration of basic system capabilities makes a dramatic difference in the percentage of customers successfully solving their problems online.

E-Service Best Practice #11: Auto Suggest Answers to E-Mails Before They’re Sent

Customers often launch an e-mail from a Web site without realizing the answer to their question is just a click away. Users can avoid responding to these e-mails manually by having their software scan e-mail text and automatically suggest relevant knowledge items to the customer. This eliminates the delay that occurs if the e-mail was sent and replied to later. It also teaches customers that answers to their questions can be found on the site, encouraging them to find their own answers on subsequent site visits.

E-Service Best Practice #12: Take Advantage of Reports and Other Feedback

The most successful RightNow users take advantage of the software’s reporting functions to continually improve their e-service content[2]. A prime example of this is the Keyword Search report, which shows the search terms customers use most frequently. If there’s a commonly used search term in the report and no corresponding e-service knowledge items, then something is amiss. Savvy e-service managers respond to such situations by developing and/or reorganizing knowledge items to address the search terms customers are entering.
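Both the auto-suggest step of Best Practice #11 and the keyword-gap check of Best Practice #12 come down to the same operation: matching customer-supplied text against the knowledge base. The Python below is an added example written for this chapter, not RightNow’s software or the authors’ code. The knowledge items, stop-word list, search log and term-overlap scoring are all constructed assumptions; a production system would use its own search engine, but the two uses of the match are the same.

```python
"""Keyword-overlap matching of customer text against a small self-service
knowledge base, used two ways: suggesting knowledge items for an e-mail
before it is sent (Best Practice #11) and flagging frequent search terms
that match nothing (Best Practice #12).  Added example; the knowledge
items, stop words and search log below are constructed for illustration."""
import re
from collections import Counter

# Constructed knowledge base: id -> (question title, answer text).
KNOWLEDGE_ITEMS = {
    "KB-1": ("How do I track my order?",
             "Open Order Status and enter the order number from your receipt."),
    "KB-2": ("What is your return policy?",
             "Returns are accepted within 30 days with the original receipt."),
    "KB-3": ("Which item is right for me?",
             "Use the product selector to choose by size, budget and intended use."),
}

# Constructed search log, as the Keyword Search report would summarise it.
SEARCH_LOG = ["return policy", "track order", "warranty", "Warranty",
              "warranty ", "track order", "size chart"]

STOP_WORDS = {"a", "an", "the", "i", "my", "is", "it", "to", "do", "of", "and",
              "for", "can", "you", "how", "what", "me", "in", "on"}


def tokens(text):
    """Lower-case word tokens minus stop words; a trailing 's' is stripped
    from longer words so 'returns' and 'return' compare equal."""
    out = set()
    for word in re.findall(r"[a-z0-9]+", text.lower()):
        if word in STOP_WORDS:
            continue
        out.add(word[:-1] if len(word) > 3 and word.endswith("s") else word)
    return out


def score(query_tokens, item_id):
    """Number of query terms that also occur in the knowledge item."""
    title, body = KNOWLEDGE_ITEMS[item_id]
    return len(query_tokens & tokens(title + " " + body))


def suggest_answers(email_text, limit=3):
    """Best Practice #11: rank knowledge items by overlap with the draft e-mail
    and return the ids worth showing the customer before the mail is sent."""
    query = tokens(email_text)
    ranked = sorted(((score(query, kid), kid) for kid in KNOWLEDGE_ITEMS),
                    reverse=True)
    return [kid for s, kid in ranked[:limit] if s > 0]


def keyword_gap_report(search_log, min_count=2):
    """Best Practice #12: search terms used at least min_count times that
    match no knowledge item at all, most frequent first."""
    counts = Counter(entry.strip().lower() for entry in search_log)
    gaps = []
    for term, n in counts.most_common():
        if n < min_count:
            continue
        if not suggest_answers(term, limit=1):
            gaps.append((term, n))
    return gaps


if __name__ == "__main__":
    print(suggest_answers("I want to return my order, what is the policy?"))
    print(keyword_gap_report(SEARCH_LOG))
```

On the constructed data the draft e-mail about a return is matched to the return-policy item first and the order-tracking item second, while the gap report singles out “warranty”, searched three times with nothing to show for it: exactly the signal the text says should prompt a new knowledge item.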

E-Service Best Practice #13: Activate Appropriate Escalation/Workflow Rules

If responding to e-mails within 24 hours is a primary objective, for example, then workflow rules can be used to alert managers to events that remain unanswered after 18 hours. Workflow tools can route e-mails containing specific terms to assigned subject-matter experts—eliminating the delays and confusion arising from manual routing. These rules can serve other purposes as well. For example, if a certain e-mail subject line characterizes a new breed of computer virus, then e-mails fitting the profile can be automatically deleted. A reply to the e-mail can also be automatically sent, informing the sender of what happened and suggesting that they check their e-mail system for infection.
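The escalation, routing and virus-profile rules described above, as an added Python example that is not RightNow’s software or the authors’ code. The 18-hour alert and 24-hour response target come from the text; the incident records, expert queues, routing terms and the subject-line pattern are constructed. One caveat a practitioner would add to the last rule: worm mail routinely forges the sender address, so the “what happened” reply is only sent when the mail gateway authenticated the sender, otherwise it would land in an uninvolved third party’s mailbox.

```python
"""Rule-driven e-mail workflow for a support queue: escalate incidents that
stay unanswered past a threshold, route by subject-matter terms, and drop
messages whose subject matches a known virus profile.  Added example; the
incidents, queues, routing terms and subject pattern are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RESPONSE_TARGET = timedelta(hours=24)   # the objective named in the text
ESCALATE_AFTER = timedelta(hours=18)    # alert managers before the target is missed

# Constructed routing table: term in subject/body -> subject-matter expert queue.
ROUTING_TERMS = {
    "refund": "billing-experts",
    "firmware": "hardware-experts",
    "password": "account-experts",
}

# Constructed profile of a virus outbreak's subject line.  A real pattern
# comes from the mail-security team's advisory, not from guesswork.
VIRUS_SUBJECT = re.compile(r"^\s*re:\s*your\s+document\s*$", re.IGNORECASE)


@dataclass
class Incident:
    id: str
    sender: str
    subject: str
    body: str
    received: datetime
    answered: bool = False
    sender_authenticated: bool = False  # e.g. the gateway verified the sender


def apply_rules(incident, now):
    """Return the workflow actions the rules produce for one incident."""
    actions = []
    # Rule 1: subject matches the virus profile -> delete.  Notify the sender
    # only when the address was authenticated, since such mail forges From.
    if VIRUS_SUBJECT.match(incident.subject):
        actions.append(("delete", incident.id))
        if incident.sender_authenticated:
            actions.append(("notify_sender", incident.sender))
        return actions
    # Rule 2: route to the subject-matter expert queue for the first term found.
    text = (incident.subject + " " + incident.body).lower()
    for term, queue in ROUTING_TERMS.items():
        if term in text:
            actions.append(("route", queue))
            break
    # Rule 3: age-based escalation for anything still unanswered.
    age = now - incident.received
    if not incident.answered:
        if age >= RESPONSE_TARGET:
            actions.append(("target_missed", incident.id))
        elif age >= ESCALATE_AFTER:
            actions.append(("alert_manager", incident.id))
    return actions


def run_queue(incidents, now):
    """Apply the rules to every incident; returns id -> list of actions."""
    return {inc.id: apply_rules(inc, now) for inc in incidents}


# Constructed queue snapshot, all times relative to a fixed "now".
NOW = datetime(2003, 5, 1, 12, 0)
INCIDENTS = [
    Incident("INC-1", "alice@example.com", "Refund for order 1234",
             "I would like a refund for my order.", NOW - timedelta(hours=19)),
    Incident("INC-2", "bob@example.com", "Firmware question",
             "Which firmware version do I need?", NOW - timedelta(hours=2)),
    Incident("INC-3", "someone@example.net", "Re: Your document",
             "See attached.", NOW - timedelta(hours=1)),
    Incident("INC-4", "carol@example.com", "General feedback",
             "Nice site.", NOW - timedelta(hours=30), answered=True),
    Incident("INC-5", "dave@example.com", "Password reset not working",
             "I cannot reset my password.", NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    for inc_id, actions in run_queue(INCIDENTS, NOW).items():
        print(inc_id, actions)
```

Actions are returned as data rather than executed, which is how a practitioner would want it: the same rule set can be dry-run against yesterday’s queue to check that a new virus pattern deletes only what it should before it is switched on.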

E-Service Best Practice #14: Use Emotional Indicators to Spot Crisis Customers

Using emotional indicators to spot crisis customers is a special case of the previously mentioned routing technique. Many times, customer service teams score more points with the customer by rescuing a bad situation than they do when they take care of a more mundane issue.

Getting Started

E-service isn’t just a technology. It’s a strategic activity for any company selling in a competitive marketplace. Also, e-service best practices are as important for achieving customer delight and reducing operating expenses as e-service software. The combination of e-service best practices with a proven software platform delivers a remarkable solution for achieving rapid business results. These best practices include:

1. Have a “Champion” lead the corporate e-service effort.
2. Ensure buy-in for essential collaboration across multiple departments.
3. Commit to continuous improvement of content and processes.
4. Make sure customers can get to e-service content with a single mouse click.
5. Direct customers to e-service content before giving them phone number or e-mail links.
6. Make useful information on the site available from within the e-service area.
7. Use graphical and/or interactive material wherever possible.
8. Add as many links across the entire site as necessary to e-service content.
9. Promote e-service on “hold” messages and during phone conversations.
10. Always provide the ability to speak or chat with a live operator.
11. Autosuggest answers to customer e-mail inquiries before they’re sent to CSRs.
12. Take full advantage of built-in reports and other feedback.
13. Activate appropriate escalation/workflow rules.
14. Use emotional response indicators to respond quickly to customer crises[2].

There is, of course, one more critical best practice on which all of these other practices depend:

E-Service Best Practice #15: Get Started Now and Enhance Implementation Over Time

The most successful e-service practitioners aren’t those who wait until they’ve developed a perfect system to launch it. They start with “seed” knowledge items and base functionality and expand from there. Almost without exception, e-service winners have started with limited content and a simple set of e-service functions. What ultimately makes them winners is that they get started sooner rather than later, and then continuously refine their e-service implementation to incorporate the preceding best practices. By taking this incremental approach, they begin to experience the benefits of e-service immediately and then expand those benefits over time. Finally, e-service has proven to offer tremendous bottom-line benefits to companies in virtually every market segment. E-service best practices are critical to achieving those benefits. But, no one gets from here to there without taking the first step. In other words, that first step is the most important best practice of all.

[2] “The Insider’s Guide to e-service Best Practices: 15 Best Practices Smart Companies Use to Maximize the Business Benefits of Customer Service on the Web,” RightNow® Technologies, Inc., ©2002, RightNow Technologies, Inc., 40 Enterprise Blvd., Bozeman, MT 59718-9300, 2003.
