The e-commerce business is all about making money and finding ways to make more money. It's hard to make (more) money when consumers don't feel safe executing a transaction on your Web site. That's where SSL (Secure Sockets Layer) comes into play. Understanding how SSL affects e-commerce business can also potentially help you to unlock (more) money from your customers.

What is SSL?

Since its introduction in 1994, SSL has been the de facto standard for e-commerce transaction security and is likely to remain so into the future. SSL is all about encryption. SSL encrypts data, like credit card numbers (as well as other personally identifiable information), which prevents the "bad guys" from stealing your information for malicious intent. You know that you're on an SSL-protected page when the address begins with "https" and there is a padlock icon at the bottom of the page (and, in the case of Mozilla Firefox, in the address bar as well). Your browser encrypts the data and sends it to the receiving Web site using either 40-bit or 128-bit encryption. Your browser alone cannot secure the whole transaction, and that's why it's incumbent upon e-commerce site builders to do their part.

SSL Certificates

At the other end of the equation, and of greatest importance to e-commerce site builders, is the SSL certificate. The SSL certificate sits on a secure server and is used to encrypt the data as well as to identify the site. The SSL certificate helps to prove that the site belongs to who it says it belongs to. It contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority who issued the certificate, the root, and the country it was issued in. SSL certificates come in 40-bit and 128-bit varieties, though 40-bit encryption has been hacked. As such, you definitely should be looking at getting a 128-bit certificate.

Though there is a wide variety of ways in which you could potentially acquire a 128-bit certificate, there is one key element that is often overlooked in order for full two-way 128-bit encryption to occur. According to Chad Kinzelberg, VP Security Services at SSL certificate vendor VeriSign, in order to have 128-bit encryption you need a certificate that has SGC (server grade cryptography) capabilities.

How to Get an SSL Certificate the Wrong Way

There are two principal ways of getting an SSL certificate: you can either buy one from a certificate vendor or you can "self-sign" your own certificate. That is, using any number of different tools (both open source and proprietary), you can actually sign your own SSL certificate and save the time and expense of going through a certificate vendor. Though, technically speaking, the data may be encrypted, there is still a fundamental problem with self-signing that defeats part of the purpose of having an SSL certificate in the first place.

"The problem is 'how does the rest of the ecosystem know the site is legitimate?'" explained VeriSign's Kinzelberg. "Self-signing a certificate is like issuing yourself a driver's license. Roads are safer because governments issue licenses."

"We're making sure that the roads are safe. This is the role of the certificate authorities. Certificate authorities make sure the site is legitimate," he added.

Self-signed certificates will trigger a warning window in most browser configurations indicating that the certificate was not recognized. VeriSign's Kinzelberg admits that a lot of people will click through anyway, just as a lot of people will click through an expired SSL certificate.

"We, as an industry, want to educate people that that's the kind of thing they should not be doing. It's not safe e-commerce activity," Kinzelberg said.

A site that conveys trust is also more likely to be a site that makes (more) money. There is research that suggests that having a recognizable SSL certificate may in fact have a direct correlation to increased e-commerce sales. VeriSign in particular has done research showing that users who visit sites with a recognizable trust mark (like the VeriSign Secure Site seal) are more comfortable shopping on those sites, abandon fewer shopping carts, and make more repeat purchases. Joan Lockhart, VP of Marketing at SSL certificate vendor GeoTrust, argues that the price of an SSL certificate, from the least expensive provider to the most expensive, is a minuscule cost in the overall scheme of e-commerce.
"The margin on a single transaction could pay for the cost of a certificate, so it's not really about ROI," Lockhart said. "It's about conveying trust to your consumers."

Choosing an SSL Certificate Vendor

According to GeoTrust's Lockhart, there are several things that buyers should look for when purchasing a certificate:

- Reputation and credibility of the CA (Have they been in business for a while? Do they have lots of customers?)
- Ubiquity of the root (Is it embedded in all of the popular browsers?)
- Root is owned by the CA (and not chained to someone else's root)
- Lifecycle management tools (How easy is it to install, renew, reinstall, and revoke if compromised, etc.?)
- Ease of acquiring the certificate
- Who is doing the vetting (Is it the CA itself, or, in the case of some resellers, do they delegate this to their resellers?)
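As an added example (not part of the original article and not any vendor's code), the Go program below shows mechanically what a browser does when it chooses between the padlock and the "certificate not recognized" warning described in the self-signing section, and why the checklist's "ubiquity of the root" point matters: it builds a small PKI in memory (a root CA, an issuing CA chained to it, and a server certificate), verifies the server certificate against the root, and then verifies a self-signed certificate for the same host name. Everything in it is constructed for the demonstration: the CA names, the host name shop.example, and the ECDSA keys generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key; ECDSA keeps the example quick to run.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate for a CA or for a server (leaf).
func template(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the signer's key; when parent == tmpl the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verify is the check a browser performs: can a chain be built from the leaf, through any
// intermediates the server sent, to a root the client already trusts, and does the name match?
func verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Result holds the two outcomes: nil for the CA-issued chain, an
// x509.UnknownAuthorityError (the browser's "not recognized" warning) for the self-signed one.
type Result struct{ CAIssuedErr, SelfSignedErr error }

// RunScenario builds a toy PKI (root CA -> issuing CA -> server) plus a
// self-signed server certificate, then verifies both against the root only.
func RunScenario() Result {
	rootKey, issuingKey, siteKey := newKey(), newKey(), newKey()
	const host = "shop.example" // constructed host name

	rootTmpl := template("Example Root CA", 1, true, nil)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issuing := issue(template("Example Issuing CA", 2, true, nil), root, &issuingKey.PublicKey, rootKey)
	site := issue(template(host, 3, false, []string{host}), issuing, &siteKey.PublicKey, issuingKey)

	selfTmpl := template(host, 4, false, []string{host})
	selfSigned := issue(selfTmpl, selfTmpl, &siteKey.PublicKey, siteKey)

	return Result{
		CAIssuedErr:   verify(site, []*x509.Certificate{issuing}, []*x509.Certificate{root}, host),
		SelfSignedErr: verify(selfSigned, nil, []*x509.Certificate{root}, host),
	}
}

func main() {
	r := RunScenario()
	var unknown x509.UnknownAuthorityError
	fmt.Println("CA-issued chain error:", r.CAIssuedErr)
	fmt.Println("self-signed rejected as unknown authority:", errors.As(r.SelfSignedErr, &unknown))
}
```

The CA-issued chain verifies only because its root sits in the client's trust pool; a certificate chained to a root that browsers do not ship fails in exactly the same way as the self-signed one, which is the practical content of the "ubiquity of the root" and "root owned by the CA" items above. Run it with `go run` to see both results.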
SECURE ELECTRONIC TRANSACTION

WEB SITE: http://lecture-notes-forstudents.blogspot.com/2011/07/set-secure-electronictransactions.html

When it comes to e-commerce, the first thing that comes to mind is security. Industry experts have put a great deal of effort into addressing this concern, and SET was one such endeavor. Secure Electronic Transaction (SET) is a standard protocol that is used for securing credit card transactions over insecure networks. With the increase in security concerns over the Internet, SET has emerged as a popular protocol for addressing transactions over the Internet. Please note clearly: SET itself is not a payment system. It is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion. SET, developed by VISA and MasterCard (the credit card leaders), is based on X.509 certificates with several extensions. [Just FYI: X.509 is an ITU-T standard for a public key infrastructure (PKI). Among other things, it specifies standard formats for public key certificates and attribute certificates.]

SET features

SET has been developed with the following features:
- Maintains confidentiality of information: information is provided only to the intended recipient.
- Takes care of the integrity of data.
- Employs a particular subset of the protocol for carrying out cardholder account authentication.
- Employs a particular subset of the protocol for carrying out merchant authentication.
Understanding the SET Protocol

SET itself is a family of protocols. The major ones are used for important tasks such as cardholder registration, merchant registration, purchase request, payment authorization, and payment capture. Apart from these major ones there are many minor protocols that are used for tasks like error handling. SET is more complicated than its counterparts such as SSL, and because of this complexity the protocol is hardly used. However, it contains many features of interest, such as:

- The model is different from the others. In the registration protocols, the applicant does not need to possess any digital proof of his identity. He just needs to authenticate himself by filing a simple registration form. Authentication is done outside this protocol, when the cardholder's bank examines the completed form.
- An important innovation introduced in SET is the dual signature. Like an electronic signature, a dual signature is used to guarantee the authentication and integrity of data. A dual signature links two messages that are intended for two different recipients. A customer needs to send the order information (OI) to the concerned merchant and the payment information (PI) to the corresponding bank. Through the dual signature each recipient gets to know only the information he requires, rather than any other information of the sender. E.g., the merchant does not need to get the customer's credit card details, whereas the bank does not need to know the details of the customer's order. However, a link is needed so that the customer can prove that the payment is intended for this order.

SET also uses several types of digital envelopes. A digital envelope can be understood as an encrypted message that uses both secret key and public key cryptography. The secret key is used for encrypting and decrypting the message, whereas the public key method is meant for sending the secret key to the other party. A digital envelope includes two parts:

1. One part is encrypted using a public key; it contains a fresh symmetric key K and identifying information.
2. The other part is encrypted using K; it conveys the full message text.

SET employs cryptographic techniques to provide security during an online transaction. Digital certificates and public key cryptography are commonly used to allow parties to authenticate each other and to exchange information in a secure manner. You must be curious to know how SET works.
How it works!

As we all know, people today pay for online purchases by usually sending their credit card details to the merchant. There are protocols such as SSL or TLS that keep the sender's credit card details safe from eavesdroppers; however, they are not able to protect merchants from dishonest customers or vice versa. SET has been developed keeping in mind the limitations of existing protocols. SET requires both cardholders and merchants to register before they engage in any transactions. Any cardholder can register by contacting a certificate authority. He needs to supply security details and the public half of his proposed signature key to the certificate authority. During the registration the authorities verify the applicant. After verification and approval, the authority provides the applicant with a certificate that confirms that his signature key is valid. All orders and confirmations carry a digital signature. This is used to provide authentication in case of any dispute between the parties.

Major participants in a SET system are:

- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority

Understanding a SET Transaction

Following is the sequence of events that are required for a transaction:

1. The customer obtains a credit card account with a bank which supports electronic payment and SET.
2. The customer receives an X.509v3 digital certificate which is duly signed by the bank.
3. Merchants have their own certificates.
4. The customer places an order with the merchant.
5. The merchant sends a copy of its certificate so that the customer can verify that the store is valid.
6. The order and payment are sent between the two parties.
7. The merchant then requests payment authorization.
8. The merchant confirms the order.
9. The merchant ships the goods or provides the appropriate service to the customer.
10. The merchant requests payment.

Key Role Players in a SET Transaction

A SET purchase involves three parties:

1. The cardholder (the one who has to pay)
2. The merchant
3. The payment gateway (essentially a bank)

The cardholder needs to share information with the other two parties as follows: the cardholder shares the order information with the merchant, and does not need to provide this information to the payment gateway. The cardholder shares the payment information with the payment gateway and not with the merchant. A dual signature is used to accomplish this partial sharing of information among the parties. It allows all parties to confirm that they are handling the same transaction. This is done as follows: each party receives the hash of the withheld information. The cardholder signs the hashes of the order information as well as the payment information. Once the cardholder signs both hashes, each party verifies and confirms that the hash it possesses agrees with the hash signed by the cardholder. Further, the cardholder and merchant compute equivalent hashes which the payment gateway compares; after comparing them, the payment gateway confirms their agreement on the details withheld from it.
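The dual signature and the digital envelope described above, as an added example that is not part of the original notes and not code from the SET specification: the Go program below has a cardholder sign H(H(PI) || H(OI)), seals PI in a two-part digital envelope addressed to the payment gateway, and then lets the merchant (holding OI and only the hash of PI) and the gateway (holding PI and only the hash of OI) verify the same signature; it also shows that a substituted order fails the merchant's check. The OI and PI strings, the 2048-bit RSA keys generated at run time, and the algorithm choices (AES-256-GCM for the body, RSA-OAEP for the key, PKCS#1 v1.5 for the signature) are assumptions of this example, not SET's own primitives.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// digest is SHA-256 over the concatenation of its parts.
func digest(parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// DualSign: the cardholder signs H(H(PI) || H(OI)), binding order to payment in one signature.
func DualSign(card *rsa.PrivateKey, pi, oi []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, card, crypto.SHA256, digest(digest(pi), digest(oi)))
}

// VerifyDual checks the dual signature from both digests (one computed locally, one received).
func VerifyDual(cardPub *rsa.PublicKey, pimd, oimd, ds []byte) bool {
	return rsa.VerifyPKCS1v15(cardPub, crypto.SHA256, digest(pimd, oimd), ds) == nil
}

// Envelope is the two-part digital envelope: fresh key K wrapped with the recipient's
// public key (RSA-OAEP), and the message body encrypted under K (AES-256-GCM).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// must is a demo shortcut for steps that cannot fail with well-formed input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds AES-256-GCM for a 32-byte key; both constructors only reject bad sizes.
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal wraps msg for the holder of the private key matching `to`.
func Seal(to *rsa.PublicKey, msg []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // fresh K (32 bytes) followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm(key).Seal(nil, nonce, msg, nil)}, nil
}

// Open is the recipient's side: unwrap K with the private key, then decrypt the body.
func Open(me *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, me, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("envelope: wrapped key is not an AES-256 key")
	}
	return gcm(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Outcome records what each party could verify and what the gateway could read.
type Outcome struct {
	MerchantOK, GatewayOK, ForgedOrderOK bool
	GatewayReadsPI                       string
}

// RunPurchase walks one purchase with constructed OI/PI values and fresh demo keys.
func RunPurchase() Outcome {
	card := must(rsa.GenerateKey(rand.Reader, 2048))    // cardholder's signature key
	gateway := must(rsa.GenerateKey(rand.Reader, 2048)) // payment gateway's envelope key
	oi := []byte("order=1001;item=textbook;amount=42.00")       // constructed OI
	pi := []byte("pan=0000000000000000;exp=12/29;amount=42.00") // constructed PI
	ds := must(DualSign(card, pi, oi))
	pimd, oimd := digest(pi), digest(oi)       // each party is handed only the digest of the other message
	env := must(Seal(&gateway.PublicKey, pi)) // PI rides through the merchant sealed for the gateway
	// Merchant: holds OI, pimd, ds and the sealed PI; verifies without ever seeing card data.
	merchantOK := VerifyDual(&card.PublicKey, pimd, digest(oi), ds)
	forged := []byte("order=1001;item=textbook;amount=420.00") // a substituted order does not verify
	forgedOK := VerifyDual(&card.PublicKey, pimd, digest(forged), ds)
	// Gateway: opens the envelope and verifies with oimd only; it never learns what was bought.
	gotPI := must(Open(gateway, env))
	gatewayOK := VerifyDual(&card.PublicKey, digest(gotPI), oimd, ds)
	return Outcome{merchantOK, gatewayOK, forgedOK, string(gotPI)}
}

func main() {
	fmt.Printf("%+v\n", RunPurchase())
}
```

The point to notice is that MerchantOK and GatewayOK are both true from the same signature even though neither party ever holds the other's message, while ForgedOrderOK is false: the signature covers H(OI), so the merchant cannot alter the order and still present a valid link to the payment, which is the dispute-resolution property the notes describe.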