The document summarizes the state of eCommerce in 1999 and discusses various challenges and trends. It covers topics like choosing an eCommerce payment provider, authentication alternatives to SSL/credit cards like digital wallets, and the future of technologies like SET. Key points discussed include the lack of integration among eCommerce software suites, difficulties implementing public key infrastructure for payments, and how digital wallets and new authentication methods need widespread adoption to be truly useful.
Tisc99keynote
1. The State of eCommerce
David Strom
david@strom.com
(516) 944-3407
TISC Boston 11/12/1999
2. Consider the shopper
• Can’t find your store
• Can’t find the right product
• Can’t determine prices and shipping ahead
of time
• Can’t pay easily
• Can’t get decent service and support
3. Consider the developer
• Poor quality of tools to build storefronts
• Need to integrate several products for any
solution
• Have to deal with credit card snooping
perceptions
• And still have to satisfy customers!
4. It is a wonder anyone can buy
anything on the web!
• BMW with page not found error
• Gap missing any search function
• Netmar payment screen confusing
• Singapore jewelry directory outdated
5. Rent, buy, or build your store
• Rent: outsource to a CSP
• Buy suite of software
• Build it yourself
6. The cold hard reality of suites
• Suites are nothing more than collection of
products
• Lack integration among various elements
• Difficult to setup, customize, and use
• Require you to live “inside” their structure
• Limited payment options
• Sounds like early MS Office
7. Trends
• Suites will get better, but no one will really
care
• Rental options will continue to get cheaper
and more functional
• Web/database integration still difficult
problem that suites are ignoring
• Backoffice integration still difficult problem
but getting better
9. SSL vs. SET
SSL
• Server authentication
– Merchant certificate as legitimate business
• Possible for client authentication
– Not tied to payment method
• Privacy
– Encrypted message to merchant includes account number
• Integrity
– Message authenticity check
SET
• Server authentication
– Merchant certificate tied to accept payment brands
• Customer authentication
– Digital certificate tied to certain payment method
• Privacy
– Encrypted message does not pass account number to merchant
• Integrity
– Hash/message envelope
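The SET privacy point above (the merchant never receives the account number) rests on SET's dual signature, which the slide does not name. The sketch below is an added example, not part of the original deck: it goes beyond the slide to show the digest linkage, uses a constructed toy RSA key without padding in place of a real certificate key, and omits encrypting the payment data to the gateway; all function names and sample values are hypothetical.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example only; far too small and unpadded for any real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _as_int(d: bytes) -> int:
    # Reduce the digest into the toy modulus (assumption of this sketch).
    return int.from_bytes(d, "big") % N


def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder: sign H(H(PI) || H(OI)), binding order and payment together."""
    linked = digest(digest(payment_info) + digest(order_info))
    return pow(_as_int(linked), D, N)


def merchant_verify(order_info: bytes, pi_digest: bytes, sig: int) -> bool:
    """Merchant holds the order plus only a digest of the payment data."""
    linked = digest(pi_digest + digest(order_info))
    return pow(sig, E, N) == _as_int(linked)


def gateway_verify(payment_info: bytes, oi_digest: bytes, sig: int) -> bool:
    """Payment gateway holds the payment data plus only a digest of the order."""
    linked = digest(digest(payment_info) + oi_digest)
    return pow(sig, E, N) == _as_int(linked)


# Constructed sample data (the card number is a well-known test value).
OI = b"order=1001;item=widget;total=49.95"
PI = b"pan=4111111111111111;exp=12/01;total=49.95"

if __name__ == "__main__":
    sig = dual_sign(OI, PI)
    print("merchant accepts:", merchant_verify(OI, digest(PI), sig))
    print("gateway accepts:", gateway_verify(PI, digest(OI), sig))
    print("tampered order accepted:",
          merchant_verify(OI + b";total=0.01", digest(PI), sig))
```

Either party can detect a change to the half it cannot see, because the signature covers both digests; this is also what supports the non-repudiation claim made for SET later in the deck.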
10. SET issues
• Implementation of SET has some big drawbacks:
– Lack of interoperability among systems
– Management of public key infrastructure
– Distribution of digital certificates requires action on the
part of the consumer
– Will banks want to become cert authorities?
• And who will pay for all this?
• Meanwhile, eCommerce goes on
11. The future of SET
• Non-repudiation of transactions through
digital certificates for both merchant and
customer
• SET may be the industry standard for
payments, but yet to be implemented
• It will be far more difficult for a customer to
claim no knowledge of a transaction
• Demonstrations continue
12. Some problems with eWallets
• Not transferable to other wallets
• Tied to a single PC
• Not available for use at many web storefronts
• Just solve a small part of the overall payment
process
• And they just don’t work!
13. Trends
• eWallets will eventually go away
• SET becomes a server-side issue
• SSL still dominates eCommerce
transactions for many years
14. Interoperability is the key
• Wallets will become widely used when the
following events occur:
– Mass distribution of wallets to consumers is
easily made
– Will be accepted by all merchants, regardless of
wallet brand or payment brand
– Don’t require PKI knowledge or computing
expertise
16. What they have in common
• Relatively easy to setup simple storefronts
• Relatively difficult to setup anything else!
• Payments, order processing still mostly a
manual effort
• Limited catalog and page controls
• But good to learn about eCommerce!
17. Case study: Encanto
• Started out selling hardware appliance
• Now sells eCommerce hosting services and
gives away the box
• Will they make it on monthly fees?
• Best explanation of payment process around
but took it off their web site!
18. The state of payment systems
• Today the vast majority of web payments
are with SSL forms and credit cards
• Many new directions for payments, but still
far from general acceptance
• Banks at odds with software developers
19. Remember the old payment
providers?
• Digicash
• Cybercash (first generation)
• First Virtual
• Mondex
• GlobeID
20. Why didn’t they work?
• Too complex to implement
• Too much cumbersome infrastructure
• Not too many stores took their kind of
money
• Too many other technical challenges
• Solved the wrong problem first (credit card
snooping)
21. Today’s sessions
• Choosing the right payment provider
• New alternatives to PKI for authentication
• Securing and integrating web and database
servers
• Web switching and caching
• Preventing cyberfraud
• PKI application implications
22. Our moderators
• Christy Hudgins-Bonafield
• Victor Danevich
• Greg Yerxa
• Greg Shipley
• Jon Udell
23. Session 1:
Choosing the right eCommerce
payment provider
Christy Hudgins-Bonafield
Brian Boesch, Cybercash
David Strom, David Strom Inc.
24. Why use any payment system?
• Automate existing business practice
(POs, procurement, supply chain, etc.)
• Non-human transactions, business-to-business
25. Three choices
• Outsource everything
(Evergreen, BofA, Amazon zShops)
• Use Cybercash online system
• Use PC POS (Tellan, PC Authorize)
26. Issues
• Real time or batch authorization
• Real time or batch capture/posting of
transactions
• Fraud detection
• Whether or not physical goods are involved
• Scalability, reliability
• Where and how customer account data is
stored
27. Diversity issues
• Shopping carts used to keep track of
sessions vs. committed order processing
• Rich reporting
tools, backup, management, history/log
• Open interfaces to extract information and
use across different legacy payment models
28. Three different levels of security
• Transaction level
• Session level
• Membership and directory level
29. What is the goal?
• To safeguard user identity and payment
information
• Across all transactions, sessions, and
wherever membership information is stored
• And to ensure that accurate transactions
occur!
30. Transaction level security
• Identity must be coupled with transactions
• Transactions must be persistent and grouped
for optimal payment authorization and
processing
31. Session level security
• Identity must be constantly verified during
eCommerce session and especially when
transactions committed for payment
authorization.
• Cookies, tokens, SSL
32. Membership level security
• Persistent way to store identity and payment
methods.
• Must be secure – or face legal
consequences!
• Critical for business-to-business automation
• Must leverage existing business PO
authorization systems
33. All of these are tied to your
shopping cart
• Usually, cart processes payments and sends
to banking network
• Demonstration from Perfectotech.com
• strom.com/pubwork/ecommerce/testcart.htm
35. The old method: SSL/credit cards
• How to deal with returning customers?
• How to deal with breaks in shopping
session?
• How to deal with peak loads?
• Are they really secure? (Perception vs.
reality)
37. Do you really want to do this?
• Setup CA server
• Generate a secure root CA
• Train Reg Authorities to manage certs
• Develop customer cert policies
39. Characteristics
• Mainly for digital content delivery
• Per day pass (WSJ)
• Charge 8-12% per transaction
• Universal membership
• Aggregate lots of small transactions into
one monthly bill
• Don’t leave site while completing purchase
• Build on “community” and “standards”
40. ShopNow, eBates
• Each user registers and sets up own mini
mall with links to stores
• Basic rebate program but large collection of
stores
41. iGive
• Percentage of sales goes towards charities
• Clickthroughs also are measured and
accumulate $
• Members have earned $300k for charities so
far
42. iPin, Trivnet
• Digital content only
• Aggregates purchases and bills your ISP
directly
• Only works if your ISP and merchant are
signed up
• Does this sound familiar?
43. Advantages
• Ease of use -- maybe
• No credit card transmission over the
Internet
44. Disadvantages
• Need to reach critical mass of users almost
at launch
• Still rely on username/password
combination which can be cumbersome
• Small companies without a lot of depth
• Standards still in play
45. Why use any of these services?
• Save money
• Build loyalty, return visits
• Make eCommerce easier? Not sure.