E-commerce Security and Payment
•Download as PPTX, PDF•
10 likes•6,828 views
The presentation discussed the what is e-commerce security and its dimensions, threat concerns, ways to protect e-commerce site from hacking and fraud. It also includes the different e-commerce payment methods.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to E-commerce Security and Payment
Similar to E-commerce Security and Payment (20)
More from Laguna State Polytechnic University
More from Laguna State Polytechnic University (20)
Recently uploaded
Recently uploaded (20)
E-commerce Security and Payment
- 2. Hello! FOR-IAN V. SANDOVAL You can find me at https://www.slideshare.net/fvsandoval
- 3. “◎“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” ◎– Bruce Schneier
- 5. TABLE OF CONTENTS • E-commerce security and its dimensions • E-commerce Threat Concerns • E-commerce Threats • Ways to Protect your Ecommerce Site from Hacking and Fraud • E-Commerce Payment Methods
- 6. WHAT IS E-COMMERCE SECURITY? E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.
- 7. DIMENSION OF E-COMMERCE SECURITY
- 8. E-COMMERCE THREATS Threats: anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile.
- 9. E-COMMERCE THREATS CONCERN 1. Loss of Privacy/confidentiality, data misuse/abuse
- 10. E-COMMERCE THREATS CONCERN 2. Cracking, eavesdropping, spoofing, rootkits
- 11. E-COMMERCE THREATS CONCERN 3. Viruses, Trojans, worms, hostile ActiveX and Java
- 12. E-COMMERCE THREATS CONCERN 4. System unavailability, denial of service, natural disasters, power interruptions
- 13. Intellectual Property Threats use existing materials found on the Internet without the owner's permission, e.g., music downloading, domain name (cybersquatting), software pirating
- 14. Client Computer Threats – Trojan horse – Active contents – Viruses
- 15. Communication Channel Threats – Sniffer program – Backdoor – Spoofing – Denial-of-service
- 16. Server Threats – Privilege setting – Server Side Include (SSI), Common Gateway Interface (CGI) – File transfer – Spamming
- 17. COUNTER MEASURE A procedure that recognizes, reduces, or eliminates a threat
- 18. Intellectual Property Protection – Legislatures – Authentication
- 19. Client Computer Protection - Privacy (Cookies Blockers, Anonymizer) - Digital Certificate - Browser Protection - Anti-virus Software - Computer forensic experts
- 20. Communication Channel Protection - Encryptions - Protocol - Digital Signature
- 21. Server Protection - Access Control & Authentication - Firewall
- 22. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Start by Going with an e-commerce Platform You Know is Secure • A secure online checkout • Enterprise-level, layered security • Encryption for all customer data, including tools that don't store any of the credit card information • Constant fraud monitoring • PCI compliance and scans • Card verification value • Address verification system
- 23. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Some Words on the Address Verification System (AVS) and the Card Verification Value (CVV)
- 24. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Have a Backup Plan
- 25. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Prevent Chargebacks with Tracking Numbers and a Human Monitoring All Orders
- 26. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD An Automated Fraud Detection System Helps Too
- 27. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Configure System Alerts For When Suspicious Activity Occurs
- 28. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Force Yourself and All Employees to Have Strong Passwords
- 29. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD Set Limits on Purchases from Accounts on a Given Day
- 31. CASH ON DELIVERY (COD)
- 32. ELECTRONIC FUND TRANSFER (EFT)
- 33. PAYMENT CARDS – CREDIT CARD
- 34. PAYMENT CARDS – DEBIT CARD
- 35. PAYMENT CARDS – CHARGE CARD
- 36. SMART CARD
- 37. ELECTRONIC CASH (E-CASH / E-MONEY)
- 38. E-WALLET
- 39. DIGITAL CASH
- 41. Thanks! Any questions? You can find me at https://web.facebook.com/forian.sandoval
Editor's Notes
- - Eavesdropping is secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary.[1] The practice is commonly believed to be unethical. - A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
- Sniffer program. A computer program that analyzes data on a communication network to gather intelligence, such as detecting passwords of interest that are transmitted over the Internet. Sniffers are used by crackers on compromised systems to spy on network traffic and steal access information for even more systems. 2. Backdoor. A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router), or its embodiment, e.g. as part of a cryptosystem, an algorithm, a chipset, or a "homunculus computer"[1] (such as that as found in Intel's AMT technology). Backdoors are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems. 3. a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage. 4. A denial-of-service attack is a security event that occurs when an attacker takes action that prevents legitimate users from accessing targeted computer systems, devices or other network resources.
- Encryption * Public-key encryption (asymmetric) vs Private-key encryption (symmetric) (Figure 5-6) * Encryption standard: Data Encryption Standard (DES), Advanced Encryption Standard (AES) Protocol * Secure Sockets Layer (SSL) (Figure 5.10) * Secure HyperText Transfer Protocol (S-HTTP) Digital signature * Bind the message originator with the exact contents of the message * A hash function is used to transform messages into a 128-bit digest (message digest). * The sender’s private key is used to encrypt the message digest (digital signature) * The message + signature are sent to the receiver * The recipient uses the hash function to recalculate the message digest * The sender’s public key is used to decrypt the message digest * Check to see if the recalculated message digest = decrypted message digest
- Access control and authentication * Digital signature from user * Username and password * Access control list Firewalls (Figure 5.11) * International Computer Security Association's classification: Packet filter firewall: checks IP address of incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing) Application level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity. Stateful packet inspection: examines all parts of the IP packet to determine whether or not to accept or reject the requested communication.
- The Payment Card Industry Data SecurityStandard (PCI DSS) is a set of security standardsdesigned to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
- We've all encountered the CVV. It's the little three digit code on the back of your credit card. With reputable ecommerce platforms with solid checkouts you're going to have this system already configured. If not, you might have to go out and find an app or a service for that. However, it's a wonderful way to prevent fraud from people who have only stolen the credit card numbers and not the CVV. The AVS is a little different. Customers don't see this on the frontend of the site, but once again, most reputable platforms provide this service. Basically, it checks to see if the address in the billing address field matches that of the address on file for the credit card. For instance, a fraudulent user might want to send a product to their address, but a stolen credit card would have another person's address on file, triggering a warning for you.
- Fraud generally doesn't cause any problems with your content, but hacking does. Even with all of your security you might end up getting hacked. In that case, there's a possibility of having to relaunch your site or bring it back from the dead.
- Tracking numbers give you a clear picture of how much inventory you have and what happens to a package after it's sent out from your warehouse. Most ecommerce platforms don't require tracking numbers and you can skip the whole UPS/USPS/FedEx tracking thing, but I recommend against that. It's the only evidence you have against someone who claims they never received their package.
- Check with your ecommerce platform to see which types of fraud detection tools they use. Sometimes you have to pay a little extra for this.
- Every time a suspicious user is on your site, you should know. Every time a person makes a purchase with a fishy address, you should know. This notification shouldn't be sent to a random folder you made in your email inbox, because it's big news that should be addressed instantly.
- Don't write passwords down, and try to change them every month. There's really no reason to remember passwords with tools like Dashlane and Roboform. These password managers make up complicated passwords to combat brute force attacks, and you don't have to think of what you made your password last time.
- Let's face it. Sometimes you're not going to be able to take a look at every single sale that goes through your site. Therefore, a random fraudulent purchase might slip through the cracks and get through. However, many ecommerce platforms allow for setting limits on purchases in a given day or other time frame. For example, you might set a limit of $1,000 per day per customer. This way, if someone comes to your site and tries to buy $5,000 worth of merchandise, your website stops the transaction and notifies you. You're given a little extra time to breath and look at the transaction, and you might even scare away a criminal.
- Cash on delivery (COD), sometimes called collect on delivery, is the sale of goods by mail order where payment is made on delivery rather than in advance. If the goods are not paid for, they are returned to the retailer.
- Electronic funds transfer (EFT) is the electronic transfer of money from one bank account to another, either within a single financial institution or across multiple institutions, via computer-based systems, without the direct intervention of bank staff. EFT's are known by a number of names. In the United States, they may be referred to as electronic checks or e-checks. The term covers a number of different payment systems, for example: cardholder-initiated transactions, using a payment card such as a credit or debit card direct deposit payment initiated by the payer direct debit payments for which a business debits the consumer's bank accounts for payment for goods or services wire transfer via an international banking network such as SWIFT electronic bill payment in online banking, which may be delivered by EFT or paper check transactions involving stored value of electronic money, possibly in a private currency.
- Credit cards such as a Visa or a MasterCard, has a preset spending limit based on the user’s credit limit.
- Debit cards removes the amount of the charge from the cardholder’s account and transfers it to the seller’s bank.
- A charges card is a card that provides a payment method enabling the cardholder to make purchases which are paid for by the card issuer, to whom the cardholder becomes indebted. The cardholder is obligated to repay the debt to the card issuer in full by the due date, usually on a monthly basis, or be subject to late fees and restrictions on further card use. It can also be a smart card. Though the terms charge card and credit card are sometimes used interchangeably, they are distinct protocols of financial transactions. Credit cards are revolving credit instruments that do not need to be paid in full every month. There is no late fee payable so long as the minimum payment is made at specified intervals (usually every thirty days). The balance of the account accrues interest, which may be backdated to the date of initial purchase. Charge cards are typically issued without spending limits, whereas credit cards usually have a specified credit limit that the cardholder may not exceed.
- A smart card resembles a credit card in size and shape, but inside it is completely different. First of all, it has an inside -- a normal credit card is a simple piece of plastic. The inside of a smart card usually contains an embedded microprocessor. The microprocessor is under a gold contact pad on one side of the card. Think of the microprocessor as replacing the usual magnetic stripe on a credit card or debit card.
- Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world. A system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real currency notes, the E-cash numbers are unique. This is issued by a bank and represents a specified sum of real money. It is anonymous and reusable.
- E-Wallet allows you to store multiple credit card and bank account numbers in a secure environment, and eliminate the need to enter in account information when making your payment. Once you have registered and created E-Wallet profiles, you can make payments faster and with less typing.
- Based on algorithm that generates unique tokens that can be used in “real” world Example: Bitcoin a type of digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.
- Virtual Money can be defined as a digital representation of value that is issued and controlled by its developers, and used and accepted among the members of a specific (virtual) community. Unlike regular money, it is relying on a system of trust and not issued by a central bank or other banking authority. Circulate within internal virtual world Example: Linden Dollars in the virtual world called Second Life, Facebook Credits