Special Offers

FREE Web Site Design You only Pay for hosting

Website Hosting From
Per Month
5 Pages 6.99
10 Pages 8.99
E-Commerce 12.99

click here to get your website NOW...

E-Commerce
Home > E Commerce >

E-Commerce

Cequin E Commerce Web Site Design Services

We can setup and maintain your online store using our own Cequin shopping cart or open source zen-cart. Either way you will have a compehensive e commerce solution.

The e commerce web site will be completely customised to your requirements. The Cequin cart has the additional features of generating search engine friendly product pages.

For payment receipt the shopping cart can be linked to PayPal, WorldPay etc.

E Commerce Security Principles

Most ecommerce merchants leave the mechanics to their hosting company or IT staff, but it helps to understand the basic principles. Any system has to meet four requirements:

  • privacy: information must be kept from unauthorized parties.
  • integrity: message must not be altered or tampered with.
  • authentication: sender and recipient must prove their identities to each other.
  • non-repudiation: proof is needed that the message was indeed received.

Privacy is handled by encryption. In PKI (public key infrastructure) a message is encrypted by a public key, and decrypted by a private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender, since only the sender has the particular key) the encrypted message is encrypted again, but this time with a private key. Such procedures form the basis of RSA (used by banks and governments) and PGP (Pretty Good Privacy, used to encrypt emails).

Unfortunately, PKI is not an efficient way of sending large amounts of information, and is often used only as a first step - to allow two parties to agree upon a key for symmetric secret key encryption. Here sender and recipient use keys that are generated for the particular message by a third body: a key distribution center. The keys are not identical, but each is shared with the key distribution center, which allows the message to be read. Then the symmetric keys are encrypted in the RSA manner, and rules set under various protocols. Naturally, the private keys have to be kept secret, and most security lapses indeed arise here.

Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message digest. This digest, the hash function and the plain text encrypted with the recipient's public key is sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to that the message digest value remains unchanged (message has not been tampered with). Very often, the message is also timestamped by a third party agency, which provides non-repudiation.

What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web-servers.

Secure Socket Layers

Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, and an error control attached. Individual packets are sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing errors. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with a digital certificate. Using PKI, server and client negotiate to create session keys, which are symmetrical secret keys specially created for that particular transmission. Once the session keys are agreed, communication continues with these session keys and the digital certificates.

PCI, SET, Firewalls and Kerberos

Credit card details can be safely sent with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and accompanying network. A PCI (peripheral component interconnect: hardware) card is often added for protection, therefore, or another approach altogether is adopted: SET (Secure Electronic Transaction). Developed by Visa and Mastercard, SET uses PKI for privacy, and digital certificates to authenticate the three parties: merchant, customer and bank. More importantly, sensitive information is not seen by the merchant, and is not kept on the merchant's server.

Firewalls (software or hardware) protect a server, a network and an individual PC from attack by viruses and hackers. Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret key cryptography to restrict access to authorized employees.

Transactions

Sensitive information has to be protected through at least three transactions: credit card details supplied by the customer, either to the merchant or payment gateway. Handled by the server's SSL and the merchant/server's digital certificates.

  • credit card details passed to the bank for processing. Handled by the complex security measures of the payment gateway.
  • order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL, server security, digital certificates (and payment gateway sometimes).
Distance Selling Regulations & E-Commerce

Buying online - from a computer, digital TV or mobile phone - offers convenience, wider choice, competitive prices and easier access to information about what is available. But evidence shows that some consumers still lack confidence in e-commerce.

DTI's internet consumer strategy describes how we are working to enhance consumer confidence by developing a modern market framework for internet shopping; by promoting codes of practice and easier ways of settling disputes which arise; and by making sure that we all have access to clear, accurate and up to date guidance.

The Law

Existing consumer protection law, including that on the sale of goods and misleading advertising, applies on-line. Please click here for the advice from the Office of Fair Trading web site.

Additional pieces of legislation have been drawn up with the Internet in mind:

Distance Selling Regulations give protection to consumers who shop by phone, mail order, via the Internet or digital TV: The protection includes:

  • The right to receive clear information about goods and services before deciding to buy;
  • Confirmation of this information in writing;
  • A cooling off period of seven working days in which the consumer can withdraw from the contract;
  • Protection from credit card fraud.