Compare and Contrast the following sites:
Shopify, Big Cartel, bigcommerce, and Prestashop are all onlinestore builders with fully integrated shopping carts whereas zen cart and 1shoppingcart are just shopping cart software.
Price + Special Features Comparison
- Shopify: Basic plan = $29/ Month
- Online Store
- Social Media Integration
- Unlimited Products
- Big Cartel: Titanium plan = $29/ Month
- Online Store
- Inventory Tracking
- 300 Products
- Bigcommerce: Standard plan = $29.95/ Month
- Online Store
- Unlimited Storage
- Unlimited Products
- Prestashop: Free to use
- 2,000+ professional ecommerce website templates $124+
- mobile-responsive design
Cart Price + Special Features Comparison
- Zen Cart: Free open source software
- You are free to modify the source code in whatever ways your application requires.
- Many popular payment gateways built-in, you can start accepting payment immediately.
- 1Shoppingcart: 1 Month Free Trial* + Standard Monthly Price* of $24.95
- Unlimited Products
- Full Featured Email Marketing
- Integrated Post-Sale Upsells
- Over 1GB Online Storage
Hosting options available for use with shopping cart software.
Zen Cart: “Works with any* hosting company”
Shopping cart vulnerabilities and best-practice preventative measures.
Shopping carts are vulnerable to viruses and attacks.
6 Essential Requirements for a Secure e-Commerce Site
- Use Enhance Verification SSL
- Use PCI and Vulnerability Scanning Services
- Use penetration testing to stay ahead of the bad guys
- Use multi-factor authentication
- Trust seals matter. Use them
- Use a Managed DNS
What software is needed to install and setup pre-built shopping cart software.
It is all determined by what shopping cart you will use but Paypal is currently the most convenient pre-built software that can be easily integrated into websites
Identify security issues associated with E-commerce and discuss methods to mitigate risks.
Describe the differences between Transaction Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL).
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
SSL is an encrypted connection between web server and visitors browser allowing for private information to be transmitted without eavesdropping, data tampering or message forgery.
TLS ensures privacy between communication applications and their users.
Explain transaction security
Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser’s bank in a way that ensures privacy and confidentiality. SET makes use of Netscape’s Secure Sockets Layer (SSL), Microsoft’s Secure Transaction Technology (STT), and Terisa System’s Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI).
What are security and payment processing issues involved in developing a site (e.g., SSL, Digital Certificates, SET Protocol, Cyber Cash)?
SSL security certificate is critical. SSL certificates prevent cyber criminals from intercepting financial data. They encrypt credit card numbers/ passwords/ log -ins.
Extended validation is considered the best bet, when developing a e-commerce site. It requires a more thorough authentication process.
Payment security is complex. Many vulnerabilities exist in the payments processing chain, especially in the interactions between consumers, merchants and acquirers. The sheer volume of consumers and merchants provides a large window of opportunity for thieves to capture data that can be fraudulently turned into profit. J None of the technologies that exist today solves all the security problems in the payments processing chain. However, a select few technologies focus on solving the biggest problems and greatest vulnerabilities that affect most merchants, and they can do so in a cost-effective manner. Merchants can use these solutions to reduce their overall level of vulnerability. J New security methods are now available to secure sensitive cardholder data from compromise as close to the initiation of the transaction as possible. In addition, these technologies can help reduce a merchant’s PCI compliance burden.
Payment processing chain:
- A consumer wants to buy goods or services and pay for it using his credit card. The cardholder data is entered into the merchant’s payment system, which could be a point-of-sale (POS) terminal/software or an e-commerce Web site.
- The card data (PAN) is sent to an acquirer/payment processor, whose job it is to route the data through the interchange system for processing.
- The acquirer/processor sends the data to the payment brand (e.g., Visa, MasterCard, American Express, etc.), who forwards it to the issuing bank.
- The issuing bank verifies that the card is legitimate, not reported lost or stolen, and that the account has the appropriate amount of credit/funds available to pay for the transaction.
- If so, the issuer generates an authorization number and routes this number back to the card brand. The issuing bank agrees to fund the purchase on the consumer’s behalf.
- The card brand forwards the authorization code and the PAN back to the acquirer/processor.
- The acquirer/processor sends the authorization code and either the PAN or a viable substitute number for the PAN (i.e., a token) back to the merchant.
- The merchant concludes the sale with the customer.
- The merchant may retain the transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs.
Where encryption fits in the payments process
- When the cardholder data (the PAN) is captured at the POS (with a physical swipe or data entry), the data is encrypted.
- The data is encrypted as it traverses any in-store network.
- The merchant sends the encrypted PAN to the acquirer/processor.
- The payment processor decrypts the data and sends it via a secure channel to the appropriate network or association for authorization. When the transaction is authorized for payment, it gets sent back to the payment processor.
- After authorization, the acquirer/processor returns the encrypted PAN along with the transaction response to the merchant.
- The merchant may retain the encrypted transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs
The problems that data encryption solves
Data encryption solutions solve for the problem of live (clear text) data in transmission as it moves upstream to the acquirer by encrypting the data as close to the point of capture as makes sense for a particular merchant. It also can solve for the problem of having clear text cardholder data in electronic storage environments when the data is kept for auxiliary use. These are two of the greatest vulnerabilities for most merchants, and by applying data encryption technology, merchants can reduce their risk of liability stemming from a data breach. If a breach does occur and a thief obtains encrypted data, he can’t use it without also obtaining the decrypting key. End-to-end encryption is not currently a requirement in PCI DSS. However, according to George Peabody, principal analyst with the Mercator Advisory Group, “end-to-end encryption may well be the end game recommendation of PCI and, if data breaches continue to plague the payments industry and occupy headlines, that recommendation may become a mandate within two years.”
Where tokenization fits in the payments process
- When the cardholder data (the PAN) is captured at the POS (with a physical swipe or data entry), the data is encrypted.
- The data is encrypted as it traverses any in-store network.
- The merchant sends the encrypted PAN to the acquirer/processor.
- The payment processor decrypts the data and sends it via a secure channel to the appropriate network or association for authorization. When the transaction is authorized for payment, it gets sent back to the payment processor.
- After authorization, the acquirer/processor returns the encrypted PAN along with the transaction response to the merchant.
- The merchant may retain the encrypted transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs.
The problems that tokenization solves
Tokenization solves the problem of having live cardholder data in storage or in use in business applications after the transaction approval. This process eliminates the possibility of having real card data stolen at this point because it doesn’t even exist here. And unlike encrypted data, the use of tokenized data reduces the scope of PCI audits, again because there is no cardholder data that must be secured. Merchants can save significant time and money by reducing the scope of their PCI audits.
SSL security certificate is critical. SSL certificates prevent cyber criminals from intercepting financial data. They encrypt credit card numbers/ passwords/ log -ins.
Extended validation is considered the best bet, when developing a e-commerce site. It requires a more thorough authentication process.
What is https and htaccess?
HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering.HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.
How to obtain an SSL certificate and secure transactions?
- Purchase an SSL certificate from a vendor
- Install Certificate on your host
- Update site using https
Compare and contrast the appropriateness of employing a merchant account or a payment gateway to handle online transactions.
Merchant Account:
A merchant account is a type of bank account that allows businesses to accept payments by payment cards, typically debit or credit cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.
Payment Gateway:
A payment gateway is an e-commerce application service provider service that authorizes credit card payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar.
Discuss the process, advantages, disadvantages, and costs associated with opening a merchant account.
First off, card processing is actually quite regional and the options differ based on the location of your business (e.g. in the US or outside the US, for example) as well as where customers primarily are located. Lastly, the business needs you have may dictate specific integrations or gateways that you need to use, and then the decision process can be based around technology offerings available from the different platforms.
With Stripe, PayPal and Intuit “GoPayment”, you are leveraging a Payment Service Provider (“PSP”) and not generally establishing a directly acquired merchant account.
Describe the process, advantages, disadvantages, and costs associated with using a payment gateway.
Advantages:
- Process is integrated with the shopping cart.
- Guaranteed fraud protection Mechanisms in place.
- PayPal guarantees customer personal data protection.
- PayPal supports multicurrency payment processing.
- PayPal has ease of access and use.
- PayPal has relatively good rates on money transfer.
Disadvantages:
- PayPal can freeze your money and account at will.
- Although PayPal may be global not all online businesses have adopted it.
E-commerce Quiz