Java E-Commerce, Martin Cooke, 2002

Money, architecture & enterprise

Today's lecture
- Online monetary transactions
- Tiered architectures
- Java Enterprise (J2EE)

Online monetary transactions*
*security is covered in later lectures
13/02/2004 Java E-Commerce Martin Cooke, 2004

Categories of payment and information flow
- C2B (payment flow): most online retailers
- B2C (information flow): online billing
- C2C: peer-to-peer payments, e.g. eBay
- B2B: needs more electronic paperwork than C2B

B2B e-commerce is not new
- EDI: Electronic Data Interchange
- EFT: Electronic Funds Transfer

C2B: How to spend money on the net
- Credit card schemes
- Digital cash
- Micropayments
- E-wallets

Online credit card transactions
I: Via merchant account
- May already have one for terrestrial business
- CNP ("card-not-present") category (cf. phone ordering)
- Difficult to obtain, especially for new businesses with limited assets
II: Via Payment Solution Provider (PSP)
- Funnels small businesses' transactions through the PSP's merchant bank
- Costs more; payments delayed
- Typically: set up in 24 hours; annual fee $500; transaction fee 4-5%
Question
You come across a form box on a site asking for your credit card details. Why might you be loath to give them?
- Insecure transfer
- Business may store details on their system
- System may not be secure
- One-off purchase, lifetime of risk?
- Business may not be what they claim
- You may not have a credit card

Online CNP transactions
[Diagram: the buyer supplies credit card number, expiration date and shipping & billing info to the MERCHANT; the merchant passes the details to the ACQUIRING BANK (i.e. the merchant's bank); the acquiring bank asks the BUYER'S BANK (or credit card Association) to verify the buyer and receives "verified". Links marked as secure internet transfer, usually Secure Sockets Layer (SSL).]

Implementation
Approach                            | Description                                      | Pros                           | Cons
Basic form-based acquisition        | Merchant uses conventional POS terminal          | Simple to add to existing site | Security! Insecure link; card details held by merchant; not fully automated
As above, plus secure link          | Use of Secure Sockets Layer (SSL)                | Better security                | As above, apart from the secure link
3rd-party payment gateway           | Association for Payment Clearing Systems (APACS) | Automated                      | Consumer credit card details held by merchant (for refunds)
Secure Electronic Transaction (SET) | Owned by VISA & MasterCard                       | Secure and private             | Burden on cardholder
Data integrity
Cardholder
- Is the cardholder who s/he claims to be?
- Cardholder certificate, e.g. account info + secret value encoded using a one-way hash
Merchant
- Cardholder needs to confirm the identity of the merchant, e.g. is it really British Gas or an interloper?
- Use of merchant certificates
Interoperability
- Protocol should be independent of particular transport security mechanisms
- Build security into applications and messages; don't rely on secure infrastructure
We'll examine SET in detail when considering security
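The cardholder-certificate idea above (account information bound to a secret value through a one-way hash) can be made concrete. The following is an added Python example, not code from the lecture or from the SET specification: the card number is a widely used Luhn-valid test PAN rather than an account, and the secret, expiry, function names and the choice of HMAC-SHA-256 are constructed assumptions. It also shows the check a practitioner wants to see: a hash of account information without any secret is not one-way in practice, because the six-digit issuer prefix is public, the last four digits appear on receipts, and the Luhn check fixes one of the remaining digits, so the search space collapses to 10^5 candidates.

```python
# Added example: binding account information to a cardholder secret with a
# one-way hash, in the spirit of the SET cardholder certificate. Not from
# the lecture; names, secret, expiry and the test PAN are constructed.
import hashlib
import hmac
from typing import Optional


def luhn_total(digits):
    """Luhn sum over a digit list: right to left, every second digit doubled."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_ok(pan: str) -> bool:
    """True when the PAN passes the Luhn check that every real card number satisfies."""
    return pan.isdigit() and luhn_total([int(c) for c in pan]) % 10 == 0


def account_commitment(pan: str, expiry: str, secret: bytes) -> str:
    """One-way hash of account info plus a secret shared by cardholder and issuer.

    A merchant can forward this for authorisation but cannot recover the PAN
    from it. SET used SHA-1; HMAC-SHA-256 is this example's assumption.
    """
    return hmac.new(secret, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()


def verify_commitment(pan: str, expiry: str, secret: bytes, commitment: str) -> bool:
    """Issuer-side check: recompute and compare in constant time."""
    return hmac.compare_digest(account_commitment(pan, expiry, secret), commitment)


def bare_hash(pan: str, expiry: str) -> str:
    """The weak alternative: the same account info hashed WITHOUT a secret."""
    return hashlib.sha256(f"{pan}|{expiry}".encode()).hexdigest()


def recover_pan_from_bare_hash(digest: str, bin6: str, last4: str, expiry: str) -> Optional[str]:
    """Why the secret matters: invert a bare hash of a 16-digit PAN by enumeration.

    Known: 6-digit issuer prefix (BIN) and last four digits. Of the six unknown
    digits one is fixed by the Luhn check, leaving 10**5 candidates.
    Returns the PAN if a candidate hashes to the digest, else None.
    """
    for head in range(10**5):
        # digits 6..10 come from the loop; digit 11 is a placeholder fixed below
        digits = [int(c) for c in f"{bin6}{head:05d}0{last4}"]
        # digit 11 is at even distance from the right (15 - 11 = 4), so it is
        # added undoubled; pick it so the Luhn total becomes a multiple of 10
        digits[11] = (-luhn_total(digits)) % 10
        pan = "".join(map(str, digits))
        if hashlib.sha256(f"{pan}|{expiry}".encode()).hexdigest() == digest:
            return pan
    return None  # nothing matched, e.g. because the digest was keyed


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test PAN, not a real account.
    pan, expiry, secret = "4532015112830366", "12/05", b"cardholder-secret-example"
    keyed = account_commitment(pan, expiry, secret)
    print("issuer verifies:", verify_commitment(pan, expiry, secret, keyed))
    print("bare hash recovered:", recover_pan_from_bare_hash(bare_hash(pan, expiry), "453201", "0366", expiry))
    print("keyed hash recovered:", recover_pan_from_bare_hash(keyed, "453201", "0366", expiry))
```

The point for a merchant system is the same one the slide makes for SET: a bare hash of a card number is not a safe substitute for the number, since anyone with the digest, the BIN and the last four digits can enumerate it in seconds. What makes the commitment one-way in practice is the secret (in SET, a value the cardholder and issuer share; in a merchant database, a key held outside the database), which the enumeration above cannot supply.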
CashRegister
- Administers credit card payment
- The business licences the CashRegister system, which takes over all processing of the transaction: security, validation, fraud control
- Recently bought by VeriSign
- PayFlow
- Claims 3 seconds average transaction time

Digital cash
- Buy credit from a digital cash vendor
- Pay by cheque or at an outlet such as a newsagent
- internetcash.com (downgraded as of 11/2/2003)
- Use at retail sites which accept digital cash
- Can be given as presents or received as rewards

Micropayments
- Mechanism to avoid credit-card transaction fees for low-cost items (under $10): shareware, pay-per-document
- Micropayments accumulate and result in a bill similar to that for a utility (cf. individual phone calls); the idea is to add payments to your phone bill (cartio.com - defunct 2003, Millicent - defunct 2003)
- Payments can be validated without consulting a bank
- Can be used in association with affiliate programs and other reward schemes

Caution!
- Much information relating to e-commerce is unreliable
- 50% of the sites mentioned in books (published in 2001) used to prepare this lecture were either suspended, taken over or non-existent

E-wallets
- Hold details of your credit card(s), billing and shipping addresses, digital cash, digital cheques
- Enable 1-click purchase (Amazon.com)

C2C: Peer-to-peer payments
- E.g. paying for auction purchases
- PayPal: send cash to anyone with an email address over the net
- Free for individuals
- Acquired by eBay
- Buyers submit electronic payments to the seller's current account
B2B
- More complex than C2B: larger amounts, multiple accounts
- Richer information trail required
- Format compatible with other aspects of the business
- Clareon: uses XML (next lecture)

Tiered architectures

Terminology
- Distributed architecture: system composed of programs running on multiple hosts
- Tier: one of those host computers
  - But can have virtual distributed apps running on a single host
  - Tier can also signify a logical partition of processing
- Examples: client (e.g. web browser), server, object server, enterprise server, database server, web server

More terminology
- Presentation logic: how information is presented to the client
- Business logic: collection of objects and methods which differ from business to business, e.g. flight, customer, checkAvailability()
- Data logic: how to ensure data is persisted, secure, and transactionally safe

Importance of tiers
- Allow separation of concerns
- Coding paradigms differ for each tier; the required skill set differs too
- Along with security, this is probably the most important aspect of e-commerce system design

1 tier: STANDALONE APPLICATION
+ Simplicity: no networking
+ High performance
+ Self-contained
- Can't access remote services
- Potential for spaghetti code
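As an added illustration of the three kinds of logic just listed (not code from the lecture or from J2EE), the following sketch keeps them in separate tiers: a data tier that alone owns the database connection, parameterised SQL and the transaction boundary; a business tier holding the rules, using the slide's own illustrative names flight, customer and checkAvailability(); and a presentation tier that only renders. Python and sqlite3 are used here so it runs stand-alone; the schema, flight code, seat counts and customer names are constructed.

```python
# Added example: the three kinds of logic named on the slide, each in its own
# tier. Not from the lecture; flight/customer/checkAvailability() are the
# slide's illustrative names, the schema, seats and customers are constructed.
import sqlite3


# ---- Data logic: persistence, integrity, transactional safety ----------------
class FlightRepository:
    """The only code that touches the database. Every query is parameterised,
    and each write is one transaction that commits or rolls back as a unit."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("PRAGMA foreign_keys = ON")
        self.conn.execute(
            "CREATE TABLE flight (code TEXT PRIMARY KEY, "
            "seats INTEGER NOT NULL CHECK (seats >= 0))"
        )
        self.conn.execute(
            "CREATE TABLE booking (id INTEGER PRIMARY KEY, "
            "flight TEXT NOT NULL REFERENCES flight(code), customer TEXT NOT NULL)"
        )

    def add_flight(self, code: str, seats: int) -> None:
        with self.conn:  # commit on success, roll back on exception
            self.conn.execute("INSERT INTO flight VALUES (?, ?)", (code, seats))

    def seats_left(self, code: str):
        # code is bound as a parameter, so "BA117' OR '1'='1" is just an unknown flight
        row = self.conn.execute("SELECT seats FROM flight WHERE code = ?", (code,)).fetchone()
        return None if row is None else row[0]

    def reserve(self, code: str, customer: str) -> None:
        """Decrement the seat count and record the booking atomically. The WHERE
        clause plus the CHECK constraint stop overselling inside the database
        even if two business-tier availability checks raced."""
        with self.conn:
            cur = self.conn.execute(
                "UPDATE flight SET seats = seats - 1 WHERE code = ? AND seats > 0", (code,)
            )
            if cur.rowcount != 1:
                raise LookupError(f"no seat to reserve on {code}")
            self.conn.execute(
                "INSERT INTO booking (flight, customer) VALUES (?, ?)", (code, customer)
            )

    def bookings(self, code: str):
        rows = self.conn.execute(
            "SELECT customer FROM booking WHERE flight = ? ORDER BY id", (code,)
        )
        return [r[0] for r in rows]


# ---- Business logic: rules that differ from business to business -------------
class BookingService:
    def __init__(self, repo: FlightRepository):
        self.repo = repo

    def check_availability(self, code: str) -> bool:
        left = self.repo.seats_left(code)
        if left is None:
            raise LookupError(f"unknown flight {code}")
        return left > 0

    def book(self, code: str, customer: str) -> int:
        """Apply the rules, then delegate persistence. Returns seats remaining."""
        if not customer.strip():
            raise ValueError("customer name required")
        if not self.check_availability(code):
            raise RuntimeError(f"flight {code} is full")
        self.repo.reserve(code, customer)
        return self.repo.seats_left(code)


# ---- Presentation logic: rendering only; no SQL, no connection ---------------
def render_status(service: BookingService, code: str) -> str:
    status = "seats available" if service.check_availability(code) else "sold out"
    return f"Flight {code}: {status}"


def demo() -> str:
    repo = FlightRepository()
    repo.add_flight("BA117", 2)  # constructed flight code and capacity
    svc = BookingService(repo)
    svc.book("BA117", "alice")
    svc.book("BA117", "bob")
    try:
        svc.book("BA117", "carol")  # rejected by the business tier
    except RuntimeError:
        pass
    try:
        repo.reserve("BA117", "dave")  # rejected by the data tier even if the rule is bypassed
    except LookupError:
        pass
    return render_status(svc, "BA117")


if __name__ == "__main__":
    print(demo())
```

Two properties matter from a security standpoint and both live in the data tier: user-supplied values only ever reach the database as bound parameters, and the invariant "never more bookings than seats" is enforced by the transaction and the CHECK constraint rather than by trusting that the business tier called checkAvailability() first. The presentation tier can be rewritten (HTML, JSP, a Swing client) without touching either.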
2 tiers: client + (WEB)SERVER
+ Quite simple
+ Separation of presentation logic from business logic
- Little potential for resource sharing, a big problem for e-commerce applications

3 tiers: client + (WEB)SERVER + database
+ Separation of presentation, business and data logic
+ Concurrent data access
+ Shared resources
- More expertise required
- More security work required
- Needs object-relational mapping

4 tiers: client + (WEB)SERVER + APPSERVER + database
+ (Near) automatic handling of transactions, security, persistence, ...
+ Supports just about anything
- Learning curve
- Can be inefficient due to generality
- Expensive (but see JBoss)

Homework (1)
Read the Chaffee article on tiers at http://www.javaworld.com/javaworld/jw-01-2000/jw-01-ssj-tiers_p.html

Problems with tier classifications
- HTML form communicating with a webserver: a 1.5-tier system? (is a web form a program?)
- Applet running in a browser, downloaded from the webserver: 1 tier, but it depends what the applet does
- Another view (from Sun) [diagram not reproduced]
Enterprise system design concerns
- Extensibility
- Maintainability
- Division of labour along skill lines
- Scalability
- Portability
- Availability
- Interoperability
- Focus on business logic
- Separation of code with differing rates of change

J2EE: Java Enterprise

Homework (2)
Read about J2EE (see course website for doc)

Resources
- J2EE book
- Online documents: developer.java.sun.com/developer/technicalarticles/J2EE/patterns
- Design patterns: www.jdance.com/designpatterns.shtm
Websites
- java.sun.com/j2ee
- javaworld.com
- jguru.com
- IBM developer