As Taught by Prof. Tim Richardson School of Marketing and e-Business, Faculty of Business


IEC 719 "bare bones outline"

1. E-commerce payment systems

Online Credit Card-based Systems
Credit card security in e-commerce (B2C)
Electronic Commerce Modeling Language

2. Electronic Commerce and Banking (B2B), (B2C)

3. E-commerce Law and Regulations Intellectual Property and copyright concerns
Copyright Protection Techniques

Taxation issues
what is covered under existing legislation, what is not

4. Security concerns

(It is not intended that the presentation of these security topics will result in the participants learning everything they need to know - but rather
1. create an awareness of the business and marketing consequence of these topics
2. identify resources they can access should they need to know a lot more)

Copyright Protection Techniques
principles of competitor monitoring
Competitor Intelligence, role in new product development
Security monitoring services
Firewall and other hardware and software considerations
viruses and electronic sabotage

Books and Textbooks used in IEC 719
Electronic Commerce: Security, Risk Management and Control by Greenstein and Feinman. This is one of the few books specifically on the subject of e-commerce security and was first made available to your professor (WTGR) in the 2nd week of August 2000. It appears that this book is a good match for IEC 719 but sufficient time has not been spent on confirming how closely it fits the Course Outline for 719. At first glance it is "recommended". We will work in relevant chapters to the course outline as we move along.
A great web site, hosted by the publisher is at

ISBN 0-07-229289-x
400 pages soft cover
E-commerce Security: Weak Links, Best Defenses by Dr. Anup Ghosh of Reliable Software Technologies
It appears that this book is a good match for IEC 719 but sufficient time has not been spent on confirming how closely it fits the Course Outline for 719. (A review copy was received 3rd week in August 2000)  At first glance it is "recommended" - though it is not so "text" oriented as the Greenstein/Feinman book. We will work in relevant chapters to the course outline as we move along.

ISBN 0-471-19223-6
260 pages, soft cover

Electronic Commerce: A Managerial Perspective. This book's publication date is listed as 2000. It is an exceptionally good book.  This text will be a key book used in IEC 702 in Sept 2000 and is recommended for IEC 902 as well as IEC 719. One of the first books to be written as a text with questions and exercises at the end of each chapter. A companion website was operating, including the downloadable powerpoints when last checked in Aug 2000.

For IEC 719 we will use 
Chpt 8 - Electronic Payment Systems 
Chpt 10 the section on Legal Issues

ISBN 0-13-975285-4
500 pages, hard cover

publisher web site
Electronic Commerce This book's publication date is listed as Nov 1999. Copies were reviewed in February 2000 and it is considered to be an excellent textbook. As part of the "Course Technology"family it is well supported and the ccompanying web site is extensive. This text will be a key book used in IEC 702 and IEC 719 in Sept 2000 - Companion website. online table of contents

For IEC 719 we will use 
Chpt 7 Electronic Payment Systems
Chpt 5 Security Threats to Electronic Commerce
Chpt 6 Implementing Security for Electronic Commerce
Chpt 11 Legal and Tax Issues

ISBN 0-7600-1179-6
380 pages, soft cover

The Business of the Internet, by Neal Hannon 
This book was first published in Jan 1998. As part of the "Course Technology" family it is well supported and has an accompanying web site. There are some good chapters on Intranets and Business Security issues. We use this book in IEC 702, IEC 719 and IEC 802

For IEC 719 we will use
Chpt 6 Business Security Issues

ISBN 0-7600-4957-2
260 pages, soft cover
Using the Web to Compete in a Global Marketplace was finished by Browning Rockwell in April 1998. Rockwell got several experts to write key chapters so he is the editor, not author.. Browning Rockwell has created the Global Information Network (GIN), an extensive companion Web site to support this book. Rockwell also runs a consulting company.

For IEC 719 we will refer to
Chpt 5 Legal Factors
Chpt 6 Technical and Security Issues

ISBN 0-471-25262-x
300 pages, soft cover

the main required text
Kalakota and Whinston's 1996 book was one of the first books used across North America in e-commerce courses. We used this book at Seneca in 1998 and 1999 but since then, more recent publications have come out which are more up-to-date, however,,,, there is still some material in this book which is worthwhile and in particular, Chpt 6, which deals with the basics of e-payment systems

Copies of this book are available in the Seneca bookstore


1 Sept
Intro to 
IEC 719
  •  introduction of relevance of the topics
  •  outline of major concepts
  • explanation of major assignments and projects
Chapter 7


Before we begin to discuss the different types of payment systems, let's take a perspective from the introduction to Chapters 7 that Schneider and Perry wrote and look at one of the big reasons why companies want to effect EPS.

The answer to that reason is the same fundamental answer to why all companies are trying variants of e-commerce - the answer is "to cut costs".

A substantial amount of the costs medium and large sized companies incur is the costs associated with billing. These costs include the printing and paper costs of making the invoice/bill and envelopes, as well as the postage costs for mailing the bills. Utility companies, for example, can spend $1 to $1.50 on each customer each month sending out tens our thousands of bills.

When you are able to implement an electronic payment system for these types of situations it can save a large company $X00,000's of dollars each billing cycle - in addition, you also have the environmental consideration of saving trees, literally.




Chapter 8
main link for the books web site
This text "Electronic Commerce: A Managerial Perspective", is a required purchase, and will also be used in IEC 702 and IEC 802 + it has an accompanying web site
+ dowloadable .ppt slides for each chapter

Chpt 8 "Electronic Payment Systems"

. Evaluation of payment systems, present, and future [those that may win out in the future market competitiveness of Christmas 2001 and beyond] is based on how they are able to make the customer feel that the transaction is secure, and how they are able to make the vendor feel the transaction will go through as they commit to shipping out the item bought. In study after study through 1999 and 2000, it is reported that the number one hesitation customers have in making a purchase online is security related. Therefore any successful Electronic Payment Systems that achieves market dominance in the future has to be perceived by the customers, and merchants as secure.


There are 36 slides in this .ppt and some of them deal very effectively with the current analysis of SET and whether SET is a success or failure.

The 4 Basic Security requirements in Electronic Payment Systems (from slide 6)

  1. Authentication: A way to verify the buyer’s identity before payments are made
  2. Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
  3. Encryption: A process of making messages indecipherable except by those who have an authorized decryption key

  4. Non-repudiation: Merchants need protection against the customer’s unjustifiable denial of placed orders, and customers need protection against the merchants’ unjustifiable denial of past payment
SET - Secure Electronic Transaction, p. 285
in SET protocol there are 4 entities
  • cardholder
  • merchant
  • Certificate Authority
  • payment gateway - "the role of the payment gateway is to connect the Internet and proprietary networks of banks"
Class Chapter 7


Schneider and Perry write in the beginning of chapter 7 a caution that still holds true 12 months after the book was released in Dec 1999;
"Implementation of electronic payment systems is in its infancy and still evolving. The technical, economic, cultural and legal components of electronic payment systems are not fully understood.. As a result there are a number of competing proposals for implementations of electronic payment systems"
. As a result of the fact that EPS "are not fully understood" and "there are a number of competing proposals", we propose that participants in this course endevour to learn about the fundemental building blocks of payment systems so that when you become aware for competing formats that seem to be moving towards market dominance in 2001/2002, you will be able to understand enough about the critical components that you can judge which one(s) to have your company adopt.

For example; in the Schneider and Perry book they discuss four technologies

  • electronic cash
  • software wallets
  • smart cards
  • credit/debit cards
It is not apparent which one will win out at this stage and as we approach Christmas 2000 it seems that after the Christmas period some of these new technologies, (and the particular EPS brands that are being launched) will prove to be winners or losers over this annual buying period frenzy. By January 2001 we should be able to find articles and reports that some of these technologies did better than others and this may prove helpful in winnowing out which new payment systems may end up being dominant.


"When customers arrive at a store's electronic checkout counter, merchants want to offer them payment options that are safe, covenient and widely accepted. The key is to figure out which choices work best for your company and for your customers"
Schneider and Perry page 212






Chapter 10

Electronic Commerce: Security, Risk Management and Control by Greenstein and Feinman.
While we will use this textbook primarily for the 3rd and 4rth section of this course, Chapter 10 in this book has a good explanation of SET and also compares SET to SSL

One of the helpful things about the web site for this text is the accompanying list of terms for each chapter, for the terms associated with Chapter 10, go to

This text also has downloadable powerpoints. The main site from the publisher is at

The particular powerpoint for Chapter 10 is at

Explanation of SET - Secure Electronic Transaction   Chpt 10, p. 295-296

"SET was developed jointly by MasterCard and Visa with the goal of providing a secure payment environment for the transmission of credit card data. SET specification Version 1.0 was published in May 1997..."
"The basics of SET, Version 1.0 are

  • Confidentiality of information through the use of encryption
  • Integrity of data through the use of digital signatures
  • Cardholder authentification through the use of digital signatures and certificates
  • Merchant authentification through the use of digital signatures and certificates
  • Interoperability through the use of defined protocols and message formats
Secure Electronic Transaction vs. Secure Sockets Layer

According to Greenstein and Feinman (p. 297) "The initial version of SET protocol is considered to be a stronger security mechanism than other transmission protocols, such as SSL, because of SET's stronger authentification features"

Greenstein and Feinman point out that SSL is good at providing confidentiality during the transmission of the data, but alone it does not authenticate either the sender or the receiver of the message. As we discussed in Chpt 8 of the Turban book, Authentication is one of the 4 Basic Security requirements in Electronic Payment Systems.



Chapter 10
Certificate Authorities

Chapter 8
main link for the books web site
SET - Secure Electronic Transaction

The role of Certificate Authorities

Greenstein and Feinman explain, p. 298 that the "SET protocl requires that all parties involved in the transaction hold a valid digital certificate ... this means that both the buyer and seller must have a registered certificate from an approved certificate authority..."

Turban, Lee, King and Chung in "Electronic Commerce: A Managerial Perspective", explain, Chapt 8, p. 280, that
"A Certificate Authority is a body, either public or private, that seeks to fill the need for trusted third-party services in e-commerce. A Certificate Authority accomplishes this by issuing digital certificates that attest to certain facts about the subject of the certificate"

3 Sept
a course titled
CSci 701 Electronic Commerce taught in the School of Engineering and Applied Science
An on-line Powerpoint presentation on 
Electronic Payment Systems
This ppt was written by Shelly Heller
The root directory listing all the ppt slide
presentations is at
Thanks to  Jayashree  Nair for finding this site
Certificate Authorities

PKI and Certificate Authorities

Verisign and the browsers
"There are two leading Certificate Authorities, Verisign and Thawte. Verisign are the market leaders. By their own claims "VeriSign's digital certificate technology has been pre-installed into all the major Web browsers"

Verisign have their public key built in to all common browsers (e.g. Netscape Communicator and Microsoft Internet Explorer) the customer's browser can verify the certificate (to identify the company) and then use the company's authenticated public key when exchanging data with the Web site. The one leap of faith here is that the customer trusts the built-in certificate (which they may not even be aware of). Since they're running the browser code anyway, that leap of faith is not so big. 

. Our purpose in discussing Verisign in this section of the course (we will also refer to the company in the 4th section that deals with Security Concerns) relates to its role as a CA - Certificate Authority.

"To date, VeriSign has issued over 215,000 Web site digital  certificates and over 3.9 million digital certificates for individuals"

Verisign's affiliates in Canada are CIBC and VPN Tech Inc.

OUR IEC matrix  describing  the different Electronic Payment Systems

working on adding in additional information and updating existing information will be one of the tasks for incoming students to IEC 719

an additional reference  - mb digital's matrix of Electronic Payment Systems

Class Electronic 
. To give you an idea of how fast this Electronic Payment Systems environment is moving; just as we were finishing the arrangement of information on this web page for outlineIEC719a.htm, a story was written in the Toronto Star [Nove 24, 2000] about how Scotiabank had teemed up with SONY to create e-gift certificates.


This electronic payment system is based on a smart card gift certificate. Scotiabank has been piloting a smart-card technology in the Barrie area of Ontario. 65,000 residents are using smart cards to do everything from debit transactions to keeping track of loyalty programs to buying things from vending machines.

The gift cetificates can be bought in any demonination and do not have to be spent all at once, they can also be "reloaded".

From the website you can see their press release describing in more detail what they did

"The computer chip on the electronic gift card -- developed by Scotiabank's e-commerce subsidiary e-Scotia -- is read and adjusted with each purchase until the dollar amount runs out. Customers also have the option to re-load the card if they wish. "This marks the first time that a Canadian bank has used this smart card technology to offer electronic gift card gift certificates on a national scale," said Albert Wahbe, Chairman and CEO of e-Scotia and Scotiabank's Executive Vice-President Electronic Banking."
Strategic Alliances in the Electronic Payment Systems community
Electronic Commerce Modeling Language is an alliance of high-tech companies and financial companies to agree on a standard for electronic wallets
A search of the W3C site 04Sept2000 and a look through the ECML site dd not reveal any current information as to the status of how this alliance is progressing towards a situation where the process will become commonly used in transactions
Schneider and Perry note in Chpt 7, p. 230 that "recently a consortium of several high-tech companies and credit card companies proposed another standards initiative to replace the competing electronic wallet standards with a single standard. The consortium of AOL, IBM, Microsoft, Visa and MasterCard has agreed on a technology called ECML".
While there is optomism for ECML, Schneider and Perry caution that "... it is not clear how the proposed ECML standard will incorporate the privacy standards that the W3C has set forth"
Online Shoppers Can Kiss Credit Cards Goodbye
sourced from Yahoo! Singapore - News  (Yahoo has since taken down the link so we have quoted below the essential points)
1999 November 20th                                  By Sherman Fridman, Newsbytes.

Fridman writes that "Shopping online could become much easier for people without credit cards under a new Internet Automatic Teller Machine plan developed by Cash Technologies Inc. 

Market: "Today nearly half of the US population, and one-fourth of those who qualify, do not have credit cards," 

"In order to turn these cardless customers into online spenders, Cash Technologies announced that it has reached agreements with,  an online digital music Website, and privately held Sensar Inc., a manufacturer of "iris recognition products," to begin a pilot project using ATM cards to purchase music products at MP3's Website." "Instead of credit cards, MP3 would use Sensar's iris recognition devices and Cash Technologies' EMMA (E-commerce Messaging Management Architecture) transaction processing system." "MP3 customers participating in the pilot project will be able to use their regular bank ATM card to shop securely over the Internet at MP3's Website. The use of Sensar's iris camera attached to the customer's PC will eliminate the need to send person ID numbers via the Internet, removing the key stumbling block that has prevented the use of ATM cards on the Internet. "

Why is this article interesting? Because it reflects one one many around the world which highlight that older payment systems cannot keep up with the changing demands of on-line B2C and B2B situations




Credit Card 
and their


The big three credit card companies welcome e-business because in these early stages the primary way that people buy products online in B2C situations is with a major credit card - which is good for their business. What worries these companies is
  • the continued concerns of internet shoppers over security
  • the threat from new types of payment systems
  • rapidly rising numbers of charge backs
Visa, Mastercard and Amex have been incurring big losses due to credit card fraud and charge backs. Most of the charge backs have been related to customers of adult web sites who later withdraw from a service and find it difficult because the web site keeps debiting their card. This has become such a big problem that Visa, Mastercard and Amex have had to hire many many people to deal with incoming telephone complaints from customers. - at the same time  they have become much more stringent in evaluating new companies who would like to get a merchant account so they can charge customers credit cards.

What you should look for in reading the material in these next few boxes is information about new products the bog three are bringing out as the forecast what the new payment processes are moving towards. Also, look for ways they are trying to reinforce use of their existing product mainstays - the credit card, at the same time hedge their bets by striking alliances with new situations.

"Visa and MasterCard hold a 75 percent share of the general-purpose credit and charge card network   market in the United States. In large part because board members of one serve on the governing  committees of the other, Visa and MasterCard   effectively act as a single entity, and have conspired to limit competition in the U.S. card industry.”
from the AMEX web site which also gleefully describes the current U.S. Justice Dept. case against VISA and MasterCard
Harvey Golub, chairman and chief executive officer of American Express...“Visa and MasterCard’s    anticompetitive behavior has damaged the interests of consumers; eliminated banks’ freedom of choice to carry out business as they see fit; increased operating costs to merchants, particularly in the debit card arena;  and retarded innovation in the credit card industry.”


Visa's section on their web site titled "Internet shopping" unfortunately is not about the business aspects involved but simply a portal to a lot of web sites were you can buy product using your Visa card

Electronic Wallets are one of the new  features being used in electronic payment systems, unfortunately, the link on Visa's site which is supposed to explain this was down in August 2000 when we first checked

"Visa Sets new security rules for online purchases"
title of Reuters story Aug 10th, 2000

Visa announced it was setting 10 new security rules for transactions done over the internet

the full story is available on Yahoo at
These rules are in effect things which merchants (who handle Visa cards) must do or Visa will withdraw their merchant account. The rules are aimed at making sure these merchants have more stringent security processes as well as beter encryption etc.

Read about Visa's product "Visa ePay"
One of the selling points of this product, targeted at vendors who want a better way of collecting money, is that , your customers' financial   institutions secure funds from their accounts before sending payment orders to your financial institution. This        authorization and settlement of transactions in good funds  means payment assurance and one-time processing 
How Visa ePay works

kewl partnerships
Visa has partnered with Palm. "The Palm VII organizer uses a wireless radio transmitter and web clipping technology along with the new Palm.Net(sm) service to let users get information, conduct e-commerce transactions, and perform instant messaging...Visa's ATM Locator pinpoints the location of any of Visa's 531,000 ATMs in 120 countries worldwide."

Single-use credit card numbers

"... By mid-October,[2000] consumers will be able to obtain a numer  from a secure Web site and use it - just once - to buy from any online merchant  accepting Visa."

full story from Rachel Ross, Toronto Star Technology Reporter at

On this page, Mastercard have an interesting little demo about how e-wallets work plus they have a link to another page that has some very good explanations of the fundamentals of e-wallets
including points explaining the difference between Server Based and Client Based systems

It was also interesting to note that Mastercard had a special section on their site with various .gifs you could use on your own e-commerce site, and they made it quite easy to find this page - they call it their "brand center"

AMEX has a section on their web site titled "Security on the Internet", some might think it is very "lite" and CYA oriented

AMEX use of Digital Certificates
"AMEX currently offers a blue card embedded with a smart chip containing a digital certificate.  "Smart chip technology is very  flexible, and we specifically designed the blue card on a multi-application platform," says  AMEX spokesperson Molly South. 

The card is inserted into a free smart card reader plugged into the user's computer.  The card, together with a PIN number, allows consumers to buy on the Net using their certificate. The card allows access to an online wallet, which contains information such as shipping and  ordering preferences.  This information is automatically transmitted to the merchant's online  order forms.  The system provides instant user-friendly security for both consumer and  merchant.  AMEX officials are hoping it will encourage more widespread consumer  acceptance of online shopping.  Initiatives like this could, however, eventually become the  thin edge of the wedge for developing a universal digital signature for individuals."

by Paul Zaleski, a reporter and staff researcher for Offshore Finance USA magazine.

Single-use credit card numbers

"Last week, (Sept 7th, 2000) American Express announced it will issue single-use credit card numbers to help reduce the risk posed by hackers who steal and reuse numbers from online
 merchants' databases..."

full story from Rachel Ross, Toronto Star Technology Reporter at



Credit Card 
Debit Card 

Datacash, based in the U.K. operates primarily in England and Scotland; with about 800 merchants signed up, it enables vendors to receive credit card and debit card payments via their respective websites.
"The DataCash Payment Gateway is a combination of an online service and a suite of software modules that acts as a real-time payment mechanism for Electronic Commerce over the Internet. DataCash checks the validity of the Credit Card details entered by the cardholder and initiates the transfer of the monies to the bank account of the Merchant."
4 .
ecomm info from DePaul University David Eves (IEC April 2000) found this extensive web site on DePaul Univ's web site  that has many many e-commerce links

Also included is an on-line powerpoint presentation on Digital Cash

Cybercash has incorporated SET into its suite of Internet Payment solutions
Chpt10, p. 296, Greenstein and Feinman