1 Chapter 12 Electronic Commerce Systems COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license


Objectives for Chapter 12

Topologies that are employed to achieve connectivity across the Internet
Protocols, and the specific purposes served by several Internet protocols
Business benefits associated with Internet commerce, and several Internet business models
Risks associated with intranet and Internet electronic commerce
Issues of security, assurance, and trust pertaining to electronic commerce
Electronic commerce implications for the accounting profession

Internet Technologies

Packet switching: messages are divided into small packets; each packet of a message may take a different route to the destination, where the packets are reassembled.
Virtual private network (VPN): a private network carried within a public network (you may connect to UTEP via a VPN).
Extranets: password-controlled network for private users, often outside the company, such as trading partners (vendors and customers).
World Wide Web: an Internet facility that links users locally and globally.
Internet addresses: e-mail address, URL address, IP address.

What is E-Commerce?

The electronic processing and transmission of business data, including:
electronic buying and selling of goods and services
on-line delivery of digital products
electronic funds transfer (EFT)
electronic trading of stocks
direct consumer marketing
electronic data interchange (EDI)
the Internet revolution

Benefits of E-Commerce

Access to a worldwide customer and/or supplier base
Reductions in inventory investment and carrying costs
Reductions in procurement costs
Better customer service
Rapid creation of business partnerships to fill emerging market niches
Reductions in retail prices through lower marketing costs

Risks Associated with E-commerce


General Concerns

Data Security: Are stored and transmitted data adequately protected?

Business Policies: Are policies publicly stated and consistently followed?

Privacy: How confidential are customer and trading partner data?

Business Process Integrity: How accurately, completely, and consistently does the company process its transactions?

Intranet Risks

Intercepting Network Messages (sniffing): interception of user IDs, passwords, confidential e-mails, and financial data files as they cross the internal network.
Accessing Corporate Databases: connections to central corporate databases increase the risk that data will be viewed, corrupted, changed, or copied by employees.
Uncontrolled Expansion: ill-conceived network decisions create a serious threat.

Internet Risks to Businesses

IP Spoofing: masquerading as a trusted host by forging the source IP address of packets, to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity

Technology Failures: disruption caused by hardware failure causes e-business to lose customer credibility and sales revenues

Malicious Programs: viruses, worms, logic bombs, and Trojan horses pose threats to both Internet and Intranet users

DOS Attack (SYN flood)

Normal TCP connection set-up between sender and receiver:
Step 1: the sender transmits a SYN message
Step 2: the receiver answers with SYN/ACK and holds a half-open connection while it waits
Step 3: the sender returns the final ACK and the connection is established

In a DOS attack, the sender transmits hundreds of SYN messages (usually with forged source addresses), receives the SYN/ACK packets, but never responds with the ACK. The receiver's table of half-open connections fills up, and SYN messages from legitimate clients are dropped until the abandoned entries time out.
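The following Python model, added here as an illustration and not part of the textbook chapter, replays the exchange above against a receiver with a fixed table of half-open connections. The backlog size, the time-out, the flood rate and the source addresses (constructed from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are assumptions chosen for the simulation; the legitimate client is the only sender that ever completes step 3.

```python
class TcpListener:
    """Model of a listening socket's queue of half-open connections
    (SYNs answered with SYN/ACK but still waiting for the final ACK).

    backlog:     how many half-open connections the receiver will hold at once
    syn_timeout: ticks a half-open entry is kept before it is discarded
    Time is simulated in ticks so the flood replays deterministically."""

    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}       # (src_ip, src_port) -> tick the SYN arrived
        self.established = set()
        self.dropped = 0          # SYNs refused because the table was full
        self.now = 0

    def on_syn(self, src_ip, src_port):
        """Steps 1 and 2: queue the SYN and answer SYN/ACK if there is room."""
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[(src_ip, src_port)] = self.now
        return True

    def on_ack(self, src_ip, src_port):
        """Step 3: the final ACK completes the handshake."""
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def tick(self):
        """Advance time and expire half-open entries older than syn_timeout."""
        self.now += 1
        for key in [k for k, t in self.half_open.items()
                    if self.now - t > self.syn_timeout]:
            del self.half_open[key]


def simulate(backlog=128, syn_timeout=60, flood_per_tick=50, ticks=10):
    """Replay a SYN flood against one listener and report what happened to
    the legitimate client that tries to connect once per tick."""
    srv = TcpListener(backlog, syn_timeout)
    legit_ok = 0
    port = 40000
    for t in range(ticks):
        # Attacker: flood_per_tick SYNs from spoofed (constructed) sources;
        # no ACK ever follows, so every entry sits in the table until it expires.
        for i in range(flood_per_tick):
            srv.on_syn(f"198.51.100.{i % 254 + 1}", port)
            port += 1
        # Legitimate client: one SYN per tick, and it does send the ACK.
        if srv.on_syn("203.0.113.9", 50000 + t):
            srv.on_ack("203.0.113.9", 50000 + t)
            legit_ok += 1
        srv.tick()
    return {"legit_attempts": ticks, "legit_ok": legit_ok,
            "syns_dropped": srv.dropped, "half_open_left": len(srv.half_open)}


if __name__ == "__main__":
    print("no flood:  ", simulate(flood_per_tick=0))
    print("SYN flood: ", simulate())
```

With no flood every legitimate handshake completes. Under the flood only the first two succeed before the table is full, and because the abandoned entries wait out the long time-out the table never empties again. Real receivers mitigate this with shorter time-outs, larger backlogs and SYN cookies, which let the receiver send SYN/ACK without storing any state until the ACK arrives.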

Controls


Network Control Objectives

establish communications session between sender and receiver

manage flow of data across network

detect errors in data caused by line failure or signal degeneration (static)

detect and resolve data collisions between competing nodes

POLLING METHOD OF CONTROLLING DATA COLLISIONS

Figure: a master site connected to several slave sites; while one slave transmits, the other slaves are locked out.

The "master" polls the "slave" sites to determine whether they have data to transmit. If a slave responds in the affirmative, the master locks the network while that slave's data are transmitted. Polling allows priorities to be set for data communications across the network.

TOKEN PASSING

Figure: a token ring of nodes (each holding local files) and a server (holding the central files) attached to a WAN. A token circulates around the ring, either empty or containing data. A node may transmit only when it captures the empty token, so two nodes never transmit at the same time.

Carrier Sensing

Random access technique that detects collisions when they occur (like stepping out into traffic). Widely used; found on Ethernets.
A node wishing to transmit "listens" to the line to determine whether it is in use. If the line is busy, it waits and listens again.
Collisions occur when two nodes listen, hear no message transmitting, and then begin transmitting simultaneously. The data collide, and both nodes stop and retry after a random back-off interval (microseconds, not seconds, on an Ethernet).
Disadvantage: becomes a problem as network traffic increases. The line may not be used optimally when multiple nodes are trying to transmit simultaneously.

Encryption Techniques

Private key (symmetric) encryption: sender and receiver share one secret key, which both encrypts and decrypts. Fast, but the secret key must be delivered to every trading partner over a secure channel and protected by each of them, and any party holding it can forge messages as well as read them.
Public key (asymmetric) encryption: each party has a key pair. Solves the key distribution problem and makes digital signatures possible, at a higher computational cost. In practice the two are combined: a public key exchange protects a symmetric session key.

Figure: Data Encryption with a private key. At Company A the encryption program turns the cleartext message into ciphertext, the communication system carries it to Company B, and there the encryption program uses the same private key to recover the cleartext message.

Public Key Encryption

Two keys: a public key, which can be distributed freely, and a private key, which the owner never discloses.
The sender encodes the message with the recipient's public key.
The recipient decrypts with the matching private key.
After encryption, the sender cannot decrypt the message: only the holder of the private key can.

Figure: Company A encrypts with Company B's public key; Company B decrypts with its own private key.

E-Commerce Security: Digital Authentication

Digital signature: electronic authentication technique that ensures a transmitted message originated with the holder of the signing private key (the authorized sender) and that it was not tampered with after the signature was applied. The sender signs a hash of the message with the private key; anyone holding the public key can verify the signature.
Digital certificate: like an electronic identification card, used in conjunction with a public key encryption system to verify the authenticity of the message sender. A certification authority signs the binding between the sender's name and its public key, so the recipient relies on the CA's signature rather than on a bare key received over the network.
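The following Python code is an added illustration of the two slides above (public key encryption, and digital signatures and certificates); it is not from the textbook and it is not a real cryptographic library. It uses textbook RSA with fixed small Mersenne primes, no padding, a truncated SHA-256 hash and a certificate represented as a plain dictionary. Company A, Company B and the CA are the parties named on the slides; every key, certificate and message here is constructed for the example.

```python
import hashlib

# Textbook RSA with fixed Mersenne primes and no padding. Illustration only:
# production code uses a vetted library (RSA-OAEP/RSA-PSS, or ECDSA) and
# CA-issued X.509 certificates, not the hand-rolled dictionary below.
E = 65537


def make_keypair(p, q):
    """Return ((e, n), (d, n)) for two primes p and q. A real key generator
    draws large random primes; here they are fixed so the example is repeatable."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent; ValueError if gcd(E, phi) != 1
    return (E, n), (d, n)


def encrypt(public_key, message):
    """Sender: encode the message with the recipient's PUBLIC key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Recipient: decode with the PRIVATE key. Applying the public key again
    would not recover the message, which is why the sender cannot decrypt.
    (Leading 0x00 bytes are not preserved by this toy encoding.)"""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data):
    """First 128 bits of SHA-256, so the value lies below both toy moduli."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key, data):
    """Digital signature: the hash of the data raised to the private exponent."""
    d, n = private_key
    return pow(digest(data), d, n)


def verify(public_key, data, signature):
    """Anyone with the public key can check origin and integrity."""
    e, n = public_key
    return pow(signature, e, n) == digest(data)


def issue_certificate(ca_private, subject, subject_public):
    """The certification authority vouches for identity by signing the binding
    between a subject's name and its public key."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public, "ca_sig": sign(ca_private, body)}


def verify_certificate(ca_public, cert):
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return verify(ca_public, body, cert["ca_sig"])


# Company A's key pair and the CA's key pair (assumed parties, as on the slides).
# Mersenne primes 2^61-1, 2^89-1, 2^31-1 and 2^127-1 keep the example
# deterministic; they are far too small for real use.
COMPANY_A_PUB, COMPANY_A_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = make_keypair(2**31 - 1, 2**127 - 1)
CERT_A = issue_certificate(CA_PRIV, "Company A", COMPANY_A_PUB)


def company_b_receives(cert, message, signature):
    """Company B checks the certificate against the CA's public key, then the
    signature against the certified public key, before trusting the message."""
    if not verify_certificate(CA_PUB, cert):
        return "reject: certificate not issued by the CA"
    if not verify(cert["public"], message, signature):
        return "reject: signature does not match message"
    return f"accept: signed by {cert['subject']}"


if __name__ == "__main__":
    order = b"PO#4471 qty 120"                     # constructed sample message
    sig = sign(COMPANY_A_PRIV, order)
    print(company_b_receives(CERT_A, order, sig))
    print(company_b_receives(CERT_A, b"PO#4471 qty 920", sig))
```

The receiving side checks two things in order: that the certificate really was signed by the CA (identity), and that the message signature verifies under the certified public key (origin and integrity). Altering one digit of the order, or swapping the subject name in the certificate, fails the corresponding check.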

E-Commerce Security: Firewalls

Firewalls: software and hardware that provide a focal point for security by channeling all network connections through a controlled gateway.
Network level firewalls: low cost, low security access control. A screening router forwards or drops each packet on the basis of its source and destination addresses and ports. This method does not explicitly authenticate outside users, so an attacker may penetrate the system by IP spoofing: forging an internal source address that the screening rules trust.
Application level firewalls: high level, high cost, customizable network security. Allows routine services and e-mail to pass through, but can perform sophisticated functions such as logging or user authentication for specific tasks.
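Added illustration (not from the textbook): two screening-router rule sets written in Python and evaluated over constructed packets. The address block 10.1.0.0/16, the interface names and the sample packets are assumptions made for the example. The first rule set trusts any packet whose source address is internal, which is exactly what IP spoofing exploits; the second also checks which interface the packet arrived on.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed corporate address block
PUBLIC_PORTS = (80, 443)                             # assumed: the public web server


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    src: str        # source IP address as written in the packet header
    dst: str
    dport: int


def address_only_filter(pkt):
    """Screening-router rule keyed on addresses alone: any packet whose source
    claims to be internal is let through. This is the weak rule the slide
    describes; a forged internal source address defeats it."""
    if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "allow"
    if pkt.dport in PUBLIC_PORTS:
        return "allow"
    return "deny"


def ingress_aware_filter(pkt):
    """Same policy plus an anti-spoofing check: an internal source address is
    only credible on the inside interface, and an external one only on the
    outside interface."""
    src_internal = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    if pkt.iface == "outside" and src_internal:
        return "deny"        # spoofed: internal addresses cannot arrive from outside
    if pkt.iface == "inside" and not src_internal:
        return "deny"        # spoofed the other way: inside host forging a public source
    if src_internal:
        return "allow"
    if pkt.dport in PUBLIC_PORTS:
        return "allow"
    return "deny"


# Constructed sample traffic (not captured data); 203.0.113.0/24 is a
# documentation range standing in for an Internet customer.
SAMPLE = [
    Packet("outside", "203.0.113.7", "10.1.2.10", 443),   # customer -> web server
    Packet("outside", "203.0.113.7", "10.1.2.20", 1433),  # outsider -> database port
    Packet("outside", "10.1.5.5", "10.1.2.20", 1433),     # spoofed internal source
    Packet("inside", "10.1.5.5", "10.1.2.20", 1433),      # genuine internal client
]


def evaluate(rule, packets=SAMPLE):
    """Apply one rule function to each packet and return the decisions in order."""
    return [rule(p) for p in packets]


if __name__ == "__main__":
    for name, rule in (("address only", address_only_filter),
                       ("ingress aware", ingress_aware_filter)):
        print(f"{name:14s}", evaluate(rule))
```

The third packet is the one that matters: it arrives on the outside interface with a source address inside 10.1.0.0/16. The address-only rule admits it to the database port; the ingress-aware rule drops it, because no legitimate internal packet can enter from the outside. Checking the arrival interface is the screening-router form of anti-spoofing ingress filtering.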

Assurance

"Trusted" third-party organizations offer seals of assurance that businesses can display on their Web site home pages:
BBB
TRUSTe
VeriSign, Inc.
ICSA
AICPA/CICA WebTrust
AICPA/CICA SysTrust

Implications for Accounting: Privacy violation

Major issues:
a stated privacy policy
consistent application of stated privacy policies
what information the company is capturing
sharing or selling of information
ability of individuals and businesses to verify and update information held on them
Safe Harbor Agreement: the US-EU framework, built on the EU's 1995 Data Protection Directive, that establishes standards for information transmittal between US and European companies

Implications for Accounting: XBRL

Audit implications:
taxonomy creation: an incorrect taxonomy results in invalid mapping that may cause material misrepresentation of financial data
validation of instance documents: ensure that the appropriate taxonomy and tags have been applied
audit scope and timeframe: impact on auditor responsibility as a consequence of real-time distribution of financial statements

Implications for Accounting: Auditing

Continuous process auditing: auditors review transactions at frequent intervals or as they occur
intelligent control agents: heuristics that search electronic transactions for anomalies
Electronic audit trails: electronic transactions are generated without human intervention, so there is no paper audit trail

Implications for Accounting: Security

Confidentiality of data: open system designs expose mission-critical information to intruders unless it is protected
Authentication: in e-commerce systems, determining the identity of the customer is not a simple task
Nonrepudiation: repudiation of a transaction can lead to uncollected revenues or legal action; use digital signatures and digital certificates

Implications for Accounting

Certification authority (CA) licensing: a trusted third party vouches for identity
Data integrity: determine whether data has been intercepted and altered
Access controls: prevent unauthorized access to data
Changing legal environment: provide the client with an estimate of legal exposure

Protocols

Protocol Functions

Facilitate physical connection between network devices.
Synchronize transfer of data between physical devices.
Provide a basis for error checking and measuring network performance.
Promote compatibility among network devices.
Promote network designs that are flexible, expandable, and cost-effective.

Internet Protocols

Transmission Control Protocol/Internet Protocol (TCP/IP): controls how individual packets of data are formatted, addressed, transmitted, and received
Hypertext Transfer Protocol (HTTP): the request/response protocol that web browsers and servers use to exchange pages (not the same as HTML, which describes the page content)
File Transfer Protocol (FTP): used to transfer files across the Internet
Simple Mail Transfer Protocol (SMTP): e-mail transfer (SNMP, by contrast, is the Simple Network Management Protocol, used to monitor network devices)
Secure Sockets Layer (SSL, since superseded by TLS): encrypts and authenticates the connection between browser and server; Secure Electronic Transaction (SET): a protocol for protecting card payments over the Internet

HTML: Hyper Text Markup Language

Format used to produce Web pages. Defines page layout, fonts, and graphic elements used to lay out information for display in an appealing manner, like one sees in magazines and newspapers. Using both text and graphics (including pictures) appeals to users.
Hypertext links to other documents on the Web: even more pertinent is HTML's support for hypertext links in text and graphics that enable the reader to "jump" to another document located anywhere on the World Wide Web.

XML: eXtensible Markup Language

XML is a meta-language for describing markup languages.
Extensible means that any markup language can be created using XML. This includes creating markup languages capable of storing data in relational form, where tags (which label the data rather than format it) are mapped to data values.
XML can be used to model the data structure of an organization's internal database.

Comparing HTML and XML

XBRL: eXtensible Business Reporting Language

XBRL is an XML-based language for standardizing methods for preparing, publishing, and exchanging financial information, e.g., financial statements.
XBRL taxonomies are classification schemes: they define the tags (concepts) an instance document may use. Advantages:
Businesses offer expanded financial information to all interested parties virtually instantaneously.
Companies that use XBRL database technology can further speed the process of reporting.
Consumers import XBRL documents into internal databases and analysis tools to greatly facilitate their decision-making processes.
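Added Python illustration (not from the textbook) of tags mapped to data values and of the instance-document validation the chapter calls for under XBRL: rows from an internal table are written out as an XML instance document, then checked against a small hypothetical taxonomy. The taxonomy, the element names and the sample figures are all constructed for the example; XBRL itself uses published XML Schema taxonomies, not a Python dictionary.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Hypothetical miniature taxonomy: tag -> (data type, required). Real XBRL
# taxonomies are XML Schema documents with thousands of concepts.
TAXONOMY = {
    "FiscalYear":  ("year", True),
    "Revenue":     ("monetary", True),
    "CostOfSales": ("monetary", True),
    "GrossProfit": ("monetary", True),
}

# Constructed rows, as they might come from an internal database table.
ROWS = [
    {"FiscalYear": "2006", "Revenue": "1250000.00",
     "CostOfSales": "800000.00", "GrossProfit": "450000.00"},
    {"FiscalYear": "2005", "Revenue": "1100000.00",
     "CostOfSales": "720000.00", "GrossProfit": "380000.00"},
]


def rows_to_instance(rows, root="FinancialReport", record="Statement"):
    """Map each column name to a tag and each cell to that tag's data value."""
    top = ET.Element(root)
    for row in rows:
        rec = ET.SubElement(top, record)
        for name, value in row.items():
            ET.SubElement(rec, name).text = value
    return ET.tostring(top, encoding="utf-8")


def validate_instance(xml_bytes, record="Statement"):
    """Return a list of problems with the instance document. An empty list means
    every tag is in the taxonomy, every value has the taxonomy's type, required
    tags are present, and GrossProfit equals Revenue minus CostOfSales."""
    problems = []
    root = ET.fromstring(xml_bytes)
    for i, rec in enumerate(root.findall(record)):
        values = {}
        for el in rec:
            if el.tag not in TAXONOMY:
                problems.append(f"record {i}: unknown tag <{el.tag}>")
                continue
            kind, _ = TAXONOMY[el.tag]
            text = (el.text or "").strip()
            try:
                values[el.tag] = Decimal(text) if kind == "monetary" else int(text)
            except (InvalidOperation, ValueError):
                problems.append(f"record {i}: <{el.tag}> value {text!r} is not {kind}")
        for name, (_, required) in TAXONOMY.items():
            if required and name not in values:
                problems.append(f"record {i}: missing required tag <{name}>")
        if {"Revenue", "CostOfSales", "GrossProfit"} <= values.keys():
            if values["GrossProfit"] != values["Revenue"] - values["CostOfSales"]:
                problems.append(f"record {i}: GrossProfit != Revenue - CostOfSales")
    return problems


if __name__ == "__main__":
    instance = rows_to_instance(ROWS)
    print(instance.decode())
    print("problems:", validate_instance(instance))
```

The validator reports unknown tags (a mis-mapped column), values of the wrong type, missing required elements and a failed arithmetic check between related concepts; the same checks at full scale are what an auditor wants before accepting an instance document. Instance documents received from an outside party should be parsed with entity expansion disabled (for example through the defusedxml package) rather than with the bare standard-library parser used here for brevity.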

Networks

Local Area Network (LAN)

Computers located close together (in the same building or campus) linked together to share data, software, and hardware.
Physical connection of workstations to the LAN is achieved through a network interface card (NIC).
The server stores the network operating system, application programs, and data to be shared.

Topologies

Star Topology

Network of workstations with a large central computer (host).
The host computer has direct connections to the workstations.
All communications must go through the host computer. Workstations can do local processing even if the host is down.

Figure: Star Network. The host holds the central data; each of the sites (Topeka, St. Louis, Kansas City, Dallas, Tulsa) holds local data and is linked directly to the host.

Ring Topology

Configuration eliminates the central site. All nodes are of equal status (peers).
Responsibility for managing communications is distributed among the nodes.
Common resources shared by all nodes can be centralized and managed by a file server that is also a node.

Figure: Ring Topology. Nodes holding local files are linked in a ring together with a server holding the central files.

Bus Topology

Nodes are all connected to a common cable, the bus.
Communications and file transfers between workstations are controlled by the server.
Generally less costly to install than a ring topology.

Figure: Bus Topology. Nodes holding local files, a server holding the central files, and a print server all attach to the one bus.

Client-Server Topology

This configuration distributes the processing between the user's (client's) computer and the central file server.
Both types of computers are part of the network, but each is assigned the functions it performs best.
This approach reduces data communications traffic, thus reducing queues and improving response time.

Figure: Client-Server Topology. The server holds the common files and provides the record-searching capability; each client has its own data manipulation capability, so only the records a client asks for need to cross the network.

Wide Area Network (WAN)

A WAN is a network dispersed over a wider geographic area than a LAN. Typically requires the use of:
gateways to connect different types of LANs
bridges to connect LANs of the same type
WANs may use common carrier facilities: telephone lines or a Value Added Network (VAN).

Figure: several LANs joined into a WAN; a bridge links two LANs of the same type, and gateways link the LANs to the WAN.

Electronic Data Interchange (EDI)

Exchange of business transaction information between companies, in a standard format, via a computerized information system.

In "pure" EDI systems, human involvement is not necessary to approve transactions, so application controls must do the checking a person would otherwise do. (Very few pure EDI systems exist.)

Figure: EDI System. At Wal-Mart, the purchases system passes transactions through application software, EDI translation software, and communications software to Wal-Mart's mailbox; at our company, the sales order system's application software receives them through the same chain from our company's mailbox. The two mailboxes are linked either by a direct connection (used for many transactions) or through a VAN (used for few transactions).
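Added illustration in Python (not from the textbook): a sending-side translator, a receiving-side translator, and the application controls that stand in for human approval in a pure EDI flow. The segment format, the partner identifiers OURCO0001 and WALMART01, the per-partner quantity limit and the sample purchase order are all assumptions made for the example; the format is deliberately simpler than the ANSI X12 and EDIFACT standards used in practice.

```python
# Hypothetical delimited EDI-style format, used only for this illustration (it is
# not ANSI X12 or EDIFACT). Segments end with "~", elements are separated by "*":
#   HDR*<sender id>*<receiver id>*<control number>~
#   PO*<purchase order number>*<date YYYYMMDD>~
#   LIN*<sku>*<quantity>*<unit price>~      (one per line item)
#   TRL*<total segment count, including TRL>~

OUR_ID = "OURCO0001"                     # assumed: our company's partner id
APPROVED_PARTNERS = {                    # assumed: trading-partner master file
    "WALMART01": {"max_line_qty": 5000},
}


def translate_out(doc):
    """Application record -> EDI message (the sending side's translation software)."""
    segs = [f"HDR*{doc['sender']}*{doc['receiver']}*{doc['control']}",
            f"PO*{doc['po_number']}*{doc['date']}"]
    for sku, qty, price in doc["lines"]:
        segs.append(f"LIN*{sku}*{qty}*{price}")
    segs.append(f"TRL*{len(segs) + 1}")  # count includes the trailer itself
    return "~".join(segs) + "~"


def translate_in(message):
    """EDI message -> application record (the receiving side's translation software)."""
    segs = [s.split("*") for s in message.rstrip("~").split("~")]
    hdr, po, trl = segs[0], segs[1], segs[-1]
    if hdr[0] != "HDR" or po[0] != "PO" or trl[0] != "TRL":
        raise ValueError("malformed message: missing HDR/PO/TRL segment")
    lines = [(s[1], int(s[2]), s[3]) for s in segs[2:-1] if s[0] == "LIN"]
    return {"sender": hdr[1], "receiver": hdr[2], "control": hdr[3],
            "po_number": po[1], "date": po[2], "lines": lines,
            "declared_segments": int(trl[1]), "actual_segments": len(segs)}


def validate_inbound(message):
    """Checks that replace human approval in a 'pure' EDI flow. Returns the
    reasons to reject the order; an empty list means it may be processed."""
    problems = []
    doc = translate_in(message)
    partner = APPROVED_PARTNERS.get(doc["sender"])
    if partner is None:
        problems.append(f"sender {doc['sender']} is not an approved trading partner")
    if doc["receiver"] != OUR_ID:
        problems.append(f"message addressed to {doc['receiver']}, not to us")
    if doc["declared_segments"] != doc["actual_segments"]:
        problems.append("segment count mismatch: message truncated or altered in transit")
    if not doc["lines"]:
        problems.append("purchase order has no line items")
    for sku, qty, _ in doc["lines"]:
        if qty <= 0 or (partner and qty > partner["max_line_qty"]):
            problems.append(f"line {sku}: quantity {qty} outside authorized range")
    return problems


# Constructed sample: a purchase order from Wal-Mart's mailbox to our mailbox.
SAMPLE_PO = {"sender": "WALMART01", "receiver": OUR_ID, "control": "000000123",
             "po_number": "4471", "date": "20061215",
             "lines": [("SKU-1001", 120, "4.95"), ("SKU-2042", 40, "19.50")]}


if __name__ == "__main__":
    msg = translate_out(SAMPLE_PO)
    print(msg)
    print("problems:", validate_inbound(msg))
```

The trailer's segment count is the message-level completeness check: a message that loses or gains a segment between the two mailboxes fails it. The partner lookup and the quantity limit are the authorization checks that a clerk would otherwise apply before a purchase order flowed straight into the sales order system.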

Advantages of EDI

Reduction or elimination of data entry
Reduction (not elimination) of errors
Reduction of paper, paper processing, and postage
Reduction of inventories (via JIT systems)