
Ensuring information security of trade enterprises, retail chains and their infrastructure

The security components of e-commerce are

The number of Internet users has reached several hundred million, and a new phenomenon has appeared in the form of a "virtual economy", in which purchases are made through shopping sites using new business models, their own marketing strategies, and so on.

Electronic commerce (EC) is the business of selling goods over the Internet. As a rule, two forms of EC are distinguished:

    trade between enterprises (business to business, B2B);

    trade between businesses and individuals, i.e. consumers (business to consumer, B2C).

EC has given rise to new concepts such as:

    An electronic store: a storefront and trading system used by manufacturers or dealers to sell goods for which there is demand.

    An electronic catalog, with a wide range of products from various manufacturers.

    An electronic auction: an analogue of a classic auction built on Internet technologies, with its characteristic reliance on a multimedia interface, an Internet access channel, and the display of product characteristics.

    An electronic department store: an analogue of an ordinary department store, in which established firms with effective product brands display their goods (Gostiny Dvor, GUM, etc.).

    Virtual communities, in which buyers are organized by interest groups (fan clubs, associations, etc.).

The Internet brings significant benefits to EC:

    the savings of large private companies from moving purchases of raw materials and components to Internet exchanges reach 25-30%;

    participation of competing suppliers from all over the world in a real-time auction leads to lower prices offered by them for the supply of goods or services;

    higher prices for goods or services as a result of competition among buyers from all over the world;

    savings from reducing the number of required employees and the amount of paperwork.

The dominant position in EC in Western countries has been taken by the B2B sector, which by 2007, according to various estimates, will reach 3 to 6 trillion dollars.

The first to benefit from the transfer of their business to the Internet were companies selling hardware and software and providing computer and telecommunications services.

Each online store includes two main components: an electronic storefront and a trading system.

The electronic storefront contains information on the goods being sold on the Web site, provides access to the store database, registers customers, works with the shopper's electronic "basket", places orders, collects marketing information, and transfers information to the trading system.

The trading system delivers the goods and arranges payment for them. A trading system may also be a collection of stores owned by different firms that lease space on a Web server owned by a separate company.

The technology of an online store works as follows:

    The buyer selects the desired product on the electronic storefront (the Web site with a catalog of goods and prices) and fills out a form with personal data (name, postal and e-mail addresses, preferred method of delivery and payment). If payment is made via the Internet, special attention must be paid to information security.

    The order is transferred to the trading system of the online store, where it is fulfilled. The trading system operates in a manual or automated mode. The manual mode works on the mail-order (Sendtorg) principle and is used when it is impossible to purchase and set up an automated system, as a rule with an insignificant volume of goods.

    Delivery and payment. Goods are delivered to the buyer in one of the following ways:

    by the store's own courier within the city and the surrounding area;

    by a specialized courier service (including from abroad);

    by self-pickup;

    over telecommunication networks, for the specific product that is information.

Payment for goods can be made in the following ways:

    in advance or at the time of receipt of the goods;

    in cash to the courier or when visiting a physical store;

    by postal order;

    by bank transfer;

    cash on delivery;

    by credit card (VISA, MasterCard, etc.);

    through electronic payment systems operated by individual commercial banks (TELEBANK, ASSIST, etc.).

Recently, e-commerce, or trade via the Internet, has been developing quite rapidly around the world. Naturally, this process takes place with the direct participation of financial institutions. This method of trading is becoming ever more popular, at least where a significant share of enterprises and the population can make use of the new electronic market.

Commercial activity in electronic networks removes some physical limitations. By connecting their computer systems to the Internet, companies are able to provide customer support 24 hours a day, seven days a week. Orders can be accepted at any time from anywhere.

However, this "medal" has its reverse side. Abroad, where e-commerce is most widely developed, transactions or the cost of goods are often limited to $300-400. This is due to the insufficient solution of information security problems in computer networks. According to the UN Committee on Crime Prevention and Control, computer crime has become one of the international problems. In the United States, this type of criminal activity ranks third in profitability after arms and drug trafficking.

World e-commerce turnover via the Internet in 2006, according to forecasts by Forrester Tech., could be anywhere from 1.8 to .2 trillion dollars. Such a wide forecast range is determined by the problem of ensuring the economic security of e-commerce. If security remains at its current level, global e-commerce turnover could be even lower. It follows that the low security of e-commerce systems is a deterrent to the development of e-business.

The solution to the problem of ensuring the economic security of e-commerce is primarily associated with the solution of issues of protecting information technologies used in it, that is, with ensuring information security.

The integration of business processes into the Internet environment is leading to a fundamental change in the security situation. Creating rights and obligations on the basis of an electronic document requires comprehensive protection against the entire set of threats, for both the sender of the document and its recipient.

Unfortunately, e-commerce business leaders become fully aware of the severity of information threats and the importance of organizing the protection of their resources only after those resources have been exposed to attacks. As can be seen, all of the obstacles listed above relate to the field of information security.

Among the main requirements for conducting commercial transactions are confidentiality, integrity, authentication, authorization, guarantees and secrecy.

The basic tasks in achieving information security are ensuring its availability, confidentiality, integrity and legal significance. Each threat must be considered in terms of how it can affect these four properties of secure information. Confidentiality means that restricted information is available only to its intended recipient. Integrity of information is its property of existing in an undistorted form. Availability of information is determined by the ability of the system to provide timely and unimpeded access to information for subjects having the proper authority. Legal significance of information has been gaining importance in recent years, together with the creation of a regulatory framework for information security in our country.

While the first four requirements can be met by technical means, the fulfillment of the last two depends both on technical means and on the responsibility of individuals and organizations, as well as on compliance with laws that protect the consumer from possible fraudulent sellers.

Within the framework of comprehensive information security, it is first of all necessary to identify the key e-business security concerns, which include: protection of information during its transmission over communication channels; protection of computer systems, databases and electronic document management; ensuring long-term storage of information in electronic form; ensuring the security of transactions, the secrecy of commercial information, authentication, protection of intellectual property, etc.

There are several types of e-commerce threats:

    Penetration into the system from the outside.

    Unauthorized access within the company.

    Intentional interception and reading of information.

    Deliberate corruption of data or disruption of networks.

    Incorrect (fraudulent) user identification.

    Hacking hardware and software protection.

    Unauthorized user access from one network to another.

    Virus attacks.

    Denial of service.

    Financial fraud.

To counter these threats, a number of methods based on various technologies are used, namely: encryption of data, which prevents it from being read or altered in transit; digital signatures, which verify the identity of the sender and the integrity of the message; technologies based on electronic keys (hardware tokens); firewalls; and virtual private networks.

None of the protection methods is universal; for example, firewalls do not scan for viruses and cannot ensure data integrity. There is no absolutely reliable way to counter the breaking of automated protection, and it is only a matter of time before it is broken. But the time needed to break such protection depends, in turn, on its quality. It must be said that software and hardware for protecting connections and applications on the Internet have been developed for a long time, although new technologies are being introduced somewhat unevenly.

The threats that lie in wait for an e-commerce company at every stage include:

    substitution of the web page of the electronic store's server (redirecting requests to another server), which exposes information about the client, especially credit card details, to third parties;

    creation of false orders and various forms of fraud on the part of employees of an electronic store, for example, manipulation with databases (statistics indicate that more than half of computer incidents are associated with the activities of their own employees);

    interception of data transmitted over e-commerce networks;

    the penetration of intruders into the company's internal network and the compromise of the components of the electronic store;

    denial of service attacks that disrupt or disable the e-commerce site.

As a result of such threats being realized, the company loses customer trust, loses money from potential and/or incomplete transactions, suffers disruption of the electronic store, and spends time, money and human resources on restoring its operation.

Of course, threats associated with the interception of information transmitted over the Internet are not unique to e-commerce. What makes them particularly significant here is that information of great economic value circulates in its systems: credit card numbers, account numbers, the contents of contracts, etc.

At first glance, it may seem that each such incident is nothing more than the internal affair of a specific e-business entity. However, recall the year 2000, which was marked by massive outages of leading e-business servers whose activities are truly nationwide: Yahoo!, eBay, Amazon, Buy, CNN, ZDNet, Datek and E*Trade. An FBI investigation showed that these servers went down because of a multiply increased number of service requests sent to them in DoS attacks. For example, the flow of requests to the Buy server exceeded the average by 24 times and the previous maximum by 8 times. According to various estimates, the economic damage suffered by the American economy from these attacks was around the one and a half billion dollar mark.

Ensuring security is not only a prerequisite for a successful e-business but also the foundation for trusting relationships between counterparties. The very essence of e-business involves active information exchange and the conduct of transactions over an unprotected public network, which are simply impossible without trust between business entities. Security is therefore comprehensive in nature, covering tasks such as access to Web servers and Web applications, user authentication and authorization, data integrity and confidentiality, implementation of electronic digital signatures, and so on.

With the increasing commercialization of the Internet, more and more attention is paid to protecting information transmitted over the network. Specialized protocols designed for secure interaction over the Internet (for example, SET, SOCKS5, SSL, SHTTP, etc.) have gained wide acceptance all over the world and are successfully used by foreign developers to build Internet-based banking and trading systems.

Abroad, the Internet Security Task Force (ISTF) is an independent consortium made up of representatives and experts from information security vendors, e-businesses and Internet service providers.

The ISTF consortium identifies twelve areas of information security on which the attention of e-business organizers should be focused first of all, including:

    mechanism for objective confirmation of identifying information;

    the right to personal, private information;

    defining security events;

    protection of the corporate perimeter;

    identification of attacks;

    control of potentially dangerous content;

    access control;

    administration;

    reaction to events.

It is known that the use of electronic digital signature (EDS) algorithms allows reliable protection against many threats, but this holds only if these algorithms are woven into sound interaction protocols, a legally correct structure of relations and a logically closed system of trust.

Information security here rests on the simple logic of computing a digital signature and verifying it with a pair of corresponding keys; that logic, however, is based on fundamental mathematical research. Only the owner of the private key can compute a digital signature, and anyone holding the public key corresponding to that private key can verify it.
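As an added example (not part of the original article), the following Go program walks through the process described above using the Ed25519 scheme from Go's standard library: the private-key holder signs a constructed sample order, anyone with the public key verifies it, and verification fails both when the signed content is altered and when a different key produced the signature. The document layout, field names and key handling are assumptions of this example, not the article's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles an electronic document with the signature over it
// and the signer's public key, which is what a recipient needs to verify it.
// (Layout constructed for this example; the article names no concrete format.)
type SignedDocument struct {
	Body      []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// digest fixes the exact bytes that get signed: a SHA-256 hash of the body.
// Ed25519 hashes internally too, but signing a digest keeps the signed value
// small and makes "what exactly was signed" explicit.
func digest(body []byte) []byte {
	h := sha256.Sum256(body)
	return h[:]
}

// Sign is the step only the private-key holder can perform.
func Sign(priv ed25519.PrivateKey, body []byte) SignedDocument {
	return SignedDocument{
		Body:      body,
		Signature: ed25519.Sign(priv, digest(body)),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the step anyone holding the matching public key can perform.
// It reports whether the signature was produced over exactly this body by
// the private key that corresponds to doc.PublicKey.
func Verify(doc SignedDocument) bool {
	if len(doc.PublicKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject instead
	}
	return ed25519.Verify(doc.PublicKey, digest(doc.Body), doc.Signature)
}

// TamperedCopy attaches the original signature to altered content, which is
// all a forger who has the document but not the key can produce.
func TamperedCopy(doc SignedDocument, newBody []byte) SignedDocument {
	return SignedDocument{Body: newBody, Signature: doc.Signature, PublicKey: doc.PublicKey}
}

func main() {
	// Constructed sample order; the amount is the field a fraudster would change.
	order := []byte(`{"order":"A-1001","item":"router","amount":"149.00"}`)

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := Sign(priv, order)
	fmt.Println("genuine document verifies:", Verify(doc))

	forged := TamperedCopy(doc, []byte(`{"order":"A-1001","item":"router","amount":"1.00"}`))
	fmt.Println("altered content verifies:", Verify(forged))

	// A second key pair cannot produce a signature that checks out under the
	// original public key, however plausible the document looks.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	impostor := Sign(otherPriv, order)
	impostor.PublicKey = doc.PublicKey
	fmt.Println("other key's signature verifies:", Verify(impostor))
}
```

Run it with `go run` and the three lines print true, false, false. Note what the program does not do: it says nothing about who owns the public key. Binding a key to a legal person is the job of the certificate, policy and trust structure the paragraph above insists on.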

Of course, specialists in this field should be involved in ensuring information security, but the heads of state authorities, enterprises and institutions, regardless of the form of ownership, who are responsible for the economic security of certain economic entities, must constantly keep these issues in their field of vision. For them, below are the main functional components of the organization of an integrated information security system:

    communication protocols;

    means of cryptography;

    means of controlling access to workplaces from public networks;

    antivirus complexes;

    intrusion detection and auditing programs;

    means for centralized management of user access control, and for the secure exchange of data packets and messages of any application over open networks.

On the Internet there have long been a number of committees, mostly volunteer organizations, that carefully guide proposed technologies through the standardization process. These committees, which make up the bulk of the Internet Engineering Task Force (IETF), have standardized several important protocols, accelerating their adoption on the Internet. Protocols such as the TCP/IP family for data transmission, SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) for e-mail, and SNMP (Simple Network Management Protocol) for network management are direct results of the IETF's efforts. The type of protection product used depends on the needs of the company.

Protocols for secure data transmission, namely SSL, SET and IPv6, are popular on the Internet. These protocols appeared on the Internet relatively recently, as the need to protect valuable information arose, and immediately became de facto standards. Recall that the Internet was created several decades ago for the scientific exchange of information of little commercial value.

Unfortunately, in Russia there is still great caution about introducing the Internet into areas of activity associated with the transmission, processing and storage of confidential information. This caution is explained not only by the conservatism of domestic financial structures, which fear the openness and accessibility of the Internet, but in part by the fact that most information security software from Western manufacturers enters our market with export restrictions on the cryptographic algorithms implemented in it. For example, the export versions of WWW server and browser software from manufacturers such as Microsoft and Netscape Communications have restrictions on the key length of the symmetric and public-key algorithms used by SSL, which does not provide full protection when working on the Internet.

E-commerce applications are subject not only to internal threats but also to external threats from the Internet. Since it is impractical to assign each anonymous visitor a separate login ID (the application would not scale), companies need to use a different kind of authentication. In addition, servers must be prepared to fend off attacks. Finally, critical data such as credit card numbers must be handled with extreme care.

Data encryption

A business website processes sensitive information (such as consumers' credit card numbers). Transmitting such information over the Internet without protection can lead to irreparable consequences: anyone on the path can eavesdrop on the transmission and thus gain access to confidential information. Therefore, the data must be encrypted and transmitted over a secure channel. The Secure Sockets Layer (SSL) protocol is used to implement secure data transmission.

To implement this functionality, you need to obtain a digital certificate and install it on your server(s). A digital certificate is issued by a certification authority. Well-known commercial certification authorities include VeriSign, CyberTrust and GTE.

SSL is a security layer placed under application protocols such as HTTP (called HTTPS when secured), FTP and NNTP. When SSL is used for data transmission:

    the data is encrypted;

    a secure connection is established between the client and the server;

    the server is authenticated (by its certificate).

When a user submits a credit card number over SSL, the data is encrypted before it leaves the browser, so an eavesdropper cannot see its contents. SSL is independent of the application protocol carried over it.

The Netscape server software also provides authentication, using certificates and digital signatures, to verify the identity of the user and the integrity of messages, and to ensure that a message has not been altered in transit.

Authentication means confirming the user's identity; a digital signature verifies the authenticity of the documents involved in an exchange of information or a financial transaction. A digital signature is data attached to a document so that forgery or alteration can be detected.

Intrusion detection

Intrusion Detection Systems (IDS) can recognize patterns or traces of attacks, raise alarms to alert operators, and instruct routers to block traffic from the attacking sources. These systems can also help to mitigate attempts to cause denial of service.
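To show concretely what "recognizing patterns or traces of attacks" means, here is an added Go example (not from the original article) that runs two kinds of detection logic over constructed web-server access log lines: signature rules for SQL injection, path traversal and script injection in the decoded request, and a rate rule that flags a source sending more requests inside a ten-second window than a threshold, the pattern of the denial-of-service attacks discussed earlier. The log lines, the rules, the window and the threshold are all assumptions chosen for the example; a real IDS carries a far larger, tuned rule set.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"time"
)

// Alert is one detection: the offending source and the rule that fired.
type Alert struct {
	Source string
	Rule   string
	Detail string
}

// Signature rules: patterns characteristic of known attacks, applied to the
// URL-decoded request target. (Chosen for this example only.)
var signatures = []struct {
	name string
	re   *regexp.Regexp
}{
	{"sqli", regexp.MustCompile(`(?i)('\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s+table)`)},
	{"path-traversal", regexp.MustCompile(`\.\./|/etc/passwd`)},
	{"xss", regexp.MustCompile(`(?i)<script\b`)},
}

// Rate rule: more than maxHits requests from one source inside window is a
// flood. Both values are assumptions for this example.
const (
	window  = 10 * time.Second
	maxHits = 20
)

// One access-log line in the common log format:
// host ident user [time] "METHOD target HTTP/x" status bytes
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// Analyze runs the signature rules and the rate rule over the lines and
// returns every alert in the order it was raised.
func Analyze(lines []string) []Alert {
	var alerts []Alert
	hits := map[string][]time.Time{} // per-source request times inside the window
	flooded := map[string]bool{}     // one flood alert per source

	for _, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line; a real IDS would count parse failures
		}
		src, rawTime, target := m[1], m[2], m[4]

		// Decode before matching so "%27%20OR%201=1" is seen as "' OR 1=1".
		decoded, err := url.QueryUnescape(target)
		if err != nil {
			decoded = target
		}
		for _, sig := range signatures {
			if sig.re.MatchString(decoded) {
				alerts = append(alerts, Alert{Source: src, Rule: sig.name, Detail: decoded})
			}
		}

		ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", rawTime)
		if err != nil {
			continue
		}
		recent := hits[src][:0] // drop timestamps that fell out of the window
		for _, t := range hits[src] {
			if ts.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		recent = append(recent, ts)
		hits[src] = recent
		if len(recent) > maxHits && !flooded[src] {
			flooded[src] = true
			alerts = append(alerts, Alert{Source: src, Rule: "flood",
				Detail: fmt.Sprintf("%d requests within %s", len(recent), window)})
		}
	}
	return alerts
}

// SampleLog builds constructed log lines: two attack probes from one host and
// a burst of 25 catalogue requests in about three seconds from another.
func SampleLog() []string {
	base := time.Date(2000, time.February, 9, 10, 0, 0, 0, time.UTC)
	stamp := func(d time.Duration) string { return base.Add(d).Format("02/Jan/2006:15:04:05 -0700") }
	lines := []string{
		fmt.Sprintf(`203.0.113.7 - - [%s] "GET /item?id=42 HTTP/1.0" 200 512`, stamp(0)),
		fmt.Sprintf(`203.0.113.7 - - [%s] "GET /item?id=42%%27%%20OR%%201=1 HTTP/1.0" 200 9120`, stamp(time.Second)),
		fmt.Sprintf(`203.0.113.7 - - [%s] "GET /download?file=../../etc/passwd HTTP/1.0" 404 0`, stamp(2*time.Second)),
	}
	for i := 0; i < 25; i++ {
		lines = append(lines, fmt.Sprintf(`198.51.100.9 - - [%s] "GET /catalog HTTP/1.0" 200 2048`,
			stamp(time.Duration(i)*120*time.Millisecond)))
	}
	return lines
}

func main() {
	for _, a := range Analyze(SampleLog()) {
		fmt.Printf("%-14s %-15s %s\n", a.Source, a.Rule, a.Detail)
	}
}
```

On the sample data this prints one sqli and one path-traversal alert for 203.0.113.7 and a single flood alert for 198.51.100.9. Decoding before matching is the detail most often missed: a rule applied to the raw URL never sees the percent-encoded quote.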

Website data protection

To protect site data, it is necessary to analyze the data used by the site and define a security policy. This data can be HTML code, customer and product details stored in the database, catalogs, passwords, and other authentication information. Here are some basic principles that can be used when defining a data security policy:

    Keep sensitive data behind an internal firewall on a secure internal network. A minimum number of access points should be provided for sensitive data. It should be remembered that adding security levels and complicating access to the system affects the operation of the system as a whole.

    Databases storing low-sensitivity data can be located on DMZ servers.

    Passwords should be stored only after conversion by a one-way algorithm (a salted, slow hash). This makes it impossible to implement the generally accepted (and popular) handling of messages like "I forgot my password, please email it to me"; the alternative is to generate a new password or a reset link and send that instead.

    Sensitive information such as credit card numbers should be stored in databases only in encrypted form, so that only authorized users and applications can decrypt it when the need arises. This, too, affects the speed of the system as a whole.
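The one-way password storage recommended in the list above, as an added Go example (not the article's own code) using only the standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count, stored in a self-describing record, and verification by recomputing the hash and comparing in constant time. The record format, the 100000 iteration count and the sample passwords are assumptions of this example; PBKDF2 is written out here only because the example avoids third-party packages.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// PBKDF2 derives keyLen bytes from password with PBKDF2-HMAC-SHA256
// (RFC 8018). The iteration count is what makes offline guessing expensive.
func PBKDF2(password, salt []byte, iter, keyLen int) []byte {
	prf := func(parts ...[]byte) []byte {
		mac := hmac.New(sha256.New, password)
		for _, p := range parts {
			mac.Write(p)
		}
		return mac.Sum(nil)
	}
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		idx := make([]byte, 4)
		binary.BigEndian.PutUint32(idx, block)
		u := prf(salt, idx)             // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {
			u = prf(u) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j] // T ^= Uj
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const pbkdf2Iterations = 100000 // assumed for the example; raise it as hardware allows

// HashPassword returns "pbkdf2$<iter>$<salt-hex>$<hash-hex>", which is all the
// user table stores; the plaintext password is never written anywhere. A stolen
// table therefore yields only per-user guessing work, not a password list.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := PBKDF2([]byte(password), salt, pbkdf2Iterations, 32)
	return fmt.Sprintf("pbkdf2$%d$%x$%x", pbkdf2Iterations, salt, dk), nil
}

// VerifyPassword recomputes the hash under the stored salt and iteration
// count and compares in constant time, so a mismatch leaks nothing via timing.
// A record that is not in the expected format is rejected, never compared raw.
func VerifyPassword(stored, password string) bool {
	p := strings.Split(stored, "$")
	if len(p) != 4 || p[0] != "pbkdf2" {
		return false
	}
	var iter int
	salt, err1 := hex.DecodeString(p[2])
	want, err2 := hex.DecodeString(p[3])
	if _, err := fmt.Sscanf(p[1], "%d", &iter); err != nil || iter < 1 || err1 != nil || err2 != nil {
		return false
	}
	return subtle.ConstantTimeCompare(PBKDF2([]byte(password), salt, iter, len(want)), want) == 1
}

func main() {
	record, err := HashPassword("correct horse") // constructed sample password
	if err != nil {
		panic(err)
	}
	fmt.Println(record)
	fmt.Println(VerifyPassword(record, "correct horse"), VerifyPassword(record, "wrong"))
}
```

Because the iteration count travels with the record, it can be raised for new records while old ones still verify, and the "forgot my password" flow becomes a reset that calls HashPassword again rather than a lookup of the old value.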

You can also protect site data by using middle tier components. These components can be programmed to authenticate users, allowing only authorized users to access the database and its components and protecting them from external threats.

You can also implement additional security functions on the server side of the system, for example using SQL Server's own security features (logins, roles and object permissions) to prevent unauthorized internal access to the database.

Note that it is equally important to protect backups containing consumer information.
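Encrypting card numbers at rest (the fourth principle in the list above) in a way that keeps protecting them when the table lands in a backup, as an added Go example rather than code from the article: AES-256-GCM with a random nonce per record, a key held by the authorized application and never stored with the data, and the customer record ID bound in as associated data so that a ciphertext copied onto another customer's row, in the database or in a backup, no longer decrypts. The key handling, record IDs and test card number are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM instance; a 32-byte key selects AES-256 and any
// other length is rejected by aes.NewCipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard encrypts a card number under the application's key. The record ID
// is authenticated but not encrypted (associated data), so the blob is valid
// only on the row it was written for. Output layout: nonce || ciphertext || tag.
func SealCard(key []byte, recordID, pan string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(recordID)), nil
}

// OpenCard is the only path back to the plaintext. It fails on a wrong key,
// a wrong record ID, a truncated blob, or any modified byte.
func OpenCard(key []byte, recordID string, blob []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pan, err := aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // in practice loaded from a key store, not generated here
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := SealCard(key, "cust-17", "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, none of them the card number\n", len(blob))

	pan, err := OpenCard(key, "cust-17", blob)
	fmt.Println("authorized read:", pan, err)

	_, err = OpenCard(key, "cust-18", blob) // same blob attached to another row
	fmt.Println("blob moved to another customer:", err)
}
```

The database and its backups hold only blobs; whoever copies them still needs the key, which lives with the application tier behind the internal firewall described above. Losing that key loses every card number, so key backup is a separate, more tightly controlled procedure than data backup.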

The situation is aggravated by the fact that every week more and more new ways of penetrating or damaging data are discovered, which only professional organizations specializing in information security are able to monitor.

The integration of commerce on the Internet promises a fundamental change in the security situation. With the increasing commercialization of the Internet, more and more attention is paid to the protection of information transmitted over the network. Therefore, progress in the field of information security largely determines the development of the e-commerce process.

In Russia, the development of e-commerce is constrained by:

    The absence or weak development of the EC infrastructure, in particular, a reliable and ubiquitous infrastructure for delivering goods to the buyer (courier services, etc.), especially through an "electronic store" located in another city.

    Lagging state law enforcement practice and, as a consequence, the absence or weak guarantees of the execution of transactions concluded in electronic form.

    The presence of objective and subjective prerequisites for the development of fraud associated with the use of the Internet for commerce.

    Weak marketing study of EC projects.

    Difficulties in paying for goods, in particular a lack of public confidence in commercial banks.

The low level of income of the majority of the population of Russia makes money more significant wealth than time, so many Russians do not agree to pay shipping costs along with the cost of the goods, and prefer to shop in regular stores. Therefore, EC can spread widely in Russia only after a significant improvement in the economic situation in the country.

Security is the state of being protected against possible damage, the ability to contain or parry dangerous influences, and the ability to compensate quickly for any damage caused. Security means that a system maintains its stability, resilience and capacity for self-development. One of the most popular topics of discussion is the security of e-commerce.

But so far, despite all the valuable opinions and statements, there is no practical, "down to earth" guide to what e-commerce security actually consists of. This article offers some points of view on the issue and attempts to separate myths from reality. Let us try to answer some basic questions that are obvious to experts.

Systems can be made secure. Systems can only be protected from known threats, with the associated risks reduced to an acceptable level. Only you can find the right balance between the desired level of risk reduction and the cost of the solution. Security in general is one aspect of risk management, and information security is a combination of common sense, business risk management and basic technical skills under the direction of competent management, with judicious use of specialized products, capabilities and expertise, and the right development practices. A web site, after all, is just a means of delivering information to a consumer.

Website security is a purely technical issue. More often, security is a matter of control over the development process, correct configuration management of the operating system, and consistent overall management of the site. True security is under your direct control: what is acceptable in the design of internal systems may not be suitable for fully shared services. System problems that affected only a few trusted employees within an enterprise become apparent when moving to shared environments.

The media regularly report on all security weaknesses and risks. Often, the media only report on those problems that can attract everyone's attention and do not require special skills to understand the underlying problem. Such messages rarely reflect real threats to the business from a security perspective and often have nothing to do with security at all.

Credit card information on the Internet is not secure. In fact, credit card information is much less susceptible to theft when transmitted over the Internet than from a nearby store or restaurant. An unscrupulous business may be interested in the unauthorized use of such information, and how you work with it - via the Internet or not - is no longer so important. It is possible to increase the security of the information transmitted itself by using secure transmission channels and reliable sites. An essential ingredient in many e-commerce systems is the need for reliable consumer identification. The method of identification directly affects not only the degree of risk, but even the type of criminal prosecution.

Passwords identify people. Passwords provide only basic verification - that someone authorized to use a particular system is connecting. People tend not to hide their passwords too much from others - especially from close relatives and colleagues. More sophisticated authentication technology can be much more cost effective. The level of authentication used should reflect the risk of access to information by random persons, regardless of the consent of its actual owner.

Once configured and installed, a security solution remains reliable over time. Enterprises don't always install systems properly, business changes, and so do threats. You need to make sure that the systems maintain security profiles and that your profile is continually reevaluated in terms of business development and the external environment. Technology is equally important, but it should be seen as part of a broader spectrum of security controls. Firewalls are commonly referred to as the solution for protecting the content of e-commerce sites, but even these have their weak points.

Firewalls are impenetrable. By deploying a firewall, you can supposedly rest on your laurels, confident that attackers will never get through it. The problem is that a firewall has to be configured so that some traffic still flows through it, in both directions. You need to think carefully about what you are trying to protect. Preventing an attack on your home page is very different from preventing your web server from being used as a path to your back-end systems, and the firewall requirements differ greatly in the two cases. Many systems require complex, multi-layered security to ensure that only authorized users can reach the more sensitive data. E-mail is usually a key component of any e-commerce site. However, it introduces a number of security challenges that cannot be ignored, falling into two main categories:

    protecting e-mail content, which can be altered or read in transit;

    protecting your system from attacks arriving by e-mail.

If you intend to work with mail whose confidentiality or integrity matters, there are many products for protecting it.

Viruses are no longer a problem. Viruses still pose a serious threat. The latest trend among virus writers is files attached to e-mails which, when opened, execute macros and perform actions not authorized by the recipient. Other means of spreading viruses are also being developed, for example through HTML web pages. You need to make sure that your antivirus products are up to date. Products designed only to scan for viruses may turn out to be capable of detecting them but not removing them.

A company that has a public key certificate from a respected Certification Authority (CA) is trustworthy in its own right. The certificate merely states something like: "At the time of the certificate request, I, the CA, performed known actions to verify the identity of this company. You may or may not be satisfied with them. I am not familiar with this company and do not know whether you can trust it, or even what exactly its business is. Until I am informed that the public key has been compromised, I do not know whether it has, for example, been stolen or transferred to someone else, and it is up to you to check whether the certificate has been revoked. My liability is limited to the provisions of the Policy Statement, which you should read before using the keys associated with this company."

Digital signatures are the electronic equivalent of handwritten signatures. There are some similarities, but there are many very significant differences, so it is unreasonable to treat the two kinds of signature as equivalent. The reliability of a digital signature also depends on how rigorously it is established that the private key really is under the sole control of its owner. The key differences are that:
- A handwritten signature is entirely under the control of the signer, while a digital signature is created by a computer and software that may or may not be trustworthy in performing the actions requested of them.
- A handwritten signature, unlike a digital one, has an original, of which copies can be made.
- A handwritten signature is not closely tied to what it signs: the content of signed papers can be changed after signing. A digital signature is inseparably bound to the specific content of the data it signed.
- The ability to produce a handwritten signature cannot be stolen, unlike a private key.
- Handwritten signatures can be imitated with varying degrees of similarity; a forged digital signature can be produced only with the stolen key, and is then 100% identical to a signature by the key's real owner.
- Some authentication protocols require you to digitally sign data on your behalf, and you never know what was signed. You can be tricked into digitally signing just about anything.

Security products can be rated by their functionality, just like business packages. Security products also require an assessment of the security of their implementation and of the threats they cannot protect against (which may not be documented). In general, business applications are selected on functionality and ease of use, and it is taken for granted that the functions are performed as expected (for example, that a tax package calculates taxes correctly). This does not hold for security products. The biggest question is how the protection functions are implemented. For example, a package might offer strong password authentication for users but still store the passwords in a plain text file that almost anyone can read. That would not be obvious at all and would create a false sense of security.

Security products are easy to install. Most products ship with default settings, but organizations have different security policies, and the configurations of their systems and workstations rarely match one another. In practice, every installation has to be fitted to the organization's security policy and to each specific platform configuration. Checking the mechanisms that maintain a rapidly growing user base, and the other attributes of a secure environment for hundreds of existing users, can be a complex and time-consuming job.

PKI products protect e-commerce out of the box. PKI products provide a basic toolkit that helps implement security solutions, but only as one part of a whole that also includes legal, procedural and other technical elements. Putting those in place is usually far more difficult and expensive than setting up the PKI itself.

Security consultants deserve absolute trust. Remember that security consultants will have access to your most sensitive processes and data. If the consultants you bring in do not work for a reputable firm, obtain an independent view of their competence and experience, for example by talking to their previous customers. Many people call themselves information security professionals while having little or no idea what that involves. They can even create a false sense of security by convincing you that your systems are better protected than they really are.

Conclusions.

So before leafing through the glossiest security brochures, sort out the essentials:
- Carefully work out which kinds of risk threaten your e-commerce business and what they would cost you, and do not spend more on protection than that estimated cost of risk.
- Strike a balance between procedural and technical security controls.
- Develop a complete design in which security is one of the fundamental components rather than something bolted on afterwards.
- Select security products that fit that design.

Information security of electronic commerce (EC)


Beyond these, EC saves money by reducing the number of required employees and the volume of paperwork.

The dominant sector of EC in Western countries has become B2B, which by 2007, according to various estimates, will reach 3 to 6 trillion dollars. The first to benefit from moving their business to the Internet were companies selling hardware and software and providing computer and telecommunications services.

Each online store has two main components: an electronic storefront and a trading system.

The electronic storefront holds the information about the goods offered on the Web site, provides access to the store database, registers customers, manages the shopper's electronic "basket", places orders, collects marketing information and passes the order on to the trading system.

The trading system fulfils the order and arranges payment for it. The term is also used for a shared platform: a collection of stores owned by different firms that lease space on a Web server belonging to a separate company.

An online store operates as follows.

On the electronic storefront (the Web site with the catalog of goods and prices) the buyer selects the desired product and fills in a form with personal data (name, postal and e-mail addresses, preferred method of delivery and payment). If payment is made over the Internet, information security deserves special attention at this step.

The completed order is passed to the trading system of the online store, where order picking takes place. The trading system operates either manually or automatically. A manual system works on the Sendtorg (mail-order) principle and is used when buying and setting up an automated system is not feasible, as a rule because the volume of goods is small.

Delivery and payment of goods. The goods are delivered to the buyer in one of the following ways:

* by the store's own courier, within the city and the surrounding area;

* by a specialized courier service (including from abroad);

* by self-pickup;

* over the network, in the case of such a specific commodity as information.

Payment for the goods can be made in the following ways:

* in advance or at the time of receipt of the goods;

* in cash to the courier or on a visit to a physical store;

* by postal order;

* by bank transfer;

* cash on delivery;

* by credit card (VISA, MasterCard, etc.);

* through electronic payment systems operated by individual commercial banks (TELEBANK, ASSIST, etc.).

Recently, e-commerce, i.e. trade over the Internet, has been developing rapidly around the world. Naturally, this process is carried out with the direct participation of credit and financial institutions, and the method is becoming ever more popular, at least where a significant share of enterprises and the population can use the new electronic market.

Commercial activity in electronic networks removes some physical limitations. Companies that connect their computer systems to the Internet are able to support customers 24 hours a day, without holidays or weekends, and orders can be accepted at any time from anywhere.

However, this "medal" has its downside. Abroad, where e-commerce is most developed, transactions or the cost of goods are often capped at $300-400. The reason is that information security in computer networks remains an insufficiently solved problem. According to the UN Committee on Crime Prevention and Control, computer crime has become an international problem; in the United States this type of criminal activity ranks third in profitability after arms and drug trafficking.

The volume of global e-commerce turnover via the Internet in 2006, according to forecasts by Forrester Tech., could be anywhere from 1.8 to .2 trillion dollars. Such a wide forecast range is explained by the unsolved problem of the economic security of e-commerce: if the level of security stays where it is, global turnover could be lower still. It follows that the low security of e-commerce systems is what holds back the development of e-business.

The solution to the problem of ensuring the economic security of e-commerce is primarily associated with the solution of issues of protecting information technologies used in it, that is, with ensuring information security.

The integration of business processes into the Internet environment is changing the security situation fundamentally. Creating rights and obligations on the basis of an electronic document requires comprehensive protection, for both the sender of the document and its recipient, against the entire set of threats. Unfortunately, the leaders of e-commerce businesses usually become fully aware of the severity of information threats, and of the need to protect their resources, only after those resources have been attacked. All of the obstacles listed above belong to the field of information security.

Among the main requirements for conducting commercial transactions are confidentiality, integrity, authentication, authorization, guarantees and secrecy.

The basic tasks in securing information are ensuring its availability, confidentiality, integrity and legal significance. Every threat should be considered in terms of how it can affect these four properties of protected information.

Confidentiality means that restricted information is available only to its intended recipient. Integrity is the property of information existing in an undistorted form. Availability is the ability of the system to provide timely, unimpeded access to information for subjects that have the proper authority. Legal significance of information has been gaining importance in recent years, as a regulatory framework for information security takes shape in our country.

Of the six transaction requirements listed above, the first four can be met by technical means; meeting the last two depends both on technical means and on the responsibility of individuals and organizations, and on compliance with laws that protect the consumer from fraudulent sellers.

Within the framework of comprehensive information security, the key security concerns of electronic business should be singled out first of all. They include:

* protection of information during its transmission over communication channels;

* protection of computer systems, databases and electronic document management;

* ensuring long-term storage of information in electronic form;

* ensuring the security of transactions, the secrecy of commercial information, authentication, protection of intellectual property, etc.

There are several types of e-commerce threats:

• penetration into the system from the outside;

• unauthorized access within the company;

• intentional interception and reading of information;

• intentional damage to data or networks;

• incorrect (fraudulent) user identification;

• breaking hardware and software protection;

• unauthorized user access from one network to another;

• virus attacks;

• denial of service;

• financial fraud.

To counter these threats a number of methods based on different technologies are used, namely: encryption, which keeps data from being read or altered in transit; digital signatures, which authenticate the sender and protect the integrity of what was sent; protective technologies based on electronic keys (hardware tokens); firewalls; virtual private networks.

None of these methods is universal: firewalls, for example, do not scan for viruses and cannot ensure data integrity. There is no absolutely reliable way to prevent automated protection from being defeated; it is only a matter of time before it is, and how much time depends on the quality of the protection. Software and hardware for protecting connections and applications on the Internet have been under development for a long time, although new technologies are adopted somewhat unevenly.

The threats that lie in wait for an e-commerce company at each stage are:

• substitution of the e-shop server's web page (redirecting requests to another server), which exposes information about the client, in particular about his credit cards, to third parties;

• creation of false orders and other forms of fraud by employees of the electronic store, for example manipulation of databases (statistics indicate that more than half of computer incidents involve an organization's own employees);

• interception of data transmitted over e-commerce networks;

• penetration of intruders into the company's internal network and compromise of the components of the electronic store.

The concept of "safety" in Russian is interpreted as a state in which there is no danger, there is protection from it. In terms of language, the concept of "safety" is the opposite of the concept of "danger". It characterizes a certain state of any system (social, technical or any other), process or phenomenon.

Security is a state in which there is no possibility of causing damage to the needs and interests of the subjects of relations.

The threat, according to the dictionary of the Russian language, is defined as an immediate danger. The danger is of a general, potential nature, but since contradictions between the subjects of relations arise constantly, then the danger to interests can exist constantly.

One of the accepted definitions is the following: a security threat is a set of conditions and factors that create a threat to vital interests, that is, a threat is represented by a certain set of circumstances (conditions) and causes (factors).

From a legal point of view, the concept of "threat" is defined as the intention to inflict evil (damage).

Thus, a security threat can be defined as “activities that are viewed as hostile to interests”.

With all the variety of types of threats, they are all interconnected and affect interests, as a rule, in a complex manner. Therefore, a security system is created to weaken, neutralize and parry them.

The concept of "protection" ("security") means the protection of the subject of relations from threats.

Ensuring security is a specially organized activity aimed at maintaining the internal stability of an object, its ability to withstand the destructive, aggressive effects of various factors, and at actively countering the existing types of threats.

The security system is designed to identify threats to interests, to maintain the readiness of forces and means of ensuring security and control them, to organize the normal functioning of security facilities.

As applied to e-commerce, the definition of security can be formulated as follows.

E-commerce security is the state in which the interests of the subjects of relations who perform commercial operations (transactions) using e-commerce technologies are protected from threats of material and other losses.

Ensuring security is necessary for enterprises and institutions of every form of ownership, from government organizations down to a small retail kiosk. The differences lie only in which means and methods are required, and to what extent, to ensure their security.

Market relations with their integral part - competition are based on the principle of "survival" and therefore necessarily require protection from threats.

According to established international security practice, the objects of protection, in order of priority, are:

  • people;
  • information;
  • material assets.

Based on the concept of security and the objects of protection listed above, the "security" of any enterprise or organization can be said to include (Fig. 120):

  • physical security, understood as protection from encroachments on the life and personal interests of employees;
  • economic security, understood as protection of the economic interests of the subjects of relations; within its framework, protection of material assets from fire, natural disasters, theft and other encroachments is also considered;
  • information security, meaning protection of information from modification (distortion, destruction) and unauthorized use.

Everyday practice shows that the main threats to physical security include:

  • psychological terror, intimidation, extortion, blackmail;
  • robbery for the purpose of seizing material assets or documents;
  • kidnapping of company employees or members of their families;
  • murder of a company employee.

Fig. 120.

Nowadays no one can feel safe. Without going into specific questions of physical security, it can be said that before committing a crime criminals first collect information about the victim and study its "weak points". Without the necessary information about the target, the risk to the criminals rises significantly. One of the main principles of physical security is therefore to conceal any information about the company's employees that criminals could use to prepare a crime. In general, the following types of threats to economic security can be formulated:

  • general insolvency;
  • loss of funds in transactions with false documents;
  • undermining of confidence in the firm.

Practice shows that the presence of these threats is primarily due to the following main reasons:

  • leakage, destruction or modification (for example, distortion) of commercial information;
  • lack of complete and objective information about employees, partners and clients of the company;
  • dissemination by competitors of biased information that compromises the company.

Information security is one of the key points in the security of the company.

According to Western experts, the leak of 20% of commercial information in sixty cases out of a hundred leads to the bankruptcy of the company. Therefore, physical, economic and information security are very closely interconnected.

Commercial information has different forms of presentation. This can be information transmitted orally, and documented information recorded on various physical media (for example, on paper or on a floppy disk), and information transmitted through various communication lines or computer networks.

Attackers in the information sphere use different methods to obtain information: the "classic" methods of espionage (blackmail, bribery, etc.), methods of industrial espionage, unauthorized use of computing equipment, analytical methods. The range of threats to information security is therefore extremely wide.

The widespread use of computer technology and e-commerce technologies is opening up a new area for industrial espionage and various other offences.

Technical means of industrial espionage are used not only to eavesdrop on or observe the actions of competitors in various ways, but also to obtain information that is processed directly in computer systems. The greatest danger here is the direct use of computer technology by attackers, which has given rise to a new type of crime: computer crime, i.e. unauthorized access to information processed in a computer, including with the help of e-commerce technologies.

Countering computer crime is difficult, mainly because of:

  • the novelty and complexity of the problem;
  • the difficulty of detecting a computer crime in time and identifying the attacker;
  • the possibility of committing a crime by means of remote access, i.e. the attacker need not be at the scene of the crime at all;
  • the difficulty of collecting evidence of a computer crime and making it legally admissible.

Summarizing the above types of security threats, three components of the security problem can be distinguished:

  • legal protection;
  • organizational protection;
  • engineering and technical protection.

The meaning of the legal provision of protection follows from the name itself.

Organizational protection includes the organization of security and the operation of the facility.

Engineering and technical protection is understood as a set of engineering, software and other means aimed at eliminating security threats.

The principles of creating and operating security systems can be divided into three main blocks: general principles of protection, organizational principles, and principles of implementing the protection system (Fig. 121).

1. General principles of protection

The principle of uncertainty follows from the fact that, when providing protection, it is not known who, when, where and how will attempt to violate the security of the protected object.


Fig. 121.

The principle of the impossibility of an ideal protection system. This principle follows from the principle of uncertainty and from the limited resources that a security system, as a rule, has at its disposal.

The principle of minimal risk means that, when creating a protection system, the minimum degree of risk must be chosen on the basis of the characteristics of the security threats, the available resources and the specific conditions the protected object is in at any given time.

The principle of protecting everyone from everyone. This principle implies the need to protect all subjects of relations against all types of threats.

2. Organizational principles

The principle of legality. The importance of adhering to this obvious principle cannot be overemphasized. However, with the emergence of new legal relations in Russian legislation, along with well-known objects of law, such as "state property", "state secrets", new ones appeared - "private property", "enterprise property", "intellectual property", "commercial secrets", “Confidential information”, “information with limited access”. The regulatory legal framework governing security issues is still imperfect.

The principle of personal responsibility. Each employee of the enterprise, company or their client is personally responsible for ensuring the security regime within the framework of their authority or relevant instructions. Responsibility for violation of the security regime must be specified and personified in advance.

The principle of separation of powers. The probability of a breach of trade secrets or of the normal functioning of the enterprise is directly proportional to the number of people who know the information. Therefore no one should be given confidential information unless it is required to carry out their job duties.

The principle of interaction and cooperation. An internal safety atmosphere is achieved by a trusting relationship between employees. At the same time, it is necessary to ensure that the personnel of the enterprise correctly understand the need to carry out measures related to ensuring security, and, in their own interests, contribute to the activities of the security service.

3. Principles of implementation of the protection system

The principle of complexity and individuality. The safety of the protected object is not ensured by any one measure, but only by a set of complex, interrelated and overlapping measures, implemented individually depending on specific conditions.

The principle of successive lines. The implementation of this principle makes it possible to timely detect an encroachment on security and organize a consistent response to the threat in accordance with the degree of danger.

The principle of protecting the means of protection is a logical continuation of the principle of protecting "everyone from everyone". In other words, any protection measure must itself be adequately protected. For example, a means of protection against attempts to alter a database must itself be protected by software that enforces access rights.

Comprehensively securing protected objects is, in general, an individual task, shaped by economic considerations, the state the object of protection is in, and many other circumstances.

The methodology for constructing a security system is shown in Fig. 122.

Fig. 122.

Before proceeding with the creation of a security system, it is necessary to determine the objects of protection, the destruction, modification or unauthorized use of which may lead to a violation of interests, losses, etc.

Having identified the objects of protection, it is necessary to identify the areas of their interests and analyze the many threats to the security of the objects of protection. If the security threats are deliberate, then you need to develop an alleged attacker model. Next, you need to analyze possible threats and sources of their occurrence, select adequate means and methods of protection and thus formulate tasks and determine the structure of the security system.

To analyze the problem of ensuring the security of e-commerce, it is necessary to determine the interests of the subjects of relationships arising in the process of e-commerce.

It is customary to distinguish the following categories of e-commerce: business-to-business, business-to-consumer and business-to-administration. Regardless of the category, there are three classes of subjects: financial institutions, customers and business organizations (Fig. 123).

Financial institutions can be different, but first of all these are banks, since it is in them that all other e-commerce subjects have accounts that reflect the movement of funds. The rules and conditions for the movement of these funds are determined by the payment system used.

Clients (buyers, consumers) can be both individuals and legal entities.

Business organizations are any organization that sells or purchases something over the Internet.

Fig. 123.

The open nature of Internet technologies, the availability of information transmitted over the Web means that the common interests of e-commerce subjects are to ensure the information security of e-commerce. Information security includes ensuring the authentication of interaction partners, the integrity and confidentiality of information transmitted over the Network, the availability of services and the manageability of the infrastructure.

The range of interests of e-commerce subjects in the field of information security can be divided into the following main categories:

  • availability (the ability to obtain the required service within a reasonable time);
  • integrity (relevance and consistency of information, its protection from destruction and unauthorized changes);
  • confidentiality (protection of information from unauthorized disclosure).

Information security is one of the most important components of the integral security of e-commerce.

The number of attacks on information systems around the world doubles every year. In such conditions, the information security system of e-commerce must be able to withstand numerous and varied internal and external threats.

The main threats to the information security of e-commerce are related (Fig. 124):

  • to deliberate infringement of the interests of e-commerce subjects (computer crimes and computer viruses);
  • to unintentional actions of service personnel (mistakes, omissions, etc.);
  • to technical factors that can lead to the distortion and destruction of information (power failures, software failures);
  • to the so-called man-made factors (natural disasters, fires, large-scale accidents, etc.).

Fig. 124.

The widespread introduction of the Internet could not but affect the development of electronic business.

One of the types of e-business is considered to be e-commerce. In accordance with UN documents, a business is recognized as electronic if at least two of its four components (production of goods or services, marketing, delivery and settlements) are carried out using the Internet. Therefore, in this interpretation, it is usually assumed that the purchase belongs to e-commerce, if, at a minimum, marketing (demand management) and settlements are made by means of the Internet. A narrower interpretation of the concept of "electronic commerce" characterizes the systems of cashless payments based on plastic cards.

Security is a key issue for implementing e-commerce.

The high level of online fraud is a deterrent to the development of e-commerce. Buyers, retailers and banks are afraid to use this technology due to the risk of financial losses. People mainly use the Internet as an information channel to get information of interest to them. Only a little over 2% of all catalog and database searches on the Internet end up with purchases.

Here is a classification of the possible types of e-commerce fraud:

  • transactions (cashless payments) performed by fraudsters using genuine card details (card number, expiry date, etc.);
  • obtaining customer data by hacking the databases of trade enterprises or by intercepting customer messages that contain personal data;
  • fly-by-night ("butterfly") shops, which as a rule appear for a short time and disappear after receiving payment from buyers for non-existent goods or services;
  • charging more for the goods than the price offered to the buyer, or debiting the client's account repeatedly;
  • shops or sales agents set up to harvest card details and other personal data of buyers.

SSL protocol

The SSL (Secure Sockets Layer) protocol was developed by the American company Netscape Communications. SSL protects the data exchanged between application protocols (HTTP, NNTP, FTP, etc.) and the transport protocol (TCP/IP) using modern point-to-point cryptography. Before it, the data exchanged between clients and servers could be read by anyone on the path without special technical effort; a term was even coined for the tool that does this, the "sniffer". SSL has since been superseded by its successor TLS (Transport Layer Security), and the SSL versions themselves are deprecated; the description below applies in outline to both.

The SSL protocol is designed to solve traditional problems of ensuring the protection of information interaction:

  • the user and the server must each be sure that they are exchanging information with the intended party rather than an impostor, and not merely on the strength of a password;
  • once the connection between server and client is established, the entire information flow between them must be protected from unauthorized access;
  • and finally, the parties must be sure that the information was neither accidentally nor deliberately distorted in transit.

The SSL protocol allows the server and the client to authenticate each other, negotiate an encryption algorithm and generate shared cryptographic keys before any application data is exchanged. For this purpose the protocol uses two-key (asymmetric) cryptosystems, in particular RSA.

The confidentiality of information sent over an established secure connection is ensured by encrypting the data stream under the generated shared key with symmetric algorithms (the original cipher suites included RC4_128, RC4_40, RC2_128, RC2_40, DES40, etc.). The integrity of the transmitted data blocks is controlled by message authentication codes (MAC) computed with hash functions (for example MD5). Note that RC4, the 40-bit export ciphers, DES40 and MD5 are all considered broken today and are disabled in modern TLS; they are listed here as the algorithms SSL originally shipped with.

SSL protocol includes two stages of interaction between the parties to the protected connection:

  • establishing an SSL session;
  • data flow protection.

At the stage of establishing an SSL session, the server and (optionally) the client are authenticated, the parties agree on the cryptographic algorithms used and form a common "secret", on the basis of which common session keys are created for the subsequent protection of the connection. This step is also referred to as the "handshake procedure".

At the second stage (data flow protection), application-layer messages are split into records, a message authentication code is computed for each record, then the record is encrypted and sent to the receiving side. The receiver performs the reverse: decryption, verification of the message authentication code, reassembly of the message, delivery to the application layer.
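The record protection stage described above (MAC computed per block, then encryption, with the sequence number folded into the MAC), as an added example that is not part of the original text. The Go program below builds a simplified SSL-style record layer with the standard library only: it is not wire-compatible with SSL or TLS, the session keys are constructed constants standing in for the handshake output, and the message, the record type value and the function names are this example's assumptions. It shows a protected round trip and then two attacks the MAC is there to catch: a flipped ciphertext bit and a replayed record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Endpoint is one side of a protected connection: the session keys the handshake would
// have derived, plus the record sequence number, which goes into every MAC so that a
// replayed or reordered record fails the integrity check.
type Endpoint struct {
	macKey, encKey []byte // 32 bytes for HMAC-SHA256, 16 bytes for AES-128-CBC
	seq            uint64
}

// mac authenticates what SSL/TLS authenticates: sequence number, record type, length, data.
func (e *Endpoint) mac(recType byte, data []byte) []byte {
	hdr := make([]byte, 11)
	binary.BigEndian.PutUint64(hdr, e.seq)
	hdr[8] = recType
	binary.BigEndian.PutUint16(hdr[9:], uint16(len(data)))
	m := hmac.New(sha256.New, e.macKey)
	m.Write(hdr)
	m.Write(data)
	return m.Sum(nil)
}

// Protect builds one record the way the text describes: MAC over the block first, then
// encryption (MAC-then-encrypt, the SSL/TLS 1.0-1.2 CBC construction) under a random IV.
func (e *Endpoint) Protect(recType byte, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(e.encKey)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte(nil), data...), e.mac(recType, data)...)
	// TLS-style padding: padLen+1 bytes, each equal to padLen, up to a block boundary.
	padLen := (aes.BlockSize - (len(plain)+1)%aes.BlockSize) % aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(padLen)}, padLen+1)...)
	rec := make([]byte, 1+aes.BlockSize+len(plain))
	rec[0] = recType
	iv := rec[1 : 1+aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(rec[1+aes.BlockSize:], plain)
	e.seq++
	return rec, nil
}

// Unprotect reverses the steps: decrypt, strip padding, split off the MAC and verify it
// under the expected sequence number. A real implementation must do the padding and MAC
// checks in constant time; the distinct early returns here are the padding-oracle pattern.
func (e *Endpoint) Unprotect(rec []byte) (byte, []byte, error) {
	if len(rec) < 1+2*aes.BlockSize || (len(rec)-1)%aes.BlockSize != 0 {
		return 0, nil, errors.New("bad record length")
	}
	recType, iv, body := rec[0], rec[1:1+aes.BlockSize], rec[1+aes.BlockSize:]
	block, err := aes.NewCipher(e.encKey)
	if err != nil {
		return 0, nil, err
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	padLen := int(plain[len(plain)-1])
	if padLen+1+sha256.Size > len(plain) {
		return 0, nil, errors.New("bad padding")
	}
	if !bytes.Equal(plain[len(plain)-1-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen+1)) {
		return 0, nil, errors.New("bad padding")
	}
	plain = plain[:len(plain)-1-padLen]
	data, tag := plain[:len(plain)-sha256.Size], plain[len(plain)-sha256.Size:]
	if !hmac.Equal(tag, e.mac(recType, data)) {
		return 0, nil, errors.New("MAC check failed: altered, replayed or out-of-order record")
	}
	e.seq++
	return recType, data, nil
}

// Demo runs one protected exchange and two attacks: a flipped ciphertext bit and a replay.
func Demo() (roundTripOK, tamperDetected, replayDetected bool, err error) {
	// Constructed keys standing in for the handshake output; both sides hold the same ones.
	client := &Endpoint{macKey: bytes.Repeat([]byte{0x11}, 32), encKey: bytes.Repeat([]byte{0x22}, 16)}
	server := &Endpoint{macKey: client.macKey, encKey: client.encKey}
	msg := []byte("POST /order item=42 amount=250.00") // constructed application-layer message
	rec, err := client.Protect(23, msg)                // 23 = application_data record type
	if err != nil {
		return
	}
	_, got, err := server.Unprotect(rec)
	if err != nil {
		return
	}
	roundTripOK = bytes.Equal(got, msg)
	bad := append([]byte(nil), rec...)
	bad[1+aes.BlockSize+2] ^= 0x80 // attacker flips one bit of the encrypted body
	_, _, tamperErr := server.Unprotect(bad)
	tamperDetected = tamperErr != nil
	_, _, replayErr := server.Unprotect(rec) // attacker re-sends the genuine record
	replayDetected = replayErr != nil
	return
}
```

The MAC-then-encrypt order shown here is exactly the SSL/TLS 1.0-1.2 CBC construction, and the separate "bad padding" and "MAC check failed" paths are why that construction became a padding-oracle target (POODLE against SSL 3.0, Lucky 13 against TLS CBC suites). A production implementation must make both checks constant-time; TLS 1.3 sidesteps the problem by using AEAD ciphers, which authenticate and encrypt in one pass.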

The most common software package for SSL support is SSLeay. It contains C source code that can be embedded in applications such as Telnet and FTP.

SSL uses public key cryptography, also known as asymmetric cryptography. It uses two keys: one to encrypt and the other to decrypt the message. The two keys are mathematically linked in such a way that data encrypted with one key can only be decrypted with the other key of the pair. Each user has two keys, a public and a secret (private) one. The user makes the public key available to any correspondent on the network. The user and any correspondent holding the public key can be confident that data encrypted with the public key can only be decrypted with the private key.

If two users want to be sure that the information they exchange will not be received by the third, then each of them must transfer one component of the key pair (namely the public key) to the other and store the other component (the secret key). Messages are encrypted using the public key, decrypted only using the secret key. This is how messages can be transmitted over an open network without fear of anyone reading them.

The integrity and authentication of the message is ensured by using an electronic digital signature.

Now the question is how to distribute your public keys. For this (and not only) a special form was invented - a certificate. The certificate consists of the following parts:

  • the name of the person / organization issuing the certificate;
  • subject of the certificate (for whom this certificate was issued);
  • public key of the subject;
  • some temporary parameters (certificate validity period, etc.).

The certificate is "signed" with the private key of the person (or organization) that issues the certificates. Organizations that perform such operations are called Certificate authority (CA). If you go to the security section in a standard Web browser that supports SSL, you will see a list of known organizations that "sign" certificates. It's technically straightforward to set up your own CA, but you also need to sort out the legal side of things, and this can be a big problem.

SSL is by far the most common protocol used in building e-commerce systems. With its help, 99% of all transactions are carried out. The widespread adoption of SSL is primarily due to the fact that it is an integral part of all browsers and Web servers. Another advantage of SSL is the simplicity of the protocol and the high speed of the transaction.

At the same time, SSL has a number of significant disadvantages:

  • the buyer is not authenticated;
  • the seller is authenticated only by the URL;
  • the digital signature is used only for authentication at the beginning of the SSL session establishment. To prove the transaction in case of conflict situations, it is required either to store the entire dialogue between the buyer and the seller, which is expensive in terms of memory resources and is not used in practice, or to store paper copies confirming the receipt of the goods by the buyer;
  • confidentiality of card details for the merchant is not ensured.

SET protocol

Another secure transaction protocol on the Internet is SET (Secure Electronic Transaction). SET is based on the use of digital certificates according to the X.509 standard.

The secure transaction protocol SET is a standard developed by MasterCard and VISA with significant contributions from IBM, GlobeSet and other partners. It allows shoppers to purchase goods over the Internet using the most secure payment mechanism available today. SET is an open standard multilateral protocol for making secure payments using plastic cards on the Internet. SET provides cross-authentication of the account of the cardholder, the merchant and the merchant's bank to check the readiness of payment for the goods, the integrity and secrecy of the message, encryption of valuable and sensitive data. Therefore, SET can be called a standard technology or a system of protocols for making secure payments using plastic cards over the Internet.

SET allows consumers and sellers to authenticate all participants in a transaction taking place on the Internet using cryptography, including using digital certificates.

The potential of e-commerce sales is limited by whether the required level of information security can be achieved, and that level must be provided jointly by the buyers, sellers and financial institutions concerned with securing online payments. As mentioned earlier, the basic tasks of protecting information are to ensure its availability, confidentiality, integrity and legal significance. SET, unlike other protocols, allows these information protection problems to be solved.

Another problem arises from the fact that many companies develop their own e-commerce software. To use such software, all participants in the operation must have the same applications, which is practically impossible. Therefore, a mechanism is needed for communication between applications from different developers.

In response to the issues listed above, VISA and MasterCard, together with other technology companies (such as IBM, a key developer of the SET protocol), defined the specification and set of protocols of the SET standard. This open specification very quickly became the de facto standard for e-commerce. In this specification, encryption of information ensures its confidentiality. Digital signatures and certificates provide identification and authentication of the participants in transactions. A digital signature is also used to ensure data integrity. An open protocol suite is used to provide interoperability between implementations from different vendors.

SET provides the following specific security requirements for e-commerce transactions:

  • confidentiality of payment data and confidentiality of order information transmitted along with payment data;
  • maintaining the integrity of payment data; integrity is ensured using a digital signature;
  • special cryptography with a public key for authentication;
  • cardholder authentication by means of a digital signature and cardholder certificates;
  • authentication of the seller and his ability to accept payments by plastic cards using the digital signature and certificates of the seller;
  • confirmation that the seller's bank is an operating organization that can accept payments by plastic cards through communication with the processing system; this confirmation is provided using a digital signature and certificates of the merchant's bank;
  • willingness to pay for transactions as a result of public key certificate authentication for all parties;
  • security of data transmission through the predominant use of cryptography.

The main advantage of SET over many existing information security systems is the use of digital certificates (X.509 standard, version 3), which associate the cardholder, merchant and merchant's bank with a number of banking institutions of the VISA and MasterCard payment systems. In addition, SET is:

  • an open, fully documented standard for the financial industry;
  • based on international standards of payment systems;
  • relies on existing technologies and legal mechanisms in the financial industry.

Incidentally, a joint project between IBM, Chase Manhattan Bank USA NA, First Data Corporation, GlobeSet, MasterCard and Wal-Mart allows holders of the Wal-Mart MasterCard issued by Chase Bank to purchase goods from Wal-Mart Online, one of the largest e-commerce sites in the USA.

Let us consider in more detail the process of interaction between participants in a payment transaction in accordance with the SET specification, shown in the figure from the IBM website:

On the picture:

  • Cardholder - a buyer placing an order.
  • Buyer's bank - the financial institution that issued a credit card to the buyer.
  • Merchant - an electronic store offering goods and services.
  • Seller's bank - the financial institution that services the seller's operations.
  • Payment gateway - a system, usually controlled by the merchant's bank, which processes requests from the merchant and interacts with the buyer's bank.
  • Certifying organization - a trusted structure that issues and verifies certificates.

The relationship of the participants in the operation is shown in the figure with continuous lines (interactions described by the standard or the SET protocol) and dashed lines (some possible operations).

The dynamics of relationships and information flows in accordance with the specification of the SET standard includes the following actions:

  1. Participants request and receive certificates from a certifying organization.
  2. The owner of the plastic card looks through the electronic catalog, selects the goods and sends the order to the seller.
  3. The seller presents his certificate to the cardholder as proof.
  4. The cardholder presents his certificate to the merchant.
  5. The merchant asks the payment gateway to complete the verification operation. The gateway verifies the information provided with the information of the bank that issued the electronic card.
  6. After verification, the payment gateway returns the results to the merchant.
  7. Some time later, the merchant asks the payment gateway to perform one or more financial transactions. The gateway sends a request to transfer a certain amount from the buyer's bank to the seller's bank.

The presented scheme of interaction is supported in terms of information security by the Chip Electronic Commerce specification, created for the use of smart cards of the EMV standard on the Internet (www.emvco.com). It was developed by Europay, MasterCard and VISA. The combination of the EMV microprocessor standard and the SET protocol provides an unprecedented level of security at all stages of the transaction.

On June 20, 2000, the RosBusinessConsulting company posted on its website a message that VISA, one of the world's largest payment systems, had published its e-commerce security initiatives on June 19, 2000. The steps are designed to make online shopping safer for buyers and sellers, the system said. VISA believes that the introduction of the new initiatives will reduce the number of disputes over Internet transactions by 50%. The initiative has two main parts. The first is the Payment Authentication Program, which is designed to reduce the risk of unauthorized use of the cardholder's account and improve the service for online shoppers and merchants. The second is the Global Data Security Program, which aims to create security standards for e-commerce companies to protect cardholders and their data.

Comparative characteristics of SSL and SET protocols

Payment systems are the most critical part of e-commerce and the future of their presence on the network depends largely on the capabilities of information security and other service functions on the Internet. SSL and SET are two well-known data transfer protocols, each of which is used in Internet payment systems. We will try to compare SSL and SET and evaluate some of their most important characteristics.

So, let us consider the most important function, authentication, in the virtual world, where the usual physical contacts are absent. SSL only provides point-to-point communication. Recall that there are at least four parties involved in a credit card transaction: the consumer, the merchant, the issuing bank and the receiving (acquiring) bank. SET requires authentication from all parties involved in the transaction.

SET prevents the merchant from accessing information about the plastic card, and the issuing bank from accessing the customer's private information regarding his orders. SSL allows controlled access to servers, directories, files and other information. Both protocols use modern cryptography and digital certificate systems to certify the digital signatures of the interacting parties. SSL is primarily intended to protect communications on the Internet. SET provides protection for e-commerce transactions as a whole, which ensures the legal value of the protected valuable information. At the same time, a transaction through SET is slower than one through SSL, and its cost is much higher. The latter characteristic is very relevant for today's Russian market, where risks and operating costs are not yet taken into account.

It should be added that by using SSL, consumers run the risk of disclosing the details of their plastic cards to the merchant.
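Two of the mechanisms described above, as an added illustration that is not code from the page or from any SET or CA product: a certificate with the parts listed earlier (issuer, subject, subject's public key, validity period) signed by the CA's private key and checked by the relying party, and SET's dual signature, the construction behind the property just stated, by which the merchant verifies the cardholder's signature using only the order and the payment gateway using only the card data. The toy RSA over fixed Mersenne primes, the CA name and the sample order and card data are all constructed assumptions.

```python
import hashlib
import json

# Toy RSA over fixed Mersenne primes (constructed for illustration; real CAs and
# SET wallets use 2048-bit keys with proper signature padding).
CA_PRIMES = (2**31 - 1, 2**61 - 1)
HOLDER_PRIMES = (2**89 - 1, 2**107 - 1)
E = 65537

def keygen(primes):
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public key, private key)

def digest(obj) -> int:
    """Canonical SHA-256 of a dict (JSON, sorted keys) as an integer."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, obj) -> int:
    n, d = priv
    return pow(digest(obj) % n, d, n)

def verify(pub, obj, sig) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(obj) % n

# Certificate = issuer, subject, subject's public key, validity window, CA signature.
def issue_cert(ca_name, ca_priv, subject, subject_pub, not_before, days):
    body = {"issuer": ca_name, "subject": subject, "public_key": list(subject_pub),
            "not_before": not_before, "not_after": not_before + days * 86400}
    return {"body": body, "signature": sign(ca_priv, body)}

def check_cert(cert, ca_name, ca_pub, now) -> bool:
    body = cert["body"]
    return (body["issuer"] == ca_name                       # issued by the CA we trust
            and verify(ca_pub, body, cert["signature"])     # body not altered
            and body["not_before"] <= now <= body["not_after"])

# SET dual signature: the cardholder signs the pair of hashes, so the merchant can
# verify with only the order and the gateway with only the card data.
def dual_sign(priv, order_info, payment_info):
    link = {"h_order": digest(order_info), "h_payment": digest(payment_info)}
    return link, sign(priv, link)

def merchant_checks(pub, order_info, link, sig) -> bool:
    return link["h_order"] == digest(order_info) and verify(pub, link, sig)

def gateway_checks(pub, payment_info, link, sig) -> bool:
    return link["h_payment"] == digest(payment_info) and verify(pub, link, sig)

if __name__ == "__main__":
    now = 1_000_000_000                                     # constructed clock
    ca_pub, ca_priv = keygen(CA_PRIMES)
    holder_pub, holder_priv = keygen(HOLDER_PRIMES)
    cert = issue_cert("Example CA", ca_priv, "cardholder", holder_pub, now, 365)
    print("certificate valid:", check_cert(cert, "Example CA", ca_pub, now))
    order = {"items": ["book"], "total": "19.90"}           # constructed order
    payment = {"pan": "4111111111111111", "exp": "12/27"}   # constructed test PAN
    link, sig = dual_sign(holder_priv, order, payment)
    print(merchant_checks(holder_pub, order, link, sig), gateway_checks(holder_pub, payment, link, sig))
```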

The implementation and operation of SET has been carried out for many years in several dozen projects around the world. For example, the first SET transaction took place on December 30th, 1996 at PBS (Danish Bank) in a joint project between IBM and MasterCard. Similar work was carried out in 1997 at the largest Japanese bank Fuji Bank, where the protocol had to be adapted to specific Japanese legislation. Over the past time, such implementation projects have made it possible to work out the functions of the protocol and the corresponding documentation.

By the way, IBM has a complete set of products that covers all key aspects of complex use of SET in general and provides a developed infrastructure:

  • IBM Net.commerce Suite for e-commerce merchants;
  • IBM Consumer Wallet for cardholders;
  • IBM Payment Gateway - payment gateway for banks;
  • IBM Net.Payment Registry - an authentication and certification product.

SET operates on a variety of computing platforms from companies such as IBM, Hewlett Packard, Sun Microsystems, and Microsoft.

In turn, SSL is used primarily in Web applications and to secure communications on the Internet. There is also a free version of SSL called SSLeay. It contains C source code that can be embedded in applications such as Telnet and FTP. Because of these qualities, SSL is widely adopted on corporate intranets and in systems with fewer users.

Despite the technological sophistication of the SET protocol, its use in the world is very limited. There are many reasons for this, the decisive one being the high cost of implementing an e-commerce system based on the SET protocol (the cost of a SET solution ranges from $600 thousand to $1,500 thousand).

The SSL protocol only provides confidentiality of transaction data when it is transmitted over the public network, but at the same time it is significantly cheaper to implement. As a result, the vast majority of modern e-commerce systems use SSL.

The experts and developers of the SET protocol were wrong in predicting the rapid and widespread adoption of this standard. Moreover, there is persistent talk that the SET protocol is already yesterday's technology and that its chances of survival are slim.

Such conversations began in the summer of 2000, when VISA International made a statement, according to which the 3D SET protocol (a kind of SET) is becoming the standard for the European Union, Latin America and some other European countries, including Russia. At the same time, in the largest American market, the 3D SSL protocol (another name for the protocol is 3D Payer) was proclaimed as a standard.

Head of the Russian representative office of Visa Int. Lu Naumowski agrees that SET has not found demand:

"This is a very good technology. But judging by the reaction of banks, not only Russian, but also foreign, it is expensive. An issuing bank that uses the SET protocol to track card transactions has to keep a database of acquiring banks and merchants by itself. We tried to find a cheaper alternative to this protocol."

In May 2001, the specifications for the 3D Secure standard were published, claiming the role of the global authentication standard in the Visa payment system. By a decision of the European Union in July 2002, all online stores were to be identified by means of this protocol. Therefore, the acquiring bank of such online stores must be able to provide them with this protocol. If it does not support 3D Secure, it bears full responsibility for disputed transactions itself. If it uses 3D Secure but the issuing bank does not, then the latter bears the responsibility.

The principle of 3D Secure operation is that there are three different domains: the issuing bank, the online store and Visa, through whose domain the messages between the buyer, the seller and the banks pass. It is very important that all messages go over the Internet, with Visa ensuring the confidentiality of the information. After the buyer clicks on the Verified by Visa logo on the website and enters his password, this information goes to the issuing bank, where identification takes place. The issuing bank sends a request to the online store via the Visa domain, after which the store is identified by its acquiring bank. Thus, the cardholder's data is known only to the issuing bank. At the same time, the cardholder can be confident that a store displaying Verified by Visa is certified by Visa through its acquiring bank. If the issuing bank does not receive confirmation from the Visa domain that the store has Verified by Visa, the transaction will not take place.

Of course, the cardholder can make purchases in other online stores that do not have the Verified by Visa status. Then the issuing bank is responsible for the controversial transactions, and it will have to warn its customers about it.