Comment: E-Commerce Risks Overstated But Real

Any new technology or application generates myth and legend as quickly as it attracts users and advocates. Electronic commerce is no exception, as shown by its principal myth about insecurity.

Visions of predatory hackers hovering in cyberspace to snatch, steal, and amend vital information or payment data fill the public imagination. One recent survey found that 65% of U.S. consumers believe it is unsafe to take part in electronic commerce. Another suggested that just 5% of Internet users would risk sending payment card details over open lines, though a majority trusted telephone banking and almost all believed that cash dispensers are secure.

Total security can never be guaranteed, either in the physical world or the virtual universe. Companies looking at electronic commerce must evaluate the level of fraud that they can accept, bearing in mind that the real risk of fraud losses on commercial transactions is comparatively small.

To set this risk in context: Forrester Research says most companies can expect to lose $1 per $1,000 of transactions on the Internet because of fraud. In contrast, the global average loss on land-line telephone calls is $25 per $1,000, while the fraud loss on cell phone calls in emerging markets is as high as $400 per $1,000.

The problem, then, is one of perception rather than fact. As the cost-benefits and flexibility of the Internet are making private networks and closed land-lines obsolete for commercial use, most attention has been concentrated on defining security systems that will protect data on open networks and, perhaps more important, create and maintain widespread public and commercial confidence.

Software and hardware companies including Microsoft, IBM, Netscape, and Verisign, global payment systems such as Visa and MasterCard, and business advisers and consultants have recognized this and have invested substantial resources in developing a wide range of security systems and services.

One of the best known of the available solutions is public key infrastructure, or PKI, technology. It is a cryptographic system loosely analogous to a bank night safe.

Many public keys are issued to allow packages to be put in the safe, but only the bank possesses a private key to retrieve them. For Internet transactions, messages are locked by freely available public keys, but can only be unlocked by the recipient's private key.

One well-known protocol for Internet transactions is Secure Sockets Layer, or SSL, currently symbolized by the broken key visible at the bottom of Internet browser programs such as Netscape. When confidential information has to be sent across an open network, it is encrypted. The user knows this because the broken key becomes whole. The information is secure during its journey, but the system does not guarantee the sender's identity.

A third option is the Secure Electronic Transaction, or SET, protocol, which encrypts payment card transaction data. It differs from SSL in that it verifies that both parties to an electronic commerce transaction are genuine.
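The three paragraphs above describe two distinct properties: confidentiality (a message locked with a public key can be opened only with the matching private key, the "night safe") and authentication of the parties (what SET adds over SSL). The following textbook RSA walk-through is an added example, not code from the article or from any of the vendors it names; it uses deliberately tiny primes (61 and 53) so the arithmetic can be followed by hand, and is unsuitable for real use. The function names are the example's own.

```python
# Added example: textbook RSA showing why "locked with a public key" gives
# confidentiality but not sender identity, and what a signature adds.
# Key sizes here are toy-sized for readability (assumption: 61, 53, e=17).
from math import gcd


def make_keypair(p, q, e=17):
    """Derive a (public, private) RSA pair from two primes and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Anyone holding the public key can 'drop a package in the safe'."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private-key holder can retrieve it."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Signing uses the private key, so it proves who produced it."""
    d, n = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    """Anyone can check the signature with the public key."""
    e, n = public_key
    return pow(signature, e, n) == m


def night_safe_demo():
    """Return the observable results of one merchant/customer exchange."""
    merchant_pub, merchant_priv = make_keypair(61, 53)
    customer_pub, customer_priv = make_keypair(47, 59)

    card_digit = 65                         # constructed sample payload
    c = encrypt(merchant_pub, card_digit)   # confidential in transit
    recovered = decrypt(merchant_priv, c)

    # Encryption alone says nothing about WHO sent the ciphertext: an
    # impostor with the same public key produces an equally valid one.
    impostor_c = encrypt(merchant_pub, card_digit)

    # A signature from the customer's private key binds the message to
    # the customer; a tampered amount fails verification.
    sig = sign(customer_priv, card_digit)
    return {
        "ciphertext": c,
        "recovered": recovered,
        "impostor_indistinguishable": impostor_c == c,
        "signature_ok": verify(customer_pub, card_digit, sig),
        "tampered_ok": verify(customer_pub, card_digit + 1, sig),
    }


if __name__ == "__main__":
    for k, v in night_safe_demo().items():
        print(f"{k}: {v}")
```

The `impostor_indistinguishable` result is the point behind the SSL paragraph: encryption under the recipient's public key protects the data in transit, but any holder of that freely available key could have produced the same ciphertext, so identity has to come from a separate mechanism such as a signature or certificate.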

All these approaches have been tested to varying degrees and have proven effective from a practical standpoint. The Business Software Alliance estimates that it would take a casual hacker 38 years to crack a code such as SET.

The apparent strength of these systems, however, can also be a drawback. They are based on algorithms so complex that they can be difficult to install and manage. Additionally, they can place undue strain on network capacity and operations. Given that some commercially available forms of encryption are more advanced and intricate than those used to protect nuclear missile codes in the United States, it is hardly surprising that many companies feel that the effort is not worth the investment.

Moreover, there is a real fear that the cost of implementing and running these security systems will outweigh the financial impact of the potential frauds that they would prevent. In effect, high levels of security may not allow companies to capitalize on the business opportunities created by rapid advances in network and computer technology. To keep pace with business needs, solutions need to be user-friendly and cost-effective, while maintaining high levels of effectiveness and reliability.

In time, these products will be supplemented by further innovations. Banks and payment systems are working on security that will be compatible with a new generation of chip cards and make it possible for consumers or businesses to buy goods and services electronically from any convenient terminal.

The points of interaction may be an interactive television, hand-held computer, smart telephone, or a kiosk in a shopping mall.

Advances in fingerprint identification and other biometrics are opening up new possibilities in securing electronic transactions. Traditionally, authentication was a combination of what you had and what you knew (e.g., a debit card and a personal identification number). Using biometrics changes that to a combination of what you have and what you are (e.g., a debit card and a retinal scan).

In much the same way that VHS became a global standard for video, global standards for security will also emerge, with the market choosing the most effective and freely available technology. In the United States, for example, PKI has become a de facto standard for most electronic commerce applications. The point is that changes are occurring at a rapid rate and on a regular basis.

So, despite the general atmosphere of mistrust, the security of users, data, and payments should not be the only issue for companies wondering how to take advantage of the new markets and economies opened by electronic commerce. Instead, consideration should be given to a wider range of risks that are far more likely to have a significant impact on their efforts. Among these are:

Compromising the brand. If a business is hit by internal fraud or fails to deliver on the goods and services it has promised, it could lose public confidence. This can be devastating for Internet startup companies.

Choosing the wrong technological package. Organizations should not be panicked into selecting systems that do not meet their business needs simply because they are available immediately or are less expensive. Innovations are always occurring in the marketplace, and sometimes waiting or spending a bit more can be beneficial. In any case, the selection process should be proactive and guided by business needs, rather than reactive and guided by preconceived security requirements.

Overcomplexity. Some systems are so difficult to use that neither consumers nor corporations will persist with them. Consumers will need a security system that is sufficiently rigorous for peace of mind, but one that remains simple enough to be unobtrusive or even invisible. And selling that peace of mind will require that the technology have sufficient credentials to allow for a clear and understandable marketing message surrounding security.

Budgetary risk. Companies should be prepared to cut their losses and move on to more appropriate security if they have invested in a technological dead end. Sticking with outdated or bad technology will not increase the likelihood of success.

Contingency risk. There should be backup for possible technology failure, and secure storage must be available for the mass of information that will be generated.

The risk of success. Businesses must choose systems and suppliers that enable them to conduct secure electronic commerce with expansion in mind. Some suppliers or systems may not be able to meet future needs. In an environment as competitive as this one, any delay can be catastrophic.

Regulatory risk. For purposes of electronic home banking or on-line trading, there are a host of issues regarding compliance with regulatory control requirements, cross-border mandates, and the unique requirements of reporting in various countries.

Managing these risks requires an enterprise-wide strategy. Every organization, large or small, should begin devising such a strategy now.

A comprehensive analysis of all risks involved with any venture into electronic commerce is a good start. The main thing is to have the analysis and planning driven by business needs rather than technological fears.

From an organizational standpoint, business strategy should drive the definition and shape of the technology, rather than having the technological selection determine business strategy.

Above all, security fears should not get in the way of a business considering e-commerce. Though every business today may not be involved in electronic commerce, it will soon be an option that no one can afford to ignore.
