UWEBD | eBusiness Faq

University Web Developers' Mailing List

eBusiness Faq

This FAQ discusses different eBusiness (or eCommerce) solutions in use in a university environment.

What is eBusiness?

The concept behind eBusiness is simple. At one end of the wire is someone who wants to buy something. At the other end are the people who sell it. An eBusiness site provides a way for the customer to see what products are available, order the products, provide shipping information, and pay for those products. This has to be done in a "secure" way so that criminals can't steal confidential information, money, or products.

What are some ways to use eBusiness on my web site?

There are many levels of "eBusiness" solutions. Some are simple to implement, others require very expensive specialized programming and databases.

  • One simple eBusiness solution is to use the web just for advertising the products, then provide a telephone number to do the rest (ordering, obtaining payment information, getting shipping information, etc.). This is especially useful if the organization already supports telephone ordering. It also avoids many of the security issues, as all the confidential information (like credit card numbers) would be received over the phone, not the web.

  • The next step up from this is to provide an on-line order form that gathers together the information, then e-mails it to the person responsible for filling the orders. The order would then be handled the same way as a telephone order.

    This is OK for non-confidential information, but could pose serious security problems for confidential information. Information exchanged using e-mail is not normally encrypted. Criminals could eavesdrop and obtain credit card numbers, etc.

  • The next step up from this is to have a back-end database program with a web front-end for displaying the products and handling order forms. Depending upon your needs, this might be a very simple Perl program, or a complete million dollar integrated business system with hooks into accounting, inventory, shipping and other databases. This kind of solution would require a substantial amount of custom programming work and would be more expensive than the other alternatives. Often people choose to outsource this to eBusiness companies instead of doing this work themselves.

What about eBusiness and Security?

It is very important that confidential information (like credit card numbers) remain confidential. If you do not adequately protect this confidential information, then you could be open to legal action if this information ever gets into the wrong hands.

Security should include the following areas:

  • All communications over the network containing confidential information must be encrypted. This includes communications between customers and the web site, communications between the web site and company employees, and communications internally in the system (such as communications between two databases over the network).

    The best way of doing this is by using "Secure Sockets Layer" (SSL). This encrypts all communication between the web server and the web browsers. If SSL is set up on your web server, you should be able to turn it on by using "https://" instead of "http://" in the URLs to your web pages. If this doesn't work, you have to talk to your service provider to find out how to use SSL at your institution.

    For more information on SSL please see the following web sites:

  • Confidential information in the database should also be encrypted. There have been several cases where hackers have broken into computer systems, copied their databases, and obtained thousands of credit card numbers. Encrypting the credit card numbers in the database will add additional protection if hackers get into your system.

  • All printed material going to networked printers should be encrypted. There is no sense in encrypting all web-based information going over the network if hackers can capture the documents being printed on your network printers. The best solution is to use SSL to display the documents on your web browser, then print to a locally connected printer, not a network printer.

  • Use other appropriate security techniques, such as firewalls, monitoring of people hacking into your systems, etc. For example, you might think that using e-mail between two computers in the same locked-up computer room is "secure enough" because the network traffic doesn't go outside that room. However, if a hacker breaks into one of the computers in that room, he can set up a "snooper" program that will monitor all network traffic going on between all computers in that room, even if he didn't hack into your web or database server.
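The database point above, as an added Go example that is not part of the original FAQ: the card number is encrypted with AES-256-GCM before it is stored, and the order ID is bound in as associated data so a stored value copied into another order's row will not decrypt. The `CardVault` type, the order IDs and the card number (a standard test number) are constructed for illustration, and the key is assumed to be kept somewhere other than the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// CardVault encrypts card numbers before they are written to the database.
type CardVault struct{ aead cipher.AEAD }

// NewCardVault takes a 32-byte key (AES-256) that is stored outside the database.
func NewCardVault(key []byte) (*CardVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &CardVault{aead}, err
}

// Seal returns base64(nonce || ciphertext || tag); the order ID is authenticated too.
func (v *CardVault) Seal(orderID, card string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, []byte(card), []byte(orderID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open fails on a wrong key, a different order ID, or a modified stored value.
func (v *CardVault) Open(orderID, stored string) (string, error) {
	n := v.aead.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("stored value for %s is malformed", orderID)
	}
	plain, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(orderID))
	return string(plain), err
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated fresh on every run
	rand.Read(key)
	v, _ := NewCardVault(key)
	fmt.Println(v.Seal("order-1001", "4111111111111111")) // constructed test values
}
```

A copy of the database alone yields only the base64 column values; the protection depends on the key not being stored alongside them.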

Can you show me a typical configuration?

A typical configuration for a secure eBusiness web site would look something like this:

  • A customer would use a web browser with an SSL connection to place an order. (so the order is protected)

  • This order would be stored in the database on the server, with important information encrypted. (so hackers couldn't use it even if they break into the system)

  • An e-mail message would go to the person who handles the order saying a new order has arrived, but not containing any confidential information. (still get the e-mail notification, without any security problems)

  • The person who processes the order would log into the "Order processing web site" using a web browser and SSL to view the order in a secure manner. (this secures the employee's ability to view the order and process it)

  • If this person needs to print the orders, it would be printed on a local printer that is connected directly to their microcomputer, not a network printer. (This prevents snooping of the printed documents by hackers)
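One way to enforce the e-mail step of this configuration, as an added Go example that is not part of the original FAQ: the notification carries only an order ID, and a check run before sending rejects any message body containing a digit sequence that passes the Luhn checksum used by payment card numbers. The function names, the order ID and the sample text are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidate matches 13 to 19 digits, optionally separated by single spaces or dashes.
// Heuristic: neighbouring digit groups separated that way are read as one number.
var candidate = regexp.MustCompile(`\d(?:[ -]?\d){12,18}`)
var separators = strings.NewReplacer(" ", "", "-", "")

// luhnValid reports whether a digit string passes the Luhn checksum.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = d*2/10 + d*2%10 // double, then add the two digits of the result
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// CardNumbersIn returns every card-like number found in an outgoing message body.
func CardNumbersIn(text string) []string {
	var hits []string
	for _, m := range candidate.FindAllString(text, -1) {
		digits := separators.Replace(m)
		if luhnValid(digits) {
			hits = append(hits, digits)
		}
	}
	return hits
}

// NewOrderNotice builds the notification body: an order ID and nothing confidential.
func NewOrderNotice(orderID string) string {
	return fmt.Sprintf("A new order (%s) has arrived.\nSign in to the order processing web site to view it.\n", orderID)
}

func main() {
	fmt.Println(CardNumbersIn(NewOrderNotice("order-1001")))                  // constructed order ID
	fmt.Println(CardNumbersIn("Name: J. Smith\nCard: 4111 1111 1111 1111\n")) // constructed form text
}
```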

How are credit cards handled?

Some eBusiness solutions provide the ability to automatically handle credit-card transactions online. A customer provides credit-card information, and the credit-card transaction is automatically processed. This requires a way for you to verify and charge credit card transactions over the web.

There are several companies which provide this service. Please refer to the Yahoo "Credit Card Merchant Services" list at "http://dir.yahoo.com/Business_and_Economy/Business_to_Business/Financial_Services/Transaction_Clearing/Credit_Card_Merchant_Services/" for some of these vendors.

What Commercial eBusiness tools are available?

Many universities have "rolled their own" eBusiness tools. However, there are a few commercial products out there. Here are some names that have come up in the UwebD list:

Where can I get more information on eBusiness?

This FAQ just scratches the surface of using eBusiness. Please visit the following web sites for more detailed information on eBusiness techniques and issues.
