ITS 380-001 Global E-Commerce Systems

Xueying Mei

CH5 – E-commerce Security and Payment Systems


P.334   Case Study Questions:

Q1: What are the three types of mobile payments, and how do they differ?


Mobile payments with a credit card. 

Mobile payments that involve swiping or inputting credit card information into a mobile device (like a smartphone or tablet) or small card reader (called a dongle) that plugs into the headphone jack of a mobile device are particularly cost-efficient options for small-business owners. Not only might the business owner already own the mobile device required to process credit or debit card transactions (once he/she has established a merchant account with a payment provider), fees tend to be nominal, and flexible based on the business’s transaction frequency.

The technology is simple to use, and doesn’t require an investment in point of sale terminals, or that a business have a sophisticated infrastructure. Businesses that choose a mobile payment processor that guarantees payment card industry (PCI) compliance can manage the risk associated with handling sensitive customer data to ensure it is appropriately encrypted during transaction processing.

This form of mobile payment also gives customers the added convenience of paying with a credit card at a business’s physical storefront, at remote events like trade shows and festivals, or even at the client’s home or place of business. Despite the point of sale conveniences, the customer must still carry a wallet or card in order to pay.

Mobile wallets. 

Mobile wallets, by contrast, empower customers to leave their physical wallets and cards at home. Once the customer has established a mobile wallet and uploaded the forms of payment he/she wants to keep securely stored in it, the customer can access the mobile wallet’s app to pay at the point of sale, using a mobile device.

While the number of merchants whose point of sale terminals have the near-field communication (NFC) readers the technology requires is on the rise (thanks in part to the recent launch of mobile wallet technologies like ApplePay), mobile wallet acceptance is still inconsistent. If a merchant isn’t equipped with an NFC terminal, consumers may not be able to use their mobile wallet to pay.

Digital wallets. 

Similar to mobile wallets, digital wallets securely store a registered user’s financial and credit card information, negating the need to enter card information or present a physical card to a merchant. (PayPal was one of the first versions of digital wallet technology.) Digital wallet technology could be considered the “forefather” of the mobile payment movement; however, digital wallets are not inherently designed for use on mobile devices. Some are now accessible on a mobile device if the customer has downloaded the provider’s mobile app.

Unlike a mobile payment transaction that involves the merchant entering the customer’s card information into a reader, both digital and mobile wallet transactions empower customers. Customers (not the merchant) initiate the transaction and choose the payment processor. Consequently, digital and mobile wallets lower the risk merchants absorb when customers use credit or debit cards to pay: merchants do not process, handle or store any of the customer’s sensitive financial data when a mobile or digital wallet is used to pay.

Though mobile payment technology can provide value to businesses and customers, there are subtle differences to the technology’s purpose and capabilities that can have significant impact on ease of use and benefits. By identifying the type of mobile payment that will best suit your business model and your customers, you can determine which type or types of mobile payment technology stand to deliver optimal results.


Q2: Who are the largest adopters of mobile payment methods? Why?


A survey of consumers in the United States, United Kingdom and Australia released last week from ETA member Transaction Network Services (TNS) says that American consumers have the highest adoption of mobile payments, with 59 percent of respondents saying they prefer the convenience of mobile payment apps. Fifty-two percent of British and Australian consumers agreed that they are likely to use mobile payment apps.

Adoption was unsurprisingly highest among younger consumers, the report found. For consumers aged 16-24, 71 percent said they were likely to use mobile payment apps on their smartphones. For those aged 25-34, 73 percent said the same. Only 28 percent of surveyed consumers aged 55-64 indicated they were likely to use mobile payment apps. The group with the highest adoption was young Americans, with 82 percent of 25-34-year-olds saying they were likely to use mobile payment apps.

Wearable contactless payment types were popular among survey respondents despite concerns over their security. Just under half (44 percent) of respondents across the three countries said they are willing to make a payment via a wearable device like a ring, bracelet or smartwatch. American consumers favored them slightly more at 47 percent.

However, nearly two-thirds (64 percent) of American consumers said that concerns over the security of contactless payments via wearables would keep them from using them to make a purchase.

Overall contactless payments usage in the United States lagged behind the UK and Australia despite the higher preference for mobile payments. According to the report, 60 percent of US respondents make on average at least one contactless payment each week, compared to 75 percent of Australians and 79 percent of Britons. Both the UK and Australia have higher adoption of dual-interface contactless bankcards. Major American issuing banks including JP Morgan Chase, American Express, and Bank of America have recently announced plans to transition their portfolios to contactless cards.

Q3: Why are digital wallets provided by Apple, Google, and Samsung not growing as fast as expected?


1.       Mobile payments are not convenient.

The proximity mobile payment process is still not the seamless, "frictionless" experience it needs to become to gain widespread adoption, according to Forrester's Miller.

For example, when consumers use debit cards via Apple Pay to make purchases, they must take out their smartphones, use a thumbprint to unlock the phone and mobile wallet, select the card to use (if multiple cards are available), and hold their devices close to payment terminals. After transactions are made, consumers must usually still enter their PIN or provide a signature.

In other words, the mobile payment experience isn't that much better than using an actual credit or debit card.

2.       Mobile payments do not offer special motivation.

Most mobile payment services and wallets don't offer enough added value to entice hesitant consumers. For example, mobile payment users typically can't redeem loyalty points or special offers at the PoS when making a purchase.

However, some branded mobile apps with payment features have successfully tied together loyalty programs and point redemption, according to Miller. Starbucks's mobile app, for example, effectively combines the coffee chain's loyalty program with mobile payments, he says, but few such success stories exist.

"There needs to be an incentive for people to integrate mobile solutions and wallets into their everyday lives," says Maxime de Nanclas, COO and cofounder of Mobeewave, a startup that developed a mobile peer-to-peer payment application called PayMeTap. "Mobile wallets need to integrate a greater number of loyalty programs with major retailers. They need to provide value outside of consumer-retailer transactions."

3.       Mobile payment infrastructure is slow to evolve.

Mobile payments haven't become mainstream, because the infrastructure required to enable them is still evolving, according to Miller. For example, U.S. merchants have replaced or are currently replacing older PoS terminals with new ones that support credit and debit cards with embedded chips. Such cards are based on the Europay, MasterCard, and Visa (EMV) global standard, and they are designed to be more secure than magnetic-stripe cards.

The EMV standard is already widely deployed in many countries but is still being rolled out across the United States. As part of the transition, many U.S. businesses are moving to EMV terminals that also support Near Field Communication (NFC) transactions, Miller says. (NFC chips are built into many of the latest Android and iOS smartphones, as well as other devices, such as smartwatches.)

Consumer adoption of NFC-equipped smartphones is gaining momentum, and 50 percent of consumers in North America, Japan and a number of Western European countries are expected to use smartphones or wearables for mobile payments by 2018, according to Gartner. However, the transition to NFC-capable terminals will "take years" to complete, according to Miller, and that means it will also be years before proximity mobile payments take hold.

4.       Modern mobile payment experience is inconsistent.

Consumers today have many mobile payment and wallet options, including Apple Pay, Android Pay, Samsung Pay, PayPal, Visa Checkout, Walmart Pay, and bank-branded mobile wallets from Wells Fargo and Chase.

This diversity of offerings slows the adoption of mobile payments, according to Steve Gilde, global payments executive at IR, a company that provides performance management software for IT infrastructure, payments, and communications. Consumers are confused by it all, and they just want payment methods that are simple, easy to use, ubiquitous, and that always work, he says. "It's hard for any one mobile wallet provider to say they deliver that today."

"What the consumer wants instead [of the confusing array of mobile payments] … is a simplified mobile commerce experience," wrote Karen L. Webster, CEO of, a website that covers digital payments and ecommerce, in a recent blog post.

Consumers want "an account that's smart enough to keep track of all of their loyalty memberships, coupons, promo codes, and to apply those discounts automatically to their purchase at checkout — without the friction that gets in the way of actually checking out," Webster wrote.

5.       Ingrained behavior is tough to change.

Paying with smartphones, smartwatches or other devices simply isn't an ingrained consumer behavior … yet. Changing such behaviors can take years. 

Today, only 31 percent of U.S. mobile payment users always use mobile payments at locations where they are accepted, according to the previously cited Auriemma Consulting Group study. The most common reason? Consumers simply forgot to pay with their mobile devices. "Reaching for the phone instead of the wallet isn't an automatic reflex, even for mobile pay enthusiasts," says Marianne Berry, managing director of the firm's Payment Insights practice.

6.       Mobile payment security concerns.

Mobile payments may or may not be more secure than other forms of payment, but some consumers at least fear that they aren't and therefore shy away from using smartphones and wearables at cash registers.

All-too-common data breaches at banks, credit card companies, retailers, and others are widely reported in the media, fueling consumer anxieties. Thieves have access to incredibly sophisticated tools to grab consumers' passwords, login credentials, and other personal data, according to Gilde. And despite recent high-profile encryption battles between Apple and the U.S. government, concerns exist among some consumers that smartphones collect too much information about their purchases and other activities.

According to the 2015 Mobile Payment Security Study of more than 900 cybersecurity professionals, the threat is real. Nearly half of survey respondents said mobile payments aren't secure, and 87 percent said the number of mobile payment data breaches will increase in the near future.

However, some cybersecurity professionals still choose to use mobile payments, according to John Pironti, risk advisor for ISACA, the group that organized the survey. "This shows that fear of identity theft or a data breach is not slowing down adoption — and it shouldn't — as long as risk is properly managed and effective and appropriate security features are in place," Pironti told


Q4: What is Zelle and why did it grow so fast in the last few years?


Like Venmo, Zelle is a person-to-person mobile payments platform developed by more than 30 major American banks. The service offers a standalone app that users can download to their smartphones, but it's also integrated within the mobile banking apps of major participating banks, including Bank of America, Chase, Citi and Wells Fargo. Many consumers who already have their banks' mobile apps can start using Zelle right away.

However, unlike Venmo, money transferred using Zelle moves directly from one bank account to another. Most banking transfers between accounts require account numbers to initiate transactions, and these transactions can take up to several business days. Zelle eliminates this need, allowing users to transfer funds from one checking account to another in a matter of minutes.

To initiate a transfer, you simply need the email address or phone number of the person you're sending money to. Zelle sends the recipient a text or email indicating there's a payment waiting for them, along with a link to accept it. If the recipient's bank is a participating partner, the recipient simply needs to register for the service through their bank's website or mobile app with an email address or phone number.

Once registered, the recipient can accept the payment; it is typically transferred into the recipient's account within a matter of minutes (first-time users may have to wait up to three days). If the recipient's bank is not a participating member, they can still receive the funds by downloading the Zelle mobile app, registering with an email or phone number, and entering a debit card to receive the funds.

Zelle is the US big banks’ answer to the exponential growth that the P2P mobile payments market has seen over the last few years. A ready-made platform that banks can build into their existing apps, Zelle offers significant advantages to both banks and customers.

Banks are hoping that the advantage of instant transfers (as opposed to the waiting period customers of third-party providers like Venmo see), in combination with the assurance of a bank’s security framework, will be enough to see Zelle become a leading contender in the $200 billion US P2P payments market and a means to regain control of the customer relationship.

However, the key to success for banks lies not just in where millennials make payments, but where they are spending their time. And this is where Zelle — and even Venmo — falls short as a solution that can not only capture, but firmly hold onto the engagement of the millennial market into the future once Facebook, Snapchat, and the like develop and enhance their own financial services. As a service that is aimed at improving the payments experience and being attractive to millennials, Zelle stops one step short of what millennials are looking for (and where they’re looking for it).

A generation defined by their access to instantaneous services — a taxi in one tap, a pizza in a click — millennials are increasingly expecting companies and services to be available to them at any channel of choice, at any time. Having to leave a social or messaging app, where users are spending so much of their time, and switch to Zelle’s app (or a Zelle powered banking app) in order to make a P2P transfer really isn’t the type of quick and seamless user experience that is coming to be expected.

In order for banks to be attractive to the millennial market and to see long term growth and retention of this market, they must look at opening new service channels and meeting customers wherever they are, and not vice versa. We’re now at a time where it’s no longer enough to simply be mobile-first. With users now spending around 2.5 hours every day on social and messaging apps, banks need to be social-first.


P.337-338   Projects:

Q1: Imagine you are the owner of an e-commerce website. What are some of the signs that your site has been hacked? Discuss the major types of attacks you could expect to experience and the resulting damage to your site. Prepare a brief summary presentation.


Some of the signs that a website has been hacked:

1.       Fake antivirus messages or warnings.

2.       Multiple unnecessary toolbars opening.

3.       Web browsers flag the presence of harmful attacks when customers enter the website's domain.

The owner may see indications like these when the website has been hacked.

Some of the damage the owner will have to face is listed below:

1.       The owner may receive complaints from customers about the site not working properly.

2.       Once a website has been hacked, the owner can no longer promise the security of the personal information customers stored when registering.

3.       The reputation of the website will be affected, and customers may switch to other e-commerce sites that are more secure.

4.       The domain name can be blacklisted.


Q2: Given the shift toward m-commerce, do a search on m-commerce (or mobile commerce) crime. Identify and discuss the security threats this type of technology creates. Prepare a presentation outlining your vision of the new opportunities for cybercrime that m-commerce may provide.


Mobile computing gives users the mobility to research, communicate, and purchase goods and services from anywhere at any time without being bound to a desktop.

Mobile commerce operates on a radio frequency platform and is therefore prone to passive attacks, that is, listening in on ongoing conversations.

Most mobile devices (laptops, WLANs, personal digital assistants (PDAs), etc.) do not have the same capabilities as mobile phones (e.g. smart cards to improve security, roaming to improve remote connectivity), which limits their use in wireless environments.

There are two major technical security concerns in a mobile commerce environment: identification integrity and message integrity. Identification integrity refers to the signature elements in a message that are used to infer where the message originated. Message integrity refers to the details that establish that the message was received as sent and that no third party has attempted to open, modify or alter its contents.
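The two properties defined above can be checked together with a keyed message authentication code. The following is an added example, not part of the original coursework answer; the device IDs, keys and order fields are constructed, and the per-device shared-key scheme is an assumption chosen for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: one shared secret per registered device (hypothetical IDs).
DEVICE_KEYS = {
    "device-A": b"constructed-secret-for-device-A",
    "device-B": b"constructed-secret-for-device-B",
}


def _canonical(sender, payload):
    """Deterministic bytes covering both who sends and what is sent."""
    return json.dumps({"sender": sender, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(sender, payload, key):
    """Attach an HMAC-SHA256 tag that binds the sender ID to the payload."""
    tag = hmac.new(key, _canonical(sender, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "tag": tag}


def verify_message(msg, keys=DEVICE_KEYS):
    """Return 'ok', 'unknown-sender' or 'rejected'.

    Identification integrity: the tag only verifies under the key registered
    for the claimed sender. Message integrity: any change to the payload
    changes the expected tag. A shared key cannot tell these two failures
    apart, so both are reported as 'rejected'.
    """
    sender = msg.get("sender")
    key = keys.get(sender) if isinstance(sender, str) else None
    if key is None:
        return "unknown-sender"
    expected = hmac.new(key, _canonical(sender, msg.get("payload")),
                        hashlib.sha256).hexdigest()
    received = str(msg.get("tag", ""))
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        return "rejected"
    return "ok"


def demo():
    """Run the checks on a constructed order and three altered copies."""
    order = sign_message(
        "device-A",
        {"order_id": "ORD-1001", "amount": "25.00", "currency": "USD"},
        DEVICE_KEYS["device-A"],
    )
    tampered = dict(order, payload=dict(order["payload"], amount="2500.00"))
    spoofed = dict(order, sender="device-B")      # claims a different origin
    stranger = dict(order, sender="device-Z")     # sender not registered
    return {
        "original": verify_message(order),
        "tampered_amount": verify_message(tampered),
        "spoofed_sender": verify_message(spoofed),
        "unregistered": verify_message(stranger),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A shared-key tag proves origin only to parties that hold the key, and it does not by itself stop a valid message from being replayed.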

Identification integrity and message integrity are also involved in mobile security. Unfortunately, the platform on which mobile communication is currently built does not offer full-scale security measures when it comes to transaction integrity. Mobile ad hoc wireless networks in particular have some limitations that need to be taken into consideration. These issues are discussed briefly below.

Transaction Management:

Transactions can be difficult to enforce. Intermittent network disconnections affect a service in a secure m-commerce operation: when a step fails, the secure connection is considered unfinished and the transaction is aborted.

Delivery of Service:

Due to the unique characteristics and complexities of ad hoc wireless networks, existing service discovery and delivery protocols do not seem to suit the needs of an ad hoc network, making them unsuitable for m-commerce oriented scenarios. Service advertisements and deliveries may need to be disseminated by a mix of a store-and-forward strategy and local multicasting to cope with intermittent online connectivity.

Trust System:

One of the important factors of online communication in terms of security is trust: it helps the participating entities ensure secure transactions by reducing the risk involved in them. On the other hand, a mobile network cannot rely solely on network service providers to provide security services such as a Certification Authority.

Mobile cybercrimes are still relatively rare, but recent years have seen major security scares, viruses, and other mobile crimes. The following are m-commerce crime trends to watch out for now and in the coming years, as criminals look to take advantage of the opportunities for cybercrime that m-commerce may provide.

Rootkit installation:

A rootkit is a particularly stealthy type of software that installs itself on a user’s device and hides itself from the normal modes of detection, letting it operate in secret to get privileged access to a computer and its user’s information. In the past, these malicious programs were limited to laptops and desktop computers, but they’re becoming a threat on mobile phones. A rootkit, when installed on a phone, could affect every part of the phone from the touch screen to the passwords. These programs can not only steal information, they could potentially even reroute calls from legitimate businesses to criminal operations.

Risky QR codes:

QR codes can be a cool way for consumers to find out more about products and find a wealth of information with very little effort, but they’re not always safe. Mobile phone users never quite know where the codes will take them once scanned, and in a growing number of cases, QR codes are leading to sites that download a virus or malware onto the user’s mobile device.

Smishing:

Smishing tries to trick individuals into revealing personal, private information. Smishers send their victims an SMS (text) message, baiting them into divulging personal details like bank account, credit card, or social security numbers. Smishers often pose as businesses, drawing in those who believe they’re simply helping keep their accounts in good standing, avoiding bogus charges the smishers say they’ll owe if they don’t comply, or sometimes even trying to win a (fake) prize.

Social engineering:

Social engineers scam mobile users either by tricking them into giving up private information or by tricking companies that the individual uses. Sometimes, criminals will hack into bank accounts and change customer contact information. When fraud occurs, the bank will contact not the customer but the criminal, who will verify the charges.

Viruses and Malware:

security may be leading many mobile users to become unwitting victims of cybercrimes. While viruses and malware that attack mobile phones are still rare in comparison to those designed to attack PCs, the growing number of smartphones and tablets has become a new, ever bigger target for criminals. Experts advise not only mobile customers but also businesses to prepare for a growth in this kind of attack by creating more secure apps or payment systems, and offering better support to consumers.