Web-Based Electronic Commerce
Copyright (c) 1997 HREF Tools Corp. All Rights Reserved.
Permission granted to Borland for use at the 1997 Borland Developer's Conference.
Building a Web-Based Electronic Commerce Application with
by Ann Lynnworth, co-founder, HREF Tools Corp.
ECommerce, Before the Web
The first attempts at electronic commerce, called Electronic Data Interchange (EDI), were strictly for
established relationships between large companies. Traditional EDI occurs over secure, independent
value-added networks or dedicated links that directly connect customers to suppliers. EDI provides
not only the physical connection between businesses, but also management, translation and messaging
services. Today, there are over 57,000 EDI-enabled businesses conducting electronic transactions.
EDI, due primarily to the high communications costs involved, works well only for large-scale
relationships and has therefore been quite limited.
By substituting the Internet for the private Value Added Network (VAN), costs can be reduced anywhere
from 70% to 90%, according to PaineWebber research. The same solutions that EDI has provided can be
extended even to single-user customers in a cost effective way.
The reason that ecommerce is expected to take off so rapidly in the late 90s is because most companies
already have existing systems which can be "web-enabled" with minimal re-write.
What the Key Players are Offering
The database vendors are based in two camps as far as their approach to the market. IBM, Oracle and
Microsoft have tightly integrated products, while Sybase and Informix are taking a best-of-breed
partnership approach. While multi-vendor solutions can be expensive and difficult, they do offer the
advantage of far greater flexibility.
An estimated 70% of corporate data resides on IBM mainframes and other mostly proprietary
IBM hardware. This leaves IBM uniquely positioned to play a key role in corporations' entrance into
electronic commerce on the web. IBM's strategy is a complete end-to-end solution using both IBM
hardware and software. It offers its own web and merchant servers, tied to its DB2 relational database.
Oracle holds approximately 65% of the Fortune 500 client-server relational database market.
Like IBM, Oracle offers a tightly integrated, software-only solution to its customers. Its proprietary web
and merchant servers link to Oracle's Universal Server for real-time transactions and dynamic
Microsoft is meanwhile pulling customers toward the combination of Windows NT, its Internet
Information Server (IIS), and SQL Server 6.5. Looking ahead to the year 2000, the Gartner Group
projects Windows NT to be the operating system with the largest growth and a market share that is double
that of Unix in terms of dollars.
Informix is highlighting the use of "multimedia" data types such as video, audio, spatial data
and HTML as it seeks to bring the Informix Universal Server to market. It has partnered with
Netscape, Gemplus and Hewlett-Packard.
Sybase is third in market share in the RDBMS market (behind Oracle and Informix), and has
thus far partnered with Netscape for a web server offering.
Where Delphi Fits In
With Delphi Client-Server, and the link to the AS400, middleware applications are the perfect bridge
between the Internet and all these existing database backends. With Windows NT gaining in momentum,
the advantages of Delphi will continue to give its users a large competitive advantage.
Using the Web to Make Money
The three ways that sites are earning money over the web today are with advertising, subscriptions and the
transactional model. The advertising model derives revenue from the sale of viewable Web page space in
the form of banners, similar to ads placed in newspapers and magazines. The subscription model charges
users for access to the Web site content itself, just as magazines and newspapers charge a purchase price.
Transactional sites derive revenue from the sale of goods through a Web-based front end, such as an
Using the Web to Save Money
The less obvious side of "capitalizing" on the Web is to use it to save money by offering customer service
options over the web, directly to customers. Technical support and order tracking are two of the most
common operations to be converted from human telephone-based services to online web-based systems.
Even small companies and organizations can afford to have 24-hour information available to prospective
customers and members.
ECommerce, Looking Ahead
The room for growth in electronic transaction processing is extreme. Direct contact payments in the U.S.
at the point of sale totaled in excess of $3.6 trillion in 1995, only 20% of which was conducted with credit
or debit cards. According to First Data Corporation, a leading transaction processor, only 3% of the $460
billion supermarket industry is transacted with credit or debit cards. Only 1% of the $300 billion
professional services industry is transacted electronically. Less than 12% of the gasoline and service
station business is electronic, and less than 1% of fast food restaurants have point-of-sale payment
readers. Thus anywhere from 88% to 99% of transactions in those markets remain to be converted.
PaineWebber estimates the value of goods and services sold on the Web to be in excess of $6.5 billion by
the year 2000, and $1 trillion by 2010. "Much of the required infrastructure is already in place, and
currently much more is being built. We believe a robust, online retailing environment could quickly
become commonplace reality as early as year-end 1997."
Different Models of Electronic Commerce
Business to Business
This model is marked by multiple transactions from the same customer to the same vendor. Without
repeat business, there is no incentive to provide expensive, customized client-side solutions. There has to
be a certain threshold of business activity between two firms before automation pays off. On the
high-volume side, trillions of dollars flow through the world's existing banking infrastructure every day.
On the consumer side, utility companies, magazine publishers, insurance carriers and other businesses that
require monthly payments are putting automatic payment mechanisms in place. The key here is repeat
business from a customer, in a predictable fashion.
In this scenario, shipment of goods is generally triggered by a “promise” to pay, in the form of a purchase
order or signing of a monthly contract. In some cases, credit cards are used to “guarantee” payment.
The communication channel may be a private line, or a highly secured TCP/IP channel. Users can be
expected to "authenticate" themselves by providing a username and password, and possibly a digital
CashLink in Auckland, New Zealand is one of many companies who are developing business-to-business
solutions using the Internet as the network, a web browser as the client, and a relational database as the
Direct: Consumer/Retail purchases
The current challenge is to bring cost-effective solutions to the consumer market. In this scenario, the
sale is closed via credit card (or some alternative currencies, discussed below). While the channel is
generally secured for transmission of data, the customer is generally not required to have a login name or
password. The emphasis is on convenience, quick delivery of goods, and generally at lower cost to the
SecureTax in Georgia, U.S., is an example of a company selling a $10 pay-per-use software rental to
thousands of consumers over the web. Opened in January 1997, their web site offers U.S. citizens tax
calculations for all the federal and state tax forms.
SET: Visa and Mastercard have announced the Secure Electronic Transaction (SET) specification to
enable credit card transactions to be conducted safely across the Internet. SET is designed primarily to
protect the credit card companies from fraud, not the consumer, who will bear no liability beyond the $50
limit of physical credit card transactions. Under SET, merchant and consumer can deal directly with each
other. Credit card numbers, payment information and identification can be securely sealed and delivered.
SET uses public key encryption from RSA Data Security, plus digital certificates so that card holders can
be identified and verified. Microsoft, IBM, GE, Netscape, CyberCash and others have committed to
JEPI: The World Wide Web Consortium (W3C) and CommerceNet formed the Joint Electronic Payments
Initiative (JEPI) to accelerate the development of the ecommerce marketplace through the adoption of
payment system standards. JEPI seeks to build an open standard framework mechanism so that any
browser, server and payment middleware can all negotiate and interact with one another. This will
facilitate the implementation of solutions and help ensure compatibility across payment systems.
Participants include IBM, Microsoft, CyberCash, Open Market, VeriFone and others.
As far as integrating credit card payment with the web, the leading players are VeriFone and First Data
Corporation. VeriFone has been in the credit card authorization market for 20 years and holds an
estimated 75% of the existing U.S., and 65% of the global, retail electronic card swipe terminal payment
systems. They have over 4.7 million systems installed in over 100 countries. FirstData Corporation, the
large electronic payment and transaction processor, is providing solutions for large merchants and
acquirer banks who want to outsource their credit card settlement infrastructure. The First Data network
currently authorizes 85% of all credit card transactions. First Data provides services to over 1.7 million
merchants and over 1400 financial institutions.
VeriFone plans to offer an Internet plug-in for its existing private card processing system. This vPOS
system costs $1500 per license, about double the cost of a physical terminal. First Data plans its own suite
of software products to allow large institutions, such as banks, to link their online ecommerce services to
First Data. Merchants or financial institutions collect customer credit card transactions online, then use
the First Data POS software to transmit the payment directly to First Data through the Internet, which in
turn provides real-time, on-line authorization and settlement. First Data uses RSA encryption and
complies with the SET protocols.
Micro Payments / New Currencies
- DigiCash. This "e-cash" method uses encryption to generate and transmit
data packets that represent actual monetary value and can be passed from
party to party as the digital equivalent of physical currency. Mark Twain
Bank in St. Louis, Missouri, has been supporting e-cash since October 1995.
- First Virtual. This system is based on giving merchants and buyers a PIN
which they use to transact business. The buyer’s credit card number is
stored off the Internet, by a trusted third party. Information transfer and
delivery of payment is handled through e-mail and back office automation.
This system is ideal for merchants selling electronic files. There are over
2000 merchants and 140,000 buyers using this system worldwide.
- CyberCash. The CyberCash wallet software plugs into the buyer's web
browser and contains the buyer's confidential information. The buyer
deposits funds into a debit account, and then draws down on this balance
electronically while purchasing. The secure data goes only to CyberCash,
and not to the merchant. Transactions can be delivered in real-time (15
seconds). Transaction fees are paid by the merchant; the software is free
for the buyer and the merchant.
- SmartCards. These are electronic cards containing an embedded microprocessor. They are reloadable,
tamper resistant, and represent a nonrestricted negotiable value that can be transferred for a variety of
purposes. They can be used off- or on-line. The card can be imprinted with identification information
such as a photo, signature and logo. This provides more security than the current ATM and credit card
system. Estimated growth of the SmartCard industry is from approximately 1 billion units in 1997 to 2
billion in the year 2000.
Three-tier Client-server solutions
In all of these situations, a client application is used to communicate with a
"middleware" application running on an application server, which then
communicates with a database server. While custom clients written in Delphi,
Java and C++ will become increasingly common for scenarios involving repeat
customers, the thin HTML client is likely to persist for some time on the
Consider bandwidth and client operating system in order to determine
which options are viable for your situation.
This paper focuses on scenario (A).
|                      | (A) CGI          | (B) Java                              | (C) Active/X                       | (D) Custom client                         |
| Network              | Public Internet  | Public or Corporate                   | Corporate                          | Corporate                                 |
| Bandwidth            | Wide range       | Wide range                            | Medium to Fast                     | Medium to Fast                            |
| Client O/S           | Any              | Any                                   | Win 95 or NT                       | Win 95 or NT                              |
| Client must download | HTML, multimedia | Java applet to run inside web browser | Active/X to run inside web browser | EXE, multimedia, plus required DLLs, DPLs |
Public Internet Solution
Client: web browser
While there are some situations that warrant writing custom web browsers in Delphi,
you can generally assume that the client-side software will be provided by Netscape or Microsoft.
Middleware: Web Server plus Delphi application
On the Windows NT platform, there are a variety of choices for the middleware. Web servers are
available from Microsoft, Netscape, Purveyor, O’Reilly & Associates, and others. Delphi applications can
be written from scratch or with components provided by third parties.
Back end: SQL database
Because Delphi Client/Server connects to such a wide range of databases, the SQL database choice is wide
open and certainly includes the major players: Oracle, Informix, Sybase, DB2, SQL Server.
Example ECommerce Application
This example shows one way of building your own merchant server using Delphi. It is meant for direct
sales placed by credit card, and uses IC Verify software to authorize the charges. A 1200 baud modem
and a standard telephone line are used. Transactions are settled in real time.
The next section of this presentation will review each of these steps more closely.
- The public web "store" creates the order and posts it to the charging module. The store can run on a
  separate web server machine, anywhere on the Internet.
- The data is posted to the ICV Interface module, a web application running on the charging machine.
  This module takes the surfer's data and posts it to the charge request queue in the local database.
- The charging module wakes up to handle entries in its queue. It validates the card information as far
  as possible, then uses a modem to run the charge and settle the batch with IC Verify's software.
  Depending on bank policies, the cash is in the merchant's bank account anywhere from 8 to 72 hours later.
- The notification module wakes up when a transaction is complete. It sends a message by e-mail to the
  store owner and posts to the history file.
- The remote administration module is used by the store owner to check order status and run reports.
  This module is not open to the public and carries a login procedure.
Complete logging of transactions is required, both to track the actual charges processed and to track
the path customers followed in making their purchases. Tracking customers anonymously, as individuals,
provides essential marketing data. Log the outcome of each charge with a masked card number; the full
card number and expiration date belong only in the request queue, for as long as the charge needs them,
and never in the history file or the web server's access log.
1. Shopping cart accepts an order.
A minimum of four fields must be posted:
unique ID, sale amount, credit card number and expiration date. This information is transmitted over HTTPS (not HTTP) using SSL.
Sample HTML to post data
Hidden fields are used to transfer the data from the
shopping cart web server to the charging server. Note the
use of HTTPS in the FORM ACTION statement. The hidden fields travel through the surfer's
browser, where they can be read and edited, so the charging server must not take
LitOrderTotal on trust: it should recheck the amount against its own record of the order,
or the cart should sign the fields so that any change is detected.
<FORM METHOD=POST ACTION="https://www.href.com/ssl/webhub.exe?ICV:CHARGE">
<INPUT TYPE=HIDDEN NAME="LitOrderTotal" VALUE="50.00">
<INPUT TYPE=HIDDEN NAME="Lastname" VALUE="Lynnworth">
<INPUT TYPE=HIDDEN NAME="CCNum" VALUE="0000000000000000">
<INPUT TYPE=HIDDEN NAME="ExpDate" VALUE="9904">
<INPUT TYPE=SUBMIT VALUE="No Changes -- Purchase Now !" NAME="BtnConfirm">
2. Validate the Transaction
The rules are as follows: All four fields are required, the amount must be positive,
the expiration date must be YYMM, and the credit card number
must pass the checksum test. This last check can be done with the
TWebCreditCard component. Set the CardNumber property to the
value to check; the Accept property then reads True or False. The checksum only catches
mistyped numbers; whether the card is genuine and has credit is decided by the authorization in step 5.
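The four validation rules above, worked as an added example (not the paper's code, and in Python rather than Delphi so that it runs stand-alone; luhn_ok performs the same mod-10 test that TWebCreditCard's Accept property reports). Field names follow the sample form; OrderID, the Sig field and the shared secret are assumptions added here to carry the unique ID the paper requires and to let the charging server detect a hidden field edited in the browser:

```python
import hashlib
import hmac
import re
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Field names from the paper's sample FORM. "OrderID" and "Sig" are assumptions:
# the paper lists a unique ID among the required fields but the sample form
# shows none, and the signature is an integrity check added in this example.
REQUIRED_FIELDS = ("OrderID", "LitOrderTotal", "CCNum", "ExpDate")


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum, the test behind TWebCreditCard's Accept property.
    It catches mistyped digits only: 0000000000000000, the placeholder in
    the sample form, passes, so passing says nothing about the card itself."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 13 <= len(cleaned) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def expiry_ok(exp: str, today_yymm: Optional[str] = None) -> bool:
    """Paper's rule: four digits, YYMM, with a real month. The optional
    not-yet-expired test is added here; it compares YYMM strings, which only
    works while both dates fall in the same century."""
    if not re.fullmatch(r"\d\d(0[1-9]|1[0-2])", exp):
        return False
    return today_yymm is None or exp >= today_yymm


def amount_ok(text: str) -> bool:
    """Positive, at most two decimal places; rejects signs, exponents and
    other forms Decimal() would otherwise happily parse."""
    return re.fullmatch(r"\d+(\.\d{1,2})?", text) is not None and Decimal(text) > 0


def sign_order(order_id: str, amount: str, secret: bytes) -> str:
    """Added check: the cart signs the fields that must not change on the way
    through the surfer's browser (hidden fields are editable there)."""
    return hmac.new(secret, f"{order_id}|{amount}".encode(), hashlib.sha256).hexdigest()


def validate_order(form: Dict[str, str], secret: Optional[bytes] = None,
                   today_yymm: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the paper's rules to one posted form.

    Returns (accepted, reason). A rejection is prefixed with the result code
    the charging server later reports to the store, 'Insufficient Data' or
    'InvalidCard'; Approved and Denied can only come from the bank. Filing a
    non-positive amount under 'Insufficient Data' is this example's choice."""
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        return False, "Insufficient Data: missing " + ", ".join(missing)
    order_id, amount = form["OrderID"].strip(), form["LitOrderTotal"].strip()
    if not amount_ok(amount):
        return False, "Insufficient Data: amount must be positive"
    if secret is not None and not hmac.compare_digest(
            sign_order(order_id, amount, secret).encode(), form.get("Sig", "").encode()):
        return False, "Insufficient Data: order signature mismatch"
    if not expiry_ok(form["ExpDate"].strip(), today_yymm):
        return False, "InvalidCard: expiration date must be YYMM"
    if not luhn_ok(form["CCNum"]):
        return False, "InvalidCard: checksum failed"
    return True, "OK"


# Constructed sample post mirroring the paper's hidden fields (secret assumed).
SECRET = b"shared-by-cart-and-charging-server"
SAMPLE_FORM = {
    "OrderID": "A1001",
    "LitOrderTotal": "50.00",
    "Lastname": "Lynnworth",
    "CCNum": "4111111111111111",      # well-known Luhn-valid test number
    "ExpDate": "9904",
}
SAMPLE_FORM["Sig"] = sign_order("A1001", "50.00", SECRET)

if __name__ == "__main__":
    print(validate_order(SAMPLE_FORM, SECRET, today_yymm="9703"))   # (True, 'OK')
    edited = dict(SAMPLE_FORM, LitOrderTotal="0.01")                 # changed in the browser
    print(validate_order(edited, SECRET, today_yymm="9703"))         # signature mismatch
```

The signature check runs before the card checks so that a form edited in the browser is thrown out without ever touching the card number; the charging server and the shopping cart server must share the secret, which is exactly the kind of out-of-band relationship the paper's two-machine layout already assumes.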
3. Order is posted to a database.
If the data passes validation, it is posted to the request
4. Delphi to IC Verify (Request File)
IC Verify runs as a simple DOS program which accepts command
Write the Request File
The request file can include multiple requests for high volume
with TStringList.create do try
Delphi to IC Verify (Shell)
Once the request file is ready, we shell out to DOS,
passing in certain values on the command line (merchant code,
data filename, etc.)
with TWindowsShell.Create(Self) do try
The CheckFile routine interprets the response file which
IC Verify creates upon completion of a transaction.
5A. Running the Charge
While the charge is running, the surfer is sent an informational
It is necessary to give the surfer a quick response,
regardless of how long the charging phone call takes. While
the call typically takes less than 5 seconds, during peak times it can go slower.
Therefore a quick response page is provided immediately. When that page is generated, the approval status is not yet known.
To make things as convenient as possible, the web application
provides a link which, when clicked, either takes the surfer to a
"not yet" page, or to the actual approved/denied
The state of the surfer's transaction is maintained on
the server. It is not sent over insecure lines or made dependent on
cookies. Instead a numbering technique is used to
assign each surfer a unique Session ID, to which his or her data
is associated. This Session ID is visible in the URL:
The components within the web application must restore state for
surfer 392032 when he or she returns, and then respond accordingly.
The surfer may inquire about the transaction status at any time, using
the encoded link. The Session ID is the only thing that link carries, so it must not be
guessable: if the numbers are handed out in sequence, anyone can step through other surfers'
results. Use a long random value, or at least make sure the status page discloses nothing
beyond the bare result.
If the transaction is complete, the web application will "bounce"
the surfer to a URL on the original shopping cart web server machine, to
indicate the result: Approved, Denied,
InvalidCard, or Insufficient Data.
This final page can be served quickly by the insecure HTTP protocol on
the shopping cart web server.
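The queue, Session ID and status link described in this section and in the module list above, as an added example in Python (not the paper's Delphi code). ChargeQueue stands in for the ICV Interface and charging modules; fake_icverify is a constructed stand-in for the IC Verify request-file, shell-out and response-file cycle; the Session ID is a random token rather than the paper's numbering technique so that it cannot be guessed from the URL; and the history record keeps only a masked card number, which is this example's choice:

```python
import secrets
import threading
from collections import deque
from typing import Callable, Deque, Dict, List, Optional
from urllib.parse import urlencode

PENDING = "not yet"
RESULTS = ("Approved", "Denied", "InvalidCard", "Insufficient Data")


def mask_pan(ccnum: str) -> str:
    """Keep only the last four digits; the history file never gets the full number."""
    digits = "".join(c for c in ccnum if c.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


class ChargeQueue:
    """Server-side transaction state keyed by Session ID (ICV Interface + charging module)."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._state: Dict[str, Dict] = {}
        self._queue: Deque[str] = deque()
        self._history: List[Dict[str, str]] = []

    def submit(self, order: Dict[str, str]) -> str:
        """Record the request and return the Session ID for the surfer's status link.
        Returns at once, so the quick response page never waits on the modem.
        A random token replaces a running number so the ID cannot be guessed (assumption)."""
        session_id = secrets.token_urlsafe(12)
        with self._lock:
            self._state[session_id] = {"order": dict(order), "result": None}
            self._queue.append(session_id)
        return session_id

    def status(self, session_id: str) -> str:
        """What the status link shows: 'not yet' until the charge has run."""
        with self._lock:
            entry = self._state.get(session_id)
        if entry is None:
            return "Unknown Session"      # forged or expired ID: disclose nothing else
        return entry["result"] or PENDING

    def run_charging_module(self, authorize: Callable[[Dict[str, str]], str]) -> int:
        """Drain the queue through `authorize` (the modem call in the paper) and
        record results. The lock is released while the slow call runs so that
        submit() and status() keep answering. Returns the number processed."""
        done = 0
        while True:
            with self._lock:
                if not self._queue:
                    return done
                session_id = self._queue.popleft()
                order = self._state[session_id]["order"]
            result = authorize(order)
            if result not in RESULTS:
                raise ValueError(f"authorizer returned unknown result {result!r}")
            with self._lock:
                self._state[session_id]["result"] = result
                self._history.append({"OrderID": order.get("OrderID", ""),
                                      "LitOrderTotal": order.get("LitOrderTotal", ""),
                                      "CCNum": mask_pan(order.get("CCNum", "")),
                                      "Result": result})
            done += 1

    def history(self) -> List[Dict[str, str]]:
        """What the notification module posts to the history file."""
        with self._lock:
            return list(self._history)

    def bounce_url(self, store_result_url: str, session_id: str) -> Optional[str]:
        """Once a result exists, the link back to the shopping cart server; it
        carries only the result, so plain HTTP on the store side is fine."""
        result = self.status(session_id)
        if result not in RESULTS:
            return None
        return store_result_url + "?" + urlencode({"result": result})


def fake_icverify(order: Dict[str, str]) -> str:
    """Constructed stand-in for the IC Verify request-file/shell/response cycle."""
    return "Approved" if float(order["LitOrderTotal"]) < 1000 else "Denied"


if __name__ == "__main__":
    q = ChargeQueue()
    sid = q.submit({"OrderID": "A1001", "LitOrderTotal": "50.00",
                    "CCNum": "4111111111111111", "ExpDate": "9904"})   # constructed
    print(q.status(sid))                                               # not yet
    q.run_charging_module(fake_icverify)
    print(q.status(sid), q.bounce_url("http://store.example/result", sid))
```

In the paper the charging module is a separate process polling the database; here it is a method so the whole cycle runs in one script, but the ordering is the same: the surfer gets a Session ID immediately, status() answers "not yet" until the charge has run, and only then does bounce_url() produce the link back to the store.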
Store Owner Notification
After an order is taken, the store owner is notified about the sale by e-mail or fax. Packing lists and invoices can be printed; orders can be faxed to third party vendors for direct shipment.
SSL: Between the client and the server
Transmission of data between the web browser (client) and the web server is made secure by running
HTTP over SSL (HTTPS). Netscape and Microsoft web browsers support this
automatically. Web server owners need to obtain the appropriate version of their server software as well
as a digital certificate proving their identity in order to support this protocol. Rules vary inside vs outside
Digital certificates for the web/merchant server
VeriSign is the major provider of digital certificates in the U.S. Certificates cost $290 per year, and are
valid only for a single web server and domain name.
The Alibaba web server offers the possibility of creating your own certificates for testing purposes.
Browsers warn about a certificate that was not issued by an authority they recognize, so such certificates
are for testing, not for taking orders.
FTP site control, Email attachments, unlock codes.
For merchants selling electronic files, the risk on ecommerce is low and the benefits are high. There are
various methods available for ensuring that only paying customers receive files. These include dynamic
management of FTP and HTTP download sites, direct transmission of files using HTTP and e-mail, and
distribution of unlock codes which are applied to publicly available files.
Fax/email/post order to warehouse.
The situation is slightly more complicated for businesses selling hard goods. Credit cards may not be
charged more than 24 hours in advance of shipment. The shipping warehouse may need to sign off on
shipment before the card can actually be charged. The ecommerce application would transmit the order to
the shipping center, accept data about the shipment status, and then complete the transaction. Details
would of course vary depending on the existing information systems in use by the companies involved.
Pay per use or per hour.
An upcoming trend is toward software rental instead of outright licensing. Applications for tax filing to
astrology chart generation are being web-enabled and charged for over the web.
Subscriptions to content on the web, and in e-mail, are becoming increasingly popular, again because of
the low-risk involved in electronic products. Electronic inventory simply doesn’t carry the same cost as
Growth of the Web
New technologies for home users will bring higher bandwidth and thus better features to consumers.
ISDN, cable modems, satellite delivery, ADSL and local modem dial-up stations will compete for the
estimated 70 million additional web users by the year 2000.
In July 1996, the total number of published web pages was over 44 million. That is projected to exceed 1
billion by the year 2000. Advertising on the web was in excess of $70 million in 1996 and is expected to
exceed $2 billion by 2000.
Sites enabling commerce
Clearly the close to 1 million “under construction” web sites are going to mature and start offering sales
over the web. This is an exceptionally exciting time, as we all shape the face of the systems which we will
live with for the next decade.