-Macros

mcImageDir=

-Chunk:chPageHeader

Web-Based Electronic Commerce: %=PageDesc=% %=sequenceButtons=%

-Chunk:chPageFooter


%=sequenceButtons=%
Copyright (c) 1997 HREF Tools Corp. All Rights Reserved.
Permission granted to Borland for use at the 1997 Borland Developer's Conference.
.

-Page:homepage=,439.htm,,Background

Building a Web-Based Electronic Commerce Application with Delphi

by Ann Lynnworth, co-founder, HREF Tools Corp.

Background

ECommerce, Before the Web

The first attempts at electronic commerce, called Electronic Data Interchange (EDI), were strictly for established relationships between large companies. Traditional EDI occurs over secure, independent value-added networks or direct dedicated links that connect customers to suppliers. EDI provides not only the physical connection between businesses, but management, translation and messaging services as well. Today, there are over 57,000 EDI-enabled businesses conducting electronic transactions. EDI, due primarily to the high communications costs involved, works well only for large-scale relationships and has therefore been quite limited.

ECommerce, 1995-1997

By substituting the Internet for the private Value Added Network (VAN), costs can be reduced anywhere from 70% to 90%, according to PaineWebber research. The same solutions that EDI has provided can be extended even to single-user customers in a cost effective way.

The reason that ecommerce is expected to take off so rapidly in the late 90s is that most companies already have existing systems which can be "web-enabled" with minimal re-writing.

What the Key Players are Offering

The database vendors fall into two camps in their approach to the market. IBM, Oracle and Microsoft have tightly integrated products, while Sybase and Informix are taking a best-of-breed partnership approach. While multi-vendor solutions can be expensive and difficult, they do offer the advantage of far greater flexibility.

An estimated 70% of corporate data resides on IBM mainframes and other mostly proprietary IBM hardware. This leaves IBM uniquely positioned to play a key role in corporations' entrance into electronic commerce on the web. IBM's strategy is a complete end-to-end solution using both IBM hardware and software. It offers its own web and merchant servers, tied to its DB2 relational database.

Oracle holds approximately 65% of the Fortune 500 client-server relational database market. Like IBM, Oracle offers a tightly integrated, software-only solution to its customers. Its proprietary web and merchant servers link to Oracle's Universal Server for real-time transactions and dynamic applications.

Microsoft is meanwhile pulling customers toward the combination of Windows NT, its Internet Information Server (IIS), and SQL Server 6.5. Looking ahead to the year 2000, the Gartner Group projects Windows NT to be the operating system with the largest growth and a market share that is double that of Unix in terms of dollars.

Informix is highlighting the use of "multimedia" data types such as video, audio, spatial data and HTML as it seeks to bring the Informix Universal Server to market. Informix has partnered with Netscape, Gemplus and Hewlett-Packard.

Sybase is third in market share in the RDBMS market (behind Oracle and Informix), and has thus far partnered with Netscape for a web server offering.

Where Delphi Fits In

With Delphi Client-Server, and the link to the AS400, middleware applications are the perfect bridge between the Internet and all these existing database backends. With Windows NT gaining in momentum, the advantages of Delphi will continue to give its users a large competitive advantage.

Using the Web to Make Money

The three ways that sites are earning money over the web today are advertising, subscriptions and the transactional model. The advertising model derives revenue from the sale of viewable Web page space in the form of banners, similar to ads placed in newspapers and magazines. The subscription model charges users for access to the Web site content itself, just as magazines and newspapers charge a purchase price. Transactional sites derive revenue from the sale of goods through a Web-based front end, such as an online catalog.

Using the Web to Save Money

The less obvious side of "capitalizing" on the Web is to use it to save money by offering customer service options over the web, directly to customers. Technical support and order tracking are two of the most common operations to be converted from human telephone-based services to online web-based systems. Even small companies and organizations can afford to have 24-hour information available to prospective customers and members.

ECommerce, Looking Ahead

The room for growth in electronic transaction processing is enormous. Direct contact payments in the U.S. at the point of sale totaled in excess of $3.6 trillion in 1995, only 20% of which was conducted with credit or debit cards. According to First Data Corporation, a leading transaction processor, only 3% of the $460 billion supermarket industry is transacted with credit or debit cards. Only 1% of the $300 billion professional services industry is transacted electronically. Less than 12% of the gasoline and service station business is electronic, and less than 1% of the fast food restaurants have point-of-sale payment readers. Thus anywhere from 88% to 99% of transactions in those markets remain for conversion.

PaineWebber estimates the value of goods and services sold on the Web to be in excess of $6.5 billion by the year 2000, and $1 trillion by 2010. "Much of the required infrastructure is already in place, and currently much more is being built. We believe a robust, online retailing environment could quickly become commonplace reality as early as year-end 1997."

-Page:a=,439a.htm,,Different Models

Different Models of Electronic Commerce

Business to Business

This model is marked by multiple transactions from the same customer to the same vendor. Without repeat business, there is no incentive to provide expensive, customized client-side solutions. There has to be a certain threshold of business activity between two firms before automation pays off. On the high-volume side, trillions of dollars flow through the world's existing banking infrastructure every day. On the consumer side, utility companies, magazine publishers, insurance carriers and other businesses that require monthly payments are putting automatic payment mechanisms in place. The key here is repeat business from a customer, in a predictable fashion.

In this scenario, shipment of goods is generally triggered by a “promise” to pay, in the form of a purchase order or signing of a monthly contract. In some cases, credit cards are used to “guarantee” payment.

The communication channel may be a private line, or a highly secured TCP/IP channel. Users can be expected to "authenticate" themselves by providing a username and password, and possibly a digital certificate.

CashLink in Auckland, New Zealand is one of many companies who are developing business-to-business solutions using the Internet as the network, a web browser as the client, and a relational database as the backend.

Direct: Consumer/Retail purchases

The current challenge is to bring cost-effective solutions to the consumer market. In this scenario, the sale is closed via credit card (or some alternative currencies, discussed below). While the channel is generally secured for transmission of data, the customer is generally not required to have a login name or password. The emphasis is on convenience, quick delivery of goods, and generally at lower cost to the customer.

SecureTax in Georgia, U.S., is an example of a company selling a $10 pay-per-use software rental to thousands of consumers over the web. Opened in January 1997, their web site offers U.S. citizens tax calculations for all the federal and state tax forms.

Payment Methods

Credit Cards

SET: Visa and Mastercard have announced the Secure Electronic Transaction (SET) specification to enable credit card transactions to be conducted safely across the Internet. SET is designed primarily to protect the credit card companies from fraud, not the consumer, who will bear no liability beyond the $50 limit of physical credit card transactions. Under SET, merchant and consumer can deal directly with each other. Credit card numbers, payment information and identification can be securely sealed and delivered. SET uses public key encryption from RSA Data Security, plus digital certificates so that card holders can be identified and verified. Microsoft, IBM, GE, Netscape, CyberCash and others have committed to support SET.

JEPI: The World Wide Web Consortium (W3C) and CommerceNet formed the Joint Electronic Payments Initiative (JEPI) to accelerate the development of the ecommerce marketplace through the adoption of payment system standards. JEPI seeks to build an open standard framework mechanism so that any browser, server and payment middleware can all negotiate and interact with one another. This will facilitate the implementation of solutions and help ensure compatibility across payment systems. Participants include IBM, Microsoft, CyberCash, Open Market, VeriFone and others.

As far as integrating credit card payment with the web, the leading players are VeriFone and First Data Corporation. VeriFone has been in the credit card authorization market for 20 years and holds an estimated 75% of the U.S. and 65% of the global retail electronic card-swipe terminal payment systems. They have over 4.7 million systems installed in over 100 countries. First Data Corporation, the large electronic payment and transaction processor, is providing solutions for large merchants and acquirer banks who want to outsource their credit card settlement infrastructure. The First Data network currently authenticates 85% of all credit card transactions. First Data provides services to over 1.7 million merchants and over 1400 financial institutions.

VeriFone plans to offer an Internet plug-in for its existing private card processing system. This vPOS system costs $1500 per license, about double the cost of a physical terminal. FirstData plans its own suite of software products to allow large institutions, such as banks, to link their online ecommerce services to First Data. Merchants or financial institutions collect customer credit card transactions online, then use the First Data POS software to transmit the payment directly to First Data through the Internet, which in turn provides real-time, on-line authorization and settlement. First Data uses RSA encryption and complies with the SET protocols.

Micro Payments / New Currencies

-Page:b=,439b.htm,,Three-tier Client-server Solutions

Three-tier Client-server solutions

In all of these situations, a client application is used to communicate with a "middleware" application running on an application server, which then communicates with a database server. While custom clients written in Delphi, Java and C++ will become increasingly common for scenarios involving repeat customers, the thin HTML client is likely to persist for some time on the public Internet.

Consider bandwidth and client operating system in order to determine which options are viable for your situation.

This paper focuses on scenario (A).

                      (A) CGI                     (B) Java                     (C) Active/X                 (D) Custom client
Network               Public Internet             Public or Corporate          Corporate                    Corporate
Bandwidth             Wide range                  Wide range                   Medium to Fast               Medium to Fast
Client O/S            Any                         Any                          Win 95 or NT                 Win 95 or NT
Client must download  HTML, multimedia            Java applet to run inside    Active/X to run inside       EXE, multimedia, plus
                                                  web browser                  web browser                  required DLLs, DPLs
Language              Delphi 2/3, C++, Perl,      Java                         Delphi 3, VB, C++            Java, Delphi 2/3, VB or C++
                      JavaScript

-Page:c=,439c.htm,,Public Internet Solution

Public Internet Solution

Client: web browser

While there are some situations that warrant writing custom web browsers in Delphi, you can generally assume that the client-side software will be provided by Netscape or Microsoft.

Middleware: Web Server plus Delphi application

On the Windows NT platform, there are a variety of choices for the middleware. Web servers are available from Microsoft, Netscape, Purveyor, O’Reilly & Associates, and others. Delphi applications can be written from scratch or with components provided by third parties.

Back end: SQL database

Because Delphi Client/Server connects to such a wide range of databases, the SQL database choice is wide open and certainly includes the major players: Oracle, Informix, Sybase, DB2, SQL Server.

-Page:d=,439d.htm,,Example Application

Example ECommerce Application

This example shows one way of building your own merchant server using Delphi. It is meant for direct sales placed by credit card, and uses IC Verify software to authorize the charges. A 1200 baud modem and a standard telephone line are used. Transactions are settled in real time.

Overall Organization

The next section of this presentation will review each of these steps more closely.

-Page:e=,439e.htm,,Shopping Cart

1. Shopping cart accepts an order.

A minimum of four fields must be posted: unique ID, sale amount, credit card number and expiration date. This information is transmitted over HTTPS (not HTTP) using SSL.

Sample HTML to post data

Hidden fields are used to transfer the data from the shopping cart web server to the charging server. Note the use of HTTPS in the FORM ACTION statement.

<FORM METHOD=POST ACTION="https://www.href.com/ssl/webhub.exe?ICV:CHARGE">
<INPUT TYPE=HIDDEN NAME="LitOrderTotal" VALUE="50.00">
<INPUT TYPE=HIDDEN NAME="Lastname" VALUE="Lynnworth">
<INPUT TYPE=HIDDEN NAME="CCNum" VALUE="0000000000000000">
<INPUT TYPE=HIDDEN NAME="ExpDate" VALUE="9904">
<INPUT TYPE=SUBMIT VALUE="No Changes -- Purchase Now !" NAME="BtnConfirm">
</FORM>

-Page:e1=,439e1.htm,,Validate the Transaction

2. %=PageDesc=%

The rules are as follows: all four fields are required, the amount must be positive, the expiration date must be in YYMM form, and the credit card number must pass the checksum test. This last check can be done with the TWebCreditCard component: set the CardNumber property to the value to check, and the Accept property then reports True or False.
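The four validation rules applied to the sample FORM fields above, as an added example in Python rather than the paper's Delphi component (the field names come from the sample form; the Luhn mod-10 routine is a stand-in for what TWebCreditCard.Accept computes, and the test card number is a constructed value):

```python
from decimal import Decimal, InvalidOperation
from typing import Tuple
from urllib.parse import parse_qs

# Field names as they appear in the sample FORM on this page.
REQUIRED_FIELDS = ("LitOrderTotal", "Lastname", "CCNum", "ExpDate")


def luhn_ok(card_number: str) -> bool:
    """Mod-10 (Luhn) checksum: the 'checksum test' of step 2."""
    if not card_number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(card_number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_order(posted_body: str) -> Tuple[bool, str]:
    """Apply step 2's rules to a raw application/x-www-form-urlencoded body.

    Returns (accepted, reason). Blank values count as missing, because
    parse_qs drops them by default.
    """
    fields = {k: v[0].strip() for k, v in parse_qs(posted_body).items()}
    for name in REQUIRED_FIELDS:
        if not fields.get(name):
            return False, f"missing field {name}"
    try:
        amount = Decimal(fields["LitOrderTotal"])
    except InvalidOperation:
        return False, "amount is not a number"
    if amount <= 0:
        return False, "amount must be positive"
    exp = fields["ExpDate"]            # YYMM, e.g. 9904 for April 1999
    if not (len(exp) == 4 and exp.isdigit() and 1 <= int(exp[2:]) <= 12):
        return False, "expiration date must be YYMM"
    if not luhn_ok(fields["CCNum"]):
        return False, "card number fails checksum"
    return True, "ok"
```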

-Page:f=,439f.htm,,Post the Transaction

3. Order is posted to a database.

If the data passes validation, it is posted to the request queue database.

-Page:g2=,439g2.htm,,Delphi to IC Verify (Request File)

4A. %=PageDesc=%

IC Verify runs as a simple DOS program which accepts command line input.

Write the Request File

The request file can include multiple requests for high volume stores.

function TWebVerify.quotedField(value:string):string;
begin
  // Wrap one field in double quotes for the comma-separated request line.
  result:='"'+value+'"';
end;

procedure TWebVerify.WriteRequestFile;
begin
  // One request line: transaction type, clerk, comment, card number,
  // expiration date, amount and reference info, each quoted and comma-separated.
  with TStringList.create do try
    text:=quotedField(transactionType)+','
             +quotedField(fClerk)+','
             +quotedField(Comment)+','
             +quotedField(fCardNo)+','
             +quotedField(ExpirationDate)+','
             +quotedField(Amount)+','
             +quotedField(fReferenceInfo);
    saveToFile(DataDir+cRequestFile);   // written where IC Verify will pick it up
  finally
    free;
  end;
end;

-Page:g3=,439g3.htm,,Delphi to IC Verify (Shell)

4B. %=PageDesc=%

Once the request file is ready, we shell out to DOS, passing certain values on the command line (merchant code, data filename, etc.).

procedure TWebVerify.DoExecute;
begin
  fApproval:='';
  fICVText:='';
  //
  writeRequestFile;
  //
  with TWindowsShell.Create(Self) do try
    Flags:=[shlWaitTillDone];     // block until IC Verify has exited
    Command:=CmdDir+CmdCharge;
    Parameters:=getParamstring;   // merchant code, data filename, etc.
    execute;
  finally
    free;
  end;
  CheckFile(false);   // read the response file IC Verify wrote
  DoExecDone;
end;

The CheckFile routine interprets the response file which IC Verify creates upon completion of a transaction.

-Page:g=,439g.htm,,Run the Charge

5A. Running the Charge

While the charge is running, the surfer is sent an informational message.

-Page:h2=,439h2.htm,,Saving State

5B. %=PageDesc=%

It is necessary to give the surfer a quick response, regardless of how long the charging phone call takes. While the call typically takes less than 5 seconds, during peak times it can go slower.

Therefore a quick response page is provided immediately. When that page is generated, the approval status is not yet known.

To make things as convenient as possible, the web application provides a link which, when clicked, either takes the surfer to a "not yet" page, or to the actual approved/denied page.

The state of the surfer's transaction is maintained on the server. It is not sent over insecure lines or dependent on cookies. Instead a numbering technique is used to assign each surfer a unique Session ID, to which his or her data is associated. This Session ID is visible in the URL:

http://www.href.com/ssl/webhub.exe?ICV:CCSTATUS:392032

The components within the web application must restore state for surfer 392032 when he or she returns, and then respond accordingly.

-Page:h=,439h.htm,,Surfer Inquiry

6. %=PageDesc=%

The surfer may inquire about the transaction status at any time, using the encoded link.

If the transaction is complete, the web application will "bounce" the surfer to a URL on the original shopping cart web server machine, to indicate the result: Approved, Denied, InvalidCard, or Insufficient Data.

This final page can be served quickly by the insecure HTTP protocol on the shopping cart web server.
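Steps 5B and 6 together, as an added example (not code from the paper): server-side state keyed by Session ID, a "not yet" answer while the charge call is still running, and a bounce to the shopping cart server with one of the four results once it is done. The page's numeric IDs (392032) are assigned in sequence; this example substitutes an unguessable random token so that one surfer cannot reach another's status page, and the cart result URL format is an assumption.

```python
import secrets
from enum import Enum
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


class Outcome(Enum):
    """The four results step 6 reports back to the shopping cart server."""
    APPROVED = "Approved"
    DENIED = "Denied"
    INVALID_CARD = "InvalidCard"
    INSUFFICIENT_DATA = "Insufficient Data"


class TransactionStatusStore:
    """Holds each surfer's transaction state on the server (step 5B)."""

    def __init__(self, cart_result_url: str) -> None:
        self._pending: Dict[str, dict] = {}      # session id -> order fields
        self._results: Dict[str, Outcome] = {}   # session id -> final outcome
        self._cart_result_url = cart_result_url  # assumed bounce target

    def open_session(self, order: dict) -> str:
        """Assign a Session ID when the quick response page is generated."""
        # Assumption: random token instead of the page's sequential number,
        # so the ID in the URL cannot be predicted by a third party.
        sid = secrets.token_urlsafe(16)
        # The card number is needed only for the charge itself; the status
        # store keeps the rest of the order so lookups never expose it.
        self._pending[sid] = {k: v for k, v in order.items() if k != "CCNum"}
        return sid

    def record_result(self, sid: str, outcome: Outcome) -> None:
        """Called when CheckFile has interpreted IC Verify's response."""
        if sid not in self._pending:
            raise KeyError("unknown session")
        self._results[sid] = outcome

    def inquire(self, sid: str) -> Tuple[str, Optional[str]]:
        """Surfer inquiry (step 6): ('unknown' | 'not yet' | 'done', bounce URL)."""
        if sid not in self._pending:
            return "unknown", None
        outcome = self._results.get(sid)
        if outcome is None:
            return "not yet", None          # charging phone call still running
        query = urlencode({"result": outcome.value})
        return "done", f"{self._cart_result_url}?{query}"
```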

-Page:i=,439i.htm,,Store Owner Notification

7. %=PageDesc=%

After an order is taken, the store owner is notified about the sale by e-mail or fax. Packing lists and invoices can be printed; orders can be faxed to third party vendors for direct shipment.



-Page:j=,439j.htm,,Security

Security issues

SSL: Between the client and the server

Transmission of data between the web browser (client) and the web server is made secure by use of HTTP over SSL (HTTPS). Netscape and Microsoft web browsers support this automatically. Web server owners need to obtain the appropriate version of their server software as well as a digital certificate proving their identity in order to support this protocol. Rules vary inside vs. outside the U.S.

Digital certificates for the web/merchant server

VeriSign is the major provider of digital certificates in the U.S. Certificates cost $290 per year, and work only on a single web server and domain name.

The Alibaba web server offers the possibility of creating your own certificates for testing purposes.

-Page:k=,439k.htm,,Product Delivery

Product delivery

Electronic products

FTP site control, Email attachments, unlock codes.

For merchants selling electronic files, the risk in ecommerce is low and the benefits are high. There are various methods available for ensuring that only paying customers receive files. These include dynamic management of FTP and HTTP download sites, direct transmission of files using HTTP and e-mail, and distribution of unlock codes which are applied to publicly available files.

Hard goods

Fax/email/post order to warehouse.

The situation is slightly more complicated for businesses selling hard goods. Credit cards may not be charged more than 24 hours in advance of shipment. The shipping warehouse may need to sign off on shipment before the card can actually be charged. The ecommerce application would transmit the order to the shipping center, accept data about the shipment status, and then complete the transaction. Details would of course vary depending on the existing information systems in use by the companies involved.

Software rental

Pay per use or per hour.

An upcoming trend is toward software rental instead of outright licensing. Applications from tax filing to astrology chart generation are being web-enabled and charged for over the web.

Subscriptions

Subscriptions to content on the web, and in e-mail, are becoming increasingly popular, again because of the low-risk involved in electronic products. Electronic inventory simply doesn’t carry the same cost as physical inventory.

-Page:L=,439L.htm,,Different Models

Growth of the Web

Users/consumers

New technologies for home users will bring higher bandwidth and thus better features to consumers. ISDN, cable modems, satellite delivery, ADSL and local modem dial-up stations will compete for the estimated 70 million additional web users by the year 2000.

Companies/domains/providers

In July 1996, the total number of published web pages was over 44 million. That is projected to exceed 1 billion by the year 2000. Advertising on the web was in excess of $70 million in 1996 and is expected to exceed $2 billion by 2000.

Sites enabling commerce

Clearly the close to 1 million “under construction” web sites are going to mature and start offering sales over the web. This is an exceptionally exciting time, as we all shape the face of the systems which we will live with for the next decade.