

Yasmin
07-27-2009, 11:12 AM
Trusted Environment for E-Commerce in Malaysia: An Overview



Zeti Zuryani Mohd Zakuan

Rizauddin Saian

Universiti Teknologi MARA Perlis,

02600 Arau, Perlis, Malaysia.



zeti@perlis.uitm.edu.my

rizauddin@perlis.uitm.edu.my





Abstract

Studies conducted in e-commerce identify security as one of its major concerns. The trust element is found to be crucial in ensuring a secure environment for e-commerce. Thus, security technology needs to be utilised in order to promote such a secure environment. In Malaysia, the government has introduced a Public Key Infrastructure (PKI) scheme, one of the latest security technologies, in order to tackle the problem. In order to facilitate the implementation of PKI, the government has enacted the Digital Signature Act 1997. Apart from this, the government has also recently enacted the Electronic Commerce Act 2006 to cater for the development of e-commerce in Malaysia. This paper will provide a general view of the security technologies adopted and the law available in providing a trusted environment for e-commerce in Malaysia.

Keywords: E-commerce, Information Security, Public Key Infrastructure, Digital Signature.

1 INTRODUCTION


The Internet boom of the nineties triggered the adoption of e-commerce in Malaysia. Nevertheless, it is still in its infancy even now. Studies conducted in e-commerce identify security as one of the reasons why Malaysians shy away from e-commerce. E-commerce requires payment to be made electronically, and the main form of settling transactions across the internet is primarily the use of credit cards.[1] The trust element is found to be crucial in ensuring a secure environment for e-commerce. Most cardholders said that credit card fraud is one of the reasons they avoid the service. Thus, security technology needs to be utilised in order to promote such a secure environment. In Malaysia, the government has introduced a Public Key Infrastructure (PKI) scheme, one of the latest security technologies, in order to tackle the problem. In order to facilitate the implementation of PKI, the government has enacted the Digital Signature Act 1997. Apart from this, the government has also recently enacted the Electronic Transaction Act 2006 to cater for the development of e-commerce in Malaysia. This paper will examine the security technologies adopted and the law available in providing a trusted environment for e-commerce in Malaysia.

1.1 E-commerce in Malaysia


In Malaysia, e-commerce emerged with the establishment of the Multimedia Super Corridor (MSC). The MSC was formed from the ideas put forward by the previous Prime Minister of Malaysia,[2] Tun Dr. Mahathir Mohamad, in 1996. The objective of this exercise was to transform the Malaysian economy from one founded on agriculture and manufacturing to a knowledge-based economy. In general, it aimed to generate an electronic environment[3] so that the community as a whole could infuse these electronic facilities into their daily lives.

E-commerce is defined by the Malaysian E-commerce Committee as a “business transaction that is performed through a computer network either publicly or personally; it is a business, government, and user interaction with the objective of obtaining information, carrying out commerce, acquiring goods, performing purchases, and delivering goods and services”.[4] E-commerce has undoubtedly changed the concept of traditional trade and commerce, based on the notion of face-to-face interaction, to that of a faceless one. It has also become an arena for buyers and sellers to exchange information, goods and services without the associated limitations of temporal and geographical boundaries. From the commercial aspect, e-commerce was introduced to give users as well as merchants the opportunity to accomplish more effective business transactions. On the one hand, vendors can afford a more efficient service, encourage business growth and reduce costs.[5] On the other hand, e-commerce can give users more choice in terms of price and the quality of goods.

From time to time, the Malaysian government continues to emphasise the development of e-commerce. In order to achieve a more favourable outcome, the government has set aside RM12.9 billion under the Ninth Malaysia Plan (2006-2010) for endeavours based on ICT. However, despite active promotional drives by the government to persuade users to use the Internet as a medium of trade, e-commerce is still not well received by the Malaysian public. It cannot be denied that the acceptance of e-commerce is, in actual fact, increasing year by year; however, this increase is not as hoped. It has been suggested that this is caused by several issues seen as barriers to e-commerce acceptance by Malaysian citizens. The findings of research performed by Norhayati Abd. Mukti[6] were in line with this view. The research was carried out on more than 50 businesses in the Klang Valley in Malaysia and revealed that 70% of respondents believed that security is the most important barrier to e-commerce. According to Norhayati Abd. Mukti, security would be one of the main barriers since users are fairly sceptical about the safety of electronic data transmission. E-commerce transactions require the user to expose sensitive information such as credit card details to the merchant electronically. Only users with a high level of confidence in the system would use e-commerce, while users who are not confident in the safety of the information transmitted electronically would deliberately refrain from using this service.

Research conducted overseas shows that issues relating to finance, contracts, security and privacy are among the barriers to e-commerce adoption. In 1996, Cockburn & Wilson[7] reported that the most crucial problem facing the expansion of e-commerce is security. Cronin[8] in 1995 believed that privacy issues such as security, censorship and eavesdropping would discourage efforts to ensure data security. Wheeler[9] in 1997 discussed internet security and privacy as a hindrance to the adoption of e-commerce. Thus, it is clear that security is one of the major problems in the adoption of e-commerce by consumers.

2 SECURITY MEASURES ADOPTED IN E- COMMERCE TRANSACTION


In ensuring the security of using the credit card in a payment system for conducting e-commerce, several security steps have been taken by the card issuing companies as well as the merchants. The security measures taken by card issuers have been taken to another level with the introduction of the smart card. Smart card technology took over from the electronic credit card technology in 2006. The smart card is more dynamic, with 100 times the memory of the electronic credit card. The steps taken by the card issuers are intended to increase the level of trust of users in getting involved with e-commerce in Malaysia.

2.1 Smart Credit Card


The whole world is now entering the era of the smart card. Recently, many systems have been developed for the purpose of creating a basic card that has the characteristics of electronic cash for use in the real world as well as in cyberspace.[10] The smart card was invented by Roland Moreno from France and the idea was patented in 1974. Nowadays, the use of the smart card has proliferated throughout Europe, and France has become the main user of smart cards in the world. Meanwhile, Gemplus, a mega-corporation in France, has become the main producer of smart cards.[11]

In general, there are various uses of the smart card. In Malaysia, its use has flourished and has been integrated into everyday life.[12] Firstly, in the fields of medicine and health, pertinent personal information is uploaded onto smart cards: personal details, insurance policy, medicine schedule, treatment, medical history and the number to be dialled in case of emergency. This information is very important for all Malaysian residents. With the smart card implemented in this manner, information can be retrieved quickly and accurately. However, the use of the smart card is fairly limited. This limitation is caused by the low number of card reader machines in use all over the world. These card readers detect the data coded within the card and translate it[13] into a language that can be easily understood. Before the smart card can be fully utilised, smart card readers need to be installed at the related premises. This is one of the main reasons why the implementation of the smart card is fairly slow in Malaysia.



Figure 2.1 Smart Card

The Malaysian government is also heading toward fully realising the benefits of the smart card. This is clear in the implementation of the MyKad system shown in figure 2.1, which is the national identification card for Malaysian citizens. The use of MyKad is quite limited since card readers have not been introduced and used widely. Some time is needed for the government to implement the smart card system fully in this country. According to the Public Relations Officer of the National Registry Department, Nur Ashikin Othman, MyKad is safe to use.[14] The security characteristic introduced into the smart card is symmetric key cryptography applied three times over through the Data Encryption Standard (DES) using a 128 bit key.


Figure 2.2 Bank Islam Card

The Bank Islam Card (BIC) in figure 2.2 is the first credit card in the country to incorporate a high level of security characteristics through smart card technology. Other local banks have also followed suit in incorporating smart card technology into their products. According to the previous Deputy Finance Minister, Datuk Shafie Mohd Salleh, local banks were expected to replace their usual magnetic stripe credit cards with more secure credit cards carrying an embedded smart chip from the second quarter of 2002 until early 2003.[15] The smart card is able to store and transfer data between the involved parties.[16] The data stored are in the form of numerical values or information, or a combination of both. They are stored within and processed by the computer chip on the actual card. The data contained in this chip are transferred through the card reader. This computer chip not only has a large memory, but it also has the ability to compute. It does not rely on outside sources for operation.[17] The use of smart cards in the credit card industry is mainly for storing confidential information such as the personal details of the user and the cryptographic key for the process of authentication.

Authentication is a process in which the user is required to validate his or her identity to a system. A key is used to encode and decode the information about the user for the merchant. This process can prevent the credit card from being validated by the system if the credit card falls into the hands of irresponsible individuals. Therefore, card abuse and credit card fraud can be avoided. The use of the smart card requires a terminal to be installed at the business premises. This terminal is a device that receives input and displays output. It acts as an interface between the user and the processor. The purpose of installing this terminal is to ensure that the card and the terminal can be used together in the process of authentication. Card reader machines are another tool that can be used for authentication purposes; they can also be installed on personal computers for the same function. Both these devices are pertinent to the process of validation, for without them information about the user cannot be authenticated, and this would facilitate credit card fraud.

Behind each potential security measure, there are also some drawbacks. The use of the smart card with the Personal Identification Number (PIN) verification method has several obvious weaknesses. It can be used with or without the permission of the identity owner.[18] If this occurs, the system is not able to identify the individual who uses the PIN, which implies a weakness in the system where PIN abuse can occur without detection. The use of simple and easy to memorise PINs increases the possibility of the PIN being guessed. Such PINs can be broken through repeated guesses using many registered keywords (brute-force attack).[19] Another weakness of authentication through PIN usage is that long PINs may be difficult to memorise. This sometimes forces the user to write the PIN down and keep it in places that are easily accessed. The consequence is that the written PIN can be found by irresponsible individuals who would then use it for verification without the permission of the card holder.


2.2 Combination of Smart Card and Cryptographic Techniques


In order to achieve a high level of information secrecy on the smart card, cryptographic techniques are integrated within the smart card. The combination of the smart card and cryptography is said to be capable of providing the safest environment[20] for guaranteeing the confidentiality of information between the sender[21] and receiver.[22] Cryptography is a technique used to change the original message or information, which can be understood easily, into a different form that does not make any sense to an external observer. This technique needs an encryption process that is performed on the information contained within a computer chip. This encryption process can be carried out using two methods, symmetric encryption and asymmetric encryption, both of which require an algorithm and a key. An algorithm is a clearly defined set of instructions or rules for solving a given problem.[23] A key is a value used as the basis for encryption.[24] It functions by reproducing the information in a form that is different from the original and is usually unintelligible.



[Figure 2.3 diagram: Sender; Plain text, encrypt, Cipher text, decrypt, Plain text]

Figure 2.3: Symmetric encryption

Symmetric encryption, shown in figure 2.3, requires the sender and the receiver of information to have the same key for encrypting and decrypting the information. The information is transformed into an unreadable form by the key and algorithm. The symmetric encryption process begins with the original information in a readable form, also known as plain text, which is encrypted by the sender using the key to produce a form that cannot be read, known as cipher text. When the encoded text reaches the receiver, the receiver decrypts the information using the same key. This changes the information from its unreadable form back into a form that can be read, which is the normal plain text.

The most popular symmetric encryption method is the Data Encryption Standard (DES).[25] DES was created by the IBM Corporation in 1977 for the use of the United States government. Several modifications were made to the original algorithm according to the National Security Agency (NSA) to make it a more complete and robust algorithm. This algorithm has been dissected and researched for more than 20 years by cryptographers, and it was found that it cannot be easily broken. DES uses a 56 bit key, capable of producing 2^56 (about 7x10^16) variations.[26] Based on this number, the chances of getting the correct variation and breaking the code are fairly remote.





[Figure 2.4 diagram: Sender and Receiver each hold Key A, Key B and Key C; Plain Text, encrypt, Message encoded, encrypt, Message encoded twice, encrypt, Message encoded thrice; decrypt, Message decoded twice, decrypt, Message decoded, decrypt, Plain Text]

Figure 2.4: Symmetric encryption (Triple DES)

For an improved level of security, the Triple DES method can be used.[27] This method, shown in figure 2.4, requires the use of three different keys. The sender and the receiver must have all three keys in their possession. If one of the keys is lost, the information will remain as encoded text. The use of three keys makes this method fairly complex and causes it to take a fair amount of time to execute. Information is encrypted and decrypted three times using three different keys. Triple DES incorporated into the smart card is considered to be very secure. However, when compared to asymmetric encryption, which uses different keys (a public key and a personal key), the Triple DES method is still considered to be relatively insecure.




[Figure 2.5 diagram: Sender (A) and Receiver (B); Plain Text, encrypt with B’s Public Key, Cipher Text, decrypt with B’s Private Key, Plain Text]

Figure 2.5: Asymmetric encryption

Asymmetric encryption, shown in figure 2.5, is a system that uses two different keys, a public key and a private key, to encrypt and decrypt information. In order to send information, the sender encrypts it with the public key of the receiver. When decrypting, the receiver uses its own personal (private) key. This method is also called public key encryption and was introduced by Whitfield Diffie and Martin Hellman in 1976.[28] This method requires the sender and the receiver each to own a pair of matching keys. The use of asymmetric encryption with public keys is explained in figure 2.5: if sender (A) wants to send information to receiver (B), sender (A) encrypts the information using public key B. Receiver B then decrypts the information using personal key B. The safety of information en route between A and B is guaranteed since only B has the personal key.

The use of public keys can guarantee to a high degree the safety of the information, but the authentication of the information is still in question. In order to overcome this problem, the sender needs to encrypt the information twice at the parts of the message considered most important or sensitive, as explained in figure 2.6. For this purpose, the sender first encrypts the sensitive parts of the message using the sender's own personal key. Then the sender encrypts the whole message using the public key of the receiver. The receiver then decrypts the message using the receiver's personal key. This results in the whole text being plain text, except for the parts that have been encrypted twice. For these sections, the receiver needs to decrypt the information using the public key of the sender. This method can verify the authenticity of the information: the receiver can be confident that the message actually originated from the sender.



[Figure 2.6 diagram: Sender and Receiver; Plain Text, encrypt with Sender Private key, then encrypt with Receiver Public key, giving Message encrypted twice; decrypt with Receiver Private key, then decrypt with Sender Public key, giving Plain Text]

Figure 2.6: Asymmetric encryption (Twice)
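As an added example that is not part of the paper, the following Python models the flows of figures 2.5 and 2.6 with textbook RSA on toy 16-bit moduli (stdlib only, so it runs offline). The "sensitive part" that the sender encrypts with its own private key is taken here to be the SHA-256 digest of the message, which is exactly how a digital signature is formed; the primes, the per-byte block encoding and the message are assumptions for illustration, not a deployable scheme.

```python
"""Figures 2.5 and 2.6 as code: public-key encryption, then sign-then-encrypt.

Toy RSA with small primes so that every block fits in two bytes. Real systems
use 2048-bit moduli with randomised padding (OAEP/PSS); this only shows the
key roles the paper describes: who encrypts with which key, and who decrypts.
"""
import hashlib
from math import gcd

# Constructed toy primes; each modulus n = p*q is below 2**16.
SENDER_PRIMES = (211, 229)    # n = 48319
RECEIVER_PRIMES = (239, 251)  # n = 59989
IMPOSTOR_PRIMES = (223, 241)  # n = 53743, a third party with its own key pair
PUBLIC_EXPONENT = 65537
SIGNATURE_LEN = 32 * 2        # 32 digest bytes, each becomes one 2-byte block


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))   # d = e^-1 mod phi(n)


def rsa_blocks(key, values):
    """Apply value^exponent mod n to each integer; used with either key of a pair."""
    n, k = key
    return [pow(v, k, n) for v in values]


def encrypt_bytes(public_key, data):
    """Figure 2.5: encrypt each byte under the receiver's public key (2 bytes out per byte in)."""
    return b"".join(c.to_bytes(2, "big") for c in rsa_blocks(public_key, data))


def decrypt_bytes(private_key, ciphertext):
    """Undo encrypt_bytes with the matching private key; None if a block is not a byte."""
    blocks = [int.from_bytes(ciphertext[i:i + 2], "big")
              for i in range(0, len(ciphertext), 2)]
    plain = rsa_blocks(private_key, blocks)
    if any(m > 255 for m in plain):      # wrong key or corrupted ciphertext
        return None
    return bytes(plain)


def sign_then_encrypt(sender_private, receiver_public, message):
    """Figure 2.6, sender side.

    Step 1: the sensitive part (here the message digest) is 'encrypted' with the
            sender's private key, which is what produces a digital signature.
    Step 2: message + signature is encrypted as a whole with the receiver's public key.
    """
    digest = hashlib.sha256(message).digest()
    signature = b"".join(s.to_bytes(2, "big")
                         for s in rsa_blocks(sender_private, digest))
    return encrypt_bytes(receiver_public, message + signature)


def decrypt_and_verify(receiver_private, sender_public, ciphertext):
    """Figure 2.6, receiver side: returns (message, authenticated).

    Step 1: decrypt the whole envelope with the receiver's private key.
    Step 2: 'decrypt' the doubly-encrypted part with the sender's public key and
            compare it with a fresh digest of the message; a match proves origin.
    """
    envelope = decrypt_bytes(receiver_private, ciphertext)
    if envelope is None or len(envelope) < SIGNATURE_LEN:
        return None, False
    message, signature = envelope[:-SIGNATURE_LEN], envelope[-SIGNATURE_LEN:]
    sig_blocks = [int.from_bytes(signature[i:i + 2], "big")
                  for i in range(0, SIGNATURE_LEN, 2)]
    recovered = rsa_blocks(sender_public, sig_blocks)
    authenticated = recovered == list(hashlib.sha256(message).digest())
    return message, authenticated


if __name__ == "__main__":
    s_pub, s_priv = make_keypair(*SENDER_PRIMES)      # card holder
    r_pub, r_priv = make_keypair(*RECEIVER_PRIMES)    # merchant
    ct = sign_then_encrypt(s_priv, r_pub, b"pay RM120 to merchant 42")
    print(decrypt_and_verify(r_priv, s_pub, ct))
```

The impostor key pair in the block shows the property the paper is after: a message signed with any other private key still decrypts at the merchant, but fails the check against the card holder's public key.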

The authentication of information can be ensured with the use of public and personal keys, better known as Public Key Infrastructure (PKI), which can guarantee the authenticity of the information sent by the sender to the receiver. Malaysia has taken prudent steps in certifying the use of PKI to guarantee the safety of data transmitted electronically. This is supported by the formation and enforcement of the Digital Signature Act 1997.[29] This Act directly gives room for PKI to be implemented in practice in Malaysia. PKI requires digital signatures from the two parties involved in an electronic transaction, the information sender (card holder) and the information receiver (merchant). The digital signature here, as defined in this Act, is not a signature in written form, but rather the creation of a pair of public and personal keys for each involved party, i.e. card holder and merchant.[30] These pairs of keys are then used by the related party to encrypt and decrypt the data transmitted electronically.

Digital signatures are created with the purpose of ensuring data authentication and validation of the data sender. The production of digital signatures is governed by the provisions of the Digital Signature Act 1997. Digital signatures can only be created by certification authorities that have been legally appointed. According to this Act, the Minister is given the authority to perform the task and take responsibility for the creation of digital signatures. Section 3(1) gives the Minister authority to appoint a committee for the purpose of controlling and supervising the activities of certification authorities. This committee is also known as the Malaysian Multimedia and Communication Committee,[31] and it is responsible for all matters pertaining to the administration, enforcement, execution and implementation of this Act. The main aim of forming this Act was to validate the parties involved in electronic data transmission. This validation can only be made by a certification authority that fulfils the criteria under Section 4 of the Act. Under this Act, an individual can act as a certifying party if the individual possesses a valid licence.[32] Applications for such a licence are made in writing to the Committee using the appropriate forms. The Committee has the right to withhold the licence of the applicant.[33] If this happens, the applicant does not have the authority to certify its customers.

In Malaysia, there are two certification authorities: Digicert Sdn. Bhd., established in 1998, and Msctrustgate, established in 1999.[34] Only these two organisations have the authority to issue certification to customers. Once an authority has issued certification to a customer, the customer can use the digital signature to ensure the safety of data during transmission. When certification is issued, the credit card holder holds a certificate, a digital signature and a personal key for the purpose of using encryption technology. The security measures in the combination of smart card and cryptographic technique are capable of averting fraud. This is because the transmitted information has been changed into a form that is not legible without the algorithm and key. In order to gain access to this information, an individual must have the matching key, for without it, it would be near impossible to gain access.

3 EXISTING LAW TO PROMOTE E- COMMERCE IN MALAYSIA


The issue of security in e-commerce can be addressed by taking into consideration the provision under the Digital Signature Act 1997, Computer Crimes Act 1997, Multimedia & Communication Act 1998 and Payment Systems Act 2003. Recently, the government has enacted the Electronic Commerce Act 2006 for encouraging electronic trading. Besides this, the Malaysian National Bank has also established guidelines as well as ethical codes for handling payment electronically in ensuring the safety of users when performing e-commerce transactions.

3.1 Digital Signature Act 1997


The Digital Signature Act 1997 was passed by Parliament in 1997. It received Royal Assent on 18 June 1997 and was gazetted on 30 June 1997. The Act came into force on 1 October 1998 and was formulated with the intent of making provision for digital signatures and of monitoring and controlling their use. More specifically, it was aimed at encouraging electronic business transactions as well as providing legal validation for digital signatures. The production of digital signatures is bound by the provisions of the Digital Signature Act 1997. Digital signatures can only be produced by a certifying authority that has been legally appointed. Section 3(1) provides for the power of the Minister to appoint a committee for the purpose of controlling and supervising the activities of these certifying authorities. This committee is also known as the Malaysian Multimedia and Communication Committee,[35] which is responsible for the administration, enforcement, execution and implementation of this Act. The first certifying authority officer was the Chief Director of Pos Malaysia. He was assigned the task of monitoring and controlling the activities of these certification authorities. The main aim of forming this Act was to certify the parties involved in electronic data transmission. This certification can only be made by a certification authority that fulfils the criteria under Section 4 of the Act. Under this Act, an individual can act as a certification authority if that person holds a valid licence.[36] An application for such a licence is made in writing to the Committee on the provided forms.
The Committee has the right not to release the licence to the applying certification authority.[37] If this occurs, the certification authority does not have the right to issue certification to its customers.

A weakness of the security system in smart cards that use digital signatures is that it involves certifying authorities that do not act as the middle-man in the production of digital signatures. This gives rise to the question of the trust and reliability of these certifying companies. In addition, the charge imposed for obtaining the digital signature is also a weakness of this system. This charge would in effect cause the process of customer identification to be less stringent.

3.2 Computer Crimes Act 1997


The Computer Crimes Act received Royal Assent on 18 June 1997 and was gazetted on 30 June 1997. This Act aims to make provision for offences relating to the misuse of computers. Activities that would jeopardise the safety of data during e-commerce transactions can be dealt with under the provisions of this Act. Section 3 provides for unauthorised access activities, meaning an activity that causes a computer to carry out a function with the intent of obtaining access to any data stored in that computer. On conviction, the punishment is a fine not exceeding RM 50,000 or a jail term of not more than five years, or both. When the data obtained from this unauthorised access are used to commit a crime involving fraud or deception, such as producing false credit cards using valid data from the card holder, this becomes an offence under Section 4. For an offence under Section 4, the punishment is a fine of not more than RM150,000 or a prison term of not more than 10 years, or both.

The weakness of the Computer Crimes Act 1997 is that its provisions are quite limited. The hi-tech devices and complex techniques used in performing these unauthorised access activities make this Act seem outdated. The Act does not clearly list the types of devices or instruments that are considered computers; the definition of a computer under Section 2 is too general.




3.3 Multimedia and Communications Act 1998


The Multimedia and Communications Act 1998 was established to regulate the multimedia and communication industries. The Act was formed to instil the national policy objectives and create a framework for licensing and regulation of the multimedia and communication industries, establishing the powers and functions of the Malaysian Multimedia and Communication Committee. There is one provision under this Act that deals with fraud and activities related to access devices, which can be taken to cover fraud in the use of credit cards in e-commerce. This follows the definition of access devices under Section 6, which includes a credit card among the characteristics of an access device. According to Section 236, an individual commits an offence if he or she produces, installs, uses, imports, sells, supplies or leases any modified access device. A modified access device is any access device that has been tailored, created, changed or falsified, or a component that can be identified as part of an access device or modified access device.[38] Thus, any fraudulent activities performed using the credit card are offences under Section 236.

The most obvious weakness of this Act is that the prison sentence brought down upon these perpetrators under this section is not equivalent to the crime they committed. Prison sentences in Malaysia do not exceed five years, while overseas, fraud or embezzlement involving access devices would be sentenced with a prison term of between six and 20 years, depending on the severity of crime performed.

3.4 Payment Systems Act 2003


The Payment Systems Act (PSA) was gazetted on 7 August 2003 and came into effect on 1 November 2003. The objective of the Act is to ensure the security, safety and efficiency of the payment system in Malaysia. The Act provides the legal framework to ensure protection of the financial system as well as public confidence in the payment system. The PSA also applies to persons outside Malaysia who operate a payment system, if that payment system accepts payment or instalment instructions from participants in Malaysia, unless otherwise prescribed by Bank Negara Malaysia. The Act provides for two players in the payment system, namely the operator of the payment system and the issuer of a designated payment instrument.

Section 5 provides for the operator of a payment system. According to this section, an operator who wishes to operate a payment system is required to submit documents to, and obtain notification from, Bank Negara Malaysia. These documents are important for establishing a surveillance mechanism to monitor developments in the payment system, so that appropriate policies can be formulated as and when required. Bank Negara Malaysia is also empowered to prohibit the operation of any payment system if it is detrimental to the reliable, safe, efficient and smooth operation of the country's payment systems. Section 25 of the PSA provides for the issuer of a designated payment instrument. According to that section, any issuer of a designated payment instrument is required to obtain approval from Bank Negara Malaysia. Under the Act, three payment instruments have been prescribed as designated payment instruments, namely the charge card, the credit card and electronic money.

The weakness of the Act is that it regulates only the operation of the payment system operator and the issuer of payment instruments. It does not confer any protection on the consumer who uses the payment system. Fraud committed by a third party is not covered by the Act.

3.5 Electronic Commerce Act 2006


The Act was passed by Parliament in 2006. It provides for the legal recognition of electronic messages in commercial transactions, the use of electronic messages to fulfil legal requirements, the enabling and facilitation of commercial transactions through electronic means, and other matters connected therewith. The Act applies only to commercial activities; it does not apply to regulatory activities between the public and the government, wills, the creation of trusts, powers of attorney or negotiable instruments. According to Section 4, the Act is supplemental to, and without prejudice to, any other law regulating commercial transactions.

In promoting e-commerce transactions, the Act came at the right moment. Section 7 clearly provides for the recognition of information in electronic form: from now on, information in electronic form shall not be denied legal effect, validity or enforceability. However, the Act has a few drawbacks. It does not provide for consumer protection; any issue relating to consumer protection must be referred to the Consumer Protection Act 1999 (CPA 1999). The CPA 1999 was amended in August 2007 to cover online transactions, as provided in section. The Act also does not provide for cross-border transactions. This issue is crucial, since online transactions can be global and borderless.
4 CONCLUSION


The future of e-commerce in Malaysia rests on consumers' trust and confidence in it. Security is said to be the prime concern of e-commerce users in Malaysia. Therefore, both the government and online traders have a role to play in providing a secure environment for online transactions. Online traders have introduced high-technology security measures for this purpose. Nevertheless, more regular and intensive research is needed to identify the weaknesses of these security systems as the digital industry advances rapidly. As for the government, attempts have been made to introduce various laws relating to cyber issues and e-commerce transactions. However, these are not enough; several issues still need to be resolved. Both online traders and the government must act seriously in providing a secure environment for e-commerce in Malaysia.


REFERENCES


Abu Bakar Munir. 1999. Cyberlaw Policies And Challenges. Kuala Lumpur: Butterworths.
Anita Abdul Rahim & Nazura Abdul Manap. 2000. Theft of Information: Possible Solutions under Malaysian Law. Malayan Law Journal, 3MLJxc.
Brinson, J.D., Dara-Abrams, B., Dara-Abrams, D., Masek, J., Mc Dunn, R. & White, B. 2001. Analyzing E-commerce & Internet Law. New Jersey: Prentice Hall.
Computer Dictionary. 2001. Selangor: Fajar Bakti Sdn. Bhd.
CNETASIA. http://asia.cnet.com/newstech/communications/0,39001141,13032951,00.htm
Cockburn, C. & Wilson, T.D. 1996. Business use of the World Wide Web. International Journal of Information Management 16(2): 83-102.
Cronin, G. 1995. Marketability and social implication of interactive TV and the information superhighway. IEEE Transactions on Professional Communication 39(1): 24-32.
Din, N.M. & Jamaluddin, M.Z. 2003. Building A Trusted Environment For E-Business: A Malaysian Perspective. Journal of ICT 1(1).
Green, D.H. 1988. Consumer in Economy. 2nd Ed. Ohio: South Western Co.
Greinstein, M. & Feinman, T.M. 2000. Electronic Commerce: Security, Risk Management and Control. Singapore: Mc Graw Hill.
Wheeler, D.R. 1997. Global considerations of Internet security, privacy and protection. Proceedings of Pan-Pacific Conference XIV: 142-144.
Governor's Keynote Address at the Banking and Financial Law School 2001: Banking and ICT Developments, Legal Aspects. http://www.bnm.gov.my/index.php?ch=9&pg=15&ac=4
Haji Sallehudin bin Haji Mohd Lip. 2001. E-commerce, e-Trading and Internet Money Transaction. Malayan Law Journal, Articles. Kuala Lumpur.
Julian Ding. 1999. e-Commerce Law & Practice. Selangor: Sweet & Maxwell.
Lee Swee Seng. 2003. Legal Issues in B2C E-commerce in Malaysia. http://www.mlj.com/free/articles/sslee3.htm
Maram M Bahjat & Husnayati Hussin. 2003. E-commerce Website Ethical Analysis: Application of the BBBonline Guidelines. National ICT Seminar, 15 December 2003.
Nandan Kamath. 2001. Law Relating to Computers, Internet and E-commerce: A Guide to Cyberlaws and The Information Technology Act, 2000 with Rules & Notification. New Delhi: Universal Law Publishing Co. Pvt. Ltd.
Norhayati Abd. Mukti. 2000. Barriers to Putting Business on the Internet in Malaysia. EJISDC 2(6): 1-6.
Nurzaid Muhd Zain. 2003. Perlaksanaan Biometrik: Ancaman dan Keselamatan. Seminar Proceedings, National ICT Seminar, 15 December 2003.
Maggs, P.B. 2003. Consumer Protection on the Internet. http://home.law.uiuc.edu/~pmaggs/intcom.h
Maggs, P. & Pendersen, S. 2002. New Developments in Internet Consumer Law in the United States of America. http://home.law.uiuc.edu/~pmaggs/newnet.htm
Rupa Mehta & Rohinton Mehta. 2001. Credit Cards: A Legal Guide With Special References to CREDIT CARD FRAUDS. New Delhi: Universal Law Publishing Co. Pvt. Ltd.
Smart Cards And Security Overview. 2003. http://www.smartcardbasics.com/overview.html
Solutions for the Wireless Age. 2003. http://www.informatic.com/htmls/idcards.htm
Tunkel, D. & York, S. 2001. Hammond Suddards Edge e-commerce: A Guide to the Law of Electronic Business. United Kingdom: Butterworths.
Verisign White Paper. 2004. Extending Managed PKI Services to Smart Cards for Greater Convenience and Security. http://verisign.com/products/smartcard/SmartCard.pdf




[1] Julian Ding, e-Commerce Law & Practice, Sweet & Maxwell, Selangor, 1999, p. 167.

[2] Haji Sallehudin bin Haji Mohd Lip, E-commerce, e-Trading and Internet Money Transaction, Malayan Law Journal, Articles, Kuala Lumpur, 2001.

[3] Ibid.

[4] Maram M Bahjat & Husnayati Hussin, E-commerce Website Ethical Analysis: Application of the BBBonline Guidelines, National ICT Seminar, 15 December 2003.

[5] Abu Bakar Munir, Cyberlaw Policies And Challenges, Butterworths, Singapore, 1999, p. 235.

[6] Norhayati Abd. Mukti, Barriers to Putting Business on the Internet in Malaysia, EJISDC (2000), 2, 6, 1-6.

[7] C. Cockburn & T.D. Wilson, Business use of the World Wide Web, International Journal of Information Management 16(2), 1996, pp. 83-102.

[8] G. Cronin, Marketability and social implication of interactive TV and the information superhighway, IEEE Transactions on Professional Communication 39(1), 1995, pp. 24-32.

[9] D.R. Wheeler, Global considerations of Internet security, privacy and protection, Proceedings of Pan-Pacific Conference XIV, 1997, pp. 142-144.

[10] D. Tunkel & S. York, Hammond Suddards Edge e-commerce: A Guide to the Law of Electronic Business, p. 379.

[11] Rupa Mehta & Rohinton Mehta, Credit Cards: A Legal Guide With Special References to CREDIT CARD FRAUDS, p. 13.

[12] Ibid., p. 19.

[13] Computer Dictionary, Penerbit Fajar Bakti, Selangor, p. 80.

[14] CNETASIA, http://asia.cnet.com/newstech/communications/0,39001141,13032951,00.htm (12 November 2003).

[15] Utusan Malaysia, http://www.utusanmalaysiaonline.com.my/ (18 June 2003).

[16] Smart Cards And Security Overview, http://www.smartcardbasics.com/overview.html (29 September 2003).

[17] Solutions for the Wireless Age, http://www.informatic.com/htmls/idcards.htm (23 August 2003).

[18] Nurzaid Muhd Zain, 'Perlaksanaan Biometrik: Ancaman dan Keselamatan', Seminar Proceedings, National ICT Seminar, 15 December 2003, p. 155.

[19] Ibid.

[20] Verisign White Paper, Extending Managed PKI Services to Smart Cards for Greater Convenience and Security, http://verisign.com/products/smartcard/SmartCard.pdf (24 February 2004).

[21] The sender, in the context of credit card usage over the Internet, refers to the cardholder who exposes credit card information to the merchant for payment.

[22] The receiver in the context of the real world refers to the card-issuing bank, and the receiver over the Internet refers to the merchant.

[23] Computer Dictionary, Fajar Bakti Sdn. Bhd., 2001, p. 17.

[24] Ibid., p. 334.

[25] M. Greinstein & T.M. Feinman, Electronic Commerce: Security, Risk Management and Control, Mc Graw Hill, Singapore, 2000, p. 233.

[26] Ibid.

[27] Ibid., p. 234.

[28] Ibid., p. 234.

[29] N.M. Din and M.Z. Jamaluddin, Building A Trusted Environment For E-Business: A Malaysian Perspective, Journal of ICT, 1(1), pp. 33-44.

[30] Julian Ding, e-Commerce Law & Practice, Sweet & Maxwell Asia, Selangor, 1999, p. 202.

[31] Section 2 Digital Signature Act 1997.

[32] Section 4(1) Digital Signature Act 1997.

[33] Section 8(4) Digital Signature Act 1997.

[34] N.M. Din and M.Z. Jamaluddin, Building A Trusted Environment For E-Business: A Malaysian Perspective, Journal of ICT, 1(1), pp. 33-44.

[35] Section 2 Digital Signature Act 1997.

[36] Section 4(1) Digital Signature Act 1997.

[37] Section 8(4) Digital Signature Act 1997.

[38] Section 236(4) Multimedia and Communications Act 1998.