buch.ch: Offering Additional Services with SuisseID

22 November 2010



For many years, buch.ch has been number one in the Swiss online book business. It achieved this position through fast service on the one hand and, on the other, through innovative, user-friendly online shop functions that are constantly updated in line with the latest Internet developments. buch.ch considers the introduction of SuisseID to be one such development and has therefore implemented it as an option for client registration and login. SuisseID additionally allows buch.ch to implement youth protection for its product line and thus to offer products that, unlike other providers, it did not previously sell. In addition to the unambiguous identification of clients, SuisseID permits secure age verification of the buyer and, therefore, compliance with the legal youth protection regulations. buch.ch furthermore expects to reduce the number of solvency checks while improving customer data quality.


The Company buch.ch

buch.ch was launched in 1996 as the first Swiss online bookshop. Back then, buch.ch was a unit of the Schneebeli bookshop. Since 2001, buch.ch has been a subsidiary of the German-based buch.de internetstores AG, in which Thalia Holding GmbH has a 60 % stake. For many years, buch.ch has been the leading Swiss online bookshop.
Together with its subsidiary buch.ch, buch.de internetstores AG currently operates fourteen online shops in Germany, Austria, and Switzerland under various brand names. For the 21 stationary Swiss bookshops belonging to Thalia Holding and operating under the brand names Thalia, Meissner, Stauffacher, and ZAP, buch.ch handles all of their online business.
The core business of buch.ch consists in distributing media such as books, CDs, DVDs, software (e.g. computer games), and games/toys (e.g. board games). With its ever more comprehensive product range, new functions and services, buch.ch meets many a customer’s desire to shop online.
buch.ch attaches great importance to handling received orders promptly: customers may download digital goods such as e-books onto their e-book reader directly after completing the order. Since October 2010, buch.ch has also had an online e-bookshop integrated into the e-book reader: customers can buy and download e-books directly through their e-book reader. Physical articles are usually shipped within 24 hours of order completion. buch.ch also offers additional services: customers may, for example, pick up the ordered article themselves at the bookshop they indicate or ask for complimentary gift-wrapping. In addition to regular means of payment, customers may pay with “UBS KeyClub” points or “Lufthansa Miles & More” premium miles.

Presentation of business partners

Business software providers, Implementation partners
The software provider freiheit.com develops large individual software systems for the entire value-added chain in electronic retail as well as special company software on the basis of Internet technologies. freiheit.com has comprehensive experience in the bookshop industry.

Online shop design
The advertising agency p.AD. in Cologne provides its clients with services spanning the entire communication mix. p.AD. creates integrated communication concepts at a high level and develops designs for online shops such as those of buch.de internetstores AG.


Decision in Favour of SuisseID

Continuously developing its online services ranks among the key competences of buch.ch. The company focuses on developing individual functions that set it apart from its competitors. SuisseID provides buch.ch with a further tool for differentiating itself from the competition. buch.ch wants to be at the forefront of current developments in electronic business traffic, and the launch of SuisseID is part of that. Beforehand, buch.ch estimated the costs and assessed profitability (cf. Chapter "Investment Decision").


Online Shop Authentication with SuisseID

The following chapters examine the implementation of SuisseID in the buch.ch online shop from various perspectives.

Business View and Objectives
In addition to the online shop for its own brands (buch.ch and bol.ch), buch.ch runs the online shop for the bookshops mentioned in Chapter "The Company buch.ch". All shops have access to the same catalogue data and systems. The contractually agreed cooperation with buch.ch enables bookshops to use those synergies while pursuing a multi-channel strategy. The individual shop determines marketing measures as well as layout and content.
Orders through the bookshops’ online presence are handled entirely by buch.ch (cf. Figure 1). The sole exception is orders for which the client desires in-shop pickup. The customer service automatically selects those orders and forwards them to the bookshops. buch.ch will then no longer be involved in procuring the respective articles and in their further handling.
As is normal for online shops, customers could previously log in with their usernames and passwords. This login possibility will continue to exist, but customers may now alternatively sign in with a SuisseID. buch.ch is therefore among the first online shops offering a SuisseID login.
Various objectives support the decision by buch.ch to offer a SuisseID login. The first objective consists in identifying users online. There are several methods for verifying user data: an e-mail can, for example, be sent to the address indicated by the user. The e-mail contains a confirmation request that the user has to return before the customer account can be opened. It is also possible to verify the data of a credit card used for payment. However, the uncertainty about whether the card is actually being used by its owner remains. Thanks to its strong authentication and through legislation [cf. Quade, 2010a: p. 15], SuisseID provides certainty regarding user identity.


Figure 1: Business scenario buch.ch [according to Alioski 2008]



The second objective consists in secure client age verification. SuisseID makes this verification possible and buch.ch can broaden its product range with articles subject to youth protection legislation. buch.ch has previously been cautious in accepting such articles in its product range since the Internet does not allow reliable and customer-friendly age verification. Entering the ID card code, which contains the date of birth, does not provide certainty for the provider: the Internet offers tools allowing the generation of any codes (such as on ID cards) with any desired date of birth. Cigarette vending machines will then read the card code for releasing the purchase. Verifying age via the credit card infringes on data protection legislation since the customer cannot freely choose here whether the online shop may obtain the age. With SuisseID, the customer can freely choose whether an online shop may learn the age indicated with the Identity Provider/Claim Assertion Service (IdP/CAS) by the SuisseID provider.
The third objective consists in SuisseID enabling speedier processes in the area of debtor dunning and money collection. It is quicker and more promising to start a money collection procedure for customers that have used SuisseID to authenticate themselves at buch.ch but fail to pay later on. Even if the indicated address is incorrect, cash collection companies will have an easier time finding the correct customer address thanks to the person’s known identity. The company can initiate the necessary collection steps sooner.
buch.ch furthermore intends to use SuisseID to avoid multiple user registrations due to forgotten usernames, thus providing better customer communication quality and improved customer evaluations.

Application View
Among the most important application systems are the shop system, the catalogue system TALK and the inventory control system Storeways. The shop system and TALK were developed by freiheit.com. Storeways is an in-house development of buch.de internetstores AG. Figure 2 indicates the systems most important for the buch.ch business processes.
In addition to the indicated systems, a great number of supporting systems are used, mainly serving customer loyalty [Alioski, 2008]. All buch.de internetstores AG online shops and the stationary bookshops are presented as positions in the indicated systems.
For SuisseID customers, buch.ch offers various functions:

  • If the future customer does not have a buch.ch account yet, he may register with SuisseID and start an account.
  • Customers with an existing account who authenticate at buch.ch for the first time using SuisseID may link their account to SuisseID. To this end, they have to enter the registered username and password once. Customers may alternatively enter their SuisseID in the “My account” category after they have logged in with username and password. When authenticating with SuisseID during the next visit, they will have access without username and password.


Figure 3: Application view buch.ch with SuisseID [according to Alioski 2008]



During registration or login with SuisseID, the user must first choose his SuisseID provider. The system will then access the Identity Provider/Claim Assertion Service (IdP/CAS) of the chosen SuisseID provider. The SuisseID connected to the computer will then serve to authenticate the user and the customer’s web browser will forward the data to the online shop.
When authenticating using SuisseID, the system will first check whether a customer has already registered that particular SuisseID. If the used SuisseID has not yet been registered with a buch.ch user account, the IdP/CAS-identified characteristics will be requested: name, first name, date of birth, and whether the person is 18 years old. CAS can request the characteristic “Is over 18” [cf. Quade, 2010a: p. 23].
The customer’s web browser will then display a page generated by the IdP/CAS (cf. Figure 3). It contains the data requested by the buch.ch registration function. If a customer releases the required characteristics, the IdP/CAS will transmit the data to buch.ch via the user’s web browser. The registration process can continue. The customer will once again see the buch.ch online shop on his browser and can now enter additional information, such as the address. If a customer does not release the requested information, the registration with SuisseID will be cancelled.
The inventory control system Storeways will then store the data received from the SuisseID IdP/CAS in the customer account. Storeways stores the customer master data, the usernames and passwords, and the associated customer SuisseID. For authenticating and transmitting the requested characteristics, the system employs the process defined in the SuisseID Specification, which uses SAML (Security Assertion Markup Language) [Bürge & Zweiacker, 2010].

Figure 3: Release of the identification document assertions for buch.ch

Project Flow and Operation

Investment Decision
Prior to its investment, buch.ch conducted a profitability analysis. On the expense side: An offer by freiheit.com estimating 6.5 man-days for implementation and an estimated buch.ch-internal effort of 15 to 25 man-days. The internal efforts comprise the launch and the user training for the new functions with SuisseID. The launch includes the test and rollout of the new functions. Training the internal employees comprises an introduction to SuisseID, the functions that SuisseID makes available to the customer, and the support that buch.ch can provide when a customer has difficulties using SuisseID.
On the return side, various scenarios were discussed. Depending on the assumptions, the investment will be recouped either as early as 2010 or much later. Amortisation will be quick if news of the SuisseID implementation develops the same advertising dynamics as the purchased marketing measures of identical cost that buch.ch routinely conducts. If, however, only the returns from additional purchases of articles subject to youth protection are counted, amortisation will be much slower, because sales expectations for such articles are not high, as buch.ch has learned from the experience of its parent company. There is nevertheless demand, and buch.ch generally positions itself with a very broad product range.
The uncertainty in these assumptions is similar to the chicken-egg problem that SuisseID still had in 2010 since there are still few SuisseID applications. As soon as a critical mass of SuisseID users has been reached, the benefit of the investments will be clearer.

Solution Development and Implementation
Software partner freiheit.com created the registration and authentication functions via SuisseID for buch.ch. It used the JAVA SDK (Java Software Development Kit) provided by the State Secretariat for Economic Affairs SECO [Staatssekretariat für Wirtschaft SECO, 2010].
For implementing the online shop functions, the design by the advertising agency p.AD. required adjustments at various locations. The user login was complemented by the function “Login with your SuisseID” (cf. Figure 4).
For the use of SuisseID at the online shop, buch.ch has made comprehensive online assistance available to customers. On the login page, that support site can be accessed by clicking the link “What is a SuisseID?”. The link is placed next to the option for login with SuisseID (cf. Figure 4). In addition to an explanation of SuisseID, the customer can also learn how to register with SuisseID and what data buch.ch will obtain when SuisseID is used.

Figure 4: Option “Login with your SuisseID”


Upon rollout of the solution on the production shop system, the functions could at first not be activated as planned. Errors occurred when communicating with the IdP/CAS of the SuisseID providers, errors that had not occurred on the test systems. Following an analysis of the server logs, freiheit.com was able to eliminate the error quickly. It lay in the “Callback URL” that the IdP/CAS had received. The Callback URL is the Internet address to which clients are forwarded following authentication by the SuisseID issuer. The address did not point to the correct page of the production online shop. While customers were able to authenticate with the IdP/CAS using their SuisseID, they were not logged into the online shop.
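A pre-go-live check for the kind of Callback URL mismatch described above, as an added example that is not code from freiheit.com or the SuisseID SDK. The host names, the handler path and the settings layout are constructed assumptions; the production entry deliberately announces a page of the test system.

```python
from urllib.parse import urlsplit

# Hypothetical per-environment settings; hosts and path are constructed examples.
HANDLER_PATH = "/login/suisseid/callback"
ENVIRONMENTS = {
    "test": {"shop_base": "https://test.shop.example",
             "callback": "https://test.shop.example/login/suisseid/callback"},
    # Constructed misconfiguration: production announces a page of the test system.
    "production": {"shop_base": "https://www.shop.example",
                   "callback": "https://test.shop.example/login/suisseid/callback"},
}


def callback_problems(callback_url, shop_base_url, handler_path=HANDLER_PATH):
    """Return the reasons why callback_url would not bring the customer back
    to this shop's SuisseID login handler (empty list = consistent)."""
    cb, base = urlsplit(callback_url), urlsplit(shop_base_url)
    problems = []
    if cb.scheme != "https":
        problems.append("callback is not https")
    if (cb.hostname or "").lower() != (base.hostname or "").lower():
        problems.append(f"host {cb.hostname!r} is not this shop's host {base.hostname!r}")
    if (cb.port or 443) != (base.port or 443):
        problems.append("port differs from the shop's public port")
    if cb.path.rstrip("/") != handler_path.rstrip("/"):
        problems.append(f"path {cb.path!r} is not the login handler {handler_path!r}")
    if cb.username or cb.password or cb.fragment:
        problems.append("callback carries userinfo or a fragment")
    return problems


def startup_check(environments=ENVIRONMENTS):
    """Map each environment name to its list of problems; run before go-live."""
    return {name: callback_problems(cfg["callback"], cfg["shop_base"])
            for name, cfg in environments.items()}
```

Running `startup_check()` at deployment and refusing to enable the SuisseID login while any list is non-empty catches the mismatch before customers authenticate at the IdP/CAS and land on the wrong page.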
Marketing activities for the possible application of SuisseID at buch.ch are for example planned in the context of the youth protection-compliant adjustments and the broadened product range.

Continuous Maintenance and Planned Further Development
At the time of introducing the online shop functions, the SuisseIDs by providers SwissSign and QuoVadis were supported. The two providers Swisscom and the Bundesamt für Information und Technologie (BIT) were not yet supported upon launch since they were not yet operating IdP/CAS. As soon as their IdP/CAS are operative, adjustments will be required to the buch.ch information systems. The adjustments comprise the selection of further SuisseID providers during login and the communication with the IdP/CAS of the additional providers.
Customers who used a SuisseID upon registration or who have linked their account to SuisseID cannot change or delete that linkage of their customer accounts themselves. The buch.ch customer service can, however, implement changes. Customers can change the date of birth received as an IdP/CAS characteristic if, for example, they do not want to reveal their true age. Customers may, however, not change the fact that they are older than 18, since that was a further characteristic received from the IdP/CAS.
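The registration and login decision from the "Application View" chapter, together with the edit rules above, sketched as an added example that is not the shop's or the SDK's code. All class, field and identifier names are hypothetical, the claims are constructed samples, and the SAML response is assumed to have been validated before these functions are called. The point it shows: the age gate must read the verified "is over 18" claim, not the customer-editable date of birth.

```python
from dataclasses import dataclass
from datetime import date

# Characteristics the shop requests from the IdP/CAS at first registration (per the text).
REQUIRED_CLAIMS = ("name", "first_name", "date_of_birth", "is_over_18")
# Assumption: of the received characteristics, only the date of birth is self-service editable.
CUSTOMER_EDITABLE = {"date_of_birth"}


@dataclass
class Account:
    suisseid: str            # identifier of the linked SuisseID (hypothetical field)
    name: str
    first_name: str
    date_of_birth: date      # editable by the customer, so NOT trusted for age checks
    verified_over_18: bool   # written only from a released IdP/CAS claim


class Shop:
    def __init__(self):
        self.accounts = {}   # SuisseID identifier -> Account

    def authenticate(self, suisseid, released=None):
        """Handle a SuisseID login. `released` holds the claims the customer
        agreed to release, or None if the release page was declined."""
        if suisseid in self.accounts:            # SuisseID already registered: plain login
            return "logged_in", self.accounts[suisseid]
        if released is None or any(k not in released for k in REQUIRED_CLAIMS):
            return "registration_cancelled", None
        acct = Account(suisseid, released["name"], released["first_name"],
                       released["date_of_birth"], released["is_over_18"] is True)
        self.accounts[suisseid] = acct
        return "registered", acct

    def customer_update(self, suisseid, field, value):
        """Self-service edit: the SuisseID link and the verified flag stay locked."""
        if field not in CUSTOMER_EDITABLE:
            raise PermissionError(f"{field} can only be changed by customer service")
        setattr(self.accounts[suisseid], field, value)

    def may_buy_restricted(self, suisseid):
        """Youth-protection gate: decide on the verified claim, never on the DOB."""
        acct = self.accounts.get(suisseid)
        return bool(acct and acct.verified_over_18)


def demo():
    shop = Shop()
    # Constructed sample claims, not real SuisseID data.
    minor = {"name": "Muster", "first_name": "Kim",
             "date_of_birth": date(2000, 5, 1), "is_over_18": False}
    results = [shop.authenticate("sid-001")[0],          # release declined
               shop.authenticate("sid-001", minor)[0],   # first visit, claims released
               shop.authenticate("sid-001")[0]]          # later visit
    shop.customer_update("sid-001", "date_of_birth", date(1970, 1, 1))
    results.append(shop.may_buy_restricted("sid-001"))   # still blocked after the DOB edit
    return results
```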


Experiences

Implementing the developed solution was possible within the anticipated effort. For buch.ch, efforts totalled 15 man-days and for freiheit.com, 6.5 man-days.
First experiences are positive. As early as on the second day following the launch, customers registered and/or authenticated at the online shop using SuisseID.


Success Factors

From a B2C business perspective, one would hope that the SuisseID functionality could be further extended. There is particular interest in additional information to be stored in a complementary SuisseID directory [cf. Quade, 2010a: p. 23]. The address of SuisseID owners features among the desired additional information. An address directory could facilitate shop registration for new customers, and existing addresses could more easily be kept up to date, e.g. after a move. buch.ch would also be willing to pay for the services of such an address directory, since it would be advantageous if address data were flawless from the moment of registration. buch.ch would not necessarily require the provider of such a directory to have positively verified the customer address. When collecting money from a customer who is unwilling to pay, knowing his real identity is key; the correct customer address can then be determined if the address held by buch.ch is false. An address directory would rather increase customer comfort by keeping the obstacle to online shop registration as low as possible.
A further success factor for SuisseID would be if it could be used like an OpenID [OpenID Schweiz, 2010; Quade, 2010b: p. 38]. Suddenly, the use of SuisseID would give access to hundreds of services worldwide. buch.ch believes that current Internet development trends point toward central user registration on the basis of the OpenID standard.

Solution Particularities
The particularity of this buch.ch solution consists in the expansion of the product range that SuisseID enables. Thanks to age verification, buch.ch can now include a broader range of articles that it previously did not sell because of the prohibitively extensive procedures required for age verification. Those are mainly articles subject to youth protection legislation that may only be sold to persons of a certain age.

Lessons Learned
The fact that the customer must select his SuisseID provider constitutes an obstacle that one of the next versions of the functions should remedy. In order to somewhat reduce that obstacle, the current version stores a cookie in the customer’s web browser that contains the once-chosen SuisseID provider. The selection of SuisseID providers will only be shown again when the cookie has been deleted.
In the future, the SuisseID provider will be determined via the certificate registration of the SuisseID used. During initial implementation, this procedure was not yet known. The possibility of registering the SuisseID certificate was discovered during an exchange with other persons also working with SuisseID. This discovery was unfortunately made at a time when the functions were almost fully developed and any change would have exceeded the current project budget.


References

Alioski, Adrian (2008): "buch.ch: Kundenbindung im Internetbuchhandel". In: Schubert, Petra; Wölfle, Ralf (Hrsg.): Wettbewerbsvorteile in der Kundenbeziehung durch Business Software. München, Wien: Hanser Verlag. p. 201-216.

Bürge, Urs; Zweiacker, Marc (2010): SuisseID Specification V1.3. Bern: Staatssekretariat für Wirtschaft SECO.

OpenID Schweiz (2010): "Was ist OpenID?". Retrieved 26.10.2010 from http://www.openid.ch/what-is-openid/.

Quade, Michael (2010a): Fachbeitrag "Was ist die SuisseID?", in: Quade, Michael; Wölfle, Ralf; (2010): SuisseID in der Praxis - Grundlagen und Fallstudien zum elektronischen Identitätsnachweis der Schweiz, Basel: edition gesowip, 2010. p. 13-34.

Quade, Michael (2010b): Fachbeitrag "Einsatz der SuisseID", in: Quade, Michael; Wölfle, Ralf; (2010): SuisseID in der Praxis - Grundlagen und Fallstudien zum elektronischen Identitätsnachweis der Schweiz, Basel: edition gesowip, 2010. p. 35-40.

Staatssekretariat für Wirtschaft SECO (2010): "SuisseID - Die technischen Details". Retrieved 16.11.2010 from http://www.suisseid.ch/unternehmen/technik/index.html?lang=de.


Solution Operator

buch.ch AG
Ines Bohacek Rothenhäusler, Managing Director
Lars Gnädinger, Head of IT
Industry: Wholesale & Retail
Company size: Medium-sized enterprise

Authors of the Case Study

Michael H. Quade
Fachhochschule Nordwestschweiz FHNW

22 November 2010
Quade, Michael (2010): Fallstudie buch.ch: Erweiterung des Angebots mit der SuisseID, in: Quade, Michael; Wölfle, Ralf (2010): SuisseID in der Praxis - Grundlagen und Fallstudien zum elektronischen Identitätsnachweis der Schweiz, Basel: edition gesowip, 2010. p. 65-76.

No attachments are available for this case study.