ISO 32111:2023
Transaction assurance in E-commerce — Principles and framework
This document specifies the principles and framework for e-commerce transaction assurance, including participants, activities and assurance elements. It does not describe specific e-commerce transaction assurance requirements or methodologies in detail. It is intended to be used by organizations and individuals engaged in e-commerce transactions.
Assurance des transactions de commerce électronique — Principes et cadre
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 32111
First edition 2023-09
Transaction assurance in E-commerce — Principles and framework
Assurance des transactions de commerce électronique — Principes et cadre
Reference number
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Framework of e-commerce transaction assurance
5 Principles
5.1 General
5.2 Authenticity
5.3 Accountability
5.4 Accessibility
5.5 Security
5.6 Privacy
6 Participants in e-commerce transactions
7 Activities during the transaction process
7.1 General
7.2 Activities during pre-transaction phase
7.2.1 General
7.2.2 Account registration
7.2.3 Verification of registered information
7.2.4 Preparation of third-party service
7.2.5 Releasing transaction-related information
7.3 Activities during in-transaction phase
7.3.1 General
7.3.2 Placement of electronic order
7.3.3 Confirmation of electronic order
7.3.4 Choice of payment method
7.3.5 Payment for purchased products
7.3.6 Delivery of purchased products
7.3.7 Customs clearance
7.3.8 Receipt with confirmation
7.4 Activities during post-transaction phase
7.4.1 General
7.4.2 Performance evaluation
7.4.3 Resolving disputes
7.4.4 Return of products
7.4.5 Refund of payment
7.4.6 Compensation for transaction loss
7.4.7 Maintenance and technical support
8 Assurance elements
8.1 General
8.2 Identity information
8.3 Qualification information
8.4 Terms of use
8.5 Third-party service rule
8.6 Online reputation information
8.7 Product information
8.8 Transaction document
8.9 Multiple payment methods
8.10 Payment security rule
8.11 Delivery rule
8.12 Customs clearance rule
8.13 Performance evaluation rule
8.14 Dispute resolution rule
8.15 Return and refund rules
8.16 Compensation rules
8.17 Maintenance and technical support rule
Annex A (informative) List of principles in e-commerce and equivalent activities
Annex B (informative) List of principles in e-commerce and equivalent assurance elements
Annex C (informative) Correlation between transaction activities and assurance elements
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use
of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO had not received
notice of (a) patent(s) which may be required to implement this document. However, implementers are
cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all
such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 321, Transaction assurance in E-commerce.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The rapid development and wide use of e-commerce has increased awareness of the importance
of fostering a trustworthy, reliable, and secure e-commerce transaction environment to ensure
e-commerce transaction activities.
The characteristics of e-commerce transactions, e.g. highly digital, non-face-to-face and cross-regional,
can bring challenges. The following are some of the challenges:
— more unknowns in the process of purchasing products;
— issues such as product quality, intellectual property, personal information protection, after-sale
services, and transaction security;
— risks in product delivery, e.g. damage, delay and failure.
The challenges of e-commerce transactions come from different elements in upstream/downstream
processes of e-commerce transactions, and eliminating those challenges necessitates the attention and
efforts of all stakeholders.
This document specifies the principles and framework of e-commerce transaction assurance to support
all parties in better understanding e-commerce transaction assurance activities.
It can assist in the following:
— identifying key elements to improve the assurance of the e-commerce transaction process;
— contributing to e-commerce transaction assurance programs;
— informing government or non-governmental organizations or individuals engaged in the e-commerce
industry;
— promoting sustainable development of the e-commerce industry.
This document can also facilitate future e-commerce assurance standards development by putting
forward key e-commerce assurance principles, identifying key stakeholders and elements and
demonstrating the e-commerce transaction process.
INTERNATIONAL STANDARD ISO 32111:2023(E)
1 Scope
This document specifies the principles and framework for e-commerce transaction assurance, including
participants, activities and assurance elements. It does not describe specific e-commerce transaction
assurance requirements or methodologies in detail. It is intended to be used by organizations and
individuals engaged in e-commerce transactions.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 32110¹⁾, Transaction assurance in E-commerce — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 32110 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 Framework of e-commerce transaction assurance
The framework of e-commerce transaction assurance (see Figure 1) includes principles (see Clause 5),
participants in e-commerce transactions (see Clause 6), activities during the transaction process (see
Clause 7) and assurance elements (see Clause 8), as well as their inter-relationships.
Principles provide guidance for participants on how to participate in activities during the transaction
process and protect their interests. They also provide guidance for the smooth operation of activities in
e-commerce transactions.
Assurance elements associated with activities during the transaction process are the main content
of e-commerce transaction assurance. Assurance elements can support the accomplishment and
realization of the principles.
Participants engage in activities during the transaction process according to their responsibilities
and demands. No matter what role participants play in e-commerce transactions, they should identify
and consider the assurance elements associated with their role as much as possible and take effective
assurance measures.
1) Under preparation. Stage at the time of publication: ISO/FDIS 32110:2023.
Figure 1 — E-commerce transaction assurance framework
5 Principles
5.1 General
The principles listed here are undertaken in accordance with all applicable requirements consistent
with the protections for participants in the activities and the requirements on the assurance elements
for e-commerce transactions. The principles are as follows:
— authenticity;
— accountability;
— accessibility;
— security;
— privacy.
The principles can generally support all activities during the transaction process, however, the degree
of guidance of each principle towards different activities can differ. Annex A illustrates the list of
e-commerce principles and the equivalent activities.
All assurance elements can support the realization or accomplishment of the principles, however, some
assurance elements play a primary role in supporting the accomplishment of certain principles (see
Annex B).
5.2 Authenticity
Participants, products and information generated in e-commerce transactions, should be consistent
with what they claim to be.
5.3 Accountability
Participants in e-commerce transactions should be aware of the applicable requirements. Information
generated in e-commerce transactions, such as resolving disputes or tracing obligations, should be
recorded and stored properly to support e-commerce assurance.
5.4 Accessibility
Relevant services and information about e-commerce transactions should be easily obtained and
understood to allow participants to make informed decisions or perform certain actions or to reduce
any potential misunderstanding with due consideration to rules including privacy protection.
NOTE 1 Relevant services can include, e.g. logistics services, payment services.
NOTE 2 Relevant information can include, e.g. participant identity information, terms of use, product
information, ordering information, logistics information, payment information, reputation information.
NOTE 3 Regional or local rules on accessibility can apply.
5.5 Security
Information generated in e-commerce transactions should be from an authentic data source and
protected, for example, against leakage and unauthorized data disclosure. E-commerce activity
operations or relevant integrated software should be secured from current or potential danger.
NOTE Keeping software up to date and taking into account security advisories can support the security of
e-commerce assurance.
5.6 Privacy
Personal information, including information about an identifiable individual, such as personally
identifiable information (PII), should be collected, used, stored or disclosed properly, and protected, for
example, against leakage and unauthorized data disclosure.
6 Participants in e-commerce transactions
An organization or individual that engages in e-commerce transaction activities is a participant. This
document identifies major e-commerce transaction participants as the following:
— seller;
— e-commerce platform operator;
— buyer;
— logistics service provider;
— third-party payment service provider;
— software service provider (individual or organization offering software service, refer to
ISO 32110:20—, 3.2.11);
— collection agent for goods;
— manufacturer;
— rights holder;
— neutral party (individual or organization taking a neutral position between participants with
different interests, most of them being external and therefore neutral, impartial, and fair. Within
this document, they are collectively referred to as "neutral party," e.g. auditors who review the
operations of the e-commerce platform operators and certify them where applicable).
NOTE The roles of neutral parties can be important in e-commerce transaction assurance, yet this
document does not provide a detailed description on their role due to the differences in different contexts.
An individual or organization can play multiple roles from the above list of participants. For example,
an individual or organization can operate an e-commerce platform to sell products manufactured
by themselves or others. Meanwhile, an individual or organization can also operate an e-commerce
platform to provide one or more services for other parties to facilitate e-commerce transactions.
An individual or organization can be a seller, manufacturer, or rights holder at the same time. The
individual or organization can use this document according to the role they play.
For further description on the above participants, see ISO 32110.
7 Activities during the transaction process
7.1 General
There are three phases in the e-commerce transaction process:
— Pre-transaction phase
The process of preparation for the initiation of the e-commerce transaction before the order is
placed.
— In-transaction phase
The process that starts once the order is placed to the receipt of products.
— Post-transaction phase
The process that occurs after the receipt of products with confirmation from the buyer.
The main activities in the three phases of e-commerce transactions are listed in Figure 2. While they
pertain to different e-commerce transaction scenarios, some of the activities are optional. In each of
these activities, there are corresponding participants. Figure 2 divides the participants into "initiator"
and "engaged" from the perspective of who triggers the activities and who supports the initiator to
complete the activities.
Key: initiator; engaged
Figure 2 — Activities and relevant participants during the e-commerce transaction process
7.2 Activities during pre-transaction phase
7.2.1 General
The following four activities can take place during the pre-transaction phase:
— account registration;
— verification of registered information;
— preparation of third-party service;
— releasing transaction-related information.
7.2.2 Account registration
Account registration is the act of making an organization or individual known within a particular
domain, such as an e-commerce platform, and it can be a premise for them to conduct e-commerce
transactions.
The seller or buyer initiates the activity. The other participants engaged can include the e-commerce
platform operator, software service provider, manufacturer and rights holder.
The seller can be requested to provide identity information, qualification information, or other necessary
information to complete the account registration process. The buyer can be requested to provide
identity information. A secure registration according to the current status should be guaranteed, and it
is always recommended to also provide an option for non-registered account checkout.
The main assurance elements associated with this activity include identity information (see 8.2),
qualification information (see 8.3) and product information (see 8.7).
NOTE 1 The e-commerce platform operator can sell the product, acting as the seller.
NOTE 2 Manufacturers can sell the product directly on the platform, acting as the seller.
NOTE 3 In the account registration of the seller, other participants such as the manufacturer and the rights
holder can be potentially involved, which is indicated in Figure 2 as "engaged". For example, the manufacturer
sometimes can be requested to provide qualification information of the product to facilitate the account
registration.
7.2.3 Verification of registered information
Verification of registered information is the act of checking the identity of the sellers or buyers, or
confirming the consistency of the product with specific requirements.
The e-commerce platform operator, seller, or buyer can initiate this activity. The other participants
engaged are the manufacturer and rights holder.
The e-commerce platform operator, seller, or buyer can take different measures to verify the other
participant information, including identity information, qualification information and product
information.
The main assurance elements associated with this activity include identity information (see 8.2),
qualification information (see 8.3) and product information (see 8.7).
NOTE 1 For a product that requires a license, the e-commerce platform operator sometimes verifies the product
license properly. For example, in the circumstance of electronic products, a CE certificate can be requested.
NOTE 2 For certain products, the buyer’s qualification can also be verified before enabling the buyer to place
an electronic order. Examples of certain products include alcohol, tobacco, firearms, R-rated comic books and
videos.
7.2.4 Preparation of third-party service
Preparation of third-party service is the act of integrating services such as logistics, payment and
software.
The e-commerce platform operator initiates this activity. The other participants engaged are the
third-party payment service provider, logistics service provider and software service provider.
The e-commerce platform operator can use technical measures and management measures to establish
internet and information services with related participants.
The main assurance element associated with this activity is the third-party service rule (see 8.5).
NOTE Some e-commerce platform operators can provide delivery services themselves.
7.2.5 Releasing transaction-related information
Releasing transaction-related information is the act of making information known to others through an
open network.
The seller, e-commerce platform operator and buyer can initiate this activity, and other participants can
be engaged. Released information can include terms of use, transaction documents, business activities,
payment, or logistics service information.
The e-commerce platform operator can use technical and management measures to facilitate release of
information. For example, the e-commerce platform operator can provide a template for the sellers to
upload product information.
The main assurance elements associated with this activity include identity information (see 8.2),
qualification information (see 8.3), terms of use (see 8.4), online reputation information (see 8.6) and
product information (see 8.7).
NOTE The initiation of releasing transaction-related information first occurs in the pre-transaction phase,
while in all e-commerce transaction processes, information can be updated and released.
7.3 Activities during in-transaction phase
7.3.1 General
The following seven activities can take place during the in-transaction phase:
— placement of electronic order;
— confirmation of electronic order;
— choice of payment method;
— payment for purchased products;
— delivery of purchased products;
— customs clearance;
— receipt with confirmation.
7.3.2 Placement of electronic order
The buyer initiates this activity. The other participants are the seller and e-commerce platform
operator.
The buyer selects the desired products and places electronic orders to the seller.
The main assurance element associated with this activity is the transaction document (see 8.8).
NOTE Ordering information can include product type and specification, quantity, amount, delivery address,
consignee information such as contact person, contact information, delivery time, and selected logistics service
provider.
7.3.3 Confirmation of electronic order
Confirmation of electronic order is the act of confirming an already existing electronic order, usually
made by the buyer and seller over open networks.
The seller and buyer initiate this activity. The other participant is the e-commerce platform operator.
After the buyer places the electronic order, the seller confirms with the buyer through the e-commerce
platform regarding the ordering information.
The main assurance element associated with this activity is the transaction document (see 8.8).
7.3.4 Choice of payment method
The buyer initiates this activity. The other participants are the seller, e-commerce platform operator
and third-party payment service provider.
ISO 321
...







