On Tue, 18 Sep 2001 10:06:27 +1000
"Foote Jeremy (Platinion - SYD)" <[EMAIL PROTECTED]> wrote:
> Could anyone point me in the direction of (a) white paper(s) on on-line
> credit card processing best practice. There is a lot of vendor-specific
> information out there (here's your problem and here is the vendor x name's
> solution) and it may be that a vendor solution is required, I'm not sure.
> Thus far, I have determined that there are a few critical steps to ensure
> the security of on-line transactions.
> Client authentication -- to verify a user's identity (In
> liability and integrity terms, should this be handled by the application by
> a third party vendor?)
> Channel security -- to allow private information transfer (man in
> the middle attacks aside, a 128 bit SSL solution is apparently the best
> option)
> Access control -- to enforce user permissions on data (my assumption
> here is a database security architecture. Users need to read product
> details from a database, write transaction details etc.)
> Does anyone have experience with this from an infrastructure
> consultant's perspective?
>
> Jeremy Foote
> MCSE, CCNA, blah blah blah
>
Hi,
I might be able to help you since I have written an internet "real time" secure
payment gateway system (direct connection to the bank to check the credit card, ...) in
my previous job, that was 2 years ago.
So what I remember:
Client Authentication:
(Keep track of the transaction)
- The payment page was redirected from the merchant web site to our secure server
(it was a secure server)
- No free email address allowed.
- Logging of various information related to the customer host.
- Checking of the credit card with a direct connection to a bank.
- The online merchant has to open an account within the Bank.
Then all the rest is a matter of insurance with VISA or other credit card vendors.
(I was not involved with the law stuff)
Channel security:
- SSL 128 bits between the customer page and our secure server.
- ISO8583 messages encrypted with 3-DES and digitally signed with MD5 and DES
between the secure server and the bank.
- Ability to reverse transaction and also to do reconciliation functions.
Access Control:
- Merchant product information is the merchant's problem.
- Payment details are a matter for the bank or the payment gateway provider.
In our case the merchant never knows the credit card number of his client.
The merchant can be trusted by the customer since the bank offers some kind of
guarantee because it delivers the merchant id to the merchant. (Paper to sign, etc, ...)
Hope this will help you.
You can also look at the pefet project on SourceForge (http://pefet.sourceforge.net),
where you will find useful papers and also a Java implementation
(not yet completely ready to go in production) of a payment gateway.
You can also look at the ISO 8583 standard and jPOS. (don't have the link right now)
--
Christian Jean
+-------------------------------+-----------------------------+
|R&D Engineer |Tel : (65) 844 1301 |
|celestix Networks Pte Ltd |Fax : (65) 844 1125 |
|18 Tannery Lane #05-03 |mail: [EMAIL PROTECTED] |
|Lian Tong Building |web : http://www.celestix.com|
|Singapore 347780 | |
+-------------------------------+-----------------------------+
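The gateway-to-bank leg described in the reply exchanges ISO 8583 messages, and the gateway also logs details about each customer. As an added example (not code from the original post, nor from the pefet or jPOS projects), the following Python decodes a constructed ASCII ISO 8583 authorization request (MTI, 64-bit primary bitmap, and a small assumed subset of data elements) and masks the PAN so the gateway's own logs never hold the full card number; the FIELDS table and SAMPLE message are constructed assumptions.

```python
"""Decode an ASCII ISO 8583 authorization request and mask the PAN before logging.
Added example, not the gateway code from the e-mail; FIELDS is a small constructed
subset of the standard's data elements and SAMPLE is a constructed message."""

# Data element number -> (name, encoding, length). LLVAR fields carry a 2-digit length prefix.
FIELDS = {
    2: ("pan", "LLVAR", 19),            # primary account number, up to 19 digits
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),         # minor units: 000000012345 = 123.45
    11: ("stan", "fixed", 6),           # system trace audit number
    41: ("terminal_id", "fixed", 8),
    42: ("merchant_id", "fixed", 15),
    49: ("currency", "fixed", 3),       # ISO 4217 numeric code
}

# Constructed 0200 request: bitmap 7020000000C08000 sets fields 2,3,4,11,41,42,49.
SAMPLE = ("0200" + "7020000000C08000" + "16" + "4111111111111111" + "000000"
          + "000000012345" + "000123" + "TERM0001" + "MERCHANT0000001" + "840")

def present_fields(bitmap_hex):
    """Data element numbers (1-based, MSB first) whose bit is set in the primary bitmap."""
    bits = int(bitmap_hex, 16)
    return [i for i in range(1, 65) if (bits >> (64 - i)) & 1]

def parse_iso8583(msg):
    """Split MTI, primary bitmap and the data elements listed in FIELDS; reject anything else."""
    mti, bitmap, body = msg[:4], msg[4:20], msg[20:]
    out, pos = {"mti": mti}, 0
    for fld in present_fields(bitmap):
        if fld not in FIELDS:  # includes field 1 (secondary bitmap), not handled here
            raise ValueError(f"unsupported data element {fld}")
        name, kind, length = FIELDS[fld]
        if kind == "LLVAR":
            length, pos = int(body[pos:pos + 2]), pos + 2
            if length > FIELDS[fld][2]:
                raise ValueError(f"field {fld} length {length} exceeds maximum")
        if pos + length > len(body):
            raise ValueError(f"message truncated inside field {fld}")
        out[name], pos = body[pos:pos + length], pos + length
    if pos != len(body):
        raise ValueError("trailing data after last field")
    return out

def mask_pan(pan):
    """Keep the first six and last four digits; the middle is never written to logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def loggable(parsed):
    """Copy of the parsed message that is safe to record on the gateway host."""
    return {k: (mask_pan(v) if k == "pan" else v) for k, v in parsed.items()}
```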