On Monday, July 09, 2001 6:17 AM, Mykhailo Lyubich wrote:

> What is the exact purpose of TransStain in PReq message?
> (TransStain = HMAC(XID, CardSecret))

TransStain allows the Issuer to confirm the cardholder's participation in the
transaction without having to receive the entire signed message as part of
authorization processing. CardSecret is only known to the cardholder and the
Issuer.

> What does the payment gateway prove and why this proof is required?

The payment gateway does not verify the TransStain.

> What can happen, if an attacker or unauthorized employee
> is able to discover CardSecret?

An attacker who obtains CardSecret will be able to generate TransStain for any
XID.

_________________________________________________________________
Tony Lewis ([EMAIL PROTECTED])
Chief Systems Architect, Internet Commerce
Visa International Service Association
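The issuer-side check described in the message above, as an added example that is not part of the original e-mail or of any SET implementation. It assumes HMAC-SHA-1 with CardSecret as the key and XID as the message; the `Issuer` class, account label and byte values are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA-1 keyed with CardSecret over XID. The message above
# only states TransStain = HMAC(XID, CardSecret).
def trans_stain(xid: bytes, card_secret: bytes) -> bytes:
    return hmac.new(card_secret, xid, hashlib.sha1).digest()


class Issuer:
    """Hypothetical issuer that keeps one CardSecret per account."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def enroll(self, account: str, card_secret: bytes) -> None:
        self._secrets[account] = card_secret

    def cardholder_participated(self, account: str, xid: bytes, stain: bytes) -> bool:
        # Recompute the stain from the stored secret; no signed PReq is needed.
        secret = self._secrets.get(account)
        if secret is None:
            return False
        return hmac.compare_digest(trans_stain(xid, secret), stain)


def demo() -> dict[str, bool]:
    # Constructed sample values, not real transaction data.
    card_secret = bytes(range(20))
    other_secret = bytes(range(20, 40))
    xid_a = b"A" * 20
    xid_b = b"B" * 20

    issuer = Issuer()
    issuer.enroll("acct-0001", card_secret)
    stain_a = trans_stain(xid_a, card_secret)

    check = issuer.cardholder_participated
    return {
        # Stain produced by the enrolled cardholder for this XID.
        "genuine": check("acct-0001", xid_a, stain_a),
        # The same stain presented with a different XID does not verify.
        "reused_on_other_xid": check("acct-0001", xid_b, stain_a),
        # A party without CardSecret cannot produce a valid stain.
        "wrong_secret": check("acct-0001", xid_a, trans_stain(xid_a, other_secret)),
        # Whoever holds CardSecret passes the check for any XID, so the
        # issuer's stored copy needs the same protection as the card's.
        "holder_of_secret_any_xid": check("acct-0001", xid_b, trans_stain(xid_b, card_secret)),
    }


if __name__ == "__main__":
    print(demo())
```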
