Security for credit card transactions

 
Ranch Hand
Posts: 146
Hi Guys,

A little bit of background for my question:
-------------------------------------
I have done things like credit card transaction authorization using POS (Point-of-Sale) terminals and magnetic/EMV cards. In this case, security issues are handled by proprietary APIs developed by my company. Also, the transactions go over the private network of an issuing bank (Visa, Mastercard). Here there are a lot of parties involved, like the acquiring bank, issuing bank, merchant and customer. The protocol used is ISO 8583 and the security is PKI.

Question:
---------
I would like to understand: if a merchant (who is using a POS supplied by the acquiring bank) wishes to set up his own site and allow customers to purchase online (not really new now, except for the security applied here!), how does it actually process the credit card transaction? What sort of security issues apply and what are the techniques?

Because a person developing a site will have no clue how he is going to get authorization from the customer's bank. Also some websites (Indian Railways!) accept debit cards as well. In that case, certainly more security is required, so how does it all basically work on a public network like the Internet?

Is there any Internet alternative to EMV cards? In the case of magnetic credit cards, we have the PAN number, CVV & expiry date, so we just do manual key entry on a form and send. But in the case of an EMV card, it requires authentication between the customer and the device (the device could be a POS or an Internet browser). So does anybody know whether, somewhere in the world, this EMV thing is happening on the Internet?
 
Author
Posts: 159

Originally posted by dilip agheda: [the question above, quoted in full]

It's a bit confusing. Please highlight your application architecture and implementation requirement details, in terms of J2EE and Java.
 
Ranch Hand
Posts: 48
For internet transactions, all customers with cards, when opening an account with the issuer, get a certificate. This certificate's keys are related to the card number and other information on the card. When a user is making an order, there is OI (order info.) that gets hashed to produce OIMD (order information message digest), and PI (payment info.) that also gets hashed to produce PIMD (payment information message digest). Both of them are concatenated and hashed again to produce POMD (payment order message digest), and then they get encrypted using the user's private key that was generated at the time of creating the account (asymmetric encryption). The encryption will produce the DS (dual signature). This action requires involving a CA (certificate authority) in the transaction, and it happens over SSL (Secure Socket Layer).
The user sends the following:
1- PI + DS + OIMD, concatenated and encrypted using Ks (one-time session key, symmetric encryption).
2- Ks, encrypted using the acquirer's public key (asymmetric encryption).
3- PIMD.
4- OI.
5- DS.
6- Customer certificate.
All this is sent to the merchant. The merchant can just see the OI and validates it; then, to validate the other information, the merchant produces the OIMD from the OI, then produces the POMD using the OIMD and the sent PIMD, then decrypts the sent DS using the customer public key that is found in the sent certificate to get the POMD, and at the end compares the two POMDs. If equal, the merchant sends the following to the acquirer: Nos. 1, 2 and 6 of what was sent by the customer.
The acquirer uses its private key to generate the Ks, and then uses the Ks to generate the (PI + DS + OIMD) that are #1 of what was sent by the customer. Now the acquirer has the PI + DS + OIMD + customer certificate, so he can't view the OI. The acquirer now uses the same method used by the merchant to authenticate and validate the payment: the acquirer generates the PIMD from PI, concatenates it to the OIMD and generates the POMD, then uses the customer public key from the certificate to decrypt the DS to generate the POMD, and compares the two POMDs. If equal, it acquires the money from the issuer.
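The dual-signature construction the post above describes, written out as an added example (not code from the thread or from any payment network): the customer hashes OI and PI separately, signs the digest of the two concatenated digests, and the merchant and the acquirer each verify that signature while holding only the half they are allowed to see. It assumes the `cryptography` package, uses an Ed25519 key in place of the post's certificate-based RSA key, and leaves out the Ks session-key envelope and the CA.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def digest(data: bytes) -> bytes:
    """Message digest for OIMD, PIMD and POMD (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).digest()

def customer_dual_sign(oi: bytes, pi: bytes, customer_key):
    """Customer: OIMD = H(OI), PIMD = H(PI), POMD = H(OIMD || PIMD), DS = Sign(POMD)."""
    oimd, pimd = digest(oi), digest(pi)
    ds = customer_key.sign(digest(oimd + pimd))
    # Merchant gets OI in clear but only the digest of PI; the acquirer gets PI in clear
    # but only the digest of OI. The Ks-encrypted envelope around PI is omitted here.
    return {"oi": oi, "pimd": pimd, "ds": ds}, {"pi": pi, "oimd": oimd, "ds": ds}

def signature_ok(pomd: bytes, ds: bytes, customer_pub) -> bool:
    """Check DS against a recomputed POMD using the public key from the customer certificate."""
    try:
        customer_pub.verify(ds, pomd)
        return True
    except InvalidSignature:
        return False

def merchant_verify(oi: bytes, pimd: bytes, ds: bytes, customer_pub) -> bool:
    """Merchant recomputes POMD from its own H(OI) and the received PIMD."""
    return signature_ok(digest(digest(oi) + pimd), ds, customer_pub)

def acquirer_verify(pi: bytes, oimd: bytes, ds: bytes, customer_pub) -> bool:
    """Acquirer recomputes POMD from the received OIMD and its own H(PI)."""
    return signature_ok(digest(oimd + digest(pi)), ds, customer_pub)

def demo() -> tuple:
    """Honest flow and two tampering attempts: (merchant_ok, acquirer_ok, bad_order, bad_payment)."""
    key = Ed25519PrivateKey.generate()
    pub = key.public_key()  # in the post this comes from the customer's certificate
    oi = b"order=book-1234;amount=19.99;currency=EUR"     # constructed sample order info
    pi = b"pan=4111111111111111;exp=12/29;amount=19.99"  # constructed test PAN
    to_merchant, to_acquirer = customer_dual_sign(oi, pi, key)
    merchant_ok = merchant_verify(to_merchant["oi"], to_merchant["pimd"], to_merchant["ds"], pub)
    acquirer_ok = acquirer_verify(to_acquirer["pi"], to_acquirer["oimd"], to_acquirer["ds"], pub)
    # A changed order or a changed payment no longer matches the DS the customer produced.
    bad_order = merchant_verify(oi.replace(b"19.99", b"999.00"), to_merchant["pimd"], to_merchant["ds"], pub)
    bad_payment = acquirer_verify(pi.replace(b"19.99", b"999.00"), to_acquirer["oimd"], to_acquirer["ds"], pub)
    return merchant_ok, acquirer_ok, bad_order, bad_payment
```

The two tampering cases show the binding property of the scheme: neither the order nor the payment half can be altered after signing without the other party's verification failing.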
 