• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Creditcard processing over Internet?

 
Ranch Hand
Posts: 146
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Guys,

Littlebit background for my Question:
-------------------------------------
I have done things like credit card transactions authorization using POS (Point-of-Sale) terminals and magnetic/EMV cards. In this case, security issues are handled by properitory APIs developed by my company. Also the transactions goes on private network of an issuing bank (Visa,Mastercard). Here there are lot of parties involved like acquiring bank,issuing bank,merchant and customer. The protocol used is ISO 8583 and security is PKI.


Question:
---------
I would like to understand that if a merchant (who is using POS supplied by acquiring bank) wishes to setup is own site and allows customers to purchase online (Not really new now except security applied here!), How it actually processes the credit card transaction? What sort of security issues applies and what are the techniques?

Because, A person developing a site will have no clue how he is going to get authorization from customer's bank? Also some websites (Indian railway!) accepts debit cards also. In that case, certainly more secuirty is required, So how it basically all works on a public network like Internet?

Is there any Internet alternative of EMV cards? In case of magnetic credit cards, we have PAN number,CVV & Exp date so we just do manual key entry on a form and send. But in case of EMV card, it requires authentication between customer and device (device could be POS or Internet browser). so does anybody know, somewhere in the world this EMV thing happening on internet?
 
Author
Posts: 159
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Ramesh Nagappan:
Dilip,

I do understand your problem... Could you give additional details related to your application architecture and infrastructure planned to use.

There is no "Magic Silver Bullet" or "Thumb-rule" unless we know the architectural dependencies in terms of implementation.

/Ramesh

 
Ranch Hand
Posts: 48
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The merchant must has a payment gateway to make all the work needed for cards transactions, for small and medium e-business, the site is interfacing payment gateways, something like authorize.net, they make all the work for you for a pre-defined amount of money.
Large business like Amazon, they have their payment gateway and a team that working on securing, and maintaining it.
For what's happening at the background, please view my post at a similar question sent by you at:
https://coderanch.com/t/133896/Security/Security-credit-card-transactions
The mrchant at the description is the payment gateway.
 
Greenhorn
Posts: 23
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Dilip,
There seem to be quite a few questions here. I think one of them was how to get authorization from a customer's bank. There are credit card authorization providers out there that provide such a service. I have dealt with Vital, which did credit card authorizations for a government system I worked on. The POS should be responsible for gathering the credit card number, expiration date, security code (optional), name, etc and sending to the web app. The web app then contacts Vital for authorization and receives a code. In our case that code is then sent with the transaction to the settling bank. The security you need to be concerned with is between your web app and the POS, which can be handled using the Secure Pipe pattern mentioned in Chapter 9.
 
vipul patel
Ranch Hand
Posts: 146
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,
Thanks for your reply. I do agree with you Ramesh: lot of things get clear only after the implementation architecture. We are working on it currently. Meanwhile, I wanted to have some idea on 'functional' architecture because apart from coding, this is the thing, I am trying to do first time.

In general, the idea of a project is 'support of credit card transaction over internet securely'.

Now a very basic question comes in my mind:

Is there any thing in J2EE available (Package) for doing this?

I have used things like jPos Library for ISO8583. In case of POS, Once I have an {PAN number,amount,CVV,Transaction Type} available, I construct ISO8583 Packet with Header 220 and send it to bank's host. which replies me in the same format with response code. But Now that POS Screen is my browser's form. and i press Submit, do i use a protocol similar to ISO8583 and append in the end of the HTTP request.

thanks,
 
They worship nothing. They say it's because nothing lasts forever. Like this tiny ad:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic