To authors - payment industry standards

Originally posted by Sudd Ghosh:
Hi,
I am very excited and glad to know that I'll soon be able to dive deep into the best practices in security schemes. I hope you have covered the security aspects as applicable to the payment processing industry, where the security needs are tremendous. Specifically, I would be interested in some of the following topics:

<RN> The focus of this book primarily builds around Java and J2EE based technologies. We also covered the XML Security standards and standards based technologies for Web services, Identity Management and Service Provisioning. The book does not delve into vertical-industry specific security aspects.The key reason is we want to make sure that we are agnostic about vertical-industry segments....as "information security" is a common goal to all industry segments. So as long as your application makes uses of Core Java technologies or Java based Web services, identity management solution...I am sure the patterns and best practices described in this book will help </RN>

Access control: Rule based dynamic approach and role based access
control.

<RN> The book digs into a lot of details and approaches for building RBAC in Java/J2EE applications and also making use of XACML standards for supporting XML Web services </RN>

Identification services.

<RN> The book has a dedicated chapter (Chapter 15) on Personal Identification using Smart cards and Biometrics. It discusses on the role of personal identification technolgies in combating identity crimes. We present the enabling technologies, architecture and implementation strategies for using smartcards and biometric technologies for identification and authentication services. </RN>

FIPS standards.

<RN> Although the book has no scope to address the details of FIPS. We did discuss about the FIPS-140-1 compliance for cryptographic devices, smartcard readers and biometric scanners. </RN>

Practical limitation of setting high water marks.

<RN> The book has no planned scope to discuss about HVM. From a security implementation standpoint, to support confidentiality and intergrity protection you would able to use "Secure Logger" and "Audit Interceptor" patterns for ensuring secure logging and auditing. </RN>


How to achieve end-to-end identity management in real time (ie, from customer to the acquiring and issuing bank and back to the customer).

<RN> We have a full-fledged case study that disusses on the end-to-end security design with federated Identity management. Refer to Chapter 14 - Case study showing a "Web Portal" that integrates multiple enterprise via Identity management. </RN>

Effects of encryption on real-time payment processing.

<RN> There is always a performance overhead due to encryption and validating digital signatures. This could be overcome by using cryptographic accelerators. You may refer to SecurePipe pattern (Chapter 9) for details </RN>

Goodluck

/Ramesh

Thanks and looking forward, Sudd

Originally posted by Tina Coleman:
I was disappointed to not get to see a table of contents and index for the book out on Amazon. I know that's not likely the authors' doing, but passing along that feedback. Speaking as someone who's done a good bit of .NET programming of late, I wonder if the authors could speak to how much of the text is J2EE-specific, and how much would be more widely applicable. I expect that since this is a patterns book, it should be more widely applicable. Definitely interested in some of the various topics listed in the book blurbs.