
Data structure for payment processing system.

  • 09-02-2012 5:12pm
    #1
    Registered Users Posts: 2,234 ✭✭✭


    Hi Guys,

    I'm currently working on my final year project which is a payment system with a client and server (the server is really for settlement/authorization with a little bit of management of multiple epos clients.)

    I'm currently trying to come up with a data structure scheme and process for processing and settling payment requests.

    The general idea is that the epos client sends the customer's account number and PIN along with the amount to the server. The server will then process the request and send a response.

    I've done some light reading on PCI PA-DSS and have gleaned some keywords from that. Another word I have noticed on the likes of laser/visa receipts is cryptogram.

    Before I go and design my process and data structures I'd like to read up on the types of systems currently in use and the data that is transmitted back and forth between the client and server.

    Any ideas greatly appreciated.

    Cheers.


Comments

  • Registered Users Posts: 2,791 ✭✭✭John_Mc


    techguy wrote: »
    Hi Guys,

    I'm currently working on my final year project which is a payment system with a client and server (the server is really for settlement/authorization with a little bit of management of multiple epos clients.)

    I'm currently trying to come up with a data structure scheme and process for processing and settling payment requests.

    The general idea is that the epos client sends the customer's account number and PIN along with the amount to the server. The server will then process the request and send a response.

    I've done some light reading on PCI PA-DSS and have gleaned some keywords from that. Another word I have noticed on the likes of laser/visa receipts is cryptogram.

    Before I go and design my process and data structures I'd like to read up on the types of systems currently in use and the data that is transmitted back and forth between the client and server.

    Any ideas greatly appreciated.

    Cheers.

    Not really sure what you're looking for here. Your data structure can be whatever you want it to be, although it should make sense and obviously include all information you need. You're best off using Xml to transmit between the two.

    The main concern is authenticating that the message you receive really came from the source. You can use a salted hash of some information together with a password known only to the client and server.

    As part of accepting a message, you hash the same information with the password and compare to the one given. They should match or you should reject the message.

    In terms of hashing, MD5 has been cracked so you should use SHA-1 or whatever is considered to be the most secure these days.
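    The keyed-hash acceptance check described in the reply above, written out as an added example (this is not code from the thread or from any project mentioned in it). It uses the standard HMAC construction with SHA-256 rather than an ad hoc hash of "data + password", because HMAC is the construction designed for keyed message authentication, and it compares tags in constant time. The field names, the shared key value and the (terminal, STAN) replay check are my assumptions; the sample request is constructed.

```python
import hashlib
import hmac
import json

# Shared secret known only to this EPOS client and the server. Constructed
# sample value: in a real deployment it would be provisioned per terminal.
SHARED_KEY = b"terminal-T0001-constructed-demo-key"


def canonical_bytes(fields: dict) -> bytes:
    """Serialise the request fields in a fixed order so both sides MAC exactly
    the same bytes; key order and separators are part of the contract."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def mac_for(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical request, returned as a hex tag."""
    return hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()


def build_request(fields: dict, key: bytes = SHARED_KEY) -> dict:
    """Client side: attach the tag to the request body before sending."""
    return {"body": fields, "mac": mac_for(fields, key)}


class SettlementServer:
    """Minimal server-side acceptance check for authorisation requests.

    A MAC proves origin and integrity only; the account number and PIN in
    the body still need an encrypted transport (TLS or the VPN link).
    """

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        # (terminal, stan) pairs already processed, so that a genuinely
        # signed message that was captured and resent is refused.
        self.seen = set()

    def handle(self, msg: dict) -> tuple:
        body, tag = msg.get("body", {}), msg.get("mac", "")
        expected = mac_for(body, self.key)
        # compare_digest does not leak how many leading characters matched.
        if not hmac.compare_digest(expected, tag):
            return ("rejected", "bad mac")
        ident = (body.get("terminal"), body.get("stan"))
        if ident in self.seen:
            return ("rejected", "replay")
        self.seen.add(ident)
        return ("approved", body["amount"])


if __name__ == "__main__":
    server = SettlementServer()
    request = build_request(
        {"terminal": "T0001", "stan": 41, "account": "ACCT-0001", "amount": "12.50"}
    )
    print(server.handle(request))            # approved
    print(server.handle(request))            # replay of the same message
    forged = {"body": dict(request["body"], stan=42, amount="1250.00"),
              "mac": request["mac"]}
    print(server.handle(forged))             # tag no longer matches
```

    The canonical serialisation step matters as much as the hash choice: if client and server serialise the fields differently (key order, whitespace, number formatting), a legitimate message fails the check, and if the serialisation is ambiguous, two different field sets can produce the same bytes.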


  • Registered Users Posts: 9,294 ✭✭✭markpb


    It might be worth looking at ISO-8583 which is used by a lot of systems for transfer of payment authorisation requests. The wiki page is particularly good. jPOS is an open-source implementation of the protocol so the source code might be of interest to you. APACS30 is also commonly used in the UK and Ireland between terminals and credit card hosts but I'm not sure the documentation for it is publicly accessible.

    It might be worth bearing in mind that there are old protocols which have been around for years. They were designed to work over slow and unreliable communication links which is why they make use of bit masks and why they're not as bloatey as SOAP :) If you were designing a closed-loop system between an EPOS and host over a VPN or leased line, you could use something more verbose if you wanted (as long as what you wanted was a proprietary system that works with nothing else).

    Cryptogram is nothing to do with your project - it's an encrypted block of data generated by EMV chip cards to authenticate the chip with the bank.
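    To make the bitmap remark concrete, here is an added example (not code from the thread, from jPOS or from the ISO text) that packs and unpacks a small subset of ISO 8583 data elements in the ASCII encoding: a 4-character MTI, a 16-hex-digit primary bitmap in which bit n set means field n is present, then the present fields in numeric order, each either fixed-length or prefixed with a two-digit length (LLVAR). The field subset, the sample values and the PAN-masking helper are my choice; real implementations cover all 128 fields, a secondary bitmap and several encodings.

```python
# Subset of ISO 8583 data elements as (name, kind, length):
# "fixed" = exactly `length` characters, "llvar" = 2-digit length prefix
# followed by up to `length` characters.
FIELDS = {
    2: ("pan", "llvar", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),            # minor units, zero-padded
    7: ("transmission_datetime", "fixed", 10),  # MMDDhhmmss
    11: ("stan", "fixed", 6),              # system trace audit number
    39: ("response_code", "fixed", 2),
    41: ("terminal_id", "fixed", 8),
    49: ("currency_code", "fixed", 3),
}


def encode_bitmap(present) -> str:
    """Primary bitmap: bit 1 is the most significant bit of the 64-bit word."""
    bits = 0
    for n in present:
        bits |= 1 << (64 - n)
    return f"{bits:016X}"


def decode_bitmap(hexmap: str) -> list:
    bits = int(hexmap, 16)
    return [n for n in range(1, 65) if (bits >> (64 - n)) & 1]


def pack(mti: str, fields: dict) -> str:
    """Build the wire string from {field_number: value}."""
    out = [mti, encode_bitmap(sorted(fields))]
    for n in sorted(fields):
        if n not in FIELDS:
            raise ValueError(f"field {n} not supported in this example")
        _, kind, length = FIELDS[n]
        value = str(fields[n])
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"field {n} must be {length} chars")
            out.append(value)
        else:
            if len(value) > length:
                raise ValueError(f"field {n} longer than {length}")
            out.append(f"{len(value):02d}{value}")
    return "".join(out)


def unpack(msg: str) -> tuple:
    """Parse the wire string; every length is checked before it is trusted."""
    mti, bitmap, pos = msg[:4], msg[4:20], 20
    if len(bitmap) != 16:
        raise ValueError("truncated bitmap")
    fields = {}
    for n in decode_bitmap(bitmap):
        if n == 1:
            raise ValueError("secondary bitmap not supported in this example")
        if n not in FIELDS:
            raise ValueError(f"unknown field {n}")
        _, kind, length = FIELDS[n]
        if kind == "fixed":
            want = length
        else:
            want = int(msg[pos:pos + 2])
            pos += 2
            if want > length:
                raise ValueError(f"field {n} length prefix too large")
        value = msg[pos:pos + want]
        if len(value) != want:
            raise ValueError(f"truncated field {n}")
        fields[n] = value
        pos += want
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return mti, fields


def mask_pan(pan: str) -> str:
    """First six and last four digits only, as PA-DSS requires for any log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    request = {2: "4000001234567899", 3: "000000", 4: "000000001250",
               7: "0209171200", 11: "000041", 41: "EPOS0001", 49: "978"}
    wire = pack("0200", request)            # 0200 = authorisation request
    print(wire)
    mti, parsed = unpack(wire)
    print(mti, mask_pan(parsed[2]), parsed[4])
```

    The parser refuses a bitmap bit it has no definition for and a length prefix beyond the field maximum instead of reading whatever follows, which is the part of a legacy bit-masked protocol that most often goes wrong when hand-written.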


  • Registered Users Posts: 2,234 ✭✭✭techguy


    Thanks guys,

    I've been doing a bit more reading/designing and I think I'm alright with my initial question, whatever that was :)

    I had planned on hashing the data alright as a check.

    I had looked into ISO8583 a while back, I have decided not to follow it for the moment.
    I seem to be doing as you say, "A closed loop system between an EPOS and host over VPN"
    My system is proprietary in that no epos clients clear payments, they are instead sent to the epos server which processes the payments. My plan is that you could create plugins for the server later that would do ISO 8583 payments or go the likes of PayPal etc.

    Do you guys know of any books on the topic of EPOS systems?

    Cheers.


  • Registered Users Posts: 2,234 ✭✭✭techguy


    Thanks Mark!

