creating an in-aisle purchasing system from scratch

Post on 16-Apr-2017

Creating an In-Aisle Purchasing System from Scratch

Jonathan LeBlanc Twitter: @jcleblanc

• Apple / Android pay type integrations

• Secure hardware prototype integrations with microelectronics

• Non-register integrations

• Generating, handling, and securing tokens

• Building an unbound physical payment architecture

• Creating secure payment transmission through potentially poorly secured hardware

A Bit on Tokens

Tokenization Luhn Algorithm

Token Durability Types

• Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred.

• Transaction: One time use, more secure, ideal for small businesses not tracking customers.

Process: Create a surrogate value for customer credit card data

Attributes

• 13 – 19 digits in length

• Passes Luhn check validation

For our use case

Starting Value: 4539248095434517

Reverse Digits: 7154345908429354

Multiply digits in even positions by 2: 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8)

Subtract 9 from numbers above 9: 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8)

Sum all digits: 90

Mod 10 verify: 0 (remainder)

The Luhn Algorithm
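
The steps above as runnable Node code, extended to issue a surrogate value with the listed attributes (13 – 19 digits, passes the Luhn check). This is an added example, not code from the original slides; createSurrogate, the "9" prefix and the in-memory issued set (standing in for a vault lookup) are assumptions.

```javascript
const { randomInt } = require('crypto'); // CSPRNG; Math.random() is not suitable for tokens

// Luhn sum following the slide's steps: reverse the digits, double every
// second one, subtract 9 from any result above 9, then add everything up.
function luhnSum(digits) {
  return digits.split('').reverse().reduce((sum, ch, i) => {
    let d = Number(ch);
    if (i % 2 === 1) {            // even positions when counting from 1
      d *= 2;
      if (d > 9) d -= 9;
    }
    return sum + d;
  }, 0);
}

// A value passes when it is 13-19 digits long and the sum is a multiple of 10.
function passesLuhn(value) {
  return /^\d{13,19}$/.test(value) && luhnSum(value) % 10 === 0;
}

// Check digit that makes body + digit pass. The check digit sits in
// position 1 of the reversed number, so it is never doubled.
function checkDigit(body) {
  return String((10 - (luhnSum(body + '0') % 10)) % 10);
}

// Hypothetical helper: build a random surrogate with a constructed prefix and
// retry if the value is already in `issued` (assumed stand-in for the vault).
function createSurrogate(issued, length = 16, prefix = '9') {
  if (length < 13 || length > 19) throw new RangeError('length must be 13-19');
  for (;;) {
    let body = prefix;
    while (body.length < length - 1) body += randomInt(10);
    const surrogate = body + checkDigit(body);
    if (!issued.has(surrogate)) {
      issued.add(surrogate);
      return surrogate;
    }
  }
}
```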

Apple / Android pay tokenization system

EMV payment tokenisation specification

Merchant register is changed to hardware transfer bridge

Network handles direct merchant requests. Vault stores surrogate to token lookup.

Customer to Device Interaction

Secure Element Host-based Card Emulation

Arduino with NFC or BLE Shield

Beacon BLE Hardware

How do you protect privileged information during data transmission?

Asynchronous Cryptography: Securing Data Through Transmission

Device Fingerprinting

Getting Paired Devices

{
  requsterid: '1234',
  usertoken: '443478943234',
  device: { ... },
  payment: {
    price: '20.22',
    currency: 'CAD',
    quantity: '2'
  }
}

Example Payload for Risk Assurance Data

The API Network

/device: issue / delete a requester ID for a verified hardware device or terminal.

/pay: issue / update / cancel a verified payment from a customer.

/key: issue / update / delete a new encryption key set for a customer device (phone).

API Endpoints Needed

When generating new user tokens, how can we reduce the possibility of token collision?

Example Packages (Node)

• node-uuid

• hat

Reducing Collision Risk

• hat.rack() function

• Additional params to node-uuid or hat to further randomize the generated token

Using Respected Modules

The Token Vault

Token Vault Security

• Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc).

• Secured internal network

• Strong cryptography and security protocols

• Restrict user access and roles to system

• System is protected from vulnerabilities

• ...

• Transactions are restricted to domains that are registered to valid token requesters.

Credit Card Vaulting

Credit Card Information

Address Information

Card Holder Name

...

7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866

https://developer.paypal.com/docs/api/vault/

CAP Theorem

• Consistency: Data to and from different nodes in the distributed system should always be identical.

• Availability: The vault is always available to service requests.

• Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.

If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?

Multiple Record Storage

Surrogate Token     Payment Token            Delete
5256771698017130    d66f1af4671091353be4c    true
5355427967576526    d66f1af4671091353be4c    false
5535770792529787    7e29c5c48f4475523ef56    false

Wrapup Links

• Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html

• EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263

• Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto

• Android Build info: http://developer.android.com/reference/android/os/Build.html

Thank you!

Slides: slideshare.net/jcleblanc
