James,
This system handles fresh local food home deliveries and one user won
the BBC local food retailer of the year a few years ago. It predates
supermarket home delivery and credit card payments was introduced in 2006.
One of the features is that orders are taken a day or so before packing
and delivery and with weighing and not availables the final bill is
calculated only after packing. Also most customers are regular and many
have standing orders for delivery without ordering
Credit card details were typed into a desktop app which sent them off to
the (hopefully) fully secure payment gateway. A token is returned which
is used for future payment(s). This token links the credit card details
and the retailer so that even if the token was used by a criminal, all
they could do was transfer money to the retailers account. The token
could therefore be stored without particular security.
The upgrade required is to allow customers to enter credit card details
on line. The payment company provide a "hosted payment page" which
allows customers to enter details and the token is returned which can be
used as before. The hosted payment page is called with an
"Authentication token" which is given to the retailer but must be held
securely - DPAPI is recommended. The developers know nothing about Linux
so it is an unexpected hurdle for me.
Thanks for your suggestion. Looks promising.
Roger
On 21/10/15 08:16, James Courtier-Dutton wrote:
>
>
> On 20 Oct 2015 13:26, "Roger Munford"
> <rogermunford@???
> <mailto:rogermunford@parussoftware.co.uk>> wrote:
> >
> > I am bringing an old desktop payment system up to date to work with
> the payment providers new system and also provide a wrapper for a
> website which transfers the user to their hosted payment page.
> >
> > The website is built on the traditional LAMP server. However the
> website requires a security key which " is secret and must never be
> revealed to anyone and you must ensure that the key is protected on
> your server by appropriate security measures such as DPAPI"
> >
> > I was looking for a Linux equivalent but there does not seem to be
> one, but I assume there must be a technique employed on Linux service
> to accomplish the same thing.
> >
> > The payment service providers are a windows shop and aren't very
> helpful.
> >
> > Can anybody point me in the right direction?
> >
> If you are having to become PCI DSS compliant, then things become far
> more difficult to get right.
> It is far more that just protecting encryption keys.
> Linux does have an api for storing keys securly in the kernel. Google
> linux kernel key management.
>
> In general, PCI DSS looks for separation of data at differing
> sensitivity levels. In some cases, dedicated hardware is used to
> encrypt credit card numbers.
> In other cases, you separate up the data and store it in different
> places. Eg. Credit card numbers on one server, and the rest of the
> data on another, and then you look to lock down the credit card server
> to the max and not run any services on it apart from the credit card
> access api and no web browsers.
>
> Kind regards
>
> James
>
>
>
--
Please post to: Hampshire@???
Web Interface:
https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL:
http://www.hantslug.org.uk
--------------------------------------------------------------