University of Washington B2C Credit Card Infrastructure
Copyright University of Washington (Joe Frost, Scott B. Stephenson, Marcia Tufarolo) 2002. This work is the intellectual property of the Authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.
UW Web Credit Card Application
Client Services Project Consulting
• Project Review – Marcy Tufarolo
• Architecture & Security – Scott Stephenson
• Application Demo – Joe Frost
• Q&A
Project Goal
• Central infrastructure: Web-based credit card purchases
• Available to all UW areas
UW Web Credit Card Application
• Standard Methods
• Secure Installation
• Economies of Scale
• Mainstream the Expertise
Project Approach
• Advisory Committee
• Project Team
Project Approach
• Research
– Internal
– External
Project Approach
• Build vs Buy
– Security
– Credit Card # not stored
– Co-branding
– Flexibility to change vendor
– Integrate with UW banking
Project Approach
• Implementation
– Design
– Development
Application Overview
(Diagram) Components: Purchaser, Department Application, Outside Services, UW Web Credit Card, UW Financial System, UW Bank Reconciliation
Major Processes
• Transaction Authorization
• Transaction Processing
• Settlement
• Standard Reporting
• Administrative Functions
Interfaces
• Departmental Application
• Generic Application
– UW Web Conference
– UW Web Donation
– UW Web Store
Example Installations
• UW Tuition
• UW Computer Training
• Health Policy Conference
• KEXP Pledge Drive
Example Expansions
• Housing & Food Services
• Husky Store
• UWMC Gift Shop
Cost Recovery
• Self-Sustaining Operation
• Multiple Cost Models
– Fixed fee per transaction
– Percent of transaction
Cost Recovery
• Recharge Module in Web CC
• Annual Review of Rates
Design Challenges
• Open Architecture
• Security
• Performance, Stability & Scale
Open Architecture
• Provide a central, UW-wide service
• Integrate with departmental Web Apps
• Support all UW platforms and databases
Open Architecture
• Work with UW financial systems
• Work with UW banking structure
• Be secure, secure, secure!
Open Architecture
Solution: well-defined protocol layered on top of SSL (https)
Payment Process
(Diagram) Parties: UW Web Credit Card Server, Department Server, Processing Vendor. Message sequence:
1. Checkout Page
2. Checkout Request
3. Purchase Data Request
4. Purchase Data
5. Purchase Request Page
6. Purchase Request
7. Purchase Confirmation Page
8. Purchase Confirmation
9. Authorization Request
10. Authorized
11. Confirm Payment
12. Purchase Successful
13. Purchase Receipt
University of Washington B2C Credit Card Infrastructure
Security Highlights
• Java and ASP, Win2K and IIS
• Credit card data never stored
• SSL for all network communications
Security Highlights
• Admin functions have 6 levels of access control
• Admin actions have an audit trail
• Financial transactions use RSA SecurID
• Data is encrypted and encoded
Security Details
• Triple-DES encryption using Cryptix class libraries
• Base64-ASCII encoding at 6-bit boundaries and padded
• Objects compressed with GZIP
Security Details
• MD5 digest ensures objects not tampered with during transmission
• Cookies are secure, scoped to the server, volatile and W3C P3P compliant
• Purchase session expires after 15 minutes
Security Details
• Objects tied together with creation timestamp so cannot be used independently
• Completed, cancelled or expired purchase sessions cannot be reused
• Pages have ‘Pragma no-cache’ header and are immediately expired
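The session rules above (13 ordered protocol steps, a 15-minute lifetime, objects tied to one creation timestamp, no reuse of a completed, cancelled or expired session) as an added example in Java, not code from the UW project; the class, its API and the single-timestamp check are assumptions, only the step names and the limits come from the slides.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;

// Tracks one purchase session through the 13 steps on the Payment Process
// slides and applies the Security Details session rules. The class and its
// API are assumed; only the step names and limits are the slides'.
public class PurchaseSession {
    static final List<String> STEPS = List.of(
        "Checkout Page", "Checkout Request", "Purchase Data Request", "Purchase Data",
        "Purchase Request Page", "Purchase Request", "Purchase Confirmation Page",
        "Purchase Confirmation", "Authorization Request", "Authorized",
        "Confirm Payment", "Purchase Successful", "Purchase Receipt");
    static final Duration LIFETIME = Duration.ofMinutes(15); // purchase session expiry

    enum State { ACTIVE, COMPLETED, CANCELLED, EXPIRED }

    final Instant created;    // creation timestamp shared by every object of the session
    private int nextStep = 0;
    private State state = State.ACTIVE;

    PurchaseSession(Instant created) { this.created = created; }

    // Expiry is evaluated against the caller's clock; once a session leaves
    // ACTIVE it never returns, so a completed, cancelled or expired session
    // cannot be reused.
    State state(Instant now) {
        if (state == State.ACTIVE && now.isAfter(created.plus(LIFETIME))) state = State.EXPIRED;
        return state;
    }

    // Accept an object only if the session is active, the object carries this
    // session's creation timestamp (so it cannot be replayed into another
    // session), and its step is the next one in sequence.
    boolean accept(String step, Instant objectCreated, Instant now) {
        if (state(now) != State.ACTIVE || !objectCreated.equals(created)) return false;
        if (!STEPS.get(nextStep).equals(step)) return false;
        nextStep++;
        if (nextStep == STEPS.size()) state = State.COMPLETED;
        return true;
    }

    boolean cancel(Instant now) {
        if (state(now) != State.ACTIVE) return false;
        state = State.CANCELLED;
        return true;
    }
}
```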
Security Details
Example of encrypted and encoded data:
Ke3VFNix_W3RjfYPujNbuPqFJewtFh2v1q5PQPzrMrfJIkDz3rqEvmlTaAmiBCDj5E8LwOEeTzudRbAt4KlXC_agf0OAkorIY21vTcuoJNGLe2Re88ImRiVPqcKIh6u6wpDYYQaiidp7Kk9qHnPPpF5nB1KMxngMa0YMLSVZPIkqXOkZ_sEXGyx_MMmixUaGB9zXoq0zjlWG_07uF_MsSN0zKPl65LsN4ejQppj^8r1MCV1E_2T9Ra8EuM18O89IruDSjuB6i99C5lZjj_Dlhfg7
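The packaging described under Security Details (GZIP, Triple-DES, Base64, plus an MD5 digest to detect modification in transit) as an added Java example, not the UW project's code; it uses the JDK's JCE classes rather than the Cryptix libraries named on the slide, and CBC mode, the key and IV sizes and the URL-safe Base64 alphabet are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// GZIP -> Triple-DES -> Base64 packaging as described on the slides; JDK
// classes stand in for Cryptix, and CBC mode and the key/IV sizes are assumed.
public class PurchaseObjectCodec {
    private static final String ALG = "DESede/CBC/PKCS5Padding";
    private final SecretKeySpec key;  // 24-byte Triple-DES key
    private final IvParameterSpec iv; // 8-byte CBC IV
    PurchaseObjectCodec(byte[] keyBytes, byte[] ivBytes) {
        key = new SecretKeySpec(keyBytes, "DESede");
        iv = new IvParameterSpec(ivBytes);
    }
    // URL-safe Base64 alphabet is an assumption so the token fits a query string.
    String pack(String serialized) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) {
            gz.write(serialized.getBytes(StandardCharsets.UTF_8));
        }
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.ENCRYPT_MODE, key, iv);
        return Base64.getUrlEncoder().encodeToString(c.doFinal(buf.toByteArray()));
    }
    // Reverses the three steps; a corrupted token throws during decoding, unpadding or GZIP.
    String unpack(String token) throws IOException, GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(Cipher.DECRYPT_MODE, key, iv);
        byte[] plain = c.doFinal(Base64.getUrlDecoder().decode(token));
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(plain))) {
            return new String(gz.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
    // MD5 digest sent with the token, as on the slide; checked in constant time.
    static byte[] digest(String token) throws GeneralSecurityException {
        return MessageDigest.getInstance("MD5").digest(token.getBytes(StandardCharsets.UTF_8));
    }
    static boolean digestMatches(String token, byte[] expected) throws GeneralSecurityException {
        return MessageDigest.isEqual(digest(token), expected);
    }
}
```

An unkeyed MD5 over the token detects accidental corruption only, since whoever can alter the token can also recompute the digest; a keyed MAC (HMAC) or an authenticated cipher mode is what protects against deliberate tampering.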
Performance, Stability & Scale
• Web Servers
– Win2K and IIS
– Virtual host: load balanced at n+1
– Hot swap-able & interchangeable
Performance, Stability & Scale
• Web Servers
– Minimal server-side caching reduces memory consumption
– Automatic monitoring with failures escalated to pagers
– Leverage UW DRBR (disaster recovery)
Performance, Stability & Scale
• Database Servers
– Win2K and MS-SQL
– Primary and secondary with mirrored disk
– Tape backup every two hours
– Minimal database activity
Performance, Stability & Scale
• Database Servers
– File UDL for easier fail-over
– Automatic monitoring with failures escalated to pagers
– Leverage UW DRBR
Demonstration
• UW Computer Training
• UW Web Donation
• UW Web Credit Card
UW Computer Training
• Existing system
• Java, Informix, Apache Server
• Department application interface (C&C link)
UW Web Donation
• New System
• ASP, MS-SQL, IIS
• Generic Donation (Donation link)
UW Web Credit Card
• ASP, Java, MS-SQL, IIS
• Multiple Levels of Security (Central User link)
UW Web Credit Card Application
Client Services Project Consulting
http://depts.washington.edu/cac/projects