University of Washington B2C Credit Card Infrastructure University of Washington Copyright University of Washington (Joe Frost, Scott B. Stephenson, Marcia

University of Washington B2C Credit Card Infrastructure

University of WashingtonB2C Credit Card Infrastructure

University of Washington

Copyright University of Washington (Joe Frost, Scott B. Stephenson, Marcia Tufarolo) 2002. This work is the intellectual property of the Authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.


University of Washington

B2C Credit Card Infrastructure


UW Web Credit Card Application


Client Services Project Consulting

• Project Review Marcy Tufarolo

• Architecture & Security Scott Stephenson

• Application Demo Joe Frost

• Q&A


Project Goal

• Central infrastructure: Web-based credit card purchases

• Available to all UW areas



• Standard Methods• Secure Installation• Economies of Scale• Mainstream the Expertise


Project Approach

• Advisory Committee• Project Team


Project Approach

• Research– Internal– External


Project Approach

• Build vs Buy– Security

– Credit Card # not stored

– Co-branding

– Flexibility to change vendor– Integrate with UW banking


Project Approach

• Implementation– Design– Development


Application Overview

Purchaser

DepartmentApplication

OutsideServices

UW WebCredit Card

UW FinancialSystem

UW BankReconciliation


Major Processes

• Transaction Authorization• Transaction Processing• Settlement• Standard Reporting• Administrative Functions


Interfaces

• Departmental Application

• Generic Application– UW Web Conference

– UW Web Donation

– UW Web Store


Example Installations

• UW Tuition

• UW Computer Training

• Health Policy Conference

• KEXP Pledge Drive


Example Expansions

• Housing & Food Services

• Husky Store

• UWMC Gift Shop


Cost Recovery

• Self-Sustaining Operation

• Multiple Cost Models– Fixed fee per transaction

– Percent of transaction


Cost Recovery

• Recharge Module in Web CC

• Annual Review of Rates







Design Challenges

• Open Architecture

• Security

• Performance, Stability & Scale


Open Architecture

• Provide a central, UW-wide service

• Integrate with departmental Web Apps

• Support all UW platforms and databases


Open Architecture

• Work with UW financial systems

• Work with UW banking structure

• Be secure, secure, secure!


Open Architecture

Solution: Well-defined protocollayered on top of SSL (https)


Payment Process

UW WebCredit Card Server

DepartmentServer Processing

Vendor

1. CheckoutPage


Payment Process



Vendor

2. CheckoutRequest


Payment Process



Vendor

3. Purchase DataRequest


Payment Process



Vendor

4. Purchase Data


Payment Process



Vendor

5. PurchaseRequest Page


Payment Process



Vendor

6. PurchaseRequest


Payment Process



Vendor

7. PurchaseConfirmation

Page


Payment Process



Vendor

8. PurchaseConfirmation


Payment Process



Vendor

9. AuthorizationRequest


Payment Process



Vendor

10. Authorized


Payment Process



Vendor

11. ConfirmPayment


Payment Process



Vendor

12. PurchaseSuccessful


Payment Process



Vendor

13. PurchaseReceipt


Security Highlights

• Java and ASP, Win2K and IIS

• Credit card data never stored

• SSL for all network communications


Security Highlights• Admin functions have 6 levels of access control

• Admin actions have an audit trail

• Financial transactions use RSA SecurID• Data is encrypted and encoded


Security Details

• Triple-DES encryption using Cryptix class libraries

• Base64-ASCII encoding at 6-bit boundaries and padded

• Objects compressed with GZIP


Security Details

• MD5 digest ensures objects not tampered with during transmission

• Cookies are secure, scoped to the server, volatile and W3C P3P compliant

• Purchase session expires after 15 minutes


Security Details

• Objects tied together with creation timestamp so cannot be used independently

• Completed, cancelled or expired purchase sessions cannot be reused

• Pages have ‘Pragma no-cache’ header and are immediately expired


Security Details

Ke3VFNix_W3RjfYPujNbuPqFJewtFh2v1q5PQPzrMrfJIkDz3rqEvmlTaAmiBCDj5E8LwOEeTzudRbAt4KlXC_agf0OAkorIY21vTcuoJNGLe2Re88ImRiVPqcKIh6u6wpDYYQaiidp7Kk9qHnPPpF5nB1KMxngMa0YMLSVZPIkqXOkZ_sEXGyx_MMmixUaGB9zXoq0zjlWG_07uF_MsSN0zKPl65LsN4ejQppj^8r1MCV1E_2T9Ra8EuM18O89IruDSjuB6i99C5lZjj_Dlhfg7

Example of EncryptedAnd Encoded Data


Performance, Stability & Scale

• Web Servers

– Win2K and IIS

– Virtual host: load balanced at n+1

– Hot swap-able & interchangeable



• Web Servers – Minimal server-side caching reduces memory consumption– Automatic monitoring with failures escalated to pagers– Leverage UW DRBR (disaster recovery)



• Database Servers– Win2K and MS-SQL– Primary and secondary with mirrored disk– Tape backup every two hours– Minimal database activity



• Database Servers– File UDL for easier fail-over– Automatic monitoring with failures escalated to pagers– Leverage UW DRBR







Demonstration

• UW Computer Training

• UW Web Donation

• UW Web Credit Card


UW Computer Training

• Existing system

• Java, Informix, Apache Server

• Department application interfaceC&C Link


UW Web Donation

• New System

• ASP, MS-SQL, IIS

• Generic DonationDonation Link


UW Web Credit Card

• ASP, Java, MS-SQL, IIS

• Multiple Levels of SecurityCentral User Link




[email protected]

http://depts.washington.edu/cac/projects

Documents

University of Washington B2C Credit Card Infrastructure University of Washington Copyright University of Washington (Joe Frost, Scott B. Stephenson, Marcia