You could probably do a fairly decent job of mocking one up. In practice, most of the payment gateways wrap a lower level switch with their own communication scheme so they can integrate value-added services like fraud detection. Implementing low-level communication standards is really not required. If you want to do a decent mock-up and not spend time writing a lot of stuff from scratch, stick to the more business oriented tools with Java or .Net.
I'd suggest making a web service definition using IIS/.Net or Tomcat/JBoss/Java to define how your authorization and settlement is going to work. You can implement just about anything required by PCI DSS using tools available in the .Net/Java core libraries without having to resort to third party libraries.
相反,我将重点关注 PCI-DSS 合规性带来的挑战。加密卡详细信息很简单。编写安全密钥管理系统更具挑战性。总体目标是将您的卡详细信息加密到数据库中,并允许您的商家通过唯一的令牌 ID 引用这些卡详细信息。这是 PSP 所采用的通用模型,以便令牌 ID 可以安全地传递给您的商户或从您的商户安全地传递,同时卡详细信息本身保持安全,并且仅在与商户银行通信时解密(用于授权/结算等)
A very similar question has come up before, and I answered here
You might have a few minor misconceptions though. Payment Service Processors (or PSPs) will generally speak to an acquiring bank. It is the acquiring bank that then (behind the scenes) redirects an authorization request to the relevant card issuer. It is done this way because the acquiring bank (same bank used by your merchant) wants to try and ensure you only settle money into (or withdraw money from, for refunds) the bank account that has been authorised.
If you wanted to have the software accredited, then you would do that with each acquiring bank you want to support, but it would involve you fully implementing the communications to the merchant bank for both authorization requests and end-of-day settlement. If this is just a mockup system then going through accreditation would be a major hurdle, and most likely infeasable with the timescale you suggested.
Instead I would focus on the challenges that PCI-DSS compliance presents. Encrypting card details is the easy bit. Writing a secure key management system is much more challenging. The overall goal would be to encrypt your card details to a database, and allow your merchants to reference those card details by unique token ids. This is the general model that PSP's adapt so that the token id can be passed to/from your merchants safely, whilst the card details themselves are kept secure, and only decrypted during communication to the merchant bank (for authorization/settlement etc)
If you wanted to keep things simple, then instead you could focus on validating the communications from the merchants that would be using your service. You could (eg) ensure that the merchant only attempts to settle an amount less (or equal to) an amount already authorised against a particular card. You could have safeguards to prevent merchants from mistakenly flooding the service with auth requests (which could rapidly drain a cardholders available funds!)
发布评论
评论(2)
你也许可以做得相当不错的嘲笑工作。在实践中,大多数支付网关都使用自己的通信方案包装较低级别的交换机,以便它们可以集成欺诈检测等增值服务。实际上不需要实施低级通信标准。如果您想做一个像样的模型,而不是花时间从头开始编写大量内容,请坚持使用 Java 或 .Net 等更面向业务的工具。
我建议使用 IIS/.Net 或 Tomcat/JBoss/Java 进行 Web 服务定义来定义您的授权和结算将如何工作。您可以使用 .Net/Java 核心库中提供的工具实现 PCI DSS 所需的几乎任何内容,而无需求助于第三方库。
You could probably do a fairly decent job of mocking one up. In practice, most of the payment gateways wrap a lower level switch with their own communication scheme so they can integrate value-added services like fraud detection. Implementing low-level communication standards is really not required. If you want to do a decent mock-up and not spend time writing a lot of stuff from scratch, stick to the more business oriented tools with Java or .Net.
I'd suggest making a web service definition using IIS/.Net or Tomcat/JBoss/Java to define how your authorization and settlement is going to work. You can implement just about anything required by PCI DSS using tools available in the .Net/Java core libraries without having to resort to third party libraries.
以前曾出现过一个非常类似的问题,我回答了 这里
不过,您可能有一些小误解。支付服务处理商(或 PSP)通常会与收单银行联系。然后,收单银行(在幕后)将授权请求重定向至相关发卡机构。这样做是因为收单银行(您的商家使用的同一家银行)希望尝试并确保您仅将资金存入(或从已授权的银行账户中提取资金,以获得退款)。
如果您想让软件获得认可,那么您可以与您想要支持的每家收单银行一起这样做,但这将涉及您全面实施与商业银行的通信,以进行授权请求和日终结算。如果这只是一个模型系统,那么通过认证将是一个主要障碍,而且很可能在您建议的时间范围内不可行。
相反,我将重点关注 PCI-DSS 合规性带来的挑战。加密卡详细信息很简单。编写安全密钥管理系统更具挑战性。总体目标是将您的卡详细信息加密到数据库中,并允许您的商家通过唯一的令牌 ID 引用这些卡详细信息。这是 PSP 所采用的通用模型,以便令牌 ID 可以安全地传递给您的商户或从您的商户安全地传递,同时卡详细信息本身保持安全,并且仅在与商户银行通信时解密(用于授权/结算等)
如果您如果您想让事情变得简单,那么您可以专注于验证来自将使用您的服务的商家的通信。您可以(例如)确保商家仅尝试结算少于(或等于)特定卡已授权金额的金额。您可以采取保护措施来防止商家错误地向服务发送大量身份验证请求(这可能会迅速耗尽持卡人的可用资金!)
祝您好运,这是一个具有广泛范围的好主意。
A very similar question has come up before, and I answered here
You might have a few minor misconceptions though. Payment Service Processors (or PSPs) will generally speak to an acquiring bank. It is the acquiring bank that then (behind the scenes) redirects an authorization request to the relevant card issuer. It is done this way because the acquiring bank (same bank used by your merchant) wants to try and ensure you only settle money into (or withdraw money from, for refunds) the bank account that has been authorised.
If you wanted to have the software accredited, then you would do that with each acquiring bank you want to support, but it would involve you fully implementing the communications to the merchant bank for both authorization requests and end-of-day settlement. If this is just a mockup system then going through accreditation would be a major hurdle, and most likely infeasable with the timescale you suggested.
Instead I would focus on the challenges that PCI-DSS compliance presents. Encrypting card details is the easy bit. Writing a secure key management system is much more challenging. The overall goal would be to encrypt your card details to a database, and allow your merchants to reference those card details by unique token ids. This is the general model that PSP's adapt so that the token id can be passed to/from your merchants safely, whilst the card details themselves are kept secure, and only decrypted during communication to the merchant bank (for authorization/settlement etc)
If you wanted to keep things simple, then instead you could focus on validating the communications from the merchants that would be using your service. You could (eg) ensure that the merchant only attempts to settle an amount less (or equal to) an amount already authorised against a particular card. You could have safeguards to prevent merchants from mistakenly flooding the service with auth requests (which could rapidly drain a cardholders available funds!)
Good luck, its a great idea with plenty of scope.