A simple Rev credit card processing solution
Dar Scott
dsc at swcp.com
Tue Feb 8 16:30:41 EST 2005
On Feb 8, 2005, at 5:38 AM, Richard Miller wrote:

> I can now post a simple, effective, secure solution to processing a
> credit card through Rev.

Thanks for the detailed how-to.

From the CardPresent documentation I get the impression that the client
needs to have a certificate. Assuming I understand your example
correctly, it does not. That is OK, I think; merchant authentication
in CP is based on the shared secret in x_tran_key. The Revolution
documentation says that the client will be able to submit a certificate
only in the future, so it is good news that a method is available that
does not need it.

I wonder if there is a way to improve security in this. This uses the
Comodo CA root certificate. I would guess that there are many
certificates signed by Comodo. An owner of a signed certificate might
be able to exploit the Revolution SSL name-matching vulnerability
(bugzilla 2545). Perhaps security might be improved if you could use a
more specific root, perhaps one directly from authorize.net.

I noticed that CP response verification uses MD5, which Revolution can
do if it is desired.

Dar
--
**********************************************
DSC (Dar Scott Consulting & Dar's Lab)
http://www.swcp.com/dsc/
Programming Services and Software
**********************************************
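
Added example, not part of the original post and not Revolution code: a Python illustration of the check a client must make beyond validating the chain to a CA root, namely that the certificate's name matches the host it meant to reach, with an optional pin on the exact certificate standing in for the "more specific root" idea. The function names, the `.test` hostnames and the byte strings standing in for DER certificates are constructed for illustration; the certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against the host we meant to reach.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so "*.example.test" never matches "example.test"
    or "a.b.example.test".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse wildcards with fewer than two labels after them, e.g. "*.test".
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_names(cert: dict) -> list:
    """dNSNames from a dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback: commonName, only when no SAN dNSName is present.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def accept_peer(cert: dict, der: bytes, hostname: str, pin_sha256: str = None) -> bool:
    """Accept only if the name matches and, when a pin is set, the cert does too."""
    if not any(dns_name_matches(n, hostname) for n in cert_names(cert)):
        return False
    return pin_sha256 is None or hashlib.sha256(der).hexdigest() == pin_sha256


# Constructed sample data: both certificates are imagined to chain to the same CA root.
GATEWAY = {"subject": ((("commonName", "gateway.example.test"),),),
           "subjectAltName": (("DNS", "gateway.example.test"),)}
OTHER = {"subject": ((("commonName", "shop.other.test"),),),
         "subjectAltName": (("DNS", "shop.other.test"), ("DNS", "*.other.test"))}
GATEWAY_DER, OTHER_DER = b"constructed-der-gateway", b"constructed-der-other"
PIN = hashlib.sha256(GATEWAY_DER).hexdigest()

if __name__ == "__main__":
    print(accept_peer(GATEWAY, GATEWAY_DER, "gateway.example.test", PIN))  # True
    print(accept_peer(OTHER, OTHER_DER, "gateway.example.test", PIN))      # False
```

A client that skips the name comparison would treat both sample certificates as equally valid, since both chain to the same root.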