Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc Twitter: @jcleblanc
• Apple / Android pay type integrations
• Secure hardware prototype integrations with microelectronics
• Non-register integrations
• Generating, handling, and securing tokens
• Building an unbound physical payment architecture
• Creating secure payment transmission through potentially poorly secured hardware
A Bit on Tokens
Tokenization Luhn Algorithm
Token Durability Types
• Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred.
• Transaction: One time use, more secure, ideal for small businesses not tracking customers.
For our use case
Process: Create a surrogate value for customer credit card data
Attributes:
• 13 – 19 digits in length
• Passes Luhn check validation
The Luhn Algorithm
Starting Value: 4539248095434517
Reverse Digits: 7154345908429354
Multiply even digits by 2: 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8)
Subtract 9 from numbers above 9: 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8)
Sum all digits: 90
Mod 10 verify: 0 (remainder)
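The Luhn walk-through above, carried through to issuing a surrogate with the two attributes the slides require (13 to 19 digits, passes the Luhn check). This is an added example, not code from the talk; the function names and the `issued` set standing in for the vault's list of surrogates already handed out are assumptions.

```javascript
// Added example, not from the slides. `issued` is a hypothetical in-memory
// stand-in for the vault's record of surrogates that are already in use.
const { randomInt } = require('node:crypto');

// Luhn sum walking from the rightmost digit, as on the slide. `doubleFrom` is 1
// when the check digit is present (double every second digit) and 0 when it is
// still to be appended (the current last digit will land on a doubled slot).
function luhnSum(digits, doubleFrom) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === doubleFrom) {
      d *= 2;
      if (d > 9) d -= 9; // same as adding the two digits of the product
    }
    sum += d;
  }
  return sum;
}

// Surrogate attributes from the slide: 13 to 19 digits and a passing Luhn check.
function luhnValid(value) {
  return /^\d{13,19}$/.test(value) && luhnSum(value, 1) % 10 === 0;
}

// Digit that makes `partial + digit` pass the check.
function luhnCheckDigit(partial) {
  return String((10 - (luhnSum(partial, 0) % 10)) % 10);
}

// Draw digits from the CSPRNG, append the check digit, and redraw if the value
// was already issued, so one surrogate never maps to two payment tokens.
function issueSurrogate(length, issued) {
  if (!Number.isInteger(length) || length < 13 || length > 19) {
    throw new RangeError('surrogate length must be 13 to 19 digits');
  }
  for (let attempt = 0; attempt < 10; attempt++) {
    let body = '';
    for (let i = 0; i < length - 1; i++) body += randomInt(0, 10);
    const candidate = body + luhnCheckDigit(body);
    if (!issued.has(candidate)) {
      issued.add(candidate);
      return candidate;
    }
  }
  throw new Error('no unused surrogate found');
}
```

The slides do not say how a surrogate's leading digits are chosen, so this sketch draws every digit at random.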
Apple / Android pay tokenization system
EMV payment tokenisation specification
Merchant register is changed to hardware transfer bridge
Network handles direct merchant requests. Vault stores surrogate to token lookup.
Customer to Device Interaction
Secure Element Host-based Card Emulation
Arduino with NFC or BLE Shield
Beacon BLE Hardware
How do you protect privileged information during data transmission?
Asynchronous Cryptography: Securing Data Through Transmission
Device Fingerprinting
Getting Paired Devices
Example Payload for Risk Assurance Data
{
  requesterid: '1234',
  usertoken: '443478943234',
  device: { ... },
  payment: { price: '20.22', currency: 'CAD', quantity: '2' }
}
The API Network
API Endpoints Needed
• /device: issue / delete a requester ID for a verified hardware device or terminal.
• /pay: issue / update / cancel a verified payment from a customer.
• /key: issue / update / delete a new encryption key set for a customer device (phone).
When generating new user tokens, how can we reduce the possibility of token collision?
Using Respected Modules
Example Packages (Node)
• node-uuid
• hat
Reducing Collision Risk
• hat.rack() function
• Additional params to node-uuid or hat to further randomize the generated token
The Token Vault
Token Vault Security
• Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc).
• Secured internal network
• Strong cryptography and security protocols
• Restrict user access and roles to system
• System is protected from vulnerabilities
• ...
• Transactions are restricted to domains that are registered to valid token requesters.
Credit Card Vaulting
Credit Card Information
Address Information
Card Holder Name
...
7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866
https://developer.paypal.com/docs/api/vault/
CAP Theorem
• Consistency: Data to and from different nodes in the distributed system should always be identical.
• Availability: The vault is always available to service requests.
• Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
Multiple Record Storage
Surrogate Token     Payment Token            Delete
5256771698017130    d66f1af4671091353be4c    true
5355427967576526    d66f1af4671091353be4c    false
5535770792529787    7e29c5c48f4475523ef56    false
Wrapup Links
• Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html
• EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263
• Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto
• Android Build info: http://developer.android.com/reference/android/os/Build.html
Thank you!
Slides: slideshare.net/jcleblanc