Amaison Aug 5, 2006   12:14 AM GMT

in order to process payment on-line, you need two authentication: that of the customer and that of the merchant. if the transaction is at a point of sale with the merchant being on-line with a transaction processing terminal, the merchant authentication is installed within the machine and there is little to be added. the authentication of the customer can be done with a - single factor: the fact that he has a avlid credit card, which is quite weak authenticatino or with - two factors: - the fact that he as both a valid debit card and a unique password or two

0 pointsBadges:

Amaison Aug 5, 2006   12:17 AM GMT

in order to process payment on-line, you need two authentication: that of the customer and that of the merchant. if the transaction is at a point of sale with the merchant being on-line with a transaction processing terminal, the merchant authentication is installed within the machine and there is little to be added. the authentication of the customer can be done with a - single factor: the fact that he has a avlid credit card, which is quite weak authenticatino or with - two factors: - the fact that he as both a valid debit card and a unique password or - the fact that he as a smart card and a unique password or a biometric signature - three factors is rarely used in payment transaction. when payment is done through the internet, the merchant "terminal" is his web site that can be secured with SSL. but the authentication of the customer is very weak and is the major source of impersonation. two

0 pointsBadges:

ITDefensePatrol Aug 7, 2006   10:32 AM GMT

I mostly agree with previous. Note SSL is susceptible to man-in-the-middle attack. I assume you are merchant. You payment processor probably has guides. VISA also has guides (or is that Mastercard?). Verisign is a good source for authent. Others like PayPal also a good resource (for outsourcing heavy work). Go strong. Banks are required (newly in effect) to use strong auth (password insufficient) - see FFIEC guidances. All these have extensive guidance. Even you aren't required to follow these, not a bad idea - your bank, payment proc or other may make you do it anyways (now? later?). Get ahead of the issue now. password not acceptable. SSL basically OK (for now), but some risk.

0 pointsBadges:

TIMWATSON Aug 17, 2006   11:30 AM GMT

YOU MAY WISH TO CONSIDER A FREERADIUS SERVER, FREERADIUS DOT ORG, RUNNING SMALL WEB SERVER SOFTWARE SUCH AS ACME DOT COM. A LITTLE FAR OUT..., LINUXVIRTUALSERVER DOT ORG, ALONG WITH HEARTBEAT (INFO AT LVS DOT ORG (ABOVE)), AND THEN BEGIN ENCRYPTION HARDWARE/SOFTWARE BUILD USING ABOVE US A BASELINE. TIM.

0 pointsBadges: