I'm researching authentication methods, trying to determine what method is best for allowing customers to make payments online. Which, in your opinion, is best?
In order to process a payment on-line, you need two authentications: that of the customer and that of the merchant.
If the transaction is at a point of sale with the merchant being on-line with a transaction processing terminal, the merchant authentication is installed within the machine and there is little to be added.
The authentication of the customer can be done with a
- single factor: the fact that he has a valid credit card, which is quite weak authentication; or with
- two factors:
  - the fact that he has both a valid debit card and a unique password, or
  - the fact that he has a smart card and a unique password or a biometric signature;
- three factors: rarely used in payment transactions.
When payment is done through the internet, the merchant "terminal" is his web site, which can be secured with SSL. But the authentication of the customer is very weak and is the major source of impersonation.
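The reply above describes the customer's two factors as possession of a valid card plus knowledge of a password. The following is an added example, not code from any poster, of how a merchant back end could check the two factors separately and allow the payment only when both pass; the PBKDF2 work factor, the enrolment record, the fixed "today" date and the test card number are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Optional, Set, Tuple

PBKDF2_ROUNDS = 200_000          # assumption: work factor chosen for this example
TODAY = date(2024, 6, 15)        # constructed fixed date so the example is reproducible


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum over the primary account number (format validity only)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_valid(pan: str, exp_year: int, exp_month: int, today: date) -> bool:
    """Possession factor: well-formed PAN that is valid through the end of its expiry month."""
    return luhn_valid(pan) and (exp_year, exp_month) >= (today.year, today.month)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Knowledge factor at enrolment: store a salted PBKDF2-HMAC-SHA256 hash, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_valid(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def authenticate_customer(pan: str, exp_year: int, exp_month: int, password: str,
                          record: dict, today: date = TODAY) -> Set[str]:
    """Return the set of factors that passed; each factor is evaluated independently."""
    factors = set()
    if card_valid(pan, exp_year, exp_month, today):
        factors.add("possession")
    if password_valid(password, record["salt"], record["pw_hash"]):
        factors.add("knowledge")
    return factors


def payment_allowed(factors: Set[str]) -> bool:
    """Two-factor policy: a valid card alone (single factor) is not enough."""
    return {"possession", "knowledge"} <= factors


# Constructed enrolment record; 4111111111111111 is a widely used Luhn-valid test number.
SALT, PW_HASH = hash_password("correct horse", salt=b"\x00" * 16)
RECORD = {"salt": SALT, "pw_hash": PW_HASH}
```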
I mostly agree with the previous reply. Note that SSL is susceptible to man-in-the-middle attacks.
I assume you are a merchant. Your payment processor probably has guides. VISA also has guides (or is that Mastercard?). Verisign is a good source for authentication.
Others like PayPal are also a good resource (for outsourcing the heavy work).
Go strong. Banks are required (newly in effect) to use strong auth (password insufficient) - see the FFIEC guidance.
All these have extensive guidance. Even if you aren't required to follow these, it's not a bad idea - your bank, payment processor or others may make you do it anyway (now? later?). Get ahead of the issue now.
Password not acceptable. SSL basically OK (for now), but some risk.
You may wish to consider a FreeRADIUS server (freeradius.org), running small web server software such as acme.com. A little far out..., linuxvirtualserver.org, along with Heartbeat (info at lvs.org (above)), and then begin an encryption hardware/software build using the above as a baseline. Tim.