University of Washington B2C Credit Card Infrastructure

Copyright University of Washington (Joe Frost, Scott B. Stephenson, Marcia Tufarolo) 2002. This work is the intellectual property of the Authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

UW Web Credit Card Application

Client Services Project Consulting
• Project Review – Marcy Tufarolo
• Architecture & Security – Scott Stephenson
• Application Demo – Joe Frost
• Q&A
Project Goal
• Central infrastructure: Web-based credit card purchases
• Available to all UW areas

UW Web Credit Card Application
• Standard Methods
• Secure Installation
• Economies of Scale
• Mainstream the Expertise

Project Approach
• Advisory Committee
• Project Team

Project Approach
• Research
  – Internal
  – External

Project Approach
• Build vs Buy
  – Security
  – Credit Card # not stored
  – Co-branding
  – Flexibility to change vendor
  – Integrate with UW banking

Project Approach
• Implementation
  – Design
  – Development
Application Overview

Major Processes
• Transaction Authorization
• Transaction Processing
• Settlement
• Standard Reporting
• Administrative Functions

Interfaces
• Departmental Application
• Generic Application
  – UW Web Conference
  – UW Web Donation
  – UW Web Store

Example Installations
• UW Tuition
• UW Computer Training
• Health Policy Conference
• KEXP Pledge Drive

Example Expansions
• Housing & Food Services
• Husky Store
• UWMC Gift Shop

Cost Recovery
• Self-Sustaining Operation
• Multiple Cost Models
  – Fixed fee per transaction
  – Percent of transaction

Cost Recovery
• Recharge Module in Web CC
• Annual Review of Rates
Client Services Project Consulting
• Project Review – Marcy Tufarolo
• Architecture & Security – Scott Stephenson
• Application Demo – Joe Frost

Design Challenges
• Open Architecture
• Security
• Performance, Stability & Scale

Open Architecture
• Provide a central, UW-wide service
• Integrate with departmental Web Apps
• Support all UW platforms and databases

Open Architecture
• Work with UW financial systems
• Work with UW banking structure
• Be secure, secure, secure!

Open Architecture Solution
• Well-defined protocol layered on top of SSL (https)
Payment Process
(Diagram: messages exchanged between the Department Server, the UW Web Credit Card Server and the Processing Vendor, one step per slide.)
1. Checkout Page
2. Checkout Request
3. Purchase Data Request
4. Purchase Data
5. Purchase Request Page
6. Purchase Request
7. Purchase Confirmation Page
8. Purchase Confirmation
9. Authorization Request
10. Authorized
11. Confirm Payment
12. Purchase Successful
13. Purchase Receipt
Security Highlights
• Java and ASP, Win2K and IIS
• Credit card data never stored
• SSL for all network communications

Security Highlights
• Admin functions have 6 levels of access control
• Admin actions have an audit trail
• Financial transactions use RSA SecurID
• Data is encrypted and encoded

Security Details
• Triple-DES encryption using Cryptix class libraries
• Base64 ASCII encoding at 6-bit boundaries and padded
• Objects compressed with GZIP

Security Details
• MD5 digest ensures objects are not tampered with during transmission
• Cookies are secure, scoped to the server, volatile and W3C P3P compliant
• Purchase session expires after 15 minutes

Security Details
• Objects tied together with creation timestamp so they cannot be used independently
• Completed, cancelled or expired purchase sessions cannot be reused
• Pages have 'Pragma: no-cache' header and are immediately expired
Security Details
• Example of encrypted and encoded data (sample string not reproduced)
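The envelope properties the Security Details slides list (objects tied to a creation timestamp, a digest check, a 15-minute session expiry, and no reuse of completed, cancelled or expired sessions), worked through as an added Python example that is not the UW project's code. The Triple-DES layer is left out, the key, session identifiers and amounts are constructed, and the digest is keyed (HMAC-MD5) because an unkeyed MD5 over data the sender of a tampered object can rewrite does not by itself detect tampering.

```python
import base64, gzip, hashlib, hmac, json

# Constructed example values (not from the UW deployment).
SESSION_TTL = 15 * 60            # purchase session expires after 15 minutes
KEY = b"constructed-demo-key"    # assumed shared secret; the slides do not describe key handling
TAG_LEN = 16                     # MD5 output length in bytes

def seal(obj, created, key=KEY):
    """Tie obj to its creation timestamp, GZIP it, append a keyed digest, then Base64-encode.
    The slides describe an unkeyed MD5; HMAC-MD5 is used here so that altering the body
    without the key is detected."""
    body = gzip.compress(json.dumps(dict(obj, created=created), sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.md5).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

class PurchaseSessions:
    """Tracks session state so completed, cancelled or expired sessions cannot be reused."""
    def __init__(self):
        self.finished = {}       # session_id -> "completed" | "cancelled" | "expired"

    def accept(self, token, session_created, now, key=KEY):
        """Return (verdict, obj); verdict is 'ok' or the reason the object was rejected."""
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # Integrity check first, before decompressing or parsing anything.
        if not hmac.compare_digest(hmac.new(key, body, hashlib.md5).digest(), tag):
            return "tampered", None
        obj = json.loads(gzip.decompress(body))
        if obj["created"] != session_created:
            return "wrong-session", None      # object belongs to a different purchase session
        if now - obj["created"] > SESSION_TTL:
            self.finished[obj["session_id"]] = "expired"
            return "expired", None
        if obj["session_id"] in self.finished:
            return "reused", None             # completed, cancelled or expired sessions are dead
        return "ok", obj

    def finish(self, session_id, outcome):
        """Record the terminal outcome ("completed" or "cancelled") of a session."""
        self.finished[session_id] = outcome

def flip_byte(token, index=2):
    """Constructed tampering for the demo: alter one byte of the body and re-encode."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```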
Performance, Stability & Scale
• Web Servers
  – Win2K and IIS
  – Virtual host: load balanced at n+1
  – Hot-swappable & interchangeable

Performance, Stability & Scale
• Web Servers
  – Minimal server-side caching reduces memory consumption
  – Automatic monitoring with failures escalated to pagers
  – Leverage UW DRBR (disaster recovery)

Performance, Stability & Scale
• Database Servers
  – Win2K and MS-SQL
  – Primary and secondary with mirrored disk
  – Tape backup every two hours
  – Minimal database activity

Performance, Stability & Scale
• Database Servers
  – File UDL for easier fail-over
  – Automatic monitoring with failures escalated to pagers
  – Leverage UW DRBR
Client Services Project Consulting
• Project Review – Marcy Tufarolo
• Architecture & Security – Scott Stephenson
• Application Demo – Joe Frost

Demonstration
• UW Computer Training
• UW Web Donation
• UW Web Credit Card

UW Computer Training
• Existing system
• Java, Informix, Apache Server
• Department application interface – C&C Link

UW Web Donation
• New System
• ASP, MS-SQL, IIS
• Generic Donation Link

UW Web Credit Card
• ASP, Java, MS-SQL, IIS
• Multiple Levels of Security – Central User Link

UW Web Credit Card Application
Client Services Project Consulting
projects@cac.washington.edu
http://depts.washington.edu/cac/projects