The future of retail is in removing the divide between the offline shopping state and the enhanced online buying experience. To create this type of enhanced retail experience, we can remove complexities in the process, such as simplifying checkout. In this session we’ll learn how to use internet-connected microelectronics to attach to a buyer’s mobile device to provide the functionality to buy products right from the aisle.
 
                
Creating an In-Aisle Purchasing System from Scratch Jonathan LeBlanc Twitter: @jcleblanc
• Apple / Android pay type integrations • Secure hardware prototype integrations with microelectronics • Non-register integrations
• Generating, handling, and securing tokens • Building an unbound physical payment architecture • Creating secure payment transmission through potentially poorly secured hardware
Tokenization Luhn Algorithm
Token Durability Types • Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred. • Transaction: One time use, more secure, ideal for small businesses not tracking customers.
For our use case
• Process: Create a surrogate value for customer credit card data
• Attributes: 13 – 19 digits in length; passes Luhn check validation
The Luhn Algorithm
• Starting value: 4539248095434517
• Reverse digits: 7154345908429354
• Multiply even digits by 2: 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8)
• Subtract 9 from numbers above 9: 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8)
• Sum all digits: 90
• Mod 10 verify: 0 (remainder)
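The Luhn steps above and the surrogate attributes (13 to 19 digits, passes the Luhn check) can be combined into a small generator. This is an added example in Node, not code from the original slides; the function names `luhnSum`, `luhnValid` and `generateSurrogate` are assumptions made for illustration.

```javascript
// Added example (not from the original slides): Luhn validation and
// surrogate token generation. All function names are hypothetical.
const { randomInt } = require('crypto');

// Steps from the slide: reverse the digits, double every second one,
// subtract 9 from any doubled value above 9, then sum everything.
function luhnSum(digits) {
  return digits
    .split('')
    .reverse()
    .map(Number)
    .reduce((sum, d, i) => {
      if (i % 2 === 1) {
        d *= 2;
        if (d > 9) d -= 9;
      }
      return sum + d;
    }, 0);
}

// Valid when the value is 13-19 digits long and the sum is a multiple of 10.
function luhnValid(digits) {
  return /^\d{13,19}$/.test(digits) && luhnSum(digits) % 10 === 0;
}

// Build a surrogate: random body from the CSPRNG plus a computed check digit.
function generateSurrogate(length = 16) {
  if (!Number.isInteger(length) || length < 13 || length > 19) {
    throw new RangeError('surrogate length must be 13-19 digits');
  }
  let body = '';
  for (let i = 0; i < length - 1; i++) body += randomInt(0, 10);
  // With a placeholder 0 appended, the check digit is whatever
  // brings the Luhn sum up to the next multiple of 10.
  const check = (10 - (luhnSum(body + '0') % 10)) % 10;
  return body + check;
}
```

A passing Luhn check only makes the surrogate format-compatible with card numbers; uniqueness still has to be checked against the vault's surrogate-to-token lookup.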
Apple / Android pay tokenization system EMV payment tokenisation specification
Network handles direct merchant requests. Vault stores surrogate to token lookup. Merchant register is changed to hardware transfer bridge
Host-based Card Emulation Secure Element
How do you protect privileged information during data transmission?
Asymmetric Cryptography: Securing Data Through Transmission
Example Payload for Risk Assurance Data
{
  requesterid: '1234',
  usertoken: '443478943234',
  device: { ... },
  payment: { price: '20.22', currency: 'CAD', quantity: '2' }
}
API Endpoints Needed
• /device: issue / delete a requester ID for a verified hardware device or terminal.
• /pay: issue / update / cancel a verified payment from a customer.
• /key: issue / update / delete a new encryption key set for a customer device (phone).
When generating new user tokens, how can we reduce the possibility of token collision?
Using Respected Modules
Example Packages (Node)
• node-uuid
• hat
Reducing Collision Risk
• hat.rack() function
• Additional params to node-uuid or hat to further randomize the generated token
Token Vault Security
Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc).
• Secured internal network
• Strong cryptography and security protocols
• Restrict user access and roles to system
• System is protected from vulnerabilities
• ...
• Transactions are restricted to domains that are registered to valid token requesters.
Credit Card Vaulting https://developer.paypal.com/docs/api/vault/ Credit Card Information 7e29c5c48f44755598dec3549155ad6 6f1af4671091353be4c4d7694d71dc8 66 Address Information Card Holder Name ...
CAP Theorem
• Consistency: Data to and from different nodes in the distributed system should always be identical.
• Availability: The vault is always available to service requests.
• Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
Multiple Record Storage
Surrogate Token  | Payment Token         | Delete
5256771698017130 | d66f1af4671091353be4c | true
5355427967576526 | d66f1af4671091353be4c | false
5535770792529787 | 7e29c5c48f4475523ef56 | false
Wrapup Links
• Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html
• EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263
• Asymmetric cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto
• Android Build info: http://developer.android.com/reference/android/os/Build.html
Thank you! Slides: slideshare.net/jcleblanc Jonathan LeBlanc Twitter: @jcleblanc