Multibase provides a number of methods to ePay users for the development of web-page or program interfaces to ePay.
Using the mobile phone network for credit card clearance
Except for the security requirement, a cellular phone network interface to ePay is a simple application. Basically, all that is required is to establish a connection to the server, send the details and wait for a response.
However, the Australian banking system will not accept transactions from a system that does not adequately address the security of the credit card clearing request.
The mobile phone networks support encryption at the transport layer, but that encryption only covers the wireless component of an Internet connection. Once the request leaves the wireless network and enters the Internet, the connection is in clear text.
If a mobile phone based Internet connection can support 40- or 128-bit SSL via an HTTPS POST, then there is end-to-end encryption and the standard methods can apply. If not, there is an alternative.
Mobile phone network interface via Triple DES encryption
Multibase has devised an alternative to SSL and HTTPS POST. This method relies on a simple TCP/IP connection to a Multibase-developed TCP/IP server and uses Triple DES (TDES) encryption to provide security where necessary. For the purposes of this document, the Multibase TCP/IP server and its supporting database will be referred to as cellPay.
In this solution, the interface to the ePay system is implemented partly on the portable card reader and partly in cellPay.
cellPay process
One real-life solution that has been implemented, used by independent contractors working through a single merchant, is as follows.
When a contractor is issued with a card reader, the reader will be initialised with a terminal ID. Details of the card reader will be registered in the cellPay database via a secure web page interface.
To initiate transactions through the card reader, the contractor will log in to the card reader.
For each credit card transaction, a message is sent to the cellPay server, including a TDES-encrypted data package containing the information necessary for the clearance and other information that needs to be.
The cellPay program decrypts the package and compares it with the information stored in its database. If they match, the transaction package will be considered valid and the transaction will be prepared to be sent to the banking system for clearance.
If the information does not match, either the terminal is not active or there has been an attempt to crack the system. In either case, an error response will be logged and sent back to the card reader.
If the package is valid, the cellPay server will generate a unique order number and, using the merchant ID from the database together with the other information from the decrypted package, will create an ePay request. This request will be logged and sent to the Multibase ePay server gateway.
In essence, the cellPay server will act as a ‘proxy’ for the card reader and process a ‘normal’ ePay transaction.
The result from the banking system will be logged and returned to the card reader in clear text. There is no need to encrypt any response as encryption is only required to protect credit card numbers. The response codes returned from the banking system will be stored in the ePay database in full but a simplified set of response codes will be used in responding to the card reader.
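The package check described above, as an added example in Go that is not Multibase's or cellPay's own code: a registry standing in for the cellPay database, the TDES step shared by reader and server, and the validation that decides which simplified response goes back to the reader. The cipher mode (CTR), the "login|card|expiry|amount" field layout, the response code names and the assumption that the 8-byte IV travels in clear with each package are all assumptions, since the page only states that the package is TDES-encrypted.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"strings"
)

// Terminal is what the cellPay database holds for one card reader (assumed schema).
type Terminal struct {
	Key    []byte // 24-byte TDES key loaded when the reader was initialised
	Login  string // contractor login expected inside every package from this reader
	Active bool   // cleared when the merchant switches the terminal off
}

// registry stands in for the cellPay database (constructed sample data).
var registry = map[string]Terminal{
	"T001": {Key: []byte("0123456789abcdefghijklmn"), Login: "contractor42", Active: true},
	"T002": {Key: []byte("abcdefghijklmn0123456789"), Login: "contractor07", Active: false},
}

// TDESPackage applies TDES-CTR (the mode and the "login|card|expiry|amount" layout are
// assumptions); one call encrypts on the reader and decrypts on the cellPay server.
func TDESPackage(key, iv, data []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// ValidatePackage is the cellPay side: decrypt with the stored key, compare the
// contents with the database and return the simplified clear-text response code.
func ValidatePackage(terminalID string, iv, pkg []byte) string {
	t, ok := registry[terminalID]
	if !ok || !t.Active {
		return "ERR_TERMINAL" // unknown or switched-off terminal: log and reject
	}
	plain, err := TDESPackage(t.Key, iv, pkg)
	f := strings.Split(string(plain), "|")
	// TDES alone gives no integrity check: a wrong key or a tampered package is
	// caught only because the decrypted login no longer matches the database.
	if err != nil || len(f) != 4 || f[0] != t.Login {
		return "ERR_PACKAGE" // log and reject
	}
	return "OK" // valid: cellPay now builds the ePay request and forwards it
}
```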
Management of the system
Management interface: The cellPay management web site will be accessed through ePay’s existing Merchant Administration Centre, with a single login for the merchant administrator. Here, they will be able to access the various administration functions.
Set up terminals: The merchant can set up and switch off terminals, with immediate effect. Limits can be set on number or dollar value of transactions per period and/or per credit card per period.
Transaction reports: Reports of each transaction processed can be viewed online from the standard ePay Merchant Administration Centre, as well as the Camtech online reports. Reports can cover the merchant as a whole, as well as individual terminals.
Refunds: Refunds cannot be processed from the card reader. This is done from the standard ePay Merchant Administration Centre.
Stolen card reader or login details: If the system is compromised in any way, the login / terminal ID combination can be ‘switched off’ on the cellPay server.