0

For my final project in college I want to write my own payment processing system. It would have a backend payment processing server and client (merchant) frontend.

I would like to have the backend run and wait for connections/transactions from the client server i.e. the merchant. The backend would then do its magic and send a response to the merchant saying whether or not the payment was authorised.

I am aware of the difference between a payment processor and a bank. I want to develop the payment processor side and not the bank, nor will this system intergrate with any real banks or use real money.

In practice the payment processor talks to the issuing bank and gets authorization there. I think I could use a simple DB table of account numbers and balance for this. i.e. does the customer have enough money or not.

I want my main area of focus on this project to be on writing the backend server to be robust and handle requests concurrently. I also want to concentrate on encryption and security etc between client and server. I would like to study the PCI compliance regulations etc.

It is now early November with the deadline for the whole project in mid March 2012.

What do you guys think of my idea and do you think I could achieve something worthwhile given the time?

John Conde
  • 217,595
  • 99
  • 455
  • 496
jim
  • 8,670
  • 15
  • 78
  • 149
  • Are you planning to build also the ISO 8583 compliant messages handler (that's the core of the authorization tasks) ? Are you planning to add also 3DSec (VISA) or SecureCom (MSC) support ? – BigMike Nov 04 '11 at 10:18

2 Answers2

2

You could probably do a fairly decent job of mocking one up. In practice, most of the payment gateways wrap a lower level switch with their own communication scheme so they can integrate value-added services like fraud detection. Implementing low-level communication standards is really not required. If you want to do a decent mock-up and not spend time writing a lot of stuff from scratch, stick to the more business oriented tools with Java or .Net.

I'd suggest making a web service definition using IIS/.Net or Tomcat/JBoss/Java to define how your authorization and settlement is going to work. You can implement just about anything required by PCI DSS using tools available in the .Net/Java core libraries without having to resort to third party libraries.

  • Ok, well i've been doing some reading up on PCI DSS. I'd really like to write something that is compliant, that would get my project some serious recognition I think. I was unable to find any documents on the requirements for software programs to get approved. Any documents I found were related to merchants infrastucture etc. Any links to such documents or any guidance? Thanks. – jim Nov 05 '11 at 19:48
  • You need to look at the PA-DSS (Payment Application Data Security Standard, formerly known as PABP). This is the type of certification you seek if you are a software publisher that creates software that processes credit cards. PCI-DSS is, as you have seen, encompassing both software and infrastructure. –  Nov 05 '11 at 23:28
  • Cool, I found that shortly after posting my last comment. It looks like it may be achievable. Thanks for your help :) – jim Nov 06 '11 at 13:30
2

A very similar question has come up before, and I answered here

You might have a few minor misconceptions though. Payment Service Processors (or PSPs) will generally speak to an acquiring bank. It is the acquiring bank that then (behind the scenes) redirects an authorization request to the relevant card issuer. It is done this way because the acquiring bank (same bank used by your merchant) wants to try and ensure you only settle money into (or withdraw money from, for refunds) the bank account that has been authorised.

If you wanted to have the software accredited, then you would do that with each acquiring bank you want to support, but it would involve you fully implementing the communications to the merchant bank for both authorization requests and end-of-day settlement. If this is just a mockup system then going through accreditation would be a major hurdle, and most likely infeasable with the timescale you suggested.

Instead I would focus on the challenges that PCI-DSS compliance presents. Encrypting card details is the easy bit. Writing a secure key management system is much more challenging. The overall goal would be to encrypt your card details to a database, and allow your merchants to reference those card details by unique token ids. This is the general model that PSP's adapt so that the token id can be passed to/from your merchants safely, whilst the card details themselves are kept secure, and only decrypted during communication to the merchant bank (for authorization/settlement etc)

If you wanted to keep things simple, then instead you could focus on validating the communications from the merchants that would be using your service. You could (eg) ensure that the merchant only attempts to settle an amount less (or equal to) an amount already authorised against a particular card. You could have safeguards to prevent merchants from mistakenly flooding the service with auth requests (which could rapidly drain a cardholders available funds!)

Good luck, its a great idea with plenty of scope.

Community
  • 1
  • 1
PaulG
  • 13,871
  • 9
  • 56
  • 78