n9986 (Joined: 03/14/2009, Juice: 57)

Hi,

After some research I'll be starting work on implementing 3D Secure support in Ubercart which is independent of the gateway used. I have seen the USAePay module, but it does not have 3DSecure support in it.

There is also work done on Protx VSP Direct Payment Gateway. But this is again gateway dependent.
http://www.ubercart.org/contrib/5990

Another example is Turkish Banks Gateway which also has 3D secure support but is gateway dependent.
http://www.ubercart.org/contrib/5268

I am hoping to make it independent and supported in the base Ubercart so gateway implementations can just plug into it. Is there anyone already working on this? If so I'd be glad to help out.

Hoping for positive feedback.

Ryan (Joined: 08/07/2007, Juice: 15422)
Re: 3D Secure Support

I get this request all the time, to be honest, but have never had a moment to even research it.

If you can dig in and integrate this, that'd be awesome. I don't quite understand atm where it needs to fit into the normal flow of checkout. If you know this and just need some implementation advice, feel free to post for help in your thread here and I'll keep an eye on it.

Also, welcome aboard the forums!

n9986 (Joined: 03/14/2009, Juice: 57)
Thanks

Many thanks for the positive feedback and welcome.

I was in touch with the 3DSecure representatives over this and have been studying how it fits in. It seems 3DSecure sits in between the payment gateway and checkout. There are two API calls that we need to make based on the credit card information given by the user. Once this is done we send the response of the last API call over to the gateway. There are two values that need to be passed. Will give you more information on this once I am myself done with the study.

A good motive for this implementation is that I have seen many payment gateway modules having 3DSecure built in. From what I understand 3DSecure is a protocol and hence we should be able to abstract this and allow other gateways to just plug into this standalone 3DSecure module.

I'll come back here with my updates regularly on this and holler if some trouble occurs.

Also I was in the process of porting the USAePay module to 6.x but it seems I was defeated. (http://drupal.org/node/370398)

n9986 (Joined: 03/14/2009, Juice: 57)
Research and Findings

Hi,

I have started work on this after research. I'd like to post my findings on the 3DSecure system here.

The 3DSecure system requires interaction between various parties to authenticate. I am giving a top level generic view of how the data flows.

1. The merchant needs to subscribe to a Merchant Plug-in (MPI) and an Access Control Server (ACS). Wikipedia[1] speaks in detail about what these are.

2. When a buyer checks out, his payment information is collected and sent by the merchant to the MPI as an authentication request.

3. Once the MPI confirms, the merchant will redirect the user to the ACS for actual authentication.

4. The reply of a successful authentication from the ACS is received by the merchant.

5. The merchant sends this information back to the MPI, which processes it and gives some values.

6. These values can then be sent to the payment gateway to avail the benefits of this authentication.

So the actual flow is:

Merchant -> MPI -> Merchant -> ACS (Customer redirect) -> Merchant -> MPI -> Merchant -> Gateway

The Merchant -> MPI -> Merchant calls can be implemented through cURL.

Merchant -> ACS (Customer redirect) -> Merchant calls are usually done through an inline frame or by redirecting the user fully to another page (which will not give consistent site branding). Wikipedia has an interesting write-up on the same page on all the issues concerning the different approaches.

So any 3DSecure implementation can be worked out if there exists:

- A 3D Secure basic protocol module (which does all the data throwing between entities, and the one I am creating right now)
- An MPI module (these calls tend to be specific to every MPI, hence they can be abstracted in an MPI module)
- A Gateway module (many of these already exist)

Therefore, the 3DSecure module:
1. Calls the MPI module for the authentication request.
2. Handles the ACS authentication based on the MPI reply.
3. Gives the response from the ACS to the MPI module.
4. Passes the processed data received from the MPI to the gateway module.

Where,
PAReq = Verify Enrollment Request

I am new to module creation and wondering if this is the right approach. Will need to learn quite a bit of stuff.

I am trying to code this now and any feedback on possible advice/guidelines is greatly appreciated.

References:
[1] http://en.wikipedia.org/wiki/3-D_Secure
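The flow laid out in the post above, run end to end as an added example (not code from the post or from Ubercart). The MPI, ACS and gateway are constructed stand-ins so the exchange runs offline: the message formats (`pareq`, the `"<pareq>:<outcome>"` reply, the `eci`/`cavv` fields) and the policy that a failed or replayed authentication never reaches the gateway are assumptions made for this illustration, not any provider's real API.

```python
"""Gateway-independent 3-D Secure orchestration (added illustration).

Models: Merchant -> MPI -> Merchant -> ACS (customer redirect) -> Merchant -> MPI -> Merchant -> Gateway
The MPI, ACS and gateway classes are constructed stand-ins, not real provider APIs.
"""
from dataclasses import dataclass
import secrets


@dataclass
class EnrollmentReply:
    """MPI answer to the enrollment check (Merchant -> MPI, first hop)."""
    enrolled: bool
    acs_url: str = ""
    pareq: str = ""      # opaque payload the customer's browser carries to the ACS


@dataclass
class AuthResult:
    """MPI answer after validating the ACS reply (Merchant -> MPI, second hop)."""
    status: str          # 'Y' authenticated, 'N' failed, 'U' no authentication available
    eci: str = ""        # constructed names for the values handed on to the gateway
    cavv: str = ""


class FakeMpi:
    """Constructed MPI: card refs ending in 0002 are 'not enrolled'; each PAReq is single-use."""

    def __init__(self):
        self._pending = set()

    def verify_enrollment(self, card_ref: str, amount: int) -> EnrollmentReply:
        if card_ref.endswith("0002"):
            return EnrollmentReply(enrolled=False)
        pareq = secrets.token_hex(8)
        self._pending.add(pareq)
        return EnrollmentReply(True, "https://acs.example/auth", pareq)

    def validate_authentication(self, pares: str) -> AuthResult:
        # Constructed reply format '<pareq>:<outcome>'; a real PARes is a signed XML document.
        pareq, _, outcome = pares.partition(":")
        if pareq not in self._pending:
            return AuthResult("N")           # unknown or replayed PAReq is treated as failed
        self._pending.discard(pareq)         # consume it so the same PARes cannot be reused
        if outcome == "ok":
            return AuthResult("Y", eci="05", cavv=secrets.token_hex(10))
        return AuthResult("N")


class FakeAcs:
    """Constructed ACS: the cardholder passes by entering the expected code."""

    def __init__(self, correct_code: str = "1234"):
        self.correct_code = correct_code

    def authenticate(self, pareq: str, customer_code: str) -> str:
        return f"{pareq}:{'ok' if customer_code == self.correct_code else 'fail'}"


class FakeGateway:
    """Constructed gateway: records whatever authentication data it was handed."""

    def __init__(self):
        self.charges = []

    def charge(self, order_id: str, amount: int, auth: AuthResult) -> dict:
        rec = {"order": order_id, "amount": amount,
               "status": auth.status, "eci": auth.eci, "cavv": auth.cavv}
        self.charges.append(rec)
        return rec


class ThreeDSecureFlow:
    """The protocol module: knows the MPI and gateway only as pluggable objects."""

    def __init__(self, mpi, gateway):
        self.mpi, self.gateway = mpi, gateway

    def start(self, order_id: str, amount: int, card_ref: str) -> dict:
        """First hop to the MPI; either redirect the customer or go straight to the gateway."""
        reply = self.mpi.verify_enrollment(card_ref, amount)
        if not reply.enrolled:
            return {"next": "gateway",
                    "charge": self.gateway.charge(order_id, amount, AuthResult("U"))}
        return {"next": "redirect", "acs_url": reply.acs_url, "pareq": reply.pareq}

    def complete(self, order_id: str, amount: int, pares: str) -> dict:
        """The ACS reply came back via the customer: validate with the MPI, then charge."""
        auth = self.mpi.validate_authentication(pares)
        if auth.status == "N":
            return {"ok": False, "reason": "cardholder authentication failed"}
        return {"ok": True, "charge": self.gateway.charge(order_id, amount, auth)}


def run_checkout(customer_code: str, card_ref: str = "4111") -> dict:
    """Drive one checkout through all hops with the constructed parties."""
    mpi, acs, gateway = FakeMpi(), FakeAcs(), FakeGateway()
    flow = ThreeDSecureFlow(mpi, gateway)
    step = flow.start("order-1", 1999, card_ref)
    if step["next"] == "gateway":
        return {"ok": True, "charge": step["charge"]}
    pares = acs.authenticate(step["pareq"], customer_code)   # the browser round trip
    return flow.complete("order-1", 1999, pares)


if __name__ == "__main__":
    print(run_checkout("1234"))
```

The point of the split is that `ThreeDSecureFlow` never inspects MPI- or gateway-specific fields; a real MPI module only has to return the two dataclasses, and a gateway module only has to accept an `AuthResult`. Consuming the PAReq on validation is what stops a captured ACS reply from being submitted twice.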

n9986 (Joined: 03/14/2009, Juice: 57)
Problem with Credit Card number

Hi,

I have been implementing this and so far it's going great. I am almost done and the problem I am having is that I cannot access the *full* credit card number at the last stage. As expected I get only the last 4 digits.

Merchant -> MPI -> Merchant -> ACS (Customer redirect) -> Merchant -> MPI -> Merchant -> Gateway

In this flow when I pass the received information from the MPI to the gateway the CC info that the gateway tries to access is truncated.

I am totally stumped as to how to proceed from here. Where can I store the credit card number or how can I get it? I don't want to store it anywhere because I am sure that's the wrong way.

Any help is greatly appreciated.

n9986 (Joined: 03/14/2009, Juice: 57)
Anyone?

Been asking this in IRC as well but no replies? Am I asking something really weird?

Come on folks, some help please! Even if it's to scold me that I am doing something really horrible!

Btw, the only way I can think of is to ask the user for his credit card number once again. I don't know if that's a good idea.

n9986 (Joined: 03/14/2009, Juice: 57)
Never Mind

Ah well never mind. After a lot of research and reading I managed to find a reasonably secure method.

My inspiration basically comes from http://www.ubercart.org/forum/bug_reports/4962/pci_dss_session_handling_... and the fact that PCI standards do actually allow storage of PAN number in encrypted form.

When the credit card data is first submitted, the only time I have access to the whole card number, I grab the first 12 digits of the card and store them in the session, encrypted using Ubercart's own encryption. Drupal sessions are not stored in files (which can be accessed by others) but in the database (so an added plus). Once the full card number is required I decrypt the 12 digits from the session, remove the session entry (to allow only one call to this), then fetch the last four digits from the standard order details and make the call to the gateway. So this session entry lasts only for the duration of this whole procedure. Kinda hackish but it seems good to me after having discussed it with some folks.

So according to the PCI standards:
- I am not storing the whole PAN at any given time in a single consolidated location (which is actually allowed in encrypted form, http://www.ubercart.org/files/pci-dss-storage.png) but in broken form and encrypted at that.
- I am not storing any other details which are not permitted to be stored (like the CVV).
- The only detail that can be used to get the whole card number, i.e. the 12 digits, is stored only for the duration of the transaction. And this is only possible if the server is compromised. Then we have a whole host of other problems on our hands, as mentioned by Ryan in the other post.

So I guess I am done with the modules, and they are pretty easy to implement in existing gateways and can be extended with MPI modules quite effortlessly. Now I'll see how to contribute them here.
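The one-shot stash described in the post above, as an added example that is not the poster's module or Ubercart code. It keeps everything but the last four digits encrypted in a server-side session slot (a plain dict here, with a constructed slot name `threeds_pan_head`), lets that slot be read exactly once, and rebuilds the full number from it plus the last four digits the order record keeps. The session dict, the slot name and the key handling are assumptions; the cipher is an encrypt-then-MAC stream built from HMAC-SHA256 so the block runs on the standard library alone, and a real deployment would use an AEAD such as AES-GCM instead.

```python
"""One-shot encrypted stash for the leading PAN digits (added illustration)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a deterministic keystream for one (key, nonce) pair."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC(nonce || ciphertext), with a fresh nonce per call."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a modified blob raises instead of yielding garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stash tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class OneShotPanStash:
    """Holds the PAN head for one transaction; `take` removes it so it cannot be read twice."""

    SESSION_KEY = "threeds_pan_head"   # constructed session slot name

    def __init__(self, key: bytes, session: dict):
        self.key = key                 # assumed to come from server config, never from the session
        self.session = session

    def put(self, pan: str) -> str:
        """Stash everything but the last four digits; return the last four for the order record."""
        if not pan.isdigit() or len(pan) <= 4:
            raise ValueError("PAN must be a digit string longer than four characters")
        self.session[self.SESSION_KEY] = seal(self.key, pan[:-4].encode())
        return pan[-4:]

    def take(self, last4: str) -> str:
        """Rebuild the full PAN exactly once; the slot is popped before decryption."""
        blob = self.session.pop(self.SESSION_KEY, None)
        if blob is None:
            raise LookupError("no PAN head stashed for this session (already used?)")
        return unseal(self.key, blob).decode() + last4

    def pending(self) -> bool:
        return self.SESSION_KEY in self.session


if __name__ == "__main__":
    session, key = {}, secrets.token_bytes(32)
    stash = OneShotPanStash(key, session)
    last4 = stash.put("4111111111111111")         # constructed test card number
    print("order keeps:", last4, "| session holds ciphertext:", stash.pending())
    print("gateway call gets:", stash.take(last4), "| slot left:", stash.pending())
```

Popping the slot before decrypting is what makes the window single-use even if decryption fails; and because the tag covers the nonce and ciphertext, a session row altered in the database cannot be turned into a different card number, only into an error. Using all digits but the last four, rather than a fixed twelve, makes the same code work for card numbers of any length.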

n9986 (Joined: 03/14/2009, Juice: 57)
Completed and Secure

Just thought I'd update this thread.

I completed the 3D-Secure module and it's now even PCI compliant, certified by an official security audit. I will upload the module here later next week.

Ryan (Joined: 08/07/2007, Juice: 15422)
Re: Completed and Secure

Awesome news! Thanks for taking this on.

cheokpl (Joined: 10/11/2009, Juice: 2)
3D Secure - MPI

Why do we need to provide an API for the merchant to integrate with the MPI server? If I develop the MPI server as a web service, then the merchant web site can directly connect to the web service by developing their own web service client, without requiring the API.