Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
How Appstore gets to skit round this restriction? Can CVV2 details be kept locally on an iOS device and still be in PCI compliance? Encrypt the CVV2 details locally, and only user has the key? While the rest of the credit card details like PAN are stored on server side?
SHORT ANSWER:
Your issuing bank doesn't require security code validation with every transaction.
LONG ANSWER:
Card security codes and magnetic stripe data are not permitted to be stored by PCI DSS. Furthermore, VISA (and possibly other networks) strictly forbid their storage:
http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
Merchants storing this data can be hammered with hefty fines and dropped by processors. This happened to a client of mine.
Apple's e-commerce system asks for the security code when an account is created or whenever a new device accesses an existing account. In both instances, their platform initiates a zero-dollar transaction with the processing network to verify the customers' identity (username + password + security code):
https://discussions.apple.com/thread/2594628?start=0&tstart=0
Some issuing banks require security codes to be used with each transaction. In those cases, the iTunes store will prompt you for the code.
xixonia is correct that personal data is tokenized within Apple's infrastructure. Most of their servers never touch secure data, as all credentials and financial data is passed encrypted to an inner network of highly protected and monitored systems.
In addition, large retailers like Apple and Amazon use third-party fraud detection and prevention technologies that look for patterns of abuse.
"It is permissible for issuers and companies that support issuing
services to store sensitive authentication data if there is a business
justification and the data is stored securely"
Easier purchasing and subsequent transactions are NOT business justification.
A pertinent use case would be batch transactions. During purchase the card is authorized to confirm the card is active and the funds are available. The issuing bank typically encumbers, but does not withdraw, the transaction amount from the cardholder's account. During a subsequent capture transaction, the merchant settles with the processor and the funds are transferred. This might happen because:
The issuing bank requires it (e.g., voice authorization).
The payment network requires it (e.g., American Express used to).
The merchant does not know the full transaction amount (e.g., restaurant tip).
The merchant does not have persistent connection to the payment network (e.g., mobile operator).
Going this route triggers MUCH higher scrutiny under PCI DSS. Merchants who use third party checkout systems like Google Checkout and PayPal get minimal treatment (SAQ A). Merchants who store ANY cardholder data have the heavy burden of SAQ D.
The compensating controls for holding security codes & magnetic stripe data are even more strict:
Data must be stored using best practices (randomized salt + strong encryption cipher + restricted keys + mandatory access controls + audited access).
Data must be automatically removed after a set grace period (typically a day or two).
Data must be securely overwritten and on a medium that allows it (most solid state drives' wear leveling mechanisms prevent this).
Related
I am looking for a job as a system analyst and in interviews I come across tasks like this.
Imagine that you are working on a credit scoring system that decides whether a user is creditworthy. The user fills an application form and receives notification (say, in SMS) with the scoring result. Apart from the data provided by the user the system utilizes their credit bureau information.
What questions will you ask to clarify the task and what microservices will you propose to create for this system?
It is obvious that the solution I propose is too simple or not enough detailed, so I will be most grateful for the help.
I usually suggest that there will be 4 microsevices:
Service requesting information about the user from the bank database;
Service requesting credit bureau information;
Service performing scoring;
Service sending notifications.
Some questions that come to mind about clarify the task. Would be...
What is the intended use of the credit scoring system? Is it intended to be used by a financial institution to decide whether to grant a loan, or is it intended for some other purpose?
Who will be responsible for maintaining and updating the system? Will there be a dedicated team of developers and analysts working on the system, or will it be the responsibility of a single individual or department?
What data sources will be used to generate the credit scores? Will the system rely solely on information from the user's credit bureau, or will it also incorporate data from other sources, such as bank account information or employment history?
How will the system handle users who do not have a credit bureau file? Will there be a process in place to handle these cases, or will the system simply reject these users?
Based on the information, I came up with the same microservices as you.
A user data service that stores and manages information about users, including their personal and financial information.
A credit scoring service that calculates credit scores based on the data provided by the user and other sources.
A notification service that sends SMS messages to users with their credit scores and any other relevant information.
A data integration service that manages the flow of data between the different microservices and external data sources.
This is just one possible solution, and the specific services involved would be dependent on finding out more information on the business requirements.
The google documentation for the BillingClient queryPurchases method states the following:
"It's recommended for security purposes to go through purchases verification on your backend (if you have one) by calling the following API: https://developers.google.com/android-publisher/api-ref/purchases/products/get"
Here is the link:
https://developer.android.com/reference/com/android/billingclient/api/BillingClient.html#queryPurchases(java.lang.String)
I have set up an API, established communications with it from my server and have done some initial testing, but the more I look into it, the more I question the need for it. If your code can be de-compiled, then whatever verification you are doing on your back end could certainly be subverted within your app's code.
My understanding is that google caches these purchases on the local device and refreshes that cache periodically and this cache is where queryPurchases pulls the purchases from.
Exactly what type of attack would I be trying to prevent by doing back end verification on these purchases?
Google play handles the transaction and keeps a record of the purchase, your back end presents purchase receipts and it gets a response from Google , the user cannot inject a fake record on Google's billing systems and this is what your back end relies on, if the user did indeed purchase you in app item and their credit card was charged by Google then that record is reliable and there's no way a user can alter it even if they decompiled your application they wouldn't gain anything apart from being exposed as a malicious actor. A well implemented in app billing system is watertight and extremely difficult if not impossible to game.
Instagram, Snapchat etc. Terms of Service state that they do not allow any users under the age of 13 years, yet their platforms are flooded with young children.
My Question: In a web or mobile app for users under the age of 13 years, how can I design a verification flow that allows me to obtain "verifiable parental consent" in accordance with the US COPPA and EU GDPR laws?
I am aware that I can request the parent to provide their credit card information, which I believe will count as "verifiable parental consent". However, I am wondering if there are other options with a lower potential bounce-rate?
If this seems "too broad" a question, I am specifically looking for a verification flow that allows the parent to choose from different verification options. A flow chart would be great!
The short answer
there really isn't a good way to reliably verify someone's age without potentially alienating some segment of your user-base.
The long answer
Even your credit card solution doesn't really work for children between the ages of 13 and 18 years, where one wouldn't reasonably expect them to have credit cards or get their parents to verify age using theirs.
Some people would outright refrain from sharing other identifying documents like driver's licenses or passports out of concerns like identity-theft.
If your concerns are merely legal, then you can follow Facebook's Verification Model viz. an honor-based system coupled with a secondary mobile phone or email verification.
On the other hand, if your concerns are more towards improving user-experience, then any combination of some of the aforementioned sources of verification - Government-issued ID, Credit Cards, Phone Number, Email ID, etc. can be used depending how inclusive or exclusive you want to make your software service. You could also look to outsource this problem by relying on external authentication source(s) like Facebook Login and use the user-data collected to verify age-range.
What is the most secure way to post credit card information from my iPhone application to a Windows server?
My iOS app sells some goods, like dresses.
(IANA Credit card merchant, I only play one here after reading other SO questions)
If you are dealing with explicit credit card data then you should be PCI compliant across your whole system. See things like:
pci security standards
and
pci compliance guide
If you are automating this (IE buy a dress from your iPhone) the CC Merchant that you are dealing with should have well defined protocols for handling credit cards. You should be asking them how they want the data sent. My general understanding is that you do not retain anything and just pass it through to the company who does all the financial stuff for you and the just passes back a validation for the transaction.
Look Michael. There are following ways through which you can post your credit card information from your iPhone application to a windows server. First you can use a "https//" when you are posting your credit card information because all of your information go through a secured channel.
The second option to post your credit card information from you iPhone app to windows server is to connect yourself with a VPN connection. I usually use VPN connection when I want to secure my sensitive data. Currently I am using PureVPN connection, that encrypt all of my sensitive information and all the information passes through secured encrypted tunnel and no unauthorized person can access to my sensitive information.
I completely agreed with Shivam and Simons. Mostly we have all e-commerce sites hosted on "https" which allow users to freely put their CC details and shop wherever they want to. a part from this if you are willing to surf around and shop through an application on your IOS phone then i think you should considerably google for VPN. It is one of the best and most reliable tool these days which enable users not only to make e-commerce transaction through secure channel but also protects users data through all aspects. I think going for Certificates won't be a good option as it involves certain procedures and guidelines.
If it is a webservice that you connect to on your Windows server, you can make the server ssl enabled have the client (iphone app) POST your data using the https link.
If this is some proprietary service using some proprietary protocol, you can consider using public key cryptography. Encrypt data with a one time AES key. Send the encrypted data. Encrypt the AES key with your public key and send it along. The server decrypts the symmetric AES key with your private key and thereafter decrypts the data !
I'd personally prefer the first option (SSL) over the second anytime !
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
In my country apple does not support subscription, I can't make an app that can purchase monthly or period of time subscription, any alternatives?
Contact Apple and ask if this is a temporary or constant condition. If it's temporary, wait it out.
Otherwise, you can implement login screens and authentication mechanisms as you would have them in a WebApp. The latest Developer Agreements allow for this (as opposed to the previous agreements where you had to offer inAppPurchase as well). The caveat is that according to the agreement, you may not link to your 3rd party payment/signup site from within the app.
Set up payment processing with the provider of your choice (e.g. PayPal) and manage your own database of registered users. Then, when a user starts the app, ask them to log-in by supplying a username and password. Send those to your server (e.g. using a regular POST request), verify them and deliver the contents to the user if he is authenticated.
Make sure to keep the user logged in after that to avoid annoyance.
The main challenge with this approach will be to let users find out about your service in the first place as you are not allowed to openly send them over in the first place. Then again, if Apple doesn't offer the functionality in your country, you may be able to get through review with it.
In either case, contact Apple, then act accordingly.