Howard Brazee <howard.bra...@cusys.edu> writes:
> And the IS community has to realize that any solution is flawed if it
> requires these salesmen and/or everybody who does on-line shopping to
> be experts in security.
we had been called in to consult with a small client/server startup that wanted to do payment transactions on their server ... the startup had also invented this technology called SSL they wanted to use. Part of the effort was deploying something called a "payment gateway" (we periodically claim it is the original SOA) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

the effort is now frequently called "electronic commerce".

given the ease with which crooks can harvest account numbers and use them for fraudulent transactions ... I drew up a list of things required for commerce servers enabled for payment transactions ... like all individuals involved in any way needing to have FBI background checks (the type required of individuals in sensitive positions at financial institutions). part of this was that long-term numbers claim that insiders are involved in 70% of such events. related comments about the current paradigm in threads about "naked transactions"
http://www.garlic.com/~lynn/subintegrity.html#payments

somewhat as a result of the work on "electronic commerce", in the mid-90s, we were invited to participate in the x9a10 financial standard working group, which had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments. as part of that activity there were detailed end-to-end threat & vulnerability studies done of different kinds & modes of retail payments. the x9a10 financial standard working group produced a payment standard that slightly tweaked the paradigm and eliminated the threat and vulnerability from having account numbers and/or other transaction information revealed ... for *ALL* retail payments (point-of-sale, face-to-face, unattended, credit, debit, internet, ACH, stored-value, aka *ALL*).
http://www.garlic.com/~lynn/x959.html#x959

the x9.59 financial standard didn't do anything about hiding or encrypting the information in transactions ... but eliminated the ability of the crooks to use that information for fraudulent transactions.

Now the major use of "SSL" in the world today is this earlier "electronic commerce" work to hide account numbers and transaction details. A side effect of the x9.59 financial standard is that it eliminates the need for that hiding and therefore the major use of "SSL" in the world today.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html