having any online, ubiquitously connected system with easy rule update and change is an interesting challenge no matter who or how it is deployed (especially with strict security and audit control for what is permitted and/or changed, aka the whole objective of the system in the first place, problem is also that traditionally, 90 percent of fraud has been insider fraud)

some of the larger corporations are starting to even have further deployment of p-cards with the infrastructure providing statement->edi translation that flows everything directly into the backend accounts payable system. auto-industry with possibly 60,000 suppliers is one that comes to mind. a couple issues:

1) making it easier for the low-to-mid-range companies ... aka standard skewed scenario ... majority of the value flow thru relatively small number of operations. This is somewhat of a dichotomy between the major financial processors and possibly software vendors. The market that represents the majority of value and number of transactions would tend towards a small number of frequently roll-your-own and/or custom implementations which is possibly contrasted to web-oriented software vendors focusing on the volume (in terms of unit sales), cookie-cutter, mass-market (but possibly having lower aggregate total number of transactions and value)

2) when p-cards are platformed on credit association infrastructures ... there is significant invention typically required regarding traditional fees (watching some of the GAO stuff on the various federal p-card awards comes to mind).

3) network that is optimized at processing thousands of 60-100 byte authorization transactions per second securely and in real time would be impacted by any significant increase in level-3 data. Note however, with various consolidation & outsourcing that it is approaching 90% of transactions are handled in possibly half-dozen to dozen centers ... increasing that inter-center bandwidth capacity would be relatively straight-forward (I believe that there have already been announcements about 20% of the traffic being moved off the traditional association networks to inter-center direct links).

Note that X9.59 financial standard with token that works identically the same at POS and non-face-to-face (internet, etc) could be considered even more secure and ubiquitously applicable.

Not only is not having seamless end-to-end transaction authentication in conjunction with transaction authorization an invitation for fraud ... but also making it really simple and easy for insiders to access the system and make rule changes is also an invitation to fraud. Typically, if you aren't worried about insiders and fraud/skimming/etc ... then you probably aren't a good candidate for p-card rules in any case; just direct transaction presentment to backend automated accounts payable may be sufficient (x9.59 at POS and network supporting seamless, end-to-end strong transaction authentication).

misc. refs:
http://www.garlic.com/~lynn/subtopic.html#fraud Risk, Fraud, Exploits
http://www.garlic.com/~lynn/aadsm2.htm#useire2 U.S. & Ireland use digital signature
http://www.garlic.com/~lynn/aadsm4.htm#01 superfulous & redundant (addenda)
http://www.garlic.com/~lynn/aadsm4.htm#9 Thin PKI won - You lost
http://www.garlic.com/~lynn/aadsm5.htm#spki4 Simple PKI
http://www.garlic.com/~lynn/aadsm6.htm#echeck Electronic Checks
http://www.garlic.com/~lynn/aadsm6.htm#websecure merchant web server security
http://www.garlic.com/~lynn/aadsm6.htm#terror9 [FYI] Did Encryption Empower These Terrorists? (addenda)
http://www.garlic.com/~lynn/aepay3.htm#smrtcrd Smart Cards with Chips encouraged ... fyi
http://www.garlic.com/~lynn/aepay7.htm#netbank2 net banking, is it safe?? ... security proportional to risk
http://www.garlic.com/~lynn/ansiepay.htm#aadsach NACHA to Test ATM Card Payments for Consumer Internet Purchases
http://www.garlic.com/~lynn/2000e.html#19 Is Al Gore The Father of the Internet?^
http://www.garlic.com/~lynn/2001c.html#8 Server authentication
http://www.garlic.com/~lynn/2001h.html#61 Net banking, is it safe???

Anders Rundgren <[EMAIL PROTECTED]> at 9/30/2001 10:02 AM wrote:

Having a local security device that can "connect back" to the buyer's own organization, a single virtual account and schemes like 3D Secure can eliminate the need for external user administration as well as supporting immediate updates, revocation and enablement. In addition you get full transaction record for free.
