Re: Payment Providers

[paul]

  BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; }
 5. Established, tested cpan modules for dealing with them
 I only know of  Business::PayPal::API in CPAN which seems to work
ok. The downside is that its PayPal :)
 My initial inclinations were the big guns like Datacash and
Paypoint,  
 but of some concern was datacash's website being hosted on IIS, and 

 the fact that neither of them have modules on cpan (and frankly, the
 
 perl examples for datacash were more than a little embarrassing for 

 them).
 So, recommendations? Horror Stories? Legal guidance?
 --James
  I've not seen a good implementation/example in perl from any
payment provider. And yes, the datacash examples are awful.
 Anywhere I've worked we've rolled our own. Since most providers use
SOAP or key values via HTTPS it is not that much work to do a perl
implementation.
 As for which provider I'd use I have no idea, I guess the one that
gives you the best deal. Technically they all seem to have their good
and bad points.
 Paul.
 

Re: Payment Providers

[Nicholas Clark]

On Thu, Oct 01, 2009 at 09:02:07PM +0100, James Laver wrote:
 I'm looking for a card processing service to take payments with.
 
 Essential features:
 1. No javascript required to make a payment (that means you, NetBanx).

The new Unified Payment Pages now work just fine without JavaScript.
If we have documentation saying otherwise, could you point it out so that
I can ask for it to be corrected?

 2. No insistence on 3dsecure (because really, it's horrifically  
 insecure).

And badly implemented by quite a few providers.
(There's XML, and a DTD. If the XML validates against the DTD, that means
that it's *VALID*, dammit, so don't reject it)

However, one can't take payments from Maestro unless one has 3D insecure.
(And it seems that even easyJet are no longer large enough to wiggle out
of that one)

 3. I don't have to store any credit card details at all.
 4. They deal with as many of the legal issues as possible so I don't  
 have to. Particularly PCI DSS.

Point 4 would imply point 3 is met.

You don't say, whether you have a merchant account with a bank, or whether
you want the payment service provider to deal with that part. 
Point 4 implies that you'd like them to deal with it, and just make money
appear in my account. Doing this might restrict your options on 3D insecure/
Phished by Visa.

 5. Established, tested cpan modules for dealing with them

I don't know about that for *any* providers.

 My initial inclinations were the big guns like Datacash and Paypoint,  
 but of some concern was datacash's website being hosted on IIS, and  
 the fact that neither of them have modules on cpan (and frankly, the  
 perl examples for datacash were more than a little embarrassing for  
 them).

Paypal probably meets most of your criteria too :-)

Nicholas Clark

Re: Payment Providers

[Dominic Thoreau]

2009/10/1 James Laver james.la...@gmail.com:
 I'm looking for a card processing service to take payments with.

 Essential features:
 1. No javascript required to make a payment (that means you, NetBanx).
 2. No insistence on 3dsecure (because really, it's horrifically insecure).
 3. I don't have to store any credit card details at all.
 4. They deal with as many of the legal issues as possible so I don't have
 to. Particularly PCI DSS.
 5. Established, tested cpan modules for dealing with them

 My initial inclinations were the big guns like Datacash and Paypoint, but of
 some concern was datacash's website being hosted on IIS, and the fact that
 neither of them have modules on cpan (and frankly, the perl examples for
 datacash were more than a little embarrassing for them).

 So, recommendations? Horror Stories? Legal guidance?

Okay, I've been quiet on this so far, and I admit I can't actually
address most of your points. Also, the disclaimer here is going to be
*very* obvious.

At my $employer , the CEO is also running another company, whose
primary business is handling credit card transactions. I'm moderately
sure that they don't have a CPAN module, but they are a perl shop, so
it shouldn't be outside their skills to make one.

In the interests of not spamming the whole list I'll not mention them
directly here - just say that they've got their office on one of the
main canals in Amsterdam, and leave it to James to email me offlist if
he wants details.

Disclaimer: I'm not actually employed by said company, but as far as I
know they may well be providing the profit that the boss is using to
keep us afloat (if we need that, I'm not exposed to the numbers that
much)
-- 
Better to remain silent and be thought a fool than to speak out and
remove all doubt.
-- Abraham Lincoln

Re: Payment Providers

[Tom Hukins]

On Fri, Oct 02, 2009 at 10:26:06AM +0100, Nicholas Clark wrote:
 However, one can't take payments from Maestro unless one has 3D insecure.
 (And it seems that even easyJet are no longer large enough to wiggle out
 of that one)

Nor are Google:
http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro

 Paypal probably meets most of your criteria too :-)

They meet all of them.

Tom

Re: Payment Providers

[Damon Allen Davison]

On Fri, Oct 2, 2009 at 10:49 AM, Tom Hukins t...@eborcom.com wrote:
 Nor are Google:
 http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro

 Paypal probably meets most of your criteria too :-)

 They meet all of them.

What do you all think of Google Checkout?

https://checkout.google.com/seller/developers.html?hl=engl=GB

James has just saved me asking this question for myself.

-d.

-- 
Damon Allen Davison
http://allolex.net
http://musicindustryrules.com
http://thegannet.net

Re: Payment Providers

[Ovid]

--- On Fri, 2/10/09, Nicholas Clark n...@ccl4.org wrote:

 From: Nicholas Clark n...@ccl4.org
  2. No insistence on 3dsecure (because really, it's
 horrifically  
  insecure).
 
 And badly implemented by quite a few providers.
 (There's XML, and a DTD. If the XML validates against the
 DTD, that means
 that it's *VALID*, dammit, so don't reject it)
 
 However, one can't take payments from Maestro unless one
 has 3D insecure.
 (And it seems that even easyJet are no longer large enough
 to wiggle out
 of that one)

OK, I give.  That's two references to how insecure 3D secure is. Given that I 
know nothing about it other than the annoying fact that I've forgotten my 
password for it, could someone explain why its broken?

Cheers,
Ovid
--
Buy the book - http://www.oreilly.com/catalog/perlhks/
Tech blog- http://use.perl.org/~Ovid/journal/
Twitter  - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

Re: Payment Providers

[Richard Huxton]

Ovid wrote:
 
 OK, I give.  That's two references to how insecure 3D secure is.
 Given that I know nothing about it other than the annoying fact that
 I've forgotten my password for it, could someone explain why its
 broken?

Well firstly you, I and *everyone* forgets their password. And then it
just lets you generate a new one. Which makes it meaningless even if 90%
of users didn't end up using PAZZWORD anyway.

Secondly - who's providing that 3d-secure form? How do you know it's
your bank and not someone collecting PAZZWORDs?

-- 
  Richard Huxton
  Archonet Ltd

Re: Payment Providers

[Nicholas Clark]

On Fri, Oct 02, 2009 at 10:49:04AM +0100, Tom Hukins wrote:
 On Fri, Oct 02, 2009 at 10:26:06AM +0100, Nicholas Clark wrote:
  However, one can't take payments from Maestro unless one has 3D insecure.
  (And it seems that even easyJet are no longer large enough to wiggle out
  of that one)
 
 Nor are Google:
 http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro

Then again, Maestro screwed up and is screwed.

Switch was if you see a Switch logo, you can use your Switch card
Maestro is, well, printed A4 sheets in shop windows with
Austrian Maestro Only

It's one logo applied to 15 or so different debit card schemes, without
guaranteeing any sort of interoperability. Which destroys any sort of brand
value it might have had. There's a technical term for this, but apparently
I'm not supposed to use it in front of small children*.

Maestro is being replaced by Mastercard Debit, which is not tainted with this
incompetence.

In the UK, at least HSBC and RBS are replacing Maestro. With *Visa* Debit.

Oh yes, and Switch was screwed because not all Switch cards pass the Luhn
check. Card length limit is 19 digits, and HSBC used to issue Switch cards
that were $BIN . $sort_code . $account_number, which used up all 19 digits,
so they had no ability to make the card meet the spec about the checksum.
Various *merchant acquirers* seem not to know this, as they reject them
rather than trying to auth.

Then again, a certain large UK bank not owned by the government will happily
auth *anything*, then refuse to settle it, and then complain that one is
sending it bogus data. *You* bloody *authed* it. Oh well, if we can't get
through to the issuing bank in time, we just auth it anyway

Yeah right.

And nearly all of them have test auth systems that differ from their live
systems. Some of which you can DOS by accident, some with data files that
meet the specs.

Nicholas Clark

* even if she throws up on me.

Re: Payment Providers

[Nicholas Clark]

On Fri, Oct 02, 2009 at 03:13:35AM -0700, Ovid wrote:
 --- On Fri, 2/10/09, Nicholas Clark n...@ccl4.org wrote:
 
  From: Nicholas Clark n...@ccl4.org
   2. No insistence on 3dsecure (because really, it's
  horrifically  
   insecure).
  
  And badly implemented by quite a few providers.
  (There's XML, and a DTD. If the XML validates against the
  DTD, that means
  that it's *VALID*, dammit, so don't reject it)
  
  However, one can't take payments from Maestro unless one
  has 3D insecure.
  (And it seems that even easyJet are no longer large enough
  to wiggle out
  of that one)
 
 OK, I give.  That's two references to how insecure 3D secure is. Given that I 
 know nothing about it other than the annoying fact that I've forgotten my 
 password for it, could someone explain why its broken?

There's a description about how little it takes to reset the password in the
link Tom gave:

http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro

Ben Laurie explains it here:

http://www.links.org/?p=591

It's indistinguishable from a phising scam.

Even better, which Ben doesn't cover, is that some banks have implemented it by
outsourcing it to a third party, which then serves the pages from *its* domain.

(Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME
pointing to an IP owned and hosted by the outsourcer)

So you get a popup saying I'm from your bank; tell me your secrets popping
up in new window (believe it or not, originally with branding guidelines that
were don't show a URL bar etc), served from a domain which is nothing to do
with your bank.

And often this is the first time that you, the card holder, have encountered
the thing. Because your bank didn't bother to tell you about it in a
communication from them that you trust is from them.

It's almost like some enterprising chap in Nigeria wrote the specs for the
banks, to save the the costs of having to do it themselves.

Nicholas Clark

Re: Payment Providers

[Nicholas Clark]

On Fri, Oct 02, 2009 at 11:34:15AM +0100, Nicholas Clark wrote:

 (Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME
 pointing to an IP owned and hosted by the outsourcer)

Oh yes. If anyone knows anyone who might know someone at the registrar who
might cause rbs.gov.uk to come into existence, and then have it so that
everything served by it over HTTP is a 302 to rbs.co.uk, that would appeal
to my sense of irony. (And annoyance, as a UK taxpayer, at all the various
stupidities involved, that I'm paying for, because of incompetence from
people who are not just still employ*able*, but employ*ed*)

Nicholas Clark

Re: Payment Providers

[Dominic Thoreau]

2009/10/2 Nicholas Clark n...@ccl4.org:

 (And annoyance, as a UK taxpayer, at all the various
 stupidities involved, that I'm paying for, because of incompetence from
 people who are not just still employ*able*, but employ*ed*)

Direct also your ire to the employees of the DWP, because most of
those staff members in the JobCentre are just as institutionalized as
their customers.


Dominic

Re: Payment Providers

[David Precious]

On Friday 02 October 2009 11:13:35 Ovid wrote:
 OK, I give.  That's two references to how insecure 3D secure is. Given that
 I know nothing about it other than the annoying fact that I've forgotten my
 password for it, could someone explain why its broken?

Well, there's the fact that, for years, we've been trying to educate Internet 
users not to enter details into untrusted websites, and now all of a sudden 
they're expected to trust some random page that appears in a popup/iframe from 
some domain entirely unrelated to the one they're in the middle of trying to 
give their card details to?  Like, for instance, securesuite.co.uk - would you 
trust that random domain?  (Incidentally, that's the domain that RSA forgot to 
renew at one point...!)

See, for instance,
http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam

It's a poor attempt towards three-factor authentication, but relying upon 
entering a password - which will be picked up by the same keylogging/sniffing 
techniques they'd use to grab the rest of your details if you're entering them 
on a compromised machine.  However, now, the bank has shifted liability to the 
customer, claiming that since the transaction was authorised with their 
secret password, they have no right to repudiate the transaction.

Cheers

Dave P

Re: Payment Providers

[James Laver]

On 2 Oct 2009, at 12:07, David Precious wrote:

It's a poor attempt towards three-factor authentication, but relying  
upon
entering a password - which will be picked up by the same keylogging/ 
sniffing
techniques they'd use to grab the rest of your details if you're  
entering them
on a compromised machine.  However, now, the bank has shifted  
liability to the
customer, claiming that since the transaction was authorised with  
their

secret password, they have no right to repudiate the transaction.


Yes, those lovely three factors:
- Something you know
- Something you know
- Something you know

Clever, huh.

Firstly, they shift liability to the bank, which is why retailers like  
it. Unfortunately the bank shifts liability to the customer with the  
defence but noone else knows your 3dsecure password, it was you,  
there was no fraud. HSBC revealed to me that they've had 'zero fraud'  
since the introduction of the scheme, which means they're pinning  
this, exactly like they've all been pinning chip and pin fraud on the  
bank customer, because of the same defence (and they got away with  
that one in court, somehow).


Because of this, banks are loathe to let you opt out. I've been unable  
to do so with HSBC.


I've been writing a paper about attacks on the 3dinsecure system and  
it's all remarkably easy:
1. I steal your card (or memorise your details while you're paying  
with it), you haven't registered yet, I register for you, thus  
choosing the password I want
2. I steal your card (or memorise your details while you're paying  
with it) and go through a simple reset procedure, which generally only  
requires information I could extract from you during an hour at the  
pub without you realising
3. I set up a fake page that looks like a 3dsecure page on my site and  
cream off the details before submitting them myself so the payment  
goes through. Since it's all handled by third parties, you'd never  
know what's legitimate and what isn't.


And many, many more, wait for the paper to be released :) It doesn't  
take an evil genius to see gigantic holes in the system, it's shaped  
like a swiss cheese.


--James

Re: Payment Providers

[James Laver]

On 2 Oct 2009, at 10:26, Nicholas Clark wrote:


The new Unified Payment Pages now work just fine without JavaScript.
If we have documentation saying otherwise, could you point it out so  
that

I can ask for it to be corrected?


Ah no, my experience was as a customer of the companies house website,  
where it ships in an iframe laden with javascript.



And badly implemented by quite a few providers.
(There's XML, and a DTD. If the XML validates against the DTD, that  
means

that it's *VALID*, dammit, so don't reject it)


The spec is ridiculous, but nothing is more ridiculous than  
programmers reading a spec and getting it wrong.


However, one can't take payments from Maestro unless one has 3D  
insecure.
(And it seems that even easyJet are no longer large enough to wiggle  
out

of that one)


If the card company mandates it, not a lot I can do about that, so be  
it.



Point 4 would imply point 3 is met.

You don't say, whether you have a merchant account with a bank, or  
whether

you want the payment service provider to deal with that part.
Point 4 implies that you'd like them to deal with it, and just make  
money
appear in my account. Doing this might restrict your options on 3D  
insecure/

Phished by Visa.


This was part of my concern. I know paypal just do CVC checking and to  
hell with 3dsecure (very sensible). I don't have an account with a  
merchant bank, I'd like all of that taken care of.1



Paypal probably meets most of your criteria too :-)


I'd thought about paypal, but no. It would be nice to have it as an  
option though (which Datacash offer for example).


Cheers,
--James

Re: Payment Providers

[Nicholas Clark]

On Fri, Oct 02, 2009 at 01:11:36PM +0100, James Laver wrote:
 On 2 Oct 2009, at 10:26, Nicholas Clark wrote:
 
 The new Unified Payment Pages now work just fine without JavaScript.
 If we have documentation saying otherwise, could you point it out so  
 that
 I can ask for it to be corrected?
 
 Ah no, my experience was as a customer of the companies house website,  
 where it ships in an iframe laden with javascript.

Yes, that's the old stuff. That's, um, not exactly something to be proud of/
not exactly a good advertisement of what we now can do.

 However, one can't take payments from Maestro unless one has 3D  
 insecure.
 (And it seems that even easyJet are no longer large enough to wiggle  
 out
 of that one)
 
 If the card company mandates it, not a lot I can do about that, so be  
 it.

We had a chat at lunch, and (IIRC) Tom said that he thinks that Amazon are
now not taking Maestro. We're inferring that Amazon have said We don't do 3D.
We aren't prepared to loose 6% of our business from it, Mastercard have said
But to take Maestro, you must do 3D, and Amazon said OK, we won't take
Maestro then*

If enough big sites take this attitude, then it will get the fate it deserves,
whatever the banks think or want, because customers won't use those cards any
more, because they aren't useful.

Nicholas Clark

* Well, really I'm hoping that they said Screw you hippy

Re: Payment Providers

[Tom Hukins]

On Fri, Oct 02, 2009 at 01:40:55PM +0100, Nicholas Clark wrote:
 We had a chat at lunch, and (IIRC) Tom said that he thinks that
 Amazon are now not taking Maestro.

You remember correctly, but I'm wrong.  I managed to end up looking at
the list of card types accepted on amazon.com and somehow convinced
myself I was on the UK site.  I probably need a holiday.

Tom

Re: Payment Providers

[James Laver]

On 2 Oct 2009, at 13:40, Nicholas Clark wrote:

Yes, that's the old stuff. That's, um, not exactly something to be  
proud of/

not exactly a good advertisement of what we now can do.


Ah, well at least that's changed :)

We had a chat at lunch, and (IIRC) Tom said that he thinks that  
Amazon are
now not taking Maestro. We're inferring that Amazon have said We  
don't do 3D.
We aren't prepared to loose 6% of our business from it, Mastercard  
have said
But to take Maestro, you must do 3D, and Amazon said OK, we won't  
take

Maestro then*


6%? I know of sites with much larger dropouts than that. And one day  
some of them will finally realise it's stupid and stop taking 3dsecure  
at all.


If enough big sites take this attitude, then it will get the fate it  
deserves,
whatever the banks think or want, because customers won't use those  
cards any

more, because they aren't useful.


I'm hoping that'll happen too. HSBC ditched maestro in favour of visa  
debit a few months ago. I've found maestro to be shocking actually.  
Like the DVLA take Solo (which noone takes) but not Maestro (what's  
with that?). My natwest maestro card needed replacing about once a  
month because the chip kept rubbing off too (though I don't know if  
they have some centralised manufacture or what).


But then again, it's all about the liability shift. Smaller retailers  
rightfully look at the risk and say 'fuck it', not realising that the  
liability ends up with the customers (and probably not caring). Chip  
and pin did the same and the only bank I know of that instantly  
refunds you with a crime reference number is Barclays (in fact I had a  
rather long discussion with a Barclays manager about it after HSBC  
wouldn't let me take out cash in branch with my chip and signature  
card that they issued to me).


I hope 3dinsecure goes to hell.

--James

Re: Payment Providers

[Bob Walker]

On Fri, 2 Oct 2009, James Laver wrote:



6%? I know of sites with much larger dropouts than that. And one day some of 
them will finally realise it's stupid and stop taking 3dsecure at all.




In my experience sites are forced to by their bank.

--
bob walker

buses should be purple and bendy

Re: Payment Providers

[James Laver]

On 2 Oct 2009, at 14:18, Bob Walker wrote:


In my experience sites are forced to by their bank.


That's unusual.

Banks usually don't care, but they will give liability to the retailer  
in case of fraud on non-3ds transactions.


--James

Re: Payment Providers

[Bob Walker]

On Fri, 2 Oct 2009, James Laver wrote:



Banks usually don't care, but they will give liability to the retailer in 
case of fraud on non-3ds transactions.



Like I said forcing them.


--
bob walker

buses should be purple and bendy

Re: Payment Providers

[Peter Corlett]

On 2 Oct 2009, at 16:28, Bob Walker wrote:

On Fri, 2 Oct 2009, James Laver wrote:
Banks usually don't care, but they will give liability to the  
retailer in case of fraud on non-3ds transactions.

Like I said forcing them.



It's not *quite* so clear-cut.

The costs due to fraud might be less than the costs of losing sales  
due to VBV/3DSecure, in which case the retailer might be happy to risk  
the fraud, especially if they have other fraud-avoidance mechanisms in  
place.

Re: Payment Providers

[Ovid]

- Original Message 

 From: Peter Corlett ab...@cabal.org.uk
 
 It's not *quite* so clear-cut.
 
 The costs due to fraud might be less than the costs of losing sales due to 
 VBV/3DSecure, in which case the retailer might be happy to risk the fraud, 
 especially if they have other fraud-avoidance mechanisms in place.

This has to be one of the most important comments about all of this.  When I 
originally went to uni to be an economist, I was amazed to discover in research 
how much in-house accounting dealt with which costs us less rather than 
which is right.  It's rather sad.

 
Cheers,
Ovid (the hippie)
--
Buy the book - http://www.oreilly.com/catalog/perlhks/
Tech blog- http://use.perl.org/~Ovid/journal/
Twitter  - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

Re: Payment Providers

[James Laver]

On 2 Oct 2009, at 22:16, Ovid wrote:


- Original Message 


From: Peter Corlett ab...@cabal.org.uk

It's not *quite* so clear-cut.

The costs due to fraud might be less than the costs of losing sales  
due to
VBV/3DSecure, in which case the retailer might be happy to risk the  
fraud,

especially if they have other fraud-avoidance mechanisms in place.


This has to be one of the most important comments about all of  
this.  When I originally went to uni to be an economist, I was  
amazed to discover in research how much in-house accounting dealt  
with which costs us less rather than which is right.  It's  
rather sad.


Yes, but you have to balance both viewpoints here.

Personally, I'm on the side of people not being forced to use 3dsecure  
(I want to be fully opted out). I don't want to be lumbered with the  
costs of fraud because I know how to take care of my end and if my  
details get out, it's not me that did it. I don't think it's  
reasonable I get charged because the bank or retailer messes up.
On the other hand, the retailer wants to not be liable when there's  
any fraud because they shouldn't have to lose out on the goods. They  
don't think it's reasonable they lose out on the goods because the  
bank or customer messes up.


Which side wins? Well, the retailer gets to choose. And it'll come  
down to a strict profit sum, whether costs of lost revenue is greater  
than costs of potential fraud. If you don't like it, there are other  
retailers waiting to take your money.


--James

Re: Payment Providers

[David Brownlee]

2009/10/1 James Laver james.la...@gmail.com

 I'm looking for a card processing service to take payments with.

 Essential features:
 1. No javascript required to make a payment (that means you, NetBanx).
 2. No insistence on 3dsecure (because really, it's horrifically insecure).
 3. I don't have to store any credit card details at all.
 4. They deal with as many of the legal issues as possible so I don't have
 to. Particularly PCI DSS.
 5. Established, tested cpan modules for dealing with them

 My initial inclinations were the big guns like Datacash and Paypoint, but
 of some concern was datacash's website being hosted on IIS, and the fact
 that neither of them have modules on cpan (and frankly, the perl examples
 for datacash were more than a little embarrassing for them).


We've used RealEx payment systems. They have a few integration options (sans
javascript), provided (relatively shocking) reference perl code, have
3dsecure as optional, and helpful if not always on the ball support.

Just a datapoint.

Re: Payment Providers

[Bob Walker]

On Thu, 1 Oct 2009, James Laver wrote:


So, recommendations? Horror Stories? Legal guidance?



3d secure is normally optional until your bank tells you otherwise.

SecureTrading seem fine. Dont know about perl interfaces but all you have 
to do is pass xml to a java app. So really shouldnt be that hard.


there are two i wouldnt recommend but they are stories best kept for the 
pub.



--
bob walker

buses should be purple and bendy