Payment System Implementation Issues

Implementing a payment system and integrating it with a payment gateway raises certain issues that must be addressed.

Integration

Integrating the payment processing system of the electronic storefront with the payment gateway interface object requires that no sensitive parameters be derived from data passed from the client side. For example, the total price of the items selected should always be calculated by looking up the shopping cart contents and price lists from tables on the server side and never depending on any client-side data.

Temporary Information

If any temporary information needs to be stored on the server side, it should be stored outside the Web document root directory in a separate temporary file area. This way, attackers can't retrieve intermediate or temporary files by requesting them over a Web browser. All temporary information stored should be destroyed as soon as it is no longer needed. Care should be also taken to ensure that temporary information stored from two concurrent sessions do not overwrite one another.

SSL

Although SSL doesn't imply server-side security, it is essential that SSL be used between the customer and the electronic storefront Web site and between the storefront application and the payment gateway so that eavesdroppers can't lay their hands on sensitive data traveling across the Internet.

Storing User Profiles

Many electronic retail storefronts allow users to create a profile and store it on the businesses' system. In many cases, the stored profile also contains payment information, including credit card information. In such cases, extreme care should be taken to ensure that stored user profiles not be compromised in any way.

Vulnerabilities Caused by Poor Integration of Shopping Cart and Payment Gateway

A vulnerability was reported on January 4, 2002, concerning the Miva Merchant shopping cart (versions 3.x) and VeriSign's PayFlow link payment system. The vulnerability causes the shopping cart to accept invalid credit card transactions as valid. In essence, the bug isn't in the payment processing system but in the way the shopping cart application is integrated with the payment gateway.

There are two ways to exploit the Miva Merchant shopping cart. The first method is to edit the HTML code by saving the HTML contents of the final checkout page so that, instead of the payment form invoking the PayFlow URL, it directly invokes the final payment acceptance URL within the shopping cart, thus entirely skipping the validation stage. The second way of exploiting the system is to sign up for a free test merchant account with VeriSign's PayFlow system. The test merchant account will validate certain credit card numbers that have been designated as test numbers for developers who want to test their applications. Again, the way to exploit the shopping cart is to edit the HTML code on the checkout page, and instead of the HTML form invoking the PayFlow URL, the form invokes the test account validation URL. Then a fake "testing" credit card number can be used to validate the purchases. Full details of the exploitations are available at http://securitytracker.com/alerts/2002/Jan/1003102.html.