Avactis Shopping Cart – Payment Modules
Avactis Shopping Cart – Payment Modules is a set of modules responsible for credit card payment processing in the online store software platform. These modules handle the interaction between an online store and payment gateways. The project was designed according to state-of-the-art security requirements and complies with the Payment Card Industry Data Security Standard (PCI DSS) developed by the international payment systems Visa and MasterCard.
Customer:
Pentasoft Ltd.
Industry sector:
Web, Online store, eCommerce solutions.
PROBLEM:
Usability and versatility are of paramount importance for any software. Today an online store is expected to offer its customers a range of payment methods, and credit card payment is considered the most convenient one for the majority of users. Payment Modules is a project meant to make credit card payment available in Avactis online stores.
SOLUTION:
Special payment gateways exist that pass credit card identification data on to the banks. Payment Modules connect Avactis online stores to these payment gateways so that credit card payments can be processed.
General description:
Payment Modules are meant to make credit card payment available in Avactis online stores. To solve the task, integrations with payment gateway systems were built. Safety of customer personal information is of the highest importance in this project. All modules can be divided into 3 groups: Direct, Redirect and Offline. Direct and Redirect modules interact with a payment gateway directly during order processing: no personal user information is saved into the database. All of the information is transmitted to the payment gateway over a secure connection (HTTPS).

Redirect modules process no personal data at all. After choosing a payment method, the customer is redirected to the payment gateway site, where all personal data is entered. After the payment is done the customer is redirected back to the store.

Direct modules gather customer personal information on the store site. At the last step of the checkout process, when all the information needed for the payment has been gathered, the module sends the data in a background HTTPS request to the payment gateway server. The server response contains the status of the committed transaction and related data.
The data gathered by a Direct module is encrypted with the Blowfish cryptographic algorithm and saved in the customer session. A secret key is randomly generated for every unique customer and carried in a GET parameter of the HTTPS request. This keeps the encrypted data and the secret key physically separate: the ciphertext lives in the session on the server, while the key only travels in the request.
The Offline credit card processing module does not interact with any payment gateway but saves the customer information in the database for later processing. The saved information is encrypted with the RSA asymmetric encryption algorithm using a 512- or 1024-bit key. To view the stored credit card information, the store administrator has to upload his private key from his local workstation. The private key is generated by Avactis when the Offline credit card module is activated and is saved only on the store administrator's workstation. Thus no one, including the Avactis support team, can view the cardholder information. Even if someone happens to get access to the database, it will take him years to decrypt the data.
Avactis Payment Modules are designed in full conformity with the Payment Card Industry Data Security Standard (PCI DSS). There are six categories of PCI compliance security standards (www.pcicomplianceguide.org/pci-basics.php). To protect the information, we worked out the following solutions:
- To maintain a secure network, time-proven software is installed on the Avactis servers, such as CentOS, Plesk, Advanced Policy Firewall and Rootkit Hunter. The server state is under constant control and permanent monitoring.
- Cardholder data is encrypted with the RSA algorithm, and the private key is saved only on the store administrator's local workstation. For temporary storage the data is encrypted with the Blowfish algorithm, and the Blowfish secret key is transmitted only in a GET parameter of the HTTPS request.
- For every order, the administrator has to upload the private key from his workstation to view the credit card information. Once the key is loaded, the data is decrypted and displayed on the screen, and the key is then discarded (it is never saved on the server). The whole operation runs over an HTTPS connection, which gives reasonable protection against eavesdroppers and man-in-the-middle attacks.
- Every decryption of cardholder data is recorded in the application log, so the administrator can always view a report of cardholder data views.
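The Offline module flow described above (keypair generated at activation, only the public key kept on the server, cardholder data encrypted at rest, decryption only after the administrator uploads the private key, every decryption logged) can be illustrated in code. The following Go program is an added example written for this page; it is not Avactis code and does not reproduce the product's PHP implementation. It assumes a 2048-bit key rather than the 512- or 1024-bit keys the text mentions, because current Go releases refuse to generate 512-bit RSA keys, and it uses RSA-OAEP with the order id as the OAEP label so that a ciphertext copied from one order row to another fails to decrypt. The type and function names (`OfflineModule`, `Activate`, `StoreCard`, `ViewCard`) and the card record are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records one successful decryption of cardholder data
// (the "report on cardholder data views" from the text).
type AuditEntry struct {
	When    time.Time
	Admin   string
	OrderID string
}

// OfflineModule holds only what the server is allowed to keep: the public key,
// the encrypted rows and the audit log. There is deliberately no private-key field.
type OfflineModule struct {
	pub   *rsa.PublicKey
	rows  map[string][]byte // order id -> RSA-OAEP ciphertext of the card record
	Audit []AuditEntry
}

// Activate generates the keypair when the module is switched on. The server keeps
// the public key; the PEM-encoded private key is returned exactly once so it can be
// downloaded to the administrator's workstation and must not be persisted here.
func Activate(bits int) (*OfflineModule, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	privPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(priv),
	})
	m := &OfflineModule{pub: &priv.PublicKey, rows: map[string][]byte{}}
	return m, privPEM, nil
}

// StoreCard encrypts the card record for an order and keeps only the ciphertext.
// OAEP with SHA-256 and a 2048-bit key accepts at most 190 bytes of plaintext,
// which is enough for number, expiry and holder name; longer input is rejected.
func (m *OfflineModule) StoreCard(orderID string, record []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, m.pub, record, []byte(orderID))
	if err != nil {
		return err
	}
	m.rows[orderID] = ct
	return nil
}

// ViewCard is the administrator's "upload key, decrypt, display" step. The
// uploaded key is parsed, checked against the store's public key, used once and
// then dropped with the function's stack frame; nothing is written to disk.
func (m *OfflineModule) ViewCard(admin, orderID string, uploadedPEM []byte) ([]byte, error) {
	ct, ok := m.rows[orderID]
	if !ok {
		return nil, errors.New("no stored card for this order")
	}
	block, _ := pem.Decode(uploadedPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("uploaded file is not a PEM RSA private key")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	// Refuse a key that does not belong to this store before touching any ciphertext.
	if !priv.PublicKey.Equal(m.pub) {
		return nil, errors.New("uploaded key does not match the store's public key")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(orderID))
	if err != nil {
		return nil, err
	}
	// Only successful decryptions are logged as cardholder data views.
	m.Audit = append(m.Audit, AuditEntry{When: time.Now(), Admin: admin, OrderID: orderID})
	return pt, nil
}

func main() {
	m, privPEM, err := Activate(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a test card number, expiry and holder name.
	if err := m.StoreCard("order-1001", []byte("4111111111111111|12/29|JANE DOE")); err != nil {
		panic(err)
	}
	pt, err := m.ViewCard("admin", "order-1001", privPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\naudit entries: %d\n", pt, len(m.Audit))
}
```

In a real deployment the PEM returned by `Activate` would be sent to the browser as a download and never logged, and `ViewCard` would be called from the order page's upload handler over HTTPS; a key uploaded for the wrong store, or a damaged file, is rejected before any ciphertext is touched and produces no audit entry.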
Platform:
Web