These days, payments can be made in multiple ways: EMV, credit, mobile wallets (Apple Pay, Android Pay, etc.), to name just a few.

 

This flexibility of payment options is great in most respects, but it creates challenges for developers. How can they write a single app that integrates all payment options? And how can they keep transactions secure, no matter which type of payment method their applications use?

 

The triPOS Cloud API is a tool that can help answer these questions. It provides access to a turnkey payment processing solution that supports all major payment methods, including EMV, credit, PIN debit and mobile wallets (Apple Pay, Android Pay, etc.). The triPOS Cloud interfaces with custom business management software via a REST API.

 

This tutorial provides an overview of integrating with triPOS Cloud payment processing and Express, a server-side web service. You will learn how to quickly process a payment transaction using a specific REST API.

 

The Payment Processing Environment

The triPOS Cloud payment processing environment contains the following elements, as illustrated in Figure 1:

 

  • triPOS Cloud - the API
  • Merchant environment - POS, router and PIN Pad
  • Express Gateway - API gateway

 

During certification you do not need a physical PIN pad: a null simulator can stand in for it while you exercise the API. You still need an Express test account, however, to interact with the Express Gateway.

 

Figure 1

 

We will now discuss how you can process a sample sale request within minutes.

 

Step 1: Apply for an Express account

First, apply for an Express test account at http://www.elementps.com/Create-a-Test-Account.

 

After your application is accepted, you will receive the following account information to add to the headers of your API request:

 

  • AccountID
  • AccountToken
  • ApplicationID
  • AcceptorID

 

You will also receive the Express test URLs and other important documentation for working with the triPOS Cloud and Express gateway.

 

Step 2: Build your API request with a REST client

To build the API request, we will use a third-party REST client, the Advanced REST client (ARC).

 

The triPOS Cloud accepts JSON-formatted request messages and returns its responses in JSON as well.

 

Each request is identified by a transaction type and is accompanied by data elements belonging to the request. Keep in mind that a typical triPOS Cloud request is simpler than an Express request because card information is not included. Card information is obtained downstream via direct interactions between triPOS Cloud and the PIN pad.

 

Each request requires a header with specific fields, and its parameters are carried as follows:

  • For POST and PUT requests, parameters are sent in the request body.
  • For GET and DELETE requests, parameters are sent in the URL’s query string.
  • For any type of request, some values, such as PaymentType, may be sent in the URL. For more information, see the API documentation.

 

In Step 1, you received the values for building the API request header. Build the header as shown in Figure 2 under the ARC Headers tab.

 

Figure 2

 

To build the API body, you have to switch to the ARC Body tab as shown in Figure 3.

 

Figure 3

 

Construct the request as shown in Figure 3.

Step 3: Run your API request with the REST client

Run your API request by clicking the Send button in the upper right corner.

 

Step 4: Analyze the response

If everything is successful, an HTTP 200 response is returned, as shown in Figure 4.

Figure 4

 

Now run the request a second time.

 

You will get an HTTP 400 response, as shown in Figure 5, because the request-id must be unique for every request you make, and the second run reused the id from the first.

Figure 5

 

But how do we produce a valid request-id (a UUID)?

Use the Online UUID Generator Tool (select version 1) to obtain a valid UUID. Put the new value in the request and it will succeed again.

 

Let’s change the request URL to the production URL (https://tripos.vantiv.com/api/v1/sale) and run the request again.

 

The response will be an HTTP 401, as seen in Figure 6.

 

Figure 6

 

This is expected because you have a test account, not a production account, and you are therefore not authorized to use the API in production.
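The four steps above, as an added example (not code from the original post or from the triPOS project): a small Python client that builds the sale request with the Step 1 credentials, mints a fresh version 1 UUID per call so the HTTP 400 from a reused request-id cannot recur, keeps the AccountToken out of logs, and maps the 200/400/401 responses to the explanations given in Step 4. The exact header name for the request id, the environment-variable names, the test URL placeholder and the sample body fields are assumptions; take the real ones from the API documentation delivered with your test account.

```python
import json
import os
import urllib.error
import urllib.request
import uuid

PRODUCTION_SALE_URL = "https://tripos.vantiv.com/api/v1/sale"  # quoted in the tutorial
# The test URL arrives with your Express test account; this is only a placeholder.
TEST_SALE_URL = "https://EXPRESS-TEST-HOST-PLACEHOLDER/api/v1/sale"
# The four values issued in Step 1; AccountToken is a secret.
CREDENTIAL_FIELDS = ("AccountID", "AccountToken", "ApplicationID", "AcceptorID")
# What the tutorial says each status code means (Step 4).
STATUS_MEANING = {
    200: "sale accepted",
    400: "rejected: request-id not unique (the tutorial's cause) or request otherwise malformed",
    401: "not authorized: test credentials cannot be used against production",
}


def credentials_from_env() -> dict:
    """Read the Step 1 values from EXPRESS_ACCOUNTID etc. (variable names assumed),
    so that the secret AccountToken never has to be written into source code."""
    return {f: os.environ["EXPRESS_" + f.upper()] for f in CREDENTIAL_FIELDS}


def build_headers(creds: dict) -> dict:
    """Header set for one request. A fresh version 1 UUID is minted on every call,
    which is exactly what prevents the HTTP 400 seen when a request-id is reused."""
    missing = [f for f in CREDENTIAL_FIELDS if not creds.get(f)]
    if missing:
        raise ValueError(f"missing credential field(s): {missing}")
    headers = {f: creds[f] for f in CREDENTIAL_FIELDS}
    headers["Content-Type"] = "application/json"
    headers["request-id"] = str(uuid.uuid1())  # header name assumed; tutorial asks for a v1 UUID
    return headers


def is_valid_request_id(value: str) -> bool:
    """True only for a well-formed version 1 UUID."""
    try:
        return uuid.UUID(value).version == 1
    except ValueError:
        return False


def build_sale_request(creds: dict, body: dict, production: bool = False) -> dict:
    """URL, headers and JSON body for POST /sale against the test or production host."""
    return {"url": PRODUCTION_SALE_URL if production else TEST_SALE_URL,
            "headers": build_headers(creds), "body": json.dumps(body)}


def redacted(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the AccountToken is blanked out."""
    return {k: ("[redacted]" if k == "AccountToken" else v) for k, v in headers.items()}


def explain_status(code: int) -> str:
    return STATUS_MEANING.get(code, f"unexpected HTTP {code}; consult the API documentation")


def send(request: dict) -> tuple:
    """Perform the POST and return (status, response text). Network call, not run offline."""
    req = urllib.request.Request(request["url"], data=request["body"].encode(),
                                 headers=request["headers"], method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Constructed sample body; the real field names come from the API documentation.
    sale = build_sale_request(credentials_from_env(), {"transactionAmount": "1.00"})
    print("POST", sale["url"], "headers:", redacted(sale["headers"]))
    status, text = send(sale)
    print(status, explain_status(status), text[:200])
```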

 

Conclusion

We successfully processed a sample sale request and also walked through the main error responses you can expect when the sample sale request is not correct. This quick review showed you just a small part of the triPOS Cloud API, which is described further in its Swagger specification.

 

About the Author:

Cordny Nederkoorn is a software testing and marketing consultant with over 10 years of experience in finance, e-commerce and web development. He is also the founder of TestingSaaS, a testing and marketing agency for companies related to Software as a Service (SaaS).

Adopting a P2PE solution is a great start to securing your retail payments, but it isn’t the end of your security responsibilities as a merchant organization. You still need to enforce best practices for developing in-house applications that interact with the P2PE system, and control the in-store retail experience to ensure security at every level.

 

Here is a checklist that can help merchant organizations and their developers ensure the key parameters are in place when building apps that involve P2PE payment processing: 

 

1. Be familiar with the PIM

The P2PE implementation manual (PIM) is an important document that a P2PE solution provider supplies to its customers. Across the P2PE lifecycle, the PIM is the key responsibility of the customer; the P2PE provider is responsible for every other step of the payment cycle. Being familiar with the PIM comes in handy not just for troubleshooting the minor day-to-day issues that arise, but also for responding quickly in an emergency. Knowing your way around the system is key to responding appropriately to an attack, and the PIM makes this possible.

 

2. Compliance needs real-time monitoring

There are many regulations to adhere to when handling payments. It takes a dedicated compliance process to ensure these regulations are enforced at every point of interaction in the app.

 

This is a challenge in today’s distributed cloud-native apps. There are numerous API-based integrations, and each of them should be reviewed to ensure they are secure. The system is dynamic, with integrations being added and removed on a daily basis. As the system changes, these events should be monitored for compliance. This requires real-time monitoring that takes into account new components as they’re added. Every event and activity that occurs in the app should be reviewed to enforce compliance and stored in an archive for auditing at a later point.

 

3. Update to the latest versions

Security patches are the main reason to keep your application components and PCI-P2PE version updated. With new threats arising frequently, the best thing you can do to enforce security is to keep your system updated. This includes software updates and replacing outdated hardware like PEDs.

 

4. Never store customer information in plain-text format

The whole point of P2PE is that it enforces strong defaults for the encryption and decryption of card data and customer data, starting from the PED (PIN Entry Device) and at every step thereafter. If customer data or card data nevertheless enters your system at any point in the payment cycle, or in any part of the application, do not store it in plain-text format: that leaves the data open to misuse. Instead, set up a way to monitor these events in real time, and either encrypt the data or erase it automatically. Remember that these events should also be recorded for auditing purposes.

 

5. Get certified by an external QSA

Though P2PE systems put the onus of security on the P2PE vendor, you still need to do due diligence to examine your system regularly. An external QSA (Qualified Security Assessor) doesn’t just help to catch potential vulnerabilities, but can also advise on optimizing system performance to quicken transactions, simplify workflows, and reduce the scope of PCI DSS audits.

 

6. Exercise caution with new payment types

With the advancement of mobile technologies, new payment methods like NFC are emerging. They are opportunities to enrich the customer experience, but they also need to be monitored for new types of security threats. Emerging technologies are prime targets for hacking, as there may be loopholes that are yet undiscovered. Appropriate defense requires monitoring with the help of machine learning.

 

7. Leverage machine learning

 

How machine learning algorithms help detect fraud

 

Combating payment industry fraud is all about the use of data. To come out on top, merchant organizations and vendors need to be able to use data better than the criminals. The only way to counter today’s complex attacks is to use machine learning.

 

Machine learning lets merchants and vendors identify attacks from patterns and anti-patterns that emerge from data — which could be a new transaction from a strange location, suspicious IPs, a sudden rise in the number of transactions on a card, and numerous other parameters.

 

ML algorithms can help spot threats and identify the sources as well. When considering a payments vendor, assess their machine learning capabilities and consider using a third-party security solution if required.

 

8. Separate retail and online payments

P2PE is specifically designed for managing retail payments; it is not meant for eCommerce transactions. It’s important that you enforce a clear separation of concerns here. If the same product is available in-store and online, you’ll need real-time inventory status and system-to-system communication to avoid conflicts between the two channels. Additionally, a data breach in the eCommerce portal may well affect retail, and vice versa. Hence, security measures should be compartmentalized where needed, and comprehensive elsewhere.

 

In conclusion, P2PE goes a long way toward securing retail payments, but simply opting for a P2PE vendor doesn’t automatically guarantee security. It takes shared responsibility between you as a merchant organization and your P2PE vendor. By following this checklist, you can ensure your P2PE lifecycle is compliant and secure end-to-end.

 

Browser frames — also known as iframes — have been around since Netscape introduced them in 1996. Back then, iframes were sometimes used in ways that appear wacky by modern standards, such as for the structuring of content on a web page.


As a result of practices like these, iframes have gained a negative reputation in some quarters. Some developers dismiss iframes as “the web programming equivalent of the goto statement” — a hack that you use when you have to, but not an elegant solution or a best practice to follow.

 


But such criticisms of iframes are not really fair. It’s true that, like any technology, they can be abused and misused. That does not mean, however, that iframes do not have legitimate uses — some of which make them the best solution to a given web programming challenge.

 

One ideal use case for iframes is the integration of a hosted payments page into a website. Let’s take a look at why iframes are a good solution in this scenario.

 

What is a hosted payment page?

A hosted payment page is any type of web page that allows a user to make a payment online.

 

Hosted payment pages typically have to do three main things:

 

  • Accept payment information from a debit card, credit card or other payment method
  • Pass the payment information securely to a server that processes it
  • Receive and display information about the transaction to the end-user

 

Benefits of using an iframe for hosted payments

What do hosted payments have to do with iframes? The basic answer is that iframes provide an easy way to integrate a payment page into a website with minimal fuss and security risk on the part of the developers who are implementing the website.

 

More specifically, using iframes for hosted payments provides several distinct benefits for developers and end-users alike:

 

  • It’s easy for developers to implement. Typically, they only need to include a small amount of code within their website to insert the payment page within an iframe. They simply set up the iframe; the payment provider handles the rest.
  • End-users never leave the main website. Although they technically pay via a different website (the one running inside the iframe), from their perspective, they remain on the same page and site. This helps to keep users confident about the security of the payment they are issuing, since navigating to a different site could leave them concerned about whether they can trust the payment site. It also simplifies the overall payment experience.
  • Iframes mitigate the risk of users navigating away from a page before payment is complete. If you move users to a new website to submit a payment, they may become confused and press the back button or otherwise navigate away from the new site. Doing so can interrupt the payment process — and it poses an even greater challenge if the payment is already in progress. By keeping the payment within an iframe on your site, you avoid unintended navigation issues.
  • You can update your website without worrying much about how the changes will impact the hosted payment page. As long as you leave the iframe in place, changes to the rest of the site are unlikely to impact payments processing.
  • Iframes are flexible and easy to configure. A few lines of CSS or element property definitions suffice for defining the size, layout and other features of an iframe. You can therefore easily customize how a hosted payment page appears within your website.
  • You can have the payment page time out without disrupting the overall site. This is useful in cases where a customer starts a payment but does not complete it in time. You don’t want to leave the payment page open indefinitely, because that would be a security risk. But you also don’t want your entire website to time out and shut down automatically, because that would reduce the likelihood that the customer will come back later and complete the payment. By placing the payment page inside an iframe, you can easily have just that element time out, but keep the rest of the site running and ready for the customer to use.
  • Iframes make it easy to support different screen sizes and layouts, without having to worry about the specifics of the payment page content. If your iframe is not large enough to display the entire payment page at once, or your end-user’s screen is too small, the browser will automatically create scroll bars to make content visible. In this way, iframes make it easy to integrate hosted payment pages that work well with a variety of different devices and screen types.

 

The bottom line: Iframes provide an easy, flexible and secure way to make hosted payment pages available with minimal effort on the part of your developers — and they simplify transactions for your customers.

 

About the Author:  

Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.

Why You Should Share Code on GitHub

GitHub is a massively popular tool among developers these days — and with good reason. It offers all of the functionality of Git, and much more to boot. Indeed, GitHub has become so important to modern software production that if you’re not using it, you’re likely making a mistake.

 

Let me explain. In this article, I’ll discuss all of the benefits of sharing code via GitHub. This will illuminate why many open source projects (plus some non-open source projects) are hosted on GitHub and why the platform has become the default code-sharing solution for software projects.

 

The Sheer Number of Developers and Projects

 


Let’s face it — most programmers are already familiar with GitHub. It is therefore imperative to share code on a platform most contributors are familiar with. Currently, GitHub has over 31 million developers around the globe (more joined in 2018 alone than in GitHub’s first six years combined), 2.1 million organizations, and 100 million repositories. These numbers keep growing each year.

 

The benefit of this is that a project is open to contributions from developers all over the world. Some projects on GitHub start with only a few contributors but rapidly grow to hundreds, if not thousands, of developers working on them. As a result, bugs get fixed more quickly, updates are released frequently, and project continuity is ensured.

 

Available Integration Options and Apps

One thing that makes GitHub very powerful and attractive to developers is the integration options it provides with apps and other services via the GitHub Marketplace. Integrations allow developers to supplement the functionality provided by GitHub. You can connect GitHub to your existing tooling and keep working without having to leave it. But it doesn’t stop there — GitHub also allows developers to create custom apps for their own needs using GitHub’s API.

 

Code hosted on GitHub can easily be linked and used on other platforms. With the click of a button, you can effortlessly turn a GitHub repository into a fully functional application on platforms like Heroku, Azure, or AWS. GitHub provides far better integration support than many other similar hosting platforms.

 

Catch Vulnerabilities with Security Alerts

Many projects have dependencies. Dependencies sometimes introduce vulnerabilities. And vulnerabilities, if not patched early enough, expose us to serious security risks. GitHub helps developers catch vulnerabilities in dependencies by notifying them of known vulnerabilities. Admins receive vulnerability notifications and can add others to the list. Additionally, fixes to some vulnerabilities are proposed, and sometimes safer versions are selected automatically using machine learning.

 

The GitHub security alert feature is very useful, and ensures that developers build quality applications that are safe. As a programmer, you can enjoy the benefits of being notified of vulnerabilities and possible solutions.

 

Resolve Issues and Improve Code Quality

Another feature that makes GitHub very appealing to developers is Issues. Issues is GitHub’s own bug tracker. It helps note ideas, bugs, tasks, and enhancements for a project. Once code is shared on GitHub, that’s not the end, as software is rarely ever written once. Code evolves, and Issues enables its evolution by allowing contributors to suggest ideas to projects and report bugs.

 

GitHub Issues takes collaboration to a different level. Because ideas and bugs can be suggested with Issues, contributions to projects are not limited to only the code-savvy. With millions of developers on the platform, project ideas can quickly be turned into features, and bugs can be completely eradicated.

 

The list could go on and on. GitHub is truly a boon (for open source projects especially). With Microsoft now owning the platform, we can expect even more from GitHub.

 

Closing Thoughts

For the record, GitHub may not be the perfect fit for every developer or every situation. For example, if you’re developing code that is not open source and that has high security or privacy needs, you probably don’t have anything to gain by putting it on GitHub, even in a private repository.

 

By and large, however, it’s hard to think of situations where GitHub is not advantageous. It’s easy to see why there has been a surge in the number of companies embracing the open source approach. The integration choices, the number of developers on the platform, security features, and issue reporting system (to mention just a few main items), make GitHub the first-choice platform for sharing code. 

Sick of hearing about New Year’s resolutions you know you won’t keep because they’re too darn hard? Here’s an easy one for you: make your bed.

 

Make Your Bed: Little Things That Can Change Your Life ... and Maybe the World

 

If you want to know why I make that recommendation, read my notes from Make Your Bed by Admiral William H. McRaven. The book is an expansion of the commencement speech Adm. McRaven gave at the University of Texas in 2014. (You might have seen it on YouTube; it has over 7 million views.)

 

Below are insightful excerpts from Make Your Bed: Little Things That Can Change Your Life … and Maybe the World that I hope will steer you and your team towards a more productive and rewarding future.

 

The 10 lessons I learned from Navy SEAL training

 

  1. Start your day with a task completed. Making my bed correctly was not going to be an opportunity for praise. It was expected of me. It was my first task of the day and doing it right was important. It demonstrated my discipline. It showed my attention to detail.
  2. You can’t go it alone. It takes a team of good people to get you to your destination in life. You cannot paddle the boat alone.
  3. Only the size of your heart matters. SEAL training was always about proving something. Proving that size doesn’t matter. Proving that the color of your skin wasn’t important. Proving that money didn’t make you better. Proving that determination and grit were always more important than talent.
  4. Life’s not fair — drive on! Life isn’t fair and the sooner you learn that the better off you will be.
  5. Failure can make you stronger. In life you’ll face a lot of failures. But, if you persevere, if you let those failures teach you and strengthen you, then you will be prepared to handle life’s toughest moments.
  6. You must dare greatly. The British Special Air Service’s motto was “Who Dares Wins.” To me the motto was more than about how the special forces operated as a unit; it was about how each of us should approach our lives.
  7. Stand up to the bullies. Courage is a remarkable quality. Without it, others will define your path forward. Without it, you are at the mercy of life’s temptations.
  8. Rise to the occasion. “No matter how dark it gets, you must complete the mission. This is what separates you from everyone else.” Somehow those words stayed with me for the next 30 years.
  9. Give people hope. If that one person could sing while neck deep in mud, then so could we. If that one person could endure the freezing cold, then so could we. If that one person could hold on, then so could we.
  10. Never, ever quit! If you quit, you will regret it for the rest of your life. Quitting never makes anything easier.

 

If you do these things, then you can change your life for the better … and maybe the world!

 

For more On the Edge content, please visit the Worldpay Partner Advantage website.

 

Jim Roddy is a Reseller & ISV Business Advisor for Worldpay’s PaymentsEdge Advisory Services. He has been active in the POS channel since 1998, including 11 years as the President of Business Solutions Magazine, six years as a Retail Solutions Providers Association (RSPA) board member, and one term as RSPA Chairman of the Board. Jim is regularly requested to speak at industry conferences and he is author of Hire Like You Just Beat Cancer and On The Edge with Jim Roddy.