SlideShare ist ein Scribd-Unternehmen logo

Creating an In-Aisle Purchasing System from Scratch

Als PPTX, PDF herunterladen
Jonathan LeBlanc
Jonathan LeBlanc

The future of retail is in removing the divide between the offline shopping state and the enhanced online buying experience. To create this type of enhanced retail experience, we can remove complexities in the process, such as simplifying checkout. In this session we’ll learn how to use internet-connected microelectronics to attach to a buyer’s mobile device to provide the functionality to buy products right from the aisle.

Technologie
1 von 33
Creating an In-Aisle Purchasing System from Scratch Jonathan LeBlanc Twitter: @jcleblanc
• Apple / Android pay type integrations • Secure hardware prototype integrations with microelectronics • Non-register integrations
• Generating, handling, and securing tokens • Building an unbound physical payment architecture • Creating secure payment transmission through potentially poorly secured hardware
A Bit on Tokens
Tokenization Luhn Algorithm
Token Durability Types • Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred. • Transaction: One time use, more secure, ideal for small businesses not tracking customers.
Process Create a surrogate value for customer credit card data Attributes • 13 – 19 digits in length • Passes Luhn check validation For our use case
Starting Value 4539248095434517 Reverse Digits 7154345908429354 Multiply even digits by 2 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8) Subtract 9 from numbers above 9 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8) Sum all digits 90 Mod 10 verify 0 (remainder) The Luhn Algorithm
Apple / Android pay tokenization system EMV payment tokenisation specification
Merchant register is changed to hardware transfer bridge Network handles direct merchant requests. Vault stores surrogate to token lookup.
Customer to Device Interaction
Secure Element Host-based Card Emulation
Arduino with NFC or BLE Shield
Beacon BLE Hardware
How do you protect privileged information during data transmission?
Asynchronous Cryptography: Securing Data Through Transmission
Device Fingerprinting
Getting Paired Devices
{ requsterid: ‘1234’, usertoken: ‘443478943234’, device: { ... }, payment: { price: ’20.22’, currency: ‘CAD’, quantity: ‘2’ } } Example Payload for Risk Assurance Data
The API Network
/device issue / delete a requester ID for a verified hardware device or terminal. /pay issue / update / cancel a verified payment from a customer. /key issue / update / delete a new encryption key set for a customer device (phone). API Endpoints Needed
When generating new user tokens, how can we reduce the possibility of token collision?
Example Packages (Node) • node-uuid • hat Reducing Collision Risk • hat.rack() function • Additional params to node-uuid or hat to further randomize the generated token Using Respected Modules
The Token Vault
Token Vault Security • Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc). • Secured internal network • Strong cryptography and security protocols • Restrict user access and roles to system • System is protected from vulnerabilities • ... • Transactions are restricted to domains that are registered to valid token requesters.
Credit Card Vaulting Credit Card Information Address Information Card Holder Name ... 7e29c5c48f44755598dec3549155ad6 6f1af4671091353be4c4d7694d71dc8 66 https://developer.paypal.com/docs/api/vault/
CAP Theorem • Consistency: Data to and from different nodes in the distributed system should always be identical. • Availability: The vault is always available to service requests. • Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
Multiple Record Storage Surrogate Token Payment Token Delete 5256771698017130 d66f1af4671091353be4c true 5355427967576526 d66f1af4671091353be4c false 5535770792529787 7e29c5c48f4475523ef56 false
Wrapup Links • Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html • EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263 • Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto • Android Build info: http://developer.android.com/reference/android/os/Build.html
Thank you! Slides: slideshare.net/jcleblanc Jonathan LeBlanc Twitter: @jcleblanc

Empfohlen

Tokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelTokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelIntel - API Security & Tokenization
 
Brains and chains
Brains and chainsBrains and chains
Brains and chainsFelicity Mecha
 
Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Zach Gardner
 
Iot fit for purpose v0 2
Iot fit for purpose v0 2Iot fit for purpose v0 2
Iot fit for purpose v0 2Conclusion Connect enabling industry 4.0 with IoT
 
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect Getting value from IoT, Integration and Data Analytics
 
Edcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEdcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEric Larcheveque
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...Venkat Projects
 

Empfohlen

Tokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelTokenization Webinar featuring Securosis - Intel
Tokenization Webinar featuring Securosis - IntelIntel - API Security & Tokenization
 
Brains and chains
Brains and chainsBrains and chains
Brains and chainsFelicity Mecha
 
Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Encryption and Tokenization: Friend or Foe?
Encryption and Tokenization: Friend or Foe?Zach Gardner
 
Iot fit for purpose v0 2
Iot fit for purpose v0 2Iot fit for purpose v0 2
Iot fit for purpose v0 2Conclusion Connect enabling industry 4.0 with IoT
 
IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect IoT Fit for purpose - how to be successful in IOT Conclusion Connect
IoT Fit for purpose - how to be successful in IOT Conclusion Connect Getting value from IoT, Integration and Data Analytics
 
Edcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEdcon - Hardware wallets and smart contracts
Edcon - Hardware wallets and smart contractsEric Larcheveque
 
Introduction to Tokenization
Introduction to TokenizationIntroduction to Tokenization
Introduction to TokenizationNabeel Yoosuf
 
identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...identity based encryption transformation for flexible sharing of encrypted da...
identity based encryption transformation for flexible sharing of encrypted da...Venkat Projects
 
DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDataArt
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataMaximilian Ott
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET Journal
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteriasabin kafle
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)John Teeter
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT AgentFernando Lopez Aguilar
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti
 
Blockchain & microsoft
Blockchain & microsoftBlockchain & microsoft
Blockchain & microsoftİbrahim KIVANÇ
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID AccessMarketingArrowECS_CZ
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDSebastián Guerrero Selma
 
1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iotChintan Patel
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed IntelligenceNuri Cankaya
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptxalirezafiroozian
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detectionMk Kim
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercatoCDagata
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engDavid Vangulick
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for BusinessAhmad Gohar
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in CordaGuy Hochstetler
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by BlockchainSlash
 

Weitere ähnliche Inhalte

Was ist angesagt?

DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDataArt
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataMaximilian Ott
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET Journal
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteriasabin kafle
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)John Teeter
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti
 

Was ist angesagt? (7)

DeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana MatvienkoDeviceHive overview, Tatyana Matvienko
DeviceHive overview, Tatyana Matvienko
 
Confidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing DataConfidential Computing - Analysing Data Without Seeing Data
Confidential Computing - Analysing Data Without Seeing Data
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
 
Raabit and bacteria
Raabit and bacteriaRaabit and bacteria
Raabit and bacteria
 
GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)GreenButton Technical Overview (July 2014)
GreenButton Technical Overview (July 2014)
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT Agent
 
Novelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain MeetupNovelti Intro at Machine Learning Spain Meetup
Novelti Intro at Machine Learning Spain Meetup
 

Ähnlich wie Creating an In-Aisle Purchasing System from Scratch

1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iotChintan Patel
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed IntelligenceNuri Cankaya
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detectionMk Kim
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercatoCDagata
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engDavid Vangulick
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for BusinessAhmad Gohar
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in CordaGuy Hochstetler
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by BlockchainSlash
 
Webinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using BlockchainWebinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using BlockchainJK Tech
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low CostDonald Malloy
 
6 atec ant block chain
6 atec ant block chain6 atec ant block chain
6 atec ant block chainChris Skinner
 

Ähnlich wie Creating an In-Aisle Purchasing System from Scratch (20)

Blockchain & microsoft
Blockchain & microsoftBlockchain & microsoft
Blockchain & microsoft
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
1 importance of light weight authentication in iot
1 importance of light weight authentication in iot1 importance of light weight authentication in iot
1 importance of light weight authentication in iot
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014
 
Distributed Intelligence
Distributed IntelligenceDistributed Intelligence
Distributed Intelligence
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Bigdata based fraud detection
Bigdata based fraud detectionBigdata based fraud detection
Bigdata based fraud detection
 
Blockchain e mercato
Blockchain e mercatoBlockchain e mercato
Blockchain e mercato
 
Blockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v engBlockchain general presentation nov 2017 v eng
Blockchain general presentation nov 2017 v eng
 
Blockchain for Business
Blockchain for BusinessBlockchain for Business
Blockchain for Business
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
 
Webinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using BlockchainWebinar - Loyalty Reward Points Using Blockchain
Webinar - Loyalty Reward Points Using Blockchain
 
Crypto box - crypto casino
Crypto box - crypto casinoCrypto box - crypto casino
Crypto box - crypto casino
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low Cost
 
6 atec ant block chain
6 atec ant block chain6 atec ant block chain
6 atec ant block chain
 
Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25
 

Mehr von Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsJonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessJonathan LeBlanc
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer WorkshopJonathan LeBlanc
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security PracticesJonathan LeBlanc
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI ElementsJonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingJonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyJonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityJonathan LeBlanc
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data SecurityJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityJonathan LeBlanc
 

Mehr von Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
 

Kürzlich hochgeladen

Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Kürzlich hochgeladen (20)

Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Creating an In-Aisle Purchasing System from Scratch

  • 1. Creating an In-Aisle Purchasing System from Scratch Jonathan LeBlanc Twitter: @jcleblanc
  • 2. • Apple / Android pay type integrations • Secure hardware prototype integrations with microelectronics • Non-register integrations
  • 3. • Generating, handling, and securing tokens • Building an unbound physical payment architecture • Creating secure payment transmission through potentially poorly secured hardware
  • 4. A Bit on Tokens
  • 6. Token Durability Types • Durable: Long lived (~ 48 months), allows customer tracking, merchant preferred. • Transaction: One time use, more secure, ideal for small businesses not tracking customers.
  • 7. Process Create a surrogate value for customer credit card data Attributes • 13 – 19 digits in length • Passes Luhn check validation For our use case
  • 8. Starting Value 4539248095434517 Reverse Digits 7154345908429354 Multiply even digits by 2 7+(2)+5+(8)+3+(8)+5+(18)+0+(16)+4+(4)+9+(6)+5+(8) Subtract 9 from numbers above 9 7+(2)+5+(8)+3+(8)+5+(9)+0+(7)+4+(4)+9+(6)+5+(8) Sum all digits 90 Mod 10 verify 0 (remainder) The Luhn Algorithm
  • 9. Apple / Android pay tokenization system EMV payment tokenisation specification
  • 10.
  • 11. Merchant register is changed to hardware transfer bridge Network handles direct merchant requests. Vault stores surrogate to token lookup.
  • 12. Customer to Device Interaction
  • 14. Arduino with NFC or BLE Shield
  • 16. How do you protect privileged information during data transmission?
  • 17. Asynchronous Cryptography: Securing Data Through Transmission
  • 18.
  • 21. { requsterid: ‘1234’, usertoken: ‘443478943234’, device: { ... }, payment: { price: ’20.22’, currency: ‘CAD’, quantity: ‘2’ } } Example Payload for Risk Assurance Data
  • 23. /device issue / delete a requester ID for a verified hardware device or terminal. /pay issue / update / cancel a verified payment from a customer. /key issue / update / delete a new encryption key set for a customer device (phone). API Endpoints Needed
  • 24. When generating new user tokens, how can we reduce the possibility of token collision?
  • 25. Example Packages (Node) • node-uuid • hat Reducing Collision Risk • hat.rack() function • Additional params to node-uuid or hat to further randomize the generated token Using Respected Modules
  • 27. Token Vault Security • Strong physical and logical security measures per industry standards (PCI DSS, OWASP, etc). • Secured internal network • Strong cryptography and security protocols • Restrict user access and roles to system • System is protected from vulnerabilities • ... • Transactions are restricted to domains that are registered to valid token requesters.
  • 28. Credit Card Vaulting Credit Card Information Address Information Card Holder Name ... 7e29c5c48f44755598dec3549155ad6 6f1af4671091353be4c4d7694d71dc8 66 https://developer.paypal.com/docs/api/vault/
  • 29. CAP Theorem • Consistency: Data to and from different nodes in the distributed system should always be identical. • Availability: The vault is always available to service requests. • Partition Tolerance: The distributed system can continue to work even in the event of underlying data communications network failure, or hardware failure in a node.
  • 30. If consistency is dropped, how do we ensure that the payment token retrieved is the correct and newest one?
  • 31. Multiple Record Storage Surrogate Token Payment Token Delete 5256771698017130 d66f1af4671091353be4c true 5355427967576526 d66f1af4671091353be4c false 5535770792529787 7e29c5c48f4475523ef56 false
  • 32. Wrapup Links • Host Card Emulation (Android): https://developer.android.com/guide/topics/connectivity/nfc/hce.html • EMV Tokenisation specification: https://www.emvco.com/specifications.aspx?id=263 • Asynchronous cryptography example: https://github.com/iddatasecuritybook/chapter7/tree/master/asymmetric-crypto • Android Build info: http://developer.android.com/reference/android/os/Build.html

Hinweis der Redaktion

  1. What does this type of system enable? Walk around payment checkout Direct hardware / beacon payments in aisle Direct table purchases
  2. What we’ll learn today
  3. What does the token look like – 13-19 digit numeric value that passes account and Luhn check validation Durable vs transaction based tokens Durable: merchant preferred as it allows CC ad data storage. Faster purchases (don’t have to request a new token each time). Transaction: more secure, don’t need to track customer details. Good for small businesses
  4. tokenization
  5. Luhn algorithm https://www.rosettacode.org/wiki/Luhn_test_of_credit_card_numbers http://www.freeformatter.com/credit-card-number-generator-validator.html
  6. What we’ll model our breakdown around EMV payment tokenisation specification Apple / Android pay tokenization system
  7. How the apple / android pay system works (diagram)
  8. How our modified system will work
  9. Device / User integration
  10. Secure element functionality on the phone vs HCE
  11. Device hardware – arduino with BLE / NFC shield
  12. Beacon hardware
  13. Protecting card data prior to storage
  14. Asynchronous Cryptography
  15. Creating risk assurance information for verification by the API network
  16. The API network
  17. The endpoints needed for the network /device – create new verified endpoint device (providing a requester ID) /pay – make an encrypted payment /issue – issue new key set for data encryption (new mobile device)
  18. How do we ensure minimal collision in generated tokens?
  19. Node-uuid and hat Hat.rack func
  20. Some storage rules / regulations
  21. https://www.voltage.com/pci/tokenization-of-credit-card-numbers-and-the-cap-theorem/ The theorem states that for distributed data storage systems a system designer has to choose between two of the three following menu items: Consistency. In the card vault example this would imply that no matter which distributed tokenization service was used for tokenization or de-tokenization they would all return the exact same token for a given PAN. It would not be permissible, for example, to return two different tokens for a given PAN. Availability. The card vault is always available to service a request to tokenize or de-tokenize. Partition tolerance. This is perhaps the least understood of the three choices. In summary, for a distributed storage system the system can continue to operate even in the event of underlying data communications network failure, or hardware failure in a node.
  22. How do we ensure the consistency of tokens
  23. Store multiple records of token to payment token mapping with the outdated records flagged for deletion