Payflow Pro Certificate Change - payflowpro

We have the ability to use a Payflow Pro account to handle credit card transactions in our software, and one of our customers forwarded us an email they received from PayPal. I am just trying to figure out if this affects Payflow Pro accounts, as I do not see any information relating to a certificate in our code. The code appears to be a post to their web service. I have performed a test by posting to their Pilot URL, but I am not sure that would be sufficient and want to make sure that we are covered when the official switch occurs. The code base is VB6 utilizing WinHttpRequest to perform the post in most cases, and there is also a smaller percentage that would post utilizing the Payflow Pro COM control DLL. Can anyone confirm whether or not Payflow Pro will be affected, or provide any additional suggestions for testing purposes?
In keeping with industry standards set by the Certification Authority/Browser (CA/B) Forum, PayPal will discontinue supporting 1024-bit key length certificates and will migrate to 2048-bit certificates before the end of 2013.
We have completed the installation of 2048-bit certificates for all API endpoints in our PayPal Sandbox and Payflow Pilot environments, and we will be doing the same for our production environments starting on August 5, 2013. A complete upgrade schedule is available here.
We strongly encourage merchants to thoroughly test any existing integration(s) in the PayPal Sandbox and/or Payflow Pilot environments to ensure this migration will not cause any unforeseen issues.

If you're using any recent technology to send information to Payflow Pro, I'd say you have nothing to worry about. Especially if you've used their test environment. They are upgrading their SSL certificate when you post the information to Payflow Pro. There are technologies and SSL implementations in the wild that would not support this switch.
If you want to know for sure, edit your question with the technologies you're using to send the information to Payflow Pro.

Related

Cost of developing a Google Assistant App?

What costs are involved with developing and/or releasing a Google Assistant App?
eg: Can you develop an app using DialogFlow and a backend (say Firebase) without having to pay while you learn?
First of all - you don't need to use Dialogflow or Firebase to develop your action. Both are suggested, but neither are required. You can use any NLP you want, or none at all if you use the Actions SDK (but you want an NLP). You can use any backend at all, including running it off your local machine and tunneling to it via ngrok, but you don't want to do that for production.
But, during development (and even during a light deployment before your action becomes massively popular and a stand-out hit), you have lots of solutions that will be free.
Dialogflow is free for use with the Google Assistant. Period. There is an Enterprise edition which offers additional services and support for a cost, but you won't need them. There are restrictions, but you won't bump into them until you hit 3 requests per second - which you shouldn't during development.
Firebase's free tier (the Spark Plan) is good for very simple experimentation, but once you start doing network calls to outside Google's network (if you are trying to call the network API for other services), you will be blocked. No worries! The "Blaze Plan" paid tier does require a way to bill you, but they don't start billing you until you get quite a bit of usage: 2 million function calls / month and similarly scaled usage of CPU, memory, and network. So even the "Blaze Plan" will be free during development (and for basic usage).
Updated, December 2020
Things have changed a bit since the original answer was posted, but the underlying basics remain true - there is no charge to develop for Actions on Google.
Dialogflow now has an "Essentials" edition and a more advanced "CX" edition. While you can still use both to build Actions, they're not really intended for this purpose anymore.
Instead, Google has included the Actions Builder into the Actions Console to handle the NLP work. The Actions SDK works with this, but can also just pass along all the STT information to your webhook. Both are also free to use.
Dialogflow is free if you don't use it as an enterprise:
https://dialogflow.com/pricing/
And the Firebase free tier should be enough if you're not already using Firebase for other projects.
But of course you have to calculate your own time, so in the case of the time spent, probably not.
For everything else, yes it is, as long as you're not already using it somewhere. For development you can also host your server locally and use an ngrok tunnel as the server address for Dialogflow.
As an addition to shortQuestion's answer:
The free plan in Firebase should be enough if you're just using it for learning and developing apps for personal use. If you want to go a bit further you'll need to upgrade the plan.
You can sign up with a free trial for Actions on Google to get $300 of credits during a 12 month period, which would be more than enough to do anything you want.
The costs of Firebase/Actions on Google on a higher plan aren't anything to worry about though; you'd be talking about a few cents per multiple hundred thousand requests.

Paypal ASP.NET without credit card management

I'm starting to use the Paypal SDK to implement the payment service for an ASP.NET site. I wrote the code following the SDK example and everything worked fine; of course I'm managing the whole process (credit card data entry and submission included). The site owner however complained about credit card data management and thus asked me to re-implement the whole procedure without managing the credit card data 'internally' at all, leaving Paypal to do this part of the job.
This means that NO data of the credit card should be entered in forms belonging to the site I'm coding.
As far as I can see (but I'm just a newbie in the Paypal SDK) there's not a way to do what I'm asked for using SDK API calls.
Given my lack of experience I'm not sure about what I'm stating, so I can only suppose that I'm missing something... is there a way to do so through API calls?
Best Regards,
Mike
What your site owner is likely asking you to do is to leverage PayPal's Vault API (part of its REST APIs) to store credit card information so your site doesn't have to. If you store the credit card information on your site, you have to ensure the data is stored in a PCI-compliant manner, which may be too costly for some sites. The Vault API will return a credit card token that can only be used by your REST application for making payments. The API also allows you to get the details of the credit card using the token, but will mask the full credit card number.
There are some examples on how to do this in the PayPal .NET SDK Samples. If there's a use case that's missing, feel free to let us know over on GitHub.
PayPal basics for ASP.net c#
http://www.codeproject.com/Articles/42894/Introduction-to-PayPal-for-C-ASP-NET-developers
http://www.codeproject.com/Questions/718003/How-implement-Strong-cryptography-with-associated
http://forums.asp.net/t/1977404.aspx?Integrate+with+Paypal+account+within+Net+project
http://www.west-wind.com/presentations/PayPalIntegration/PayPalIntegration.asp

Do need to worry about PCI compliance if I use Stripe or Authorize.net with WooCommerce? And what do I have to do?

I'd like to set up a WordPress site and use WooCommerce. In terms of payment processors, I'd like to use either Authorize.net CIM or Stripe. At the top of each of those pages, it says that an SSL certificate is required, so based on that fact and the PCI-DSS Compliance article on the WooCommerce site, I assumed that PCI Compliance would be necessary. Is that correct?
If I do need to worry about PCI Compliance, what does that mean I need to do? I'm familiar with the 12 requirements, I just don't understand the practical implications for me.
Specifically, I understand that many of the PCI requirements are covered by the hosting provider. Other PCI requirements are covered by the coding. Both of those things I don't really have to worry about, once it's set up. One thing I know I'll need to do, though, is enable SSL on the site. Is there anything else I am responsible to do, though? For example, annually get my site scanned for PCI Compliance? Manage my store in a particular way?
Any info is more than welcome! Things are a bit vague for me regarding this and PCI Compliance.
This is Stripe's response on an unofficial site:
Cristina Cordova, works at Stripe
Answered Aug 22, 2013
I work at Stripe. As others have mentioned, anyone accepting credit card payments must be PCI compliant. With many other service providers in the online payments space, becoming PCI compliant is a very complicated process requiring businesses to fill out lots of paperwork and work with several expensive third parties. With Stripe, it's easy:
1. Serve your payment page over SSL, i.e., the page's web address should begin with "https", not "http".
2. Use Stripe.js as the only means by which you accept payment information and transmit it directly to Stripe's servers.
By taking these steps, you completely avoid handling sensitive card data, and keep your systems out of PCI scope. Using SSL ensures that your pages are secure. Stripe.js makes it easy to collect credit card (and other similarly sensitive) details without having the information touch your server. Those details are sent directly to Stripe, which is a PCI Level 1 Service Provider. Assuming you've taken the steps above, Stripe can provide you with a completed Self Assessment Questionnaire, which details the means by which you're handling credit card data.
Stripe's official guidance on PCI compliance:
https://stripe.com/docs/security
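The answer above rests on one property: raw card numbers must never reach your own server. A practical way to verify that property (and to catch a custom form that silently posts card data to you) is to scan the form fields your server receives, or your access logs, for Luhn-valid card-number-looking values. The following is an added example written for this page, not Stripe's code or WooCommerce's; the field names, log lines and the `tok_constructed_...` token are constructed sample data.

```python
"""Added guard for the "card data never touches your server" rule: scan inbound form
fields (or log lines) for Luhn-valid card-number-looking values. A tokenized checkout
(Stripe.js or similar) should yield no hits; a hit means some form is posting raw card
data to your server and pulling it into PCI scope. All sample data below is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Standard Luhn mod-10 check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like card numbers (length 13-19, Luhn-valid)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits):
    """Keep the first six and last four digits; never write the full PAN to a report or log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_request_fields(fields):
    """Map each form field carrying a card-number-looking value to its masked hits.
    An empty dict is the expected result for a tokenized checkout."""
    report = {}
    for name, value in fields.items():
        hits = find_pans(str(value))
        if hits:
            report[name] = [mask_pan(h) for h in hits]
    return report


def scan_log_lines(lines):
    """Return (line_number, masked hits) for every log line in which a card number leaked."""
    leaks = []
    for number, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            leaks.append((number, [mask_pan(h) for h in hits]))
    return leaks


SAMPLE_REQUESTS = {  # constructed, not captured traffic
    "tokenized_checkout": {"stripeToken": "tok_constructed_ab12", "amount": "1999",
                           "order_id": "1234567890123"},
    "leaky_custom_form": {"card_number": "4242 4242 4242 4242", "exp": "12/25", "cvc": "123"},
}
SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - "POST /charge" 200 token=tok_constructed_ab12',
    '10.0.0.5 - "POST /charge" 200 card=4242-4242-4242-4242',
]

if __name__ == "__main__":
    for label, fields in SAMPLE_REQUESTS.items():
        print(label, "->", scan_request_fields(fields) or "no card data (in scope only for the processor)")
    print("log leaks ->", scan_log_lines(SAMPLE_LOG))
```

The 13-digit `order_id` in the tokenized request is deliberately included: it has the length of a card number but fails the Luhn check, so the scanner does not flag it, while the `4242 4242 4242 4242` test number in the leaky form (and in the second log line) is reported in masked form. Wire `scan_request_fields` in as a pre-processing hook that rejects and alerts rather than stores, and run `scan_log_lines` over rotated logs as a periodic control that the scope reduction still holds.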

Does this change in PayPal's API affect Drupal 6's Ubercart-Paypal Integration?

I've just got this message today. Does this change in PayPal's API affect Drupal 6's Ubercart-Paypal Integration?
In keeping with industry standards set by the Certification Authority/Browser (CA/B) Forum, PayPal will discontinue supporting 1024-bit key length certificates and will migrate to 2048-bit certificates before the end of 2013.
We have completed the installation of 2048-bit certificates for all API endpoints in our PayPal Sandbox and Payflow Pilot environments, and we will be doing the same for our production environments starting on August 6, 2013.
We strongly encourage merchants to thoroughly test any existing integration(s) in the PayPal Sandbox and/or Payflow Pilot environments to ensure this migration will not cause any unforeseen issues.
Please have the team or person responsible for your integration refer to the following:
If you need to import the new PayPal Sandbox and/or Payflow Pilot server certificates to your application or system truststore, you can download production and Sandbox certificates from https://ppmts.custhelp.com/app/answers/detail/a_id/952.
If you don't typically import the server certificates to your truststore, you can proceed with testing with no other action required.
If you have any questions, please contact PayPal Merchant Technical Services by filing a ticket; refer to PP-LIVE-3503. You may also visit our Live Site Status blog.
Sincerely,
PayPal
You should be fine unless you're using Payflow. Most people on Ubercart are using Website Payments Pro/Standard.
There's no reason to update anything for a normal Ubercart install to keep working. See https://drupal.org/node/2030733, where maintainers TR and Longwave weigh in.
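Both this question and the Payflow Pro question at the top of the page ask the same thing: how to confirm, before the production cut-over, that an integration copes with the move from 1024-bit to 2048-bit server certificates. The check a practitioner actually wants is to read the RSA modulus length out of the certificate the Pilot/Sandbox endpoint presents (or out of a certificate file imported into a truststore) and compare it to the 2048-bit floor from the announcement. The following is an added example written for this page, not PayPal's, Ubercart's or Drupal's code; it uses only the Python standard library with a minimal DER walker (not a full X.509 parser), and the `sample_rsa_spki` / `sample_cert_der` helpers build constructed stand-ins, not real keys or certificates. No endpoint hostname is assumed; pass the Pilot host from your own integration documentation to `server_rsa_bits`.

```python
"""Added check for the PayPal 1024-bit -> 2048-bit certificate migration: decode the RSA
modulus length from a DER certificate (or a bare SubjectPublicKeyInfo) so you can confirm
what an endpoint presents and what your truststore holds. Standard library only."""
import socket
import ssl

MIN_RSA_BITS = 2048
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(tlv):
    """Yield (tag, value, raw_tlv) for each element inside a constructed DER element."""
    _, body, _ = _read_tlv(tlv, 0)
    pos = 0
    while pos < len(body):
        start = pos
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value, body[start:pos]


def rsa_modulus_bits_from_spki(spki_der):
    """RSA modulus length in bits from a DER SubjectPublicKeyInfo, or None if the key is not RSA."""
    algorithm, public_key = [raw for _, _, raw in _children(spki_der)]
    oid = next(v for t, v, _ in _children(algorithm) if t == 0x06)
    if oid != OID_RSA_ENCRYPTION:
        return None
    _, bit_string, _ = _read_tlv(public_key, 0)
    rsa_public_key = bit_string[1:]                  # drop the unused-bits byte of the BIT STRING
    modulus = next(v for t, v, _ in _children(rsa_public_key) if t == 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def rsa_modulus_bits_from_cert(cert_der):
    """Locate subjectPublicKeyInfo inside a DER X.509 Certificate and measure its RSA key."""
    tbs = next(raw for _, _, raw in _children(cert_der))      # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                                  # optional explicit [0] version
        fields = fields[1:]
    return rsa_modulus_bits_from_spki(fields[5][2])           # serial, sigalg, issuer, validity, subject, SPKI


def key_is_acceptable(bits):
    """Policy from the announcement: RSA keys shorter than 2048 bits are being retired."""
    return bits is not None and bits >= MIN_RSA_BITS


def server_rsa_bits(host, port=443):
    """Live check against an endpoint you are entitled to test (e.g. the Pilot host from your
    integration docs). create_default_context() also validates the chain, so a failure here
    is itself a useful signal that your platform's trust store is behind."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return rsa_modulus_bits_from_cert(tls.getpeercert(binary_form=True))


# --- constructed sample input (not real keys or certificates) --------------------------
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_uint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)     # INTEGER is signed: pad a high bit


def sample_rsa_spki(bits):
    """SubjectPublicKeyInfo whose modulus has exactly `bits` bits (a dummy value, not a real key)."""
    modulus = (1 << (bits - 1)) | 0x1234567
    rsa_public_key = _der(0x30, _der_uint(modulus) + _der_uint(65537))
    algorithm = _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def sample_cert_der(bits):
    """Element with the shape of an X.509 Certificate around sample_rsa_spki (unsigned, placeholder names)."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der_uint(2)), _der_uint(1),                              # [0] version v3, serialNumber
        _der(0x30, b""), _der(0x30, b""), _der(0x30, b""), _der(0x30, b""),  # sigalg, issuer, validity, subject
        sample_rsa_spki(bits),
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))          # + signatureAlgorithm, signatureValue


if __name__ == "__main__":
    for bits in (1024, 2048):
        found = rsa_modulus_bits_from_cert(sample_cert_der(bits))
        print(f"{bits}-bit sample: measured {found}, acceptable={key_is_acceptable(found)}")
```

For the VB6/WinHttpRequest and Ubercart cases the measurement itself is not the whole story: what matters is that the client's TLS stack and trust store accept the new chain, which is why both announcements point at the Pilot and Sandbox environments. Run `server_rsa_bits` against the Pilot host from the same machine and OS image that runs the integration, and feed any certificate you have imported into a truststore through `rsa_modulus_bits_from_cert` to confirm it is the 2048-bit one.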

DoD PKI CAC authentication in Tomcat (embedded in JBoss)

I need to support DoD issued CAC-based authentication in my web application deployed in JBoss. Could someone give me pointers on where to start, the steps involved, etc?
Also, which JCE provider should I go with (OpenSSO, Bouncy Castle, etc.)? I tried to google for a list of (active/current) providers but couldn't really find it. Is there a list of JCE providers that are most popular (by virtue of their underlying security algorithms)? Thanks.
I haven't worked with CAC cards, but PKI integration is typically handled by PKCS#11 middleware installed on the client CPU. On the server, you may need to intercept the request at the apache module level to enable PKI/SSO, here's a slideshow with more info on how they did it for forge.mil:
http://www.slideshare.net/rbulling/enabling-web-apps-for-dod-security-via-pkicac-enablement-forgemil-case-study
If you need to do other web based interactions with the card (non PKCS11 functions like if you want to talk to one of the other apps installed on the card from your web app, or install an applet on the card) you'll need some kind of browser plug-in to send raw APDUs or higher level commands via PCSC. My company makes a plug-in for this purpose, it's available at https://cardboss.cometway.com.
Finally, I like bouncycastle... I doubt you will find any lists of JCE providers sorted by popularity.
