V11 Test Credit Card server (UK) (CommsXL/TNSi)

Hello

I'm trying to find out some information about how V11 handles LIVE Credit Cards and TEST Credit Cards.


LIVE

I'll list my setup as it may differ from others. Currently, we have an in-house credit card server running:

Tessitura Credit Card Server
CCServer (Client and Web)
CCServer Manager (Client and Web)
CCSmart Server (Client and Web)
CCSyncro Server (C&P)
CCSyncro Local (C&P)

We use CommsXL/TNSi as a bureau service.

Our Web/Client transactions hit the Tessitura Credit Card Server. That drops a file into a folder. CCServer picks the file up and sends it over ISDN to CommsXL/TNSi. TNSi puts the reply back in the folder and Tess CCard Server picks the reply up and sends it to the client.


TEST

Tessitura Credit Card Server

CCServer (Client and Web) (this is placed in loopback mode, e.g. authorise everything)


With the new version of the Credit Code setup,

Q1. Do we need to go down the hosted route for "Hosted SecureCXL Service", OR if we choose "Internal Transcend Server", will that use the same setup as now, e.g. drop a file in a folder, etc. (we don't have Transcend in the UK... I think)?

Q2. If we are forced down the Hosted SecureCXL route, how do we set up a test credit card server so we can put through e.g. Visa No: 4111111111111111 and get an auth code back so the test transaction can proceed in Tessitura?

Thanks

Wayne

  • Hi Wayne,

    Yes, the man in the middle attack you describe is possible. Our auditors have classified this as a low risk vulnerability. They have told us that although a user has no way of knowing that an attacker has launched a man-in-the-middle attack, it should be noted that a successful attack would require use of an unsecured wireless network, control of a network device between the client and server, or a way to trick the client into connecting to the attacker’s IP address. They list DNS cache poisoning as a possible technique to do this. This is why it’s important to run Tessitura over a secure network.


    This vulnerability is something that is well known and is on our roadmap. Implementing the Payment Gateway Service is a step toward making this and a lot of other future enhancements possible.  We currently do not have a date for this change, as it will require extensive work in the Tessitura Client and the Web API to change the communication with the Payment Gateway Server.


    As to recommending Force Encryption be turned on in SQL Server, in addition to protecting data, it protects users’ Tessitura credentials from such an attack.


    Rob™


    From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Wayne Evans
    Sent: Thursday, May 31, 2012 11:19 AM
    To: Rob Pedersen
    Subject: RE: [Tessitura Technical Forum] V11 Test Credit Card server (UK) (CommsXL/TNSi)


    Just to clarify so I understand this, the V11 interface between client and Payment Gateway Service IS NOT PCI compliant yet, but will be in the future when it gets encrypted using REST.  

    Is there any date when this will be made active?

    However, Tessitura recommend setting SQL Server --> Force Encryption ON, so all the comms with the SQL server are encrypted.  (I'm assuming this is a SQL Server side setting I will need to switch on - I'll do my homework on this)


    I am able to do a man in the middle attack on my PC sending a transaction to the payment gateway and read the unencrypted card details using Wireshark (filter: ip.dst==10.5.6.181&&tcp.port==12002).

    I used credit card number 4111 1111 1111 1111, Expiry: 05/12 and CVV 123, and work postcode CV37 6BB:

    0000  00 19 bb b1 49 00 6c 62  6d 87 07 5d 08 00 45 00   ....I.lb m..]..E.
    0010  00 96 43 4b 40 00 80 06  00 00 0a 02 07 66 0a 05   ..CK@... .....f..
    0020  06 b5 7f 67 2e e2 27 ca  91 ff 40 71 04 f8 50 18   ...g..'. ..@q..P.
    0030  01 00 22 aa 00 00 24 42  4f 54 24 41 55 54 48 4f   .."...$B OT$AUTHO
    0040  52 49 5a 45 7c 09 09 31  34 32 32 30 31 34 09 41   RIZE|..1 422014.A
    0050  09 34 31 31 31 31 31 31  31 31 31 31 31 31 31 31   .4111111 11111111
    0060  31 09 30 35 31 32 09 35  30 30 09 30 30 30 09 09   1.0512.5 00.000..
    0070  09 09 57 61 79 6e 65 20  45 76 61 6e 73 09 09 43   ..Wayne  Evans..C
    0080  56 33 37 20 36 42 42 09  09 09 31 32 33 09 09 09   V37 6BB. ..123...
    0090  09 09 09 09 09 09 09 09  09 09 09 09 09 4e 09 24   ........ .....N.$
    00a0  45 4f 54 24                                        EOT$

    Is there a date when we are able to use the encrypted transmissions, as I'd thought we'd finally nailed PCI-DSS?


    Thanks

    Wayne

    From: Nick Insell <bounce-nicholasinsell2570@tessituranetwork.com>
    Sent: 5/31/2012 9:21:14 AM

    Thanks Rob that makes perfect sense!




    This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!
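A defender's check for what Wayne's capture shows, added here as an example (it is not Tessitura, TNSi or forum code): it decodes the posted hex dump, strips the Ethernet/IPv4/TCP headers and flags any tab-delimited field of the $BOT$...$EOT$ message that is a Luhn-valid card number, the kind of test a network DLP or IDS rule would apply to gateway traffic. The message framing and tab delimiter are read off the dump itself; the Luhn check is the standard card-number checksum, not something the thread specifies.

```python
"""Flag cleartext card numbers in a captured payment-gateway TCP payload.

Added example, not Tessitura/TNSi code: decode the Wireshark-style hex dump
posted in the thread (ASCII column dropped), strip Ethernet/IPv4/TCP headers
and check the tab-delimited $BOT$...$EOT$ message for Luhn-valid PAN fields.
"""
import re

CAPTURE = """
0000  00 19 bb b1 49 00 6c 62  6d 87 07 5d 08 00 45 00
0010  00 96 43 4b 40 00 80 06  00 00 0a 02 07 66 0a 05
0020  06 b5 7f 67 2e e2 27 ca  91 ff 40 71 04 f8 50 18
0030  01 00 22 aa 00 00 24 42  4f 54 24 41 55 54 48 4f
0040  52 49 5a 45 7c 09 09 31  34 32 32 30 31 34 09 41
0050  09 34 31 31 31 31 31 31  31 31 31 31 31 31 31 31
0060  31 09 30 35 31 32 09 35  30 30 09 30 30 30 09 09
0070  09 09 57 61 79 6e 65 20  45 76 61 6e 73 09 09 43
0080  56 33 37 20 36 42 42 09  09 09 31 32 33 09 09 09
0090  09 09 09 09 09 09 09 09  09 09 09 09 09 4e 09 24
00a0  45 4f 54 24
"""

def parse_hexdump(dump: str) -> bytes:
    """Each line: offset column, then 2-hex-digit byte tokens."""
    return bytes(int(tok, 16) for line in dump.splitlines() if line.strip()
                 for tok in line.split()[1:])

def tcp_payload(frame: bytes) -> bytes:
    """Skip Ethernet II (14 bytes), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used for card numbers."""
    s = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        s += d - 9 if d > 9 else d
    return s % 10 == 0

def find_cleartext_pans(payload: bytes) -> list:
    """Tab-delimited fields between $BOT$ and $EOT$ that are Luhn-valid 13-19 digit PANs."""
    m = re.search(rb"\$BOT\$(.*?)\$EOT\$", payload, re.S)
    fields = m.group(1).split(b"\t") if m else []
    return [f.decode() for f in fields
            if re.fullmatch(rb"\d{13,19}", f) and luhn_ok(f.decode())]

if __name__ == "__main__":
    print("cleartext PAN(s):", find_cleartext_pans(tcp_payload(parse_hexdump(CAPTURE))))
```

Run against the posted frame it reports the test PAN 4111111111111111; once the client-to-gateway leg is encrypted as Rob describes, the same check on the wire finds nothing, which is the property to verify after the change.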
