We performed load testing a of new application with a client recently and a recurring question repeatedly came up: “How long was the transaction in OLS.Switch and how long was it at the endpoint ?”

It is an important question – one that is used to monitor application performance as well as to assist in troubleshooting purposes – and one we can clearly answer – the transaction took – a total of 5.6 seconds – and we waited up to our configured endpoint timeout of 5 seconds before we timed-out the transaction. Or – the transaction took 156 ms – 26 ms of those against a local response simulator.

In our application we use a profiler to trace execution time of each of our Transaction Participants: In which we see in our application logs as:

A normal transaction:

  open [0/0]
  parse-request [7/7]
  create-*******-tranlog [9/16]
  populate-********-tranlog [1/17]
  validate-********* [42/59]
  validate-********* [1/60]
  validate-******** [0/60]
  create-*********-request [24/84]
  query-****** [26/110]
  prepare-**********-response [40/150]
  close [6/156]
  send-response [0/156]
  end [157/157]

A timed-out transaction:

  open [2/2]
  parse-request [23/25]
  create-*******-tranlog [91/116]
  populate-*******-tranlog [1/117]
  validate-******* [67/184]
  validate-*******-card [31/215]
  validate-************** [1/216]
  create-********-request [32/248]
  query-******* [5000/5248]
  prepare-***********-response [67/5315]
  close [284/5599]
  send-response [0/5599]
  end [5600/5600]

(* note these traces are from a test app running on my macbook and are for illustrative purposes only *)

While we can answer the question by reviewing application logs – it is harder to perform any analysis on a series of transactions, specifically for external duration. We can do currently for total duration, however – this is valuable from the device perspective for how long a transaction took to process.

Logging the external duration along with our total duration for switched-out transactions and we now have:

Just a short note to share that OLS has received word from our QSA via a “PCI Certificate of Validation” Letter for our newly launched hosted payment service offering OLS.Host.

Congrats to our Operations, Systems and Security Gurus for all of their hard work on this !

The TR-39 Audit Procedures state that ISO 9564–1 Format 0 (ISO-0) and Format 3 (ISO-3) are the only approved formats:

4.1.3 X9 Approved PIN Block Formats

Documented procedures exist and are followed that ensure any cleartext PIN-block format combined with a PIN encryption process has the characteristic that, for different accounts, encryption of the same PIN value under a given encryption key does not predictably produce the same encrypted result. (Note: any cleartext PIN block, formats 0 and 3 meet this requirement, as specified in X9.8-1).

Reference X9.8-1 – Sec. 4(c), Sec. 6.2, Sec. 8.3.1, Sec.8.3.2, and Sec. 8.3.5

In case you are curious here are Visa’s PIN Security Requirements

Requirement 3:

For online interchange transactions, PINs are only encrypted using ISO 9564–1 PIN block formats 0, 1 or 3. Format 2 must be used for PINs that are submitted from the IC card reader to the IC card. Other ISO approved formats may be used.

This requirement further states:

PINs enciphered using ISO format 0 or ISO format 3 must not be translated into any other PIN block format other than ISO format 0 or ISO format 3. PINs enciphered using ISO format 1 may be translated into ISO format 0 or ISO format 3, but must not be translated back into ISO format 1.

(This last paragraph addresses an attack on Pin Blocks that can be translated in to format 1 on a HSM which would expose the clear PIN)

Let’s take a look at a few Pin Block formats:

For our examples:

P – PIN Number

F – Hex 0xF

A- Last 12 digits of PAN not including check digit

R – Random Hex Character (0-9, A-F)

Let us use the account number 4111111111111111 and PIN Number 1234 (examples use a PIN Length of 4 but could be 4-12 digits)

“Pin Pad” format or IBM 3624

PPPP FFFF FFFF FFFF

our Pin Block

1234 FFFF FFFF FFFF

Notes: Not allowed and is an old legacy method – not approved to be used.

ISO-0

04PP PPFF FFFF FFFF   (0 = ISO-0 Format, 4 = length of PIN)

XOR with

0000 AAAA AAAA AAAA (Formatted PAN)

our Pin Block:

0412 34FF FFFF FFFF

XOR

0000 1111 1111 1111

=

0412 25EE EEEE EEEE

Notes: Introduces variability in the PIN block by XOR’ing with a Formatted PAN – Best practice is to use ISO-3 instead of ISO-0 as there are attacks against ISO-0

ISO-1

1412 34RR RRRR RRRR (1 = ISO-0 Format, 4 = length of PIN)

our Pin Block:

1412 348D 665A C5A3

Notes: Introduces variability in the PIN block by using Random padding chars – Best practice is not to allow HSM’s to accept or use this PIN Block format. Not allowed by TR-39 but is VISA.

ISO-3

34PP PPRR RRRR RRRR (3 = ISO-3 Format, 4 = length of PIN)

XOR with

0000 AAAA AAAA AAAA (Formatted PAN)

our Pin Block:

3412 34C8 CBA4 285C

XOR

0000 1111 1111 1111

=

3412 25D9 dAB5 394D

Notes: Introduces variability in the PIN block by using Random padding chars and  by XOR’ing with a Formatted PAN – Best practice is to use this format.

OLS is in the market for a sales representative.

Please refer to our LinkedIn job posting for more details.

An example of a Bin Range:

If a CardNumber’s Bin or IIN – matches our Bin Range configurations – We will select the appropriate EndPoint. In this example if we have a VISA or MC Card we switch it out to a FDR Gateway. If we were connecting to a to MasterCard MIP or Visa VAP or DEX then we would have a MC and VISA EndPoint defined with our BankNet and VisaNet interfaces and switch the transactions to those endpoints.

An example of a Card Type:

We have certain transaction types that we know where they go because of their Card Type – Many of these are internal authorization hosts such as implementations of Authorized Returns, MethCheck, Loyalty, Couponing. Others are transactions where the transaction type also dictates the card type – such as those to GreenDot, InComm and other external hosts where a BIN Range lookup is unnecessary.

Source (Port) Based Routing

We recently had a requirement for Source-Based Routing – where depending on the source port that would dictate the outbound transaction path(s).

In our Server we accept the incoming transaction and then place a Context varaible we call PORT that tells us which Server Port the transaction came in on. One we have that additional data we can perform a Logic Branch in our Transaction Manager that looks like this.

This allows us to define transaction paths based on the incoming port of the server, so in this example.

<participant class=”com.ols.switch.CaseSwitch” logger=”Q2″ realm=”Switch”>
<property name=”switch” value=”PORT” />
<property name=”case 5001" value=”LookUpResponse Log Close Send Debug” />
<property name=”case 5002" value=”QueryRemoteHost_xxx Log Close Send Debug” />
<property name=”case 5005" value=”QueryRemoteHost_yyy Log Close Send Debug” />
<property name=”default” value=”Log Close Debug” />
</participant>

Port 5001 – we perform an authorization locally

Port 5002 – we switch out the transaction and reformat it to endpoint xxx – message format and interchanges requirements.

Port 5005 – we switch out the transaction and reformat it to endpoint yyy – message format and interchanges requirements.

We interface to many different systems and sometimes we get to talk to IBM Mainframes or message formats that uses Signed Overpunch

Where we see numberic values like “100000{” , “100999I”, or “100495N”

Signed Overpunch is used in order to save a byte the last character can indicate both sign (+ / -) and value.

These types are defined in COBOL Copybook this looks like:

S9(3)V9(4);

which equate to :

100000{ = 100.0000

100999I = 100.9999

100495N = -100.4955

Here is a snippet of Java Code that we use to handle this:

    public static final char[] gt_0 = {
        '{', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I'
    };
    public static final char[] lt_0 = {
        '}', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R'
    };

   protected static String convertToCobolSignedString (String aString) {
        int aInt = Integer.parseInt(aString);
        char[] conv = (aInt >= 0) ? gt_0 : lt_0;
        int lastChar = (int) aInt % 10;
        StringBuffer sb = new StringBuffer (Integer.toString(aInt));
        sb.setCharAt (sb.length()-1, conv[lastChar]);
        return sb.toString();
    }

Here is the data-structure that defines our Velocity Limits:

Here is a snapshot of a configured Velocity Limit based on Accumulated Transaction Amounts:

Here is a snapshot of a configured Velocity Limit based on Transaction Counts over a given period:

Issuer side implementations are easier test – you can feed into the authorization host both simulated network and local transaction sets to test implemented authorization rules and other features.

In 2009 we built and launched a new Issuing Payment Switch and tested it using Continuous Integration techniques. This system has 3 primary interfaces.

1. Network – connected to an association’s network to recieve incoming transactions based on BIN ranges.
2. Local – Card Management style interface – Manage Cardholder, Cards, and Accounts on the system – and allow local transaction sets to be performed.
3. Flat File generation: Authorized File, Financial File, and a Card Status and Balances File. Flat file processing – clearing/settlement/reconciliation files.

Continuous Integration as defined by Martin Fowler:

Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly. This article is a quick overview of Continuous Integration summarizing the technique and its current usage.

CI’s general steps:

1. Maintain a code repository
2. Automate the build
3. Make the build self-testing
4. Everyone commits every day
5. Every commit (to mainline) should be built
6. Keep the build fast
7. Test in a clone of the production environment
8. Make it easy to get the latest deliverables
9. Everyone can see the results of the latest build
10. Automate Deployment

Our CI model is based on an implementation that is scheduled multiple times a day – It checks out the code from our software repository, compiles it, builds a new database and schema and required setup data, starts our software services up – performs unit tests, shutdown the software services, and we receive an email and attachments that tell us if the code compiled and the results of the unit tests and which ones were successful and unsuccessful. The email attachments we receive contain the run log zipped of the transactions, and a unit test report.
Our Unit tests are written using the Groovy Programming Language and we leverage the TestNG testing framework. We act as a network client to our switch which was built and ran from the current source, and perform both Network and Local Side testing. The system is also setup using some of the Local Transaction sets, Here is a short list of a few of the transaction types:
Local:

• Add Cardholder
• Add Card
• Add Account
• Debit Account (Load Funds)
• Set Cardholder/Card/Account Status (Active/Lost/Stolen/Suspended/etc)
• Local Debit and Credits
• Balance Inquiry
• Expire Authorization
• View Transaction History

Network:

• Authorization
• Completions
• Chargebacks
• Representments
• Force Posts
• Returns
• Reverals

The combination of local and network transaction types are tested against various test cases.
If we setup a Cardholder with AVS information and run an AVS Authorization – do we get the expected results, and for each AVS result code ? Does an authorization on a statused card get approved ? Do transactions with amounts greater then, equal to, or less then the cardholder’s available balance get authorized or declined properly ? Authorization on a Card not Found ? You get the idea.
We build and test our issuer platform a few times a day – each developer can also run the test suite locally on their development environment, this ensures that future changes doesn’t impact existing functionality. On a test failure – relevant information in included in the autotest emails so issue discovery can be identified by our business analysts and developers without logging into test systems.
Oh, and Please don’t break the build

In payment systems I don’t really care as much about the type of card, Credit vs Debit at a basic level to me — one has PIN’s and requires usage of HSM’s and require real-time reversals and one uses clearing files and the other reconciliation files. But I digress.

At the bottom of the picture there are some statistics, Kiplinger being a personal finance website and not to mention various “Letters“, these are mostly consumer related, but his one caught my eye:

Which makes me chuckle because lots of prospects tell us they need a system to be able to support the worlds average TPS (Transaction Per Second), or a small fraction of.

In the Payment Systems World, we’ve now entered “The Freeze.” This is the industry-wide term associated with the period running from approximately the Thursday before Thanksgiving (which is the last Thursday of November in the US) through to about the second full week in January. During that period, we don’t do any production releases, unless it’s a fix of a critical nature. We advocate the same practice for our clients. We also recommend that they not undertake material changes to hardware configurations, databases, scripts, or any other piece of supporting or underlying technology.

Traditionally, it’s been a good time for us to focus on big projects that have a Q1 delivery date. We can stay under the covers and make some serious progress on those bigger initiatives.

We also send out a customer letter re-emphasizing how to get a hold of us. The letter stresses the importance of vigilance and watchfulness over key production systems. It reminds our clients that we’re Always Available. Our firm was founded on the back of 24×7x365 support of mission-critical production systems. We get paid to make sure our clients can – to the fullest extent possible – enjoy the holidays with their family knowing that we’ve got their back on support.

Why all the heightened concern? It’s the nature of payment systems: there’s tremendous upsurge in volume in the freeze period. If you’ve got a latent bottleneck laying dormant and ready to strike, the unfortunate reality is that it’s going to nail you right between the eyes on a killer day like Black Friday, Cyber Monday or Christmas Eve. We service some Stored Value authorization endpoints that get massive 20x surges in volumes on December 24th. So, you’ve got to be ready.

We work the other ten-and-a-half months of the year to make this month-and-a-half as uneventful as possible.