Credit Card authorization from FC3

Brian Fahrlander brian at fahrlander.net
Wed Mar 2 12:04:13 UTC 2005 

On Tue, 2005-03-01 at 23:00 -0600, Thomas Cameron wrote:

> I will preface this by saying that the eCommerce stuff I've been
> involved in has been pretty much the traditional "buy a stuffed animal
> for my neice" kind of stuff, so I might not be the best person for this,
> but here goes:
> 
> It strikes me that you are selling things, just like any other eCommerce
> shop out there.  It just so happens that the things you are selling are
> units of time.  So it seems to me that all you need is a counter to tell
> you how many units of time the user has used, and then you calculate how
> much to charge their card.  There are about a bazillion eCommerce
> shopping cart programs out there, some F/OSS, some commercial.  IIRC
> Verisign has a really good shopping cart program that is fairly cheap.

    Well, the only thing I sell to them is access-time; it comes in one
size, with a variable quantity, and I don't think selling additional
items would be worth the detail.  There's no inventory, etc...and
they'll get a receipt printed at the ends of the session.

> So when your victim, er, customer comes in, you put them at a terminal
> and let them surf to their little heart's content.  Then when they are
> done, you have some sort of simple web interface that tells you how long
> they were logged in.  You charge for the number of units (hours, quarter
> hours, minutes, whatever you choose).  Swipe or enter the card, your
> shopping cart transmits it all, and you're done.

    Yeah, that's the idea.  The first swipe starts a 'validation' like
when you're at an automated gas pump.  If it's a legal card we've seen
before, we allow'em in and do whatever they need.  Later when they log
out, the elapsed time gets sent in traditional 'authorization' (payment)
transaction, and the account is charged.  That's really the heart of it.
I plan, too, to make an elapsed time meter that can run on the panel or
just a simple window, so they have some idea how much time has passed.

> I get the feeling that bringing PAM into it is going to add layers of
> complexity that don't need to be there.
> 
> Am I on the same page as you?

    Well, in general.  I see authentication-by-pam as an alternative to
a fingerprint or iButton device, with different particulars.  It would
be the way to make the fewest number of changes to the system by doing
it that way, and make it the most secure.

    I'm trying hard to keep the machines autonomous; if each one has to
have a coordinating server to make it work, that's a lot more money and
complication to add.  And simple things don't tend to break, ya know?
 
-- 
------------------------------------------------------------------------
Brian Fahrländer                 Christian, Conservative, and Technomad
Evansville, IN                                http://www.fahrlander.net 
ICQ: 5119262                                          AIM: WheelDweller
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20050302/a0499fcb/attachment-0001.sig>

More information about the fedora-list mailing list