Security Model


If you choose to use ClearCard to manage access to your site, there are two different methods of access control you can choose between.

As with any program that provides many options, the sheer number of choices can confuse the issue. The authentication options available to you through ClearCard come in two basic styles (HTTP and FTP), and each of those works with two types of 'member lists' that can be updated using these options.

You will only want to select one method. Either is acceptable, but the most commonly used method is HTTP basic authentication. To activate it, select 'yes' on the radio button. You must then fill in the URL of the CGI on your server that will listen for ClearCard's post of each new member's name/password. This CGI writes the information to an 'htpassword' file on your system; every time a customer logs into your site, it is this 'htpassword' file that is checked to confirm the customer is in fact a valid member. To use the FTP method you need only supply the FTP login information and the exact location of the 'htpassword' file. This method is much simpler and bypasses the need for a CGI 'listener', but it is not generally considered as secure as the HTTP method.

While you are welcome to write your own CGI listener, ClearCard has a simple, secure implementation that we are happy to install for you.

First, let's explain what we mean by 'member lists'. Your members sign in using a name/password. Somewhere on your server this list exists (usually an htpassword file). Every time a user signs up through our member management signup page, you will want to be notified of the new member and their password, so ClearCard needs to know where to send this information. Commonly, the destination is a CGI on your system that writes to a file. ClearCard can send the information either over the web (HTTP), in which case the message must be read by a CGI on your side and written to a file on your system (usually an htpassword file), or over FTP, in which case ClearCard writes directly to the file on your system (usually an htpassword file).

See Process Flowchart -- Fig A.



As you will notice in the diagram (Fig A), there are points on the flowchart drawn as diamond shapes labeled 'htaccess'. These security checkpoints are not required, but they represent an interesting security model that ClearCard recommends you consider.

A customer signs up for your website. The signup information is sent to you together with a special name/password belonging to ClearCard, and that ClearCard name/password is validated like a regular login. If the message validates properly, the customer's name/password is passed on to your CGI. The CGI then adds its own name/password and attempts to write to the htpassword file. The CGI's name/password is validated in turn, and only if it is good is the customer's name/password added to the member name/password file as a valid member. As you can see, this methodology provides a fairly airtight way of securing your member name/password data.
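As an added illustration (not ClearCard's installable listener), here is the core of an HTTP-method CGI listener in Python. Where the flowchart places the first 'htaccess' check in front of the CGI, this listener performs that check itself, validating ClearCard's name/password with a constant-time comparison before it appends the new member's entry to the htpassword file; the ClearCard credential, the file path and the POST field names are assumptions. The {SHA} entry format is used because it needs only the standard library; for a live member file, prefer the bcrypt scheme that the htpasswd tool offers.

```python
import base64
import hashlib
import hmac
import os
import sys
import urllib.parse

# Constructed values: ClearCard's configured name/password and your htpassword file.
CLEARCARD_USER = "clearcard"
CLEARCARD_PASS = "example-shared-secret"
HTPASSWD_PATH = "/var/www/members/.htpasswd"

def basic_auth_header(user, password):
    """Build the 'Basic' Authorization value ClearCard would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def clearcard_credential_ok(auth_header):
    """Validate ClearCard's name/password in constant time (no timing leak)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(presented, f"{CLEARCARD_USER}:{CLEARCARD_PASS}".encode())

def htpasswd_line(username, password):
    """One htpasswd entry in Apache's {SHA} scheme; reject record-breaking chars."""
    if not username or set(username) & set(":\r\n") or set(password) & set("\r\n"):
        raise ValueError("invalid username or password")
    return f"{username}:{{SHA}}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def handle_signup(auth_header, post_body, path=HTPASSWD_PATH):
    """Listener core; returns the HTTP status the CGI should answer with."""
    if not clearcard_credential_ok(auth_header):
        return 401  # ClearCard's name/password did not validate: write nothing
    fields = urllib.parse.parse_qs(post_body, keep_blank_values=True)
    name = fields.get("name", [""])[0]  # POST field names are assumptions
    password = fields.get("password", [""])[0]
    try:
        entry = htpasswd_line(name, password)
    except ValueError:
        return 400
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(entry + "\n")
    return 200
if __name__ == "__main__":  # CGI glue; Apache passes the header only with 'CGIPassAuth On'
    body = sys.stdin.read(int(os.environ.get("CONTENT_LENGTH") or 0))
    status = handle_signup(os.environ.get("HTTP_AUTHORIZATION"), body)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n")
```

The listener appends only; a rejected post leaves the file untouched, which is the property the flowchart's first checkpoint exists to guarantee.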