« Endpoint Connectivity: Best Practices | Main | Giving the Transaction Manager a workout »

Saturday, May 09, 2009

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Almost everything we do is non-persistent by design, or what you refer to as one-shot. Interestingly though, we do have many applications where these one-shot connections are multi-threaded, based on either the custom TPDU header or a transaction number in the application layer. But we still have timers similar to yours, they are just managed at the application layer for each transaction in progress, rather than a flat 60 seconds of no data received. However, this is relatively simple for us to maintain, because our own devices are managing the outbound connections at each site, and managing the inbound serial or TCP connections from the terminals themselves. In many cases, we are maintaining a persistent connection from the terminal to our remote device, and then using one-shot on our outbound connections towards the host. This way we can present the terminal with what it expects natively, while reducing the overhead required by the persistent connection to our hosts. One other point of contention with persistent sockets is duplicate transactions, when working with back-end providers with hosts that don't handle duplicates well. Outside of socket overhead, this is the primary reason we use one-shot everywhere. If a socket is hot towards the host, and you send a transaction on the socket and get no response, then there's no way to determine if it was the transaction or the response that was lost on the network. However, if the connection is one-shot and the socket fails to establish, then we can guarantee that the transaction did not reach the destination. This gives us the ability to immediately fail over to the backup destination on the other coast, without risking a duplicate transaction at the back-end provider.

The comments to this entry are closed.

AddThis Social Bookmark Button

Resources

  • Alejandro's jPOS Project
    Faced with payment systems challenges? Start here to learn more about Alejandro Revilla's jPOS project.
  • Dave Bergert's Blog
    Insights from my OLS colleague, Dave Bergert, CISSP, CISA, CompTIA Security+, and former Visa-certified QSA.
  • Glenbrook's Blog List
    Glenbrook Partners has compiled "a current summary of the latest content from some of our favorite payments and banking blogs." Dave, Alejandro and I are on the list.
  • soliSYSTEMS
    My friend Roque Solis is our go-to guy for RFID, smart cards, chip cards, integrated circuit cards, HSMs, cryptographic accelerators and public-key cryptography.
  • Specs Online - AMEX
    American Express puts its acquirer specs online for public retrieval.
  • Specs Online - FDMS
    First Data Merchant Services puts its acquirer specs online for public retrieval.
    [NOTE: This repository is accessible only via IE; this link will not work with Firefox or other browsers.]

Documents

  • The PCI Split
    Depicts how we split an implementation into PCI and non-PCI halves.
  • The Virtuous Spiral
    A good payment system unleashes customer creativity. Does yours?
Blog Widget by LinkWithin

  • Your attention to detail is a great asset. Use it wisely.