By: Alejandro Gómez Bucio, Dana Paola Valle Arroyo and José Antonio Alcalá López
Payment systems today face a new and ever-changing reality, as increased regulation and fraud have transformed their business. As a result, payment channels such as POS, ATM, e-commerce and e-wallet systems must focus more closely on the rules that govern a transaction and must have precisely defined parameters that determine whether a transaction is authorized or cancelled. Unexpected authorizations can have catastrophic consequences for financial institutions and end in losses of millions of dollars for banks or banking switches. A review of secure coding best practices therefore requires a review of logic errors, with a meticulous inspection of each step of the code that validates and routes a transaction.
This requires a team with experience in these kinds of processes, knowledge of both the TAL language and payment systems (BASE24, Connex) and, of course, experience in identifying vulnerabilities in such environments, which allows attacks to be identified proactively and security holes to be corrected in the short and long term.
The Metabase Q team | Ocelot created this guide to set a precedent and present the bases to establish better programming practices, specifically in the TAL language, which runs in EFT systems, such as BASE24 and Connex.
The secure coding errors presented in this guide result from a thorough analysis performed on a BASE24 system that had been modified by third-party vendors other than the software owner (ACI Worldwide). On many occasions, the system is modified by different vendors over the years without following any specific standard, guided only by personal experience, practicality or speed, and sometimes without regard for the rules of the TAL language or the transactionality model established by the BASE24 system itself.
In this guide, you will find:
Errors classified in categories depending on the type of impact and criticality.
Recommendations to avoid these errors.
Diagrams for a better understanding of the modular scheme used by BASE24 and of the modules in which a vulnerability might be present.
Diagram of memory management within the code written in TAL.