It’s been quiet recently on this blog… because we’ve been busy! RDFa and JSON-LD standards are coming along nicely and the Web Payments work is progressing. Our payment standards effort has been focused on our PaySwarm implementation, but we haven’t forgotten the specs and will get back to working on them as soon as we can. We missed an update post here for our PaySwarm Alpha 4 release, and now we also have a PaySwarm Alpha 5 release. Below are the Alpha 4 and Alpha 5 release notes.
It’s been about 2.5 months since the last release. We’ve been focused on adding the last set of features that are needed for a commercial launch. Namely:
- Bank account registration (with ACH/credit network integration)
- Security fixes for theoretical SHA-1 vulnerability
- Settings management (credit cards, bank accounts, addresses, and access keys)
- Lots and lots of bug fixes and interface changes
The latest release can be found here:
There is still more to do, but all of the major features are now implemented. The messaging protocol (using JSON-LD) has stabilized, so we’ll probably do a spec update at some point in the next few months with all of the new stuff. We have a few minor features to go, but the commercial release is looking like it’s in good shape. We will try to make it before the holidays, but in all likelihood, it’ll be in the early part of next year (as we still want to do some burn-in testing on the system under heavy load).
Here are the major changes:
Bank Account and Credit Card Registration
The system now implements all the back-end calls to the US Federal Reserve-backed Automated Clearing House banking network. This allows people to use their bank accounts to deposit money into a PaySwarm Authority as well as withdraw money from a PaySwarm Authority. It works in the same way that registering a bank account in PayPal works.
You specify your bank account details, and the PaySwarm Authority deposits two amounts into your account. After a few days, you check your bank balance to view the amounts and then type them into the PaySwarm Authority. After you have verified your bank account, you can pull money from your bank account into the PaySwarm Authority (with minimal fees charged by the banking network). You can also transfer money from any account on your PaySwarm Authority to your bank account (with minimal fees charged by the banking network).
Credit-card-based deposit support was put in some time ago, and it has been updated in this release to streamline the use of credit cards. The bank rates for these deposits are higher – around 2%-4% of the deposit amount, depending on the credit card and credit card processor.
Melvin Carvalho posted an article on this mailing list pointing out a theoretical attack on SHA-1. While we didn’t believe that it was a very likely attack, we’ve upgraded all algorithms to use SHA-256, which has no known theoretical attacks at present. This change affects how all messages on the network are digitally signed, the WordPress software, how assets are listed, etc. It was a fairly sweeping change and the protocol is more secure because of it.
There is now a Settings page. On this page, there are screens for managing a set of monetary sources and destinations called ‘payment tokens’. These include all the credit cards and bank accounts you have registered with the system. These payment tokens can be used to move money into (credit cards, bank accounts) and out of (bank accounts) the PaySwarm Authority.
We have also added a section for managing ‘Access Keys’ (Public/Private Keypairs). These keys are used to digitally sign messages on the network. They are also used to sign assets, listings, digital contracts, and generally verify that you are who you say you are. If a key is compromised, it can be revoked in the settings page, which automatically deactivates that key, rendering it useless to the person who stole it from you. Generating a new key is easy and is typically done automatically for you via PaySwarm-compatible software.
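The two changes described above, SHA-256-only signatures and key revocation, meet in the verification path. The following is an added example, not PaySwarm's own code: the registry, the message layout, the `signMessage`/`verifyMessage` names and the use of RSA keys with `JSON.stringify` as the serialization are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed policy after the upgrade: SHA-256 is the only accepted digest.
const ALLOWED_DIGESTS = new Set(['sha256']);

// Hypothetical in-memory registry of access keys, keyed by key id.
function makeRegistry() {
  const keys = new Map();
  return {
    add: (id, publicKeyPem) => keys.set(id, {publicKeyPem, revoked: false}),
    revoke: id => { if (keys.has(id)) keys.get(id).revoked = true; },
    get: id => keys.get(id)
  };
}

// JSON.stringify stands in for a canonical serialization (assumption).
const toBytes = message => Buffer.from(JSON.stringify(message), 'utf8');

function signMessage(message, keyId, privateKeyPem) {
  const value = crypto.sign('sha256', toBytes(message), privateKeyPem);
  return {message, signature: {keyId, digest: 'sha256', value: value.toString('base64')}};
}

// Policy checks run before any cryptography, so a message that names a
// weaker digest or a revoked key is rejected even if its signature is valid.
function verifyMessage(signed, registry) {
  const {keyId, digest, value} = signed.signature || {};
  if (!ALLOWED_DIGESTS.has(digest)) return {ok: false, reason: 'digest-not-allowed'};
  const key = registry.get(keyId);
  if (!key) return {ok: false, reason: 'unknown-key'};
  if (key.revoked) return {ok: false, reason: 'key-revoked'};
  if (typeof value !== 'string') return {ok: false, reason: 'bad-signature'};
  const ok = crypto.verify('sha256', toBytes(signed.message), key.publicKeyPem,
    Buffer.from(value, 'base64'));
  return ok ? {ok: true, reason: null} : {ok: false, reason: 'bad-signature'};
}

// Constructed key pair for the example; a real key comes from the client software.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: {type: 'spki', format: 'pem'},
    privateKeyEncoding: {type: 'pkcs8', format: 'pem'}
  });
}

const demo = newKeyPair(), demoKeys = makeRegistry();
demoKeys.add('key-1', demo.publicKey);
console.log(verifyMessage(signMessage({amount: '0.05'}, 'key-1', demo.privateKey), demoKeys));
```

Returning a distinct reason for each rejection lets the caller log revoked-key and disallowed-digest attempts separately from ordinary bad signatures.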
General Browser Interface Improvements
The web pages for the site have been improved to make the whole experience easier. Items that were deemed too technical to show (such as URLs and micro-transaction amounts) have been played down or removed from the interface. Pages that resulted in JSON-LD data in the browser now result in HTML pages (such as identities, accounts, access keys, etc.). You can now view a human-readable version of the digital receipts for all of your purchases.
This item has to do with the technical protocol. Typically, when an item is listed for sale on the Web, you also list a number of financial accounts that should have money deposited into them if the sale is successful. We called these the ‘payees’ of a digital contract. We had implemented this as an ‘ordered list of payees’ before, which resulted in a fairly awkward expression of the data in RDFa and JSON-LD. The algorithm for calculating the total amount that should be paid was very technical and hard to figure out unless you were staring at the algorithm and knew a fair bit about how the calculations were being made.
We have since moved to ‘groups of payees’, which takes a great deal of the guesswork out of how the algorithm works. Certain groups are applied before or after other groups. Vendors can create as many groups as they’d like and associate the groups in such a way as to make the order of calculation explicit without having to specify a numeric order of operations. The new mechanism is basically a dependency-based algorithm based on how the ‘groups’ have been associated in the PaySwarm listing. We’ll go into more depth about this in another e-mail, but there was a good bit of simplification that this approach provided.
Those are the major changes. Here is a high-level changelog summary for the past 2.5 months:
- Added public key revocation features.
- Web interface fixes related to layout and fonts.
- Updates to transaction details view. Added link to transaction detail.
- Add transaction details link icon.
- Added ‘Access Keys’ tab to settings page.
- Button layout changes for accounts and budgets.
- Added ability to view public financial accounts.
- Consolidated actions for budgets and accounts in dashboard.
- Allow withdrawal details to be viewed, fix transfer destination display.
- Fixed JSON backslash-escape bug when generating window.data.
- Add withdraw modal and service to process withdrawals.
- Added ability to view public keys via a browser.
- Added view for financial account details.
- Simplified viewing account activity details/receipt details.
- Added support for promotion codes and pre-paid gift card-like tokens.
- Use ps:Receipt to wrap digital contracts.
- Include license agreement in purchase details.
- PaySwarm Authority digital signatures for deposits.
- Use sha256 for digital signatures and auto-upgrade old passwords on login.
- New payee grouping mechanism.
- Add service to restore deleted payment tokens.
- Implement trash/recovery system for payment tokens.
- Do not display transactions voided due to insufficient funds.
- Add void reason to transactions that are voided.
- Limit number of concurrent unverified payment tokens.
- Add ability to manage bank accounts on settings page.
- Directly tie-in to credit card and banking networks.
- Address validation page improvements.
- Purchase page improvements.
- Use AngularJS for new interfaces.
- Added ability to view 3rd party public financial accounts.
- Make modals full-screen-scrollable.
- Lots of improvements to e-mails sent as a result of purchases, signup, etc.
- Add display for withdrawals.
- Add payment token verification implementation.
- Add some basic Withdrawal support to payment gateways.
- Use 30 minute session timeout.
- Add credit card selector.
- Use card logos on settings page.
- Add simple address creation and display interface on settings page.
- Add settings page.
We’re happy to announce the release of PaySwarm Alpha 5. It has been almost two months since the last release. This release focused on fixing a number of usability issues and CSS rendering issues, and a big chunk of it was focused on fixing Internet Explorer 9 bugs. In all, over 385 bug fixes were made to the code base since the last release.
The latest release and demo can be found here:
We still have some bug smashing and load testing to go, but we’re inching ever closer to a launch of the service.
Here’s what is new in this release:
New Payment Token Verification Flow
The data stored on a PaySwarm Authority for credit card or bank account information is called a payment token. Some payment tokens are automatically usable, such as credit cards. Some payment tokens require verification before they can be used, such as bank accounts. The payment token verification flow for verifying bank accounts has been improved in this version of the software. The flow is pretty typical of most systems that interact with the banking network:
- Enter your bank account details.
- The PaySwarm Authority deposits two small amounts into your bank account. This can take up to 7 days due to the slowness of the legacy banking network.
- You enter both amounts into the PaySwarm system to prove that you have access to the receiving bank account.
- The bank account is marked as verified, and you can pull money out of the account.
The demo simulates step #2 of the process above by sending you an e-mail with the two amounts after a 1-2 minute delay.
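The verification flow above, sketched as an added example that is not PaySwarm's code. The token layout, the function names, the three-attempt limit and the reading of the 30-day figure as an expiry for unverified tokens are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const MAX_ATTEMPTS = 3;                     // assumed limit, not from the page
const EXPIRY_MS = 30 * 24 * 60 * 60 * 1000; // assumed: unverified tokens lapse after 30 days

// Step 2: pick two random deposit amounts in cents (1..99) with a CSPRNG.
function createPendingToken(now = Date.now()) {
  return {
    status: 'unverified',
    amounts: [crypto.randomInt(1, 100), crypto.randomInt(1, 100)],
    attempts: 0,
    expires: now + EXPIRY_MS
  };
}

// Parse "0.07" or ".42" into integer cents without floating point.
function parseCents(text) {
  const m = /^\$?(\d{0,3})\.(\d{2})$/.exec(String(text).trim());
  return m ? Number(m[1] || '0') * 100 + Number(m[2]) : null;
}

// Order-independent, constant-time comparison of the two amounts.
function sameAmounts(expected, supplied) {
  const pack = pair => Buffer.from(Uint32Array.from([...pair].sort((a, b) => a - b)).buffer);
  return crypto.timingSafeEqual(pack(expected), pack(supplied));
}

// Step 3: check the user's two amounts; wrong guesses are counted and the
// token is disabled at the limit so the small amount space cannot be searched.
function verifyToken(token, inputA, inputB, now = Date.now()) {
  if (token.status !== 'unverified') return {ok: false, reason: 'not-pending'};
  if (now > token.expires) {
    token.status = 'expired';
    return {ok: false, reason: 'expired'};
  }
  const supplied = [parseCents(inputA), parseCents(inputB)];
  if (supplied.includes(null)) return {ok: false, reason: 'malformed-amount'};
  token.attempts += 1;
  if (sameAmounts(token.amounts, supplied)) {
    token.status = 'verified'; // step 4
    token.amounts = null;      // the secret is no longer needed
    return {ok: true, reason: null};
  }
  if (token.attempts < MAX_ATTEMPTS) return {ok: false, reason: 'mismatch'};
  token.status = 'disabled';
  return {ok: false, reason: 'disabled'};
}
```

With two amounts under a dollar there are only a few thousand possible pairs, so the attempt counter, not the secrecy of the amounts alone, is what makes the proof of account access meaningful.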
While depositing money using a credit card is more immediate than a bank account, the banking network fees are higher: typically a credit card-based deposit is $0.15 + 2.19%, whereas a bank account-based deposit is around $0.50 + 0.99%. In general, if you’re depositing $30 or more, it’s better to do it using a bank account-based deposit.
We have also added the ability to delete payment tokens, and added checks to make sure that a payment token that fails to work is automatically disabled.
To use this new feature:
- Login at: https://dev.payswarm.com/
- Click Settings (at the top of the screen).
- Click “Add Bank Account” at the lower-right of the screen.
Visual credit card/bank account selector
We have implemented a visual credit card and bank account selector that makes it easier to determine if your funding source is a credit card or bank account.
To use this feature:
- Login at: https://dev.payswarm.com/
- Select the drop-down beside one of your Accounts.
- Click “Deposit”
We were surprised to find out that even Internet Explorer 9 is fairly far behind the other browsers when it comes to standards-compliance and bugs. Firefox also gave us a few problems that we didn’t expect. Google Chrome runs the entire website like a champ and was the easiest/best browser to work with when building and testing the product. The site has been tested and runs in each major desktop browser. Mobile is on our list of browsers to test, but we may not get to that until after the commercial release.
Those are the major changes. Here is a high-level changelog summary for the past two months:
- Added more tests for auto-purchase, adding credit cards and bank accounts.
- Set bank account expiration time to 30 days.
- Debian/Ubuntu packaging fixes for install, startup and shutdown.
- Advanced CSS to visually differentiate between credit card and bank accounts.
- Fixing bugs in IE9 and Windows when dealing with EOT fonts.
- Change selector display of accounts and budgets.
- Fixes to ensure that CSS is more responsive when the screen is changed.
- Stacked modal fixes to ensure proper modal is displayed.
- Add bank agreement checkbox, ensure email is available.
- Ensure that modals are singletons to aid automated testing.
- IE9 fixes for input fields.
- Disable caching of non-static resources.
- Use SVG to fix IE9 rounded borders+gradient bug.
- Use href="#" *only* for dropdown toggle links as it breaks IE9 if we don’t.
- Update to AngularJS v1.0.4.
- Updates to auditing tools to ensure all financial algorithms work as expected.
- Define console.log when undefined (for IE9).
- Include placeholder polyfill for Firefox and IE.
- Handle declined withdrawals to bank account.
- Smooth the process of entering and verifying bank account details.
- Redirect back to login screen when switching identities w/expired session.
- Better generic error handling.
- Disable payment tokens when verify transactions fail.
- Make payment gateway-related errors more friendly.
- Improve registration identity selection.
- Context-based hover-help for input fields.
- Update jQuery to 1.8.3.
- Full code audit for every file in source control.
- Add URL query argument validation to all services.
- Update to Bootstrap 2.2.1.
- Check and clamp budget values.
- Include bank account verification data in email in non-production mode.
- Make modals scrollable on webkit mobile devices.
- Make settings and dashboard look more consistent.
- Vendor registration requires an address to be set.
- Ensure that a purchase requires an address and account.
- Store asset provider and acquirer addresses in digital contract.
- Ensure key has not been revoked when verifying.
If you have been following along, you may have noticed we went from alpha to beta and back to alpha. We jumped the gun on “beta” and after some consideration of our release process and naming, we decided to stick with “alpha” for now.