Using Electronic Cash Register interface to communicate with credit card terminal - communication

Does anyone know where I can find any kind of technical documentation on the Electronic Cash Register interface (ECRi)?
It's supposed to be a standard for semi-integrated scenarios, where an external application (POS) communicates with a credit card terminal using relatively simple commands (like "start a sale for $100"), without having access to any sensitive credit card details (thus no need for PCI certification).
The VeriFone Vx820 Duet is one of the terminals that implements this standard.
I assume communication is performed over TCP/IP, but I can't find anything more.
Is this really a standard, or just a common name for this kind of integration?
Are terminal vendors responsible for this kind of API, or is it rather some application that exposes this functionality and is uploaded to the terminal by a specific merchant/bank?

There are a lot of standards for ECR-EFT integrations, but there is no single protocol guaranteed to be implemented on both the POS terminal and the ECR side.
Generally, the recognized standards are:
Polish FROB protocol - the one you're probably asking about is the new Polish standard by Fundacja Rozwoju Obrotu Bezgotówkowego, which is supposed to become part of ECR fiscal certification. You can register for free at the website and access the repository with code snippets, simulators and specifications. Kindly note that work on the specs is still in progress, so they may be subject to change. There were also minor bugs in the simulator implementations at the time we were working on our own integration project; maybe something has changed since then.
Nexo - the European approach to ECR-EFT unification
OPI - Open Payment Initiative
ZVT - German standard, far exceeding the scope of current integrations
On the Polish market there are a lot of semi-semi-standards, as many ECR manufacturers implement each other's proprietary protocols. There are options to implement only a few of them and still gain significant market coverage, but for that you'll have to do your own research and check against customer needs.
Let me know if you have questions regarding specific markets or usages.


Keycloak for IDM

First and foremost, this post doesn't have any intention to strike down any of the parties mentioned in my question.
In fact, I'm not sure whether I should ask this question in this forum or not, but after some thoughtful consideration I decided to just post it here out of curiosity.
Shortly speaking, I'm working on an IAM platform for one of my customers. I've prepared it using Keycloak within a day, which also covers a custom provider to connect with their legacy internal user database.
But I got a pretty shocking statement from my customer: they don't trust Keycloak since it's free and open source. They only trust commercial products, and they suggested I go with either ForgeRock or Okta.
I have my own way to answer that statement, but I would also like to hear some feedback from the experts here with regard to that matter. Thanks in advance.
Maybe the customer's concern is that there is no commercial support for Keycloak. It's a very practical concern, e.g. if you are not available at some future time and all apps are broken when something strange happens after upgrading the Authorization Server.
Of course on the technical side of things, keep code portable by implementing standards-based solutions, so that you can switch providers. Avoid stuff like Keycloak Adapters if they are vendor-specific.
DEPLOYMENT
As a containerized solution, Keycloak's deployment model supports multi-cloud and means you can run in any cloud provider.
Then again, the Platform as a Service model of some providers is often attractive - no infrastructure to manage and the hope of high availability. With some PaaS providers the trade-off may be that there is less control over behaviour.
WHAT ARE THE REAL REQUIREMENTS?
Commercial support
Guidance on app scenarios
High Availability
Ease of management
Extensibility
Portability
Different customers have different viewpoints and there is no right answer. The usual thing that software architects do is understand their audience, make recommendations, but let the customer decide - they are the boss after all.
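The "standards-based, no vendor adapter" advice above can be made concrete. The following is an added example, not code from the question or the answer: an OIDC ID token check that relies only on the standard JWT/OIDC Core claims (iss, aud, exp) and an RS256 signature against a key looked up by kid. Nothing in it is Keycloak-, ForgeRock- or Okta-specific; moving to another provider means changing the issuer URL and the key set, which a real deployment fetches from the issuer's `/.well-known/openid-configuration` document and its `jwks_uri`. The issuer, audience, key ID and RSA key are all constructed here for the demo.

```ruby
require "json"
require "openssl"

# Base64url per RFC 7515 (no padding), built on pack/unpack so no gem is needed.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)
  padded.unpack1("m0")
end

# What the identity provider does: sign header.payload with its private key.
def sign_rs256(claims, private_key, kid:)
  header = { "alg" => "RS256", "typ" => "JWT", "kid" => kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# What the application does. keys_by_kid maps the provider's key IDs to public
# keys (in production: parsed from jwks_uri); issuer and audience come from the
# app's own configuration, never from the token itself.
def verify_id_token(token, keys_by_kid:, issuer:, audience:, now: Time.now.to_i)
  parts = token.split(".")
  raise "malformed token" unless parts.length == 3
  h64, p64, s64 = parts

  header = JSON.parse(b64url_decode(h64))
  # Pin the algorithm before touching the signature; never accept alg=none.
  raise "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
  key = keys_by_kid.fetch(header["kid"]) { raise "unknown kid #{header['kid'].inspect}" }

  signature_ok = key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s64), "#{h64}.#{p64}")
  raise "bad signature" unless signature_ok

  claims = JSON.parse(b64url_decode(p64))
  raise "wrong issuer" unless claims["iss"] == issuer
  raise "wrong audience" unless Array(claims["aud"]).include?(audience)   # aud may be a list
  raise "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
end

# Constructed demo data: a throwaway RSA key standing in for the provider's
# signing key, plus hypothetical issuer and audience values.
DEMO_ISSUER   = "https://idp.example.com/realms/demo"
DEMO_AUDIENCE = "my-app"

def build_demo(now: 1_700_000_000)
  private_key = OpenSSL::PKey::RSA.new(2048)
  claims = { "iss" => DEMO_ISSUER, "aud" => DEMO_AUDIENCE, "sub" => "alice",
             "iat" => now, "exp" => now + 300 }
  token = sign_rs256(claims, private_key, kid: "key-1")
  { token: token, keys: { "key-1" => private_key.public_key }, now: now }
end
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged payload or an `alg: none` header is rejected without the claims ever influencing control flow.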

How can I make sure that my Ruby code is encrypted and invisible?

My product needs to be deployed and installed on the client's server. How can I make sure that my Ruby code is encrypted and invisible?
You can't. In order to execute the code, the CPU needs to understand the code. CPUs are much stupider than humans, so if the CPU can understand the code, then so can a human.
There are only two possibilities:
Don't give your client the code (the "Google" model). Instead, give them a service that runs your code under your control.
Give your client a sealed box (the "Xbox" model). Give your client the code, pre-installed on a hardened, tamper-proof, secure computer under your control, running hardened, tamper-proof, secure firmware under your control, and a hardened, tamper-proof, secure OS under your control. Note that this is non-trivial: Microsoft employed some of the most brilliant hardware security, information security, and cryptography experts on the planet, and they still made a mistake that made the Xbox easy to crack.
Unfortunately, you have excluded both those possibilities, so the answer is: you can't.
Note, however, that copying your code is illegal. So, if you don't do business with criminals, then it may not even be necessary to protect your code.
Here are some examples of how other companies solve this problem:
Have a good relationship with your clients. People are less likely to steal from friends they like than from strangers they don't know, or people they actively dislike.
Make the product so good that clients want to pay.
Make the product so cheap that clients have no incentive to copy the code.
Offer additional values that you cannot get by copying the code, e.g. support, services, maintenance, training, customization, and consulting.
Especially in the corporate world, clients often prefer to pay, simply for having someone to sue in case something goes wrong. (You can see this as a special case of the last point.)
Note that copy protection schemes are not free. You at least have to integrate it into your product, which takes developer time and resources. And this assumes that the protection scheme itself is gratis, which is typically not the case. These are either pretty expensive, or you have to develop your own (which is also pretty expensive because experienced cryptographers and infosec specialists are not cheap, and cheap cryptographers and infosec specialists will not be able to create a secure system.)
This in turn increases the price of your product, which makes it more likely that someone can't afford it and will copy it.
Also, I have never seen a copy protection scheme that works. There's always something wrong with them. The hardware dongle is only available with an interface the client doesn't have. (For example, when computers stopped having serial and parallel ports in favor of USB, a lot of copy protection schemes still required serial or parallel ports and didn't work with USB-to-serial or USB-to-parallel adapters.) Or, the client uses a VM, so there is no hardware to plug the dongle into. Or, the copy protection scheme requires Internet access, but that is not available. Or, the driver of the dongle crashes the client's machine. Or, the license key contains characters that can't easily be typed on the client's keyboard. Or, the copy protection scheme has a bug that doesn't allow non-ASCII characters, but you are using the client's name as part of the key. Or, the manufacturer of the copy protection scheme changes the format of the dongle to an incompatible one without telling you, and without changing the type number, or the color and physical form of the dongle, so you don't notice.
Note that none of this is hypothetical: all of these have happened to me as a user. Several of these happened at vendors I know.
This means that there will be a significant amount of resources needed in your support department to deal with those problems, which increases the cost of your product even further. It also decreases client satisfaction when they have problems with your product. (Again, I know some companies that use copy protection and get a significant number of support tickets because of it.)
There are industries where it is quite common that people buy the product but then use a cracked version anyway, because the copy protection schemes are so bad that the risk of losing your data to a cracked version from an untrusted source is lower than the risk of losing your data to the badly implemented copy protection scheme.
There is a company that is very successful and very loved by its users, that does not use any copy protection in a market where everybody uses copy protection. This is how they do it:
Because they don't have to invest development resources into copy protection, their products are at least as good as their competition's for less development effort.
Because they don't have to invest development resources into copy protection, their products are cheaper than their competition's.
Because their products are not burdened with the overhead of copy protection, their products are more stable and more efficient than their competition's.
They have fair pricing, based on income levels in their target countries, meaning they charge lower prices in poorer countries. This makes it less likely that someone copies their product because they can't afford it.
A single license can be used on as many machines as you like, both Windows and macOS.
There is a no-questions-asked, full-refund return policy.
The lead-developer and the lead-designer personally respond to every single support issue, feature request, and enhancement suggestion.
Of course, they know full well that people abuse their return policy. They buy the product, use it for a project, then give it back. But, they have received messages from people saying "Hey, I copied your software and used it in a project. During this project, I realized how awesome your software is, here's your money, and here's something extra as an apology. Also, I showed it to my friends and colleagues, and they all bought a copy!"
Another example is switch manufacturers. Most of them have very strict license enforcement. However, one of them goes a different route: there is one version of the firmware, and it always has all features enabled. Nothing bad will happen if you use features that you haven't paid for. However, when you need support, they will compare your config to your account and then say "Hey, we noticed that you are using some features you haven't paid for. We are sure that this is an honest mistake on your part, so we will help you this once, but please don't forget to send us a purchase order as soon as possible, thanks!"
Guess which manufacturer I prefer to work with, and prefer to recommend?
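The "the CPU has to understand it, so a human can too" argument can be shown in Ruby itself. The following is an added example, not code from the question or the answer: a vendor "protects" its source by shipping it AES-encrypted with a loader that decrypts and `eval`s it at startup, and the client recovers the plaintext without touching the cipher at all, simply by asking the interpreter for every string it compiles (Ruby's `TracePoint` `:script_compiled` event, available since Ruby 2.6). The key, the cipher choice and the "secret" product code are all constructed for the demo.

```ruby
require "openssl"

# Constructed: the loader has to carry the key, or it could not run the code.
KEY = OpenSSL::Digest.digest("SHA256", "demo-key-embedded-in-the-loader")

# What the vendor's build step does: AES-256-CBC with a random IV prepended.
def protect(source)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = KEY
  iv = cipher.random_iv
  iv + cipher.update(source) + cipher.final
end

# What the shipped loader does at startup: decrypt, then hand the plaintext to
# the interpreter. This is the step no obfuscation can avoid.
def run_protected(blob)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = KEY
  cipher.iv  = blob[0, 16]
  plaintext = (cipher.update(blob[16..]) + cipher.final).force_encoding("UTF-8")
  eval(plaintext)
end

# The "secret" product code (constructed for the demo).
SECRET_SOURCE = <<~RUBY
  def license_ok?(key)
    key == "ACME-1234"
  end
RUBY

# What the client does: run the loader under a hook that records the source of
# every eval'd script. No key extraction or cipher analysis is needed; the
# runtime hands over the plaintext because it must have it to execute it.
def recover_source(blob)
  captured = []
  hook = TracePoint.new(:script_compiled) { |tp| captured << tp.eval_script }
  hook.enable { run_protected(blob) }
  captured
end

if $PROGRAM_NAME == __FILE__
  blob = protect(SECRET_SOURCE)
  puts "shipped #{blob.bytesize} bytes of ciphertext; recovered:"
  puts recover_source(blob)
end
```

The same holds for bytecode compilation, native extensions or a custom interpreter: whatever the vendor ships, the machine the client controls has to turn it into instructions it understands, and the client can observe that step. Stronger ciphers only move the key around; they cannot remove it from the client's machine.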

Processes implemented inside the DMS system?

The traditional categorization of processes talks about integration, human-centric and document-centric processes, with the last one being a good candidate for placing inside the DMS system (of course, the prerequisite is that there is built-in support for BPM).
But I was unable to find a concrete, more detailed explanation of the distinction between those options.
Imagine a company that has an Enterprise BPM solution and also a DMS system with quite good support for BPM (e.g. FileNet DMS).
In both systems you can create user screens as well as workflows (process logic).
Also, most processes working with documents are also quite "human-centric".
I am perfectly aware of the fact that choosing the target platform always depends on the requirements and specific circumstances, but I wonder if there are some general rules or principles based on which I can better decide where to put the process layer of the whole solution.
Additional clarification:
I don't want to implement any new platform. As I indicated a little in the previous post, we already have a BPM platform (Oracle) and a DMS as well (FileNet with BPM support - Case Foundation). So the question is not about choosing a new platform, but more about setting the rules for using the existing products/platforms. There are a lot of new projects in the queue, and for some of them (those that touch the area of working with documents) we need to decide the target platform(s). For example, when you have a simple process with a few steps, and in all steps there is some work with an existing document (the document, or at least its original version, is also input to this process), and the requirements on the front-end are not very complicated, etc., it would be simpler to build the whole solution on the FileNet platform (mostly because of the cost). But I am wondering if there are some similar rules, like "you should think about this or that when you want to use only the DMS platform, or both platforms", etc. You can call these rules principles for development, reference architectures or something like that: something that guides you when designing the target architecture(s).
Thank you
I'm reposting the answer because I don't see a reason for the deletion (by #Bohemian).
I think it adds value to anyone asking the same question. #Bohemian could have at least specified why he deleted the post.
Here it goes:
You gave us a rather small amount of information. And what exactly is the question? What do you mean by "where to put the process layer"?
You shouldn't constrain yourself to only those DM systems that claim to have BPM built in. That's marketing speak behind which often lie two half-baked products. You should instead ask which standards-based integration points the system has, so you can integrate effortlessly. And then invest in best-of-breed DM and best-of-breed BPM separately. All-in-one solutions are often too closed and difficult to extend, and above all, they bring free vendor lock-in with them.
What are your business requirements, i.e. what do you have to do? Implement BPM inside an organization that already has DM or not? Do you have some BPM platform already? Do you have any constraints/requirements when choosing either of those (vendor, technology foundation, Gartner quadrant...)?
What are the options you're considering for DM and which options are you evaluating (if any) as a BPM platform? Have you already settled on IBM or can you go elsewhere? Is open source an option?
What is your role/responsibility in this project?
EDIT - after the author's clarifications:
I have not worked with Oracle's BPM, but I can tell you that, although Case Foundation is more suited to Case Management, you can develop a complete Process Management solution with it (workflows, tasks, roles, deadlines, in-baskets, etc.).
If you go that path and later come across the business need to allow business users to define their own case templates, take a look at IBM Case Manager, as it builds on top of Case Foundation but also brings additional web UI features (built on IBM Content Navigator) suitable for business users (although, more often than not, it turns out that IT does that job).
A few IBM redbooks about Case & Content management that might help you make an informed decision:
Introducing IBM FileNet Business Process Manager - this is the former name of Case Foundation; the same product, new version.
Advanced Case Management with IBM Case Manager
Customizing and Extending IBM Content Navigator - you'll need this one for customizations, if you decide to go with CF (instead of Oracle).
Building IBM Enterprise Content Management Solutions From End to End - from ingestion to case/process management (contains Case Manager).
I agree with #Robert regarding integration; after all, before version 5.2, FileNet Content Platform Engine was FN Content Engine + FN Process Engine.
The word of advice I can give you is to first document all the features that the business requires from BPM. Then do due diligence on both products, noting which of those features each product supports. Then the answer, if not laid out in front of you, will at least be much easier.
You also have to take into account that IBM is oriented towards IBM BPM (formerly Lombardi) where process management is concerned. The former FN BPM is now pushed more towards Case Management (but those two are very similar paradigms).
You should definitely post back about your experience, whichever option you choose.
Good "luck" :)

Recurly vs SaaS Kit

From some reading and input from a couple of seasoned developers, it appears that I'm down to a choice between Recurly and RailsKits.com's SaaS Kit. I'm hoping to get some broader experiences from folks in the community here as to the pros and cons you may have run into.
I'd really like to be sure that I put together an apples-to-apples comparison here.
First, I'm offering a service that has two subscription levels of about $1 and $5 / month recurring. These may be paid either monthly, yearly or every three years (with discounts at the longer subscription terms). I obviously need to keep transaction costs as low as possible, but I need to maintain this and be sure that recurring billing is reliable and not problematic.
I'll be building this atop Rails 3.
The bag seems mixed: you seem to get a more robust admin feature set with Recurly, yet I may be able to save enough with SaaS Kit + (for example) https://merchant-apply.com/tesly to make it worth it.
I have reviewed Chargify vs Recurly and Recurly seems to be the winner for my particular model and so that's why I've kinda eliminated many other options at this point.
If you've faced this before, what has worked for you or do you have some practical input in this regard?
I work at Recurly, so I'll try to not make this a sales pitch :)
As I noted in the comments above, PCI compliance can be tricky, time-consuming, and expensive, so please check each product and see what is required for your business. You can see documentation on Recurly's PCI compliance requirements at http://docs.recurly.com/security/pci-compliance/. SaaS Kit reduces some elements of PCI compliance by storing the payment information with the gateway, but this means you cannot easily switch payment gateways - most gateways will not let you take your data with you. If you choose to use Authorize.net's CIM service with SaaS Kit, this will be an additional $20/month gateway fee for the credit card storage.
I also recommend you take a look at the API docs of each product. Depending on your integration complexity with Recurly, some merchants never need to work with the API (instead using hosted checkout pages and the admin virtual console inside Recurly), but other merchants will have a more complex billing scenario that involves use of the API. The docs for each product should give you a good idea of how easy they will be to work with.
I'd be happy to answer any questions you have as you continue to look!

Do Surgical Teams exist?

Has anybody been in, or seen, a kind of "Surgical Team" as described in The Mythical Man-Month? Have you heard of somebody actually implementing "Mills' Proposal"?
There is a lot of detail about the various roles in the book itself, but for those who haven't read the book, I found a website and a blog post which give a good summary. I've quoted the roles from the website below:
The Surgical Team
The surgeon is the chief programmer and the el-presidente of the whole team. He produces all the specifications, codes the entire system the team is responsible for, tests it, and drafts its supporting documentation.
The copilot is the surgeon's assistant. His main purpose is to share in the thinking about design issues - to serve as a sounding board, as it were. The copilot represents the team in meetings with other teams. He knows the code intimately, and serves as insurance in case of disaster to the surgeon.
The toolsmith supports the surgeon and builds specialized utilities and tools as may be required by his surgeon. Each team has its dedicated toolsmith in addition to any central services provided by the rest of the project infrastructure.
The tester is responsible for maintaining test cases for testing the surgeon's work as he writes it. He is both an adversary who devises test cases to measure against the formal specs and the one who devises test data to be used in debugging.
The language lawyer, who can serve several surgeons, is a widely consulted specialist who delights in the mastery of the intricacies of the programming languages and the operating systems upon which the software must perform.
The administrator handles money, people, space, and machines. The surgeon is the ultimate boss, with the last word on all these issues, but the day-to-day management of the issues and interfacing with the administrative machinery of the project is the role of a professional administrator. One administrator may serve more than one team.
The editor edits and revises the documentation as drafted or dictated by the surgeon and oversees the mechanics of its production.
The program clerk, trained as a secretary, is responsible for maintaining all the machine-readable and human-readable technical records generated by the team. All the filing and indexing is the responsibility of the program clerk.
The secretaries handle the project correspondence and non-project files.
We did use Brooks' surgical team approach at a startup we set up about 10 years ago. We were five people at the company plus a few others at the university lab supporting us. The experience was technically great, but it didn't last long for business reasons. :-)
