SECURITY

This web site uses the Multibase ePay Payment Gateway, which processes online payments through the Camtech online payment service. Your credit card statement will show "Starlight Children's Foundation" or similar as the merchant.
The site forwards your transaction to the ePay payment gateway. The payment details are then forwarded by the ePay payment gateway via an encrypted link to the Camtech online payment system for processing. The Camtech payment gateway then interfaces with your nominated clearing bank to clear the transaction.

Link to the bank


The Camtech payment gateway accepts credit card details from the ePay Payment Gateway, converts them to the Australian Banking Standard 2805F (ISO 8583) and forwards them to the bank for processing.

The link to the banking network is a dedicated private connection that is inaccessible to Internet users. The Payment Gateway also uses enhanced security features such as digital envelopes and content keys (1024-bit RSA/IDEA).

Approval of the transaction


Once the transaction has been approved, an encrypted response consisting of the transaction details and bank authorisation code is sent back to the Camtech payment gateway, which logs the transaction and sends the result back to the ePay Payment Gateway. Secure Sockets Layer (SSL) is used to encrypt the details between your web browser and the ePay Payment Gateway.

The ePay gateway deciphers this message and forwards the transaction details to the web site for you to view. A receipt is also emailed to you to confirm a successful transaction.

This entire process is typically completed within 6 to 15 seconds, making it the fastest real time Internet payment processing service in Australia.

What security precautions are in place to protect against the loss, misuse or alteration of my personal information?


An online payment system is actually safer than traditional credit card handling, because there is no manual handling of credit card details. This site has security measures in place to protect against the loss, misuse and alteration of the information under our control.

We use Camtech's Merchant Server, which is designed to maximise confidentiality, integrity and authenticity of cardholder payment information. All information is encrypted using a combination of secret-key and public-key cryptography in such a way that only the ePay Payment Gateway and the Camtech Payment Gateway are able to read the message. Integrity is maintained by the use of digital signatures while authenticity is assured with digital certificates.

This web site secures the transmission of your information to the web server with 128-bit SSL or higher encryption, depending on your browser capability.

What is secret-key cryptography?


In secret-key cryptography the same key is used to encrypt and decrypt a message. It is called secret-key because the same key is shared by all communicating parties, who must keep the key a secret in order to maintain confidentiality. Our system uses DES as its secret-key encryption algorithm.

What is public-key cryptography?


In public-key cryptography, a pair of keys is used. One is kept secret (known as the private key) while the other can be freely published (known as the public key). The public and private keys are mathematically related so that data encrypted with one can only be decrypted by the other. This means that data encrypted with the public key can only be read by the owner of the private key, who keeps that private key a secret. Our system uses 1024-bit RSA as its public key encryption algorithm.

What is a digital signature?


A digital signature is a value computed from a message and the signer's private key. Since it uses the signer's private key, only the signer can generate this value. This makes it impossible for a rogue party to alter the message and generate the correct digital signature for it. The receiver of the digital signature can verify it using the signer's public key. If the digital signature cannot be verified then either the signature is fraudulent or the message has been altered. Our system uses SHA-1/RSA as its digital signature algorithm.

What is a digital certificate?


A digital certificate is a digital document that binds a public key to the identity of a particular entity. It allows a person to use the enclosed public key with the assurance that it belongs to the person identified in the certificate. Digital certificates are issued by a trusted third party known as a Certificate Authority (CA). The CA places its digital signature on the certificate so that a user of the certificate can be assured that the contents of the certificate are bound together and have not been modified. The CA will only issue a certificate to an entity that can provide sufficient identification and can demonstrate that the public key being included in the certificate is their public key. Camtech E-Commerce uses X.509 version 3 as its digital certificate format.

How does the security work in practice?


Step 1: Before a message is sent, a digital signature of the message is generated by the sender.

Step 2: The message, digital signature and sender's certificate are combined and encrypted with a randomly generated secret-key to form the encrypted message.

Step 3: The secret-key is then encrypted using the public key of the Camtech Payment Gateway to form what is known as a digital envelope. The encrypted message and the digital envelope are then sent to the payment gateway.

Step 4: The payment gateway decrypts the digital envelope using its private key to recover the secret-key, and then decrypts the encrypted message.

Step 5: The payment gateway verifies the integrity and authenticity of the message by verifying the enclosed digital signature and digital certificate.

Step 6: The payment gateway generates an Australian Banking Standard AS2805F (ISO8583) message which is forwarded to the bank for processing in real time.
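
Steps 1 to 5 above, as an added Node.js example that is not code from this site or from Camtech: it uses AES-256-GCM, RSA-OAEP and RSA with SHA-256 in place of the DES, 1024-bit RSA and SHA-1/RSA named on this page, and a pinned public key stands in for the X.509 certificate. The key pairs, function names and sample message are assumptions constructed for the example.

```javascript
const crypto = require('crypto');

// Constructed key pairs: the merchant signs, the gateway owns the envelope key.
const newKeys = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const merchant = newKeys();
const gateway = newKeys();
const pem = (key) => key.export({ type: 'spki', format: 'pem' });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 1-3: sign, encrypt under a fresh content key, wrap that key for the gateway.
function seal(message, sender, recipientPublicKey) {
  const signature = crypto.sign('sha256', Buffer.from(message), sender.privateKey);
  // Assumption: the sender's public key PEM stands in for the X.509 certificate.
  const bundle = JSON.stringify({
    message, signature: signature.toString('base64'), cert: pem(sender.publicKey) });
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(bundle, 'utf8'), cipher.final()]);
  const envelope = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, contentKey);
  return { envelope, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Steps 4-5: unwrap the content key, decrypt, then check certificate and signature.
function unseal(sealed, recipientPrivateKey, trustedPems) {
  const contentKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, sealed.envelope);
  const decipher = crypto.createDecipheriv('aes-256-gcm', contentKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const plain = Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]);
  const bundle = JSON.parse(plain.toString('utf8'));
  // Stand-in for certificate path validation: accept only keys already trusted.
  if (!trustedPems.includes(bundle.cert)) throw new Error('untrusted sender');
  const ok = crypto.verify('sha256', Buffer.from(bundle.message),
    crypto.createPublicKey(bundle.cert), Buffer.from(bundle.signature, 'base64'));
  if (!ok) throw new Error('signature check failed');
  return bundle.message;
}

// Constructed sample message; no real payment data.
const sample = 'order TEST-0001 amount 50.00 AUD';
const sealed = seal(sample, merchant, gateway.publicKey);
console.log(unseal(sealed, gateway.privateKey, [pem(merchant.publicKey)]));
```

Because the signature and certificate travel inside the encrypted message, the gateway can only check them after it has opened the digital envelope, which is why step 4 comes before step 5.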

Definition of terms used


IP address: When you are connected to the Internet, your computer has a unique Internet ID called an IP (Internet Protocol) address. Most people who connect through a dial-up or broadband service get a different IP address each time they log on. You may have a permanently assigned IP address, called a static IP address. It is difficult or impossible for a web site to collect personal information about you (e.g. your name or email address) from your IP address alone, though a static IP address makes this easier.

SSL encryption: SSL (Secure Sockets Layer) is a method by which information transmitted across the Internet is scrambled to the point where it's virtually indecipherable by anyone who might intercept the data before it reaches its destination. Almost all reputable online stores make use of SSL encryption to request credit card information and other sensitive data from their customers. Web pages where SSL encryption is activated are typically identified by a lock or key symbol displayed somewhere in your browser. Refer to your browser's documentation for the specific symbol and location.

IT Fund For Kids

Connecting Australia's Children in Need