Manual E-bill 499.41
When the bill recipient calls up the URL, a time stamp and hash value
(token) are attached in order to allow the bill recipient to access a bill detail
directly and without logging in again.
Token structure: Biller-specific password + current time stamp + bill amount
Hash algorithm used: SHA-1
The biller-specific password is agreed with the biller and then stored in
PostFinance in the biller’s master data. The time on the PostFinance server
is used to generate the time stamp (format yyyyMMddhhmmss).
Example of a URL with token attached:
https://www.yourcompany.ch/ebillpresentment/showbill.aspx?individualParams=abcd1234&timestamp=20050810143055&token=2d4b92e74b485ecc70291ad3e9324b442d4f5d51
The “timestamp” parameter must have the same value as the one in the
hash value.
The biller has forwarded the URL to PostFinance as follows:
https://www.yourcompany.ch/ebillpresentment/showbill.aspx?ts=20050810143055
When the bill recipient calls up the URL, the biller receives the hash value
on his platform and checks whether it matches the one he generated. If the
hash value is valid, access to the bill detail is made available for a period
defined by the biller. When the timeout occurs, the biller blocks access to
the bill detail. This ensures that the URL of the biller’s platform is never
visible on the bill recipient’s client.
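Added example (not part of the PostFinance manual): a biller-side check of the "timestamp" and "token" parameters described above, using a constant-time comparison and the biller-defined access period. The manual gives only the field order, SHA-1 and the time stamp format; the separator-free UTF-8 concatenation, the "499.41" amount format, the lowercase hex encoding, the 15-minute window, the 2-minute clock tolerance and the sample password are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumptions (the manual fixes only field order, SHA-1 and the time stamp
# format): no separator between fields, UTF-8 encoding, amount as "499.41",
# lowercase hex token, naive datetimes in the PostFinance server's time zone.
ACCESS_WINDOW = timedelta(minutes=15)  # hypothetical biller-defined period
CLOCK_SKEW = timedelta(minutes=2)      # hypothetical tolerance between servers


def make_token(password: str, timestamp: str, amount: str) -> str:
    """SHA-1 over password + time stamp + bill amount, hex-encoded."""
    return hashlib.sha1((password + timestamp + amount).encode("utf-8")).hexdigest()


def verify_request(password, timestamp, amount, token, now):
    """Check the timestamp/token pair from the URL; return (ok, reason)."""
    # strptime alone accepts short fields, so enforce the 14-digit form first.
    if len(timestamp) != 14 or not (timestamp.isascii() and timestamp.isdigit()):
        return False, "malformed timestamp"
    try:
        issued = datetime.strptime(timestamp, "%Y%m%d%H%M%S")
    except ValueError:
        return False, "malformed timestamp"
    expected = make_token(password, timestamp, amount)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not hmac.compare_digest(expected.encode(), token.lower().encode("utf-8")):
        return False, "token mismatch"
    age = now - issued
    if age < -CLOCK_SKEW or age > ACCESS_WINDOW:
        return False, "outside access window"
    return True, "ok"


if __name__ == "__main__":
    pw, ts, amt = "demo-password", "20050810143055", "499.41"  # constructed sample
    tok = make_token(pw, ts, amt)
    print(verify_request(pw, ts, amt, tok, datetime(2005, 8, 10, 14, 35)))
    print(verify_request(pw, ts, amt, tok, datetime(2005, 8, 10, 15, 30)))
    print(verify_request(pw, "20050810143056", amt, tok, datetime(2005, 8, 10, 14, 35)))
```

Because the time stamp is part of the hashed input, changing the "timestamp" parameter in the URL to extend the window produces a token mismatch rather than a fresh access period.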
Hyperlinks may only lead to the biller’s page and the bill details may not
contain any active elements, e.g. JavaScript, ActiveX, etc. The biller is also
obliged to have adequate security measures against unauthorized attacks
from the Internet in place for its own services (authentication).
4.3.3 Combination of both options with and without the bill presentment module
Billers can choose to deliver the bill details both as a PDF and via
a URL indicating the bill details. In this case, the bill details are presented
as follows:
• Via e-finance the bill details are called up on the biller’s platform using
the URL supplied.
• Via data transmission the bill details are always made available to the
bill recipients as a PDF.
Manual E-bill Version October 2010 19/64