Patents by Inventor Malcolm Erik Pearson
Malcolm Erik Pearson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11429734
Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a request for a webpage from a web browser. The processor may send webpage code of the webpage to the web browser and the webpage may load a secure webpage for a sensitive data field that is separate from the webpage. A secure server may provide the secure webpage, which may correspond to an identifier that points to the secure server. By receiving the sensitive data into the sensitive data field of the secure webpage, the sensitive data may be protected from a script loaded in the webpage. In addition, the processor may receive the sensitive data from the secure server.
Type: Grant
Filed: July 22, 2019
Date of Patent: August 30, 2022
-
Patent number: 10997650
Abstract: Conversations between an intelligent, machine-based chat bot and a user of a website or an application support a computing paradigm called Conversation as a Platform (CaaP) to dynamically generate payment agreements that enable asynchronous actions to be performed for e-commerce transactions which the user may use to confirm the transaction, change the terms (e.g., payment method, ship-to address, shipping method, etc.), or cancel the transaction. Upon opt-in by the user to the payment agreement, a cloud-based wallet provider gives a payment credential URL (Uniform Resource Locator) to the chat bot provider that is called to receive an actual payment credential, and which may also be used for subsequent transactions.
Type: Grant
Filed: October 31, 2017
Date of Patent: May 4, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Matthias Bernard Pisut, IV, Malcolm Erik Pearson
-
Publication number: 20210026977
Abstract: According to examples, an apparatus may include a processor and a computer readable medium on which is stored machine readable instructions that may cause the processor to receive a request for a webpage from a web browser. The processor may send webpage code of the webpage to the web browser and the webpage may load a secure webpage for a sensitive data field that is separate from the webpage. A secure server may provide the secure webpage, which may correspond to an identifier that points to the secure server. By receiving the sensitive data into the sensitive data field of the secure webpage, the sensitive data may be protected from a script loaded in the webpage. In addition, the processor may receive the sensitive data from the secure server.
Type: Application
Filed: July 22, 2019
Publication date: January 28, 2021
-
Patent number: 10904003
Abstract: Described herein is a system and method for validating short authentication data by a server. Short authentication data associated with a particular user is received and a random number generated. The random number is stored by a client device. The short authentication data is committed by calculating a commitment value using the short authentication data, the generated random number and a secret value known only to the server. The server does not persistently store the short authentication data and/or the generated random number. The commitment value is utilized by the server in conjunction with a conjunction transaction to validate a presented short authentication data associated with a particular user and received random number. If a calculated value associated with the presented short authentication data equals the stored commitment value associated with the particular user, the computer transaction is allowed to occur. Otherwise, the computer transaction is blocked.
Type: Grant
Filed: April 21, 2018
Date of Patent: January 26, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tolga Acar, Malcolm Erik Pearson
-
Patent number: 10615971
Abstract: Techniques for implementing high integrity logs for distributed software services are provided. According to one set of embodiments, a key management service running on a key server can maintain a secret master key. The key management service can further generate, for each of a plurality of distributed software service instances, a service key that is unique to a current lifecycle of the software service instance, the generating being based on the master key; and transmit the service key to the software service instance, where the service key is used by the software service instance in creating a high integrity log.
Type: Grant
Filed: May 22, 2017
Date of Patent: April 7, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tolga Acar, Malcolm Erik Pearson
-
Publication number: 20190327091
Abstract: Described herein is a system and method for validating short authentication data by a server. Short authentication data associated with a particular user is received and a random number generated. The random number is stored by a client device. The short authentication data is committed by calculating a commitment value using the short authentication data, the generated random number and a secret value known only to the server. The server does not persistently store the short authentication data and/or the generated random number. The commitment value is utilized by the server in conjunction with a conjunction transaction to validate a presented short authentication data associated with a particular user and received random number. If a calculated value associated with the presented short authentication data equals the stored commitment value associated with the particular user, the computer transaction is allowed to occur. Otherwise, the computer transaction is blocked.
Type: Application
Filed: April 21, 2018
Publication date: October 24, 2019
Applicant: Microsoft Technology Licensing, LLC
Inventors: Tolga ACAR, Malcolm Erik PEARSON
-
Publication number: 20190130475
Abstract: Conversations between an intelligent, machine-based chat bot and a user of a website or an application support a computing paradigm called Conversation as a Platform (CaaP) to dynamically generate payment agreements that enable asynchronous actions to be performed for e-commerce transactions which the user may use to confirm the transaction, change the terms (e.g., payment method, ship-to address, shipping method, etc.), or cancel the transaction. Upon opt-in by the user to the payment agreement, a cloud-based wallet provider gives a payment credential URL (Uniform Resource Locator) to the chat bot provider that is called to receive an actual payment credential, and which may also be used for subsequent transactions.
Type: Application
Filed: October 31, 2017
Publication date: May 2, 2019
Inventors: Matthias Bernard Pisut, IV, Malcolm Erik Pearson
-
Publication number: 20190012669
Abstract: A first communication of a channel communication between a first party and a second party is received for a previous transaction in which the first party provided information for a payment instrument. The information for the payment instrument is stored with the information for the first communication of the channel communication of the previous transaction in storage. A current transaction between the first party and the second party using a second communication is detected. The information for the second communication is used to locate the information for the first communication for the previous transaction and the information for the payment instrument in the storage. The second communication and the first communication are evaluated to determine whether to authorize re-use of the information for the payment instrument for the current transaction. The information for the payment instrument is provided to the first party for use in the current transaction.
Type: Application
Filed: July 10, 2017
Publication date: January 10, 2019
Inventors: Malcolm Erik PEARSON, Tolga ACAR
-
Publication number: 20180373865
Abstract: Techniques for implementing call flow-based anomaly detection in a layered software system are provided. According to one set of embodiments, a service instance in the layered software system can receive an invocation message indicating invocation of an application programming interface (API) exposed by the service instance. The service instance can further create a log entry including information pertaining to the invocation of the API and a call flow tag, where the call flow tag includes an identifier of a call flow to which the invocation of the API belongs and an ordered series of one or more sub-identifiers indicating a position of the invocation within the call flow. The service instance can then write the log entry to a log store of the layered software system.
Type: Application
Filed: June 26, 2017
Publication date: December 27, 2018
Inventors: Tolga ACAR, Malcolm Erik PEARSON
-
Publication number: 20180337772
Abstract: Techniques for implementing high integrity logs for distributed software services are provided. According to one set of embodiments, a key management service running on a key server can maintain a secret master key. The key management service can further generate, for each of a plurality of distributed software service instances, a service key that is unique to a current lifecycle of the software service instance, the generating being based on the master key; and transmit the service key to the software service instance, where the service key is used by the software service instance in creating a high integrity log.
Type: Application
Filed: May 22, 2017
Publication date: November 22, 2018
Inventors: Tolga ACAR, Malcolm Erik PEARSON
-
Publication number: 20180218357
Abstract: A mechanism to export a payment instrument from a secured database to a user device based on a binding between the user device and an identifier associated with the owner of the payment instrument. A computing system performs the following: binds a device ID that is associated with a user device to a user ID that is associated with an owner of a payment instrument and records a representation of the binding in a secured database; generates an identifier that signifies that the user device that is associated with the device ID has been granted permission to export payment instrument information; returns the identifier to the user device; receives from the user device a payload that includes the identifier, the user ID, and the device ID; and exports an encrypted version of the payment instrument information to the user device.
Type: Application
Filed: June 1, 2017
Publication date: August 2, 2018
Inventors: Tolga Acar, Matthias Bernard Pisut, IV, Malcolm Erik Pearson
-
Publication number: 20180218363
Abstract: In an embodiment, a one-time use, cryptographically strong binding key is received from a user device that is outside the control of the computing system. Payment instrument information related to a payment instrument is received from the user device. An identifier for the binding key and an identifier for the payment instrument information is generated and the identifiers are returned to the user device. A payload including at least the identifiers for the binding key and the payment instrument information and a user identifier are received from the user device. The identifiers for the binding key and the payment instrument information are used to access the payment instrument information and the binding key. An association between the user identifier and the payment instrument information is stored in a secure database.
Type: Application
Filed: June 1, 2017
Publication date: August 2, 2018
Inventors: Tolga Acar, Matthias Bernard Pisut, IV, Malcolm Erik Pearson
-
Patent number: 8898078
Abstract: Scalable handling of billing events that affect one or more accounts. A computing system partitions received events into a number of channels, perhaps by account identifier. The channels receive the events, process the events, and forward the events to an aggregator to allow the events to be aggregated by account to allow for easier computation of a bill. The aggregator also performs de-duplication of events to help reduce the risk of double billing.
Type: Grant
Filed: May 21, 2010
Date of Patent: November 25, 2014
Assignee: Microsoft Corporation
Inventors: Malcolm Erik Pearson, Matthew Charles Setzer
-
Patent number: 8850041
Abstract: Embodiments disclosed herein extend to the use of administrative roles in a multi-tenant environment. The administrative roles define administrative tasks defining privileged operations that may be performed on the resources or data of a particular tenant. In some embodiments, the administrative tasks are a subset of administrative tasks. The administrative role also defines target objects which may be subjected to the administrative tasks. In some embodiments, the target objects are a subset of target objects. An administrator may associate a user or group of users of the particular tenant with a given administrative role. In this way, the user or group of users are delegated permission to perform the subset of administrative tasks on the subset of target objects without having to be given permission to perform all administrative tasks on all target objects.
Type: Grant
Filed: May 26, 2009
Date of Patent: September 30, 2014
Assignee: Microsoft Corporation
Inventors: Madan Appiah, Malcolm Erik Pearson, Daniel Kershaw
-
Patent number: 8843648
Abstract: Embodiments disclosed herein extend to the use of external access objects in a multi-tenant environment. First and second tenants contract for operations that users of the second tenant will perform in the first tenant. Identity criteria for the users are determined. These users are mapped to an external access object that represents the second tenant users when performing the operations in the first tenant. The external access object is also associated with the resources and/or data that the users of the second tenant will be allowed access to when performing the operations. The users of the second tenant provide a request for access to the resources and/or data to perform operations. Identity criteria are determined and the users are mapped to an external access object based on the identity criteria. It is determined if the user has permission to access the resources and/or data and perform the operations.
Type: Grant
Filed: May 26, 2009
Date of Patent: September 23, 2014
Assignee: Microsoft Corporation
Inventors: Madan R. Appiah, Malcolm Erik Pearson, Daniel Kershaw
-
Patent number: 8645415
Abstract: A computing system partitions received events into a number of channels by account identifier. The channels receive the events and perform de-duplication of the events. This de-duplication can be performed with a filter that is updated to reflect the receipt of any original event. The filter may be used to either determine that the event is not a duplicate of another, or to determine that the event cannot be ruled out as being a duplicate of another. In the latter case, further processing may be performed to definitively determine whether the event is truly a duplication, or in the alternative, the event may be immediately treated as a duplicate.
Type: Grant
Filed: January 28, 2013
Date of Patent: February 4, 2014
Assignee: Microsoft Corporation
Inventors: Malcolm Erik Pearson, Matthew Charles Setzer
-
Patent number: 8640201
Abstract: In a distributed electronic messaging system authorized information comprising metadata concerning a message is passed along from one mail server to another mail server. A receiving computer determines if the sending computer has the necessary authorizations to pass along the metadata. If so, the authorized information is passed along with the message body, enabling repetitious actions to be eliminated. If the sending computer is not authorized to pass along the metadata, the metadata is stripped off the message, changed or annotated.
Type: Grant
Filed: December 11, 2006
Date of Patent: January 28, 2014
Assignee: Microsoft Corporation
Inventors: Jeffrey B. Kay, Trevor W. Freeman, Malcolm Erik Pearson, Eric D. Tribble, Hao Zhang
-
Patent number: 8380736
Abstract: Scalable handling of billing events that affect one or more accounts. A computing system partitions received events into a number of channels, perhaps by account identifier. The channels receive the events, and perform de-duplication of the events. This de-duplication may be performed using a Bloom filter that is updated to reflect the receipt of any original event. The Bloom filter may be used to either determine that the event is not a duplicate of another, or to determine that the event cannot be ruled out as being a duplicate of another. In the latter case, further processing may be performed to definitively determine whether the event is truly a duplication, or in the alternative, the event may be immediately treated as a duplicate.
Type: Grant
Filed: May 21, 2010
Date of Patent: February 19, 2013
Assignee: Microsoft Corporation
Inventors: Malcolm Erik Pearson, Matthew Charles Setzer
-
Patent number: 8230032
Abstract: A workflow manager application transfers message data received from an originating device via a communication network to a target application for processing. A graphical user interface displays the received message data and allows the user to view and designate one or more target applications for processing the message data. The workflow manager application is responsive to user input to transfer message data to the designated one or more target applications for processing the message data. Alternatively, the workflow manager application analyzes received message data to identify one or more target applications, and transfers the message data to the identified one or more target applications for processing.
Type: Grant
Filed: April 5, 2011
Date of Patent: July 24, 2012
Assignee: Microsoft Corporation
Inventors: Malcolm Erik Pearson, Leon R. Warman
-
Patent number: 8161125
Abstract: A workflow manager application transfers message data received from an originating device via a communication network to a target application for processing. A graphical user interface displays the received message data and allows the user to view and designate one or more target applications for processing the message data. The workflow manager application is responsive to user input to transfer message data to the designated one or more target applications for processing the message data. Alternatively, the workflow manager application analyzes received message data to identify one or more target applications, and transfers the message data to the identified one or more target applications for processing.
Type: Grant
Filed: April 5, 2011
Date of Patent: April 17, 2012
Assignee: Microsoft Corporation
Inventors: Malcolm Erik Pearson, Leon R. Warman