PROTX Form and 3d-secure

[♥radders]

The updated module covering 3D-Secure and Authenticate and Authorise is now complete and tested to the Protx simulator.

I look forward to seeing something in the contributions section soon.

Edited May 20, 2007 by radders

[sponna]

I look forward to seeing something in the contributions section soon.

 

Unfortunately I had to pay to have the development done and tested - once I've covered the cost, I'm more than happy to make it a contrib. However, as I'm currently a fair bit out of pocket, I'm keen to break even. Seems reasonable?

[♥radders]

That sounds good to me! Protx Form is a great payment option. I didn't know you were having to contract out the work on this one.

 

Did you ever discover if there was a problem with the current module's handling of International Maestro cards? I still can't see any obvious pattern to the occasional failure. My working hypothesis is that some people abandon the purchase when they are asked to provide a password and that this is across the board rather than on just one type of card.

[_Matt]

Unfortunately I had to pay to have the development done and tested - once I've covered the cost, I'm more than happy to make it a contrib. However, as I'm currently a fair bit out of pocket, I'm keen to break even. Seems reasonable?

Sounds entirely fair and I may take you up on it closer to the time, but you are rather relying on those that pay for it not turning round and posting it as a contribution themselves.

[sponna]

Hi,

 

Good point but I would have to make it a condition of sale up to the point that I break even on the development. After this I will make it available. To date I have one potential taker but then Protx are not quite ready at their end yet :(

[WS Evolution]

Does anyone have Protx Form working for International Maestro transactions with 3D secure turned on using the latest module?

 

Do most people believe that the latest version of the Form payment module will work for all transactions after switching to 3D secure?

 

Will protx continue to support the DIFFERED method?

 

If the 2.22 protocol in the module is correctly implemented no other changes are needed. According to Protx if you are using VSP Form protocol 2.22 no other action is needed, so as the latest OSC module uses 2.22 then it should work fine???

[GemRock]

As far as I remember, the 3d scheme is simply an online version of the chip&pin currently used across the UK. As far as protx is concerned, the 3d secure feature can be turned on or off (default) in your protx account admin panel, and has little to do with the protx payment module for osc as the module has already been using protocol 2.22, e.g, v1.09. So, basically, it is a matter of settings on the protx (admin) end, ie, on/off, and some rules.

For low value orders, it is inconvenient for customers to having to enter a 'pin' because they would have to register with their issuing bank first and then remember it. I personally obtained this online 'pin' years ago for my mastercard but never got a chance to use it because few merchant at that time actually use this 'verified by mastercard' (3d as it is now called) thing. Later when I did occasionally come across shops that had this scheme in place I simply changed to another visa card which did not ask for an online pin, as I already forgot my mastercard online pin.

For high value orders, it may be to your advantage to have this 3d in place because if anything goes wrong you wont get chargeback from the bank.

Btw, you can always have a go on protx test server to see how it works.

 

Ken

Edited June 21, 2007 by GemRock

[WS Evolution]

As far as I remember, the 3d scheme is simply an online version of the chip&pin currently used across the UK. As far as protx is concerned, the 3d secure feature can be turned on or off (default) in your protx account admin panel, and has little to do with the protx payment module for osc as the module has already been using protocol 2.22, e.g, v1.09. So, basically, it is a matter of settings on the protx (admin) end, ie, on/off, and some rules.

For low value orders, it is inconvenient for customers to having to enter a 'pin' because they would have to register with their issuing bank first and then remember it. I personally obtained this online 'pin' years ago for my mastercard but never got a chance to use it because few merchant at that time actually use this 'verified by mastercard' (3d as it is now called) thing. Later when I did occasionally come across shops that had this scheme in place I simply changed to another visa card which did not ask for an online pin, as I already forgot my mastercard online pin.

For high value orders, it may be to your advantage to have this 3d in place because if anything goes wrong you wont get chargeback from the bank.

Btw, you can always have a go on protx test server to see how it works.

 

Ken

 

I was under the impression that streamline where forcing the use of 3D for International Maestro transactions? Its that not correct. Further more they will be implementing 3D secure for all Maestro transaction in the near future.

[GemRock]

I happened to install a protx form payment module for a shop about 10 days ago and the shop uses a merchant account from streamline/natwest. from the info received there was no mentioning of 3d requirements and I know it for sure the 3d feature on protx server has not been turned on (because I did not set it on). another shop, which is with worldpay, did receive an email from worldpay but it was regarding the removal of switch logo from all pages and replacing it with the maetros logo by the end of June. Strangley though the switch logo can still be displayed on worldpay (server) pages until further notice.

 

Ken

[WS Evolution]

I happened to install a protx form payment module for a shop about 10 days ago and the shop uses a merchant account from streamline/natwest. from the info received there was no mentioning of 3d requirements and I know it for sure the 3d feature on protx server has not been turned on (because I did not set it on). another shop, which is with worldpay, did receive an email from worldpay but it was regarding the removal of switch logo from all pages and replacing it with the maetros logo by the end of June. Strangley though the switch logo can still be displayed on worldpay (server) pages until further notice.

 

Ken

 

Protx support are still saying that you require 3D secure to process International Maestro as of next month and their news letter hints of making it requirement for all Maestro in the future.

 

"As I understand the literature from Protx, we MUST implement 3D secure to continue to take Maestro after June"

 

"It's up to you - you have to be capable of 3D secure transactions but you do not have to activate the 3D secure facility. You will find as a result that it's impossible to process International Maestro cards without 3D secure and you will also be leaving yourself open to higher levels of fraud but these are all decisions you need to make."

Protx Support Team

 

however some cards, for example International Maestro, rely on 3D secure as part of the authorisation (or at least they will do shortly) and the implication of this is that you will not be able to take International Maestro cards

Protx Support Team

 

There are a number of changes being planned to the Verified by Visa and MasterCard SecureCode (collectively known as 3D Secure) systems over the next two years. On the 7th June 2007, the UK Switch card will become Maestro, and Switch will be discontinued. This means that you will no longer be able to display the Switch logo on your website. Protx Quarterly Newsletter - May 2007

 

Also, MasterCard have issued a rule which states that all International Maestro cards MUST have a full 3D Secure Authentication in order for the transaction to be authorised. This means that if you are not 3D Secure enabled you cannot accept International Maestro cards through your e-commerce account. We therefore strongly recommend that you set up 3D Secure on your account

Protx Quarterly Newsletter - May 2007

[WS Evolution]

I have changed PREAUTH to 'DEFERRED', but I am sure you can change it to 'AUTHENTICATE'

 

 

  if (MODULE_PAYMENT_PROTX_FORM_PREAUTH == 'true') {
	$transaction_type = 'DEFERRED';
} else {
	$transaction_type = 'PAYMENT';
}

 

 if (MODULE_PAYMENT_PROTX_FORM_PREAUTH == 'true') {
	$transaction_type = 'AUTHENTICATE';
} else {
	$transaction_type = 'PAYMENT';
}

 

[/code]

 

 

Also I have added control of 3D secure by adding:

 

$plain .= "Apply3DSecure=0" . "&";

 

to line 147 . A list of options for Apply3DSecure can be found in the Integration Guidelines:

 

0 = If 3D-Secure checks are possible and rules allow, perform the checks and apply the authorisation rules. (default)

1 = Force 3D-Secure checks for this transaction if possible and apply rules for authorisation.

2 = Do not perform 3D-Secure checks for this transaction and always authorise.

3 = Force 3D-Secure checks for this transaction if possible but ALWAYS obtain an auth code, irrespective of rule base.

 

 

I have not tested the changes yet.

Edited June 21, 2007 by WS Evolution

[gizm0man]

I have changed PREAUTH to 'DEFERRED', but I am sure you can change it to 'AUTHENTICATE'

  if (MODULE_PAYMENT_PROTX_FORM_PREAUTH == 'true') {
	$transaction_type = 'DEFERRED';
} else {
	$transaction_type = 'PAYMENT';
}

 

 if (MODULE_PAYMENT_PROTX_FORM_PREAUTH == 'true') {
	$transaction_type = 'AUTHENTICATE';
} else {
	$transaction_type = 'PAYMENT';
}

 

[/code]

Also I have added control of 3D secure by adding:

 

$plain .= "Apply3DSecure=0" . "&";

 

to line 147 . A list of options for Apply3DSecure can be found in the Integration Guidelines:

I have not tested the changes yet.

 

 

 

The existing module is capable of handling 3 d secure without any changes.

 

You are also correct in chnaging the hidden TxType field to 'AUTHENTICATE' to start using their new service AUTHENTICATE and AUTHORISE

But please note this system only goes live on 1st of August, so don't make any changes now unless you want to test it with the live server.

 

$plain .= "Apply3DSecure=0" . "&";

 

Rgarding the above code it is only an option. If you set up the 3d secure rule in the admin part of protx (which is much easier to do)

you won't need it.

 

Some one mentioned about redid the protx module to work with the ver 2.22 protocol, and also to work with 3d secure. I am not sure why??. The existing one is more than capable of doing the job.

 

IF it is a question of Authenticate and Authorise, it is just a matter of changing one TXType field to "AUTHENTICATE" from DEFERRED or PREAUTH (depends what you are using at the moment)

 

Hope it helps.

[GemRock]

Protx support are still saying that you require 3D secure to process International Maestro as of next month and their news letter hints of making it requirement for all Maestro in the future...

 

IMO, the maetros 3d secure thing is not very much a big deal. After all who would use a debit card to pay for online shopping? We all know if you use a debit card then the whole responsibility would fall on to you yourself, meaning if something goes wrong it'd be a matter between you & the seller, the bank would not be insterested nor liable to help you unless stated otherwise. On the other hand, if use a credit card then the card issuer would have a third party liability to help to sort out things, ie, the shopper would not be alone fighting. Yes it would be very odd indeed if someone from another country uses a debit card such as maetros to buy something online, s/he would be careless to say the least. I guess this is what behind the banks decision for the 3d secure for maetros as they don't believe or cant think of anyone would choose to use a debit and not credit card to buy online internationally, I am certainly not saying those who do may have a mental problem, though.

Ken

[WS Evolution]

IMO, the maetros 3d secure thing is not very much a big deal. After all who would use a debit card to pay for online shopping? We all know if you use a debit card then the whole responsibility would fall on to you yourself, meaning if something goes wrong it'd be a matter between you & the seller, the bank would not be insterested nor liable to help you unless stated otherwise. On the other hand, if use a credit card then the card issuer would have a third party liability to help to sort out things, ie, the shopper would not be alone fighting. Yes it would be very odd indeed if someone from another country uses a debit card such as maetros to buy something online, s/he would be careless to say the least. I guess this is what behind the banks decision for the 3d secure for maetros as they don't believe or cant think of anyone would choose to use a debit and not credit card to buy online internationally, I am certainly not saying those who do may have a mental problem, though.

Ken

 

 

I fully agree, but the reality its that some customers do use maetro online, so I would not want to loose those customers.

 

Give it a year or two and I would guess that online chip and pin will be standard. Surely customers will insist on having better online security. Once many shops have the chip and pin option its in the customers interest to use it and in the near future choose a shop that offers chip and pin over one that does not. More people will use it if the perceive it to be safe or safer.

 

After reading the protx docs and looking at the code the latest module is sufficient for 3D secure transaction. Like gizm0man agreed Changing the hidden TxType field to 'AUTHENTICATE' to start using their new service AUTHENTICATE and AUTHORISE are the only changes needed and only if you use the old pre authenticate option.

Edited June 22, 2007 by WS Evolution

[sponna]

Ref. the reason for updating the module, the changes were made to incorporate 3D-Secure and Authenticate and Authorise. All options are switchable from admin i.e. no changes needed for the 3D-Secure options or payment type within the code itself.

 

Thanks

[GemRock]

...Surely customers will insist on having better online security...

 

Remember though the chip&pin, be it off-line or on-line, is more to do with protecting the banks themseves rather than card holders. By using chip&pin, the responsibility is shift ed tothe card holder. I remember seeing a national TV program showing it is possible to 'cream' the chip&pin! What I do like chip&pin is that i dont have to sign everytime i use my cards.

just my two pence.

Ken

[jpmad4it]

what a pain in the bum this is!!!!

 

Is there any way that you can turn off accepting payments from switch / maestro in the Protx Admin area, just in case there is no free solution/contribution by D-Day in August???

[Recidivist]

Having problems with the post-Maestro/switch changes.

 

Does anyone know if there's an easy way to view the string which Protx sends back after a successful payment transaction? decrypt_protx.php does this perfectly for the string being sent TO protx, but I need to see what they send back.

 

Many thanks

 

KB

[Floob]

Important Notice

New VSP Payment system launch 1st August 2007

 

Dear Sir/Madam,

 

New VSP Payment system launch 1st August 2007

At 6am UK time on Wednesday 1st August, the new version of the Protx VSP Payment system will be launched on the Live environment.

 

There are a number of important changes to the system that will affect EVERY Live account, so please set aside some time to read this e-mail before the 1st August.

 

The enhanced system has already been loaded onto the Test environment. Please test copies of your production environment against this platform if you have any concerns about the upgrade. We have kept the VSP Protocol versions consistent, so you will not need to change your code at all, unless you use PREAUTH (see below).

 

There will be a short system outage at 6am UK time on 1st August 2007 whilst the upgrade is carried out. We will give you more details in subsequent e-mails of the expected down time, but as with all Protx upgrades, the maximum outage will be 2 hours (we expect, however, to be able to release the upgrade in a considerably shorter time period). We begin at 6am because settlement files will already have been submitted and transaction volumes are at their lowest from 5 - 8am.

 

 

--------------------------------------------------------------------------------

 

AUTHENTICATE and AUTHORISE vs PREAUTH and REPEAT

PREAUTH will now be discontinued on 1st September 2007

Following considerable feedback from our Live merchants and online community, we have managed to obtain a 1 month extension for our PREAUTH model.

 

This means that whilst AUTHENTICATE and AUTHORISE will still be available from the 1st August in the Live environment, PREAUTH will not be discontinued until 1st September. The two solutions will co-exist during August, allowing you to parallel test your systems. Both transaction types are available now on the Test server.

 

You should use AUTHENTICATE and AUTHORISE if you wish to defer charging your customer for long periods of time (7 days or more), or if you do not know the exact price of the goods at the time of order. Use DEFERRED if you know the exact payment amounts and can fulfil orders in under a week.

 

Full details of the AUTHENTICATE and AUTHORISE protocols can be found in the Integration documents on the TechSupport web site download area

 

 

--------------------------------------------------------------------------------

 

New Payment Pages and 3D-Secure Inline for VSP Server and VSP Form

An additional page has been added to the VSP Server and Form payment process. When you redirect your customers across to Protx they will be presented with a page containing the credit and debit card logos for the cards you support. They will first select the card they wish to use, and then be asked for the card details (card number, expiry date, CV2 etc.) on a subsequent screen. This enables us to keep the card details screen as simple as possible and not display input boxes (such as issue number) which are not necessary for some cards.

 

On completion of the card details screen, the customer will be shown our new order confirmation screen. This will display the contents of your Basket field (if you've sent one to us) and order, address and card summary details as well as the option to go back to change the card they have chosen to use.

 

If you have 3D-Secure enabled on your account, the Issuing Bank verification screen will now appear inside a Protx window (using Inline Frames, as recommended by the card schemes). This gives a more consistent user experience and allows the customer a route to continue the transaction even if the Issuing Bank 3D-Secure screen is having problems.

 

The final Authorisation screen now displays a simple progress-bar style animation so that customers know that the system is working whilst Protx are talking to your acquiring bank. This replaces the rather dull "Authorising please wait." message that used to appear.

 

The new pages are fully multi-language compliant. They can detect the language settings in your customer's browser and display the payment pages in that language. Once we're happy with the pages in English, we'll start getting some translations done. If you have specific language support requests, please let us know.

 

We're adding some final changes to the screens over the next few days, but those you see on the Test server now will be very similar to those that we'll migrate to Live on 1st August. We will, of course, put all the changes on the Test server first.

 

 

--------------------------------------------------------------------------------

Custom Templates

Once we've finalised the payment pages, we'll release the custom template kit. The new custom templates are XSLT and CSS combinations with no custom Protx fields or non-standard tags. The beauty of this is that you can build and test the pages on your own machines and see exactly what they will look like before you send them to the support team to upload. This will save both you and our support guys, a huge amount of time.

 

To test the kits locally you'll need an XSLT renderer. We've spoken to the developer of the Kernow GUI system (which uses the freeware command line Java app called Saxon) and he's happy for us to ship that along with our custom templates, so all you'll need to do is install the Java run-time, and you'll be away.

 

The great news is that EVERY page can be customised, which means that error pages, customer and vendor e-mails, the 3D-Secure page, even the authorisation screen, can look exactly like your site.

 

You will need to know XSLT, however, and we can't help you there. Our support team will ONLY check your pages before uploading, but we CANNOT undertake your debugging for you. There are plenty of books available on the subject, and your web developers will definitely be able to help you. XSLT is pretty standard these days.

 

As mentioned in previous mail shots, we cannot convert your old templates into the new format because the two are so wildly different. We hope you agree it's worth the effort changing formats though. Not only are we now using approved open standards, but the flexibility offered by the new system provides a huge improvement over the old templates.

 

The kits will be available to download by the end of this week (w/c 16th July 2007). Check the techsupport download area for updates.

 

 

--------------------------------------------------------------------------------

Maestro and 3D-Secure

MasterCard International require that UK and International Maestro cards can ONLY be accepted on e-commerce accounts if 3D-Secure is enabled.

 

UK issued Maestro cards (formerly Switch cards) can proceed for Authorisation as long as an Authentication was attempted. International Maestro cards can ONLY be Authorised if a full 3D-Authentication was obtained.

 

The ruling states that from the 30th June 2007, no site that is not 3D-Secure enabled can accept Maestro cards.

 

Protx have been as flexible as we can with this ruling, allowing an extra month's grace whilst we're completing testing of the new system, but from 1st August when the new system goes live, if you do not have 3D-Secure enabled on your account, or if you override the 3D-Secure checks for a given transaction, then Maestro (both Domestic and International) will not display as payment options in VSP Form and VSP Server, and will be rejected by VSP Direct with a StatusDetail explaining that 3D-Secure must be on if you wish to accept Maestro.

 

If you have a MOTO account, you will still be able to accept Maestro cards through VSP Terminal or you own systems.

 

Continuous Authority accounts will still be able to process against non-authenticated Maestro cards first registered before 31st July 2007, but the first payments on any new Maestro cards must be 3D-Secured or Continuous Authority will not be honoured.

 

We set up all new merchants with 3D-Secure automatically and have bulk-registered all existing customers with the scheme. We strongly recommend you test your account with 3D-Secure prior to 1st August, so that any issues can be resolved before the Maestro change comes into effect.

 

 

--------------------------------------------------------------------------------

New Live Site Payment System URLs

The addresses to which you should send your transaction requests are different in the new system.

 

We will set up automatic forwarders from the old style URLs to the new when the system is uploaded to live, so if you are unable to make the changes prior to 1st August, your transactions will still be registered correctly with the new system.

 

We have forwarders in place in the live environment already, which forward the new style URLs to the old system, so you can change your addresses as soon as you are ready.

 

After the 1st August, using the URLs below will avoid the overhead of the extra internal forwarding POST and hence speed up your transaction processing. We recommend you change the URLs in your scripts at your earliest convenience.

 

The table below shows the old style URL and the equivalent new address at which to direct your scripts.

 

These URLs all begin with https://ukvps.protx.com

 

Submission URLs

Old URL New URL

/vps200/dotransaction.dll?service=VendorRegisterTx /vspgateway/service/vspserver-register.vsp

/vpsDirectAuth/PaymentGateway.asp

or

/vpsDirectAuth/PaymentGateway3D.asp /vspgateway/service/vspdirect-register.vsp

/vpsDirectAuth/CallBack3D.asp /vspgateway/service/direct3dcallback.vsp

/vps2Form/submit.asp

or

/VSPAdmin/submit.asp /vspgateway/service/vspform-register.vsp

 

Sever and Direct Additional Transaction Type URLs

Old URL New URL

/vps200/dotransaction.dll?service=VendorReleaseTx /vspgateway/service/release.vsp

/vps200/dotransaction.dll?service=VendorAbortTx /vspgateway/service/abort.vsp

/vps200/dotransaction.dll?service=VendorRefundTx /vspgateway/service/refund.vsp

/vps200/dotransaction.dll?service=VendorRepeatTx /vspgateway/service/repeat.vsp

/vps200/dotransaction.dll?service=VendorVoidTx /vspgateway/service/void.vsp

/vps200/dotransaction.dll?service=VendorManualTx /vspgateway/service/manualpayment.vsp

/vps200/dotransaction.dll?service=VendorDirectRefundTx /vspgateway/service/directrefund.vsp

New Authorise URL, not in old system /vspgateway/service/authorise.vsp

New Cancel URL, not in old system /vspgateway/service/cancel.vsp

 

 

 

If you require any further assistance with regards to the new VSP payment system launch, please email the Protx Support Team

 

Kind regards

 

Protx

[Recidivist]

If you don't already use them, these Protx links are a useful resource:

 

Protx Support Forum and Protx Support Pages

 

KB

[Floob]

Just installed the latest version: 15th July 2007

 

Appeared to install ok (I replaced PROTX_FORM with PROTX_UK as I will need to install multiple versions)

But although I have set this to use 'UK' Zone, it appears for any customer in any zone.

 

In addition, when I pay, it returns me to my site with this URL:

http://www.xxxxx.com/catalog/checkout_paym...;error_message=

 

I get the protx email, but not the store email, nor is it in the osc database.

 

Here is the php file that has the problem above:

http://www.techpost.co.uk/protx_uk.txt

 

Here is the php file that works fine:

http://www.techpost.co.uk/protx_ukform.txt

 

Any ideas?

[sofaking]

It looks like it is all to do with the capital 'c' mentioned in fernyburn's posts.

 

Protx's LIVE and TEST servers were not getting the same codes sent back to the os shop

 

I'll have the contribution updated.

 

Cheers,

 

Michael.

[Floob]

It looks like it is all to do with the capital 'c' mentioned in fernyburn's posts.

 

Protx's LIVE and TEST servers were not getting the same codes sent back to the os shop

 

I'll have the contribution updated.

 

Cheers,

 

Michael.

 

Thanks, new version seems fine.

Although I did need to add the line

 

global $order;

 

to this code

 

// class constructor
function protx_form() {
  global $order;
  $this->code = 'protx_form';
  $this->title = MODULE_PAYMENT_PROTX_FORM_TEXT_TITLE;
  $this->description = MODULE_PAYMENT_PROTX_FORM_TEXT_DESCRIPTION;
  $this->sort_order = MODULE_PAYMENT_PROTX_FORM_SORT_ORDER;
  $this->enabled = ((MODULE_PAYMENT_PROTX_FORM_STATUS == 'True') ? true : false);

 

Without that, it didnt seem to obey the Payment Zone setting - hmmmm?

[sofaking]

Thanks, new version seems fine.

Although I did need to add the line

 

global $order;

 

to this code

 

// class constructor
function protx_form() {
  global $order;
  $this->code = 'protx_form';
  $this->title = MODULE_PAYMENT_PROTX_FORM_TEXT_TITLE;
  $this->description = MODULE_PAYMENT_PROTX_FORM_TEXT_DESCRIPTION;
  $this->sort_order = MODULE_PAYMENT_PROTX_FORM_SORT_ORDER;
  $this->enabled = ((MODULE_PAYMENT_PROTX_FORM_STATUS == 'True') ? true : false);

 

Without that, it didnt seem to obey the Payment Zone setting - hmmmm?

 

Glad to hear it worked out Floob.......I was going to add that line, when others were having a bit of bother with the register global problem.

 

Think I'll definately have it added when 1st August update for the submission URL's has to be done.

 

Another thing is that a new version of the form mayl be appearing sometime in the future......from spoona......thats what this thread is all about.

 

Take Care,

 

Michael.

[Floob]

Ok - so its 1st August and my Protx form has problems.

 

I go through the payment process and it just hangs on this page (after I press submit):

https://ukvps.protx.com/vspgateway/service/authorisation

 

I think at this point it is supposed to return me to my website. Is the fault with Protx or with us?

 

Anyone else having problems?