Guest Posted March 13, 2007 Share Posted March 13, 2007 Hi I posted this in the general support forum with no sucess so am trying here, sorry it's so long but I don't know how else to show all the details. I think that an updated Secpay module which handles the digest key and callback is needed, has anyone sorted this out? Anyway here is my original post:- Secpay payment module help needed please. 1. Firstly we received the following from SECPay about possible fraud. Dear Merchant We have noticed a recent increase in the number of merchants being targeted by fraudsters who are exploiting some merchants’ interface with SECPay to verify stolen or generated card numbers. We therefore strongly recommend all merchants who use a payment page hosted by SECPay (SECPage or SECCard) to implement a digest in your website’s communication with SECPay if you do not already do so. Please refer to the integration guide section 9 for details on how to implement this relatively straightforward change. http://www.secpay.com/docs/SECCardIntegrationGuide.pdf By implementing a digest you will be protected against this increasingly common method of fraud. For any further queries regarding this, please contact the Technical support team on 08701 904 146 or email support@secpay.com Kind regards Technical Support 2. Following this I looked on the contributions section and found the contribution for a SECPay module that implemented the digest key, I forwarded this to SECPay support to see if it was suitable and received the following message:- OSCommerce currently only uses the digest on callback to check that the transaction has come from us. To complete the loop and ensure that we check that transactions only originate from your site needs quite a bit of recoding of the secpay payment module. Form the transaction ID, this is mostly in the Contributions module $trans_id = STORE_NAME . date('Ymdhis'); $trans_id = preg_replace('/[^[:alnum:]]/', '_', $trans_id); Format the amount, borrowed from the amount field $amount = number_format($order->info['total'] * $currencies->get_value($sec_currency), $currencies->currencies[$sec_currency]['decimal_places'], '.', ''); Set $remote_password to your merchant's remote password. With the contributions module you should be able to use MODULE_PAYMENT_SECPAY_REMOTE_PASSWORD as well. $digest = MD5($trans_id . $amount . $remote_password); Then to send it, within $process_button_string tep_draw_hidden_field('digest', $digest) . This is fine but I don’t know what to do as my PHP programming skills are virtually non existent. For anyones information I have added the code for the SECPay module that had been contributed by Graham Bell on 8th Feb 2004. This enables you to add your SECPay digest key but does not do the whole job according to SECPay. <?php /* $Id: secpay.php,v 1.31 2003/01/29 19:57:15 hpdl Exp $ osCommerce, Open Source E-Commerce Solutions http://www.oscommerce.com Copyright © 2003 osCommerce Released under the GNU General Public License Notes:- Module uses 'secpay' as the default Digest Key. This must be changed to a valid digest key before going live. The Digest key is implemented as database resident (Configuration table) but may be hard coded if required. See notes in the before_process function. cb_flds in the hidden 'Options' form field uses the Session Id as default but any other field or combination of fields may be used. For details of the digest key and md_flds refer to the SECpay implementation manual at http://www.secpay.com/tech.html or their User Manual at http://www.secpay.com/sc_api.html */ class secpay { var $code, $title, $description, $enabled; // class constructor function secpay() { global $order; $this->code = 'secpay'; $this->title = MODULE_PAYMENT_SECPAY_TEXT_TITLE; $this->description = MODULE_PAYMENT_SECPAY_TEXT_DESCRIPTION; $this->sort_order = MODULE_PAYMENT_SECPAY_SORT_ORDER; $this->enabled = ((MODULE_PAYMENT_SECPAY_STATUS == 'True') ? true : false); if ((int)MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID > 0) { $this->order_status = MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID; } if (is_object($order)) $this->update_status(); $this->form_action_url = 'https://www.secpay.com/java-bin/ValCard'; } // class methods function update_status() { global $order; if ( ($this->enabled == true) && ((int)MODULE_PAYMENT_SECPAY_ZONE > 0) ) { $check_flag = false; $check_query = tep_db_query("select zone_id from " . TABLE_ZONES_TO_GEO_ZONES . " where geo_zone_id = '" . MODULE_PAYMENT_SECPAY_ZONE . "' and zone_country_id = '" . $order->billing['country']['id'] . "' order by zone_id"); while ($check = tep_db_fetch_array($check_query)) { if ($check['zone_id'] < 1) { $check_flag = true; break; } elseif ($check['zone_id'] == $order->billing['zone_id']) { $check_flag = true; break; } } if ($check_flag == false) { $this->enabled = false; } } } function javascript_validation() { return false; } function selection() { return array('id' => $this->code, 'module' => $this->title); } function pre_confirmation_check() { return false; } function confirmation() { return false; } function process_button() { global $order, $currencies, $currency; switch (MODULE_PAYMENT_SECPAY_CURRENCY) { case 'Default Currency': $sec_currency = DEFAULT_CURRENCY; break; case 'Any Currency': default: $sec_currency = $currency; break; } switch (MODULE_PAYMENT_SECPAY_TEST_STATUS) { case 'Always Fail': $test_status = 'false'; break; case 'Production': $test_status = 'live'; break; case 'Always Successful': default: $test_status = 'true'; break; } $process_button_string = tep_draw_hidden_field('merchant', MODULE_PAYMENT_SECPAY_MERCHANT_ID) . tep_draw_hidden_field('trans_id', STORE_NAME . date('Ymdhis')) . tep_draw_hidden_field('amount', number_format($order->info['total'] * $currencies->get_value($sec_currency), $currencies->currencies[$sec_currency]['decimal_places'], '.', '')) . tep_draw_hidden_field('bill_name', $order->billing['firstname'] . ' ' . $order->billing['lastname']) . tep_draw_hidden_field('bill_addr_1', $order->billing['street_address']) . tep_draw_hidden_field('bill_addr_2', $order->billing['suburb']) . tep_draw_hidden_field('bill_city', $order->billing['city']) . tep_draw_hidden_field('bill_state', $order->billing['state']) . tep_draw_hidden_field('bill_post_code', $order->billing['postcode']) . tep_draw_hidden_field('bill_country', $order->billing['country']['title']) . tep_draw_hidden_field('bill_tel', $order->customer['telephone']) . tep_draw_hidden_field('bill_email', $order->customer['email_address']) . tep_draw_hidden_field('ship_name', $order->delivery['firstname'] . ' ' . $order->delivery['lastname']) . tep_draw_hidden_field('ship_addr_1', $order->delivery['street_address']) . tep_draw_hidden_field('ship_addr_2', $order->delivery['suburb']) . tep_draw_hidden_field('ship_city', $order->delivery['city']) . tep_draw_hidden_field('ship_state', $order->delivery['state']) . tep_draw_hidden_field('ship_post_code', $order->delivery['postcode']) . tep_draw_hidden_field('ship_country', $order->delivery['country']['title']) . tep_draw_hidden_field('currency', $sec_currency) . tep_draw_hidden_field('callback', tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL', false) . ';' . tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=' . $this->code, 'SSL', false)) . tep_draw_hidden_field(tep_session_name(), tep_session_id()) . // cb_flds uses the Session Id as default but any other field or combination of fields may be used tep_draw_hidden_field('options', 'test_status=' . $test_status . ',dups=false,cb_flds=' . tep_session_name()); return $process_button_string; } function before_process() { global $HTTP_GET_VARS; if ($HTTP_GET_VARS['code'] == 'A' && !empty($HTTP_GET_VARS['auth_code']) && empty($HTTP_GET_VARS['resp_code']) && !empty($HTTP_GET_VARS['osCsid'])) { // Hard code Digest Key here if required. // $DIGEST_PASSWORD = "secpay" ; list($REQUEST_URI, $CHECK_SUM) = split("hash=", $_SERVER['REQUEST_URI']) ; if ($HTTP_GET_VARS['hash'] != MD5($REQUEST_URI.MODULE_PAYMENT_SECPAY_READERS_DIGEST)) { tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, tep_session_name() . '=' . $HTTP_GET_VARS[tep_session_name()] . '&payment_error=' . $this->code, 'SSL', false, false)); } } } function after_process() { return false; } function get_error() { global $HTTP_GET_VARS; if ($HTTP_GET_VARS['code'] == "N") { $error = "TRANSACTION WAS NOT AUTHORISED. PLEASE TRY ANOTHER CARD."; } elseif ($HTTP_GET_VARS['code'] == "C") { $error = "There was a communications problem in contacing the bank, please try again."; } else { $error = MODULE_PAYMENT_SECPAY_TEXT_ERROR_MESSAGE; } return array('title' => MODULE_PAYMENT_SECPAY_TEXT_ERROR, 'error' => $error); } function check() { if (!isset($this->_check)) { $check_query = tep_db_query("select configuration_value from " . TABLE_CONFIGURATION . " where configuration_key = 'MODULE_PAYMENT_SECPAY_STATUS'"); $this->_check = tep_db_num_rows($check_query); } return $this->_check; } function install() { tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable SECpay Module', 'MODULE_PAYMENT_SECPAY_STATUS', 'True', 'Do you want to accept SECPay payments?', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Merchant ID', 'MODULE_PAYMENT_SECPAY_MERCHANT_ID', 'secpay', 'Merchant ID to use for the SECPay service', '6', '2', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Transaction Currency', 'MODULE_PAYMENT_SECPAY_CURRENCY', 'Any Currency', 'The currency to use for credit card transactions', '6', '3', 'tep_cfg_select_option(array(\'Any Currency\', \'Default Currency\'), ', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Transaction Mode', 'MODULE_PAYMENT_SECPAY_TEST_STATUS', 'Always Successful', 'Transaction mode to use for the SECPay service', '6', '4', 'tep_cfg_select_option(array(\'Always Successful\', \'Always Fail\', \'Production\'), ', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort order of display.', 'MODULE_PAYMENT_SECPAY_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, use_function, set_function, date_added) values ('Payment Zone', 'MODULE_PAYMENT_SECPAY_ZONE', '0', 'If a zone is selected, only enable this payment method for that zone.', '6', '2', 'tep_get_zone_class_title', 'tep_cfg_pull_down_zone_classes(', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, use_function, date_added) values ('Set Order Status', 'MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID', '0', 'Set the status of orders made with this payment module to this value', '6', '0', 'tep_cfg_pull_down_order_statuses(', 'tep_get_order_status_name', now())"); tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Readers Digest', 'MODULE_PAYMENT_SECPAY_READERS_DIGEST', 'secpay', 'Digest Key', '6', '0', now())"); } function remove() { tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')"); } function keys() { return array('MODULE_PAYMENT_SECPAY_STATUS', 'MODULE_PAYMENT_SECPAY_MERCHANT_ID', 'MODULE_PAYMENT_SECPAY_CURRENCY', 'MODULE_PAYMENT_SECPAY_TEST_STATUS', 'MODULE_PAYMENT_SECPAY_ZONE', 'MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID', 'MODULE_PAYMENT_SECPAY_SORT_ORDER', 'MODULE_PAYMENT_SECPAY_READERS_DIGEST'); } } ?> I finally received the following from SECPay after I had emailed them as to how the system worked:- There are two passwords involved in digest/hash authentication. The Remote Password is used in generating the digest that you submit to us with the transactions. The Digest Key is used in generating the hash that we return in the callback. Both can be set through our merchant area under Remote Passwords (select the required password from the password type drop-down list). None of the contributed SECPay modules for osCommerce support digest checking from you to us so you will need to modify the module yourself in line with our advice, or seek assistance from someone experienced in PHP. So can anybody help me with this. Thanks Mark Quote Link to comment Share on other sites More sharing options...
New 
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.