SECPay Failing OSC 2.2

[Nev]

Can some please point me in the correct direction. I have set the SECPAY module to Test, The emails come through from secpay as a test transaction but when you authorise the test payment, oscommerce informs you that there was an error with your credit card.

 

Why is this, I thougt the test process would confirm back to OSC as a successful transaction and add the order to OSC.

 

I would appreciate if anyone can point me in the right direction.

 

OSC V2.2 (1104 Snapshot)

 

Thanks

Nev

[wkrecords]

ya credit card wasnt put in right?

 

for test i usually test anything but credit card

 

sec u have to make sure your server gives you a secure server instalation

you dont usually have it automatically which most people think

[singspiel]

Can you explain more.

 

I have the same problem.

 

Nev (Another Nev)

[zuzu]

Have you been able to solve the issue with having a succesful test with secpay but an error displayed on oscommerce?

 

regards

 

z

[Guest]

just about all 'merchant' processing companies require the credit card info to come from a site which has SSL if you do not have SSL enabled or your host does not support SSL, you may be out of luck . . . Also, with the test CC, you still need to insert a valid expiration date.

[lushlongboards]

i found a fix but I'm not sure if it constitutes a security risk (I don't think it does)

 

basically secpay.php (catalog/includes/modules/payment/secpay.php) is pre-checking the form for remote host data to include "secpay.com" which it never does ...

 

see funtion before_process around line 129 in secpay.php and comment out the two lines 137 and 140 as follows :

 

//            tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, tep_session_name() . '=' . $HTTP_POST_VARS[tep_session_name()] . '&payment_error=' . $this->code, 'SSL', false, false));

 

this works, the email comes through, OSC process the order and the stock is updated correctly.

 

hope that helps!

 

chris

[Mark Evans]

This problem is caused by some hosting companys disabling the ability to do a reverse lookup.

 

I will be commiting some changes soon which allows the extra checking to be disabled or enabled using the admin tool.

[Guest]

You are correct about the secpay.com check failing, but the most secure way of checking the call back is via the hash method described in there implementation manual. I have made changes to the secpay module using this method and it works fine. If any one wants more info let me know.

[lushlongboards]

hi jag - yes, that would be excellent, some pointers to fixed code would be ace :)

 

chris

[Guest]

To avoid spoofing of a SECPay callback the most secure approach is to check the MD5 hash that they return with every callback.

The MD5 hash is calculated by secpay using the digest key and the values from the fields that you specify in the md_flds parameter in the hidden ?Options? form field on the secpay payment form call. For details of the digest key and md_flds refer to their implementation manual at http://www.secpay.com/tech.html or their User Manual at http://www.secpay.com/sc_api.html

For testing purposes you can use a merchant Id and a Digest Key of ?secpay?

 

The secpay.php module has been amended to calculate a hash key from the information in the callback + the digest key held on the Configuration table in the database. The hash key that is calculated is compared with the hash key appended to the call back by secpay, if they are the same the checkout process continues other wise the user gets an error message. The user will obviously also get an error if the hashes match but there is something else wrong or you are testing using the ?always fail? setting.

Note that I have implemented the digest key as database resident but if you wish you can hard code it in the secpay.php file. There is a commented out line to show you where.

If you have secpay implemented and you want to use the database to hold the digest key then remove secpay, update the secpay.php file and then re-install the secpay module. this will add the digest key to the database with the default of 'secpay'. This default value will have to be changed when you go live.

 

Code is here

 

http://www.oscommerce.com/community/contributions,1863

[lushlongboards]

nice one :)

[holeyman]

i cant get secpay to cowrk correclty, where in the admin can i set the digest password?

 

cheers

[warrenthewindmill]

I've installed the new version of the secpay contribution but when I try to test it get the following errors:

 

Template : http://www.mysite.co.uk/checkout_process.php?valid=true&trans_id=mysite20040321085447&code=A&auth_code=9999&amount=34.99&ip=82.1.102.216&test_status=true&osCsid=4b5b3ff8e41e83416247c2a8bbacd961&hash=66b541bb189da1ef4114f9b7bc7e456c not found!

 

java.io.IOException: Server returned HTTP response code: 401 for URL: http://www.mysite.co.uk/checkout_process.php?valid=true&trans_id=mysite20040321085447&code=A&auth_code=9999&amount=34.99&ip=82.1.102.216&test_status=true&osCsid=4b5b3ff8

 

I'm setting up credit cards for the first time. Up to now have relied on Paypal.

Any help would be appreciated. Is there a step by step guide anywhere that explains what you have to do to set it up? I have the secpay Integration guide but maybe its a case of too much information?

[warrenthewindmill]

Problem solved. I had URL security set up on my test site and the callback was hitting the security. Remove URL logon and password and the problem goes away.

 

I have succesfully installed and gone live with SECPay and LLoyds TSB. No problems at all and sales are really starting to take off. It cost us ?350 to sign up with LLoyds and SECPay want ?10 per month on top of that but we have a much higher conersion rate from new customers up from less than 50% to around 90%.

 

We managed for 3 months with Paypal and personal cheques. Don't overlook the latter as we found many people who are happy to send a cheque. We built up cash which allowed us to pay for the CC signup costs.

 

The only way is up!!

 

I'd definitely recommend the SECPay/LLoyds option for UK traders