ThreeDSecure Component
Properties Methods Events Configuration Settings Errors
The ThreeDSecure component is used to implement a 3-D Secure MPI (Merchant Plug-In).
Syntax
nsoftware.InPay.Threedsecure
Remarks
This component is based on the 3-D Secure 1.0.2 specification, and simplifies the creation and handling of all messages to and from 3-D Secure Compliant Directory and Access Control servers. This is accomplished by adding an additional layer of abstraction between the developer and the 3-D Secure protocol. There is no need to deal with raw sockets, SSL handshakes, or XML packet formatting. All SSL communications to and from the Directory and Access Control servers are handled by the component.
This component can be easily integrated with an online payment system or shopping cart. There are three steps to integrating this component with an existing online payment system or shopping cart.
For help getting started and Visa Product Integration Testing (PIT) please see the following tutorials:
Getting Started | http://www.nsoftware.com/kb/articles/3dsecure.rst |
Visa Product Integration Testing (PIT) | http://www.nsoftware.com/kb/articles/pit.rst |
Before making any transactions the following properties must be set with values acquired from Visa:
MerchantBankId | |
MerchantCountryCode | |
MerchantName | |
MerchantNumber | |
MerchantPassword | |
MerchantURL | |
DirectoryServerURL |
Card Range Request (CRReq)
The component allows you to query the Directory Server for credit card ranges enrolled in the 3-D Secure program. This step is optional. If a submitted card is not within the currently retrieved ranges, then the card is not enrolled in 3-D Secure. Once the above configuration properties are set, sending a Card Range Request is simple. Set the MessageId (each message requires a unique MessageId), and then call the method RequestCardRanges. The card ranges will be returned in the fields Begin, End, and Action. After a successful Card Range Request the SerialNumber property will contain a serial number which indicates to the Directory Server the current state of your local cache. When submitting another Card Range Request, only the ranges which have changed since the last SerialNumber will be returned.
Verify Enrollment Request (VEReq)
Even if a card number is included in the ranges returned in the previous step, there is no guarantee that this card is actually enrolled in 3-D Secure. To determine if a card number is actually enrolled in the program, you must send a Verify Enrollment Request (VEReq). Update the MessageId and then set the CardNumber. Now call the VerifyEnrollment method. If the CardNumber is enrolled , the CardEnrolled property will contain "Y" (Yes). Otherwise it will contain "N" (No) or "U" (Service Unavailable). In addition, the ACSURL property will contain the URL for the Access Control Server to which a Payer Authentication Request must be sent.
Payer Authentication Request (PAReq)
After determining that the CardNumber in question is enrolled, a Payer Authentication Request (PAReq) must be sent to the ACSURL that was returned in the previous step. This request must be sent through the cardholder's browser, and thus cannot be sent by the component itself. The GetAuthenticationPacket method will return the compressed Payer Authentication Request (PAReq) packet, which can then be submitted through the cardholder's browser using the Javascript below.
Response.Write("<form name='downloadForm' action='" & ACSURL & "' method='POST'>") Response.Write(" <INPUT type='hidden' name='PaReq' value='" & GetAuthenticationPacket & "'>") Response.Write(" <input type='hidden' name='TermUrl' value='Termination URL that the ACS will post back to'>") Response.Write(" <input type='hidden' name='MD' value='Merchant Data needed to complete transaction'>") Response.Write("</form>") Response.Write("<script>" ) Response.Write("window.onload = submitForm;") Response.Write("function submitForm() { downloadForm.submit(); }") Response.Write("</script>" )
The TermUrl is the location of a page that will handle the rest of the ordering process. The Visa Access Control Server will post back to the URL entered in this field with the results of the Payer Authentication Request. The MD field should contain any additional information needed by the merchant to complete the transaction. This may include information such as a TransactionId, MessageId, or any other data needed to match the response with a pending authentication. This may be raw text, XML, or any other data type. It is not recommended that sensitive data such as a CardNumber be contained in this field. If this is unavoidable, such sensitive data must be encrypted.
Once a Payer Authentication Response (PARes) is received by the web page indicated in the TermUrl field, use the CheckAuthenticationResponse to decompress, verify, and parse the response. The result of the transaction will be contained in the AuthenticationStatus property. The Payer Authentication Response is digitally signed by the Access Control Server, and the certificate used to sign the response will be contained in the AuthenticationCertificate property. If this certificate does not match the RootCertificate the authentication fails and the component will throw an error. Likewise, if the information in the Payer Authentication Response does not exactly match that given in the original Authentication Request the component will throw an error. The properties that must be identical include MerchantBankId, MerchantNumber, TransactionId, TransactionAmount, CurrencyCode, and CurrencyExponent.
In addition to the previously set Merchant Properties, the following fields are required to build a valid Payer Authentication Request packet:
CardExpMonth | |
CardExpYear | |
CardNumber | |
CurrencyCode | |
CurrencyExponent | |
MessageId | |
TransactionAmount | |
TransactionDescription | |
TransactionDisplayAmount | |
TransactionId | |
RootCertificate |
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
ACSURL | Fully qualified URL of an Access Control Server. |
AuthenticationCAVV | Cardholder Authentication Verification Value. |
AuthenticationCAVVAlgorithm | Indicates the algorithm used to generate the AuthenticationCAVV value. |
AuthenticationCertificate | Contains the signing certificate for the PARes message returned by the ACS. |
AuthenticationECI | Value to be passed in the authorization message. |
AuthenticationErrorURL | Location where authentication errors are posted to. |
AuthenticationStatus | Indicates whether a transaction qualifies as an authenticated transaction. |
AuthenticationTime | Date and time Payer Authentication Response message was signed by the ACS. |
AuthenticationXID | The unique transaction identifier. |
BrowserAcceptHeader | HTTP accept header sent from the cardholder's browser. |
BrowserDeviceCategory | Indicates the type of cardholder device. |
BrowserUserAgentHeader | HTTP user-agent header sent from the customer's browser. |
CardEnrolled | Indicates whether the CardNumber can be authenticated. |
CardExpMonth | Expiration month of the credit card specified in CardNumber . |
CardExpYear | Expiration year of the credit card specified in CardNumber . |
CardNumber | Customer's credit card number to be authenticated. |
CardRanges | A collection of card ranges to be added to or removed from the cache. |
CurrencyCode | Identifies the type of currency used by the merchant. |
CurrencyExponent | Minor units of currency. |
DataPacketOut | Contains the data packet sent to the server. |
DirectoryServerURL | The address of the Directory Server. |
EnrollmentErrorURL | Location where card range and enrollment verification errors are posted to. |
ErrorPacket | Contains an XML-formatted error packet after receiving an invalid response from the Directory or Access Control Server. |
Extension | Any data necessary to support additional features. |
MerchantBankId | The number which identifies the merchant's bank or processor. |
MerchantCountryCode | Identifies the country where the merchant is located. |
MerchantName | Contains the name of the merchant. |
MerchantNumber | A unique number used to identify the merchant within the VisaNet system. |
MerchantPassword | Merchant's password. |
MerchantURL | Merchant's URL. |
MessageId | Unique identification number for each message. |
ProtocolVersion | Indicates the 3-D Secure protocol version. |
Proxy | A set of properties related to proxy access. |
RecurEndDate | The date after which no further authorizations should be performed. |
RecurFrequency | An integer indicating the minimum number of days between authorizations. |
RecurInstallments | An integer indicating the maximum number of permitted authorizations for installment payments. |
ResponsePacket | Contains the response returned by the Directory Server or ACS. |
RootCertificate | Contains the certificate used to verify the signature of the PARes message returned by the ACS. |
SerialNumber | Serial number indicating the state of the current card range cache. |
SSLAcceptServerCert | Instructs the component to unconditionally accept the server certificate that matches the supplied certificate. |
SSLCert | The certificate to be used during SSL negotiation. |
SSLServerCert | The server certificate for the last established connection. |
Timeout | A timeout for the component. |
TransactionAmount | Purchase amount to be authorized. |
TransactionDate | Optionally contains the date of the transaction. |
TransactionDescription | Brief description of goods to be purchased. |
TransactionDisplayAmount | Purchase amount to be authorized. |
TransactionId | Contains a unique transaction identifier. |
VendorCode | Vendor-specific error code or explanatory text. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
CheckAuthenticationResponse | Checks the response returned from the Access Control Server. |
Config | Sets or retrieves a configuration setting. |
GetAuthenticationPacket | Returns the Payer Authentication Request packet that is to be sent to the ACS. |
GetResponseVar | Parses additional information out of the response. |
Interrupt | Interrupts the current action. |
RequestCardRanges | Sends a Card Range Request message to the Directory Server. |
Reset | Clears all properties to their default values. |
VerifyEnrollment | Verifies that the CardNumber is enrolled in the 3-D Secure program. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
CardRange | Fired when the response to a card range request is received. |
DataPacketIn | Fired when receiving a data packet from the server. |
DataPacketOut | Fired when sending a data packet to the server. |
Error | Information about errors during data delivery. |
SSLServerAuthentication | Fired after the server presents its certificate to the client. |
SSLStatus | Shows the progress of the secure connection. |
Configuration Settings
The following is a list of configuration settings for the component with short descriptions. Click on the links for further details.
EscapeFields | Indicates whether merchant-set data fields are automatically escaped by the component before transmission. |
IgnoreInvalidCAVVAlgorithms | Indicates whether ignore invalid AuthenticationCAVVAlgorithm values. |
iReqCode | Returns the iReqCode returned in the response. |
UseResponseCAChain | Determines whether the certificate chain included in the Payer Authentication Response (PARes) is used when verifying the signature. |
AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
AllowHTTPCompression | This property enables HTTP compression for receiving data. |
Authorization | The Authorization string to be sent to the server. |
BytesTransferred | Contains the number of bytes transferred in the response data. |
EncodeURL | If set to true the URL will be encoded by the component. |
FollowRedirects | Determines what happens when the server issues a redirect. |
GetOn302Redirect | If set to true the component will perform a GET on the new location. |
HTTPVersion | The version of HTTP used by the component. |
IfModifiedSince | A date determining the maximum age of the desired document. |
KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
OtherHeaders | Other headers as determined by the user (optional). |
ProxyAuthorization | The authorization string to be sent to the proxy server. |
ProxyAuthScheme | The authorization scheme to be used for the proxy. |
ProxyPassword | A password if authentication is to be used for the proxy. |
ProxyPort | Port for the proxy server (default 80). |
ProxyServer | Name or IP address of a proxy server (optional). |
ProxyUser | A user name if authentication is to be used for the proxy. |
TransferredDataLimit | The maximum number of incoming bytes to be stored by the component. |
UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
UsePlatformHTTPClient | Whether or not to use the platform HTTP client. |
UserAgent | Information about the user agent (browser). |
KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
FirewallAutoDetect | Tells the component whether or not to automatically detect and use firewall system settings, if available. |
FirewallHost | Name or IP address of firewall (optional). |
FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
FirewallPort | The TCP port for the FirewallHost;. |
FirewallType | Determines the type of firewall to connect through. |
FirewallUser | A user name if authentication is to be used connecting through a firewall. |
KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
Linger | When set to True, connections are terminated gracefully. |
LingerTime | Time in seconds to have the connection linger. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The TCP port in the local host where the component binds. |
MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
MaxTransferRate | The transfer rate limit in bytes per second. |
TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
UseIPv6 | Whether or not to use IPv6. |
TcpNoDelay | Whether or not to delay when sending packets. |
ReuseSSLSession | Determines if the SSL session is reused. |
SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
SSLProvider | The name of the security provider to use. |
SSLSecurityFlags | Flags that control certificate verification. |
OpenSSLCADir | The path to a directory containing CA certificates. |
OpenSSLCAFile | Name of the file containing the list of CA's trusted by your application. |
OpenSSLCipherList | A string that controls the ciphers to be used by SSL. |
OpenSSLPrngSeedData | The data to seed the pseudo random number generator (PRNG). |
SSLAlgorithmList | A string that controls the cipher algorithms to be used by SSL. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
CodePage | The system code page used for Unicode to Multibyte translations. |