/n software 3-D Secure V2 .NET Edition

Questions / Feedback?

MPI Component

Properties   Methods   Events   Configuration Settings   Errors  

The MPI component is used to implement a 3-D Secure 1.0.2 MPI (Merchant Plug-In).




This component is based on the 3-D Secure 1.0.2 specification, and simplifies the creation and handling of all messages to and from 3-D Secure Compliant Directory and Access Control servers. This is accomplished by adding an additional layer of abstraction between the developer and the 3-D Secure protocol. There is no need to deal with raw sockets, SSL handshakes, or XML packet formatting. All SSL communications to and from the Directory and Access Control servers are handled by the component.

This component can be easily integrated with an online payment system or shopping cart. There are three steps to integrating this component with an existing online payment system or shopping cart.

For help getting started and Visa Product Integration Testing (PIT) please see the following tutorials:

Getting Startedhttp://www.nsoftware.com/kb/articles/3dsecure.rst
Visa Product Integration Testing (PIT)http://www.nsoftware.com/kb/articles/pit.rst

Before making any transactions the following properties must be set with values acquired from Visa:


Card Range Request (CRReq)

The component allows you to query the Directory Server for credit card ranges enrolled in the 3-D Secure program. This step is optional. If a submitted card is not within the currently retrieved ranges, then the card is not enrolled in 3-D Secure. Once the above configuration properties are set, sending a Card Range Request is simple. Set the MessageId (each message requires a unique MessageId), and then call the method RequestCardRanges. The card ranges will be returned in the fields Begin, End, and Action. After a successful Card Range Request the SerialNumber property will contain a serial number which indicates to the Directory Server the current state of your local cache. When submitting another Card Range Request, only the ranges which have changed since the last SerialNumber will be returned.

Verify Enrollment Request (VEReq)

Even if a card number is included in the ranges returned in the previous step, there is no guarantee that this card is actually enrolled in 3-D Secure. To determine if a card number is actually enrolled in the program, you must send a Verify Enrollment Request (VEReq). Update the MessageId and then set the CardNumber. Now call the VerifyEnrollment method. If the CardNumber is enrolled , the CardEnrolled property will contain "Y" (Yes). Otherwise it will contain "N" (No) or "U" (Service Unavailable). In addition, the ACSURL property will contain the URL for the Access Control Server to which a Payer Authentication Request must be sent.

Payer Authentication Request (PAReq)

After determining that the CardNumber in question is enrolled, a Payer Authentication Request (PAReq) must be sent to the ACSURL that was returned in the previous step. This request must be sent through the cardholder's browser, and thus cannot be sent by the component itself. The GetAuthenticationPacket method will return the compressed Payer Authentication Request (PAReq) packet, which can then be submitted through the cardholder's browser using the Javascript below.

Response.Write("<form name='downloadForm' action='" & ACSURL & "' method='POST'>")
Response.Write("  <INPUT type='hidden' name='PaReq'   value='" & GetAuthenticationPacket & "'>")
Response.Write("  <input type='hidden' name='TermUrl' value='Termination URL that the ACS will post back to'>")
Response.Write("  <input type='hidden' name='MD'      value='Merchant Data needed to complete transaction'>")
Response.Write("<script>"  )
Response.Write("window.onload = submitForm;")
Response.Write("function submitForm() { downloadForm.submit(); }")
Response.Write("</script>"  )

The TermUrl is the location of a page that will handle the rest of the ordering process. The Visa Access Control Server will post back to the URL entered in this field with the results of the Payer Authentication Request. The MD field should contain any additional information needed by the merchant to complete the transaction. This may include information such as a TransactionId, MessageId, or any other data needed to match the response with a pending authentication. This may be raw text, XML, or any other data type. It is not recommended that sensitive data such as a CardNumber be contained in this field. If this is unavoidable, such sensitive data must be encrypted.

Once a Payer Authentication Response (PARes) is received by the web page indicated in the TermUrl field, use the CheckAuthenticationResponse to decompress, verify, and parse the response. The result of the transaction will be contained in the AuthenticationStatus property. The Payer Authentication Response is digitally signed by the Access Control Server, and the certificate used to sign the response will be contained in the AuthenticationCertificate property. If this certificate does not match the RootCertificate the authentication fails and the component will throw an error. Likewise, if the information in the Payer Authentication Response does not exactly match that given in the original Authentication Request the component will throw an error. The properties that must be identical include MerchantBankId, MerchantNumber, TransactionId, TransactionAmount, CurrencyCode, and CurrencyExponent.

In addition to the previously set Merchant Properties, the following fields are required to validate a Payer Authentication Response packet:


Property List

The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

ACSURLFully qualified URL of an Access Control Server.
AuthenticationCAVVCardholder Authentication Verification Value.
AuthenticationCAVVAlgorithmIndicates the algorithm used to generate the AuthenticationCAVV value.
AuthenticationCertificateContains the signing certificate for the PARes message returned by the ACS.
AuthenticationECIValue to be passed in the authorization message.
AuthenticationErrorURLLocation where authentication errors are posted to.
AuthenticationStatusIndicates whether a transaction qualifies as an authenticated transaction.
AuthenticationTimeDate and time Payer Authentication Response message was signed by the ACS.
AuthenticationXIDThe unique transaction identifier.
BrowserAcceptHeaderHTTP accept header sent from the cardholder's browser.
BrowserDeviceCategoryIndicates the type of cardholder device.
BrowserUserAgentHeaderHTTP user-agent header sent from the customer's browser.
CardEnrolledIndicates whether the CardNumber can be authenticated.
CardExpMonthExpiration month of the credit card specified in CardNumber .
CardExpYearExpiration year of the credit card specified in CardNumber .
CardNumberCustomer's credit card number to be authenticated.
CardRangesA collection of card ranges to be added to or removed from the cache.
CurrencyCodeIdentifies the type of currency used by the merchant.
CurrencyExponentMinor units of currency.
DataPacketOutContains the data packet sent to the server.
DirectoryServerURLThe address of the Directory Server.
EnrollmentErrorURLLocation where card range and enrollment verification errors are posted to.
ErrorPacketContains an XML-formatted error packet after receiving an invalid response from the Directory or Access Control Server.
ExtensionAny data necessary to support additional features.
MerchantBankIdThe number which identifies the merchant's bank or processor.
MerchantCountryCodeIdentifies the country where the merchant is located.
MerchantNameContains the name of the merchant.
MerchantNumberA unique number used to identify the merchant within the VisaNet system.
MerchantPasswordMerchant's password.
MerchantURLMerchant's URL.
MessageIdUnique identification number for each message.
ProtocolVersionIndicates the 3-D Secure protocol version.
ProxyA set of properties related to proxy access.
RecurEndDateThe date after which no further authorizations should be performed.
RecurFrequencyAn integer indicating the minimum number of days between authorizations.
RecurInstallmentsAn integer indicating the maximum number of permitted authorizations for installment payments.
ResponsePacketContains the response returned by the Directory Server or ACS.
RootCertificateContains the certificate used to verify the signature of the PARes message returned by the ACS.
SerialNumberSerial number indicating the state of the current card range cache.
SSLAcceptServerCertInstructs the component to unconditionally accept the server certificate that matches the supplied certificate.
SSLCertThe certificate to be used during SSL negotiation.
SSLServerCertThe server certificate for the last established connection.
TimeoutA timeout for the component.
TransactionAmountPurchase amount to be authorized.
TransactionDateOptionally contains the date of the transaction.
TransactionDescriptionBrief description of goods to be purchased.
TransactionDisplayAmountPurchase amount to be authorized.
TransactionIdContains a unique transaction identifier.
VendorCodeVendor-specific error code or explanatory text.

Method List

The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

CheckAuthenticationResponseChecks the response returned from the Access Control Server.
ConfigSets or retrieves a configuration setting.
GetAuthenticationPacketReturns the Payer Authentication Request packet that is to be sent to the ACS.
GetResponseVarParses additional information out of the response.
InterruptInterrupts the current action.
RequestCardRangesSends a Card Range Request message to the Directory Server.
ResetClears all properties to their default values.
VerifyEnrollmentVerifies that the CardNumber is enrolled in the 3-D Secure program.

Event List

The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

CardRangeFired when the response to a card range request is received.
DataPacketInFired when receiving a data packet from the server.
DataPacketOutFired when sending a data packet to the server.
ErrorInformation about errors during data delivery.
SSLServerAuthenticationFired after the server presents its certificate to the client.
SSLStatusShows the progress of the secure connection.

Configuration Settings

The following is a list of configuration settings for the component with short descriptions. Click on the links for further details.

EnableMCTokenizationDetermines whether the Master Card Tokenization extension should be sent in the VEReq.
EscapeFieldsIndicates whether merchant-set data fields are automatically escaped by the component before transmission.
IgnoreInvalidCAVVAlgorithmsIndicates whether ignore invalid AuthenticationCAVVAlgorithm values.
IgnoreLeadingZerosDetermines whether to ignore leading zeros when comparing transaction amounts.
iReqCodeReturns the iReqCode returned in the response.
TrimErrorMessageIdDetermines whether the error message should trim the message Id to 128 characters.
UseResponseCAChainDetermines whether the certificate chain included in the Payer Authentication Response (PARes) is used when verifying the signature.
AcceptEncodingUsed to tell the server which types of content encodings the client supports.
AllowHTTPCompressionThis property enables HTTP compression for receiving data.
AllowHTTPFallbackWhether HTTP/2 connections are permitted to fallback to HTTP/1.1.
AllowNTLMFallbackWhether to allow fallback from Negotiate to NTLM when authenticating.
AppendWhether to append data to LocalFile.
AuthorizationThe Authorization string to be sent to the server.
BytesTransferredContains the number of bytes transferred in the response data.
ChunkSizeSpecifies the chunk size in bytes when using chunked encoding.
CompressHTTPRequestSet to true to compress the body of a PUT or POST request.
EncodeURLIf set to true the URL will be encoded by the component.
FollowRedirectsDetermines what happens when the server issues a redirect.
GetOn302RedirectIf set to true the component will perform a GET on the new location.
HTTP2HeadersWithoutIndexingHTTP2 headers that should not update the dynamic header table with incremental indexing.
HTTPVersionThe version of HTTP used by the component.
IfModifiedSinceA date determining the maximum age of the desired document.
KeepAliveDetermines whether the HTTP connection is closed after completion of the request.
KerberosSPNThe Service Principal Name for the Kerberos Domain Controller.
LogLevelThe level of detail that is logged.
MaxHeadersInstructs component to save the amount of headers specified that are returned by the server after a Header event has been fired.
MaxHTTPCookiesInstructs component to save the amount of cookies specified that are returned by the server when a SetCookie event is fired.
MaxRedirectAttemptsLimits the number of redirects that are followed in a request.
NegotiatedHTTPVersionThe negotiated HTTP version.
OtherHeadersOther headers as determined by the user (optional).
ProxyAuthorizationThe authorization string to be sent to the proxy server.
ProxyAuthSchemeThe authorization scheme to be used for the proxy.
ProxyPasswordA password if authentication is to be used for the proxy.
ProxyPortPort for the proxy server (default 80).
ProxyServerName or IP address of a proxy server (optional).
ProxyUserA user name if authentication is to be used for the proxy.
SentHeadersThe full set of headers as sent by the client.
StatusLineThe first line of the last response from the server.
TransferredDataThe contents of the last response from the server.
TransferredDataLimitThe maximum number of incoming bytes to be stored by the component.
TransferredHeadersThe full set of headers as received from the server.
TransferredRequestThe full request as sent by the client.
UseChunkedEncodingEnables or Disables HTTP chunked encoding for transfers.
UseIDNsWhether to encode hostnames to internationalized domain names.
UsePlatformDeflateWhether to use the platform implementation to decompress compressed responses.
UsePlatformHTTPClientWhether or not to use the platform HTTP client.
UserAgentInformation about the user agent (browser).
CloseStreamAfterTransferIf true, the component will close the upload or download stream after the transfer.
ConnectionTimeoutSets a separate timeout value for establishing a connection.
FirewallAutoDetectTells the component whether or not to automatically detect and use firewall system settings, if available.
FirewallHostName or IP address of firewall (optional).
FirewallListenerIf true, the component binds to a SOCKS firewall as a server (IPPort only).
FirewallPasswordPassword to be used if authentication is to be used when connecting through the firewall.
FirewallPortThe TCP port for the FirewallHost;.
FirewallTypeDetermines the type of firewall to connect through.
FirewallUserA user name if authentication is to be used connecting through a firewall.
KeepAliveIntervalThe retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.
KeepAliveTimeThe inactivity time in milliseconds before a TCP keep-alive packet is sent.
LingerWhen set to True, connections are terminated gracefully.
LingerTimeTime in seconds to have the connection linger.
LocalHostThe name of the local host through which connections are initiated or accepted.
LocalPortThe port in the local host where the component binds.
MaxLineLengthThe maximum amount of data to accumulate when no EOL is found.
MaxTransferRateThe transfer rate limit in bytes per second.
ProxyExceptionsListA semicolon separated list of hosts and IPs to bypass when using a proxy.
TCPKeepAliveDetermines whether or not the keep alive socket option is enabled.
TcpNoDelayWhether or not to delay when sending packets.
UseIPv6Whether to use IPv6.
UseNTLMv2Whether to use NTLM V2.
CACertFilePathsThe paths to CA certificate files when using Mono on Unix/Linux.
LogSSLPacketsControls whether SSL packets are logged when using the internal security API.
ReuseSSLSessionDetermines if the SSL session is reused.
SSLCACertsA newline separated list of CA certificate to use during SSL client authentication.
SSLCheckCRLWhether to check the Certificate Revocation List for the server certificate.
SSLCipherStrengthThe minimum cipher strength used for bulk encryption.
SSLEnabledCipherSuitesThe cipher suite to be used in an SSL negotiation.
SSLEnabledProtocolsUsed to enable/disable the supported security protocols.
SSLEnableRenegotiationWhether the renegotiation_info SSL extension is supported.
SSLIncludeCertChainWhether the entire certificate chain is included in the SSLServerAuthentication event.
SSLProviderThe name of the security provider to use.
SSLSecurityFlagsFlags that control certificate verification.
SSLServerCACertsA newline separated list of CA certificate to use during SSL server certificate validation.
TLS12SignatureAlgorithmsDefines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.
TLS12SupportedGroupsThe supported groups for ECC.
TLS13KeyShareGroupsThe groups for which to pregenerate key shares.
TLS13SignatureAlgorithmsThe allowed certificate signature algorithms.
TLS13SupportedGroupsThe supported groups for (EC)DHE key exchange.
AbsoluteTimeoutDetermines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallDataUsed to send extra data to the firewall.
InBufferSizeThe size in bytes of the incoming queue of the socket.
OutBufferSizeThe size in bytes of the outgoing queue of the socket.

Copyright (c) 2021 /n software inc. - All rights reserved.
/n software 3-D Secure V2 .NET Edition - Version 2.2 [Build 7954]