MPI Class
Properties Methods Events Configuration Settings Errors
The MPI class is used to implement a 3-D Secure 1.0.2 MPI (Merchant Plug-In).
Class Name
IPWorks3DS_MPI
Procedural Interface
ipworks3ds_mpi_open(); ipworks3ds_mpi_close($res); ipworks3ds_mpi_register_callback($res, $id, $function); ipworks3ds_mpi_get_last_error($res); ipworks3ds_mpi_get_last_error_code($res); ipworks3ds_mpi_set($res, $id, $index, $value); ipworks3ds_mpi_get($res, $id, $index); ipworks3ds_mpi_do_checkauthenticationresponse($res, $responsedata); ipworks3ds_mpi_do_config($res, $configurationstring); ipworks3ds_mpi_do_getauthenticationpacket($res); ipworks3ds_mpi_do_getresponsevar($res, $name); ipworks3ds_mpi_do_interrupt($res); ipworks3ds_mpi_do_requestcardranges($res); ipworks3ds_mpi_do_reset($res); ipworks3ds_mpi_do_verifyenrollment($res);
Remarks
This class is based on the 3-D Secure 1.0.2 specification, and simplifies the creation and handling of all messages to and from 3-D Secure Compliant Directory and Access Control servers. This is accomplished by adding an additional layer of abstraction between the developer and the 3-D Secure protocol. There is no need to deal with raw sockets, SSL handshakes, or XML packet formatting. All SSL communications to and from the Directory and Access Control servers are handled by the class.
This class can be easily integrated with an online payment system or shopping cart. There are three steps to integrating this class with an existing online payment system or shopping cart.
For help getting started and Visa Product Integration Testing (PIT) please see the following tutorials:
| Getting Started | http://www.nsoftware.com/kb/articles/3dsecure.rst |
| Visa Product Integration Testing (PIT) | http://www.nsoftware.com/kb/articles/pit.rst |
Before making any transactions the following properties must be set with values acquired from Visa:
| MerchantBankId | |
| MerchantCountryCode | |
| MerchantName | |
| MerchantNumber | |
| MerchantPassword | |
| MerchantURL | |
| DirectoryServerURL |
Card Range Request (CRReq)
The class allows you to query the Directory Server for credit card ranges enrolled in the 3-D Secure program. This step is optional. If a submitted card is not within the currently retrieved ranges, then the card is not enrolled in 3-D Secure. Once the above configuration properties are set, sending a Card Range Request is simple. Set the MessageId (each message requires a unique MessageId), and then call the method RequestCardRanges. The card ranges will be returned in the properties CardRangeBegin, CardRangeEnd, and CardRangeAction. After a successful Card Range Request the SerialNumber property will contain a serial number which indicates to the Directory Server the current state of your local cache. When submitting another Card Range Request, only the ranges which have changed since the last SerialNumber will be returned.
Verify Enrollment Request (VEReq)
Even if a card number is included in the ranges returned in the previous step, there is no guarantee that this card is actually enrolled in 3-D Secure. To determine if a card number is actually enrolled in the program, you must send a Verify Enrollment Request (VEReq). Update the MessageId and then set the CardNumber. Now call the VerifyEnrollment method. If the CardNumber is enrolled , the CardEnrolled property will contain "Y" (Yes). Otherwise it will contain "N" (No) or "U" (Service Unavailable). In addition, the ACSURL property will contain the URL for the Access Control Server to which a Payer Authentication Request must be sent.
Payer Authentication Request (PAReq)
After determining that the CardNumber in question is enrolled, a Payer Authentication Request (PAReq) must be sent to the ACSURL that was returned in the previous step. This request must be sent through the cardholder's browser, and thus cannot be sent by the class itself. The GetAuthenticationPacket method will return the compressed Payer Authentication Request (PAReq) packet, which can then be submitted through the cardholder's browser using the Javascript below.
The TermUrl is the location of a page that will handle the rest of the ordering process. The Visa Access Control Server will post back to the URL entered in this field with the results of the Payer Authentication Request. The MD field should contain any additional information needed by the merchant to complete the transaction. This may include information such as a TransactionId, MessageId, or any other data needed to match the response with a pending authentication. This may be raw text, XML, or any other data type. It is not recommended that sensitive data such as a CardNumber be contained in this field. If this is unavoidable, such sensitive data must be encrypted.
Once a Payer Authentication Response (PARes) is received by the web page indicated in the TermUrl field, use the CheckAuthenticationResponse to decompress, verify, and parse the response. The result of the transaction will be contained in the AuthenticationStatus property. The Payer Authentication Response is digitally signed by the Access Control Server, and the certificate used to sign the response will be contained in the AuthenticationCertificate property. If this certificate does not match the RootCertificate the authentication fails and the class will throw an error. Likewise, if the information in the Payer Authentication Response does not exactly match that given in the original Authentication Request the class will throw an error. The properties that must be identical include MerchantBankId, MerchantNumber, TransactionId, TransactionAmount, CurrencyCode, and CurrencyExponent.
In addition to the previously set Merchant Properties, the following fields are required to validate a Payer Authentication Response packet:
| CardExpMonth | |
| CardExpYear | |
| CardNumber | |
| CurrencyCode | |
| CurrencyExponent | |
| MessageId | |
| TransactionAmount | |
| TransactionDescription | |
| TransactionDisplayAmount | |
| TransactionId | |
| RootCertificate |
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| ACSURL | Fully qualified URL of an Access Control Server. |
| AuthenticationCAVV | Cardholder Authentication Verification Value. |
| AuthenticationCAVVAlgorithm | Indicates the algorithm used to generate the AuthenticationCAVV value. |
| AuthenticationCertificate | Contains the signing certificate for the PARes message returned by the ACS. |
| AuthenticationECI | Value to be passed in the authorization message. |
| AuthenticationErrorURL | Location where authentication errors are posted to. |
| AuthenticationStatus | Indicates whether a transaction qualifies as an authenticated transaction. |
| AuthenticationTime | Date and time Payer Authentication Response message was signed by the ACS. |
| AuthenticationXID | The unique transaction identifier. |
| BrowserAcceptHeader | HTTP accept header sent from the cardholder's browser. |
| BrowserDeviceCategory | Indicates the type of cardholder device. |
| BrowserUserAgentHeader | HTTP user-agent header sent from the customer's browser. |
| CardEnrolled | Indicates whether the CardNumber can be authenticated. |
| CardExpMonth | Expiration month of the credit card specified in CardNumber . |
| CardExpYear | Expiration year of the credit card specified in CardNumber . |
| CardNumber | Customer's credit card number to be authenticated. |
| CardRangeCount | The number of records in the CardRange arrays. |
| CardRangeAction | The action to perform on the card range indicated by Begin and End . |
| CardRangeBegin | First number in a range of credit card numbers returned by the Directory Server. |
| CardRangeEnd | Last number in a range of credit card numbers returned by the Directory Server. |
| CurrencyCode | Identifies the type of currency used by the merchant. |
| CurrencyExponent | Minor units of currency. |
| DataPacketOut | Contains the data packet sent to the server. |
| DirectoryServerURL | The address of the Directory Server. |
| EnrollmentErrorURL | Location where card range and enrollment verification errors are posted to. |
| ErrorPacket | Contains an XML-formatted error packet after receiving an invalid response from the Directory or Access Control Server. |
| Extension | Any data necessary to support additional features. |
| MerchantBankId | The number which identifies the merchant's bank or processor. |
| MerchantCountryCode | Identifies the country where the merchant is located. |
| MerchantName | Contains the name of the merchant. |
| MerchantNumber | A unique number used to identify the merchant within the VisaNet system. |
| MerchantPassword | Merchant's password. |
| MerchantURL | Merchant's URL. |
| MessageId | Unique identification number for each message. |
| ProtocolVersion | Indicates the 3-D Secure protocol version. |
| ProxyAuthScheme | This property is used to tell the class which type of authorization to perform when connecting to the proxy. |
| ProxyAutoDetect | This property tells the class whether or not to automatically detect and use proxy system settings, if available. |
| ProxyPassword | This property contains a password if authentication is to be used for the proxy. |
| ProxyPort | This property contains the TCP port for the proxy Server (default 80). |
| ProxyServer | If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified. |
| ProxySSL | This property determines when to use SSL for the connection to the proxy. |
| ProxyUser | This property contains a user name, if authentication is to be used for the proxy. |
| RecurEndDate | The date after which no further authorizations should be performed. |
| RecurFrequency | An integer indicating the minimum number of days between authorizations. |
| RecurInstallments | An integer indicating the maximum number of permitted authorizations for installment payments. |
| ResponsePacket | Contains the response returned by the Directory Server or ACS. |
| RootCertificate | Contains the certificate used to verify the signature of the PARes message returned by the ACS. |
| SerialNumber | Serial number indicating the state of the current card range cache. |
| SSLAcceptServerCertEncoded | The certificate (PEM/base64 encoded). |
| SSLCertEncoded | The certificate (PEM/base64 encoded). |
| SSLCertStore | The name of the certificate store for the client certificate. |
| SSLCertStorePassword | If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. |
| SSLCertStoreType | The type of certificate store for this certificate. |
| SSLCertSubject | The subject of the certificate used for client authentication. |
| SSLServerCertEncoded | The certificate (PEM/base64 encoded). |
| Timeout | A timeout for the class. |
| TransactionAmount | Purchase amount to be authorized. |
| TransactionDate | Optionally contains the date of the transaction. |
| TransactionDescription | Brief description of goods to be purchased. |
| TransactionDisplayAmount | Purchase amount to be authorized. |
| TransactionId | Contains a unique transaction identifier. |
| VendorCode | Vendor-specific error code or explanatory text. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| CheckAuthenticationResponse | Checks the response returned from the Access Control Server. |
| Config | Sets or retrieves a configuration setting. |
| GetAuthenticationPacket | Returns the Payer Authentication Request packet that is to be sent to the ACS. |
| GetResponseVar | Parses additional information out of the response. |
| Interrupt | Interrupts the current action. |
| RequestCardRanges | Sends a Card Range Request message to the Directory Server. |
| Reset | Clears all properties to their default values. |
| VerifyEnrollment | Verifies that the CardNumber is enrolled in the 3-D Secure program. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| CardRange | Fired when the response to a card range request is received. |
| DataPacketIn | Fired when receiving a data packet from the server. |
| DataPacketOut | Fired when sending a data packet to the server. |
| Error | Information about errors during data delivery. |
| SSLServerAuthentication | Fired after the server presents its certificate to the client. |
| SSLStatus | Shows the progress of the secure connection. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
| EnableMCTokenization | Determines whether the Master Card Tokenization extension should be sent in the VEReq. |
| EscapeFields | Indicates whether merchant-set data fields are automatically escaped by the class before transmission. |
| IgnoreInvalidCAVVAlgorithms | Indicates whether ignore invalid AuthenticationCAVVAlgorithm values. |
| IgnoreLeadingZeros | Determines whether to ignore leading zeros when comparing transaction amounts. |
| iReqCode | Returns the iReqCode returned in the response. |
| TrimErrorMessageId | Determines whether the error message should trim the message Id to 128 characters. |
| UseResponseCAChain | Determines whether the certificate chain included in the Payer Authentication Response (PARes) is used when verifying the signature. |
| AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
| AllowHTTPCompression | This property enables HTTP compression for receiving data. |
| AllowHTTPFallback | Whether HTTP/2 connections are permitted to fallback to HTTP/1.1. |
| Append | Whether to append data to LocalFile. |
| Authorization | The Authorization string to be sent to the server. |
| BytesTransferred | Contains the number of bytes transferred in the response data. |
| ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
| CompressHTTPRequest | Set to true to compress the body of a PUT or POST request. |
| EncodeURL | If set to true the URL will be encoded by the class. |
| FollowRedirects | Determines what happens when the server issues a redirect. |
| GetOn302Redirect | If set to true the class will perform a GET on the new location. |
| HTTP2HeadersWithoutIndexing | HTTP2 headers that should not update the dynamic header table with incremental indexing. |
| HTTPVersion | The version of HTTP used by the class. |
| IfModifiedSince | A date determining the maximum age of the desired document. |
| KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
| KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
| LogLevel | The level of detail that is logged. |
| MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
| NegotiatedHTTPVersion | The negotiated HTTP version. |
| OtherHeaders | Other headers as determined by the user (optional). |
| ProxyAuthorization | The authorization string to be sent to the proxy server. |
| ProxyAuthScheme | The authorization scheme to be used for the proxy. |
| ProxyPassword | A password if authentication is to be used for the proxy. |
| ProxyPort | Port for the proxy server (default 80). |
| ProxyServer | Name or IP address of a proxy server (optional). |
| ProxyUser | A user name if authentication is to be used for the proxy. |
| SentHeaders | The full set of headers as sent by the client. |
| StatusLine | The first line of the last response from the server. |
| TransferredData | The contents of the last response from the server. |
| TransferredDataLimit | The maximum number of incoming bytes to be stored by the class. |
| TransferredHeaders | The full set of headers as received from the server. |
| TransferredRequest | The full request as sent by the client. |
| UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
| UseIDNs | Whether to encode hostnames to internationalized domain names. |
| UsePlatformHTTPClient | Whether or not to use the platform HTTP client. |
| UserAgent | Information about the user agent (browser). |
| ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
| FirewallAutoDetect | Tells the class whether or not to automatically detect and use firewall system settings, if available. |
| FirewallHost | Name or IP address of firewall (optional). |
| FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
| FirewallPort | The TCP port for the FirewallHost;. |
| FirewallType | Determines the type of firewall to connect through. |
| FirewallUser | A user name if authentication is to be used connecting through a firewall. |
| KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
| KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
| Linger | When set to True, connections are terminated gracefully. |
| LingerTime | Time in seconds to have the connection linger. |
| LocalHost | The name of the local host through which connections are initiated or accepted. |
| LocalPort | The port in the local host where the class binds. |
| MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
| MaxTransferRate | The transfer rate limit in bytes per second. |
| ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
| TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
| TcpNoDelay | Whether or not to delay when sending packets. |
| UseIPv6 | Whether to use IPv6. |
| LogSSLPackets | Controls whether SSL packets are logged when using the internal security API. |
| OpenSSLCADir | The path to a directory containing CA certificates. |
| OpenSSLCAFile | Name of the file containing the list of CA's trusted by your application. |
| OpenSSLCipherList | A string that controls the ciphers to be used by SSL. |
| OpenSSLPrngSeedData | The data to seed the pseudo random number generator (PRNG). |
| ReuseSSLSession | Determines if the SSL session is reused. |
| SSLCACertFilePaths | The paths to CA certificate files on Unix/Linux. |
| SSLCACerts | A newline separated list of CA certificate to use during SSL client authentication. |
| SSLCheckCRL | Whether to check the Certificate Revocation List for the server certificate. |
| SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
| SSLEnabledCipherSuites | The cipher suite to be used in an SSL negotiation. |
| SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
| SSLEnableRenegotiation | Whether the renegotiation_info SSL extension is supported. |
| SSLIncludeCertChain | Whether the entire certificate chain is included in the SSLServerAuthentication event. |
| SSLNegotiatedCipher | Returns the negotiated ciphersuite. |
| SSLNegotiatedCipherStrength | Returns the negotiated ciphersuite strength. |
| SSLNegotiatedCipherSuite | Returns the negotiated ciphersuite. |
| SSLNegotiatedKeyExchange | Returns the negotiated key exchange algorithm. |
| SSLNegotiatedKeyExchangeStrength | Returns the negotiated key exchange algorithm strength. |
| SSLNegotiatedProtocol | Returns the negotiated protocol version. |
| SSLProvider | The name of the security provider to use. |
| SSLSecurityFlags | Flags that control certificate verification. |
| SSLServerCACerts | A newline separated list of CA certificate to use during SSL server certificate validation. |
| TLS12SignatureAlgorithms | Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True. |
| TLS12SupportedGroups | The supported groups for ECC. |
| TLS13KeyShareGroups | The groups for which to pregenerate key shares. |
| TLS13SignatureAlgorithms | The allowed certificate signature algorithms. |
| TLS13SupportedGroups | The supported groups for (EC)DHE key exchange. |
| AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
| FirewallData | Used to send extra data to the firewall. |
| InBufferSize | The size in bytes of the incoming queue of the socket. |
| OutBufferSize | The size in bytes of the outgoing queue of the socket. |