/n software 3-D Secure V2 Python Edition

Questions / Feedback?

MPI Class

Properties   Methods   Events   Configuration Settings   Errors  

The MPI class is used to implement a 3-D Secure 1.0.2 MPI (Merchant Plug-In).


class ipworks3ds.MPI


This class is based on the 3-D Secure 1.0.2 specification, and simplifies the creation and handling of all messages to and from 3-D Secure Compliant Directory and Access Control servers. This is accomplished by adding an additional layer of abstraction between the developer and the 3-D Secure protocol. There is no need to deal with raw sockets, SSL handshakes, or XML packet formatting. All SSL communications to and from the Directory and Access Control servers are handled by the class.

This class can be easily integrated with an online payment system or shopping cart. There are three steps to integrating this class with an existing online payment system or shopping cart.

For help getting started and Visa Product Integration Testing (PIT) please see the following tutorials:

Getting Startedhttp://www.nsoftware.com/kb/articles/3dsecure.rst
Visa Product Integration Testing (PIT)http://www.nsoftware.com/kb/articles/pit.rst

Before making any transactions the following properties must be set with values acquired from Visa:


Card Range Request (CRReq)

The class allows you to query the Directory Server for credit card ranges enrolled in the 3-D Secure program. This step is optional. If a submitted card is not within the currently retrieved ranges, then the card is not enrolled in 3-D Secure. Once the above configuration properties are set, sending a Card Range Request is simple. Set the message_id (each message requires a unique message_id), and then call the method request_card_ranges. The card ranges will be returned in the properties card_range_begin, card_range_end, and card_range_action. After a successful Card Range Request the serial_number property will contain a serial number which indicates to the Directory Server the current state of your local cache. When submitting another Card Range Request, only the ranges which have changed since the last serial_number will be returned.

Verify Enrollment Request (VEReq)

Even if a card number is included in the ranges returned in the previous step, there is no guarantee that this card is actually enrolled in 3-D Secure. To determine if a card number is actually enrolled in the program, you must send a Verify Enrollment Request (VEReq). Update the message_id and then set the card_number. Now call the verify_enrollment method. If the card_number is enrolled , the card_enrolled property will contain "Y" (Yes). Otherwise it will contain "N" (No) or "U" (Service Unavailable). In addition, the acsurl property will contain the URL for the Access Control Server to which a Payer Authentication Request must be sent.

Payer Authentication Request (PAReq)

After determining that the card_number in question is enrolled, a Payer Authentication Request (PAReq) must be sent to the acsurl that was returned in the previous step. This request must be sent through the cardholder's browser, and thus cannot be sent by the class itself. The get_authentication_packet method will return the compressed Payer Authentication Request (PAReq) packet, which can then be submitted through the cardholder's browser using the Javascript below.

The TermUrl is the location of a page that will handle the rest of the ordering process. The Visa Access Control Server will post back to the URL entered in this field with the results of the Payer Authentication Request. The MD field should contain any additional information needed by the merchant to complete the transaction. This may include information such as a transaction_id, message_id, or any other data needed to match the response with a pending authentication. This may be raw text, XML, or any other data type. It is not recommended that sensitive data such as a card_number be contained in this field. If this is unavoidable, such sensitive data must be encrypted.

Once a Payer Authentication Response (PARes) is received by the web page indicated in the TermUrl field, use the check_authentication_response to decompress, verify, and parse the response. The result of the transaction will be contained in the authentication_status property. The Payer Authentication Response is digitally signed by the Access Control Server, and the certificate used to sign the response will be contained in the authentication_certificate property. If this certificate does not match the root_certificate the authentication fails and the class will throw an error. Likewise, if the information in the Payer Authentication Response does not exactly match that given in the original Authentication Request the class will throw an error. The properties that must be identical include merchant_bank_id, merchant_number, transaction_id, transaction_amount, currency_code, and currency_exponent.

In addition to the previously set Merchant Properties, the following fields are required to validate a Payer Authentication Response packet:


Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

acsurlFully qualified URL of an Access Control Server.
authentication_cavvCardholder Authentication Verification Value.
authentication_cavv_algorithmIndicates the algorithm used to generate the AuthenticationCAVV value.
authentication_certificateContains the signing certificate for the PARes message returned by the ACS.
authentication_eciValue to be passed in the authorization message.
authentication_error_urlLocation where authentication errors are posted to.
authentication_statusIndicates whether a transaction qualifies as an authenticated transaction.
authentication_timeDate and time Payer Authentication Response message was signed by the ACS.
authentication_xidThe unique transaction identifier.
browser_accept_headerHTTP accept header sent from the cardholder's browser.
browser_device_categoryIndicates the type of cardholder device.
browser_user_agent_headerHTTP user-agent header sent from the customer's browser.
card_enrolledIndicates whether the CardNumber can be authenticated.
card_exp_monthExpiration month of the credit card specified in CardNumber .
card_exp_yearExpiration year of the credit card specified in CardNumber .
card_numberCustomer's credit card number to be authenticated.
card_range_countThe number of records in the CardRange arrays.
card_range_actionThe action to perform on the card range indicated by Begin and End .
card_range_beginFirst number in a range of credit card numbers returned by the Directory Server.
card_range_endLast number in a range of credit card numbers returned by the Directory Server.
currency_codeIdentifies the type of currency used by the merchant.
currency_exponentMinor units of currency.
data_packet_outContains the data packet sent to the server.
directory_server_urlThe address of the Directory Server.
enrollment_error_urlLocation where card range and enrollment verification errors are posted to.
error_packetContains an XML-formatted error packet after receiving an invalid response from the Directory or Access Control Server.
extensionAny data necessary to support additional features.
merchant_bank_idThe number which identifies the merchant's bank or processor.
merchant_country_codeIdentifies the country where the merchant is located.
merchant_nameContains the name of the merchant.
merchant_numberA unique number used to identify the merchant within the VisaNet system.
merchant_passwordMerchant's password.
merchant_urlMerchant's URL.
message_idUnique identification number for each message.
protocol_versionIndicates the 3-D Secure protocol version.
proxy_auth_schemeThis property is used to tell the class which type of authorization to perform when connecting to the proxy.
proxy_auto_detectThis property tells the class whether or not to automatically detect and use proxy system settings, if available.
proxy_passwordThis property contains a password if authentication is to be used for the proxy.
proxy_portThis property contains the TCP port for the proxy Server (default 80).
proxy_serverIf a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.
proxy_sslThis property determines when to use SSL for the connection to the proxy.
proxy_userThis property contains a user name, if authentication is to be used for the proxy.
recur_end_dateThe date after which no further authorizations should be performed.
recur_frequencyAn integer indicating the minimum number of days between authorizations.
recur_installmentsAn integer indicating the maximum number of permitted authorizations for installment payments.
response_packetContains the response returned by the Directory Server or ACS.
root_certificateContains the certificate used to verify the signature of the PARes message returned by the ACS.
serial_numberSerial number indicating the state of the current card range cache.
ssl_accept_server_cert_encodedThe certificate (PEM/base64 encoded).
ssl_cert_encodedThe certificate (PEM/base64 encoded).
ssl_cert_storeThe name of the certificate store for the client certificate.
ssl_cert_store_passwordIf the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
ssl_cert_store_typeThe type of certificate store for this certificate.
ssl_cert_subjectThe subject of the certificate used for client authentication.
ssl_server_cert_encodedThe certificate (PEM/base64 encoded).
timeoutA timeout for the class.
transaction_amountPurchase amount to be authorized.
transaction_dateOptionally contains the date of the transaction.
transaction_descriptionBrief description of goods to be purchased.
transaction_display_amountPurchase amount to be authorized.
transaction_idContains a unique transaction identifier.
vendor_codeVendor-specific error code or explanatory text.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

check_authentication_responseChecks the response returned from the Access Control Server.
configSets or retrieves a configuration setting.
get_authentication_packetReturns the Payer Authentication Request packet that is to be sent to the ACS.
get_response_varParses additional information out of the response.
interruptInterrupts the current action.
request_card_rangesSends a Card Range Request message to the Directory Server.
resetClears all properties to their default values.
verify_enrollmentVerifies that the CardNumber is enrolled in the 3-D Secure program.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

on_card_rangeFired when the response to a card range request is received.
on_data_packet_inFired when receiving a data packet from the server.
on_data_packet_outFired when sending a data packet to the server.
on_errorInformation about errors during data delivery.
on_ssl_server_authenticationFired after the server presents its certificate to the client.
on_ssl_statusShows the progress of the secure connection.

Configuration Settings

The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.

EnableMCTokenizationDetermines whether the Master Card Tokenization extension should be sent in the VEReq.
EscapeFieldsIndicates whether merchant-set data fields are automatically escaped by the class before transmission.
IgnoreInvalidCAVVAlgorithmsIndicates whether ignore invalid AuthenticationCAVVAlgorithm values.
IgnoreLeadingZerosDetermines whether to ignore leading zeros when comparing transaction amounts.
iReqCodeReturns the iReqCode returned in the response.
TrimErrorMessageIdDetermines whether the error message should trim the message Id to 128 characters.
UseResponseCAChainDetermines whether the certificate chain included in the Payer Authentication Response (PARes) is used when verifying the signature.
AcceptEncodingUsed to tell the server which types of content encodings the client supports.
AllowHTTPCompressionThis property enables HTTP compression for receiving data.
AllowHTTPFallbackWhether HTTP/2 connections are permitted to fallback to HTTP/1.1.
AppendWhether to append data to LocalFile.
AuthorizationThe Authorization string to be sent to the server.
BytesTransferredContains the number of bytes transferred in the response data.
ChunkSizeSpecifies the chunk size in bytes when using chunked encoding.
CompressHTTPRequestSet to true to compress the body of a PUT or POST request.
EncodeURLIf set to true the URL will be encoded by the class.
FollowRedirectsDetermines what happens when the server issues a redirect.
GetOn302RedirectIf set to true the class will perform a GET on the new location.
HTTP2HeadersWithoutIndexingHTTP2 headers that should not update the dynamic header table with incremental indexing.
HTTPVersionThe version of HTTP used by the class.
IfModifiedSinceA date determining the maximum age of the desired document.
KeepAliveDetermines whether the HTTP connection is closed after completion of the request.
KerberosSPNThe Service Principal Name for the Kerberos Domain Controller.
LogLevelThe level of detail that is logged.
MaxRedirectAttemptsLimits the number of redirects that are followed in a request.
NegotiatedHTTPVersionThe negotiated HTTP version.
OtherHeadersOther headers as determined by the user (optional).
ProxyAuthorizationThe authorization string to be sent to the proxy server.
ProxyAuthSchemeThe authorization scheme to be used for the proxy.
ProxyPasswordA password if authentication is to be used for the proxy.
ProxyPortPort for the proxy server (default 80).
ProxyServerName or IP address of a proxy server (optional).
ProxyUserA user name if authentication is to be used for the proxy.
SentHeadersThe full set of headers as sent by the client.
StatusLineThe first line of the last response from the server.
TransferredDataThe contents of the last response from the server.
TransferredDataLimitThe maximum number of incoming bytes to be stored by the class.
TransferredHeadersThe full set of headers as received from the server.
TransferredRequestThe full request as sent by the client.
UseChunkedEncodingEnables or Disables HTTP chunked encoding for transfers.
UseIDNsWhether to encode hostnames to internationalized domain names.
UsePlatformHTTPClientWhether or not to use the platform HTTP client.
UserAgentInformation about the user agent (browser).
ConnectionTimeoutSets a separate timeout value for establishing a connection.
FirewallAutoDetectTells the class whether or not to automatically detect and use firewall system settings, if available.
FirewallHostName or IP address of firewall (optional).
FirewallPasswordPassword to be used if authentication is to be used when connecting through the firewall.
FirewallPortThe TCP port for the FirewallHost;.
FirewallTypeDetermines the type of firewall to connect through.
FirewallUserA user name if authentication is to be used connecting through a firewall.
KeepAliveIntervalThe retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.
KeepAliveTimeThe inactivity time in milliseconds before a TCP keep-alive packet is sent.
LingerWhen set to True, connections are terminated gracefully.
LingerTimeTime in seconds to have the connection linger.
LocalHostThe name of the local host through which connections are initiated or accepted.
LocalPortThe port in the local host where the class binds.
MaxLineLengthThe maximum amount of data to accumulate when no EOL is found.
MaxTransferRateThe transfer rate limit in bytes per second.
ProxyExceptionsListA semicolon separated list of hosts and IPs to bypass when using a proxy.
TCPKeepAliveDetermines whether or not the keep alive socket option is enabled.
TcpNoDelayWhether or not to delay when sending packets.
UseIPv6Whether to use IPv6.
LogSSLPacketsControls whether SSL packets are logged when using the internal security API.
OpenSSLCADirThe path to a directory containing CA certificates.
OpenSSLCAFileName of the file containing the list of CA's trusted by your application.
OpenSSLCipherListA string that controls the ciphers to be used by SSL.
OpenSSLPrngSeedDataThe data to seed the pseudo random number generator (PRNG).
ReuseSSLSessionDetermines if the SSL session is reused.
SSLCACertFilePathsThe paths to CA certificate files on Unix/Linux.
SSLCACertsA newline separated list of CA certificate to use during SSL client authentication.
SSLCheckCRLWhether to check the Certificate Revocation List for the server certificate.
SSLCipherStrengthThe minimum cipher strength used for bulk encryption.
SSLEnabledCipherSuitesThe cipher suite to be used in an SSL negotiation.
SSLEnabledProtocolsUsed to enable/disable the supported security protocols.
SSLEnableRenegotiationWhether the renegotiation_info SSL extension is supported.
SSLIncludeCertChainWhether the entire certificate chain is included in the SSLServerAuthentication event.
SSLProviderThe name of the security provider to use.
SSLSecurityFlagsFlags that control certificate verification.
TLS12SignatureAlgorithmsDefines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.
TLS12SupportedGroupsThe supported groups for ECC.
TLS13KeyShareGroupsThe groups for which to pregenerate key shares.
TLS13SignatureAlgorithmsThe allowed certificate signature algorithms.
TLS13SupportedGroupsThe supported groups for (EC)DHE key exchange.
AbsoluteTimeoutDetermines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallDataUsed to send extra data to the firewall.
InBufferSizeThe size in bytes of the incoming queue of the socket.
OutBufferSizeThe size in bytes of the outgoing queue of the socket.

Copyright (c) 2021 /n software inc. - All rights reserved.
/n software 3-D Secure V2 Python Edition - Version 2.0 [Build 7722]