SecPay: Internet Payment Service Provider

[SECPay services]
-> SECCard Manual

SECCard User Manual

Index
Normal Processing
Synchronous processing
Server side processing
Batch Processing
Parameters

--- Mandatory Parameters

--- Optional Parameters

--- Address Formats

------- Shipping Address Parameters

------- Billing Address Parameters

--- Order Details Parameters

--- Callback Parameters

--- Presentation Parameters
Applet
Customer Field Encryption
Post Code Format Verification
Example Calls
XML Calls
Trouble with Thawte Certificates

 

Normal Processing Details

SECPay will host the 'checkout' process on our secure server. No sensitive data will be sent over the Internet without being encrypted using Secure Sockets Layer (SSL).

SECPay capture the card payment details as the last step in the sales process through our card details input template, and if authorisation is successful the merchant must supply the goods/services that he has agreed to sell to the customer in accordance with the agreed conditions of sale.

The merchant should embed a simple form into his site with a number of fields (normally hidden), this form will POST the following items of information to the SECPay secure server using the following SECPay servlet.

https://www.secpay.com/java-bin/ValCard

This servlet forms the basis of all authorisation requests to SECPay whether using this normal process, or other more sophisticated methods.

A test form for viewing the effects of altering the values of the fields posted to the ValCard servlet can be found at the following URL:

http://www.secpay.com/formexample.html

PLEASE NOTE :

When testing your interface either use a merchant id of 'test' or use either 'secpay' or your merchant_id and a setting of 'test_status' in the options parameter explained below .

Until your merchant account has been set up by the bank your merchant identifier will not work except with test status.

Remove the test_status setting from the options parameter when you go live OR set it to 'live' otherwise no transactions will be forwarded to the bank.

Preferably, MAKE SURE YOU REMOVE IT ENTIRELY (setting it to false will not make your site live). If you must keep it, then set it to 'live' (it will be removed by our server).

Customers that forward transactions to SECPay from a single IP address or send us more than three transactions any one hour from any one IP address must let us know their IP addresses or transactions will be blocked as they will be retreated as fraud.

back to index

PARAMETERS:

back to index

Mandatory parameters are :

merchant The merchant identifier is assigned by us and we use it in turn to lookup your merchant number and other details (to give added security). The merchant number supplied by the bank is never exposed to the Internet.
trans_id This is an identifier that you use to track this authorisation. Any string can be used as long as it does not contain spaces, spaces will be changed to '_' characters so are best avoided.
amount The total amount required for authorisation against the customers card. Please do not supply more than the prescribed number of decimal places as we will reject the transaction.
callback

This is the processing code secpay is required to call when we have completed the authorisation process. The resulting html output from the callback is presented relative to the authorisation server, and therefore you should not include any relative path graphics or links, as these will not work. Use absolute URLS. Also note, that any graphics included in the html output of your callback, or any redirects will cause a security warning to display to the customer before they know of the results of the transaction, unless they are located on a secure server.

The normal process call to a callback is a GET, but can be modified to a POST within the options parameter.

Callback can be viewed as two possible scenarios., static response to success or failure, or active code which processes the results of the parameters passed.

Scenario 1:

In the first scenario of static response, two scripts can be specified for success and failure, the first script being for success and the second for failure e.g.

callback=http://www.mysite.com/successcallback.html;http://www.mysite.com/failcallback.html

Scenario 2: (See also the section on callback parameters)

In the second scenario, active code is parsing and processing the parameters passed back to the callback script.

This code would normally be written in cgi/servlet/asp/javascript etc, and will be expected to receive a number of parameters.

The 'valid' parameter will always be set to 'true' or 'false' depending on the success or failure of the authorisation.

This must be trapped by your cgi/servlet/asp/script/javascript etc, and you must generate your own response html in the normal way for such methods.

In any case it is the responsibility of your cgi/servlet/asp/script to proceed with the sale or cancel the sale as appropriate.

Some examples are available for you to use as templates here in zip format or here in Unix tar format.

You can also supply your own parameters with the callback and then use them when the script is called. Anything can be supplied. If you do supply your own parameters then you must ensure they are URL encoded.

For example a callback might be "callback=http://www.abc.com/cgi-bin/callback.pl?fred=one&bruce=two+three", note the '+'. The fred and bruce parameters will be returned to you as given. This mechanism could be used to get back your own order and address parameters if you don't want to save them on your site and then look them up.

Our server side extensions can also be used to expand variables originally supplied to us in any form variable (except 'card_no'!) so for example the addresses or order details can be retrieved via the callback. e.g. http://www.mysite.com/callback?order=${order}&shipping=${shipping}&billing=${billing} will put the appropriate information onto the callback.

Security Note : It is strongly advised that you check the hash returned with the callback and supply a key. Alternatively you can check that the REMOTE_HOST calling you back is 'secpay.com', NOTE that many web servers do not do reverse DNS lookups so you may only be able to get the IP address. It is also possible to check that the amount supplied is the same as the amount authorised, as well as use of the MD5 hash that we append. These measures are especially important for software downloads initiated by the customer.

back to index

Optional parameters are :

currency The ISO 4217 three character alpha currency code. For this option to be useful a multi-currency account is required with your bank. NOTE : currency can also be supplied as an option (see below), most useful for users of SECBatch/SECVPN.
template

This is the HTML template we use for accepting the card payments. It is written using a server side scripting extension to HTML. This form template can be downloaded and customised to your in house look and feel if you cannot achieve this with our formatting parameters. However, we will need to host this on our server. It is available here. We would strongly recommend that you get your site working with our default template before requesting this.
err_template

This is the HTML template we use for displaying error messages, you can supply your own by using this parameter. NOTE : if this URL is wrong then there will be no template for displaying the error message to that effect, you have been warned...

options

There are a number of options settings which can be listed.
NOTE : different options should be comma delimited. e.g. test_status=true,dups=false.

Option Valid Values Description
amex true This indicates that you have an extra American Express merchant number and can accept these cards. Only applicable when testing, you must actually have an account when live!
card_type See Description

The type of card the customer is using to pay. As part of the pre-authorisation process, SECPay validate that the card number input is consistent with the card type.

NOTE : This parameter is for use with SECBatch/SECVPN only, and the values are case sensitive. Non SECBatch/SECVPN processes should use the card_type parameter if this is required.

The possible values are

Visa This does not include Visa debit cards such as Delta, Visa Debit or Connect.
Master Card Space is required.
Maestro This is in effect a Mastercard Debit card. Maestro must have Securecode enabled.
Solo See Switch.
Delta This Card Type applies to Visa Debit, Connect, Delta and Electron Cards
American Express Requires a Merchant Account with American Express. Space is required.
Diners Card Requires a merchant account with Diners Club.
JCB Japanese card not available from all banks.
cb_post true The default action method for callback is to GET to your server. This is necessary if the callback is static html, however if your callback is a Java Servlet, CGI or similar like ASP then you may prefer to POST. Note, you can only post if the callback is plain HTTP and not HTTPS and is not a redirect
cb_card_type true If used then the type of card used will be supplied as a callback parameter named "card_type". Useful for customers that charge for credit card transactions and charge differently by type.
ssl_cb true For historical reasons SECPay redirects https callbacks via the customers browser. This parameter will ensure a direct https callback is done instead.
currency Any valid currency code

The ISO 4217 three character alpha currency code. For this option to be useful a multi-currency account is required with your bank.

NOTE : This is for use with SECBatch/SECVPN only.

deferred true,full,reuse If this option is used then the initial authorisation will be for 1 (one) unit of currency (e.g GBP pound) only, the transaction will then show on the statement as Deferred and can be released by the user. When released the full amount will be authorised and the payment queued for settlement. This is very useful for those users that need to check stock levels before shipping products for example. Some other providers call this option pre-authorisation. If a value of 'full' is used rather than 'true' then the full amount will be authorised. This is for users that wish to authorise cards for validity against the total amount but don't wish to subsequently clear the funds.
A new value has now been added 'reuse'. This value will authorise for the full amount but on release will use the original auth code if still valid, otherwise it will seek a new auth like 'full'. By default it will reuse the same auth in the same day for debit cards and within the last 7 days for credit cards. The full syntax is 'reuse:<credit period>:<debit period>'. So the default is implicitly 'reuse:7:1'. Please note, it cannot be 100% guaranteed that if the original authorisation is re-used it will not result in a chargeback, the risk is greater the longer the period, especially with debit cards. Use at your own risk.
dups false By default SECPay will stop the same transaction id from the same user being used twice in the same hour (this is to stop duplicates), to turn this feature off use 'dups=false'. NOTE : We believe this feature reduces customer bills by approximately 10% and also reduces the administration overhead, it is a 'best efforts' feature however and can never be 100%. You must accept that occasionally you will get duplicates.
mail_message Any String This will put up a message on the confirmation email sent to both the customer and the merchant. This option is also available as a form field by the same name. Please keep this message reasonably short.
mail_subject Any String Sets the subject line on confirmation emails
mail_customer true/ship,bill,false true or ship - will use the ship address if supplied or the bill address if not.
bill - which will use the bill address if supplied else the ship address and
false - which will not send an email (but still save address details).

Note : A sending rule can also be supplied as a prefix to the above to determine when email should and should not be sent. i.e. mail_customer=<Rule>:<true/ship,bill,false>. The Rule can be inclusing or exclusive, denoted by a '-' (exclusive) or '+' (inclusive). The default rule is '+FARDLPQ', where R is refund, D is deferred, L is released, P is repeated, A is normal authorisation. For the faulure codes, F is referral, C is communication problem, S is refund failure, E is deferred failure, M is release failure, Q is repeat failure and N is normal payment failure. An alternative default rule would be '-CSEMN', this could be given explicitely as mail_customer=-CSEMN:true.

mail_merchants Email addresse(s) a colon ':' (not semi-colon ';') delimited list of email addresses for the merchant, will override default on database. To not send any emails to the merchant a single ':' will work.

Note : see mail_customer Note above for sending rules to merchant.

mail_attach_customer true, false Customer email style, true (default) - attach, false - inline
mail_attach_merchant true, false Merchant email style, true (default) - attach, false - inline
mail_html false, true, full Send email as html, false by default as NOT supported by all email readers. The true setting uses the <PRE> tag in html with minimal html used so does not look too bad even in a non-html mail reader and will line up columns correctly when html does work so is a reasonable compromise. The full setting gives complete html email but will show all the tags in old email clients.
auth_code/password Bank auth_code + remote password In this case 2 parameters must be supplied, an auth_code supplied by the bank to the merchant and password (merchant's remote password) these two parameters should be separated by a comma. This option is for forcing referrals through that required telephone authorisation from the bank. An example is given below:
auth_code="bankcode"
password="remotepassword"
repeat true

start/period/repetitions:amount

If used then extra information will be added to the callback which is useful for users of the repeat transaction function (see SECBatch download). To be precise the expiry date, the card type (if available), the last five digits of the card number and the name on the card will be returned so the merchant can contact the customer for newer details if the card expires or ceases to work. This sort of user initiated repetition gives you full control.

If the second form is used then repetitions can be automated This is a structured field, the first part is the start date in YYYYMMDD format (i.e. 20010201 is the first of February 2001). The second field after the '/' delimiter is the period, valid periods are 'daily', 'weekly', 'last' (i.e. last Friday in month), 'monthly', 'quarterly', 'half yearly' and 'yearly'. The next field after the '/' is the number of repetitions (optional), so 12 would mean 12 repetitions. Finally, after a ':' delimiter a repetition amount can be supplied, this is only required if different from the initial amount. Note that repetitions can occasionally fail, expired cards is probably the most common reason.

repeat_callback URL for scheduled repeat callbacks Used in conjunction with the repeat field. If supplied, we will generate a callback for each scheduled repeat. Should be set to the URL for repeat callbacks.
cv2 3 or 4 (Amex) digits from signature strip The variously called CV2 or CVV2 check digit designed to stop card number generator fraud.
req_cv2 false (default) or true Require the CVV2 check digit as a mandatory field in the SECPay Template. Ignored for API customers.
mand_cv2 false (default) or true If true then reject the transaction if the cv2 is supplied and does not match. This feature is part of active fraud and SECPay may charge for it's use.
default_cv2avs See cv2avs callback values Set a default for the CV2/AVS value. This can be used when testing to simulate a return from the bank or to give a default value in case nothing could be checked.
idempotent false (default), true If you don't know what this means you probably don't want to use it. If you are catching dups then the result of the previous transaction (the first occurrence) will be sent back to you and the callback will be as normal. This may mean that you will get duplicate callbacks (but not duplicates on the SECPay server). If your server is intelligent enough to cope with this (and you don't ship goods twice) then this option is friendlier to the customer.
token Encrypted string This is an encrypted set of parameters containing sensitive information. See the customer field encryption section below.
digest Authentication digest This field is a 32 byte hex string generated by the client by concatenating the trans_id, amount and customer remote password fields together The resulting string is then hashed using the MD5 algorithm. The same is done on the secpay server and the result compared. If they do not match then the transactions is treated as a fraudulent transaction and rejected.

Important note:
If you are planning on using the digest authentication system you must ensure that your trans_id does not contain spaces. If you must have spaces in your trans_id, please convert these to underscore '_' characters before encrypting.

usage_type
  • usage_type=E
    • Electronic Commerce - DEFAULT (can also be 'F' or 'G')
  • usage_type=M
    • Mail Order / Telephone Order (can also be 'N' or 'O')
  • usage_type=R
    • Recurring payments
  • usage_type=P
    • Card Holder Present
  • usage_type=C
    • Cash Advance only
The type of transaction, i.e. Electronic Commerce, Mail order etc.
test_status true, false, live This option is used to allow full testing of your software by forcing simulations of successful or failed credit card authorisations without contacting the bank. The testing of successful credit card transactions will initiate email order responses and allow you to view transactions in your Secure User Area.

To summarise:

  • test_status=true
    • Forces a successful credit card authorisation.
  • test_status=false
    • Forces a failed credit card authorisation.
  • test_status=live (or removing the test_status string completely)
    • Credit card authorisation is performed by the bank - THIS IS LIVE.

If you use 'secpay' as the merchant then this is a bucket account and you will the test transactions of other merchants too. Register and get your merchant account setup while awaiting your merchant number so you can test in you own private area.

Important Note:
Use this option when testing but remove or set to live for live transactions.

no_card_type false, true Don't require card_type. If false (default) - Template requires card_type, true - no card type required in default template
md_flds ':' delimited list This option allows you to specify the fields to use with the MD5 hash. It is composed like this : [[field name] [,<list item delimiter> [,<attribute name/value delimiter>]] /] <':' delimited list of fields>. See the callback download for more details.
map_flds ':' delimited list This option allows you to specify a list of fields to map from one name to another. They will be available as ${..} variables. Format is : <new name>=<old name>[:<new name>=<old name>]*. See the callback download for more details.
cb_flds ':' delimited list This option allows you to specify a list of fields to put into the servlet environment so they are subsequently available as ${..} variables. They will also be automatically added to the list of callback parameters. Format is : <name1>[:<name2>]*. See the callback download for more details.
allowed_ct ':' delimited list This option allows you to specify a list of card types that will be the only card types accepted. Note that this relies on the system being able to identify the card type from it's prefix, this is not an exact science because there are overlaps.
banned_ct ':' delimited list This option allows you to specify a list of card types that will be not be accepted by the system. Note that this relies on the system being able to identify the card type from it's prefix, this is not an exact science because there are overlaps.


order This is the details of your order. If these details are supplied then an order details summary will be viewable on our secure transaction viewer. See examples below for format of this parameter.

Please use this field in the way it was designed to be used, do not fill it with very large blocks of text as there are limitations in any piece of software as to field size. Structure it in the way documented below. Do not include HTML or Javascript in it. Failure to comply with this can temporarily affect our service and inconvenience other customers. Draft US law will make it an offence for one computer system to do this to another.

This field is provided as a convenience for the majority of customers that have simple requirements. It is not suitable for everyone. If you have complex requirements then please capture, store and present your own order details to the customer and do not send them to us.
shipping This can be either a single parameter supplying shipping address details or a set of such parameters. See below for a breakdown of the elements of the shipping address.
billing Similar to shipping but supplying billing address details. See below for a breakdown of the elements of the billing address. This parameter is required for those merchants using the AVS anti-fraud checks
backcallback An extra callback that if supplied will give the customer the option of abandoning the card entry dialogue and returning to the merchant's site. You must enter the URL that will be loaded when the back button is clicked into the backcallback field. There is an associated button that is normally hidden to go with this parameter, to make the button visible set show_back=submit. If the button is present but the parameter is not supplied then this button will act as a normal 'Submit'.
show_back Set to 'submit' when using the backcallback parameter, else the 'back' button on the payment form will act as a submit, and will attempt to authorise a payment.

Although the template can be used to completely customise your look and feel some customers wish to make only minor changes to the default template or do not have any ability to host. For these customers the following parameters may be useful. Download the template to view the details.

back to index

Presentation Parameters :

font_face The font used to render the template.
font_size The size of the font
font_color The colour of the font
bgcolor The background colour
background A background image - use with great care or extra and extremely off putting security warnings will be raised to the customer. Only recommended for customers with their own secure site (in which case an absolute URL must be supplied) or when the image is hosted with secpay.
branding Text or other branding to make the template look more like your own.
cb_message Any message you might wish to appear on a successful callback for the customer.
cb_fail_message Any message you might wish to appear on a failure callback for the customer.
<Field Name>_Text

A set of parameters that allow you to tailor the text against entry fields, useful for change prompts, foreign language prompts etc.

NOTE :case is important

Parameter Default Value
mandatory_Text Fields marked * are mandatory for all card types
customer_Text Name of Cardholder
card_type_Text Card Type
card_no_Text Card Number
expiry_Text Expiry Date (MM/YY)
issue_Text Issue No. (Switch use 0 if not known)
cv2_Text Last 3 digits on signature strip (security code)
start_date_Text Start Date (MM/YY)
authorise_Text <b><font color=red>Please do not press Authorise more than once.</font></b>
wait_Text <b>Please wait while your card details are authorised. This transaction is encrypted for your privacy. Do not exit or press back until confirmation received.</b>
error_table_Text The following fields are blank or invalid
<Card Type>_Text

A set of parameters that allow you to tailor the text against credit card types - or make them unavailable. The parameters are :

NOTE : case is important

Parameter Default Value
Master_Card_Text Master Card
Delta_Text Delta, Connect or Visa Debit
Visa_Text Visa
JCB_Text JCB
Solo_Text Solo
Switch_Text Switch
American_Express_Text American Express
Diners_Club_Text Diners
<Field Error Text>_Error

A set of parameters that allow you to tailor the text shown in the event of an error. Useful for tailoring error message text and foreign language errors.

NOTE : case is important

Parameter Default Value
card_no_Error Card No
card_type_Error Card Type
customer_name_Error Customer Name
start_date_Error Start Date
expiry_date_Error Expiry Date
issue_Error Issue No
cv2_Error Security Code
email_Error Email

 

Payment Form Parameters normally filled in on the form template on the secure server :

customer The name of the customer on the card
card_no The number of the credit/debit card
card_type

The type of card the customer is using to pay. The possible values are :

Setting Comment
Visa This does not include Visa debit cards such as Delta, Visa Debit or Connect. Also please note that Visa Electron Cards cannot be used on the Internet as they are Card Holder Present only.
Master Card Space is required.
Switch Does not always have an issue number, but if this is the card type pass a value of 0 if no issue number available. Issue number should be null if not a Switch card.
Solo See Switch.
Delta This Card Type applies to Visa Debit, Connect and Delta Cards
American Express Requires a Merchant Account with American Express. Space is required.
Diners Requires a Merchant Account with Diners Club.
JCB Japanese Credit Card. Not available from all banks.
start_date The start date on the card - if there is one
expiry The expiry date on the card
issue For Switch and Solo cards only

The SECPay secure server will then take the customer's payment details and carry out an initial validation, it will also take the billing address details if requested. The authorisation form then does checks on the validity of the card number, expiry date and issue number (where relevant). If it does not pass these checks then the form will be re-presented to the customer with an indication of the problem field and the customer will be asked to correct the problem.

Once the initial checks succeed the payment details will be sent through our firewall to a very secure machine in an encrypted form. They will be then be forwarded over a secure private network to the bank. The bank will process these details and respond appropriately.

The bank may reject the card for several reasons. The most common ones are, insufficient funds, cancelled card, or fraudulent claims (where the card has been contrived to pass standard checks but does not actually exist).

back to index

Order Details

This is a structured field and can either be supplied in the format defined below or as XML.

The order field has the following internal structure. It consists of a set of product identifier and amount pairs with a multiplier attached to the amount. as "prod,amountxquantity" The string requires some means of being delimited. Delimiters MUST NOT appear in the actual data (e.g. in the product code) or your string will not be parsed correctly and you will loose information. There are four delimiters, ';', ',', '=' and 'x'. An optional parameter 'delimit' is available at the start of the order string and can be used to change the defaults. For example, "prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2" can be fully specified as : "delimit=;,=x;prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2". The delimiters can be changed to allow strange things like this : "delimit=#+:*;prod:funny,;=book+item_amount:18.50*1#prod:sad,book+item_amount:16.50*2". Giving silly characters in the product description. It is still your responsibility to ensure the resulting string is well formed. The only way to be sure is to use XML!

The first member of each pair is called "prod" and is your product number or other identifier. The second member is either "amount" or item_amount which is the either the order line total, or the unit cost each item and may have the number of items appended preceded by an 'x'. There are three special prod values which can be passed, and will be stored by the system as specifics which are

SHIPPING, DISCOUNT and TAX can be used. If tax is not included in the price then a special value of "TAX" or "TAX @ 17.5%" can be used. Also their is a special code for discounts of "DISCOUNT".

Importantly, the sum of all the values should equal the total amount supplied for authorisation. It is your responsibility to ensure this as SECPay does not verify that the total for the order lines match the amount supplied for authorisation.

The pair of values is separated by ',' (comma) character, each pair is separated by an ';' (semicolon) character. If a multiplier is used then an 'x' character should follow the amount and be followed by a number.

 

Examples :

order="prod=funny_book,item_amount=18.50;prod=sad_book,item_amount=16.50"
prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2
prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2;prod=SHIPPING,item_amount=5.00
prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2;prod=SHIPPING,item_amount=5.00;prod=TAX @ 17.5%,amount=7.00
prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2;prod=SHIPPING,item_amount=5.00;prod=TAX @ 17.5%,item_amount=7.00;prod=DISCOUNT,item_amount=5.00
prod=funny_book,item_amount=18.50x1;prod=sad_book,item_amount=16.50x2

 

An XML example is (please preserve the class parameters and case on tags) : 

<order class='com.secpay.seccard.Order'>
  <orderLines class='com.secpay.seccard.OrderLine'>
    <OrderLine>
      <prod_code>funny_book</prod_code>
      <item_amount>18.50</item_amount>
      <quantity>1</quantity>
    </OrderLine>
    <OrderLine>
      <prod_code>scary_book</prod_code>
      <item_amount>10.00</item_amount>
      <quantity>5</quantity>
    </OrderLine>
  </orderLines>
</order>

Please note that as HTML and XML have the same quoting conventions (either single or double quotes) if you use the fragment above then you must use double quotes for the HTML, i.e. 

<input type="hidden" name="order" value='XML GOES HERE using double quotes'>
or
<input type="hidden" name="order" value="XML GOES HERE using single quotes">

This facility is supplied as a convenience for the customer so that all details can be viewed in a single place on our web site. We can take no responsibility for it's accuracy or completeness.

back to index

Address Details

back to index

The shipping address can be supplied as the following parameters:

ship_name Contact or customer's name
ship_company Company (if sold to company)
ship_addr_1 Generic address lines
ship_addr_2 Generic address lines
ship_city The city or town
ship_state The county, state, province or other area
ship_country The country
ship_post_code The country post code or zip
ship_tel The contact telephone number
ship_email Email address - this is also used for order confirmation and should always be supplied.
ship_url URL of web site.

The shipping details can alternatively be supplied as a single string, called 'shipping' with normal URL encoding, note that if a single string is used then the fields should be separated with commas. A minimal string would normally include the telephone number and the email to answer queries.

shipping=name=Fred+Bloggs,email=somebody@secpay.com,etc

back to index

The billing address can be supplied as the following parameters:

bill_name Contact or customer's name
bill_company Company (if sold to company)
bill_addr_1 Generic address lines
bill_addr_2 Generic address lines
bill_city The city or town
bill_state The county, state, province or other area
bill_country The country
bill_post_code The country post code or zip
bill_tel The contact telephone number
bill_email Email address - this is also used for order confirmation and should always be supplied.
bill_url URL of web site.

The billing details can alternatively be supplied as a single string, called 'billing'' with normal URL encoding, note that if a single string is used then the fields should be separated with commas. A minimal string would normally include the telephone number and the email to answer queries.

billing=name=Fred+Bloggs,email=somebody@secpay.com, etc

An XML Example is (note there is a 'billing' equivalent of course) : 

<shipping class='com.secpay.seccard.Address'>
  <name>Fred Bloggs</name>
  <company>Acme Co</company>
  <addr_1>1 The Road</addr_1>
  <addr_2>The Cresent</addr_2>
  <city>Metropolis</city>
  <state>Sunny State</state>
  <country>Atlantis</country>
  <post_code>AA23 1BB</post_code>
  <tel>01732 300200</tel>
  <email>sales\@secpay.com</email>
  <url>http%3A//www.secpay.com/</url>
</shipping>

Please note that as HTML and XML have the same quoting conventions (either single or double quotes) if you use the fragment above then you must use double quotes for the HTML, i.e. 

<input type="hidden" name="order" value='XML GOES HERE using double quotes'>
or
<input type="hidden" name="order" value="XML GOES HERE using single quotes">

This facility is supplied as a convenience for the customer so that all details can be viewed in a single place on our web site. We can take no responsibility for it's accuracy or completeness.

back to index

Callback Parameters :

As previously mentioned the callback url will be supplied with number of parameters :

trans_id This is the same as the parameter supplied to us and is the merchant's 'handle' on the transaction. It should be a unique string for the IP address / merchant.
valid This is true or false and indicates the acceptance or not of the card details. We do not supply other statuses, telephone referrals and most other standard responses are not relevant for Internet transactions (see above for description of message=). SECPay check for potential fraud and report these occurrences to the authorising banks.
auth_code ONLY MANDATORY WHEN 'valid=true'. The bank's authorisation code for your information only, do not show to customer.
cv2avs The Apacs approved text that is supplied as a result of the CV2 and AVS anti-Fraud checks. There are five core values defined, these are ALL MATCH, SECURITY CODE MATCH ONLY, ADDRESS MATCH ONLY, NO DATA MATCHES and DATA NOT CHECKED. With these core codes an address is only understood to match if and only if both the address proper and the postcode match at the same time. This is a little strict for some people so the following codes have been introduced too : PARTIAL ADDRESS MATCH / POSTCODE, PARTIAL ADDRESS MATCH / ADDRESS, SECURITY CODE MATCH / POSTCODE, SECURITY CODE MATCH / ADDRESS. Codes are only supplied when CV2 and/or Billing Address data is supplied, it is in your interests to supply this data to us. Note that at present all issuers should be issuing new cards with a CV2 security code on them however the AVS checks will only work with UK issued cards. Also note that Switch have not yet implemented these checks (but the cards should have the CV2 security code on them nevertheless).
message ONLY SUPPLIED WHEN 'valid=false'. The bank's failure message for your information only, do not show to customer.
resp_code ONLY SUPPLIED WHEN 'valid=false' AND code=N. The bank's failure code for your information only, do not show to customer. 2 or 83 : referral, 5 or 54 : Not Authorised, 30 : general error (retrying after 1 minute may succeed, depending on error)
amount This is the amount actually authorised by the bank. It should always be the same as the amount requested.
currency This is supplied for the convenience of customers trading in non-default currencies, i.e. non-GBP at present.
code The code field is a short code giving extensive details of failure states. It is of particular use to SECBatch/SECVPN users. Note : preauth checks can have several errors, e.g. P:NEC means the name, expiry date and card number fields are all invalid or not supplied.
A Transaction authorised by bank. auth_code available as bank reference
N Transaction not authorised. Failure message text available to merchant
C Communication problem. Trying again later may well work
F The SECPay system has detected a fraud condition and rejected the transaction. The message field will contain more details.
P:A Pre-bank checks. Amount not supplied or invalid
P:X Pre-bank checks. Not all mandatory parameters supplied
P:P Pre-bank checks. Same payment presented twice
P:S Pre-bank checks. Start date invalid
P:E Pre-bank checks. Expiry date invalid
P:I Pre-bank checks. Issue number invalid
P:C Pre-bank checks. Card number fails LUHN check
P:T Pre-bank checks. Card type invalid - i.e. does not match card number prefix
P:N Pre-bank checks. Customer name not supplied
P:M Pre-bank checks. Merchant does not exist or not registered yet
P:B Pre-bank checks. Merchant account for card type does not exist
P:D Pre-bank checks. Merchant account for this currency does not exist
P:V Pre-bank checks. CVV2 security code mandatory and not supplied / invalid
P:R Pre-bank checks. Transaction timed out awaiting a virtual circuit. Merchant may not have enough virtual circuits for the volume of business.
P:# Pre-bank checks. No MD5 hash / token key set up against account

test_status

Returned if the options parameter test_status was set to either 'true' or 'false'

 
hash This parameter is always returned. For those customers that have chosen to register a hash key with SECPay the key is concatenated onto the end of the callback URL. The start of the resulting string is removed before the first single '/' character and the whole string is then hashed using MD5. The merchant should do the same and ensure that the generated hash matches that returned. The protocol and domain (and port if supplied) are removed to ensure the code can be moved between servers without change, but still as much of the string as possible is still used. An example is available in the callback download.

If the default hashing scheme is not sufficient or there are special requirements then the md_flds option (see above) can be used.

A Java version of the MD5 algorithm is available with the callback download. If you use Perl any CPAN archive should contain an appropriate implementation. A C implementation is also available within the secbatch facility. We will make other implementations available when possible.

back to index

  

 

Synchronous Calls

Synchronous calls can be made to SECPay using cgi/servlet/asp functions as long as it is capable of issuing a post action. Parameters will need to be URL encoded and appended as part of the call.

back to index

Server Side Processing

For tighter integration with your server side processing, SECPay provide a set of library functions as a client side API which can be wrapped with your own code, and will make a synchronous and private connection with our secure server for authorisation.

SECPay can supply a client side API that can be used to call our secure server from either another web server or from a client machine for batch authorisation.

There are number of functions in the SECBatch API which are of the format:

<functionname>(parameters)

<functionname>Full(merchant, file)

The libraries, and full documentation are available for download for a number of platforms in the section on batch processing, as this uses the same technology.

Processes which can be carried out using the API's are as follows

Authorisation Standard authorisation processing
Release Release of deferred processing
Refund Refund of a transaction
Repeat Continuous Authority repeat billing
PreAuthoristation This verifies that the card data will pass our preliminary checks

An additional call is available for pre-authorisation of the card, this call will return a result string that must be parsed, please download secbatch and check the supplied examples.

preAuth(card_no, card_type, expiry, start, issue, result)

This call is simply a wrapper around an https service supplied by SECPay. This service is available at the following URL (please supply your own parameters).

https://www.secpay.com/java-bin/PreAuth?card_no=CN&card_type=CT&expiry=EX&issue=IS&start=SD

It is your responsibility to integrate these functions with your applications, though we can undertake this work on a consultancy paid basis. Please contact us if you require us to quote for this work.

back to index

Batch Processing

SECPay provide client-side example programs for sites that collect their own credit card details and wish to forward them to us for verification. Using a remote procedure call or a command line set of parameters. The API will take it's parameters from the function call or iteratively read a set of parameters from a file and repeatedly call the SECPay server.

secbatch <merchant id> <parameters>

or

secbatch <merchant id> <filename>

Where the file consists of a set of comma separated records with the following fields or parameters:

Format : secbatch <merchant> {other args}
Where other args are : <trans_id> <caller ip> <card name> <card number> <amount> <expiry> <issue> <start date> <order details> <shipping details> <billing details> <option list>
or : <file>

 

Transaction Identifier Your unique transaction identifier
IP address Identification such as IP address or Post Code
Customer Card Name The name on the card
Card Number Credit / Debit card number
Amount Total transaction amount
Expiry Date Expiry date on card normally MM/YY
Issue number Switch issue number if appropriate
Start Date Start date on card (if any)
Order Details Order detail as defined above
Shipping Address Shipping address details as defined above
Billing Address Billing address details (if different from shipping address)
Options Option list (if any)

Full parameter definition can be found in the section on parameters.

SECBatch can be downloaded from one of the links below. SECVPN is the preferred version for the future. SECVPN will benefit from all future exhancements and can easily be used as a COM object on Microsoft operating systems. It can also be called from Perl using the new JPL interface shipped with the newest Perl releases.

 

Java VPN Version(pkzip) SECVPN (pkzip) Documentation is available here
Java VPN Version(pkzip) SECVPN (gzip/tar) Documentation is available here
NT/W95 (Winsock V2) SECBatch (Dynamically linked) This program runs under Win95/98 or NT requires Winsock 2 and the latest security patches. These can be obtained from Winsock 1.2 for Windows 95. Take note of the instructions and disclaimers on this site.
Linux Version (ELF) SECBatch (Linux Version - ELF) This is a precompiled static version supplied with appropriate libraries. Also supplied is a dynamic shared object version with perl wrappers.
FreeBSD 3.4 (ELF) SECBatch (FreeBSD 3.4 - ELF) This is a dynamic shared object version with perl wrappers.
Other platforms Please contact SECPay If at all possible use SECVPN.

back to index

Applet Card Validation

An applet is available for credit card validation. Note that this applet will probably not work behind a firewall and we are aware of this issue. It is available here please view the source to tailor it for your site. This is a simple way to integrate SECPay with your application. It can also be run as a stand alone application and will eventually include order and address details, refunds, releases, remote reporting etc. For testing the dummy card number 4444333322221111 can be used.

back to index

Post Code Format Verification

SECPay is aware of the problems experienced by merchants and the possibilities of fraudulent customers. To counter this threat we will be bringing in a range of new services to verify customer and generally reduce the merchant exposure.

As a very small first step in this direction there is now a service available to check for well formed UK postcodes. It is available at :

https://www.secpay.com/java-bin/PreAuth?postcode=TN92LE

Or alternatively if more convenient ;

https://www.secpay.com/java-bin/PreAuth?incode=TN9&outcode=2LE

back to index

Examples of Calls

Note that a merchant of 'test' will allow you to test connectivity. For full testing use 'secpay' or register and use your own merchant id. This is a simple call :

Simple call (with source).

Form based call: This form has all of its fields exposed, and will work. Normally a lot of the fields would be hidden from the customer. The example can be called from here formexample.html or view the source here formexample.txt

back to index

XML Calls

SECPay now support a complete XML call (over https) and response facility. It is very easy to use and is useful for those customers that have their own secure server and some XML expertise.

There is an XML equivalent of each servlet. For example the main validation servlet ValCard has an associated servlet called XMLValCard. All XML calls are made to the XML equivalents. XML requests are called XMLRequest and all Responses are called XMLResponse, regardless of what is called. These XML objects are therefore flexible, extensible and orthogonal with all other call methods. A detailed DTD is not therefore supplied, in a sense this whole document is the DTD.

The call must be an HTTPS call and must be a POST. As this type of call will normally be done programatically the XML need not be contained within an HTML form field. In fact it is preferred if it is not. However some users may wish to use a containing field, any name would do but 'xml' might be sensible.

A Simple Request might be : 

		<XMLRequest><merchant>secpay</merchant><trans_id>xmltest</trans_id><amount>10.50</amount><options>test_status=true,dups=false</options><card_no>4444333322221111</card_no><expiry>1204</expiry><customer>Fred Bloggs</customer></XMLRequest>

Important Note: Please ensure that all of the XMLRequest is on a single line with no spaces between the elements.

The Response would be : 

		<XMLResponse>
			<valid>true</valid>
			<trans_id>xmltest</trans_id>
			<code>A</code>
			<auth_code>9999</auth_code>
			<amount>10.50</amount>
			<test_status>true</test_status>
			<hash>ff358bda726d08448b9d2df43eed9d51</hash>
		</XMLResponse>

Obviously other parameters and objects can be included, for example the shipping and billing addresses and a number of order lines could be included. Addresses and order lines must have the format defined above.

back to index

Thawte certificate root

Some old browsers did not include the Thawte root certificate, IE 3.0 is an example. If you have trouble communicating with our secure site using an old browser then please install the Thawte root from here.

Another problem that may be experienced is with root rollover in Netscape 3. The Thawte root certificate will expire on July 27 1998 in this browser, this is only a warning. To remove this warning follow these instructions :

  1. Choose Options, Security Preferences. 
  2. Select the "Site Certificates" tab.
  3. Find the entry marked "Thawte Server CA".  Delete that certificate. 
  4. Close that dialog box. 
  5. Now point your browser at http://www.thawte.com/roots/index.html This will contain a zip file containing the root certificates.
  6. Install the new certificate.