Credit card processing.. more info

wow at together.net wow at together.net
Sat Jan 22 13:42:29 EST 2005


We've received a bit more information on this issue of processing a credit
card transaction from within a Rev app, and I'm hoping someone here can
help interpret it. Please shed any light you can. This response comes from
the folks at e-Onlinedata / Authorize.net. Thanks. Richard

--------------------------------


Richard,
 
Take a look at our documentation page
(http://www.authorizenet.com/support/guides.php).  I just want to make sure
you are looking at the Card Present (CP) Implementation Guide PDF and not
the AIM guide (which is ecommerce).  It tells you in that document that the
URL you POST to is https://cardpresent.authorize.net/gateway/transact.dll. 
The data does not need to be encrypted because you are emulating the HTML
form POST using SSL.  SSL takes care of the encryption and decryption.  You
will be using our digital certificate, so you will not need one for each
kiosk.
 
The request string looks just like what you would see for a GET method on
an HTML form.  Here is some sample code in VBScript.  It won't apply to you
but you will get the idea of how to put it together.  You will want to use
a device type of 5 and a market type of 2.
 
                ' build the request string
                vPostData = _
                    "x_cpversion=1.0" & _
                    "&x_login=" & Server.URLEncode( x_login ) & _
                    "&x_tran_key=" & Server.URLEncode( x_tran_key ) & _
                    "&x_market_type=" & x_market_type & _
                    "&x_device_type=" & x_device_type & _
                    "&x_amount=" & x_amount & _
                    "&x_description=" & Server.URLEncode( merchant_name ) &
_
                    "&x_response_format=1" & _
                    "&x_delim_char=" & x_delim_char & _
                    "&x_test_request=" & x_test_request
                Select Case validation_method
                    Case 2 vPostData = vPostData & "&x_track2=" &
Server.URLEncode( x_track2 )
                    Case 3 vPostData = vPostData & "&x_card_num=" &
x_card_num & "&x_exp_date=" & x_exp_date
                    Case Else vPostData = vPostData & "&x_track1=" &
Server.URLEncode( x_track1 )
                End Select
 


                ' Send data via HTTPS POST to Authorize.net
                set objHttp =
Server.CreateObject("WinHttp.WinHttpRequest.5.1")
                objHttp.open "POST", auth_net_url, False
                objHttp.SetRequestHeader "Content-Type",
"application/x-www-form-urlencoded"
                objHttp.send (vPostData)
 
                If( objHttp.Status = "200" ) Then
                    ' we communicated with web server successfully so now
process the response
                    vResponseText = objHttp.responseText
 
                    ' Tokenize response . Separator is x_delim_char
                    vFieldArray = Split( vResponseText, x_delim_char, -1, 1
)
                    vNumFields = Ubound(vFieldArray)
...
 
 
Let me know if I you get stuck again.
 
Thanks,
Keith
 
-----------------------------------------------


Keith Bailey  |  Manager, Integration Services 
   
Authorize.Net  |  a Service of Lightbridge 
915 South 500 East  |  Suite 200  |  American Fork  |  UT  |   84003 
Telephone  801.492.6483  |  Fax  801.492.6500  |  

kbailey at authorize.net  |  www.authorize.net  |  www.lightbridge.com 
-----Original Message-----
From: richard at imprintertech.com [mailto:richard at imprintertech.com] 
Sent: Friday, January 21, 2005 10:22 AM
To: Keith Bailey
Subject: Re: Our conversation; re: Keith

Keith,

Thanks for getting back to me on this. It's been frustrating trying to get
an answer to this question. Any help you can offer is greatly appreciated.

We are running on Mac OS X. We have no problem emulating the HTML form
POST. The programming environment we are working in allows for that. The
problem is in opening the secure connection to AIM. Perhaps you can walk me
through this. Here's the situation.

1. We have a laptop somewhere in the field.

2. The only program available on this machine is a custom application
(there's no browser available).

3. We collect the card data and organize that data into an appropriate
POST. 

4. What happens next? Where is that data sent? What's the address? How do
we create a secure connection? How do we encrypt that data? This is where
we're stuck.

Thanks
Richard


On Jan 21, 2005, at 12:11 PM, Keith Bailey wrote:


Richard,
 
Hopefully I can help shed a little light on using AIM.  I couldn't tell
from your conversation if you are running on any specific OS or if your
kiosks are simply self-contained with custom applications running directly
on the hardware.  Since the Authorize.Net gateway is accessed through the
Internet, a certain platform or programming language is not needed, simply
the ability to emulate an HTML form POST using SSL.  Most languages have
libraries or objects that make this an easy task, such as WinHTTP or
XMLHTTP for Windows, LWP for Perl, curl for PHP, etc.  The process is to
build the request string with the field names and values, POST it and wait
for the response string to be returned within 3-10 seconds.  You can select
whether the response string is returned as a delimited array string or XML.
 
Let me know if you have any other questions.
 
Thanks,
Keith
 
 ---------------------------------------------------

Keith Bailey  |  Manager, Integration Services 
  
Authorize.Net  |  a Service of Lightbridge 
915 South 500 East  |  Suite 200  |  American Fork  |  UT  |   84003 
Telephone  801.492.6483  |  Fax  801.492.6500  |  

kbailey at authorize.net  |  www.authorize.net  |  www.lightbridge.com 
 -----Original Message-----
From: John Waldron [mailto:jwaldron at e-onlinedata.com]
Sent: Thursday, January 20, 2005 7:19 PM
To: Keith Bailey
Subject: FW: Our conversation; re: Keith
Importance: High

Keith....can you please help Richard with his questions on Integration for
his Kiosk......please let me know if I need to fill in any blanks.


Regards,
John Waldron
 
-------------------------------------------------------


-----Original Message-----
From: Richard Miller [mailto:richard at imprintertech.com]
Sent: Thursday, January 20, 2005 9:16 PM
To: jw at e-onlinedata.com
Subject: Our conversation; re: Keith

John,

As per our discussion, here is what we are looking at needing a solution
for.

We're working with a portable kiosk. It has a wireless connection. Our
customers are restricted to our custom application. There is no mouse or
keyboard available... touch screen only. We have a card reader attached to
the unit. How do we get the credit card information from our unit out to
e-onlinedata, processed, and then back to our unit?

We've reviewed the CP Guide. No problem collecting the card information and
configuring the data so that the appropriate information is sent to you. No
problem deciphering the data once it comes back to our unit. 

Where we are stuck is with this part of the CP Guide directions (identified
by the asterisks below):

--------------------------------------

How Does AIM Work?

When using AIM, transactions flow in the following way:


******** 1. The Merchant’s server initiates a secure connection to the
payment gateway and then initiates an HTTPS POST of the transaction data to
the gateway server ********

2. The payment gateway receives and processes the transaction data
3. The payment gateway then generates and submits the transaction response
to the Merchant’s server
4. The Merchant’s server receives and processes the response
5. Finally, the Merchant prints a receipt and obtains the cardholder’s
signature to complete the transaction


What is Required to Implement AIM?

Merchants must be able to perform the following functions in order to
submit transactions to the gateway using AIM:

******** 1. Establish a secure socket connection  ********
******** 2. Provide both server and client side encryption ********

3. Develop scripts on a Web server for the integration to the gateway
(e.g., for submitting transaction data and receiving system responses)


AIM Implementation

To implement AIM, a developer would design a script that can do the
following:

1. Securely obtain all of the information needed to process a transaction

******** 2. Initiate a secure HTTPS form POST from the merchant’s server to 
 https://cardpresent.authorize.net/gateway/transact.dll  ********

3. Receive the response from the gateway and process the response to
display the appropriate result to the end user

Note: For reasons of security, use only port 443 for AIM information
transfers.

---------------------------------------------------

Our application has been developed with a programming environment called
Revolution (www.runrev.com). It's like a high level version of C++. We're
guessing we need to use the built-in commands OPEN SECURE SOCKET and
ENCRYPT. Please read through this and let me know if this is the correct
way to go and if you expect it will work.

Thanks.
Richard Miller
Imprinter Technologies
802-238-5355

----------------------------------

OPEN SOCKET COMMAND (SSL & Encryption library)

Platform support:
Introduced in version 1.0 (Changed in version 2.5)

Establishes a TCP communications socket between your system and another
system.

open [datagram] socket [to] host[:port[|ID]] [with message callbackMessage]
open secure socket [to] host[:port[|ID]] [with message callbackMessage]
[with|without verification] [using certificate certificate and key key]

open socket to "127.0.0.0:8080"
open socket to "ftp.example.org:21|sendFiles"
open socket to (field "Outgoing") with message "mailConnectionUp"
open secure socket to "www.runrev.com:443" with message "wasConnected" with
verification

Description
Use the open socket command to open a connection to another system on the
Internet (or another IP network) to get and send data.

Parameters:
The host is the IP address or domain name of the host you want to connect
to.

The port is the port number you want to connect to. If you don't specify a
port, port 80 is used. (On most systems, port 80 is used for HTTP
connections.)

The ID is an optional connection name for the socket, and can be any
string. Specify an ID if you want to create more than one socket to the
same host and port number, so that you can distinguish between them.

The callbackMessage is the name of a message to be sent when the connection
is made.

Comments:
When a connection is made, the open socket command creates a new socket
that can be used to communicate with the other system. The handler
continues executing while the connection is being established. If you use
the write to socket command while the connection is opening, the data is
buffered and is sent to the host as soon as the connection is made.

Use the open datagram socket form if you want to send a connectionless UDP
datagram instead of opening a socket.

If you specify a callbackMessage, the message is sent to the object whose
script contains the open socket command, as soon as the connection is made.
The first parameter pf this message is the host and port number of the
socket. Use a callbackMessage to trigger actions (such as reading from the
socket) that must wait until the connection has been established. (To pause
the handler that contains the open socket command until the callbackMessage
is received, use the wait for messages form of the wait command.)

UDP/datagram sockets are not supported by SSL. When connecting to a remote
peer, the client verifies the servers certificate during the handshake
process and verifies it against a list of certificates. You can specify a
list of root CA to verify against using the sslcertificates property (see
sslurlloader sample). The sslcertficates property takes a return delimited
list of files or folders. In addition you can place system wide
certfificates in System/Library/OpenSSL/certs.

The most common CAs such as verisign can be found in the file root.pem. If
'without verification' is specified then server credentials are not
authenticated, and any connection is accepted. Some servers require that
the client submit a certificate as well, this will be supported in the next
alpha.

If the socket fails to open due to an error, a socketError message is sent
to the object that attempted to open the socket. (If the error is due to a
problem finding the specified host, the error message is returned in the
result, and no socketError message is sent.)

Note: When the accept command creates a socket, it assigns a number as the
connection name. If you are using both the open socket command and the
accept command to connect to the same port on the same host, make sure to
use a non-numeric connection name that won't conflict with the numbers
assigned by the accept command. This ensures that you can always refer to
two different sockets by distinct socket identifiers.

------------------------------------

ENCRYPT COMMAND (SSL & Encryption library)

Platform support:
Introduced in version 2.5
encrypt source using cypher with [password|key] passorkey[and salt
saltvalue] [and IV IVvalue] [at bit ] 

 See also: decrypt command, cipherNames function

Description
Encrypt and decrypt accept the source data that will be
encrypted/decrypted. cipher is the name of the cipher obtained using the
ciphernames function. passorkey specifies the password of key that will be
use for encryption/decryption. If you specify key then the key needs to be
the same size as the current cipher key length. If you specify password or
don't specify a key mode, then the password will be hashed with MD5, and
combined with a salt value (a random string which is designed to deter
hackers from using dictionary attacks with frequent hashed passwords) and
truncated to the cipher key length.

The syntax allows for passing an optional salt value, and optional IV
value. This will be supported in the next alpha. Currently the salt is a
fixed value of 'salu' which is combined with the password hash and used to
extract the key. If the user does not specify a salt is the next alpha then
a random salt with be generated, and appended to the ecrypted data, which
will be read and used when decrypted.

bit specifies the key length in bits (ie. 64, 128, 256) Some ciphers have
fixed key lengths and attempting to set the key length will result in an
arrow.

On failure encrypt/decrypt set the result to the appropriate ssl error
message. On success the variable it will contain the encrypted/decrypted
data.

To use OpenSSL functionality with Rev, make sure that the openssl shared
library is installed, and in a place where Rev can find it. It is
pre-installed with OSX. You can download and build OpenSSL at
www.openssl.org and sitribute with your apps. This alpha includes a
prebuilt openssl dll which is required to use OpenSSL for windows
(libeay32.dll) which needs to be in the application, current, or system
directory. If Revolution cannot load SSL, it will return the error in the
result "ssl library not found".

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .




More information about the Use-livecode mailing list