Professional Documents
Culture Documents
1. 2. 3. 4.
5.
ADMINISTRATION MODULE
5.1. ACCESS 5.2. USERS 5.3. CHECKING TRANSACTIONS 5.4. REFUNDS 5.5. CHECKING TOTALS
6.
INSTALLATION
6.1. GATEWAYrealizarPago 6.2. GATEWAYentradaXMLEntidad 6.3. GATEWAYoperaciones 6.4. DESIGN OF HASH ALGORITHM 6.5. TECHNICAL INSTALLATION SUPPORT SERVICE
7.
8.
9.
10.
MONITORING PROGRAMMES AND PENALTIES PCI-DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
Pg. 2
11.
ANNEXES
ANNEX I. ANNEX II. DESCRIPTION OF PAYMENT AND RESPONSE FORMS TABLE OF RESPONSE CODES
ANNEX III. TABLE OF ERRORS ANNEX IV. LIST OF COUNTRY CODES ANNEX V. SECURITY DIGITAL CERTIFICATES SSL/TLS
Page 3
Page 4
Page 5
Page 6
4.1.TYPESOFAUTHORIZATIONREQUESTS
Dependingontheneedsof each merchant,theVirtualPOSoffersa widevariety ofauthorization requestoptionswhichthemerchantcancombineaccordingtohisrequirements. Authorization(Ds_Transaction_Type=0orA) Thisis the most general situation. The transactionisinstigated by the cardholder who is present duringthesalesprocess.Onceithasreceivedthepurchaserequestfromthemerchant,theVirtual POSaskstheclientforthedetailstoauthorizethetransaction. If the cardholders bank has an authentication system, the cardholder will be asked by the card issuertoprovidethenecessaryproofforauthentication. Therequestforauthenticationtakesplaceinrealtimeandtheamountischargedimmediatelyto thecardholdersaccount(creditordebit).Itshouldbenotedthattheguaranteesarethesamefor bothtypesofcard. The transaction is automatically recorded by the Virtual POS and sent on a daily basis for batch processingtobecreditedtothemerchant. Thecardholderreceivesareceiptofthepaymenthehasmade. Preauthorization(Ds_Transaction_Type=1) NOTE:inaccordancewithinternationalbrandregulations,thisoperationisrestrictedto businessesworkinginthefollowingareas:hotels,travelagenciesorcarhirecompanies. Thisoptioncanbeusedwhentheexactamountcannotbedeterminedatthetimeofpurchase,or if, for any reason, the merchant does not want the amount to be charged to the customers accountimmediately. The transaction is transparent to the cardholder, who at all times proceeds in exactly the same way as the example given above, i.e. providing his/her details and authentication, if applicable, andreceivingtherelevantreceiptfromtheVirtualPOS. The request for preauthorization is carried out in real time, resulting in a retention of the sales amountfromthecardholdersaccount. The transaction is not recorded and therefore does not have any accounting impact on the cardholdersaccountandisnotpaidtothemerchant(inthecaseofdebitcards,someissuing entities debit the sum from the cardholders account, which is automatically cancelled afterafewdays). AllpreauthorizationsmustbesupportedbyaPreauthorizationConfirmationwithinamaximumof 7calendardays.Shouldthisnotbethecase,theywilllosetheirvalidityasapaymentguarantee. PreauthorizationConfirmation(Ds_Transaction_Type=2) Thisisanessentialcomplementtotheaboveoperation. Thecardholderisnotpresentandthereforethisisalwaysinstigatedbythemerchant.
Page 7
Preauthorization: 7 days Amount= Authorization: Sum of returned amounts <or= 120days Ifconditionsallow
Automaticrefund
Merchant
YES
Recurring Successive Authentication Confirmationof authentication Deferred Preauthorization Confirmationof Deferred Preauthorization
Recurring: amount, If the original was instalmentsandfinaldate authenticated Authentication:45days Preauthorization: 72hoursmaximum Amount=
Page 11
Merchant
YES
Sameasoriginal
NO
Cardholder
NO
Merchant
YES
Merchant
YES
4.2.OPERATINGRESTRICTIONS
Giventhatthesetransactionstakeplaceinavirtualenvironment,VirtualPOSoperationsaremore likelyto be subject to fraud, e.g. when itisnot actually the cardholder making the purchase. To reducetheriskinherentintheseoperations,CaixaCatalunyaoffersthepossibilityofimplementing a series of restrictions on the operating capacity of each merchant. These restrictions must be adaptedtovaluesthatdonothamperthemerchantssalesprospectsbutatthesametimeavoid exaggerateddeviationsinhisregularturnover(inmostcases,thiswouldmeanthatheissubject toattackfromstolenand/orfraudulentcards). Maximumnumberoftransactionsperday(authorizedanddeclined) Maximumamountpertransaction Maximumamountwhichcanbeaccumulatedinoneday Maximumnumberofdailytransactions(acceptedanddeclined)percard Maximumdailyamountpercard Maximumnumberofdailytransactions(acceptedanddeclined)peruser(IPaddress) Maximumdailyamountperuser(IPaddress) Ifthemerchantwishestomodifyanyoftheseparameters,heshouldsubmitarequesttoCaixade Catalunya.
4.3.ADDITIONALSECURITYMEASURES
Toprotecttheinterestsofthemerchantandreducethevolumeofincidentsasfaraspossible,we suggest adopting the following additional security measures whenever you accept payments with cards. SIGNSTODETECTINTERNETFRAUD When one of the following signs is present in an internet purchase, the merchant has to be concerned, but when several appear in a transaction, he must take care to avoid becoming a victimoffraud. First time shopper. Multiple transactions on one card over a very short period of time. Multiple transactions on one card (o similar cards) with a single billing address, but multiple shipping addresses. Transactions on similar account numbers.
Page 12
4.4.REGULATIONS
The Virtual POS, by its very nature, is subject to certain regulations which stem from its use in internationalpaymentsystemsanditsmanagementbyCaixaCatalunya. These regulations appear in the Retail Establishments Contract signed between Caixa Catalunya andthemerchant. Someofthemoreimportantofthesearelistedbelow: 1. The merchant can only process transactions that originate from the website/s detailedin the contractwithCaixaCatalunya. 2. Thewebsitemustfeaturethefollowinginformation,amongother: 2.1 The merchants name and that of the websites owner, whether an individual or
Page 14
3. 4.
5.
Page 15
5.1.ACCESS
TheAdministrationModuleofCaixaCatalunyasVirtualPOSallowsthemerchanttomakerefunds, consultthedetailsoftransactionsmadeandthetotalamountspaidbycredit/debitcards. ToaccesstheAdministrationModule,themerchantshouldselecttherelevantoptionintheservice menu of Caixa Catalunyas Online Banking system (www.cconline.es), or go to the following Internetaddress: https://canales.sermepa.es
5.2.USERS
CaixaCatalunyawillprovidethemerchantwithausername/passwordtoaccesstheAdministration Module as an administrator. In the user management option it will be possible to register new userswithoneofthefollowingtwoaccessprofiles: 1. Informative:forcheckingmovementsandtotalsonly. 2. Administrative: as well as checking movements and totals, you can make total or partial refundsofsalestransactions. Forsecurityreasons,werecommendyouchangethepasswords. TheUserssectioncontainsthefollowingsubsections: 1. Password: this allows you to change the access password with which you are currently connected. 2. Users: this allows you to perform all the functions relating to queries, registering, deregisteringandmodifyingmerchantusers. 3. Generate Users: by using a merchant code and terminal number you can automatically generate a user with access to the Administration Module with characteristics or permits established by default, and send the details of this user to the email of the merchant in question. Twokindsofuserscanberegistered: 1. Terminal:formanagingtransactionsmadeataspecificmerchantandterminal. 2. Merchant:formanagingtransactionsmadebyallamerchantsterminals.
5.3.CHECKINGTRANSACTIONS
Inordertochecktransactionsthathavetakenplaceduringthelast365calendardays,whether authorizedordeclined,youshouldselecttheQUERIESoptiononthemainpageandenterthestart andenddaterelatingtotheperiodforwhichyouwanttoobtainthisinformation. You can not send searches including more that 30 days. In case you need that you must send consecutivequeriesof30daysperiods.
Page 16
5.4.REFUNDS
The two final columns in the above screen, Check Refunds and Generate Refunds, allow the merchant to check any refunds made and generate total or partial refunds of the transactions shown. OnlyuserswhocanaccesstheAdministrationModulewithanadministrativeprofileareauthorized to make refunds. The transactions should be viewed by Merchant No. and Terminal No. (usually No.1,terminalinEuros). Tomakeapartialortotalrefundoftheselectedtransaction,youshouldclickontheredbuttonin the Generate Refund column corresponding to the transaction in question and then a page will appear in which you can enter the amount to be refunded. The refund amount should never exceedtheamountoftheoriginaltransaction. WhenyouhaveclickedontheACCEPTbutton,apagewillappearshowingthereceiptoftherefund whichcanbeprintedorsaved.
5.5.CHECKINGTOTALS
By pressing the TOTALS button on the lefthand side of the homepage, a list of the last 45 sessionswillappear.SelecttherequiredsessionandpressACCEPT. Ascreenwillthenappearshowingthetotalamountsandnumberoftransactions.
Page 17
Page 18
6.1.GATEWAYrealizarPago
Mark Up Language . . . . . . . . . . . . . . . . . . . HTML Is it 3DSecure available? . . . . . . . . . . . . . YES Can the merchant capture Card Data? . . . NO
HTMLlanguage.Thisgatewayisthemostcommonasitisusedwhenthemerchantdoesnthave any contact with the card data. The installation basically consists of entering certain computer instructions in the website which remotely execute the Virtual POS software resident in Caixa Catalunyassecureserver. Thepaymentpageofthemerchantswebsiteshouldincludeabuttonforthebuyertoassociatethe paymentwithhiscard. Thisbuttonshouldbelinkedtothehiddenpaymentformwhichisdetailedbelow.Whenthebuyer selects this button, the merchant should send the payment form for the transaction to the Caixa Catalunyaserveratthefollowingaddress:
https://sis.sermepa.es/sis/realizarPago Thewindow orframein whichtheVirtual POSopensmust havevertical andhorizontal movementbarssoitcanbeadaptedtothedifferentauthenticationpagesthatmaybeshownto thebuyerinsubsequentprocesses.ThecardholderwillinformhiscarddatadirectlyintheVirtual POSwebpageofCaixadeCatalunyasothemerchantswebsitedoesnthaveanycontactwithit. ThedetailswhichmustbeincludedinthepaymentformareshowninANNEXI. There is an additional field in the message where the main details relating to the purchase are transmittedincodebytheSecureHashAlgorithm(SHA1),seechapter6.4. Applicationstobeinstalled: MANDATORY:Apaymentforminstalledinthemerchantswebsite. MANDATORY:SHA1installedinthemerchantsInternetserver. OPTIONAL: Anapplicationforreceivingandprocessingonlineresponsestopayment authorizationrequests.
Once the cardholder has completed the payment process, the screen showing the result appears whichincludesa buttonsothecustomercanreturntoshoppingonthemerchantssite. Thewayinwhichthecustomercontinueshissessiononthemerchantswebsitewilldependonthe instructions associated with the button. These instructions, which the merchant will havegivenCaixaCatalunyainthequestionnaireprovidedwhenheregistered,mayinclude: CLOSEWINDOWinstruction:Onselecting ,thewindoworframeshowing the payment result closes and the session continues on the merchants web page which wasinthebackground. URL_OK and URL_KO instruction: On selecting , the browsing session continues on the same payment page, being redirected to a URL that the merchant will havegivenCaixaCatalunyainadvance.ThisURLcanbedifferentdependingonwhether thepaymenthasbeenauthorized(URL_OK)ordeclined(URL_KO). Youshouldbearinmindthatifthecustomer closesthe windowusingthe
Page 19
buttonon
6.2.GATEWAYentradaXMLEntidad
Mark Up Language . . . . . . . . . . . . . . . . . . . XML (single input) Is it 3DSecure available? . . . . . . . . . . . . . YES Can the merchant capture Card Data? . . . YES ThepurchaseformviathevirtualPOSwillconsistofasingleinput.TheinputvaluewillbetheXML document, which must be in the format of x-www-form-urlencoded. This form will be sent via a POST. This allows the merchant to capture card data but also is able to process 3DSECURE transactions. The merchant shouldprovide the information on the purchase to the following Web serveraddresssoitcanauthorizethetransaction: https://sis.sermepa.es/sis/entradaXMLEntidad Thewindow orframein whichtheVirtual POSopensmust havevertical andhorizontal movementbarssoitcanbeadaptedtothedifferentauthenticationpagesthatmaybeshownto thebuyerinsubsequentprocesses. ThedatathatcanbeincludedintheXMLdocument,andwhichareessentialforauthorization,are mainlydescribedinANNEXI. WecanidentifytwotypesofXMLdocument: 1.DATOSENTRADA:documentsentbythemerchant 2. NOTIFICACIONXML: document sent by the payment platform in response. For further details,seesection7.1ofthissection. Adescriptionofthefirstdocumentisgivenbelow:
Version1.<fuc_comercio> <!ELEMENTDATOSENTRADA (DS_VERSION, DS_MERCHANT_AMOUNT, DS_MERCHANT_CURRENCY, DS_MERCHANT_ORDER, DS_MERCHANT_MERCHANTCODE, Page 20
Anexampleofthemessageisgivenbelow:
In response to the request made, Caixa Catalunyas payment platform will return an XML document to the merchant with the result of the request. This response document (NOTIFICACIONXML) will be entered in the same way, as a form, in the field known as data after havingbeenputintotheformatxwwwformurlencoded. ThefieldsthisdocumentcanhaveareexplainedinANNEXI Exampleofnotificationformat:
Version1.<fuc_comercio> <!ELEMENTNOTIFICACIONXML Page 21
Anexampleofthemessageisgivenbelow:
<NOTIFICACIONXML> <Ds_Version>1.XXXX</Ds_Version> <Ds_Amount>100</Ds_Amount> <Ds_Currency>978</Ds_Currency> <Ds_Order>0001</Ds_Order> <Ds_MerchantCode>999008881</Ds_MerchantCode> <Ds_Terminal>1</Ds_Terminal> <Ds_Response>0</Ds_Response> <Ds_MerchantData>MisDatos</Ds_MerchantData> <Ds_SecurePayment>1</Ds_SecurePayment> <Ds_Card_Number>9999999999999999999</Ds_Card_Number> <Ds_ExpiryDate>0204</Ds_ExpiryDate> <Ds_TransactionType>0</Ds_TransactionType> <Ds_AuthorisationCode>222FFF</Ds_AuthorisationCode> <Ds_Signature></Ds_Signature> </NOTIFICACIONXML> Page 22
6.3.GATEWAYOperaciones
Mark Up Language . . . . . . . . . . . . . . . . . . . XML Is it 3DSecure available? . . . . . . . . . . . . . NO Can the merchant capture Card Data? . . . YES ItisforHOSTtoHOSTtransactionsworkingasanXMLconversation.Oftenusedtosendrefunds, subscriptions, and other operations where the cardholder is not present. Its not possible to process3DSECUREtransactions. It is very important to bear in mind that this resource is only valid for the following types of transactions(Ds_Merchant_TransactionType),becauseasthecardholderisnotpresenthecannot beauthenticated(3DSecureEnvironment): 1Preauthorization (only if the merchant is authorized to perform this type of operation andisworkinginnonsecuremode) 2Confirmationofpreauthorization 3Automaticrefund 6Successivetransactions 8Confirmationofauthentication 9Cancellationofpreauthorizations ANonsecure payment without authentication (by default, this operation is not permitted andcanonlybedonewithpriorauthorizationfromCaixaCatalunya). ODeferredPreauthorization PConfirmationofDeferredPreauthorization QCancellationofDeferredPreauthorization RDeferredRecurringPreauthorization SConfirmation of Deferred Recurring Preauthorization / Successive of Deferred Recurring Pre authorization ThecommunicationisdonebysendingtheXMLdocumenttotheaddressindicatedbytheVirtual POS.ThesystemwillinterprettheXMLdocumentandmaketherelevantvalidations,afterwhichit
Page 23
2.SpecificationofRETORNOXMLdocument. Thismessageistheonesentbytheplatformasaresultofthetransaction.
<!ELEMENTRETORNOXML(Ds_Version?,CODE,(OPERACION|RECIBIDO))> <!ELEMENTDs_Version(#PCDATA)> <!ELEMENTCODE(#PCDATA)> <!ELEMENT OPERACION (Ds_Amount, Ds_Currency, Ds_Order, Ds_Signature, Ds_MerchantCode, Ds_Terminal, Ds_Response, Ds_AuthorizationCode,Ds_TransactionType, Ds_SecurePayment, Ds_Reference ?, Ds_Language ?, Ds_CardNumber?,Ds_ExpiryDate?,Ds_MerchantData?,Ds_MerchantDTD)> <!ELEMENTDs_Amount(#PCDATA)> <!ELEMENTDs_Currency(#PCDATA)> <!ELEMENTDs_Order(#PCDATA)> <!ELEMENTDs_Signature(#PCDATA)> <!ELEMENTDs_MerchantCode(#PCDATA)> <!ELEMENTDs_Terminal(#PCDATA)> <!ELEMENTDs_Response(#PCDATA)> <!ELEMENTDs_AuthorizationCode(#PCDATA)> <!ELEMENTDs_TransactionType(#PCDATA)> <!ELEMENTDs_SecurePayment(#PCDATA)> <!ELEMENTDs_Reference(#PCDATA)> <!ELEMENTDs_Language(#PCDATA)> <!ELEMENTDs_CardNumber(#PCDATA)> <!ELEMENTDs_ExpiryDate(#PCDATA)> <!ELEMENTDs_MerchantData(#PCDATA)> <!ELEMENTRECIBIDO(#PCDATA)> Where: - Ds_Version:versionoftheDTDusedtovalidatetheXML. Page 25
Threeexamplesofmessagesappearbelow:
1Transactioncorrectandauthorized: <RETORNOXML> <DS_Version>1.0</DS_Version> <CODE>0</CODE> <OPERACION> <Ds_Amount>100</Ds_Amount> <Ds_Currency>978</Ds_Currency> <Ds_Order>0001</Ds_Order> <Ds_Signature>EEFF45687hgth</Ds_Signature> <Ds_MerchantCode>999008881</Ds_MerchantCode> <Ds_Terminal>1</Ds_Terminal> <Ds_Response>0</Ds_Response> <Ds_AuthorizationCode>222FFF</Ds_AuthorizationCode> <Ds_TransactionType>2</Ds_TransactionType> <Ds_SecurePayment>1</Ds_SecurePayment> <Ds_MerchantData>MisDatos</Ds_MerchantData> </OPERACION> </RETORNOXML> 2Transactioncorrectbutdeclined(190Declinedbytheissuerbank): <RETORNOXML> <DS_Version>1.0</DS_Version> <CODE>0</CODE> <OPERACION> <Ds_Amount>100</Ds_Amount> <Ds_Currency>978</Ds_Currency> <Ds_Order>0001</Ds_Order> <Ds_Signature>EEFF45687hgth</Ds_Signature> <Ds_MerchantCode>999008881</Ds_MerchantCode> <Ds_Terminal>1</Ds_Terminal> <Ds_Response>190</Ds_Response> <Ds_AuthorizationCode>222FFF</Ds_AuthorizationCode> <Ds_TransactionType>2Ds_TransactionType> <Ds_SecurePayment>1</Ds_SecurePayment> <Ds_MerchantData>MisDatos</Ds_MerchantData> </OPERACION> </RETORNOXML> 3Transactionincorrect(051ordernumberrepeated).Thiswillneverbeauthorized: <RETORNOXML> <CODE>SIS0051</CODE> <RECIBIDO> <DATOSENTRADA> <DS_MERCHANT_CURRENCY> 978 </DS_MERCHANT_CURRENCY> <DS_MERCHANT_MERCHANTURL> https://pruebaCom.jsp </DS_MERCHANT_MERCHANTURL> <DS_MERCHANT_TRANSACTIONTYPE> 2 </DS_MERCHANT_TRANSACTIONTYPE> <DS_MERCHANT_MERCHANTDATA> Pad+for+mouse </DS_MERCHANT_MERCHANTDATA> <DS_MERCHANT_AMOUNT> 45 Page 26
If during the installation process one error messages appeared, it would indicate that one of the parametersinthefieldssentwaswrong.Tolocatetheincorrectfield,youshouldsearchthetext for the SIS chain. The numerical value xxxx next to the <!SISxxxx:> instruction will indicate the type of error, as described in ANNEX III. Also, ANNEX III includes a second table withthemessageshowntothecardholderinthecaseofthedifferenterrors.
6.4.DESIGNOFHASHALGORITHMININTERNETSERVER
Caixa de Catalunya will provide the merchant a code to be used to sign the details provided by him, which not only allows the merchants identification to be verified but also that the details havenotbeenchangedatanytime.ItwillbeusedasasecurityprotocolinthepublicSecureHash Algorithm (SHA1) which guarantees the minimum security requirements in terms of authenticationoforigin. This same algorithm is also used so the merchant can be assured of the authenticity of the responsedetailsintheeventthatthemerchantoptsforURLnotification. The SHA1 code is not available for PHP versions lower than 4.3.0. If your server uses a previousversion,pleasegetincontactwithCaixaCatalunyastechnicalsupportservicetofindan alternativesolution. Thecalculationofthealgorithmisdifferentdependingonthegatewayyoureworkingon: GATEWAYrealizarPago Therearetwopossiblecasesforcalculatingtheelectronicsignature: For transactions with Ds_Merchant_TransactionType 5 or R: the merchants electronic signatureshouldbecalculatedthus: Digest=SHA1(Ds_Merchant_Amount+Ds_Merchant_Order + Ds_Merchant_MerchantCode +
FortransactionswithDs_Merchant_TransactionType=5orR(INITIALRECURRINGPAYMENT): themerchantselectronicsignatureshouldbecalculatedthus:
Page 27
If the merchant did not have an online URL notification, the Ds_Merchant_MerchantURL field shouldbeleftblank. Example
AMOUNT(Ds_Merchant_Amount)=1235(multipliedby100tocomeoutthesameastheDs_Merchant_Amount). ORDERNUMBER(Ds_Merchant_Order)=29292929 MERCHANTCODE(Ds_Merchant_MerchantCode)=201920191 CURRENCY(Ds_Merchant_Currency)=978 SECRETCODE=h2u282kMks01923kmqpo Resultingchain:123529292929201920191978h2u282kMks01923kmqpo SHA1result:c8392b7874e2994c74fa8bea3e2dff38f3913c46
(1) (2)
IsveryimportanttonoticethatisforbiddentostoretheCVV2,evenifyoureplanningtouseitin the Successive Transactions (Ds_Transaction_Type = 6 or S) coming from the recurrent transactions(5orR).ForthisreasonyoudonthavetowritetheCVV2whenyouresendingthe Successivetransaction(6orS)andwhencalculatingthesignatureofthistransaction. Example(ofconventionalsignature):
AMOUNT=1235(multipliedby100soitisequaltotheDs_Merchant_Amount). ORDERNUMBER=29292929 MERCHANTCODE=999008881 CURRENCY=978 CARDNO=4548812049400004 MERCHANTURL=http://www.sermepa.es MERCHANTSIGNATURE=h2u282kMks01923kmqpo Resultingchain:1235292929292019201919784548810000000003 SHA1result:8cbd9137533846152fc3b8921d909742e6b87f8e
For these two gateways, the same algorithm will be used to assure the merchant of the authenticityoftheresponsedataifthemerchantusesaURLnotificationsystem.
IntheRETORNOXMLdocument
-Ds_Signature=SHA1(Ds_Amount+Ds_Order+Ds_MerchantCode+Ds_Currency+Ds_Response+ Ds_CardNumber+Ds_TransactionType+Ds_SecurePayment+SECRETCODE) TheDs_CardNumberfieldwillonlyformpartofthesignatureifthecardnumberissent.Ifthecardissent withanasterisk,theDs_CardNumberfieldwillalsoformpartofthesignaturewiththevalueasterisked.
Page 28
- ListofDSAValidatedImplementations:
http://csrc.nist.gov/cryptval/shs.html
- SpecificationsoftheSecureHashStandard(SHA1): - WhatareSHAandSHA1?
http://www.rsasecurity.com/rsalabs/faq/365.html
6.5.TECHNICALINSTALLATIONSUPPORTSERVICE
CaixaCatalunyaofferstomerchantsandcompanieswhowishtoinstallaVirtualPOStheservices of its Technical Installation Support Service, which will be delightedto help with anytechnical or operationalqueriesfreeofcharge.
Times of service: WINTER: 16 September 30 June Monday - Thursday 8 am 6 pm Friday 8 am 3 pm SUMMER: 1 July 15 September Monday - Friday 8 am 3 pm.
POSsupport@ap.caixacatalunya.es
Similarly, for any incidents concerning communications, system instability or similar problems, CaixaCatalunyaoffersthe24hour365dayhelplineontel.902198747.Thistelephonewillnot helpinanyotherincidenceorquestion.
Page 29
7.1.ONLINERESPONSE
Ifthemerchantwantstoseetheresultofthepaymentsimmediatelyaftertheyhavebeenmade, therearefourresponsemechanismswhichcancoexistsimultaneously: 1.BygoingtotheAdministrationModuleviatheInternet. Youcancheck,printorexporttofilesthetransactionsmadeinthelast45days. 2.Byreceivingafilewithalistoftransactions. Thefileisgeneratedonaregularbasis(usuallyeveryday)andsenttoanemailaddress inencryptedform. 3.ByconsultingSOAP. ThisallowsthemerchanttoconsulttransactionsusingSOAPXMLtechnology. 4. Only in the gateways entradaXMLEntidad and operaciones, a XML document is returnedtothemerchantwiththeresultoftherequest. 5.ByimplementingtheOnlineResponsesolution. This means that at the same time as the cardholder receives the response to the card paymentrequest,themerchantswebsitereceivesamessagewiththesameinformation. There are two possible ways of receiving the Online Response, which can be combined, either usingbothatthesametimeoroneofthemasabackupiftheotherfails: Viaemail:receptionoftheresponsetothepaymentauthorizationrequestattheemail addressprovidedbythemerchantonregisteringfortheVirtualPOS. ViaURL:receptionoftheresponseattheURLaddressgivenonthepaymentform.This option requires a simple computer adjustment on the merchants website to facilitate receptionoftheresponseandintegrateitinthemerchantsdatabase.Thisoptionisonly valid for merchants with an active verification field installed. This is our recommended option. ToimplementtheonlineresponseviaURL,aURLaddresswhereresponsesshouldbesent will need to be given on the payment request form (Ds_Merchant_MerchantURL field). ThisURLshouldbeaCGI,Servletorsimilarinthelanguageregardedasappropriatefor themerchantsservertobeabletointerprettheresponsesentfromtheVirtualPOS.This pagewillbetransparenttotheuser(i.e.itwillnotbeloadedonthebrowser).Onit, youwillbeabletoreceiveandcompiledetailsofonlineresponsesandaddthemtoyour database. TheprotocolusedforresponsesviaURLcanbehttporhttps.The messageformatisan HTMLformsentusingthePOSTmethodwiththefieldsshowninAnnexI. Asintherequesttopayforapurchase,theonlineresponseincludesanelectronicsignaturethat guaranteestheintegrityoftheresponses. Thealgorithmwillbethesame,andtheformulaforcalculatingitis:
Digest=SHA-1(Ds_ Amount + Ds_ Order + Ds_MerchantCode + Ds_ Currency + Ds _Response + + SECRET CODE)
The connection used for notifying the online confirmation between the Virtual POS and the merchant can be SSL (see annex V). To prevent fraudulent communications, the merchant may optionallyactivateafiltertolimitthereceptionofonlineconfirmationsfromtheVirtualPOSonly.
Page 30
7.2.RECURRINGTRANSACTIONS
A recurring transaction is one where the purchase is made in instalments, for example the paymentofregularsubscriptionsordeferredpayments. CaixaCatalunyasVirtualPOSterminaliscertifiedsothatrecurringtransactionsmadewithVisaor MasterCardcardsviatheInternetwhereapositiveauthenticationhasbeenmadeofthecardholder cannotbereversedbythecardholderifhe/shethenclaimsnottohavemadethepurchase. In order to process recurring transactions you need to request authorization by means of the Virtual POS payment form, completing different fields depending on whether it is the first instalment(recurringtransaction)orsubsequentinstalments(successivetransactions): FIELD NAME Ds_Merchant_Amount Ds_Merchant_Currency Ds_Merchant_Order Ds_Merchant_MerchantCode Ds_Merchant_MerchantURL Ds_Merchant_MerchantName Ds_Merchant_ConsumerLanguage Ds_Merchant_MerchantSignature Ds_Merchant_Terminal Ds_Merchant_MerchantData Ds_Merchant_Transaction_Type Ds_Merchant_DateFrecuency Ds_Merchant_ChargeExpiryDate Ds_Merchant_SumTotal
Rec. (value 5 or R)/Suc.(value 6 or S) Recurring Recurring Recurring
Page 31
MANDATORY
Recurring/Successive Rec. /Suc. Rec. /Suc. (same value for all transactions) Rec. /Suc.
OPTIONAL
NO INFORMATION
Rec. /Suc. Rec. /Suc. Rec. /Suc. Rec. /Suc. Rec. /Suc. Rec. /Suc.
7.3.TESTENVIRONMENT
To carry out installation tests, Caixa Catalunya has enabled a test environment so the merchant canmaketransactionsinanenvironmentwhichisidenticaltotherealone,butwithoutthesales havinganyaccountingvalidity. Thecharacteristicsofthetestenvironmentaredetailedbelow: Payment URLs: GATEWAY realizarpago: https://sis-t.sermepa.es:25443/sis/realizarPago GATEWAY entradaXMLentidad: https://sis-t.sermepa.es:25443/sis/entradaXMLEntidad
GATEWAY operaciones: https://sis-t.sermepa.es:25443/sis/operaciones
Merchant code (Ds_Merchant_MerchantCode): 091358382 SECRET CODE (Ds_Merchant_MerchantSignature): qwertyasdf0123456789 Terminal numbers (Ds_Merchant_Terminal): 001 For payments in EUROS (Ds_MerchantCurrency = 978) to merchants protected by VERIFIED BY VISA and MASTERCARD SECURECODE 002 For payments in EUROS (Ds_MerchantCurrency = 978) to merchants in a NON-SECURE environment Cards accepted in the test environment: For 001 terminals (VbV and MasterCard SecureCode environments): card 4548 8120 4940 0004 (expiry date 12/05). This card has been activated to simulate a cardholder who needs to authenticate him/herself with the bank. To do so, you need to enter the ID code 123456. For 002 terminals (NON-SECURE environment), any expiry date later than the present date and earlier than 12/49 can be used:
4792-5877-6655-4414 4792-5877-6655-4422 4792-5877-6655-4430 4792-5877-6655-4448 4792-5877-6655-4455
If you want to do the tests using your own merchant identification, please to put in contactwiththeTECHNICALINSTALLATIONSUPPORTSERVICE(seesection6.5).Thetest merchant that Caixa Catalunya will provide you, it will have the same configuration that your merchant in real environment (same Merchant Id., same terminals configuration, same users to accesstotheAdministrationModule,).
Page 32
Page 33
8.1.ONLINEQUERIES
By using this service, merchants can query specific transactions regardless of whether there has been a response to them or not. The online query service offers the possibility of obtaining informationonalltransactionsthathavebeeninitiated. There are two types of queries: by transaction and by monitor. The query by transaction allows youtoobtaininformationonacertaintypeoftransaction(e.g.Authorization)relatingtoanorder, while the query by monitor gives you information on all the transaction types (e.g. Authorization andRefund)associatedwithanordernumber. Thepossiblevaluesofaquerybytransactionare: <Ds_TransactionType>=0(normalpaymenttransaction) <Ds_TransactionType>=1(unconfirmedpreauthorization) <Ds_TransactionType>=4(paymentbyreference) <Ds_TransactionType>=5(recurringpayment) <Ds_TransactionType>=7(authentication) <Ds_TransactionType>=A(traditionalpayment) The online query service is implemented with SOAPXML technology (Simple Object Access Protocol). This service offers a reliable and simple way of obtaining all the information on a specific transactionrequestedbythemerchant. Thepersonrequestingthisserviceshouldsubmitaquerywhichwillreturntheresultsofthedata requested.
8.1.a.SOAPCLIENT
C.CreateaCalltypeobjectwiththefollowingdetails:
SOAPMappingRegistry(previouslycreated) TargetObjectURI.URLofmessagingservice. Page 34
E.g. SOAPMappingRegistrysmr=newSOAPMappingRegistry()
D.InvoketheURLoftheSOAPservicewhichwillreturnaResponseobject:
E.g.: Responseresp=null resp=call.invoke(url,"") Parameterret=resp.getReturnValue() Objectvalue=ret.getValue()
ExampleofJAVASOAPclient(SERVLET)
importjava.util.* importjavax.servlet.* importjavax.servlet.http.* importjava.io.* Importjava.net.* importorg.apache.soap.* importorg.apache.soap.messaging.* importorg.apache.soap.transport.* importorg.apache.soap.util.xml.* importorg.apache.soap.encoding.* importorg.apache.soap.encoding.soapenc.* importorg.apache.soap.rpc.* publicclassSerSvlCIBERPACextendsHttpServlet { publicvoiddoPost(HttpServletRequestreq,HttpServletResponseres)throws ServletException,IOException { Stringrespuesta="" try { Stringxml_doc=req.getParameter("elXMLEnvio") respuesta=ejecutaCallRPCStyle(xml_doc) } catch(Exceptione) { e.printStackTrace() } } publicStringejecutaCallRPCStyle(Stringxml_doc)throwsServletException,IOException { Stringrespuesta="" StringencodingStyleURI=Constants.NS_URI_SOAP_ENC URLurl=newURL("http://smp3006/soap/rpcrouter") SOAPMappingRegistrysmr=newSOAPMappingRegistry() Callcall=newCall() call.setSOAPMappingRegistry(smr) call.setTargetObjectURI("urn:mensajeriaCIBERPAC") call.setMethodName("procesaMensajeRecibido") call.setEncodingStyleURI(encodingStyleURI) Vectorparams=newVector() params.addElement(newParameter("Mensaje",String.class,xml_doc,null)) call.setParams(params) Responseresp=null try { resp=call.invoke(url,"") } catch(SOAPExceptione) { e.printStackTrace() } Page 35
8.1.b.XMLSENDANDRESPONSE
This annex details how an XMLSCHEMA describes the incoming and outgoing messages of the Webservicefortransactionsqueries.
<schema targetNamespace="http://www.w3.org/namespace/" xmlns:t="http://www.w3.org/namespace/" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"attributeFormDefault="unqualified"> <elementname="Messages"> <complexType> <sequence> <elementref="t:Version"/> <elementref="t:Signature"/> </sequence> </complexType> </element> <elementname="Version"> <complexType> <sequencemaxOccurs="unbounded"> <elementref="t:Message"/> </sequence> <attributename="Ds_Version"type="string"use="required"/> </complexType> </element> <elementname="Message"> <complexType> <choice> <elementref="t:Transaction"/> <elementref="t:Monitor"/> <sequenceminOccurs="0"maxOccurs="unbounded"> <elementref="t:Response"/> </sequence> <elementref="t:ErrorMsg"/> </choice> </complexType> </element> <elementname="Transaction"> <complexType> <sequence> <elementref="t:Ds_MerchantCode"/> <elementref="t:Ds_Terminal"/> <elementref="t:Ds_Order"/> <elementref="t:Ds_TransactionType"/> <elementref="t:Ds_Merchant_Data"minOccurs="0"/> </sequence> </complexType> </element> <elementname="Monitor"> <complexType> <sequence> <elementref="t:Ds_MerchantCode"/> <elementref="t:Ds_Terminal"/> Page 36
BasedonthisXMLSCHEMA,shownbelowisanexampleofanincomingmessageandanoutgoing message. EXAMPLEOFSENDMESSAGE: <Messages> <Version Ds_Version="0.0"> <Message> <Transaction> <Ds_MerchantCode>111111111</Ds_MerchantCode> <Ds_Terminal>1</Ds_Terminal> <Ds_Order>132600</Ds_Order> <Ds_TransactionType>0</Ds_TransactionType> </Transaction> </Message> </Version> <Signature>a454dfdfdf079c9df8b871d7487drtyhj323d345</Signature> </Messages> EXAMPLEOFRESPONSEMESSAGE: <Messages> <Version Ds_Version="0.0"> <Message> <Response> <Ds_MerchantCode>111111111</Ds_MerchantCode> <Ds_Terminal>1</Ds_Terminal> <Ds_Order>132600</Ds_Order> <Ds_TransactionType>0</Ds_TransactionType> <Ds_Date>2002-06-27</Ds_Date> <Ds_Hour>13:24:43</Ds_Hour> <Ds_Amount>45</Ds_Amount>
Page 38
8.1.c.CALCULATINGTHESIGNATURE
Tocalculatethesignatureforanoutgoingmessage,thefollowingdataareused: DataofoutgoingXML+merchantsecretcode Digest=SHA-1(<version...</version> + merchant secret code) Tocalculatethesignaturefortheresponse,thefollowingdataareused: DataofresponseXML+merchantcode. Digest=SHA-1(<version...</version> + merchant code)
8.1.d.WSDLOFSERVICE
8.1.e.SOAPERRORCODES
TheSOAPtransactionqueryservicehasitsownerrorcodeswhicharedetailedbelow: ERROR XML0000 XML0001 XML0002 XML0003 XML0004 XML0005 XML0006 XML0007 XML0008 XML0009 XML0010 XML0011 XML0012 XML0013 XML0014 XML0015 DESCRIPTION VariouserrorsintheXMLStringprocessreceived ErroringeneratingtheDOMfromthedefinedXMLStringandDTD NoMessageelementintheXMLStringreceived ThetypeofMessageintheXMLStringreceivedhasanunknownorinvalidvalue intherequest NoDs_MerchantCodeelementintheXMLStringreceived TheDs_MerchantCodeelementisemptyintheXMLStringreceived ThelengthoftheDs_MerchantCodeelementiswrongintheXMLStringreceived TheDs_MerchantCodeelementdoesnothaveanumericalformatintheXML Stringreceived ThereisnoDs_TerminalelementintheXMLStringreceived TheDs_TerminalelementisemptyintheXMLStringreceived ThelengthoftheDs_TerminalelementiswrongintheXMLStringreceived TheDs_TerminalelementdoesnothaveanumericalformatintheXMLString received ThereisnoDs_OrderelementintheXMLStringreceived TheDs_OrderelementisemptyintheXMLStringreceived ThelengthoftheDs_OrderelementiswrongintheXMLStringreceived ThefirstfourpositionsoftheDs_OrderelementarenotnumericalintheXML
Page 40
8.2.SOAPSYNCHRONIZATION
Thisnewsynchronizationmethodallowsthemerchantto receivenotificationoftransactions bya SOAP service. To activate this service, the merchant needs to get in contact with the Technical SupportServiceofCaixaCatalunya. IftheSOAPsynchronizationoptionisenabledforamerchant,thismeansthattheplatformwill send notifications for Authorization, Preauthorization, Recurring Transaction and Authentication operations as SOAP requests to a service published by the merchant. For other transactions, notifications will be done synchronously in accordance with the chosen option in the merchants configurationforonlinenotifications. The unique factor of this notification is that Caixa Catalunyas payment platform waits for a response to the notification before presenting the results of the transaction to the cardholder making the purchase. If the merchant returns a response with a KO value, or there is an error duringthenotificationprocess,theplatformwillcancelthetransactionandpresentthecardholder withareceiptshowingaKOresult,i.e.theplatformconditionstheresultofthetransactiontothe responseobtainedfromthemerchantinthenotification.
Page 41
9.1.SETTLEMENTOFACCOUNTABLETRANSACTIONSFILE
This file provides information on transactions processed by the merchant which have been duly accounted forinhisfinancialaccount.Thefrequencyofthisfilecanbedaily,weeklyor monthly, although for merchants with a very high volume of transactions we particularly recommend it is sentdaily. Itshouldbenotedthatthisfiledoesnotdetailthetransactionsthathavebeenprocessedonthat day but the transactions actually settled. Usually, Caixa Catalunya settles transactions processed upto06.00onthesettlementday.Thesetimingsareapproximateasitwilldependonthevolume ofcomputerprocessesonanygivenday. The total of the transactions listed in each file will match the amount deposited daily in the merchantsfinancialaccount. Whenachargebackisrequestedbyacardholder onanyofthemerchantssales,the staffinour PAYMENT METHODS department will carry out a manual validation to check whether the claim is validornot.InthecaseswherethetransactiondoesnotmeettheregulationsofVisa,MasterCard or JCB, it will be returned to the issuing bank in the form of a representment without being chargedtothemerchantsaccount.Inothercases,itwillbechargedtothemerchant. Formerchantswhohaveaveryhighvolumeoftransactionsorwhoseofficeisalongwayfroma Caixa Catalunya branch, there is a remote management service available (via email) for requestingarepresentmentofchargebackschargedtotheiraccounts.ANNEXIIDISPUTING ACHARGEBACKshowstheprocessforthis. ThesettledtransactionsfilealsoincludeschargebacksthathavepassedtheCaixaCatalunyafilters and need to be charged to the merchant. These are identified by the field TRANSACTION TYPE (POS.71[2]=15).ThecodeforthereasonforeachChargebackisgiveninpos.178[2].
Page 42
LENGTH
2 10 10 10 168 RECORD TYPE: 10
DESCRIPTIONOFFIELD
PROCESSING DATE (DD-MM-YYYY) START DATE OF TRANSACTIONS (DD-MM-YYYY) END DATE OF TRANSACTIONS (DD-MM-YYYY) FILLER
MERCHANTHEADERRECORD INITIALPOS.
1 3 21 31 49 53 63 73 83
LENGTH
2 18 10 18 4 10 10 10 118 RECORD TYPE: 00
DESCRIPTIONOFFIELD
MERCHANTSCONTRACTNUMBER MERCHANTSCODE ASSOCIATED ACCOUNT NUMBER MERCHANTSBRANCHOFFICE PROCESSING DATE (DD-MM-YYYY) PROCESSING DATE (DD-MM-YYYY) END DATE OF TRANSACTIONS (DD-MM-YYYY) FILLER
DETAILRECORD INITIALPOS.
1 3 13 18 21 25 47 48 49 59 65
LENGTH
2 10 5 3 4 22 1 1 10 6 6 RECORD TYPE: 01
DESCRIPTIONOFFIELD
SETTLEMENT DATE (DD-MM-YYYY) REMITTANCE NUMBER INVOICE NUMBER REMITTANCE BRANCH CARD NUMBER CARD TYPE D- DEBITCARD/C- CREDIT CARD TRANSACTION DATE TRANSACTION TIME (HHMMSS) AUTHORIZATION NUMBER
Page 43
71
3 11 5 9 13 11 38 3 12 2 11 3 7
PAYMENT AMOUNT (WITH 2 DECIMALS) IN ORIGINAL CURRENCY ORIGINAL CURRENCY OF PAYMENT FILLER
TOTALMERCHANTRECORD INITIALPOS.
1 3 28 37 51
LENGTH
2 25 9 14 150 RECORD TYPE: 99 FILLER
DESCRIPTIONOFFIELD
TOTAL TRANSACTIONS TOTAL AMOUNT IN EUROS (WITH 2 DECIMALS AND +/- SIGNS) FILLER
FILETOTALRECORD INITIALPOS.
1 3 12 37 46 60
LENGTH
2 9 25 9 14 141 RECORD TYPE: 90
DESCRIPTIONOFFIELD
TOTAL NUMBER OF MERCHANTS FILLER TOTAL TRANSACTIONS TOTAL AMOUNT IN EUROS (WITH 2 DECIMALS AND +/- SIGNS) FILLER
Page 44
ShownbelowaretwolistsoneforVISAandtheotherforMasterCardshowingeachcodewitha descriptionofthereasonforthechargeback: VISA: 30 Service not provided or merchandise not received 41 Cancelled recurring transaction 53 Merchandise not as described or defective 57 Fraudulent multiple drafts 60 Copy illegible or invalid 62 Counterfeit transaction or falsification of magnetic strip 70 No verification/exception file 71 Authorization denied 72 No authorization 73 Expired card
Page 45
MASTERCARD: 01 Requested data transaction not received 02 Requested/required information illegible or missing 07 Warning bulletin file 08 Requested/required authorization not obtained 12 Account number not on file 31 Transaction amount differs 34 Duplicate processing 35 Card not valid or expired 37 No cardholder authorization 40 Fraudulent processing of transactions 41 Cancelled recurring transaction 42 Late presentment 46 Correct transaction currency code not provided 47 Exceeds floor limit Transaction fraudulent and not authorized 49 Questionable merchant activity 50 Credit posted as a purchase 53 Cardholder dispute - Merchandise defective/not as described 55 Merchandise not received 57 Card-activated telephone transaction 59 Services not provided 60 Credit not processed 63 Cardholder does not recognise. Potential fraud 4801 Requested Transaction data not received 4802 Requested/required item illegible or missing 4807 Warning bulletin File 4808 Requested/required Authorization not obtained 4812 Account number not on file 4831 Transaction amount differs 4834 Duplicate processing 4835 Card not valid or Expired 4837 No cardholder authorization 4840 Fraudulent processing of transactions 4841 Canceled recurring transaction 4842 Late presentment
Page 46
To differentiate the card type (Visa or MasterCard) you can refer to field pos. 47[2] in the settlementfile.
9.3.CONFIRMEDFRAUDFILE
ConfirmedFraudisthetoolusedbytheissuingbanktonotifythatatransactionhasbeensubject tofraud(thecardholderhasneithermadenorauthorizedthetransaction). This notification is completely independent of the existence of a previous or subsequent chargeback,orwhetherithasbeenchargedtothemerchantorarepresentmentissued.Thisisa method for notifying that a transaction has not been made by the cardholder so that VISA/MASTERCARD can identify which merchants are processing a high number of fraudulent transactions. A high number of Confirmed Frauds is an indicator that the merchant is either carrying out a fraudulent activity or is experiencing an attack by illegal buyers and has not put the necessary mechanisms in place to reduce this. If the level is very much higher than permitted, or if it happensoverseveralconsecutivemonths,thecardcompaniesmaydemandthecancellationofthe contractwiththatestablishmentand,onoccasions,mayevenheavilypenalizetheestablishment. The maximum permitted level of Confirmed Fraud is regarded as three times the average confirmedfraudindexforEuropeanmerchants.Atpresent,theEuropeanfraudaverageisaround 0.3% of monthly turnover. Therefore, any merchant whose monthly Confirmed Fraud figure exceeds0.9%willbeabovethepermittedlevel. AsinthecaseofChargebacks,CaixaCatalunyasendsadailyfileofConfirmedFraudtransactions reportedbythedifferentcardcompanies.Thisfile,asinthepreviouscase,issolelyforinformation purposesanddoesnothaveanyaccountingvalidity.Itspurposeistoinformtheestablishmentof the cards with which fraudulent transactions are being made so that its security department can getincontactwiththeclientslisted,canceltheiraccounts,addthemtotheirblacklistsortakeany othermeasuretheydeemnecessary. TheformatisverysimilartothatoftheChargebackfile:
AN INDICATOR OF THE FILE TYPE ("FC" for Confirmed Fraud files) MERCHANT ID NUMBER (F.U.C.) DATE OF RECEIPT OF CHARGEBACK OR FRAUD REPORT CARD NUMBER AMOUNT CURRENCY TRANSACTION DATE (of the original transaction) TRANSACTION TIME (of the original transaction)
Page 47
9.4.RETRIEVALREQUESTFILE
Retrieval request is an option that the cardholder and the issuing bank can use to check the integrity of a transaction, either because the cardholder does not remember the purchase, does notrecogniseit,orforanyotherreason. Everyonewhomakesapurchase(whetherinpersonornot)usingafinancialcardhastherightto ask for documentation from the merchant to justify the payment. The maximum period for this requesttobehonoredis12monthsfromthedateofthetransaction. Thisrequestisnormallymadebecausethecardholdercannotrememberthetransaction,orwants moredetailsofit,ormaintainshehasnotmadeitandwantsarefund.Insomecasesitisbecause hecannotassociatethenameofthemerchantwiththewebsiteonwhichhemadethepurchase. Caixa Catalunya will send the merchant a daily information file showing a single block of records (withoutheadings)withthefollowingfields,separatedby: LENGTH
10 10 17 10 5 3 2 10 19 9 1 6 8 23 12
DESCRIPTIONOFFIELD
PROCESSING DATE (DD-MM-YYYY) MERCHANT IDENTIFICATOR (MID) MERCHANT NAME SETTLEMENT DATE (DD-MM-YYYY) REMITTANCE NUMBER SETTLEMENT ORDER NUMBER REQUEST ORDER TRANSACTION DATE (DD-MM-YYYY) CARD NUMBER TRANSACTION AMOUNT (999999,99) SETTLEMENT CURRENCY CODE: E (EUROS) REQUEST TYPE ENVIRONMENT REFERENCE TRANSACTION ID
This documentation can also be requested by Caixa Catalunya when it considers it necessary to eitherdefendormakearepresentmentonatransaction,andmustbeprovidedbythemerchantif he/shewishestoavoidachargeback. The merchant is obliged to present this receipt. The deadline for its presentation is 7 workingdays.
Page 48
Page 49
Page 50
Requirement
Validated by
Independent security consultant or the company itself, if signed by a representative of the company. ----By a specialist company
Therequirementsintheabovetablearemandatory.Theseare: 1SELFASSESSMENTQUESTIONNAIRE:ThisisknownastheSAQ(AISinSpain)andconsistsofa questionnaireonthemerchantscomputersystemarchitectureandhowitprocessesandstores dataoncards.ItisdoneonanANNUALbasis.CaixaCatalunyahasthequestionnaireaswellas itsinstructionsandfrequentlyaskedquestions. 2 QUARTERLY SCANS: These controls have to be done by a company certified by VISA/MASTERCARD as a Quality Security Assessor (QSA). The merchant is responsible for contracting this service from one of these companies (Caixa Catalunya can provide a list of them).ThisscanisdoneonaQUARTERLYbasis. 3 SECURITY AUDIT: This is an IN SITU audit which must be done by a company certified by VISA/MASTERCARDasaQualitySecurityAssessor(QSA),whichwillassessthesecurityofthe computer systems involved in processing card data (Hardware, Software and Netware). The merchant is responsible for contracting this service from one of these companies (Caixa Catalunyacanprovidealistofthem).ThisauditisdoneonanANNUALbasis.
Page 51
FIELD NAME
Ds_Merchant_Amount
LENGTH
12 N
COMMENTS
Mandatory. The last two positions are regarded as decimals except for yen. Mandatory. 978 Euros 840 Dollars 826 Pounds 392 Yen TheresanagreementbetweenSpanishbankswhere its said that Spanish cards that want to process in Spanish merchants, the only available currency it is Euros. Mandatory. The first 4 digits must be numerical; the remaining digits should only use the following ASCII characters: from 30 = 0 to 39 = 9 from 65 = A to 90 = Z from 97 = a to 122 = z The code must be different from previous transactions. This field will be shown to the cardholder on the purchase confirmation page. This field will be shown to the cardholder on the purchase confirmation page. Mandatory. Fixed code assigned by Caixa Catalunya. Mandatory if the merchant wants online notification. ThemerchantsURLwhichwillreceiveaPOSTwith the transaction details. Optional. If sent, it will be used as URLOK, ignoring what has been configured in the Administration Module, if applicable. Optional. If sent, it will be used as URLKO, ignoring what has been configured in the Administration Module, if applicable. Optional. This will be the name that appears on the clients payment page, if there is one. Optional. 0 Client 1 Spanish 2 English 3 Catalan 4 French 5 German 6 Dutch 7 Italian Mandatory. See section 6.4. Mandatory. Optional. Optional information from the merchant to be sent in 8 Swedish 9 Portuguese 10 Valencian 11 Polish 12 Galician 13 Basque
Currency
Ds_Merchant_Currency
4N
Order code
Ds_Merchant_Order
min. 4N max.12 AN
Product description Name and surname/s of cardholder Merchant ID code FUC URL
Ds_Merchant_ProductDescription
Max.125 AN
Ds_Merchant_Titular
Max. 60 AN
Ds_Merchant_MerchantCode Ds_Merchant_MerchantURL
9N 250 AN
URLOK
Ds_Merchant_UrlOK
250 AN
URLKO
Ds_Merchant_UrlKO
250 AN
Merchantsname
Ds_Merchant_MerchantName
25 AN
Cardholders language
Ds_Merchant_ConsumerLanguage
3N
Ds_Merchant_MerchantSignature
40 AN
Ds_Merchant_Terminal
3N
Details of merchant
Ds_Merchant_MerchantData
1024 AN Page 52
COMMENTS
the online response (via URL or e-mail). Optional(bydefaultequalto0). 0 Standard payment (realizarpagoand entradaXMLEntidadgateways) A StandardPayment(onlyoperacionesgateway) 1 Pre-authorization (authorized merchants only) 2 Confirmation of pre-authorization 3 Partial or total refund 5 Recurring transaction 6 Successive transactions 7 Authentication 8 Confirmation of authentication 9 Cancellation of pre-authorization O-Deferred Pre-authorization P-Confirmation of Deferred Preauthorization Q-Cancellation of Deferred Pre-authorization R-Deferred Recurring Pre-authorization S-Confirmation of Deferred Recurring Preauthorization / Successive of Deferred Recurring Pre-authorization GATEWAY operaciones only allows the followingtypes:1,2,3,6,8,9,O,P,Q,R,S,A
Type of transaction
Ds_Merchant_TransactionType
1N
Total Amount
Ds_Merchant_SumTotal
12 N
MandatoryifTransactiontype5 This represents the sum total of the instalment amounts. The last two positions are decimals. (see 7.2) MandatoryofTransactiontype5 This gives the minimum interval in days between the instalment charges of a recurring payment (see 7.2) MandatoryifTransactiontype5 Date of the final instalment of a recurring payment (see 7.2) Format: YYYY-MM-DD Optional. This is the authorization code necessary to identify recurring/successive transactions in the case of refunds. Optional. Format YYYY-MM-DD. It represents the date of the successive recurring transaction, necessary to identify the transaction in the refunds of successive recurring transactions. Mandatory for the refunds of recurring transactions.
Ds_Merchant_DateFrecuency
3N
Ds_Merchant_ChargeExpiryDate
10 AN
Authorization code
Ds_Merchant_AuthorisationCode
6N
Ds_Merchant_TransactionDate
10 AN
Described below are the fields relating to the card details, given thepossibility thatthey may be captured by the merchant. These new fields will only have to be sent by merchants who capture the data on the card themselves (you should remember that this entails complying with the requirementsofthePCIDSSsecurityprogrammeexplainedinsection11ofthismanual). DATA
Card number Expiry date CVV2
(*)
FIELD NAME
<Ds_Merchant_Pan> <Ds_Merchant_ExpiryDate> <Ds_Merchant_CVV2>
LENGTH/TYPE
COMMENTS
Card number (*). This has the YYMM format (*). CVV2/CVC2 code on the card sent (*)
Thetransactiontypes2/3/6/8/9/P/Q/Sdonotrequirethatthecardnumber,expirydateandCVV2 was informed. In these cases the order (Ds_Merchant_Order) has to be the same that the original transaction. Page 53
COMMENTS
Version of the message. Not available for gateway RealizarPago. Format 1.xxxxxxxx where xxxxxxxx is the Merchant Code. Date of transaction (DD-MM-YYYY). Only available in gateway RealizarPago. Time of transaction (HH:MM). Only available in gateway RealizarPago. Same amount as request. Same as request. Four is regarded as the maximum length. Same as request. Same as request. Same as request. Three is regarded as the maximum length. Mandatory. See section 6.4. See ANNEX II Optional information sent by merchant in the payment form 0 if the payment is NOT secure 1 if the payment is secure
Date Time Amount Currency Order no. Merchant code Terminal no. Merchants signature Response code Merchant data
<Ds_Date> <Ds_Hour> <Ds_Amount> <Ds_Currency> <Ds_Order> <Ds_MerchantCode> <Ds_Terminal> <Ds_Signature> <Ds_Response> Ds_Merchant_MerchantData
Secure Payment
<Ds_SecurePayment>
1N
Note: in the case of pre-authorizationsonly,a0isreturnedif it is authorized and the cardholder has been authenticated with his/herbank,anda1ifitisauthorizedbutthecardholderhas not been authenticated with the issuer bank. Type of transaction sent in the payment form Card number sent in the payment form. This is returned masked. Not available for gatewayRealizarPago. The expiry date on the card sent in the payment form. Not available for gatewayRealizarPago. Country of issue of the card used for the payment. See ANNEX IV. Alphanumerical code of the authorization given by the card issuer or the Authorization Centre to which it has delegated this service. Value 0 indicates that the language of the client has not been determined(optional).OnlyingatewayRealizarPago. Two possible values: C Credit D Debit
Transaction type Card number Expiry date Card country Authorization code Language of Cardholder Type of Card
<Ds_AuthorisationCode>
6N
<Ds_ConsumerLanguage> <Ds_Card_Type>
3N 1 AN
Page 54
001
167
180
181 - 182
184
AUTHENTICATION ERROR
RESPONSE CODES INDICATING THAT THE TRANSACTION HAS BEEN DECLINED AND, FURTHERMORE, THE CARD ISSUER BELIEVES THE CARD IS POSSIBLY BEING USED FRAUDULENTLY AND ASKS THE MERCHANT TO PHYSICALLY WITHHOLD IT OR ACTIVATE IT VIRTUALLY ON A BLACKLIST
CODE BRIEF DESCRIPTION COMMENTS Transaction declined because the expiry date on the card used for payment has already passed. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. Card blocked temporarily by the card issuer or suspected of being used fraudulently. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. This transaction is not permitted for this type of card. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. The card issuer does not permit automatic authorization. You need to contact the authorization centre by telephone for approval. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. Card blocked by the card issuer because the cardholder has reported it as being lost or stolen. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. Exclusive code for transactions where the 3-digit CVV2 (Visa) or CVC2 (MasterCard) number on the back of the card has been requested. ----The CVV2/CVC2 given by the buyer is wrong. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist. Transaction declined by the card issuer with no explanation given as to the reason. ----In addition, the card issuer believes the card is possibly being used fraudulently and asks for the card to physically withheld or activated virtually on a blacklist.
201
CARD EXPIRED
202
204
207
208 - 209
280
CVV2/CVC2 ERROR
290
Page 56
481
RESPONSE CODES RELATING TO RECONCILIATIONS OF DEFERRED PRE-AUTHORIZATIONS OR RECURRING DEFERRED PRE-AUTHORIZATIONS (Ds_Merchant_TransactionTypes = O or R)
CODE 9928 BRIEF DESCRIPTION CANCELLATION OF DEFERRED PREAUTHORIZATIONS DONE BY THE SYSTEM CANCELLATION OF DEFERRED PREAUTHORIZATIONS DONE BY THE MERCHANT COMMENTS The system has cancelled the Deferred Preauthorization after 72 hours. The cancellation of the Deferred Preauthorization has been accepted.
9929
ResponsecodessentbytheCAIXACATALUNYApaymentplatform:
RESPONSE CODES INDICATING THAT THE TRANSACTION HAS BEEN DECLINED BY THE CAIXA CATALUNYA PAYMENT PLATFORM
CODE 904 909 912 913 916 928 940 BRIEF DESCRIPTION MERCHANT NOT REGISTERED AT FUC SYSTEM ERROR ISSUER NOT AVAILABLE DUPLICATE TRANSMISSION AMOUNT TOO LOW TIME-OUT EXCEEDED TRANSACTION CANCELLED PREVIOUSLY AUTHORIZATION OPERATION ALREADY CANCELLED BY A PREVIOUS CANCELLATION COMMENTS There is a problem in the configuration of the MID (Merchant Identification). Contact Caixa Catalunya to solve. Error in the stability of the Caixa Catalunya payment platform or the Visa or MasterCard exchange systems. The authorization centre of the card issuer is not operational at this particular time. A transaction has recently been processed with the same order number (Ds_Merchant_Order). Itsnotacceptedtooperatewith this amount. The card issuer has not responded to the authorization request within the pre-established time-out. A cancellation or partial reversal is being requested for a transaction that has already been cancelled. A request to confirm a transaction is being made with an order number (Ds_Merchant_Order) which corresponds to a transaction that has already been cancelled. Page 57
941
943
947 949 950 9064 9078 9093 9218 9253 9256 9257 9261 9912 9913 9914 9928 9929
Other response codes different from the previous list can be shown starting with 9 (9xxx). To knowtheresponsereasonitwouldbenecessarytofindthecodewithoutthefirst9andtoloockof thexxxcodeinthepreviouslist.
Page 58
FIELD AFFECTED
Ds_Merchant_MerchantCode Ds_Merchant_MerchantCode Ds_Merchant_Terminal Ds_Merchant_Terminal Ds_Merchant_Order Ds_Merchant_Currency Ds_Merchant_Currency Ds_Merchant_Amount Ds_Merchant_Amount Ds_Merchant_Signature Ds_Merchant_Signature Ds_TransactionType Ds_TransactionType Ds_ConsumerLanguage Ds_ConsumerLanguage Ds_Merchant_MerchantCode Ds_Merchant_Currency Ds_Merchant_MerchantCode Ds_Merchant_TransactionType Ds_Merchant_Signature Ds_Merchant_Order Ds_Merchant_Order Ds_Merchant_Order
REASON
ErrorondismantlingentryXML Fieldismissing Formaterror Fieldismissing Formaterror Formaterror Fieldismissing Formaterror Fieldismissing Formaterror Fieldismissing Nodatainfield Formaterror Unknownvalue Valuehigherthan3digits Formaterror Merchant/terminal notexist sent
MESSAGE
MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008 MSG0008
does MSG0008 MSG0008 MSG0008 MSG0000 MSG0008 MSG0008 MSG0008 MSG0002 MSG0001 MSG0008 MSG0008
Currency does not coincide with theoneassignedtothisterminal Merchant/Terminal is no longer registered Methodofpaymentnotdefined Merchant/Terminal has methodofpaymentassigned Error in algorithm calculating no
HASH
Errorduringonlinenotification The card BIN has not yet been cleared Repeatedordernumber There is no transaction on which tomakearefund Theres more than one payment withthatDs_Merchant_Order
Page 59
FIELD AFFECTED
Ds_Merchant_Order Ds_Merchant_Amount Ds_Merchant_Order
REASON
The transaction you wish to refundisnotauthorized The amount to be refunded is higherthanpermitted Inconsistent data in validating a confirmation The transaction you wish to confirmdoesnotexist There is already a confirmation associated with this pre authorization Thepreauthorizationyouwantto confirmisnotauthorized The amount to be confirmed exceedsthepermittedamount Errorincardnumber
MESSAGE
MSG0008 MSG0008 MSG0008 MSG0008
SIS0060
Ds_Merchant_Order
MSG0008
SIS0061 SIS0062 SIS0063 SIS0064 SIS0065 SIS0066 SIS0067 SIS0068 SIS0069 SIS0070 SIS0071 SIS0072 SIS0074 SIS0075 SIS0076 SIS0078 SIS0089 SIS0092 SIS0093 SIS0094 SIS0112 SIS0114 SIS0115
Ds_Merchant_Order Ds_Merchant_Amount
MSG0008 MSG0008
MSG0008
Errorincardexpirydate
MSG0008
Cardexpired Transactioncannotbecancelled Fieldismissing The value has fewer than 4 positionsormorethan12 Thevalueisnotnumerical Unknownvalue Thevaluehasnot4positions Valuenotaccepted Card cannot be found in range table
MSG0000 MSG0000 MSG0008 MSG0008 MSG0008 MSG0005 MSG0008 MSG0008 MSG0006 MSG0004 MSG0008 MSG0000 MSG0008
Ds_TransactionType Ds_Merchant_Order
Card has not been authenticated as3DSecure Valuenotpermitted A GET has been called instead of aPOST There is no transaction on which topaytheinstalment The transaction on which you want to pay an instalment is not valid The transaction on which you want to pay an instalment is not authorized
Page 60
SIS0116
Ds_Merchant_Order
MSG0008
SIS0117
Ds_Merchant_Order
MSG0008
MESSAGE
SIS0118
Ds_Merchant_Amount
MSG0008
SIS0123
MSG0008
SIS0124
Ds_Merchant_DateFrecuency
MSG0008
SIS0132
MSG0008
SIS0133
MSG0008
SIS0199
MSG0008
SIS0200
MSG0008
SIS0219
MSG0008
SIS0220 SIS0221
MSG0008 MSG0008
FIELD AFFECTED
REASON
There is already a cancellation associated with the pre authorization Thepreauthorizationyouwantto cancelhasnotbeenauthorized The merchant does not accept cancellations as there is no extendedsignature There is no transaction available tobecancelled Inconsistentdatainthevalidation ofacancellation Invalidvalue There is no code forthedeferred paymentrequest The merchant does not allow the cardtobesent The cards checkdigit does not matchup ThenumberoftransactionsperIP exceeds the maximum permitted forthismerchant The cumulative IP amount exceeds the limit permitted for thismerchant The merchant cannot do pre authorizations The card does not allow pre authorizations Inconsistentconfirmationdetails The transaction exceeds an operating limit established by CaixaCatalunya TransactionTypenotactivatedfor thismerchant Unknown transaction Type or not allowedforthisgateway
MESSAGE
MSG0008
SIS0223
MSG0008
SIS0224
MSG0008
Ds_Merchant_TransactionDate
SIS0254
MSG0008
SIS0255
MSG0008
SIS0270 SIS0274
Ds_Merchant_TransactionType Ds_Merchant_TransactionType
MSG0008 MSG0008
Page 62
CODE MSG0000 MSG0001 MSG0002 MSG0003 MSG0004 MSG0005 MSG0006 MSG0007 MSG0008 Ordernumberrepeated
Page 63
Page 64
Page 65
Duetotheheydaythatinthelasttimeshashadtheelectroniccommerce,merchantsandService providers have turned out to be forced to guarantee the safety of the transactions by Internet using strong mechanisms that contribute authentication of (at least) one of the ends, and the confidentialityandintegrityoftheinterchangedinformation. ItisthiscontextwherethereappeartheprotocolsSSLandTLS.
The server's certificate SSL of the merchant must be expressed by a public recognized CA. Autosignedcertificatesarenotaccepted. Thecertificateslistedbelowhavebeentestedinoursystemandworkcorrectly.Thesecertificates ofCAareloadedinthecontainersofcertificatesofconfidenceofourapplications. IncasethemerchantwantstomakeuseofacertificateexpressedbyapublicrecognizedCAthat is not in the list, it will have to get in touch with Caixa de Catalunya to verify his validity and interoperabilitywiththedifferentapplications. In case the CA is accepted, it will be loaded in the applications and will be included in this documentandthemerchantwillbeinformedoftheacceptance. In case it should not be accepted the merchant will be informed so that it should obtain one expressedbythelist. TheaveragenecessarytimetoanalyzethevalidityornotofaCAforrequestofamerchantitwill be2weeks.
SERIALNUMBER
70BAE41D10D92934 B638CA7B03CCBABF
CADUCITY
02/08/2028
R2
Cybertrust
01A5
14/08/2018
R3
Usertrust
44BE0C8B500024B4 11D3362AFE650AFD
09/06/2019
R4 R5
Geotrust/Equifax Valicert
01
21/06/2020 26/06/2019
01
R6
Thawte
01
01/01/2021
R7
Thawte
01
01/01/2021
Page 66
SERIALNUMBER
CADUCITY
R8 R9
Verisign IPSCA
OU=SecureServerCertificationAuthority O=RSADataSecurity,Inc. C=US E=ips@mail.ips.es CN=IPSSERVIDORES OU=Certificaciones O=IPSSeguridadCA L=BARCELONA S=BARCELONA C=ES CN=ECACC OU=JerarquiaEntitatsdeCertificacioCatalanes OU=Vegeuhttps://www.catcert.net/verarrel (c)03 OU=ServeisPublicsdeCertificacio O=AgenciaCatalanadeCertificacio(NIFQ 0801176I) C=ES OU=FNMTClase2CA O=FNMT C=ES OU=EquifaxSecureCertificateAuthority O=Equifax C=US CN=AddTrustExternalCARoot OU=AddTrustExternalTTPNetwork O=AddTrustAB
02AD667E4E45FE5E 576F3C98195EDDC0 00
08/01/2010 30/12/2009
R10
AgenciaCatalanade Certificacin
EE2B3DEBD421DE14 A862AC04F3DDC401
08/01/2031
36F11B19
35DEF4CF
01
IntermediatesCAs
ID I1 COMPANY ACE/Verisign SUBJECT
I1OU=www.verisign.com/CPSIncorp.byRef. LIABILITYLTD.(c)97VeriSign OU=VeriSignInternationalServerCA Class3 OU=VeriSign,Inc. O=VeriSignTrustNetwork CN=ComodoClass3SecurityServicesCA OU=(c)2002ComodoLimited OU=TermsandConditionsofuse: http://www.comodo.net/repository OU=ComodoTrustNetwork O=ComodoLimited C=GB CN=DigiSignCADigiSSLXp OU=TermsandConditionsofuse: http://www.digisign.com/repository O=DigiSignLimited L=Dublin S=Dublin C=IE E=practices@starfieldtech.com CN=StarfieldSecureCertificationAuthority OU= http://www.starfieldtech.com/repository O=StarfieldTechnologies,Inc. L=Scottsdale S=Arizona C=US CN=ThawteSSLDomainCA O=ThawteConsulting(Pty)Ltd. C=ZA CN=VeriSignClass3SecureServerCA OU=Termsofuseat https://www.verisign.com/rpa(c)05 OU=VeriSignTrustNetwork O=VeriSign,Inc. C=US E=ips@mail.ips.es CN=CLASEB3ipsCAIPSSeguridad2005 OU=Certificaciones O=IPSSeguridadCA L=Barcelona S=Barcelona C=ES
ISSUER
R1
SERIALNUMBER
254B8A853842CCE3 58F8C5DDAE226EA4 78EE48DE185B2071 C9C9C3B51D7BDDC1 0200029A
CADUCITY
25/10/2011
I2
Comodo
R2
28/08/2008
I3
Digisign
R3
0B41F1C471626DD1 D35542AFC562BBCB
09/06/2019
I4
Starfield Technologies
R5
0104
09/06/2024
I5 I6
Thawte
R7
ACE/Verisign
R1
19/01/2015
I7
IPSCA
R9
009033
31/12/2009
Page 67
SUBJECT
CN=ECAL OU=AdministracionsLocalsdeCatalunya OU=Vegeu https://www.catcert.net/verCIC2(c)03 OU=ServeisPublicsdeCertificacioECV2 L=PassatgedelaConcepcio1108008 Barcelona O=AgenciaCatalanadeCertificacio(NIFQ 0801176I) C=ES CN=UTNUSERFirstHardware OU=http://www.usertrust.com O=TheUSERTRUSTNetwork L=SaltLakeCity S=UT C=US
ISSUER
R10
SERIALNUMBER
3D97D3930439622A 3E1C4DA6BED1730E
CADUCITY
08/01/2019
I9
UserTrust
R13
26211BF52AEB51B0 0BFS9FDD8D36DA9E
30/05/2020
URLofthecompanieslistedabove: COMPANY URL ACE/Verisign http://www.ace.es Comodo http://www.comodogroup.com/index.html DigiSign http://www.digisign.com Geotrust/Equifax http://www.quickssl.com StarfieldTechnologies http://www.starfieldtech.com Thawte http://www.thawte.com IPSCA http://www.ipsca.com AgenciaCatalanade http://www.catcert.net Certificacin CyberTrust http://www.cybertrust.com
Page 68
Page 69
Page 70
Page 71