DalPay Internet Billing. Checkout Integration Guide Recurring Billing

Transcription

1 DalPay Internet Billing Checkout Integration Guide Recurring Billing Version 1.3 Last revision: 01/07/2011 Page 1 of 16

2 Version 1.3 Last revision: 01/07/2011 Page 2 of 16

3 REVISION HISTORY 4 INTRODUCTION 5 AN IMPORTANT NOTE REGARDING 3-D SECURE AND RECURRING PAYMENTS 6 WHAT THE CUSTOMER SEES 7 Step 3a: DalPay Checkout with Monthly Rebilling 7 Step 3b: DalPay Checkout with Monthly Rebilling After Three Days 8 Step 3c: DalPay Checkout with Monthly Rebilling After Three Days Rebilled Monthly Five Times 9 GETTING STARTED IMPLEMENTATION NOTES 10 REBILLINGS INITIALLY BLOCKED 10 TRANSACTION POST API 11 Transaction Post API input parameters for rebillings 11 Example Monthly Rebilling 12 Example Monthly Rebilling After Three Days 12 Example Monthly Rebilling After Three Days Rebilled Monthly Five Times 12 REBILLING API 13 Rebilling API input parameters 13 Rebilling API response parameters 14 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE 15 What Must Never Be Stored 15 DalPay Checkout and Compliance 16 FIGURE 1: Extract from the PCI DSS Version Version 1.3 Last revision: 01/07/2011 Page 3 of 16

4 Revision History Version Date Change Notice Pages Remarks Released Affected 1.0 July 1, 2007 First release All PCI DSS 1.1 applies 1.1 July 1, 2009 Screen shot changes p. 6, PCI DSS 1.2 applies Figure Jan 1, 2010 Screen shot changes p. 6-8 PCI DSS applies 1.3 July 1, 2011 Screen shot changes p. 6-8, Figure 1 PCI DSS 2.0 applies The latest version of this document can be downloaded here: n_guide.pdf Version 1.3 Last revision: 01/07/2011 Page 4 of 16

5 Introduction This integration guide describes the recurring billing features of DalPay Checkout, DalPay s hosted payment page integration method for payment card or bank epayment transactions. It should be read in conjunction with the latest version of the DalPay Checkout Integration Guide which can be downloaded here: DalPay Checkout's pre-authorized automatic recurring billing system (sometimes known as a rebilling, recurring payment transaction, or in the United Kingdom as a continuous authority transaction) provides a customer friendly way for a merchant to charge a customer's credit or debit card, or bank account, at card association approved intervals. DalPay Checkout does not require merchants to collect, transmit or store sensitive cardholder or bank account information to process transactions. DalPay Checkout is equivalent to Authorize.net s SIM (Server Integration Method) or Simple Checkout. For our solution equivalent to Authorize.net s AIM (Advanced Integration Method) see the DalPay Direct Integration Guide. Version 1.3 Last revision: 01/07/2011 Page 5 of 16

6 An Important Note Regarding 3-D Secure and Recurring Payments Recurring payments do not generally receive chargeback protection, even if the initial transaction was 3-D Secure* authenticated. The same is true for bank epayment transfers initially authenticated by Transaction Authentication Number (TAN) but that are subsequently put through as a recurring transaction via SEPA direct debit. Further, payment card rebillings are sent on a terminal without the Card Security Code (CVC2/CVC2/CID) but with a Recurring Payment Indicator. Recurring transactions are Address Verification Service/System (AVS) checked. Installment Transactions also do not receive 3-D Secure protection, even if the Installment Payment Data field has been passed. (TIP: Installment transactions are often confused with recurring transactions. An installment transaction is a single purchase of goods and services billed to a payment card account in multiple segments, over a period of time agreed between the cardholder and merchant. The distinction between the two transactions is that, a recurring transaction is payment for goods or services that are received over time, however, an installment transaction represents a single purchase, with payment occurring on a schedule agreed by a cardholder and merchant.) *Verified by Visa, MasterCard SecureCode, JCB J/Secure or AMEX SafeKey. Version 1.3 Last revision: 01/07/2011 Page 6 of 16

7 What the Customer Sees You can view larger versions of these co-brandable screens here: Step 3a: DalPay Checkout with Monthly Rebilling Version 1.3 Last revision: 01/07/2011 Page 7 of 16

8 Step 3b: DalPay Checkout with Monthly Rebilling After Three Days TIP: POST customer contact and address information to DalPay for single page checkout. (See the DalPay Checkout Integration Guide.) Version 1.3 Last revision: 01/07/2011 Page 8 of 16

9 Step 3c: DalPay Checkout with Monthly Rebilling After Three Days Rebilled Monthly Five Times TIP: POST customer contact and address information to DalPay for single page checkout. (See the DalPay Checkout Integration Guide.) Version 1.3 Last revision: 01/07/2011 Page 9 of 16

10 Getting Started Implementation Notes TIP: You must charge the customer's card 'now' and in the same transaction POST setup the recurring billing. DalPay Checkout s Pre-authorized Recurring Billing and Rebilling API is equivalent to PayPal s Payflow Link Recurring Billing, WorldPay s FuturePay, Moneybooker s Merchant Query Interface, or Authorize.net s Automated Recurring Billing (ARB). You can start, stop, and change the amount of a rebilling either from the customer s Recurring Billing Profile under rebillings in the Merchant Menu, or via the Rebilling API (see p. 13). If you wish to automatically refund transactions via API please contact DalPay Support for guidance. To receive notification of transaction status changes to a listening script on your server, including accepted/declined rebillings, and other exceptions, please refer to the Merchant Server Notifications Integration Guide. Cardholders should be routinely notified of the amount of the recurring payment to be charged, at least 10 days in advance. The advance notification should include the amount to be charged, and alert the cardholder if the transaction amount exceeds the expected initial pre-authorized amount. (See also the notes related to the Rebilling API on p. 13.) Please note that negative option recurring billing is expressly prohibited. Rebillings Initially Blocked When issued a fresh DalPay account, rebillings may be initially blocked. Contact DalPay Support to unblock rebillings and/or to raise the maximum rebilling amount per transaction. (TIP: Can be different from the maximum order amount for the order page.) Version 1.3 Last revision: 01/07/2011 Page 10 of 16

11 Transaction Post API To setup an ongoing DalPay Checkout recurring billing transaction, the following HTTP name/value pairs should be HTTP posted to our gateway web service under SSL in addition to the one-off transaction fields. Post in the one-off variables (item1_desc, item1_price, item1_qty, etc.) AND at least the recurring rebill_type, and rebill_desc value pairs as well, so that both the 'now' charge and future recurring charge are initiated. There can be a different amount for the 'now' charge and the future recurring charge. QUICK TIP: Input should be percent encoded and correctly escaped (using htmlentities encoding for example). Default character encoding is UTF-8 but legacy encoding can be set per pageid as needed. Legacy encodings are stored internally as UTF-8. Transaction Post API input parameters for rebillings Name Type Size Min- Max Example Value Rebilling Fields {{one-off charge variables}} rebill_type TEXT 1-20 monthly OR quarterly OR sixmonthly OR yearly Notes Please refer to the DalPay Checkout Integration Guide. Rebilling every month for Rebilling every quarter for Rebilling every half year for Rebilling every year for rebill_desc TEXT With rebill after parameter monthly OR quarterly OR sixmonthly OR yearly Premium Membership (Monthly) Rebilling every month for after initial 3 days. Rebilling every quarter for after initial 10 days. Rebilling every half year for after initial 10 days. Rebilling every year for after initial 3 days. Rebilling line item description. (Used as item description at time of rebilling.) rebill_count* TEXT Number of times to rebill. Fields marked with * in the table above are optional. Version 1.3 Last revision: 01/07/2011 Page 11 of 16

12 Example Monthly Rebilling isa&cust_name=ms Secretary&cust_address1=100 Jump Street&cust_city=Some d&cust_phone= &num_items=1&item1_desc=First Charge (Now)&item1_price=1.00&item1_qty=1&rebill_type=monthly-10.99&rebill_desc=Premium Membership (Monthly) Example Monthly Rebilling After Three Days isa&cust_name=ms Secretary&cust_address1=100 Jump Street&cust_city=Some d&cust_phone= &num_items=1&item1_desc=First Charge (Now)&item1_price=1.00&item1_qty=1&rebill_type=monthly &rebill_desc=Premium Membership (Monthly) Example Monthly Rebilling After Three Days Rebilled Monthly Five Times isa&cust_name=ms Secretary&cust_address1=100 Jump Street&cust_city=Some d&cust_phone= &num_items=1&item1_desc=First Charge (Now)&item1_price=1.00&item1_qty=1&rebill_type=monthly &rebill_desc=Premium Membership (Monthly)&rebill_count=5 Version 1.3 Last revision: 01/07/2011 Page 12 of 16

13 Rebilling API To stop, restart, or change the amount for existing rebilling transactions, the following parameters should be HTTP posted to our gateway web service under SSL. TIP: This feature must be enabled, and the rebilling API password issued, by DalPay Support per merchant account. The amount may be varied using rebill.changeamount only with the preauthorized consent of the customer. The right of the merchant/supplier to vary the amount must be explicitly and clearly stated in your terms and conditions. The customer must check a confirmation checkbox confirming their consent (with clear link to your terms and conditions) at the time they trigger any change in rebilling amount from your site s control panel; for example in opting to receive additional services, or an upgraded service plan. You must provide a feature for the customer to lookup the details of the services invoiced for in their account login at your website. An itemized receipt every billing period must also be sent containing clear details of what was charged for, unless they explicitly opt out of receiving the notification. Web service Location: Rebilling API input parameters Name Type Example Value Notes merchantid TEXT Your 6 digit merchant number. password TEXT rftht5y2 As directed by DalPay. action TEXT rebill.stop, rebill.start, rebill.changeamount Stop existing rebilling, restart existing inactive rebilling, change amount to be rebilled in next period for specified order number. ordernumber TEXT DalPay order number. amount TEXT New rebill amount (only for action rebill.changeamount). Version 1.3 Last revision: 01/07/2011 Page 13 of 16

14 Rebilling API response parameters Name Type Example Value Notes response_code TEXT 000, 001, 002, 003, 004, 005, 100, 101, 300, 301, 302, , 400 or = success, 001 = unknown or invalid MerchantID, 002 = password incorrect, 003 = service has not been enabled for this merchant, 004 = missing or invalid action parameter, 005 = this IP is not in the allowed list (IP=$remote), 100 = invalid or unknown order number, 101= no rebilling was found for this order number, 300 = rebilling already stopped, 301 = rebilling already started, 302 = invalid amount passed (only for action rebill.changeamount), 303 = on demand rebilling is only allowed for rebillings that are NOT active, 304 = on demand rebilling is not allowed more than once each day, 400 = please use this script only through a secure server (https), 600 = error contact support. response_text TEXT Success, Unknown or invalid MerchantID, Descriptive text for the response code. Will repeat for each response as necessary. Version 1.3 Last revision: 01/07/2011 Page 14 of 16

15 Payment Card Industry Data Security Standard Compliance DalPay operates its own PCI DSS Level 1 certified platform (the highest level of payment service provider compliance) as gateway and front-end processor. What Must Never Be Stored Please note that under the Payment Card Industry Data Security Standard (PCI DSS), Cardholder Data must be stored encrypted and Sensitive Authentication Data must NOT be stored. At the time of writing, Cardholder Data in the context of Card-Not-Present transactions is defined as Primary Account Number (PAN) AKA card number, Cardholder Name, and Expiration Date. Sensitive Authorization Data in the context of Card-Not-Present transactions is defined as the CVV2/CVC2/CID/CAV2 (the three digit or four digit Card Security Code): You must never store the CVV2/CVC2/CID/CAV2, and it is prohibited to store the full Primary Account Number yourself if you are posting transactions to the DalPay Gateway via either DalPay Checkout, as DalPay performs PCI DSS compliant storage of this sensitive information. Storage of a truncated card number (i.e. the first 6 and last 4 digits of the card number only) is permitted if it is based on the DalPay Checkout Instant Silent Post, or DalPay Merchant Server Notification response fields. If a merchant collects customer information via mail order or telephone order and is authorized to use the DalPay Virtual Terminal feature via the DalPay Merchant Menu to self-key the transaction then the merchant must at a minimum have returned to the DalPay Risk Department a Payment Card Industry Data Security Standard Self-Assessment Questionnaire A or C-VT and Attestation of Compliance, including attestation that they do not store the CVV2/CVC2/CID/CAV2 after authorization by the issuing bank or stand-in processor, on any media, including on any paper form. Version 1.3 Last revision: 01/07/2011 Page 15 of 16

16 DalPay Checkout and Compliance Using DalPay Checkout may simplify compliance with the Payment Card Industry Data Security Standard (PCI-DSS), and Payment Application Data Security Standard (PA-DSS) if a third-party shopping cart is used*. This however is only true if you DO NOT collect, transmit or store sensitive cardholder or bank account information. Your shopping cart must be configured NOT TO collect or store any cardholder data (i.e. name on card, card number, expiry date, card security code, 3-D Secure password, or PIN) or bank account information, instead being configured to redirect to DalPay Checkout when it is time for customers to enter their payment card or bank account information. Your operating jurisdiction may require specific protection of other cardholder or transaction data as well, or proper disclosure of your company's practices if consumer-related personal data is being collected during the course of business. (In Iceland for example DalPay is subject to, and compliant with the requirements of Act no. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data.) *Please consult a Qualified Security Assessor regarding PCI DSS and PA-DSS compliance. FIGURE 1: Extract from the PCI DSS Version Version 1.3 Last revision: 01/07/2011 Page 16 of 16