DalPay Internet Billing. Technical Integration Overview

Transcription

1 DalPay Internet Billing Technical Integration Overview Version 1.3 Last revision: 01/07/2011 Page 1 of 10

2 Version 1.3 Last revision: 01/07/2011 Page 2 of 10

3 REVISION HISTORY... 4 INTRODUCTION... 5 DALPAY CHECKOUT INTEGRATION... 6 Via Simple Button Factory... 7 Via Shopping Cart... 7 Via API Integration... 7 DALPAY DIRECT INTEGRATION... 8 DALPAY VIRTUAL TERMINAL... 8 AN IMPORTANT NOTE TO MERCHANTS ON PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE... 9 What Must Never Be Stored... 9 DalPay Checkout and Compliance DalPay Direct and Compliance FIGURE 1: Extract from the PCI DSS Version Version 1.3 Last revision: 01/07/2011 Page 3 of 10

4 Revision History Version Date Change Notice Pages Remarks Released Affected 1.0 Jan 1, 2009 First release All PCI DSS 1.2 applies 1.1 July 1, 2009 Introduction update, Screen shot changes 1.2 July 1, 2010 PCI DSS extract update 1.3 July 1, 2011 PCI DSS extract update p. 6, 7 PCI DSS 1.2 applies p. 10 PCI DSS applies p. 10 PCI DSS 2.0 applies The latest version of this document can be downloaded here: Version 1.3 Last revision: 01/07/2011 Page 4 of 10

5 Introduction This integration guide gives an overview of the main methods for integrating with DalPay to accept debit or credit cards and bank epayment transactions. DalPay s own PCI DSS Level 1 certified platform (the highest level of payment service provider compliance) acts as gateway and front-end processor. The two integration methods are: DalPay Checkout DalPay s hosted payment page integration method for card-not-present or bank epayment transactions. DalPay Checkout does not require merchants to collect, transmit or store sensitive cardholder or bank account information to process transactions. DalPay Checkout is equivalent to Authorize.net s SIM (Server Integration Method) or Simple Checkout. DalPay Direct DalPay s most flexible integration method to connect acquiring banks via DalPay s payment gateway for card-not-present or bank epayment transactions. DalPay Direct requires merchants to collect payment card or bank account information on their own SSL-secured webpage, and offers the highest degree of customization and control over the checkout experience DalPay Direct is equivalent to Authorize.net s AIM (Advanced Integration Method). The different accounts offered by DalPay are the direct merchant account, sponsored merchant account, and the supplier account. Integration varies case by case, but in general if you have applied for a direct merchant account from one of our supported acquiring banks you will implement DalPay Direct. if you have a supplier or sponsored merchant account you will implement DalPay Checkout. Make an Online Application (without obligation & free of charge all countries): The type of DalPay account you will be offered is based on: the type of products or services that you sell, if you are an established business with processing history or a startup, the country where your business is registered (e.g. within the EU/EFTA or elsewhere), if sales are via your website and/or via telephone order/mail order (MOTO). Version 1.3 Last revision: 01/07/2011 Page 5 of 10

6 DalPay Checkout Integration DalPay Checkout is a hosted payment processing solution that securely handles all of the steps in processing a transaction, including: Collection of customer payment information through a secure hosted form, Generation of a receipt page with a copy to the customer by , Secure transmission to the DalPay payment gateway for transaction processing, Secure storage of cardholder information (including for optional recurring billing). DalPay Checkout does not require merchants to collect, transmit or store sensitive cardholder or bank account information to process transactions. This method allows a merchant to use a simple buy now button (Simple Button Factory), or post customer contact and address information securely to DalPay (via Shopping Cart or API Integration) for single page checkout. DalPay Checkout s co-branded checkout sequence prompts the user for their payment card details on DalPay s secure web form or redirects them (if required) for online bank epayment transactions and 3-D Secure authentication. Version 1.3 Last revision: 01/07/2011 Page 6 of 10

7 Via Simple Button Factory DalPay Buy Now buttons are for online merchants who sell one item per order (different product variations such as size or quantity, and order quantity for that single item are supported, as is setup of recurring billing). DalPay Buy Now buttons are equivalent to PayPal Payment Buttons or Authorize.net s Simple Checkout. They do not require programming skills. Via Shopping Cart DalPay Checkout integrates with leading AJAX and legacy shopping carts. For shopping cart issues contact: [email protected] Via API Integration The DalPay Checkout APIs are a subset of the DalPayAPI which is a RESTful web service using HTTP POST over SSL. POST the payment type, customer contact and address information securely to DalPay Checkout and achieve single page checkout (showing Page 3 only). If you pass in any name-value pairs incorrectly, the DalPay Checkout system ignores the variables incorrectly posted and displays to the customer all three DalPay Checkout pages; Page 1: payment type and customer country, followed by Page 2: customer contact details and cardholder address ( and phone are mandatory), then Page 3: payment card details. On success, transaction details are posted back to your server via Instant Silent Post with callback for displaying a dynamic custom receipt message. To inquire about integrating your platform: [email protected] Version 1.3 Last revision: 01/07/2011 Page 7 of 10

8 DalPay Direct Integration DalPay Direct is a customizable payment processing solution that gives the merchant full control over the customer s checkout experience, including: Collection of customer payment information securely on merchant s website, Merchant-side generation of a receipt to the customer, Secure transmission to the DalPay payment gateway for transaction processing, Secure storage of cardholder information (including for optional recurring billing). DalPay Direct is equivalent to Authorize.net s AIM (Advanced Integration Method). The DalPay Direct APIs are a subset of the DalPayAPI which is a RESTful web service using HTTP POST over SSL. (You must have a direct merchant account at one of DalPay s supported acquiring banks to use DalPay Direct.) For DalPay Direct issues contact: [email protected] DalPay Virtual Terminal The DalPay Virtual Terminal extends your DalPay account to process orders received via mail order or telephone (MOTO). Virtual Terminal requires collection of the same transaction information as DalPay Checkout (minus 3-D Secure authentication), but allows the merchant to self-key the transaction instead of the customer checking out online. Orders placed by a merchant directly using the Virtual Terminal do not receive the benefit of: i) fraud scrubbing by the DalPay Automated Anti-Fraud Inspection System (which only works fully when customers enter orders themselves online via DalPay Checkout) or ii) 3-D Secure* protection. A MOTO order entered using the Virtual Terminal is therefore a higher risk transaction and subject to different risk controls and guidelines. *Verified by Visa, MasterCard SecureCode, JCB J/Secure or AMEX SafeKey liability shift. Version 1.3 Last revision: 01/07/2011 Page 8 of 10

9 An Important Note to Merchants on Payment Card Industry Data Security Standard Compliance DalPay operates its own PCI DSS Level 1 certified platform (the highest level of payment service provider compliance) as gateway and front-end processor. What Must Never Be Stored Please note that under the Payment Card Industry Data Security Standard (PCI DSS), Cardholder Data must be stored encrypted and Sensitive Authentication Data must NOT be stored. At the time of writing, Cardholder Data in the context of Card-Not-Present transactions is defined as Primary Account Number (PAN) AKA card number, Cardholder Name, and Expiration Date. Sensitive Authorization Data in the context of Card-Not-Present transactions is defined as the CVV2/CVC2/CID/CAV2 (the three digit or four digit Card Security Code): You must never store the CVV2/CVC2/CID/CAV2, and it is prohibited to store the full Primary Account Number yourself if you are posting transactions to the DalPay Gateway via either DalPay Checkout or DalPay Direct, as DalPay performs PCI DSS compliant storage of this sensitive information for the merchant. Storage of a truncated card number (i.e. the first 6 and last 4 digits of the card number only) is permitted if it is based on the DalPay Checkout Instant Silent Post, DalPay Direct Transaction Post response, or DalPay Merchant Server Notification response fields. If a merchant collects customer information via mail order or telephone order and is authorized to use the DalPay Virtual Terminal feature via the DalPay Merchant Menu to self-key the transaction then the merchant must at a minimum have returned to the DalPay Risk Department a Payment Card Industry Data Security Standard Self-Assessment Questionnaire A or C-VT and Attestation of Compliance, including attestation that they do not store the CVV2/CVC2/CID/CAV2 after authorization by the issuing bank or stand-in processor, on any media, including on any paper form. Version 1.3 Last revision: 01/07/2011 Page 9 of 10

10 DalPay Checkout and Compliance Using DalPay Checkout may simplify compliance with the Payment Card Industry Data Security Standard (PCI-DSS), and Payment Application Data Security Standard (PA-DSS) if a third-party shopping cart is used*. This however is only true if you DO NOT collect, transmit or store sensitive cardholder or bank account information. Your shopping cart must be configured NOT TO collect or store any cardholder data (i.e. name on card, card number, expiry date, card security code, 3-D Secure password, or PIN) or bank account information, instead being configured to redirect to DalPay Checkout when it is time for customers to enter their payment card or bank account information. DalPay Direct and Compliance For DalPay Direct merchants who process and transmit sensitive information to the DalPay Gateway, the PCI DSS is still fully applicable*. The PCI DSS mandates rendering the full PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks). Please refer to Figure 1 and the PCI Data Security Standard itself for further information. *Please consult a Qualified Security Assessor regarding PCI DSS and PA-DSS compliance. FIGURE 1: Extract from the PCI DSS Version Version 1.3 Last revision: 01/07/2011 Page 10 of 10