DalPay Checkout Integration Guide

DalPay Internet Billing
Checkout Integration Guide
Online Payments
Version 1.3
Last revision: 01/07/2011
For public release
Copyright © 2011 Snorrason Holdings ehf
REVISION HISTORY
INTRODUCTION
    HOW DOES DALPAY CHECKOUT WORK?
        FIGURE 1: Transaction Flow
WHAT THE CUSTOMER SEES
    Payment Card Details Screen Only (Single Page Checkout)
    Step 1: Payment Type and Customer Country
    Step 2: Customer Information (Contact Details, Billing Address)
    Step 2a: Customer Information (Different Shipping Address)
    Step 3: Payment Card Details
    Step 4c: Confirmation Receipt Page (Simple Continue Button Mode)
    Step 4d: Confirmation Receipt Page (Instant Silent Post Mode)
GETTING STARTED IMPLEMENTATION NOTES
    ORDER PAGES INITIALLY BLOCKED
    ENABLING THE INTERNAL TEST CARD
    TRANSACTION TYPES
    TRANSACTION STATES
TRANSACTION POST API
    Transaction Post API input parameters
    Example Input Minimum Mandatory Fields
    Example Input Adding Shipping Fields
    Example Input Adding Discount Field
    Example Input Adding Sales Tax Field
    Most Frequent Account Setting-Related Errors
    Common Error Messages
INTERNATIONALIZATION
    INTERNATIONAL LANGUAGE SUPPORT
    INTERNATIONAL CURRENCY SUPPORT
INSTANT SILENT POST
    Order Page Silent Post Settings
    Silent Post Fields
    Dynamic Custom Receipt Message
    Response From Your Listening Script
    Responding With a Login or Custom Download Link Generated On-The-Fly
AFFILIATE MARKETING FEATURES
    CONFIRMATION PAGE AFFILIATE CODE SETTINGS
WEBSITE COMPLIANCE
    Website Content
    Minimum Test Plan
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE
    What Must Never Be Stored
    DalPay Checkout and Compliance
    FIGURE 2: Extract from the PCI DSS Version 2.0
Revision History
| Version | Date Released | Change Notice | Pages Affected | Remarks |
| --- | --- | --- | --- | --- |
| 1.0 | July 1, 2007 | First release | All | PCI DSS 1.1 applies |
| 1.1 | July 1, 2009 | Introduction, pay_type update, Screen shot changes | p. 5, 6-12, 15 | PCI DSS 1.2 applies |
| 1.2 | Jan 1, 2010 | Screen shot changes | p. 6-12 | PCI DSS 1.2.1 applies |
| 1.3 | July 1, 2011 | Screen shot changes, Figure 2 | p. 38 | PCI DSS 2.0 applies |
The latest version of this document can be downloaded here:
https://www.dalpay.com/en/dalpayapi/DalPay_Checkout_Integration_Guide.pdf
Supporting files:
https://www.dalpay.com/en/dalpayapi/DalPay_ISO_3166-1_country_list_en.csv
https://www.dalpay.com/en/dalpayapi/DalPay_CA_abbr_provinces_en.csv
https://www.dalpay.com/en/dalpayapi/DalPay_US_abbr_states_en.csv
Introduction
This integration guide describes DalPay Checkout, DalPay’s hosted payment
page integration method for payment card or bank ePayment transactions.
DalPay Checkout is a hosted payment processing solution that securely
handles all of the steps in processing a transaction, including:
• Collection of customer payment information through a secure hosted form,
• Generation of a receipt page with a copy to the customer by email,
• Secure transmission to the DalPay payment gateway for transaction processing,
• Secure storage of cardholder information (including for optional recurring billing).
DalPay Checkout does not require merchants to collect, transmit or store
sensitive cardholder or bank account information to process transactions.
DalPay Checkout is equivalent to Authorize.net’s SIM (Server Integration
Method) or Simple Checkout. For our solution equivalent to Authorize.net’s
AIM (Advanced Integration Method) see the DalPay Direct Integration Guide.
How Does DalPay Checkout work?
FIGURE 1: Transaction Flow
1. The customer clicks on a buy now button*, or enters
their contact and address information via a form or
shopping cart installed at the merchant’s website.
2. The merchant’s website redirects the customer
securely to DalPay Checkout - to enter any missing
contact information, and their payment card or bank
account details.
3. DalPay redirects the customer securely (if needed) to
their bank’s website for online bank ePayment or 3-D
Secure** authentication, and back to DalPay Checkout.
4. If set up, the merchant’s server receives a Silent Post
response for the successful transaction from DalPay’s
server, and returns an optional dynamic custom receipt
message.
5. DalPay Checkout displays its confirmation receipt
page (the fixed custom confirmation page message and
if received the dynamic custom receipt message) and
sends a copy of the receipt to the customer by email.
*DalPay Buy Now buttons are for one item per order (different product variations such as
size or quantity, and order quantity for that single item are supported, as is setup of recurring
billing). Equivalent to PayPal Payment Buttons or Authorize.net’s Simple Checkout.
**Verified by Visa, MasterCard SecureCode, JCB J/Secure or AMEX SafeKey.
What the Customer Sees
You can view larger versions of these co-brandable screens here:
https://www.dalpay.com/en/support/customer_checkout_screens.html
Payment Card Details Screen Only (Single Page Checkout)
TIP: POST customer contact and address information to DalPay for single page checkout. (See
p. 17.)
Step 1: Payment Type and Customer Country
TIP: Icons to accompany selection of the pay_type on your webpage:
https://www.dalpay.com/en/dalpayapi/checkout/icons_for_dalpay_checkout.zip
TIP: The ISO 3166-1 alpha-2 list for selection of cust_country_code:
https://www.dalpay.com/en/dalpayapi/DalPay_ISO_3166-1_country_list_en.csv
Step 2: Customer Information (Contact Details, Billing
Address)
TIP: alpha-2 lists for cust_state (Canada and the United States):
https://www.dalpay.com/en/dalpayapi/DalPay_CA_abbr_provinces_en.csv
https://www.dalpay.com/en/dalpayapi/DalPay_US_abbr_states_en.csv
Step 2a: Customer Information (Different Shipping Address)
TIP: If an order page’s settings are set to ‘address’ or ‘address+phone’, these Shipping
Address fields are revealed beneath the Billing Address fields after the customer selects
the radio button for ‘Use different shipping address’.
TIP: alpha-2 lists for ship_state (Canada and the United States):
https://www.dalpay.com/en/dalpayapi/DalPay_CA_abbr_provinces_en.csv
https://www.dalpay.com/en/dalpayapi/DalPay_US_abbr_states_en.csv
Step 3: Payment Card Details
This step is followed* by a decline screen or confirmation receipt page if the
transaction was accepted and charged.
*3-D Secure authentication via redirect is also attempted at this stage.
TIP: If a bank ePayment transaction was selected, the customer is prompted to redirect to
their bank to enter details and authenticate the transaction.
Step 4c: Confirmation Receipt Page (Simple Continue Button
Mode)
TIP: The continue button can be replaced with your own message from the ‘Simple Continue
Button Label’ setting in the order page settings.
Clicking on the Simple Continue button takes a customer to the URL set in the
‘PostURL’ for that order page.
You can also set the ‘Simple Continue Button Force Press’ mode from the order
page settings. (That pops up a dialog box prompting the user if they try to
leave the confirmation receipt page without clicking on the button.)
IMPORTANT NOTE:
If Silent Post Callback is enabled the Simple Continue Button is replaced by Instant Silent
Post’s ‘Dynamic Custom receipt message’ as returned from a listening script on your server.
Step 4d: Confirmation Receipt Page (Instant Silent Post
Mode)
TIP: When ‘Silent Post Callback’ is enabled, with a silent post password set, the DalPay server
POSTs order related fields set in ‘Silent Post Fields’ in realtime to a listening script on your
server for successfully charged accepted orders only (not declined transactions).
Your script validates the response, then performs its actions (for example
starting a process for service delivery) and returns a dynamic custom receipt
message. (See p. 27.)
TIP: If you require notification of all transaction status changes to a listening script on
your server, including declines, chargebacks, accepted/declined rebillings, and other
exceptions, please refer to the Merchant Server Notifications Integration Guide.
Getting Started Implementation Notes
The DalPay Checkout APIs are a subset of the DalPayAPI which is a RESTful
web service using HTTP post over SSL.
POST payment type, customer contact and address information securely to
DalPay Checkout and achieve single page checkout (showing page 3, payment
card details only).
If you pass in any name-value pairs incorrectly, the DalPay Checkout system
ignores the variables incorrectly posted and displays to the customer all three
DalPay Checkout pages; Page 1: payment type and customer country,
followed by Page 2: customer contact details and cardholder address (email
and phone are mandatory), then Page 3: payment card details.
On success, transaction details are posted back to your server via Instant
Silent Post with callback to display a dynamic custom receipt message at the
bottom of the DalPay Confirmation Receipt page.
Order Pages Initially Blocked
When you are issued a fresh DalPay account, up to five order pages can
be set up within it free of charge, and all will be initially blocked.
Only orders placed using the Visa internal test card from self-whitelisted IPs
are permitted when an order page is blocked.
You must complete your website content (including terms and conditions;
delivery policy, refund policy and privacy policy) and then run test orders.
Only after demonstrating full line item detail being passed in item descriptions,
and completed website content, can the Risk Department sign you off to go
live, and set the order page(s) active:
Enabling the Internal Test Card
The internal test Visa card is enabled from the Merchant Menu, ‘Run test
order’. Click on 'New' to get a fresh {{Name on Card Code}} such as FhXgiByJ
and then enable it (‘no’ to ‘yes') for 360 minutes of use.
(You can re-use each Name on Card Code, enabling for 360 minutes each
time. Clicking to enable a Name on Card Code automatically adds your IP to
the AllowedIPs whitelist for that Name on Card Code.)
Once a Name on Card Code is enabled, you select Visa and use the test card
number and that Name on Card Code:
(pay_type = ‘Visa’)
Card Number = 4222222222222
Name on Card = {{Name on Card Code}}
Expiry Date = 07/12
Card Security Code = ‘999’.
If you wish to receive a decline response from the test card set the Next
action to ‘declined’:
(And to ‘error’ if you wish to receive an error response from the test card.)
Transaction Types
Debit (debit)
Transaction debits are authorized and captured immediately and will be
settled within 24 hours, being automatically settled by 06:00 UTC on the
current or following day. Debits may be refunded (or voided if supported).
Void (void)
Transaction voids will cancel an existing debit or captured pre-authorization (if
supported). In addition, non-captured pre-authorizations can be voided to
prevent future capture. Voids can only occur if the transaction has not been
settled. For both unsettled debits and pre-authorizations an authorization
reversal will be attempted first (if supported).
Refund (refund)
Transaction refunds will reverse a previously settled transaction. If the
transaction has not been settled, an authorization reversal (void) will be tried
first automatically instead of a refund.
Only if Approved and Enabled by DalPay Support:
Pre-Authorization (auth_only)
Transaction pre-authorizations (if supported) are authorized immediately but
are not flagged for immediate settlement. These transactions must later
be flagged for settlement using the capture transaction type.
Pre-authorizations remain active for three to thirty days depending on the card
issuing bank.
Capture (capture)
Transaction captures (if supported) flag existing pre-authorizations for
settlement. Only pre-authorizations can be captured. Captures can be
submitted for an amount equal to, or less than the original pre-authorization.
Transaction States
Accepted
State accepted transactions have been successfully charged to a customer’s
debit or credit card, or a refund successfully credited.
Declined
State declined are transactions not charged to a customer’s payment card or
bank account, either due to a hard decline by the card issuer, or a block due to
a fraud scrubbing reason.
Error
State error are transaction attempts that passed gateway validation but were
rejected either by the DalPay processor or one of our upstream providers
before authorization could be attempted with the issuing bank.
Pending or Posted
State pending or posted are transactions posted by the DalPay gateway but
waiting for confirmation due to a delayed or batch-oriented settlement model.
Redirected
State redirected is where a customer has been temporarily redirected away
from DalPay Checkout either to their bank for an online ePayment transfer, or
payment card issuer for 3-D Secure authentication.
Suspended
State suspended is where an event such as a confirmation receipt email
bouncing back from the customer, as detected by DalPay, has caused the
transaction to be put on hold pending possible refund.
Voided
State voided are transactions refunded before being settled with the acquiring
bank, so the customer’s payment card was not charged the amount, only
authorized.
Transaction Post API
To initiate a DalPay Checkout transaction, the following HTTP name/value pairs
should be HTTP posted to our gateway web service under SSL.
QUICK TIP: Input should be percent encoded and correctly
escaped (using htmlentities encoding for example). Default character
encoding is UTF-8 but legacy encoding can be set per pageID as
needed. Legacy encodings are stored internally as UTF-8.
At least one line item entry (for order information) must be posted.
Post each individual line item that makes up an order using item1_desc, item2_desc, etc;
posting of aggregate total invoice/cart amounts is strongly discouraged and may result in your
account not being approved to go live by the Risk Department. (See p. 19.)
Web service Location: https://secure.dalpay.is/cgi-bin/order2/processorder1.pl
Transaction Post API input parameters
Transaction Setup Fields

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| mer_id | TEXT | 6-6 | 999994 | 6 digit merchant number. |
| pageid | TEXT | 1-3 | 1 | The order page sub-account within the merchant account specified by mer_id. Each selling URL or currency should have its own order page. |
| next_phase* | TEXT | 1-20 | paydata | Initiate single page checkout if all required fields are present. |
| pay_type | TEXT | 1-128 | Visa, Visa Electron, Mastercard, Maestro, American Express, Discover, Carte Blanche, JCB, China Unionpay OR Bank Epayment | Payment type for correct routing. Some merchants will have a subset of the full set of card types enabled. When targeting US customers do not offer Visa Electron, Maestro, Carte Blanche or China Unionpay as they are not issued/familiar in the US. For pay_type icons see end note+ |
| valuta_code* | TEXT | 3 | USD, GBP, EUR, ISK | ISO 4217 code for checkout currency. (Will be converted using a rate favourable to the cardholder if different from order page valuta setting.) |
| langcode* | TEXT | 2-5 | en, es, is, en-GB, en-US, en-CA | ISO 639-1 code for checkout language. |
Customer Contact Details

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| cust_name | TEXT | 1-40 | Ms Secretary | Customer’s name (can be different from cardholder name). |
| cust_company* | TEXT | 1-40 | Acme Inc | Customer’s company name. |
| cust_email | TEXT | 5-80 | [email protected] | Must be in valid email address format. |
| cust_phone | TEXT | 7-20 | +3544122600 | Numeric with or without + prefix. |
| cust_fax* | TEXT | 7-20 | 4661935 | Numeric with or without + prefix. |

Customer Billing Address

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| cust_address1 | TEXT | 1-60 | 100 Jump Street | Billing address line 1. |
| cust_address2* | TEXT | 1-30 | Second Floor | Billing address line 2. |
| cust_city | TEXT | 1-30 | Some City | Billing city. |
| cust_state | TEXT | 1-20 | FL, AE, BC, Lincolnshire, Biscay OR N/A if no state | Billing state, county or province. If cust_country_code = ‘CA’ or ‘US’ see end note++ |
| cust_zip | TEXT | 1-10 | 33101, SE1 9LT OR 99999 if no postal codes | Billing ZIP or Postcode. Refer to the International Postal Codes Integration Guide. |
| cust_country_code | TEXT | 2-3 | US, GB, IS; USA, GBR, ISL | Billing country ISO 3166-1 alpha-2 or alpha-3. See end note+++ |

Customer Shipping Address

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| ship_address1** | TEXT | 1-60 | 100 Jump Street | Shipping address line 1. |
| ship_address2** | TEXT | 1-30 | Second Floor | Shipping address line 2. |
| ship_city** | TEXT | 1-30 | Some City | Shipping city. |
| ship_state** | TEXT | 1-20 | FL, AE, BC, Lincolnshire, Biscay OR N/A if no state | Shipping state, county or province. If ship_country_code = ‘CA’ or ‘US’ see end note++ |
| ship_zip** | TEXT | 1-10 | 33101, SE1 9LT OR 99999 if no postal codes | Shipping ZIP or Postcode. Refer to the International Postal Codes Integration Guide. |
| ship_country_code** | TEXT | 2-3 | US, GB, IS; USA, GBR, ISL | Shipping country ISO 3166-1 alpha-2 or alpha-3. See end note+++ |
| ship_phone** | TEXT | 7-20 | +3544122600 | Numeric with or without + prefix. |
Order Information Details

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| num_items | TEXT | 1-20 | 1 | The maximum number of line items posted. For example: if your last product is item7_desc, item7_price and item7_qty, num_items value has to be 7. |
| item1_desc | TEXT | 1-256 | Some Widgets, Service (1 year), Online Widget delivered in 1-2 weeks | Line item description. If a service specify time that service purchase covers. If delivery time varies specify timeframe in the line item description. |
| item1_price | TEXT | 1-10 | 129.00 | Value in the currency set as valuta_code for this pageID. |
| item1_qty | TEXT | 1-20 | 1 | The multiplier for item1_price. |
| item2_desc* | TEXT | 1-128 | Some Widgets, Service (1 year), Online Widget delivered in 1-2 weeks | Line item description as above. |
| item2_price* | TEXT | 1-10 | 500.00 | Value in the currency set as valuta_code for this pageID. |
| item2_qty* | TEXT | 1-20 | 1 | The multiplier for item2_price. |
| … | | | | You can send in as many additional optional line items up to the num_items. Only the first is mandatory. |

Shipping/Delivery Fields

| Name | Type | Size Min-Max | Example Value |
| --- | --- | --- | --- |
| item7_desc* | TEXT | 1-256 | USPS Priority Mail, FedEx Express Saver, ... |
| item7_price* | TEXT | 1-10 | 20.07, 40.56 |
| item7_qty* | TEXT | 1-20 | 1 |

Notes: Only ship to the billing address with a full AVS match unless you have performed secondary screening on the ship address. Ship with signature on delivery recommended. Send a line item for the shipping cost as the last item posted (for example item7). Use sales_discount_exclude and/or sales_tax_exclude to exclude shipping from discount or tax as applicable.

Discount Fields

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| sales_discount_amount* | TEXT | 1-10 | 19.95 | Fixed discount amount (will be subtracted from the total calculated for the item fields). Will be displayed as a % as well. |
| sales_discount_factor* | TEXT | 1-10 | 0.05 (5%), 0.25 (25%) | Discount multiplier based on the item fields totalled. |
| sales_discount_exclude* | TEXT | 1-20 | 2,4,5 (exclude items 2, 4 and 5 from the discount calculation) | Exclude items, such as line item for shipping/delivery cost, from the discount. |
Taxation Fields

| Name | Type | Size Min-Max | Example Value | Notes |
| --- | --- | --- | --- | --- |
| sales_tax_amount* | TEXT | 1-10 | 10.00 | Fixed taxation amount (will be added to the total calculated for the item fields). Will be displayed as a % as well. |
| sales_tax_factor* | TEXT | 1-10 | 0.10 (10%), 0.175 (17.5%) | Taxation multiplier based on the item fields totalled. |
| sales_tax_exclude* | TEXT | 1-20 | 2,4,5 (exclude items 2, 4 and 5 from the tax calculation) | Exclude items, such as line item for shipping/delivery cost, from taxation. |

Rebilling Fields

For automatic pre-authorized recurring billing for subscriptions please refer to the DalPay Checkout Recurring Billing Integration Guide.

User Fields

| Name | Type | Size Min-Max | Example Value |
| --- | --- | --- | --- |
| user1* | TEXT | 1-256 | This is an order note field. Don’t deliver before 10am. Thank you. |
| user2* | TEXT | 1-256 | {3a768eea-cbda-4926-a82d831cb89092aa} |

Notes: Fields you set and wish passed through to you such as GUIDS or other data. Not visible to customers during checkout. Included in the merchant confirmation email and stored in the transaction database. User fields can be posted back via Instant Silent Post and can be included in Merchant Server Notifications. (You can pass in up to 10 user fields, i.e. user1, user2, user3, user4, user5, ... , etc. Maximum of 256 characters per user field.)
Fields marked with * in the table above are optional.
Fields marked with ** are optional until one in their group is passed in when they become
mandatory within that group.
End Notes
+For single page checkout, customers must choose the pay_type on your website prior to
redirect to DalPay Checkout. Icons to use are here:
https://www.dalpay.com/en/dalpayapi/checkout/icons_for_dalpay_checkout.zip
++If cust_country_code or ship_country_code is:
'CA' then validate against this list:
http://www.dalpay.com/en/dalpayapi/DalPay_CA_abbr_provinces_en.csv
'US' then validate against this list:
http://www.dalpay.com/en/dalpayapi/DalPay_US_abbr_states_en.csv
+++The alpha-2 to send in for each country is shown in the list here:
https://www.dalpay.com/en/dalpayapi/DalPay_ISO_3166-1_country_list_en.csv
(The CSV file is UTF-8 to preserve the correct names of some of the more exotic countries.)
Example Input Minimum Mandatory Fields
https://secure.dalpay.is/cgi-bin/order2/processorder1.pl?mer_id=999994&pageid=2&next_phase=paydata&pay_type=Visa&cust_name=Ms Secretary&cust_address1=100 Jump Street&cust_city=Some City&cust_state=FL&cust_zip=33101&cust_country_code=US&[email protected]d&cust_phone=+354 412 2600&num_items=1&item1_desc=8Gb iPod Nano Green&item1_price=129.00&item1_qty=1
Example Input Adding Shipping Fields
https://secure.dalpay.is/cgi-bin/order2/processorder1.pl?mer_id=999994&pageid=2&next_phase=paydata&pay_type=Visa&cust_name=Ms Secretary&cust_address1=100 Jump Street&cust_city=Some City&cust_state=FL&cust_zip=33101&cust_country_code=US&[email protected]d&cust_phone=+354 412 2600&ship_address1=Another Address&ship_city=New York City&ship_state=NY&ship_zip=10001&ship_country_code=US&ship_phone=+354 665 3142&num_items=1&item1_desc=8Gb iPod Nano Green&item1_price=129.00&item1_qty=1
Example Input Adding Discount Field
https://secure.dalpay.is/cgi-bin/order2/processorder1.pl?mer_id=999994&pageid=2&next_phase=paydata&pay_type=Visa&cust_name=Ms Secretary&cust_address1=100 Jump Street&cust_city=Some City&cust_state=FL&cust_zip=33101&cust_country_code=US&[email protected]d&cust_phone=+354 412 2600&ship_address1=Another Address&ship_city=New York City&ship_state=NY&ship_zip=10001&ship_country_code=US&ship_phone=+354 665 3142&num_items=1&item1_desc=8Gb iPod Nano Green&item1_price=129.00&item1_qty=1&sales_discount_amount=19.95
Example Input Adding Sales Tax Field
https://secure.dalpay.is/cgi-bin/order2/processorder1.pl?mer_id=999994&pageid=2&next_phase=paydata&pay_type=Visa&cust_name=Ms Secretary&cust_address1=100 Jump Street&cust_city=Some City&cust_state=FL&cust_zip=33101&cust_country_code=US&[email protected]d&cust_phone=+354 412 2600&ship_address1=Another Address&ship_city=New York City&ship_state=NY&ship_zip=10001&ship_country_code=US&ship_phone=+354 665 3142&num_items=1&item1_desc=8Gb iPod Nano Green&item1_price=129.00&item1_qty=1&sales_tax_amount=10.00
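The parameter table and example inputs above, worked into a pre-flight check; this is an added example, not code from the DalPay guide. It rejects mistyped field names, out-of-range sizes and a partial ship_ group, then produces the percent-encoded name-value pairs that a form POST carries. The function names, the sample order, treating ship_address2 as optional and applying a 128-character limit to every item description are assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlencode

# (min, max) lengths as read from the Size Min-Max column of the parameter table.
SIZE = {
    "mer_id": (6, 6), "pageid": (1, 3), "next_phase": (1, 20),
    "pay_type": (1, 128), "valuta_code": (3, 3), "langcode": (2, 5),
    "cust_name": (1, 40), "cust_company": (1, 40), "cust_email": (5, 80),
    "cust_phone": (7, 20), "cust_fax": (7, 20), "cust_address1": (1, 60),
    "cust_address2": (1, 30), "cust_city": (1, 30), "cust_state": (1, 20),
    "cust_zip": (1, 10), "cust_country_code": (2, 3),
    "ship_address1": (1, 60), "ship_address2": (1, 30), "ship_city": (1, 30),
    "ship_state": (1, 20), "ship_zip": (1, 10), "ship_country_code": (2, 3),
    "ship_phone": (7, 20), "sales_discount_amount": (1, 10),
    "sales_discount_factor": (1, 10), "sales_discount_exclude": (1, 20),
    "sales_tax_amount": (1, 10), "sales_tax_factor": (1, 10),
    "sales_tax_exclude": (1, 20),
}
SIZE.update({f"user{n}": (1, 256) for n in range(1, 11)})  # up to 10 user fields
# Assumption: the stricter of the item description sizes in the table is
# applied to every line item.
DESC_MAX = 128
# Fields without * or ** in the table.
REQUIRED = ("mer_id", "pageid", "pay_type", "cust_name", "cust_email",
            "cust_phone", "cust_address1", "cust_city", "cust_state",
            "cust_zip", "cust_country_code")
# Assumption: the ** group is enforced as the set used in the guide's shipping
# example, which omits ship_address2.
SHIP_GROUP = ("ship_address1", "ship_city", "ship_state", "ship_zip",
              "ship_country_code", "ship_phone")


def validate_order(fields, items):
    """Return a list of problems; an empty list means the post is well formed.

    `fields` holds every pair except num_items/itemN_*, which are generated
    from `items`, a list of (description, price, quantity) tuples.
    """
    errors = [f"{n}: mandatory field missing" for n in REQUIRED if not fields.get(n)]
    for name, value in fields.items():
        if name not in SIZE:
            # A mistyped name is ignored by the gateway and the customer is
            # shown all three checkout pages, so catch it before redirecting.
            errors.append(f"{name}: not a field name from the parameter table")
            continue
        lo, hi = SIZE[name]
        if not lo <= len(str(value)) <= hi:
            errors.append(f"{name}: length {len(str(value))} outside {lo}-{hi}")
    if any(n.startswith("ship_") for n in fields):
        errors += [f"{n}: mandatory once any ship_ field is sent"
                   for n in SHIP_GROUP if not fields.get(n)]
    if not items:
        errors.append("item1_desc: at least one line item must be posted")
    total = Decimal(0)
    for i, (desc, price, qty) in enumerate(items, start=1):
        if not 1 <= len(desc) <= DESC_MAX:
            errors.append(f"item{i}_desc: length {len(desc)} outside 1-{DESC_MAX}")
        try:
            unit, count = Decimal(str(price)), int(qty)
        except (InvalidOperation, ValueError, TypeError):
            errors.append(f"item{i}: price or quantity is not numeric")
            continue
        if not unit.is_finite() or unit <= 0 or count <= 0:
            errors.append(f"item{i}: quantity and amount must be greater than zero")
            continue
        total += unit * count
    try:
        if Decimal(str(fields.get("sales_discount_amount", "0"))) > total:
            errors.append("sales_discount_amount: more than the total of all item fields")
    except InvalidOperation:
        errors.append("sales_discount_amount: not numeric")
    return errors


def build_post_body(fields, items):
    """Validate, then return the application/x-www-form-urlencoded pairs."""
    errors = validate_order(fields, items)
    if errors:
        raise ValueError("; ".join(errors))
    pairs = [(name, str(value)) for name, value in fields.items()]
    pairs.append(("num_items", str(len(items))))
    for i, (desc, price, qty) in enumerate(items, start=1):
        pairs += [(f"item{i}_desc", desc), (f"item{i}_price", str(price)),
                  (f"item{i}_qty", str(qty))]
    # quote_plus encoding: a space becomes "+", so a literal "+" in a phone
    # number has to travel as %2B or it is decoded as a space.
    return urlencode(pairs, encoding="utf-8")


# Constructed sample order; mer_id and the item come from the guide's examples,
# the email address is a placeholder.
SAMPLE_FIELDS = {
    "mer_id": "999994", "pageid": "2", "next_phase": "paydata",
    "pay_type": "Visa", "cust_name": "Ms Secretary",
    "cust_email": "customer@example.com", "cust_phone": "+3544122600",
    "cust_address1": "100 Jump Street", "cust_city": "Some City",
    "cust_state": "FL", "cust_zip": "33101", "cust_country_code": "US",
}
SAMPLE_ITEMS = [("8Gb iPod Nano Green", "129.00", 1)]

if __name__ == "__main__":
    print(build_post_body(SAMPLE_FIELDS, SAMPLE_ITEMS))
```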
Most Frequent Account Setting-Related Errors
The order page (pageid) specified is currently blocked from live orders. This is
usual during testing, prior to go live approval from the Risk Department.
TIP: Use the Visa test card and an enabled Name on Card Code, with your IP whitelisted.
The merchant account (mer_id) is currently set as inactive. This is usually
because you have had no transactions for 90 days and/or have not logged in
to the Merchant Menu for 90 days. Contact DalPay Support.
Both Common when testing. A transaction was posted from localhost or
other local device with no referer in the HTTP header being sent.
If testing contact DalPay Support to temporarily disable referer checking for this order page.
TIP: Do not include DalPay Checkout transaction post links directly in e-mail as they will fail
the referer check. Contact DalPay Support regarding invoicing solutions.
Common when testing. The webpage that the transaction post request is
coming from is not the same as set in the ‘Order page location’ for this order
page. If testing contact DalPay Support to request the referer check be temporarily disabled,
or permanently changed from ‘strict’ to ‘domain only’.
Common Error Messages
Error Message: This merchant account has been deactivated
Explanation: Account is set as inactive. Contact DalPay Support.

Error Message: Please use POST method only, Missing POST data, Too much POST data, Error reading POST data
Explanation: Check format of input fields, and form submission method (i.e. must be POST not GET or PUT).

Error Message: Internal Server Error
Explanation: You sent malformed or incorrectly delimited input fields.

Error Message: The selected paytype is not activated for this merchant account, please choose another paytype
Explanation: pay_type sent in is not enabled for this account or order page.

Error Message: Sorry, we cannot accept new orders for this merchant account at the moment
Explanation: The order page (pageid) is blocked from accepting new orders. Usual during testing.

Error Message: Sorry, we cannot accept new orders for this merchant account at the moment. Additionally, test code FhXgiByJ is not enabled!
Explanation: The Name on Card Code is not enabled. Re-enable this Name on Card Code, for 360 minutes at a time, from ‘Run Test Order’.

Error Message: Sorry, we cannot accept new orders for this merchant account at the moment. Additionally, your IP 194.144.200.200 is not in the AllowedIP list to use Name on Card test code FhXgiByJ
Explanation: The IP you used to place the Test Order is not in the AllowedIPs list for the Name on Card Code used (although the code is enabled). Add IP to the AllowedIPs list for that Name on Card Code from ‘Run Test Order’ at the Merchant Menu.

Error Message: Sorry, we cannot accept new orders for this merchant account at the moment. Additionally, your IP 194.144.200.200 is not in the AllowedIP list to use Name on Card test code FhXgiByJ AND is it is not enabled
Explanation: The Name on Card Code is not enabled. The IP you used to place the Test Order is not in the AllowedIPs list for the Name on Card Code used. Enable the Name on Card Code, and ensure IP is added to the AllowedIPs list for that Name on Card Code.

Error Message: Sorry, we cannot accept this card number
Explanation: Payment card number entered is blocked due to chargeback, order attempt from commercial or open proxy, or for other fraud-loss reason. Contact DalPay Support.

Error Message: Sorry, we cannot accept orders from IP number 194.144.200.200
Explanation: IP of the computer used to place the order is blocked due to chargeback, order attempt from commercial or open proxy, or for other fraud-loss reason. Contact DalPay Support.

Error Message: Sorry, we cannot accept email address [email protected]
Explanation: cust_email blocked due to chargeback, order attempt from commercial or open proxy, or for other fraud-loss reason. Contact DalPay Support.
Error Message: This merchant does not supply products to Iceland, from where your order seems to originate (determined from your IP address 194.144.200.200)
Explanation: Order attempt was identified as coming from a country or state currently blocked for this order page. See ‘blocking’ from the Merchant Menu to unblock the country temporarily.

Error Message: Your order could not be processed because our fraud detection system flagged your order as high risk.
Explanation: The transaction fraud score after fraud scrubbing exceeded the currently set fraud score threshold or attribute for this order page. Choose ‘Accept future transactions for this card’ from the ‘Transaction details’ screen to whitelist this card number, then try again.

Error Message: Order quantity and amount must be greater than zero
Explanation: Check for missing item1_qty, item1_price and item1_desc fields. Check that the discount sent in via sales_discount_amount or sales_discount_factor is not more than the total value of all item fields.

Error Message: Due to security issues we can only accept single transactions to a minimum of 5.00 USD
Explanation: You are sending in a total amount lower than the Minimum Order Amount set for this order page. Contact DalPay Support to raise or lower this. (Will not generally be lowered below USD 1, GBP 1, EUR 1, or equivalent.)

Error Message: 99:Test order decline info
Explanation: You have the Name on Card Code set to ResultCode ‘declined’ (see p. 14).

Error Message: 333:Test order test error text
Explanation: You have the Name on Card Code set to ResultCode ‘error’ (see p. 14).
Internationalization
DalPay supports full internationalization to allow you to sell internationally,
across borders, to expand your market reach.
Despite English being ‘the global language’ approximately seventy percent of
the world’s population can't use an English-only website, so DalPay’s language
localisation helps you to sell to an international audience.
International Language Support
You can override the default order page setting for the checkout language
(which could be any of the supported languages) by sending in the langcode
name-value pair. The value should be the ISO 639-1 two or four letter code for
that language.
Example langcode values:
en    US English
es    Standard Spanish
fr    French
de    German
pt    Portuguese
ar    Standard Arabic
ja    Japanese
ko    Korean
(Please note that the ISO 639-1 two letter code for language sometimes
differs from the ISO 3166-1 two letter code for the country in which that
language is spoken.)
International Currency Support
If you are using a multicurrency shopping cart or otherwise want to allow
customers to checkout in their own currency you can override the default
order page setting for the checkout currency by sending in the valuta_code
name-value pair. The value should be the ISO 4217 three letter code for that
currency.
Example valuta_code values:
USD    United States dollars
GBP    Great British pounds
EUR    European Union euros
JPY    Japanese Yen
CAD    Canadian dollars
AUD    Australian dollars
ZAR    South African rands
ISK    Icelandic crowns
Please note that ‘Allow Post Valuta Override’
must be set to ‘yes’ for each order page. Contact DalPay Support if ‘no’.
Instant Silent Post
DalPay’s Instant Silent Post is for receiving a POST of order related fields to a
listening script on your server, as soon as the order has been successfully charged.
Instant Silent Post is equivalent to Authorize.net's Silent Post feature with
Relay Response in their Server Integration Method (SIM) or Simple Checkout,
PayPal's Payment Data Transfer (PDT), 2Checkout's Direct Return feature, or
CCBill's Background Post Postback. It is for accepted orders only.
TIP: If you require notification of all transaction status changes to a listening script on
your server, including declines, chargebacks, accepted/declined rebillings, and other
exceptions, please refer to the Merchant Server Notifications Integration Guide.
Order Page Silent Post Settings
When ‘Silent Post Callback’ is enabled, with a silent post password set, the
DalPay server POSTs order related fields set in ‘Silent Post Fields’ in realtime
to a listening script on your server. It only posts for successfully charged,
accepted orders (not declined transactions).
Your script validates the response, then initiates its actions (for example
starting a process for service delivery) and returns a dynamic custom receipt
message for display to the customer on the DalPay Confirmation Receipt Page.
Silent Post Fields
You may include any combination of the following fields in ‘Silent Post Fields’.
By default the Silent Post fields are set to:
user1,user2,total_amount,order_num
The order of the fields does not matter, provided they are correctly separated by
commas, as they are HTTP POSTed to your listening script as name-value pairs.
Transaction Fields

| Silent Post Field | Size Min-Max | Example Value | Notes |
|---|---|---|---|
| SilentPostPassword | 8128 | ThUj73dw | As set in ‘Silent Post Password’ per order page, from the DalPay Merchant Menu. Always posted. |
| order_num | 14 | 999994.5282761 | DalPay order number. |
| order_datetime | 19 | 2010-01-19 14:41:37 (YYYY-MM-DD HH:MM:SS) | Date and time order was accepted by DalPay in timezone set for the merchant account. (Default is US Central Standard Time.) |
| pageid | 1-3 | 1 | The order page where this order originates. |
| orderpage_url | 2083 | http://www.icelandicshop.com/history.php | The URL of the order page where this order originates. |
| pay_type | 1128 | Visa, Visa Electron, Mastercard, Maestro, American Express, Discover, Carte Blanche, JCB, China Unionpay OR Bank Epayment | The payment type used. |
| masked_card_num | 1219 | 422222XXX2222, 550000XXXXXX0004, 340000XXXXX0009, 601100XXXXXX0004, 300000XXXX0004, 308800XXXXXX0008, 490300XXXX0004, 622888XXXXXX8888 | First six and last four digits of payment card number used. Length 13 or 16 for Visa, 16 for MasterCard, 15 for AMEX, 16 for Discover, 14-16 for Diners/Carte Blanche, 16 for JCB, 12-19 for Maestro (UK and International), 16 for China UnionPay. |
| last4 | 4 | 2222, 0004, 0009, 0004, 0004, 0008, 0004, 8888 | Last four digits of payment card number used. |
| card_name | 40 | MR JON JONSSON | Cardholder name on the card. |
| remote_addr | 1115 | 194.144.200.200 | IP of device used to place order. |
| remote_host | 1255 | 194-144-200-200.xdsl.com | Hostname of device used to place order. |
| total_amount | 1-10 | 139.00 | Value of order in currency of valuta_code posted. |
| valuta_code | 3 | USD, GBP, EUR, ISK | ISO 4217 code posted or valuta setting for order page. |
| xrate | 9 | 1.0000000 (no conversion), 1.5446000 (from GBP to USD), 1.2886000 (from EUR to USD) | The currency exchange rate used to convert from the posted valuta_code into the currency set in the order page. (fxdaily rate from oanda.com is used.) |
| sales_discount_amount | 1-10 | 19.95 | Amount of discount in currency of valuta_code posted. |
| sales_discount_perc | 1-10 | 15.47 | Discount as a percentage of total_amount. |
| sales_tax_amount | 1-10 | 10.00 | Amount of tax added in currency of valuta_code posted. |
| sales_tax_perc | 1-10 | 7.75 | Tax as a percentage of total_amount. |
| langcode | 2-5 | en, es, is, en-GB, en-US, en-CA | ISO 639-1 code of language used for checkout. |

Customer Contact Details

| Silent Post Field | Size Min-Max | Example Value | Notes |
|---|---|---|---|
| cust_name | 1-40 | Ms Secretary | Customer’s name (may be different from card_name). |
| cust_company | 1-40 | Acme Inc | Customer’s company name. |
| cust_email | 5-80 | [email protected] | Customer’s email. |
| cust_phone | 7-20 | +3544122600 | Numeric with or without a + prefix. |
| cust_fax | 7-20 | 4661935 | Numeric with or without a + prefix. |

Customer Billing Address

| Silent Post Field | Size Min-Max | Example Value | Notes |
|---|---|---|---|
| cust_address1 | 1-60 | 100 Jump Street | Billing address line 1. |
| cust_address2 | 1-30 | Second Floor | Billing address line 2. |
| cust_city | 1-30 | Some City | Billing city. |
| cust_state | 1-20 | FL, AE, BC, Lincolnshire, Biscay OR N/A if no state | Billing state, county or province. |
| cust_zip | 1-10 | 33101, SE1 9LT OR 99999 if no postal codes | Billing ZIP or Postcode. Refer to the International Postal Codes Integration Guide. |
| cust_country_code | 2 | US, GB, IS | Billing country ISO 3166-1 alpha-2. |
| avs_response | 2 | B, R, G, U, S, N, ... | Refer to the Address Verification Integration Guide. |

Customer Shipping Address

| Silent Post Field | Size Min-Max | Example Value | Notes |
|---|---|---|---|
| ship_address1 | 1-60 | 100 Jump Street | Shipping address line 1. |
| ship_address2 | 1-30 | Second Floor | Shipping address line 2. |
| ship_city | 1-30 | Some City | Shipping city. |
| ship_state | 1-20 | FL, AE, BC, Lincolnshire, Biscay OR N/A if no state | Shipping state, county or province. |
| ship_zip | 1-10 | 33101, SE1 9LT OR 99999 if no postal codes | Shipping ZIP or Postcode. Refer to the International Postal Codes Integration Guide. |
| ship_country_code | 2 | US, GB, IS | Shipping country ISO 3166-1 alpha-2. |
| ship_phone | 7-20 | +3544122600 | Numeric with or without a + prefix. |
All fields are optional except SilentPostPassword which is always included.
Example Silent Post for default fields:
SilentPostPassword = ThUj73dw
total_amount = 139.00
order_num = 999994.5282761
user1 = This is an order note field. Don’t deliver before 10am. Thank you.
user2 = {3a768eea-cbda-4926-a82d-831cb89092aa}
(The DalPay Silent Post server always sends the SilentPostPassword name-value
pair based on the setting in the order page. If any silent post field is set
in ‘Silent Post Fields’, but has no value at silent post time, it will not be
posted.)
After receiving the Silent Post fields your listening script must then return,
also in realtime, a dynamic custom receipt message on standard output.
The DalPay Silent Post server will wait for up to 20 seconds for the dynamic
custom receipt message response from your script.
The dynamic custom receipt message returned can be up to 2048 characters
long, and include basic HTML tags for formatting the message within the
DalPay Confirmation Receipt Page.
Dynamic Custom Receipt Message
The response from your listening script is displayed at the bottom of the
confirmation receipt page presented to the customer.
If your script does not respond correctly, or if there is a timeout,
the customer will see the following:
i.e. “Your order has been accepted, however we were not able to
redirect you back to the merchant. The merchant has been informed
about this problem. You can reach the merchant at [OrderEmail].”
You can view details of silent posts in the transaction details screen, and
manually retry a failed silent post from ‘Silent Post Errors’ in the Merchant
Menu.
Response From Your Listening Script
If the validation you performed is successful (i.e. in the example it would be
based on the user2 field GUID or hash sent in, and SilentPostPassword),
including basic sanity checking (such as the format of order_num and amount
in total_amount), then your listening script should return something similar to this:
<!--success--><a href="http://www.some_website.com/orderaccepted.php"><strong>CLICK HERE</strong> to return to your account</a>
If validation fails, then return at a minimum this type of response:
<!--success--><!--order attempt failed validation --><a href="http://www.some_website.com/orderfailed.php">Order was not completed. <strong>PLEASE CONTACT SITE SUPPORT</strong>. Click here to return to your account</a>
Note the specific <!-- --> comment tags which must be used. The returned
links must be on the same website as set in the order page location settings
for this order page.
(If you want the customer to be returned automatically to a particular page
you may, in addition to the static link, include an auto refresh tag:
<meta HTTP-EQUIV="REFRESH" CONTENT="10;URL=http://www.some_website.com/orderaccepted.php">
However, it must go to the same page as included in the link, and be delayed
from activating for a minimum of 10 seconds as in the example given.)
Inclusion of such a delayed auto redirect must be signed off by
DalPay Support. Merchants implementing an automatic redirect
without specific sign-off by DalPay may have their order page
suspended without notice. Check with us before putting it live.
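One way a listening script could implement the validation described in this section, as an added example (not DalPay's code): it compares SilentPostPassword in constant time, sanity-checks order_num and total_amount, ties the post to a user2 GUID your site issued at checkout, and treats a manual retry of the same post as already delivered. The order_num and GUID patterns are assumptions inferred from the page's example values, and the pending and delivered dictionaries are hypothetical stand-ins for your own order store.

```python
import hmac
import re
from decimal import Decimal, InvalidOperation

# Response bodies as shown on this page; the URLs are the page's placeholders.
SUCCESS_HTML = ('<!--success--><a href="http://www.some_website.com/orderaccepted.php">'
                '<strong>CLICK HERE</strong> to return to your account</a>')
FAILED_HTML = ('<!--success--><!--order attempt failed validation -->'
               '<a href="http://www.some_website.com/orderfailed.php">Order was not completed. '
               '<strong>PLEASE CONTACT SITE SUPPORT</strong>. Click here to return to your account</a>')

# Assumed formats, inferred only from the page's example values.
ORDER_NUM_RE = re.compile(r"[0-9]+\.[0-9]+")  # e.g. 999994.5282761, 14 characters
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")

# The page's example Silent Post for the default fields.
SAMPLE_POST = {
    "SilentPostPassword": "ThUj73dw",
    "total_amount": "139.00",
    "order_num": "999994.5282761",
    "user1": "This is an order note field. Don't deliver before 10am. Thank you.",
    "user2": "{3a768eea-cbda-4926-a82d-831cb89092aa}",
}


def validate(fields, password, pending, delivered):
    """pending: user2 GUID -> amount string saved at checkout; delivered: order_num -> GUID."""
    posted = fields.get("SilentPostPassword", "")
    if not hmac.compare_digest(posted.encode(), password.encode()):
        return "bad password"
    order_num = fields.get("order_num", "")
    if len(order_num) != 14 or not ORDER_NUM_RE.fullmatch(order_num):
        return "bad order_num"
    guid = fields.get("user2", "").lower()
    if not GUID_RE.fullmatch(guid):
        return "bad user2"
    if delivered.get(order_num) == guid:
        return "already delivered"  # e.g. a manual retry of the same post
    if guid not in pending:
        return "unknown user2"
    try:
        amount = Decimal(fields.get("total_amount", ""))
    except InvalidOperation:
        return "bad total_amount"
    if not amount.is_finite() or amount != Decimal(pending[guid]):
        return "amount mismatch"
    return "ok"


def handle_silent_post(fields, password, pending, delivered):
    """Return (response_body, verdict); service delivery starts once per accepted order."""
    verdict = validate(fields, password, pending, delivered)
    if verdict == "ok":
        guid = fields["user2"].lower()
        del pending[guid]
        delivered[fields["order_num"]] = guid
        # Service delivery for this order would start here.
    ok = verdict in ("ok", "already delivered")
    return (SUCCESS_HTML if ok else FAILED_HTML), verdict
```

Because the DalPay server waits at most 20 seconds for the response, slow delivery work belongs in a background job started from the accepted branch.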
Responding With a Login or Custom Download Link
Generated On-The-Fly
As you generate the output for the dynamic custom receipt message on your
server, and the Silent Post is always for a successfully charged transaction,
you can include a site login or customer specific download link, such as:
<!--success--><br />Site Username: your_site_generated<br /> Site
Password: xyz12abc_your_site_generated<br /><br /><a
href="http://www.some_website.com/orderaccepted.php"><strong>CLICK
HERE</strong> to return to <strong>Test Page</strong> website</a>
The output of the dynamic custom receipt message is not included in the
confirmation receipt emails, only on the confirmation receipt page, so make
sure to send logins or download links via email or SMS, or other method your
customers prefer if you send them in the dynamic custom receipt message.
The separate fixed confirmation page/email message in the order page
settings should include any https:// links to your logo and link to permanent
items such as a link to your terms and conditions. It IS included in the
confirmation receipt email sent to the customer.
Affiliate Marketing Features
Confirmation Page Affiliate Code Settings
The confirmation page affiliate code setting in each order page is for your
affiliate tracking code(s). As the confirmation receipt page is only displayed
after the customer has successfully paid, you can safely include your
JavaScript and static script tags here to track conversions. (They are included
invisibly at the top of the page as shown below.)
You must use only the SSL (https:) versions of any affiliate tracking codes.
Website Compliance
Website Content
Your website must include at a minimum a delivery policy, refund policy, and site privacy
policy.
There must be conspicuous links to these and your terms and conditions on the site.
The DalPay Risk Department must sign off your website content before allowing you to go
live.
You must be in compliance with DalPay and card association rules for website content.
DalPay has specific acceptance and compliance policies for different account and
business types.
Please refer to the compliance guidelines here:
https://www.dalpay.com/en/compliance/
Minimum Test Plan
You must have completed the minimum test plan for your account and business type to
the satisfaction of DalPay Support before going live.
Test Plans vary between sites, but an example of a minimum test plan would be:
1. The correct customer information fields are being passed to DalPay Checkout resulting
in single page checkout (Step 3 asking for payment card details).
2. In the case of a low-cost service with pre-authorized recurring billing, the order is routed
to pageid = '01'; in the case of a high value one-off purchase, the order is routed to pageid
= '02'.
3. The Instant Silent Post dynamic custom receipt message is returned to us, based on
the following cases:
3.1 DalPay accepted order fields (order_num, total_amount) plus user1 or user2 sanity
checking passes your end returning:
<!--success--><a
href="http://www.some_website.com/orderaccepted.php"><strong>CLICK
HERE</strong> to return to your account</a>
In this case the service delivery started by the DalPay Silent Post in updating the purchase
at your site’s end is clearly visible as being completed when we click through using that
link on the DalPay confirmation receipt page.
3.2 The sanity check of the order_num and total_amount plus user1 or user2 field sent in
to us with the order, as silent posted back to you, fails validation your end:
<!--success--><!--order attempt failed validation --><a href="http://www.some_website.com/orderfailed.php">Order was not completed. <strong>PLEASE CONTACT SITE SUPPORT</strong>. Click here to return to your account</a>
In this case when we click the link to view our account, it is clear that the purchase was
NOT completed and that your listening script did not start service delivery.
Internal Visa test orders (see p. 14) must have been run demonstrating both of these
cases, as viewable from the Silent Post response for the test transactions from ‘search
transactions’.
(Of course the return URL syntax and specific response and destination links will be
different for your implementation, but the test orders must show the clear difference
between a successfully validated silent post starting service delivery, and a silent post
failing validation your end and informing the customer even though their card was
successfully charged by DalPay.)
Please contact DalPay Support for further guidance.
Payment Card Industry Data Security Standard Compliance
DalPay operates its own PCI DSS Level 1 certified platform (the highest level
of payment service provider compliance) as gateway and front-end processor.
What Must Never Be Stored
Please note that under the Payment Card Industry Data Security Standard
(PCI DSS), Cardholder Data must be stored encrypted and Sensitive
Authentication Data must NOT be stored.
At the time of writing, Cardholder Data in the context of Card-Not-Present
transactions is defined as Primary Account Number (PAN) AKA card number,
Cardholder Name, and Expiration Date.
Sensitive Authentication Data in the context of Card-Not-Present transactions is
defined as the CVV2/CVC2/CID/CAV2 (the three digit or four digit Card
Security Code):
https://www.dalpay.com/en/support/card_security_code.html
You must never store the CVV2/CVC2/CID/CAV2, and it is prohibited to store
the full Primary Account Number yourself if you are posting transactions to the
DalPay Gateway via either DalPay Checkout, as DalPay performs PCI DSS
compliant storage of this sensitive information.
Storage of a truncated card number (i.e. the first 6 and last 4 digits of the
card number only) is permitted if it is based on the DalPay Checkout Instant
Silent Post, or DalPay Merchant Server Notification response fields.
If a merchant collects customer information via mail order or telephone
order and is authorized to use the DalPay Virtual Terminal feature via the
DalPay Merchant Menu to self-key the transaction then the merchant must at a
minimum have returned to the DalPay Risk Department a Payment Card
Industry Data Security Standard Self-Assessment Questionnaire A or C-VT
and Attestation of Compliance, including attestation that they do not store
the CVV2/CVC2/CID/CAV2 after authorization by the issuing bank or stand-in
processor, on any media, including on any paper form.
DalPay Checkout and Compliance
Using DalPay Checkout may simplify compliance with the Payment Card
Industry Data Security Standard (PCI-DSS), and Payment Application Data
Security Standard (PA-DSS) if a third-party shopping cart is used*.
This however is only true if you DO NOT collect, transmit or store sensitive
cardholder or bank account information.
Your shopping cart must be configured NOT TO collect or store any cardholder
data (i.e. name on card, card number, expiry date, card security code, 3-D
Secure password, or PIN) or bank account information, instead being
configured to redirect to DalPay Checkout when it is time for customers to
enter their payment card or bank account information.
Your operating jurisdiction may require specific protection of other cardholder
or transaction data as well, or proper disclosure of your company's practices if
consumer-related personal data is being collected during the course of
business.
(In Iceland for example DalPay is subject to, and compliant with the
requirements of Act no. 77/2000 on The Protection of Privacy as regards the
Processing of Personal Data.)
*Please consult a Qualified Security Assessor regarding PCI DSS and PA-DSS
compliance.
FIGURE 2: Extract from the PCI DSS Version 2.0
https://www.pcisecuritystandards.org/