Toolbox

A payment gateway is an e-commerce application service provider that authorizes payments for e-businesses, on-line retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateway protects credit cards details encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant and also between merchant and payment processor.

Workflow

A payment gateway facilitates the transfer of information between a payment portal and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway enabled merchant, the payment gateway performs a variety of tasks to process the transaction:

A customer swipe the credit card and the device reads the information stored in the card.
The merchant sends the transaction details to their payment gateway, this is done via SSL (Secure Socket Layer) encryption.
The payment gateway forwards the transaction information to the processor used by the merchant's acquiring bank.
The processor forwards the transaction information to the card association (i.e., Visa/MasterCard).
The card association routes the transaction to the correct card issuing bank.
The credit card issuing bank receives the authorization request and sends a response back to the processor with a response code.
The processor forwards the response to the payment gateway.
The payment gateway receives the response, and forwards it on to the interface used to process the payment where it is interpreted and a relevant response then relayed back to the cardholder and the merchant.

Payment Gateway workflow diagram

User tutorial

Card Present Transaction

Card present (also called face-to-face) transactions are those in which both the payment card and the cardholder are present at the time the payment is processed. Merchants operating in face-to-face environments are required to make all efforts to ensure that transactions are legitimate. The process of card acceptance is conducted at physical terminals and the preparedness of their operators is critical for the proper execution of the transaction.

Standards

EMV

Introduction: In 2000 the European Commission decided that to foster innovation (Lisbon Agenda) the single market must make it easier to move money around the EU. Specifically, cross-border payments should not cost more than domestic payments. In other words, you can use your bank card in another EU country and they won’t charge you any more commission to withdraw money as they do in your home country. This initiative is known as the Single Euro Payment Area (SEPA). The SEPA zone encompasses 31 european countries (EU-27 plus Liechtenstein, Iceland, Norway and Switzerland). To make SEPA a reality, all EU banks need to agree on the same standards and implement the same procedures to ensure interoperability at the moment of accepting a card. To give an example, a cash machine (ATM) in Austria should be capable of accepting and understanding a card issued by an Italian bank. Said and done: the standard was developed by Europay, Mastercard and Visa and they called it EMV (the initials of the three companies). EMV will mean that there will be no difference between national and transfers within Europe. EMV will make SEPA a reality - meaning cheaper payments and faster money transfers between countries in the eurozone.

Advantages: The EMV standard is based on "Smart cards with a microprocessor chip" and this microprocessor chip is capable of storing not just financial applications (EMV) but also other types of application such as strong authentication and digital signature. EMV financial transactions are more secure against fraud than traditional credit card payments which use the data encoded in a magnetic stripe on the back of the card. This is due to the use of encryption algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction processing center. The majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt.

Deployment deadline in Europe: The banks of these 31 countries are obliged by SEPA to migrate all their magnetic strip cards to EMV smart cards. They have from January 2008 to 31st December 2010 to do the migration.

Openbravo POS: The future Openbravo POS payment gateway class architecture will support all the requirements needed to implement the EMV standard, it is as simple as adding a new class which implements PaymentGateway interface.

PCI DSS

The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organisation is handling, but regardless of the size of the organisation, compliance must be assessed annually. Organisations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ).

More information about the requirements.

Getting an account

First step is to get a merchant account to start processing Card Present Transactions. Is necessary to contact the gateway (by a web inquiry form, email, telephone...) to do it. All gateways provide a Virtual Terminal which allows you to manually process credit card transactions from any computer with an Internet connection in the world. You simply login to a secure website with a login and password and you are able to charge cards, perform authorizations, and even process credits. In addition, you have complete on-line reporting of all your transactions and orders.

Authorize.NET: You need API Login and Transaction Key parameters to configure Card Present transactions in Openbravo POS.

Official Website: http://www.authorize.net/
Getting Started: http://www.authorize.net/files/ecommerceguide.pdf
Pricing: http://www.authorize.net/solutions/merchantsolutions/pricing/

PayPoint: You need Merchant ID and Transaction Key parameters.

Official Website: http://www.paypoint.net/
Getting Started: http://www.paypoint.com/contact.aspx
Pricing: http://www.paypoint.net/secpay-payment-gateway/

PlanetAuthorize: You need Username and Password parameters.

Official Website: http://www.planetauthorize.net
Getting Started: to obtain a merchant account for your business simply complete our Payment Gateway Only Account Setup Form. Merchant Account Application. Click here for more information.
Pricing: http://planetauthorize.net/pricing.html
Online help desk and knowledgebase: http://planetauthorize.com/vtigerlive/customerportal/login.php

PaymentsGateway: You need Merchant ID and Password parameters.

Official Website: https://www.paymentsgateway.net/
Getting Started:

First Data: You need Store Name, User ID and p12 file.

Official Website: http://www.firstdata.com/
Getting Started:
- https://contact.firstdata.com/callback.htm
- http://www.firstdata.com/product_solutions/ecommerce/global_gateway/virtual_terminal.htm

La Caixa: The solution they provide is Cyberpack. You need Merchant Code, Terminal and Commerce sign.

Official Website: http://empresa.lacaixa.es/home/empresas_es.html

Magnetic Card Reader

Tracks

All the information inside the financial transaction cards is stored in three tracks. This data (alphanumeric characters) follow a specific format defined by the international standard ISO/IEC 7813.

Types

The magnetic swipe reader must be configured in keyboard mode to work with Openbravo POS. Open a text editor and swipe the card. The tracks information should appear in the editor.

Example of Track1
%B1234567890123445^SURNAME1 SURNAME2/NAME ^99011200000000000000**XXX******?*

View Hardware Installation Tutorial for more information.

In the configuration panel is possible to select between four different types of magnetic card readers:

Not defined: no card reader available.
Intelligent: is a special and not very common reader. Is called intelligent because it parses automatically the tracks information in order to extract the most significant fields of the large list of characters: cardholder name, card number and expiration date.
Generic: is the most used. Is mandatory in Card Present Transactions to have a generic magnetic card reader. Sending all the tracks data make the validation process easier to the gateway and this becomes beneficial to the merchant because the transaction fees are reduced.
Keyboard: allows to enter by the keyboard cardholder, card number and expiration date. Is useful when the POS doesn't have a magnetic card reader. In this case the vendor needs to type the data visible in the card of the client in Payment window of Openbravo POS.

Openbravo POS configuration

Open Openbravo POS and login selecting an user with sufficient privileges to modify configuration settings. Go to Configuration panel and scroll down until you can view Payment configuration parameters.

Payment gateway configuration panel

The configuration values are as follows:

Mag card reader: select the device used to read magnetic card information. Is mandatory to have a magnetic card reader defined to allow selecting card payment type in Payment dialog.
- Not defined: device not defined. (by default).
- Intelligent: special type of magnetic card readers.
- Generic: Input data is read with a generic magnetic card reader.
- Keyboard: allow to insert card data through the keyboard. It is useful for test environment.
Payment gateway: a list of supported payment gateways.
Test mode: must be enabled to use in a test environment (with a test account).
Payment Gateway specific parameters: each payment gateway needs specific parameters configured to work successfully. After acquiring a merchant account (or test account) the payment gateway provides you this values, usually they involve a merchant name and password.

Save and restart the application.

Running transaction

Request for a merchant account to the payment gateway company in order to get required configuration values.
Configure Openbravo POS correctly.
In Payment dialog select Card tab and depending the magnetic card reader type selected fill cardholder information fields.
Press OK button and wait for the response of the gateway.
- Success: the process ends correctly and you return to the sales window automatically.
- Fail: the gateway can't validate sent data and it returns an error code explaining the reason of the failure. The information will be displayed in the Payment window.

Openbravo POS payment window

Planetauthorize Example

Planetauthorize payment gateway supports all major forms of credit card transactions including Visa, MasterCard, American Express, Discover, diners Club and JCB.

This payment platform is Multi-Currency. Currency support includes US Dollar, Euro, Australian Dollar, British Pound, Canadian Dollar, Danish Krone, Hong Kong Dollar, Japanese Yen, New Zealand Dollar, Norwegian Krone, South African Rand, Swedish Krona, swish Franc and more.

Planetauthorize payment gateway can support merchant accounts issued by any bank as long as the merchant account runs on one of the following 8 processing networks: Vital, Global Payments - East, Pago, Concord/Buypass, FDMS - Nashville, FDMS - Omaha, Paymentech Salem or Paymentech Tampa.

In the following steps the workflow is explained through an example by the user point of view. A test account is used for this purpose, note that some instructions could differ from the real merchant account.

Get an account: Put in contact with Planetauthorize and they will provide you some keys to access to the virtual terminal and make Card Present Transactions. The next step is associate your bank account to the Planetauthorize gateway in order to process transactions. The parameters needed in Openbravo POS are Username and Password.

Configure Openbravo POS: Login as Administrator and go to Configuration. Following Openbravo POS Configuration section, select Planetauthorize as Payment Gateway and fill Commerce ID = Username and Commerce pass = Password fields with the data provided by the gateway. Save and restart the application.

Finish a sale: Once in the Payment window (after pressing equals (=) button in Sales window), select Card tab and depending on the magnetic card reader type selected complete the form and press OK button. Wait until the process finish (2-3 seconds) and if it ends correctly you will be redirected to Sales window again with an empty ticket.

Checking the transaction in the virtual terminal: Point in your browser the URL provided by Planetauthorize and login the Virtual Terminal. This is the place where you can manage all transactions and create reports. In the left menu, click on Reports, then configure the filter and click on the Submit button. A table will appear with information regarding to each transaction made.

Planetauthorize transactions report

If you click on the ID assigned you will get all the information related to this transaction.

Planetauthorize transaction details

Refund the transaction: Two ways to make a refund.

By Openbravo POS: go to Edit sales panel, search the ticket and refund it.
By the Virtual Terminal: in the details of the transaction (See previous image) click on Refund and confirm.

Planetauthorize refund transactions

In this image two new refunds are shown. View the Type and Amount columns to notice that they are refunds.

Developers tutorial

Architecture

The base interface in Openbravo POS that performs payments is PaymentGateway (com.openbravo.pos.payment). All the payment gateways providers have its own implementation of this interface that deals with the technical details of the communication with the payment gateway services.

Payment Gateways class diagram

Each payment gateway implements PaymentGateway interface and overrides execute method using their own API.

public void execute(PaymentInfoMagcard payinfo);

Creating new Payment Gateway

This flexible and extensible architecture reduces the effort required to modify an existing functionality and minimizes the impact of adding a new payment gateway provider.

If the developers wants to implement a new payment gateway the process is described in the next steps:

Note: by default the package of a class is com.openbravo.pos.payment in the following steps, if the package is different it will be explicitly shown.

Create new class in com.openbravo.pos.payment package which implements PaymentGateway interface. You can use one of the existing classes (PaymentGatewayAuthorizeNet...) as example.
Override execute method using the API provided for the gateway.

@Override
public void execute(PaymentInfoMagcard payinfo) {
  //Your code
}

Configuration Panel

Modify the configuration panel of the application to show in the combo box the gateway what you are creating:

Create new Panel which implements PaymentConfiguration interface. The purpose of this panel is to allow user to insert the configuration parameters of the gateway. Use ConfigPaymentPanelGeneric as example.
Add the Panel created recently to JPanelConfigPayment (com.openbravo.pos.config) constructor.

initPayments("MyGateway", new ConfigPaymentPanelMyExample());

Add in PaymentGatewayFac the sentence to create the instance of the gateway.

else if ("MyGateway".equals(sReader)) {
 return new PaymentGatewayMyExample(props);
}

Compile.

Checking gateway response

During test phase is very useful to know what is exactly the response of the gateway in order to fix any problem.

In the execute method, the input is buffered and it must be read with readLine(). Depending of the response type you should need only one call to this method or a loop.

BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
response = in.readLine();

All the replied information is stored in this variable and it could be used to debugging purposes.

Suppported Payment Gateways

Authorize.NET

Documentation

http://developer.authorize.net
Card Present (CP) Implementation Guide: Hardware and software developers that serve retail merchants use the Card Present application programming interface (API). This document provides partners and developers with information about the technical specifications and features of the Card Present integration to the payment gateway. View this guide (PDF).

Test account

http://developer.authorize.net/testaccount/

PayPoint

Documentation

http://www.paypoint.net/support/payment-gateway-support/
http://www.paypoint.net/support/payment-gateway-support/resources1/ (is necessary to complete a form to get guides).

Test Account

https://www.secpay.com/secnet/app

Planetauthorize

Documentation

Test account

https://www.planetauthorize.net/tinc?key=IK7KK4X8&formname=gateway_test_account

PaymentsGateway

Documentation

https://www.paymentsgateway.net/developers.aspx
In the forum http://forum.paymentsgateway.net/ an account is required.

First Data

Documentation

http://www.firstdata.com/support/manuals_and_guides/index.htm

Test account

http://www.firstdata.com/product_solutions/ecommerce/global_gateway/apply_test_account.htm

La Caixa

Web information not available at this moment.

FAQ

1. Transaction error: null using LinkPoint

The exception launched is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This simply means that the web server or the URL you are connecting to does not have a valid certificate from an authorized CA.

So, you need to do is to import the server certificate and install it in your JDK's keystore.

Point your browser to https://secure.linkpt.net:1129 or https://staging.linkpt.net:1129 (if you are in test mode)
Download the certificate: when you access for first time you need to accept a certificate and you can download (or import) it to a file.
- For example, in Firefox: Menu -> Edit -> Preferences -> Advanced -> View Certificates.

Windows

A tipical path: C:\Program Files\Java\jdk1.6.0_13\jre\bin\keytool.exe

Import the certificate:

keytool -import -alias linkptstaging -keystore ..\lib\security\cacerts -file "path of the certificate file"

You can check all installed certificates with:

keytool -list -keystore ..\lib\security\cacerts

More information...

Linux

Import the certificate:

sudo /usr/lib/jvm/java-6-sun-1.6.0.07/bin/keytool -import -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -file "path of the certificate file" -alias linkptstaging

You can check all installed certificates with:

keytool -list -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts

The default password of the keystore is: changeit