The PTechCanadianDebit component is used to authorize face-to-face Interac (Canadian) debit card transactions with the Paymentech NetConnect system on the Tampa platform. This component allows for simple, direct, secure communication to the Paymentech TLS/SSL gateway through a standard Internet connection. This component can be integrated into web pages or stand-alone Point Of Sale applications. Because all TLS/SSL communications are handled inside the component, any application or web page can be deployed without the need for expensive dedicated TLS/SSL servers.
Canadian debit card processing on the Paymentech system is fundamentally different than authorizing US Debit cards. The US protocol requires an encrypted PIN block and Key Sequence Number (KSN), retrieved from a PIN Pad utilizing the DUKPT (DES/3DES) encryption protocols. However, Interac (Canadian) Debit uses Master/Session key authentication to retrieve an encrypted key from a PIN Pad. This is a much more complex procedure, and requires the use of a Chase Paymentech certified PIN pad (we recommend the Ingenico i3070).
A unique key per device for both the PIN key and the MAC key is required. All PIN pads must have a unique key injected at the time of deployment. In order for Chase Paymentech to identify the Master Key being used by the device, the PIN pad serial number (PinPadSerialNumber) is required to be sent with every transaction.
Before you can send any debit card transactions, you must first load the PIN Pad with a current session key. This is retrieved from Paymentech via the RequestCurrentKeys method. Two keys will be returned in the response: PINKey (also known as TPK) and MACKey (also known as TAK). Both keys must be loaded into the PIN pad device. The PIN key is used by the PIN pad to encrypt the customer's PIN, and the MAC key is used to generate hash values used in requests and responses. These keys are updated after every transaction, and the PIN pad must be updated with the current keys each time a response is received.
Each transaction you send (excluding RequestCurrentKeys and MACReversals) requires an accompanying MACValue. This value is a hash of the contents of GetRequestDataToMAC, and is hashed by the PIN Pad device using the MACKey returned in response to the last transaction.
In each response there is also a MACValue. You must use the PIN Pad to calculate the hash of the value returned by GetResponseDataToMAC for each response, and make sure that calculated value matches the MACValue. If they do not match, you cannot accept the transaction, and you must send an MACReversal transaction (tor MACReversals you may send the MACValue used in the original request, or omit it entirely - do not calculate a new one).
The following code illustrates the steps necessary to initialize the PIN Pad and begin sending transactions:
First, set up the component with your merchant information.
' Set up the component component.MerchantNumber = "yourMerchantNumber" component.TerminalNumber = "100" component.ClientNumber = "0002" component.UserId = "yourUserId" component.Password = "yourPassword"Then, retrieve the current PIN and MAC encryption keys with the RequestCurrentKeys method, as shown below. (The following code will also update the EncryptedKeyIndex).
component.SequenceNumber = 1 component.PinPadSerialNumber = "FFFFFFFFFFFFFFFF" ' retrieved from your PIN Pad component.RequestCurrentKeys()After receiving a valid response to RequestCurrentKeys, it is essential that you update the PIN pad with the PINKey and MACKey. The PINKey is used by the PIN pad to encrypt the customer's pin, and the MACKey is used by the PIN pad's MAC function. Now we are able to send an actual customer sale transaction. First, set up the transaction details:
component.SequenceNumber = 2 component.InteracTransactionType = ittSale ' Set this before calling GetRequestDataToMAC method component.TransactionAmount = "1.00"Now, have the customer swipe his card, and pass the TransactionAmount, Number, and GetRequestDataToMAC to the PIN pad in a PURCHASE transaction. After the customer enters his PIN, use the response from the PIN pad to fill the following properties:
component.CardTrack2Data = "9999999800002773=05121015432112345678" ' retrieved from your card reader component.AccountType = acctChecking ' retrieved from your PIN pad component.EncryptedPIN = "FFFFFFFFFFFFFFFF" ' retrieved from your PIN pad component.MACValue = "FFFFFFFF" ' retrieved from your PIN padOnce all the above properties are set, you can call the Authorize method to send the transaction to Paymentech for authorization.
component.Authorize()If the transaction was successful, the Code field will contain "A" (for Approval). Before processing the response, you must first analyze the response with the PIN pad to verify that the MACValue is correct, load the newly returned keys, and print the transaction's success or failure on the PIN pad device for the customer to read. To do this, you send the PINKey, MACKey, and GetResponseDataToMAC to the PIN pad in a "Response Analysis" transaction. The PIN Pad response will indicate if the MAC value matches and the keys were successfully loaded.
If the MAC validated correctly, you're done with this transaction. However, if it did not validate, then you must send a MACReversal to abort the transaction, and then re-send it. If you are unable to verify the contents of the MACValue after another transaction attempt, refresh your keys via the RequestCurrentKeys method and try again. You must call RequestCurrentKeys any time the PIN pad loses sync with the Paymentech server, or whenever the ForceKeyRequest property is true (or when initializing the PIN pad for the first time).
The status of any of the above transactions will be stored in the Code field, with human-readable text appearing in Text. Like the PTechCharge component, there are several other Response fields which will contain data that should be logged. However, there are a few new properties specific to the PTechCanadianDebit component that must be printed on each customer's receipt. These include RetrievalNumber, Time, and Trace.
Debit card transactions are instant funds transfers. There is no block placed on the debit card, funds are immediately removed and sent to the merchant. Therefore, only the Host Capture settlement mode is supported. At the end of the day you should release the current batch using the PTechHostSettle component (the batch may contain other authorizations that were made using different components from this product. See the documentation for the other components you are using for more information).
Note: All PIN pads must be certified with Chase Paymentech and Interac prior to being used or deployed. All injection services must be approved and certified by Chase Paymentech.
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
|AccountType||Account type selected by the cardholder.|
|CardNumber||The credit card number parsed from the CardTrack2Data .|
|CardTrack2Data||The Track2 portion of the debit card's magnetic stripe.|
|ClientNumber||Merchant configuration property, assigned by Paymentech.|
|DebitCashBack||Optional cash back amount for debit transactions.|
|DebitSurcharge||Extra amount the merchant charges the customer for using a debit card.|
|EncryptedKeyIndex||Specifies the current keys that are in use in the PIN pad and by Paymentech.|
|EncryptedPIN||Customer's PIN, encrypted by a PIN pad under the current PINKey .|
|InteracTransactionType||Indicates the type of transaction to authorize.|
|LastRetrievalNumber||The last RetrievalNumber received from the host. Used for Void transactions.|
|MACValue||Hash of transaction data used to verify message was not tampered with.|
|MerchantNumber||A unique number used to identify the merchant, assigned by Paymentech.|
|Password||Password for authentication with the NetConnect Server .|
|PinPadSerialNumber||The serial number retrieved from the PIN pad.|
|Proxy||A set of properties related to proxy access.|
|Response||Contains the response to the authorization.|
|RetrievalNumberToVoid||Indicates the transaction to void.|
|SequenceNumber||Sequence number of the transaction.|
|Server||The URL for the PaymenTech NetConnect server.|
|SSLAcceptServerCert||Instructs the component to unconditionally accept the server certificate that matches the supplied certificate.|
|SSLCert||The certificate to be used during SSL negotiation.|
|SSLServerCert||The server certificate for the last established connection.|
|TerminalNumber||Terminal number assigned by Paymentech.|
|Timeout||A timeout for the component.|
|TransactionAmount||Purchase amount for an authorization.|
|UserId||UserId for authentication with the NetConnect Server .|
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
|Authorize||Authorizes a Canadian debit card transaction.|
|Config||Sets or retrieves a configuration setting .|
|GetRequestDataToMAC||Returns a string of data for the PIN pad to hash with the MAC algorithm.|
|GetResponseDataToMAC||Returns a string containing data to validate against the MACValue using a PIN pad device.|
|Interrupt||Interrupt the current method.|
|MACReversal||Reverses a transaction when MAC validation fails.|
|RequestCurrentKeys||Used to retrieve the current encryption keys from Paymentech.|
|Reset||Clears all properties to their default values.|
|ReversalAdvice||Used if no response is received from the Server to void the authorization.|
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
|DataPacketIn||Fired when receiving a data packet from the transaction server.|
|DataPacketOut||Fired when sending a data packet to the transaction server.|
|Error||Information about errors during data delivery.|
|SSLServerAuthentication||Fired after the server presents its certificate to the client.|
|SSLStatus||Shows the progress of the secure connection.|
The following is a list of configuration settings for the component with short descriptions. Click on the links for further details.
|CustomerDefinedData||Additional transaction identification data.|
|SystemInformation||System Information field for Batch Inquiry and Release transactions.|
|SettlementMode||Indicates whether the component uses Paymentech's Host Capture or Terminal Capture system.|
|ResponsePOSRetrievalNumber||POS Retrieval Number sent in the request, echoed back in the response.|
|EMVData||The EMV data returned from a Pin Pad after reading an EMV card.|
|EMVEntryDataSource||The EMV Data Entry Source (DES).|
|ResponseEMVData||The response EMV data.|
|ResponseEMVCardAuthCode||The ChaseNet and Visa card authentication results code.|
|ResponseEMVDownloadIndicator||Whether EMV parameters should be updated.|
|AcceptEncoding||Used to tell the server which types of content encodings the client supports.|
|AllowHTTPCompression||This property enables HTTP compression for receiving data.|
|AllowHTTPFallback||Whether HTTP/2 connections are permitted to fallback to HTTP/1.1.|
|AllowNTLMFallback||Whether to allow fallback from Negotiate to NTLM when authenticating.|
|Append||Whether to append data to LocalFile.|
|Authorization||The Authorization string to be sent to the server.|
|BytesTransferred||Contains the number of bytes transferred in the response data.|
|EncodeURL||If set to true the URL will be encoded by the component.|
|FollowRedirects||Determines what happens when the server issues a redirect.|
|GetOn302Redirect||If set to true the component will perform a GET on the new location.|
|HTTPVersion||The version of HTTP used by the component.|
|HTTP2HeadersWithoutIndexing||HTTP2 headers that should not update the dynamic header table with incremental indexing.|
|IfModifiedSince||A date determining the maximum age of the desired document.|
|KeepAlive||Determines whether the HTTP connection is closed after completion of the request.|
|LogLevel||The level of detail that is logged.|
|MaxHeaders||Instructs component to save the amount of headers specified that are returned by the server after a Header event has been fired.|
|MaxHTTPCookies||Instructs component to save the amount of cookies specified that are returned by the server when a SetCookie event is fired.|
|MaxRedirectAttempts||Limits the number of redirects that are followed in a request.|
|NegotiatedHTTPVersion||The negotiated HTTP version.|
|OtherHeaders||Other headers as determined by the user (optional).|
|ProxyAuthorization||The authorization string to be sent to the proxy server.|
|ProxyAuthScheme||The authorization scheme to be used for the proxy.|
|ProxyPassword||A password if authentication is to be used for the proxy.|
|ProxyPort||Port for the proxy server (default 80).|
|ProxyServer||Name or IP address of a proxy server (optional).|
|ProxyUser||A user name if authentication is to be used for the proxy.|
|TransferredData||The contents of the last response from the server.|
|TransferredDataLimit||The maximum number of incoming bytes to be stored by the component.|
|TransferredHeaders||The full set of headers as received from the server.|
|UseChunkedEncoding||Enables or Disables HTTP chunked encoding for transfers.|
|ChunkSize||Specifies the chunk size in bytes when using chunked encoding.|
|UsePlatformHTTPClient||Whether or not to use the platform HTTP client.|
|UserAgent||Information about the user agent (browser).|
|KerberosSPN||The Service Principal Name for the Kerberos Domain Controller.|
|ConnectionTimeout||Sets a separate timeout value for establishing a connection.|
|FirewallAutoDetect||Tells the component whether or not to automatically detect and use firewall system settings, if available.|
|FirewallHost||Name or IP address of firewall (optional).|
|FirewallListener||If true, the component binds to a SOCKS firewall as a server (IPPort only).|
|FirewallPassword||Password to be used if authentication is to be used when connecting through the firewall.|
|FirewallPort||The TCP port for the FirewallHost;.|
|FirewallType||Determines the type of firewall to connect through.|
|FirewallUser||A user name if authentication is to be used connecting through a firewall.|
|KeepAliveTime||The inactivity time in milliseconds before a TCP keep-alive packet is sent.|
|KeepAliveInterval||The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.|
|Linger||When set to True, connections are terminated gracefully.|
|LingerTime||Time in seconds to have the connection linger.|
|LocalHost||The name of the local host through which connections are initiated or accepted.|
|LocalPort||The port in the local host where the component binds.|
|MaxLineLength||The maximum amount of data to accumulate when no EOL is found.|
|MaxTransferRate||The transfer rate limit in bytes per second.|
|ProxyExceptionsList||A semicolon separated list of hosts and IPs to bypass when using a proxy.|
|TCPKeepAlive||Determines whether or not the keep alive socket option is enabled.|
|UseIPv6||Whether to use IPv6.|
|UseNTLMv2||Whether to use NTLM V2.|
|CloseStreamAfterTransfer||If true, the component will close the upload or download stream after the transfer.|
|TcpNoDelay||Whether or not to delay when sending packets.|
|CACertFilePaths||The paths to CA certificate files when using Mono on Unix/Linux.|
|LogSSLPackets||Controls whether SSL packets are logged when using the internal security API.|
|ReuseSSLSession||Determines if the SSL session is reused.|
|SSLCipherStrength||The minimum cipher strength used for bulk encryption.|
|SSLEnabledProtocols||Used to enable/disable the supported security protocols.|
|SSLIncludeCertChain||Whether the entire certificate chain is included in the SSLServerAuthentication event.|
|SSLProvider||The name of the security provider to use.|
|SSLSecurityFlags||Flags that control certificate verification.|
|SSLCACerts||A newline separated list of CA certificate to use during SSL client authentication.|
|SSLEnabledCipherSuites||The cipher suite to be used in an SSL negotiation.|
|TLS12SignatureAlgorithms||Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True.|
|TLS12SupportedGroups||The supported groups for ECC.|
|TLS13KeyShareGroups||The groups for which to pregenerate key shares.|
|TLS13SupportedGroups||The supported groups for (EC)DHE key exchange.|
|TLS13SignatureAlgorithms||The allowed certificate signature algorithms.|
|AbsoluteTimeout||Determines whether timeouts are inactivity timeouts or absolute timeouts.|
|FirewallData||Used to send extra data to the firewall.|
|InBufferSize||The size in bytes of the incoming queue of the socket.|
|OutBufferSize||The size in bytes of the outgoing queue of the socket.|
|GUIAvailable||Tells the component whether or not a message loop is available for processing events.|
|UseBackgroundThread||Whether threads created by the component are background threads.|
|UseInternalSecurityAPI||Tells the component whether or not to use the system security libraries or an internal implementation.|