This document summarises how to ensure that only purchase tokens which originate from your website can result in successfully authorised transactions. Where possible, links to online documentation have been included, should you wish to include this functionality within your web site or if you are developing a shopping cart which integrates with the WorldPay Payment Gateway.
To reduce the possibility of fraud it is recommended that your WorldPay integration takes advantage of at least one of the features covered in the sections below:
Select Pro and Select COM use 1024 bit encryption to protect certain elements of the purchase token (and 100% of the callback data we send). Please see http://support.worldpay.com/kb/integration_guides/pro/help/spig3300.html and http://support.worldpay.com/kb/integration_guides/pro/help/spig4310.html for further details.
Please note if you have used the Select COM buythis.asp script for testing (or for Select Pro the buythis servlet), you may wish to disable or restrict access to them once your site has gone live.
Where Select Pro or Select COM use is either impractical or impossible, the MD5 option for Select Junior is offered as a way of protecting HTML-based purchase tokens. Please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/tech_notes/sjig_tn_009.html for more information.
Once enabled, if a purchase token reaches WorldPay and we cannot verify it the shopper will be presented with the following text:
It is recommended that, if you implement the MD5 option for Select Junior, all variables that can have a value should be protected.
Preventing Duplicate Transactions
If you are using unique values of cartId in the purchase tokens submitted to WorldPay we can block duplicates of successfully authorised purchase transactions with the same cartId within any one hour period. Please contact your local Technical Support team by email requesting this, quoting the installation ID for which it is to be enabled.
It is advised that this facility is used in conjunction with the steps detailed in Limiting the Lifetime of a Purchase Token, to ensure that the purchase token becomes invalid after less than one hour. This combination ensures that even if the purchase token is cached in a shopper's web browser it cannot be used once it has expired.
Once enabled, if a duplicate value of cartId is detected by WorldPay then the shopper will be presented with the following text:
This value could be customised to include a link back to your web site, allowing the shopper to continue purchasing the desired product or service.
Limiting the Lifetime of a Purchase Token
It is possible to restrict the time within which a purchase token is valid for submission to WorldPay. For Select Junior this is catered for using the authValidFrom and authValidTo variables (see http://support.worldpay.com/kb/integration_guides/junior/integration/help/appendicies/sjig_10100.html). For Select COM this is illustrated in the example purchase.asp.txt, which is available (by default) in c:\worldpay\select\htdocs\select-docs when the Select COM object is installed. For Select Pro this can be done using the setAuthValidTime(long, long) (or setAuthValidTime(Date, Date)) method.
One way to determine any offset between the time on your server and WorldPay's is to fetch the exchange rates from WorldPay and use the commented timestamp at the top of the file. For more details on this please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/information_services/sjig_8100.html. Alternatively you can use ntp1.uk.psi.net, ntp2.uk.psi.net or ntp3.uk.psi.net to synchronise your server with WorldPay.
If authValidFrom is in the future then the shopper will be presented with the following text:
Data Integrity & Country Restrictions
The following technique is ideal if you wish to accept transactions from a specific country or range of countries. It has the added benefit of reducing the size of the WorldPay Payment Page.
If your web site collects and validates at least the mandatory elements of the Cardholder Details section of the WorldPay Payment Page (address, country and email), you can include these in the purchase token together with an extra parameter that either prevents this information from being edited or prevents it from being displayed at all. If you choose to restrict the number of billing countries available, you could subsequently verify that the country provided was correct using the AVS result. For more details please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/appendicies/sjig_10100.html.
Countries you may wish to exclude are listed on http://support.worldpay.com/kb/user_guides/fighting_fraud/ffg2011.html.
Although the value attribute of fixContact and hideContact (and withDelivery, if you've requested WorldPay to collect delivery details for you) is ignored, you could use a value of true. This would then allow you to protect these parameters as part of an MD5 signature within a Select Junior purchase token.
You could also use this for:
- Validating
- Ensuring that the address is formatted in a particular way.
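As an added example (not WorldPay's code, nor code from any integration described on this page), the following Python builds a Select Junior-style purchase token that applies the protections from the MD5, token-lifetime and contact-detail sections together: every value-bearing field, including fixContact and hideContact, is covered by the signature; authValidFrom and authValidTo limit the token's lifetime to well under the one-hour duplicate window, adjusted by whatever clock offset you measured; and the billing country is checked against an allow-list before the token is produced. The signature format used here (the secret and the protected values joined by ':' and MD5-hashed to hex) and the use of milliseconds since the Unix epoch for authValidFrom/authValidTo are assumptions; the authoritative formats are in the technical note and appendix linked above. The installation ID, secret and country allow-list are constructed values.

```python
import hashlib
import hmac
import time
from html import escape

# Constructed values: substitute your own installation ID and the secret agreed with WorldPay.
INST_ID = "123456"
MD5_SECRET = "example-secret-not-for-production"
ALLOWED_COUNTRIES = {"GB", "IE"}   # constructed allow-list of billing countries
SEPARATOR = ":"                    # assumed separator for signatureFields and for the hash input


def sign_fields(secret, token, signature_fields):
    """Assumed scheme: MD5 hex digest of the secret and the protected values joined by ':'."""
    parts = [secret] + [str(token[name]) for name in signature_fields]
    return hashlib.md5(SEPARATOR.join(parts).encode("utf-8")).hexdigest()


def build_purchase_token(cart_id, amount, currency, address, country, email,
                         lifetime_seconds=600, clock_offset_seconds=0.0, now=None):
    """Return the hidden-field values for a signed, time-limited purchase token.

    clock_offset_seconds is WorldPay's clock minus your server's clock, measured as the
    page suggests (exchange-rate file timestamp or NTP). lifetime_seconds must stay
    under one hour so the token expires before the duplicate-cartId window closes.
    """
    if country.upper() not in ALLOWED_COUNTRIES:
        raise ValueError(f"billing country {country!r} is not accepted")
    if lifetime_seconds >= 3600:
        raise ValueError("token lifetime must be shorter than the one-hour duplicate window")
    now = time.time() if now is None else now
    worldpay_now = now + clock_offset_seconds
    token = {
        "instId": INST_ID,
        "cartId": cart_id,
        "amount": f"{amount:.2f}",
        "currency": currency,
        "address": address,
        "country": country.upper(),
        "email": email,
        "fixContact": "true",    # value ignored by WorldPay, but "true" lets the field be signed
        "hideContact": "true",
        # assumed unit: milliseconds since the Unix epoch, shifted onto WorldPay's clock
        "authValidFrom": str(int(worldpay_now * 1000)),
        "authValidTo": str(int((worldpay_now + lifetime_seconds) * 1000)),
    }
    protected = list(token)   # protect every variable that carries a value
    token["signatureFields"] = SEPARATOR.join(protected)
    token["signature"] = sign_fields(MD5_SECRET, token, protected)
    return token


def verify_purchase_token(token, secret=MD5_SECRET):
    """Recompute the signature as the gateway would; False if any protected field was altered."""
    try:
        protected = token["signatureFields"].split(SEPARATOR)
        expected = sign_fields(secret, token, protected)
    except KeyError:
        return False
    return hmac.compare_digest(expected, token.get("signature", ""))


def render_hidden_inputs(token):
    """HTML hidden inputs for the form that posts the token to WorldPay."""
    return "\n".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">' for k, v in token.items()
    )


if __name__ == "__main__":
    t = build_purchase_token("order-1001", 19.99, "GBP", "1 High Street, Anytown",
                             "GB", "shopper@example.com")
    print(render_hidden_inputs(t))
    print("original verifies:", verify_purchase_token(t))
    print("tampered amount verifies:", verify_purchase_token(dict(t, amount="0.01")))
```

Because every field is listed in signatureFields, changing the amount, the contact details or the validity window in a cached or hand-crafted form invalidates the signature, which is the behaviour the MD5 option is there to provide.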
Maximising Use of AVS
You may wish to verify that the country provided on the WorldPay Payment Gateway matches the country the card issuer has associated with the card used for the transaction. To do this you should check that the last digit of the AVS result is 2, corresponding to a match.
If you are examining the value of AVS prior to providing goods or services, you may wish to ensure that the Make Payment button on the WorldPay Payment Page cannot be used unless a Security Code or postcode are provided.
These two parameters are optional. If you would like one or both of them to be made mandatory on the WorldPay Payment Gateway then please contact your local Technical Support Team by email requesting this, quoting the installation ID for which it is to be enabled.
Making these parameters mandatory only means that a value must be provided; you must still examine the value of AVS returned after a successful authorisation to determine your course of action.
Pre-Authorisation: The Ultimate Sanction
Pre-Authorisation gives you the final decision whether to accept a transaction even after WorldPay has returned the authorisation details to you. Unless you have a small number of transactions (i.e. where manual checks would be sufficient), you can use your own automated checking rules in a callback script to initiate a post-authorisation only for those you believe are sufficiently valid. For details on callback please see http://support.worldpay.com/kb/reference/faqs/callback_faqs.html.
Please note you must always ensure that you successfully post-authorise (i.e. complete) each pre-authorised transaction before supplying any goods or services to the shopper. WorldPay guarantee that the post-authorisation can be attempted for up to five days after the initial pre-authorisation, although it may fail if, for example, the associated card has been reported as lost or stolen.
To request pre-authorisation accounts be set up for you please contact pre-auth@worldpay.com, quoting your Company ID and whether you would like to use pre-authorisation either instead of or in addition to immediate authorisation. Documentation on automating the post-authorisation process is available at http://support.worldpay.com/kb/reference/faqs/remote_postauth_and_refunds.html.
Please note not all shopping cart solutions permit the changes required to take advantage of pre-authorisation with WorldPay; you will need to confirm that support for pre-authorisation is possible, how it can be set and whether or not it can be used alongside or instead of immediate authorisation accounts (as appropriate) before requesting the changes be made for you.
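As an added example, again not WorldPay's code, the following Python shows the decision logic a callback script might apply before initiating a post-authorisation, combining the AVS and pre-authorisation sections above: it ignores callbacks that are not successful authorisations, refuses a cartId already seen within the last hour as a merchant-side complement to the duplicate blocking WorldPay can enable, checks the billing country against an allow-list, and applies the AVS rule (last digit 2 means the country matched). The transStatus parameter and its value Y for an authorised transaction are taken from WorldPay's callback documentation rather than from this page; the sample callback parameters, the allow-list and the one-hour window are constructed.

```python
import time

ALLOWED_COUNTRIES = {"GB", "IE"}   # constructed allow-list, matching the purchase-token side


class CallbackDecider:
    """Decides, per callback, whether a pre-authorised transaction should be post-authorised."""

    def __init__(self, dedup_window_seconds=3600):
        self.window = dedup_window_seconds
        self.seen = {}   # cartId -> time its first authorised callback was processed

    def decide(self, params, now=None):
        """Return (action, reason); only 'post-authorise' should trigger the completion call."""
        now = time.time() if now is None else now
        # transStatus=Y denotes an authorised transaction (per WorldPay's callback docs).
        if params.get("transStatus") != "Y":
            return ("ignore", "callback is not a successful authorisation")

        cart_id = params.get("cartId", "")
        first_seen = self.seen.get(cart_id)
        if first_seen is not None and now - first_seen < self.window:
            return ("reject", f"duplicate cartId {cart_id!r} within the dedup window")
        self.seen[cart_id] = now

        country = params.get("country", "").upper()
        if country not in ALLOWED_COUNTRIES:
            return ("hold", f"billing country {country!r} is not accepted")

        # Page rule: the last digit of the AVS result is the country check; 2 means matched.
        avs = params.get("AVS", "")
        if not avs or avs[-1] != "2":
            return ("hold", f"AVS country check did not match (AVS={avs!r})")

        return ("post-authorise", "all automated checks passed")


# Constructed sample callbacks, shaped like the parameters WorldPay posts to a callback script.
SAMPLE_CALLBACKS = [
    {"cartId": "order-1001", "transStatus": "Y", "country": "GB", "AVS": "2222"},
    {"cartId": "order-1001", "transStatus": "Y", "country": "GB", "AVS": "2222"},  # replay
    {"cartId": "order-1002", "transStatus": "Y", "country": "GB", "AVS": "2224"},  # country mismatch
    {"cartId": "order-1003", "transStatus": "Y", "country": "US", "AVS": "2222"},  # disallowed country
    {"cartId": "order-1004", "transStatus": "C", "country": "GB", "AVS": "2222"},  # not authorised
]


def run_sample(decider=None, now=1000.0):
    """Process the constructed callbacks in order and return the list of actions taken."""
    decider = decider or CallbackDecider()
    return [decider.decide(p, now=now)[0] for p in SAMPLE_CALLBACKS]


if __name__ == "__main__":
    for params, action in zip(SAMPLE_CALLBACKS, run_sample()):
        print(params["cartId"], "->", action)
```

Anything other than post-authorise leaves the transaction as a pre-authorisation, which can still be completed manually within the five-day window if a human review clears it; a replayed or tampered callback therefore never results in goods being released automatically.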
Used in combination, these elements offer a high degree of security against anyone simply submitting purchase tokens through one of your installations to the WorldPay Payment Gateway for fraudulent means - and all this comes in addition to the services offered by WorldAlert detailed in http://support.worldpay.com/kb/user_guides/fighting_fraud/fighting_fraud_guide.html.
Last update: 14 February 2005