CN!Express® User Guide - Auric Systems InternationalExpressUserGuide.pdf · 2019. 2. 14. · III...
Transcript of CN!Express® User Guide - Auric Systems InternationalExpressUserGuide.pdf · 2019. 2. 14. · III...
The CN!Express® application is sunset.Please see inside for options.
CN!Express®
User Guide
Auric Systems International
Copyright © 2016 Auric Systems International. All rights reserved.
www.auricsystems.com
tokenize what matters®
3
The CN!Express® payment application is Sunset.This is the last formal release of the CN!Express® payment processing application.Information regarding the sunset and migration options are available at:
https://www.auricsystems.com/payment-apps/#cnx
Contents
Welcome to CN!Express®11
I Installation and Configuration 15
Installing CN!Express® on Windows®17
Installing CN!Express® on Linux®21
Configuring CN!Express®25
Encrypted/Secure HTTPS 35
Remote Firebird® Database 37
Tokenization 43
Uninstalling CN!Express®49
Auric Key Management Proxy 51
II Payment Processors 53
6
Working with your Payment Processor 55
Cardinal Commerce 57
Chase Paymentech 59
eBillme 65
First Data Global Gateway 75
TSYS Merchant Solutions–PayFuse 77
Vantiv®(formerly Litle & Co.) 79
Cielo Payments Inc. (Formerly Merchante-Solutions) 85
PayPal 89
Paypal PayFlow Pro 91
TenderCard 93
TransFirst 97
III PA DSS Secure Implementation Guide 99
Overview of PCI-Compliance Practices 101
Magnetic Stripe and CVV2 Data 103
7
Protect Stored Cardholder Data 107
Secure Authentication Features 111
Log Payment Application Activity 113
Develop Secure Payment Applications 115
Protect Wireless Transmissions 117
Test Payment Applications to Address Vulnerabilities 119
Facilitate Secure Network Implementation 121
Cardholder Data Must Never Be Stored on a Server Connected To the Internet123
Secure Remote Access and Updates 125
Facilitate Secure Remote Software Updates 127
Encrypt Sensitive Traffic 129
Encrypt all Non-Console Administrative Access 131
Maintain Instructional Documentation and Training Programs 133
Secure File Deletion 135
8
Key Management 137
Internal Encryption 139
Encrypting Import/Export Files 141
IV Appendices 145
Action Codes 147
ASI Response Codes 151
Soft Descriptors 153
Processor-Specific Attributes 157
Verified by Visa CAVV Response 161
ICV-Style Files 165
Repair Firebird® Database 169
Secure Deletion: sdel 171
Field Reference 173
Currency Codes 263
Index 267
List of Tables
1 CN!Express® Instant Tokenization™ actions. 44
2 ASI Response Codes for Instant Tokenization™44
3 eBillMe Transactions 67
4 eBillme response batch fields 71
5 eBillMe ‘Q’ batch file responses 72
6 Pre-paid card filtering rules 81
7 Automatic Account Updater Fields 83
8 CN!Express® action codes. 147
9 CN!Express® response codes. 151
10 Verified by Visa CAVV Response Codes 163
11 ICV-style action codes 166
12 CN!Express® field reference. 173
13 Currency Codes 263
Welcome to CN!Express®
Thank you for selecting the CN!Express® payment processing appli-cation. CN!Express® provides a consistent and speedy connectionto your payment processing service and easily manages all of yourtransactions. Once CN!Express® is configured, you rarely need tomanually interact with it.
Payment processing is not just credit cards any more. CN!Express®
supports a wide range of payment options, including a direct connec-tion to PayPal Express Checkout services.
CN!Express® offers the following features (depending on the capa-bilities of your processing service):
• From two (CX-7002) to one hundred (CX-7100) simultaneous con-nections to your payment processor(s).
• Simultaneous support for multiple processors, without you need-ing to sort/batch your transactions individually.
• Legacy file and modern HTTP/S interfaces.
• Direct connections to payment processor gateways.
• Support for many methods of payment including:
– Credit cards
– Purchase card level 2
– Electronic checks
– PayPal
• Federally-approved 256-bit AES encryption for sensitive data.
• Follows Visa’s Payment Application Best Practices for PCI compli-ance.
Supported Processing Services
CN!Express® supports the following payment processing services:
12 cn!express®
• Chase Paymentech Solutions/Orbital Gateway/Salem
• First Data/Global Gateway
• Merchant e-Solutions/Transcom
• Transfirst/eLink
• PayPal Express Checkout
Simultaneous Connections
CN!Express® supports multiple simultaneous connections to pay-ment processors. This allows CN!Express® to process transactionsin parallel with each other. Depending on the model, CN!Express®
supports from two (2) to ten (10) simultaneous connections. If youare using a single processor, all ten connections can be with that pro-cessor. If you are using two or three processors (perhaps a credit cardprocessor and PayPal), then CN!Express® automatically decides howmany connections to maintain for each processor–up to the maxi-mum supported by the specific model.
The CN!Express® model number indicates how many simultane-ous connections are available:
Model Number # Simultaneous ConnectionsCX-7002 2
CX-7005 5
CX-7010 10
CX-7100 100
Estimated Speed
CN!Express® adds extremely little overhead to the transaction. Thespeed of your payment processor is effectively the speed at whichCN!Express® runs. In demo mode, CN!Express® returns transactionsin three (3) seconds. This is a typical response time from a processor(and frequently you will see times better than that). Assuming threesecond response times, here is how long it takes different models ofCN!Express® to process 1,000 transactions:
Model Number # minutes for 1,000 transactions (est.)CX-7002 30
CX-7005 10
CX-7010 5
CX-7100 0.5
welcome to cn!express®
13
PCI Compliance
Auric Systems International is a validated Level 1 PCI Service Provider.CN!Express® is validated against the PCI PA-DSS 3.0 standard.
Passwords
CN!Express® uses passwords at several different levels:
• Access to the underlying operating system.
• Encrypting sensitive data.
• Submitting transactions through the Web.
• Monitoring.
Your in-house PCI policy in regards to password and key manage-ment must be applied to these passwords.
Access to the Underlying Operating System
All CN!Express® configuration is performed locally. There is no re-mote access for configuration and control. There are no configurationpasswords to manage.
Encrypting Sensitive Data
A CN!Express® installation supports a two-user server pass phrase toencrypt sensitive data (such as credit card account numbers). Refer tothe Configuring CN!Express® chapter for details on entering the passphrases.
Submitting Transactions through the Web
CN!Express® requires all web-based transactions to include a userID and password. These accounts cannot retrieve any informationfrom CN!Express® beyond the information returned for the currenttransaction The CN!Express® listens only on the localhost (127.0.0.1)for incoming web transactions. A secure front-end proxy, such asstunnel, IIS, or nginx, must be run as a front-end to the CN!Express®
application.
14 cn!express®
Monitoring CN!Express®
CN!Express® provides a web monitoring interface for which separateuser IDs are required. No account information can be retrieved fromCN!Express® through this interface.
Contacting Auric Systems International
To contact Auric Systems International:Phone 603-924-6079
E-mail/support [email protected]
E-mail/sales [email protected]
Web Site https://www.AuricSystems.com
Please have your serial number handy when you call. Whenyou purchased CN!Express® the serial number and activation keywere e-mailed to you. After you install the test or production (live)CN!Express® you can find your serial number and activation key onthe Run Mode Tab of the CN!Express® Configuration Manager.
Part I
Installation andConfiguration
Installing CN!Express® on Windows®
CN!Express® installs in the demo (demonstration) mode. Demomode allows you to work with, and become familiar with, CN!Express®
functionality without actually sending transactions to your processor.It is also a convenient way to integrate CN!Express® into your exist-ing systems. Auric Systems International strongly recommends youkeep CN!Express® in demo mode while you configure and learn itsoperation.
Supported Windows® Versions
CN!Express® supports the following Windows® platforms:
• Windows® Windows Server 2008 R2
• Windows® Windows Server 2012
• Windows® Windows Server 2012 R2
• Windows® Windows Server 2016
System Requirements
CN!Express® runs on fairly minimal systems. Any typical 2 GHzprocessor is suitable—even single core. Auric Systems Internationalrecommends you install CN!Express® on your target platform indemo mode and test at what you expect load requirements to be.
Memory Requirements
Having 256 MBytes of RAM available above and beyond your operat-ing system’s install is suitable long-term for CN!Express® running athighest speeds.
Disk Requirements
CN!Express® can generate a large number of logs and backup files.In addition, if you are using batch import/export, you’ll need addi-
18 cn!express®
tional space to manage those files. For initial installation, you’ll needapproximately 100 Mbytes of hard disk space. Auric Systems Interna-tional recommends planning for a minimum of 30 GBytes of free diskspace to ensure a long-lived and trouble-free operation.
It is important to check your file system on a regular basis. Back-ups and logs can start to consume a significant amount of disk space.
Installation Options
CN!Express® installs:
• on a local hard drive, not a network mount.
• as both an application and a Windows® service (the Windows®
service is not active until you manually activate it)
• in the demonstration (demo) mode (not in the test or productionmode)
• as a CX-7002 with two simultaneous processor connections
While you are configuring CN!Express® Auric Systems Interna-tional strongly recommends that you:
• Run CN!Express® as an application (not a service).
• Configure using the demo mode.
• Send your first transaction(s) to your processing service using thetest mode.
Demo mode is ideal for trying out configuration options andCN!Express® operations without using real transactions. Test modeis ideal for testing your configuration with your processing service.Production mode is strictly for processing real transactions.
After you’ve configured and tested CN!Express® you can switchto the production mode and you can run CN!Express® as a service,confident that CN!Express® will work smoothly.
Installation Procedure
CN!Express® is available for download from the Auric Systems Inter-national web page: https://www.auricsystems.com/payment-apps/.The Setup program prompts you for a location in which to installthe executables and a location in which to install the data directories.Both program and data directories need to be on a local hard drive,not a network drive.
• Download the CN!Express® Setup program from the web site.
installing cn!express®
on windows®
19
• Compare the MD5 signature of the downloaded file to the MD5
signature on the web site to confirm you download an uncor-rupted version.
• Run the CN!Express® Setup application and follow the installationscreens. Auric Systems International recommends you select thedefault installation application and data locations.
• CN!Express® is now installed.
Configuration
Now that CN!Express® is installed, your next step is ConfiguringCN!Express®.
Installing CN!Express® on Linux®
The Linux® version of CN!Express® is available as a bespoke deploy-ment. Please contact Auric Systems International for details.
CN!Express® installs in the demo (demonstration) mode. Demomode allows you to work with, and become familiar with, CN!Express®
functionality without actually sending transactions to your processor.It is also a convenient way to integrate CN!Express® into your exist-ing systems. Auric Systems International strongly recommends youkeep CN!Express® in demo mode while you configure and learn itsoperation.
In order to configure CN!Express® you must have the AKMP™ keymanagement daemon installed. The AKMP™ service provides the en-cryption key management necessary to support test and productionmode data. Please refer to the AKMP™ manual for details.
Supported Linux® Versions
• Red Hat Enterprise Linux® Versions 6.8 and 7.x.
• CentOS Versions 6.8 through 7.x.
• Call regarding support for other Linux® flavors.
System Requirements
CN!Express® runs on fairly minimal systems. Any typical 2 GHzprocessor is suitable—even single core. Auric Systems Internationalrecommends you install CN!Express® on your target platform indemo mode and test at what you expect load requirements to be.
Memory Requirements
Having 256 MBytes of RAM available above and beyond your operat-ing system’s install is suitable long-term for CN!Express® running athighest speeds.
22 cn!express®
Disk Requirements
CN!Express® can generate a large number of logs and backup files.In addition, if you are using batch import/export, you’ll need addi-tional space to manage those files. For initial installation, you’ll needapproximately 100 Mbytes of hard disk space. Auric Systems Interna-tional recommends planning for a minimum of 30 GBytes of free diskspace to ensure a long-lived and trouble-free operation.
It is important to check your file system on a regular basis. Back-ups and logs can start to consume a significant amount of disk space.
Installation
CN!Express® installs:
• on a local hard drive, not a network mount.
• as both an application and a service (the service is not active untilyou manually activate it)
• in the demonstration (demo) mode (not in the test or productionmode)
While you are configuring CN!Express® Auric Systems Interna-tional strongly recommends that you:
• Configure using the demo mode
• Send your first transaction(s) to your processing service using thetest mode.
Demo mode is ideal for trying out configuration options andCN!Express® operations without using real transactions. Test modeis ideal for testing your configuration with your processing service.Production mode is strictly for processing real transactions.
After you’ve configured and tested CN!Express®, you can switchto the production mode and you can run CN!Express® as a service,confident that CN!Express® will work smoothly.
Auric Systems International provides a custom download site forthe Linux® CN!Express® installation. CN!Express® expects to runas the cnxap user – which must be configured before running theinstallation script.
• download the cnx_installer...tgz file
• compare the checksum of the downloaded file to the checksumprovided by Auric Systems International to ensure the file has notbeen tampered.
installing cn!express®
on linux®
23
• create the cnxap user.
• run ./install.py
• CN!Express® installs in the /opt/cnxap directory
Installation Options
CN!Express® for Linux® must be run behind a proxy web serversuch as nginx or Apache. CN!Express® itself only listens on localhost(127.0.0.1). HTTPS security of front-end communications is managedby the proxy. The URL to proxy is:
/asi01
Starting and Stopping CN!Express®
To run as an application:
$ sudo -u cnxap /opt/bin/cnxap
To run as a service on RHEL 6:
$ sudo /sbin/service cnxapd start|stop|restart|status
To run as a service on RHEL 7:
$ sudo systemctl start|stop|restart|status cnxapd
Configuring CN!Express® for Linux®
The CN!Express® application for Linux® configuration is completedusing the CN!Express® Configuration Utility for Windows®.
In order to run the Configuration Utility on Windows®, youmust transfer your AKMP™ secure_data configuration from yourLinux® installation to your Windows® installation. Please refer to theAKMP™ manual for details.
Once AKMP™ is installed, you can follow the Windows® configu-ration instructions in the Configuring CN!Express® chapter, with thefollowing exceptions:
1. Any file paths must be manually entered and use the Linux® pathseparator (’/’).
2. On the Advanced Tab, you have the option of sending all CN!Express®
logs to syslog or maintaining separate logs. If you elect to keepCN!Express® logs separate, they are automatically rotated daily.
Configuring CN!Express®
This chapter walks through a typical CN!Express® configuration.Please refer to the PA DSS Secure Implementation Guide section forsecurity-specific information. You must be logged into the machinewhere CN!Express® is installed in order to configure it.
The CN!Express® Configuration Utility (cnxcfg.exe) groups theCN!Express® settings into major tabs:
• General
• Divisions
• Web Formats
• Files
• File Formats
• Security
• Run Mode
• Advanced
• About
The majority of CN!Express® settings can be modified whileCN!Express® is running. The CN!Express® program checks the con-figuration file every few seconds to see if it has been modified. If theconfiguration is changed, CN!Express® reloads the new configurationinformation.
Starting in Demo Mode
When configuring CN!Express® for the first time, it’s best to work inthe demo mode and run CN!Express® as an application. CN!Express®
automatically installs in the demo mode and as an application (it alsoinstalls as a Windows® service, but the service is not active). Af-ter you complete the configuration, you can test it without sending
26 cn!express®
transactions to your processing service. When you’re satisfied withthe configuration, you can switch from demo to test mode and thento production mode. You can also switch to running CN!Express® asa service. CN!Express® automatically remembers the configurationyou set up when it was in demo mode and running as an application.CN!Express® uses that same configuration when you switch modesand/or run it as a service.
When you first start the CN!Express® Configuration Utility youwill see a the dialog in noting that certain fields, which require en-cryption to be stored, will be disabled in demo mode. These fieldsare not required in demo mode. Just click the OK button to continueworking in Demo mode.
General Tab
Names
Every CN!Express® installation requires a Short Server Name anda Server Number. These two settings need only be changed if youare using multiple copies of CN!Express® within your organization.If you are using more than one copy of CN!Express® each of thesefields must be unique to the installation.
Web Service
By default the web service for accepting incoming transactions isdisabled. This ensures you do not suddenly have an unexpected webservice running on your system.
CN!Express® supports both HTTP and HTTPS connections. Thereare advantages and disadvantages to both of them. Please refer to theEncrypted/Secure HTTPS chapter on HTTP vs. HTTPS configura-tion.
CN!Express® comes with a set of self-signed certificates for HTTPScommunications. When you select HTTP or HTTPS, you must con-figure the Port on which CN!Express® accepts transactions (default is8100) and the IP address on which it will listen for web transactions.
The default listening address (127.0.0.1) is also known as local-host. With this setting, CN!Express® accepts only transactions fromthe local machine. If you have more than one network card on yourcomputer, CN!Express® lets you select which one it uses, or you canaccept from All Host Interfaces. Auric Systems International recom-mends you leave CN!Express® configured for localhost (127.0.0.1)and use a proxy server such as stunnel, IIS, or nginx to isolate theCN!Express® application from the external interfaces. This approachhas the advantage of allowing you to update your security protocols
configuring cn!express®
27
without having to upgrade CN!Express® and avoiding the testingtime such upgrades require.
Transaction Files
By default, CN!Express® is configured with a traditional interfaceto accept transactions through text files. You may disable this in-terface if you are going to send all your transactions through theCN!Express® Web interface. Otherwise, leave it enabled.
Fields
CN!Express® allows you to set the XCLASS value globally for allprocessors. Prior to CN!Express® version 4.0.11, all transactions de-faulted to E-commerce. Now, they can be set globally or per division.
Web Console
CN!Express® supports a web-based remote monitoring console. Thisconsole must be disabled in production.
Proxy Configuration
CN!Express® provides the ability to configure a proxy for all outgo-ing HTTPS connections. CN!Express® supports tunneling proxies.In a tunneling proxy, the defined connection between CN!Express®
and the proxy is via the HTTP port. The actual HTTPS connection istunneled through the HTTP port so there is a secure connection withthe target server (the payment processor).
In the Proxy settings, set the IP address of your proxy host andthe Port it will be using. If your proxy requires authentication, en-ter a user ID and password. Now all communications betweenCN!Express® and the payment processor go through your proxyserver.
Divisions Tab
The Divisions tab manages all your processor-specific information.All settings required for communicating with your processor aremanaged here. To start, click the Add. . . button. The dialog shown inFigure I.
Enter a name for this division, select a Payment Processor, andclick OK. CN!Express® presents you with a processor-specific setof fields that need to be completed in order to configure this new
28 cn!express®
Division for communication with your processor. See the processor-specific chapters at the end of this book for details on how to config-ure Divisions for each processor.
Divisions, Divisions, Divisions
The term ’divisions’ is an over-loaded term since some paymentprocessors also use this term to describe information used to com-municate with them. In CN!Express® the Division you created in theprevious step is a name you use to describe the connection. If youwant, you can name it the same as your payment processors divi-sion, or merchant id, or merchant number. Or, you can provide a nicegeneric name like Web Transactions or Accounting System or Cana-dian Recurring Billing. Or, you can have nice cryptic Division nameslike Q03-579. It does not matter, because this information is neversent to the payment processor. Think of it as a label or a tag you useto identify the information you want sent to the processor.
Multiple Divisions, Multiple Processors
Each time you create a new Division, you also select a processor forthat Division. This lets you define multiple settings for any specificprocessor as well as multiple simultaneous processors.Some proces-sors recommend you have a different division for each currency youprocess (USD, Euro, Yen, etc.)
Web Formats Tab
Web transactions are sent via a simple HTTP(S) POST. CN!Express®
supports transactions via its web interface in a variety of formats.The default is to send transaction data in key/value pairs and receiveresponses in a pip-delimited text format. This overview screen showsa sample request and response. To modify the request or responseformats, click the appropriate Edit Format. . . button.
Web Request Format
Web transactions are sent to CN!Express® via a POST. By default,this information is sent in name/value pair format. Choose whichRequest Type you want to support by clicking on the various radiobuttons at the top of this screen. As you select different formats, youare presented with options for configuring how CN!Express® ex-pects to see the web request. For name/value pair, you do not needto pre-define which fields you are going to send to CN!Express®.
configuring cn!express®
29
CN!Express® accepts any fields you send over. When using delim-ited format, the fields are in a specific order and you must defineeach and every field and the field order. Auric Systems Internationalrecommends using name/value pairs when sending requests. Thisformat is familiar to web programmers.
Web Response Format
Web responses can be in a variety of formats CN!Express®, by de-fault, returns a pipe-delimited format. An example is shown at thebottom of the dialog in Figure! I. To change which fields are re-turned, select them in the left-hand box and then click the arrowbutton button to move them to the response box. The up/down ar-rows on the right of the screen change the order in which the fieldsare arranged. By default, CN!Express® displays a small subset of allthe fields available. To see (and select) all the fields available, clickthe Fields to Include. . . button.
Available Fields
By default, CN!Express® displays a small fraction of the fields avail-able to process all transactions types with all processors. This dialogbox allows you to select which fields to display based on methods ofpayment or other common requirements (such as customer informa-tion or Payment Card Level II data).
Files Tab
This dialog determines where CN!Express® finds various files.
Transaction File Locations
• Import: CN!Express® imports transactions from here.
• Export: CN!Express® exports results to here.
• Decline: If you select to separate approvals from declines in yourexport format, the approvals go to Export and the declines go here.
• Backup: Where nightly database backups are placed. Backups arebest stored on a separate hard drive from where CN!Express® isinstalled.
• Recovery Log: Where copies of vital transaction status is stored.This directory is best stored on a separate hard drive from whereCN!Express® is installed.
30 cn!express®
File Extensions
CN!Express® uses certain file extensions for specific uses, such asimport or export files. You can change these default extensions tomeet any custom need you have in your environment.
Encryption
CN!Express® supports encrypted file import and export. See theEncrypting Import/Export Files chapter for details.
The Files Format Tab is much like the Web Request/ResponseTab. This screen allows you to customize the file import and exportconfiguration. In addition to configuration, CN!Express® also allowsyou to determine what actions to take after importing a file. It canbe as simple as changing the extension to.DNE indicating the file hasbeen imported, or you can delete the imported file.
Auric Systems International recommends the one-pass overwriteand delete. This overwrites the original file data and then deletes thefile, making it very difficult to retrieve any sensitive cardholder data.This screen also lets you decide if you want to export your resultsinto two separate files: approvals and declines.
Import File Format
The file import format screen allows you to customize the fields to beimported into CN!Express®. Click on the Model File. . . button andselect the cards.txt file distributed with CN!Express® as a sample.These configurations provide flexibility that allows CN!Express® toconform to your existing file formats.
Sample Import File
After you select a sample file, the right-hand list box shows boththe field names and a line of data from the sample file. The fieldsare shown in import order. You can use the arrow keys at the topof the list box to walk through the sample file and see what data isimported into specific fields.
Export File Format
The Export Format screen is similar to the Import File Format screen.You select which fields you want to see in the export file and declarethe order in which they will appear.
configuring cn!express®
31
Security Tab
Configure the Key Manager
CN!Express® supports external key management services. The vari-ous key management services are supported via the AKMP™ (AuricKey Management Proxy) application. The AKMP™ applications al-lows new key management services to be added without needing toupdate the basic CN!Express® application. AKMP™ is installed onyour system and is part of the basic CN!Express® installation.
The AKMP™ is not required to be configured for Demo mode.In demo mode, CN!Express® uses a hard-coded demo encryptionkey since you are only using demo account numbers. When you areready to move to test (and production), you’ll need to set up com-munications with the AKMP. Refer to the Auric Key ManagementProxy chapter and then return here to set the communications portand check the box indicating AKMP™ is configured and ready to run.
Allowed Hosts
Allowed Hosts define which computers can interact with the WebService and Web Console. By default, these are both set to allow only127.0.0.1 (the local machine or localhost) to interact with CN!Express®Typein the addresses you want to have access to the CN!Express® WebService. Both fields also support the ability to define a range of ad-dresses. Click the Add Range. . . button and enter the starting andending IP address allowed access to the Web Service or Web Console.
Web Users
This setting defines the users allowed to connect to CN!Express®.Click the Add. . . button. Define a user ID and password for eachuser. Additionally, you can declare a name for each user. Each indi-vidual user may either send transactions (Web Service) or interactwith the console (Web Console). A single user account cannot doboth.
Run Mode Tab
CN!Express® runs in one of two general modes:
• Demo
• Online
In Demo mode, processor connections are simulated. CN!Express®
simulates a response time of approximately 3 seconds per transac-
32 cn!express®
tion. All transaction amounts ending in even penny amounts areapproved. All transaction amounts ending in odd penny amounts aredeclined with a random decline reason. In Online mode, transactionsare sent to the processor. As you define each Division (processor con-nection) you can place individual Divisions in Test or Live mode. InTest mode, transactions are sent to the processor’s test addresses.
Note that the ability to set the test/live flag on a Division is hid-den in demo mode.
Advanced Tab
The Advanced tab contains settings for CN!Express® special features:
• How many days to cache tokenization (UTID) data locally beforediscarding.
• Whether to prioritize sending UTIDs to the Remote PaymentVault™
immediately, or only every minute.
• The PaymentVault™ URL.
• Logging settings.
• Email configuration.
• When to run maintenance processes.
The PaymentVault™ Tokenization Storage Service
This section contains settings for connecting CN!Express® with AuricSystems International’s PaymentVault™ technology. Call for more in-formation on PaymentVault™ solutions for secure, long-term storageof credit card accounts.
The Discard UTIDS (tokens) after xx days entry determines how longCN!Express® caches token data locally. This setting has no impact onhow long tokens are stored within the PaymentVault™ service.
Selecting the Prioritize Update of PaymentVault™ with New UTID In-formation checkbox causes CN!Express® to queue tokens for PaymentVault™
storage as soon as they are generated. Otherwise, CN!Express® mi-grates tokens to the long-term storage approximately every minute.
Logging and Messages
CN!Express® optionally runs a number of logs. By default, only theexception log is activated. This provides useful information to AuricSystems International support staff if an error should occur.
The first logging option provided, is for Linux only. Select thisoption if your CN!Express® is Linux-based.
configuring cn!express®
33
Remaining log options are as follows:
• Processor Communication Log: Logs all communications betweenCN!Express® and your processor.
• Web Service Request and Response Log: Logs all transaction infor-mation sent to CN!Express® via the web interface.
• File Request and Response Log: Logs all files imported and ex-ported.
• Exception Log: Log any exceptions that occur in the software.Note that some exceptions are expected and are part of normaloperations.
• Show Transactions in Monitor Window: Shows status of web re-sponse for transactions sent through the Web Service.
Note that the Audit log is active only when using the tokenizationfeature.
For PCI compliance, you must monitor and store your logs ina centralized location. The CN!Express® logs to be transported tothe centralized location are located in the CN!Express folder, whichresides in the Program Files (x86) folder.
Database Maintenance Service
CN!Express® performs daily maintenance operations includingbackup and database optimization. CN!Express® continues to accepttransactions while maintenance occurs – however, it is a good idea toschedule maintenance during times you expect to be rather quiet. Ifyou do not run CN!Express® constantly, then it will perform mainte-nance as soon as it starts up. As part of maintenance, CN!Express®
creates a backup database file in the directory configured in the FilesTab. You should periodically remove older versions of these backups.
Email Notification
CN!Express® can send email notifications as part of the nightlybackup process. CN!Express® also sends email notifications if a se-rious problem occurs. Auric Systems International recommends youconfigure email notifications. The test button on the dialog allowsyou to send an email immediately to confirm it is properly config-ured.
The Email Notification configuration screen allows you to config-ure how CN!Express® sends emails.
SMTP Server: Internet Address of your in-house email server.
34 cn!express®
SMTP Port: Port for communicating with your server.Use Authentication: Some email servers require clients to authen-
ticate before sending email. If your server requires authentication,enter your user and password information here.
Send Test Message: Click the button to send a test message.Message Content: Select notification typesScheduling: Intervals between email notifications
About Tab
The About tab contains the CN!Express® Version Number. Usefulwhen speaking with tech support. Processor contact information isprovided in this section, as well.
Encrypted/Secure HTTPS
The CN!Express® web interface must never be connected to the Inter-net. It is designed to be used within your network.
Historically, CN!Express® has supported both HTTP and HTTPSincoming communications. Because of the increasing focus on HTTPSprotocol attacks, Auric now recommends that the CN!Express® pay-ment application always be configured to:
• Use only HTTP
• Listen only on localhost (127.0.0.1).
Running Strictly On Localhost
When the software communicating with the CN!Express® applicationruns on the same server you can securely communicate between thetwo over HTTP using the 127.0.0.1 IP address. This is secure since thecommunication does not travel outside the server.
Using a Secure Proxy
When the software communicating with the CN!Express® applicationis on a different server, you must install the CN!Express® applicationbehind a secure proxy. CN!Express® can run it behind any standardweb server that has proxy capabilities. Options include: Microsoft®
IIS (Windows® only), nginx®, and Apache®.Another popular option is to use the stunnel product. From their https://www.stunnel.org/
web site, “Stunnel is a proxy designed to add TLS encryption func-tionality to existing clients and servers without any changes in theprograms’ code. Its architecture is optimized for security, portabil-ity, and scalability (including load-balancing), making it suitable forlarge deployments.” Auric uses stunnel in several production envi-ronments. It is available for both Windows® and Linux®.
Auric provides an stunnel configuration document at:https://www.AuricSystems.com/payment-apps/#stunnel
Remote Firebird® Database
CN!Express® can be configured to connect to a Firebird® databaseserver running on another computer. This chapter provides step bystep instructions for configuring CN!Express® to use a remote (ex-ternal) Firebird® server. These instructions are designed for runningCN!Express® and Firebird® on separate servers; both of which areproperly installed behind your corporate firewalls.
Configure Firebird® For Windows®
CN!Express® uses the embedded version of the Firebird® relationaldatabase. Using an external Firebird® server is optional. To switchfrom using embedded Firebird® to using a Firebird® server, firstdownload the latest Firebird®
2 server from the Firebird® distribu-tion site: http://firebirdsql.org/. Releases are available for severalplatforms including Windows®, Linux®, Mac OS X, and Solaris. Fol-low the directions to install and configure a basic Firebird® database.The rest of the instructions in this chapter show examples of runningFirebird® in a Windows® environment.
Create Firebird® Users
Once Firebird® is installed and running, create a user for the CN!Express®
database. CN!Express® maintains two different databases: one fordemo mode and one for on-line (test/live). For this example, we willcreate two users: DemoUser for the demo schema and OnlineUser forthe on-line schema (do not use the actual passwords shown in thisexample). You will use these two users in the CN!Express® SettingsManager to specify your database connection for CN!Express®Findwhere Firebird®
2 is installed on your machine and run the followingfrom the bin directory.Substitute the DBA Password you created foryour Firebird® installation:
gsec -user sysdba -password dbaPWGSEC> add DemoUser -pw DemoPWGSEC> add OnlineUser -pw OnlinePW
38 cn!express®
GSEC> quitIn the above example, DemoUser, OnlineUser, DemoPW and On-
linePW are all examples. Replace these with your own.
DemoUser:
DemoPassword:
OnlineUser:
OnlinePassword:
Changing User Passwords
The gsec utility is also used to change passwords:
gsec -user sysdba -password dbaPW
GSEC> modify DemoUser -pw NewPW
Create a Location For Database Files
The Firebird® database allows you to control where your databasefiles are located. Create a dedicated directory for storing the databases.In this example, we will use C:\AuricSystems\fb-data\cnx as ourstorage directory.
Import CN!Express® Demo and Online Schemas
CN!Express® ships with SQL files capable of building the Demo andOnline schemas.These files are stored in the Data
Remote directory wherever CN!Express® is installed:
C:\ProgramFiles\AuricSystems\CN!Express\Data\Remote\demo_remote.sql
C:\ProgramFiles\AuricSystems\CN!Express\Data\Remote\online_remote.sql
Copy these two files to the Firebird® database server system andthen use the Firebird® ISQL utility to create the databases as follows: The database, user and password
all have single quotes and the lineterminates with a semicolon.
First the demo schema:Start the \fb\ ISQL utility.
SQL> CREATE DATABASE ’C:\AuricSystems\fb-data\cnx\cnxap_demo.fdb
CON> page_size 8192
CON> user ’DemoUser’ password ’DemoPW’;
SQL> IN ’C:\Program Files\AuricSystems\CN!Express\Data\Remote\demo_remote.sql’;
Now quit ISQL and create the Online schema.Create the CN!Express® Online schema:Start the \fb\ ISQL utility.
SQL> CREATE DATABASE ’C:\AuricSystems\fb-data\cnx\cnxap.fdb’
CON> page_size 8192
CON> user ’OnlineUser’ password ’OnlinePW’;
SQL> IN ’C:\Program Files\AuricSystems\CN!Express\Data\Remote online\cnxap_remote.sql’;
remote firebird®
database 39
Now quit ISQL. Check the C:\AuricSystems\fb-data\cnx direc-tory to ensure the files were created there.
Creating Aliases
When you entered the database location in the ISQL create commandabove, you entered a fully-qualified path for the database file. Youcan now connect to that database, but you would need to alwaysenter the fully qualified path in your connect statements. Firebird®
allows you to configure aliases to these files so you can refer to themby short, easy names. Find where Firebird® is installed on your ma-chine and locate the aliases.conf file. Add the following lines to thatfile using a text editor, then save the file:
cnexpress = C:\AuricSystems\fb-data\cnx\cnxap.fdb
cnexpress_demo = C:\AuricSystems\fb-data\cnx\_demo.fdb
Test Your Connection
Type the following from your Firebird® server system: Don’t forget the semicolon (;) at the endof each command.
isql
SQL> connect cnexpress_demo user DemoUser password DemoPW;
SQL> connect cnexpress user OnlineUser password OnlinePW;
Configure Firebird® Database for Linux®
The following instructions are for Red Hat Enterprise and CentOSLinux®. Please refer to the Firebird® database website for details onLinux® and Unix® style systems.
1. Run the following to install Firebird®2.5 from EPEL.
$ sudo yum install firebird-classic
$ sudo yum install firebird-devel.x86_64
Replace "TBD" with your selectedpassword."
2. Change the default sysdba (master) password. This must bechanged in order to be PCI DSS compliant:
$ sudo gsec -user SYSDBA -password masterkey -modify sysdba -pw TBD
3. Create a "cnxapdemo" demo database user:
Here, and in the rest of these instruc-tions, replace ’masterkey’ with thepassword you elected above.
$ sudo gsec -user sysdba -pass masterkey -add cnxapdemo -pw cnxapdemo
Use the actual database username "cnxapdemo" and the actualdatabase user password "cnxapdemo" when creating this user.These strings are hard-coded into cnexpress and used for demodatabase access only. The demo database is INSECURE and mustnever be used for actual customer data.
40 cn!express®
4. Create a production database user. Replace ’TBD’ with a validpassword. Record this password, as you will need it in the nextsection.
$ sudo gsec -user sysdba -pass masterkey -add cnxap -pw TBD
Enter a username of your choosing and a password of yourchoosing in place of cnxap and cnxappass, above. You will laterenter these strings in the cnxap configuration file.
If either of the following commandsfails with an error like: "Unable tocomplete network request to hostlocalhost." You may need to restartthe xinetd service. Refer to your OSdocumentation for specific instructions.
5. Create the cnxap database and run the build scripts. In this stepyou will run isql-fb from the command line twice, to create boththe production and demo databases. The remote.sql script is avail-able in the respository under the ./support/Firebird/ directory(for the production database, substitute the correct password for’TBD’ in the second command below.
$ isql-fb -user cnxapdemo -pass cnxapdemo
SQL> create database "localhost:/var/lib/firebird/data/cnxap_demo.fdb";
SQL> in remote.sql;
SQL>exit;
$ isql-fb -user cnxap -pass TBD
SQL>create database "localhost:/var/lib/firebird/data/cnxap.fdb";
SQL>in remote.sql;
SQL>exit;
Configure CN!Express®
Now that you’ve successfully configured Firebird® and loaded thetwo databases, we’re ready to configure CN!Express® to use them.Start the CN!Express® Settings Manager and select the Database tab.
The above screen shows the Database tab configured and ready tocommunicate with both demo and online remote Firebird® databases.
Use External Database
Unchecked by default. Checking enables all other controls in thispanel. Connection Information DSN: Consists of a host name/address,colon, and database name. The example here shows CN!Express®
connecting to the remote server at a specific in-house IP address. Thedatabase name is the Firebird® alias you configured in a previousstep. User ID: The user id which you used when you created thedatabase. Password: You are prompted to enter this password a sec-ond time. Click OK to save the settings. These settings are read nexttime CN!Express® starts.
remote firebird®
database 41
Starting CN!Express®
After saving the configuration information, start CN!Express® as anapplication and ensure it is able to connect properly to the remote. Ifit is unable to connect you will see a Firebird® connection failure inthe logs.
Maintenance
When CN!Express® uses a remote Firebird® server, it performs allthe standard maintenance processes except backup. You shouldconfigure an appropriate back-up process to be run daily on theFirebird® database. The Firebird® gbak utility can create backupswhile CN!Express® is processing transactions. There is no need toshut-down or pause CN!Express® while the backup process runs.
For best performance, backups should not run while CN!Express®
is performing the nightly maintenance. As part of this maintenance,CN!Express® performs what is known as a sweep operation to re-claim unused database space. Performing a backup while the sweepis taking place will cause the Firebird® database to do additionalwork and be slightly slower.
Security Notes
In this chapter we refer to a remote database connection. In thiscontext, remote means running on a different server than whereCN!Express® is installed. These instructions assume the databaseis properly installed behind appropriate firewalls and is runningon a non-public network. In order to provide strong authenticationbetween CN!Express® and a remote database, an additional layer ofsecurity must be provided by operating a VPN or secure/encryptedtunnel between the two servers. The Stunnel application (http://www.stunnel.org/) is one example of a secure tunnel that works onboth Windows® and Unix-like environments.
Additional Help
Auric Systems International offers custom consulting services if youneed help configuring and maintaining a remote Firebird® server.Please contact Auric Systems International at 603.924.6079 for moreinformation.
Tokenization
CN!Express® provides a built-in tokenization mechanism. Thismechanism is activated whenever the UTID field is requested onexport from either the real-time or file interface. The default UTIDis a long, alphanumeric value designed so it can be generated asyn-chronously by several CN!Express® (or Trevance®) instances runningautonomously.
Note that CN!Express® converts the account number into a UTIDregardless of the method of payment: credit card, debit card, check,PayPal account, etc.
Transactions
The typical usage is to provide a cardholder account number ona sale or authorization request and request the UTID value in theresponse. Optionally, you can configure CN!Express® to return theaccount field with only the last four digits of the original accountnumber.
Account values can be provided for any action (Authorization,Sale, Deposit, Refund, Void, etc.). The tokenization occurs at exporttime when CN!Express® notes that a UTID is requested.
Instant Tokenization™
In addition to tokenization during transactions, CN!Express® alsoprovides a set of Instant Tokenization™ actions as shown in table In-stant Tokenization™ on the following page.
Response Codes
When performing tokenization, always check the LastActionSuc-ceeded (LAS) field to ensure it returns a 1. This is a quick check tosee that CN!Express® successfully performed the operation. If theLastActionSucceeded (LAS) field is 0, you must check the ASI Re-sponse Code (ASIRESP) field for more information.
44 cn!express®
Action Code Description
U Instant Tokenization: Provide the account(ACCT) field and export the UTID field.
UC Tokenization Check: Provide the UTID field andCN!Express® looks up the UTID, decrypts it,and returns the last four digits in the account(ACCT) field..
UD Delete Token: Provide the UTID field andCN!Express® marks any local copy for dele-tion and then queues it for deletion fromPaymentVault™.
UR Re-Encrypt Token: Provide the UTID field andthe UTID will be retrieved, re-encrypted, andstored
Table 1: CN!Express® InstantTokenization™ actions.
Code Description
100 Success900 Failed local UTID generation.901 Failed local UTID lookup.902 UTID marked for deletion.
Table 2: ASI Response Codes for InstantTokenization™
tokenization 45
PaymentVault™ Interaction
PaymentVault™ is a data storage mechanism. The actual UTID gen-eration occurs within CN!Express®. This is done for speed andefficiency. If a PaymentVault™ connection should be temporar-ily down, CN!Express® can continue to generate and store newUTIDs that are being requested. (You can use UTIDs without aPaymentVault™ connection if you only need the UTID values for afew days.) CN!Express® can be configured to store the UTID valueslocally for a given number of days. Usually, storing for one to threedays is sufficient for environments where a transaction is authorizedand then deposited (captured) in a short period of time.
Every minute, CN!Express® gathers up all the recently-generatedUTID values and migrates them to the PaymentVault™server. Evenafter they are migrated, they still remain cached locally withinCN!Express® until the configured number of days have passed.
Delayed Delete
Just as CN!Express® does not immediately communicate UTID ad-ditions to the PaymentVault™, it also does not communicate deleterequests. When CN!Express® receives a UD (Delete Token) request, itperforms the following actions:
• See if the UTID value is currently cached locally.
• If cached locally, mark it for deletion.
• If not cached locally, create a new entry in the cache with theUTID value and mark it for deletion.
• During token migration time, send a Delete command to thePaymentVault™ for each UTID record that is marked for deletion.
• Delete the UTID entry once the PaymentVault™ deletion occurs (orPaymentVault™ finds there was nothing to delete).
If you should request a UTID from CN!Express® between the timeit is marked for deletion in the local cache and it is actually deletedfrom the PaymentVault™, CN!Express® returns the 902 ASIRESPcode indicating the UTID is marked for deletion and cannot be de-crypted.
Tokenization Failures
All tokenization occurs within CN!Express® itself, so there are fewplaces where tokenization can fail. Successful tokenization operations
46 cn!express®
return the Last Action Succeeded (LAS) field as 1 and the ASIRESPfield as 100.
The tokenization process makes two data base queries which couldpossibly, under extreme circumstances (like the database suddenlydisappearing) fail. In both cases, the Last Action Succeeded (LAS)field will be 0 and the ASI Response (ASIRESP) field will be 400. TheRESPTEXT field contains a textual description of the problem.
Note that in one of these failure modes, a UTID will be returned,but it will not have been stored in the database. Therefore, it is al-ways important to check the LAS value to ensure it is successfulbefore using the returned UTID.
PaymentVault™ Communications Failures If email alerts are configured,PaymentVault™ communication er-rors also result in an email being sent tothe configured administrator.Token data is moved from CN!Express® to the PaymentVault™
long-term storage asynchronously. If CN!Express® cannot com-municate with the PaymentVault™ backend, it does not surfaceas an error in the real-time or batch transaction. Tokenization cancontinue successfully while access to the PaymentVault™ system isunavailable. CN!Express® makes an ERROR entry in the log whenPaymentVault™ is inaccessible. Look for errors like,
ERROR - PaymentVault connection test failed. orERROR - PaymentVault server connection disabled.
Demo Mode
In order to support functionality in demo mode, CN!Express® mustencrypt the demo cardholder accounts that are presented. Live card-holder account numbers must never be used in demo or test mode.This demo encryption key exists solely to allow people to test out thebasic tokenization functionality.
Demo Encryption Key: CNXAP555CNXAP555CNXAP555CNXAP555
Demo Key Identifier: CNXAP-DEMO-KEY
Migration to PaymentVault™
Once a minute, CN!Express® transfers recently-generated tokens tothe PaymentVault™ server.
Any token delete requests are also transferred to the PaymentVault™
server every 60 seconds, but offset from the storage request by 30 sec-onds.
tokenization 47
Token Formats
IMPORTANT: Tokens must be storedas an 8-bit ASCII alphanumeric value.In a database, they must be stored as aVARCHAR (variable character) in orderto support any future token lengthchange.
CN!Express® tokens (UTIDs) are alphanumeric values that representthe stored (encrypted) cardholder account number. By themselves,the tokens have no intrinsic meaning other than providing the abilityto look-up stored cardholder account numbers.
The UTID definition has changed over time, and it must be as-sumed to change in the future.
The current CN!Express® UTID format is 39 bytes and consists ofthe following data:
• The first 27 bytes consist of the 160-bit sha1 hash of the ACCTfield, current time, and a unique sequence. The result is base64
encoded in url-safe mode.
• The next five bytes consist of a 30-bit sequence base64 encoded inurl-safe mode.
• The next three bytes are the site-specific UTID suffix.
• The last four bytes are the last four digits of the original card-holder account number.
The unique sequences act as salt values and increase the difficultyof a brute-force reverse lookup.
Token Format Prior to CN!Express® 4.0.13
Prior to CN!Express® release 4.0.13, tokens (UTIDs) were 52-byteslong and consisted of the following data:
• The first 43 bytes consisted of the 256-bit hash of the ACCT field,current time, and a unique sequence. The hash is base64 encodedin url-safe mode.
• The next five bytes were a unique sequence base64 encoded inurl-safe mode.
• A dash character.
• A three-character site-specific UTID suffix.
Uninstalling CN!Express®
On Windows®
You just use the built-in uninstall program to remove the CN!Express®
application from your system. The uninstall process removes the ap-plication files, the core database files (unless running with a remotedatabase), and the configuration files. It also deletes the default im-port, export, backup, and recovery logs. If you are not running thesein the default location, you must securely delete them yourself usingthe sdel program distributed with CN!Express® or a secure deletionprogram such as SDelete on Windows (available from Microsoft) orshred on Linux.
Refer to Protect Stored Cardholder Data for further guidance onsecurely removing the CN!Express® application.
On Linux®
Use the shred utility (or equivalent) to securely delete all files in the/opt/cnxap directory. Also securely delete CN!Express® specific logfiles.
Auric Key Management Proxy
CN!Express® supports external key management services. The vari-ous key management services are supported via the Auric Key Man-agement Proxy or AKMP™. The AKMP™ application allows new keymanagement services to be added without needing to update thebasic CN!Express® application. AKMP™ must be installed on yoursystem and is part of the basic CN!Express® installation.
The AKMP™ application is not required to be configured forDemo mode. In demo mode, CN!Express® uses a hard-coded demoencryption key since you are only using demo account numbers.When you are ready to move to test (and production), refer to theinstructions below:
1. Open the CN!Express® Configuration Utility
2. Select Security tab
3. Click Configure Key Manager
4. Click button next to AKMP has been configured on this server
5. Click OK
6. The key manager has been configured
7. Once the key manager has been configured, the Encrypt button nextto it will become available. This button is typically used whensetting up a password for Remote PaymentVault.
8. To use the Encrypt option, click on the button and enter the text tobe encrypted
9. Encrypted text will show in the box below. From here it can becopied into the clipboard and used as a password.
Part II
Payment Processors
Working with your Payment Processor
CN!Express® works with many different operating systems, appli-cations, and processing services. The next several chapters containinformation on configuring CN!Express® to work with your specificprocessing services.
Cardinal Commerce
Functionality
CN!Express® has specialized support for the Cardinal CommerceCentinel Gateway. Currently, the only query supported through Car-dinal Commerce is a request to determine if a cardholder is enrolledin the 3D Secure program for MasterCard or Visa.
Configuration Screen
Your Cardinal Commerce representative will provide you with theinformation for completing this screen.
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Merchant ID Your identifier at Cardinal.
Processor ID Cardinal supports multiple Payment Processors.
Transaction Password Secret password shared with Cardinal.
Currency Cardinal supports multiple currencies. This value sets thedefault. Currency can be sent with each transaction.
Acquirer Password Password at your specific Payment Processor.Required only when processing within certain Visa Regions. YourCardinal representative will inform you if this value is necessary.
URL and Test URL Your Cardinal representative will provide youwith the production URL. Prior to that, once your account is set upyou can use the Test URL to test your integration.
3D Secure Participation Check
CN!Express® supports the Cardinal Commerce action for checkingwhether a cardholder is participating in 3D Secure authentication. 3D
58 cn!express®
Secure is an authentication protocol used to authenticate cardholdersprior to authorization. Verified by Visa and MasterCard SecureCodeare authentication services based on the 3D Secure protocol.
To check whether a cardholder is enrolled in 3D Secure authentica-tion:
• Set the Action to IC (Identify Customer)
• Set the TenderType to C for credit card.
• Send the Account, Amount, Expiration, and Merchant OrderNumber fields.
• Also send the XCLASS field. This will be set to E for E-commerce.
In the response, if the Processor Status field is Y (enrolled), thecardholder is enrolled in a 3D Secure program and you may proceedwith the 3D Secure authentication step.
The following fields returned in the IC response may be used tocontinue with authentication:
REDURL The URL to which you should redirect the customer forauthentication
PAYLOAD Sent as a form argument as part of the redirect. Please seethe Cardinal Centinel documentation for details.
ECOMTYP Use as the ECOMTYP value when processing the autho-rization transaction through CN!Express®.
Transaction ID Cardinal Commerce returns a 3d transaction ID
Cardinal Commerce Actions
Identify Customer (IC)
Chase Paymentech
Configuration Screen
Your Chase Paymentech representative will send you the informationrequired to complete the CN!Express® configuration screen:
Division Name the name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
BIN 000001 is Salem. 000002 is Tampa/PNS.
Merchant ID Your Paymentech rep forwards this information. Note:This is your Merchant ID, not your Merchant Number.
Currency Defaults to US dollars. If you import a currency, it over-rides the default set here.
URLs These are automatically maintained by CN!Express® for ChasePaymentech communications.
Depositing and Refunding with Only the PROCTID
Once a transaction is authorized, you do not need the account num-ber again to either deposit or refund the transaction. Instead, storethe PROCTID value. The CN!Express® PROCTID consists of twoChase Paymentech Orbital fields: TxRefNum and TxRefIdx, sepa-rated by a period. CN!Express® knows how to properly send these tothe Orbital Gateway.
There is a limit as to how many days the PROCTID can be usedfor refunds. Please discuss the limits set for your account with yourChase Paymentech representative.
Depositing Remotely or Externally Authorized Transactions
In some circumstances, merchant websites may authorize (Auth) atransaction directly to the Orbital Gateway and then want to settle
60 cn!express®
(Deposit) through CN!Express®. In order to properly deposit, ChasePaymentech requires a value called the TxRefNum. CN!Express®
accepts this value in the PROCTID field.Send the following fields to settle this transaction through CN!Express®:
• ACTION
• DIVISION
• PROCTID (with the TxRefNum)
• MRCHORDR (Merchant Order Number)
• AMT (Amount)
No other information needs to be sent. The CN!Express® PROC-TID for Chase Paymentech Orbital Gateway actually consists of twovalues separated by a period: TxRefNum.TxRefIdx
In the case of an Authorization, the TxRefIdx is always 0. CN!Express®
defaults the TxRefIdx to 0 when it is not present.
Maestro (Switch) Support
CN!Express® supports the UK Domestic Maestro (UKDM) card. Thiscard was formerly called the Switch card and CN!Express® still usesfields with the SW (Switch) naming convention. When using Maestro(Switch) you must always send the card type since the card numberson Maestro overlap some credit card values. Set the card type to SW.
CN!Express® supports:
• Issue Number: SWISSU
• Start Date: SWCHDATE
Maestro transactions can also support Card Security Code (CVV)and MasterCard Accountholder Authentication Value (AAV). Maestrosupports Full and Postal-Code-only Address Verification.
Retry Logic
Chase Paymentech supports retrying transactions that may havefailed due to timeout, or where the response has otherwise been lost(due to a network failure, for example). Normally, if a transaction issubmitted twice, it could result in duplicate processing. Retry logic isintended to prevent duplicate transactions.
CN!Express supports retry logic on the Orbital Gateway by re-turning a specific field (PROCATR1) for transactions that have faileddue to timeout, or that have been sent and for which no response
chase paymentech 61
has been received. If you resend the transaction to CN!Express us-ing the PROCATR1 that was returned with the original transaction,CN!Express® will send the transaction marked as a retry, and ChasePaymentech will return the results from the original transaction with-out duplication of processing.
To test retry logic, you must send the same transaction to Pay-mentech twice. Paymentech does not provide a recommended pro-cedure for completing this test. Because CN!Express® only returnsPROCATR1 for actual errors or timeouts, it may not be possible totest retry logic without some kind of manual intervention.
There are two ways to test retry logic using CN!Express®.
Method 1 Manually drop the connection. While sending transac-tions to Paymentech in test mode, drop the network connection (byunplugging the network cable or similar means). At least one of thetransactions should return a timeout error and a non-blank PRO-CATR1. Resubmit this transaction with the returned PROCATR1 tocomplete the test.
Here is a step-by-step procedure:
1. Configure web request and web response to accept and returnPROCATR1.
2. Send a series of authorization connections through the web inter-face.
3. Drop the network connection.
4. Examine the responses. At least one transaction should have aPROCATR1 which is not blank.
5. Restore the network connection.
6. Resend the transaction you identified in step 4, this time with thePROCATR1 that was returned from the original request.
Method 2 Recover the information from the gateway log for asuccessful transaction, and resubmit that.
1. Configure file or web request and file or web response to acceptand return PROCATR1.
2. Enable the “processor communication log” in the advanced tab ofthe CN!Express configuration utility.
3. Send an auth transaction.
4. Examine the gateway log. Recover the “Trace-number” for thetransaction from the gateway log.
62 cn!express®
5. Resend the transaction, this time with the PROCATR1 that yourecovered from step 5.
Auric has successfully tested CN!Express® using Method 2.
Paymentech may require a deposit transaction for the authoriza-tion to complete the test.
Customer Profile Tokens
Orbital’s Customer Profiles support storing customer informationalong with the credit card or e-check account number when creatinga token. When you use the token for subsequent transactions, fieldsstored in the profile are used as defaults for those transactions.
Set RQSTTOKN to “1” to request that the payment processorreturn a TOKEN on an action such as an auth or a sale (this field isnot required for explicit “T” tokenization actions).
The Action “T” can be used to receive a customer profile TOKENwithout obtaining an authorization by including the TOKEN field inthe web response or transaction file export. The TOKEN can be usedfor subsequent Auth, Sale or Refund Transactions.
To get a token for a credit card, send the following request:
ACTION TACCT Credit card numberDIVISION CNX divisionAMT $0.00
EXP Credit card expiration dateMRCHORDR Merchant Order NumberRQSTTOKN 1
Export Fields/Web Response:
AUTHCODEAUTHDATEPROCTIDTOKEN
PROCTID example: 50350D3C273D5FC81737D104E4F925D972B953D
TOKEN example: 12439563
To get a token for an electronic check, send the following request:
chase paymentech 63
ACTION TDIVISION CNX divisionXCLASS Transaction classACCT Checking account numberROUTNUM Transit/routing number
These check-related fields are optional, and will also be associatedwith the token:
CHKTYPE Check account typeECPDELVM Check payment delivery method
You can also get a token for a credit card or e-check by settingRQSTTOKN to “1” on a regular check authorization, sale, or refund.Using one of the examples above, simply change the ACTION to“‘A”, ‘S”, or “R”.
To Perform an Auth, Sale or Refund Transaction with TokenRequested:
ACTION AACCT Credit card numberDIVISION CNX divisionAMT $0.00
EXP Credit card expiration dateMRCHORDR Merchant Order NumberRQSTTOKN 1
Export Fields/Web Response:
AUTHCODEAUTHDATEPROCTIDTOKEN
Once a TOKEN is received, the Customer Profile has been storedon the Orbital Gateway and the TOKEN is used to identify the Cus-tomer Profile.
In the Gateway Log, the TOKEN is returned as the Customer-RefNum and will be between 1 to 22 characters. The PROCTID isstored in the Gateway Log as the TxRefNum.
Deposit transactions cannot be completed by using the “Token”,because every credit card deposit transaction must include authoriza-tion information
Deposit transactions can be done by utilizing the PROCTID infor-
64 cn!express®
mation, including the PROCTID field in the web request or transac-tion file import.
Example of Deposit Transaction using Token requested:
Import/Web requestACTION = DPROCTID = 50350D3C273D5FC81737D104E4F925D972B953D5
TOKEN = BlankDIVISION = ABC MerchantAMOUNT = $ 1.00
EXP=Expiration DateMRCHORDR=Merchant Order NumberRQSTTOKN = 0
AUTHCODE = DEMO001
AUTHDATE = 02/22/2022 12:47:56
eBillme
eBillme Transaction Process Flow
A typical eBillme transaction flow is different from a standard creditcard or electronic check process. Specifically, the initial transaction issent from the merchant to eBillme. Merchants receive final paymentnotifications via a batch result file.
CN!Express® manages the communications between a merchantsback-end order management systems and eBillme. CN!Express®
not only removes the need for merchants to implement a complexSOAP protocol for communicating with eBillme, CN!Express® alsoautomatically polls the eBillme service on a regular basis to retrievethe batch payment notification files. CN!Express® then exports thesebatch files in a format similar to the batch files the merchant uses forany other payment operations.
A typical eBillme Standard payment flowis as follows:
• customer selects eBillme during checkout process on the mer-chant’s web site.
• merchant’s web site posts order information to eBillme web site.
• eBillme web site returns tracking information to merchant’s website.
• eBillme sends customer an eBill with order total and paymentinstructions.
• customer makes an on-line payment from their account to eBillme.
• eBillme updates several times a day. The status updates are thenavailable as batch downloads to the merchant.
• merchant polls eBillme for latest paid transactions. upon confirma-tion of payment, merchant releases product to customer.
CN!Express® automates this required periodic polling process andautomatically exports all new transaction payment information using
66 cn!express®
the same export format you use for all your batch payment trans-actions. Additionally, CN!Express® provides support for conveyingnew transactions through the standard CN!Express® web and delim-ited batch file interfaces; including recurring payments, refunds, andshipping notifications.
Configuration Screen
Your eBillme representative will send you the information requiredto complete the CN!Express® configuration screen. You will need toenter the Merchant Token, Username, Password, and Payee token.
Demo Mode Account Type CN!Express® supports eBillme’s Standardand Express processing features. This combo box indicates whichservice is emulated in demo mode.
Scheduled Status Check Times CN!Express® automates the requiredeBillme polling process. CN!Express® can check multiple times perday for new download files available from eBillme. Talk with youreBillme representative to determine the best times for you to bechecking each day – usually not more than four to six times in a 24
hour period.
Standard and Express Modes
eBillme defines both a Standard and Express mode. The significantdifference between these two modes is when the merchant releasesthe product to the consumer.
eBillme Standard mode returns only two authorization responses:
WAIT Wait for payment
DECLINE Decline the order
eBillme Express supports two additional authorization responses:
SHIP IMMEDIATELY Ship now, non-payment risk is low.
SHIP UNDER REVIEW Wait, eBillme will update this status.
Please discuss this with your eBillme representative for full details.
eBillme Actions
CN!Express® supports the following transaction actions for eBillme:
• Void
ebillme 67
• Refund
• Get (manually check for new batch files)
• Get Order Information Details
• Ship Notification
• Get Unallocated Payment Details (manually check for new batchfiles)
CN!Express® automatically sends Q and UQ requests on a polled/timedbasis. You can optionally request them manually as well. The follow-ing table details the required and optional fields for each of thesetransactions.
Table 3: eBillMe Transactions
eBillme Action eBillme Fields CN!Express®Action CN!Express®Fields
Cancel Order ORDERREFIDREASONID
V PROCTIDPROCRSN
Submit Refund ORDERREFIDREFUNDAMOUNTREFUNDREASON
R PROCTIDAMOUNTPROCRSN
Get Q
Get Order InformationDetails
ORDERREFID GD PROCTID
Continued on next page
68 cn!express®
Table 3 – Continued from previous page
eBillme Action eBillme Fields CN!Express®Action CN!Express®Fields
Ship Notification ORDERREFIDAMOUNTSHIPPEDDATESHIPPEDSHIPPING METHODSHIPPING COMPANYTRACKING NUMBER
SN PROCTIDAMTSHIPDATESHIPMETHSHIPCAR (opt)CARTRACK (opt)
Get Unallocated PaymentDetails Query
UQ
Update Order Information UO
Continued on next page
ebillme 69
Table 3 – Continued from previous page
eBillme Action eBillme Fields CN!Express®Action CN!Express®Fields
Submit Order ORDERNUMBERTOTALPRICECOMMANDTYPEIPADDRESSRECURRING ORDERFIRSTNAMELASTNAMEEMAILADDRESS1
ADDRESS2
CITYSTATECOUNTRYZIPCODEPHONE 1
PHONE 1
FIRSTNAMELASTNAMEEMAILADDRESS1
ADDRESS2
CITYSTATECOUNTRYZIPCODESHIPPINGMETHODSHIPPINGCOMPANYTRACKINGNUMBERCURRENCYISPROXYSESSIONIDNEWCUSTOMERMERCHANTRATINGITEMDETAILSEXPIRYDATEPROMOCODESUBMERCHANTSUBTOTAL
S MRCHORDRAMTXCLASSCUSTIPPMTNBR (1, 2)BILLFNAMEBILLLNAMBILLEMALBILLADD1
BILLADD2(opt)BILLCITYBILLSTPRBILLCTRYBILLZCPCBILLHPHOBILLWPHOSHIPFNAMSHIPLNAMSHIPEMALSHIPADD1
SHIPADD2(opt)SHIPCITYSHIPSTPRSHIPCTRYSHIPZCPCSHIPMETH(opt)SHIPCAR(opt)CARTRACK(opt)CUR(opt)CUSTPRXY(opt)CUSTSID(opt)CUSTNEW(opt)CUSTRTG(opt)DETAILS(opt)EXP(opt)MCTPROMO(opt)SUBMRCH(opt)SUBTOTAL(opt)
Continued on next page
70 cn!express®
Table 3 – Continued from previous page
eBillme Action eBillme Fields CN!Express®Action CN!Express®Fields
Update Order Information ORDERREFIDORDERNUMBERTOTALPRICEEXPIRYDATESUBTOTALPROMOCODEFIRSTNAMELASTNAMEEMAILADDRESS1
ADDRESS2
CITYSTATECOUNTRYZIPCODEPHONE1
PHONE2
FIRSTNAMEFIRSTNAMELASTNAMEEMAILADDRESS1
ADDRESS2
CITYSTATECOUNTRYZIPCODESHIPPINGMETHODSHIPPINGCOMPANYTRACKINGNUMBER
UO PROCTIDMRCHORDR (opt)AMT (opt)EXP(opt)SUBTOTAL (opt)MCTPROMO (opt)BILLFNAM (opt)BILLLNAM (opt)BILLEMAL (opt)BILLADD1 (opt)BILLADD2 (opt)BILLCITY (opt)BILLSTPR (opt)BILLCTRY (opt)BILLZCPC (opt)BILLHPHO (opt)BILLWPHO (opt)SHIPFNAM (opt)SHIPLNAM (opt)SHIPEMAL (opt)SHIPADD1 (opt)SHIPADD2 (opt)SHIPCITY (opt)SHIPSTPR (opt)SHIPCTRY (opt)SHIPZCPC (opt)SHIPMETH (opt)SHIPCAR (opt)CARTRACK (opt)
Auth Responses
Each eBillme auth response is composed of three components:
Auth Status Ship, Wait, ShipUnderReview, Decline
Auth Reason Code Various codes–see eBillme documentation.
ebillme 71
Auth Reason Description Textual description of the Codes.
You must discuss the various Auth Status responses with youreBillme representative to help guide your business process decisionson each of the return types.
Polled Batch Responses
CN!Express® returns two kinds of eBillme response batch files:
• the kind returned for Q (get order status)
• the kind returned for UQ (get unallocated payment information).
Both batch files have:
1. An entry for each order.
2. For each order, zero or more payment detail records.
The format for each order entry line is user-defined, set by theCN!Express® batch export format. Since you are likely to be usingCN!Express® batches to also process credit, check, and other alterna-tive payments, you will use the same batch export format for receiv-ing eBillme information. Simply add the necessary eBillme fields tothe end of your existing export record.
UNALLOC is a Boolean value indicating whether payment isallocated or unallocated. 1 indicates unallocated.
For ‘Q’ batch files, you can configure the order entry (main record)to include any order-related fields, and these will be exported byCN!Express®. Following are the common CN!Express® fields that aremapped to eBillme response fields:
Table 4: eBillme response batch fields
CN!Express® CN!Express®eBillme
UNALLOC Boolean Flag
PROCTID ORDERREFID
ACCT ACCOUNTNUMBER
Continued on next page
72 cn!express®
Table 4 – Continued from previous page
CN!Express®Field CN!Express®eBillme Field
AMT TOTALPRICE
CUR CURRENCY
AUTHDATE PAYMENTDATE
CAPDATE PAYMENTSOURCE
PMTSRC NAME
CMT1 NAME
Table 5: eBillMe ‘Q’ batch file responses
CN!Express® CN!Express®eBillme
PROCTID PREAUTHREFERENCEID
PROCORDR ORDERREFERNECEID
MRCHORDR ORDERNUMBER
ACCT ACCOUNTNUMBER
PROCSTAT AUTHSTATUS
RESPCODE REASON
RESPTEXT REASONDESCRIPTION
AMT TOTALPRICE
AUTHDATE PAYMENTDATE
CAPDATE AMOUNTPAIDTODATE
Continued on next page
ebillme 73
Table 5 – Continued from previous page
CN!Express®Field CN!Express®eBillme Field
RESPDATE
CAPAMT AMOUNTPAIDTODATE
EXP EXPIRYDATE
CUR CURRENCY
PROCATTR1 PAYSTATUS
AMTDUE AMOUNTOWING
RFGRAMT AMOUNTREFUNDEDTODATE
SUBTOTAL SUBTOTAL
XCLASS COMMANDTYPE
UQ response batch files do not have an order under which togroup the payment detail records (UQ is just a list of payments madeagainst unknown orders).
CN!Express® exports one main record for each merchant returnedin the payment file from eBillme. In most cases, there will be just onemain record in the field, followed by the detail records. For somemerchants, there may be more than one main record. The detailrecords that follow each main record are the unallocated paymentsassociated with that merchant identifier.
First Data Global Gateway
The First Data Global Gateway is the default Internet gateway to allFirst Data Platforms. CN!Express® supports credit card processingthrough the First Data Global Gateway.
Configuration Screen
First Data Global Gateway provides both test and production servers.Before communicating with either of these servers, you must ob-tain a Digital Certificate from First Data. When you sign up for youraccount, your First Data welcome email contains directions for ob-taining your credentials and the Digital Certificate (.PEM)file. Youwill have separate certificates for test and production environments.
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
(Test) Secure Host Name Address to which test or production trans-actions are sent. Note: Do not include the https:// as part of thename. Provided by First Data.
(Test) Secure Host Port Provided by First Data.
(Test) Store Name Provided by First Data.
(Test) Certificate Path to the .PEM file you download from the FirstData Virtual Terminal. Your welcome email has directions on howto obtain this file.
Note: Your Certificate acts in place of a userid/password for ac-cess to the First Data Global Gateway. Be cautious in where you storeand backup this file.
TSYS Merchant Solutions–PayFuse
Configuration Screen
Your TSYS Merchant Solutions representative will send you the infor-mation required to complete most of the CN!Express® configurationscreen.
Division Name the name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Alias Provided by your TSYS representative.
Account Provided by your TSYS representative.
Password Provided by your TSYS representative.
Currency All transactions to this Division are processed in this cur-rency. Available currencies are: US Dollar (USD), Canadian Dollar(CAD), Euro (EUR), Pound (GBP), Yen (JPY).
Use FraudShield FraudShield is an TSYS fraud detection service.Please contact your TSYS representative if you want to use thisservice.
URL and Test URL Your TSYS representative will provide you withthese values.
Depositing Remotely Authorized Transactions
In some circumstances, merchant websites may authorize (Auth) atransaction directly to the PayFuse Gateway and then want to settle(Deposit) through CN!Express®. In order to properly deposit, Pay-Fuse requires an ID identifying the transaction. CN!Express® acceptsthis value in the PROCORDR field.
Send the following fields to settle this transaction through CN!Express®:
• DIVISION
78 cn!express®
• PROCORDR
• AMT (Amount)
• ACTION
No other information needs to be sent.Note: The CN!Express® PROCORDR for the PayFuse Gateway
needs to be extracted from the PayFuse response XML after a suc-cessful Authorization. Be aware that PayFuse returns two XML fieldscalled Id. The required Id is the Order Form Doc Id which can befound in the XML document at: /EngineDoc/OrderFormDoc/Id.
ACH
PayFuse supports ACH Sale and Refund transactions. Please con-tact your PayFuse representative to determine how to receive ACHsettlement reports.
ACH transactions require the following fields:
• ACCOUNT: This is the bank account number.
• ROUTNUM: Bank transit/routing number.
• CHKTYPE: This single CN!Express® field maps to two fields inPayFuse: AccountType and CheckType.
CHKTYP AccountType CheckType
C (Consumer) 1 (Checking) 1 (Personal)
S (Savings) 0 (Savings) 1 (Personal)
X (Commercial 1 (Checking) 0 (Commercial)
• ECPAUTHM: Indicates the method by which the consumer au-thorized you to process their checking account information. TheECPAUTHM values translate to the PayFuse EntryClass field asfollows:
ECPAUTHM EntryClass
W (Written) PPD Prearranged Payment and Deposit
I (Internet) WEB
T (Telehone) TEL
C (CCD) CCD Cash Concentration or Disbursement
Vantiv®(formerly Litle & Co.)
Configuration Screen
Your Vantiv® representative will send you the information requiredto complete the CN!Express® configuration screen.
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Merchant Identifier Your Vantiv® rep forwards this information
Test Information The URL, user ID, and password provided to you byVantiv® for submitting test transactions.
Production Information The URL, user id, and password provided toyou by Vantiv® for submitting live production transactions.
Depositing Remotely or Externally Authorized Transactions
In some circumstances, merchant websites may authorize (Auth)a transaction directly to Vantiv® and then settle (Deposit) throughCN!Express®. In order to properly deposit, Vantiv® requires a valuecalled the TxRefNum. CN!Express® accepts this value in the PROC-TID field.
• ACTION
• DIVISION
• PROCTID (with the TxRefNum)
• MRCHORDR (Merchant Order Number)
• AMT (Amount)
80 cn!express®
Supported Methods of Payment
CN!Express® supports the following Vantiv® functionality:
• Credit Cards: MasterCard, Visa, American Express, Discover, GiftCards
• Vantiv token
• Track 1/Track 2 retail data
• Level II, Level III, and Vantiv® Custom Billing data
• US Currency
• Auth, Auth Reversal (L), Capture, Capture Previous Auth, Sale,Force Capture, Credit, and Void
• Automatic Account Updater
• Automatic Account Updater Extended Response Codes
• Pre-paid card filtering.
• Card-type detection.
Tokenization
Vantiv® supports credit card number tokenization. The tokenizationservice is activated by Vantiv® on a per-division basis. If tokenizationis activated for a specific division, then tokens are automaticallygenerated when you submit a transaction using a credit card number.To retrieve this token, simply export the TOKEN field. There is noneed to specifically request the token through CN!Express®.
To use the token in future transaction, import it in the CN!Express®
TOKEN field.
Card Filtering Services
Vantiv® offers Card Filtering Services. CN!Express® supports Pre-paid Card Filtering Service
Contact Vantiv® for Test Scenarios and Testing Card FilteringServices
To use pre-paid card filtering with CN!Express®, use the DECLPPD
(Decline Pre-paid) as an import field.
• If you send a ‘1’ in this field, and filtering is not set for all trans-actions by default, Vantiv® will apply pre-paid filtering to thistransaction.
vantiv®(formerly litle & co.) 81
• If you send a ‘1’ in this field, and filtering is set for all transac-tions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
• If you send a ‘0’ in this field, and filtering is set for all transac-tions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
• If you send a ‘0’ in this field, and filtering is not set for all trans-actions by default, Vantiv® will apply pre-paid filtering to thistransaction.
• If you send a nothing in this field, and filtering is set for all trans-actions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
Card Filtering Services
CN!Express® supports Vantiv®’s pre-paid card filtering service.To use pre-paid card filtering with CN!Express®, import the field
DECLPPD (Decline Pre-paid).The following table summarizes how this works:
Table 6: Pre-paid card filtering rules
DECLPPD Account Setting Card Type Transaction Result
(not sent) case-by-case not prepaid normal
(not sent) case-by-case not prepaid normal
(not sent) filter all not prepaid normal
(not sent) filter all prepaid declined by filter
0 case-by-case not prepaid normal
0 case-by-case prepaid normal
0 filter all not prepaid normal
0 filter all prepaid normal
Continued on next page
82 cn!express®
Table 6 – Continued from previous page
DECLPPD Account Setting Card Type Transaction Result
1 case-by-case not prepaid normal
1 case-by-case prepaid declined-by-filter
1 filter all not prepaid normal
1 filter all prepaid declined by filter
• If you send a ‘1’ in this field, and filtering is not set for all trans-actions by default, Vantiv® will apply pre-paid filtering to thistransaction.
• If you send a ‘1’ in this field, and filtering is set for all transac-tions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
• If you send a ‘0’ in this field, and filtering is set for all transac-tions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
• If you send a ‘0’ in this field, and filtering is not set for all trans-actions by default, Vantiv® will apply pre-paid filtering to thistransaction.
• If you send a nothing in this field, and filtering is set for all trans-actions by default, Vantiv® will not apply pre-paid filtering to thistransaction.
Card Type Detection
CN!Express® also supports Vantiv®’s card-type detection. To usecard-type detection, include the TENDSUBT field in your export.CN!Express® returns a description of the card used in the transac-tion. Some examples of the strings that may be returned are:
• UNKNOWN
• CREDIT
• DEBIT
• FSA
vantiv®(formerly litle & co.) 83
AUACCT New account number
AUEXP New expiration date
AUORCODE Response code for original (declined) transaction
AUORTEXT Response text for original (declined) transaction
AUCRDTYP New card type (e.g., MC, VI)
Table 7: Automatic Account UpdaterFields
• PREPAID:GENERAL_PREPAID
• PREPAID:GIFT
• PREPAID:PAYROLL
Note: on pre-paid transactions, you can also export the CURBAL(current balance) and LOADABLE fields. This provides you with thebalance on the pre-paid card and indicates if the card can be reloaded(LOADABLE is 1).
Automatic Account Updater
CN!Express® supports Vantiv®’s automatic account updater func-tionality. With this feature, declined transactions are automaticallychecked against a list of updated account numbers maintained byVantiv® If the account is out-of-date, Vantiv® will re-submit thetransaction using the updated account number and return new ac-count information as part of the transaction response. You mustconfigure your merchant account to use automatic account updates inorder to use this feature.
Table 7 shows the CN!Express® return fields that support thisfunctionality.
You should update your customer records to reflect the new in-formation when you receive these items as part of a transaction re-sponse
Cielo Payments Inc. (Formerly Merchante-Solutions)
Configuration Screen
Your Cielo Payments representative will send you the informationrequired to complete the CN!Express® configuration screen for theMerchant e-Solutions gateway:
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Profile ID Identifies the account under which this transaction is pro-cessed.
Merchant Key Provides access to the account – much like a password.
Dynamic DBA Information Overrides information already configuredand stored.
DBA Name Alternative business name (optional).
MCC Your Merchant Category Code (optional). Your representativewill have helped you determine this value at the time you appliedfor an account.
City, St./Prov, Zip/PC Your company address (optional).
Customer Service Phone Number (optional) This appears on yourclient’s billing records.
URLs These are automatically maintained by CN!Express® for yourpayment processor communications.
Payment Methods
CN!Express® supports the following payment methods throughMerchant e-Solutions:
• Credit Card
86 cn!express®
• Bill Me Later
CN!Express® also supports International Currencies through Mer-chant e-Solutions. International currencies can be supported as:
• process and settle transactions in a particular currency.
• convert between currencies before processing.
• process in customer currency and fund in merchant currency.
Depositing Remotely or Externally Authorized Transactions
In some circumstances, merchant websites may authorize (Auth)a transaction directly to Cielo Paymentsand then settle (Deposit)through CN!Express®. In order to properly deposit, Cielo Paymentsrequires a value called the TxRefNum. CN!Express® accepts thisvalue in the PROCTID field.
• ACTION
• DIVISION
• PROCTID (with the TxRefNum)
• MRCHORDR (Merchant Order Number)
• AMT (Amount)
Bill Me Later
Refer to the CN!Express_Field_Reference.html file for details on theBill Me Later fields supported by CN!Express®. It is important to talkwith both your Cielo Payments and Bill Me Later representatives todetermine precisely which fields should be transmitted. Specific fieldselection depends on your specific business.
3D Secure Support
CN!Express® supports 3D Security through Merchant e-Solutions. 3DSecure is an authentication protocol used to authenticate cardholdersprior to authorization. Verified by Visa and MasterCard SecureCodeare authentication services based on the 3D Secure protocol.
The first step in using 3D Secure is to check if a cardholder isenrolled in the 3D Secure authentication program. To check whethera cardholder is enrolled in 3D Secure authentication:
• Set the Action to IC (Identify Customer)
cielo payments inc. (formerly merchante-solutions) 87
• Set the TenderType to C for credit card.
• Send the Account, Amount, Expiration, and Merchant OrderNumber fields.
• Send the Invoice Number (INV).
In the response, if the Processor Status field is Y (enrolled), thecardholder is enrolled in a 3D Secure program and you may proceedwith the 3D Secure authentication step.
The following fields returned in the IC response may be used tocontinue with authentication:
REDURL The URL to which you should redirect the customer forauthentication.
PAYLOAD Sent as a form argument as part of the redirect. Please seethe Cardinal Centinel documentation for details.
AUTHTCID Return the AUTHCID value when processing the autho-rization transaction through CN!Express®.
When processing the authorization or conditional deposit, you canspecify that the customer was authenticated through 3D Secure byincluding the following two fields in the request:
AUTHTCID The AUTHTCID value returned in the IC request.
PAYLOAD The PaRes parameter returned by the card issuer in theauthentication response.
Multicurrency and FX Processing
With CN!Express®, each transaction can include a currency field.This field defines which currency to use for the amount field. CN!Express®
also supports Merchant e-Solutions ability to do currency conversionprior to the transaction. Merchant e-Solutions refers to this as FX(Foreign Exchange) processing. Please refer to the Cielo PaymentGateway FX Processing documentation for details beyond the follow-ing.
Available transactions are:
CA Convert Amount from one currency to a different currency.
CG Get Currency Rate. Retrieve rate for an individual currency, orretrieve the entire rate table. All rates are relative to the merchant’sdefault currency.
LC Lookup Currency. Given a Country or IP address, return thecurrency code for that locale.
88 cn!express®
The FX transactions need to be performed before an Authorization,Sale, or Refund transaction.
Lookup Currency Send either the BillAddress:Country (BILLCTRY) orCustomer IP Address (CUSTIP) field. The Currency (CUR) field inthe response contains the currency code for that locale.
Get Currency Rate Sending a value in the Currency (CUR) field re-turns an XML structure in the Payload field that describes theconversion rate between the merchant’s default currency and thetarget currency. There is also an Exchange Rate ID (EXCHRTID)which must be used in future Authorization, Sale, or Refund trans-actions. Each conversion response has an Expiration Date associ-ated with it. The conversion values must not be used beyond thatdate.
When you call Get Currency Rate without specifying a Currency,the Payload field in the response will contain a list of currency rateconversions for all supported currencies.
Convert Amount To convert from the merchant’s default currencyto another currency, send the original value in the Amount inMerchant Currency (MCURAMT) field and a Currency Code. Theconverted value is returned in the Amount field. Use this amount,along with the returned Exchange Rate ID and Expiration Date foruse in future Authorizations, Sales, and Refunds.
FX Auths, Sales, and Refunds When using Foreign Exchange, Autho-rization, Sale, and Refund transactions must include:
MCURAMT Amount in Merchant Currency.
AMOUNT The converted amount.
EXCHRTID The Exchange Rate Identifier.
PayPal
Configuration Screen
The PayPal Express Checkout configuration requires your standardPayPal identification information.
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
User Your PayPal user name.
Password Password for accessing your PayPal account.
Signature Secret signature you’ve defined at your PayPal account.
URLs These are automatically maintained by CN!Express®.
Depositing Remotely or Externally Authorized Transactions
In some circumstances, merchant websites may authorize (Auth)a transaction directly to PayPal and then want to settle (Deposit)through CN!Express®. In order to properly deposit, PayPal requiresa value called the TxRefNum. CN!Express® accepts this value in thePROCTID field.
Send the following fields to settle this transaction through CN!Express®:
• ACTION
• DIVISION
• PROCTID (with the TxRefNum)
• MRCHORDR (Merchant Order Number)
• AMT (Amount)
No other information needs to be sent. The CN!Express® PROC-TID actually consists of two values separated by a period: TxRefNum.TxRefIdx
In the case of an Authorization, the TxRefIdx is always 0. CN!Express®
defaults the TxRefIdx to 0 when it is not present.
90 cn!express®
ButtonSource Parameter
Please include the ButtonSource (BN) parameter in your initial trans-action with the PayPal website. Please use the following Button-Source value: Auric_CNExpress_ECUS.
PayPal Express Checkout Actions
CN!Express®supports the following transaction actions for PayPalExpress:
• Final Deposit (FD)
• Get Details (GD)
• Open Order (OO)
• Query (Q)
• Partial Refund (PR)
Paypal PayFlow Pro
The information to complete the Paypal Payflow Pro configuration isavailable from your Payflow Pro management account available at:https://manager.paypal.com/.
• Obtain your Payflow Pro Settings information,
• For testing purposes, use Visa 4111111111111111 Exp 1/15
• Authorize a credit card, configuring the export field to return aPROCTID
• PROCTID is returned in the web log, as well as the gateway log. Inthe gateway log, PROCTID is returned as PNREF.
• Deposit or perform subsequent transactions by sending the PROC-TID number along with the appropriate amount.
• In the gateway log, PROCTID is returned as ORIGID after theinitial authorization.
• Payflow Pro will hold this credit card information for one year,using these Transaction ID’s rather than tokens.
• For recurring billing, any PROCTID from the past year may beused.
• Deposit transactions can include the optional CAPCOMPL (Cap-tureComplete). This indicates that no more capture will occuron the original authorization. Useful when depositing less thanoriginally authorized.
TenderCard
TenderCard supports online gift and loyalty cards. TenderCardprovides several APIs. CN!Express® implements TenderCard’s TC-SOAP Protocol 2.0.1.
Configuration Screen
Your TenderCard representative will send you the information re-quired to complete most of the CN!Express® configuration screen.
Division Name the name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Loyalty Transactions TenderCard supports both Gift Cards (whichcontain an amount of money) and Loyalty/Rewards cards (whichcontain a number of points).
CN!Express® is designed to run a TenderCard division in eitherLoyalty or Gift Card mode. By default, it runs Gift Card transac-tions. Checking this checkbox causes the Division to run Loyaltytransactions.
It is possible to run both Gift and Loyalty transactions through thesame TenderCard processing account. If you require this ability,you must set-up two CN!Express® Divisions and configure onefor the default Gift Card transactions and the second for Loyaltytransactions. For example, you could call one TC-Gift and theother TC-Loyalty.
Amount Due Processing When unchecked, attempts to redeem morethan the available balance decline. The amount due (AMTDUE)field returns with the balance remaining to be collected by themerchant (Amount Requested minus Amount Redeemed). Theavailable balance (CURBAL) field returns with the balance avail-able on the card.
When checked, any attempt to redeem more than the availablebalance approves. The amount due (AMTDUE) field returns with
94 cn!express®
the balance of the amount requested minus the amount that wasredeemed from the card. The balance due (CURBAL) field returnswith 0.00.
Production/Test Login Information Your TenderCard representative willprovide you with your Test and Production log-in information.This is a fairly long (and cryptic) string that should be copied andpasted. Do not try to type this information. CN!Express® supportsTenderCard’s XML and base64-encoded XML formats.
The Login information contains your account number.
Functionality
CN!Express® supports the following TenderCard actions for bothLoyalty and Gift Card processing:
AO: Activate Only Activate an existing account without affecting itsvalue.
AV: Add Value Add value to a stored value/gift card.
BA: Balance Inquiry Retrieve the card balance.
CL: Close Card Deplete full balance of card and close account.
GP: Get Customer Profile Retrieve the customer information associatedwith an account.
IS: Issue Card Create and activate a new account with a specifiedbalance. If this is a replacement for a legacy gift card program,you can include the previous gift card account number in thePREVACCT field. This is for reporting and documentation only.
R: Refund Return funds to the account holder.
RD: Redeem Value Redeem (remove value). Returns Amount Due(AMTDUE) and Current Balance (CURBAL).
UP: Update Customer Profile Update customer information associatedwith an account.
V: Void Reverses the previous transaction applied to a card. Forexample, if the previous transaction was a $10.00 redemption, thevoid transaction restores $10.00 to the card balance.
XF: Transfer Transfer the entire balance from one TenderCard accountto another; closing the original account.
tendercard 95
Fields
The following fields have specific uses for TenderCard processing:
AMTDUE: Amount Due Returned by CN!Express® on Redeem Value(RD) call when using Amount Due Processing. This is the amountthat was not available on the Gift Card and still needs to be col-lected.
Authorization Code: AUTHCODE Value returned by TenderCard
Authorization Date: AUTHDATE Returned from TenderCard
AVS Fields and Email Supports standard name, address fields as wellas Email.
Current Balance: CURBAL Amount (dollars or points) available oncard. Returned by Balance Inquiry (BA) and Redeem Value (RD)when using Amount Due Processing.
CVV/CID: CVV TransFirst cards have a PIN. Put that value into theCVV field.
Expiration Date: EXP Expiration date for the card( M/D/YYYY). Avalue of 1/1/0001 causes TenderCard to use default settings foryour account. It is the merchant’s responsibility to ensure that giftcard expiration dates comply with applicable laws.
Account Issue Date: ISSUEDATE Date of issue for Gift cards. Eightchars: YYYYMMDD
Previous Gift Card Account Number: PREVACCT Used for Transfer(from PREVACCT to this card) and optionally for Issue transac-tion.
Response Code: RESPCODE & Response Text: RESPTEXT TenderCarddoes not have numeric response codes. Check the LAS (Last Ac-tion Succeeded) flag to determine if transaction was successful.TheRESPTEXT (Response Text) contains text returned by TenderCard).Note: TenderCard returns one-word responses like Insufficient-Funds. CN!Express® expands this to a multi-word string: Insuffi-cient Funds.
Response Date: RESPDATE Date the transaction was processed.
TransFirst
Configuration Screen
Your Transfirst representative will send you the information requiredto complete the CN!Express® configuration screen:
Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.
Account Provided by your Transfirst representative.
Password Password to access your account at Transfirst.
Customer Service Phone Number This information appears on yourcustomers records.
Division Duplicate Checking Informs Transfirst you want them tocheck for received duplicate transactions.
URLs These are automatically maintained by CN!Express®.
Depositing Remotely or Externally Authorized Transactions
In some circumstances, merchant websites may authorize (Auth) atransaction directly to TransFirst and then want to settle (Deposit)through CN!Express®.
Send the following fields to settle this transaction through CN!Express®:
• ACTION
• DIVISION
• PROORDR
• MRCHORDR
• AMT
No other information needs to be sent.
Part III
PA DSS SecureImplementation Guide
Overview of PCI-Compliance Practices
IMPORTANT: Please read the ??.This document outlines Auric Systems International’s prudent
practices for securely implementing, deploying, and integrating theCN!Express® (and optionally PaymentVault™) payment processingapplications under PCI PA-DSS 3.0.
The recommendations and prudent practices described in thisdocument are designed to help you to implement and integrate theseapplications in a PCI-compliant manner.
As prudent practices evolve, Auric Systems International willbe modifying both their products and this documentation to meetthe latest requirements. Please contact Auric Systems Internationalsupport if you have any questions: [email protected].
Auric Systems International’s payment applications are developedfor use in a PCI-compliant enterprise. Auric Systems Internationaldevelops these applications in accordance to the PCI Security Stan-dards Council Payment Application Data Security Standard (PA-DSS)version 3.0.
Auric Systems International has undergone a third-party assess-ment of our development processes. CN!Express® has undergone anindependent third-party assessment. Auric Systems International isa PCI-validated Level 1 service provider listed with MasterCard andVisa International.
This document contains Auric Systems International’s prudentpractices recommendations for installation, integration, and config-uration of the CN!Express® payment processing application. Mer-chants must make their own determination as to how best to create aPCI-compliant enterprise.
Compliance Status
Software technically cannot be PCI-compliant. PCI is a process thatapplies to merchants and service providers, not software. There are18 basic steps ranging from building and maintaining a secure net-work, to protecting cardholder data, to maintaining an information
102 cn!express®
security policy. Software must be evaluated to see how it fits within amerchant’s overall PCI efforts. What PCI is for merchants, PA-DSS isfor software.
All Auric Systems International products are listed on the PCISecurity Standards Council web site: pcisecuritystandards.org. Mer-chants should always check this website to confirm the current com-pliance of any payment application.
Prudent Practices
Recommendations
This document contains recommendations regarding the securityinstallation, integration, and configuration of Auric Systems Interna-tional products in a PCI compliant manner.
Customers and integrators are responsible for implementing theirown PCI compliant environment. Our intent is to provide sufficientinformation regarding prudent practices for the installation, configu-ration, and operation of Auric Systems International products to helpyour PCI compliance efforts
Additional Help
Auric Systems International’s support team is always available tohelp with any questions you may have related to implementing ourpayment processing applications—PCI or otherwise.
Auric Systems International has been providing payment process-ing applications since 1994, and we’ve been meeting PCI require-ments since 2005. We continue to strive to provide you with the bestproducts and support we possibly can.
Thank you for choosing Auric Systems International as your pay-ment software partner.
Do Not Retain Full Magnetic Stripe or CVV2 Data
General
• The CN!Express® real-time web interface accepts transactionscontaining CVV2/CID, magnetic stripe, and debit card PIN blockdata. This information is transmitted directly to the processor andnever stored.
• The CN!Express® batch file interface accepts transactions withCVV2/CID data. This feature is provided for integration withlegacy systems. Auric recommends that CVV2 data not be trans-mitted in files.
• Import and export file encryption formats are discussed later inthis document.
• If you do not encrypt the import file, Auric strongly recommendsyou configure CN!Express® to multi-pass delete the import fileafter it is read.
• If you do not delete the import file, Auric strongly recommendsyou configure CN!Express® to mask sensitive data after import. Inthis mode, instead of just changing the imported file’s extensionfrom .IMP to .DNE, CN!Express® copies the .IMP file to a tempo-rary file while masking sensitive data such as account number andCVV2/CID. When the copy is complete, the .IMP file is deletedand the new, masked, copy is given the .DNE extension.
• Do not export the account code. Instead, use the order numberfield or an internal tracking ID in one of the four comment fields.
• Never send sensitive customer information to Auric for support orany other reason.
• Sensitive authentication data should be collected only whenneeded to solve a specific problem.
• Any such sensitive data collected must be stored in a secure man-ner, in specific known locations, and with limited access.
104 cn!express®
• Collect only the limited amount of data required to solve a prob-lem.
• Securely delete any such sensitive collected data immediately afteruse.
Securely Delete Files
CN!Express® supports the ability to perform multi-pass file over-writes and deletion. After a batch file is imported, it is deleted in asecure manner by being overwritten multiple times before the actualdeletion. If this should cause excessive hard drive activity in yourspecific installation, the second-best approach is to use the One-PassOverwrite and Delete. See Appendix III Secure File Deletion for de-tails.
You must remove historic data (such as old databases and databasebackups no longer being used, using a secure removal tool such asSDelete for Windows or shred for Linux. This is mandatory for PCI-DSS compliance.
• File Formats Tab
– Set After Importing a File to Multi-Pass Overwrite and Delete. Aftera batch file is imported it is deleted in a secure manner by beingoverwritten multiple times before the actual deletion.
• Files Tab
– Decrypt Files Before Import is checked.
– Encrypt Files Before Export is checked (optional, better to notexport sensitive data).
Proper Log Handling
Run those logs appropriate for the environment. Ensure log maskingis active.
• From the Advanced Tab
– Turn off all Optional Logs that you are not explicitly using.
Do Not Store CVV2 Field
CVV2 data must never be transmitted in batch files.
• From the File Formats Tab, Edit Format... buttons (one for Importone for Export)
magnetic stripe and cvv2 data 105
– CVV/CID field is not imported or exported.
– Account field is not exported, or exported masked.
Protect Stored Cardholder Data
General
• CN!Express® supports external Key Management Systems.
• Merchants should develop a cardholder data retention policy.
• Card holder data exceeding the defined retention policy retentionperiod must be purged.
• CN!Express® never displays credit card data.
• All logs, including debug logs, mask sensitive data fields.
• When uninstalling a CN!Express® configuration that uses theembedded database, the uninstall routine securely deletes the datafiles in order to ensure locally encrypted data is removed securely.When using the remote database option, you must securely deletethe database files you stored on the remote database server usinga secure deletion tool such as SDelete on windows or shred onLinux.
• When uninstalling CN!Express®, all cryptographic material mustbe removed. The only cryptographic material is the encrypted cardholder accounts that may be in the database or backup files. Youshould explicitly check:
1. the Data directory
2. the Import directory
3. the Export directory
4. the Warning directory (only on Trevance)
5. the Backup directory
6. the Decline directory
7. any backup directories or media you have used internally tostore data from any of the above locations
108 cn!express®
• Customers are advised that Windows restore points; backups;crash files; debug files and any other type of file, that takes asnapshot of the registry and/or hard drive where CN!Express®
is loaded (whether resident on the system or not) must be deletedusing the secure delete process described in this document for thecustomer to maintain PCI compliance.
• Use a secure deletion program, such as SDelete for Windows orshred for Linux, to remove these files.
• Removal of historic cryptographic material is absolutely necessaryfor PCI DSS compliance.
• PCI DSS requires the secure removal of cryptographic key materialstored by previous versions of an application. Such removal ismandatory for PCI DSS compliance. During updates, CN!Express®
securely migrates legacy keys that were stored in the previousversion into the new version.
• CN!Express® requires the use of an external key server applicationor service (Key Service).
• The Key Service must:
– be PCI compliant.
– rotate keys at least once every 12 months.
– use strong encryption (such as 256-bit AES encryption)
CN!Express® Configuration
• External Key Manager Tab
• Select the Key Management software/service to which you willconnect.
• Enter the proper credentials.
• Encryption keys for all sensitive data are now managed externally.
• CN!Express® Stores Encrypted Cardholder Information:
• In embedded Firebird database contained in the Data subfolderunder the default installation directory.
• Or, in the remotely-installed Firebird database. Data locationsshould be listed and noted.
• In backup (gbk) files. Note the location as set in the CN!Express®
Configuration utility. Backup files are generated only for the em-bedded solution.
protect stored cardholder data 109
• If using the local embedded Firebird database, then securelydelete the database file: CNXAP.FDB. Also delete the backup files:cnxap\[The Date].GBK.
• If using the remote Firebird database, you must delete the CN!Express®
schema from the remote Firebird installation and remote files in amanner compliant with your PCI policies and procedures. Suchremoval is absolutely necessary for PCI DSS compliance.
• After the update from CN!Express®4.x to 5.0 CN!Express® will
immediately start using the new Key Manager based keys forall existing sensitive cardholder data. Transitory information(such as transactions held for end of day settlement and cachedPaymentVault™ data) will continue to use the old key. Such data istransitory and will be flushed from the system within a few hours(transactions queued for end of day) or days (PaymentVault™ datais cached depending on the number of days you have configuredto hold it in CN!Express®).
• If you are using PaymentVault™ CN!Express® will re-encrypt thehistoric data as it is retrieved from PaymentVault™ during normalUTID retrieval.
Clearing Sensitive Cardholder Data in Batch Transactions
CN!Express® supports sending batch authorization transactions.Authorization transactions may include sensitive cardholder data(CVV or CID). Because these are batch transactions, it is necessaryfor CN!Express® to temporarily store this information in its internaldatabase as the batch is prepared for transmission to the paymentprocessor.
To ensure that this data is not retained any longer than necessary,CN!Express® clears this information from its database when thebatch export file is generated (CN!Express® also never exports thisinformation).
On a general level, batch transmission through CN!Express®
works like this:
1. Merchant places a delimited-text file with batch transactions in theCN!Express® import directory.
2. CN!Express® reads in and parses this file, storing the informationin its internal database. For single-item files, CN!Express® doesnot store the information at all, but directly submits the transac-tion to the processor.
110 cn!express®
3. CN!Express® submits each item in the batch as an individual, on-line transaction, and updates its database with processor responseswhen these are received. Multiple transactions may be submittedsimultaneously.
4. When CN!Express® has received all of the responses for a batch, itreads the information out of the database for each transaction andbuilds and exports a delimited-text file.
CN!Express® clears the CVV from its internal storage as soon asthe response is received from the processor (step 3 above). In thedatabase, each transaction is stored as an "object," so updating atransaction with responses actually requires replacing that trans-action in the database with a new one. As soon as the response isreceived, CN!Express® clears the CVV from the transaction objectalong with writing the processor responses to it. It then overwritesthe transaction in the database with the new one, eliminating CVVfrom storage.
Secure Authentication Features
General
You must maintain secure authentication for access to all paymentprocessing applications and servers.
• Unique user IDs must be used for all administrative access toCN!Express®, CN!Express®, and PaymentVault™.
• All CN!Express®administration must occur on the server runningthe payment application.
• You must maintain PCI DSS compliant access and logins to theservers on which CN!Express®is installed.
• CN!Express® provides default accounts that must be replacedbefore running either program in Test or Production modes.
• CN!Express® passwords may be as long as 40 characters. Theymust be at least seven characters. This encourages the use of long,easily remembered passwords (sentences, poems, etc.) vs. shortcryptic passwords. Spaces and punctuation are acceptable pass-word characters. For PCI DSS compliance the password mustcontain both numbers and letters.
• CN!Express® maintains a history of the last four passwords usedand do not allow them to be reused.
• Passwords must be maintained according to company policiesand procedures. Specifically, PCI recommends that passwords bechanged every 90 days.
• You must not use administrative accounts for payment applicationlogins (e.g., don’t use the “sysdba” account for payment applica-tion access to the database).
• You must assign secure authentication default accounts (even ifthey won’t be used), and then disable or do not use the accounts.
112 cn!express®
• You must assign secure authentication for payment applicationsand systems whenever possible.
• You must create PCI DSS compliant secure authentication to accessthe payment application, per PCI DSS Requirements 8.5.8 through8.5.15.
• Changing “out of the box” installation settings for unique user-names and secure authentication will result in non-compliancewith PCI DSS.
• CN!Express® stores necessary database passwords in their respec-tive configuration files as encrypted data.
Replace Default Users
From the Configure/Administrater Users dialog:
• Create a new user.
• Set the User Type to Web Service or Web Console.
• Click the Manager checkbox to give Web Console users access toability to pause/resume CN!Express® or reload redo logs.
• Enter a strong password of at least seven (7) characters and bothalpha and numeric characters.
• Create a uinique user ID for each person requiring access to theCN!Express® console.
Provide Manager access only to those users who must man-age/control CN!Express® remotely.
If a Manager fails to log in after six attempts they are locked outof the system for 30 minutes. The exception to this is the WEB useraccounts for the real-time web transaction interface. A lock out in thisinstance would lead to a denial of service.
Manager accounts are automatically logged out after 15 minutesof inactivity. Non-managers users are not automatically logged outsince typically they are doing long-term monitoring.
Auric recommends that Manager accounts be used solely for start-ing/stopping CN!Express® remotely, and not for monitoring pur-poses.
Auric recommends that Manager accounts not be used to start/stopCN!Express in production – rather all stop/start actions should occurthrough the Windows System Manager.
Log Payment Application Activity
General
CN!Express® maintains a running log of Administrative, Manager,and Console users who connect. This log should be regularly moni-tored for failed log-in attempts.
• Use a Network Time Protocol service to ensure the time on theCN!Express®server is properly synchronized.
• Check the timezone and Daylight Savings/Standard Time flag isset properly on the servers.
• Check all logs on a daily basis.
• Provide a central log aggregator.
• For CN!Express® on Linux Auric recommends using the syslogsetting on the Advanced tab of the Configuration Utility to sendall CN!Express® logs to syslog.
• Implement automated audit trails to reconstruct the followingevents for all system components:
– All individual user access to cardholder data.
– All access to audit trails.
– All actions taken by any individual with root or administrativeprivileges.
– Access to all audit trails.
– Invalid logical access attempts.
– Use of identification and authentication mechanisms.
– Initialization of the audit logs.
– Creation and deletion of system-level objects.
• Record at least the following audit trail entries for each event forall system components:
114 cn!express®
– User identification
– Type of event
– Date and time
– Success or failure indication
– Origination of event
– Identity or name of affected data, system component, or re-source.
• CN!Express® has audit logs that are always active.
• You must capture and store these logs for at least one year tomaintain PCI compliance. Disabling logs will result in non-compliance with PCI DSS.
• Any attempt to disable these logs will result in non-compliancewith PCI DSS.
Centralized Logging
For the CN!Express® Linux version, Auric recommends using thesyslog option available in the Advanced tab of the CN!Express® Con-figuration Utility. This ensures that all CN!Express® logs are sent di-rectly to the local syslog process. This syslog can then be forwardedto a central logging facility for archiving.
The CN!Express® console user log maintains a running log ofManager and Console users who connect to CN!Express®. This logshould be regularly monitored for failed log-in attempts.
The CN!Express® audit log provides a list of activities performedby Manager. Console users can only Monitor CN!Express® activity.This log contains both the users log-in name and a date/time stampat which the activity occurred.
These logs are stored as simple text files that are easily reviewed.From the Configure/E-Mail Notification dialog:
• check All Logs to have the daily logs automatically emailed to you.
• configure the settings for your SMTP mail server.
• select a time at which the logs should be emailed to you.
• check Login Report to receive an email whenever anyone logs intoCN!Express®.
Develop Secure Payment Applications
General
This section of the PA-DSS standard is heavily focused on the devel-opment of secure web (public Internet-accessible) applications.
Although CN!Express® has web interfaces, it is not a web appli-cation and is not designed to be implemented directly on the publicInternet. CN!Express® is designed for use only on internal networks.See the Facilitate Secure Network Implementation section for recom-mendations on secure network implementation.
Where applicable, Auric Systems International follows the OpenWeb Application Security Project (OWASP) guidelines available athttp://www.owasp.org. Auric Systems International recommendsanyone integrating payment processing into their web site also followthe OWASP guidelines.
Required Protocols and Services
The following protocols and services are required for general opera-tion of the CN!Express® service:
1. Incoming
(a) HTTPS or HTTP
2. Outgoing connection TCP/IP socket connection to Firebirddatabase if using a remote Firebirdinstallation.(a) HTTPS to payment processors
(b) syslog (Linux® only)
(c) HTTP to AKMP™ on localhost
(d) HTTP to PaymentVault™ on localhost (optional)
Note: All external communications to CN!Express® must occurover a secured channel, specifically HTTPS. If CN!Express® shouldbe configured to run behind a proxy server or secure tunnel such asApache, nginx, or stunnel which is configured on the same physical
116 cn!express®
server. When behind a proxy or secure tunnel, CN!Express® shouldbe configured to use HTTP. Otherwise, CN!Express® must be config-ured to use HTTPS.
Protect Wireless Transmissions
General
A CN!Express® implementation neither requires nor recommends theuse of wireless networking.
If CN!Express®is integrated into a system using wireless paymentapplications, you must address the PCI compliance requirementsincluding:
• Install perimeter firewalls between any wireless networks and thecardholder data environment, and such firewalls must deny orcontrol any traffic from the wireless environment into the card-holder data environment.
• Change wireless vendor defaults including but not limited to keys,passwords, and SNMP community strings. Ensure wireless devicesecurity settings are enabled for strong encryption technology forauthentication and transmission.
• Use industry best practices (for example, IEEE 802.11i) to im-plement strong encryption for authentication transmission. It isprohibited to implement WEP if wireless networks are used in theCustomers payment environment.
• Proper key rotation
• Removal of all default keys from wireless equipment
Test Payment Applications to Address Vulnerabilities
General
In addition to on-going internal testing Auric Systems Internationalmonitors outside security sources and product-specific mailing liststo check for product vulnerabilities. If a vulnerability is found inthe CN!Express® you will be so informed via a security alert and atimely correction will be provided.
Facilitate Secure Network Implementation
General
The accompanying diagram shows a secure CN!Express® networkimplementation.
• Operate CN!Express® on it’s own, separate server.
• Isolate the CN!Express® server from the public Internet.
• Maintain your web server in a DMZ as shown in the diagram.
• Do not run CN!Express® in the DMZ (where the Web Server orWireless Application Server are shown in the diagram).
• If your application must use wireless, provide wireless accessthrough a separate firewall and isolate the application server.
Cardholder Data Must Never Be Stored on a Server Con-nected To the Internet
General
CN!Express® runs on the local, private network and not in either theDMZ or on a server directly connected to the Internet.
You must never store cardholder data on Internet-accessible sys-tems (e.g., web server and database server must not be on sameserver).
Facilitate Secure Remote Access to and Updates of Pay-ment Application
General
• Auric does not have remote access to the system where CN!Express®
is installed.
• Whenever accessing the system where CN!Express® is installed,you must use two-factor authentication (i.e., username and pass-word plus an additional authentication item such as a token orcertificate).
• Any integrator that has remote access to the system where CN!Express®
is installed must use and implement remote access software secu-rity procedures. For example:
– Change default settings in the remote access software (for ex-ample, change default Passwords and use unique Passwords foreach customer).
– Allow connections only from specific (known) IP/MAC ad-dresses.
– Use strong authentication or complex Passwords for logins.
– Enable encrypted data transmission.
– Enable account lockout after a certain number of failed loginattempts.
– Configure the system so a remote user must establish a VirtualPrivate Network ("VPN") connection via a firewall before accessis allowed.
– Enable the logging function.
– Restrict access to customer Passwords to authorized reseller/integratorpersonnel.
– Establish customer Passwords according to PCI DSS require-ments 8.1, 8.2, 8.4, and 8.5.
126 cn!express®
All remote access to the CN!Express® server is via the CN!Express®
Web Console.CN!Express® supports HTTPS connections to the Web Console.
This console is for use within your corporate network. Never provideaccess from the Internet to the Web Console.
Credit card information is not accessible via the Web Console.
Facilitate Secure Remote Software Updates
General
Auric does not force automatic updates to CN!Express®.
• The latest updates for CN!Express® are always available for imme-diate download from the Auric Systems International web site athttps://www.AuricSystems.com/.
• Both MD5 and SHA256 hashes are provided on the Auric SystemsInternational web site.
• For additional security, contact Auric Support to receive the officialMD5 and/or SHA256 hash sums for that release via email. Afterdownloading the release or update, you should perform your ownMD5 and/or SHA256 calculation on the downloaded file to checkthe hashes before installing. Auric Systems International providestools to perform these calculations, but recommends you use third-party tools to ensure integrity.
Encrypt Sensitive Traffic Over Public Networks
General
• CN!Express® is designed for installation on a private network –not a public network. As such, sensitive incoming traffic is notcommunicated over the public network.
• CN!Express® has no facility for emailing credit card information.
• Never email sensitive credit card information in an unencryptedform.
• If you should transmit any cardholder data over the public Inter-net, you must use secure encryption transmission technology (forexample, IPSEC, VPN, SSH, or SSL/TLS).
CN!Express® sends transactions to payment processor gatewaysusing secure HTTPS protocols as defined by the specific gatewayprovider.
Encrypt all Non-Console Administrative Access
General
Any remote connection into a server running CN!Express® must beencrypted and secure.
1. For Windows®, the Remote Desktop client must be set to themaximum level of encryption.
2. For Linux® use ssh or ssl with strong encryption.
3. For either operating system, use a VPN with strong encryption.
On Windows®
• All administrative access to CN!Express® is through the CN!Express®
Configuration Utility which must be run on the same machine asCN!Express®.
• Access to the CN!Express® Configuration Utility is maintained byoperating-system level user permissions.
• All configuration changes must occur through the CN!Express®
Configuration Utility.
On Linux®
• All CN!Express® configuration must occur through the CN!Express®
Configuration Utility which must be restricted to the fewest num-ber of people.
• Access to the generated cnxap.conf and cnxap_settings.xml filesmust be similarly restricted.
• The generated cnxap.conf and cnxap_settings.xml files must besecurely transferred to the production environment.
Maintain Instructional Documentation and TrainingPrograms
General
This document provides the basis from which all Customers, Re-sellers, and Integrators learn the prudent practices and recommenda-tions for installing CN!Express® in a PCI compliant manner.
Customers, Resellers, and Integrators should maintain theirown, internal PCI compliance training for their personnel to en-sure they are familiar with the PCI-compliance aspects of runningCN!Express®.
Additional phone training is available upon request. Please contactsupport at: [email protected] or 603.924.6079
Secure File Deletion
General
CN!Express® supports secure file deletion methods. Normally, filesdeleted using the standard services provided by the operating systemdo not erase the actual data in the file. Files deleted this way canbe easily recovered using software "undelete" tools. Even files thathave been overwritten can sometimes be recovered using additionalhardware and sophisticated forensic techniques.
CN!Express® offers three deletion choices ranging from the quick(but not secure) standard operating system delete to a multi-passsecure deletion:
• Quick Delete
• One-Pass Overwrite and Delete
• Multi-Pass Overwrite and Delete
Because the multi-pass secure deletion requires 35 write passes When using journaling file systemsor SSD drives a multi-pass deletionmay no longer be necessary due tothe manner in which data is storedon these configurations. Refer to yourcorporate security policies in regards tosecurely disposing data stored on thesetechnologies.
over the file, some sites may determine this consumes too muchtime or causes too much hard disk activity and interferes with otherservices. To address this, CN!Express® provides a one-pass securedelete that simply overwrites the file data with 0’s before deleting.
Quick Delete
• Uses standard operating system calls.
• Doesn’t overwrite any of the file (typically only the directory entryis updated) and so is very fast.
• File data is easily recovered if this option is used.
One-Pass Overwrite
• File is overwritten with a single pass of binary zeros.
• This makes it difficult to recover the file using "undelete" tools.
136 cn!express®
• Theorectically, the file data might still be recoverable using sophis-ticated forensic tools.
Multi-Pass Overwrite and Delete
• Overwrites file data with 35 passes using various data patterns.
• The 35 overwrite patterns, though possibly considered excessivefor modern drives, is specifically designed to make data recoveryextremely difficult.
• The pattern was developed by Peter Gutmann, and is often thepattern used by secure deletion utilities.
• Gutmann’s paper describing the pattern can be found at: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html.
During operation, the secure deletion applies to all imported files.During uninstall, the secure deletion applies to the configuration andembedded database files.
Key Management
General
Key Management is beyond the scope of this document.CN!Express® currently supports external Key Management Soft-
ware and Services. All key management is performed via those ser-vices.
You must select and implement a key management system thatmeets your PCI requirements.
Refer to the PCI Implementation Guide of the AKMP™ User Man-ual for details on using AKMP™ with the default n-key™ encryptionkey management service.
Internal Encryption
General
CN!Express® uses a variety of encryption techniques, both to followindustry rules regarding the storage of sensitive information and tohelp reduce the exposure of cardholder data to unauthorized access.
CN!Express® uses encryption in the following areas:
• Communicating with the payment processor.
• Encrypted Web Traffic
• Batch Import/Export Files
• Stored Data
Communicating with the Payment Processor
CN!Express® communicates with each processor using the protocolsprovided by that processor. When communicating with processorsover the Internet CN!Express® uses the encryption mechanismsprovided by each processor. The typical communication method isHTTPS.
Encrypted Web Traffic
CN!Express® contains an embedded HTTP/S web server throughwhich real-time transactions can be processed. Since CN!Express®
is implemented on a company’s private, and not public, network,use of HTTPS security is not required by either the PA-DSS or PCIstandards. Auric Systems International recommends CN!Express®
be implemented behind a secure proxy or tunnel (Apache, nginx, orstunnel) that provides externally-facing HTTPS encryption.
140 cn!express®
Batch Import/Export Files
• CN!Express® can import and export delimited text files that areexternally encrypted using 256-bit AES encryption.
• Import and export file encryption is recommended to ensure thattransaction data is not exposed while the files reside on the filesys-tem. Export encryption is optional if no sensitive data is exported.
• See the File Encryption Format chapter for details.
Stored Data
CN!Express® encrypts sensitive fields stored in the database using256-bit AES encryption.
The following fields are encrypted:
• Account
• CVV/CID (batch only)
• Customer Social Security Number
• Customer Drivers License Number
• Customer Date of Birth
The ability to encrypt/store the CVV value during batch importremains in the product as historical capability. You must never pro-cess CVV data through the batch interface.
All keys are managed via the external Key Management system.
Encrypting Import/Export Files
General
CN!Express® supports encrypted import and export files. These filesare encrypted using the 256-bit AES encryption standard. Import andexport file encryption is recommended to ensure that transaction datais not exposed while the files reside on the file system.
Since AES is a symmetric algorithm, CN!Express® and the externalencryption program must have access to the same key. A key consistsof any series of 256 bits. CN!Express® can:
Generate keys Generate a random import/export encryption key thenencrypt and store the key in the database. A copy of the key iswritten to an external file for use by the external encrypting appli-cation. Treat this key in compliance with your company securitypolicy.
Import keys Read a file containing the encryption key and use thatkey for future import/export file decryption/encryption. The keymay be one previously exported from Trevance®, or one createdexternally.
Export keys The import/export encryption key may be exported atany time.
Encryption Key
The CN!Express® key file format is:
• The file must contain a single key.
• The file must contain the key encoded using Base64 (http://www.ietf.org/rfc/rfc3548.txt).
• The raw key must be 256-bits, or 32 bytes. Because Base64-encodedtext has a 4:3 expansion ratio, the encoded key is a single line oftext, 44 characters in length.
142 cn!express®
Line by Line Encryption
Batch files are encrypted line-by-line. Each line in the encryptedbatch file represents a line in the plaintext batch file.
The line-by-line approach is taken to ensure both CN!Express®
and your external encryption routines can better handle the data ina secure manner. Import and export files can be quite large (10s or100s of thousands of lines). If the file was encrypted as one item, itwould be difficult to decrypt it at import time without creating anintermediate plaintext version. Since the goal of the encrypted batchfile is to have end-to-end encrypted file handling, Auric selected theline-by-line approach. Algorithms such as PGP which are blockedorient are not suitable for encrypting large files without ever writingto the disk. The line-by-line method is better suited for encryptingand decrypting large line-oriented files in a secure streamed manner.
The end-of-line characters (CR/LF) are not part of the encryptedline. End-of-line characters separate each line in the encrypted file.
Each line must be encrypted using AES with an 8-bit cipherfeedback-chaining mode. The initialization vector must be set to128 ’0’ bits. After encryption, each encrypted line is encoded usingBase64 and written to the file.
File Format
The line-by-line encryption format adds a 16-character randomiza-tion factor to the beginning of each line. This ensures that plaintextimport lines that start with identical values (e.g., Merchant Identi-fiers, Order numbers with leading 0s, etc.) do not generate encryptedtext that starts with identical values. Before encryption, each plain-text line must be prefixed with a 16-character string in the followingformat: xxSSMMHHddmmYYYY. Where:
xx Random two-digit number
SS Seconds
MM Minutes
HH Hour
dd Day
mm Month
YYYY Four-digit year
This same 16-character pattern is prefixed to each exported plain-text line before exports are encrypted.
encrypting import/export files 143
Import and Export file encryption is controlled separately.
Part IV
Appendices
Action Codes
The action to take, or the type of the transaction, such as authorize,capture, or refund. These action codes are specific to CN!Express®—they are not the same as the action codes or transaction types under-stood by the various gateways.CN!Express® translates these codes asappropriate for each back-end gateway.
Table 8: CN!Express® action codes.
A, C4, C6 Authorize Obtain an authorization for this transac-tion. Used when you intend to capturefunds at a later time, such as when theproduct ships.
AC Authenticate Customer Used for Bill Me Later transactions onMerchant e-Solutions gateway only
AO ActivateOnly Stored Value Card Activate Only. Ac-tivate an existing account withoutaffecting its value.
AV AddValue Stored Value Card AddValue. Addvalue to a stored value/gift card.
BA Balance Stored Value Card Balance. Retrieve thebalance for a stored value/gift card.
CB CloseBatch Close the current batch (settle).
CF ConvertAmount Merchant e-Solutions only. Convertamount to different currency.
148 cn!express®
Code Action Code Description
CG GetCurrencyRate Merchant e-Solutions only. Retrieve ratefor individual currency or retrieve ratetable.
CL Close Stored Value Card Close. Close a storedvalue/gift card account.
D,CO Deposit/Capture Mark a transaction for capture. Youmust have previously obtained an au-thorization for this transaction.
F Force/Voice Capture a transaction for which youdon’t have electronic authorization (youmay have voice authorization).
FD FinalDeposit PayPal specific. Capture funds for theorder and mark the order as complete.
GD GetDetails PayPal specific. Return the details for atransaction.
GP GetProfile Get Customer Profile Retrieve the cus-tomer information associated withan account. Currently supported forTenderCard only.
IC IdentifyCustomer Used for Bill Me Later and 3D-secureauthentication transactions on Merchante-Solutions gateway and for CardinalCentinel.
IS Issue Stored Value Card Issue. Activate anew account with a specified balance.If you include PREVACCT with thisaction, PREVACCT is assumed to repre-sent an account from a legacy gift cardprogram.
L Auth Reversal Litle specific. Requires inclusion ofPROCTID field, along with AUTH-CODE, AUTHDATE.
action codes 149
Code Action Code Description
LC LookupCurrencyCode Merchant e-Solutions only. Return acurrency code for a country or an IPaddress.
OO OpenOrder PayPal specific. Open a new order.An order can contain several relatedtransactions.
PA PartialAuth If full funds are not available, authorizefor a lesser amount.
PR PartialRefund Refund part of a transaction.
Q Query PayPal and eBillMe only. Return infor-mation for active transactions (eBillMe),or for transactions that match a speci-fied criteria (PayPal).
R,C3 Refund Return funds to the account holder.
RA RefundAuthorization Obtain an authorization for a refundtransaction (debit cards only).
RD Redeem Stored Value Card RemoveValue. Re-move value (redeem) from a storedvalue/gift card.
RE Reauthorize Used for Bill Me Later transactions onMerchant e-Solutions gateway only.
S,C,C1 Sale Authorize and then immediately markthe transaction for capture.
SN ShipmentNotification Notify eBillMe of a shipment. eBillMeonly.
UO UpdateOrder Notify eBillMe of a change to an order.eBillMe only.
150 cn!express®
Code Action Code Description
UP UpdateProfile Update Customer Profile Update cus-tomer information associated withan account. Currently supported forTenderCard only.
UQ UnallocatedQuery Return information on unallocatedpayments. eBillMe only.
V Void Undoes a mark-for-capture, but only ifthe capture has not been completed(typically all transactions that aremarked for capture are captured atthe end of the business day).
VR VoidRefund Void a pending refund transaction.
XF Transfer Stored Value Card Transfer. Transferthe entire balance from one account toanother.
• Not all actions are supported by all payment processors.
• C, CO, C1, C3, C4 and C6 are aliases that are provided for compat-ibility with legacy systems generating IC-Verify-style formats. Donot use these codes unless you need to integrate with an IC-Verify-style system.
ASI Response Codes
The numeric response code generated by CN!Express® (the responsecodes are common to all software built by Auric Systems Interna-tional). These codes are normalized across all divisions and paymentprocessors. Use this value to make programatic decisions on the dis-position of a transaction.
Table 9: CN!Express® response codes.
Code Description
100 Approved
101 Local duplicate detected
102 Accepted local capture with no match
103 Auth succeeded but capture failed
104 Auth succeeded but failed to save info
200 Declined
300 Processor reject
301 Local reject on user/password
302 Local reject
303 Processor unknown response
304 Error parsing processor response
305 Processor auth succeeded but settle failed
152 cn!express®
306 Processor auth succeeded settle status unknown
307 Processor settle status unknown
308 Processor duplicate
400 Not submitted
401 Terminated before request submitted
402 Local server busy
500 Submitted not returned
501 Terminated before response returned
502 Processor returned timeout status
600 Failed local capture with no match
601 Failed local capture
700 Failed local void (not in capture file)
701 Failed local void
800 Failed local refund (not authorized)
801 Failed local refund
Soft Descriptors
Soft Descriptor 1: SOFT1
Generally, a description of the payment that appears on the customerstatement. This field is used in different ways for different proces-sors.
Chase Paymentech Orbital Gateway
This field is used for both credit card and electronic check transac-tions. The description appears on the customer’s statement. If thisfield is blank, Chase Paymentech uses the default descriptor set forthe Division.
Credit Cards
The Merchant Name Descriptor field must not start with a space.There are three acceptable formats:
• A three (3) character company identifier, followed by an asterisk(*), and up to 18 character description.
• A seven (7) character company identifier, followed by an asterisk(*), and up to 14 character descriptor.
• A 12 character company identifier, followed by an asterisk (*), andup to nine (9) character descriptor.
The asterisk must be in position 4, 8, or 13. If necessary add spacesbetween the company name and the asterisk.
Electronic Checks
For Electronic Check Transactions, the first 15 characters of this fieldshould be used as the Doing Business As (DBA) Merchant Name.Both Descriptor fields are required when using descriptors withelectronic checks.
154 cn!express®
Litle & Co.
There are three acceptable formats:
• A three (3) character company identifier, followed by an asterisk(*), and up to 18 character description.
• A seven (7) character company identifier, followed by an asterisk(*), and up to 14 character descriptor.
• A 12 character company identifier, followed by an asterisk (*), andup to nine (9) character descriptor.
The asterisk must be in position 4, 8, or 13. If necessary add spacesbetween the company name and the asterisk.
Transfirst ePay
A 25-digit payment descriptor which will appear on the cardholder’sstatement.
Trident Payment Gateway
DBA name of the merchant. See also SOFT2, MSTATE, and MZCPC.
SOFT2
Chase Paymentech Orbital Gateway
City or customer service phone number that will appear on the card-holder’s statement. If left blank, will default to the value set at ChasePaymentech. This field is used for both credit card and check transac-tions.
Credit Cards
The Merchant city or customer service phone number that will ap-pear on the cardholder’s statement. Recommended formats by mer-chant channel:
soft descriptors 155
Channel Format
Retail Store location city formatted asAAAAAAAAAAAAA
Direct Marketing Customer Service Phone Number formatted asNNN-NNN-NNNN or NNN-AAAAAAA
Store URL
Support Email address
Entering the Customer Service Phone Number is a requirement toqualify for Visa’s reduced Direct Marketing interchange rate.
Electronic Checks
The first ten (10) characters of this field (usually) appear on the cus-tomer’s statement. Both Descriptor fields are required when usingdescriptors with electronic checks.
Litle & Co.
For card not present, merchant customer service phone number.For US merchants, must be exactly 10 digits in length. For non-USmerchants, may be up to 13 digits. For retail, merchant location (city).
Trident Payment Gateway
DBA city of the merchant. See also SOFT1, MSTATE, and MZCPC.
Processor-Specific Attributes
CN!Express® maintains a set of fields for processor-specific at-tributes. These are specialty fields used in different ways by eachprocessor.
Chase Paymentech Orbital Gateway
PROCATR1 The retry key. You can use this value to uniquely iden-tify a certain transaction through multiple retries. To do so, storethe response from this field. If a transaction must be retried, re-turn the response as PROCATR1 with the new submission toCN!Express®.
PROCATR2 Not Used
PROCATR3 Not Used
PROCATR4 Not Used
eBillMe
PROCATR1 The payment status, as shown in the following table.
Code Description
U Unpaid
P Partially Paid
F Fully Paid
PROCATR2 Payment status, as shown in the following table:
158 cn!express®
Code Description
U Unsuspect
S Suspect
C Confirmed
PROCATR3 The a list of suspect reasons (reasoncodes). Individualreason codes are separated by a "+" character.
PROCATR4 Not Used
Litle & Co.
PROCATR1 The retry key. You can use this value to uniquely iden-tify a certain transaction through multiple retries. To do so, storethe response from this field. If a transaction must be retried, re-turn the response as PROCATR1 with the new submission toCN!Express®.
PROCATR2 Litle’s Velocity Check flag. If imported to CN!Express®
as "0", velocity check is bypassed for this transaction. The defaultis "1", that is, velocity checking will be performed.
PROCATR3 Not Used
PROCATR4 Not Used
PayPal
PROCATR1 The parent transaction ID, the PayPal transaction IDof the preceding transaction in a sequence. Provided for trackingpurposes only.
PROCATR2 The PayPal TransactionType. Returned by GetDetailsand Query transactions. Some examples are ’cart’ or ’virtual-terminal’.
PROCATR3 PROCATR3 is the PayPal ReceiptID. Can be sent toCN!Express® as a search parameter for a Query transaction, orreturned by PayPal in response to a GetDetails transaction.
PROCATR4 The PayPal PaymentType. Indicates whether a paymentis instant or delayed.
processor-specific attributes 159
Cardinal Centinel
PROCATR1 The Order Channel, which may be sent to indicate thesource of the transaction. If sent, Order Channel must match oneof the following values:
Code Description
MARK Transaction initiated from the payment page.
CART Transaction initiated from the cart page.
CALLCENTER Transaction initiated from the call center.
WIDGET Transaction initiated from the widget.
PRODUCT Transaction initiated from the product.
1CLICK Transaction initiated from 1 Click.
PROCATR2 Not Used
PROCATR3 Not Used
PROCATR4 Not Used
Verified by Visa CAVV Response
The following table documents the result code returned during anAuthorization of a transaction that includes data from the Verified byVisa service.
Code Description
(Blank) CAVV not present.
0 CAVV not validated due to erroneous datasubmitted.
1 CAVV failed validation. This is an indication ofpotential bad or fraudulent data submitted asthe CAVV.
2 CAVV passed validation–Authentication Trans-action.
3 CAVV passed validation–Attempted Authenti-cation Transaction. Determined that the IssuerACS generated this value from the use of theIssuer’s CAVV key(s).
4 CAVV failed validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submitted asthe CAVV. Determined that Visa generated thisvalue from the use of CAVV key(s).
5 Reserved for future use.
162 cn!express®
Code Description
6 CAVV not validated Issuer not participating inCAVV validation. This value is generated whenan Issuer requests the "do not verify" flag to beestablished for its BINs. This parameter enablesan Issuer to temporarily stop CVV verifica-tion while resolving CAVV key issues. VisaNetprocesses this value as a valid CAVV.
7 CAVV failed validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submittedas the CAVV. CAVV generated with Visa KeyIssuer ACS unavailable.
8 CAVV passed validation Attempted Authenti-cation Transaction. CAVV generated with VisaKey.
9 CAVV Failed Validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submittedas the CAVV CAVV generated with Visa KeyIssuer ACS unavailable.
A CAVV passed validation Attempted Authenti-cation Transaction. CAVV generated with VisaKey Issuer ACS unavailable.
B CAVV passed validation Attempted Authenti-cation Transaction. No liability shift. Indicationthat the account number is a commercial card ora prepaid gift card or that this transaction wasan encrypted Internet transaction for which au-thentication was not provided–in other words, atypical HTTPS Web transaction.
C CAVV not validated Attempted Authentica-tion Transaction. Issuer did not return a CAVVresults code in the authorization response.VisaNet will treat this as a valid CAVV if theIssuer approved the transaction.
verified by visa cavv response 163
Code Description
D CAVV not validated Authentication. Issuerdid not return a CAVV results code in the au-thorization response. VisaNet will treat this asvalid CAVV if the Issuer approves the autho-rization.
I Invalid Security Data.
U Issuer does not participate or 3-D Secure datanot utilized.
Table 10: Verified by Visa CAVV Response Codes
ICV-Style Files
CN!Express® is able to communicate with third-party applicationsthat require ICVerify® style (ICV-style) import and export files. Thisappendix describes how to set up CN!Express® to be compatible withVersion 1 ICV-style files.
This functionality is provided strictly for backwards compatibilitywith legacy systems. Auric recommends you do not use this func-tionality unless you are integrating with software that requires thisformat.
Specifically, ICV-style transactions do not support either MerchantOrder Numbers or Card Security Codes (CVV2/CID). Modern pay-ment processors use Merchant Order Numbers in their reporting,reconciliation, and duplicate detection. Use of Card Security Codesshould be your first step towards reducing fraud. ICV-style Version 1
is an extremely old form of transaction format and should be movedaway from wherever possible.
Preparing for Configuration
The following table lists the ICV-style actions CN!Express® supports.Auric recommends not using the ICV-style Action codes unless inter-acting with a legacy ICV-style system.
Activating the ICV-Style Field
Refer to Chapter I: Configuring CN!Express® for general informationon configuring CN!Express® import/export capabilities. Before pro-cessing ICV-style transactions, you must first add the ICVResp fieldto the list of fields able to be imported/exported.
• Start the CN!Express® Settings Manager and click on the FileFormats tab.
• Click on Edit Format button for Import (or Export) files.
• Click on Fields to Include.
166 cn!express®
ICV-Style Action CN!Express®
Action Action
C1 Sale S or C
C2 Void V
CR
C3 Refund/Credit R
C4 Auth/Hold H
C5 Voice Authoriztion F
C6 Authorization Only A
CO Ship Z
Table 11: ICV-style action codes
• Scroll down to the Other group and click on the ’+’ to open.
• Scroll down to ICVRESP and check it.
• Click OK.
• After clicking OK, you’ll see there is a new ICV-Style Options areaavailable on the field configuration dialog.
Configuring ICV-Style Imports
Configure your import fields as follows:
• Action Code
• Comment 2 (ICVerify calls this the Clerk field)
• Comment 3 (ICVerify calls this the Member Number field)
• Account Number
• Credit Card Expiration Date
• Amount
• ZIP Code
• Address 1
icv-style files 167
Configuring ICV-Style Exports
Configure your export fields as follows:
• Action Code
• Comment 2 (ICVerify calls this the Clerk field.)
• Comment 3 (ICVerify calls this the Member Number field)
• Account Number
• Expiration Date
• Amount
• ZIP Code
• Address 1
• ICV Response
NOTE: Only export the account number if your legacy systemrequires it. Exporting account numbers is not good PCI securitypractice. Export a blank field instead, or ensure the account numberis truncated on export. In the CN!Express® Export Format dialog,ensure the ’Mask Sensitive Fields’ checkbox is checked.
ICV-Style Options
Following ICV-Style import/export options are available.
YYMM Exp Credit card expiration dates are usually imported inMM/YY format. ICV requires them to be in YYMM format.
Read Division from Comment 2 (’Clerk’) Import Only. The ICV-styleimport field historically consisted of a ’Clerk’ and a ’Merchant’section. The ’Merchant’ section is found between two tilde’s. Ex-ample: Clerk Name 185382 CN!Express® uses the value betweenthe two tildes, 185382 in the above example, as the CN!Express®
Division ID.
Include AVS Include ICV-style normalized Address Verification re-sponses. Second Line: When unchecked, the ICVRESP field isexported on the same line as all the other fields you have selected.If checked, the ICVRESP field is exported on a second line. Theother fields you have selected are exported on the first line Thisoption is available only when exporting delimited-style text files.
Repair Firebird® Database
It is rare to run into a corrupt Firebird®embedded database. Thespecific areas where we’ve seen this occur with any of the paymentapplications is when a server runs out of disk space. You shouldalways monitor your disk space on a regular basis and ensure yourlogs and backup files are being properly maintained.
If you should end up with a corrupt database, there’s several stepsthat you can take to recover. The necessary tools are provided as partof the general CN!Express® installation.
Windows®
All recovery work is done from the command line. The CN!Express®
installation includes a repair directory that by default installs atc:\AuricSystems\CN!Express\repair.
1. If you are running the default embedded database, shut downCN!Express® and make a copy of the database (cnxap.fdb). Callit cnx-orig.fdb. Copy the cnx-orig.fdb file to the repair directory.If you are not using the embedded database, perform the follow-ing commands while connected to the remote server.
2. From the command line, run the following command:
gfix -v -f -user userid -password passwd cnx-orig.fdb
You should see errors reported.
Note: Contact Auric Systems International tech support for userid/password.
3. Run the following command to prepare the database for recovery.
gfix -mend -user userid -password passwd cnx-orig.fdb
4. Now back up the database:
gbak -b -g -user userid -password passwd cnx-orig.fdb cnx-orig.fbk
170 cn!express®
5. Now restore it as good:
gbak -c -user userid -password passwd cnx-orig.fbk cnx-good.fdb
6. Check to see there are no problems:
gfix -v -f -user userid -password passwd cnx-good.fdb
You should not see any errors. If there are errors, contact AuricSystems International technical support for further instructions.
7. Shut down CN!Express®. Rename cnxap.fdb to cnxap.fdb.bad
8. Copy cnx-good.fdb to the data directory.
9. Rename cnx-good.fdb to cnxap.fdb.
10. Restart CN!Express®.
Remote Firebird® Database
Contact Auric Systems International support for details.
Secure Deletion: sdel
CN!Express® ships with a custom secure deletion routine: sdel. OnWindows® and Linux®, sdel ships as a pre-built executable. Thesource code is available for review in the sample code directory.
By default, sdel performs a series of seven (7) overwrites of theentire file contents, each time with a different byte value. It thenperforms two last overwrites of the file contents, first filling it with all255’s and then filling it with 0’s, before actually deleting the file.
If your security policies require a more stringent deletion process,you can modify sdel to perform the additional overwrites. The sdelcode also contains an implementation of the Gutmann overwritepatterns which are typically considered overkill for modern datastorage elements. It is provided here as an option should you decideto use it.
The sdel program can be used outside of CN!Express® itself.
Field Reference
Table 12: CN!Express® field reference.
ACCT: AccountGroup: Common Request FieldsSample: 4111-1111-1111-1111
Credit Card, Purchase Card, Debit Card, or Checking Account number. CreditCard, Purchase Card, and Debit Card numbers may contain dashes (’-’) orspaces. Checking account numbers should not have spaces. For transactionsusing Track 1 or Track 2 data, the account field is extracted from the trackdata and returned to the caller. The account field is masked on export (lastfour digits) by default. If PROCTID or CNXTID are not retained (which isrecommended practice), merchants using separate authorization and capturetransactions must retain the auhorization account number for later capture.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
ACTION: ActionGroup: Common Request FieldsSample: AThe action to take, or the type of the transaction, such as authorize, capture,or refund. These action codes are specific to CN!Express®—they are not thesame as the action codes or transaction types understood by the various gate-ways. CN!Express® translates these codes as appropriate for each back-end gate-way. See Appendix IV (Action Codes) for a list of supported ACTION values.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
174 cn!express®
ACTVDATE: Activity DateGroup: OtherSample: 3/1/2010 14:22:31
Date and time at which the transaction was processed. For an autho-rization, this is the time the authorization was obtained. For a cap-ture, this is the time the item was marked for capture. CN!Express®—not the payment processor—generates this value. The server onwhich CN!Express® is running determines the date and time value.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
ADDRVRFD: Address VerifiedGroup: PayPalSample: 1
A boolean field returned by PayPal if the payer’s address has been verified.Processors Supported: PayPal Express Checkoutonly.
ALTTXAMT: Alternate Tax AmountGroup: PC Level 3/Detail RecordsSample: 1.00
Used only for MasterCard Purchase Card Level 3 transactions. To-tal amount of alternate tax associated with this transaction. If thisfield is populated (including zero filled) Alternate Tax ID is required.Processors Supported: Chase Paymentech Orbital Gatewayonly.
ALTTXID: Alternate Tax IDGroup: PC Level 3/Detail RecordsSample: 01-234-5678
Used only for MasterCard Purchase Card Level 3 transactions.Tax ID number for the alternate tax associated with this transac-tion. Required if there is an amount in Alternate Tax Amount.Processors Supported: Chase Paymentech Orbital Gatewayonly.
field reference 175
AMT: AmountGroup: Common Request FieldsSample: 34.00
Amount of this transaction. The decimal point and the two digits tothe right of the decimal place are required except when processingYen. When processing Yen, the decimal place and digits to the rightare not allowed. Amounts must not contain commas or currency sym-bol. $1,000.00 is incorrect. 1000.00 is correct. Minimum amount for allcard types is $0.01 USD (or established international currency equiva-lent). This amount is in the currently selected currency for the division.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
AMTDUE: Amount DueGroup: Gift/Prepaid CardsSample: 10.00
Gift cards only. If the division is set up for amount due processing,the processor will approve redemption amounts greater than the avail-able balance. After approval, the available balance (CURBAL) will beset to zero. CN!Express® also calculates the amount due (redemp-tion amount-available balance) and return this value in AMTDUE.Processors Supported: eBillMe, TenderCard.
ASIRESP: ASI ResponseGroup: Common Response FieldsSample: 100
The numeric response code generated by CN!Express® (the responsecodes are common to all software built by Auric Systems International).These codes are normalized across all divisions and payment proces-sors. Use this value to make programatic decisions on the disposi-tion of a transaction. See Appendix IV (ASI Response Codes) for list.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway.
176 cn!express®
AUACCT: Account Updater New Account NumberGroup: Account UpdaterSample: 4111-1111-1111-1111
Automatic account updater new account number. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new account number will be returnedin this field for transactions where there was an account change.Processors Supported: Litle & Co.only.
AUCRDTYP: Account Updater New Card TypeGroup: Account UpdaterSample: MCAutomatic account updater new card type. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new card type will be returned inthis field for transactions where there was an account change.Processors Supported: Litle & Co.only.
AUCTBYR: Auction Buyer IDGroup: PayPalSample: 1234565
Returned by PayPal in response to a GetDetails transaction. The customer’s auc-tion ID.Processors Supported: PayPal Express Checkoutonly.
AUCTDATE: Auction Closing DateGroup: PayPalSample: 3/1/2010
Returned by PayPal in response to a GetDetails transaction. The auctions’s closedate.Processors Supported: PayPal Express Checkoutonly.
AUCTITM: Auction Item NumberGroup: PayPalSample: 99
Can be specified in a PayPal Query transaction. Search by the auction item num-ber.Processors Supported: PayPal Express Checkoutonly.
field reference 177
AUCTMULT: Auction Multi-Item CounterGroup: PayPalSample: 22
Returned by PayPal in response to a GetDetails transac-tion. The counter value in a multi-item auction payment.Processors Supported: PayPal Express Checkoutonly.
AUEXP: Account Updater New Expiration DateGroup: Account UpdaterSample: 0414
Automatic account updater new account number. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new expiration date will be returnedin this field for transactions where there was an account change.Processors Supported: Litle & Co.only.
AUORCODE: Account Updater Original Response CodeGroup: Account UpdaterSample: 501
Currently supported for Litle only. If merchant is signed up forLitle Automatic Account Updater, and a new account number is re-turned (AUACCT), this field will contain the response code for theoriginal transaction (using the old accoun t number before update).Processors Supported: Litle & Co.only.
AUORTEXT: Account Updater Original Response TextGroup: Account UpdaterSample: The account was closedCurrently supported for Litle only. If merchant is signed up forLitle Automatic Account Updater, and a new account number is re-turned (AUACCT), this field will contain the response text for theoriginal transaction (using the old account number before update).Processors Supported: Litle & Co.only.
178 cn!express®
AUTHAMT: Total Authorized AmountGroup: Separate Auth/CaptureSample: 1.00
The current amount authorized for deposit. For ChasePaymentech Or-bital Gateway, used only for Void transactions. If specified, CN!Express®
will perform a partial void, voiding only this amount. For Transfirst ePay,an optional field that specifies the amount of the current authorization.Processors Supported: Litle & Co., Moneris Solutions, Chase Paymentech Or-bital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard, Transfirst ePay.
AUTHCODE: Authorization CodeGroup: Common Response FieldsSample: 123456
The authorization code returned by the payment processor. This is re-turned for Authorize and Sale transactions. If you do not track and returnthe CNXTID or PROCTID (which is the recommended practice), you mustreturn the authorization code with a Deposit transaction. Authorizationcodes are most important for credit card transactions. Electronic check anddebit card transactions may return blank or dummy values. Except for BMLtransactions, AUTHCODE will always be six characters or fewer in length.Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,TenderCard, Trident Payment Gateway, Transfirst ePay.
AUTHDATE: Authorized Date (may include time)Group: Common Response FieldsSample: 3/1/2010
The date on which an authorization was obtained. This is re-turned by the payment processor after an Authorization transaction.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, PayPal ExpressCheckout, Trident Payment Gateway, Transfirst ePay.
field reference 179
AUTHMOP: Auth MOPGroup: Debit CardsSample: PPThe authorizing method of payment. Retuned by the payment proces-sor after a debit card authorization. This field tells the specific typeof debit card that was used. If not using CNXTID or PROCTID, youmust return the AUTHMOP when settling debit card transactions.Processors Supported: Local field/reserved for future use.
AUTHSRC: Authorization Source CodeGroup: Credit Card Authorization SpecificsSample: EReturned by Transfirst ePay. Indicates the source of the authorization.Processors Supported: Transfirst ePayonly.
AUTHSRCP: Authorization Source PlatformGroup: VbV/Secure CodeSample: AOptional for 3D Secure (Verified by Visa or MasterCard SecureCode) transac-tions.
Code Description
A Application processing
B Batch capture, recurring or mail order
C Call center
F Fulfillment/order management
K Kiosk
M Mobile device gateway
P Processor or gateway reauthorization
R Retail POS
Processors Supported: Litle & Co.only.
180 cn!express®
AUTHTCID: Authentication IDGroup: VbV/Secure CodeSample: lK2876Hst6259ar3
Used for 3D Secure authentication on Merchant e-Solutions plat-form. Returned with the Identify Customer (IC) response. In-clude this field along with the payload returned from authen-tication redirect with the authorization or sale transaction.Processors Supported: Trident Payment Gatewayonly.
AVREQ: AVS RequestedGroup: AVSSample: 1
Currently unused. A boolean value that specifies whether or not Ad-dress Verification Service was requested. CN!Express® automat-ically requests AVS whenever sufficient information is available.Processors Supported: Local field/reserved for future use.
AVSRESP: AVS ResponseGroup: AVSSample: I3Address Verification Service response code returnedby processor, if AVS is used. Otherwise blank. See pay-ment processor documentation for specific response codes.Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,Trident Payment Gateway, Transfirst ePay.
AVSTEXT: AVS MessageGroup: AVSSample: I3 – Match Except +4
Textual description of the AVS response code.Processors Supported: Local field/reserved for future use.
BATCHID: Batch IDGroup: OtherSample: BATCHIDThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
field reference 181
BILLADD1: BillAddress:Address 1
Group: AVSSample: 22 Sample LaneFirst address line of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, TenderCard, Trident Payment Gateway, Transfirst ePay.
BILLADD2: BillAddress:Address 2
Group: AVSSample: PO Box 22
Second address line of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.
BILLAPT: BillAddress:AptGroup: Other AddressesSample: 22
Apartment portion of customer billing address. This field is not sent to the pay-ment processor.Processors Supported: Local field/reserved for future use.
BILLCITY: BillAddress:CityGroup: AVSSample: PeterboroughCity portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard,Trident Payment Gateway, Transfirst ePay.
BILLCO: BillAddress:CompanyGroup: Other AddressesSample: Example Corp.The payer’s company name.Processors Supported: First Data Global Gateway, PayPal Express Checkout.
182 cn!express®
BILLCTRY: BillAddress:CountryGroup: AVSSample: USCountry portion of customer billing address. AVS is available only forthese countries. You must specify the country using one of the followingvalues. If this field is not specified, CN!Express® assumes a US address.
Code Country
US USA
USA USA
CA Canada
GB UK
UK UK
If the country is not in this list, use the two-letter ISO code
for the country.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.
BILLEMAL: BillAddress:EmailGroup: Other AddressesSample: [email protected] portion of customer billing address.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, PayPal Express Checkout, TenderCard, Trident Payment Gateway, Trans-first ePay.
BILLFNAM: BillAddress:First NameGroup: Customer NameSample: JohnCustomer’s first name on card or checking account. Specify either the namecomponents (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name (BILL-NAME), depending on how these fields are used in your implementation.Processors Supported: All processors.
field reference 183
BILLHPHO: BillAddress:Home PhoneGroup: Other AddressesSample: 6035551212
Home phone portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, Trident Pay-ment Gateway, Transfirst ePay.
BILLLNAM: BillAddress:Last NameGroup: Customer NameSample: SmithCustomer’s last name on card or checking account. Specify either the namecomponents (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name (BILL-NAME), depending on how these fields are used in your implementation.Processors Supported: All processors.
BILLMI: BillAddress:Middle InitialGroup: Customer NameSample: ACustomer’s middle initial (not a middle name). Do not use for compound lastnames (e.g., van Beethoven); put the entire last name in the BILLLNAM fieldProcessors Supported: All processors.
BILLNAME: Customer Full NameGroup: Customer NameSample: John SmithCustomer’s full name as it appears on card or checking account. Specify eitherthe name components (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name(BILLNAME), depending on how these fields are used in your implementation.Processors Supported: All processors.
BILLRREF: Biller ReferenceGroup: OtherSample: BILLER REFAn optional reference number that can be used by the merchant to identify thecustomer.Processors Supported: Litle & Co., Moneris Solutions, PayPal Payflow Pro,Trident Payment Gateway, Transfirst ePay.
184 cn!express®
BILLSALU: BillAddress:SalutationGroup: Customer NameSample: Ms.The billing name salutation (e.g., "Mr.")Processors Supported: PayPal Express Checkoutonly.
BILLSTPR: BillAddress:State/ProvinceGroup: AVSSample: NHUS State or Canadian Province Code portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard,Trident Payment Gateway, Transfirst ePay.
BILLSUFX: BillAddress:SuffixGroup: Customer NameSample: Jr.The billing name suffix (e.g., "Jr.")Processors Supported: PayPal Express Checkoutonly.
BILLWPHO: BillAddress:Work PhoneGroup: Other AddressesSample: 6032222222
Work phone number of customer billing address.Processors Supported: eBillMe, Litle & Co., Tsys PayFuse, Trident PaymentGateway.
field reference 185
BILLZCPC: BillAddress:ZIP/Postal CodeGroup: AVSSample: 03458
A five-digit US Zip Code, ten-character Zip+4, seven-character Canadian Postal Code or UK Postal Code. (UK AVSis supported by Chase Paymentech Orbital Gateway only).
Format Country
NNNNN US
NNNNN-NNNN US
ANAANA CAN
ANA ANA CAN
AN NAA UK
ANA NAA UK
ANN NAA UK
AAN NAA UK
AANN NAA UK
AANA NAA UK
Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, TenderCard, Trident Payment Gateway, Transfirst ePay.
BMLAUTH: BML Virtual Authentication KeyGroup: Bill Me LaterSample: ABCDUsed for BML transactions. Please see BML documentation for further informa-tion.Processors Supported: Litle & Co.only.
186 cn!express®
BMLAUTHP: BML Virtual Authentication Key Presence IndicatorGroup: Bill Me LaterSample: 1
Used for BML transactions. Please see BML documentation for further informa-tion.Processors Supported: Litle & Co.only.
BMLCAT: BML Item CategoryGroup: Bill Me LaterSample: 4000
Bill Me Later product description code assigned by processor. Can-not be all blanks. Required for Bill Me Later batch transactions.Processors Supported: Litle & Co., Trident Payment Gateway.
BMLCUST: BML Customer TypeGroup: Bill Me LaterSample: EIndicate if this is a new or existing Bill Me Later customer.
Code Description
E Existing
N New
Processors Supported: Local field/reserved for future use.
CAPAMT: Capture AmountGroup: PayPalSample: 4.00
The capture amount, returned by PayPal. This includes any currency conver-sion.Processors Supported: eBillMe, PayPal Express Checkout.
CAPCOMPL: Capture Complete–No further captures on this auth.Group: Additional Credit CardSample: 1
Processors Supported: PayPal Payflow Proonly.
field reference 187
CAPDATE: Captured DateGroup: Separate Auth/CaptureSample: 3/1/2010 14:22:31
Date and time at which the capture occurred. Returned by CN!Express® forC and D transactions. In most cases this value is returned by the processor,but if it is not provided, CN!Express® will return the local date at capture.Processors Supported: All processors.
CARDLEVL: Card Level ResultsGroup: Additional Credit CardSample: 00
This field is provided for compatibility with the Trevance®
transaction gateway, and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
CARDPRES: Card PresentGroup: RetailSample: 0
Indicate if the card was present when the transaction was originated.
Value Description
0 Card not present
1 Card present
W AMEX Transponder
Processors Supported: Local field/reserved for future use.
188 cn!express®
CARDTYPE: Card TypeGroup: Credit CardsSample: MCType of credit or purchase card, for credit card transactions. If imported,value is only used if type cannot be determined from the account num-ber. If not imported, CN!Express® automatically generates a two-charactercode. Field is blank if transaction is not a credit card transaction (or creditcard account number is not valid). Card Type is case insensitive on import.
Code Description
AM American Express/Optima
CB Carte Blanche
DC Diners Club
DS Discover
JC JCB
MC MasterCard International
SW Switch/Solo
VI Visa
Processors Supported: All processors.
CARTRACK: Carrier Tracking NumberGroup: Shipment Address/InfoSample: 1Z9999W99999999999
The shipper’s tracking number for the order as delivered to the customer.Processors Supported: eBillMe, Chase Paymentech Orbital Gateway.
CASHBACK: Cashback AmountGroup: Debit CardsSample: 1.00
Amount (of the total amount) customer has requested forcashback. Used with PIN-based debit card transactions.Processors Supported: Local field/reserved for future use.
field reference 189
CATTYPE: CAT TypeGroup: Additional Credit CardSample: 1
Type of Card Activated Terminal. Used for Retail transactions. Valid values:
Code Description
1 Automated Dispensing Machine
2 Self Service Terminal
3 Limited Amount Terminal
Processors Supported: Local field/reserved for future use.
CCAPCAPB: Card Capture CapabilityGroup: Additional Credit CardSample: 1
Describes the capture capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.
Code Description
0 Unknown
1 Capture
Processors Supported: Local field/reserved for future use.
190 cn!express®
CDOPCAPB: Card Data Output CapabilityGroup: Additional Credit CardSample: 0
Describes the card-update capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.
Code Description
0 Unknown
1 None
Processors Supported: Local field/reserved for future use.
CHATCAPB: Cardholder Authentication CapabilityGroup: Additional Credit CardSample: 0
Local field/reserved for future use. Describes the authentication capa-bility of the terminal. American Express only. This is additional infor-mation that you can specify to describe the transaction environment.
Code Description
0 Unknown or none
6 Other
Processors Supported: Local field/reserved for future use.
field reference 191
CHATENT: Cardholder Authentication EntityGroup: Additional Credit CardSample: 0
Local field/reserved for future use. Indicates the entity that authenticatedthe card holder. Including this information may improve the interchange ratefor this transaction. Contact payment processor for specific requirements.
Code Description
0 Not authenticated
1 Chip card
2 Card acceptor device
4 Merchant
5 Other
Processors Supported: Local field/reserved for future use.
CHECKNUM: Check NumberGroup: POP/ArcSample: 123
Optional check number for ACH and electronic checks. Required only for ARCand POP transactions.Processors Supported: Tsys PayFuseonly.
192 cn!express®
CHKTYPE: Checking Account TypeGroup: ChecksSample: CThe bank account type for check transactions.
Code Description
C Consumer Checking
S Consumer Savings
X Commercial Checking
See Debit Account type field for debit transactions.Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.
CHPRES: Cardholder PresentGroup: Additional Credit CardSample: 2
Indicates whether the customer is present or not, and, if not present,indicates the type of transaction. This is additional informationthat you can specify to describe the transaction environment.
Code Description
0 Present
1 Not present, unknown
2 Not present, mail order
3 Not present, telephone
4 Not present, standing auth
9 Not present recurring
S Not present, electronic
Processors Supported: Local field/reserved for future use.
field reference 193
CMT1: Comment 1
Group: CommentsSample: Comment 1
Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted to thepayment processor only if processor is in supported list. ForCardinal Centinel, this field is sent as the Order Description.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, PayPalExpress Checkout, TenderCard, Trident Payment Gateway, Transfirst ePay.
CMT2: Comment 2
Group: CommentsSample: Comment 2
Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted tothe payment processor only if processor is in supported list.Processors Supported: First Data Global Gateway, PayPal Payflow Pro, PayPalExpress Checkout, Transfirst ePay.
CMT3: Comment 3
Group: CommentsSample: Comment 3
Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted tothe payment processor only if processor is in supported list.Processors Supported: First Data Global Gateway, PayPal Express Checkout.
CMT4: Comment 4
Group: CommentsSample: Comment 4
Free-form descriptive field. For First Data Global Gateway, this com-ment is submitted as the "referred" field, and may be a URL. Forall other payment processors, this information is not submitted.Processors Supported: First Data Global Gatewayonly.
194 cn!express®
CNXORDR: CNX Order IDGroup: IdentifiersSample: 2398-cnx0-ORDThe order identifier as generated by CN!Express®. An order is a groupingof transactions related to an individual customer order. Not currently used,but completes the set of identifiers that may be used to identify a transaction.CNXTID is the CNX transaction ID. PROCTID is the processor’s transactionID. CNXORDR is the CNX order ID. PROCORDR is the processor’s order ID.Processors Supported: Local field/reserved for future use.
CNXTID: CNX Transaction IDGroup: IdentifiersSample: TID-cnx0-P23090
The identifier used by CN!Express® to refer to a single transaction. Thisis returned for all transactions. You can return this field or CNXTID toCN!Express® when processing a later transaction (for example, return theCNXTID associated with an authorization when capturing the transaction).Processors Supported: All processors.
COMCRDTY: Commercial Card TypeGroup: PC Level 2
Sample: BDescribes the type of Commercial Card (Purchase Card) used for this transac-tion.Processors Supported: PayPal Payflow Proonly.
CRDTLINE: Customer Credit LineGroup: Customer InfomationSample: 1000.00
Customer credit line. May be returned by Bill Me Later.Processors Supported: Litle & Co.only.
CRTDDATE: Created DateGroup: OtherSample: 3/1/2010 14:22:31
Date and Time at which the transaction was created in CN!Express®
database. Useful for tracking transaction flow or debugging purposes.Processors Supported: All processors.
field reference 195
CUR: CurrencyGroup: OtherSample: USDThe three-letter code that specifies the currency for the transaction. Proces-sors associate currency types with merchant numbers/divisions. Typically,you will set up currency as a default value per division in CN!Express®
and not import currencies with each transaction. The following table listssome typical currencies. Not all processors support all currency types.
Code Description
AUD, 036 Australian Dollar
GBP, 826 British Pounds Sterling
CAD, 124 Canadian Dollar
DKK, 208 Danish Krone (Krona)
EUR, 978 Euro
HKD, 344 Hong Kong Dollar
JPY, 392 Japanese Yen
NZD, 554 New Zealand Dollar
NOK, 578 Norwegian Krone (Krona)
SGD, 702 Singapore Dollar
ZAR, 710 South African Rand
SEK, 752 Swedish Krona
CHF, 756 Swiss Franc
USD, 840 US Dollar
Processors Supported: Cardinal Centinel, eBillMe, Chase Paymentech OrbitalGateway, Tsys PayFuse, PayPal Express Checkout, Trident Payment Gateway.
196 cn!express®
CURBAL: Current BalanceGroup: Gift/Prepaid CardsSample: 10.00
Currently supported for gift cards only. The current balance on the account.Processors Supported: Litle & Co., PayPal Payflow Pro, TenderCard.
CUSTACPH: Customer Accept HeaderGroup: ECommerce Customer InfoSample: text/plainThe customer HTTP accept header.Processors Supported: Cardinal Centinelonly.
CUSTADCH: Customer Changed Billing AddressGroup: Customer InfomationSample: 0
Optional for Bill Me Later. Indicates if customer has updated their billing ad-dress at merchant site.Processors Supported: Local field/reserved for future use.
CUSTANI: Customer ANIGroup: Additional Credit CardSample: 6039246079
Customer Automatic Number Identification. The phone number the customerused to place a phone order, as specified by Automatic Number Identification.Processors Supported: Local field/reserved for future use.
CUSTAUTH: Customer Authenticated by MerchantGroup: VbV/Secure CodeSample: 0
True if the customer has been authenticated by the merchant, either by log-ging in to a secure web site or authenticated by the call center. Optionalfor 3D Secure (Verified by Visa or MasterCard SecureCode) transactions.Processors Supported: Litle & Co.only.
field reference 197
CUSTDLCT: Customer Drivers License CountryGroup: Customer InfomationSample: USUsed for Bill Me Later. Customer’s driver’s license country. (Optional)Processors Supported: Local field/reserved for future use.
CUSTDLNO: Customer Drivers License NumberGroup: Customer InfomationSample: ABC-432392981
Used for Bill Me Later. Customer’s driver’s license number. (Optional)Processors Supported: Local field/reserved for future use.
CUSTDLSP: Customer Drivers License State/ProvGroup: Customer InfomationSample: NHUsed for Bill Me Later. Customer’s driver’s license state. (Optional)Processors Supported: Local field/reserved for future use.
CUSTDOB: Customer Date Of BirthGroup: Customer InfomationSample: 4/22/1970
Required for Bill Me Later authorization transactions.Processors Supported: Litle & Co., Trident Payment Gateway.
CUSTEMCH: Customer Changed Email AddressGroup: Customer InfomationSample: 1
Optional for Bill Me Later. Indicates if customer has updated their email addressat merchant site.Processors Supported: Local field/reserved for future use.
CUSTEMP: Customer EmployerGroup: Customer InfomationSample: Auric SystemsThe customer’s employer.Processors Supported: Litle & Co.only.
198 cn!express®
CUSTEMYR: Customer Years At EmployerGroup: Customer InfomationSample: 4
Used for Bill Me Later. Optional for authorization transactions. Number of yearswith current employer. Round up to nearest year. Example: 5 months = 1 year.Processors Supported: Litle & Co., Trident Payment Gateway.
CUSTGHI: Customer Gross Household IncomeGroup: Customer InfomationSample: 45500.00
Used for Bill Me Later. Gross annual household income. (Optional)Processors Supported: Litle & Co., Trident Payment Gateway.
CUSTGHIC: Customer Gross Household Income CurrencyGroup: Customer InfomationSample: USDUsed for Bill Me Later. Currency type of gross household annualincome. (Optional). See CUR field for list of typical currencies.Processors Supported: Litle & Co.only.
CUSTHASC: Customer Has Checking AccountGroup: Customer InfomationSample: 1
Used for Bill Me Later. Optional for authorization transactions.
Code Description
Y Yes, customer has a checking account.
N No, customer does not have a checking account.
Processors Supported: Trident Payment Gatewayonly.
field reference 199
CUSTHASS: Customer Has Savings AccountGroup: Customer InfomationSample: 1
Used for Bill Me Later. Optional for authorization transactions.
Code Description
Y Yes, customer has a savings account.
N No, customer does not have a savings account.
Processors Supported: Trident Payment Gatewayonly.
CUSTHOST: Customer HostGroup: ECommerce Customer InfoSample: myserver.example.comName of the customer host used in an e-commerce transaction.Processors Supported: PayPal Payflow Proonly.
CUSTII: Customer iiGroup: Additional Credit CardSample: 00
Customer information identifier. The Automatic Number Iden-tification ii digits reported for the call when the customerplaced the order, which identify the call type (e.g., cellular).Processors Supported: PayPal Payflow Proonly.
CUSTIP: Customer IP AddressGroup: ECommerce Customer InfoSample: 192.168.24.1Internet address of customer during an Ecommerce transaction.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., PayPal Payflow Pro, Trident Payment Gateway.
CUSTNEW: New CustomerGroup: Customer InfomationSample: 1
Set this field to "1" if this is an order by a new customer.Processors Supported: eBillMe, Litle & Co., Trident Payment Gateway.
200 cn!express®
CUSTPHCH: Customer Changed Home Phone NumberGroup: Customer InfomationSample: 0
Optional for Bill Me Later. Indicates if customer hasupdated their home phone number at merchant site.Processors Supported: Local field/reserved for future use.
CUSTPRXY: Customer ProxyGroup: ECommerce Customer InfoSample: 0
Set this field to "1" if the given CUSTIP represents a proxy.Processors Supported: eBillMeonly.
CUSTPWCH: Customer Changed PasswordGroup: Customer InfomationSample: 0
Optional for Bill Me Later. Indicates if customer has changed their password atmerchant site.Processors Supported: Local field/reserved for future use.
CUSTRESD: Customer Residence StatusGroup: Customer InfomationSample: OUsed for Bill Me Later. Optional for authorization transactions.
Code Description
O Own
R Rent
X Other
Processors Supported: Litle & Co., Trident Payment Gateway.
field reference 201
CUSTRSYR: Customer Years At ResidenceGroup: Customer InfomationSample: 2
Used for Bill Me Later. Optional for authorization transactions. Number ofyears at current residence. Round up to nearest year. Example: 5 months = 1
Processors Supported: Litle & Co., Trident Payment Gateway.
CUSTRTG: Customer RatingGroup: Customer InfomationSample: 3
Merchant customer rating.
1. Existing Good User
2. Existing Bad User
3. Unknown
Currently used by eBillMe only.Processors Supported: eBillMeonly.
CUSTSID: Customer Session IDGroup: ECommerce Customer InfoSample: SESSIONID01
Web browser session ID of customer during an Ecommerce transaction.Processors Supported: eBillMeonly.
CUSTSSN: Customer Social Security NumberGroup: Customer InfomationSample: 111-22-3333
Used for Bill Me Later. Optional for authorization transactions.Processors Supported: Litle & Co., Trident Payment Gateway.
CUSTUA: Customer User AgentGroup: ECommerce Customer InfoSample: MOZILLA/4.0 (COMPATIBLE; MSIE 5.0; WINDOWS 95)Name of the customer user agent used in an e-commerce transaction.Processors Supported: Cardinal Centinel, PayPal Payflow Pro.
202 cn!express®
CVV: CVV/CIDGroup: Credit CardsSample: 123
Card Type Format Description
American Express 4-digits Card Identification Number (CID)
Discover 3-digits Card Identification Number (CID)
MasterCard 3-digits Card Verification Code (CVC2)
Visa 3-digits Card Verification Value (CVV2)
The three or four-digit card security code. Used for fraud deterrence forcredit card transactions. According to card industry rules, the CVV mustnot be retained after an authorization is obtained. CN!Express® clears thisvalue immediately after authorization and always returns a blank CVV.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro,Tsys PayFuse, TenderCard, Trident Payment Gateway, Transfirst ePay.
CVVPRES: CVV PresenceGroup: Additional Credit CardSample: PIndicates the presence of a Card Security value. Supportedby Visa, MasterCard, and Discover. If this field is not im-ported or blank, it is set to P or NP based on presence of CVVvalue. Leave this field blank for American Express transactions.
Code Description
Blank: Indicator not sent
P Present
NP Not Present
I Illegible
Processors Supported: First Data Global Gateway, Moneris Solutions, ChasePaymentech Orbital Gateway, Tsys PayFuse.
field reference 203
CVVRESP: CVV ResponseGroup: Credit CardsSample: MCode returned by the card issuer in response to a card security verificationrequest. Both American Express and Bill Me Later transactions return a blank.
Code Description
M Value matched (Visa, MasterCard, Discover, FlexCache)
N Value not matched (Visa, MasterCard, Discover, FlexCache)
P Not processed (Visa, MasterCard, Discover, FlexCache)
S Should be on the card (Visa, Discover, FlexCache)
U Unsupported by the Issuer (Visa, MasterCard, Discover, Flex-Cache)
I Invalid (Visa, MasterCard, Discover, American Express, Flex-Cache)
Blank (American Express, Bill Me Later)
Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,Trident Payment Gateway, Transfirst ePay.
CVVTEXT: CVV MessageGroup: Credit CardsSample: MatchText description of CID/CVV2 result.Processors Supported: Local field/reserved for future use.
204 cn!express®
DEBTACCT: Debit Account TypeGroup: Debit CardsSample: CThe Account Type for debit transactions. Must be one of the following:
Code Description
C Consumer Checking
S Consumer Savings
Processors Supported: Local field/reserved for future use.
DEBTTRCE: Debit Trace NumberGroup: Debit CardsSample: 12345678
Trace number returned from debit card vendor on authorization transactions.Processors Supported: Local field/reserved for future use.
DECLPPD: Decline PrepaidGroup: Gift/Prepaid CardsSample: 0
Decline all prepaid cards. Currently implemented for Litle only. Litle sup-ports prepaid card filtering, which must be set up at the division levelwith Litle. This field can be used to override the default behavior if pre-paid card filtering is in use. If you have the division set up to filter all pre-paid cards, you can send 0 in this field to selectively allow a prepaid cardto pass. If you have the division set up to allow prepaid cards, you cansend 1 in the field to selectively decline the transaction if the card is pre-paid. If you don’t send this field, or send a blank, then Litle will use thedefault setting for the division to determine how to handle prepaid cards.Processors Supported: Litle & Co.only.
field reference 205
DETAILS: All DetailsGroup: PC Level 3/Detail RecordsSample: (see description)Transaction details can be included for purchase card level 3 and PayPal transac-tions (not all processors support these transactions). The details can be specifiedone of three ways:
1. as part of the import file, with detail records on lines that follow the transac-tion line;
2. as serial fields, marked with tags such as I_AMT_0, I_AMT_1..I_AMT_n; or
3. with all details in a single field.
If detail handling is required, you can configure CN!Express® to ac-cept one of these methods when setting up input formats. The DETAILSfield is used with method 3. It contains all detail records in a single field.The details field is delimited by row and then by field. The DETAILsub-field layout is a fixed format. Refer to Appendix ?? (??) for details.Processors Supported: Cardinal Centinel, eBillMe, Litle & Co., Chase Pay-mentech Orbital Gateway.
DISC: DiscountGroup: PC Level 3/Detail RecordsSample: 1.00
The discount amount applied to the full order. Used for level 3 purchase cardtransactions.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro.
DIVISION: Division IDGroup: Common Request FieldsSample: asi-2The CN!Express® division number for this transaction. CN!Express®
uses divisions to associate payment processors and payment pro-cessor accounts with each transaction. If you have only one divi-sion set up in CN!Express® you don’t need to import this field. ForLitle, the DIVISION is sent as the Report Group for the transaction.Processors Supported: All processors.
206 cn!express®
DUTY: DutyGroup: PC Level 3/Detail RecordsSample: 1.00
Amount of duty included in the transaction.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro.
ECOMTYP: ECommerce TypeGroup: Common Request FieldsSample: EThis field can be used in one of two ways: If authenticating a 3DS transac-tion through a third party (e.g., Cardinal Centinel), import the ECI value re-turned by the third party in this field. This will typically be a one- or two-digit numeric value. If not using 3DS authentication, and XCLASS is set to’E’ for E-commerce, this field more precisely defines the type of E-commercetransaction. This will almost always be E, indicating a secure Internet trans-action (typically HTTPS over the Web). This setting is sometimes describedas Non-SET Channel Encrypted. Other possible settings (although these arerarely used) are U (for an unsecured ecommerce transaction) or S (used only forSET encryption). SET is a specific security implementation that is rarely used.
Code Description
U,8,08 Non-Secure
E,7,07 HTTPS
S Secure SET
5,05 VbV Authenticated Transaction
6,06 VbV Attempted Authentication
1,01 Master Card Indicates Merchant Liability
2,02 Master Card Indicates Card Issuer Liability
Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle & Co.,Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway,Transfirst ePay.
field reference 207
ECPAUTHM: ECP Authorization MethodGroup: ChecksSample: IMethod by which merchant is authorized by customer to conduct thisElectronic Check transaction. The ECP Authorization Method may bedefaulted at the processor division level. If the default is set, all trans-actions processed through the division will carry the default ECP au-thorization value unless this field is populated to override the default.
Code Description
Blank: Unknown
W Written
I Internet
T Telephone
C Cash Concentration or Disbursement
P Point of Purchase (POP)
A Accounts Receivable Conversion (ARC)
NOTE:
For PayFuse, Written translates into Prearranged Payment and De-posit. Also, Cash Concentration or Disbursement is only available forPayFuse. PayFuse defaults to W (Prearranged Payment and Deposit)Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.
208 cn!express®
ECPDELVM: ECP Preferred Delivery MethodGroup: ChecksSample: AThe Preferred Delivery Method for depositing checks. Electronic checkrefunds require a preferred delivery method of ACH (A). If best pos-sible (B) is sent, and the RDFI is a non-ACH participant, the trans-action is rejected with Response Code 760 ACH Non-participant.
Code Description
A ACH Automated Clearing House electronic delivery
B Best Possible
Processors Supported: Chase Paymentech Orbital Gatewayonly.
EDBSC: EDD Bank Sort CodeGroup: EDDSample: 1234567890
Used for European Direct Debit Transactions. The identifier of thecustomer’s bank. Each country has its own bank sort code format.Processors Supported: Local field/reserved for future use.
field reference 209
EDCNTRY: EDD Country CodeGroup: EDDSample: DEUsed for European Direct Debit Transactions. This is acode which indicates the country of the customer’s bank.
Code Country
AT Austria
BE Belgium
FR France
DE Germany
NL Netherlands
GB United Kingdom
Processors Supported: Local field/reserved for future use.
EDRIB: EDD RIB CodeGroup: EDDSample: 12
Used for European Direct Debit Transactions. The bank ac-count checksum. This is optional, used only in France.Processors Supported: Local field/reserved for future use.
ENCFLAG: Encryption FlagGroup: OtherSample: FThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
210 cn!express®
ENDDATE: End DateGroup: PayPalSample: 3/31/2010 14:22:31
For Query transactions, the last date to include in the search.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.
EXCHRATE: Exchange RateGroup: PayPalSample: 1.85
The exchange rate for the transaction. Returned by PayPal for in response toQuery (Q) transactions.Processors Supported: PayPal Express Checkoutonly.
EXCHRTID: Exchange Rate IDGroup: OtherSample: 92822817
The exchange rate identifier, returned by Merchant e-Solutions on cur-rency conversion operations when using FX processing. If obtained, theEXCHRTID must be retained by the merchant and returned along withMCURAMT with subsequent authorization, sale, or other transactions.Processors Supported: Trident Payment Gatewayonly.
field reference 211
EXP: Expiration DateGroup: Credit CardsSample: 0414
Usually the credit card expiration date: MMYY or MM/YY. Send blanks(or 0000) if the card has expired since the order was placed or if the trueexpiration date is unknown. Omitting the expiration date on a card-not-present transaction, while acceptable to some card processors anddebit networks, may result in a decline code from the Issuer. Field isalso returned by Merchant e-Solutions on ConvertAmount (CF) trans-actions. In this case the expiration date is a timestamp that indicateswhen the given exchange rate id (see EXCHRTID) will expire. Examples:
(Blank)
0000
00/00
MMYY
MM/YY
Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, TenderCard, Trident Payment Gateway, TransfirstePay.
EXSTDEBT: Existing DebtGroup: Additional Credit CardSample: 0
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
212 cn!express®
FREIGHT: FreightGroup: PC Level 3/Detail RecordsSample: 1.00
Amount of freight included in the transaction. Frequently called Shipping orShipping Cost.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, PayPal ExpressCheckout, Trident Payment Gateway.
HANDLING: Handling ChargeGroup: PayPalSample: 1.00
Amount of handling fee included in the transaction.Processors Supported: PayPal Express Checkoutonly.
ICVRESP: ICV-Style ResponseGroup: OtherSample: Y123456Y123456789
See appendix on IC-Verify compatibility features.Processors Supported: Local field/reserved for future use.
IGOTS: IGOTS Transaction CodeGroup: Additional Credit CardSample: 00
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
IMGNUM: Image Reference NumberGroup: POP/ArcSample: 29029093209023
Image Reference Number associated with check for POP and ARC transactions.Optional.Processors Supported: Local field/reserved for future use.
field reference 213
INV: InvoiceGroup: OtherSample: INV#1234
Invoice number for this order. Provide this field for Merchant e-Solutions purchase card level 2 and 3D secure lookup (IC) transactions.Processors Supported: First Data Global Gateway, Litle & Co., PayPal PayflowPro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident PaymentGateway.
ISSUDATE: Account Issue DateGroup: Gift/Prepaid CardsSample: 3/1/2010
Date of issue for gift cards.Processors Supported: TenderCardonly.
I_AMT_N: Item AmountGroup: PC Level 3/Detail RecordsSample: 45.36
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_AMT_0 represents the amount forthe first item, I_AMT_1 represents the amount for the second item, etc.Processors Supported: Local field/reserved for future use.
I_CMD_N: Item Commodity CodeGroup: PC Level 3/Detail RecordsSample: 20130
Transaction details can be included for purchase card level 3 or for PayPaltransactions (not all processors support these transactions). This field is usedto specify detail information using a serial tag format. See the DETAILSfield for other formats. I_CMD_0 represents the commodity code for thefirst item, I_CMD_1 represents the commodity code for the second item, etc.Processors Supported: Local field/reserved for future use.
214 cn!express®
I_CMT_N: Item CommentGroup: PC Level 3/Detail RecordsSample: Line item commentTransaction details can be included for purchase card level 3 or forPayPal transactions (not all processors support these transactions).This field is used to specify detail information using a serial tag for-mat. See the DETAILS field for other formats. I_CMT_0 is a com-ment for the first item, I_CMT_1 is a comment for the second item, etc.Processors Supported: Local field/reserved for future use.
I_CRD_N: Item Amount Is CreditGroup: PC Level 3/Detail RecordsSample: 0
Transaction details can be included for purchase card level 3 or forPayPal transactions (not all processors support these transactions).This field is used to specify detail information using a serial tag for-mat. See the DETAILS field for other formats. I_CRD_0 is true if thefirst item is a credit, I_CRD_1 is true if the second item is a credit, etc.Processors Supported: Local field/reserved for future use.
I_DAM_N: Item Discount AmountGroup: PC Level 3/Detail RecordsSample: 4.80
Transaction details can be included for purchase card level 3 or for PayPaltransactions (not all processors support these transactions). This field is usedto specify detail information using a serial tag format. See the DETAILSfield for other formats. I_DAM_0 represents the discount amount for thefirst item, I_DAM_1 represents the discount amount for the second item, etc.Processors Supported: Local field/reserved for future use.
I_DCD_N: Item DiscountedGroup: PC Level 3/Detail RecordsSample: 1
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format. Seethe DETAILS field for other formats. I_DCD_0 is true if the first itemis discounted, I_DCD_1 is true if the second item is discounted, etc.Processors Supported: Local field/reserved for future use.
field reference 215
I_DSC_N: Item DescriptionGroup: PC Level 3/Detail RecordsSample: CAP,SCREENED,PROMOTransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_DSC_0 represents the description for thefirst item, I_DSC_1 represents the description for the second item, etc.Processors Supported: Local field/reserved for future use.
I_MSR_N: Item MeasureGroup: PC Level 3/Detail RecordsSample: PCETransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_MSR_0 represents the unit of measure for thefirst item, I_MSR_1 represents the unit of measure for the second item, etc.Processors Supported: Local field/reserved for future use.
I_NBR_N: Item Number/Product CodeGroup: PC Level 3/Detail RecordsSample: CAP-238-LOGOTransaction details can be included for purchase card level 3 or for Pay-Pal transactions ( not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_NBR_0 represents the item number for thefirst item, I_NBR_1 represents the item number for the second item, etc.Processors Supported: Local field/reserved for future use.
I_OPT_N: Item OptionsGroup: PC Level 3/Detail RecordsSample: NoneTransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_OPT_0 represents optional information forthe first item, I_OPT_1 represents optional information for the second item, etc.Processors Supported: Local field/reserved for future use.
216 cn!express®
I_QTY_N: Item QuantityGroup: PC Level 3/Detail RecordsSample: 12
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_QTY_0 represents the quantity ofthe first item, I_QTY_1 represents the quantity of the second item, etc.Processors Supported: Local field/reserved for future use.
I_TAX_N: Item TaxGroup: PC Level 3/Detail RecordsSample: 2.16
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format.See the DETAILS field for other formats. I_TAX_0 represents the taxfor the first item, I_TAX_1 represents the tax for the second item, etc.Processors Supported: Local field/reserved for future use.
I_TXR_N: Item Tax RateGroup: PC Level 3/Detail RecordsSample: 0.05
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_TXR_0 represents the tax rate forthe first item, I_TXR_1 represents the tax rate for the second item, etc.Processors Supported: Local field/reserved for future use.
I_UAM_N: Item Unit CostGroup: PC Level 3/Detail RecordsSample: 4.00
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_UAM_0 represents the unit cost forthe first item, I_UAM_1 represents the unit cost for the second item, etc.Processors Supported: Local field/reserved for future use.
field reference 217
I_XIN_N: Item Total Includes TaxGroup: PC Level 3/Detail RecordsSample: 1
Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format.See the DETAILS field for other formats. I_XIN_0 is true if the firstitem includes tax, I_XIN_1 is true if the second item includes tax, etc.Processors Supported: Local field/reserved for future use.
I_XTY_N: Item Tax TypeGroup: PC Level 3/Detail RecordsSample: STATETransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_XTY_0 represents the tax type forthe first item, I_XTY_1 represents the tax type for the second item, etc.Processors Supported: Local field/reserved for future use.
KSN: KSNGroup: Debit CardsSample: 0123456789012345
For debit card transactions. Key Sequence Number (KSN) as-sociated with the PIN pad that encrypted the customer’s PIN.Processors Supported: Local field/reserved for future use.
LAS: Last Action SucceededGroup: Common Response FieldsSample: 1
Flag indicating whether the last requested transaction actionsucceeded. Field is 1 if successful and 0 if not. Use this field tocheck for success or failure when writing programs that workwith CN!Express®. Use ASIRESP for more specific information.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
218 cn!express®
LOADABLE: Prepaid Card is ReloadableGroup: Gift/Prepaid CardsSample: 0
Returned in response for prepaid cards, if supported by processor. Returnvalue of 1 means the card can be re-loaded, return value of 0 means it can not.Processors Supported: Litle & Co.only.
MACTION: Merchant ActionGroup: Common Response FieldsSample:This is a suggested action a merchant could take in responseto a specific type of transaction decline. This field is gener-ated by CN!Express®. These are the values that can be returned:
Code Description
DECLINE Decline the transaction
RETRY Retry the transaction at a later time
ERROR Correct the transaction and retry
CALL Call payment processor for assistance with thistransaction
VOICE Obtain a voice authorization
Processors Supported: All processors.
MARKSPEC: Market Specific DataGroup: Additional Credit CardSample: BThis field is provided for compatibility with the Trevance® transaction gatewayand is not used by cnx.Processors Supported: Local field/reserved for future use.
field reference 219
MCBNKDAT: MC Banknet DateGroup: Credit Card Authorization SpecificsSample: 0301
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
MCBNKREF: MC Banknet Reference NumberGroup: Credit Card Authorization SpecificsSample: MWCYW4EDKThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
MCC: MCCGroup: Additional Credit CardSample: 1234
Used to describe merchant’s primary business. Usually set up at the divisionlevel.Processors Supported: Chase Paymentech Orbital Gateway, Trident PaymentGateway, Transfirst ePay.
MCSCAAV: MC SecureCode AAVGroup: VbV/Secure CodeSample: AAVMasterCard SecureCode Account holder Authentication Value. This isa unique transaction token generated by the issuer and presented tothe merchant each time a card holder conducts an electronic transac-tion using MasterCard SecureCode. AAV incorporates elements spe-cific to the transaction and effectively binds the cardholder to a transac-tion at a particular merchant for a given sale amount. Must be sent inBase 64 Encoding. This is the same format used by MasterCard when re-turning the AAV data to the merchant during the authentication step.Processors Supported: First Data Global Gateway, Litle & Co., Moneris So-lutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident PaymentGateway, Transfirst ePay.
220 cn!express®
MCSCSPT: MC Secure Code SupportGroup: VbV/Secure CodeSample: 1
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
MCTPROMO: Merchant Promotional CodeGroup: OtherSample: 90DAYSACUsed by Bill Me Later. Optional value indicating a mer-chant special promotion code to which customer responded.Processors Supported: eBillMe, Litle & Co., Trident Payment Gateway.
MCURAMT: Amount in Merchant CurrencyGroup: OtherSample: 25.00
The amount of the transaction in merchant funding currency (generally,USD). Sent by the merchant as a parameter to Merchant e-Solutions in cur-rency conversion operations when using FX processing. The amount in cus-tomer currency is then returned in AMT. MCURAMT and EXCHRTID mustbe retained by the merchant and returned with subsequent transactions.Processors Supported: Trident Payment Gatewayonly.
MRCHCSPH: Merchant Customer Service Phone NumberGroup: Merchant Info/Soft DescriptorsSample: 8001234567
Merchant customer support phone number. Usually set up at the division level.Processors Supported: Trident Payment Gateway, Transfirst ePay.
field reference 221
MRCHORDR: Merchant Order NumberGroup: Common Request FieldsSample: MRCHORDR-9012345678901234
The merchant order number represents the order associated with this transac-tion. Often, the merchant order number is the best way to look up a transactionwhen handling exceptions or when discussing a transaction with the paymentprocessor. The merchant order number should be unique for each transaction.Different payment processors have different rules about the number of charac-ters for an order number, or about what types of characters are acceptable.
• Order numbers should be 22 characters in length or shorter.
• Order numbers should be unique within the first eight digits.
• Use only upper and lowercase alpha and numeric characters, plus the follow-ing: -,$@
• Pinless debit order numbers must use alphanumerics only.
ASI recommends that you follow the above guidelines so that your ordernumbers will meet the requirements of even the most restrictive systems.Processors Supported: All processors.
MSGVRFD: Message VerifiedGroup: Bill Me LaterSample: 1
Indicates whether or not processor has verified that the message sent was au-thentic, based on its digital signature. This field is returned by Merchant e-Solutions for BML transactions in response to an authentication (AC) request.Processors Supported: Trident Payment Gatewayonly.
MSTATE: Merchant State/Prov DescriptorGroup: Merchant Info/Soft DescriptorsSample: NHState or province part of merchant location.Processors Supported: Trident Payment Gatewayonly.
222 cn!express®
MZCPC: Merchant ZIP/Postal CodeGroup: Merchant Info/Soft DescriptorsSample: 03458
Zip code or postal code part of merchant location.Processors Supported: Trident Payment Gatewayonly.
NETAMT: Net AmountGroup: PayPalSample: 4.00
The net amount of the transaction. Returned by PayPal in response to a querytransaction.Processors Supported: PayPal Express Checkoutonly.
NOUTID: Suppress UTID GenerationGroup: OtherSample: 0
If set, CN!Express® will not generate or store a UTID for the associatedtransaction. Use to override system defaults for a specific transaction.Processors Supported: Local field/reserved for future use.
OPENV: Operating EnvironmentGroup: Additional Credit CardSample: 0
Describes the terminal operating environment. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.Processors Supported: Local field/reserved for future use.
ORDDATE: Order DateGroup: OtherSample: 3/1/2010
The date on which an order was created using OpenOrder (as returned by Pay-Pal).Processors Supported: Litle & Co., PayPal Payflow Pro, PayPal ExpressCheckout.
field reference 223
ORDTIME: Order TimeGroup: OtherSample: 14:22:31
The time at which an order was created using OpenOrder (as returned by Pay-Pal).Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.
ORIGAUTH: Original Authorized AmountGroup: Credit Card Authorization SpecificsSample: 1.00
Amount of initial authorization.Processors Supported: Local field/reserved for future use.
PAYLOAD: PayloadGroup: Online IntegrationSample: anI3900WUEA9329029389iljwaef32WU372
Used for any return or request value where processor sends or receives a largeamount of operation-specific data in a single field.
• Used to transfer data when customer must be authenticated on external (pro-cessor) site, during BML authentication process on Merchant e-Solutionsgateway.
• Used to transfer data when customer must be authenticated on external site,during 3D-secure authentication process on Merchant e-Solutions gateway.
• Used to return single currency exchange rate data or full exchange rate tablefor rate lookup (CL) transactions on Merchant e-Solutions gateway.
Details of the field usage are based on the specific payment method and transac-tions being processed.Processors Supported: Cardinal Centinel, Trident Payment Gateway.
PCAPCAPB: PIN Capture CapabilityGroup: Additional Credit CardSample: 0
Describes the PIN capture capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.Processors Supported: Local field/reserved for future use.
224 cn!express®
PENDED: PendedGroup: PayPalSample: 0
A boolean value returned in a GetDetails response whichtells whether or not a transaction is in pending status.Processors Supported: PayPal Express Checkoutonly.
PENDTEXT: Pended TextGroup: PayPalSample: verifyReturned by PayPal in a GetDetails response which describes the reason a trans-action is pending.Processors Supported: PayPal Express Checkoutonly.
PID: Presenter IDGroup: OtherSample: 123456
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
PIN: PINGroup: Debit CardsSample: 0123456789012345
Debit Card encrypted Personal Identification Number (PIN) entered by cus-tomer.Processors Supported: Litle & Co., Moneris Solutions, Chase Paymentech Or-bital Gateway, Tsys PayFuse.
PMTENDDT: Payment End DateGroup: Recurring/InstallmentSample: 3/31/2011
For installment payments, the payment end date.Processors Supported: Cardinal Centinelonly.
field reference 225
PMTFREQ: Payment FrequencyGroup: Recurring/InstallmentSample: 28
For installment payments, the payment frequency.Processors Supported: Cardinal Centinelonly.
PMTNBR: Payment NumberGroup: Recurring/InstallmentSample: 1
For recurring or installment transactions, the number of this payment in the se-ries of payments.Processors Supported: eBillMe, Chase Paymentech Orbital Gateway, TransfirstePay.
PMTSRC: Payment SourceGroup: eBillMeSample: RPPSThe source of a payment made by a customer. Currently used for eBillMe only.Processors Supported: eBillMeonly.
PONUM: PO NumberGroup: PC Level 2
Sample: PO-23456789
Customer Purchase Order Number. This field is required for purchasecard level 2 and purchase card level 3 transactions, except when pro-cessing through Merchant e-Solutions. For Merchant e-Solutions level2 transactions, provide the Invoice Number (INV) instead of this field.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse.
POPCITY: POP Terminal CityGroup: POP/ArcSample: BOSCity where Point of Purchase terminal is located. Optional. Used only for POPtransactions.Processors Supported: Local field/reserved for future use.
226 cn!express®
POPSTATE: POP Terminal StateGroup: POP/ArcSample: MAState where Point of Purchase terminal is located. Optional. Used only for POPtransactions.Processors Supported: Local field/reserved for future use.
POSCAP: POS Capability CodeGroup: RetailSample: KDescribes the capabilities of the POS device. Optional. For Litle, POSCAPshould be included with all retail transactions. This is additional in-formation that you can specify to describe the transaction environ-ment. Including this information may improve the interchange rate forthis transaction. Contact payment processor for specific requirements.
Code Description
1 Track 1
2 Track 2
C Chip
K Keyed
L Contactless
N No Terminal
Processors Supported: Litle & Co., Transfirst ePay.
field reference 227
POSENTRY: POS Entry ModeGroup: RetailSample: KDescribes how the transaction was entered. For Litle, POSENTRY shouldbe included with all retail transactions. This is additional informationthat you can specify to describe the transaction environment. Includ-ing this information may improve the interchange rate for this trans-action. Contact your payment processor for specific requirements.
Code Description
K Keyed
2 Track 2
C Chip
1 Track 1
V Contactless Chip
E Ecommerce
M Track 1 and 2
N No Terminal
L Contactless
U Chip Card (CVV unreliable)
Processors Supported: Litle & Co., Transfirst ePay.
228 cn!express®
POSID: POS Customer ID MethodGroup: RetailSample: MDescribes how the cardholder was identified. For Litle, POSID shouldbe included with all retail transactions. This is additional informationthat you can specify to describe the transaction environment. Includ-ing this information may improve the interchange rate for this trans-action. Contact your payment processor for specific requirements.
Code Description
M Mailorder
P PIN
S Signature
U Unattended
Processors Supported: First Data Global Gateway, Litle & Co., Transfirst ePay.
PREAPRNO: Pre-approval Invitation NumberGroup: Bill Me LaterSample: 123456789ABCDEFUsed for Bill Me Later.
• Pre-approval from credit bureau should include the 16-digit pre-approvalnumber. This allows the pre-approval to be matched with the first customerorder.
• Internal pre-approval should include the leftmost digit as 1.
• No pre-approval should include all zeros or be blank.
Indicates whether or not customer has been pre-approved.Processors Supported: Litle & Co.only.
PREVACCT: Previous Gift Card Account NumberGroup: Gift/Prepaid CardsSample: 8700000000000000
TenderCard transactions only. Represents the previous account number for XFor IS transactions.Processors Supported: TenderCardonly.
field reference 229
PROCATR1: Processor-Specific Attribute 1
Group: Processor SpecificsSample: proc-attr-1Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, PayPal Express Checkout.
PROCATR2: Processor-Specific Attribute 2
Group: Processor SpecificsSample: proc-attr-2Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., PayPalPayflow Pro, PayPal Express Checkout.
PROCATR3: Processor-Specific Attribute 3
Group: Processor SpecificsSample: proc-attr-3Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: eBillMe, PayPal Payflow Pro, PayPal Express Checkout.
PROCATR4: Processor-Specific Attribute 4
Group: Processor SpecificsSample: proc-attr-4Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.
PROCDIV: Processor Division IDGroup: Processor SpecificsSample: 123456
The processor’s division number or processor-specific Merchant ID. If you haveonly one CN!Express® division set up, you can use this to directly assign indi-vidual transactions to processor divisions. See Chapter ?? (?? for more details.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, PayPal Express Checkout, TenderCard,Trident Payment Gateway, Transfirst ePay.
230 cn!express®
PROCFEE: Processor FeeGroup: Processor SpecificsSample: 1.00
Fee charged for transaction. Returned by GetDetails and Query transactions.Processors Supported: PayPal Express Checkoutonly.
PROCMODE: Payment Processor ModeGroup: Processor SpecificsSample: PThe mode for this transaction.
Code Description
D Demo Mode. For setup/demo only. Handledinternally by CN!Express® and never sent topayment processor.
T Test Mode. Sent to the payment processor usingthe payment processor’s test mode.
P Production Mode. Sent to the payment proces-sor in production mode.
Processors Supported: Local field/reserved for future use.
PROCORDR: Processor Order IDGroup: IdentifiersSample: 28269684AF474914SThe processor order number for this transaction.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Tsys PayFuse, PayPal Express Checkout, Trident Payment Gateway, TransfirstePay.
field reference 231
PROCRSN: Processor Reason CodeGroup: Processor SpecificsSample: 2
Processor-specific reason code (eg., a reason given for cancel-ing an order). Currently, this is used by eBillMe only. eBillMeaccepts a PROCRSN for Void and Refund actions. PROCRSNcodes have different meanings, depending on the action.
Action CodeDescription
Void(V) 1 Consumer: does not want order
Void(V) 2 Consumer: unable to complete payment
Void(V) 3 Consumer: changed payment method
Void(V) 4 Merchant: consumer risk
Void(V) 5 Merchant: confirmed fraud
Void(V) 6 Merchant: duplicate order
Void(V) 7 Merchant: unable to fulfill order
Void(V) 8 Merchant: order expired
Refund(R) 1 Unknown payment
Refund(R) 2 Duplicate payment
Refund(R) 3 Overpayment
Refund(R) 4 Order expired
Refund(R) 5 Refund requested: goods returned
Refund(R) 6 Refund requested: order cancelled
Refund(R) 7 Refund requested: per originator
Refund(R) 8 Unable to fulfill order
Refund(R) 9 Confirmed fraud
Refund(R) 10 Consumer risk
Refund(R) 11 Merchant has ceased operations
Processors Supported: eBillMe, Moneris Solutions.
232 cn!express®
PROCSTAT: Processor StatusGroup: OtherSample: CompletedA text description of the status of the transaction, as returned or maintainedby the processor.
• For eBillMe, this field can be used as a search parameter for Query transac-tions.
• For Bill Me Later transactions on the Merchant e-Solutions gateway, this field contains the returned statusfor each BML operation, as shown in the follwing table:
Code MeS Field Values
IC enroll_status Y: Enrolled; N: Not Enrolled
AC application_status Y: Success; X: Cancelled; D:Customer requested data update; E: Error
S,RE,D,R status_code Y: Success; N: Declined: E: Error
• For 3D-secure enrollment check on the Merchant e-Solutions gateway, this field contains the returned sta-tus for each transaction, as shown in the following table:
Code MeS Field Values
IC 3d_enrolled Y: Enrolled; N: Not Enrolled
• For Cardinal Centinel lookup transations, this field contains the re-turned status for each transaction, as shown in the following table:
Code Centinel Field Values
IC Enrolled Y: Enrolled; N: Not Enrolled, U: Pro-cessing Unavailable, (blank):Error
Processors Supported: Cardinal Centinel, eBillMe, Moneris Solutions, PayPalExpress Checkout, Trident Payment Gateway.
field reference 233
PROCTID: Processor Transaction IDGroup: IdentifiersSample: 7AWDEGTR012345678
The processor transaction ID. Uniquely identifies a transaction for a given pro-cessor. This is returned for all transactions. You can return this field or CNXTIDto CN!Express® when processing a later transaction (for example, return theCNXTID associated with an authorization when capturing the transaction).Processors Supported: All processors.
PROCTYPE: Processor TypeGroup: Processor SpecificsSample: orbitalThe payment processor associated with this division.Processors Supported: Local field/reserved for future use.
PRODTYPE: Product Delivery TypeGroup: Shipment Address/InfoSample: PDescribes how the product being purchased is to be delivered.
CN!Express® Processor Description
Code Code
D DIG Digital Goods, ex: Downloadedsoftware or Ebook
P PHY Physical
T TBD To Be Determined
V SVC Service
Y CNC Cash and Carry
Processors Supported: Cardinal Centinel, Litle & Co., Trident Payment Gateway.
234 cn!express®
PYADRONR: PayPal Address OwnerGroup: PayPalSample: Owner Corp.PayPal only. eBay company that maintains this address.Processors Supported: PayPal Express Checkoutonly.
PYADRSTA: PayPal Address StatusGroup: PayPalSample: Confirmed.PayPal only. Text status of this address with PayPal.Processors Supported: PayPal Express Checkoutonly.
PYCID: PayPal Contract IDGroup: PayPalSample: 7IKLQNJS012345678901
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
PYPAYER: PayPal PayerIDGroup: PayPalSample: 95HR9CM6D56Q2
The PayPal PayerID. Required field (along with PYTO-KEN) for PayPal Authorization, Sale, or CreateOrder.Processors Supported: PayPal Express Checkoutonly.
PYPWD: PayPal API PasswordGroup: PayPalSample: QFZCWN5HZM8VBG7QThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
field reference 235
PYSIG: PayPal API SignatureGroup: PayPalSample: A-IzJhZZjhg29XQ2qnhapuwxIDzyAZQ92FRP5dqBzVesOkzbdUONzmOUThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
PYTOKEN: PayPal TokenGroup: PayPalSample: EC-0E881823PA052770AThe PayPal Token. Required field (along with PYPAYER) for PayPal Authoriza-tion, Sale, or CreateOrder.Processors Supported: PayPal Express Checkoutonly.
PYUSER: PayPal API UserGroup: PayPalSample: example.comThis field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
QRYCLASS: Query ClassGroup: PayPalSample: AllThe PayPal TransactionClass. May be used as a search param-eter with a Query transaction. Some examples include All andBalanceAffecting. See PayPal documentation for complete list.Processors Supported: PayPal Express Checkoutonly.
QUALKEY: Qual KeyGroup: Separate Auth/CaptureSample:This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
236 cn!express®
RAUTHTID: Retail Auth Terminal IDGroup: RetailSample: 01234567
The terminal ID for the authorizing terminal in a POS environment. Optional.Processors Supported: Transfirst ePayonly.
RECADV: Recurring Payment Advice CodeGroup: Recurring/InstallmentSample: 01
Action to be taken when receiving decline on a transaction marked as re-curring. This code is returned only for MasterCard account numbers.The Transaction Class must be set to Recurring (see the Class field).
Code Action
01 New account information available. Obtain newaccount information.
02 Try again later. Recycle transaction in 72 hours.
03 Do not try again. Obtain another type of pay-ment from customer.
Processors Supported: Chase Paymentech Orbital Gatewayonly.
RECURTYP: Recurring TypeGroup: Recurring/InstallmentSample: ROnly used if XCLASS is "R" or "I". Some payment services distinguish be-twen the first recurring transaction and subsequent recurring transactions,requiring different information for reach. Set this value to "0" for the ini-tial recurring transaction, and to "R" for all others. (See also PMTNBR).
Code Description
0 Initial Payment
R All Other Payments
Processors Supported: Local field/reserved for future use.
field reference 237
REDRURL: Redirect URLGroup: Online IntegrationSample: https://www.example.com/enrollUsed when merchant must redirect customer to processor URL. Thisfield is returned by Merchant e-Solutions for BML transactions in re-sponse to a lookup/identify customer (IC) request. This field is alsoreturned by Merchant e-Solutions for credit-card transactions in re-sponse to a 3D Secure enrollment check/identify customer (IC) request.Processors Supported: Cardinal Centinel, Trident Payment Gateway.
REGDATE: Customer Registration DateGroup: Bill Me LaterSample: 1/14/2005
Used for Bill Me Later. Date the customer registered with the merchant.Processors Supported: Litle & Co., Trident Payment Gateway.
REQDACI: Requested ACIGroup: Credit Card Authorization SpecificsSample: YReturned Authorization Characteristics Indicator. Thisvalue indicates the ACI value that was requested at au-thorization time. This is currently for documentation only.Processors Supported: Local field/reserved for future use.
REQSEQ: Sequence of RequestGroup: OtherSample: 238743
Request sequence. A transaction identifier, used only fortracking the transaction in logs generated by CN!Express.Processors Supported: Local field/reserved for future use.
238 cn!express®
RESPCODE: Response CodeGroup: Common Response FieldsSample: 100
The processor-specific response code. These can be used to programaticallydetermine the disposition of a transaction, but the merchant system must beable to handle new response codes. Generally, these will be two- or three-digitnumeric values, but some processors may return longer codes or text stringsin this field. ASI recommends that you use the normalized ASIRESP code forthis purpose. For the TenderCard payment processor only, RESPCODE is gen-erated by CN!Express®, because TenderCard does not return a response code.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
RESPDATE: Response Date and TimeGroup: Common Response FieldsSample: 3/1/2010 14:22:31
Date and Time the transaction was processed.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
RESPTEXT: Response TextGroup: Common Response FieldsSample: 100 – ApprovedText description of the transaction result.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.
RESPTZ: Response TimezoneGroup: PayPalSample: GMTTime zone of a transaction. Can be used as a Query input parameter.Processors Supported: PayPal Express Checkoutonly.
field reference 239
RETRACI: Returned ACIGroup: Credit Card Authorization SpecificsSample: VThis value is returned by Visa in the original Authorization transac-tion. Can be stored and optionally returned with the deposit transaction.Processors Supported: Tsys PayFuse, Transfirst ePay.
RETRREF: Retrieval Reference NumberGroup: Credit Card Authorization SpecificsSample: 012345678901
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
RFFEEAMT: Fee RefundedGroup: PayPalSample: 1.00
Returned for refund transactions. Transaction fee refunded to merchant.Processors Supported: PayPal Express Checkoutonly.
RFGRAMT: Gross Refunded AmountGroup: PayPalSample: 5.00
Returned for refund transactions. Amount of money refunded to payer.Processors Supported: eBillMe, PayPal Express Checkout.
RIID: Receiving Institution IDGroup: Credit Card Authorization SpecificsSample: 000000
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
240 cn!express®
ROUTNUM: Routing NumberGroup: ChecksSample: 123456789
Bank routing number for checks. Also called Receiving Depository Finan-cial Institution (RDFI) number, the Bank ID, the ABA#, or the Transit Rout-ing #. US bank values are nine (9) digits. Canadian bank values are eight(8) digits. For Canadian banks, the first eight characters should not have aspace or dash. The proper formatting of Canadian bank IDs is FFFBBBBBwhere FFF is the financial institution and BBBBB is the branch number.Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.
RQSTTOKN: Request Return Processor TokenGroup: OtherSample: 0
For processors that support the generation of an account token dur-ing a normal authorization or sale transaction. Set RQSTTOKN to "1"for the auth or sale transaction to request that a token be returned.Not needed for specific tokenization transaction (ACTION="T").Processors Supported: Chase Paymentech Orbital Gatewayonly.
RSETLBID: Retail Settle Batch IDGroup: RetailSample: 0123456789012345
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
RSETLTID: Retail Settle Terminal IDGroup: RetailSample: 0123456789012345
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
field reference 241
RVRSTEXT: Reversal TextGroup: PayPalSample: chargebackReturned for a GetDetails transaction if the status of the transactionis Reversed. A text description of why the transaction was reversed.Processors Supported: PayPal Express Checkoutonly.
SALESTAX: Sales TaxGroup: PayPalSample: 1.00
Returned for a GetDetails transaction. The amount of sales tax on the purchase.Processors Supported: PayPal Express Checkoutonly.
SELLACCT: Seller AccountIDGroup: PayPalSample: 1234565
Returned for a GetDetails transaction. Account number of the seller.Processors Supported: PayPal Express Checkoutonly.
SELLCNTC: Seller Contact InformationGroup: PayPalSample: [email protected] for a GetDetails transaction. Email address or account ID of the seller.Processors Supported: PayPal Express Checkoutonly.
SELLEMAL: Seller EmailGroup: PayPalSample: [email protected] for a GetDetails transaction. Email address of the seller.Processors Supported: PayPal Express Checkoutonly.
SERVDEV: Service DevelopmentGroup: Additional Credit CardSample: 7
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
242 cn!express®
SFRMZCPC: Ship From ZIP/Postal CodeGroup: PC Level 2
Sample: 03458-1234
Zip code or Canadian postal code from which product was shipped.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Transfirst ePay.
SHIPADD1: ShipAddress:Address 1
Group: Shipment Address/InfoSample: 44 Shipper LaneFirst address line of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, PayPal Express Checkout,Trident Payment Gateway.
SHIPADD2: ShipAddress:Address 2
Group: Shipment Address/InfoSample: PO Box 44
Second address line of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.
SHIPADTY: Ship-to Address TypeGroup: Shipment Address/InfoSample: RMay be returned by Bill Me Later.
Code Description
C Commercial
R Residential
Processors Supported: Litle & Co.only.
field reference 243
SHIPAPT: ShipAddress:AptGroup: Shipment Address/InfoSample: 44
Apartment portion of customer shipping address.Processors Supported: Local field/reserved for future use.
SHIPCAR: Shipping CarrierGroup: Shipment Address/InfoSample: USPSCarrier delivering the merchandise to customer.
Code Description
DHL DHL
FEDX Federal Express
G Greyhound
O Other
P Purolator
USPS United States Postal Service
UPS United Parcel Service
Processors Supported: eBillMeonly.
SHIPCITY: ShipAddress:CityGroup: Shipment Address/InfoSample: PeterboroughCity portion of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.
244 cn!express®
SHIPCO: ShipAddress:CompanyGroup: Shipment Address/InfoSample: Example Corp.Company portion of customer shipping address.Processors Supported: Local field/reserved for future use.
SHIPCTRY: ShipAddress:CountryGroup: Shipment Address/InfoSample: USCountry portion of customer shipping address. For level-3 credit card pro-cessing using Orbital, use three-letter ISO country codes. For all other ap-plications, use the two-letter ISO country code for the destination country.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, PayPal Express Checkout.
SHIPDATE: Ship DateGroup: Shipment Address/InfoSample: 3/1/2010
Date product was shipped to fulfill the order.Processors Supported: eBillMe, Transfirst ePay.
SHIPEMAL: ShipAddress:EmailGroup: Shipment Address/InfoSample: [email protected] portion of customer shipping address. Example: [email protected] Supported: eBillMe, First Data Global Gateway, Litle & Co., TridentPayment Gateway.
SHIPFNAM: ShipAddress:First NameGroup: Shipment Address/InfoSample: MaryRecipient’s first name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (SHIPNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.
field reference 245
SHIPHPHO: ShipAddress:Home PhoneGroup: Shipment Address/InfoSample: 6035554444
Home phone portion of customer shipping address.Processors Supported: First Data Global Gateway, Litle & Co., PayPal PayflowPro, PayPal Express Checkout, Trident Payment Gateway.
SHIPLNAM: ShipAddress:Last NameGroup: Shipment Address/InfoSample: JonesRecipient’s last name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (SHIPNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.
246 cn!express®
SHIPMETH: Shipping MethodGroup: Shipment Address/InfoSample: NMethod by which purchase is shipped to customer.
Code Method
S Same Day
G Ground
E Electronic
N Next Day
T Two Day
W Three Day
C Lowest Cost
D Carrier Designated
I International
M Military
P Pick up
O Other
X Express
U Standard
Processors Supported: eBillMe, PayPal Payflow Pro.
field reference 247
SHIPMI: ShipAddress:Middle InitialGroup: Shipment Address/InfoSample: BRecipient’s middle initial (not a middle name). Do not use for compound lastnames (e.g., van Beethoven); put the entire last name in the SHIPLNAM field.Processors Supported: All processors.
SHIPNAME: Ship-To Full NameGroup: Shipment Address/InfoSample: Mary JonesRecipient’s full name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (BILLNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.
SHIPSALU: ShipAddress:SalutationGroup: Shipment Address/InfoSample: Ms.The shipping name salutation (e.g., "Mr.")Processors Supported: Local field/reserved for future use.
SHIPSTPR: ShipAddress:State/ProvGroup: Shipment Address/InfoSample: NHUS State or Canadian Province Code portion of shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.
SHIPSUFX: ShipAddress:ShuffixGroup: Shipment Address/InfoSample: Jr.The shipping name suffix (e.g., "Jr.")Processors Supported: Local field/reserved for future use.
248 cn!express®
SHIPWPHO: ShipAddress:Work PhoneGroup: Shipment Address/InfoSample: 6034444444
Work phone number of shipping address.Processors Supported: Trident Payment Gatewayonly.
SHIPZCPC: ShipAddress:ZIP/Postal CodeGroup: Shipment Address/InfoSample: 03458
A five-digit US ZIP Code, ten-character ZIP+4, seven-character Cana-dian Postal Code or UK Postal Code. (UK AVS is supported byChase Paymentech Orbital Gateway only). Valid field formats are:
Format Country
NNNNN US
NNNNN-NNNN US
ANAANA CAN
ANA ANA CAN
AN NAA UK
ANA NAA UK
ANN NAA UK
AAN NAA UK
AANN NAA UK
AANA NAA UK
Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, PayPal ExpressCheckout, Trident Payment Gateway.
field reference 249
SID: SubmitterIDGroup: OtherSample: 0123456
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
SKU: SKUGroup: Shipment Address/InfoSample: SKU NUMBERMerchant’s SKU number.Processors Supported: PayPal Payflow Proonly.
SOFT1: Soft Descriptor 1
Group: Merchant Info/Soft DescriptorsSample: ASI*TREVANCE GATEWAYGenerally, a description of the payment that appears on the customerstatement. This field is used in different ways for different processors.Appendix IV (Soft Descriptors) has detailed information on this field.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Trident Payment Gateway, Transfirst ePay.
SOFT2: Soft Descriptor 2
Group: Merchant Info/Soft DescriptorsSample: 800-123-1234
Generally, a description of the payment that appears on the customerstatement. This field is used in different ways for different processors.Appendix IV (Soft Descriptors) has detailed information on this field.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Trident Payment Gateway.
SOURCEIP: Source IP AddressGroup: ECommerce Customer InfoSample: 192.168.123.123
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
250 cn!express®
STATUS: StatusGroup: OtherSample: AUTHORIZEDTransaction Status.
• Authorized
• Closed
• Captured
• Entered
• Failed
• Refunded
• Voided
This field is generated by CN!Express®.Processors Supported: PayPal Express Checkoutonly.
STRTDATE: Start DateGroup: PayPalSample: 3/1/2010 14:22:31
For Query transactions, the first date to include in the search.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.
SUBDATE: Subscription DateGroup: PayPalSample: 3/1/2010
Returned by PayPal in response to a GetDetails transaction. The subscriptionstart date.Processors Supported: PayPal Express Checkoutonly.
SUBEFDT: Subscription Effective DateGroup: PayPalSample: 3/1/2010
Returned by PayPal in response to a GetDetails transaction. The subscription ef-fective date.Processors Supported: PayPal Express Checkoutonly.
field reference 251
SUBID: Subscriber IDGroup: PayPalSample: 123456
Returned by PayPal in response to a GetDetails transaction. The subscription ID.Processors Supported: PayPal Express Checkoutonly.
SUBMRCH: Submerchant NameGroup: Merchant Info/Soft DescriptorsSample: Auric SystemsA sub-merchant description. This is currently used for eBillMe only.Processors Supported: eBillMeonly.
SUBPASS: Subscriber PasswordGroup: PayPalSample: a8923ha89ha32
Returned by PayPal in response to a GetDetails transaction. The subscriptionpassword.Processors Supported: PayPal Express Checkoutonly.
SUBPRD: Subscription PeriodGroup: PayPalSample: 2 YearsReturned by PayPal in response to a GetDetails transaction. The subscription pe-riod.Processors Supported: PayPal Express Checkoutonly.
SUBRECR: Subscription Rate RecurringGroup: PayPalSample: 1
Returned by PayPal in response to a GetDetails transaction. 1 if regular rate re-curs.Processors Supported: PayPal Express Checkoutonly.
252 cn!express®
SUBRETR: Subscription RetryGroup: PayPalSample: 1
Returned by PayPal in response to a GetDetails transaction.Indicates whether re-attempts occur on payment failures.Processors Supported: PayPal Express Checkoutonly.
SUBRTDT: Subscription Retry DateGroup: PayPalSample: 3/1/2010
Returned by PayPal in response to a GetDetails transaction. Date of retry onfailed payment attempt.Processors Supported: PayPal Express Checkoutonly.
SUBTOTAL: Subtotal AmountGroup: eBillMeSample: 10.00
The subtotal of items in the order.Processors Supported: eBillMe, First Data Global Gateway.
SUBUSER: Subscriber User NameGroup: PayPalSample: JDoe25
Returned by PayPal in response to a GetDetails transaction. The subscriptionuser.Processors Supported: PayPal Express Checkoutonly.
SURCHAMT: Surcharge AmountGroup: Debit CardsSample: 1.00
Returned by Debit Authorization Transaction. Amount ofsurcharge charged for this transaction. 0.00 if no surcharge.Processors Supported: Local field/reserved for future use.
field reference 253
SWCHDATE: Switch/Solo Card Start DateGroup: Switch/MaestroSample: 0105
The date the card becomes active. Format: MMYY The Switch/Solo CardStart Date field should be submitted only when the card does not havean Issue Number. If the card displays only a Start Date and no IssueNumber, the Switch/Solo Card Start Date field should contain a valueand the Switch/Solo Card Issue Number field must be blank. If the carddisplays both a Start Date and an Issue Number, the Card Start Dateshould be left blank and the Card Issue Number field must be populated.Processors Supported: Chase Paymentech Orbital Gatewayonly.
SWCHISSU: Switch/Solo Card Issue NumberGroup: Switch/MaestroSample: 01
An increment counter of either 1 or 2 characters defined by the issuing bank.If a card is lost, the bank issues a replacement card with the issue number beingincreased by one. The Switch/Solo Card Issue Number must be submitted evenwhen a Switch/Solo Card Start Date exists. Example:
• If the card displays "01", submit "01", NOT "1".
• If the card displays "1", submit "1", not "01".
In addition, the Switch/Solo Card Issue Number must be submitted exactly asshown on the card.Processors Supported: Chase Paymentech Orbital Gatewayonly.
TAA1: AMEX Trans Advice 1
Group: PC Level 2
Sample: Advice1
American Express Transaction Advice Addendum #1. This record providesadditional purchase information for American Express transactions. It is alsoused for Purchase Card transactions to provide specific details about the trans-action to the cardholder for tracking purposes. Information entered in this fieldshould be as specific as possible. MERCHANDISE, for example, is unacceptable.APPLE MACINTOSH is acceptable. The text must be in uppercase. Transac-tion Advice Addendum (TAA) fields must be presented in sequence for themto be transmitted. If two TAA fields are to be transmitted, they must be TAA#1
and TAA#2. If TAA#1 and TAA#3 are presented, only TAA#1 is transmitted.Processors Supported: Chase Paymentech Orbital Gatewayonly.
254 cn!express®
TAA2: AMEX Trans Advice 2
Group: PC Level 2
Sample: Advice2
American Express Transaction Advice Addendum #2.Processors Supported: Chase Paymentech Orbital Gatewayonly.
TAA3: AMEX Trans Advice 3
Group: PC Level 2
Sample: Advice3
American Express Transaction Advice Addendum #3
Processors Supported: Chase Paymentech Orbital Gatewayonly.
TAA4: AMEX Trans Advice 4
Group: PC Level 2
Sample: Advice4
American Express Transaction Advice Addendum #4
Processors Supported: Chase Paymentech Orbital Gatewayonly.
TANDC: T and C VersionGroup: Bill Me LaterSample: 02102
Used for Bill Me Later transactions. Version number ofthe Terms and Conditions to which the customer agreed.Processors Supported: Litle & Co., Trident Payment Gateway.
TAX: TaxGroup: PC Level 2
Sample: 1.00
This value is required for purchase card level 2 and purchase card level 3 trans-actions.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,PayPal Express Checkout, Trident Payment Gateway, Transfirst ePay.
field reference 255
TAXEXMPT: Tax ExemptGroup: PC Level 2
Sample: 0
This value is required for purchase card level 2 and purchasecard level 3 transactions. ’Y’ if transaction is tax exempt, ’N’if not. If not supplied but TAX is supplied, ’N’ is assumed.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, Transfirst ePay.
TENDSUBT: Tender Sub-TypeGroup: OtherSample: PREPAID:GIFTTender sub-type. For information only, returned on response. Some valuesare listed in the following table, but there may be additional types as well.
Example Values
UNKNOWN
CREDIT
DEBIT
FSA
PREPAID:GENERAL_PREPAID
PREPAID:GIFT
PREPAID:PAYROLL
Processors Supported: Litle & Co.only.
256 cn!express®
TENDTYPE: Tender TypeGroup: Common Request FieldsSample: CCN!Express® always assumes the incoming transaction is a credit card trans-action. It can then automatically distinguish check, PIN-based Debit, and BillMe Later transactions based on the imported information. CN!Express® cannotdistinguish between a credit card, a purchase card, and PIN-less debit transac-tion. If you are processing purchase cards or PIN-less debit transactions, youmust import the Tender Type. The following table lists the acceptable TenderTypes and also shows the data CN!Express® uses for automatic identification.
Code Description Distinguishing Feature
C Credit Card
K Check Routing Number
B Bill Me Later T and C Version
D PIN Debit PIN
L PINless Debit
P Purchase Card
Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.
TOKEN: Processor TokenGroup: IdentifiersSample: ABCDEFG01234567890-1234567890
An identifier, generated by the payment processor, that represents a cus-tomer’s account number. The token can be used in place of the accountnumber for future transactions with this payment processor. This allowsthe merchant to discard the sensitive account number (which would other-wise need to be encrypted and securely stored) and retain only the token.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, TridentPayment Gateway.
field reference 257
TOPCAPB: Terminal Output CapabilityGroup: Additional Credit CardSample: 0
Indicates whether the terminal is capable of printing or dis-play. American Express only. This is additional informationthat you can specify to describe the transaction environment.
Code Description
0 Unknown
1 None
2 Printing
3 Display
4 Print and Display
Processors Supported: Local field/reserved for future use.
TOTPMTS: Total PaymentsGroup: Recurring/InstallmentSample: 4
The total number of payments in an installment order.Processors Supported: Cardinal Centinel, PayPal Express Checkout, TransfirstePay.
TRACK1: Track 1
Group: RetailSample: TRACK1DATACard Swipe data from Track 1. Card present retail transactions should pro-vide either Track 1 or Track 2 data, but not both. If a transaction does containboth Track 1 and Track 2 data, CN!Express® defaults to using the Track 1 data.Processors Supported: First Data Global Gateway, Litle & Co., Trident PaymentGateway.
258 cn!express®
TRACK2: Track 2
Group: RetailSample: TRACK2DATACard Swipe data from Track 2. Card present retail transactions should pro-vide either Track 1 or Track 2 data, but not both. If a transaction does containboth Track 1 and Track 2 data, CN!Express® defaults to using the Track 1 data.Processors Supported: First Data Global Gateway, Litle & Co., Trident PaymentGateway.
TRANSID: Transaction IdentifierGroup: Credit Card Authorization SpecificsSample: 2390239023A9JReturned by Transfirst with the authorization. May be tracked and op-tionally returned with the deposit transaction. An identifier, assignedby Visa or Mastercard, used to uniquely identify and link all relatedmessages and records used to authorize and settle the transactions.Processors Supported: Tsys PayFuse, Transfirst ePay.
UNALLOC: Unallocated PaymentGroup: eBillMeSample: 0
A boolean value that describes whether a payment is allocated or un-allocated (1 means unallocated). Currently used by eBillMe only.Processors Supported: eBillMeonly.
UTID: Unique Transaction IDGroup: IdentifiersSample: 0123456789abcdefghijklmnopqrstuvwxyz_ABC-DEFGHIJCN!Express® can be configured to generate and store UTIDs for eachsuccessful authorization. CN!Express® can later use the UTID to lookup the customer account number for a transaction. The merchant canstore the UTID instead of the account number and send the UTID toCN!Express® for later deposit (and refunds, if required). Using UTIDsrelieves the merchant of the requirement to store credit card accountnumbers to use in follow-up transactions over the life of an order.Processors Supported: Local field/reserved for future use.
field reference 259
VALCODE: Validation CodeGroup: Credit Card Authorization SpecificsSample: 1234
Returned by Transfirst with the authorization. May be tracked andoptionally returned with the deposit transaction. Value is assignedby the Visa authorization system. Used by Visa to determine the ac-curacy of the authorization data contained in the settlement record.Processors Supported: Transfirst ePayonly.
VATAMT: VAT AmountGroup: PC Level 3/Detail RecordsSample: 1.00
Amount of total transaction that represents European VAT tax.Processors Supported: First Data Global Gateway, Chase Paymentech OrbitalGateway.
VATRATE: VAT RateGroup: PC Level 3/Detail RecordsSample: .01
Local field/ reserved for future use Rate at which VAT was calculated for thistransaction.Processors Supported: Chase Paymentech Orbital Gatewayonly.
VICAVV: Visa Authentication CAVVGroup: VbV/Secure CodeSample: CAVVValue returned by Verified by Visa service prior to authorization. Includewith Authorization for Verified by Visa transactions. A cryptographicvalue that links the Issuer’s authentication or attempted authenticationresponse with a subsequent authorization message for that purchase.Processors Supported: First Data Global Gateway, Litle & Co., Moneris So-lutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident PaymentGateway, Transfirst ePay.
260 cn!express®
VICAVVRS: Visa Authentication CAVV ResponseGroup: VbV/Secure CodeSample: 2
Result code returned during Authorization of a Verified by Visa trans-action. See Appendix IV (Verified by Visa CAVV Response) for details.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Transfirst ePay.
VIXID: Visa Authentication XIDGroup: VbV/Secure CodeSample: XIDValue returned by Verified by Visa service prior to authorization. Includewith Authorization for Verified by Visa transactions. A unique trackingnumber set by the Merchant and sent to the Issuer Authentication Server.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway, TransfirstePay.
WEBPASS: Web PasswordGroup: OtherSample: webpass01
Used for transactions presented via the Web interface. This value isused by CN!Express® only, it is not sent to the payment processor.Processors Supported: All processors.
WEBUSER: Web UserGroup: OtherSample: webuserUsed for transactions presented via the Web interface. This value isused by CN!Express® only, it is not sent to the payment processor.Processors Supported: All processors.
field reference 261
XCLASS: ClassGroup: Common Request FieldsSample: ETransaction Class. Not all transaction classes are supported by all proces-sors. In particular, "ER" is supported by Transfirst ePay and First Data GlobalGateway only. For all other processors, use "R" for all recurring transactions.
Class Description
E, E-Commerce Ecommerce
ER Recurring (Ecommerce)
I, Installment Installment
M, MOTO Mail Order/ Phone Order: MOTO
R, Recurring Recurring
P Retail (POS)
T Telephone Order
Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, TridentPayment Gateway, Transfirst ePay.
XSEQ: Transaction SequenceGroup: OtherSample: 1
This field is provided for compatibility with the Trevance®
transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.
Currency Codes
Table 13: Currency Codes
Description Currency Code
Australian Dollars AUD 36
Brazilian Real BRL 986
British Pounds GBP 826
Canadian Dollars CAD 124
Czech Koruna CZK 203
Danish Krona DKK 208
Hong Kong Dollars HKD 344
Hungarian HUF 348
Indian Rupee INR 356
Indonesian IDR 360
Japanese, Yen JPY 392
Norwegian Krone NOK 578
Philipine Peso PHP 608
Continued on next page
264 cn!express®
Table 13 – Continued from previous page
Description Currency Code
Polish New PLN 985
Russian Rouble RUB 643
South African Rand ZAR 710
South Korean KRW 410
Swedish Krona SEK 752
Swiss Franc CHF 756
Thailand BAHT 764
United States USD 764
currency codes 265
Index
CN!Express®
ASI Response Code, 43
LastActionSucceeded, 43
Instant Tokenization™, 43
response codes, 43
PaymentVault™, 45
delayed delete, 45
action codetokenization, 44
audit trails, 113
CID, 103
cid, 139
cvv, 139
CVV2, 103
cvv2, 139
date of birth, 139
delete files, 103
driver’s license, 139
encrypt, 103, 107
encryption, 139
export, 103
https, 139
import, 103
key management, 107
logs, 103, 113
magnetic stripe, 103
mail server, 113
multi-pass overwrite, 103
Network Time Protocol, 113
Open Web Application SecurityProject, OWASP, 115
passwords, 111
remote access, 125
s-ftp, 139
secure applications, 115
secure file deletion, 103
security alerts, 119
SMTP, 113
social security number, 139
tokenization, 43, 47
migration, 46
UTID, 43
users, 111
vpn, 139
web application, 115
web interface, 115
wireless, 117