CN!Express® User Guide - Auric Systems InternationalExpressUserGuide.pdf · 2019. 2. 14. · III...

The CN!Express® application is sunset.Please see inside for options.

CN!Express®

User Guide

Auric Systems International

Copyright © 2016 Auric Systems International. All rights reserved.

www.auricsystems.com

tokenize what matters®

3

The CN!Express® payment application is Sunset.This is the last formal release of the CN!Express® payment processing application.Information regarding the sunset and migration options are available at:

https://www.auricsystems.com/payment-apps/#cnx

https://www.auricsystems.com/payment-apps/#cnx

Contents

Welcome to CN!Express®11

I Installation and Configuration 15

Installing CN!Express® on Windows®17

Installing CN!Express® on Linux®21

Configuring CN!Express®25

Encrypted/Secure HTTPS 35

Remote Firebird® Database 37

Tokenization 43

Uninstalling CN!Express®49

Auric Key Management Proxy 51

II Payment Processors 53

6

Working with your Payment Processor 55

Cardinal Commerce 57

Chase Paymentech 59

eBillme 65

First Data Global Gateway 75

TSYS Merchant Solutions–PayFuse 77

Vantiv®(formerly Litle & Co.) 79

Cielo Payments Inc. (Formerly Merchante-Solutions) 85

PayPal 89

Paypal PayFlow Pro 91

TenderCard 93

TransFirst 97

III PA DSS Secure Implementation Guide 99

Overview of PCI-Compliance Practices 101

Magnetic Stripe and CVV2 Data 103

7

Protect Stored Cardholder Data 107

Secure Authentication Features 111

Log Payment Application Activity 113

Develop Secure Payment Applications 115

Protect Wireless Transmissions 117

Test Payment Applications to Address Vulnerabilities 119

Facilitate Secure Network Implementation 121

Cardholder Data Must Never Be Stored on a Server Connected To the Internet123

Secure Remote Access and Updates 125

Facilitate Secure Remote Software Updates 127

Encrypt Sensitive Traffic 129

Encrypt all Non-Console Administrative Access 131

Maintain Instructional Documentation and Training Programs 133

Secure File Deletion 135

8

Key Management 137

Internal Encryption 139

Encrypting Import/Export Files 141

IV Appendices 145

Action Codes 147

ASI Response Codes 151

Soft Descriptors 153

Processor-Specific Attributes 157

Verified by Visa CAVV Response 161

ICV-Style Files 165

Repair Firebird® Database 169

Secure Deletion: sdel 171

Field Reference 173

Currency Codes 263

Index 267

List of Tables

1 CN!Express® Instant Tokenization™ actions. 44

2 ASI Response Codes for Instant Tokenization™44

3 eBillMe Transactions 67

4 eBillme response batch fields 71

5 eBillMe ‘Q’ batch file responses 72

6 Pre-paid card filtering rules 81

7 Automatic Account Updater Fields 83

8 CN!Express® action codes. 147

9 CN!Express® response codes. 151

10 Verified by Visa CAVV Response Codes 163

11 ICV-style action codes 166

12 CN!Express® field reference. 173

13 Currency Codes 263

Welcome to CN!Express®

Thank you for selecting the CN!Express® payment processing appli-cation. CN!Express® provides a consistent and speedy connectionto your payment processing service and easily manages all of yourtransactions. Once CN!Express® is configured, you rarely need tomanually interact with it.

Payment processing is not just credit cards any more. CN!Express®

supports a wide range of payment options, including a direct connec-tion to PayPal Express Checkout services.

CN!Express® offers the following features (depending on the capa-bilities of your processing service):

• From two (CX-7002) to one hundred (CX-7100) simultaneous con-nections to your payment processor(s).

• Simultaneous support for multiple processors, without you need-ing to sort/batch your transactions individually.

• Legacy file and modern HTTP/S interfaces.

• Direct connections to payment processor gateways.

• Support for many methods of payment including:

– Credit cards

– Purchase card level 2

– Electronic checks

– PayPal

• Federally-approved 256-bit AES encryption for sensitive data.

• Follows Visa’s Payment Application Best Practices for PCI compli-ance.

Supported Processing Services

CN!Express® supports the following payment processing services:

12 cn!express®

• Chase Paymentech Solutions/Orbital Gateway/Salem

• First Data/Global Gateway

• Merchant e-Solutions/Transcom

• Transfirst/eLink

• PayPal Express Checkout

Simultaneous Connections

CN!Express® supports multiple simultaneous connections to pay-ment processors. This allows CN!Express® to process transactionsin parallel with each other. Depending on the model, CN!Express®

supports from two (2) to ten (10) simultaneous connections. If youare using a single processor, all ten connections can be with that pro-cessor. If you are using two or three processors (perhaps a credit cardprocessor and PayPal), then CN!Express® automatically decides howmany connections to maintain for each processor–up to the maxi-mum supported by the specific model.

The CN!Express® model number indicates how many simultane-ous connections are available:

Model Number # Simultaneous ConnectionsCX-7002 2

CX-7005 5

CX-7010 10

CX-7100 100

Estimated Speed

CN!Express® adds extremely little overhead to the transaction. Thespeed of your payment processor is effectively the speed at whichCN!Express® runs. In demo mode, CN!Express® returns transactionsin three (3) seconds. This is a typical response time from a processor(and frequently you will see times better than that). Assuming threesecond response times, here is how long it takes different models ofCN!Express® to process 1,000 transactions:

Model Number # minutes for 1,000 transactions (est.)CX-7002 30

CX-7005 10

CX-7010 5

CX-7100 0.5

welcome to cn!express®

13

PCI Compliance

Auric Systems International is a validated Level 1 PCI Service Provider.CN!Express® is validated against the PCI PA-DSS 3.0 standard.

Passwords

CN!Express® uses passwords at several different levels:

• Access to the underlying operating system.

• Encrypting sensitive data.

• Submitting transactions through the Web.

• Monitoring.

Your in-house PCI policy in regards to password and key manage-ment must be applied to these passwords.

Access to the Underlying Operating System

All CN!Express® configuration is performed locally. There is no re-mote access for configuration and control. There are no configurationpasswords to manage.

Encrypting Sensitive Data

A CN!Express® installation supports a two-user server pass phrase toencrypt sensitive data (such as credit card account numbers). Refer tothe Configuring CN!Express® chapter for details on entering the passphrases.

Submitting Transactions through the Web

CN!Express® requires all web-based transactions to include a userID and password. These accounts cannot retrieve any informationfrom CN!Express® beyond the information returned for the currenttransaction The CN!Express® listens only on the localhost (127.0.0.1)for incoming web transactions. A secure front-end proxy, such asstunnel, IIS, or nginx, must be run as a front-end to the CN!Express®

application.

14 cn!express®

Monitoring CN!Express®

CN!Express® provides a web monitoring interface for which separateuser IDs are required. No account information can be retrieved fromCN!Express® through this interface.

Contacting Auric Systems International

To contact Auric Systems International:Phone 603-924-6079

E-mail/support [email protected]

E-mail/sales [email protected]

Web Site https://www.AuricSystems.com

Please have your serial number handy when you call. Whenyou purchased CN!Express® the serial number and activation keywere e-mailed to you. After you install the test or production (live)CN!Express® you can find your serial number and activation key onthe Run Mode Tab of the CN!Express® Configuration Manager.

[email protected]

[email protected]

https://www.AuricSystems.com

Part I

Installation andConfiguration

Installing CN!Express® on Windows®

CN!Express® installs in the demo (demonstration) mode. Demomode allows you to work with, and become familiar with, CN!Express®

functionality without actually sending transactions to your processor.It is also a convenient way to integrate CN!Express® into your exist-ing systems. Auric Systems International strongly recommends youkeep CN!Express® in demo mode while you configure and learn itsoperation.

Supported Windows® Versions

CN!Express® supports the following Windows® platforms:

• Windows® Windows Server 2008 R2

• Windows® Windows Server 2012

• Windows® Windows Server 2012 R2

• Windows® Windows Server 2016

System Requirements

CN!Express® runs on fairly minimal systems. Any typical 2 GHzprocessor is suitable—even single core. Auric Systems Internationalrecommends you install CN!Express® on your target platform indemo mode and test at what you expect load requirements to be.

Memory Requirements

Having 256 MBytes of RAM available above and beyond your operat-ing system’s install is suitable long-term for CN!Express® running athighest speeds.

Disk Requirements

CN!Express® can generate a large number of logs and backup files.In addition, if you are using batch import/export, you’ll need addi-

18 cn!express®

tional space to manage those files. For initial installation, you’ll needapproximately 100 Mbytes of hard disk space. Auric Systems Interna-tional recommends planning for a minimum of 30 GBytes of free diskspace to ensure a long-lived and trouble-free operation.

It is important to check your file system on a regular basis. Back-ups and logs can start to consume a significant amount of disk space.

Installation Options

CN!Express® installs:

• on a local hard drive, not a network mount.

• as both an application and a Windows® service (the Windows®

service is not active until you manually activate it)

• in the demonstration (demo) mode (not in the test or productionmode)

• as a CX-7002 with two simultaneous processor connections

While you are configuring CN!Express® Auric Systems Interna-tional strongly recommends that you:

• Run CN!Express® as an application (not a service).

• Configure using the demo mode.

• Send your first transaction(s) to your processing service using thetest mode.

Demo mode is ideal for trying out configuration options andCN!Express® operations without using real transactions. Test modeis ideal for testing your configuration with your processing service.Production mode is strictly for processing real transactions.

After you’ve configured and tested CN!Express® you can switchto the production mode and you can run CN!Express® as a service,confident that CN!Express® will work smoothly.

Installation Procedure

CN!Express® is available for download from the Auric Systems Inter-national web page: https://www.auricsystems.com/payment-apps/.The Setup program prompts you for a location in which to installthe executables and a location in which to install the data directories.Both program and data directories need to be on a local hard drive,not a network drive.

• Download the CN!Express® Setup program from the web site.

https://www.auricsystems.com/payment-apps/

installing cn!express®

on windows®

19

• Compare the MD5 signature of the downloaded file to the MD5

signature on the web site to confirm you download an uncor-rupted version.

• Run the CN!Express® Setup application and follow the installationscreens. Auric Systems International recommends you select thedefault installation application and data locations.

• CN!Express® is now installed.

Configuration

Now that CN!Express® is installed, your next step is ConfiguringCN!Express®.

Installing CN!Express® on Linux®

The Linux® version of CN!Express® is available as a bespoke deploy-ment. Please contact Auric Systems International for details.

CN!Express® installs in the demo (demonstration) mode. Demomode allows you to work with, and become familiar with, CN!Express®

functionality without actually sending transactions to your processor.It is also a convenient way to integrate CN!Express® into your exist-ing systems. Auric Systems International strongly recommends youkeep CN!Express® in demo mode while you configure and learn itsoperation.

In order to configure CN!Express® you must have the AKMP™ keymanagement daemon installed. The AKMP™ service provides the en-cryption key management necessary to support test and productionmode data. Please refer to the AKMP™ manual for details.

Supported Linux® Versions

• Red Hat Enterprise Linux® Versions 6.8 and 7.x.

• CentOS Versions 6.8 through 7.x.

• Call regarding support for other Linux® flavors.

System Requirements

CN!Express® runs on fairly minimal systems. Any typical 2 GHzprocessor is suitable—even single core. Auric Systems Internationalrecommends you install CN!Express® on your target platform indemo mode and test at what you expect load requirements to be.

Memory Requirements

Having 256 MBytes of RAM available above and beyond your operat-ing system’s install is suitable long-term for CN!Express® running athighest speeds.

22 cn!express®

Disk Requirements

CN!Express® can generate a large number of logs and backup files.In addition, if you are using batch import/export, you’ll need addi-tional space to manage those files. For initial installation, you’ll needapproximately 100 Mbytes of hard disk space. Auric Systems Interna-tional recommends planning for a minimum of 30 GBytes of free diskspace to ensure a long-lived and trouble-free operation.

It is important to check your file system on a regular basis. Back-ups and logs can start to consume a significant amount of disk space.

Installation

CN!Express® installs:

• on a local hard drive, not a network mount.

• as both an application and a service (the service is not active untilyou manually activate it)

• in the demonstration (demo) mode (not in the test or productionmode)

While you are configuring CN!Express® Auric Systems Interna-tional strongly recommends that you:

• Configure using the demo mode

• Send your first transaction(s) to your processing service using thetest mode.

Demo mode is ideal for trying out configuration options andCN!Express® operations without using real transactions. Test modeis ideal for testing your configuration with your processing service.Production mode is strictly for processing real transactions.

After you’ve configured and tested CN!Express®, you can switchto the production mode and you can run CN!Express® as a service,confident that CN!Express® will work smoothly.

Auric Systems International provides a custom download site forthe Linux® CN!Express® installation. CN!Express® expects to runas the cnxap user – which must be configured before running theinstallation script.

• download the cnx_installer...tgz file

• compare the checksum of the downloaded file to the checksumprovided by Auric Systems International to ensure the file has notbeen tampered.

installing cn!express®

on linux®

23

• create the cnxap user.

• run ./install.py

• CN!Express® installs in the /opt/cnxap directory

Installation Options

CN!Express® for Linux® must be run behind a proxy web serversuch as nginx or Apache. CN!Express® itself only listens on localhost(127.0.0.1). HTTPS security of front-end communications is managedby the proxy. The URL to proxy is:

/asi01

Starting and Stopping CN!Express®

To run as an application:

$ sudo -u cnxap /opt/bin/cnxap

To run as a service on RHEL 6:

$ sudo /sbin/service cnxapd start|stop|restart|status

To run as a service on RHEL 7:

$ sudo systemctl start|stop|restart|status cnxapd

Configuring CN!Express® for Linux®

The CN!Express® application for Linux® configuration is completedusing the CN!Express® Configuration Utility for Windows®.

In order to run the Configuration Utility on Windows®, youmust transfer your AKMP™ secure_data configuration from yourLinux® installation to your Windows® installation. Please refer to theAKMP™ manual for details.

Once AKMP™ is installed, you can follow the Windows® configu-ration instructions in the Configuring CN!Express® chapter, with thefollowing exceptions:

1. Any file paths must be manually entered and use the Linux® pathseparator (’/’).

2. On the Advanced Tab, you have the option of sending all CN!Express®

logs to syslog or maintaining separate logs. If you elect to keepCN!Express® logs separate, they are automatically rotated daily.

Configuring CN!Express®

This chapter walks through a typical CN!Express® configuration.Please refer to the PA DSS Secure Implementation Guide section forsecurity-specific information. You must be logged into the machinewhere CN!Express® is installed in order to configure it.

The CN!Express® Configuration Utility (cnxcfg.exe) groups theCN!Express® settings into major tabs:

• General

• Divisions

• Web Formats

• Files

• File Formats

• Security

• Run Mode

• Advanced

• About

The majority of CN!Express® settings can be modified whileCN!Express® is running. The CN!Express® program checks the con-figuration file every few seconds to see if it has been modified. If theconfiguration is changed, CN!Express® reloads the new configurationinformation.

Starting in Demo Mode

When configuring CN!Express® for the first time, it’s best to work inthe demo mode and run CN!Express® as an application. CN!Express®

automatically installs in the demo mode and as an application (it alsoinstalls as a Windows® service, but the service is not active). Af-ter you complete the configuration, you can test it without sending

26 cn!express®

transactions to your processing service. When you’re satisfied withthe configuration, you can switch from demo to test mode and thento production mode. You can also switch to running CN!Express® asa service. CN!Express® automatically remembers the configurationyou set up when it was in demo mode and running as an application.CN!Express® uses that same configuration when you switch modesand/or run it as a service.

When you first start the CN!Express® Configuration Utility youwill see a the dialog in noting that certain fields, which require en-cryption to be stored, will be disabled in demo mode. These fieldsare not required in demo mode. Just click the OK button to continueworking in Demo mode.

General Tab

Names

Every CN!Express® installation requires a Short Server Name anda Server Number. These two settings need only be changed if youare using multiple copies of CN!Express® within your organization.If you are using more than one copy of CN!Express® each of thesefields must be unique to the installation.

Web Service

By default the web service for accepting incoming transactions isdisabled. This ensures you do not suddenly have an unexpected webservice running on your system.

CN!Express® supports both HTTP and HTTPS connections. Thereare advantages and disadvantages to both of them. Please refer to theEncrypted/Secure HTTPS chapter on HTTP vs. HTTPS configura-tion.

CN!Express® comes with a set of self-signed certificates for HTTPScommunications. When you select HTTP or HTTPS, you must con-figure the Port on which CN!Express® accepts transactions (default is8100) and the IP address on which it will listen for web transactions.

The default listening address (127.0.0.1) is also known as local-host. With this setting, CN!Express® accepts only transactions fromthe local machine. If you have more than one network card on yourcomputer, CN!Express® lets you select which one it uses, or you canaccept from All Host Interfaces. Auric Systems International recom-mends you leave CN!Express® configured for localhost (127.0.0.1)and use a proxy server such as stunnel, IIS, or nginx to isolate theCN!Express® application from the external interfaces. This approachhas the advantage of allowing you to update your security protocols

configuring cn!express®

27

without having to upgrade CN!Express® and avoiding the testingtime such upgrades require.

Transaction Files

By default, CN!Express® is configured with a traditional interfaceto accept transactions through text files. You may disable this in-terface if you are going to send all your transactions through theCN!Express® Web interface. Otherwise, leave it enabled.

Fields

CN!Express® allows you to set the XCLASS value globally for allprocessors. Prior to CN!Express® version 4.0.11, all transactions de-faulted to E-commerce. Now, they can be set globally or per division.

Web Console

CN!Express® supports a web-based remote monitoring console. Thisconsole must be disabled in production.

Proxy Configuration

CN!Express® provides the ability to configure a proxy for all outgo-ing HTTPS connections. CN!Express® supports tunneling proxies.In a tunneling proxy, the defined connection between CN!Express®

and the proxy is via the HTTP port. The actual HTTPS connection istunneled through the HTTP port so there is a secure connection withthe target server (the payment processor).

In the Proxy settings, set the IP address of your proxy host andthe Port it will be using. If your proxy requires authentication, en-ter a user ID and password. Now all communications betweenCN!Express® and the payment processor go through your proxyserver.

Divisions Tab

The Divisions tab manages all your processor-specific information.All settings required for communicating with your processor aremanaged here. To start, click the Add. . . button. The dialog shown inFigure I.

Enter a name for this division, select a Payment Processor, andclick OK. CN!Express® presents you with a processor-specific setof fields that need to be completed in order to configure this new

28 cn!express®

Division for communication with your processor. See the processor-specific chapters at the end of this book for details on how to config-ure Divisions for each processor.

Divisions, Divisions, Divisions

The term ’divisions’ is an over-loaded term since some paymentprocessors also use this term to describe information used to com-municate with them. In CN!Express® the Division you created in theprevious step is a name you use to describe the connection. If youwant, you can name it the same as your payment processors divi-sion, or merchant id, or merchant number. Or, you can provide a nicegeneric name like Web Transactions or Accounting System or Cana-dian Recurring Billing. Or, you can have nice cryptic Division nameslike Q03-579. It does not matter, because this information is neversent to the payment processor. Think of it as a label or a tag you useto identify the information you want sent to the processor.

Multiple Divisions, Multiple Processors

Each time you create a new Division, you also select a processor forthat Division. This lets you define multiple settings for any specificprocessor as well as multiple simultaneous processors.Some proces-sors recommend you have a different division for each currency youprocess (USD, Euro, Yen, etc.)

Web Formats Tab

Web transactions are sent via a simple HTTP(S) POST. CN!Express®

supports transactions via its web interface in a variety of formats.The default is to send transaction data in key/value pairs and receiveresponses in a pip-delimited text format. This overview screen showsa sample request and response. To modify the request or responseformats, click the appropriate Edit Format. . . button.

Web Request Format

Web transactions are sent to CN!Express® via a POST. By default,this information is sent in name/value pair format. Choose whichRequest Type you want to support by clicking on the various radiobuttons at the top of this screen. As you select different formats, youare presented with options for configuring how CN!Express® ex-pects to see the web request. For name/value pair, you do not needto pre-define which fields you are going to send to CN!Express®.


29

CN!Express® accepts any fields you send over. When using delim-ited format, the fields are in a specific order and you must defineeach and every field and the field order. Auric Systems Internationalrecommends using name/value pairs when sending requests. Thisformat is familiar to web programmers.

Web Response Format

Web responses can be in a variety of formats CN!Express®, by de-fault, returns a pipe-delimited format. An example is shown at thebottom of the dialog in Figure! I. To change which fields are re-turned, select them in the left-hand box and then click the arrowbutton button to move them to the response box. The up/down ar-rows on the right of the screen change the order in which the fieldsare arranged. By default, CN!Express® displays a small subset of allthe fields available. To see (and select) all the fields available, clickthe Fields to Include. . . button.

Available Fields

By default, CN!Express® displays a small fraction of the fields avail-able to process all transactions types with all processors. This dialogbox allows you to select which fields to display based on methods ofpayment or other common requirements (such as customer informa-tion or Payment Card Level II data).

Files Tab

This dialog determines where CN!Express® finds various files.

Transaction File Locations

• Import: CN!Express® imports transactions from here.

• Export: CN!Express® exports results to here.

• Decline: If you select to separate approvals from declines in yourexport format, the approvals go to Export and the declines go here.

• Backup: Where nightly database backups are placed. Backups arebest stored on a separate hard drive from where CN!Express® isinstalled.

• Recovery Log: Where copies of vital transaction status is stored.This directory is best stored on a separate hard drive from whereCN!Express® is installed.

30 cn!express®

File Extensions

CN!Express® uses certain file extensions for specific uses, such asimport or export files. You can change these default extensions tomeet any custom need you have in your environment.

Encryption

CN!Express® supports encrypted file import and export. See theEncrypting Import/Export Files chapter for details.

The Files Format Tab is much like the Web Request/ResponseTab. This screen allows you to customize the file import and exportconfiguration. In addition to configuration, CN!Express® also allowsyou to determine what actions to take after importing a file. It canbe as simple as changing the extension to.DNE indicating the file hasbeen imported, or you can delete the imported file.

Auric Systems International recommends the one-pass overwriteand delete. This overwrites the original file data and then deletes thefile, making it very difficult to retrieve any sensitive cardholder data.This screen also lets you decide if you want to export your resultsinto two separate files: approvals and declines.

Import File Format

The file import format screen allows you to customize the fields to beimported into CN!Express®. Click on the Model File. . . button andselect the cards.txt file distributed with CN!Express® as a sample.These configurations provide flexibility that allows CN!Express® toconform to your existing file formats.

Sample Import File

After you select a sample file, the right-hand list box shows boththe field names and a line of data from the sample file. The fieldsare shown in import order. You can use the arrow keys at the topof the list box to walk through the sample file and see what data isimported into specific fields.

Export File Format

The Export Format screen is similar to the Import File Format screen.You select which fields you want to see in the export file and declarethe order in which they will appear.


31

Security Tab

Configure the Key Manager

CN!Express® supports external key management services. The vari-ous key management services are supported via the AKMP™ (AuricKey Management Proxy) application. The AKMP™ applications al-lows new key management services to be added without needing toupdate the basic CN!Express® application. AKMP™ is installed onyour system and is part of the basic CN!Express® installation.

The AKMP™ is not required to be configured for Demo mode.In demo mode, CN!Express® uses a hard-coded demo encryptionkey since you are only using demo account numbers. When you areready to move to test (and production), you’ll need to set up com-munications with the AKMP. Refer to the Auric Key ManagementProxy chapter and then return here to set the communications portand check the box indicating AKMP™ is configured and ready to run.

Allowed Hosts

Allowed Hosts define which computers can interact with the WebService and Web Console. By default, these are both set to allow only127.0.0.1 (the local machine or localhost) to interact with CN!Express®Typein the addresses you want to have access to the CN!Express® WebService. Both fields also support the ability to define a range of ad-dresses. Click the Add Range. . . button and enter the starting andending IP address allowed access to the Web Service or Web Console.

Web Users

This setting defines the users allowed to connect to CN!Express®.Click the Add. . . button. Define a user ID and password for eachuser. Additionally, you can declare a name for each user. Each indi-vidual user may either send transactions (Web Service) or interactwith the console (Web Console). A single user account cannot doboth.

Run Mode Tab

CN!Express® runs in one of two general modes:

• Demo

• Online

In Demo mode, processor connections are simulated. CN!Express®

simulates a response time of approximately 3 seconds per transac-

32 cn!express®

tion. All transaction amounts ending in even penny amounts areapproved. All transaction amounts ending in odd penny amounts aredeclined with a random decline reason. In Online mode, transactionsare sent to the processor. As you define each Division (processor con-nection) you can place individual Divisions in Test or Live mode. InTest mode, transactions are sent to the processor’s test addresses.

Note that the ability to set the test/live flag on a Division is hid-den in demo mode.

Advanced Tab

The Advanced tab contains settings for CN!Express® special features:

• How many days to cache tokenization (UTID) data locally beforediscarding.

• Whether to prioritize sending UTIDs to the Remote PaymentVault™

immediately, or only every minute.

• The PaymentVault™ URL.

• Logging settings.

• Email configuration.

• When to run maintenance processes.

The PaymentVault™ Tokenization Storage Service

This section contains settings for connecting CN!Express® with AuricSystems International’s PaymentVault™ technology. Call for more in-formation on PaymentVault™ solutions for secure, long-term storageof credit card accounts.

The Discard UTIDS (tokens) after xx days entry determines how longCN!Express® caches token data locally. This setting has no impact onhow long tokens are stored within the PaymentVault™ service.

Selecting the Prioritize Update of PaymentVault™ with New UTID In-formation checkbox causes CN!Express® to queue tokens for PaymentVault™

storage as soon as they are generated. Otherwise, CN!Express® mi-grates tokens to the long-term storage approximately every minute.

Logging and Messages

CN!Express® optionally runs a number of logs. By default, only theexception log is activated. This provides useful information to AuricSystems International support staff if an error should occur.

The first logging option provided, is for Linux only. Select thisoption if your CN!Express® is Linux-based.


33

Remaining log options are as follows:

• Processor Communication Log: Logs all communications betweenCN!Express® and your processor.

• Web Service Request and Response Log: Logs all transaction infor-mation sent to CN!Express® via the web interface.

• File Request and Response Log: Logs all files imported and ex-ported.

• Exception Log: Log any exceptions that occur in the software.Note that some exceptions are expected and are part of normaloperations.

• Show Transactions in Monitor Window: Shows status of web re-sponse for transactions sent through the Web Service.

Note that the Audit log is active only when using the tokenizationfeature.

For PCI compliance, you must monitor and store your logs ina centralized location. The CN!Express® logs to be transported tothe centralized location are located in the CN!Express folder, whichresides in the Program Files (x86) folder.

Database Maintenance Service

CN!Express® performs daily maintenance operations includingbackup and database optimization. CN!Express® continues to accepttransactions while maintenance occurs – however, it is a good idea toschedule maintenance during times you expect to be rather quiet. Ifyou do not run CN!Express® constantly, then it will perform mainte-nance as soon as it starts up. As part of maintenance, CN!Express®

creates a backup database file in the directory configured in the FilesTab. You should periodically remove older versions of these backups.

Email Notification

CN!Express® can send email notifications as part of the nightlybackup process. CN!Express® also sends email notifications if a se-rious problem occurs. Auric Systems International recommends youconfigure email notifications. The test button on the dialog allowsyou to send an email immediately to confirm it is properly config-ured.

The Email Notification configuration screen allows you to config-ure how CN!Express® sends emails.

SMTP Server: Internet Address of your in-house email server.

34 cn!express®

SMTP Port: Port for communicating with your server.Use Authentication: Some email servers require clients to authen-

ticate before sending email. If your server requires authentication,enter your user and password information here.

Send Test Message: Click the button to send a test message.Message Content: Select notification typesScheduling: Intervals between email notifications

About Tab

The About tab contains the CN!Express® Version Number. Usefulwhen speaking with tech support. Processor contact information isprovided in this section, as well.

Encrypted/Secure HTTPS

The CN!Express® web interface must never be connected to the Inter-net. It is designed to be used within your network.

Historically, CN!Express® has supported both HTTP and HTTPSincoming communications. Because of the increasing focus on HTTPSprotocol attacks, Auric now recommends that the CN!Express® pay-ment application always be configured to:

• Use only HTTP

• Listen only on localhost (127.0.0.1).

Running Strictly On Localhost

When the software communicating with the CN!Express® applicationruns on the same server you can securely communicate between thetwo over HTTP using the 127.0.0.1 IP address. This is secure since thecommunication does not travel outside the server.

Using a Secure Proxy

When the software communicating with the CN!Express® applicationis on a different server, you must install the CN!Express® applicationbehind a secure proxy. CN!Express® can run it behind any standardweb server that has proxy capabilities. Options include: Microsoft®

IIS (Windows® only), nginx®, and Apache®.Another popular option is to use the stunnel product. From their https://www.stunnel.org/

web site, “Stunnel is a proxy designed to add TLS encryption func-tionality to existing clients and servers without any changes in theprograms’ code. Its architecture is optimized for security, portabil-ity, and scalability (including load-balancing), making it suitable forlarge deployments.” Auric uses stunnel in several production envi-ronments. It is available for both Windows® and Linux®.

Auric provides an stunnel configuration document at:https://www.AuricSystems.com/payment-apps/#stunnel

https://www.stunnel.org/

https://www.AuricSystems.com/payment-apps/#stunnel

Remote Firebird® Database

CN!Express® can be configured to connect to a Firebird® databaseserver running on another computer. This chapter provides step bystep instructions for configuring CN!Express® to use a remote (ex-ternal) Firebird® server. These instructions are designed for runningCN!Express® and Firebird® on separate servers; both of which areproperly installed behind your corporate firewalls.

Configure Firebird® For Windows®

CN!Express® uses the embedded version of the Firebird® relationaldatabase. Using an external Firebird® server is optional. To switchfrom using embedded Firebird® to using a Firebird® server, firstdownload the latest Firebird®

2 server from the Firebird® distribu-tion site: http://firebirdsql.org/. Releases are available for severalplatforms including Windows®, Linux®, Mac OS X, and Solaris. Fol-low the directions to install and configure a basic Firebird® database.The rest of the instructions in this chapter show examples of runningFirebird® in a Windows® environment.

Create Firebird® Users

Once Firebird® is installed and running, create a user for the CN!Express®

database. CN!Express® maintains two different databases: one fordemo mode and one for on-line (test/live). For this example, we willcreate two users: DemoUser for the demo schema and OnlineUser forthe on-line schema (do not use the actual passwords shown in thisexample). You will use these two users in the CN!Express® SettingsManager to specify your database connection for CN!Express®Findwhere Firebird®

2 is installed on your machine and run the followingfrom the bin directory.Substitute the DBA Password you created foryour Firebird® installation:

gsec -user sysdba -password dbaPWGSEC> add DemoUser -pw DemoPWGSEC> add OnlineUser -pw OnlinePW

http://firebirdsql.org/

38 cn!express®

GSEC> quitIn the above example, DemoUser, OnlineUser, DemoPW and On-

linePW are all examples. Replace these with your own.

DemoUser:

DemoPassword:

OnlineUser:

OnlinePassword:

Changing User Passwords

The gsec utility is also used to change passwords:

gsec -user sysdba -password dbaPW

GSEC> modify DemoUser -pw NewPW

Create a Location For Database Files

The Firebird® database allows you to control where your databasefiles are located. Create a dedicated directory for storing the databases.In this example, we will use C:\AuricSystems\fb-data\cnx as ourstorage directory.

Import CN!Express® Demo and Online Schemas

CN!Express® ships with SQL files capable of building the Demo andOnline schemas.These files are stored in the Data

Remote directory wherever CN!Express® is installed:

C:\ProgramFiles\AuricSystems\CN!Express\Data\Remote\demo_remote.sql

C:\ProgramFiles\AuricSystems\CN!Express\Data\Remote\online_remote.sql

Copy these two files to the Firebird® database server system andthen use the Firebird® ISQL utility to create the databases as follows: The database, user and password

all have single quotes and the lineterminates with a semicolon.

First the demo schema:Start the \fb\ ISQL utility.

SQL> CREATE DATABASE ’C:\AuricSystems\fb-data\cnx\cnxap_demo.fdb

CON> page_size 8192

CON> user ’DemoUser’ password ’DemoPW’;

SQL> IN ’C:\Program Files\AuricSystems\CN!Express\Data\Remote\demo_remote.sql’;

Now quit ISQL and create the Online schema.Create the CN!Express® Online schema:Start the \fb\ ISQL utility.

SQL> CREATE DATABASE ’C:\AuricSystems\fb-data\cnx\cnxap.fdb’

CON> page_size 8192

CON> user ’OnlineUser’ password ’OnlinePW’;

SQL> IN ’C:\Program Files\AuricSystems\CN!Express\Data\Remote online\cnxap_remote.sql’;

remote firebird®

database 39

Now quit ISQL. Check the C:\AuricSystems\fb-data\cnx direc-tory to ensure the files were created there.

Creating Aliases

When you entered the database location in the ISQL create commandabove, you entered a fully-qualified path for the database file. Youcan now connect to that database, but you would need to alwaysenter the fully qualified path in your connect statements. Firebird®

allows you to configure aliases to these files so you can refer to themby short, easy names. Find where Firebird® is installed on your ma-chine and locate the aliases.conf file. Add the following lines to thatfile using a text editor, then save the file:

cnexpress = C:\AuricSystems\fb-data\cnx\cnxap.fdb

cnexpress_demo = C:\AuricSystems\fb-data\cnx\_demo.fdb

Test Your Connection

Type the following from your Firebird® server system: Don’t forget the semicolon (;) at the endof each command.

isql

SQL> connect cnexpress_demo user DemoUser password DemoPW;

SQL> connect cnexpress user OnlineUser password OnlinePW;

Configure Firebird® Database for Linux®

The following instructions are for Red Hat Enterprise and CentOSLinux®. Please refer to the Firebird® database website for details onLinux® and Unix® style systems.

1. Run the following to install Firebird®2.5 from EPEL.

$ sudo yum install firebird-classic

$ sudo yum install firebird-devel.x86_64

Replace "TBD" with your selectedpassword."

2. Change the default sysdba (master) password. This must bechanged in order to be PCI DSS compliant:

$ sudo gsec -user SYSDBA -password masterkey -modify sysdba -pw TBD

3. Create a "cnxapdemo" demo database user:

Here, and in the rest of these instruc-tions, replace ’masterkey’ with thepassword you elected above.

$ sudo gsec -user sysdba -pass masterkey -add cnxapdemo -pw cnxapdemo

Use the actual database username "cnxapdemo" and the actualdatabase user password "cnxapdemo" when creating this user.These strings are hard-coded into cnexpress and used for demodatabase access only. The demo database is INSECURE and mustnever be used for actual customer data.

40 cn!express®

4. Create a production database user. Replace ’TBD’ with a validpassword. Record this password, as you will need it in the nextsection.

$ sudo gsec -user sysdba -pass masterkey -add cnxap -pw TBD

Enter a username of your choosing and a password of yourchoosing in place of cnxap and cnxappass, above. You will laterenter these strings in the cnxap configuration file.

If either of the following commandsfails with an error like: "Unable tocomplete network request to hostlocalhost." You may need to restartthe xinetd service. Refer to your OSdocumentation for specific instructions.

5. Create the cnxap database and run the build scripts. In this stepyou will run isql-fb from the command line twice, to create boththe production and demo databases. The remote.sql script is avail-able in the respository under the ./support/Firebird/ directory(for the production database, substitute the correct password for’TBD’ in the second command below.

$ isql-fb -user cnxapdemo -pass cnxapdemo

SQL> create database "localhost:/var/lib/firebird/data/cnxap_demo.fdb";

SQL> in remote.sql;

SQL>exit;

$ isql-fb -user cnxap -pass TBD

SQL>create database "localhost:/var/lib/firebird/data/cnxap.fdb";

SQL>in remote.sql;

SQL>exit;

Configure CN!Express®

Now that you’ve successfully configured Firebird® and loaded thetwo databases, we’re ready to configure CN!Express® to use them.Start the CN!Express® Settings Manager and select the Database tab.

The above screen shows the Database tab configured and ready tocommunicate with both demo and online remote Firebird® databases.

Use External Database

Unchecked by default. Checking enables all other controls in thispanel. Connection Information DSN: Consists of a host name/address,colon, and database name. The example here shows CN!Express®

connecting to the remote server at a specific in-house IP address. Thedatabase name is the Firebird® alias you configured in a previousstep. User ID: The user id which you used when you created thedatabase. Password: You are prompted to enter this password a sec-ond time. Click OK to save the settings. These settings are read nexttime CN!Express® starts.

remote firebird®

database 41

Starting CN!Express®

After saving the configuration information, start CN!Express® as anapplication and ensure it is able to connect properly to the remote. Ifit is unable to connect you will see a Firebird® connection failure inthe logs.

Maintenance

When CN!Express® uses a remote Firebird® server, it performs allthe standard maintenance processes except backup. You shouldconfigure an appropriate back-up process to be run daily on theFirebird® database. The Firebird® gbak utility can create backupswhile CN!Express® is processing transactions. There is no need toshut-down or pause CN!Express® while the backup process runs.

For best performance, backups should not run while CN!Express®

is performing the nightly maintenance. As part of this maintenance,CN!Express® performs what is known as a sweep operation to re-claim unused database space. Performing a backup while the sweepis taking place will cause the Firebird® database to do additionalwork and be slightly slower.

Security Notes

In this chapter we refer to a remote database connection. In thiscontext, remote means running on a different server than whereCN!Express® is installed. These instructions assume the databaseis properly installed behind appropriate firewalls and is runningon a non-public network. In order to provide strong authenticationbetween CN!Express® and a remote database, an additional layer ofsecurity must be provided by operating a VPN or secure/encryptedtunnel between the two servers. The Stunnel application (http://www.stunnel.org/) is one example of a secure tunnel that works onboth Windows® and Unix-like environments.

Additional Help

Auric Systems International offers custom consulting services if youneed help configuring and maintaining a remote Firebird® server.Please contact Auric Systems International at 603.924.6079 for moreinformation.

http://www.stunnel.org/

http://www.stunnel.org/

Tokenization

CN!Express® provides a built-in tokenization mechanism. Thismechanism is activated whenever the UTID field is requested onexport from either the real-time or file interface. The default UTIDis a long, alphanumeric value designed so it can be generated asyn-chronously by several CN!Express® (or Trevance®) instances runningautonomously.

Note that CN!Express® converts the account number into a UTIDregardless of the method of payment: credit card, debit card, check,PayPal account, etc.

Transactions

The typical usage is to provide a cardholder account number ona sale or authorization request and request the UTID value in theresponse. Optionally, you can configure CN!Express® to return theaccount field with only the last four digits of the original accountnumber.

Account values can be provided for any action (Authorization,Sale, Deposit, Refund, Void, etc.). The tokenization occurs at exporttime when CN!Express® notes that a UTID is requested.

Instant Tokenization™

In addition to tokenization during transactions, CN!Express® alsoprovides a set of Instant Tokenization™ actions as shown in table In-stant Tokenization™ on the following page.

Response Codes

When performing tokenization, always check the LastActionSuc-ceeded (LAS) field to ensure it returns a 1. This is a quick check tosee that CN!Express® successfully performed the operation. If theLastActionSucceeded (LAS) field is 0, you must check the ASI Re-sponse Code (ASIRESP) field for more information.

44 cn!express®

Action Code Description

U Instant Tokenization: Provide the account(ACCT) field and export the UTID field.

UC Tokenization Check: Provide the UTID field andCN!Express® looks up the UTID, decrypts it,and returns the last four digits in the account(ACCT) field..

UD Delete Token: Provide the UTID field andCN!Express® marks any local copy for dele-tion and then queues it for deletion fromPaymentVault™.

UR Re-Encrypt Token: Provide the UTID field andthe UTID will be retrieved, re-encrypted, andstored

Table 1: CN!Express® InstantTokenization™ actions.

Code Description

100 Success900 Failed local UTID generation.901 Failed local UTID lookup.902 UTID marked for deletion.

Table 2: ASI Response Codes for InstantTokenization™

tokenization 45

PaymentVault™ Interaction

PaymentVault™ is a data storage mechanism. The actual UTID gen-eration occurs within CN!Express®. This is done for speed andefficiency. If a PaymentVault™ connection should be temporar-ily down, CN!Express® can continue to generate and store newUTIDs that are being requested. (You can use UTIDs without aPaymentVault™ connection if you only need the UTID values for afew days.) CN!Express® can be configured to store the UTID valueslocally for a given number of days. Usually, storing for one to threedays is sufficient for environments where a transaction is authorizedand then deposited (captured) in a short period of time.

Every minute, CN!Express® gathers up all the recently-generatedUTID values and migrates them to the PaymentVault™server. Evenafter they are migrated, they still remain cached locally withinCN!Express® until the configured number of days have passed.

Delayed Delete

Just as CN!Express® does not immediately communicate UTID ad-ditions to the PaymentVault™, it also does not communicate deleterequests. When CN!Express® receives a UD (Delete Token) request, itperforms the following actions:

• See if the UTID value is currently cached locally.

• If cached locally, mark it for deletion.

• If not cached locally, create a new entry in the cache with theUTID value and mark it for deletion.

• During token migration time, send a Delete command to thePaymentVault™ for each UTID record that is marked for deletion.

• Delete the UTID entry once the PaymentVault™ deletion occurs (orPaymentVault™ finds there was nothing to delete).

If you should request a UTID from CN!Express® between the timeit is marked for deletion in the local cache and it is actually deletedfrom the PaymentVault™, CN!Express® returns the 902 ASIRESPcode indicating the UTID is marked for deletion and cannot be de-crypted.

Tokenization Failures

All tokenization occurs within CN!Express® itself, so there are fewplaces where tokenization can fail. Successful tokenization operations

46 cn!express®

return the Last Action Succeeded (LAS) field as 1 and the ASIRESPfield as 100.

The tokenization process makes two data base queries which couldpossibly, under extreme circumstances (like the database suddenlydisappearing) fail. In both cases, the Last Action Succeeded (LAS)field will be 0 and the ASI Response (ASIRESP) field will be 400. TheRESPTEXT field contains a textual description of the problem.

Note that in one of these failure modes, a UTID will be returned,but it will not have been stored in the database. Therefore, it is al-ways important to check the LAS value to ensure it is successfulbefore using the returned UTID.

PaymentVault™ Communications Failures If email alerts are configured,PaymentVault™ communication er-rors also result in an email being sent tothe configured administrator.Token data is moved from CN!Express® to the PaymentVault™

long-term storage asynchronously. If CN!Express® cannot com-municate with the PaymentVault™ backend, it does not surfaceas an error in the real-time or batch transaction. Tokenization cancontinue successfully while access to the PaymentVault™ system isunavailable. CN!Express® makes an ERROR entry in the log whenPaymentVault™ is inaccessible. Look for errors like,

ERROR - PaymentVault connection test failed. orERROR - PaymentVault server connection disabled.

Demo Mode

In order to support functionality in demo mode, CN!Express® mustencrypt the demo cardholder accounts that are presented. Live card-holder account numbers must never be used in demo or test mode.This demo encryption key exists solely to allow people to test out thebasic tokenization functionality.

Demo Encryption Key: CNXAP555CNXAP555CNXAP555CNXAP555

Demo Key Identifier: CNXAP-DEMO-KEY

Migration to PaymentVault™

Once a minute, CN!Express® transfers recently-generated tokens tothe PaymentVault™ server.

Any token delete requests are also transferred to the PaymentVault™

server every 60 seconds, but offset from the storage request by 30 sec-onds.

tokenization 47

Token Formats

IMPORTANT: Tokens must be storedas an 8-bit ASCII alphanumeric value.In a database, they must be stored as aVARCHAR (variable character) in orderto support any future token lengthchange.

CN!Express® tokens (UTIDs) are alphanumeric values that representthe stored (encrypted) cardholder account number. By themselves,the tokens have no intrinsic meaning other than providing the abilityto look-up stored cardholder account numbers.

The UTID definition has changed over time, and it must be as-sumed to change in the future.

The current CN!Express® UTID format is 39 bytes and consists ofthe following data:

• The first 27 bytes consist of the 160-bit sha1 hash of the ACCTfield, current time, and a unique sequence. The result is base64

encoded in url-safe mode.

• The next five bytes consist of a 30-bit sequence base64 encoded inurl-safe mode.

• The next three bytes are the site-specific UTID suffix.

• The last four bytes are the last four digits of the original card-holder account number.

The unique sequences act as salt values and increase the difficultyof a brute-force reverse lookup.

Token Format Prior to CN!Express® 4.0.13

Prior to CN!Express® release 4.0.13, tokens (UTIDs) were 52-byteslong and consisted of the following data:

• The first 43 bytes consisted of the 256-bit hash of the ACCT field,current time, and a unique sequence. The hash is base64 encodedin url-safe mode.

• The next five bytes were a unique sequence base64 encoded inurl-safe mode.

• A dash character.

• A three-character site-specific UTID suffix.

Uninstalling CN!Express®

On Windows®

You just use the built-in uninstall program to remove the CN!Express®

application from your system. The uninstall process removes the ap-plication files, the core database files (unless running with a remotedatabase), and the configuration files. It also deletes the default im-port, export, backup, and recovery logs. If you are not running thesein the default location, you must securely delete them yourself usingthe sdel program distributed with CN!Express® or a secure deletionprogram such as SDelete on Windows (available from Microsoft) orshred on Linux.

Refer to Protect Stored Cardholder Data for further guidance onsecurely removing the CN!Express® application.

On Linux®

Use the shred utility (or equivalent) to securely delete all files in the/opt/cnxap directory. Also securely delete CN!Express® specific logfiles.

Auric Key Management Proxy

CN!Express® supports external key management services. The vari-ous key management services are supported via the Auric Key Man-agement Proxy or AKMP™. The AKMP™ application allows new keymanagement services to be added without needing to update thebasic CN!Express® application. AKMP™ must be installed on yoursystem and is part of the basic CN!Express® installation.

The AKMP™ application is not required to be configured forDemo mode. In demo mode, CN!Express® uses a hard-coded demoencryption key since you are only using demo account numbers.When you are ready to move to test (and production), refer to theinstructions below:

1. Open the CN!Express® Configuration Utility

2. Select Security tab

3. Click Configure Key Manager

4. Click button next to AKMP has been configured on this server

5. Click OK

6. The key manager has been configured

7. Once the key manager has been configured, the Encrypt button nextto it will become available. This button is typically used whensetting up a password for Remote PaymentVault.

8. To use the Encrypt option, click on the button and enter the text tobe encrypted

9. Encrypted text will show in the box below. From here it can becopied into the clipboard and used as a password.

Part II

Payment Processors

Working with your Payment Processor

CN!Express® works with many different operating systems, appli-cations, and processing services. The next several chapters containinformation on configuring CN!Express® to work with your specificprocessing services.

Cardinal Commerce

Functionality

CN!Express® has specialized support for the Cardinal CommerceCentinel Gateway. Currently, the only query supported through Car-dinal Commerce is a request to determine if a cardholder is enrolledin the 3D Secure program for MasterCard or Visa.

Configuration Screen

Your Cardinal Commerce representative will provide you with theinformation for completing this screen.

Division Name The name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.

Merchant ID Your identifier at Cardinal.

Processor ID Cardinal supports multiple Payment Processors.

Transaction Password Secret password shared with Cardinal.

Currency Cardinal supports multiple currencies. This value sets thedefault. Currency can be sent with each transaction.

Acquirer Password Password at your specific Payment Processor.Required only when processing within certain Visa Regions. YourCardinal representative will inform you if this value is necessary.

URL and Test URL Your Cardinal representative will provide youwith the production URL. Prior to that, once your account is set upyou can use the Test URL to test your integration.

3D Secure Participation Check

CN!Express® supports the Cardinal Commerce action for checkingwhether a cardholder is participating in 3D Secure authentication. 3D

58 cn!express®

Secure is an authentication protocol used to authenticate cardholdersprior to authorization. Verified by Visa and MasterCard SecureCodeare authentication services based on the 3D Secure protocol.

To check whether a cardholder is enrolled in 3D Secure authentica-tion:

• Set the Action to IC (Identify Customer)

• Set the TenderType to C for credit card.

• Send the Account, Amount, Expiration, and Merchant OrderNumber fields.

• Also send the XCLASS field. This will be set to E for E-commerce.

In the response, if the Processor Status field is Y (enrolled), thecardholder is enrolled in a 3D Secure program and you may proceedwith the 3D Secure authentication step.

The following fields returned in the IC response may be used tocontinue with authentication:

REDURL The URL to which you should redirect the customer forauthentication

PAYLOAD Sent as a form argument as part of the redirect. Please seethe Cardinal Centinel documentation for details.

ECOMTYP Use as the ECOMTYP value when processing the autho-rization transaction through CN!Express®.

Transaction ID Cardinal Commerce returns a 3d transaction ID

Cardinal Commerce Actions

Identify Customer (IC)

Chase Paymentech


Your Chase Paymentech representative will send you the informationrequired to complete the CN!Express® configuration screen:

Division Name the name by which you want to refer to this processorconnection. This is a name you make up for your own use. It is thename/value you import to CN!Express®.

BIN 000001 is Salem. 000002 is Tampa/PNS.

Merchant ID Your Paymentech rep forwards this information. Note:This is your Merchant ID, not your Merchant Number.

Currency Defaults to US dollars. If you import a currency, it over-rides the default set here.

URLs These are automatically maintained by CN!Express® for ChasePaymentech communications.

Depositing and Refunding with Only the PROCTID

Once a transaction is authorized, you do not need the account num-ber again to either deposit or refund the transaction. Instead, storethe PROCTID value. The CN!Express® PROCTID consists of twoChase Paymentech Orbital fields: TxRefNum and TxRefIdx, sepa-rated by a period. CN!Express® knows how to properly send these tothe Orbital Gateway.

There is a limit as to how many days the PROCTID can be usedfor refunds. Please discuss the limits set for your account with yourChase Paymentech representative.

Depositing Remotely or Externally Authorized Transactions

In some circumstances, merchant websites may authorize (Auth) atransaction directly to the Orbital Gateway and then want to settle

60 cn!express®

(Deposit) through CN!Express®. In order to properly deposit, ChasePaymentech requires a value called the TxRefNum. CN!Express®

accepts this value in the PROCTID field.Send the following fields to settle this transaction through CN!Express®:

• ACTION

• DIVISION

• PROCTID (with the TxRefNum)

• MRCHORDR (Merchant Order Number)

• AMT (Amount)

No other information needs to be sent. The CN!Express® PROC-TID for Chase Paymentech Orbital Gateway actually consists of twovalues separated by a period: TxRefNum.TxRefIdx

In the case of an Authorization, the TxRefIdx is always 0. CN!Express®

defaults the TxRefIdx to 0 when it is not present.

Maestro (Switch) Support

CN!Express® supports the UK Domestic Maestro (UKDM) card. Thiscard was formerly called the Switch card and CN!Express® still usesfields with the SW (Switch) naming convention. When using Maestro(Switch) you must always send the card type since the card numberson Maestro overlap some credit card values. Set the card type to SW.

CN!Express® supports:

• Issue Number: SWISSU

• Start Date: SWCHDATE

Maestro transactions can also support Card Security Code (CVV)and MasterCard Accountholder Authentication Value (AAV). Maestrosupports Full and Postal-Code-only Address Verification.

Retry Logic

Chase Paymentech supports retrying transactions that may havefailed due to timeout, or where the response has otherwise been lost(due to a network failure, for example). Normally, if a transaction issubmitted twice, it could result in duplicate processing. Retry logic isintended to prevent duplicate transactions.

CN!Express supports retry logic on the Orbital Gateway by re-turning a specific field (PROCATR1) for transactions that have faileddue to timeout, or that have been sent and for which no response

chase paymentech 61

has been received. If you resend the transaction to CN!Express us-ing the PROCATR1 that was returned with the original transaction,CN!Express® will send the transaction marked as a retry, and ChasePaymentech will return the results from the original transaction with-out duplication of processing.

To test retry logic, you must send the same transaction to Pay-mentech twice. Paymentech does not provide a recommended pro-cedure for completing this test. Because CN!Express® only returnsPROCATR1 for actual errors or timeouts, it may not be possible totest retry logic without some kind of manual intervention.

There are two ways to test retry logic using CN!Express®.

Method 1 Manually drop the connection. While sending transac-tions to Paymentech in test mode, drop the network connection (byunplugging the network cable or similar means). At least one of thetransactions should return a timeout error and a non-blank PRO-CATR1. Resubmit this transaction with the returned PROCATR1 tocomplete the test.

Here is a step-by-step procedure:

1. Configure web request and web response to accept and returnPROCATR1.

2. Send a series of authorization connections through the web inter-face.

3. Drop the network connection.

4. Examine the responses. At least one transaction should have aPROCATR1 which is not blank.

5. Restore the network connection.

6. Resend the transaction you identified in step 4, this time with thePROCATR1 that was returned from the original request.

Method 2 Recover the information from the gateway log for asuccessful transaction, and resubmit that.

1. Configure file or web request and file or web response to acceptand return PROCATR1.

2. Enable the “processor communication log” in the advanced tab ofthe CN!Express configuration utility.

3. Send an auth transaction.

4. Examine the gateway log. Recover the “Trace-number” for thetransaction from the gateway log.

62 cn!express®

5. Resend the transaction, this time with the PROCATR1 that yourecovered from step 5.

Auric has successfully tested CN!Express® using Method 2.

Paymentech may require a deposit transaction for the authoriza-tion to complete the test.

Customer Profile Tokens

Orbital’s Customer Profiles support storing customer informationalong with the credit card or e-check account number when creatinga token. When you use the token for subsequent transactions, fieldsstored in the profile are used as defaults for those transactions.

Set RQSTTOKN to “1” to request that the payment processorreturn a TOKEN on an action such as an auth or a sale (this field isnot required for explicit “T” tokenization actions).

The Action “T” can be used to receive a customer profile TOKENwithout obtaining an authorization by including the TOKEN field inthe web response or transaction file export. The TOKEN can be usedfor subsequent Auth, Sale or Refund Transactions.

To get a token for a credit card, send the following request:

ACTION TACCT Credit card numberDIVISION CNX divisionAMT $0.00

EXP Credit card expiration dateMRCHORDR Merchant Order NumberRQSTTOKN 1

Export Fields/Web Response:

AUTHCODEAUTHDATEPROCTIDTOKEN

PROCTID example: 50350D3C273D5FC81737D104E4F925D972B953D

TOKEN example: 12439563

To get a token for an electronic check, send the following request:

chase paymentech 63

ACTION TDIVISION CNX divisionXCLASS Transaction classACCT Checking account numberROUTNUM Transit/routing number

These check-related fields are optional, and will also be associatedwith the token:

CHKTYPE Check account typeECPDELVM Check payment delivery method

You can also get a token for a credit card or e-check by settingRQSTTOKN to “1” on a regular check authorization, sale, or refund.Using one of the examples above, simply change the ACTION to“‘A”, ‘S”, or “R”.

To Perform an Auth, Sale or Refund Transaction with TokenRequested:

ACTION AACCT Credit card numberDIVISION CNX divisionAMT $0.00

EXP Credit card expiration dateMRCHORDR Merchant Order NumberRQSTTOKN 1

Export Fields/Web Response:

AUTHCODEAUTHDATEPROCTIDTOKEN

Once a TOKEN is received, the Customer Profile has been storedon the Orbital Gateway and the TOKEN is used to identify the Cus-tomer Profile.

In the Gateway Log, the TOKEN is returned as the Customer-RefNum and will be between 1 to 22 characters. The PROCTID isstored in the Gateway Log as the TxRefNum.

Deposit transactions cannot be completed by using the “Token”,because every credit card deposit transaction must include authoriza-tion information

Deposit transactions can be done by utilizing the PROCTID infor-

64 cn!express®

mation, including the PROCTID field in the web request or transac-tion file import.

Example of Deposit Transaction using Token requested:

Import/Web requestACTION = DPROCTID = 50350D3C273D5FC81737D104E4F925D972B953D5

TOKEN = BlankDIVISION = ABC MerchantAMOUNT = $ 1.00

EXP=Expiration DateMRCHORDR=Merchant Order NumberRQSTTOKN = 0

AUTHCODE = DEMO001

AUTHDATE = 02/22/2022 12:47:56

eBillme

eBillme Transaction Process Flow

A typical eBillme transaction flow is different from a standard creditcard or electronic check process. Specifically, the initial transaction issent from the merchant to eBillme. Merchants receive final paymentnotifications via a batch result file.

CN!Express® manages the communications between a merchantsback-end order management systems and eBillme. CN!Express®

not only removes the need for merchants to implement a complexSOAP protocol for communicating with eBillme, CN!Express® alsoautomatically polls the eBillme service on a regular basis to retrievethe batch payment notification files. CN!Express® then exports thesebatch files in a format similar to the batch files the merchant uses forany other payment operations.

A typical eBillme Standard payment flowis as follows:

• customer selects eBillme during checkout process on the mer-chant’s web site.

• merchant’s web site posts order information to eBillme web site.

• eBillme web site returns tracking information to merchant’s website.

• eBillme sends customer an eBill with order total and paymentinstructions.

• customer makes an on-line payment from their account to eBillme.

• eBillme updates several times a day. The status updates are thenavailable as batch downloads to the merchant.

• merchant polls eBillme for latest paid transactions. upon confirma-tion of payment, merchant releases product to customer.

CN!Express® automates this required periodic polling process andautomatically exports all new transaction payment information using

66 cn!express®

the same export format you use for all your batch payment trans-actions. Additionally, CN!Express® provides support for conveyingnew transactions through the standard CN!Express® web and delim-ited batch file interfaces; including recurring payments, refunds, andshipping notifications.


Your eBillme representative will send you the information requiredto complete the CN!Express® configuration screen. You will need toenter the Merchant Token, Username, Password, and Payee token.

Demo Mode Account Type CN!Express® supports eBillme’s Standardand Express processing features. This combo box indicates whichservice is emulated in demo mode.

Scheduled Status Check Times CN!Express® automates the requiredeBillme polling process. CN!Express® can check multiple times perday for new download files available from eBillme. Talk with youreBillme representative to determine the best times for you to bechecking each day – usually not more than four to six times in a 24

hour period.

Standard and Express Modes

eBillme defines both a Standard and Express mode. The significantdifference between these two modes is when the merchant releasesthe product to the consumer.

eBillme Standard mode returns only two authorization responses:

WAIT Wait for payment

DECLINE Decline the order

eBillme Express supports two additional authorization responses:

SHIP IMMEDIATELY Ship now, non-payment risk is low.

SHIP UNDER REVIEW Wait, eBillme will update this status.

Please discuss this with your eBillme representative for full details.

eBillme Actions

CN!Express® supports the following transaction actions for eBillme:

• Void

ebillme 67

• Refund

• Get (manually check for new batch files)

• Get Order Information Details

• Ship Notification

• Get Unallocated Payment Details (manually check for new batchfiles)

CN!Express® automatically sends Q and UQ requests on a polled/timedbasis. You can optionally request them manually as well. The follow-ing table details the required and optional fields for each of thesetransactions.

Table 3: eBillMe Transactions

eBillme Action eBillme Fields CN!Express®Action CN!Express®Fields

Cancel Order ORDERREFIDREASONID

V PROCTIDPROCRSN

Submit Refund ORDERREFIDREFUNDAMOUNTREFUNDREASON

R PROCTIDAMOUNTPROCRSN

Get Q

Get Order InformationDetails

ORDERREFID GD PROCTID

Continued on next page

68 cn!express®

Table 3 – Continued from previous page


Ship Notification ORDERREFIDAMOUNTSHIPPEDDATESHIPPEDSHIPPING METHODSHIPPING COMPANYTRACKING NUMBER

SN PROCTIDAMTSHIPDATESHIPMETHSHIPCAR (opt)CARTRACK (opt)

Get Unallocated PaymentDetails Query

UQ

Update Order Information UO


ebillme 69



Submit Order ORDERNUMBERTOTALPRICECOMMANDTYPEIPADDRESSRECURRING ORDERFIRSTNAMELASTNAMEEMAILADDRESS1

ADDRESS2

CITYSTATECOUNTRYZIPCODEPHONE 1

PHONE 1

FIRSTNAMELASTNAMEEMAILADDRESS1

ADDRESS2

CITYSTATECOUNTRYZIPCODESHIPPINGMETHODSHIPPINGCOMPANYTRACKINGNUMBERCURRENCYISPROXYSESSIONIDNEWCUSTOMERMERCHANTRATINGITEMDETAILSEXPIRYDATEPROMOCODESUBMERCHANTSUBTOTAL

S MRCHORDRAMTXCLASSCUSTIPPMTNBR (1, 2)BILLFNAMEBILLLNAMBILLEMALBILLADD1

BILLADD2(opt)BILLCITYBILLSTPRBILLCTRYBILLZCPCBILLHPHOBILLWPHOSHIPFNAMSHIPLNAMSHIPEMALSHIPADD1

SHIPADD2(opt)SHIPCITYSHIPSTPRSHIPCTRYSHIPZCPCSHIPMETH(opt)SHIPCAR(opt)CARTRACK(opt)CUR(opt)CUSTPRXY(opt)CUSTSID(opt)CUSTNEW(opt)CUSTRTG(opt)DETAILS(opt)EXP(opt)MCTPROMO(opt)SUBMRCH(opt)SUBTOTAL(opt)


70 cn!express®



Update Order Information ORDERREFIDORDERNUMBERTOTALPRICEEXPIRYDATESUBTOTALPROMOCODEFIRSTNAMELASTNAMEEMAILADDRESS1

ADDRESS2

CITYSTATECOUNTRYZIPCODEPHONE1

PHONE2

FIRSTNAMEFIRSTNAMELASTNAMEEMAILADDRESS1

ADDRESS2

CITYSTATECOUNTRYZIPCODESHIPPINGMETHODSHIPPINGCOMPANYTRACKINGNUMBER

UO PROCTIDMRCHORDR (opt)AMT (opt)EXP(opt)SUBTOTAL (opt)MCTPROMO (opt)BILLFNAM (opt)BILLLNAM (opt)BILLEMAL (opt)BILLADD1 (opt)BILLADD2 (opt)BILLCITY (opt)BILLSTPR (opt)BILLCTRY (opt)BILLZCPC (opt)BILLHPHO (opt)BILLWPHO (opt)SHIPFNAM (opt)SHIPLNAM (opt)SHIPEMAL (opt)SHIPADD1 (opt)SHIPADD2 (opt)SHIPCITY (opt)SHIPSTPR (opt)SHIPCTRY (opt)SHIPZCPC (opt)SHIPMETH (opt)SHIPCAR (opt)CARTRACK (opt)

Auth Responses

Each eBillme auth response is composed of three components:

Auth Status Ship, Wait, ShipUnderReview, Decline

Auth Reason Code Various codes–see eBillme documentation.

ebillme 71

Auth Reason Description Textual description of the Codes.

You must discuss the various Auth Status responses with youreBillme representative to help guide your business process decisionson each of the return types.

Polled Batch Responses

CN!Express® returns two kinds of eBillme response batch files:

• the kind returned for Q (get order status)

• the kind returned for UQ (get unallocated payment information).

Both batch files have:

1. An entry for each order.

2. For each order, zero or more payment detail records.

The format for each order entry line is user-defined, set by theCN!Express® batch export format. Since you are likely to be usingCN!Express® batches to also process credit, check, and other alterna-tive payments, you will use the same batch export format for receiv-ing eBillme information. Simply add the necessary eBillme fields tothe end of your existing export record.

UNALLOC is a Boolean value indicating whether payment isallocated or unallocated. 1 indicates unallocated.

For ‘Q’ batch files, you can configure the order entry (main record)to include any order-related fields, and these will be exported byCN!Express®. Following are the common CN!Express® fields that aremapped to eBillme response fields:

Table 4: eBillme response batch fields

CN!Express® CN!Express®eBillme

UNALLOC Boolean Flag

PROCTID ORDERREFID

ACCT ACCOUNTNUMBER


72 cn!express®


CN!Express®Field CN!Express®eBillme Field

AMT TOTALPRICE

CUR CURRENCY

AUTHDATE PAYMENTDATE

CAPDATE PAYMENTSOURCE

PMTSRC NAME

CMT1 NAME

Table 5: eBillMe ‘Q’ batch file responses

CN!Express® CN!Express®eBillme

PROCTID PREAUTHREFERENCEID

PROCORDR ORDERREFERNECEID

MRCHORDR ORDERNUMBER

ACCT ACCOUNTNUMBER

PROCSTAT AUTHSTATUS

RESPCODE REASON

RESPTEXT REASONDESCRIPTION

AMT TOTALPRICE

AUTHDATE PAYMENTDATE

CAPDATE AMOUNTPAIDTODATE


ebillme 73


CN!Express®Field CN!Express®eBillme Field

RESPDATE

CAPAMT AMOUNTPAIDTODATE

EXP EXPIRYDATE

CUR CURRENCY

PROCATTR1 PAYSTATUS

AMTDUE AMOUNTOWING

RFGRAMT AMOUNTREFUNDEDTODATE

SUBTOTAL SUBTOTAL

XCLASS COMMANDTYPE

UQ response batch files do not have an order under which togroup the payment detail records (UQ is just a list of payments madeagainst unknown orders).

CN!Express® exports one main record for each merchant returnedin the payment file from eBillme. In most cases, there will be just onemain record in the field, followed by the detail records. For somemerchants, there may be more than one main record. The detailrecords that follow each main record are the unallocated paymentsassociated with that merchant identifier.

First Data Global Gateway

The First Data Global Gateway is the default Internet gateway to allFirst Data Platforms. CN!Express® supports credit card processingthrough the First Data Global Gateway.


First Data Global Gateway provides both test and production servers.Before communicating with either of these servers, you must ob-tain a Digital Certificate from First Data. When you sign up for youraccount, your First Data welcome email contains directions for ob-taining your credentials and the Digital Certificate (.PEM)file. Youwill have separate certificates for test and production environments.


(Test) Secure Host Name Address to which test or production trans-actions are sent. Note: Do not include the https:// as part of thename. Provided by First Data.

(Test) Secure Host Port Provided by First Data.

(Test) Store Name Provided by First Data.

(Test) Certificate Path to the .PEM file you download from the FirstData Virtual Terminal. Your welcome email has directions on howto obtain this file.

Note: Your Certificate acts in place of a userid/password for ac-cess to the First Data Global Gateway. Be cautious in where you storeand backup this file.

TSYS Merchant Solutions–PayFuse


Your TSYS Merchant Solutions representative will send you the infor-mation required to complete most of the CN!Express® configurationscreen.


Alias Provided by your TSYS representative.

Account Provided by your TSYS representative.

Password Provided by your TSYS representative.

Currency All transactions to this Division are processed in this cur-rency. Available currencies are: US Dollar (USD), Canadian Dollar(CAD), Euro (EUR), Pound (GBP), Yen (JPY).

Use FraudShield FraudShield is an TSYS fraud detection service.Please contact your TSYS representative if you want to use thisservice.

URL and Test URL Your TSYS representative will provide you withthese values.

Depositing Remotely Authorized Transactions

In some circumstances, merchant websites may authorize (Auth) atransaction directly to the PayFuse Gateway and then want to settle(Deposit) through CN!Express®. In order to properly deposit, Pay-Fuse requires an ID identifying the transaction. CN!Express® acceptsthis value in the PROCORDR field.

Send the following fields to settle this transaction through CN!Express®:

• DIVISION

78 cn!express®

• PROCORDR

• AMT (Amount)

• ACTION

No other information needs to be sent.Note: The CN!Express® PROCORDR for the PayFuse Gateway

needs to be extracted from the PayFuse response XML after a suc-cessful Authorization. Be aware that PayFuse returns two XML fieldscalled Id. The required Id is the Order Form Doc Id which can befound in the XML document at: /EngineDoc/OrderFormDoc/Id.

ACH

PayFuse supports ACH Sale and Refund transactions. Please con-tact your PayFuse representative to determine how to receive ACHsettlement reports.

ACH transactions require the following fields:

• ACCOUNT: This is the bank account number.

• ROUTNUM: Bank transit/routing number.

• CHKTYPE: This single CN!Express® field maps to two fields inPayFuse: AccountType and CheckType.

CHKTYP AccountType CheckType

C (Consumer) 1 (Checking) 1 (Personal)

S (Savings) 0 (Savings) 1 (Personal)

X (Commercial 1 (Checking) 0 (Commercial)

• ECPAUTHM: Indicates the method by which the consumer au-thorized you to process their checking account information. TheECPAUTHM values translate to the PayFuse EntryClass field asfollows:

ECPAUTHM EntryClass

W (Written) PPD Prearranged Payment and Deposit

I (Internet) WEB

T (Telehone) TEL

C (CCD) CCD Cash Concentration or Disbursement

/EngineDoc/OrderFormDoc/Id

Vantiv®(formerly Litle & Co.)


Your Vantiv® representative will send you the information requiredto complete the CN!Express® configuration screen.


Merchant Identifier Your Vantiv® rep forwards this information

Test Information The URL, user ID, and password provided to you byVantiv® for submitting test transactions.

Production Information The URL, user id, and password provided toyou by Vantiv® for submitting live production transactions.


In some circumstances, merchant websites may authorize (Auth)a transaction directly to Vantiv® and then settle (Deposit) throughCN!Express®. In order to properly deposit, Vantiv® requires a valuecalled the TxRefNum. CN!Express® accepts this value in the PROC-TID field.

• ACTION

• DIVISION



• AMT (Amount)

80 cn!express®

Supported Methods of Payment

CN!Express® supports the following Vantiv® functionality:

• Credit Cards: MasterCard, Visa, American Express, Discover, GiftCards

• Vantiv token

• Track 1/Track 2 retail data

• Level II, Level III, and Vantiv® Custom Billing data

• US Currency

• Auth, Auth Reversal (L), Capture, Capture Previous Auth, Sale,Force Capture, Credit, and Void

• Automatic Account Updater

• Automatic Account Updater Extended Response Codes

• Pre-paid card filtering.

• Card-type detection.

Tokenization

Vantiv® supports credit card number tokenization. The tokenizationservice is activated by Vantiv® on a per-division basis. If tokenizationis activated for a specific division, then tokens are automaticallygenerated when you submit a transaction using a credit card number.To retrieve this token, simply export the TOKEN field. There is noneed to specifically request the token through CN!Express®.

To use the token in future transaction, import it in the CN!Express®

TOKEN field.

Card Filtering Services

Vantiv® offers Card Filtering Services. CN!Express® supports Pre-paid Card Filtering Service

Contact Vantiv® for Test Scenarios and Testing Card FilteringServices

To use pre-paid card filtering with CN!Express®, use the DECLPPD

(Decline Pre-paid) as an import field.

• If you send a ‘1’ in this field, and filtering is not set for all trans-actions by default, Vantiv® will apply pre-paid filtering to thistransaction.

vantiv®(formerly litle & co.) 81

• If you send a ‘1’ in this field, and filtering is set for all transac-tions by default, Vantiv® will not apply pre-paid filtering to thistransaction.



• If you send a nothing in this field, and filtering is set for all trans-actions by default, Vantiv® will not apply pre-paid filtering to thistransaction.

Card Filtering Services

CN!Express® supports Vantiv®’s pre-paid card filtering service.To use pre-paid card filtering with CN!Express®, import the field

DECLPPD (Decline Pre-paid).The following table summarizes how this works:

Table 6: Pre-paid card filtering rules

DECLPPD Account Setting Card Type Transaction Result

(not sent) case-by-case not prepaid normal

(not sent) case-by-case not prepaid normal

(not sent) filter all not prepaid normal

(not sent) filter all prepaid declined by filter

0 case-by-case not prepaid normal

0 case-by-case prepaid normal

0 filter all not prepaid normal

0 filter all prepaid normal


82 cn!express®


DECLPPD Account Setting Card Type Transaction Result

1 case-by-case not prepaid normal

1 case-by-case prepaid declined-by-filter

1 filter all not prepaid normal

1 filter all prepaid declined by filter





• If you send a nothing in this field, and filtering is set for all trans-actions by default, Vantiv® will not apply pre-paid filtering to thistransaction.

Card Type Detection

CN!Express® also supports Vantiv®’s card-type detection. To usecard-type detection, include the TENDSUBT field in your export.CN!Express® returns a description of the card used in the transac-tion. Some examples of the strings that may be returned are:

• UNKNOWN

• CREDIT

• DEBIT

• FSA

vantiv®(formerly litle & co.) 83

AUACCT New account number

AUEXP New expiration date

AUORCODE Response code for original (declined) transaction

AUORTEXT Response text for original (declined) transaction

AUCRDTYP New card type (e.g., MC, VI)

Table 7: Automatic Account UpdaterFields

• PREPAID:GENERAL_PREPAID

• PREPAID:GIFT

• PREPAID:PAYROLL

Note: on pre-paid transactions, you can also export the CURBAL(current balance) and LOADABLE fields. This provides you with thebalance on the pre-paid card and indicates if the card can be reloaded(LOADABLE is 1).

Automatic Account Updater

CN!Express® supports Vantiv®’s automatic account updater func-tionality. With this feature, declined transactions are automaticallychecked against a list of updated account numbers maintained byVantiv® If the account is out-of-date, Vantiv® will re-submit thetransaction using the updated account number and return new ac-count information as part of the transaction response. You mustconfigure your merchant account to use automatic account updates inorder to use this feature.

Table 7 shows the CN!Express® return fields that support thisfunctionality.

You should update your customer records to reflect the new in-formation when you receive these items as part of a transaction re-sponse

Cielo Payments Inc. (Formerly Merchante-Solutions)


Your Cielo Payments representative will send you the informationrequired to complete the CN!Express® configuration screen for theMerchant e-Solutions gateway:


Profile ID Identifies the account under which this transaction is pro-cessed.

Merchant Key Provides access to the account – much like a password.

Dynamic DBA Information Overrides information already configuredand stored.

DBA Name Alternative business name (optional).

MCC Your Merchant Category Code (optional). Your representativewill have helped you determine this value at the time you appliedfor an account.

City, St./Prov, Zip/PC Your company address (optional).

Customer Service Phone Number (optional) This appears on yourclient’s billing records.

URLs These are automatically maintained by CN!Express® for yourpayment processor communications.

Payment Methods

CN!Express® supports the following payment methods throughMerchant e-Solutions:

• Credit Card

86 cn!express®

• Bill Me Later

CN!Express® also supports International Currencies through Mer-chant e-Solutions. International currencies can be supported as:

• process and settle transactions in a particular currency.

• convert between currencies before processing.

• process in customer currency and fund in merchant currency.


In some circumstances, merchant websites may authorize (Auth)a transaction directly to Cielo Paymentsand then settle (Deposit)through CN!Express®. In order to properly deposit, Cielo Paymentsrequires a value called the TxRefNum. CN!Express® accepts thisvalue in the PROCTID field.

• ACTION

• DIVISION



• AMT (Amount)

Bill Me Later

Refer to the CN!Express_Field_Reference.html file for details on theBill Me Later fields supported by CN!Express®. It is important to talkwith both your Cielo Payments and Bill Me Later representatives todetermine precisely which fields should be transmitted. Specific fieldselection depends on your specific business.

3D Secure Support

CN!Express® supports 3D Security through Merchant e-Solutions. 3DSecure is an authentication protocol used to authenticate cardholdersprior to authorization. Verified by Visa and MasterCard SecureCodeare authentication services based on the 3D Secure protocol.

The first step in using 3D Secure is to check if a cardholder isenrolled in the 3D Secure authentication program. To check whethera cardholder is enrolled in 3D Secure authentication:

• Set the Action to IC (Identify Customer)

cielo payments inc. (formerly merchante-solutions) 87

• Set the TenderType to C for credit card.

• Send the Account, Amount, Expiration, and Merchant OrderNumber fields.

• Send the Invoice Number (INV).

In the response, if the Processor Status field is Y (enrolled), thecardholder is enrolled in a 3D Secure program and you may proceedwith the 3D Secure authentication step.

The following fields returned in the IC response may be used tocontinue with authentication:

REDURL The URL to which you should redirect the customer forauthentication.

PAYLOAD Sent as a form argument as part of the redirect. Please seethe Cardinal Centinel documentation for details.

AUTHTCID Return the AUTHCID value when processing the autho-rization transaction through CN!Express®.

When processing the authorization or conditional deposit, you canspecify that the customer was authenticated through 3D Secure byincluding the following two fields in the request:

AUTHTCID The AUTHTCID value returned in the IC request.

PAYLOAD The PaRes parameter returned by the card issuer in theauthentication response.

Multicurrency and FX Processing

With CN!Express®, each transaction can include a currency field.This field defines which currency to use for the amount field. CN!Express®

also supports Merchant e-Solutions ability to do currency conversionprior to the transaction. Merchant e-Solutions refers to this as FX(Foreign Exchange) processing. Please refer to the Cielo PaymentGateway FX Processing documentation for details beyond the follow-ing.

Available transactions are:

CA Convert Amount from one currency to a different currency.

CG Get Currency Rate. Retrieve rate for an individual currency, orretrieve the entire rate table. All rates are relative to the merchant’sdefault currency.

LC Lookup Currency. Given a Country or IP address, return thecurrency code for that locale.

88 cn!express®

The FX transactions need to be performed before an Authorization,Sale, or Refund transaction.

Lookup Currency Send either the BillAddress:Country (BILLCTRY) orCustomer IP Address (CUSTIP) field. The Currency (CUR) field inthe response contains the currency code for that locale.

Get Currency Rate Sending a value in the Currency (CUR) field re-turns an XML structure in the Payload field that describes theconversion rate between the merchant’s default currency and thetarget currency. There is also an Exchange Rate ID (EXCHRTID)which must be used in future Authorization, Sale, or Refund trans-actions. Each conversion response has an Expiration Date associ-ated with it. The conversion values must not be used beyond thatdate.

When you call Get Currency Rate without specifying a Currency,the Payload field in the response will contain a list of currency rateconversions for all supported currencies.

Convert Amount To convert from the merchant’s default currencyto another currency, send the original value in the Amount inMerchant Currency (MCURAMT) field and a Currency Code. Theconverted value is returned in the Amount field. Use this amount,along with the returned Exchange Rate ID and Expiration Date foruse in future Authorizations, Sales, and Refunds.

FX Auths, Sales, and Refunds When using Foreign Exchange, Autho-rization, Sale, and Refund transactions must include:

MCURAMT Amount in Merchant Currency.

AMOUNT The converted amount.

EXCHRTID The Exchange Rate Identifier.

PayPal


The PayPal Express Checkout configuration requires your standardPayPal identification information.


User Your PayPal user name.

Password Password for accessing your PayPal account.

Signature Secret signature you’ve defined at your PayPal account.

URLs These are automatically maintained by CN!Express®.


In some circumstances, merchant websites may authorize (Auth)a transaction directly to PayPal and then want to settle (Deposit)through CN!Express®. In order to properly deposit, PayPal requiresa value called the TxRefNum. CN!Express® accepts this value in thePROCTID field.


• ACTION

• DIVISION



• AMT (Amount)

No other information needs to be sent. The CN!Express® PROC-TID actually consists of two values separated by a period: TxRefNum.TxRefIdx

In the case of an Authorization, the TxRefIdx is always 0. CN!Express®

defaults the TxRefIdx to 0 when it is not present.

90 cn!express®

ButtonSource Parameter

Please include the ButtonSource (BN) parameter in your initial trans-action with the PayPal website. Please use the following Button-Source value: Auric_CNExpress_ECUS.

PayPal Express Checkout Actions

CN!Express®supports the following transaction actions for PayPalExpress:

• Final Deposit (FD)

• Get Details (GD)

• Open Order (OO)

• Query (Q)

• Partial Refund (PR)

Auric_CNExpress_ECUS

Paypal PayFlow Pro

The information to complete the Paypal Payflow Pro configuration isavailable from your Payflow Pro management account available at:https://manager.paypal.com/.

• Obtain your Payflow Pro Settings information,

• For testing purposes, use Visa 4111111111111111 Exp 1/15

• Authorize a credit card, configuring the export field to return aPROCTID

• PROCTID is returned in the web log, as well as the gateway log. Inthe gateway log, PROCTID is returned as PNREF.

• Deposit or perform subsequent transactions by sending the PROC-TID number along with the appropriate amount.

• In the gateway log, PROCTID is returned as ORIGID after theinitial authorization.

• Payflow Pro will hold this credit card information for one year,using these Transaction ID’s rather than tokens.

• For recurring billing, any PROCTID from the past year may beused.

• Deposit transactions can include the optional CAPCOMPL (Cap-tureComplete). This indicates that no more capture will occuron the original authorization. Useful when depositing less thanoriginally authorized.

https://manager.paypal.com/

TenderCard

TenderCard supports online gift and loyalty cards. TenderCardprovides several APIs. CN!Express® implements TenderCard’s TC-SOAP Protocol 2.0.1.


Your TenderCard representative will send you the information re-quired to complete most of the CN!Express® configuration screen.


Loyalty Transactions TenderCard supports both Gift Cards (whichcontain an amount of money) and Loyalty/Rewards cards (whichcontain a number of points).

CN!Express® is designed to run a TenderCard division in eitherLoyalty or Gift Card mode. By default, it runs Gift Card transac-tions. Checking this checkbox causes the Division to run Loyaltytransactions.

It is possible to run both Gift and Loyalty transactions through thesame TenderCard processing account. If you require this ability,you must set-up two CN!Express® Divisions and configure onefor the default Gift Card transactions and the second for Loyaltytransactions. For example, you could call one TC-Gift and theother TC-Loyalty.

Amount Due Processing When unchecked, attempts to redeem morethan the available balance decline. The amount due (AMTDUE)field returns with the balance remaining to be collected by themerchant (Amount Requested minus Amount Redeemed). Theavailable balance (CURBAL) field returns with the balance avail-able on the card.

When checked, any attempt to redeem more than the availablebalance approves. The amount due (AMTDUE) field returns with

94 cn!express®

the balance of the amount requested minus the amount that wasredeemed from the card. The balance due (CURBAL) field returnswith 0.00.

Production/Test Login Information Your TenderCard representative willprovide you with your Test and Production log-in information.This is a fairly long (and cryptic) string that should be copied andpasted. Do not try to type this information. CN!Express® supportsTenderCard’s XML and base64-encoded XML formats.

The Login information contains your account number.

Functionality

CN!Express® supports the following TenderCard actions for bothLoyalty and Gift Card processing:

AO: Activate Only Activate an existing account without affecting itsvalue.

AV: Add Value Add value to a stored value/gift card.

BA: Balance Inquiry Retrieve the card balance.

CL: Close Card Deplete full balance of card and close account.

GP: Get Customer Profile Retrieve the customer information associatedwith an account.

IS: Issue Card Create and activate a new account with a specifiedbalance. If this is a replacement for a legacy gift card program,you can include the previous gift card account number in thePREVACCT field. This is for reporting and documentation only.

R: Refund Return funds to the account holder.

RD: Redeem Value Redeem (remove value). Returns Amount Due(AMTDUE) and Current Balance (CURBAL).

UP: Update Customer Profile Update customer information associatedwith an account.

V: Void Reverses the previous transaction applied to a card. Forexample, if the previous transaction was a $10.00 redemption, thevoid transaction restores $10.00 to the card balance.

XF: Transfer Transfer the entire balance from one TenderCard accountto another; closing the original account.

tendercard 95

Fields

The following fields have specific uses for TenderCard processing:

AMTDUE: Amount Due Returned by CN!Express® on Redeem Value(RD) call when using Amount Due Processing. This is the amountthat was not available on the Gift Card and still needs to be col-lected.

Authorization Code: AUTHCODE Value returned by TenderCard

Authorization Date: AUTHDATE Returned from TenderCard

AVS Fields and Email Supports standard name, address fields as wellas Email.

Current Balance: CURBAL Amount (dollars or points) available oncard. Returned by Balance Inquiry (BA) and Redeem Value (RD)when using Amount Due Processing.

CVV/CID: CVV TransFirst cards have a PIN. Put that value into theCVV field.

Expiration Date: EXP Expiration date for the card( M/D/YYYY). Avalue of 1/1/0001 causes TenderCard to use default settings foryour account. It is the merchant’s responsibility to ensure that giftcard expiration dates comply with applicable laws.

Account Issue Date: ISSUEDATE Date of issue for Gift cards. Eightchars: YYYYMMDD

Previous Gift Card Account Number: PREVACCT Used for Transfer(from PREVACCT to this card) and optionally for Issue transac-tion.

Response Code: RESPCODE & Response Text: RESPTEXT TenderCarddoes not have numeric response codes. Check the LAS (Last Ac-tion Succeeded) flag to determine if transaction was successful.TheRESPTEXT (Response Text) contains text returned by TenderCard).Note: TenderCard returns one-word responses like Insufficient-Funds. CN!Express® expands this to a multi-word string: Insuffi-cient Funds.

Response Date: RESPDATE Date the transaction was processed.

TransFirst


Your Transfirst representative will send you the information requiredto complete the CN!Express® configuration screen:


Account Provided by your Transfirst representative.

Password Password to access your account at Transfirst.

Customer Service Phone Number This information appears on yourcustomers records.

Division Duplicate Checking Informs Transfirst you want them tocheck for received duplicate transactions.

URLs These are automatically maintained by CN!Express®.


In some circumstances, merchant websites may authorize (Auth) atransaction directly to TransFirst and then want to settle (Deposit)through CN!Express®.


• ACTION

• DIVISION

• PROORDR

• MRCHORDR

• AMT

No other information needs to be sent.

Part III

PA DSS SecureImplementation Guide

Overview of PCI-Compliance Practices

IMPORTANT: Please read the ??.This document outlines Auric Systems International’s prudent

practices for securely implementing, deploying, and integrating theCN!Express® (and optionally PaymentVault™) payment processingapplications under PCI PA-DSS 3.0.

The recommendations and prudent practices described in thisdocument are designed to help you to implement and integrate theseapplications in a PCI-compliant manner.

As prudent practices evolve, Auric Systems International willbe modifying both their products and this documentation to meetthe latest requirements. Please contact Auric Systems Internationalsupport if you have any questions: [email protected].

Auric Systems International’s payment applications are developedfor use in a PCI-compliant enterprise. Auric Systems Internationaldevelops these applications in accordance to the PCI Security Stan-dards Council Payment Application Data Security Standard (PA-DSS)version 3.0.

Auric Systems International has undergone a third-party assess-ment of our development processes. CN!Express® has undergone anindependent third-party assessment. Auric Systems International isa PCI-validated Level 1 service provider listed with MasterCard andVisa International.

This document contains Auric Systems International’s prudentpractices recommendations for installation, integration, and config-uration of the CN!Express® payment processing application. Mer-chants must make their own determination as to how best to create aPCI-compliant enterprise.

Compliance Status

Software technically cannot be PCI-compliant. PCI is a process thatapplies to merchants and service providers, not software. There are18 basic steps ranging from building and maintaining a secure net-work, to protecting cardholder data, to maintaining an information

[email protected]

102 cn!express®

security policy. Software must be evaluated to see how it fits within amerchant’s overall PCI efforts. What PCI is for merchants, PA-DSS isfor software.

All Auric Systems International products are listed on the PCISecurity Standards Council web site: pcisecuritystandards.org. Mer-chants should always check this website to confirm the current com-pliance of any payment application.

Prudent Practices

Recommendations

This document contains recommendations regarding the securityinstallation, integration, and configuration of Auric Systems Interna-tional products in a PCI compliant manner.

Customers and integrators are responsible for implementing theirown PCI compliant environment. Our intent is to provide sufficientinformation regarding prudent practices for the installation, configu-ration, and operation of Auric Systems International products to helpyour PCI compliance efforts

Additional Help

Auric Systems International’s support team is always available tohelp with any questions you may have related to implementing ourpayment processing applications—PCI or otherwise.

Auric Systems International has been providing payment process-ing applications since 1994, and we’ve been meeting PCI require-ments since 2005. We continue to strive to provide you with the bestproducts and support we possibly can.

Thank you for choosing Auric Systems International as your pay-ment software partner.

https://www.pcisecuritystandards.org

Do Not Retain Full Magnetic Stripe or CVV2 Data

General

• The CN!Express® real-time web interface accepts transactionscontaining CVV2/CID, magnetic stripe, and debit card PIN blockdata. This information is transmitted directly to the processor andnever stored.

• The CN!Express® batch file interface accepts transactions withCVV2/CID data. This feature is provided for integration withlegacy systems. Auric recommends that CVV2 data not be trans-mitted in files.

• Import and export file encryption formats are discussed later inthis document.

• If you do not encrypt the import file, Auric strongly recommendsyou configure CN!Express® to multi-pass delete the import fileafter it is read.

• If you do not delete the import file, Auric strongly recommendsyou configure CN!Express® to mask sensitive data after import. Inthis mode, instead of just changing the imported file’s extensionfrom .IMP to .DNE, CN!Express® copies the .IMP file to a tempo-rary file while masking sensitive data such as account number andCVV2/CID. When the copy is complete, the .IMP file is deletedand the new, masked, copy is given the .DNE extension.

• Do not export the account code. Instead, use the order numberfield or an internal tracking ID in one of the four comment fields.

• Never send sensitive customer information to Auric for support orany other reason.

• Sensitive authentication data should be collected only whenneeded to solve a specific problem.

• Any such sensitive data collected must be stored in a secure man-ner, in specific known locations, and with limited access.

104 cn!express®

• Collect only the limited amount of data required to solve a prob-lem.

• Securely delete any such sensitive collected data immediately afteruse.

Securely Delete Files

CN!Express® supports the ability to perform multi-pass file over-writes and deletion. After a batch file is imported, it is deleted in asecure manner by being overwritten multiple times before the actualdeletion. If this should cause excessive hard drive activity in yourspecific installation, the second-best approach is to use the One-PassOverwrite and Delete. See Appendix III Secure File Deletion for de-tails.

You must remove historic data (such as old databases and databasebackups no longer being used, using a secure removal tool such asSDelete for Windows or shred for Linux. This is mandatory for PCI-DSS compliance.

• File Formats Tab

– Set After Importing a File to Multi-Pass Overwrite and Delete. Aftera batch file is imported it is deleted in a secure manner by beingoverwritten multiple times before the actual deletion.

• Files Tab

– Decrypt Files Before Import is checked.

– Encrypt Files Before Export is checked (optional, better to notexport sensitive data).

Proper Log Handling

Run those logs appropriate for the environment. Ensure log maskingis active.

• From the Advanced Tab

– Turn off all Optional Logs that you are not explicitly using.

Do Not Store CVV2 Field

CVV2 data must never be transmitted in batch files.

• From the File Formats Tab, Edit Format... buttons (one for Importone for Export)

magnetic stripe and cvv2 data 105

– CVV/CID field is not imported or exported.

– Account field is not exported, or exported masked.

Protect Stored Cardholder Data

General

• CN!Express® supports external Key Management Systems.

• Merchants should develop a cardholder data retention policy.

• Card holder data exceeding the defined retention policy retentionperiod must be purged.

• CN!Express® never displays credit card data.

• All logs, including debug logs, mask sensitive data fields.

• When uninstalling a CN!Express® configuration that uses theembedded database, the uninstall routine securely deletes the datafiles in order to ensure locally encrypted data is removed securely.When using the remote database option, you must securely deletethe database files you stored on the remote database server usinga secure deletion tool such as SDelete on windows or shred onLinux.

• When uninstalling CN!Express®, all cryptographic material mustbe removed. The only cryptographic material is the encrypted cardholder accounts that may be in the database or backup files. Youshould explicitly check:

1. the Data directory

2. the Import directory

3. the Export directory

4. the Warning directory (only on Trevance)

5. the Backup directory

6. the Decline directory

7. any backup directories or media you have used internally tostore data from any of the above locations

108 cn!express®

• Customers are advised that Windows restore points; backups;crash files; debug files and any other type of file, that takes asnapshot of the registry and/or hard drive where CN!Express®

is loaded (whether resident on the system or not) must be deletedusing the secure delete process described in this document for thecustomer to maintain PCI compliance.

• Use a secure deletion program, such as SDelete for Windows orshred for Linux, to remove these files.

• Removal of historic cryptographic material is absolutely necessaryfor PCI DSS compliance.

• PCI DSS requires the secure removal of cryptographic key materialstored by previous versions of an application. Such removal ismandatory for PCI DSS compliance. During updates, CN!Express®

securely migrates legacy keys that were stored in the previousversion into the new version.

• CN!Express® requires the use of an external key server applicationor service (Key Service).

• The Key Service must:

– be PCI compliant.

– rotate keys at least once every 12 months.

– use strong encryption (such as 256-bit AES encryption)

CN!Express® Configuration

• External Key Manager Tab

• Select the Key Management software/service to which you willconnect.

• Enter the proper credentials.

• Encryption keys for all sensitive data are now managed externally.

• CN!Express® Stores Encrypted Cardholder Information:

• In embedded Firebird database contained in the Data subfolderunder the default installation directory.

• Or, in the remotely-installed Firebird database. Data locationsshould be listed and noted.

• In backup (gbk) files. Note the location as set in the CN!Express®

Configuration utility. Backup files are generated only for the em-bedded solution.

protect stored cardholder data 109

• If using the local embedded Firebird database, then securelydelete the database file: CNXAP.FDB. Also delete the backup files:cnxap\[The Date].GBK.

• If using the remote Firebird database, you must delete the CN!Express®

schema from the remote Firebird installation and remote files in amanner compliant with your PCI policies and procedures. Suchremoval is absolutely necessary for PCI DSS compliance.

• After the update from CN!Express®4.x to 5.0 CN!Express® will

immediately start using the new Key Manager based keys forall existing sensitive cardholder data. Transitory information(such as transactions held for end of day settlement and cachedPaymentVault™ data) will continue to use the old key. Such data istransitory and will be flushed from the system within a few hours(transactions queued for end of day) or days (PaymentVault™ datais cached depending on the number of days you have configuredto hold it in CN!Express®).

• If you are using PaymentVault™ CN!Express® will re-encrypt thehistoric data as it is retrieved from PaymentVault™ during normalUTID retrieval.

Clearing Sensitive Cardholder Data in Batch Transactions

CN!Express® supports sending batch authorization transactions.Authorization transactions may include sensitive cardholder data(CVV or CID). Because these are batch transactions, it is necessaryfor CN!Express® to temporarily store this information in its internaldatabase as the batch is prepared for transmission to the paymentprocessor.

To ensure that this data is not retained any longer than necessary,CN!Express® clears this information from its database when thebatch export file is generated (CN!Express® also never exports thisinformation).

On a general level, batch transmission through CN!Express®

works like this:

1. Merchant places a delimited-text file with batch transactions in theCN!Express® import directory.

2. CN!Express® reads in and parses this file, storing the informationin its internal database. For single-item files, CN!Express® doesnot store the information at all, but directly submits the transac-tion to the processor.

110 cn!express®

3. CN!Express® submits each item in the batch as an individual, on-line transaction, and updates its database with processor responseswhen these are received. Multiple transactions may be submittedsimultaneously.

4. When CN!Express® has received all of the responses for a batch, itreads the information out of the database for each transaction andbuilds and exports a delimited-text file.

CN!Express® clears the CVV from its internal storage as soon asthe response is received from the processor (step 3 above). In thedatabase, each transaction is stored as an "object," so updating atransaction with responses actually requires replacing that trans-action in the database with a new one. As soon as the response isreceived, CN!Express® clears the CVV from the transaction objectalong with writing the processor responses to it. It then overwritesthe transaction in the database with the new one, eliminating CVVfrom storage.

Secure Authentication Features

General

You must maintain secure authentication for access to all paymentprocessing applications and servers.

• Unique user IDs must be used for all administrative access toCN!Express®, CN!Express®, and PaymentVault™.

• All CN!Express®administration must occur on the server runningthe payment application.

• You must maintain PCI DSS compliant access and logins to theservers on which CN!Express®is installed.

• CN!Express® provides default accounts that must be replacedbefore running either program in Test or Production modes.

• CN!Express® passwords may be as long as 40 characters. Theymust be at least seven characters. This encourages the use of long,easily remembered passwords (sentences, poems, etc.) vs. shortcryptic passwords. Spaces and punctuation are acceptable pass-word characters. For PCI DSS compliance the password mustcontain both numbers and letters.

• CN!Express® maintains a history of the last four passwords usedand do not allow them to be reused.

• Passwords must be maintained according to company policiesand procedures. Specifically, PCI recommends that passwords bechanged every 90 days.

• You must not use administrative accounts for payment applicationlogins (e.g., don’t use the “sysdba” account for payment applica-tion access to the database).

• You must assign secure authentication default accounts (even ifthey won’t be used), and then disable or do not use the accounts.

112 cn!express®

• You must assign secure authentication for payment applicationsand systems whenever possible.

• You must create PCI DSS compliant secure authentication to accessthe payment application, per PCI DSS Requirements 8.5.8 through8.5.15.

• Changing “out of the box” installation settings for unique user-names and secure authentication will result in non-compliancewith PCI DSS.

• CN!Express® stores necessary database passwords in their respec-tive configuration files as encrypted data.

Replace Default Users

From the Configure/Administrater Users dialog:

• Create a new user.

• Set the User Type to Web Service or Web Console.

• Click the Manager checkbox to give Web Console users access toability to pause/resume CN!Express® or reload redo logs.

• Enter a strong password of at least seven (7) characters and bothalpha and numeric characters.

• Create a uinique user ID for each person requiring access to theCN!Express® console.

Provide Manager access only to those users who must man-age/control CN!Express® remotely.

If a Manager fails to log in after six attempts they are locked outof the system for 30 minutes. The exception to this is the WEB useraccounts for the real-time web transaction interface. A lock out in thisinstance would lead to a denial of service.

Manager accounts are automatically logged out after 15 minutesof inactivity. Non-managers users are not automatically logged outsince typically they are doing long-term monitoring.

Auric recommends that Manager accounts be used solely for start-ing/stopping CN!Express® remotely, and not for monitoring pur-poses.

Auric recommends that Manager accounts not be used to start/stopCN!Express in production – rather all stop/start actions should occurthrough the Windows System Manager.

Log Payment Application Activity

General

CN!Express® maintains a running log of Administrative, Manager,and Console users who connect. This log should be regularly moni-tored for failed log-in attempts.

• Use a Network Time Protocol service to ensure the time on theCN!Express®server is properly synchronized.

• Check the timezone and Daylight Savings/Standard Time flag isset properly on the servers.

• Check all logs on a daily basis.

• Provide a central log aggregator.

• For CN!Express® on Linux Auric recommends using the syslogsetting on the Advanced tab of the Configuration Utility to sendall CN!Express® logs to syslog.

• Implement automated audit trails to reconstruct the followingevents for all system components:

– All individual user access to cardholder data.

– All access to audit trails.

– All actions taken by any individual with root or administrativeprivileges.

– Access to all audit trails.

– Invalid logical access attempts.

– Use of identification and authentication mechanisms.

– Initialization of the audit logs.

– Creation and deletion of system-level objects.

• Record at least the following audit trail entries for each event forall system components:

114 cn!express®

– User identification

– Type of event

– Date and time

– Success or failure indication

– Origination of event

– Identity or name of affected data, system component, or re-source.

• CN!Express® has audit logs that are always active.

• You must capture and store these logs for at least one year tomaintain PCI compliance. Disabling logs will result in non-compliance with PCI DSS.

• Any attempt to disable these logs will result in non-compliancewith PCI DSS.

Centralized Logging

For the CN!Express® Linux version, Auric recommends using thesyslog option available in the Advanced tab of the CN!Express® Con-figuration Utility. This ensures that all CN!Express® logs are sent di-rectly to the local syslog process. This syslog can then be forwardedto a central logging facility for archiving.

The CN!Express® console user log maintains a running log ofManager and Console users who connect to CN!Express®. This logshould be regularly monitored for failed log-in attempts.

The CN!Express® audit log provides a list of activities performedby Manager. Console users can only Monitor CN!Express® activity.This log contains both the users log-in name and a date/time stampat which the activity occurred.

These logs are stored as simple text files that are easily reviewed.From the Configure/E-Mail Notification dialog:

• check All Logs to have the daily logs automatically emailed to you.

• configure the settings for your SMTP mail server.

• select a time at which the logs should be emailed to you.

• check Login Report to receive an email whenever anyone logs intoCN!Express®.

Develop Secure Payment Applications

General

This section of the PA-DSS standard is heavily focused on the devel-opment of secure web (public Internet-accessible) applications.

Although CN!Express® has web interfaces, it is not a web appli-cation and is not designed to be implemented directly on the publicInternet. CN!Express® is designed for use only on internal networks.See the Facilitate Secure Network Implementation section for recom-mendations on secure network implementation.

Where applicable, Auric Systems International follows the OpenWeb Application Security Project (OWASP) guidelines available athttp://www.owasp.org. Auric Systems International recommendsanyone integrating payment processing into their web site also followthe OWASP guidelines.

Required Protocols and Services

The following protocols and services are required for general opera-tion of the CN!Express® service:

1. Incoming

(a) HTTPS or HTTP

2. Outgoing connection TCP/IP socket connection to Firebirddatabase if using a remote Firebirdinstallation.(a) HTTPS to payment processors

(b) syslog (Linux® only)

(c) HTTP to AKMP™ on localhost

(d) HTTP to PaymentVault™ on localhost (optional)

Note: All external communications to CN!Express® must occurover a secured channel, specifically HTTPS. If CN!Express® shouldbe configured to run behind a proxy server or secure tunnel such asApache, nginx, or stunnel which is configured on the same physical

http://www.owasp.org

116 cn!express®

server. When behind a proxy or secure tunnel, CN!Express® shouldbe configured to use HTTP. Otherwise, CN!Express® must be config-ured to use HTTPS.

Protect Wireless Transmissions

General

A CN!Express® implementation neither requires nor recommends theuse of wireless networking.

If CN!Express®is integrated into a system using wireless paymentapplications, you must address the PCI compliance requirementsincluding:

• Install perimeter firewalls between any wireless networks and thecardholder data environment, and such firewalls must deny orcontrol any traffic from the wireless environment into the card-holder data environment.

• Change wireless vendor defaults including but not limited to keys,passwords, and SNMP community strings. Ensure wireless devicesecurity settings are enabled for strong encryption technology forauthentication and transmission.

• Use industry best practices (for example, IEEE 802.11i) to im-plement strong encryption for authentication transmission. It isprohibited to implement WEP if wireless networks are used in theCustomers payment environment.

• Proper key rotation

• Removal of all default keys from wireless equipment

Test Payment Applications to Address Vulnerabilities

General

In addition to on-going internal testing Auric Systems Internationalmonitors outside security sources and product-specific mailing liststo check for product vulnerabilities. If a vulnerability is found inthe CN!Express® you will be so informed via a security alert and atimely correction will be provided.

Facilitate Secure Network Implementation

General

The accompanying diagram shows a secure CN!Express® networkimplementation.

• Operate CN!Express® on it’s own, separate server.

• Isolate the CN!Express® server from the public Internet.

• Maintain your web server in a DMZ as shown in the diagram.

• Do not run CN!Express® in the DMZ (where the Web Server orWireless Application Server are shown in the diagram).

• If your application must use wireless, provide wireless accessthrough a separate firewall and isolate the application server.

Cardholder Data Must Never Be Stored on a Server Con-nected To the Internet

General

CN!Express® runs on the local, private network and not in either theDMZ or on a server directly connected to the Internet.

You must never store cardholder data on Internet-accessible sys-tems (e.g., web server and database server must not be on sameserver).

Facilitate Secure Remote Access to and Updates of Pay-ment Application

General

• Auric does not have remote access to the system where CN!Express®

is installed.

• Whenever accessing the system where CN!Express® is installed,you must use two-factor authentication (i.e., username and pass-word plus an additional authentication item such as a token orcertificate).

• Any integrator that has remote access to the system where CN!Express®

is installed must use and implement remote access software secu-rity procedures. For example:

– Change default settings in the remote access software (for ex-ample, change default Passwords and use unique Passwords foreach customer).

– Allow connections only from specific (known) IP/MAC ad-dresses.

– Use strong authentication or complex Passwords for logins.

– Enable encrypted data transmission.

– Enable account lockout after a certain number of failed loginattempts.

– Configure the system so a remote user must establish a VirtualPrivate Network ("VPN") connection via a firewall before accessis allowed.

– Enable the logging function.

– Restrict access to customer Passwords to authorized reseller/integratorpersonnel.

– Establish customer Passwords according to PCI DSS require-ments 8.1, 8.2, 8.4, and 8.5.

126 cn!express®

All remote access to the CN!Express® server is via the CN!Express®

Web Console.CN!Express® supports HTTPS connections to the Web Console.

This console is for use within your corporate network. Never provideaccess from the Internet to the Web Console.

Credit card information is not accessible via the Web Console.

Facilitate Secure Remote Software Updates

General

Auric does not force automatic updates to CN!Express®.

• The latest updates for CN!Express® are always available for imme-diate download from the Auric Systems International web site athttps://www.AuricSystems.com/.

• Both MD5 and SHA256 hashes are provided on the Auric SystemsInternational web site.

• For additional security, contact Auric Support to receive the officialMD5 and/or SHA256 hash sums for that release via email. Afterdownloading the release or update, you should perform your ownMD5 and/or SHA256 calculation on the downloaded file to checkthe hashes before installing. Auric Systems International providestools to perform these calculations, but recommends you use third-party tools to ensure integrity.

https://www.AuricSystems.com/

Encrypt Sensitive Traffic Over Public Networks

General

• CN!Express® is designed for installation on a private network –not a public network. As such, sensitive incoming traffic is notcommunicated over the public network.

• CN!Express® has no facility for emailing credit card information.

• Never email sensitive credit card information in an unencryptedform.

• If you should transmit any cardholder data over the public Inter-net, you must use secure encryption transmission technology (forexample, IPSEC, VPN, SSH, or SSL/TLS).

CN!Express® sends transactions to payment processor gatewaysusing secure HTTPS protocols as defined by the specific gatewayprovider.

Encrypt all Non-Console Administrative Access

General

Any remote connection into a server running CN!Express® must beencrypted and secure.

1. For Windows®, the Remote Desktop client must be set to themaximum level of encryption.

2. For Linux® use ssh or ssl with strong encryption.

3. For either operating system, use a VPN with strong encryption.

On Windows®

• All administrative access to CN!Express® is through the CN!Express®

Configuration Utility which must be run on the same machine asCN!Express®.

• Access to the CN!Express® Configuration Utility is maintained byoperating-system level user permissions.

• All configuration changes must occur through the CN!Express®

Configuration Utility.

On Linux®

• All CN!Express® configuration must occur through the CN!Express®

Configuration Utility which must be restricted to the fewest num-ber of people.

• Access to the generated cnxap.conf and cnxap_settings.xml filesmust be similarly restricted.

• The generated cnxap.conf and cnxap_settings.xml files must besecurely transferred to the production environment.

Maintain Instructional Documentation and TrainingPrograms

General

This document provides the basis from which all Customers, Re-sellers, and Integrators learn the prudent practices and recommenda-tions for installing CN!Express® in a PCI compliant manner.

Customers, Resellers, and Integrators should maintain theirown, internal PCI compliance training for their personnel to en-sure they are familiar with the PCI-compliance aspects of runningCN!Express®.

Additional phone training is available upon request. Please contactsupport at: [email protected] or 603.924.6079

mailto:[email protected]

Secure File Deletion

General

CN!Express® supports secure file deletion methods. Normally, filesdeleted using the standard services provided by the operating systemdo not erase the actual data in the file. Files deleted this way canbe easily recovered using software "undelete" tools. Even files thathave been overwritten can sometimes be recovered using additionalhardware and sophisticated forensic techniques.

CN!Express® offers three deletion choices ranging from the quick(but not secure) standard operating system delete to a multi-passsecure deletion:

• Quick Delete

• One-Pass Overwrite and Delete

• Multi-Pass Overwrite and Delete

Because the multi-pass secure deletion requires 35 write passes When using journaling file systemsor SSD drives a multi-pass deletionmay no longer be necessary due tothe manner in which data is storedon these configurations. Refer to yourcorporate security policies in regards tosecurely disposing data stored on thesetechnologies.

over the file, some sites may determine this consumes too muchtime or causes too much hard disk activity and interferes with otherservices. To address this, CN!Express® provides a one-pass securedelete that simply overwrites the file data with 0’s before deleting.

Quick Delete

• Uses standard operating system calls.

• Doesn’t overwrite any of the file (typically only the directory entryis updated) and so is very fast.

• File data is easily recovered if this option is used.

One-Pass Overwrite

• File is overwritten with a single pass of binary zeros.

• This makes it difficult to recover the file using "undelete" tools.

136 cn!express®

• Theorectically, the file data might still be recoverable using sophis-ticated forensic tools.

Multi-Pass Overwrite and Delete

• Overwrites file data with 35 passes using various data patterns.

• The 35 overwrite patterns, though possibly considered excessivefor modern drives, is specifically designed to make data recoveryextremely difficult.

• The pattern was developed by Peter Gutmann, and is often thepattern used by secure deletion utilities.

• Gutmann’s paper describing the pattern can be found at: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html.

During operation, the secure deletion applies to all imported files.During uninstall, the secure deletion applies to the configuration andembedded database files.

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Key Management

General

Key Management is beyond the scope of this document.CN!Express® currently supports external Key Management Soft-

ware and Services. All key management is performed via those ser-vices.

You must select and implement a key management system thatmeets your PCI requirements.

Refer to the PCI Implementation Guide of the AKMP™ User Man-ual for details on using AKMP™ with the default n-key™ encryptionkey management service.

Internal Encryption

General

CN!Express® uses a variety of encryption techniques, both to followindustry rules regarding the storage of sensitive information and tohelp reduce the exposure of cardholder data to unauthorized access.

CN!Express® uses encryption in the following areas:

• Communicating with the payment processor.

• Encrypted Web Traffic

• Batch Import/Export Files

• Stored Data

Communicating with the Payment Processor

CN!Express® communicates with each processor using the protocolsprovided by that processor. When communicating with processorsover the Internet CN!Express® uses the encryption mechanismsprovided by each processor. The typical communication method isHTTPS.

Encrypted Web Traffic

CN!Express® contains an embedded HTTP/S web server throughwhich real-time transactions can be processed. Since CN!Express®

is implemented on a company’s private, and not public, network,use of HTTPS security is not required by either the PA-DSS or PCIstandards. Auric Systems International recommends CN!Express®

be implemented behind a secure proxy or tunnel (Apache, nginx, orstunnel) that provides externally-facing HTTPS encryption.

140 cn!express®

Batch Import/Export Files

• CN!Express® can import and export delimited text files that areexternally encrypted using 256-bit AES encryption.

• Import and export file encryption is recommended to ensure thattransaction data is not exposed while the files reside on the filesys-tem. Export encryption is optional if no sensitive data is exported.

• See the File Encryption Format chapter for details.

Stored Data

CN!Express® encrypts sensitive fields stored in the database using256-bit AES encryption.

The following fields are encrypted:

• Account

• CVV/CID (batch only)

• Customer Social Security Number

• Customer Drivers License Number

• Customer Date of Birth

The ability to encrypt/store the CVV value during batch importremains in the product as historical capability. You must never pro-cess CVV data through the batch interface.

All keys are managed via the external Key Management system.

Encrypting Import/Export Files

General

CN!Express® supports encrypted import and export files. These filesare encrypted using the 256-bit AES encryption standard. Import andexport file encryption is recommended to ensure that transaction datais not exposed while the files reside on the file system.

Since AES is a symmetric algorithm, CN!Express® and the externalencryption program must have access to the same key. A key consistsof any series of 256 bits. CN!Express® can:

Generate keys Generate a random import/export encryption key thenencrypt and store the key in the database. A copy of the key iswritten to an external file for use by the external encrypting appli-cation. Treat this key in compliance with your company securitypolicy.

Import keys Read a file containing the encryption key and use thatkey for future import/export file decryption/encryption. The keymay be one previously exported from Trevance®, or one createdexternally.

Export keys The import/export encryption key may be exported atany time.

Encryption Key

The CN!Express® key file format is:

• The file must contain a single key.

• The file must contain the key encoded using Base64 (http://www.ietf.org/rfc/rfc3548.txt).

• The raw key must be 256-bits, or 32 bytes. Because Base64-encodedtext has a 4:3 expansion ratio, the encoded key is a single line oftext, 44 characters in length.

142 cn!express®

Line by Line Encryption

Batch files are encrypted line-by-line. Each line in the encryptedbatch file represents a line in the plaintext batch file.

The line-by-line approach is taken to ensure both CN!Express®

and your external encryption routines can better handle the data ina secure manner. Import and export files can be quite large (10s or100s of thousands of lines). If the file was encrypted as one item, itwould be difficult to decrypt it at import time without creating anintermediate plaintext version. Since the goal of the encrypted batchfile is to have end-to-end encrypted file handling, Auric selected theline-by-line approach. Algorithms such as PGP which are blockedorient are not suitable for encrypting large files without ever writingto the disk. The line-by-line method is better suited for encryptingand decrypting large line-oriented files in a secure streamed manner.

The end-of-line characters (CR/LF) are not part of the encryptedline. End-of-line characters separate each line in the encrypted file.

Each line must be encrypted using AES with an 8-bit cipherfeedback-chaining mode. The initialization vector must be set to128 ’0’ bits. After encryption, each encrypted line is encoded usingBase64 and written to the file.

File Format

The line-by-line encryption format adds a 16-character randomiza-tion factor to the beginning of each line. This ensures that plaintextimport lines that start with identical values (e.g., Merchant Identi-fiers, Order numbers with leading 0s, etc.) do not generate encryptedtext that starts with identical values. Before encryption, each plain-text line must be prefixed with a 16-character string in the followingformat: xxSSMMHHddmmYYYY. Where:

xx Random two-digit number

SS Seconds

MM Minutes

HH Hour

dd Day

mm Month

YYYY Four-digit year

This same 16-character pattern is prefixed to each exported plain-text line before exports are encrypted.

encrypting import/export files 143

Import and Export file encryption is controlled separately.

Part IV

Appendices

Action Codes

The action to take, or the type of the transaction, such as authorize,capture, or refund. These action codes are specific to CN!Express®—they are not the same as the action codes or transaction types under-stood by the various gateways.CN!Express® translates these codes asappropriate for each back-end gateway.

Table 8: CN!Express® action codes.

A, C4, C6 Authorize Obtain an authorization for this transac-tion. Used when you intend to capturefunds at a later time, such as when theproduct ships.

AC Authenticate Customer Used for Bill Me Later transactions onMerchant e-Solutions gateway only

AO ActivateOnly Stored Value Card Activate Only. Ac-tivate an existing account withoutaffecting its value.

AV AddValue Stored Value Card AddValue. Addvalue to a stored value/gift card.

BA Balance Stored Value Card Balance. Retrieve thebalance for a stored value/gift card.

CB CloseBatch Close the current batch (settle).

CF ConvertAmount Merchant e-Solutions only. Convertamount to different currency.

148 cn!express®

Code Action Code Description

CG GetCurrencyRate Merchant e-Solutions only. Retrieve ratefor individual currency or retrieve ratetable.

CL Close Stored Value Card Close. Close a storedvalue/gift card account.

D,CO Deposit/Capture Mark a transaction for capture. Youmust have previously obtained an au-thorization for this transaction.

F Force/Voice Capture a transaction for which youdon’t have electronic authorization (youmay have voice authorization).

FD FinalDeposit PayPal specific. Capture funds for theorder and mark the order as complete.

GD GetDetails PayPal specific. Return the details for atransaction.

GP GetProfile Get Customer Profile Retrieve the cus-tomer information associated withan account. Currently supported forTenderCard only.

IC IdentifyCustomer Used for Bill Me Later and 3D-secureauthentication transactions on Merchante-Solutions gateway and for CardinalCentinel.

IS Issue Stored Value Card Issue. Activate anew account with a specified balance.If you include PREVACCT with thisaction, PREVACCT is assumed to repre-sent an account from a legacy gift cardprogram.

L Auth Reversal Litle specific. Requires inclusion ofPROCTID field, along with AUTH-CODE, AUTHDATE.

action codes 149


LC LookupCurrencyCode Merchant e-Solutions only. Return acurrency code for a country or an IPaddress.

OO OpenOrder PayPal specific. Open a new order.An order can contain several relatedtransactions.

PA PartialAuth If full funds are not available, authorizefor a lesser amount.

PR PartialRefund Refund part of a transaction.

Q Query PayPal and eBillMe only. Return infor-mation for active transactions (eBillMe),or for transactions that match a speci-fied criteria (PayPal).

R,C3 Refund Return funds to the account holder.

RA RefundAuthorization Obtain an authorization for a refundtransaction (debit cards only).

RD Redeem Stored Value Card RemoveValue. Re-move value (redeem) from a storedvalue/gift card.

RE Reauthorize Used for Bill Me Later transactions onMerchant e-Solutions gateway only.

S,C,C1 Sale Authorize and then immediately markthe transaction for capture.

SN ShipmentNotification Notify eBillMe of a shipment. eBillMeonly.

UO UpdateOrder Notify eBillMe of a change to an order.eBillMe only.

150 cn!express®


UP UpdateProfile Update Customer Profile Update cus-tomer information associated withan account. Currently supported forTenderCard only.

UQ UnallocatedQuery Return information on unallocatedpayments. eBillMe only.

V Void Undoes a mark-for-capture, but only ifthe capture has not been completed(typically all transactions that aremarked for capture are captured atthe end of the business day).

VR VoidRefund Void a pending refund transaction.

XF Transfer Stored Value Card Transfer. Transferthe entire balance from one account toanother.

• Not all actions are supported by all payment processors.

• C, CO, C1, C3, C4 and C6 are aliases that are provided for compat-ibility with legacy systems generating IC-Verify-style formats. Donot use these codes unless you need to integrate with an IC-Verify-style system.

ASI Response Codes

The numeric response code generated by CN!Express® (the responsecodes are common to all software built by Auric Systems Interna-tional). These codes are normalized across all divisions and paymentprocessors. Use this value to make programatic decisions on the dis-position of a transaction.

Table 9: CN!Express® response codes.

Code Description

100 Approved

101 Local duplicate detected

102 Accepted local capture with no match

103 Auth succeeded but capture failed

104 Auth succeeded but failed to save info

200 Declined

300 Processor reject

301 Local reject on user/password

302 Local reject

303 Processor unknown response

304 Error parsing processor response

305 Processor auth succeeded but settle failed

152 cn!express®

306 Processor auth succeeded settle status unknown

307 Processor settle status unknown

308 Processor duplicate

400 Not submitted

401 Terminated before request submitted

402 Local server busy

500 Submitted not returned

501 Terminated before response returned

502 Processor returned timeout status

600 Failed local capture with no match

601 Failed local capture

700 Failed local void (not in capture file)

701 Failed local void

800 Failed local refund (not authorized)

801 Failed local refund

Soft Descriptors

Soft Descriptor 1: SOFT1

Generally, a description of the payment that appears on the customerstatement. This field is used in different ways for different proces-sors.

Chase Paymentech Orbital Gateway

This field is used for both credit card and electronic check transac-tions. The description appears on the customer’s statement. If thisfield is blank, Chase Paymentech uses the default descriptor set forthe Division.

Credit Cards

The Merchant Name Descriptor field must not start with a space.There are three acceptable formats:

• A three (3) character company identifier, followed by an asterisk(*), and up to 18 character description.

• A seven (7) character company identifier, followed by an asterisk(*), and up to 14 character descriptor.

• A 12 character company identifier, followed by an asterisk (*), andup to nine (9) character descriptor.

The asterisk must be in position 4, 8, or 13. If necessary add spacesbetween the company name and the asterisk.

Electronic Checks

For Electronic Check Transactions, the first 15 characters of this fieldshould be used as the Doing Business As (DBA) Merchant Name.Both Descriptor fields are required when using descriptors withelectronic checks.

154 cn!express®

Litle & Co.

There are three acceptable formats:

• A three (3) character company identifier, followed by an asterisk(*), and up to 18 character description.

• A seven (7) character company identifier, followed by an asterisk(*), and up to 14 character descriptor.

• A 12 character company identifier, followed by an asterisk (*), andup to nine (9) character descriptor.

The asterisk must be in position 4, 8, or 13. If necessary add spacesbetween the company name and the asterisk.

Transfirst ePay

A 25-digit payment descriptor which will appear on the cardholder’sstatement.

Trident Payment Gateway

DBA name of the merchant. See also SOFT2, MSTATE, and MZCPC.

SOFT2


City or customer service phone number that will appear on the card-holder’s statement. If left blank, will default to the value set at ChasePaymentech. This field is used for both credit card and check transac-tions.

Credit Cards

The Merchant city or customer service phone number that will ap-pear on the cardholder’s statement. Recommended formats by mer-chant channel:

soft descriptors 155

Channel Format

Retail Store location city formatted asAAAAAAAAAAAAA

Direct Marketing Customer Service Phone Number formatted asNNN-NNN-NNNN or NNN-AAAAAAA

Store URL

Support Email address

Entering the Customer Service Phone Number is a requirement toqualify for Visa’s reduced Direct Marketing interchange rate.

Electronic Checks

The first ten (10) characters of this field (usually) appear on the cus-tomer’s statement. Both Descriptor fields are required when usingdescriptors with electronic checks.

Litle & Co.

For card not present, merchant customer service phone number.For US merchants, must be exactly 10 digits in length. For non-USmerchants, may be up to 13 digits. For retail, merchant location (city).

Trident Payment Gateway

DBA city of the merchant. See also SOFT1, MSTATE, and MZCPC.

Processor-Specific Attributes

CN!Express® maintains a set of fields for processor-specific at-tributes. These are specialty fields used in different ways by eachprocessor.


PROCATR1 The retry key. You can use this value to uniquely iden-tify a certain transaction through multiple retries. To do so, storethe response from this field. If a transaction must be retried, re-turn the response as PROCATR1 with the new submission toCN!Express®.

PROCATR2 Not Used

PROCATR3 Not Used

PROCATR4 Not Used

eBillMe

PROCATR1 The payment status, as shown in the following table.

Code Description

U Unpaid

P Partially Paid

F Fully Paid

PROCATR2 Payment status, as shown in the following table:

158 cn!express®

Code Description

U Unsuspect

S Suspect

C Confirmed

PROCATR3 The a list of suspect reasons (reasoncodes). Individualreason codes are separated by a "+" character.

PROCATR4 Not Used

Litle & Co.

PROCATR1 The retry key. You can use this value to uniquely iden-tify a certain transaction through multiple retries. To do so, storethe response from this field. If a transaction must be retried, re-turn the response as PROCATR1 with the new submission toCN!Express®.

PROCATR2 Litle’s Velocity Check flag. If imported to CN!Express®

as "0", velocity check is bypassed for this transaction. The defaultis "1", that is, velocity checking will be performed.

PROCATR3 Not Used

PROCATR4 Not Used

PayPal

PROCATR1 The parent transaction ID, the PayPal transaction IDof the preceding transaction in a sequence. Provided for trackingpurposes only.

PROCATR2 The PayPal TransactionType. Returned by GetDetailsand Query transactions. Some examples are ’cart’ or ’virtual-terminal’.

PROCATR3 PROCATR3 is the PayPal ReceiptID. Can be sent toCN!Express® as a search parameter for a Query transaction, orreturned by PayPal in response to a GetDetails transaction.

PROCATR4 The PayPal PaymentType. Indicates whether a paymentis instant or delayed.

processor-specific attributes 159

Cardinal Centinel

PROCATR1 The Order Channel, which may be sent to indicate thesource of the transaction. If sent, Order Channel must match oneof the following values:

Code Description

MARK Transaction initiated from the payment page.

CART Transaction initiated from the cart page.

CALLCENTER Transaction initiated from the call center.

WIDGET Transaction initiated from the widget.

PRODUCT Transaction initiated from the product.

1CLICK Transaction initiated from 1 Click.

PROCATR2 Not Used

PROCATR3 Not Used

PROCATR4 Not Used

Verified by Visa CAVV Response

The following table documents the result code returned during anAuthorization of a transaction that includes data from the Verified byVisa service.

Code Description

(Blank) CAVV not present.

0 CAVV not validated due to erroneous datasubmitted.

1 CAVV failed validation. This is an indication ofpotential bad or fraudulent data submitted asthe CAVV.

2 CAVV passed validation–Authentication Trans-action.

3 CAVV passed validation–Attempted Authenti-cation Transaction. Determined that the IssuerACS generated this value from the use of theIssuer’s CAVV key(s).

4 CAVV failed validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submitted asthe CAVV. Determined that Visa generated thisvalue from the use of CAVV key(s).

5 Reserved for future use.

162 cn!express®

Code Description

6 CAVV not validated Issuer not participating inCAVV validation. This value is generated whenan Issuer requests the "do not verify" flag to beestablished for its BINs. This parameter enablesan Issuer to temporarily stop CVV verifica-tion while resolving CAVV key issues. VisaNetprocesses this value as a valid CAVV.

7 CAVV failed validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submittedas the CAVV. CAVV generated with Visa KeyIssuer ACS unavailable.

8 CAVV passed validation Attempted Authenti-cation Transaction. CAVV generated with VisaKey.

9 CAVV Failed Validation Attempted Authen-tication Transaction. This is an indication ofpotential bad or fraudulent data submittedas the CAVV CAVV generated with Visa KeyIssuer ACS unavailable.

A CAVV passed validation Attempted Authenti-cation Transaction. CAVV generated with VisaKey Issuer ACS unavailable.

B CAVV passed validation Attempted Authenti-cation Transaction. No liability shift. Indicationthat the account number is a commercial card ora prepaid gift card or that this transaction wasan encrypted Internet transaction for which au-thentication was not provided–in other words, atypical HTTPS Web transaction.

C CAVV not validated Attempted Authentica-tion Transaction. Issuer did not return a CAVVresults code in the authorization response.VisaNet will treat this as a valid CAVV if theIssuer approved the transaction.

verified by visa cavv response 163

Code Description

D CAVV not validated Authentication. Issuerdid not return a CAVV results code in the au-thorization response. VisaNet will treat this asvalid CAVV if the Issuer approves the autho-rization.

I Invalid Security Data.

U Issuer does not participate or 3-D Secure datanot utilized.

Table 10: Verified by Visa CAVV Response Codes

ICV-Style Files

CN!Express® is able to communicate with third-party applicationsthat require ICVerify® style (ICV-style) import and export files. Thisappendix describes how to set up CN!Express® to be compatible withVersion 1 ICV-style files.

This functionality is provided strictly for backwards compatibilitywith legacy systems. Auric recommends you do not use this func-tionality unless you are integrating with software that requires thisformat.

Specifically, ICV-style transactions do not support either MerchantOrder Numbers or Card Security Codes (CVV2/CID). Modern pay-ment processors use Merchant Order Numbers in their reporting,reconciliation, and duplicate detection. Use of Card Security Codesshould be your first step towards reducing fraud. ICV-style Version 1

is an extremely old form of transaction format and should be movedaway from wherever possible.

Preparing for Configuration

The following table lists the ICV-style actions CN!Express® supports.Auric recommends not using the ICV-style Action codes unless inter-acting with a legacy ICV-style system.

Activating the ICV-Style Field

Refer to Chapter I: Configuring CN!Express® for general informationon configuring CN!Express® import/export capabilities. Before pro-cessing ICV-style transactions, you must first add the ICVResp fieldto the list of fields able to be imported/exported.

• Start the CN!Express® Settings Manager and click on the FileFormats tab.

• Click on Edit Format button for Import (or Export) files.

• Click on Fields to Include.

166 cn!express®

ICV-Style Action CN!Express®

Action Action

C1 Sale S or C

C2 Void V

CR

C3 Refund/Credit R

C4 Auth/Hold H

C5 Voice Authoriztion F

C6 Authorization Only A

CO Ship Z

Table 11: ICV-style action codes

• Scroll down to the Other group and click on the ’+’ to open.

• Scroll down to ICVRESP and check it.

• Click OK.

• After clicking OK, you’ll see there is a new ICV-Style Options areaavailable on the field configuration dialog.

Configuring ICV-Style Imports

Configure your import fields as follows:

• Action Code

• Comment 2 (ICVerify calls this the Clerk field)

• Comment 3 (ICVerify calls this the Member Number field)

• Account Number

• Credit Card Expiration Date

• Amount

• ZIP Code

• Address 1

icv-style files 167

Configuring ICV-Style Exports

Configure your export fields as follows:

• Action Code

• Comment 2 (ICVerify calls this the Clerk field.)

• Comment 3 (ICVerify calls this the Member Number field)

• Account Number

• Expiration Date

• Amount

• ZIP Code

• Address 1

• ICV Response

NOTE: Only export the account number if your legacy systemrequires it. Exporting account numbers is not good PCI securitypractice. Export a blank field instead, or ensure the account numberis truncated on export. In the CN!Express® Export Format dialog,ensure the ’Mask Sensitive Fields’ checkbox is checked.

ICV-Style Options

Following ICV-Style import/export options are available.

YYMM Exp Credit card expiration dates are usually imported inMM/YY format. ICV requires them to be in YYMM format.

Read Division from Comment 2 (’Clerk’) Import Only. The ICV-styleimport field historically consisted of a ’Clerk’ and a ’Merchant’section. The ’Merchant’ section is found between two tilde’s. Ex-ample: Clerk Name 185382 CN!Express® uses the value betweenthe two tildes, 185382 in the above example, as the CN!Express®

Division ID.

Include AVS Include ICV-style normalized Address Verification re-sponses. Second Line: When unchecked, the ICVRESP field isexported on the same line as all the other fields you have selected.If checked, the ICVRESP field is exported on a second line. Theother fields you have selected are exported on the first line Thisoption is available only when exporting delimited-style text files.

Repair Firebird® Database

It is rare to run into a corrupt Firebird®embedded database. Thespecific areas where we’ve seen this occur with any of the paymentapplications is when a server runs out of disk space. You shouldalways monitor your disk space on a regular basis and ensure yourlogs and backup files are being properly maintained.

If you should end up with a corrupt database, there’s several stepsthat you can take to recover. The necessary tools are provided as partof the general CN!Express® installation.

Windows®

All recovery work is done from the command line. The CN!Express®

installation includes a repair directory that by default installs atc:\AuricSystems\CN!Express\repair.

1. If you are running the default embedded database, shut downCN!Express® and make a copy of the database (cnxap.fdb). Callit cnx-orig.fdb. Copy the cnx-orig.fdb file to the repair directory.If you are not using the embedded database, perform the follow-ing commands while connected to the remote server.

2. From the command line, run the following command:

gfix -v -f -user userid -password passwd cnx-orig.fdb

You should see errors reported.

Note: Contact Auric Systems International tech support for userid/password.

3. Run the following command to prepare the database for recovery.

gfix -mend -user userid -password passwd cnx-orig.fdb

4. Now back up the database:

gbak -b -g -user userid -password passwd cnx-orig.fdb cnx-orig.fbk

170 cn!express®

5. Now restore it as good:

gbak -c -user userid -password passwd cnx-orig.fbk cnx-good.fdb

6. Check to see there are no problems:

gfix -v -f -user userid -password passwd cnx-good.fdb

You should not see any errors. If there are errors, contact AuricSystems International technical support for further instructions.

7. Shut down CN!Express®. Rename cnxap.fdb to cnxap.fdb.bad

8. Copy cnx-good.fdb to the data directory.

9. Rename cnx-good.fdb to cnxap.fdb.

10. Restart CN!Express®.

Remote Firebird® Database

Contact Auric Systems International support for details.

Secure Deletion: sdel

CN!Express® ships with a custom secure deletion routine: sdel. OnWindows® and Linux®, sdel ships as a pre-built executable. Thesource code is available for review in the sample code directory.

By default, sdel performs a series of seven (7) overwrites of theentire file contents, each time with a different byte value. It thenperforms two last overwrites of the file contents, first filling it with all255’s and then filling it with 0’s, before actually deleting the file.

If your security policies require a more stringent deletion process,you can modify sdel to perform the additional overwrites. The sdelcode also contains an implementation of the Gutmann overwritepatterns which are typically considered overkill for modern datastorage elements. It is provided here as an option should you decideto use it.

The sdel program can be used outside of CN!Express® itself.

Field Reference

Table 12: CN!Express® field reference.

ACCT: AccountGroup: Common Request FieldsSample: 4111-1111-1111-1111

Credit Card, Purchase Card, Debit Card, or Checking Account number. CreditCard, Purchase Card, and Debit Card numbers may contain dashes (’-’) orspaces. Checking account numbers should not have spaces. For transactionsusing Track 1 or Track 2 data, the account field is extracted from the trackdata and returned to the caller. The account field is masked on export (lastfour digits) by default. If PROCTID or CNXTID are not retained (which isrecommended practice), merchants using separate authorization and capturetransactions must retain the auhorization account number for later capture.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

ACTION: ActionGroup: Common Request FieldsSample: AThe action to take, or the type of the transaction, such as authorize, capture,or refund. These action codes are specific to CN!Express®—they are not thesame as the action codes or transaction types understood by the various gate-ways. CN!Express® translates these codes as appropriate for each back-end gate-way. See Appendix IV (Action Codes) for a list of supported ACTION values.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

174 cn!express®

ACTVDATE: Activity DateGroup: OtherSample: 3/1/2010 14:22:31

Date and time at which the transaction was processed. For an autho-rization, this is the time the authorization was obtained. For a cap-ture, this is the time the item was marked for capture. CN!Express®—not the payment processor—generates this value. The server onwhich CN!Express® is running determines the date and time value.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

ADDRVRFD: Address VerifiedGroup: PayPalSample: 1

A boolean field returned by PayPal if the payer’s address has been verified.Processors Supported: PayPal Express Checkoutonly.

ALTTXAMT: Alternate Tax AmountGroup: PC Level 3/Detail RecordsSample: 1.00

Used only for MasterCard Purchase Card Level 3 transactions. To-tal amount of alternate tax associated with this transaction. If thisfield is populated (including zero filled) Alternate Tax ID is required.Processors Supported: Chase Paymentech Orbital Gatewayonly.

ALTTXID: Alternate Tax IDGroup: PC Level 3/Detail RecordsSample: 01-234-5678

Used only for MasterCard Purchase Card Level 3 transactions.Tax ID number for the alternate tax associated with this transac-tion. Required if there is an amount in Alternate Tax Amount.Processors Supported: Chase Paymentech Orbital Gatewayonly.

field reference 175

AMT: AmountGroup: Common Request FieldsSample: 34.00

Amount of this transaction. The decimal point and the two digits tothe right of the decimal place are required except when processingYen. When processing Yen, the decimal place and digits to the rightare not allowed. Amounts must not contain commas or currency sym-bol. $1,000.00 is incorrect. 1000.00 is correct. Minimum amount for allcard types is $0.01 USD (or established international currency equiva-lent). This amount is in the currently selected currency for the division.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

AMTDUE: Amount DueGroup: Gift/Prepaid CardsSample: 10.00

Gift cards only. If the division is set up for amount due processing,the processor will approve redemption amounts greater than the avail-able balance. After approval, the available balance (CURBAL) will beset to zero. CN!Express® also calculates the amount due (redemp-tion amount-available balance) and return this value in AMTDUE.Processors Supported: eBillMe, TenderCard.

ASIRESP: ASI ResponseGroup: Common Response FieldsSample: 100

The numeric response code generated by CN!Express® (the responsecodes are common to all software built by Auric Systems International).These codes are normalized across all divisions and payment proces-sors. Use this value to make programatic decisions on the disposi-tion of a transaction. See Appendix IV (ASI Response Codes) for list.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway.

176 cn!express®

AUACCT: Account Updater New Account NumberGroup: Account UpdaterSample: 4111-1111-1111-1111

Automatic account updater new account number. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new account number will be returnedin this field for transactions where there was an account change.Processors Supported: Litle & Co.only.

AUCRDTYP: Account Updater New Card TypeGroup: Account UpdaterSample: MCAutomatic account updater new card type. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new card type will be returned inthis field for transactions where there was an account change.Processors Supported: Litle & Co.only.

AUCTBYR: Auction Buyer IDGroup: PayPalSample: 1234565

Returned by PayPal in response to a GetDetails transaction. The customer’s auc-tion ID.Processors Supported: PayPal Express Checkoutonly.

AUCTDATE: Auction Closing DateGroup: PayPalSample: 3/1/2010

Returned by PayPal in response to a GetDetails transaction. The auctions’s closedate.Processors Supported: PayPal Express Checkoutonly.

AUCTITM: Auction Item NumberGroup: PayPalSample: 99

Can be specified in a PayPal Query transaction. Search by the auction item num-ber.Processors Supported: PayPal Express Checkoutonly.

field reference 177

AUCTMULT: Auction Multi-Item CounterGroup: PayPalSample: 22

Returned by PayPal in response to a GetDetails transac-tion. The counter value in a multi-item auction payment.Processors Supported: PayPal Express Checkoutonly.

AUEXP: Account Updater New Expiration DateGroup: Account UpdaterSample: 0414

Automatic account updater new account number. Currently sup-ported for Litle only. If merchant is signed up for Litle Auto-matic Account Updater, the new expiration date will be returnedin this field for transactions where there was an account change.Processors Supported: Litle & Co.only.

AUORCODE: Account Updater Original Response CodeGroup: Account UpdaterSample: 501

Currently supported for Litle only. If merchant is signed up forLitle Automatic Account Updater, and a new account number is re-turned (AUACCT), this field will contain the response code for theoriginal transaction (using the old accoun t number before update).Processors Supported: Litle & Co.only.

AUORTEXT: Account Updater Original Response TextGroup: Account UpdaterSample: The account was closedCurrently supported for Litle only. If merchant is signed up forLitle Automatic Account Updater, and a new account number is re-turned (AUACCT), this field will contain the response text for theoriginal transaction (using the old account number before update).Processors Supported: Litle & Co.only.

178 cn!express®

AUTHAMT: Total Authorized AmountGroup: Separate Auth/CaptureSample: 1.00

The current amount authorized for deposit. For ChasePaymentech Or-bital Gateway, used only for Void transactions. If specified, CN!Express®

will perform a partial void, voiding only this amount. For Transfirst ePay,an optional field that specifies the amount of the current authorization.Processors Supported: Litle & Co., Moneris Solutions, Chase Paymentech Or-bital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard, Transfirst ePay.

AUTHCODE: Authorization CodeGroup: Common Response FieldsSample: 123456

The authorization code returned by the payment processor. This is re-turned for Authorize and Sale transactions. If you do not track and returnthe CNXTID or PROCTID (which is the recommended practice), you mustreturn the authorization code with a Deposit transaction. Authorizationcodes are most important for credit card transactions. Electronic check anddebit card transactions may return blank or dummy values. Except for BMLtransactions, AUTHCODE will always be six characters or fewer in length.Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,TenderCard, Trident Payment Gateway, Transfirst ePay.

AUTHDATE: Authorized Date (may include time)Group: Common Response FieldsSample: 3/1/2010

The date on which an authorization was obtained. This is re-turned by the payment processor after an Authorization transaction.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, PayPal ExpressCheckout, Trident Payment Gateway, Transfirst ePay.

field reference 179

AUTHMOP: Auth MOPGroup: Debit CardsSample: PPThe authorizing method of payment. Retuned by the payment proces-sor after a debit card authorization. This field tells the specific typeof debit card that was used. If not using CNXTID or PROCTID, youmust return the AUTHMOP when settling debit card transactions.Processors Supported: Local field/reserved for future use.

AUTHSRC: Authorization Source CodeGroup: Credit Card Authorization SpecificsSample: EReturned by Transfirst ePay. Indicates the source of the authorization.Processors Supported: Transfirst ePayonly.

AUTHSRCP: Authorization Source PlatformGroup: VbV/Secure CodeSample: AOptional for 3D Secure (Verified by Visa or MasterCard SecureCode) transac-tions.

Code Description

A Application processing

B Batch capture, recurring or mail order

C Call center

F Fulfillment/order management

K Kiosk

M Mobile device gateway

P Processor or gateway reauthorization

R Retail POS

Processors Supported: Litle & Co.only.

180 cn!express®

AUTHTCID: Authentication IDGroup: VbV/Secure CodeSample: lK2876Hst6259ar3

Used for 3D Secure authentication on Merchant e-Solutions plat-form. Returned with the Identify Customer (IC) response. In-clude this field along with the payload returned from authen-tication redirect with the authorization or sale transaction.Processors Supported: Trident Payment Gatewayonly.

AVREQ: AVS RequestedGroup: AVSSample: 1

Currently unused. A boolean value that specifies whether or not Ad-dress Verification Service was requested. CN!Express® automat-ically requests AVS whenever sufficient information is available.Processors Supported: Local field/reserved for future use.

AVSRESP: AVS ResponseGroup: AVSSample: I3Address Verification Service response code returnedby processor, if AVS is used. Otherwise blank. See pay-ment processor documentation for specific response codes.Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,Trident Payment Gateway, Transfirst ePay.

AVSTEXT: AVS MessageGroup: AVSSample: I3 – Match Except +4

Textual description of the AVS response code.Processors Supported: Local field/reserved for future use.

BATCHID: Batch IDGroup: OtherSample: BATCHIDThis field is provided for compatibility with the Trevance®

transaction gateway and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.

field reference 181

BILLADD1: BillAddress:Address 1

Group: AVSSample: 22 Sample LaneFirst address line of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, TenderCard, Trident Payment Gateway, Transfirst ePay.

BILLADD2: BillAddress:Address 2

Group: AVSSample: PO Box 22

Second address line of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.

BILLAPT: BillAddress:AptGroup: Other AddressesSample: 22

Apartment portion of customer billing address. This field is not sent to the pay-ment processor.Processors Supported: Local field/reserved for future use.

BILLCITY: BillAddress:CityGroup: AVSSample: PeterboroughCity portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard,Trident Payment Gateway, Transfirst ePay.

BILLCO: BillAddress:CompanyGroup: Other AddressesSample: Example Corp.The payer’s company name.Processors Supported: First Data Global Gateway, PayPal Express Checkout.

182 cn!express®

BILLCTRY: BillAddress:CountryGroup: AVSSample: USCountry portion of customer billing address. AVS is available only forthese countries. You must specify the country using one of the followingvalues. If this field is not specified, CN!Express® assumes a US address.

Code Country

US USA

USA USA

CA Canada

GB UK

UK UK

If the country is not in this list, use the two-letter ISO code

for the country.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.

BILLEMAL: BillAddress:EmailGroup: Other AddressesSample: [email protected] portion of customer billing address.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, PayPal Express Checkout, TenderCard, Trident Payment Gateway, Trans-first ePay.

BILLFNAM: BillAddress:First NameGroup: Customer NameSample: JohnCustomer’s first name on card or checking account. Specify either the namecomponents (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name (BILL-NAME), depending on how these fields are used in your implementation.Processors Supported: All processors.

field reference 183

BILLHPHO: BillAddress:Home PhoneGroup: Other AddressesSample: 6035551212

Home phone portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, Trident Pay-ment Gateway, Transfirst ePay.

BILLLNAM: BillAddress:Last NameGroup: Customer NameSample: SmithCustomer’s last name on card or checking account. Specify either the namecomponents (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name (BILL-NAME), depending on how these fields are used in your implementation.Processors Supported: All processors.

BILLMI: BillAddress:Middle InitialGroup: Customer NameSample: ACustomer’s middle initial (not a middle name). Do not use for compound lastnames (e.g., van Beethoven); put the entire last name in the BILLLNAM fieldProcessors Supported: All processors.

BILLNAME: Customer Full NameGroup: Customer NameSample: John SmithCustomer’s full name as it appears on card or checking account. Specify eitherthe name components (e.g., BILLFNAM, BILLMI, BILLLNAM) or the full name(BILLNAME), depending on how these fields are used in your implementation.Processors Supported: All processors.

BILLRREF: Biller ReferenceGroup: OtherSample: BILLER REFAn optional reference number that can be used by the merchant to identify thecustomer.Processors Supported: Litle & Co., Moneris Solutions, PayPal Payflow Pro,Trident Payment Gateway, Transfirst ePay.

184 cn!express®

BILLSALU: BillAddress:SalutationGroup: Customer NameSample: Ms.The billing name salutation (e.g., "Mr.")Processors Supported: PayPal Express Checkoutonly.

BILLSTPR: BillAddress:State/ProvinceGroup: AVSSample: NHUS State or Canadian Province Code portion of customer billing address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, TenderCard,Trident Payment Gateway, Transfirst ePay.

BILLSUFX: BillAddress:SuffixGroup: Customer NameSample: Jr.The billing name suffix (e.g., "Jr.")Processors Supported: PayPal Express Checkoutonly.

BILLWPHO: BillAddress:Work PhoneGroup: Other AddressesSample: 6032222222

Work phone number of customer billing address.Processors Supported: eBillMe, Litle & Co., Tsys PayFuse, Trident PaymentGateway.

field reference 185

BILLZCPC: BillAddress:ZIP/Postal CodeGroup: AVSSample: 03458

A five-digit US Zip Code, ten-character Zip+4, seven-character Canadian Postal Code or UK Postal Code. (UK AVSis supported by Chase Paymentech Orbital Gateway only).

Format Country

NNNNN US

NNNNN-NNNN US

ANAANA CAN

ANA ANA CAN

AN NAA UK

ANA NAA UK

ANN NAA UK

AAN NAA UK

AANN NAA UK

AANA NAA UK

Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., MonerisSolutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys Pay-Fuse, TenderCard, Trident Payment Gateway, Transfirst ePay.

BMLAUTH: BML Virtual Authentication KeyGroup: Bill Me LaterSample: ABCDUsed for BML transactions. Please see BML documentation for further informa-tion.Processors Supported: Litle & Co.only.

186 cn!express®

BMLAUTHP: BML Virtual Authentication Key Presence IndicatorGroup: Bill Me LaterSample: 1

Used for BML transactions. Please see BML documentation for further informa-tion.Processors Supported: Litle & Co.only.

BMLCAT: BML Item CategoryGroup: Bill Me LaterSample: 4000

Bill Me Later product description code assigned by processor. Can-not be all blanks. Required for Bill Me Later batch transactions.Processors Supported: Litle & Co., Trident Payment Gateway.

BMLCUST: BML Customer TypeGroup: Bill Me LaterSample: EIndicate if this is a new or existing Bill Me Later customer.

Code Description

E Existing

N New

Processors Supported: Local field/reserved for future use.

CAPAMT: Capture AmountGroup: PayPalSample: 4.00

The capture amount, returned by PayPal. This includes any currency conver-sion.Processors Supported: eBillMe, PayPal Express Checkout.

CAPCOMPL: Capture Complete–No further captures on this auth.Group: Additional Credit CardSample: 1

Processors Supported: PayPal Payflow Proonly.

field reference 187

CAPDATE: Captured DateGroup: Separate Auth/CaptureSample: 3/1/2010 14:22:31

Date and time at which the capture occurred. Returned by CN!Express® forC and D transactions. In most cases this value is returned by the processor,but if it is not provided, CN!Express® will return the local date at capture.Processors Supported: All processors.

CARDLEVL: Card Level ResultsGroup: Additional Credit CardSample: 00

This field is provided for compatibility with the Trevance®

transaction gateway, and is not used by CN!Express®.Processors Supported: Local field/reserved for future use.

CARDPRES: Card PresentGroup: RetailSample: 0

Indicate if the card was present when the transaction was originated.

Value Description

0 Card not present

1 Card present

W AMEX Transponder


188 cn!express®

CARDTYPE: Card TypeGroup: Credit CardsSample: MCType of credit or purchase card, for credit card transactions. If imported,value is only used if type cannot be determined from the account num-ber. If not imported, CN!Express® automatically generates a two-charactercode. Field is blank if transaction is not a credit card transaction (or creditcard account number is not valid). Card Type is case insensitive on import.

Code Description

AM American Express/Optima

CB Carte Blanche

DC Diners Club

DS Discover

JC JCB

MC MasterCard International

SW Switch/Solo

VI Visa

Processors Supported: All processors.

CARTRACK: Carrier Tracking NumberGroup: Shipment Address/InfoSample: 1Z9999W99999999999

The shipper’s tracking number for the order as delivered to the customer.Processors Supported: eBillMe, Chase Paymentech Orbital Gateway.

CASHBACK: Cashback AmountGroup: Debit CardsSample: 1.00

Amount (of the total amount) customer has requested forcashback. Used with PIN-based debit card transactions.Processors Supported: Local field/reserved for future use.

field reference 189

CATTYPE: CAT TypeGroup: Additional Credit CardSample: 1

Type of Card Activated Terminal. Used for Retail transactions. Valid values:

Code Description

1 Automated Dispensing Machine

2 Self Service Terminal

3 Limited Amount Terminal


CCAPCAPB: Card Capture CapabilityGroup: Additional Credit CardSample: 1

Describes the capture capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.

Code Description

0 Unknown

1 Capture


190 cn!express®

CDOPCAPB: Card Data Output CapabilityGroup: Additional Credit CardSample: 0

Describes the card-update capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.

Code Description

0 Unknown

1 None


CHATCAPB: Cardholder Authentication CapabilityGroup: Additional Credit CardSample: 0

Local field/reserved for future use. Describes the authentication capa-bility of the terminal. American Express only. This is additional infor-mation that you can specify to describe the transaction environment.

Code Description

0 Unknown or none

6 Other


field reference 191

CHATENT: Cardholder Authentication EntityGroup: Additional Credit CardSample: 0

Local field/reserved for future use. Indicates the entity that authenticatedthe card holder. Including this information may improve the interchange ratefor this transaction. Contact payment processor for specific requirements.

Code Description

0 Not authenticated

1 Chip card

2 Card acceptor device

4 Merchant

5 Other


CHECKNUM: Check NumberGroup: POP/ArcSample: 123

Optional check number for ACH and electronic checks. Required only for ARCand POP transactions.Processors Supported: Tsys PayFuseonly.

192 cn!express®

CHKTYPE: Checking Account TypeGroup: ChecksSample: CThe bank account type for check transactions.

Code Description

C Consumer Checking

S Consumer Savings

X Commercial Checking

See Debit Account type field for debit transactions.Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.

CHPRES: Cardholder PresentGroup: Additional Credit CardSample: 2

Indicates whether the customer is present or not, and, if not present,indicates the type of transaction. This is additional informationthat you can specify to describe the transaction environment.

Code Description

0 Present

1 Not present, unknown

2 Not present, mail order

3 Not present, telephone

4 Not present, standing auth

9 Not present recurring

S Not present, electronic


field reference 193

CMT1: Comment 1

Group: CommentsSample: Comment 1

Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted to thepayment processor only if processor is in supported list. ForCardinal Centinel, this field is sent as the Order Description.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, PayPalExpress Checkout, TenderCard, Trident Payment Gateway, Transfirst ePay.

CMT2: Comment 2


Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted tothe payment processor only if processor is in supported list.Processors Supported: First Data Global Gateway, PayPal Payflow Pro, PayPalExpress Checkout, Transfirst ePay.

CMT3: Comment 3


Free-form descriptive field. Although you can always use thisfield for your own comments, information is transmitted tothe payment processor only if processor is in supported list.Processors Supported: First Data Global Gateway, PayPal Express Checkout.

CMT4: Comment 4


Free-form descriptive field. For First Data Global Gateway, this com-ment is submitted as the "referred" field, and may be a URL. Forall other payment processors, this information is not submitted.Processors Supported: First Data Global Gatewayonly.

194 cn!express®

CNXORDR: CNX Order IDGroup: IdentifiersSample: 2398-cnx0-ORDThe order identifier as generated by CN!Express®. An order is a groupingof transactions related to an individual customer order. Not currently used,but completes the set of identifiers that may be used to identify a transaction.CNXTID is the CNX transaction ID. PROCTID is the processor’s transactionID. CNXORDR is the CNX order ID. PROCORDR is the processor’s order ID.Processors Supported: Local field/reserved for future use.

CNXTID: CNX Transaction IDGroup: IdentifiersSample: TID-cnx0-P23090

The identifier used by CN!Express® to refer to a single transaction. Thisis returned for all transactions. You can return this field or CNXTID toCN!Express® when processing a later transaction (for example, return theCNXTID associated with an authorization when capturing the transaction).Processors Supported: All processors.

COMCRDTY: Commercial Card TypeGroup: PC Level 2

Sample: BDescribes the type of Commercial Card (Purchase Card) used for this transac-tion.Processors Supported: PayPal Payflow Proonly.

CRDTLINE: Customer Credit LineGroup: Customer InfomationSample: 1000.00

Customer credit line. May be returned by Bill Me Later.Processors Supported: Litle & Co.only.

CRTDDATE: Created DateGroup: OtherSample: 3/1/2010 14:22:31

Date and Time at which the transaction was created in CN!Express®

database. Useful for tracking transaction flow or debugging purposes.Processors Supported: All processors.

field reference 195

CUR: CurrencyGroup: OtherSample: USDThe three-letter code that specifies the currency for the transaction. Proces-sors associate currency types with merchant numbers/divisions. Typically,you will set up currency as a default value per division in CN!Express®

and not import currencies with each transaction. The following table listssome typical currencies. Not all processors support all currency types.

Code Description

AUD, 036 Australian Dollar

GBP, 826 British Pounds Sterling

CAD, 124 Canadian Dollar

DKK, 208 Danish Krone (Krona)

EUR, 978 Euro

HKD, 344 Hong Kong Dollar

JPY, 392 Japanese Yen

NZD, 554 New Zealand Dollar

NOK, 578 Norwegian Krone (Krona)

SGD, 702 Singapore Dollar

ZAR, 710 South African Rand

SEK, 752 Swedish Krona

CHF, 756 Swiss Franc

USD, 840 US Dollar

Processors Supported: Cardinal Centinel, eBillMe, Chase Paymentech OrbitalGateway, Tsys PayFuse, PayPal Express Checkout, Trident Payment Gateway.

196 cn!express®

CURBAL: Current BalanceGroup: Gift/Prepaid CardsSample: 10.00

Currently supported for gift cards only. The current balance on the account.Processors Supported: Litle & Co., PayPal Payflow Pro, TenderCard.

CUSTACPH: Customer Accept HeaderGroup: ECommerce Customer InfoSample: text/plainThe customer HTTP accept header.Processors Supported: Cardinal Centinelonly.

CUSTADCH: Customer Changed Billing AddressGroup: Customer InfomationSample: 0

Optional for Bill Me Later. Indicates if customer has updated their billing ad-dress at merchant site.Processors Supported: Local field/reserved for future use.

CUSTANI: Customer ANIGroup: Additional Credit CardSample: 6039246079

Customer Automatic Number Identification. The phone number the customerused to place a phone order, as specified by Automatic Number Identification.Processors Supported: Local field/reserved for future use.

CUSTAUTH: Customer Authenticated by MerchantGroup: VbV/Secure CodeSample: 0

True if the customer has been authenticated by the merchant, either by log-ging in to a secure web site or authenticated by the call center. Optionalfor 3D Secure (Verified by Visa or MasterCard SecureCode) transactions.Processors Supported: Litle & Co.only.

field reference 197

CUSTDLCT: Customer Drivers License CountryGroup: Customer InfomationSample: USUsed for Bill Me Later. Customer’s driver’s license country. (Optional)Processors Supported: Local field/reserved for future use.

CUSTDLNO: Customer Drivers License NumberGroup: Customer InfomationSample: ABC-432392981

Used for Bill Me Later. Customer’s driver’s license number. (Optional)Processors Supported: Local field/reserved for future use.

CUSTDLSP: Customer Drivers License State/ProvGroup: Customer InfomationSample: NHUsed for Bill Me Later. Customer’s driver’s license state. (Optional)Processors Supported: Local field/reserved for future use.

CUSTDOB: Customer Date Of BirthGroup: Customer InfomationSample: 4/22/1970

Required for Bill Me Later authorization transactions.Processors Supported: Litle & Co., Trident Payment Gateway.

CUSTEMCH: Customer Changed Email AddressGroup: Customer InfomationSample: 1

Optional for Bill Me Later. Indicates if customer has updated their email addressat merchant site.Processors Supported: Local field/reserved for future use.

CUSTEMP: Customer EmployerGroup: Customer InfomationSample: Auric SystemsThe customer’s employer.Processors Supported: Litle & Co.only.

198 cn!express®

CUSTEMYR: Customer Years At EmployerGroup: Customer InfomationSample: 4

Used for Bill Me Later. Optional for authorization transactions. Number of yearswith current employer. Round up to nearest year. Example: 5 months = 1 year.Processors Supported: Litle & Co., Trident Payment Gateway.

CUSTGHI: Customer Gross Household IncomeGroup: Customer InfomationSample: 45500.00

Used for Bill Me Later. Gross annual household income. (Optional)Processors Supported: Litle & Co., Trident Payment Gateway.

CUSTGHIC: Customer Gross Household Income CurrencyGroup: Customer InfomationSample: USDUsed for Bill Me Later. Currency type of gross household annualincome. (Optional). See CUR field for list of typical currencies.Processors Supported: Litle & Co.only.

CUSTHASC: Customer Has Checking AccountGroup: Customer InfomationSample: 1

Used for Bill Me Later. Optional for authorization transactions.

Code Description

Y Yes, customer has a checking account.

N No, customer does not have a checking account.

Processors Supported: Trident Payment Gatewayonly.

field reference 199

CUSTHASS: Customer Has Savings AccountGroup: Customer InfomationSample: 1

Used for Bill Me Later. Optional for authorization transactions.

Code Description

Y Yes, customer has a savings account.

N No, customer does not have a savings account.

Processors Supported: Trident Payment Gatewayonly.

CUSTHOST: Customer HostGroup: ECommerce Customer InfoSample: myserver.example.comName of the customer host used in an e-commerce transaction.Processors Supported: PayPal Payflow Proonly.

CUSTII: Customer iiGroup: Additional Credit CardSample: 00

Customer information identifier. The Automatic Number Iden-tification ii digits reported for the call when the customerplaced the order, which identify the call type (e.g., cellular).Processors Supported: PayPal Payflow Proonly.

CUSTIP: Customer IP AddressGroup: ECommerce Customer InfoSample: 192.168.24.1Internet address of customer during an Ecommerce transaction.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., PayPal Payflow Pro, Trident Payment Gateway.

CUSTNEW: New CustomerGroup: Customer InfomationSample: 1

Set this field to "1" if this is an order by a new customer.Processors Supported: eBillMe, Litle & Co., Trident Payment Gateway.

200 cn!express®

CUSTPHCH: Customer Changed Home Phone NumberGroup: Customer InfomationSample: 0

Optional for Bill Me Later. Indicates if customer hasupdated their home phone number at merchant site.Processors Supported: Local field/reserved for future use.

CUSTPRXY: Customer ProxyGroup: ECommerce Customer InfoSample: 0

Set this field to "1" if the given CUSTIP represents a proxy.Processors Supported: eBillMeonly.

CUSTPWCH: Customer Changed PasswordGroup: Customer InfomationSample: 0

Optional for Bill Me Later. Indicates if customer has changed their password atmerchant site.Processors Supported: Local field/reserved for future use.

CUSTRESD: Customer Residence StatusGroup: Customer InfomationSample: OUsed for Bill Me Later. Optional for authorization transactions.

Code Description

O Own

R Rent

X Other

Processors Supported: Litle & Co., Trident Payment Gateway.

field reference 201

CUSTRSYR: Customer Years At ResidenceGroup: Customer InfomationSample: 2

Used for Bill Me Later. Optional for authorization transactions. Number ofyears at current residence. Round up to nearest year. Example: 5 months = 1

Processors Supported: Litle & Co., Trident Payment Gateway.

CUSTRTG: Customer RatingGroup: Customer InfomationSample: 3

Merchant customer rating.

1. Existing Good User

2. Existing Bad User

3. Unknown

Currently used by eBillMe only.Processors Supported: eBillMeonly.

CUSTSID: Customer Session IDGroup: ECommerce Customer InfoSample: SESSIONID01

Web browser session ID of customer during an Ecommerce transaction.Processors Supported: eBillMeonly.

CUSTSSN: Customer Social Security NumberGroup: Customer InfomationSample: 111-22-3333

Used for Bill Me Later. Optional for authorization transactions.Processors Supported: Litle & Co., Trident Payment Gateway.

CUSTUA: Customer User AgentGroup: ECommerce Customer InfoSample: MOZILLA/4.0 (COMPATIBLE; MSIE 5.0; WINDOWS 95)Name of the customer user agent used in an e-commerce transaction.Processors Supported: Cardinal Centinel, PayPal Payflow Pro.

202 cn!express®

CVV: CVV/CIDGroup: Credit CardsSample: 123

Card Type Format Description

American Express 4-digits Card Identification Number (CID)

Discover 3-digits Card Identification Number (CID)

MasterCard 3-digits Card Verification Code (CVC2)

Visa 3-digits Card Verification Value (CVV2)

The three or four-digit card security code. Used for fraud deterrence forcredit card transactions. According to card industry rules, the CVV mustnot be retained after an authorization is obtained. CN!Express® clears thisvalue immediately after authorization and always returns a blank CVV.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro,Tsys PayFuse, TenderCard, Trident Payment Gateway, Transfirst ePay.

CVVPRES: CVV PresenceGroup: Additional Credit CardSample: PIndicates the presence of a Card Security value. Supportedby Visa, MasterCard, and Discover. If this field is not im-ported or blank, it is set to P or NP based on presence of CVVvalue. Leave this field blank for American Express transactions.

Code Description

Blank: Indicator not sent

P Present

NP Not Present

I Illegible

Processors Supported: First Data Global Gateway, Moneris Solutions, ChasePaymentech Orbital Gateway, Tsys PayFuse.

field reference 203

CVVRESP: CVV ResponseGroup: Credit CardsSample: MCode returned by the card issuer in response to a card security verificationrequest. Both American Express and Bill Me Later transactions return a blank.

Code Description

M Value matched (Visa, MasterCard, Discover, FlexCache)

N Value not matched (Visa, MasterCard, Discover, FlexCache)

P Not processed (Visa, MasterCard, Discover, FlexCache)

S Should be on the card (Visa, Discover, FlexCache)

U Unsupported by the Issuer (Visa, MasterCard, Discover, Flex-Cache)

I Invalid (Visa, MasterCard, Discover, American Express, Flex-Cache)

Blank (American Express, Bill Me Later)

Processors Supported: First Data Global Gateway, Litle & Co., Moneris Solu-tions, Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,Trident Payment Gateway, Transfirst ePay.

CVVTEXT: CVV MessageGroup: Credit CardsSample: MatchText description of CID/CVV2 result.Processors Supported: Local field/reserved for future use.

204 cn!express®

DEBTACCT: Debit Account TypeGroup: Debit CardsSample: CThe Account Type for debit transactions. Must be one of the following:

Code Description

C Consumer Checking

S Consumer Savings


DEBTTRCE: Debit Trace NumberGroup: Debit CardsSample: 12345678

Trace number returned from debit card vendor on authorization transactions.Processors Supported: Local field/reserved for future use.

DECLPPD: Decline PrepaidGroup: Gift/Prepaid CardsSample: 0

Decline all prepaid cards. Currently implemented for Litle only. Litle sup-ports prepaid card filtering, which must be set up at the division levelwith Litle. This field can be used to override the default behavior if pre-paid card filtering is in use. If you have the division set up to filter all pre-paid cards, you can send 0 in this field to selectively allow a prepaid cardto pass. If you have the division set up to allow prepaid cards, you cansend 1 in the field to selectively decline the transaction if the card is pre-paid. If you don’t send this field, or send a blank, then Litle will use thedefault setting for the division to determine how to handle prepaid cards.Processors Supported: Litle & Co.only.

field reference 205

DETAILS: All DetailsGroup: PC Level 3/Detail RecordsSample: (see description)Transaction details can be included for purchase card level 3 and PayPal transac-tions (not all processors support these transactions). The details can be specifiedone of three ways:

1. as part of the import file, with detail records on lines that follow the transac-tion line;

2. as serial fields, marked with tags such as I_AMT_0, I_AMT_1..I_AMT_n; or

3. with all details in a single field.

If detail handling is required, you can configure CN!Express® to ac-cept one of these methods when setting up input formats. The DETAILSfield is used with method 3. It contains all detail records in a single field.The details field is delimited by row and then by field. The DETAILsub-field layout is a fixed format. Refer to Appendix ?? (??) for details.Processors Supported: Cardinal Centinel, eBillMe, Litle & Co., Chase Pay-mentech Orbital Gateway.

DISC: DiscountGroup: PC Level 3/Detail RecordsSample: 1.00

The discount amount applied to the full order. Used for level 3 purchase cardtransactions.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro.

DIVISION: Division IDGroup: Common Request FieldsSample: asi-2The CN!Express® division number for this transaction. CN!Express®

uses divisions to associate payment processors and payment pro-cessor accounts with each transaction. If you have only one divi-sion set up in CN!Express® you don’t need to import this field. ForLitle, the DIVISION is sent as the Report Group for the transaction.Processors Supported: All processors.

206 cn!express®

DUTY: DutyGroup: PC Level 3/Detail RecordsSample: 1.00

Amount of duty included in the transaction.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro.

ECOMTYP: ECommerce TypeGroup: Common Request FieldsSample: EThis field can be used in one of two ways: If authenticating a 3DS transac-tion through a third party (e.g., Cardinal Centinel), import the ECI value re-turned by the third party in this field. This will typically be a one- or two-digit numeric value. If not using 3DS authentication, and XCLASS is set to’E’ for E-commerce, this field more precisely defines the type of E-commercetransaction. This will almost always be E, indicating a secure Internet trans-action (typically HTTPS over the Web). This setting is sometimes describedas Non-SET Channel Encrypted. Other possible settings (although these arerarely used) are U (for an unsecured ecommerce transaction) or S (used only forSET encryption). SET is a specific security implementation that is rarely used.

Code Description

U,8,08 Non-Secure

E,7,07 HTTPS

S Secure SET

5,05 VbV Authenticated Transaction

6,06 VbV Attempted Authentication

1,01 Master Card Indicates Merchant Liability

2,02 Master Card Indicates Card Issuer Liability

Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle & Co.,Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway,Transfirst ePay.

field reference 207

ECPAUTHM: ECP Authorization MethodGroup: ChecksSample: IMethod by which merchant is authorized by customer to conduct thisElectronic Check transaction. The ECP Authorization Method may bedefaulted at the processor division level. If the default is set, all trans-actions processed through the division will carry the default ECP au-thorization value unless this field is populated to override the default.

Code Description

Blank: Unknown

W Written

I Internet

T Telephone

C Cash Concentration or Disbursement

P Point of Purchase (POP)

A Accounts Receivable Conversion (ARC)

NOTE:

For PayFuse, Written translates into Prearranged Payment and De-posit. Also, Cash Concentration or Disbursement is only available forPayFuse. PayFuse defaults to W (Prearranged Payment and Deposit)Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.

208 cn!express®

ECPDELVM: ECP Preferred Delivery MethodGroup: ChecksSample: AThe Preferred Delivery Method for depositing checks. Electronic checkrefunds require a preferred delivery method of ACH (A). If best pos-sible (B) is sent, and the RDFI is a non-ACH participant, the trans-action is rejected with Response Code 760 ACH Non-participant.

Code Description

A ACH Automated Clearing House electronic delivery

B Best Possible

Processors Supported: Chase Paymentech Orbital Gatewayonly.

EDBSC: EDD Bank Sort CodeGroup: EDDSample: 1234567890

Used for European Direct Debit Transactions. The identifier of thecustomer’s bank. Each country has its own bank sort code format.Processors Supported: Local field/reserved for future use.

field reference 209

EDCNTRY: EDD Country CodeGroup: EDDSample: DEUsed for European Direct Debit Transactions. This is acode which indicates the country of the customer’s bank.

Code Country

AT Austria

BE Belgium

FR France

DE Germany

NL Netherlands

GB United Kingdom


EDRIB: EDD RIB CodeGroup: EDDSample: 12

Used for European Direct Debit Transactions. The bank ac-count checksum. This is optional, used only in France.Processors Supported: Local field/reserved for future use.

ENCFLAG: Encryption FlagGroup: OtherSample: FThis field is provided for compatibility with the Trevance®


210 cn!express®

ENDDATE: End DateGroup: PayPalSample: 3/31/2010 14:22:31

For Query transactions, the last date to include in the search.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.

EXCHRATE: Exchange RateGroup: PayPalSample: 1.85

The exchange rate for the transaction. Returned by PayPal for in response toQuery (Q) transactions.Processors Supported: PayPal Express Checkoutonly.

EXCHRTID: Exchange Rate IDGroup: OtherSample: 92822817

The exchange rate identifier, returned by Merchant e-Solutions on cur-rency conversion operations when using FX processing. If obtained, theEXCHRTID must be retained by the merchant and returned along withMCURAMT with subsequent authorization, sale, or other transactions.Processors Supported: Trident Payment Gatewayonly.

field reference 211

EXP: Expiration DateGroup: Credit CardsSample: 0414

Usually the credit card expiration date: MMYY or MM/YY. Send blanks(or 0000) if the card has expired since the order was placed or if the trueexpiration date is unknown. Omitting the expiration date on a card-not-present transaction, while acceptable to some card processors anddebit networks, may result in a decline code from the Issuer. Field isalso returned by Merchant e-Solutions on ConvertAmount (CF) trans-actions. In this case the expiration date is a timestamp that indicateswhen the given exchange rate id (see EXCHRTID) will expire. Examples:

(Blank)

0000

00/00

MMYY

MM/YY

Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, TenderCard, Trident Payment Gateway, TransfirstePay.

EXSTDEBT: Existing DebtGroup: Additional Credit CardSample: 0



212 cn!express®

FREIGHT: FreightGroup: PC Level 3/Detail RecordsSample: 1.00

Amount of freight included in the transaction. Frequently called Shipping orShipping Cost.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, PayPal ExpressCheckout, Trident Payment Gateway.

HANDLING: Handling ChargeGroup: PayPalSample: 1.00

Amount of handling fee included in the transaction.Processors Supported: PayPal Express Checkoutonly.

ICVRESP: ICV-Style ResponseGroup: OtherSample: Y123456Y123456789

See appendix on IC-Verify compatibility features.Processors Supported: Local field/reserved for future use.

IGOTS: IGOTS Transaction CodeGroup: Additional Credit CardSample: 00



IMGNUM: Image Reference NumberGroup: POP/ArcSample: 29029093209023

Image Reference Number associated with check for POP and ARC transactions.Optional.Processors Supported: Local field/reserved for future use.

field reference 213

INV: InvoiceGroup: OtherSample: INV#1234

Invoice number for this order. Provide this field for Merchant e-Solutions purchase card level 2 and 3D secure lookup (IC) transactions.Processors Supported: First Data Global Gateway, Litle & Co., PayPal PayflowPro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident PaymentGateway.

ISSUDATE: Account Issue DateGroup: Gift/Prepaid CardsSample: 3/1/2010

Date of issue for gift cards.Processors Supported: TenderCardonly.

I_AMT_N: Item AmountGroup: PC Level 3/Detail RecordsSample: 45.36

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_AMT_0 represents the amount forthe first item, I_AMT_1 represents the amount for the second item, etc.Processors Supported: Local field/reserved for future use.

I_CMD_N: Item Commodity CodeGroup: PC Level 3/Detail RecordsSample: 20130

Transaction details can be included for purchase card level 3 or for PayPaltransactions (not all processors support these transactions). This field is usedto specify detail information using a serial tag format. See the DETAILSfield for other formats. I_CMD_0 represents the commodity code for thefirst item, I_CMD_1 represents the commodity code for the second item, etc.Processors Supported: Local field/reserved for future use.

214 cn!express®

I_CMT_N: Item CommentGroup: PC Level 3/Detail RecordsSample: Line item commentTransaction details can be included for purchase card level 3 or forPayPal transactions (not all processors support these transactions).This field is used to specify detail information using a serial tag for-mat. See the DETAILS field for other formats. I_CMT_0 is a com-ment for the first item, I_CMT_1 is a comment for the second item, etc.Processors Supported: Local field/reserved for future use.

I_CRD_N: Item Amount Is CreditGroup: PC Level 3/Detail RecordsSample: 0

Transaction details can be included for purchase card level 3 or forPayPal transactions (not all processors support these transactions).This field is used to specify detail information using a serial tag for-mat. See the DETAILS field for other formats. I_CRD_0 is true if thefirst item is a credit, I_CRD_1 is true if the second item is a credit, etc.Processors Supported: Local field/reserved for future use.

I_DAM_N: Item Discount AmountGroup: PC Level 3/Detail RecordsSample: 4.80

Transaction details can be included for purchase card level 3 or for PayPaltransactions (not all processors support these transactions). This field is usedto specify detail information using a serial tag format. See the DETAILSfield for other formats. I_DAM_0 represents the discount amount for thefirst item, I_DAM_1 represents the discount amount for the second item, etc.Processors Supported: Local field/reserved for future use.

I_DCD_N: Item DiscountedGroup: PC Level 3/Detail RecordsSample: 1

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format. Seethe DETAILS field for other formats. I_DCD_0 is true if the first itemis discounted, I_DCD_1 is true if the second item is discounted, etc.Processors Supported: Local field/reserved for future use.

field reference 215

I_DSC_N: Item DescriptionGroup: PC Level 3/Detail RecordsSample: CAP,SCREENED,PROMOTransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_DSC_0 represents the description for thefirst item, I_DSC_1 represents the description for the second item, etc.Processors Supported: Local field/reserved for future use.

I_MSR_N: Item MeasureGroup: PC Level 3/Detail RecordsSample: PCETransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_MSR_0 represents the unit of measure for thefirst item, I_MSR_1 represents the unit of measure for the second item, etc.Processors Supported: Local field/reserved for future use.

I_NBR_N: Item Number/Product CodeGroup: PC Level 3/Detail RecordsSample: CAP-238-LOGOTransaction details can be included for purchase card level 3 or for Pay-Pal transactions ( not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_NBR_0 represents the item number for thefirst item, I_NBR_1 represents the item number for the second item, etc.Processors Supported: Local field/reserved for future use.

I_OPT_N: Item OptionsGroup: PC Level 3/Detail RecordsSample: NoneTransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See the DE-TAILS field for other formats. I_OPT_0 represents optional information forthe first item, I_OPT_1 represents optional information for the second item, etc.Processors Supported: Local field/reserved for future use.

216 cn!express®

I_QTY_N: Item QuantityGroup: PC Level 3/Detail RecordsSample: 12

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_QTY_0 represents the quantity ofthe first item, I_QTY_1 represents the quantity of the second item, etc.Processors Supported: Local field/reserved for future use.

I_TAX_N: Item TaxGroup: PC Level 3/Detail RecordsSample: 2.16

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format.See the DETAILS field for other formats. I_TAX_0 represents the taxfor the first item, I_TAX_1 represents the tax for the second item, etc.Processors Supported: Local field/reserved for future use.

I_TXR_N: Item Tax RateGroup: PC Level 3/Detail RecordsSample: 0.05

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_TXR_0 represents the tax rate forthe first item, I_TXR_1 represents the tax rate for the second item, etc.Processors Supported: Local field/reserved for future use.

I_UAM_N: Item Unit CostGroup: PC Level 3/Detail RecordsSample: 4.00

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_UAM_0 represents the unit cost forthe first item, I_UAM_1 represents the unit cost for the second item, etc.Processors Supported: Local field/reserved for future use.

field reference 217

I_XIN_N: Item Total Includes TaxGroup: PC Level 3/Detail RecordsSample: 1

Transaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). Thisfield is used to specify detail information using a serial tag format.See the DETAILS field for other formats. I_XIN_0 is true if the firstitem includes tax, I_XIN_1 is true if the second item includes tax, etc.Processors Supported: Local field/reserved for future use.

I_XTY_N: Item Tax TypeGroup: PC Level 3/Detail RecordsSample: STATETransaction details can be included for purchase card level 3 or for Pay-Pal transactions (not all processors support these transactions). This fieldis used to specify detail information using a serial tag format. See theDETAILS field for other formats. I_XTY_0 represents the tax type forthe first item, I_XTY_1 represents the tax type for the second item, etc.Processors Supported: Local field/reserved for future use.

KSN: KSNGroup: Debit CardsSample: 0123456789012345

For debit card transactions. Key Sequence Number (KSN) as-sociated with the PIN pad that encrypted the customer’s PIN.Processors Supported: Local field/reserved for future use.

LAS: Last Action SucceededGroup: Common Response FieldsSample: 1

Flag indicating whether the last requested transaction actionsucceeded. Field is 1 if successful and 0 if not. Use this field tocheck for success or failure when writing programs that workwith CN!Express®. Use ASIRESP for more specific information.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

218 cn!express®

LOADABLE: Prepaid Card is ReloadableGroup: Gift/Prepaid CardsSample: 0

Returned in response for prepaid cards, if supported by processor. Returnvalue of 1 means the card can be re-loaded, return value of 0 means it can not.Processors Supported: Litle & Co.only.

MACTION: Merchant ActionGroup: Common Response FieldsSample:This is a suggested action a merchant could take in responseto a specific type of transaction decline. This field is gener-ated by CN!Express®. These are the values that can be returned:

Code Description

DECLINE Decline the transaction

RETRY Retry the transaction at a later time

ERROR Correct the transaction and retry

CALL Call payment processor for assistance with thistransaction

VOICE Obtain a voice authorization

Processors Supported: All processors.

MARKSPEC: Market Specific DataGroup: Additional Credit CardSample: BThis field is provided for compatibility with the Trevance® transaction gatewayand is not used by cnx.Processors Supported: Local field/reserved for future use.

field reference 219

MCBNKDAT: MC Banknet DateGroup: Credit Card Authorization SpecificsSample: 0301



MCBNKREF: MC Banknet Reference NumberGroup: Credit Card Authorization SpecificsSample: MWCYW4EDKThis field is provided for compatibility with the Trevance®


MCC: MCCGroup: Additional Credit CardSample: 1234

Used to describe merchant’s primary business. Usually set up at the divisionlevel.Processors Supported: Chase Paymentech Orbital Gateway, Trident PaymentGateway, Transfirst ePay.

MCSCAAV: MC SecureCode AAVGroup: VbV/Secure CodeSample: AAVMasterCard SecureCode Account holder Authentication Value. This isa unique transaction token generated by the issuer and presented tothe merchant each time a card holder conducts an electronic transac-tion using MasterCard SecureCode. AAV incorporates elements spe-cific to the transaction and effectively binds the cardholder to a transac-tion at a particular merchant for a given sale amount. Must be sent inBase 64 Encoding. This is the same format used by MasterCard when re-turning the AAV data to the merchant during the authentication step.Processors Supported: First Data Global Gateway, Litle & Co., Moneris So-lutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident PaymentGateway, Transfirst ePay.

220 cn!express®

MCSCSPT: MC Secure Code SupportGroup: VbV/Secure CodeSample: 1



MCTPROMO: Merchant Promotional CodeGroup: OtherSample: 90DAYSACUsed by Bill Me Later. Optional value indicating a mer-chant special promotion code to which customer responded.Processors Supported: eBillMe, Litle & Co., Trident Payment Gateway.

MCURAMT: Amount in Merchant CurrencyGroup: OtherSample: 25.00

The amount of the transaction in merchant funding currency (generally,USD). Sent by the merchant as a parameter to Merchant e-Solutions in cur-rency conversion operations when using FX processing. The amount in cus-tomer currency is then returned in AMT. MCURAMT and EXCHRTID mustbe retained by the merchant and returned with subsequent transactions.Processors Supported: Trident Payment Gatewayonly.

MRCHCSPH: Merchant Customer Service Phone NumberGroup: Merchant Info/Soft DescriptorsSample: 8001234567

Merchant customer support phone number. Usually set up at the division level.Processors Supported: Trident Payment Gateway, Transfirst ePay.

field reference 221

MRCHORDR: Merchant Order NumberGroup: Common Request FieldsSample: MRCHORDR-9012345678901234

The merchant order number represents the order associated with this transac-tion. Often, the merchant order number is the best way to look up a transactionwhen handling exceptions or when discussing a transaction with the paymentprocessor. The merchant order number should be unique for each transaction.Different payment processors have different rules about the number of charac-ters for an order number, or about what types of characters are acceptable.

• Order numbers should be 22 characters in length or shorter.

• Order numbers should be unique within the first eight digits.

• Use only upper and lowercase alpha and numeric characters, plus the follow-ing: -,$@

• Pinless debit order numbers must use alphanumerics only.

ASI recommends that you follow the above guidelines so that your ordernumbers will meet the requirements of even the most restrictive systems.Processors Supported: All processors.

MSGVRFD: Message VerifiedGroup: Bill Me LaterSample: 1

Indicates whether or not processor has verified that the message sent was au-thentic, based on its digital signature. This field is returned by Merchant e-Solutions for BML transactions in response to an authentication (AC) request.Processors Supported: Trident Payment Gatewayonly.

MSTATE: Merchant State/Prov DescriptorGroup: Merchant Info/Soft DescriptorsSample: NHState or province part of merchant location.Processors Supported: Trident Payment Gatewayonly.

222 cn!express®

MZCPC: Merchant ZIP/Postal CodeGroup: Merchant Info/Soft DescriptorsSample: 03458

Zip code or postal code part of merchant location.Processors Supported: Trident Payment Gatewayonly.

NETAMT: Net AmountGroup: PayPalSample: 4.00

The net amount of the transaction. Returned by PayPal in response to a querytransaction.Processors Supported: PayPal Express Checkoutonly.

NOUTID: Suppress UTID GenerationGroup: OtherSample: 0

If set, CN!Express® will not generate or store a UTID for the associatedtransaction. Use to override system defaults for a specific transaction.Processors Supported: Local field/reserved for future use.

OPENV: Operating EnvironmentGroup: Additional Credit CardSample: 0

Describes the terminal operating environment. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.Processors Supported: Local field/reserved for future use.

ORDDATE: Order DateGroup: OtherSample: 3/1/2010

The date on which an order was created using OpenOrder (as returned by Pay-Pal).Processors Supported: Litle & Co., PayPal Payflow Pro, PayPal ExpressCheckout.

field reference 223

ORDTIME: Order TimeGroup: OtherSample: 14:22:31

The time at which an order was created using OpenOrder (as returned by Pay-Pal).Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.

ORIGAUTH: Original Authorized AmountGroup: Credit Card Authorization SpecificsSample: 1.00

Amount of initial authorization.Processors Supported: Local field/reserved for future use.

PAYLOAD: PayloadGroup: Online IntegrationSample: anI3900WUEA9329029389iljwaef32WU372

Used for any return or request value where processor sends or receives a largeamount of operation-specific data in a single field.

• Used to transfer data when customer must be authenticated on external (pro-cessor) site, during BML authentication process on Merchant e-Solutionsgateway.

• Used to transfer data when customer must be authenticated on external site,during 3D-secure authentication process on Merchant e-Solutions gateway.

• Used to return single currency exchange rate data or full exchange rate tablefor rate lookup (CL) transactions on Merchant e-Solutions gateway.

Details of the field usage are based on the specific payment method and transac-tions being processed.Processors Supported: Cardinal Centinel, Trident Payment Gateway.

PCAPCAPB: PIN Capture CapabilityGroup: Additional Credit CardSample: 0

Describes the PIN capture capability of the terminal. Amer-ican Express only. This is additional information thatyou can specify to describe the transaction environment.Processors Supported: Local field/reserved for future use.

224 cn!express®

PENDED: PendedGroup: PayPalSample: 0

A boolean value returned in a GetDetails response whichtells whether or not a transaction is in pending status.Processors Supported: PayPal Express Checkoutonly.

PENDTEXT: Pended TextGroup: PayPalSample: verifyReturned by PayPal in a GetDetails response which describes the reason a trans-action is pending.Processors Supported: PayPal Express Checkoutonly.

PID: Presenter IDGroup: OtherSample: 123456



PIN: PINGroup: Debit CardsSample: 0123456789012345

Debit Card encrypted Personal Identification Number (PIN) entered by cus-tomer.Processors Supported: Litle & Co., Moneris Solutions, Chase Paymentech Or-bital Gateway, Tsys PayFuse.

PMTENDDT: Payment End DateGroup: Recurring/InstallmentSample: 3/31/2011

For installment payments, the payment end date.Processors Supported: Cardinal Centinelonly.

field reference 225

PMTFREQ: Payment FrequencyGroup: Recurring/InstallmentSample: 28

For installment payments, the payment frequency.Processors Supported: Cardinal Centinelonly.

PMTNBR: Payment NumberGroup: Recurring/InstallmentSample: 1

For recurring or installment transactions, the number of this payment in the se-ries of payments.Processors Supported: eBillMe, Chase Paymentech Orbital Gateway, TransfirstePay.

PMTSRC: Payment SourceGroup: eBillMeSample: RPPSThe source of a payment made by a customer. Currently used for eBillMe only.Processors Supported: eBillMeonly.

PONUM: PO NumberGroup: PC Level 2

Sample: PO-23456789

Customer Purchase Order Number. This field is required for purchasecard level 2 and purchase card level 3 transactions, except when pro-cessing through Merchant e-Solutions. For Merchant e-Solutions level2 transactions, provide the Invoice Number (INV) instead of this field.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse.

POPCITY: POP Terminal CityGroup: POP/ArcSample: BOSCity where Point of Purchase terminal is located. Optional. Used only for POPtransactions.Processors Supported: Local field/reserved for future use.

226 cn!express®

POPSTATE: POP Terminal StateGroup: POP/ArcSample: MAState where Point of Purchase terminal is located. Optional. Used only for POPtransactions.Processors Supported: Local field/reserved for future use.

POSCAP: POS Capability CodeGroup: RetailSample: KDescribes the capabilities of the POS device. Optional. For Litle, POSCAPshould be included with all retail transactions. This is additional in-formation that you can specify to describe the transaction environ-ment. Including this information may improve the interchange rate forthis transaction. Contact payment processor for specific requirements.

Code Description

1 Track 1

2 Track 2

C Chip

K Keyed

L Contactless

N No Terminal

Processors Supported: Litle & Co., Transfirst ePay.

field reference 227

POSENTRY: POS Entry ModeGroup: RetailSample: KDescribes how the transaction was entered. For Litle, POSENTRY shouldbe included with all retail transactions. This is additional informationthat you can specify to describe the transaction environment. Includ-ing this information may improve the interchange rate for this trans-action. Contact your payment processor for specific requirements.

Code Description

K Keyed

2 Track 2

C Chip

1 Track 1

V Contactless Chip

E Ecommerce

M Track 1 and 2

N No Terminal

L Contactless

U Chip Card (CVV unreliable)

Processors Supported: Litle & Co., Transfirst ePay.

228 cn!express®

POSID: POS Customer ID MethodGroup: RetailSample: MDescribes how the cardholder was identified. For Litle, POSID shouldbe included with all retail transactions. This is additional informationthat you can specify to describe the transaction environment. Includ-ing this information may improve the interchange rate for this trans-action. Contact your payment processor for specific requirements.

Code Description

M Mailorder

P PIN

S Signature

U Unattended

Processors Supported: First Data Global Gateway, Litle & Co., Transfirst ePay.

PREAPRNO: Pre-approval Invitation NumberGroup: Bill Me LaterSample: 123456789ABCDEFUsed for Bill Me Later.

• Pre-approval from credit bureau should include the 16-digit pre-approvalnumber. This allows the pre-approval to be matched with the first customerorder.

• Internal pre-approval should include the leftmost digit as 1.

• No pre-approval should include all zeros or be blank.

Indicates whether or not customer has been pre-approved.Processors Supported: Litle & Co.only.

PREVACCT: Previous Gift Card Account NumberGroup: Gift/Prepaid CardsSample: 8700000000000000

TenderCard transactions only. Represents the previous account number for XFor IS transactions.Processors Supported: TenderCardonly.

field reference 229

PROCATR1: Processor-Specific Attribute 1

Group: Processor SpecificsSample: proc-attr-1Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, PayPal Express Checkout.


Group: Processor SpecificsSample: proc-attr-2Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., PayPalPayflow Pro, PayPal Express Checkout.


Group: Processor SpecificsSample: proc-attr-3Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: eBillMe, PayPal Payflow Pro, PayPal Express Checkout.


Group: Processor SpecificsSample: proc-attr-4Processor-specific. See Appendix IV (Processor-Specific Attributes) for details.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.

PROCDIV: Processor Division IDGroup: Processor SpecificsSample: 123456

The processor’s division number or processor-specific Merchant ID. If you haveonly one CN!Express® division set up, you can use this to directly assign indi-vidual transactions to processor divisions. See Chapter ?? (?? for more details.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, PayPal Express Checkout, TenderCard,Trident Payment Gateway, Transfirst ePay.

230 cn!express®

PROCFEE: Processor FeeGroup: Processor SpecificsSample: 1.00

Fee charged for transaction. Returned by GetDetails and Query transactions.Processors Supported: PayPal Express Checkoutonly.

PROCMODE: Payment Processor ModeGroup: Processor SpecificsSample: PThe mode for this transaction.

Code Description

D Demo Mode. For setup/demo only. Handledinternally by CN!Express® and never sent topayment processor.

T Test Mode. Sent to the payment processor usingthe payment processor’s test mode.

P Production Mode. Sent to the payment proces-sor in production mode.


PROCORDR: Processor Order IDGroup: IdentifiersSample: 28269684AF474914SThe processor order number for this transaction.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Tsys PayFuse, PayPal Express Checkout, Trident Payment Gateway, TransfirstePay.

field reference 231

PROCRSN: Processor Reason CodeGroup: Processor SpecificsSample: 2

Processor-specific reason code (eg., a reason given for cancel-ing an order). Currently, this is used by eBillMe only. eBillMeaccepts a PROCRSN for Void and Refund actions. PROCRSNcodes have different meanings, depending on the action.

Action CodeDescription

Void(V) 1 Consumer: does not want order

Void(V) 2 Consumer: unable to complete payment

Void(V) 3 Consumer: changed payment method

Void(V) 4 Merchant: consumer risk

Void(V) 5 Merchant: confirmed fraud

Void(V) 6 Merchant: duplicate order

Void(V) 7 Merchant: unable to fulfill order

Void(V) 8 Merchant: order expired

Refund(R) 1 Unknown payment

Refund(R) 2 Duplicate payment

Refund(R) 3 Overpayment

Refund(R) 4 Order expired

Refund(R) 5 Refund requested: goods returned

Refund(R) 6 Refund requested: order cancelled

Refund(R) 7 Refund requested: per originator

Refund(R) 8 Unable to fulfill order

Refund(R) 9 Confirmed fraud

Refund(R) 10 Consumer risk

Refund(R) 11 Merchant has ceased operations

Processors Supported: eBillMe, Moneris Solutions.

232 cn!express®

PROCSTAT: Processor StatusGroup: OtherSample: CompletedA text description of the status of the transaction, as returned or maintainedby the processor.

• For eBillMe, this field can be used as a search parameter for Query transac-tions.

• For Bill Me Later transactions on the Merchant e-Solutions gateway, this field contains the returned statusfor each BML operation, as shown in the follwing table:

Code MeS Field Values

IC enroll_status Y: Enrolled; N: Not Enrolled

AC application_status Y: Success; X: Cancelled; D:Customer requested data update; E: Error

S,RE,D,R status_code Y: Success; N: Declined: E: Error

• For 3D-secure enrollment check on the Merchant e-Solutions gateway, this field contains the returned sta-tus for each transaction, as shown in the following table:

Code MeS Field Values

IC 3d_enrolled Y: Enrolled; N: Not Enrolled

• For Cardinal Centinel lookup transations, this field contains the re-turned status for each transaction, as shown in the following table:

Code Centinel Field Values

IC Enrolled Y: Enrolled; N: Not Enrolled, U: Pro-cessing Unavailable, (blank):Error

Processors Supported: Cardinal Centinel, eBillMe, Moneris Solutions, PayPalExpress Checkout, Trident Payment Gateway.

field reference 233

PROCTID: Processor Transaction IDGroup: IdentifiersSample: 7AWDEGTR012345678

The processor transaction ID. Uniquely identifies a transaction for a given pro-cessor. This is returned for all transactions. You can return this field or CNXTIDto CN!Express® when processing a later transaction (for example, return theCNXTID associated with an authorization when capturing the transaction).Processors Supported: All processors.

PROCTYPE: Processor TypeGroup: Processor SpecificsSample: orbitalThe payment processor associated with this division.Processors Supported: Local field/reserved for future use.

PRODTYPE: Product Delivery TypeGroup: Shipment Address/InfoSample: PDescribes how the product being purchased is to be delivered.

CN!Express® Processor Description

Code Code

D DIG Digital Goods, ex: Downloadedsoftware or Ebook

P PHY Physical

T TBD To Be Determined

V SVC Service

Y CNC Cash and Carry

Processors Supported: Cardinal Centinel, Litle & Co., Trident Payment Gateway.

234 cn!express®

PYADRONR: PayPal Address OwnerGroup: PayPalSample: Owner Corp.PayPal only. eBay company that maintains this address.Processors Supported: PayPal Express Checkoutonly.

PYADRSTA: PayPal Address StatusGroup: PayPalSample: Confirmed.PayPal only. Text status of this address with PayPal.Processors Supported: PayPal Express Checkoutonly.

PYCID: PayPal Contract IDGroup: PayPalSample: 7IKLQNJS012345678901



PYPAYER: PayPal PayerIDGroup: PayPalSample: 95HR9CM6D56Q2

The PayPal PayerID. Required field (along with PYTO-KEN) for PayPal Authorization, Sale, or CreateOrder.Processors Supported: PayPal Express Checkoutonly.

PYPWD: PayPal API PasswordGroup: PayPalSample: QFZCWN5HZM8VBG7QThis field is provided for compatibility with the Trevance®


field reference 235

PYSIG: PayPal API SignatureGroup: PayPalSample: A-IzJhZZjhg29XQ2qnhapuwxIDzyAZQ92FRP5dqBzVesOkzbdUONzmOUThis field is provided for compatibility with the Trevance®


PYTOKEN: PayPal TokenGroup: PayPalSample: EC-0E881823PA052770AThe PayPal Token. Required field (along with PYPAYER) for PayPal Authoriza-tion, Sale, or CreateOrder.Processors Supported: PayPal Express Checkoutonly.

PYUSER: PayPal API UserGroup: PayPalSample: example.comThis field is provided for compatibility with the Trevance®


QRYCLASS: Query ClassGroup: PayPalSample: AllThe PayPal TransactionClass. May be used as a search param-eter with a Query transaction. Some examples include All andBalanceAffecting. See PayPal documentation for complete list.Processors Supported: PayPal Express Checkoutonly.

QUALKEY: Qual KeyGroup: Separate Auth/CaptureSample:This field is provided for compatibility with the Trevance®


236 cn!express®

RAUTHTID: Retail Auth Terminal IDGroup: RetailSample: 01234567

The terminal ID for the authorizing terminal in a POS environment. Optional.Processors Supported: Transfirst ePayonly.

RECADV: Recurring Payment Advice CodeGroup: Recurring/InstallmentSample: 01

Action to be taken when receiving decline on a transaction marked as re-curring. This code is returned only for MasterCard account numbers.The Transaction Class must be set to Recurring (see the Class field).

Code Action

01 New account information available. Obtain newaccount information.

02 Try again later. Recycle transaction in 72 hours.

03 Do not try again. Obtain another type of pay-ment from customer.


RECURTYP: Recurring TypeGroup: Recurring/InstallmentSample: ROnly used if XCLASS is "R" or "I". Some payment services distinguish be-twen the first recurring transaction and subsequent recurring transactions,requiring different information for reach. Set this value to "0" for the ini-tial recurring transaction, and to "R" for all others. (See also PMTNBR).

Code Description

0 Initial Payment

R All Other Payments


field reference 237

REDRURL: Redirect URLGroup: Online IntegrationSample: https://www.example.com/enrollUsed when merchant must redirect customer to processor URL. Thisfield is returned by Merchant e-Solutions for BML transactions in re-sponse to a lookup/identify customer (IC) request. This field is alsoreturned by Merchant e-Solutions for credit-card transactions in re-sponse to a 3D Secure enrollment check/identify customer (IC) request.Processors Supported: Cardinal Centinel, Trident Payment Gateway.

REGDATE: Customer Registration DateGroup: Bill Me LaterSample: 1/14/2005

Used for Bill Me Later. Date the customer registered with the merchant.Processors Supported: Litle & Co., Trident Payment Gateway.

REQDACI: Requested ACIGroup: Credit Card Authorization SpecificsSample: YReturned Authorization Characteristics Indicator. Thisvalue indicates the ACI value that was requested at au-thorization time. This is currently for documentation only.Processors Supported: Local field/reserved for future use.

REQSEQ: Sequence of RequestGroup: OtherSample: 238743

Request sequence. A transaction identifier, used only fortracking the transaction in logs generated by CN!Express.Processors Supported: Local field/reserved for future use.

238 cn!express®

RESPCODE: Response CodeGroup: Common Response FieldsSample: 100

The processor-specific response code. These can be used to programaticallydetermine the disposition of a transaction, but the merchant system must beable to handle new response codes. Generally, these will be two- or three-digitnumeric values, but some processors may return longer codes or text stringsin this field. ASI recommends that you use the normalized ASIRESP code forthis purpose. For the TenderCard payment processor only, RESPCODE is gen-erated by CN!Express®, because TenderCard does not return a response code.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

RESPDATE: Response Date and TimeGroup: Common Response FieldsSample: 3/1/2010 14:22:31

Date and Time the transaction was processed.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

RESPTEXT: Response TextGroup: Common Response FieldsSample: 100 – ApprovedText description of the transaction result.Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Moneris Solutions, Chase Paymentech Orbital Gateway, PayPalPayflow Pro, Tsys PayFuse, PayPal Express Checkout, TenderCard, Trident Pay-ment Gateway, Transfirst ePay.

RESPTZ: Response TimezoneGroup: PayPalSample: GMTTime zone of a transaction. Can be used as a Query input parameter.Processors Supported: PayPal Express Checkoutonly.

field reference 239

RETRACI: Returned ACIGroup: Credit Card Authorization SpecificsSample: VThis value is returned by Visa in the original Authorization transac-tion. Can be stored and optionally returned with the deposit transaction.Processors Supported: Tsys PayFuse, Transfirst ePay.

RETRREF: Retrieval Reference NumberGroup: Credit Card Authorization SpecificsSample: 012345678901



RFFEEAMT: Fee RefundedGroup: PayPalSample: 1.00

Returned for refund transactions. Transaction fee refunded to merchant.Processors Supported: PayPal Express Checkoutonly.

RFGRAMT: Gross Refunded AmountGroup: PayPalSample: 5.00

Returned for refund transactions. Amount of money refunded to payer.Processors Supported: eBillMe, PayPal Express Checkout.

RIID: Receiving Institution IDGroup: Credit Card Authorization SpecificsSample: 000000



240 cn!express®

ROUTNUM: Routing NumberGroup: ChecksSample: 123456789

Bank routing number for checks. Also called Receiving Depository Finan-cial Institution (RDFI) number, the Bank ID, the ABA#, or the Transit Rout-ing #. US bank values are nine (9) digits. Canadian bank values are eight(8) digits. For Canadian banks, the first eight characters should not have aspace or dash. The proper formatting of Canadian bank IDs is FFFBBBBBwhere FFF is the financial institution and BBBBB is the branch number.Processors Supported: Chase Paymentech Orbital Gateway, Tsys PayFuse.

RQSTTOKN: Request Return Processor TokenGroup: OtherSample: 0

For processors that support the generation of an account token dur-ing a normal authorization or sale transaction. Set RQSTTOKN to "1"for the auth or sale transaction to request that a token be returned.Not needed for specific tokenization transaction (ACTION="T").Processors Supported: Chase Paymentech Orbital Gatewayonly.

RSETLBID: Retail Settle Batch IDGroup: RetailSample: 0123456789012345



RSETLTID: Retail Settle Terminal IDGroup: RetailSample: 0123456789012345



field reference 241

RVRSTEXT: Reversal TextGroup: PayPalSample: chargebackReturned for a GetDetails transaction if the status of the transactionis Reversed. A text description of why the transaction was reversed.Processors Supported: PayPal Express Checkoutonly.

SALESTAX: Sales TaxGroup: PayPalSample: 1.00

Returned for a GetDetails transaction. The amount of sales tax on the purchase.Processors Supported: PayPal Express Checkoutonly.

SELLACCT: Seller AccountIDGroup: PayPalSample: 1234565

Returned for a GetDetails transaction. Account number of the seller.Processors Supported: PayPal Express Checkoutonly.

SELLCNTC: Seller Contact InformationGroup: PayPalSample: [email protected] for a GetDetails transaction. Email address or account ID of the seller.Processors Supported: PayPal Express Checkoutonly.

SELLEMAL: Seller EmailGroup: PayPalSample: [email protected] for a GetDetails transaction. Email address of the seller.Processors Supported: PayPal Express Checkoutonly.

SERVDEV: Service DevelopmentGroup: Additional Credit CardSample: 7



242 cn!express®

SFRMZCPC: Ship From ZIP/Postal CodeGroup: PC Level 2

Sample: 03458-1234

Zip code or Canadian postal code from which product was shipped.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Transfirst ePay.

SHIPADD1: ShipAddress:Address 1

Group: Shipment Address/InfoSample: 44 Shipper LaneFirst address line of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, PayPal Express Checkout,Trident Payment Gateway.

SHIPADD2: ShipAddress:Address 2

Group: Shipment Address/InfoSample: PO Box 44

Second address line of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.

SHIPADTY: Ship-to Address TypeGroup: Shipment Address/InfoSample: RMay be returned by Bill Me Later.

Code Description

C Commercial

R Residential


field reference 243

SHIPAPT: ShipAddress:AptGroup: Shipment Address/InfoSample: 44

Apartment portion of customer shipping address.Processors Supported: Local field/reserved for future use.

SHIPCAR: Shipping CarrierGroup: Shipment Address/InfoSample: USPSCarrier delivering the merchandise to customer.

Code Description

DHL DHL

FEDX Federal Express

G Greyhound

O Other

P Purolator

USPS United States Postal Service

UPS United Parcel Service

Processors Supported: eBillMeonly.

SHIPCITY: ShipAddress:CityGroup: Shipment Address/InfoSample: PeterboroughCity portion of customer shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.

244 cn!express®

SHIPCO: ShipAddress:CompanyGroup: Shipment Address/InfoSample: Example Corp.Company portion of customer shipping address.Processors Supported: Local field/reserved for future use.

SHIPCTRY: ShipAddress:CountryGroup: Shipment Address/InfoSample: USCountry portion of customer shipping address. For level-3 credit card pro-cessing using Orbital, use three-letter ISO country codes. For all other ap-plications, use the two-letter ISO country code for the destination country.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, PayPal Express Checkout.

SHIPDATE: Ship DateGroup: Shipment Address/InfoSample: 3/1/2010

Date product was shipped to fulfill the order.Processors Supported: eBillMe, Transfirst ePay.

SHIPEMAL: ShipAddress:EmailGroup: Shipment Address/InfoSample: [email protected] portion of customer shipping address. Example: [email protected] Supported: eBillMe, First Data Global Gateway, Litle & Co., TridentPayment Gateway.

SHIPFNAM: ShipAddress:First NameGroup: Shipment Address/InfoSample: MaryRecipient’s first name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (SHIPNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.

[email protected]

field reference 245

SHIPHPHO: ShipAddress:Home PhoneGroup: Shipment Address/InfoSample: 6035554444

Home phone portion of customer shipping address.Processors Supported: First Data Global Gateway, Litle & Co., PayPal PayflowPro, PayPal Express Checkout, Trident Payment Gateway.

SHIPLNAM: ShipAddress:Last NameGroup: Shipment Address/InfoSample: JonesRecipient’s last name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (SHIPNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.

246 cn!express®

SHIPMETH: Shipping MethodGroup: Shipment Address/InfoSample: NMethod by which purchase is shipped to customer.

Code Method

S Same Day

G Ground

E Electronic

N Next Day

T Two Day

W Three Day

C Lowest Cost

D Carrier Designated

I International

M Military

P Pick up

O Other

X Express

U Standard

Processors Supported: eBillMe, PayPal Payflow Pro.

field reference 247

SHIPMI: ShipAddress:Middle InitialGroup: Shipment Address/InfoSample: BRecipient’s middle initial (not a middle name). Do not use for compound lastnames (e.g., van Beethoven); put the entire last name in the SHIPLNAM field.Processors Supported: All processors.

SHIPNAME: Ship-To Full NameGroup: Shipment Address/InfoSample: Mary JonesRecipient’s full name. Specify either the name components (e.g.,SHIPFNAM, SHIPMI, SHIPLNAM) or the full name (BILLNAME),depending on how these fields are used in your implementation.Processors Supported: All processors.

SHIPSALU: ShipAddress:SalutationGroup: Shipment Address/InfoSample: Ms.The shipping name salutation (e.g., "Mr.")Processors Supported: Local field/reserved for future use.

SHIPSTPR: ShipAddress:State/ProvGroup: Shipment Address/InfoSample: NHUS State or Canadian Province Code portion of shipping address.Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Express Checkout, Trident PaymentGateway.

SHIPSUFX: ShipAddress:ShuffixGroup: Shipment Address/InfoSample: Jr.The shipping name suffix (e.g., "Jr.")Processors Supported: Local field/reserved for future use.

248 cn!express®

SHIPWPHO: ShipAddress:Work PhoneGroup: Shipment Address/InfoSample: 6034444444

Work phone number of shipping address.Processors Supported: Trident Payment Gatewayonly.

SHIPZCPC: ShipAddress:ZIP/Postal CodeGroup: Shipment Address/InfoSample: 03458

A five-digit US ZIP Code, ten-character ZIP+4, seven-character Cana-dian Postal Code or UK Postal Code. (UK AVS is supported byChase Paymentech Orbital Gateway only). Valid field formats are:

Format Country

NNNNN US

NNNNN-NNNN US

ANAANA CAN

ANA ANA CAN

AN NAA UK

ANA NAA UK

ANN NAA UK

AAN NAA UK

AANN NAA UK

AANA NAA UK

Processors Supported: eBillMe, First Data Global Gateway, Litle & Co., ChasePaymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, PayPal ExpressCheckout, Trident Payment Gateway.

field reference 249

SID: SubmitterIDGroup: OtherSample: 0123456



SKU: SKUGroup: Shipment Address/InfoSample: SKU NUMBERMerchant’s SKU number.Processors Supported: PayPal Payflow Proonly.

SOFT1: Soft Descriptor 1

Group: Merchant Info/Soft DescriptorsSample: ASI*TREVANCE GATEWAYGenerally, a description of the payment that appears on the customerstatement. This field is used in different ways for different processors.Appendix IV (Soft Descriptors) has detailed information on this field.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Trident Payment Gateway, Transfirst ePay.

SOFT2: Soft Descriptor 2

Group: Merchant Info/Soft DescriptorsSample: 800-123-1234

Generally, a description of the payment that appears on the customerstatement. This field is used in different ways for different processors.Appendix IV (Soft Descriptors) has detailed information on this field.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, Pay-Pal Payflow Pro, Trident Payment Gateway.

SOURCEIP: Source IP AddressGroup: ECommerce Customer InfoSample: 192.168.123.123



250 cn!express®

STATUS: StatusGroup: OtherSample: AUTHORIZEDTransaction Status.

• Authorized

• Closed

• Captured

• Entered

• Failed

• Refunded

• Voided

This field is generated by CN!Express®.Processors Supported: PayPal Express Checkoutonly.

STRTDATE: Start DateGroup: PayPalSample: 3/1/2010 14:22:31

For Query transactions, the first date to include in the search.Processors Supported: PayPal Payflow Pro, PayPal Express Checkout.

SUBDATE: Subscription DateGroup: PayPalSample: 3/1/2010

Returned by PayPal in response to a GetDetails transaction. The subscriptionstart date.Processors Supported: PayPal Express Checkoutonly.

SUBEFDT: Subscription Effective DateGroup: PayPalSample: 3/1/2010

Returned by PayPal in response to a GetDetails transaction. The subscription ef-fective date.Processors Supported: PayPal Express Checkoutonly.

field reference 251

SUBID: Subscriber IDGroup: PayPalSample: 123456

Returned by PayPal in response to a GetDetails transaction. The subscription ID.Processors Supported: PayPal Express Checkoutonly.

SUBMRCH: Submerchant NameGroup: Merchant Info/Soft DescriptorsSample: Auric SystemsA sub-merchant description. This is currently used for eBillMe only.Processors Supported: eBillMeonly.

SUBPASS: Subscriber PasswordGroup: PayPalSample: a8923ha89ha32

Returned by PayPal in response to a GetDetails transaction. The subscriptionpassword.Processors Supported: PayPal Express Checkoutonly.

SUBPRD: Subscription PeriodGroup: PayPalSample: 2 YearsReturned by PayPal in response to a GetDetails transaction. The subscription pe-riod.Processors Supported: PayPal Express Checkoutonly.

SUBRECR: Subscription Rate RecurringGroup: PayPalSample: 1

Returned by PayPal in response to a GetDetails transaction. 1 if regular rate re-curs.Processors Supported: PayPal Express Checkoutonly.

252 cn!express®

SUBRETR: Subscription RetryGroup: PayPalSample: 1

Returned by PayPal in response to a GetDetails transaction.Indicates whether re-attempts occur on payment failures.Processors Supported: PayPal Express Checkoutonly.

SUBRTDT: Subscription Retry DateGroup: PayPalSample: 3/1/2010

Returned by PayPal in response to a GetDetails transaction. Date of retry onfailed payment attempt.Processors Supported: PayPal Express Checkoutonly.

SUBTOTAL: Subtotal AmountGroup: eBillMeSample: 10.00

The subtotal of items in the order.Processors Supported: eBillMe, First Data Global Gateway.

SUBUSER: Subscriber User NameGroup: PayPalSample: JDoe25

Returned by PayPal in response to a GetDetails transaction. The subscriptionuser.Processors Supported: PayPal Express Checkoutonly.

SURCHAMT: Surcharge AmountGroup: Debit CardsSample: 1.00

Returned by Debit Authorization Transaction. Amount ofsurcharge charged for this transaction. 0.00 if no surcharge.Processors Supported: Local field/reserved for future use.

field reference 253

SWCHDATE: Switch/Solo Card Start DateGroup: Switch/MaestroSample: 0105

The date the card becomes active. Format: MMYY The Switch/Solo CardStart Date field should be submitted only when the card does not havean Issue Number. If the card displays only a Start Date and no IssueNumber, the Switch/Solo Card Start Date field should contain a valueand the Switch/Solo Card Issue Number field must be blank. If the carddisplays both a Start Date and an Issue Number, the Card Start Dateshould be left blank and the Card Issue Number field must be populated.Processors Supported: Chase Paymentech Orbital Gatewayonly.

SWCHISSU: Switch/Solo Card Issue NumberGroup: Switch/MaestroSample: 01

An increment counter of either 1 or 2 characters defined by the issuing bank.If a card is lost, the bank issues a replacement card with the issue number beingincreased by one. The Switch/Solo Card Issue Number must be submitted evenwhen a Switch/Solo Card Start Date exists. Example:

• If the card displays "01", submit "01", NOT "1".

• If the card displays "1", submit "1", not "01".

In addition, the Switch/Solo Card Issue Number must be submitted exactly asshown on the card.Processors Supported: Chase Paymentech Orbital Gatewayonly.

TAA1: AMEX Trans Advice 1

Group: PC Level 2

Sample: Advice1

American Express Transaction Advice Addendum #1. This record providesadditional purchase information for American Express transactions. It is alsoused for Purchase Card transactions to provide specific details about the trans-action to the cardholder for tracking purposes. Information entered in this fieldshould be as specific as possible. MERCHANDISE, for example, is unacceptable.APPLE MACINTOSH is acceptable. The text must be in uppercase. Transac-tion Advice Addendum (TAA) fields must be presented in sequence for themto be transmitted. If two TAA fields are to be transmitted, they must be TAA#1

and TAA#2. If TAA#1 and TAA#3 are presented, only TAA#1 is transmitted.Processors Supported: Chase Paymentech Orbital Gatewayonly.

254 cn!express®


Group: PC Level 2

Sample: Advice2

American Express Transaction Advice Addendum #2.Processors Supported: Chase Paymentech Orbital Gatewayonly.


Group: PC Level 2

Sample: Advice3

American Express Transaction Advice Addendum #3



Group: PC Level 2

Sample: Advice4

American Express Transaction Advice Addendum #4


TANDC: T and C VersionGroup: Bill Me LaterSample: 02102

Used for Bill Me Later transactions. Version number ofthe Terms and Conditions to which the customer agreed.Processors Supported: Litle & Co., Trident Payment Gateway.

TAX: TaxGroup: PC Level 2

Sample: 1.00

This value is required for purchase card level 2 and purchase card level 3 trans-actions.Processors Supported: Cardinal Centinel, First Data Global Gateway, Litle &Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse,PayPal Express Checkout, Trident Payment Gateway, Transfirst ePay.

field reference 255

TAXEXMPT: Tax ExemptGroup: PC Level 2

Sample: 0

This value is required for purchase card level 2 and purchasecard level 3 transactions. ’Y’ if transaction is tax exempt, ’N’if not. If not supplied but TAX is supplied, ’N’ is assumed.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, PayPal Payflow Pro, Tsys PayFuse, Transfirst ePay.

TENDSUBT: Tender Sub-TypeGroup: OtherSample: PREPAID:GIFTTender sub-type. For information only, returned on response. Some valuesare listed in the following table, but there may be additional types as well.

Example Values

UNKNOWN

CREDIT

DEBIT

FSA

PREPAID:GENERAL_PREPAID

PREPAID:GIFT

PREPAID:PAYROLL


256 cn!express®

TENDTYPE: Tender TypeGroup: Common Request FieldsSample: CCN!Express® always assumes the incoming transaction is a credit card trans-action. It can then automatically distinguish check, PIN-based Debit, and BillMe Later transactions based on the imported information. CN!Express® cannotdistinguish between a credit card, a purchase card, and PIN-less debit transac-tion. If you are processing purchase cards or PIN-less debit transactions, youmust import the Tender Type. The following table lists the acceptable TenderTypes and also shows the data CN!Express® uses for automatic identification.

Code Description Distinguishing Feature

C Credit Card

K Check Routing Number

B Bill Me Later T and C Version

D PIN Debit PIN

L PINless Debit

P Purchase Card

Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway.

TOKEN: Processor TokenGroup: IdentifiersSample: ABCDEFG01234567890-1234567890

An identifier, generated by the payment processor, that represents a cus-tomer’s account number. The token can be used in place of the accountnumber for future transactions with this payment processor. This allowsthe merchant to discard the sensitive account number (which would other-wise need to be encrypted and securely stored) and retain only the token.Processors Supported: Litle & Co., Chase Paymentech Orbital Gateway, TridentPayment Gateway.

field reference 257

TOPCAPB: Terminal Output CapabilityGroup: Additional Credit CardSample: 0

Indicates whether the terminal is capable of printing or dis-play. American Express only. This is additional informationthat you can specify to describe the transaction environment.

Code Description

0 Unknown

1 None

2 Printing

3 Display

4 Print and Display


TOTPMTS: Total PaymentsGroup: Recurring/InstallmentSample: 4

The total number of payments in an installment order.Processors Supported: Cardinal Centinel, PayPal Express Checkout, TransfirstePay.

TRACK1: Track 1

Group: RetailSample: TRACK1DATACard Swipe data from Track 1. Card present retail transactions should pro-vide either Track 1 or Track 2 data, but not both. If a transaction does containboth Track 1 and Track 2 data, CN!Express® defaults to using the Track 1 data.Processors Supported: First Data Global Gateway, Litle & Co., Trident PaymentGateway.

258 cn!express®

TRACK2: Track 2

Group: RetailSample: TRACK2DATACard Swipe data from Track 2. Card present retail transactions should pro-vide either Track 1 or Track 2 data, but not both. If a transaction does containboth Track 1 and Track 2 data, CN!Express® defaults to using the Track 1 data.Processors Supported: First Data Global Gateway, Litle & Co., Trident PaymentGateway.

TRANSID: Transaction IdentifierGroup: Credit Card Authorization SpecificsSample: 2390239023A9JReturned by Transfirst with the authorization. May be tracked and op-tionally returned with the deposit transaction. An identifier, assignedby Visa or Mastercard, used to uniquely identify and link all relatedmessages and records used to authorize and settle the transactions.Processors Supported: Tsys PayFuse, Transfirst ePay.

UNALLOC: Unallocated PaymentGroup: eBillMeSample: 0

A boolean value that describes whether a payment is allocated or un-allocated (1 means unallocated). Currently used by eBillMe only.Processors Supported: eBillMeonly.

UTID: Unique Transaction IDGroup: IdentifiersSample: 0123456789abcdefghijklmnopqrstuvwxyz_ABC-DEFGHIJCN!Express® can be configured to generate and store UTIDs for eachsuccessful authorization. CN!Express® can later use the UTID to lookup the customer account number for a transaction. The merchant canstore the UTID instead of the account number and send the UTID toCN!Express® for later deposit (and refunds, if required). Using UTIDsrelieves the merchant of the requirement to store credit card accountnumbers to use in follow-up transactions over the life of an order.Processors Supported: Local field/reserved for future use.

field reference 259

VALCODE: Validation CodeGroup: Credit Card Authorization SpecificsSample: 1234

Returned by Transfirst with the authorization. May be tracked andoptionally returned with the deposit transaction. Value is assignedby the Visa authorization system. Used by Visa to determine the ac-curacy of the authorization data contained in the settlement record.Processors Supported: Transfirst ePayonly.

VATAMT: VAT AmountGroup: PC Level 3/Detail RecordsSample: 1.00

Amount of total transaction that represents European VAT tax.Processors Supported: First Data Global Gateway, Chase Paymentech OrbitalGateway.

VATRATE: VAT RateGroup: PC Level 3/Detail RecordsSample: .01

Local field/ reserved for future use Rate at which VAT was calculated for thistransaction.Processors Supported: Chase Paymentech Orbital Gatewayonly.

VICAVV: Visa Authentication CAVVGroup: VbV/Secure CodeSample: CAVVValue returned by Verified by Visa service prior to authorization. Includewith Authorization for Verified by Visa transactions. A cryptographicvalue that links the Issuer’s authentication or attempted authenticationresponse with a subsequent authorization message for that purchase.Processors Supported: First Data Global Gateway, Litle & Co., Moneris So-lutions, Chase Paymentech Orbital Gateway, Tsys PayFuse, Trident PaymentGateway, Transfirst ePay.

260 cn!express®

VICAVVRS: Visa Authentication CAVV ResponseGroup: VbV/Secure CodeSample: 2

Result code returned during Authorization of a Verified by Visa trans-action. See Appendix IV (Verified by Visa CAVV Response) for details.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Transfirst ePay.

VIXID: Visa Authentication XIDGroup: VbV/Secure CodeSample: XIDValue returned by Verified by Visa service prior to authorization. Includewith Authorization for Verified by Visa transactions. A unique trackingnumber set by the Merchant and sent to the Issuer Authentication Server.Processors Supported: First Data Global Gateway, Litle & Co., Chase Pay-mentech Orbital Gateway, Tsys PayFuse, Trident Payment Gateway, TransfirstePay.

WEBPASS: Web PasswordGroup: OtherSample: webpass01

Used for transactions presented via the Web interface. This value isused by CN!Express® only, it is not sent to the payment processor.Processors Supported: All processors.

WEBUSER: Web UserGroup: OtherSample: webuserUsed for transactions presented via the Web interface. This value isused by CN!Express® only, it is not sent to the payment processor.Processors Supported: All processors.

field reference 261

XCLASS: ClassGroup: Common Request FieldsSample: ETransaction Class. Not all transaction classes are supported by all proces-sors. In particular, "ER" is supported by Transfirst ePay and First Data GlobalGateway only. For all other processors, use "R" for all recurring transactions.

Class Description

E, E-Commerce Ecommerce

ER Recurring (Ecommerce)

I, Installment Installment

M, MOTO Mail Order/ Phone Order: MOTO

R, Recurring Recurring

P Retail (POS)

T Telephone Order

Processors Supported: Cardinal Centinel, eBillMe, First Data Global Gateway,Litle & Co., Chase Paymentech Orbital Gateway, PayPal Payflow Pro, TridentPayment Gateway, Transfirst ePay.

XSEQ: Transaction SequenceGroup: OtherSample: 1



Currency Codes

Table 13: Currency Codes

Description Currency Code

Australian Dollars AUD 36

Brazilian Real BRL 986

British Pounds GBP 826

Canadian Dollars CAD 124

Czech Koruna CZK 203

Danish Krona DKK 208

Hong Kong Dollars HKD 344

Hungarian HUF 348

Indian Rupee INR 356

Indonesian IDR 360

Japanese, Yen JPY 392

Norwegian Krone NOK 578

Philipine Peso PHP 608


264 cn!express®


Description Currency Code

Polish New PLN 985

Russian Rouble RUB 643

South African Rand ZAR 710

South Korean KRW 410

Swedish Krona SEK 752

Swiss Franc CHF 756

Thailand BAHT 764

United States USD 764

currency codes 265

Index

CN!Express®

ASI Response Code, 43

LastActionSucceeded, 43

Instant Tokenization™, 43

response codes, 43

PaymentVault™, 45

delayed delete, 45

action codetokenization, 44

audit trails, 113

CID, 103

cid, 139

cvv, 139

CVV2, 103

cvv2, 139

date of birth, 139

delete files, 103

driver’s license, 139

encrypt, 103, 107

encryption, 139

export, 103

https, 139

import, 103

key management, 107

logs, 103, 113

magnetic stripe, 103

mail server, 113

multi-pass overwrite, 103

Network Time Protocol, 113

Open Web Application SecurityProject, OWASP, 115

passwords, 111

remote access, 125

s-ftp, 139

secure applications, 115

secure file deletion, 103

security alerts, 119

SMTP, 113

social security number, 139

tokenization, 43, 47

migration, 46

UTID, 43

users, 111

vpn, 139

web application, 115

web interface, 115

wireless, 117

CN!Express® User Guide - Auric Systems InternationalExpressUserGuide.pdf · 2019. 2. 14. · III...

Documents

Transcript of CN!Express® User Guide - Auric Systems InternationalExpressUserGuide.pdf · 2019. 2. 14. · III...