Jump to content
Sign in to follow this  
freerangemum

HSBC secure-epayment module

Recommended Posts

I'm glad that you got your link with Protx sorted. Unfortunately I know other people who have done this and have had as much trouble as some people have had with HSBC integration. Also - don't you end up paying twice? Once to Protx, once to HSBC?

 

Vger

Share this post


Link to post
Share on other sites

Hi, No it does not have to be dropped into /usr/lib/, as all of the necessary files we dropped into the one folder, the cgi-bin. We never had a problem with that setup.

 

Vger

Hi Vger

 

I had already dropped them into a folder (outside the web directory) and pointed the hsbc.php to the location. I assume the .so file that hsbc uses has a dependency on this other file, I could be wrong however, it was 1 am this morning!! The only other posiblility is that the /usr/lib location is hard coded into the .so from hsbc, so it will only work if the library file resides in /usr/lib, however other people have reported it works with the files anywhere. So either the required files are present in /usr/lib on that system or it is a dependency of the supplied library file ... I will do a little testing and see if I can find an answer (probably at 1 am again!!).

 

I will take a look at the other problem later on, i think it already uses the checkout_success page.

 

Paul.

Share this post


Link to post
Share on other sites

I am having a problem when HSBC stops a order. Apparently, there is no record of the order being made on OSC. Shouldn't an order be saved to the db before going to HSBC? And then if it's rejected, the order would be marked for rewiew or something?

 

I'm looking through this extremely long thread again. But, my eyes get blurry after a couple of pages. :blink:

 

Thanks,

Paul

Share this post


Link to post
Share on other sites

No, it's the PayPal IPN that pre-saves the order, HSBC doesn't. But if you look through this thread you'll find a solution to the problem of HSBC refusing an order because the cardholder statement address and delivery address don't match up.

 

Actually , just found the link - here itis:

 

http://forums.oscommerce.com/index.php?sho...ndpost&p=369748

 

and here:

 

http://forums.oscommerce.com/index.php?sho...ndpost&p=369476

 

Vger

Share this post


Link to post
Share on other sites
No, it's the PayPal IPN that pre-saves the order, HSBC doesn't.  But if you look through this thread you'll find a solution to the problem of HSBC refusing an order because the cardholder statement address and delivery address don't match up.

I agree that's what PayPal does and HSBC doesn't. What I was asking was "Shouldn't an order be saved to the db before going to HSBC?" ;)

 

 

Thanks for the links. But, I'm not careing for that one right off hand. But, I'm still thinking it through.

 

 

 

I figured out something that might work. But, I need to test it. I just tried a purchase with one of my cards with a totally wrong name and address (Jesse James in Tombstone, Az) to test it. But, HSBC accepted the charge!!!! :'(

 

Thanks for your response as always. You are great. It always helps to talk things through a bit.

 

Paul

Share this post


Link to post
Share on other sites

Hi Paul,

 

Just to re-emphasise what Vger posted. The HSBC mod does not create an order before the payment has been made - This would not make sense as if the customer chooses to cancel the transaction from the HSBC page then he/she gets returned to the checkout process and you do not need a completed order.

 

What does happen is that the minute the customer makes the payment, on the HSBC site, HSBC sends a "hidden post" back to your osC site confirming the transaction and placing the order. This means that althought the customer is prompted to return to your site, they do not need to for the order to be placed.

 

With regards to the HSBC review system, once setup correctly, I have to admit it does work rather well. I am guessing that the reason your "dodgy" address went through ok is that you are still running in test mode. I seem to remember that they dont actually check the card or address until you switch to live.

 

Basically, HSBC will accept, proivisionally any transaction where any the address is incorrect but they place it in a review state. You have to personally accept it - if in doubt call the customer to verify things. If the card number is known to be fraudulent then they do not accept the transaction at all and you cannot do anything about it.

 

Just recently I have had an order placed that was declined by HSBC as the e-mail address of the customer was known to be used before in fraudulent cases - this was useful as there was no way of me knowing.

 

All in all, after using them now for about 11 months, and after a lot of initial teething problems, I would indeed sing their praises and say its worth the agro of getting it setup.

 

Cheers,

Rich


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hi Rich,

 

Thanks for you response. But you have made a lot of incorrect assumptions. So, to clear things up a bit.....

 

Hi Paul,

 

Just to re-emphasise what Vger posted.  The HSBC mod does not create an order before the payment has been made - This would not make sense as if the customer chooses to cancel the transaction from the HSBC page then he/she gets returned to the checkout process and you do not need a completed order.

As I mentioned, I understand what HSBC does and does not do. My question was "shouldn't" it be done differently?

I disagree with you that it wouldn't make sense to create the transaction before being sent off site. Too many things can happen on the internet. If a customer wants to place an order on my OsCommerce site, then they hit the confirmation button. At that point the order should be documented in the database. If the customer looses connection, gets cold feet, or whatever and the transaction isn't completed, then their is a record of their order at least. If they actually cancell the trans. then the order would get flagged with that information and the customer gets returned to the site. All is well.

What does happen is that the minute the customer makes the payment, on the HSBC site, HSBC sends a "hidden post" back to your osC site confirming the transaction and placing the order.  This means that althought the customer is prompted to return to your site, they do not need to for the order to be placed.

And, of this, I am also aware. But, has nothing to do with the problem I presented.

With regards to the HSBC review system, once setup correctly, I have to admit it does work rather well.  I am guessing that the reason your "dodgy" address went through ok is that you are still running in test mode.  I seem to remember that they dont actually check the card or address until you switch to live.

I have no problem with HSBC. That is not the issue. And you are entirely wrong in the "guess" that the module is in test mode. We are live and accept payments regularly.

Basically, HSBC will accept, proivisionally any transaction where any the address is incorrect but they place it in a review state.  You have to personally accept it - if in doubt call the customer to verify things.  If the card number is known to be fraudulent then they do not accept the transaction at all and you cannot do anything about it.

This is obviously wrong as I have stated that being Live (not in test mode) I just made two transactions with incorrect names and addresses. And HSBC did not place the transaction in "review" mode. But, instead, accepted my name as being Jesse James and my address as Tombstone, Az. . :D Both name and address are way off. When I put in a fake account number, however, HSBC was correct in not accepting the transaction. Which obviously, it shouldn't.

Just recently I have had an order placed that was declined by HSBC as the e-mail address of the customer was known to be used before in fraudulent cases - this was useful as there was no way of me knowing.

Great. We have had that happen too.

All in all, after using them now for about 11 months, and after a lot of initial teething problems, I would indeed sing their praises and say its worth the agro of getting it setup.

 

Cheers,

Rich

 

Now, after all that, have you ever Ok'd a transaction that was put in "review" status? Only to find that the only thing you now know, is the total amount of the transaction. That is fine if all you have is one product. But, if you have 2000+ items, you don't have a clue what the customer wanted. Now, you have a dilemma. If the purchase had been posted before the customer left the site. You would be able to change the order status. And all's well.

 

So, "All in all". I still don't have a good reason or solution. :D

 

But, thanks for the conversation, Rich.

 

Paul

Share this post


Link to post
Share on other sites

Paul - this was your original question "I am having a problem when HSBC stops a order. Apparently, there is no record of the order being made on OSC. Shouldn't an order be saved to the db before going to HSBC? And then if it's rejected, the order would be marked for rewiew or something?"

 

That question was answered by both myself and Richard - in that your HSBC order is not pre-saved before proceeding to HSBC. Yes, it is put into a review state if an order fails, but you are not notified of that by HSBC.

 

Richard was trying to assist you. I don't think, given your reply, that he'll be bothering to do so again.

 

If you are worried about not knowing what was in the cart at the time a transaction is placed into review by HSBC then there's a contribution you can install that allows you to recover the cart contents.

 

Vger

Share this post


Link to post
Share on other sites
If you are worried about not knowing what was in the cart at the time a transaction is placed into review by HSBC then there's a contribution you can install that allows you to recover the cart contents.

 

Vger

 

I agree with Vger.

 

Due to the nature of our business (computer/electonic goods) we get a lot of customers coming to the site and going all the way through the checkout just to see what the final price ends up like. These people will often click on the PAY button just to see what further info they are going to have to add.

 

These customers then go off and compare our prices to other site/stores and sometimes come back to purchase the item, often they don't though. If an order was created before they paid for the item, we'd end up with hundreds of un-completed orders every month sitting in our orders list making it look like we were doing more business than we really are.

 

I have installed the Visitors Webstats Contribution which gives me pretty good tracking of where visitors have come from and what pages and products they've looked at. I may also install the 'recover cart contents' contrib at some point just to help me see what products customers 'almost' purchase but the Visitors webstats helps with this anyway.

 

As to whether or not the HSBC contrib 'should' create the order before sending the client to the HSBC site... maybe it 'should' give the store owner the option of creating the order first if the want, but it would probably take some heavy sweet-talking to get someone to do it (or a few dollars!).

 

If you are having problems with orders not getting recorded after payment, you could talk to ribs (Neil Westlake). He fixed some stuff for us and is VERY good. Highly recommended! He may be able to help.

 

Happy Easter

Peter

Share this post


Link to post
Share on other sites

Hi All

 

OK, so I got the module up and working, however I have one issue which I am not sure how to solve, it is simillar to lots of reported issues but so far I have not sorted this out.

 

The problem is the order not being returned from the HSBC site to OSC, however it is intermitent.

 

I have tailed the error logs and it seems when OSC posts the Oscsid then all is OK but when it does not then the order is not processed, no e-mails are sent etc etc.

 

shop.xxxx.co.uk 213.78.208.209 - - [01/Apr/2005:23:03:35 +0100] "POST /checkout_shipping.php?osCsid=0e3a728d240508257d81b8a7526fc20f HTTP/1.1" 302 5 "https://shop.xxxx.co.uk/checkout_shipping.php?osCsid=0e3a728d240508257d81b8a7526fc20f" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

shop.xxxx.co.uk 213.78.208.209 - - [01/Apr/2005:23:03:48 +0100] "POST /checkout_confirmation.php?osCsid=0e3a728d240508257d81b8a7526fc20f HTTP/1.1" 200 30204 "https://shop.xxxx.co.uk/checkout_payment.php?osCsid=0e3a728d240508257d81b8a7526fc20f" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

 

The above posting worked fine, however....

 

shop.xxxx.co.uk 213.78.208.209 - - [01/Apr/2005:23:07:14 +0100] "POST /checkout_shipping.php HTTP/1.1" 302 5 "https://shop.xxxx.co.uk/checkout_shipping.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

shop.ozee.co.uk 213.78.208.209 - - [01/Apr/2005:23:07:42 +0100] "POST /checkout_confirmation.php HTTP/1.1" 200 28006 "https://shop.xxxx.co.uk/checkout_payment.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

shop.ozee.co.uk 63.105.4.5 - - [01/Apr/2005:23:09:08 +0100] "POST /checkout_process.php HTTP/1.1" 302 5 "-" "Java/1.4.2_04"

shop.xxxx.co.uk 213.78.208.209 - - [01/Apr/2005:23:09:44 +0100] "POST /hsbc_return.php HTTP/1.1" 302 5 "https://www.cpi.hsbc.com/servlet" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

 

This one does not work (no oscsid) and in fact the success page still has the items in from the previous session and the cart still has the products in (the ones just purchased and not from the previous session).

 

So the question is how to cure this behaviour ?

It only does it on my browser when I do more than one purchase without opening up a new browser window, however, my customer can not even do one purchase as the OScsid does not get posted when they use their browser.

 

I would think that this needs to be addressed in the hsbc.php so that the oscsid gets posted to the hsbc cpi so that it can be sent back.

 

Am I missing something really stupid here ?

 

The force cookies thing is set to False and I have tried various combinations of suggested mods in the hsbc_return file.

 

The cpi is posting back to the checkout_process.php fine (before the continue button is pressed on the hsbc site) but it seems to be tied in with the sessions.

 

Any ideas anyone ?

 

Cheers

 

Paul.

Share this post


Link to post
Share on other sites

If your site does not send a session id to HSBC then they generate one of their own and send that back to your site - which your site does not recognise, so the whole thing falls down. If you have Recreate Session set to 'true' change it to 'false'

 

Vger

Share this post


Link to post
Share on other sites

Hi Vger

 

I have already set this to False (as your instructions I think) all are set to False except the spider sessions thing.

I take your point about the hsbc posting the session thing back, so I suppose the way round is to make sure the oscsid is ALWAYS posted to the cpi ?

 

But how to do this ?

 

It works fine when the oscsid is posted.

 

Paul.

Share this post


Link to post
Share on other sites

Paul (Fourbit),

 

Nice reply - Glad I could be of assistance :thumbsup:

 

Now, it seems the both of us are making a couple of assumptions.

 

But, if you have 2000+ items, you don't have a clue what the customer wanted

 

I do have 2000+ items listed and I dont see what relevance this has to the way HSBC works. As stated above, if you want to know what your customers are doing then (personally) I would use the mod suggested above, recover cart, and the user tracking mod. I dont see how this issue is related to payment as the customer has for whatever reason not paid.

 

But, instead, accepted my name as being Jesse James and my address as Tombstone, Az

 

This sounds serious - not wanting to jump to any conclusions- have you approched HSBC about it? If so, what was there reply. I am certainly not aware of a problem, any time a different address is entered, or even one that is not in a correct/recognisable state it gets placed in review.

 

Now, after all that, have you ever Ok'd a transaction that was put in "review" status? Only to find that the only thing you now know, is the total amount of the transaction. That is fine if all you have is one product. But, if you have 2000+ items, you don't have a clue what the customer wanted. Now, you have a dilemma. If the purchase had been posted before the customer left the site. You would be able to change the order status. And all's well.

 

Sorry - I dont have a freakin clue what you are on about in this instance. I "ok" review transactions every day. I know everything about the order because as soon as HSBC accept the order (even if still pending review) the hidden post inserts the order in the DB. Thus, I have the printed orders with the ordered items, customers address, shipping adress, telephone number,etc,etc all sitting in front of me when I make the decision. What is the problem with that??? Where is the dilemma?

 

The only situation that I have come across that may be what you are trying to describe is when an order is taken by HSBC and the hidden post does not get back to osC. Since having been with HSBC I have taken in the region of 2000 orders and this has happened twice. (Not a high percentage) Now, what caused these two instances I dont know but with regards to accepting the payment, placed in review or otherwise, well, how can you accept a payment for an order without sending it?? You cant! So, you have the customers name from HSBC, you have there account details so you phone them or e-mail them. Again, no problem.

 

If you are p**ssed because this is occurring regularly then I would suggest you take a good look at your setup - it should not be happening.

 

Once again, for anyone else considering joining up with HSBC - After 9 months and a couple of thousand transactions, I have had only two attempted chargebacks, both of which fell through (in one case it appeared that the items were ordered by the son/daughter of the cardholder without his knowledge and in the other the customer claimed we had charged twice and this was not the case) and I have had three genuinely fraudulent orders. One as mentioned HSBC did not accept due to the e-mail address - This guy is still e-mailing me asking where his order has got to!! - The other two were placed in review and were pretty obviously high risk - expensive items - a quick phone call was enough to prove that the cardholder did not know anything about the order.

 

So, again, I am happy :D - If your not sort it out yourself - As Vger said, your attitude doesnt really entice me to offer any more assistance.

 

Rant over, goodnight,

 

Rich


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Paul (Fourbit),

 

I think I understand what the problem is you are having:

 

A customer purchases an item, they checkout and there address they input is not the same as the registered cardholders (Say they put in there work address). Now when they complete the order they get the ok and you get a transaction in review on HSBC but no order in osCommerce?

 

Am I correct? If so you just need to make a change in hsbc.php and hsbc_return.php to accept return code 9's.

 

The line that needs changing looks like this:

 

if ($CpiResultsCode=='0') and needs to be changed to this ($CpiResultsCode=='0' || $CpiResultsCode=='9')

 

Hope this helps, if this is not what you was asking then ignore me as it's late friday night and I've been on the liquor a little.

 

Regards

 

Neil Westlake

DJBox.co.uk

Edited by ribs

Share this post


Link to post
Share on other sites

Neil,

 

At the risk of incurring another snotty reply, I think you are right, this is exactly the problem Paul has. However, this fix was pointed out to him on the previous page by Vger and he stated that this was not the solution he was looking for.

 

Cheers,

Rich


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Paul (Paulshutt),

 

Yes, its late and I am probably stating the obvious but are you installing the latest version of the mod? See previous posts by Vger with directions, it is available from the Qadram site as opposed to the osC contributions area.

 

Have you got this line in your hsbc_return.php

 

if (!empty($_POST['MerchantData'])) $_GET['osCsid']=$_POST['MerchantData'];

 

just above

 

include('includes/application_top.php');

 

Also, check your config files are set correct. These can cause problems with the session ids - I am confused as to why opening another broswer window should affect things and its making me think that something is amiss in your setup. There are plenty of threads on this in the forums but just let me know if you need an example posted/emailed.

 

If all else fails, pm me tomorrow and I will email you my hsbc and hsbc_return files.

 

Well, I watched "The Ring" on the box tonight and very bl**dy scary film it maybe, it just doesnt compare on the nightmare front to the nights I spent installing HSBC!! :P

 

Cheers,

Rich


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Thanks Vger, Rich, and Neil,

 

You all helped me find the answer. Kinda staring me in the face as usual. As I told Vger it always helps to talk things through.

 

Sorry I came off so "snotty" as Rich put it. But, just wasn't in the mood for a lot of the "re-emphasis" and I was in the middle of a major tootheache. I really thought I was being nice and trying to clear up the misunderstanding as to my Post.

 

Anyhow, I have managed to solve that goofy problem with the order not being in the db after the customer is returned by HSBC with the flag of "review" status. Actually, it was quite simple. And I didn't have to change any code. (well I did change and then changed back). I found that there is a field that you can add error numbers to that's called "Pending Error Codes". I put 8,9 in there. This field causes the order info. to be saved with a "pending" flag if HSBC has returned the order with one of those error codes. Then after you OK the purchase with HSBC, you can change that "pending" to "processing" or whatever in the Customers/orders screen. Simple. :blush:

 

I again apologize for being a bit on the rude side. ;)

 

Just an old crotchity mountain man that can't handle multitasking with a toothache.

 

Multitasking.... :D Heck, I can barely walk and chew gum at the same time. And that's taken 50 years to perfect. :blink:

 

Paul

Share this post


Link to post
Share on other sites

Pleased to hear you got it sorted Paul. :thumbsup:

 

Multitasking.... I have it on good authority (my wife!) that this can only be accomplished by the fairer sex, hence I have given up trying!!

 

Cheers,

Rich


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

OK

 

Thanks for the comments rich (and the files) however I was already testing when you sent them.

 

Your post made me think and work through the problem after some sleep!!

 

I have got the most recent version of the module.

 

Yes you were stating the obvious (but I am not going to get offended!!) and this obvious stuff actually drove me to the solution (well so far).

if (!empty($_POST['MerchantData'])) $_GET['osCsid']=$_POST['MerchantData'];

 

Yes this was in the hsbc_return.php file however it was not in the checkout_success.php file (the file the HSBC cpi secretly posts back to) so in it went and now the session ID is picked back up from the returned POST string. :rolleyes:

 

So even when the oscsid is not present in the post action then everything seems now to work, obvious really, so why did I waste so much time trying to sort it out... DOHHHHH! :angry:

 

Half the problem with this thread is that most of the stuff before about Sept 04 is now fairly obsolete as the latest version of the module addresses most of the problems. By the time you have got through all those old posts then you have talked yourself out of installing this module.

 

For anyone thinking about installing this then follow the readme files included in the latest zip file of the module and you should be most of the way there.

 

I think I am now sorted (now why did I say that!!) so thanks for all the pointers from this thread along the way (vger, Neil, Rich and all the rest).

 

Start of shameless plug....

 

If anyone is having problems installing this module then we can offer hosting for your ocommerce site and help you set this up and get it working as our servers do work with this module (unlike some others by the looks of it). Anyway feel free to contact me.

 

End of shameless plug ...

 

So .. so long and thanks for al the fish! (only funny if you read Douglas Adams)

Share this post


Link to post
Share on other sites

Paul, most of the people who try to help out here can offer osCommerce compatible hosting for THEIR customers - but we don't do it because it is strictly against forum rules to do so.

 

I think it's a bit rich offering to help others to install it (for a fee I presume), when you've only just got yours installed with help from others here.

 

Are the Mice still studying us? (HHGTTG)

 

Vger

Share this post


Link to post
Share on other sites

Hi Vger

 

Au Contraire .. I was not trying to charge people for setting up the module, I was just saying if you are having host problems contact me.

 

I was not aware it was against the rules .. so I retract the statement ... I will not offer to host anything for anyone on this forum, and with my new found understanding of the HSBC module I will offer to fight for truth and justice and help people if I can at no cost to them at all whatsoever ... (is that better) ;)

 

Sorry for any offence, none was intended!

 

Anyway .. I have just looked at my digital watch (which I still think is a pretty neat idea) and it tells me it is time for lunch!

 

Paul

Share this post


Link to post
Share on other sites

Yes, just looked at my digital screen, and it's telling me it's time for lunch also!

 

Vger

Share this post


Link to post
Share on other sites

I copied the necessary files from CDROM into a directory I made called CGI-BIN as it was not on my FTP. I moved this folder outside the httpdoc directory but still getting "Hacking Attempt!".

 

Is there anywhere I can define in the contribution where the location of the files are? Or how do I know if it really locates the files?

 

Thanks!

Share this post


Link to post
Share on other sites

You need to set the path in the hsbc.php file that you put in /catalog/includes/modules/payment

 

Find the section

  //Path where the TestHash.e executable is located
 $path='/home/sites/site13/hsbc';    

 putenv("LD_LIBRARY_PATH=$path");

 

at about line 87 and change the path to the location of your files.

 

Good Luck.

 

Paul.

Share this post


Link to post
Share on other sites

So everyones comments on here have been very helpful and I have been able to take the integration of HSBC's epayments quite far but I reckon I may have hit a brick wall. I quizzed my server hosts about the exec() function in PHP and it appears that they have disabled it for security reasons. Is there a workaround for the generate hash function in the code below?

 

//Executes the TestHash to get the hash
 $cmd="$path/TestHash.e \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd";
  
 $ret=exec($cmd);

 

Is it possible to run this part of the function on another server that allows the exec() command to be run?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×