Latest News: (loading..)
Sign in to follow this  
Followers 0
freerangemum

HSBC secure-epayment module

1,158 posts in this topic

Not in the URLs specifically - but definitely don't force cookie usage.

 

Cheers mate.

 

If anyone has managed to develope a robust system where the session isn't in the URL let me know. On this particular job the URL's have to be totally clean which is why I need to take them out of the URL's

Share this post


Link to post
Share on other sites
First of all I'm getting a cpi results 10

 

What I've changed to the oscommerce system is;

- forced sessions into cookies

- set the configure file to;

define('HTTP_SERVER', 'http://www.domain.co.uk');

define('HTTPS_SERVER', 'https://www.domain.co.uk');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'www.domain.co.uk');

define('HTTPS_COOKIE_DOMAIN', '');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '');

 

the previous configure file looked like this

 

define('HTTP_SERVER', 'http://www.domain.co.uk');

define('HTTPS_SERVER', 'https://domain.co.uk');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'http://www.domain.co.uk');

define('HTTPS_COOKIE_DOMAIN', 'https://www.domain.co.uk');

define('HTTP_COOKIE_PATH', '/execsc');

define('HTTPS_COOKIE_PATH', '');

 

I'm not really qualified to help you, since I still have a small bug using the hsbc_return.php file, but the process through to HSBC and back on my server seems OK.

 

FWIW - You stated the changes you made to the configure file - mine looks like this :

 

define('HTTP_SERVER', 'http://www.domain.co.uk');

define('HTTPS_SERVER', 'https://domain.co.uk');

define('ENABLE_SSL', true);

define('HTTP_COOKIE_DOMAIN', 'www.domain.co.uk');

define('HTTPS_COOKIE_DOMAIN', 'domain.co.uk');

define('HTTP_COOKIE_PATH', '/');

define('HTTPS_COOKIE_PATH', '/');

 

In this case, the SSL certificate for this domain is made out to http://domain.co.uk.

 

I have no idea if this helps - but hope it does.

Share this post


Link to post
Share on other sites

For the other question, for HSBC e-Secure to work you must send HSBC a session id, else they will generate an id of their own and pass it back to your site - but your site won't recognise their id and the transaction will fail.

 

If you want an alternative which does not rely on session ids being passed then look at Protx Direct. The customer stays on your site - it's only the card verification that goes off-site and that's done behind the scenes.

 

Vger

Share this post


Link to post
Share on other sites
For the other question, for HSBC e-Secure to work you must send HSBC a session id, else they will generate an id of their own and pass it back to your site - but your site won't recognise their id and the transaction will fail.

 

If you want an alternative which does not rely on session ids being passed then look at Protx Direct. The customer stays on your site - it's only the card verification that goes off-site and that's done behind the scenes.

 

Vger

 

Thanks for your thoughts on this problem.

 

Would it not be at all possible to send HSBC the session which is stored in the cookies?

 

This is where my understanding of the system reaches it's limits so feel free to have a chuckle if I've said something stupid.

Share this post


Link to post
Share on other sites

The session id is picked up from the code source of the page that contains the data being sent to HSBC. If you run through an order until you reach the checkout_confirmation.php page and then use View Source in your browser you will see (or not see) the session id that's being sent to HSBC.

 

We had this problem with our first install of e-Secure, on a website with a full ssl cert and Force Cookie Use set to True. The only solution was to turn off Force Cookie Use.

 

At least it's not as bad as Barclays ePDQ, because their system relies on http headers being sent, not https headers - so you have to make two pages http pages, which should be https pages, just to get it to work. This is bizarre to say the least - a banking company whose system requires that pages are NOT encrypted. It's even worse when you realise that they use exactly the same software that HSBC uses!

 

Protx Direct is infinitely superior to either Barclays or HSBC - the customer stays on your website and doesn't leave it - and you don't have to pass a session id and you don't have to make https pages into http pages.

 

Vger

Share this post


Link to post
Share on other sites

Combined with the fact its so easy to install and its ?20/month for 1000 transactions per quarter is very attractive to the small business who might not take a lot of orders.

 

I'm definitely with you on that 1 but yet the clients still go ahead with the HSBC system even when we tell them otherwise....

 

Thanks for the info :)

 

The session id is picked up from the code source of the page that contains the data being sent to HSBC. If you run through an order until you reach the checkout_confirmation.php page and then use View Source in your browser you will see (or not see) the session id that's being sent to HSBC.

 

We had this problem with our first install of e-Secure, on a website with a full ssl cert and Force Cookie Use set to True. The only solution was to turn off Force Cookie Use.

 

At least it's not as bad as Barclays ePDQ, because their system relies on http headers being sent, not https headers - so you have to make two pages http pages, which should be https pages, just to get it to work. This is bizarre to say the least - a banking company whose system requires that pages are NOT encrypted. It's even worse when you realise that they use exactly the same software that HSBC uses!

 

Protx Direct is infinitely superior to either Barclays or HSBC - the customer stays on your website and doesn't leave it - and you don't have to pass a session id and you don't have to make https pages into http pages.

 

Vger

Share this post


Link to post
Share on other sites
I'm definitely with you on that 1 but yet the clients still go ahead with the HSBC system even when we tell them otherwise....

The thing you have to bear in mind is that whilst protx is familiar to those of us who spend a lot of time online, and staying on your own site to take payment details appears more fluid & 'cleaner', for our customers HSBC is a name they know from the high street and feel comfortable & safe with. To them going to a different site to enter their payment details isn't a -ve, far from it. Personally I'm not interested in what makes for a better payment process code wise (or at least not as a priority), my no. 1 priority is making my customers feel safe & secure, so they'll hit the final confirm button.

Share this post


Link to post
Share on other sites

I agree that HSBC is a known name and well trusted. With online fraud rising by 22% in the UK last year people are wary of making payments online.

 

However, they are just as reassured by a nice SSL Seal on the page and by the fact that they are not being redirected elsewhere to make their payment.

 

I've lost count of the number of HSBC e-Secure installs I've done - but I'd still recommend Protx Direct - now that I have used that system as well.

 

But, as Stephen said, at the end of the day it's down to the customer and what they want.

 

Vger

Share this post


Link to post
Share on other sites

Can anyone answer this please. Does HSBC accept a BillingAddress2 parameter? The Suburb (renamed Address Line 2) on my shop is not being passed through to HSBC, so the option is to tag it on to the BillingAddress1 field or pass it in another field. What do you reckon?

 

Cheers, Andy

Share this post


Link to post
Share on other sites

Agh, I'm taking a guess that I know what is happening here. If someone enters their address as below then it will fail the comparison HSBC carries out between address and postcode:

 

Address 1: Red Brick Cottage

Address Line 2: 29 Brick Lane

 

whereas, if they enter it as below then it matches and the transaction goes through:

 

Address 1: 29 Brick Lane

 

The way around this is to make code 9 a pass and not a fail. Then, instead of the transaction failing, it will appear in your HSBC interface as 'Fraud Pending' and it is then up to you whether or not to proceed and Approve.

 

hsbc_return.php

 

if ($CpiResultsCode=='0')
	{
		tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL'));  }  if ($CpiResultsCode=='9')  {
		tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL',true));
	}

	$error=MODULE_PAYMENT_HSBC_TEXT_ERROR1;

	switch($CpiResultsCode)
	{
		case 1: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR1; break;
		case 2: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR2; break;
		case 3: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR3; break;
		case 4: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR4; break;
		case 5: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR5; break;
		case 6: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR6; break;
		case 7: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR7; break;
		case 8: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR8; break;
		case 10: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR10; break;
		case 11: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR11; break;
		case 12: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR12; break;
		case 13: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR13; break;
		case 14: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR14; break;
		case 15: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR15; break;
		case 16: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR16; break;

	}

 

Vger

Share this post


Link to post
Share on other sites

Thanks Vger

 

I suspect the client want's it go through without the pending!!! But may not have a choice...

 

Andy.

 

 

Agh, I'm taking a guess that I know what is happening here. If someone enters their address as below then it will fail the comparison HSBC carries out between address and postcode:

 

Address 1: Red Brick Cottage

Address Line 2: 29 Brick Lane

 

whereas, if they enter it as below then it matches and the transaction goes through:

 

Address 1: 29 Brick Lane

 

The way around this is to make code 9 a pass and not a fail. Then, instead of the transaction failing, it will appear in your HSBC interface as 'Fraud Pending' and it is then up to you whether or not to proceed and Approve.

 

hsbc_return.php

 

if ($CpiResultsCode=='0')
	{
		tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL'));  }  if ($CpiResultsCode=='9')  {
		tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL',true));
	}

	$error=MODULE_PAYMENT_HSBC_TEXT_ERROR1;

	switch($CpiResultsCode)
	{
		case 1: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR1; break;
		case 2: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR2; break;
		case 3: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR3; break;
		case 4: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR4; break;
		case 5: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR5; break;
		case 6: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR6; break;
		case 7: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR7; break;
		case 8: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR8; break;
		case 10: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR10; break;
		case 11: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR11; break;
		case 12: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR12; break;
		case 13: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR13; break;
		case 14: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR14; break;
		case 15: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR15; break;
		case 16: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR16; break;

	}

 

Vger

Share this post


Link to post
Share on other sites

Vger,

I have now managed to obtain a new hash key from HSBC, however this module is STILL fialing, with CPIResultCode 10, which apparently means "invalid input data"

 

This is a clean install of the hsbc module I am using.

The path to the testhash.e file is fine, it appears to be creating a hash, but hsbc seem to be rejecting it.

 

I don't know whether this is an issue with the module itself, or hsbc. Please let me know what is wrong!

Share this post


Link to post
Share on other sites

When you get to checkout_confirmation.php do a 'View Source' in your Browser and look at what you are sending to HSBC - and in particular make sure that a session id is present.

 

Vger

Share this post


Link to post
Share on other sites
When you get to checkout_confirmation.php do a 'View Source' in your Browser and look at what you are sending to HSBC - and in particular make sure that a session id is present.

 

Vger

There is a session id being passed, and from what i can see, all the required data is being passed.

 

I will double check on Monday all of the names of the fields being passed

Share this post


Link to post
Share on other sites

Bounds checking

 

I Have just had a problem with customer not being able to get to the HSBC payment page.

 

The problem was that the city length was greater than 25 characters. osc allows 32 HSBC only allows 25, osc also by default allows 64 chars for address line 1, HSBC only allows 60 now(see new documentation CD).

 

This fix works for the city and a similar fix will work on address, it doesn't require any changes to the database or truncating of customer data. It will probably result in an error code 9 but you should be handling those already.

 

old code

 

'BillingCity'=>$order->billing['city'],

'ShippingCity'=>$order->delivery['city'],

 

new code

 

'BillingCity'=>substr($order->billing['city'],0,25),

'ShippingCity'=>substr($order->delivery['city'],0,25),

 

Has this been mentioned before in the forum?

 

Do we think it should be added to the code along with bounds checking for the other fields?

 

I will be happy to make the changes.

Share this post


Link to post
Share on other sites
HSBC only allows 60 now(see new documentation CD).

 

Address line 1 used to be 30 in old documentation.

 

file to modify is includes/modules/payment/hsbc.php

 

Back up and test before making changes...

Share this post


Link to post
Share on other sites
Has this been mentioned before in the forum?

 

Do we think it should be added to the code along with bounds checking for the other fields?

 

I will be happy to make the changes.

 

Not to my knowledge. Make the changes by all means.

 

Vger

Share this post


Link to post
Share on other sites

Hi

 

I have added Euros to my GBP merchant account I've had for the last couple of years - the mod that Jose helped my developer install way back then has been working fine.

 

The Euro's have been added to the same merchant number.

 

I just wanted to know if I need to do anything other than ensure the correct currency code is sent to the CPI (going from the OSC country ISO codes)?

 

HSBC have sent me a hash key but I'm not sure whether it's not a duplicate of the existing one.

 

Apologies in advance for the lack of technical knowledge but I like to know what's what before I ask someone to help me with it!

Share this post


Link to post
Share on other sites

Euros is one of the standard languages defined in the Secure ePayments module.

 

Vger

Share this post


Link to post
Share on other sites

Hi Vger.

 

Just started with the live HSBC module, and started to take a few valid transactions.

 

I've had a couple with a Fraudshield AVS Address Errors (Error 9).

 

Can I confirm that in : "Pending Error Codes", from the module, I need to just set enter a 9 here so the customer is not aware of the problem (i.e. and not 0, 9).

 

Thanks

 

 

 

Doni

Share this post


Link to post
Share on other sites

hsbc_return.php

if ($CpiResultsCode=='0')
{
tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL')); } if ($CpiResultsCode=='9') {
tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL',true));
}

$error=MODULE_PAYMENT_HSBC_TEXT_ERROR1;

switch($CpiResultsCode)
{
case 1: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR1; break;
case 2: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR2; break;
case 3: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR3; break;
case 4: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR4; break;
case 5: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR5; break;
case 6: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR6; break;
case 7: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR7; break;
case 8: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR8; break;
case 10: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR10; break;
case 11: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR11; break;
case 12: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR12; break;
case 13: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR13; break;
case 14: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR14; break;
case 15: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR15; break;
case 16: $error=MODULE_PAYMENT_HSBC_TEXT_ERROR16; break;

}

 

Vger

Share this post


Link to post
Share on other sites
Euros is one of the standard languages defined in the Secure ePayments module.

 

Vger

 

 

 

Thank you Vger :)

 

The problem I have is that my merchant account ID is the same number but ends in EUR instead of GBP.

 

The hash key is also different.

 

I know these can be edited in the admin section but then to be able to accept both GBP and Euros I'd need 2 x payment modules - one for GBP and one for EUR - nightmare!

 

Is there a way round this please anyone?

 

Many Thanks

 

Tom

Share this post


Link to post
Share on other sites

Tom,

 

The only way for you to acheive merchant account switching is by creating specific code to do this. The current HSBC module only allows for one merchant account.

 

It would be unpractical to have two modules.

 

The code would need to be placed in /modules/payment/hsbc.php, and would pick up the currency code and switch to the desired account.

 

This wouldn't be difficult for someone with a good knowledge of PHP/osCommerce/HSBC.

 

Regards

 

Neil Westlake

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0