Jump to content
Sign in to follow this  
freerangemum

HSBC secure-epayment module

Recommended Posts

thanks found cured.

 

Still one final problem. When the hsbc_return.php script executes after coming back from the CPI it retirects with the various bits to checkout_process.php which in turn seems to redirect to shopping_cart.php.. The problem seems to be at that point it screws up the path.. instead of redirecting to /secure/catalog/shopping_cart.php it goes to just /catalog/shopping_cart.php

 

Just to clear things up we have normal hosting on http://www.domain.com/catalog/ and ssl hosting of a copy of the directory on https://anotherdomain.com/secure/catalog and the relevent entries on our two copies of configure.php to clear up the ssl server and the ssl paths. The site works in every other respect (and all cart/account stuff happens on the secure side).

 

Anyone know WHERE that reference is so I can try and find out why it's redirecting to a 404? Once that's working I think I'll be finished. It's 01.34 am and i need sleep now.

 

AJ

Share this post


Link to post
Share on other sites

Ok. All is now working as far as I can see. I have one extra tip that some might find useful in future that does not seem to have been mentioned elsewhere on this forum :

 

Try to make sure that your directory structure is mirrored between the SSL side and the non SSL side. For exaple if your SSL is on

 

https://ssl-uk.com/secure/catalog/

 

make sure your non SSL catalogue is also in path

 

http://ww.your-site.co.uk/secure/catalog/

 

The final problem I had hinged around a failing redirect. My guess was that the redirect was operating using the non SSL path but applying it to the SSL side and therefore 404 erroring. Initially my non SSL catalog was on /catalog/ and not /secure/catalog/ ... Moving it and altering the various configs to point back solved it for me.

 

However - anyone reading this and contemplating HSBC as a payment provider would be WELL advised to look elsewhere. This has been a nightmare at each stage to integrate and quite how HSBC consider themselves a viable alternative to worldpay or netbanx or whoever is beyond me. For a start requiring a SSL server on the merchant's part seems to dissolve half the point of outsourcing payments..

 

Having said all that, even under adverse conditions it IS possible to get HSBC integrated; it's just far more hassle that it needs to be compared to some of the more popular (better) alternatives.

 

If anyone wants specific help relating to HSBC integration please private message me and I will do my best to help.

 

AJ

Share this post


Link to post
Share on other sites

Hi All

 

I thought I had this working perfectly after all the messing about a few weeks ago. Now it seems the Suburb line of the customers address isn't going through to the HSBC CPI database. This is causing occasional orders to be marked as fraudulent.

 

Has anybody else had this problem? Anyone got any idea how I can fix it? It's a bit of a problem to be working on a live site to try an fix something like this.

 

 

Another question is this. When a transaction is marked as fraudulent and you check it and approve it, is there any way the order can be submitted to the store so the customenr can see the order.

 

TIA

Tim

Share this post


Link to post
Share on other sites

Looking at the HSBC module it deliberately doesn't include suburb in the post to HSBC. The post is:

 

      $post_1=array(
                              'CpiDirectResultUrl'=>tep_href_link('checkout_process.php', '', 'SSL', false),
                              'CpiReturnUrl'=>tep_href_link('hsbc_return.php', '', 'SSL', false),
                              'OrderDesc'=>STORE_NAME . ' order',
                              'OrderId'=>$sequence,
                              'PurchaseAmount'=>preg_replace('/\./', '', $total),
                              'PurchaseCurrency'=>$currency_code,
                              'StorefrontId'=>MODULE_PAYMENT_HSBC_ID,
                              'TimeStamp'=>$time,
                              'TransactionType'=>'Auth',
                              'MerchantData'=>tep_session_id(),
                              'BillingAddress1'=>$order->billing['street_address'],          
                              'BillingCity'=>$order->billing['city'],          
                              //'BillingCountry'=>$order->billing['country']['title'],          
         'BillingCountry'=>$country_codes[$order->billing['country']['iso_code_2']],
                              'BillingCounty'=>$order->billing['state'],          
                              'BillingFirstName'=>$order->billing['firstname'],
                              'BillingLastName'=>$order->billing['lastname'],
                              'BillingPostal'=>$order->billing['postcode'],
                              'ShopperEmail'=>$order->customer['email_address'],
                              'ShippingAddress1'=>$order->delivery['street_address'],          
                              'ShippingCity'=>$order->delivery['city'],          
                              //'ShippingCountry'=>$order->delivery['country']['title'],          
         'ShippingCountry'=>$country_codes[$order->delivery['country']['iso_code_2']],          
                              'ShippingCounty'=>$order->delivery['state'],          
                              'ShippingFirstName'=>$order->delivery['firstname'],
                              'ShippingLastName'=>$order->delivery['lastname'],
                              'ShippingPostal'=>$order->delivery['postcode']
                              
         );

 

with no 'BillingAddress2' specified. Can I just add extra lines into this code like this?

 

                               'BillingAddress2'=>$order->billing['suburb'],          
                              'ShippingAddress2'=>$order->delivery['suburb'],          

 

Will that work OK or will it mess up if the suburb is empty? Any advice appreciated, especially if someone can test this on a test CPI. Mine is live now.

 

Thanks

Tim

Share this post


Link to post
Share on other sites

Update to the above problem:

 

I have added the lines I mentioned above to the HSBC post and it seems to work now. The second line of the address goes through to HSBC and appears in the payment and shipping details. I haven't processed an order to completion this way but it seems to be OK.

 

The post section of hsbc.php now looks like this:

      $post_1=array(
                              'CpiDirectResultUrl'=>tep_href_link('checkout_process.php', '', 'SSL', false),
                              'CpiReturnUrl'=>tep_href_link('hsbc_return.php', '', 'SSL', false),
                              'OrderDesc'=>STORE_NAME . ' order',
                              'OrderId'=>$sequence,
                              'PurchaseAmount'=>preg_replace('/\./', '', $total),
                              'PurchaseCurrency'=>$currency_code,
                              'StorefrontId'=>MODULE_PAYMENT_HSBC_ID,
                              'TimeStamp'=>$time,
                              'TransactionType'=>'Auth',
                              'MerchantData'=>tep_session_id()
                              ,
                              'BillingAddress1'=>$order->billing['street_address'],          
                              'BillingAddress2'=>$order->billing['suburb'],          
                              'BillingCity'=>$order->billing['city'],          
                              //'BillingCountry'=>$order->billing['country']['title'],          
         'BillingCountry'=>$country_codes[$order->billing['country']['iso_code_2']],
                              'BillingCounty'=>$order->billing['state'],          
                              'BillingFirstName'=>$order->billing['firstname'],
                              'BillingLastName'=>$order->billing['lastname'],
                              'BillingPostal'=>$order->billing['postcode'],
                              'ShopperEmail'=>$order->customer['email_address'],
                              'ShippingAddress1'=>$order->delivery['street_address'],          
                              'ShippingAddress2'=>$order->delivery['suburb'],          
                              'ShippingCity'=>$order->delivery['city'],          
                              //'ShippingCountry'=>$order->delivery['country']['title'],          
         'ShippingCountry'=>$country_codes[$order->delivery['country']['iso_code_2']],          
                              'ShippingCounty'=>$order->delivery['state'],          
                              'ShippingFirstName'=>$order->delivery['firstname'],
                              'ShippingLastName'=>$order->delivery['lastname'],
                              'ShippingPostal'=>$order->delivery['postcode']
                              
         );

 

Panic over....

 

Tim

Share this post


Link to post
Share on other sites

Hello tlelliott77,

 

I am trying to integrate HSBC in my site. I am willing to send billing information along with the required information. But I am getting CpiResultCode=10 ie invalid data input. I am using actual existing address of UK. On the contrary when I exclude the billing address my HSBC integration works well. Following is my code which I used for billing address:

 

<input type="hidden" name="BillingAddress1" value="Falcon Drive">

<input type="hidden" name="BillingCity" value="Cardiff Bay">

<input type="hidden" name="BillingCountry" value="826">

<input type="hidden" name="BillingCounty" value="Cardiff">

<input type="hidden" name="BillingFirstName" value="fname">

<input type="hidden" name="BillingLastName" value="lname">

<input type="hidden" name="BillingPostal" value="CF10 4RU">

<input type="ehidden" name="ShopperEmail" value="email@email.com">

 

I am in testing mode.

 

Any suggestions on this one will be highly appreciable.

 

Thanks

Share this post


Link to post
Share on other sites

does anyone have a solution for the problem raiesd by ribs regarding the users closing there browser before returning to your site and so checkout_process.php not being called ?

Share this post


Link to post
Share on other sites

Anurag

 

I don't really know what you mean. The billing address gets sent to the CPI if you use the HSBC module

 

The code I posted earlier for $post_1=array includes both shipping and billing address.

 

 

Danthemanheaver

 

I don't know of any solution, although I feel a rewrite of the mod would be benificial to deal with this problem, and also the problem of orders that get postponed for verification (review) not getting registered as orders by osCommerce.

 

What would be nice would be for an order to be created in osCommerce before it gets sent to HSBC. This order would have some kind of flag to mark it as awaiting confirmation.

 

It could then be confirmed either by:

- the HSBC CPI results (which would update the order details)

- manually in admin by the store owner if he confirmed that the payment was received but the customer closed down the browser before hsbc-return.php was called

- manually in admin by the store owner if he confirmed that the problem with address verification was sorted.

 

What does anyone else think of the idea?

 

Unfortunately I'm nowhere near capable of updating he mod so will have to make do with my current solution which involves using a manual order entry mod to enter any orders that are registered in HSBC but not in OSC.

 

Regards

Tim

Share this post


Link to post
Share on other sites

Hiya Guys,

 

So the problems continue!!

 

I agree Tim that this mod does need some pretty serious rewriting. Unfortunatley my main gripe is with the HSBC side of things rather than the OScommerce setup.

 

I am getting between 2 and 5 orders a day currently, and being a gift shop I am hoping this figure will rise dramatically later in the year. Still, about 1 in 8 order attempts are simply not working due to people not being able to access the HSBC site. I have been quite lucky in that customers have contacted me by email or phone to complete their payment but they should not have to do this!! It is very unprofessional and just keeps me thinking about how many orders I am losing/going to lose.

 

It strikes me that HSBC have just gone too far ahead with security and fraud prevention. This may sound strange as it should be in our interest but I would rather they left some of the decisions to me. Letting me know that an order is in review state because the shipping address is different to the Billing address is fine, letting the customer know is not necassary and as we all know prevents OScommerce from completing the order!! Currently I have got around this by simply changing any return error codes to a success status and pointing the browser to checkout success. Of course this means the order goes through no matter what, even if the customer wants to back out and presses the cancel button, far from satisfactory but in my view better than taking a customers money and then having to contact him to ask what his order was for!!! Very embarrassing.

 

Even more serious is the fact that IE 5 has big problems connecting with HSBC. I know, I am using it. Firstly, IE5 users have to visit the Windows site to upgrade their browsers to 128bit encryption but even then, my first attempt to connect as a customer allways fails. I know I have to hit the back button on my browser and then it will connect second time round but other customers aint gonna know this!! How other browsers work with it I dont yet know, but I do know that I still have several customers who have failed to connect even on IE6 - the reasons for this I dont know. What I do know is that it is hard enought to attract customers and even harder to get them to part with their hard earned cash - any obstacles in the way of this will soon send them elsewhere!!

 

Now that the site is live, and not being a programmer makes playing with this a little difficult at the moment. Still, I will have to find the time to try and improve things, hopefully sooner rather than later and will try and get some info from HSBC with regards to browser compatibility.

 

I am going to give it a bit more time as I do like the idea of having the HSBC image integrated into the site but if I continue to have problems with payments I will have no choice but to look elsewhere. This is my buisiness and losing customers is just not an option.

 

In summary, at present I can only reiterate what many others have said on this forum about the HSBC setup, if you aint started, think very seriously about other options first.

 

 

Oh yeah, I meant to ask about the problem of closing the browser. I dont get this as once the customer accepts the HSBC confirmation, the HSBC send the second post results which should confirm the order without the need for the customer to return to your site. The problem I have is, as stated above, when the transaction is placed into a review state. Usually caused by a different shipping address but also sometimes due to a correct address being entered in an unrecognised format, ie. the customer placing their details in the wrong order/boxes. As far as I am concerned these orders need to be accepted and reviewed later but HSBC dont see it that way and send an error for a return code which OScommerce just dont like.

 

Right, gotta go for now. Sorry for rambling but there are a lot of issues here that do need clearing up somehow. There seems to be alot of us that are having problems we just dont need and could avoid by simply changing payment processors.

 

Cheers for now,

Richard


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hmm well i've not seen this latest problem appear (YET) in my installation. However now I know about it I will keep an eye. It looks like tim's solution will sort the problem out for now though I think...

 

A.

Share this post


Link to post
Share on other sites

I agree, HSBC don't really seem to have bothered to have thought about browser compatibility when they wrote their CPI. I suppose they decided to make it as secure as possible, which means older browsers simply won't work.

 

I guess this is a good thing but it would be nice if they had told me before I decided to use them, and even nicer if they had a list of incompatible browsers on the first page of a transaction so that a user could immediately see what was happening and why.

 

On the point of fraud errors, the solution I just posted might fix a few of these as the suburb line was not being transmitted to HSBC. IIt would however be better to register the order before going to HSBC and then confirming it or denying it on return. This would mean the customer never sees a difference between a normal order and one that needs verification, but on the admin side you woul dsee the differnce and act accordingly.

 

Again, like I said before, I'm no php expert but I will have a go at getting this started. I'd appreciate any suggestions and advice straight away.

 

One potential problem I foresee is identifying the order on return from HSBC. I suppose I will need to identify by customer name and by products ordered somehow.

 

If I added an extra field to the orders table for "confirmation status" what values should it have?

confirmed

before_hsbc

fraud

Any others?

 

I might be taking on a bigger task than I can manage here so apologies in advance if I can't produce it.

 

Neil Westlake, how many changes have you made to the mod. Do you already have solutions to any of the problems?

 

Wish me luck

Tim

Share this post


Link to post
Share on other sites

Tim,

 

Again, the programming is pretty much over the top of my head, I am a copy and paste merchant. However, as far as I can tell, the key is in the Post from the HSBC back to OScommerce. This occurs as soon as the transaction is confirmed on the HSBC site and before the customer is returned to your site. I may well be wrong as its been a little while since I looked at all this in depth but I would think that this second Post should contain the customer id and hence all you need to identify the customer and their order details.

 

Just a quick thought, I havent really followed this through yet, but would you not be better off not worrying about the order status prior to the transfer to HSBC, but looking more at the results code sent back from them. The current mod seems to process the order if the result code = 0, but reject it if it has any other value. I am thinking it may be possible to just point OScommerce in a different direction depending on the result code, ie if the result is "placed in review state", OScommerce just takes it as a success. This result can of course be checked at a later stage by the store owner.

 

Apologies is I am miles from the mark, I am currently at home with the wife, kid and half laid patio!!! Will try and spend a bit more time looking at it later in the week.

 

Best of Luck anyhow, think your gonna need it,

 

Richard.


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hello,

 

Richandzhaoyan is 100% right, the order is stored in oscommerce in a "hidden" post from HSBC to the shop, so the order is stored even the user closes the browser after the payment is done. If it doesn't work for you, check your setup and the modifications you have done to the module because I can guarantee 100% that works that way.

 

Regarding the module, I have performed several modifications I plan to publish soon, also I have made some modifications for a customer to allow him choose which error codes are treated as "pending" orders, that means the order will be stored even if the error code is <> 0.

 

My plan is to release an updated version in 1/2 weeks.

 

Regards.

Share this post


Link to post
Share on other sites

Jose

 

In that case there is no need for me to make an attempt at writing an updated module (which would probably have been a failure anyway).

 

My setup does store the order if the browser is closed on the HSBC conformation page, but for me it doesn't seem to do so if HSBC flags the order as possible fraud.

 

But like you said, maybe I could easily change that to intepret a fraud failure as an order, but mark it as pending.

 

Look forward to the updated release.

Tim

Share this post


Link to post
Share on other sites

Hiya Jose,

 

Gotta tell you thats the best news I have heard in ages.

 

I know alot of people appreciate the work you have done on this mod already and to have an improved version would be just great.

 

Thanks in advance,

Richard


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hello tlelliott77,

 

The code you had posted earlier includes both shipping and billing address, I used that too, but returned with the same error ie CpiResultsCode=10 ie invalid data input. I am not getting any one reason why the code does not return CpiResultsCode=0 whenever I am sending billing and shipping information to HSBC via CPI post. On the contrary when I exclude the billing and shipping information (ie when I does not send the billing and shipping information but I am sending the other required fields like returnurl,userid etc), HSBC returns CpiResultsCode=0 to me ie successfull transaction.

 

Do I need to update any settings in the HSBC administrator panel or some code is to be included into my script?

 

Waiting for your reply.

 

Thanks

Share this post


Link to post
Share on other sites

Hello,

Thanks must go to Lynda Howard, she paid me to develop the module and allowed me to make it public ;-)

 

Also I must thank all the people that has hired me to install and customize the module, I have got a nice revenue from that, so I think is fair to update the module and release it again.

 

Regards.

Share this post


Link to post
Share on other sites

Anurag

 

Don't know what your problem is. I'm no expert on php or this module. I think when I had result code of 10 it was because my Client ID was entered incorrectly, but that doesn't seem to be the case with you.

 

All I can suggest is reading through this thread and finding someone else who had similar problems and then PMing them.

 

Good luck

Tim

Share this post


Link to post
Share on other sites

Hi all

 

I got an order today which didn't get through the HSBC net. In the HSBC CPI the order appeared like this:

 

Void  Transaction ID  Type  Status  Authorized Date  Amount 

 

  40xxxxxx-40b7-xxxx-xxxx-xxxxbaxyyyyyy  Sale  Approved  10/05/04 22:01  ?36.50 

 

  40xxxxxx-40b7-xxxx-xxxx-xxxxbxyyyyyy  PreAuth  Fraud Pending  10/05/04 22:01  ?36.50 

 

But the return post had not instructed OSC to create a new order.

 

Jose, I guess your new mod cope with this sort of situation. Any idea how soon it will be available?

 

For the time being should I just change my hsbc_return.php file so that it accepts an order with CpiResultsCode == 9?

 

Would that allow me to go in and verify these orders?

 

Thanks

 

Tim

Share this post


Link to post
Share on other sites

Hi

 

I'm very new to all this and have been asked to

connect a php site into the hsbc cpi, I've downloaded

the mod, but am unsure how to install etc,

if someone here could send me an abc to this

i'd be grateful

 

thanks

Share this post


Link to post
Share on other sites

Can anyone offer some advice on whats happening here ?

 

ive go the payment module configured and i go to the checkout and all goes well untill i post to hsbc

 

the response i get back from the cpi servlet is 'the transaction failed due to invalid data' ?

 

the post and data look fine to me .....

 

<form name="checkout_confirmation" action="https://www.cpi.hsbc.com/servlet" method="post">   
<br>  
<input type="hidden" name="CpiDirectResultUrl" value="https://www.thehardwareworks.co.uk/catalog/checkout_process.php">
<input type="hidden" name="CpiReturnUrl" value="https://www.thehardwareworks.co.uk/catalog/hsbc_return.php">
<input type="hidden" name="OrderDesc" value="The Hardware Works order">
<input type="hidden" name="OrderId" value="04134-093124156">
<input type="hidden" name="PurchaseAmount" value="1814">
<input type="hidden" name="PurchaseCurrency" value="826">
<input type="hidden" name="StorefrontId" value="UKxxxxxxxxGBP">
<input type="hidden" name="TimeStamp" value="1084566684000">
<input type="hidden" name="TransactionType" value="Auth">
<input type="hidden" name="MerchantData" value="286b03ed38640b8c9a1d844ddd4b6821">
<input type="hidden" name="Mode" value="P">
<input type="hidden" name="OrderHash" value="yjgF+GlhDfFpLR9IIpPUGeqTZiQ=">
<input type="image" src="includes/languages/english/images/buttons/button_confirm_order.gif" border="0" alt="Confirm Order" title=" Confirm Order ">
</form>

 

I've taken out the shipping and billing info, so thats obviously not the problem, and the c code is generating a hash sucessfully as shown above.

 

My real nagging fear is that HSBC may have supplied a duff hash key, if that is so getting them to admit could be awkward I guess.

 

Every time I ask them to check the hash key, they only seem to check against what there record of the hash key should be, rather than the validity of the supplied hash key itself.

 

i.e. If they supply a dodgy key obviously no amount of tinkering will make your're site work :o

 

I've been go bakc and forth to HSBC all this week and all they can say is that something in the data must be wrong, but they cannot identify anything that is currently wrong with the data I'm passing over...which is why I'm questing how often they supply dodgy hash keys.

 

One person on this board has complained of having a bad key, has anyone else suffered this fate or was that a one off ?


Andrew McDonald

w: http://www.webguru.uk.net

Share this post


Link to post
Share on other sites

Hello,

To check whether a hash key is valid or not, you must use the TestHash program, there are two versions, the C one and the Java one, if you use them with the same input data and get different result values, then the Hash key provided by HSBC is a duff one, 100% guaranteed.

 

They use the Java version in their servers, I supose there is a problem with the C library and some hash keys.

 

Regards.

Share this post


Link to post
Share on other sites

Running the test hash program I get:

ERROR: You must store your SharedSecret in local file ss.txt.

 

I don't even get the chance to generate a hash key, so its not looking promising.

 

Anyone know what the 'SharedSecret' is ?


Andrew McDonald

w: http://www.webguru.uk.net

Share this post


Link to post
Share on other sites

Andrew, are you developing for yourself or a customer? HSBC will have supplied a 'securesecret' to the account holder which should be saved as a .txt file in your cgi bin. If you have that in place & still suspect you have a duff key, insist on their changing it. From my experience they only check it in Java & not C, as Jos? says, so even if they say its ok it could be duff. Stamp your feet a bit if you have to, after all YOU are paying THEM!


I've had 3 children.........how hard can this be???

Share this post


Link to post
Share on other sites

If I look at the server logs when I try and process a live transaction, I am gettting no errors on the server, just HSBC returning an error 10 code and they are unable to explain where the data is invalid that they're receving

 

If I run the windows testhash.exe locally it generates the same hash key repeatedly, but to get it to work I need to create a ss.txt file containing my client ID

 

So I'm completely stumped..I've checked both the data, and the variable names being passed to hsbc, and everything is the correct case with seemingly valid data being submitted

 

I'v even stripped out the shipping info to help with debugging they're end, but they can't tell me whats wrong with the data being submitted.


Andrew McDonald

w: http://www.webguru.uk.net

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×