AuthorizeNet - Real-time Credit Card Payment Processing

The integration of Authorize.Net real-time payment processing in WebStore is designed for use by programmers or developers knowledgeable in Perl, CGI, and SSL.

WebStore supports credit card and electronic check authorization requests using Authorize.Net's Automated Direct Connect (ADC) method. Submitted transaction requests are sent using a client side SSL connection to Authorize.Net's gateway server.

You must obtain a merchant account from an Authorize.Net agent for processing credit card transactions using the WebStore shopping cart/cash register application.

WebStore handles authorization requests and responses only. To view the status and history of transactions, use Authorize.Net's Merchant Manager.

Index

Authorizing and Processing Transactions

WebStore supports credit card and electronic check authorization requests for transactions.

Credit Cards:

You must have a merchant account to process credit card payments. A merchant account may be obtained from an Authorize.Net agent.

Four points in processing credit card payments:

WebStore application on the merchant's web site Authorize.Net Gateway Server Merchant account processing center Cardholder's financial institution

Credit card payment process:

The WebStore order form on the merchant's web site collects the customer's billing address, shipping address, payment information, etc. This information is converted to an authorization request and sent to the Authorize.Net Gateway. The gateway sends the request to the merchant account processing center. The processing center contacts the cardholder's financial institution to obtain authorization for the payment. The financial institution sends an authorization response (authorized, declined, or referred) which is returned to all previous points in the process. WebStore informs the customer of the outcome. If the transaction is authorized, the order is accepted. If the transaction is not authorized, the customer must provide another payment method for the order.

Electronic Checks:

To process electronic checks, you must add eCheck.Net services to the merchant account you obtained from an Authorize.Net agent.

Four points in processing electronic check payments:

WebStore application on the merchant's web site Authorize.Net Gateway Server e-Check processing center Check writer's financial institution

Electronic check payment process:

The WebStore order form on the merchant's web site collects the customer's billing address, shipping address, payment information, etc. This information is converted to an authorization request and sent to the Authorize.Net Gateway. The gateway sends the request to the e-Check processing center. The e-Check processing center contacts the check writer's financial institution to verify the checking account is valid obtain authorization for the payment. The financial institution sends an authorization response (authorized or declined) which is returned to all previous points in the process. WebStore informs the customer of the outcome. If the transaction is authorized, the order is accepted. If the transaction is not authorized, the customer must provide another payment method for the order.

Index

Authorize.Net Installation and Configuration

WebStore requires the following in order to process real-time payment transactions with the Authorize.Net Gateway:

An Internet merchant account obtained from an Authorize.Net agent System requirements: Perl 5.005+ Telnet access if installing Perl modules and OpenSSL An SSL (Secure Socket Layer) implementation consisting of: Net::SSLeay 1.05 Perl module - download entire Net::SSLeay module now openssl-0.9.5 or openssl-0.9.6 c library Digest::MD5 Perl module - download entire Digest::MD5 module now WebStore's store setup file configured for Authorize.Net WebStore's merchant configuration file for Authorize.Net contains merchant account details

RDC Software does not redistribute SSL products (openssl) or Perl modules. It is the responsibility of the user to set up an SSL implementation on their server.

Index

Net::SSLeay and OpenSSL:

Authorization requests to the Authorize.Net gateway hub must be sent using the https protocol, ensuring private information is transferred securely. The SSL implementation used by WebStore to accomplish this is Net::SSLeay, the Perl extension for using OpenSSL.

WebStore has been tested using Net::SSLeay 1.05 with openssl-0.9.5 and openssl-0.9.6.

Download Net::SSLeay 1.05 from CPAN (Comprehensive Perl Archive Network):

Net::SSLeay 1.05 Perl module page

Download the following files:

Net_SSLeay.pm-1.05.README

Net_SSLeay.pm-1.05.tar.gz

Download the entire Net::SSLeay Perl module now

Download openssl-0.9.6.tar.gz from http://www.openssl.org.

Prior to installing OpenSSL or Net::SSLeay, review the following files:

OpenSSL	README INSTALL LICENSE
Net::SSLeay	README

Index

Install OpenSSL:

If your server already has openssl installed, skip the installation of openssl and install Net::SSLeay.

Review the INSTALL, README, and LICENSE files prior to installing OpenSSL.

Install the openssl c library you downloaded from http://www.openssl.org first.
Net::SSLeay will not install if openssl can not be located on your server.

After transferring openssl-0.9.6.tar.gz to your server, telnet to your account and extract it:

tar xvzpf openssl-0.9.6.tar.gz    (GNU tar)
-OR-
gunzip openssl-0.9.6.tar.gz
tar xvf openssl-0.9.6.tar

All files are stored under the openssl-0.9.6 directory.

If you are installing openssl in a location other than /usr/local/ssl (a user's domain, etc.) the following command will install files under /PATH/TO/ssl:

./config --prefix=/PATH/TO/ssl --openssldir=/PATH/TO/ssl/openssl

/PATH/TO may be the UNIX path to a user's domain root.

Complete the installation of openssl by issuing the following commands:

make
make test
make install

Index

Install Net::SSLeay:

Review the README file prior to installing Net::SSLeay.

After transferring Net_SSLeay.pm-1.05.tar.gz to your server, telnet to your account and extract it:

tar xvzpf Net_SSLeay.pm-1.05.tar.gz    (GNU tar)
-OR-
gunzip Net_SSLeay.pm-1.05.tar.gz
tar xvf Net_SSLeay.pm-1.05.tar

All files are stored under the Net_SSLeay.pm-1.05 directory.

If you are installing Net::SSLeay under a user's domain and openssl has been installed in a location other than /usr/local/ssl, edit LINE 14 in Makefile.PL prior to the installation of Net::SSLeay:

Original Code:  $openssl_path = shift || '/usr/local/ssl';
Change to:      $openssl_path = '/PATH/TO/ssl';

/PATH/TO equals the UNIX path to the domain's root.

After modifying Makefile.PL, issue the following commands:

perl Makefile.PL PREFIX=/PATH/TO/perl
make
make test
make install

This will install Net::SSLeay under /PATH/TO/perl.

Add the appropriate use lib statement to WebStore's global setup file, ws_global.setup:

use lib '/PATH/TO/perl/lib/site_perl/5.6.0';
use lib '/PATH/TO/perl/lib/site_perl/5.6.0/i686-linux';

Library paths will differ between operating systems and Perl versions.

Another use lib example:

use lib '/PATH/TO/perl/lib/site_perl/5.005';

Index

Install Digest::MD5

Review the README file prior to installing Digest::MD5.

After transferring Digest-MD5-2.12.tar.gz to your server, telnet to your account and extract it:

tar xvzpf Digest-MD5-2.12.tar.gz    (GNU tar)
-OR-
gunzip Digest-MD5-2.12.tar.gz
tar xvf Digest-MD5-2.12.tar

All files are stored under the Digest-MD5-2.12 directory.

If you are installing Digest::MD5 under a user's domain, cd to the Digest-MD5-2.12 directory and issue the following commands:

perl Makefile.PL PREFIX=/PATH/TO/perl
make
make test
make install

This will install Digest::MD5 under /PATH/TO/perl.

Index

Configure WebStore's setup file for Authorize.Net

Variables listed in this section are located in WebStore's setup file, /Web_store/Databases/outlet.setup.

The variables shown below are configured for Authorize.Net.

$merchant_file = 'merchant.authorizenet.cfg';

$merchant_file is the merchant configuration file for the real-time payment processor you are using.

The processor name must be included in the merchant configuration filename. For example, AuthorizeNet must be included as part of the filename for the Authorize.Net merchant configuration file, merchant.authorizenet.cfg. The processor name is case insensitive in the merchant configuration filename.

Merchant configuration files are located in the /Library sub-directory.

Protect your merchant file from viewing:

Move the /Library sub-directoy to an area which can not be accessed using a web browser or place the /Library sub-directoy under HTACCESS. Rename the /Library sub-directoy defined in $libr_directory in WebStore's global setup file, ws_global.setup. Rename the merchant file. Store the merchant file under a sub-directory: Create a directory under the /Library sub-directory Store the merchant file under the newly created sub-directory Set $merchant_file = 'sub-directory/merchant.xxxx.cfg';

Modify the variables in the merchant configuration file you are using. Variables included in the configuration file are your merchant ID, merchant password, etc.

Setting $merchant_file = '' disables real-time payment processing.

$merchant_file is disabled in the WebStore distributions.

%form_files = ( # KEYS zero one '10' => ['OrderForm.AuthorizeNet.CreditCard.setup', 'Credit Card'], '11' => ['OrderForm.AuthorizeNet.Check.setup', 'Personal Check - US citizens'], '12' => ['Demo.OrderForm.AuthorizeNet.CreditCard.setup', 'AuthorizeNet Demo: Credit Card'], ); # DO NOT REMOVE - terminates %form_files

%form_files is a hash of arrays listing WebStore order form setup files.

Element zero of each array lists an order form's filename in the /Databases sub-directory. WebStore adds .setup to the filename listed in element zero if the filename does not end in .setup.

Element one is the order form's descriptive label.

Order forms stored under $form_files{10} and $form_files{11} are configured for live order transactions with Authorize.Net.

The order form stored under $form_files{12} is configured for test credit card transactions with Authorize.Net. Additional form fields exist on this form for enabling diagnostic features built into the WebStore application software and WebStore's program library for Authorize.Net.

$form_files{12}, the test form file array, should be commented out or removed from %form_files after your Authorize.Net configuration has been fully tested. If you do not accept payment by check, comment out or remove $form_files{11} as well.

WebStore sorts the arrays in %form_files by their KEYS, in ascending order. The array with the least significant KEY becomes the default order form printed by WebStore when no payment method is selected by the client. $form_files{10} is the default order form in the WebStore distributions.

Index

Configure WebStore's merchant file for Authorize.Net

Variables listed in this section are located in the Authorize.Net merchant configuration file, /Web_store/Library/merchant.authorizenet.cfg. Protect your merchant configuration file from hackers.

Variables in the merchant configuration file may be disabled by leaving the variable's value blank, commenting out a variable, or removing the variable from the configuration file.

Variable names and values must be on the same line, separated by a single space.

Comment lines begin with a # (pound sign). The # (pound sign) can not used in a variable's value.

Comment lines and blank lines are bypassed in this file.

Trailing comments on variable lines are truncated at the first # (pound sign), removing all trailing whitespace from the variable's value.

The variable values shown below (in blue) are configured for Authorize.Net test transactions.

x_Login testing

x_Login is the Authorize.Net merchant login ID.

x_Password password

x_Password is the Authorize.Net merchant login password.

x_Type AUTH_CAPTURE # AUTH_CAPTURE or AUTH_ONLY

x_Type is the type of transaction Authorize.Net is to perform.

Valid values for x_Type are:

AUTH_CAPTURE - Authorization w/ Auto Capture
AUTH_ONLY    - Authorize Only

x_Type defaults to AUTH_CAPTURE when the value assigned to x_Type does not equal AUTH_CAPTURE or AUTH_ONLY.

x_MD5

The value assigned to x_MD5 must be equal to the value of the ADC secret key stored in the General ADC Settings section of your merchant account at Authorize.Net.

When using MD5 validation, WebStore creates the MD5 checksum using the following values in the sequence shown:

x_MD5 + x_Login + x_Trans_ID + x_Amount

The MD5 checksum computed by WebStore is checked against the MD5 checksum received from Authorize.Net.

When MD5 validation fails, WebStore adds the following MD5 Checksum Error message to the bottom of the Processing Server section of the administrative order e-mail:

MD5 Checksum Error:  Received MD5 does not match Computed MD5

    Received MD5:  0EB499A5A6C3038573B6E757C1DEFAE3
    Computed MD5:  3BB3D4DAA63D5695E97B85D354D89CA8

    Verify the ADC key stored in x_MD5 in your merchant configuration file
    matches the ADC secret key in the General ADC Settings section of your
    merchant account at secure.authorize.net.

WebStore will not prevent an authorization from being processed due to an MD5 checksum error. WebStore merely reports the error as shown above. It is the responsibility of the user to determine why an MD5 checksum error was received.

Setting the value of x_MD5 to blank disables MD5 validation.

x_Email_Customer FALSE # TRUE or FALSE

Setting x_Email_Customer to TRUE will e-mail a sales receipt created by the Authorize.Net system to the client. WebStore disables sending it's client sales receipt.

Setting x_Email_Customer to blank or FALSE disables sending a sales receipt e-mail to the client from Authorize.Net. WebStore sends it's sales receipt to the client.

x_Email_Customer defaults to blank when x_Email_Customer does not equal TRUE or FALSE.

x_Email_Merchant FALSE # TRUE or FALSE

Setting x_Email_Merchant to blank or TRUE will e-mail a transaction receipt created by the Authorize.Net system to all contact e-mail addresses which have been configured to receive transaction receipts.

Contact e-mail addresses are stored in the Manage Contact Information section of your merchant account at Authorize.Net.

Setting x_Email_Merchant to FALSE disables sending transaction receipt e-mails created by the Authorize.Net system to the contact e-mail addresses.

Regardless of the value of x_Email_Merchant, WebStore always e-mails detailed order receipts to the store administrator.

x_Email_Merchant defaults to blank when x_Email_Merchant does not equal TRUE or FALSE.

Index

WSAuthorizeNet.pl - Configured ADC Direct Response Settings

Variables listed below are located in the DEFINE VARIABLES section of the Authorize.Net program library, /Web_store/Library/WSAuthorizeNet.pl.

The variable values shown below are pre-set in the distibutions of WebStore and should not require modification by the user.

$merchant_log = 'AuthorizeNet.log';

$merchant_log is the file used to store transaction status messages, located in the /Web_store/Logs directory.

Non-test values for credit card number and merchant login id stored in the log file are replaced with * (asterisks). Values for merchant password are always replaced with * (asterisks).

Setting $merchant_log = '' disables the log file routine.

$merchant_log_size = '100000'; (log file size = 100K)

$merchant_log_size equals the maximum size of the merchant log file before overwrite occurs.

Setting $merchant_log_size = '' disables overwrite of the merchant log file. You must manually delete the merchant log file.

$pr_type = 'https'; $pr_host = 'secure.authorize.net'; $pr_path = '/gateway/transact.dll'; $pr_port = '443';

Authorize.Net gateway system

Transaction URL = https://secure.authorize.net/gateway/transact.dll

$pr_login_test = 'testing'; $pr_password_test = 'password';

Authorize.Net test login and password.

The value of $pr_login_test is also used to determine when to hide the merchant's login ID present in the merchant configuration file.

Required Authorize.Net form values

The following required Authorize.Net form names and values are hard coded in WSAuthorizeNet.pl:


x_ADC_Delim_Character        |         (pipe character)
x_ADC_Delim_Data             TRUE
x_ADC_URL                    FALSE
x_Version                    3.0

x_ADC_Encapsulate_Character  disabled  (not used)

Form names associated with Authorize.Net's WebLink and ADC Relay Response integration methods are disabled in WSAuthorizeNet.pl.

Index

Authorize.Net form values supplied by WebStore

Values for the following Authorize.Net form names are supplied by variables found in WebStore's setup file, outlet.setup:

x_Header_Email_Receipt

Text sent in x_Header_Email_Receipt will display at the top of the client e-mail receipt.

Store this text in $pre_client_msg in outlet.setup.

x_Footer_Email_Receipt

Text sent in x_Footer_Email_Receipt will display at the bottom of the client e-mail receipt.

Store this text in $app_client_msg in outlet.setup.

Default values are supplied for each of the Authorize.Net form names above in the distributions of WebStore.

Index

ADC Direct Response Settings at Authorize.Net

The form elements below are a duplication of the form elements present in the Automated Direct Connect (ADC) Settings section of an Authorize.Net merchant account.

ADC Direct Response Settings

Set Delimited Response, Default Field Separator, and Default Field Encapsulation Character to the values shown. The values shown are hard coded in WSAuthorizeNet.pl.

Delimited Response

Default Field Separator

Default Field Encapsulation Character

General ADC Settings

The ADC Secret is the private key used in the creation of the MD5 Hash field included in all ADC responses. The value assigned to ADC Secret must also be stored in x_MD5 in WebStore's merchant configuration file for Authorize.Net, merchant.authorizenet.cfg.

Current Secret (case-sensitive)

New Secret (case-sensitive)

Retype New Secret

Related Settings

Set Require Password to YES if ALL TRANSACTIONS are to be submitted via ADC Direct Response and/or Virtual Terminal and/or Batch Uploads. Store the merchant password in x_Password in WebStore's merchant configuration file for Authorize.Net, merchant.authorizenet.cfg.

Require Password for ALL Transactions

Index

Sending Test Authorization Requests

Before sending live transaction requests through the Authorize.Net system, you should send a few test transactions.

The Authorize.Net merchant configuration file, /Library/merchant.authorizenet.cfg, is pre-configured with a test merchant ID and password for connecting to Authorize.Net.

Testing the Authorize.Net system allows you to verify your requests are sent correctly and allows you to verify the responses are handled correctly by WebStore. Make sure all required fields contain values when you send the test authorizations.

Use the values shown below for submitting test credit card authorizations:

Visa credit card Credit card number 4222222222222 Valid expiration month and year

Demo.OrderForm.AuthorizeNet.CreditCard.setup is a pre-configured order form setup file distributed with WebStore for submitting credit card test transaction requests to the Authorize.Net server. With exception of the year field, the form values listed above are included in this order form setup file.

The Test Amount field on this order form may be used for submitting order totals which correspond to Authorize.Net's Response Reason Codes. The Authorize.Net system will return the Response Reason Text associated with the submitted Response Reason Code.

Setting the Test Request field on this order form to TRUE will cause the Authorize.Net system to send a copy of it's transaction receipt and customer receipt to the e-mail address submitted on the form.

Setting Test Request to blank or FALSE disables sending e-mail copies of Authorize.Net's transaction receipt and customer receipt.

Turning on Diagnostic Mode will print additional program information at the bottom of the order form and at the bottom of the Confirmation of Order page.

Index

Sending Live Authorization Requests

After testing your WebStore's configuration by sending test transaction requests through the Authorize.Net gateway server, switch to actual requests by changing the following values in the AuthorizeNet merchant file, merchant.authorizenet.cfg:

x_Login
Change the value of x_Login to the merchant ID number you received when you established your Authorize.Net account.
x_Password
Change the value of x_Password to the merchant password you received when you established your Authorize.Net account.

Index

OpenSSL:

WebStore real-time payment processing uses software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. RDC Software strongly recommends that users fully understand the laws and regulations relating to encryption and the Internet. THE IMPORT/EXPORT OR USE OF STRONG CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. YOU ARE ADVISED TO PAY CLOSE ATTENTION TO ANY IMPORT/EXPORT OR USE LAWS WHICH APPLY TO YOU. RDC SOFTWARE IS NOT LIABLE FOR ANY VIOLATION OF LAW YOU MAKE WITH RESPECT TO THE IMPORT/EXPORT OR USE OF STRONG CRYPTOGRAPHY SOFTWARE. IT IS YOUR RESPONSIBILITY.

Top of Page

Previous \| Next	Main Index: Frames \| No Frames
Document: Frames \| No Frames

ADC Direct Response Settings

Set Delimited Response, Default Field Separator, and Default Field Encapsulation Character to the values shown. The values shown are hard coded in WSAuthorizeNet.pl.
Delimited Response
Default Field Separator
Default Field Encapsulation Character

General ADC Settings

The ADC Secret is the private key used in the creation of the MD5 Hash field included in all ADC responses. The value assigned to ADC Secret must also be stored in x_MD5 in WebStore's merchant configuration file for Authorize.Net, merchant.authorizenet.cfg.
Current Secret (case-sensitive)
New Secret (case-sensitive)
Retype New Secret

Related Settings

Set Require Password to YES if ALL TRANSACTIONS are to be submitted via ADC Direct Response and/or Virtual Terminal and/or Batch Uploads. Store the merchant password in x_Password in WebStore's merchant configuration file for Authorize.Net, merchant.authorizenet.cfg.
Require Password for ALL Transactions

Authorize.Net Real-time Payment Processing in WebStore Online Demo

***Authorize.Net* Real-time Payment Processing in *WebStore***
Online Demo