This document covers summary information on how to ensure that only purchase tokens which originate from your website can result in successfully authorised transactions. Where possible links to online documentation have been included should you wish to include this functionality within your web site or if you are developing a shopping cart which integrates with the WorldPay Payment Gateway.
To reduce the possibility of fraud it is recommended that your WorldPay integration takes advantage of at least one of the features covered in the sections below:
Select Pro and Select COM use 1024 bit encryption to protect certain elements of the purchase token (and 100% of the callback data we send). Please see http://support.worldpay.com/kb/integration_guides/pro/help/spig3300.html and http://support.worldpay.com/kb/integration_guides/pro/help/spig4310.html for further details.
Please note if you have used the Select COM buythis.asp script for testing (or for Select Pro the buythis servlet), you may wish to disable or restrict access to them once your site has gone live.
Where Select Pro or Select COM use is either impractical or impossible, the MD5 option for Select Junior is offered as a way of protecting HTML-based purchase tokens. Please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/tech_notes/sjig_tn_009.html for more information.
Once enabled, if a purchase token reaches WorldPay and we cannot verify it the shopper will be presented with the following text:
It is recommended that, if you implement the MD5 option for Select Junior, all variables that can have a value should be protected.
Back to top
Limiting the Lifetime of a Purchase Token
It is possible to restrict the time within which a purchase token is valid for submission to WorldPay. For Select Junior this is catered for using the authValidFrom and authValidTo variables (see http://support.worldpay.com/kb/integration_guides/junior/integration/help/appendicies/sjig_10100.html). For Select COM this is illustrated in the example purchase.asp.txt available which is available (by default) in c:\worldpay\select\htdocs\select-docs when the Select COM object is installed. For Select Pro this can be done using the setAuthValidTime(long, long) (or setAuthValidTime(Date, Date)) method.
One way to determine any offset between the time on your server and WorldPay's is to fetch the exchange rates from WorldPay and use the commented timestamp at the top of the file. For more details on this please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/information_services/sjig_8100.html. Alternatively you can use ntp1.uk.psi.net, ntp2.uk.psi.net or ntp3.uk.psi.net to synchronise your server with WorldPay.
If authValidFrom is in the future then the shopper will be presented with the following text:
Back to top
Data Integrity & Country Restrictions
The following technique is ideal if you wish to accept transactions from a specific country or range of countries. It has the added benefit of reducing the size of the WorldPay Payment Page.
If your web site collects and validates at least the mandatory elements of the Cardholder Details section of the WorldPay Payment Page (address, country and email), you can include these in the purchase token together with an extra parameter to either prevent this information from being edited or even displayed. If you choose to restrict the number of billing countries available you could subsequently verify that the country provided was correct using the AVS result. For more details please see http://support.worldpay.com/kb/integration_guides/junior/integration/help/appendicies/sjig_10100.html.
Countries you may wish to exclude are listed on http://support.worldpay.com/kb/user_guides/fighting_fraud/ffg2011.html.
Although the value attribute of fixContact and hideContact (and withDelivery, if you've requested WorldPay to collect delivery details for you) are ignored, you could use a value of true. This would then allow you to protect these parameters as part of an MD5 signature within a Select Junior purchase token.
You could also use this for:
- Validating
- Ensuring that the
addressis formatted in a particular way.
Back to top
Maximising Use of AVS
You may wish to verify that the country provided on the WorldPay Payment Gateway matches against the country the card issuer has associated with the card used for the transaction. To do this you should check that the last digit of AVS is 2, corresponding to a match.
If you are examining the value of AVS prior to providing goods or services, you may wish to ensure that the Make Payment button on the WorldPay Payment Page cannot be used unless a Security Code or postcode are provided.
These two parameters are optional. If you would like one or both of them to be made mandatory on the WorldPay Payment Gateway then please contact your local Technical Support Team by email requesting this, quoting the installation ID for which it is to be enabled.
Making these parameters mandatory only means that a value must be provided; you must still examine the value of AVS returned after a successful authorisation to determine your course of action.
Back to top
Pre-Authorisation: The Ultimate Sanction
Pre-Authorisation gives you the final decision whether to accept a transaction even after WorldPay has returned the authorisation details to you. Unless you have a small number of transactions (i.e. where manual checks would be sufficient), you can use your own automated checking rules in a callback script to initiate a post-authorisation only for those you believe are sufficiently valid. For details on callback please see http://support.worldpay.com/kb/reference/faqs/callback_faqs.html.
Please note you must always ensure that you successfully post-authorise (i.e. complete) each pre-authorised transaction before supplying any goods or services to the shopper. WorldPay guarantee that the post-authorisation can be attempted for up to five days after the initial pre-authorisation although it may fail if, for example the associated card has been reported as lost or stolen.
To request pre-authorisation accounts be set up for you please contact pre-auth@worldpay.com, quoting your Company ID and whether you would like to use pre-authorisation either instead of or in addition to immediate authorisation. Documentation on automating the post-authorisation process is available at http://support.worldpay.com/kb/reference/faqs/remote_postauth_and_refunds.html.
Please note not all shopping cart solutions permit the changes required to take advantage of pre-authorisation with WorldPay; you will need to confirm that support for pre-authorisation is possible, how it can be set and whether or not it can be used alongside or instead of immediate authorisation accounts (as appropriate) before requesting the changes be made for you.
These elements used in combination offer a high degree of security to prevent anyone simply submitting purchase tokens through one of your installations to the WorldPay Payment Gateway for fraudulent means - and all this comes in addition to the services offered by WorldAlert detailed in http://support.worldpay.com/kb/user_guides/fighting_fraud/fighting_fraud_guide.html.
END
Last update: 14 February 2005