Magento Extension User Guide: Payment Pages
This document explains how to install the official Secure Trading
extension on your Magento store.
Module version: 3.5
Published: 6 August 2015
Table of Contents
1 Introduction
1.1 Features
1.2 Requirements
1.3 About Magento Extensions
2 Process Overview
2.1 Overview of making a payment
3 First-Time Configuration
3.1 Install and configure the extension
3.2 Configure the extension
3.3 Configure Secure Trading account
3.4 Make a test payment
4 Advanced Configuration
4.1 Payment Action Types
4.2 Configure Iframe
4.3 Additional request types
4.4 Cancel Order on Risk Decision Deny
5 Managing Orders
5.1 Order View
5.2 Credit Memo
6 Testing and Maintenance
6.1 Compatibility
6.2 Troubleshooting
6.3 Updating the Extension
6.4 Log files
7 Additional Notes
7.1 Create Web Services Username
7.2 Multishipping purchasing
7.3 Failed payment attempt
7.4 PayPal support
7.5 Sofort
7.6 Transaction reporting
7.7 Multi-store configuration
7.8 Multi-currency configuration
7.9 STAPI Configuration (advanced)
8 Further Information and Support
8.1 Secure Trading Support
8.2 Secure Trading Sales
1 Introduction
The Secure Trading extension written for Magento Community Edition allows you to seamlessly integrate with Secure Trading to process payments on your online store. This document outlines the installation, configuration, testing and interaction of the extension between Secure Trading and Magento.
1.1 Features
The SecureTrading Magento extension supports the following features:
Magento’s one-step checkout process
Tokenization
Magento’s multishipping checkout process
Multi-store
Multi-currency
Customisable iframe configuration (3-D Secure only for API transactions)
3-D secure-enabled payments
Secure Trading’s Protect Plus fraud services
Secure Trading’s Account Check feature
Payments initiated from the Magento admin area (Mail Order / Telephone Order)
Extensive transaction reporting tools
Managing Secure Trading transactions from within the Magento admin interface
Fully supports UTF-8 character set
1.2 Requirements
You will need to consider the following steps before processing payments through Secure Trading using our Magento extension.
1.2.1 Upgrading from an older version
If you already have a Secure Trading extension installed on your Magento store, follow the update procedure steps outlined in section 6.3.
1.2.2 Magento installation and PHP version
You will need to have a web server running a Magento store installation, in order to install the Secure Trading extension. The extension has been designed and tested for use with Magento 1.7, 1.8 and 1.9 Community Edition. This version of the extension supports PHP 5.3.10 - 5.5.15.
1.2.3 Secure Trading account
In order to process transactions through Secure Trading’s servers, you will need to have an account with us and a site reference. You are provided with a Secure Trading site reference when you sign up and this is used to uniquely identify your account when you send any data to Secure Trading. It should also be quoted with any correspondence with Secure Trading.
Please note that to process Mail Order/Telephone Order requests through STPP, you must have a MOTO merchant number and you must ask Support (see section 8.1) to allow “MOTO” to be processed on your site reference.
1.3 About Magento Extensions
A Magento extension is a collection of files that are packaged together in order to alter or extend the behaviour of Magento. Extensions do not affect core Magento code and instead interact with Magento in several non-disruptive ways:
1. Additional files included in the extension folder will be executed within the Magento workflow.
2. Magento event observers will listen for certain conditions and execute additional pre-defined operations.
2 Process Overview
This section of the document explains how payments are processed using the Secure Trading extension for your Magento store.
2.1 Overview of making a payment
Step 1) The Customer opts to make a payment on Merchant’s Magento store using Secure Trading’s Payment Pages extension.
Step 2) Customer enters billing and delivery information and confirms the order.
Step 3) The Magento store generates a request to Secure Trading’s Payment Pages.
Step 4) The Customer inputs payment details on Secure Trading’s servers and submits these details to the acquiring bank over a secure connection.
Step 5) Secure Trading interprets response from the Acquiring Bank and submits a notification to the Magento store to confirm the result of the transaction.
Step 6) The Magento store displays a success message to the customer.
2.1.1 Capture (Settlement)
Funds that have been authorised by your acquiring bank will generally be transferred into your bank account within 24 hours. Secure Trading calls this process of settling funds into your account the settlement process. Magento calls this process capturing the funds.
3 First-Time Configuration
Follow these four easy steps to start making payments with the extension:
Step 1: Install the extension on your Magento store. See section 3.1 for more information.
Step 2: Configure the extension on your Magento store. See section 3.2 for more information.
Step 3: Configure your Secure Trading account. See section 3.3 for more information.
Step 4: Make a test payment using the test details provided. See section 3.4 for more information.
3.1 Install and configure the extension
Step 1: Install the extension on your Magento store.
3.1.1 Installation
1. Access Magento Connect to retrieve the Secure Trading payment extension from the following URL: http://www.magentocommerce.com/magento-connect/securetrading.html
2. Sign in and click the “Install Now” button.
3. Tick the "I agree to the extension license agreement" note and click the "Get Extension Key" button.
5. Sign in to your Magento admin panel, hover over “System” and then hover over “Magento Connect” from the drop-down menu. From here, select “Magento Connect Manager”. When prompted, enter your admin credentials to proceed to the Magento Connect Manager.
6. Once signed in to the Magento Connect Manager, you will need to locate the section titled “Install new Extensions” and paste the copied extension key into the text box (as seen below).
7. Click “Install”. The installation of the extension will begin.
8. You will be shown a list of current extensions (under “Manage Existing Extensions”). From here, you can “Cancel Installation” or “Proceed”. Click “Proceed” to install the extension.
9. Once the installation has been completed, click “Refresh” under the console.
10. Please ensure the section titled “Manage Existing Extensions” has the two extensions listed with “Package name(s)” of “Securetrading_Stpp” and “Securetrading_Multishipping”.
3.2 Configure the extension
Step 2: Configure the extension on your Magento store.
1. Sign in to the Magento administration area.
2. Hover over “System” from the options at the top of the page, and then click “Configuration” from the drop-down menu.
In the “SecureTrading STPP” box, click the “Configure” button for “Secure Trading Payment Pages”. This expands to show four options:
“Basic Configuration”
“Gateway Configuration”
“Connection Configuration”
“Transaction Search Configuration”
If you cannot view Secure Trading settings in this view, please refer to section 6.2 Troubleshooting.
You can hover the cursor over the “?” icons in the configuration to display further information on a field.
3.2.1 Basic Configuration
Click “Configure” next to “Basic Configuration” (under “Secure Trading Payment Pages”). This expands to show settings you can configure.
Ensure the “Enabled” field is set to “Yes”. You may also wish to give the payment module a distinctive name while testing so it will stand out on the checkout page. The name and description are both displayed in your Magento store when the customer is selecting a payment method. These can be changed before switching to your live Secure Trading site. When you have finished, click “Close” to collapse the list of settings.
3.2.2 Gateway Configuration
Click “Configure” next to “Gateway Configuration” (under “Secure Trading Payment Pages”). This expands to show settings you can configure.
3.2.2.1 Site Reference
You must enter your unique Secure Trading site reference in the “Site Reference” field.
When setting up the Magento extension for the first time, Secure Trading strongly recommends using your test site reference (e.g. “test_site12345”). This allows you to test payments to Secure Trading’s test bank (see section 3.4), to ensure your implementation works as expected.
When you are ready to go live, you change this to be your live site reference (e.g. “site24680”).
Any settings for “Payment Action” or “Settle Status” do not apply to Sofort bank transfers:
Successful Sofort bank transfers will always generate an invoice within 12 hours of being processed.
Successful Sofort bank transfers will always have settle status “10 - Settling” initially, before going to “100” following settlement.
3.2.2.2 Configure ST Site Security
Secure Trading strongly recommends enabling Site Security on your Magento solution.
Site Security will prevent malicious users from modifying sensitive payment information before being re-directed to the Secure Trading payment pages from your Magento store. This feature can be enabled by following these steps:
1. Set “Use Site Security” to “Yes”.
2. Enter a difficult-to-guess combination of letters and numbers into the “Site Security Password” field. This combination should be at least 8 characters long.
3. You must now notify the Secure Trading Support team via email ([email protected]) of the site reference being used and that you have "enabled the Site Security Password Hash", and include the following fields in this order:
currencyiso3a mainamount sitereference settlestatus settleduedate orderreference accounttypedescription order_increment_ids PASSWORD*
*The last field, 'PASSWORD', is to be the combination of characters you entered into the 'Site Security Password'.
The fields above will only work for version 3.5 of the extension. Older or newer versions of the extension may require different fields for site security. Please refer to the correct documentation for these versions.
Secure Trading Support will notify you when Site Security has been enabled on your site.
Secure Trading will never ask for your Site Security password after first-time configuration.
Never share your Site Security password with third parties. Do not store hard copies of this password.
3.2.2.3 Configure ST Notification Hash
Secure Trading strongly recommends enabling Notification Hash on your Magento solution.
Configuring a Notification Hash will help you to ensure that only Secure Trading can update your Magento store following a transaction. This feature can be enabled by following these steps:
1. Set “Use Notification Hash” to “Yes”.
2. Enter a difficult-to-guess combination of letters and numbers into the “Notification Hash Password” field. This combination should be at least 8 characters long.
3. Remember this password. You will need to enter it again when configuring your Secure Trading account within MyST, later in this document.
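The Site Security hash (section 3.2.2.2) and the Notification Hash (section 3.2.2.3) both bind a list of field values to a shared password. The following is an added example, not code from the extension or from Secure Trading, that recomputes such a hash and shows a changed field failing verification. It assumes SHA-256 over the concatenated values, an alphabetical order for the notification fields, and constructed sample data; the guide specifies none of these.

```python
import hashlib
import hmac

# Field order given in section 3.2.2.2 for extension version 3.5; the password goes last.
SITE_SECURITY_FIELDS = [
    "currencyiso3a", "mainamount", "sitereference", "settlestatus",
    "settleduedate", "orderreference", "accounttypedescription",
    "order_increment_ids",
]

# Constructed subset of the notification fields listed in section 3.3.1. The order
# in which they are hashed (alphabetical here) is an assumption, not from the guide.
NOTIFICATION_FIELDS = ["errorcode", "orderreference", "settlestatus", "transactionreference"]

# Constructed sample data; none of these values belong to a real account.
SITE_SECURITY_PASSWORD = "Xk29qLm7Rt4wZp8c"
NOTIFICATION_PASSWORD = "Hd83nBv5Yq1sTe6u"  # different from the one above, as the guide recommends

SAMPLE_REQUEST = {
    "currencyiso3a": "GBP",
    "mainamount": "49.99",
    "sitereference": "test_site12345",
    "settlestatus": "0",
    "settleduedate": "2015-08-13",
    "orderreference": "100000042",
    "accounttypedescription": "ECOM",
    "order_increment_ids": "100000042",
}

SAMPLE_NOTIFICATION = {
    "errorcode": "0",
    "orderreference": "100000042",
    "settlestatus": "0",
    "transactionreference": "1-2-345678",
}


def field_hash(fields, order, password):
    """Hash the values named in `order`, in that order, followed by the password.

    ASSUMPTION: SHA-256 over the UTF-8 concatenation. The guide does not name the
    algorithm. A field that is absent contributes an empty string.
    """
    material = "".join(str(fields.get(name, "")) for name in order) + password
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def verify(fields, order, password, received_hash):
    """Return True only if received_hash matches the hash recomputed locally."""
    if not isinstance(received_hash, str) or not received_hash:
        return False  # a missing hash is a failure, never a pass
    expected = field_hash(fields, order, password)
    # Constant-time comparison, so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               received_hash.strip().lower().encode("utf-8"))


def demo():
    """Run both checks over the constructed samples and return each outcome."""
    request_hash = field_hash(SAMPLE_REQUEST, SITE_SECURITY_FIELDS, SITE_SECURITY_PASSWORD)
    notification_hash = field_hash(SAMPLE_NOTIFICATION, NOTIFICATION_FIELDS, NOTIFICATION_PASSWORD)
    # Same hash, but one field edited after the hash was calculated.
    tampered_request = dict(SAMPLE_REQUEST, mainamount="0.01")
    altered_notification = dict(SAMPLE_NOTIFICATION, orderreference="100000043")
    return {
        "request_ok": verify(SAMPLE_REQUEST, SITE_SECURITY_FIELDS,
                             SITE_SECURITY_PASSWORD, request_hash),
        "tampered_amount_ok": verify(tampered_request, SITE_SECURITY_FIELDS,
                                     SITE_SECURITY_PASSWORD, request_hash),
        "notification_ok": verify(SAMPLE_NOTIFICATION, NOTIFICATION_FIELDS,
                                  NOTIFICATION_PASSWORD, notification_hash),
        "altered_notification_ok": verify(altered_notification, NOTIFICATION_FIELDS,
                                          NOTIFICATION_PASSWORD, notification_hash),
        "missing_hash_ok": verify(SAMPLE_NOTIFICATION, NOTIFICATION_FIELDS,
                                  NOTIFICATION_PASSWORD, None),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Because the field order is part of the hash input, both sides must agree on it exactly, which is why the guide ties the field list to extension version 3.5.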
3.2.2.4 Use API with Payment Pages
You can use Secure Trading’s API to update existing transactions with changes made in the admin interface. To do this, set “Use API with Payment Pages” to “Yes” and then follow the instructions in section 3.2.3 to correctly fill in the “Connection Configuration”.
3.2.3 Connection Configuration
Your Web Services credentials are used to update existing transactions with changes made in the admin interface. You will need to enter these details into the “Connection Configuration”. Click “Configure” next to “Connection Configuration” (under “Secure Trading Payment Pages”). This expands to show a drop-down box labeled “Connection” and configuration settings for STAPI and Web Services. From the drop-down box, select “Stpp Web Services”:
We recommend using the Secure Trading extension with Secure Trading Web Services; it also supports the use of our STAPI client.
Please refer to section 7.9 for information on how to configure STAPI. Note: Tokenization cannot be performed using the STAPI client. All Secure Trading documents can be found on our website.
Then, click “Configure” next to “Web Services Connections” (under “Connection Configuration”).
This expands to show additional Web Services settings you can configure. Please fill in all fields shown (alias and username must be the same).
If “Verify SSL Certificates” is set to “Yes”, the “SSL CA FILE” must be a full file path pointing to a trusted .PEM/.CRT certificate.
If you do not already have a Web Services username and password, you can create Web Services credentials for your site(s) by following the steps outlined in section 7.1.
3.2.4 Transaction Search Configuration
The Secure Trading extension makes use of ‘crons’ to schedule background maintenance tasks on your Magento store. This is required for:
Cancelling orders older than 24 hours that are still in the “Payment Pages”, “3D Secure” or “Pending Sofort” status. These orders are most likely abandoned and cancelling them releases the stock reserved, allowing purchase by new customers. This runs every hour, on the hour (at *:00).
Performing daily checks (at midnight GMT) for orders older than 7 days:
o Cancels orders that haven’t been captured.
o Closes open ‘Transactions’ (see the “Sales” > “Transactions” page in the admin area). Closed ‘Capture’ transactions indicate the payment is no longer pending settlement.
Updating Sofort orders to “Processing” if they were accepted (settle status 100) or “Canceled” if they failed (settle status 3).
3.2.4.1 Set-up a Transaction Search User
You will need to contact the Secure Trading Support team (see section 8.1) and ask to have a new user account created for CSV downloading.
3.2.4.2 Configure the Magento Module
Click “Configure” next to “Transaction Search Configuration” (under “Secure Trading Payment Pages”).
This expands to show additional Web Services settings you can configure to allow CSV files to be downloaded from MyST into your Magento store. Please fill in all fields shown:
If “Verify SSL Certificates” is set to “Yes”, the “SSL CA FILE” must be a full file path pointing to a trusted .PEM/.CRT certificate.
3.2.4.3 Configure the Cron
You must configure a cron job (e.g. by using Linux crontab or Windows Scheduled Tasks) that performs an HTTP GET request to <root_magento_dir>/cron.php at regular intervals (Magento recommends every 15 minutes).
Every time the cron.php file is accessed, Magento will check any tasks that need to be run, and schedule any future tasks.
This is discussed in detail here:
3.2.5 Tokenization
Tokenization allows customers to save their payment details following their first payment using a particular card, allowing them to make future payments without having to re-enter their payment details.
[Screenshots: before saving a card; after saving a card]
Please note the currency used to make the transaction is also stored, and subsequent transactions using the same saved card must be processed in the same currency.
Risk Decision and Account Checks are NOT performed on tokenization requests. (These checks can be run on the initial requests to Payment Pages)
For merchants upgrading from an earlier version of the extension:
In addition to the other steps outlined in this section, please sign in to MyST and ensure your existing notifications include the following fields.
Default fields: currencyiso3a, expirydate
Custom fields: customer_id, savecc
See section 3.3.1 for a list of all required fields.
Card details are saved as customer billing agreements in the Magento system. When the customer opts to use a saved card for a new transaction, the payment is made using an API request to Secure Trading. The customer is not redirected to the Payment Pages. They don’t need to type in any payment details, as these have been stored as part of the billing agreement. Configuring tokenization requires you to perform some additional configuration, which is documented in this section.
3.2.5.1 Payment Pages Configuration
Under “Secure Trading Payment Pages” > “Gateway Configuration”, please set “Use Tokenization” to “Yes”.
Also, you can optionally enter custom text into the “‘Save CC details?’ Question” field, which is shown to the customer when asking if they would like to save their card details for future use. The default text if left blank is “Save card details?”.
3.2.5.2 Tokenization Configuration
Under “Secure Trading Tokenization”, please address the following:
Ensure “Enabled” is set to “Yes”.
Enter a distinct “Title” & “Description”. Note: These are both shown to customers prior to payment. Title & description are only shown when customer has previously opted to save a card for future payments.
If you would like 3-D Secure to be performed for each tokenization request, set the “Use 3D Secure” option to “Yes”.
(This is independent of the setting in the “Secure Trading Payment Pages” configuration)
See section 4.3.3 for further information.
Select the card types you will accept for tokenization.
Ensure the “Config Inheritance” is set to “Secure Trading Payment Pages”. This inherits necessary settings from the “Secure Trading Payment Pages” configuration.
Consider the other fields available, and customise as required (hover over the “?” icons for more information).
3.2.6 Save your settings
Always be sure to click “Save Config” when you have finished changing configuration in order to save your preferences.
3.3 Configure Secure Trading account
Step 3: Configure your Secure Trading account.
3.3.1 Notifications
Notifications are responsible for updating order information in your Magento store after payment has been completed.
Using MyST to configure notifications is described in detail in the MyST User Guide.
All Secure Trading documents can be found on our website.
1. Navigate to https://myst.securetrading.net/login and sign in to MyST.
2. Click “Notifications” from the left side menu.
3. Ensure the site reference you used in section 3.2.2.1 has been selected in “SiteReference” field in the upper left of the page.
5. Configure the filter with the following options:
Field | Input required
Description | Enter a recognizable name of your choice here e.g. "success and decline transactions".
Requests | AUTH (mandatory), ACCOUNTCHECK (optional), THREEDQUERY (optional), RISKDEC (optional)
Payment types | Select all required payment types.
Error codes | 0 - successful transactions (mandatory), 70000 - declined transactions (optional)
Please note that notifications can be configured to update your Magento admin interface for error codes other than 0 or 70000. Common examples:
for unauthenticated 3-D Secure payments (error code 60022).
for when Protect Plus returns a “DENY” response (error code 60107).
If you wish to be sent error codes other than 0 or 70000, please contact the Secure Trading Support team (see section 8.1).
6. Click “Save”.
8. Configure the destination with the following options:
Field | Input required
Description | Enter a recognizable name of your choice here e.g. "Magento notification destination".
Notification type | URL (This will perform a HTTP POST to your Magento store).
Process notification | Failover (A notification is sent to your store before the customer completes the transaction. In the event of a failure the notification will be scheduled to be retried periodically for up to 48 hours)
Destination | <your_root_magento_install_here>/index.php/securetrading/redirect/notification
Notification password | The value of this field is included in the Notification Hash which can be used to verify the request has not been modified.
Secure Trading strongly recommends enabling the Notification Hash feature on your Magento solution. Secure Trading strongly recommends using a different value for your Notification Hash password to the Site Security password entered while configuring the Magento store.
To enable the Notification Hash, please enter the same password here that you specified in section 3.2.2.3.
Fields: (select all of the following default fields)
accounttypedescription billingcountryiso2a billingcounty billingemail billingfirstname billinglastname billingpostcode billingprefixname billingpremise billingstreet billingtelephone billingtown currencyiso3a customercountryiso2a customercounty customeremail customerfirstname customerlastname customerpostcode customerprefixname customerpremise customerstreet customertelephone customertown enrolled errorcode expirydate maskedpan orderreference parenttransactionreference paymenttypedescription requesttypedescription securityresponseaddress securityresponsepostcode securityresponsesecuritycode settlestatus status transactionreference
Custom Fields: (include the following custom fields) customer_id errordata errormessage fraudcontrolshieldstatuscode order_increment_ids savecc send_confirmation
You must ensure all of the fields above are selected in the “Add new destination” overlay. If any of the fields are missing, Secure Trading may not update your Magento store correctly following the processing of new transactions or transaction updates.
It is possible to submit additional fields to the above for additional reporting within the ‘ST Transactions’ page if required.
9. Click “Save”.
10. Select the filter you created from the “Filters” drop-down at the top of the table. Then select the destination you created from the “Destinations” drop-down to the right of the filter.
11. Click “Save”. Ensure the filter and destination are displayed together when the page reloads.
3.3.2 Redirects
Once a payment has been successfully processed using the Secure Trading Payment Pages, you will need to configure a redirect(s) to return the user from the Payment Pages to your Magento store. You will need to sign in to MyST with your username and password and use the “Rule manager” feature. The following MyST user roles have access to this functionality:
Site admin
Developer
Developer 2
3.3.2.1 Getting started
1. Sign in to MyST.
2. Navigate to the “Rule manager” page (click the link in the left side menu).
3. Select your site reference and select the “Payment pages redirect” action type from the drop-down boxes in the upper-left and click “Change”.
3.3.2.2 Creating the ECOM redirect
This will redirect customers to your Magento store after they have processed a successful e-commerce (ECOM) payment on the Payment Pages.
Create the Action (1)
Configure an Action with the following criteria (click the “New action” button):
Website address (URL) of <your_root_magento_install_here>/index.php/securetrading/redirect/redirect
Under the Field selection tab, tick the following fields:
o “errorcode”
o “orderreference”
o “paymenttypedescription”
And add the following custom field:
o “order_increment_ids”
Give the Action a unique and memorable name (e.g. “Magento store”) and click “Save”.
For multi-store installations, please see section 7.7.
Create the Condition (2)
Configure a Condition with the following criteria (click the “New condition” button):
Accounts in ECOM
Requests in AUTH
Error codes in 0
Give the Condition a unique and memorable name (e.g. “successful Magento ECOM”) and click “Save”.
Use the Condition and Action to create a redirect rule (3)
Use the drop-down boxes at the top of the table to select the Condition and Action and click “Save”. After you have clicked “Save”, the new redirect rule will be displayed in the table with a
3.3.2.3 Creating the MOTO redirect
This will redirect you or other designated users to your Magento admin area, after performing a successful Mail Order / Telephone Order (MOTO) using the Payment Pages.
Create the Action (1)
Configure an Action with the following criteria (click the “New action” button):
Website address (URL) of <your_root_magento_install_here>/index.php/admin/sales_order_create_securetrading/redirect
Give the Action a unique and memorable name (e.g. “Magento admin area”) and click “Save”.
Create the Condition (2)
Configure a Condition with the following criteria (click the “New condition” button):
Accounts in MOTO
Requests in AUTH
Error codes in 0
Give the Condition a unique and memorable name (e.g. “successful Magento MOTO”) and click “Save”.
Use the Condition and Action to create a redirect rule (3)
Use the drop-down boxes at the top of the table to select the Condition and Action and click “Save”. After you have clicked “Save”, the new redirect rule will be displayed in the table with a tick to indicate that the rule is active (new rules are set to be active automatically).
3.3.2.4 Further reading
For further information on using the “Rule manager” to create and manage rules on your site reference(s), please refer to the MyST User Guide.
3.4 Make a test payment
Step 4: Make a test payment by following the steps outlined in this section.
You must only perform the following tests when connecting to your Secure Trading test site (must start with “test_”). Configuring your site reference is outlined as part of step 1.
1. Add an item(s) to your cart and proceed to checkout.
2. Register/sign in as appropriate and fill out billing and shipping information.
3. If the extension has been configured correctly, it will appear as a payment option in your store (name and description dependent on your configuration settings, see section 3.2.1). Select this option (if not already selected) and click “Continue”.
4. Confirm your order by clicking “Place Order”.
5. You will now be redirected to Secure Trading’s Payment Pages solution. By default, this will be shown in an iframe within your Magento store (see section 4.2 for further options). All Ecommerce payment types enabled on your account will be displayed. Select a payment type to process the payment with by clicking its respective logo.
6. Enter payment details into the fields shown and click “Pay”.
The following are fake PANs you can use for testing your implementation:
Name of payment type | Authorisation | Decline | Security code
American Express | 340000000000611 | 340000000000512 | 1234
Diners | 3000000000000111 | 3000000000000012 | 123
Discover | 6011000000000301 | 6011000000000202 | 123
JCB | 3528000000000411 | 3528000000000312 | 123
Maestro | 5000000000000611 | 5000000000000512 | 123
MasterCard | 5100000000000511 | 5100000000000412 | 123
MasterCard Debit | 5124990000000101 | 5124990000000002 | 123
V PAY | 4370000000000061 | 4370000000000012 | 123
Visa | 4111110000000211 | 4111110000000112 | 123
Visa Debit | 4310720000000091 | 4310720000000042 | 123
Visa Electron | 4245190000000311 | 4245190000000212 | 123
Visa Purchasing | 4484000000000411 | 4484000000000312 | 123
If the customer modifies the billing or delivery details at this stage, Secure Trading will update your Magento store with these changes after the payment has been authorised.
7. Providing the test card details you entered were for an authorised response, you will be shown a success message. If you entered declining test card details, an error message will be shown, and you’ll be allowed to try different payment details.
4 Advanced Configuration
4.1 Payment Action Types
Secure Trading supports two payment action settings:
1. “Authorize and Capture” – Secure Trading sends a request for payment authorisation, and the funds will be captured in a subsequent settlement run (normally within 24 hours). See sections 4.1.1 and 4.1.2.
2. “Authorize only” – Secure Trading sends a request for payment authorisation, but the funds will not be captured without further action from the merchant. See sections 4.1.3 and 4.1.4.
Any settings for “Payment Action” will not apply to Sofort bank transfers. Successful Sofort bank transfers will always be updated within 12 hours of being processed.
4.1.1 Diagram of Order Status Flow (using “Authorize & Capture” Payment Action)
The following is a diagrammatic overview of the order status flow in Magento when the customer places an order in your store when payment action is set to “Authorize & Capture” (described in more detail in section 4.1.2):
Step 1) The Magento store displays the Secure Trading Payment Pages in an iframe. Order status: “Payment Pages”
Step 2) Customer enters their payment details on Secure Trading’s servers.
Step 3) Secure Trading submits a request to the Acquiring Bank and interprets the response returned.
If error: Customer can amend payment details and start again.
If authorised: Step 4) Magento automatically generates an invoice.
If not suspicious: Invoice is in “Paid” status and is sent to the Customer. Order status: “Processing”
If suspicious (e.g. if card security code provided by Customer returns “Not Matched” response): Invoice is in “Pending” status. Order status: “Payment Review”
If merchant approves: Invoice is in “Paid” status and is sent to the Customer. Order status: “Processing”
If merchant denies: Payment cancelled by the Merchant. Invoice is in “Canceled” status. Order status: “Canceled”
If merchant ships: Product is delivered to Customer. Order status: “Completed”
4.1.2 Description of Order Status Flow (using “Authorize and Capture” Payment Action)
After the checkout process (one-page or multishipping) hosted by your Magento store, the customer confirms they are ready to make a payment by clicking “Place Order”. At this point, the customer is shown the Secure Trading Payment Pages within an iframe (by default), where they can enter their payment details on our secure server. In Magento, the order status is set to “Payment Pages”.
After the customer clicks “Pay”, Secure Trading sends a request to the acquiring bank which in turn submits a request to the card issuer, which will either authorise the payment or decline. If the payment is declined, the customer remains on Secure Trading’s Payment Pages and is given the opportunity to amend their details and try again if they wish to do so.
If the payment has been authorised and the order is:
Not suspicious, an invoice is automatically generated by your Magento store and the order status is set to “Processing”. Unless you manually update or cancel the transaction, the funds will be captured (settled) in Secure Trading’s next settlement run.
Suspicious, (e.g. if the security code entered is incorrect), the order status in Magento is set to “Payment Review” and the generated invoice will be in a ‘pending’ status.
You can review a “Payment Review” transaction on the Order View page (see section 5.1) and opt to cancel it using the Magento interface. Clicking the “Deny Payment” button updates the order status to “Canceled”, preventing the funds from being captured.
Alternatively, you can approve the payment by clicking on the “Accept Payment” button on the Order View page (see section 5.1) and allow the funds to be captured. The invoice is updated to ‘Paid’ status and the order status is updated to “Processing”.
To dispatch your product, you must manually confirm this in the Magento interface. This is achieved by clicking “Ship” on the Order View page for the order in question (providing the invoice has been paid). When you have done so, the order status in Magento is updated to “Completed”.
4.1.3 Diagram of Order Status Flow (using “Authorize Only” Payment Action)
The following is a diagrammatic overview of the order status flow in Magento when the customer places an order in your store (described in more detail in section 4.1.4):
[Diagram: order status flow using “Authorize Only”. Steps 1 to 3 (the Payment Pages are displayed in an iframe, the customer enters their payment details on Secure Trading’s servers, Secure Trading submits a request to the Acquiring Bank) with order status “Payment Pages”; branches “If authorised”, “If merchant generates invoice” and “If merchant ships”; order statuses “Processing” and “Completed”.]
4.1.4 Description of Order Status Flow (using “Authorize Only” Payment Action)
After the checkout process (one-page or multishipping) hosted by your Magento store, the customer confirms they are ready to make a payment by clicking “Place Order”. At this point, the customer is shown the Secure Trading Payment Pages within an iframe (by default), where they can enter their payment details on our secure server. Within Magento, the order status is set to “Payment Pages”.
After the customer clicks “Pay”, Secure Trading sends a request to the acquiring bank which in turn submits a request to the card issuer, which will either authorise the payment or decline. If the card issuer declines the payment, the customer remains on Secure Trading’s Payment Pages and is given the opportunity to amend their details to try again if they wish to do so. If the payment has been authorised, the order status in Magento is set to “Processing”. You must manually “Invoice” or “Cancel” each payment using the Magento interface:
To deny a payment and prevent it from being captured (settled), click “Cancel” on the Order View page for the order in question. This will leave the transaction in a suspended state within Secure Trading that will not be scheduled for capture (settlement).
To proceed with the order, generate an invoice within the Magento interface. This is achieved by clicking “Invoice” on the Order View page. This allows the funds to be captured in Secure Trading’s next settlement run by updating the transaction on Secure Trading to be scheduled for capture (settlement).
To dispatch your product, you must manually confirm this within the Magento interface. This is achieved by clicking “Ship” on the Order View page for the order in question. Once the item(s) have been shipped, the order status in Magento is updated to “Completed”.
Please note when using Protect Plus, if the checks return a “CHALLENGE” or “DENY” response, the order will enter “Payment Review”. Please see section 5.1.4 for information on actions that can be performed on orders in status “Payment Review”.
4.2 Configure Iframe
By default, the extension uses iframes to redirect your Customers to Secure Trading’s Payment Pages. Iframes are used to display the Payment Pages within your Magento store. This is used to create a seamless user experience.
If you wish to disable iframes:
Navigate to the SecureTrading Payment Pages > Basic Configuration settings within the extension settings and set “Use iframes” to “No”.
4.3 Additional request types
Secure Trading allows you to customize your Payment Pages in a number of ways. To enable any of the following features on your Secure Trading Payment Pages solution, please contact Secure Trading support (see section 8.1).
The following features are described in more detail in the Payment Pages Setup Guide.
All Secure Trading documents can be found on our website.
Risk Decision and Account Checks are NOT performed on tokenization requests. (These checks can be run on the initial requests to Payment Pages)
4.3.1 Risk Decision (Protect Plus)
The purpose of Risk Decision requests is to minimise fraud by analysing customer details and highlighting possible fraudulent activity by using Secure Trading’s Protect Plus system. This is to assist you in making a decision of whether or not to process a customer’s transaction, based on the perceived level of risk.
This is achieved by checking the industry’s largest negative database and also searching for suspicious patterns in user activity. The system uses neural-based fraud assessments that can be configured specifically for your account and is constantly updating the fraud checks used to combat new risks.
Based on the decision returned by the Protect Plus system, a customer that is deemed suspicious can be prevented from processing a payment.
4.3.2 Account Check
An Account Check is an optional request to help minimise fraud. It allows payment details to be validated, and checks that the details entered by the customer match those on the card issuer’s records. No funds will be reserved or transferred by the Account Check request.
Please note that Account Checks are only available for certain Acquiring Banks. Please contact the Secure Trading support team for more information (see section 8.1).
4.3.3 3D Secure
3-D Secure is a protocol designed to reduce fraud and Chargebacks during e-commerce Internet transactions. Cardholders are asked to identify themselves at the point of sale before the purchase can be completed. This usually means entering a PIN or other password after entering their credit card details.
In the event of a dispute with the transaction at a later date, the card issuer will usually take responsibility for the Chargeback instead of the merchant. The liability issues involved with 3-D Secure transactions are out of the scope of this document. For a detailed indication of the liabilities involved, contact your bank.
4.4 Cancel Order on Risk Decision Deny
If you are using Risk Decision (Protect Plus), there are two options for handling transactions that return a Risk Decision status of DENY:
4.4.1 Default behaviour
By default, the extension leaves orders that have returned a risk decision status of DENY in the payment review status for you to manually investigate and either accept or deny the payment. The customer will be shown a success message following payment. You do not need to make any additional configuration changes to the extension if this is the desired behaviour.
4.4.2 Cancel order on 60107 error code
You can opt to have the extension update orders that have returned a risk decision status of DENY to order status “Canceled” within Magento. The extension achieves this by placing the affected orders in payment review and then denying the payment. The customer will be redirected to Magento and will be provided with the opportunity to pay again.
To configure this for your solution, please perform the following steps:
Navigate to the extension’s configuration settings in the Magento administration interface (as described in section 3.2).
Set “Cancel order on 60107 error code” to “Yes” (under Secure Trading Payment Pages > Basic Configuration).
Please email Secure Trading Support and request a rule to be configured, to cancel Magento transactions that return an error code 60107 (risk decision DENY). Secure Trading Support will email back when the rule is in place.
Please note that to revert to default behaviour, you will need to set the option to “No” and contact Support to disable the previously-configured rule.
Please note that if you change payment flows to use an API, you will need to contact Support to disable this rule. For more information on the API, please see the latest API Magento Extension Guide.
5 Managing Orders
The Secure Trading extension provides full integration with your Magento store. You are able to manage your orders using the Magento admin interface, and any actions taken will instruct Secure Trading to update the transaction(s) as required, provided that you have configured the advanced extension settings to use the Web Services or STAPI client as detailed in sections 3.2.3 and 3.2.4.
Please note that Secure Trading strongly recommends using the Magento admin interface when managing orders processed by your store.
The purpose of this section of the document is to outline the expected behaviour of Secure Trading’s extension for Magento when performing default Magento actions on orders processed by your store. These actions are core Magento functions. For up-to-date information on Magento features, please refer to Magento’s website.
5.1 Order View
On the Magento Order View page, Secure Trading populates additional fields containing relevant information about the processed payment.
5.1.1 Multishipping Tab
By clicking “Related Multishipping Orders” in the left side menu (when a customer used multishipping), you will be able to see all other orders that are in the same multishipping transaction.
5.1.2 Payment Information
Secure Trading will populate the following fields in the “Payment Information” box:
Field Comment
“Account Type Description”
“ECOM” – E-commerce transaction performed by the customer.
“MOTO” – Mail Order Telephone Order performed in the Magento admin interface.
“Transaction Reference”
Unique reference assigned by Secure Trading to reference the payment.
“Security Response Address”
“Security Response Postcode”
“Security Response Security Code”
The result of the Address Verification System (AVS) and security code checks on the house number, postcode and card security code provided by the customer (see the AVS & CVV2 document):
“Matched” - Billing details match those on record.
“Not Matched” - Billing details don’t match those on record.
“Not Checked” - Billing details not checked.
“Not Given” - Billing details missing.
“Fraud Control Shield Status Code”
Results from the Protect Plus checks performed on the customer’s details (if configured; see section 4.3.1 for further information):
“ACCEPT” – The details are not deemed suspicious.
“CHALLENGE” – Further investigation is recommended.
“DENY” – The details are suspicious and a transaction should not be performed.
“Payment Type”
The payment method used by the customer. e.g. “VISA”
“Last 4 Card Digits”
The last four digits of the card used by the customer. e.g. “1111”
“3D Enrolled”
(If configured. See section 4.3.3 for further information)
“Y” – Card is enrolled in 3-D Secure.
“N” – Card is not enrolled in 3-D Secure.
“U” – Unable to determine if card is enrolled in 3-D Secure.
“3D Status”
(If configured. See section 4.3.3 for further information)
“Y” – Customer authenticated by the card issuer.
“A” – An authentication attempt occurred but could not be completed.
“U” – Unable to perform authentication.
“N” – Customer not authenticated.
“Order was placed
Clicking the “View in MyST” hyperlink will open MyST in a new tab/window. After signing in to MyST, you will be shown the single transaction view page for the transaction reference associated with the order shown on the Order View page.
For more information on viewing transaction information using MyST, please refer to the MyST User Guide.
All Secure Trading documents can be found on our website.
5.1.3 Orders Not Invoiced (Authorize Only)
This section only applies to merchants using “Authorize Only” payment action status. (See section 4.1.3)
Please note that if you wish to process the order you must issue the invoice within 7 days of the payment being authorised. After this time period, Secure Trading will automatically cancel the transaction as the authorisation code will have expired.
Orders that are yet to be invoiced (default behavior when Payment Action is set to “Authorize Only” for a successfully processed transaction) will have the following actions that can be performed:
Action button Comment
“Edit”
Click “Edit” to change details of an order.
For non-invoiced orders, this procedure cancels the order and creates a new offline (MOTO) order with the modified details you provide. Secure Trading sends a new request to the card issuer for authorisation with the payment details you provide.
“Cancel”
Click “Cancel” to cancel an order.
This marks the order as “Canceled” in the Magento interface. Cancelled orders cannot be resumed using the Magento interface; in such a scenario, you will need to process a new order.
Note 1: Any partial captures that are registered within Magento for an order before it is manually cancelled will still proceed for settlement. Once cancelled no further funds can be accepted from the order.
Note 2: It is still possible for credit memos to be performed on any existing invoices generated for an order that is in a ‘Canceled’ state.
“Send Email”
Click “Send Email” to send an email to the customer.
By default, the email is sent to the customer’s user account email address. When on the order details page, this will send an order confirmation email if one was not sent initially.
When on the invoice details page, this will send an invoice confirmation. When on the credit memo page, this will send a credit memo confirmation.
When clicked on the shipping page, this will send a shipping confirmation.
“Hold”
Click “Hold” to put an order on hold.
This prevents subsequent actions such as shipping the product or refunding the order without explicitly “unholding” the order first. Putting an order on hold will not prevent funds from being captured by the acquiring bank, if this has been previously authorised.
“Unhold”
Click “Unhold” to take an order off hold status. This allows you to perform other actions on the order, such as modification or cancellation, generating an invoice or shipping the product.
“Invoice”
Click “Invoice” to generate an invoice for the order and proceed with the payment.
Performing this action will allow funds to be captured by the acquiring bank (usually occurs within 24 hours). Once an invoice has been generated for an order, it is not possible to cancel it. Instead, you will need to process a “Credit Memo” (refund).
“Credit Memo”
For information on “Credit Memo” please see section 5.2.
“Ship”
Click “Ship” to dispatch the product to the customer.
This is unrelated to the state of the payment and can be performed at any time after an order has been generated. We strongly recommend waiting for funds to be captured by your acquiring bank before shipping.
“Reorder”
Click “Reorder” to create a new order using details of the order being viewed.
You will be presented with a form pre-filled with details of the order, allowing you to process an additional order with the same or different details depending on your requirements.
5.1.4 “Payment Review” Orders
When an order is in “Payment Review” status, this is because a transaction has met certain pre-defined criteria that have led Secure Trading to suspend payment until you have manually reviewed the transaction. By default, this occurs for Authorize and Capture orders when the customer has entered an invalid CVV2 (security code on the customer’s card) or any time Protect Plus (if enabled) returns a “CHALLENGE” or “DENY” response.
Please note that if you wish to process the order you must issue the invoice within 7 days of the payment being authorised. After this time period, Secure Trading will automatically cancel the transaction as the authorisation code will have expired.
Action button Comment
“Send Email”
Click “Send Email” to send an email to the customer.
By default, the email is sent to the customer’s user account email address. When on the order details page, this will send an order confirmation email if one was not sent initially.
When on the invoice details page, this will send an invoice confirmation. When on the credit memo page, this will send a credit memo confirmation. When clicked on the shipping page, this will send a shipping confirmation.
“Accept Payment”
This will instruct Secure Trading to accept the payment.
If already invoiced (Authorize and Capture): Selecting this option will allow the funds to be captured by the acquiring bank and will set the order status to “Processing”.
If not invoiced (Authorize Only): Selecting this option will allow you to invoice the order and will set the order status to “Processing”.
“Deny Payment”
This will instruct Secure Trading to prevent the funds from being captured by the acquiring bank. This will set the order status to “Canceled”.
All orders that have been invoiced will have the following actions that can be performed:
Action button Comment
“Edit”
Click “Edit” to change details of an order.
For invoiced orders, this procedure creates a new order with the modified details you provide. Secure Trading sends a new request to the card issuer for authorisation with the payment details you provide.
Note: The original order and transaction will still be processed unless you opt to override the order.
“Send Email”
Click “Send Email” to send an email to the customer.
By default, the email is sent to the customer’s user account email address. When on the order details page, this will send an order confirmation email if one was not sent initially.
When on the invoice details page, this will send an invoice confirmation. When on the credit memo page, this will send a credit memo confirmation.
When clicked on the shipping page, this will send a shipping confirmation.
“Credit Memo”
For information on “Credit Memo” see section 5.2.
“Hold”
Click “Hold” to put an order on hold.
This prevents subsequent actions such as shipping the product or refunding the order without explicitly “unholding” the order first. Putting an order on hold will not prevent funds from being captured by the acquiring bank, if this has been previously authorised.
“Unhold”
Click “Unhold” to take an order off hold status. This allows you to perform other actions, such as shipping the product or refunding the order.
“Ship”
Click “Ship” to dispatch the product to the customer.
This is unrelated to the state of the payment and can be performed at any time after an order has been generated. We strongly recommend waiting for funds to be captured by your acquiring bank before shipping.
“Reorder”
Click “Reorder” to create a new order using details of the order being viewed.
You will be presented with a form pre-filled with details of the order, allowing you to process an additional order with the same or different details depending on your requirements.
5.2 Credit Memo
There are two types of Credit Memos that can be issued for an order:
1. Offline Credit Memos
2. Online Credit Memos
5.2.1 Offline Credit Memos
Offline credit memos will not update the transaction on the Secure Trading system and will only generate the credit memo within Magento. Offline credit memos are issued when a refund is performed by clicking the “Refund Offline” button.
Clicking “Credit Memo” from the Order View page will lead to issuing an offline credit memo.
5.2.2 Online Credit Memos
Online credit memos will update the transaction on the Secure Trading system and will also generate a credit memo within Magento.
To generate an online credit memo, please follow these steps:
Step 1 - From within the Magento Administration portal select from the menu: Sales > Orders
Step 2 - Choose an Order (by clicking on the order).
Step 3 - Select Invoice from the left side menu on the Order View page.
Step 4 - Choose an Invoice (by clicking on an invoice).
Step 5 - Click the “Credit Memo” button.
Step 6 - Click the “Refund” button.
Alternatively, you could access the invoice by navigating to Sales > Invoice and continuing from Step 4 mentioned above.
Note: Clicking the “Refund Offline” button when issuing a credit memo will generate an offline credit memo which will NOT update the transaction on Secure Trading's systems.
5.2.3 Credit Memo behavior
The following behaviour is observed when issuing a credit memo for the following conditions:
Condition 1: For full refunds where funds have not been captured
Secure Trading will cancel the order and the authorised funds will be released back to the customer’s account.
Condition 2: For full refunds where funds have been captured
Secure Trading will initiate a refund for the full amount.
Condition 3: For partial refunds where funds have not been captured
Secure Trading will reduce the amount that will be captured by the acquiring bank, as required. The remainder of the reserved funds will be released to the customer’s bank account.
Condition 4: For partial refunds where funds have been captured
Secure Trading will initiate a partial refund for the specified amount.
6 Testing and Maintenance
Magento is written in PHP and runs on an HTTP webserver. Secure Trading’s typical testing environment is a LAMP (Ubuntu OS) or WAMP (Windows OS) stack. Due to the enormous variety of possible environments that may run this module (each webserver has its own peculiarities and its own set of PHP version distributions), we recommend that each installation or upgrade is thoroughly tested on a staging system before being deployed to production.
Once the module is deployed to the staging system, we recommend running test cases with a similar workload as is expected on the production system. As with all test systems, we recommend that you replicate the production system in terms of hardware and software setups to eliminate any possible anomalies. After the module is deployed to a production system, we recommend that all available log files are monitored and, if any unexpected behaviour is detected, appropriate personnel should be alerted immediately.
All production system changes should adhere to a strict change-control process to reduce the likelihood of release issues.
6.1 Compatibility
Secure Trading has tested the Magento extension with a default installation of Magento. We cannot guarantee the behaviour if any core code has been modified or if any additional modules have been enabled.
Any functionality not described within this document is not guaranteed to exhibit the expected behaviour. If you have any queries on Magento features not covered in this document and whether the SecureTrading extension supports them, please contact Secure Trading Support (section 8.1).
6.2 Troubleshooting
Symptom(s) Suggested solution(s)
Payment module not displaying within “System” > “Configuration” > “Payment Methods”
Ensure you have installed the extension correctly, by following the instructions outlined in section 3.1.
If this does not resolve the problem, please change the file permissions / CHMOD settings of the extension (temporarily) to 777. This gives every user on the server full READ, WRITE and EXECUTE access to the extension’s files.
Ensure the file permissions are set securely before going live (no more permissive than “755”).
Payment not updating or cart not emptying on your Magento store following a successful payment.
Issues such as the cart not redirecting or updating as expected can be caused by the ST notification and/or redirect not being configured correctly.
Please ensure the “Use API with Payment Pages” option has been set to “Yes” in the configuration settings (see section 3.2.2.4). Please ensure the “Connection Configuration” section in the configuration settings has been configured as required (see section 3.2.3).
Please check that your notification settings have been configured as outlined in section 3.3.1. In particular, ensure all required fields have been ticked when configuring the filter.
Please check that your Payment Pages redirects have been configured as outlined in section 3.3.2.
If you are still having problems with the shopping cart, please contact Secure Trading Support (see section 8.1) and they will assist you in troubleshooting the problem.
Unable to generate “invoice” or “credit memo”.
This could be caused by the misconfiguration of Web Services / STAPI within the Secure Trading extension settings within the Magento admin interface.
Please ensure the “Use API with Payment Pages” option has been set to “Yes” in the configuration settings (see section 3.2.2.4). Please ensure the “Connection Configuration” section in the configuration settings has been configured as required (see section 3.2.3).
Customer can’t use saved card details with tokenization.
Please ensure that your “Config Inheritance” is set to the appropriate connection type (see section 3.2.5.2) and that the connection details set in the corresponding “Connection Configuration” are correct.
Transaction not processed in the displayed currency.
Magento allows your storefront to display multiple currencies to the customer. Regardless of the currency that the customer is viewing, the transaction will be processed in the ‘Base Currency’ that has been configured for the store.
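The temporary 777 step in the first troubleshooting entry leaves the extension’s files writable by every user on the server until the permissions are tightened again. The shell functions below are an added example (not part of the Secure Trading extension or of the original guide): they list anything under a directory that is more permissive than 755 and strip only the group/other write bits. The directory argument is a placeholder for wherever the extension is installed.

```shell
#!/bin/sh
# Added example: audit and tighten permissions after a temporary "chmod 777".
# The directory is passed as an argument; no real extension path is assumed.

# Print every file or directory under $1 that group or other users can write
# to, i.e. anything more permissive than 755. Symlinks are skipped because
# their own mode bits are not what the system enforces.
list_loose_perms() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Count the offenders. One dot is emitted per match so that unusual file
# names (spaces, newlines) cannot distort the count.
count_loose_perms() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec printf '.' \; \
        | wc -c | tr -d ' '
}

# Remove group/other write access from the offenders only.
# 777 becomes 755 and 666 becomes 644, so plain files do not gain an
# execute bit the way they would with a blanket "chmod -R 755".
tighten_perms() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Succeeds (exit status 0) only when nothing under $1 is group- or
# world-writable. Suitable as a pre-go-live check.
perms_are_safe() {
    [ "$(count_loose_perms "$1")" -eq 0 ]
}

# When run with a directory argument, report what would need tightening.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    list_loose_perms "$1"
fi
```

Run `list_loose_perms` first to review what the temporary change touched, then `tighten_perms` on the same directory, and confirm with `perms_are_safe` before going live.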
6.3 Updating the Extension
As part of maintaining and improving the Magento extension, Secure Trading will periodically release updates. As such, Secure Trading recommends regularly checking the Magento Connect Manager for new versions of the extension.
All new versions of the extension will also be available on the Magento Connect website: http://www.magentocommerce.com/magento-connect/securetrading.html
Click “Follow this extension” to be notified when the extension is updated.
6.3.1 Pre-Requisites
6.3.1.1 Back-Up Your System
Before updating the extension, Secure Trading recommends that you perform a full back-up of the existing extension files installed on your system, including your database. Magento provides tools to assist you:
Go to “System” > “Tools” > “Backups”.
Back-up files are compressed using the .gz format and are stored in the var/backups directory in your Magento file system.
6.3.1.2 Test Update on your Staging System
Secure Trading recommends first installing the extension update on your staging system, before deploying the new version of the extension on your live system.
Please perform the following on your staging system, using your test site reference:
Process a number of transactions on your staging system using the existing configuration.
Upgrade to the new extension.
Update transactions that you processed before the extension was upgraded (to ensure correct behaviour).
Process a number of new transactions on your staging system, using the upgraded extension.