PAYware Connect Gateway
Guide of Instruction to work with PAYware Connect Multi-site Data Centers
Frequently Asked Questions
Table of Contents
Introduction
URL Routing Configuration Change
How will this impact a merchant location?
How do I determine if a merchant location is at risk?
FAQs
History of PAYware Connect DNS Best Practices
Background
Multiple URLs / Domains
Introduction
To prepare for bringing the PAYware Connect second data center online, VeriFone is making certain all partners are aware of the changes that are to come. This document explains in detail the upcoming changes, the reason for these changes, what our partners must do to prepare their merchants for these changes, and the schedule for these changes.
URL Routing Configuration Change
VeriFone’s first step to deploy the redundant data center will be to redirect the current PAYware Connect URLs from direct access at the existing data center to a new multi-site management service. The purpose of this service is to allow VeriFone to seamlessly move traffic between the two data centers as needed (scheduled and unscheduled), meaning without any routing changes on your end.
This change will alter the IP addresses to which the PAYware Connect URLs resolve.
How will this impact a merchant location?
The following merchants will be affected by the scheduled PAYware Connect change:
- Firewalls/Access Control Lists [ACLs]: Merchant locations that limit outbound Internet traffic via a firewall or some other form of Access Control List need to ensure that the new IP addresses are added to their firewall in advance of this change. Additionally, the legacy IP addresses should be retained indefinitely.
- Static IPs: Merchant locations that in any fashion use static IP addresses instead of URLs are at risk of a service interruption. There are three ways that a static IP address could be introduced by your infrastructure:
  o The IP address is hardcoded in your application
  o The IP address is cached in your DNS server
  o The host name/IP address resides in your local host table
The following merchants will not be affected by this URL IP address change:
- Merchants connecting via the Dial interface will be unaffected.
- Merchants using PAYware Mobile and not using WiFi will be unaffected. However, PAYware Mobile users who use WiFi for Internet access and whose outbound traffic is limited by some sort of Access Control List [firewall or other] are at risk.
How do I determine if a merchant location is at risk?
1. Firewall/Access Control Lists:
   a. If a merchant location has a firewall [or other Access Control List] with rules limiting specific IP addresses the POS system can connect to outside the merchant’s network proper, a new set of IP address ranges must be added for Datacenter 2 while maintaining the Datacenter 1 IP address range in your ACL. The additional IP ranges conveyed in the September 2011 communication are listed below under "New Ranges".
      Existing:
         63.111.8.4 - 63.111.8.60
      New Ranges:
         68.64.45.36 - 68.64.45.62
         65.254.220.36 - 65.254.220.46
         209.198.197.130 - 209.198.197.131
         209.198.196.25 - 209.198.196.30
         66.129.115.97 - 66.129.115.102
         209.198.205.177 - 209.198.205.182
      NOTE: Do not delete the existing IP addresses.
   b. Once the additional IP addresses have been added, a merchant location can test access to the existing data center [ensuring current access is not broken], direct access to the new data center [as a failsafe], and finally to the new multi-site management service:
      1. Existing data center:
         1. Use a browser on a PC/server that routes through the same network path as your point of sale system.
            a. Go to https://ipcharge.net/ipchAPI/RH.aspx
            b. Go to https://ipcharge2.net/ipchAPI/RH.aspx
         2. A successful response of "Bad Request" will be returned in the web browser.
      2. Multi-site management service for API access can be tested by following the instructions below [Note: these test addresses have been updated to reflect the newest IP addresses conveyed in the Sept 2011 communication].
         1. Use a browser on a PC/server that routes through the same network path as your point of sale system.
            a. Go to https://209.198.196.26/ipchapi/rh.aspx
            b. Go to https://66.129.115.98/ipchapi/rh.aspx
         2. Depending on which browser you use, you will receive some sort of error indicating that the site is not valid. This is OK. Accept whatever message is provided to proceed to the site.
         3. A successful response of "Bad Request" will be returned in the web browser.
         4. Accessing PAYware Connect via the test URLs above is only for validating your network connectivity. Please utilize the correct domain name instead of an IP address for production traffic.
      3. Multi-site management service for Portal access can be tested by following the instructions below [Note: these test addresses have been updated to reflect the newest IP addresses conveyed in the Sept 2011 communication].
         1. Use a browser on a PC/server that routes through the same network path as your point of sale system.
            a. Go to https://209.198.196.25/mc
            b. Go to https://66.129.115.97/mc
         2. Depending on which browser you use, you will receive some sort of error indicating that the site is not valid. This is OK. Accept whatever message is provided to proceed to the site.
         3. If you successfully connect, you will be presented with the login page to the PWC Store Portal.
         4. Accessing PAYware Connect via the test URLs above is only for validating your network connectivity. Please utilize the correct domain name instead of an IP address for production traffic.
2. Use of Static IPs:
   a. Determine what method is used to interface with PAYware Connect, URL or static IP address.
      1. If you currently use https://ipcharge.com or https://Ipcharge2.com, you are using the URL.
      2. If you currently use 63.111.8.9 or 63.111.8.33 [port 443], you are using a static IP address.
   b. A merchant who is caching (storing) the IP addresses for long usage windows will need to clear the cache. The URL/IP address resolution should be performed on a transactional basis.
      1. On the Windows desktop, click START.
      2. Type in "CMD" or "Command".
      3. At the command prompt (C:\>), type in "IPCONFIG /FLUSHDNS".
      4. Perform this command immediately following the PAYware Connect Maintenance Window that announces the URL IP addresses are being updated.
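One way to automate the two checks above, as an added example that is not part of VeriFone's guide: the functions test whether an outbound allow-list permits every address in the listed ranges, and flag host-table or application-config entries that pin PAYware Connect to a static IP. The sample allow-list, host table and config line are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Ranges and domains as listed in this guide.
EXISTING = [("63.111.8.4", "63.111.8.60")]
NEW = [("68.64.45.36", "68.64.45.62"), ("65.254.220.36", "65.254.220.46"),
       ("209.198.197.130", "209.198.197.131"), ("209.198.196.25", "209.198.196.30"),
       ("66.129.115.97", "66.129.115.102"), ("209.198.205.177", "209.198.205.182")]
DOMAINS = {"ipcharge.com", "ipcharge2.com", "ipcharge.net", "ipcharge2.net"}

# Constructed sample inputs for one merchant site (not from the guide).
SAMPLE_ACL = ["63.111.8.0/26", "68.64.45.32/27"]
SAMPLE_HOSTS = "127.0.0.1 localhost\n63.111.8.9 ipcharge.net\n"
SAMPLE_CONFIG = "gateway=https://63.111.8.33:443/ipchAPI/RH.aspx\n"

def _bounds(first, last):
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))

def uncovered(ranges, allowed_cidrs):
    """Ranges with at least one address the outbound allow-list does not permit."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    missing = []
    for first, last in ranges:
        lo, hi = _bounds(first, last)
        if not all(any(ipaddress.ip_address(n) in net for net in nets)
                   for n in range(lo, hi + 1)):
            missing.append((first, last))
    return missing

def pinned_hosts(hosts_text):
    """Host-table lines that pin a PAYware Connect domain to a fixed IP."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and DOMAINS.intersection(fields[1:]):
            hits.append(line.strip())
    return hits

def hardcoded_ips(text):
    """IPv4 literals in application config that fall in a PAYware Connect range."""
    hits = []
    for cand in re.findall(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", text):
        try:
            n = int(ipaddress.ip_address(cand))
        except ValueError:
            continue  # not a valid address (e.g. 999.0.0.1)
        if any(lo <= n <= hi for lo, hi in (_bounds(a, b) for a, b in EXISTING + NEW)):
            hits.append(cand)
    return hits
```

With the sample inputs, the allow-list already covers Datacenter 1 and the first new range, so `uncovered(NEW, SAMPLE_ACL)` returns the five ranges that still have to be added.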
FAQs
What error message would a merchant who is trying to access the PAYware Connect Store/Merchant Portal see if the URL is not resolving to the correct IP address?
Depending on browser software, merchant will see something like “Cannot locate host” or “DNS Look-up failed” type message. The failure to connect would be very obvious to the user.
Will the FLUSHDNS command work for all versions of Windows?
This command will work for all newer versions of Windows. If using Windows 2000, use command DNSFLUSH.
How do I confirm that FLUSHDNS command worked?
A user can confirm the command worked correctly by attempting to access the Store/Merchant Portal at https://ipcharge.com/mc or the Corporate/Reseller Portal at https://ipcharge.com/rc. If the FLUSHDNS command worked, these URLs will resolve to the new correct IP address.
What error message would a merchant location that is trying to execute a transaction see if the PAYware Connect API integration URL is not resolving to correct IP Address?
When the integrated application attempts to connect to the URL and the DNS cache still has the old IP address, the application will receive a communication error. How that is reported back to the user would be answered by the POS integrator. The failure to communicate would be obvious.
What error message would an integrated merchant or virtual terminal merchant see if a static IP address is no longer available?
Both the integrated merchant and virtual terminal merchant would see a “failure to communicate” or “failure to connect” type message. In Windows Explorer, the user could see “Internet Connection Problem” and be asked whether they wish to troubleshoot. Also, depending upon the merchant’s firewall configuration, the firewall could return a message indicating that the “IP Address route is unavailable”. The failure to connect to the static IP address will be obvious.
Will VeriFone still recommend a primary and secondary URL approach that rolls automatically from primary to secondary after this URL Address is changed at VeriFone’s data center?
Yes, VeriFone will always recommend the practice of utilizing a primary and secondary URL Address with automatic fail-over routing. This data center change does not alter that best practice.
How long from the time of formal announcements being sent will the change be made? (How long do merchant/partners have to make updates?)
Our goal is to deploy these changes approximately 45 days after delivery of notification.
Are the IP address updates available currently for any merchant validation testing?
Yes, but not for production traffic. VeriFone has exposed these IP addresses for the purposes of testing general access only. See the previously provided instructions for testing this access.
Will there be other host name changes coming in the future that merchants and partners will need to address?
As previously stated in the DNS Best Practices Guide, VeriFone may add host names and IP addresses as needed. However, these changes would never be deployed without following a similar merchant/partner notification process.
History of PAYware Connect DNS Best Practices
In August, 2009, VeriFone established the best practice document for our Merchants, Resellers, and Integrators in order to minimize potential future interruption of service with respect to DNS and Domain Registrar routing issues while maintaining secure access to the PAYware Connect Gateway.
Background
Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:
1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
3. A Certificate Authority verifies the identity of the certificate owner when it is issued.
It is important that the client utilize the proper URL when accessing PAYware Connect so that the web browser or integrated application can verify the SSL Certificate against the URL provided. If there are any certificate errors when establishing the secure HTTPS/SSL connection, the client should not send any sensitive data to that server. If a user attempts to connect to PAYware Connect by IP address rather than URL, a certificate error will be generated and it will be more difficult for the client/integrated application to verify that the site connected to is the secure and authenticated PAYware Connect server and not a rogue phishing site.
Multiple URLs / Domains
For redundancy, VeriFone established multiple Domain Names, SSL Certificates, and DNS management to the PAYware Connect Gateway with multiple vendors. This has been done to prevent one Vendor/ Domain Registrar from causing a single point of failure which would prevent merchants from processing mission critical payment transactions.
Best Practice Guidelines
- All access to the PAYware Connect Gateway should utilize one of the available published URLs.
- If connectivity via the URL is not achieved, then one of the available alternate URLs should be automatically utilized.
- Multiple URLs, primary and secondary, should be configurable in the Integrated Application in order to provide redundancy in case one of the URLs becomes unavailable.
- The Integrated Application should have the ability to change the URL on-demand if necessary without requiring a code-recompile.
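The guidelines above, as an added example (not VeriFone's or any integrator's code): endpoints are read from editable configuration, IP-literal and non-HTTPS entries are rejected so the certificate can be checked against the host name as the Background section describes, and the first endpoint that completes a verified TLS handshake is chosen. The JSON config layout and the function names are assumptions.

```python
import ipaddress
import json
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample config; in a deployment this is an operator-editable
# file, so the URLs can change without rebuilding the application.
SAMPLE_CONFIG = '''{"endpoints": [
  "https://ipcharge.net/IPCHAPI/RH.aspx",
  "https://ipcharge2.net/IPCHAPI/RH.aspx"]}'''

def load_endpoints(config_text):
    """Return the configured URLs, rejecting ones that weaken TLS checks."""
    urls = json.loads(config_text)["endpoints"]
    if len(urls) < 2:
        raise ValueError("configure a primary and a secondary URL")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"not an https URL: {url}")
        try:
            ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue  # a DNS name: the certificate can be matched against it
        raise ValueError(f"IP literal defeats hostname verification: {url}")
    return urls

def tls_connect(host, port, timeout=5.0):
    """Open and close a TLS session; the default context verifies chain and name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            return True

def pick_endpoint(urls, connect=tls_connect):
    """Return (url, failures) for the first URL that passes a verified handshake."""
    failures = []
    for url in urls:
        parts = urlsplit(url)
        try:
            connect(parts.hostname, parts.port or 443)
            return url, failures
        except OSError as exc:  # DNS, TCP, timeout and certificate errors
            failures.append((url, type(exc).__name__))
    raise ConnectionError(f"no endpoint reachable: {failures}")
```

Choosing the endpoint before the transaction is sent keeps fail-over limited to cases where connectivity was not achieved, so a request is never submitted to two gateways.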
The following Domains are currently available for production use:
Domain Name | Purpose | Used By | Year Introduced
Ipcharge.com | Access to PAYware Connect Virtual Terminal Console | Resellers, Merchants, Aggregators | October, 2005
Ipcharge2.com | Access to PAYware Connect Virtual Terminal Console | Resellers, Merchants, Aggregators | February, 2009
Ipcharge.net | Integration Access to PAYware Connect | Merchants | October, 2005
Ipcharge2.net | Integration Access to PAYware Connect | Merchants | February, 2005
The URLs currently supported:
URL | Access To | DNS | Certificate
https://ipcharge.com/mc | Merchant Console Access | eNOM – A | GoDaddy
https://ipcharge2.com/mc | Merchant Console Access | GoDaddy – B | GoDaddy
https://ipcharge.com/rc | Reseller Console Access | eNOM – A | GoDaddy
https://ipcharge2.com/rc | Reseller Console Access | GoDaddy – B | GoDaddy
https://ipcharge.net/IPCHAPI/RH.aspx | Integrated Merchant Access | eNOM – A | THAWTE
https://ipcharge2.net/IPCHAPI/RH.aspx | Integrated Merchant Access | GoDaddy – B | THAWTE
***ADDITIONAL URLs WILL BE ADDED AS REQUIRED