
DalPay Internet Billing. Technical Integration Overview


Version 1.3 Last revision: 01/07/2011 Page 1 of 10

For public release

Copyright © 2011 Snorrason Holdings ehf

DalPay Internet Billing


REVISION HISTORY
INTRODUCTION
DALPAY CHECKOUT INTEGRATION
    Via Simple Button Factory
    Via Shopping Cart
    Via API Integration
DALPAY DIRECT INTEGRATION
DALPAY VIRTUAL TERMINAL
AN IMPORTANT NOTE TO MERCHANTS ON PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE
    What Must Never Be Stored
    DalPay Checkout and Compliance
    DalPay Direct and Compliance


Revision History

| Version | Date Released | Change Notice | Pages Affected | Remarks |
|---|---|---|---|---|
| 1.0 | Jan 1, 2009 | First release | All | PCI DSS 1.2 applies |
| 1.1 | July 1, 2009 | Introduction update, Screen shot changes | p. 6, 7 | PCI DSS 1.2 applies |
| 1.2 | July 1, 2010 | PCI DSS extract update | p. 10 | PCI DSS 1.2.1 applies |
| 1.3 | July 1, 2011 | PCI DSS extract update | p. 10 | PCI DSS 2.0 applies |

The latest version of this document can be downloaded here:


Introduction

This integration guide gives an overview of the main methods for integrating with DalPay to accept debit or credit cards and bank ePayment transactions. DalPay’s own PCI DSS Level 1 certified platform (the highest level of payment service provider compliance) acts as gateway and front-end processor.

The two integration methods are:

• DalPay Checkout

DalPay’s hosted payment page integration method for card-not-present or bank ePayment transactions.

DalPay Checkout does not require merchants to collect, transmit or store sensitive cardholder or bank account information to process transactions.

DalPay Checkout is equivalent to Authorize.net’s SIM (Server Integration Method) or Simple Checkout.

• DalPay Direct

DalPay’s most flexible integration method to connect acquiring banks via DalPay’s payment gateway for card-not-present or bank ePayment transactions.

DalPay Direct requires merchants to collect payment card or bank account information on their own SSL-secured webpage, and offers the highest degree of customization and control over the checkout experience.

DalPay Direct is equivalent to Authorize.net’s AIM (Advanced Integration Method).

The different accounts offered by DalPay are the direct merchant account, sponsored merchant account, and the supplier account.

Integration varies case by case, but in general if you have applied for a direct merchant account from one of our supported acquiring banks you will implement DalPay Direct. If you have a supplier or sponsored merchant account you will implement DalPay Checkout.

Make an Online Application (without obligation & free of charge – all countries):

https://www.dalpay.com/en/application.html

The type of DalPay account you will be offered is based on:

• the type of products or services that you sell,

• if you are an established business with processing history or a startup,


DalPay Checkout Integration

DalPay Checkout is a hosted payment processing solution that securely handles all of the steps in processing a transaction, including:

• Collection of customer payment information through a secure hosted form,
• Generation of a receipt page with a copy to the customer by email,
• Secure transmission to the DalPay payment gateway for transaction processing,
• Secure storage of cardholder information (including for optional recurring billing).

DalPay Checkout does not require merchants to collect, transmit or store sensitive cardholder or bank account information to process transactions. This method allows a merchant to use a simple buy now button (Simple Button Factory), or post customer contact and address information securely to DalPay (via Shopping Cart or API Integration) for single page checkout.

DalPay Checkout’s co-branded checkout sequence prompts the user for their payment card details on DalPay’s secure web form or redirects them (if required) for online bank ePayment transactions and 3-D Secure


Via Simple Button Factory

DalPay Buy Now buttons are for online merchants who sell one item per order (different product variations such as size or quantity, and order quantity for that single item are supported, as is setup of recurring billing).

DalPay Buy Now buttons are equivalent to PayPal Payment Buttons or Authorize.net’s Simple Checkout. They do not require programming skills.

https://www.dalpay.com/en/support/simple_button_factory.html

Via Shopping Cart

DalPay Checkout integrates with leading AJAX and legacy shopping carts.

https://www.dalpay.com/en/support/shopping_carts/

For shopping cart issues contact: [email protected]

Via API Integration

The DalPay Checkout APIs are a subset of the DalPayAPI which is a RESTful web service using HTTP POST over SSL.

https://www.dalpay.com/en/dalpayapi/DalPay_Checkout_Integration_Guide.pdf

POST the payment type, customer contact and address information securely to DalPay Checkout to achieve single page checkout (showing Page 3 only). If any name-value pairs are passed incorrectly, DalPay Checkout ignores the incorrectly posted variables and shows the customer all three DalPay Checkout pages: Page 1 (payment type and customer country), then Page 2 (customer contact details and cardholder address; email and phone are mandatory), then Page 3 (payment card details).


DalPay Direct Integration

DalPay Direct is a customizable payment processing solution that gives the merchant full control over the customer’s checkout experience, including:

• Collection of customer payment information securely on merchant’s website,
• Merchant-side generation of a receipt to the customer,
• Secure transmission to the DalPay payment gateway for transaction processing,
• Secure storage of cardholder information (including for optional recurring billing).

DalPay Direct is equivalent to Authorize.net’s AIM (Advanced Integration Method).

The DalPay Direct APIs are a subset of the DalPayAPI which is a RESTful web service using HTTP POST over SSL. (You must have a direct merchant account at one of DalPay’s supported acquiring banks to use DalPay Direct.)

https://www.dalpay.com/en/dalpayapi/DalPay_Direct_Integration_Guide.pdf

For DalPay Direct issues contact: [email protected]

DalPay Virtual Terminal

The DalPay Virtual Terminal extends your DalPay account to process orders received via mail order or telephone (MOTO).

https://www.dalpay.com/en/support/DalPay_Virtual_Terminal_User_Guide.pdf

Virtual Terminal requires collection of the same transaction information as DalPay Checkout (minus 3-D Secure authentication), but allows the merchant to self-key the transaction instead of the customer checking out online.

Orders placed by a merchant directly using the Virtual Terminal do not receive the benefit of: i) fraud scrubbing by the DalPay Automated Anti-Fraud Inspection System (which only works fully when customers enter orders themselves online via DalPay Checkout) or ii) 3-D Secure* protection.

A MOTO order entered using the Virtual Terminal is therefore a higher risk transaction and subject to different risk controls and guidelines.


An Important Note to Merchants on Payment Card Industry Data Security Standard Compliance

DalPay operates its own PCI DSS Level 1 certified platform (the highest level of payment service provider compliance) as gateway and front-end processor.

What Must Never Be Stored

Please note that under the Payment Card Industry Data Security Standard (PCI DSS), Cardholder Data must be stored encrypted and Sensitive Authentication Data must NOT be stored.

At the time of writing, Cardholder Data in the context of Card-Not-Present transactions is defined as Primary Account Number (PAN) AKA card number, Cardholder Name, and Expiration Date.

Sensitive Authentication Data in the context of Card-Not-Present transactions is defined as the CVV2/CVC2/CID/CAV2 (the three- or four-digit Card Security Code):

https://www.dalpay.com/en/support/card_security_code.html

You must never store the CVV2/CVC2/CID/CAV2, and it is prohibited to store the full Primary Account Number yourself if you are posting transactions to the DalPay Gateway via either DalPay Checkout or DalPay Direct, as DalPay performs PCI DSS compliant storage of this sensitive information for the merchant.

Storage of a truncated card number (i.e. the first 6 and last 4 digits of the card number only) is permitted if it is based on the DalPay Checkout Instant Silent Post, DalPay Direct Transaction Post response, or DalPay Merchant Server Notification response fields.

If a merchant collects customer information via mail order or telephone order and is authorized to use the DalPay Virtual Terminal feature via the DalPay Merchant Menu to self-key the transaction then the merchant must at a minimum have returned to the DalPay Risk Department a Payment Card


DalPay Checkout and Compliance

Using DalPay Checkout may simplify compliance with the Payment Card Industry Data Security Standard (PCI-DSS), and Payment Application Data Security Standard (PA-DSS) if a third-party shopping cart is used*.

This however is only true if you DO NOT collect, transmit or store sensitive cardholder or bank account information.

Your shopping cart must be configured NOT TO collect or store any cardholder data (i.e. name on card, card number, expiry date, card security code, 3-D Secure password, or PIN) or bank account information, instead being configured to redirect to DalPay Checkout when it is time for customers to enter their payment card or bank account information.

DalPay Direct and Compliance

For DalPay Direct merchants who process and transmit sensitive information to the DalPay Gateway, the PCI DSS is still fully applicable*.

The PCI DSS mandates rendering the full PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks). Please refer to Figure 1 and the PCI Data Security Standard itself for further information.

*Please consult a Qualified Security Assessor regarding PCI DSS and PA-DSS compliance.

FIGURE 1: Extract from the PCI DSS Version 2.0
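
As an added illustration of the storage rules above (not part of the DalPay guide and not DalPay code): a log scrubber a DalPay Direct merchant could run before a line is written, which removes card security codes and cuts any Luhn-valid PAN to its first 6 and last 4 digits. The log format and the key names (pan, cvv2, CVC) are assumptions, and the sample lines are constructed.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Card security code fields; these key names are assumptions, not DalPay's.
CSC_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.I)

# Constructed sample log lines (4111111111111111 is a published test number).
SAMPLE_LOG = [
    "2011-07-01 12:00:01 POST /pay pan=4111111111111111 cvv2=123 amount=10.00",
    "2011-07-01 12:00:02 keyed card 4111 1111 1111 1111 CVC: 9876",
    "2011-07-01 12:00:03 order_ref=1234567890123456 status=ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits; mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    # The security code must never be stored, so drop the value entirely.
    line = CSC_FIELD.sub(lambda m: f"{m.group(1)}=[removed]", line)

    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        # Non-Luhn runs (order references, etc.) are left untouched.
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_CANDIDATE.sub(mask, line)


def scrub_log(lines):
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    print("\n".join(scrub_log(SAMPLE_LOG)))
```

The Luhn check is a heuristic: it keeps order references and timestamps intact, but it should sit alongside, not replace, keeping card data out of log statements in the first place.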
