V11 Test Credit Card server (UK) (CommsXL/TNSi)

Did you get an answer to this Wayne?

I'm looking at exactly the same thing myself and I'm wondering if I have to contact TNS to sort this out?!?!

Tony Barnes gave me a ring and explained it all really well.  I never got round to reposting here.

We are going to have to do this in a 2 stage approach.  Get the hosted service sorted while on V10 and also get it working for V11 testing (If anyone else is on V10 and uses TNSi hosted service for Customer Present, C&P and e-commerce, please could you confirm or deny what I'm saying.  It would be good to know either way).

For V11, the new web service "TransactionService" will take place of the credit card server for customer present and e-commerce.  As I understand it, the client will pass the credit card details directly to this service and it will connect to TNSi securely over the internet and that will give a response back for the client with Authed or Not Authed.  You no longer need a credit card "Server", you need a server running IIS that can communicate with the client, the database and the internet.

We also have the option/recommendation from TNSi to install their software on all the clients to process credit cards directly with TNSi HQ.  I am hoping we don't have to do this will add complication for our PCI Compliance.

If anyone from Tessitura is reading this, it would be good to know if the credit card number is transmitted via the FAT client or the credit card number ID from t_account_data is transmitted via the FAT client and the service looks the card number up.  (This was a PCI question we posed and need to find out).

For V10/V11 - Chip and Pin, the current software you have installed on your PCs (Smart CCard Lite?)  that communicates with CCSyncro on the credit card server is getting replaced with a new version that communicates directly over the internet to TNSi.  I assume it will work in much the same way as it does now, just over the internet instead of your local server.

V10 customer present and e-commerce - After my phone call with TNSi yesterday I am fairly confused.  I was under the impression we would be replacing the TNSi software on the credit card server, so the web/FAT client still spoke to "Tessitura Credit Card Server", so the Tessitura side of things wasn't affected.  That would pass the request onto the TNSi side which would auth over the internet and reply back to the TCCS program and that would pass the reply back to the web/FAT Client (Normal processing for us - minimal change).  I was told this would change and the same software for C&P comms would be installed - but under a different mode and the client would communicate directly over the internet.  I assume this can't be the only way of doing things else how would the web work.

I'll see if I can get some input from someone who already does hosted CC services for V10.

Wayne

Tessitura does not have the ability to for each client to talk directly to the TNSi hosted service. The Tessitura client talks to the Payment Gateway Service over a socket, and formats the request and talks to the TNSi hosted service. The connection between the Tessitura client and the Payment Gateway Service is unencrypted and works just like it did in v10. It works the same way right now for backward compatibility.

The Payment Gateway Service is a Windows service, a drop-in replacement for the old CCServer. It uses more up-to-date technology, but it functions the same way. It accepts a socket request from the client and formats the request for TNSi. Payment Gateway Service can encrypt the request and send it directly to TNSi. The CCServer wasn't able to do this, so it had to talk to the CCSmart daemon.

SmartCCard Lite is being replaced by TNS Pay. Tessitura will not have any knowledge whatsoever about the card details for such payments. Those detalis are kept as a secret between the cardholder, the pinpad, and TNSi.

The Web API and the Tessitura client still speak to the Payment Gateway Server using the same mechanism as they used to do to talk to the old CCServer. The Payment Gateway Service doesn't need any help to talk to SecureCXL like the CCServer did.

Best regards,

Rob(tm)

Thanks Rob.  That helps me out.

You mention the unencrypted traffic in V11.  In V12, is the intention to encrypt traffic between the client and the database, and the client and payment gateway. The Security guys who did an assessment for us used wireshark on my PC while I was running V10 and V11 with some interesting results.

This is only for people who have been struggling with moving across to hosted TNSi from having an in house CC server.

These are TEST settings ONLY for Version 2.0.11 (and possibly beyond)

C&P

Mode:

Interactive Workstation

Authorization Type: SecureCXL

Host: bank.securecxl.com

Server Port: 4433

Configuration: 

Allow Test Card: True

CCEms Host Name: securecxl.com

CCEms Port: 4488

Customer ID: 3541XXX  this is not your main merchant ID

Enable Auto-Update: True

Device Serial No: This is not the serial number, it is the PTID

Printer

Printer Type: None

Once you are done, run TNSPayments.exe (there wasn't a shortcut for me in the start menu).  This updates the PDQ files.   You should also end up with a circle icon next to the clock.  Right click and Open the Visualizer to check for error messages.  This gives you a screen similar to a trace.log file

Test the transaction using TNS own POS Client

Server Windows Service

Change your NLog.config on TEST to be:

<logger name"*" minlevel="Debug" writeTo="file" enable="true"/>

TessituraPaymentGateway.exe.config.  (Ensure your setting are similar - you should not have to change any settings - these all come from TIM.exe for TEST)

SecureCXL ServiceURL="https://bank.securecxl.com:4433/"    (this is the external side)

AppSettings:

ServerIPAddress: 10.5.6.182  (this is the internal IP address of the server you have installed this service onto)

Port: 12002 (or pick a port you want.  Don't forget the local firewall hole)

PaymentGateway: secureCXLWebApi 

In T_Defaults, change the credit card server IP address to be the internal settings above, e.g.:

IP: 10.5.6.182

Port: 12002

READ THIS FOR TEST'S RESPONSE CODES

When you put a payment through to TEST for C&P, eCommerce, phone etc..., the amount that is charged dictates the response code:

If your order is for £12.30, the last digit is 0, so the auth code is Authorised.

If your order is for £12.34, the last digit is 4, so a response code of Unknown Card

If your order is for £12.39, the last digit is 9, so a response code of Decline

^^^^^This info has been really useful for me once I have found out about it, but haven't seen it the TNSi install documentation, so sharing it here.

You should also have a web logon to TNS Pay.  You should be able to see your transaction going through to the system, if you logon (to TEST at https://bank.securecxl.com) with the credentials TNS supply you.

Choose Search

Change the merchant number to: Comms XL Test - 6815145

From Date: Today

To Date: Today

Submit and go to the last page.  You should be able to see your transaction there.  If you can - you've made it work, if you can't see it, check your firewall has holes for port 4433 and 4488 and firewall holes on your internal server.

Hope if your reading this, its helped

Thanks Wayne. That info was very helpful.

I think we are on the hosted TNSI service already on v10 so things were pretty straight forward for us.

I've installed the PaymentGatewayService on our test credit card server, stopped the old v10 service and the CommsXL services, then put through a payment in Tessitura v11 TEST and all worked fine.

Thanks for the tip on setting NLog.config to debug and the response codes. Helped my testing.

Rob, 

You mentioned "SmartCCard Lite is being replaced by TNS Pay" in your post.  Is this a requirment before we go live with version 11? 

We are using SmartCCard Lite for the Chip and PIN's. I'll want to test v11 with a chip and pin transaction before we go live so wondering if I need to do this software upgrade first.

thanks,

Dara

Just to add, we have being trying to test TNS Pay recently in preparation for this scenario.  Turns out if you intend to use the vx810 then the current USB driver for the device is incompatible, so you have to use a serial connection.  We have been told that a driver is in development and are playing the waiting game for it!  Not great for new PC's that dont have a serial connection though....

TNSPay will work on Windows 7 too. 

Hi Guys

We have just been reading through this post after testing V11 with the Credit Card server, just about to test SmartCCard Lite.  All seems to be working fine but I had a quick question for Rob about the unecrypted Transaction data from the client to the Payment Gateway. 

We have setup a SSL certificate for the REST services.  So even if we have this certificate in place the credit card data will not be encrypted?  I thought this was the main reason for us having a SSL certificate for REST.

Many thanks

Nick

Thanks Rob that makes perfect sense!

Just to clarify so I understand this, the V11 interface between client and Payment Gateway Service IS NOT PCI compliant yet, but will be in the future when it gets encrypted using REST.  

Is there any date when this will be made active?

However, Tessitura recommend setting SQL Server --> Force Encryption ON, so all the comms with the SQL server are encrypted.  (I'm assuming this is a SQL Server side setting I will need to switch on - I'll do my homework on this)

I am able to do a man in the middle attack on my PC sending a transaction to the payment gateway and read the unencrypted card details using wireshark (filter:  ip.dst==10.5.6.181&&tcp.port==12002)

I used credit card number 4111 1111 1111 1111 Expiry: 05/12 and CVV 123 and works postcode CV37 6BB:

0000  00 19 bb b1 49 00 6c 62  6d 87 07 5d 08 00 45 00   ....I.lb m..]..E.

0010  00 96 43 4b 40 00 80 06  00 00 0a 02 07 66 0a 05   ..CK@... .....f..

0020  06 b5 7f 67 2e e2 27 ca  91 ff 40 71 04 f8 50 18   ...g..'. ..@q..P.

0030  01 00 22 aa 00 00 24 42  4f 54 24 41 55 54 48 4f   .."...$B OT$AUTHO

0040  52 49 5a 45 7c 09 09 31  34 32 32 30 31 34 09 41   RIZE|..1 422014.A

0050  09 34 31 31 31 31 31 31  31 31 31 31 31 31 31 31   .4111111 11111111

0060  31 09 30 35 31 32 09 35  30 30 09 30 30 30 09 09   1.0512.5 00.000..

0070  09 09 57 61 79 6e 65 20  45 76 61 6e 73 09 09 43   ..Wayne  Evans..C

0080  56 33 37 20 36 42 42 09  09 09 31 32 33 09 09 09   V37 6BB. ..123...

0090  09 09 09 09 09 09 09 09  09 09 09 09 09 4e 09 24   ........ .....N.$

00a0  45 4f 54 24                                        EOT$  

Is there a date when we are able to use the encrypted transmissions as I'd thought we'd finally nailed PCI-DSS.

Thanks

Wayne