ticket_auth.cgi
Description
The DIBS payment gateway offers a facility for subscription payments/transactions, a so-called ticket transaction. In short, this means that the customer's credit card is authorised once, and the details for the credit card (the ticket) may then be used for more than one transaction on several future occasions, e.g. a monthly payment of $15 to cover your cell-phone bill. This allows the customer to continuously pay for goods or services without having to send his/her credit card details again and again.
The credit card details are stored on the DIBS server in accordance with the strict rules of VISA/Mastercard. Tickets for which the credit card has expired are also considered expired, and the customer has to make a new ticket with another card to re-establish his/her subscription payment.
3-D Secure
Recurring payments can be forced through 3D Secure, which validates the credit card details against the card issuer's system. This feature is enabled on a per-agreement basis, i.e., per card issuer. To activate this feature please contact DIBS Support.
Usage
The standard work flow for ticket_auth.cgi is:
- The credit card details are submitted to the DIBS server for a so-called pre-authorisation by sending the "preauth" parameter either to auth.cgi or to Flexwin.
- The response from the pre-authorisation is returned along with a ticket number.
Once you require to make a ticket transaction, the actual transaction must be authorised using the ticket and the order information by calling https://payment.architrade.com/cgi-ssl/ticket_auth.cgi. - The result of the authorisation of the transaction is then returned along with a transaction number.
- To capture the ticket payment, use either the standard procedure of the DIBS administration interface or use the function capture.cgi.
- In order to delete a pre-authorised ticket use the function delticket.cgi.
Function call
https://payment.architrade.com/cgi-ssl/ticket_auth.cgi
Input parameters
The input parameters accepted by ticket_auth.cgi for the actual transaction authorisation are:
Parameter | Description |
merchant | The merchant parameter is the shops DIBS identification number. The merchant number is available in the order confirmation email and is a 7-digit integer. |
ticket | The value of "transact" returned by auth.cgi or Flexwin. |
amount | Amount to be transferred. The amount must be given in smallest possible unit, e.g. cents 100 = USD 1. |
currency | Currency code of the transfer in the ISO4217 form, e.g. 208 for DKK (see other ISO4217 currency codes ). |
orderid | The shops order number, which may contain a maximum of 50 characters. |
textreply | If this variable is set (e.g. textreply=true) the DIBS server returns its answer in simple text format. If you are not using the standard DIBS payment window, e.g. using server-to-server requests, this significantly simplifies parsing the answer from DIBS. |
[account] | If several departments within a company use the same acquirer contract, it may be beneficial to keep track of the transactions per department. Setting the "account" parameter enables separation of the transactions by department in the DIBS administration interface. |
[md5key] | This variable enables a MD5 key control of the parameters received by DIBS. This control confirms that the parameters sent to DIBS has not been tampered with during the transfer. The MD5-key for auth.cgi is calculated as:
&ticket=<ticket>¤cy=<cur>&amount=<amount>))
|
[test] | This variable indicates to the DIBS server whether the transaction is an actual 'live' transaction or simply a test transaction. If 'test=true' is included in the post to the DIBS server, the transaction is dealt with by a dedicated test-server, and not transferred to the acquirer. See step 5 in the 10 step guide for further explanation. Please note, that during the initial implementation phase all transactions are automatically regarded as test transactions regardless of the test variable parameter. Once DIBS have approved the implementation the test variable must be enabled if testing is performed. Please contact the DIBS support if you require the full test mode to be re-enabled after your payment facility has gone live. |
[uniqueoid] | If this parameter is set the DIBS server checks the order number to be unique. That is, if a previous transaction contain the same order number, the authorisation is rejected with reason=7. Unless the shop is unable to create unique order numbers it is strongly recommended to enable uniqueoid. NB! order numbers must be less than 50 characters. |
[account] | If several departments in a company use the same acquirer contract it may be beneficial to keep track of the transactions by department. Setting the account parameter enables separation of the transaction by department in the DIBS administration interface. |
[capturenow] | If this parameter is set, the DIBS server tries to capture the transaction immediately following the authorisation (if this was successful). Instant capture is only allowed for shops that sell products that are not physically shipped to the customer, e.g. conferences fees or services on the internet. NB! capturenow requires uniqueoid to be enabled. Please contact DIBS if you intend to use capturenow. |
[calcfee] | If this parameter is set (e.g. calcfee=foo), the charge due to the transaction will automatically be calculated and affixed, i.e., the charge payable to the acquirer (e.g. PBS) |
[ip] | DIBS retains the IP number from which a card transaction is carried out. The IP number is used for fraud protection, etc. Some implementations may send the IP number of the shop to DIBS, rather than that of the customer's machine. In order to provide the same services to shops which utilize such a program for their DIBS hookup, we offer the option of sending the "ip" parameter. |
[delivery1..deliveryN] | Complex order information. If both simple and complex order information (ordertext) is declared, the simple order information is ignored. This information is stored at DIBS. |
[ordline0-1 ... ordlineN-M] | Complex order information (please refer to Order information in DIBS). If both complex and simple order information (ordertext) is declared, the simple order information is ignored. This information is stored at DIBS. It is a requirement that the number of fields be identical in all lines of the order. E.g., if there are four fields in the first line, the remaining lines must also contain four fields. |
[priceinfo1.. priceinfoN] | Complex order information. If both complex and simple order information is declared, the simple order information is ignored. This information is stored at DIBS. |
Return parameters
The return parameters from ticket_auth.cgi when the ticket authorisation was accepted are:
Parameter | Type | Description |
status | string | ACCEPTED |
transact | integer | All transactions are given a unique DIBS identification number, it is a as minimum 6-digit integer , e.g. transact=123456. |
cardtype | string | Credit card type used |
approvalcode | string | The acquirer authorisation code |
[fee] | integer | The calculated fee only returned if [calcfee] was sent as input |
[authkey] | string | calculated as MD5(k2 + MD5(k1 + "transact=<transact>&amount=<amount>¤cy=<currency>")) only returned if keys (k1, k2) are activated in the DIBS administration interface |
If the pre-authorisation was rejected, then the return values are:
Parameter | Type | Description |
status | string | DECLINED |
reason | integer | Reason for the rejection. Please refer to error codes for a list of possible values. |
Example
This example shows a standard HTML form for calling ticket_auth.cgi for an authorisation of a ticket transaction.
<form action="https://payment.architrade.com/cgi-ssl/ticket_auth.cgi" method="post">
<input type="hidden" name="merchant" value="4206891" />
<input type="hidden" name="ticket" value="270000543" />
<input type="hidden" name="amount" value="1000000" />
<input type="hidden" name="currency" value="208" />
<input type="hidden" name="orderid" value="A Ticket Draw" />
<input type="hidden" name="textreply" value="true" />
<input type="hidden" name="test" value="yes" />
<input type="hidden" name="calcfee" value="yes" />
<input type="hidden" name="md5key" value="264f0737cff3be64d3050a8141568266">
<input type="submit" value="Click to call ticket_auth.cgi" />
</form>
Submitting this form returned the following:
status=ACCEPTED&transact=270001151&authkey=df9a8e577299394ab7e5e7f538699652&cardtype=VISA&approvalcode=123456&fee=61008
Calculation of the 'md5key' input to DIBS:
The shops secret keys are:
k1: D*OU+kG^O!r5Bo#oc}k$H^~ow-P6:WX:
k2: U:s0;gq|$|1sS8r(lYJKc~?[iXWf?SVP
MD5(k2 + MD5(k1 + "merchant=<merchant>&orderid=<orderid>&ticket=<ticket>¤cy=<cur>&amount=<amount>")) =
MD5(k2 + MD5(D*OU+kG^O!r5Bo#oc}k$H^~ow-P6:WX: + "merchant=4206891&orderid=A Ticket Draw&ticket=270000543¤cy=208&amount=1000000")) =
MD5(k2 + MD5(D*OU+kG^O!r5Bo#oc}k$H^~ow-P6:WX:merchant=4206891&orderid=A Ticket Draw&ticket=270000543¤cy=208&amount=1000000)) =
MD5(k2 + dd6244e9aaed0fab3b9fa1ff7360c7f9) =
MD5(U:s0;gq|$|1sS8r(lYJKc~?[iXWf?SVP + dd6244e9aaed0fab3b9fa1ff7360c7f9) =
MD5(U:s0;gq|$|1sS8r(lYJKc~?[iXWf?SVPdd6244e9aaed0fab3b9fa1ff7360c7f9) =
md5key=264f0737cff3be64d3050a8141568266
Calculation of the 'authkey' returned from DIBS:
(The shops secret keys are as above)
MD5(k2 + MD5(k1 + "transact=<transact>&amount=<amount>¤cy=<currency>")) =
MD5(k2 + MD5(k1 + "transact=270001151&amount=1000000 + 61008¤cy=208")) =
MD5(k2 + MD5(D*OU+kG^O!r5Bo#oc}k$H^~ow-P6:WX: + "transact=270001151&amount=1061008¤cy=208")) =
MD5(k2 + MD5(D*OU+kG^O!r5Bo#oc}k$H^~ow-P6:WX:transact=270001151&amount=1061008¤cy=208)) =
MD5(U:s0;gq|$|1sS8r(lYJKc~?[iXWf?SVP + 29e35d3584be0ace99528a653867b3fb) =
MD5(U:s0;gq|$|1sS8r(lYJKc~?[iXWf?SVP29e35d3584be0ace99528a653867b3fb) = authkey=df9a8e577299394ab7e5e7f538699652
