Payment Gateway Module - CASHNet eMarket Checkout

PaperCut Payment Gateway Module -

CASHNet eMarket Checkout - Quick Start

Guide

This guide is designed to supplement the Payment Gateway Module documentation and provides a guide to installing, setting up, and testing the Payment Gateway Module for use with

CASHNet’s hosted credit card payment service, eMarket Checkout. The main Payment

Gateway Module documentation may be downloaded from: http://www.papercut.com/anonftp/pub/pcng/ext/payment-gateway/PaymentGatewayModule.pdf

IMPORTANT: You should have a registered and active CASHNet account with HigherOne

activated before installing the payment gateway module.

Setup and testing time should take around 30 minutes for basic setup, plus time for customizing the order pages if required. No system level restart is required; however the

PaperCut application server will be restarted during the install process. If other administrators are using the PaperCut administration interface at this time, it may be advisable to warn them of the pending restart.

This document is written assuming the reader has good server administration skills and is experienced with general PaperCut administration.

Contents

1 Payment Process Workflow ______________________________ 2

2 Installing the Payment Gateway Module ____________________ 2

3 Firewall and POST URL Configuration ______________________ 4

4 CASHNet Configuration _________________________________ 5

5 Testing _____________________________________________ 7

6 Securing the System ___________________________________ 9

7 Go-Live _____________________________________________ 9

8 Troubleshooting _____________________________________ 10

8.1 CASHNet Charging Correctly, Balances Not Updated in PaperCut ______ 11

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

1 Payment Process Workflow

Below is the sequence of events that occurs when a user adds credit to their account using the CASHNet payment gateway:

1. User clicks on the Add Credit link in the PaperCut web interface and goes to the Add

Credit page.

2. User chooses the amount they would like to add and clicks on Add Value.

3. The user is redirected to the CASHNet hosted payment page to enter their payment details. This URL is configurable as it is site-specific.

4. After the user has filled out all the fields and has confirmed payment, CASHNet will send a POST request off to the PaperCut server with status of either the success or failure of the transaction (this is called Store Notification). This POST request URL must be configured in CASHNet and the PaperCut App Server’s ip address must be added to CASHNet’s allow list (which is done by CASHNet).

5. The user will typically be taken to a CASHNet receipt page. They can then click on

sign out and be redirected back to the PaperCut user interface.

6. PaperCut will display the original Add Credit page with a message at the top indicating either success or failure for the transaction.

2 Installing the Payment Gateway Module

1. The Payment Gateway Module will function during the PaperCut NG 40 day trial period. After this, the module must be licensed. If you have been supplied with a new license take the time to install this now. The license install procedure is documented in the PaperCut user manual chapter ‘Licensing and Support’.

2. Download the Payment Gateway Module from the PaperCut website at http://www.papercut.com/anonftp/pub/pcng/ext/payment-gateway/pcng-paymentgateway-module.exe

3. Install the module into the same directory as PaperCut. This is normally:

C:\Program Files\PaperCut NG\

4. Open the file:

[app-path]\server\lib-ext\ext-payment-gatewaycashnet.properties in a text editor such as Notepad.

5. Locate the line cashnet.enabled=N and change the N to Y. This will enable the

CASHNet module.

6. Locate the line cashnet.item-code and enter your item code that is to be used for itemizing the PaperCut payment. This just needs to be a string to represent a

PaperCut payment code that you have notified Higher One you will be using. It can be seen in CASHNet reports and payment receipts. Optionally, you can provide a description for this item using cashnet.item-description.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 2 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

7. Locate the line cashnet.hosted-payment-page-url and modify the existing

URL. This is the URL that PaperCut will redirect to for the user to enter their account details to make the payment. Typically, only the “MyCheckoutMerchantCode” part at the end of the URL will need to be replaced with the name provided by CASHNet to represent your institution.

8. Configure other options in this file as discussed in General Configuration Options in the Payment Gateway Module documentation, or by referring to the comments in the file itself. Options include limits on the amount to transfer, access groups, custom error messages, and the messages displayed to users after a successful or failed transaction.

You may like to enable a group restriction to limit access to administrators until configuration is complete.

9. Save the file and exit the text editor.

10. Restart the PaperCut Application Server service via Control Panel ->

Administrative Tools -> Services and wait 30 seconds.

11. Check the end of the log file at [app-path]\server\logs\server.log for any obvious error messages.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 3 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

3 Firewall and POST URL Configuration

CASHNet sends transaction notification messages to the PaperCut server via HTTPS as configured in section 4 below (either 9192/443). CASHNet calls this feature “Store

Notification”.

You will need to ensure that CASHNet is able to contact the PaperCut server via an internetaccessible hostname. This will usually involve the following network changes:

1. Set up a public DNS entry to ensure the PaperCut server is publicly accessible via a friendly name (e.g. papercut.myorg.edu).

2. Allow internet access directly to the PaperCut server via the configured port from section 4 below (either 9192/443).

Note that CASHNet by default locks down external traffic to port 443. To use a different port such as 9192 you will need to notify CASHNet to allow external traffic from the CASHNet servers through their firewall to your public DNS entry on all required ports as configured in section 4 below.

It is important that your organizations firewall policy only applies to external hosts.

Internal hosts will require direct access to the PaperCut server.

During testing it may be appropriate to open access from any host, then lock down access to the CASHNet IP address range once it has been determined. Once a test transaction has been made via HTTP the CASHNet server IP address(es) may be gained from the payment gateway event log file (located at [apppath]/server/logs/payment-gateway/event.log).

Note that CASHNet may change these addresses over time, so if transactions are failing, check

CASHNET’s Event Log Viewer to see if the messages are not getting through.

3.

Accessing the following URL with a web browser will display a simple confirmation page containing the current time, and can be used to test external access: http://papercut.myorg.edu/rpc/gateway/cashnet

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 4 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

4 CASHNet Configuration

1. Set up with CASHNet customer service, the following parameters: a.

An item code e.g. “papercutcode” b.

Optionally an item code description e.g. “PaperCut” c.

A reference type of “SESSIONID”.

2. Log into your CASHNet vendor account site.

3. Navigate to Store Setup -> Notifications (click)

4. In the HTTP Notifications section there are 2 fields to be filled out with the same

URL: a. For failed transactions enter: https://papercut.myorg.edu:9192/rpc/gateway/cashnet/trans action

Where papercut.myorg.edu is the external hostname of your PaperCut server. b. For successful transactions enter (same URL as above): https://papercut.myorg.edu:9192/rpc/gateway/cashnet/trans action c. For extra security, a secret string can be appended to these URLs. This is

discussed in the section, Securing the System.

5. For the radio box of Select format for HTTP content, select Name Value

Format (POST) and click Save .

6. To enable these notifications, navigate to Store Setup -> Implement Store (click) and then click on CONTINUE .

7. Finally, you need to let CASHNet know about the external ip address that you use for the HTTP notifications. In the example above, you would need to let them know the ip address for papercut.myorg.edu. The CASHNet firewalls are configured to block outbound traffic to any destination that has not been explicitly permitted.

Therefore, CASHNet needs to add the store notification ip address to their allow list otherwise the store notification will be blocked.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 5 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

Figure 1 Setting up CASHNet Notifications

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 6 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

Figure 2 Implementing Store to enable notifications

5 Testing

The payment gateway module is now ready for testing. This test will involve performing a live transaction with a real credit card, testing real-world end-to-end functionality. Afterwards the payment may be refunded via the CASHNet vendor interface. Note that transaction fees may still apply.

1. Log into the PaperCut user web interface e.g. http://papercut:9191/user

2. A new link called Add Credit should be present on the left. Click this link.

3. Select an amount to add and click Add Value .

4. You should now be redirected to CASHNet for payment. Enter the payment details including a valid credit card number and associated details as requested.

5. After entering payment details you should be presented with a success (or failure) page with a printable receipt link. At this stage the payment should have already

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 7 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21 taken place, and CASHNet has contacted PaperCut via the Store Notification feature to report the transaction (causing PaperCut to add the value to the user’s account).

There should also be a sign out button. Click this to return to PaperCut.

6. You should now be back at the Add Credit page. You should see a green message indicating that the funds were added to your account, and Current

Balance should show your new account balance. The Transaction History page should contain the payment transaction.

Note: it is possible due to a network communication failure that the CASHNet store notification was unable to be sent to PaperCut. In this case, the order will be cancelled and the administrator will need to reconcile the logs. See the

Troubleshooting section for more information.

7. The transaction should appear in the CASHNet vendor interface and may now be refunded.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 8 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

6 Securing the System

Because CASHNet sends the Store Notification transaction data to PaperCut directly users are not provided with an opportunity to tamper with the order data. It is however possible for users who know the Store Notification

URL to “spoof” a transaction if they know the right data and format. This risk can be mitigated by:

1.

Implementing a “shared secret”. This is a secret token/password that is known only to CASHNet and the PaperCut server, and never exposed to the user. PaperCut will then only accept Store Notification messages that contain the shared secret, so that a user can only forge Store Notification messages if they also know it. To implement the Store Notification shared secret: a. Find the cashnet.shared-secret option in the PaperCut configuration file and assign a random alphanumeric string that will serve as the secret/password. E.g. “cashnet.shared-secret=1n2bxn5h” b. In the CASHNet vendor interface update both Store Notification URLs

(success and failure URLs) and append a slash and your shared secret to the end of them. E.g.

“https://papercut.myorg.edu:9191/rpc/gateway/cashnet/tran saction/1n2bxn5h

”. c. Store Notification messages should now only be accepted if they contain the configured shared secret. If you like you can try entering the wrong shared secret in the Store Notification URL to ensure that it is rejected. Note that this will result in a charge on the CASHNet side but no transaction on the

PaperCut side (an error message will be logged to the App. Log).

2.

Restricting the Store Notification URL so that it can only be called by CASHNet’s server IP addresses. See the cashnet.postback-allowed-ip option in the config file. However, this is only viable if CASHNet can guarantee the ip address does not change.

7 Go-Live

If a group restriction was enabled in Stage 2 it can now be removed or altered to allow access to end-users. Your system is now live and will accept and charge credit cards.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 9 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide

8 Troubleshooting

Administrators may find information in the following log files useful when trying to troubleshoot setup/configuration problems or issues reported by end-users.

Payment Gateway Event Log:

[app-path]\server\logs\payment-gateway\event.log

This log contains gateway specific error messages and events.

Application Log:

[app-path]\server\logs\server.log

This log contains general application specific error messages and events.

Transaction Log:

[app-path]\server\logs\payment-gateway\transaction.log

This log contains a list of successful transactions in a tab-delimited form.

Please feel free to contact the PaperCut Software Development Team at [email protected] if you require assistance. v2015-04-21

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 10 of 11

PaperCut - Payment Gateway Module - CASHNet eMarket Checkout - Quick Start Guide v2015-04-21

8.1 CASHNet Charging Correctly, Balances Not Updated in

PaperCut

If CASHNet is charging cards/accounts correctly but no balances are being updated in

PaperCut, there is most likely a problem with the Store Notification messages getting through.

1. In the CASHNet vendor interface, navigate to Event Log Viewer , tick the severity level of Debugging and choose the appropriate date interval. This page lists the HTTP store notifications that CASHNet has attempted to send to

PaperCut (the configured Store Notification URL). Ensure that at the time of the transaction in question that a store notification was made and that no error occurred during the notification. Ensure that the Store Notification URL is accessible from the internet.

2. If the Store Notification does exist at the expected time, then check the payment gateway event log file (location above) for error messages. If there are no obvious messages then you can reproduce the problem with debug logging enabled to see more information about the messages sent and received.

Copyright © 2012 PaperCut Software International Pty. Ltd., All Rights Reserved 11 of 11