- uPay posting URL
- Location that department storefront will initiate request post and redirect
- (Sean Lee) 20150807 Mathew Lindley: The uPay posting URL is where you post the parameters and the user redirect occurs in that single operation. There is an example posting in the uPay Technical Guide. This is the only method of posting to a uPay site.
- (Sean Lee) Department postback
- Send TouchNet the IPs and ports to allow postbacks through the TouchNet firewall
- (Rich Martucci) So when we are ready to move to the production server we will need to send you the ssl certificate .cer renamed as .txt for that server too correct?
- 20151014 Adam Stambaugh: More than likely. If wildcards are used then it may not be needed, but to be on the safe side sending in the cert is the best bet.
- 20160226 Cecilia Do: For troubleshooting the postback, go here
- (Sean Lee) I have noted two additional postback parameters with corresponding value in postback result: __VIEWSTATE and __VIEWSTATEGENERATOR. What are these values for and is there a way that we can exclude them in postback?
- 20150818 Mathew Lindley: The two parameters are not part of TMS. If they are being posted to the posting URL, it is because they are being passed to TMS on entry. The school needs to change their application to not pass them.
- Alphanumeric plus special characters
- Sample: hX0r0Huchc9gv+ReALWrkQ
- 20150817 Sean Lee: Now I know that we cannot have hyphen as part of validation key. I have tried to include hyphen in ExtTransId and TouchNet complains.
- (Sean Lee) The other question I have is related to validation key. I have set up HousingTest uPay site with a validation key. Let’s say my campus web application is not configured or is configured with incorrect validation key for posting. TouchNet will redirect user to this page (see attachment), and stay on that page if user clicked the “Please click here to return” button. Is there a way that we can configure this scenario in uPay setting with an external URL similar to the way we configure for success/error/cancel page?
- 20150818 Mathew Lindley: The ‘Please click here to return’ button is not configurable. It returns the user back to the location they were sent from.
- (Sean Lee) What is the maximum field length returned by uPay postback for the following fields:
CREDIT_ACCT_AMT_2
All of them have field type ALPHANUMERIC and FIELD LENGTH Unlimited. What is the maximum “possible” return value for unlimited length? We want to limit the field length but at same time try to prevent truncation to occur. This is especially important for tpg_trans_id and CREDIT_ACCT_CODE/CREDIT_ACCT_CODE_2.
- 20150821 Mathew Lindley:
- The maximum length allowed to be entered into the Op Center when creating an accounting code is 50. So their maximum length is defined by what they use for accounting codes.
- Validation key is not passed back to the posting url, but it is calculated and passed by the school, so they should be able to see the length, but I believe that it is 24.
- tpg_trans_id is defined by payment gateway, but I believe for credit cards the format is always year, month, day and 6 numbers for a total of 14. ACH is just a one up number, so that can grow over time.
(Cecilia Do) Can you confirm what will happen when we transmit an invalid account code (CREDIT_ACCT_CODE) in uPay?
We're seeing:
uPay session is successful. Customer can make payment.
- Transaction shows up in:
- uPay reports
- Payment Gateway reports
- Transaction does not show up in Marketplace Accounting Code report
- The transaction shows up under GL Exception
- We can correct the Accounting Code and mark it as complete
- After which transaction will show up in Marketplace Accounting Code report under the newly selected Account Code
20150820 Mathew Lindley: We have confirmed that yes, payments are taken and completed before attempting to send to G/L. If an exception occurs, payments are not reversed, G/L error notifications are sent.
(Cecilia Do) 20150825 Mathew Lindley (in red)
- For the uPay payment reversals (same day VOID and subsequent refunds), will a postback be sent? No
- Is this the “Post data when payment is cancelled:” parameter under “Posting Settings”? Post data when payment is cancelled controls whether we post back to you when the customer hits the cancel button
- If a transaction had multiple partial refunds, will a postback be transmitted for each one with the appropriate refunded amount? No
- And what about recurring payments? Will a postback be sent out for each payment that is processed on the scheduled payment date? Yes
- (Cecilia Do) Can you delete a uStore/uPay as long as it hasn’t taken payments yet? And once a payment is taken, the store/site can only be disabled, not deleted?
- 20150825 Mathew Lindley: Correct.
- (Cecilia Do) It looks like uStore and uPay names are not required to be unique.
- 20150825 Mathew Lindley: Correct.
- (Cecilia Do) When a store is no longer used, we can only disable it? And it will forever show up on the Revenue by Merchant reports with 0 amounts?
- 20150825 Mathew Lindley: Correct, although it will only show up with zero depending on how far you search back. If you haven’t used the store or site you can delete it.
- They will stay there for reporting. We do allow the deletion of uStore products though.
(Cecilia Do) When a uPay site's name is changed, the reports will display the new name, even for transaction data before the name change.
- (Sean Lee) Does uPay support postback encryption? I am a bit concerned on postback security and wondering if it has any methods to encrypt the postback string.
- 20150908 Mathew Lindley: I’m not aware of any post back encryption, although it should be noted that we would never receive a post or send a post back that contains payment data; that information is entered on the uPay pages and is only saved within our datacenter at that point.
- (Cecilia Do on behalf of Linda Snyder) I understand that TouchNet has monthly maintenance. Are we able to request for uninterrupted service during our peak payment period? For example, the period 2-3 weeks where students make an SIR (Student Intent to Register) payment is critical. Can we request for uninterrupted service during those weeks?
- 20150916 Michelle Sullivan: You are correct, we do have monthly maintenance that occurs on Wednesday. Unfortunately it is a datacenter-wide activity and we cannot pull certain schools from this. I apologize for any inconvenience this may cause.
- (Sean Lee) It occurs to me that I need some ways to verify user’s identity for those that visit success page, cancel page, and error page via uPay redirect. Is there a way that we can append parameters (e.g., campus identifier, tpg_trans_id, user-defined parameters, etc.) from post string at the end of redirect URL so the referred page can parse and verify?
- 20150917 Mathew Lindley: Posted parameters are not added to the Success Link. If they want the posted parameters passed back to them, they need to use a posting url. UPAY_SITE_ID and EXT_TRANS_ID are added to the success url unless they have turned this off in the Payment Settings page with the “Transaction ID Settings - Show External Transaction Id in URL” setting.
- (Markus Quon) With the UPAY_SITE_ID and EXT_TRANS_ID, we are able to identify the record (person) being redirected, however, there is no trust that the redirect URL was tampered with because it lacks trust/validation information. Is there a way to include one more item such as the VALIDATION_KEY which the external user would not know, but TouchNet does know (Cecilia: this is comparable to the session id key in our current world).
- 20150917 Mathew Lindley: This is not possible in our current environment.
- (Markus Quon) I'm a bit concerned about the lack of the VALIDATION_KEY as part of the redirect process. There's a big disconnect that breaks trust and actually would open the door for someone to brute force if a uPay client blindly trusts the EXT_TRANS_ID to continue to process assuming they still are handling the same “customer.” Our only saving grace for the UX is that we are able to check for our session and if it exists correlate that with the EXT_TRANS_ID to validate if we have the same user; and in all other cases force reauthentication.
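The session check described in the thread above, sketched as an added example (not code from this page, TouchNet, or the campus application): the success-page handler treats UPAY_SITE_ID and EXT_TRANS_ID from the redirect URL as untrusted, matches them against the logged-in session, and takes payment status only from what the posting URL recorded. The in-memory stores, the site ID value, and `mark_paid_from_postback` are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

UPAY_SITE_ID = "7"  # constructed sample value, not a real site ID

# Stand-ins for a real server-side session store and order table (assumed).
SESSIONS = {}  # session_id -> {"user": str, "ext_trans_id": str}
ORDERS = {}    # ext_trans_id -> {"user": str, "paid": bool}


def start_checkout(session_id, user):
    """Create an EXT_TRANS_ID and bind it to the authenticated session."""
    # Random, so it cannot be guessed; hex only, because the page notes
    # that TouchNet rejects a hyphen in the external transaction ID.
    ext_trans_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "ext_trans_id": ext_trans_id}
    ORDERS[ext_trans_id] = {"user": user, "paid": False}
    return ext_trans_id


def mark_paid_from_postback(ext_trans_id):
    """Hypothetical hook: called by the posting-URL handler, never by the
    browser-facing success page."""
    order = ORDERS.get(ext_trans_id)
    if order is not None:
        order["paid"] = True


def handle_success_redirect(session_id, query_string):
    """Decide what the success page may show for this browser request.

    Returns "show_receipt", "show_pending" or "reauthenticate".
    """
    params = parse_qs(query_string)
    site_id = params.get("UPAY_SITE_ID", [""])[0]
    ext_trans_id = params.get("EXT_TRANS_ID", [""])[0]

    session = SESSIONS.get(session_id)
    if session is None:
        # No local session: the URL alone proves nothing about the visitor.
        return "reauthenticate"
    if site_id != UPAY_SITE_ID:
        return "reauthenticate"
    # Constant-time comparison of the URL value with the session's own ID.
    expected = session["ext_trans_id"].encode()
    if not hmac.compare_digest(ext_trans_id.encode(), expected):
        return "reauthenticate"

    order = ORDERS.get(ext_trans_id)
    if order is None or order["user"] != session["user"]:
        return "reauthenticate"
    # The redirect is not evidence of payment; only the postback record is.
    return "show_receipt" if order["paid"] else "show_pending"
```

A request that carries another user's EXT_TRANS_ID, a guessed value, or no session at all ends in reauthentication rather than a receipt page.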
- (Dianne Bean) 20150928 Mathew Lindley: Adding new merchants / uStores / uPay sites does NOT require any kind of restart. As soon as they are created, they will show up.
(Cecilia Do) Regarding going live. For uPay, there’s no preview mode, right? If a department wants to test to the point of authorization, postback, and viewing reports, do we enable the uPay site, go through the local storefront, make a payment with a personal card, check for the postback, view the reports, and do a same-day reversal?
20150930 Mathew Lindley: That would be the best way to test it front-to-back. You can also use the TEST uPay page to simply test transactions without involving the posting application.
- (Linda Snyder) The “Site Email Address” item in “General Settings” of the Miscellaneous page…. Is this for administrator announcements/alerts? Or is this for users to submit queries?
Used as the contact e-mail address on e-mail confirmation messages to the customer. In addition, warning messages for posting URL failures, GL update failures, and recurring payment failures are sent to this e-mail address.
How to view reversals (voids/refunds) in reports
- Marketplace Reports » uPay Sites » <uPay name>
- » Revenue
- Input date range.
- Lists out individual transaction and refund lines.
- » By Product
- Input date range.
- Product drilldown will list out individual transaction and refund lines.
- 20151012 Mathew Lindley: The end user and school each receive an email saying payment failed on CC recurring failures.
- Department notification for transactions processed?
- 20151013 Mathew Lindley: A uPay site manager can opt to receive emails by going to "Edit My Profile" on the left hand menu.
- Email receipt signature block uses uPay site name by default. Can override by configuring "Payment Notification Signature Text" under "Miscellaneous" section
- User's browser might show insecure red lock icon in the https URL in uPay site.
- The SSL certificate for, is certainly valid and secure. This warning is mostly being seen only by certain older operating systems (generally Mac) and internet browsers that are having issues recognizing new SSL certificates. Therefore, if those users can visit the site in Safari and permanently trust the root certificate as shown in the attached image, it should resolve future warnings in Safari and Chrome as well.
- (Cecilia Do) Per TouchNet Customer Care, there is no way to repost a postback if it is not in the posting exceptions list. The department will need to perform manual updates.
- (Cecilia Do) For passing parameters to your uPay site, can we define our own fields for input? Do these self-defined fields come back to us in the postback? Can we pass over fields not defined in the Technical Guide? Say I pass over fields called student_id = '12345678' and term_code = 'F2017'. Will I get these value pairs in the postback so my web system can further process this data? Or does uPay only accept the parameters defined in the uPay Technical Guide?
- Yes, allowed! Cecilia confirmed on TEST environment.
- TouchNet Customer Care: You can pass any parameter you like, we will pass them back to the posting url. Take a look at section 10.4 of the Marketplace Users guide, or the uPay Technical Guide Section 1.0: “uPay will accept any parameters that you pass and in turn pass the parameters back to your campus web application after the transaction is processed”.
- (Cecilia Do) How do we know when settlement completes? Are we notified? Or does settlement always complete, say, within 1 hour?
- 20150804 Mathew Lindley: Batch settlement completes on the same time every day, based on when you configure your Credit Card Merchant to settle its batch. Transactions flow from Marketplace to Payment Gateway upon fulfillment real-time.
- 20150904 Cecilia Do: Configured batch settlement for 2AM (Central). The batch settlement time is 2:01AM.
- Each batch is submitted for settlement one at a time.
- Each batch holds up to 1,000 transactions - about 3 minutes to complete settlement transmission
- Settlement transmission duration
- 100 transactions - 15-20 seconds
- 300 transactions - 1 minute
- 1,000 transactions - 2.5-3 minutes
- (Cecilia Do) And just to confirm, the “Batch time” parameter controls this. It is configured at the individual Payment Gateway Credit Card Merchant level. It is in military time, Central Time. If left at the default value “off” then settlement is manual.
- 20150903 Mathew Lindley: Correct!
- (Dianne Bean) Is there a cutoff for when a department can do a refund through MarketPlace? In other words, if I made a MarketPlace payment today (8/25) at a School of Medicine store, how long does the SOM have to refund me when I make a request before the transaction is no longer accessible to refund? 30 days? 90 days? 120 days? 6 mos?
- 20150825 Mathew Lindley: We do not create a limit, we allow the schools to dictate that per store. The system will allow a refund at any time after purchase.
- (Cecilia Do) How do debit card types show up in reports? For example, a debit card with the Visa credit card logo, does it show up as “VISA” or “Visa Debit” (Payment Gateway Business User Guide, p.210)
- 20150806 Mathew Lindley: This shows up as Visa and will be listed as a Signature Debit payment rather than Credit Card in TPG reporting.
- (I-Rong Lin) I understand uPay user receive post-back in real time for credit card authorization. For uStore, is it true “order confirmation” is equal to credit card authorization is completed successfully?
20150807 Mathew Lindley: When you set up your Marketplace Merchants, it is configurable whether or not to authorize at order time for the uStores in that Marketplace Merchant. I always recommend turning this on as an Administrator. Otherwise the authorization would occur at batch closure.
- (I-Rong Lin) I take the default is blank or no for uStore authorization at the time the client places an order.
20150807 Mathew Lindley: Yes, that is the default. This can be edited by Admins and Merchant Managers in the General Settings of each Marketplace Merchant.
- (Cecilia Do) Is the fulfillment/auto-fulfillment date (in the Marketplace reports) the same as the authorization date (in the Payment Gateway reports)?
- 20150811 Mathew Lindley: The authorization will either occur at order time or at batch closure time, depending on how your admins choose to set that in Marketplace. Also if an authorization passes 72 hours without fulfillment, the fulfillment will put a fresh authorization encumbrance on the card statement (to replace the one that fell off after 72 hours) prior to that day’s batch closure.
- (I-Rong Lin) Theoretically if we set up our settlement time from 12 a.m. - 11:59:59 p.m., this will coincide with the date range of information in Revenue by Account Code report even if this report doesn't only list settled transactions, right?
20150813 Mathew Lindley: It should be really close to that, yes. You may have one transaction end up being on one day or the other by a fraction of a second depending on the timing and the communication between marketplace and payment gateway but that should be rare.
- (Cecilia Do) Carte Blanche
- Card type in Payment Gateway reports: "CB"
- 20150811 Mathew Lindley: No test Carte Blanche number in TouchNet TEST. No plans to add to PaySim.
- 20150813: Per the MID setup conference call with Mathew Lindley, he said that Carte Blanche is folded into AmEx and there will be no processor on the backend to process Carte Blanche payments. Per discussion with Dianne afterwards, we will not allow Carte Blanche in Marketplace.
- (Cecilia Do) We have settlement configured for 12am (2am Central). I have some test recurring payments and I’m seeing that the recurring payments are authorized around 12am, and they’re going straight into the settlement batch. Is this correct behavior? It should be the following day’s data, shouldn’t it? As a result, we’re seeing discrepancies between the Merchant Revenue and the Batch Settlement. For example, if you look at the batch details for 9/7’s batch, you’ll see this:
And here’s one from 9/10:
Can we change the time that recurring payments are fired off for authorization? Say if we can make them come in at 3:00 Central, then it would mitigate the discrepancies.
20150917 Mathew Lindley: Recurring payment authorization times are not configurable. We fix a bug if it is determined that this is not working as expected but anything else would be an enhancement request.
I confirmed with Product Development that the time it runs is not configurable. All payments are scheduled for midnight (00:00) and TMS recur runs payments that have a scheduled date that is less than its current run time. That is why the first time tmsrecur runs starting after midnight, payments for the current day start to be processed.
- Product fulfillment
- Authorization & settlement
- Credit card is authorized at order time
- If order is fulfilled within 72 hours, the authorization is still active and the transaction will be submitted to the credit card batch for settlement
- If order is not fulfilled within 72 hours, the authorization will be automatically reversed/cancelled
- Upon fulfillment, the credit card will be authorized again, and if successful, will be submitted to the credit card batch for settlement
- There are no partial fulfillments (e.g. have 5 products, ship 3 products, and later ship the remaining 2). Entire shipment is sent, or the quantity can be decreased.
- Marketplace revenue reports are based off the fulfillment date for products requiring manual fulfillment
Fulfilled order transactions will be submitted for the day's credit card batch for settlement
Tip: Marketplace Revenue reports and Payment Gateway credit card reports are in sync for ledger posting of manually fulfilled orders.
Credit Card Processing Error
- How to find out the reason (Error Code) for a credit card rejection by TouchNet when user tries to make a payment by using a credit card?
Sometimes a user doesn't know why his/her credit card is not working on TouchNet, and TouchNet normally shows the user a generic error message. The user will likely call us for help.
a. Go to Payment Gateway
b. Go to Reports
c. Select Credit Card and activity
d. Select the closest time frame
e. Search for the user's name and you will find the related Error Code as shown below.
f. You can find the Error Code meaning at TouchNet Exception Error Codes
User Authorization
- (Dianne Bean) Does MarketPlace keep an audit trail of the roles and names in which the roles were granted for each store? If so, how far back does it go and are we able to query them and run a report?
20150812 Mathew Lindley: Marketplace does not have an audit report, only Payment Gateway.
The Audit log for Payment Gateway is in the Users Section of Payment Gateway.
- Retention: As do all TouchNet reports. They stay as long as you have the software.
- (Cecilia Do) 20150830 Mathew Lindley (in red):
- We want to know when someone grants a role to someone (e.g. MP Manager A grants B as a fellow MP Manager; uStore Manager C grants D as a uStore Clerk). Is an email sent out when a user is granted access? There is no email that is sent out for user permissions granted in Marketplace.
- Does Marketplace keep an audit trail? No
- Is there a report/log that we can view? No
- Is this something that we can request from customer support? If so, what is the procedure to go about it? I have never seen this done, although we do have the data in our log files. I would say the request would have to be related to something specific (i.e. “can you tell me what user gave a user this permission”) along with a timeframe small enough to be able to narrow the action down to the right session log. Once this session log is found it would be easy to tell when who granted a certain permission, the only trick is sufficiently narrowing the timeframe around when the action would have occurred for us to find the session.
- (Cecilia Do) 20150902 Mathew Lindley (in red)
Since there is no audit trail or notification for Marketplace authorization, we are thinking of performing monthly audits. We will need to get the users granted for each of the Marketplace user roles: Marketplace Chief Administrators, Marketplace Administrators, Marketplace Accounts, Merchant Managers, uStore Managers, …, uPay Managers, …, etc. Can we see when they were granted the access? There is no way to see this in Marketplace
Is there a simple way to export all the authorized users and roles for Marketplace? This functionality does not exist for Marketplace.
It looks like we have to drill down to each area to pull the access (i.e. at the Marketplace level, Merchant level, uStore level, uPay level). If we have 30 merchants and 100 stores, then we have to drill down to each of the 30 merchants and 100 stores to view the user access? That is correct.
Can customer support pull reports? I assume that Customer Support could find out when someone was added via a log file that tracks activity in the Operations Center. These log files are based on when you log in however and we need specificity to find the right activity. An example of what would work to find the right log file would be, “Can you see who gave this permission? I know that they were granted access on this time and date”. Something that would not work in this system would be, “Can you tell me when all the current users gained access”. There are just too many files to go through.
The best way I can think to do this in Marketplace is to track this internally. Train your users to only request access and not to grant access to users on their own. Keep a list of all users, their permissions and the dates they were added in a spreadsheet. Then periodically compare the list to the Operations Center and delete any permission that doesn’t match.
- (Markus Quon) 20150922: So is the “Marketplace uPay Site Manager” KSAMs role the appropriate role for IT? And the uPay Payment Clerk and uPay Accountant the appropriate roles for HSG A/R (Sarah)?
- Cecilia Do: For the uPay manager, there are parameters that are business-related (like credit card validation settings) and others that are storefront-related, so it should be a collaborative effort. At this time, we will leave it to the department to determine how they want this done. Do they want to assign both parties? Or one party, who will work closely with the other? My recommendation at this time is to have IT configure it, with the business side input on the business parameters.
- The Payment Clerk is definitely a business role.
- You may want to grant IT with the accountant role in case you need to look up transaction information for system troubleshooting. Also, note that this role also views the postback exceptions.