The Endeavour 3D Secure MPI is certified and has gone through interoperability testing with Visa, MasterCard, Amex, JCB and Discover/Diners. Notwithstanding, for Visa Verified by Visa, MasterCard SecureCode, Amex SafeKey, JCB J/Secure, Discover/Diners, new installations of the MPI or new Acquirers being added to an existing MPI installation, it is required to complete Visa PITS testing of the final integrated product (Merchant/Gateway/MPI/Acquirer).
The PIT Home contains a detailed PIT User's Guide and Test Plan should be consulted.
For the 'BIN' field of the enrollment page, it's recommended to use a fictitious number, such as '999999'. On the MPI interface you will setup an Acquirer with this fictitious BIN and a Merchant will be setup in turn that uses this Acquirer.
For 'Component Type(s)', you must select the ''MPI'' checkbox, and fill out the 'Merchant ID' input field. Any value can be used here - you do not require a real merchant ID. This value must then be used as the 'Merchant Number' when setting up the Merchant to be used for PIT testing.
Similarly, if you are using a Merchant Password (Visa only), you must fill out the 'Password' input field (any value) and this value must be used in the Merchant Password field when setting up the merchant.
SSL Client Certificate Request
Establishing a connection to the Visa Directory.
Endeavour has done a particularly good job at reducing the normally complicated and specialist job of creating and importing keys and certificates to a few simple steps.
What is Required:
A public and private key pair must be generated, then a Certificate Signing Request (CSR) is generated to sign this key with the CA keys from Visa. The CSR is submitted to the to the PIT's automated certificate generator.
The PIT generated certificate is then returned and loaded into a keystore which will be used by the MPI to establish a link to the Visa directory.
On the MPI Interface, under the Certificates Menu, select 'Create CSR'.
The 'alias' serves as the name of the certificate.
Organization - can be any data.
Organizational Unit - can be anything.
The Common name MUST be the IP Address of your server or a fully qualified domain name.
The PIT Directory Server will validate the IP Address of the MPI attempting to make the connection against the IP Address, IP
Address range, or URL in the Common Name of the certificate. If the validation fails, the PIT will accept the connection but it
will show an error message in the VEReq message in the test results.
Country - Two letter code (ISO 3166-1) for your country.
State - can be any data.
City - can be any data.
Hit Proceed. When it finishes, a key pair would have been generated and a CSR ready for submitting to PIT.
Now log into the PIT online interface (https://dropit.3dsecure.net/PIT) and click the "Request Certificate" link.
The PIT 'Request Certificate' form is now open. The certificate type required is: 'MPI SSL Client Certificate (for authentication to DS)'.
Copy the CSR created above paste it in the 'Cert Request (PEM)' field. Hit submit.
The PIT now shows a page with the DER-encoded certificate and PKCS#7 chain, which are also sent via email.
Copy the DER or the PEM encoded certificate or PKCS7 file to the working directory.
From the MPI Interface, select Import Certificate. The form that comes up allows the certificate to be loaded from any of three formats.
Specify the name of the keystore which will be created as well as the Password.
The import will then take the private/public key pair originally create to generate the CSR and combine them with the signed certificate, loading the result in a new keystore.
Put KeyStore in configuration:
The MPI uses property files for SSL; there are 3 property files, these being Visa_SSL.properties, MasterCard_SSL.properties and Amex_SSL.properties.
Each of these files points to two keystores, one with the client keystore and one with the root certificates.
It is possible that you point to the same file keystore in both cases if one keystore contains all the certificates.
Find Visa_SSL.properties under /etc/MPI or under c:\winnt\MPI.
epg.MPI.sslProvider: leave this as com.sun.net.ssl.internal.ssl.Provider.
epg.MPI.KeyStore: Point to the Keystore with the client certificate.
epg.MPI.CACerts: Point to the Keystore with root certificates. Can be the same as above.
epg.MPI.KeyStorePassword: Password for keystore - default is changeit.
epg.MPI.KeyPassword: leave it as default. Normally its simpler not to have a certificate for the key as well.
Running The Tests
Configure Merchant and Acquirer.
At this point, you have set the Visa_SSL.properties file pointing to the keystore containing the client certificate and the keystore containing the root certificates used to verify the signature of messages returned by the 3D-Secure server.
Now login on the MPI interface and make sure that a merchant is created which uses the Acquirer configured on PIT. In particular take care of the following:
Acquirer BIN Visa in the Acquirer setup matches the "BIN" in PIT profile.
Merchant Number in Merchant setup matches "Merchant ID" in PIT profile
Merchant Password in Merchant setup matches "Password" in PIT profile
You also need to set the Active Visa Directory to the following: https://dropit.3dsecure.net:9443/PIT/DS
Now run through the test cases documented in the PIT Test Plan (linked from the PIT Home).
When finished, and all the tests pass, click "Conclude Testing" on the PIT Home and to notify the Visa Regional Representative.