WorldPay have switched from using 6 character ID to 27 character

  • Hikashop Essential
4 months 1 week ago #357718

-- HikaShop version -- : 4.7.5
-- Joomla version -- : 4 Latest
-- PHP version -- : 8.2
-- Browser(s) name and version -- : All
-- Error-message(debug-mode must be turned on) -- : WorldPay have changed from using 6 character Installation ID to 27 Character reference ID due to fraudulent card testing.

All call backs now fail using the new 27 character string.

Due to fraudulent card testing using our 6 digit installation ID, WorldPay tried to swap to our reference code, which is 27 characters. Unfortunately, this works until the callback, which then fails.


  • MODERATOR
4 months 1 week ago #357720

Hi,

The installation ID length doesn't matter for the Worldpay plugin. So as long as you provided the new one in the payment method, it shouldn't change anything.
In fact, I don't think it would help with fraudulent card testing.
I would recommend activating the debug setting of the payment method and looking at the "payment log file" of the HikaShop configuration after a new test. It should contain debug information which will help the user understand what's going on with the callback.


  • Hikashop Essential
4 months 1 week ago #357730

Hi Nicolas,
Card testing isn't coming through the website; they are using the installation ID number to directly access the WorldPay server. As the Installation ID is 6 digits without any characters etc., it's not hard for them to find active installation IDs. This also came from the technical department of WorldPay, who asked me to change to the reference number, which is 27 characters/numbers. This would stop them from being able to find reference IDs (unless they go down the road of quantum computing!).

We did the change replacing the Installation ID with the reference number and they did the change their end.
We could purchase and make the Payment through WorldPay, but the call back does not work at all. I asked them to switch back to the installation ID which they did, and all is working fine again, unfortunately we still are suffering the card testing on our Installation ID on the WorldPay Server. So something is going on our end with the reference ID not being accepted and the only difference I can see is the length and it contains characters, where the Installation ID is 6 numerical digits?

I'll try and sort through and find something, but debug doesn't help when it comes to the WorldPay plugin, as we have found out before.

Regards
Ian


  • MODERATOR
4 months 1 week ago #357735

Hi,

What do you mean by "the reference ID not being accepted"?
What is a reference ID?
And if you're talking about the Installation ID, if it was not accepted by WorldPay, then you would not be able to see the credit card form and process the payment, it would fail directly there, not during the callback phase later on.
Also, if you're talking about the Installation ID as reference ID, changing the reference ID won't prevent the hackers from finding your installation ID. It is provided in clear in the parameters of the redirection form which redirects the customers from your website to WorldPay. This is necessary for WorldPay to know that the customer is paying something to you and not another merchant.
So it takes just 2 minutes for a motivated person knowing what they are doing to figure out your installation ID, regardless of its length.


  • Hikashop Essential
4 months 1 week ago #357744

There is a 27 alphanumeric reference associated with every installation on WorldPay.

Okay, so WorldPay changed their end to receive the 27 alphanumeric reference which is a unique reference for each WorldPay installation.
I removed the Installation ID and replaced with the 27 alphanumeric reference in the plugin. We did a test, we got to the card payment up and made a payment and WorldPay received the funds, the return URL showed up and returned to the site, but without any update to the status to confirmed etc.
So I changed back to the Installation ID and WorldPay changed their end back to using the installation ID and everything works again.

Either way, this is how WorldPay are dealing with the issue on other sites where this problem is occurring, and for them it is stopping the card testers.


  • MODERATOR
4 months 1 week ago #357753

Hi,

Well, I'm not sure how I can help for now. This needs looking at the debug. Ideally, you would have both installation ID activated, and a copy of the website with the 27 chars ID so that we could look at the situation there while not impacting your customers on your live website.


  • Hikashop Essential
2 months 4 weeks ago #358674

Hi Nicolas,
Hope you're well.
I now have the test environment ready and a login created. WorldPay have altered their end to accept the 27 char ID from hikashop to WorldPay and the call back being changed to send the 27 char ID.
I'll PM you the link.
Many thanks
Ian


  • MODERATOR
2 months 4 weeks ago #358676

Hello,

Your provided references don't allow us to reach your backend, can you double-check your references, and to be sure not to make any mistakes, be a little clearer about the notation of your references.
Regards


  • MODERATOR
2 months 4 weeks ago #358715

Hi,

I made a test payment on your test website with the debug activated.
What I can see is that the instId provided by WorldPay during the callback is 1135466, while it is supposed to be the "Installation ID" configured in the settings of the payment method. At least that's what was said in the old documentation that BrainForge (he made the plugin and provided it for free to be included in HikaShop) based himself on when developing the first version of the plugin years ago.
So it's normal the plugin is refusing the callback to confirm the order.
From what I can see the bug is on WorldPay's end which changes how it sends back the notifications and doesn't provide a valid InstId anymore for some reason.
So I went on their new API website and found the new documentation for Business gateway. There, there is a page for the parameters:
developerengine.fisglobal.com/apis/bg350...mandatory-parameters
The "payment result parameters" (near the end of the page) don't mention the InstId at all.
So, a simple solution would be to remove the code:

    if(@$vars['instId'] != $this->payment_params->instid) {
        return false;
    }

from the payment plugin in plugins/hikashoppayment/bf_rbsbusinessgateway/bf_rbsbusinessgateway.php in order to remove that check on the installation ID.

I also see they have a new parameter called "callbackPW". Apparently, it would help in securing the payment notifications.
Supporting this parameter would surely help improve security for the transactions. I'm surprised they didn't mention anything about it to you?

So, I would recommend you to check with the support there that they know about all this and what they recommend.

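Added example, not part of the thread and not HikaShop or BrainForge code: a sketch of what a callback check could look like once the instId comparison is gone, authenticating the notification with callbackPW and binding it to the order. The function name, the settings and order array keys, and the field names cartId, authAmount, authCurrency and transStatus (with 'Y' meaning success) are assumptions to confirm against the gateway documentation; all sample values except the instId quoted above are constructed.

```php
<?php
// Hypothetical validator for a gateway payment notification (added example).
// Only instId and callbackPW are named in the thread; every other field name
// and the $settings/$order keys are assumptions.
function validate_callback(array $vars, array $settings, array $order): array
{
    // 1. Authenticate the sender with the shared callback password.
    //    Fail closed if none is configured; compare in constant time.
    $expected = (string)($settings['callback_pw'] ?? '');
    $received = $vars['callbackPW'] ?? null;
    if ($expected === '' || !is_string($received) || !hash_equals($expected, $received)) {
        return [false, 'callbackPW missing or wrong'];
    }
    // instId is deliberately not checked: it is visible in the redirect
    // form, so matching it proves nothing about who sent the callback.

    // 2. Bind the notification to the order it claims to pay for.
    if (($vars['cartId'] ?? null) !== (string)$order['id']) {
        return [false, 'cartId does not match the order'];
    }
    $amountOk = is_numeric($vars['authAmount'] ?? null)
        && abs((float)$vars['authAmount'] - (float)$order['total']) < 0.005;
    if (!$amountOk || ($vars['authCurrency'] ?? '') !== $order['currency']) {
        return [false, 'amount or currency mismatch'];
    }

    // 3. Only a successful transaction may confirm the order.
    if (($vars['transStatus'] ?? '') !== 'Y') {
        return [false, 'transaction not authorised'];
    }
    return [true, 'ok'];
}

// Constructed sample data for an offline run.
$settings = ['callback_pw' => 'constructed-secret-value'];
$order    = ['id' => '1042', 'total' => '59.90', 'currency' => 'GBP'];
$genuine  = ['callbackPW' => 'constructed-secret-value', 'cartId' => '1042',
             'authAmount' => '59.90', 'authCurrency' => 'GBP',
             'transStatus' => 'Y', 'instId' => '1135466'];
$forged   = $genuine;
unset($forged['callbackPW']);          // sender does not know the password
$tampered = ['authAmount' => '0.01'] + $genuine; // right password, wrong amount

foreach (compact('genuine', 'forged', 'tampered') as $label => $vars) {
    [$ok, $why] = validate_callback($vars, $settings, $order);
    printf("%-9s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $why);
}
```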
