PIT Testing Guide – 3D Secure with Visa

3D Secure with Visa

This blog provides supplementary information for GPayments’ MPI (ActiveMerchant) clients undergoing Visa Product Integration Testing (PIT).

Visa has mandated that PIT testing is carried out for all new 3-D Secure MPI implementations, before they go into production, in all Visa regions.

The first step in Visa PIT testing is to enrol for Product Integration Testing (PIT) at the Visa PIT site.  

Visa PIT Enrolment

The following fields on the Visa PIT Enrolment form, found on the Visa PIT site, require specific ActiveMerchant information:

BIN – enter the Acquirer BIN associated with your testing. Using the ActiveMerchant Administration interface, you will need to set up an Acquirer with this BIN and a Merchant that will use this Acquirer.

Component Type(s) – select the MPI checkbox.

Merchant ID – you can use a dummy Merchant ID, but you will need to have a Merchant profile set up in ActiveMerchant with this dummy number. The Merchant ID can be found in ActiveMerchant Administration > Merchants > Find Merchant > Merchant Details > Merchant ID.

Merchant Password and Confirm Password – you need to know whether you will be using a Merchant Password or an SSL client certificate for authentication to the 3-D Secure Directory Server.

If you are unsure which one you should be using, check with your Visa Regional Representative or the Acquiring Bank.

Merchant Password

Enter an 8-character, non-production merchant password in Merchant Password and Confirm Password. This can be any value but must match the Merchant Password in ActiveMerchant.

SSL client certificate

Leave the password fields blank and an SSL client certificate will be requested from the PIT at a later stage. Once you have submitted the form, you can use the Email and Password used on the enrolment form to login to the Visa PIT site.

ActiveMerchant Configuration (MPI)

This section describes the steps for preparing ActiveMerchant for PIT testing, which correspond to the MPI setup steps in the Visa PIT User’s Guide.

NOTE: Configuration steps vary depending on your Visa Region and whether you use Merchant ID / Password or SSL client authentication for Directory Server authentication.

Acquirer BIN

  1.    Go to ActiveMerchant Administration > Merchants > Acquirers > New
  2.    Enter the Acquirer BIN
  3.    Click the Apply button

NOTE: Ensure that the Acquirer BIN set in this section matches the one you entered in your PIT profile.

Cipher Suites

ActiveMerchant supports the TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS) and SSL_RSA_WITH_3DES_EDE_CBC_SHA (SSL Version 3) cipher suites.


NOTE: Ensure that these cipher suites are not on the list of Disabled Ciphers and Protocols in your ActiveMerchant config file: ActiveMerchant_Home_Directory/config/config.xml.

Visa PIT Root Certificate

Downloading the Certificate

Download the DER-formatted PIT Root Certificate from the hyperlink provided in the MPI Setup section of the Visa PIT User’s Guide.

If you experience any issues downloading the certificate, contact your Visa Region representative.

Importing the Certificate

  1.    Go to ActiveMerchant Administration > Settings > CA Certificates > Import
  2.    Click the Choose File button and select the DER-formatted PIT Root certificate file
  3.    Click the Import Button
  4.    Click the restart link provided in the confirmation message to restart the server for the changes to take effect.

Merchant ID and Password Configuration

Configure ActiveMerchant as follows for regions that use Merchant ID and Password:

Merchant ID and Password

  1. Go to ActiveMerchant Administration > Merchants > Find Merchant > Merchant Details
  2. Acquirers – select the Acquirer BIN from the BIN dropdown list for the Visa provider and set the Merchant Password in the Password column
  3. Click the Apply button

NOTE: Ensure that the Merchant ID and Password set in this section match those in your PIT profile.

Visa Directory URL

  1.    Go to ActiveMerchant Administration > Settings > Directory Servers
  2.    Select Visa from the Provider drop down list
  3.    Set Cache update to Disabled
  4.    Set the Primary directory to https://pitwsi.3dsecure.net:5443/ds and set the status to Enabled
  5.    Click the Apply button

Client Authentication Certificate Configuration

Configure ActiveMerchant using the steps below for regions that use client authentication certificates.

Merchant ID

  1.    Go to ActiveMerchant Administration > Merchants > Find Merchant > Merchant Details
  2.    Acquirers – Select the Acquirer BIN from the BIN drop down list for the Visa provider and leave Password blank
  3.    Click the Apply button

NOTE: Ensure that the Merchant ID set in this section matches the one in your PIT profile.

Visa Directory URL

  1.    Go to ActiveMerchant Administration > Settings > Directory Servers
  2.    Select Visa from the Provider drop down list
  3.    Set Cache update to Disabled
  4.    Set the Primary directory to https://pit-wsi.3dsecure.net:443/dsm and set the status to Enabled
  5.    Click the Apply button

SSL Client Certificate

For authentication with an SSL client certificate, a Certificate Signing Request (CSR) must be generated and submitted to the PIT certificate generator to be signed by Visa’s CA. The certificate, which is generated by PIT, needs to be loaded into ActiveMerchant’s KeyStore to be used for establishing a connection to the Visa Directory Server.

Generating a Certificate Request

  1.    Go to ActiveMerchant Administration > Merchants > Find Merchant > Merchant Details page > Merchant Certificates tab > Create
  2.    Select the Key Size to be used for the Certificate Request from the drop down list
  3.    Select Visa from the Provider drop down list
  4.    Common name – you must enter the fully qualified domain name of your server or an externally accessible IP address. This will be validated when ActiveMerchant attempts to establish a connection to the PIT Directory Server
  5.    Organization, Organizational unit, City and Province – you can enter any data in these fields
  6.    Two-letter country code – enter the ISO 3166 code for the country in which the merchant resides, e.g. AU should be used for Australia
  7.    Select an SHA2 Hash algorithm from the dropdown list
  8.    Click the Apply button to create the certificate request
  9.    Copy the Certificate content, including the BEGIN and END tags, from the generated Certificate Request.

Signing the Certificate Request

  1.    Go to the Visa PIT site.
  2.    Click the Request Certificate link
  3.    Select MPI SSL Client Certificate (for authentication to DS)
  4.    Paste the certificate content into Cert Request (PEM)
  5.    Click the Submit button. The generated client certificate DER-encoded certificate and the PKCS#7 certificate chain will be shown on the page and will also be emailed to you
  6.    Save the .p7 file, from the email, into your working directory.

Installing the Signed Certificate

  1.    Go to ActiveMerchant Administration > Merchants > Find Merchant > Merchant Details page > Merchant Certificates tab > Install
  2.    Select Visa from the Provider drop down list
  3.    Certificate content – click the Choose File button and attach the p.7 certificate file generated by PIT
  4.    Click the Install button

Next Steps

Visa PIT Test Cases

Once you have configured ActiveMerchant, run through the test cases provided in Visa’s 3-D Secure Production Integration Testing (PIT) Test Plan Guide.

Feedback / Support

If you have any specific comments or suggestions on how to improve this supplementary information, contact us.

[ecko_button color=”gray” size=”large” url=”https://gpayments.com/contact”]Contact Us[/ecko_button]