QuickConnect

QuickConnect is a Westpac hosted service that enables your website to offer secure online payments.

The key features of the QuickConnect solution are:

  • Your system displays all the web pages (unlike QuickWeb which requires credit card details to be entered into a Westpac hosted web page).

  • The customer’s browser sends the payment details directly to QuickConnect. This means sensitive credit card details never enter your system (unlike QuickGateway which requires credit card details to enter your system before being sent to Westpac).

To make a payment, the customer will visit your website and enter their credit card details into one of your web pages. When the page is submitted, the customer’s browser will send the credit card details directly to QuickConnect. QuickConnect will make the payment using Westpac’s payment processor, then redirect the customer’s browser back to your website to display the receipt page.

Solution overview

Demo Payment Flow

This document describes the QuickConnect solution and explains how it can integrate with your existing website to make payments. High-level requirements, as well as detailed step-by-step instructions, are included to help with the implementation process.

The intended audience for this document is the software development team responsible for integrating your systems with QuickConnect.

How does the payment process work?

The following diagram shows the sequence of events that take place when a customer makes a payment.

Payment process

The steps for the above diagram are as follows:

  1. The customer visits your website. One of your web pages will include a button to begin the payment process.
  2. When the customer clicks the button your system will prepare the ‘Payment Details’ page. To do this you must first retrieve a security token from QuickConnect. You will then include this security token in a hidden field within the 'Payment Details’ page. Technical details for this process will be discussed in Parameters for the direct post.
  3. The customer enters their account information into the 'Payment Details’ page.
  4. When the 'Make Payment’ button is clicked the customer’s browser will post the account details directly to QuickConnect. The account details will not enter your system. This process is discussed in Making a payment.
  5. QuickConnect makes the payment.
  6. QuickConnect redirects the customer’s browser back to your website. This process is discussed in Making a payment.
  7. Your website displays the 'Receipt’ page to the customer.

Implementation process

There are a number of tasks involved in the implementation process. Each task is described in detail in the following sections of this document. A summary of the tasks and their corresponding section is listed in the table below.

Step Description/Document Reference
Step 1 Kick-off meeting
Step 2 Displaying the ‘Payment Details’ page
Step 3 Making a payment
Step 4 Receiving payment details from QuickConnect
Step 5 Testing
Step 6 Sign off
Step 7 Production lodgement
Step 8 Go live
Step 9 Post implementation

To help with the implementation process, we have included a requirements checklist for you to complete as you work on each task. The purpose of the requirements checklist is to help identify and keep track of your requirements.

If you require further assistance, please contact your Westpac Implementation Manager or your Qvalent implementation manager.

Kick-off meeting

The kick-off meeting is the first meeting between your organisation and Qvalent. This typically consists of a telephone conference with the relevant people from your organisation, Westpac and Qvalent.

The purpose of this meeting is to, introduce the team members from each organisation, discuss the implementation process and discuss your requirements.

Displaying the Payment Details page

The ‘Payment Details’ page is a webpage generated by your system. The purpose of the page is to capture your customer’s credit card details and submit them securely to QuickConnect.

Credit card payments The 'Payment Details’ page for credit cards will include fields for:

  • Cardholder name
  • Credit card number
  • Expiry date
  • CVN

Example 'Payment Details' page

Bank account payments The 'Payment Details’ page for bank accounts will include fields for:

  • Account name
  • BSB
  • Account number

Figure 3 Example 'Payment Details' page for bank account

There are a number of steps involved in displaying the 'Payment Details’ page. The QuickConnect payment solution requires parameters to be sent to QuickConnect in two separate calls. There are:

Parameters for the secure token request

The secure token request is a message sent directly from your server to QuickConnect. It occurs immediately before you display the 'Payment Details’ page (shown earlier in Figure 2 step 2). The purpose of the secure token request is to prevent parameters from being tampered with. Most parameters will be sent to QuickConnect using the secure token request. See Secure token request parameters.

In order to use the secure token request your website must have:

  • a dynamic backend which can send a HTTPS POST directly to the QuickConnect server
  • the ability to make an outbound HTTPS connection to QuickConnect through your proxy and firewall

Parameters for the direct post

The direct post is a message sent directly from the customer’s browser to QuickConnect. It occurs after the customer clicks the 'Make Payment’ button on the 'Payment Details’ page (shown earlier in Figure 2 step 4). The purpose of the message is to send the customer’s credit card details to QuickConnect without entering your system.

There are a number of parameters included in the direct post. They relate to either:

  • Input fields are shown on the 'Payment Details’ page (for example the cardholder name, credit card number, expiry date and CVN)
  • Hidden fields included within the 'Payment Details’ page (for example the secure token)

See Direct post parameters for the full list of parameters that need to be included on the 'Payment Details’ page.

The following sequence diagram shows all the steps required to display the 'Payment Details’ page (shown in Figure 2).

Figure 4 Sequence diagram for displaying the 'Payment Details' page

Figure 4 Sequence diagram for displaying the 'Payment Details’ page

The steps for displaying the Payment Details page are as follows:

  1. Click 'Next’

    • On the 'Enter Details’ page (see Figure 2) the customer clicks the 'Next’ button.
  2. Send request

    • The customer’s browser sends a request to your server to display the 'Payment Details’ page.
  3. Retrieve data

    • Your server retrieves all the data that is required for the secure token request. It then builds a parameter list that will be sent to QuickConnect as part of the request. For more details see Secure token request parameters.
  4. Request security token

    • Your server makes an outbound HTTPS connection to the QuickConnect server. The parameter list from the previous step is included in the request.
  5. Generate security token & store parameters

    • QuickConnect generates a security token and stores your parameter list. A security token is a randomly generated, base 64 encoded string of characters.
    • For example: token=m378813qtvOtylVTvVvpWA7PT14QHltr-AqX2gZ-RFM
    • A unique security token is created for every request. The token is valid for 1 hour after it is created and can only be used once.
  6. Return security token

    • QuickConnect returns the security token to your server.
  7. Return html for 'Payment Details’ page.

    • Your server produces HTML for the 'Payment Details’ page and sends it to the customer’s browser. The page includes:
    • Input fields for the customer to enter their account details
    • Hidden fields that are required for the direct post to QuickConnect

For more details see Direct post parameters.

Making a payment

This section explains the process for making a payment. It includes information about submitting payment details to QuickConnect as well as suggestions for presenting a results page to your customer.

There are two flows that may occur when a customer submits their payment details. They are:

  1. Typical payment flow
  2. Error flow
  3. Surcharge flow
  4. Duplicate payment flow

Your system must correctly handle both flows.

Typical payment flow

The typical payment flow consists of:

  1. The customer submitting their payment details to QuickConnect.
  2. QuickConnect performing high-level checks on the payment data, then making the payment attempt.
  3. QuickConnect returning the results to your system.
  4. Your system displaying the ‘Receipt’ page.

The diagram shown in Figure 5 provides a high-level overview of the typical payment flow.

The sequence diagram in Figure 6 shows the individual steps involved.

Figure 5 Making a payment via QuickConnect

Figure 5 Making a payment via QuickConnect with bank account

Figure 5 Making a payment via QuickConnect

Figure 6 Sequence diagram for making a payment via QuickConnect

Figure 6 Sequence diagram for making a payment via QuickConnect

The steps for the above sequence diagram are:

  1. Click 'Make Payment’
    • The customer enters their credit card details into the 'Payment Details’ page then clicks 'Save’.
  2. Direct post
    • The customer’s browser submits the credit card details directly to QuickConnect.
  3. Verify security token, lookup parameters and make payment.
    • QuickConnect checks the security token to ensure it matches the token generated earlier in Figure 4. It then retrieves the other parameters, validates the data and makes the payment.
  4. Redirect
    • QuickConnect builds a list of parameters to include in the redirect. They are included as a list of ampersand-delimited parameters. For example: communityCode=ACOMPANY&supplierBusinessCode=ACOMPANY&…
    • See Redirect parameters for the full list of parameters.
    • QuickConnect then instructs the customer’s browser to redirect to your returnUrl via HTTP get.
  5. Request next page
    • The customer’s browser redirects to your server’s returnUrl.
  6. Retrieve parameters
    • Your server retrieves the parameters from the request. It then uses this data to build the HTML for the 'Receipt’ page.
  7. Return HTML for next page
    • Your server returns the HTML for the 'Receipt’ page to the customer’s browser.

Error flow

This section explains the sequence of events that take place when QuickConnect identifies a problem with the customer’s payment details. There are a number of reasons why the error flow may occur:

  1. The customer has entered invalid credit card details. For example, the credit card number is too short or the expiry date is in the past. See Error descriptions for the list of errors that may be identified.
  2. The customer has entered invalid bank account details. For example, the BSB is not valid. See Error descriptions for the list of errors that may be identified.
  3. The payment includes a surcharge (calculated by QuickConnect) without the acceptSurcharge flag set. See Surcharge flow for information on payments with surcharges.
  4. The payment is suspected to be a duplicate payment. A 'duplicate payment’ is a payment that has the same credit card number (for credit card payments) or BSB and account number (for bank account payments) and payment amount as another payment made in the past 24 hours. See Duplicate payment flow for information on handling potential duplicates.

If QuickConnect identifies a problem with the payment data, it will not attempt to make the payment. Instead, it will return an error summary to your system for you to display to the customer. During this process, QuickConnect will:

  • Redirect to your errorUrl
  • Include a parameter called 'action’ with a value of 'Error’

When you receive error information from QuickConnect we recommend you redisplay the 'Payment Details’ page, present an error message and ask the customer to re-enter their details. As part of this process, you will need to request a new security token.

The diagram in Figure 7 provides a high-level overview of the error flow.

The sequence diagram in Figure 8 shows the individual steps involved.

Figure 7 Error flow

Figure 7 Error flow

Figure 7 Error flow

Figure 8 Sequence diagram for the error flow

Figure 8 Sequence diagram for the error flow

The steps for the above sequence diagram are:

  1. Click 'Make Payment’

    • The customer enters their credit card details into the 'Payment Details’ page then clicks 'Save’. For this particular example assume the customer has entered an invalid credit card number.
  2. Direct post

    • The customer’s browser submits the credit card details directly to QuickConnect.
  3. Identify credit card or bank account problem QuickConnect identifies a problem with the credit card or bank account details. The payment is not attempted.

  4. Redirect

    • QuickConnect builds a list of parameters to include in the redirect. These parameters are specific to the error flow. They are included as a list of ampersand-delimited parameters.
    • For example: action=Error&communityCode=ACOMPANY&supplierBusinessCode=ACOMPANY&…
    • See Redirect parameters for the full list of parameters.
    • QuickConnect then instructs the customer’s browser to redirect to the errorUrl you provided in the secure token request. Note, if you did not provide an errorUrl, QuickConnect will instead redirect to your returnUrl.
  5. Request next page

    • The customer’s browser redirects to your server’s errorUrl.
  6. Retrieve data

    • Your server retrieves the error parameters from the request.
  7. Request security token

    • Your server requests a new security token from QuickConnect. Your request will include a new parameter list. See Secure token request parameters for details.
  8. Generate security token & store parameters

    • QuickConnect generates a new security token and stores your parameter list.
  9. Return security token

    • QuickConnect returns the security token to your server.
  10. Return html for 'Payment Details’ page

Your server produces HTML for the 'Payment Details’ page and sends it to the customer’s browser. The page includes:

  • An error message to explain why the previous account details were rejected
  • Input fields for the customer to re-enter their account details
  • Hidden fields for the direct post to QuickConnect

Surcharge flow

This section explains the sequence of events that take place when QuickConnect is used to calculate and apply credit card surcharges. Please note that this flow is similar to the Duplicate payment flow and you may be required to handle surcharges as well as duplicate payments.

The typical surcharge flow consists of:

  1. The customer submitting their payment details to QuickConnect.
  2. QuickConnect performing high-level checks on the payment data, then calculating the surcharge amount
  3. QuickConnect returning the results to your system
  4. Your system displaying the calculated total, principal and surcharge amounts with an “Accept Surcharge” control.
  5. The customer submitting the confirmation to QuickConnect and QuickConnect attempting the payment.
  6. QuickConnect returning the results to your system.
  7. Your system displaying the 'Receipt’ page.

The surcharge flow differs from the Typical payment flow in points 3-5 where an additional confirmation step is required.

In step 3, QuickConnect returns the details of the payment, including the total, principal and surcharge amounts back to your system. It also includes the following additional fields:

  • action = Error
  • errorField = acceptSurcharge
  • errorDescription = You must agree to accept the surcharge amount before continuing
  • actionContextId = A string of characters, for example, z4cbB4K1HKEm1Z_mDRzzg

QuickConnect expects a confirmation of the surcharge amount to be sent back before the payment is attempted. In step 4, you may display an “Accept Surcharge” control to post the required parameters to QuickConnect. The customer will submit the form and post the following parameters to QuickConnect:

  • actionContextId = The action context Id that was returned in the previous step.
  • communityCode = Your QuickStream community code
  • action = QuickConnectPayment
  • acceptSurcharge = true or false

To understand the process better, you can use the test poster to simulate this process. Your test poster is located at https://quickweb.support.qvalent.com/test/YOURCOMMUNITYCODE.

Accept surcharge test poster example

Duplicate payment flow

This section explains the sequence of events that take place when QuickConnect identifies a duplicate payment. Please note that this flow is similar to the Surcharge flow and you may be required to a handle duplicate payments as well as surcharges.

The typical duplicate payment flow consists of:

  1. The customer submitting their payment details to QuickConnect.
  2. QuickConnect performing high-level checks on the payment data, and determining it is a duplicate payment.
  3. QuickConnect returning the results to your system
  4. Your system displaying a Duplicate Payment notice.
  5. The customer submitting the confirmation to QuickConnect and QuickConnect attempting the payment.
  6. QuickConnect returning the results to your system.
  7. Your system displaying the 'Receipt’ page.

The duplicate payment flow differs from the Typical payment flow in points 3-5 where an additional confirmation step is required.

In step 3, QuickConnect returns the details of the payment back to your system. It also includes the following additional fields:

  • action = Error
  • errorField = ignoreDuplicate
  • errorDescription = You must agree to process the duplicate payment before continuing
  • actionContextId = A string of characters, for example, Qb3is8yHS8ehkS9hjks_sh22Sc

QuickConnect expects a confirmation of the duplicate payment to be sent back before the payment is attempted. In step 4, you may display an “Ignore Duplicate Payment” control to post the required parameters to QuickConnect. The customer will submit the form and post the following parameters to QuickConnect:

  • actionContextId = The action context Id that was returned in the previous step.
  • communityCode = Your QuickStream community code
  • action = QuickConnectPayment
  • ignoreDuplicate = true or false

To understand the process better, you can use the test poster to simulate this process. Your test poster is located at https://quickweb.support.qvalent.com/test/YOURCOMMUNITYCODE.

Ignore duplicate test poster example

Receiving payment details

There are two ways to receive payment details:

  1. Server to server notification.
  2. Cash Applied File.

Server to server notification

This option is also known as the server-to-server postback. It allows you to receive payment summary details after each credit card payment is made.

This is done via a HTTPS POST to your server. The payment details are posted as form parameters or as XML.

To receive a server to server notification

  1. Your website must provide the serverReturnUrl parameter in a secure token handoff, or configure your server to server notifications in QuickStream Portal.
  2. Configure the domain white list in QuickStream Portal.
  3. Have a valid SSL certificate issued by a trusted certificate authority. Sending the notification over SSL ensures that the encrypted notification cannot be read by a malicious third-party. As your SSL certificate was issued by a trusted certificate authority, it also guarantees that QuickStream is connecting to your webserver (and not another fraudulent server as in the case of DNS attacks).
  4. Have a dynamic backend which can receive and parse HTTPS requests with parameters or can parse XML.

A server to server notification is sent after a successful credit card payment attempt.

When you receive a server to server notification, your system must:

  1. Check that the IP address matches the expected QuickStream IP address.
    • If they do not match you will return a status of 403 Forbidden.
    • See IP addresses in Test and in Production.
  2. Check that the Basic Auth username and password in the Authorization header match your credentials in QuickStream.
    • If they do not match you will return a status of 403 Forbidden.
  3. Extract the payment summary details.
    • The way you do this will depend on the content type the payment details are posted in. You will either extract the details from the form parameters or extract the details from the XML.
  4. Check to make sure you have not already processed a notification for this payment.
    • To do this you will compare the receiptNumber to the receipt numbers you have already processed.
  5. Save the payment details to your database.
  6. Your server returns a status of 200 OK.
    • Note, if an error occurred and you were unable to save the payment details, your server will instead return a status of 500 Internal Server Error.

Example server to server notification consumption in Java

public class NotificationConsumer extends HttpServlet 
{
    ...
    @Override
    protected void doPost( final HttpServletRequest request, 
                           final HttpServletResponse response ) throws IOException
    {
        try 
        {
            if( !request.getRemoteAddr().equals( QUICKSTREAM_IP_ADDRESS ) ) {
                response.sendError( HttpServletResponse.SC_FORBIDDEN );
                return;
            }
            final String authorization = request.getHeader( "Authorization" );
            if( authorization == null )
            {
                response.sendError( HttpServletResponse.SC_UNAUTHORIZED );
                return;
            }
            String base64Credentials = authorization.substring( "Basic".length() ).trim();
            String credentials = new String( Base64.getDecoder().decode( base64Credentials ), Charset.forName( "UTF-8" ) );
            final String[] values = credentials.split(":",2);
            if( !QUICKSTREAM_USERNAME.equals( values[0] ) || !QUICKSTREAM_PASSWORD.equals( values[1] ) )  {
                response.sendError( HttpServletResponse.SC_FORBIDDEN );
                return;
            }
            response.setStatus( HttpServletResponse.SC_OK );
            for( final String name : request.getParameterMap().keySet() ) {
                for( final String value : request.getParameterMap().get( name ) ) {
                    // Consume
                }
            }
        }
        catch( final Exception e  ) {
            response.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR );
        }
        return;
    }
}

Example server to server notification consumption in PHP

<?php
    header( "Content-Type: text/plain" );
    if ( $_SERVER["REMOTE_ADDR"] != QUICKSTREAM_IP_ADDRESS ) {
        header("HTTP/1.1 403 FORBIDDEN");
        return;
    }
    if ( !isset($_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) ) {
        header("HTTP/1.1 401 UNAUTHORIZED");
        return;
    }
    if ( $_SERVER['PHP_AUTH_USER'] != QUICKSTREAM_USERNAME || $_SERVER['PHP_AUTH_PW'] != QUICKSTREAM_PASSWORD ){
        header("HTTP/1.1 403 FORBIDDEN");
        return;
    }
    if( $_SERVER["REQUEST_METHOD"] === "POST" ) {
        try {
            foreach( $_POST as $key => $value ) {
                // consume
            }
            header("HTTP/1.1 200 OK");
        } catch (Exception $e) {
            header("HTTP/1.1 500 INTERNAL SERVER ERROR");
        }
    }
    return;
?>

Parameters in the server to server notification

These parameters are present in the server to server notification:

Parameter Name Description
sourceCode The payment channel used to make the transaction. The values are Net, Adhoc and Phone.
receiptNumber The unique receipt number generated by QuickWeb. This value can be used later to locate this payment in QuickStream Portal.
communityCode Your community code. Provided in communityCode when initialising the payment frame. See View your connection details in QuickStream Portal.
supplierBusinessCode Your supplier business code. Provided in supplierBusinessCode during handoff. See View your connection details in QuickStream Portal.
paymentReference Provided in paymentReference when initialising the payment frame or entered by the payer.
customerReferenceNumber A customer-level reference. Provided in supplierBusinessCode during handoff or entered by the payer.
paymentAmount The payment amount including surcharges.
surchargeAmount The surcharge amount.
cardScheme The card scheme. One of:
  • VISA
  • MASTERCARD
  • AMEX
  • DINERS
  • UNIONPAY
  • JCB
settlementDate The settlement date of the payment. See Transaction settlement.
createdDateTime The date and time of the transaction on the QuickWeb server in Sydney. Format: dd MMM yyyy HH:mm:ss.
responseCode The two digit response code. See Response Codes.
responseDescription The description of the response code. See Response Codes.
summaryCode The one digit summary code. See Response Codes.
successFlag true when the transaction was successful, otherwise false.
Custom fields Any custom parameters that you included in the handoff will be sent back to you.

That is, any parameters prefixed with custom will be included in this notification.

For example:
customTitle,
customPayeeName

If you choose to receive the data as XML, the parameters listed in the table above will instead be built into an XML document. This document will be passed to your server in the body of the request. The request will have a content-type of application/xml.

An example XML response

POST /payments HTTP/1.1
Host: yoursite.com.au
Content-Type: application/xml

<PaymentResponse>
    <sourceCode>Net</sourceCode>
    <receiptNumber>1003548481</receiptNumber>
    <communityCode><YOUR_COMMUNITY_CODE></communityCode>
    <supplierBusinessCode><YOUR_SUPPLIER_CODE></supplierBusinessCode>
    <customerReferenceNumber>CUSTOMER1</customerReferenceNumber>
    <paymentReference>PAYMENT1</paymentReference>
    <paymentAmount>624.00</paymentAmount>
    <surchargeAmount>24.00</surchargeAmount>
    <cardScheme>VISA</cardScheme>
    <settlementDate>20170110</settlementDate>
    <createdDateTime>10 Jan 2017 01:11:31</createdDateTime>
    <responseCode>00</responseCode>
    <responseDescription>Approved or completed successfully</responseDescription>
    <summaryCode>0</summaryCode>
    <successFlag>true</successFlag>
</PaymentResponse>

Cash Applied File

The purpose of the report is to provide you with a detailed list of all the transactions for that day. You can then load the report into your system and use it to help reconcile your bank statements.

Note:

  • It will only include transactions that occur before the banking cut off. Any transactions that occur after the cut off will be included in the next file.
  • QuickStream generates the Cash Applied File at 8pm (Sydney time) each banking day.
  • You can choose to include all the payments in one single file or split the payments into multiple files based on the business group they belong to.
  • You can choose to include only the successful transactions or both the successful and rejected transactions.

File format

The standard CSV format is a “comma separated value” file that we have created for our customers. The file consists of one header row followed by multiple detail rows.

The header row contains the field names.

For example

"Settlement Date","Receipt Number","Merchant Number","Customer Reference Number","Payment Amount"

The detail row contains the details for a particular transaction.

For example

"11-Jun-2012","9742904","MERCHANT1","CUSTOMERA","100.00"

Column Name Description
Settlement Date The settlement date of the payment.

The default date format is DD-MMM-YYYY.
For example: 20-Jun-2012

For refunds, this field contains the settlement date of the refund.
For example, credit card transactions after 6pm Sydney time will settle on the following banking day. See Response codes and settlement for more information.
Receipt Number The unique receipt number generated by QuickStream. This value can be used later to locate the payment in QuickStream.
For refunds, this field contains the new receipt number that was generated at the time of the refund. It is not the receipt number of the original payment.
Supplier Business Code Your supplier business code. You will be notified of this value during the implementation.
For refunds, this is the supplier business code of the original payment.
Reference Number This is an optional column. It will be included if your system provides a referenceNumber parameter to QuickStream during the secure token request.

This value represents a unique payment level reference created by your system. For example: invoice number, credit note number, fine code or transaction reference.

For refunds, this is the reference number of the original payment.
Customer Reference Number This is an optional column. It will be included if your system provides a customerReferenceNumber parameter to QuickStream during the secure token request.

This value represents a unique customer level reference created by your system. For example: customer number, family code, company code, BPAY number.

For refunds, this is the customer reference number of the original payment.
Payment Amount For credit card payments this value is positive. It represents the amount that QuickStream used when it attempted the transaction. It includes any surcharge or GST amount that needed to be paid.

The amount is in dollars and cents. For example, an amount of one thousand and fifteen dollars will be provided as follows:
1015.00

For refunds, this value is negative. It represents the total refund amount. For example, a refund of one thousand and fifteen dollars will be provided as follows:
-1015.00
Surcharge Amount For credit card payments this value is positive. It represents the surcharge amount that QuickStream included in the transaction.

The amount is in dollars and cents. For example, an amount of fifteen dollars will be provided as follows:
15.00

For refunds, this value is negative. It represents the surcharge amount that was included in the refund. For example, an amount of fifteen dollars will be provided as follows:
-15.00
Response Code The two digit response code.
For example: 41

See Response codes and settlement for the list of codes.

For refunds, this field contains the response code for the refund - not the code of the original payment.
Response Description` The description of the response code.
For example: Lost card

See Response codes and settlement for the list of codes and their corresponding description.

For refunds, this field contains the response description for the refund - not the description of the original payment.
Summary Code The one digit summary code.
For example: 1

See Response codes and settlement for the list of summary codes.

For refunds, this field contains the summary code for the refund - not the summary code of the original payment.
Card Scheme (Credit cards only) The type of credit card the customer used to make the payment. QuickStream will return one of the following values:
VISA
MASTERCARD
AMEX
DINERS
JBC
UNIONPAY

For refunds, this is the card type used to make the original payment.
Account Holder Name The account name for bank account payments, or cardholder name that the customer entered.
For example: John Smith

For refunds, this is the card holder name associated with the original payment.
Masked Card Number The credit card number that the customer entered. For security reasons part of this number will be masked.
For example: 45647xxxxxxx004

For refunds, this is the card number associated with the original payment.
BSB Number For bank account payments, this field is populated with the BSB the customer entered on the Payment Details page.

For example: 650-000.
For credit card payments/refunds this field is empty.
Account Number For bank account payments, this field is populated with the account number the customer entered on the Payment Details page.

For example: 987654321.
For credit card payments/refunds this field is empty.
Created Date Time The date and time the transaction was made on the QuickStream server in Sydney.

The default format is DD-MMM-YYYY hh:mm.
For example: 20-Jun-2012 15:04

For refunds, this is the date and time the refund was made on the QuickStream server in Sydney.
Source Product The payment channel used to make the transaction.
For example: NET.
Parent Receipt Number For credit card payments, this field is blank.

For refunds, this field is populated with the receipt number of the original credit card payment.

Sample file

In this example there are two transactions:

  1. A card transaction for 618.00. A sucharge amount of 24.00 was calculated.
  2. A bank account transaction for 50.00.
  3. A card refund transaction for 31.20. A surcharge amount of 1.20 was calculated.
"Settlement Date","Receipt Number","Supplier Business Code","Reference Number","Customer Reference Number","Payment Amount","Surcharge Amount","Response Code","Response Description","Summary Code","Card Scheme","Account Holder Name","Masked Card Number","BSB Number","Account Number","Created Date Time","Source Product","Parent Receipt Number"
"10-Jan-2017","1003548481","MERCHANT1","PAYMENT1","CUSTOMER1","624.00","24.00","00","Approved or completed successfully","0","VISA","John Smith","456471xxxxxxx004","","","10-Jan-2017 01:11","QuickWeb",""
"10-Jan-2017","1003548482","MERCHANT1","PAYMENT2","CUSTOMER2","50.00","0.00","G","WBC Exception processing released successfully","0","UNKNOWN","John Smith","","032-xxx","xxx465","10-Jan-2017 02:56","QuickWeb",""
"10-Jan-2017","1003548483","MERCHANT1","REFUND","CUSTOMER1","-301.20","-1.20","00","Approved or completed successfully","0","VISA","John Smith","456471xxxxxxx004","","","10-Jan-2017 13:46","QuickWeb","1003548480"

Retrieving a Cash Applied File

The file may be retrieved using Westpac iLink, WIBS or available for download in QuickStream Portal.

  • Westpac iLink is a web based service that allows you to securely send files to and receive files.
  • WIBS (Westpac Integrated Banking Services) is a straight through connectivity product, that uses SFTP, HTTP, SOAP or XCOM to deliver files to your server. Westpac iLink is used as the BCP for WIBS.
  • QuickStream Portal is the administrative interface for QuickStream products, such as QuickWeb and QuickConnect.

See WIBS User Guides for more on Westpac iLink or WIBS.

To download a Cash Applied File from QuickStream Portal:

  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Transactions and Reports -> Facility Reports
  3. Your report will appear on this page.
    • Select the download icon to retrieve a Cash Applied File.
    • Use the date filters to find older files.

Download cash applied files from QuickStream Portal.

Manage your security settings

QuickStream Portal is your administration interface for QuickStream. You can manage the following security settings:

Manage your IP white list

The IP address white list holds the allowed IP addresses for secure token requests. Requests made from IP addresses that are not in this white list will be rejected, and will not receive a security token.

  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Facility Settings -> Manage IP Address White List
  3. Select Add IP Address to white list a new IP address, or select the edit or delete icons to manage existing entries.

QuickStream Portal allows you to manage your allowed IP addresses.

Manage your Domain white list

The domain white list holds the allowed domains or URLs for sending server to server notifications. Server to server notifications to URLs that are not in this white list will be rejected, and will not receive a server to server notification.

  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Facility Settings -> Manage Domain White List
  3. Select Add Domain to white list a new domain or specific URL, or select the edit or delete icons to manage existing entries.

You can white list your entire domain, or a specific URL. For example,

  • To receive server to server notifications from any URL on your website, white list yoursite.com.au.
  • To receive server to server notifications at a specific URL on your website, white list yoursite.com.au/payments.

QuickStream Portal allows you to manage your allowed domains.

View your connection details

Connection details are required to interact with QuickStream in each environment. These connection details refer to values you must pass for the Secure Token Handoff.

  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Facility Settings -> View Connection Details
  3. Select Secure Token Request to view connection details for the Secure Token Request.

QuickStream Portal allows you to view your connection details and configuration.

Manage server to server notifications

Server to server notifications are submitted directly to your system. A HTTP POST with form data or XML sent from QuickStream after a successful credit card payment attempt.

  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Facility Settings -> Manage Server to Server Notification

Manage server to server notifications in QuickStream Portal.

Destination URL

This option can be used for:

You can override this by passing serverReturnUrl in a Secure Token Handoff for the above products except the QuickTerminal and QuickVoice products.

Notification format

Choose HTTPS POST or XML.

Control Description
HTTPS POST The server to server notification will be sent as HTTPS POST form parameters.
XML The server to server notification will be sent as HTTPS POST with XML as the request body.

Automatic retry of failed notifications

Configure the number of times you wish QuickStream to re-send failed notifications. A failed notification is one where a server cannot be reached, or a server responds with a HTTP status code other than 200 OK.

Control Description
If the original attempt fails Choose the time until the system retries the first time.
If this second attempt fails, retry Choose number of times the system should retry after the second attempt.
at intervals of Choose the interval between each subsequent retry.
If all attempts fail, send an email to Enter the email address the system will notify when a server to server notification cannot be sent. You can override this by passing errorEmailToAddress in a Secure Token Handoff.

For example the following setting produces a schedule:

Setting Value
If the original attempt fails Retry 1 minute after the original attempt
If this second attempt fails, retry 3 more times
at intervals of 10 mins
If all attempts fail, send an email to john@yoursite.com.au

This setup will send the following server to server notifications:

  1. Credit card payment made at 12:00 PM
  2. Server to server notification sent at 12:00 PM and failed.
  3. Server to server notification retried at 12:01 PM and failed.
  4. Server to server notification retried at 12:11 PM and failed.
  5. Server to server notification retried at 12:21 PM and failed.
  6. Server to server notification retried at 12:31 PM and failed.
  7. Stop retrying and send an email to john@yoursite.com.au.

Troubleshooting security settings

QuickStream Portal’s Activity Log shows:

  • Unsuccessful secure token request attempts.
  • Unsuccessful server to server notification sending attempts.
  1. Sign into QuickStream Portal
    • Test: https://quickstream.support.qvalent.com/quickportal
    • Production: https://quickstream.westpac.com.au/quickportal
  2. Click Administration -> Activity Log
  3. Select the date you wish to view logs for.

Types of entries you may see for unsuccessful secure token requests are:

  • A Secure Token Request was received from an IP address that is not in the IP Address White-list for this facility.

Types of entries you may see for unsuccessful server to server notification attempts are:

  • Server to server postback to URL X failed as no username or password is configured for this facility.
  • Server to server postback URL X using HTTP, but should be HTTPS.
  • The URL X is not listed as an allowed end point to post response information to.
  • The URL X is invalid and cannot be used as an end point to post response information to.
  • Received HTTP N instead of HTTP 200 from endpoint X.

QuickStream Portal allows you debug connection problems through the Activity Log.

Testing

The testing process is also known as User Acceptance Testing or UAT. The purpose of UAT is to test the entire solution as thoroughly as possible. The tests are carried out by the relevant participants from your business. We recommend you create a test plan which details the scenarios your verification team need to cover during their testing.

The tests should include:

  • Approved transactions
  • Declined transactions
  • Invalid payment details (eg, reference number too short; invalid credit card number or BSB)
  • Duplicate payments

The reporting tests should include:

  • Retrieving your daily payment report (either manually from iLink or automatically using WIBS)
  • Uploading the payment report into your system

The QuickStream Portal tests should include:

  • Creating users
  • Assigning roles to users
  • Searching for payments
  • Refunding payments
  • Resending receipts

To support the testing process a test environment is provided. This environment is also known as the ‘support environment’ or 'support’. It simulates the banking system, allowing you to test credit card payments without affecting any live bank accounts.

The test environment will remain in place after you go live. This will enable you to test any future changes before they are released into production. The test environment is provided on a best-efforts basis. It will occasionally be unavailable due to upgrades to our base products. Please factor this into your testing timelines and raise any concerns you have with your implementation manager.

Test Account Numbers

To help with the testing process we provide a list of account numbers for you to use.

Test Credit Cards

During the testing phase QuickStream will generate a response code based on the credit card number entered. The last 2 digits of the credit card number will map to a particular response code.

  • Any credit card number that ends with a value between 00-89 will result in an approved transaction.
  • Any credit card number that ends with a value between 90-99 will result in a declined transaction.

The table below lists the credit card numbers you can test with and the corresponding response codes are returned.

Visa Logo Visa Test Cards
Last 2 digits of card number Example card number Response code Summary code
00-89 4242424242424242
4111111111111111
4444333322221111
Debit Card: 4041370000456459
08 (Honour with identification) 0 (Transaction Approved)
90 4111111117444490 01 (Refer to card issuer) 1 (Transaction Declined)
91 4111111116444491 04 (Pick-up card) 1 (Transaction Declined)
92 4111111115444492 05 (Do not honour) 1 (Transaction Declined)
93 4111111114444493 91 (Issuer or switch is inoperative) 1 (Transaction Declined)
94 4111111113444494 54 (Expired card) 1 (Transaction Declined)
95 4111111112444495 42 (No universal account) 1 (Transaction Declined)
96 4111111111444496 51 (Not sufficient funds) 1 (Transaction Declined)
97 4111111110444497
Debit Card: 4041370000011197
62 (Restricted card) 1 (Transaction Declined)
98 4111111119444498 43 (Stolen card, pick up) 1 (Transaction Declined)
99 4111111118444499 01 (Refer to card issuer) 1 (Transaction Declined)
Mastercard Logo Mastercard Test Cards
Last 2 digits of card number Example card number Response code Summary code
00-89 5163200000000008
5200000009915957
2224000000031118
Debit Cd. 5188680400000008
08 (Honour with identification) 0 (Transaction Approved)
90 5100000000404390 01 (Refer to card issuer) 1 (Transaction Declined)
91 2229000000002791 04 (Pick-up card) 1 (Transaction Declined)
92 5163200000000792 05 (Do not honour) 1 (Transaction Declined)
93 5500000000101893 91 (Issuer or switch is inoperative) 1 (Transaction Declined)
94 5400000000501994 54 (Expired card) 1 (Transaction Declined)
95 2300000000887995 42 (No universal account) 1 (Transaction Declined)
96 5100000000432896 51 (Not sufficient funds) 1 (Transaction Declined)
97 2710000000011897
Debit Card: 5188683000000097
62 (Restricted card) 1 (Transaction Declined)
98 5200000000022498 43 (Stolen card, pick up) 1 (Transaction Declined)
99 5200000000830999 01 (Refer to card issuer) 1 (Transaction Declined)
Amex Logo Amex Test Cards
Last 2 digits of card number Example card number Response code Summary code
00-89 340000000636513
370000000201048
08 (Honour with identification) 0 (Transaction Approved)
90 340000000075290 01 (Refer to card issuer) 1 (Transaction Declined)
91 370000000024291 04 (Pick-up card) 1 (Transaction Declined)
92 340000000067792 05 (Do not honour) 1 (Transaction Declined)
93 340000000070093 91 (Issuer or switch is inoperative) 1 (Transaction Declined)
94 370000000094294 54 (Expired card) 1 (Transaction Declined)
95 370000000093395 42 (No universal account) 1 (Transaction Declined)
96 340000000089796 51 (Not sufficient funds) 1 (Transaction Declined)
97 370000000092397 62 (Restricted card) 1 (Transaction Declined)
98 370000000064198 43 (Stolen card, pick up) 1 (Transaction Declined)
99 370000000079899 01 (Refer to card issuer) 1 (Transaction Declined)
Diners Logo Diners Test Cards
Last 2 digits of card number Example card number Response code Summary code
00-89 30000000056030
5200000009915957
39000000022686
08 (Honour with identification) 0 (Transaction Approved)
90 39000000000690 01 (Refer to card issuer) 1 (Transaction Declined)
91 38000000008991 04 (Pick-up card) 1 (Transaction Declined)
92 39000000003892 05 (Do not honour) 1 (Transaction Declined)
93 30000000008593 91 (Issuer or switch is inoperative) 1 (Transaction Declined)
94 36000000009694 54 (Expired card) 1 (Transaction Declined)
95 38000000004495 42 (No universal account) 1 (Transaction Declined)
96 39000000004296 51 (Not sufficient funds) 1 (Transaction Declined)
97 30000000006597 62 (Restricted card) 1 (Transaction Declined)
98 36000000003598 43 (Stolen card, pick up) 1 (Transaction Declined)
99 38000000003299 01 (Refer to card issuer) 1 (Transaction Declined)
JCB Logo JCB Test Cards
Example card number Expiry Date CVN Response code Summary code
3530000000000003 10/2025 573 00 (Approved or completed successfully) 0 (Transaction Approved)
3530000000000011 10/2025 573 05 (Do not honour) 1 (Transaction Declined)
UnionPay Logo UnionPay Test Cards
Example card number Expiry Date CVN Response code Summary code
6250947000000014 12/2033 123 08 (Honor with identification) 0 (Transaction Approved)

Test Bank Accounts

To help test your bank account solution QuickStream will generate response codes based on the BSB values. This will give you the ability to test a broad range of scenarios.

To test bank account payments use the BSBs provided in the table below. Each BSB will return a specific response code and summary code.

  • Rejected transactions (summary code ‘3’) represent errors that are identified early on by QuickStream and Westpac. For example, invalid BSB. These transactions will be stopped on day 1. They will not be passed to the customer’s bank for processing. They will not appear in the night time Payment Report (or morning Payment Report).
  • Declined transactions (summary code '1’) represent errors that are identified by the customer’s bank. These transactions are initially reported as approved in a Payment Report (because they pass Westpac’s high level error checks), but will later be declined in the morning Payment Report.

To test approved transactions use a BSB that is not included in the table below. We recommend using a non Westpac BSB such as 650-000.

BSB Example Account Number Response code Summary Code
032-050 111111 R (WBC Exception Processing Error) 3 (Transaction Rejected)
032-051 111110 1 (Invalid BSB Number) 1 (Transaction Declined)
032-052 111112 2 (Payment stopped) 1 (Transaction Declined)
032-053 111114 3 (Account Closed) 1 (Transaction Declined)
032-054 111116 4 (Customer Deceased) 1 (Transaction Declined)
032-055 111118 5 (No Account/Incorrect Account#) 1 (Transaction Declined)
032-056 222223 6 (Refer to Customer) 1 (Transaction Declined)
032-057 111111 7 (No form PDC held) 1 (Transaction Declined)
032-058 111113 8 (Invalid User ID Number) 1 (Transaction Declined)
032-059 111115 9 (Other) 1 (Transaction Declined)
032-999 999994 G (WBC Exception Processing released successfully) 0 (Transaction Successful)
032-002 123465 G (WBC Exception Processing released successfully) 0 (Transaction Successful)

Test URLs and IP addresses

The following URLs and IP addresses are to be used during testing.

Applications

Name Description URL
QuickStream Portal The administration interface for QuickStream products. https://quickstream.support.qvalent.com/quickportal
iLink Manually retrieve reports for an associated WIBS connection. https://ilink.support.qvalent.com

Services

Name Description URL
Test Poster A webpage to simulate the handoff from your website to QuickStream products. https://quickweb.support.qvalent.com/test/YOURCOMMUNITYCODE
Secure Token Request If you have implemented the handoff using a secure token request use this URL. https://ws.support.qvalent.com/services/quickweb/CommunityTokenRequestServlet
Hand-off Hand-off your customer from your website. https://quickweb.support.qvalent.com/OnlinePaymentServlet3
Server to server notification IP address If you are receiving server to server notifications use this IP address to validate against. 203.39.159.31

Sign off

After you have completed your user acceptance testing you must send a ‘sign off’ email to your Qvalent implementation manager. The email will state that you have successfully tested all aspects of the solution and you are ready for it to be moved into production.

A sample sign off email is included below.

To: Qvalent_implementation_manager

Cc: Westpac_implementation_manager

Subject: Sign off

We have successfully completed user acceptance testing. Our tests covered all areas of the solution. They included payments, reporting and QuickStream Portal admin tasks.

Our payment tests covered:

  • Approved transactions
  • Declined transactions
  • Invalid payment details
  • Duplicate payments

Our reporting tests covered:

  • Retrieving the daily payment report
  • Uploading the payment report into our system

Our QuickStream Portal admin tests covered:

  • Creating users
  • Assigning roles to users
  • Searching for payments
  • Refunding payments
  • Resending receipts

We are satisfied with the results of these tests and we are ready for the solution to be moved into production.

Regards, John Smith

Production lodgement

Production lodgement is the final step to complete before going live. It involves:

  • Us configuring our Qvalent/Westpac systems in production
  • You configuring your systems in production
  • You running a set of live, low value tests in production to confirm the solution is ready to go live

Qvalent lodgement tasks

As part of the lodgement process Qvalent will complete the following tasks:

  • Obtain written approval from the security team to allow the solution to be placed into production

  • Install the solution into production

  • Configure connectivity

  • Configure reporting

  • Create your community/business

  • Set up your user roles

  • Create a QuickStream Portal admin user for you to use in production. You will receive the login details for this user via email.

  • Create an iLink admin user for you to use in production. This step is only performed if you have elected to receive files via iLink. You will receive the login details for this user via email.

  • If you are using a secure token request for the handoff we will provide you with a new handoff password to use in production.

Your lodgement tasks

To complete the lodgement process you will perform the following tasks:

  • Change your configuration for the handoff so that your website links to our production instance (rather than the support instance you used for user acceptance testing). See the production URLs.

  • If you have implemented the handoff using the secure token request you will:

    • Change your handoff configuration so that you pass across the new production password. Your Qvalent implementation manager will provide you with this password.
    • Email your Qvalent implementation manager and let them know the IP address of the server that will be making the secure token request.
  • If you will be receiving payment notifications, update your configuration for the expected IP address so that it uses our production IP address (rather than the support IP address you used for user acceptance testing). The production IP address for QuickWeb is included here.

You must also test the end to end solution in production using a few small value transactions. This test will take a number of days to complete and will test all of your credit card merchants and bank account facilities.

Low value credit card testing

The test consists of the following steps:

  1. On day 1, make two small test payments for each credit card merchant

  2. On day 2, check your bank statement. Make sure:

    • the bulk settlement amount is correct
    • the narrative is correct
    • the money has been deposited into the correct bank account
  3. Also on day 2, check your customer’s credit card statement/s. Make sure:

    • The amount is correct
    • The narrative is correct
  4. On day 3, refund all of the payments.

  5. On day 4, check your bank statement. Make sure:

    • The bulk settlement amount is correct
    • The narrative is correct
    • The money has been withdrawn from the correct bank account
  6. Also on day 4, check your customer’s credit card statement/s. Make sure:

    • The amount is correct
    • The narrative is correct

Low value bank account testing

The purpose of this test is to ensure your bank account solution is working correctly in production. We recommend using low value amounts (for example $0.20) because these are real payments using real bank accounts.

The low value tests involve a number of steps:

  1. On day 1 do the following:

    • Make 2 customer payments per bank account. For example, if your organisation has 3 bank accounts accepting payments, you should submit a total of 6 payments: 2 for the first bank account, 2 for the second bank account and 2 for the third bank account.
    • Check the night time Payment Report. Make sure it includes all 6 payments with a status of approved.
  2. On day 2 do the following:

    • Check your bank statement(s). Make sure the bulk settlement amount is correct, the narrative is correct and the money has been deposited into the correct bank account.
    • Check the morning Payment Report. Make sure there are no errors.
  3. On day 3 check the morning Payment Report. Make sure there are no errors.

  4. On day 4 do the following:

    • Check the morning Payment Report. Make sure there are no errors.
    • If refunds are in scope, refund all of the payments from step 1.

Production URLs and IP addresses

This section lists the URLs and IP addresses you must use in production.

Applications

Name Description URL
QuickStream Portal The administration interface for QuickStream products. https://quickstream.westpac.com.au/quickportal
iLink Manually retrieve reports for an associated WIBS connection. https://ilink.westpac.com.au

Services

Name Description URL
Secure Token Request If you have implemented the handoff using a secure token request use this URL. https://ws.qvalent.com/services/quickweb/CommunityTokenRequestServlet
Hand-off Hand-off your customer from your website. https://quickweb.westpac.com.au/OnlinePaymentServlet3
Server to server notification IP address If you are receiving server to server notifications use this IP address to validate against. 192.170.86.153

Go live

Once production lodgement is complete and you are satisfied with the results of your low value tests in production you are ready to go live. The term “go live” represents the date you will make the solution available to your customers.

At this stage of the implementation process there are only a few tasks left to complete. They are:

  • Before the go live date, communicate with your customers to inform them about the new payment process.

  • On the go live date, update the appropriate page (or pages) on your website to make the new solution available to your customers.

After you go live, Qvalent and Westpac will closely monitor the solution. This is known as the “monitoring phase” and lasts for two weeks. During this time, if you have any questions or concerns about the solution you should communicate directly with your Qvalent implementation manager.

Post implementation

Once the two week monitoring phase is over the implementation process is officially complete. Your Qvalent implementation manager will hand the solution over to the Qvalent helpdesk. The helpdesk will be responsible for day to day monitoring of the solution and resolving any issues that occur.

If you have any questions or concerns about the solution at this point contact the helpdesk: QuickStream Technical Support.

Security

The QuickStream suite of products complies with Level 1 of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a multifaceted security standard that includes requirements for

  • security management
  • policies
  • procedures
  • network architecture
  • software design
  • critical protective measures.

For more informaiton, see QuickStream Security Features.

For more information on PCI DSS see PCI SSC Data Security Standards.

To ensure QuickStream maintains this high level of security there are a number of security requirements that must be adhered to. These are listed below.

No client specific dynamic content

QuickStream hosted solution (e.g. QuickWeb) payment pages will not contain any client specified dynamic content. This means that you cannot provide javascript or flash components to be used in these solutions. In particular no site measurement javascript or links will be added to any QuickStream page.

QuickStream pages contain sensitive data such as credit card details. The restrictions mentioned above help prevent attacks such as cross site scripting (XSS).

No remote assets

QuickStream hosted solution (e.g. QuickWeb) payment pages will not fetch content from any third party server. All branding resources such as images and stylesheets will be stored on and served from QuickStream servers.

Cookies are required

QuickStream requires session cookies to be enabled in your customer’s browser. Session cookies are only used to maintain state while accessing QuickStream. No permanent information is stored on the client’s computer once the browser is closed.

Trusting the QuickStream Server

When your server exchanges information with QuickStream over HTTPS it must trust the root level certificate. That is, your server must trust the certificate issued by Verisign - not the certificated issued to Qvalent. The Qvalent certificate will expire and need replacing each year. However the Verisign certificate will have a much longer life (i.e. expire in 2028).

If your server trusts the Qvalent certificate directly your QuickStream implementation will cease to operate when a replacement certificate is installed.

Excessive Failures - IP Blacklisting

To prevent fraud, Qvalent will monitor IP addresses and transactions. If any suspicious behaviour is detected we will blacklist the IP address to prevent it from accessing QuickStream again.

Captcha

QuickStream hosted solutions (e.g. QuickWeb) uses Captcha image protection to prevent hackers from using the website to validate stolen credit card details. The term CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. The Captcha program randomly generates a distorted “word” that humans can read but computer programs can’t.

For more information about Captcha see http://www.captcha.net/.

Web Analytics

QuickWeb processes payments using the most up to date security best practices. Analytics sends usage data from hosted payment pages via the web browser to a third party system which cannot be guaranteed as secure and may comprise the sensitive data of your customers.

Due to this, hosted payment page solutions (e.g. QuickWeb and QuickVault Web) do not support incorporating analytics code or tools where data is gathered in the customer’s browser.

Transport Layer Security (TLS)

QuickWeb, QuickConnect and QuickVault require Secure Token Handoff and web browser access made using the encryption standard known as TLSv1.2. QuickWeb, QuickConnect and QuickVault rejects request made using TLSv1, or TLSv1.1.

If you receive an error that resembles the error message below, then the underlying TLS connection was not successful. Your systems need adjustments or upgrades to work properly with this service.

TLSv1 is not strong encryption, please use TLSv1.2 instead

HTTP 429 Too Many Requests

You may receive a HTTP 429 Too Many Requests response code when you have sent too many requests in a given amount of time.

If you send more than 10 simultaneous requests, you may receive a HTTP 429 Too Many Requests response code. You should wait for 20 seconds and resend the request.

Standard Network Ports for HTTP Transmissions

QuickStream sends Payment and Registration Notifications (aka Server to Server Responses) via HTTP on standard ports. These are ports 80 and 443. Other network ports are not available to send Payment and Registration Notifications to your server.

Secure token request parameters

The following table lists the parameters that can be passed from your server to QuickConnect during the secure token request. This task is shown in Figure 4 step 4.

The parameters must be passed to CommunityTokenRequestServlet. See the full URL for the test environment. See the full URL for the production environment.

Mandatory parameters

Parameter Name Description
username Your username. This value will be provided to you.
password Your password. This value will be provided to you.
supplierBusinessCode Your QuickStream supplier business code. This will be provided to you.
principalAmount The amount the customer is going to pay less surcharges. This value excludes any GST or surcharge amount.

The amount is in dollars and cents. For example: 1015.00 (for one thousand and fifteen dollars)
returnUrl Note: We recommend you use a HTTPS URL for this parameter.
The URL you would like QuickConnect to redirect to after the payment is complete. This is typically your receipt page.

Any parameters included in the URL will be provided back to you.

Example: https://www.yoursite.com.au/receipt?Name=John&Age=21
connectionType QUICKCONNECT
product QUICKWEB

Optional parameters

Parameter Name Description
customerReferenceNumber A value that uniquely identifies your customer. For example, a customer reference number, member ID, family code or BPAY number. This value will be provided back to you later. It can then be used to help you reconcile the payment in your backend system.
paymentReference A value that uniquely identifies the payment. For example, an invoice number, fine code or transaction reference.

This value will be provided back to you later. It can then be used to help you reconcile the payment in your backend system.
currencyCode The currency code. This will determine which currency to use when making the payment.

Specify either AUD or NZD.

If this parameter is not provided, QuickConnect will default to AUD.
serverReturnUrl Note: You must use a HTTPS URL for this parameter.
The URL you would like QuickConnect to send the payment notification to (ie, the server-to-server post back).
Example: https://www.yoursite.com.au/processPayment
errorEmailToAddress The email address you would like QuickConnect to send an email to if we cannot deliver the payment notification to your server (eg, your web site is down).

Example: payments@yoursite.com.au

This parameter is only relevant if you wish to receive the payment notification. See Server to server notification for details.
errorUrl Note: We recommend you use a HTTPS URL for this parameter.
The URL that QuickConnect will redirect to if an error occurs. For example, if invalid credit card details are provided or the payment has been found to be a duplicate.

If an errorUrl is not included, QuickConnect will redirect to the returnUrl instead.
registerPaymentAccount This parameter is only applicable to your facility when QuickVault is enabled. One of:
  • true
  • false
This will register the account in QuickVault after a successful payment.

Custom parameters

If you would like to provide additional information to QuickConnect you can do this by using a custom parameter. Multiple custom parameters can be passed to QuickConnect.

Parameter Name Description
custom<Custom name>

Example:
customTitle,
customPayeeName
QuickConnect can pass this data back to you.

The parameter name must start with the word ‘custom’ and be followed by a word beginning with a capital letter. Maximum 100 characters per parameter.

Sample code for the secure token request

Java

package com.qvalent.demo;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;

public class TokenRequestExample
{
    // This is the HTTP proxy configuration section.
    // To use basic authentication, other options
    // will have to be specified. This example
    // uses Windows domain-based NTLM authentication.
    // To use a direct connection, set USING_PROXY to false.
    private static final String HTTP_PROXY_URL_STRING =
        "proxy.yourdomain.com.au";
    private static final int HTTP_PROXY_PORT = 8080;
    private static final boolean USING_PROXY = true;
    private static final String TOKEN_REQEST_URL_STRING =
        "https://<environment_url>/CommunityTokenRequestServlet";

    // Here we are initialising a java.net.URL object.
    private static final URL TOKEN_REQUEST_URL =
        new URL( TOKEN_REQEST_URL_STRING );

    public static void main( final String[] args ) throws Exception
    {

        // Add username, password and customer reference number parameters
        // to the request.
        final Map<String, String> params =
            new HashMap<String, String>();
        params.put( "username", "username" );
        params.put( "password", "password" );
        params.put( "customerReferenceNumber", "CUSTOMER1" );
        final String content = getQuery( params );

        // Control block to use either proxy or direct connection.
        final HttpsUrlCOnnection connection;
        if( USING_PROXY )
        {
            final Proxy proxy = new Proxy( Proxy.Type.HTTP,
                                               new InetSocketAddress(
                                                   HTTP_PROXY_URL_STRING,
                                                   HTTP_PROXY_PORT ) );
            connection = (HttpsURLConnection)TOKEN_REQUEST_URL.openConnection( proxy );
        }
        else
        {
            connection = (HttpsURLConnection)TOKEN_REQUEST_URL.openConnection();
        }

        // Token request should be a HTTP POST for enhanced security.
        connection.setRequestMethod( "POST" );

        // The parameters are sent using url form encoding.
        connection.setRequestProperty(
            "Content-Type",
            "application/x-www-form-urlencoded" );

        // Add the content length and language.
        connection.setRequestProperty(
            "Content-Length",
            Integer.toString( content.length() ) );
        connection.setRequestProperty(
            "Content-Language",
            "en-au" );

        // We're going to write out post data and get the response (token),
        // so set both output and input.
        connection.setDoOutput( true );
        connection.setDoInput( true );
        // Set up a writer to write the http post data out.
        final BufferedWriter writer =
           new BufferedWriter(
               new OutputStreamWriter( connection.getOutputStream() ) );
        writer.write( content );
        writer.close(); // This will send the content.

        // Set up a reader to get the token result back from
        // the connection. Build it all up into one string.
        final BufferedReader reader =
           new BufferedReader(
               new InputStreamReader( connection.getInputStream() ) );
        String response = "";
        String buff;
        while( ( buff = reader.readLine() ) != null )
        {
            response += buff;
        }
        reader.close();

        // Print the full response.
        System.out.println( "Response: " + response );

        // Print the token, which will occur after "token="
        // and should be the only response parameter parameter.
        final String token =
            URLDecoder.decode(
                response.substring(
                    response.indexOf( "=" ) + 1 ) ,
                "UTF-8" );
        System.out.println( "Token: " + token );
    }

    // Helper method to construct a URL encoded query from
    // a map of string => string.
    private static String getQuery( final Map<String, String> params )
    throws Exception
    {
        String result = "";
        boolean first = true;
        for( final RequestParameter requestParameter : RequestParameter.values() )
        {
            if( first )
            {
                first = false;
            }
            else
            {
                result += "&";
            }
            result += URLEncoder.encode( requestParameter.getLabel(), "UTF-8" );
            result += "=";
            result += URLEncoder.encode(
                params.get( requestParameter.getLabel() ) == null ?
                "" :
                params.get( requestParameter.getLabel() ),
                "UTF-8" );
        }
        return result;
    }
}

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Net;
using System.Web;
using System.Collections;
namespace TokenRequestExample
{
    class TokenRequestExample
    {
        static void Main(string[] args)
        {
            byte[] byteArray;
            Stream webpageStream;
            StreamReader webpageReader;
            String webpageContent;
            Hashtable parameters = new Hashtable();
            parameters.Add("username", "username");
            parameters.Add("password", "password");
            parameters.Add("customerReferenceNumber", "CUSTOMER1");
            HttpUtility.UrlEncode("");
            String postData = "";
            Boolean first = true;
            foreach( String key in parameters.Keys )
            {
                if(first)
                {
                    first = false;
                }
                else
                {
                    postData += "&";
                }
                postData += key + "=" + HttpUtility.UrlEncode(parameters[key].ToString());
            }
            String URL = "https://<environment_url>/CommunityTokenRequestServlet";
            byteArray = Encoding.UTF8.GetBytes(postData);
            WebRequest request = WebRequest.Create(URL);
            WebProxy proxy = new WebProxy("proxy.yourdomain.com.au", 8080);
            proxy.UseDefaultCredentials = true;
            proxy.BypassProxyOnLocal = true;
            request.Proxy = proxy;
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = byteArray.Length;
            webpageStream = request.GetRequestStream();
            webpageStream.Write(byteArray, 0, byteArray.Length);
            webpageStream.Close();
            webpageReader = new StreamReader(request.GetResponse().GetResponseStream());
            webpageContent = webpageReader.ReadToEnd();
            Console.WriteLine(webpageContent);
            Console.ReadKey(true);
        }
    }
}

PHP

<?php
    $postFields = array( "username" => "username",
                         "password" => "password",
                         "customerReferenceNumber" => "CUSTOMER1" );
    $postFieldsString = http_build_query( $postFields );
    $curlHandle = curl_init();
    curl_setopt( $curlHandle, CURLOPT_URL, "https://<environment_url>/CommunityTokenRequestServlet" );
    if( array_key_exists( "user", $_POST ) &&
        array_key_exists( "pwd", $_POST ) )
    {
        curl_setopt( $curlHandle, CURLOPT_PROXY, "proxy.yourdomain.com.au:8080" );
        curl_setopt( $curlHandle, CURLOPT_PROXYUSERPWD, $_POST["user"].":".$_POST["pwd"] );
    }
    curl_setopt( $curlHandle, CURLOPT_POST, count( $postFields ) );
    curl_setopt( $curlHandle, CURLOPT_POSTFIELDS, $postFieldsString );
    curl_setopt( $curlHandle, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt( $curlHandle, CURLOPT_CAINFO, "PCA-3G5.pem" );
    curl_setopt( $curlHandle, CURLINFO_HEADER_OUT, 1 );
    $result = curl_exec( $curlHandle );
?>
<html>
    <head>
    </head>
    <body>
        <p> Header: <?php echo curl_getinfo( $curlHandle, CURLINFO_HEADER_OUT ); ?> </p>
        <?php
            if( curl_errno( $curlHandle ) )
            {
        ?>
                <p> Error: <?php echo curl_error( $curlHandle ); ?> </p>
        <?php
            }
            else
            {
        ?>
                <p> Token: <?php echo $result; ?> </p>
        <?php
            }
        ?>
    </body>
</html>
<?php   
    curl_close( $curlHandle );
?>

Python 3.x

import urllib.request as request
import urllib.parse as parse

USERNAME = ""
PASSWORD = ""
CD_CRN = ""

URL = "https://quickstream.support.qvalent.com/CommunityTokenRequestServlet"

class TokenRequest:

    def __init__(self, url):
        self.url = url
        self.params = {}

    def addParameter(self, key, value):
        self.params[key] = value

    def addParameters(self, dictKeyValues):
        for key in dictKeyValues:
            self.addParameter(key, dictKeyValues[key])

    def performRequest(self):
        details = parse.urlencode(self.params).encode("UTF-8")
        response = request.urlopen(self.url, details)
        return response

    def getToken(self):
        response = self.performRequest().read()
        response = response.decode("UTF-8")
        return response.split("=")[1]

# If you do not have a proxy then delete these
# next four lines.
proxyaddress = 'username:password@proxy.yourdomain.com.au:8080'
proxy = request.ProxyHandler({'https': proxyaddress})
opener = request.build_opener(proxy)
request.install_opener(opener)
#---------------------------------------------

req = TokenRequest(URL)
req.addParameter("username", USERNAME)
req.addParameter("password", PASSWORD)
req.addParameter("cd_crn", CD_CRN)
token = req.getToken()

print(token)

Direct post parameters

The following table lists the parameters that can be included in the direct post from the ‘Payment Details’ page to QuickConnect. The HTML for the page is produced in Figure 4 step 7. Parameters are included as either input fields or hidden fields.

The direct post to QuickConnect is shown in Figure 6 step 2. Parameters are posted directly to OnlinePaymentServlet3. The full URL for the test environment is shown in Test URLs and IP addresses. The full URL for the production environment is shown in Production URLs and IP addresses.

Mandatory parameters

These are to be included as hidden fields on the 'Payment Details’ page.

Parameter Name Description
communityCode Your QuickStream community code. This value will be provided to you.
token The security token is given to you by QuickConnect in Figure 4 step 6.

QuickConnect will use this token to lookup the parameters that were stored during the secure token request (see Figure 4 step 5).

Additional mandatory parameters

These are to be included as input fields on the 'Payment Details’ page.

Parameter Name Description
cardholderName The cardholder name as it appears on the customer’s credit card. When accountType is CREDIT_CARD only.
creditCardNumber The credit card number. When accountType is CREDIT_CARD only.
expiryDateMonth The month the credit card expires.

Format: MM

For example: 01 (for January). When accountType is CREDIT_CARD only.
expiryDateYear The year the credit card expires.

Format: YY

For example: 18 (for the year 2018). When accountType is CREDIT_CARD only.
cvn The card verification number (CVN). This is also known as the card verification value (CVV). When accountType is CREDIT_CARD only.
accountName The account name associated with the customer’s bank account. When accountType is DIRECT_DEBIT_NZ or DIRECT_DEBIT only.
accountNumber The credit card number associated with the customer’s bank account. When accountType is DIRECT_DEBIT_NZ or DIRECT_DEBIT only.
bsb The BSB associated with the customer’s bank account. When accountType is DIRECT_DEBIT only.
bankCode The bank code associated with the customer’s bank account. When accountType is DIRECT_DEBIT_NZ only.
branchCode The branch code associated with the customer’s bank account. When accountType is DIRECT_DEBIT_NZ only.
accountSuffix The account suffix associated with the customer’s bank account. When accountType is DIRECT_DEBIT_NZ only.
accountType The type of payment the customer is going to make.

Specify either: DIRECT_DEBIT (to restrict to Australian bank account payments), DIRECT_DEBIT_NZ (to restrict to New Zealand bank account payments) or CREDIT_CARD (to restrict to credit card payments). Do not send this parameter if your payer can choose either in your solution.
ignoreDuplicate If this parameter is set to 'true’ QuickConnect will not perform a 'duplicate payment check’.

A duplicate payment is an identical payment that has already been made that day. If a duplicate payment is found, QuickConnect usually rejects the current payment request.

Please note that an error will occur and the payment will not proceed if ignoreDuplicate is not set to 'true’.
acceptSurcharge If this parameter is set to 'true’ QuickConnect will process the payment. You must accept the surcharge to continue with the payment.

Please note that an error will occur and the payment will not proceed if acceptSurcharge is not set to 'true’.
actionContextId This parameter is required for the Surcharge flow and the Duplicate payment flow. You must provide the value of actionContextId that was returned to you by QuickConnect to accept surcharge or ignore a duplicate payment.

Custom parameters

If you would like to provide additional information to QuickConnect you can do this by using a custom parameter. Multiple custom parameters can be passed to QuickConnect.

Parameter Name Description
custom<Custom name>

Example:
customTitle,
customPayeeName
QuickConnect can display this data on the screen and/or pass it back to you in the payment notification.

The parameter name must start with 'custom’ followed by an uppercase letter.

Redirect parameters

This section lists the parameters QuickConnect may return in the redirect. There are two flows that can occur. QuickConnect will return either:

  1. Parameters for the typical payment flow
  2. Parameters for the error flow

Parameters for the typical payment flow

The following table shows the parameters that QuickConnect will return in the typical payment flow. Your system can then display this information on your ‘Receipt’ page (see Figure 6 step 7). Do not store this data in your system - it is for display purposes only.

The summaryCode parameter will indicate whether or not the payment was successful. For failed payments you may wish to provide a 'Try again’ button to take the customer back to the 'Payment Details’ page.

For more information, see Typical payment flow.

Mandatory parameters

Parameter Name Description
communityCode Your QuickStream community code. You will be notified of your community code during the implementation.
supplierBusinessCode Your QuickStream supplier business code. This value will be provided to you during the implementation.
paymentAmount The total payment amount that QuickStream used when it attempted the transaction. It included the principalAmount plus any surcharge amount that needed to be paid via surchargeAmount.

The amount is in dollars and cents.

For example: 1001.15(for one thousand and one dollars and fifteen cents).
surchargeAmount The surcharge amount applied to the transaction. This value is included in the paymentAmount field. The amount is in dollars and cents.

For example: 1.15 (for one dollar and fifteen cents).
receiptNumber The unique receipt number generated by QuickStream. The value can be used later to locate this payment in QuickStream Portal.
responseCode The two digit response code.

For example: 41.
See Response Codes for a list of response codes that may be returned.
responseDescription The description of the response code.

For example: Lost card.
See Response Codes for details.
summaryCode The one digit summary code.

For example: 1.
See Response Codes for the list of summary codes.
createdDateTime The date and time of the transaction on the QuickStream server in Sydney.

Format: DD MMM YYYY hh:mm

For example: 20 Jun 2012 15:04
settlementDate The settlement date of the payment. Transactions after 6pm Sydney time will settle on the following banking day.

Format: YYYYMMDD

For example: 20120620 (for 20th June 2012)
cardholderName The card holder name entered by the customer.

For example: John Smith
maskedCardNumber The credit card number the customer entered. For security reasons part of this number will be masked.

For example: 456471xxxxxxx004
expiryDateMonth The month that the customer entered into the expiry date field.

Format: MM

For example: 01 (for January)
expiryDateYear The year that the customer entered into the expiry date field.

Format: YYYY

For example: 2016
cardScheme The type of credit card the customer used to make the payment. QuickStream will return one of the following values:
  • VISA
  • MASTERCARD
  • AMEX
  • DINERS
  • JCB
  • UNIONPAY
accountName The account name that the customer entered on the 'Payment Details’ page.

For example: John Smith
accountNumber The account number that the customer entered on the 'Payment Details’ page. For security reasons part of this number will be masked.

For example: xxxxxx789
bsb The BSB that the customer entered on the 'Payment Details’ page. For security reasons part of this number will be masked.

For example: xxx-000
hmac A HMAC_SHA256 signed string of the parameters in the passback. Use this to validate that the parameters in the passback were not tampered. See Validating the HMAC.

Optional parameters

Parameter Name Description
customerReferenceNumber This will be included if you provided the customerReferenceNumber parameter in the secure token request.
paymentReference This will be included if you provided the paymentReference parameter in the secure token request.

Custom parameters

Parameter Name Description
custom<Custom name>

Example:
customTitle,
customPayeeName
Any custom parameters you include in the secure token request will be provided back to you. That is, any parameters prefixed with 'custom’ will be included in the redirect.

Parameters for the error flow

The following table lists the parameters that QuickConnect will return during the error flow. Your system can then display the error information on your 'Payment Details’ page (see Figure 8 step 10).

For more information see Error flow.

Mandatory parameters

Parameter Name Description
action 'Error’
communityCode This is the same value that you passed to QuickConnect in the secure token request.
supplierBusinessCode This is the same value that you passed to QuickConnect in the secure token request.
paymentAmount This is the total amount that will be charged to your customers credit card. It is the principalAmount passed in the secure token request plus (when applicable) the surchargeAmount calculated by QuickStream.
errorDescription A description of the error. See Error descriptions for the list of errors that may be provided by QuickStream.
For example: Card type not accepted
errorField The name of the parameter that generated the error.
For example: creditCardNumber.
This parameter can be provided more than once. See Error descriptions for the list of errors that may be provided by QuickStream.

Optional parameters

Parameter Name Description
surchargeAmount This is the surcharge amount calculated by QuickStream based on the surcharge percentage configured for a particular card scheme. This field is only applicable when QuickStream has calculated a surcharge, otherwise it will be omitted.
customerReferenceNumber This will be included if you provided the customerReferenceNumber parameter in the secure token request. See Secure token request parameter for details.
paymentReference This will be included if you provided the paymentReference parameter in the secure token request. See Secure token request parameter for details.
actionContextId This parameter is required for the Surcharge flow and the Duplicate payment flow. You must provide this value to accept surcharge or ignore a duplicate payment.

Error descriptions

This table lists the values that QuickConnect may return for the errorField and errorDescription parameters. These are returned as part of the error flow (see Figure 8 step 4).

Error Field Error Description
acceptSurcharge 'You must agree to accept the surcharge amount before continuing.5’
ignoreDuplicate 'You must agree to process the duplicate payment before continuing.’
cardholderName 'The value contains illegal characters. Please use only English letters and symbols.’
creditCardNumber 'A value is required for this field.’
creditCardNumber 'The value you have entered is too short. Please enter at least 13 characters.’
creditCardNumber 'The value you have entered is too long. Please enter at most 16 characters.’
creditCardNumber 'Invalid card number.’
creditCardNumber 'Card type not accepted.’
expiryDateMonth 'A value is required for this field.’
expiryDateMonth 'The value you have entered is too short. Please enter at least 4 characters.’
expiryDateMonth 'The value you have entered is too long. Please enter at most 4 characters.’
expiryDateYear 'A value is required for this field.’
expiryDateYear 'The value you have entered is too short. Please enter at least 4 characters.’
expiryDateYear 'The value you have entered is too long. Please enter at most 4 characters.’
expiryDateYear 'Expiry date must be in the future.’
cvn 'A value is required for this field.’
cvn 'The value you have entered is too short. Please enter at least 3 characters.’
cvn 'The value you have entered is too long. Please enter at most 4 characters.’
cvn 'Invalid number.’
cvn 'Invalid CVN for card type.’
bsb 'A value is required for this field’
bsb 'Invalid BSB’
bsb 'BSB is not valid for direct debit’
bsb 'Not a valid settlement account BSB’
accountNumber 'A value is required for this field’
accountNumber 'Invalid Account Number’
accountName 'A value is required for this field’
accountName 'The value you have entered is too long. Please enter at most 200 characters.’
accountName 'The value contains illegal characters. Please use only English letters and symbols.’
acceptDDR 'You must accept the Direct Debit Request before continuing’

Validating the HMAC

The HMAC is included in the parameters returned in the redirect. Use this to validate the parameters in the redirect were not tampered.

The parameters in the redirect are signed using the HMAC_SHA256 algorithm. Your secure token request password is used as the secret in the HMAC_SHA256 calculation. Find the password by viewing your connection details in QuickStream Portal.

To validate the hmac parameter:

  1. Remove hmac from the list of parameters returned and order the parameters ASCIIbetically by name.
  2. URL encode each parameter with UTF-8 character encoding.
  3. Join the parameter names and values with = and each pair with & (as per a query string).
  4. Generate the HMAC from this string using secure token request password.
  5. Hexadecimal encode the resulting string.
  6. Compare the HMAC string you generated to the hmac parameter in the passback.

HMAC validation example

This example illustrates a simple validation of the hmac parameter in the passback.

Step 1: Get the list of parameters returned in the passback.

Parameter Name Parameter Value
communityCode COMCODE
supplierBusinessCode SUPP
principalAmount 10.00
customParam this is a custom param with special characters &
hmac dce3bc3945ca4d33151fb4c6a69971d86c35556cc2becafb3cb451f080af3d49

Step 2: Remove hmac and order the parameters ASCIIbetically by name.

Parameter Name Parameter Value
communityCode COMCODE
customParam this is a custom param with special characters &
principalAmount 10.00
supplierBusinessCode SUPP

Step 3: URL encode each parameter with UTF-8 character encoding

Ensure the encoded characters are lowercase and not uppercase (for example, %3A not %3a.)

Parameter Name Parameter Value
communityCode COMCODE
customParam this+is+a+custom+param+with+special+characters+%26
principalAmount 10.00
supplierBusinessCode SUPP

Step 4: Join the parameter names and values with = and each pair with &.

communityCode=COMCODE&customParam=this+is+a+custom+param+with+special+characters+%26&principalAmount=10.00&supplierBusinessCode=SUPP

Step 5: Generate the HMAC from this string using secure token password.

public static String hash( final String password, final String queryString )
{
    final Mac mac = Mac.getInstance( "HmacSHA256" );
    mac.init( new SecretKeySpec( password.getBytes( "UTF-8" ), "HmacSHA256" ) );
    return Hex.encodeHexString( mac.doFinal( queryString.getBytes() ) );
}

Finally, compare the HMAC string you generated to the hmac parameter in the passback. If the strings do not match, there has likely been tampering of the parameters and their values and should not be considered accurate.

Soft descriptors for Aggregators

Soft-descriptors are informational fields that Aggregators must collect for each transaction. Other merchants cannot use these fields. These merchant descriptor fields allow some control over the cardholder narrative for each transaction. The Secure Token Request includes new fields to provide these soft-descriptors.

Read more about Soft descriptors for Aggregators.

Secure Token Request Fields

These fields are sent in a Secure Token Request.

Parameter Name Length Required Description (for a Payment)
merchantName 22 Yes This field is only relevant for credit card payments for Aggregators.
Must be in the format AggregatorName*SubMerchantName.
For example:
  • AggregatorName is Jane's Transactions, abbreviated to JAT.
  • SubMerchantName name is Jill's Bikes.
  • The value of this field may be JAT*JillsBikes.
AggregatorName can be either in full or abbreviated and must be 3 characters.
Westpac may suggest a three character aggregator name during your implementation.
merchantStreetAddress 48 Yes This field is only relevant for credit card payments for Aggregators.
The street address of the sub-merchant’s trading address.
It is a scheme requirement to populate the street address as part of the payment. Westpac does not hold the street address information for sub-merchants and it will not appear on the cardholder’s or merchant’s statement.
Must contain the street address lines only:
  • Include the city or suburb in Merchant Location.
  • Include the state in Merchant State.
  • Include the country in Merchant Country.
  • Include the post code in Merchant Post Code.
merchantLocation 13 Yes This field is only relevant for credit card payments for Aggregators.
The city or suburb of the sub-merchant’s trading address.
merchantState 3 Yes This field is only relevant for credit card payments for Aggregators.
The state of the sub-merchant’s trading address. One of:
  • NSW
  • ACT
  • VIC
  • QLD
  • NT
  • SA
  • WA
  • TAS
Merchant Country 2 Yes This field is only relevant for credit card payments for Aggregators.
Must be set to AU.
The sub-merchant must be registered in Australia and have a presence and process payments within Australia.
merchantPostCode 4 Yes This field is only relevant for credit card payments for Aggregators.
The postal code of the sub-merchant’s trading address.
subMerchantId 15 Yes This field is only relevant for credit card payments for Aggregators.
A unique identifier for your sub-merchant. The aggregator allocates the sub-merchant identifier. Westpac does not allocate this value.

Passback and Payment Notification

No additional fields are provided in the passback to your website or payment notification to your server.

3D Secure Card Payments

Use QuickConnect to accept card payments verified using 3D Secure. 3D Secure is an additional layer of authentication that protects you from liability for fraudulent card payments. Unlike regular card payments, 3D Secure requires cardholders to complete an additional verification step with the card-issuer.

3D Secure is also known as Mastercard SecureCode and Verified by Visa.

See 3D Secure Card Payments for QuickConnect for more.

Payment procedure

Credit card transactions

The payment procedure for credit card payments is simple. Card payments occur in real-time: the transaction is made between Westpac and the payer’s issuing bank. The issuing bank responds to Westpac with a response code to report the success or failure of the credit card transaction.

Bank account transactions

The payment procedure for bank accounts is more complex than the payment procedure for credit cards. It will take 3 banking days to fully process a bank account payment. During this time you will receive a number of Payment Reports from QuickStream. A Payment Report (also known as a Cash Applied File or CAF) is a file that contains information about the payments submitted by your customers. QuickStream will generate a night time Payment Report and a morning Payment Report.

The night time Payment Report is generated at 8pm Monday-Friday. It lists the valid bank account payments that have been submitted by your customers that day. A ‘valid’ payment is a payment that has passed the high level error checks performed by QuickStream and Westpac. Payments that fail these checks will be deemed invalid and won’t be included in the Payment Report. Note:

  • The report only includes payments that are submitted before the cut off time. For bank account payments this is 4pm Sydney time each banking day. Transactions that occur after this time will be included in the next file.
  • You can choose to have bank account payments and credit card payments in the same file or separate files.
  • You can choose to include all the payments in one single file or split the payments into multiple files based on the business group they belong to.

The morning Payment Report is generated at 6am Monday-Friday. It lists the bank account payments that have been declined overnight by the customers’ banks. The Payment Report can include any payment request from the previous 3 banking days.

The sequence diagram below explains the payment procedure in more detail.

  • Steps 1-3 show what happens immediately after a customer submits their payment details.
  • Steps 4-12 show the scheduled events that relate to that payment.

Sequence diagram for bank account payment procedure

Sequence diagram for bank account payment procedure

The steps for the sequence diagram are:

Day 1 (steps 1-6)

  • Step 1: Click ‘Make Payment’

    • The customer click the Make Payment button on your site
  • Step 2: Send Request

    • The customer’s browser sends the request to QuickConnect.
  • Step 3: Save payment details

    • QuickConnect performs a basic error check on the payment then saves the payment details. Errors such as invalid BSB or invalid account number may be identified at this point.
  • Step 4: Send Payment File
    • At 4pm QuickStream creates a payment file and sends it to Westpac’s payment processor. The file contains a list of all the payments customers have submitted since the previous banking day.
  • Step 5: Send Exception/Disbursement File
    • Westpac performs high level error checking on each of the payments in the file. An Exception Disbursement file (also known as a Direct Entry Exception Disbursement file or DEEDS file) is then created and sent back to QuickStream. This file lists all the payments and categorises each one as either valid or invalid. Behind the scenes Westpac will also send a debit request to each customer’s bank.
  • Step 6: Send Payment Report
    • At 8pm QuickStream creates a Payment Report (also known as a Cash Applied File or CAF). The report contains information about:
    • valid bank account payments
    • successful credit card payments
    • For information about the Payment Report format see Cash Applied File.

Day 2 (steps 7-8)

  • Step 7: Send Returns File
    • At 6am Westpac will create a Returns file (also known as a Direct Entry Return Processing System file or DERPS file) and will send it to QuickStream. The Returns file contains all the overnight error notifications sent in by other banks. These errors are low level errors that can only be identified by the customer’s bank.
    • The Returns file can relate to any payment request from the previous 3 banking days, not just the payment request made in step 1. For example, the Returns file created on Thursday may contain errors related to payments made on Monday, Tuesday or Wednesday.
  • Step 8: Send Payment Report
    • QuickStream creates a Payment Report and sends it to your system. The report contains declined bank account payments only. It is based on the Returns file received in the previous step. All the errors in the Returns file will be copied into the Payment Report. If the Returns file is empty the Payment Report will also be empty. For information about the Payment Report see Cash Applied File.

Day 3 (steps 9-10)

  • Step 9: Send Returns File

    • At 6am Westpac creates a Returns file and sends it to QuickStream. This step is identical to step 7.
  • Step 10: Send Payment Report

    • QuickStream creates a Payment Report and sends it to your system. This step is identical to step 8.

Day 4 (steps 11-12)

  • Step 11: Send Returns File

    • At 6am Westpac creates a Returns file and sends it to QuickStream. This step is identical to step 7.
  • Step 12: Send Payment Report

    • QuickStream creates a Payment Report and sends it to your system. This step is identical to step 8.

Processing is complete. Any payment that was included in the night time Payment Report on day 1 (see step 6) and not included in the morning Payment Report on day 2, day 3 or day 4 (see steps 8, 10 & 12) can now be considered successful.

Transaction Settlement

Credit card transaction settlement

Westpac credits your account the same day, except on weekends and national public holidays when the settlement is delayed until the next banking day. The amount credited is the total of approved transactions. Any direct debit or merchant service fees will be deducted as separate transactions per your service agreement.

American Express and Diners Club may credit your account a number of days later and may be a net amount (i.e. approved transactions less the merchant service fees), depending on your contract with them. Although Westpac facilitates the processing of the transaction, we do not control settlement for these schemes and therefore any queries should be made to American Express and Diners Club directly.

For reconciliation purposes, all successful transactions through a given acquirer that return the same settlement date will be credited together on the same day.

What are the credit card cut-off times?

The standard cut-off time for credit card payments is 18:00 (Australia/Sydney Time).

When are payments sent to the bank?

Generally, credit card transactions will be processed immediately. The settlement date will depend on the time of processing (whether they were processed before the current day’s cutoff time).

Bank account transaction settlement

Direct debit transactions work differently from credit card transactions in that there is no immediate response from your customer’s bank to indicate whether the transaction worked. Instead, the transaction is assumed to have worked unless it is later declined by the customer’s bank. The customer’s bank can decline the transaction for up to 3 banking days after the transaction was processed.

Your Direct Debit facility configuration will affect how successful and failed transactions are represented on your statement. For example, your account may be credited with the total amount of all direct debit transactions processed in one settlement day. Your account may also be debited with the amount of declined (or “returned”) direct debit transactions. If no transactions are returned, you will not receive a debit that day.

What are the Direct Debit cut-off times?

The standard cut-off time for Direct Debit payments is 16:00 (Australia/Sydney Time).

When are payments sent to the bank?

Generally, Direct Debit transactions performed before 16:00 (Australia/Sydney) will be submitted to the bank for processing at 16:00.

Response codes

These response codes have been presented for your reference and are derived from the message format defined in Australian Standard 2805.2 (1997).

It is highly unlikely that you will receive many of these response codes; as a general rule you should use the provided summary response code to determine whether a transaction is approved or declined. Valid response codes are of a two digit alphanumeric format.

If an unknown response code is returned please contact Westpac with the appropriate transaction details.

Please note that there are no response codes specific to card verification number mismatches. This is because no financial institutions within Australia currently return any such information if declining a transaction for security reasons. Response Codes are generally returned from the customer’s issuing bank.

Credit card transaction response codes

Successful credit card transactions will generally have a response code of 00 - Approved or completed successfully or 08 - Honour with Identification. Other statuses indicate a problem processing the transaction. If you receive a status code starting with ‘Q’ that you do not understand, you should contact your Client Enquiry Manager with the transaction details.

For non approved transaction statuses that do not start with 'Q’ the card holder will likely need to contact their issuing financial institution for more information about the rejected transaction.

When doing so you can recommend they:

  • provide the date and amount of the transaction.
  • request specific information regarding the transaction rejection.
Summary Code Description
0 Approved
1 Declined
2 Error
3 Rejected


Response Code Description Summary Code Soft Decline
00 Approved or completed successfully. More information 0
01 Refer to card issuer. More information 1 Yes
02 Refer to card issuers special conditions 1
03 Invalid merchant. More information 1
04 Pick-up card. More information 1
05 Do not honor. More information 1 Yes
06 Error 1
07 Pick-up card, special condition 1
08 Honor with identification. More information 0
09 Request in progress 1
10 Approved for partial amount 0
11 Approved VIP 0
12 Invalid transaction. More information 1
13 Invalid amount 1
14 Invalid card number (no such number). More information 1
15 No such issuer 1
16 Approved, update Track 3 0
17 Customer cancellation 1
18 Customer dispute 1
19 Re-enter transaction 1 Yes
20 Invalid response 1
21 No action taken 1
22 Suspected malfunction. More information 1 Yes
23 Unacceptable transaction fee 1
24 File update not supported by receiver 1
25 Unable to locate record on file 1
26 Duplicate file update record, old record replaced 1
27 File update field edit error 1
28 File update file locked out 1
29 File update not successful, contact acquirer 1
30 Format error 1
31 Bank not supported by switch 1
32 Completed partially 1
33 Expired card 1
34 Suspected fraud 1
35 Card acceptor contact acquirer 1
36 Restricted card 1
37 Card acceptor call acquirer security 1
38 Allowable PIN tries exceeded 1
39 No credit account 1
40 Request function not supported 1
41 Lost card 1
42 No universal account. More information 1
43 Stolen card, pick up 1
44 No investment account 1
45-50 Reserved for ISO use 1
51 Not sufficient funds 1 Yes
52 No cheque account 1
53 No savings account 1
54 Expired card. More information 1
55 Incorrect PIN 1
56 No card record 1
57 Transaction not permitted to cardholder 1
58 Transaction not permitted to terminal 1
59 Suspected fraud 1
60 Card acceptor contact acquirer 1
61 Exceeds withdrawal amount limits. More information 1 Yes
62 Restricted card 1
63 Security violation 1
64 Original amount incorrect 1
65 Exceeds withdrawal frequency limit 1 Yes
66 Card acceptor call acquirers security department 1
67 Hard capture (requires that card be picked up at ATM) 1
68 Response received too late 1 Yes
69-74 Reserved for ISO use 1
75 Allowable number of PIN tries exceeded 1 Yes
76-89 Reserved for private use 1
90 Cutoff is in process (Switch ending a day’s business and starting the next. The transaction can be sent again in a few minutes). 1 Yes
91 Issuer or switch is inoperative. More information 1 Yes
92 Financial institution or intermediate network facility cannot be found for routing 1 Yes
93 Transaction cannot be completed. Violation of law 1
94 Duplicate transmission 1 Yes
95 Reconcile error 1
96 System malfunction 1 Yes
97 Advises that reconciliation totals have been reset 1
98 MAC error 1
99 Reserved for national use 1
EA response text varies depending on reason for error 2
EG response text varies depending on reason for error 2
EM Error at the Merchant Server level 2
N1 Unknown Error (NZ Only) 1
N2 Bank Declined Transaction (NZ Only) 1
N No Reply from Bank (NZ Only) 1
N4 Expired Card (NZ Only) 1
N5 Insufficient Funds (NZ Only) 1
N6 Error Communicating with Bank (NZ Only) 1
N7 Payment Server System Error (NZ Only) 1
N8 Transaction Type Not Supported (NZ Only) 1
N9 Bank declined transaction (NZ Only) 1
NA Transaction aborted (NZ Only) 1
NC Transaction cancelled (NZ Only) 1
ND Deferred Transaction (NZ Only) 1
NF 3D Secure Authentication Failed (NZ Only) 1
NI Card Security Code Failed (NZ Only) 1
NL Transaction Locked (NZ Only) 1
NN Cardholder is not enrolled in 3D Secure (NZ Only) 1
NP Transaction is Pending (NZ Only) 2
NR Retry Limits Exceeded, Transaction Not Processed (NZ Only) 1
NT Address Verification Failed (NZ Only) 1
NU Card Security Code Failed (NZ Only) 1
NV Address Verification and Card Security Code Failed (NZ Only) 1
Q1 Unknown Buyer 1
Q2 Transaction Pending 2
Q3 Payment Gateway Connection Error. More information 3 Yes
Q4 Payment Gateway Unavailable 3 Yes
Q8 Error verifying 3D Secure enrolment 3
Q9 3D Secure authentication failed 3
QA Invalid parameters 3
QB Order type not currently supported 3
QC Invalid Order Type 3
QD Invalid Payment Amount - Payment amount less than minimum/exceeds maximum allowed limit 1
QE Internal Error 3
QF Transaction Failed 3 Yes
QG Unknown Customer Order Number 3
QH Unknown Customer Username 3
QI Transaction incomplete - contact Westpac to confirm reconciliation 2 Yes
QJ Incorrect Customer Password 3
QK Unknown Customer Merchant 3
QL Business Group not configured for customer 3
QM Payment Instrument not configured for customer 3
QN Configuration Error 1
QO Missing Payment Instrument 3
QP Missing Supplier Account 3
QQ Invalid Credit Card \ Invalid Credit Card Verification Number 1
QR Transaction Retry 2
QS Transaction Successful 0
QT Invalid currency 3
QU Unknown Customer IP Address 3
QV Invalid Capture Order Number specified for Refund, Refund amount exceeds capture amount, or Previous capture was not approved 1
QW Invalid Reference Number 1
QX Network Error has occurred 3 Yes
QY Card Type Not Accepted 1
QZ Zero value transaction 0
RA response text varies depending on reason for rejection 3
RG response text varies depending on reason for rejection 3
RM Rejected at the Merchant Server level 3
No Short for 'No Account’, this response code indicates the QuickVault account used for the transaction was not found. More information. 3

00 - Approved

This indicates that the transaction has been authorised.

What authorisation DOES mean:-

  • The card number is valid
  • The card has not been reported lost or stolen (although it may in fact be lost, stolen or compromised [card details improperly obtained or copied] and the card owner is unaware)
  • There are sufficient funds available to cover the transaction.

What authorisation DOES NOT mean:-

  • An authorisation does NOT confirm that the person providing the card number is the legitimate card holder. The risk remains that the person providing the credit card number has either stolen or improperly obtained the card.

01 - Refer to card issuer

This indicates an error or problem from the card issuer. The problem may be related to the card holder’s account. This response code is often a result of one of the following:-

  • Suspected Fraud
  • Insufficient Funds
  • Stolen Card
  • Expired Card
  • Invalid CVN
  • Any other rule imposed by the card issuer that causes a decline (e.g. daily limit exceeded, minimum monthly payment not made, duplicate transaction suspected, etc).

03 - Invalid merchant

This can indicate a problem with Westpac’s merchant configuration. This can also be returned for AMEX transactions when there is a problem with the setup at American Express. This code can be returned from an issuing bank if they don’t like the acquiring bank. An example of this would be someone trying to pay their speeding fine with an overseas credit card. The overseas issuing bank would return a 03, indicating that they wouldn’t allow the transaction over the internet for an Australian bank.

04 - Pickup Card.

This can mean the card has been reported as lost or stolen. The card holder should contact their issuing bank.

05 - Do not honour

This indicates an error or problem from the card issuer. The problem may be related to the card holder’s account. In general the reason for this response code may be any of the following:-

  • Suspected Fraud
  • Insufficient Funds
  • Stolen Card
  • Expired Card
  • Invalid CVN
  • Any other rule imposed by the card issuer that causes a decline (e.g. daily limit exceeded, minimum monthly payment not made, duplicate transaction suspected, etc).

08 - Honor with identification

This indicates that the transaction has been authorised.

What authorisation DOES mean:-

  • The card number is valid
  • The card has not been reported lost or stolen (although it may in fact be lost, stolen or compromised [card details improperly obtained or copied] and the card owner is unaware)
  • There are sufficient funds available to cover the transaction.

What authorisation DOES NOT mean:-

  • An authorisation does NOT confirm that the person providing the card number is the legitimate card holder. The risk remains that the person providing the credit card number has either stolen or improperly obtained the card.

12 - Invalid transaction

This code is often returned from the issuer when they do not accept the transaction. This can possibly be when a transaction for the same amount and merchant is attempted multiple times quickly for the same card. The card holder should contact their issuing bank.

14 - Invalid card number (no such number)

This code indicates that the card number does not exist. Also returned code if an AMEX card is used, but the merchant is not setup for AMEX cards.

22 - Suspected Malfunction

This code normally indicates that the card number was invalid.

42 - No Universal Account

This error is returned from some issuers when the credit account does not exist at the issuing bank. This situation is similar to the 14 response code.

54 - Expired Card

This error is returned when the credit card has expired. Check that the expiry date is correct, and attempt the transaction again. If the transaction still does not work, check with the card holder to see if they have a new card with a new expiry date.

61 - Exceeds withdrawal amount limits

This error is returned when the card holder does not have enough credit to pay the specified amount. Ask the card holder if they have another card to use for the payment.

91 - Issuer or switch is inoperative

This code is used to indicate that the next party in a credit card transaction timed out and the transaction has been reversed. This may happen between QuickStream and Westpac, or further down the chain. This response may also be returned for pre-authorisation transactions that are manually reversed.

92 - Financial institution or intermediate network facility cannot be found for routing

The card number is incorrect. The first 6 digits of the credit card number indicate which bank issued the card. These are used for routing credit card requests through the credit card network to the issuing bank. This error indicates that there is no bank that corresponds to the first 6 digits of the card number.

QI - Transaction incomplete

This status code indicates that a request message was sent to the QuickStream server but no response was received within the timeout period.

QQ - Invalid Card

The QQ error code indicates that the credit card details (card number, expiry date or CVN) are invalid. This could be because the card number does not meet check digit validation, an invalid expiry date was entered, or an invalid CVN was entered.

QY - Card Type not accepted

The QY error code indicates that the merchant is not enabled for the particular card scheme. This error code is normally returned for American Express and Diners Club cards, or when a UnionPay debit card is used. Only UnionPay credit cards are supported.

Q3 - Payment Gateway Unavailable

The downstream credit card gateway was unavailable. The credit card transaction was not attempted and the transaction record will not exist. When you receive this response code, the transaction will not exist in QuickStream.

No - No Account

The QuickVault account used for the transaction was not found or is not enabled. Please check that the QuickVault account exists and is enabled. You can do this in via QuickGateway or in QuickStream Portal.

Bank account transaction response codes

(aka Direct Entry Transaction Response Codes)

In all cases where the response code requires the account holder to contact their bank, it will help if they can provide a date and amount of the failed attempted transaction and specifically ask the bank why they returned that status for the attempted transaction. Otherwise the issuing bank staff may just check the available funds in the account.

Successful Direct Entry transactions will generally have a response code of G - WBC Exception Processing released successfully.

Summary Code Description
0 Approved
1 Declined
2 Processing
3 Rejected


Code Description Summary Code Soft Decline
Zero Zero 0
No Account No Account Registered 1
Duplicate Duplicate Transaction 1
New New 2
1 Invalid BSB Number 1
2 Payment stopped. More information 1
3 Account Closed. More information 1
4 Customer Deceased 1
5 No Account/Incorrect Account#. More information 1
6 Refer to Customer. More information 1 Yes
7 No form PDC held 1
8 Invalid User ID Number 1
9 Other. More information 1 Yes
Success Approved or completed successfully 0
R WBC Exception Processing Error - see description 3
G WBC Exception Processing released successfully. More information 0
C WBC Exception Processing - Cancelled 3
D WBC Exception Processing - Recalled 3
No Short for ‘No Account’, this response code indicates the QuickVault account used for the transaction was not found. More information. 3

2 - Payment Stopped

The account holder has requested that their bank stop any direct debit transactions. Contact the customer to determine an alternate payment mechanism, or if they wish to stop their service.

3 - Account Closed

The account holder has closed their account. Contact your customer to ask for new account details.

5 - No Account/Incorrect Account

Contact your customer to determine if the BSB and account number you have is correct. It may be useful for them to fax you the first page of their bank account statement so that you can check you have the correct BSB and account number.

6 - Refer to Customer

Contact your customer to determine if they have sufficient funds in their account, if the BSB and account number you have is correct, and if their account allows direct debit transactions.

9 - Other

The banks use this response code as they see fit. If you receive this response code for a customer and you have never had a successful debit for that customer, first check the BSB and account number. This could indicate one of the following:

  • Account does not allow Direct Debit
  • Incorrect Account Number
  • Insufficient Funds
  • Suspected Fraud
  • Any other rule imposed by the account holder’s bank that causes a decline (e.g. daily limit exceeded, duplicate transaction suspected, etc)

G - WBC Exception Processing released successfully

The transaction is being processed by Westpac. If the debit is from another bank, Westpac has sent the transaction to that bank. When a direct entry transaction is successful, it remains in this response code. When a transaction is declined and returned, the response will be set to a different response code.