QuickWeb Technical Implementation Guide

QuickWeb

QuickWeb is a Westpac hosted service that enables your website to offer secure online payments.

The key features of the solution are:

  • It integrates with your existing website.
  • The appearance of the QuickWeb pages can be branded to look like your website. This gives the customer the impression the payment is being made from your website.
  • QuickWeb manages the complexities of the payment process, providing you with a summary of the outcome.
  • You can offer your customers credit card payments and bank account payments.

Demo Payment Flow

This page describes the payments QuickWeb solution. Other types of QuickWeb are:

The purpose of this document is to describe the QuickWeb solution and explain how it can integrate with an existing website. High level requirements as well as detailed step-by-step instructions are included in the document to help with the implementation process.

The intended audience for this document is the software development team that will be responsible for integrating QuickWeb with their website.

How does the payment process work?

The following diagram shows the high level sequence of events that take place when a customer makes a payment.

Payment process

The steps for the above diagram are as follows:

  1. The customer visits your website. One of your webpages will include a button (or a link) to QuickWeb. The location of this button will depend on the tasks you want the customer to complete before entering their payment details. For example,

    • You may want to verify the customer's reference number before showing the button.
    • If your website has a shopping cart, you may want to display the button at the end of the shopping experience.
    • You may not require any verification. In this case you could include a simple link on one of your pages.
  2. Your website will link to QuickWeb after the customer clicks the button. This transition is referred to as the 'handoff'. The technical details for this process will be discussed further in Link from your website to QuickWeb.

  3. QuickWeb will display the 'Payment Details' page. Typically this page will allow the customer to enter their payment amount, payment reference and payment details. The content and branding of this page will be discussed further in Branding QuickWeb - Payment Details page.

  4. QuickWeb will display the 'Confirmation' page. This will allow the customer to review their payment details before QuickWeb proceeds with making a payment. The content and branding of this page will be discussed further in section Branding QuickWeb - Confirmation page.

  5. QuickWeb will make the payment.

  6. QuickWeb will display the 'Receipt' page. This page includes a button linking back to your website. Note, it is not mandatory for QuickWeb to show the 'Receipt' page. If you prefer, QuickWeb can redirect back to your website so that you can show the receipt page. This will be discussed further in Link from QuickWeb back to your website.

  7. QuickWeb will return the customer back to your website. This process is known as the 'passback' and will be discussed further in section Link from QuickWeb back to your website.

  8. Your website will display the appropriate page to the customer.

Implementation process overview

There are a number of tasks involved in implementing a QuickWeb solution. Each task is described in detail in the following sections of this document. A summary of the tasks and their corresponding section number is listed in the table below.

Steps Description/Document Reference
Step 1 Kick-off meeting
Step 2 Branding QuickWeb
Step 3 Linking from your website to QuickWeb
Step 4 Linking from QuickWeb back to your website
Step 5 Receiving payment details
Step 6 Testing
Step 7 Sign off
Step 8 Production lodgement
Step 9 Go live
Step 10 Post implementation

To help with the implementation process, we have included a requirements checklist for you to complete as you work on each task. The purpose of the requirements checklist is to help identify and keep track of your requirements.

If you require further assistance, please contact your Westpac Implementation Manager or your Qvalent implementation manager.

Kick-off meeting

The kick-off meeting is the first meeting between your organisation and Qvalent. This typically consists of a telephone conference with the relevant people from your organisation, Westpac and Qvalent.

The purpose of this meeting is to, introduce the team members from each organisation, discuss the implementation process and discuss your requirements.

Branding QuickWeb

The purpose of this section is to describe the QuickWeb pages that are involved in the payment process and explain how we can tailor their appearance and behaviour to meet your needs. This process is referred to as "branding QuickWeb".

Branding is the first task we like to complete in the implementation. It allows us to identify your needs early and develop a working set of pages for you to examine in our test environment. This will then allow you to quickly identify any issues and provide us with feedback.

In general it takes 6 weeks to develop a branded set of QuickWeb pages. This will vary depending on your requirements. We also expect there will be 2-3 iterations before the final release.

Defining requirements

There are a number of decisions that need to be made during the branding process. These include:

  • The layout of the page
  • The size and location of images
  • The name and position of buttons and links
  • The size and type of the font/s
  • The data you want your customer to enter in QuickWeb
  • The data you want your customer to enter in your website rather than QuickWeb
  • Identifying additional data you want to pass from your website and have QuickWeb display
  • Whether to display your own receipt page or have QuickWeb show the receipt page

There are three ways you can provide us with your branding information:

1. Provide the URL of your existing website for us to copy

If you would like to have the same look and feel as your existing website, simply provide us with the URL of your website.

We will then use your website as our branding guideline for developing your QuickWeb pages.

2. Provide a branding guide for us to use

If your business has a branding guide or a style guide for website development and you would like us to follow that guide, simply send us a copy of your branding guide.

We will then use this as our branding guideline for developing your QuickWeb pages.

3. Provide us a branded version of the QuickWeb click-through

The QuickWeb click-through is a zip file that contains a simple version of our QuickWeb pages. It shows the flow of the pages, the basic layout of each page and the data we typically request from the customer. Your developers can use this click-through as a base for creating your own branded version of the pages. Once complete, send us the new click-through zip file (including all the required images and CSS).

We will then use this as our branding guideline for developing your QuickWeb pages. Please notify your implementation manager if you have not yet received a copy of the QuickWeb click-through.

Download the QuickWeb click-through

QuickWeb pages

This section describes each of the QuickWeb pages that are involved in the payment process. Sample images have been included to help with the description of each page. These are example images only. As part of the branding process we can change the look and feel of the page, the data we show to the customer and the data we request from the customer.

The basic QuickWeb pages are:

  1. Payment Details page
  2. Confirmation page
  3. Receipt page

Payment details page

This is the first QuickWeb page in the payment process (cards only).

QuickWeb Payment Details page

This is the first QuickWeb page in the payment process with cards and bank accounts.

QuickWeb Payment Details page with bank accounts

The fields for the "Payment Details" page are described in the following table:

Field Details
Amount The amount the customer needs to pay. This value excludes any surcharge amount.

Note:
- A credit card surcharge amount may be added to this amount after the customer has entered their credit card details.
- If you would like to accept payments in a currency other than Australian dollars please advise.
- If you would prefer the amount to be entered/calculated on your website you can instead pass the value across to QuickWeb during the handoff. QuickWeb will then show the amount as a read only value. For more information about the handoff see Linking from your website to QuickWeb.
Payment Reference The "Payment Reference" is a unique value that identifies the payment. For example, it may represent an invoice number, credit note number, fine code or transaction reference. This value can then be used later to help you reconcile the payment in your backend system.

Note:
- This field is only relevant if a payment level identifier can be provided. If your customers can only provide a customer level identifier you will need to use the "Customer Reference Number" field instead.
- The label for this field may be changed to a name of your choosing. Please advise if a different name would better suit your customers.
- We can validate the value entered by the customer. Typically the number entered would include a check digit for us to verify its validity. Alternatively you can send us a data file that contains the list of accepted values for us to check against. Please advise if you would like validation to occur and specify the validation routine you would like us to apply.
- If you prefer, your system can pass the Payment Reference to QuickWeb during the handoff. This can be done using the paymentReference parameter. QuickWeb will then display the Payment Reference as a read only value. For information about passing the value to QuickWeb see Linking from your website to QuickWeb.
Customer Reference Number The "Customer Reference Number" is a reference that identifies the customer. For example, it may represent a customer number, family code, company code or Bpay number. This value can then be used later to help you reconcile the payment in your backend system.

Note:
- The difference between this field and the "Payment Reference" field is that this field can only allocate the payment to the customer level. For example, it allows you to identify who made the payment but not the specific invoice that was paid.
- The label for this field may be changed to a name of your choosing. Please advise if a different name would better suit your customers.
- We can validate the value entered by the customer. Typically the number entered would include a check digit for us to verify its validity. Alternatively you can send us a data file that contains the list of accepted values for us to check against. Please advise if you would like validation to occur and specify the validation routine you would like us to apply.
- If you prefer, you can pass the Customer Reference Number to QuickWeb from your website. This can be done during the handoff using the customerReferenceNumber parameter. QuickWeb will then display the customer reference number as a read only value. For information about passing the value to QuickWeb see Linking from your website to QuickWeb.
Payment Method This page assumes your customers are allowed to pay via credit card or direct debit. The appearance of the page will change if the customer chooses a different payment method. For example, if "Credit Card" is selected QuickWeb will remove the bank account fields and display credit card fields instead.
If you do not want customers to pay via credit card please advise your implementation manager. We can remove the "Payment Method" field if you are only offering direct debit.
Cardholder Name The name printed on the front of the customer's credit card
Credit Card Number The number that appears on the front of the customer's credit card. The value is entered as a continuous string of digits. We recommend that the list of accepted credit cards is also displayed on this page. It is particularly useful if certain credit cards are not accepted (for example Amex or Diners). If you do not include the list here your customer will not be notified about the invalid card type prior to submitting the payment details.
Expiry Date The expiry date printed on the customer's credit card. The date format must be mm/yy. Separate drop down boxes are provided for the month and year.
Card Verification Number (CVN) The "Card Verification Number" is an additional security number included on the customer's credit card. Information about the number, where it is located on the card and why it is used appears in a popup window when the customer clicks the "What's this?" link. An example of this page is included below.
Direct Debit Service Agreement A Direct Debit Request (DDR) Service Agreement is required for bank account payments. It is written by your organisation and outlines the terms and conditions for making direct debit payments.
I accept the Direct Debit Request The customer must agree to the terms and conditions before going to the next page. This is done by ticking the checkbox.
Account Name The customer's bank account name.
BSB The customer's BSB (Branch-State-Branch)
Account Number The customer's bank account number.

What's This? CVN Explanation

Additional information:

  • If a surcharge is required for certain credit card types please advise your implementation manager. We recommend displaying the surcharge rates for each card type on this page.
  • The "Cancel" button will take the customer back to your website.
  • The "Next" button will take the customer to the "Confirmation" page.

Confirmation page

This page appears after the customer has entered their payment details. It allows the customer to check their details before going ahead with the payment.

Confirmation page

Confirmation page with bank account

The fields for the "Confirmation" page are described in the following table:

Field Details
Principal Amount The amount the customer entered on the previous page.
Surcharge Amount The surcharge amount calculated by QuickWeb. The calculation is based on the amount entered by the customer and the type of credit card they have used. A checkbox is included at the bottom of the page to ensure the customer is aware of the surcharge. The payment will not be attempted until the customer has ticked this box.
Total Amount The total amount the customer must pay. QuickWeb will calculate this value by adding the Principal Amount and the Surcharge Amount. This is the value that will be charged to the customer's credit card.
Payment Reference The Payment Reference that the customer entered on the previous page.
Customer Reference Number The Customer Reference Number that the customer entered on the previous page.
Cardholder Name The card holder name that the customer entered on the previous page.
Credit Card Number The credit card number the customer entered on the previous page. For security reasons we do not display the entire credit card number.
Expiry Date The expiry date that the customer entered on the previous page.
Account Name The account name that the customer entered on the previous page.
BSB The BSB the customer entered on the previous page. For security reasons we do not display the whole number.
Account Number The account number the customer entered on the previous page. For security reasons we do not display the whole number.
Verification Code The "Verification Code" is included for security reasons. It is a random computer generated code that can only be read by humans. This prevents hackers from being able to use QuickWeb to automatically validate stolen credit card details. The customer must type the code into the provided field before they are allowed to proceed. Note, this field is not required if: - The "Customer Reference Number" or "Payment Reference" values entered on the "Payment Details" page were validated by QuickWeb. - The "Customer Reference Number" or "Payment Reference" values were provided to QuickWeb in the handoff.

Additional information:

  • The "Back" button will take the customer back to the "Payment Details" page.
  • The "Cancel" button will take the customer back to your website.
  • The "Confirm" button will instruct QuickWeb to attempt the payment. The credit card transaction is conducted in real time. The customer must wait for a response from QuickWeb. At this point the buttons will become inactive and the message "Please wait" will be displayed to the customer. This will prevent the customer from making multiple payment attempts.
  • After the payment is made the receipt page will be displayed. You can choose to have QuickWeb display the receipt page or if you prefer you can display your own receipt page.
  • QuickWeb can also provide your server with payment summary details at this point. See Server to server notification.

Duplicate payments

QuickWeb performs duplicate transaction checks in order to reduce the instances of accidental double payment. See Duplicate payment checking.

Receipt page

The receipt page is shown after the credit card payment is attempted. You can choose to have QuickWeb display the receipt page or if you prefer you can display your own page.

The following image is an example of a QuickWeb receipt page for a card payment.

Receipt page

The following image is an example of a QuickWeb receipt page for a bank account payment.

Receipt page with bank account

The receipt page can be branded to match your existing website.

The data on the receipt page is described in the following table:

Field Details
Status This value indicates whether or not the payment attempt was successful. A value of "Approved" means the payment was successful. A value of "Declined" means the payment attempt was unsuccessful.
Receipt Number A unique transaction ID generated by QuickWeb. This value can be used later to locate the payment in the QuickStream Portal search screens.
Principal Amount The amount the customer entered on the previous page.
Date The date and time that the transaction was made by QuickWeb.
Surcharge Amount The surcharge amount the customer had to pay. It is based on the payment amount entered by the customer and the type of credit card they have used.
Total Amount The total payment amount calculated by QuickWeb. It is calculated by adding the payment amount and surcharge amount. This amount was charged to the customer's credit card.
Payment Reference The Payment Reference that was entered on the "Payment Details" page.
Customer Reference Number The Customer Reference Number that was entered on the "Payment Details" page.
Cardholder Name The card holder name that the customer entered on the "Payment Details" page.
Credit Card Number The credit card number the customer entered on the "Payment Details" page. For security reasons we do not display the entire credit card number.
Expiry Date The expiry date that the customer entered on the "Payment Details" page.
Account Name The account name the customer entered on the "Payment Details" page.
BSB The BSB the customer entered on the "Payment Details" page. For security reasons we do not display the whole value.
Account Number The account number the customer entered on the "Payment Details" page. For security reasons we do not display the whole value.
Send Receipt Email To This field allows the customer to send a copy of the receipt to the specified email address. The receipt will be included as a PDF attachment. An example PDF receipt is shown below.

Additional information:

  • By default, when the receiptEmailAddress parameter is provided, an email will automatically be delivered to that address after confirming the payment. The customer can also use the "Send Receipt Email To" field to send additional copies of the receipt.

  • The "Finish" button will take the customer back to your website. We will use the returnUrl parameter value to do this. You will provide this parameter during the handoff to QuickWeb. See Linking from your website to QuickWeb for details.

  • The "Print" button will display a PDF version of the receipt. The customer can then print the PDF. See example below.

The following is an example of a receipt for a card payment.

Receipt page

The following is an example of a receipt for a bank account payment.

Receipt page with bank account

QuickWeb test poster

The QuickWeb test poster is a webpage that allows you to easily view your QuickWeb pages in our test environment. The page is intended for the test environment only. It will not exist in the live environment. The purpose of the page is to simulate the handoff from your website to QuickWeb. This means you can review the branded QuickWeb pages before you implement your handoff.

The following image is an example of a test poster

Test poster

This particular example simulates a secure token handoff (described in Sending parameters via secure token request).

The page is divided into two sections:

  • The "Generate Token" (top) section lists the parameters we expect your server to pass to QuickWeb in the first part of the handoff (ie the secure token request). These parameters are explained in detail in Parameters for secure token request. When the "Generate Token" button is clicked, the webpage will generate a dummy security token and place it in the "Token" field (shown in the bottom section).

  • The "Handoff" (bottom) section lists the parameters we expect the client's browser to pass to QuickWeb in the second part of the handoff (ie the browser redirect). These parameters are explained in detail in Parameters for redirect.

    When the "Submit" button is clicked the first QuickWeb page will appear.

Duplicate payment checking

QuickWeb performs duplicate transaction checks in order to reduce the instances of accidental double payment.

What's a duplicate?

A transaction is considered a duplicate if there is a previous transaction that matches all these criteria:

  • has the same credit card number (but not necessarily expiry date) or bank account BSB and account number
  • is for the same merchant
  • is for the same amount
  • is approved or currently processing
  • is not a QuickBatch transaction (but could be QuickVoice, QuickConnect, etc)
  • is for the current settlement date

What is displayed to the card holder?

The card holder is warned of the duplicate and must tick a box in order to continue processing.

Duplicate Payment Check

Can a merchant disable the duplicate check?

Not directly. However, the duplicate check is not performed if a merchant hosts the (payment details page)[#payment-details-page].

Link from your website to QuickWeb

The purpose of this section is to explain in detail how to link your website to QuickWeb. This process is referred to as the 'handoff'.

Before beginning your implementation of the handoff process you need to decide how you are going to send parameters to QuickWeb. You may choose one of the following options:

  1. Sending parameters via secure token request
  2. Sending parameters via form inputs

Send parameters via secure token request

The secure token request is Westpac's recommended method for sending parameters. It allows the parameters to be sent directly from your server to QuickWeb. This prevents the customer from being able to tamper with the parameters before they are sent to QuickWeb.

In order to use the secure token request your website must have:

  • a dynamic backend which can send a HTTPS POST directly to the QuickWeb server
  • the ability to make an outbound HTTPS connection to QuickWeb through your proxy and firewall

The parameters for this handoff are listed in Handoff parameters for secure token method.

To help explain how the handoff process works we will use the following example. Your implementation may have different webpages, however the actual handoff steps will be the same.

Secure token request handoff

This example has three pages. The first two pages are an example of what your website may display to the customer before you handoff to QuickWeb. The third page is an example of what QuickWeb may display to the customer after the handoff.

Page 1: The 'Enter Details' page instructs the customer to enter their amount and payment reference. When the customer clicks the 'Next' button your website validates the data.

Page 2: The 'Summary' page displays the amount and payment reference as read only fields. When the customer clicks the 'Next' button your website will handoff to QuickWeb. The amount and payment reference are passed to QuickWeb during the handoff.

Page 3: The 'Payment Details' page displays the amount and payment reference as read only fields. Additional fields are also provided for the customer to enter their credit card details.

The following sequence diagram shows how the handoff works using the secure token request. Note:

  • The section highlighted in grey shows the handoff steps. These steps apply for any handoff using the secure token method - not just this particular example. They begin when the customer clicks the last button (or link) on your website.
  • Additional steps have been included before and after the grey box. These steps are specific to this particular example. They are not part of the handoff. They have been included to help demonstrate how the handoff can fit into the overall solution.

Sequence diagram for the handoff using a secure token

The steps for the sequence diagram are as follows:

  1. Enter data & click 'Next'

  2. Post form

    • The customer's browser posts the form to your server.
  3. Store data

    • Your server validates the amount and payment reference. It then stores the data appropriately so that it can be retrieved later for the handoff.
  4. Return html for summary page

    • Your server produces html for the 'Summary' page. The summary page includes the amount and payment reference as read only data. This data is not included as hidden fields. Your server sends the html to the customer's browser.
  5. Click 'Next'

    • The 'Summary' page is displayed to the customer (see Send parameters via Secure Token Request). The customer checks to make sure the data is correct then clicks the 'Next' button. The handoff begins here.
  6. Send request

    • The customer's browser sends the request to your server to initiate handoff.
  7. Retrieve data

    • Your server builds the parameter list that will be sent to QuickWeb as part of the secure token request.
    • For details see Parameters for secure token request.
    • Note, the parameter list for this example is: username, password, paymentReference and principalAmount.
  8. Request security token

    • Your server makes an outbound HTTPS connection to the QuickWeb server. The parameter list is included in the token request.
  9. Generate security token & store parameters

    • QuickWeb generates a security token and stores your parameter list. A unique token is created for every token request.
    • For example: token=m378813qtvOtylVTvVvpWA7PT14QHltr-AqX2gZ-RFM
    • Note, the security token is valid for 1 hour after it is created and can only be used once.
  10. Return security token

    • QuickWeb returns the security token to your server.
  11. Redirect

    • Your server tells the customer's browser to redirect to QuickWeb. A list of parameters is included in the redirect. For details see Parameters for redirect.
  12. Request payment page

    • The customer's browser redirects to QuickWeb. The list of parameters is included in the redirect.
  13. Verify security token & lookup parameters

    • QuickWeb verifies the security token to make sure it has not been tampered with. It then uses the token to lookup the parameters that your server passed to QuickWeb during the security token request (see step 8). The token is then destroyed.
  14. Return html for payment page

    • QuickWeb produces html for the 'Payment Details' page and sends it to the customer's browser. The handoff ends here.
  15. Enter payment details

Send parameters via form inputs

Form inputs is the second option for sending parameters to QuickWeb. It involves all the parameters being sent directly from the customer's browser to QuickWeb. It is an easier method to implement, however it does allow the customer to tamper with the parameters before they are sent to QuickWeb. Westpac therefore recommends using the secure token method described in Sending parameters via secure token request instead.

The parameters for the handoff are listed in Handoff parameters for form inputs. The sequence diagram below shows how the handoff (in Send parameters via Secure Token Request) works using only form inputs. It also explains where the security vulnerability is and describes how the customer may exploit it.

Sequence diagram for handoff using form inputs

The steps for the above sequence diagram are as follows:

  1. Enter data & click 'Next'

  2. Post form

    • The customer's browser posts the form to your server.
  3. Return html for summary page

    • Your server validates the amount and payment reference. It then produces html for the 'Summary' page. The page:
      • Shows the amount and payment reference as read only data.
      • Includes hidden fields for the amount and payment reference.
      • Includes hidden fields for the mandatory and optional parameters that need to be passed to QuickWeb. For details see Handoff parameters for form inputs.
  4. Click 'Next'

    • The customer views the 'Summary' page (see Send parameters via Secure Token Request). They check the data is correct then click the 'Next' button. The handoff begins here.
  5. Post form

    • The customer's browser posts the form to QuickWeb.
  6. Return html for payment page

    • QuickWeb produces html for the 'Payment Details' page. The html is sent to the customer's browser.
    • The handoff ends here.
  7. Enter payment details

Link from QuickWeb back to your website

The purpose of this section is to explain how the customer can return to your website after QuickWeb has made the payment. This process is referred to as the 'passback'.

Before implementing the passback you need to decide when you would like the customer to return to your website. You may choose one of the following options:

  1. QuickWeb receipt page linking to your website
  2. QuickWeb redirecting to your website for you to show the receipt page

In this option QuickWeb will display its own receipt page to the customer. The receipt page includes a button that links back to your website. The passback occurs when the customer clicks the button.

The sequence diagram below shows how the customer can return to your website if they use this option.

Sequence diagram for the passback via QuickWeb receipt page

The steps for the above sequence diagram are:

  1. Click 'Confirm'

    • QuickWeb displays the 'Confirmation' page to the customer. The customer reviews the details then clicks the 'Confirm' button to continue.
  2. Send request

    • The customer's browser sends the request to QuickWeb.
  3. Make payment

    • QuickWeb makes the payment.
  4. Return html for receipt page

    • QuickWeb builds the html for the receipt page. The page includes a button that links back to your website. QuickWeb will link the button to the returnUrl you provided in the handoff (see details about the handoff). QuickWeb returns the html to the customer's browser.
  5. Click 'Finish'

    • The customer views QuickWeb's receipt page. When they have finished reading the page they click the 'Finish' button. The passback begins here.
  6. Request next page

    • The customer's browser asks your server for the next page.
  7. Return html for next page

    • Your server returns the html for the next page. The passback ends here.

QuickWeb redirects to your receipt page

In this option QuickWeb will return the customer to your website immediately after the payment is made. Your website will then show a receipt page to the customer. QuickWeb will include a number of parameters in the redirect. They will be included as a list of ampersand delimited parameters.

The parameters that QuickWeb will return are listed in Passback Parameters.

The sequence diagram below shows how the passback works when using this option.

Sequence diagram for the passback using immediate redirect

The steps for the above sequence diagram are:

  1. Click 'Confirm'

    • QuickWeb shows the 'Confirmation' page to the customer. The customer reviews the details then clicks the 'Confirm' button to continue.
  2. Send request

    • The customer's browser sends the request to QuickWeb to initiate payment.
  3. Make payment

    • QuickWeb makes the payment.
  4. Redirect

    • The passback begins here.
    • QuickWeb builds a list of parameters to include in the redirect. They are included as a list of ampersand delimited parameters. For example: communityCode=ACOMPANY&supplierBusinessCode=ACOMPANY&.... For the full list of parameters see Passback Parameters.
    • QuickWeb instructs the customer's browser to redirect to the returnUrl you provided in the handoff.
    • Note, our default method for sending this data is via a HTTP get. If you would prefer us to use a HTTP post please advise.
  5. Request receipt page

    • The customer's browser redirects to your server.
  6. Retrieve parameters

    • Your server retrieves the parameters from the request.
  7. Return html for receipt page

    • Your server builds the receipt page html. The receipt page will include data from the parameter list. Your server returns the receipt page html to the customer's browser.
    • The passback ends here.

Receiving payment details

There are two ways to receive payment details:

  1. Server to server notification.
  2. Cash Applied File.

Server to server notification

This option is also known as the server-to-server postback. It allows you to receive payment summary details after each credit card payment is made.

This is done via a HTTPS POST to your server. The payment details are posted as form parameters or as XML.

To receive a server to server notification

  1. Your website must provide the serverReturnUrl parameter in a secure token handoff, or configure your server to server notifications in QuickStream Portal.
  2. Configure the domain white list in QuickStream Portal.
  3. Have a valid SSL certificate issued by a trusted certificate authority. Sending the notification over SSL ensures that the encrypted notification cannot be read by a malicious third-party. As your SSL certificate was issued by a trusted certificate authority, it also guarantees that QuickStream is connecting to your webserver (and not another fraudulent server as in the case of DNS attacks).
  4. Have a dynamic backend which can receive and parse HTTPS requests with parameters or can parse XML.

A server to server notification is sent after a successful credit card payment attempt.

When you receive a server to server notification, your system must:

  1. Check that the IP address matches the expected QuickStream IP address.
    • If they do not match you will return a status of 403 Forbidden.
    • See IP addresses in Test and in Production.
  2. Check that the Basic Auth username and password in the Authorization header match your credentials in QuickStream.
    • If they do not match you will return a status of 403 Forbidden.
  3. Extract the payment summary details.
    • The way you do this will depend on the content type the payment details are posted in. You will either extract the details from the form parameters or extract the details from the XML.
  4. Check to make sure you have not already processed a notification for this payment.
    • To do this you will compare the receiptNumber to the receipt numbers you have already processed.
  5. Save the payment details to your database.
  6. Your server returns a status of 200 OK.
    • Note, if an error occurred and you were unable to save the payment details, your server will instead return a status of 500 Internal Server Error.

Example server to server notification consumption in Java

public class NotificationConsumer extends HttpServlet 
{
    ...
    @Override
    protected void doPost( final HttpServletRequest request, 
                           final HttpServletResponse response ) throws IOException
    {
        try 
        {
            if( !request.getRemoteAddr().equals( QUICKSTREAM_IP_ADDRESS ) ) {
                response.sendError( HttpServletResponse.SC_FORBIDDEN );
                return;
            }
            final String authorization = request.getHeader( "Authorization" );
            if( authorization == null )
            {
                response.sendError( HttpServletResponse.SC_UNAUTHORIZED );
                return;
            }
            String base64Credentials = authorization.substring( "Basic".length() ).trim();
            String credentials = new String( Base64.getDecoder().decode( base64Credentials ), Charset.forName( "UTF-8" ) );
            final String[] values = credentials.split(":",2);
            if( !QUICKSTREAM_USERNAME.equals( values[0] ) || !QUICKSTREAM_PASSWORD.equals( values[1] ) )  {
                response.sendError( HttpServletResponse.SC_FORBIDDEN );
                return;
            }
            response.setStatus( HttpServletResponse.SC_OK );
            for( final String name : request.getParameterMap().keySet() ) {
                for( final String value : request.getParameterMap().get( name ) ) {
                    // Consume
                }
            }
        }
        catch( final Exception e  ) {
            response.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR );
        }
        return;
    }
}

Example server to server notification consumption in PHP

<?php
    header( "Content-Type: text/plain" );
    if ( $_SERVER["REMOTE_ADDR"] != QUICKSTREAM_IP_ADDRESS ) {
        header("HTTP/1.1 403 FORBIDDEN");
        return;
    }
    if ( !isset($_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] ) ) {
        header("HTTP/1.1 401 UNAUTHORIZED");
        return;
    }
    if ( $_SERVER['PHP_AUTH_USER'] != QUICKSTREAM_USERNAME || $_SERVER['PHP_AUTH_PW'] != QUICKSTREAM_PASSWORD ){
        header("HTTP/1.1 403 FORBIDDEN");
        return;
    }
    if( $_SERVER["REQUEST_METHOD"] === "POST" ) {
        try {
            foreach( $_POST as $key => $value ) {
                // consume
            }
            header("HTTP/1.1 200 OK");
        } catch (Exception $e) {
            header("HTTP/1.1 500 INTERNAL SERVER ERROR");
        }
    }
    return;
?>

Parameters in the server to server notification

These parameters are present in the server to server notification:

Parameter Name Description
sourceCode The payment channel used to make the transaction. The values are net, adhoc and phone.
receiptNumber The unique receipt number generated by QuickWeb. This value can be used later to locate this payment in QuickStream Portal.
communityCode Your community code. Provided in communityCode during the handoff. See View your connection details in QuickStream Portal.
supplierBusinessCode Your supplier business code. Provided in supplierBusinessCode during handoff. See View your connection details in QuickStream Portal.
paymentReference Provided in paymentReference during the handoff or entered by the payer.
customerReferenceNumber A customer-level reference. Provided in supplierBusinessCode during the handoff or entered by the payer.
paymentAmount The payment amount including surcharges.
surchargeAmount The surcharge amount.
cardScheme The card scheme. One of:
  • VISA
  • MASTERCARD
  • AMEX
  • DINERS
  • UNIONPAY
  • JCB
settlementDate The settlement date of the payment. See Transaction settlement.
createdDateTime The date and time of the transaction on the QuickWeb server in Sydney. Format: dd MMM yyyy HH:mm:ss.
responseCode The two digit response code. See Response Codes.
responseDescription The description of the response code. See Response Codes.
summaryCode The one digit summary code. See Response Codes.
successFlag true when the transaction was successful, otherwise false.
Custom fields Any custom parameters that you included in the handoff will be sent back to you.

That is, any parameters prefixed with custom will be included in this notification.

For example:
customTitle,
customPayeeName

If you choose to receive the data as XML, the parameters listed in the table above will instead be built into an XML document. This document will be passed to your server in the body of the request. The request will have a content-type of application/xml.

An example XML response

POST /payments HTTP/1.1
Host: yoursite.com.au
Content-Type: application/xml

<PaymentResponse>
    <sourceCode>Net</sourceCode>
    <receiptNumber>1003548481</receiptNumber>
    <communityCode><YOUR_COMMUNITY_CODE></communityCode>
    <supplierBusinessCode><YOUR_SUPPLIER_CODE></supplierBusinessCode>
    <customerReferenceNumber>CUSTOMER1</customerReferenceNumber>
    <paymentReference>PAYMENT1</paymentReference>
    <paymentAmount>624.00</paymentAmount>
    <surchargeAmount>24.00</surchargeAmount>
    <cardScheme>VISA</cardScheme>
    <settlementDate>20170110</settlementDate>
    <createdDateTime>10 Jan 2017 01:11:31</createdDateTime>
    <responseCode>00</responseCode>
    <responseDescription>Approved or completed successfully</responseDescription>
    <summaryCode>0</summaryCode>
    <successFlag>true</successFlag>
</PaymentResponse>

Cash Applied File

See Cash applied file.

Retrieving a Cash Applied File

The file may be retrieved using iLink or available for download in QuickStream Portal.

  • iLink is a service that allows you to securely send files to and receive files. You can do this manually or via straight through connectivity that uses SFTP, HTTPS or SOAP.
  • QuickStream Portal is the administrative interface for QuickStream products, such as QuickWeb and QuickConnect.

See iLink Documentation for more information.

To download a Cash Applied File from QuickStream Portal:

  1. Sign into QuickStream Portal
  2. Click Administration -> Transactions and Reports -> Facility Reports
  3. Your report will appear on this page.
    • Select the download icon to retrieve a Cash Applied File.
    • Use the date filters to find older files.

Download cash applied files from QuickStream Portal.

Manage your security settings

QuickStream Portal is your administration interface for QuickStream. You can manage the following security settings:

Manage your IP white list

The IP address white list holds the allowed IP addresses for secure token requests. Requests made from IP addresses that are not in this white list will be rejected, and will not receive a security token.

  1. Sign into QuickStream Portal
  2. Click Administration -> Facility Settings -> Manage IP Address White List
  3. Select Add IP Address to white list a new IP address, or select the edit or delete icons to manage existing entries.

QuickStream Portal allows you to manage your allowed IP addresses.

Manage your domain white list

The domain white list holds the allowed domains or URLs for sending server to server notifications. Server to server notifications to URLs that are not in this white list will be rejected, and will not receive a server to server notification.

  1. Sign into QuickStream Portal
  2. Click Administration -> Facility Settings -> Manage Domain White List
  3. Select Add Domain to white list a new domain or specific URL, or select the edit or delete icons to manage existing entries.

You can white list your entire domain, or a specific URL. For example,

  • To receive server to server notifications from any URL on your website, white list yoursite.com.au.
  • To receive server to server notifications at a specific URL on your website, white list yoursite.com.au/payments.

QuickStream Portal allows you to manage your allowed domains.

View your connection details

Connection details are required to interact with QuickStream in each environment. These connection details refer to values you must pass for the Secure Token Handoff.

  1. Sign into QuickStream Portal
  2. Click Administration -> Facility Settings -> View Connection Details
  3. Select Secure Token Request to view connection details for the Secure Token Request.

QuickStream Portal allows you to view your connection details and configuration.

Manage server to server notifications

Server to server notifications are submitted directly to your system. A HTTP POST with form data or XML sent from QuickStream after a successful credit card payment attempt.

  1. Sign into QuickStream Portal
  2. Click Administration -> Facility Settings -> Manage Server to Server Notification

Manage server to server notifications in QuickStream Portal.

Destination URL

This option can be used for:

You can override this by passing serverReturnUrl in a Secure Token Handoff for the above products except the QuickTerminal and QuickVoice products.

Notification format

Choose HTTPS POST or XML.

Control Description
HTTPS POST The server to server notification will be sent as HTTPS POST form parameters.
XML The server to server notification will be sent as HTTPS POST with XML as the request body.

Automatic retry of failed notifications

Configure the number of times you wish QuickStream to re-send failed notifications. A failed notification is one where a server cannot be reached, or a server responds with a HTTP status code other than 200 OK.

Control Description
If the original attempt fails Choose the time until the system retries the first time.
If this second attempt fails, retry Choose number of times the system should retry after the second attempt.
at intervals of Choose the interval between each subsequent retry.
If all attempts fail, send an email to Enter the email address the system will notify when a server to server notification cannot be sent. You can override this by passing errorEmailToAddress in a Secure Token Handoff.

For example the following setting produces a schedule:

Setting Value
If the original attempt fails Retry 1 minute after the original attempt
If this second attempt fails, retry 3 more times
at intervals of 10 mins
If all attempts fail, send an email to john@yoursite.com.au

This setup will send the following server to server notifications:

  1. Credit card payment made at 12:00 PM
  2. Server to server notification sent at 12:00 PM and failed.
  3. Server to server notification retried at 12:01 PM and failed.
  4. Server to server notification retried at 12:11 PM and failed.
  5. Server to server notification retried at 12:21 PM and failed.
  6. Server to server notification retried at 12:31 PM and failed.
  7. Stop retrying and send an email to john@yoursite.com.au.

Troubleshooting security settings

QuickStream Portal's Activity Log shows:

Types of entries you may see for unsuccessful secure token requests are:

  • A Secure Token Request was received from an IP address that is not in the IP Address White-list for this facility.

Types of entries you may see for unsuccessful server to server notification attempts are:

  • Server to server postback to URL X failed as no username or password is configured for this facility.
  • Server to server postback URL X using HTTP, but should be HTTPS.
  • The URL X is not listed as an allowed end point to post response information to.
  • The URL X is invalid and cannot be used as an end point to post response information to.
  • Received HTTP N instead of HTTP 200 from endpoint X.

QuickStream Portal allows you debug connection problems through the Activity Log.

Testing

See Testing.

Test account numbers

See Test card and bank account numbers.

Test URLs and IP addresses

See Test URLs and IP addresses.

Sign off

After you have completed your user acceptance testing you must send a 'sign off' email to your Qvalent implementation manager. The email will state that you have successfully tested all aspects of the solution and you are ready for it to be moved into production.

A sample sign off email is included below.

To: Qvalent_implementation_manager

Cc: Westpac_implementation_manager

Subject: Sign off

We have successfully completed user acceptance testing. Our tests covered all areas of the solution. They included payments, reporting and QuickStream Portal admin tasks.

Our payment tests covered:

  • Approved transactions
  • Declined transactions
  • Invalid payment details
  • Duplicate payments

Our reporting tests covered:

  • Retrieving the daily payment report
  • Uploading the payment report into our system

Our QuickStream Portal admin tests covered:

  • Creating users
  • Assigning roles to users
  • Searching for payments
  • Refunding payments
  • Resending receipts

We are satisfied with the results of these tests and we are ready for the solution to be moved into production.

Regards, John Smith

Production lodgement

See Production lodgement.

Production URLs and IP addresses

See Production URLs and IP addresses.

Go live

Once production lodgement is complete and you are satisfied with the results of your low value tests in production you are ready to go live. The term "go live" represents the date you will make the solution available to your customers.

At this stage of the implementation process there are only a few tasks left to complete. They are:

  • Before the go live date, communicate with your customers to inform them about the new payment process.

  • On the go live date, update the appropriate page (or pages) on your website to make the new solution available to your customers.

After you go live, Qvalent and Westpac will closely monitor the solution. This is known as the "monitoring phase" and lasts for two weeks. During this time, if you have any questions or concerns about the solution you should communicate directly with your Qvalent implementation manager.

Post implementation

Once the two week monitoring phase is over the implementation process is officially complete. Your Qvalent implementation manager will hand the solution over to the Qvalent helpdesk. The helpdesk will be responsible for day to day monitoring of the solution and resolving any issues that occur.

If you have any questions or concerns about the solution at this point contact the helpdesk: QuickStream Technical Support.

Security

The QuickStream suite of products complies with Level 1 of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a multifaceted security standard that includes requirements for

  • security management
  • policies
  • procedures
  • network architecture
  • software design
  • critical protective measures.

For more information on PCI DSS see PCI Data Security Standards.

To ensure QuickStream maintains this high level of security there are a number of security requirements that must be adhered to. These are listed below.

No client specific dynamic content

QuickStream hosted solution (e.g. QuickWeb) payment pages will not contain any client specified dynamic content. This means that you cannot provide javascript or flash components to be used in these solutions. In particular no site measurement javascript or links will be added to any QuickStream page.

QuickStream pages contain sensitive data such as credit card details. The restrictions mentioned above help prevent attacks such as cross site scripting (XSS).

No remote assets

QuickStream hosted solution (e.g. QuickWeb) payment pages will not fetch content from any third party server. All branding resources such as images and stylesheets will be stored on and served from QuickStream servers.

Cookies are required

QuickStream requires session cookies to be enabled in your customer's browser. Session cookies are only used to maintain state while accessing QuickStream. No permanent information is stored on the client's computer once the browser is closed.

Trusting the QuickStream server

When your server exchanges information with QuickStream over HTTPS it must trust the root level certificate. That is, your server must trust the certificate issued by Verisign - not the certificated issued to Qvalent. The Qvalent certificate will expire and need replacing each year. However the Verisign certificate will have a much longer life (i.e. expire in 2028).

If your server trusts the Qvalent certificate directly your QuickStream implementation will cease to operate when a replacement certificate is installed.

Excessive failures - IP blacklisting

To prevent fraud, Qvalent will monitor IP addresses and transactions. If any suspicious behaviour is detected we will blacklist the IP address to prevent it from accessing QuickStream again.

Captcha

QuickStream hosted solutions (e.g. QuickWeb) uses Captcha image protection to prevent hackers from using the website to validate stolen credit card details. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The Captcha program randomly generates a distorted "word" that humans can read but computer programs can't.

For more information about Captcha see http://www.captcha.net/.

Web analytics

QuickWeb processes payments using the most up to date security best practices. Analytics sends usage data from hosted payment pages via the web browser to a third party system which cannot be guaranteed as secure and may comprise the sensitive data of your customers.

Due to this, hosted payment page solutions (e.g. QuickWeb and QuickVault Web) do not support incorporating analytics code or tools where data is gathered in the customer's browser.

Transport layer security (TLS)

QuickWeb, QuickConnect and QuickVault require Secure Token Handoff and web browser access made using the encryption standard known as TLSv1.2. QuickWeb, QuickConnect and QuickVault rejects request made using TLSv1, or TLSv1.1.

If you receive an error that resembles the error message below, then the underlying TLS connection was not successful. Your systems need adjustments or upgrades to work properly with this service.

TLSv1 is not strong encryption, please use TLSv1.2 instead

HTTP 429 Too Many Requests

You may receive a HTTP 429 Too Many Requests response code when you have sent too many requests in a given amount of time.

If you send more than 10 simultaneous requests, you may receive a HTTP 429 Too Many Requests response code. You should wait for 20 seconds and resend the request.

Standard network ports for HTTP transmissions

QuickStream sends Payment and Registration Notifications (aka Server to Server Responses) via HTTP on standard ports. These are ports 80 and 443. Other network ports are not available to send Payment and Registration Notifications to your server.

Secure token handoff

This section lists the parameters you may pass to QuickWeb during the handoff. This section is only relevant if you are using the "secure token" method. If you are instead using the "form inputs" method please refer to Handoff parameters for form inputs.

When using the secure token method, parameters are sent to QuickWeb in two separate calls. There are:

Parameters for secure token request

The following table lists the parameters that can be passed to QuickWeb during the secure token request. This step is described in Sending parameters via secure token request step 8.

The parameters must be passed to CommunityTokenRequestServlet. The full URL for the test environment is included in Test URLs and IP addresses. The full URL for the production environment is included in Production URLs and IP addresses.

Mandatory parameters

Parameter Name Description
username Your username. This value will be provided to you.
password Your password. This value will be provided to you.
supplierBusinessCode Your QuickWeb supplier business code. This will be provided to you.
connectionType QUICKWEB
product QUICKWEB

Optional parameters

Parameter Name Description
currencyCode The currency code. This will determine which currency to use when making the payment.

Specify either AUD or NZD.

If this parameter is not provided, QuickWeb will default to AUD.
principalAmount The payment amount. Include this parameter if you want the payment amount to be entered/calculated on your website rather than ours. If you include this parameter QuickWeb will display the "Payment Amount" as a read-only field. The customer will not be able to adjust this value in QuickWeb.

Example:
12.00
paymentReference Include this parameter if you want to pass a unique payment level reference to QuickWeb.

For example: invoice number, credit note number, fine code or transaction reference.

QuickWeb will then display the value in the "Payment Reference" field. The customer will not be able to adjust this value in QuickWeb.
customerReferenceNumber Include this parameter if you want to pass a customer level reference to QuickWeb.

For example: customer number, family code, company code, BPAY number.

QuickWeb will then display the value in the "Customer Reference Number" field. The customer will not be able to adjust this value in QuickWeb.
returnUrl Note: We recommend you use a HTTPS URL for this parameter.
The URL you would like QuickWeb to redirect to after the payment is complete. If you do not provide this parameter QuickWeb will display its own receipt page without a link/ button to your website.

Any parameters included in URL will be provided back to you.

Example: https://www.yoursite.com.au/receipt?Name=John&Age=21

See Linking from QuickWeb back to your website for information on how this parameter is used.
cancelUrl Note: We recommend you use a HTTPS URL for this parameter.
The URL you would like QuickWeb to redirect to if the customer chooses to cancel out of the payment process. If you do not provide this parameter QuickWeb will display is own cancel page.

Any parameters included in the URL will be provided back to you.

Example: https://www.yoursite.com.au/cancelledpayment?Name=John&Age=21
serverReturnUrl Note: You must use a HTTPS URL for this parameter.
The URL you would like QuickWeb to send the server to server notification to.

Example: https://www.yoursite.com.au/processPayment

This parameter is only relevant if you wish to receive the server to server payment notification. See Server to server notification for details.
errorEmailToAddress The email address you would like QuickWeb to send an email to if we cannot deliver the payment notification to your server (e.g. your web site is down).

Example: payments@yoursite.com.au

This parameter is only relevant if you wish to receive the server to server payment notification. See Server to server notification for details.
accountType The type of payment the customer is going to make. This value will influence the appearance of the "Payment Details" page.

Specify either: DIRECT_DEBIT (to restrict to Australian bank account payments), DIRECT_DEBIT_NZ (to restrict to New Zealand bank account payments) or CREDIT_CARD (to restrict to credit card payments). Do not send this parameter if your payer can choose either in your solution.
registerPaymentAccount This parameter is only applicable to your facility when QuickVault is enabled. One of:
  • true
  • false
This will register the account in QuickVault after a successful payment.
receiptEmailAddress Optional. Provide an email address to instruct QuickWeb to send a payment receipt.

Custom parameters

If you would like to provide additional information to QuickWeb you can do this by using a custom parameter. Multiple custom parameters can be passed to QuickWeb.

Parameter Name Description
custom<Custom name>

Example:
customTitle,
customPayeeName
QuickWeb can display this data on the screen and/or pass it back to you in the payment notification.

The parameter name must start with "custom" followed by an uppercase letter. Maximum 100 characters per parameter.

Parameters for redirect

The following table lists the parameters that must be included in the redirect to QuickWeb. This step is described in Send parameters via Secure Token Request.

You must pass these parameters to OnlinePaymentServlet3. The full URL for the test environment is included in Test URLs and IP addresses. The full URL for the production environment is included in Production URLs and IP addresses.

Parameter Name Description
communityCode Your QuickWeb community code. This value will be provided to you.
token This is the encrypted token given to you by QuickWeb after you make the secure token request.

See Send parameters via Secure Token Request. QuickWeb will use this security token to validate the handoff and lookup parameters.

Sample code for the secure token request

Java

package com.qvalent.demo;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;

public class TokenRequestExample
{
    // This is the HTTP proxy configuration section.
    // To use basic authentication, other options
    // will have to be specified. This example
    // uses Windows domain-based NTLM authentication.
    // To use a direct connection, set USING_PROXY to false.
    private static final String HTTP_PROXY_URL_STRING =
        "proxy.yourdomain.com.au";
    private static final int HTTP_PROXY_PORT = 8080;
    private static final boolean USING_PROXY = true;
    private static final String TOKEN_REQEST_URL_STRING =
        "https://<environment_url>/CommunityTokenRequestServlet";

    // Here we are initialising a java.net.URL object.
    private static final URL TOKEN_REQUEST_URL =
        new URL( TOKEN_REQEST_URL_STRING );

    public static void main( final String[] args ) throws Exception
    {

        // Add username, password and customer reference number parameters
        // to the request.
        final Map<String, String> params =
            new HashMap<String, String>();
        params.put( "username", "username" );
        params.put( "password", "password" );
        params.put( "customerReferenceNumber", "CUSTOMER1" );
        final String content = getQuery( params );

        // Control block to use either proxy or direct connection.
        final HttpsUrlCOnnection connection;
        if( USING_PROXY )
        {
            final Proxy proxy = new Proxy( Proxy.Type.HTTP,
                                               new InetSocketAddress(
                                                   HTTP_PROXY_URL_STRING,
                                                   HTTP_PROXY_PORT ) );
            connection = (HttpsURLConnection)TOKEN_REQUEST_URL.openConnection( proxy );
        }
        else
        {
            connection = (HttpsURLConnection)TOKEN_REQUEST_URL.openConnection();
        }

        // Token request should be a HTTP POST for enhanced security.
        connection.setRequestMethod( "POST" );

        // The parameters are sent using url form encoding.
        connection.setRequestProperty(
            "Content-Type",
            "application/x-www-form-urlencoded" );

        // Add the content length and language.
        connection.setRequestProperty(
            "Content-Length",
            Integer.toString( content.length() ) );
        connection.setRequestProperty(
            "Content-Language",
            "en-au" );

        // We're going to write out post data and get the response (token),
        // so set both output and input.
        connection.setDoOutput( true );
        connection.setDoInput( true );
        // Set up a writer to write the http post data out.
        final BufferedWriter writer =
           new BufferedWriter(
               new OutputStreamWriter( connection.getOutputStream() ) );
        writer.write( content );
        writer.close(); // This will send the content.

        // Set up a reader to get the token result back from
        // the connection. Build it all up into one string.
        final BufferedReader reader =
           new BufferedReader(
               new InputStreamReader( connection.getInputStream() ) );
        String response = "";
        String buff;
        while( ( buff = reader.readLine() ) != null )
        {
            response += buff;
        }
        reader.close();

        // Print the full response.
        System.out.println( "Response: " + response );

        // Print the token, which will occur after "token="
        // and should be the only response parameter parameter.
        final String token =
            URLDecoder.decode(
                response.substring(
                    response.indexOf( "=" ) + 1 ) ,
                "UTF-8" );
        System.out.println( "Token: " + token );
    }

    // Helper method to construct a URL encoded query from
    // a map of string => string.
    private static String getQuery( final Map<String, String> params )
    throws Exception
    {
        String result = "";
        boolean first = true;
        for( final RequestParameter requestParameter : RequestParameter.values() )
        {
            if( first )
            {
                first = false;
            }
            else
            {
                result += "&";
            }
            result += URLEncoder.encode( requestParameter.getLabel(), "UTF-8" );
            result += "=";
            result += URLEncoder.encode(
                params.get( requestParameter.getLabel() ) == null ?
                "" :
                params.get( requestParameter.getLabel() ),
                "UTF-8" );
        }
        return result;
    }
}

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Net;
using System.Web;
using System.Collections;
namespace TokenRequestExample
{
    class TokenRequestExample
    {
        static void Main(string[] args)
        {
            byte[] byteArray;
            Stream webpageStream;
            StreamReader webpageReader;
            String webpageContent;
            Hashtable parameters = new Hashtable();
            parameters.Add("username", "username");
            parameters.Add("password", "password");
            parameters.Add("customerReferenceNumber", "CUSTOMER1");
            HttpUtility.UrlEncode("");
            String postData = "";
            Boolean first = true;
            foreach( String key in parameters.Keys )
            {
                if(first)
                {
                    first = false;
                }
                else
                {
                    postData += "&";
                }
                postData += key + "=" + HttpUtility.UrlEncode(parameters[key].ToString());
            }
            String URL = "https://<environment_url>/CommunityTokenRequestServlet";
            byteArray = Encoding.UTF8.GetBytes(postData);
            WebRequest request = WebRequest.Create(URL);
            WebProxy proxy = new WebProxy("proxy.yourdomain.com.au", 8080);
            proxy.UseDefaultCredentials = true;
            proxy.BypassProxyOnLocal = true;
            request.Proxy = proxy;
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = byteArray.Length;
            webpageStream = request.GetRequestStream();
            webpageStream.Write(byteArray, 0, byteArray.Length);
            webpageStream.Close();
            webpageReader = new StreamReader(request.GetResponse().GetResponseStream());
            webpageContent = webpageReader.ReadToEnd();
            Console.WriteLine(webpageContent);
            Console.ReadKey(true);
        }
    }
}

PHP

<?php
    $postFields = array( "username" => "username",
                         "password" => "password",
                         "customerReferenceNumber" => "CUSTOMER1" );
    $postFieldsString = http_build_query( $postFields );
    $curlHandle = curl_init();
    curl_setopt( $curlHandle, CURLOPT_URL, "https://<environment_url>/CommunityTokenRequestServlet" );
    if( array_key_exists( "user", $_POST ) &&
        array_key_exists( "pwd", $_POST ) )
    {
        curl_setopt( $curlHandle, CURLOPT_PROXY, "proxy.yourdomain.com.au:8080" );
        curl_setopt( $curlHandle, CURLOPT_PROXYUSERPWD, $_POST["user"].":".$_POST["pwd"] );
    }
    curl_setopt( $curlHandle, CURLOPT_POST, count( $postFields ) );
    curl_setopt( $curlHandle, CURLOPT_POSTFIELDS, $postFieldsString );
    curl_setopt( $curlHandle, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt( $curlHandle, CURLOPT_CAINFO, "PCA-3G5.pem" );
    curl_setopt( $curlHandle, CURLINFO_HEADER_OUT, 1 );
    $result = curl_exec( $curlHandle );
?>
<html>
    <head>
    </head>
    <body>
        <p> Header: <?php echo curl_getinfo( $curlHandle, CURLINFO_HEADER_OUT ); ?> </p>
        <?php
            if( curl_errno( $curlHandle ) )
            {
        ?>
                <p> Error: <?php echo curl_error( $curlHandle ); ?> </p>
        <?php
            }
            else
            {
        ?>
                <p> Token: <?php echo $result; ?> </p>
        <?php
            }
        ?>
    </body>
</html>
<?php   
    curl_close( $curlHandle );
?>

Python 3.x


import urllib.request as request
import urllib.parse as parse

USERNAME = ""
PASSWORD = ""
CD_CRN = ""

URL = "https://quickstream.support.qvalent.com/CommunityTokenRequestServlet"

class TokenRequest:

    def __init__(self, url):
        self.url = url
        self.params = {}

    def addParameter(self, key, value):
        self.params[key] = value

    def addParameters(self, dictKeyValues):
        for key in dictKeyValues:
            self.addParameter(key, dictKeyValues[key])

    def performRequest(self):
        details = parse.urlencode(self.params).encode("UTF-8")
        response = request.urlopen(self.url, details)
        return response

    def getToken(self):
        response = self.performRequest().read()
        response = response.decode("UTF-8")
        return response.split("=")[1]

# If you do not have a proxy then delete these
# next four lines.
proxyaddress = 'username:password@proxy.yourdomain.com.au:8080'
proxy = request.ProxyHandler({'https': proxyaddress})
opener = request.build_opener(proxy)
request.install_opener(opener)
#---------------------------------------------

req = TokenRequest(URL)
req.addParameter("username", USERNAME)
req.addParameter("password", PASSWORD)
req.addParameter("cd_crn", CD_CRN)
token = req.getToken()

print(token)

Form inputs handoff

This section lists the parameters you may pass to QuickWeb during the handoff. This section is only relevant if you are using the 'form inputs' method. If you are instead using the 'secure token' method, please refer to Handoff parameters for secure token method.

The following table lists the parameters that can be passed to QuickWeb. See Send parameters via form inputs.

The parameters must be passed to OnlinePaymentServlet3. The full URL for the test environment is included in Test URLs and IP addresses. The full URL for the production environment is included in Production URLs and IP addresses.

Mandatory parameters

Parameter Name Description
communityCode Your QuickWeb community code. This value will be provided to you.
supplierBusinessCode Your QuickWeb supplier business code. This will be provided to you.

Optional parameters

Parameter Name Description
currencyCode The currency code. This will determine which currency to use when making the payment.

Specify either AUD or NZD.

If this parameter is not provided, QuickWeb will default to AUD.
paymentReference Include this parameter if you want to pass a unique payment level reference to QuickWeb.

For example: invoice number, credit note number, fine code or transaction reference.

QuickWeb will then display the value in the 'Payment Reference' field. The customer will not be able to adjust this value in QuickWeb.
customerReferenceNumber Include this parameter if you want to pass a customer level reference to QuickWeb.

For example: customer number, family code, company code, Bpay number.

QuickWeb will then display the value in the 'Customer Reference Number' field. The customer will not be able to adjust this value in QuickWeb.
returnUrl The URL you would like QuickWeb to redirect to after the payment is complete. If you do not provide this parameter QuickWeb will display its own receipt page without a link / button to your website.

Any parameters included in URL will be provided back to you.

Example: http://www.yoursite.com.au/receipt?Name=John&Age=21

Note, there are two ways we can return the customer to your website
  1. QuickWeb can redirect straight away, allowing you to display your own receipt page.
  2. QuickWeb can display its own receipt page and include a link/button for the customer to click on to link back to your website.
cancelUrl The URL you would like QuickWeb to redirect to if the customer choses to cancel out of the payment process. If you do not provide this parameter QuickWeb will display is own cancel page.

Any parameters included in the URL will be provided back to you.

Example: http://www.yoursite.com.au/cancelledpayment?Name=John&Age=21
accountType The type of payment the customer is going to make. This value will influence the appearance of the 'Payment Details' page.

Specify either: DIRECT_DEBIT (to restrict to Australian bank account payments), DIRECT_DEBIT_NZ (to restrict to New Zealand bank account payments) or CREDIT_CARD (to restrict to credit card payments). Do not send this parameter if your payer can choose either in your solution.

Custom parameters

If you would like to provide additional information to QuickWeb you can do this by using a custom parameter. Multiple custom parameters can be passed to QuickWeb.

Parameter Name Description
custom<Custom name>

Example:
customTitle,
customPayeeName
QuickWeb can display this data on the screen and/or pass it back to you in the payment notification.

The parameter name must start with 'custom' followed by an uppercase letter.

Passback parameters

The following table lists the parameters that QuickWeb will return in the passback. The data can then be presented to your customers on your receipt page. For more details about the passback see Link from QuickWeb back to your website.

All parameters are mandatory unless stated otherwise.

Parameter Name Description
communityCode Your QuickWeb community code. This value will be provided to you.

Note, this is the same value that you will pass to QuickWeb during the handoff.
supplierBusinessCode Your QuickWeb supplier business code. This will be provided to you.

Note, this is the same value that you will pass to QuickWeb during the handoff.
paymentAmount The amount that QuickWeb used when it attempted the transaction.

It includes any surcharge or GST amount that needed to be paid.

The amount is in dollars and cents.

For example:
1015.00
surchargeAmount The surcharge amount that was included in the transaction.

The amount is in dollars and cents.

For example:
15.00
receiptNumber The unique receipt number generated by QuickWeb. This value can be used later to locate this payment in QuickStream Portal.
paymentReference This is an optional parameter. It will be included if the customer provided a unique payment level reference.

For example: invoice number, credit note number, fine code or transaction reference.

This value was either:
  1. entered in the 'Payment Reference' field on the QuickWeb 'Payment Details' page, or
  2. entered on your website then passed to QuickWeb during the handoff using the paymentReference parameter.
customerReferenceNumber This is an optional parameter. It will be included if the customer provided a customer reference.

For example: customer number, family code, company code, Bpay number.

This value was either:
  1. entered in the 'Customer Reference Number' field on the QuickWeb 'Payment Details' page, or
  2. entered on your website then passed to QuickWeb during the handoff using the customerReferenceNumber parameter.
responseCode The two digit response code.

For example: 41

See Transaction Response Codes for more information.
responseDescription The description of the response code.

For example: Lost card

See Transaction Response Codes for more information.
summaryCode The one digit summary code.

For example: 1

See Transaction Response Codes for more information.
createdDateTime The date and time of the transaction on the QuickWeb server in Sydney.

Format: DD MMM YYYY hh:mm

For example: 20 Jun 2012 15:04
settlementDate The settlement date of the payment. Transactions after 6pm Sydney time will settle on the following banking day. For more information see Transaction Settlement.

Format: YYYYMMDD

For example: 20120620
cardHolderName The card holder name that the customer entered.

For example: John Smith
maskedCardNumber The credit card number that the customer entered.

For security reasons part of this number will be masked.

For example: 456471xxxxxxx004
cardScheme The type of credit card the customer used to make the payment. QuickWeb will return one of the following values:
  • VISA
  • MASTERCARD
  • AMEX
  • DINERS
  • UNIONPAY
  • JCB
expiryDateMonth The month that the customer entered into the expiry date field. This value will be 2 digits long.

For example: 03
expiryDateYear The year that the customer entered into the expiry date field. This value will be 4 digits long.

For example: 2013
accountName The account name that the customer entered on the 'Payment Details' page.

For example: John Smith
accountNumber The account number that the customer entered on the 'Payment Details' page. For security reasons part of this number will be masked.

For example: xxxxxx789
bsb The BSB that the customer entered on the 'Payment Details' page. For security reasons part of this number will be masked.

For example: xxx-000
hmac A HMAC_SHA256 signed string of the parameters in the passback. Use this to validate that the parameters in the passback were not tampered. See Validating the HMAC.
Custom fields Any custom parameters that you included in the handoff will be sent back to you.

That is, any parameters prefixed with custom will be included in the passback.

For example:
customTitle,
customPayeeName

For example

GET /thankyou?
communityCode=<YOUR_COMMUNITY_CODE>&amp;
supplierBusinessCode=<YOUR_SUPPLIER_CODE>&amp;
surchargeAmount=24.00&amp;
paymentAmount=624.00&amp;
paymentReference=INVOICE1&amp;
customerReferenceNumber=CUSTOMER1&amp;
receiptNumber=1003548481&amp;
responseCode=00&amp;
responseDescription=Approved+or+completed+successfully&amp;
summaryCode=0&amp;
createdDateTime=10+Jan+2017+01%3A11%3A31&amp;
settlementDate=20170110&amp;
cardholderName=John Smith&amp;
maskedCardNumber=456471...004&amp;
cardScheme=VISA&amp;
expiryDateMonth=04&amp;
expiryDateYear=2020&amp;
hmac=13c747bb128c69cca9697c7d63ad5161ccce3c658951ea85ffe239e0a908fa16 HTTP/1.1
Host: yoursite.com.au

Validating the HMAC

The HMAC is included in the parameters returned in the passback. Use this to validate the parameters in the passback were not tampered.

The parameters in the passback are signed using the HMAC_SHA256 algorithm. Your secure token request password is used as the secret in the HMAC_SHA256 calculation. Find the password by viewing your connection details in QuickStream Portal.

To validate the hmac parameter:

  1. Remove hmac from the list of parameters returned and order the parameters ASCIIbetically by name.
  2. URL encode each parameter with UTF-8 character encoding.
  3. Join the parameter names and values with = and each pair with & (as per a query string).
  4. Generate the HMAC from this string using secure token request password.
  5. Hexadecimal encode the resulting string.
  6. Compare the HMAC string you generated to the hmac parameter in the passback.

HMAC validation example

This example illustrates a simple validation of the hmac parameter in the passback.

Step 1: Get the list of parameters returned in the passback.

Parameter Name Parameter Value
communityCode COMCODE
supplierBusinessCode SUPP
principalAmount 10.00
customParam this is a custom param with special characters &
hmac dce3bc3945ca4d33151fb4c6a69971d86c35556cc2becafb3cb451f080af3d49

Step 2: Remove hmac and order the parameters ASCIIbetically by name.

Parameter Name Parameter Value
communityCode COMCODE
customParam this is a custom param with special characters &
principalAmount 10.00
supplierBusinessCode SUPP

Step 3: URL encode each parameter with UTF-8 character encoding

Ensure the encoded characters are lowercase and not uppercase (for example, %3A not %3a.)

Parameter Name Parameter Value
communityCode COMCODE
customParam this+is+a+custom+param+with+special+characters+%26
principalAmount 10.00
supplierBusinessCode SUPP

Step 4: Join the parameter names and values with = and each pair with &.

communityCode=COMCODE&customParam=this+is+a+custom+param+with+special+characters+%26&principalAmount=10.00&supplierBusinessCode=SUPP

Step 5: Generate the HMAC from this string using secure token password.

public static String hash( final String password, final String queryString )
{
    final Mac mac = Mac.getInstance( "HmacSHA256" );
    mac.init( new SecretKeySpec( password.getBytes( "UTF-8" ), "HmacSHA256" ) );
    return Hex.encodeHexString( mac.doFinal( queryString.getBytes() ) );
}

Finally, compare the HMAC string you generated to the hmac parameter in the passback. If the strings do not match, there has likely been tampering of the parameters and their values and should not be considered accurate.

Soft descriptors for Aggregators

Soft-descriptors are informational fields that Aggregators must collect for each transaction. Other merchants cannot use these fields. These merchant descriptor fields allow some control over the cardholder narrative for each transaction. The Secure Token Request includes new fields to provide these soft-descriptors.

Read more about Soft descriptors for Aggregators.

Secure token request fields

These fields are sent in a Secure Token Request.

Parameter Name Length Required Description (for a Payment)
merchantName 22 Yes This field is only relevant for credit card payments for Aggregators.
Must be in the format AggregatorName*SubMerchantName.
For example:
  • AggregatorName is Jane's Transactions, abbreviated to JAT.
  • SubMerchantName name is Jill's Bikes.
  • The value of this field may be JAT*JillsBikes.
AggregatorName can be either in full or abbreviated and must be 3 characters.
Westpac may suggest a three character aggregator name during your implementation.
merchantStreetAddress 48 Yes This field is only relevant for credit card payments for Aggregators.
The street address of the sub-merchant's trading address.
It is a scheme requirement to populate the street address as part of the payment. Westpac does not hold the street address information for sub-merchants and it will not appear on the cardholder's or merchant's statement.
Must contain the street address lines only:
  • Include the city or suburb in Merchant Location.
  • Include the state in Merchant State.
  • Include the country in Merchant Country.
  • Include the post code in Merchant Post Code.
merchantLocation 13 Yes This field is only relevant for credit card payments for Aggregators.
The city or suburb of the sub-merchant's trading address.
merchantState 3 Yes This field is only relevant for credit card payments for Aggregators.
The state of the sub-merchant's trading address. One of:
  • NSW
  • ACT
  • VIC
  • QLD
  • NT
  • SA
  • WA
  • TAS
Merchant Country 2 Yes This field is only relevant for credit card payments for Aggregators.
Must be set to AU.
The sub-merchant must be registered in Australia and have a presence and process payments within Australia.
merchantPostCode 4 Yes This field is only relevant for credit card payments for Aggregators.
The postal code of the sub-merchant's trading address.
subMerchantId 15 Yes This field is only relevant for credit card payments for Aggregators.
A unique identifier for your sub-merchant. The aggregator allocates the sub-merchant identifier. Westpac does not allocate this value.

Passback and payment notification

No additional fields are provided in the passback to your website or payment notification to your server.

3D Secure Card Payments

Use QuickWeb to accept card payments verified using 3D Secure. 3D Secure is an additional layer of authentication that protects you from liability for fraudulent card payments. Unlike regular card payments, 3D Secure requires cardholders to complete an additional verification step with the card-issuer.

3D Secure is also known as Mastercard SecureCode and Verified by Visa.

See 3D Secure Card Payments for QuickWeb for more.

Payment procedure

See Transaction processing and settlement.

Transaction settlement

See Transaction processing and settlement.

Response codes

See Transaction Response Codes.

Requirements checklist

Download the Checklist.

The purpose of this section is to help identify your requirements. Use the checklist as follows:

  1. Download the requirements checklist and rename it with your company name.
  2. Complete as much of the checklist as you can before your first meeting with Westpac.
  3. Use the checklist to understand the steps required to implement this product.