PIT Testing Overview

Requirements: /n software E-Payment Integrator - 3-D Secure
Download Demo: Included in the installation of /n software E-Payment Integrator - 3-D Secure
Download Demo: PIT sample code

Contents

  1. Introduction
  2. PIT Enrollment
  3. SSL Client Certificate Request
  4. Export the Client Certificate
  5. PIT Root Certificate
  6. Export the PIT Root Certificate
  7. Running the Tests

Introduction

Although our E-Payment Integrator - 3-D Secure MPI is certified and has gone through interoperability testing with Visa, every merchant that signs up for 3D Secure (whether they develop the application themselves, use a certified component, or buy an off the shelf solution) is required by Visa to complete PIT testing. If you plan to use MasterCard SecureCode, MasterCard will also require that you complete Visa PIT testing on your final 3D Secure solution.  This document is designed to walk you through the process of going through this PIT testing.

For a fully detailed PIT User's Guide and Test Plan, please check the PIT Home.

PIT Enrollment

First, you must first sign up for Product Integration Testing (PIT). To do this, you'll need to know if you are going to authenticate to the 3D Secure Directory Server with a Merchant Password or with an SSL client certificate.  If you're unsure, check with your Visa Region Representative or the acquiring bank.
  1. Begin PIT enrollment by filling out the enrollment form at https://pit.3dsecure.net/VbVTestSuiteService/#/pit/userEnrollment.
  2. For the "BIN" field of the enrollment page, we recommend using an obviously fake number, such as "999999". It is only necessary that the BIN in your PIT profile matches the value that you use for the MerchantBankId property of the MPI component.
  3. For "Component Type(s)", you must select the "MPI" checkbox, and fill out the "Merchant ID" input field.  This value must match the MerchantNumber property of the MPI component, but can otherwise be any value (for PIT testing, you don't have to use your real merchant ID).
  4. If you're using Merchant Password for authentication to the 3D Secure Directory Server, you must fill out the "Password" input field here. This value must match the MerchantPassword property of the MPI component, but can otherwise be any value.  
  5. Alternatively (to step #4), if you are using an SSL client certificate for authentication to the 3D Secure Directory Server, leave the "Password" input field blank, and in a later step you will need to request a certificate from the PIT.
  6. Double-check that the settings in your PIT profile match those that you will use in your 3D Secure solution (ie, your website). If any of the values do not match, your transactions will not show up on the PIT's "Review Test Activity" and "Review Required Results" pages.

SSL Client Certificate Request

If you're using a merchant password for authentication to the 3D Secure Directory Server, you can skip this section and the next, and go straight to downloading the PIT Root Certificate.  However, if you are using an SSL client certificate for authentication to the 3D Secure Directory Server as mentioned earlier, read on.  Your next steps are to generate a certificate request, submit it to the PIT's automated certificate generator, and import the PIT generated certificate into your test environment. 

How to generate a certificate with IIS5 or IIS6:
  1. In the IIS Manager snap-in of MMC, right click on your website in the Web Sites directory tree, select "Properties", click on the "Directory Security" tab, click on "Server Certificate", select "Create a new certificate" and click Next. If asked, select "Prepare the request now, but send it later" and click Next.
  2. Select a name for your cert request. Something like "PIT Client Cert". Bit length should be 1024, and any other options should remain as default. Press Next.
  3. Organization and Organizational Unit can be anything.
  4. The Common name MUST be the IP Address of your server.
  5. Country, State, and City can be any data.
  6. Save the request as c:\certreq.txt
  7. Now log into the PIT online interface (https://pit.3dsecure.net/VbVTestSuiteService/) and click the "Request Certificate" link.
  8. Open the c:\certreq.txt file with Notepad, copy the contents, and paste it into the "Cert Request (PEM)" field on the "Request Certificate" page.  "Certificate Type" should be "MPI SSL Client Certificate (for authentication to DS)".
  9. Visa will send you an email response containing a client certificate (.der file) and a certificate chain (.p7 file).  Once you have received it, save the MPIclient_certificate.der and MPIclient_certificate_chain.p7 to your computer.
  10. Go back to the Directory Security tab, click "Server Certificate" again, select "Process the pending request and install the certificate" and click Next.
  11. Browse to the MPIclient_certificate.der file, follow the remaining instructions, click Finish and you are done importing the PIT certificate.

How to generate a certificate with IIS7:

  1. In the IIS Manager snap-in of MMC open your server home, double click on "Server Certificates", and click the "Create Certificate Request..." action link.
  2. The Common name MUST be the IP Address of your server.  Organization, Organizational Unit, Country, State, and City can be anything. Click Next.
  3. Bit length should be 1024.  Click Next.
  4. Save the request as something like c:\certreq.txt.  Click Next.
  5. Now log into the PIT online interface (https://pit.3dsecure.net/VbVTestSuiteService/) and click the "Request Certificate" link.
  6. Open the c:\certreq.txt file with Notepad, copy the contents, and paste it into the "Cert Request (PEM)" field on the "Request Certificate" page.  "Certificate Type" should be "MPI SSL Client Certificate (for authentication to DS)".  Click Submit.
  7. Visa will send you an email response containing a client certificate (.der file) and a certificate chain (.p7 file).  Once you have received it, save the MPIclient_certificate.der and MPIclient_certificate_chain.p7 to your computer.
  8. Go back to the "Server Certificates" console, and click the "Complete Certificate Request..." action link.
  9. Browse to the MPIclient_certificate.der file, follow the remaining instructions, click Finish and you are done importing the PIT certificate.

If you view the certificate now, you will notice that it is not yet valid. This is because we have not yet installed the CA certificate (the PKCS#7 certificate chain) that the PIT emailed to us along with the DER encoded certificate.  To do this, use the following steps:

  1. Open Internet Explorer and select the Tools menu. Then click on "Internet Options".
  2. Click the "Content" tab, and then click the "Certificates" button.
  3. Press the "Import" button. You will be asked for a file name. Browse to the MPIclient_certificate_chain.p7 on your computer and press "Next".
  4. Select the "Place all certificates in the following store" radio button, and then press the "Browse" button.
  5. Make sure the "Show Physical Stores" checkbox is checked, and place the certificate in "Intermediate Certification Authorities\Local Computer". Press Next and then Finish.

Export the Client Certificate

If your solution is an ASP or ASP.NET application, it will not have access to the local machine's certificate stores.  You will need to export all three of these certificates in order for the MPI component to communicate with the PIT's directory server. First, lets export the client authentication certificate.

Here's how you can do this in IIS5 and IIS6:
  1. In the IIS Manager snap-in of MMC, open your server home, double click on "Server Certificates", and find the certificate you installed previously.
  2. Click "View...", select the "Details" tab, and then press the "Copy to File" button.
  3. When asked to export the private key, select "Yes, export the private key."
  4. When asked for the export file format, choose "Personal Information Exchange - PKCS #12 (.PFX)", and check "Include all certificates in the certification path if possible".  Do not check "Delete the private key". Click Next.
  5. Choose a password for this certificate. Use something you'll remember. For this example I am using "pitpass"
  6. Choose a filename for this certificate. I will use "c:\pitclient.pfx".

And here's how to do it in IIS7:

  1. In the IIS Manager snap-in of MMC, open your server home, double click on "Server Certificates", and find the certificate you installed previously.
  2. Click "View...", select the "Details" tab, and then press the "Copy to File" button.
  3. When asked to export the private key, select "Yes, export the private key."
  4. When asked for the export file format, choose "Personal Information Exchange - PKCS #12 (.PFX)", and check "Include all certificates in the certification path if possible".  Do not check "Delete the private key". Click Next.
  5. Choose a password for this certificate. Use something you'll remember. For this example I am using "pitpass"
  6. Choose a filename for this certificate. I will use "c:\pitclient.pfx".

Now in your code, you can point the MPI component to this newly exported certificate by setting the SSLCert property as shown below.  Note that the SSLCert Subject property gets set to the subject of the certificate which was specified when generating the certificate.

MPI1.setSSLCert(new Certificate(Certificate.cstPFXFile, "C:\\pitclient.pfx", "password", "11.12.13.14")); 
//where "11.12.13.14" will match the certificate subject

PIT Root Certificate

Next, you'll need to install the PIT root certificate in order to verify the security of the communication with the PIT Access Control Server. Download the DER-formatted PIT root certificate from the "View User's Guide" link off of the main PIT home page (a link to the root certificate is located in that guide in the section entitled "MPI Setup Guide", the direct link is https://dropit.3dsecure.net/PIT/pit_root.der).

  1. Double-click on this DER file, and click the "Install Certificate" button.
  2. When prompted, select "Place all certificates in the following store". Click "Browse", and check the "Show physical stores" checkbox.
  3. Select the "Trusted Root Certification Authorities\Local Computer" store.
  4. Click OK/Next/Finish,  and you're done.

Export Root Certificate

During 3D Secure communications, payment authentication request packets are digitally signed by the 3D Secure server, and their signatures must be verified by the MPI control. In order to verify the signature, the MPI component will need to access the PIT root certificate and the PIT CA certificate.  Therefore, both the PIT root certificate and the PIT Intermediate Signing Certificate must be exported as well.

  1. In MMC, open the Certificates snap-in.  When asked what certificates to manage, select the "Computer account" radio button.
  2. Open the "Certificates\Trusted Root Certification Authorities\Certificates" tree.
  3. Double-click the certificate named "pit_root", select the "Details" tab and press the "Copy to File" button.
  4. Select the "Base-64 encoded X.509 (.CER)" radio button and press Next. You will be asked for a file name. I will use "C:\pit_root.cer".
  5. Back in MMC, open the "Certificates/Intermediate Certificate Authorities/Certificates" tree and export the pit_ca certificate the same way. I will use the file name "c:\pit_ca.cer".

In your code, you'll need to add these certificates to the MPI component.  To do this, open the pit_root.cer file and paste the contents into the RootCertificate property. Then open the pit_ca.cer file and paste the contents into the Root Certificate property with a preceding '+'. For example:

MPI1.setRootCertificate("MIICHzCCAYigAw..."); //contents of pit_root.cer
MPI1.setRootCertificate("+" + "MIICHjCC..."); //contents of pit_ca.cer

Using the plus (+) sign at the beginning of the second certificate indicates that it is an additional certificate used to verify the signature of a PARes. You can add any number of certificates in this manner.

After this step, the pit_root.cer and pit_ca.cer files on your hard drive are no longer necessary and can be deleted.  You are now finished setting up the certificates needed for the MPI component to communicate with the PIT servers.

Running The Tests

At this point, you have set the SSLCert properties of the MPI component to point to a certificate to use for client authentication, and you have set the RootCertificate property of the MPI component to point to certificate(s) used to verify the signature of messages returned by the 3D-Secure server.

Next, set the following properties to the corresponding values in your PIT profile:

  • MerchantBankId - must match the "BIN" in PIT profile.
  • MerchantNumber - must match "Merchant ID" in PIT profile
  • MerchantPassword - must match "Password" in PIT profile

Add these lines of code to your solution, and begin running through the test cases documented in the PIT Test Plan (linked from the PIT Home).  When you are finished, and all the tests pass, you can click "Conclude Testing" on the PIT Home and your Visa Regional Representative will be notified.

Conclusion

This article showed how to get started with Visa PIT testing. Here I went over the basics that you need to get started, but I recommend that you also take a look at the documentation of the MPI component that comes installed with the /n software E-Payment Integrator - 3-D Secure, as it goes into details about all available properties of the component, including some that were not discussed here. Also be certain to review the User's Guide and Test Plan on Visa's PIT Home.


We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.