CN!Express User Guide - Auric Systems


The CN!Express application is sunset. Please see inside for options.

CN!Express User Guide
Auric Systems International

Copyright 2016 Auric Systems International. All rights reserved.
www.auricsystems.com
tokenize what matters

The CN!Express payment application is Sunset.

This is the last formal release of the CN!Express payment processing application. Information regarding the sunset and migration options is available at: https://www.auricsystems.com/payment-apps/#cnx

Contents

Welcome to CN!Express

I Installation and Configuration
  Installing CN!Express on Windows
  Installing CN!Express on Linux
  Configuring CN!Express
  Encrypted/Secure HTTPS
  Remote Firebird Database
  Tokenization
  Auric Key Management Proxy
  Uninstalling CN!Express

II Payment Processors
  Working with your Payment Processor
  Cardinal Commerce
  Chase Paymentech
  eBillme
  First Data Global Gateway
  TSYS Merchant Solutions–PayFuse
  Vantiv (formerly Litle & Co.)
  Cielo Payments Inc. (Formerly Merchant e-Solutions)
  PayPal
  Paypal PayFlow Pro
  TenderCard
  TransFirst

III PA DSS Secure Implementation Guide
  Overview of PCI-Compliance Practices
  Magnetic Stripe and CVV2 Data
  Protect Stored Cardholder Data
  Secure Authentication Features
  Log Payment Application Activity
  Develop Secure Payment Applications
  Protect Wireless Transmissions
  Test Payment Applications to Address Vulnerabilities
  Facilitate Secure Network Implementation
  Cardholder Data Must Never Be Stored on a Server Connected To the Internet
  Secure Remote Access and Updates
  Facilitate Secure Remote Software Updates
  Encrypt Sensitive Traffic
  Encrypt all Non-Console Administrative Access
  Maintain Instructional Documentation and Training Programs
  Secure File Deletion
  Key Management
  Internal Encryption
  Encrypting Import/Export Files

IV Appendices
  Action Codes
  ASI Response Codes
  Soft Descriptors
  Processor-Specific Attributes
  Verified by Visa CAVV Response
  ICV-Style Files
  Repair Firebird Database
  Secure Deletion: sdel
  Field Reference
  Currency Codes

Index

List of Tables

1 CN!Express Instant Tokenization actions.
2 ASI Response Codes for Instant Tokenization
3 eBillMe Transactions
4 eBillme response batch fields
5 eBillMe ‘Q’ batch file responses
6 Pre-paid card filtering rules
7 Automatic Account Updater Fields
8 CN!Express action codes.
9 CN!Express response codes.
10 Verified by Visa CAVV Response Codes
11 ICV-style action codes
12 CN!Express field reference.
13 Currency Codes

Welcome to CN!Express

Thank you for selecting the CN!Express payment processing application. CN!Express provides a consistent and speedy connection to your payment processing service and easily manages all of your transactions. Once CN!Express is configured, you rarely need to manually interact with it.

Payment processing is not just credit cards any more. CN!Express supports a wide range of payment options, including a direct connection to PayPal Express Checkout services.

CN!Express offers the following features (depending on the capabilities of your processing service):

- From two (CX-7002) to one hundred (CX-7100) simultaneous connections to your payment processor(s).
- Simultaneous support for multiple processors, without you needing to sort/batch your transactions individually.
- Legacy file and modern HTTP/S interfaces.
- Direct connections to payment processor gateways.
- Support for many methods of payment including:
  – Credit cards
  – Purchase card level 2
  – Electronic checks
  – PayPal
- Federally-approved 256-bit AES encryption for sensitive data.
- Follows Visa’s Payment Application Best Practices for PCI compliance.

Supported Processing Services

CN!Express supports the following payment processing services:

- Chase Paymentech Solutions/Orbital Gateway/Salem
- First Data/Global Gateway
- Merchant e-Solutions/Transcom
- Transfirst/eLink
- PayPal Express Checkout

Simultaneous Connections

CN!Express supports multiple simultaneous connections to payment processors. This allows CN!Express to process transactions in parallel with each other. Depending on the model, CN!Express supports from two (2) to ten (10) simultaneous connections. If you are using a single processor, all ten connections can be with that processor. If you are using two or three processors (perhaps a credit card processor and PayPal), then CN!Express automatically decides how many connections to maintain for each processor–up to the maximum supported by the specific model.

The CN!Express model number indicates how many simultaneous connections are available:

Model Number    # Simultaneous

Estimated Speed

CN!Express adds extremely little overhead to the transaction. The speed of your payment processor is effectively the speed at which CN!Express runs. In demo mode, CN!Express returns transactions in three (3) seconds. This is a typical response time from a processor (and frequently you will see times better than that). Assuming three second response times, here is how long it takes different models of CN!Express to process 1,000 transactions:

Model Number    # minutes for 1,000 transactions (est.)
CX-7002         30
CX-7005         10
CX-7010         5
CX-7100         0.5

PCI Compliance

Auric Systems International is a validated Level 1 PCI Service Provider. CN!Express is validated against the PCI PA-DSS 3.0 standard.

Passwords

CN!Express uses passwords at several different levels:

- Access to the underlying operating system.
- Encrypting sensitive data.
- Submitting transactions through the Web.
- Monitoring.

Your in-house PCI policy in regards to password and key management must be applied to these passwords.

Access to the Underlying Operating System

All CN!Express configuration is performed locally. There is no remote access for configuration and control. There are no configuration passwords to manage.

Encrypting Sensitive Data

A CN!Express installation supports a two-user server pass phrase to encrypt sensitive data (such as credit card account numbers). Refer to the Configuring CN!Express chapter for details on entering the pass phrases.

Submitting Transactions through the Web

CN!Express requires all web-based transactions to include a user ID and password. These accounts cannot retrieve any information from CN!Express beyond the information returned for the current transaction. The CN!Express listens only on the localhost (127.0.0.1) for incoming web transactions. A secure front-end proxy, such as stunnel, IIS, or nginx, must be run as a front-end to the CN!Express application.

Monitoring CN!Express

CN!Express provides a web monitoring interface for which separate user IDs are required. No account information can be retrieved from CN!Express through this interface.

Contacting Auric Systems International

To contact Auric Systems International:

Phone: 603-924-6079
E-mail/support tems.com
Web Site: https://www.AuricSystems.com

Please have your serial number handy when you call. When you purchased CN!Express the serial number and activation key were e-mailed to you. After you install the test or production (live) CN!Express you can find your serial number and activation key on the Run Mode Tab of the CN!Express Configuration Manager.

Part I: Installation and Configuration

Installing CN!Express on Windows

CN!Express installs in the demo (demonstration) mode. Demo mode allows you to work with, and become familiar with, CN!Express functionality without actually sending transactions to your processor. It is also a convenient way to integrate CN!Express into your existing systems. Auric Systems International strongly recommends you keep CN!Express in demo mode while you configure and learn its operation.

Supported Windows Versions

CN!Express supports the following Windows platforms:

- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016

System Requirements

CN!Express runs on fairly minimal systems. Any typical 2 GHz processor is suitable—even single core. Auric Systems International recommends you install CN!Express on your target platform in demo mode and test at what you expect load requirements to be.

Memory Requirements

Having 256 MBytes of RAM available above and beyond your operating system’s install is suitable long-term for CN!Express running at highest speeds.

Disk Requirements

CN!Express can generate a large number of logs and backup files. In addition, if you are using batch import/export, you’ll need additional space to manage those files. For initial installation, you’ll need approximately 100 Mbytes of hard disk space. Auric Systems International recommends planning for a minimum of 30 GBytes of free disk space to ensure a long-lived and trouble-free operation.

It is important to check your file system on a regular basis. Backups and logs can start to consume a significant amount of disk space.

Installation Options

CN!Express installs:

- on a local hard drive, not a network mount.
- as both an application and a Windows service (the Windows service is not active until you manually activate it)
- in the demonstration (demo) mode (not in the test or production mode)
- as a CX-7002 with two simultaneous processor connections

While you are configuring CN!Express, Auric Systems International strongly recommends that you:

- Run CN!Express as an application (not a service).
- Configure using the demo mode.
- Send your first transaction(s) to your processing service using the test mode.

Demo mode is ideal for trying out configuration options and CN!Express operations without using real transactions. Test mode is ideal for testing your configuration with your processing service. Production mode is strictly for processing real transactions.

After you’ve configured and tested CN!Express you can switch to the production mode and you can run CN!Express as a service, confident that CN!Express will work smoothly.

Installation Procedure

CN!Express is available for download from the Auric Systems International web page: https://www.auricsystems.com/payment-apps/.

The Setup program prompts you for a location in which to install the executables and a location in which to install the data directories. Both program and data directories need to be on a local hard drive, not a network drive.

- Download the CN!Express Setup program from the web site.
- Compare the MD5 signature of the downloaded file to the MD5 signature on the web site to confirm you downloaded an uncorrupted version.
- Run the CN!Express Setup application and follow the installation screens. Auric Systems International recommends you select the default installation application and data locations.
- CN!Express is now installed.

Configuration

Now that CN!Express is installed, your next step is Configuring CN!Express.

Installing CN!Express on Linux

The Linux version of CN!Express is available as a bespoke deployment. Please contact Auric Systems International for details.

CN!Express installs in the demo (demonstration) mode. Demo mode allows you to work with, and become familiar with, CN!Express functionality without actually sending transactions to your processor. It is also a convenient way to integrate CN!Express into your existing systems. Auric Systems International strongly recommends you keep CN!Express in demo mode while you configure and learn its operation.

In order to configure CN!Express you must have the AKMP key management daemon installed. The AKMP service provides the encryption key management necessary to support test and production mode data. Please refer to the AKMP manual for details.

Supported Linux Versions

- Red Hat Enterprise Linux Versions 6.8 and 7.x.
- CentOS Versions 6.8 through 7.x.
- Call regarding support for other Linux flavors.

System Requirements

CN!Express runs on fairly minimal systems. Any typical 2 GHz processor is suitable—even single core. Auric Systems International recommends you install CN!Express on your target platform in demo mode and test at what you expect load requirements to be.

Memory Requirements

Having 256 MBytes of RAM available above and beyond your operating system’s install is suitable long-term for CN!Express running at highest speeds.

Disk Requirements

CN!Express can generate a large number of logs and backup files. In addition, if you are using batch import/export, you’ll need additional space to manage those files. For initial installation, you’ll need approximately 100 Mbytes of hard disk space. Auric Systems International recommends planning for a minimum of 30 GBytes of free disk space to ensure a long-lived and trouble-free operation.

It is important to check your file system on a regular basis. Backups and logs can start to consume a significant amount of disk space.

Installation

CN!Express installs:

- on a local hard drive, not a network mount.
- as both an application and a service (the service is not active until you manually activate it)
- in the demonstration (demo) mode (not in the test or production mode)

While you are configuring CN!Express, Auric Systems International strongly recommends that you:

- Configure using the demo mode.
- Send your first transaction(s) to your processing service using the test mode.

Demo mode is ideal for trying out configuration options and CN!Express operations without using real transactions. Test mode is ideal for testing your configuration with your processing service. Production mode is strictly for processing real transactions.

After you’ve configured and tested CN!Express, you can switch to the production mode and you can run CN!Express as a service, confident that CN!Express will work smoothly.

Auric Systems International provides a custom download site for the Linux CN!Express installation. CN!Express expects to run as the cnxap user – which must be configured before running the installation script.

- Download the cnx installer.tgz file.
- Compare the checksum of the downloaded file to the checksum provided by Auric Systems International to ensure the file has not been tampered with.
- Create the cnxap user.
- Run ./install.py
- CN!Express installs in the /opt/cnxap directory.

Installation Options

CN!Express for Linux must be run behind a proxy web server such as nginx or Apache. CN!Express itself only listens on localhost (127.0.0.1). HTTPS security of front-end communications is managed by the proxy. The URL to proxy is:

    /asi01

Starting and Stopping CN!Express

To run as an application:

    sudo -u cnxap /opt/bin/cnxap

To run as a service on RHEL 6:

    sudo /sbin/service cnxapd start|stop|restart|status

To run as a service on RHEL 7:

    sudo systemctl start|stop|restart|status cnxapd

Configuring CN!Express for Linux

Configuration of the CN!Express application for Linux is completed using the CN!Express Configuration Utility for Windows.

In order to run the Configuration Utility on Windows, you must transfer your AKMP secure data configuration from your Linux installation to your Windows installation. Please refer to the AKMP manual for details.

Once AKMP is installed, you can follow the Windows configuration instructions in the Configuring CN!Express chapter, with the following exceptions:

1. Any file paths must be manually entered and use the Linux path separator (’/’).
2. On the Advanced Tab, you have the option of sending all CN!Express logs to syslog or maintaining separate logs. If you elect to keep CN!Express logs separate, they are automatically rotated daily.
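
A front-end proxy of the kind this chapter requires, as an added example that is not part of the original guide: an nginx server block that terminates HTTPS and forwards only /asi01 to CN!Express on localhost. The host name, certificate paths and client subnet are constructed placeholders; back-end port 8100 (the default web port named in the Configuring CN!Express chapter) and plain HTTP on the loopback hop are assumptions.

```nginx
# Added example, not Auric's configuration. Placeholders are marked below.

server {
    listen 443 ssl;
    server_name cnx-proxy.example.internal;          # placeholder host name

    # Certificate issued for the proxy, not the self-signed set shipped
    # with CN!Express (paths are placeholders).
    ssl_certificate     /etc/nginx/tls/cnx-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/cnx-proxy.key;

    # Protocol policy lives here, so it can be tightened without touching
    # CN!Express. Drop TLSv1.3 on nginx older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Only the transaction URL from the guide is reachable.
    location /asi01 {
        # Constructed sample subnet for the order systems that submit
        # transactions; everything else is refused.
        allow 192.0.2.0/24;
        deny  all;

        # CN!Express listens on localhost only; port 8100 is assumed.
        proxy_pass http://127.0.0.1:8100;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
        client_max_body_size  64k;
    }

    # Nothing else on the back end is exposed through the proxy.
    location / {
        return 404;
    }
}

# No transactions over plain HTTP: redirect to the HTTPS listener.
server {
    listen 80;
    server_name cnx-proxy.example.internal;          # placeholder host name
    return 301 https://$host$request_uri;
}
```

Validate the file with `nginx -t` before reloading, and keep CN!Express itself bound to 127.0.0.1 so the proxy is the only network path to it.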

Configuring CN!Express

This chapter walks through a typical CN!Express configuration. Please refer to the PA DSS Secure Implementation Guide section for security-specific information. You must be logged into the machine where CN!Express is installed in order to configure it.

The CN!Express Configuration Utility (cnxcfg.exe) groups the CN!Express settings into major tabs:

- General
- Divisions
- Web Formats
- Files
- File Formats
- Security
- Run Mode
- Advanced
- About

The majority of CN!Express settings can be modified while CN!Express is running. The CN!Express program checks the configuration file every few seconds to see if it has been modified. If the configuration is changed, CN!Express reloads the new configuration information.

Starting in Demo Mode

When configuring CN!Express for the first time, it’s best to work in the demo mode and run CN!Express as an application. CN!Express automatically installs in the demo mode and as an application (it also installs as a Windows service, but the service is not active). After you complete the configuration, you can test it without sending transactions to your processing service. When you’re satisfied with the configuration, you can switch from demo to test mode and then to production mode. You can also switch to running CN!Express as a service. CN!Express automatically remembers the configuration you set up when it was in demo mode and running as an application. CN!Express uses that same configuration when you switch modes and/or run it as a service.

When you first start the CN!Express Configuration Utility you will see a dialog noting that certain fields, which require encryption to be stored, will be disabled in demo mode. These fields are not required in demo mode. Just click the OK button to continue working in Demo mode.

General Tab

Names

Every CN!Express installation requires a Short Server Name and a Server Number. These two settings need only be changed if you are using multiple copies of CN!Express within your organization. If you are using more than one copy of CN!Express each of these fields must be unique to the installation.

Web Service

By default the web service for accepting incoming transactions is disabled. This ensures you do not suddenly have an unexpected web service running on your system.

CN!Express supports both HTTP and HTTPS connections. There are advantages and disadvantages to both of them. Please refer to the Encrypted/Secure HTTPS chapter on HTTP vs. HTTPS configuration. CN!Express comes with a set of self-signed certificates for HTTPS communications. When you select HTTP or HTTPS, you must configure the Port on which CN!Express accepts transactions (default is 8100) and the IP address on which it will listen for web transactions.

The default listening address (127.0.0.1) is also known as localhost. With this setting, CN!Express accepts only transactions from the local machine. If you have more than one network card on your computer, CN!Express lets you select which one it uses, or you can accept from All Host Interfaces.

Auric Systems International recommends you leave CN!Express configured for localhost (127.0.0.1) and use a proxy server such as stunnel, IIS, or nginx to isolate the CN!Express application from the external interfaces. This approach has the advantage of allowing you to update your security protocols without having to upgrade CN!Express and avoiding the testing time such upgrades require.

Transaction Files

By default, CN!Express is configured with a traditional interface to accept transactions through text files. You may disable this interface if you are going to send all your transactions through the CN!Express Web interface. Otherwise, leave it enabled.

Fields

CN!Express allows you to set the XCLASS value globally for all processors. Prior to CN!Express version 4.0.11, all transactions defaulted to E-commerce. Now, they can be set globally or per division.

Web Console

CN!Express supports a web-based remote monitoring console. This console must be disabled in production.

Proxy Configuration

CN!Express provides the ability to configure a proxy for all outgoing HTTPS connections. CN!Express supports tunneling proxies. In a tunneling proxy, the defined connection between CN!Express and the proxy is via the HTTP port. The actual HTTPS connection is tunneled through the HTTP port so there is a sec
