Friday, 20 September 2013

Groping in the dark, part 4

So I've made a new version of billthedoubtfuls.cgi, and using the test card number, I tried to run it. After several attempts when I got no answer whatsoever from the BMS server (because of a wrong URL got from the mistaken page in the documentation, or the wrong port), eventually, I got a response.


The response is "Some of the data entered is incorrect. Please retry."


So I googled that. And I decided that I had to change my BMS setup.

Actually, I have eight, count them, eight accounts. There's test and there's production. There's dollars and there's sterling. And there's the admin user, and the ordinary user.

So I went into a flurry of calls to BMS front line support, because if there's one thing that any front line support can deal with, it's password issues. Each time I call, by the way, they ask for my name, my merchant number, and then as a security check, they ask for something that only I can know. My bank sort code and my bank account number. Which is, of course, on every cheque that I send out, so not really very secret, is it? But they're a bank, poor lambs, and shouldn't really be expected to know anything about security.

So eventually, I got all eight of these set up with passwords that I could remember, and tried again. "Some of the data entered is incorrect. Please retry."

This has got to be one of the worst error messages in the world. It tells you nothing useful. The only good thing about it is that it's so ungrammatical that when you Google it, all the hits are for the Ogone software. And none of the hits are of much use.

IGSSS, paragraph 2.2.2 suggested that I have to tell BMS the IP addresses of the servers that are sending it data. Actually, they suggest you go to the "data and origin verification" tab, and the tab is actually "data and origin" and then they send you to "Checks for Direct Link" when they actually mean "Checks for Barclaycard Direct Link and Barclaycard Batch (Automatic)".

And there I put in the range of IP addresses that I'm coming from. On the same page, there's a line for SHA-IN pass phrase, and that turned out to be a lure and a delusion, because I filled that in, because it has it twice on that page, once for "Checks for e-Commerce" because it said in big red letters that I had to, and once for "Checks for Barclaycard Direct Link and Barclaycard Batch (Automatic)" because it seemed like a good idea.

Which it wasn't.

Because then I had to code up a SHA-1 checksum using that passphrase, and I had to sort the elements into alphabetical order before computing the SHA, and then I had to send the SHA with the data for each transaction. BMS provided a handy page so that I could make sure that my computation of the checksum agreed with theirs, which it did after I wasted about an hour thinking it didn't when actually the problem was I had a leading space before the string that I gave to their test page, but once I sorted that out, my computed checksum agreed with theirs.
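The checksum procedure described above, as an added Python example (not the author's CGI code, and not BMS's). The exact layout of the hashed string (names upper-cased, `NAME=value` followed by the passphrase, empty fields skipped) is an assumption, and the field values and passphrase are constructed.

```python
import hashlib
import hmac

# Constructed sample request and passphrase; not real merchant data.
PASSPHRASE = "constructed-passphrase"
ORDER = {"PSPID": "examplemerchant", "orderID": "T1001",
         "amount": "1500", "currency": "GBP", "CN": ""}

def sha_in_string(params, passphrase):
    """String to hash. Assumed layout: names upper-cased and sorted
    alphabetically, empty fields skipped, passphrase after every pair."""
    fields = {k.upper(): str(v) for k, v in params.items() if str(v) != ""}
    return "".join(f"{k}={fields[k]}{passphrase}" for k in sorted(fields))

def sha_in(params, passphrase, algo="sha1"):
    """Upper-case hex digest of the string (SHA-1, as in the post)."""
    data = sha_in_string(params, passphrase).encode("utf-8")
    return hashlib.new(algo, data).hexdigest().upper()

def whitespace_suspects(params):
    """Fields whose value carries leading or trailing whitespace: it is
    hashed like any other byte, so the digest silently changes."""
    return sorted(k for k, v in params.items() if str(v) != str(v).strip())

def digests_match(params, passphrase, other_hex):
    """Constant-time comparison against a digest computed elsewhere."""
    mine = sha_in(params, passphrase)
    return hmac.compare_digest(mine, other_hex.strip().upper())

if __name__ == "__main__":
    good = sha_in(ORDER, PASSPHRASE)
    padded = dict(ORDER, amount=" 1500")   # one stray leading space
    print(sha_in_string(ORDER, PASSPHRASE))
    print(good)
    print(whitespace_suspects(padded), digests_match(padded, PASSPHRASE, good))
```

Running `whitespace_suspects` on the request before hashing catches the stray-space mismatch without a round trip to the gateway's test page.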

"Some of the data entered is incorrect. Please retry."

So then I found their "Create a test payment with Barclaycard Direct Link" page.

And that lets you give a fake transaction and see if it works. Which it didn't. Because it was failing the SHA test. And it was failing it, because there was no way to tell the test page to compute the SHA.

So I called BMS tech support for a bit of help, and while the support guy was talking, he happened to mention about users needing to be given API access. Which means that unless I send the data with a username that has API access, no chance. So I gave a user API access.

"Some of the data entered is incorrect. Please retry."

So I removed the SHA from my BMS setup and tried another transaction on the "Create a test payment with Barclaycard Direct Link" page. Which worked!!! That's encouraging, but what I need to do is send it from my server DATA1 to their server. And when I tried to do that, I got ...

"Some of the data entered is incorrect. Please retry."

If they gave me some clue about what their system thinks is wrong, that would be *SO* helpful. But they don't. And, I think, they can't because BMS didn't write this system, it's just bought-in (or leased or hired or something).

So I phoned BMS support, and got a call back from Tom Anderson. He's very helpful, but by the time I'd gotten my call back from him, I'd solved a lot of the problems (see above). Or have I? All I know is that I started off getting "Some of the data entered is incorrect. Please retry." and now I'm getting "Some of the data entered is incorrect. Please retry."

The BMS setup also asks for the referring URL that calls the orderstandard.asp page, and I gave it a URL, and I told my billthedoubtfuls.cgi to give the same referer, but that's for "e-Commerce", and I'm using "Direct Link", so I doubt if that's going to help. I checked that the referer was appearing correctly by using billthedoubtfuls.cgi to access one of my servers and looking at the log, and it did, so I tried it on BMS.

"Some of the data entered is incorrect. Please retry."

I emailed the data string that I was using for testing to Tom, he looked at it, and says it's OK. So the problem isn't actually the data entered, it's something else. And I think I've run out of ideas to try.

So - I don't think I need a SHA, but I can't be sure, and I'm set up to compute one if I need to, but I'm currently not using it. I don't think I need a referer, but I've got one set up anyway. I've told it the IP addresses that I'll be using. I'm using the test system. And still ...

"Some of the data entered is incorrect. Please retry."

And I think I've run out of ideas to try.


  1. Surely you should see this as an opportunity for a new, fiendish, puzzle cache. Put a blank text field on the cache page, get punters to fill it in, then submit it to BMS.

    If their submission works, give them the cache coordinates and ask them how they did it :)