
How to use reference transactions in the Payflow Pro XMLPay API?


I'm trying to use reference transactions in the Payflow Pro XMLPay API to make recurring profiles and one-off transactions, but I'm having difficulty figuring out where I should include an ORIGID parameter. We would like to avoid including the bare credit card data in the recurring profile create or transaction create to keep our PCI scope low - effectively using the reference transaction in lieu of what would be a credit card token in a more modern API (including the new PayPal REST API, although we can't use it because it would create too many changes).

Creating transactions based on reference transactions is described pretty clearly for the NVP API (search for "Converting an Existing Transaction Into a Profile"):

TRXTYPE=R&TENDER=C&PARTNER=PayPal&VENDOR=Acme&USER=Acme&PWD=a1b2c3d4&ACTION=A&PROFILENAME=RegularSubscription&ORIGID=XYZ123&START=12012013&PAYPERIOD=WEEK&TERM=12&OPTIONALTRX=S&OPTIONALTRXAMT=2.00&COMMENT1=First-time customer&AMT=42.00

The relevant bit is close to the middle, where you pass ORIGID=XYZ123.

But I've had trouble figuring out how to pass ORIGID using the XML API. I've tried including the tag a number of different ways, e.g. by replacing the tender section as follows (pure guesswork):

<Tender>
  <Card>
    <OrigId>XYZ123</OrigId>
  </Card>
</Tender>

But I haven't been able to get around error messages that ask for the ORIGID, or that complain about an invalid tender section. The two APIs are similar enough that it feels like there should be support through XMLPay also. That said, using the NVP API instead would not be the biggest difficulty if there just isn't a way to do this through the XMLPay API.

Note also that the Secure Token/Transparent Redirect flow isn't helpful, as it does not hide the credit card data. You would still need to include the bare credit card data in the create transaction call, and this does not help us reduce the PCI scope. It appears to allow making a call directly to PayPal without exposing your API credentials client-side, but in our case even hosting the form puts that service in PCI scope.


Solution

  • So this isn't documented in the XMLPay documentation as far as I can tell, but thankfully it is being done in the ActiveMerchant codebase.

    Instead of including the credit card data in the Tender section, you add an ExtData tag like so:

    <Tender>
      <Card>
        <ExtData Name='ORIGID' Value='XYZ123' />
      </Card>
    </Tender>
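The following is an added example, not part of the answer above and not ActiveMerchant or PayPal code: it builds the ExtData-based Tender section from a validated ORIGID and checks an outgoing request body for raw card data before it is sent, which is the PCI-scope goal stated in the question. The function names, the ORIGID format pattern and the list of card-data element names (`CardNum`, `ExpDate`, `CVNum`) are assumptions.

```ruby
# Added example (not ActiveMerchant or PayPal code). All names are hypothetical.
# Assumption: reference IDs are short alphanumeric strings like the page's XYZ123.
ORIGID_FORMAT = /\A[A-Za-z0-9]{1,32}\z/
# Assumption: XMLPay elements that carry raw card data.
CARD_DATA_ELEMENTS = %w[CardNum ExpDate CVNum].freeze

# Build the Tender section from the answer: ORIGID in ExtData, no card fields.
def reference_tender(orig_id)
  id = orig_id.to_s
  raise ArgumentError, "unexpected ORIGID format" unless ORIGID_FORMAT.match?(id)
  value = id.encode(xml: :attr) # XML-escaped and wrapped in double quotes
  "<Tender>\n  <Card>\n    <ExtData Name=\"ORIGID\" Value=#{value} />\n  </Card>\n</Tender>\n"
end

# Luhn checksum over a string of digits.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Names of card-data elements present in a request body.
def card_data_elements(xml)
  CARD_DATA_ELEMENTS.select { |name| xml.match?(%r{<#{name}[\s>/]}) }
end

# Digit runs of PAN length (13-19) that pass the Luhn check, in any field.
def pan_candidates(xml)
  xml.scan(/(?<!\d)\d{13,19}(?!\d)/).select { |run| luhn_valid?(run) }
end

# Raise before sending if the request would carry card data; else return it.
def guard_request!(xml)
  found = card_data_elements(xml)
  raise "card data elements present: #{found.join(', ')}" unless found.empty?
  raise "PAN-like value present" unless pan_candidates(xml).empty?
  xml
end

# Constructed sample: a request body that still embeds a (test) card number.
LEGACY_TENDER = "<Tender><Card><CardNum>4111111111111111</CardNum>" \
                "<ExpDate>203012</ExpDate></Card></Tender>"
```

The Luhn scan also catches a card number that ends up in a free-text field such as a comment, which an element-name check alone would miss.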