Trevance Transaction Gateway

Change log for the Trevance CN-3500, CN-4200 and CN-4250 Transaction Gateway.

Current Release:

7 December 2011 Version 3.0.1.3

GENERAL:

• PCI 2.0 Compliant Key Management
• Window  Server 2008 R2 support
  

27 December 2010 Version 2.2.15.10

• Trevance Demo & Production Setup
  
• Trevance Update

GENERAL:

• Modified priority for batch thread during long operations.
• Modify watch dog timer to know a long operation is occurring and should not be shut down early.
• Aligned queue and thread pool sizes (reduced thread pool size).
• Fixed mutex detection for Vista and newer.
• Identify a database deadlock situation when closing large batches with high-volume active online captures occurring. Changed the end of day queries to use a read committed rather than snapshot isolation level.
• Handle missing dfr_rules file.
• Improve deadlock handling when very large real-time to batch file conversions occurs (over 300,000 transactions).
• Correct UTID base64 validation issue that occurred in test mode.
• Timed batch and encrypted DFR in progress.
• Properly generate UTID in batch mode.
• PCI: ACCT was returned in some instance where UTID was being returned. ACCT and UTID should never be returned together.
• Sanitize account expiration dates.

CHASE PAYMENTECH:

• In batch mode, now sends default currency vs. 840 when importing blank currency field.
• Fraud support
• Extend log sanitization to include FTP password.
• Added ability to check for data reports multiple times per day. New config setting allows for hourly checks
• PCI: DFRs are now categorized as sensitive and insensitive and downloaded to different directories. Sensitive DFRs are encrypted if encryption key is set

TRANSFIRST:

• Correct problem where real-time crash occurs when URL is not set.

11 November 2010 Version 2.2.14.9

GENERAL:

• Corrected validation problem with new UTID format validation.

TRANSFIRST:

• Corrected crash problem when real-time URL was not set.

28 October 2010 Version 2.2.14.8

• Trevance Demo & Production Setup
  
• Trevance Update

GENERAL:

• Change to new UTID format.
• Watch dog timer thread now monitors the main thread (batch imports, exports, uploads, downloads, and maintenance). If it should hang, automatically restarts.
• When constant batches are run the Console does not time out. This is now corrected.
  This is not being issued as a security alert since it is only in test modes such things would happen. None of the payment processors allow highly-repetitious batch submission.

CHASE PAYMENTECH:

• Gift Cards
• Correct FTP issue where errors would not time out. Could cause transfers to hang.

FIRST DATA:

• Add support for Secure Transport (DataWire) communications.

FIRST NATIONAL MERCHANT SOLUTIONS:

Correct FTP issue where errors would not time out. Could cause transfers to hang.

11 May 2010 Version 2.2.13.1

• Trevance Demo & Production Setup
  
• Trevance Update

GENERAL:

• Corrected problem with starting up under domain controller in some situations. Problem caused because name check could be returned in four different formats and Trevance was not handling all formats.
  

12 November 2009 Version 2.2.12.1b

• Trevance Demo & Production Setup
  
• Trevance Update

FIRST DATA:

• Initial support for Compass platform.

29 September 2009 Version 2.2.11.2

• Trevance Demo & Production Setup
  
• Trevance Update

TRANSFIRST:

• Initial Release of TransFirst support.

19 June 2009 Version 2.2.10.2

• Trevance Demo & Production Setup
  
• Trevance Update
  

GENERAL:

• Ability to generate UTID without any payment processor interaction.  Just send action code of U and account field -- all other import fields are ignored. Just export the UTID field. U transaction works only via real-time interface.
  

• PaymentVault server configuration information was not being updated after pause/resume.

• When UTID is requested, but Account field is blank or missing, UTID is not generated.
  

5 June 2009 Version 2.2.9.3

• Trevance Demo & Production Setup 
• Trevance Update

GENERAL:

• Failover support for PaymentVault.
• On startup, log user we are running as and user who ran initial encryption.

CHASE PAYMENTECH:

• Support Account Check (otherwise known as $0.00 auth for MasterCard and Visa).

5 May 2009 Version 2.2.8.3

•  Trevance Demo & Production Setup

• Trevance Update
  

 CHASE PAYMENTECH:

• Support for Revolution Money alternative payment method.

• Corrected problem where setting priority of socket to high caused exception. Now exception is caught and processing continues.
  

13 February 2009 Version 2.2.7.3

• Trevance Demo & Production Setup
• Trevance Update

GENERAL:

• Add UTID to standard Service Interface response.

Note: UTID only generated if UTID is being exported by real-time web interface.  If you're not seeing UTIDs via the standard Service Interface, configure the real-time web interface to return UTID field.

• Configurable Warnings.

Trevance generates any import warnings that are helpful during demo/test, and perhaps less useful after moving to Production. There is now a Configure/Warnings menu option that allows you to disable certain import warnings such as mal-formed Zip/Postal Codes.

• Interface for custom Repeat Billing System.
• Add Ruby sample encryption/decryption code for batch interface.

CHASE PAYMENTECH:

• Support for Green Dot MoneyPak

Current Release:

4 December 2008 Version 2.2.6.29

• Trevance Demo & Production Setup
  

• Trevance Update

GENERAL:

• Increase number of days QUAL data is maintained in Trevance from 30 to 60 days.

(QUAL data used to associate qualification data between Auth and Deposit transactions.)

CHASE PAYMENTECH DIRECT/SALEM

• In Trevance CN-4250, all "POST ASI/01" entries for local web-actions D, R, and V have a 0 in the last position for Last Action Succeeded (LAS). This is true whether or not the action succeeded. (LAS was being returned properly through the web transaction.)

• Incoming Auth codes that are shorter than six characters are now right-padded with spaces out to six characters. Trevance always returns the trailing spaces from auths and stores the full six-character auth code as part of the later look-up key. Web transactions were trimming the right-padded spaces (batch file transactions did not).

This did not arise during earlier testing because neither Trevance in demo mode nor Chase Paymentech in test mode return auth codes any shorter than six characters.
Trevance now returns five-character auths in Demo mode approximately 20% of the time.

1 November 2008 Version 2.2.6.27

• Trevance Demo & Production Setup 
• Trevance Update 

CHASE PAYMENTECH DIRECT/SALEM

• PayPal certified
• PINless debit card auth reversal.
• Support for Auric Cipher Engine (ACE).

 CUSTOM RELEASE

17 October 2008 Version 2.2.6.25

GENERAL:

• First official release for DEU support.

 CHASE PAYMENTECH DIRECT/SALEM

• PayPal: Add LO and AE transactions.

 CUSTOM RELEASE

8 October 2008 Version 2.2.6.24

CHASE PAYMENTECH DIRECT/SALEM

• PayPal [in process]
• PINless debit card auth reversal functionality [in process]

 CUSTOM RELEASE

4 October 2008 Version 2.2.6.23

GENERAL:

• Implement HTTPS support for real-time web interface.
• Implement standardized web interface for communicating with Data Entry Utilities.
• Implement initial ACE (Auric Cipher Engine) functionality.

  Contact Auric for more information on ACE.

• Mask WEBPASS in web log.

 CUSTOM RELEASE

8 September 2008 Version 2.2.6.18

GENERAL:

• F, D, and R transactions received through the real-time interface are now checked to ensure they pass LUHN-10 before being processed. If they do not pass LUHN-10, they are rejected before being sent to the processor.

  This change is particularly important in the CN-4250 which accepts Refunds and Voice/Force Deposits and simply queues them for later batch settlement.

• Trevance Console does not allow email to be set up until the Server Pass Phrases are set. This ensures any passwords required for the email configuration are properly encrypted. Previously, the passwords were simply not being saved.
• Audit Log tracking now tracks all changes to items items set under the Options dialog. 
• Audit Log tracking tracks when Config files are exported and imported.
• SFTP Proxy support now available for Chase Paymentech and First National Merchant Solutions SFTP connections.
• CN-4250 sales settlement fails when triggered through web interface. This problem introduced in previous release. 
• CN-4250 AutoSettle functionality now triggered via either web interface command or set for specific time each day. 

  CHASE PAYMENTECH DIRECT/SALEM:

• support UK Account Updater download files.
• ValueLink/Disney Gift Cards
• TCP/IP Socket Fallback 
• PayPal [in process]
• PINless debit card auth reversal functionality [in process]
• F, D, and R transactions in Batch files that fail now generate emails. 

This feature implemented to raise awareness of batch-failures for transactions that are always expected to succeed. 

• Presenter and Submitter Passwords are sanitized in batch upload/download logs. 
• CN-3500 SFTP connection supports Proxies. 
• Remove non-alphanumeric characters from list of possible characters in SFTP NetConnect Batch password. 

NetConnect password rules do not quite match documentation. 

• Sanitize batch presenter and submitter passwords in batch upload and download logs. 
• Switch/Maestro transactions did not properly export the SW CardType in on-line transactions. CardType was being exported as blank.
• Improved wording on 30-day password test dialog to clarify how it is used.
• AutoSettle of real-time refunds incorrectly used the authorized amount for the batch. Should use amount. 
• Sanitize PID and SID passwords from Upload and Download logs. 
• Added 'P' (Pass) and 'A' (Attempted) to the list of accepted codes for ECOMTYP. These codes indicate a Successful or Attempted Verified by Visa or MasterCard SecureCode transaction.

  This code typically set to 'E' indicating encrypted HTTPS. 

• Support Authorization Reversal for Visa, MasterCard, and MasterCard/Diners credit cards. Action code is L.
• Support Authorization Reversal for PIN-based and PINless debit cards. Action code is L.
• Support Refund Authorization Reversal for PINbased debit cards.
• Support Partial Authorization for American Express, MasterCard, and Visa.
• Support Force Full Authorization to override divisions set to default to Partial Authorization.
• Support mail-order, recurring, and Ecommerce transaction classes for PINless debit cards. 
• Support Auth (A) and Sale (S) transactions for PINless debit transactions submitted via batch. 

 CHASE PAYMENTECH PNS/TAMPA:

• Disney Rewards

 PAYMENTVAULT TECHNOLOGY:

• PaymentVault technology now integrated for all Trevance versions.
• UTIDs are now generated for all action types in batch mode.
• Added UTID station identifier ID to avoid collisions between multiple UTID generators. 
• UTIDs are copied to PaymentVault every minute. Previous implementations migrated UTID values as part of the end of day maintenance.
• Trevance requires upgraded PaymentVault version: 1.1.1
• UTIDs now generated for all transactions. Previously generated only for Auth and Sale transactions. 

  CHASE PAYMENTECH DIRECT/SALEM:

• Online specifications: 7.4.
• Batch specifications: 3.0.0

 CHASE PAYMENTECH PNS/TAMPA:

• Online specifications: PNS ISO Spec 3.4.1

 FIRST NATIONAL MERCHANT SOLUTIONS:

• 150-byte BAS batch specifications: 7.2

 02 June 2008 Version 2.2.5.3

•  Trevance Demo & Production Setup 
•  Trevance Update

CHASE PAYMENTECH:

• Send Track 2 data for all PIN-based debit card transaction actions.  Was previously sending Track 2 for only some actions. 

12 May 2008 Version 2.2.5.2

CHASE PAYMENTECH:

• Trevance stores the original authorization amount for auth-only transactions so it can be added to the deposit/capture transaction. In batch-auths, this value was being read too early and was thus being stored as 0.00. Value is now read and stored at correct time. 

 24 April 2008 Version 2.2.5.1c

•  Trevance Demo & Production Setup 
• Trevance Update
  

GENERAL:

• Trevance 2.2 and Trevance 2.2 with PaymentVault are listed on Visa site as meeting current Payment Application Best Practices (PABP) requirements. This starts the third year for which Trevance meets PABP requirements.

CHASE PAYMENTECH

CN-3500 only:

• The Trevance Console was incorrectly triggering a password change for the NetConnect Batch Zip file.
  When OK is clicked on the Payment Processor Configuration Dialog (even if no changes have been made),
  the Trevance Console (TrevCon) checks to see if a manual reset was performed.
  If the user did initiate a manual reset, TrevCon sets the ZIP file password equal to the new SFTP password.
  TrevCon incorrectly determined that, when the SFTP and ZIP passwords
  were different, a manual reset had occurred and then updated the ZIP password.
  The correction was made to TrevCon 2.2.5.2 and included in installer 2.2.5.1b.

06 March 2008 Version 2.2.5.1

CHASE PAYMENTECH

CN-3500 only:

• Provide ability to change S-FTP connection password manually during certification test.
• Modify UI to emphasize connection passwords should only be changed to passwords provided by Chase Paymentech.

               30-day password changes otherwise handled automatically by Trevance.

• Clear old passwords on manual password entry. During automatic password change, we maintain a fallback since password change make take several hours to propagate (as per Chase Paymentech Spec).
• Allow recovery logs to be loaded. Previously, this was hidden in CN-3500.

All Versions:

• Add wait cursor for better feedback when performing email testing.

• When deleting a batch from the queue, write column headers if that option is select in export and you elect to export the file before deletion.

• Real-time transactions return authentication errors before parse errors. Previously, a parse error (such as amount missing) would be returned even if userid/password was invalid. Now, Trevance parses, authenticates, and then returns any parse errors.

• Improved email handling. Addressed case where SMTP server returns simple netbios host name instead of fully qualified domain name. If there's no dot in the hostname, supply a bracked IP in the EHLO record.

07 January 2008 Version 2.2.4.1a

• Trevance Demo & Production Setup
  
• Trevance Update
  

GENERAL PABP-RELATED CHANGES:

The following changes were made as part of our updated Payment Application Best Practices (audit) third-party audit. These changes reflect the updated PABP requirements active as per November 2007.

• Log access to the PaymentVault (UTID lookup.)
• When sending transactions using UTIDs, the account number can no longer be exported. It is blank.
• Docs\AuditFileFormat.txt documents the layout of the UTID files.
• UTIDs now supported for real-time transactions other than Authorization.
•  Updated Encryption/Decryption code samples.

 FIRST NATIONAL MERCHANT SOLUTIONS

 When FNMS sends a rejected file notification:

•   Log it.
•   Send email notification.
•   Export reject notification to the Other Files directory.
•   Do _not_ remove queued file.

Addresses problems such as having the file upload terminate mid-stream and then having a successful upload of same file.
FNMS generates batch reject of first file and processes second successfully.

14 November 2007 Version 2.2.3.2a

GENERAL:

• PABP correction. If the Export Masked Account Numbers is not set (default is set), then unmasked account numbers appear in the web log.

Corrected. A problem only if web logs are being run AND the Export Masked Account Numbers is not set.

•  Possible to get wrong merchant order number on transaction in following situation.

a: Authorize two transactions with same credit card number, expiration date, division id, and dollar amount.
b: Receive the same Authorization code from payment processor for both transactions.
c: Settle both transactions in the same batch.

• In the above scenario, the two transactions in the settlement batch are given the same merchant order id:

a: no duplicate deposits are made.
b: no transactions are skipped.
However, it makes reconciling difficult since the same order number appears twice.
This problem appears in Trevance 2.2.1.x.

A good time for a reminder that the same order number provided to (or generated by) the Authorization process must be submitted with the deposit.
Also, order numbers sent through the real-time interface must be unique.
[explicitly, the combination of account, amount, division, and order number must be unique; but having a unique order number ensures this.]

25 October 2007 Version 2.2.2.6a

•  Trevance Demo & Production Setup
  

• Trevance Update
  

GENERAL:

- batch import files are now polled for every 15 seconds (vs. every second).
Windows Directory Monitoring service is still used, but is disabled when talking to some SAMBA and Novell shared drives.
Polling always exists as a fallback (Monitoring fails silently on SAMBA shares.)

FIRST NATIONAL MERCHANT SOLUTIONS:

• Imported Merchant Order Number field is uploaded to FNMS in the Merchant Assigned Reference Number (MARN) field.

This is the field that appears in the FNMS reporting system.
This is a change from the CreditNow! version of FNMS BAS support where the Merchant Order Number is not uploaded and the MARN contains a sequential number used for sequencing batches.
Trevance now uses the FNMS BAS sequence field to match up transactions when batches are returned.

***IMPORTANT***: Since the method of matching up returned transactions is changed, this upgrade MUST NOT be applied if there are any batches in the queue.
Only update when the batch queue is empty.

23 October 2007 Version 2.2.2.5

•  Trevance Demo & Production Setup
  

• Trevance Update
  

FIRST NATIONAL MERCHANT SOLUTIONS:

- Add merchant phone number to merchant division configuration.

19 October 2007 Version 2.2.2.4

GENERAL:

- Attempting to start a Windows Directory Monitoring service on a Novell network share throws exception and stops Trevance from switching from Pause to Run mode.
Modify start-up to check for this error, log a message that Directory Monitoring is disabled, and falls back to using polling.
- Corrected problem where trying to set Currency value for merchant/division IDs caused foreign key exception.
Value was being stored as a NULL vs. a blank. Now force USD (which is what default blank value did).

FIRST NATIONAL MERCHANT SOLUTIONS:

• Trevance CN-3500 now supports First National Merchant Solutions' 150-byte BAS Version 7.2 functionality.

Trevance supports both credit card and check processing for card (check) not present services.

• This release supports American Express CAPN.
• For check processing, Trevance supports the following values for the AuthorizationMethod Field:
•  W    Written Authorization (FNMS refers to this as PPD: Prearranged Payment and Deposit)
•   I    Internet (Web)
•   T    Telephone
•  A    ARC (Accounts Receivable Truncation)

Note: FNMS requires Ship Date to be sent with all Deposit and Sale transactions (credit cards and checks).
Trevance defaults to a ship date of 'today' for transactions which do not provide their own ship date.

12 October 2007 Version 2.2.2.2

• Trevance Demo & Production Setup
  
• Trevance Update
  

GENERAL: CN-4250 custom only.

- Real-time Sale transactions (S) were reported as a capture. The Auth portion was not counted.
Sales are now counted as one Auth and one Capture (on successful auths).

CHASE PAYMENTECH: CN-4250 custom only.

• Accept Deposit (D) transactions through real-time interface and batch for end of day settlement.

Note: A success response code does _not_ indicate the transaction succeeded.
Simply means it was batched for later settlement

By default, Trevance refuses to accept Deposit transactions for transactions that were not previously authorized through Trevance.
To alter that, uncheck the "Reject Secondary Transactions without Auths" checkbox in Options dialog on Real-Time tab.

Once this box is unchecked, there are two possible success response codes:
100: deposit successfully added to batch. Trevance found previous Authorization information to include in transaction.
102: deposit successfully added to batch. Trevance did not find previous Authorization information to include in transaction.
Note that voice authorizations presented through the D transaction generate this 102 response.

Alternatively, ASI recommends Voice Authorization transactions be presented using the F transaction type.
This returns 100 for success and not 102 since it does not attempt to look-up qualification data from a previous authorization transaction.

CHASE PAYMENTECH: GENERAL

• ARC (Accounts Receivable Conversion for Checks) now available in CN-3500.
  

12 September 2007 Version 2.2.1.7.

GENERAL:

• Server pass phrases must be entered before importing an XML configuration file.
• When settling, Trevance updates submitted transactions with data collected from the transaction at authorization time. Trevance tracks a different set of information for credit cards and debit cards.

In Trevance 2.2.0, with debit cards, these fields are not being tracked, and so are cleared in error before the settlement is submitted:
Order Number
Auth Code
Auth Date
 
PAYMENTECH:

•  NetConnect batch support (SFTP)

14 August 2007 Version 2.2.0.17

GENERAL:

• Security update: Identified and corrected an encryption problem. Contact Auric for details.
• 'Disappearing' users. Occasionally, after entering a new user into Trevance, they do not appear in the list of users. However, you can log-in as that user and it is properly stored in the database. The problem was triggered by non-printable ASCII values being used in the password hash salt. This caused a problem with the middleware libraries when, on random occasions, the stored salt value is the same as the separator used by the middleware. Salts are now restricted to printable ASCII. Please contact Auric if you have a problem where a user is not appearing in your user list.
• Trevance CN-4250 (custom version of Trevance) supports Unique Transaction IDs (UTID). This allows merchants to refer to the UTID in follow-up transactions (such as a deposit) and not have stored the account number in their systems.
• Trevance CN-4250 (custom version of Trevance) supports Auric's PaymentVault(tm) account storage subsystem. PaymentVault is designed to store credit card account information separately from customer's personally identifiable information. Account information in PaymentVault is referenced via a UTID (Unique Transaction Identifier).
• UTID and PaymentVault are currently available as custom Trevance options. Please call Auric for details.
• Improved error handling during export time.
• Some Visa purchase cards were being identified as Switch/Solo cards. The BIN ranges overlap and there is no way to programmatically tell them apart. Remove automatic detection of Switch/Solo cards and always assume they are Visa. Allow an imported MOP to override the calculated MOP.
  

CHASE PAYMENTECH:

• Online specifications: 7.4.
• Batch specifications: 3.0.0.
• Trevance supports the American Express CAPN address requirements. Merchants already sending cardholder's name and full address do not need to make any changes. Any merchant not currently sending cardholder's name and full address should start doing so in order to achieve CAPN requirements.
  

Various. Version 2.1.x

GENERAL:

• 2.1 contains changes for several custom releases of Trevance CN-4250. Changes summarized below are included in version 2.2.x of CN-4250. Implement auto-settlement mode. Trevance captures authorizations for batch settlement at end of day.
• Implement Unique Transaction ID (UTID) process. Trevance returns a UTID to merchant. Merchant uses UTID to settle transaction. Removes need for merchant to store credit card account number.
• Implement interface to PaymentVault(tm). PaymentVault used to store credit card account numbers separately from personally identifiable information.
• Batch file encryption/decryption code included in Sample Code directory.
• Purchase Card Level III functionality compatible with CN!Express-style Purchase Card Level III batch imports.
• Corrected range check error report when void transaction imported into batch. (Batch cannot process voids.)
• Several minor speed improvements.
• Identified and corrected a possible deadlock condition.
• Allow Web and Console to bind to specific IP in systems with multiple network cards.
• '^' character not being decoded properly in real-time web interface. Problem involved case insensitivity.
• Switch/Solo cards starting with 56 or 49 were incorrectly identified as MasterCard and Visa.
  

TSYS:

• TSYS support is now a custom request.
  

01 March 2007. Version 2.0.4.1

GENERAL:

• Correct problem where unrecognized action code causes export to fail. This occured due to an extra comma in an import field. Correction backported from 2.1.
  

14 February 2007. Version 2.0.3.1

GENERAL:

• Fixed: Configure Directories dialog fails on OK.
  

16 January 2007 Release 2.0.2.7

GENERAL:

• Corrected installer problem where Trevance Service installed with incorrect path value.
  

CHASE PAYMENTECH:

• CN-3500 batch-only version now supports PayPal settlement transactions.

TSYS/VITAL:

•  Support for TSYS (formerly Vital) CNP Auth batch processing service.

Changes from previous internal beta release include:

• Support for import files > 33,000 (need to be broken into smaller files before upload).
• Support for the 08 response code which, in a retail/test environment appears to be successful, but is not.
• Support for new American Express AVS codes.
  

04 August 2006 Release 2.0.1.37

Trevance 2.0 is a significant upgrade providing higher throughput and functionality. Trevance 2.0 has undergone a third-party validation to ensure it meats Visa's Payment Application Best Practices. Trevance is an ideal fit with your PCI requirements.

GENERAL:

• Corrected installer problem where Trevance Service installed with incorrect path value.

CHASE PAYMENTECH:

•     * CN-3500 batch-only version now supports PayPal settlement transactions.

TSYS/VITAL:

• Support for TSYS (formerly Vital) CNP Auth batch processing service.

      Changes from previous internal beta release include:

• Support for import files > 33,000 (need to be broken into smaller files before upload).
• Support for the 08 response code which, in a retail/test environment appears to be successful, but is not.
• Support for new American Express AVS codes.

• 
  
• 
  
• Upgrade embedded Firebird database from 1.5.0 to 1.5.2. This version has various optimization and speed improvements that improve overall Trevance performance.
• When switching running modes (Demo/Test/Live), the server was mistakingly disconnecting the Admin connection if "Admin" was spelled with a lowercase 'a'. This would occasionally result in an error dialog. Other places where the Admin user is explicitly checked were reviewed and found to not have this problem.
• 
  
• The installer automatically installs a Windows Service for Trevance. This service is not enabled by default. The Uninstaller removes the Trevance Windows Service.
• The Trevance Service Manager is now obsolete and removed.
• Start-up speed improved. Trevance now creates a minimum number of (real-time auth) threads immediately on start and then spawns additional threads once per second. This results in quicker start times as well as being a lighter burden on CPU during start-up.
• Database validation no longer run at every restart. Only done when Trevance detects it was shut-down abnormally.
• Invalid credit card values are no longer logged as an error.
• # Remote viewer now checks it is talking to correct server type (i.e., Trevance and not CreditNow! or CN!Express).
• # Nightly sweep operation now completes properly (see SWEEP note below).

PAYMENT APPLICATION BEST PRACTICES:

This release makes a number of changes in order to better comply with Visa's Payment Application Best Practices (PABP). PABP is part of the PCI/CISP/SDP compliance program. Trevance has passed a third-party validation to ensure Trevance is developed in accordance with Visa's PABP requirements.

• User account passwords must now be a minimum of seven (7) characters and contain at least one alpha and one numeric character.
• Punctuation is acceptable in passwords.
• The last four passwords for each user are remembered and cannot be reused.
• The encryption key used to encrypt sensitive database data (such as credit card numbers) is now automatically generated per installation.
• Before Test or Live mode can be used, you must enter a Server Passphrase (See Configure/Change Server Passphrase). This Passphrase is the encryption key for your sensitive data. Protect it according to your corporate passphrase policies.
• For greater security, the Server Passphrase is broken into two components which should be entered by two different people.
• The Server Passphrase is stored using standard Microsoft Windows Security APIs. You must be logged in as the user under which Trevance will run when you enter the Passphrase.
• Trevance will no longer run in Test or Live mode if the default ADMIN user account is still active. PCI compliance rules require merchants not run using any default accounts. Create a new Administrative account and delete the existing ADMIN administrator.
• If you are using the Trevance Web interface, Trevance will no longer run in Test or Live mode if the default WEB user account is still active. Create a new Web user account and delete the existing WEB user.
• A non-web user is locked-out of Trevance for 30 minutes after six (6) unsuccessful log-in attempts. Web users do not have this lock-out since this would open the possibility of a denial of service.
• Admin users are logged-off the Trevance Console after 15 minutes. Non-admin users are not logged off since they may simply be monitoring Trevance activity.
• The real-time file interface has been removed. The real-time files present interesting PCI compliance problems -- particularly around the use of CVV. Custom real-time single transaction file interfaces can be built for merchants who require this functionality in the future.
• Secure file deletion. When Trevance is configured to delete processed import files, it now performs a secure deletion by overwriting the files a number of times.
• Import files can now be encrypted using 256-bit AES encryption.
• Debug logs now mask-out account numbers and CVV values.
• User passwords are now hashed using the more secure salted SHA-256.
• The key for encrypting communications between the Trevance Console and the Trevance Server is now based on an RSA key exchange. Previously, the encryption key was hard coded.

CHASE PAYMENTECH:

• Added latest Chase Paymentech response codes.
• Added cross-currency support.
• During idle time, now checks for on-line heartbeat every 5 seconds vs. every 60 seconds. Addresses problem where heartbeat was being received significantly quicker than spec.
  

TSYS/VITAL:

• Initial support for TSYS/Vital CNP batch platform.
  

SWEEP

The nightly maintenance cycle run on the embedded Firebird database includes a 'sweep' process that cleans-up unused data in the database. Unfortunately, this process only cleans up data which is older than the oldest currently active database transaction that is open. In Trevance 1.x, it was likely that old transactions (such as remote monitoring connections and some transaction connections) could stay open for long periods of times -- i.e., days. As a result, although the sweep operation would occur, it would not be cleaning up the ever accumulating unused data.

If Trevance were to be turned off and restarted, the next nightly sweep would start and run for an extended period of time -- we've seen over 18 hours in our test labs. During that time, real-time transactions would be processing without any difficulty, but batch files would not be picked up and processed since batches are handled by the same application thread as the sweep operation.

Trevance has been extensively reviewed to ensure transactions are not left open for extended periods of time thus ensuring the nightly sweep operation proceeds at the proper pace.

23 August 2005 Release 1.3.1.6

GENERAL:

• The I[x] Address Verification Response text codes had been removed as per Visa recommendation. However, other processors are still using these codes. They have been reinstated.
• Reviewed and corrected AVS Response To Text routine that was generating an exception for un-found AVS codes. Exception text would be returned as AVS Response Text.
• Upgrade Trevance PCI Compliance Document to Version 1.1
  

20 June 2005 Release 1.3.1.5

PAYMENTECH:

• The CN-4200 version now allows Division IDs to be used without first being configured. This is useful for merchants who frequently add new Division IDs or who handle a large number of Division IDs. New Division IDs can be employed without pausing Trevance for configuration. Paymentech requires that each transaction include a Currency Code. When using Division IDs that are not configured in Trevance, Trevance assumes the Currency Code for the transaction is US Dollars (USD) unless a Currency Code is explicitly provided in the transaction.
  

6 June 2005 Release 1.3.1.4

IMPORTANT:

      Two important changes in this release.

1. The Trevance CN-4150 is now called the CN-4200. If you are using a CN-4150, please contact Auric Systems International for a new serial number and activation key.
2. Four field names have been changed in order to better track the Paymentech specifications or to track industry naming conventions.

            CUSTREF -> BILLRREF
            NEWCUST -> BMLCUST
            SOLODATE -> SWCHDATE
            SOLOISSU -> SWCHISSU

GENERAL:

• Payment Card Industry (PCI) Application Best Practices Compliance Status document now part of installation. Documents Trevance compliance with PCI Best Practices. Includes lists of planned improvements. This document is useful for all merchants as they approach PCI/CISP/SDP compliance.
• First release with formal PCI Compliance review. Trevance 1.3.1.4 is the first release for which PCI compliance has been formally reviewed. The only compliance-critical change made to version 1.3.1.4 is to ensure a debit card encrypted PIN value is never exported. All older versions of Trevance are equally compliant as long as:
• you do not process debit cards or
• you do not return the PIN field in your export or
• you are using an older version of Trevance that does not support debit cards

PAYMENTECH:

• Real-time Debit Card Refund Authorization action code is now RA. Previously was just R. This was changed to provide compatibility with future functionality.
• Bill Me Later® functionality now supported.
• Purchase Card Level III now supported.
• Paymentech-specific section of documention rewritten and expanded.
• Field reference document expanded with significant new details.
• Now able to run with just online authorization or batch configured. Previously, both features needed to be configured to communicate with Paymentech before Trevance would allow you to run in Test or Live mode.
• In the process of reviewing documentation, various field descriptions were modified to be more descriptive.
• The field reference has been expanded with more detailed information.
• Convert an all-zero (00/00) expiration date to blank.

10 November 2004 Release 1.2.1.2

General

• In Verbose Log mode, Trevance now logs web responses as well as web requests.
• Remove background grid from real-time chart in Trevance Console. Makes for a cleaner display.
• Log IP address (SOURCEIPADDRESS) from which a Web transaction originated.
• Log the Customer IP field (IPADDRESS). This field is submitted with the Web transaction and represents the customer's IP address.

Paymentech

• Add PIN-less debit card support (CN-4200 only).
• Add POP and ARC check processing support (CN-4200 only).
• Corrected bug which caused auto-generated Order Numbers to be blank. This problem occured only in batch mode.
• When the real-time connection is lost and the transaction times-out before a successful reconnect, the message in the log file now says "Timed Out" vs "Declined". The actual transaction response was already Timed Out and this makes the log file consistent.
• Fixed a bug in online authorization handling that occured when the socket connection was interrupted. The bug caused Trevance to resubmit authorization requests that had timed out due to line failure after the connection was restored but the 'late authorization' response was not logged.
• 
  Modified duplicate detection to rely on Paymentech duplicate detection processes. Previously, Trevance logged transactions being sent to Paymentech and then updated the transaction with results returned from Paymentech. If a duplicate transaction was detected, transaction was not sent to Paymentech and results returned from local cache. This caused difficulties in error situations where the network connection was lost after a transaction was sent to Paymentech. Now, transactions are always sent to Paymentech and may be detected as a duplicate there. Trevance does not store the transaction until it has been returned from Paymentech. Trevance checks for duplicate detection at this time. If a duplicate is detected, the transaction is not stored a second time. Trevance uses the same CADO method of duplicate detection: Card, Amount, Division id, Order number.
  

20 July 2004 Release 1.1.3.3

• Add Paymentech-requested retry delay when processor gracefully closes real-time socket. Previously had retry delay only when port was closed and Trevance was unable to reconnect.
  

13 July 2004 Release 1.1.3.2

• Properly handle URLEncoding on Web interface.
• See URL Encoding for details.
• Allow spurious leading delimiter in URL: i.e. &FirstField vs. FirstField.

7 July 2004 Release 1.1.3.1

•     * Trevance CN-4200 now capable of 15 transactions per second, sustained. Requires a 2GHz processor.
• Daily Batch Refund value in batch summary using wrong calculation.
• TrevCon Export Configuration dialog no longer says 'Successful' when you cancel.
• Backup directory path was reading the Archive directory path from the .INI file. Only a problem when there were .INI file values (i.e., not default).
• Now able to set From Address for emails sent from Trevance.
• After importing a configuration, email information was not updated at the console until Trevance was started.
• Emails may now be sent to multiple recipients. When configuration Email notifications, put a comma-separated list of addresses in the To address field. Example:
        bob@company.com,sue@offsite.com,alert@pageme.com
• Test messages can now be sent from the Email configuration dialog.
• When the real-time socket connection is dropped, Trevance now sends a single Email, vs an Email every 10 seconds if the reconnect fails. This is particularly useful in a TEST environment since test systems are regularly taken off-line for normal daily maintenance and in-house testing.
        Please note: no matter which processor you use, TEST systems are never guaranteed to be available at all times. All the processors use their test systems for internal testing as well as merchant testing. Several of them reset their systems as known times every day.
• Deleting a batch from the queue now generates a log entry.
• Marking a batch to be resent now generates a log entry.
• Added ability to trace Web requests in the log file. Useful for seeing exactly what you are sending to Trevance over the Web. Activate by adding TraceWebRequests=1 to the [Settings] section of the Trevance.ini file.
        Note: Not recommended for use when running high-volumes or production environments.