As you may know, I've been working on a web shop. I had it all working
fine, and doing the 3D-Secure using our merchant's test system. So
change the account details and hurrah, now live. Except it turns out
that there are a load of difference in the test system, and each and
every one has been a nightmare for me. Mainly because I'd achieve a
certain state and then ask the merchant support people for help, and
they'd take 24-48 hours to respond, and I'd make a change and a test,
then wait again.

Anyway, long story short, WebBuilder is quite capable of doing proper
3D-Secure (of course).

These are snippets of code that may be useful to anyone else falling
over this hole. Main thing is that the PaReq must not be URI encoded
before you send it to the ACS. The hidden fields are done by creating
TEdits (thanks to Walter Matte for that), and the FormEncoding can be
set to the "old way" to match what other code does (I did a lot of
comparisons!)

szPaReq :=
decodeURIComponent(json_UnescapeString(json_ReadString(sz3DSecure,
'3drequest', '')));

xParams.Values['PaReq'] := szPaReq;
xParams.Values['MD'] := szMD;
xParams.Values['TermUrl'] := szTermURL;

// looped:
xPostEdit := TEdit.Create(m_xPostPanel);
xPostEdit.Visible := false;
xPostEdit.Name := xParams.Names[nLoop];
xPostEdit.Text := xParams.ValueFromIndex[nLoop];

m_xPostPanel.FormURL := szFinalURL;
m_xPostPanel.FormEncoding := 'application/x-www-form-urlencoded';
m_xPostPanel.SubmitForm;


Now I just have to get the merchant people to adjust their firewall to
allow my server to charge real cards...

--

Matthew Jones