Steve Endow, a Microsoft MVP for Dynamics GP and a Dynamics GP Certified IT Professional based in Los Angeles, recently completed a fascinating Dynamics GP integration project.
This project involved creating a RESTful JSON web service that enables a website to seamlessly integrate with Dynamics GP, Authorize.net, and the k-eCommerce/Azox Credit Card Extension. Given its role in handling sensitive credit card data, the web service prioritizes security by incorporating HMAC authentication, AES encryption, and operating exclusively over HTTPS.
The customer utilizes an internal website for processing customer orders, gathering customer details, credit card information, and product selections. Previously, customer data was stored separately and manually entered or imported into Dynamics GP. Credit card transactions were managed through a payment gateway with recurring billing features, and all transaction data was entered into GP retrospectively. To streamline operations, the client desired a real-time integration between the website and Dynamics GP, allowing for immediate customer information updates in GP.
However, the client wished to avoid storing credit card information within Dynamics GP or the Credit Card Extension module, even in encrypted form, opting instead for tokenization. This process involves securely sending credit card data to the payment gateway, Authorize.net in this case, and receiving a unique identifier or “token.” This token, stored in the Credit Card Extension module, facilitates future credit card transactions within Dynamics GP.
The decision to utilize a RESTful architecture stemmed from the client’s website being developed with PHP on Linux, effectively excluding direct APIs like COM and .NET libraries. Given their familiarity with REST and its simplicity for this integration, REST emerged as the preferred choice over SOAP.
The selection of JSON as the data format was driven by the client’s developers’ experience with JSON-based web services, simplifying implementation compared to SOAP or XML-based alternatives.
With the architectural decisions finalized, the next step involved addressing implementation details, including web service authentication. The client’s developer recommended HMAC, a secure and straightforward authentication method in which the request content is hashed together with a shared secret key. This produces a per-request signature that cannot be forged without the secret, so the web service can validate each request by recomputing the hash and comparing it. The project used SHA-256 as the hashing algorithm.
To further enhance security, despite using SSL/HTTPS for the web service, the team avoided transmitting credit card data as plain text and opted for AES-128 encryption, which proved more challenging than anticipated. Choosing an “initialization vector” (IV) and reconciling the differences between the PHP and .NET AES implementations presented significant hurdles. Considerable effort went into researching the encryption settings before the team discovered that PHP defaults to NULL (zero-byte) padding, while the .NET encryption library they used expected PKCS7 padding.
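The two pieces above, the HMAC-SHA256 request check and the NULL-versus-PKCS7 padding mismatch, as an added Python example (not code from the project, whose service is .NET and whose client is PHP); the shared secret, request body and card-like string are constructed, and the AES-CBC step itself is assumed to be done by a library on each side, so only the padding layer that caused the interop problem is shown.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a deployment would load this from a secret store.
SHARED_SECRET = b"constructed-demo-secret"

def canonical_body(payload: dict) -> bytes:
    """Serialise the JSON request deterministically so client and server hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_request(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the request content, keyed with the shared secret (hex digest)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_request(body: bytes, presented_sig: str, secret: bytes) -> bool:
    """Server side: recompute the HMAC and compare in constant time to avoid timing leaks."""
    expected = sign_request(body, secret)
    return hmac.compare_digest(expected.encode("ascii"), presented_sig.encode("utf-8"))

def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """PKCS7: always append 1..block_size bytes, each equal to the pad length."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes, block_size: int = 16) -> bytes:
    """Strict PKCS7 removal, rejecting anything that is not well-formed padding."""
    if not padded or len(padded) % block_size:
        raise ValueError("length is not a whole number of blocks")
    n = padded[-1]
    if n < 1 or n > block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS7 padding")
    return padded[:-n]

def zero_pad(data: bytes, block_size: int = 16) -> bytes:
    """mcrypt-style NULL padding: fill the last block with 0x00, add nothing if already aligned."""
    rem = len(data) % block_size
    return data if rem == 0 else data + b"\x00" * (block_size - rem)

def padding_mismatch(plaintext: bytes) -> str:
    """What a PKCS7-expecting decryptor sees when the sender zero-padded: the unpad step fails.
    (A zero-padded block is accepted only if its last byte happens to look like valid PKCS7.)"""
    try:
        pkcs7_unpad(zero_pad(plaintext))
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

Both sides must agree on the padding scheme, the IV handling and the exact bytes that are signed; any difference shows up as a rejected request or a decryption error rather than a clear message.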
Future blog posts will delve deeper into each element of this project.
Steve Endow is a Microsoft MVP for Dynamics GP and a Dynamics GP Certified IT Professional in Los Angeles. He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.
You can also find him on Google+ and Twitter.
