I’ve set up SagePay in order to take online payments. I’ve put the account into test mode and am using the test encryption key provided by SagePay. All works fine when I create and attempt to pay for an invoice online using a SagePay test card, and I receive emails from SagePay telling me the payment was successful.
However, I am not redirected back to the invoice page after paying on the SagePay screen. It just hangs with a notice saying “INVALID CALL” and a whirling bar saying “Redirection in process”. The payment does not show up on the account either.
What is going on? I am reluctant to put the system into live mode and start using it for invoicing, in case the same thing happens with genuine payments.
In order to verify SagePay are making the callback and not some malicious 3rd party we very the IP address the call is being made from. The problem is SagePay can occasionally changes these IPs without issuing any notification, particularly on the test gateway.
I’ve not heard of any issues on the live service, but you could test with a very small (say 20p) transaction. Either way the payment will always go through and the part that’s failing in this instance is the logging of the payment on Quick File and the friendly redirect back to the invoice page.
@Glenn As you suggested, I have just tried it using the live SagePay account, and exactly the same thing happened. The payment was taken, 3D-secure worked fine, but the client was not redirected back to the invoice. An email was received by myself and the client, but the payment was not applied to the quickfile invoice.
This is, in my view, a serious flaw - it makes taking payments impossible because the client is left wondering whether the payment was taken. If they login to see their invoice it will still say it is unpaid, and they are likely to try and pay again.
Is there no way this can be fixed? Surely I can’t be the only one experiencing this problem? As it stands, I cannot invoice clients from quickfile and cannot use online payments!
Unfortuantely this is a problem whereby SagePay are calling from unknown IP addresses. I checked the notes on SagePay and they recently disclosed a bunch of IPs that there servers are authorised to call from, the transaction you made this evening originated from an IP address not on the list supplied. It makes it very difficult for us to institute any sort of security when the IPs are not static.
I’ve added the IP address to the list, but we will probably need to have a chat with SagePay so we can be absolutely sure that these IPs will remain static.
Thanks very much for looking into this. I’ll test again and let you know if it works.
Incidentally, what is the ip address that the callback is being made from? I’ve read (though I’m no expert) that I can add allowed ip addresses to MySagePay control panel, and that this has solved other people’s problems.
When SagePay complete the processing of the payment they will make a call to a specific link within Quick File to pass back the results. We need to know if the transactions was successful or not so we can apply a payment. To prevent anybody from discovering this link and manually calling it with bogus information we check the IP and only process if the call was made from a known IP address (this would be one of the SagePay servers).
The IP addresses configurable in your control panel will solve a similar problem but when payments are being passed into SagePay (Our problem is on the other side). It’s the same principle but a way for SagePay to know that your server is making the call, not someone trying to fake a call from your website.
We will take a look at this first thing tomorrow morning for you.
Great; thank you for the clarification - that makes sense.
I’ve just tested using the test server, and now it goes to a page that says “Clunk!!” I’m not sure what’s happening now, but I will wait for your response and test again tomorrow.
Just a quick note before anyone uses this: the invalid call has been resolved and the redirection is working, but the payment is not being applied to the invoices. It may be just me - I look forward to any help!