
Development of a payment system for the site using CyberSource Secure Acceptance

Web developers are often asked to integrate a payment system into an already finished project. How do you handle this task quickly and correctly? Today there are many payment systems that provide tools for processing credit card transactions, and I want to tell you about one of them. Meet CyberSource.

How it works


CyberSource is a company that provides payment management services. The company was founded in 1994. In 2010, CyberSource was acquired by Visa Inc. and is now its subsidiary. Several solutions are offered for system integration:


Whichever integration option you choose, the general principle of operation is the same. Before a user can make payment transactions on your website, they first need to "link" their credit card, that is, register it in CyberSource. After successful registration, the user receives a unique identifier, payment_token, which is mandatory in all subsequent transactions (card operations). Today I want to talk about the Secure Acceptance technology. This integration method lets you quickly create purchase forms on your website. It also requires a minimum of code, which makes the integration process easy to follow even for those who are just taking their first steps in programming.

Work with CyberSource Secure Acceptance


To work with the CyberSource system, you first need to register and create a test account. The test account is used only during development and testing, and later it should be replaced with a full production account. After registration, we log in to the test business center. This will be our main working tool. Here the user can create profiles for Secure Acceptance, check the results of transactions, and write to the support service. I want to note right away that the account interface is available in Russian. You can switch to it in the “My User Settings” menu. In general, working with Secure Acceptance is quite simple, and I only had difficulties at the stage of creating profiles and setting them up. But here the support service always came to the rescue.
Answers to all my questions came pretty quickly. Admittedly, this service is organized in a rather specific way: through eTickets. To ask a question, go to the “Support Center”. The support page will open. The My eTickets section displays your requests to the service. To ask a question, just create a new eTicket. Below it is a table with the questions that users ask most often, so first check whether your answer is already there. If not, feel free to create your eTicket, and CyberSource experts will be happy to provide you with all the necessary information. They will post their answer in the same eTicket.

To be able to use CyberSource Secure Acceptance on your site, you must create an appropriate profile. This can be done by selecting “Tools & Settings” and going to the “Profiles” menu in the “Secure Acceptance” section. By default, Secure Acceptance is disabled, so immediately after registration this item will not appear in the menu of your business center. To activate it, you need to contact support. I advise you to ask them right away to activate the Payment Tokenization service as well, so that the "Recurring Billing or Secure Storage" error does not occur later.
We wait until the "Secure Acceptance" section appears in the settings menu and then proceed to create a profile.

Secure Acceptance Web / Mobile and Secure Acceptance Silent Order POST profiles


Cybersource Secure Acceptance offers two methods for site integration:

  1. Secure Acceptance Web / Mobile
  2. Secure Acceptance Silent Order POST

There is practically no difference between these two methods. Secure Acceptance Web / Mobile offers ready-made forms for collecting and displaying information, whereas in Secure Acceptance Silent Order POST, the developer creates all the forms. For example, to link a credit card with Web / Mobile, it is enough to place a button on the site; clicking it takes the user to the registration data entry form developed by CyberSource. This form cannot be changed (although you can adjust its style a little in the profile settings). If the transaction is successful, the receipt form is displayed (also from CyberSource). In Silent Order POST, the developer creates all the necessary forms. That is the whole difference. From there on, both methods work the same way. After the server has processed the request, the user is automatically redirected to the page specified in the profile settings. In addition, if an email address or page is specified in the settings, a receipt with the results of the transaction is sent there.

You can create any number of profiles of various types (Web / Mobile or Silent Order POST). But only one of them can be active. Be careful. If you activate the Web / Mobile profile, and send requests to Silent Order POST, this will cause an error at the authorization stage of the request in the system. After all, each profile has a unique identifier and keys, on the basis of which the authorization takes place.

Here is a list of the main groups of settings:

Common

Only for Web / Mobile

After filling in all the required fields, activate the profile. If you need to make changes, deactivate the profile first. A list of all available profiles can be seen by clicking the "< All Profiles" button at the top of the page.

Practical implementation


The official documentation has very good examples of working with Secure Acceptance, written in various programming languages. The PHP implementation is quite simple and makes it easy to integrate the system into the site. But I did not like the fact that the form's hidden fields contain the information for authorizing transactions (profile identifier, keys, identifier and date of the transaction). Therefore, I decided to complicate my life and make sure that all these fields are filled in immediately before being sent to the server. Besides, a call to the server cannot be avoided, and here is why. Before sending data to the CyberSource server, a signature must be generated. The signature is generated from the required form fields (the names of these fields are listed in the signed_field_names field) and written to the signature field. The same signature is generated on the server and serves to verify the integrity of the data received.

Therefore, all the scripts from my example can be divided into 3 groups:

The get_default.php script returns a data set to fill in the form fields (depending on the type of transaction and the type of system). This script uses three classes that I created to work with CyberSource Secure Acceptance.


Data is returned in JSON format and recorded in the appropriate fields of the form, after which it is submitted (submit).

The get_response script is where the server sends its response with a receipt of the transaction results. The address of this script must be specified in the “Notifications” settings of the profile. The response arrives as an array in $_POST. The result of the transaction is in the reason_code field. The transaction is successful if reason_code is 100. A full list of response fields, as well as error codes, can be found in the documentation. The task of this script is to write the payment_token field to the database if the transaction was successful.

The get_users script is used to get a list of users or to create a new one. This script uses the User class.

In addition, the DbAdapter class is used in all scripts. This class is designed to work with the MySQL database.

Since the server’s response comes to a separate address, the logical question is how to track which particular user the token was created for. I did not find a standard solution, so I did the following. Before sending the form to the CyberSource server, I record the identifier of this transaction against the user for whom I am linking a credit card. When the response arrives, it also contains this identifier. Therefore, I can unambiguously find the user for whom the transaction was started and save the payment_token for them.
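The signing step and the get_response check described above, as an added PHP example (not the author's code and not CyberSource's sample). It assumes the HMAC-SHA256, base64-encoded signature over comma-joined name=value pairs from the Secure Acceptance documentation; the field name req_transaction_uuid, the function names and the SECRET_KEY placeholder are assumptions not given on the page, and the sample reply is constructed.

```php
<?php
// Placeholder, not a real credential; the profile's secret key stays server-side.
const SECRET_KEY = 'REPLACE_WITH_PROFILE_SECRET_KEY';

// Join "name=value" pairs in the order listed in signed_field_names,
// then sign the string with HMAC-SHA256 and base64-encode the raw digest.
function sa_sign(array $fields, string $secretKey): string
{
    $pairs = [];
    foreach (explode(',', $fields['signed_field_names'] ?? '') as $name) {
        $pairs[] = $name . '=' . ($fields[$name] ?? '');
    }
    return base64_encode(hash_hmac('sha256', implode(',', $pairs), $secretKey, true));
}

// Recompute the signature of a received notification; compare in constant time.
function sa_verify(array $post, string $secretKey): bool
{
    if (empty($post['signature']) || empty($post['signed_field_names'])) {
        return false;
    }
    return hash_equals(sa_sign($post, $secretKey), (string) $post['signature']);
}

// Return [transaction id, payment_token] only for an authentic, successful
// reply whose relevant fields are all covered by the signature; otherwise null.
function sa_accept_token(array $post, string $secretKey): ?array
{
    if (!sa_verify($post, $secretKey)) {
        return null;
    }
    $signed = explode(',', $post['signed_field_names']);
    foreach (['reason_code', 'req_transaction_uuid', 'payment_token'] as $f) {
        if (!in_array($f, $signed, true) || !isset($post[$f])) {
            return null;
        }
    }
    if ((string) $post['reason_code'] !== '100') {
        return null;
    }
    return [$post['req_transaction_uuid'], $post['payment_token']];
}

// Constructed sample reply standing in for $_POST in get_response.
$reply = ['reason_code' => '100', 'req_transaction_uuid' => 'demo-uuid-0001',
    'payment_token' => 'DEMO_TOKEN_0001',
    'signed_field_names' => 'reason_code,req_transaction_uuid,payment_token,signed_field_names'];
$reply['signature'] = sa_sign($reply, SECRET_KEY);
var_dump(sa_accept_token($reply, SECRET_KEY) !== null); // unmodified reply
$reply['payment_token'] = 'ALTERED_VALUE';               // changed after signing
var_dump(sa_accept_token($reply, SECRET_KEY) !== null);
```

In get_response, the returned transaction identifier is what gets matched against the one stored for the user before the form was submitted, and only then is payment_token written to the database.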

Another question that may arise: is it possible to use Secure Acceptance without web forms? Let's say you have a huge number of users, and every month they have to pay a certain amount. We will not force them to go to the site every time and open and fill out a payment form. This process needs to be automated somehow. I tried to do this using CURL and Silent Order POST. The support service wrote that they did not guarantee the correct operation of such a combination. But the result was positive and requests are sent normally. You just need to remember to check the result of the curl_exec() call to verify that the transaction is authorized, and to issue a message in case of failure. However, I would not advise using CURL for such purposes. Although it works, it is not as convenient as the CyberSource API.

My example, which you can download here, works with a test version of the account. When switching to production, you must:

  1. Register in the system (create a working account, not a test account)
  2. Enter the new profile parameters in the classes
  3. Change addresses for submitting forms (change endpoints)

A list of required form fields, endpoints and all additional information can be found in the official documentation of Secure Acceptance Web / Mobile and Secure Acceptance Silent Order POST.

Source: https://habr.com/ru/post/229947/

