Development of a payment system for a site using CyberSource Secure Acceptance

Quite often, web developers are faced with the task of integrating a payment system into an already completed project. How can you handle such a task quickly and efficiently? Of course, today there are a large number of payment systems that provide tools for processing credit card transactions, and I want to talk about one of them. Meet CyberSource.

How it works


CyberSource is a company that provides payment management services. The company was founded in 1994. In 2010, CyberSource was acquired by Visa Inc. and is now its subsidiary. Several solutions are offered for system integration:

  • Using the API (Simple Order API, SOAP Toolkit API)
  • Secure Acceptance (Web / Mobile, Silent Order POST)

Whichever integration option you choose, the general principle of operation is the same. For a user to be able to carry out payment transactions on your site, they first need to “bind” their credit card, that is, register it in the CyberSource system. After successful registration, the user receives a unique payment_token identifier, which is mandatory in all subsequent card transactions. Today I want to talk about the Secure Acceptance technology. This integration method allows you to quickly create forms for making purchases on your site. In addition, it requires writing a minimum of code, which makes the integration process easy and understandable even for those who are just taking their first steps in programming.

Work with CyberSource Secure Acceptance


To work with the CyberSource system, you first need to register and create a test account. The test account is used only at the development and testing stage and should later be replaced with a full production one. After registration, we find ourselves in a test business center, which will be our main working tool. Here the user can create profiles for Secure Acceptance, check the results of transactions and write to the support service. I want to note right away that the interface is available in Russian. You can switch to it in the “My User Settings” menu. In general, working with Secure Acceptance is quite simple, and I only had difficulties at the stage of creating profiles and setting them up. But here the support service always came to the rescue.

The answers to all my questions came pretty quickly. True, this service is organized in a rather particular way: through eTickets. To ask a question, go to the “Support Center” section. The support page opens. The My eTickets section displays your requests to the service. To ask a question, just create a new eTicket. Below it is a table with the questions that users ask most often, so first check whether the answer to yours is already there. If not, feel free to create your eTicket, and CyberSource specialists will be happy to provide you with all the necessary information. They will post their answer in the same eTicket.

To be able to use CyberSource Secure Acceptance on your website, you need to create an appropriate profile. This can be done by selecting “Tools & Settings” and going to the “Secure Acceptance” section of the “Profiles” menu. By default, Secure Acceptance is disabled, so immediately after registration this item will not be present in the menu of your business center. To activate it, you must contact support. I advise you to ask right away for the Payment Tokenization service to be activated as well, so that you do not later get the error “Recurring Billing or Secure Storage service is not enabled for the merchant”.
We wait until the “Secure Acceptance” section appears in the settings menu and proceed to creating the profile.

Secure Acceptance Web / Mobile and Secure Acceptance Silent Order POST Profiles


CyberSource Secure Acceptance offers two methods for integrating into a site:

  1. Secure Acceptance Web / Mobile
  2. Secure Acceptance Silent Order POST

There is practically no difference between the two methods. Secure Acceptance Web / Mobile offers ready-made forms for collecting and displaying information, whereas in Secure Acceptance Silent Order POST the developer creates all forms independently. For example, to link a credit card with Web / Mobile, it is enough to place a button on the site; clicking it takes the user to the registration form developed by CyberSource. This form cannot be changed (although you can slightly change its style in the profile settings). If the transaction was successful, a receipt form is displayed (also from CyberSource). In Silent Order POST, the developer creates all the forms he needs. Those are all the differences. Beyond that, both methods operate on the same principles. After the server processes the request, the user is automatically redirected to the page specified in the profile settings. In addition, if an email address or page is specified in the settings, the receipt with the results of the transaction is sent there.

You can create any number of profiles of either type (Web / Mobile or Silent Order POST), but only one of them can be active. Be careful: if you activate the Web / Mobile profile and send requests to Silent Order POST, this will cause an error at the request authorization stage. After all, each profile has a unique identifier and keys, on the basis of which authorization takes place.

Here is a list of the main settings groups:

General
  • General Settings - profile name, type, profile identifier
  • Payment Settings - settings for types of credit cards, currency
  • Security - create keys for authorization
  • Notifications - choose where the receipt of the transaction results will be sent
  • Customer Response Pages - page settings for various server responses

Web / Mobile only
  • Appearance and Branding - adding your own brand to the form
  • Localization - list of supported languages
  • Payment Form - setting up form fields

After filling in all the necessary fields, activate the profile. If you need to make changes, deactivate the profile first. A list of all available profiles can be seen by clicking the "" at the top of the page.

Practical implementation


The official documentation has very good examples of working with Secure Acceptance, written in various programming languages. The PHP implementation is quite simple and makes it easy to integrate the system into a site. But I did not like the fact that the form's hidden fields contain the information for authorizing transactions (profile identifier, keys, transaction identifier and date). Therefore, I decided to complicate my life and make sure that all these fields are filled in immediately before the form is sent to the server. In addition, you cannot do without access to the server, and here is why: before the data is sent to the CyberSource server, a signature must be generated. The signature is generated from the required fields of the form (the names of these fields are listed in the signed_field_names field) and is written to the signature field.

Therefore, all the scripts from my example can be divided into 3 groups:

The get_default.php script returns a data set for filling out the form fields (depending on the type of transaction and the type of system). This script uses three classes that I created to work with CyberSource Secure Acceptance:

  • Cybersource base class - contains fields and methods common to Web / Mobile and Silent Order POST
  • SecureAcceptanceWM class - for working with Web / Mobile
  • SecureAcceptanceSOP class - for working with Silent Order POST

The data is returned in JSON format and written into the corresponding fields of the form, after which the form is submitted.

The get_response script receives the server response with the receipt of the transaction results. The address of this script must be registered in the “Notifications” settings of the profile. The answer comes in the form of an array, which is located in $_POST. The result of the transaction is in the reason_code field. A transaction is successful if reason_code is 100. A complete list of response fields as well as error codes can be found in the documentation. The task of this script is to write the payment_token field to the database if the transaction was successful.

The get_users script is used to get a list of users or create a new one. This script uses the User class.

In addition, all scripts use the DbAdapter class. This class is designed to work with the MySQL database.

Since the server response comes to a separate address, the question naturally arises: how do you track which user the token was created for? I did not find a standard solution, so I did the following. Before submitting the form to the CyberSource server, I record the identifier of this transaction against the user whose credit card I am attaching. When the answer arrives, it also contains this identifier. Therefore, I can reliably find the user for whom the transaction was started and save payment_token for them.
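The server-side signing step described above, together with the checks the notification script needs before it saves payment_token, as an added PHP example that is not the author's code or CyberSource's sample. It assumes CyberSource's documented scheme (Base64 of an HMAC-SHA256 over the comma-joined name=value pairs listed in signed_field_names) and that the transaction identifier is the transaction_uuid field, echoed back as req_transaction_uuid; the key, the field values and the function names sa_sign and sa_verify_notification are constructed for illustration.

```php
<?php
// Added example, not the author's code. Key and field values are constructed placeholders.
const SECRET_KEY = 'constructed-test-secret-key'; // keep the real key in server-side config only

// Base64 HMAC-SHA256 over "name=value" pairs, in the order given by signed_field_names.
function sa_sign(array $fields, string $secretKey): string
{
    $pairs = [];
    foreach (explode(',', $fields['signed_field_names'] ?? '') as $name) {
        $pairs[] = $name . '=' . ($fields[$name] ?? '');
    }
    return base64_encode(hash_hmac('sha256', implode(',', $pairs), $secretKey, true));
}

// Returns the values the notification script may store, or null if the message is rejected.
function sa_verify_notification(array $post, string $secretKey): ?array
{
    $signed = explode(',', $post['signed_field_names'] ?? '');
    // Every field acted on must be present and covered by the signature.
    foreach (['reason_code', 'req_transaction_uuid', 'payment_token'] as $required) {
        if (!isset($post[$required]) || !in_array($required, $signed, true)) {
            return null;
        }
    }
    // Recompute the signature and compare in constant time.
    if (!hash_equals(sa_sign($post, $secretKey), (string) ($post['signature'] ?? ''))) {
        return null;
    }
    if ((string) $post['reason_code'] !== '100') { // 100 marks a successful transaction
        return null;
    }
    return ['transaction_uuid' => $post['req_transaction_uuid'], 'payment_token' => $post['payment_token']];
}

// Constructed request (a subset of the fields a real form needs), signed on the server.
$request = [
    'access_key' => 'ACCESS_KEY_PLACEHOLDER', 'profile_id' => 'PROFILE_ID_PLACEHOLDER',
    'transaction_uuid' => 'tx-0001', 'signed_date_time' => gmdate('Y-m-d\TH:i:s\Z'),
    'transaction_type' => 'create_payment_token', 'reference_number' => 'order-42',
    'signed_field_names' => 'access_key,profile_id,transaction_uuid,signed_date_time,'
        . 'transaction_type,reference_number,signed_field_names',
];
$request['signature'] = sa_sign($request, SECRET_KEY);
echo $request['signature'], PHP_EOL;

// Constructed notification, checked once as received and once with payment_token altered.
$reply = ['reason_code' => '100', 'req_transaction_uuid' => 'tx-0001', 'payment_token' => 'TOKEN_PLACEHOLDER',
          'signed_field_names' => 'reason_code,req_transaction_uuid,payment_token,signed_field_names'];
$reply['signature'] = sa_sign($reply, SECRET_KEY);
var_dump(sa_verify_notification($reply, SECRET_KEY));
var_dump(sa_verify_notification(['payment_token' => 'OTHER'] + $reply, SECRET_KEY));
```

The first check returns the transaction identifier and token to store against the user; the second returns null because the altered payment_token no longer matches the signature.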

One more question that may arise: is it possible to use Secure Acceptance without web forms? Say you have a huge number of users, and every month they have to pay a certain amount. We will not make them constantly go to the site, open and fill out a payment form. This process needs to be automated somehow. I tried to do this using cURL and Silent Order POST. The support service wrote that they did not guarantee the correct operation of such a combination. But the result was positive and requests are sent normally. Just do not forget to check the result of the curl_exec() function to make sure that the transaction has been authorized and to report a message in case of failure. However, I would not recommend using cURL for such purposes. Although it works, it is not as convenient as the CyberSource API.

My example, which you can download here, works with a test version of the account. When switching to production, you must:

  1. Register in the system (create a working account instead of a test one)
  2. Register the new profile parameters in the classes
  3. Change addresses for sending forms (change endpoints)

You can find a list of required form fields, endpoints and all additional information in the official documentation of Secure Acceptance Web / Mobile and Secure Acceptance Silent Order POST.