Credit Card Processing
Gail “Montreal” Shoffey Keeler
August 14, 2007
About Me
Contractor with TEKsystems
Current project: Reliant Energy
Working with ColdFusion over 4 years
Credit Card Processing
What are the first items that come to mind when you think of credit card processing?
Security
Connectivity
Components
What You Will Leave With
3 key points you will leave with after the meeting
An understanding of the Payment Card Industry Data Security Standard (PCI DSS)
An example of a credit card merchant's Application Programming Interface (API)
An example of credit card components
How these skills will help in the future
Process credit cards in real time
Store credit card information within PCI compliance
Create your own final step in a shopping cart
Focus
• What is PCI compliance?
PCI Compliance
Secure your business
• Intellectual and Web property
• Credit card data/account information protected
• Transaction information locked
Store data in inaccessible areas
• From locks to scanning devices
Payment Card Industry (PCI)
PCI History
5 major credit card brands:
Visa
MasterCard
American Express
DiscoverCard
JCB International
PCI Security Council founded in June 2005
Replaced the overlapping, brand-specific requirements of the competing card brands
Single standard for protecting credit card data
Based on the ISO 17799 information security standard
There are 12 main requirements
PCI Controls 1 of 2
Build and Maintain a Secure Network
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
PCI Controls 2 of 2
Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy
Maintain a policy that addresses information security
Focus
• What is PCI compliance?
• Why use APIs?
Application Programming Interface
An Application Programming Interface (API) consists of several sets of related methods or functions that specify how two different computers can communicate
Platform independent
Facilitates subsequent developers who may need to tap into new services
Using the API offers greater advantages for your organization's business needs
API Advantages
Flexibility—with an API, you can take advantage of any CyberSource service available with the package you purchase (tax and line item detail, for example)
Scalability—an API implementation is best if your business volume warrants a high level of order processing automation
Control and Customization—create your own customized order page and receipt to give you more control over your customer's buying experience
Stability—have your server communicate directly to ours for greater stability than with a Web browser
Security Control—you or your hosting provider control security with an SSL secure server
Data Access—store order or customer data before sending it to CyberSource
Fulfillment—share order data with a fulfillment house or internal department
Easy Order Management—use the online Business Center to review and manage all of your orders from any computer with Internet access
CyberSource API Choices
[Table: API languages ASP/COM, C, Java, .NET, PHP and Perl against the platforms Linux, Solaris and Windows; the support matrix (the X marks) did not survive extraction]
General API Documentation
Java API Documentation
Focus
• What is PCI compliance?
• Why use APIs?
• Where's the code?
The Process
Load the configuration → Create properties object → Create credit card object → Combine into a transaction object → Process the results
Load the Configuration
<merchantID>your merchant ID</merchantID>
<keysDirectory>C:\CFUGMD\secure\certificate</keysDirectory>
<sendToProduction>false</sendToProduction>
<targetAPIVersion>1.26</targetAPIVersion>
<keyFilename>CFUGMDkey.p12</keyFilename>
<namespaceURI>urn:schemas-cybersource-com:transactiondata-1.26</namespaceURI>
<enableLog>true</enableLog>
<logDirectory>C:\CFUGMD\secure\log</logDirectory>
<logFilename>cybs.log</logFilename>
<logMaximumSize>10</logMaximumSize>
<timeout>130</timeout>
<useHttpClient>false</useHttpClient>
Parse the Properties
// init CyberSource params
csMerchantID = this.getSettingsParam("merchantID");
csKeysDirectory = this.getSettingsParam("keysDirectory");
csSendToProduction = this.getSettingsParam("sendToProduction");
csTargetAPIVersion = this.getSettingsParam("targetAPIVersion");
csKeyFilename = this.getSettingsParam("keyFilename");
csServerURL = this.getSettingsParam("serverURL");
csNamespaceURI = this.getSettingsParam("namespaceURI");
csEnableLog = this.getSettingsParam("enableLog");
csLogDirectory = this.getSettingsParam("logDirectory");
csLogFilename = this.getSettingsParam("logFilename");
csLogMaximumSize = this.getSettingsParam("logMaximumSize");
csTimeout = this.getSettingsParam("timeout");
csUseHttpClient = this.getSettingsParam("useHttpClient");
Add Merchant-Specific Values
// CyberSource-specific values for credit cards
csCreditCardType = arguments.creditCard.getCcType();
switch(csCreditCardType){
    case "VISA":
        csCreditCardValue = '001';
        break;
    case "MASTERCARD":
        csCreditCardValue = '002';
        break;
    case "AMEX":
        csCreditCardValue = '003';
        break;
    case "DISCOVER":
        csCreditCardValue = '004';
        break;
    case "JCB":
        csCreditCardValue = '007';
        break;
    default:
        csCreditCardValue = '';
}
Create Properties Object
// create csProps - Properties object and init object constructor
csProps = createObject("Java","java.util.Properties");
csProps.put("merchantID",csMerchantID);
csProps.put("keysDirectory",csKeysDirectory);
csProps.put("sendToProduction",csSendToProduction);
csProps.put("targetAPIVersion",csTargetAPIVersion);
csProps.put("keyFilename",csKeyFilename);
csProps.put("namespaceURI",csNamespaceURI);
csProps.put("enableLog",csEnableLog);
csProps.put("logDirectory",csLogDirectory);
csProps.put("logFilename",csLogFilename);
csProps.put("logMaximumSize",csLogMaximumSize);
csProps.put("timeout",csTimeout);
csProps.put("useHttpClient",csUseHttpClient);
Create Credit Card Object
// create csRequest - HashMap object
csRequest = createObject("Java","java.util.HashMap");
csRequest.put("billTo_city",arguments.creditCard.getCcCity());
csRequest.put("billTo_country",arguments.creditCard.getCcCountry());
csRequest.put("billTo_customerID",1); // optional; useful for Level 2 data
csRequest.put("billTo_email",arguments.creditCard.getCcEmail());
csRequest.put("billTo_firstName",arguments.creditCard.getCcFirstName());
csRequest.put("billTo_lastName",arguments.creditCard.getCcLastName());
csRequest.put("billTo_postalCode",arguments.creditCard.getCcZip());
csRequest.put("billTo_state",arguments.creditCard.getCcStateProvince());
csRequest.put("billTo_street1",arguments.creditCard.getCcAddress1());
csRequest.put("billTo_street2",arguments.creditCard.getCcAddress2());
csRequest.put("card_accountNumber",arguments.creditCard.getCcNumber());
csRequest.put("card_cardType",csCreditCardValue);
csRequest.put("card_cvIndicator","1"); // 0, 1, 2, 9
csRequest.put("card_cvNumber",arguments.creditCard.getCvvCode());
csRequest.put("card_expirationMonth",arguments.creditCard.getCcExpMonth());
csRequest.put("card_expirationYear",arguments.creditCard.getCcExpYear());
csRequest.put("ccAuthService_commerceIndicator","internet"); // internet (default): eCommerce transaction.
csRequest.put("ccAuthService_run","true");
csRequest.put("ccCaptureService_run","true");
csRequest.put("comments","Payment made via EFT Module");
csRequest.put("item_0_unitPrice",csAmount); // NOTE: sends the order total as a single line item; loop over the purchased items to send each one
csRequest.put("merchantID",csMerchantID);
csRequest.put("merchantReferenceCode",cookieFacade.getValue("jsessionid"));
csRequest.put("purchaseTotals_currency","USD");
Combine Objects in Transaction
// CREDIT CARD AUTHORIZATION AND CAPTURE REQUEST
// runTransaction() returns the reply map, so no separate HashMap needs to be created first
csReply = createObject("Java","com.cybersource.ws.client.Client").runTransaction(csRequest,csProps);
Code response
<!--- check to see if response was error or denied --->
<cfif StructFind(csReply, "decision") IS 'ACCEPT'>
    <cfset eftResponse = structNew() />
    <cfset eftResponse.transactionReference = StructFind(csReply, "requestID") />
    <cfset eftResponse.transactionToken = StructFind(csReply, "requestToken") />
    <cfset eftResponse.amountCharged = StructFind(csReply, "ccCaptureReply_amount") />
    <cfset eftResponse.cardholderName = arguments.creditCard.getCardholderName() />
    <cfset eftResponse.creditCardType = arguments.creditCard.getCcType() />
    <cfreturn eftResponse />
<cfelse>
    <!--- init errors: hand the decision and reason code back so the caller can act on a decline --->
    <cfset eftResponse = structNew() />
    <cfset eftResponse.decision = StructFind(csReply, "decision") />
    <cfset eftResponse.reasonCode = StructFind(csReply, "reasonCode") />
    <cfreturn eftResponse />
</cfif>
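The request and response steps above, as an added example that is not code from the deck or from CyberSource: Python is used so the flow can be run and checked offline. It assumes the card is a plain dict, copies the request and reply field names from the slides, and uses constructed sample replies (the reasonCode values and request identifiers are placeholders, not captured CyberSource output). It goes one step beyond the slide's ACCEPT branch by treating every other decision as a failure and by guarding that the record handed back never carries the account number or security code.

```python
"""Added example (not from the original deck): build the csRequest map and
process csReply, keeping card data out of the record that gets stored."""

# Card-type codes exactly as in the deck's switch statement.
CARD_TYPE_CODES = {"VISA": "001", "MASTERCARD": "002", "AMEX": "003",
                   "DISCOVER": "004", "JCB": "007"}

# Constructed sample input (4111 1111 1111 1111 is the standard Visa test PAN).
SAMPLE_CARD = {
    "type": "VISA", "number": "4111111111111111", "cvvCode": "123",
    "expMonth": "12", "expYear": "2009",
    "firstName": "Pat", "lastName": "Example", "email": "pat@example.com",
    "address1": "1 Main St", "city": "Baltimore", "stateProvince": "MD",
    "zip": "21201", "country": "US",
}

# Constructed replies in the shape the deck reads from csReply (placeholder values).
ACCEPT_REPLY = {"decision": "ACCEPT", "reasonCode": "100",
                "requestID": "REQ-EXAMPLE-1", "requestToken": "TOKEN-EXAMPLE-1",
                "ccCaptureReply_amount": "19.99"}
REJECT_REPLY = {"decision": "REJECT", "reasonCode": "EXAMPLE-REJECT-CODE"}


def build_request(card, amount, merchant_id, reference_code):
    """Build the authorization-and-capture request (the deck's csRequest map).
    The card type code comes from the same mapping as the slide's switch."""
    card_type = CARD_TYPE_CODES.get(card["type"].upper())
    if card_type is None:
        raise ValueError("unsupported card type: %s" % card["type"])
    return {
        "billTo_firstName": card["firstName"],
        "billTo_lastName": card["lastName"],
        "billTo_street1": card["address1"],
        "billTo_city": card["city"],
        "billTo_state": card["stateProvince"],
        "billTo_postalCode": card["zip"],
        "billTo_country": card["country"],
        "billTo_email": card["email"],
        "card_accountNumber": card["number"],
        "card_cardType": card_type,
        "card_cvIndicator": "1",          # 1 = security code is present
        "card_cvNumber": card["cvvCode"],
        "card_expirationMonth": card["expMonth"],
        "card_expirationYear": card["expYear"],
        "ccAuthService_commerceIndicator": "internet",
        "ccAuthService_run": "true",
        "ccCaptureService_run": "true",
        "merchantID": merchant_id,
        "merchantReferenceCode": reference_code,
        "purchaseTotals_currency": "USD",
        "item_0_unitPrice": "%.2f" % amount,   # order total as one line item, as on the slide
    }


def assert_no_card_data(record, request):
    """Guard: whatever is stored or logged must not carry the PAN or the CVV."""
    secrets = {request["card_accountNumber"], request["card_cvNumber"]}
    for value in record.values():
        if isinstance(value, str) and value in secrets:
            raise ValueError("card data leaked into the stored record")


def process_reply(request, reply):
    """The deck's 'Code response' step. Only ACCEPT is a success; any other
    decision is returned as a failure together with the reply's reasonCode."""
    response = {
        "accepted": reply.get("decision") == "ACCEPT",
        "decision": reply.get("decision"),
        "reasonCode": reply.get("reasonCode"),
        "cardLastFour": request["card_accountNumber"][-4:],  # last four only
        "creditCardType": request["card_cardType"],
    }
    if response["accepted"]:
        response["transactionReference"] = reply["requestID"]
        response["transactionToken"] = reply["requestToken"]
        response["amountCharged"] = reply["ccCaptureReply_amount"]
    assert_no_card_data(response, request)
    return response


if __name__ == "__main__":
    req = build_request(SAMPLE_CARD, 19.99, "MERCHANT-ID-PLACEHOLDER", "order-0001")
    print(process_reply(req, ACCEPT_REPLY))
    print(process_reply(req, REJECT_REPLY))
```

The slide uses the visitor's jsessionid as merchantReferenceCode; that works as a reference, but it is also the session's authentication token and will then appear in CyberSource logs and reports, so a generated order number (as in the sample call) is the better choice.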
Credit Card Components
Credit Card (base component)
  properties: type, number, expMonth, expYear, cvvCode, firstName, middleName, lastName, address1, address2, city, stateProvince, zip, phone, email
  methods: init(), getters/setters(), expirationDate()
Visa extends Credit Card
  init(), validate()
MasterCard extends Credit Card
  type
  init(), validate()
Discover extends Credit Card
  init(), validate()
American Express extends Credit Card
  init(), validate()
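The component hierarchy above, as an added example that is not the deck's own components: a Python rendering of the base Credit Card with a brand subclass per card type, each carrying the CyberSource code from the switch statement earlier in the deck. The deck does not show what validate() does, so the body here is an assumption: a Luhn check plus the widely published prefix, length and security-code-length rules for each brand, and an expiry check against expirationDate(). The masked number and safe_record() are added to show which fields are safe to keep or log; the test numbers are the standard published test PANs, not real cards.

```python
"""Added example (not from the original deck): credit card components with
validate(), expirationDate() and a storage-safe view of the card."""
import datetime


def luhn_ok(digits):
    """Luhn (mod 10) check; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CreditCard:
    brand = "UNKNOWN"
    code = ""                 # CyberSource card type code from the deck's switch
    prefixes = ()             # brand rules below are assumptions for this example
    lengths = ()
    cvv_length = 3

    def __init__(self, number, exp_month, exp_year, cvv_code,
                 first_name="", last_name="", email=""):
        self.number = "".join(ch for ch in str(number) if ch.isdigit())
        self.exp_month, self.exp_year = int(exp_month), int(exp_year)
        self.cvv_code = str(cvv_code)
        self.first_name, self.last_name, self.email = first_name, last_name, email

    def expiration_date(self):
        """Cards are valid through the last day of the expiry month."""
        if self.exp_month == 12:
            first_of_next = datetime.date(self.exp_year + 1, 1, 1)
        else:
            first_of_next = datetime.date(self.exp_year, self.exp_month + 1, 1)
        return first_of_next - datetime.timedelta(days=1)

    def validate(self, today=None):
        """Return a list of problems; an empty list means the card is acceptable."""
        problems = []
        if not self.number or not luhn_ok(self.number):
            problems.append("number fails Luhn check")
        if len(self.number) not in self.lengths:
            problems.append("wrong length for %s" % self.brand)
        if not self.number.startswith(self.prefixes):
            problems.append("prefix does not match %s" % self.brand)
        if not (self.cvv_code.isdigit() and len(self.cvv_code) == self.cvv_length):
            problems.append("security code must be %d digits" % self.cvv_length)
        today = today or datetime.date.today()
        if today > self.expiration_date():
            problems.append("card is expired")
        return problems

    def masked_number(self):
        """All but the last four digits hidden: safe for receipts and logs."""
        return "*" * (len(self.number) - 4) + self.number[-4:]

    def safe_record(self):
        """The subset that may be kept after authorization: no PAN, no CVV."""
        return {"type": self.brand, "code": self.code,
                "maskedNumber": self.masked_number(),
                "expMonth": self.exp_month, "expYear": self.exp_year,
                "firstName": self.first_name, "lastName": self.last_name}


class Visa(CreditCard):
    brand, code, prefixes, lengths = "VISA", "001", ("4",), (13, 16)


class MasterCard(CreditCard):
    brand, code, prefixes, lengths = "MASTERCARD", "002", ("51", "52", "53", "54", "55"), (16,)


class AmericanExpress(CreditCard):
    brand, code, prefixes, lengths, cvv_length = "AMEX", "003", ("34", "37"), (15,), 4


class Discover(CreditCard):
    brand, code, prefixes, lengths = "DISCOVER", "004", ("6011", "65"), (16,)


BRANDS = (Visa, MasterCard, AmericanExpress, Discover)


def detect_brand(number):
    """Pick the subclass whose prefix and length rules match, or None."""
    digits = "".join(ch for ch in str(number) if ch.isdigit())
    for cls in BRANDS:
        if digits.startswith(cls.prefixes) and len(digits) in cls.lengths:
            return cls
    return None


if __name__ == "__main__":
    card = Visa("4111 1111 1111 1111", 12, 2009, "123", "Pat", "Example")
    print(card.validate(today=datetime.date(2007, 8, 14)), card.safe_record())
```

validate() returns every problem it finds rather than stopping at the first one, so the checkout page can report all of them to the customer at once, and safe_record() is the only view of the object that should ever reach a database or a log file.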
Your Questions & Comments
Key Learning Objectives
Security, compliance and the law
APIs are the best connectivity
Use components
BLOGS
Montreal
http://www.montrealoncf.org
Special Thanks Go To
Phill Nacelli
http://www.phillnacelli.net
Scott Stroz
http://www.boyzoid.com