Credit Card Processing Gail “Montreal” Shoffey Keeler August 14, 2007.


About Me

Contractor with TEKsystems

Current project: Reliant Energy

Working with ColdFusion over 4 years

Credit Card Processing

What are the first items that come to mind when you think of credit card processing?

Security

Connectivity

Components

What You Will Leave With

3 key points you will leave with after the meeting:

An understanding of Payment Card Industry Data Security Standard (PCI DSS)

An example of a credit card merchant’s Application Programming Interface (API)

An example of credit card components

How these skills will help in the future:

Process credit cards in real time

Store credit card information within PCI compliance

Create your own final step in a shopping cart

Focus

What is PCI compliance?

PCI Compliance

Secure your business
• Intellectual and Web property
• Credit card data/account information protected
• Transaction information locked

Store data in inaccessible areas
• From locks to scanning devices

Payment Card Industry (PCI)

PCI History

5 major credit card brands:

Visa

MasterCard

American Express

DiscoverCard

JCB International

PCI Security Council founded in June 2005

Competitor brand-specific requirements intersecting

Single standard for protecting credit card data

Based on ISO 17799 information security standard

There are 12 main requirements

PCI Controls 1 of 2

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

PCI Controls 2 of 2

Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an Information Security Policy

Maintain a policy that addresses information security

Focus

What is PCI compliance?

Why use APIs?

Application Programming Interface

The Application Programming Interface (API) consists of several sets of related methods or functions that specify how two different computers can communicate

Platform independent

Facilitates subsequent developers who may need to tap into new services

Using the API offers greater advantages for your organization’s business needs

API Advantages

General API Documentation

Java API Documentation

Focus

What is PCI compliance?

Why use APIs?

Where’s the code?

The Process

Load the configuration

Create properties object

Create credit card object

Process the results

Combine into a transaction object

Load the Configuration

<merchantID>your merchant ID</merchantID>
<keysDirectory>C:\CFUGMD\secure\certificate</keysDirectory>
<sendToProduction>false</sendToProduction>
<targetAPIVersion>1.26</targetAPIVersion>
<keyFilename>CFUGMDkey.p12</keyFilename>
<namespaceURI>urn:schemas-cybersource-com:transaction-data-1.26</namespaceURI>
<enableLog>true</enableLog>
<logDirectory>C:\CFUGMD\secure\log</logDirectory>
<logFilename>cybs.log</logFilename>
<logMaximumSize>10</logMaximumSize>
<timeout>130</timeout>
<useHttpClient>false</useHttpClient>

Parse the Properties

// init CyberSource params
csMerchantID = this.getSettingsParam("merchantID");
csKeysDirectory = this.getSettingsParam("keysDirectory");
csSendToProduction = this.getSettingsParam("sendToProduction");
csTargetAPIVersion = this.getSettingsParam("targetAPIVersion");
csKeyFilename = this.getSettingsParam("keyFilename");
csServerURL = this.getSettingsParam("serverURL");
csNamespaceURI = this.getSettingsParam("namespaceURI");
csEnableLog = this.getSettingsParam("enableLog");
csLogDirectory = this.getSettingsParam("logDirectory");
csLogFilename = this.getSettingsParam("logFilename");
csLogMaximumSize = this.getSettingsParam("logMaximumSize");
csTimeout = this.getSettingsParam("timeout");
csUseHttpClient = this.getSettingsParam("useHttpClient");

Add Merchant-Specific Values

// CyberSource-specific values for credit cards
csCreditCardType = arguments.creditCard.getCcType();

switch(csCreditCardType){
    case "VISA":
        csCreditCardValue = '001';
        break;
    case "MASTERCARD":
        csCreditCardValue = '002';
        break;
    case "AMEX":
        csCreditCardValue = '003';
        break;
    case "DISCOVER":
        csCreditCardValue = '004';
        break;
    case "JCB":
        csCreditCardValue = '007';
        break;
    default:
        csCreditCardValue = '';
}

Create Properties Object

// create csProps - Properties object and init object constructor
csProps = createObject("Java","java.util.Properties");
csProps.put("merchantID",csMerchantID);
csProps.put("keysDirectory",csKeysDirectory);
csProps.put("sendToProduction",csSendToProduction);
csProps.put("targetAPIVersion",csTargetAPIVersion);
csProps.put("keyFilename",csKeyFilename);
csProps.put("namespaceURI",csNamespaceURI);
csProps.put("enableLog",csEnableLog);
csProps.put("logDirectory",csLogDirectory);
csProps.put("logFilename",csLogFilename);
csProps.put("logMaximumSize",csLogMaximumSize);
csProps.put("timeout",csTimeout);
csProps.put("useHttpClient",csUseHttpClient);

Create Credit Card Object

// create csRequest - HashMap object
csRequest = createObject("Java","java.util.HashMap");
csRequest.put("billTo_city",arguments.creditCard.getCcCity());
csRequest.put("billTo_country",arguments.creditCard.getCcCountry());
csRequest.put("billTo_customerID",1); // optional good for level 2
csRequest.put("billTo_email",arguments.creditCard.getCcEmail());
csRequest.put("billTo_firstName",arguments.creditCard.getCcFirstName());
csRequest.put("billTo_lastName",arguments.creditCard.getCcLastName());
csRequest.put("billTo_postalCode",arguments.creditCard.getCcZip());
csRequest.put("billTo_state",arguments.creditCard.getCcStateProvince());
csRequest.put("billTo_street1",arguments.creditCard.getCcAddress1());
csRequest.put("billTo_street2",arguments.creditCard.getCcAddress2());
csRequest.put("card_accountNumber",arguments.creditCard.getCcNumber());
csRequest.put("card_cardType",csCreditCardValue);
csRequest.put("card_cvIndicator","1"); // 0, 1, 2, 9
csRequest.put("card_cvNumber",arguments.creditCard.getCvvCode());
csRequest.put("card_expirationMonth",arguments.creditCard.getCcExpMonth());
csRequest.put("card_expirationYear",arguments.creditCard.getCcExpYear());
csRequest.put("ccAuthService_commerceIndicator","internet"); // internet (default): eCommerce transaction.
csRequest.put("ccAuthService_run","true");
csRequest.put("ccCaptureService_run","true");
csRequest.put("comments","Payment made via EFT Module");
csRequest.put("item_0_unitPrice",csAmount); // loop to check the items purchased note: this is the total
csRequest.put("merchantID",csMerchantID);
csRequest.put("merchantReferenceCode",cookieFacade.getValue("jsessionid"));
csRequest.put("purchaseTotals_currency","USD");
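
The request map above holds the full card number, the CVV and, as merchantReferenceCode, the session ID, so any copy the application keeps for its own logs or order records needs to be reduced first. The following CFScript is an added example, not code from the original deck: it drops the CVV, expiry and session-derived reference and masks the card number to the first six and last four digits. It assumes the fields are in a ColdFusion struct keyed as on the slide; maskPan and scrubCardRequest are hypothetical helper names and the sample values are constructed.

```cfml
<cfscript>
// Added example, not from the original deck; helper names are hypothetical.

// Keep at most the first six and last four digits of a card number.
function maskPan(pan) {
    var digits = reReplace(arguments.pan, "[^0-9]", "", "all");
    var n = len(digits);
    if (n LT 13) {
        // Too short to be a card number: reveal nothing, not even the length.
        return "****";
    }
    return left(digits, 6) & repeatString("*", n - 10) & right(digits, 4);
}

// Return a copy of the request that is safe for application logs or an
// order record. Field names are the ones put into csRequest on the slide.
function scrubCardRequest(req) {
    var safe = structNew();
    var key = "";
    // CVV must not be kept after authorization; expiry is not needed in a
    // log entry; merchantReferenceCode is the session ID on the slide.
    var dropKeys = "card_cvNumber,card_expirationMonth,card_expirationYear,merchantReferenceCode";
    for (key in arguments.req) {
        if (listFindNoCase(dropKeys, key) EQ 0) {
            if (key EQ "card_accountNumber") {
                safe[key] = maskPan(arguments.req[key]);
            } else {
                safe[key] = arguments.req[key];
            }
        }
    }
    return safe;
}

// Constructed sample input (4111111111111111 is a widely used test number).
sample = structNew();
sample["card_accountNumber"] = "4111 1111 1111 1111";
sample["card_cvNumber"] = "123";
sample["card_expirationMonth"] = "12";
sample["merchantReferenceCode"] = "CONSTRUCTED-SESSION-ID";
sample["billTo_lastName"] = "Doe";
safeCopy = scrubCardRequest(sample);
writeOutput(structKeyList(safeCopy));
</cfscript>
```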

Combine Objects in Transaction

// CREDIT CARD AUTHORIZATION AND CAPTURE REQUEST
csReply = createObject("Java","java.util.HashMap");
csReply = createObject("Java","com.cybersource.ws.client.Client").runTransaction(csRequest,csProps);

Code response

<!--- check to see if response was error or denied --->
<cfif StructFind(csReply, "decision") IS 'ACCEPT'>
    <cfset eftResponse = structNew() />
    <cfset eftResponse.transactionReference = StructFind(csReply, "requestID") />
    <cfset eftResponse.transactionToken = StructFind(csReply, "requestToken") />
    <cfset eftResponse.amountCharged = StructFind(csReply, "ccCaptureReply_amount") />
    <cfset eftResponse.cardholderName = arguments.creditCard.getCardholderName() />
    <cfset eftResponse.creditCardType = arguments.creditCard.getCcType() />
    <cfreturn eftResponse />
<cfelse>
    <!--- init errors --->
</cfif>
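
The check above branches only on decision. The CFScript below is an added example, not code from the original deck, showing one way to make the result fail closed: a reply without a decision, any decision other than ACCEPT, or a captured amount that differs from the amount requested is treated as not charged, and the customer sees only a generic message. evaluateReply is a hypothetical helper, the reply is assumed to be struct-like with the keys read on the slide, reasonCode is an assumed reply field, and the sample replies are constructed.

```cfml
<cfscript>
// Added example, not from the original deck; evaluateReply is hypothetical.
// reply: struct-like reply with the keys read on the slide.
// expectedAmount: the amount that was put into the request.
function evaluateReply(reply, expectedAmount) {
    var result = structNew();
    var decision = "";
    // Fail closed: the order counts as unpaid until every check passes.
    result.charged = false;
    result.status = "NO_DECISION";
    result.reasonCode = "";
    result.userMessage = "Your payment could not be processed.";

    if (NOT structKeyExists(arguments.reply, "decision")) {
        return result;
    }
    decision = uCase(trim(arguments.reply["decision"]));
    result.status = decision;
    // Assumed field: kept for the server-side log only, never shown to the user.
    if (structKeyExists(arguments.reply, "reasonCode")) {
        result.reasonCode = arguments.reply["reasonCode"];
    }
    if (decision NEQ "ACCEPT") {
        return result;
    }
    // ACCEPT must come with a captured amount equal to what was requested.
    if (NOT structKeyExists(arguments.reply, "ccCaptureReply_amount")
        OR NOT isNumeric(arguments.reply["ccCaptureReply_amount"])
        OR abs(arguments.reply["ccCaptureReply_amount"] - arguments.expectedAmount) GTE 0.005) {
        result.status = "AMOUNT_MISMATCH";
        return result;
    }
    result.charged = true;
    result.userMessage = "Payment accepted.";
    return result;
}

// Constructed sample replies.
ok = structNew();
ok["decision"] = "ACCEPT";
ok["ccCaptureReply_amount"] = "25.00";
under = structNew();
under["decision"] = "ACCEPT";
under["ccCaptureReply_amount"] = "2.50";
writeOutput(evaluateReply(ok, 25).charged & " " & evaluateReply(under, 25).status);
</cfscript>
```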

Credit Card Components

type

Your Questions & Comments

Key Learning Objectives

Security, compliance and the law

APIs are the best connectivity

Use components

BLOGS

Phill Nacelli

http://www.phillnacelli.net

Scott Stroz

http://www.boyzoid.com

Special Thanks Go To

Montreal

http://www.montrealoncf.org