On This Page

Accept Card Information

This section covers the implementation steps needed to complete the server-side and client-side setup for accepting card information with
Microform Integration
.
Implementing
Microform Integration
 is a three-step process:
This figure shows the flow for implementing
Microform Integration
:

Figure:

Microform Integration
 Implementation Workflow

Server-Side Setup

This section contains the information you need to set up your server. Initializing
Microform Integration
 within your webpage begins with a server-to-server call to the sessions API. This step authenticates your merchant credentials and establishes how the
Microform Integration
 frontend components will function. The sessions API request contains parameters that define how
Microform Integration
 performs.
The server-side component provides this information:
  • A transaction-specific public key is used by the customer's browser to protect the transaction.
  • An authenticated context description package that manages the payment experience on the client side. It includes available payment options such as card networks, payment interface styling, and payment methods.
The functions are compiled in a JSON Web Token (JWT) object referred to as the
capture context
. For information JSON Web Tokens, see JSON Web Tokens.

Capture Context

The capture context request is a signed JSON Web Token (JWT) that includes all of the merchant-specific parameters. This request tells the front-end JavaScript library how to behave within your payment experience. The request provides authentication, one-time keys, the target origin to the
Microform Integration
, in addition to allowed card networks and payment types (card or check). The capture context request includes these elements:
  • allowedCardNetworks
  • allowedPaymentTypes
  • clientVersion
  • targetOrigins
  • transientTokenResponseOptions.includeCardPrefix
For information about JWTs, see JSON Web Tokens.
Target Origin
The target origin is defined by the scheme (protocol), host name (domain), and port number (if used).
You must use the https:// protocol. Sub-domains must also be included in the target origin.
Any valid top-level domain is supported, such as .com, .co.uk, and.gov.br. Wildcards are not supported.
For example, if you are launching
Unified Checkout
 on example.com, the target origin could be any of these values:
You can define the payment cards and digital payments that you want to accept in the capture context.
Allowed Card Networks
Use the
allowedCardNetworks
 field to define the card types.
These card networks are available for card entry:
  • American Express
  • Cartes Bancaires
  • Carnet
  • China UnionPay
  • Diners Club
  • Discover
  • EFTPOS
  • ELO
  • JCB
  • JCrew
  • Mada
  • Maestro
  • Mastercard
  • Meeza
  • Visa
When you integrate with
Microform Integration
 to accept card or
eCheck
 information, you must include at least one card network in the
allowedCardNetworks
 field in the capture context request.
Allowed Payment Types
You can specify the type of
Microform Integration
 you want to accept in the capture context. You can accept card and
eCheck
 information.
Use the
allowedPaymentTypes
 field to define the payment type. Possible values:
  • CARD
  • CHECK
The
allowedPaymentTypes
 field is optional. When this field is provided in the capture context, the
Microform Integration
 defaults the field value to
CARD
 and is returned in the response.
Include Card Prefix
You can control the length of the card number prefix to be received in the response to the capture context (
/sessions
) request:
  • 6 digits
  • 8 digits
  • no prefix at all
To specify your preferred card number prefix length, include or exclude the
transientTokenResponseOptions.includeCardPrefix
 field in the capture context (
/sessions
) request.
If you want to receive a 6-digit card number prefix in the response
  • Do not
     include the
    transientTokenResponseOptions.includeCardPrefix
     field in the capture context (
    /sessions
    ) request.
  • This example shows how a 6-digit card number prefix
    411111
     is returned in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111”,
"bin" : "411111"
If you want to receive an 8-digit card number prefix in the response
  • Include the
    transientTokenResponseOptions.includeCardPrefix
     field in the capture context request, and set the value to
    true
    .
    IMPORTANT
    Per PCI DSS requirements, this requirement applies only to card numbers longer than 15 digits and for Discover, JCB, Mastercard, UnionPay, and Visa brands.
    • If the card type entered is not part of these brands, a 6-digit card number prefix is returned instead.
    • If the card type entered is not part of these brands but is
      co-branded
       with these brands, an 8-digit card number prefix is returned.
  • This example shows how an 8-digit card prefix
    41111102
     is returned in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111”,
"prefix" : "41111102"
If you do not want to receive a card number prefix in the response
  • Include the
    transientTokenResponseOptions.includeCardPrefix
     field in the capture context request, and set the value to
    false
    .
  • This example shows how a card number is returned without a card number prefix in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111"
Best practice:
If your application does not require card number prefix information for routing or identification purposes,
Cybersource
 recommends that you include the
transientTokenResponseOptions.includeCardPrefix
 field in the capture context request and set its value to
false
. Doing so limits the exposure of payment data to only what is necessary for your processing needs.
For more information about PCI DSS, see
Frequently Asked Questions
 on the PCI Security Standards Council site.

Creating the Server-Side Capture Context

The first step in integrating with
Microform Integration
 is to develop the server-side code that generates the capture context. The capture context is also known as a
session
.
You can use the SDK or call the API directly to generate the capture context.
To use the SDK to generate the capture context, use the sample code here: Flex Samples on Github.
Follow these steps to call the API directly to generate the capture context:
  1. Send an authenticated POST request to the
    /sessions
     endpoint to create your capture context session:
    • Production
      :
      https://api.cybersource.com
      /microform/v2/sessions
    • Test
      :
      https://apitest.cybersource.com
      /microform/v2/sessions
    Include the target origin URL and at least one accepted card type in the content of the body of the request. You must also include the type of
    Microform Integration
     you want to include in the capture context for accepting card information. If you do not include the
    allowedPaymentTypes
     field in your capture request, the value defaults to
    CARD
    .
    For example: 
    {
	"clientVersion": "v2",
	"targetOrigins": ["https://www.example.com"],
	"allowedCardNetworks": ["VISA"],
	"allowedPaymentTypes": ["CARD"]
}
    To embed the target origin URL within multiple nested iframes, you must specify the origins of all the browser contexts used. For example: 
    {
	"clientVersion": "v2",
	"targetOrigins": ["https://www.example.com", "https://www.basket.example.com", "https://ecom.example.com"],
	"allowedCardNetworks": ["VISA",
		"MASTERCARD",
		"AMEX",
		"CARTESBANCAIRES",
		"CARNET",
		"CUP",
		"DINERSCLUB",
		"DISCOVER",
		"EFTPOS",
		"ELO",
		"JCB",
		"JCREW",
		"MADA",
		"MAESTRO",
		"MEEZA"
	],
	"allowedPaymentTypes": ["CARD"]
}
  2. Pass the capture context response data object to your front-end application. The capture context is valid for 15 minutes.
    Successful Encrypted JWT Response
     
    eyJraWQiOiJqNCIsImFsZyI6IlJTMjU2In0.eyJmbHgiOnsicGF0aCI6Ii9mbGV4L3YyL3Rva2VucyIsImRhdGEiOiJ1Q0RERW94M2dDQk1VaHI2T1ZDVGt4QUFFS1pHSTRHcDFvQ2pyYXlVb1MxQzdGOXE2WFpyYXhGbGxMVDMvenE2cjFnNXoxS1U2UDZseldqRVFTVVJoZUtxUThoVWJkZVNNdmt5SERTTXUwV01tMzhcdTAwM2QiLCJvcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJ1c2UiOiJlbmMiLCJuIjoiMXNDY3NZNC1WZTNWU0VKekhnelJ5WjVDOURrM0VHZ2ZPOGd5SDc5bVJfSlN6NzdmWTdfV1loM3psdTkyTFVfeU5KVTBUMzdOQmVzd0szU2c0YnRNaU41Q0FCbWNXLWNSckhta2k0MVZoNUZRMmtjcWZSSlgxNVhZN1A3R25GTnd4QzVkUG9UM29NM1czRFVHaUMyYW56enhIN3pNNlA3N2hFbnc2TkZHSXlBdXhJRWFwRG9DaXlEVW5NdFRwV2lBV3YzTF9OVHZOaHRkVE4tNm1GRWU1RmdVYmlzeWtrTzlWMHZaS0d6SWRWWmdTdE42cHlnUGhVbnlNXzJIVmIxQmkyWjNKaElhZDFLUW02SGl0NklwYjNyUTBHRWZsN0ZWOUV3NGZyNzJpekQ0WVg2WHo0V3ZuMzlLN3J3WkhCRXdNM3l5Wl9ELTBUbjM1MFhvUlBUVjB3Iiwia2lkIjoiMDB4V1A1eUh1UE1kNkFkNHdwVzNzQkt1bWFaQ01zYWMifX0sImN0eCI6W3siZGF0YSI6eyJjbGllbnRMaWJyYXJ5SW50ZWdyaXR5Ijoic2hhMjU2LXZkWWkxaDV1ZTNwcm5iVC8xYThJSkxlUkNrSGVqSHBkRGR3My95RkxaREFcdTAwM2QiLCJjbGllbnRMaWJyYXJ5IjoiaHR0cHM6Ly9zdGFnZWZsZXguY3liZXJzb3VyY2UuY29tL21pY3JvZm9ybS9idW5kbGUvdjIuNS4xL2ZsZXgtbWljcm9mb3JtLm1pbi5qcyIsImFsbG93ZWRDYXJkTmV0d29ya3MiOlsiVklTQSIsIk1BU1RFUkNBUkQiLCJBTUVYIiwiTUFFU1RSTyIsIkRJU0NPVkVSIiwiRElORVJTQ0xVQiIsIkpDQiIsIkNVUCIsIkNBUlRFU0JBTkNBSVJFUyJdLCJ0YXJnZXRPcmlnaW5zIjpbImh0dHBzOi8vdGhlLXVwLWRlbW8uYXBwc3BvdC5jb20iXSwibWZPcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJhbGxvd2VkUGF5bWVudFR5cGVzIjpbIkNBUkQiXX0sInR5cGUiOiJtZi0yLjEuMCJ9XSwiaXNzIjoiRmxleCBBUEkiLCJleHAiOjE3MzY0MzA0MTQsImlhdCI6MTczNjQyOTUxNCwianRpIjoiZDVZbzVhNU0wWFBPQ1BxZiJ9.G4Ea-gIk6SG5ULE4NE5OsdPI41YaAuTEMHDstBgkFzczIWwzJScvXs4hgWiyA-1ZLGITedlumGj-0x8jxmYTWeTm7D0fP8RL0w148EpDLMD8xMHpAJMdMqZTmYHyichsy8uOZKVOn9NbnuQqfDeQS_rLpJV3tMe2NwJL3RdBXdJ894ihKpFP2yXE1wQeLekNiYJ6s-Uuxwf0jf2CSN_TJAjnfVR6bqlpWbUpiUaBLcqDsHHe_pcrd5g2r-1LEfCiOV9RIw7844XKFNLQZvt_alQjItuMy8M9LVhnlRWCSnTKB1iV1RUxuTWtMzTvHmQWPx4nShqzE3j0Hp61c0PmBw

AFTER COMPLETING THE TASK

IMPORTANT
  • Ensure that all endpoints within your ownership are secure with some kind of authentication so they cannot be called at will by bad actors.
  • Do not pass the
    targetOrigin
     field in any external requests. Hard code it on the server side.
For more information on requesting the capture context, see Capture Context.

Validating the Server-Side Capture Context

The capture context that you generated is a JSON Web Token (JWT) data object. The JWT is digitally signed using a public key. The purpose is to ensure the validity of the JWT and confirm that it comes from
Cybersource
. When you do not have a key specified locally in the JWT header, you should follow best cryptography practices and validate the capture context signature.
To validate a JWT, you can obtain its public key. This public RSA key is in JSON Web Key (JWK) format. This public key is associated with the capture context on the
Cybersource
 domain.
To get the public key of a capture context from the header of the capture context itself, retrieve the key ID associated with the public key. Then, pass the key ID to the
public-keys
 endpoint.
Example
From the header of the capture context, get the key ID (
kid
) as shown in this example:
{
  
"kid": "3g"
,
  "alg": "RS256"
}
Append the key ID to the endpoint
/flex/v2/public-keys/
3g
. Then, call this endpoint to get the public key.
IMPORTANT
Depending on the cryptographic method you use to validate the public key, you might need to convert the key to privacy-enhanced mail (PEM) format.

Resource

Pass the key ID (kid), that you obtained from the capture context header, as a path parameter, and send a GET request to the
/public-keys
 endpoint:
  • Test:
    https://apitest.cybersource.com
    /flex/v2/public-keys/
    {kid}
  • Production:
    https://api.cybersource.com
    /flex/v2/public-keys/
    {kid}
The resource returns the public key. Use this public RSA key to validate the capture context.

Example

eyJraWQiOiJqNCIsImFsZyI6IlJTMjU2In0.eyJmbHgiOnsicGF0aCI6Ii9mbGV4L3YyL3Rva2VucyIsImRhdGEiOiJ1Q0RERW94M2dDQk1VaHI2T1ZDVGt4QUFFS1pHSTRHcDFvQ2pyYXlVb1MxQzdGOXE2WFpyYXhGbGxMVDMvenE2cjFnNXoxS1U2UDZseldqRVFTVVJoZUtxUThoVWJkZVNNdmt5SERTTXUwV01tMzhcdTAwM2QiLCJvcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJ1c2UiOiJlbmMiLCJuIjoiMXNDY3NZNC1WZTNWU0VKekhnelJ5WjVDOURrM0VHZ2ZPOGd5SDc5bVJfSlN6NzdmWTdfV1loM3psdTkyTFVfeU5KVTBUMzdOQmVzd0szU2c0YnRNaU41Q0FCbWNXLWNSckhta2k0MVZoNUZRMmtjcWZSSlgxNVhZN1A3R25GTnd4QzVkUG9UM29NM1czRFVHaUMyYW56enhIN3pNNlA3N2hFbnc2TkZHSXlBdXhJRWFwRG9DaXlEVW5NdFRwV2lBV3YzTF9OVHZOaHRkVE4tNm1GRWU1RmdVYmlzeWtrTzlWMHZaS0d6SWRWWmdTdE42cHlnUGhVbnlNXzJIVmIxQmkyWjNKaElhZDFLUW02SGl0NklwYjNyUTBHRWZsN0ZWOUV3NGZyNzJpekQ0WVg2WHo0V3ZuMzlLN3J3WkhCRXdNM3l5Wl9ELTBUbjM1MFhvUlBUVjB3Iiwia2lkIjoiMDB4V1A1eUh1UE1kNkFkNHdwVzNzQkt1bWFaQ01zYWMifX0sImN0eCI6W3siZGF0YSI6eyJjbGllbnRMaWJyYXJ5SW50ZWdyaXR5Ijoic2hhMjU2LXZkWWkxaDV1ZTNwcm5iVC8xYThJSkxlUkNrSGVqSHBkRGR3My95RkxaREFcdTAwM2QiLCJjbGllbnRMaWJyYXJ5IjoiaHR0cHM6Ly9zdGFnZWZsZXguY3liZXJzb3VyY2UuY29tL21pY3JvZm9ybS9idW5kbGUvdjIuNS4xL2ZsZXgtbWljcm9mb3JtLm1pbi5qcyIsImFsbG93ZWRDYXJkTmV0d29ya3MiOlsiVklTQSIsIk1BU1RFUkNBUkQiLCJBTUVYIiwiTUFFU1RSTyIsIkRJU0NPVkVSIiwiRElORVJTQ0xVQiIsIkpDQiIsIkNVUCIsIkNBUlRFU0JBTkNBSVJFUyJdLCJ0YXJnZXRPcmlnaW5zIjpbImh0dHBzOi8vdGhlLXVwLWRlbW8uYXBwc3BvdC5jb20iXSwibWZPcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJhbGxvd2VkUGF5bWVudFR5cGVzIjpbIkNBUkQiXX0sInR5cGUiOiJtZi0yLjEuMCJ9XSwiaXNzIjoiRmxleCBBUEkiLCJleHAiOjE3MzY0MzA0MTQsImlhdCI6MTczNjQyOTUxNCwianRpIjoiZDVZbzVhNU0wWFBPQ1BxZiJ9.G4Ea-gIk6SG5ULE4NE5OsdPI41YaAuTEMHDstBgkFzczIWwzJScvXs4hgWiyA-1ZLGITedlumGj-0x8jxmYTWeTm7D0fP8RL0w148EpDLMD8xMHpAJMdMqZTmYHyichsy8uOZKVOn9NbnuQqfDeQS_rLpJV3tMe2NwJL3RdBXdJ894ihKpFP2yXE1wQeLekNiYJ6s-Uuxwf0jf2CSN_TJAjnfVR6bqlpWbUpiUaBLcqDsHHe_pcrd5g2r-1LEfCiOV9RIw7844XKFNLQZvt_alQjItuMy8M9LVhnlRWCSnTKB1iV1RUxuTWtMzTvHmQWPx4nShqzE3j0Hp61c0PmBw
Base64 decode the capture context to get the key ID (
kid
) from its header: 
{
  
"kid": "3g"
,
  "alg": "RS256"
}
Get its public key from
/flex/v2/public-keys/3g
:
{
    "kty":"RSA",    
    "use":"enc",
    "kid":"3g",
    "n":"ir7Nl1Bj8G9rxr3co5v_JLkP3o9UxXZRX1LIZFZeckguEf7Gdt5kGFFfTsymKBesm3Pe
     8o1hwfkq7KmJZEZSuDbiJSZvFBZycK2pEeBjycahw9CqOweM7aKG2F_bhwVHrY4YdKsp
     _cSJe_ZMXFUqYmjk7D0p7clX6CmR1QgMl41Ajb7NHI23uOWL7PyfJQwP1X8HdunE6ZwK
     DNcavqxOW5VuW6nfsGvtygKQxjeHrI-gpyMXF0e_PeVpUIG0KVjmb5-em_Vd2SbyPNme
     nADGJGCmECYMgL5hEvnTuyAybwgVwuM9amyfFqIbRcrAIzclT4jQBeZFwkzZfQF7MgA6QQ",
     "e":"AQAB"
}

Client-Side Setup

You can integrate
Microform Integration
 with your native payment acceptance web page or mobile application.

Web Page

Initiate and embed
Microform Integration
 into your payment acceptance web page.
  1. Decode the JWT from the
    /microform/v2/sessions
     response to get the capture context.
  2. Use the
    clientLibrary
     and
    clientLibraryIntegrity
     values that are returned in the JWT from
    /microform/v2/sessions
     response to obtain the
    Microform Integration
     JavaScript library URL and integrity value that you use to create your script tags.
    IMPORTANT
    You must use these values for every transaction. These values can be unique for each transaction.
    IMPORTANT
    Do not hard code these values, because doing so can result in client-side
    Microform Integration
     errors. If you do not hard code these values for all transactions, you can load a JavaScript library that is incompatible with the version you requested in the
    /sessions
     request.
    Example
    /sessions
     Response:
    "data":{ "clientLibrary":"[EXTRACT clientLibrary VALUE from here]", "clientLibraryIntegrity": "[EXTRACT clientLibraryIntegrity VALUE from here]" }
    Example Script Tags
    <script src="[INSERT clientLibrary VALUE HERE]" integrity=”[INSERT clientLibraryIntegrity VALUE HERE]” crossorigin=”anonymous”> </script>
    Example Code for Loading the Script Dynamically Following JWT Extraction Tags
    // values read from capture context
const clientLibrary = " ";
const clientLibraryIntegrity = " ";
// create script tag
const script = document.createElement("script");
script.src = clientLibrary;
script.type = "text/javascript";
script.async = true;
script.integrity = clientLibraryIntegrity;
script.crossOrigin = "anonymous";
// run setup code after script has loaded successfully
script.onload = function () {
  // SETUP
};
// insert to document
document.head.appendChild(script);
  3. Create the HTML placeholder objects to attach to the microforms.
    Microform Integration
     attaches the microform fields to containers within your HTML. Within your HTML checkout, replace the payment card and CVN tag with a simple container.
    Microform Integration
     uses the container to render an iframe for secured credit card input. This example contains simple
    div
     tags to define where to place the PAN and CVN fields within the payment acceptance page:
    <div id="number-container" class="form-control"></div>
    .
    Example: Accept Card Information Checkout Form
    <h1>Checkout Page</h1>
<div id="errors-output" role="alert"></div>
<form action="/token" id="my-sample-form" method="post">
    <div class="form-group">
        <label for="cardholderName">Name</label>
        <input id="cardholderName" class="form-control" name="cardholderName" placeholder="Name on the card">
        <label id="cardNumber-label">Card Number</label>
        <div id="number-container" class="form-control"></div>
        <label for="securityCode-container">Security Code</label>
        <div id="securityCode-container" class="form-control"></div>
    </div>

    <div class="form-row">
        <div class="form-group col-md-6">
            <label for="expMonth">Expiry month</label>
            <select id="expMonth" class="form-control">
                <option>01</option>
                <option>02</option>
                <option>03</option>
                <option>04</option>
                <option>05</option>
                <option>06</option>
                <option>07</option>
                <option>08</option>
                <option>09</option>
                <option>10</option>
                <option>11</option>
                <option>12</option>
            </select>
        </div>
        <div class="form-group col-md-6">
            <label for="expYear">Expiry year</label>
            <select id="expYear" class="form-control">
                <option>2021</option>
                <option>2022</option>
                <option>2023</option>
            </select>
        </div>
    </div>

    <button type="button" id="pay-button" class="btn btn-primary">Pay</button>
    <input type="hidden" id="flexresponse" name="flexresponse">
</form>
  4. Invoke the Flex SDK by passing the capture context that was generated in the previous step to the microform object.
    const flex = new Flex(captureContext);
  5. Initiate the microform object with styling to match your web page.
    After you create a new Flex object, you can begin creating your Microform. You will pass your baseline styles and ensure that the button matches your merchant page:
    const microform = flex.microform("card", { styles: myStyles });
  6. Create and attach the microform fields to the HTML objects through the Microform Integration JavaScript library.
    const number = microform.createField('number', { placeholder: 'Enter card number' });
const securityCode = microform.createField('securityCode', { placeholder: '•••' });
            number.load('#number-container');
            securityCode.load('#securityCode-container');
  7. Create a function for the customer to submit their payment information, and invoke the tokenization request to
    Microform Integration
     for the transient token.

Mobile Application

To initiate and embed
Microform Integration
 into a native payment acceptance mobile application, follow the steps for web page set up, and ensure that these additional requirements are met:
  • The card information acceptance fields of PAN and CVV must be hosted on a web page.
  • The
    eCheck
     information acceptance fields of routing number, account number, and confirmed account number must be hosted on a web page.
  • The native application must load the hosted card entry form web page in a web view.

AFTER COMPLETING THE TASK

As an alternative, you can use the Mobile SDKs hosted on GitHub:

Transient Tokens for Accepting Card Information

The response to a successful customer interaction with
Microform Integration
 is a transient token. The transient token is a reference to the payment data that is collected on your behalf. Tokens allow secure card or check payments to occur without risk of exposure to sensitive payment information. The transient token is a short-term token that expires after 15 minutes. This reduces your PCI burden/responsibility and ensures that sensitive information is not exposed to your back-end systems.

Transient Token Time Limit

The sensitive data associated with the transient token is available for use in API requests for a 15-minute duration. After 15 minutes, you must prompt the customer to restart the checkout flow.
Example: Creating the Pay Button with Event Listener for Accepting Card Information
const button = document.querySelector("#myButton");

button.addEventListener("click", function () {
  // Compiling MM & YY into optional parameters
  const options = {
    expirationMonth: document.querySelector("#expMonth").value,
    expirationYear: document.querySelector("#expYear").value,
  };
  //
  microform.createToken(options, function (err, token) {
    // handle err
    if (err) {
      console.error(err);
      errorsOutput.textContent = err.message;
      return;
    }
  
    // At this point you may pass the token back to your server as you wish.
    // In this example we append a hidden input to the form and submit it.
    console.log(JSON.stringify(token));
    flexResponse.value = JSON.stringify(token);
    form.submit();
  });
});
When the customer submits the form,
Microform Integration
 securely collects and tokenizes the data in the loaded fields as well as the options supplied to the
createToken()
 function. The Account Type is included in the request. If tokenization succeeds, your callback receives the token as its second parameter. Send the token to your server, and use it in place of the
eCheck
 data when you use supported payment services.
Example: Customer-Submitted Form for Accepting Card Information
<script>
    // Variables from the HTML form 
    const form = document.querySelector('#my-sample-form');
    const payButton = document.querySelector('#pay-button');
    const flexResponse = document.querySelector('#flexresponse');
    const expMonth = document.querySelector('#expMonth');
    const expYear = document.querySelector('#expYear');
    const errorsOutput = document.querySelector('#errors-output');

    // the capture context that was requested server-side for this transaction
    const captureContext = <% -keyInfo %> ;
    // custom styles that will be applied to each field we create using Microform
    const myStyles = {
        'input': {
            'font-size': '14px',
            'font-family': 'helvetica, tahoma, calibri, sans-serif',
            'color': '#555'
        },
        ':focus': { 'color': 'blue' },
        ':disabled': { 'cursor': 'not-allowed' },
        'valid': { 'color': '#3c763d' },
        'invalid': { 'color': '#a94442' }
    };
    // setup Microform
    const flex = new Flex(captureContext);
    const microform = flex.microform({ styles: myStyles });
    const number = microform.createField('number', { placeholder: 'Enter card number' });
    const securityCode = microform.createField('securityCode', { placeholder: '•••' });
    number.load('#number-container');
    securityCode.load('#securityCode-container');


    // Configuring a Listener for the Pay button	
    payButton.addEventListener('click', function () {

        // Compiling MM & YY into optional parameters	 
        const options = {
            expirationMonth: document.querySelector('#expMonth').value,
            expirationYear: document.querySelector('#expYear').value
        };
        //  
        microform.createToken(options, function (err, token) {
            if (err) {
                // handle error
                console.error(err);
                errorsOutput.textContent = err.message;
            } else {
                // At this point you may pass the token back to your server as you wish.
                // In this example we append a hidden input to the form and submit it.      
                console.log(JSON.stringify(token));
                flexResponse.value = JSON.stringify(token);
                form.submit();
            }
        });
    }); 
</script>

Transient Token Response Format

The transient token is issued as a JSON Web Token (RFC 7519). A JWT is a string consisting of three parts that are separated by dots:
  • Header
  • Payload
  • Signature
JWT example:
xxxxx.yyyyy.zzzzz
The payload portion of the token is an encoded Base64url JSON string and contains various claims.
IMPORTANT
When you integrate with Cybersource APIs, Cybersource recommends that you dynamically parse the response for the fields that you are looking for. Additional fields may be added in the future.
You must ensure that your integration can handle new fields that are returned in the response. While the underlying data structures will not change, you must also ensure that your integration can handle changes to the order in which the data is returned.
The internal data structure of the JWT can expand to contain additional data elements. Ensure that your integration and validation rules do not limit the data elements contained in responses.
Example: Token Payload for Accepting Card Information
{
  "iss": "Flex/00",
  "exp": 1728911080,
  "type": "mf-2.0.0",
  "iat": 1728910180,
  "jti": "1D1S6JK9RL6EK667H1I370689A63I2I8YLFJSPJ1EUSKIPMJJWEL670D16E89AF8",
  "content": {
    "paymentInformation": {
      "card": {
        "expirationYear": {
          "value": "2025"
        },
        "number": {
          "detectedCardTypes": [
            "001"
          ],
          "maskedValue": "XXXXXXXXXXXX1111",
          "bin": "411111"
        },
        "securityCode": {},
        "expirationMonth": {
          "value": "01"
        }
      }
    }
  }
}

Validating the Transient Token

After receiving the transient token, validate its integrity using the public key embedded within the capture context created at the beginning of this flow. This verifies that
Cybersource
 issued the token and that no data tampering occurred during transit.
Example: Capture Context Public Key
"jwk": {
                "kty": "RSA",
                "e": "AQAB",
                "use": "enc",
                "n": "3DhDtIHLxsbsSygEAG1hcFqnw64khTIZ6w9W9mZNl83gIyj1FVk-H5GDMa85e8RZFxUwgU_zQ0kHLtONo8SB52Z0hsJVE9wqHNIRoloiNPGPQYVXQZw2S1BSPxBtCEjA5x_-bcG6aeJdsz_cAE7OrIYkJa5Fphg9_pxgYRod6JCFjgdHj0iDSQxtBsmtxagAGHjDhW7UoiIig71SN-f-gggaCpITem4zlb5kkRVvmKMUANe4B36v4XSSSpwdP_H5kv4JDz_cVlp_Vy8T3AfAbCtROyRyH9iH1Z-4Yy6T5hb-9y3IPD8vlc8E3JQ4qt6U46EeiKPH4KtcdokMPjqiuQ",
                "kid": "00UaBe20jy9VkwZUQPZwNNoKFPJA4Qhc"    }
Use the capture context public key to cryptographically validate the JWT provided from a successful
microform.createToken
 call. You might have to convert the JSON Web Key (JWK) to privacy-enhanced mail (PEM) format for compatibility with some JWT validation software libraries.
The
Cybersource
 SDK has functions that verify the token response. You must verify the response to ensure that no tampering occurs as it passes through the cardholder device. Do so by using the public key generated at the start of the process.
Example: Validating the Transient Token
console.log('Response TransientToken: ' + req.body.transientToken); console.log('Response CaptureContext: ' + 
req.body.captureContext); 
//	Validating Token JWT Against Signature in Capture Context const capturecontext = req.body.captureContext; 
const transientToken = req.body.transientToken; 
// Extracting JWK in Body of Capture Context const ccBody = capturecontext.split('.')[1]; console.log('Body: ' + ccBody); 
const atob = require('atob');
const ccDecodedValue = JSON.parse( atob(ccBody)); const jwk = ccDecodedValue.flx.jwk;

Using the Transient Token to Process a Payment

After you validate the transient token, you can use it in place of the PAN with payment services for 15 minutes. See Transient Token Time Limit.
When the consuming service receives a request containing a transient token, it retrieves the tokenized data and injects the values into your request before processing, and none of the sensitive data is stored on your systems. In some scenarios, the
jti
 value contained in the JWT transient token response must be extracted and used instead of the entire JWT.
Connection Method
Field
Simple Order API
tokenSource_transientToken
SCMP API
transient_token
REST API with Transient Token JSON Web Token
"tokenInformation": {
"transientTokenJwt": "eyJraWQiOiIwNzRsM3p5M2xCRWN5d1gxcnhXNFFoUmJFNXJLN1NmQiIsImFsZyI6IlJTMjU2In0.eyJkYXRhIjp7ImV4cGlyYXRpb25ZZWFyIjoiMjAyMSIsIm51bWJlciI6IjQxMTExMVhYWFhYWDExMTEiLCJleHBpcmF0aW9uTW9udGgiOiIwNSIsInR5cGUiOiIwMDEifSwiaXNzIjoiRmxleC8wOCIsImV4cCI6MTU4ODcwMjkxNSwidHlwZSI6Im1mLTAuMTEuMCIsImlhdCI6MTU4ODcwMjAxNSwianRpIjoiMUU0Q0NMSUw4NFFXM1RPSTFBM0pUU1RGMTZGQUNVNkUwNU9VRVNGWlRQNUhIVkJDWTQwUTVFQjFBRUMzNDZBMCJ9.FB3b2r8mjtvqo3_k05sRIPGmCZ_5dRSZp8AIJ4u7NKb8E0-6ZOHDwEpxtOMFzfozwXMTJ3C6yBK9vFIPTIG6kydcrWNheE2Pfort8KbxyUxG-PYONY-xFnRDF841EFhCMC4nRFvXEIvlcLnSK6opUUe7myKPjpZI1ijWpF0N-DzZiVT8JX-9ZIarJq2OI0S61Y3912xLJUKi5c2VpRPQOS54hRr5GHdGJ2fV8JZ1gTuup_qLyyK7uE1VxI0aucsyH7yeF5vTdjgSd76ZJ1OUFi-3Ij5kSLsiX4j-D0T8ENT1DbB_hPTaK9o6qqtGJs7QEeW8abtnKFsTwVGrT32G2w"
}
REST API with JSON Web Token ID
"tokenInformation": {
    "jti": "1E3GQY1RNKBG6IBD2EP93C43PIZ2NQ6SQLUIM3S16BGLHTY4IIEK5EB1AE5D73A4",    
}
Example: Authorization with a Transient Token Using the REST API
{
    "clientReferenceInformation": {
        "code": "TC50171_3"
    },
    "orderInformation": {
        "amountDetails": {
            "totalAmount": "102.21",
            "currency": "USD"
        },
        "billTo": {
            "firstName": "Tanya",
            "lastName": "Lee",
            "address1": "1234 Main St.",
            "locality": "Small Town",
            "administrativeArea": "MI",
            "postalCode": "98765-4321",
            "country": "US",
            "district": "MI",
            "buildingNumber": "123",
            "email": "tanyalee@example.com",
            "phoneNumber": "987-654-3210"
        }
    },
    "tokenInformation": {
        "transientTokenJwt": "eyJraWQiOiIwN0JwSE9abkhJM3c3UVAycmhNZkhuWE9XQlhwa1ZHTiIsImFsZyI6IlJTMjU2In0.eyJkYXRhIjp7ImV4cGlyYXRpb25ZZWFyIjoiMjAyMCIsIm51bWJlciI6IjQxMTExMVhYWFhYWDExMTEiLCJleHBpcmF0aW9uTW9udGgiOiIxMCIsInR5cGUiOiIwMDEifSwiaXNzIjoiRmxleC8wNyIsImV4cCI6MTU5MTc0NjAyNCwidHlwZSI6Im1mLTAuMTEuMCIsImlhdCI6MTU5MTc0NTEyNCwianRpIjoiMUMzWjdUTkpaVjI4OVM5MTdQM0JHSFM1T0ZQNFNBRERCUUtKMFFKMzMzOEhRR0MwWTg0QjVFRTAxREU4NEZDQiJ9.cfwzUMJf115K2T9-wE_A_k2jZptXlovls8-fKY0muO8YzGatE5fu9r6aC4q7n0YOvEU6G7XdH4ASG32mWnYu-kKlqN4IY_cquRJeUvV89ZPZ5WTttyrgVH17LSTE2EvwMawKNYnjh0lJwqYJ51cLnJiVlyqTdEAv3DJ3vInXP1YeQjLX5_vF-OWEuZfJxahHfUdsjeGhGaaOGVMUZJSkzpTu9zDLTvpb1px3WGGPu8FcHoxrcCGGpcKk456AZgYMBSHNjr-pPkRr3Dnd7XgNF6shfzIPbcXeWDYPTpS4PNY8ZsWKx8nFQIeROMWCSxIZOmu3Wt71KN9iK6DfOPro7w"
    }
}