Secure Acceptance Checkout API Overview
Cybersource Secure Acceptance Checkout API provides a seamless customer checkout experience that keeps your branding consistent. You can create a Secure Acceptance Checkout API profile and configure the required settings to set up your customer checkout experience.
Secure Acceptance Checkout API can significantly simplify your Payment Card Industry Data Security Standard (PCI DSS) compliance by sending sensitive payment card data directly from your customer’s browser to Cybersource servers. Your web application infrastructure does not come into contact with the sensitive payment data and the transition is silent.
Secure Acceptance is designed to process transaction requests directly from the customer browser so that sensitive payment data does not pass through your servers. If you do intend to send payment data from your servers, use the REST API, SOAP Toolkit API, or the Simple Order API. Sending server-side payments using Secure Acceptance incurs unnecessary overhead and could result in the suspension of your Secure Acceptance profile.
To create your customer's Secure Acceptance experience, you take these steps:
- Create and configure Secure Acceptance Checkout API profiles.
- Update the code on your web site to POST payment data directly to Cybersource from your secure payment form. See Sample Transaction Process Using JSP. Cybersource processes the transaction on your behalf by sending an approval request to your payment processor in real time. See Secure Acceptance Checkout API Transaction Flow.
- Use the response information to generate an appropriate transaction response page to display to the customer. You can view and manage all orders in the Business Center. You can configure the payment options, response pages, and customer notifications. See Creating a Secure Acceptance Profile.
Required Browsers
You must use one of these browsers in order to ensure that the Secure Acceptance checkout flow is fast and secure. Internet Explorer is no longer supported.
Desktop browsers:
- Chrome 80, released February 4, 2020 or later
- Edge 109, released January 12, 2023 or later
- Firefox 115, released June 29, 2023 or later
- Opera 106, released December 19, 2023 or later
- Safari 13, released September 20, 2019 or later
Mobile browsers:
- Android Browser 123, released March 12, 2024 or later
- Chrome Mobile 80, released February 4, 2020 or later
- iOS Safari 13, released September 20, 2019 or later
Secure Acceptance Profile
A Secure Acceptance profile consists of settings that you configure to create a customer checkout experience. You can create and edit multiple profiles, each offering a custom checkout experience. For example, you might want to offer different payment options for different geographic locations.
Secure Acceptance Checkout API Transaction Flow
Figure: Secure Acceptance Checkout API Transaction Flow
- Display the checkout page on your customer's browser with a form to collect their payment information and include a signature to validate their order information (signed data fields). Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating Cybersource, do not allow unauthorized access to the signing function.
- The customer enters and submits their payment details (the unsigned data fields). The transaction request message, the signature, and the signed and unsigned data fields are sent directly from your customer's browser to the Cybersource servers. The unsigned data fields do not pass through your network. Cybersource reviews and validates the transaction request data to confirm it has not been amended or tampered with and that it contains valid authentication credentials. Cybersource processes the transaction and creates and signs the response message. The response message is sent to the customer's browser as an automated HTTPS form POST. If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it. Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the signed_fields field.
- The response HTTPS POST data contains the transaction result in addition to the masked payment data that was collected outside of your domain. Validate the response signature to confirm that the response data has not been amended or tampered with. If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the Simple Order API to submit a capture request when goods are shipped.
- Cybersource recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.
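The response checks described in the flow above (recompute the signature, disregard the POST on a mismatch, ignore fields that are not in the signed list), as an added example that is not Cybersource's own code. It assumes a Base64 HMAC-SHA256 over comma-joined name=value pairs, with the signed list in a field named signed_field_names and the result in a field named signature; this page does not state the scheme or those names, so confirm them against your profile's integration guide. The key and POST values are constructed.

```python
import base64
import hashlib
import hmac

# Assumed field names and signing scheme (not stated on this page): the response
# lists its signed fields in "signed_field_names" and carries a Base64
# HMAC-SHA256 of "name=value" pairs joined by commas in "signature".
SIGNED_LIST_FIELD = "signed_field_names"
SIGNATURE_FIELD = "signature"


def compute_signature(fields: dict, secret_key: str) -> str:
    names = fields[SIGNED_LIST_FIELD].split(",")
    data = ",".join(f"{name}={fields[name]}" for name in names)
    digest = hmac.new(secret_key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verified_fields(post: dict, secret_key: str):
    """Return only the signed fields if the signature checks out, else None."""
    signed_list = post.get(SIGNED_LIST_FIELD, "")
    received = post.get(SIGNATURE_FIELD, "")
    if not signed_list or not received:
        return None
    names = signed_list.split(",")
    # The signed list must itself be signed, and every listed field present.
    if SIGNED_LIST_FIELD not in names or any(n not in post for n in names):
        return None
    expected = compute_signature(post, secret_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Unsigned fields in the POST are dropped, never trusted.
    return {n: post[n] for n in names}


# Constructed sample data: placeholder key and a made-up response POST.
SAMPLE_KEY = "constructed-test-key-not-a-real-secret"
sample_post = {
    "decision": "ACCEPT",
    "reference_number": "ORDER-1001",
    "amount": "25.00",
    "signed_field_names": "decision,reference_number,amount,signed_field_names",
}
sample_post["signature"] = compute_signature(sample_post, SAMPLE_KEY)

if __name__ == "__main__":
    print(verified_fields(sample_post, SAMPLE_KEY))
    print(verified_fields(dict(sample_post, amount="0.01"), SAMPLE_KEY))
```

Keep the secret key and the signing function on the server only; the same compute_signature routine is what signs the request fields in the first step of the flow.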
Payment Tokens
Contact Cybersource Customer Support to activate your merchant account for the Token Management Service (TMS). You cannot use payment tokens until your account is activated and you have enabled payment tokens for Secure Acceptance. See Creating a Secure Acceptance Profile.
Payment tokens are unique identifiers that replace sensitive payment information and that cannot be mathematically reversed. Cybersource securely stores all the card information, replacing it with the payment token. The token is also known as a subscription ID, which you store on your server.
The payment token replaces the card or ACH bank account number, and optionally the associated billing, shipping, and card information. No sensitive card information is stored on your servers, thereby reducing your PCI DSS obligations.
Tokens That Represent a Card or Bank Account Only
Instrument identifier tokens created using the Token Management Service (TMS) and third-party tokens represent a payment card number or bank account number. The same card number or bank account number sent in multiple token creation calls results in the same payment token being returned. TMS instrument identifier and third-party tokens cannot be updated. If your merchant account is configured for one of these token types, you receive an error if you attempt to update a token.
When using Secure Acceptance with tokens that represent only the card number or bank account, you must include associated data, such as expiration dates and billing address data, in your transaction request.
Subscription Payments
A customer subscription contains information that you store in the Cybersource database and use for future billing. At any time, you can send a request to bill the customer for an amount you specify, and Cybersource uses the payment token to retrieve the card, billing, and shipping information to process the transaction. You can also view the customer subscription in the Business Center. See Viewing Transactions in the Business Center.
A customer subscription includes:
- Customer contact information, such as billing and shipping information.
- Customer payment information, such as card type, masked account number, and expiration date.
- Customer order information, such as the transaction reference number and merchant-defined data fields.
Type of Subscription | Description |
---|---|
Recurring | A recurring billing service with no specific end date. You must specify the amount and frequency of each payment and the start date for processing the payments. Cybersource creates a schedule based on this information and automatically bills the customer according to the schedule. For example, you can offer an online service that the customer subscribes to and can charge a monthly fee for this service. See Recurring Payments. |
Installment | A recurring billing service with a fixed number of scheduled payments. You must specify the number of payments, the amount and frequency of each payment, and the start date for processing the payments. Cybersource creates a schedule based on this information and automatically bills the customer according to the schedule. For example, you can offer a product for 75.00 and let the customer pay in three installments of 25.00. See Installment Payments. |
Level II and III Data
Secure Acceptance supports Level II and III data. Level II cards, also known as Type II cards, provide customers with additional information on their payment card statements. Business and corporate cards along with purchase and procurement cards are considered Level II cards.
Level III data can be provided for purchase cards, which are payment cards used by employees to make purchases for their company. You provide additional detailed information (the Level III data) about the purchase card order during the settlement process. The Level III data is forwarded to the company that made the purchase, and it enables the company to manage its purchasing activities.
Payouts Payment Tokens
Use Secure Acceptance to create a payment token that can be used with the Payouts API or batch submissions.
Creating a Payment Token for Payouts
- Create a Secure Acceptance Profile and define your checkout page. See Payment Configuration or Portfolio Management for Resellers.
- For transaction processing, create a payment token. See Payment Tokens.
- Set the Payouts subscription ID field to the value of the payment token.
Go-Live with Secure Acceptance
Cybersource recommends that you submit all banking information and required integration services before going live. Doing so will speed up your merchant account configuration.
When you are ready to implement Secure Acceptance in your live environment, you must contact Cybersource Customer Support and request Go-Live. When all the banking information has been received by Cybersource, the Go-Live procedure can require three days to complete. Go-Live implementations do not occur on Fridays.