Secure Acceptance Checkout API Transaction Flow
Figure: Secure Acceptance Checkout API Transaction Flow
- Display the checkout page on your customer's browser with a form to collect their payment information and include a signature to validate their order information (signed data fields). Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating Cybersource, do not allow unauthorized access to the signing function.
- The customer enters and submits their payment details (the unsigned data fields). The transaction request message, the signature, and the signed and unsigned data fields are sent directly from your customer's browser to the Cybersource servers. The unsigned data fields do not pass through your network. Cybersource reviews and validates the transaction request data to confirm it has not been amended or tampered with and that it contains valid authentication credentials. Cybersource processes the transaction and creates and signs the response message. The response message is sent to the customer's browser as an automated HTTPS form POST. If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it. Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the signed_fields field.
- The response HTTPS POST data contains the transaction result in addition to the masked payment data that was collected outside of your domain. Validate the response signature to confirm that the response data has not been amended or tampered with. If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the Simple Order API to submit a capture request when goods are shipped.
- Cybersource recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.
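The server-side half of the flow above (signing the request without the customer-entered fields, then verifying the response signature and discarding unsigned fields) as an added example; this is illustrative code, not Cybersource's own. It assumes the canonical form used by Cybersource's published samples (comma-joined `name=value` pairs over the fields listed in `signed_field_names`, HMAC-SHA256, base64), which this page does not spell out, and it uses `signed_field_names` for what the page calls the signed_fields field; the secret key and sample values are constructed.

```python
import base64
import hashlib
import hmac

# Constructed secret for illustration only. The real secret key belongs to the
# Secure Acceptance profile, stays on the server, and never reaches the browser.
SECRET_KEY = b"constructed-example-secret-not-real"
# Assumed parameter names (Cybersource sample code); the page calls this the signed_fields field.
SIGNED_LIST, SIGNATURE = "signed_field_names", "signature"

def build_data_to_sign(fields):
    # Assumed canonical form: "name=value" pairs joined by commas, in the order
    # listed in signed_field_names. A KeyError here means a listed field is missing.
    names = fields[SIGNED_LIST].split(",")
    return ",".join(f"{n}={fields[n]}" for n in names)

def sign(fields, secret=SECRET_KEY):
    # HMAC-SHA256 over the canonical string, base64-encoded.
    mac = hmac.new(secret, build_data_to_sign(fields).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def sign_request(fields, customer_entered, secret=SECRET_KEY):
    # Step 1: sign every request field except those the customer types into the
    # browser form (card number, expiry, CVN), and include the field list itself.
    out = dict(fields)
    names = [k for k in out if k not in customer_entered] + [SIGNED_LIST]
    out[SIGNED_LIST] = ",".join(names)
    out[SIGNATURE] = sign(out, secret)
    return out

def verify_response(post, secret=SECRET_KEY):
    # Step 3: recompute the signature from the posted data; if it does not match,
    # treat the POST as malicious and return None. Otherwise return only the
    # fields that were actually signed, dropping anything else in the POST.
    if SIGNED_LIST not in post or SIGNATURE not in post:
        return None
    try:
        expected = sign(post, secret)
    except KeyError:
        return None
    if not hmac.compare_digest(expected, post[SIGNATURE]):
        return None
    return {n: post[n] for n in post[SIGNED_LIST].split(",")}

# Constructed sample response, shaped like a Cybersource result POST (values made up).
SAMPLE_RESPONSE = {"decision": "ACCEPT", "req_reference_number": "order-1001",
                   "req_amount": "10.00", "req_card_number": "xxxxxxxxxxxx1111",
                   SIGNED_LIST: "decision,req_reference_number,req_amount,req_card_number,signed_field_names"}
SAMPLE_RESPONSE[SIGNATURE] = sign(SAMPLE_RESPONSE)
```

A POST whose signature fails, is missing, or was made with a different key yields None and must be disregarded; a field appended to a genuine POST is silently dropped because it is not in the signed list.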