On This Page
Secure Acceptance
Hosted Checkout Integration Overview
Secure Acceptance
Hosted Checkout Integration
OverviewCybersource
Secure Acceptance
Hosted Checkout Integration
is your secure hosted customer checkout
experience. It consists of securely managed payment forms or as a single-page
payment form for capturing payment card data, processing transactions, enabling you
to simplify your Payment Card Industry Data Security Standard (PCI DSS) compliance
and reduce risks associated with handling and/or storing sensitive payment card
information. You, the merchant, out-source capturing and managing sensitive payment
card data to Secure Acceptance
, which is designed to accept card payments.Secure Acceptance
is designed to process transaction requests
directly from the customer browser so that sensitive payment data does not pass
through your servers. If you do intend to send payment data from
your servers, use the REST API, SOAP Toolkit API, or the Simple Order API.
Sending
server-side payments using Secure Acceptance
incurs unnecessary overhead and
could result in the suspension of your Secure Acceptance
profileTo create your customer's
checkout
experience, take these steps:
- Create and configureSecure Acceptanceprofiles.
- Update the code on your web site to render theHosted Checkout Integrationand immediately process card transactions. See Scripting Language Samples. Sensitive card data bypasses your network and is accepted bySecure Acceptancedirectly from the customer.Cybersourceprocesses the transaction on your behalf by sending an approval request to your payment processor in real time. See Secure Acceptance Hosted Checkout Integration Transaction Flow.
- Use the response information to display an appropriate transaction response page to the customer. You can view and manage all orders inthe Business Center. See Viewing Transactions in the Business Center.
Required Browsers
You must use one of these browsers in order to ensure that the
Secure Acceptance
checkout flow is fast and secure.Internet Explorer is no longer supported.
Desktop browsers:
- Chrome 80, released February 4, 2020 or later
- Edge 109, released January 12, 2023 or later
- Firefox 115, released June 29, 2023 or later
- Opera 106, released December 19, 2023 or later
- Safari 13, released September 20, 2019 or later
Mobile browsers:
- Android Browser 123, released March 12, 2024 or later
- Chrome Mobile 80, released February 4, 2020 or later
- iOS Safari 13, released September 20, 2019 or later
Secure Acceptance Profile
Secure Acceptance
ProfileA
Secure Acceptance
profile consists of settings that you configure to create a
customer checkout experience. You can create and edit multiple profiles, each offering a
custom checkout experience. See Custom Checkout Appearance. For
example, you might need multiple profiles for localized branding of your websites. You can
display a multi-step checkout process or a single page checkout to the customer as
well as configure the appearance and branding, payment options, languages, and customer
notifications. See Checkout Configuration.Secure Acceptance Hosted Checkout Integration Transaction Flow
Secure Acceptance
Hosted Checkout Integration
Transaction FlowFigure:
Hosted Checkout Integration
Transaction Flow
- The customer clicks thepaybutton on your website, which triggers an HTTPS POST that directs the customer to thehostedthat you configured inSecure Acceptancepagethe Business Center. The HTTPS POST includes the signature and signed data fields containing the order information.Hosted Checkout Integrationworks best with JavaScript and cookies enabled in the customer browser.Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonatingCybersource, do not allow unauthorized access to the signing function. See Required Signed Fields.
- Secure Acceptanceverifies the signature to ensure that the order details were not amended or tampered with and displays the. The customer enters and submits payment detailsHosted Checkout Integrationpageandtheir billing and shipping information. The customer confirms the payment, and the transaction is processed.
- Cybersourcerecommends that you configure a custom receipt page inthe Business Centerso that the signed transaction response is sent back to your merchant server through the browser. See Merchant Notifications. You must validate the response signature to confirm that the response data was not amended or tampered with.Hosted Checkout Integrationcan also display a standard receipt page to your customer, and you can verify the result of the transaction search inthe Business Centeror the standardCybersourcereports.If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it.Secure Acceptancesigns every response field. Ignore any response fields in the POST that are not in thesigned_fieldsfield.
- Cybersourcerecommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.If the transaction type if sale, it is immediately submitted for settlement. If the transaction type isauthorization, use theCybersourceSimple Order API to submit a capture request when goods are shipped.
Payment Tokens
Contact
Cybersource
Customer Support to
activate your merchant account for the
Token Management Service
(TMS
). You
cannot use payment tokens until your account is activated and you have
enabled payment tokens for Secure Acceptance
. See Creating a Secure Acceptance Profile.Payment tokens are unique identifiers that replace sensitive payment
information and that cannot be mathematically reversed.
Cybersource
securely stores all the card information, replacing
it with the payment token. The token is also known as a subscription ID,
which you store on your server.The payment token replaces the card
or ACH bank account
number, and optionally
the associated billing, shipping, and card information. No sensitive card
information is stored on your servers, thereby reducing your PCI DSS
obligations.Tokens That Represent a Card or Bank Account Only
Instrument identifier tokens
created using the Token
Management Service (TMS) and third-party tokens
represent a payment card number or
bank account number. The same card number or bank account number sent in multiple token
creation calls results in the same payment token being returned. TMS instrument identifier and third-party tokens cannot be
updated. If your merchant account is configured for one of these token types, you
receive an error if you attempt to update a token.
When using
Secure Acceptance
with tokens that represent only the card number or bank account, you must include associated data, such as expiration dates and billing address data, in your transaction request.One-Click Checkout
With
one-click checkout
, customers can buy products with a single click. Secure Acceptance
is integrated to Cybersource
tokenization
, so returning
customers are not required to enter their payment details. Before a customer can use
one-click checkout, they must create a payment token during the first transaction on the
merchant website. See Payment Token Transactions. The payment token
is an identifier for the payment details; therefore, no further purchases require that you
enter any information. When the payment token is included in a payment request, it
retrieves the card, billing, and shipping information related to the original payment
request from the payment repository.To use one-click checkout, you must include the one-click checkout endpoint to process the
transaction. See Endpoints and Transaction Types.
Subscription Payments
A customer subscription contains information that you store in the
Cybersource
database and use for future billing. At any time, you can send a
request to bill the customer for an amount you specify, and Cybersource
uses the payment token to retrieve the card, billing, and shipping information to process
the transaction. You can also view the customer subscription in the Business Center. See
Viewing Transactions in the Business Center.A customer subscription includes:
- Customer contact information, such as billing and shipping information.
- Customer payment information, such as card type, masked account number, and expiration date.
- Customer order information, such as the transaction reference number and merchant-defined data fields.
Type of Subscription | Description |
---|---|
Recurring | A recurring billing service with no specific end date. You
must specify the amount and frequency of each payment and the start date for
processing the payments. Cybersource creates a schedule based
on this information and automatically bills the customer according to the
schedule. For example, you can offer an online service that the customer
subscribes to and can charge a monthly fee for this service. See Recurring Payments. |
Installment | A recurring billing service with a fixed number of scheduled
payments. You must specify the number of payments, the amount and frequency of
each payment, and the start date for processing the payments. Cybersource creates a schedule based on this information and
automatically bills the customer according to the schedule. For example, you
can offer a product for 75.00 and let the customer pay in three installments of
25.00. See Installment Payments. |
Level II and III Data
and III
DataSecure Acceptance
supports Level II and III
data. Level II cards, also known as Type II cards, provide customers with additional information on their payment card statements. Business and corporate cards along with purchase and procurement cards are considered Level II cards.Level III data can be provided for purchase cards, which are payment cards used by employees to make purchases for their company. You provide additional detailed information—the Level III data—about the purchase card order during the settlement process. The Level III data is forwarded to the company that made the purchase, and it enables the company to manage its purchasing activities.
Payouts Payment Tokens
Use
Secure Acceptance
to create a payment token that can be used with the Payouts API or batch submissions.Creating a Payment Token for Payouts
- Create aSecure AcceptanceProfile and define your checkout page. See Payment Configuration or Portfolio Management for Resellers.
- For transaction processing, create a payment token. See Payment Tokens.
- Set the Payouts subscription ID field to the value of the payment token.
RESULT
Go-Live with Secure Acceptance
Secure Acceptance
Cybersource
recommends that you submit all banking information and required integration services before going live. Doing so will speed up your merchant account configuration.When you are ready to implement
Secure Acceptance
in your live environment, you must
contact Cybersource
Customer Support and request Go-Live. When all the
banking information has been received by Cybersource
, the Go-Live procedure
can require three days to complete. Go-Live implementations do not occur on Fridays.