Secure Acceptance Hosted Checkout Integration Overview

Cybersource Secure Acceptance Hosted Checkout Integration is your secure hosted customer checkout experience. It consists of securely managed payment forms, or a single-page payment form, for capturing payment card data and processing transactions, enabling you to simplify your Payment Card Industry Data Security Standard (PCI DSS) compliance and reduce risks associated with handling and/or storing sensitive payment card information. You, the merchant, outsource capturing and managing sensitive payment card data to Secure Acceptance, which is designed to accept card payments.
Secure Acceptance is designed to process transaction requests directly from the customer browser so that sensitive payment data does not pass through your servers.
If you do intend to send payment data from your servers, use the REST API, SOAP Toolkit API, or the Simple Order API.
Sending server-side payments using Secure Acceptance incurs unnecessary overhead and could result in the suspension of your Secure Acceptance profile and subsequent failure of transactions.
To create your customer's checkout experience, take these steps:
  1. Create and configure Secure Acceptance profiles.
  2. Update the code on your web site to render the Hosted Checkout Integration and immediately process card transactions. See Scripting Language Samples. Sensitive card data bypasses your network and is accepted by Secure Acceptance directly from the customer. Cybersource processes the transaction on your behalf by sending an approval request to your payment processor in real time. See Secure Acceptance Hosted Checkout Integration Transaction Flow.
  3. Use the response information to display an appropriate transaction response page to the customer. You can view and manage all orders in the Business Center. See Viewing Transactions in the Business Center.

Required Browsers

You must use one of these browsers in order to ensure that the Secure Acceptance checkout flow is fast and secure.
Internet Explorer is no longer supported.
Desktop browsers:
  • Chrome 80, released February 4, 2020 or later
  • Edge 109, released January 12, 2023 or later
  • Firefox 115, released June 29, 2023 or later
  • Opera 106, released December 19, 2023 or later
  • Safari 13, released September 20, 2019 or later
Mobile browsers:
  • Android Browser 123, released March 12, 2024 or later
  • Chrome Mobile 80, released February 4, 2020 or later
  • iOS Safari 13, released September 20, 2019 or later

Secure Acceptance Profile

A Secure Acceptance profile consists of settings that you configure to create a customer checkout experience. You can create and edit multiple profiles, each offering a custom checkout experience. See Custom Checkout Appearance. For example, you might need multiple profiles for localized branding of your websites. You can display a multi-step checkout process or a single page checkout to the customer as well as configure the appearance and branding, payment options, languages, and customer notifications. See Checkout Configuration.

Secure Acceptance Hosted Checkout Integration Transaction Flow

Figure: Hosted Checkout Integration Transaction Flow

  1. The customer clicks the pay button on your website, which triggers an HTTPS POST that directs the customer to the hosted Secure Acceptance page that you configured in the Business Center. The HTTPS POST includes the signature and signed data fields containing the order information. Hosted Checkout Integration works best with JavaScript and cookies enabled in the customer browser.
    Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating Cybersource, do not allow unauthorized access to the signing function. See Required Signed Fields.
  2. Secure Acceptance verifies the signature to ensure that the order details were not amended or tampered with and displays the Hosted Checkout Integration page. The customer enters and submits payment details and their billing and shipping information. The customer confirms the payment, and the transaction is processed.
  3. Cybersource recommends that you configure a custom receipt page in the Business Center so that the signed transaction response is sent back to your merchant server through the browser. See Merchant Notifications. You must validate the response signature to confirm that the response data was not amended or tampered with. Hosted Checkout Integration can also display a standard receipt page to your customer, and you can verify the result of the transaction search in the Business Center or the standard Cybersource reports.
    If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it.
    Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the signed_fields field.
  4. Cybersource recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.
    If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the Cybersource Simple Order API to submit a capture request when goods are shipped.
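
The response check described in step 3, as an added example (not Cybersource's own code): it recomputes the signature, rejects a POST whose signature does not match, and returns only the fields that the signature covers. The field names signed_field_names and signature, the HMAC-SHA256 and Base64 scheme, and all sample values are assumptions that this page does not state; take the real ones from the Scripting Language Samples.

```python
import base64
import hashlib
import hmac

# Assumed field names (not stated on this page): the POST lists its signed
# fields in "signed_field_names" and carries the signature in "signature".
SIGNED_LIST_FIELD = "signed_field_names"
SIGNATURE_FIELD = "signature"


def sign(fields, names, secret_key):
    """Assumed scheme: Base64(HMAC-SHA256(key, "name=value,name=value,..."))."""
    data = ",".join(f"{n}={fields[n]}" for n in names)
    digest = hmac.new(secret_key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verified_fields(post, secret_key):
    """Return only the signed fields if the signature matches, else None."""
    names = [n for n in post.get(SIGNED_LIST_FIELD, "").split(",") if n]
    received = post.get(SIGNATURE_FIELD, "")
    # The list of signed fields must itself be signed, or it could be shortened.
    if not received or SIGNED_LIST_FIELD not in names:
        return None
    if any(n not in post for n in names):
        return None
    expected = sign(post, names, secret_key)
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Drop every field that the signature does not cover.
    return {n: post[n] for n in names}


# Constructed sample data: a placeholder key and a response signed locally.
SAMPLE_KEY = "constructed-test-secret-key"
SAMPLE_SIGNED = {
    "decision": "ACCEPT",
    "reference_number": "ORDER-1001",
    "amount": "25.00",
    "signed_field_names": "decision,reference_number,amount,signed_field_names",
}
SAMPLE_POST = dict(
    SAMPLE_SIGNED,
    signature=sign(SAMPLE_SIGNED, SAMPLE_SIGNED["signed_field_names"].split(","), SAMPLE_KEY),
)
```

Act on the transaction result only when verified_fields returns a dictionary, and read values from that dictionary rather than from the raw POST.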

Payment Tokens

Contact Cybersource Customer Support to activate your merchant account for the Token Management Service (TMS). You cannot use payment tokens until your account is activated and you have enabled payment tokens for Secure Acceptance. See Creating a Secure Acceptance Profile.
Payment tokens are unique identifiers that replace sensitive payment information and that cannot be mathematically reversed. Cybersource securely stores all the card information, replacing it with the payment token. The token is also known as a subscription ID, which you store on your server.
The payment tokenization solution is compatible with the Visa and Mastercard Account Updater service. Card data stored with Cybersource is automatically updated by participating banks, thereby reducing payment failures. See the Account Updater User Guide (PDF | HTML).
The payment token replaces the card or ACH bank account number, and optionally the associated billing, shipping, and card information. No sensitive card information is stored on your servers, thereby reducing your PCI DSS obligations.

Tokens That Represent a Card or Bank Account Only

Instrument identifier tokens created using the Token Management Service (TMS) and third-party tokens represent a payment card number or bank account number. The same card number or bank account number sent in multiple token creation calls results in the same payment token being returned.
TMS instrument identifier and third-party tokens cannot be updated. If your merchant account is configured for one of these token types, you receive an error if you attempt to update a token.
When using Secure Acceptance with tokens that represent only the card number or bank account, you must include associated data, such as expiration dates and billing address data, in your transaction request.

One-Click Checkout

With one-click checkout, customers can buy products with a single click. Secure Acceptance is integrated with Cybersource tokenization, so returning customers are not required to enter their payment details. Before a customer can use one-click checkout, they must create a payment token during the first transaction on the merchant website. See Payment Token Transactions. The payment token is an identifier for the payment details; therefore, no further purchases require that you enter any information. When the payment token is included in a payment request, it retrieves the card, billing, and shipping information related to the original payment request from the payment repository.
To use one-click checkout, you must include the one-click checkout endpoint to process the transaction. See Endpoints and Transaction Types.

Subscription Payments

A customer subscription contains information that you store in the Cybersource database and use for future billing. At any time, you can send a request to bill the customer for an amount you specify, and Cybersource uses the payment token to retrieve the card, billing, and shipping information to process the transaction. You can also view the customer subscription in the Business Center. See Viewing Transactions in the Business Center.
A customer subscription includes:
  • Customer contact information, such as billing and shipping information.
  • Customer payment information, such as card type, masked account number, and expiration date.
  • Customer order information, such as the transaction reference number and merchant-defined data fields.
Subscription Types
Type of Subscription | Description
Recurring | A recurring billing service with no specific end date. You must specify the amount and frequency of each payment and the start date for processing the payments. Cybersource creates a schedule based on this information and automatically bills the customer according to the schedule. For example, you can offer an online service that the customer subscribes to and can charge a monthly fee for this service. See Recurring Payments.
Installment | A recurring billing service with a fixed number of scheduled payments. You must specify the number of payments, the amount and frequency of each payment, and the start date for processing the payments. Cybersource creates a schedule based on this information and automatically bills the customer according to the schedule. For example, you can offer a product for 75.00 and let the customer pay in three installments of 25.00. See Installment Payments.

Level II and III Data

Secure Acceptance supports Level II and III data. Level II cards, also known as Type II cards, provide customers with additional information on their payment card statements. Business and corporate cards along with purchase and procurement cards are considered Level II cards.
Level III data can be provided for purchase cards, which are payment cards used by employees to make purchases for their company. You provide additional detailed information—the Level III data—about the purchase card order during the settlement process. The Level III data is forwarded to the company that made the purchase, and it enables the company to manage its purchasing activities.
For detailed descriptions of each Level II and Level III field, see Level II and Level III Processing Using Secure Acceptance (PDF | HTML). This guide also describes how to request sale and capture transactions.

Payouts Payment Tokens

Use Secure Acceptance to create a payment token that can be used with the Payouts API or batch submissions.

Creating a Payment Token for Payouts

  1. Create a Secure Acceptance Profile and define your checkout page. See Payment Configuration or Portfolio Management for Resellers.
  2. For transaction processing, create a payment token. See Payment Tokens.
  3. Set the Payouts subscription ID field to the value of the payment token.

Go-Live with Secure Acceptance

Cybersource recommends that you submit all banking information and required integration services before going live. Doing so will speed up your merchant account configuration.
When you are ready to implement Secure Acceptance in your live environment, you must contact Cybersource Customer Support and request Go-Live. When all the banking information has been received by Cybersource, the Go-Live procedure can require three days to complete. Go-Live implementations do not occur on Fridays.