Secure Acceptance Hosted Checkout Integration Transaction Flow

Figure: Hosted Checkout Integration Transaction Flow
  1. The customer clicks the pay button on your website, which triggers an HTTPS POST that directs the customer to the hosted Secure Acceptance page that you configured in the Business Center. The HTTPS POST includes the signature and signed data fields containing the order information.
    Hosted Checkout Integration works best with JavaScript and cookies enabled in the customer browser.
    Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating Cybersource, do not allow unauthorized access to the signing function. See Required Signed Fields.
  2. Secure Acceptance verifies the signature to ensure that the order details were not amended or tampered with and displays the Hosted Checkout Integration page. The customer enters and submits payment details and their billing and shipping information. The customer confirms the payment, and the transaction is processed.
  3. Cybersource recommends that you configure a custom receipt page in the Business Center so that the signed transaction response is sent back to your merchant server through the browser. See Merchant Notifications. You must validate the response signature to confirm that the response data was not amended or tampered with.
    Hosted Checkout Integration can also display a standard receipt page to your customer, and you can verify the result of the transaction search in the Business Center or the standard Cybersource reports.
    If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it.
    Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the signed_fields field.
  4. Cybersource recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.
    If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the Cybersource Simple Order API to submit a capture request when goods are shipped.
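
The response check from step 3, sketched in Python as an added example (not Cybersource's code). The page does not give the signing construction, so the Base64 HMAC-SHA256 over comma-joined name=value pairs and the field names signature and signed_field_names are assumptions to confirm against the signature documentation; the key and sample POST are constructed.

```python
import base64
import hashlib
import hmac

# Assumptions (not stated on this page): the signature is Base64(HMAC-SHA256)
# over comma-joined "name=value" pairs, in the order given by the signed-field
# list, and that list arrives in a field named signed_field_names.
SIGNED_LIST_FIELD = "signed_field_names"
SIGNATURE_FIELD = "signature"


def compute_signature(fields, names, secret_key):
    data = ",".join(f"{n}={fields[n]}" for n in names)
    mac = hmac.new(secret_key.encode(), data.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verified_fields(post, secret_key):
    """Return only the signed fields of a response POST, or None to discard it."""
    received = post.get(SIGNATURE_FIELD)
    names = [n for n in post.get(SIGNED_LIST_FIELD, "").split(",") if n]
    # Require the list to be signed too: it disambiguates values with commas.
    if not received or SIGNED_LIST_FIELD not in names:
        return None
    if any(n not in post for n in names):
        return None
    expected = compute_signature(post, names, secret_key)
    # Constant-time comparison; any mismatch means the POST is disregarded.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Drop everything that is not listed as signed.
    return {n: post[n] for n in names}


# Constructed sample: the key and all values are made up for this example.
SECRET = "constructed-test-key"
_signed = {
    "decision": "ACCEPT",
    "reference_number": "ORDER-1001",
    "amount": "25.00",
    "signed_field_names": "decision,reference_number,amount,signed_field_names",
}
SAMPLE_POST = dict(_signed, signature=compute_signature(
    _signed, _signed["signed_field_names"].split(","), SECRET))
SAMPLE_POST["injected_field"] = "not signed"  # unsigned extra, must be ignored

if __name__ == "__main__":
    print(verified_fields(SAMPLE_POST, SECRET))
    print(verified_fields(dict(SAMPLE_POST, amount="0.01"), SECRET))
```

Run the same check on the merchant POST URL notification from step 4, and act only on the dictionary the function returns, never on the raw POST.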