Capture Context API

The capture context request contains all of the merchant-specific parameters that tell the frontend JavaScript library how to behave within your payment experience.
The capture context is a signed JSON Web Token (JWT) containing this information:
  • Merchant-specific parameters that dictate the customer payment experience for the current payment transaction.
  • A one-time public key that secures the information flow during the current payment transaction.
The capture context request includes these elements:
  • allowedCardNetworks
  • allowedPaymentTypes
  • clientVersion
  • targetOrigins
  • transientTokenResponseOptions.includeCardPrefix
  • completeMandate
For information on JSON Web Tokens, see JSON Web Tokens.
Target Origin
The target origin is defined by the scheme (protocol), hostname (domain) and port number (if used).
You must use the https:// protocol. Sub domains must also be included in the target origin.
Any valid top-level domains, such as .com, .co.uk, and .gov.br, are supported. Wildcards are not supported.
For example, if you are launching
Unified Checkout
on example.com, the target origin could be any of the following:
You can define the payment cards and digital payments that you want to accept in the capture context.
Allowed Card Networks
Use the
allowedCardNetworks
field to define the card types.
These card networks are available for card entry:
  • American Express
  • Cartes Bancaires
  • Carnet
  • China UnionPay
  • Diners Club
  • Discover
  • EFTPOS
  • ELO
  • JCB
  • JCrew
  • Mada
  • Maestro
  • Mastercard
  • Meeza
  • Visa
To support dual-branded or co-badged cards, you must list your supported card types values for the
allowedCardNetworks
field based on your preference for processing card numbers. For example, if a card is dual-branded as Visa and Cartes Bancaires and Cartes Bancaires is listed first, the card type is set to Cartes Bancaires after the card number is enter in your
Unified Checkout
card collection form. For information on dual-branded or co-badged cards, see Support for Dual-Branded Cards.
Allowed Payment Types
You can specify the type of
Unified Checkout
digital payment methods you want to accept in the capture context.
Use the
allowedPaymentTypes
field to define the payment type:
  • APPLEPAY
  • CHECK
  • CLICKTOPAY
  • GOOGLEPAY
  • PANENTRY
  • PAZE
IMPORTANT
Click to Pay
supports American Express, Mastercard, and Visa for saved cards. Visa and Mastercard tokenize payment credentials using network tokenization for all
Click to Pay
requests.
Click to Pay
uses
Click to Pay
Token Requester IDs (TRIDs) rather than the your existing TRIDs.
For more information on enabling and managing these digital payment methods, see these topics:
Include Card Prefix
You can control the length of the card number prefix to be received in the response to the capture context
/sessions
request:
  • 6 digits
  • 8 digits
  • no prefix at all
To specify your preferred card number prefix length, include or exclude the
transientTokenResponseOptions.includeCardPrefix
field in the capture context
/sessions
request.
If you want to receive a 6-digit card number prefix in the response
  • Do not
    include the
    transientTokenResponseOptions.includeCardPrefix
    field in the capture context
    /sessions
    request.
  • This example shows how a 6-digit card number prefix
    411111
    is returned in the transient token response:
    "maskedValue": "XXXXXXXXXXXX1111”, "" : "411111"
If you want to receive an 8-digit card number prefix in the response
  • Include the
    transientTokenResponseOptions.includeCardPrefix
    field in the capture context request, and set the value to
    true
    .
    IMPORTANT
    Per PCI DSS requirements, this requirement applies only to card numbers longer than 15 digits and for Discover, JCB, Mastercard, UnionPay, and Visa brands.
    • If the card type entered is not part of these brands, a 6-digit card number prefix is returned instead.
    • If the card type entered is not part of these brands but is
      co-branded
      with these brands, an 8-digit card number prefix is returned.
  • This example shows how an 8-digit card prefix
    41111102
    is returned in the transient token response:
    "maskedValue": "XXXXXXXXXXXX1111”, "" : "41111102"
If you do not want to receive a card number prefix in the response
  • Include the
    transientTokenResponseOptions.includeCardPrefix
    field in the capture context request, and set the value to
    false
    .
  • This example shows how a card number is returned without a card number prefix in the transient token response:
    "maskedValue":"XXXXXXXXXXXX1111"
Best practice:
If your application does not require card number prefix information for routing or identification purposes,
Cybersource
recommends that you include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request and set its value to
false
. Doing so limits the exposure of payment data to only what is necessary for your processing needs.
For more information about PCI DSS, see
Frequently Asked Questions
on the PCI Security Standards Council site.
Complete Mandate
The complete mandate feature provides instructions to service orchestration in
Unified Checkout
and simplifies your integration. Service orchestration enables
Unified Checkout
to orchestrate services on your behalf. The complete mandate feature provides instructions to the
unifiedPayment.complete()
method in the JavaScript SDK. Include the
completeMandate
field object in your capture context to have
Unified Checkout
initiate services on your behalf from the browser.
The complete mandate feature is defined by two fields:
  1. completeMandate.type
    : This field is used to indicate how a payment should be processed. Possible values:
    • AUTH
    • CAPTURE
    • PREFER_AUTH
  2. completeMandate.decisionManager
    : This field determines if
    Decision Manager
    should used. When this field is set to
    true
    , device fingerprinting is run. When set to
    false
    , device fingerprinting is not run and
    Decision Manager
    services are not used.
IMPORTANT
When integrating with
Cybersource
APIs,
Cybersource
recommends that you dynamically parse the response for the fields that you are looking for. Additional fields may be added in the future.
You must ensure that your integration can handle new fields that are returned in the response. While the underlying data structures will not change, you must also ensure that your integration can handle changes to the order in which the data is returned.
Cybersource
uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.