1 / 48

Credit Card Transaction Processing for E-commerce Web Sites with Java

Credit Card Transaction Processing for E-commerce Web Sites with Java. Sean C. Sullivan sean@seansullivan.com. Agenda. Credit card fundamentals Credit card transaction processing Solutions for Java developers Q & A. Credit Cards. Credit Cards 101. Card number Expiration date

Gabriel
Download Presentation

Credit Card Transaction Processing for E-commerce Web Sites with Java

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Credit Card Transaction Processing for E-commerce Web Sites with Java Sean C. Sullivan sean@seansullivan.com

  2. Agenda • Credit card fundamentals • Credit card transaction processing • Solutions for Java developers • Q & A

  3. Credit Cards

  4. Credit Cards 101 • Card number • Expiration date • Card verification number

  5. Validating aCredit Card Number • “Mod 10” check algorithm • Right-most digit is the check digit • 4100000000000001 Note: Always run the Mod-10 algorithm before submitting a transaction!

  6. Example: Mod-10 algorithm • Number: 74385 • (5*1) , (8 * 2) , (3 * 1), (4 * 2), (7 * 1) • 5, 16, 3, 8, 7 • 5 + (1 + 6) + 3 + 8 + 7 • Sum = 30 • 30 mod 10 = zero • This number passes the algorithm.

  7. Types of Credit Card Transactions • Card present transactions • Card not present (CNP) transactions

  8. Participants in a Credit Card Transaction • Cardholder • Issuing bank • Merchant • Acquiring bank

  9. Typical Internet transaction Internet payment service provider Cardholder Merchant’s web site Issuing bank Payment processor Acquiring bank

  10. Basic Credit Card Transaction Two steps: • Authorization • Settlement

  11. Authorizations Authorization request Merchant application Internet payment service provider Authorization response Authorization takes place when the customer places an order

  12. Address Verification • Address Verification System (AVS) • Use it! • Added protection against fraud • Verifies: • billing street address • billing zip code

  13. Authorization Issues • How long does an authorization take? • What if your application does not receive a response? • Lifetime of an authorization? • What if the cardholder cancels the order?

  14. Authorization Reversals • Undo a prior authorization • Types: • Full reversal • Partial reversal • Not universally supported • CyberSource: no auth reversals

  15. Settlement • “settle” an authorized transaction • CyberSource refers to this as “bill” For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.

  16. Credits • Refund • Original credit

  17. Merchant Account • Sign up for Merchant account with a financial institution Alternative: • Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)

  18. Java API for Credit Card Transaction Processing? • There is no standard API • Must use API provided by the payment service provider • Every vendor has their own API

  19. Internet PaymentService Providers • ClearCommerce • Cybercash • CyberSource • SurePay • Verisign • …and many more

  20. Choosing a Payment Service Provider • Transaction fees? • Multiple currencies? • Integration with 3rd party web commerce products? • Support for required card types? • API / SDK?

  21. Choosing a Payment Service Provider (cont) • Provides a Test server for performing “test” transactions? • Fraud screening services? • Management and Reporting tools? • Service and support? • Security? Scalability?

  22. Development Issues • Explicitly open and close SSL sockets? • Need to license an SSL class library? • One connection or many? • Connection timeouts • Does the vendor’s API shield you from connection complexity?

  23. Development Issues (cont) • How to represent money? • java.lang.String?? • java.math.BigDecimal?? • Classes to represent currency? • Thread safety of the vendor’s class library?

  24. Exceptional Conditions • Card reported stolen • Card reported lost • Card expired • Invalid credit card • Funds not available • AVS: no match • …

  25. CyberSource www.cybersource.com • payment service provider

  26. Cardholder Merchant web site SCMP HTTP/SSL CyberSource CyberSource

  27. Getting Started with CyberSource • Register at • www.cybersource.com • Download • “CyberSource Java ICS Client Developers Kit (CDK)”

  28. Setting up the CyberSource CDK • Generate cert and key pair • run Ecert utility • Edit ICSClient properties file • Update classpath • cdkjava3310.jar

  29. CyberSource Credit Card Services • Authorizations • ics_auth • Authorization Reversals • not supported • Settlement • ics_bill

  30. CyberSource Credit Card Services (cont) • Issue a credit • ics_credit • Score a transaction’s fraud risk • ics_score

  31. CyberSource: key classes • ICSClient • ICSClientRequest • ICSOffer • ICSClientReply

  32. CyberSource authorization ICSClient client = … ICSClientOffer offer = new ICSClientOffer(); ICSClientRequest req = new ICSClientRequest(client); req.addApplication(“ics_auth”); req.setMerchantId(“sockwarehouse”);

  33. CyberSource authorization, 2 … req.setCustomerCreditCardNumber( “4111111111111111“); req.setCustomerCreditCardExpirationMonth("12"); req.setCustomerCreditCardExpirationYear("2004"); req.setCurrency("USD");

  34. CyberSource authorization, 3 … offer.setAmount(“7.99”); offer.setQuantity(1); req.addOffer(offer); ICSClientReply reply = (ICSClientReply) client.send(request); …

  35. Q & A • Questions?

  36. Credit Card Transaction Processing for E-commerce Web Sites with Java Sean C. Sullivan sean@seansullivan.com

  37. The following slides are uncategorized and are included here as reference material. This material was omitted from the O’Reilly presentation due to time constraints.

  38. JDollars Project http://jdollars.sourceforge.net/

  39. Terminology • Card Not Present (CNP) • Address Verification Service (AVS) • Chargebacks • MOTO • CVV2

  40. Best Practices • Use AVS • Use SSL • Cardholder  web site • Web site  payment service provider • Protect your private keys • Encrypt credit card numbers

  41. Best Practices (cont) • For Development & QA: • Send transactions to test server • Use “test” merchant account • Use non-production certificates

  42. Avoid Bad Practices • Don’t put credit card numbers in outgoing e-mail messages • Don’t display credit card numbers on an unsecured web page • Don’t display full credit card number on a web page; instead: last 4 digits only • Don’t put CC #’s in browser cookies

  43. What are you selling? • Digital goods or Physical goods • Leather clothing, computers/electronics, jewelry, luxury items Tip: If a customer orders 10 Rolex watches, it should set off a red flag!

  44. Fraud Screening Solutions • ClearCommerce FraudShield • CrediView • CyberSource Internet Fraud Screen • HNC Software eFalcon • Verisign Payflow Fraud Screen

  45. Cardholder Statement • Transaction amount • Transaction date • Merchant name • City or Phone Number • State

  46. AVS Result Codes

  47. Additional Topics • Chargebacks… • Fraud… • Risk management techniques… • Commercial cards (Level II) • American Express Private Payments • “Verified by Visa”

  48. Resources • www.cybersource.com • www.visa.com • www.visabrc.com • www.mastercard.com • www.merchantfraudsquad.com • jdollars.sourceforge.net

More Related