Credit Card Transaction Processing for E-commerce Web Sites with Java Sean C. Sullivan sean@seansullivan.com
Agenda • Credit card fundamentals • Credit card transaction processing • Solutions for Java developers • Q & A
Credit Cards 101 • Card number • Expiration date • Card verification number
Validating a Credit Card Number • “Mod 10” check algorithm • Right-most digit is the check digit • Example: 4100000000000001 Note: Always run the Mod-10 algorithm before submitting a transaction!
Example: Mod-10 algorithm • Number: 74385 • (5 * 1), (8 * 2), (3 * 1), (4 * 2), (7 * 1) • 5, 16, 3, 8, 7 • 5 + (1 + 6) + 3 + 8 + 7 • Sum = 30 • 30 mod 10 = 0 • This number passes the algorithm.
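A Java implementation of the Mod-10 check described on these two slides, added here as an example (it is not code from the presentation or from any vendor SDK), run against the deck's own numbers 74385 and 4100000000000001:

```java
import java.util.Arrays;
import java.util.List;

/**
 * Mod-10 (Luhn) check as described on the slide: the right-most digit is the
 * check digit (weight 1), weights alternate 2, 1, 2, ... moving left, and a
 * doubled digit of 10 or more contributes the sum of its digits (16 -> 1 + 6).
 * Passing only means the digits are self-consistent; it says nothing about
 * whether the account exists or has funds, so it is a typo filter, not a fraud check.
 */
public final class Mod10 {

    private Mod10() { }

    /** True if the digit string passes; empty input or any non-digit fails. */
    public static boolean passes(String number) {
        if (number == null || number.isEmpty()) {
            return false;
        }
        int sum = 0;
        boolean doubleIt = false;        // right-most (check) digit keeps weight 1
        for (int i = number.length() - 1; i >= 0; i--) {
            char c = number.charAt(i);
            if (c < '0' || c > '9') {
                return false;            // spaces, dashes, letters: reject rather than guess
            }
            int d = c - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) {
                    d -= 9;              // equivalent to adding the two digits of d
                }
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    /** The two numbers from the slides, a transposition of the first, and a formatted input. */
    public static void main(String[] args) {
        List<String> samples = Arrays.asList(
                "74385", "4100000000000001", "74835", "4100 0000 0000 0001");
        for (String s : samples) {
            System.out.println(s + " -> " + (passes(s) ? "passes" : "fails"));
        }
    }
}
```

Strip spaces and dashes from user input before calling passes(); the last sample fails on purpose to show that formatted input is rejected rather than silently accepted.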
Types of Credit Card Transactions • Card present transactions • Card not present (CNP) transactions
Participants in a Credit Card Transaction • Cardholder • Issuing bank • Merchant • Acquiring bank
Typical Internet transaction (diagram) • Participants shown: Cardholder • Merchant’s web site • Internet payment service provider • Payment processor • Acquiring bank • Issuing bank
Basic Credit Card Transaction Two steps: • Authorization • Settlement
Authorizations (diagram) • Merchant application → Internet payment service provider: authorization request • Internet payment service provider → Merchant application: authorization response • Authorization takes place when the customer places an order
Address Verification • Address Verification System (AVS) • Use it! • Added protection against fraud • Verifies: • billing street address • billing zip code
Authorization Issues • How long does an authorization take? • What if your application does not receive a response? • Lifetime of an authorization? • What if the cardholder cancels the order?
Authorization Reversals • Undo a prior authorization • Types: • Full reversal • Partial reversal • Not universally supported • CyberSource: no auth reversals
Settlement • “settle” an authorized transaction • CyberSource refers to this as “bill” For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.
Credits • Refund • Original credit
Merchant Account • Sign up for Merchant account with a financial institution Alternative: • Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)
Java API for Credit Card Transaction Processing? • There is no standard API • Must use API provided by the payment service provider • Every vendor has their own API
Internet Payment Service Providers • ClearCommerce • Cybercash • CyberSource • SurePay • Verisign • …and many more
Choosing a Payment Service Provider • Transaction fees? • Multiple currencies? • Integration with 3rd party web commerce products? • Support for required card types? • API / SDK?
Choosing a Payment Service Provider (cont) • Provides a Test server for performing “test” transactions? • Fraud screening services? • Management and Reporting tools? • Service and support? • Security? Scalability?
Development Issues • Explicitly open and close SSL sockets? • Need to license an SSL class library? • One connection or many? • Connection timeouts • Does the vendor’s API shield you from connection complexity?
Development Issues (cont) • How to represent money? • java.lang.String?? • java.math.BigDecimal?? • Classes to represent currency? • Thread safety of the vendor’s class library?
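For the money-representation question on this slide, an added example (not from the presentation) showing why a BigDecimal built from a String is the safe choice, with the scale taken from java.util.Currency so the same code serves the multiple-currency case; the tax rate and prices are assumed sample values:

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.Currency;

/** Money arithmetic for an order: exact decimal values, explicit rounding, fixed scale per currency. */
public final class MoneyExample {

    private MoneyExample() { }

    /** Unit price (as received in text form) times quantity, rounded to the currency's minor unit. */
    public static BigDecimal lineTotal(String unitPrice, int quantity, Currency currency) {
        BigDecimal price = new BigDecimal(unitPrice);        // String constructor: exact, no binary rounding
        return price.multiply(BigDecimal.valueOf(quantity))
                    .setScale(currency.getDefaultFractionDigits(), RoundingMode.HALF_UP);
    }

    /** Applies a tax rate such as "0.0825" and rounds half-up to the currency's minor unit. */
    public static BigDecimal withTax(BigDecimal net, String rate, Currency currency) {
        BigDecimal gross = net.multiply(BigDecimal.ONE.add(new BigDecimal(rate)));
        return gross.setScale(currency.getDefaultFractionDigits(), RoundingMode.HALF_UP);
    }

    /** Form a vendor API taking the amount as a String expects: plain digits, no exponent ("23.97", not "2.397E+1"). */
    public static String toAmountString(BigDecimal amount) {
        return amount.toPlainString();
    }

    public static void main(String[] args) {
        Currency usd = Currency.getInstance("USD");
        Currency jpy = Currency.getInstance("JPY");           // 0 fraction digits: totals come out whole

        // Why not double: binary floating point cannot represent most decimal prices exactly.
        System.out.println("double 1.10 * 3         = " + (1.10 * 3));              // 3.3000000000000003
        System.out.println("new BigDecimal(1.10)    = " + new BigDecimal(1.10));    // 1.100000000000000088817...
        System.out.println("new BigDecimal(\"1.10\")  = " + new BigDecimal("1.10")); // 1.10

        BigDecimal total = lineTotal("7.99", 3, usd);          // 23.97
        BigDecimal gross = withTax(total, "0.0825", usd);      // 23.97 * 1.0825 = 25.947525 -> 25.95
        System.out.println("USD line total: " + toAmountString(total) + ", with tax: " + toAmountString(gross));
        System.out.println("JPY line total: " + toAmountString(lineTotal("1980", 2, jpy)));   // 3960
    }
}
```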
Exceptional Conditions • Card reported stolen • Card reported lost • Card expired • Invalid credit card • Funds not available • AVS: no match • …
CyberSource www.cybersource.com • payment service provider
CyberSource integration (diagram) • Cardholder → Merchant web site • Merchant web site → CyberSource: SCMP over HTTP/SSL
Getting Started with CyberSource • Register at • www.cybersource.com • Download • “CyberSource Java ICS Client Developers Kit (CDK)”
Setting up the CyberSource CDK • Generate cert and key pair • run Ecert utility • Edit ICSClient properties file • Update classpath • cdkjava3310.jar
CyberSource Credit Card Services • Authorizations • ics_auth • Authorization Reversals • not supported • Settlement • ics_bill
CyberSource Credit Card Services (cont) • Issue a credit • ics_credit • Score a transaction’s fraud risk • ics_score
CyberSource: key classes • ICSClient • ICSClientRequest • ICSOffer • ICSClientReply
CyberSource authorization (code continued over three slides; … marks code the slides omit)
ICSClient client = …
ICSClientOffer offer = new ICSClientOffer();
ICSClientRequest req = new ICSClientRequest(client);
req.addApplication("ics_auth");
req.setMerchantId("sockwarehouse");
…
req.setCustomerCreditCardNumber("4111111111111111");
req.setCustomerCreditCardExpirationMonth("12");
req.setCustomerCreditCardExpirationYear("2004");
req.setCurrency("USD");
…
offer.setAmount("7.99");
offer.setQuantity(1);
req.addOffer(offer);
ICSClientReply reply = (ICSClientReply) client.send(req);   // the request object declared above is req; the slide's "request" was undeclared
…
Q & A • Questions?
The following slides are uncategorized and are included here as reference material. This material was omitted from the O’Reilly presentation due to time constraints.
JDollars Project http://jdollars.sourceforge.net/
Terminology • Card Not Present (CNP) • Address Verification Service (AVS) • Chargebacks • MOTO • CVV2
Best Practices • Use AVS • Use SSL • Cardholder web site • Web site payment service provider • Protect your private keys • Encrypt credit card numbers
Best Practices (cont) • For Development & QA: • Send transactions to test server • Use “test” merchant account • Use non-production certificates
Avoid Bad Practices • Don’t put credit card numbers in outgoing e-mail messages • Don’t display credit card numbers on an unsecured web page • Don’t display full credit card number on a web page; instead: last 4 digits only • Don’t put CC #’s in browser cookies
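For the “last 4 digits only” and “Encrypt credit card numbers” items on these slides, an added example (not from the presentation) using the JDK's own javax.crypto; AES-GCM, the storage layout and the key-handling comments are this editor's choices, not something the deck specifies:

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Two best practices from the deck: show only the last 4 digits, and encrypt the number at rest. */
public final class CardNumberProtection {

    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag

    /** "4111111111111111" -> "************1111": the only form that belongs on a page, in e-mail or in a log. */
    public static String maskForDisplay(String pan) {
        if (pan == null || pan.length() <= 4) return "****";
        return "*".repeat(pan.length() - 4) + pan.substring(pan.length() - 4);
    }

    /** AES-GCM with a fresh random IV per call; stored form is Base64(iv || ciphertext || tag). */
    public static String encrypt(SecretKey key, String pan) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);              // never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(pan.getBytes(StandardCharsets.US_ASCII));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static String decrypt(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        // GCM verifies the tag: a tampered record or wrong key throws AEADBadTagException, never returns garbage
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                    // demo only: a production key lives in a KMS/HSM, not in the web tier
        SecretKey key = kg.generateKey();
        String pan = "4111111111111111";  // the test card number used on the CyberSource slides
        System.out.println("display: " + maskForDisplay(pan));
        System.out.println("roundtrip ok: " + pan.equals(decrypt(key, encrypt(key, pan))));
    }
}
```

Storing the number at all is the bigger risk; when the payment provider can hold it for you (as the merchant-account alternatives above allow), keep only the masked form and a provider reference.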
What are you selling? • Digital goods or Physical goods • Leather clothing, computers/electronics, jewelry, luxury items Tip: If a customer orders 10 Rolex watches, it should set off a red flag!
Fraud Screening Solutions • ClearCommerce FraudShield • CrediView • CyberSource Internet Fraud Screen • HNC Software eFalcon • Verisign Payflow Fraud Screen
Cardholder Statement • Transaction amount • Transaction date • Merchant name • City or Phone Number • State
Additional Topics • Chargebacks… • Fraud… • Risk management techniques… • Commercial cards (Level II) • American Express Private Payments • “Verified by Visa”
Resources • www.cybersource.com • www.visa.com • www.visabrc.com • www.mastercard.com • www.merchantfraudsquad.com