Credit Card Transaction Processing for E-commerce Web Sites with Java
Sean C. Sullivan
Copyright © 2001 Sean C. Sullivan

Agenda
• Credit card fundamentals
• Credit card transaction processing
• Solutions for Java developers
• Q & A

Credit Cards

Credit Cards 101
• Card number
• Expiration date
• Card verification number

Validating a Credit Card Number
• Mod 10 check algorithm
• Right-most digit is the check digit
  – Note: Always run the Mod-10 algorithm before submitting a transaction!

Example: Mod-10 algorithm
A. Number:
B. (5 * 1), (8 * 2), (3 * 1), (4 * 2), (7 * 1)
C. 5, 16, 3, 8, 7
D. 5 + (1 + 6)
E. Sum = 30
F. 30 mod 10 = zero
This number passes the algorithm.
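
The Mod-10 check from the slide above, written out in Java as an added example (not part of the original presentation). It generalizes the five-digit walk-through to full-length card numbers; the class name Mod10, the 13 to 19 digit length bounds and the sample inputs are assumptions made here.

```java
// Added example, not from the original slides: Mod-10 (Luhn) check.
public final class Mod10 {

    private Mod10() {}

    /** Returns true if the card number has a plausible length and passes Mod-10. */
    public static boolean isValid(String cardNumber) {
        if (cardNumber == null) {
            return false;
        }
        // Accept the separators people commonly type; reject everything else.
        String digits = cardNumber.replaceAll("[ -]", "");
        if (!digits.matches("[0-9]{13,19}")) {   // length bounds are an assumption
            return false;
        }
        return checksum(digits) % 10 == 0;
    }

    /** Weighted digit sum, walking left from the right-most (check) digit. */
    static int checksum(String digits) {
        int sum = 0;
        boolean doubleIt = false;                // the check digit has weight 1
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) {
                    d -= 9;                      // same as adding the digits: 16 -> 1 + 6
                }
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum;
    }

    public static void main(String[] args) {
        // Digits from step B of the slide: 5, 8, 3, 4, 7.
        System.out.println("slide checksum: " + checksum("58347"));
        // Constructed inputs: a widely used test number, then two corrupted copies.
        System.out.println(isValid("4111 1111 1111 1111"));
        System.out.println(isValid("4111 1111 1111 1112"));
        System.out.println(isValid("4111-1111-1111-111x"));
    }
}
```

Passing Mod-10 only rules out mistyped numbers; whether the card is real and has funds is decided by the authorization.
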
Types of Credit Card Transactions
• Card present transactions
• Card not present (CNP) transactions

Participants in a Credit Card Transaction
• Cardholder
• Issuing bank
• Merchant
• Acquiring bank

Typical Internet transaction
[Diagram: Cardholder, Merchant's web site, Acquiring bank, Internet payment service provider, Payment processor, Issuing bank]

Basic Credit Card Transaction
Two steps:
1. Authorization
2. Settlement

Authorizations
[Diagram: Merchant application and Internet payment service provider, with an Authorization request and an Authorization response between them]
Authorization takes place when the customer places an order.

Address Verification
• Address Verification System (AVS)
• Use it!
• Added protection against fraud
• Verifies:
  – billing street address
  – billing zip code

Authorization Issues
• How long does an authorization take?
• What if your application does not receive a response?
• Lifetime of an authorization?
• What if the cardholder cancels the order?

Authorization Reversals
• Undo a prior authorization
• Types:
  – Full reversal
  – Partial reversal
• Not universally supported
  – CyberSource: no auth reversals

Settlement
• Settle an authorized transaction
CyberSource refers to this as "bill".
For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.

Credits
• Refund
• Original credit

Merchant Account
• Sign up for a merchant account with a financial institution
Alternative:
• Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)

Java API for Credit Card Transaction Processing?
• There is no standard API
• Must use API provided by the payment service provider
• Every vendor has their own API

Internet Payment Service Providers
• ClearCommerce
• Cybercash
• CyberSource
• SurePay
• Verisign
• …and many more

Choosing a Payment Service Provider
• Transaction fees?
• Multiple currencies?
• Integration with 3rd party web commerce products?
• Support for required card types?
• API / SDK?

Choosing a Payment Service Provider (cont)
• Provides a test server for performing test transactions?
• Fraud screening services?
• Management and reporting tools?
• Service and support?
• Security? Scalability?

Development Issues
• Explicitly open and close SSL sockets?
• Need to license an SSL class library?
• One connection or many?
• Connection timeouts
• Does the vendor's API shield you from connection complexity?

Development Issues (cont)
• How to represent money?
  – java.lang.String??
  – java.math.BigDecimal??
• Classes to represent currency?
• Thread safety of the vendor's class library?
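
One way to answer the "How to represent money?" question, as an added example that is not from the slides or from any vendor SDK: amounts are parsed from decimal strings with BigDecimal and held as integer minor units next to their currency. The Money class and its method names are hypothetical; only the JDK classes are real.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.Currency;

// Added example: Money is a hypothetical class, not part of any payment SDK.
public final class Money {
    private final long minorUnits;     // e.g. cents for USD
    private final Currency currency;

    private Money(long minorUnits, Currency currency) {
        this.minorUnits = minorUnits;
        this.currency = currency;
    }

    /** Parses a decimal string exactly and rejects anything that would need rounding. */
    public static Money parse(String amount, String currencyCode) {
        Currency currency = Currency.getInstance(currencyCode); // throws on unknown code
        int scale = currency.getDefaultFractionDigits();        // 2 for USD, 0 for JPY
        if (scale < 0) {
            throw new IllegalArgumentException("currency has no minor unit: " + currencyCode);
        }
        BigDecimal value = new BigDecimal(amount);              // NumberFormatException on junk
        if (value.signum() <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        // UNNECESSARY makes setScale throw ArithmeticException instead of rounding silently.
        BigDecimal scaled = value.setScale(scale, RoundingMode.UNNECESSARY);
        return new Money(scaled.movePointRight(scale).longValueExact(), currency);
    }

    public long minorUnits() { return minorUnits; }

    @Override
    public String toString() {
        int scale = currency.getDefaultFractionDigits();
        return BigDecimal.valueOf(minorUnits, scale).toPlainString() + " " + currency.getCurrencyCode();
    }

    public static void main(String[] args) {
        // A double literal such as 7.99 is not exactly representable in binary.
        System.out.println(new BigDecimal(7.99));
        System.out.println(new BigDecimal("7.99"));
        Money price = Money.parse("7.99", "USD");               // constructed sample amount
        System.out.println(price + " = " + price.minorUnits() + " minor units");
        try {
            Money.parse("7.999", "USD");
        } catch (ArithmeticException e) {
            System.out.println("rejected: more precision than USD allows");
        }
    }
}
```
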
Exceptional Conditions
• Card reported stolen
• Card reported lost
• Card expired
• Invalid credit card
• Funds not available
• AVS: no match
• …

CyberSource
• payment service provider

CyberSource
[Diagram: Cardholder, Merchant web site, CyberSource; links labelled HTTP/SSL and SCMP]

Getting Started with CyberSource
• Register at –
• Download
  – CyberSource Java ICS Client Developers Kit (CDK)

Setting up the CyberSource CDK
• Generate cert and key pair
  – run Ecert utility
• Edit ICSClient properties file
• Update classpath
  – cdkjava3310.jar

CyberSource Credit Card Services
• Authorizations
  – ics_auth
• Authorization Reversals
  – not supported
• Settlement
  – ics_bill

CyberSource Credit Card Services (cont)
• Issue a credit
  – ics_credit
• Score a transaction's fraud risk
  – ics_score

CyberSource: key classes
• ICSClient
• ICSClientRequest
• ICSOffer
• ICSClientReply

CyberSource authorization

    ICSClient client = …
    ICSClientOffer offer = new ICSClientOffer();
    ICSClientRequest req = new ICSClientRequest(client);
    // Ask for the authorization service on behalf of this merchant
    req.addApplication("ics_auth");
    req.setMerchantId("sockwarehouse");

CyberSource authorization, 2

    …
    // Card details and currency for the request
    req.setCustomerCreditCardNumber( );
    req.setCustomerCreditCardExpirationMonth("12");
    req.setCustomerCreditCardExpirationYear("2004");
    req.setCurrency("USD");

CyberSource authorization, 3

    …
    // One line item, attached to the request before it is sent
    offer.setAmount(7.99);
    offer.setQuantity(1);
    req.addOffer(offer);
    ICSClientReply reply = (ICSClientReply) client.send(req);
    …

Q & A
• Questions?

The following slides are uncategorized and are included here as reference material. This material was omitted from the O'Reilly presentation due to time constraints.

JDollars Project

Terminology
• Card Not Present (CNP)
• Address Verification Service (AVS)
• Chargebacks
• MOTO
• CVV2

Best Practices
• Use AVS
• Use SSL
  – Cardholder to web site
  – Web site to payment service provider
• Protect your private keys
• Encrypt credit card numbers

Best Practices (cont)
• For Development & QA:
  – Send transactions to test server
  – Use test merchant account
  – Use non-production certificates

Avoid Bad Practices
• Don't put credit card numbers in outgoing messages
• Don't display credit card numbers on an unsecured web page
• Don't display full credit card number on a web page; instead: last 4 digits only
• Don't put CC #s in browser cookies
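
A sketch of the "last 4 digits only" and "no card numbers in outgoing messages" rules above, as an added example that is not part of the original presentation. The PanMasker class, its pattern and the sample message are assumptions made here; the pattern masks any run of 13 to 19 digits, so it errs toward over-redaction.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: PanMasker is a hypothetical helper, not vendor code.
public final class PanMasker {

    // 13 to 19 digits, optionally separated by single spaces or hyphens.
    private static final Pattern PAN_LIKE =
            Pattern.compile("\\b[0-9](?:[ -]?[0-9]){12,18}\\b");

    private PanMasker() {}

    /** Returns the number with every digit except the last four replaced by '*'. */
    public static String maskForDisplay(String pan) {
        String digits = pan.replaceAll("[^0-9]", "");
        if (digits.length() < 13 || digits.length() > 19) {
            // The message deliberately does not echo the input.
            throw new IllegalArgumentException("not a card number");
        }
        StringBuilder masked = new StringBuilder();
        for (int i = 0; i < digits.length() - 4; i++) {
            masked.append('*');
        }
        return masked.append(digits.substring(digits.length() - 4)).toString();
    }

    /** Masks every card-number-like run in text bound for e-mail, logs or pages. */
    public static String redact(String message) {
        Matcher m = PAN_LIKE.matcher(message);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(maskForDisplay(m.group())));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an order confirmation that would otherwise leak the number.
        String mail = "Order 1001 charged to card 4111 1111 1111 1111, exp 12/2004.";
        System.out.println(redact(mail));
        System.out.println(maskForDisplay("4111-1111-1111-1111"));
    }
}
```
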
What are you selling?
• Digital goods or Physical goods
• Leather clothing, computers/electronics, jewelry, luxury items
Tip: If a customer orders 10 Rolex watches, it should set off a red flag!

Fraud Screening Solutions
• ClearCommerce FraudShield
• CrediView
• CyberSource Internet Fraud Screen
• HNC Software eFalcon
• Verisign Payflow Fraud Screen

Cardholder Statement
• Transaction amount
• Transaction date
• Merchant name
• City or Phone Number
• State

AVS Result Codes
X   Exact match, 9 digit zip
Y   Exact match, 5 digit zip
A   Address match only
W   9-digit zip match only
Z   5-digit zip match only
N   No address or zip match
U   Address unavailable
R   Issuer system unavailable
E   Not a mail/phone order
S   Service not supported

Additional Topics
• Chargebacks…
• Fraud…
• Risk management techniques…
• Commercial cards (Level II)
• American Express Private Payments
• Verified by Visa