Copyright © 2001 Sean C. Sullivan Credit Card Transaction Processing for E-commerce Web Sites with Java Sean C. Sullivan


Credit Card Transaction Processing for E-commerce Web Sites with Java
Sean C. Sullivan
sean@seansullivan.com

Agenda
• Credit card fundamentals
• Credit card transaction processing
• Solutions for Java developers
• Q & A

Credit Cards 101
• Card number
• Expiration date
• Card verification number

Validating a Credit Card Number
• Mod 10 check algorithm
• Right-most digit is the check digit
  – 4100000000000001
Note: Always run the Mod-10 algorithm before submitting a transaction!

Example: Mod-10 algorithm
A. Number: 74385
B. (5 * 1), (8 * 2), (3 * 1), (4 * 2), (7 * 1)
C. 5, 16, 3, 8, 7
D. 5 + (1 + 6) + 3 + 8 + 7
E. Sum = 30
F. 30 mod 10 = zero
This number passes the algorithm.
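
The Mod-10 steps above, written out in Java as an added example (not code from the original presentation). The class and method names are assumptions, and the handling of spaces and dashes goes slightly beyond the slide's bare digit string.

```java
// Added example: Mod-10 (Luhn) check as walked through on the slide above.
public class Mod10Check {

    /** Returns true if the digit string passes the Mod-10 check. */
    static boolean passesMod10(String input) {
        // Accept the separators people type into card fields; reject anything else.
        String digits = input.replaceAll("[ -]", "");
        if (digits.isEmpty() || !digits.matches("[0-9]+")) {
            return false;
        }
        int sum = 0;
        boolean doubleIt = false;          // the right-most digit is multiplied by 1
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) {
                    d -= 9;                // same as adding the two digits: 16 -> 1 + 6
                }
            }
            sum += d;
            doubleIt = !doubleIt;          // alternate *1, *2 moving left
        }
        return sum % 10 == 0;
    }

    /** Finds the check digit that makes payload + digit pass the check. */
    static int checkDigit(String payload) {
        for (int c = 0; c <= 9; c++) {
            if (passesMod10(payload + c)) {
                return c;
            }
        }
        throw new IllegalArgumentException("payload must contain only digits");
    }

    public static void main(String[] args) {
        System.out.println(passesMod10("74385"));               // the slide's number
        System.out.println(passesMod10("74395"));               // same number, one digit mistyped
        System.out.println(passesMod10("4111 1111 1111 1111")); // test number used later in the deck
        System.out.println(checkDigit("7438"));                 // recovers the slide's check digit
    }
}
```

Passing the check only rules out mistyped numbers; whether the account exists and has funds is decided by the authorization step.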

Types of Credit Card Transactions
• Card present transactions
• Card not present (CNP) transactions

Participants in a Credit Card Transaction
• Cardholder
• Issuing bank
• Merchant
• Acquiring bank

Typical Internet transaction
(Diagram) Cardholder, Merchant's web site, Acquiring bank, Internet payment service provider, Payment processor, Issuing bank

Basic Credit Card Transaction
Two steps:
1. Authorization
2. Settlement

Authorizations
(Diagram) Merchant application, Internet payment service provider, Authorization request, Authorization response
Authorization takes place when the customer places an order.

Authorization Issues
• How long does an authorization take?
• What if your application does not receive a response?
• Lifetime of an authorization?
• What if the cardholder cancels the order?

Authorization Reversals
• Undo a prior authorization
• Types:
  – Full reversal
  – Partial reversal
• Not universally supported
  – CyberSource: no auth reversals

Settlement
• Settle an authorized transaction
CyberSource refers to this as "bill".
For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.

Credits
• Refund
• Original credit

Merchant Account
• Sign up for Merchant account with a financial institution
Alternative:
• Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)

Java API for Credit Card Transaction Processing?
• There is no standard API
• Must use API provided by the payment service provider
• Every vendor has their own API

Internet Payment Service Providers
• ClearCommerce
• Cybercash
• CyberSource
• SurePay
• Verisign
• …and many more

Choosing a Payment Service Provider
• Transaction fees?
• Multiple currencies?
• Integration with 3rd party web commerce products?
• Support for required card types?
• API / SDK?

Choosing a Payment Service Provider (cont)
• Provides a Test server for performing test transactions?
• Fraud screening services?
• Management and Reporting tools?
• Service and support?
• Security? Scalability?

Development Issues
• Explicitly open and close SSL sockets?
• Need to license an SSL class library?
• One connection or many?
• Connection timeouts
• Does the vendor's API shield you from connection complexity?

Development Issues (cont)
• How to represent money?
  – java.lang.String??
  – java.math.BigDecimal??
• Classes to represent currency?
• Thread safety of the vendor's class library?

Exceptional Conditions
• Card reported stolen
• Card reported lost
• Card expired
• Invalid credit card
• Funds not available
• AVS: no match
• …

CyberSource
www.cybersource.com
• payment service provider

CyberSource
(Diagram) Cardholder, Merchant web site, CyberSource; connection labels: HTTP/SSL, SCMP

Getting Started with CyberSource
• Register at
  – www.cybersource.com
• Download
  – CyberSource Java ICS Client Developers Kit (CDK)

Setting up the CyberSource CDK
• Generate cert and key pair
  – run Ecert utility
• Edit ICSClient properties file
• Update classpath
  – cdkjava3310.jar

CyberSource Credit Card Services
• Authorizations
  – ics_auth
• Authorization Reversals
  – not supported
• Settlement
  – ics_bill

CyberSource Credit Card Services (cont)
• Issue a credit
  – ics_credit
• Score a transaction's fraud risk
  – ics_score

CyberSource: key classes
• ICSClient
• ICSClientRequest
• ICSOffer
• ICSClientReply

CyberSource authorization
    ICSClient client = …
    ICSClientOffer offer = new ICSClientOffer();
    ICSClientRequest req = new ICSClientRequest(client);
    req.addApplication("ics_auth");        // request the authorization service
    req.setMerchantId("sockwarehouse");

CyberSource authorization, 2
    …
    // Card details are passed as strings
    req.setCustomerCreditCardNumber("4111111111111111");
    req.setCustomerCreditCardExpirationMonth("12");
    req.setCustomerCreditCardExpirationYear("2004");
    req.setCurrency("USD");


The following slides are uncategorized and are included here as reference material. This material was omitted from the O'Reilly presentation due to time constraints.

Terminology
• Card Not Present (CNP)
• Address Verification Service (AVS)
• Chargebacks
• MOTO
• CVV2

Best Practices
• Use AVS
• Use SSL
  – Cardholder to web site
  – Web site to payment service provider
• Protect your private keys
• Encrypt credit card numbers

Best Practices (cont)
• For Development & QA:
  – Send transactions to test server
  – Use test merchant account
  – Use non-production certificates

Avoid Bad Practices
• Don't put credit card numbers in outgoing e-mail messages
• Don't display credit card numbers on an unsecured web page
• Don't display full credit card number on a web page; instead: last 4 digits only
• Don't put CC #s in browser cookies
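
One way to enforce the "last 4 digits only" rule and keep card numbers out of outgoing e-mail text, as an added Java example that is not part of the original presentation. The class name, method names and the 13 to 19 digit pattern are assumptions; the scrubber does not run a Mod-10 check, so it may also mask other long digit runs, which is the safe direction to err in.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: keep full card numbers out of pages, e-mail bodies and logs.
public class CardNumberMasking {

    // 13 to 19 digits, optionally separated by single spaces or dashes (assumed shape).
    private static final Pattern PAN_LIKE =
            Pattern.compile("(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])");

    /** Masks everything except the last four digits, for display on a web page. */
    static String lastFourOnly(String cardNumber) {
        String digits = cardNumber.replaceAll("[^0-9]", "");
        if (digits.length() < 13) {
            return "****";                 // not a plausible card number: reveal nothing
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digits.length() - 4; i++) {
            sb.append('*');
        }
        return sb.append(digits.substring(digits.length() - 4)).toString();
    }

    /** Masks every card-number-like run in free text before it is mailed or logged. */
    static String scrub(String text) {
        Matcher m = PAN_LIKE.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(lastFourOnly(m.group())));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample text; 4111111111111111 is the test number from the slides.
        String mail = "Order 10023 confirmed. Card: 4111-1111-1111-1111, exp 12/2004.";
        System.out.println(scrub(mail));   // short order number and date are left alone
        System.out.println(lastFourOnly("4111 1111 1111 1111"));
    }
}
```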

What are you selling?
• Digital goods or Physical goods
• Leather clothing, computers/electronics, jewelry, luxury items
Tip: If a customer orders 10 Rolex watches, it should set off a red flag!

Fraud Screening Solutions
• ClearCommerce FraudShield
• CrediView
• CyberSource Internet Fraud Screen
• HNC Software eFalcon
• Verisign Payflow Fraud Screen

Cardholder Statement
• Transaction amount
• Transaction date
• Merchant name
• City or Phone Number
• State

AVS Result Codes
X   Exact match, 9 digit zip
Y   Exact match, 5 digit zip
A   Address match only
W   9-digit zip match only
Z   5-digit zip match only
N   No address or zip match
U   Address unavailable
R   Issuer system unavailable
E   Not a mail/phone order
S   Service not supported

Additional Topics
• Chargebacks…
• Fraud…
• Risk management techniques…
• Commercial cards (Level II)
• American Express Private Payments
• Verified by Visa

Resources
• www.cybersource.com
• www.visa.com
• www.visabrc.com
• www.mastercard.com
• www.merchantfraudsquad.com