andar pci compliance set-up, with cybersource · telecheck, or rbs worldpay atlanta, or cybersource...

Andar PCI Compliance Set-Up, with CyberSource

Andar Release: 2017.02.01 - 1 - Revised: August 29, 2017

Table of Contents Introduction ................................................................................................................................................................2

Requirements .............................................................................................................................................................2

Notes ..........................................................................................................................................................................3

Set-Up Instructions .....................................................................................................................................................4

Step 1 - Order CCAP ................................................................................................................................................4

Step 2 - Upgrade Andar ..........................................................................................................................................4

Step 3 - If Using ACH / e-Checks .............................................................................................................................5

Step 4 - Communicate with CyberSource ...............................................................................................................5

Step 5 - Create your CyberSource Merchant ID (login Information) ......................................................................7

Step 6 - Create a Secure Acceptance Profile for each Merchant ID .......................................................................8

Step 7 - SA Profile Payment Settings ................................................................................................................... 11

Step 8 - SA Profile Security .................................................................................................................................. 15

Step 9 - SA Profile Notifications ........................................................................................................................... 16

Step 10 - SA Profile Customer Response Pages ................................................................................................... 18

Step 11. SA Profile Activation. ............................................................................................................................ 19

Step 12 - CyberSource API Keys File – Generate and Download ......................................................................... 21

Step 13 - Andar’s CyberSource Settings .............................................................................................................. 22

Step 14 - CyberSource Menu Review .................................................................................................................. 27

Step 15 - Andar PCI Compliance System Preferences ......................................................................................... 27

Step 16 - Andar CyberSource System Preferences .............................................................................................. 28

Testing ..................................................................................................................................................................... 30

Step 17 - Enter Test Transaction(s) via Andar ..................................................................................................... 30

Step 18 - If possible, Enter a Test Transaction via e-Pledge (or i-Attend) ........................................................... 30

Step 19 - Clean-up after Testing .......................................................................................................................... 31

Going Live ................................................................................................................................................................ 31

Step 20 - Tell CyberSource You are Ready to Go Live. ........................................................................................ 31

Step 21 - Set up the CyberSource Live Business Center ...................................................................................... 32

Step 22 - Set Up the Andar Production Database ............................................................................................... 33

Step 23 - Restart the Andar Services ................................................................................................................... 33

Step 24 - Enter Real Payment Transactions in Production .................................................................................. 34

PCI Compliance Verification - Remove Existing Credit Card and ACH Data ............................................................ 34

Step 25 - Complete Andar’s PCI Compliance Set-up ........................................................................................... 34



Miscellaneous .......................................................................................................................................................... 35

Step 26 – CyberSource Verification Report ......................................................................................................... 35

Step 27 - Update Billing Schedules ...................................................................................................................... 36

Step 28 – e-Pledge Web Options ......................................................................................................................... 36

Post Set-Up .......................................................................................................................................................... 36

Introduction

This document is for Andar customers who want their Andar database to be PCI Compliant, and want to process

credit cards and electronic checks (ACH) using CyberSource. In Andar, PCI Compliance means personal credit

card and bank account information are no longer stored in the Andar database (in the Transactions and Billing

Schedules). This document provides instructions for setting up both CyberSource and Andar. In addition to

Andar, customers are required to obtain the following CyberSource products: Simple Order API and Secure

Acceptance SOP.

Once Andar is PCI Compliant, Andar uses CyberSource as a Gateway for electronic payments. Credit Card

(and/or ACH) information is sent through the Gateway (CyberSource) to your Payment Processor, allowing

payments to be deposited into your Bank Account. The personal Credit Card (and/or ACH) information does not

get physically stored within Andar. Instead, that information is captured by CyberSource.

Note: If you want to be able to process electronic checks in a PCI-Compliant Andar database, CyberSource

requires that you use one of the following electronic payment processors: Chase Paymentech Solutions, or

TeleCheck, or RBS Worldpay Atlanta, or CyberSource ACH Service. (There might ultimately be multiple parties in

the mix, including CyberSource, your Payment Processor, your Bank, and possibly another intermediary party –

to ensure that the payment data flows all the way from your donor to your bank.)

If a donor wants to set up recurring payments (i.e., monthly credit card charges), Andar tells CyberSource to

assign the donor a Subscription ID. The donor’s payment information is encrypted and stored in CyberSource’s

database, and the Subscription ID is passed to Andar and stored in the donor’s account profile (in the Bill

Schedules sub-tab). On a regular basis, you then run a job in Andar (a pre-authorized payment generation job)

that tells CyberSource to charge the card that is identified by the Subscription ID. Andar tells CyberSource how

much to charge, and when to charge it. The payment is processed “on demand”.

Requirements



1. A bare minimum of Andar release 2014.02.01 is required, but it is Strongly Recommended that Andar be at

the most current release (2017.02.01, at the time of this document revision). It is often necessary to make

program revisions in Andar when working with third-party vendors (such as CyberSource). Therefore, using

the most current version of Andar is important.

2. Your organization must establish an account with CyberSource, utilizing their Simple Order API product, and

their Secure Acceptance SOP product.

3. You must provide information to CyberSource about your Payment Processor (this is typically who you pay

for processing donors’ credit cards and/or electronic checks). CyberSource and your Payment Processor

have to be able to connect electronically in order to get the donor’s money into your bank account. Contact

CyberSource to get this connection established. This must be done before you can go Live with

CyberSource.

4. Set-up is required – both from the CyberSource website and from within Andar. Please follow the

instructions in this document to complete the set-up. Note: The set-up might takes days to complete, or it

might take weeks.

5. Once your CyberSource account has been properly established, schedule at least a 4-hour time-frame when

you can (temporarily) stop processing payments in Andar, and when you can stop your AndarWeb Tomcat

service. This is to prevent payments from being entered via e-Pledge and/or i-Attend while you are setting

up and testing CyberSource. (4 hours is only an estimate – a minimum estimate.)

6. If you use Andar’s Security feature, make sure that the appropriate Groups of Users have authority

to submit payment verifications to CyberSource. Go to Andar Main Menu > System Administration

> Security > Authority Maintenance > Special Authorities and set up the authority called Allow CC

and ACH authorization submission.

Notes

1. It is highly recommended that you use an Andar Test database to start setting up PCI Compliance and

CyberSource, if at all possible. Use the CyberSource Test Business Center (server) for testing (as opposed

to their Live Business Center). This will allow you to test everything before you Go Live with CyberSource -

without any consequence to your production data. Once you have successfully tested the use of

CyberSource in your Andar Test database (using the CyberSource Test Business Center), then you will

basically repeat the steps to set up CyberSource and PCI Compliance on your Andar Production database

(using the CyberSource Live Business Center) – to Go Live.

2. The CyberSource Secure Acceptance product connects the user directly to a CyberSource web page, so the

user can enter the credit card or electronic check information. CyberSource requires that an e-mail address



be submitted for the donor. That might mean that you will refuse to process a donor’s credit card payment

until you know his e-mail address. Or, it might mean that you will choose to enter a place-holder e-mail

address (like [email protected]) in order to process the donor’s payment (if you absolutely must

process the card in Andar, and no real e-mail address is known for the donor). (Helix does not recommend

the practice of putting fictitious data in any database.)

3. CyberSource’s Secure Acceptance feature includes some options that Andar does not require. This

documentation focuses on the items / answers that Andar does require. Extra CyberSource options such as

Payer Authentication and Verbose Mode are not required by Andar. Decisions about whether or not to use

them are up to you. Similarly, you may or may not require address verification or card verification numbers.

(See CyberSource’s documentation / support center for additional information about these and other

options.)

Set-Up Instructions

Step 1 - Order CCAP

Order Andar’s CCAP module from Helix. When Helix sends you the new CMC Configuration code, apply

it in Andar – to indicate that you are licensed for CCAP.

Note: When Helix creates a license code for a Test environment, a license for CCAP is typically not

included. Therefore, if you are planning to use a Test environment of Andar for testing your

CyberSource set-up, you may need to ask Helix to create a new license code for that Test environment

– one that includes a CCAP license.

If you do have a Test environment, and it includes a license for CCAP, you must be certain that any / all

CyberSource Settings records have a checkmark in the box titled “Use CyberSource Test Server”. See

Step 13 – Andar’s CyberSource Settings.

Step 2 - Upgrade Andar

Ensure you are up to date on Service Packs. At a minimum, your Andar version must be at least

2014.02.01. Andar version 2017.02.01 or higher is definitely preferred. Depending on your Andar

version, there may be some Andar Hot Fixes that must be installed.

mailto:[email protected]



Step 3 - If Using ACH / e-Checks

To use the CyberSource Electronic Check Services (also known as automated bank withdrawals,

eCheck, e-check, ACH / Automated Clearing House), CyberSource documentation says you must

register with one of the following processors:

• Chase Paymentech Solutions **

• CyberSource ACH Service

• RBS WorldPay Atlanta

• TeleCheck

** Note: Chase Paymentech Solutions is the only one of these that supports Canadian Dollars for

Canadian bank accounts. If Canadian, and if you want to process e-checks within Andar, contact

[email protected] and arrange for Chase Paymentech to be your e-check

processor in conjunction with CyberSource. (TeleCheck is the product that Chase PaymenTech uses for

handling ACH with Canadian banks.)

Andar includes some System Preferences that will allow you to process credit cards electronically, even

while using a non-Andar method for processing e-checks / ACH. (See System Preferences > Finance >

CyberSource > ACH Processing.)

Step 4 - Communicate with CyberSource

Log onto Helix’s online Support Center (www.andar360.com), and go to the “Support Center” page,

and click on the link for the CyberSource Sign-Up Form. Complete and Submit it. When submitted, the

Sign-Up Form is automatically sent to CyberSource, and one of their associates will contact you. If you

don’t hear from CyberSource within a couple of business days, feel free to contact them directly.

CyberSource Account Executives include the following people, and are assigned based on customer

location:

• Robert Gok. For US customers in WI, IN, OH, PA, NJ, MI, NY, VT, NH, ME, MA, CT, RI, and for

Canadian customers in ON, QC, NB, PE, NS, and NL. Phone: 650-432-4856 or 650-445-8211. e-

Mail: [email protected].


http://www.andar360.com/




• Kavon Mohsen. For US customers in MT, WY, CO, NM, TX, OK, MO, IL, IA, MN, ND, SD, NE, and

KS. Phone: 650-437-4969 or 650-432-4662. e-Mail: [email protected].

• Doug Molseed. For US customers in AZ, UT, ID, HI, WA, OR, NV, and CA, and for Canadian

customers in MB, NT, NU, AB, BC, MB, SK, and YT. Phone: 650-432-4632 or 650-863-9776. e-

Mail: [email protected].

• Joe Murray. For US customers in DE, MD, WV, KY, AR, LA, TN, VA, NC, SC, GA, AL, MS, and FL.

Phone: 650-554-9948 or 650-432-4304. e-Mail: [email protected].

In your conversation with CyberSource, you will need to provide them with additional information – so

they can set you up with the necessary CyberSource features.

Specifically address the following Conversation Points with CyberSource:

1. Tell them you need their Simple Order API product. (This product enables Andar to share

information with CyberSource without a user actually seeing the CyberSource web page. It is used

when you run Andar’s pre-authorized credit card payment generation, and when you update credit

card expiry dates on Andar Billing Schedules.)

2. Tell them that you also need their Secure Acceptance SOP product. (This product enables Andar to

open a CyberSource Checkout web page – to allow a user to enter credit card and/or ACH banking

information.)

3. If you use Canadian Dollars (instead of US Dollars), tell CyberSource. (Stress this fact to them,

because there is a setting that they have to change. There have been multiple instances where this

was overlooked by CyberSource, and it led to delays and frustration.)

4. Tell them if you want to be able to process Credit Card payments.

5. Tell them if you want to be able to process e-Checks (ACH / payments via personal bank account

withdrawals).

6. If you want to allow your donors to authorize future recurring payments, such as monthly

payments via credit card, tell CyberSource you want to use Recurring Billing / Subscriptions. (In

Andar, these are referred to as pre-authorized payments. A donor might give you authorization,

saying “charge my card monthly”. Each month (or week, or day), you run a job that tells Andar to

identify the people whose cards should be charged at that point in time. That job creates

envelopes and payment transactions, and sends those payment requests to CyberSource, “on

demand”. CyberSource will only process the future payments when specifically prompted by Andar

(as opposed to CyberSource initiating the payments without further input from you or Andar).

6.1 If asked, you do not need to pre-authorize a credit card in order to set up a Subscription.






7. Tell them you want to be able to run reports from CyberSource’s website.

8. If you use different bank accounts for different Campaign Accounts, then you need multiple

Merchant Logins for CyberSource – one for each bank / campaign account. If you have multiple

Merchant Logins for CyberSource, you also need CyberSource’s Subscription Sharing feature.

9. Before you can Go Live with CyberSource, you must have provided them with your Payment

Processor’s name and contact information – and possibly more. Depending on who you use for

Payment Processing purposes, CyberSource will require specific sets of information to ensure

CyberSource can connect electronically to your Payment Processor (i.e., Merchant ID (MID),

Terminal ID (TID), etc.). CyberSource may ask you to contact your Payment Processor and find out

what processing platform they are on, and to get a VAR Sheet that outlines all of the specs. See the

following CyberSource link for more information, or contact their support department at 800-709-

7779:

http://www.cybersource.com/support_center/implementation/merchant_bank_info/processorspe

cs.php

It may take as little as one day, or it may take several days (or possibly weeks) for CyberSource to

get the connection set up with your Merchant Bank / Payment Processor. Start this information

exchange sooner rather than later. Andar is not involved in this exchange.

Step 5 - Create your CyberSource Merchant ID (login Information)

1. CyberSource lets you create your own Merchant ID information (for your organization) by

completing CyberSource’s Registration page (http://www.cybersource.com/register).

1.1 Do this for each desired Merchant Login. (See Conversation Point 8, above.)

1.2 Make sure your Merchant ID resembles your organization’s name. (You may set up

different “User” ID’s that resemble your personal names, but the “Merchant” ID should

resemble your organization’s name.)

2. CyberSource should then set up your account in Test mode (not Live mode yet, and not Evaluation

mode). That means donors’ credit cards will not actually be processed. CyberSource will then wait

for you to tell them when you’re ready to “go live” (after you have completed your testing).

http://www.cybersource.com/support_center/implementation/merchant_bank_info/processorspecs.php

http://www.cybersource.com/support_center/implementation/merchant_bank_info/processorspecs.php

http://www.cybersource.com/register



Step 6 - Create a Secure Acceptance Profile for each Merchant ID

IMPORTANT: You will need to perform Steps 6 through 12 for each different Merchant ID that you

have set up in CyberSource (Step 5 above). If you have more than 1 Merchant ID, you will ultimately

have more than one Secure Acceptance Profile in CyberSource.

Log in to CyberSource Test Business Center - https://ebctest.cybersource.com (for setting up a profile

in their test server). (Later, you will use the CyberSource Live Business Center -

https://ebc.cybersource.com - to set up the profile in their live server.)

When creating a Secure Acceptance Profile in the Test Business Center, we recommend appending the

letter T (or the word Test) to the end of your desired Profile Name and Profile ID. Later, when creating

a Profile in the Live Business Center, omit the appended letter(s).

1. In CyberSource, go to Tools & Settings > Secure Acceptance > Profiles.

2. Click the Create New Profile button.

https://ebctest.cybersource.com/

https://ebc.cybersource.com/



3. Complete the Create Profile page (also known as the General Settings page) to create a new

Secure Acceptance profile.

3.1 In the Profile Information section:

3.1.1 Name – Make up a Name for your Profile ID (perhaps your organization’s name

or abbreviated name – or the campaign name). As a best practice, add the letter

T (or the word Test) to the end if you are setting up a Profile in the Test Business

Center. (Do not use your personal name here.)

3.1.2 Description – Provide a meaningful description for this Profile – it’s for your own

use when you (or your co-workers) are looking at your Profiles in CyberSource.

3.1.3 Integration Method – select Silent Order Post. VERY IMPORTANT.

3.1.4 Company Name – Provide the name of your organization.

3.2 In the Contact Information section:

3.2.1 Name – Enter the first and last name of your staff person who is responsible for

overall payment processing. If needed, CyberSource will contact this person.

3.2.2 Email – Enter the e-mail address of your staff person.

3.2.3 Phone Number – Enter the phone number of your staff person.

3.3 In the Added Value Services section:

3.3.1 Payment Tokenization – Yes, select this. VERY IMPORTANT.

3.3.2 Decision Manager – Yes, select this. VERY IMPORTANT.

3.3.3 Enable Verbose Data – You may leave this checkbox empty.

3.3.4 Generate Device Fingerprint – You may leave this checkbox empty.

3.4 Click Create when finished.



4. It may take a few seconds, but you will then see a Profile Home page, from which you will access

other details of your newly-created Profile. Go through each of the items (Payment Settings,

Security, Notifications, and Customer Response Pages), as detailed in the steps below.



Step 7 - SA Profile Payment Settings

1. From your Profile’s Home Page, click on the Payment Settings item.



2. In the Card section, click the Add/Edit Card Types button. The Add/Edit Card Types window will

appear, displaying a list of possible credit card types.

3. Select the checkboxes next to each of the card types that you will accept, and then click the Update

button.



3.1 Next to each of your selected card types, click the pencil icon to specify the currency you

support for that card type (i.e., USD – United States: Dollar, or CAD – Canada: Dollar).

3.2 You may leave the Payer Authentication checkbox empty (above the Currencies section).

3.3 Move the desired currency to the right side of the screen (to the Enabled panel), and click

Update.

4. In the Automatic Authorization Reversal section, decide whether or not you want CyberSource

Secure Acceptance to perform automatic authorization reversals in the event of AVS or CVN

failures. An automatic reversal releases the reserved funds held against a customer’s card.

4.1 Fails AVS Check. If you select this, then CyberSource will perform an automatic authorization

reversal on each transaction that fails the Address Verification System check.

4.2 Fails CVN Check. If you select this, then CyberSource will perform an automatic authorization

reversal on each transaction that fails the Card Verification Number check. To be able to enter a

CVN on the Checkout page, see the “Card Verification Number (CVN)” field in Andar (System

Preferences > Finance > CyberSource > Checkout Page Field Entry section). The System Preference

titled Card Verification Number (CVN) allows you to choose “Entry is mandatory” or “Entry is

optional” or “Field not displayed”.



5. In the eCheck section, if you wish to allow CyberSource to process ACH / e-check payments, select

the eCheck payments enabled checkbox. (Reminder: Andar has system preferences related to

ACH payments – use them if you do not wish to process ACH through Andar/CyberSource.)

5.1 Click the pencil icon to see the Edit Electronic Check Settings page, and select the currency

for eCheck payments. Move the desired currency to the right side of the screen (to the

Enabled panel), and click Update.

6. Click Save at the bottom of the Payment Method window when done.



Step 8 - SA Profile Security

For your new Secure Acceptance Profile, complete the Security screen.

When creating your Security Key in the Test Business Center, we recommend appending the letter T to

the end of your Key Name. Later, when creating your Security Key in the Live Business Center, leave

the letter T off the end of the Key Name.

1. From your Profile’s Home Page, click on the Security item.

2. Click Create New Key.

2.1 Key Name.

2.1.1 Although your Key Name can be anything, you should not use the same Key Name in

a Test environment as in a Live environment. (Consider adding an extra letter – such

as T – to the end of Key Name that you create in the CyberSource Test Business

Center.)

2.2 Signature Version – use the default value - Version 1.

2.3 Signature Method – use the default value - HMAC-SHA256.

2.4 Click Generate Key.



3. Additional fields will be added to the window. Your generated Access Key and Secret Key will be

displayed. The window will automatically close in 30 seconds.

3.1 Later, you will return to this window, and copy and paste these keys into Andar’s

CyberSource Settings. For now, though, close the window (if it hasn’t already closed).

4. Click Return to Profile home.

Step 9 - SA Profile Notifications

1. From your Profile’s Home Page, click on the Notifications item. All of the options on this screen are

optional.



2. Merchant Post Email. If you wish to receive an e-mail whenever a connection is made between

Andar and CyberSource, select this checkbox, and enter the e-mail address of your intended

recipient. A technical-in-nature e-mail will be sent to that e-mail address for each transaction that

is processed, including payment information, return codes, and more. (The e-mail is not very user-

friendly, but perhaps it will be helpful initially.)

2.1 You may specify which digits of the donor’s card number you would like to see displayed in

the e-mail.

3. Email Receipt to Customer. If you would like your donor to automatically receive an e-mail when

his payment is processed by CyberSource, select this checkbox.



3.1 Caution: If you select this option, keep it in mind when you are creating Test Transactions.

If you enter a real individual’s account on the test transaction, they will receive this e-mail.

3.2 The e-mail will be sent to the e-mail address on the CyberSource payment info window (the

checkout page). CyberSource requires an e-mail address for the payer / donor, regardless

of whether or not you choose this option.

3.3 Sender's Email Address and the Sender's Name. The e-mail that is sent to the donor will

appear to have come from this Sender.

3.4 Send a copy to. If you would like CyberSource to send a copy of the Customer’s e-Mail

Receipt to an e-mail address within your organization, select this checkbox, and provide the

e-mail address of the selected recipient. This e-mail will include additional transaction

response information that did not appear on the payer / donor’s e-mail.

4. Display Notification Logo. If desired, your organization’s logo can be included in the e-mail

notifications. To enable this feature, select this checkbox, and upload your logo.

5. If desired, visit CyberSource’s Support Center for more information about Custom e-mail receipts.

6. Click Save when done.

Step 10 - SA Profile Customer Response Pages

For your new Secure Acceptance Profile, complete the Customer Response Pages screen.

After payment verification is complete at CyberSource, CyberSource typically redirects the user to the

URL that is indicated on this Transaction Response Page. This would be the Andar / e-Community URL

that receives the payment results from CyberSource, and updates the payment results on the Andar

database.

Andar / e-Community, though, will actually override this URL. Andar’s programming will automatically

provide a new URL in real-time to instruct CyberSource what page to show next.

1. From your Profile’s Home Page, click on the Customer Response Pages item.



2. Since the Hosted by you field is mandatory, enter http://127.0.0.1:30000

3. Click Save when done.

Step 11. SA Profile Activation.

Activate your new Secure Acceptance Profile. The profile cannot be used (payments cannot be

processed) until it has been activated.

1. From your Profile’s Home Page, click the Promote to Active button. Otherwise your Profile will

remain an Inactive Profile (unusable).

http://127.0.0.1:30000/



Note: When you select Tools& Settings > Secure Acceptance > Profiles, you see a screen of all profiles

that have been created – including separate lists for Active Profiles vs. Inactive Profiles. Click on a

profile to work with it.

Only Inactive profiles can be edited, so you may (at some time) need to Deactivate a profile (in order to

make changes to it).



IMPORTANT: Repeat Steps 6 through 11 for each of your CyberSource Merchant ID’s / Accounts (if

you have more than one).

Step 12 - CyberSource API Keys File – Generate and Download

Log in to the appropriate CyberSource Business Center website (Test or Live) using the appropriate

Merchant ID. (As previously stated, for each Merchant ID, you will do this step from the CyberSource

Test Business Center the first time, and later from the CyberSource Live Business Center.)

1. From the CyberSource Business Center, go to Account Management > Transaction Security Keys

2. Click on the link for Security Keys for the Simple Order API, and follow the on-screen instructions

to Generate a Certificate Request.

3. Download the generated file, whose name is something like: <merchantID>.p12 (where

<merchantID> is your CyberSource Merchant ID). (Note that this key file is only valid for 2 years.

At that point, you will need to download a new one and replace this one.)

4. Save the <merchantID>.p12 file in the Andar database server, in the base folder for the appropriate

environment – such as Production.

4.1 If your database is hosted elsewhere – such as with UPIC or UWITC – THEY may need to

save this file in the appropriate place(s) for you.

4.2 When this file is stored on the server, it does not also have to be stored on each client

machine (user desktop).

4.3 If you do not have an Andar Test database, and you are therefore using the Andar

Production database for testing purposes, then you will store the .p12 file once for testing.

Then, Andar will access this file during your testing. Once you have finished testing, and you

are setting up for Live use, you will REPLACE the .p12 file that you downloaded from

CyberSource’s Test Business Center with the .p12 file that you downloaded from

CyberSource’s Live Business Center.

4.4 Be absolutely sure that you had authority to write this file to your database – be sure the

time-stamp on the file proves you now have the most current version.



5. Additionally, if your organization uses Andar’s e-Pledge or i-Attend module, save the .p12 file

wherever Tomcat is installed. This might be on the on your web server or on your database server

– depending on how Tomcat was installed for your organization. The path would typically be

something like this: Tomcat859\servers\AndarWeb8\<MerchantID>.p12. This should be the in

same directory as your AndarParm.txt file (for the web). (Again, double-check the time stamp on

the file, to make sure you now have the most recent version.)

6. It may be necessary to Restart your Andar service and your Andar web service (sometimes the .p12

files get stored in cache, and you want to make sure the newest versions are being used).

Step 13 - Andar’s CyberSource Settings

Sign on to Andar Training Database (the first time), and update its CyberSource Settings - using

information (Keys) from the CyberSource Test Business Center.

You will ultimately do this two times for each of your Merchant IDs. The second time, you will sign on

to Andar Production Database, and update its CyberSource Settings – using information (Keys) from

the CyberSource Live Business Center.

Note: If you do not have an Andar Training database, then you will use your Andar Production

database twice (per Merchant ID). The first time, set up Andar Production to Use the CyberSource

Test Server. Then, after successfully testing, set up Andar Production to use the CyberSource Live

Server.

It is IMPORTANT that the API Keys File Path includes the Name (or IP Address) of the Andar Database

Server (as opposed to simply a drive letter such as C or D).

1. From Andar Main Menu (on your Andar database server), go to Finance > Accounts Receivable >

ACH/Credit Card Management > CyberSource Settings. (Add one record for each Merchant ID.)

1.1 Campaign Account – Your first record should use “All Campaigns” as the Campaign

Account. In this record, think about the Merchant ID that will be used most regularly, and

complete the other fields with this ID in mind.

1.1.1 If you have multiple Merchant ID’s, you will add addition records here. For those

records, identify the specific Campaign Account that corresponds to the

Merchant ID.



1.1.2 If you have 2 Merchant ID’s – perhaps one for your Local Annual Campaign, and

one for your SECC – set up the “All Campaigns” record to refer to your Local

Annual Campaign. Set the API Keys File Path and the Secure Acceptance

information that pertains to the Local Annual Campaign (using the “All

Campaign” record. Add another record for the “SECC” . On this second record,

set the API Keys File Path and the Secure Acceptance information that pertains

to the State Employees Campaign (SECC). (You would only need 2 records in this

situation. You would not need a third record that specifically names the Local

Annual Campaign.)

1.2 Merchant ID – Enter your CyberSource Merchant ID. (This is the ID you use when you log

into CyberSource Business Center.)

1.3 API Keys File Path – Browse to the location where you previously (permanently) stored the

API Keys file (the <MerchantID>.p12 file). (You should find it in the Andar database server,

in the base folder for the appropriate environment – such as Production.)

1.3.1 Once the record(s) has been added, the path to the *.p12 file should indicate the

actual server name. It should not use mapped drive letters. Instead of looking

like “M:\andar\Production\filename.p12”, it should look more like

\\servername\andar\Production\filename.p12 (WITH SUBSTITUTIONS for the

real server name and folder names and .p12 file name).

1.3.2 If you do not have an Andar Test database, and you are therefore using the

Andar Production database for testing prior to using it for live data, then you will

have stored the .p12 file once for testing. Then, Andar will have accessed that

file during your testing. Once you have finished testing, and you are setting up

for Live use, you will REPLACE the existing .p12 file that came from

CyberSource’s Test Business Center with the new .p12 file from CyberSource’s

Live Business Center. It might also be necessary to restart your Andar services.

1.3.3 Remember that this key file is only valid in CyberSource for 2 years. At that

point, you will need to download a new one and replace this one.

1.4 HOP Settings (HOP.jsp File Path) – Leave this section empty. Eventually, Helix will remove

this section from the screen.

1.5 Secure Acceptance Section – This information comes from the CyberSource website > Tools

& Settings > Secure Acceptance > Profiles, click on your Profile to see its Home Page.



1.5.1 Profile ID – Look in the General Settings screen for your Profile to recall your

Profile ID. (Be careful to read the Profile ID, NOT the Name.) Copy and paste

the Profile ID from the CyberSource screen into the Andar screen.

1.5.2 Access Key – Look in the Security screen for your Profile, and click on your

Security Key to see its details (the screen only displays for 30 seconds). Copy the

complete contents of the Access Key field from the CyberSource page, and paste

the whole thing into the Access Key field on the Andar CyberSource Settings

record.

1.5.3 Secret Key – Still looking at the Security Key details in CyberSource, copy the

complete contents of the Secret Key field from the CyberSource page, and paste

the whole thing into the Secret Key field on the Andar CyberSource Settings

record.

1.6 Depositor – If using Andar’s feature to automatically create Deposits for payments that are

processed by CyberSource (or PayPal), supply the account number of the Depositor

1.7 Deposit Bank – If using Andar’s feature to automatically create Deposits, supply the account

number of the Deposit Bank.

1.8 Bank Account Number – If using Andar’s feature to automatically create Deposits, supply

the bank account number.

1.9 Click Import.

2. Add a separate record for each additional Merchant ID. Remember that each different Merchant

ID has its own API Keys File and Secure Acceptance Profile. (On each subsequent record, be specific

when choosing a Campaign Account – as indicated previously.)

3. New fields will become available when you Update one of these records. This is important after

you’ve completed testing – when you’re setting it up for Live use.

3.1 Use CyberSource Test Server. When you are simply testing the CyberSource connections

process, this checkbox should be Selected (turned ON).

3.1.1 Once all of your testing is complete, and CyberSource says you’re “live”, and you

have set up both Andar and CyberSource to be live, this checkbox should be empty

(not selected).



3.1.2 Note: When you initially ADD a record into this CyberSource Settings list, this

checkbox is turned ON by default. When you UPDATE a record, then you have the

ability to change this.

3.2 API Target Version – this will be selected for you, based on the API Key File that you are

using.

3.3 Log API Activities – By default, this is On (selected). Leave it On. This impacts the ability to

Remove Subscriptions from an account profile Billing Schedule sub-tab.



Step 14 - CyberSource Menu Review

Review the CyberSource menu options (inside their Business Center). Make sure you see a menu item

called Recurring Billing (along with Home, Support Center, Tools & Settings, Transaction Search,

Reports, and more). If Recurring Billing is not an option, then you will not be able to successfully use

Andar’s Pre-authorized Credit Card and Pre-authorized ACH features. (In the past, CyberSource has

sometimes forgotten to enable that feature for some of our customers.)

Step 15 - Andar PCI Compliance System Preferences

In Andar, set up the System Preference to Enable PCI Compliance. Switch it from Disabled to Enabled

(pending verification).

1. In Andar, go to System Preferences > Finance > PCI Compliance > Enabled (pending verification) >

Apply.

2. If transaction-entry is in progress at the preference is selected (Compliance is enabled), it could

conceivably make that transaction’s entry act oddly – the user might possibly see 2 screens for

entering credit card info. It’s unclear. For that reason, you may choose to stop entering payment

transactions in Andar until you have finished setting up the system preference – and you may

choose to stop the AndarWeb service until you have completed the setup.

3. Once you have chosen Enabled (pending verification) on the System Preference screen, complete

the following options from that screen:

3.1 Currency – US Dollars or Canadian Dollars

3.2 Preferred Billing Contact – The CyberSource web page (where credit card / e-check

information is entered) also requires an Individual’s name. In the event the payment being

entered is for a Corporate Gift (with no individual account number on it), this pecking order

will be used to determine the individual whose name will be placed on the CyberSource

web page.

3.3 Preferred Billing Address – Pecking Order to use to display an address for the individual on

the CyberSource web page.

3.4 Ignore Address Verification Service (AVS) check results – When a credit card payment is

submitted to CyberSource, the card-issuing bank performs an address verification. If the



address for the payment does not match the bank’s records, the payment request will be

declined. Check this box to ignore the address verification results and allow payments with

address mismatches. Leave this box empty if you will absolutely require a matching

address.

3.5 Preferred Billing Phone Number – Pecking Order to use to display a phone number for the

individual on the CyberSource web page.

3.6 Preferred Billing e-Mail – Pecking Order to use to display an e-mail address for the

individual on the CyberSource web page.

Step 16 - Andar CyberSource System Preferences

Set up additional System Preferences specifically related to CyberSource.

1. In Andar, click System > Preferences > System Preferences > Finance > CyberSource

2. Bypass CyberSource for ACH payments and billing schedules. Do not offer ACH and Pre-

authorized ACH pledge type via e-pledge. Select this option if you do not wish to process ACH (e-

checks) through CyberSource – but you do wish to process credit cards through CyberSource. (The

assumption is that you have a different method for processing ACH – if you offer it at all.)

3. Disallow ACH payment and subscription request submission when the authorization method is

not specified. Select this option if you process ACH through CyberSource, and if your Processor

uses PaymenTech - because PaymenTech requires / mandates that the Authorization Method be

provided for ACH processing (such as TEL for telephone authorization, or WEB for internet

authorization).

4. Allow generating Credit Card payment when no Subscription ID is specified in the billing

schedule. Not typically recommended. If you are at a stage where you process some pre-

authorized credit card payments OUTSIDE of Andar, select this option. It allows you to run the Pre-

authorized Credit Card Payment Generation job to automatically create the A/R envelope for

payment transactions – without sending those transactions to CyberSource. New Andar customers

might turn this option on for their first year of Andar’s use – but then turn it off once you’re

processing all credit card payments through Andar/CyberSource.

5. Allow generating ACH payment when no Subscription ID is specified in the billing schedule. Not

typically recommended. If you are at a stage where you process some pre-authorized ACH



payments OUTSIDE of Andar, (but you want brand new pre-authorized ACH payments to be

processed through Andar,) select this option. It allows you to run the Pre-authorized ACH Payment

Generation job to automatically create the A/R envelope for payment transactions – without

sending those transactions to CyberSource. New Andar customers might turn this option on for

their first year of Andar’s use – but then turn it off once you’re processing all ACH payments

through Andar/CyberSource.

6. Alert recipient e-mail. If, due to some security issue, a payment is processed on CyberSource’s

Test environment when it was supposed to be processed on their Live environment (or vice-versa),

Andar will send an e-mail to the e-mail address specified here. Enter the e-mail address of

someone who should be alerted in the case of CyberSource security problems (someone who will

follow-up on the payment verification). See project 69529 in the Support Center for additional

details.

7. Alert sender e-mail. In the event an e-mail is sent to the above e-mail address (for this type of

situation), what would you like to see as the Sender’s e-mail address? Consider using something

like the following: “CyberSource Environment Mismatch Alert” [email protected].

8. Payment request issue. This is the e-mail template that will be used for the e-mail alert /

notification that is sent when a payment request transaction is sent to an incorrect server.

9. Subscription request issue. This is the e-mail template that will be used for the e-mail alert /

notification that is sent when a subscription request is sent to an incorrect server.

10. Card Verification Number (CVN). With CyberSource Secure Acceptance, you may optionally choose to

honor / require matching of the Card Verification Number. Use this field to dictate whether the Checkout

page should contain a field for that number, and to dictate whether a number is optional or mandatory.

11. Phone Number (for ACH only). With CyberSource eCheck payments, it is possible that your payment

processor requires phone numbers that match what is on file with the bank. Use this field to dictate

whether the Checkout page should contain a field for that number, and to dictate whether a number is

optional or mandatory.

12. Driver License Number and State (for ACH only). With CyberSource eCheck payments, it is possible that

your payment processor requires a driver license number and state that match what is on file with the bank.

Use this field to dictate whether the Checkout page should contain fields for that information, and to dictate

whether it is optional or mandatory.




Testing

Step 17 - Enter Test Transaction(s) via Andar

WHILE YOU ARE IN THE TESTING PHASE, go into Andar and create an envelope for the purpose of

testing payments through CyberSource. Add test transactions into that envelope.

It is recommended that you enter a test transaction for every credit card type that you plan to allow.

Following are some card numbers you may use for testing (use any Name, and any valid Expiration

Date):

Visa – 4111 1111 1111 1111

MasterCard – 5555 5555 5555 4444

American Express – 3782 8224 6310 005

Discover – 6011 1111 1111 1117

If you plan to use e-checks / ACH, you may use the following data for testing:

Account Number: 4100 (any number between 4000 and 6000)

Routing Number / Bank Transit Number: 121042882

Account Type: Checking

Authorize: select an option, such as TEL – telephone authorization

1. Create a fully paid credit card pledge.

2. Create a to-be-billed credit card pledge (pre-authorized payment / subscription). Later, try to

update the credit card expiry date from the Billing Schedule record in Andar (to test the API).

3. Before closing or cancelling the envelope, display the transactions in Andar to see the results that

were returned from CyberSource.

4. Log into CyberSource Business Center, and go to Transaction Search > General Search, and look for

your test transactions there.

Step 18 - If possible, Enter a Test Transaction via e-Pledge (or i-Attend)



WHILE YOU ARE IN THE TESTING PHASE, if you have e-pledge (or i-Attend), and IF the AndarWeb

service can be started for TESTING without being available for actual donors, test that approach as

well. (Note, if you do not have a Testing website, and if you have some actual e-pledge or i-Attend

registrations in process, then you will not be able to test the use of credit cards from the web – it

would be unwise to test the web, because a “real” payment might be entered by someone else while

Andar was connected to CyberSource’s Test Business Center.)

To test the web:

1. Create a test web envelope for a test company (or possibly for your own organization, if you are

not in the process of running your internal campaign).

2. Log into the web as an employee from the test company.

3. Enter two test pledges – one Fully Paid Credit Card, and one Pre-authorized Credit Card.

4. As above, look at the transactions inside Andar screens.

5. As above, look at the transactions inside CyberSource.

Step 19 - Clean-up after Testing

1. If you entered any test transactions through your Andar Production database (perhaps because you

don’t have an Andar Test database), cancel the test envelope(s) in Andar.

2. If you tested any pre-authorized payments (in an Andar Production database), double-check the

Billing Schedules for the donors that you used for testing. Either delete the Billing Schedules, or

update the Billing Schedules and use the button to Remove Subscription. You do not want to leave

any fake / test Subscription ID’s in your Production database.

Going Live

Step 20 - Tell CyberSource You are Ready to Go Live.



Once you are satisfied that everything is working out okay in the TESTING phase, then contact

CyberSource and tell them you’re ready to go “live”.

1. Log in to CyberSource’s Live Business Center (https://ebc.cybersource.com).

2. Click on Support Center.

3. Create an e-Ticket.

4. Type “Go Live Request” on the Summary line.

5. Submit it.

6. Wait for CyberSource Support to respond.

CyberSource will not let you go Live until you have supplied them with all the necessary information

about your Payment Processor – and they have set up a connection with that Payment Processor. This

typically includes you sending them a VAR Sheet of information about your bank and your payment

processor.

Step 21 - Set up the CyberSource Live Business Center

Log in to CyberSource’s Live Business Center (https://ebc.cybersource.com), and repeat the steps to

set up CyberSource. That includes Step 6 through Step 12 (outlined below for convenience).

1. Create a Secure Acceptance Profile (General Settings).

2. SA Profile Payment Settings.

3. SA Profile Security.

4. SA Profile Notifications.

5. SA Profile Customer Response Pages.

6. SA Profile Activation.

7. API Keys File Download.





Step 22 - Set Up the Andar Production Database

Log in to your Andar Production database, and add the CyberSource Settings record(s), as detailed in

Step 13 above (Andar’s CyberSource Settings – outlined below for convenience).

1. Go to Andar Main Menu > Finance > Accounts Receivable > ACH/Credit Card Management >

CyberSource Settings.

2. If you do not have an Andar Test database, and you previously did your testing by using the Andar

Production database, delete all of the CyberSource Settings records that were created for testing

purposes.

3. Add new CyberSource Settings records (one for each Merchant ID).

3.1 If your Andar version is not 2014.03 or higher, then refer to project # 82385 for a Hot Fix

that is related to the HOP.jsp file path requirement.

4. Update each new CyberSource Settings record to turn OFF the checkbox titled Use CyberSource

Test Server.

When everything is finished, all of the CyberSource Settings records in an Andar Test database should

have a checkmark in the box titled Use CyberSource Test Server – and all of the CyberSource Settings

records in an Andar Production database should NOT have a checkmark in that checkbox.

Step 23 - Restart the Andar Services

If you previously stopped the Tomcat AndarWeb service (so e-pledge and i-Attend were temporarily

disabled), then Start that service now.

It is also wise to restart the Andar Production service and the Andar Training service. This is to ensure

that when Andar connects to CyberSource behind-the-scenes, it is using the most recent version of the

Simple Order API Key (*.p12 file).



Step 24 - Enter Real Payment Transactions in Production

Once live, we highly recommend you immediately enter a fully-paid credit card pledge – just to be

certain everything is set up properly between Andar, CyberSource, and the Merchant Bank / Payment

Processor. Check the results on all 3 systems.

PCI Compliance Verification - Remove Existing Credit Card and ACH

Data

Step 25 - Complete Andar’s PCI Compliance Set-up

In System Preferences, finalize the task of making Andar PCI Compliant. This may be done in both the

Andar Test database (if you have one) and in the Andar Production database.

1. Make sure you have a current, complete Andar backup. The next task is going to change your

donors’ Billing Schedules.

2. System Preferences > Finance > PCI Compliance. This screen currently says PCI Compliance is

“Enabled (pending verification)”. There are two Run buttons within this screen.

3. Transfer credit card and ACH information from Andar billing schedules into CyberSource

subscriptions > Run. This job searches for credit card information in Andar’s Billing Schedule

records, using additional criteria supplied by you. CyberSource creates Subscription ID’s for those

donors, and the Subscription ID’s replace the credit card info on the Billing Schedules.

3.1 Run this job only for the campaigns/years that you are still billing / collecting. You do not

need to have Subscription ID’s on Billing Schedules for campaigns that you are no longer

collecting.

3.2 Running this job will produce a report. Review that report to make sure there are no

problems – cases where the Billing Schedules were not converted into Subscriptions in

CyberSource.

3.3 Fix any problems, and re-run this job until there are no errors. “Fixing” problems might

entail any of the following:



3.3.1 Deleting Billing Schedules from donor account profiles for particular campaign years

(if they are no longer necessary for billing the donor or for processing pre-authorized

payments),

3.3.2 Supplying e-mail addresses for donors (CyberSource requires e-mail addresses in

order to create Subscription IDs),

3.3.3 Obtaining current credit card info (if the existing card has expired before the donor

has completely paid his pledge), or

3.3.4 Updating Billing Schedules from donor account profiles – to remove the Pre-

authorized Payment Type - thus setting the donor up to receive billing statements (if

you are unable to obtain current credit card data, and the donor has a balance due).

4. Make sure you have a current, complete Andar backup. The next task is going to change your

donors’ Billing Schedules as well as Transactions.

5. Remove all credit card and ACH information from the Andar database > Run. This job

permanently removes any remaining credit card or bank account information still stored in Andar’s

Billing Schedules and/or Transactions. Only run this job once you are confident that Andar has

CyberSource Subscription IDs on all necessary Billing Schedules.

6. In System Preferences, confirm that your Andar database is now PCI Compliant. Instead of

“Enabled (pending verification)”, the 2nd radio button on this System Preference screen will simply

show “Enabled”.

Miscellaneous

Step 26 – CyberSource Verification Report

Occasionally, the payment verification task will not complete as expected. The security files for

CyberSource might have expired; or the internet connection between the user and CyberSource might

drop; or the communication between Andar and CyberSource might fail. Andar might still contain the

transaction record, but it might not be updated. The “CyberSource Authorization Decision” on the

transaction might say “Verifying”.

In order to be informed of this situation, schedule the CyberSource Verification Report to run on a

regular basis. When / if the report indicates that Andar includes transactions that still say “Verifying”,



refer to the Andar Support document titled “CyberSource – Tackle Verifying Transactions” for

instructions.

Step 27 - Update Billing Schedules

If you formerly had a manual procedure for identifying pre-authorized-payment donors, and you did

not previously store their credit card or bank account information inside Andar, then Create

Subscriptions for those donors (from their Finance tab > Billing Schedule sub-tabs).

If a donor’s Billing Schedule record includes a Pre-Authorized Payment Type, and a CyberSource

Subscription ID, then Andar will be able to automatically process payments for that donor whenever

you run the Pre-authorized Credit Card Payment Generation job from Andar’s Main Menu.

Step 28 – e-Pledge Web Options

If you are using e-pledge, consider adding the General web option titled “CyberSource checkout –

number of attempts allowed”. If the user attempts an online payment that gets denied, the normal

behavior is for the pledge to be immediately deleted. The donor has to restart the pledge process in

order to try again. With this web option, the donor can be sent back to the CyberSource checkout

page (without canceling the original pledge), where he can attempt to provide different payment

details.

Post Set-Up

If you are allowing donors to say “Charge my card in installments to pay my pledge”, then you are using

Andar’s “Pre-authorized Payment” feature. Refer to Andar’s Help documentation for running the

following jobs:

• Pre-authorized Credit Card Payment Report

• Pre-authorized Credit Card Payment Generation

Similarly, if you allow installment payments via e-check / ACH, you will need to run these jobs:

• Pre-authorized ACH Payment Report

• Pre-authorized ACH Payment Generation

See the Glossary item “Pre-authorized Payment” in Andar’s Help.

andar pci compliance set-up, with cybersource · telecheck, or rbs worldpay atlanta, or cybersource...

Documents