
Upload: kaylee-mcmahon

Post on 27-Mar-2015


Credit Card Transaction Processing for E-commerce Web Sites with Java
Sean C. Sullivan
sean@seansullivan.com
Copyright © 2001 Sean C. Sullivan

Agenda

Credit card fundamentals
Credit card transaction processing
Solutions for Java developers
Q & A

Credit Cards

Credit Cards 101

Card number
Expiration date
Card verification number

Validating a Credit Card Number

“Mod 10” check algorithm
Right-most digit is the check digit
– 4100000000000001

Note: Always run the Mod-10 algorithm before submitting a transaction!

Example: Mod-10 algorithm

A. Number: 74385

B. (5*1) , (8 * 2) , (3 * 1), (4 * 2), (7 * 1)

C. 5, 16, 3, 8, 7

D. 5 + (1 + 6) + 3 + 8 + 7

E. Sum = 30

F. 30 mod 10 = zero

This number passes the algorithm.
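The steps above, written out in Java as an added example (not code from the original slides). The 12 to 19 digit length bound and the stripping of spaces and dashes are assumptions of this example; the check only catches mistyped numbers and says nothing about whether the card exists or has funds.

```java
// Added example (not from the slides): the Mod-10 check on user-entered card numbers.
public final class Mod10 {

    /** Mod-10 sum of a digit string: every second digit from the right is doubled. */
    static int luhnSum(String digits) {
        int sum = 0;
        boolean doubleIt = false;          // the right-most (check) digit is multiplied by 1
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) d -= 9;         // same as adding the two digits: 16 -> 1 + 6
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum;
    }

    /** Validates raw form input before any transaction is submitted. */
    static boolean isValid(String input) {
        if (input == null) return false;
        String digits = input.replaceAll("[ -]", "");   // tolerate "4100 0000 ..." and "4100-0000-..."
        // Assumption of this example: card numbers are 12 to 19 digits long.
        if (!digits.matches("[0-9]{12,19}")) return false;
        return luhnSum(digits) % 10 == 0;
    }

    public static void main(String[] args) {
        System.out.println(luhnSum("74385"));                  // the slide's worked number
        System.out.println(isValid("4100000000000001"));       // number shown on the earlier slide
        System.out.println(isValid("4100 0000 0000 0001"));    // same number with spaces
        System.out.println(isValid("4100000000000002"));       // constructed: wrong check digit
        System.out.println(isValid("41000000abcd0001"));       // constructed: non-digit input
    }
}
```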

Types of Credit Card Transactions

Card present transactions
Card not present (CNP) transactions

Participants in a Credit Card Transaction

Cardholder
Issuing bank
Merchant
Acquiring bank

Typical Internet transaction

[Diagram: Cardholder, Merchant’s web site, Internet payment service provider, Payment processor, Acquiring bank, Issuing bank]

Basic Credit Card Transaction

Two steps:
1. Authorization
2. Settlement

Authorizations

[Diagram: Merchant application and Internet payment service provider, exchanging an authorization request and an authorization response]

Authorization takes place when the customer places an order

Address Verification

Address Verification System (AVS)
Use it!
Added protection against fraud
Verifies:
– billing street address
– billing zip code

Authorization Issues

How long does an authorization take?
What if your application does not receive a response?
Lifetime of an authorization?
What if the cardholder cancels the order?

Authorization Reversals

Undo a prior authorization
Types:
– Full reversal
– Partial reversal
Not universally supported
– CyberSource: no auth reversals

Settlement

“settle” an authorized transaction

CyberSource refers to this as “bill”

For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.

Credits

Refund
Original credit

Merchant Account

Sign up for Merchant account with a financial institution

Alternative: Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)

Java API for Credit Card Transaction Processing?

There is no standard API
Must use API provided by the payment service provider
Every vendor has their own API

Internet Payment Service Providers

ClearCommerce
Cybercash
CyberSource
SurePay
Verisign
…and many more

Choosing a Payment Service Provider

Transaction fees?
Multiple currencies?
Integration with 3rd party web commerce products?
Support for required card types?
API / SDK?

Choosing a Payment Service Provider (cont)

Provides a Test server for performing “test” transactions?

Fraud screening services?
Management and Reporting tools?
Service and support?
Security?
Scalability?

Development Issues

Explicitly open and close SSL sockets?
Need to license an SSL class library?
One connection or many?
Connection timeouts
Does the vendor’s API shield you from connection complexity?

Development Issues (cont)

How to represent money?
– java.lang.String??
– java.math.BigDecimal??
Classes to represent currency?
Thread safety of the vendor’s class library?
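One possible answer to the money-representation question, as an added example that is not from the original slides: an immutable type built on java.math.BigDecimal and java.util.Currency that parses the amount exactly and hands a plain decimal String back to an API that expects one. The class name Money and its methods are hypothetical.

```java
import java.math.BigDecimal;
import java.util.Currency;

// Added example (not from the slides): exact decimal amounts tied to an ISO 4217 currency.
public final class Money {
    private final BigDecimal amount;
    private final Currency currency;

    private Money(BigDecimal amount, Currency currency) {
        this.amount = amount;
        this.currency = currency;
    }

    /** Parses a decimal string such as "7.99"; rejects negatives and excess decimal places. */
    public static Money parse(String text, String currencyCode) {
        Currency c = Currency.getInstance(currencyCode);  // throws on unknown currency codes
        BigDecimal value = new BigDecimal(text);          // exact; throws NumberFormatException on garbage
        if (value.signum() < 0) throw new IllegalArgumentException("negative amount");
        int places = Math.max(c.getDefaultFractionDigits(), 0);
        if (value.stripTrailingZeros().scale() > places)
            throw new IllegalArgumentException("too many decimal places for " + c);
        return new Money(value.setScale(places), c);      // no rounding can occur after the check above
    }

    public Money times(int quantity) {
        if (quantity < 0) throw new IllegalArgumentException("negative quantity");
        return new Money(amount.multiply(BigDecimal.valueOf(quantity)), currency);
    }

    public Money plus(Money other) {
        if (!currency.equals(other.currency)) throw new IllegalArgumentException("currency mismatch");
        return new Money(amount.add(other.amount), currency);
    }

    /** Plain decimal string for an API that takes the amount as a String. */
    public String toAmountString() { return amount.toPlainString(); }

    public String currencyCode() { return currency.getCurrencyCode(); }

    public static void main(String[] args) {
        Money order = Money.parse("7.99", "USD").times(3);   // constructed order: three items at 7.99
        System.out.println(order.toAmountString() + " " + order.currencyCode());
        System.out.println(0.1 + 0.2);   // double arithmetic, shown for contrast with the line below
        System.out.println(Money.parse("0.10", "USD").plus(Money.parse("0.20", "USD")).toAmountString());
    }
}
```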

Exceptional Conditions

Card reported stolen
Card reported lost
Card expired
Invalid credit card
Funds not available
AVS: no match
…

CyberSource

www.cybersource.com

payment service provider

CyberSource

[Diagram: Cardholder, Merchant web site, CyberSource; connections labelled HTTP/SSL and SCMP]

Getting Started with CyberSource

Register at
– www.cybersource.com
Download
– “CyberSource Java ICS Client Developers Kit (CDK)”

Setting up the CyberSource CDK

Generate cert and key pair
– run Ecert utility
Edit ICSClient properties file
Update classpath
– cdkjava3310.jar

CyberSource Credit Card Services

Authorizations
– ics_auth
Authorization Reversals
– not supported
Settlement
– ics_bill

CyberSource Credit Card Services (cont)

Issue a credit
– ics_credit
Score a transaction’s fraud risk
– ics_score

CyberSource: key classes

ICSClient
ICSClientRequest
ICSOffer
ICSClientReply

CyberSource authorization

ICSClient client = …
ICSClientOffer offer = new ICSClientOffer();
ICSClientRequest req = new ICSClientRequest(client);
// ics_auth is the authorization service
req.addApplication("ics_auth");
req.setMerchantId("sockwarehouse");

CyberSource authorization, 2…

req.setCustomerCreditCardNumber("4111111111111111");
req.setCustomerCreditCardExpirationMonth("12");
req.setCustomerCreditCardExpirationYear("2004");
req.setCurrency("USD");

CyberSource authorization, 3…

offer.setAmount("7.99");
offer.setQuantity(1);
req.addOffer(offer);
// send the request object built on the previous slides (req)
ICSClientReply reply = (ICSClientReply) client.send(req);

Q & A

Questions?

The following slides are uncategorized and are included here as reference material.

This material was omitted from the O’Reilly presentation due to time constraints.

JDollars Project

http://jdollars.sourceforge.net/

Terminology

Card Not Present (CNP)
Address Verification Service (AVS)
Chargebacks
MOTO
CVV2

Best Practices

Use AVS
Use SSL
– Between cardholder and web site
– Between web site and payment service provider
Protect your private keys
Encrypt credit card numbers

Best Practices (cont)

For Development & QA:
– Send transactions to test server
– Use “test” merchant account
– Use non-production certificates

Avoid Bad Practices

Don’t put credit card numbers in outgoing e-mail messages

Don’t display credit card numbers on an unsecured web page

Don’t display full credit card number on a web page; instead: last 4 digits only

Don’t put CC #’s in browser cookies
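For “Encrypt credit card numbers” and “last 4 digits only” above, an added example that is not from the original slides: authenticated encryption of a stored card number with the JDK's AES-GCM, plus a masking helper for pages and logs. It assumes a current JDK; the class and method names are hypothetical, and the in-memory key generation stands in for a key held in a key-management system.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example (not from the slides): encrypt card numbers at rest, show only the last 4 digits.
public final class CardNumberProtection {
    private static final int IV_BYTES = 12;   // standard nonce size for GCM
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns IV || ciphertext+tag. A fresh random IV is generated on every call. */
    static byte[] encrypt(SecretKey key, String cardNumber) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(cardNumber.getBytes(StandardCharsets.US_ASCII));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the stored value was modified or the key is wrong. */
    static String decrypt(SecretKey key, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, stored, 0, IV_BYTES));
        byte[] pt = c.doFinal(stored, IV_BYTES, stored.length - IV_BYTES);
        return new String(pt, StandardCharsets.US_ASCII);
    }

    /** For web pages, receipts and logs: everything except the last 4 digits is replaced. */
    static String mask(String cardNumber) {
        int keep = Math.min(4, cardNumber.length());
        char[] stars = new char[cardNumber.length() - keep];
        Arrays.fill(stars, '*');
        return new String(stars) + cardNumber.substring(cardNumber.length() - keep);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();   // assumption: a real key is loaded from a KMS or HSM
        byte[] stored = encrypt(key, "4111111111111111");   // test number used on the slides
        System.out.println(mask(decrypt(key, stored)));
    }
}
```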

What are you selling?

Digital goods or Physical goods
Leather clothing, computers/electronics, jewelry, luxury items

Tip: If a customer orders 10 Rolex watches, it should set off a red flag!

Fraud Screening Solutions

ClearCommerce FraudShield
CrediView
CyberSource Internet Fraud Screen
HNC Software eFalcon
Verisign Payflow Fraud Screen

Cardholder Statement

Transaction amount
Transaction date
Merchant name
City or Phone Number
State

AVS Result Codes

X Exact match, 9 digit zip

Y Exact match, 5 digit zip

A Address match only

W 9-digit zip match only

Z 5-digit zip match only

N No address or zip match

U Address unavailable

R Issuer system unavailable

E Not a mail/phone order

S Service not supported

Additional Topics

Chargebacks…
Fraud…
Risk management techniques…
Commercial cards (Level II)
American Express Private Payments
“Verified by Visa”

Resources

www.cybersource.com
www.visa.com
www.visabrc.com
www.mastercard.com
www.merchantfraudsquad.com