Copyright © 2001 Sean C. Sullivan
Credit Card Transaction Processing for E-commerce Web Sites with Java
Sean C. Sullivan

Agenda
Credit card fundamentals
Credit card transaction processing
Solutions for Java developers
Q & A

Credit Cards

Credit Cards 101
Card number
Expiration date
Card verification number

Validating a Credit Card Number
“Mod 10” check algorithm
Right-most digit is the check digit
– 4100000000000001
Note: Always run the Mod-10 algorithm before submitting a transaction!

Example: Mod-10 algorithm
A. Number: 74385
B. Working from the right, multiply alternate digits by 1 and 2: (5 * 1), (8 * 2), (3 * 1), (4 * 2), (7 * 1)
C. 5, 16, 3, 8, 7
D. Add the digits of each product: 5 + (1 + 6) + 3 + 8 + 7
E. Sum = 30
F. 30 mod 10 = zero
This number passes the algorithm.
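
Added example (not from the original slides): the Mod-10 check above as a Java method, run against the slide's 74385 example and the 4100000000000001 sample. The class and method names and the 13 to 19 digit length range in isPlausibleCardNumber are assumptions of this example.

```java
public final class Mod10 {

    /** Mod-10 (Luhn) check over a string of ASCII digits: true when the sum is a multiple of 10. */
    static boolean passesMod10(String digits) {
        if (digits == null || digits.isEmpty()) return false;
        int sum = 0;
        boolean doubleIt = false;            // the right-most (check) digit is multiplied by 1
        for (int i = digits.length() - 1; i >= 0; i--) {
            char c = digits.charAt(i);
            if (c < '0' || c > '9') return false;   // reject letters, spaces, punctuation
            int d = c - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) d -= 9;           // same as adding the two digits: 16 -> 1 + 6 = 7
            }
            sum += d;
            doubleIt = !doubleIt;            // alternate *1, *2 moving left
        }
        return sum % 10 == 0;
    }

    /**
     * Check for user-entered card numbers before a transaction is submitted.
     * Strips spaces and hyphens, then requires 13-19 digits (assumed range) and a passing Mod-10.
     */
    static boolean isPlausibleCardNumber(String input) {
        if (input == null) return false;
        String digits = input.replaceAll("[ -]", "");
        if (digits.length() < 13 || digits.length() > 19) return false;
        return passesMod10(digits);
    }

    public static void main(String[] args) {
        // Constructed inputs: the two numbers from the slides plus altered variants.
        String[] samples = {
            "74385", "74386",
            "4100000000000001", "4100 0000 0000 0001",
            "4100000000000002", "41000000000000o1"
        };
        for (String s : samples) {
            System.out.println(s + "  mod10=" + passesMod10(s)
                    + "  plausible=" + isPlausibleCardNumber(s));
        }
    }
}
```

A number that passes Mod-10 is only free of common typing errors; whether the account exists and has funds is decided by the authorization.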

Types of Credit Card Transactions
Card present transactions
Card not present (CNP) transactions

Participants in a Credit Card Transaction
Cardholder
Issuing bank
Merchant
Acquiring bank

Typical Internet transaction
(Diagram: Cardholder, Merchant’s web site, Acquiring bank, Internet payment service provider, Payment processor, Issuing bank)

Basic Credit Card Transaction
Two steps:
1. Authorization
2. Settlement

Authorizations
(Diagram: Merchant application and Internet payment service provider, exchanging an Authorization request and an Authorization response)
Authorization takes place when the customer places an order

Address Verification
Address Verification System (AVS)
Use it!
Added protection against fraud
Verifies:
– billing street address
– billing zip code

Authorization Issues
How long does an authorization take?
What if your application does not receive a response?
Lifetime of an authorization?
What if the cardholder cancels the order?

Authorization Reversals
Undo a prior authorization
Types:
– Full reversal
– Partial reversal
Not universally supported
– CyberSource: no auth reversals

Settlement
“settle” an authorized transaction
CyberSource refers to this as “bill”
For physical goods, settlement of the transaction should not occur until the merchandise is shipped to the customer.

Credits
Refund
Original credit

Merchant Account
Sign up for Merchant account with a financial institution
Alternative: Use a payment service that does not require you to have a merchant account (ex: PayPal, CCNow)

Java API for Credit Card Transaction Processing?
There is no standard API
Must use API provided by the payment service provider
Every vendor has their own API

Internet Payment Service Providers
ClearCommerce
Cybercash
CyberSource
SurePay
Verisign
…and many more

Choosing a Payment Service Provider
Transaction fees?
Multiple currencies?
Integration with 3rd party web commerce products?
Support for required card types?
API / SDK?

Choosing a Payment Service Provider (cont)
Provides a Test server for performing “test” transactions?
Fraud screening services?
Management and Reporting tools?
Service and support?
Security?
Scalability?

Development Issues
Explicitly open and close SSL sockets?
Need to license an SSL class library?
One connection or many?
Connection timeouts
Does the vendor’s API shield you from connection complexity?

Development Issues (cont)
How to represent money?
– java.lang.String??
– java.math.BigDecimal??
Classes to represent currency?
Thread safety of the vendor’s class library?

Exceptional Conditions
Card reported stolen
Card reported lost
Card expired
Invalid credit card
Funds not available
AVS: no match
…
CyberSource
www.cybersource.com
payment service provider

CyberSource
(Diagram: Cardholder, Merchant web site, CyberSource; links labelled HTTP/SSL and SCMP)

Getting Started with CyberSource
Register at
– www.cybersource.com
Download
– “CyberSource Java ICS Client Developers Kit (CDK)”

Setting up the CyberSource CDK
Generate cert and key pair
– run Ecert utility
Edit ICSClient properties file
Update classpath
– cdkjava3310.jar

CyberSource Credit Card Services
Authorizations
– ics_auth
Authorization Reversals
– not supported
Settlement
– ics_bill

CyberSource Credit Card Services (cont)
Issue a credit
– ics_credit
Score a transaction’s fraud risk
– ics_score

CyberSource: key classes
ICSClient
ICSClientRequest
ICSOffer
ICSClientReply

CyberSource authorization
ICSClient client = …
ICSClientOffer offer = new ICSClientOffer();
ICSClientRequest req = new ICSClientRequest(client);
req.addApplication("ics_auth");       // request the authorization service
req.setMerchantId("sockwarehouse");

CyberSource authorization, 2
…
req.setCustomerCreditCardNumber("4111111111111111");
req.setCustomerCreditCardExpirationMonth("12");
req.setCustomerCreditCardExpirationYear("2004");
req.setCurrency("USD");

CyberSource authorization, 3
…
offer.setAmount("7.99");
offer.setQuantity(1);
req.addOffer(offer);
// send the authorization request and read the reply
ICSClientReply reply = (ICSClientReply) client.send(req);
…
Q & A
Questions?
The following slides are uncategorized and are included here as reference material.
This material was omitted from the O’Reilly presentation due to time constraints.
JDollars Project
http://jdollars.sourceforge.net/

Terminology
Card Not Present (CNP)
Address Verification Service (AVS)
Chargebacks
MOTO
CVV2

Best Practices
Use AVS
Use SSL
– Cardholder ↔ web site
– Web site ↔ payment service provider
Protect your private keys
Encrypt credit card numbers

Best Practices (cont)
For Development & QA:
– Send transactions to test server
– Use “test” merchant account
– Use non-production certificates
Avoid Bad Practices
Don’t put credit card numbers in outgoing e-mail messages
Don’t display credit card numbers on an unsecured web page
Don’t display full credit card number on a web page; instead: last 4 digits only
Don’t put CC #’s in browser cookies
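
Added example (not from the original slides): one way to enforce the “last 4 digits only” rule before card numbers reach a web page, an outgoing e-mail or a log line. Class and method names are hypothetical, the 13 to 19 digit range is an assumption, and the sample text is constructed around the 4111111111111111 test number used in the slides.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class CardNumberRedactor {

    // A run of 13-19 digits, optionally separated by single spaces or hyphens
    // (length range is an assumption of this example).
    private static final Pattern CANDIDATE =
            Pattern.compile("(?<!\\d)\\d(?:[ -]?\\d){12,18}(?!\\d)");

    /** Display form of a card number: every digit except the last four becomes '*'. */
    static String lastFourOnly(String cardNumber) {
        String digits = cardNumber.replaceAll("\\D", "");
        if (digits.length() < 4) return "****";      // too short to show anything safely
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digits.length() - 4; i++) sb.append('*');
        return sb.append(digits.substring(digits.length() - 4)).toString();
    }

    /**
     * Masks anything that looks like a card number in free text.
     * Every candidate is masked, so an unrelated long digit run is masked too;
     * over-masking is the safe direction for e-mail bodies and logs.
     */
    static String redact(String text) {
        Matcher m = CANDIDATE.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(lastFourOnly(m.group())));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample lines.
        System.out.println(redact("Order 1001 paid with 4111-1111-1111-1111, exp 12/2004"));
        System.out.println(redact("auth ok card=4111111111111111 amount=7.99"));
        System.out.println(redact("tracking id 12345678 is left alone"));
    }
}
```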

What are you selling?
Digital goods or Physical goods
Leather clothing, computers/electronics, jewelry, luxury items
Tip: If a customer orders 10 Rolex watches, it should set off a red flag!

Fraud Screening Solutions
ClearCommerce FraudShield
CrediView
CyberSource Internet Fraud Screen
HNC Software eFalcon
Verisign Payflow Fraud Screen

Cardholder Statement
Transaction amount
Transaction date
Merchant name
City or Phone Number
State

AVS Result Codes
X Exact match, 9 digit zip
Y Exact match, 5 digit zip
A Address match only
W 9-digit zip match only
Z 5-digit zip match only
N No address or zip match
U Address unavailable
R Issuer system unavailable
E Not a mail/phone order
S Service not supported

Additional Topics
Chargebacks…
Fraud…
Risk management techniques…
Commercial cards (Level II)
American Express Private Payments
“Verified by Visa”

Resources
www.cybersource.com
www.visa.com
www.visabrc.com
www.mastercard.com
www.merchantfraudsquad.com
jdollars.sourceforge.net