CyberSource is a credit card payment gateway that allows full customization of checkout and error pages, and still simplifies PCI compliance by posting credit card data directly to secure CyberSource servers.
This checkout handler uses CyberSource Secure Acceptance Hosted Checkout for the payment form. It can also use the CyberSource REST API for saved-card payments, recurring payments, and remote capture.
You can read more about CyberSource at their website.
Note
- The CyberSource checkout handler requires a SSL certificate to protect your customer payment information
- The provider supports using TLS 1.2
CyberSource provides a Sandbox environment for testing purposes. This sandbox mimics the live payment gateway experience but doesn't execute real transactions. CyberSource doesn't send sandbox transactions to financial institutions for actual processing.
You can sign up for a CyberSource sandbox here.
Configure CyberSource Business Center
Log in to CyberSource Business Center and configure a Secure Acceptance Hosted Checkout profile:
- Go to Payment Configuration > Secure Acceptance Settings
- Create a new profile or edit an existing profile
- Under Payment settings, add the card types the payment form should accept
- Add the currencies used by your shop
- Under Security, create a key and save the Access Key and Secret Key
- Under Customer response, configure the response settings required for your checkout flow
- Enable Payment Tokenization if you want to use saved cards, recurring payments, or token-based payment flows
- Promote the profile when it is ready to use
Configure the Dynamicweb Provider
To configure the CyberSource payment method in Dynamicweb, you need the Secure Acceptance profile credentials:
- Merchant id - This is the name of your sandbox account
- Profile ID - The Secure Acceptance Hosted Checkout profile ID
- Profile Access Key - The public key identifier from the profile security settings
- Profile Secret Key - The secret signing key from the profile security settings
The guide on how to get the Access Key and Secret Key can be found here.
You must also choose the transaction type:
- With Sale, the amount is authorized and captured in one transaction. If approved, the payment is submitted for settlement
- With Authorization (order amount), the order amount is authorized in CyberSource without being captured. Capture can be performed later from the Dynamicweb order list or another back-office flow
- With Authorization (zero amount), the checkout sends a zero-amount authorization/account verification request. Use it to validate a card or create a payment token without authorizing or capturing the order amount
Select a Work Mode:
- Choose Production when you are ready to go live
- Choose Test to simulate payment transactions without involving real money transfers
Select a Window Mode:
- Choose Redirect to redirect the customer to CyberSource
- Choose Embedded to render the CyberSource payment form in an iframe on the checkout page
Furthermore, you can:
- Enable Forced tokenization to save a payment token for logged-in users even when they have not selected Save card
- Select a Payment template for the embedded payment form
- Select Cancel and Error templates for cancellation and error messages
- Enable Debug logging to write CyberSource request and response details to order debugging and system logs. Payment-sensitive values are masked
- Enable Use API callback endpoint to let CyberSource post receipt and cancel callbacks to the Dynamicweb Delivery API callback endpoint
Note
Enable Use API callback endpoint only when the /dwapi Delivery API endpoints are available on the solution. When disabled, CyberSource posts callbacks back to the checkout page.
Saved Cards, Recurring Payments, and Capture
Saved-card payments, recurring payments, and remote capture use the CyberSource REST API. These credentials are separate from the Secure Acceptance profile credentials used for the hosted checkout form.
There are two ways to sign REST API requests:
- Certificate JWT
- Shared Secret JWT
Either method allows Dynamicweb to save payment cards, process saved-card payments and recurring payments, and capture authorized payments.
Note
Saved-card payments are available only when the selected REST authentication settings are valid. Deleting saved cards from CyberSource is not supported through this provider - they will be removed from DynamicWeb but not inside CyberSource.
Create a JWT Certificate
To create a JWT certificate file:
- Log in to CyberSource Business Center
- Go to Payment Configuration > Key Management
- Select Generate key
- Set the key type to REST - Certificate
- Select Generate key
- Select Download key and specify a password
The key file, for example somevalue.p12, is downloaded to your computer. Upload the .p12 file to /Files/System in Dynamicweb, select it in the provider, and enter the certificate password.
If a certificate is needed, see CyberSource's guide on how to create a P12 certificate.
Create a Shared Secret JWT
To create a Shared Secret JWT:
- Log in to CyberSource Business Center
- Go to Payment Configuration > Key Management
- Select Generate key
- Set the key type to REST - Shared Secret
- Select Generate key
- Copy the Key value to REST Shared Secret Key ID in Dynamicweb
- Copy the Shared Secret value to REST Shared Secret in Dynamicweb
Dynamicweb does not use the .pem file for Shared Secret JWT authentication, so you only need to download it if it is required for another purpose.
AVS Validation
CyberSource supports AVS (Address Verification System) validation:
- Review AVS Codes contains the AVS result codes CyberSource should decline. The default value is
N, which means street address and postal code do not match - Ignore AVS Result tells CyberSource to ignore AVS declines
- Approve AVS Code is an optional comma- or space-separated list of AVS result codes Dynamicweb accepts after CyberSource returns the payment. If the field contains values and the returned AVS code is not listed, the order is rejected
Testing CyberSource
Before going live, test your setup thoroughly. Test credit card numbers for authorization, capture, and credit services can be found here. Do not use real credit card numbers.