Create a potentially profitable online storefront
By David Keener
Published in the ColdFusion Developer's Journal, Vol 3, Issue 3
Many entrepreneurs have set out to make money by selling products,
subscriptions, and services on the web. For many of these small businesses, one
of the largest hurdles is implementing a solution that accepts credit card
transactions.
With ColdFusion's CFX_CYBERCASH tag, this hurdle can be easily cleared and
businesses can be making money on the web within a short period of time. In this
article I explain how credit card transactions work, explore the steps required
to implement a solution, and show how ColdFusion can play a vital role in this
process.
Editorial Note: Since this article was published, CyberCash was
acquired by Verisign, the web's leading provider of digital trust services.
The CyberCash Register described in this article has been replaced by Verisign's
Payflow system. However, the overview of credit card processing provided by this
article is still accurate, and, for obvious reasons, Payflow works in a similar
fashion to the CyberCash Register.
The Players
Handling a credit card transaction is an operation
that requires the cooperation of a variety of organizations. To understand the
complexity of the process, you first need to know who the players are:
- Merchant: The first player is the merchant, the organization
that wants to sell products online.
- Acquiring Financial Institution: Put simply, this is the bank
where the Merchant has set up a merchant account and hopes lots of money will
eventually be deposited.
- CyberCash: This organization functions as a gateway. CyberCash
facilitates credit card transactions by interacting with other organizations to
handle credit card authorizations and captures.
- Cardholder Financial Institution: This organization issues the
credit card to the consumer and maintains the account from which funds will be
deducted if the transaction succeeds.
- Third-Party Processor: Banks often outsource various merchant
services to a separate company, referred to as a third-party processor. This
organization may handle services such as settlement, billing, authorization,
and reporting. There may or may not be a third-party processor involved in the
transaction process.
Handling credit card transactions may involve up to five separate
organizations. While you typically don't have to deal directly with cardholder
financial institutions, it's not uncommon to have interactions with the other
four when initially implementing credit card functionality.
How It Works
The credit card transaction process is illustrated in
Figure 1. The customer enters all information required for a credit card
transaction using a secure form provided by the merchant's web site. The
transaction information is then forwarded to CyberCash's CashRegister server.
CyberCash handles the details, interacting with the cardholder financial
institution to determine whether a transaction should be approved or declined.
CyberCash passes the response back to the merchant's web site. If the
transaction is approved, the web site's software can request the "capture of the
transaction," also known as settlement.
CyberCash then handles the necessary communication with the acquiring
financial institution, the cardholder financial institution and, possibly, a
third-party processor to ensure that the money ends up where it belongs.
Handling Credit Card Transactions
To enable a merchant's web site
to handle credit card transactions, the following steps must be taken. Some of
these steps are technical and are easily handled by ColdFusion code. Some are
more bureaucratic and you simply need to keep trudging forward until each step
is finished.
Step 1: Arrange for secure transactions
To handle credit
card transactions online, you must provide customers with a secure way to supply
confidential information. This translates to the Secure Sockets Layer (SSL), a
protocol that allows for the exchange of encrypted information over the web. The
protocol also uses digital signatures to verify the identity of the servers
communicating using SSL.
You'll need SSL to accept credit card information from customers and to
communicate with CyberCash's CashRegister server.
Step 2: Get a merchant account
Get a merchant account from
a bank if your business doesn't have one already. Indicate up front that you
want an "Internet-ready" account that will allow you to accept credit card
payments using CyberCash. This shouldn't be a problem since CyberCash works with
virtually all banks. In credit card lingo, your bank will be referred to as the
acquiring financial institution.
Step 3: Register with CyberCash
Go to the CyberCash site (http://www.cybercash.com/) and
register for their CashRegister product. At the time this article was written,
the cost of CashRegister was $495 for setup, $20 a month for the service, and
20¢ per credit card transaction. These costs may change over time, but, as you
can see, the costs associated with handling credit card transactions are
reasonable.
When you register, you'll receive a CyberCash ID, which will be a text string
that uniquely identifies your CyberCash account. Write down this string because
you'll be using it in your ColdFusion code later on.
Step 4: Perform an online CyberCash setup process
CyberCash
will provide you with access to an online system called the Merchant Control
Panel (see Figure 2). During the registration process you'll be asked for a user
name and password. With this information, you can log in to the Merchant Control
Panel at http://amps.cybercash.com/
This web site provides a well-organized set of tasks that need to be
accomplished before the CyberCash functionality can be used. It guides you
through the process of entering required billing information and viewing the
necessary CyberCash agreement. This site also provides a central location from
which required software can be downloaded. To use CyberCash with ColdFusion,
you'll need to download the Merchant Connection Kit (MCK).
You'll need to use the site's "merchant key exchange" link to generate a
merchant key to use with CyberCash. This is basically a long alphanumeric
string. Write this key down as it will also be needed by the ColdFusion code
later on.
This will be as far as you can get with the Merchant Control Panel. The next
task shown on the list can only be accomplished by the acquiring financial
institution, possibly in conjunction with a third-party processor.
Step 5: Merchant account CyberCash configuration
The
acquiring financial institution should put you in contact with the necessary
people to get your merchant account configured to interact with CyberCash. This
may either be a department within the bank or an external organization to which
the bank has outsourced these types of activities. If the activity is
outsourced, the external organization will be referred to as the third-party
processor.
Whoever you're interacting with, they'll need to know your CyberCash ID and
your merchant key in order to get the merchant account configured to interact
with CyberCash. Since this step will probably take a while, you can accomplish
Step 6 while you're waiting.
Step 6: Install the Merchant Connection Kit
Download the
MCK from CyberCash's Merchant Control Panel, then, following their
instructions, install it on your web server.
Step 7: Implementation and testing
Now that CyberCash has
been configured, implement the ColdFusion code to use CyberCash and then test
it.
At this point, you can execute credit card transactions using fake credit
card numbers detailed in the CyberCash documentation. The nice thing is that
CyberCash is functional, but no money is being moved.
Step 8: Go live
Once you've thoroughly tested the CyberCash
functionality, execute the "Going Live" task in the Merchant Control Panel. As
soon as this occurs, your web site may begin accepting real credit card
transactions.
Now, On to the Code!
As it turns out, creating the ColdFusion code
to interact with CyberCash is actually one of the easiest steps in the entire
process. This is because ColdFusion provides an easy-to-use CyberCash tag that
uses the Merchant Connection Kit to communicate with CyberCash's CashRegister
server.
Listing 1 provides a simple example of how this tag can be used to send a
credit card transaction to CyberCash.
For this example, authorization and capture will be accomplished in one step
(this can be set using the Auto-Mark/Auto-Settle area of the Merchant Control
Panel). This is appropriate for services, such as online subscriptions, that
take effect immediately upon purchase. For products that require shipping, the
credit card shouldn't be billed until the product is shipped (merchants can get
themselves into regulatory trouble if they bill customers too far in advance of
product shipment).
As mentioned earlier, the CyberCash ID and the merchant key are needed by the
ColdFusion code. These items are provided as hard-coded arguments to the tag
(which is acceptable because neither value is likely to change).
The transaction requires information from the customer, including the
customer's name (as it appears on the credit card), the credit card number, and
the expiration date (as MMYY). Note that the type of credit card is not
required, as CyberCash can determine this from the first few digits of the
credit card number.
In addition, the MO_PRICE parameter will record the total cost of the
transaction, the amount that will be billed to the customer's credit card. The
amount should be preceded by "usd" to indicate U.S. dollars (or some other
currency can be designated if required). Note: The price should be formatted as
a valid amount; for example, 78.456 will be rejected by CyberCash.
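The checks below can be run on the customer's input before it reaches the CPI_CARD_* and MO_PRICE attributes. This is an added example, not code from the article or from the CyberCash kit; the function names are hypothetical, and the Luhn checksum and the card prefixes are general card-number conventions that the article itself does not describe.

```cfml
<cfscript>
// Added example: pre-submission checks for the fields the tag needs.

// Luhn checksum over a digits-only card number (13 to 19 digits).
function luhnValid(pan) {
    var sum = 0; var i = 0; var d = 0; var dbl = false;
    if (NOT reFind("^[0-9]{13,19}$", pan)) return false;
    for (i = len(pan); i GTE 1; i = i - 1) {
        d = val(mid(pan, i, 1));
        if (dbl) { d = d * 2; if (d GT 9) d = d - 9; }
        sum = sum + d;
        dbl = NOT dbl;
    }
    return (sum MOD 10) EQ 0;
}

// Card type from the leading digits. Widely published prefixes, assumed
// here; the gateway's own table is not given in the article.
function cardBrand(pan) {
    if (reFind("^4", pan)) return "Visa";
    if (reFind("^5[1-5]", pan)) return "MasterCard";
    if (reFind("^3[47]", pan)) return "American Express";
    if (reFind("^6011", pan)) return "Discover";
    return "unknown";
}

// Expiry in MMYY form, not earlier than the current month.
function expiryValid(mmyy) {
    var expMonths = 0;
    if (NOT reFind("^(0[1-9]|1[0-2])[0-9]{2}$", mmyy)) return false;
    expMonths = (2000 + val(right(mmyy, 2))) * 12 + val(left(mmyy, 2));
    return expMonths GTE (year(now()) * 12 + month(now()));
}

// MO_PRICE value such as "usd 45.78". Returns "" for anything that is not
// a plain amount with at most two decimals: 78.456 is refused, not rounded.
function moPrice(amount) {
    if (NOT reFind("^[0-9]+(\.[0-9]{1,2})?$", amount)) return "";
    if (NOT find(".", amount)) return "usd " & amount & ".00";
    if (len(listLast(amount, ".")) EQ 1) return "usd " & amount & "0";
    return "usd " & amount;
}
</cfscript>
```

Rejecting bad input locally keeps malformed card data from being sent to the gateway at all and gives the customer an immediate error instead of a declined transaction.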
Some other parameters can also be provided. The MO_ORDER_ID parameter allows
you to record your local order ID as part of the transaction. CyberCash doesn't
use this, but the merchant's accounting department will find it useful for
cross-referencing CyberCash transactions with their own local order IDs. The
MO_PRODUCT_DESCR parameter allows a description of the order to be recorded with
the transaction.
The OutputPopQuery parameter allows you to specify where the results of the
operation should be recorded. In this case, the results are stored in a
structure called pop, which can be checked to determine whether or not the
transaction succeeded.
If pop.status is not "success," the code presumably results in the display of
an error message for the customer. If successful, the code updates a database
table to indicate that the order has been processed, and then directs the user
to a "thank you" page.
A Few Security Issues
Be very careful if you intend to store
credit card information in a database. While interacting with CyberCash using
SSL is extremely secure, studies have shown that in the majority of cases where
the credit card information of online retailers has been compromised, it's
because of inadequate security on the part of the retailer. Under no
circumstances should unencrypted credit card information be stored in a
database.
There's another potential issue concerning the design of the web pages
associated with a credit card transaction. Usually, the web pages that
facilitate a credit card transaction flow like this:
- Show the customer an invoice
- Collect credit card information
- Confirm credit card information and invoice total
- Display a thank you page
Depending on the design of your pages,
credit card or order information may need to be passed from one page to the next
in sequence. If so, they should probably be communicated as session variables,
which are highly secure, as opposed to, say, URL parameters (don't store the
credit card number in the ORDER table, and then pass the ORDER_ID as a URL
parameter).
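The confirm and thank-you steps of the flow above, with the card data held in the session scope rather than in a URL, as an added example that is not part of the original article. The file names (confirm.cfm, process.cfm, invoice.cfm), the form field names and session.checkout are assumptions; session management must be enabled with CFAPPLICATION and every page served over SSL.

```cfml
<!--- confirm.cfm: receives the card form by POST, shows only a masked number --->
<cfparam name="form.ccard" default="">
<cfparam name="form.cexpire" default="">
<cfparam name="form.cname" default="">
<cfset pan = reReplace(form.ccard, "[^0-9]", "", "all")>
<cflock scope="session" type="exclusive" timeout="10">
    <cfset session.checkout = structNew()>
    <cfset session.checkout.ccard = pan>
    <cfset session.checkout.cexpire = form.cexpire>
    <cfset session.checkout.cname = form.cname>
</cflock>
<cfset masked = repeatString("*", max(len(pan) - 4, 0)) & right(pan, 4)>
<cfoutput>
    <p>Card #masked# in the name of #htmlEditFormat(form.cname)#</p>
    <!--- The confirmation form carries no card fields and no order ID --->
    <form action="process.cfm" method="post">
        <input type="submit" value="Place order">
    </form>
</cfoutput>

<!--- process.cfm: takes the card data out of the session exactly once --->
<cfset hasCheckout = false>
<cflock scope="session" type="exclusive" timeout="10">
    <cfif structKeyExists(session, "checkout")>
        <cfset checkout = duplicate(session.checkout)>
        <cfset structDelete(session, "checkout")>
        <cfset hasCheckout = true>
    </cfif>
</cflock>
<cfif NOT hasCheckout>
    <!--- Reload or double submit: nothing is left to bill --->
    <cflocation url="invoice.cfm" addtoken="No">
</cfif>
<!--- checkout.ccard, checkout.cexpire and checkout.cname now feed the
      CPI_CARD_* attributes of the CFX_CYBERCASH call in Listing 1. If a
      card reference must be kept with the order, keep only
      right(checkout.ccard, 4). --->
```

Removing the structure from the session before the gateway call means a page reload cannot bill the card twice, and the full card number never appears in a URL or a database row.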
Conclusion
Credit cards are the enabling technology of the web
economy. For any business to make money on the web, the ability to handle credit
card transactions is an essential ingredient. With ColdFusion's CFX_CYBERCASH
tag, any web site can be converted into a potentially profitable storefront for
an online business.
Source Code
Listing 1: Sending a Credit Card Transaction

<!--- Sample order and card values; a real page takes these from the order and the customer --->
<CFSET order_id="345">
<CFSET price="45.78">
<CFSET ccard="1234567812345678">
<CFSET cexpire="0302">
<CFSET cname="John Doe">

<!--- Send the transaction to CyberCash; the result comes back in "pop" --->
<CFX_CYBERCASH
    VERSION="3.2"
    CCPS_HOST="http://cr.cybercash.com/cgi-bin/"
    CYBERCASH_ID="xyzcorp-71"
    MERCHANT_KEY="ya2eNtJiBTDog32pJS7a4yiZI8cPVc"
    MO_ORDER_ID="KT#order_id#"
    MO_PRODUCT_DESCR="Premium Teddy Bear"
    MO_VERSION="3.2.0.2"
    MO_PRICE="usd #numberformat(price, '99999999.00')#"
    CPI_CARD_NUMBER="#ccard#"
    CPI_CARD_EXP="#cexpire#"
    CPI_CARD_NAME="#cname#"
    OutputPOPQuery="pop">

<CFIF pop.status is not "success">
    <CFSET ok=false>
    <CFSET message=pop.error_message>
<CFELSE>
    <!--- Everything ok, complete order --->
    <CFQUERY Name="updateorder" Datasource="#DataSource#" username="#DBUser#" password="#DBPassword#">
        UPDATE transaction
        SET order_processed = 'Y'
        <!--- Bind the order ID as a typed parameter instead of splicing it into the SQL --->
        WHERE order_id = <CFQUERYPARAM value="#order_id#" cfsqltype="CF_SQL_INTEGER">
    </CFQUERY>
    <CFLOCATION url="thanks.cfm" addtoken="No">
</CFIF>