
Understanding Credit Card Verification Number Encryption

To enhance the security of credit card transactions, the CRM system supports the inclusion of a verification number in the credit card authorization process. A verification number, also known as a card identification number, card authentication value, or card validation code depending on the card company, is a 3-digit or 4-digit code that is printed on the back or the face of the credit card. The number is uniquely associated with the card account number as well as the physical credit card. For transactional components that support credit card payments, a field is available to capture the verification number of the credit card. When a transaction paid by credit card is submitted, the specified credit card information and the verification number are sent to the authorization process.

In compliance with the guidelines recommended by the PCI Security Standards Council regarding sensitive authentication data, the verification number is removed permanently from the database once the authorization process completes (passed or failed). In situations where the card data is accepted but not immediately authorized (for example, future dated orders that are saved in the database and not submitted until the order date is reached), the verification number is stored in an encrypted format and is masked with XXX when displayed in the field until the value is deleted after authorization.
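The lifecycle described above, sketched as an added example that is not PeopleSoft code: the table `cc_order`, its columns and the status values are hypothetical, and `cv_enc` is assumed to hold ciphertext produced by a separate encryption step. It shows the purge sharing a transaction with the status change, plus an audit query for rows that kept a verification number after authorization completed.

```python
import sqlite3

FINAL = ("AUTHORIZED", "DECLINED")  # authorization completed, passed or failed

def open_store():
    # Hypothetical table; cv_enc holds ciphertext produced elsewhere, never plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cc_order (order_id TEXT PRIMARY KEY, "
                 "status TEXT NOT NULL, cv_enc BLOB)")
    return conn

def save_future_dated(conn, order_id, cv_ciphertext):
    # Card data accepted but not yet authorized: keep only the encrypted value.
    with conn:
        conn.execute("INSERT INTO cc_order VALUES (?, 'PENDING', ?)",
                     (order_id, cv_ciphertext))

def display_value(conn, order_id):
    # The field shows a fixed mask, never a decrypted or partial value.
    row = conn.execute("SELECT cv_enc FROM cc_order WHERE order_id = ?",
                       (order_id,)).fetchone()
    return "XXX" if row and row[0] is not None else ""

def complete_authorization(conn, order_id, approved):
    # Status change and purge share one transaction, so no final-state row
    # can keep a verification number, whether authorization passed or failed.
    with conn:
        conn.execute("UPDATE cc_order SET status = ?, cv_enc = NULL "
                     "WHERE order_id = ?",
                     ("AUTHORIZED" if approved else "DECLINED", order_id))

def retention_violations(conn):
    # Audit: any completed authorization that still holds a verification number.
    rows = conn.execute("SELECT order_id FROM cc_order WHERE cv_enc IS NOT NULL "
                        "AND status IN (?, ?) ORDER BY order_id", FINAL)
    return [r[0] for r in rows]
```
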

Here is a list of transactional components that support credit card payments and accept a verification number for authorization processing:

Note: Because of its sensitive nature, the verification number is not stored or displayed in the section of the Person component where credit card entries are stored, nor is it passed to another system (for example, a supply chain system) through integration points.

Integration Technology

PeopleSoft CRM uses the Integration Broker messaging technology (SOAP) to perform credit card authorizations with CyberSource (certified third-party vendor).

To facilitate message exchange between the PeopleSoft and Cybersource systems, an application engine program (CYB_SOAP_REQ) is used to transform authorization request and response messages to the appropriate format for the system that receives them.

The system delivers a node called PSFT_CYB in Integration Broker as part of the integration setup. This node contains the Cybersource-specific HTTP connector settings for contacting the authorization servers via SOAP as well as message transformation and routing settings.

Note: This SOAP-based integration uses core Integration Broker functionality that is available in all PeopleTools versions, which ensures backward and forward compatibility without reliance on third-party software support. Because it is native PeopleTools functionality, it is easier for customers to set up, deploy and maintain.

This integration uses secure SSL (secure sockets layer) encryption.

Customers who use other non-Cybersource third-party vendors for credit card authorizations can also leverage this SOAP solution with few custom modifications. These changes include an updated node definition and routing properties for their vendors, and possibly a new transformation program (or an updated one based on the delivered transformation program) that formats messages circulating between PeopleSoft and their vendors. The underlying Enterprise Components message stubs and transaction triggers remain the same.

To avoid the potential issue of storing and displaying sensitive data in the Integration Broker logs and Service Operations Monitor, the log detail setting in the routing definition for the messages is set to No Logging as delivered.
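One way to check that no card data reached a log despite that setting, as an added example that is not part of the product: the element names `cvNumber` and `accountNumber` are assumed from CyberSource's card fields and do not appear on this page, and the log lines are constructed. Findings report only the line and the kind of data, never the matched value.

```python
import re

# Assumed element names (CyberSource card fields); adjust to the messages in use.
CV_ELEMENT = re.compile(r"<(?:\w+:)?cvNumber>\s*\d{3,4}\s*</(?:\w+:)?cvNumber>")
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    # Luhn checksum separates real card numbers from other long digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_log(text):
    """Return (line_number, kind) findings; matched values are never returned."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if CV_ELEMENT.search(line):
            findings.append((n, "verification_number"))
        if any(luhn_ok(m) for m in PAN_CANDIDATE.findall(line)):
            findings.append((n, "card_number"))
    return findings

# Constructed sample: line 2 is what a logged request body would look like,
# line 3 holds a 16-digit identifier that fails the Luhn check.
SAMPLE_LOG = "\n".join([
    "2024-01-01 10:00:00 routing=CONSTRUCTED status=Done",
    "2024-01-01 10:00:01 body=<card><accountNumber>4111111111111111"
    "</accountNumber><cvNumber>123</cvNumber></card>",
    "2024-01-01 10:00:02 transaction id 1234567890123456 logged",
])

if __name__ == "__main__":
    for line_no, kind in audit_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} present in log")
```
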

General Settings for Credit Card Authorizations with Cybersource

A system-wide setting is available to make the provision of a credit card verification number mandatory for authorization processing. When the setting is enabled, an error message appears if the user fails to enter a verification number when the credit card transaction is being submitted for authorization. In the case of an order, it is put on credit card hold if the verification number is not present.

For security verification purposes, the CRM system requires that the Cybersource user ID, merchant ID and merchant key be provided on the Installation Options page. These fields are included in the SOAP message for security verification during credit card authorization.

See General Options Page.

Cybersource SOAP Connectivity

Refer to the CRM installation guide for more information on how to set up the integration with Cybersource, which includes these high-level steps:

  1. Set up the web server with the SSL certificate provided by Cybersource and the new proxy server setting.

  2. Make sure to enter your Cybersource user ID, merchant ID and merchant key information on the Installation Options page.

  3. Make sure the PSFT_CYB node is set up properly (connector and routing information in particular) and activated.

  4. Test the connectivity using the Test Credit Card Interface component.

See PeopleSoft Customer Relationship Management Installation Guide product documentation.

CyberSource Hosted Order Page

To help customers improve data security and reduce liability and effort required to meet security standards for storing sensitive credit card data, CRM provides a hosted payment option in which all payment processing is handled on a third party hosted website.

The Third-Party Storage and Payment Hosting feature integrates the Online Marketing (OLM) Dialog Execution Server (DES) with the CyberSource Hosted Order Page (HOP). HOP refers to the third-party site where payment processing takes place; it allows a dialog to be presented to a consumer, who can then provide payment as part of the dialog flow. The payment process takes place on a third-party system, which returns receipt details to Online Marketing. Only receipt details are stored in the PeopleSoft database. Currently, credit card data is encrypted, stored and maintained in the PeopleSoft database records. In CRM, an installation option is available for customers to decide if they want to switch to the hosted payment option, or remain on the current CRM methods of payment entry, transmission, and storage.

If the hosted payment option is selected, the system takes the input from each component and transfers control of the transaction to a third-party hosted site, CyberSource. Users are then transferred within the current browser window to the card processor's site during checkout where they will enter their card data for approval.

Note: Once the Hosted Order Page option is selected, you cannot return to the SOAP option.