Configure the CyberSource integration

The CyberSource integration lets your store accept credit card payments.

To use the integration, you must have both a CyberSource merchant account and an activated CyberSource Secure Acceptance Checkout API profile. If you do not already have a CyberSource account, go to to obtain an evaluation account. An evaluation account lets you configure and test the CyberSource integration. You will need to register for a paid merchant account (including both Payment Gateway and Tokenization) before your store can go live and accept payments from shoppers.

CyberSource Secure Acceptance Checkout API allows Commerce to send payment card data directly from a shopper’s browser to CyberSource. No credit card data is ever stored on Oracle servers. CyberSource securely stores all the card information, replacing it with a unique identifier called a payment token. The payment token is stored on CyberSource servers and in a property of the associated order on Oracle servers. The token is used in all processing tasks associated with the order, including settlement, refunds, and shipping.

To learn how to create a Secure Acceptance Checkout API profile, see Create a Checkout API Profile in theSecure Acceptance Checkout API Integration Guide. This guide is available on the CyberSource website.

Note: Commerce uses HMAC-SHA256 to generate the request signature and validate the response signature for requests and responses sent as part of the CyberSource integration. For more information, see Secure Your Service.

Configure Oracle Commerce settings

This section describes how to configure the CyberSource integration in Oracle Commerce. Make sure you have your CyberSource account information on hand when you perform the following steps.

  1. Click the Settings icon, then select Payment Processing.
  2. On the Payment Gateways tab, select CyberSource.
  3. Under Account Information, click Use CyberSource and enter your CyberSource account information.
  4. Select one of the following environments and then enter your security keys for the Secure Acceptance Checkout API. Each environment requires its own security key. You cannot use the same security key for more than one environment.

    Preview: Your store’s preview environment

    Agent: The Commerce Agent Console

    Storefront: Your production storefront

  5. Click Save.

Account Information

These properties identify your CyberSource account. All properties are required.

Property Description
Merchant ID Merchant ID for your CyberSource account.

First Name

Last Name

First name and surname for the contact.

This is usually the name of the person listed as the contact in your CyberSource account, but it can be different.

Username Login name for your CyberSource account.

Security Keys for Secure Acceptance

These properties identify your CyberSource Secure Acceptance Checkout API profile. If you configure properties for both the Storefront and Agent configurations, use the same properties for both. All properties are required.

Property Description
Profile ID The ID for your CyberSource Secure Acceptance Checkout API profile.
Access Key Authenticates your account with CyberSource.
Secret Key The secret key associated with the access key you entered. The secret key signs the transaction data and is required for each transaction.

The URL used to send the form to CyberSource for processing the payment.

For test and preview environments, set this to:

For production environments, set this to:

Test the CyberSource integration

Once the CyberSource integration is configured, you should be able to go to your store and place a test transaction. If the transactions are successful, the orders will be visible in Oracle Commerce reports in the CyberSource Business Center under Transaction Search.

Note: You cannot place test transactions in preview mode; you must place them from your store. See Preview your store for information about preview mode.

The following page provides a list of test credit card numbers:

Note that to enable communication between CyberSource and your Commerce sites, you must add the appropriate URL and HTTP methods to the allowedOriginMethods property of each site object, and then publish your changes. For example, for a site whose ID is siteUK:

PUT /ccadmin/v1/sites/siteUK HTTP/1.1
Authorization: Bearer <access_token>
x-ccasset-language: en

 "properties": {
 "allowedOriginMethods": {

For more information, see CORS support.