Understand webhooks and PCI DSS compliance

Not all external systems you integrate with Oracle Commerce will comply with the Payment Card Industry Data Security Standard (PCI DSS).

For example, while your order management system will likely comply with PCI DSS, systems that manage services like email marketing or customer loyalty programs might not be compliant.

Oracle Commerce provides three webhooks that exclude payment details from the order data you send to systems that do not comply with PCI DSS:

  • Order Submit Without Payment Details fires when an order has been successfully submitted by a customer or an agent.
  • Return Request Update Without Payment Details fires when a return request has been successfully processed by an agent.
  • Return Request Validation Without Payment Details queries an external system to determine whether an order is returnable.

Important: Oracle Commerce does not verify that the systems to which you send webhook notifications comply with PCI DSS. You are responsible for determining whether each target system is compliant. If you know the target system does not comply with PCI DSS, or if you are unsure whether it does, use the Without Payment Details versions of the webhooks.

The following table describes the components of the paymentGroups object that are excluded from the request in the Without Payment Details versions of the webhooks (the versions intended for systems that do not comply with PCI DSS).

paymentGroups component   Description
-----------------------   -----------
authorizationStatus       An array of authorization status objects.
token                     The payment token string. This component is valid only if the paymentGroupClassType is tokenizedCreditCard.
expirationMonth           The two-digit credit card expiration month. This component is valid only if the paymentGroupClassType is tokenizedCreditCard.
expirationYear            The four-digit credit card expiration year. This component is valid only if the paymentGroupClassType is tokenizedCreditCard.
paymentGroupClassType     The class type of the payment group. Valid values are tokenizedCreditCard or externalPaymentGroup.
creditCardNumber          The last four digits of the credit card number. This component is valid only if the paymentGroupClassType is tokenizedCreditCard.
submittedDate             The date the payment was submitted.

The following example shows the paymentGroups portion of an Order Submit webhook POST request.

"paymentGroups": [{
    "id": "pg30411",
    "amount": 277.97,
    "authorizationStatus": [{
        "amount": 277.97,
        "errorMessage": "Request was processed successfully.",
        "authorizationDecision": "ACCEPT",
        "transactionId": "bupovkdslhd8or1i869pj1bls",
        "reasonCode": "100",
        "transactionUuid": "75afb7640b5a43e88341572869adbda6",
        "transactionSuccess": true,
        "currency": "USD"
    }],
    "currencyCode": "USD",
    "token": "9997000108950573",
    "expirationMonth": "02",
    "expirationYear": "2019",
    "paymentGroupClassType": "tokenizedCreditCard",
    "creditCardNumber": "1111",
    "submittedDate": "2015-12-16T10:25:41.894Z",
    "billingAddress": {
        "middleName": null,
        "lastName": "Shopper",
        "ownerId": null,
        "state": "NY",
        "address1": "100 MyStreet Ave",
        "address2": null,
        "address3": null,
        "companyName": null,
        "suffix": null,
        "country": "US",
        "city": "MyTown",
        "faxNumber": null,
        "postalCode": "13202",
        "phoneNumber": "212-555-0100",
        "email": "shopper@example.com",
        "county": null,
        "prefix": null,
        "firstName": "Sally",
        "jobTitle": null
    },
    "amountAuthorized": 277.97,
    "paymentMethod": "tokenizedCreditCard"
}]

The following example shows the paymentGroups portion of an Order Submit Without Payment Details webhook POST request.

"paymentGroups": [{
    "id": "pg30411",
    "amount": 277.97,
    "billingAddress": {
        "middleName": null,
        "lastName": "Shopper",
        "ownerId": null,
        "state": "NY",
        "address1": "100 MyStreet Ave",
        "address2": null,
        "address3": null,
        "companyName": null,
        "suffix": null,
        "country": "US",
        "city": "MyTown",
        "faxNumber": null,
        "postalCode": "13202",
        "phoneNumber": "212-555-0100",
        "email": "shopper@example.com",
        "county": null,
        "prefix": null,
        "firstName": "Sally",
        "jobTitle": null
    },
    "amountAuthorized": 277.97,
    "paymentMethod": "tokenizedCreditCard"
}]
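As an added example (not Oracle's code), a receiver-side check that a non-PCI target system can run on each incoming webhook payload: it reports which of the seven paymentGroups components from the table above are still present, and strips them to produce the shape of the Without Payment Details variant. The sample order is a constructed, abbreviated copy of the page's Order Submit paymentGroups example; the function and constant names are this example's own.

```python
import json

# The seven paymentGroups components the table above lists as excluded
# from the Without Payment Details webhooks.
PAYMENT_DETAIL_FIELDS = frozenset({
    "authorizationStatus", "token", "expirationMonth", "expirationYear",
    "paymentGroupClassType", "creditCardNumber", "submittedDate",
})


def find_payment_details(order):
    """Return {payment group id: [excluded components present]} for every
    paymentGroups entry that still carries one. An empty dict means the
    payload has the Without Payment Details shape."""
    leaks = {}
    for group in order.get("paymentGroups", []):
        present = sorted(k for k in group if k in PAYMENT_DETAIL_FIELDS)
        if present:
            leaks[group.get("id", "<no id>")] = present
    return leaks


def strip_payment_details(order):
    """Return a copy of the order with the excluded components removed
    from every paymentGroups entry; the input is left untouched."""
    cleaned = dict(order)
    cleaned["paymentGroups"] = [
        {k: v for k, v in group.items() if k not in PAYMENT_DETAIL_FIELDS}
        for group in order.get("paymentGroups", [])
    ]
    return cleaned


# Constructed sample: the page's Order Submit paymentGroups, abbreviated.
SAMPLE_ORDER = json.loads("""{
  "paymentGroups": [{
    "id": "pg30411",
    "amount": 277.97,
    "authorizationStatus": [{"authorizationDecision": "ACCEPT",
                             "transactionId": "bupovkdslhd8or1i869pj1bls"}],
    "currencyCode": "USD",
    "token": "9997000108950573",
    "expirationMonth": "02",
    "expirationYear": "2019",
    "paymentGroupClassType": "tokenizedCreditCard",
    "creditCardNumber": "1111",
    "submittedDate": "2015-12-16T10:25:41.894Z",
    "billingAddress": {"lastName": "Shopper", "postalCode": "13202"},
    "amountAuthorized": 277.97,
    "paymentMethod": "tokenizedCreditCard"
  }]
}""")

if __name__ == "__main__":
    print(find_payment_details(SAMPLE_ORDER))
    print(find_payment_details(strip_payment_details(SAMPLE_ORDER)))
```

Note that the page's own Without Payment Details example also omits currencyCode, which the table does not list, so compare the check's field set against the actual payloads your instance emits rather than relying on the table alone.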