Use Credit Card Tokens to Improve Security

Use tokens to improve security for the credit cards that you use with Order Management.

If you use credit cards to make payment in your upstream source system, then you can use this feature to include credit card tokens that remove sensitive details when you pay for the sales order transaction.

• Use it to help meet the Payment Card Industry Data Security Standard (PCI DSS) requirements in your order-to-cash process.

• Specify exact, credit card details in a secure way to pay for the transaction. Use the card token without handling any sensitive credit card details.

• Send a value that identifies the authorization request to your upstream source system.

• Order Management gets token details from the Payment Gateway and sends them to Oracle Payments to finish the payment.

• Order Management sends token details to Oracle Payments to validate, authorize and process the payment. You can send details about the credit card token on the order header and the order line. Use this feature to get the value that identifies the authorization request and the authorized amount from the CyberSource payment gateway.

Note

• To use this feature, you must enable the FOM_ENABLE_CARD_PAYMENT order profile. For details, see Enable the Credit Card Feature in Order Management.

• This feature applies only for source orders that you import through REST API.

• You can process credit card details in Oracle Applications only under controlled availability.

• Credit card processing is available only for Oracle Applications services that use Oracle Payments.

• Credit card processing is available only in data centers where Oracle Payments is certified for Payment Card Industry Data Security Standard (PCI DSS v3.2.1).

• You can use Oracle Payments only with payment gateways that can process tokens and credit card payments. For details about the certified data centers and payment gateways that you can use, see Is Credit Card Processing Supported In Oracle Applications? (Doc ID 1949941.1).

• Send tokenization attributes for the credit card only when the Payment Method attribute equals Credit Card. If you don't use this method, then Order Management won't create the sales order.

• The Credit Card Token attribute is required only if your import payload includes the token attributes for the credit card.

For details and examples, go to REST API for Oracle Supply Chain Management Cloud, expand Order Management, then click Sales Orders for Order Hub.

Caution: You must never send credit card numbers that aren't tokenized to Oracle Cloud Service. If they aren't tokenized, then you must modify them so they don't reveal the actual card number. For example, you can truncate the number so that you send no more than the first six digits or the last four digits of the number.You must never send the credit card data, including credit card tokens, outside the supported business flows through a file, attachment, email, descriptive flexfield, or any other attribute.

How it Works

Here's a summary of how it works.

Note

1. You import credit card details through a REST API payload.

2. Order Management calls Oracle Payments.

3. Payments communicates with CyberSource to validate and store the details that you import.

4. Payments sends the Payment Transaction Extension Identifier to Order Management.

5. To view credit card details, you go to the Order Management work area, open your sales order, go to the Billing and Payment Details tab, then use the Payment Status dialog on the order line.

REST API

Use attributes in your REST API payload.

Scenario	Variation
Resource	Attribute	Description
payments	CardTokenNumber	Token number from the service that provides the token for the card number. If you import a token and an authorization, then you must include a value for CardTokenNumber.
payments	CardFirstName	First name of the card holder.
payments	CardLastName	Last name of the card holder.
payments	CardExpirationDate	Expiration date on the credit card. Provide a value in the format YYYY/MM/DD.
payments	CardIssuerCode	Abbreviation that identifies the organization that issues the card, such as Visa or MasterCard.
payments	MaskedCardNumber	Masked format that displays only the last four digits of a card number, and replaces all other digits with an X, for security purposes. The length of the value for MaskedCardNumber must match the length of the number on the card. For example, for a Visa card with number 4123456789012345, set MaskedCardNumber to XXXXXXXXXXXX2345.
payments	AuthorizationRequestId	Value that uniquely identifies the authorization request that you receive from the token service. If you don't want to use CardTokenNumber to authorize your import, then you must provide a value for AuthorizationRequestId or VoiceAuthorizationCode. If you provide a value for both of these attributes, then the import uses AuthorizationRequestId.
payments	VoiceAuthorizationCode	Abbreviation that identifies the voice authorization. If you don't want to use CardTokenNumber to authorize your import, then you must provide a value for AuthorizationRequestId or VoiceAuthorizationCode. If you provide a value for both of these attributes, then the import uses AuthorizationRequestId.
payments	PaymentServerOrderNumber	Number that identifies the card payment that Oracle Payment Server authorized.
payments	AuthorizedAmount	Amount that the token service authorized for the transaction. If you provide a value in the AuthorizationRequestId in your import payload, then you must also include a value for AuthorizedAmount.