Feature Pack 8

Tutorial: Passing sensitive payment data to back-end processes when the data is not persisted

In this tutorial, you learn how to customize a WebSphere Commerce starter store to pass sensitive payment data to back-end processes. Specifically, you learn how to send card verification code information to the order process for payment authorization when your site does not temporarily store the card verification code for payment authorization purposes.

Attention: It is recommended that you do not permanently store any card verification code information for any customer. This verification code is the three-digit or four-digit number that is printed on the front or back of a payment card and that is used to verify card-not-present transactions. By default, WebSphere Commerce stores a card verification code only temporarily for validating payment authorization. The code is temporarily stored in the PPCEXTDATA database tables to complete payment authorization. After the authorization is complete, WebSphere Commerce removes the code from the database.

Depending on your business requirements, you can configure your site so that the card verification code does not need to be temporarily stored. This configuration requires the PaymentSystemPluginMapping.xml configuration file for your site to be updated to include the parameter neverPersist with a value of "true". With this configuration, WebSphere Commerce captures the card verification code and sends it for payment authorization in a single transaction. By sending the data in a single transaction, you eliminate the need to temporarily store the code information.
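The following Python script is an added example, not part of the original tutorial or of WebSphere Commerce. It audits a mapping file for card verification code keywords that are not marked neverPersist="true". Only the neverPersist parameter comes from this page; the XML element names, the cc_cvc keyword name, and the sample plug-in names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed protocol-data name for the card verification code; adjust to your plug-in.
SENSITIVE_KEYWORDS = {"cc_cvc"}

# Constructed sample. Element names and attributes other than neverPersist are assumptions.
SAMPLE_MAPPING = """<PaymentMappings>
  <Mapping paymentConfigurationId="default" PluginName="GatewayA">
    <Keyword name="cc_cvc" neverPersist="true"/>
    <Keyword name="account" mask="*" plain="4"/>
  </Mapping>
  <Mapping paymentConfigurationId="default" PluginName="GatewayB">
    <Keyword name="cc_cvc" removeAfterApproval="true"/>
  </Mapping>
  <Mapping paymentConfigurationId="default" PluginName="GatewayC">
    <Keyword name="cc_cvc" neverPersist="false"/>
  </Mapping>
</PaymentMappings>"""

def audit_never_persist(xml_text, sensitive=SENSITIVE_KEYWORDS):
    """Return (plugin, keyword, problem) tuples for keywords that may be persisted."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings, seen = [], set()
    for elem in root.iter():
        name = elem.get("name")
        if name not in sensitive:
            continue
        seen.add(name)
        # Walk up to the nearest ancestor that names a plug-in, for reporting.
        plugin, node = "?", elem
        while node in parents:
            node = parents[node]
            if node.get("PluginName"):
                plugin = node.get("PluginName")
                break
        value = elem.get("neverPersist")
        if value is None:
            findings.append((plugin, name, "neverPersist missing"))
        elif value != "true":  # strict match: anything but "true" is flagged
            findings.append((plugin, name, f"neverPersist={value!r}"))
    # A sensitive keyword with no entry at all cannot be confirmed either way.
    for name in sorted(set(sensitive) - seen):
        findings.append(("*", name, "keyword not declared"))
    return findings

if __name__ == "__main__":
    print(*audit_never_persist(SAMPLE_MAPPING), sep="\n")
```

Run against the sample, the script reports GatewayB (parameter missing) and GatewayC (parameter set to "false") and passes GatewayA.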

For more information about protecting stored cardholder data, see Requirement 3: Protect stored cardholder data.

If your store is based on a web 2.0 starter store, such as the Aurora starter store, and is configured to never persist card verification data, you must customize your store before the card verification code information can be passed from the store page where a customer enters the information to the Order Summary page for validating the payment authorization. In stores that are based on a web 2.0 starter store, the payment information for a customer is captured on the Shipping and Billing Method store page. The order process, however, is handled on the Order Summary page. By default, the order process does not retrieve the card verification code data for payment authorization from the Shipping and Billing Method page. If the card verification code is not temporarily persisted, the order process cannot retrieve the information to include as parameters in the OrderProcess request. To include the information as parameters, you must customize your store to pass the sensitive payment information from the Shipping and Billing Method page to the Order Summary page.

Note: This tutorial uses only a single payment method for a single order and single shipment to demonstrate how to customize your store.

Learning objectives

By completing this tutorial, you learn how to complete the following tasks:
  • Update store pages to retrieve and send sensitive payment information such as card verification code data
  • Update OrderProcess functions to receive card verification code data as parameters for payment authorization when a customer submits an order

Time required

This tutorial can take approximately 1 hour to finish. If you explore other concepts that are related to this tutorial, the tutorial can take longer to complete.

Skill level

This tutorial is intended for WebSphere Commerce developers who are responsible for configuring the payments subsystem for a store. Ensure that you are familiar with the following concepts:
  • HTML
  • JSP
  • Java
  • JavaScript
  • REST services

System requirements

Before you begin this tutorial, ensure that you complete the following tasks:
  • Install WebSphere Commerce Developer Version 7
  • Install WebSphere Commerce Developer Feature Pack 8
  • Publish a store that is based on the Feature Pack 8 Aurora starter store. This tutorial uses, and is tested on, this store to demonstrate how to customize a store to pass sensitive payment data to back-end processes.