Payment integration

Both WebSphere Commerce and DOM share a similar set of rules controlling the payment processing flow. WebSphere Commerce features a Payment Plug-in (with Payment Plug-in Controller) module, which manages shipped and custom connections to payment gateways. DOM features more advanced functionality in its payment processing business logic. For example, additional authorization control over amount and when to authorize, multiple types of invoices, and refunds and refund fulfillment orders. DOM also supplies SSDCS (Sensitive Data Capture Server), which handles the payment capture process for SSFS (Sterling Selling and Fulfillment Suite) to keep the PA-DSS (Payment Application Data Security Standard) scope limited.

Important: Review the following information for your version of WebSphere Commerce:

Review information about APAR fixes for integration of IBM WebSphere Commerce and IBM Sterling Order Management. For more information about integrating IBM WebSphere Commerce Version 7 Feature Pack 8 (or later) with IBM Sterling Order Management Release 9.3, see WebSphere Commerce integration with Sterling Order Management. For more information about integrating IBM WebSphere Commerce Version 7 Feature Pack 5 (or later) with IBM Sterling Order Management Release 9.2.1 (or later), see WebSphere Commerce integration with Sterling Order Management.
You can integrate Sterling Order Management with WebSphere Commerce using either Direct Integration or IBM® WebSphere Enterprise Service Bus (WESB) integration. With Direct Integration, the functions to convert message content and format are performed by services in the Sterling Order Management Service Definition Framework (SDF). For information about using Direct Integration to integrate Sterling Order Management with WebSphere Commerce, see Direct Integration with WebSphere Commerce.

The implications for the PA-DSS are greatly tied to the path going forward. The is a user interface punch-out designed to capture the sensitive payment information without exposing the encapsulating user interface to the sensitive information. This removes most other applications from the PA-DSS scope, and most PA-DSS requirements from scope too.

To pass on the required payment information, including the PAN token when WebSphere Commerce transfers the order to Sterling DOM, the following functionality is provided:

PAN tokenization with SSDCS integration

The WebSphere Commerce storefront integrates with SSDCS for PAN tokenization. Tokenization is used in WebSphere Commerce where an external tokenization service is evoked to convert the primary account number, for example, a credit card number, into a token. This is used in payment integration to ensure the primary account number is not passed to the backend DOM system.

The following diagram depicts this flow:
Payment integration flow

Where:

The live PAN is submitted to the WebSphere Commerce server with other shipping and billing information. In the WebSphere Commerce payments component, the live PAN is validated with the LUHN algorithm in the Payment Rule Engine layer. When it is passed to the Payment Plug-in Controller layer, the encrypted PAN is written to the WebSphere Commerce database as the payment method's protocol data.
When an authorization request is raised in WebSphere Commerce, in the Payment Plug-in Controller, the token is retrieved from the database and sent to the Payment Gateway to process payment request using the Payment Plug-in interface.
Before an order is transferred to Sterling DOM:
1. 3A: The live PAN is retrieved from the database and sent to the Card Vault for tokenization by calling the PAL in the Payment Module internally.
2. 3B: The token is returned to WebSphere Commerce through PAL.
3. 3C: The token is transferred to Sterling DOM with other order and payment information.

Note: You must customize this flow to suit your business needs. That is, you must configure the IBM_TransferOrder access profile to call the TokenizeAccountNumberCmd to tokenize the account number:

To enable payment integration support, you must supply your PAN tokenization logic to WebSphere Commerce by implementing the TokenizeAccountNumberCmd task command to return a token. This task command is called by the ComposeTransferOrderCmdImpl, an implementation of the ComposeOrderCmd task command for the transfer order integration flow, to tokenize the PAN when composing the payment-related information of an Order noun for the purpose of order transfer.

Configuring order transfer commands for payments

ProcessOrderSubmitEventCmdImpl recognizes the following configuration in WC_eardir/xml/config/com.ibm.commerce.order-ext/wc-admin-component.xml:


<_config:configgrouping name="TransferOrder">
     <_config:property name="accessProfile" value="IBM_TransferOrder"/>
 </_config:configgrouping>

By default (when this configuration is not specified) ProcessOrderSubmitEventCmdImpl preserves its current behavior and uses the existing IBM_Details access profile to compose the order details.

To support payment integration and dynamic kits, the IBM_TransferOrder access profile and its corresponding ComposeOrderCmd implementation, ComposeTransferOrderCmdImpl, is provided specifically for transfer order. In addition to the existing order details, ComposeTransferOrderCmdImpl adds the following information:

Unencrypted payment and transaction information, excluding the PAN.
The tokenized PAN returned by a call to TokenizeAccountNumberCmd.
The configuration XML string of each order item (if they exist).