Using Secure Acceptance Checkout API : Secure Acceptance Transaction Flow
Secure Acceptance Transaction Flow
The Secure Acceptance Checkout API transaction flow is illustrated in Figure 1 and described below.
Figure 1
Secure Acceptance Checkout API Transaction Flow
 
4
Display the checkout page on your customer’s browser with a form to collect their payment information and include a signature to validate their order information (signed data fields).
 
* 
5
The customer enters and submits their payment details (the unsigned data fields). The transaction request message, the signature, and the signed and unsigned data fields are sent directly from your customer’s browser to the CyberSource servers. The unsigned data fields do not pass through your network.
CyberSource reviews and validates the transaction request data to confirm it has not been amended or tampered with and that it contains valid authentication credentials. CyberSource processes the transaction and creates and signs the reply message. The reply message is sent to the customer’s browser as an automated HTTPS form POST.
 
* 
6
The reply HTTPS POST data contains the transaction result in addition to the masked payment data that was collected outside of your domain. Validate the reply signature to confirm that the reply data has not been amended or tampered with.
If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the CyberSource Simple Order API to submit a capture request when goods are shipped.
7
CyberSource recommends implementing the merchant POST URL notification (see Receiving Merchant Notifications) as a backup means of determining the transaction result. This method does not rely on your customer’s browser. You receive the transaction result even if your customer lost connection after confirming the payment.