XP Cloud:Tokenization and Re-Use of Saved Credit Cards
In this section:
If you serve repeat customers or need to run recurring payments, you may want to be able to store your customers' credit or debit card information so you will not have to ask for it again every time a purchase is made. However, according to PCI DSS, an industry-wide standard that must be met by any organization that stores, processes, or transmits cardholder data, storing customers' card information is not allowed for regular merchants - unless they take steps to implement a number of security aspects and undergo an expensive and time-consuming process of certification to ensure that all the PCI DSS requirements have been thoroughly met.
X-Payments Cloud provides a PCI DSS compliant solution that allows you to charge customer credit cards again when you use certain payment gateways. You get all the benefits of storing your customers' card information - without actually storing it on your system. This is made possible through the use of the so-called "tokenization". Tokenization is a means of protecting sensitive cardholder data that was designed to reduce the risks associated with storing credit card information for merchants. The technology is meant to prevent the theft of the credit card information in storage. It replaces your customer's credit card details with a special number (token) that can be used to charge again the customer’s credit card via an integrated payment gateway. As sensitive information is stored not on the merchant site, but in a secure PCI DSS compliant environment of the payment system, use of tokenization significantly simplifies PCI DSS compliance for the merchant.
Support for tokenization and re-use of saved credit card information is available for a number of payment gateways with which X-Payments Cloud works. To find out whether a specific payment gateway supports tokenization, see the list of supported payment gateways for X-Payments Cloud.
If your store has an active (enabled) payment configuration associated with a payment method with tokenization support, customers that have a user account at your store will be able to save their credit card information for future orders. They will be able to save a card during checkout:
or via a special section in their user profile (For instance, in X-Cart 5, the respective page can be found under My account > Details > Saved cards):
All sensitive information associated with the card will be saved in a secure PCI DSS compliant environment of the payment system and available for re-use via X-Payments Cloud through the use of tokenization.
X-Payments Cloud allows a customer to save up to three credit or debit cards. Customers who have one or more saved cards associated with their user profile can choose which card to use for each specific order at your store. They can also manage the saved cards in their user profile.
For Authorize.Net and Intuit QuickBooks Payments, using sensitive customer payment information tokenization has some specifics described below.
During the initial transaction - when a customer chooses to save their credit card for future use and enters the credit card information to be saved using a secure form provided by X-Payments Cloud - this secure form in which the information is entered requires them to enter a Card Security Code (CSC/CVV2). This code is required only for the authorization of the transaction used to save the credit card info, and it is not saved or stored anywhere. Further payment transactions on the saved credit card do not require that CSC/CVV2 be entered.
However, the merchant back end of each of the above-named payment gateways provides some security settings allowing the merchant to customize the credit card authorization process for online transactions. Among them, there is a setting that can be used to allow or forbid the processing of transactions with Card Security Code unavailable. If this setting is adjusted in such a way that CSC/CVV2 is required for all payment transactions at all times, it will cause problems related to the store's ability to use the tokenization feature: for a saved credit card all payment transactions but for the very first one (the one that was used to save the card info) will be rejected by the payment gateway because of the missing CSC/CVV2. The payment gateway may generate errors similar to the following: "A validation error occurred while processing this transaction: Card Verification Code not available."
To avoid this problem, make sure that the payment gateway setting requiring the gateway to reject payment transactions with no CSC/CVV2 is not enabled. This will not cause your store to stop requesting CSC/CVV2 altogether because the X-Payments Cloud secure form employed by your store to collect credit card information treats the CVV field as required at all times - regardless of the payment gateway settings.
Following are instructions for how to achieve proper payment gateway account configuration for the specific payment gateways.
- Intuit QuickBooks Payments
In the merchant settings, change the setting for If CSC is not available to Accept Transaction:
- Authorize.Net CIM
- Log on to the Merchant Interface at https://account.authorize.net.
- Select Settings under Account in the main menu on the left.
- Click Card Code Verification.
- Click to select the check box(es) next to the Card Code responses for which the payment gateway should reject transactions. Make sure you do not enable the option to reject transactions where the Card Code is unavailable. This, however, is different from transactions for which the Card Code is incorrect; we strongly recommend you keep the option to reject any transactions with incorrect Card Code enabled.
- Click Submit. A confirmation message indicates that your settings have been successfully applied.
Charging Saved Credit Cards
X-Payments Cloud allows you to charge again the cards that have been used at your store to pay you via an X-Payments Cloud integrated payment method with support for tokenization and have been saved in the customer's user profile for future use.
To charge a saved credit card via the X-Payments Cloud admin panel:
- Find the initial payment that was made using the card that needs to be charged and open its details for viewing. To find the initial payment, use any of the following links:
If necessary, use filtering/advanced search.
- On the Payment details page displaying the details of the initial payment, click the 'Charge this card again' link. A popup form titled 'Charge this card again' will be displayed allowing you to specify the parameters of the new payment:
- In the 'Charge this card again' form, enter the amount that needs to be charged. If you wish you can also provide a comment for yourself - something to make your job easier later when you will be figuring out what this payment is for.
- Click the Charge this card again button at the bottom of the form.
Confirm the action. The card will be charged, and the new payment will be created in X-Payments Cloud. The newly created payment will be marked as associated with the initial payment:
Viewing Payments Made with Saved Credit Cards
In X-Payments Cloud, all payments made using a saved card are linked to the initial payment made using this card and are considered "based" on this payment. You can tell whether a payment was made using a saved card by the contents of its Reference ID field: independent payments have reference IDs like "#N", whereas payments based on another payment (payments made using a saved card) have a link in the Reference ID field that looks like "Payment #N" and points to the Payment details page of the initial payment.
Get/update tokenized card feature
X-Payments Cloud supports the Get/update card feature for some payment integrations. These include:
- Chase Paymentech Orbital.
The Get/update card feature aims to protect your customer relationships by enabling you to quickly and easily update the details of tokenized cards that have been used for payment at your store (including the masked card number, expiry date, etc.)
Customer card information may change for a variety of reasons, including card expirations, lost or stolen cards, upgrades and so on. The Get/update tokenized card feature enables you to provide uninterrupted service to your customers keeping the updating process transparent to them.
To use the feature, you will need to enable the payment gateway's card information updating service in your payment gateway account (or, depending on the gateway, to have the gateway support enable it for you). This way you will get access to the gateway's interface allowing you to request an update of information for the credit cards that have been previously saved for use at your store and are now stored in the gateway's secure vault. Depending on the gateway, the tools you will get for updating your customers' payment card information will range from the simplest button that you click to request an update to more complex schedulers enabling you to schedule payment information updates according to your needs. After you request an update of your customers' payment information, the gateway will submit a request to VISA/Master Card to check if there have been any changes for the cards stored by the gateway for use in your store. After VISA/Master Card has processed the request (which may take up to 2-3 days), the gateway will get a report of any changed payment card details. Based on the report, the information stored by the payment gateway will be updated to reflect the changes. The updated cards will then be linked to the existing tokens. This way your store will be able to charge the cards after re-issue using the same old tokens already stored by X-Payments.
If a customer with a tokenized card makes a payment at your store via X-Payments Cloud after the card has been re-issued, the card information will be updated automatically and transparently to the customer.