Internal Documentation on Credit Card Application (CCA) at CMU
Technical Guide
Table of Contents
Overview of Credit Card Processing at CMU
Return to Top of Page
Credit Card Processing on a Regular Store Front
A regular storefront is used by anyone in the world who wishes to give CMU money. A department develops their own web pages
for their storefront. The department webpages will provide all of the details regarding the item they are selling.
The website will also collect all order information from the customer, with the exception of the payment information.
It will collect information such as shipping information, item(s) the customer wishes to purchase, calculate sales tax and shipping charges.
An invoice number is also assigned by the department website.
The invoice number, the departments store number (which we assign), and the detailed item information is sent to the credit card application.
This is done when the customer pushes a button on the department webpage and is then transferred to the credit card application.
The customer enters their own credit card information on a standard html page, on the acisX secure servers.
When the customer hits submit, the information is validated, written to the credit card oracle database on typhoon, then sent to Cybersource.
Cybersource does some validation, saves the data, and then passes the data to PaymentTech. PaymentTech records the transaction, and sends a
response back to Cybersource. Cybersource saves the information, and sends the response back to us. The response is written to the oracle
database on typhoon. An appropriate message is displayed to the customer. If the transaction is successful, the web page is the customer's
receipt of payment. It displays the detailed order information which was submitted from the department.
The transaction goes through the following servers
| Dept Webserver | ---> | acis server | ---> | (oracle on typhoon) | ---> |
| acis server | ---> | Cybersource | ---> | PaymentTech |
| acis server | <--- | (oracle on typhoon) | <--- | acis server | <--- | Cybersource | <------ |
The customer sees the following web pages
| last dept webpage | ----> | Credit Card Collection Page | -----> | Credit Card Response Page |
A demo is located at
https://acis.as.cmu.edu/cc/doc/example.html
The basic steps in authorizing a credit card purchase with both the storefront are as follows:
| Department Web Server | ----> | https://acis.... | ----> | https://acis... |
| Checkout page | ----> | Credit Card Collection Page | ----> | Credit Card Response Page |
Currently CCA can process credit card payments for customers using
VISA, MasterCard and American Express.
Return to Top of Page
Generic Store Front
A generic storefront is used only by people with pre authorized andrew ids. The generic storefront is intended to
serve those departments who wish to process credit cards, but do not want their own ecommerce website.
A good example would be a department who receives orders via phone or fax.
The process is almost identical to one described above. The only difference is that instead of a dept web server with
dept web pages, the user goes to the acisX secure server and uses the generic store webpage. On the generic store webpage,
the cmu user will enter the invoice number, and the individual item detail for the order. Then they will be taken to
the standard credit card collection webpage, and processing will continue as detailed above.
Return to Top of Page
Processing of Credits/Refunds
Preauthorized andrew ids can issue refunds for their storefront. A user searches for the transaction on a secure acisX webpage.
An example of this webpage can be found at the following link.
https://acis.as.cmu.edu:4443/cc/reports/search.html
When they find their transaction, they click "Issue a Credit Now". They enter the amount which they would like to credit,
up to the full amount of the original transaction. When they submit the transaction, it is processed in the same way as described above.
Return to Top of Page
Electronic Check Processing
The student interface is Student Information Online. They enroll in electronic checking by providing their bank account routing number,
account number, and a brief description of this account. One business day later this account is available to them to make payments.
They can setup as many of these accounts as they wish. These accounts can be deleted at any time. One of these accounts can be designated
as ‘refund’ accounts. The refund account can also be used to make payments. If a student is eligible for a refund from enrollment,
instead of cutting a check, this refund account will automatically be credited.
When they wish to make a payment, they select the account from which to make the payment, by selecting the appropriate brief description.
They enter the amount of the payment and the payment date. The payment date needs to be 1 or more business days in the future, not to exceed 1 year.
There is a 5 pm Eastern cut off time for transactions to be processed on the current business day.
It appears as though enrollment is the only current credit card storefront who accepts re-occurring payments. Therefore there are no immediate
plans to setup the echeck capability with any other departments.
Capturing the echeck enrollment and payment information from the student.
AcisX -? write to sis database on typhoon
To send the echeck enrollment and payment information to Mellon,
- generate flat, fixed length datafiles on typhoon nightly
- ftp the files through the leased line connection to Mellon
- wait for confirmation that Mellon has received them ??
- delete routing number and account number from the sis database
ftp to Mellon server and pick up summary reports
Return to Top of Page
What is a Generic Storefront?
The generic storefront is for use by authorized Carnegie Mellon University employees only. Access to
this storefront will require an Andrew username and password. Generic storefront users will be setup
by the Financial Services Group and will be associated with an store.
The purpose of the generic storefront is to replace traditional credit card terminals when most or all of the
transactions are Card Not Present. For example, if a customer provides credit card information over the phone,
the user can process the payment from their desktop. This provides immediate feedback to the customer, and eliminates
the need to put confidential credit card information on paper.
The user logs into the website and brings up the generic storefront screen.
In the example shown, the store has setup the generic storefront default values for
- merchant reference number
- confirmation email
- item name
- quantity
The screen already has defaulted values for Settle Now of Yes.
The data entry required is now quite minimal. The user need only verify the default values, enter a price and choose a
GL string from the select list.
The next screen is the standard
credit card collection page.
The transactions from the generic storefront are handled in the same way as transactions from the department storefronts.
- A confirmation email message is sent to the Confirmation Email address, if provided.
- The fees charged are identical to those for the department storefronts.
- The transactions are posted to the financial system through an automatic nightly process.
- A daily outload of commas delimited data is available.
- Query access to the data is available through the search page.
Return to Top of Page
What is the difference between a generic storefront and a regular storefront?
The difference between a regular storefront and a
generic storefront is who is entering the credit card
information.
A generic storefront can only be accessed by
pre-designated andrew ids. It is meant to be used, for
example, by admin staff who get credit card orders over
the phone. The generic storefront is a generic web
page, and does not require the store to create their
own website.
A regular storefront is meant to be a self-serve
application where the customer chooses their products
and services and then completes the
transaction themselves. In order to use the regular
storefront, the
department needs to create their own website, and host
it on their own server.
One department can have both a generic & regular storefront
with the same store number. This would allow the department, for example,
to have customers signup and pay for a conference themselves through
the website (using the regular storefront). The department can also
process credit card payments from faxed payment forms (using the
generic storefront).
Return to Top of Page
Can we use both a generic and department storefront?
Yes. It is possible to use both the generic storefront and a department storefront with the same store number.
Return to Top of Page
How does one setup a generic storefront?
How does one setup a generic storefront ?
- The store setup must be done, if the store doesn't exist yet.
- A list of General Ledger strings must be submitted.
- The generic store defaults need to be setup.
- Users must be assigned to the generic store.
Return to Top of Page
Department Information for Store Setup
Every department will be assigned a 5 character store number. This store number will need
to be included in the information that is included in the "check out page".
We will require the following information for each department
- How would you like the name of your department to appear to the customer?
- Do you want daily outload file to be produced?
- Will you accept American Express ?
- Will these transactions be posted to the financial system through another feeder system?
- Administrative Contact Information
- Name (for internal CMU use only)
- Email Address
- Phone Number
- Technical Contact Information, ie Webmaster (for internal CMU use only)
- Name
- Email Address
- Phone Number
- A General Ledger String that will be used to charged Credit Card Fees to the dept
- A General Ledger String that will be used as a suspense account for transactions
that have failed to be posted to the financial system.
The following department specific information will be displayed on the
"cc response page".
- Department Name as it should appear to the customer
- Administrative Contact Phone
- Administrative Contact Email
Return to Top of Page
How long does it take to setup the generic storefront?
Once all of the data is submitted, setup will take less than 2 business days.
Return to Top of Page
How do I test my storefront?
When Submitting Transactions to the Test Server:
| Credit Card Type | Test Account Number |
| VISA | 4111 1111 1111 1111 |
| MasterCard | 5555 5555 5555 4444 |
| American Express | 3782 8224 6310 005 |
When the total credit card charge is between $1001.00 and $4000.00 on the test server only, this will
simulate error messages. Complete list of amounts and associated errors
An invalid credit card number error can be generated by entering the credit
card 4111111111111112.
The test environment will be continually available, even after a store is in production. The test environment consists of
- credit card processing (The ACIS test server sends transactions to the Cybersource test server)
- query tools (For viewing data in the test database)
Error Messages
- Transmission error while processing credit card.
- Please press the BACK button on your browser and correct the following
information on the previous page. (Then the exact error message from Cybersource is
displayed. For example: The following request field(s) is either invalid or missing: bill_zip
- The expiration date is invalid. This credit card has expired. Please press
the BACK button on your browser and update the expiration date or enter a
new credit card.
- The credit card number is invalid. Please press the BACK button on your
browser and update the credit card number, or enter a new credit card number.
- This credit card has been declined.
- An error has occured while processing this credit card.
- No response was received from credit card authorization request.
- An error has occured while sending credit card information.
Return to Top of Page
How do I 'go live'?
I have to ask Lisa about this one. Who is in charge of switching the account from "test" mode to "production" mode. How is this done in Cybersource.
Return to Top of Page
Frequently Asked Questions (FAQ)
Return to Top of Page
Recent Changes
Nov 27th, 2006:
Several Security Enhancements
Permit the use of only the follow characters: A-Z a-z 0-9 -_./@+, :
Added the ability to do real-time notification of successful transactions.
Important Changes to credit card processing in MARCH 2007
When will this occur?
- Mon March 19th user testing begins
- Wed March 21st datafile available from new and old sites
- Fri March 30th user testing ends
- Sun Apr 1st Changes are moved into production, and current credit card sites get redirected to new site.
- Tues May 15th the redirection to the new site will be turned off, and datafiles will only be accessible on the new site.
Why is this being done?
- We are making these changes to enhance the security and reliability
of the credit card application.
- Additionally, the credit card vendor has required us to upgrade the software used to communicate with them.
What will change?
- All web addresses (URLs) for the credit card application will be changed. The credit card application will be moved to dedicated machines with improved security, reliability, and performance.
- We are upgrading the release of the software that we use to communicate with the credit card processor. This will substantially improve the process of issuing credits.
What do I need to do?
- For those stores with a generic storefront
- After April 1st you will need to use a different website address in order to access the generic storefront. That new website address will be
https://ccard.as.cmu.edu/cgi-bin/generic_store.cgi
- From April 1st - May 15th when you go to the old website address you will be automatically forwarded to the new site.
- If you have set a bookmark for the address of the generic storefront, you should update it after April 1st.
- For those stores who use the "real-time notification" feature
- You should perform testing with the new credit card test site to ensure that everything is performing as expected. The new credit card test site will be available as of Mon March 19th. The new credit card test site will be
https://ccard-submit-test.as.cmu.edu/cgi-bin/gather_info.cgi Testing will
end Friday March 30th.
- If your server restricts the real-time notification based on IP address, it will need to be changed by April 1st. You will be provided with this information shortly.
- For those stores who use daily datafiles
- You will need to download the datafiles from a new site. You can
begin accessing the datafiles from the new site as of Wed March 21st. All of the old files, as well as new files will be available from both sites as of Wed March 21st. The new site for downloading datafiles is
https://ccard.as.cmu.edu/cgi-bin/store.cgi
- If you have set a bookmark for the address of the datafiles, you should update it after March 21st.
- If you automatically download the datafiles please
contact us
for further instructions on required changes.
- After May 15th, datafiles can only be accessed from the new site.
- For those stores who use a regular storefront
- You should perform testing with the new credit card test site to ensure that everything is performing as expected. The new credit card test site will be available starting Mon March 19th. The new credit card test site will be
https://ccard-submit-test.as.cmu.edu/cgi-bin/gather_info.cgi Testing
will end Friday March 30th.
- Between April 1st and May 15th you should update your website to use
the new credit card site. If the old site is used from April 1st
through May 15th the user will be automatically forwarded to the
new site. After May 15th your website will STOP WORKING if you
do not change your website to use the new website address of
https://ccard-submit.as.cmu.edu/cgi-bin/gather_info.cgi
- For administrative users who issue credits and perform searches
- After April 1st you will need to use a different website address in order to perform searches and issue credits. The new website address will be
https://ccard.as.cmu.edu/search.html
- From April 1st - May 15th when you go to the old website address you will be automatically forwarded to the new site.
- If you have set a bookmark for the address of the credit card search site, you should update it after April 1st.
What will happen on April 1st?
At 6:00 pm the following web addresses will be redirected to the new servers.
Test Server
https://acis.as.cmu.edu:4443/cc/gather_info.cgi
Production Server
https://acis.as.cmu.edu/cc/doc.html
https://acis.as.cmu.edu/cc/gather_info.cgi
https://acis.as.cmu.edu/cc/reports/search.html
https://acis.as.cmu.edu/cc/reports/generic_store.cgi
Where can I find updated information about these changes?
This webpage will be continually updated throughout this process.
As users ask questions, or as more information becomes available this section
of the documention will be updated. The date at the top of this webpage will
indicate when this webpage was last modified.
Who do I contact if I have any questions?
creditcard-info@lists.andrew.cmu.edu
Return to Top of Page
What needs to be on my "checkout" page?
| Name | Max Size | Description |
| store_no | c5 | Will be assigned to each dept. |
| return_url | c150 | Displayed on cc response page (optional) if not provided, http://www.cmu.edu will be shown |
| return_url_text | c150 | Description for return link (optional) if not provided "CMU Homepage" will be shown |
| merchant_ref_no | c50 | Anything you want to assign. This field should be unique, as it will be a way for you to
identify each transaction. You will be able to query your transactions based on this data item. |
| settle_now | c1 Y/N | Are all of these items to be shipped immediately? |
| notify_email | c100 | Email address which will receive info on the result of this transaction (optional) |
| flex_field1 | c100 | An optional field containing any information in any format. Typically this would be used to pass along information that was collected from your storefront. |
| flex_field2 | c100 | Additional optional flex field |
| flex_field3 | c100 | Additional optional flex field |
| flex_field4 | c100 | Additional optional flex field |
| flex_field5 | c100 | Additional optional flex field |
| flex_field6 |
c100 |
If a transaction is for a service the storefront is required to provide the beginning and ending dates (Range of Service) for the service. Generic storefronts will use the field named "Range of Service". Regular storefronts are to record the range in flex_field6. The format should be MMMDD - MMMDD (JUN08 - JUL12). In the event a single credit card transaction is for more than one item that meets the above criteria then the range of dates should be enclosed in brackets (format [MMMDD-MMMDD][MMMDD-MMMDD]). The date order should correspond to the Item Detail order. The following are examples of services that require the range of dates be provided:
- Conferences
- Educational programs (i.e. executive education)
- Fees for events and activities
- Fees for advertising
- Fees for memberships and dues
|
| header_file | c30 | Optional field to specify which html
file to use as a header on the credit card collection & response page. |
| footer_file | c30 | Optional field to specify which html
file to use as a footer on the credit card collection & response page. |
| For every item purchased: |
| itemX_name | c50 | Name of item |
| itemX_sku | c20 | Product SKU (optional) |
| itemX_qty | integer | Item quantity |
| itemX_price_each | float | Price PER item |
| itemX_gl_str | c25 | Oracle Financials GL String |
Note
The above variables should be sent as hidden variables with a post request.
- The post request for testing should be sent to
https://ccard-submit-test.as.cmu.edu/cgi-bin/gather_info.cgi
- The post request for production should be sent to
https://ccard-submit.as.cmu.edu/cgi-bin/gather_info.cgi
Additional Note: Due to the prevalance of pop-up blocker software,
it is preferred for you to call the credit card collection page within the
same window. If you call the credit card collection page in a new window and
the user has pop-up blocker software enabled, the customer will never see the
credit card collection page.
Return to Top of Page
Example
Example check out page
To view the "Credit Card Collection Page", follow the above link and
press the "Enter Credit Card Payment Information" button.
Sample Confirmation Email
Sample Results Page
Return to Top of Page
Customizing the Credit Card Collection & Response Pages
A store can make the credit card collection & response pages look more
consistant with their storefront by using a header & footer file. A store
can choose to use a header, a footer, both, or neither. A store can have
multiple header and footer files. However there can not be multiple header
or footer files, displayed on one transaction. At most, 1 footer and 1 header
file will be displayed during a particular transaction. Let's say that a store
had several storefronts. One storefront is for conferences, and another is
for donations. It is possible to have a header & footer file for
the conference transactions, and two different files for the header & footer
files for the donation transactions. (A total of 4 different files.)
The header & footer filenames should contain the store number. For example,
store number 10320 could have a header file named header10320riweb.html.
The files should contain simple html, no javascript.
In order to setup your store to use header & footer files, the files need
be emailed, as attachments to
creditcard-info@lists.andrew.cmu.edu. We reserve the right to edit the html
files if we deem appropriate before we upload them to the server.
The header and footer filenames are then specified as hidden variables that are
sent to the credit card collection page.
Return to Top of Page
Secure web server for collecting credit cards
The department's web server does not have to be
a secure web server. (A secure web server has a URL which begins
with https:// instead of http:// )
A secure web server is required to enter credit card information.
ACIS will provide a secure server for this part of the process.
Using Frames If your department's web site uses frames, and
will call the credit card collection page within a frame, then your
department's web site must be on a secure server. If you call the
credit card collection page from within a frame, and your departmental
web page is not on a secure server, the user's browser will not
appear to be secure. For example, in this case, the lock that appears
at the bottom of the Netscape browser will not be closed. The
connection will be secure, but the user's browser will not appear
to be connected to a secure server. This is only
an issue if the credit card collection page is called from within a frame, that
is hosted on a server which is not a secure server.
Return to Top of Page
Accepting Gifts
Do not use the ecommerce process to accept university gifts. It is
extremely important that all ecommerce gifts are processed through the
Carnegie Mellon "Make a Gift" web site. A hyper link can be added to
your page that will take the donor to the
official university on-line
gift page. If you
have any questions regarding gifts to the university please call the Office of
Gift Accounting at 412/268/2027.
Return to Top of Page
How will my transactions get into Oracle Financials?
ACIS will be responsible for posting all credit card transactions
into the financial system. This will occur nightly.
Return to Top of Page
What about sales tax?
If you are going to consider the use of the web for external sales, you
certainly do need to be aware of the requirements for collection of sales
tax.
How the process will work, though, is fairly straight-forward... for the
"generic storefront" process, the sales tax will be manually calculated and
added as a separate line, with the credit going to
4031500000000000000000101, which is a university liability balance
sheet account to record this activity. Judy Cvejkus files and remits
collected sales tax to the State. We're finalizing the actual procedures
in terms of how this will be handled through the web application.
If a department has a "regular storefront", this functionality will need to
be programmed into the page, such that items will need to be flagged as
taxable or non-taxable (e.g., clothing is not taxable), tax will need to be
calculated (7%), and then identified to the above-noted GL string for
distribution.
Lastly, in terms of identifying taxable/non-taxable, Lisa Luffe (Manager of Financial Reporting & Taxation) can be a resource.
Return to Top of Page
What should we do if a customer contacts us?
There will be real time access to detailed credit card transaction information
through a secure web site. If a "notify email" address is included on the checkout
page, then detailed transaction information will be sent to this address immediately
following the response from the credit card processor. If more than 1 person needs to
receive the credit card transaction confirmation email, then we recommended setting up
an email mailing list for this purpose. Alternatively, an email address that posts to
a bbs can be used.
Return to Top of Page
How can I update my department backend database with the credit card information?
ACIS will create a standard comma delimited outload file
of all credit card transaction information for each department. This file will
include the merchant_ref_no, which you can use to identify the transaction in your
database.
Detailed Outload File Information
Return to Top of Page
How does this charge appear on the customer's credit card?
There is only 1 merchant identifier for the university, which greatly reduces costs. So regardless of
the storefront which charged the customer, the customer's credit card statement will show the charge as
Carnegie Mellon Univ Pittsburgh PA
Return to Top of Page
How can I get immediate notification of a successful transaction?
The merchant reference number of all successful transactions can be sent real-time to a
pre-determined URL that you provide for your store number. This will provide your store with
immediate notification for all successful transactions. In order to use this feature, the following
criteria is required:
- Your merchant reference number must be unique for each transaction
- Your merchant reference number must be comprised of only digits
- The site which is to be sent the merchant reference number must be on a secure server.
For more information please contact
creditcard-info@lists.andrew.cmu.edu
Return to Top of Page
How can I issue a credit to a customer?
The credits are issued through the web search screen.
There is a
production
and test
credit card search screen.
Enter as little information as possible into the search screen, that will
identify the transaction. Simply putting in part of their last name is
usually sufficient. A common mistake is to enter all of the information
that is available on the search page. This often causes
no records to be returned.
The search page will return a summary
screen containing the Date, Name, Merchant Ref no, etc.
Click the radio button that is in front of the transaction to be credited.
Press the submit button at the bottom. This will display more detailed
information about that transaction. Scroll to the bottom of that page.
A button labelled "Issue a Credit Now" will be displayed. Press this and a
screen will appear that will allow the amount to be credited to be entered.
Return to Top of Page
Why is the 'Issue a Credit' screen asking for the credit card expiration?
There are rare occasions when the 'Issue a Credit' screen will include fields
for the credit card month and year expiration. When these fields appear on
that screen, values for the expiration month and year must be provided.
This occurs when a credit card needs
to be credited, after the credit card expiration has passed. Please contact
the card holder and obtain the new expiration information. Once that has been
entered into those fields, the credit can be issued.
Return to Top of Page
Is it possible to cancel a charge, or a credit?
You can request that a charge or a credit be canceled only on the day
that the charge or credit occured. At the end of the day, around midnight,
the card processor creates a batch of all transactions from that day. The
batch is then processed. Before the batch is created, it is possible to
void or cancel transactions.
You can submit your request by emailing
creditcard-info@lists.andrew.cmu.edu with the details of the transactions and the reason for the
request. Someone from the credit card team will submit the request to the
card processor.
Return to Top of Page
Making Changes to Your Existing Store
If you need to make any changes to information associated with your existing store including:
- Store Name
- Administrative Contact Information
- Technical Contact Information
- If you want to stop or start getting a daily datafile
- General Ledger string used for fees
- Add or remove a user's access to the web search screen
- Add or remove a user's ability to issue credits or settle transactions
- For generic stores:
- Add or remove a user's access to the generic store
- Add or remove Revenue General Ledger strings in the generic store
please email those changes to creditcard-info@lists.andrew.cmu.edu
Return to Top of Page
Last Modified: 04 October 2007
Computing Services | 5000 Forbes Avenue Pittsburgh, PA 15213 | Office: (412) 268-2638 | Support: (412) 268-4357
