
[Slide-02].ECO127. E-commerce implementations

The document outlines various e-commerce implementation methods, including merchant-managed, shared-management, and wholly outsourced options. It details processes for URL redirects, iFrames, Direct Post Method, JavaScript forms, and Application Programming Interfaces (APIs) used in payment transactions. Additionally, it highlights the advantages and disadvantages of these methods and mentions PCI DSS validation requirements.

Uploaded by

Măng Cụt

E-commerce Implementation Methods

By Ritsu Doan

Some common e-commerce implementations include:
• Merchant-managed e-commerce implementations:
  ◦ Proprietary/custom-developed shopping cart/payment application.
  ◦ Commercial shopping cart/payment application implementation fully managed by the merchant.
• Shared-management e-commerce implementations:
  ◦ URL redirection to a third-party hosted payment page.
  ◦ An Inline Frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s).
  ◦ Embedded content within the merchant’s page(s) using non-iFrame tags.
  ◦ Direct Post Method (Form).
  ◦ JavaScript Form.
  ◦ Merchant gateway with third-party embedded application programming interfaces (APIs).
• Wholly outsourced e-commerce implementations.

1. Shared-Management E-commerce – URL Redirects

What is a URL Redirect?
• In the URL redirection model, the cardholder is redirected from the merchant’s website to a third-party page.
• The cardholder then enters their account data into a payment page hosted by the third-party payment service provider (PSP). This may also be called a “punch out” since customers and application users are sent to a PSP’s web pages. This is generally noticeable to the customer, as the merchant’s website URL changes to that of the PSP.
• Example: http://www.merchant.example.com changes to that of the PSP, https://www.psp.example.com

The URL Redirect Process
1. Merchant website sends a redirect command to the customer’s browser.
2. The customer’s browser then requests a payment form from the PSP.
3. The PSP creates the payment form and sends it to the customer’s browser.
4. The customer’s browser displays the PSP’s payment form.
5. The customer enters account data and sends it to the PSP.
6. The PSP receives the account data and sends it to the payment system for authorization.
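
The redirect in step 1 only does its job if the Location value really points at the PSP. The following is an added example (not from the original slides) that builds the redirect and checks its target by exact HTTPS origin; the `/pay` path, the `order` parameter and the function names are assumptions, and the hosts are the slide's example URLs.

```javascript
// Added example. Hosts are the slide's example URLs; "/pay" and "order" are assumptions.
const PSP_ORIGIN = "https://www.psp.example.com";

// Step 1: the merchant site builds the redirect command for the browser.
// Only an order reference is passed; account data is entered later on the
// PSP-hosted page (steps 4-5), so none appears in this response.
function buildPspRedirect(orderRef) {
  const target = new URL("/pay", PSP_ORIGIN);
  target.searchParams.set("order", orderRef);
  return { status: 302, headers: { Location: target.toString() } };
}

// True only for an absolute HTTPS URL on the PSP's exact origin, with no
// userinfo part. Comparing parsed origins avoids prefix/substring mistakes.
function isPspRedirect(location) {
  let url;
  try {
    url = new URL(location);
  } catch {
    return false; // relative or malformed value
  }
  return url.origin === PSP_ORIGIN && url.username === "" && url.password === "";
}

// Constructed values a checkout test suite might run through the check.
const SAMPLES = [
  buildPspRedirect("ORD-1001").headers.Location,        // expected redirect
  "https://www.psp.example.com:443/pay?order=ORD-1001", // default port, same origin
  "http://www.psp.example.com/pay",                     // not HTTPS
  "https://www.psp.example.com.unknown.example/pay",    // different host
  "https://www.psp.example.com@unknown.example/pay",    // host is unknown.example
  "/pay?order=ORD-1001",                                // relative, stays on merchant
];

function checkSamples() {
  return SAMPLES.map((location) => isPspRedirect(location));
}

console.log(checkSamples());
```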

2. The iFrame

What is an iFrame?
• An iFrame (or Inline Frame) is a method of seamlessly embedding a web page within another web page - the iFrame becomes a frame for displaying another web page.
• An iFrame provides “sandboxing” to isolate the content of the embedded frame from the parent web page, thus ensuring that information is not accessible or cannot be manipulated through various exploits by malicious individuals.
• In e-commerce payments, the pages delivered during the checkout process would be supplied by the merchant's website, with an embedded iFrame supplied by the PSP within that process. The PSP’s iFrame receives all cardholder data entered by the customer.

The iFrame Process
1. The merchant website creates an iFrame within the current webpage. The customer’s browser requests the payment form from the PSP.
2. The PSP creates a payment form and sends it to the customer’s browser within the iFrame.
3. The customer’s browser displays the payment form within the iFrame located on the merchant page.
4. The customer enters their payment details into the iFrame containing the PSP’s payment form.
5. The PSP receives the account data and sends it to the payment system for authorization.

3. The Direct Post Method (DPM)

What is a Direct Post?
• The Direct Post Method for e-commerce payment is generally used by larger merchants that require more control over their payment form “look and feel” and are able to understand and implement the extra PCI DSS security controls that are required to protect their systems.
• The Direct Post Method uses the merchant’s website to generate the shopping cart and payment web pages. The merchant’s payment form, loaded in the customer’s browser, sends the cardholder data directly to the PSP (not via the merchant’s website or systems), ensuring cardholder data is not stored, processed, or transmitted via the merchant systems.
• However, the payment form is provided by the merchant; therefore, the merchant’s systems are in scope for additional PCI DSS controls, which are necessary to protect the merchant website against malicious individuals changing the form and capturing cardholder data.

The Direct Post Process
1. The merchant’s website creates the payment page.
2. The customer’s browser displays the payment page and sends cardholder data directly to the PSP.
3. The PSP receives the cardholder data and sends it to the payment system for authorization.

4. JavaScript Form

What is a JavaScript Form?
• Similar to the Direct Post Method, the JavaScript payment page originates from the merchant’s website and requests that the customer’s browser execute JavaScript code from the PSP to create the payment form. Entered cardholder data is then sent directly to the PSP in the same way as the Direct Post Method.
• Also similar to the Direct Post Method, a JavaScript form is generally used by larger merchants that require more control over their payment form look and feel and are able to understand and implement the extra PCI DSS security controls that are required to protect their systems.

The JavaScript Form Process
1. Merchant website creates the payment page.
2. Payment page on the customer’s browser requests JavaScript from the PSP.
3. The PSP creates JavaScript and sends it to the customer’s browser.
4. The customer’s browser uses JavaScript to create the payment form within the payment page.
5. The customer completes payment by entering payment details into the form, which is sent directly to the PSP.
6. The PSP receives cardholder data and sends it to the payment system for authorization.
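
The iFrame, Direct Post and JavaScript Form methods all depend on the merchant-served page still pointing at the PSP, which is why the slides note that the merchant website must be protected against someone changing the form. The following is an added example (not from the original slides): a scan of checkout HTML that reports any iframe source, form action or script source outside the expected origins. The sample pages, the `unknown.example` hosts and the function name are constructed, and the regex scan stands in for a real HTML parser.

```javascript
// Added example. Origins reuse the slide's example hosts; pages are constructed.
const PSP = "https://www.psp.example.com";
const MERCHANT = "https://www.merchant.example.com"; // assumed to serve over HTTPS

// Element/attribute pairs each shared-management method depends on.
const CHECKS = [
  { tag: "iframe", attr: "src", allowed: [PSP] },           // iFrame
  { tag: "form", attr: "action", allowed: [PSP] },          // Direct Post Method
  { tag: "script", attr: "src", allowed: [PSP, MERCHANT] }, // JavaScript Form
];

// Returns one finding per attribute whose origin is not in the allowed list.
// Regex scan only: inline scripts and unquoted attributes are not covered.
function auditCheckoutPage(html) {
  const findings = [];
  for (const { tag, attr, allowed } of CHECKS) {
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']*)["']`, "gi");
    for (const match of html.matchAll(re)) {
      let origin;
      try {
        origin = new URL(match[1], MERCHANT).origin; // relative URLs resolve to the merchant
      } catch {
        origin = "invalid";
      }
      if (!allowed.includes(origin)) findings.push({ tag, value: match[1], origin });
    }
  }
  return findings;
}

// Constructed sample: a Direct Post page as the merchant deployed it.
const deployedPage = `
  <form method="post" action="https://www.psp.example.com/post">
    <input name="card_number"><button>Pay</button>
  </form>
  <script src="/static/cart.js"></script>`;

// Constructed sample: the same page after an unauthorized change.
const changedPage = `
  <form method="post" action="https://pay.unknown.example/post">
    <input name="card_number"><button>Pay</button>
  </form>
  <script src="/static/cart.js"></script>
  <script src="https://cdn.unknown.example/widget.js"></script>`;

console.log(auditCheckoutPage(deployedPage));
console.log(auditCheckoutPage(changedPage));
```

A form whose action is relative (for example `/checkout/pay`) is also reported, because it would post cardholder data to the merchant's own server, which is the API model rather than Direct Post.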

5. The Application Programming Interface (API)

What is an API?
• In this context, an API is a method of system-to-system data transmission wherein the merchant principally controls the progress of the payment transaction.
• Customer cardholder data is sent from the customer browser back to the merchant website before being sent to the PSP. Data sent to the PSP may be sent in different formats such as XML, JSON, or name/value pairs.
• The payment page and form are hosted and supplied by the merchant website with all cardholder data processed by the merchant web server (and possibly other system components) before being sent to the payment solution provider.

The API Process
1. Merchant creates payment page.
2. Customer’s browser displays the payment form.
3. The customer enters cardholder data into the payment form and the data is sent to merchant web server.
4. The merchant web server transmits cardholder data to the PSP.
5. The PSP receives cardholder data and sends it to the payment system for authorization.

Advantages and Disadvantages of E-commerce Methods:

PCI DSS Validation Requirements:
