This article outlines the flow of sensitive cardholder information in Cerbo's Bluefin integration.
Card Present
- Transaction requested from browser.
- Browser makes an XMLHttpRequest to our server to queue a transaction with the Pax device
- Our server uses the TSAPI API to create a "placeholder" transaction
- Our server passes the placeholder transaction ID and the amount to be charged to the Pax device via LAN using the SaasConex JavaScript API
- Card is swiped/tapped to process the transaction. The Pax device communicates directly with the Bluefin gateway, which relays the transaction to Elavon and the processing network
- The network responds, and data flows back to the Pax device with the outcome of the transaction
- The Pax device responds via the still-open Cerbo Server <-> Pax LAN connection so that Cerbo can store the results of the transaction, including the transaction ID, which can be used as a card-token for future processing.
Card Not Present (Keyed in)
- Browser presents an HTML form so that card entry takes place in the user's browser. The form creates a timestamped/encrypted transaction token so that Bluefin can verify the sending application as well as the callback URLs that Bluefin can use to report back the transaction result.
- User submits the form, which submits directly to secure.payconex.net (data passes directly from the user's browser to Bluefin)
- Bluefin processes the transaction and then sends a transparent-redirect command to the user's browser with the appropriate callback URL from the original form.
- On success, Cerbo stores the payment metadata (last4, card-type, expiration), the payment amount, and the transaction ID, which can be used for stored-token transactions in the future
Card Not Present (Stored token transaction)
- Cerbo presents a list of stored-card tokens (created in one of the two above workflows) along with metadata that identifies each card (Last 4, Exp)
- User selects the card they want to use and sets the amount they want processed.
- Form is submitted via POST to Cerbo's servers, including card-token data and amount to be processed
- Cerbo uses Bluefin's QSAPI API to send a stored-card transaction to PayConex
- PayConex responds with the result of the transaction, which Cerbo then records.