Notice: This integration method has been deprecated. We encourage developers to look at our other integration methods.
This method is no longer considered "Out Of Scope" under the new PCI 3.2 standard. Therefore, if you choose to use this method, your servers are considered "in-scope" and you are required to complete a PCI Attestation of Compliance.
See https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf for more info.
Below is a diagram of the request flow. The only step that involves credit card data is step #2, which bypasses your API servers.
- The Merchant website contains its typical form to accept credit card information.
- The merchant attaches the form handler using the ticket() method with the required parameters.
- After the client submits the form, the submit event is intercepted. The submitted data is then sent to the API server at the /v2/cardtickets endpoint, where it is validated. This step happens in the background via AJAX requests.
- If the information provided is valid, a token will be generated by the API server. This token is added to the credit card form as a hidden field.
- This method then allows the credit card to be replaced by the token when submitting a transaction to be processed by the API server.
- MWS responds to the customer's browser with a “Thank You” page.
Note: The returned ticket can be used as a card information holder for Transaction Actions.
- jQuery 1.0+
- SHA-256 server algorithm
- PHP 5 (for this example)
You can download a zip file with all of the necessary files for the PHP example here. There are two main files that are needed to get started:
- example.php - This is an example PHP file that shows how a form can be set up to capture the necessary credit card data.
There is an optional third file included if you wish to utilize a USB card reader to get full track data.
- card_reader.js - This JS file can be used to implement a USB card reader to get full track data for card transactions.
We need to generate a hash in PHP. There are 4 parameters that are required to generate a signature hash:
- Ticket Hash Key: This is the ticket hash key provided by the API that is used to generate the signature hash. This key is secret and should not be shared with anyone.
- Location Id: Provided by the API as your location identifier
- Order Id: The order number for your order. If you don't have one, you can use a random number generated by PHP.
- Timestamp: The current time when the page was generated. It has an expiry period of 5 minutes.
The hash is generated using the location id, timestamp, and order id, in that specific order. Here is sample code of how to generate the signature:
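The following is an added example, not the vendor's sample code. It assumes the signature is an HMAC-SHA256 keyed with the ticket hash key over the concatenated location id, timestamp and order id (the page states only SHA-256 and the field order); the function names, the receiving-side check and all sample values are hypothetical.

```php
<?php
// Added example. Assumption: the signature is HMAC-SHA256 keyed with the
// ticket hash key; the page states only SHA-256 and the field order.

const TICKET_MAX_AGE = 300; // seconds; the 5-minute expiry stated above

// Build the signature from location id, timestamp, order id, in that order.
function ticket_signature($hashKey, $locationId, $timestamp, $orderId)
{
    return hash_hmac('sha256', $locationId . $timestamp . $orderId, $hashKey);
}

// Hypothetical receiving-side check: reject stale or future timestamps,
// then compare in constant time so the check leaks no timing information.
function ticket_signature_valid($hashKey, $locationId, $timestamp, $orderId, $signature, $now)
{
    $age = $now - (int) $timestamp;
    if ($age < 0 || $age > TICKET_MAX_AGE) {
        return false;
    }
    $expected = ticket_signature($hashKey, $locationId, $timestamp, $orderId);
    return hash_equals($expected, (string) $signature); // PHP 5.6+
}

// Constructed sample values. Load the real key from server-side
// configuration; it must never be written into the page or its scripts.
// In a real page the timestamp would be time() at page generation.
$hashKey    = 'constructed-demo-key';
$locationId = 'loc-0001';
$orderId    = 'order-1001';
$timestamp  = 1700000000;

// The signature, not the key, is what gets rendered into the page.
$signature = ticket_signature($hashKey, $locationId, $timestamp, $orderId);

// Fresh request, expired request, and a request whose order id was changed.
var_dump(ticket_signature_valid($hashKey, $locationId, $timestamp, $orderId, $signature, $timestamp + 60));
var_dump(ticket_signature_valid($hashKey, $locationId, $timestamp, $orderId, $signature, $timestamp + 301));
var_dump(ticket_signature_valid($hashKey, $locationId, $timestamp, 'order-9999', $signature, $timestamp + 60));
```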
In this implementation, every element whose value you do not want your system to receive must have the class “ticketed”. These elements are submitted to obtain the ticket, and the ticket id is then used in place of the credit card information. Each element also needs a data-ticket attribute, which determines its name in the post data sent to the server. The required elements that need to be submitted to create a ticket are: