Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

LearningBuilder only uses PCI-Compliant payment gateways to process financial transactions. This page documents the technical details behind each supported CheckoutMode.

This is also represented as a PCI Cardholder Data Flow Diagram.

Click here for more information about payment gateways

...

In the HostedPages model, the user’s browser is fully redirected to the payment gateway’s website to perform the checkout process.

  1. User enters checkout in LearningBuilder

  2. (optional) User enters non-payment-card data such as their shipping address

  3. User’s browser is redirected to the payment gateway’s website over HTTPS, completely severing their connection to LearningBuilder.

  4. User provides credit card information to the payment gateway, which performs the transaction.

  5. Upon success, the user is redirected back to LearningBuilder and sees the payment success message.

The transaction ID is provided to LearningBuilder in one of two ways:

...

The HostedPagesIFrame model is similar to HostedPages, except that instead of fully redirecting the user’s browser to the payment gateway’s website, the gateway’s checkout form is embedded within LearningBuilder using an <iframe>.

  1. User enters checkout in LearningBuilder

  2. (optional) User enters non-payment-card data such as their shipping address

  3. LearningBuilder displays a checkout page, which consists of the LearningBuilder site “chrome” plus an <iframe> that displays a form hosted by the payment gateway. The checkout form is loaded using HTTPS within the <iframe>.

  4. User submits credit card information within the <iframe>, posting it directly to the payment gateway.

  5. Upon success, a payment success message is displayed within the <iframe> and the transaction ID is posted to LearningBuilder as an API call. The user can then continue with their process within LearningBuilder.

Even though the user’s browser seems to remain on the LearningBuilder website, LearningBuilder never receives or processes any credit card information; it is submitted directly to the payment gateway.

...

In the TwoStep model, LearningBuilder hosts the form that collects credit card information. This form, however, makes an HTTPS post to the payment gateway, NOT to LearningBuilder.

  1. User enters checkout in LearningBuilder

  2. LearningBuilder displays a form that collects the billing address and credit card information. The <form>'s action attribute points to the payment gateway over HTTPS.

  3. When the user clicks the submit button, their browser initiates the HTTPS POST and navigates to the payment gateway endpoint.

  4. The payment gateway performs the transaction and, upon success, redirects the user’s browser back to LearningBuilder.

Even though the credit card form is displayed by LearningBuilder, the data it collects is submitted elsewhere.

...

In the ThreeStep mode, the credit card form is hosted by LearningBuilder. This form makes a background HTTPS post to payment gateway and “trades” the credit card details (which LearningBuilder does NOT store or process) for a “token” (which LearningBuilder DOES store and process). When the user confirms their intent to make the payment, LearningBuilder sends that token back to the gateway to initiate the transaction.

  1. User enters checkout in LearningBuilder

  2. LearningBuilder displays a form that collects the billing address and credit card information. The <form>'s action attribute points to the payment gateway over HTTPS.

  3. When the user clicks the submit button, client-side JavaScript code performs an asynchronous HTTPS POST to the payment gateway, submitting the credit card information.

  4. The payment gateway securely stores those details, returning a “token” back to LearningBuilder. LearningBuilder attaches this token to the user’s checkout process.

  5. LearningBuilder displays an order confirmation screen to the user, summarizing the transaction they are about to perform.

  6. User clicks a “submit order” button. LearningBuilder makes a background API call to the payment gateway, specifying the order details (amount, etc) and providing the token in lieu of any payment card data.

  7. The payment gateway uses the token to look up the stored credentials and then performs the transaction.

  8. The payment gateway returns the transaction details, including card authorization, in the API call response.

Info

The “token” is a one-time-use identifier for a set of payment card credentials. It is not an encrypted or encoded version of the credentials and therefore cannot be reverse engineered into the specific credit card number. The token cannot be reused to perform additional transactions.

...