How PayFacto's recurring payment module associates a cardholder's credit card with a token so merchants can run future transactions — and automatic recurring payments — without the cardholder present, across integrated, redirect, card-present, and Payment Manager input modes.
Contents
The recurrent payment module allows the merchant to execute transactions according to criteria established with the client and without the presence of the cardholder. It also allows automatically making payments at regular intervals.
Once the registration and data entry of the cardholder is completed, the card number is stored in the PayFacto secured database and a token, associated with the card, is returned to the merchant. The following financial operations are available with the use of tokens:
Financial transactions 1, 2, and 3 must be acknowledged using the Ack endpoint.
Subscription management transactions 4, 5, and 6 must be acknowledged using the Recur Ack endpoint.
PayFacto's management of stored card numbers significantly eases the constraints related to PCI-DSS certification for the merchant.
This document covers the following sections:
Missing Section
The source material lists a "Technological architecture" section in this overview, but no such section's content was included in what was provided. [CONFIRM: please provide the Technological Architecture content, or confirm it should be omitted]
The basic functionality of recurring payment is the association of the cardholder's credit card number to a token. To perform transactions with a token (without the presence of the cardholder), this information must have been previously input and registered for future use. Storage of this information is made in the PayFacto database according to the security standards required by PCI-DSS.
There are three possible action categories:
For all transactions on a customer profile or a subscription performed server-to-server, a security token is necessary. This token is provided:
addUser function.It is used as a reference for the client's information: credit card number and expiry date of the card.
In this server-to-server mode, the merchant server calls the PayFacto server through the Payment API, which is integrated into the merchant systems to allow communication with PayFacto systems. Once the information is transmitted to PayFacto, it is stored in the PayFacto database and associated with a token that is returned to the merchant in the response parameters. Once the information is input, the merchant can create or modify existing customer profiles from calls to the Payment API.
With this input mode, the client's card numbers pass through the merchant's computer systems, which must therefore comply with PCI-DSS standards.
To add a token in integrated mode, the merchant calls the Payment API using the following function:
The merchant collects the customer account information and sends it via this call. The following information is required to complete the token addition:
Source Gap Flagged
The source table has a "Mandatory?" column but no values were filled in for any field, for this table or the equivalent table under Redirect Input Mode below. [CONFIRM: which fields are actually mandatory?]
In the response of this call, PayFacto provides the merchant with the token and a Return Codes List indicating whether or not the operation was successful. Finally, the e-commerce application must send the acknowledgment ("Ack") to the PayFacto server to finalize the addition of the token. The merchant has 3 minutes to send the acknowledgment to PayFacto.
Important
If the result of this acknowledgment is not received, or returns a negative answer ("FALSE"), the token will be automatically deleted. The merchant must wait for the result of the acknowledgment (which must return "TRUE") before considering the addition of the token successful.
The secure redirection service is an exemplary, efficient, and safe way for merchants to add a token. It requires the merchant to take a customer's information in order to add the token without an associated credit card, then call a web page hosted on the PayFacto servers via the PayFacto Payment API. This page asks the customer to enter their credit card information. Once this is done, PayFacto creates the token/credit-card association, then redirects the user to a success or failure page specified by the merchant. From this page, a call to the Payment API must be made to communicate with PayFacto and retrieve the response parameters of adding the token.
The PayFacto entry page contains links to information pages hosted on PayFacto payment servers, displayed in the PayFacto Customer Payment Service, describing the security solution. All communications between the merchant application and the PayFacto application are made securely over the HTTP protocol, using worldwide-approved encryption. Internet clients must have a browser that supports 128-bit encryption to use the PayFacto Payment Solution redirection service.
To add a token in redirect mode, the merchant uses the Payment API with the same Recurring - Add User function used in integrated mode. The merchant collects the information from the customer account and sends it via this call — the card number and expiry date parameters must still be sent, but with an "empty" value. The following information is required to complete the token addition:
In the response of this call, PayFacto provides the merchant with the token and a return code indicating whether the operation succeeded. The e-commerce application must then send the "Ack" to the PayFacto server to finalize the addition of the token, within 3 minutes:
Important
If the result of this acknowledgment is not received, or returns a negative answer ("FALSE"), the token will be automatically deleted. The merchant must wait for the result of the acknowledgment (which must return "TRUE") before considering the addition of the token successful.
Next, the merchant's e-commerce application calls PayFacto's Payment API with the payment input parameters of the following call, which transfers the data to the PayFacto payment servers:
The PayFacto server retains the received parameters and returns a session number in the transactionOutput of the "Recurring - Create Session" call. The e-commerce application then redirects the client's browser to the PayFacto redirection page, including the session number, so the payment server can retrieve the transaction data. The format of the redirect URL is:
PayFacto then displays the customer's credit card information input page (referred to in the source as Image 1: Customer Credit Card Information Input Page).
Validation of the 3-digit verification code and the cardholder's address are configurable options at the merchant's request. These values are validated only on the initial addition of the token, not on subsequent transactions made with that token. For more details, refer to the Verification Code (CVV) documentation and the Address Verification System (AVS) documentation.
The customer enters their credit card number, expiry date, and — if required — the 3-digit validation code and address information, then presses "Continue." The customer has a maximum time to enter this information. If the customer makes a mistake, an error page appears (referred to in the source as Image 2: Error Page Regarding the Input of the Customer's Credit Card Information) with the option to cancel or restart the transaction. The customer has a maximum of three attempts to correctly complete the addition of the credit card.
When the customer presses "Continue," the PayFacto server automatically associates the entered credit card with the token provided during session creation. After validating the verification code, the cardholder's address, and the card-to-token association, PayFacto redirects the customer to the merchant — to a success page if the operation succeeds, or a failure page if there is a problem or a non-success of the verification code or address validation — with the transaction's session number as a parameter.
The merchant's success or failure page must use the session number received from the PayFacto redirection to make a new call to the Payment API, returning the result of the card-to-token association in the response parameters:
The source material references four screenshots (Images 1–4: the credit card input page, the input error page, and two PayFacto information pages) that were not included with the content provided. [CONFIRM: attach these screenshots before publishing]
The Payment API also supports creating a token during a card-present transaction performed on a point-of-sale terminal running the PayFacto application. In this mode, the merchant server calls the PayFacto server via the Payment API to send a purchase transaction to a physical terminal installed at the merchant. The Payment API is integrated into the merchant's systems to allow communication with PayFacto systems. During this call, PayFacto sends the transaction information to the device to perform the card transaction.
To add a token in card-present mode, the merchant calls the Payment API using one of the following functions:
In the response of this call, PayFacto provides the merchant with the token, a predetermined customer number, and a return code indicating the result of the financial transaction made at the terminal. The merchant must retrieve the token, along with the CustomerNumber, from the response of the Purchase or PreAuthorization call, for future use in a card-not-present transaction. If the financial transaction is not allowed, no token will be created or returned.
No tokens are returned when the transaction is made using a debit card, or when the payment is made using a mobile wallet (e.g. Apple Pay, Android Pay, Google Pay, etc.).
This is a manual input mode between the merchant and PayFacto. The PayFacto Payment Manager allows manually entering customer profile and subscription information. With this input method, the customer's card number does not pass through the merchant's computer systems, but must pass through a merchant employee.
To access the recurrence module, select the User menu from the Payment Manager's main menu. Clicking Recurring transactions in the User menu displays a list of Internet and MOTO merchants — choose the merchant with which recurring transactions will be configured.
Select Manage Clients to access customer-related features. From the list of all customers, you can manage additions, modifications, and deletions of customer profiles.
Client Addition
Creates a client in the database and associates a credit card number and a token. The card number itself is never given back to the merchant once entered. The client number should be unique to facilitate the merchant's management. When you click Add, the form contains five fields: Merchant (the merchant for which a new client will be added), Name (the credit card holder's name), Client # (identifies the customer with the merchant), Email, and Language (French or English). After filling the fields, click Create, then enter the customer's credit card number and expiration date and click Add.
Client Modification
Select the client name from the list to modify general information, credit card parameters, or the subscription list. In the Customer Information tab: Name, Client #, Email, Language. In the Credit Card Parameters tab: expiration date, and the credit card number (the expiry date must also be specified if the card number is changed).
Client Deletion
Erases a client from the database. Select the client in the list, click the delete option, and confirm the deletion.
The client list can be downloaded as an Excel file, containing:
Select Manage Subscriptions to access subscription features. From the list of all customers, you can manage additions and deletions of subscriptions.
Subscription Addition
Creates a subscription. The client number and token are essential to correctly identify which client is being subscribed. Clicking Add displays a form with seven fields:
After filling the fields, click Create.
Subscription Modification
Select the subscription from the list to change the account number, status, or subscription description. The two possible statuses are "Active" and "Pause." If a subscription is paused, scheduled withdrawals wait for the subscription to become active before being attempted.
Subscription Deletion
Ends a subscription immediately. Select the subscription from the list and click the delete option.
Select Billing Report to access invoice information. The report contains:
To view a specific transaction receipt, click the transaction number in the billing report.
The source material references numerous Payment Manager screenshots throughout this section ("the following screen is displayed") that were not included with the content provided. [CONFIRM: attach these screenshots before publishing]