REST API v2 Architecture
CyberSource REST API v2 consolidates the full payment lifecycle into a single unified endpoint framework.
Each resource — /pts/v2/payments, /pts/v2/captures, /pts/v2/refunds,
/pts/v2/voids — follows consistent JSON request/response conventions with HTTP verb semantics.
Idempotency is enforced via the v-c-idempotency-id header: re-submitting an identical request
within the 24-hour window returns the original response without re-processing — critical for network-timeout
retry logic. Webhooks deliver asynchronous event notifications (payment.updated, fraud.case.review) to
registered HTTPS endpoints, enabling event-driven order management without polling.
Authentication uses HTTP Signature (preferred) or JWT Bearer tokens. HTTP Signature requires a merchant key ID, a secret key, and a digest of the request body — we assist clients in building correct signature generation libraries across Java, .NET, PHP, Python and Node.js SDKs, as well as validating webhook signature payloads on receipt.
Secure Acceptance & Flex Microform — PCI Scope Reduction
Secure Acceptance Hosted Checkout redirects the cardholder to a CyberSource-hosted page, reducing the merchant to PCI DSS SAQ A scope. Configuration is managed through Business Center: form customisation, locale mapping, payment method ordering, 3DS trigger thresholds, and post-payment redirect URLs are all profile-driven. Signed data fields and a HMAC-SHA256 signature prevent parameter tampering.
Flex Microform allows merchants to embed individual card number and CVV fields as
iframes within their own checkout page while keeping raw PAN data off the merchant server. The
microform.createField() JavaScript call renders a Flex-hosted iframe; the resulting
transient token is included in the server-side authorisation request. This achieves PCI SAQ
A-EP scope whilst preserving full UX control. We advise on Flex v2 migration from Flex v1 (which uses
a different transient token format and is deprecated).
Decision Manager (DM) — Fraud Rule Management
Decision Manager is CyberSource’s rules-based and machine-learning fraud scoring engine. Passive mode allows DM to score every transaction and record recommendations without affecting authorisation flow — ideal for baseline benchmarking and data collection before live deployment. Active mode uses DM decisions to accept, review, or reject transactions in real time.
In passive mode, DM attaches a riskInformation.score.factorCodes array and a
riskInformation.score.result (ACCEPT, REVIEW, REJECT) to every response. Merchants
can harvest weeks of passive-mode data, identify FP and FN patterns against actual chargeback
outcomes, and build rule sets tuned to their specific traffic profile before switching to active mode.
Rule creation in Business Center Rule Manager supports velocity rules (count of transactions from a given IP, BIN, email or device fingerprint within a configurable time window), BIN-country mismatch rules, device fingerprint rules using the ThreatMetrix integration, and custom list (positive/negative) matching. Rules are combined via AND/OR boolean logic into strategies. The chargeback feedback loop (uploading chargeback files back to CyberSource) enables the ML model to learn from confirmed fraud, improving score accuracy over time.
Case management workflow: REVIEW decisions surface in the Case Management queue for manual analyst decisioning. Agents can inspect device fingerprint details, velocity counts, address verification results, and order history. Accept/Reject decisions in the queue can optionally trigger a real-time capture or void via the API.
Token Management Service (TMS)
CyberSource TMS supports two distinct token types that are frequently confused:
- TMS tokens — a CyberSource-proprietary token referencing a stored card on CyberSource infrastructure. The token value is a 64-character hex string that maps to a Payment Instrument resource. TMS tokens never leave the CyberSource ecosystem.
- Payment Network Tokens (PNT) — issued by the card network (Visa Token Service / Mastercard MDES) and usable cross-processor. CyberSource acts as the Token Requestor (TR), performing token provisioning and cryptogram generation on behalf of the merchant. Network tokens are recommended for recurring / subscription use cases due to improved issuer approval rates and lifecycle management (card expiry updates propagate automatically).
The TMS resource hierarchy is: Customer → Payment Instrument (the card token) → Instrument Identifier (the underlying PAN reference, never exposed in full). Instrument Identifiers enable cross-instrument reporting and chargeback correlation without storing PANs. We guide clients through the correct token hierarchy design for their subscription billing, marketplace, and stored-credential use cases.
Payer Authentication — 3DS 2.x
CyberSource Payer Authentication (PA) supports the full EMV 3-D Secure 2.x specification via two integration paths:
-
Cardinal Commerce (external) — Cardinal’s Cruise JavaScript SDK handles
device fingerprinting (Method URL collection) and the cardholder challenge UI. The merchant
passes the Cardinal JWT and
referenceIdto CyberSource for the authorisation-with-payer-authentication request. -
CyberSource-native 3DS — CyberSource manages the full 3DS 2.x flow internally,
including ACS communication, frictionless vs challenge determination, and result mapping. The
merchant only calls
POST /risk/v1/authentication-setups(setup),POST /risk/v1/authentications(check enrollment), and includesPOST /risk/v1/authorization-with-authenticationto combine auth and 3DS.
Authentication result mapping is critical for correct liability shift: ECI (Electronic Commerce Indicator) carries liability classification (05 = fully authenticated, 06 = attempted, 07 = not enrolled / no 3DS). CAVV (Cardholder Authentication Verification Value) is the cryptogram the acquirer passes to the network. dsTransactionId (replacing legacy XID in 3DS 2.x) is the Directory Server transaction reference — a mandatory field on Visa and Mastercard authorisations where 3DS 2.x was performed.
Reporting API
CyberSource offers two reporting modes: subscription reports (automatically
generated and delivered on a schedule to SFTP or pulled via API) and on-demand reports
(triggered via POST /reporting/v3/report-requests with a date range and report type).
Key report types include the Transaction Detail Report (TDR) — a full record of
every transaction including decision fields, rule codes, and processor response codes — and the
Conversion Report, which tracks the authorisation-to-capture funnel and identifies
abandoned payment sessions. We assist clients in parsing TDR CSV schema changes across API versions
and building automated reconciliation pipelines.
Decision Manager Rule Operators Reference
| Field | Operator | Value Example | Use Case |
|---|---|---|---|
billTo.ipAddress |
VELOCITY_COUNT | > 5 in 24h | Detect rapid-fire carding from same IP |
card.prefix (BIN) |
NOT_IN_LIST | Positive BIN list | Restrict to approved issuer BIN ranges |
deviceFingerprintID |
VELOCITY_COUNT | > 3 in 1h | Multiple cards tested from same device |
billTo.email |
REGEX_MATCH | .*@tempmail\..* |
Disposable email detection |
card.cardType |
EQUALS | Prepaid | Flag prepaid cards for manual review |
billTo.country vs card.prefix country |
MISMATCH | — | BIN-to-billing country mismatch |
orderInformation.amountDetails.totalAmount |
GREATER_THAN | 5000.00 | High-value order step-up review |
Simple Order API → REST API Migration Checklist
ccAuthService_run=true); REST uses nested JSON objects. CyberSource publishes
a field mapping guide but many edge-case fields (custom DM variables, custom fields 1–4) need
manual mapping validation.
v-c-idempotency-id header to prevent duplicate charges on network retries.
paySubscriptionCreateService) are not directly compatible with TMS v2 Payment
Instrument tokens. Bulk migration requires a CyberSource-assisted token porting engagement.