This article is relevant if you are seeking to move credit card information into NetSuite and you are concerned with PCI compliance and security.
Background
NetSuite offers a secure mechanism to manage credit card information. When properly used, NetSuite helps merchants manage PCI compliance obligations. As such, it is desirable to use NetSuite to process credit cards.
In many new NetSuite implementations, we encounter eCommerce or other applications that are holding credit card data. We have seen all kinds of ways that the credit card data is held. One secure way credit card data can be stored is via customer wallets held by the actual payment gateway. That is good, but what if you need the credit card data in NetSuite?
For a recent implementation, our client used CyberSource, a leading credit card payment gateway that is built into NetSuite’s platform. Independently of NetSuite, however, the client had a homegrown eCommerce recurring billing application which would call out to CyberSource’s proprietary checkout pages. The client was appropriately nervous about handling credit card data. A breach would damage their hard-earned brand. They worked hard to have their custom checkout process integrate with CyberSource so they would never hold credit card data.
The client, however, wanted a new recurring billing solution driven by NetSuite. Instead of going with NetSuite’s recurring billing offering, which had limitations based on NetSuite’s built-in eCommerce offerings, the client worked with us to build a custom recurring billing solution natively in NetSuite (a topic for a different article).
Under this new architecture, credit card data would be stored in NetSuite so that automated monthly recurring operations would happen entirely within NetSuite. The go-live cutover challenge was how we were going to get the credit card information out of CyberSource and into NetSuite.
Secure Custom NetSuite Application to Migrate Credit Card Data from CyberSource
As we explored various options, the following two conventional methods to get credit card data from CyberSource into NetSuite were presented:
- CyberSource / NetSuite Professional Services: While CyberSource and NetSuite could be engaged to perform a migration, the challenge is that the coordination takes a couple of weeks to complete and there would be missing information between the time the data is migrated and the time we cut over to the new system. This was not a good offer.
- One-Time Credit Export for CSV Import: Under separate legal agreements, CyberSource will deliver credit card data to merchants who need to migrate. The issue here is that the data must be handled and stored, and this approach too results in missing credit card information for the period between the time the data is exported and the time we wanted to go live. In addition, the client was quite nervous about holding any credit card information due to the security concern.
As we discussed alternatives to the two above, we came up with a new option. Our first option was to move to CyberSource’s new token mechanism instead of working with the actual credit card data. This looked quite promising until we learned that the tokens available for download in our client’s CyberSource back-end management account were incompatible with NetSuite.
So we instead came up with another approach (see image). The tokens could be retrieved for each customer and held in a custom field on the NetSuite customer record. We then created a custom NetSuite Mass Update that would read a customer’s token, call out to CyberSource’s API under secure credentials, retrieve the actual credit card information by presenting the token, and then write the sensitive data to the customer’s NetSuite-driven Credit Card Profile.
The solution offered much appeal:
- Timing: We could get the credit card information migrated on our own timeline and up to the moment we cut over to the new system. No information was missing, and the migration could be run as many times as needed without third-party coordination.
- Security: Because we performed all operations over HTTPS and within NetSuite’s SuiteScript environment, and did not store the credit card information anywhere except the prescribed PCI compliant location (i.e., NetSuite’s Customer Credit Card Profile), we had a solution that eased the client’s concern about potential breaches or brand-damaging mishaps.
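The per-customer step described above (read the token, retrieve the card, write it to the Credit Card Profile), with the card number kept out of everything except the profile write, as an added example that is not the bundle's code. It is plain JavaScript rather than SuiteScript; `fetchCardByToken` and `saveCardProfile` are hypothetical stand-ins for the CyberSource API call and the NetSuite profile write.

```javascript
// Added example. fetchCardByToken and saveCardProfile are hypothetical injected
// functions (assumptions), not CyberSource or NetSuite API names.

// Luhn check: reject a malformed number before it is written anywhere.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace any 12-19 digit run (spaces or dashes allowed between digits) so a
// card number echoed back in an error message never reaches a log.
function scrub(text) {
  return String(text).replace(/\b(?:\d[ -]?){11,18}\d\b/g, '[REDACTED]');
}

// Migrate one customer. The returned audit record is the only thing the caller
// may log: customer id, status, and at most the last four digits.
function migrateCustomer(customer, fetchCardByToken, saveCardProfile) {
  const audit = { customerId: customer.id, status: 'skipped', last4: null };
  if (!customer.token) return audit;                 // no token, nothing to migrate
  try {
    const card = fetchCardByToken(customer.token);   // full number lives only in this scope
    if (!luhnValid(card.number)) {
      audit.status = 'invalid_card';
      return audit;
    }
    saveCardProfile(customer.id, card);              // the one permitted storage location
    audit.status = 'migrated';
    audit.last4 = card.number.slice(-4);
  } catch (e) {
    audit.status = 'error';
    audit.error = scrub(e && e.message);
  }
  return audit;
}
```

Because the function only returns the audit record, a rerun up to the cutover moment can be logged per customer without the execution log becoming a second copy of the card data.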
CyberSource Credit Card Import as a SuiteBundle
This solution illustrates the power of the NetSuite platform and innovation we offer to our clients in our NetSuite Systems Integration practice. The good news is that this solution is available as a bundle and can be easily adapted to fit another specific client situation. If you are looking to securely migrate your credit card data to NetSuite, let’s have a conversation.
How to add a link for a custom button with CyberSource credit card processing?
Hello Rajitha,
I am not sure I understand your request. Please say more. What would happen when you click the button?
Hi Zigman,
I’m working as a NetSuite Technical consultant.
I also follow your posts.
Here I have a problem with my card reader.
I’m using a MagTek eDynamo card reader to accept customer payments.
Now the problem is I need to get & store customer card details when the customer inserts his/her card in the card reader.
I did a lot of research regarding this but failed to find a solution.
Do you have any idea regarding this?
Please share your thoughts.
Thanks in advance!!
I am not familiar with that specific technology. But a card reader is effectively a hardware device, like a keyboard. Thus, is there any API that is open on the device to allow you to read the data stream?
Marty