{#indexContentChunk}


Welcome to your developer’s section.

Running an online business can be an overwhelming task. Extending a business to the Web and opening an e-commerce storefront requires merchants to master many tasks: not only Web site development and design, but also maintaining the confidentiality and security of consumer data and accepting and processing payments. ClearCard takes the headache out of payment processing by managing a secure, reliable and low-cost solution for accepting payments. This section of the website was designed with that idea in mind.

This section contains many resources to help you get connected to ClearCard. Here you will find best practices we have learned from other developers, a forum so you can communicate with other ClearCard members, and sample code to save you time. As this section belongs to you, please feel free to write us and make any recommendations you feel might be necessary at webmaster@clearcard.com. We sincerely appreciate any time you spend in helping us to provide you with the best service possible.

As the need for online payment solutions continues to grow, we work continuously to securely link thousands of merchants and their customers to payment processing networks, making each transaction as safe and easy on the Internet as it is in the physical world. We are committed to providing cutting edge payment technologies while supporting standards to maximize the outreach to merchant and consumer clientele. Simply put, ClearCard offers the best e-commerce payment solution available.

 

{#} {#glossaryContentChunk}

Access-Based Sales
Many ClearCard clients sell access to restricted areas of their web sites. Their customers purchase the right to enter those restricted areas for a certain period of time. Customers enter the restricted areas by providing specific URL locations and, usually, a valid username and password.

ACH Authorization
Automated Clearinghouse Authorization. Similar to a wire transfer, this banking technology is used to automatically deduct from and/or credit money to specific bank accounts.

Authorization/Verification
Like any other online or offline retailer accepting credit cards as a form of payment, ClearCard consults the credit card authorization/verification network prior to completing the sale. This network first verifies that the credit card number and supporting data are valid, checks that there is sufficient credit in the account, then authorizes the dollar amount of the requested charge.

What does AVS mean?
AVS stands for Address Verification System. An AVS check is a comparison of an address with the billing address for a credit card. By rejecting transactions that fail AVS, you help reduce your exposure to fraud.

Charge back
The reverse of a charge. A customer who regrets having made a purchase may ask his/her bank to undo the credit card charge. When the charge involves the delivery of a tangible product, banks tend to favor the seller. When the charge involves an intangible such as web site access, banks tend to favor the reticent buyer. Customers who get out of their purchases in this manner are added to ClearCard's fraud database so that future purchase attempts will be turned away.

Client
From ClearCard's point of view, a client is any vendor who sells access to his/her web site, or a service or a product, through ClearCard. A customer is any person who buys that access, service or product from ClearCard, then goes to the client to claim what he/she just bought.

Client Reserve
Standard credit card industry billing procedure in which a percentage of the sale amount is retained by the payment processing company to protect itself from catastrophic losses. It's expected that there will always be a certain percentage of charge backs (refunds of charges, whether the customer requests it through you or simply forces it through his/her bank). Because these charge backs come against ClearCard, the banks expect ClearCard to pay back the disputed amounts.

Credit cards are most often used to carry debts over many months. Challenges may occur long after the original charge was applied. It would be unreasonable for ClearCard to hold back all of its clients' wholesale credit card revenue for half a year, but ClearCard has to have some way to protect itself against catastrophe (the abrupt disappearance of a web site and its proprietor, mainly). Keep in mind, ClearCard has very little knowledge of its clients apart from faxed contracts with signatures. As a compromise, ClearCard issues client wholesale checks for credit card revenue at a set time after each billing cycle. These checks deliver the lion's share of wholesale revenue to each client, but not quite all of it. A negotiated percentage of the original retail amount is held back for six months as an emergency reserve.

Client Username/Password
ClearCard provides near-real-time reports on your account's transactions and payment statements through the Merchant Area. In this section, you can also submit refund requests and many other business functions. To access the Merchant Area, you must first log in using your client username and password.

Country Mismatch
When a customer signs up for service they tell us what country they're from in three different ways. 1) They tell us their country. (Usually from a pull-down list of countries.) 2) Their IP address is within a range allocated to a country. 3) Their credit card is issued by a bank in a country. These three methods of obtaining the country data do not always agree. When they differ, the likelihood that the transaction is fraudulent is higher. For the greatest level of security, deny these transactions.

CPI
ClearCard Payment Interface (CPI) is a simple and scalable commerce system and the core of ClearCard’s offering. The two main components of the system are: The ClearCard Payment Interface (CPI) and the ClearCard API. Both of these implementations ride on top of the same basic payment processing application.

CPNI
ClearCard’s Payment Notification Interface (CPNI) allows you to integrate ClearCard payments with your website commerce functionality. This part of CPI will allow you to receive immediate notification and confirmation of payments you receive from customers. The benefit to you is the ability to: store transaction information in your own database; automate your fulfillment operations (e.g. sending shipping info to your warehouse); track your customers, for CRM functionality, through the notification’s pass-through variables capability; and customize your website’s response to customer purchases in real time.

Customer
From ClearCard's point of view, a customer is any person who buys access, service or a product from ClearCard, then goes to a client to claim what he/she just bought. A client is any vendor who sells access to his/her web site, or a service or a product, through ClearCard.

CVV2
CVV2 stands for Card Verification Value. It is a new authentication scheme established by credit card companies to further efforts towards reducing fraud for internet transactions. It consists of requiring a card holder to enter the CVV2 number at transaction time to verify that the card is on hand.

CVC
CVC stands for Card Validation Code. It is essentially synonymous with CVV2. Specifically, MasterCard uses the term CVC; Visa (and most other cards) use CVV2.


 

{#} {#glossary2ContentChunk}


Dispute
(See also charge back). On occasion, customers regret having made a purchase and, rather than try to talk you or ClearCard out of a refund, resort to asking their bank or phone company to undo the charge. A certain small percentage of disputes is expected as par for the course. An above-average number of disputes should inspire both you and ClearCard to find remedies.

Fraud Database
There are acceptable reasons a customer might request a refund: an accidental double charging of his/her account, a quick realization that your site, service, or product was not what he/she expected, etc. There are also unacceptable reasons a customer might force a refund, most often that he/she enjoyed what you provided, then wished to avoid paying for it. When the latter happens, ClearCard adds that customer's credit card or telephone number information to a database we maintain which prevents that credit card number or telephone number from being accepted by ClearCard for any client's site in the future. Because such fraudulent individuals tend to be repeat offenders, this unified database provides much greater protection than if each ClearCard client were to maintain his/her own database. We also pass on this information to the credit card authorization/verification network and in some cases to the credit reporting agencies.

IP
An IP is a number unique to every workstation in the world. This "IP number" is a four-byte value that, by convention, is expressed by converting each byte into a decimal number (0 to 255) and separating the bytes with a period. For example, 130.132.59.234.

Intangible Items
Non-physical goods sold by merchants, including Internet access, information or services.

Internet Merchant Account
A merchant account is a relationship between a retailing company and a merchant bank which allows the retailer to accept credit card payments from customers. Banks require that certain (usually very stringent) qualifications be met before granting a merchant account to a company. Most small companies, in particular web-based sites, find it too expensive and cumbersome to acquire their own merchant accounts, yet credit cards are the most efficient way of doing business on the Internet. That's where ClearCard comes in. ClearCard is a retailer who can buy proofs of purchase at wholesale from a web site by traditional (mailed check) means, then sell those proofs to Internet users.

Real-Time
Computer activity that occurs "while you wait" rather than being added to a batch for processing at a later time. Online credit card authorization/verification, for example, occurs in real time, beginning seconds after a customer submits his/her Credit Card Processing Form and finishing moments later with the delivery of a response page letting the customer know the success or failure of the transaction.

Recurring Billing
Method of billing credit card purchases that occur automatically, a set number of days apart, e.g. monthly.

Refund
It's an unavoidable fact of business that a small percentage of customers will ask for their money back, for a wide range of acceptable (and unacceptable) reasons. Where possible, you and ClearCard should both encourage customers to begin their refund requests through you rather than through ClearCard or their bank. This allows for a graceful undoing of the purchase, rather than surprising you. Of course, if you turn down a request for a refund, the customer can more often than not force a refund from his/her bank or phone company. The customer's information is added to our fraud database in such cases, so that he/she will not be able to make future purchases through ClearCard for any of ClearCard's clients.

Secure Server
ClearCard's web servers which handle credit cards use SSL (secure socket layer) encrypted communications. While a secure server discusses sensitive credit card information with the customer, anyone eavesdropping on this electronic conversation through any Internet computer between browser and server will only see illegible data. Of course, it can't protect the customer from someone watching over the customer's shoulder.

SSL Encryption
Secure Socket Layer Encryption. Standard used on the Internet for securing sensitive data, by means of advanced encryption technology, while it is transferred between a Web browser and a Web server. For the protection of Internet consumers, credit card numbers and other sensitive data should only be transferred via secure servers.

Suspicious IPs
A suspicious IP is one from which we've received several rejected credit card transactions in a short period of time -- a sign there may be a credit card generator in use. If an IP has more than 5 rejections in 10 minutes, ClearCard will block the IP for 10 hours.
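
The blocking rule in this entry can be expressed as a sliding-window counter. The following is an added example, not ClearCard's code; the class, function and event layout are assumptions, and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10 * 60        # 10 minutes, per the glossary entry
MAX_REJECTS = 5         # block on "more than 5" rejections
BLOCK_FOR = 10 * 3600   # 10 hours

class RejectionTracker:
    def __init__(self):
        self.rejects = defaultdict(deque)   # ip -> timestamps of recent rejections
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]      # block has expired
            return False
        return until is not None

    def record_rejection(self, ip, now):
        q = self.rejects[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:   # drop rejections older than the window
            q.popleft()
        if len(q) > MAX_REJECTS:
            self.blocked_until[ip] = now + BLOCK_FOR
            q.clear()

def replay(events):
    """events: (unix_time, ip, approved) tuples in time order."""
    tracker, decisions = RejectionTracker(), []
    for ts, ip, approved in events:
        if tracker.is_blocked(ip, ts):
            decisions.append("blocked")     # refused before reaching the card network
        elif approved:
            decisions.append("approved")
        else:
            tracker.record_rejection(ip, ts)
            decisions.append("rejected")
    return decisions

# Constructed sample: six rejections within five minutes, then two later attempts.
BURST = [(t, "203.0.113.7", False) for t in range(0, 360, 60)]
SAMPLE = BURST + [(360, "203.0.113.7", True), (300 + BLOCK_FOR, "203.0.113.7", True)]
```

A source that spreads its rejections out, so that no 10-minute window ever holds more than 5, is never blocked by this rule alone.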

Transaction ID
ClearCard assigns a unique transaction ID to each customer attempt to bill a credit card through any of ClearCard's secure servers. If the attempt is approved by the credit card verification network, ClearCard presents the customer with a success notification that includes this event's transaction ID.

Unused accounts
In most circumstances, when a customer creates an account and does not subsequently log in, it is a bad idea to charge the account. The account may be the result of fraud -- for example, a credit card generator may have been used to create the account. If an account is created and the customer does not log in, ClearCard will wait 2 hours and then send a warning email to the customer. The email instructs the customer that if they do not log in within -1 hours their account will be canceled. After waiting another period of time, ClearCard cancels the account and sends an email to the customer explaining that the account has been canceled due to inactivity.


 

{#} {#securityContentChunk}


If you choose to use ClearCard to manage access to your site, there are two different methods of access control you can choose to use.

As with any program that provides many options, the sheer number of choices can confuse the issue. The authentication options available to you through ClearCard come in two basic styles (HTTP and FTP), and each of those has two types of 'member lists' that can be updated using these options.

You will only want to select one method. While either is acceptable, the most commonly used method is the HTTP basic authentication. To activate, select 'yes' on the radio button. Now you must fill in a URL to the CGI on your computer that will listen for ClearCard's post of your new member's name/password information. This CGI will then write the information to an 'htpassword' file on your system. Every time a customer then logs into your system, it is this 'htpassword' file that is checked to see if the customer is in fact a valid member. To use the FTP method you will only need to supply the FTP information and the direct location of the 'htpassword' file. This method is much simpler and bypasses the need for a CGI 'listener', but it is not generally considered as secure as the former method.

While you are welcome to write your own CGI listener, ClearCard has a simple secure implementation we are happy to install for you.

First, let's explain what we mean by 'member lists'. Your members will sign in using a name/password. Somewhere on your server this list exists (usually an htpassword file). Every time a user signs up using our member management signup page, you will want to be notified of the new member and their password. ClearCard will need to know where to send this information. Commonly, this is some CGI on your system that writes to a file. ClearCard can send this information to you through the web (HTTP), in which case the message must be read by a CGI on your side and then written to a file on your system (usually an htpassword file), or ClearCard can use the FTP protocol to write directly to the file on your system (usually an htpassword file).

See Process Flowchart -- Fig A.



As you will notice in the diagram (fig A) there are points on the flow chart represented as diamond shapes labeled 'htaccess'. These security points are not required but they do represent an interesting security model that ClearCard recommends you consider.

A customer signs up for your website. The signup information is sent to you with a special name/password coming from ClearCard. ClearCard's name/password is validated like a regular login. If this message validates properly then the customer's name/password is sent to your CGI. The CGI then adds its own name/password and attempts to write to the htpassword file. The CGI name/password is validated and if it is good then the customer's name/password is added to the member's name/password file as a valid member. As you can see this methodology provides a fairly airtight method of securing your member name/password data.
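
The sender checkpoint and the write to the password file, sketched as an added example (this is not ClearCard's listener). The function names, parameter layout and member-name rule are assumptions, and the second credential the CGI presents to the file writer is not modelled.

```python
import base64, hashlib, hmac, os, re, tempfile

# Assumption: member names are limited to characters that cannot break the
# one-entry-per-line "name:hash" layout of the password file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")

def sha_entry(name, password):
    # Apache's "{SHA}" entry format, chosen only because it needs no
    # third-party module; bcrypt entries (htpasswd -B) are the stronger choice.
    digest = hashlib.sha1(password.encode()).digest()
    return name + ":{SHA}" + base64.b64encode(digest).decode()

def same(a, b):
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode(), b.encode())

def add_member(path, sender, expected, name, password):
    """sender/expected are (name, password) pairs for the notifying party."""
    # Checkpoint: authenticate the sender before touching member data.
    user_ok, pass_ok = same(sender[0], expected[0]), same(sender[1], expected[1])
    if not (user_ok and pass_ok):
        return "denied"
    # A name containing ':' or a newline could forge extra entries.
    if not SAFE_NAME.fullmatch(name) or not password:
        return "rejected"
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    # Never overwrite: a repeat signup must not reset an existing member's password.
    if any(ln.split(":", 1)[0] == name for ln in lines):
        return "exists"
    lines.append(sha_entry(name, password))
    # Write a private temp file, then rename, so readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)
    return "added"
```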

 

{#}