Silent Order Post

With Silent Order Post, payment data is securely transferred, maintaining full control over the checkout experience.

This method makes it possible to send the shopper's payment data securely directly into our system. Payment fields are stored by Cielo, which is PCI DSS 3.2 certified.

It is ideal for merchants who require a high level of security without losing the identity of their page.

Characteristics

• It captures payment data directly to Cielo systems through fields hosted on your page through a script (JavaScript)).
• Compatibility with all payment methods available to the Gateway (National and International)
• Reducing the scope of the PCI DSS
• Full control over your checkout experience and brand management elements

The PCI Data Security Standard (PCI DSS) is a global standard for card data security, and comprises a minimum set of requirements to protect cardholder data.

Authorization Flow

Below is how a standard authorization flow and an authorization flow with Silent Order Post.

Standard Authorization Flow

In the standard authorization flow, the online store receives payment data from the shopper and therefore needs to be PCI DSS compliant.

Authorization Flow with Silent Order POST

With Silent Order Post, the virtual store server does not transfer card data openly.

1. The store configures JavaScript on the checkout screen. At checkout, the script sends payment data directly to API E-commerce Cielo, without going through the store's server;
2. The API stores the card data for that purchase and creates an encrypted code (PaymentToken, valid only for one purchase) or stores the card data and creates an encrypted code for the card (CardToken, which can be used on other purchases);
3. The store sends the script token to the server itself;
4. The store, through its server, sends the authorization request with the token and the other mandatory fields for a transaction.

Integration

Step 1. Getting access tokens

In order to use Silent Order Post, you will need two tokens:

• OAuth2 authentication token (access_token);
• Silent Order Post authentication token (AccessToken).

OAuth2 authentication token

Get the access_token from the Cielo authentication API (OAuth2). In case of success, the API will return an access_token that must be used in the next authentication layer of the tool.

To get the access_token in the OAuth 2.0 standard, send a request using the HTTP VERB POST to the URL of the table below, formed by the "base URL of the environment + endpoint", according to the desired environment:

Note: The "{base64}" value for the "Basic" type authorization must be obtained as follows:

1. Concatenate the "ClientId" and the "ClientSecret" (ClientId:ClientSecret);
2. Encode the result of the concatenation in base64;
3. Make a request to the authorization server using the generated alphanumeric code.

To obtain the "ClientID" and "ClientSecret", send an email to [email protected] containing the MerchantId and informing that you want to obtain the "ClientID" and "ClientSecret" credentials for Silent Order Post.

Request

--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded" 
--data-binary "grant_type=client_credentials"

Response

{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}

{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}

Silent Order Post Authentication Token

After obtaining the OAuth2 authentication token, send a request using the HTTP VERB POST to the URL in the table below, depending on the desired environment:

Request

--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose

Response

In response, the store will receive a json ("HTTP 201 Created") containing, among other information, the AccessToken from Silent Order Post.

{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}

--header "Content-Type: application/json"
--header "RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
--data-binary
{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}

Step 2. Implementing the script

Download the script provided by Cielo, and attach the script to your checkout page. This script will allow Cielo to process all card information without the merchant's intervention.

Download the script corresponding to the desired environment, sandbox or production:

Then configure the form with the following classes:

• For the credit/debit card holder: bp-sop-cardholdername
• For credit/debit card number: bp-sop-cardnumber
• For credit/debit card validity: bp-sop-cardexpirationdate
• For credit/debit card security code: bp-sop-cardcvvc

Additionally, set the following parameters:

Script Parameters

Example of setup to be performed by the virtual store on the checkout page:


Script Response

The script provided by Cielo provides three events for handling and treatment by the establishment. They are:

• onSuccess, returns the “PaymentToken” after processing the card data;
• onError, in case there is an error in the consumption of Cielo services;
• onInvalid, returns the input validation result.

When validating the inputs, the establishment will be able to use the entire validation layer on the card data carried out by Cielo and thus simplify the treatment in its checkout form. The messages returned in the validation result are available in Portuguese (default), English and Spanish.

• The PaymentToken or CardToken will represent all the card data provided by the shopper. The token will be used by the establishment so that it does not need to treat and process card data on its server.
  
• For security reasons, the PaymentToken can only be used for authorization in the API E-commerce Cielo. After processing the token, it will be invalidated.

Step 3. Authorization request with token

Request with PaymentToken

Send the authorization request with the PaymentToken in the CreditCard node (for credit card transaction) or in the DebitCard node (for debit card transaction).

},
    "Payment": {
    "Type": "CreditCard",
    "Amount": 1400,
    "Installments": 1,
        "CreditCard": {
        "PaymentToken": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
        "Brand": "MASTER"
        }
    }
}

To see the required fields for the request and the response, see standard requests for credit or debit.

For security reasons, the PaymentToken can only be used for authorization in the API E-commerce Cielo. The token will be processed and then invalidated.

Request with CardToken

Submit the authorization request with the CardToken in the CreditCard node (for credit card transaction) or in the DebitCard node (for debit card transaction).

{  
   "MerchantOrderId":"2014111706",
   "Customer":{  
      "Name":"Comprador Teste"
   },
   "Payment":{  
     "Type":"CreditCard",
     "Amount":100,
     "Installments":1,
     "SoftDescriptor":"123456789ABCD",
     "CreditCard":{  
         "CardToken":"6e1bf77a-b28b-4660-b14f-455e2a1c95e9",
         "SecurityCode":"262",
         "Brand":"Visa"
     }
   }
}

To see the required fields for the request and the response, see standard requests for credit or debit.