Silent Order Post

With Silent Order Post, payment data is securely transferred, maintaining full control over the checkout experience.

This method makes it possible to send the shopper's payment data securely directly into our system. Payment fields are stored by Cielo, which is PCI DSS 3.2 certified.

It is ideal for merchants who require a high level of security without losing the identity of their page.

Characteristics

  • It captures payment data directly to Cielo systems through fields hosted on your page through a script (JavaScript)).
  • Compatibility with all payment methods available to the Gateway (National and International)
  • Reducing the scope of the PCI DSS
  • Full control over your checkout experience and brand management elements

The PCI Data Security Standard (PCI DSS) is a global standard for card data security, and comprises a minimum set of requirements to protect cardholder data.

Authorization Flow

Below is how a standard authorization flow and an authorization flow with Silent Order Post.

Standard Authorization Flow

In the standard authorization flow, the online store receives payment data from the shopper and therefore needs to be PCI DSS compliant.

Authorization_Flow

Authorization Flow with Silent Order POST

With Silent Order Post, the virtual store server does not transfer card data openly.

Authorization_Flow_POST

  1. The store configures JavaScript on the checkout screen. At checkout, the script sends payment data directly to API E-commerce Cielo, without going through the store's server;
  2. The API stores the card data for that purchase and creates an encrypted code (PaymentToken, valid only for one purchase) or stores the card data and creates an encrypted code for the card (CardToken, which can be used on other purchases);
  3. The store sends the script token to the server itself;
  4. The store, through its server, sends the authorization request with the token and the other mandatory fields for a transaction.

Integration

Step 1. Getting access tokens

In order to use Silent Order Post, you will need two tokens:

  • OAuth2 authentication token (access_token);
  • Silent Order Post authentication token (AccessToken).

OAuth2 authentication token

Get the access_token from the Cielo authentication API (OAuth2). In case of success, the API will return an access_token that must be used in the next authentication layer of the tool.

To get the access_token in the OAuth 2.0 standard, send a request using the HTTP VERB POST to the URL of the table below, formed by the "base URL of the environment + endpoint", according to the desired environment:

Environmentbase URL + endpointAuthorization
SANDBOXhttps://authsandbox.braspag.com.br/oauth2/token"Basic {base64}"
PRODUCTIONhttps://auth.braspag.com.br/oauth2/token"Basic {base64}"

Note: The "{base64}" value for the "Basic" type authorization must be obtained as follows:

  1. Concatenate the "ClientId" and the "ClientSecret" (ClientId:ClientSecret);
  2. Encode the result of the concatenation in base64;
  3. Make a request to the authorization server using the generated alphanumeric code.

To obtain the "ClientID" and "ClientSecret", send an email to [email protected] containing the MerchantId and informing that you want to obtain the "ClientID" and "ClientSecret" credentials for Silent Order Post.

Request

POST oauth2/token
--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded" 
--data-binary "grant_type=client_credentials"
ParametersFormatWhere to send
Authorization"Basic {base64}"Header.
Content-Type"application/x-www-form-urlencoded"Header.
grant_type"client_credentials"Body.

Response

{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}
{
  "access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
  "token_type": "bearer",
  "expires_in": 599
}
Response PropertiesDescription
access_tokenThe requested authentication token, that will be used in the next step.
token_typeIndicates the token type value.
expires_inAccess Token expiration, in seconds. When the token expires, you must request a new one.

Silent Order Post Authentication Token

After obtaining the OAuth2 authentication token, send a request using the HTTP VERB POST to the URL in the table below, depending on the desired environment:

Environmentbase URL + endpoint
Sandboxhttps://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken
Productionhttps://transaction.pagador.com.br/post/api/public/v2/accesstoken

Request

POST api/public/v2/accesstoken
--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
PropertiesDescriptionTypeSizeRequired
MerchantIdMerchant identifier at Pagador.GUID36Yes
AuthorizationBearer [AccessToken OAuth2]Text36Yes

Response

In response, the store will receive a json ("HTTP 201 Created") containing, among other information, the AccessToken from Silent Order Post.

{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}
--header "Content-Type: application/json"
--header "RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
--data-binary
{
    "MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
    "Issued": "2021-05-05T08:50:04",
    "ExpiresIn": "2021-05-05T09:10:04"
}
PropertiesDescriptionTypeSizeFormat
MerchantIdMerchant identifier at aPI E-commerce Cielo.Guid36xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AccessTokenAccess token (AccessToken from Silent Order Post). The AccessToken obtained will allow an authorization attempt to be made within 20 minutes.Text--NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ==
IssuedToken creation date and hour.Text--AAAA-MM-DDTHH:MM:SS
ExpiresInToken expiration date and hour.Text--AAAA-MM-DDTHH:MM:SS

Step 2. Implementing the script

Download the script provided by Cielo, and attach the script to your checkout page. This script will allow Cielo to process all card information without the merchant's intervention.

Download the script corresponding to the desired environment, sandbox or production:

Then configure the form with the following classes:

  • For the credit/debit card holder: bp-sop-cardholdername
  • For credit/debit card number: bp-sop-cardnumber
  • For credit/debit card validity: bp-sop-cardexpirationdate
  • For credit/debit card security code: bp-sop-cardcvvc

Additionally, set the following parameters:

Script Parameters

PropertyDescription
accessTokenAccess token obtained via Braspag's authentication API (AccessToken SOP).
environmentType of environment: sandbox or production
languagePT or EN or ES
enableTokenize"true" (saves the card directly to the Protected Card, returning a cardToken instead of a paymentToken) / "false" (otherwise).
cvvRequired"false" (sets CVV as not mandatory) / "true" (sets CVV as mandatory).

Example of setup to be performed by the virtual store on the checkout page:

![Pagina Checkout]({{ site.baseurl_root }}/images/html-silent-order-post.jpg)

Script Response

The script provided by Cielo provides three events for handling and treatment by the establishment. They are:

  • onSuccess, returns the “PaymentToken” after processing the card data;
  • onError, in case there is an error in the consumption of Cielo services;
  • onInvalid, returns the input validation result.

When validating the inputs, the establishment will be able to use the entire validation layer on the card data carried out by Cielo and thus simplify the treatment in its checkout form. The messages returned in the validation result are available in Portuguese (default), English and Spanish.

PropertyDescriptionCondition
PaymentTokenPayment Token in GUID format (36)
CardTokenPermanent token to be used on a payment request on a GUID format (36).Only works if 'enableTokenize' is true.
  • The PaymentToken or CardToken will represent all the card data provided by the shopper. The token will be used by the establishment so that it does not need to treat and process card data on its server.
  • For security reasons, the PaymentToken can only be used for authorization in the API E-commerce Cielo. After processing the token, it will be invalidated.

Step 3. Authorization request with token

Request with PaymentToken

Send the authorization request with the PaymentToken in the CreditCard node (for credit card transaction) or in the DebitCard node (for debit card transaction).

POST /1/sales/
},
    "Payment": {
    "Type": "CreditCard",
    "Amount": 1400,
    "Installments": 1,
        "CreditCard": {
        "PaymentToken": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
        "Brand": "MASTER"
        }
    }
}

To see the required fields for the request and the response, see standard requests for credit or debit.

For security reasons, the PaymentToken can only be used for authorization in the API E-commerce Cielo. The token will be processed and then invalidated.

Request with CardToken

Submit the authorization request with the CardToken in the CreditCard node (for credit card transaction) or in the DebitCard node (for debit card transaction).

POST /1/sales/
{  
   "MerchantOrderId":"2014111706",
   "Customer":{  
      "Name":"Comprador Teste"
   },
   "Payment":{  
     "Type":"CreditCard",
     "Amount":100,
     "Installments":1,
     "SoftDescriptor":"123456789ABCD",
     "CreditCard":{  
         "CardToken":"6e1bf77a-b28b-4660-b14f-455e2a1c95e9",
         "SecurityCode":"262",
         "Brand":"Visa"
     }
   }
}

To see the required fields for the request and the response, see standard requests for credit or debit.