Silent Order Post
With Silent Order Post, payment data is securely transferred, maintaining full control over the checkout experience.
This method makes it possible to send the shopper's payment data securely directly into our system. Payment fields are stored by Cielo, which is PCI DSS 3.2 certified.
It is ideal for merchants who require a high level of security without losing the identity of their page.
Characteristics
- It captures payment data directly to Cielo systems through fields hosted on your page through a script (JavaScript)).
- Compatibility with all payment methods available to the Gateway (National and International)
- Reducing the scope of the PCI DSS
- Full control over your checkout experience and brand management elements
The PCI Data Security Standard (PCI DSS) is a global standard for card data security, and comprises a minimum set of requirements to protect cardholder data.
Authorization Flow
Below is how a standard authorization flow and an authorization flow with Silent Order Post.
Standard Authorization Flow
In the standard authorization flow, the online store receives payment data from the shopper and therefore needs to be PCI DSS compliant.
Authorization Flow with Silent Order POST
With Silent Order Post, the virtual store server does not transfer card data openly.
- The store configures JavaScript on the checkout screen. At checkout, the script sends payment data directly to API E-commerce Cielo, without going through the store's server;
- The API stores the card data for that purchase and creates an encrypted code (
PaymentToken
, valid only for one purchase) or stores the card data and creates an encrypted code for the card (CardToken
, which can be used on other purchases); - The store sends the script token to the server itself;
- The store, through its server, sends the authorization request with the token and the other mandatory fields for a transaction.
Integration
Step 1. Getting access tokens
In order to use Silent Order Post, you will need two tokens:
- OAuth2 authentication token (
access_token
); - Silent Order Post authentication token (
AccessToken
).
OAuth2 authentication token
Get the access_token
from the Cielo authentication API (OAuth2). In case of success, the API will return an access_token
that must be used in the next authentication layer of the tool.
To get the access_token
in the OAuth 2.0 standard, send a request using the HTTP VERB POST to the URL of the table below, formed by the "base URL of the environment + endpoint", according to the desired environment:
Environment | base URL + endpoint | Authorization |
---|---|---|
SANDBOX | https://authsandbox.braspag.com.br/oauth2/token | "Basic {base64}" |
PRODUCTION | https://auth.braspag.com.br/oauth2/token | "Basic {base64}" |
Note: The "{base64}" value for the "Basic" type authorization must be obtained as follows:
- Concatenate the "ClientId" and the "ClientSecret" (
ClientId:ClientSecret
); - Encode the result of the concatenation in base64;
- Make a request to the authorization server using the generated alphanumeric code.
To obtain the "ClientID" and "ClientSecret", send an email to [email protected] containing the MerchantId
and informing that you want to obtain the "ClientID" and "ClientSecret" credentials for Silent Order Post.
Request
POST oauth2/token--request POST "https://authsandbox.braspag.com.br/oauth2/token"
--header "Authorization: Basic {base64}"
--header "Content-Type: application/x-www-form-urlencoded"
--data-binary "grant_type=client_credentials"
Parameters | Format | Where to send |
---|---|---|
Authorization | "Basic {base64}" | Header. |
Content-Type | "application/x-www-form-urlencoded" | Header. |
grant_type | "client_credentials" | Body. |
Response
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
{
"access_token": "faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw",
"token_type": "bearer",
"expires_in": 599
}
Response Properties | Description |
---|---|
access_token | The requested authentication token, that will be used in the next step. |
token_type | Indicates the token type value. |
expires_in | Access Token expiration, in seconds. When the token expires, you must request a new one. |
Silent Order Post Authentication Token
After obtaining the OAuth2 authentication token, send a request using the HTTP VERB POST to the URL in the table below, depending on the desired environment:
Environment | base URL + endpoint |
---|---|
Sandbox | https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken |
Production | https://transaction.pagador.com.br/post/api/public/v2/accesstoken |
Request
POST api/public/v2/accesstoken--request POST "https://transactionsandbox.pagador.com.br/post/api/public/v2/accesstoken"
--header "Content-Type: application/json"
--header "MerchantId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
--header "Authorization: Bearer faSYkjfiod8ddJxFTU3vti_ ... _xD0i0jqcw"
--data-binary
--verbose
Properties | Description | Type | Size | Required |
---|---|---|---|---|
MerchantId | Merchant identifier at Pagador. | GUID | 36 | Yes |
Authorization | Bearer [AccessToken OAuth2] | Text | 36 | Yes |
Response
In response, the store will receive a json ("HTTP 201 Created") containing, among other information, the AccessToken
from Silent Order Post.
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2021-05-05T08:50:04",
"ExpiresIn": "2021-05-05T09:10:04"
}
--header "Content-Type: application/json"
--header "RequestId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
--data-binary
{
"MerchantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"AccessToken": "MzA5YWIxNmQtYWIzZi00YmM2LWEwN2QtYTg2OTZjZjQxN2NkMDIzODk5MjI3Mg==",
"Issued": "2021-05-05T08:50:04",
"ExpiresIn": "2021-05-05T09:10:04"
}
Properties | Description | Type | Size | Format |
---|---|---|---|---|
MerchantId | Merchant identifier at aPI E-commerce Cielo. | Guid | 36 | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
AccessToken | Access token (AccessToken from Silent Order Post). The AccessToken obtained will allow an authorization attempt to be made within 20 minutes. | Text | -- | NjBhMjY1ODktNDk3YS00NGJkLWI5YTQtYmNmNTYxYzhlNjdiLTQwMzgxMjAzMQ== |
Issued | Token creation date and hour. | Text | -- | AAAA-MM-DDTHH:MM:SS |
ExpiresIn | Token expiration date and hour. | Text | -- | AAAA-MM-DDTHH:MM:SS |
Step 2. Implementing the script
Download the script provided by Cielo, and attach the script to your checkout page. This script will allow Cielo to process all card information without the merchant's intervention.
Download the script corresponding to the desired environment, sandbox or production:
Then configure the form with the following classes:
- For the credit/debit card holder: bp-sop-cardholdername
- For credit/debit card number: bp-sop-cardnumber
- For credit/debit card validity: bp-sop-cardexpirationdate
- For credit/debit card security code: bp-sop-cardcvvc
Additionally, set the following parameters:
Script Parameters
Property | Description |
---|---|
accessToken | Access token obtained via Braspag's authentication API (AccessToken SOP). |
environment | Type of environment: sandbox or production |
language | PT or EN or ES |
enableTokenize | "true" (saves the card directly to the Protected Card, returning a cardToken instead of a paymentToken) / "false" (otherwise). |
cvvRequired | "false" (sets CVV as not mandatory) / "true" (sets CVV as mandatory). |
Example of setup to be performed by the virtual store on the checkout page:
![Pagina Checkout]({{ site.baseurl_root }}/images/html-silent-order-post.jpg)
Script Response
The script provided by Cielo provides three events for handling and treatment by the establishment. They are:
- onSuccess, returns the “PaymentToken” after processing the card data;
- onError, in case there is an error in the consumption of Cielo services;
- onInvalid, returns the input validation result.
When validating the inputs, the establishment will be able to use the entire validation layer on the card data carried out by Cielo and thus simplify the treatment in its checkout form. The messages returned in the validation result are available in Portuguese (default), English and Spanish.
Property | Description | Condition |
---|---|---|
PaymentToken | Payment Token in GUID format (36) | |
CardToken | Permanent token to be used on a payment request on a GUID format (36). | Only works if 'enableTokenize' is true. |
- The
PaymentToken
orCardToken
will represent all the card data provided by the shopper. The token will be used by the establishment so that it does not need to treat and process card data on its server.- For security reasons, the
PaymentToken
can only be used for authorization in the API E-commerce Cielo. After processing the token, it will be invalidated.
Step 3. Authorization request with token
Request with PaymentToken
Send the authorization request with the PaymentToken
in the CreditCard
node (for credit card transaction) or in the DebitCard
node (for debit card transaction).
},
"Payment": {
"Type": "CreditCard",
"Amount": 1400,
"Installments": 1,
"CreditCard": {
"PaymentToken": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"Brand": "MASTER"
}
}
}
To see the required fields for the request and the response, see standard requests for credit or debit.
For security reasons, the PaymentToken
can only be used for authorization in the API E-commerce Cielo. The token will be processed and then invalidated.
Request with CardToken
Submit the authorization request with the CardToken
in the CreditCard
node (for credit card transaction) or in the DebitCard
node (for debit card transaction).
{
"MerchantOrderId":"2014111706",
"Customer":{
"Name":"Comprador Teste"
},
"Payment":{
"Type":"CreditCard",
"Amount":100,
"Installments":1,
"SoftDescriptor":"123456789ABCD",
"CreditCard":{
"CardToken":"6e1bf77a-b28b-4660-b14f-455e2a1c95e9",
"SecurityCode":"262",
"Brand":"Visa"
}
}
}
To see the required fields for the request and the response, see standard requests for credit or debit.
Updated 2 months ago