Fiserv CardPointe Compliance Updates

Date: 2025-10-09

Summary

Updated CardPointe integration to comply with Fiserv requirements for production approval.

Fiserv Requirements (from Ryan McDonnell, Sr. Project Manager)

1. ✅ postal - IMPLEMENTED

Requirement: Prompt for postal code for card-not-present transactions (fraud prevention and interchange optimization)

Implementation:

• Added billing_postal field to payment form (app/views/app/quotes/payment.html.erb:59-64, 89-94)
• Field defaults to customer's zip_code (from Company or Contact model)
• User can override the default value
• Passed to CardPointe API via postal parameter in auth payload
• Updated both Fiserv and Authorize.Net payment forms

2. ✅ cvv2 - ALREADY COMPLIANT

Requirement: Prompt for CVV for card-not-present transactions

Status: Already implemented via CardPointe HIT iframe

• HIT iframe configured with usecvv=true parameter
• CVV is collected and tokenized within the iframe
• CVV is included in the token automatically (PCI SAQ-A compliant)

3. ✅ ecomind - ALREADY COMPLIANT

Requirement: Include appropriate ecomind value for card-not-present transactions

Status: Already implemented in app/services/payment_processors/fiserv_adapter.rb:394

• Set to "E" (E-commerce web or mobile application)
• Correct for our use case (online quote/order system)

Valid ecomind values:

• T - Telephone or mail payment
• R - Recurring billing
• E - E-commerce web or mobile application ← We use this

4. ✅ Tokenization - ALREADY COMPLIANT

Requirement: Tokenize card data prior to sending auth request

Status: Already implemented using CardPointe Hosted iFrame Tokenizer (HIT)

• Card data entered into CardPointe iframe
• Tokenized via postMessage
• Token sent to auth endpoint (never raw card data)

Files Modified

1. app/views/app/quotes/payment.html.erb

Changes:

• Added billing_postal field for both Fiserv and Authorize.Net sections
• Defaults to (@order.company || @order.contact).zip_code
• User can edit/override the default
• Includes explanatory text about fraud prevention

Lines: 59-64, 89-94

2. app/services/payment_processors/fiserv_adapter.rb

Changes:

• Added postal_code parameter to authorize_with_token method signature
• Added postal field to CardPointe auth payload
• Removed debug logging ([EXPIRY DEBUG] statements)
• Cleaned up expiry parsing code

Lines: 375-402, 417-461

3. app/controllers/app/quotes_controller.rb

Changes:

• Added billing_postal = params[:billing_postal] extraction
• Passed postal_code: billing_postal to authorize_with_token call

Lines: 289-308

Testing Checklist

Pre-Production Testing

• [ ] Test with valid postal code (approval)
• [ ] Test with invalid postal code (decline/downgrade check)
• [ ] Test postal code override functionality
• [ ] Verify all 4 requirements are met in CardPointe logs:
  • [ ] postal field present in auth request
  • [ ] CVV captured (via HIT token)
  • [ ] ecomind: "E" in request
  • [ ] Token used (not raw card)

Production Deployment

• [ ] Update environment variables:
  • CARDPOINTE_API_URL=https://fts.cardconnect.com
  • CARDPOINTE_MERCHANT_ID=<production_mid>
  • CARDPOINTE_API_USERNAME=<prod_username>
  • CARDPOINTE_API_PASSWORD=<prod_password>
• [ ] Update iframe URL in payment.html.erb:180
  • Change: https://fts-uat.cardconnect.com → https://fts.cardconnect.com
• [ ] Update postMessage origin check in payment.html.erb:198
  • Change: /fts-uat\.cardconnect\.com$/ → /fts\.cardconnect\.com$/

Compliance Status

Additional Benefits

Fraud Prevention

• AVS (Address Verification Service) enabled via postal code
• Reduces chargebacks and fraud

Interchange Optimization

• Proper ecomind value ensures correct interchange rates
• Postal code prevents interchange downgrades
• CVV collection improves authorization rates

PCI Compliance

• SAQ-A compliance maintained (simplest PCI level)
• Card data never touches our servers
• Only token and metadata transmitted

Code Quality

• ✅ All RuboCop checks passed
• ✅ No style violations
• ✅ Debug logging removed
• ✅ Comments updated

Next Steps

1. Submit to Fiserv - Inform Ryan McDonnell that all requirements are implemented
2. Request Production Credentials - Get production merchant ID and credentials
3. Production Deployment - Update environment variables and iframe URLs
4. Production Testing - Test with small transactions first
5. Monitor - Watch for any AVS mismatches or downgrades

Contact

Fiserv Integration Delivery:

• Ryan McDonnell, Sr. Project Manager
• Office: 412.317.6456

Implementation Date: October 9, 2025 Status: Ready for Production Approval