Payment Processor Abstraction & Fiserv Migration

Executive Summary

Goal: Build a payment processor-agnostic architecture and migrate from Authorize.Net to Fiserv Commerce Hub.

Why:

• PCI Compliance: Reduce from SAQ A-EP to SAQ-A (22 questions vs 175+)
• Cost Savings: Free processing with Fiserv vs Authorize.Net fees
• Flexibility: Easy to switch processors or support multiple processors
• Security: Fiserv Hosted Fields keep payment data off our domain

Current State (Authorize.Net)

Architecture

Browser → Accept.js (tokenize) → payment_nonce → Server
Server → Authorize.Net API → Create Customer Profile
Server → Authorize.Net API → Create Payment Profile (vault card)
Server → Authorize.Net API → Authorize Payment (hold funds)
Server → Database → Save PaymentProfile + PaymentTransaction
Later → Authorize.Net API → Capture Authorization (charge card)

Key Files

• app/views/app/quotes/payment.html.erb - Accept.js client integration
• app/services/authorize_net_payment_service.rb - Authorize.Net API wrapper
• app/models/payment_profile.rb - Stores customer payment methods
• app/models/payment_transaction.rb - Stores transaction history
• app/controllers/app/quotes_controller.rb - Payment flow orchestration

Database Schema (Current)

PaymentProfile
  - authorize_customer_profile_id  # Authorize.Net customer vault ID
  - authorize_payment_profile_id   # Authorize.Net payment method token
  - card_type, last_four, expiration_month, expiration_year
  - company_id or contact_id (polymorphic)

PaymentTransaction
  - authorize_transaction_id       # Authorize.Net transaction ID
  - transaction_type               # auth_only, capture, refund
  - amount, status, response_code
  - order_id, payment_profile_id

Problems

1. Tight coupling to Authorize.Net (field names, service class)
2. PCI burden - SAQ A-EP compliance required
3. Processing fees - Authorize.Net charges per transaction
4. Vendor lock-in - Hard to migrate to different processor

Target State (Processor-Agnostic + Fiserv)

Architecture

Browser → Fiserv Hosted Fields (iframe) → sessionId → Server
Server → Fiserv Data Capture API → Tokenize payment
Server → Fiserv Payments API → Authorize Payment (hold funds)
Server → Database → Save PaymentProfile + PaymentTransaction
Later → Fiserv Payments API → Capture Authorization (charge card)

// Abstraction Layer
Controller → PaymentProcessorFactory → FiservAdapter or AuthorizeNetAdapter
Adapter → Processor-specific API calls
Adapter → Returns standardized response

New Database Schema

PaymentProfile
  - processor              # 'authorize_net', 'fiserv', 'stripe', etc.
  - processor_customer_id  # Generic customer ID in processor vault
  - processor_token_id     # Generic payment method token
  - card_type, last_four, expiration_month, expiration_year
  - company_id or contact_id (polymorphic)
  - is_default

PaymentTransaction
  - processor              # Which processor handled this transaction
  - processor_transaction_id  # Generic transaction ID
  - transaction_type       # auth_only, capture, refund
  - amount, status, response_code
  - order_id, payment_profile_id
  - metadata (jsonb)       # Processor-specific extra data

Implementation Plan

Phase 1: Create Abstraction Layer

Goal: Extract Authorize.Net into adapter pattern without breaking existing functionality

Tasks:

1. Create base interface

   • app/services/payment_processors/base.rb
   • Define standard methods: create_customer, tokenize_payment, authorize, capture, refund

2. Create Authorize.Net adapter

   • app/services/payment_processors/authorize_net_adapter.rb
   • Wrap existing AuthorizeNetPaymentService logic
   • Implement base interface methods

3. Create factory

   • app/services/payment_processor_factory.rb
   • Route to correct adapter based on configuration

4. Update controllers

   • Replace direct calls to AuthorizeNetPaymentService
   • Use PaymentProcessorFactory.default

5. Add tests

   • Test base interface
   • Test Authorize.Net adapter
   • Test factory routing

Deliverable: Same functionality, but using adapter pattern

Phase 2: Database Migration

Goal: Add processor-agnostic columns while keeping existing ones for backwards compatibility

Tasks:

1. Generate migration for PaymentProfile

   add_column :payment_profiles, :processor, :string
   add_column :payment_profiles, :processor_customer_id, :string
   add_column :payment_profiles, :processor_token_id, :string
   add_index :payment_profiles, [:processor, :processor_customer_id]
   

2. Generate migration for PaymentTransaction

   add_column :payment_transactions, :processor, :string
   add_column :payment_transactions, :processor_transaction_id, :string
   add_column :payment_transactions, :metadata, :jsonb
   add_index :payment_transactions, [:processor, :processor_transaction_id]
   

3. Data migration

   # Backfill existing records
   PaymentProfile.where(processor: nil).update_all(
     processor: 'authorize_net',
     processor_customer_id: 'authorize_customer_profile_id',
     processor_token_id: 'authorize_payment_profile_id'
   )
   

4. Update models

   • Add validations for new fields
   • Add backwards compatibility for old field names

Deliverable: Database ready for multiple processors

Phase 3: Implement Fiserv Adapter

Goal: Build Fiserv integration alongside existing Authorize.Net

Tasks:

1. Setup Fiserv credentials

   • Add to .env: FISERV_API_KEY, FISERV_API_SECRET, FISERV_MERCHANT_ID
   • Add initializer: config/initializers/fiserv.rb

2. Create Fiserv adapter

   • app/services/payment_processors/fiserv_adapter.rb
   • Implement all base interface methods
   • Handle Fiserv-specific session flow

3. Create Fiserv helper

   • app/helpers/fiserv_helper.rb
   • Session credential generation
   • HMAC signature generation

4. Update payment view

   • Add Fiserv Hosted Fields SDK
   • Conditional rendering based on selected processor
   • Keep Accept.js for backwards compatibility

5. Update controller

   • Handle both payment nonce (Authorize.Net) and sessionId (Fiserv)
   • Route to correct adapter based on customer config

6. Add tests

   • Integration tests for Fiserv API calls
   • Test both auth and capture flows
   • Test error handling

Deliverable: Working Fiserv integration running alongside Authorize.Net

Phase 4: Migration & Cutover

Goal: Migrate existing customers and switch default processor

Tasks:

1. Add processor selection to admin

   • UI to choose default processor per customer
   • UI to view/edit payment profiles

2. Test Fiserv in production (parallel running)

   • Select test customers to use Fiserv
   • Monitor transactions
   • Verify auth/capture flow

3. Gradual migration

   • Week 1: 10% of new customers on Fiserv
   • Week 2: 50% of new customers on Fiserv
   • Week 3: 100% of new customers on Fiserv

4. Update defaults

   • Change DEFAULT_PAYMENT_PROCESSOR=fiserv in production .env

5. Monitor & optimize

   • Track success rates by processor
   • Compare costs
   • Fix any Fiserv-specific issues

Deliverable: Fiserv as primary processor, Authorize.Net as fallback

Phase 5: Cleanup (Optional)

Goal: Remove Authorize.Net if no longer needed

Tasks:

1. Identify customers still on Authorize.Net
2. Migrate remaining customers or keep for legacy
3. Remove Accept.js code if all migrated
4. Archive AuthorizeNetPaymentService if unused
5. Remove old database columns after 6-month grace period

Technical Details

Fiserv Integration Specifics

Hosted Fields Setup

// 1. Request session credentials from backend
const response = await fetch('/api/payment/session', { method: 'POST' });
const { sessionId, publicKey } = await response.json();

// 2. Initialize Fiserv SDK
const hostedFields = await fiserv.hostedFields.create({
  sessionId: sessionId,
  publicKey: publicKey,
  fields: {
    cardNumber: { selector: '#card-number' },
    expirationDate: { selector: '#expiration' },
    cvv: { selector: '#cvv' }
  },
  styles: {
    // Custom styling to match your brand
  }
});

// 3. On submit, capture payment data
hostedFields.submit().then(result => {
  if (result.status === 'success') {
    // Submit form with sessionId to your server
    document.getElementById('payment_session_id').value = sessionId;
    form.submit();
  }
});

Backend Session Creation

# app/controllers/api/payment_controller.rb
def create_session
  # Generate session credentials
  response = Faraday.post(
    'https://prod.api.fiservapps.com/ch/payments/v1/payment-sessions',
    { amount: params[:amount], currency: 'USD' }.to_json,
    {
      'Api-Key' => ENV['FISERV_API_KEY'],
      'Authorization' => generate_hmac_signature,
      'Content-Type' => 'application/json'
    }
  )

  json = JSON.parse(response.body)
  render json: {
    sessionId: json['sessionId'],
    publicKey: json['publicKeyBase64']
  }
end

Payment Authorization

# app/services/payment_processors/fiserv_adapter.rb
def authorize_payment(amount:, session_id:, order_details:)
  response = Faraday.post(
    'https://prod.api.fiservapps.com/ch/payments/v1/charges',
    {
      amount: { total: amount, currency: 'USD' },
      source: { sourceType: 'PaymentSession', sessionId: session_id },
      transactionDetails: {
        captureFlag: false  # Authorization only
      }
    }.to_json,
    headers
  )

  # Parse response and return standardized format
  {
    success: response.status == 200,
    transaction_id: json['transactionId'],
    status: json['transactionStatus']
  }
end

Standard Interface Methods

All adapters must implement:

module PaymentProcessors
  class Base
    # Customer Management
    def create_customer(customer_data)
      # Returns: { customer_id: 'cust_123' }
    end

    # Payment Token Management
    def create_payment_token(customer_id:, payment_data:)
      # payment_data can be payment_nonce (Auth.Net) or session_id (Fiserv)
      # Returns: { token_id: 'tok_123', card_type: 'Visa', last_four: '1234' }
    end

    # Transactions
    def authorize_payment(amount:, token_id:, order_details:)
      # Returns: { transaction_id: 'txn_123', status: 'authorized', amount: 100.00 }
    end

    def capture_authorization(transaction_id:, amount:)
      # Returns: { transaction_id: 'txn_456', status: 'captured', amount: 100.00 }
    end

    def refund_transaction(transaction_id:, amount:)
      # Returns: { transaction_id: 'txn_789', status: 'refunded', amount: 100.00 }
    end

    # Helpers
    def errors
      # Returns array of error messages
    end
  end
end

Configuration

Environment Variables

# Processor Selection
DEFAULT_PAYMENT_PROCESSOR=fiserv  # or 'authorize_net'

# Authorize.Net (existing)
AUTHORIZENET_API_LOGIN_ID=xxx
AUTHORIZENET_TRANSACTION_KEY=xxx
AUTHORIZENET_PUBLIC_CLIENT_KEY=xxx

# Fiserv (new)
FISERV_API_KEY=xxx
FISERV_API_SECRET=xxx
FISERV_MERCHANT_ID=xxx
FISERV_ENVIRONMENT=prod  # or 'cert' for testing

Per-Customer Processor Selection

# Add to Company model
class Company
  def payment_processor
    # Can be set per company to override default
    settings[:payment_processor] || ENV['DEFAULT_PAYMENT_PROCESSOR']
  end
end

# Usage in controller
processor = PaymentProcessorFactory.for(@order.company.payment_processor)

Testing Strategy

Unit Tests

• Test each adapter implements all interface methods
• Test factory routing
• Mock external API calls

Integration Tests

• Test full auth → capture flow with Fiserv sandbox
• Test refund flow
• Test error handling

Manual Testing Checklist

• [ ] New customer checkout with Fiserv
• [ ] Existing customer with saved card (Authorize.Net)
• [ ] Authorization holds funds on card
• [ ] Capture charges the held funds
• [ ] Refund returns money
• [ ] Failed payment shows proper error
• [ ] PCI compliance - verify card data never touches server logs

Rollback Plan

If Fiserv has issues:

1. Change DEFAULT_PAYMENT_PROCESSOR=authorize_net in .env
2. Restart server (will route new payments to Authorize.Net)
3. Existing Fiserv authorizations can still be captured via adapter

No code changes needed - just config change.

Success Metrics

• PCI Compliance: Reduced to SAQ-A
• Cost Savings: $X saved per month on processing fees
• Code Quality: Payment logic abstracted and testable
• Flexibility: Can switch processors with config change
• Performance: Payment success rate maintains 95%+

Timeline Estimate

• Phase 1 (Abstraction Layer): 2-3 days
• Phase 2 (Database Migration): 1 day
• Phase 3 (Fiserv Integration): 3-4 days
• Phase 4 (Migration & Testing): 1-2 weeks
• Phase 5 (Cleanup): 1 day

Total: ~3-4 weeks for full migration

Questions/Decisions Needed

1. Fiserv Account: Do we have Fiserv Commerce Hub credentials?
2. Migration Date: When should we start migrating customers?
3. Authorize.Net Retention: Keep as fallback or fully deprecate?
4. Customer Communication: Inform customers of payment processor change?
5. Hosted Components vs Hosted Fields: Which Fiserv integration type? (Recommend Hosted Fields for max customization)

Resources

• Fiserv Commerce Hub Docs
• Fiserv Hosted Fields Guide
• Authorize.Net API Reference
• PCI SAQ-A Requirements