Phase 3 Complete: Fiserv Commerce Hub Integration

✅ What's Been Completed

1. Fiserv Adapter - `app/services/payment_processors/fiserv_adapter.rb`

Full implementation of base payment processor interface
HMAC-based authentication for all API requests
Methods implemented:
- create_customer_profile - Generates Fiserv customer ID
- create_payment_token - Tokenizes payment via Data Capture API
- authorize_payment - Authorizes payment using token
- capture_authorization - Captures authorized payment
- refund_transaction - Refunds captured payment
- void_authorization - Voids authorized payment
- process_payment_with_session - Convenience method combining token creation + authorization

2. Fiserv Helper - `app/helpers/fiserv_helper.rb`

HMAC-SHA256 signature generation for API authentication
Payment session creation for Hosted Fields
Generic API request method with proper headers
Error parsing for Fiserv responses
Environment configuration support (sandbox/production)

3. API Payment Session Endpoint - `app/controllers/app/api/payment_controller.rb`

POST /api/payment/session
Creates Fiserv payment session for Hosted Fields
Returns { session_id:, public_key: } to frontend
Handles errors appropriately
No authentication required (uses order token)

4. Updated Payment View - `app/views/app/quotes/payment.html.erb`

Conditional rendering based on processor type
Fiserv Hosted Fields:
- Loads Fiserv SDK from Commerce Hub
- Creates payment session via API
- Renders secure iframes for card number, expiration, CVV
- Validates fields before submission
- Submits session_id to backend
Authorize.Net Accept.js:
- Keeps existing implementation
- Tokenizes card data client-side
- Submits payment_nonce to backend
Both processors use same security message format

5. Updated Routes - `config/routes.rb`

Added API endpoint: POST /api/payment/session
Properly namespaced under app subdomain

6. Fiserv Initializer - `config/initializers/fiserv.rb`

Loads Fiserv credentials from environment
Validates credentials if Fiserv is default processor
Sets DEFAULT_PAYMENT_PROCESSOR configuration

7. Environment Configuration - `.env.example`

Added DEFAULT_PAYMENT_PROCESSOR setting
Documented Authorize.Net credentials
Documented Fiserv credentials with sandbox/production URLs
Clear comments for switching processors

🚀 How to Use

Testing with Fiserv (Sandbox)

Add Fiserv credentials to .env:

DEFAULT_PAYMENT_PROCESSOR=fiserv

FISERV_API_KEY=bG5L6qhCDXXl3M53VbbKXATU1aOZSlXx
FISERV_API_SECRET=pOyVKDgp1lxIrXASDM9g5q84SmtqjEet
FISERV_MERCHANT_ID=500100005000
FISERV_HOST_URL=https://connect-cert.fiservapis.com/ch
FISERV_ENVIRONMENT=sandbox

Run database migrations (if not already done):
```
bin/rails db:migrate
```
Restart your development server:
```
bin/dev
```
Test the payment flow:
- Navigate to any order payment page
- You should see Fiserv Hosted Fields (iframes) instead of Accept.js fields
- Use Fiserv test cards:
  - Visa: 4005550000000019
  - Mastercard: 2223000048400011
  - Amex: 374101000000608
  - Exp: Any future date (e.g., 12/25)
  - CVV: Any 3-4 digits (e.g., 123)

Switching Back to Authorize.Net

Simply change the environment variable:

DEFAULT_PAYMENT_PROCESSOR=authorize_net

Then restart your server. No code changes needed!

🏗️ Architecture Overview

Payment Flow with Fiserv

Customer → Payment Page
           ↓
        [Frontend JavaScript]
           ↓ (Fetch payment session)
        POST /api/payment/session
           ↓
        FiservHelper.create_payment_session
           ↓ (Returns session_id + public_key)
        Initialize Hosted Fields (iframes)
           ↓ (Customer enters card data)
        Validate fields
           ↓ (Submit form with session_id)
        POST /order/:token/process_payment
           ↓
        PaymentProcessorFactory.for_order
           ↓
        FiservAdapter.process_payment_with_session
           ↓
        1. Create customer profile
        2. Tokenize via Data Capture API
        3. Authorize payment
           ↓
        Save PaymentProfile + PaymentTransaction
           ↓
        Redirect to complete page

Payment Flow with Authorize.Net

Customer → Payment Page
           ↓
        [Frontend JavaScript]
           ↓ (Customer enters card data)
        Accept.js tokenizes card data
           ↓ (Returns payment_nonce)
        POST /order/:token/process_payment
           ↓
        PaymentProcessorFactory.for_order
           ↓
        AuthorizeNetAdapter.process_payment_with_nonce
           ↓
        1. Create customer profile
        2. Create payment token
        3. Authorize payment
           ↓
        Save PaymentProfile + PaymentTransaction
           ↓
        Redirect to complete page

📊 Database Schema

Both processors use the same database tables with processor-agnostic fields:

PaymentProfile

processor - 'authorize_net' or 'fiserv'
processor_customer_id - Processor's customer identifier
processor_token_id - Processor's payment token ID
card_type, last_four, exp_month, exp_year - Card details
is_default - Default payment method flag

PaymentTransaction

processor - 'authorize_net' or 'fiserv'
processor_transaction_id - Processor's transaction ID
transaction_type - 'auth_only', 'capture_only', 'refund', etc.
status - 'approved', 'declined', 'error', etc.
amount, card_type, last_four - Transaction details
metadata (jsonb) - Processor-specific extra data

🔐 PCI Compliance Improvements

Before (Authorize.Net Accept.js)

SAQ Level: A-EP (more complex)
Card Data: Customer types into form fields on your domain
Tokenization: Accept.js tokenizes before submission
Risk: Higher compliance burden

After (Fiserv Hosted Fields)

SAQ Level: SAQ-A (simplest)
Card Data: Customer types into secure iframes from Fiserv
Tokenization: Done entirely within Fiserv's iframes
Risk: Minimal compliance burden (card data never touches your servers)

🧪 Testing Checklist

Before switching to production:

[ ] Fiserv sandbox payment authorization works
[ ] Payment profiles save correctly with Fiserv data
[ ] Payment transactions save correctly with Fiserv data
[ ] Order status updates to "pending" after payment
[ ] Email notifications sent correctly
[ ] Can switch back to Authorize.Net without issues
[ ] Authorize.Net still works for existing customers
[ ] Capture flow works when order is delivered
[ ] Refund flow works
[ ] Void flow works
[ ] Error handling displays user-friendly messages

🚨 Important Notes

Environment Variables Required

For Fiserv (Production):

DEFAULT_PAYMENT_PROCESSOR=fiserv
FISERV_API_KEY=<production_api_key>
FISERV_API_SECRET=<production_api_secret>
FISERV_MERCHANT_ID=<production_merchant_id>
FISERV_HOST_URL=https://connect.fiservapis.com/ch
FISERV_ENVIRONMENT=production

For Authorize.Net (if keeping as backup):

AUTHORIZENET_API_LOGIN_ID=<your_api_login_id>
AUTHORIZENET_TRANSACTION_KEY=<your_transaction_key>
AUTHORIZENET_SIGNATURE_KEY=<your_signature_key>
AUTHORIZENET_PUBLIC_CLIENT_KEY=<your_public_client_key>

Per-Customer Processor Selection

The factory supports per-customer processor selection:

# In customer model (future enhancement):
customer.payment_processor = 'fiserv' # or 'authorize_net'

This allows gradual migration:

Keep existing customers on Authorize.Net
Route new customers to Fiserv
Migrate customers one-by-one as needed

📁 Files Changed/Created

Created:

app/controllers/app/api/payment_controller.rb - Payment session API
config/initializers/fiserv.rb - Fiserv configuration
docs/phase3_fiserv_integration_complete.md - This file

Modified:

app/views/app/quotes/payment.html.erb - Conditional Fiserv/Authorize.Net rendering
config/routes.rb - Added API payment session endpoint
.env.example - Added payment processor configuration

Previously Created (Phase 1 & 2):

app/services/payment_processors/base.rb - Base interface
app/services/payment_processors/authorize_net_adapter.rb - Authorize.Net adapter
app/services/payment_processors/fiserv_adapter.rb - Fiserv adapter
app/services/payment_processor_factory.rb - Factory for routing
app/helpers/fiserv_helper.rb - Fiserv API helper
app/models/payment_profile.rb - Updated model
app/models/payment_transaction.rb - Updated model
Database migrations for processor columns

🎯 Next Steps

1. Test in Sandbox

[ ] Test complete payment flow with Fiserv sandbox
[ ] Verify all email notifications work
[ ] Test error scenarios (declined cards, network errors)
[ ] Check browser console for any JavaScript errors

2. Prepare for Production

[ ] Get production Fiserv credentials
[ ] Update .env with production values
[ ] Test in staging environment first
[ ] Plan gradual migration strategy

3. Migration Strategy Options

Option A: Switch All at Once

Set DEFAULT_PAYMENT_PROCESSOR=fiserv
All new orders use Fiserv
Existing Authorize.Net profiles still work for captures/refunds

Option B: Gradual Migration

Keep DEFAULT_PAYMENT_PROCESSOR=authorize_net
Manually set customer.payment_processor = 'fiserv' for select customers
Monitor and expand gradually

Option C: New Customers Only

Keep existing customers on Authorize.Net
Route only new customers to Fiserv
Migrate existing customers over time

🤝 Benefits Achieved

✅ Processor Agnostic - Can switch processors with one environment variable ✅ Better PCI Compliance - SAQ-A vs SAQ A-EP ✅ Cost Savings - Free processing with Fiserv ✅ Backwards Compatible - Existing Authorize.Net data still works ✅ Future Proof - Easy to add more processors ✅ Per-Customer Selection - Can route customers to different processors ✅ Better Testing - Can mock processors in tests

📞 Support

Fiserv Documentation:

Developer Portal: https://developer.fiserv.com/product/CommerceHub
Hosted Fields Guide: https://developer.fiserv.com/product/CommerceHub/docs/?path=docs/Online-Mobile-Digital/Hosted-Payment-Page/Hosted-Payment-Page.md
API Reference: https://developer.fiserv.com/product/CommerceHub/api

Sandbox Credentials:

See docs/fiserv_credentials.md for complete sandbox details

Questions?

Check docs/payment_processor_abstraction.md for architecture details
Review app/services/payment_processors/base.rb for interface documentation