On This Page

Overview of REST

To get started using the
Cybersource
 payment API, you must first set up your payment processing system to be REST compliant.
Cybersource
 uses the REST, or REpresentational State Transfer architecture, for developing web services. REST enables communication between a client and server using HTTP protocols.
This guide explains how to set up secure communications between your client and server using one of these methods:
JSON Web Token
JSON Web Tokens (JWTs) are digitally signed JSON objects based on the open standard RFC 7519. These tokens provide a compact, self-contained method for securely transmitting information between parties. These tokens are signed with an RSA-encoded public/private key pair. The signature is calculated using the header and body, which enables the receiver to validate that the content has not been tampered with. Token-based messages are best for applications that use browser and mobile clients.
HTTP Signature
Each request is digitally signed, or the entire request is digitally hashed using a private key. Both the client and server have the same shared secret, which enables each request to be validated on either end. If the request transmission is compromised, the attacker cannot change the request or act as a user without the secret. HTTP signatures can be used only with API requests. They cannot be used in browser or mobile applications.

Secure Communication Requirements

REST-compliant machines communicate with each other using
stateless messaging
. Stateless messaging is a loosely coupled connection between a client and server, where each message is self-contained. This connection enables the client and server to communicate without first establishing a communication channel and without managing the state between systems.
To ensure secure communications between the client and server, you must provide these security measures:
  • Sender Authentication:
     A receiver needs to know that a message comes from a trusted entity.
  • Message Encryption:
     By encrypting the message before transmission and decrypting the message when received, you prevent man-in-the-middle attacks.
IMPORTANT
When building your connection to the
Cybersource
 payment gateway, ensure that you have implemented controls to prevent card testing or card enumeration attacks on your platform. For more information, see the best practices guide. When we detect suspicious transaction activity associated with your merchant ID, including a card testing or card enumeration attack,
Cybersource
 reserves the right to enable fraud management tools on your behalf in order to mitigate the attack. The fraud team might also implement internal controls to mitigate attack activity. These controls block traffic that is perceived as fraudulent. Additionally, if you are using one of our fraud tools and experience a significant attack, our internal team might modify or add rules to your configuration to help prevent the attack and minimize the threat to our infrastructure. However, any actions taken by
Cybersource
 would not replace the need for you to follow industry standard best practices to protect your systems, servers, and platforms.

Key Features of REST

These are the key features of REST:
  • Client/Server model:
     Clients and servers are independent from each other, enabling portability and scalability.
  • Stateless Communication:
     Each request is independent.
  • Uniform Interface:
     Architecture is simplified through uniform standards.

Components of REST

A REST message consists of these four components:
  • Endpoint:
     The endpoint is a Uniform Resource Identifier (URI) that shows where and how to find the resource on the internet. For example, to test an authorization request, you can send the request to this endpoint:
    https://apitest.cybersource.com
    /pts/v2/payments
    .
  • HTTP Method:
     The method is the action performed by the resource. There are four basic HTTP methods:
    • POST: Create a resource.
    • GET: Retrieve a resource.
    • PATCH: Modify a resource.
    • DELETE: Delete a resource.
  • Headers:
     The header is a collection of fields and their associated values. It provides information about the message to the receiver. Think of it as metadata about the message. The header also contains authentication information that indicates that the message is legitimate.
  • Body:
     The request in JSON format.