Merge pull request #32 from jbransvisa/mle

Implemented Message Level Encryption
Added a new custom field to track the order count.

Author: jbransvisa

.env

@@ -34,17 +34,23 @@ PAYMENT_GATEWAY_NETWORK_TOKEN_MULTI_MID =
 
 PAYMENT_GATEWAY_UC_ALLOWED_PAYMENTS =
 PAYMENT_GATEWAY_UC_BILLING_TYPE =
-PAYMENT_GATEWAY_UC_ENABLE_PHONE = 
-PAYMENT_GATEWAY_UC_ENABLE_EMAIL = 
+PAYMENT_GATEWAY_UC_ENABLE_PHONE =
+PAYMENT_GATEWAY_UC_ENABLE_EMAIL =
 PAYMENT_GATEWAY_UC_ENABLE_NETWORK_ICONS =
 PAYMENT_GATEWAY_UC_ENABLE_SHIPPING =
 PAYMENT_GATEWAY_UC_ALLOWED_SHIP_TO_COUNTRIES =
 
 PAYMENT_GATEWAY_SERVERLESS_DEPLOYMENT =
 FUNCTIONS_HTTPWORKER_PORT =
 
+PAYMENT_GATEWAY_USE_MLE =
+PAYMENT_GATEWAY_KEY_FILE_NAME =
+PAYMENT_GATEWAY_KEY_PASS =
+PAYMENT_GATEWAY_KEY_ALIAS =
+PAYMENT_GATEWAY_KEY_FILE_URL =
+
 CT_PROJECT_KEY =
 CT_CLIENT_ID =
 CT_CLIENT_SECRET =
 CT_AUTH_HOST =
-CT_API_HOST =
+CT_API_HOST =

.gitignore

@@ -8,3 +8,4 @@ src/**.js
 coverage
 *.log
 yarn.lock
+.DS_Store

docs/API-Extension-Setup.md

@@ -24,7 +24,7 @@ Variables that begin with 'CT' prefix are Commercetools project specific propert
 | PAYMENT_GATEWAY_MERCHANT_SECRET_KEY        | Value of a Cybersource shared secret key to be used for HTTP Signature authentication | Created in [key-Creation\#Cybersource](key-Creation.md#Cybersource).                                                                  |
 | PAYMENT_GATEWAY_TARGET_ORIGINS              | Base URLs where your frontend will be accessible                                       |     Used for Card payment method. Comma separated value without any spaces                                                                                                               |
 | PAYMENT_GATEWAY_VERIFICATION_KEY           | Used to check Flex tokens for tampering                                               | Use <b>Openssl -rand64 32 </b>command to generate verification key                                                             |
-| PAYMENT_GATEWAY_CC_ALLOWED_CARD_NETWORKS                | csv(comma separated value) of the card networks                                                           | If not specified extension will support all the card networks(VISA, MASTERCARD, AMEX, DISCOVER, MAESTRO, CUP, JCB, CARTESBANCAIRES & DINERSCLUB) by default. In case of Unified Checkout it will support(VISA, MASTERCARD, AMEX) by default. Case sensitive. Accepts block letters only without any spaces – eg: VISA,AMEX                                                                                     |
+| PAYMENT_GATEWAY_CC_ALLOWED_CARD_NETWORKS                | csv(comma separated value) of the card networks                                                           | If not specified extension will support only (VISA) by default. Case sensitive. Accepts block letters only without any spaces – eg: VISA,AMEX                                                                                     |
 | PAYMENT_GATEWAY_3DS_RETURN_URL             | URL that the issuing bank will redirect to the customer for Payer Authentication      | Required if payment.paymentMethodInfo.method is creditCardWithPayerAuthentication                                     |
 | PAYMENT_GATEWAY_SCA_CHALLENGE              | Boolean value - true or false                                                         | Flag to force Strong consumer authentication challenge while saving a card using Payer Authentication. Case sensitive |
 | PAYMENT_GATEWAY_ORDER_RECONCILIATION       | Boolean value - true or false                                                          | Flag for enabling or disabling Order reconciliation to indicate whether reconciliation Id to be passed in sale, capture and refund transactions. Case sensitive. The Cybersource-Commercetools Extension will consider order number as the reconciliation id if available. The order number from Commercetools should be numeric/alpha-numeric string to reflect in Cybersource |

docs/Commercetools-Setup.md

@@ -148,7 +148,6 @@ Fields
 | isv_accountType                      | String  | false    ||
 | isv_routingNumber                    | String  | false    ||
 | isv_merchantId                       | String  | false    ||
-| isv_securityCode                     | Number  | false    ||
 | isv_screenWidth                      | String  | false    ||
 | isv_screenHeight                     | String  | false    ||
 | isv_responseDateAndTime              | String  | false    ||
@@ -161,6 +160,7 @@ Fields
 | isv_dmpaFlag                         | Boolean | false    ||
 | isv_shippingMethod                   | String  | false    || 
 | isv_metadata                         | String  | false    ||
+| isv_accountPurchaseCount             | Number  | false    ||
 
 ### Payer Authentication enrolment check
 

docs/Docker-Container-in-Azure.md

@@ -132,7 +132,7 @@ Once `deploy-aci.yaml` is ready with all the values, navigate to the directory w
 
 ## Loggers
 
-- In order to see the extension logs, add a console.log statement inside the `logData` function in PaymentUtils.ts file before you could create the image. Logs generated by extension can be found under Properties --> Logs
+- In order to see the extension logs, add a console.log statement inside the `logData` function in PaymentUtils.ts file before you could create the image. Logs generated by extension can be found under Monitoring --> Logs
 
 ## Troubleshooting
 

docs/Message-Level-Encryption.md

@@ -0,0 +1,65 @@
+# Message Level Encryption
+
+## Overview
+
+Message Level Encryption (MLE) allows you to store information or to communicate with other parties while helping to prevent uninvolved parties from understanding the stored information or understanding the communication. MLE can help address the threat of relying on TLS for message security. SSL is designed to provide point-to-point security, which falls short for web/restful services because of a need for end-to-end security. Where multiple intermediary nodes could exist between the two endpoints, MLE would provide that the message remains encrypted, even during these intermediate "hops" where the traffic itself is decrypted before it arrives at Visa servers. Both processes involve a mathematical formula (algorithm) and secret data (key).
+
+MLE is required for APIs that primarily deal with sensitive transaction data (financial/non-financial) which could fall into one or several of the following categories:
+
+- PII (Personal Identification Information)
+- PAN (Personal Account Number)
+- PAI (Personal Account Information)
+
+## Implementation
+
+### Step 1: Generate a .p12 File
+
+Go to the Business Center and generate a .p12 file. Follow the provided link to [Create a p12 File](https://developer.cybersource.com/docs/cybs/en-us/platform/developer/all/rest/rest-getting-started/restgs-jwt-message-intro/restgs-security-p12-intro/restgs-security-P12.html).
+
+### Step 2: File Location
+
+If you're storing the `.p12` file locally , make sure it's placed in the `src/certificates` folder within your project directory, so the plugin can access it.
+
+### Step 3: Enable MLE in Your Configuration
+
+Set the following environment variables to enable Message-Level Encryption (MLE):
+
+- `PAYMENT_GATEWAY_USE_MLE` - Set to `True` to enable MLE.
+- `PAYMENT_GATEWAY_KEY_FILE_NAME` - The name of your .p12 file (required if you are hosting the certificate locally).
+- `PAYMENT_GATEWAY_KEY_FILE_URL` - The path to where the .p12 certificate is stored (required if you are hosting in the cloud).
+- `PAYMENT_GATEWAY_KEY_PASS` - Password of the `.p12` file
+- `PAYMENT_GATEWAY_KEY_ALIAS` -  Key alias (optional – use if overriding the default CyberSource alias).
+
+## Step 4: Support for Multi-Mid
+
+In this section, mid refers to Cybersource Merchant Id. 
+
+The new mid configurations should be added in the .env file of the extension in the following format
+
+      XXXX_KEY_FILE_NAME = <The name of your .p12 file>
+      XXXX_KEY_FILE_URL = <The path to where the .p12 certificate is stored>
+      XXXX_KEY_PASS = <Password of your `.p12` file>
+      XXXX_KEY_ALIAS = <Value of a Overrided name>
+
+Likewise you can configure, as many mids you want to support.
+
+The value added for `PAYMENT_GATEWAY_KEY_FILE_NAME` and respective fields should be the default value in which transactions will be processed when Multi-Mid is not enabled.
+
+ Following are the constraints to be followed when you want to support multiple mids in your extension instance.
+
+      1. It is mandatory to provide the env variables for Multi-Mid in recommended format only.
+      2. All env variables should be in block letters
+      3. First part of the variable (XXXX) should be your Cybersource merchant Id in block letters
+      4. Second part of the variable to store key file name should be _KEY_FILE_NAME
+      5. Second part of the variable to store key file url should be _KEY_FILE_URL
+      6. Second part of the variable to store key file password should be _KEY_PASS
+      7. Second part of the variable to store key alias should be _KEY_ALIAS
+
+Example :
+  
+Below is the env variables for the mid which has merchant Id as `merchantid123` 
+      
+      MERCHANTID123_KEY_FILE_NAME = <The name of your .p12 file>
+      MERCHANTID123_KEY_FILE_URL = <The path to where the .p12 certificate is stored>
+      MERCHANTID123_KEY_PASS = <Password of your `.p12` file>
+      MERCHANTID123_KEY_ALIAS = <Value of a Overrided name>

docs/Process-a-Card-Payment-With-Payer-Authentication.md

@@ -68,7 +68,7 @@ After authentication is complete, authorization of the payment can then be tri
     | custom.fields.isv_tokenAlias       | Alias for saved token               | No        | custom.fields.isv_tokens's "alias" value from Customer object                                                                                                       |
     | custom.fields.isv_saleEnabled         | false                         | Yes       | Set the value to true if sale is enabled                                                                                                                                                                                                                                                                                                                                                                                                                                           |
     | custom.fields.isv_merchantId                      | Merchant Id used for the transaction                               | No       |              Required when you want to support Multi-Mid functionality. Populate this field with the value of Merchant Id in which the transaction should happen. When this field is empty, default mid configuration will be considered for the transaction.                                                                                                                                                                                                                                                                                                       |
-    | custom.fields.isv_securityCode                      | Security code for card payment                              | No       |              Required when you want to send the card security code (CVV) during a saved card transaction                                                                                                                                                                                                                                                                                                       |
+  
 
 4.  Add the payment to the cart
 
@@ -92,6 +92,7 @@ After authentication is complete, authorization of the payment can then be tri
     | custom.fields.isv_saleEnabled         | false                         | Yes       | Set the value to true if sale is enabled                                                                                                                                                                                                                                                                                                                                                                                                                                           |
     | custom.fields.isv_shippingMethod | Shipping method for the order                                                                                         | No    | Possible values: <ul> <li> `lowcost`: Lowest-cost service  </li> <li>`sameday`: Courier or same-day service </li> <li>`oneday`: Next-day or overnight service </li> <li>`twoday`: Two-day service </li> <li>`threeday`: Three-day service.</li> <li> `pickup`: Store pick-up </li> <li> `other`: Other shipping method </li> <li> `none`: No shipping method because product is a service or subscription </li>   |
     | custom.fields.isv_metadata | Metadata for the order                                                                                         | No    | This field can be used to send additional custom data as part of the authorization request. The data should be serialized into a string format (e.g., JSON string) before passing it in the request.<br>**Example:**"isv_metadata": "{\"1\":\"value1\", \"2\":\"value2\"}"   |
+    | custom.fields.isv_accountPurchaseCount | Required to determine account creation history and purchase activity                             | No    | Provide the user's purchase count for the last six months. This value will be used to determine account creation history and populate the riskInformation section of the authorization request   |
 
 
     c. For saved token, when the payment is being updated, the extension will do a Payer Auth Setup call to get reference_id for Digital Wallets to use in place of BIN number in Cardinal.
@@ -105,6 +106,7 @@ After authentication is complete, authorization of the payment can then be tri
     | custom.fields.isv_deviceFingerprintId | Customer device fingerprint Id | Yes      | Refer [Device Fingerprinting](./Decision-Manager.md#device-fingerprinting) to generate this value |
     | custom.fields.isv_shippingMethod | Shipping method for the order                                                                                         | No    | Possible values: <ul> <li> `lowcost`: Lowest-cost service  </li> <li>`sameday`: Courier or same-day service </li> <li>`oneday`: Next-day or overnight service </li> <li>`twoday`: Two-day service </li> <li>`threeday`: Three-day service.</li> <li> `pickup`: Store pick-up </li> <li> `other`: Other shipping method </li> <li> `none`: No shipping method because product is a service or subscription </li>  |
     | custom.fields.isv_metadata | Metadata for the order                                                                                         | No    | This field can be used to send additional custom data as part of the authorization request. The data should be serialized into a string format (e.g., JSON string) before passing it in the request.<br>**Example:**"isv_metadata": "{\"1\":\"value1\", \"2\":\"value2\"}"   |
+    | custom.fields.isv_accountPurchaseCount | Required to determine account creation history and purchase activity                             | No    | Provide the user's purchase count for the last six months. This value will be used to determine account creation history and populate the riskInformation section of the authorization request   |
 
 
 6.  Wait for the event to return back the following fields, verify them from update response. If the data exists for below fields, submit the device data collection form using below data, else throw error to the user. See [Device Data Collection](https://developer.cybersource.com/docs/cybs/en-us/payer-authentication/developer/all/rest/payer-auth/pa2-ccdc-ddc-intro.html) to get more details about device data collection Iframe

docs/Process-a-Card-Payment-Without-Payer-Authentication.md

@@ -68,7 +68,6 @@ Processing of a payment is triggered by adding an initial transaction to a Comme
     | custom.fields.isv_deviceFingerprintId | Customer device fingerprint Id      | Yes       | Refer [Device Fingerprinting](./Decision-Manager.md#device-fingerprinting) to generate this value |
     | custom.fields.isv_saleEnabled         | false                         | Yes       | Set the value to true if sale is enabled                                                                                                                                                                                                                                                                                                                                                                                                                                           |
     | custom.fields.isv_merchantId                      | Merchant Id used for the transaction                               | No       |              Required when you want to support Multi-Mid functionality. Populate this field with the value of merchant Id in which the transaction should happen. When this field is empty, default mid configuration will be considered for the transaction.                                                                                                                                                                                                                                                                                                       |
-    | custom.fields.isv_securityCode                      | Security code for  Card payment                              | No       |              Required when you want to send the Card security code (CVV) during a saved card transaction                                                                                                                                                                                                                                                                                                       |
 
     Also see [Decision Manager](Decision-Manager.md) for additional fields to be populated if you are using Decision Manager
 
@@ -91,6 +90,7 @@ Processing of a payment is triggered by adding an initial transaction to a Comme
     | custom.fields.isv_saleEnabled         | false                         | Yes       | Set the value to true if sale is enabled                                                                                                                                                                                                                                                                                                                                                                                                                                           |
     | custom.fields.isv_shippingMethod | Shipping method for the order                                                                                         | No    | Possible values: <ul> <li> `lowcost`: Lowest-cost service  </li> <li>`sameday`: Courier or same-day service </li> <li>`oneday`: Next-day or overnight service </li> <li>`twoday`: Two-day service </li> <li>`threeday`: Three-day service.</li> <li> `pickup`: Store pick-up </li> <li> `other`: Other shipping method </li> <li> `none`: No shipping method because product is a service or subscription </li>   |
     | custom.fields.isv_metadata | Metadata for the order                                                                                         | No    | This field can be used to send additional custom data as part of the authorization request. The data should be serialized into a string format (e.g., JSON string) before passing it in the request.<br>**Example:**"isv_metadata": "{\"1\":\"value1\", \"2\":\"value2\"}"   |
+    | custom.fields.isv_accountPurchaseCount | Required to determine account creation history and purchase activity                             | No    | Provide the user's purchase count for the last six months. This value will be used to determine account creation history and populate the riskInformation section of the authorization request   |
 
 
 6.  Add a transaction to the payment with the following values populated