Q: What are the options for merchant redirect URLs in Cybersource?
On this page:
Answer
Authorized Users Only Only authorized users can update these URLs in their Cybersource accounts. Merchants who have questions about updating these urls should contact chargemit-help@mit.edu. |
In a Secure Acceptance Profile, there are 4 configurable URLs:
- Merchant POST URL
- Transaction Response Page
- Custom Cancel Response Page
- Custom Redirect After Checkout
They are described below:
Note
Merchants do NOT need to change all 4 URLs in order to handle different responses (e.g. ACCEPT, DECLINE, ERROR) correctly. Merchants should consult Appendix A of the Secure Acceptance Web/Mobile Guide (PDF), in the section labeled "Types of Notifications". A copy of that table is available below (click to enlarge), but always consult the most recent Cybersource documentation.
For all of these URLs, the URL must be the final URL of the page, and cannot be a URL that redirects (via 301 or 302) to yet another URL (for example, if the url is http://example.com/response, that then cannot redirect to http://example.com/mit_response). If it does that, all transaction data will be lost, and the custom response page will have no way of knowing if a transaction was successful or not. (Some web browsers will correctly handle a 307 redirect, but merchants are strongly encouraged to specify a response URL that points to an actual page and returns a 200.) Merchants who re-design their websites should take care to ensure that their web designer does not attempt to preserve old links via a RedirectMatch or RewriteRule or similar directive; or they must update their Cybersource profiles when they redesign their sites.
Merchant POST URL
This is found in the "Notifications" section of the secure acceptance profile. By default, this is set to https://shopmitprd.mit.edu/web/log, and ensures that transaction data is logged on the shopmitprd server.
If a merchant wishes to change this URL, they should ensure that they correctly handle ALL possible "Reason Codes" and correctly process ALL "API Reply Fields". (See Appendix A of the Silent Order POST guide: PDF)
Note that if a merchant changes this URL, no transaction data will be sent to the shopmitprd server, so we won't have access to help them troubleshoot any problems.
IMPORTANT: If a merchant simply wishes to handle different responses (e.g. ACCEPT, DECLINE, ERROR) on their own, they do not need to change this URL – they can use a Transaction Response Page, as described below. In general, changing this is NOT recommended unless a merchant absolutely needs to.
Custom Response Page
This is found in the "Customer Response Pages" section of the secure acceptance profile. By default, this is set to "Hosted by Cybersource", and will display a Cybersource page that either tells the customer their order was successful, or declined, or there was an error.
If a merchant wants their own page, they can specify a custom URL here, by clicking "Hosted by you", and entering the URL. After entering payment information, the customer will be sent to that page, and Cybersource will also send information about whether the transaction was successful or not. If a merchant wishes to change this URL, they should ensure that they correctly handle ALL possible "Reason Codes" and correctly process ALL "API Reply Fields". (See Appendix A of the Secure Acceptance Web/Mobile guide: PDF)
Custom Cancellation Page
This is found in the "Customer Response Pages" section of the secure acceptance profile. By default, this is set to "Hosted by Cybersource", and will display a Cybersource page that either tells the customer their order was successful, or declined, or there was an error.
This is similar to the "Custom Response Page" above, but is only displayed for transactions that are cancelled: either the customer clicked "Cancel", or the customer declined to agree to any service fees/service charges. It is less complicated than the Custom Response Page, because the only data sent by Cybersource is the reason for the cancellation. However, if the merchant decides to use the same URL for "Custom Response" and "Custom Cancellation", they must ensure they correct read all data from Cybersource, and do not mistakenly count a cancellation as a successful payment.
Customer Redirect After Checkout
This is found in the "Customer Response Pages" section of the secure acceptance profile. By default, this is blank.
This can be used along with Cybersource-hosted Response and Cancellation pages. Cybersource will display their own pages indicating whether payment was successful or not, but will then give the customers a link back to whatever URL is specified here. Unlike the Custom Response page, no information is sent along with the URL to indicate whether the transaction succeeded or failed. It's the same page for every transaction, but merchants may still want to use it to indicate next steps to the customer (e.g. "Thank you for your payment. If it was declined, we will contact you in a week. If your payment was successful, you don't need to take any other action")
The Cybersource development guides indicate that if a Custom Response Page is used, this URL must be set to the same URL as the Custom Response Page.