This article outlines the flow of sensitive cardholder information in Cerbo's Bluefin integration. 

Card Present

  • Transaction requested from browser.
    • Browser makes XMLHttp request to our server to queue a transaction with the Pax Device     
    • Our server uses the TSAPI API to create a "placeholder" transaction
    • Our server passes the placeholder transaction ID and the amount to be charged to Pax device via LAN using the SaasConex Javascript API
    • Card is swiped/tapped to process the transaction, the Pax device communicates directly with the Bluefin gateway, which relays the transaction to Elavon and the processing network
    • The network responds, and data flows back to the Pax device with the outcome of the transaction
    • The Pax device responds via the still-open Cerbo Server <-> Pax LAN connection so that Cerbo can store the results of the transaction, including transaction ID which can be used as a card-token for future processing.

Card Not Present (Keyed in)

  • Browser presents an HTML form for card-entry to take place on the user's browser. The form creates a timestamped/encrypted transaction token so the sending application can be verified by Bluefin as well as the callback URLs that Bluefin can use to report back the transaction result.
    • User submits the form, which submits directly to (data passes directly from the user's browser to Bluefin)
    • Bluefin processes the transaction and then sends a transparent-redirect command to the user's browser with the appropriate callback URL from the original form.
      • On success, Cerbo stores the payment metadata (last4, card-type, expiration), payment amount, and stores the transaction ID which can be used for stored-token transactions in the future

Card Not Present (Stored token transaction)

  • Cerbo presents a list of stored-card tokens (created in one of the two above workflows) along with metadata that identifies each card (Last 4, Exp)
    • User selects the card they want to use and sets the amount they want processed.
      • Form is submitted via POST to Cerbo's servers, including card-token data and amount to be processed
        • Cerbo uses Bluefin's QSAPI API to send a stored-card transaction to PayConex
          • Payconex responds with the result of the transaction, which Cerbo then records.