cybersource_rest
Cybersource payment gateway for Drupal Commerce using the REST API and Flex Microform v2. Card number and CVV are entered into Cybersource-hosted iframes and never reach your server; the browser produces a single-use transient token that is charged server-side. This typically qualifies for a reduced PCI scope (SAQ A / A-EP — confirm with your acquirer or QSA).
3-D Secure 2.x / Strong Customer Authentication
Built-in Payer Authentication (EMV 3DS 2.x, Cardinal Commerce built into Cybersource — no separate Cardinal account) for UK/EEA SCA: frictionless authentication carries the CAVV/ECI into the authorization; challenges open in a modal iframe and are validated server-to-server. The integration fails closed — with 3-D Secure enabled, a payment that skipped or tampered with the authentication steps is refused before any charge is attempted. The authentication result is session-bound, single-use, and never travels through the browser.
Security by design
- API credentials live in a private file outside the web root and outside site configuration — they never enter config exports, the database, or git. Runtime status-report checks cover the private filesystem, the credentials file, test mode, and optional key-expiry monitoring.
- The Microform client script is only injected over HTTPS from a Cybersource host and with the Subresource Integrity hash the capture context supplies — fail closed on either check.
- The charged amount and currency always come from the order, never from the client; capture, void, and refund verify the Cybersource status before recording money movements, and every money movement is written to the order's activity log (never card data).
- A payment request that gets no response is flagged for manual reconciliation rather than assumed failed; Decision Manager reviews are held as pending authorizations, never auto-completed.
Features
- Authorization or sale, plus capture, void, and full/partial refund.
- Polished card UI: live brand detection, accepted-brand enforcement, inline validation.
- Test and live profiles resolved at runtime; sandbox-ready with the documented 3-D Secure test card matrix (see the README).
- PHPStan level 6 and PHPCS clean; PHPUnit kernel coverage of the payment, decline, review, and 3-D Secure fail-closed paths with a mocked API client; Playwright end-to-end checkouts (frictionless and challenge) against the Cybersource sandbox.
Requirements
- Drupal 10.3+ or 11, Commerce 3, and the official Cybersource PHP SDK (installed by Composer).
- A Cybersource account with REST API keys; Payer Authentication must be enabled on the account to use 3-D Secure.
Roadmap
Saved cards via Token Management (TMS), SCA exemption flags (TRA / low value), and Level II/III data. See the README for the full roadmap and setup guide.
Related modules
For the hosted-form Secure Acceptance integration by the same maintainer, see Cybersource SOP. The existing Commerce CyberSource module also provides a Flex integration; this module differs mainly in keeping credentials out of site configuration, SRI-pinned script loading, 3-D Secure support, and its test coverage.