Drupal is a registered trademark of Dries Buytaert
drupal 11.4.1 Update released for Drupal core (11.4.1)! drupal 11.4.0 Update released for Drupal core (11.4.0)! drupal 10.6.12 Update released for Drupal core (10.6.12)! drupal 11.3.13 Update released for Drupal core (11.3.13)! drupal 10.6.11 Update released for Drupal core (10.6.11)! drupal 11.3.12 Update released for Drupal core (11.3.12)! drupal 11.2.14 Update released for Drupal core (11.2.14)! drupal 10.5.12 Update released for Drupal core (10.5.12)! cms 2.1.3 Update released for Drupal core (2.1.3)! drupal 10.5.11 Update released for Drupal core (10.5.11)! drupal 11.3.11 Update released for Drupal core (11.3.11)! drupal 11.2.13 Update released for Drupal core (11.2.13)! drupal 10.6.10 Update released for Drupal core (10.6.10)! cms 2.1.2 Update released for Drupal core (2.1.2)! drupal 11.1.10 Update released for Drupal core (11.1.10)! drupal 10.5.10 Update released for Drupal core (10.5.10)! drupal 10.4.10 Update released for Drupal core (10.4.10)! drupal 11.2.12 Update released for Drupal core (11.2.12)! drupal 11.3.10 Update released for Drupal core (11.3.10)! drupal 10.6.9 Update released for Drupal core (10.6.9)!

Cybersource payment gateway for Drupal Commerce using the REST API and Flex Microform v2. Card number and CVV are entered into Cybersource-hosted iframes and never reach your server; the browser produces a single-use transient token that is charged server-side. This typically qualifies for a reduced PCI scope (SAQ A / A-EP — confirm with your acquirer or QSA).

3-D Secure 2.x / Strong Customer Authentication

Built-in Payer Authentication (EMV 3DS 2.x, Cardinal Commerce built into Cybersource — no separate Cardinal account) for UK/EEA SCA: frictionless authentication carries the CAVV/ECI into the authorization; challenges open in a modal iframe and are validated server-to-server. The integration fails closed — with 3-D Secure enabled, a payment that skipped or tampered with the authentication steps is refused before any charge is attempted. The authentication result is session-bound, single-use, and never travels through the browser.

Security by design

  • API credentials live in a private file outside the web root and outside site configuration — they never enter config exports, the database, or git. Runtime status-report checks cover the private filesystem, the credentials file, test mode, and optional key-expiry monitoring.
  • The Microform client script is only injected over HTTPS from a Cybersource host and with the Subresource Integrity hash the capture context supplies — fail closed on either check.
  • The charged amount and currency always come from the order, never from the client; capture, void, and refund verify the Cybersource status before recording money movements, and every money movement is written to the order's activity log (never card data).
  • A payment request that gets no response is flagged for manual reconciliation rather than assumed failed; Decision Manager reviews are held as pending authorizations, never auto-completed.

Features

  • Authorization or sale, plus capture, void, and full/partial refund.
  • Polished card UI: live brand detection, accepted-brand enforcement, inline validation.
  • Test and live profiles resolved at runtime; sandbox-ready with the documented 3-D Secure test card matrix (see the README).
  • PHPStan level 6 and PHPCS clean; PHPUnit kernel coverage of the payment, decline, review, and 3-D Secure fail-closed paths with a mocked API client; Playwright end-to-end checkouts (frictionless and challenge) against the Cybersource sandbox.

Requirements

  • Drupal 10.3+ or 11, Commerce 3, and the official Cybersource PHP SDK (installed by Composer).
  • A Cybersource account with REST API keys; Payer Authentication must be enabled on the account to use 3-D Secure.

Roadmap

Saved cards via Token Management (TMS), SCA exemption flags (TRA / low value), and Level II/III data. See the README for the full roadmap and setup guide.

Related modules

For the hosted-form Secure Acceptance integration by the same maintainer, see Cybersource SOP. The existing Commerce CyberSource module also provides a Flex integration; this module differs mainly in keeping credentials out of site configuration, SRI-pinned script loading, 3-D Secure support, and its test coverage.

Activity

Total releases
1
First release
Jul 2026
Latest release
16 hours ago
Release cadence
Stability
0% stable

Releases

Version Type Release date
1.0.x-dev Dev Jul 6, 2026