# suitescript
c
The details are then used to create a customer record with a credit card. I'm not sure if SS API allows us to fill in the CC fields and I'm NOT saying that it's even a good idea! Just asking if anyone has seen it before.
b
pci compliance is measured in what safeguards you have to take
m
@Craig I've seen this being done so can confirm it's possible but there are most probably going to be PCI compliance issues involved
c
Customer Payment customerpayment Transaction Copy and Create Not Allowed
From the docs
Looks like Customer Payment is not scriptable?
b
normal netsuite is treated as saas, the compliance level is on netsuite to determine
using the suitecloud features upgrades you to paas
m
The case I saw was sales order with credit card details created via restlet
b
c
@battk - what does the upgrade to paas mean exactly?
b
first 10 or so pages is what you would need to understand my statements
c
I will engross myself in that thoroughly interesting read 😄 thanks
Assuming it's ok - will need to figure out if that record is scriptable - the docs suggest not
b
you can add customer payments via suitescript
it's one of the harder records to work with since you primarily apply payments to existing records and there are limitations to how many of those records appear in the apply list
c
Do you know what record it is? It's the financial tab on the customer record - credit cards list
b
that's a sublist on a customer
c
Found it - thanks
Yeah so technically this will work - it's all a matter of PCI - I can tell the customer that - I can do it but I'm not signing off the PCI side of it, that's for them to audit.
b
honestly whoever is thinking of sending the credit card numbers is suspect
unless they are actually tokens representing credit card numbers, which is much more modern
c
@battk this is for customers that are booking in person events, the credit card is debited in case of a no-show
they need to provide CC details when booking - currently someone calls the customer and writes down the details (not PCI compliant).
b
restlet implies that an external system will also be handling the credit card details
that external system has what will probably be at least equivalent (probably greater) responsibilities for pci compliance
c
Once the CC number is in NetSuite then I assume it's tokenised when interacting with the payment gateway. The external system will be a commerce platform that captures the details and sends them straight to the restlet. They should be captured and sent client side (browser javascript) so the shopify server side isn't storing them
b
you underestimate how old netsuite is. The tokenization feature is the relatively new payment instruments
netsuite by default stores credit card numbers
c
either way, once it's in NS at that point (from a technical perspective), there's nothing else for me to worry about. NS takes over from there.
Standard ecommerce payment gateway integrations work the same way - the forms are in the user's browser, then client side JS will send the card details directly to the payment gateway over SSL, all from the user's browser and not touching anything on the backend of the commerce platform.
The tokenisation service then kicks in and a token is sent / saved on the ecommerce platform, that part isn't relevant here though. Think I just talked myself into doing it.
b
the problem i saw was the restlet part
you don't use restlets from client code, which means that the credit card numbers will be sent from server code
so, the hope should be that both your ecommerce platform, and the payment processor used in netsuite both support the tokens that will be passed through them
c
Why can't the browser JS send a HTTP request to a restlet?
client code to restlet should be fine
Shopify already uses a token for the credit card payments - that doesn't touch this though.
b
restlets block using cors
c
@battk why would it be cors?
Maybe you're right - maybe we can't generate a HTTP request from a browser that calls a restlet and the restlet will be happy - in that case I'll tell this customer no, we're not doing this.
b
browsers block cross domain requests
unless the responding server sets specific headers
c
That's exactly how most payment gateways work
it's all POST requests from the browser to get the CC number into the gateway API
b
the unless part being the important part here
restlets won't let you set those headers
c
In that case this isn't possible then
b
you can do a quick test to see what i mean if you want
make a restlet, and then do a quick fetch to it via a browser console on a page that isn't netsuite
c
I'll do that and watch what happens
I've only seen calls to restlets from server side applications before
b
that's the expected flow, the restriction is for browsers
it's also not very safe to put the tokens required for restlet authentication in browser running code
c
Yeah that's true
which pushes more PCI responsibility into the backend then.