Customer responsibility

If your implementation of Sterling™ Order Management System Software applications handles sensitive payment data, you must follow IBM® recommendations to achieve PCI DSS compliance.

Payment Solution Provider

You should subscribe to a payment solution provider that can capture PAN data securely. The provider's application should be embedded seamlessly into Sterling Order Management System Software applications. The payment application must be able to tokenize the PAN data, such as a credit card number, and return a token number in its place.

Integrating Sterling Order Management System Software with Payment Solution providers

These are high level integration guidelines. The actual implementation may need more specific details depending on the type of Payment provider you choose. These guidelines simplify your PCI DSS compliance effort and keep the applications out of PCI DSS auditing scope.
  • The recommended integration between IBM applications and Payment Solution providers is to embed the PAN data capture page as an inline frame in existing application screens. This inline frame must be provided by the Payment Solution.
  • The inline frame should contain the fields that capture sensitive data such as Credit Card Number, CVV code, and others. This payment iframe should be seamlessly embedded in IBM applications web pages wherever payment data needs to be captured. To the users of IBM applications, the payment frame should look no different from the rest of the page.
  • The sensitive PAN data that is entered in the payment frame is transmitted directly to the payment solution provider and never to IBM applications.
  • Upon successful submission of payment data, the transaction details should be retrieved from the payment provider. For successful transactions, that is, if a valid payment instrument is added, the token number should be fetched from the Payment solution and stored in IBM applications as the Primary Account Number along with the other mandatory parameters. All future references to this payment method in IBM applications are made using this token number. Along with the token number, you can also retrieve details such as the last four digits of the credit card number and show them on the application screen.
  • If the transaction fails, the error message must be displayed appropriately to the users, and they must be prompted to enter the payment information again.
  • Out of the box payment capture screens in Sterling Order Management System Software contain all fields, including sensitive ones such as Credit Card Number and Expiry Date. As part of this integration, these sensitive fields should be replaced by the payment iframe's fields.
  • Sensitive data should never be entered directly into IBM applications before it is tokenized.
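The following is an added example of the host-page side of the integration described above; it is not IBM's code or any provider's SDK. It assumes a hypothetical provider whose iframe posts a `paymentResult` message to the parent page via `postMessage`; the provider origin, the capture URL, the message fields (`token`, `last4`, `brand`, `expiryMonth`, `expiryYear`, `message`) and the field names of the stored record are all placeholders, not the Sterling Order Management System Software schema. The point it adds beyond the guidelines is the defensive checks a host page should perform before storing anything: accept results only from the provider's origin, refuse to store a value that passes as a full PAN where a token is expected, and route a failed capture back to the user for re-entry.

```javascript
// Added example (not IBM's or a provider's code): host-page handling of a
// payment-provider iframe result. Provider origin, URL and message shape are
// hypothetical placeholders.
const PROVIDER_ORIGIN = 'https://payments.example-provider.test'; // placeholder
const CAPTURE_FRAME_URL = PROVIDER_ORIGIN + '/capture?merchant=MERCHANT_ID_PLACEHOLDER';

// Luhn (mod 10) check, used only as a guard: a Luhn-valid 13-19 digit string
// arriving where a token should be means PAN is leaking into the host application.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^[0-9]{13,19}$/.test(digits) && luhnValid(digits);
}

// Validate one message from the iframe and build the record the host application
// may persist. Returns { accepted: true, record } or { accepted: false, error }.
// The record's field names are illustrative, not the Sterling schema.
function handleProviderMessage(event) {
  // Only the provider's origin may deliver payment results; anything else is dropped.
  if (event.origin !== PROVIDER_ORIGIN) {
    return { accepted: false, error: 'message from unexpected origin ignored' };
  }
  const msg = event.data;
  if (!msg || msg.type !== 'paymentResult') {
    return { accepted: false, error: 'not a payment result' };
  }
  if (msg.status !== 'success') {
    // Failed capture: surface the provider's message and ask the user to re-enter.
    return { accepted: false, error: msg.message || 'payment capture failed, please re-enter' };
  }
  if (typeof msg.token !== 'string' || msg.token.length === 0) {
    return { accepted: false, error: 'provider returned no token' };
  }
  // Refuse to store anything that would pass as a real card number.
  for (const [name, value] of Object.entries(msg)) {
    if (looksLikePan(value)) {
      return { accepted: false, error: 'field ' + name + ' looks like a full PAN; refusing to store' };
    }
  }
  if (!/^[0-9]{4}$/.test(String(msg.last4 || ''))) {
    return { accepted: false, error: 'last4 missing or malformed' };
  }
  return {
    accepted: true,
    record: {
      paymentType: 'CREDIT_CARD',
      primaryAccountNumber: msg.token, // the token is stored where the PAN would have been
      displayAccountNumber: '**** **** **** ' + msg.last4,
      cardBrand: msg.brand || 'UNKNOWN',
      expiryMonth: msg.expiryMonth,
      expiryYear: msg.expiryYear,
    },
  };
}

// Browser wiring: mount the provider's iframe in place of the out-of-the-box card
// fields and route its result into the host form. Skipped when no DOM is present.
function mountPaymentFrame(containerId, onResult) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return null;
  const frame = document.createElement('iframe');
  frame.src = CAPTURE_FRAME_URL;
  document.getElementById(containerId).appendChild(frame);
  window.addEventListener('message', (event) => onResult(handleProviderMessage(event)));
  return frame;
}
```

In a real screen `onResult` would submit `record` to the order capture flow when `accepted` is true and render `error` next to the frame otherwise; the PAN-shaped-value check is a tripwire for a misconfigured or tampered frame, not a substitute for the provider keeping PAN on its own side.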