CypherPay Integration

Security Model

All requests submitted to the Base Commerce Platform are transmitted over an HTTPS connection. In addition to using the TLS 1.2 protocol, we also require that the payload (financial information) of requests and responses be Triple DES encrypted.

Each merchant and development partner is issued a unique username, password, and transaction key that are used when communicating with the platform. On the client side of the SDK, the transaction key is used to Triple DES encrypt the payload of the request. The encrypted payload is then submitted to our servers along with the username and password via TLS 1.2, and our servers retrieve the key associated with that username and password to decrypt the request. This added layer of encryption provides protection against the possibility of compromised SSL certificates and man-in-the-middle attacks.

In addition to secure coding practices, Base Commerce also uses a physical layer of protection in cardholder-present environments. When you select a device from our approved hardware list, your cardholder data is encrypted at the magnetic head when the card is swiped, using a unique key for each transaction on each device. This is known as the DUKPT key management scheme. This added layer of protection in the physical world protects against malicious software that may be installed on the devices of your users, which is what led to the largest cardholder data breach in 2014 at several large retailers.

CypherPay Code

Note: a CypherPay UUID is a one-time-use key. Once it is used it is deleted, so it cannot be reused. UUIDs also have a limited life span: if the key is not used within an hour, it is deleted.

CypherPay is the patent-pending Base Commerce solution for securing online payment forms without using a legacy iFrame or three-step type of API. CypherPay works with your existing forms and allows you to completely customize the user's experience with just a few simple lines of JavaScript. To use CypherPay on your website, you must include the jQuery library, the cipherPay.js file, and the jsencrypt.js file:

<script src=""></script>

<script src=""></script>

If you are not already utilizing jQuery within your website, include the following script tag as well:

<script src=""></script>

Protecting your form is as simple as a single line of JavaScript:

If you are testing this in the sandbox, you will want to set sandbox to true using one of these methods:



$("#idOfYourForm").cipherPayInit( "");

This method looks for the form fields "credit_card_number," "credit_card_cvv," "routing_number," and "account_number," and encrypts the data before it is sent to your server. If you are not using these form fields, or want to specify your own form fields, use the following:

$("#idOfYourForm").cipherPay( [ 'field_name', 'field_name', 'field_name', 'field_name'] );

Alternatively, if you don't want it to overwrite your form and you just want to encrypt the fields, you can call this after you initialize the CipherPay object to encrypt those fields for you:

 $("#idOfYourForm").cipherPayEncrypt( [ 'field_name', 'field_name', 'field_name', 'field_name'] ); 

CypherPay will then encrypt the data in the specified fields prior to transmitting it to your servers. Once you have the encrypted data at your server, use our SDK to set the appropriate fields as follows:

// Build the transaction from the values submitted by the form.
BankCardTransaction o_transaction = new BankCardTransaction();
// Encrypted card number, passed through as it arrived in the form field.
o_transaction.setCardNumber( "the encrypted form field containing the credit card number" );
// One-time-use CypherPay UUID that was submitted with the form.
o_transaction.setCipherPayUUID( "the value of cipher_pay_uuid from the submitted form" );
o_transaction.setCardName( "Test Card" );
// Run the transaction as an authorization.
o_transaction.setType( BankCardTransaction.XS_BCT_TYPE_AUTH );
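Because the fields are encrypted in the browser, a failed or skipped script leaves cleartext card data arriving at your server. The following guard is an added example, not part of the CypherPay SDK or the original page: it checks a submitted form before anything is logged or passed to the SDK. It assumes the default field names listed above (with the CVV field read as credit_card_cvv) and that ciphertext is never a digits-only string; the function names and sample values are constructed for illustration.

```javascript
// Added example, not Base Commerce code. Field names are the page's defaults;
// 'credit_card_cvv' is the assumed spelling of the CVV field.
const PROTECTED_FIELDS = ['credit_card_number', 'credit_card_cvv', 'routing_number', 'account_number'];

// Luhn checksum over a digit string: true for a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 12 && sum % 10 === 0;
}

// Assumption: ciphertext is never made up only of digits, spaces and dashes,
// so such a value means the browser-side encryption did not run.
function looksCleartext(value) {
  return /^[\d\s-]+$/.test(value);
}

// Returns { ok, problems }. Values are never copied into the result, so it can be logged.
function checkSubmission(form) {
  const problems = [];
  const present = PROTECTED_FIELDS.filter((f) => typeof form[f] === 'string' && form[f] !== '');
  for (const field of present) {
    if (!looksCleartext(form[field])) continue;
    const digits = form[field].replace(/\D/g, '');
    const isPan = field === 'credit_card_number' && luhnValid(digits);
    problems.push(`${field}: ${isPan ? 'cleartext card number' : 'cleartext digits'}`);
  }
  if (present.length > 0 && !form.cipher_pay_uuid) problems.push('cipher_pay_uuid: missing');
  return { ok: problems.length === 0, problems };
}

// Constructed sample submissions (placeholder ciphertext and UUID, test card number).
const SAMPLE_ENCRYPTED = {
  credit_card_number: 'Q09OU1RSVUNURUQtQ0lQSEVSVEVYVA==',
  credit_card_cvv: 'Q09OU1RSVUNURUQtQ1ZW',
  cipher_pay_uuid: '00000000-0000-4000-8000-000000000000',
};
const SAMPLE_CLEARTEXT = { credit_card_number: '4111 1111 1111 1111', credit_card_cvv: '123' };

console.log(checkSubmission(SAMPLE_ENCRYPTED));
console.log(checkSubmission(SAMPLE_CLEARTEXT));
```

Reject the request when ok is false, and log only the problems list, never the submitted values.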

Required Fields

The following fields can be encrypted using CypherPay and will be decrypted and parsed by Base Commerce. Any additional fields encrypted using CypherPay will not be decrypted on our end and will be stored permanently in their encrypted form, with no way to decrypt them.

Bank Card / Bank Card Transaction

  • Card Track 1 Data (not the encrypted track data field)
  • Card Track 2 Data (not the encrypted track data field)

Either the track data needs to be set (track 2 is not required) or the card number needs to be set.

  • Card Number
  • CVV (this applies only to BankCardTransactions, not to adding a BankCard to a vault)

Bank Account / Bank Account Transaction

Both of these fields are required to be encrypted if using CypherPay:

  • Bank Account Number
  • Routing Number