CommSecure Modules
The CommSecure modules are available independently of this registration project.
Essentially, it is done by a set of HTTP(S) calls: some by us giving the HTTP(S) web user client a redirect to the CommSecure web server, and some by CommSecure contacting us with CGI requests. These CGI requests may be questioning us for verification, or giving us a result.
As far as CommSecure can see, we give them a Customer Number (see the CustNum field in the Person table), a RefNum (which we generate for each proposed credit card transaction), and an Amount in cents (i.e., an integer).
Thus, we start this off after a person's details have been captured to the Person table and they have been assigned a Customer Number (CustNum). When they want to start the credit card transaction, we generate a Reference Number (RefNum) and give them a redirect to CommSecure's clearance server.
CommSecure Validation
Some time after that, CommSecure themselves make a request to our server on a URL we have given them, with CGI parameters of the RefNum, CustNum and Amount that the client has given them (from our redirect). Our response here is important. If the RefNum was raised 'recently' we want to confirm this request. However, you may want to extend our implementation by checking that it hasn't already been 'validated' in the last few moments (i.e., 5 seconds). This may avoid the 'page refresh' problem, whereby a user refreshes the web page on CommSecure's server and submits their request to pay twice, resulting in CommSecure querying us twice and processing it twice.
It is possible to implement single submit forms (see elsewhere on this site); CommSecure could look into this on their server so that one display of the credit card details page can only be submitted and processed once.
Either way, our result to the probe from CommSecure is to approve or decline the transaction (from our point of view, that is).
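The validation decision described above, as an added example in Python (not the project's Perl code, and not CommSecure's). The in-memory store, the function and field names, and the 15 minute 'recently' window are assumptions; the 5 second refresh guard is the figure suggested above.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

RECENT_WINDOW = 15 * 60  # assumption: how long a RefNum counts as 'recently' raised
DUPLICATE_WINDOW = 5     # seconds: the refresh guard suggested in the text


@dataclass
class Pending:
    """One RefNum we raised, with the values we put in the redirect."""
    custnum: str
    amount_cents: int
    raised_at: float
    validated_at: Optional[float] = None


def validate_probe(pending: Dict[str, Pending], refnum: str, custnum: str,
                   amount: str, now: Optional[float] = None) -> str:
    """Answer one validation probe with 'approve' or 'decline'."""
    now = time.time() if now is None else now
    txn = pending.get(refnum)
    if txn is None:
        return "decline"  # we never raised this RefNum
    # The Amount is integer cents; anything else ('25.00', '-1', '') is declined.
    if not (amount.isascii() and amount.isdigit()):
        return "decline"
    # The values passed through the user's browser must match what we stored,
    # otherwise the redirect was altered on the way to the clearance server.
    if custnum != txn.custnum or int(amount) != txn.amount_cents:
        return "decline"
    if now - txn.raised_at > RECENT_WINDOW:
        return "decline"  # RefNum was not raised 'recently'
    # Page refresh guard: a second probe within a few seconds of the first.
    if txn.validated_at is not None and now - txn.validated_at < DUPLICATE_WINDOW:
        return "decline"
    txn.validated_at = now
    return "approve"


if __name__ == "__main__":
    # Constructed sample data: one pending transaction of 2500 cents.
    store = {"R1001": Pending("C42", 2500, raised_at=1000.0)}
    print(validate_probe(store, "R1001", "C42", "2500", now=1010.0))  # first probe
    print(validate_probe(store, "R1001", "C42", "2500", now=1011.0))  # refresh
```
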
CommSecure Result
What we're waiting for on each RefNum transaction is the result. It may never come if things broke or the user went away; generally, however, if you got a Validate probe then you should get a result too.
The result has several parts to it (as detailed in the CommSecure implementation manual, and as can be seen in the code). Most importantly, the crypto version of the result can be used to verify the authenticity of the message (we don't want random people telling us that million dollar transactions have succeeded!). The Perl implementation takes this into account. Yes, watch out for the extra space in the 'no error' message!
Once we have a result, we can issue a receipt.