# Payment communication points

# Payment form

Neither the shop nor Giffits as a whole may at any time have access to the user-provided credit card data. The credit card number and verification code are handled entirely by Concardis.

This is implemented with a JS SDK provided by Concardis. The SDK provides methods to embed either the whole form or just the confidential fields as iframes. All iframes point to Concardis; the browser is responsible for denying foreign access to the iframe contents.

# Payment submission

The Concardis SDK sends the credit card information to the Concardis server. In its simplest implementation the SDK just returns the payment instrument ID. At this point no customer data is needed yet. No payment has taken place yet; the credit card information has only been stored securely.

To perform a payment, Concardis needs the payment instrument ID and an existing Concardis customer ID. Customer entities at Concardis are created using only these mandatory elements:

  • Unique customer name
    = Giffits CardCode
  • Unique email address
    = Giffits unique email from customer entry.

The payment flow therefore looks like this:

  1. Create or get a Concardis Customer ID.
  2. Place a Concardis order using:
    • Customer ID
    • Giffits order number
    • Amount and currency
    • Payment instrument ID

On success, Concardis returns an order ID.
Receiving this order ID means that Concardis has formally checked the payment successfully. It does not represent a fully charged payment, but it is treated as representing the standard case:
the customer's bank will transfer the agreed amount in the agreed currency.
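
The flow above as an added example (not code from the original page or from Concardis): a server-side handler that accepts only the payment instrument ID and order fields, rejects anything resembling card data, and then runs steps 1 and 2. The `gateway` object, its method names and the payload field names are hypothetical stand-ins, since the page does not give the Concardis server API.

```javascript
// Added example: `gateway` is a hypothetical stand-in for the Concardis
// server API; method and field names are assumptions, not the real API.
const ALLOWED_FIELDS = ['cardCode', 'email', 'orderNumber', 'amount', 'currency', 'paymentInstrumentId'];

// Luhn check: flags 13-19 digit runs that could be a card number.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Rejects any checkout payload that carries more than the documented fields
// or a value resembling a card number, so card data never reaches shop code.
function assertNoCardData(payload) {
  for (const [key, value] of Object.entries(payload)) {
    if (!ALLOWED_FIELDS.includes(key)) throw new Error(`unexpected field: ${key}`);
    if (looksLikePan(value)) throw new Error(`card-like value in field: ${key}`);
  }
}

// Steps 1 and 2 of the flow: get or create the customer, then place the order.
async function submitPayment(gateway, payload) {
  assertNoCardData(payload);
  const { cardCode, email, orderNumber, amount, currency, paymentInstrumentId } = payload;
  let customerId = await gateway.findCustomerId(cardCode);
  if (!customerId) customerId = await gateway.createCustomer({ name: cardCode, email });
  const orderId = await gateway.createOrder({ customerId, orderNumber, amount, currency, paymentInstrumentId });
  // An order ID means the payment was formally checked, not fully charged.
  return { orderId, paid: true };
}

// Constructed in-memory gateway so the example runs offline.
function makeFakeGateway() {
  const customers = new Map();
  const orders = [];
  return {
    orders,
    async findCustomerId(name) { return customers.get(name) || null; },
    async createCustomer({ name }) { const id = `cust_${customers.size + 1}`; customers.set(name, id); return id; },
    async createOrder(order) { orders.push(order); return `order_${orders.length}`; },
  };
}
```

The allow-list is the primary control; the Luhn check is a second line of defence against card numbers pasted into a permitted field.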

# Processing of successful payment

A finalised Concardis order is handled by the shop. The corresponding database entry of the order entity is updated with a "paid" flag.

An internal cron job collects all entries of the order entity whose state has been updated. If an order is marked as "paid", the job transfers its information into the SBO world.

Page Info: Created by GitHub on Jun 9, 2023 (last updated a minute ago by GitHub)