Making card payments
In the previous guide we talked about how to get card data into Modernbanc Vault. In this one we'll reuse those secrets to make payments via Stripe with our Workflows.
To minimize your PCI burden, you, your app, your servers and your employees must not see or touch card data. This is why using Modernbanc Workflows is vital to staying compliant: it is our servers that process the card data.
Building a workflow
You can build workflows and deploy code that Modernbanc will execute on your behalf. It takes less than 2 minutes to build your first workflow in our UI.
Go to the Modernbanc workflows page and create a workflow. Let's call it "Create a Stripe payment method".
This workflow will look up the secrets by id, extract the underlying data and then make an API call to Stripe.
We can trigger this workflow via an API call from your server or directly in our UI.
Add the following steps to the workflow:
Step: find
Type: one
Model: secret
Where: id = {{_trigger_version._input.body.card_number_secret_id}}
Include: value: true
Step: find
Type: one
Model: secret
Where: id = {{_trigger_version._input.body.card_expiry_month_secret_id}}
Include: value: true
Step: find
Type: one
Model: secret
Where: id = {{_trigger_version._input.body.card_expiry_year_secret_id}}
Include: value: true
Step: find
Type: one
Model: secret
Where: id = {{_trigger_version._input.body.card_cvv_secret_id}}
Include: value: true
Type: connection_query
URL: https://api.stripe.com/v1/payment_methods
Headers:
{ "authorization": "Bearer <your_stripe_api_key>" }
Body:
{
"type" : "card",
"card[number]" : "{{steps[0].result.value}}",
"card[exp_month]" : "{{steps[1].result.value}}",
"card[exp_year]" : "{{steps[2].result.value}}",
"card[cvc]" : "{{steps[3].result.value}}"
}
Content-Type: application/x-www-form-urlencoded
If you store the expiry month and year as one secret, you can use inline JS to split it:
{ "card[exp_month]": "{{secret.value.split('/')[0]}}" }
Now you can use the newly created payment method to run payments.
Adding a trigger
Now that we have defined the steps, we also need to add a way to run this workflow.
Since we'll be running it from your server by calling the Modernbanc API, we'll add a simple webhook trigger.
To learn about how to add triggers to workflows go here.
Running workflow
According to the workflow design above, we'll need to run it with the following request body:
{
"card_number_secret_id" : "SECRET_xxxxxx",
"card_expiry_year_secret_id" : "SECRET_xxxxxx",
"card_expiry_month_secret_id" : "SECRET_xxxxxx",
"card_cvv_secret_id" : "SECRET_xxxxxx"
}
Removing card data from workflow execution logs
For audit and debugging purposes Modernbanc stores a history of all workflow executions.
Therefore we need to ensure that we don't store any card data in logs. This can be achieved via our replace feature.
The benefit of using the replace feature is that you can remove card data from logs while still keeping other data for debugging purposes.
You can add a replacement in the left sidebar of our workflow editor:
// Array of replacements
[
{
"paths" : ["data"], // array of paths (e.g data or data.[0].value) in workflow execution
"with" : "REDACTED"
}
]
This will remove the data from the execution body, so both the API response and the logs will have data = 'REDACTED'.
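To check that a replacement really keeps card numbers out of a stored execution, you can apply it to a sample record and scan the result. The sketch below is an added example, not Modernbanc code: the execution record is constructed, and the path handling (dot-separated keys, "[n]" for array indexes) is an assumption based on the path examples shown above.

```javascript
// Constructed execution record; the real log shape is an assumption.
const execution = {
  status: "success",
  data: [
    { step: 0, value: "4242424242424242" }, // well-known test card number
    { step: 1, value: "12" },
  ],
};

// Apply [{ paths, with }] replacements. Assumed path syntax: dot-separated
// keys, with "[n]" segments for array indexes (e.g. "data.[0].value").
function applyReplacements(doc, replacements) {
  const out = JSON.parse(JSON.stringify(doc)); // work on a copy
  for (const { paths, with: replacement } of replacements) {
    for (const path of paths) {
      const keys = path.split(".").map((k) => k.replace(/^\[(\d+)\]$/, "$1"));
      const last = keys.pop();
      let node = out;
      for (const key of keys) node = node?.[key];
      // Paths that do not exist in the record are skipped.
      if (node !== null && typeof node === "object" && last in node) {
        node[last] = replacement;
      }
    }
  }
  return out;
}

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// Paths of string values still holding a Luhn-valid 13-19 digit run.
// This only detects card numbers: CVV and expiry have no checkable pattern,
// so their paths must be listed in the replacement explicitly.
function findCardNumbers(node, path = "") {
  if (typeof node === "string") {
    return (node.match(/\d{13,19}/g) || []).some(luhnValid) ? [path] : [];
  }
  if (node === null || typeof node !== "object") return [];
  return Object.entries(node).flatMap(([k, v]) =>
    findCardNumbers(v, path ? `${path}.${k}` : k));
}
```

An empty result from findCardNumbers after applyReplacements means no card number survived; a narrower path such as "data.[0].value" redacts only that field and keeps the rest of the record for debugging.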
Conclusion
This is just an example of how to manipulate card data in a PCI-compliant way without exposing it to your server.
- Please refer to the most up-to-date API Reference on the provider's website.
- You can build a payment integration with ANY processor that provides API or a database access. There is no vendor lock-in.
- You can add any other steps to that workflow.