Hi everyone,
I’m currently architecting a flow for a high-volume merchant and I’m looking to minimize our PCI DSS scope. We need to collect sensitive payment info (handled via Cybersource Flex Microform), but we also need to gather significant KYC/onboarding data from the customer at the same time.
My concern is keeping the "General Survey/Onboarding" data strictly separated from the "Cardholder Data" (CHD) environment to simplify our compliance audits.
My proposed flow:
Use Flex Microform on our frontend to capture CHD and generate a transient token.
Once the token is generated, redirect the user to a secure, external survey platform to complete their profile.
Post the transaction once all metadata is gathered.
Here is a snippet of how I'm planning to pass the reference ID to my data collection endpoint:
// Capturing the transient token and redirecting for KYC
flex.createToken(options, (err, token) => {
  if (token) {
    // Reference ID derived from the current timestamp
    const referenceId = "TXN_" + Date.now();
    // Redirecting to thesurvey.io to collect non-PCI user data
    // (the transient token itself is carried in the query string here)
    window.location.href = `https://thesurvey.io/setup?ref=${referenceId}&token=${token}`;
  } else {
    console.error("Tokenization failed", err);
  }
});
I have a few questions for the experts here:
Is it better to gather the survey data before or after the payment tokenization to ensure the best UX without increasing the audit scope?
Are there any specific Cybersource headers I should use to ensure the reference_number stays consistent across the redirect?
I’ve been trying to find out everything I can about secure data handoffs and session persistence. Any insights on how to optimize this specific integration with thesurvey for the data collection piece would be greatly appreciated!
Thanks in advance for the help.
01-13-2026 02:17 AM