I am trying to wrap my head around a secure process for handling payments with CyberSource (a payment processor).
The setup has been approved by our company security group to work as follows:
1.) client requests a page with a CC form
2.) client fills out and submits the CC form via AJAX call and directly POSTs to CyberSource
3.) CyberSource does it's thing and returns a code and description from the result to the server
4.) The server must identify that the postback from CyberSource relates to a particular client and then update that client's browser with the appropriate message (success, error, etc..)
I'm having a hard time figuring out how I can proactively send a message to an existing browser session without a request originating from that client's browser. Does anyone have some light they can shed on this?
I figure an alternative could be a client-side timer that pings the server and checks the database to see if a postback has been received, but that seems inefficient and would add a lot of server load.
any ideas? is there a particular term or protocol that I should be looking up that describes my desired setup?