Payment and Payer Data
Before you send a request to initiate a transaction, gather the necessary information directly from the payer or from your own system.
The Direct Payment integration method lets you build your own payment page to gather this data, but you must still do the following:
- Obtain the necessary data about the payer and their order.
- Ensure that the payer provides their details to your application securely.
- Include all data that any specific payment features you want to use require in the request.
- Use meaningful order and transaction IDs so that you can track the order and transaction throughout the payment process.
Request-related identifiers
To identify the order and transactions throughout your system and at your payment processor, use the following fields:
- Order ID
- Optional: Order reference
- Optional: Identifier for the acquirer
- Transaction ID
Generate these values so that they are unique where uniqueness is required, ideally by building on natural keys that already exist in your system (for example, a cart or invoice number) so that the IDs remain traceable on your side.
For more information about each of these identifiers and how to use them, see Identifiers. For a basic understanding of orders and transactions.
Mandatory fields for transaction operation
To identify the mandatory fields for the specific transaction operation, see the API Reference for that operation.
HTML form data display
When you gather the necessary data from the payer using HTML form fields, do not expose every request field in the HTML form. Decide explicitly:
- What to display to the payer.
- What to calculate in your server-side code.
- What never to display, even as hidden fields.
Secure your integration
To keep your integration secure, expose the minimum amount of data to your payer. As a best practice, render only the form fields that require input from the payer, for example the shipping and billing address fields, the payment details, and the credit card data. Important tips to secure your integration:
- Never use hidden form fields to pass information relevant to processing a transaction. The payer, or anyone with malicious intent, can edit these fields and process transactions that are potentially fraudulent. This applies especially to fields such as the merchant ID and API password: store these values securely on your server and never send them to the browser. If a fraudulent user gained access to them, your account would be open to attack.
- Always calculate the order amount on the server immediately before sending the transaction request. If you store the value in a hidden field, a fraudulent payer can alter the amount and, without the right checks in your integration, manipulate the transaction, for example by paying 1 USD instead of 100 USD.
- For sample HTML forms for basic operations such as AUTHORIZE, CAPTURE, REFUND, and PAY, see Downloads.
Although the sample forms include many fields as examples, your integration must not expose all of them; expose only the fields for which you need payer input.
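The following server-side handler is added here as an example; it is not one of the gateway's sample forms or SDK code. It applies the rules above and the identifier guidance from the Request-related identifiers section: only payer-input fields are accepted from the browser, any processing field arriving from the client is treated as tampering, the amount is recomputed from server-side cart data immediately before the request is built, credentials are passed in from the server side rather than the form, and the order and transaction IDs are derived from a natural key. All names (CATALOGUE, CARTS, the field names, build_pay_request) and the cart data are hypothetical and constructed for the example; the request dictionary is a stand-in for whatever the API Reference specifies for the operation.

```python
import secrets
from decimal import Decimal

# Constructed sample data standing in for your database (hypothetical).
# Nothing in these two tables ever comes from the browser.
CATALOGUE = {"SKU-100": Decimal("100.00"), "SKU-7": Decimal("7.50")}
CARTS = {"cart-42": {"SKU-100": 1, "SKU-7": 2}}

# The only fields the payer is expected to type into the form (hypothetical names).
PAYER_FIELDS = {
    "card_number", "card_expiry_month", "card_expiry_year", "card_cvv",
    "billing_street", "billing_city", "billing_country",
}

# Processing fields that must never arrive from the client. If one shows up in
# a POST body, the page leaked it as a hidden field or someone is tampering.
PROCESSING_FIELDS = {
    "amount", "currency", "order_id", "transaction_id",
    "merchant_id", "api_password",
}


def compute_amount(cart_id):
    """Recompute the total from server-side prices and quantities."""
    cart = CARTS[cart_id]
    return sum((CATALOGUE[sku] * qty for sku, qty in cart.items()), Decimal("0"))


def new_order_id(cart_id):
    """Natural key plus a random suffix: traceable in your system, unique across retries."""
    return f"{cart_id}-{secrets.token_hex(4)}"


def new_transaction_id(order_id, attempt):
    """Transaction IDs only need to be unique within their order."""
    return f"{order_id}-txn{attempt}"


def client_supplied_processing_fields(form):
    """Return (sorted) any processing fields the client tried to set."""
    return sorted(set(form) & PROCESSING_FIELDS)


def build_pay_request(form, cart_id, credentials, attempt=1):
    """Build the body and auth for a PAY call from a parsed form POST.

    `credentials` is (merchant_id, api_password) loaded on the server, for
    example from a secrets manager; it is never read from the form.
    """
    tampered = client_supplied_processing_fields(form)
    if tampered:
        raise ValueError(f"processing fields supplied by client: {tampered}")
    # Allowlist: unknown fields (CSRF tokens, stray inputs) are dropped, not trusted.
    payer = {k: v for k, v in form.items() if k in PAYER_FIELDS}
    order_id = new_order_id(cart_id)
    return {
        "auth": credentials,                      # sent as HTTP Basic auth, not in the body
        "order_id": order_id,
        "transaction_id": new_transaction_id(order_id, attempt),
        "amount": str(compute_amount(cart_id)),   # computed now, never read from a hidden field
        "currency": "USD",
        "payer": payer,
    }


if __name__ == "__main__":
    submitted = {"card_number": "4111111111111111", "card_expiry_month": "12",
                 "card_expiry_year": "29", "card_cvv": "123",
                 "billing_country": "US", "csrf_token": "t0k3n"}
    print(build_pay_request(submitted, "cart-42", ("TESTMERCHANT", "not-a-real-password")))
    # A submission carrying a client-set amount is refused, not silently overwritten:
    try:
        build_pay_request({**submitted, "amount": "1.00"}, "cart-42", ("TESTMERCHANT", "x"))
    except ValueError as exc:
        print("rejected:", exc)
```

The HTML form renders only the fields in PAYER_FIELDS; everything else in the request is produced on the server at the moment of the call. Rejecting a client-supplied amount rather than quietly overwriting it is deliberate: a request body containing a processing field is a signal worth logging, because it means either your page is leaking fields or a payer is probing your integration.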
Secure data transfer on your payment page
Websites that collect sensitive or confidential data must use TLS to protect the data passed between the payer's browser and your application. When a browser sends data to a web server, such as your web application, over TLS, the data is encrypted in transit and unintended recipients cannot intercept or view it.
If you use the Direct Payment integration method, your application must present the payer with a secure form served over TLS for collecting sensitive payment data. Consider using a secure form also when collecting less sensitive but still confidential information, such as payer addresses. Note that TLS between the browser and your server covers only that hop; the request your server then sends to the payment gateway must also be made over HTTPS.
Several browsers now require HTTPS with a valid TLS certificate to avoid presenting security warnings to customers.