Our requirement was that our end users should be able to pay for our application services using their debit / credit cards. I embarked on the payment gateway integration journey initially thinking of traditional ways of integration. We did not wish to incur the additional overhead of any PCI DSS compliance that occurs, if you choose to store any card details on your site. Hence, I started considering more traditional approaches like our site will redirect payment requests to the payment gateway hosted "payment pages".
These typically gives the end user the ability to choose their payment method, input their card details and ask for their card to be charged for relevant amounts.
Even worldpay as our preferred payment gateway provider had these options under the integration type of "HTML Redirect". However the main drawbacks of this kind of "payment page" based integration were as follows:
- No control and limited customisation of the payment pages
- Lack of a strong application context while the user was on the payment pages
- The mechanism of gateway provider letting us know that the card was charged successfully made the whole process asynchronous, as it was a post back to our application servers
Well, it turns out there is a much simpler approach available in most modern payment gateways. Using the payment gateways REST APIs. I used the worldpay online REST APIs, to quickly integrate the payment gateway into our application. Here I will talk a bit about my experience using the worldpay online payment APIs.
Though we use the payment REST APIs, we still do not need to have an PCI-DSS compliance. The reason is that we never capture or store the card details on our application. The entire process is broken down into 2 steps:
Step 1: Our application displays inline or as pop-up a worldpay online screen. This worldpay screen captures the card details and gives back a temporary token to the application.
Step 2: The application uses the above temporary token and actually calls the REST payment API. The token acts as a proxy for the card details like card number, expiration date, CVV etc. Application never knows about card details, they are known only to worldpay online!
The best part is that:
- Except for a small portion of page which captures card details, rest of webpage is under applications control and hence customizable
- The actual REST API call is synchronous so error handling effort is reduced by a huge amount
The actual payment REST call is as simple as shown below
For more information please visit Worldpay online documentation
Worldpay as a gateway provides various features, (many of which I implemented successfully) like
- Recurring Payments
- Card-on-File (for re-using previously entered card information)
- 3d-Secure integration
- Dispute Defence
- Telephone orders
- .. and so on
Happy integration, people :-)