This approach is called Silent Order Post or Direct Post. It is very similar to BNP hosted payment forms and leaves the merchant in full control of the checkout experience, because all website elements are delivered from the merchant’s server.

The 3DS authentication is handled by the Axepta Platform.


Steps:

  • The merchant creates and hosts a payment form. The form data is sent directly to Axepta using the "action" parameter of the HTML form which contains the URL of the Axepta server.
  • Thus, sensitive data entered on the merchant’s website is transmitted directly to the Axepta server and is not transmitted to the merchant’s server (silent POST request).



Overview

A Silent Order Post or Direct Post is a transmission method in which form data from a merchant website is posted directly to a third-party server. This is commonly achieved through the form action attribute, which specifies the URL the data is sent to.

Sensitive data such as card details can be captured within a merchant’s website without being processed by the merchant server, as the POST is submitted silently. The URL endpoint that receives Silent Order Post requests is referred to as PayNow.

<form action="../payNow.aspx" method="post">
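Because the form is served by the merchant, the guarantee that card data never reaches the merchant server depends entirely on the form's action attribute. The following check is an added example, not code from BNP Paribas or Axepta: it parses a checkout page and reports any card field that would not be POSTed over HTTPS to the expected gateway. The host `gateway.example` and the field names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: placeholder host and field names, not Axepta's real values.
ALLOWED_HOST = "gateway.example"
CARD_FIELDS = {"cardnumber", "cvv", "expiry"}

class FormAudit(HTMLParser):
    """Records each <form>'s action/method and the card inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.orphans, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if name in CARD_FIELDS:
                # A card field outside a form is read by script, not posted silently.
                (self.orphans if self._open is None else self._open["fields"]).append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(html):
    """Return findings; an empty list means card fields only POST to ALLOWED_HOST over HTTPS."""
    parser = FormAudit()
    parser.feed(html)
    findings = [f"card field '{n}' is outside any form" for n in parser.orphans]
    for form in parser.forms:
        if not form["fields"]:
            continue
        url = urlsplit(form["action"])
        # Exact host match: a look-alike such as gateway.example.evil.test is rejected.
        if url.scheme != "https" or url.hostname != ALLOWED_HOST:
            findings.append(f"card form posts to '{form['action']}'")
        if form["method"] != "post":
            findings.append(f"card form uses method '{form['method']}'")
    return findings

# Constructed sample pages: the first posts directly to the gateway, the second to the merchant.
GOOD = '<form action="https://gateway.example/payNow.aspx" method="post"><input name="cardNumber"><input name="cvv"></form>'
BAD = '<form action="/checkout" method="get"><input name="cardNumber"></form><input name="cvv">'
if __name__ == "__main__":
    print(audit(GOOD), audit(BAD))
```

Running a check like this against the rendered checkout page in a deployment pipeline catches a form that has been changed to post card data to the merchant's own server.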




PCI-DSS Considerations

Merchants processing card transactions using the Silent Post model must submit the PCI DSS Self-Assessment Questionnaire (SAQ) A-EP. This SAQ is more comprehensive and thus might require more time and resources compared with SAQ A, which applies to merchants that use hosted payment pages. However, merchants should always consult with their acquirer to evaluate the level of compliance required and refer to the PCI DSS guidelines. This does not affect the use of pseudo card numbers, which is possible without submitting the SAQ questionnaire.


The full documentation

