Merchant Credit Card Form
Create and host your own credit card form to collect your customers' credit card data. PCI DSS Self-Assessment Questionnaire (SAQ) A-EP is mandatory.
This approach is very similar to BNP hosted payment forms and leaves the merchant in full control of the checkout experience as all website elements are delivered from the merchant’s server.
The 3DS authentication is handled by the Axepta Platform.
Steps:
- The merchant creates and hosts a payment form. The form data is sent directly to Axepta using the "action" parameter of the HTML form which contains the URL of the Axepta server.
- Thus, sensitive data entered on the merchant’s website is transmitted directly to the Axepta server and is not transmitted to the merchant’s server (silent POST request).
Overview
A Silent Order Post or Direct Post is a transmission method where form data from a merchant website is posted directly to a third-party server. This is commonly achieved through the form action attribute, which specifies the URL the data is sent to.
Sensitive data such as card details can be captured within a merchant’s website without being processed by the merchant server, as the POST is submitted silently. The URL endpoint that receives Silent Order Post requests is referred to as PayNow.
<form action="../payNow.aspx" method="post">
PCI-DSS Considerations
Merchants processing card transactions using the Silent Post model must submit the PCI DSS Self-Assessment Questionnaire (SAQ) A-EP. This SAQ is more comprehensive and thus might require more time and resources than SAQ A, which applies to merchants that use hosted payment pages. However, merchants should always consult with their acquirer to evaluate the level of compliance required and refer to the PCI DSS guidelines. This does not affect the use of pseudo card numbers, which is possible without submitting the SAQ questionnaire.
Notice about Cookie-/Session Handling
Please note that some browsers might block necessary cookies when returning to your shop. Here you will find additional information and different solution approaches.
PayNow
Silent Mode for credit cards with SSL and 3-D Secure method
PayNow links the benefits of Platform forms and Server-to-Server connections: As opposed to the Platform form, where the form is loaded from the Platform server by calling payssl.aspx, the PayNow form has to be provided by the merchant’s system. The form uses the same parameters as described here below.
In contrast to the Platform form, the parameters are not forwarded as URL parameters, as is the case when calling payssl.aspx, but as form input parameters. The same parameters can be used for calling PayNow.aspx as for PaySSL.aspx.
Please note that in case of fallback to 3-D Secure 1.0 the URLSuccess or URLFailure is called with GET. Therefore your systems should be able to receive parameters both via GET and via POST.
Payment Request
The credit card data must be transmitted to paynow.aspx with the following parameters.
Please POST the form data as outlined in the table below to payNow.aspx.
Form Elements
(The Platform will continue to support the legacy form data fields that are currently in use.)
Data
Sample HTML Form
BASEURL= https://paymentpage.axepta.bnpparibas/
<!DOCTYPE html>
<html>
<head>
  <title>Merchant Checkout</title>
</head>
<body>
  <!-- BASEURL is the placeholder defined above; the action must resolve to payNow.aspx on the Axepta server -->
  <form name="card form" action="BASEURLpayNow.aspx" method="post">
    <!-- Hidden request parameters prepared by the merchant system -->
    <input type="hidden" name="MerchantID" value="MerchantID">
    <input type="hidden" name="Len" value="Length of the Blowfish encrypted data">
    <input type="hidden" name="Data" value="Blowfish encrypted data">
    <!-- Card fields: posted by the browser directly to the action URL, not to the merchant server -->
    Cardholder: <input type="text" name="cardholder"><br>
    Card number: <input type="text" name="number"><br>
    Expiry date: <input type="text" name="expiryDate"><br>
    CVV2: <input type="text" name="securityCode"><br>
    Card brand: <input type="text" name="brand"><br>
    <input type="submit" value="Submit">
  </form>
</body>
</html>
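An added example, not part of the Axepta documentation: a deployment check that parses the merchant's checkout HTML and reports any card form whose action is not an absolute HTTPS URL for payNow.aspx on the PayNow host, or whose method is not POST. The host is taken from the BASEURL above and the field names from the sample form; `FormAudit` and `audit_checkout` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: host from the page's BASEURL, field names from the sample form.
EXPECTED_HOST = "paymentpage.axepta.bnpparibas"
CARD_FIELDS = {"cardholder", "number", "expiryDate", "securityCode", "brand"}

class FormAudit(HTMLParser):
    """Record action, method and input names of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": set(),
                          "method": (a.get("method") or "get").lower()}
            self.forms.append(self._open)
        elif tag == "input" and a.get("name") and self._open is not None:
            self._open["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_checkout(html):
    """Return findings; an empty list means every card form posts to PayNow."""
    page = FormAudit()
    page.feed(html)
    findings = []
    for form in page.forms:
        if not form["fields"] & CARD_FIELDS:
            continue  # not a card form
        url = urlsplit(form["action"])
        if (url.scheme, url.hostname) != ("https", EXPECTED_HOST):
            findings.append(f"action '{form['action']}' is not on https://{EXPECTED_HOST}")
        elif url.path.lower() != "/paynow.aspx":
            findings.append(f"action path '{url.path}' is not payNow.aspx")
        if form["method"] != "post":
            findings.append(f"method is '{form['method']}', expected post")
    return findings

# Constructed sample: a relative action resolves to the merchant's own host.
SAMPLE = ('<form action="/payNow.aspx"><input type="hidden" name="Data">'
          '<input name="number"></form>')
if __name__ == "__main__":
    print("\n".join(audit_checkout(SAMPLE)))
```

Running it against the rendered checkout page in a release pipeline catches a relative or changed action before card data is ever posted anywhere but PayNow.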
When the payment is completed, the Platform sends a notification to the merchant server (i.e. URLNotify) and redirects the browser to the URLSuccess or the URLFailure, respectively.
The Blowfish-encrypted data elements listed in the following table are transferred via the HTTP POST request method to the URLNotify and URLSuccess/URLFailure.