There are three integration methods that can be used to integrate into the payment system. The most appropriate one will depend on a number of factors. Our system doesn’t make the merchant select which integration method can be used, and allows different integrations against the same Gateway Account to be in place simultaneously – there are certain situations in which this will actually be necessary. Once you have reviewed the information below and decided on the most appropriate integration method for your needs, please refer to the integration-specific documentation for the technical details on its implementation.
- Direct/API Integration – Direct/API processing allows merchants to keep their customers on their site throughout the entire checkout process. This provides a much smoother checkout experience, and keeps the details of the underlying payment processor completely hidden from the customers. The API for this method exposes the full functionality of the payment system. This method requires the merchant’s system to be able to serve out HTTPS pages, which will likely require them to have an SSL certificate.
Difficulty: 4/10. Of the integration methods, this is probably the easiest to implement, as well as giving you the most control of the transaction process.
PCI-DSS SAQ*: SAQ-D
- Hosted Payment Form – we can provide a secure payment form which the customer is redirected to during the checkout process. They will complete the order on our system and then be redirected back to the merchant’s system with the results of the transaction. Our system allows this payment form to be completely re-skinned so that it closely matches the merchant’s own branding. This method is generally used by merchants who are using a shopping cart that does not support the Direct/API integration method, merchants who cannot host secure (HTTPS) pages or merchants who would like to completely outsource the payment process of their website – usually for PCI compliance reasons.
Difficulty: 6/10. Because this integration uses the user’s browser as a data relay, there are some additional steps required to securely transmit the data to/from the payment gateway, as well as handling the response. These additional steps add complexity to the integration.
PCI-DSS SAQ*: SAQ-A
- Hosted Payment Form (iFrame Mode) – The Hosted Payment Form can be used in “iFrame” mode, which would allow it to be embedded into a payment form that is hosted on the merchant’s system. The system will apply a different, cut-down skin to the Hosted Payment Form in this mode, which will only skin the direct form.
Difficulty: Intermediate. The integration is more or less identical to the Hosted Payment Form.
PCI-DSS SAQ*: SAQ-A
- Hosted Fields – the Hosted Fields integration method allows the merchant’s system to appear to keep the customer on their own system during the checkout process, but the sensitive fields are served transparently by the payment system through iFrames. This approximates the appearance and experience of the Direct/API method, but has the same compliance requirements as the Hosted Payment Form method.
Difficulty: 6/10. Because this integration uses the user’s browser as a data relay, there are some additional steps required to securely transmit the data to/from the payment gateway, as well as handling the response. These additional steps add complexity to the integration.
PCI-DSS SAQ*: SAQ-A
- Transparent Redirect – the Transparent Redirect method allows the merchant’s system to appear to keep the customer on their own system during the checkout process, but the card details don’t actually touch the merchant’s system – they get posted directly across to the payment system. This approximates the appearance and experience of the Direct/API method, but it has the same compliance requirements as the Hosted Payment Form method.
This method requires the merchant’s system to be able to serve out HTTPS pages, which will require them to have an SSL certificate.
Difficulty: 7/10. Because this integration uses the user’s browser as a data relay, there are some additional steps required to securely transmit the data to/from the payment gateway, as well as handling the response. These additional steps add complexity to the integration.
PCI-DSS SAQ*: SAQ-A-EP
* assumes that your annual transaction count (or any other factor) allows your PCI-DSS compliance to be self-attested
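
The Hosted Payment Form, Hosted Fields and Transparent Redirect entries above all note that relaying data through the user's browser needs extra steps to protect it on the way to the gateway and on the way back. The following is an added illustration of one common way to do that, an HMAC-SHA256 signature over the relayed fields that the receiver checks in constant time; it is not this gateway's documented scheme, and the field names, shared secret and canonical form are assumptions (the integration-specific documentation defines the real ones).

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the example; assumed to be shared between merchant and
# gateway out of band and never placed in the page sent to the browser.
SHARED_SECRET = b"constructed-example-secret"

# Constructed order; field names are hypothetical, amount is in minor units.
ORDER = {
    "amount": "1999",
    "currency": "GBP",
    "order_ref": "ORD-1001",
    "redirect_url": "https://shop.example/return",
}


def sign_fields(fields, secret=SHARED_SECRET):
    """Hex HMAC-SHA256 over the fields serialised in sorted (canonical) order."""
    canonical = urlencode(sorted(fields.items())).encode("utf-8")
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_relay_payload(fields, secret=SHARED_SECRET):
    """Sender: append the signature so the browser carries fields and proof together."""
    return urlencode(dict(fields, signature=sign_fields(fields, secret)))


def verify_relay_payload(payload, secret=SHARED_SECRET):
    """Receiver: return the fields only if the signature covers exactly what arrived."""
    pairs = parse_qsl(payload, keep_blank_values=True, strict_parsing=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):
        raise ValueError("duplicate field in relayed payload")
    supplied = fields.pop("signature", "")
    expected = sign_fields(fields, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("signature mismatch: data altered in the browser or unsigned")
    return fields


if __name__ == "__main__":
    payload = build_relay_payload(ORDER)
    print(verify_relay_payload(payload))  # untouched payload verifies
    try:
        verify_relay_payload(payload.replace("amount=1999", "amount=1"))
    except ValueError as err:
        print("rejected:", err)
```

The same verification applies in the other direction: the merchant's return URL should check the signature on the transaction result before treating an order as paid.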
