E-commerce payments make up the largest volume of card-not-present transactions. This guide provides information on important requirements and best practices for accepting e-commerce payments and card-not-present payments in general, as well as information on getting started with various CardPointe e-commerce solutions.
Before you begin your integration, you should review the information in this guide to help plan and guide your development.
What is E-Commerce?
E-commerce, short for electronic commerce, is a term used to describe payments accepted remotely over the internet. Similarly to a MOTO (mail order/telephone order) transaction, in an e-commerce transaction, the customer and their payment card are not physically present at the time of sale. Instead, the customer interacts with a mobile application, online checkout form, or other means of entering their payment information to complete a transaction.
Unlike card-present transactions, in which a secure payment terminal or card reader encrypts and transmits the payment data at the point-of-sale, e-commerce payments require additional layers of security to comply with Payment Card Industry Data Security Standards (PCI DSS). See the CardPointe E-commerce Solutions section below for detailed information on how our e-commerce solutions ensure the safety of your customers' data.
By building a safe, convenient, and user-friendly e-commerce experience, you can increase your customer base and rate of return customers. Additionally, the CardPointe platform's tokens (generated by CardSecure) support omnichannel payments, allowing your customers to move seamlessly between your card-present and card-not-present experiences.
The CardPointe Gateway is certified for compliance with the latest payment industry standards and requirements to help your business remain compliant, while providing tools to help protect your cardholders' data.
Consider the following industry standards and requirements for accepting e-commerce payments:
Payment Card Industry Data Security Standards
CardSecure is the CardPointe Gateway's sensitive data encryption and tokenization service. CardSecure allows you to securely accept and tokenize payment card, ACH (eCheck), and mobile wallet data to ensure the safety of your customers' sensitive payment data. CardSecure and the CardPointe Gateway offer simple solutions to ensure that sensitive cardholder data is never exposed to your application or systems, helping to reduce your scope of PCI compliance.
See the PCI Council's Best Practices for Securing E-commerce for helpful information, and see the Council's official Document Library for additional resources.
Visa and Mastercard Stored Credential Transaction Framework Mandate
This mandate, also referred to as credentials on file, card on file, or COF, requires merchants storing cardholder data to gain consent and to properly identify all transactions using stored data. See the Visa and Mastercard Stored Credential Transaction Framework Mandate guide for detailed information and requirements.
3-D Secure is a required protocol to accept e-commerce payments for merchants in the European Union, India, and Australia, among other countries and supranational institutions. 3DS was developed by the card brands and EMVCo to provide additional cardholder security for e-commerce credit and debit card transactions. It is EMVCo's standard for securing e-commerce payments to comply with the Strong Customer Authentication (SCA) mandate in the European Union. If you are located outside of the USA, it is recommended you check your national requirements for accepting e-commerce payments. To enable merchants to comply with this mandate, the CardPointe Gateway supports 3-D Secure 2.0. See the 3-D Secure 2.0 guide for detailed information and technical requirements.
The CardPointe Gateway offers a wide range of features designed to reduce friction and increase loyalty and satisfaction in your customers' experience.
Consider the following features and recommendations for accepting e-commerce payments:
Obtain the best interchange rates
The CardPointe Gateway allows you to capture card address verification service (AVS) and cardholder verification value (CVV) to help your e-commerce transactions process at the lowest interchange rate, and to help prevent fraud. For e-commerce credit card payments, you should always provide the following information in the authorization request:
Cardholder Name - The exact name printed on the payment card.
Postal code - The zip or postal code associated with the account.
Cardholder verification value (CVV/CVV2/CID) - The 3 or 4-digit cardholder verification value printed on the payment card.
E-commerce indicator (ecomind) - Specifically for authorizations using the CardPointe Gateway API, include one of the following values in the ecomind field, as appropriate:
- T - telephone or mail payment
- R - recurring billing
- E - e-commerce web or mobile application
Additionally, you can request AVS and CVV validation for your merchant account, which requires this data to pass a verification check before attempting to authorize a transaction. See Using Test Payment Accounts for information on testing AVS and CVV verification responses. See the Security Settings section of the CardPointe Support Site for more information on the security features offered in the CardPointe Web Application.
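The following added example (not code from the CardPointe documentation) assembles an e-commerce authorization request carrying the verification data recommended above, rejects invalid ecomind and CVV values before anything is sent, and produces a log-safe copy with the CVV dropped and the token masked. The field names other than ecomind (merchid, account, expiry, amount, name, postal, cvv2) are assumed from the CardPointe Gateway API authorization request and should be checked against the API reference; all sample values are constructed.

```python
import re
from typing import Dict

# Allowed ecomind values from the guide: T (telephone/mail), R (recurring), E (e-commerce).
ECOMIND_VALUES = {"T", "R", "E"}
_CVV_RE = re.compile(r"^\d{3,4}$")          # CVV/CVV2/CID is 3 or 4 digits
_EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])\d{2}$")  # MMYY (assumed format)


def build_auth_request(merchid: str, token: str, expiry: str, amount: str,
                       name: str, postal: str, cvv: str, ecomind: str) -> Dict[str, str]:
    """Build an authorization payload that always carries name, postal code,
    CVV and the e-commerce indicator, so AVS/CVV checks can run and the
    transaction qualifies for the best interchange rate."""
    if ecomind not in ECOMIND_VALUES:
        raise ValueError(f"ecomind must be one of {sorted(ECOMIND_VALUES)}, got {ecomind!r}")
    if not _CVV_RE.match(cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    if not _EXPIRY_RE.match(expiry):
        raise ValueError("expiry must be MMYY")
    if not name.strip() or not postal.strip():
        raise ValueError("cardholder name and postal code are required for AVS")
    return {
        "merchid": merchid,   # assumed field name
        "account": token,     # CardSecure token, never the raw card number
        "expiry": expiry,     # assumed field name
        "amount": amount,     # assumed field name
        "name": name.strip(),
        "postal": postal.strip(),
        "cvv2": cvv,          # assumed field name
        "ecomind": ecomind,
    }


def redact_for_log(request: Dict[str, str]) -> Dict[str, str]:
    """Return a copy that is safe to write to application logs: the CVV is
    removed entirely (PCI DSS forbids retaining it after authorization) and
    the account value is masked to its last four characters."""
    safe = {k: v for k, v in request.items() if k != "cvv2"}
    acct = safe.get("account", "")
    safe["account"] = "*" * max(len(acct) - 4, 0) + acct[-4:]
    return safe


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real CardSecure token.
    req = build_auth_request("000000000000", "9418594164541111", "1225", "10.00",
                             "Jane Doe", "19406", "123", "E")
    print(redact_for_log(req))
```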
Use customer profiles for frictionless repeat payments and customer loyalty
The CardPointe Gateway's profile service enables you to securely store tokenized customer payment data and associated billing information, allowing your customers to quickly and easily pay for follow-up purchases or to enroll in recurring billing plans. Additionally, CardSecure tokens support omnichannel payments, so whether you use the built-in profile service, or you develop your own solution for storing tokens and profiles, your customers can seamlessly make payments in both your card-present and card-not-present environments. For more information, refer to our documentation on the Gateway Profile API endpoint.
Review our Stored Credentials Mandate documentation for detailed information on compliance requirements for storing customer information.
Keep customer profiles up to date
The CardPointe Gateway's Card Account Updater value-added service enables you to keep your customer's CardPointe Gateway profiles up to date with the latest changes to their payment account information. If a customer's card expires or is replaced with a new card, the Card Account Updater service retrieves the updated information from the card brands and automatically updates the CardPointe Gateway profile, including a new token if applicable. If you manage your own customer profiles and tokens, the Card Account Updater API allows you to manually enroll and manage tokens in the service, and to retrieve update reports.
Accept all types of payments
The CardPointe Gateway supports a wide range of payment methods, allowing you to accept payments from credit card, electronic checking (ACH), and digital wallet (Apple Pay or Google Pay) accounts to offer flexibility to your customers. CardSecure can securely tokenize any of these account types, allowing you to send a CardPointe Gateway API authorization request with little to no regard for the type of account.
See the following guides for additional information on ACH and Digital Wallet payments:
Secure your website and cardholder data
While CardSecure encrypts and tokenizes cardholder data, you should still take all precautions to secure your website or application. To prevent fraud (for example, carding attacks), we strongly recommend that you follow common best practices, such as using an SSL certificate to secure traffic and requiring reCAPTCHA user authentication during the checkout process. For more information on preventing carding attacks, see our LaunchPointe article.
CardPointe E-Commerce Solutions
The CardPointe Gateway provides numerous resources for integrating e-commerce payments into your application or website.
For example, you can use the Hosted iFrame Tokenizer to embed a secure, hosted tokenizer form in your website with minimal development effort, or you can use the CardSecure API to build a custom tokenizer that meets your specific needs. Once you have a token, you can use the CardPointe Gateway API to create and manage customer profiles and process payments.
The following topics describe each e-commerce solution in more detail.
The following CardPointe products provide hosted solutions to reduce your development effort and your scope of PCI compliance, by ensuring that no sensitive data is ever exposed to your application or systems.
CardPointe Hosted Payment Page
The CardPointe Hosted Payment Page (HPP) is a complete, ready-to-use hosted payment form, available at no cost for every CardPointe merchant account. Unlike the Hosted iFrame Tokenizer, the HPP does provide a complete payment solution.
The HPP's customizable UI and embedded iFrame capabilities allow you to integrate the checkout page seamlessly with your website.
Like the Hosted iFrame Tokenizer, the HPP handles all sensitive cardholder data without ever exposing it to your application, helping to reduce your scope of PCI compliance.
See the Hosted Payment Page Developer Guide for more information and interactive examples.
CardPointe Virtual Terminal
The CardPointe Virtual Terminal allows you to accept payment cards and eChecks using your computer's web browser and an internet connection. Using the Virtual Terminal, you can initiate card-not-present and card-present authorizations, captures, settlements, voids, and refunds. In addition, you can easily and securely save customer payment information, and configure Billing Plans for recurring payments. For more information, refer to the CardPointe Virtual Terminal section on our Support Site.
The following solutions enable you to build a custom e-commerce experience depending on your specific business needs.
Hosted iFrame Tokenizer + CardPointe Gateway API
The Hosted iFrame Tokenizer is a simple tokenizer form that you can integrate with your web or mobile application with little development effort. The Hosted iFrame Tokenizer enables you to drop a hosted form into your checkout page to capture and encrypt sensitive cardholder account data and securely transmit it to CardSecure, CardPointe's patented P2PE tokenization solution, to retrieve a payment token.
The Hosted iFrame Tokenizer supports a wide range of optional features, including custom CSS styling, allowing you to design the form to match your payment needs and your brand's look and feel.
See the Hosted iFrame Tokenizer Developer Guide for detailed information and interactive examples.
The Hosted iFrame Tokenizer does not provide a complete payment solution on its own; you must also integrate the CardPointe Gateway API to make authorization requests using the payment tokens generated by the tokenizer, as well as to manage transactions and customer profiles. See the CardPointe Gateway API for more information on the API and its features.
CardSecure API + CardPointe Gateway API
CardSecure is the CardPointe Gateway's P2PE tokenization solution and patented tokenization engine. While the Hosted iFrame Tokenizer provides an out-of-box tokenization interface, the CardSecure API allows you to build a custom tokenizer that meets your specific needs.
See the CardSecure API for the complete API spec, and see the CardSecure Developer Guide for detailed information on CardSecure tokens and developing your integration.
Because developing a custom tokenizer will require you to handle sensitive card data within your application, you will be subject to an increased scope of PCI compliance requirements. We strongly recommend using the Hosted iFrame Tokenizer to minimize your scope of compliance by preventing card data from ever being exposed to your application.
Once you have a tokenizer, you can use the CardPointe Gateway API to:
See the CardPointe Gateway API for the complete API specification, and the CardPointe Gateway Developer Guide for helpful information for developing your integration.
The CardPointe Gateway supports Apple Pay and Google Pay for web and mobile checkout integrations.
Apple Pay and Google Pay are integrated using our CardPointe Mobile SDKs for mobile applications and/or a combination of the CardSecure API and CardPointe Gateway API for web-based applications.
Adding digital wallet functionality to your payment methods allows customers to use their stored digital wallet data to quickly and securely pay for goods and services. CardSecure handles the decryption and tokenization of the customer's payment data.
While integrations for both Apple Pay and Google Pay exist, the capabilities of these integrations differ. For more information on integrating Apple Pay and Google Pay with your application and their capabilities, see our Apple Pay Developer Guide and Google Pay Developer Guide.