Payment Gateway without PCI Compliance ScanSecurity, security, security. It is a common theme anywhere you go in this day and age, even more so in the financial world with so many personal details linked to a simple plastic card. Cash may still be king in some places, but for the most part we all use credit cards. So, as usual when you make a purchase online and give a merchant all pertinent information needed, you want to know you can trust them.

In an earlier post we spoke about PCI compliance. Need a refresher? Well, PCI compliance in short is a set of requirements designed to ensure that all compliant companies that process, store or transmit credit card information maintain a secure environment. Meaning, they wont give your information out, and have a secure way of storing your personal details from the prying eyes of the public. Though PCI compliance is an industry standard, it can be a laborious, expensive, and sometimes daunting process for merchants- especially in the case of a security breach. But there’s ways to get around it and protect oneself from costly fines. Welcome to Three Step Redirect API.

What is Three Step Redirect API?

Three Step Redirect API (Application Programming Interface) is a three-step methodology using programming coding in which a customers sensitive credit card information is transmitted directly to a PCI compliant payment gateway through an end-to-end Secure Sockets Layer (SSL) connection, bypassing the merchant’s server and payment application. In laymen’s terms – the API ensures the merchant never sees or comes close to having contact with your payment information. This simultaneously takes the merchant out of payment process equation, while the seamless look and feel of the site throughout the process offers no cues whatsoever to the customer that they have left the merchants website for the payment gateway. Browsing and buying made easy.

What are the three magical steps? (see infographic below)

Step 1. Customer’s click on checkout, while a display form on the merchant’s site collects the required payment data. When the customer clicks submit, the data is posted via SSL connection directly to the merchant’s payment gateway. Sensitive payment information such as the credit card number, expiry date, and CVV code are not submitted during this step.

Step 2. The customer’s browser requests the redirected URL from the merchant’s site. The query string for the request URL contains a token that identifies the data stored in Step 1. A server-to-server call to the payment gateway completes the processing of the request ensuring that if the customer is not automatically redirected back to the merchant’s site, the payment gateway will not run the transaction. It is only in this step that the customer’s credit card details will be collected.

Step 3. After receiving the confirmation request, the payment gateway will run the transaction and send the response. A confirmation display will then be presented to the customer – again, all behind the scenes, all without giving any knowledge to the customer of ever leaving the merchants site.

Three Step Redirect

  • Implementing API is cost effective, and adds an extra layer of protection to merchants worried about PCI non-compliance or breach fines. By employing a payment gateway that utilizes API, tedious guesswork and liability can be taken off the merchant’s hands.
  • It is seamless. Customers wont have to be worried about being redirected to different windows, eliminating the hassle of waiting for a new page to load in their browsers, providing a more pleasant shopping experience. A happy customer equals a returning customer, which in turn equals a happy merchant.