Overview

Key information

Getting started

Further information

Overview

Version 1.0

The Smartpay Fuse REST API provides all the features required for a seamless backend integration into our payment processing and order management system. It allows you to initiate and manage transactions, as well as perform certain key administrative functions.

The REST API is our strategic interface and is the future single point of integration for Smartpay Fuse.

You can use the REST API on its own to process a transaction if you capture cardholder details directly on your own site. Alternatively, you can use the API to progress and manage transactions that have been performed using the Secure Acceptance Hosted Checkout or initiated using Flex Microforms solutions.

This guide will provide you with an introduction to the REST API, it’s key features and benefits, API integration flows, and some important information about PCI compliance that you should consider before handling cardholder details yourself.

To get going with the REST API, the following steps are required at a minimum:

  • Choose a method of authentication: shared secret and certificate based. Both are legitimate authentication options, select the option that best fits with your experience and estate.
  • Formulate your REST API requests:
    • Pass order and card data to Smartpay Fuse using the REST API to initiate a payment.
    • Integrate 3D Secure (payer authentication) if implementing ecommerce transactions.
  • Perform appropriate testing to validate your integration.


Review each Key information section below to gain a deeper understanding of the REST API and the scenarios and functionality it enables. Consider this information carefully before starting integration and ensure that a direct integration is right for your use case; it may be that our other integration options will work equally well for you, providing the right functionality with less direct implementation effort.

Key information

  • Full control of your user experience
  • Full control over the payment process
  • Suitable for web and mobile journeys
  • Access all features of the Smartpay Fuse platform
  • Use this API to complete transactions started with Plugin, Virtual Terminal, Hosted Checkout and Flex Microform Hosted Field integrations

Direct REST API integration is one integration option available for you to start accepting payments on your site. It exists alongside the other key integration options offered by Smartpay Fuse, each of which offers a subtly different range of capabilities. Before starting integration, it is important to ensure that the option you select provides the right features to meet your business needs.

The table below compares and contrasts the key features of Smartpay Fuse and how these are supported by the different integration options.

 Features  Virtual Terminal (in EBC *1)  Plugins (eCommerce platforms)   Hosted Payment Page   Direct API Integration (REST API Only)   Hosted Fields (Flex Microform + REST API) 
 PCI overhead SAQ C-VT Mixed *2 SAQ A SAQ D SAQ A *3
 Transaction Types  
  • Auth only
 yes yes (all plugins) yes yes yes *7
  • Auth and capture
 yes yes (all plugins) yes yes yes *7
  • Tokenise card (Credentials on file) 
 yes yes yes *4 yes yes *7

 CIT (initial/subsequent)

 yes yes yes *4 yes yes *7

MIT (continuous authority)

 no some *6 no yes yes *7
  • Refund (standalone)
 yes *8 some *6 via REST API & EBC*1 yes yes *7
  • Refund (existing transaction)
 yes yes (all plugins) via REST API & EBC*1 yes yes *7
  • Reversal
 yes yes (all plugins) via REST API & EBC*1 yes yes *7
  • Capture of standalone auth
 no yes (all plugins) via REST API & EBC*1 yes yes *7
 3D Secure Payer Authentication (v2)  n/a yes (all plugins) yes yes yes *7
 Account validation / verification n/a some *6 yes yes yes *7
 Basic fraud check rules *5 yes yes (all plugins) yes yes yes *7
 Low value exemptions n/a no yes yes yes *7
 AVS/CSC auto reversal/blocking yes *8 yes *6 *8 yes *8 yes *8 yes *7*8
 Digital wallets / APMs  
  • Apple Pay
 n/a some *6 no yes no *7
  • Google Pay
 n/a some *6 no yes no *7
 Card types supported  
  • Visa
 yes yes yes yes yes
  • Mastercard
 yes yes yes yes yes
  • Amex
 yes *8 yes *8 yes *8 yes *8 yes *8
 Channels  
  • eCommerce
 no yes yes yes yes *7
  • Moto
 yes some *6 yes *8 yes yes *7

If the capability you need is not supported by direct REST API integration, then you should consider one of the alternate integration options.

For more information on each of the options please see the following Quick Start guides:

 

  •  eCommerce Platform Pluginseasy integration to supported eCommerce platforms
  • Virtual Terminalno integration required, servicing agents can take payments using our back office portal
  • Hosted Fieldscapture individual payment card details as PCI safe fields
  • Hosted Paymentminimal integration, initiate the payment page & it takes care of the whole payment flow

If you have any questions about the Direct Integration REST API or its suitability for your needs then please don’t hesitate to get in contact.

Notes:
*1 - EBC is our back-office servicing portal; the Enterprise Business Center.
*2 - Different plugins use different integration methods. Please see te Hosted Payment Page, Hosted Fields (Flex Microform) and REST API guides for more details on the PCI implications of those integration approaches. If you are in any doubt about PCI, please get in contact.
*3 - SAQ A when using Flex Microforms to tokenize from web-applications.
*4 - Secure Acceptance Hosted Checkout can create tokenise from initial CIT transactions that can be used for subsequent CIT transactions.
*5 - Basic velocity rules via Decision Manager only available to SME clients; advanced fraud check and TRA on a case by case base.
*6 - Only available on some of our plugins, please see individual plugin solution pages.
*7 - Flex Microform simply allows card numbers to be tokenised in a PCI safe way; using the resulting transient token to process or manage the transaction is done with the direct integration REST API.
*8 - These features are not enabled out of the box and need further configuration by support teams, please contact support.

Using the REST API to take payments exposes the full capability of the Smartpay Fuse platform and offers your full control over the payment flow and processing. You will need to capture the cardholder details in your own front-end applications and relay cardholder details through your own back-end system to initiate the payment process with Smartpay Fuse. While this offers you a good level of control over the payment flow, you should be aware that if you choose to capture card details and pass them to Smartpay Fuse, then those card details will be passing through your own back-end service. This may bring your service in to scope of PCI compliance, level SAQ D, and should be carefully considered. Please see the PCI considerations section below for more details. Please get in contact if you are considering this integration approach so our technical and sales support teams can ensure you are fully aware of implementation processes, overheads, costs and compliance requirements.

 

The following flow illustrates the stages of the payment flow when using the REST API:

 

Please see the Getting Started section below for step by step instructions on how to use the REST API.

PCI overheads vary depending how you use the REST payments API:

 

  • If you capture card details on your own webpages and pass those to Smartpay Fuse using the REST API then card details will pass through your system and network. In this case, using the REST API will incur the highest PCI overhead of SAQ D.
  • If you tokenize card details using the Flex Microform Hosted Fields solution, cardholder data will have already been exchanged with Smartpay Fuse and the use of the REST API will not require you to pass cardholder data through your service and network. In this case, you will incur the lowest PCI overhead of SAQ A.

 

Consider how you will collect cardholder data as this will have an impact on the compliance requirements that you will be obliged to meet.

If you have any questions or concerns about the PCI implications of using the REST API for Direct Integration then please don’t hesitate to get in contact.

Getting started

Create a sandbox account

  1. Visit our sandbox creation page here.
  2. Complete the registration form.
  3. Click submit to create your sandbox account.
  4. Go to Getting Started Step 2 to log in to your Enterprise Business Centre to set up your REST API keys.

If you are using Flex Microform Hosted Fields to tokenize card details you will need to set-up, configure and and integrate to the Flex Microform solution first.

Note: on submitting your application you will receive an automated email from our partner Cybersource, with first time login and password reset instructions. Be sure the check your junk mail box if this doesn’t arrive within 2 minutes of clicking submit.

IMPORTANT: registration with our 3DSv2 Payer Authentication provider usually completes within 24 hours but can take up to 36 hours. During this time, you may see some transactions failing on 3D Secure authentication. These failures will be flagged as Decision Manager failures in the back-office portal transaction search. 

Log in to the Enterprise Business Centre

  1. Log in to the EBC (at https://admin.smartpayfuse-test.barclaycard/ebc2) using the credentials created in Getting Started Step 1:

  2. Use the username and password you created in Getting Started Step 1 when requesting your sandbox account. Note: you will be asked to set a new password when you first log on to the Enterprise Business Centre.

  3. Once logged in to the Enterprise Business Centre, proceed to Getting Started Step 3 to configure your Flex Microform service and retrieve credentials for the implementation.

Create your REST API key

An API Key is required to authenticate REST based requests on Smartpay Fuse. Once logged to the Smartpay Fuse EBC portal, head to the sidebar menu and select the Payment Configuration > Key Management menu item, which will display the main key management page. The initial view displays any keys already created on the account and allows you to search for keys by type and created date range.

To create a new key, you will need to select the ‘Generate Key’ button on the top right-hand side of the page:

A “Create Key” window will be displayed, offering a range of different key types. For REST API integration you will need to select a key type from the “REST APIs” section at the head of this page:

There are two options for REST key creation:

  • Shared Secret: creates a key id and shared secret keypair used to sign HTTP requests
  • Certificate: creates a PKCS12 certificate used for digitally signing API requests

For this guide select REST – Shared Secret.

When you’ve chosen your preferred key type, scroll to the bottom of the page and select ‘Generate Key’. Your new keys will be generated and displayed, ready to copy and download:

You now have the two parameters required for Flex Microform authentication:

  • A key id used to identify your new REST key in API requests
  • A shared secret used to digitally sign API requests

Important: these REST keys must be stored securely within your back-end service. They allow API access to your service and must be treated as highly sensitive information. Research and implement appropriate API key management best practices when considering how to store and manage these keys.

Note: clicking “Generate another key” at this stage will return you to the “Create Key” screen in readiness to create a fresh set of keys. Your keys have already been generated if this window is displayed, so it is safe to click “Cancel” or visit other screens via the menu at this stage.

If you would rather use certificates to sign your API requests then select the “REST – Certificate” option on the “Create Key” screen. This option generates a PKCS12 file that can be used to digitally sign your API request before transmitting the message to Smartpay Fuse. No data is displayed on the gateway in this case, so you must download the key ahead of future use.

You have now created your REST API, go to Getting Started Step 4 to test your integration. 

Testing your new REST API (using our developer hub request builder)

The REST API configuration is now ready to use. You will need to note the API Key, Secret (or Certificate) generated in Getting Started Step 3 to authenticate calls you make.

You can now start to run transactions, either making calls from our developer hub Live Console or directly through your own code. We will start by using the request builder as it provides a simple graphical representation of API REQ/RESP messages, will construct messages automatically for you and is accompanied by detailed field level documentation.

An introduction to the request builder is available here.

To demonstrate use of this tool we will perform a simple sale transaction using the POST method on the /payments endpoint.

  1. Open the Process a Payment page in the request builder, you should see the following screen:

  2. Configure the type of operation you would like to perform by clicking on the “Configuration” tab that is placed at the top of the “Request Builder” window. This pane allows you to configure key transaction parameters including:
      — The target API URL; destination endpoint of any API requests generated by the request builder
      — The request type; triggers the request builder to populate the request with appropriate fields
      — The payment processor; select Barclays Merchant Services

    See the example below for the simple authentication transaction we will run in this example:

    Try changing the “Simple Request” transaction type and notice how the JSON body content of the request message updates in the “Live Console” window:

  3. Once you have selected the type of operation to perform, continue on to configure API credentials by scrolling further down in the “Configuration” tab to the Authentication section:

    Here you can enter the credentials generated in Getting Started Step 3:
      — HTTP Signature: uses a Merchant ID, Key and Shared secret to authenticate requests
      — JSON Web Token: uses a Merchant ID and P12 certificate to authenticate requests

  4. Test the transaction.
    Having selected your transaction type and entered your credentials, return to the main “Request Builder” tab to execute your request. Click on the “Submit” button at the bottom of the Live Console and your request will be sent, with response displayed in the console at the bottom of the page.

Try experimenting by selecting different transaction types in the request builder “Configuration” tab and by selecting new objects and fields in the graphical request builder frame.

Note: each field in the request builder has a clickable tooltip that will provide further information on the field.

Congratulations, you should now have processed a transaction using our REST API using our online request builder. Proceed to Getting Started Step 5 to test execute transactions using sample code.

Testing your new REST API (using sample application code)

Having already run a transaction using our on-line request builder, you know that your credentials are valid and that your service configuration is correct. You will have been able to experiment with the request builder to send differing requests and tested a range of field values to evaluate the request types and parameters required to achieve your specific use case.

You will now probably want to start coding some simple transaction flows. To support this, we provide sample integrations in a number of languages to get a basic integration up and running. The links below are provided by our payment partner and are hosted within their GitHub account:

Note: Smartpay Fuse has been created in partnership with VISA Cybersource. You may notice some resources feature the Cybersource brand – these are still part of connecting to Barclaycard Payments.

Java      C#        PHP      NodeJS     Ruby    Python

These sample applications demonstrate a wide range of operations used in typical payment processing flows. The code will require modifying to work with your specific journey but serve to demonstrate the key steps required to interact with our REST API.

We will use the PHP example to demonstrate the necessary steps:

  1. Prepare your environment:
      — Ensure you are using PHP version 5.6 or greater.
      — Install the cURL, JSON, and APCU extensions.
      — Created your test account (see Getting Started Step 1).
      — Generate your API keys (see Getting Started Step 3).

  2. Clone the sample application code from GitHub.
    > git clone https://github.com/cybersource/cybersource-rest-samples-php
    > cd cybersource-rest-samples-php

  3. Run composer to update dependencies.
    > composer update

  4. Execute a simple test scenario.
      — The sample application has a wide range of example scenarios, each of which can be used as a template for your own code or executed standalone from the command line.
      — The code samples work out of the box with test credentials, but you may wish to amend the sample application configuration to use the credentials you created in Getting Started Step 3. Note: Using your own credentials will execute transactions against your account and will allow you to search for and manage those transactions in the Enterprise Business Centre.
      — Start by executing a simple auth and capture operation.
    > php ./Samples/Payments/Payments/AuthorizationWithCaptureSale.php

The code will execute the request and log the result of the operation to the console. You can also log in to the EBC back-office portal and view the transaction details there.

Congratulations, you should now have processed a transaction using the REST API.

Continue to explore the various operations in the sample applications and use these alongside the full REST API guide and Live Console to building out capabilities in your own code.

 

Further information



The full REST API integration guide can be found here

Smartpay Fuse REST API reference and request builder here

Process a payment request builder here

GitHub REST repositories list: Java, C#, PHP, NodeJS, Ruby, Python

Test card numbers and the testing guide here

Payer authentication test card numbers and use cases here

Implementing Payer Authentication Direct REST API here

Apple Pay Integration using REST API here

Google Pay Integration using REST API here

If you have any questions about the REST API its suitability for your needs then please don’t hesitate to get in contact.