Hosted Fields (microforms) quick start | Smartpay Fuse Developer Portal

Overview

Version 1.0

Hosted fields are a common approach to card capture. They offer greater control over UX than a fully hosted payment page, but with similar low levels of PCI compliance overhead. Under this model, individual input fields are hosted within their own iFrames, which are served by Smartpay Fuse, to capture sensitive cardholder data. Any data sent in a form post is dispatched to Smartpay Fuse, so no cardholder data ever transits your servers or service. This reduces your exposure to sensitive cardholder data, whilst allowing you to fully customise and control the checkout experience.

Flex Microform is the Smartpay Fuse hosted field solution. It offers you the ability to securely tokenise (store) card data for both immediate and future payments. This is achieved by replacing card details submitted by a consumer with a card token that can be presented in place of the actual card number in future API calls.

This guide will help you plan your integration, including providing a brief overview of the steps necessary to implement Flex Microform and links to helpful guides.

A microform integration is quite simple and requires the following steps to be performed by your software:

Server-side request: from your back-end to our service. This creates a time limited, signed JWT (the “capture context”) that encodes key parameters of the transaction. This includes the transaction details, target origin and one-time use public keys. This JWT can then be safely passed to your client side application to prime the client side JavaScript library and pass card details to our service.
Client-side implementation: on your front-end application. Embed our Flex Microform JavaScript library in your page and initialise it with the “capture context” generated by your server-side request. The library uses containers in your page to render iFrames. On-page submission will use the capture context and field content to generate, and return to your page, a PCI safe “transient token” that represents the cardholder details. A token is transient because it is valid for only 15 minutes.
Validate and use the transient token: pass the transient token representing the cardholder details to your service and make API calls to progress a transaction using the token.

If Flex Microforms sounds like the right integration option for your needs and integration appetite, then read on and review the Key Information below to find out more. Find out the steps required to get a simple integration running in the Getting Started section below.

Key information

No card data on your estate; full payment flow control, minimal PCI overhead
Accept a wide range of card types such as Visa, Mastercard, American Express
You are in full control of the look and feel of your card capture pages
Tokenise customer cards to control the payment flow yourself
Use one of our back-end APIs for full control of the payment process after tokenizing the cardholder details (see Getting Started)
Less complex than API only, direct integration (a little more involved than a fully Hosted Payment page)

Flex Microforms are one integration option available for you to start accepting payments on your site. It exists alongside the other key integration options offered by Smartpay Fuse, each of which offers a subtly different range of capabilities. Before starting integration, it is important to ensure that the option you select provides the right features to meet your business needs.

The table below compares the key features of Smartpay Fuse and how these are supported by the different integration options.

Features	Virtual Terminal (in EBC^*1)	Plugins (eCommerce platforms)	Hosted Payment Page	Direct API Integration (REST API Only)	Hosted Fields (Flex Microform + REST API)
PCI overhead	SAQ C-VT	Mixed ^*2	SAQ A	SAQ D	SAQ A ^*3
Transaction Types
Auth only	yes	yes (all plugins)	yes	yes	yes ^*7
Auth and capture	yes	yes (all plugins)	yes	yes	yes ^*7
Tokenise card (Credentials on file)	yes	yes	yes ^*4	yes	yes ^*7
CIT (initial/subsequent)	yes	yes	yes ^*4	yes	yes ^*7
MIT (continuous authority)	no	some ^*6	no	yes	yes ^*7
Refund (standalone)	yes ^*8	some ^*6	via REST API & EBC^*1	yes	yes ^*7
Refund (existing transaction)	yes	yes (all plugins)	via REST API & EBC^*1	yes	yes ^*7
Reversal	yes	yes (all plugins)	via REST API & EBC^*1	yes	yes ^*7
Capture of standalone auth	no	yes (all plugins)	via REST API & EBC^*1	yes	yes ^*7
3D Secure Payer Authentication (v2)	n/a	yes (all plugins)	yes	yes	yes ^*7
Account validation / verification	n/a	some ^*6	yes	yes	yes ^*7
*Basic fraud check rules ^5**	yes	yes (all plugins)	yes	yes	yes ^*7
Low value exemptions	n/a	no	yes	yes	yes ^*7
AVS/CSC auto reversal/blocking	yes ^*8	yes ^{6 8}	yes ^*8	yes ^*8	yes ^78
Digital wallets / APMs
Apple Pay	n/a	some ^*6	no	yes	no ^*7
Google Pay	n/a	some ^*6	no	yes	no ^*7
Card types supported
Visa	yes	yes	yes	yes	yes
Mastercard	yes	yes	yes	yes	yes
Amex	yes ^*8	yes ^*8	yes ^*8	yes ^*8	yes ^*8
Channels
eCommerce	no	yes	yes	yes	yes ^*7
Moto	yes	some ^*6	yes ^*8	yes	yes ^*7

If the capability you need is not supported by the Flex Microform solution, then you should consider one of the alternate integration options.

For more information on each of the options please see the following Quick Start guides:

eCommerce Platform Plugins: easy integration to supported eCommerce platforms
Virtual Terminal: no integration required, servicing agents can take payments using our back office portal
Hosted Payment: minimal integration, initiate the payment page & it takes care of the whole payment flow
Direct Integration: capture the card details yourself and initiate payment from your back-end through our APIs

If you have any questions about the Flex Microform product or its suitability for your needs then please don’t hesitate to get in contact.

Notes:
*1 - EBC is our back-office servicing portal; the Enterprise Business Center.
*2 - Different plugins use different integration methods. Please see te Hosted Payment Page, Hosted Fields (Flex Microform) and REST API guides for more details on the PCI implications of those integration approaches. If you are in any doubt about PCI, please get in contact.
*3 - SAQ A when using Flex Microforms to tokenize from web-applications.
*4 - Secure Acceptance Hosted Checkout can create tokenise from initial CIT transactions that can be used for subsequent CIT transactions.
*5 - Basic velocity rules via Decision Manager only available to SME clients; advanced fraud check and TRA on a case by case base.
*6 - Only available on some of our plugins, please see individual plugin solution pages.
*7 - Flex Microform simply allows card numbers to be tokenised in a PCI safe way; using the resulting transient token to process or manage the transaction is done with the direct integration REST API.
*8 - These features are not enabled out of the box and need further configuration by support teams, please contact support.

Using the Flex Microform approach to take payments can be considered a medium effort integration option. You will need to code for priming the process with the generation of a “capture context” and then embed and initialise a client-side JavaScript library with the capture context JWT. Tokenization of the cardholder details is performed for you by our JavaScript library and you will then need to manage the transaction through the rest of its lifecycle using the tokenized cardholder details and our back-end APIs.

The payment flow requires a combination of browser and back-end integration.

The following flow illustrates the stages of the payment flow:

This integration method offers low risk for merchants, as cardholder data does not transit merchant servers or networks. Card details are entered on a customer browser and are sent directly to the Smartpay Fuse payment gateway.

Flex Microform hosted fields are rendered within secure iFrames that are hosted by the Smartpay Fuse payment gateway. When the form is submitted, payment data is submitted directly to Barclaycard and never touches your systems.

This integration option attracts a PCI SAQ A level of compliance when used to host payment form frames within a web page. If you have any questions or concerns about the PCI implications of using Flex Microforms then please don’t hesitate to get in contact.

Getting started

Create a sandbox account

If you haven’t already done so, then creating a sandbox account will not only allow you to start programmatic integration but will also provide access to our Enterprise Business Centre. This is the tool to which you will require access to set up and configure the Flex Microform integration.

Visit our sandbox creation page here.
Complete the registration form.
Click submit to create your sandbox account.
Go to step 2 to create your profile and retrieve your access keys.

Note: on submitting your application you will receive an automated email from our partner Cybersource, with first time login and password reset instructions. Be sure to check your junk mail box if this doesn’t arrive within 2 minutes of clicking submit.

IMPORTANT: registration with our 3DSv2 Payer Authentication provider usually completes within 24 hours but can take up to 36 hours. During this time, you may see some transactions failing on 3D Secure authentication. These failures will be flagged as Decision Manager failures in the back-office portal transaction search.

Log in to the Enterprise Business Centre

Log in to the Enterprise Business Centre (at https://admin.smartpayfuse-test.barclaycard/ebc2) using the credentials created in Getting Started Step 1:
Use the username and password you created in Getting Started Step 1 when requesting your sandbox account. Note: you will be asked to set a new password when you first log on to the Enterprise Business Centre.
Once logged in to the Enterprise Business Centre proceed to Getting Started Step 3 to configure your Flex Microform service and retrieve credentials for the implementation.

Create Flex Microform API keys

An API Key is required to authenticate flex Microform requests on Smartpay Fuse. Once logged in to the Smartpay Fuse EBC portal, head to the sidebar menu and select the Payment Configuration > Key Management menu item, which will display the main key management page. The initial view displays any keys already created on the account and allows you to search for keys by type and created date range.

To create a new key, you will need to select the ‘Generate Key’ button on the top right-hand side of the page:

A “Create Key” window will be displayed, offering a range of different key types. For REST API integration you will need to select a key type from the “REST APIs” section at the head of this page:

There are two options for REST key creation:

Shared Secret: creates a key id and shared secret keypair used to sign HTTP requests

Certificate: creates a PKCS12 certificate used for digitally signing API requests

For this guide select REST – Shared Secret.

When you’ve chosen your preferred key type, scroll to the bottom of the page and select ‘Generate Key’. Your new keys will be generated and displayed, ready to copy and download:

You now have the two parameters required for Flex Microform authentication:

A key id used to identify your new REST key in API requests

A shared secret used to digitally sign API requests

Important: these REST keys must be stored securely within your back-end service. They allow API access to your service and must be treated as highly sensitive information. Research and implement appropriate API key management best practices when considering how to store and manage these keys.

Note: clicking “Generate another key” at this stage will return you to the “Create Key” screen in readiness to create a fresh set of keys. Your keys have already been generated if this window is displayed, so it is safe to click “Cancel” or visit other screens via the menu at this stage.

You have now created the keys you need to initiate a Flex Microform request, go to Getting Started Step 4 to test the integration.

Test your integration - tokenize a payment card using Flex Microforms

Now that you have set up your API keys, you have all the information you require to perform a quick test integration using some of our sample code.

Note: Smartpay Fuse has been created in partnership with VISA Cybersource. You may notice some resources feature the Cybersource brand – these are still part of connecting to Barclaycard Payments.

We provide sample integration code in a variety of languages to get a basic integration up and running. The code will require modifying to work with your specific payment journey, but the following examples will get your very first Flex Microform payment card tokenization working with the profile you created in the previous steps:

NodeJS DotNet PHP Java

Each repository above will have README content associated, with instructions on how to deploy, configure and run the examples.

NOTE: be sure to use the Microform sample code and microform approach when implementing Hosted Fields. The sample code references flexjs, which is a different integration approach that does not provide the low PCI overheads of Microforms. If you would like to discuss using the flexjs integration approach please get in contact first to discuss whether this is right for your use case and PCI appetite.

The first step is to create the server-side request that generates the “capture context”. The capture context is a digitally signed JSON Web Token (JWT) that provides authentication and the one-time key required by the Flex Microform front-end.

Firstly, ensure that you have PHP installed such that you can successfully run a phpinfo test:
  — Ensure that you are using PHP version 5.6 or greater.
  — Install cURL, JSON and APCU extensions.
  — Have created your test account (see Getting Started Step 1).
  — Have generated your API keys (see Getting Started Step 3).
Download and unpack the sample code above.
Unpack the example code and check all file permissions.
Edit the file ExternalConfiguration.php and replace the apiKeyId, secretKey and merchantID defaults with the values generated when you created and set-up your credentials in Getting Started Step 3.
Update currency used during transaction processing:
a. Edit php-microform/paymentWithFlexTransientToken.php.
b. Change the value of "currency" from "USD" to "GBP".
Upload the edited PHP sample code to your web server OR simply run on localhost.
Note: if deploying somewhere other than http://localhost you will need to set the value of targetOrigins when creating the server side content, as discussed in the full guide here.
Use composer to ensure dependencies are up to date (see README.md).
Deploy to your webserver or run standalone (see README.md).
Navigate to the URL hosting the application to see the sample web-page with embedded microform fields, for example if running on localhost:
https://localhost:8000/checkout.php
On navigating to the target URL you’ll see a payment form presented, with input fields for the usual payment form field.
Enter some TEST payment card details (please see test card numbers here) and press Pay.

Pressing Pay will POST the sensitive card details directly to Smartpay Fuse and initiate the generation of a PCI safe “transient token” that will be safe to pass through your back office systems.

In this demo the transient token is returned and displayed on the response page. You can proceed to Step 5 and use the transient token to perform a transaction, or, just hit the “Make a Payment with Transient Token” button in the demo to process a transaction.

In a live system you will want to capture this token in the browser and return it to your back-office systems and continue the payment process using our REST API.

Next Step: to process the transaction further you will need to use our REST API to send these encrypted payment details to Smartpay Fuse.

Test your integration - process a payment with the back-end API using a tokenized payment card

In Getting Started Step 4 you used Flex Microforms to successfully tokenize a payment card. You now have a transient token that can be safely passed through your back-end infrastructure and used by your service to make a payment. Because this transient token is a representation of a payment card, and not the card itself, it is safe to pass this information through your service without incurring anything more than SAQ A PCI overheads.

To process a payment using the transient token, you need to use our REST based transaction processing API. This will allow you to progress and control the lifecycle state of a transaction fully from your own back-office servers.

Please note that there may be additional steps that require further consumer and browser interactions; fraud and Strong Customer Authentication are examples. These can be complex flows to navigate, so you may wish to consider using our fully hosted payment page solution (Secure Acceptance Hosted Checkout - see the Quick Start Guide here).

To process a payment using the transient token created in Getting Started Step 4, use the standard ‘process payment’ REST message but replace the card details with the transient token JWT, an example request is shown below:

{ "clientReferenceInformation": { "code": "TC50171_3" }, "processingInformation": { "commerceIndicator": "internet" }, "orderInformation": { "amountDetails": { "totalAmount": "22", "currency": "GBP" }, "billTo": { "firstName": "John", "lastName": "Doe" } }, "tokenInformation": { "transientTokenJwt": "" } }

You can actually test this in the “live console”, using the credentials you created in Getting Started Step 3 and the transient token you generated in Getting Started Step 4.

An introduction to the request builder is available here.

To demonstrate use of this tool we will perform a simple sale transaction using the POST method on the /payments endpoint.

Open the Process a Payment page in the request builder, you should see the following screen:
Configure the type of operation you would like to perform by clicking on the “Configuration” tab that is placed at the top of the “Request Builder” window. This pane allows you to configure key transaction parameters including:
  — The target API URL; destination endpoint of any API requests generated by the request builder
  — The reqeuest type; triggers the request builder to populate the request with appropriate fields
  — The payment processor; select Barclays Merchant Services

See the example below for the simple authentication transaction we will run in this example:

In this example we will be performing a simple authorization of the card that you tokenised using the Microform; the card that is now represented by your “transient token” JWT.

Continue on to configure API credentials by scrolling further down in the “Configuration” tab to the Authentication section:

Here you can enter the credentials required to authenticate any request to Smartpay Fuse. The key parameters here are:
  — The merchant ID generated during your account creation
  — The REST API Key ID you created in Getting Started Step 3
  — The REST API Secret you created in Getting Started Step 3

Because the standard live console test is set-up to process a card number, you will need to modify the JSON payload in the “Request: Live Console” window as follows:

{       "clientReferenceInformation": {          "code": "TC50171_3"       },       "orderInformation": {          "amountDetails": {             "totalAmount": "102.21",             "currency": "GBP"          },          "billTo": {             "firstName": "John",             "lastName": "Doe",             "address1": "1 Wokes Street",             "locality": "Fleet",             "postalCode": "GU51 WKS",             "country": "GB",             "email": "[email protected]",             "phoneNumber": "4158880000"          }       },       "tokenInformation": {          "transientTokenJwt": "THE JWT RETURNED FROM YOUR MICROFORM     INTERACTIONT"       }    }

Click on the Send button to send the request to Smartpay Fuse.

The live console takes care of the message digests, the required HTTP headers and message signatures allowing you to test transactions without actually coding the exchange in an application.

The authorization should complete successfully. It may fail if you did not enter a valid card expiry date or use test cards outside of those defined in the sandbox testing guide here.

As a final step, log in to the Enterprise Business Centre and check that the transaction ran in the Transaction Management view:

Congratulations, you should now have processed a transaction using a Flex Microform test application and the REST API through the online request builder.

Please see the Further Information section for links to key guides and resources that will help you build out your full integration.

Further information

The full Flex Microform guide can be found here

Test card numbers and the testing guide here.

Payer authentication test card numbers and use cases here.

GitHub repositories list: NodeJS, DotNet, PHP, Java

If you have any questions about the Flex Microform product for Hosted Fields or its suitability for your needs then please don’t hesitate to get in contact.