Secure Acceptance Hosted Payments Page Overview
Barclays Hosted Payments Page is your secure hosted customer checkout experience. It consists of securely managed payment forms, or a single-page payment form, for capturing payment card data and processing transactions, enabling you to simplify your Payment Card Industry Data Security Standard (PCI DSS) compliance and reduce risks associated with handling and/or storing sensitive payment card information. You, the merchant, outsource capturing and managing sensitive payment card data to Secure Acceptance, which is designed to accept card payments.
Secure Acceptance is designed to process transaction requests directly from the customer browser so that sensitive payment data does not pass through your servers. Sending server-side payments using Secure Acceptance incurs unnecessary overhead and could result in the suspension of your and subsequent failure of transactions.
To create your customer's experience, take these steps:
- Create and configure Secure Acceptance profiles.
- Update the code on your web site to render the Hosted Payments Page and immediately process card transactions. See Scripting Language Samples. Sensitive card data bypasses your network and is accepted by Secure Acceptance directly from the customer. Barclays processes the transaction on your behalf by sending an approval request to your payment processor in real time. See Secure Acceptance Hosted Payments Page Transaction Flow.
- Use the response information to display an appropriate transaction response page to the customer. You can view and manage all orders in . See Viewing Transactions in the Smartpay Fuse Portal.
Required Browsers
You must use one of these browsers in order to ensure that the Secure Acceptance checkout flow is fast and secure. Internet Explorer is no longer supported.
Desktop browsers:
- Chrome 80, released February 4, 2020 or later
- Edge 109, released January 12, 2023 or later
- Firefox 115, released June 29, 2023 or later
- Opera 106, released December 19, 2023 or later
- Safari 13, released September 20, 2019 or later
Mobile browsers:
- Android Browser 123, released March 12, 2024 or later
- Chrome Mobile 80, released February 4, 2020 or later
- iOS Safari 13, released September 20, 2019 or later
Secure Acceptance Profile
A Secure Acceptance profile consists of settings that you configure to create a customer checkout experience. You can create and edit multiple profiles, each offering a custom checkout experience. See Custom Checkout Appearance. For example, you might need multiple profiles for localized branding of your websites. You can display a multi-step checkout process or a single page checkout to the customer as well as configure the appearance and branding, payment options, languages, and customer notifications. See Checkout Configuration.
Secure Acceptance Hosted Payments Page Transaction Flow
Figure: Hosted Payments Page Transaction Flow
- The customer clicks the button on your website, which triggers an HTTPS POST that directs the customer to the that you configured in . The HTTPS POST includes the signature and signed data fields containing the order information. Hosted Payments Page works best with JavaScript and cookies enabled in the customer browser. Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating Barclays, do not allow unauthorized access to the signing function. See Required Signed Fields.
- Secure Acceptance verifies the signature to ensure that the order details were not amended or tampered with and displays the . The customer enters and submits payment details and/or their billing and shipping information. The customer confirms the payment, and the transaction is processed.
- Barclays recommends that you configure a custom receipt page in so that the signed transaction response is sent back to your merchant server through the browser. See Merchant Notifications. You must validate the response signature to confirm that the response data was not amended or tampered with. Hosted Payments Page can also display a standard receipt page to your customer, and you can verify the result of the transaction search in or the standard Barclays reports. If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it. Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the signed_fields field.
- Barclays recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications. If the transaction type is sale, it is immediately submitted for settlement. If the transaction type is authorization, use the Barclays Simple Order API to submit a capture request when goods are shipped.
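
The response check described in the flow above, as an added example (not Barclays sample code). It assumes the signature is a base64-encoded HMAC-SHA256 over comma-joined name=value pairs of the listed fields and arrives in a field named `signature`; the key, field names and values are constructed, so confirm the exact construction against the Scripting Language Samples.

```python
import base64
import hashlib
import hmac

SIGNED_LIST_FIELD = "signed_fields"  # field name as written on this page
SIGNATURE_FIELD = "signature"        # assumed name of the signature field


def sign(fields: dict, secret_key: str) -> str:
    """Assumed scheme: base64(HMAC-SHA256(key, "name=value,name=value,..."))
    over the fields named, in order, in the signed-field list."""
    names = fields[SIGNED_LIST_FIELD].split(",")
    data = ",".join(f"{name}={fields[name]}" for name in names)
    mac = hmac.new(secret_key.encode(), data.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_response(post: dict, secret_key: str):
    """Return only the signed fields if the signature matches, else None."""
    names = post.get(SIGNED_LIST_FIELD, "").split(",")
    received = post.get(SIGNATURE_FIELD, "")
    # A listed field that is absent from the POST cannot be verified.
    if not received or any(n not in post for n in names):
        return None
    expected = sign(post, secret_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # treat the POST as malicious and disregard it
    # Drop everything the signature does not cover.
    return {n: post[n] for n in names}


# Constructed sample data: key, field names and values are illustrative.
SECRET = "constructed-test-key"
response = {
    "decision": "ACCEPT",
    "reference_number": "ORDER-1001",
    "amount": "25.00",
    "signed_fields": "decision,reference_number,amount,signed_fields",
}
response["signature"] = sign(response, SECRET)

# Unsigned field appended in transit: kept out of the trusted result.
with_extra = dict(response, discount="100")
# Signed field altered in transit: the signature no longer matches.
tampered = dict(response, amount="0.01")
```

Run the same check on the merchant POST URL notification, and keep the secret key on the server side only, since anyone who can call the signing function can forge requests and responses.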
Payment Tokens
Contact Barclays Customer Support to activate your merchant account for the Token Management Service (TMS). You cannot use payment tokens until your account is activated and you have enabled payment tokens for Secure Acceptance. See Creating a Secure Acceptance Profile.
Payment tokens are unique identifiers that replace sensitive payment information and that cannot be mathematically reversed. Barclays securely stores all the card information, replacing it with the payment token. The token is also known as a subscription ID, which you store on your server.
The payment token replaces the card number, and optionally the associated billing, shipping, and card information. No sensitive card information is stored on your servers, thereby reducing your PCI DSS obligations.
Tokens That Represent a Card or Bank Account Only
Instrument identifier tokens created using the Token Management Service (TMS) and third-party tokens represent a payment card number or bank account number. The same card number or bank account number sent in multiple token creation calls results in the same payment token being returned. TMS instrument identifier and third-party tokens cannot be updated. If your merchant account is configured for one of these token types, you receive an error if you attempt to update a token.
When using Secure Acceptance with tokens that represent only the card number or bank account, you must include associated data, such as expiration dates and billing address data, in your transaction request.
One-Click Checkout
With one-click checkout, customers can buy products with a single click. Secure Acceptance is integrated to Barclays, so returning customers are not required to enter their payment details. Before a customer can use one-click checkout, they must create a payment token during the first transaction on the merchant website. See Payment Token Transactions. The payment token is an identifier for the payment details; therefore, no further purchases require that you enter any information. When the payment token is included in a payment request, it retrieves the card, billing, and shipping information related to the original payment request from the payment repository.
To use one-click checkout, you must include the one-click checkout endpoint to process the transaction. See Endpoints and Transaction Types.
Level II Data
Secure Acceptance supports Level II data. Level II cards, also known as Type II cards, provide customers with additional information on their payment card statements. Business and corporate cards along with purchase and procurement cards are considered Level II cards.