On This Page

Secure Acceptance
Checkout API
 Overview

Barclays
Secure Acceptance
Checkout API
 provides a seamless customer checkout experience that keeps your branding consistent. You can create a
Secure Acceptance
Checkout API
 profile and configure the required settings to set up your customer checkout experience.
Secure Acceptance
Checkout API
 can significantly simplify your Payment Card Industry Security Standard (PCI DSS) compliance by sending sensitive payment card data directly from your customer’s browser to
Barclays
 servers. Your web application infrastructure does not come into contact with the sensitive payment data and the transition is silent.
Secure Acceptance
 is designed to process transaction requests directly from the customer browser so that sensitive payment data does not pass through your servers. Sending server-side payments using
Secure Acceptance
 incurs unnecessary overhead and could result in the suspension of your and subsequent failure of transactions.
To create your customer's
Secure Acceptance
 experience, you take these steps:
  1. Create and configure
    Secure Acceptance
    Checkout API
     profiles.
  2. Update the code on your web site to POST payment data directly to
    Barclays
     from your secure payment form. See Sample Transaction Process Using JSP.
    Barclays
     processes the transaction on your behalf by sending an approval request to your payment processor in real time. See Secure Acceptance Checkout API Transaction Flow.
  3. Use the response information to generate an appropriate transaction response page to display to the customer. You can view and manage all orders in the Business Center. You can configure the payment options, response pages, and customer notifications. See Creating a Secure Acceptance Profile.

Required Browsers

You must use one of these browsers in order to ensure that the
Secure Acceptance
 checkout flow is fast and secure.
Internet Explorer is no longer supported.
Desktop browsers:
  • Chrome 80, released February 4, 2020 or later
  • Edge 109, released January 12, 2023 or later
  • Firefox 115, released June 29, 2023 or later
  • Opera 106, released December 19, 2023 or later
  • Safari 13, released September 20, 2019 or later
Mobile browsers:
  • Android Browser 123, released March 12, 2024 or later
  • Chrome Mobile 80, released February 4, 2020 or later
  • iOS Safari 13, released September 20, 2019 or later

Secure Acceptance
 Profile

A Secure Acceptance profile consists of settings that you configure to create a customer checkout experience. You can create and edit multiple profiles, each offering a custom checkout experience. For example, you might want to offer different payment options for different geographic locations.

Secure Acceptance
Checkout API
 Transaction Flow

Figure:

Secure Acceptance
Checkout API
 Transaction Flow
  1. Display the checkout page on your customer's browser with a form to collect their payment information and include a signature to validate their order information (signed data fields).
    Your system should sign all request fields with the exception of fields that contain data the customer is entering. To prevent malicious actors from impersonating
    Barclays
    , do not allow unauthorized access to the signing function.
  2. The customer enters and submits their payment details (the unsigned data fields). The transaction request message, the signature, and the signed and unsigned data fields are sent directly from your customer's browser to the
    Barclays
     servers. The unsigned data fields do not pass through your network.
    Barclays
     reviews and validates the transaction request data to confirm it has not been amended or tampered with and that it contains valid authentication credentials.
    Barclays
     processes the transaction and creates and signs the response message. The response message is sent to the customer's browser as an automated HTTPS form POST.
    If the response signature in the response field does not match the signature calculated based on the response data, treat the POST as malicious and disregard it.
    Secure Acceptance signs every response field. Ignore any response fields in the POST that are not in the
    signed_fields
     field.
  3. The response HTTPS POST data contains the transaction result in addition to the masked payment data that was collected outside of your domain. Validate the response signature to confirm that the response data has not been amended or tampered with.
    If the transaction type is
    sale
    , it is immediately submitted for settlement. If the transaction type is
    authorization
    , use the Simple Order API to submit a capture request when goods are shipped.
  4. Barclays
     recommends that you implement the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. See Merchant Notifications.

Payment Tokens

Contact
Barclays
 Customer Support to activate your merchant account for
the
Token Management Service
 (
TMS
). You cannot use payment tokens until your account is activated and you have enabled payment tokens for
Secure Acceptance
. See Creating a Secure Acceptance Profile.
Payment tokens are unique identifiers that replace sensitive payment information and that cannot be mathematically reversed.
Barclays
 securely stores all the card information, replacing it with the payment token. The token is also known as a subscription ID, which you store on your server.
The payment token replaces the card number, and optionally the associated billing, shipping, and card information. No sensitive card information is stored on your servers, thereby reducing your PCI DSS obligations.

Tokens That Represent a Card or Bank Account Only

Instrument identifier tokens
created using the Token Management Service (TMS) and third-party tokens
represent a payment card number or bank account number. The same card number or bank account number sent in multiple token creation calls results in the same payment token being returned.
TMS instrument identifier and third-party tokens cannot be updated. If your merchant account is configured for one of these token types, you receive an error if you attempt to update a token.
When using
Secure Acceptance
 with tokens that represent only the card number or bank account, you must include associated data, such as expiration dates and billing address data, in your transaction request.

Level II Data

Secure Acceptance
 supports Level II data. Level II cards, also known as Type II cards, provide customers with additional information on their payment card statements. Business and corporate cards along with purchase and procurement cards are considered Level II cards.
RELATED TO THIS PAGE