How to ensure proper payment gateway integration with popular methods

Payment gateways are becoming ever more important for improving the shopping experience, and effective payment gateway integration is more vital than ever. Credit cards, one-click payments, instalments, recurring payments, refunds, withdrawals, digital wallets, invoice payment links: it is good to have all these technologies integrated in one place. Customers don’t want to remember multiple login credentials, and merchants are not happy digging through complicated system integration guides. Both sides want faster, easier and more secure operations.

Let’s see how we can bring modern payment solutions closer to our customers.

1. Deep analysis of integration documentation

Every payment method provides a range of integration material: tutorials and frequently asked questions, software development kits tailored for the most popular programming languages, and a comprehensive API reference for developers. Dedicated people have to carefully study all of it.

Most payment methods have availability limited by country and region. They can be subject to different regulations, which may impose transaction limits, restrict functionality or add formal requirements.

Offering recurring payments in markets around the globe is a good example. Subscription models are very convenient for customers and merchants, but they usually require additional development work. Acquirers will expect you to distinguish all transactions made within a specific recurring payment plan from ordinary, one-time e-commerce transactions. A subscription plan is an agreement between a customer and a merchant. Your job is to keep track of that agreement by providing the initial transaction ID. Mexico’s Banamex also requires a unique contract number for every payment plan. If in doubt, always contact a support person on the payment provider’s side.


2. Security considerations

Payment solution providers will expect you to ensure the best security level possible. For example, PayPal provides extensive “Security guidelines and best practices” in its developer portal. Among the most common security measures are using the latest encryption protocols, maintaining anti-phishing processes and running regular security audits.

The basic requirement for a modern payment platform is using secure communication protocols. In 2020, the minimum version for transport layer security — TLS — is 1.2. Industry security experts have long considered older protocols — especially secure socket layer, or SSL — vulnerable. Payment methods will not accept connections using vulnerable protocols.

PayPal, along with many other providers, dropped support for TLS versions older than 1.2 back in 2016. It happened after the discovery of several serious vulnerabilities like POODLE and Heartbleed, which attackers could exploit to breach a system. Likewise, the SHA-1 cryptographic hash algorithm is discouraged in favor of the stronger SHA-256. Security best practices change rapidly as new software versions emerge. Keeping up with all these changes and applying them is a huge challenge.

Internet protocols change frequently in response to threats. The best practice is not to hardcode a specific version, but to let the software negotiate the highest version available. This can happen automatically, but your DevOps team still has to stay up to date with recent security news. Most payment providers will help you by sending informative and warning emails. Do not ignore any of them; schedule the development or maintenance work immediately instead of rushing just before a deadline.
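As an added illustration (not code from the original article), the Python ssl configuration below applies this advice: a floor of TLS 1.2 with no hardcoded ceiling, plus a small audit function that flags the pinned-version, verification-off setup the text warns against. The function and finding names are my own.

```python
import ssl


def payment_tls_context() -> ssl.SSLContext:
    """Client context for calls to a payment API: floor at TLS 1.2, no ceiling.

    Leaving maximum_version open lets the library negotiate TLS 1.3 (or newer)
    as soon as the provider enables it, with no code change on our side.
    """
    ctx = ssl.create_default_context()            # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; empty when it meets the baseline above."""
    findings = []
    # MINIMUM_SUPPORTED (no floor at all) sorts below TLSv1_2, so it is caught too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2")
    if ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED:
        findings.append("maximum version pinned: %s" % ctx.maximum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


def pinned_context() -> ssl.SSLContext:
    """Anti-pattern from the text: one version hardcoded at both ends, verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("recommended:", audit_tls_context(payment_tls_context()))
    print("pinned:", audit_tls_context(pinned_context()))
```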

Apart from staying up to date with payment method news, you should take your own actions to reduce your systems’ exposure. Check your integration standards against industry best practices at least once a year. Introduce anti-phishing processes and monitor spoof sites that could lead your clients to hand their sensitive data to scammers. Warn your customers and accept spoof site reports from them.

The payment industry often relies on professional security tools from reliable sources like iDefense or Veracode. These companies provide software that automatically scans for known vulnerabilities and categorizes the findings by severity. The scan reports often come with proposed solutions and even time estimates. Combined with development and continuous integration plugins, these tools bring invaluable help to your product team.

Security considerations are vital if you deal with customer credit card details. This covers not only the classic scenario in which a customer enters data directly in your form, but also some electronic wallet solutions like Masterpass. It matters even more when using its express checkout functionality, where a customer consents to share data without even logging into their Masterpass wallet. Other wallet providers, like Apple Pay, mitigate the risk by using payment tokens instead of actual card numbers.


3. Performing sandboxed payment gateway integration tests

During onboarding, all payment companies will provide sandboxing environments for development and testing. First, you receive a test environment account with a public/private key pair, and then login credentials. Your developers and quality assurance team can test all the integration scenarios.

Some providers, like Apple Pay or Trustly, will also perform additional acceptance tests covering frontend and backend integration, domain verification, and so on. Part of EVO Snap’s mandatory certification process is to run test scripts in your application and send the results to the certification team. Only after receiving approval will you be provided with live credentials.


Make sure no data leaks between your test and live environments. It would be very unprofessional for your customers to see random test records. Even worse, your development team should not see any production data unless explicitly allowed.

In addition to making transactions with test cards in a sandbox environment, you might need to perform some transactions with real cards in a production environment.


4. Receiving notifications from payment systems

Integrating your payment system with external solutions is a two-way integration. Not only is your application going to send payment requests, it also has to accept and respond to any notifications and feedback from the payment solution. The most obvious example is a notification confirming or rejecting a payment. If a particular payment method does not receive a valid answer from your system, it will likely raise a warning.

Read the documentation carefully to learn what contact attempts you can expect from a payment method and how to respond.


5. Adapting your system to API changes

Every payment method provider can introduce changes in their APIs. Some of them do not break compatibility with existing integrations; others do. These changes may occur for different reasons: new business functionality, new market regulations or simply the removal of obsolete procedures.

Of course, such updates are always announced in advance. Watch out for any announcements from your payment method providers. Do not ignore them! If they sound too technical for you, forward them immediately to your payment gateway integration development teams and ask for explanations. Usually, companies allow their clients at least six months to adapt. But time flies, so schedule an update as soon as possible.


6. Logging communication with APIs for quick troubleshooting

Sooner or later something will go wrong. Your customers will file complaints and your team will have to respond quickly. It is crucial to prepare for such cases by logging all communication with payment method APIs, so the team can perform a proper investigation.

What to log? Your software should at least record the exact API version of each payment method; this is basic information when reporting problems to a payment method provider. Every piece of information exchanged between your application and the API also has to be logged. Developers have to make sure that all the logs include transaction identifiers, so that the support team can easily find all information related to a particular transaction.
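Tying this together with the notification handling described in section 4, here is an added Python example (not the author’s code) of a notification endpoint that verifies the message, acknowledges each transaction exactly once, and writes every exchange to a log record carrying the transaction ID and API version, with card numbers masked before they reach the log store. The HMAC-SHA256 signing scheme, the X-Signature header, the API version string and the JSON field names are assumptions standing in for a provider’s documented format.

```python
import hashlib
import hmac
import json
import re

# Constructed demo secret and message format; real providers document their own
# signing scheme, header names and acknowledgement format.
WEBHOOK_SECRET = b"constructed-demo-secret"
API_VERSION = "v2-example"   # provider API version, logged with every event

# 16-19 digit card number: keep first 6 and last 4 digits, mask the rest.
PAN_RE = re.compile(r"\b(\d{6})(\d{6,9})(\d{4})\b")


def mask_pan(text: str) -> str:
    return PAN_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), text)


def sign(body: bytes) -> str:
    """Provider-side signature: HMAC-SHA256 over the raw body (assumed scheme)."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


class NotificationHandler:
    """Accepts provider notifications, verifies, logs and acknowledges them once."""

    def __init__(self):
        self.records = []   # append-only log entries; ship these to your aggregator
        self.seen = set()   # transaction IDs already acknowledged (retried deliveries)

    def _log(self, txn, outcome, body: bytes):
        self.records.append({"api_version": API_VERSION, "transaction_id": txn,
                             "outcome": outcome,
                             "payload": mask_pan(body.decode("utf-8", "replace"))})

    def handle(self, body: bytes, headers: dict) -> tuple:
        """Return (http_status, response_json): the answer the provider receives."""
        if not hmac.compare_digest(sign(body), headers.get("X-Signature", "")):
            self._log(None, "bad_signature", body)
            return 401, {"status": "rejected"}
        try:
            event = json.loads(body)
            txn = event["transaction_id"]
        except (ValueError, KeyError, TypeError):
            self._log(None, "malformed", body)
            return 400, {"status": "malformed"}
        if txn in self.seen:   # redelivery: acknowledge again, never process twice
            self._log(txn, "duplicate", body)
            return 200, {"status": "ok", "transaction_id": txn}
        self.seen.add(txn)
        self._log(txn, event.get("status", "unknown"), body)
        return 200, {"status": "ok", "transaction_id": txn}
```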

However, excessive application logs are very difficult to browse. Your team has to use a log aggregator or log browser that lets them quickly find the relevant information. Most log aggregators, like Logentries or Papertrail, are paid software-as-a-service platforms, and the cost depends on the volume of logs. When choosing a solution, analyze the different pricing plans: you need to be prepared for sudden spikes in application usage. Other options include a hosted or self-deployed ELK Stack.

While it may sound unnecessary to invest money in yet another development or support tool, it is going to pay off quickly. For payment gateway providers, it is crucial to have a fast incident response time. Your support team needs a reliable tool to identify the root cause as soon as possible.


7. Final thoughts on Payment Gateway Integration

Payment gateways bring huge value to the market by simplifying payments for customers and merchants. Payment gateway integration with the payment methods your customers are using improves the UX and overall usefulness of the app. It is a payment gateway vendor’s job to ensure proper integration with payment method providers where every solution has a separate set of requirements. With more and more payment solutions coming, customers and merchants will put even more trust in payment gateways.

The article was written by Piotr Horzycki, Java & PHP developer at Espeo Software. To read more pieces by Piotr, you can visit his website or his LinkedIn profile.
