Secure Hosted Checkout (SHC) is a JavaScript library that lets merchants collect and submit cardholder information to PayFacto for verification, without ever handling that information directly. This page covers what SHC is, how to set it up, how to call it, how to handle responses, and how to customize the form to match your site.
Contents
Secure Hosted Checkout (SHC) is a JavaScript library that allows merchants to collect and send cardholder information to PayFacto for verification without needing to access that information directly. When called, SHC verifies the card information and provides the merchant with a token that can be used with the /v1/preauthorizationWithToken or /v1/purchaseWithToken endpoints in PayFacto's Payment API.
SHC creates a secure iframe for accepting credit card information. Four steps are required to configure it:
Include the SHC library
Add the script tag to your webpage: <script src="https://form.gateway.staging.payfacto.cloud/secure-hosted-checkout/v1/shc.js"></script>
Add a container div
Add a <div id="shc-fields"></div> tag where the iframe should appear.
Acquire an SHC token
Call the /secure-hosted-checkout/v1/session endpoint from your server application to obtain a secure token.
Call the shc function
Call shc(shcToken, callback) with the secure token and a callback function. The callback receives the results of the credit card verification.
A fully functional example application is available in PayFacto's public Bitbucket repository.
A merchant will need the following information to get started:
A Company Number
A Merchant Number
An API Key
This information is provided when you create a new developer account with PayFacto.
For developers who have previously worked with SecureFields: SHC is not a new version of SecureFields — it is an entirely new product, with new API calls for both the server and the client. A number of requested changes were incorporated into SHC to simplify development and integration:
The endpoint for requesting a shcToken is different than for a secureToken.
The request object no longer needs to be converted into a string.
The request object properties no longer start with an upper case letter.
A shcToken is an object rather than a string. The whole object needs to be passed to the shc function.
The shc function takes a callback rather than returning a promise.
shc is not in a modal by default — there is no longer a need to embed an iframe in the page to have the fields appear within it.
Calling SHC is a two-step process:
Obtain a Secure Token
Call the /secure-hosted-checkout/v1/session endpoint.
Pass the token to shc()
After obtaining the token, pass it to the shc function, which displays the fields for the cardholder to fill in.
Why a two-step process?
The first step — calling /secure-hosted-checkout/v1/session — requires secret information that could be stolen if it was available to the client application. This call must be made by the merchant's server, with the result passed to the client.
All the examples on this page use JavaScript.
Obtaining a Secure Token for SHC
Secure tokens are obtained by having the merchant's server call the /secure-hosted-checkout/v1/session endpoint. This endpoint is RESTful — it expects a JSON object as input and returns a JSON object as output.
Displaying the Fields on the Screen
The fields for the cardholder to fill in are created and displayed when the shc function is called. The secure token is retrieved from the merchant server and passed to shc. The second argument, the callback, is a merchant-defined function that receives the results of the credit card validation and decides what action to take.
After calling SHC, the response guides you to the next step.
SHC Callback Response Object
When shc is called, it is passed a callback to accept the results of the card validation. When validation succeeds, the resulting object looks like this:
The Error Response
Sometimes things don't go as expected. When that happens, an error is returned to the calling object:
Errors Returned by 3DS
By default, SHC displays the minimum number of fields needed to validate a credit card online — cardholder name, card number, expiry date, and CVV. SHC can also display fields for address, postal code, and email address, and can change the display behavior of the Pay button. By default the Pay button changes from the word "Pay" to a spinner; you can disable this if needed.
To include these fields, supply the optional values when creating the secure token:
companyNumber, merchantNumber, customerNumber, operatorId, and language are all required when calling SHC.
Disabling useRecaptcha
SHC uses Google's reCAPTCHA to prevent some automated attacks. For security purposes, useRecaptcha is set to true by default. However, some merchants have reported that reCAPTCHA interferes with their site. In these rare instances, SHC allows you to disable this feature.
Risks of disabling useRecaptcha
If you pass useRecaptcha as false in the options, you are disabling the SHC reCAPTCHA feature and you risk exposing your custom form to various attacks, including a velocity attack.
Usage of ignoreInitAuthTimeout
As part of the 3D Secure authentication process, SHC collects information about the customer's device and browser. In rare cases, this can cause a timeout and generate an initAuthTimeout error that fails the transaction. Setting ignoreInitAuthTimeout to true ignores the timeout error and allows the rest of the 3D Secure process to continue.
Risks of disabling ignoreInitAuthTimedOut
If you pass ignoreInitAuthTimeout as true, part of the 3D Secure process is bypassed and the merchant may be liable for fraudulent transactions.
In some cases, additional information is required to render the fields correctly in your custom form. For this, you can provide a third argument containing options.
Available option
Currently, the only supported option for custom forms is sourceElement.
sourceElement
When working with custom forms, SHC requires the id of the tag containing the form. This id is passed to SHC as the sourceElement property in the options parameter.
SHC provides a number of CSS classes that you can override to change the appearance of the SHC fields. The classes are structured so you can overwrite fields as a group for consistency, while each element also has its own unique id for granular manipulation.
A field's generic layout resembles the following:
Where ${name} represents the field name. Valid field names are: name, card, expiry, cvv, email, address, and postal.
You can also customize the Pay button. The default layout is:
Use the #shc-pay-button CSS identifier to apply different styles to the Pay button.
Where to Put the CSS Styles
Place the shc-style id in a style tag so all the styles inside are applied to the SHC fields and buttons:
No need to use the default form — custom forms allow for a standardized look that matches your website. SHC allows a merchant developer to create a custom form containing both SHC fields and the merchant's own fields. To designate a field as an SHC field, the field id must match an auto-generated SHC field id.
If a field has an SHC field id, all the formatting and listeners are applied to that field. When the Pay button is clicked, the values in the user fields are collected and returned to the caller.
To use your custom form, pass the form's id to shc as an option in the third argument:
Custom Required Fields
If you add a required custom field, set the required attribute on the field to prevent the Pay button from enabling until that field contains a value:
Custom Forms and 3DS
When working with custom forms, the merchant is responsible for adding the hidden 3DS fields:
These fields are treated as read-only by SHC, so the required values can be safely pre-loaded before SHC is called.
To protect against the injection of fraudulent code, SHC prevents the transfer of the following HTML tags to the SHC secure iframe:
<SCRIPT>
<IFRAME>
<OBJECT>
<A> (the anchor tag)
<INPUT TYPE="SUBMIT">
<BUTTON TYPE="SUBMIT">
As an added measure of security, the ACTION and METHOD attributes are removed from the <FORM> tag. In addition, no JavaScript is transferred to the SHC secure iframe — including JavaScript that is part of a permissible HTML tag, or any events attached to an HTML tag before transferring the form to the SHC secure iframe.
In a custom form, buttons that contain the data-message attribute send the contents of that message to the parent form via a message event. Use a message event listener to receive it:
The message uses the format { message: 'data-message contents' }.
The shcMessenger object allows the SHC form to communicate with the calling application. It is created when the shc function is called.
Receiving Messages
The SHC form emits messages during execution. Receive them with shcMessenger.on(event, callback):
Sending Messages
The SHC form can also accept messages from the shcMessenger via method calls: