There are three ways in which you can collect and tokenize a customer's card information.
The option you choose will depend on your requirements and the PCI scope you are willing to accept:
- REST API: You collect the card details yourself and call the Create Token API either from your own server or from a native mobile app. For native mobile apps this is the option we recommend. If you call the API from your server, the card data passes through your systems and you must be SAQ D compliant. If you call it from a native mobile app, the PCI Council's current assessment reduces your requirement to SAQ A (each device runs its own instance of the app, so a single compromise does not expose card data at scale). In either case, confirm the SAQ you are eligible for with your acquirer, who has the final say on your validation requirements.
- JavaScript API: You collect the card details in the browser using a payment form that you build and control. The JavaScript API sends the details directly from the browser to PaymentsOS for tokenization, so they never pass through your server. Because your page still hosts the input fields, this option reduces your scope to SAQ A-EP.
- Secure Fields Form: You embed an HTML form whose card input fields are generated and hosted by PaymentsOS. The secure fields capture the card details and send them to PaymentsOS for tokenization, so neither your page's own code nor your server ever handles them. This reduces your scope further, to SAQ A.
Whichever option you use, PaymentsOS returns a token that represents the card. Use that token, never the raw card details, when you create payments.
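The reduced scope of the JavaScript API and Secure Fields options only holds for as long as raw card data actually stays off your server. As an added example (not PaymentsOS code), the guard below is the kind of check a merchant backend behind those options should run on every incoming payment request: it rejects any JSON body that carries a raw card field by name, or any value containing a Luhn-valid 13 to 19 digit number, so a client bug or a form mistakenly wired to post card fields to you cannot quietly pull your server into SAQ D scope. The field names, the sample request bodies and the token value are assumptions made for the example.

```javascript
// Added example, not PaymentsOS code. A backend that wants to stay in
// SAQ A (Secure Fields) or SAQ A-EP (JavaScript API) scope must only ever
// receive the PaymentsOS token, never the PAN. This guard inspects an incoming
// JSON body and refuses it if it carries raw card data. The field names and the
// sample bodies below are assumptions made for the example.

// Field names that must never appear in a request to this backend.
const RAW_CARD_FIELDS = new Set([
  'card_number', 'pan', 'cvv', 'cvc', 'credit_card_cvv', 'expiration_date',
]);

// Luhn (mod 10) check over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the Luhn-valid 13-19 digit runs found in a string. Spaces and dashes
// between digits are tolerated so "4111 1111 1111 1111" is still caught.
function findPanCandidates(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Log-safe rendering of a PAN: last four digits only.
function mask(pan) {
  return '*'.repeat(pan.length - 4) + pan.slice(-4);
}

// Recursively inspects objects and arrays; scalars are checked as text.
function walk(value, path, problems) {
  if (value === null || typeof value !== 'object') {
    for (const pan of findPanCandidates(String(value))) {
      problems.push(`${path}: Luhn-valid ${pan.length}-digit number ${mask(pan)}`);
    }
    return;
  }
  for (const [key, child] of Object.entries(value)) {
    const childPath = path ? `${path}.${key}` : key;
    if (RAW_CARD_FIELDS.has(key.toLowerCase())) {
      problems.push(`${childPath}: raw card field is not accepted here`);
    }
    walk(child, childPath, problems);
  }
}

// Returns { ok, problems }. Reject the request (HTTP 400) when ok is false and
// log only the masked findings, never the payload itself.
function checkPaymentRequest(body) {
  const problems = [];
  walk(body, '', problems);
  return { ok: problems.length === 0, problems };
}

// Constructed sample requests. The token is a made-up UUID; 4111111111111111
// is the well-known Visa test number, which is Luhn-valid.
const SAFE_BODY = {
  token: '4f2c1a7e-9b3d-4e8a-b1c2-0d5e6f7a8b9c',
  amount: 1000,
  currency: 'USD',
  order_id: '20240101123456',
};
const RAW_CARD_BODY = { card_number: '4111111111111111', cvv: '123', amount: 1000 };
const HIDDEN_PAN_BODY = {
  token: '4f2c1a7e-9b3d-4e8a-b1c2-0d5e6f7a8b9c',
  note: 'customer read out 4111 1111 1111 1111 on the phone',
};

console.log(JSON.stringify(checkPaymentRequest(SAFE_BODY)));
console.log(JSON.stringify(checkPaymentRequest(RAW_CARD_BODY)));
console.log(JSON.stringify(checkPaymentRequest(HIDDEN_PAN_BODY)));
```

The Luhn filter keeps ordinary long numbers such as order IDs and timestamps from tripping the check, but it is a heuristic: roughly one in ten random digit strings passes it, so treat a hit as a reason to reject and investigate, and keep the explicit field-name deny list as the primary control. Log only the masked value; writing the matched number to a log file would itself put the log in scope.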
If you want to offer your customers the option of using a payment method other than cards (such as bank transfers or e-Wallets), then you can create a checkout page that lists all available payment methods. For more information see Building a Checkout Page.
You can also read more in the PaymentsOS documentation.