To ensure PCI compliance when you build your own cards payment form, use our client-side solutions to help encrypt card details.
If you prefer not to build your own card payment form, use Drop-in or Card Component for web, iOS, Android, React Native, or Flutter instead.
Requirements
Requirement | Description |
---|---|
Integration type | Make sure that you have built an API-only integration. |
Setup steps | Before you begin, add the cards that you want to support in your test Customer Area. |
Show the available cards in your payment form
For information about the supported locations and currencies for each card, refer to Payment methods.
Specify in your /paymentMethods request a combination of countryCode and amount.currency, and use the /paymentMethods response to determine which cards are available to the shopper. For more information, refer to our API-only integration guide.
Next, use our client-side solutions to validate and encrypt your shopper's card details. Select the platform below:
Make a payment
From your server, make a POST /payments request, specifying:
Parameter | Description |
---|---|
amount |
The currency of the payment and its value in minor units. |
reference |
Your unique reference for this payment. |
paymentMethod |
Object that contains the encrypted card details from the client side, the card holder's name (if you collected it), and a type parameter set to scheme. |
returnUrl |
URL to where the shopper should be taken back to after a redirection. The URL can contain a maximum of 1024 characters and should include the protocol: http:// or https:// . You can also include your own additional query parameters, for example, shopper ID or order reference number. If the URL to return to includes non-ASCII characters, like spaces or special letters, URL encode the value. The URL must not include personally identifiable information (PII), for example name or email address. |
merchantAccount |
Your merchant account name. |
riskData |
Device characteristics and other data that we use to detect fraudulent payment activity, and mitigate fraud. If you collect additional data from other pages on your website, that data is also included in this object. |
The /payments response contains:
- pspReference: Our unique identifier for the transaction.
resultCode
: Use this to present the payment result to your shopper.merchantReference
: Thereference
from the /payments request.additionalData
: Additional information about the transaction.
To specify the fields that you want to receive inadditionalData
, log in to your Customer Area, and go to Developers > Additional data.
Present the payment result
Use the resultCode from the /payments response to present the payment result to your shopper. You will also receive the outcome of the payment asynchronously in a webhook.
For card payments, you can receive the following resultCode
values:
resultCode | Description | Action to take |
---|---|---|
Authorised | The payment was successful. | Inform the shopper that the payment has been successful. If you are using manual capture, you also need to capture the payment. |
Cancelled | The shopper cancelled the payment. | Ask the shopper whether they want to continue with the order, or ask them to select a different payment method. |
Error | There was an error when the payment was being processed. For more information, check the
refusalReason
field. |
Inform the shopper that there was an error processing their payment. |
Refused | The payment was refused. For more information, check the
refusalReason
field. |
Ask the shopper to try the payment again using a different payment method. |
Additional resultCode
values are possible in case of the 3D Secure authentication flow. For more information, refer to Result codes.
Showing co-badged cards
Regulatory guidelines for some regions require the following:
- When a shopper presents a co-badged card, they must be allowed to select their preferred brand.
- If the shopper selected a preferred brand, the payment must be completed with this brand.
To comply with these guidelines:
- Use the
onBinLookup
event to detect if a card is co-badged. - If a card is co-badged, present all supported brands to the shopper, allowing them to click on the brand they want to pay with. Each of the presented brands should have an
alt
or adata-value
attribute. - If the shopper makes a choice, pass the corresponding event to the
dualBrandingChangeHandler
function.
The shopper's selected brand will then be included in thestate.data
from the Component.
The following example shows how to present brand logos for a co-badged Bancontact/Maestro card:
function onBinLookup(pCallbackObj) {
// Handle a dual branded result
if (pCallbackObj.supportedBrandsRaw?.length > 1) {
onDualBrand(pCallbackObj);
}
}
// Implement dual branding
function onDualBrand(pCallbackObj) {
const logoOne = document.getElementById('pmImageDual1');
const logoTwo = document.getElementById('pmImageDual2');
const supportedBrands = pCallbackObj.supportedBrandsRaw;
//Set one brand icon, add alt or data-value attributes; add an event listener
logoOne.setAttribute('src', supportedBrands[0].brandImageUrl);
logoOne.setAttribute('alt', supportedBrands[0].brand);
logoOne.setAttribute('data-value', supportedBrands[0].brand);
logoOne.addEventListener('click', dualBrandListener);
// Set the other brand icon, add alt or data-value attributes; add an event listener
logoTwo.setAttribute('src', supportedBrands[1].brandImageUrl);
logoTwo.setAttribute('alt', supportedBrands[1].brand);
logoTwo.setAttribute('data-value', supportedBrands[1].brand);
logoTwo.addEventListener('click', dualBrandListener);
}
Implementing dualBrandListener
to pass the selected attributes to to dualBrandingChangeHandler
:
function dualBrandListener(e) {
securedFields.dualBrandingChangeHandler(e);
}
Present debit and credit cards separately
This requires Checkout API v53 and later.
In some scenarios, you may want to present your shoppers with separate payment forms for debit cards and credit cards. Some examples include:
- If you accept payments in Sweden, you need to present debit cards before credit cards in order to comply with local legislation.
- In Brazil, many shoppers use Combo cards, allowing for both debit and credit transactions. Having a separate form for Debit Card and Credit Card gives your shoppers a clear indication of whether they are making a debit or credit transaction.
For more details, see the corresponding sections about Brazil and Sweden.
To show debit and credit cards separately:
-
If you are using the /paymentMethods endpoint to get a list of payment methods to present on the client side, include:
- splitCardFundingSources: Set this to true to receive separate objects for credit and debit cards in the response.
The following example shows how to get the available payment methods for a shopper in the Netherlands, making a EUR 47.00 payment.
The response includes the list of available payment methods, with debit and credit cards split into separate objects.
- splitCardFundingSources: Set this to true to receive separate objects for credit and debit cards in the response.
-
When the shopper selects to pay with either a debit or credit card, proceed to make a POST /payments request and include:
paymentMethod.fundingSource
: Set this to either credit or debit.
The following example shows how you can make a payment request for a debit card.
Brazil
For debit transactions, we highly recommend using 3D Secure and Automatic Capture due to some issuers' restrictions.
Sweden
When accepting payments in Sweden, present debit before credit cards, and label the forms clearly in order to comply with Swedish legislations.
Stored card payments
Adyen's tokenization service allows you to securely store shopper's card details for recurring payments. To make recurring payments, you first need to create a shopper token, and then use the token to make future payments for the shopper.
Create a token
To store shopper's card details, include in your /payments request:
storePaymentMethod
: true- shopperReference: Your unique identifier for the shopper.
- recurringProcessingModel: Defines the recurring payment type.
The /payments response contains:
recurringDetailReference
: This is the token that you'll need to make recurring payments for this shopper.
The recurringDetailReference
is also contained in the AUTHORISATION webhook that you will receive for this payment.
Show a stored card in your payment form
-
To get the stored payment methods for a shopper, include in your /paymentMethods request:
- shopperReference: The unique shopper identifier that you specified when creating the token.
The /paymentMethods response includes a
storedPaymentMethods
array containing the stored payment methods for this shopper. ThestoredPaymentMethods
array contains theid
that you need when making the payment.
If your Components version is 3.2.0 or lower, use the
oneClickPaymentMethods
array and therecurringDetailReference
instead.{ ... "storedPaymentMethods":[ { "brand":"visa", "expiryMonth":"10", "expiryYear":"2020", "holderName":"John Smith", "id":"8415718415172204", "lastFour":"1111", "name":"VISA", "supportedShopperInteractions":[ "Ecommerce", "ContAuth" ], "type":"scheme" }, { "brand":"visa", "expiryMonth":"08", "expiryYear":"2018", "holderName":"John Smith", "id":"8315720121476805", "lastFour":"0008", "name":"VISA", "supportedShopperInteractions":[ "ContAuth", "Ecommerce" ], "type":"scheme" } ] ... }
- shopperReference: The unique shopper identifier that you specified when creating the token.
-
Use the Custom Card Component to collect the following details from the shopper:
Card details Example input The security code (CVV / CVC) "737" When
onSubmit
callback is triggered and ifstate.isValid
is true, get the encrypted values fromstate.data
and pass these values to your server. -
Proceed to submit a payment request from your server.
Make a payment with a token
When the shopper selects to pay, the Component calls the onSubmit
event, which contains a state.data
.
- Pass the
state.data
to your server. -
From your server, make a /payments request, specifying:
paymentMethod.storedPaymentMethodId
: Theid
from the the /paymentMethods response. This is therecurringDetailReference
that you received when creating the token.paymentMethod.encryptedSecurityCode
: Thestate.data.paymentMethod.encryptedSecurityCode
from theonSubmit
event.
shopperReference
: The unique shopper identifier that you specified when creating the token.shopperInteraction
: ContAuth.recurringProcessingModel
: CardOnFile.
The /payments response contains:
resultCode
: Use this to inform the shopper about the payment status.
You can also use tokens to make shopper-not-present payments for subscriptions or contracts. For more information, refer to Making a payment for a subscription or contract.
Collecting additional data to detect fraud
For Web Drop-in/Components integrations, you can optionally collect data to detect fraud outside of the checkout page, in addition to the data that you send when the shopper checks out. We recommend that you collect data about the shopper's activity on every page of your site.
To do this, add the following script to any of your web pages.
When the shopper checks out, the Custom Card Component sends all of the data collected by the script to Adyen. This includes the data from the checkout page as well as any data collected from other web pages that contain the script.
Test and go live
If your client-side integration isn't ready, you can test API requests with encrypted card details by adding a test_
prefix to the test card details.
v5.20.0 or later: Card input fields use JSON Web Encryption, so your test environment must be a secure context. Use either a local or https
domain, and add it to your allowed origins.
Before making live card payments:
-
Test your integration using our test card numbers. You can check the status of test payments in your Customer Area > Transactions > Payments.
-
Add the cards that you want to accept in your live Customer Area.
-
Before you can start accepting card payments in the live environment, you need to assess your PCI DSS compliance and submit the required Self-Assessment Questionnaire A document. For more information, refer to PCI DSS compliance guide.