Ecommerce checkout solutions are built on top of APIs to help with the heavy lifting that’s required to integrate directly with a full-featured API. Integrating directly with a payment API may be a good fit for businesses that need maximum control over the solution design and user experience, but they require a significant amount of development work and place the full burden of Payment Card Industry (PCI) responsibility on the business. (Learn more about integrating directly with a full-featured payment API here.)

Checkout products work with payment gateway APIs behind the scenes and handle complex functionality out-of-the-box, like collecting customer payment data and securely passing that data to the payment API. Because these products handle the sensitive data for the business, PCI scope can be significantly reduced. In general, these products can be categorized as either hosted payments or shopping cart integrations. Choosing between them will depend on business requirements, such as the amount of control needed over the user experience, the level of customization required, and more.

Shopping carts are a great fit for businesses that already have a website with a platform such as WordPress and just want to add secure payments to turn their static site into an online shop. This is generally a good option for businesses with minimal developer resources that need a no-code option, or those that need to add a checkout process as quickly as possible. Adding payments on these types of platforms can allow businesses to take advantage of advanced functionality that would be significantly more difficult to integrate outside of the platform. For example, with North’s WooCommerce Plugin, staff can view sales from the business’s WooCommerce dashboard and directly refund orders using the platform’s interface, without having to code that functionality into an application. With these products, the payment provider is responsible for most or all of the PCI responsibility, making it easy for businesses to get started with little effort required to comply with data security standards.

Hosted payment options, such as hosted checkout pages or hosted form fields, look like they’re part of a business’s website, but they aren’t. They’re hosted by the payment provider, meaning that the provider directly accepts the customer’s input, so sensitive data never enters the business’s system. Because the payment provider is responsible for securely handling and transmitting the sensitive payment data, hosted solutions are generally considered low-code options. When using a product that hosts the form fields for the business, such as North’s iFrame JavaScript SDK, businesses simply need to add the hosted fields to their checkout form and make a few updates to their application code to begin processing payments. These are a great fit for businesses that need to accept ecommerce payments, such as telehealth apps and websites, without taking on the burden of data security.

Similarly, businesses embedding checkout pages, such as EPX Hosted Checkout, just need to provide the payment partner with the code for their payment page, and the partner assumes responsibility for securely handling all data accepted on the form. Some hosted payment pages require that the business’s URL redirects to the payment company’s domain. These would be a good fit for businesses that don’t need to control the entire user experience or keep the customer on their domain throughout the checkout process.

Hosted payment methods typically minimize the business’s PCI scope, meaning the business is not responsible for meeting many of the PCI Data Security Standard (DSS) requirements. However, they are more likely to have limited functionality and may not allow as much control over the user experience as building a direct connection to a payment API into their website or application.

Businesses that want to use a hosted solution to minimize PCI scope but require more functionality may choose to handle the initial transactions with a hosted form that returns a transaction token. The token can then be used to make secondary API calls for functions such as refunds, tip adjustments, and reporting. This is a great option for ISVs because it can add advanced features to existing software without requiring that the existing code be rewritten to meet stringent payment security requirements. The functionality to call a hosted payment solution and make subsequent API calls with tokenized data can typically just be stitched into an ISV’s existing website.

One example of this setup is North’s Browser Post API, which returns tokenized data after completing the initial hosted transaction. The tokens can be included in subsequent requests to the Server Post API to perform follow-up functions. Using tokens to handle additional requests keeps the PCI scope minimized since the sensitive card data that the customer enters into the hosted solution during the initial transaction never enters the business’s server environment.