Payment APIs are the backbone of all payment products, as they’re used to send requests to financial resources to accomplish a variety of goals. Users can develop software applications to make sales, get transaction reports, set up recurring billing, and much more. Because the data that payment APIs transmit is often highly sensitive, they generally enforce stringent authentication processes. For example, when requesting any transfer of funds, payment APIs must be authenticated to a Merchant ID (MID). To obtain a MID, businesses must submit financial and business information to the payment provider, who underwrites the account and provides a MID if the application is approved.

After successful authentication, users can easily make requests from an online application to payment resources. As long as the data that’s required for each API call is passed in the request, developers can integrate payment APIs into most web-connected payment environments, in whatever way makes the most sense for the business.

Embedded payment solutions that are facilitated using a payment API offer a variety of benefits, including the following.

• Increased Sales: Online purchases can be made from any location at any time, meaning sales aren’t limited to business hours and your customer base instantly expands across the country (or beyond).
• Improved Record-Keeping: Since digital payments are automatically recorded, record-keeping is built into your online payments software making it easy to review sales reports.
• Advanced Customer Data: Embedded payments allow businesses to automatically collect transaction data that can be used to improve the customer experience and generate targeted promotions in the future, increasing repeat business.
• Automated Invoices: With products like North’s Invoicing API, businesses can set up a branded portal where customers can pay invoices. Merchants can even schedule invoices to be sent at a later date so merchants can “set it and forget it.”
• Various Payment Methods: Offering different types of payment options, such as subscriptions to products and services, is a great way to increase customer loyalty. These autopay products work by saving a secure, tokenized version of the customer's card data on file. The buyer agrees for a specified amount of money to be withdrawn from their bank account on a fixed day of each week or month for a predetermined length of time (or indefinitely until they cancel the subscription). Schedule recurring payments can increase repeat business, and your bottom line.

Payment APIs handle the transmission of transaction data from a business to a payment gateway or directly to an integrated payment processor (learn more about the benefits of direct integration here). In order to integrate with a full-featured payment API (as opposed to a hosted checkout page, shopping cart plugin, payment gateway API, etc.) businesses must build an application to collect customer data and initiate the API request calls that transmit that data to the next stop on the transaction request path.

The application collects the raw credit card and customer data during the checkout experience, encrypts it, and sends it in an API request to the payment processor. Businesses that integrate directly with a payment API may need to make changes to their server environment and security infrastructure to properly handle this sensitive data and meet Payment Card Industry (PCI) requirements. To learn more about PCI requirements, review the latest PCI Data Security Standards (DSS) or read an overview of what PCI compliance means.

For businesses that need to accept payments in person, such as contractor services, and want to connect directly to a payment API, they must either develop a native app that runs on a physical credit card terminal, or build a Point of Sale system that integrates payment data collection into the software and POS hardware. To complete the payments process, the application must work with the firmware to accept the raw data that’s read via the hardware, including standard transaction data, as well as additional fields that are unique to the physical acceptance method, such as the following.

• EMV Data: The request data from the EMV kernel.
• Track Data: The information held on the credit or debit card’s computer chip or magnetic strip.
• Card Entry Method: The method by which the card data was read, for example, Swiped Track 1 or 2, Contactless EMV or non-EMV, Bar Code, and more.

Example Request:

    {
      "trackData": "4111111111=491210100000000000?",
      "amount": 10,
      "transaction": 123,
      "batchID": 12345,
      "emvData": "820258008407A000000031010950580000080009A",
      "cardEntryMethod": "G",
      "industryType": "P"
    }
  

Businesses that need to accept ecommerce payments via a web browser must develop an application that collects transaction data from customers with a form on the website. When customers enter their card information and submit the form using an online payment API, the business is responsible for securely handling that data. This includes securing the form itself, the transmission of the data to the server, and the data storage on the business’s server(s). For businesses that don’t want to handle sensitive payment data, ecommerce checkout integrations like North’s iFrame JavaScript SDK place most of the responsibility for credit card security on the payment service provider, who hosts the sensitive form fields separately on their own servers. Because ecommerce requests do not have the benefit of accessing the data about the card and cardholder that’s stored on a physical card, these additional fields of data must be included in API requests where the acceptance method is ecommerce.

• Account: The card number to be acted on during the request.
• CVV2: Card Verification Value.
• Customer ZIP code or complete address.

Example request:

    {
      "account": "4111111111",
      "expirationDate": "2512",
      "amount": 177.99,
      "address": {
        "address": "123 Street",
        "zipCode": "12345",
        "firstName": "Sarah",
        "lastName": "Smith"
      },
      "cvv2": "123",
      "batchID": 12345,
      "transaction": 123,
      "cardEntryMethod": "E",
      "industryType": "E"
    }
  

After collecting the data required for the transaction request, the application must securely encrypt all data in accordance with PCI requirements. It must also format the data so that the API can accept it, then it must initiate the transaction request and listen for the response. Once the response is received, the app must again follow PCI requirements for securely handling the response data and destroying sensitive data when it’s no longer in use.

It is typically more complex to integrate directly with a full-featured API as opposed to using a pre-built solution that collects transaction data and handles the API requests. However, direct integrations give businesses the most control to customize the user experience and develop software that perfectly meets a business’s needs.

For many businesses, the best solution is one that enables payment acceptance and embedded finance across many channels, in which case a dual integration with a payment terminal and a web form is a great fit. One example of this is North’s Custom Pay API, which can handle requests from a physical payment device or can complete the checkout process from a web-based application. The best payment partners will be able to offer businesses a variety of options that work together seamlessly in one payment ecosystem.