Collecting Customer Payment Information Securely
Now that you’ve set up your environment and access secrets, the next step is to securely collect your customers' payment information. How can you do this while ensuring maximum PCI compliance? Let's explore the best methods for achieving this. By the end of this module, you'll understand:
- How to create a payment method via the API
- How to create a payment method via iFrame
Payment Method Tokens
When you store your customers' payment information in Spreedly, it is securely converted into a payment method token. This means that sensitive payment data is never stored directly on your servers, enhancing security and minimizing your PCI compliance burden.
You can create payment method tokens for testing purposes via the Spreedly API. The API documentation provides the request structure for creating a credit card payment method, and you should use test card data for these operations.
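The API call described above, sketched as an added example that is not Spreedly's own code: it builds the create-payment-method request with HTTP Basic authentication, refuses anything but test card numbers, and reads the token out of a response. The endpoint, JSON field names, response shape and test card numbers are assumptions not given on this page and should be confirmed against the API documentation; the keys, card and response are constructed placeholders.

```python
import base64
import json
import urllib.request

# Assumption: endpoint and field names follow Spreedly's public API reference;
# they are not given on this page, so check them against the documentation.
ENDPOINT = "https://core.spreedly.com/v1/payment_methods.json"
# Assumption: test card numbers; anything else is treated as live card data.
TEST_CARDS = {"4111111111111111", "5555555555554444"}

def build_create_request(env_key, access_secret, card):
    """Build (without sending) the request that vaults a test card."""
    if card["number"] not in TEST_CARDS:
        # A real card number handled here would pull this host into PCI scope.
        raise ValueError("refusing non-test card number")
    body = json.dumps({"payment_method": {"credit_card": card}}).encode()
    creds = base64.b64encode(f"{env_key}:{access_secret}".encode()).decode()
    return urllib.request.Request(
        ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/json"})

def extract_token(response_body):
    """Return the payment method token, or raise if tokenization failed."""
    txn = json.loads(response_body)["transaction"]
    if not txn.get("succeeded"):
        raise RuntimeError(f"tokenization failed: {txn.get('message')}")
    return txn["payment_method"]["token"]

def redact(card):
    """Copy of the card that is safe to log: no CVV, last four digits only."""
    safe = {k: v for k, v in card.items() if k != "verification_value"}
    safe["number"] = "*" * (len(card["number"]) - 4) + card["number"][-4:]
    return safe

# Constructed sample input and response; the token is a placeholder.
SAMPLE_CARD = {"first_name": "Test", "last_name": "User",
               "number": "4111111111111111", "verification_value": "123",
               "month": "12", "year": "2030"}
SAMPLE_RESPONSE = json.dumps({"transaction": {
    "succeeded": True, "payment_method": {"token": "CONSTRUCTED_TOKEN"}}})

if __name__ == "__main__":
    req = build_create_request("ENV_KEY_PLACEHOLDER", "SECRET_PLACEHOLDER",
                               SAMPLE_CARD)
    print(req.get_method(), req.full_url, redact(SAMPLE_CARD))
    print("token:", extract_token(SAMPLE_RESPONSE))
```

Send the request with `urllib.request.urlopen(req)` only from a server-side test environment, and log `redact(card)` rather than the card itself.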
Once you have the payment method token, you can use it to transact with any gateway or receiver supported by Spreedly. But how do you actually obtain this token?
iFrame: Secure and Flexible Payment Method Collection
For the most flexible and secure way to capture payment information, we recommend using Spreedly’s iFrame and selecting the "Enable secure tokenization" option. This solution enables a custom checkout experience and securely passes the cardholder’s information directly to the Spreedly vault.
The iFrame is a JavaScript library that provides two managed fields for securely collecting the credit card number and CVV—the two PCI-sensitive elements of a payment method. Your checkout page places and styles these fields, and the iFrame then returns a tokenized payment method to your page once the card details have been successfully submitted.
To integrate iFrame into your checkout page, follow the steps in our Spreedly iFrame Payment Form guide.
To tokenize a payment method, you’ll need your environment key and access secret, along with the values required for secure tokenization, which change each time the iFrame is initialized. Keep in mind that the environment key you use determines where your payment method is vaulted, and the generated payment tokens are valid only in that environment.
Important Note: Tokenizing a payment method does not verify or authorize the payment. Once the tokenization is successful, you’ll need to initiate a purchase or authorization request from your secure, server-side environment (more on this in later modules).
Alternative Tokenization Methods
If the iFrame solution does not meet your specific needs, there are other ways to tokenize payment information. However, be aware that these methods may increase your PCI compliance responsibilities. If you require an alternative approach, please review our Collecting Payment Information Guide for additional options.
You’ve Completed Module 2 If:
- You’ve created a payment method via the API
- You’ve created a payment method via iFrame