Bank of America Gateway Integration Methods Overview
Description
What's in this article?
Bank of America offers four types of integration methods to connect to the Bank of America Gateway for card not present payment transactions (e-commerce). Each method requires coding development by an integration developer.
NOTE:
An existing website with a custom (non-third party) shopping cart built by a developer is needed in order to integrate to the Bank of America Gateway.
An overview of each of these integration methods is provided below:
| Descriptor type | Hosted Payments Page | Checkout API | Microform Integration | Card Not Present Integration Toolkit |
|---|---|---|---|---|
| Complexity | Least complex | More complex | Increasingly complex | Most complex |
| What it is and how it works | Provides a checkout web form to handle payments made with credit/debit cards. Handles all payment data security and transaction processing. | Similar to HPP, provides a seamless and secure checkout experience. Allows the payment page to be customized with branding. | Provides a secure iFrame (pop up window) to collect customer card data. Bank of America hosts the iFrame and transmits the card data through the secure single-use token API. | Provides control of the entire checkout experience (i.e., everything the end-user sees) including the payment form, the response pages and the receipt. |
| Integration effort | Some coding required | Considerable coding required | More extensive coding required | Most extensive coding required |
| Level of checkout control | No control of the checkout experience | Little control of the checkout experience | More control of the checkout experience | Most control of the checkout experience |
| Customization allowed | Little customization | Customizable checkout form | Customizable experience | Fully customizable |
| PCI burden | Reduced scope for PCI | Reduced scope for PCI | Reduced scope for PCI | Largest PCI scope |
The implementation requirements and transaction flow for each integration method is provided below:
- Hosted Payments Page (HPP)
Bank of America’s HPP provides a checkout web form to handle payments made with credit/debit cards. This integration qualifies for Payment Card Industry Data Self-Assessment Questionnaire (PCI SAQ) A, which significantly reduces the amount of questions to answer to validate PCI compliance. Coding is needed to embed the HPP on a website to take payments.
Implementation requires:
- Hosted Payments Page Profile: Settings and configurations dictate the cardholder experience on the HPP.
- Security Key: Authenticates HPP transaction messages to the Bank of America Gateway.
Online checkout flow using the HPP
- Cardholder enters their card data on a checkout page that is hosted and rendered by Bank of America.
- The transaction is submitted directly from the client webpage to the bank for processing.
- The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
- The host submits the transactions to the card brands for processing.
- An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).
- Checkout API
A Checkout API integration submits card data directly from the web browser to the Bank of America Gateway. A developer controls the receipt customization. This integration qualifies for Payment Card Industry Data Self-Assessment Questionnaire (PCI SAQ) A-EP, which reduces the amount of questions for answering to validate PCI compliance.
Coding is required to create the checkout page. A developer creates the user interface and experience on the checkout page.
Implementation requires:
- Checkout API Page Profile: Settings and configurations dictate the end user experience on the checkout page.
- Security Key: Authenticates Checkout API transaction messages to the Bank of America Gateway.
For more information see the Checkout API Developer's Guide.
Online checkout flow using the Checkout API
- Cardholder enters card data into the website.
- The transaction is submitted directly from the website to the Bank of America Gateway for processing.
- The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
- The host submits the transactions to the card brands for processing.
- An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).
- Microform Integration
The Bank of America Gateway renders a secure iFrame to collect the cardholder's card data. The iFrame is hosted by the Bank of America Gateway and transmits the card data via the secure Single Use Token API.
This integration type reduces the risk of a third-party gaining access of the sensitive customer information during the transaction. This integration qualifies for Payment Card Industry Data Self-Assessment Questionnaire (PCI SAQ) A, which significantly reduces the amount of questions for answering to validate PCI Compliance.
Considerable coding is required to create the checkout page. A developer is responsible for creating the user interface and experience on the checkout page.
Implementation requires:
- Security Key: Generates either an HTTPS (Shared Secret Key) or JSON Web Token, based on the need.
Online checkout flow using Microform Integration
- Cardholder enters card data into the website. The PAN data field and CVV on the payment page is replaced with a secure iFrame.
- An asynchronous request is made to the Bank of America Gateway which will return a temporary token to the web page.
- The temporary token is passed to the online business' back office.
- The back-office server will then initiate a REST API call using the temporary token to initiate a payment.
- The Bank of America Gateway submits the transaction to the Bank of America host (the Bank's payment processing platform) for processing.
- The host submits the transactions to the card brands for processing.
- An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).
- Card Not Present (CNP) Integration Toolkit (REST API)
The CNP Present Integration Toolkit provides the ability to fully control a customer's checkout experience. The entire customer checkout experience, including the payment form, response pages, and receipts, are coded by a developer. This integration qualifies for Payment Card Industry Data Self-Assessment Questionnaire (PCI SAQ) D, which requires that the site owner be responsible for answering all PCI compliance questions. Extensive coding is required to create the checkout page. A developer is responsible for creating the user interface and experience on the checkout page.
Implementation requires:
- Security Key: Generates either an HTTPS (Shared Secret Key) or JSON Web Token, based on the need.
For more information see the Card Not Present (CNP) Integration Toolkit (REST API) Developer's Guide.
Online checkout flow using the Card Not Present Integration Toolkit
- Cardholder enters their card data into the website.
- Provider captures the card data and submits the transaction to the Bank of America Gateway.
- The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
- The host sends the transactions to the card brands for processing.
- An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).
A Demonstration & Certification Environment (DCE) is available, giving developers the ability to test their integration in a test environment prior to going live with a website. For HPP and Checkout API integrations, Secure Acceptance profiles and security keys are required in order to send transactions to the test environment. Microform Integration and CNP Integration Toolkit integrations require security keys. There are separate endpoint URLs for each integration method that are used for DCE.
To learn more about the DCE and these four types of integration methods to the Bank of America Gateway, refer to the Bank of America Gateway Integration Guide.