
Bank of America Gateway Integration Methods Overview

November 5, 2024

Description

An overview and comparison of gateway integration methods for custom-built online shopping carts

What's in this article?

Bank of America offers four integration methods for connecting to the Bank of America Gateway for card-not-present (e-commerce) payment transactions. Each method requires coding by an integration developer.

NOTE:
An existing website with a custom (non-third-party) shopping cart built by a developer is needed in order to integrate with the Bank of America Gateway.

An overview of each of these integration methods is provided below:

Table comparing the four Bank of America Gateway integration methods

Complexity
  Hosted Payments Page: Least complex
  Checkout API: More complex
  Microform Integration: Increasingly complex
  Card Not Present Integration Toolkit: Most complex

What it is and how it works
  Hosted Payments Page: Provides a checkout web form to handle payments made with credit/debit cards. Handles all payment data security and transaction processing.
  Checkout API: Similar to HPP, provides a seamless and secure checkout experience. Allows the payment page to be customized with branding.
  Microform Integration: Provides a secure iFrame (pop-up window) to collect customer card data. Bank of America hosts the iFrame and transmits the card data through the secure single-use token API.
  Card Not Present Integration Toolkit: Provides control of the entire checkout experience (i.e., everything the end user sees), including the payment form, the response pages and the receipt.

Integration effort
  Hosted Payments Page: Some coding required
  Checkout API: Considerable coding required
  Microform Integration: More extensive coding required
  Card Not Present Integration Toolkit: Most extensive coding required

Level of checkout control
  Hosted Payments Page: No control of the checkout experience
  Checkout API: Little control of the checkout experience
  Microform Integration: More control of the checkout experience
  Card Not Present Integration Toolkit: Most control of the checkout experience

Customization allowed
  Hosted Payments Page: Little customization
  Checkout API: Customizable checkout form
  Microform Integration: Customizable experience
  Card Not Present Integration Toolkit: Fully customizable

PCI burden
  Hosted Payments Page: Reduced scope for PCI
  Checkout API: Reduced scope for PCI
  Microform Integration: Reduced scope for PCI
  Card Not Present Integration Toolkit: Largest PCI scope

The implementation requirements and transaction flow for each integration method are provided below:

Hosted Payments Page (HPP)

Bank of America’s HPP hosts a checkout web form to handle payments made with credit/debit cards. Card data is submitted directly to the Bank of America Gateway. For this reason, this integration method is also referred to as a Secure Acceptance integration method.

This integration qualifies for Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) A, which significantly reduces the number of questions to answer to validate PCI compliance.

Coding is needed to embed the HPP on a website to take payments.

Implementation requires:

  • Hosted Payments Page Profile: Settings and configurations dictate the cardholder experience on the HPP.
  • Security Key: Authenticates HPP transaction messages to the Bank of America Gateway.

For more information and a detailed checkout flow see the Hosted Payments Page (HPP) Integration Guide.

Online checkout flow using the HPP: high-level

  1. Cardholder clicks the Checkout Now button on your website and enters their card data on a checkout page that is hosted and rendered by Bank of America.
  2. The transaction is submitted directly from the HPP to Bank of America for processing.
  3. The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
  4. The host submits the transaction to the card brands for processing.
  5. An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).

Checkout API

A Checkout API integration submits card data directly from the customer's web browser to the Bank of America Gateway, so card data never passes through the merchant's server. For this reason, this integration method is also referred to as a Secure Acceptance integration method.

This integration qualifies for Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) A-EP, which reduces the number of questions to answer to validate PCI compliance.

Coding is required to create the checkout page. A developer creates the user interface and experience on the checkout page, and controls the receipt customization.

Implementation requires:

  • Checkout API Page Profile: Settings and configurations dictate the end user experience on the checkout page.
  • Security Key: Authenticates Checkout API transaction messages to the Bank of America Gateway.

For more information see the Checkout API Developer's Guide.

Online checkout flow using the Checkout API

  1. Display the checkout page in the cardholder's browser with a form to collect their payment information, and include a signature that validates the order information (the signed data fields). The cardholder enters and submits their payment details (the unsigned data fields).
  2. The transaction request message, together with the signed and unsigned data fields, is sent directly from the cardholder's browser to the Bank of America Gateway for processing.
  3. The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform). The host reviews and validates the transaction request data to confirm that it has not been amended or tampered with and that it contains valid authentication credentials.
  4. The host submits the transaction to the card brands for processing.
  5. An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response). A reply message is sent to the cardholder's browser.

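The signed/unsigned split in the flow above is what lets the receiving side detect a browser-side change to the order (for example, the amount) while still accepting the card details the cardholder types in. The following is an added illustration of that check, not code from the Bank of America Gateway or its developer guide: the field names, the "name=value" canonical string and the HMAC-SHA256 construction are assumptions chosen for the example, and the secret key is a constructed demo value standing in for the merchant's Security Key.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed demo key standing in for the merchant's Security Key (assumption).
SECRET_KEY = b"constructed-demo-secret-key"


def _canonical(payload: Dict[str, str], names: List[str]) -> bytes:
    # Deterministic "name=value,name=value" string over the named fields only.
    return ",".join(f"{n}={payload[n]}" for n in names).encode()


def _mac(data: bytes, secret: bytes) -> str:
    return base64.b64encode(hmac.new(secret, data, hashlib.sha256).digest()).decode()


def sign_fields(order: Dict[str, str], secret: bytes = SECRET_KEY) -> Dict[str, str]:
    """Merchant server: sign the order fields before the form is rendered.
    The list of covered names is itself covered, so it cannot be trimmed later."""
    payload = dict(order)
    payload["signed_field_names"] = ",".join(sorted(order)) + ",signed_field_names"
    names = payload["signed_field_names"].split(",")
    payload["signature"] = _mac(_canonical(payload, names), secret)
    return payload


def verify_submission(submission: Dict[str, str], secret: bytes = SECRET_KEY) -> bool:
    """Receiving side: recompute the MAC over the fields the submission claims
    are signed. Unsigned fields (the card details the cardholder typed) are
    ignored here; any change to a signed field invalidates the signature."""
    names = submission.get("signed_field_names", "").split(",")
    if "signed_field_names" not in names or "signature" not in submission:
        return False
    try:
        expected = _mac(_canonical(submission, names), secret)
    except KeyError:  # a field claimed as signed is missing from the post
        return False
    return hmac.compare_digest(expected, submission["signature"])


if __name__ == "__main__":
    form = sign_fields({"amount": "49.99", "currency": "USD", "reference_number": "ORDER-1001"})
    # The cardholder adds unsigned data in the browser; signed fields are untouched.
    browser_post = dict(form, bill_to_email="cardholder@example.com")
    print("untampered:", verify_submission(browser_post))  # True
    # An edited amount (or a dropped signed field) fails verification.
    print("amount edited:", verify_submission(dict(browser_post, amount="0.01")))  # False
```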
Microform Integration

The Bank of America Gateway renders a secure iFrame to collect the cardholder's card data. The iFrame is hosted by the Bank of America Gateway and transmits the card data via the secure Single Use Token API, so the merchant's page and server handle only the resulting token rather than the card number.

This integration type reduces the risk of a third party gaining access to sensitive customer information during the transaction. This integration qualifies for Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) A, which significantly reduces the number of questions to answer to validate PCI compliance.

Considerable coding is required to create the checkout page. A developer is responsible for creating the user interface and experience on the checkout page.

Implementation requires:

  • Security Key: Generates either an HTTPS (Shared Secret Key) or JSON Web Token, based on the need.

For more information see the Microform Developer's Guide.

Online checkout flow using Microform Integration

Online checkout flow using Microform Integration architecture diagram

  1. Cardholder enters card data into the website. The PAN and CVV fields on the payment page are replaced with a secure iFrame.
  2. An asynchronous request is made to the Bank of America Gateway, which returns a temporary token to the web page.
  3. The temporary token is passed to the online business's back office.
  4. The back-office server then makes a REST API call using the temporary token to initiate a payment.
  5. The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
  6. The host submits the transaction to the card brands for processing.
  7. An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).

Card Not Present (CNP) Integration Toolkit (REST API)

The CNP Integration Toolkit provides full control of the customer's checkout experience. The entire checkout experience, including the payment form, response pages and receipts, is coded by a developer, and card data passes through the merchant's own systems.

This integration qualifies for Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) D, which requires the site owner to answer all PCI compliance questions. Extensive coding is required to create the checkout page. A developer is responsible for creating the user interface and experience on the checkout page.

Implementation requires:

  • Security Key: Generates either an HTTPS (Shared Secret Key) or JSON Web Token, based on the need.

For more information see the Card Not Present (CNP) Integration Toolkit (REST API) Developer's Guide.

Online checkout flow using the Card Not Present Integration Toolkit

Online checkout flow using the Card Not Present Integration Toolkit architecture diagram

  1. Cardholder enters their card data into the website.
  2. Provider captures the card data and submits the transaction to the Bank of America Gateway.
  3. The Bank of America Gateway submits the transaction to the Bank of America Host (the bank's payment processing platform) for processing.
  4. The host sends the transaction to the card brands for processing.
  5. An approval or decline is provided back in the response (Bank of America provides a PAN token in every authorization response).

A Demonstration & Certification Environment (DCE) is available, giving developers the ability to test their integration prior to going live with a website. For HPP and Checkout API integrations, Secure Acceptance profiles and security keys are required in order to send transactions to the test environment; Microform Integration and CNP Integration Toolkit integrations require security keys only. To learn more about the DCE and generating security keys, refer to Demonstration & Certification Environment (DCE) Testing.

To learn more about these four types of integration methods to the Bank of America Gateway, refer to the Bank of America Gateway Integration Guide.

