Hosted Payments Page Integration Guide

November 6, 2024

Description

The Integration Guide and website requirements for integration to the Hosted Payments Page (HPP) with connection to the Bank of America Gateway

Integration guide

The Hosted Payments Page Integration Guide is written for business owners who want to accept payments using the Hosted Payments Page (HPP) and who do not want to handle or store sensitive payment information on their own servers. Using HPP requires coding by an integration developer. The developer must create a security script and modify the HTML form to invoke Secure Acceptance, so that payment transaction requests pass directly from a cardholder's browser to the Bank of America Gateway. You will also use your Merchant Services account to review and manage orders.

Website requirements

A website must meet the following requirements in order to accept payment using HPP:

  • It must have a shopping cart, customer order creation software, or an application for initiating disbursements to send funds to payment accounts. 
  • It must contain product pages in one of the supported scripting languages. See page 29 of the Hosted Payments Page Integration Guide: "Sample Transaction Process Using JSP".
  • The IT infrastructure must be Public Key Infrastructure (PKI)-enabled to use SSL-based form POST submissions.
  • The IT infrastructure must be capable of digitally signing customer data prior to submission to HPP.

Detailed HPP checkout flow

The HPP transaction flow is illustrated and described below.

Hosted Payments Page transaction flow

  1. Your customer clicks the Checkout Now button on your website, which triggers an HTTPS POST that directs your customer to the HPP that you have configured in your Merchant Services account.
    • The HTTPS POST includes the signature and signed data fields containing the order information.
    • HPP works best with JavaScript and cookies enabled in your customer's browser.
  2. Secure Acceptance verifies the signature to ensure that the order details were not amended or tampered with and displays the HPP. Your customer enters and submits payment details and/or their billing and shipping information. 
    • Your customer confirms the payment, and the transaction is processed. 
  3. Bank of America recommends that you configure a custom receipt page in your Merchant Services account so that the signed transaction response is sent back to your server through the browser. You must validate the reply signature to confirm that the reply data was not amended or tampered with. Secure Acceptance can also display a standard receipt page to your customer, and you can verify the result of the transaction using search features in your Merchant Services account or the standard Bank of America reports.
    • If the reply signature in the reply field does not match the signature calculated from the reply data, treat the POST as malicious and disregard it.
    • Secure Acceptance signs every response field. Ignore any reply fields in the POST that are not listed in the signed_fields field.
  4. Bank of America recommends implementing the merchant POST URL notification as a backup means of determining the transaction result. This method does not rely on your customer's browser. You receive the transaction result even if your customer lost connection after confirming the payment. 
    • If the transaction type is a sale, it is immediately submitted for settlement. If the transaction type is an authorization, use the Bank of America Simple Order API to submit a capture request when goods are shipped.
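
The reply validation in step 3, as an added example (not code from the Integration Guide): recompute the signature over the signed fields, reject the POST on mismatch, and keep only fields listed in signed_fields. Assumptions to confirm against the guide: the signature is base64(HMAC-SHA256) over comma-joined name=value pairs in signed_fields order, the signature field is named signature, and signed_fields lists itself; the sample field names and values are constructed.

```python
import base64
import hashlib
import hmac

# Assumed names: the page calls the list field "signed_fields"; "signature" is assumed.
SIGNED_FIELDS_KEY = "signed_fields"
SIGNATURE_KEY = "signature"


def sign(fields, names, secret_key):
    """Assumed scheme: base64(HMAC-SHA256(key, "name=value,name=value,..."))."""
    data = ",".join(f"{name}={fields[name]}" for name in names)
    digest = hmac.new(secret_key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_reply(post, secret_key):
    """Return only the signed fields of a reply POST, or None if it must be disregarded."""
    names = [n for n in post.get(SIGNED_FIELDS_KEY, "").split(",") if n]
    received = post.get(SIGNATURE_KEY, "")
    # Assumption: the list of signed names is itself covered by the signature.
    if not received or SIGNED_FIELDS_KEY not in names:
        return None
    # A name listed as signed but absent from the POST cannot be verified.
    if any(n not in post for n in names):
        return None
    expected = sign(post, names, secret_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Drop everything not covered by the signature (step 3, second bullet).
    return {n: post[n] for n in names}


def sample_reply(secret_key):
    """Constructed reply POST for demonstration; not real gateway output."""
    fields = {
        "decision": "ACCEPT",
        "reference_number": "ORDER-1001",
        "amount": "25.00",
        "signed_fields": "decision,reference_number,amount,signed_fields",
    }
    names = fields[SIGNED_FIELDS_KEY].split(",")
    fields[SIGNATURE_KEY] = sign(fields, names, secret_key)
    return fields
```

Run the same check on the merchant POST URL notification from step 4, and act only on the dictionary that verify_reply returns, never on the raw POST.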

HPP payment form example

Hosted Payments payment form and receipt example