Checkout is a script that you add to your web site. It collects card data from a specified form and creates a cryptogram from them for a payment via our API.
The cryptogram is generated with the RSA algorithm using a 2048-bit key and complies with the standard for protecting card data. If the requirements below are met, card data do not reach you, but your server still influences their security.
Requirements to a Form:
- It shall be served over HTTPS with a valid SSL certificate.
- Fields shall not have a "name" attribute: this prevents card data from reaching the server when the form is submitted.
- A field to enter a card number shall support 14 to 19 digits
Requirements to a Cryptogram:
- It shall be generated only by an original checkout script, loaded from system addresses.
- The cryptogram cannot be stored after a payment and reused.
Requirements to Security According to PCI DSS:
From the PCI DSS point of view, this connection method is classified as follows: "E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises." That is, payment data are processed by a third party, but the web site influences the security of card data.
To comply with the standard's requirements, you shall fill in an SAQ-EP self-assessment questionnaire and pass an ASV test quarterly.
For more information on compliance with PCI requirements, see PCI DSS.
To create a cryptogram, you shall add a checkout script to the page with the checkout form.
<form id="paymentFormSample" autocomplete="off">
  <input type="text" data-cp="cardNumber">
  <input type="text" data-cp="expDateMonth">
  <input type="text" data-cp="expDateYear">
  <input type="text" data-cp="cvv">
  <input type="text" data-cp="name">
  <button type="submit">Оплатить 100 р.</button>
</form>
Fields to enter card data shall be marked with attributes:
- data-cp="cardNumber" — a field with a card number
- data-cp="expDateMonth" — a field with an expiration month
- data-cp="expDateYear" — a field with an expiration year
- data-cp="cvv" — a field with a CVV code
- data-cp="name" — a field with a last name and a first name of the card holder
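The form requirements above (HTTPS, no name attribute on card fields, a card number field that accepts up to 19 digits, the data-cp markers) can be checked statically before a page is deployed. The following is an added example, not part of the checkout script or of this documentation's own code; lintForm, parseAttrs and the shop.example URL are hypothetical, and treating all five data-cp markers as required is an assumption.

```javascript
// Added example: static check of a payment form against the requirements above.
// Regex-based on purpose (no DOM needed); assumes no ">" inside attribute values.
// Assumption: all five data-cp markers listed on the page are treated as required.
const REQUIRED = ["cardNumber", "expDateMonth", "expDateYear", "cvv", "name"];

// Parse one tag's attributes into a Map of lower-cased name -> value.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Returns a list of violations; an empty list means the form passes.
function lintForm(pageUrl, html) {
  const issues = [];
  if (new URL(pageUrl).protocol !== "https:") issues.push("page is not served over HTTPS");
  const seen = new Set();
  for (const [tag] of html.matchAll(/<(?:input|select|textarea)\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const role = attrs.get("data-cp");
    if (role === undefined) continue; // not a card-data field
    seen.add(role);
    // A named field is included in the request when the form is submitted.
    if (attrs.has("name")) issues.push(`${role}: has a name attribute`);
    const max = attrs.get("maxlength");
    if (role === "cardNumber" && max !== undefined && Number(max) < 19) {
      issues.push(`cardNumber: maxlength ${max} cannot hold a 19-digit number`);
    }
  }
  for (const r of REQUIRED) {
    if (!seen.has(r)) issues.push(`${r}: no field marked data-cp="${r}"`);
  }
  return issues;
}

// Constructed sample: a form that violates several requirements.
const BAD_FORM = `<form id="paymentFormSample" autocomplete="off">
  <input type="text" data-cp="cardNumber" name="pan" maxlength="16">
  <input type="text" data-cp="expDateMonth">
  <input type="text" data-cp="expDateYear">
  <input type="text" data-cp="name">
</form>`;

console.log(lintForm("http://shop.example/pay", BAD_FORM));
```

Note that data-cp="name" is a marker value, not a name attribute, so the card holder field in the sample is not flagged.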
To fill out the form, use the test card number (4925 0000 0000 0087); the other data can be arbitrary.
When developing your own form, pay attention to the following points:
- A card number is 16 to 19 digits long.
- The checkout script does not work in outdated, insecure browsers that do not support TLS encryption protocols, version 1.1 or higher, for example Internet Explorer 7.
- The 3DS window can be displayed either in a new window or in a frame over the page. The window size shall be at least 500×500 pixels.