Secure Fields Overview
SecureFields JS Overview
SecureFields JS is a hosted field (payment, PII) solution that helps developers provide additional security to a merchant’s website. They are plug-in fields in your platform's "end-user" interface that provide an easy way to securely implement data collection without needing to pass through your systems. SecureFields JS fields are customizable, secure, input elements. When a user enters secure data in these fields, the data is converted into a token/s. The token/s can be used to send the sensitive data to the specified destination.
If you are looking for specific commands or options, please see the reference to the developer API specs provided from within your partner portal
Advantages of using SecureFields JS
Instantly create customized forms that adhere to PCI and other PII requirements. Our servers intercept the sensitive data before it hits your servers and replaces it with aliased version, while securing the original data in our vault.
The following example shows a rendered payments form using the SecureFields JS to serve the card holder name, card number, expiration date and CVV fields.
Implementing SecureField JS
1. Add SecureFields JS to your checkout page
There are two ways to load SecureFields JS
Option #1 - To add SecureFields JS to your checkout page, include our JavaScript library in your host page:
Note: Replace <payengine-partner-server> in the script with the following values based on the environment
a. Sandbox environment - https://console.payengine.dev
b. Production environment - https://console.payengine.co
Option #2 - Alternatively, to load only the SecureField JS library without the web components, include the following JavaScript library in your host page:
Then copy the following checkout form into the checkout page:
This will create a very simple (and unstyled) payment form. However, the payment form will not yet contain the fields nor will it be functional. It must first be configured before it can successfully tokenize your payment methods.
Important:
For credit card form, the field ids must match exactly the pre-defined field ids by our system in order for us to tokenize the appropriate data.
card-name,card-number,card-expiry,card-cvcFor general PII data any IDs can be utilized.Cardholder's address fields -
address_line1,address_line2,address_state,address_country,address_zipif you are planning to capture address fields as part of secure fields. But these fields can be captured outside of secure fields too and in that case, these fields should not be included in the above form. Refer to this section on more details
2. Initialization
Once the host form is on the page, the fields are initialized with the SecureFields JS module.
Place the below snippet in a new script tag on the bottom of your checkout page, swapping out the example environment key with your own.
Note
If the merchant enters the credit card information, set the parameter manuallyEntered to true. And on the other hand, if you enter the credit card information, set the parameter manuallyEntered to false
To link the created card to a specific merchant, pass the corresponding Platform
merchant_idin themerchant_idparameter. The card will then be restricted to that merchant's use only.
Capturing cardholder's billing address fields
There are two ways to capture address fields and send to Platform
Capture address fields within the secure fields (refer here for sample)
Capture address fields outside of the secure fields, in your own form and pass these address fields via createCard (refer here for sample)
2a. Capture address fields within the secure fields
2b. Capture address fields outside of secure fields, in your own form and you can pass the address info via createCard
In this scenario, you will capture the address fields in your own form and provide those values in the form.createCard function as shown below
Following sections are only applicable if you're tokenizing card data for payments. For general PII information, please refer to Using tokens .
Visa 3D Secure Update: Action Required
Partners must collect cardholder's mobile number OR email address during payment processing by January 20, 2025. Update existing tokens with this information before use (refer step 3 below for tokenizing payment details)
See Visa Secure Program Guide Updates for details. Contact Platform support with any questions you have.
3. Tokenize payment details
Note from the example code above that SecureFields JS doesn’t automatically hook into any form events. Instead, you must explicitly tell it when you want to send the collected card data for tokenization.
As shown in the example above, the most straightforward approach is to create a form onSubmit handler or an element eventListener that serves as a trigger to delegate to SecureFields JS createCard() method. This method will in turn return the tokenized card object that you can safely store within your system.
4. Executing an auth transaction
After the SecureFields JS tokenizes your payment method, it is up to you to execute the actual transaction from your backend server environment. This is necessary because the browser is not a secure environment and should never contain your access secret (which is required to invoke the transactional portion of our API).
When the checkout form is submitted, extract the token parameter and use it to execute an auth and capture using the direct APIs:
The above call will authorize a payment method to be charged a specific amount and return an authorization id. No funds are taken with an auth – a follow-up capture transaction is required to actually move the funds.
5. Executing a capture transaction
To capture the amount, you must next call the capture API endpoint
the amount and currency_code are optional fields within the capture call if a partial capture is desired.
At this point, you should be able to see the posted transactions via the merchant's transactions page available via your partner portal.
6. Refund the transaction
To refund the amount, void or reverse the transaction you must make next call
Implementing CSS for secure fields
To customize the appearance of secure fields in your payment form, you can add CSS to style them according to your needs. Here's a sample CSS snippet:
SecureField JS with OAuth token
Before proceeding with this guide, ensure that you have already integrated with Platform OAuth 2.0. This setup requires obtaining a Merchant Session Token using an OAuth access token and providing a function (fetchAccessToken) when initializing the Platform library.
Load Platform library
We recommend using npm to install Platform, as shown in the following example. However, it is also possible to integrate Platform without npm.
Install payengine library from npm public registry:
To use SecureField JS with an OAuth token, you must implement an endpoint on your server that retrieves a Merchant Session Token. This token allows SecureField JS to process payments securely.
Create a function that calls your server’s new endpoint (/session/token) to retrieve the Merchant Session Token:
If you are not using npm, you need to manually load the SecureField script in your HTML head and define the fetchAccessToken function globally.
Modify your HTML <head> tag to include the SecureField JS script. Instead of providing a public key, define an onload function that initializes SecureField.
Once the payengine library is loaded and configured with fetchAccessToken, you can initialize the SecureField JS
Creating a Merchant Session Token
To interact with SecureField JS, you must obtain a short-lived Merchant Session Token. This requires calling the Platform API with your OAuth access token.
1. Implement a server-side endpoint
Your server should expose an endpoint (/session/token) that requests a Merchant Session Token from Platform using an OAuth access token:
Last updated