The document discusses payment acceptance and card tokenization in JavaScript using the PayMaya Payment Gateway. It describes how the Payment Gateway provides an abstraction layer to enable merchants to accept card payments without needing to understand complex card network standards. It also explains how card tokenization allows collecting card data in apps and websites while reducing PCI compliance requirements by replacing sensitive card details with tokens. Finally, it outlines the PayMaya Payment Gateway APIs and SDKs that make integration easy for developers.
10. REVIEWING THE TERMS IN A CARD TRANSACTION
▸ Card issuer - Entity that creates and issues a card, e.g.
issuing bank, PayMaya
▸ Card scheme / network - Network technology provider,
e.g. VISA, MasterCard, JCB
▸ Acquirer / payment processor - Financial institution that
processes card payments on behalf of a merchant, e.g.
PayMaya Business, BDO, BPI
11. HOW DO CARD ISSUERS,
ACQUIRERS, AND CARD
SCHEMES COMMUNICATE?
12. ISO8583
▸ By Wikipedia: “ISO 8583 Financial transaction card
originated messages — Interchange message
specifications is the International Organization for
Standardization standard for systems that exchange
electronic transactions made by cardholders using
payment cards.”
13. SO DO I NEED TO LEARN
ISO8583 TO ACCEPT CARD
PAYMENTS?
20. PAYMENT ACCEPTANCE AND CARD TOKENIZATION IN JAVASCRIPT
GOALS OF THE PAYMAYA PAYMENT GATEWAY
▸ Enable merchants to accept card payments
▸ Make card payment acceptance easy for developers
▸ Deliver business value (accept payments, mitigate fraud,
real-time monitoring, next day settlement)
24. WHAT IF I WANT TO COLLECT
CARD HOLDER DATA IN MY
WEB SITE OR APP?
26. BEFORE THAT, LET’S DISCUSS PCI-DSS
▸ PCI-DSS - Payment Card Industry Data Security Standards
▸ From Wikipedia: “Proprietary information security standards
for card schemes like VISA, MasterCard, AMEX, JCB, etc. It
was created to increase controls to prevent card fraud”
▸ Validation is performed by a Qualified Security Assessor
(QSA) or Internal Security Assessor (ISA) via a Report on
Compliance (ROC)
▸ For smaller firms: Self-Assessment Questionnaire
27. PCI-DSS APPLIES TO ANY ENTITY
THAT STORES, PROCESSES, OR
TRANSMITS CARD DATA
28. WHAT DOES IT MEAN?
▸ If you’re a merchant, technically you’re in scope for PCI-
DSS
▸ For most merchants, it’s a Self-Assessment Questionnaire
(SAQ)
▸ Can I still accept card holder data in my web site or app?
Yes
30. WHAT IS TOKENIZATION?
▸ The tokenization process transforms a card primary
account number (PAN) to a surrogate random string called
a “token”
▸ Since tokens are not PANs, they’re out of scope for PCI-
DSS
▸ As a merchant, you still need to answer a Self-Assessment
Questionnaire (SAQ A-EP)
32. PAYMENTS TOKENISATION
• Allows merchants to embed
payment form into their web site
or mobile app, i.e. better
experience
• Reduces merchant’s PCI-DSS
scope by providing a one-time
use “payment token” as reference
to customer’s card details
• Increased level of technical effort
compared to PayMaya Checkout
(Payment Page)
33. CARD VAULTING AS A
SERVICE
• Provides merchants the ability to
store their customer’s card details
and charge for payments on-
demand
• Superior user experience
• Reduces merchant’s PCI-DSS
scope by providing a multi-time
use “card token” as reference to
customer’s card details
• High level of technical integration
effort
34. RECURRING PAYMENTS
• Provides merchants the ability
to charge for payments
periodically: daily, weekly,
monthly, etc.
• Reduces merchant’s PCI-DSS
scope by providing a multi-time
use “card token” as reference
to customer’s card details
• High level of technical
integration effort
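The difference between the one-time-use "payment token" and the multi-time-use "card token" described in slides 32 to 34, as an added example that is not from the original slides and is not PayMaya's API or SDK. It is a toy in-memory vault: `TokenVault`, `tokenize` and `charge` are hypothetical names, and the card number is a constructed test value.

```javascript
// Added illustration, NOT PayMaya's API or SDK; all names here are hypothetical.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Luhn checksum: reject mistyped PANs before issuing a token.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Random surrogate: carries no information about the PAN it stands for.
function randomToken(prefix) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return prefix + Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

// Gateway side: the only place the PAN is ever held.
class TokenVault {
  #entries = new Map(); // token -> { pan, multiUse }
  tokenize(pan, { multiUse = false } = {}) {
    if (!luhnValid(pan)) throw new Error("invalid card number");
    const token = randomToken(multiUse ? "card_" : "pay_");
    this.#entries.set(token, { pan, multiUse });
    // The merchant receives only the token and a display hint.
    return { token, last4: pan.slice(-4) };
  }
  charge(token, amount) {
    const entry = this.#entries.get(token);
    if (!entry) return { ok: false, reason: "unknown or already used token" };
    if (!entry.multiUse) this.#entries.delete(token); // payment token: one use only
    return { ok: true, amount, last4: entry.pan.slice(-4) };
  }
}

// Constructed sample: 4111111111111111 is a well-known test number, not a real card.
function demo() {
  const vault = new TokenVault();
  const pay = vault.tokenize("4111111111111111");
  const card = vault.tokenize("4111111111111111", { multiUse: true });
  return { pay, card,
    payFirst: vault.charge(pay.token, 100), paySecond: vault.charge(pay.token, 100),
    cardFirst: vault.charge(card.token, 50), cardSecond: vault.charge(card.token, 50) };
}
```

The merchant's database would hold only `token` and `last4`; a replayed payment token is refused, while the card token can be charged again.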
35. VAULT A CARD
POST /CUSTOMERS/123/CARD
MAKE A PAYMENT
POST /CUSTOMERS/123/CARD/1/PAYMENTS
39. PAYMENT ACCEPTANCE AND CARD TOKENIZATION IN JAVASCRIPT
SUMMARY
▸ We learned that a Payment Gateway provides payment
acceptance services
▸ Card tokenization is a technique that provides flexibility
and a better user experience while maintaining high levels of
security
▸ We also learned how to use PayMaya Payment Gateway’s
APIs and JavaScript SDK