CloudPayments

Checkout is a script which is added to your website, collects the card data from the specified form, and creates a cryptogram of this data for payments through our API.

The cryptogram is done by using RSA algorithm with 2048 bit key length, and is compliant with the industry standards for card data protection. If you follow the requirements below, you will not receive the card data, but your server will still influence data safety.

Requirements

Form requirements:

Must work via HTTPS protocol with a valid SSL certificate.
Fields must not contain a "name" attribute – this will ensure that any card data will not be sent to your server when form is submited.

Cryptogram requirements:

Must be generated only by the original checkout script, loaded from our system URLs.
Cryptogram cannot be stored after the payment and used for any other payment.

PCI DSS security requirements:

PCI DSS sees this method of payment as "E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises."

Until 1 January 2015, SAQ-A self-assessment form must be filled out
From 1 January 2015, SAQ-EP self-assessment form must be filled out, with quarterly ASV scans and yearly penetration tests.

Embedding

To create a cryptogram you must add a checkout script to your website

                            <script src="https://widget.cloudpayments.ru/bundles/checkout?language=en-US"></script>
            
        

Then create a card data input form

                            <form id="paymentFormSample" autocomplete="off">
                    <input type="text" data-cp="cardNumber">
                    <input type="text" data-cp="name">
                    <input type="text" data-cp="expDateMonthYear">
                    <input type="text" data-cp="cvv">
                    <button type="submit">Pay 100 roubles</button>
                </form>
            
        

Card data input fields must contain the following attributes:

data-cp="cardNumber" — card number field
data-cp="name" — cardholder name field
data-cp="expDateMonthYear" — expiry date field in MMYY format
data-cp="expDateMonth" — month expiry date field
data-cp="expDateYear" — year expiry date field
data-cp="cvv" — CVV code field

Add a script for cryptogram creation

                            this.createCryptogram = function () {
                    var result = checkout.createCryptogramPacket();

                    if (result.success) {
                        // cryptogram creation is successfull
                        alert(result.packet);
                    }
                    else {
                        // some input data is invalid, `result.messages` will contain something like:
                        // { name: "CArdholder name is too long", cardNumber: "Invalid card number" }
                        // where `name`, `cardNumber` correspond to attributes' names `<input ... data-cp="cardNumber">`, e.t.c.
                        for (var msgName in viewModel.messages) {
                            viewModel.messages[msgName](result.messages[msgName]);
                        }
                    }
                };

                $(function () { // make sure we access frame after DOM is loaded.
                    /* Creating checkout */
                    checkout = new cp.Checkout(
                    // Public ID from merchant account
                    "test_api_00000000000000000000001",
                    // element that contains card data fields (may contain any other fields which are ignored)
                    document.getElementById("paymentFormSample"));
                });
            
        

Send the cryptogram and card holder name to server and call payment method via API

Sample payment form

To fill out the form, use test card number 4925 0000 0000 0087, other data can be random.

Checkout script