Addressing common misconceptions about the Payment Request API
Even with the PR API, developers still have to send the payment information provided by users to a payment gateway or a payment processor in order to be processed and for the money transfer to happen. Upon user tapping a "PAY" button, instead of a form being POSTed to a server, the website's JavaScript will receive the user's payment information so you can handle it however you want. Typically, you would forward that directly to a payment gateway to obtain a token and then process the payment from your server.The Payment Request API is designed to handle virtually any kind of payment methods including bank transfers, cryptocurrencies, e-money, points, etc.
If your site is compliant with PCI DSS or PCI SAQ A-EP, you are probably working at a relatively large company and there's not much to worry about to implement the PR API as long as you implement it securely.
If your site is compliant with PCI SAQ A, be careful. With PCI SAQ A, you are not supposed to handle raw credit card information directly. This means using the Payment Request API with "basic-card" as a payment method is outside of PCI SAQ A v3.2 compliance.
Comments