Professional Documents
Culture Documents
November 2021
Version 2.7.0.0
Copyright © 2021 JPMorgan Chase & Co. All rights reserved.
All Information contained herein is STRICTLY CONFIDENTIAL AND PROPRIETARY – Not for Use
or Disclosure outside JPMorgan Chase Bank N.A., and its respective affiliates or customers.
This publication is for informational purposes only, and its content does not represent a contract or
agreement, in any form. Chase reserves the right to alter product specifications without notice. No part of
this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopy, recording, or any information storage or retrieval system, without Chase’s
permission.
All brand names and product names used in this document are trade names, service marks, or registered
trademarks of their respective owners. No part of this publication shall be construed as any license,
express or implied, to any of the respective owners’ trade names, service marks or trademarks or any
patents, copyrights or other intellectual property of JPMorgan Chase Bank, N.A., and its respective
affiliates and shall not be used or furnished as any reference and/or in connection with any
advertisement, announcement, release or promotional materials by any persons other than such
respective owners.
Orbital Gateway Hosted Payment Solution What’s New in Version 2.7.0.0
Page 3 of 121
Orbital Gateway Hosted Payment Solution Table of Contents
Table of Contents
What’s New in Version 2.7.0.0 ................................................................................................................................. 3
About This Guide ...................................................................................................................................................... 7
Audience .............................................................................................................................................................. 7
Product Overview ................................................................................................................................................. 7
Hosted Payment Page (HPP) ........................................................................................................................ 8
Hosted Payment Form (HPF) ........................................................................................................................ 9
Supported Browsers ............................................................................................................................................. 9
Implementation Testing ...................................................................................................................................... 10
Getting Started ................................................................................................................................................... 10
Implementation Options ........................................................................................................................................ 11
Hosted Payment Form ....................................................................................................................................... 11
Essential elements for the Integration of HPF ............................................................................................. 11
Technical Prerequisites to HPF Integration ................................................................................................. 11
How Hosted Payment Form Works ............................................................................................................. 12
Parent Page ................................................................................................................................................. 13
PostMessaging ............................................................................................................................................ 14
Callback File ................................................................................................................................................ 15
HPF Parameters .......................................................................................................................................... 16
HPF Customization ...................................................................................................................................... 16
iFrame Implementation ................................................................................................................................ 21
Response Functions .................................................................................................................................... 21
Hosted Payment Page ....................................................................................................................................... 22
Essential Elements for the Integration of HPP ............................................................................................ 22
Technical Prerequisites to HPP Integration ................................................................................................. 22
How Hosted Payment Page Works ............................................................................................................. 22
Payment Page Template ............................................................................................................................. 23
HPP Customization ..................................................................................................................................... 24
Transaction Success Response Page ........................................................................................................ 30
Order Abstraction Service .................................................................................................................................. 31
Order Abstraction Three-Step Process: ...................................................................................................... 31
Order Abstraction Request uID Service ...................................................................................................... 32
Setting Maximum Number of Retries in HPF and HPP ............................................................................... 34
Fraud Mitigation Best Practices ......................................................................................................................... 35
Prevent Website Spoofing ........................................................................................................................... 35
Reduce Bot Attacks ..................................................................................................................................... 35
HPS Addresses .................................................................................................................................................. 36
Page 4 of 121
Orbital Gateway Hosted Payment Solution Table of Contents
Page 5 of 121
Orbital Gateway Hosted Payment Solution Table of Contents
Page 6 of 121
Orbital Gateway Hosted Payment Solution About This Guide
Audience
This guide is intended for use by Merchant Services clients processing payments via online e-commerce, and
Chase personnel assisting with a Hosted Payment Solution implementation. To take advantage of this interface, a
developer should be familiar with web-based forms and sending and receiving name-value pairs of data.
Note: Due to account setup restrictions, this product is only intended for U.S. Merchant Services clients.
Product Overview
The Hosted Payment Solution allows clients to offer a secure interface for customers to submit payment
information without the overhead of maintaining sensitive data in transit. Payment processing within this secure
environment removes the client from potential Payment Card Industry (PCI) liability.
HPS can perform authorization requests and create Orbital profiles (stored credentials) to be used for subsequent
transactions, but it cannot process transactions that use profiles, update profiles or delete profiles. Transactions
that use Orbital profiles require an Orbital API or the Orbital Virtual Terminal to process. HPS does not perform
voids, refunds, mark for captures or subsequent authorization transactions.
Page 7 of 121
Orbital Gateway Hosted Payment Solution About This Guide
High Level Process Flow: Illustrates how the flow of information works in a Hosted Payment environment.
2. The Request Payment interface sends the uID to the Hosted Payment interface.
The Orbital Gateway’s secure servers receive the checkout order and payment request. One of two Hosted
Payment Solutions is available to the client: Hosted Payment Page and Hosted Payment Form.
1. The HPP provides a secure hosted payment interface to the customer that mirrors the client’s website.
2. Users are redirected from the merchant website to the HPP where they submit their card information.
3. Upon a successful transaction, the user is redirected back to the merchant website on the return URL along
with the response URL.
Page 8 of 121
Orbital Gateway Hosted Payment Solution About This Guide
1. The HPF provides a payment form in an iFrame (Inline Frame) that allows users to submit their card
information via the client’s website (hosted by Orbital Gateway)
2. The cardholder data and payment transaction is securely processed by the Orbital Gateway. Payment
information can be stored in a customer profile, triggering a reference value that is not directly engineered
from payment information. The customer profile safely abstracts a client from sensitive customer data and can
be used, retrieved, or updated at any time.
Chase Merchant Services maintains two proprietary Authorization and Deposit platforms. The Orbital Gateway
processes to both platforms using identical transaction information as presented in this specification, except for
any features that may only be available on one of the two platforms. Contact the merchant Analyst or Relationship
Manager if the merchant is unsure of the correct platform where the client account resides.
Supported Browsers
Orbital’s Hosted Payment Solution (HPS) should be used with browser versions that are supported by their
developers and can run on current versions of Operating System (OS). After a company ends the support cycle
for an OS version, any browsers intended for that OS version are not supported.
When a browser reaches end-of-life support by its developer, HPS will no longer support it, but will not
intentionally disable it. Updates and patches made to HPS for security or to enhance the product may result in
system breaks if deprecated browsers are used.
Browser Versions
Page 9 of 121
Orbital Gateway Hosted Payment Solution About This Guide
Implementation Testing
Before aggregators, software vendors or merchants can process using this interface, the implementation must go
through the appropriate testing process with Chase Merchant Services. Work with your Merchant Services
Representative to schedule testing as necessary. Every feature that you will implement must go through
implementation testing.
Getting Started
The following links are to help guide the merchant to the steps required to complete the merchant Hosted
Payment Solution implementation:
6. Use uID to load Hosted Payment Form (HPF) or Hosted Payment Page (HPP).
Page 10 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Implementation Options
The Orbital Gateway Hosted Payment Solution (HPS) makes two separate but similar interfaces available: the
Hosted Payment Page and the Hosted Payment Form.
Note: Custom modifications made to HPS that are outside of the scope of this guide will not be supported.
• A suite of response functions on the merchant webpage to handle transaction and error data
• PostMessaging or a callback.html file to direct responses from Orbital Gateway to the correct response function
• A Cascading Style Sheet (CSS) file to set the appearance of the payment form
Optional element for the integration of HPF: A transaction response API call
Note: To request a payment form, set the iFrame source (src) attribute to the HPF request URL.
• Website must have a digital certificate installed (private or shared) with TLSv1.2 protocol enabled in order to post
to the service and to have the merchant images and CSS incorporated into HPF.
Note: Posting to the HPF service from a non-TLS URL results in a 404 error. Only secure connections are
accepted by the HPF servers. Merchant Services does not support local SSL storing/caching, as they are
frequently updated
Page 11 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Page 12 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
1. A customer creates an order on the merchant website. When the customer indicates they are ready to check
out, they are directed to a page within the merchant website framework that includes a particular iFrame.
2. The content of this iFrame is derived by a call out to the Orbital Gateway Hosted Payment servers. The
customer then inputs the proper payment information into the iFrame and submits the payment.
3. When the customer submits the payment information, the Orbital Gateway validates the formatting of the
request.
b. The customer must correct the information or reach out to the merchant for assistance.
After a payment is successfully processed, the payment information can be stored in a customer profile, if
desired. The customer profile ID (also known as a customer reference number) is a unique reference value
that is not derived from the customer’s information in any manner.
a. The merchant payment site displays the status of the request to the customer.
b. Orbital Gateway returns the payment information in an XML format to the merchant.
Parent Page
A parent page must be present on the merchant company website and must include an iFrame to display the
Hosted Payment Form. The merchant parent page must also include the Response Functions to handle the data
returned by the HPF during transaction processing.
Note: Modern web browsers do not allow the parent page to access data within the child iFrame. However, the
best practice is to ensure that the merchant parent page is not editable or subject to malicious action from users.
• PostMessaging (preferred)
• Callback File
Page 13 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
PostMessaging
PostMessaging redirects responses and error messages to the iFrame parent page. PostMessaging eliminates
cross-domain restrictions and safely allows cross-origin communication between a page and an iFrame
embedded within.
To use postMessaging, the merchants need to add the hpfParent.min.js script on their parent page as
shown below:
Sandbox environment:
<script src="https://www.chasepaymentechhostedpay-
var.com/hpf/js/hpfParent.min.js"></script>
Production environment:
<script
src="https://www.chasepaymentechhostedpay.com/hpf/js/hpfParent.min.js"></script>
When HPF loads, it attempts to send an init postmessage to the parent page, and if it receives a response it
knows the merchant has implemented postMessaging and sets a flag indicating that it is the method of
communication to be used going forward.
If no response is received, it defaults to the callback.html method. Although callback.html is not required when
using postMessaging, it can be used for compatibility with older browsers and some legacy corporate
implementations.
Note: Merchants must not load the postMessaging script with the async or defer attributes.
PostMessage Requirements
The hpfParent.min.js script must be loaded before the iframe loads so that it is reached on the first init
message. If for some reason the iframe sends the init message before the parent script is ready, it would cause
it to default to the callback.html method.
Page 14 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
If callback.html is not implemented by the merchant, they would not receive any response from HPF. So the
merchant must make sure that the hpfParent.min.js script is loaded before the iFrame. The callback.html
method may be used as an alternative to postMessaging for improved backward compatibility.
There are two optional callback functions: hpfReady() and scrollRelay(). The hpfReady() function
notifies the parent page that the form has finished loading and scrollRelay relays the x, y coordinates of each
scroll event in the iFrame.
PostMessages that are sent or received can be viewed in the DevTools of a browser. See Appendix D for
samples in response handling.
The hpfReady() function will trigger after the form finishes loading.
Callback File
The callback file redirects responses and error messages to the iFrame parent page. The content of the callback
file is provided on Developer Center under Orbital APIs / Hosted Payment Processing API download page. If the
callback is viewed in a browser, white page displays black text with the version number, for example, Version
1.6.4.1.
When the Gateway responds to an action taken on the merchant HPF, it looks for the callback page in the
location specified within the Hosted Payment Page Admin screen or with the callback_url parameter in the
payment form request. When the HPF system responds to an action taken on the merchant's HPF form, it looks
for the callback page in the location specified within the Hosted Payment Page Admin screen or with the
callback_url parameter in the payment form request. The callback page then directs the response to the
appropriate response function on the merchant iFrame parent page. For more information about response
handling, see Customer-Facing Response Handling.
• The callback file is required if postmessaging is not being used, and the callback file must not be altered.
Page 15 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
• The callback page must match exactly the merchant designated callback URL or what is passed in a transaction
request.
• The callback page must be accessible via the Internet to the Orbital Gateway servers without a login prompt.
• The callback page must be hosted on the same domain or subdomain as the form page that contains the
response functions.
HPF Parameters
The Orbital Gateway requires static parameters be configured before the Hosted Payment Form can be built
within the merchant website. The values for these parameters must be configured in the Hosted Payment Page
Admin screen of the merchant Virtual Terminal. Refer to the HPF URL Configuration for additional information.
• Return URL=URL of the page which handles Response XML returned by the HPF
Note: An invalid URL can cause delays in processing. Ensure that even if you are not using the Return XML
response, the return URL is valid/resolvable.
The source URL of the iFrame may override the callback URL and CSS URL set in the Gateway.
HPF Customization
The Hosted Payment Form exists as an iFrame element within a merchant’s parent page. The size and
placement of the HPF itself within the page is designated entirely within that parent page.
The payment fields presented in a Hosted Payment Form are defined by the request parameters, which are
based on a combination of the method of payment requested, the formType request element, and the
collectAddress request element.
Page 16 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
The formType request element allows for several different variations of field placement: Short, Tall, iPhone,
Mobile Friendly, Div Based or ECP tableless. See formType in HPF Request Definitions for more information.
Page 17 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Additional parameters can be used to add duplicate fields on the form for Routing Number and Account Number
to verify the entered data:
• confirm_routing_number=1
• confirm_account_number=1
Page 18 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Note: If using HPF in conjunction with the Early Warning Service (EWS), ensure that the account holder name is
included in the form. Leaving the account holder’s name blank will result in a failure at settlement. The account
holder name can be made mandatory by adding required=all in the post message.
Collection of the billing address is an optional function of the Hosted Payment Form. Address Verification Service
(AVS) data may be submitted by the merchant as part of the HPF request parameters, or it may be submitted on
the same form as the payment information input by the consumer.
The collectAddress element may be set to request the customer provide a billing address. Either a domestic
or an international address is supported, based on the collectAddress value. See collectAddress in HPF
Request Definitions for additional information.
Page 19 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Page 20 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Additional customization is available by modifying the CSS elements used by the Hosted Payment Service when
producing an HPF. The Hosted Payment Form does not use a merchant-defined template page, so the style
sheet which contains these CSS elements must be an external style sheet. A style sheet is used to match the
formatting of the HPF to the merchant website calling the form. The style sheet can also disable and change the
appearance of the submit button after it has been clicked. The URL of the style sheet is defined within the Hosted
Payment admin page or using the css_url parameter in the payment form request.
Several different base styles are available for the hosted pay form. These options are set by sending a value for
formType in the form request post. Refer to the formType field in the HPF Customization section and Appendix
B: Payment Form CSS Classes for more details.
iFrame Implementation
Customers can interact with the payment interface that is contained within an iFrame on the merchant payment
website. The contents of the iFrame are determined by setting the “src” attribute to the URL of the desired
content. To request a payment form, the “src” attribute of the iFrame is set to the intended endpoint.
Response Functions
The response functions handle the data returned to the customer by the HPF during transaction processing. The
response functions are JavaScript functions that must be located in the root frame (window top) of the merchant
parent page. Refer to Customer-Facing Response Handling.
Page 21 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
• Website must either be publicly accessible via the internet, or allow HPS requests through a firewall.
• Website must have a digital certificate installed with the TLSv1.2 protocol enabled in order to utilize the Hosted
Payment service. Connection requests coming from servers using protocols older than v1.2 will fail.
TLS certificate must also be installed on the parent page in order to incorporate images and use
Cascading Style Sheets (CSS)
Note: Merchant Services does not support local SSL storing/caching, as they are frequently updated.
A customer navigates a website to create a purchase order. The customer completes the order in the shopping
cart, and then selects a “checkout” option. This checkout process includes a call to the Orbital Gateway Hosted
Payment Service to collect the customer’s payment data.
The Orbital Gateway receives the checkout request, starting the hosted payment process. A standardized
template page is retrieved from the website design in real time. Any potentially malicious code is purged, and the
template is merged with a securely generated payment collection form.
Page 22 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
The Orbital Gateway HPP interface presents this secure hosted payment page to the customer, which emulates
the merchant website. The customer retains access to all links and live navigation of the merchant website via the
template page.
The Hosted Payment Page itself is served from an Orbital Gateway server. All payment information is handled
between the customer and the Gateway. After a payment has processed, the payment information can be stored
in a customer profile, if desired. The customer profile ID (also known as a customer reference number) is a unique
reference value that is not derived from the customer’s information in any manner.
After the payment transaction is complete, the customer is connected directly back to the Transaction Success
Response page on the merchant website. The response page interprets the order status at the merchant
discretion and includes transaction information such as masked payment data. If a customer profile is requested,
that profile reference value can be used for subsequent authorizations.
The payment template is a page on the merchant website used to present the Hosted Payment Page. The
template includes user session logic of the payment page, along with a [[FORM INSERT]] value in the content
area. The service reads the contents of the page, searches for [[FORM INSERT]], and replaces it with the
customer payment form.
The URL of the template on the merchant website is passed to the Orbital Gateway in the
content_template_url post variable.
• [[FORM INSERT]] value must be placed wherever the payment form is to appear
• Page title and any text above and/or below the [[FORM INSERT]] must be specified within the template
• URL of the payment template page can be any URL of the site, and must be accessible over HTTPS protocol
and directly available to a web browser
• Use absolute URLs for Cascading Style Sheet (CSS) and image SRC values.
• CSS file and images must be accessible via the HTTPS domain
• Template page must allow for the user session to be set via the URL
• Page should render using the application template logic and preferences set for the merchant website
Page 23 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
• HTML output (<script> and <iframe> tags) is removed for security (ensure the payment template page
renders correctly without these tags)
HPP Customization
The central element to the look and feel of a Hosted Pay Page is the merchant’s template page. The Orbital
Gateway does not place any limitations on the look and feel of the template page, outside of the basic security
procedures outlined in Payment Page Template.
Processing Overlay
The Processing Overlay feature is available on the Hosted Pay Page and creates an “in progress” screen to
overlay the Payment Page after the “Submit” button has been clicked by the customer, ensuring that the customer
sees that the transaction is still in progress and should not leave the page or click on the “Back” button. This
prevents any processing errors that may occur should the customer attempt to leave the Payment Page due to
perceived lack of activity. To enable the Processing Overlay feature, set the processing_overlay request
parameter to “1” for the merchant HPP request: processing_overlay=1.
Page 24 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
The payment fields presented on a Hosted Payment Page are defined by the request parameters.
Form Type
The form request element allows for several different variations of field placement: OS Commerce style, Magento
style, Mobile first, tableless or ECP tableless. See form in HPP Request Definitions for more information.
Page 25 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Page 26 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Additional parameters can be used to add duplicate fields on the page for Routing Number and Account Number
to verify the entered data:
• confirm_routing_number=1
• confirm_account_number=1
Note: If using HPP in conjunction with the Early Warning Service (EWS), ensure that the account holder name is
included on the page. Leaving the account holder’s name blank will result in a failure at settlement. The account
holder name can be made mandatory by adding required=all in the post message.
Address Fields
The collectAddress element may be set to request the customer provide a billing address. Either a domestic
or an international address is supported, based on the collectAddress value. See collectAddress in HPP
Request Definitions for additional information.
Page 27 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Page 28 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Language
Text presented within the template page by the Hosted Payment Service defaults to English as the language of
choice. Additional options for French Canadian or North American Spanish translations are available by modifying
the lang element when submitting a request to the Hosted Payment Service.
In order to ensure the transaction amount is displayed on the Hosted Payment Page pass the
collect_total_amount parameter along with an appropriate value:
Sample code:
Standard CSS may be used to further stylize the input fields. Most elements use a class named “main,” which
may be modified within the template page as necessary to stylize the payment fields presented to the customer. A
style sheet is used to match the formatting of the HPP to the merchant website calling the form. The style sheet
can also disable and change the appearance of the submit button after it has been clicked.
Several different base styles are available for the hosted payment page. Refer to the HPP Customization section
for more details.
• H2 (form title)
• table
• tr
• td.main
• span.main
• input
Page 29 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
• select
• #submit
Note: The payment page displays an error at any time a request fails validation. To customize the error message
text, set a hidden DIV in the merchant Payment Page Template HTML.
After the payment transaction is complete, the customer is connected directly back to the Transaction Success
Response page on the merchant website. The response is returned as name/value pairs in an HTTP $_GET
(postback) to the supplied return URL.
Page 30 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
• A payment receives a decline or error, and the number of allowed attempts is exceeded.
Declines and errors are treated as user input error. The customer is shown the error message (with suffix
if present) and asked to try again.
Note: If the customer leaves the page by clicking any link in the template HTML, the customer is no longer on the
HPP.
Order Abstraction allows the merchant to hide transaction details and the HPP/HPF request elements from the
customer’s browser. All parameters and values must be sent in a server-to-server request to generate a unique
uID, which can then be used to initiate either HPP or HPF.
The merchant’s system makes a GET call to generate the uID with 90 seconds to create an HPP/HPF payment
form using the uID. This means that the merchant has 90 seconds to pull up HPP or HPF before the uID expires
(this does not apply to the time taken to fill out the form). Exceeding the 90-second timeframe requires the
merchant to create a new uID. After the transaction is complete, the transaction response must be obtained using
a server-to-server query.
1. uID init request (Required): Send the HPF request parameters or HPP request parameters in a server-to-
server request to the Direct Services init address to generate a uID.
2. uID redeem (Required): Pass the uID to the HPP/HPF endpoint to request the payment page/form (see HPP
and HPF Web Addresses).
3. uID transaction query (Optional): Send the uID and the Account ID/API Token to the query address to
retrieve response details.
Page 31 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
To use Order Abstraction, the merchant server must submit the request elements and the Secure API Token as
an HTTPS GET message to the specified Order Abstraction hosted payment service address. Order Abstraction
begins before payment data is input into the payment interface provided by the Hosted Payment Service. Forced
Order Abstraction is configured in the Hosted Payment Page Admin screen and will require that all requests utilize
Order Abstraction. Refer to Appendix C: Hosted Payment Admin.
Page 32 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
https://www.chasepaymentechhostedpay-
var.com/direct/services/request/init/?hostedSecureID=cpt123456789012ab&hostedSecure
APIToken=12345a12b123c1d1e12345f1g12hi1jk&action=buildForm&content_template_url=htt
ps://company.mytestsite.php&return_url=https://companytest.com&cancel_url=https://c
ompanytest.com&total_amt=1.00&order_id=hps123456
uID=337DA68A0915EAEBF4F6360148218A88
Note: The uID is a one-time use token with respect to generating a payment interface to the cardholder. A
merchant has 90 seconds to redirect the consumer to the HPP or HPF, or the uID token will expire. Order
Abstraction must be re-initiated if the end user decides to refresh the page.
The merchant browser then invokes the Hosted Payment Service, passing only the uID element via HTTPS
POST. No other request elements are sent. The Hosted Payment Interface retrieves the request parameters
associated to that uID and produces a payment interface for the customer.
uID Request
uID=32F2B889D3812A3B5DFC00471279DA05
After the transaction is complete, response data is returned to the customer browser and (optionally) the
merchant. The response echoes the uID, returns the transaction status, and suppresses all other response
elements. Also refer to the table, HPF JSON Response on the Callback File. Response handling proceeds as
normal.
HPP Response
code=000&message=Success&uID=32F2B889D3812A3B5DFC00471279DA05
HPF Response
code=000&rurl=https://www.chasepaymentechhostedpay-
var.com/hpf/1_1/&message=Success&uID=32F2B889D3812A3B5DFC00471279DA05&profileId=cpt
123456789SB
Page 33 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
The merchant server may retrieve the suppressed elements by submitting a query request as an HTTPS GET to
the specified hosted payment service address. The transaction results associated with the uID token are queried,
and response data is returned to the merchant server for response handling. The Merchant Services Secure ID
(hostedSecureID) in the uID query request is case sensitive and must be expressed as “cpt” or the query will be
unsuccessful.
Note: In the HPF response, &profileId allows additional logging in the HPF system against the callback file
used by the merchant.
In Order Abstraction integration, passing max_user_retries count will restrict the number of retry attempts with
incorrect payment information; thereby curbing fraudulent retries.
Pass the parameter max_user_retries and its value in the merchant uID initialization request.
In HPP, the user is redirected to return_url after max retry count is reached.
In HPF, “Complete” button changes to “Finished” after max retry count is reached.
A retry attempt will only work if an error is returned by the gateway. It will not work on pre-fail errors which are
returned by the built-in form validation in HPP/HPF.
https://www.chasepaymentechhostedpay-
var.com/direct/services/request/init/?hostedSecureID=cpt123456789012ab&hostedSecure
APIToken=12345a12b123c1d1e12345f1g12hi1jk&action=buildForm&css_url=https://companyt
est.com/cptcodebuilder/hpfstyle.css&callback_url=https://companytest.space/cptcodeb
uilder/callback.html&sessionId=7u0sliplohkhdpt6f5625hm6k1&max_user_retries=
5&amount=1.00&orderId=hps123456
If max_user_retries is set to “5,” then a customer will be redirected to the defined return_url on the 6th
failed authorization attempt on the hosted pages.
Page 34 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Website spoofing, although very rare with HPS, is the act of creating a replica of a trusted site with the intention of
misleading shoppers to a phishing site. Normally, the spoof website will adopt the design of the target website,
and it sometimes has a similar URL.
Merchants are required to integrate HPS using Forced Order Abstraction. Order Abstraction hides key data that
could be captured and used by a bot performing systemic monitoring.
Implementing IP allow lists will only allow calls from designated IP addresses as it travels from a merchant’s
server to HPS servers when initiating a transaction.
A bot (short for “robot”) is an automated program that runs over the Internet that is used to exploit or disrupt a
merchant’s site. Some bots run automatically, while others execute commands after they receive specific input.
Attackers often create an account on a merchant’s site or use the guest checkout process and use a bot to run
transaction attempts. Requiring a guest to only supply an email address is not enough to stop these attacks.
Attackers can also attempt to test cards for legitimacy to determine whether stolen or computer-generated card
numbers are valid. Bot traffic may not be detected by a merchant if the merchant is not capturing all responses.
This is often the case if a merchant’s developers assume cardholders will occasionally need to retry their
transaction to correct an invalid card entry. Typically, retries of a single transaction are seen, and at times tens of
thousands.
• Implement max_user_retries into all transactions to limit the number of retries on a transaction.
• Using a low max_user_retries value to reduce the likelihood of an attack. For example,
max_user_retries=1 will allow two attempts (initial attempt and a retry attempt), preventing repeated retries
on a single transaction.
Page 35 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
Some merchants reuse the same order ID on all transactions, while others do not use an order ID at all. Reusing
the same order ID for all transactions can limit protections available with HPS and increase the potential for bot
traffic.
• Require Address Verification Service (AVS) and Card Security Value (CVV) validation.
• Adopt CAPTCHA to most effectively thwart bot attacks, as it requires human input into a data field.
Note: A merchant must not use formtype 5 in HPF integrations. Form type 5 was originally designed for flip
phones, and CAPTCHA and other key security features are not available with form type 5. It was deprecated
years ago and is out of scope for any security updates. All existing merchants must select another form type. See
the valid values for formType in HPF Request Definitions.
HPS Addresses
The merchant must complete implementation testing via the testing system and have the integration approved
before submitting transactions to the production system.
Page 36 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
When submitting a request, use the HTTPS GET method to submit the expected request elements, including the
hostedSecureAPIToken name-value pair, to the following addresses:
Production
https://www.chasepaymentechhostedpay.com/direct/services/request/init
Testing
https://www.chasepaymentechhostedpay-var.com/direct/services/request/init
The uID token associated to a request must be used to retrieve the corresponding response elements. To
retrieve this information, use the HTTPS GET method to submit the uID of the request, as well as the
hostedSecureID and hostedSecureAPIToken of the associated merchant to the following addresses:
Production
https://www.chasepaymentechhostedpay.com/direct/services/request/query
Testing
https://www.chasepaymentechhostedpay-var.com/direct/services/request/query
Page 37 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
IP Addresses
The following IP addresses need to be added to the merchant firewall allow list to ensure that the transaction
process flows without interruption:
40.143.178.128/25
173.237.133.128/25
3.218.44.149
34.197.32.87
54.196.87.235
54.85.151.115
chasepaymentechhostedpay-var.com
Given the inherent risks associated with processing transactions over the Internet, the Orbital Gateway has the
following two requirements:
The Orbital Gateway Hosted Payment interface must be accessed using the https protocol so that private
information is encrypted and transferred securely. This requires the use of a Transport Layer Security (TLS)
implementation. Refer to Hosted Payment Page and Hosted Payment Form for additional information on the
digital implementation testing requirements.
Page 38 of 121
Orbital Gateway Hosted Payment Solution Implementation Options
When a shopping cart makes a call to invoke the Hosted Payment Solution, the Orbital Gateway requires a
Secure Account ID to validate the request. The Orbital Gateway then compares the source of the request against
a list of authorized websites and moves forward with the request.
In addition, some requests are made in a server-to-server manner. All such requests require a Secure API Token,
in addition to the Secure Account ID.
Both of these data elements are assigned to a merchant by the Orbital Gateway at the time the Hosted Payment
Solution is enabled.
Page 39 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
Functional Processing
Customer Profile Management
The Orbital Gateway includes functionality called Customer Profile Management, which allows cardholder data to
be stored with the Orbital Gateway. Profile Management is available while using a Hosted Pay Page or Hosted
Pay Form, but is not required on a transactional basis.
After a profile is created, subsequent transactions can be processed through any online interface or the Orbital
Virtual Terminal (VT) simply by referencing the customer Profile and filling in any additional information not stored
in the profile.
Eliminates Risk
Using the Customer Profile Management feature eliminates the need to store sensitive information about a
customer on the merchant database, allowing the merchant to focus on business. It also allows Chase Merchant
Services to focus on securely processing the merchant transactions.
The merchant can request a customer profile via the HPP or the HPF during a regular payment transaction, or by
making a new token-only request without performing a transaction.
To request a token, include the hosted_tokenize element in the merchant request. This element has two
possible values:
• store_only – Creates a customer profile without submitting the transaction for approval
• store_authorize – Creates a customer profile “on-the-fly” while submitting the transaction for approval
To request a specific, unique token value for a customer profile, include the customerRefNum element in the
merchant request. The profile ID is generated automatically when the customerRefNum is not present.
Any errors with profile creation will be returned as a profileProcStatus error. These errors should not prevent a
transaction from processing.
Page 40 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
Note: For field parameter information, see the Hosted Payment Page and the Hosted Payment Form.
Image CAPTCHA
The term CAPTCHA is a program that is used to protect websites against bot attacks. An image-based
CAPTCHA option is available for HPF and HPP to provide increased security and reduce the likelihood of
fraudulent activity. This option will prevent browser based automated fraud by requiring a user to manually select
the correct answer for the CAPTCHA.
To use this feature, call Merchant Services support to enable it on the Chase Secure ID.
After Image CAPTCHA is enabled for HPF, the cardholder will see a pop-up where they must enter the text from
the image to submit the transaction. An audio CAPTCHA button is available to allow visually impaired users to
hear the pronunciation of the CAPTCHA code, and then type the spoken code from the image to submit the
transaction. If an incorrect answer is submitted, a pre-fail error 380 will be returned.
HPF CAPTCHA
Page 41 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
After Image CAPTCHA is enabled for HPP, the cardholder will see a captcha on the payment page. After they
select the correct answer, the CAPTCHA will be replaced with the payment form. If an incorrect answer is
submitted, an error will be shown on the page. An audio CAPTCHA button is available to allow visually impaired
users to hear the pronunciation of the CAPTCHA code, and then type the spoken code from the image to submit
the transaction. After four unsuccessful attempts, the user will be redirected to the return URL with the following
CAPTCHA related responses, along with other response parameters:
code=380&message=CaptchaRetryExceeded&action=captcha
Default CAPTCHA and CSS Styled
Safetech Tokenization
Merchant Services Safetech tokens can be used to replace a customer’s payment data with a value (or token).
This capability allows merchants to avoid storing and transmitting data that could be targeted by hackers by
protecting payment account information in transit and at rest. As a result, this reduces the risk of card data
exposure in case of a breach and also reduces chargebacks. Merchants can also use the same token across
multiple Merchant Services engines.
Page 42 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
Safetech Tokens must be enabled for the merchant in order to use them. If using Safetech Tokens alongside
Profile Management, profiles must be enabled on the Merchant or Chain account level. See the Virtual Terminal
User Guide located in Developer Center.
To use Safetech tokenization, a merchant must send the following parameters in the transaction requests:
requestSafetechToken=1
Visa, ChaseNet, Mastercard, American Express and Discover support the use of Safetech Tokens.
When a transaction is processed, a Safetech token will be returned with the safetechToken parameter along with
other response parameters. A sample transaction response is as follows:
transId=5EF61D0F7EAD54C8E1163EDAB30EAEF5121154B1&appCode=tst248&name=John+Doe&payme
ntType=CC&ccNumber=XXXXXXXXXXXX4448&expMonth=01&expYear=2027&ccType=Visa&cardBrandS
elected=Visa&CVVMatch=M&AVSMatch=3&safetechToken=4444440223074448
Merchants create a custom fraud analysis strategy for their business using the Safetech Agent Web Console. The
Safetech service applies this strategy to provide the following benefits:
The Safetech service is fully integrated with Orbital Gateway processing. The overall process flow is described as
the following:
2. The merchant sends an HPP or HPF request, including any additional or optional elements available, to the
Hosted Payment Service.
3. The Hosted Payment Service produces a payment interface for the customer to enter payment data. The
‘Kaptcha’ Device Data Collection seamlessly captures location and device data from the consumer.
Page 43 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
5. In the payment response, the Safetech fraud score information is included with the authorization.
a. A dynamic suite of detectors are utilized to perform real-time checks on over 200 variables, to produce a
riskScore from 1 to 99
6. Based on the Safetech response, the merchant determines whether to complete or reject the approved
transaction.
An alternative Orbital Gateway interface must be used to Void or Reverse the transaction.
Important:
Merchants may consider the request or response information provided by the Safetech Fraud Tools to be
sensitive information. Orbital Gateway requires merchants use Order Abstraction functionality to maintain
cardholder information security. See Order Abstraction.
Setup Requirements
For more information on the program, including how to obtain a Safetech Merchant ID (used in addition to the
hostedSecureID) and the assignment of a risk analyst, contact your Account Executive.
• Provides ongoing monitoring of rule strategy effectiveness, including modification of rules as needed
• Assists with creation of fraud strategy and establishment of respective custom fraud rules
Configuration within the Virtual Terminal’s Hosted Pay Page Admin screen is necessary for any merchant who
wishes to utilize Safetech Fraud Tools. See Appendix B for more information.
The Device Data Collector (also referred to as “Kaptcha”) collects and analyzes data from the customer’s browser
as a function of the Safetech Fraud Tools. The information collected by the Kaptcha process can then be applied
to a transaction to produce a more accurate fraud score. Use Kaptcha when the end user of the payment page is
the cardholder.
Note: In this document, the term “Kaptcha” is not related in any way to the common authentication practice of
CAPTCHA.
Page 44 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
Device data collection can be implemented by the Hosted Payment Service on behalf of a merchant. To request
the Hosted Payment Service to implement Kaptcha on your behalf, add the safetech_kaptcha name-value pair to
you request.
A unique session ID is needed to utilize Kaptcha. The session ID is alphanumeric and may be up to 32 characters
in length. This session id is automatically generated when safetech_kaptcha is utilized, unless the request
contains a safetech_kaptcha_id value.
Successful use of the Kaptcha functionality will produce a Chase logo on the page.
Fraud scoring information may be requested on any transaction requested by the Hosted Payment Service. The
hosted_tokenize element may be left empty or set to store_authorize; the store_only value is not supported,
because a transaction is not initiated.
Safetech Fraud Tools are only utilized on transactions which specifically request the service. This is done by
setting the safetech_enable element to ‘true’.
All data elements submitted in an HPP or HPF request are submitted to the Orbital Gateway by the Hosted
Payment Service. The overall value of the fraud score result is directly related to the transaction data included in
the request.
The scope of data returned by the Safetech Fraud Tools is designated by the safetech_format element.
Two Safetech formats are available:
A value of 2 returns the long form fraud analysis information. Additional request elements are available, and the
volume of response data is greatly expanded.
The Safetech service also allows for additional shopping cart data and/or user defined fields to be passed on a
transaction by transaction basis. These data sets are referred to as “KTT Data”, and may be submitted through
the safetech_ktt_data_string element in the request message.
Page 45 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
KTT Data is a collection of name-value pairs. Each name value pair is either a Used Defined Field, or a portion of
shopping cart data. Each User Defined Field or each shopping Cart Data set is pipe delimited (the | character).
Additionally, each User Defined Field or individual element of shopping cart data must be ampersand delimited
(the & character).
UPROMOCODE=X6Y3Z1&|UCUSTOMERREFERAL=SocialMedia&|UDISCOUNTGIVEN=10.00&|
T=Tickets&I=FridayNightBaseballGame&D=SeatsBehindHomePlate&Q=2&P=20000&|
T=StadiumParking&I=FridayNightBaseBallGame&D=VIPParkingPass&Q=1&P=2000&|
Where T=Type; I = Item; D = Description; Q = Quantity; and P = Price. All five sub-elements must be present and
valid, or the fraud analysis fails.
Merchants may submit up to 996 total characters of KTT Data, in whatever combination of User Defined Fields or
Shopping cart data they so choose.
Note: HPP merchants who utilize KTT Data do not need to use any special formatting for delimiters, such as
& or URI encoding. However, any specific value within the KTT Data string which contains a delimiting
character must URI encode that character.
Important:
HPF merchants using KTT data are required to use URI encoding for delimiters. These are %26 for an
ampersand, %3D for an equal sign and %7C for a pipe. However, any specific value within the KTT Data string
which contains a delimiting character must be URI encoded, and the percent sign used to do so must also be URI
encoded as %25.
Example:
• T= StadiumParking
• I = FridayNightGame&PostGameConcert
• D = VIPParking&BackstagePass
• Q=1
• P = 2000
Page 46 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
The Safetech service needs to receive the following string from the Hosted payment service (note the delimiting
characters):
T=StadiumParking&I=FridayNightGame%26PostGameConcert&D=VIPParking%26BackstagePass&Q
=1&P=2000&|
For the Hosted Pay Form, using
safetech_ktt_data_string=T%3DStadiumParking%26I%3DFridayNightGame%26PostGameConcert
%26D%3DVIPParking%26BackstagePass%26Q%3D1%26P%3D2000%26%7C
will result in the following (invalid) string going to the Safetech service:
T=StadiumParking&I=FridayNightGame&
safetech_ktt_data_string=T%3DStadiumParking%26I%3DFridayNightGame%2526PostGameConce
rt%26D%3DVIPParking%2526BackstagePass%26Q%3D1%26P%3D2000%26%7C
Safetech Fraud Tools is a solution which enables a merchant to better determine the risk involved with a
transaction. The riskScore is a numerical representation of the relative risk of each transaction that is screened.
The information returned can be used to enhance any current risk program, or to develop a customized approach
to risk management.
All response elements related to Safetech Fraud Tools are encapsulated in the safetech_response element of
the applicable HPP or HPF response. The following sub-elements are of particular note:
• The fraudStatusCode provides the status of the request to the Safetech service.
• The autoDecisionResponse provides a high level suggestion of what the riskScore means to the merchant.
Possible responses are A for Approved, D for Decline, R for Review, E for Manager Review
Thresholds for each value are configured by the merchant in the Safetech Agent Web Console as part of
a custom fraud analysis strategy.
Page 47 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
The Orbital Gateway provides the response information provided by the Safetech service; however it is the
merchant’s decision to proceed or not to proceed with a transaction.
Key items to remember when handling transactions which utilize the Safetech Fraud Tools:
• The authorization returned by the issuer and the safetech_response data from the Safetech service are two
separate and distinct data sets. Example: safetech_response: fraudScoreIndicator:2|fraudStatusCode:X006
• The riskScore or autoDecisionResponse does not impact the Merchant Selectable Response functionality
provided by the Orbital Gateway. Safetech Fraud Tools cannot trigger the Gateway to override an approval with
a decline.
• When a transaction receives a fraud score a merchant deems unacceptable, the merchant should submit a
corresponding Void or Reversal request to the Gateway, before the next End of Day, to prevent the transaction
from going out in settlement.
Void or Reversal requests are not available through the Hosted Payment Service and must be performed
using a separate API.
Rules Data
Requests to the Safetech service include an element labeled safetech_rulesTrigger. This element in the request
will ask the Safetech Fraud Tools to return the discreet set of rules or validations applied to this transaction.
Information on triggered rules is returned in the rulesData element of the safetech_response data. This element
contains the number of rules triggered, an equal sign, and a comma delimited text string of the individual rules
triggered by the transaction.
0003=1234,338,2974642135
Note: The setup and management of rules is done through the Safetech Agent Web Console.
Additional Notes
The Safetech Fraud Tools support the use of a stand-alone Fraud Analysis message, which requests a fraud
score without performing an authorization.
Merchants who wish to utilize stand-alone Fraud Analysis requests may use the Hosted Payment service to
create a customer profile, and then use that customer profile to submit the stand-alone request to the Orbital
Gateway. This may be done with a separate API or with the Virtual Terminal.
Page 48 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
Merchants who request a fraud score as part of their transaction are encouraged to utilize the Kaptcha device
data collector. The safetech_kaptcha element is the suggested way to use this, but merchants may separately
integrate this service into any other page on their website. Ask your Technical Consultant for documentation on
how to do so.
Card Indicators
Card Indicators are authorization data elements available to merchants who utilize the Stratus (BIN 000001)
platform. Card Indicators, also referred to as Card Type Indicators (CTI) are designed to capture valuable data
that helps merchants make better payment decisions – both at the time of the transaction and afterward.
All businesses can identify key data points that can drive payment decisions. Examples of the information
returned by Card Indicators include:
• Signature Debit cards, which are backed by a checking account of some sort.
Note: Important Card Indicators are intended only for internal use by merchants, and may not be appropriate for
customer consumption. Forced Order Abstraction shields this data from the customer’s browser.
Card Indicators are supported for both HPP and HPF integrations. The HPP or HPF requests Card Indicator data
for either of the following two conditions:
• The ‘Card Indicators’ checkbox is selected in the HPS Admin Page in the Virtual Terminal.
Note: To override the default setting for a specific transaction, set cardIndicators to N.
Additionally, the following conditions are required for Card Indicators to be returned:
• The merchant’s Orbital Gateway account must be set up on the Stratus platform.
Page 49 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
The customer must submit a Visa, Mastercard, Discover, Diners, or JCB credit card.
Additional response parameters are present in the HPP response, the HPF Inquiry Response, and/or the HPF
Return XML when this data is returned. Each indicator is returned in a separate element with a ‘Y’ (Yes), ‘N’ (No),
or ‘X’ (Not Applicable or Unknown) value. The country of issuance is returned as a 3 letter ISO country value.
Additional Notes
To request Card Indicators on all transactions through the Hosted Payment Service (HPS), select the Card
Indicators checkbox within the HPS Admin page in the Virtual Terminal.
Caution: Unexpected response parameters can negatively impact merchant integrations to the Hosted Payment
Service. Contact your Technical Implementation Manager before enabling Card Indicators.
Account Verification
Account Verification provides the ability to verify a card-holder’s account without financially impacting their open-
to-buy.
The principle behind Account Verification is that either a zero-value or a one-dollar amount (see below for
difference) is submitted as part of the authorization process, instead of a full transaction amount. This enables the
merchant to verify that the card-holder has provided an active card and that the address information provided is
accurate and aligns to the details held on file by the card-holder’s bank, without reserving funds against the card.
As with a standard authorization, both Address Verification Service (AVS) and Card Security Value (CVV) can be
verified along with the account number.
To specifically flag a request for account verification, set the account_verification request parameter to ‘yes’ for
your HPP or HPF request.
Page 50 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
• The transaction amount will be zero if the customer submits a Visa or Mastercard.
• The transaction amount will be 1.00 if the customer submits another card type.
A Profile will be returned in the transaction response which should be captured and used to complete the
transaction for the desired amount as per the Customer Profile Management section of this guide.
In addition to generating transactions via cardholder-initiated events, there are also transactions where payment
facilitators need to use a cardholder’s payment credentials (i.e., account details) that were previously stored for
future purchases. A stored credential is information including, but not limited to, an account number or payment
token that is stored by a payment facilitator to process future transactions.
With Stored Credential and Merchant Initiated Transaction Framework, data is presented with authorizations and
transactions to identify stored credentials and indicate cardholder consent was obtained. Within these
frameworks, transactions are presented as either a Cardholder Initiated Transaction (CIT) or a Merchant Initiated
Transaction (MIT). An Orbital API must be leveraged in order to complete MIT transactions. For details regarding
MIT, refer to the applicable Orbital API documentation on Developer Center.
Within this Framework, the merchant is responsible for receiving and retaining the Transaction ID (TXID) for use
on subsequent transactions.
When a credential is used for a single, one-time use, that transaction is considered outside of the Stored
Credential Framework. If a credential is instead used to set up a cardholder account that will support future
purchases, that credential use is considered within the Stored Credential Framework. The initial use of a
credential within the Framework is initiated by the cardholder, and creates a Stored Credential. The Stored
Credential is intended to support more than one transaction.
Page 51 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
All Stored Credential transactions must be part of the framework. However, not all credential transactions will
necessarily be part of the framework.
A CIT can be submitted to use a stored credential for a transaction. When initiating a transaction using the
framework, the appropriate message type must be sent. The Comparison of Credentials in Framework table
illustrates the parameters when using both Credentials and Stored Credentials within the framework.
• First transaction initiated by the • Account (Stored Credential) will be used for future purchases,
cardholder/customer such as card on file, wallet, recurring, etc.
• Can also be used to complete a • Future purchases will use stored information
single transaction or single • Stored Credential can be Payment Token or PAN (Primary
purchase Account Number)
• PAN (Primary Account Number) or • Stored credential can be used by either a cardholder or
Payment Token merchant
Cardholder-Initiated Transactions
With a Cardholder-Initiated Transaction (CIT), the cardholder/customer performs the transaction. A CIT can be
submitted through a terminal, in a store or an online checkout; available types will vary based on specification
support. A CIT can use payment credentials, which can be a PAN or payment token. A CIT can also use a Stored
Credential.
Typically, an initial CIT is performed using payment credentials to establish an account on file and the Stored
Credential. When a CIT is performed using payment credentials, additional cardholder data such as CVV2 or chip
data (as applicable) is recommended as part of the validation process to demonstrate that the cardholder is
involved in the transaction. Once the account on file is created, the cardholder can also perform CITs using the
Stored Credential.
Page 52 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
• If an amount is due at the time credentials are stored, submit the CIT as an authorization for a purchase
transaction.
• If no amount is due when the credentials are stored, submit the CIT as an Account Verification.
Orbital maintains stored credential related data on our clients’ behalf. For Visa and Discover profiles, the MIT
(transaction) Type together with the MIT TXID or Network Reference ID (NRID) is stored in the Profile and is
visible to you. MIT TXID/NRID is then used by Orbital to tie subsequent MIT transactions to the initial CIT
Transaction that initiated the CIT sequence. For Mastercard profiles, MIT Types are stored in the profile and will
be visible to merchants.
Card on file profiles need to use CIT data in order to use the CIT framework for both HPP and HPF.
While initiating a new CIT transaction, create a new profile and store the CIT information on that profile. Orbital
Gateway will use the stored credential information associated with saved profile to complete a CIT framework
transaction. Two parameters are necessary to use the CIT framework:
• The hosted_tokenize parameter is used to identify that a customer profile should be created as part of a
request. Set the hosted_tokenize parameter to store_only to create the profile without submitting for approval,
or set to store_authorize to create the profile while submitting for approval.
• The mitMsgType parameter is used to process the transactions; it indicates the message type code to be used
for the message type records. Set mitMsgType to one of the following:
Page 53 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
(mitMstType)
Signifies that the merchant is storing the cardholder credentials for Mastercard
the first time in anticipation of future stored credential transactions. Discover
Example: A cardholder sets up a customer profile for future American Express
purchases.
Page 54 of 121
Orbital Gateway Hosted Payment Solution Functional Processing
(mitMstType)
Note: Refer to the HPP Request Definitions and HPF Request Definitions for more details regarding parameters.
Page 55 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
HPS Parameters
This chapter provides definitions for the name-value pair elements used by the Hosted Payment Solution.
• Elements which are only required by certain actions are classified as Conditional.
• Fields may be Alpha (A) only, Alphanumeric (AN), or Numeric (N) only.
• Special characters such as pipe characters should generally be URL encoded, while punctuation should not.
The Payment Request Form URL Value Descriptions table describes the name-value pairs used in the iFrame request URL.
Page 56 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
callback_url Sets the URL of the callback.html file. This value Optional AN Varies
overrides the URL set in the Hosted Payment Page
Admin screen.
css_url Sets the URL of the CSS file used to style the payment Optional AN Varies
form.
allowed_types The card types to display on the payment form. Conditional A Varies
Valid values:
• American Express
• Diners Club
• Discover
• JCB
• Mastercard
• Visa
Page 57 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Valid values:
• Credit_Card
• ECP
• SAFETECH
Valid values:
Valid values:
Page 58 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
collect_total_amount Displays the total amount field on the payment page. Optional N 1
Valid values:
• 1 = read only
• 2 = editable
Sample code:
Page 59 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
• abcdefghijklmnopqrstuvwxyz
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• 0123456789
Valid values:
• 1 = read only
• 2 = editable
Page 60 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
sessionId Unique session identifier for the customer/user on the Mandatory AN Varies
client site; at least eight characters in length.
analysis Card type and card level options are available. Both Optional AN 20
can be used. Involves BIN lookup to determine P2 or
P3. (Debit or credit)
Valid values:
Page 61 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
formType Sets the base layout for the payment form. Optional N 1
Valid values:
• 0 = Short
• 1 = Tall
• 4 = iPhone
• 7 = Div Based
• 9 = ECP tableless
confirm_routing_number Works with formType=9 for ECP. When used, Routing Optional N 1
Number field appears twice for verification on the
payment page.
Valid value = 1
confirm_account_number Works with formType=9 for ECP. When used, Account Optional N 1
Number field appears twice for verification on the
payment page.
Valid value = 1
Page 62 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
required Defines which fields on the payment form are required. Optional A 7
Valid values:
collectAddress Sets the option to display billing address fields on the Optional N 1
payment form.
Valid values:
Page 63 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Valid values:
Valid values: Y or N
Page 64 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
country ISO code of the country billing address. Two or three Optional A 3
character ISO code (depends on merchant entry).
Default = USA.
Page 65 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Valid values:
Valid values:
• Blank = null
• Y = Yes
• N = No
Page 66 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Valid values:
Valid value = 1
Valid values:
Valid values:
• 1=Short response
• 2=Long response
Page 67 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Valid values:
Valid values:
• enabled
enabledNoLogo
safetech_websiteShortName This value is used by the Safetech service for Fraud Optional A 8
Analysis rules.
safetech_cashValueOfFencibleItems The cash value of any fencible items in the order. Optional N 12
Page 68 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
safetech_customerIDCreationTime A Unix Epoc format timestamp for the creation of the Optional N 10
value in safetech_customerID.
safetech_ktt_data_string This element can be populated with a string of user- Optional AN 996
defined Fraud Analysis rules, Shopping Cart Data, or
both.
Valid value = 1
hostedSecureID=cpt000000000SB&hostedSecureAPIToken=12345a12b123c1d1e12345f1g12hi1jk&action=buildForm&css_ur
l=https://company.mytestsite.css&callback_url=https://https://companytest.callback.html&sessionId=2e1b7klm7
7fk11id70kl4japr5&payment_type=Credit_Card&allowed_types=Visa|Mastercard|AmericanExpress&analysis=card_type
|card_level&trans_type=auth_only&required=all&formType=1&lang=en_US&collect_total_amount=1&hosted_tokenize=
store_authorize&max_user_retries=3&account_verification=yes&amount=1.00&orderId=hps123456&name=John
Doe&customer_phone=1234567890&address=Apt #123&address2=123 Test
Road&city=BOSTON&state=MA&postal_code=02135&country=US&customer_email=testemail@test.com&customer_id=123456
78
Page 69 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
The Hosted Pay Form returns transaction response data in two separate methods: in a Javascript Object
Notation (JSON) response sent through the customer’s browser and in an XML file directly to the
merchant’s server. This allows both customer–facing and merchant–facing responses to be handled as a
merchant sees fit.
• hpfReady()
This function is called when HPF has finished loading and ready for user input.
• startPayment()
When the user clicks the Submit button, this function is triggered.
• cancelPayment()
This function triggers when the user cancels the payment by clicking the cancel button.
• handlePaymentErrors()
This function is called when the customer submits data that does not pass form validation or the
credit card does not process as expected. This function returns a single object containing a list of
error codes, the gateway code and message rather than a pipe delimited string of error codes. Refer
to Appendix A for a list of error codes.
• completePayment()
• scrollRelay()
When a user scrolls over the payment form, this function relays the X and Y coordinates of each
scroll event in the iframe.
Page 70 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Callback Functions
Customer-facing responses are handled in functions contained in the Callback page of the HPF
implementation. Those functions are listed below:
• cancelCREPayment()
Called when the customer clicks the cancel button on the payment form
Function closes the iFrame and indicates that the customer’s card was not charged
• whatCVV2()
Called when the customer clicks the link for more information about CVV2 numbers
Function displays a popup window, which describes what the CVV2 number is and where to find
it on the card
• completeCREPayment(transaction)
Optionally called for transaction errors when more detailed information is required for debugging
Note: Transaction responses are also sent directly to the merchant in an XML format. See HPF
Response on the Return URL for more details.
• creHandleErrors(errorCode)
This function is called when the customer submits data that does not pass form validation or the
credit card does not process as expected.
The errorCode parameter is a pipe-delimited string containing three-digit error codes that correspond
to the errors that occurred. Possible error responses are listed in Appendix A: Error Handling.
This function is a more detailed version of CREHandleErrors, for situations where more detailed
debugging information is required.
Page 71 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
errorCode = A pipe delimited string of three-digit error codes returned specifically by the Hosted
Payment service. Possible error responses are listed in Appendix A: Error Handling.
gatewayCode = The proc status code returned by the Orbital Gateway. These are common
response messages to all Orbital Gateway interfaces.
gatewayMessage = The proc status text reported by the Orbital Gateway for the transaction.
These are common response messages to all Orbital Gateway interfaces.
code Success or failure code. See Appendix A: Error Handling for Varies
details.
uID Contains the unique value used to identify the transaction Varies
requested.
rurl Hosted Payment Solution endpoint used to submit the HPF Varies
request.
Customize the display of error messages and transaction responses by editing the Merchant-Facing
Response Handling.
Page 72 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Your server may retrieve the suppressed elements by submitting a query request as an HTTPS GET to
the specified hosted payment service address. The transaction results associated with the uID token are
queried, and response data is returned to your server for response handling.
Max
Parameter Name Description
Size
Valid value: 1
code Success or failure code. See Appendix A: Error Handling for Varies
details.
type Card brand type, auto detected based on the starting Varies
number or BIN Range.
Page 73 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Max
Parameter Name Description
Size
callback_url Callback file URL used in the uID init request. Varies
css_url CSS URL file URL used in the uID init request. Varies
profileProcStatus Value indicating the success or failure of the profile portion Varies
of a store_authorize or store_only request.
Page 74 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Max
Parameter Name Description
Size
Sub-elements include:
• A=Approved
• D=Decline
• E=Manager Review
• R=Review
Page 75 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Max
Parameter Name Description
Size
Page 76 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Max
Parameter Name Description
Size
The return URL is not used for handling responses in HPF. Its only purpose is to provide additional
information for database insertion or as a secondary validation of a transaction result. The return file
information is not available in real time and may take several minutes to populate.
Page 77 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
transId Null 0
cardBrandSelected Contains the payment association for the selected card. Varies
Page 78 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Sub-elements include:
• D=Decline
• E=Manager Review
• R=Review
Page 79 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Page 80 of 121
Orbital Gateway Hosted Payment Hosted Payment Form
Notes:
• The HPF only returns a merchant-facing response when a transaction is successful. In the event of a
failed payment, the customer is shown the payment form again with an error message. The customer
can either correct the form and retry the transaction or leave the page.
• Response parameters are not guaranteed to appear in the order they are documented. Responses may
contain deprecated response elements, which should be ignored. This is more likely if a previous “Orbital
Hosted Payment Specification” value has been selected in your Virtual Terminal HPP Admin Page.
Refer to Appendix C: Hosted Payment Admin for more information.
Page 81 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
The values in the Payment Request Page Post Value Descriptions table are used in a call to the Hosted Payment Page service.
content_template_url URL where the merchant template resides – must be https Mandatory AN Varies
accessible
return_url URL on the merchant site where the customer is returned, Mandatory AN Varies
along with the values from a successful transaction; must
be https accessible.
Page 82 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
cancel_url URL on the merchant site where the customer is returned Optional AN Varies
if the customer clicks “Cancel” on the payment form; must
be https accessible. If not defined, HPP returns the
customer to the URL set by the return_url post value.
Valid values:
• American Express
• Diners Club
• Discover
• JCB
• Mastercard
• Visa
Valid values:
• Credit_Card (default)
• ECP
• SAFETECH
Page 83 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values:
Valid values:
Page 84 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
collect_total_amount Displays the total amount field on the payment page Optional N 1
Valid values:
• 1 = read only
• 2 = editable
Sample code:
Valid values:
• 1 = read only
• 2 = editable
Page 85 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
currency_code The three-letter ISO currency displayed with the amount. Optional A 3
sess_name Used in conjunction with the session ID to pass a session Conditional AN Varies
variable to the client payment template.
sess_id Used in conjunction with the session name to pass a Conditional AN Varies
session variable to the client payment template.
analysis Card type and card level options are available. Both can Optional AN 20
be used. Involves BIN lookup to determine P2 or P3.
(Debit or credit)
Valid values:
Page 86 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
form Sets the base layout for the payment form. Optional AN 13
Valid values:
confirm_routing_number Works with form = ecp_tableless for ECP. When used, Optional N 1
Routing Number field appears twice for verification on the
payment page.
Valid value = 1
confirm_account_number Works with form = ecp_tableless for ECP. When used, Optional N 1
Account Number field appears twice for verification on the
payment page.
Valid value = 1
Page 87 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values:
• 0 = “Submit” (default)
• 1 = “Pay $ {Amount} “
• 2 = “Pay”
• 3 = “Pay Now”
• 4 = “Complete”
required Defines which fields on the payment form are required. Optional A 7
Valid values:
Page 88 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
collectAddress Sets the option to display billing address fields on the Optional N 1
payment page.
Valid values:
lang Indicates the input fields are presented to the consumer in Optional AN 5
a language other than English.
Valid values:
Page 89 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values: Y or N
customer_postal_code Postal (ZIP) code of the billing address; at least five Optional AN 10
characters in length.
customer_country ISO code of the country billing address. Two or three Optional A 3
character ISO code (depends on merchant entry). Default
= USA.
customer_email Customer email for the billing address; must follow valid Optional AN 50
email formatting
Page 90 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid value = 1
Page 91 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values:
Valid values:
• Blank = null
• Y = Yes
• N = No
Page 92 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values:
Valid values:
Valid values:
• 1=Short response
• 2=Long response
Page 93 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
Valid values:
Valid values:
• enabled
• enabledNoLogo
safetech_websiteShortName This value is used by the Safetech service for Fraud Optional A 8
Analysis rules.
safetech_cashValueOfFencibleItems The cash value of any fencible items in the order. Optional N 12
Page 94 of 121
Orbital Gateway Hosted Payment Hosted Payment Page
safetech_customerIDCreationTime A Unix Epoc format timestamp for the creation of the value Optional N 10
in safetech_customerID.
safetech_ktt_data_string This element can be populated with a string of user- Optional AN 996
defined Fraud Analysis rules, Shopping Cart Data, or both.
requestSafetechToken This element is used to request a Safetech token for the Conditional AN 1
card to make a payment. Must also send mitMsgType=
CSTO, CREC, CINS, CGEN, CEST
Valid value = 1
hostedSecureID=cpt0000000SB&hostedSecureAPIToken=12345a12b123c1d1e12345f1g12hi1jk&action=buildForm&content_
template_url=https://www.website.com/hpptemplate.html&return_url=https://companytest.return.html&cancel_url
=https://companytest.cancel.html&allowed_types=Visa|Mastercard&trans_type=auth_only&processing_overlay=1&co
llectAddress=1&hosted_tokenize=store_authorize&total_amt=1.00&order_id=hps123456
Page 95 of 121
Orbital Gateway Hosted Payment HPS Parameters
After the payment transaction is complete, the customer is connected directly back to the Transaction
Success Response page on your website. The response is returned as name/value pairs in an HTTP
$_GET (postback) to the supplied return URL.
Max
Parameter Name Description
Size
code Success or failure code. See Appendix A: Error Handling for Varies
details.
Valid values:
Page 96 of 121
Orbital Gateway Hosted Payment HPS Parameters
Max
Parameter Name Description
Size
Valid value: 1
type Card brand type, auto detected based on the starting Varies
number or BIN Range.
Page 97 of 121
Orbital Gateway Hosted Payment HPS Parameters
Max
Parameter Name Description
Size
profileProcStatus Value indicating the success or failure of the profile portion Varies
of a store_authorize or store_only request.
mitMsgType Indicates the CIT message type code to be used for the 4
message type records
Sub-elements include:
Page 98 of 121
Orbital Gateway Hosted Payment HPS Parameters
Max
Parameter Name Description
Size
• A=Approved
• D=Decline
• E=Manager Review
• R=Review
Page 99 of 121
Orbital Gateway Hosted Payment HPS Parameters
Max
Parameter Name Description
Size
Max
Parameter Name Description
Size
1. Why do I see a page I did not design with the words “[[FORM INSERT]]?”
The template file is fetched in real time, every time an HPP request is made to the Hosted Payment
Solution. The service must be given a valid, https accessible URL to fetch the template.
The service returns this error when a template URL is provided, but the process of fetching the
template fails. See the issue description for 10034-2351 in the Integration Error table located in
Appendix A: Error Handling for more information.
Separate, direct integration points are helpful to perform actions that are not supported by the Hosted
Payment Solution. For example, HPS can create Orbital profiles, but does not process requests that
use the profiles. Clients need a separate integration to one of the Orbital APIs or need to utilize
Orbital Virtual Terminal in order to process requests that use profiles.
The hostedSecureAPIToken is used to engage the service to generate the uID prior to displaying
the form/page for payment. The value is not visible to the end user. The only Order Abstraction
scenarios that require the use of this value are initial uID generation and uID response query.
The hostedSecureAPIToken is meant to remain secret to everyone but the client and the server.
This name-value pair should only be submitted to the Order Abstraction endpoints, and should never
be submitted to the standard HPP/HPF endpoints.
5. How does the collectAddress request element interact with my request parameters?
The collectAddress request element gives customers the ability to input a billing address in the form
fields provided by the HPP or HPF. A valid billing address is required when collectAddress is
utilized. U.S. addresses (including Armed Forces) and International addresses are supported, based
on the collectAddress value.
Billing address details are also supported using request parameters for each address field (i.e.,
customer_address, customer_city, customer_state, customer_zip). These details are passed as-
is to the issuer when collectAddress is off, and they pre-fill the HPP or HPF address form when
collectAddress is used.
6. Why does my HPP implementation display with broken content, such as images?
A common mistake when working with HPP is to forget the “base” HTML element, which is used in
the template page to resolve content such as images.
The template forms the base of the Hosted Payment Page, and the payment fields are woven where
the service finds a [[FORM INSERT]] string. If this string is located within a wrapper with a relative
URL, such as a Form or DIV, the payment links can be misdirected to relative links which do not exist.
The parent page contains response functions, and the buttons on the page can trigger those
functions. Response data is fed from the iFrame to the parent page via the callback file.
The parent page must contain response functions to take action on a transaction.
If the web browser does not contain the correct domain, the browser prevents data flow between
iFrame and parent page, including any prefixes, such as “www.”
The callback file must be available to the Hosted Payment service. To test this, place the exact
callback URL in a web browser and confirm the page can be found.
The most common reason for this error is when an HPP merchant has not listed any authorized
domains in the HPP Admin Settings in the Virtual Terminal, or when the HPP parameters are
submitted as a GET instead of a POST.
This error can also be triggered when the service cannot find a valid secure account ID in the request.
This is most likely due to an incorrectly encoded uID in the initial request.
Validate the secure account ID name-value pair is correct in the merchant uID request; the name is
case sensitive and the value will never be a merchant number nor a Virtual Terminal username.
Depending on the merchant environment, contact Gateway Support or the merchant Analyst for
further details.
1. Integration errors
2. Pre-fail errors
Integration Errors
Integration errors can occur if there are issues integrating the HPS system into the merchant application.
Issue 10034-2351 has been HPP The service returns this error when a template URL
encountered is provided, but the process of fetching the template
fails. Possible triggers include:
Issue 10034-2356 has been HPP Often occurs after issue 10034-2351 has been
encountered cleared. See description above.
Domain validation check failed for HPP This error occurs when the domain sending the
https://www.example.com HTTPS form POST is not entered into the
Authorized Websites list in a merchant's profile.
Ensure the domains are entered without spaces or
carriage returns and no "http://" or “https://.”
Example: domain1,domain2,domain3.
Store profile is incomplete … HPF This error means your profile is missing some
aborting! required information. This error typically occurs when
the following HPF URLs are missing in your profile
configuration:
• CSS URL
• Return URL
• Callback URL
Missing or unknown profile HPP and This error occurs if the merchant is using an
HPF incorrect hostedSecureID or endpoints in the
integration.
TEXT_ERROR_HPF_MERCHANT HPP and Parameter names and values are case sensitive,
_ID_MISSING HPF and they are different according to the integration
method such as HPP or HPF.
Pre-Fail Errors
Pre-fail errors can occur if a transaction fails prior to submission to HPS. This typically indicates the built–
in validation found an error and did not submit the transaction for processing. See the Hosted Payment
Specific Response Codes table.
In HPF, only the error response codes are returned (see Response Code column). The message
descriptions can be customized according to the error code on the merchant system.
In HPP, message descriptions are returned and can appear on the page or as pop-ups on the screen
(see the Description column).
Response Description
Code
100 Merchant Identifier left blank or not valid. The transaction was not processed.
110 Session Identifier left blank. The transaction was not processed.
310 Credit card number left blank or did not pass Mod10.
350 CVV2 field submitted but does not match the card.
360 Payment declined by financial institution, or some other error has occurred (returned
from Orbital), such as an invalid message type.
Response Description
Code
The following table contains the most common Orbital Gateway interface error codes.
05 Do Not Honor
52 Processor Decline
89 Credit Floor
841 Account number has failed a prefix check and is invalid for the merchant account
0,1 .creExpirationMonth Drop down containing the credit card expiration month.
0,1 .creExpirationYear Drop down containing the credit card expiration year.
0,1 .finishedCompleteButton Persistent style for the complete button after the
transaction is complete.
0,1,5 .creAccountNameField ECP Only: Input containing the name on account value
0,1,5 .creAccountTypeField ECP Only: Drop down containing the account type
value
0,1,5 .creAccountNumberField ECP Only: Input containing the DDA Account number
label
Refer to the Orbital Virtual Terminal User’s Manual located in Developer Center for additional information
on how to log in or navigate within the Virtual Terminal.
Note: The Google Chrome browser provides for the best Virtual Terminal viewing experience.
Users with permission to access the Hosted Payment Admin page will find the Admin dropdown list at the
top of the page:
Select the Hosted Solution dropdown to designate an implementation of a Hosted Payment Page or
Hosted Payment Form for the merchant account:
Enter the list of approved domains that are authorized to the merchant account profile in the Authorized
Websites field:
Authorized IP Addresses increases security and reduces the likelihood of fraud. If a merchant is using
an Order Abstraction integration, they can add all their server IP addresses in a comma-separated list in
the Authorized IP Addresses box. This list will be checked when uID init requests are sent to the HPF and
HPP. If an IP requesting a uID init request does not exist in the box, that request will be rejected.
If the box is empty, HPF and HPP will not check IP addresses for the uID init requests.
Select the Forced Order Abstraction checkbox to generate a secure payment interface for the merchant
customers. Order Abstraction is a required feature.
American Express does not send CIT/MIT information by default, however Merchant Services will
automatically enable the feature for new customers. For existing customers, select Enable CIT/MIT for
American Express to enable CIT/MIT functionality for American Express transactions.
https://www.chasepaymentechhostedpay-
var.com/direct/services/request/init/?hostedSecureID=xxxx&hostedSecureAPIToken=xxxx&action=buildF
orm&css_url=xxxx&callback_url=xxxx&sessionId=xxxx&amount=1.00&orderId=hps123456
uID=BF7380E2B7xxxxxxxxxxx
<script>
function handlePaymentErrors(data){
alert( "postMessage function handlePaymentErrors is called. \nError: " +
Object.values(data) );
}
function completePayment(data){
alert("postMessage function completePayment is called. \n Response:"+
Object.values(data) );
alert(data.uID);
}
function hpfReady(){
console.log("HPF Form finished loading.");
}
function startPayment(){
console.log("Payment processing start.");
}
function cancelPayment(){
alert("postMessage function cancelPayment is called. \n You have canceled
the payment.");
}
<div id="secureFrameWrapper">
<iframe id="secureFrame" class="secureFrame" style="border:1px dashed
slategrey; background-color:#f4f4f4;" height="270px" width="400px"
src="https://www.chasepaymentechhostedpay-var.com/hpf/1_1/?uID=UID_HERE">
</iframe>
</div>
function removeElement(element) {
element && element.parentNode && element.parentNode.removeChild(element);
}
removeElement( document.getElementById("secureFrame") );
document.getElementById("secureFrameWrapper").innerHTML = "<p>Your
transaction was successful!</p>"
+ "<p>Code: "+code+"</p>"
+ "<p>Message: "+message+"</p>"
+ "<p>uID: "+uID+"</p>";
}
function cancelCREPayment() {
alert("Payment Cancelled");
}
<div id="secureFrameWrapper">