Merchants that are not PCI-DSS Level 1 certified cannot allow credit card details to interact with their backend servers.
Thus, charging cards on Xendit usually requires the card details to be sent from the merchant's frontend web or app client to our Tokenization API, where they are converted to a token. A Charge request is then sent via a server-to-server API call using the token ID.
We recognize that some merchants may not have a use case for Tokenization, and prefer to charge cards directly from their frontend clients. These merchants may prefer having more control over the payment flow and their user interface, and choose not to use Xendit's CheckoutUI.
Further, Xendit's server-to-server Charge API endpoint does not support card processors where the payment interface belongs to a third party, i.e. where card details are not received directly by Xendit but are entered by the cardholder on a page to which Xendit redirects.
To serve the above use cases, Xendit has developed a Safe Acceptance API endpoint as an alternative for charging cards. The fields accepted via this API endpoint are very similar to our Charge API, with a few key differences:
- Safe Acceptance requests are validated and authenticated via signatures and not using API keys;
- Card details can be sent directly in the Safe Acceptance request, from your frontend client, without prior tokenization (but it works with token IDs as well);
- The payment result is returned via a webhook instead of an immediate response, so you will need to send us the URL at which you receive these webhooks;
- It supports transactions where the payment page is controlled by a third party and Xendit redirects the cardholder to enter card details on that page.

The Xendit Safe Acceptance API must be used for charging the following types of cards:
- BCA (Bank Central Asia)-branded local credit/debit cards (these have the BCA logo where you would normally find the Visa/MasterCard/etc. logo)
- GPN Indonesian debit cards

See our Integration and Testing page to learn how to integrate with our Safe Acceptance API, and importantly how to generate and validate signatures.