The EPX Browser POST API is an https service designed to allow the secure integration of financial transactions from a developer-hosted website. The system allows a merchant to accept a web payment via a browser form and submit the transaction request directly to EPX for financial processing, with no critical card information ever existing on, or available to, the developer’s system.

Delivering definitive business benefits:

The EPX Browser POST API combines security and simplicity in one package: Its as easy to use as adding a form on a webpage,  but provides advanced security via seamless connections and tokenized session support. Once the transaction is processed, the data is sent back to the developer’s server via a redirect with the response data attached.

The EPX Browser POST API imparts an added layer of payment security by confirming transaction details directly with your system before accepting the transaction directly from the merchant’s or customer’s browser. This information is secured through an encrypted token referred to as a Terminal Authentication Code (TAC).

How it works:

The Browser POST requires Key exchange processes employing TAC to proceed. Before serving a payment page via Browser POST, the developer must obtain a TAC from the EPX system. The key exchange process ensures transaction integrity and security by encrypting developer provided values into a TAC to be included in the browser form for submission to the Browser POST API. Every submission to the Browser POST API must contain a unique TAC token or it will be rejected. The TAC value is a safeguard against many man-in-the-middle attacks that could otherwise occur. Additionally, the TAC value is time-stamped and expires after 4 hours as an extra layer of control.

After the TAC is acquired, the developer serves a payment page to a merchant agent’s or customer’s browser consisting of a form containing the TAC, the transaction information, and fields for the customer to complete. Upon submitting the form, this information will be sent to the EPX system for processing. After completion, the browser is redirected to the merchant site with the results of the financial operation attached.

How to get started with the EPX Browser POST API Process Flow Description:

  1. The end user signals the developer’s system that the customer is ready to “check out” and complete the financial transaction. The final transaction amount must be available to the developer’s system at this time.
  2. The developer’s system makes a TAC request to the EPX key exchange service via HTTPS.
  3. The TAC is returned directly to the developer’s system.
  4. The developer’s system serves a payment page with a form to the merchant’s or customer’s browser. This form should POST directly to the Browser POST API url. The form must contain the TAC token and may also include any merchant provided information for the transaction, e.g. invoice number, user data fields, etc.
  5. After entering their financial information, the user submits the web payment form directly to the Browser POST API url.
  6. The transaction is verified using a two-phase validation process.
    1. First, the TAC token is decrypted, and all critical transaction information verified against the values POSTed to the Browser POST API.
    2. Second, all POSTed fields are checked for potentially harmful content including: cross-site scripting, SQL injection, etc. If all validations are successful, a financial transaction is formatted and submitted to the EPX Payments Gateway for processing.
  7. Financial transaction results are returned to the Browser POST API.
  8. The Browser POST API redirects the merchant’s/customer’s browser back to the developer’s system, with the transaction response values attached.
  9. The developer’s system returns a receipt page to the merchant’s/customer’s browser.

How to get started:

EPX provides developers access to a test environment for application building and separate credentials for production after completing certification.

The typical steps to certification:

  1. A developer must register to access the dashboard, initiate a project, and receive test credentials.
  2. With these credentials, the developer can build their application against the test environment.
  3. Webhook URLs to be provided by client during registration. Browser Post URL endpoints to be provided by EPX during registration.
  4. Once development is complete, you can submit your application for certification.
  5. After certification has been passed, the integration team will issue a certification letter, which can be used to acquire your production credentials.