Introducing the Checkout SDK

Access Worldpay's Checkout SDK is a secure, PCI compliant and customizable way to capture card data on websites or apps. This article explains how it works.

Product Knowledge

Written by the Access Worldpay Team
24 February 2022


Access Worldpay's Checkout SDK is a hosted fields integration solution. It gives merchants and developers a secure and PCI compliant way to capture card details using a checkout form that can be customized to your own unique style and brand.

What is the Checkout SDK?

The Checkout SDK (software development kit) is a hosted payment fields integration solution. As such, it gives you a secure way to capture sensitive card data while also qualifying for SAQ-A, the lowest PCI compliance level.

The SDK can be integrated into websites and used to build native Android or iOS apps. In addition, its checkout form can be fully customized to suit your own brand and style.

Checkout is the first step of the payment journey. It can be used with different Access Worldpay APIs to complete the payment flows you need, such as one-time, stored card and/or repeat payments.

How does it work?

Once it has captured your customer's card details, the Checkout SDK uses them to generate an encrypted session - a unique, encrypted identifier for that card's details. Using our Verified Tokens API, you can then use this session to create a reusable verified token. In conjunction with our Payments API, this lets you take a payment now or in the future.

There are three different ways you can take payments using SDK-created sessions:

  1. Pay with a new card - after the SDK creates an encrypted session, Access Worldpay verifies the card details and creates a reusable verified token for the card number and expiry date.

Most card issuers only need the card number, expiry date and account details to take a payment. Once the CVC number has been used to verify the card, it is not stored - this is in line with PCI compliance. Worldpay stores the verified token for future use.

  2. Pay with a new card and CVC - as well as verifying the card details and creating a verified token, Access Worldpay also creates an encrypted CVC session.

This means that when you're taking a payment, you can gain extra security by submitting the CVC number along with the card number and expiry date. In accordance with PCI guidelines, Worldpay stores the card number and expiry date as a verified token for repeat payments and stores the CVC for 15 minutes as an encrypted CVC session.

  3. Pay with a stored card and CVC - in this instance, you use the SDK to create an encrypted CVC session that captures your customer's CVC number. You then use the CVC session, together with a previously created verified token, to take a payment.

Why use the Checkout SDK?

The SDK has a variety of features that can help you, your developers and your customers. More details are provided below but, in summary, these include:

  • Qualification for the lowest level of PCI compliance (SAQ-A)
  • Fully customizable checkout form
  • Support for web, iOS and Android
  • Automatic card brand identification and configuration
  • User input validation and PAN formatting
  • Support for a WCAG AA level compliant checkout page

Low PCI compliance

The Checkout SDK enables you to qualify for the lowest level of PCI compliance (SAQ-A) because it provides a hosted fields integration solution. This means that Worldpay handles all the sensitive card data - you never see the data at all. In every transaction, the card number, expiry date and CVC data are sent directly from your customer's browser or app to Worldpay without ever touching your server.

Why does PCI compliance matter?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global initiative to ensure that every organization using cardholder information does so in a consistently secure way. Enforcement is becoming stricter across the world and compliance requires continuous, active work to ensure systems are secure.

PCI DSS has a number of different levels. Fundamentally, these depend on two things:

  1. the number of card transactions a merchant processes each year; and
  2. how the merchant integrates with its payment provider (e.g. Worldpay).

Integrating directly with a payments provider requires the highest level of PCI compliance, involving the greatest number of requirements. By contrast, using a hosted integration solution only demands the lowest level of compliance - an annual self-assessment questionnaire (SAQ-A). That's because the primary responsibility for securely collecting, storing and processing cardholder data lies with the payments provider, not the merchant.

Customizable checkout form

The Checkout SDK lets you design exactly how your checkout form will appear to your customers. The solution is fully customizable, giving you full control over the location of each field and how these are branded and styled.

Website and native app support

We've developed specific versions of the Checkout SDK for web, Android and iOS. In addition, our web SDK documentation includes examples for integration into modern frameworks such as Vue.js and React.js. As a result, it's a straightforward process to integrate the SDK into your website and native apps. The SDKs also ensure full responsiveness to different screen sizes.

Automatic card recognition and configuration

The SDK automatically recognizes every brand of card. It also includes a configuration feature that lets you list the different card brands that you support. By default, the SDK allows every brand of card.

User input validation

User input error is a common issue, so the SDK automatically ensures that the card data entered by your customer makes sense. For example, it checks that the card number length is correct, and that the expiry date is in the future, not the past. Alongside this, it allows for 'PAN formatting' - automatically formatting the card number as your customer types it in, depending on the brand of the card itself. For example:

  • Visa and MasterCard: XXXX XXXX XXXX XXXX (4 blocks of 4)
  • American Express: XXXX XXXXXX XXXXX (3 blocks of 4, 6 and 5)
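
The checks and formatting described above, sketched as an added example (this is not the Checkout SDK's code). The brand prefixes, the function names and the Luhn check-digit test, which goes beyond the length and expiry checks the article mentions, are assumptions of this example.

```javascript
// Added example, not Checkout SDK code. Brand rules are simplified assumptions.
const BRANDS = [
  { name: "amex", prefix: /^3[47]/, length: 15, blocks: [4, 6, 5] },
  { name: "visa", prefix: /^4/, length: 16, blocks: [4, 4, 4, 4] },
  { name: "mastercard", prefix: /^(5[1-5]|222[1-9]|22[3-9]|2[3-6]|27[01]|2720)/,
    length: 16, blocks: [4, 4, 4, 4] },
];
const digitsOnly = (input) => input.replace(/\D/g, "");
const detectBrand = (pan) => BRANDS.find((b) => b.prefix.test(pan)) || null;

// Format as the customer types: group digits by the brand's block sizes.
// Digits beyond the brand's total length are dropped.
function formatPan(input) {
  const pan = digitsOnly(input);
  const brand = detectBrand(pan);
  const blocks = brand ? brand.blocks : [4, 4, 4, 4];
  const out = [];
  let pos = 0;
  for (const size of blocks) {
    if (pos >= pan.length) break;
    out.push(pan.slice(pos, pos + size));
    pos += size;
  }
  return out.join(" ");
}

// Luhn check digit: double every second digit from the right, sum, mod 10.
function luhnValid(pan) {
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return pan.length > 0 && sum % 10 === 0;
}

// expMonth is 1-12. A card stays valid through the last day of its expiry month.
function validateCard(input, expMonth, expYear, now = new Date()) {
  const pan = digitsOnly(input);
  const brand = detectBrand(pan);
  const errors = [];
  if (!brand) errors.push("unsupported brand");
  else if (pan.length !== brand.length) errors.push("wrong length");
  else if (!luhnValid(pan)) errors.push("bad check digit");
  const firstInvalidDay = new Date(expYear, expMonth, 1); // 1st of the following month
  const monthOk = Number.isInteger(expMonth) && expMonth >= 1 && expMonth <= 12;
  if (!monthOk || firstInvalidDay <= now) errors.push("expired");
  return { brand: brand ? brand.name : null, errors };
}
```

Checks like these only improve the customer's typing experience; in a hosted fields integration they run inside the provider's fields, and the card data still never reaches the merchant's server.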

Accessibility

The Checkout Web SDK enables and supports you in ensuring that your checkout page meets at least AA level of WCAG compliance. Our SDK provides some default values for certain attributes that are also fully customizable. In addition to the configuration customization, we have some recommendations to help your checkout page meet an AA rating against WCAG standards.

Visit w3.org for more information on WCAG accessibility compliance.

Next steps

We hope that this article has explained what the Checkout SDK is, how it works, and the potential features and benefits it offers merchants, developers and customers. More information and support materials for the SDK are available - simply click on one of the links below.

More information

  • Detailed Checkout SDK Developer documents for web, iOS and Android, including code examples and simulations.
  • Checkout Android SDK GitHub repo, including demo app.
  • Checkout iOS SDK GitHub repo, including sample app.