
Financial account data is considered to be some of the most important and sensitive data in existence. And in today’s world, it is also among the most commonly requested data on the Internet. Let’s face it — everybody shops online. And online shopping requires merchants to request payment data from the shopper. This presents inherent risks associated with providing financial data using online forms. It is due to these risks that a high importance has been placed on protecting user payment data.




So, how can we reduce the risk of compromising account data and ensure a positive experience for users visiting an online store? WorldPay has the solution in the form of eProtect.


WorldPay eProtect provides merchants with a solution for card-not-present processing risks, allowing the merchant to protect shopper payment data, and providing application developers with several API solutions that are both secure and easy to implement.


This article walks through what eProtect does and how it works.

What is eProtect and how does it protect account data?


As mentioned above, WorldPay eProtect is a solution for reducing the risks associated with card-not-present (cnp) payment processing. But you may be wondering exactly how it reduces these risks. WorldPay eProtect assumes the responsibility for protecting payment data through several solutions. These include hosting the fields that hold this payment data, as done through use of the iFrame API, or through calls on form submit to the eProtect JavaScript API that passes the payment information from form fields hosted on the application web server to the eProtect server for processing. In short, through the use of an eProtect API, the transmission of sensitive data by the application web server is rather limited.


For our purposes, let’s take a closer look at the eProtect iFrame API. Through the use of this API, the fields that will hold sensitive account data are embedded on the page using an iFrame. This iFrame is hosted by the eProtect server. When the user submits the account data (card number, CVV value, expiration date), this data is submitted to the eProtect server rather than transmitted via your own web server.

This eProtect server is a PCI-compliant environment to ensure data security. The moment eProtect receives the card data, it triggers a cnpAPI call to register a token with the Vault where the account data is securely stored. It is this token that will be used for retrieving account data when the payment is processed. The eProtect server then returns a registration ID to the web page. Finally, when the actual payment has been authorized, the registration ID and payment information are sent to the Vault. The Vault then uses this registration ID to efficiently find the token and card number, and processes the payment securely. This transaction simply returns the previously registered token that can be stored by the client as they would card data. This ensures that no actual account data is stored by the client, significantly reducing the risk of an issue due to compromised user account information.


Implementing eProtect from WorldPay


One of the most encouraging parts of utilizing eProtect from WorldPay is the ease with which the solution can be implemented in a web application. Sticking with the iFrame API solution that we discussed above, let’s take a look at some sample code where an iFrame running code hosted by the eProtect server is embedded in a payment page in a web application to allow account data to be processed via the secure, PCI-compliant eProtect environment.


The first step in implementing the iFrame solution from eProtect is to include the jQuery library. After that, we also need to ensure that we have included the client JavaScript for the eProtect iFrame API. This is done by adding a script tag to download the JS from the following URL:


It should be noted that this URL is not for production use. For the sake of this example, I utilized the “pre-live” URL from the eProtect documentation.


The final steps from an HTML perspective are as follows. We will need to include the div element representing the iFrame to be embedded on the web page. In the screenshot of the sample code, you can see that it is assigned the ID attribute iFrameElem. This will be important when configuring the iFrame via custom JavaScript. In addition, we need to include form fields for holding attributes of the response from the eProtect service. Hidden fields such as the one shown below in the screenshot (input with ID attribute response$paypageRegistrationId) are added to the form so that the JavaScript can assign their values. We also need to provide ourselves with a spot to write some custom JS for instantiating the iFrame and handling the response. We do so by creating impl.js to properly configure the iFrame. Finally, we download this custom JS file as represented by the last script tag in the head container of our HTML file.


[Screenshot: eProtect code 1]


In the custom JavaScript associated with the example, two important actions need to take place. First, the iFrame needs to be configured so that it can be properly added to the checkout page. Next, the response from the eProtect server must be handled to retrieve what is known as the paypageRegistrationId — the registration ID that will be sent with payment information to the Vault post-authorization to map to the account data and process the payment.


In configuring the iFrame, several properties are required. These required properties include the following:

  • paypageId - ID value provided by WorldPay
  • reportGroup - required by cnpAPI for reporting purposes
  • style - Custom CSS for styling the iFrame
  • timeout - Allotted time in milliseconds before the call times out
  • div - ID value of the HTML div where the iFrame is embedded (in our case: iFrameElem)
  • callback - the function to call for handling the response from the eProtect server


Please see the screenshot below for the portion of impl.js representing the configuration of the iFrame. Notice the line that instantiates iFrameElem passing the configuration JSON to construct the iFrameElem object.


[Screenshot: eProtect 2]


The next step in the process is to handle the response from eProtect in our callback function. In our particular example, this is the function called iFrameElemCallback. A key element in the callback response is the paypageRegistrationId as that is what will be used by the cnpAPI to locate the associated token and card information in the Vault when processing the actual payment.


In the screenshot below, you will see the defined callback function. This is used to check the response code, handle the response data, and submit the form. The snippet below shows the first two steps. The hidden form field for paypageRegistrationId has the value set after we check and find that the call to eProtect has been successful. Other attributes of the response object can be handled in the same manner. This success response is defined by the response code 870, which we check for prior to setting the hidden form field value and submitting the form. Additional response codes and additional information on the response object from the eProtect service can be found in the eProtect online documentation.


[Screenshot: eProtect 3]
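The configuration check and callback flow described above, as an added example; it is not Worldpay's code and not the code from the screenshots. The response field names `response` and `paypageRegistrationId`, the form ID `checkoutForm`, the placeholder ID values and the fake DOM are assumptions made so the logic runs under Node.js as well as in a browser.

```javascript
// Added example: iFrame configuration check plus a fail-closed callback.
// Assumed (not from the article): response.response holds the response code,
// response.paypageRegistrationId holds the registration ID, form ID "checkoutForm".

const SUCCESS_CODE = "870"; // success response code named in the article
const REQUIRED = ["paypageId", "reportGroup", "style", "timeout", "div", "callback"];

// Reject a configuration that lacks any of the six required properties.
function buildIframeConfig(settings) {
  const missing = REQUIRED.filter((k) => settings[k] === undefined || settings[k] === "");
  if (missing.length > 0) {
    throw new Error("missing eProtect iFrame properties: " + missing.join(", "));
  }
  if (typeof settings.callback !== "function") {
    throw new Error("callback must be a function");
  }
  if (!Number.isInteger(settings.timeout) || settings.timeout <= 0) {
    throw new Error("timeout must be a positive number of milliseconds");
  }
  return Object.freeze({ ...settings });
}

// Returns the callback. `doc` is `document` in a browser; injected here for testing.
function makeIframeCallback(doc, formId) {
  return function iFrameElemCallback(response) {
    const field = doc.getElementById("response$paypageRegistrationId");
    const form = doc.getElementById(formId);
    const code = response ? String(response.response) : "";
    const regId =
      response && typeof response.paypageRegistrationId === "string"
        ? response.paypageRegistrationId.trim()
        : "";

    if (code !== SUCCESS_CODE || regId === "") {
      // Fail closed: clear any ID left from an earlier attempt and do not submit.
      field.value = "";
      return { submitted: false, code };
    }
    // Only the registration ID reaches the merchant form, never card data.
    field.value = regId;
    form.submit();
    return { submitted: true, code };
  };
}

// Constructed stand-in for the checkout page DOM.
function fakeDocument() {
  const elements = {
    "response$paypageRegistrationId": { value: "stale-from-earlier-attempt" },
    checkoutForm: { submitCount: 0, submit() { this.submitCount += 1; } },
  };
  return { getElementById: (id) => elements[id] };
}

function demo() {
  const doc = fakeDocument();
  const config = buildIframeConfig({
    paypageId: "PAYPAGE_ID_PLACEHOLDER",       // value provided by WorldPay
    reportGroup: "REPORT_GROUP_PLACEHOLDER",
    style: "sample",                           // constructed style name
    timeout: 15000,
    div: "iFrameElem",
    callback: makeIframeCallback(doc, "checkoutForm"),
  });
  // Constructed responses: one non-870 code, then a success.
  const failed = config.callback({ response: "999", message: "constructed failure" });
  const afterFail = doc.getElementById("response$paypageRegistrationId").value;
  const ok = config.callback({ response: "870", paypageRegistrationId: "CONSTRUCTED-REG-ID" });
  return {
    failed,
    afterFail,
    ok,
    fieldValue: doc.getElementById("response$paypageRegistrationId").value,
    submitCount: doc.getElementById("checkoutForm").submitCount,
  };
}
```

In a browser, pass `document` as `doc` and hand the object returned by `buildIframeConfig` to the eProtect iFrame client loaded by the script tag.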



Storing payment data that is later compromised is among the worst possible events that can happen to an Internet merchant. It damages the trust necessary for a merchant to be successful. WorldPay eProtect can help in mitigating the risks associated with collecting payment data, ensuring that shoppers have a positive experience and feel comfortable engaging in future transactions.

In part one of this two-part series, we highlighted five critical payment integration questions for the development team.


These questions looked at data security, integration capability, the ability to scale and access to support. Answers from the development team provide a way to plan and work with a payment solution provider. There are more questions to consider for your payment integration.


Five Additional Questions to Ask Developers


Let’s look at five more critical questions to ask the development team:


1) Does the payment integration technology provider have a testing platform?

Worldpay has a developer sandbox that serves as a secure testing platform for card payments, a wide range of currencies and alternative payment options.


The sandbox offers simulators so developers can create mock retail orders to test every aspect of the payment lifecycle -- from payment submission to authorization and capture to settlement or refund.


During the testing process, developers can include various payment parameters like payment outcome. Throughout the simulations, developers can also gauge shopper payment flow. Knowing how to address different shopper volume levels can help the company design a payment processing system that delivers an enhanced customer experience.


Developers can also use magic values in Worldpay’s sandbox. These values represent specific payment parameters added to an XML order. Using one or more of these magic values accelerates the testing process.


2) How do Worldpay’s features and benefits compare to payment industry competitors?

From helping small businesses to enterprises, Worldpay’s payment solution is a comprehensive product suite. Depending on the complexity of your business, the development team has the possibility to implement a wide range of features to realize significant benefits. 


Worldpay enables smarter, faster, and easier payment processing with alternative payment methods, cross-border payments, gateway services, fraud and risk management, omni-channel, treasury services, and more. 


For small businesses, including pop-up shops and kiosk businesses, there are many features to help the connected consumer buy anytime, anywhere. Payment acceptance options include terminals and POS systems, mobile payments, credit cards, gift cards, and prepaid cards.


Enterprises share some of the same needs as small businesses, but they also have other requirements that Worldpay understands. These advantages offer frictionless, on-demand payments for in-store and online environments across all card types.


Beyond delivering a full feature set for all types of businesses, Worldpay ensures a secure payment environment. Working as both a gateway and acquirer means we own and operate the entire payment journey. Data is not lost during any touchpoint due to the greater level of control. Proprietary in-house fraud tools bolster payment and data security.


3) Why do some payment integration processes take longer than others? Which features take the longest to integrate?

Security compliance complexity impacts payment integration timing. The degree of customization a company needs may also affect the process.


Developers can provide guidance on delays to better inform the team on payment integration progress. They can test available fraud protection and screening tools.


To gain some momentum, developers can leverage Worldpay’s range of APIs for every business type. For example, JSON API is our newest offering and includes a combination of rich payment features and alternative payment options.


XML API is a comprehensive API designed for global enterprises that seek advanced card payment features, alternative payment options and enhanced functionality and granular control. Small business can use HTML API to enjoy hosted payment pages. In each case, these payment integration APIs can improve the timeline.


4) Are mobile wallet capabilities worth adding to our payment integration platform?

Mobile wallet usage in the U.S. surpassed debit cards by seven percent in 2017. This payment method will become the top payment choice by 2021, according to research.


Many companies have struggled to decide whether they should integrate this feature in their payment processing. With research pointing to growing mobile wallet market share in the U.S., your company may want to include this payment option now or in the future.


In tracking these payment trend changes, Worldpay provides a fast, effective way for developers to add mobile wallets to the payment processing environment.


5) How can our company prepare for alternative payment methods, such as voice payments?

A company should evaluate what’s driving trends in alternative payment methods like voice payments, assess adoption rates and understand the consumer’s point-of-view.


Interest in this alternative payment method has grown as more consumers and businesses have started using voice-driven digital assistants like Alexa and Google Home. As users become more accustomed to relying on these digital assistants, the devices will need more digital banking integration solutions to handle voice-driven payments.


A BI Intelligence research report stated that 18 million US consumers have already made a voice payment. Millions more stated that they plan to try voice payments soon or want to learn more about how they work. By 2022, this figure will grow because of technology and security improvements.


In the discussion between you and your development team, ask developers to be aware of these types of trends as well as explore the technical components of emerging alternative payment methods. When the company is ready to implement this type of payment acceptance method, the development team will be more prepared.


Time to Talk

Although there is a lot to think about, it’s time to talk with the Worldpay integration team, ask these payment integration questions and discuss the available solutions. Contact Worldpay to discover the best payment integration framework for your company and improve how you work with merchants and shoppers.



3 Considerations for Building a Gig Economy App


The largest hotel chain in the world (Airbnb) has no hotels, and the largest taxi company in the world (Uber) has no taxis. How did this come about? How did these and other so-called “gig economy” companies impose massive disruption on billion-dollar industries in such a short time?

Part of the answer, of course, involves their novel business strategies. But also at play are the apps that drive these gig-economy companies. Uber, Airbnb and the like would be nothing without well-designed apps that deliver an excellent user experience.


In this regard, there is a lot that developers can learn from the gig economy. Traditionally, programmers haven’t spent much time thinking about how to develop the type of app that powers a company like Uber. But as the gig economy grows more and more important, that will likely change.


Toward that end, let’s take a look at what developers should be thinking about if they’re building a gig-economy app. The lessons below apply whether you’re creating such an app from scratch, or improving one that already exists (and yes, while gig-economy apps like the ones I’ve mentioned above may be great, there is always room for improvement).


Scaling the stack


To be competitive and relevant in today’s gig economy market, where customer expectations are basically going through the roof, scalability is key. It doesn’t matter whether there is just one user on your app or 100,000: they all expect your app to perform like Netflix. Accounting for spikes in usage is an important part of scaling, and you need to be ready to handle the traffic before you start advertising or giving out discounts. The key here is to scale horizontally and automate the process of adding and removing containers or virtual machines based on demand.


Automated scaling isn’t just about adding more nodes based on a preset threshold. It’s also about automatically rebalancing the workload among the servers and hosting virtual machines in multiple regions. Load balancers monitor nodes and distribute traffic efficiently among them so no one node takes on too much work. However, this process must be repeated every time there’s a significant change in workload, or some servers may be overworked while others just waste away. That’s why it’s a good idea to automate the process with a tool like Elastic Load Balancer from AWS or Cloud Load Balancer from Google.

Location and architecture


Location is important, too, and multi-region hosting offers much better latency for end users. This is because apps deployed across multiple regions can not only serve users from more data centers, but also from data centers that are in closer proximity to them. It’s good to not have all your eggs in one basket, especially in case of a DDoS attack. Multi-region hosting is critical with regards to disaster management, as it not only keeps your data safe, but also allows for a backup cloud to pick up the load if one cloud service is attacked or compromised.


Scaling out is different from scaling up, and it’s where you add more nodes as opposed to upgrading them. Without the proper application architecture, however, scaling out can lead to a drop in performance as the nodes struggle to communicate with each other. This is especially true for microservice architecture where services communicate with each other in more ways than we ever thought possible. A microservice service mesh like Istio facilitates this inter-service communication by acting as a communication layer for your services. Istio provides a way for developers to seamlessly connect, manage and secure networks of different microservices, regardless of platform.

Simplicity and security


Local services apps like TaskRabbit, Handy, and Thumbtack have numerous service options like plumbing, moving and packing, home improvement, and more. The secret to managing this complexity, however, is to keep it all as simple and organized as possible. The more complex your application, the harder it is to scale, so the secret lies in masking all that complexity behind an extremely well thought-out and simple user interface. It’s also important to keep app size down to a minimum. A smaller app not only makes your life as a developer easier, it also takes into account the limited storage capabilities of most mobile phone users.

Online payments are a great way to make the app experience convenient, and more payment options mean a higher conversion rate. Where there’s money involved, the risks of a breach are always higher, so be proactive about security. Encourage users to change passwords frequently, especially when there are digital wallets linked to your app. You also need to be quick to disclose when a data breach happens and keep all user data encrypted to the maximum level.


Cloud vendors follow the model of shared responsibility where they are responsible for the security “of” their cloud platform, but you are responsible for security “in” their cloud. Key management services that can encrypt data at various levels both in transit and at rest can give you more control over data access and better security.


Lastly, future-proof your app to take into account your industry and the technology you are currently using. Your app will never stop needing enhancements, so don’t get comfortable, or you’ll be a sitting duck for the next startup thinking about “disruption.”




Software is eating the world, and the gig economy is no exception. While the innovative business models of gig-economy companies may be part of the reason for these companies’ success, the apps that gig-economy companies build are also key — and can be the deciding factor between a successful gig-economy company and a failure. Winning in the gig economy requires an app designed for scalability, security, performance and future-proofing by following the tips outlined above. 

5 Critical Payment Integrations Questions for Your Dev Team


Payments were once a standalone process that signaled the end to a sale of a product or service. Today, global payments are an integral part of a customer experience and involve more interactions and transaction opportunities.


In this new payments world, traditional web, mobile, and storefront environments are converging. Many payment gateway options have appeared. At the same time, there are growing security concerns.


Payment integration has provided a way to bring a wide range of tools together to address these trends and challenges. However, it is not as simple as developing and launching a payment integration platform. Planning involves leveraging payment API options, creating secure and scalable payment processing integrations, and launching to add merchants for payment facilitators.


To plan and launch a payment integration solution, there are some critical questions to ask developers. In part one of this two-part series, we tackle five of these payment integration questions.


1) How long will a payment integration solution take to develop before we can start onboarding merchants? 


Development and launch timing depend on many factors. These include company needs, integration model, availability of a POS, and certification competition. Also, it's important to have proper coding and testing resources.


These steps include kickoff followed by development, testing, and certification. Then, it's pre-production, production go-live, and processing go-live.


The ability to accelerate merchant onboarding also depends on the development team’s availability and support. Find out what empowers developers to complete these steps.


Working with Worldpay can connect developers with a comprehensive set of automated onboarding tools.


2) How will you secure cardholder data throughout payment processing?


Data security is one of the most pressing issues facing the global payments industry.


Since cardholder data is such a tempting and vulnerable target for fraudsters, high-profile security breaches continue at a rampant pace with the liability resting on the shoulders of the company experiencing the breach. 


Ask your development team about their experience with security compliance. Find out how they can ensure that information is safe.


Worldpay can help tokenize and anonymize data to strengthen your security efforts. Worldpay implementation specialists can also tell you what the mean for your company.


Yet, every company handles data according to applicable regulations as well as to their processes for returns, subscription sign-ups, and similar situations that involve cardholder data.


That’s where developers can describe how your company handles those processes so Worldpay can recommend the most appropriate solution to minimize cardholder data risk. 


3) Does the payment solution provider’s technology integrate with what we plan to do? If not, how can we use a payment API to achieve payment integration?


This is a question where developers will need to be visionary in their responses. That’s because what you plan to do as a company involves the near and distant future. In return, this leads to a more complex environment for payment integration.


When asking developers, it's important to find out if the payment solution provider’s technology will scale with the business.


This inquiry may lead to other questions like, “Do we want to enable shopping online with in-store pick-up to address the current on-demand trend consumers expect?”


Or, do we plan to open more locations that need more payment gateway and security features?


It's a lot to consider, especially when trends and expectations are always shifting. That’s when you and the developer team must look outward at trending technology for retail payments and fulfillment.


In exploring these trends together and using the developers' insights, you and your payment solution provider can address these changing trends within your current and future payment integration processes.


4) Are there tools and resources available if payment integration process issues appear?


Your development team has extensive knowledge, experience, and skill. However, even with such talent, they may still need to tap external expertise if they are stuck with the payment integration development process.


They will need access to support, tools, and resources should they get stuck with some aspect of the payment integration process now or in the future. This is where developers will need to explain what type of specialized support would help.


Knowing what they need in terms of external support enables you to find the right payment integration partner. For example, developers can enjoy 24/7 access to Worldpay integration specialists and support forums.


Documentation and features like searchable/code samples are useful when there is a question. Or, it may help to tap into Worldpay’s Point of sale for XML, JSON, and HTML as well as connect to a knowledge base.


5) Are there available payment processing and security features to include as we scale our business? 



While stakeholder and business leadership define requirements, developers can enable the experience as well as support the plan and vision. Developers also can explain how extra functionality may affect integration performance.


You’ll be able to get a better sense of what features could create an enhanced customer experience by turning to the development team. For example, some companies need credit card terminals to accept payments by mail or telephone. Others might seek features that account for gratuities and enable pre-authorizations.


Another company may want to know how to better leverage available cardholder data for new insights to drive personalization. Reports and analytics offer a way to identify shopping conversion paths. It can also tell you where buyers are coming from and what type of payment they are using. 


Open Communication Equates to Greater Payment Integration Success


Ask the integration team, listen to their answers, and direct your payment integration strategy toward their recommendations.


Having an open communication process between the technical and strategic components of your company will increase the chances of successful development and implementation now and in the future.