Young Developers - eProtect Quickstart Guide

Document created by gjsissons on Mar 28, 2017Last modified by gjsissons on Apr 10, 2017
Version 5Show Document
  • View in full screen mode


About eProtect


eProtect is an optional security service provided by Vantiv that helps reduce security risk and PCI scope in payment applications by avoiding the need for payment applications to handle sensitive card-holder data or third party network tokens.  The technology was originally called "Paypage". You will see that this old name lingers in the technical documentation.  With the increased popularity of cloud-based wallets and mobile wallets, eProtect is now used for several purposes:

  • It is a JavaScript library that can be embedded in a web-page to securely collect sensitive credit card information in such a way that a web application doesn't need to handle sensitive cardholder data.  The JavaScript library transparently calls Vantiv's eProtect endpoint and securely exchanges the card holder information for a low-value token (LVT) as we'll describe shortly.  eProtect always stores the sensitive payment credential (a credit card for example) in Vantiv's vault and the low-value token can be used for up to 24 hours to reference the actual payment information.
  • The eProtect network end-point can also be called directly from an application to exchange an Apple Pay token (PKPaymentToken) for an eProtect low-value token.  For example, when implementing Apple Pay in-app payments, an iOS app can call Vantiv's eProtect endpoint and exchange the PKPaymentToken for a low-value token. This makes it much each for developers to implement Apple Pay payments since they don't need to worry about decrypting the PKPaymentToken.
  • eProtect is also used behind the scenes with major mobile wallets like Android Pay. When processing an Android Pay transaction, Google's servers will call Vantiv's eProtect service directly, and return the client Android application the low-value token that they can use as a source of payment.


eProtect credentials


To make getting started with eProtect easy, we've setup some shared credentials in advance that you can use for testing. eProtect can be used either with the eCommerce platform or with the Mercury Pay platform.  If you are just playing with eProtect to get a feel for how it works, you can use either credential below.


Credential required to call the eProtect endpointValue
paypageId configured for use with the Vantiv eCommerce platforma2y4o6m8k0
paypageId configured for use the with Mercury Pay platformxxx


Testing basic functionality


If you have access to a Linux platform or an OS/X platform supporting bash (born-again shell) and cURL, you can simply run a script like the one below:



# Call eProtect with a PayPage account and test MasterCard to retrieve a low-value token
curl -H "Content-Type: application/x-www-form-urlencoded" \
 -d"paypageId=a2y4o6m8k0&reportGroup=67890&orderId=cust_order&id=12345&accountNumber=5454545454545454&cvv=111" \



Assuming the script is called, you can run it as follows:



[gord@localhost eprotect_curl]$ . ./



If you've typed everything corectly and if you have internet access and no firewalls are blocking access to Vantiv's pre-live eProtect testing environment you should see a JSON formatted response like this following:






If you got this to work, congratulations! From the account number Vantiv was able to determine this was a MasterCard.  The key value that you need to retain is the paypageRegistrationId (TTBOOT ...) in this example.  This is the low-value token.  The low-value token is only valid for 24 hours, and you will receive a different token every time you call the eProtect endpoint.  Note in this example the response was "870". This code is simply telling us that the card has been vaulted previously.  This is expected since it is a test card that others are using as well.