The Hosted Payments API handles the collection and storage of sensitive customer payment information, significantly reducing your PCI DSS compliance requirements. The Hosted Payments API can be used for a range of payments, including card, direct debit, and alternative payments. It also supports 3D Secure cardholder authentication – for those customers using the scheme – and recurring payment scenarios, for merchants wishing to make repeat payments using stored customer details.

The scenarios below describe the ways in which merchants can set up payment processing with Paysafe using the Hosted Payments API. They all POST a request to the same endpoint,, but different attributes in the body of the request result in different behavior.

Scenario 1: Redirect Customer to Hosted Payment Page

Paysafe handles the collection of customer payment details on a secure payment page, which behaves in one of these ways:

Hosted API Overview

Hosted API Overview

In the "Simple" scenario, the merchant uses the Hosted Payments API to set up an order using a request that includes payment details, such as the amount, the currency, and the merchant account number. The response from Paysafe contains the URI of the Hosted Payment page, to which the customer should be redirected to complete the order, and a second URI that merchants can use to check the status of the order request. When the merchant redirects the customer's browser to the secure Paysafe-hosted page, payment details are collected, the payment is authorized with the customer's bank, and funds are captured to settle the payment.

In the "Authorize Only" scenario, the payment is not settled on the Hosted Payments page. In this case, the merchant includes in the body of the request an extendedOptions array where the authType parameter is set to auth. Then they must make a separate settlement request to Paysafe – for example, when the goods are dispatched – that includes the order ID received in the initial order response. For more information, see Process an order with Settlement.

Depending on the card issuer, an authorization is typically valid for between 1–5 days (debit cards) or up to 30 days (credit cards) before it expires and a new authorization must be obtained.

Scenario 2: Hosted API: Silent Post

The Silent Post order option can be used by merchants who want to provide the customer with their own branded payment page, instead of the Paysafe Hosted page.

Hosted API: Silent Post

Hosted API: Silent Post

Hosted API: Silent Post

This is similar to scenario 1, but the merchant includes the extendedOptions attribute, with silentPost set to true; they then use their own web form to collect customer details and post the contents to Paysafe.

By setting the extendedOptions parameter authType to auth, merchants can also provide their customers with the ability to make authorization only orders through their corporate web form.

Although your systems do not directly handle the customer's payment details, which are managed by the client-side browser page, the page you provide to customers must be secure and the information that is sent to Paysafe appropriately encrypted via an SSL connection. PCI DSS Compliance to level A-EP is mandatory for merchants who want to use this option.

Did you find this page useful?