Payments with Hellgate Tokens
Hellgate Tokens are a great way to securely and compliantly store sensitive cardholder data. As they are by default made for exchange and multi-acquirer use, they are a splendid way to unlock your payment method data from your current payment service provider or to prevent such a lock-in upfront.
Conceptional View
Consider the following setup, where a merchant (you) maintains a solution for the shopper (your customers) to tokenize cardholder data (CHD) using our Hellgate® SDKs. The SDKs exchange the sensitive data into Hellgate® tokens, which are passed back to your backend.
With that you as the merchant are free to use the create tokens with any payment service provider of your choice. The token will be exchanged by Hellgate® on the go with the original cardholder data.
Compliance Service
The following description will focus on the approach to use existing tokens in payment processes. You can get these tokens in place using our SDKs. Please refer to the corresponding documentation for more details.
Exemplary Use
Our compliance service, as part of the Hellgate® is responsible for exchanging token information with original cardholder data in a secure way. Please see our API documentation for technical details on how to use this service.
Instead of calling the API of your payment service provider directly, you send the request to Hellgate® and instruct how the sensitive information of the cardholder will be used.
Cardholder data can only be forwarded to allowed destinations. To add allowed destinations, please contact your Hellgate® representative. Any attempts to forward data to non-allowed destinations will result in a rejection.
- Adyen v69
- Checkout.com
- Stripe
curl 'https://api.hellgate.io/forward' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'X-API-KEY: <HELLGATE-API-KEY>' \
-H 'X-HELLGATE-TOKEN: d7d272f7-f0e8-44c6-9459-c60e1ef279d5' \
-H 'X-DESTINATION-URL: https://checkout-test.adyen.com/v69/payments' \
-H 'X-API-KEY-ADYEN-NAME: X-API-KEY' \
-H 'X-API-KEY-ADYEN-VALUE <ADYEN-API-KEY>' \
--data '
{
"amount": {
"currency": "EUR",
"value": 1234
},
"reference": "Payment-0001",
"paymentMethod": {
"type": "scheme",
"number": "{{ account_number }}",
"expiryMonth": "{{ expiration_month }}",
"expiryYear": "{{ expiration_year }}",
"cvc": "{{ security_code }}"
},
"merchantAccount": "<adyen_merchant_account>",
"recurringProcessingModel": "CardOnFile",
"shopperInteraction": "Ecommerce",
"storePaymentMethod": "true"
}
'
curl 'https://api.hellgate.io/forward' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'X-API-KEY: <HELLGATE-API-KEY>' \
-H 'X-HELLGATE-TOKEN: d7d272f7-f0e8-44c6-9459-c60e1ef279d5' \
-H 'X-DESTINATION-URL: https://api.sandbox.checkout.com/payments' \
-H 'Authorization: Bearer <YOUR KEY>' \
--data '
{
"source": {
"type": "card",
"number": "{{ account_number }}",
"expiry_month": "{{ expiration_month }}",
"expiry_year": "{{ expiration_year }}"
},
"amount": 6540
"currency": "EUR",
"reference": "Payment-0001",
...
}
'
For this payment service provider, the cardholder data cannot be used directly. The card needs to be imported first, but be then used in a payment.
curl --location 'https://api.hellgate.io/forward' \
--header 'X-HELLGATE-TOKEN: d7d272f7-f0e8-44c6-9459-c60e1ef279d5' \
--header 'X-DESTINATION-URL: https://api.stripe.com/v1/payment_methods' \
--header 'X-API-KEY-VALUE: <STRIPE-API-KEY>' \
--header 'X-API-KEY-NAME: Authorization' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'X-API-Key: <HELLGATE-API-KEY>' \
--data-urlencode 'type=card' \
--data-urlencode 'card%5Bnumber%5D={{ account_number }}' \
--data-urlencode 'card%5Bexp_month%5D={{ expiration_month }}' \
--data-urlencode 'card%5Bexp_year%5D={{ expiration_year }}'
Then the returned payment_method_id can be used in the payment, but this does not require the use of the Compliance Service.
The security_code is only available for 15 minutes after the cardholder data has been stored.