An account ID identifies each of a merchant’s accounts, which can include multiple credit and eCheck accounts. Every transaction applies to only one account, specified with its account ID. Merchants can see their account IDs in the AffiniPay web application.
AffiniPay Payment Platform
The AffiniPay Payment Platform enables professionals to process payments. It has a suite of APIs that developers use to integrate payment solutions into websites or applications.
AffiniPay web application
The AffiniPay web application URL varies depending on which AffiniPay product you’re using:
- For AffiniPay: https://secure.affinipay.com/login
- For ClientPay: https://secure.clientpay.com/login
- For CPACharge: https://secure.cpacharge.com/login
- For LawPay: https://secure.lawpay.com/login
AffiniPay provides each merchant with a public key that identifies that merchant to AffiniPay. AffiniPay also provides test- and live-mode secret keys that authenticate API requests made on that merchant’s behalf.
If you are a partner taking payments on behalf of a merchant, you received the merchant’s secret keys when you retrieved their payment gateway credentials from the https://secure.affinipay.com/api/v1/chargeio_credentials endpoint.
If a merchant accepts payments through an AffiniPay partner’s application (like a practice management, association administration, or donation management application), that application must also be on the merchant’s authorized applications list.
To help ensure only authorized users are making purchases, the major credit card networks, such as Visa, MasterCard, American Express, and Discover, provide Address Verification System (AVS) security checks. AffiniPay uses these security checks to validate credit card transactions like online payments.
A contact is an entity (representing a person or business organization) that acts within the AffiniPay Payment Portal system, such as the merchant that creates the invoice and the user who is associated with the invoice.
To help ensure only authorized users are making purchases, the major credit card networks, such as Visa, MasterCard, American Express, and Discover, provide Card Verification Value (CVV) security checks. AffiniPay uses these security checks to validate credit card transactions like online payments. CVV is often used for card-present retail transactions as well.
Electronic check (eCheck) payments move funds electronically between banks using routing and account numbers.
An invoice lists an amount to be paid by the client to the merchant. The merchant creates and sends an invoice from the partner’s application. When the user receives the email, they can click a link and pay the invoice in the AffiniPay payment portal. Portal payments are only available for partners to integrate into their applications.
A merchant is a business for whom payments are processed using the AffiniPay Payment Platform. Merchants can take payments for themselves; partners can take payments on behalf of their customers, who are AffiniPay merchants.
OAuth authorization code flow
The OAuth authorization code flow uses an authorization code grant to facilitate the OAuth 2.0 flow. The authorization code flow enables a partner’s customers (who are AffiniPay merchants) to give the partner’s application permission to perform operations on the merchant’s behalf.
OAuth client library
OAuth client credentials flow
The OAuth client credentials flow uses a client credentials grant to facilitate the OAuth 2.0 flow. The client credentials flow enables a partner to access protected API resources that don’t require a resource owner, in particular to submit a merchant application to AffiniPay. To do so, the partner’s application must acquire an access_token based on partner OAuth application credentials.
one-time payment token
A one-time payment token is obtained as a result of the tokenization process, where software running on the customer’s device securely exchanges sensitive payment details for an opaque token generated by the PCI DSS-compliant payment gateway. A one-time token can be used in transactions or to create a saved payment token. One-time tokens expire five minutes after creation.
A partner is a business that takes payments on behalf of an AffiniPay merchant.
partner OAuth application
Integrating an application with the AffiniPay system requires a partner OAuth application. An AffiniPay employee creates a partner’s first partner OAuth application.
Merchants can revoke a partner OAuth application’s access to their AffiniPay account at any time by logging in to the AffiniPay web application and removing their connection to the partner OAuth application.
A payment token is a payment method, such as a one-time payment token or a saved payment token like a saved card or bank. In a transaction, a payment token obscures the sensitive aspects of the payment details while providing an ID that may be used in any API that accepts card or bank details.
Storing and transmitting cardholder data makes a business’s infrastructure a target for attacks, which is why any organization that processes credit card transactions must certify compliance with the Payment Card Industry Data Security Standard (PCI DSS).
AffiniPay maintains a Level 1 PCI certification, which requires annual audits, but we also encourage our security auditor to audit us randomly throughout the year. We pride ourselves in aspiring to a higher security standard than the minimum requirements of PCI compliance.
A public key is the API key used to create tokens that secure the payment details sent to the AffiniPay Payment Gateway API. The public key is available in the My Website section of the AffiniPay web application.
saved payment token
A saved payment token is a payment token that provides a managed mechanism for supporting multiple payments over time. Saved payment methods are typically integrated into a site or application to support “remembered” payment details for users.
Secret keys are the API key issued to merchants and used to perform operations using the AffiniPay Payment Gateway API. Merchants should store their secret keys securely and keep their secret keys confidential so no one can run transactions without their permission.
Note: If you suspect your test- or live-mode secret keys have been compromised, contact AffiniPay immediately to reset your secret keys.
The secret key you specify when making an API request affects how the operation is processed.
- The test-mode secret key only allows you to create new charges and other transactions against TEST accounts.
- The live-mode secret key only works in conjunction with accounts associated with live payment processing networks.
Attempts to mix secret keys and accounts will fail.
Tokenization is the process of sending payment details (such as credit card and bank account numbers) to a secure PCI DSS-compliant payment gateway in exchange for a one-time token. The token can be used to make a payment, but it must be used along with the merchant’s secret key.
Here’s the tokenization flow:
- The cardholder enters payment details in a form and triggers a click event.
- The payment page responds to the click event and requests a payment token from the AffiniPay Payment Gateway.
- The AffiniPay Payment Gateway stores payment details and returns a token to the payment page.
- The payment page receives a payment token from the AffiniPay Payment Gateway and POSTs the token and amount to charge to the web server.
- The web server sends a charge request to the AffiniPay Payment Gateway API using the merchant’s secret key.
- The web server processes the response from the AffiniPay Payment Gateway and checks for any errors that have occurred.
- After the web server receives the transaction response from the web server, the payment page is updated.