Introducing Direct Payment

Direct Payment lets buyers who do not have a PayPal account use their credit cards without leaving your website. PayPal processes the payment in the background.

The Direct Payment User Experience

Direct Payment enables buyers to pay by credit or debit card during your checkout flow. You have complete control over the experience; however, you must consider PCI compliance.

When buyers choose to pay with a credit or debit card, they enter their card number and other information on your website. After they confirm their order and click Pay, you complete the order in the background by invoking the DoDirectPayment API operation. Buyers never leave your site. Although PayPal processes the order, buyers aren't aware of PayPal's involvement; PayPal will not even appear on the buyer's credit card statement for the transaction.

The following diagram shows a typical Direct Payment flow:


Direct Payment Flow

The numbers in the diagram correspond to the following implementation steps:

  1. On your checkout pages, you need to collect the following information from a buyer to be used in the DoDirectPayment request:
    • Amount of the transaction
    • Credit card type
    • Credit card number
    • Credit card expiration date
    • Credit card CSC value
    • Cardholder first and last name
    • Cardholder billing address

    The following example shows the collection of credit card information from a US buyer after the transaction amount has been determined:


    Collection of Credit Card Information
    Note: In some cases, the billing address and CSC value may be optional. You must also identify debit on your PCI compliant checkout page when you reference a direct card checkout image.
  2. You must also retrieve the IP address of the buyer's browser and include this with the request.
  3. When a buyer clicks the Pay button, invoke the DoDirectPayment API operation.
  4. The PayPal API server executes the request and returns a response.
    • Ack code (Success, SuccessWithWarning, or Failure)
    • Amount of the transaction
    • AVS response code
    • CSC response code
    • PayPal transaction ID
    • Error codes and messages (if any)
    • Correlation ID (unique identifier for the API call)
  5. If the operation is successful, you send the buyer to an order confirmation page.

    The Ack code determines whether the operation is a success.

    • If successful, you should display a message on the order confirmation page.
    • Otherwise, you should show the buyer information related to the error. You should also provide an opportunity to pay using a different payment method.

User Interface Recommendations for Direct Payment Checkout

Your checkout pages must collect all the information you need to create the DoDirectPayment request. The request information can be collected by your site's checkout pages.

The following recommendations help process requests correctly and make it easier for buyers to provide necessary information:

TipImportant: You are responsible for processing card industry (PCI) compliance for protecting cardholder data. For example, storing the Card Security Code (CSC) violates PCI compliance. For more information about PCI compliance, see PCI Security Standards Council.
  • Provide a drop-down menu for the state or province fields for addresses in countries that use them. For U.S. addresses, the state must be a valid 2-letter abbreviation for the state, military location, or U.S. territory. For Canada, the province must be a valid 2-letter province abbreviation. For the UK, do not use a drop-down menu; however, you may need to provide a value for the state in your DoDirectPayment request.
  • Ensure buyers can enter the correct number of digits for the Card Security Code (CSC). The value is 3 digits for Visa, MasterCard, and Discover. The value is 4 digits for American Express.
  • Show information on the checkout page that shows where to find the CSC code on the card and provide a brief explanation of its purpose.
  • Configure timeout settings to allow for the fact that the DoDirectPayment API operation might take as long as 60 seconds to complete, even though completion in less than 3 seconds is typical. Consider displaying a "processing transaction" message to the buyer and disabling the Pay button until the transaction finishes.
  • Use the optional Invoice ID field to prevent duplicate charges. PayPal ensures that an Invoice ID is used only once per account. Duplicate requests with the same Invoice ID result in an error and a failed transaction.