Merchants that are not PCI-DSS Level 1 certified cannot allow credit card details to interact with their backend servers.
Thus, charging cards on Xendit usually requires the card details to be sent from the merchant's frontend web or app client to our Tokenization API, where they are converted to a token. A Charge request is then sent via a server-to-server API call using the token ID.
We recognize that some merchants may not have a use case for Tokenization, and prefer to charge cards directly from their frontend clients. These merchants may prefer having more control over the payment flow and their user interface, and choose not to use Xendit's CheckoutUI.
Further, Xendit's server-to-server Charge API endpoint does not support card processors where the payment interface belongs to a third party, i.e. where card details are not received directly by Xendit but are entered by the cardholder on a page to which Xendit redirects.
To serve the above use cases, Xendit has developed a Safe Acceptance API endpoint as an alternative for charging cards. The fields accepted via this API endpoint are very similar to our Charge API, with a few key differences:
The Xendit Safe Acceptance API must be used for charging the following types of cards:
See our Integration and Testing page to learn how to integrate with our Safe Acceptance API and, importantly, how to generate and validate signatures.