A few definitions before we all get confused about who's who.
Paystation: that's us.
Developer: that's you.
Merchant: the shop owner - the one who holds the Merchant account at the bank. Usually they are your customer, and our customer, but they're not the end customer.
Customer / Card Holder: the end customer - the one who is buying goods or services.
This is how we refer to the different roles in documentation, over email, and when talking over the phone.
3-Party Hosted vs. 2-Party Merchant Hosted Processing
3-Party hosted processing is where the merchant's system redirects the browser to screens served from Paystation's servers. Paystation collects all of the card data and processes the transaction, and then redirects back to the merchant's system with the result.
With 2-Party merchant hosted processing, Paystation receives the transactions directly from the merchant's systems, with the card data passed from that system to ours.
Every account is technically able to transact via 2-Party and 3-Party at the same time, and turning the interfaces on and off is a matter of policy (if the bank says yes then we turn everything on). As a general rule, PCI compliance and bank approvals are required to process via 2-Party.
3-Party Hosted Processing
Most payments will use 3-Party hosted processing, which has three advantages:
- the card holder puts card numbers into bank branded screens;
- the merchant never sees card numbers;
- and things like PCI compliance and 3DS authentication are our problem and not yours or your merchant's.
For 3-Party payments we need to know where to send the response. We call this the 'Return URL', and we need you to tell us what the return URL will be for each merchant you integrate, including your development account. We also have the ability to redirect the browser to a dynamic URL sent to us when the transaction is initiated - this requires the use of HMAC authentication.
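What HMAC authentication gives a request that carries its own return URL, as an added example that is not Paystation's code or its actual signing scheme: the merchant system signs the request body with a shared key, and the receiver rejects any request whose return URL was changed or whose timestamp is stale. The field names, message layout, key and 300-second window are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample key; a real key is issued per account and is not on this page.
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 300  # assumed replay window, not a documented value


def encode_body(params: dict) -> str:
    """Serialise the request fields in a fixed order so both sides MAC the same bytes."""
    return urlencode(sorted(params.items()))


def sign(body: str, timestamp: int, key: bytes) -> str:
    """Merchant side: hex HMAC-SHA512 over the timestamp and the exact body sent."""
    message = f"{timestamp}.{body}".encode()
    return hmac.new(key, message, hashlib.sha512).hexdigest()


def verify(body: str, timestamp: int, mac: str, key: bytes, now: int) -> dict:
    """Receiver side: return the parsed fields only if timestamp and MAC both check out."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        raise ValueError("stale timestamp")
    expected = sign(body, timestamp, key)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad MAC")
    return dict(parse_qsl(body))


if __name__ == "__main__":
    ts = 1700000000  # constructed timestamp
    body = encode_body({"amount": "1000",
                        "return_url": "https://shop.example/paid?order=42"})
    mac = sign(body, ts, SHARED_KEY)
    print(verify(body, ts, mac, SHARED_KEY, now=ts + 10))
    # A body whose return URL was altered after signing no longer matches the MAC.
    altered = body.replace("shop.example", "other.example")
    try:
        verify(altered, ts, mac, SHARED_KEY, now=ts + 10)
    except ValueError as err:
        print("rejected:", err)
```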
Sometimes you need more control, and 2-Party might be the thing for you - this is where you gather the card number, your application sends it to us as an HTTPS POST, and we come directly back to your application with an XML or JSON response. Call centres use 2-Party, as do some really big online merchants. As a general rule, PCI compliance and bank approvals are required to process via 2-Party.