
How Bold handles payment information

When a customer places an order in your store, Bold separates their payment information from everything else that happens during checkout. This separation increases the security of customer payment information and ensures alignment with the latest PCI DSS requirements.

Several components work together to keep payment data secure:

  • Secure Payments Interface (SPI) — The UI a customer uses to input their payment information and add a payment to an order
  • Enhanced Payment Service (EPS) — Bold's isolated payment processing service
  • Payment SDK — Bold's compiled JavaScript SDK that ensures SPI and EPS communicate correctly and process payments for your store
  • Your storefront
  • The payment gateway your store uses

Information flow

The following diagram and corresponding steps show the flow of information when a customer places an order.

  1. The customer clicks Checkout or a similar button to initialize the checkout process.
  2. The storefront code renders the payment UI by calling Payments.renderPayments('divContainer') from the Payment SDK.
  3. The SPI performs security checks and initializes an <iframe> on the provided div container.
  4. The customer enters their payment information in the <iframe> and clicks Place Order or a similar button to complete the checkout process. The SPI never reads or stores this payment information.
  5. The storefront code calls getDataRequirements from the Payment SDK.
  6. The Payment SDK returns the list of data the SPI needs in order to tokenize.
  7. The storefront calls tokenize, passing the data gathered in the previous step as the payload.
  8. The SPI sends the tokenize request to EPS.
  9. EPS tokenizes the payment.
  10. The Payment SDK returns the token to the storefront.
  11. The storefront processes the order with Bold Checkout.
  12. Bold Checkout calls EPS to authorize the payment.
  13. EPS calls the payment gateway to authorize the payment.
  14. The payment gateway returns the authorization result to Bold Checkout.
  15. Bold Checkout processes the order.
  16. The storefront displays a message confirming the order has been placed.

Strong Customer Authentication (SCA)

SCA is a regulatory requirement set by the second Payment Services Directive (PSD2), which aims to create additional layers of security for banks and customers in Europe. Banks that facilitate transactions between a merchant and customer that are both in Europe may require two of the following three methods of authentication:

  • Something the customer knows (such as a password).
  • Something the customer has (such as a token or physical item).
  • Something the customer is (such as biometric data).

To meet SCA requirements, Bold uses 3D Secure (3DS), a protocol that requires the customer to complete additional steps to verify their identity with their card issuer. Bold displays the 3DS challenge inside the SPI iframe, and the Payment SDK exposes an onScaPaymentOrder callback that your storefront can use to handle the SCA step for the order.