Accept card payments
Accept Visa, Mastercard, and RuPay credit, debit, and prepaid card payments with Pine Labs Online โ with 3DS authentication, tokenization, and pre-authorization.
Cards, in the context of payments, refer to physical or virtual instruments used to facilitate financial transactions. They typically come in the form of plastic cards with embedded microchips or magnetic stripes, although virtual cards are gaining popularity for online transactions. These cards are linked to a specific account, allowing users to make purchases or withdrawals without carrying cash.
๐ง Watch Out
- To Integrate with Pine Labs Online seamless checkout flow you must have a PCI compliance certificate.
What are the different types of cards?
Prepaid Cards
Cards that are loaded with funds in advance and can be used until the balance is depleted.
Debit Cards
Linked directly to the cardholder's bank account, allowing them to make purchases using funds available in the account.
Credit Cards
Provide a line of credit to the cardholder, allowing them to borrow funds up to a certain limit for purchases, subject to interest charges if the balance is not paid in full by the due date.
Corporate Cards
Issued to employees of companies for business-related expenses, with features such as expense tracking, spending limits, and integration with corporate accounting systems.
How card payments work?
The card payments ecosystem involves a complex network of entities and processes that facilitate electronic transactions between customers, merchants, banks, and payment gateways. Here's an overview of how the system works:
- Customer Initiates Payment: The process begins when a customer makes a purchase using a credit or debit card on the merchant's website. The customer provides card details, including the card number, expiry date, and CVV code.
- Merchant's Website & Mobile Apps: The merchant's website/mobile application collects the payment information and securely transmits it to the Payment Gateway.
- Payment Gateway: The Payment Gateway acts as an intermediary between the merchant's website and the acquiring bank. It encrypts the customer's payment details and forwards the information to the acquiring bank for authorization.
- Acquiring Bank: The Acquiring Bank receives the payment authorization request from the Payment Gateway. It checks the transaction details, verifies the customer's account, and ensures that there are sufficient funds in the account for the transaction.
- Authorization: If the transaction is approved, the acquiring bank sends an authorization code back to the Payment Gateway. If declined, the reason for the decline is communicated back to the merchant.
Payment Processor: The Payment Processor, affiliated with the acquiring bank, processes the authorized transactions. It debits the customer's account and credits the merchant's account with the transaction amount, minus any fees. - Merchant Confirmation: The Payment Gateway informs the merchant's website about the transaction status. The customer receives a confirmation of the successful payment.
๐ Note:
- Support for American Express transactions is not available at the moment; however, it is included in the future roadmap.
- Diners cards are supported only when using the
HDFC_FSS_IN_HOUSEacquirer.
Key Participants in the Card Payments Ecosystem
Cardholders
Individuals or entities who own and use the cards for purchases or transactions.
Merchants
Businesses or individuals who accept card payments for goods or services.
Card Issuers
Banks or financial institutions that issue cards to customers and are responsible for account management, risk assessment, and authorization.
Card Networks
Organizations such as Visa, Mastercard, American Express, and Discover, which facilitate transactions between cardholders, merchants, and issuers.
Acquiring Banks
Financial institutions that establish and maintain merchant accounts, enabling businesses to accept card payments.
Payment Gateways
Companies that provide technology and infrastructure for transaction processing, often acting as intermediaries between merchants and card networks.
Supported Card Payment Flows
Pine Labs Online supports multiple card payment experiences to help merchants optimize conversion, improve customer experience, and meet regulatory requirements. Depending on your integration and merchant configuration, you can choose one of the following card payment options.
Native OTP Flow
Complete OTP verification directly within your app or website without redirecting customers to an external authentication page.
Explore Native OTP Flow โCVV-less Flow
Allow returning customers to pay without entering CVV when supported conditions and token requirements are met.
Explore CVV-less Flow โTokenized Card Flow
Use network-issued tokens to process repeat or saved-card payments without storing sensitive card details.
Explore Tokenized Card Flow โDecoupled Authorization Flow
Manage customer authentication through your own 3DS provider and submit the outcome to Pine Labs for authorization.
Explore Decoupled Authorization โ1. Native OTP Flow
The Native OTP Flow allows merchants to handle OTP authentication directly within their application, providing a seamless customer experience without redirecting the customer to an external authentication page.
Key Benefits
| Benefit | Description |
|---|---|
| Seamless Authentication | Your customers can complete the entire authentication flow on your platform without redirections. |
| Brand Consistency | This allows you to customize the OTP entry interface to align with your brand identity. |
| Lower Drop-offs | Reduce transaction abandonment due to redirection delays or network issues. |
| Enhanced Insights | Helps you to gain better visibility of your customer authentication behavior. |
| Higher Conversion Rates | Improve authentication success rates by 2-3%. |
| Flexible Implementation | Supports fallback to traditional ACS redirection when necessary. |
How it Works?
Instead of directing your customers to an external 3D Secure page, the entire OTP-based authentication process happens within your website or application:
- The customer initiates a payment on your platform.
- The system triggers an OTP request via API.
- The issuing bank sends the OTP to the customer.
- The customer enters the OTP using your customized interface.
- The OTP is submitted via API for verification.
- The transaction is processed seamlessly without redirection.
๐ Note:
- This approach enhances user experience, reduces friction, and improves transaction success rates by keeping customers engaged within your platform.
Supported Issuer Banks and Card Networks
| Card Issuer | VISA | MASTERCARD | RUPAY |
|---|---|---|---|
| ICICI Credit Card | โ | โ | |
| ICICI Debit Card | โ | โ | |
| HDFC Credit Card | โ | โ | โ |
| HDFC Debit Card | โ | โ | |
| AXIS Credit Card | โ | โ | |
| AXIS Debit Card | โ | โ | |
| SBI Credit Card | โ | โ | โ |
| SBI Debit Card | โ | โ | |
| KOTAK Credit Card | โ | ||
| KOTAK Debit Card | โ | ||
| YESBANK Credit Card | โ | โ |
2. CVV-Less Flow
A CVV-less transaction allows your customers to process a payment without requiring their card's CVV [Card Verification Value]. This can be used for saved cards as tokens, where CVV is not necessary for repeated transactions, such as tokenized payments or card-on-file services.
CVV-less transactions enhance customer convenience by simplifying the payment process for recurring or saved card transactions. This improves the customer experience by reducing friction during checkout. While still maintaining security through tokenization and other robust verification methods. This balance enhances convenience without compromising safety.
Supported Networks:
- Visa
- Mastercard
๐ Note:
- This feature is only supported for seamless card transactions.
- You can implement a CVV-less flow for processing payments on your systems, provided > that the token type used is
NETWORK_TOKEN.- For Visa and Mastercard tokenized transactions, the cvv parameter can be omitted.
3. Tokenized Card Flow
Pine Labs Online Token Management allows you to securely process payments by using network-issued tokens instead of storing sensitive card details. In compliance with COFT regulations, you cannot save customer card information directly. Instead, payment networks provision tokens against a customerโs card with their consent.
How Tokens Are Stored in the System
Token : A Token is a non-sensitive replacement for the actual Primary Account Number (PAN) of a payment card. Its primary role is to store card information securely and be used for future transactions without exposing sensitive data. When a user saves a card on a Pine Labs Online platform, the system generates a Token ID. This ID can then be used for transactions, subscriptions, or recurring payments, without the need to store or transmit the actual card number.
Service provider token : A Service Provider Token is a specific token that is created and managed by an external entity - either a card network (e.g., Visa, Mastercard) or a card issuer (e.g., a bank). This token is essentially a representation of the card created by the third-party service provider to replace the actual PAN. The Service Provider Token is linked to the Token ID within the platform, but it reflects the external tokenization source used for the token creation.
Refer to our Tokenization documentation to learn more.
4. Decoupled Authorization Flow
The Decoupled Authorization Flow is designed for merchants who want to manage the customer authentication experience with their own third-party 3DS provider, while using Pine Labs APIs for payment authorization and processing.
In this flow, authentication and authorization are handled separately. You complete 3DS authentication first, then submit the successful authentication outcome to Pine Labs when authorizing the payment.
Authenticate with your 3DS provider
Control the cardholder authentication journey and collect the successful 3DS authentication response.
Submit authentication data
Pass the 3DS identifiers, CAVV, and ECI to Pine Labs exactly as received from the same authentication event.
Authorize with Pine Labs
Pine Labs uses the authentication outcome to process the card payment authorization securely.
When to use this flow
Use Decoupled Authorization when you need:
- Complete control over checkout, authentication, and customer redirection experiences.
- A custom payment flow across web, mobile apps, or other digital channels.
- Consistent branding throughout the authentication journey.
- Flexibility to use your preferred 3DS authentication provider.
Merchant responsibilities
Because the merchant controls the checkout and authentication experience, the merchant is responsible for:
| Responsibility | What you must manage |
|---|---|
| Customer journey | Design and maintain the payment and authentication experience. |
| Customer inputs | Collect, validate, and securely handle customer-provided payment details. |
| Authentication handling | Manage customer redirection or in-app authentication steps, where required. |
| Order operations | Maintain order management, retries, reconciliation, and transaction tracking. |
| Compliance | Meet applicable security, payment network, and regulatory requirements. |
3DS authentication data consistency
๐ง Watch Out
The transaction amount and currency submitted to Pine Labs for authorization must exactly match the amount and currency used during 3DS authentication. Any mismatch may result in transaction declines.
For 3DS-authenticated transactions, ensure the following values all belong to the same successful authentication event:
directory_server_transaction_idacs_transaction_idthree_ds_server_transaction_idcavveci
Pass these values exactly as received from your 3DS provider. Do not alter, substitute, or mix values from different authentication attempts.
| Authentication event | 3DS transaction IDs | CAVV / ECI |
|---|---|---|
| Original 3DS authentication | Use the DS, ACS, and 3DS Server transaction IDs generated for the authentication. | Use the CAVV and ECI generated for the same authentication. |
| Authorization retry for the same payment attempt | Reuse the same 3DS transaction IDs. | Reuse the same CAVV and ECI. |
| New customer authentication attempt | Use newly generated 3DS transaction IDs. | Use newly generated CAVV and ECI. |
๐ Note:
If you retry authorization for the same payment attempt, reuse the same 3DS authentication data. If the customer completes a new authentication attempt, submit the newly generated 3DS identifiers and authentication values.
Failure to follow these guidelines may make the merchant liable for fraudulent transactions.
Integration Options
Hosted Checkout
Redirect customers to a Pine Labs-hosted payment page. Ideal for merchants that want a faster integration with Pine Labs managing checkout, payment collection, and secure processing.
Learn more โCustom Checkout
Best suited for businesses that want full control over the payment experience and branding. Customize the checkout flow, payment methods, and customer journey directly within your website or application.
Learn more โPayment Links
Collect payments from Indian customers without building a full checkout flow. Useful for service-based payments, education fees, consulting, travel bookings, or other eligible use cases.
Learn more โ