By default, Helcim merchants cannot send full card numbers, expiry dates, or CVV numbers via the Helcim API. This is to reduce the security scope and PCI-DSS compliance requirements of our merchants. Instead, we encourage merchants to tokenize card numbers using HelcimPay.js or Helcim.js before submitting them to one of the Payment API endpoints.
Merchants can request permission to send full cardholder information if their unique integration needs require this. If you want to send full card numbers through the Helcim API you will need to do the following:
- Contact Helcim to review your business needs BEFORE signing up for Helcim
- Once you have spoken to Helcim, you can proceed with completing your sign up
- After signing up, read, complete, and sign the PCI SAQ-D within 90 days. Your dashboard will start to remind you 45 days after your account activation.
- Once complete, the SAQ-D needs to be uploaded to the dashboard in your Helcim account
The SAQ-D must be completed with an independent third party auditor, signed and then uploaded annually. You will be responsible for complying with all of the obligations of the SAQ-D, for example arranging to have your network scanned. Please also note that AVS information will be mandatory for all transactions.
If your Helcim account configurations allows for full card information, below are the required
cardData body parameters that should be sent in lieu of the
cardToken details. Full card numbers can be used for "purchase", "pre-authorization", and "verify" transaction API endpoints.
Please review our documentation for more information on processing through our Payment API endpoints.
|string (13-16 length)||The full card number, which can vary between 13 and 16 digits based on the card type.|
|string (4 length)||The card expiry date, in MMYY format (total of 4 digits without spaces or slashes, including a leading zero for single digit months).|
|string (3-4 length)||The card CVV (3-4 digits on back of credit card). American Express shows this number on the front of the card.|
Your website or application should store relevant
cardToken information and use these when processing in lieu of full card numbers if you are not approved to send with them. The card token is not considered sensitive cardholder information and can only be used within the Helcim system, unless migrated to another PCI compliant payment processor through a secure data migration process.
When ready to process a new payment, the
cardToken should be sent to the Helcim Payment API endpoint in the
cardData object instead of the credit card number, expiry and CVV fields.
|String (23)||The 23-digit, alpha-numeric card token representing the stored card information.|
Updated 2 months ago