Overview

Tokenization lets you store a customer's credit card details securely so that repeat payments can be processed without asking for card data again.

The Hosted Model checkout page collects card data during tokenization. As with other Hosted Model payments, PCI DSS compliance is not required because BBMSL stores all tokenized data.

Features

Supported payment methods

  • Payment Card: Visa, Mastercard

Supported currency

Payment Method/Currency | HKD | USD
Visa/Mastercard

Compatible browsers

The hosted checkout page is fully compatible with the following web browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Apple Safari

Customization options

Page presentation

You can redirect the customer to the hosted checkout page, or embed the payment page in an iframe element.

Page design

You can upload your company logo and configure the checkout page theme color in the BBMSL Business Portal. Additional UI options are available through PayAPI request parameters. The diagrams below show the available customization options for desktop and mobile layouts.

Security

  • Payment Card: Tokenization supports 3-D Secure (3DS) verification to protect each payment. The 3DS challenge page is presented automatically when the issuing bank requires it.
  • Digital Wallet: Authentication is conducted by the wallet's service provider through biometric authentication or username and password.

Payment flow

Before processing a payment with a saved card, you must first tokenize the customer's card. The customer is charged a small verification amount during tokenization; this amount is voided immediately after the card is verified.

The diagram below shows the full tokenization and payment workflow.

  1. Add token — Call PayAPI Add Token: /tokenization/add-token to generate a checkoutUrl for the customer to enter their card data. BBMSL charges the verification amount and tokenizes the card data in the BBMSL payment gateway.
  2. Query token — Call PayAPI Query Token: /tokenization/query-token with the userId used in the previous step to retrieve the tokenId assigned to the tokenized card.
  3. Sale — Call PayAPI Sale: /tokenization/sale with the tokenId to process a payment without requesting card data again. The tokenId can be reused until it expires or is deleted.

Error handling

Handle failure results at every stage of the payment process. If a network error occurs, query the order result rather than assuming the payment succeeded. See Result Notification for details.
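
The three payment-flow steps and the network-error rule above, as an added example that is not BBMSL's own code: a small client run against a constructed in-memory gateway, where the sale response is lost after the charge was recorded. Only the three endpoint paths and the names checkoutUrl, userId and tokenId come from this page; the orderId, amount and status fields, the status values, and the order-lookup path are assumptions made for illustration.

```python
# Added example: only the three /tokenization/* paths and the names checkoutUrl,
# userId and tokenId come from the page. Every other field, the status values
# and the order-lookup path are assumptions.

class FakeGateway:
    """Constructed in-memory stand-in for PayAPI so the example runs offline."""
    ORDER_LOOKUP = "/hypothetical/query-order"  # placeholder, not a PayAPI path

    def __init__(self, drop_sale_response=False):
        self.tokens, self.orders = {}, {}
        self.drop_sale_response = drop_sale_response

    def post(self, path, body):
        if path == "/tokenization/add-token":
            # Real flow: the customer enters the card at checkoutUrl. Here the
            # card is treated as tokenized at once to keep the example short.
            self.tokens[body["userId"]] = "tok_constructed_1"
            return {"checkoutUrl": "https://checkout.invalid/session"}
        if path == "/tokenization/query-token":
            return {"tokenId": self.tokens.get(body["userId"])}
        if path == "/tokenization/sale":
            if body["tokenId"] not in self.tokens.values():
                return {"status": "FAILED"}
            self.orders.setdefault(body["orderId"], "SUCCESS")  # charge recorded
            if self.drop_sale_response:
                raise ConnectionError("response lost after the charge was made")
            return {"status": self.orders[body["orderId"]]}
        if path == self.ORDER_LOOKUP:
            return {"status": self.orders.get(body["orderId"], "NOT_FOUND")}
        raise ValueError(path)


def start_tokenization(gw, user_id):
    """Step 1: get the hosted page URL; card data never reaches our server."""
    return gw.post("/tokenization/add-token", {"userId": user_id})["checkoutUrl"]


def pay_with_saved_card(gw, user_id, order_id, amount):
    """Steps 2 and 3, plus the network-error rule: query, never assume."""
    token_id = gw.post("/tokenization/query-token", {"userId": user_id})["tokenId"]
    if not token_id:
        return "NO_TOKEN"  # the card was never tokenized for this userId
    sale = {"tokenId": token_id, "orderId": order_id, "amount": amount}
    try:
        return gw.post("/tokenization/sale", sale)["status"]
    except ConnectionError:
        # Outcome unknown: ask the gateway instead of guessing or re-charging.
        return gw.post(gw.ORDER_LOOKUP, {"orderId": order_id})["status"]
```
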