Overview

Octane supports a PCI/DSS SAQ-A compliant solution for payment integration that will allow your business to automate payments, while keeping your customer data safe and secure.

Octane currently supports payments via Westpac's QuickStream platform and requires users to integrate through a mix of Octane's REST API suite and Westpac's Trusted Frame.

The guide below details steps required to Onboard with us to be able to user our APIs, as well as the integration requirements.

Payment API Onboarding Process

Raise a ticket in Assist indicating your intention to integrate with Octane's Payment APIs

As part of fulfilment, you will be onboarded into the Westpac platform and provided with a Publishable API Key and Supplier Business Code to use with your TrustedFrame integration.

You will also be provided with an Octane API Username and Password, if you haven't received that already.

Integration

Integration Overview

Your server hosts a web page containing a form and quickstream-api.js
a. Test:
https://api.quickstream.support.qvalent.com/rest/v1/quickstream-api-1.0.min.js
b. Production: https://quickstream.westpac.com.au/docs/quickstreamapi/v1/quickstream-api-js/

You call the init() method with your Publishable API key and createTrustedFrame() which creates a QuickStream iFrame for collecting card details.

The User enters details into the iFrame, and then submits the card details securely to QuickStream.

Single use token is generated by QuickStream and then sent back to your website.

You can then use this Single-Use Token when calling Octane's Make Payment API (to take payment) or Add Payment Method API (to register the card for direct debit).

Example Flow (Make Payment)

Example Flow (Setup Direct Debit)

Detailed Steps

Step 1 - Host Example Page

You can use the sample code below to create a JS page in your code project, and host it on your server. Your Users will enter their Credit Card details on this page.

<html>
  <body>
    <!-- this form will POST a single use token to your server -->
    <form id="payment-form" action="/process-payment" method="post">
        <div data-quickstream-api="creditCardContainer"></div>
        <input id="make-payment-submit" type="submit" disabled="true"/>
    </form>
    <script src="https://api.quickstream.westpac.com.au/rest/v1/quickstream-api-1.0.min.js">
    </script>
    <script type="text/javascript">
        var submit = document.getElementById('make-payment-submit');
        QuickstreamAPI.init({
          publishableApiKey: "{publishableAPIKey}"
        });
        var trustedFrame;
        var options = {
          config: {
            supplierBusinessCode: "{supplierBusinessCode}"
          }
        };
        QuickstreamAPI.creditCards.createTrustedFrame(options, function(errors, data){
            trustedFrame = data.trustedFrame;
            if(errors){
              submit.disabled = true;
            } else {
              submit.disabled = false;
            }
        });
        var form = document.getElementById("payment-form");
        form.addEventListener("submit", function(event){
          event.preventDefault();
          trustedFrame.submitForm(function(errors, data){
            if(!errors){
              QuickstreamAPI.creditCards.appendTokenToForm(form, data.singleUseToken.singleUseTokenId);
              form.submit();
            }
          });
        });
    </script>       
  </body>
</html>

IMPORTANT
The URL shown in the snippet above is for the Production environment. To use QuickStream-API.js in the Support environment replace this URL with https://api.quickstream.support.qvalent.com/rest/v1/quickstream-api-1.0.min.js.

Please refer to the below page for more information on how to setup the Trusted Frame and different options for displaying this for Bank Accounts rather than Credit Cards - https://quickstream.westpac.com.au/docs/quickstreamapi/v1/trusted-frame/

Step 2 - Set your Publishable API Key & Supplier Business Code

If you've completed Onboarding as detailed above, you would have received both the Publishable API Key & Supplier Business Code you need to use in the Trusted Frame.

Update the variables in the JS page with these details (the variables are enclosed within curly brackets {{}} )

You can optionally update the form action of the code to another URL you prefer. The default is set to /process-payments

Step 3 - Test the page

Load the page on your server and confirm it is rendering as expected.

You should see a page that looks like this:

Use the test data below to make a payment:

Field	Value
Cardholder name	Token tutorial
Credit card number	4242 4242 4242 4242
Expiry Date	12/2028 (this can be any future date)
CVN	123

Step 4 - Take payment or register a payment method

You can now use the single use token to take a payment or register the card in QuickStream.

When you receive a POST to /process-payment you should:

Read the single use token from the parameter.

Verify your customer using a session cookie.

Use your Octane API credentials and the Single Use Token to take a one-time payment via the Make Payment API or register a Payment Method via the Add Payment Method API

Additional Tips

Avoiding duplicates by using an Idempotency-Key header.

Error handling

Styling the iFrame

Protect your site from card testing

Payment Integration

Overview#

Payment API Onboarding Process#

Integration#

Integration Overview#

Example Flow (Make Payment)#

Example Flow (Setup Direct Debit)#

Detailed Steps#

Step 1 - Host Example Page#

Step 2 - Set your Publishable API Key & Supplier Business Code#

Step 3 - Test the page#

Step 4 - Take payment or register a payment method#

Additional Tips#