Sending Credit Card Data to IIG Directly
IIG's systems will not accept credit card numbers via the API. The API will only accept the payment nonce generated by Braintree. This is a requirement for our PCI compliance, and exceptions cannot be made. If your agency cannot work with the Braintree requirement, we suggest you use the Agent Issue functionality.
Extra Steps?
Issuing policies using a Credit Card is a difficult proposition, given the security requirements of PCI.
Credit Card Nonce
The Credit Card workflow adds extra steps in order to obtain a client_key used for encrypting and transmitting the credit card data to Braintree, IIG's payment card processor. The new workflow looks like this (errors notwithstanding):
- Send Quote data to the API.
  - Receive back rating data.
- Send Coverage data to the API.
  - Requires the same data as fully issuing a policy except for the
- Receive back:
  - Rating data for the selected coverage.
  - A payment client_key specific to this client, quote, and coverage.
    - Will appear in the response under payment.client_key.
- Collect payment information via AJAX from Braintree's Javascript API.
  - Braintree will return a nonce (one time use identifier) for the client's credit card information.
- Send Policy data to the API, including the nonce.
- Receive links to policy documents.
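The nonce-only rule can be enforced on your side before the Policy call is made. The following is an added example, not IIG's or Braintree's code: it scans the outgoing Policy data for anything that looks like a card number and refuses to build the request if one is found. The payment.nonce field name, the function names, and the sample field names are assumptions.

```javascript
// Added example. "payment.nonce" is an assumed field name; check the
// IIG API reference for the real one.

// Luhn checksum: true for digit strings that could be a card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk a JSON-like value and return the paths of every field holding a
// 13-19 digit run (spaces or dashes allowed) that passes the Luhn check.
function findCardNumbers(value, path = "$", hits = []) {
  if (typeof value === "string" || typeof value === "number") {
    const runs = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
    if (runs.some((r) => luhnValid(r.replace(/[ -]/g, "")))) hits.push(path);
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      findCardNumbers(child, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Build the Policy request body: require a nonce, reject any payload
// that still carries card data, then attach the nonce.
function buildPolicyRequest(policyData, nonce) {
  if (typeof nonce !== "string" || nonce.length === 0) {
    throw new Error("missing Braintree payment nonce");
  }
  // Scan only the caller's data; the nonce is an opaque Braintree value.
  const leaks = findCardNumbers(policyData);
  if (leaks.length > 0) {
    throw new Error("card number found in: " + leaks.join(", "));
  }
  const payment = { ...(policyData.payment || {}), nonce };
  return JSON.stringify({ ...policyData, payment });
}
```

Free-text fields such as notes or comments are the usual place a card number slips into a payload, which is why the scan covers every field rather than only the payment section.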
Braintree Javascript API
The Braintree Javascript API (see Braintree's documentation) is very straightforward. It is used to encrypt the client's credit card data, so that you avoid having a cardholder data environment. This drastically reduces the impact of PCI compliance on systems using this payment method.
Example
We have a non-working example (missing the client_key), to guide your implementation.