API Resources

This document is for developers who wish to use the Primoris Payment API. If you are not a developer, but still wish to use the API, please contact us. We can help.

The Primoris Payment API processes single and batch credit card and electronic check payments, primarily for insurance policies. Payments are easily accepted from agents or individual insureds. The Payment API is simple and easy to use. You can get started in minutes and have a working system in almost no time.

Security and PCI DSS Compliance

To ensure data privacy, unencrypted HTTP is not supported. All requests, even in the testing environment, must be over HTTPS.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Primoris is PCI DSS complaint. Even if your company is not PCI DSS compliant, using the Primoris Payment API in accordance with this document will ensure compliance.

About REST (REpresentational State Transfer)

We designed the Primoris Payment API in a RESTful way, so that it is simple and straightforward to use. The API has 'endpoints', which are predictable, defined URLs to which requests can be made. JSON, a lightweight data format, will be returned from the API for all requests.

Authentication

We assume you already have your API public/private key pair. If not, contact us and we will provide them for you.

Primoris issues API keys for each different configuration needed. For example, you might have multiple products that settle to different bank accounts. The API keys consist of a public key and a private key. The private key must be kept secret. No passwords are needed. You may have many active key pairs at any time.

Test transactions will not work until Primoris issues your keys.

Jumping Right In

The quickest way to get started is to use Primoris' PCI DSS compliant JavaScript library. By including this in your website, you can secure collection of payment information without concern for meeting PCI DSS compliance in your own facilities. The credit card or electronic check information that the user enters will never touch your servers - it will only pass through the secure, PCI DSS compliant, Primoris servers. This JavasScript embeds a payment form directly into your website, using the same technology that Google Maps^™ uses to embed interactive maps into websites.

To see this in action, go to our demo site , select a sample policy, and sign in. On the second screen is the embedded payment form. Everything in gray is embedded and the data entered there will never touch your servers.

The script to embed is simply:

  <script>
    PaymentPrefs = {
      embedWindow : "/paymentEmbed.php",
      actionPage : "/processPayment.php",
      // cancelPage link is optional. If you would like to hide this button,
      //   simply comment this line out.
      cancelPage : "/cancelPayment.php",
      listeners : {
        // Binds a listener from an existing element (id) to an embed form element (key)
        // key: id
        // amount: 'paymentAmount'
      }
    }
  </script>
  
  <script src="https://frodo.dev.policy-service.com/assets/javascripts/controller.js"
    type="text/javascript" id="primoris_controller"></script>
  
  <div style="display:none;" id="loading"> 
    Place any message or progress bar for payment processing here. 
    The confirmation page expects an element with id="loading" 
  </div>
                    

Where the /paymentEmbed file, in PHP, is:

  <!doctype html />
  <html>
    <head></head>
    <body>
      <div id="paymentForm">
        <script>
          PaymentPrefs = {
            pubkey : "$publicKey",
            // formID is only if you need the form variables
            //  listed below to be injected into an existing form
            // formID: "paymentForm",
            view : "default",
            account_token : "$policy.accountToken",
            userCanSaveInfo : true,
            userCanPayWithPrepaid : true,
            readOnly : [ "amount" ],
            showAmount : true,
            showPhoneNumber : true,
            showEmail : true,
            // paymentType:
            //   1) is an optional field
            //   2) takes one of two params: "card", "bank"
            //   3) only works with the following views: "default", "recurring"
            paymentType: "card",
            amount : "$policy.formatted_amount",
            domain : "https://frodo.dev.policy-service.com",
            form : {
              name : "$policy.insuredName",
              address : "$policy.insuredAddress1",
              city : "$policy.insuredCity",
              state : "$policy.insuredState",
              zip : "$policy.insuredZip",
              account_number : "$policy.policyNumber",
              customer_identifier : "$policy.insuredID",
              user_identifier : "$user.userID",
              transaction_identifier : "$payment.paymentID"

            }
          }
        </script>
        <script src="https://frodo.dev.policy-service.com/assets/javascripts/embed.js"
          type="text/javascript" id="tolkien_embed"></script>
      </div>
    </body>
  </html>
                    

So What's Going On Here?

The first section is setting up the associated files for processing the payment. The 'embedWindow' sets the path of the file for the embedded JavaScript. The 'actionPage' sets the path to the form action page in your site - there are form inputs that are created in the embed file that you can then use to POST form data in your site. Finally, there is the 'cancelPage' which is the path to a custom cancel page, if you have one. The cancel page may be left as an empty string if you don't have one.

The HTML form elements that are available to your action page are listed below. Note: the card number and the card security code are not available.

Endpoints

Primoris Payment API resources are identified as URLs that map to endpoints. You can access the resources using a web browser, curl, other command line tools, or through HTTP client tools, like Postman.

The requests endpoints are only available via the secure HTTPS protocol, and the domain names for the production and development endpoints, respectively, are:

                        paymentapi.policy-service.com         // production
                        frodo.dev.policy-service.com          // development
                    

All successful API responses will be in JSON format, wrapped in a "data" object if successful or an "error" object if not.

Account

The account endpoint supports GET, POST, and PUT HTTP methods.

GET /payments/account/{account_token}

Returns a list of information for the specified {account}. The {account_token} is a alpha-numeric string 24 characters long.

Request

Successful Returned Values

POST /payments/account

Creates a credit card or bank account_token.

Request

Successful Returned Values

POST /payments/account/{account_token}

Creates a payment_token for a single sale with an {account_token}.

Request

Successful Returned Values

PUT /payments/account/{account_token}

Updates a credit card or bank account using the {account_token}.

Request

Successful Returned Values

Sale

The sale endpoint supports GET and POST methods.

GET /payments/{payment_token}

Returns a list of information for the specified payment. The {payment_token} is a alpha-numeric string 24 characters long.

Request

Successful Returned Values

POST /payments/sale/{payment_token}

Processes a sale for the specific {payment_token}.
Note: If a payment is processed multiple times, the Payment API will return the original results of the request. The card or bank account will NOT be charged again.

Request

Successful Returned Values

Confirmation

The confirmation endpoint supports the POST HTTP method. The confirmation process is used to verify that the successful payment has been applied to the policy/account.

POST /payments/confirmation

Provides the Payment API with a confirmation number for a payment to indicate that the payment has been applied to the policy/account.

Request

Successful Returned Values

Refund

The refund endpoint supports the POST HTTP method. The refund will return a partial or full amount of the payment using the {payment_token}.

If a full refund is run before 12AM ET for a same-day sale transaction, the charge will not show up on the cardholder's statement. This is often referred to as a "void."

If the total amount charged or the policy amount is refunded, a full refund will be processed, including the refund of the Primoris fee.

POST /payments/refund/{payment_token}

Processes a partial or full refund on a complete payment using the {payment_token}.

Request

Successful Returned Values

Client View

The client endpoint supports the GET HTTP method.

GET /client/view

Returns a list of information for the specific client and returns a list of fees for a specific payment amount for this client.

Request

Successful Returned Values

Batch

The batch view endpoint supports the GET and POST HTTP method.

GET /batch/payments

Returns a list of Payment Views (Sale GET Request) given a batch_id.

Request

Successful Returned Values

POST /batch/payments/sale

Processes sale requests (Sale POST) for all listed accounts.

Request

Successful Returned Values

Test Card Numbers

Card Type	Card Number	CVV/CVC	Street Address	Zip Code
Visa	4012301230123010	123	123	55555
Master Card	5123012301230120	123	123	55555
American Express	349999999999991	123	123	55555
Discover	6011011231231235	123	123	55555

NOTE: It is important to start the street address with '123'. You can follow it with anything after.
For Example: 123 Main St.

Address Verification Testing

The card associations have developed Address Verification as a tool to assist a merchant in processing a transaction based on information submitted that is compared to the credit card billing address. In order to test the variety of possible responses, the table below can be used. Defined input values will result in responses as described:

Street Address	Zip Code	AVS Result Code
123	55555	Y – street and postal code match
123	999991111	Y – street and postal code match (Visa) X – street and postal code match (MasterCard)
123	EH8 9ST	D - exact match, international
123	Other Zip	A - address match, zip mismatch
234	Any Zip	U - address unavailable
345	Any Zip	G - verification unavailable due to international issuer non - participation (Visa and MasterCard only)
456	Any Zip	R - issuer system unavailable, retry
235	Any Zip	S – AVS not supported
Other Address	55555	Z - address mismatch, 5-digit zip match
Other Address	EH8 9ST	Z - address mismatch, international zip match
Other Address	999991111	Z- address mismatch, zip match (Visa) W- address mismatch, zip match (MasterCard)
Other Address	Other Zip	N - address and zip mismatch

CVV, CVC, CID Testing

This table will test CVV, CVC, and CID which is the 3 or 4 digit code printed on the back of a card. This security feature assists merchants processing in a Card Not Present environment and receiving a positive response ensures the likely hood that the cardholder making the purchase is in physical possession of the card. Visa, MC, and Discover encode a 3 digit value on the cards and American Express encodes either a 3 or 4 digit value. Defined input values will result in responses as described:

CVV / CVC Value	Result Code
123	M-Match
234	P-Not Processed
345	U-Issuer is not certified
else	N-No Match

This table will test American Express CID:

CID Value	Result Code
1234	M-match (this response is generated when the CID flag is enabled on the MeS Profile ID)
2345	P-not processed (this response is generated when the CID flag is enabled on the MeS Profile ID)
**** (any value other than 1234 or 2345)	N-no match (with a response code of 000) (this response is generated when the CID flag is enabled on the MeS Profile ID)

CVV, CVC, CID Testing

This table will test CVV, CVC, and CID which is the 3 or 4 digit code printed on the back of a card. This security feature assists merchants processing in a Card Not Present environment and receiving a positive response ensures the likely hood that the cardholder making the purchase is in physical possession of the card. Visa, MC, and Discover encode a 3 digit value on the cards and American Express encodes either a 3 or 4 digit value. Defined input values will result in responses as described:

CVV / CVC Value	Result Code
123	M-Match
234	P-Not Processed
345	U-Issuer is not certified
else	N-No Match

Amount Driven Response Testing

In addition to testing for approval codes, this table will allow testing for a wide variety of potential response codes:

Amount	Response Code	Auth response text	Reason/Description
0.00	085	"Card OK"	For card verification testing, submit a transaction code=A
0.01	001	"Call"	refer to issuer
0.02	002	"Call"	refer to issuer - special condition
0.04	004	"Hold-call"	pick up card (no fraud)
0.05	005	"Decline"	do not honor
0.07	007	"Hold-call"	pick up card (fraud)
0.14	014	"Card No. Error"	Invalid card number
0.15	015	“No Such Issuer”	Invalid card number
0.19	019	"RE Enter"	re-enter transaction
0.41	041	"Hold-call"	pick up card (fraud: lost card)
0.43	043	"Hold-call"	pick up card (fraud: stolen card)
0.51	051	"Decline"	insufficient funds
0.54	054	"Expired Card"	issuer indicates card is expired
0.57	057	"Serv Not Allowed"	transaction not permitted to cardholder
0.59	059	“Suspected Fraud”	Do not honor card
0.84	084	“Invalid Auth”	Invalid Authorization Life Cycle
0.86	086	“Can’t Verify PIN”	System is unable to validate the Pin #
1.10	0TA	"CT NOT ALLOWED"	Merchant does not accept this type of card

American Express – AAV (Cardholder Email, Name and Phone Number Verification)

The following AAV or ITD values will cause the simulator to return a 'Y' response in the appropriate response field.

Field Name	Group	Value
Billing Street Address	AAV	123 (only numeric part matters)
Billing Postal Code	AAV	55555 or 999999999
Billing First Name	AAV	CHRIS
Billing Last Name	AAV	FROST
Billing Phone Number	AAV	7035551212
Customer Email	ITD	cffrost@emailaddress.com

Any other value will cause the simulator to return a 'N' response in the appropriate response field. If a given data element is not supplied the simulator will return a space.

Display Loading Message

The purpose of this section is to give some interactive feedback to the customers once they click the submit button. When the submit button is clicked, the data will be sent to the processor. This process will show some delay, during that time, it would be better if the customer looks at a 'loading' image.

Requirements For Loading Message

• The 'div' tag has to go under controller.js
• The 'div' display style has to equal 'none'
• The 'id' of 'div' tag has to equal 'loading'

Here is an example of loading message code:

    <div style="display: none;" id="loading">
        Processing Payment<br />
        <img alt="Loading" src="/images/busy.gif" width="220" height="19" /> <br />
    </div>

Here is an example of loading message image:

Processing Payment

Payment Flow Information

Embedded Form.

• Initially, the customer inputs their information in the embedded form. Once they fill it out, they have the option to click 'Continue Payment'.
• Before the customer clicks 'Continue Payment', they also have the option to save their account information.
• Once the 'Continue Payment' is clicked, they are prompted to confirm the typed information. There is also a disclaimer that informs the customer that their card has not been charged yet, if they wish to charge it, they need to click 'Process Payment'

Action Page

• Once the 'Process Payment' is clicked, the form data is sent to the Primoris server where the data is manipulated.
• The manipulated data is then sent to the client server where it submits the request.
• After the client server processes the data, it will assign a confirmation for the sale request.
• This confirmation number comes back to Primoris server where it will be stored as well.

Payment Repair Process Flowchart

The flow chart below indicates the repair process of point of sale payments with 'payment_status' 'active'.