This SDK makes it easy to integrate your Java application with Heartland's Portico Gateway API. Supported features include:
- Card Not Present (eCommerce and mobile)
- Card Present (Retail and Restaurant)
- Secure Submit single-use tokenization and multi-use tokenization
- Heartland Secure End-to-End Encryption (E3)
- Credit, Gift & Loyalty,and eCheck/ACH
- Recurring Payments
- Apple Pay
- Android Mobile
| Data Security | API Reference | Testing & Certification | API Keys | Links |
|---|---|---|---|---|
| Register an Account Partner with Heartland Developer Support |
####Developer Support
You are not alone! If you have any questions while you are working through your development process, please feel free to reach out to our team for assistance.
- Java 1.7
- ApplePay MerchantID Certificate in p12 format
- PCI DSS TLS 1.1+ Capability
Download and unzip or, using Git, clone the repository where our Java SDK is located on Github. Link in the project using the IDE of your choice and run! Because this SDK uses Maven your build process should automatically download the external dependencies needed to build your application.
When adding the SDK to your project, you may need to follow these additional steps:
- Upgrade to the latest version of the Heartland SDK
- Add a new repository for the
ksoap2-androidlibrary so that the dependency is resolved - Install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” for your JDK. See Java documentation for more details.
You will use your public key when implementing card tokenization and your private key will be used when communicating with our Portico Gateway. More details can be found in our documentation.
Note: Multi-Use tokenization is not enabled by default when creating an account. You can contact Heartland's Specialty Products Team to have this enabled. This is also true if you wish to use Gift & Loyalty, ACH, and Debit.
-
Secure Submit for eCommerce web or mobile applications ("card-not-present"), which leverages single-use tokenization to prevent card data from passing through the merchant or integrator's webserver. It only requires a simple JavaScript inclusion and provides two options for payment field hosting:
-
Self-Hosted Fields - this approach relies upon the standard, appropriately named, HTML form controls on the integrator's served web page.
-
Heartland Hosted Fields - this approach combines the Secure Submit service with iframes to handle presentation of the form fields and collection of sensitive data on Heartland servers. Since PCI version 3.1 the PCI Council and many QSAs advocate the iframe-based approach as enabling a merchant to more readily achieve PCI compliance via the simplified SAQ-A form. Check out the CoalFire's whitepaper for more information.
-
Heartland Secure for card-present retailers, hospitality, and other "POS" applications, comprises three distinct security technologies working in concert:
-
End-to-End Encryption (E3) - combines symmetric and asymmetric cryptography to form an "Identity-Based Encryption" methodology which keeps cardholder data encrypted from the moment of the swipe.
-
Tokenization - replaces sensitive data values with non-sensitive representations which may be stored for recurring billing, future orders, etc.
-
EMV - though less about data security and more about fraud prevention, EMV or chip card technology guarantees the authenticity of the payment card and is thus an important concern for retailers.
Depending on your (or your customers') payment acceptance environment, you may need to support one or more of these technologies in addition to this SDK. This SDK also supports the ability to submit cleartext card numbers as input, but any developer who does so will be expected to demonstrate compliance with PA-DSS. Likewise any third party integrator who is planning on handling cleartext card data on behalf of other merchants will be expected to demonstrate their PCI DSS compliance as a Service Provider prior to completing certification with Heartland.
If you implement Secure Submit tokenization for your web or mobile application you will never have to deal with handling a card number - Heartland will take care of it for you and return a token to initiate the charge from your servers.
Similarly, if you implement Heartland Secure with E3 (for both swiped and keyed entry methods) then your POS application will be out-of-scope for PA-DSS. Heartland Secure certified devices will only ever return E3 encrypted data which can safely be passed through your systems as input to this SDK. Heartland Secure devices include many popular models manufactured by PAX and Ingenico.
To summarize, when you create a paymentMethod using this SDK you have the following options for securely avoiding interaction with sensitive cardholder data:
-
Card data (track or PAN) may be sent directly from a web browser to Heartland, returning a SecureSubmit single use token that is then sent to your server.
-
Encrypted card data (track or PAN) may be obtained directly from a Heartland Secure device and passed to the SDK
Quick Tip: The included test suite can be a great source of code samples for using the SDK!
Note that our SDK provides a Fluent Interface which allows you to replace a charge call that looks like this:
HpsCharge response = charge(new BigDecimal("13.01"), "USD", card, cardHolder, true, true)With one that reads like this:
HpsAuthorization response = creditService.charge(BigDecimal.valueOf(13.01))
.withCard(card)
.withCardHolder(cardHolder)
.withRequestMultiUseToken(true)
.execute();Between the two samples you can more easily read and understand what the code is doing in the second example than the first. That is a big advantage and helps speed development and reduce errors when using methods that allow a large number of parameters.
Java developers can easily integrate with Heartland Payment Systems for ApplePay.
Below is one of the delegate methods for PKPaymentAuthorizationViewControllerDelegate. It is called after the iOS user has selected their method of payment and authorized the ApplePay transaction. The first portion converts the payment data to a JSON string, which is what is expected when you create a new PaymentToken object in the SDK.
- (void) paymentAuthorizationViewController:(PKPaymentAuthorizationViewController *)controller
didAuthorizePayment:(PKPayment *)payment
completion:(void (^)(PKPaymentAuthorizationStatus))completion
{
NSString *json = [[NSString alloc] initWithData:payment.token.paymentData
encoding:NSUTF8StringEncoding];
// Here is where you might post the json to a service for decryption and authorization.
if( transactionSuccessful ) // pseudo code to complete the transaction in PassKit
{
completion(PKPaymentAuthorizationStatusSuccess);
}
else
{
completion(PKPaymentAuthorizationStatusFailure);
}
}These three lines of code are all that is required to decrypt your PKPaymentToken. The JSON string in the PaymentToken constructor represents JSON data obtained from the iOS device as displayed in the previous code block.
PaymentToken token = new PaymentToken("{ data: ..., header: { ... }, signature: ... }");
DecryptService service = new DecryptService("PrivateKeyExport.p12", "PrivateKeyPassword");
PaymentData paymentData = service.decrypt(token);Quick Tip: You can get a head start on your certification by reviewing the certification tests in the included test suite.
####Test Card Data
The following card numbers are used by our Certification environment to verify that your tests worked. Note that while variations (such as 4111111111111111) will work for general testing the cards listed below are required to complete certification.
| Name | Number | Exp Month | Exp Year | CVV | Address | Zip |
|---|---|---|---|---|---|---|
| Visa | 4012002000060016 | 12 | 2025 | 123 | 6860 Dallas Pkwy | 750241234 |
| MasterCard | 5473500000000014 | 12 | 2025 | 123 | 6860 Dallas Pkwy | 75024 |
| Discover | 6011000990156527 | 12 | 2025 | 123 | 6860 | 750241234 |
| Amex | 372700699251018 | 12 | 2025 | 1234 | 6860 | 75024 |
| JCB | 3566007770007321 | 12 | 2025 | 123 | 6860 | 75024 |
####Testing Exceptions
During your integration you will want to test for specific issuer responses such as 'Card Declined'. Because our sandbox does not actually reach out to issuers we have devised specific transaction amounts that will trigger issuer response codes and gateway response codes. Please contact Heartland for a complete listing of values you can charge to simulate AVS, CVV and Transaction declines, errors, and other responses that you can catch in your code:
try
{
chargeService.charge(new BigDecimal("-5"), "usd", creditCard, cardHolder);
}
catch (HpsInvalidRequestException e)
{
// handle error for amount less than zero dollars
}
catch (HpsAuthenticationException e)
{
// handle errors related to your HpsServiceConfig
}
catch (HpsCreditException e)
{
// handle card-related exceptions: card declined, processing error, etc
}
catch (HpsGatewayException e)
{
// handle gateway-related exceptions: invalid cc number, gateway-timeout, etc
}More exceptions can be found here.
All our code is open sourced and we encourage fellow developers to contribute and help improve it!
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Ensure SDK tests are passing
- Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
####Included Test Suite
The included test suite can help ensure your contribution doesn't cause unexpected errors and is a terrific resource of working examples that you can reference. As mentioned earlier, the certification folder contains tests that mirror the types of requirements you will encounter when you certify your integration for production.