Payment Methods in Magento
Payment methods have very different requirements.
For example, some payment methods - like the built-in Check / Money Order - can work completely within Magento. They do not require contacting an external Payment Service Provider (PSP) because no credit card data is collected.
In Magento, such payment methods sometimes are referred to as "offline payment methods".
Nowadays offline payment methods are an exception - most eCommerce transactions use a credit card.
Collecting credit card data requires compliance with high-security standards. Keeping credit card data and personally identifiable information safe is in essence what the PCI-DSS (Payment Card Industry Data Security Standard) is about.
This is why payment methods collecting credit card information are built by integrating external Payment Service Providers.
On Magento, such payment methods are sometimes called "gateway" payment methods.
They delegate the actual collection of card data to the PSP and only operate with result information provided by the Payment Service Provider API.
How a Magento Payment method delegates a customer to the PSP to collect the required data from customers varies.
Some PSPs may require the customer to leave the Magento website and complete steps on their website, after which the customer is redirected back to the Magento checkout.
If the payment was successful, an authorization token is passed to Magento, either when the customer is redirected back or via a side channel.
The validity of payment tokens will always have to be confirmed on the Server Side in PHP at the time the order is placed since all frontend Browser validation is easy to bypass for a skilled developer/hacker.
Such a payment token means the credit card data was valid, and it authorizes the token holder (that is, Magento) to capture the given amount.
These payment tokens usually are only valid for a limited amount of time.
Capturing the payment with the token may happen when the order is placed, or it may happen later, for example when the order is shipped.
This depends on the business process of the merchant.
There are many other scenarios of how PSP integrations can be implemented besides the ones described above.
Payment Methods in Hyvä Checkout
The Hyvä Checkout payment integration API provides a framework to implement any payment scenario.
Because every payment method is different, it is not possible to provide simple step-by-step instructions that are always applicable.
How a PSP API can be implemented using the Hyvä Checkout Payment Method API has to be determined in each project individually.
A Hyvä Checkout payment integration is responsible for the front-end user interaction.
It complements the underlying matching Magento Payment Method.
If there is an existing Magento Payment integration for the PHP, much of the backend PHP code can be reused for the Hyvä Checkout integration, for example validating payment tokens or capturing payments via the PSP Web API.
Only the frontend part has to be implemented for Hyvä Checkout.
When a visitor selects a payment method in Hyvä Checkout, it is stored as the selected payment method on the customer quote automatically.
The logic to create the order in Magento is the same that is used with the Luma front-end and can probably be reused.
The Hyvä Checkout payment component's responsibility is to gather the required data for the payment.
As described above, this will be some interaction with a PSP that results in a payment authorization token.
The actual capture then happens via a Magento Payment Method.
The Hyvä API consists of hook methods, that will be called automatically at the appropriate time if they are implemented by a payment method.
From a very high-level point of view, the steps are as follows:
- register the payment method in the checkout
- implement the template
- implement the required hook methods
- set the gathered payment data on the Magento payment method
- place the order