Checkout

Cashier checkout

Cardflo's cashier checkout provides a hosted payment page solution, redirecting customers to a secure, Cardflo-branded or co-branded environment for payment. This approach significantly reduces PCI compliance scope for merchants while offering a robust, feature-rich payment experience.

It is suitable for businesses prioritising security and rapid deployment with minimal development overhead.

Category
Checkout
Capabilities
10
Available on
All plans
Apply now

The overview

A cashier checkout functions as a hosted payment environment where the customer is redirected from the merchant site to a secure interface managed by a payment service provider.

This architectural choice places the burden of sensitive data capture on the acquirer or gateway infrastructure, effectively isolating the merchant from primary cardholder data.

By utilising a hosted page, businesses can facilitate transactions via various methods including credit cards, digital wallets, and alternative payment methods without the development complexity of bespoke integrations.

The system handles the entire authorisation flow, including the execution of Strong Customer Authentication and 3DS protocols, before returning the customer to the merchant site with a success or failure notification.

This model is common for businesses that require high security and minimal data handling, as it simplifies the process of achieving and maintaining PCI DSS compliance through the use of pre-certified components.

How it works

  1. Initialisation and Redirect

    When a customer initiates a transaction, the merchant server sends a request to the payment gateway API. The gateway generates a unique session and returns a secure URL.

    The merchant site then redirects the browser to this hosted environment, ensuring no card data enters the merchant infrastructure.

  2. Payment Method Selection

    The hosted page presents the available payment options based on the merchant configuration, customer location, and transaction currency.

    The customer selects their preferred method, such as a scheme card or digital wallet, and enters the necessary credentials within the secure, governed frame of the payment provider.

  3. Authentication and Authorisation

    The system executes required security checks, including CVV verification and AVS. If mandated by PSD2 regulations, the interface triggers a 3DS challenge.

    Once authenticated, the transaction request is routed through the acquirer to the issuer for authorisation, following standard clearing and settlement protocols.

  4. Callback and Reconciliation

    Following the issuer response, the hosted page redirects the customer back to the merchant site. Simultaneously, an asynchronous webhook is sent to the merchant server to update the order status.

    This ensures that the transaction state is synchronised across both systems for accurate record keeping.

Why it matters

Reduces PCI Compliance Scope

By utilising a hosted cashier, the merchant avoids direct contact with sensitive cardholder data. This allows for the use of simpler Self-Assessment Questionnaires, such as SAQ A, rather than more complex assessments required for direct API integrations.

It reduces the technical and operational overhead associated with maintaining a secure environment and performing regular vulnerability scans and audits.

Facilitates Global Expansion

A hosted checkout environment typically supports a wide range of alternative payment methods and local currencies without requiring the merchant to build individual integrations for each.

The service provider manages the underlying relationships with various local acquirers and schemes, allowing businesses to accept payments in multiple jurisdictions while maintaining a uniform reporting structure and settlement process.

Security and Maintenance

Hosted pages are updated by the provider to include the latest security patches, compliance requirements, and payment technologies.

This eliminates the need for the merchant to manually update their code when schemes mandate changes to 3DS specifications or when new regulatory requirements like PSD3 are introduced. It ensures the payment flow remains functional and compliant with minimal internal developer intervention.

Use cases

High Volume Retailers

Large merchants prioritising rapid deployment across multiple regional storefronts use hosted pages to maintain a consistent payment experience while offloading the security risks associated with handling card data during peak traffic periods.

Cross Border E-commerce

Businesses expanding into international markets utilise hosted checkouts to instantly offer local payment methods and currency conversion, which are often pre-configured within the provider's global acquiring network.

SME and Boutique Brands

Smaller enterprises with limited technical resources favour this model to achieve secure, professional grade checkout functionality with minimal coding effort, ensuring focus remains on core business operations rather than infrastructure.

Subscription Based Services

Services requiring initial tokenisation of payment methods for recurring billing use hosted environments to securely capture and vault credentials before initiating subsequent merchant initiated transactions.

By the numbers

60-80%
PCI Compliance Savings

This represents a typical reduction in the volume of security controls a merchant must personally manage when moving from a direct API to a hosted redirect model.

3-5x
Deployment Speed

Industry benchmarks suggest that hosted pages can be integrated multiple times faster than bespoke API integrations, depending on the complexity of the existing tech stack.

<2s
Transaction Latency

High performance gateways aim for processing times under two seconds, though total redirect time depends on the customer's network and the issuer's 3DS response speed.

Ready to route with Cashier checkout?

Talk to our team about a live rollout on your acquiring stack.

Apply now

What you get with Cashier checkout

  • Minimises PCI DSS compliance burden by ensuring card data never touches the merchant server
  • Provides automatic updates for SCA and 3DS compliance without requiring manual code changes
  • Supports multiple currencies and local settlement to facilitate efficient cross border commerce
  • Integrates diverse alternative payment methods through a single, managed checkout interface
  • Allows for co-branding and custom CSS to maintain brand consistency throughout the payment journey
  • Triggers real time webhooks to ensure merchant order management systems remain synchronised
  • Handles complex routing and failover logic automatically to improve authorisation success rates
  • Includes built in fraud prevention tools such as AVS and CVV verification requirements
  • Reduces development time through pre-built templates and standardised API redirection protocols
  • Supports secure tokenisation for subsequent recurring transactions and merchant initiated payments
See Cashier checkout on your acquiring stack.

A short scoping call, then a written plan for your MIDs.

Apply now

Questions about Cashier checkout

How does a hosted cashier checkout impact my PCI DSS compliance status?

A hosted checkout significantly reduces the scope of PCI DSS compliance. Because the payment data is captured on the provider's servers, the merchant typically qualifies for SAQ A.

This is the simplest form of compliance, as the merchant does not store, process, or transmit sensitive cardholder data. It removes the need for complex network segmentation and rigorous technical controls that are required for direct integrations where card data passes through the merchant's infrastructure.

Can I customise the appearance of the hosted payment page?

Yes, most hosted checkouts allow for various levels of customisation. This typically includes the ability to upload a company logo, adjust primary and secondary colours, and modify CSS to match the merchant's brand identity.

While the core structural elements remain managed by the provider for security reasons, the visual styling can be adjusted to ensure the transition from the merchant site to the payment page is as unobtrusive as possible for the customer.

Does this checkout method support Strong Customer Authentication?

Yes, the hosted environment is designed to handle the complexities of PSD2 and SCA. When a transaction requires authentication, the page will automatically trigger the necessary 3DS flow, directing the customer to their issuing bank's portal.

Once the customer completes the challenge, the result is processed by the gateway, and the customer is returned to the merchant site. This ensures compliance with regional regulations without additional development work from the merchant.

What happens if a customer closes the window during the redirect?

If a customer terminates the session before the redirect is complete, the transaction remains in a pending or cancelled state. Systems typically use webhooks to notify the merchant server if a session expires or is abandoned.

The merchant's order management system should be configured to handle these status updates, either by allowing the customer to retry the payment or by automatically cancelling the order after a specific period of inactivity.

Is a hosted checkout suitable for mobile applications?

Hosted checkouts can be used in mobile applications, often through a web view or by opening the mobile browser. However, for a fully native experience, some providers suggest using SDKs.

The hosted page itself is usually designed with responsive web design principles to ensure it functions correctly on various screen sizes, providing a functional payment path for mobile users while maintaining the security benefits of a hosted environment.

How are alternative payment methods configured in the checkout?

Alternative payment methods like digital wallets or bank transfers are typically enabled at the PSP or gateway level. Once configured in the merchant's account, these options automatically appear on the hosted checkout page based on the transaction's parameters.

This allows merchants to dynamically offer relevant payment methods to different customer segments without needing to update the integration code on their own website.

What is the difference between a hosted page and an iFrame?

A hosted page involves a full redirect where the URL in the browser changes to the provider's domain. An iFrame embeds the payment form directly within the merchant's page, keeping the merchant's URL visible.

While both methods help reduce PCI scope, a full redirect is often considered easier to implement and provides a clear separation of environments, whereas an iFrame requires more careful handling to ensure it remains responsive and secure.

Get started

Ready for velocity?

Tell us about your business. We'll match you with the right acquiring partners and the right route, typically inside a week.

Apply now
Apply now