The Payment Methods API provides endpoints for managing tokenized payment instruments including cards, SEPA Direct Debit mandates, and ACH mandates. Commerce V1 securely stores payment credentials while maintaining PCI DSS compliance through tokenization.

Payment Instruments

Commerce V1 supports multiple payment instrument types, each with specific setup and management requirements:
  • Cards: Tokenized card data for credit and debit card payments
  • SEPA Mandates: Direct debit authorization for SEPA regions (Core and B2B)
  • ACH Mandates: Direct debit authorization for US bank accounts
Each payment instrument is associated with a customer and can be used for both one-time and recurring payments.

Payment Method Setup

The payment method setup flow handles the process of securely collecting and storing payment credentials. Setup flows integrate with your extension services to provide custom checkout experiences. Key setup capabilities:
  • Initiate setup: Create a new payment method setup session for a customer
  • Track progress: Query setup status and details
  • Handle callbacks: Process setup completion callbacks from extension services
  • Access stored methods: Retrieve tokenized payment methods after successful setup
The setup process follows this pattern:
  1. Create a setup session via API
  2. Customer completes payment method collection in your checkout experience
  3. Extension service returns setup results via callback
  4. Payment method becomes available for transactions

Token Management

Access and manage stored payment method tokens through the payment methods endpoints. Tokens provide secure references to payment credentials without exposing sensitive data. Operations include:
  • List payment methods: Query all stored payment methods for a customer or account
  • Get details: Retrieve specific payment method information
  • Terminate tokens: Remove payment methods when no longer needed
  • Download documents: Access mandate documents for SEPA and ACH mandates

PCI Compliance

Commerce V1’s tokenization approach reduces your PCI DSS compliance scope. Sensitive card data is never stored in your systems; instead, you work with secure tokens that reference the underlying payment credentials. When integrating with the Payment Methods API, follow these guidelines:
  • Use session-based tokenization through extension services (SAQ-A/SAQ-A+)
  • Never log or store raw card data in your application
  • Implement proper access controls for payment method tokens
  • Monitor token usage and revoke unused tokens regularly
For SEPA mandate signature requirements, see the SEPA Mandate Service documentation.