Inbound payments integration

The inbound payments demonstration-only feature includes a PCI-compliant simulated integration framework and user interface elements that simulate accepting a credit card. Credit card information is tokenized. The simulation allows a PolicyCenter user to interact with a JavaScript library that transmits card information directly to a payment gateway. Neither the JavaScript library or card information is stored in PolicyCenter. Instead, the information is passed to the payment gateway, which responds with representing the card information as a token for future use for payments.

This feature is not enabled in the base application. To enable inbound payments, set the EnableCreditCardCollectionUI application configuration parameter to true and perform additional configuration steps with your payment gateway vendor and Guidewire. In addition, follow the steps provided in GWEmbedded iframe security configuration.

Note: Payment Card Industry (PCI) compliance refers to a security standard for processing credit card transactions and other electronic means of payment. For more information, see https://www.pcisecuritystandards.org/.

Note: Additional configuration and integration steps can be performed by Guidewire to assist you in enabling this feature.

When enabled, the Actions > Collect Credit Card option appears in the submission wizard. The screens included in the Collect Credit Card option consist of a reference HTML iframe page to collect and display credit card information associated with an account, including the value of the token. The reference page serves as a template for similar card collection patterns that can be used with other payment gateways.

There are two parts to the inbound payments reference integration feature. The first part is how information is communicated to the payment gateway. The second part is communication between the iframe and PolicyCenter.

Communication between HTML iframe and payment gateway

Card information, such as the credit card number, is not stored in PolicyCenter or in the PolicyCenter user interface. The credit card number is known as a Primary Account Number (PAN). Instead, there is an integration with a page that calls a JavaScript library provided by the payment gateway. This library redirects to the payment gateway's UI elements (JavaScript, HTML) that collect the PAN. This library also sends the PAN to the Payment Gateway. This library is also used for retrieving the credit card token from the gateway. After the payment gateway collects the PAN and other information, such as the billing contact information, it responds with the credit card token as well as the last four digits of the credit card. This process reduces the PCI compliance burden on PolicyCenter.

The integration is summarized in the following diagram:

Communication between HTML iframe and PolicyCenter

The GWEmbedded JavaScript library enables PolicyCenter and its PCF files to communicate with an HTML iframe hosted on the application server. This library is named gw-embedded.js. The iframe is contained within an embedded widget. This widget is a mechanism that can be used to share information between the NewCreditCardPopup.pcf and the iframe. Information is shared using post messages through a JavaScript library that is imported by the iframe HTML. The update method in the PaymentIntegrationUpdateHandler class in PolicyCenter receives a message containing the JSON object with the response from the payment gateway. While this may depend on the format that the payment gateway provides, in most cases, the message includes the last four digits of the PAN and the token.

GWEmbedded iframe security configuration

The GWEmbedded JavaScript library utilizes post-messages, which broadcasts messages to an open channel. For security reasons, this library only supports post-messages that originate from InsuranceSuite and throws an exception of untrusted origin for other messages.

In the inbound payments user interface iframe components, there is often an outside vendor running code in the payment HTML page, and, subsequently utilizing post-messages as well. For example, Stripe is one such vendor that utilizes a JavaScript library to communicate with its payment gateway. While the GWEmbedded library does not process these messages, they are not unexpected, and the exceptions that this library are throwing are extraneous.

Modify PaymentsForm.html with the following code to ignore post-messages for your specific payment gateway's library. This file is located in:

app-pc/pc/webresources/pages/payments/PaymentsForm.html:30

Code to remove

<script src="/pc/resources/js/gen/gw-embedded-ts.js"></script>

Code to replace

<script>
            if (GwCrossOriginExternal) {
                const originalReceive = GwCrossOriginExternal.receiveMessageFromGwApp;

                const newRecieveFunctionThatWillBeBoundInTheInitMethod = function (event) {
                    if (event.origin && event.origin.includes("js-sdk-test.payments.guidewire.net")) {
                        return;
                    }

                    GwCrossOriginExternal.receiveMessageFromGwAp = originalReceive;
                    originalReceive.call(GwCrossOriginExternal, event);
                };

                GwCrossOriginExternal.receiveMessageFromGwApp = newRecieveFunctionThatWillBeBoundInTheInitMethod;
            }
        </script>
        <script> GwCrossOriginExternal.init(origin, "*") </script>
    </head>

Note:

Replace the js-sdk-test.payments.guidewire.net value in the following line with your specific payment gateway's JavaScript library.

event.origin.includes("js-sdk-test.payments.guidewire.net"))