# Your own payment form
If you value aesthetic consistency and would like to design your own payment form, Straal gives you full freedom and flexibility to do so. It also lets you keep the whole purchasing process on your website.
We provide a safe way for your customers to submit their card details. The details are encrypted and sent securely to the system using Straal.js, our helper library. Straal.js encrypts the cardholder's data before sending it to us, so we take care of its security. Because the data isn't sent through your back end, fewer PCI-compliance requirements apply to you. Straal.js processes requests encrypted with CryptKeys.
CryptKeys are special objects that allow you to send encrypted data directly to our API endpoint. Each CryptKey also contains a one-time token. This can be useful in various scenarios, such as making a request from mobile or web applications where you can't expose the API Key.
Read more about using CryptKeys in API Reference: CryptKeys.
For more information about Straal.js, our helper library, refer to API Reference: Straal.js.
## Create your own checkout
1. Your back end must send a request to Straal to have a CryptKey created for a specific permission.
2. Pass the CryptKey to your front end.
3. `StraalJS` via NPM and import sendEncrypted method from
4. When your customer fills in the form with their information, you need to prepare a payload consistent with the specific permission, and pass it to a relevant method of the `Straal` object. For example, after creating a CryptKey for `v1.cards.create_with_customer`, build a payload as for `https://api.straal.com/v1/cards`, and pass it to the method `Straal.cards.createWithCustomer` along with the CryptKey.
5. You get a response on the front end. You can use it to show a status notification to the customer.
6. Your back end receives a confirmed answer as a notification. Only now should you consider the payment successful, as the front-end response is not 100% reliable.
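One way a back end can enforce the rule that only the back-end notification settles a payment, so that a front-end response never marks an order as paid. This is an added example, not Straal's code: `OrderLedger`, the state names and the `{ orderRef, success }` notification shape are hypothetical, and the notification is assumed to have been authenticated before it reaches `applyNotification`.

```javascript
// Added example; every name and the notification shape are assumptions,
// not Straal's API. The notification is assumed to be authenticated already.
const State = Object.freeze({
  CREATED: 'created',                // CryptKey issued for this order
  AWAITING: 'awaiting_confirmation', // front end reported a result
  PAID: 'paid',                      // confirmed by a back-end notification
  FAILED: 'failed',                  // rejected by a back-end notification
});

class OrderLedger {
  constructor() { this.orders = new Map(); }

  // Called when the back end requests a CryptKey for an order.
  open(orderRef) {
    if (this.orders.has(orderRef)) throw new Error('duplicate order');
    this.orders.set(orderRef, { state: State.CREATED, frontEndClaim: null });
  }

  // The browser reports what it saw. This is kept for the UI only: the
  // client controls this input, so it can never move an order to PAID.
  recordFrontEndResult(orderRef, claimedSuccess) {
    const order = this.orders.get(orderRef);
    if (!order) return null;
    order.frontEndClaim = Boolean(claimedSuccess);
    if (order.state === State.CREATED) order.state = State.AWAITING;
    return order.state;
  }

  // A notification received by the back end is the only input that
  // settles an order. Settled orders are not overwritten, so a repeated
  // delivery cannot flip the outcome.
  applyNotification({ orderRef, success }) {
    const order = this.orders.get(orderRef);
    if (!order) return null; // unknown order: ignore
    if (order.state === State.PAID || order.state === State.FAILED) {
      return order.state; // idempotent on redelivery
    }
    order.state = success === true ? State.PAID : State.FAILED;
    return order.state;
  }

  isPaid(orderRef) {
    const order = this.orders.get(orderRef);
    return order !== undefined && order.state === State.PAID;
  }
}
```

Fulfilment code should gate on `isPaid` only; the stored `frontEndClaim` is useful for spotting orders where the browser reported success but no confirming notification ever arrived.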
# Managing payments via Straal API
We recommend that most of our clients choose the ready-made Straal Checkout Page. Although it isn't as powerful as a full back-end-to-back-end integration, it comes with less strict PCI security requirements.
Achieving back-end-to-back-end integration and using the Straal API is the most flexible and powerful way of interacting with Straal. Using the Straal API is an option when you'd like to have your own checkout page – one that fits into your company's branding and UX.
This is possible if you're PCI compliant, which means you can process payment data through your back end. This integration method is not often possible because of the high requirements of PCI DSS compliance.
The minimum PCI requirement is completing a Self-Assessment Questionnaire type D. SAQ D is the strictest of the SAQs, and it's required when you aim to process card details. For more information, see Assessing the Security of Your Cardholder Data and the PCI Compliance section of this documentation. During the onboarding process Straal will inform you if filling out the SAQ form is required.
On the other hand, if you'd rather not process card data, and we recommend you don't, there are options to shift some responsibility over the data to Straal, as we're fully PCI Certified. In most cases, we recommend using the ready-made Straal Checkout Page or building your own payment form using Straal.js, our helper library.
These options come with less strict PCI requirements, because card data doesn't pass through your back end. In most cases, you're required to complete a PCI Type A-EP Questionnaire (SAQ A-EP), which is much less demanding than SAQ D.
To learn how to make the most of our RESTful API, consult our API Reference or various use cases in this documentation.