Keap is enhancing its security for processing sensitive payment data. This initiative involves updating your payment configuration by integrating a new JavaScript Package, which updates how Keap stores Payment Methods (i.e. credit cards). This update aims to align with industry best practices and PCI Security Standards to ensure a higher level of protection for sensitive customer information.
Please upgrade to Keap's new Payments API Integration Configuration by March 20th, 2025. Failure to complete the upgrade and ensure PCI compliance will lead to an interruption in your ability to process payments.
What to check
Developers
If you send payments to Keap using the endpoints or the data table below, you will need to update your payment configuration.
REST API Endpoints
POST /v1/contacts/{contactId}/creditCards
XML-RPC Endpoints
InvoiceService.validateCreditCard
XML-RPC Data Table
- CreditCard
Keap Customers
Please review how your customers make their payments. There are two main ways:
- Through Keap: This includes using Keap features like Invoices, Order Forms, and Shopping Carts.
- Through External Services: This refers to using any external platform or app to capture payment information and send it to Keap to process.
This update is required only if you take Keap Payments through non-Keap payment forms. If you only use Keap's built-in payment features, you don't need to implement the new JavaScript Package.
How to Upgrade
Developers
If you send API calls to the endpoints listed above, you are required to implement the updated JavaScript package to be PCI compliant. The new JS Package allows you to utilize Keap's hosted secure payment component.
Additional Resources
Keap Customers
If you capture payment information and send it to Keap to process as described above, the new JS Package will need to be implemented. Reach out to the third-party platform/app that developed the external service and provide them with the new JS Package.
Reminder: If you only use Keap's built-in payment features, you do not need to use the JS Package.
Once this is implemented, you won't need to do it again, even if you change the payment processor(s) you use. This new package will also allow additional payment methods as updates are released over time.
General FAQs
Q - I know it’s for PCI compliance, but why else is this important?
A - As updates are made to ensure that Keap has the most modern and secure payment features, we knew that changes would need to be made to how payments were captured over the API. With the introduction of Tokenized Payment Methods, updates needed to be made to payment capture through API connection. The new JS Package not only keeps payment processing PCI compliant, but it also allows for the ability to capture payments for Tokenized Payment Methods.
Q - Is this just for Keap Pay customers?
Q - What will the new JS Package allow for in the future?
Q - I use Authorize.net to process payments. Do they need to make any changes?
A - Maybe. What matters is where your clients enter their payment information. This update only applies if your clients enter their credit card details in a non-Keap form to process a Keap Payment.
Examples of this could include things like a membership site that has the order form built into the site, or a booking software that includes an order form in the sign up process to pay for a consultation. There are other examples but hopefully this helps you determine if there’s anything that might be impacted in your business.
Technical FAQs
Q - Can payments be collected without using an embedded webpage?
A - No, there is currently no support for collecting payment outside of an embedded webpage.
Q - Will credit cards still be stored persistently?
A - Credit cards will not be stored persistently for Keap Pay. However, for our other processors, credit cards are being stored for now, but this is changing at some point in the future once we’ve fully transitioned to tokenized payment methods.
Q - Can we still process our customers' stored credit cards?
A - Yes, this update only impacts creating new payment methods. The APIs that process payments with existing credit cards will still operate as usual. You will still be able to get the list of cards on file and continue to use them to process payments.
Q - Can I parse out the iframe for the payment component instead of using the JS code provided?
A - This JS package provides the following:
- Extraction of the correct environment (INTG, STGE, PROD).
- Dynamically built URLs.
- Support for postMessage-based submission.
However, using the iframe directly also has downsides, such as:
- Cross-origin issues: it may fail if X-Frame-Options: DENY is set.
- postMessage functions like this.submit() won't work.
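The framing failure mentioned above can be diagnosed from a page's response headers. The following is an added example, not code from Keap or its JS Package: it decides whether a response may be rendered in an iframe on a given parent page, and it goes beyond the X-Frame-Options case in the text by also handling the CSP frame-ancestors directive, which browsers use in place of X-Frame-Options when both are sent. Function names and origins are assumptions made for the illustration.

```javascript
// Added example (not Keap's code). Header keys are assumed lower-cased.
// Simplifications: a single parent frame; frame-ancestors sources limited to
// '*', 'self', 'none', full origins and a leading "*." host wildcard.
const norm = (origin) => new URL(origin).origin;

function matchesSource(source, parent, framed) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parent === framed;
  const wild = /^(https?):\/\/\*\.([^/:]+)$/.exec(s);
  if (wild) {
    const p = new URL(parent);
    return p.protocol === wild[1] + ":" && p.hostname.endsWith("." + wild[2]);
  }
  // 'none' and unparseable sources never match.
  try { return norm(s) === parent; } catch { return false; }
}

function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function canBeFramed(headers, parentOrigin, framedOrigin) {
  const parent = norm(parentOrigin), framed = norm(framedOrigin);
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // frame-ancestors, when present, is used instead of X-Frame-Options.
    return sources.some((s) => matchesSource(s, parent, framed));
  }
  const xfo = [...new Set((headers["x-frame-options"] || "")
    .split(",").map((v) => v.trim().toLowerCase()).filter(Boolean))];
  const known = ["deny", "sameorigin", "allowall"];
  // Several distinct values that include a known one are treated as a block.
  if (xfo.length > 1) return !xfo.some((v) => known.includes(v));
  if (xfo[0] === "deny") return false;
  if (xfo[0] === "sameorigin") return parent === framed;
  return true; // header absent, or an obsolete value such as ALLOW-FROM
}
```

Feed it the headers from the framed URL's response and the origin of the page that hosts the iframe; a `false` result means the browser will refuse to render the frame there.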
Q - Do I need to create a 2 step checkout process for the order forms on my site?
A - As seen in the documentation, this code requires a contact ID in order to create a session key. This means that this API update does require a 2 step checkout process for an order form on a public facing webpage.
The reason for this change is enhanced security of the payment information.
Q - Does this JS Package allow me to update cards rather than create new cards?
A - This API update will create new cards but it will not update existing cards.
Q - Does this update validate the data entered into the payment as they are added?
A - This JS Package will render the payment component for the default processor in the Keap application. The component for each processor will validate the basic format of the characters entered (e.g. were the correct number of digits entered for the PAN, etc).
Q - Does the JS Package update determine if the cards being entered are valid cards?
A - This update does not determine whether or not the cards are valid. Card authorization is determined by the card networks and issuing banks during the transaction.
Q - Can I change the styling of the payment component that’s rendered on my site?
A - No, you’re unable to change the styling of the component at this time.
Q - Does this API update support my payment processor?
A - This API update supports all of Keap’s supported payment processors which include Keap Pay, Stripe, PayPal, Authorize.net and Eway.
Need an Extension?
If you need a short extension, please reach out to [email protected] no later than February 20th, 2025. Note that extensions are not guaranteed and will only be granted for a small group based on payment volume per vendor.