CardPointe Gateway Credentials

Note: CardPointe is owned by Fiserv, but is a different product than Fiserv Commerce Hub. We are using CardPointe Gateway, not Commerce Hub.

UAT/Sandbox Environment (ACTIVE)

Environment: UAT (User Acceptance Testing) Host URL: https://fts-uat.cardconnect.com Status: ✅ Active and working

API Credentials

CARDPOINTE_API_URL=https://fts-uat.cardconnect.com
CARDPOINTE_MERCHANT_ID=490000000069
CARDPOINTE_API_USERNAME=testing
CARDPOINTE_API_PASSWORD=testing123

Merchant Details

Merchant Name: UAT Test Merchant
MID: 490000000069
Processor: RPCT (First Data Rapid Connect emulator)
Platform: CARDPOINTE

Enabled Features

Card Networks: Visa, MasterCard, Amex, Discover
Security: CardPointe HIT (Hosted iFrame Tokenizer) - SAQ-A PCI compliant
Transaction Types: Auth, Capture, Refund, Void
Stored Credentials: Card-on-file (COF) support for recurring payments
Amount-Driven Responses: Test specific response codes in UAT

CardPointe HIT (Hosted iFrame Tokenizer)

Iframe URL (UAT): https://fts-uat.cardconnect.com/itoke/ajax-tokenizer.html

Parameters:

useexpiry=true - Capture expiration date
usecvv=true - Capture CVV
tokenizewheninactive=true - Auto-tokenize
inactivityto=2000 - Tokenize after 2 seconds of inactivity
enhancedresponse=true - Return additional data
formatinput=true - Format card number with spaces

Returns via postMessage:

token - Tokenized card number (e.g., 9418594164541111)
expiry - Expiration in variable format (MMYY, MMYYY, or MMYYYY)

Test Cards (CardPointe UAT)

Standard test cards for CardPointe UAT environment:

Card Brand	Card Number	Expected Result
Visa	4111111111111111	Approval
Visa	4387751111111012	Approval (for testing association codes)
Amex	371449635398431	Approval
Mastercard	5442981111111064	Approval

CVV: Any 3 digits for Visa/MC (4 for Amex, e.g., 1234) Expiry: Any future date (MM/YY format, e.g., 12/25) ZIP: Any 5 digits

Amount-Driven Response Codes

CardPointe UAT supports amount-driven responses for testing specific scenarios:

Amount	Response
$9.32	Approval (respcode: 000)
$1,100.35	Decline - "Do not honor" (respcode: 100)

How it works: Use amounts in the $1,000-$1,999 range where the last 3 digits (with leading 0 for 2-digit codes) specify the desired response code.

Example: $1,116.95 → respcode 116 ("Not sufficient funds")

API Endpoints

Authorization (Auth)

POST /cardconnect/rest/auth

Authentication: Basic Auth (username:password)

Request:

{
  "merchid": "490000000069",
  "account": "9418594164541111",
  "expiry": "1225",
  "amount": "10.00",
  "currency": "USD",
  "orderid": "ORD123",
  "capture": "Y",
  "cof": "C",
  "cofscheduled": "N"
}

Response:

{
  "respstat": "A",
  "retref": "279971160962",
  "amount": "10.00",
  "respcode": "000",
  "resptext": "Approval",
  "token": "9418594164541111",
  "authcode": "PPS123"
}

Capture

POST /cardconnect/rest/capture

Refund

POST /cardconnect/rest/refund

Void

POST /cardconnect/rest/void

Stored Credential Framework Parameters

CardPointe supports Visa/Mastercard Stored Credential Framework:

cof (Card-on-File):

C - Customer-Initiated Transaction (customer is present)
M - Merchant-Initiated Transaction (automated/recurring)

cofscheduled:

Y - Scheduled/recurring payment
N - One-time payment

Examples:

# Customer making a one-time payment
{ cof: "C", cofscheduled: "N" }

# Customer enrolling in subscription
{ cof: "C", cofscheduled: "Y" }

# Automated subscription charge
{ cof: "M", cofscheduled: "Y" }

# Merchant-initiated split shipment charge
{ cof: "M", cofscheduled: "N" }

Production Environment (PENDING APPROVAL)

Status: 🚧 Awaiting production credentials from Fiserv

Host URL: https://fts.cardconnect.com (Production)

Production Checklist

Before going live:

[ ] Receive production credentials from Fiserv
[ ] Update environment variables in production .env
[ ] Update iframe URL from UAT to production
[ ] Test with real cards (small amounts)
[ ] Verify Stored Credential Framework parameters work
[ ] Complete PCI SAQ-A attestation
[ ] Test capture, refund, and void flows
[ ] Monitor first 100 transactions closely

Production Environment Variables

# CardPointe Production
CARDPOINTE_API_URL=https://fts.cardconnect.com
CARDPOINTE_MERCHANT_ID=<production_merchant_id>
CARDPOINTE_API_USERNAME=<production_username>
CARDPOINTE_API_PASSWORD=<production_password>

# Payment Processor Selection
DEFAULT_PAYMENT_PROCESSOR=fiserv

Production Iframe URL

// Update in app/views/app/quotes/payment.html.erb
iframe.src = 'https://fts.cardconnect.com/itoke/ajax-tokenizer.html'

Fiserv Validation Testing Results

Status: ✅ COMPLETED (2025-10-06)

All required validation scenarios tested and retrefs generated:

Card Not Present Scenarios

Scenario	Amount	Card	Retref	Status
Visa Approval	$9.32	4111111111111111	279319061767	✅ Approved
Visa Decline	$1,100.35	4111111111111111	279330061781	✅ Declined
Amex Approval	$9.32	371449635398431	279347061815	✅ Approved
Amex Decline	$1,100.35	371449635398431	279326161827	✅ Declined

Customer-Initiated Transactions

Scenario	Amount	Retref	cof	cofscheduled
Token storage w/ transaction	$55.25	279389161947	C	N
Token storage, no transaction	$0.00	279510761959	C	N
Stored token usage	$100.25	279432061972	C	N

Merchant-Initiated Transactions

Scenario	Amount	Retref	cof	cofscheduled
Token storage for recurring	$40.25	279461162062	M	Y
Stored token recurring	$26.50	279583762074	M	Y
Stored token one-time	$150.00	279499062084	M	N

Security Notes

⚠️ IMPORTANT:

These UAT credentials are for TESTING ONLY
NEVER commit production credentials to git
Production credentials must be stored in .env (already in .gitignore)
CardPointe uses Basic Auth (username:password encoded in Base64)
Always use HTTPS for all API requests
Tokens are specific to merchant ID - don't share across environments

Integration Endpoints (UAT)

Base URL: https://fts-uat.cardconnect.com

Available Endpoints

/cardconnect/rest/auth - Authorization
/cardconnect/rest/capture - Capture
/cardconnect/rest/refund - Refund
/cardconnect/rest/void - Void
/cardconnect/rest/inquire - Transaction inquiry
/cardconnect/rest/profile - Profile management (optional)

Authentication

All requests use Basic Auth:

auth = Base64.strict_encode64("#{username}:#{password}")
headers = {
  "Authorization" => "Basic #{auth}",
  "Content-Type" => "application/json"
}

Support Resources

CardPointe Documentation:

Developer Portal: https://developer.cardpointe.com/
API Reference: https://developer.cardpointe.com/cardconnect-api
HIT Guide: https://developer.cardpointe.com/hosted-iframe-tokenizer
UAT Test Data: https://developer.cardpointe.com/guides/uattest-card-data

Fiserv Support:

Email: quarryrents@fiserv.com (if assigned account manager)
Portal: https://developer.fiserv.com/ (requires login)
Phone: Contact your Fiserv account representative

Status Page:

Check CardPointe service status at https://status.cardconnect.com/

Differences from Fiserv Commerce Hub

Feature	CardPointe Gateway	Fiserv Commerce Hub
Product	CardPointe	Commerce Hub
API Style	RESTful (simple)	RESTful (complex)
Authentication	Basic Auth	HMAC signatures
Tokenization	HIT iframe	Hosted Fields
Base URL	fts.cardconnect.com	fiservapis.com
Endpoints	/cardconnect/rest/*	/ch/payments/v1/*
PCI Compliance	SAQ-A	SAQ-A
Ownership	Fiserv	Fiserv

Note: We originally planned to use Commerce Hub but implemented CardPointe Gateway instead due to simpler integration and equivalent PCI compliance.

Last Updated: 2025-10-06 Environment: UAT (Testing) Production Status: Pending Approval