QuickBooks Payment API

Today I learned how the QuickBooks Payment API system works from the standpoint of the C# QuickBooks API client. The architecture or pattern used to process credit cards is known as tokenization. I've used tokenization for years in authentication flows, but never thought about how it could be applied to credit card processing. Today was my first time experiencing the concept in a payment gateway.

Tokenization is a security method used to protect sensitive data (in my case today, credit card information) by replacing it with a unique identifier (the token) that can be used as a reference for processing transactions without exposing the original data. Unlike an OAuth access token, the QuickBooks token is not a JWT and therefore doesn't contain any data that could be read.

When a webpage submits credit card information to QuickBooks, QuickBooks securely stores the account details and returns a token. This token serves as a reference to the stored card information within QuickBooks. When you need to process a transaction from your app, you use the generated token instead of the actual credit card details. QuickBooks then uses this token to charge the card for the amount specified in your request. This approach enhances security by ensuring that sensitive card information is never exposed to, or stored insecurely on, your own systems.

Here's the process overview:

  1. Posting Credit Card Information to QuickBooks:
    • You securely collect the credit card details from the customer using a form on your website or application.
    • You send this credit card information to the QuickBooks Payments API via the /tokens endpoint.
    • This step is done over HTTPS to ensure the data is encrypted during transmission.
  2. QuickBooks Generates a Payment Token:
    • QuickBooks receives the credit card information, validates it, and securely stores it on their servers.
    • QuickBooks then generates a payment token (a unique identifier) that represents the stored credit card information.
    • This payment token is returned to you in the API response.
  3. Using the Payment Token to Process Transactions:
    • You store this payment token in your system instead of the actual credit card information, which helps you stay compliant with PCI DSS standards.
    • When you need to charge the customer's card, you use this token in a transaction request to the QuickBooks Payments API.
    • You send a POST request to the /charges endpoint; the token and the transaction details (amount, currency, etc.) are posted as part of the request body.
  4. QuickBooks Processes the Payment:
    • QuickBooks uses the token to look up the stored credit card information.
    • QuickBooks processes the payment by charging the card for the specified amount.
    • The result of the transaction (e.g., success, failure, amount charged) is returned in the API response.
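The four steps above, worked through end to end as an added, offline simulation (this is not code from the post, from QuickBooks, or from the C# client). The in-memory `GatewayVault` stands in for the gateway side of the /tokens and /charges endpoints named above; the request and response field names, the Luhn pre-check, and the `MerchantApp` class are assumptions made for the illustration, not the real QuickBooks Payments API schema. The point it demonstrates is the security property of step 3: the merchant side persists only an opaque random token plus the last four digits, never the card number or CVC, and a charge request carries nothing but that token.

```python
"""Offline simulation of the tokenize-then-charge flow.

Added illustration, not QuickBooks' code or the C# client's API. The
gateway is an in-memory vault; endpoint names follow the post (/tokens,
/charges), but the request/response shapes are assumptions.
"""
import secrets
from dataclasses import dataclass, field, replace


@dataclass
class CardDetails:
    number: str      # primary account number (PAN)
    exp_month: int
    exp_year: int
    cvc: str         # used for the initial verification only, never persisted

    def last4(self) -> str:
        return self.number[-4:]


def luhn_ok(number: str) -> bool:
    """Luhn check digit validation; a cheap sanity check before tokenizing."""
    digits = [int(d) for d in number if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class GatewayVault:
    """Stands in for the gateway side (steps 2 and 4 of the overview)."""
    _cards: dict = field(default_factory=dict)   # token -> stored card record

    def post_tokens(self, card: CardDetails) -> dict:
        """Simulated POST /tokens: validate, store, and return an opaque token."""
        if not luhn_ok(card.number):
            return {"error": "invalid_card"}
        # The token is random and carries no card data; it is only a vault key.
        token = secrets.token_urlsafe(24)
        # Persist PAN and expiry only; the CVC is dropped after verification
        # (PCI DSS forbids storing it once the transaction is authorized).
        self._cards[token] = replace(card, cvc="")
        return {"token": token, "last4": card.last4()}

    def post_charges(self, token: str, amount_cents: int, currency: str) -> dict:
        """Simulated POST /charges: look the card up by token and charge it."""
        card = self._cards.get(token)
        if card is None:
            return {"status": "DECLINED", "reason": "unknown_token"}
        if amount_cents <= 0:
            return {"status": "DECLINED", "reason": "invalid_amount"}
        return {"status": "CAPTURED", "amount": amount_cents,
                "currency": currency, "last4": card.last4()}


@dataclass
class MerchantApp:
    """Your side of the flow (steps 1 and 3): holds tokens, never PANs."""
    gateway: GatewayVault
    customers: dict = field(default_factory=dict)   # customer_id -> token record

    def save_card(self, customer_id: str, card: CardDetails) -> str:
        resp = self.gateway.post_tokens(card)
        if "error" in resp:
            raise ValueError(resp["error"])
        # Only the token and a display hint are stored on the merchant side.
        self.customers[customer_id] = {"token": resp["token"], "last4": resp["last4"]}
        return resp["token"]

    def charge(self, customer_id: str, amount_cents: int, currency: str = "USD") -> dict:
        rec = self.customers[customer_id]
        return self.gateway.post_charges(rec["token"], amount_cents, currency)


def merchant_store_contains_pan(app: MerchantApp, pan: str) -> bool:
    """Audit helper: does the merchant's persisted data leak the full PAN?"""
    return pan in repr(app.customers)


if __name__ == "__main__":
    # Constructed sample card (a well-known test number, not a real account).
    card = CardDetails("4242424242424242", 12, 2030, "123")
    app = MerchantApp(GatewayVault())
    token = app.save_card("cust-1", card)
    print("token:", token, "| PAN on merchant side:", merchant_store_contains_pan(app, card.number))
    print("charge:", app.charge("cust-1", 1999))
```

The audit helper is the check worth keeping around in a real integration: if a log line, database row or serialized customer record ever contains the full PAN, the tokenization boundary has been crossed and the merchant system is back in PCI scope.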

It's such a simple and neat payment flow. I can't believe this is my first time really experiencing this.