PCI Configuration for Non-Compliant Clients

If your organization is not PCI compliant, MassPay will automatically enable a configuration flag upon account setup. This flag ensures that whenever PCI-sensitive information must be collected via the Get User Attributes for destination_token endpoint, the data will be gathered through a secure iframe interface.

Example Attribute Response

[
  {
    "input_type": "text",
    "token": "attr_8bff08d2-16e8-11f0-9853-02a851951a6d",
    "label": "Debit Card Information",
    "validation": "https://dev.members.masspay.io/pci/<token>",
    "is_optional": false,
    "type": "IFramePaymentCollection",
    "expected_value": "Display validation url in an iFrame",
    "last_attr_value_used": false
  }
]

`validation` Field

The validation field provides a URL that can be embedded in your application via an iframe or a webview. You can customize the appearance and behavior of the iframe by appending optional query parameters.

Optional Query Parameters

Parameter	Description	Accepted Values
`background_color`	Page background color	HEX value (e.g., `FFFFFF`)
`button_background_color`	Background color for submit/cancel buttons (requires `show_button` or `show_cancel_button`)	HEX value
`button_text_color`	Text color for submit/cancel buttons (requires `show_button` or `show_cancel_button`)	HEX value
`input_background_color`	Background color of input fields	HEX value
`text_color`	Text color for page content	HEX value
`show_logo`	Display your configured logo	`true` or `false`
`show_button`	Display a submit button. If `false` or omitted, submission occurs on input `blur`	`true` or `false`
`show_cancel_button`	Display a cancel button	`true` or `false`
`return_url`	URL to redirect to after a successful submission	Full URL

PostMessage Events

The iframe will communicate back to the parent window using the postMessage API. Below are the possible event payloads:

1. Successful Submission

{
  "action": "submit",
  "attr_set_token": "attr_set_1d147a0e-3408-472c-926d-6f74e7e23532"
}

Use the attr_set_token when initiating a payout.

2. Validation Failure

{
  "action": "form_not_valid"
}

Indicates that one or more fields failed validation.

3. User Cancelled

{
  "action": "cancel"
}

Triggered when the user presses the cancel button.