I've spent the last few weeks adding the ability to pay by credit or debit card to an application. Our customer has picked HSBC e-Secure Payments as their payment provider so I needed to integrate with their payment API. HSBC provide two mechanisms: an API so that you can capture payment information within your own site and maintain your own branding, or you can redirect to a HSBC site for payment and then they'll redirect the customer back to your own site again once payment is complete. We wanted to use the API since we want customers to remain within our application.
Firstly, HSBC do not provide a developer's site with documentation, code or even frequently asked questions, so I had a little difficulty getting started. All questions and requests must go to their call centre who, while they are quite helpful, are no substitute for comprehensive documentation. They will email you their specifications, but why not have them on a web site? This is the twenty-first century, after all. Secondly, the documentation that they do provide is lacking in a number of areas and incorrect in others (meaning that I have run up quite a phone bill calling their support number). Worst of all, HSBC do not provide a test or integration system.
I was shocked when I realised that I would have to do all my testing in a live environment, and remember that this is for financial transactions!
They do allow you to mark a transaction as "test", but that only allows you to test successful or declined payments. It doesn't allow you to test the other hundred or so error conditions that might occur. This set my alarm bells ringing: every other payment provider I've worked with has provided a comprehensive test system that lets you test all valid and error scenarios without the risk of performing a real financial transaction because your application has an error and hasn't properly set the "test" flag.
In addition, there is not even a test mode for 3D Secure processing; one can only perform live 3D Secure authentication with real payment cards! Of course I don't have a wide selection of cards from each card type and from different issuing banks in order to test with, so I can't test that our system successfully handles cards from banks that are participating in a 3D Secure scheme, or where a customer is not enrolled in their bank's 3D Secure system, or, more problematic, I can't test scenarios where HSBC encounters an error. There is no way to simulate that to ensure that my application handles it correctly.
The very worst problem with having no test environment is that I've had to know the live password for our customer's merchant accounts! Now I'm an honest person so perhaps that's not a problem, but we're talking about a password that gives access to real payment card transactions. With that password I can cancel or refund previous transactions; that's not the kind of authority that should be available to me, and wouldn't need to be if I were integrating with a test environment.
The final pain I've had to deal with is that HSBC's 3D Secure system does not have an API. So even though we're an API customer, we would have to redirect to a HSBC-branded page to handle 3D Secure authentication, which of course defeats the object of using the API for the rest of the payment handling. To solve this problem I've essentially had to web-scrape their HTML pages to extract the data required to host our own 3D Secure authentication page that embeds the card holder's issuing bank's authentication frame.
Overall, I feel like I've been working with both hands tied behind my back, where it wouldn't have taken HSBC much effort to provide a test environment to help their customers integrate with their system. How do I know it wouldn't be much effort? Well, because I've had to develop my own test system that allows me to demonstrate that our application correctly handles the error conditions that HSBC "say" their system could return to me. I say "say" since I've had to go from their specifications, which I've already found to be erroneous in a number of places! How much easier would it have been for HSBC to provide that?
In all we have successfully completed the integration, but it's been very painful. So I'm afraid to say that I can't recommend HSBC eSecure Payments.