The "Business cannot perform credit card transactions because transaction using pan is blocked" error indicates that you are performing tokenisation / authentication / charge requests via API call using a full card number and other sensitive card information while your business is not configured / authorized to do so.
- Please note that ONLY merchants with PCI DSS certification are allowed to submit card requests using a full card number and other sensitive card information.
- If your business does possess PCI DSS certification and you would like your Xendit account to be configured to send requests using the full card number and other sensitive card information, please send the request to our customer support team along with your PCI DSS AoC (Attestation of Compliance) for further verification. Once the document is successfully verified, we will configure your Xendit account accordingly.
- If you do not have PCI DSS certification, you can still use Xendit to accept card transactions. However, you need to perform tokenisation / authentication at the frontend level using our JavaScript (not via a backend API call). With this integration, the sensitive card information is visible only to the payer. The merchant cannot view or save the full card information, and can only see and save the token ID / payment token (after the tokenisation process). The integration flow is explained below:
- For Cards Direct API integration:
  - To integrate the tokenisation and authentication process, you need to use Xendit.js.
  - Once a token ID has been successfully created or authenticated, you can use the token ID for the charge request.
- For Payment API integration:
  - You need to use CARDS_SESSION_JS.
  - Make sure to choose the correct session type for your use case:
    - PAY > One-time payment. No card information will be saved.
    - PAY AND SAVE > One-time payment, but the card details will be saved / converted into a payment token ID which you can use for future charges.
    - SAVE > Use this if you only want to convert card details into a payment token that you can use for future charges (no payment attempt).
- Please note that these integrations have been thoughtfully designed to enhance the user experience while still complying with the PCI DSS regulations.
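
One way a merchant backend without PCI DSS certification could enforce the token-only rule described above, as an added example (not Xendit's code): it rejects any incoming charge payload that contains a Luhn-valid 13 to 19 digit value and requires a token ID. The field names `token_id`, `card.number` and `amount` are assumptions for illustration, not Xendit's API schema.

```javascript
// Added example: backend guard that refuses payloads carrying a raw card number.
// Field names (token_id, card.number, amount) are hypothetical, not Xendit's schema.

// Luhn checksum: true when the digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Find runs of 13-19 digits (spaces or dashes allowed between digits) that pass Luhn.
// Other long numeric IDs can occasionally pass Luhn too, so treat a hit as "reject and review".
function containsPan(text) {
  const candidates = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// Walk the payload and return the path of every value that looks like a PAN.
function findPanPaths(value, path = "$") {
  if (value === null || value === undefined) return [];
  if (typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findPanPaths(v, `${path}.${k}`));
  }
  return containsPan(value) ? [path] : [];
}

// Accept a charge request only if it has a token ID and no PAN-like value anywhere.
function checkChargePayload(payload) {
  const panPaths = findPanPaths(payload);
  if (panPaths.length > 0) return { ok: false, reason: "pan_in_payload", paths: panPaths };
  if (typeof payload.token_id !== "string" || payload.token_id === "") {
    return { ok: false, reason: "missing_token_id", paths: [] };
  }
  return { ok: true, reason: null, paths: [] };
}
```

Run the check before logging or persisting the request body, and log only the returned paths, never the offending values.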