Overview of Pace Software APIs
Thank you for your interest in Pace Software REST APIs.
Use this Pace Software REST API Reference to learn about the API endpoints and operations available for accessing, creating, or modifying resources.
The Pace Software REST API provides an interface for users to interact with Pace Software by sending and receiving data as JSON (JavaScript Object Notation) objects.
The Pace Software API is RESTful
Our API is designed with RESTful principles to foster seamless application development across a diverse range of platforms. Key features include:
- Resource-oriented URLs that simplify navigation and enhance predictability.
- Use of built-in HTTP capabilities for passing parameters for streamlined data exchange.
- Standard HTTP response codes to clearly indicate errors, which promotes efficient error handling and improved application stability.
- Support for sending and receiving data in JSON format, which ensures a lightweight data transfer and easy parsing while it maintains cross-platform compatibility and readability.
We designed and developed the Pace Software API from day one with audit criteria in mind to make sure we offer the maximum benefit and minimal overhead for partners that integrate with our APIs.
Our APIs help clients easily extend their payment options, building trust and brand loyalty with customers while easing the burden on their IT departments — ensuring smooth and secure integration.
Overview of Solution
The Pace Software Mobile Solution is a SaaS payment gateway that enables merchants to securely accept credit and debit card payments. The solution includes a virtual terminal accessible through a web browser, a mobile application for Android, and public APIs for integration with other systems. The back-end of the solution is based on the .NET framework, and the solution uses microservices architecture, this allows for high scalability and easy maintenance.
Public APIs: The public APIs enable merchants and third-party developers to integrate the payment gateway solution into their systems. The APIs use RESTful architecture and JSON data format. The APIs are also PCI-compliant and use the latest security protocols to ensure the security of sensitive customer information.
Security: The solution uses various security measures to ensure the security of sensitive customer information. The mobile application and public APIs are all PCI-compliant, and they use the latest security protocols, such as encryption and tokenization, to protect sensitive customer information. The solution also uses a key vault for the storage of encryption keys and an HSM, for the generation and storage of public/private encryption keys.
System Overview
This section sets the stage for a deeper dive into the system's design, implementation, and operation. It outlines the system's high-level architecture, the different components that make up the system, and how they interact with each other to deliver the desired functionality.
Backend APIs:
The backend APIs handle business logic and data management. The APIs are responsible for handling user authentication and authorization, payment processing, data encryption and decryption, logging, and error handling. They are built on the .NET framework and they communicate with the mobile app, the database, and the HSM.
Database:
The system uses a relational database to store user information, payment data, and transaction history.
Hardware Security Module (HSM):
The system uses a third-party, external HSM to store and manage the cryptographic keys used to encrypt and decrypt sensitive data. The HSM is a tamper-resistant device that is used to store cryptographic keys, and it is designed to protect the keys from unauthorized access, even in the event of a security breach.
Cloud Provider:
The system is cloud-hosted, which provides the necessary infrastructure and services for the system to run. This includes virtual machines, storage, and networking services. The cloud host also provides the Kubernetes cluster, which is used to orchestrate the deployment and scaling of the microservices. The Pace Software system is cloud agnostic.
Payment Processors:
Payment processors like Chase, Fiserv, or TSYS receive the transaction request from the backend API, process the transaction, and send the response to the user via the backend APIs and the mobile application.
Backend API Microservices
Several different microservices provide various API endpoints to the mobile application
Authentication service: The Login microservice provides API endpoints for user authentication and authorization. The API endpoints in this microservice allow users to log in to the system and verify their credentials, such as usernames and passwords. This microservice also provides endpoints for generating and managing access tokens for authorized users.
Transactions service: The Payments microservice provides API endpoints for handling payment requests and sending transaction requests to the payment processor. The API endpoints in this microservice allow clients to initiate transactions, view transaction history and check the status of payment requests.
User Profile Service: The User Profile microservice provides API endpoints for managing user profile data, such as email, phone, and company information. The API endpoints in this microservice allow users to update their personal information, view their transaction history, and view their account balance. Additionally, this microservice provides endpoints for managing user access and permissions.
Client service: The Client microservice provides API endpoints for managing merchant and miscellaneous accounts, such as bank or merchant accounts. The API endpoints in this microservice allow clients to create, update, and view their accounts. This microservice also provides endpoints for managing account access and permissions.
Cryptography service: The Cryptography microservice provides API endpoints for encrypting and decrypting API messages and for requesting new encryption keys from the HSM. The encryption and decryption endpoints in this microservice ensure that all communication between the various components of the system is secure. Additionally, the API endpoints in this microservice allow for the management of encryption keys, including the generation and rotation of new keys.
Report service: The Reports microservice provides API endpoints for generating transaction records and transaction reports. The API endpoints in this microservice allow clients to view transaction history, generate reports on transaction activity, and view account balance.
Together, these microservices provide a complete and robust set of API endpoints that support all the functionality of the system, and allow for the secure, reliable, and efficient exchange of data between the various components of the system.
Technical details
The following are some of the technical details of Pace Software APIs:
API Protocols: Pace Software's APIs use HTTPS as the primary protocol for communication. HTTPS is used to secure communication between the microservices and the clients, using SSL/TLS certificates to encrypt the data in transit. Additionally, the system uses an asyncronous messaging protocol for communication between microservices.
Data Formats: The system's APIs support JSON. JSON is used as the default format for data transfer between the microservices and the clients.
Security Measures: The system uses a modern firewall to secure the communication between the microservices and the PostgreSQL database. Additionally, it uses a key vault to encrypt the sensitive data in the database at rest, and Azure AD for the authentication and authorization of the microservices and the database.
Error Handling: The system includes a centralized error handling mechanism, which captures and logs all errors. The system also includes an error notification feature, which allows the system administrator to configure notifications to be sent to specific email addresses or mobile numbers when an error occurs.
API documentation: The system includes API documentation, which is generated using OpenAPI specification, providing all the information about the system's APIs, including their endpoints, request and response formats, and other details. The documentation can be accessed via the developer portal, which includes detailed information about the system's APIs, including examples of requests and responses.
Authentication
The system's APIs use API Key based authentication for secure communication between the microservices and the clients. The API Key is a unique identifier that is assigned to each client, and it is used to authenticate the client's identity and authorize access to the system's APIs.
The API Key is passed in the header of each request to the APIs, and it is verified by the system's authentication and authorization service before the request is processed. The system's authentication and authorization service uses the API Key to identify the client and to determine the level of access that the client has to the system's APIs.
API Key-based authentication is a simple and secure way to authenticate clients and authorize access to the system's APIs. It ensures that only authorized clients can access the system's resources, while also providing a high level of security for the system.
The system also supports role-based access control, which means that different clients can have different levels of access to the system's APIs based on their roles. This allows the system to provide a high level of security while still providing flexibility in terms of access to the system's resources.
API Technical Specifications
The following are some of Pace Software API technical specifications:
Endpoints:
The system's APIs consist of a set of endpoints that are organized by functionality. Each endpoint represents a specific functionality of the system, such as user authentication, payment processing, and data management. The endpoints are organized into logical groups, such as login, transactions, user profile, client, and reports.
Request and Response Formats:
The system's APIs support the JSON format for requests and responses. Each endpoint in the system's APIs has a specific request format and a specific response format. The request format includes information about the data that is required to be sent in the request, such as the API Key, the data payload, and any additional headers. The response format includes information about the data that is returned in the response, such as the status code, the data payload, and any additional headers.
API Error Handling:
The system's APIs include a centralized error handling mechanism that captures and logs all errors. The system's APIs return error messages in the response in case of any errors.
Pagination:
Some endpoints of the system's APIs support pagination, which allows clients to retrieve large sets of data by specifying the number of records to be returned in each request, and the starting point for the next set of records.
HTTP Methods:
The system's APIs support standard HTTP methods such as GET, POST, PUT, and DELETE for interacting with the system's resources.
Rate Limiting:
The system's APIs include rate-limiting mechanisms to prevent excessive usage and to ensure that the system's resources are not overburdened.
Caching: Some endpoints of the system's APIs support caching, which allows clients to retrieve data more efficiently by storing a copy of the data locally and using it instead of requesting the data from the server each time.
Filtering and Sorting: Some endpoints of the system's APIs support filtering and sorting, which allows clients to retrieve specific subsets of data by specifying filter criteria and sorting options.
Searching: Some endpoints of the system's APIs support searching, which allows clients to find specific records by specifying search criteria.
Client SDKs: The system provides SDKs (Software Development Kits) for different programming languages to interact with the system's APIs easily, this will help developers to integrate the system's APIs into their applications without having to implement the APIs from scratch.
Integration options
The following are current integration options with Pace Software Public APIs:
Direct Integration:
Pace Software APIs can be integrated directly into other systems using standard protocols such as HTTPS. This option allows for a direct and real-time connection between the systems, allowing for fast and efficient data transfer.
SDKs:
The system provides SDKs (Software Development Kits) for different programming languages, such as Java, Python, and .NET, that can be used to interact with the system's APIs easily. These SDKs provide a set of pre-built libraries that can be used to access the system's APIs, eliminating the need to implement the APIs from scratch.
API security
The following detail some of the more important security features of Pace Software APIs:
Encryption:
The system's APIs use HTTPS as the primary protocol for communication, which encrypts all data in transit using SSL/TLS certificates. Additionally, the system uses a key vault to encrypt the sensitive data at rest, such as payment card data, user credentials, and other sensitive information, using the Advanced Encryption Standard (AES) algorithm.
Authentication and Authorization:
The system's APIs use API Key-based authentication and role-based access control for secure communication between the microservices and the clients.
Tokenization:
The system's APIs use tokenization to protect sensitive data, such as payment card data, by replacing it with a unique token that cannot be used for fraudulent purposes. Tokenization helps to reduce the risk of data breaches and to comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.
Firewall:
The system uses a modern Firewall to secure the communication between the microservices and the PostgreSQL database, as well as between the microservices and the clients. The firewall rules are configured to allow only authorized traffic to access the system's resources.
Audit Logs:
The system's APIs include an audit logging mechanism that captures and logs all the transactions, requests, and responses to the system, this is critical for compliance with the MPoC requirements and troubleshooting. The audit logs are stored in a secure location and are accessible only to authorized personnel.