This article covers Keap's™ updated Payments API integration configuration, including who needs to implement the update, how to upgrade, and technical FAQs for developers. Keap updated its payment configuration to integrate a new JavaScript package that changes how payment methods are stored, in alignment with PCI Security Standards for protecting sensitive customer payment information. This article does not cover how to use Keap's built-in payment features such as Invoices, Order Forms, and Shopping Carts — those features do not require this update.
Who Needs to Implement the Payments API Update
Developers
Developers who send payments to Keap using any of the following API endpoints or data tables are required to implement the updated JavaScript package to maintain PCI compliance:
REST API Endpoints
/v1/contacts/{contactId}/creditCards POST
XML-RPC Endpoints
InvoiceService.validateCreditCard
XML-RPC Data Table
CreditCard
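One way to find integrations that fall under this requirement is to audit outbound request records for the three paths listed above. This is an added example, not Keap's code: the record shape (source, method, url, body), the example.test host, the DataService.add sample call, and the assumption that the table name travels as an XML-RPC string parameter are all constructed for illustration.

```javascript
// Added example: find calls that create payment methods via the legacy paths.
// Record shape and sample data are constructed for illustration.
const REST_CARD_CREATE = /\/v1\/contacts\/[^/?#]+\/creditCards\/?(?:[?#]|$)/;

// Extract <methodName> and every <string> value from an XML-RPC request body.
function parseXmlRpc(body) {
  const text = typeof body === "string" ? body : "";
  const name = /<methodName>\s*([^<\s]+)\s*<\/methodName>/.exec(text);
  if (!name) return null;
  const strings = [...text.matchAll(/<string>([^<]*)<\/string>/g)].map((m) => m[1].trim());
  return { methodName: name[1], strings };
}

// Return a reason string when the request uses a listed path, otherwise null.
function classifyRequest(req) {
  const method = String(req.method || "").toUpperCase();
  if (method === "POST" && REST_CARD_CREATE.test(req.url || "")) {
    return "REST /v1/contacts/{contactId}/creditCards POST";
  }
  const rpc = parseXmlRpc(req.body);
  if (!rpc) return null;
  if (rpc.methodName === "InvoiceService.validateCreditCard") {
    return "XML-RPC InvoiceService.validateCreditCard";
  }
  // Assumption: the data table name is sent as a <string> parameter.
  // Reads are flagged too, so confirm each hit actually creates a card.
  if (rpc.strings.includes("CreditCard")) {
    return "XML-RPC CreditCard table via " + rpc.methodName;
  }
  return null;
}

function auditRequests(records) {
  return records
    .map((req) => ({ source: req.source, reason: classifyRequest(req) }))
    .filter((finding) => finding.reason !== null);
}

const xml = (name, args) => "<methodCall><methodName>" + name + "</methodName><params>" +
  args.map((a) => "<param><value><string>" + a + "</string></value></param>").join("") +
  "</params></methodCall>";
const BASE = "https://api.example.test"; // constructed host
const SAMPLE_REQUESTS = [
  { source: "checkout.js", method: "POST", url: BASE + "/crm/rest/v1/contacts/42/creditCards", body: "{}" },
  { source: "profile.js", method: "GET", url: BASE + "/crm/rest/v1/contacts/42/creditCards" },
  { source: "legacy.php", method: "POST", url: BASE + "/api/xmlrpc", body: xml("InvoiceService.validateCreditCard", ["KEY"]) },
  { source: "sync.py", method: "POST", url: BASE + "/api/xmlrpc", body: xml("DataService.add", ["KEY", "CreditCard"]) },
  { source: "contacts.js", method: "POST", url: BASE + "/crm/rest/v1/contacts", body: "{}" },
];
console.log(auditRequests(SAMPLE_REQUESTS));
```

The GET against the same REST path is not flagged, which matches the article's statement that retrieving existing cards is unaffected.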
Keap Customers
This update is required only for customers who capture payment information through a non-Keap form and send it to Keap to process. There are two ways customers typically accept payments through Keap:
Through Keap built-in features — Invoices, Order Forms, and Shopping Carts. No update required.
Through external services — Any external platform or application that captures payment information and sends it to Keap for processing. Update required.
How to Implement the Updated JavaScript Package
For Developers
Developers using the API endpoints listed above must implement the updated JavaScript package to maintain PCI compliance. The new JavaScript package allows use of Keap's hosted secure payment component. Once implemented, no further updates are needed even if the payment processor changes. The package will also support additional payment methods as they are released.
For Keap Customers Using External Services
Customers who capture payment information through an external platform or application should contact the third-party developer of that platform and provide them with the JavaScript package documentation so they can implement the update. Once implemented, no further action is needed for future payment processor changes.
Frequently Asked Questions — General
What does this article cover?
This article covers Keap's updated Payments API integration configuration, including who needs to implement the update, how to implement it, and technical FAQs for developers. For help with Keap's built-in payment features, see how to manage payments in Keap Pay.
Why is this update important beyond PCI compliance?
The new JavaScript package introduces Keap's hosted payment component, which supports tokenized payment methods. As Keap transitions to tokenized payment storage, the new JavaScript package ensures that payment capture through API connections remains compatible. The package also enables support for additional payment methods including Apple Pay, Google Pay, and ACH bank transfers. For more information about tokenized payment methods, see tokenized payment methods in Keap Pay.
Is this update only for Keap Pay customers?
No. This update applies to any customer or developer who captures payment information through an API connection and sends it to Keap for processing, regardless of which payment processor is used.
What additional payment methods will the new JavaScript package support?
The new JavaScript package introduces Keap's hosted payment component, which is designed to support new payment capture methods currently in development including Apple Pay, Google Pay, and ACH bank transfers.
Does this update apply to accounts using Authorize.net?
It depends on where customers enter their payment information. The update applies only when customers enter credit card details in a non-Keap form to process a Keap payment. Examples include a membership site with an order form built into the site, or a booking application that includes a payment form during sign-up. If all payment capture happens through Keap's built-in features, no update is required.
Frequently Asked Questions — Technical
Can payments be collected without using an embedded webpage?
No. The current implementation requires payments to be collected through an embedded webpage. There is no support for collecting payments outside of an embedded webpage at this time.
Will credit cards continue to be stored persistently?
For Keap Pay, credit cards are not stored persistently — they are tokenized. For other supported processors, credit cards are currently still stored persistently, but this will change as Keap completes its transition to tokenized payment methods.
Can existing stored credit cards still be used to process payments?
Yes. This update only affects the creation of new payment methods. APIs that process payments with existing stored credit cards continue to operate as usual. Existing cards on file can still be retrieved and used for payment processing.
Can the iframe be used directly instead of the JavaScript package?
Using the JavaScript package is the recommended approach. The package provides the following functionality that an iframe alone does not:
Automatic detection of the correct environment (Integration, Staging, or Production)
Dynamic URL building
Support for postMessage-based form submission
Using an iframe directly is simpler and works in platforms that do not support custom components, such as WordPress, Shopify, or Wix. However, the direct iframe approach has limitations: cross-origin issues arise if X-Frame-Options: DENY is set, and postMessage functions such as this.submit() will not work.
Does this update require a two-step checkout process for order forms?
Yes. The JavaScript package requires a contact ID to create a session key. This means that order forms on public-facing webpages that use this API integration require a two-step checkout process. This requirement exists to enhance the security of payment information.
Can the JavaScript package be used to update existing cards rather than create new ones?
No. The JavaScript package creates new payment methods only. Updating existing stored cards is not supported through this package.
Does the JavaScript package validate payment data as it is entered?
The JavaScript package renders the payment component for the default processor configured in the Keap application. Each processor's component validates the basic format of the data entered, for example whether the correct number of digits was entered for the card number. Full card authorization is determined by the card networks and issuing banks during the transaction, not by the JavaScript package.
Can the styling of the payment component be customized?
No. The styling of the rendered payment component cannot be customized at this time.
Which payment processors does this API update support?
The updated JavaScript package supports all Keap-supported payment processors — Keap Pay, Stripe, PayPal, Authorize.net, and eWay.