Why Canadian Payment Integration Is a Bit Different
The fundamentals are the same as anywhere: capture card details securely, send a charge request, handle success and failure states. But Canada adds three layers of complexity that don't exist or matter less for US-only integrations.
Interac debit is a distinctly Canadian payment network, and it's not a single thing. "Interac debit" in a retail context (the card you tap at a terminal) is completely different from "Interac Online" (a bank-redirect flow for ecommerce). If your product handles both in-person and online payments, you need to handle these as separate flows with different processor support.
CAD settlement timing affects cash flow planning. Most gateways settle in T+2 business days for CAD accounts, but the actual cut-off time, banking partner, and any holds for new accounts vary. A checkout-to-cash timeline that works fine in USD can behave differently in CAD.
Provincial tax is the most frequently overlooked issue in Canadian SaaS and subscription integrations. HST applies in Ontario, New Brunswick, Nova Scotia, PEI, and Newfoundland. GST applies everywhere else. Quebec charges QST separately. Payment gateways do not handle tax calculation — that's your responsibility or a dedicated tax tool's job.
Stripe Canada: Best Developer Experience
Stripe is the default choice for developers building new Canadian payment integrations. Their REST API is the industry benchmark for design quality: consistent naming conventions, predictable error codes, idempotency key support built in, and documentation that's genuinely useful rather than just technically complete.
The core Stripe workflow for a Canadian integration:
- Use Stripe.js or Stripe Elements in your frontend to collect card data. This moves card numbers off your server and reduces your PCI scope to SAQ A — the simplest level.
- Create a PaymentIntent from your server using the Stripe SDK for your language (Node, Python, PHP, Ruby, Go, Java, .NET are all first-party supported).
- Confirm the PaymentIntent client-side to handle 3DS2 authentication when required.
- Handle webhooks for asynchronous events — payment_intent.succeeded, payment_intent.payment_failed, charge.dispute.created.
CAD settlement with Stripe is T+2 for most Canadian bank accounts. New Stripe accounts often face a 7-day rolling payout hold during the first few weeks — budget for this in cash flow projections. Once established, standard T+2 applies.
Interac debit online is not natively supported through Stripe's charge API. In-person Interac debit works through Stripe Terminal (physical readers only — Tap to Pay does not support Interac debit). If your product needs Interac Online as a checkout option, Stripe is not the right fit — look at Moneris or a dedicated Interac Online integration.
Moneris API: Canadian-First, Interac Debit Support
Moneris is the only major processor with native Interac debit support across both in-person and online contexts. If Interac Online as a checkout option is a requirement for your product, Moneris is the starting point.
The Moneris API comes in two main flavours. The legacy XML-based API is still supported and widely used in existing integrations. The newer Moneris Checkout (hosted payment page approach) is simpler to implement and reduces PCI scope to SAQ A — you redirect to or embed Moneris's hosted checkout, and card data never touches your servers.
The direct API integration (where you collect card data and call the Moneris API yourself) requires full SAQ D PCI compliance — the most demanding assessment level. Most new integrations should use Moneris Checkout unless there's a specific business reason to handle card data directly.
Moneris's developer experience is functional but dated compared to Stripe. The documentation covers standard cases well but has gaps in edge cases and webhook behaviour. Error handling requires more defensive coding — responses aren't as consistently structured as Stripe's. Expect to spend more integration time than Stripe, especially for anything beyond basic charge/refund flows.
The upside: Moneris is a Canadian bank-owned processor (BMO + RBC joint venture), which matters for certain merchants who need a Canadian financial institution relationship, and for Interac Online support that no US-based processor matches.
Braintree/PayPal Canada: Mature API, Limited Interac Story
Braintree (owned by PayPal) offers a mature REST API with a GraphQL option for newer integrations. It's a solid choice for merchants who need to accept both PayPal and credit cards through a single integration — particularly useful for B2C ecommerce where PayPal checkout conversion matters.
Braintree supports both CAD and USD accounts, which is useful if you're selling to both Canadian and American customers and want settlement in both currencies. The client-side SDK (Drop-in UI or custom fields) handles PCI scope reduction similarly to Stripe Elements.
The Interac story is weak. Braintree doesn't support Interac Online and has limited in-person Interac debit support compared to Moneris. For products where Interac is a core payment method, Braintree is not the right choice.
Braintree's documentation quality sits between Stripe and Moneris — better than Moneris's XML era, not as refined as Stripe's current docs. The GraphQL API is genuinely useful for complex integrations where you want to batch operations or query transaction state efficiently.
Helcim API: Newer, CAD-Native, Good for Subscriptions
Helcim's REST API is newer and simpler than Moneris's. It's a Canadian company with CAD-native settlement, transparent interchange-plus pricing, and decent documentation for standard use cases. The API covers charges, refunds, customers, subscriptions, and invoices.
Helcim is a good fit for developers building subscription or recurring billing products for Canadian businesses where Stripe Billing's added cost doesn't make sense, and where Moneris's complexity isn't needed. The API handles recurring charges, customer vaulting, and payment method updates without requiring a separate billing layer.
The weakness is ecosystem depth. Stripe has client libraries maintained by their engineering team in every major language. Helcim's SDK support is thinner — for languages outside the supported list, you're writing raw HTTP calls against the REST API, which is straightforward but adds integration time.
PCI Scope: The Decision That Shapes Your Architecture
PCI DSS compliance scope is the single most important architectural decision in a payment integration. Getting it wrong doesn't just create compliance risk — it shapes how much ongoing security work your engineering team carries.
SAQ A is the simplest level and applies when card data never touches your servers. You achieve this by using hosted fields (Stripe Elements, Moneris Checkout hosted page, Braintree Drop-in UI). Your frontend loads a JavaScript widget from the processor, the customer enters card details into that widget (which runs in a separate iframe under the processor's domain), and your server only receives a token. SAQ A requires a relatively short self-assessment questionnaire annually.
SAQ D is the full PCI audit and applies if you collect, transmit, or store raw card data. This is an extensive assessment — hundreds of requirements covering network architecture, access controls, logging, key management, and more. Very few development teams want to be here unless there's a specific reason.
The practical advice: use hosted fields unless there's a compelling reason not to. The UX trade-off is minimal. The compliance difference is substantial.
Webhook Idempotency: Handle This Correctly
Webhooks are where most payment integration bugs live. The core issue: webhooks can be delivered more than once. A network timeout between your endpoint and the processor's delivery system means the processor will retry — often with the same event. If your webhook handler isn't idempotent, you can process a successful payment twice, issue duplicate refunds, or double-count revenue in your database.
The correct pattern: before processing any webhook, check if you've already handled an event with the same event ID. Store processed event IDs in your database with a unique constraint. If the ID already exists, return HTTP 200 immediately without processing. This prevents duplicate processing regardless of how many times the processor retries.
Stripe makes this easier with their event IDs (evt_xxxx format). Moneris's event format is less consistent — some legacy endpoints use order IDs rather than unique event IDs, which requires additional deduplication logic on your side.
3DS2 (3D Secure) for Card-Not-Present
3DS2 is the authentication layer for card-not-present transactions that shifts liability for fraudulent chargebacks from merchant to issuer when the cardholder successfully authenticates. In Canada, 3DS2 is not legally mandated the way it is in the European Union, but it's increasingly enabled by major card issuers.
Stripe handles 3DS2 automatically within the PaymentIntent flow — when an issuer requires authentication, the PaymentIntent status moves to requires_action, and your frontend handles the challenge via Stripe.js. No extra code required beyond handling the requires_action state.
Moneris Checkout handles 3DS2 on the hosted page. Direct API integrations require a separate 3DS2 implementation, which adds considerable complexity. This is another argument for using Moneris Checkout over direct API integration unless you have a specific reason to handle card data directly.
Sandbox Testing with Canadian Test Cards
All major processors provide sandbox environments for testing. The Canadian-specific consideration is making sure your sandbox testing uses CAD-denominated test cards — some processors have separate test card ranges for different currencies and regions.
Stripe's test card documentation includes CAD-specific details. Visa test card 4242 4242 4242 4242 works in CAD. For 3DS2 testing, Stripe provides specific cards that trigger authentication challenges (4000 0027 6000 3184 for authentication required). Testing declined states (4000 0000 0000 0002) is equally important.
Moneris provides a separate sandbox environment (esqa.moneris.com vs. www3.moneris.com for production). Their sandbox test credentials are available through their developer portal. Test Interac debit transactions require specific sandbox configuration that isn't always obvious from the main documentation — their developer support can help if you're stuck.
Interac Online vs. Interac Debit: Different Products
This confusion trips up developers repeatedly. They're worth clarifying explicitly.
Interac Debit is the card network used for in-person debit transactions — what Canadians use at terminals when they tap or insert their debit card and enter a PIN. It runs on Interac's own network (not Visa or Mastercard). In-person Interac debit processing requires hardware terminal support and a processor that has a direct Interac acquiring relationship (Moneris, Global Payments, and some others — not Stripe directly).
Interac Online is a completely different product: a bank-redirect flow for ecommerce, where the customer is redirected to their bank's online banking portal to authorize the payment directly from their bank account. It's similar conceptually to iDEAL in the Netherlands or SOFORT in Germany. It doesn't involve a card at all. Moneris supports Interac Online; Stripe does not.
If a client asks you to "support Interac," ask which one. The answer shapes which processor you need and how the checkout flow is architected.
Canadian Tax Handling: Not the Gateway's Job
Payment gateways process payment. They do not calculate tax. The invoice amount you pass to the gateway is what gets charged — if you pass $100 and the tax should be $13, the gateway charges $100 unless you've calculated and included the tax in your amount.
For Canadian SaaS and subscription businesses, HST/GST/QST calculation is your responsibility. The correct approach depends on your business:
- Simple products, few provinces: Manual rate tables per province, applied at checkout based on customer billing address.
- Multi-province SaaS with high volume: Avalara AvaTax or TaxJar for automatic rate calculation and remittance reporting. These integrate with most major gateways via their billing platforms.
- Digital services sold internationally: Consider Paddle, which acts as the merchant of record and handles Canadian provincial tax compliance entirely — at the cost of higher transaction fees.
Tax is a legal requirement, not a nice-to-have. Get it right before you scale.
Choosing the Right Gateway for Your Integration
| Requirement | Best Choice |
|---|---|
| Best developer experience, complex integrations | Stripe |
| Interac Online support (bank-redirect checkout) | Moneris |
| Interac debit in-person | Moneris, Helcim (terminal) |
| PayPal + cards in single integration | Braintree |
| Canadian subscriptions, transparent pricing | Helcim, Stripe Billing |
| International multi-currency | Stripe |
| Canadian tax compliance offloaded | Paddle (merchant of record) |
| Simplest PCI scope (SAQ A) | Stripe Elements, Moneris Checkout, Braintree Drop-in |
For most Canadian developers building a new product without a specific Interac Online requirement, Stripe is the right starting point. If Interac Online becomes a requirement, a Moneris integration alongside Stripe is manageable — many products use Stripe as primary and Moneris for the Interac-specific flow.
- Stripe Canada full review — rates, features, developer tools
- Moneris review — Canadian-first processing with Interac support
- Interac Online in Canada — how it works for ecommerce
- PCI compliance guide for Canadian businesses
- Recurring billing for Canadian subscription businesses
- Best payment gateways in Canada — full comparison