Canada (PAD) custom payment pages

The following is a guide to building custom payment pages for merchants using GoCardless Advanced or GoCardless Pro, and for partners, using the add-on feature Custom checkout experience and payer notifications.

Payers in Canada need to complete a Pre-Authorized Debit Agreement to authorise merchants to take payments from them via PAD, the local Direct Debit scheme.

Customers using GoCardless Advanced or GoCardless Pro, have the option to use GoCardless’ own payment pages, or to build their own custom payment pages by using our Custom checkout experience and payer notifications add-on feature. Please note there is an additional “add-on” monthly fee called Custom checkout experience and payer notifications.

Partners can opt to build and use custom payment pages as well. This will enable merchants who are using GoCardless through their app to offer their customers (payers) a consistent branding experience.

Please note: Before building custom payment pages, you should be aware that there are compliance requirements for the content and formatting of these pages. Once ready, custom payment pages have to receive a sign off by GoCardless, and you could be asked to remove or amend any part of the signed off pages at any time if notified to do so.

Please note: For HTTPS hosted payment pages, to ensure payers’ details are safely transmitted, your website must be configured to only accept secure (SSL - minimum of SHA-256 SSL support TLS.1 or TLS1.2) connections.

Authorization types

GoCardless allows you to build custom payment pages to suit your business model and needs. The type of PAD Agreement you choose to set up will impact the requirements of your payment pages. We call the different types of PAD Agreements “authorization types”.

Open Pre-Authorized Debit Agreement
One-time Pre-Authorized Debit Agreement
Recurring Pre-Authorized Debit Agreement
Sporadic Pre-Authorized Debit Agreement

We strongly recommend that, within the same Billing Request, you combine your:

One-time and Sporadic PAD Agreements with a payment request
Recurring PAD Agreement with a subscription or instalment schedule request

However, if you want to set up an Open PAD Agreement, or set up your payments at a later date, it is your responsibility to make sure your payer is aware of the amount, and number and/or frequency of any debits (i.e. those outlined in step 2 of this guide) in advance of the payment, as required by Payments Canada Rule H1, so they know what payments to expect before their account is debited.

You can find more information about the different authorization types, payment types, and combinations of the two here.

Approval process

Once you've completed the design and build of your custom payment pages, you need to submit templates to GoCardless for approval prior to your go-live date. We will provide you with feedback on any required changes (if necessary). Only once you have written approval from GoCardless, may you implement the payment pages. More information can be found below and here.

Merchants:
You must submit your payment pages to GoCardless through our Support Center.

To test your payment pages, you can sign up here for a sandbox account. You should create an API access token with read-write access, and use the access token to interact with the GoCardless API. Test the mandate creation process, as outlined in the developer documentation here.

To move your integration from sandbox to a live environment, change your access token from your sandbox to your production GoCardless account.

Partners:
When creating a new partner app and going through our technical certification process, you must submit your payment pages to GoCardless for approval through our Partner Portal.

Quick guide

To create fully compliant Custom Payment Pages, there are a number of requirements you must meet. Here’s the short version for quick reference. Keep reading and we’ll explain each step in more detail:

Step	Quick reference
1	Information entry: You must capture the payer’s full name, email address, country of residence, account holder name, account number, institution number, transit number and PAD category (whether the PAD is a Personal PAD (e.g. for mortgage payments, utility payments, charity donations, etc.) or a Business PAD (e.g. for supplies, lease payments, etc.).
2	Authorization details: You should present to your payer a description of what they are going to be making payment(s) for and what authorization type you are asking for to make those payment(s). Depending on the authorization type, you must present the key payment details, including start date, amount, number and frequency of payments, and a description of any affirmative action they must take.
3	Regulatory statements: You must include certain regulatory statements which are required for a legally binding PAD Agreement: Your contact information Modification of confirmation and advance notice requirements Recourse / reimbursement statement A description of GoCardless being the payee (collecting on your behalf)
4	Summary & consent: You must explain what the payer is being asked to consent to and how they can revoke that consent, include a consent button, and capture the payer’s IP address.
5	Success: You should let your payer know that they have successfully set up an Pre-Authorized Debit Agreement, include the key payment details, and remind them what they will see on their bank statements.
6	Footer: You must remind the payer how their payment is being processed and provide information about GoCardless’ regulatory status and privacy notice.

1. Information entry

This page should be used to capture your payer’s personal and billing information, which is necessary to set up their PAD Agreement.

Requirement	Explanation	Recommendation
Page heading	You should include a page heading that is identifiable to your payers, i.e. it tells them that they are being asked to set up a PAD Agreement with you.If you are submitting an authorization type, you should include this in the heading.	Open: “Set up a Pre-Authorized Debit Agreement with [merchant name]” One-time: “Set up a one-time Pre-Authorized Debit Agreement with [merchant name]” Recurring: “Set up a recurring Pre-Authorized Debit Agreement with [merchant name]” Sporadic: “Set up a sporadic Pre-Authorized Debit Agreement with [merchant name]”
Mandatory personal details	You must collect the following personal details from your payer: Full name Email address Country of residence	“Your personal details Name ____ Email address ____ Country of residence: Canada ___ ”
Mandatory billing details	You must collect the following billing / bank account details from your payer: Account holder name Account number Institution number Transit number Name of Financial Institution PAD Category (personal or business)	“Your bank details Account holder name ___ Institution number (identifies the bank)___ Transit number (identifies the branch where the account was opened) ___ Name of Financial Institution_____ Account number ___ PAD Category ___”

2. Authorization details

Before your payer provides their explicit consent to the PAD Agreement, present them with the relevant details about the payments you will take against it.

Requirement	Explanation	Recommendation
Payment description	You should include a description, which makes clear what the payer is going to be making payments for	E.g. “Cat food”
Authorization type	If you are setting up a One-time, Recurring, or Sporadic PAD Agreement, you should include a description of that authorization type to help your payer understand what they are being asked to consent to. This can be done via direct display of the information, tooltips, or links to the details.	One-time: “A one-time payment will be debited from your account.” Recurring: “A recurring payment will be debited from your account at regular intervals without any additional action needed from you.” Sporadic: “Future payments will only be debited from your account following your pre-approval. You will be informed about how you can approve these transactions, which may include a phone call, online confirmation, or a text message.”
Date of authorization	You must present the date of the PAD Agreement - this is when your payer’s authorization will become effective, on or after which their account will be debited.
Amount of payments	If you are combining your One-time, Recurring, or Sporadic PAD Agreement with a payment, subscription or instalment schedule request, you must display the amount of the payment(s) to be debited from your payer’s account. If you are setting up an Open PAD Agreement, or setting up a payment, subscription or instalment schedule at a later date, it is your responsibility to ensure your payer is made aware of, and that you keep a record of, the amount(s) of any debits, so they know what payments to expect. If you don’t provide this information via your custom payment pages, you must ensure it is provided elsewhere in your customer journey.	Open (or payments being set up at a later date): “Your Pre-Authorized Debit Agreement will be set up in accordance with the amount and timings agreed with [merchant].” One-time: “One time payment: $10.00. This Pre-Authorized Debit Agreement will no longer be valid once the payment has been fulfilled. Any subsequent PAD(s) will require a newly authorized PAD Agreement.” Recurring (subscription): “Recurring payment: $200.00, billed monthly on the 1st until revocation or termination of the Pre-Authorized Debit Agreement” Recurring (instalment schedule): “12 payments billed as follows: $200.00 on 1 November 2024, $120.00 on 1 December 2024…” Sporadic: “One time payment of $50.00, after which your debit amounts will differ. When [merchant] wants to charge you in the future, you’ll be asked for your approval first by [method].”
Number and frequency of payments	If you are combining your One-time, Recurring, or Sporadic PAD Agreement with a payment, subscription or instalment schedule request, you must display the number and frequency of payment(s) to be debited from your payer’s account. If you are setting up an Open ACH Debit Authorization, or setting up a payment, subscription or instalment schedule at a later date, it is your responsibility to ensure your payer is made aware of, and that you keep a record of, the timings of any debits, so they know when to expect these payments. If you don’t provide this information via your custom payment pages, you must ensure it is provided elsewhere in your customer journey. For a One-time PAD Agreement, the number and frequency will always be one. You must include a statement that PAD Agreement will no longer be valid once the payment has been fulfilled. Any subsequent PAD(s) require a newly Authorized Payer’s PAD Agreement. For a Recurring PAD Agreement the number of debits can either be a set amount (for example ‘twelve (12)’), or until the end of the PAD Agreement (for example ‘Until revocation or termination of the PAD Agreement’), and the frequency will be in accordance with your regular timings (for example ‘monthly’). For a Sporadic PAD Agreement, the number of debits can be until the end of the PAD Agreement, and for frequency you can refer to the fact that payments will be taken as often as the payer initiates them (for example ‘Frequency to be determined by your future actions’ or ‘As initiated by you’).
Validity	In the case of a One-time PAD Agreement (not relevant for Recurring or Sporadic PAD Agreements) you must specify that the PAD Agreement will no longer be valid once the payment has been fulfilled and that any subsequent PAD(s) require a newly authorized PAD Agreement.
Affirmative action	In the case of a Sporadic PAD Agreement (not relevant for One-time or Recurring PAD Agreements), payments can only be initiated by your payer through their “affirmative action”. This means you must let your payer know what action they should take in the future to initiate the payment. For example, the payer might need to initiate payments via their online account, or the payer might need to phone you.

3. Regulatory statements

In order for your PAD Agreement to be legally binding, you must present to your payer certain regulatory statements, explained below.

Requirement	Explanation	Recommendation
Contact information	You must include reasonable and accurate contact information so that your payer may contact you by any method of communication you use (e.g. postal address, fax number, telephone number, email address) to make inquiries (e.g. regarding your practices related to personal information, privacy, and information security), obtain information or seek recourse with respect to any PAD Agreement issued by you.	“[Merchant name] [Merchant address] [Merchant email]”
Modification of confirmation and advance notice requirements	As GoCardless has chosen to improve your payers’ payment journey by reducing your confirmation of PAD Agreement and advance notice of debits to be taken from 10 to 3 days you must prominently display a statement (e.g. bold, highlighted or underlined) to let your payers know about this reduction.	“You have agreed to a reduction of the standard period of PAD agreement confirmation and pre-notification for future PADs. We will send your PAD agreement confirmation and any future notices of each PAD 3 days before the PAD is due.”
Recourse / reimbursement statements	Each PAD Agreement must contain the following statement in its entirety: “You [or I/We, depending on the context] have certain recourse rights if any debit does not comply with this agreement. For example, you [I/we] have the right to receive reimbursement for any debit that is not authorized or is not consistent with this PAD Agreement. To obtain more information on your [my/our] recourse rights, [I/we may] contact your [my/our] financial institution or visit www.payments.ca.”	“You have certain recourse rights if any debit does not comply with this agreement. For example, you have the right to receive reimbursement for any debit that is not authorized or is not consistent with this PAD Agreement. To obtain more information on your recourse rights, contact your financial institution or visit www.payments.ca.”
A description of GoCardless being the payee	As GoCardless is collecting payments on your behalf, the Payer’s PAD Agreement must include a statement that describes the arrangement between GoCardless and you, the merchant.	“GoCardless Ltd may appear in your banking information as the debitor of the PAD. GoCardless Ltd has been contracted by [merchant] and you, the Payor, authorize GoCardless Ltd to debit the bank account identified above and, if necessary, electronically credit your account to correct erroneous debits for recurring, one time, or sporadic payments depending on the terms of the agreement.”

4. Summary and consent

In order for your payer to consent to the PAD Agreement, this page ensures that they are clear on what they’re consenting to and how they can revoke that consent.

Requirement	Explanation	Recommendation
Clear explanation	You must clearly explain to your payer exactly what they are being asked to consent to. This reduces the risk of your payer, at a later date, saying that they did not authorize the debit to their account.	“[Merchant] needs your consent to set up this [insert authorization type, if applicable] PAD Agreement. Please check if the details below are correct. Details of your payments will be provided via email notification.”
Revocation instructions	You must provide details of how the payer can revoke the PAD Agreement, including the time and manner in which this revocation must be communicated to you (e.g. how many reasonable days’ notice you require, not exceeding 30 days). A Payer’s PAD Agreement shall also advise the Payer may obtain a sample cancellation form, or further information on their right to cancel a PAD Agreement, at their financial institution or by visiting www.payments.ca. You must also advise your payer of the cancellation terms should you, the merchant, decide to cease issuing PADs.	“You, the Payer, may revoke your [insert authorization type, if applicable] PAD Agreement at any time by emailing [merchant name] at [merchant email address]. Please allow up to [reasonable number, as per your practices] days for this authorization to be cancelled. Please note that any scheduled debits due during this time may still be honored. To obtain a sample cancellation form, or further information on their right to cancel a PAD Agreement, contact your financial institution or visit www.payments.ca. [Merchant] may also cancel this PAD agreement on not less than 30 days notice to you.”
Redisplay key details	If your payment pages are split over multiple screens, you should redisplay certain payer personal and billing information and PAD Agreement details just before you collect the payer’s consent: Payer full name Account holder name Hashed account number Payment description Authorization type Amount of payments (where relevant) Number and frequency of payments (where relevant)	Open (or payments being set up at a later date): “Confirm your details Name ___ Account holder name ___ Bank account ending with ***5645 Your PAD Agreement will be set up in accordance with the amount and timings agreed with [merchant]” One-time: “Confirm your details Name ___ Account holder name ___ Bank account ending with *5645 One time payment: $10.00” Recurring: “Confirm your details Name ___ Account holder name ___ Bank account ending with *56 $200.00, billed monthly on the 1st ” Sporadic: “Confirm your details Name ___ Account holder name ___ Bank account ending with ***56 Your PAD Agreement will be set up now and when [merchant] wants to charge you in the future, you’ll be asked for your approval first by [method].”
Clear consent	You must provide the payer with an opportunity to show that they have authority to let you debit their account and actively consent to all of the above.	“By continuing, you, the payer, confirm that you have authority under the terms of your account agreement to authorize this debit and consent to the terms of your PAD Agreement”. ” + “Continue” or “Consent” button.
Capture IP address	You must capture the payer’s IP address. This serves as evidence of the payer’s consent to the PAD Agreement setup and is used by GoCardless for Financial Crime and Fraud controls

5. Set up success

After the payer has provided their consent, you can provide messaging to let them know the set up was successful.

Requirement

Explanation

Recommendation

Confirmation of success

After your payer has provided their consent, you should use this page to confirm to them that the PAD Agreement has been successfully set up.

If you are combining your One-time, Recurring, or Sporadic PAD Agreement with a payment, subscription or instalment schedule request, you should include any relevant payment details here.

“Good news, [payer name]. You’ve successfully authorized a [insert authorization type, if applicable] PAD Agreement. [Insert any relevant payment details]”

Reminder of what the payer will see on their bank statements

You should take this opportunity to remind your payer what they will see on their bank statements to avoid any confusion when you take a payment.

“GoCardless LTD has been contracted by [merchant]. You, the payer, authorize GoCardless LTD to debit your bank account ******[last four digits of account number] and GoCardless LTD may appear on your bank statement ”

6. Footer

On all Custom Payment Pages , you must include a page footer with certain information about GoCardless.

Requirement

Explanation

Recommendation

Regulatory status disclosure

You must remind your payer about how their payment is being processed and provide information about GoCardless’ regulatory status.

“Payments securely processed by GoCardless. GoCardless Ltd (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.”

Privacy notice

You must display our Privacy Notices.

“GoCardless uses personal data as described in these Privacy Notices.”

Record keeping

When using Custom Payment Pages, you must keep certain records. We’ve set these records and retention periods out below.

Record	Retention period
If you are setting up an Open PAD Agreement, or setting up a One-time, Recurring or Sporadic PAD Agreement, but setting up payment, subscription or instalment schedule at a later date, you must keep a record of how you made your payer aware of and got their consent to those payment terms (i.e. step 2 of this guide).	For a minimum of 12 months following the last PAD processed in accordance with that Payer’s PAD Agreement.
If you are setting up a Standing Authorization, you must keep a record of your payer’s affirmative action to each payment taken against that authorization type.	For a minimum of 12 months following the last PAD processed in accordance with that Payer’s PAD Agreement.
You must keep a system log tracking your payer’s activity as they pass through your custom payment pages for setting up their PAD Agreement.	For a minimum of 12 months following the last PAD processed in accordance with that Payer’s PAD Agreement.
You must collect and keep a record of your payer’s IP address used when setting up their PAD Agreement.	For a minimum of 12 months following the last PAD processed in accordance with that Payer’s PAD Agreement.

Summary table

The below shows a summary of the relevant information that you should capture or display at each stage of your payment pages.

	INFORMATION ENTRY PAGE	AUTHORIZATION DETAILS	REGULATORY STATEMENTS	SUMMARY & CONSENT	SET UP SUCCESS
Page heading	Displayed Displayed (recommended)
Payer full name	Captured (mandatory)			Displayed (recommended)
Payer email address	Captured (mandatory)
Payer country of residence	Captured (mandatory)
Account holder name	Captured (mandatory)			Displayed (recommended)
Account number	Captured (mandatory)			Displayed (recommended)
Institution number	Captured (mandatory)
Transit number	Captured (mandatory)
Name of Financial Institution	Captured (mandatory)
PAD Category	Captured (mandatory)
Payment description		Displayed (recommended)		Displayed (recommended)
Authorization type description		Displayed (recommended)		Displayed (recommended)
Date of authorization		Displayed (mandatory)
Amount of payments		Displayed (mandatory depending on authorization type - see above)		Displayed (mandatory depending on authorization type - see above)	Displayed (mandatory depending on authorization type - see above)
Number and frequency of payments		Displayed (mandatory depending on authorization type - see above)		Displayed (mandatory depending on authorization type - see above)	Displayed (mandatory depending on authorization type - see above)
Validity statement		Displayed (mandatory for One-time authorizations only)
Description of affirmative action		Displayed (mandatory for Sporadic authorizations only)
Contact information			Displayed (mandatory)
Modification of confirmation and advance notice			Displayed (mandatory)
Recourse statement			Displayed (mandatory)
Description of GoCardless being the payee			Displayed (mandatory)
Explanation of what consent is required for				Displayed (mandatory)
Revocation instructions				Displayed (mandatory)
Clear consent + button				Displayed (mandatory)
IP address				Captured (mandatory)
Confirmation of successful set up					Displayed (recommended)
Bank statements reminder					Displayed (recommended)
Regulatory status disclosure	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)
Privacy notice	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)	Displayed (mandatory)