Dynamic script/SDK load — only pulled in if this PSP is active.
Renders PayZen's embedded card form (kr-pan / kr-expiry / kr-security-code become Lyra-hosted iframes — SAQ-A eligible, card data never touches the host DOM). KR is a single page-global managing forms globally, so mounting tears down any previous form first; two PayZen forms cannot coexist on one page.
fieldOptions passes through to KR.setFormConfig untouched (placeholders
kr-placeholder-*, kr-hide-debug-toolbar, …). Protected keys the host
cannot override: formToken (from clientSecret), kr-public-key,
kr-spa-mode, and language when MountOptions.locale is given.
appearance is accepted but has no JS hook to land on: krypton mirrors
the host page's CSS into its iframes automatically, so theming is done
with plain CSS (or a cssUrl override) — documented no-op.
Confirm-on-client shape: KR.submit() makes the krypton form create the transaction, with 3DS2 running INLINE in Lyra's pop-in (no navigation). The outcome arrives via KR.onSubmit (accepted) or KR.onError (refused/ client error) — both resolve, never reject. The browser kr-answer is NOT hash-verified here (the validation keys are server secrets); the host's source of truth stays server-side (IPN / retrievePayment).