The document contains technical description of credit card data transfer from Online Store (OS) system to payment gateway (PG) services with the aim to perform the authorisation of money - store-system-side card data input scheme, host-to-host two-calls functional of card data transfer.
Basic requirements: - basic API knowledge - certificate of PCI DSS SAQ D compliance
The following steps must be organised on the OS system side, to ensure the correct data exchange between OS and PG system.
Note: the number of steps depends on chosen type of integration.
To organise the input of credit card data inside the web-site of OS, OS has to register an order in PG system to receive the JSON authorisation web service address. The request must contain the identifier of chosen card data entry type. This identifier is value rest in Showcase parameter of order registration request.
Request example:
<soap-env:Envelope
xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Body>
<register>
<order>
<shop_id>123</shop_id>
<number>123456789</number>
</order>
<cost>
<currency>RUB</currency>
<amount>100</amount>
</cost>
<customer>
<phone>+79859998877</phone>
<name>Пупкин Вася</name>
<email>vasya@mail.ru</email>
</customer>
<description>
<timelimit>2016-04-23T10:42:00.000Z</timelimit>
</description>
<postdata>
<PostEntry>
<name>Showcase</name>
<value>rest</value>
</PostEntry>
</postdata>
</register>
</soap-env:Body>
</soap-env:Envelope>In case of successful request processing by PG, OS system will receive redirect_url and session - the JSON authorisation web service address (service_url = redirect_url + session). Session value is unique, and can be used only once.
Response example:
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Body>
<registerResponse>
<retval>
<session>6b221924756b46a4bdf323763900baaa</session>
<paycode></paycode>
<redirect_url>https://sandbox.egopay.ru/rest/v2/</redirect_url>
</retval>
</registerResponse>
</soap-env:Body>
</soap-env:Envelope>After the card data is collected on the OS side, OS system transfers it for PG system.
Note: in case of store-system-side card data input scheme, it is assumed that the primary check of entered card data will be carried out by the OS system.
Primary check functional recommendations:
Note: authorisation request send requires basic HTTP authorisation.
Request type: POST
Authorisation request parameters:
| Path | Mandatory(M) / Optional(O) | Type | Length | Description | Example |
|---|---|---|---|---|---|
| ver | M | number | max 1 | authorisation service version | 2 by default |
| txns | M | complex | card and customer information | ||
| txns/pan | M | string | min 13max 19 | card primary account number (PAN) | 4111111111111111 |
| txns/masked_pan | O | string | min 13max 19 | masked card primary account number (PAN), mandatory for POS payments | ************4444 |
| txns/exp | M | string | max 6 | card expiration date, YYYYMM format | 201512 |
| txns/cvv | O | string | min 3 max 4 | CVC2/CVV2/4DBC Isn’t used only for cards that don’t have this code, otherwise Store system should transfer it. | 123 |
| txns/amt | M | number | authorisation amount | 28500 | |
| txns/cy | M | string | max 3 | currency code | RUB |
| txns/holder | O | string | min 2 max 64 | card holder name | Vasya Pupkin |
| txns/phone | O | string | max 15 | customer phone number | +79011230405 |
| txns/email | O | string | max 256 | customer email address | vasya@gmail.com |
| txns/rrn | O | string | external system payment RRN, mandatory for POS payments | 225456441682 | |
| txns/response_code | O | string | external system payment state, mandatory for POS payments | 00 | |
| txns/auth_code | O | string | external system payment authorisation code, mandatory for POS payments | 53494D | |
| txns/tsi | O | string | external system transaction status information | 5657657658575657 | |
| txns/tvr | O | string | external system terminal verification results | 0480800001 | |
| txns/datetime | O | string | external system authorisation date and time, mandatory for POS payments | 20190621075857 | |
| txns/aid | O | string | application identifier – terminal | A0000006581010 | |
| device | O | complex | customer browser/device information | ||
| device/ip | O | string | min 2 max 40 | IP v4 address | 188.225.12.161 |
| device/agent | O | string | max 256 | browser description (User-Agent HTTP header) | Chrome / Opera / Safari etc. |
| device/guid | O | string | max 32 | device id | 123e4567-e89b-12d3-a456-426655440000 |
| device/appid | O | string | max 32 | application id | 123e47774-e89b-12d3-a456-426655440000 |
| device/serial_number | O | string | device serial number, mandatory for POS payments | 0000000000521 | |
| device/vendor | O | string | vendor code, mandatory for POS payments | aqsi | |
| settings | O | complex | additional settings | ||
| settings/cpolicy | O | string | max 32 | 3ds policy settings - available only after Acquire approval | grey |
Online payment card request example:
{
"ver": 2,
"txns": [
{
"pan": "5100000000000008",
"exp": "201512",
"cvv": "222",
"amt": 28500,
"cy": "RUB",
"holder": "Vasya Pupkin",
"phone": "89119111213",
"email": "pupkin@vasya.ru"
}
],
"device": {
"ip": "127.0.0.1",
"agent": "Mozilla"
}
}POS payment request example:
{
"ver": 2,
"txns": [
{
"masked_pan": "************4444",
"exp": "202512",
"amt": 28500,
"cy": "RUB",
"holder": "Vasya Pupkin",
"phone": "89119111213",
"email": "pupkin@vasya.ru",
"rrn": "225456441682",
"response _code": "00",
"auth_code": "53494D",
"tsi": "5657657658575657",
"tvr": "0480800001",
"datetime": "20190621075857",
"aid": "A0000006581010"
}
],
"device": {
"serial_number": "0000000000521",
"vendor": "aqsi"
}
}Note: Authorisation request can be send only once on the received web service address. If an additional attempt to pay is required within the same order, OS must receive new web service address.
Note: In case of timeout on authorisation request, OS should check status of web service address session. If the status is active - OS can repeat authorisation request within the same web service address session.
The general timeout for response is 30 seconds.
Response example:
{
"ver": 2,
"status": "success"
}Authorisation request status check is used:
The general timeout for response is 10 seconds.
OS should send GET request on the same web service address (as it was used for authorisation request sending).
The format of the response is the same as the response on authorisation request.
Request type: GET
Authorisation request processing status can be:
| status | description | final (Y-yes, N-no) |
|---|---|---|
| success | authorisation request is processed successfully | Y |
| active | authorisation request is expected - it was not send or timeout occurred | N |
| in_progress | authorisation request is processing, resend status check request later | N |
| ready | customer card is involved in 3ds program, PG started 3ds verification session | N |
| started | 3ds customer verification is in process | N |
| invalid_request | authorisation request is incorrect | Y |
| duplicate_session | web service address session is already used in another authorisation request | Y |
| timeout | web service address session is expired | Y |
| already_processed | the web order is already payed for | Y |
In case if authorisation request status is ready, response will contain the following additional fields with data for 3ds verification of customer:
OS can hold 3ds verification of customer in 2 ways:
Note: the choice to use its of own MPI functional assumes that OS specialist have enough working experience in 3D Secure protocol, PaReq/PaRes operations. This document doesn’t contain any information about MPI functional.
Response example:
{
"ver": 2,
"status": "ready",
"url": "https://sandbox.egopay.ru/mpi",
"txns": [
{
"id": "12345",
"pareq": "dsfastewKJHsdf==",
"acs_url": "https://acs.bank.hz"
}
]
}In case if OS specialists decide to use its own MPI functional, the following steps should be performed:
POST request should be sent on the same web service address (as it was used for authorisation request sending).
Request type: POST
3DS results data transfer request parameters:
| Path | Mandatory(M) / Optional(O) | Type | Length | Description | Example |
|---|---|---|---|---|---|
| ver | M | number | max 1 | authorisation service version | 2 by default |
| md | M | string | identifier of authentication session | ||
| pares | M | string | pares ACS response |
Request example:
{
"ver": 2,
"md": "12345",
"pares": "dsfastewKJHsdf=="
}The general timeout for response is 10 seconds.
The format of the response is the same as the response on authorisation request.
OS system should send GET request to get the status of PARes data transfer (see 2.3). The response will also include the ReturnURLOk/ReturnURLFault address, depending on order status.
Response example:
{
"ver": 2,
"status": "success",
"url": "http://abc.ru"
}| type | description |
|---|---|
| black | authorisation decline |
| grey | only 3ds authorisation |
| secure | 3ds authorisation if it is available |
| white | authorisation with 3ds or with attempt of 3ds check or without 3ds |
| yellow | authorisation with 3ds or with attempt of 3ds check or without 3ds or if 3ds functional is unavailable |
| green | authorisation without 3ds |