Payment window API

This document is intended to describe the communications protocols that are used for communication between the Partner and Direct2Internet.

Production URL: https://{psp-url}/pay

Test URL: https://{psp-url}/pay/test

Merchant admin URL: https://{psp-url}/admin

The value {psp-url} depends on your setup. This can be your company name for instance the test URL could be located at https://pay.mycompany.com/pay/test. If you are setting up a test merchant the psp-url will commonly be pay.direct2internet.com, this means you will commonly make test payment calls to https://pay.direct2internet.com/pay/test and use https://pay.direct2internet.com/admin for accessing the administration gui.

To succesfully integrate a single merchant to D2I PSP you need a merchant id, secret key, user login, user password and the psp-url

Authentication using a checksum is based on the sum of parameter values and a secret key

Status return codes for success and failure are based on ISO8583 status codes ver 1993 with some minor differences. Status return code "000" is success while other return codes are basically failures.

Note that the parameter order id can be no longer than 20 characters. The exact length of order id depends on how transactions are sent through Mastercard/Visa payment system. Many Mastercard/Visa systems cannot handle more than 20 characters, and in some rare cases only handle as few as 10 characters.

Parameters

Name	Format	Mandatory	Description
merchant_id	string	yes	Merchants unique id.
order_id	string	yes	Order id is a reference generated by the merchants system it often has maximum length of 20 chars. Order id should be unique to make it easy to trace payment issues and avoid errors with certain payments. Payments may however reuse order id when customers have issues with owned payment cards and try using another payment card.
amount	string	yes	The amount of the transaction must be 1 unit-of-currency (100 = 1 kr).
currency	string	no	Currency to be used in payment: ‘SEK’,‘EUR’,‘DKK’,‘NOK’,‘GBP’,‘USD’,'PLN', 'HRK'. Default ‘SEK’.
language	string	no	Language in payment window. ‘SE’,’NO’,’DK’,’GB’, 'FI', 'PL', 'HR'. Default ‘SE’.
accept_url	string	yes	URL where customer is redirected after successful payment.
cancel_url	string	no	URL where customer is redirected when clicking cancel in payment window.
callback_url	string	no	URL where payment gateway sends transaction data after successful payment.
do_3d_secure	string	yes	‘NO’ disables 3D-Secure. Please note that the banks liability shift is not active if 3D-secure is not used. Default ’YES’.
pay_method	string	no	To control which payment methods to display in payment window. ‘PAYWIN’ displays all payment methods. ‘CARD’/ 'DEBITCARD'/'CREDITCARD' displays only card entry. ‘BANK’ displays only bank payment. 'INVOICE' displays only invoice payment,'SWISH' displays only swish payment. Default ‘PAYWIN’.
return_method	string	no	Method to call accept_url. ’POST’ or ’GET’. Default ’POST’.
prompt_name_entry	string	no	Control if cardholder name entry should be displayed in payment window. ‘YES’ activates fields. Default ‘NO’.
result_redirect	string	no	‘NO’ means that customer is displayed a web page after successful payment instead of being redirected to accept_url. Default ‘YES’.
create_subscription	string	no	‘YES’ means that an extra parameter ‘subscription_trans_id’ is sent to accept and callback-url if payment is successful. This is a reference to the card number that can be used later to debit the card. Please note that this requires support at the acquiring bank.
posenv	string	no	Used to define where the transaction originates. This is important to match the acquiring agreement. ‘SSL’, ‘MAIL’, ‘TELEPHONE’ Default: ‘SSL’
capture_now	string	no	‘YES’ means that the payment is flagged for automatic debit. No separate call for debit is required. Default ‘NO’.
customer_name	string	no	The full name of the customer. `Required for invoice payments.`
customer_street1	string	no	Street address of customer. `Required for invoice payments.`
customer_street2	string	no	Street address of customer
customer_zipcode	string	no	Zip code of customer. `Required for invoice payments.`
customer_city	string	no	Customers city. `Required for invoice payments.`
oiTypes	string	no	Names of columns for order rows described left to right. Names are seperated by ';' (semi colon). Valid names are: `AMOUNT, DESCRIPTION, ITEMID, ITEMPRICE, QUANTITY, DISCOUNT, VATPERCENT`
oiRow(1..n)	string	no	Contains the order row for the payment in the same order as oiTypes. Each row is described by "oiRow1", "oiRow2" and so on.
mac	string	no	SHA-256 checksum calculated as the example below.

Example call




<html>
<body>
<form action="https://<psp-url>/pay" method="post">
<input type="hidden" name="merchant_id" value="1007">
<input type="hidden" name="order_id" value="WebOrder-2023">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="currency" value="SEK">
<input type="hidden" name="accept_url" value="https://www.butiken.com/store/show_receipt?order_id=WebOrder-2023">
<input type="hidden" name="callback_url" value="https://payment.butiken.com/notification">
<input type="hidden" name="pay_method" value="PAYWIN">
<input type="hidden" name="mac" value="0a87b7f2c02f661d9bc982de586346f5dfd6ce0017cf8cdf74067c6518704639">
</form>
</body>
</html>

Flowchart

Order rows

Column description

Column name	Description
AMOUNT *	The total amount (without vat) of all items in the row (minus discount if present)
DESCRIPTION *	The description of the product
ITEMID	Specific ID for the product
ITEMPRICE	Price for one item (without vat)
QUANTITY	Quantity of items
DISCOUNT	Discount for this row, substract this value in the amount field
VATPERCENT *	Valid values are: 2500, 1200, 600, 0

(* Mandatory fields)

Example order rows



<input type="hidden" name="oiTypes" value="AMOUNT;DESCRIPTION;ITEMID;ITEMPRICE;QUANTITY;DISCOUNT;VATPERCENT">
<input type="hidden" name="oiRow1" value="800;T-shirt blue;12211;500;2;200;2500">
<input type="hidden" name="oiRow2" value="1800;T-shirt red;12212;1000;2;200;2500">
<input type="hidden" name="oiRow3" value="-100;Discount;;;;;0">
<input type="hidden" name="oiRow4" value="2500;Shipping fee;;;;;0">

AMOUNT	DESCRIPTION	ITEMID	ITEMPRICE	QUANTITY	DISCOUNT	VATPERCENT
8.00	T-shirt blue	12211	5.00	2	2.00	25.00
18.00	T-shirt red	12212	10.00	2	2.00	25.00
-1.00	Discount					0
25.00	Shipping fee					0

Total amount that has to be sent to paywin is including VAT:

VAT Product 1: 8.00 * 0.25 = 2.00
VAT Product 2: 18.00 * 0.25 = 4.5
VAT Product 3: 0
VAT Product 4: 0

Round(6.5) = 7.00

Paywin amount = (800 + 1800 - 100 + 2500 + 700) = 5700

Call to accept_url

Call to accept_url sends through the customers web browser after a successful payment with HTTP GET or HTTP POST depending on the value of the parameter return_method. The parameters below is example on parameters that is sent:

Name	Value	Note
trans_id	2457
merchant_id	1007
order_id	WebOrder-2023
amount	1000
currency	SEK
mac	2637ace2f7863540bd3eb477e1 4ee675b74eb8f38da18b9172f7 00d215f5afe2
status	0
pay_method	visa	Shows the payment method the customer choosed.(card: visa/mc or bank: handelsbanken/sebprivate/sebbusiness/ nordea/swedbank)
time	2012-03-06 09:58:49
error_message	Approved

Card payments parameters:

Name	Value	Note
card_no	422222......2222
exp_mon	12
exp_year	14
approval_code	AB1624

Invoice payments parameters:

Name	Value	Note
invoice_number	10006	The invoice number generated.
invoice_name	Kjell Börje Håkan Zerykier
invoice_street1	Lillavan 7
invoice_zipcode	52230
invoice_city	Tidaholm
invoice_update_delivery_address	NO	If set to YES the address returned is the updated address of consumer.

Call to callback_url

Same parameters that is sent to accept_url is also sent to callback_url after a successful payment. This is sent directly from the payment gateway. Format of the data is in JSON, example:

{
    "trans_id": "2457", 
    "merchant_id": "1007", 
    "order_id": "WebOrder-2023",
    "amount": "1000",
    "currency": "SEK",
    "mac":"2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "card_no": "422222......2222",
    "pay_method": "visa",
    "time": "2012-03-06 09:58:49",
    "approval_code": "AB1624",
    "exp_mon": "12",
    "exp_year": "14",
    "error_message": "Approved",
}

The callback_url is also used for asynchronous reporting of sudden and unexpected changes to the payment state. This happens regularly for some payment types or when an unusual and unexpected error occurs in the payment processing. Format of the data is in JSON, for example an error due to a sudden cable break somewhere in the payment network may in response send the following:

{
    
    "mac":"2637ace2f7863540bd3eb477e56ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "909",
    "trans_id": "5034523",
    "event": "capture",

}

MAC calculation

Sort all parameters in alphabetic order based on the parameter name. Concatenate all parameter values into a single string. Append the merchant secret key to the string. Calculate SHA256 sum on the string to produce the mac value.

For example using the following parameter in the post call:

accept_url	https://www.butiken.com/store/show_receipt?order_id=WebOrder-2023
amount	1000
callback_url	https://payment.butiken.com/notification
currency	SEK
merchant_id	1007
order_id	WebOrder-2023
pay_method	PAYWIN

After copying all parameter values into a string we get the following:

https://www.butiken.com/store/show_receipt?order_id=WebOrder- 20231000https://payment.butiken.com/notificationSEK1007WebOrder-2023PAYWIN

Append the merchants secret key, in this example X85LmHiJ98, to produce the final string:

https://www.butiken.com/store/show_receipt?order_id=WebOrder- 20231000https://payment.butiken.com/notificationSEK1007WebOrder-2023PAYWINX85LmHiJ98

Calculate SHA-256-sum on the final string:

0a87b7f2c02f661d9bc982de586346f5dfd6ce0017cf8cdf74067c6518704639

The javascript code below can be used to calculate the MAC value. It depends on javascript JQuery, sha256 libs and the html form element included in the example.

<pre>
The following form should be sent to the client

<form action="https://pay.direct2internet.com/pay/test" 
    method="post" id="store-send-params">
 
	<input name="merchant_id" value="your merchant id">
        ... and additional fields..

        .. and include the mac field ..
        <input  id="actMAC" name="mac" value="">

</form>

Secret key (this key should be stored on server and never be sent to client)
<input  id="mac-secret" name="mac-secret" value="a secret key">  

Recalc button
<button onclick="recalcMAC()">Calc Mac</button>
<script>

function recalcMAC() {
        function joinData(data) {
                out = ""
                for(var i=0;i<data.length;i++) {
                        out = out + data[i][1];
                }
                return out;
        }

        var allInputsJQ = $("#store-send-params :input" );
        var allInputs = [];
        for(var i=0;i<allInputsJQ.length;i++) {
                var v = allInputsJQ[i];
                if(v.name!="" && v.name!="mac" && v.value!="") {
                        allInputs.push([v.name,v.value]);
                }
        }

        allInputs.sort();
        var nstr = joinData(allInputs) + $("#mac-secret")[0].value;
        var machash = Sha256.hash(nstr)
        $("#actMAC")[0].value = machash;
}


</script>
</pre>

API debit payment

On payments where capture_now is not set on the call to payment window, you can later call for a debit on the payment. (You can also debit payments through the administration interface.)

When calling from an external source you must use html basic access authentication adding the user name and the password in the html header (Authorization field).

Address to call externally URL: https://{psp-url}/admin/capture

Parameters

Name	Format	Mandatory	Description
merchant_id	string	yes	Merchants unique id.
order_id	string	yes	Order-ID that were used during payment that will be debited.
trans_id	string	yes	Transaction-id that were returned during the payment.
amount	string	yes	Amount to debit. Must be 1 unit-of- currency (100 = 1 kr).
mac	string	no	SHA-256 checksum.

Response

{
    "mac":"2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": "",
}

API void payment

To void a reserved (authorized) amount wihout using the administration interface it's also possible to call it externally.

When calling from an external source you must use html basic access authentication adding the user name and the password in the html header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/void

Parameters

Name	Format	Mandatory	Description
merchant_id	string	yes	Merchants unique id.
order_id	string	yes	Order-ID that were used during payment that will be voided.
trans_id	string	yes	Transaction-id that were returned during the payment.
amount	string	yes	Amount to void. Must be 1 unit-of- currency (100 = 1 kr).
mac	string	no	SHA-256 checksum.

Response

{
    "mac":"2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": "",
}

API credit payment

To credit a debited payment without using the administration interface it’s also possible to call externally.

When calling from an external source you must use html basic access authentication adding the user name and the password in the html header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/credit

Parameters

Name	Format	Mandatory	Description
merchant_id	string	yes	Merchants unique id.
order_id	string	yes	Order-ID that were used during payment that will be credited.
trans_id	string	yes	Transaction-id that were returned during the payment.
amount	string	yes	Amount to credit. Must be 1 unit-of- currency (100 = 1 kr).
mac	string	yes	SHA-256 checksum.

Response

{
    "mac":"2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": "",
}

API recurring payment

To authorize/debit on a stored card number it’s possible to call:

When calling from an external source you must use html basic access authentication adding the user name and the password in the html header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/subscription_auth

Parameters

Name	Format	Mandatory	Description
merchant_id	string	yes	Merchants unique id.
order_id	string	yes	Unique order-id.
trans_id	string	yes	subscription_trans_id that was returned during the payment.
amount	string	yes	Must be 1 unit-of-currency (100 = 1 kr).
currency	string	yes	Default: ‘SEK’
capture_now	string	yes	‘YES’, means the card is automatically debited after successful authorization. Default: ‘NO’
mac	string	yes	SHA-256 checksum.

Response

{
    "trans_id":""
    "mac":"2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": "",
}