Payment window API

This document describes the communication protocols used between the Partner and Direct2Internet.

Production URL: https://{psp-url}/pay

Test URL: https://{psp-url}/pay/test

Merchant admin URL: https://{psp-url}/admin

The value {psp-url} depends on your setup. It can be based on your company name; for instance, the test URL could be located at https://pay.mycompany.com/pay/test. If you are setting up a test merchant, the psp-url will commonly be pay.direct2internet.com. In that case you make test payment calls to https://pay.direct2internet.com/pay/test and use https://pay.direct2internet.com/admin to access the administration GUI.

To successfully integrate a single merchant with the D2I PSP you need a merchant id, secret key, user login, user password and the psp-url.

Authentication uses a checksum (the mac parameter) calculated over the parameter values and a secret key; see MAC calculation.

Status return codes for success and failure are based on ISO8583 status codes ver 1993 with some minor differences. Status return code "000" is success while other return codes are basically failures. 

Note that the parameter order id can be no longer than 20 characters. The exact length of order id depends on how transactions are sent through Mastercard/Visa payment system. Many Mastercard/Visa systems cannot handle more than 20 characters, and in some rare cases only handle as few as 10 characters.

Parameters

| Name | Format | Mandatory | Description |
| --- | --- | --- | --- |
| merchant_id | string | yes | Merchant's unique id. |
| order_id | string | yes | Order id is a reference generated by the merchant's system; it often has a maximum length of 20 chars. Order id should be unique to make it easy to trace payment issues and avoid errors with certain payments. Payments may however reuse an order id when customers have issues with owned payment cards and try using another payment card. |
| amount | string | yes | Amount of the transaction, given in 1/100 of the currency unit (100 = 1 kr). |
| currency | string | no | Currency to be used in payment: 'SEK', 'EUR', 'DKK', 'NOK', 'GBP', 'USD', 'PLN', 'HRK'. Default 'SEK'. |
| language | string | no | Language in payment window: 'SE', 'NO', 'DK', 'GB', 'FI', 'PL', 'HR'. Default 'SE'. |
| accept_url | string | yes | URL where the customer is redirected after successful payment. |
| cancel_url | string | no | URL where the customer is redirected when clicking cancel in the payment window. |
| callback_url | string | no | URL where the payment gateway sends transaction data after successful payment. |
| do_3d_secure | string | yes | 'NO' disables 3D-Secure. Please note that the bank's liability shift is not active if 3D-Secure is not used. Default 'YES'. |
| pay_method | string | no | Controls which payment methods to display in the payment window. 'PAYWIN' displays all payment methods. 'CARD' / 'DEBITCARD' / 'CREDITCARD' displays only card entry. 'BANK' displays only bank payment. 'INVOICE' displays only invoice payment. 'SWISH' displays only Swish payment. Default 'PAYWIN'. |
| return_method | string | no | Method used to call accept_url: 'POST' or 'GET'. Default 'POST'. |
| prompt_name_entry | string | no | Controls whether cardholder name entry is displayed in the payment window. 'YES' activates the fields. Default 'NO'. |
| result_redirect | string | no | 'NO' means that the customer is shown a web page after successful payment instead of being redirected to accept_url. Default 'YES'. |
| create_subscription | string | no | 'YES' means that an extra parameter 'subscription_trans_id' is sent to the accept and callback URLs if payment is successful. This is a reference to the card number that can be used later to debit the card. Please note that this requires support at the acquiring bank. |
| posenv | string | no | Defines where the transaction originates. This is important to match the acquiring agreement. 'SSL', 'MAIL', 'TELEPHONE'. Default 'SSL'. |
| capture_now | string | no | 'YES' means that the payment is flagged for automatic debit. No separate call for debit is required. Default 'NO'. |
| customer_name | string | no | The full name of the customer. Required for invoice payments. |
| customer_street1 | string | no | Street address of the customer. Required for invoice payments. |
| customer_street2 | string | no | Street address of the customer. |
| customer_zipcode | string | no | Zip code of the customer. Required for invoice payments. |
| customer_city | string | no | Customer's city. Required for invoice payments. |
| oiTypes | string | no | Names of the columns for order rows, described left to right. Names are separated by ';' (semicolon). Valid names are: AMOUNT, DESCRIPTION, ITEMID, ITEMPRICE, QUANTITY, DISCOUNT, VATPERCENT. |
| oiRow(1..n) | string | no | Contains the order row for the payment, in the same column order as oiTypes. Each row is sent as "oiRow1", "oiRow2" and so on. |
| mac | string | no | SHA-256 checksum calculated as in the example below. |

Example call

<html>
<body>
<form action="https://{psp-url}/pay" method="post">
    <input type="hidden" name="merchant_id" value="1007">
    <input type="hidden" name="order_id" value="WebOrder-2023">
    <input type="hidden" name="amount" value="1000">
    <input type="hidden" name="currency" value="SEK">
    <input type="hidden" name="accept_url" value="https://www.butiken.com/store/show_receipt?order_id=WebOrder-2023">
    <input type="hidden" name="callback_url" value="https://payment.butiken.com/notification">
    <input type="hidden" name="pay_method" value="PAYWIN">
    <input type="hidden" name="mac" value="0a87b7f2c02f661d9bc982de586346f5dfd6ce0017cf8cdf74067c6518704639">
</form>
</body>
</html>

Flowchart

Order rows 

Column description

| Column name | Description |
| --- | --- |
| AMOUNT * | The total amount (without VAT) of all items in the row (minus discount if present) |
| DESCRIPTION * | The description of the product |
| ITEMID | Specific ID for the product |
| ITEMPRICE | Price for one item (without VAT) |
| QUANTITY | Quantity of items |
| DISCOUNT | Discount for this row; subtract this value in the amount field |
| VATPERCENT * | Valid values are: 2500, 1200, 600, 0 |

(* Mandatory fields)

Example order rows

<input type="hidden" name="oiTypes" value="AMOUNT;DESCRIPTION;ITEMID;ITEMPRICE;QUANTITY;DISCOUNT;VATPERCENT">
<input type="hidden" name="oiRow1" value="800;T-shirt blue;12211;500;2;200;2500">
<input type="hidden" name="oiRow2" value="1800;T-shirt red;12212;1000;2;200;2500">
<input type="hidden" name="oiRow3" value="-100;Discount;;;;;0">
<input type="hidden" name="oiRow4" value="2500;Shipping fee;;;;;0">

| AMOUNT | DESCRIPTION | ITEMID | ITEMPRICE | QUANTITY | DISCOUNT | VATPERCENT |
| --- | --- | --- | --- | --- | --- | --- |
| 8.00 | T-shirt blue | 12211 | 5.00 | 2 | 2.00 | 25.00 |
| 18.00 | T-shirt red | 12212 | 10.00 | 2 | 2.00 | 25.00 |
| -1.00 | Discount | | | | | 0 |
| 25.00 | Shipping fee | | | | | 0 |

The total amount sent to the payment window (Paywin) must include VAT:

VAT Product 1: 8.00 * 0.25 = 2.00
VAT Product 2: 18.00 * 0.25 = 4.50
VAT Product 3: 0
VAT Product 4: 0

Total VAT: 2.00 + 4.50 = 6.50

Round(6.50) = 7.00

Paywin amount = (800 + 1800 - 100 + 2500 + 700) = 5700
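
The calculation above as code, an added example that is not part of the original documentation: it parses the oiTypes/oiRow fields and derives the value for the amount parameter. The function names are hypothetical, and rounding the total VAT half up to a whole currency unit is an assumption taken from the Round(6.5) = 7.00 step.

```javascript
const VALID_VAT = ['2500', '1200', '600', '0']; // values listed for VATPERCENT
const MANDATORY = ['AMOUNT', 'DESCRIPTION', 'VATPERCENT'];

// Turn oiTypes / oiRow1..n form fields into objects keyed by column name.
function parseOrderRows(fields) {
  const types = fields.oiTypes.split(';');
  const rows = [];
  for (let n = 1; fields['oiRow' + n] !== undefined; n++) {
    const cells = fields['oiRow' + n].split(';');
    if (cells.length !== types.length) {
      throw new Error('oiRow' + n + ': column count differs from oiTypes');
    }
    const row = {};
    types.forEach((type, i) => { row[type] = cells[i]; });
    for (const name of MANDATORY) {
      if (!row[name]) throw new Error('oiRow' + n + ': ' + name + ' is mandatory');
    }
    if (!/^-?\d+$/.test(row.AMOUNT)) throw new Error('oiRow' + n + ': bad AMOUNT');
    if (!VALID_VAT.includes(row.VATPERCENT)) {
      throw new Error('oiRow' + n + ': bad VATPERCENT');
    }
    rows.push(row);
  }
  return rows;
}

// Amount to send: net row amounts plus total VAT, using integer arithmetic.
// Assumption: total VAT is rounded half up to a whole currency unit.
function paywinAmount(rows) {
  let net = 0;       // in 1/100 currency units
  let vatScaled = 0; // sum of AMOUNT * VATPERCENT = VAT in units * 1,000,000
  for (const row of rows) {
    const amount = parseInt(row.AMOUNT, 10);
    net += amount;
    vatScaled += amount * parseInt(row.VATPERCENT, 10);
  }
  const vatUnits = Math.floor((vatScaled + 500000) / 1000000);
  return net + vatUnits * 100;
}

// The order rows from the page's example.
const FIELDS = {
  oiTypes: 'AMOUNT;DESCRIPTION;ITEMID;ITEMPRICE;QUANTITY;DISCOUNT;VATPERCENT',
  oiRow1: '800;T-shirt blue;12211;500;2;200;2500',
  oiRow2: '1800;T-shirt red;12212;1000;2;200;2500',
  oiRow3: '-100;Discount;;;;;0',
  oiRow4: '2500;Shipping fee;;;;;0',
};
```

Computing the amount on the server from the same rows that are sent keeps the signed amount and the displayed order rows from drifting apart.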

Call to accept_url

The call to accept_url is made through the customer's web browser after a successful payment, using HTTP GET or HTTP POST depending on the value of the parameter return_method. The parameters below are an example of what is sent:

| Name | Value | Note |
| --- | --- | --- |
| trans_id | 2457 | |
| merchant_id | 1007 | |
| order_id | WebOrder-2023 | |
| amount | 1000 | |
| currency | SEK | |
| mac | 2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2 | |
| status | 0 | |
| pay_method | visa | Shows the payment method the customer chose (card: visa/mc or bank: handelsbanken/sebprivate/sebbusiness/nordea/swedbank). |
| time | 2012-03-06 09:58:49 | |
| error_message | Approved | |

Card payments parameters:

| Name | Value | Note |
| --- | --- | --- |
| card_no | 422222......2222 | |
| exp_mon | 12 | |
| exp_year | 14 | |
| approval_code | AB1624 | |

Invoice payments parameters:

| Name | Value | Note |
| --- | --- | --- |
| invoice_number | 10006 | The invoice number generated. |
| invoice_name | Kjell Börje Håkan Zerykier | |
| invoice_street1 | Lillavan 7 | |
| invoice_zipcode | 52230 | |
| invoice_city | Tidaholm | |
| invoice_update_delivery_address | NO | If set to YES the address returned is the updated address of the consumer. |

Call to callback_url

The same parameters that are sent to accept_url are also sent to callback_url after a successful payment. This call is sent directly from the payment gateway. The data is in JSON format, for example:
{
    "trans_id": "2457",
    "merchant_id": "1007",
    "order_id": "WebOrder-2023",
    "amount": "1000",
    "currency": "SEK",
    "mac": "2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "card_no": "422222......2222",
    "pay_method": "visa",
    "time": "2012-03-06 09:58:49",
    "approval_code": "AB1624",
    "exp_mon": "12",
    "exp_year": "14",
    "error_message": "Approved"
}
The callback_url is also used for asynchronous reporting of sudden and unexpected changes to the payment state. This happens regularly for some payment types, or when an unusual and unexpected error occurs in the payment processing. The data is in JSON format. For example, an error caused by a sudden cable break somewhere in the payment network may result in the following being sent:
{
    "mac": "2637ace2f7863540bd3eb477e56ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "909",
    "trans_id": "5034523",
    "event": "capture"
}

MAC calculation

Sort all parameters in alphabetic order based on the parameter name. Concatenate all parameter values into a single string. Append the merchant secret key to the string. Calculate SHA256 sum on the string to produce the mac value.

For example, using the following parameters in the POST call:

| Name | Value |
| --- | --- |
| accept_url | https://www.butiken.com/store/show_receipt?order_id=WebOrder-2023 |
| amount | 1000 |
| callback_url | https://payment.butiken.com/notification |
| currency | SEK |
| merchant_id | 1007 |
| order_id | WebOrder-2023 |
| pay_method | PAYWIN |

After copying all parameter values into a string we get the following:

https://www.butiken.com/store/show_receipt?order_id=WebOrder-20231000https://payment.butiken.com/notificationSEK1007WebOrder-2023PAYWIN

Append the merchant's secret key, in this example X85LmHiJ98, to produce the final string:

https://www.butiken.com/store/show_receipt?order_id=WebOrder-20231000https://payment.butiken.com/notificationSEK1007WebOrder-2023PAYWINX85LmHiJ98

Calculate SHA-256-sum on the final string:

0a87b7f2c02f661d9bc982de586346f5dfd6ce0017cf8cdf74067c6518704639

The JavaScript code below can be used to calculate the MAC value. It depends on jQuery, a SHA-256 library that provides Sha256.hash, and the HTML form element included in the example.

<pre>
The following form should be sent to the client

<form action="https://pay.direct2internet.com/pay/test" 
    method="post" id="store-send-params">
 
	<input name="merchant_id" value="your merchant id">
        ... and additional fields..

        .. and include the mac field ..
        <input  id="actMAC" name="mac" value="">

</form>

Secret key (this key should be stored on server and never be sent to client)
<input  id="mac-secret" name="mac-secret" value="a secret key">  

Recalc button
<button onclick="recalcMAC()">Calc Mac</button>
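<script>

// Recalculate the MAC over all named, non-empty form fields except "mac".
function recalcMAC() {
        // Concatenate the values of the [name, value] pairs in order.
        function joinData(data) {
                var out = "";
                for (var i = 0; i < data.length; i++) {
                        out = out + data[i][1];
                }
                return out;
        }

        var allInputsJQ = $("#store-send-params :input");
        var allInputs = [];
        for (var i = 0; i < allInputsJQ.length; i++) {
                var v = allInputsJQ[i];
                if (v.name != "" && v.name != "mac" && v.value != "") {
                        allInputs.push([v.name, v.value]);
                }
        }

        // Sort by parameter name only.
        allInputs.sort(function (a, b) {
                return a[0] < b[0] ? -1 : (a[0] > b[0] ? 1 : 0);
        });
        // Append the secret key and hash the resulting string.
        var nstr = joinData(allInputs) + $("#mac-secret")[0].value;
        var machash = Sha256.hash(nstr);
        $("#actMAC")[0].value = machash;
}

</script>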
</pre>
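
The browser snippet above needs the secret key on the page, which the note in the form warns against. A server-side version in Node.js follows as an added example (not Direct2Internet code); the function names are hypothetical, and it assumes that the mac in a callback is calculated the same way as the request mac, which the page does not spell out.

```javascript
const nodeCrypto = require('crypto');

// Values ordered by parameter name and concatenated; "mac" itself is
// excluded, as in the page's browser snippet.
function macInput(params) {
  return Object.keys(params)
    .filter((name) => name !== 'mac')
    .sort()
    .map((name) => String(params[name]))
    .join('');
}

function computeMac(params, secretKey) {
  return nodeCrypto.createHash('sha256')
    .update(macInput(params) + secretKey, 'utf8')
    .digest('hex');
}

// Compare in constant time so the check does not reveal how many leading
// characters of a submitted MAC were correct.
function verifyMac(params, secretKey) {
  const received = Buffer.from(String(params.mac || '').toLowerCase(), 'utf8');
  const expected = Buffer.from(computeMac(params, secretKey), 'utf8');
  return received.length === expected.length &&
    nodeCrypto.timingSafeEqual(received, expected);
}

// The values are joined without separators, so the MAC does not pin down
// where one field ends and the next begins. After the MAC check, compare
// the fields with the order stored on the server before marking it paid.
function checkCallback(body, secretKey, storedOrder) {
  if (!verifyMac(body, secretKey)) return 'bad-mac';
  const fields = ['order_id', 'amount', 'currency'];
  const same = fields.every((f) => body[f] === storedOrder[f]);
  return same ? 'ok' : 'order-mismatch';
}

// Request parameters and secret key from the page's MAC example.
const SECRET = 'X85LmHiJ98';
const REQUEST = {
  accept_url: 'https://www.butiken.com/store/show_receipt?order_id=WebOrder-2023',
  amount: '1000',
  callback_url: 'https://payment.butiken.com/notification',
  currency: 'SEK',
  merchant_id: '1007',
  order_id: 'WebOrder-2023',
  pay_method: 'PAYWIN',
};
```

The same check applies to the parameters received on accept_url, since those pass through the customer's browser.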

API debit payment

On payments where capture_now is not set on the call to payment window, you can later call for a debit on the payment. (You can also debit payments through the administration interface.)

When calling from an external source you must use HTTP basic access authentication, adding the user name and the password in the HTTP header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/capture

Parameters

| Name | Format | Mandatory | Description |
| --- | --- | --- | --- |
| merchant_id | string | yes | Merchant's unique id. |
| order_id | string | yes | Order ID that was used during the payment that will be debited. |
| trans_id | string | yes | Transaction ID that was returned during the payment. |
| amount | string | yes | Amount to debit, given in 1/100 of the currency unit (100 = 1 kr). |
| mac | string | no | SHA-256 checksum. |

Response
{
    "mac": "2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": ""
}

API void payment

To void a reserved (authorized) amount without using the administration interface, it is also possible to call externally.

When calling from an external source you must use HTTP basic access authentication, adding the user name and the password in the HTTP header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/void

Parameters

| Name | Format | Mandatory | Description |
| --- | --- | --- | --- |
| merchant_id | string | yes | Merchant's unique id. |
| order_id | string | yes | Order ID that was used during the payment that will be voided. |
| trans_id | string | yes | Transaction ID that was returned during the payment. |
| amount | string | yes | Amount to void, given in 1/100 of the currency unit (100 = 1 kr). |
| mac | string | no | SHA-256 checksum. |

Response
{
    "mac": "2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": ""
}

API credit payment

To credit a debited payment without using the administration interface it’s also possible to call externally.

When calling from an external source you must use HTTP basic access authentication, adding the user name and the password in the HTTP header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/credit

Parameters

| Name | Format | Mandatory | Description |
| --- | --- | --- | --- |
| merchant_id | string | yes | Merchant's unique id. |
| order_id | string | yes | Order ID that was used during the payment that will be credited. |
| trans_id | string | yes | Transaction ID that was returned during the payment. |
| amount | string | yes | Amount to credit, given in 1/100 of the currency unit (100 = 1 kr). |
| mac | string | yes | SHA-256 checksum. |

Response
{
    "mac": "2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": ""
}

API recurring payment

To authorize or debit a stored card number, call the address below.

When calling from an external source you must use HTTP basic access authentication, adding the user name and the password in the HTTP header (Authorization field).

Address to call externally

URL: https://{psp-url}/admin/subscription_auth

Parameters

| Name | Format | Mandatory | Description |
| --- | --- | --- | --- |
| merchant_id | string | yes | Merchant's unique id. |
| order_id | string | yes | Unique order id. |
| trans_id | string | yes | subscription_trans_id that was returned during the payment. |
| amount | string | yes | Amount given in 1/100 of the currency unit (100 = 1 kr). |
| currency | string | yes | Default: 'SEK' |
| capture_now | string | yes | 'YES' means the card is automatically debited after successful authorization. Default: 'NO' |
| mac | string | yes | SHA-256 checksum. |

Response
{
    "trans_id": "",
    "mac": "2637ace2f7863540bd3eb477e14ee675b74eb8f38da18b9172f700d215f5afe2",
    "status": "0",
    "error_message": ""
}