This part of documentation has been deprecated. To check the most up to date solutions regarding tokenized card payments, including the "Secure Forms" feature, please visit: card tokenization section.
Transparent payment with a single-use token (first payment):
Transparent payment with a multi-use token (second and next payments):
Note: in case of an inline widget or your own inputs, you should display text provided in the Information Requirements section.
This section provides information on the pop-up widget. It may either use POST method or a callback function to provide output.
Output example:
value:"TOK_1IOPVS7EMKVT4GYvs44XPxAOb8yc", maskedCard:"424242******4242", tokenType:"STANDARD", type:"CARD_TOKEN"
| Parameter name | Description |
|---|---|
| value | one-time token ("TOK_") - expires after first usage |
| maskedCard | masked card number |
| tokenType | fixed value (always STANDARD) |
| type | fixed value (always CARD_TOKEN) |
Widget implementation has 3 steps:
<form action="http://exampledomain.payu.com/processOrder.php" method="post">
<button id="pay-button">Pay now</button>
</form>
2. Include the PayU widget bootstrap JS script. Define all the parameters according to your needs and POS configuration.
Note: the widget can pass the data via POST method or through a callback function provided in success-callback parameter.
Compare the inline widget example below.
<script
src="https://secure.payu.com/front/widget/js/payu-bootstrap.js"
pay-button="#pay-button"
merchant-pos-id="145227"
shop-name="Shop name"
total-amount="9.99"
currency-code="PLN"
customer-language="en"
store-card="true"
customer-email="email@exampledomain.com"
sig="6c9bb18db84165f53b5918380833723bc5fbb95ec5a9b73a4cb02dd60c11c64e">
</script>
3. Calculate the SIG parameter necessary to secure communication. Widget parameters and SIG algorithm: Widget parameters.
<script
src="https://secure.payu.com/front/widget/js/payu-bootstrap.js"
merchant-pos-id="145227"
shop-name="Shop name"
total-amount="9.99"
currency-code="PLN"
customer-language="pl"
widget-type="cvv"
cvv-url="https://secure.payu.com/api/v2/token/token.json?refReqId=c4b31c492b0a5aaa9eb12d07578286a0"
cvv-success-callback="cvvSuccess"
sig="e08f617240bac43954bcbb5782a0ce203a23717ba9760be71c9ea8cab127ad12">
</script>
<script type="text/javascript">
function cvvSuccess() {
//display "payment successfully initiated" page
}
</script>
Inline widget is a modification of the pop-up widget. It does not contain the header with shop name and purchase amount and uses some additional parameters.
1. The widget is displayed inline if the page includes the following element:
<div id="payu-widget"></div>
2. Inline widget can either HTTP POST the output or provide it via a callback function. To use the callback instead of
POST, simply add success-callback parameter.
The callback function may look like below (it will allow you to see widget's output
in your browser's console):
<script>
function test($data) {
console.log("callback");
console.log($data);
}
</script>
3. To display the widget, include the PayU widget bootstrap JS script. Define all the parameters according to your needs. Below example will display a white-background widget without PayU branding and "Use" button (instead of "Pay"). To check what it displays simply copy&paste the below script into the body of your page along with div element and callback function provided above.
<script
src="https://secure.payu.com/front/widget/js/payu-bootstrap.js"
merchant-pos-id="145227"
shop-name="TEST"
total-amount="12345"
currency-code="PLN"
customer-language="en"
store-card="true"
payu-brand="false"
success-callback="test"
widget-mode="use"
customer-email="test@test.com"
sig="203ec8c4b9571ce6b4c03058f57264f04d06d00a86da19390d47ba1be4551578">
</script>
4. Calculate the SIG parameter necessary to secure communication. Widget parameters and SIG algorithm: Widget parameters.
Calculate the SIG parameter necessary to secure communication. SIG is calculated in the following way:
Parameters need to be sorted alphabetically:
Then you need to concatenate the values to get a string like below:
EURtest@test.comen145227TEST12345
and add to it the second private key (the example uses a production test POS key value). The final concatenation is:
EURtest@test.comen145227TEST1234513a980d4f851f3d9a1cfc792fb1f5e50
After SHA256 function is performed, we get the sig value:
6dc0247030fa2da54754517586ce02a905e1ff2a21181105174dccec5e291789
| Parameter name | Required | Required for SIG | Description |
|---|---|---|---|
| pay-button | yes | no | CSS selector of the payment button |
| merchant-pos-id | yes | yes | Id of a POS which will be used to create a payment |
| shop-name | yes | yes | Name of a shop displayed to the Payer inside the widget |
| total-amount | yes | yes | Total amount of payment displayed to the Payer |
| currency-code | yes | yes | Payment currency displayed to the Payer, must match the POS currency |
| customer-language | yes | yes | Language in which the widget will be displayed to the Payer. If the language parameter is missing or is incorrect, the default one - obtained from the Payer's browser configuration - will be used. Available parameters: bg, cs, de, en, es, fr, hu, it, pl, pt, ro, sk. |
| customer-email | no | yes | Payer's email |
| widget-type | no | no | Optional value used for selecting type of widget. By default, the widget presents a card form. Provide a cvv value if you want to show the CVV widget. |
| store-card | no | yes | Values: true/false (default: "false"). Enables multi-use tokens. Required for storing a token. |
| recurring-payment | no | yes | Values: true/false (default: "false"). Displays a recurring version of the Widget. Requires the storecard parameter set to "true". |
| payu-brand | no | yes | Values: true/false (default: "true"). Displays widget without PayU branding (only for inline widget). |
| widget-mode | no | yes | Values: pay/use (default: "pay"). Configures widget buttons. "Pay" mode assumes payment to happen immediately after the widget is used. "Use" mode allows to capture card data without immediate payment. |
| success-callback | no | no | Name of the callback function which will handle widget's output. |
| sig | yes | no | Value of a signature providing secure communication. |
| Parameter name | Required | Required for SIG | Description |
|---|---|---|---|
| merchant-pos-id | yes | yes | Id of a POS which will be used to create a payment. |
| shop-name | yes | yes | Name of a shop displayed to the Payer inside the widget. |
| total-amount | yes | yes | Total amount of payment displayed to the Payer |
| currency-code | yes | yes | Payment currency displayed to the Payer, must match the POS currency. |
| customer-language | yes | yes | Language in which the widget will be displayed to the Payer. If the language parameter is missing or is incorrect, the default one - obtained from the Payer's browser configuration - will be used. |
| widget-type | yes | no | Optional value used for selecting type of widget. By default, the widget presents a card form. Provide a cvv value if you want to show the CVV widget. |
| cvv-url | yes | yes | CVV URL taken from redirectUri from OrderCreateResponse (when statusCode == WARNING_CONTINUE_CVV) or the query string parameter (refReqId=...) taken from continueUrl after a successful response from the bank (when 3DS was required). |
| cvv-success-callback | no | no | Callback function executed on successful authorization after the Payer has provided a CVV. |
| sig | yes | no | Value of a signature providing secure communication. |
If you have enabled payments via credit cards, you are obliged to be PCI DSS compliant.
You should annually complete a Self-Assessment Questionnaire (SAQ) and conduct on a quarterly basis network scan by an Approved Scan Vendor (ASV).
Additionally if you process over 6 million card transactions annually you should complete Report on Compliance (ROC) by Qualified Security Assessor (QSA).
You can find more information at Security Standards Council.
<script src="https://secure.payu.com/res/v2/openpayu-2.1.js"></script>
<script src="https://secure.payu.com/res/v2/plugin-token-2.1.js"></script>
Create the credit card payment form in a way that the scripts are able to retrieve the correct information. To achieve the desired result, add "input" elements to your page with "class" attributes named as in the example below.
Note: it is unnecessary to embed the "input" elements in a "form" element as the card data should not be sent to your server.
In case you want to send the data and fell under the full scope of PCI DSS compliance, please check Card on file section.
<table>
<tr>
<td>card number</td>
<td><input type="text" class="payu-card-number"></td>
</tr>
<tr>
<td>card cvv</td>
<td><input type="text" class="payu-card-cvv"></td>
</tr>
<tr>
<td>exp month</td>
<td><input type="text" class="payu-card-expm"></td>
</tr>
<tr>
<td>exp year</td>
<td><input type="text" class="payu-card-expy"></td>
</tr>
<tr>
<td>PayU terms of condition and acceptance to save credit card</td>
<td><input type="checkbox" value="false" class="payu-agreement"></td>
</tr>
<input type="hidden" class="payu-customer-email" value="...@...">
<tr>
<td><input type="submit" id="payu-cc-form-submit"></td>
</tr>
</table>
The scripts searches the page for the following class names:
| Class name | Required | Description |
|---|---|---|
| payu-card-cardholder | optional | cardholder name |
| payu-card-number | yes | card number (PAN) |
| payu-card-cvv | yes | CVV2/CVC2 code of the card |
| payu-card-expm | yes | card expiration month |
| payu-card-expy | yes | card expiration year |
| payu-agreement | yes | value true/false. Means that the cardholder agreed to save credit card and accepted PayU Account Terms and Conditions. If the value is false PayU will not return multi-use token. |
| payu-customer-email | optional | cardholder email address |
(function () {
var button = document.querySelector('#payu-cc-form-submit');
button.addEventListener('click', function (event) {
OpenPayU.merchantId = 'your POS ID';
var result = OpenPayU.Token.create({}, function (data) {
// handle tokenization response, see status code table below
});
if (result !== true) {
// tokenization request has not been submitted,
// check "result" object for validation errors
}
}, false);
})();
true and the below objects are passed to callback function.
The token property should be passed to your back-end and included in the OrderCreateRequest
(see Charging tokens section).
{
data: {
mask: "444433******1111",
token: "TOK_1JKQSX1FMNTU831B8a6z4LDHbzsv",
type: "STANDARD"
},
status: {
statusCode: "SUCCESS",
codeLiteral: "SUCCESS",
code: "0"
}
}
{
card.expirationDate: "formatInvalid",
card.expirationMonth: "formatInvalid",
card.expirationYear: "formatInvalid",
card.number: "unsupportedType"
}
Status codes returned in response to tokenization request are outlined below:
| Code | Status code | Code literal | Description |
|---|---|---|---|
| 0 | SUCCESS | SUCCESS | Successful tokenization, "data" object returned. |
| 100 | ERROR_INTERNAL | GENERAL_ERROR | Other error. |
| 101 | ERROR_UNKNOWN_MERCHANT_POS | UNKNOWN_MERCHANT | Incorrect POS ID. |
| 4003 | ERROR_VALUE_INVALID | CARD_INVALID_CVV | CVV length is incorrect (only 3 or 4 digits allowed). |
| 4100 | SERVICE_NOT_AVAILABLE | CARD_TOKENIZATION_DISABLED | Tokenization is not enabled for your POS ID. |
| 4101 | SERVICE_NOT_AVAILABLE | CARD_MERCHANT_INACTIVE | Card payments not enabled for your POS ID. |
A device fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can fully or partially identify devices or individual users
Fingerprint value is generated by static function Fingerprint2.get, which replaced new Fingerprint2().get. Beacuse of this the result will not be hashed anymore.
Needed libiraries can be found Here.
var options = {}
Fingerprint2.get(options, function (components) {
// components is array of {key: 'foo', value: 'component value'}
...
})
// or
Fingerprint2.getPromise(options).then(function (components) {
// components is array of {key: 'foo', value: 'component value'}
...
})
Fingerprint2.get(options, function (components) {
var values = components.map(function (component) { return component.value })
var murmur = Fingerprint2.x64hash128(values.join(''), 31)
})
The hash value should be passed to PayU in OrderCreateRequest body, see example below.
Your front-end should be also able to handle CVV2-only submission.
<input type="text" class="payu-card-cvv">
CVV2 may need to be collected in case it is needed to authenticate payment with a previously tokenized card.
There are 2 cases to handle:
continueUrl provided in OrderCreateRequest. Query string
example:
https://your.shop.com/payment?statusCode=WARNING_CONTINUE_CVV&refReqId=b20399775cbf48a00469280499bdd912Script example to handle this scenario (the below code should be triggered after the payer clicked a button to submit the CVV2):
var url = "refReqId=" + 'refReqId value from query string';
var options = {url: url};
OpenPayU.authorizeCVV(options, function(data) {
if (data.status === 'SUCCESS') {
// CVV2 submitted correctly, hide input field
} else {
// handle error (see table above)
}
});
var options = {url: 'redirectUri value from OrderCreateResponse'};
OpenPayU.authorizeCVV(options, function(data) {
if (data.status === 'SUCCESS') {
// CVV2 submitted correctly, hide input field
} else {
// handle error (see table above)
}
});
Multi-use token (TOKC_) is created after first use of single-use token (TOK_).
OrderCreateRequest should be extended by buyer and
payMethod sections where single-use token (TOK_) is used as a
value parameter. Order involving REST API is described in:
Creating a new order.
cardOnFile parameter, which informs about party
initializing payment:
Detailed descriptions of cardOnFile parameter values can be
found in JSON properties section.
Setting this parameter in the correct
way can increase conversion for payment cards.
curl -v -X POST https://secure.payu.com/api/v2_1/orders \
-H "Content-Type: application/json" \
-H "Authorization: Bearer 3e5cac39-7e38-4139-8fd6-30adc06a61bd" \
-d '{
"notifyUrl":"https://your.eshop.com/notify",
"customerIp":"127.0.0.1",
"merchantPosId":"145227",
"description":"Laptop",
"currencyCode":"PLN",
"totalAmount":"15000",
"extOrderId":"[generateExtOrderId]",
"products":[
{
"name": "Laptop",
"unitPrice":"15000",
"quantity": "1"
}
],
"buyer": {
"email": "john.doe@example.com",
"firstName": "John",
"lastName": "Doe",
"language": "en"
},
"payMethods": {
"payMethod": {
"value": "TOK_1IHRPT6HKSSS3H62K0GS8pElP862",
"type": "CARD_TOKEN"
}
},
"deviceFingerprint": "[generateFingerPrint2]"
}'
Authentication methods are described in: Signing API calls parameters.
Warning! POS used in the example does not have tokenization switched on.
{
"orderId": "ORDER_ID",
"payMethods": {
"payMethod": {
"card": {
"number": "424242******4242",
"expirationMonth": "12",
"expirationYear": "2017"
},
"type": "CARD_TOKEN",
"value": "TOKC_KPNZVSLJUNR4DHF5NPVKDPJGMX7"
}
},
"status": {
"statusCode": "SUCCESS",
"statusDesc": "Request successful"
}
}
This response means that there is no need for additional payer authentication (3D Secure or passing CVV2 code).
PayU informs Shop about the payment by submitting a notification to the address
provided in the orders notifyUrl parameter. To learn more about
notifications, please read Notifications.
curl -v -X POST https://secure.payu.com/api/v2_1/orders \
-H "Content-Type: application/json" \
-H "Authorization: Bearer 3e5cac39-7e38-4139-8fd6-30adc06a61bd" \
-d '{
"notifyUrl":"https://your.eshop.com/notify",
"customerIp":"127.0.0.1",
"merchantPosId":"145227",
"description":"Laptop",
"currencyCode":"PLN",
"totalAmount":"15000",
"cardOnFile": "STANDARD_MERCHANT",
"extOrderId":"9xl0x8nr1wk7m0i3ltqbja",
"products":[
{
"name": "Laptop",
"unitPrice":"15000",
"quantity": "1"
}
],
"buyer": {
"email": "john.doe@example.com",
"firstName": "John",
"lastName": "Doe",
"language": "en"
},
"payMethods": {
"payMethod": {
"value": "TOKC_2IHRST6HKSST3H62K2GS8pElI862",
"type": "CARD_TOKEN"
}
},
"deviceFingerprint": "0372098a4a90927db053463454491d78"
}'
In case of WARNING_CONTINUE_3DS response, payer should be redirected to card
issuer page (redirectUri parameter) for additional payment
authentication in 3D Secure process.
{
"status": {
"statusCode": "WARNING_CONTINUE_3DS",
"severity": "WARNING"
},
"redirectUri": "{redirectUri}",
"threeDsProtocolVersion": "3DS2",
"orderId": "ORDER_ID"
}
{
"status": {
"statusCode": "WARNING_CONTINUE_3DS",
"severity": "WARNING"
},
"redirectUri": "{redirectUri}",
"threeDsProtocolVersion": "3DS2",
"orderId": "ORDER_ID",
"payMethods": {
"payMethod": {
"card": {
"number": "401200******1112",
"expirationMonth": 12,
"expirationYear": 2020
},
"type": "CARD_TOKEN",
"value": "TOKC_H1ZOE5YXLJPKMUUSDSJRARON0WH"
}
}
}
continueUrl in
OrderCreateRequest. Additionally address in query string is extended
by two parameters:
statusCode - values SUCCESS or WARNING_CONTINUE_CVV;refReqId - random alfanumeric string of characters.https://your.shop.com/payment?statusCode=SUCCESS&refReqId=5c867936fbb3cc2c373820b4550b4645
When the statusCode parameter adopts SUCCES value it means that
order has been accepted without need for another authentication of the payer and you
can wait for order status.
On the other hand whenstatusCode parameter adopts
WARNING_CONTINUE_CVV value, then refReqId parameter should be
taken:
refReqId=5c867936fbb3cc2c373820b4550b4645
{
"orderId": "ORDER_ID",
"status": {
"statusCode": "WARNING_CONTINUE_CVV",
"severity": "WARNING"
},
"redirectUri": "{redirectUri}"
}
Sample value of redirectUri parameter:
https://secure.payu.com/api/v2/token/token.json?refReqId=11ed628ebe88ef6837d90ebb26f1a8b9
Order status will be sent after CVV2/CVC2 code has been provided by the payer.
Payment methods available for a given user should not be stored locally on merchant's server, but rather retrieved from PayU system for each payment. Retrieved are both the stored (tokenized) payments methods and generic payment methods. Using the retrieve service gives the following benefits:
- only payment methods available at the moment for the user are provided,
- payment methods stored for the user are always up to date and synchronized with user's active PayU Account.
In order to retrieve the payment methods, you need first to obtain OAuth access token.
To obtain OAuth access token, use the POST method to send request to endpoint
/pl/standard/user/oauth/authorize.
Sample request:
curl -X POST https://secure.payu.com/pl/standard/user/oauth/authorize \
-H "Cache-Control: no-cache"
-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=trusted_merchant&client_id=[provided by PayU]&client_secret=[provided by PayU]&email=[users email]&ext_customer_id=[Id of the customer used in merchant system]'
ext_customer_id is unique customer identifier given by merchant, it
is necessary in order to correctly generate the OAuth token.
{
"access_token": "4099c2c3-276f-488a-90e2-32620ac441dc",
"token_type": "bearer",
"expires_in": 43199,
"grant_type": "trusted_merchant"
}
Insert the access token into header and use the GET method to send request to endpoint
api/v2_1/paymethods .
curl -X GET https://secure.payu.com/api/v2_1/paymethods \
-H "Authorization: Bearer 87ad751f-7ea5-4023-a16f-04b6647a07f5"
-H "Cache-Control: no-cache"
Sample postive response (HTTP 200). Description of fields are below the sample:
{
"cardTokens":[
{
"cardExpirationYear":"2017",
"cardExpirationMonth":"12",
"cardNumberMasked":"411111******1111",
"cardBrand":"VISA",
"value":"TOKC_XATB7DF8ACXYTVQIPLWTVPFRKQE",
"brandImageUrl":"http://static.payu.com/images/mobile/visa.png",
"preferred":true,
"status":"ACTIVE"
},
{
"cardExpirationYear":"2014",
"cardExpirationMonth":"12",
"cardNumberMasked":"424242******4242",
"cardBrand":"VISA",
"value":"TOKC_XATB7DF8ACXYTVQIPLWTVPFRKQE",
"brandImageUrl":"http://static.payu.com/images/mobile/visa.png",
"preferred":false,
"status":"EXPIRED"
}
],
"pexTokens":[
{
"accountNumber":"5311...7744",
"payType":"mtex",
"value":"TOKE_XPJ4UKJGHVRPMQPGB6X1JJQCUSS",
"name":"account name set by the user",
"brandImageUrl":"http://static.payu.com/images/mobile/logos/pex_mbank.png",
"preferred":false,
"status":"ACTIVE"
}
],
"payByLinks":[
{
"value":"c",
"name":"Płatność online kartą płatniczą",
"brandImageUrl":"http://static.payu.com/images/mobile/logos/pbl_c.png",
"status":"ENABLED",
"minAmount": 50,
"maxAmount": 100000
},
{
"value":"o",
"name":"Pekao24Przelew",
"brandImageUrl":"http://static.payu.com/images/mobile/logos/pbl_o.png",
"status":"DISABLED",
"minAmount": 50,
"maxAmount": 100000
},
{
"value":"ab",
"name":"Płacę z Alior Bankiem",
"brandImageUrl":"http://static.payu.com/images/mobile/logos/pbl_ab.png",
"status":"TEMPORARY_DISABLED",
"minAmount": 50,
"maxAmount": 100000
}
]
}
| Parameter | Description |
|---|---|
| cardExpirationYear | YYYY |
| cardExpirationMonth | MM |
| cardNumberMasked | First 6 and last 4 digits of the PAN (card number). |
| cardBrand | Possible values: 'VISA', 'MASTERCARD', 'MAESTRO'. Other card types are not supported, moreover 'MAESTRO' is not supported in recurring payments. VISA describes various Visa card brands, incl. Visa Electron. MASTERCARD also includes MasterCard Debit. |
| value | Card token value. |
| brandImageUrl | Link to card brand graphic on PayU server. |
| preferred | true/false; it is set to 'true' for a cardToken or bankToken used most recently by the user. |
| status | Possible values: 'ACTIVE' and 'EXPIRED'.
'EXPIRED' tokens may be skipped or presented to the user with a prompt to update or add a new card. If a token has been closed by the user or blocked for security reasons by PayU, it will not be provided in retrieve response. |
pexTokens relate to bank accounts tokenized through PayU|Express service.
| Parameter | Description |
|---|---|
| accountNumber | First and last 4 digits of the bank account in the IBAN format. |
| payType | Represents payType of the token. |
| name | Name of the bank account set by the user. |
| value | Bank token value. |
| brandImageUrl | Link to bank logo graphic on PayU server. |
| preferred | true/false; it is set to 'true' for a cardToken or bankToken used most recently by the user. |
| status | Possible value: 'ACTIVE'.
If a token has been closed by the user or blocked for security reasons by PayU, it will not be provided in retrieve response. If payType of the token is not configured on merchant's POS, the token will not be provided. |
| Parameter | Description |
|---|---|
| value | payType value. Available values are here. |
| name | Name of payType set by PayU |
| brandImageUrl | Link to payType logo graphic on PayU server. |
| status | Possible values: 'ENABLED', 'DISABLED', 'TEMPORARY_DISABLED'. |
In case the buyer terminates the user account in your shop or chooses to remove the stored card from the user account, you need to delete the token.
In order to do it, simply send a DELETE message to https://secure.payu.com/api/v2_1/tokens/{tokenValue}
The header should contain a trusted.merchant OAuth token.
For example:
curl -X DELETE https://secure.payu.com/api/v2_1/tokens/TOKC_XATB7DF8ACXYTVQIPLWTVPFRKQE \
-H "Authorization: Bearer cccbbc40-8113-443b-b4ea-c4b266272b22"
-H "Cache-Control: no-cache"
Warning! This integration type is available only for POSes meeting PCI DSS requirements and requires additional configuration. Therefore, please contact your sales representative in PayU before the integration.
Standard OrderCreateRequest should be extended by
payMethods.payMethod section containing plain card data
and cardOnFile parameter:
Detailed descriptions of cardOnFile parameter values can be
found in JSON properties section.
Only in case of one-time card payment this cardOnFile parameter can
be skipped.
Setting this parameter in the correct way can increase conversion for payment cards and can guarantee transaction security.
"payMethods": {
"payMethod": {
"card": {
"number":"5100052384536818",
"expirationMonth":"11",
"expirationYear":"2020",
"cvv":"123"
}
}
},
"payMethods": {
"payMethod": {
"card": {
"number":"5100052384536818",
"expirationMonth":"11",
"expirationYear":"2020",
"cvv":"123",
"firstTransactionId": "MCC0111LL1121"
}
}
},
Also for plain card data payments you should be prepared for handling responses with: WARNING_CONTINUE_3DS or WARNING_CONTINUE_CVV.
In case of already existing integration with provider of 3D Secure service (later
called 3DS) you can pass parameters that have been returned from 3DS handling process
in
OrderCreateRequest. Standard
OrderCreateRequest should be extended by
payMethods.threeDsData section containing result data from 3DS process.
WARNING_CONTINUE_3DS will never be returned if the result of 3DS handling process will be delivered with Order.
"payMethods": {
"payMethod": {
...
},
"threeDsData": {
"status3Ds": "Y",
"status3DsDescription": "Authentication successful",
"dsTransactionId": "3b31b19d-1c06-4ea4-a85a-00af10c66588",
"eciCode": 5,
"cavv": "AAABBBEAUAAAABgICABQAAAAAAA="
}
}
}
"payMethods": {
"payMethod": {
...
},
"threeDsData": {
"status3Ds": "A",
"status3DsDescription": "Authentication attempt",
"dsTransactionId": "3b31b19d-1c06-4ea4-a85a-00af10c66588",
"eciCode": 6,
"cavv": "BwABCJQnYgAAACdENCdiAAAAAAA="
}
}
}
| Parameter | Description |
|---|---|
| status3Ds | 3DS status. Following values are allowed to be used:
|
| status3DsDescription |
Description related to 3DS result.
Optional field. However passing additional description with the MPI will allow better potential customer support from BOK. |
| xid | XID - unique identifier of 3DS transaction given by the
shop. Field required within 3DS version 1 section. This field should not be sent when attempting 3DS2.x authentication. |
| dsTransactionId | Field required within 3DS2.x section. This field should not be sent when attempting 3DS version 1 authentication. |
| eciCode | E-commerce Indicator / UCAF. Permitted values:
|
| cavv |
3DS cryptogram.
Optional field.It should be passed always if the MPI provided this information. |
Below you can find a handy reference of all PayU|Express flow types.
redirectUri provided in the response.continueUrl.notifyUrl.notifyUrl.redirectUri provided in the response.continueUrl.notifyUrl.notifyUrl.