GPN DATA MERCHANT API
INTEGRATION GUIDE

API INTEGRATION GUIDE (v 1.12.0)

API Commands are send from merchant’s system to the Gateway with HTTP protocol. Request need to be sent to URL provided by GPN Data. Data is transmitted as POST parameter strrequest, which contain XML string with the API Command required details.

Overview

The GPN DATA Payment Page is the method by which GPN DATA conducts secure CNP (Card Not Present) transactions when the Merchant either chooses not to provide the Payment Page or the Merchant site does not meet PCI requirements. The target audience of this document is the Programmer or IT Professional who will be integrating the GPN DATA Payment Page into the Merchant’s web site.

GPN DATA strictly adheres to the standards set forth by PCI-DSS (Payment Card Industry – Data Security Standard). The intent of the Payment Page is to remove the possibility of the Merchant acquiring CHD (Card Holder Data). Any attempts to circumvent this protection and attempt to acquire CHD (Card Holder Data) are a violation of PCI-DSS standards. To obtain the latest information regarding PCI-DSS please consult:

https://www.pcisecuritystandards.org/security_standards/documents.curl

All information contained in this document is the intellectual property of GPN DATA Europe Ltd. and is protected by International Copyrights.

All references in this document to “gateway” or Gateway” directly refer to GPN DATA Europe unless otherwise specified.

All information in this document is subject to Non Disclosure Agreements signed by the principal officer of the Merchant.

Terminology Used

Gateway - The web server, database server and programs associated with Credit Card processing

Transaction - Any exchange of date between the Gateway and the Merchant.

CHD - Card Holder Data as described by PCI (the Payment Card Industry and CHD are addressed in more detail in the Security section of this document).

Charge - A Charge transaction performs an Authorize transaction and immediately follows with an automatic Capture transaction

Chargeback - Chargebacks are created when the Cardholder informs the Issuing Bank that there is a problem with the goods or services received or not received from the merchant.

3DS - 3DS is a generic name for programs from several of the card companies. The formal names are: Verified by Visa, Secure Code by Mastercard and JSecure from JCB. Transactions processed under 3DS involve the Cardholder being redirected to the Issuing Bank for transaction Authorization. Transactions processed as 3DS provide some levels of protection for the Merchant against Chargebacks resulting from fraudulent charges.

Testing

For each Merchant account, the Merchant will be issued login credentials and URL for the Merchant Back Office on a TEST server. All necessary API documentation and connection information will be located there. The TEST server has the following features to assist in integration:

1. Initially, the Acquiring Bank will be an internal “test bank“ and no actual charges will be placed on any card used for testing.
2. CVV values of 000 to 799 will result in the transaction returning as following:
   • 001 to 249 – emulate non-enrolled card, transaction approved;
   • 250 to 499 – emulate enrolled card (with 3D Secure redirection), Transaction approved after successful ACS authentication;
   • 500 – emulate transaction error
   • 501 to 749 – emulate non-enrolled card, transaction declined;
   • 750 to 799 – emulate enrolled card (with 3D Secure redirection), Transaction declined even after successful ACS authentication.
   • There is no limit to the number of transactions or the access time for testing.
   • Avoid isuing Customer names like Test Test or John Dohn, You may use any valid card number (except 4111111111111111). If you need test card numbers, please search the web for “get credit card numbers”.
   • No transaction fees will be assesed to the Merchant during testing
   • Once testing is completed with the “test bank“, the Merchant account will be connected to the Acquirer assigned by Sales as indicated by the Merchant Agreement and all further testing will involve actual processing by the Acquirer and all transactions will be treated as actual charges to the card.
   • Once all testing is completed and Sales has issued instructions, new Merchant Back Office login credentials and URL will be issued, along with a new URL for transmitting API Transactions. The Merchant Account on the TEST server will remain active after the Live Account is operational.

Security

There are several overriding concerns with regard to security: CHD (Card Holder Data), Transaction Verification and Intrusion Prevention to mention just a few.

GPN DATA does not record or save sensitive CHD. Even the transaction logs are “sanitized” before being written to disk to mask the PAN (Primary Account Number) and the CVV. All GPN DATA procedures with regard to CHD are in adherence to PCI-DSS specifications as mentioned in the Overview section.

All Transactions between merchants and GPN DATA include a checksum. The checksum is created using a Secure Hash Algorithm. The Payment Page uses SHA-1 algorithm and an API key assigned to every merchant by GPN DATA. This API key is never included in the actual transaction, but is used in calculating the checksum. You will find the API key on the “Technical Integration” menu in the Merchant Back Office.

All transactions will contain a checksum; the checksum is calculated by concatenating data from specific fields in the transaction (the appropriate fields are indicated in the API Transaction Tables listed below), the secret API key is then appended to the end of the string and the checksum is calculated using SHA-1 algorithm. Before accepting the transaction request, each side must perform this procedure and compare checksums in order to validate the transaction.

GPN DATA MERCHANT API

API Commands are send from merchant’s system to the Gateway with HTTP protocol. Request need to be sent to URL provided by GPN Data. Data is transmitted as POST parameter strrequest , which contain XML string with the API Command required details.

700 – Start Credit Card charge (3DS Enabled)

Description: Allows the merchant to submit a charge to the cardholder’s Credit Card and includes 3DS capability when 3DS is specified in the Merchant Agreement. (See Appendix for “3DS Explanation”).

700 Request Data description:

700 – Response

The response to a 700-Start Credit card Charge Transaction is:
• The completion of the transaction if the Merchant Agreement does NOT require 3DS.
• The completion of the transaction if the Merchant Agreement DOES require 3DS and the Issuing Bank is NOT a 3DS participant.
• The end of the first step for a 3DS transaction if the Issuing Bank IS a 3DS participant. The merchant must continue with the 705 command to complete the transaction IF the merchant receives a response from the redirect screen (see Appendix “3DS Explanation” for more information).

Response Data description:

701 – Request Capture Authorization

Description: Allows the merchant to submit a request to capture an authorized only transaction previously submitted and approved using the 700 command.

701 Request Data description:

701 Response Data description

702 – Request Cancel Authorization

Description: Allows the merchant to submit a request to cancel an authorized only transaction previously submitted and approved using the 700 command.

702 Request Data description:

702 Response Data description

705 – 3DS Transaction Continuation

Description: This applies only when Merchant Agreement is for 3DS and is a “followup” transaction to the 700 command when the results of the cardholder authentication have been returned by the Issuing Bank’s ACS.

705 Request Data description:

705 Response Data description

709 – Check transaction status

Description: Returns current transaction state. Optionally sends Notification 850.

709 Request Data description:

709 Response Data description

708 – Check transaction details

Description: Returns current transaction details including rebill child transactions.

708 Request Data description:

708 Response Data description

720 – Credit Request

Description: Allows the merchant to submit a request for credit to the cardholder’s Credit Card.

720 Credit Request Data description

720 – Response

Response Data description:

755 – Update Rebill Instructions

Description: Allows the merchant to stop, restart, or change the amount for an existing rebilling transaction (submitted using the 700 transaction).

755 Request Data description:

755 Response Data description

756 – Manual Rebill Request

Description: Allows the merchant to manually request the execution of the Rebill and follow-up transaction when authorized by Merchant Agreement and indicated in the Merchant Profile. (Submitted using the 700 transaction)
Note: All Manual Rebill Requests must occur within the timeframe(s) indicated in the rebillwindows->window tags returned in the 700 Response or an error will be returned.

756 Manual Rebill Request data description

756 Manual Rebill Request Response

756 Manual Rebill Request Response data description

760 – Request Refund

Description: Allows the merchant to submit a refund request.

760 Request Data description

760 Response Data description

Notifications

As an additional way of informing your system about command results or changes of the transaction state, our system sends notifications to the merchant’s system. After each transaction is completed, an Asynchronous Notification message will be sent from the Gateway Transaction Server to the Merchant Transaction Server at the URL provided by the Merchant. While charge transactions can be processed without the Notification, it is highly recommended to add the necessary program logic for handling the Notifications as additional information about the transaction is contained therein. Some API commands, such as Refunds, cannot be transmitted without the additional data contained in the Notifications.

Additionally notification will inform about changes to transaction, for example when Chargeback, TC-40 Fraud, Alert was issued or when transaction was refunded from MBO or by GPN Data staff.

Notifications are sent with HTTP protocol to URL provided by merchant. Data is transmitted as POST parameter strdata, which contain XML structure.

850 – Transaction state Notification

Description: Notifies the merchant about the result of a submitted charge as well as most other commands except for Credits (720), Refunds (760), Rebills (756) and received chargebacks, frauds, alerts and other disputes.

850 Notification Data description

860 – Refund Notification.

Description: Notifies the merchant about the result of a submitted refund.

860 Notification Data description

870 – Rebill Notification.

Description: Notifies the merchant about the result of a submitted Rebill transaction.

870 Notification Data description

880 – Dispute Notification.

Description: Notifies the merchant about disputes to transaction.

880 Notification Data description

Transaction Status Codes

ERROR

3D Secure Explanation

3DS is a fraud prevention system that has different names depending on the Card Issuer (Verified by Visa, Mastercard SecureCode, etc.) but it functions the same way. During a CNP (Card Not Present) e-Commerce transaction, the CH (Card Holder) will be redirected to a page hosted by the Issuing Bank for his Card and there he will input identification information as required by his bank to verify that he is indeed the CH. The information may be as simple as a PIN or may ask other questions known only to the CH and the Issuing Bank. No one else is involved, not the Merchant, the Gateway or the Acquiring Bank. The process works as follows:

1. Once the CH has completed the payment form and has entered the card data (PAN, CVV, etc.) the CH selects 'Submit' (or pay now or whatever is used on the Merchant site to submit the payment)
2. The merchant transmits the payment transaction to the Gateway
3. The Gateway submits the PAN to an MPI (an authorized participant in the 3DS system) who then checks to see if the Issuing Bank is a participant in the associated 3DS program and if so, obtains the ACS (Access Control Server) Url.
   • If the Issuing Bank is NOT a participant in 3DS, the transactin will be dealt with in the manner proscribed by the Gateway for non-3DS transactions
   • If the Issuing Bank IS a participant in 3DS, the following steps will continue.
4. The Gateway sends to the Merchant the PaReq, MD and the ACS URL which will be used by the Merchant to provide a redirect for the CH to the Secure web page provided by the Issuing Bank for 3DS validation.
5. The Merchant constructs a redirection form which sends the PaReq, MD and TermUrl via POST fields to the ACS URL (the ACS URL is the form's "action" attribute), and presents it to the user's browser.
6. The Cardholder follows the redirection form to the ACS website and performs the authentication procedure.
7. There are four possible outcomes to this part of the process:
   • The CH is properly validated and the ACS returns to the TermUrl provided in the redirect the proper 3DS authorization for this transaction only (any subsequent transactions must repeat this process). The authorization consists of several POST variables which are meant to be forwarded to the Gateway in an API call (ACSRes node in 705).
   • The CH takes too long to decide and the page times out – Transaction ends in Error
   • The CH fails validation – Transaction ends in Decline (with possible fraud notation)
   • The CH's card is not enrolled in his banks program and declines to enroll at this time – Transaction ends in Decline
8. Assuming a successful validation, the process continues and the transaction is submitted to the Acquiring Bank along with the data (ACSRes) returned by the ACS for normal processing. The outcome of the transaction is still based upon normal criteria such as sufficient funds available, etc.

With 3DS, the Issuing Bank is hard pressed to accept a declaration of fraud from the CH if a chargeback is attempted. Non-fraud reasons are still acceptable (did not receive promised goods or services, etc.)

Note:

Display the 3D authentication inline - do not use popups or separate windows for the authentication because popups/separate windows may be blocked by the shopper’s browser settings. Also it is forbidden by Visa and MasterCard rules. Even when the window is not blocked (e.g. by using target="_blank") it is still confusing for the shopper to face multiple windows. 3D Secure Best Practices strongly encourage you to use the inline approach - for U.S. merchants this is even a „must have“-requirement. After this redirect, the merchant has no longer any control over the client browser and therefore awaits the asynchronous response message from the payment server about the final result of the payment transaction.

What is 3DS?

Verified by Visa, SecureCode by MasterCard and similar programs from JCB (J/Secure, American Express and other card companies are programs introduced to fight fraudulent use of cards (collectively referred to as “3DS”). These programs also alleviate some of the pain to the merchant caused by fraudulent activity.

Why should I use 3DS?

In the e-Commerce community, fraudulent use of credit cards can be a painful and expensive experience. The protection of Chargeback is designed to protect the cardholder from fraudulent activity, but the burden is simply shifted to the e-Commerce merchant. The situation is further compounded by fraudulent use of the Chargeback protection afforded to the cardholder by unscrupulous cardholders. Since the burden of proof on a Chargeback is placed upon the merchant, many cardholders (especially in the USA) have learned that they can use the Chargeback to get relief for “buyer’s remorse” when the normal refund policy of the merchant does not allow them to escape the responsibilities of their purchasing decisions. Simply by claiming that they were not the person who authorized the charge, the cardholder requests a Chargeback by claiming “fraud” further compounding the problems for the merchant.

While Chargebacks, in general, are problems for the e-Commerce merchant, the frequent use of certain categories of Chargebacks described as “fraudulent” (the chargeback codes are different for different card companies) can result in cancellation of the MID. Enrollment and use of the 3DS programs offered by the card companies can offer some protection for the merchant from possible loss of their MID due to excessive Chargeback claims of this nature. (Visa Reason codes 75, 83)

How does 3DS work?

During a financial transaction, after the cardholder has input his card details for the charge and hit the Submit or Pay button, the cardholder is redirected to a verification web page provided by the Bank that issued his card. The process of verification is unique for each bank and is known only to the cardholder and the bank. The process of charging the card is then resumed as normal, but the transaction is noted to be a 3DS transaction. Standard reasons for Chargebacks (“Did not receive product or service”, “Terms of sale were not met”, etc.) are unaffected. However, claims that are fraud based (“I did not authorize that transaction”) are rejected. The actual list of 3DS protected Chargeback codes is unique to each card company and provided upon enrollment.

Not all Issuing Banks participate in 3DS so what happens then?

If the merchant is enrolled in a 3DS program all transactions submitted as 3DS receive the same protection, even if the Issuing Bank is not a 3DS participant or the cardholder has not enrolled his card. The process works like this: at the beginning of the transaction, it is submitted to a server to see if the Issuing Bank is a 3DS participant. If yes, then the normal 3DS process is continued. If no, then the card is processed normally, however, the transaction is “marked” as a 3DS transaction, thus incurring the protections proscribed by the card companies.

What is the downside of 3DS?

All good things have a price. During a 3DS transaction with a card from a participating bank, the cardholder may perceive being redirected to another website as a “scam” and simply close the browser. There are two causes for this problem:

1. The most frequently occurring is that the screen given to the cardholder by the merchant before he is redirected does not contain an explanation or the 3DS logos from the card companies (“Verified by Visa”, “Secure Card by MasterCard”) . This is easily corrected by the merchant presenting an “assuring” redirect screen to the cardholder.
2. Some banks contract out their 3DS authorization process and the Verification screen where they have been redirected does not contain the URL for their bank. This is infrequent, but does happen.

Rebill Explanation

As noted before, a Rebill transaction (also known as Recurring Charge) occurs when the cardholder and merchant agree to purchase goods or services on an ongoing basis over a period of time. Recurring transactions are multiple transactions processed at predetermined intervals, not to exceed one year between transactions. Examples of recurring transactions include insurance premiums, subscriptions, Internet service provider fees, membership fees, tuition, or utility charges.

At the time of the original 700 Start Credit Card charge transaction, all Rebill information must be included in order for our Gateway to issue the Rebill charges for the amount and frequency specified. It is not possible to ask for Rebill charges if the original transaction did not include this information. It is possible to request an increase in the amount originally specified for the Rebill, up to 15% of the original transaction. It is NOT possible to change the frequency of the Rebill charges, however, the Rebill may be cancelled and a new Transaction issued with the new frequency. This will require the complete Cardholder data (PAN, CVV, Exp Date, Name on Card)

A Rebill transaction is a “contract” between the Merchant and the Cardholder according to the Terms and Conditions provided to the Cardholder by the Merchant at the time of purchase. The Cardholder is in effect agreeing to the Rebill charges that are stipulated at that time, by providing their Cardholder Data. This is why changes to Amount (greater than previously specified), Frequency and Number of Occurrences are not possible. Only when the Cardholder enters his Cardholder Data, can we show that the Cardholder is aware of the terms of the Rebill charges.

The Command 700 Start Credit Card Charge used to initiate a series of Rebill transactions contains all of the necessary tags for establishing a Rebill series. The Merchant Account Profile will be populated with default data for these tags (derived from the Merchant’s published pricing and Terms and conditions) and any of the tags omitted will be filled with the default data. One exception to this is the “followup” charge and it will be explained in the next paragraph. If “followup is not used, by the merchant, no data will be inserted.

The “followup” feature allows a third amount and billing date to be inserted into the Rebill series and is not counted when calculating the rebill->count. The intent of this feature is best outlined in an example:

Product sell price is $100.00, but is offered with a “Trial Price” of 15.00 and if the customer keeps the product, the balance of the first order is billed at 85.00 on the date specified. Future Rebills begin either on a date specified or if not specified, one period (rebill->frequency) from the original transaction date.

IFrame Integration

Rebill Feature

In order to enable rebill feature a "data-rebill" node with a TRUE value must be added on the button data.

Payment Page Instructions using HTTP Form Post

Revised 2015-10-29

Integration from an eCommerce web page can be accomplished using HTTP Form Post. These instructions are designed to allow you to cut and paste the HTML code into your webpage and simply replace various parameters as indicated.These instructions are intended for the person who is capable of making HTML changes to your website. If you cannot do this, forward these instructions to someone who can and have THEM contact our Technical Support team on your behalf.

• DO NOT ask the Technical team to do the integration for you or to teach you about HTML.
• DO NOT play middleman and relay instructions between the GPN Tech Team and your programmer
• DO NOT ask the GPN Tech Team any questions until you have read this document in its entirety.

Step 1

login to your MBO (Merchant Back Office) using the credentials emailed to you. Navigate to the Merchant::Technical Integration page and obtain your:

• MerchantID
• Transaction Currencies
• Transaction URL
• apiKey

Step 2

For each product or service you offer on your web page, you must add an HTML form using method=”post” with a submit button (or image used as a button). Use hidden HTML tags to send the data.

• MerchantID
• Transaction Currencies
• Transaction URL
• apiKey

Note #1

Replace https://your Transaction URL with the Transaction URL obtained in Step 1

Note #2

Replace your MerchantID the MerchantID obtained in Step 1

Note #3

Replace the amount of this item the exact amount listed on your website for this plan. The amount must be expressed as 129.00 using a period for the decimal and including the 00.

Note #4

Replace the currency used with one of the Transaction Currencies obtained in Step 1

Note #5

Replace the name of the your plan with the name of your Plan, exactly as it appears on your website.

Note #6

Replace the calculated checksum with the checksum calculated in Step 3

Step 3 - Checksum

To assure the integrity of the information being sent, we use a checksum calculated using various parameters in a concatenated string and a sha1() function. The parameters used are the following and MUST be used in the order given:

merchantid amount currency description (maintain any spaces used in the description) apikey

The apiKey can be obtained from the MBO (see Step #1)

Using the following example:

Merchantid = 9101 amount = 29.99 currency = USD description = My Product apikey = 66D91A29-0E7A-4D72-AE75-D2C4C5DBE223

$str = 910129.99USDMy Product66D91A29-0E7A-4D72-AE75-D2C4C5DBE223

Checksum = sha1($str) = 2ae38e4d472f077c40e22d675beee5db2de117dc

The checksum will be unique for each HTML Form (see Step#2) used. If you make any changes to any of the 5 elements used to calculate the checksum, you must recalculate.

Step 4 - Testing

Once you have completed your HTML Form(s), you must make a test transaction.

1. During Testing, no transactions will be submitted to a real bank and no cards will be charged
2. You may use any valid card number (except 4111111111111111). If you need test card numbers, please search the web for “get credit card numbers”.
3. Select an expiration date greater than this month and year
4. Use 300 for the CVV for Approved results or 800 for Declined results
5. Use a realistic values for the customer details (first and last name, email, etc). DO NOT USE NAMES LIKE TEST OR TESTTEST!
6. If you choose to make multiple tests using the same card number you MUST use the same customer details! (we do not support different people using the same card number)
7. It is best that you test each of your Plans
8. Notify our Technical Support team when you believe you have finished testing. You may do so via the online chat in your MBO or via email: [email protected]

Note:

Your transactions will be processed as 3D Secure (Verified by Visa, SecureCard by MasterCard). During testing, your account is connected to a TEST bank to simulate live processing and no cards are actually sent to a live bank. The GPN Test bank includes a 3D Secure Authentication Page. This is for Testing only and no customer will see this page. If their card is enrolled in a 3D Secure program, they will see an Authentication Page from the Bank that issued their card. If the card is not enrolled, the card will be processed normally.

Step 5 – Migrating to PRODUCTION account and live processing

Once our Technical Team checks your test transactions and are satisfied they meet our requirements, the Tech will notify you via online chat in your MBO and email. At that time, the GPN DATA Sales team will be notified that you have completed integration. When the Tech Support Team receives permission from the Sales Team that all agreements are in order, you will be contacted by the Technical Team regarding your next steps.

Do not ask the Technical Support Team when you will be able to begin live processing. If you have questions such as this, refer them (as well as any other commercial questions) to your Account Manager.

Step 6 – Migrating to PRODUCTION account and live processing

Once we receive permission from your Account Manager, you will receive an email with login credentials to your MBO on the PRODUCTION server.

1. You must repeat
   Step 1 to obtain your PRODUCTION account details.
2. Change the MerchantID and Transaction URL for each Plan (see Step 2)
3. Recalculate the checksums using the new API key
4. Notify Technical Support via online chat in your MBO that you are ready to try at least one of your Plans on the PRODUCTION server to be certain your changes are correct. This MUST be accomplished during live communications between you and the Tech.
5. Wait for the Tech to tell you that you may begin to test one of your plans with the new account information. You may use a test card number (Step 4 Item 2) or a real credit card as the test will not result in any charges to the card.
6. If the test is unsuccessful, work with the Tech to see what is wrong and correct it.
7. If the test is successful, the Tech will inform you to wait a few minutes while your account is connected to the live Acquiring Bank.
8. Once the Tech confirms that you are connected to a live Acquiring Bank, you are ready to begin accepting real credit card transactions.

Optional Additional Transaction Data

The HTML Form must contain these fields at a minimum:

• merchantid
• amount
• currency
• description
• checksum

You may also select to “pre-populate” the Payment Page with Customer data. Simply add additional lines with hidden tags:

<input type="hidden" name="" value="”>

The names for the additional Tags are:

• orderid (if not included, this will be generated by the PaymentPage)
• firstname
• lastname
• birthday
• birthmonth
• birthyear
• email
• country (3 character iso code)
• stateregion (2 character iso code)
• zippostal
• city
• address1
• address2 (optional second address line if needed)
• phone (full with country code and area code, without +)
• accountid (Your own method of customer id used in your system. If not provided email is used).

ERROR CODES

Error codes may include but not be limited to the ones listed below. At any time new error codes may be introduced.

Remember that the above codes are not the only error codes, simply some of the more common and basic ones. The full description of the error will be returned in the errormessage node in case of error and in description node otherwise.

Transaction limits Error Codes