DB Merchant Solutions REST API V2.1 Documentation

The updated total amount.

shippingOptions

ShippingOption[]

The updated shipping options.

shippingAddress

CommonAddress

The (possibly corrected) shipping address. If omitted, the shipping address remains unchanged.

billingAddress

CommonAddress

The billing address (not used currently, reserved for future use).

basket

Basket

The updated basket.

AmountCurrency

Objects of type AmountCurrency represent an amount (expressed in minor units) and its currency, for example, for the total amount, shipping costs, or a basket discount.

Name	Type	Description
amount	number required	The amount in minor units.
currency	string required	The ISO-Alpha-3 currency code of the amount.

Name

Type

Description

amount

number

required

The amount in minor units.

currency

string

required

The ISO-Alpha-3 currency code of the amount.

ApplePayButtonStyle

Name Type Description

Name	Type	Description
type	string
style	string
width	string	Button width and unit. Example: `'250px'`
height?	string	Button height and unit. Example: `'50px'`

type

string

style

string

width

string

Button width and unit.

Example: '250px'

height?

string

Button height and unit.

Example: '50px'

ApplePayTransactionData

Apple Pay specific transaction data.

Name Type Description

Name	Type	Description
displayName	string \| undefined
requiredBillingContactFields	string[]\| undefined	The fields of the customers’s billing address which are passed to the merchant. Example: `['email', 'name', 'phone', 'postalAddress']`.
requiredShippingContactFields	string[] \| undefined
shippingContactEditingMode	string \| undefined
supportedNetworks	string[] \| undefined
supportedCountries	string[] \| undefined
shippingType	string \| undefined
buttonStyle	ApplePayButtonStyle

displayName

string | undefined

requiredBillingContactFields

string[]| undefined

The fields of the customers’s billing address which are passed to the merchant.

Example: ['email', 'name', 'phone', 'postalAddress'].

requiredShippingContactFields

string[] | undefined

shippingContactEditingMode

string | undefined

supportedNetworks

string[] | undefined

supportedCountries

string[] | undefined

shippingType

string | undefined

buttonStyle

ApplePayButtonStyle

Basket

Name	Type	Description
shippingCosts	AmountCurrency required	The shipping costs.

Name

Type

Description

shippingCosts

required

The shipping costs.

CommonAddress

The fields of a common (personal) address.

Name	Type	Description
first_name	string	The first name.
last_name	string	The last name.
email	string	The email.
phone_contact	PhoneContact	The phone number and its type.
address_line_1	string	The first address line.
address_line_2	string	The second address line.
address_line_3	string	The third address line.
postal_code	string	The postal code.
city	string	The city.
state	string	The state or province.
country	string	The two-letter country code of the country (ISO 3166-1 alpha-2).

Name

Type

Description

first_name

string

The first name.

last_name

string

The last name.

string

The email.

phone_contact

PhoneContact

The phone number and its type.

address_line_1

string

The first address line.

address_line_2

string

The second address line.

address_line_3

string

The third address line.

postal_code

string

The postal code.

city

string

The city.

state

string

The state or province.

country

string

The two-letter country code of the country (ISO 3166-1 alpha-2).

GooglePayButtonStyle

Data to customize the Google pay button.

Name Type Description

Name	Type	Description
buttonColor	string	`default`: A Google-selected default value. Currently black, but it may change over time. `black`: A black button suitable for use on white or light backgrounds. `white`: A white button suitable for use on colorful backgrounds. Default: `default`.
buttonType	string	`book`: The "Book with Google Pay" payment button. `buy`: The "Buy with Google Pay" payment button. `checkout`: The "Checkout with Google Pay" payment button. `donate`: The "Donate with Google Pay" payment button. `order`: The "Order with Google Pay" payment button. `pay`: The "Pay with Google Pay" payment button. `plain`: The Google Pay payment button without additional text. `subscribe`: The "Subscribe with Google Pay" payment button. Default: `buy`. Note: When `buttonType` is `buy` and the customers’s payment method is an available card, the payment button displays the card brand and the last four digits of the card number. Note: If a language specified in the viewer’s browser matches an available language, a translated button label appears. Note: The following `buttonType` values have been kept to allow backward compatibility with previous versions: `long`: The same as `buy`. `short`: The same as `plain`.
buttonLocale	string	The ISO 639-1 code of the desired button language. Supported locales include `en`, `ar`, `bg`, `ca`, `cs`, `da`, `de`, `el`, `es`, `et`, `fi`, `fr`, `hr`, `id`, `it`, `ja`, `ko`, `ms`, `nl`, `no`, `pl`, `pt`, `ru`, `sk`, `sl`, `sr`, `sv`, `th`, `tr`, `uk`, and `zh`. Default: Set to the browser or operating system language settings.
buttonSizeMode	string	`static`: The button has a static width and height. `fill`: The button fills its container. Default: `static`.

buttonColor

string

default: A Google-selected default value. Currently black, but it may change over time.
black: A black button suitable for use on white or light backgrounds.
white: A white button suitable for use on colorful backgrounds.

Default: default.

buttonType

string

book: The "Book with Google Pay" payment button.
buy: The "Buy with Google Pay" payment button.
checkout: The "Checkout with Google Pay" payment button.
donate: The "Donate with Google Pay" payment button.
order: The "Order with Google Pay" payment button.
pay: The "Pay with Google Pay" payment button.
plain: The Google Pay payment button without additional text.
subscribe: The "Subscribe with Google Pay" payment button.

Default: buy.

Note: When buttonType is buy and the customers’s payment method is an available card, the payment button displays the card brand and the last four digits of the card number.

Note: If a language specified in the viewer’s browser matches an available language, a translated button label appears.

Note: The following buttonType values have been kept to allow backward compatibility with previous versions:

long: The same as buy.
short: The same as plain.

buttonLocale

string

The ISO 639-1 code of the desired button language. Supported locales include en, ar, bg, ca, cs, da, de, el, es, et, fi, fr, hr, id, it, ja, ko, ms, nl, no, pl, pt, ru, sk, sl, sr, sv, th, tr, uk, and zh.

Default: Set to the browser or operating system language settings.

buttonSizeMode

string

static: The button has a static width and height.
fill: The button fills its container.

Default: static.

GooglePayTransactionData

Google Pay specific transaction data.

Name Type Description

Name	Type	Description
allowedCardNetworks	string[]	One or more card networks that you support, also supported by the Google Pay API. Default: all card networks supported by the Google Pay API, that is, `['AMEX', 'DISCOVER', 'INTERAC', 'JCB', 'MASTERCARD', 'VISA']`.
allowedCountries	string[]	ISO 3166-1 alpha-2 country code values of the countries where shipping is allowed. If not set, all shipping address countries are allowed. Default: empty.
buttonStyle	GooglePayButtonStyle	Data to customize the Google pay button.
defaultSelectedOptionId	string	ID of the shipping option that shall be initially selected. If this field isn’t provided, the first option is selected.
displayName	string required	The merchant name encoded in UTF-8 to be rendered in the payment sheet.
emailRequired	boolean	Set to `true` when the customer’s email is be required. Default: `false`.
shippingAddressRequired	boolean	Set to `true` when customer’s shipping address is required. Default: `false`.

allowedCardNetworks

string[]

One or more card networks that you support, also supported by the Google Pay API.

Default: all card networks supported by the Google Pay API, that is, ['AMEX', 'DISCOVER', 'INTERAC', 'JCB', 'MASTERCARD', 'VISA'].

allowedCountries

string[]

ISO 3166-1 alpha-2 country code values of the countries where shipping is allowed. If not set, all shipping address countries are allowed.

Default: empty.

buttonStyle

GooglePayButtonStyle

Data to customize the Google pay button.

defaultSelectedOptionId

string

ID of the shipping option that shall be initially selected. If this field isn’t provided, the first option is selected.

displayName

string

required

The merchant name encoded in UTF-8 to be rendered in the payment sheet.

emailRequired

boolean

Set to true when the customer’s email is be required.

Default: false.

shippingAddressRequired

boolean

Set to true when customer’s shipping address is required.

Default: false.

Events

Contains event handlers for the various events.

Name	Type	Description
onInit	OnInit	Called after widget is initially displayed.
onShippingAddressChanged	OnShippingAddressChanged	Called after the customer selected a new shipping address.
onShippingOptionChanged	OnShippingOptionChanged	Called after the customer selected a new shipping option.
onAuthorize	OnAuthorize required	Called after the customer confirmed the payment.

Name

Type

Description

onInit

OnInit

Called after widget is initially displayed.

onShippingAddressChanged

OnShippingAddressChanged

Called after the customer selected a new shipping address.

onShippingOptionChanged

OnShippingOptionChanged

Called after the customer selected a new shipping option.

onAuthorize

OnAuthorize

required

Called after the customer confirmed the payment.

OnAuthorize

An event handler of type onAuthorize is called after the customer confirms the payment. In case of error, the customer will get an error message that the payment failed and will be able to restart the payment process.

If for Google Pay a 3DS challenge is required, the payment sheet will be automatically closed. This means that merchant JavaScript must handle the promise returned by the init method, even when the onAuthorize event handler is provided.

OnInit

An event handler of type OnInit is called after the widget button is initially displayed. It does not receive arguments and has no return value.

OnShippingAddressChanged

An event handler of type OnShippingAddressChanged is called after the customer changed the shipping address. It receives as input an object of type IntermediateAddress.

If the new shipping address is supported, the event handler must resolve a promise with an object of type AddressChangeResult, containing updated amounts and updated shipping options.
Otherwise, that is, if the new shipping address is not supported, the event handler must reject the promise. The payment system then will show the customer a corresponding message, that is, that the new shipping address is not supported.

OnShippingOptionChanged

An event handler of type OnShippingOptionChanged is called after the customer changed the shipping option. It receives as input an object of type Shipping Option. The event handler must resolve a promise with an object of type ShippingChangeResult, containing the updated total amount.

PayPalButtonStyle

Options to style the PayPal button.

Name Type Description

Name	Type	Description
color	string	Color of the button. Possible values: `gold` `blue` `silver` `white` `black` Default: `gold`.
disableMaxWidth	boolean	By default `false`, that is, the button has a maximum width of 750px. If set to `true`, the button will be larger if allowed by the surrounding `div`.
height	number	By default, the button adapts to the size of its container element. `height` allows the button to be set to a fixed height between 25 and 55 px.
label	string	Label of the button, displayed in the customer’s language. Possible values: `buynow` `checkout` `donate` `installment` `pay` `paypal` `subscribe` Default: `paypal`.
layout	string	Layout of the button. Possible values: `horizontal` `vertical` Default: `horizontal`.
shape	string	Shape of the button. Possible values: `rect`: The default button shape. `pill`: Rounds the sides of the button. Default: `rect`.
tagline	boolean	Indicates if a tagline shall be displayed. If `true`, it is necessary to set the layout to `horizontal`. Default: `false`.

color

string

Color of the button. Possible values:

gold
blue
silver
white
black

Default: gold.

disableMaxWidth

boolean

By default false, that is, the button has a maximum width of 750px. If set to true, the button will be larger if allowed by the surrounding div.

height

number

By default, the button adapts to the size of its container element. height allows the button to be set to a fixed height between 25 and 55 px.

label

string

Label of the button, displayed in the customer’s language. Possible values:

buynow
checkout
donate
installment
pay
paypal
subscribe

Default: paypal.

layout

string

Layout of the button. Possible values:

horizontal
vertical

Default: horizontal.

shape

string

Shape of the button. Possible values:

rect: The default button shape.
pill: Rounds the sides of the button.

Default: rect.

tagline

boolean

Indicates if a tagline shall be displayed.

If true, it is necessary to set the layout to horizontal.

Default: false.

PayPalTransactionData

PayPal specific data.

Name	Type	Description
buttonStyle	PayPalButtonStyle	Options to style the button.

Name

Type

Description

buttonStyle

PayPalButtonStyle

Options to style the button.

PhoneContact

A phone number and its type.

Name Type Description

Name	Type	Description
phone_type	string required	Possible values: `FAX`, `HOME`, `MOBILE`, `OTHER`, `PAGER`, `WORK`.
phone_number	string required

phone_type

string

required

Possible values: FAX, HOME, MOBILE, OTHER, PAGER, WORK.

phone_number

string

required

IntermediateAddress

Contains the parts of a shipping address which are relevant for determining the shipping costs (but omits personal information).

Name	Type	Description
city	string required	City
state	string	State or province
country	string required	The two-letter country code of the country (ISO 3166-1 alpha-2).
postalCode	string required	ZIP code or postal code

Name

Type

Description

city

string

required

City

state

string

State or province

country

string

required

The two-letter country code of the country (ISO 3166-1 alpha-2).

postalCode

string

required

ZIP code or postal code

ShippingChangeResult

Return type of the event handler OnShippingOptionChanged.

Name	Type	Description
amountTotal	AmountCurrency	The updated total amount.

Name

Type

Description

amountTotal

The updated total amount.

ShippingOption

A shipping option.

Name	Type	Description
id	string required	ID to identify the shipping option at the merchant.
label	string required	The label to be displayed as the option.
description	string	A descriptive text that is displayed below the option label.
price	AmountCurrency required	The price of the shipping option.

Name

Type

Description

string

required

ID to identify the shipping option at the merchant.

label

string

required

The label to be displayed as the option.

description

string

A descriptive text that is displayed below the option label.

price

Initialize fingerprinting (step 4)

required

The price of the shipping option.

TransactionData

Contains different data for the transaction.

Name Type Description

Name	Type	Description
shippingOptions	ShippingOption[]	The default shipping options which will be displayed on the payment sheet. These are used, if the shipping options are not set by the OnShippingAddressChanged event handler. For PayPal, this property must not be set, if `paypal_shipping_preference` is set to `NO_SHIPPING` or `SET_PROVIDED_ADDRESS` in create a session for Widget Solution.
googlepay	GooglePayTransactionData	Google Pay specific data.
paypal	PayPalTransactionData	PayPal specific data.
applepay	ApplePayTransactionData	Apple Pay specific data.

shippingOptions

ShippingOption[]

The default shipping options which will be displayed on the payment sheet.

These are used, if the shipping options are not set by the OnShippingAddressChanged event handler.

For PayPal, this property must not be set, if paypal_shipping_preference is set to NO_SHIPPING or SET_PROVIDED_ADDRESS in create a session for Widget Solution.

googlepay

GooglePayTransactionData

Google Pay specific data.

paypal

PayPalTransactionData

PayPal specific data.

applepay

ApplePayTransactionData

Apple Pay specific data.

WidgetRequest

The configuration object to pass to the window.widgetsolution.init method has the following properties.

Name Type Description

Name	Type	Description
sessionId	string required	Set to `id` obtained from create session.
paymentMethod	string required	Payment system type of the widget. Possible values: `googlepay` `paypal`.
container	string required	`id` of the div in which the widget shall be shown.
events	Events	Event handlers.
transactionData	TransactionData	Transaction data.

sessionId

string

required

Set to id obtained from create session.

paymentMethod

string

required

Payment system type of the widget. Possible values:

googlepay
paypal.

container

string

required

id of the div in which the widget shall be shown.

events

Events

Event handlers.

transactionData

TransactionData

Transaction data.

3.4.7. Finalize payment

Use the Widget solution create payment endpoint to finalize the payment as follows:

For the path parameters, set the id to the originally obtained session ID.
Set amount_total to the (recalculated) amount.

The amount_total is compared with the actual total amount of a PayPal transaction after the transaction has taken place. In case of a discrepancy, the response code 1004 "Money amount discrepancy" is returned.

This may indicate a fraud attack and therefore requires the merchant’s action (like cancellation of the payment).

3.4.8. Capture, refund, and reversal

See Subsequent transaction as well as Capture, Refund, and Reversal for general information about capture, refund, and reversal.

Use the general subsequent transaction endpoint to conduct a capture, refund, or reversal.

3.4.9. Diagnosis request

See Diagnosis request for general information about retrieving information about a previous transaction.

Use the general endpoints Get information for an event ID or Get information for a transaction ID.

3.5. Direct integration

Merchants can use DB Merchant Solutions REST API directly to process payment transaction for the following payment methods:

Credit card transactions,
SDD,
Klarna,
Google Pay,
Apple Pay.

See Payment API for credit card transactions, SDD, and Klarna, Google Pay API for Google Pay, and Apple Pay API for Apple Pay.

The endpoints given there also allow the merchant to receive details about previous transactions.

3.6. PCI DSS compliance

3.6.1. Introduction

This document provides only guidance and should not be taken as definitive advice. Consult with your credit card acquirer or a PCI DSS Qualified Security Assessor (QSA) for clarification.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards from the major credit card schemes (MasterCard, Visa, American Express, Diners, China UnionPay, and JCB). The technical and organizational requirements of PCI DSS help to protect cardholder data, reduce fraud, and minimize the chances of a data breach.

See PCI DSS Quick Reference Guide for a more detailed introduction.

3.6.2. Which SAQ to complete according to the integration type

As mandated by the card schemes, every e-commerce merchant that accepts credit cards as a payment method must annually demonstrate their compliance to the standard by completing a self-assessment questionnaire (SAQ).

There are nine different types of SAQs, three of which are relevant for e-commerce merchants:

SAQ A: Contains 14 questions. For e-commerce merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

All elements of all payment pages delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider.
SAQ A-EP. Contains 139 questions. For e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider.
SAQ D-Merchant: Contains 329 questions. For all e-commerce merchants not included in SAQ A or SAQ A-EP.

For a detailed comparison of the SAQs, see PCI DSS - Understanding the SAQs for PCI DSS version 3 and PCI DSS - SAQ Instructions and Guidelines.

For the purposes of checking eligibility criteria, note the following:

DB Merchant Solutions REST API is a PCI DSS validated third-party provider.
While a merchant can configure the payment page (in particular, its layout) when using a shop plug-in or the Form service, each element of the payment page originates from DB Merchant Solutions REST API.

The following table shows which type of SAQ to use depending on the integration type.

Integration type	SAQ to use	Rationale
Shop plug-ins	A	The shop plug-in redirects the customer to a payment page hosted by DB Merchant Solutions REST API, the elements of which all originate only and directly from DB Merchant Solutions REST API.
Form service	A	Similar to shop plug-ins, here the merchant’s website redirects the customer to a payment page hosted by DB Merchant Solutions REST API, the elements of which all originate only and directly from DB Merchant Solutions REST API.
iFrame service	A-EP	When using the iFrame service, the merchant hosts the payment page themselves, with only the iFrames for entering card data originating from DB Merchant Solutions REST API. Since DB Merchant Solutions REST API sends the merchant a token for the entered cardholder data, the merchant does not need to store, process, or transmit cardholder data.
Direct integration	D-Merchant	Since a merchant has to transmit cardholder data from their system to DB Merchant Solutions REST API when using direct integration, SAQ A and SAQ A-EP are not applicable.

Integration type

SAQ to use

Rationale

Shop plug-ins

The shop plug-in redirects the customer to a payment page hosted by DB Merchant Solutions REST API, the elements of which all originate only and directly from DB Merchant Solutions REST API.

Form service

Similar to shop plug-ins, here the merchant’s website redirects the customer to a payment page hosted by DB Merchant Solutions REST API, the elements of which all originate only and directly from DB Merchant Solutions REST API.

iFrame service

A-EP

When using the iFrame service, the merchant hosts the payment page themselves, with only the iFrames for entering card data originating from DB Merchant Solutions REST API. Since DB Merchant Solutions REST API sends the merchant a token for the entered cardholder data, the merchant does not need to store, process, or transmit cardholder data.

Direct integration

D-Merchant

Since a merchant has to transmit cardholder data from their system to DB Merchant Solutions REST API when using direct integration, SAQ A and SAQ A-EP are not applicable.

3.6.3. PCI DSS 3.2.1 and 4.0

PCI DSS Version 3.2.1 has been retired at 2024-03-31.

This means that from 2024-04-01 on, a merchant has to demonstrate their compliance to PCI DSS Version 4.0.

Up to 2024-03-31, a merchant could still demonstrate their compliance to PCI DSS Version 3.2.1. Assessment results from before 2024-03-31 remain valid (for a period depending on the merchant’s specific situation).

See

PCI DSS 4.0 at a glance for a few key facts on PCI DSS Version 4.0,
PCI DSS Summary Of Changes from Version 3.2.1 to 4.0 for the differences between the two versions, and
PCI DSS v3.2.1 is Retiring on 31 March 2024 – Are You Ready? for details concerning the transition.

3.6.4. Additional obligations when handling larger volumes

When handling more than 6 million credit card transactions per year, a merchant has to additionally provide an Attestation of Compliance (AOC) as well as a Report on Compliance (ROC). Consult with your credit card acquirer or a PCI DSS Qualified Security Assessor (QSA) for more information. See PCI DSS QSA companies to find a QSA.

4. User guide

4.1. Getting started

4.1.1. Manual tests

To become acquainted with DB Merchant Solutions REST API, download the OpenAPI 3.0 specification of DB Merchant Solutions REST API as .yaml file and import it in a tool like Swagger Editor or Postman.

These tools allow to try out the API functionality. For authentication, generate a bearer token as described in Authentication.

4.1.2. Next steps

The interface is implemented as a REST API. The data transfer is via HTTPS with bearer authentication. Your application acts as REST client, DB Merchant Solutions acts as REST server. As a rule, you will send a REST request to DB Merchant Solutions and you will receive the result of the transaction as JSON response. 3-D Secure credit card payments and payments via the Form service require a more complex interaction between the client, your application and DB Merchant Solutions.

You may access more information in the description of the individual payment procedures and transaction kinds.

In the case of form service payments your application acts as REST server upon the callback regarding the outgoing payment, DB Merchant Solutions as REST client.

For the realization of the connection you have a test system available, where payment transactions are only simulated.

There are numerous REST implementations for various programming languages and hardware platforms, which you may use for the connection of your application.

The specification for the DB Merchant Solutions REST API in the OpenAPI 3.0 format is available as a .yaml file. Based on this file your chosen REST implementation can generate a large part of the code required for the connection.

The use of SDKs may help integration and development significantly (see SDKs for web and mobile development).

The field descriptions in the OpenAPI specification state the general purpose of the fields. For further information how to use the fields depending on the use case, and in particular which fields may be required for a certain use case, refer to the User guide.

The examples provided in the OpenAPI specification are a good starting point to get acquainted with the API. In particular, they can serve as minimal examples for which fields are required.

The examples use www.example.com as an example for a domain name. When implementing the API, replace this domain name by the corresponding shop domain.

Precautions have been taken to prevent inadvertent processing of duplicate transactions. See Using idempotency keys for details.

4.1.3. API version, test and production, and base URLs

The current API version is 2.1.

Users of DB Merchant Solutions REST API use different environments for test and production. The test environment is used for test and integration (of a whole application or new features), and to get acquainted with DB Merchant Solutions REST API, while the production environment is used for productive merchant’s applications (with real payment).

Test and production have different base URLs but the same rest endpoints.

The following information is important to be known:

Within test environment no real payment transactions are carried out. The test environment communicates only with sandbox systems and test systems for the different payment methods.
The production environment communicates with the productive payment backends for the different payment methods.
Test and production environment are completely separated. No objects like events or transactions, access authorizations, or configuration of one environment are available in the other. Contact Deutsche Bank customer support for providing access and configuration for the environments.
Make sure that you don’t use real payment data (like credit card or bank account numbers) in the test environment.

As base URL, use the following:

test: https://testmerch.directpos.de/rest-api/services/v2.1
production: https://merch.directpos.de/rest-api/services/v2.1.

4.1.4. Breaking and non-breaking changes

Any breaking changes will be released in a new API version. Breaking changes are changes that can potentially break an integration. Breaking changes include:

removing an entire operation
removing or renaming a parameter
removing or renaming a response field
adding a new required parameter in an existing structure
making a previously optional parameter required
changing the type of a parameter or response field
removing enum values in a request
adding enum values in a response
adding a new validation rule to an existing parameter if the validation is stronger than the current one
changing authentication or authorization requirements.

Any additive (non-breaking) changes will be available in all supported API versions. Additive changes are changes that should not break an integration. Additive changes include:

adding an operation
adding an optional parameter
adding an optional request header
adding a response field
adding a response header
adding enum values in a request
removing enum values in a response.

When a new REST API version is released, the previous API version will be supported for at least 24 more months following the release of the new API version.

Contact Deutsche Bank customer support for which API versions are currently supported.

4.1.5. Data types

See the Open API specification for an explanation of the primitive data types used.

DB Merchant Solutions REST API also employs complex types, that is, objects. DB Merchant Solutions REST API reuses the complex types in different contexts. Depending on the context, a subfield of the complex type may not be applicable. In this case, check the user guide for further information.

For example, the complex type Basket is used for many different payment methods to model the shopping basket of a customer. It contains a subfield extensions which in turn contains a subfield paypal_data for PayPal specific information. The field basket.extensions.paypal_data appears in all requests which contain a basket, but it should be set (and will be processed) only for PayPal transactions.

4.2. Authentication

DB Merchant Solutions REST API requires a valid bearer token to be present in all requests. A merchant can obtain this bearer token by calling the security API, see Security API for details.

Merchants will be provided with a client_id and a client_key which is a shared secret used for calculating the client_secret.

For DB Merchant Solutions REST API, set scope to ftx.

The API responds with an object that contains the access_token which will be used as a bearer token.

4.2.1. Calculating the client_secret

The client_secret is determined by calculating an HMAC-256 signature over the following values:

Value Contained in Example

Value	Contained in	Example
the client-id	`client_id` in request body	client_id_value
current timestamp	HTTP-header `X-RequestDate`	Fri, 10 Jan 2020 14:41:15 GMT
a random value	HTTP-header `X-RandomValue`	ifZonlwJWrTJii3aTFV83jMyl7yNe9QM

the client-id

client_id in request body

client_id_value

current timestamp

HTTP-header X-RequestDate

Fri, 10 Jan 2020 14:41:15 GMT

a random value

HTTP-header X-RandomValue

ifZonlwJWrTJii3aTFV83jMyl7yNe9QM

All three values are concatenated and an HMAC-256 signature is calculated using the client_key as the secret. The client_secret is then built by Base64 encoding the resulting value prepended by the version-prefix V1 and the delimiter :.

The current_timestamp must be formatted according to the standard RFC 7231. Especially, the valid range for hours is from 00 to 23.

4.2.2. Kotlin implementation

The following code fragment shows a sample Kotlin implementation of calculating the client secret.

val clientId = "client_id_value"
val secret = "5Jz2GJGWxXzaP3SeH1nN"

// alpha-numeric for display purposes only
val random = RandomStringUtils.randomAlphanumeric(50)
// -> ifZonlwJWrTJii3aTFV83jMyl7yNe9QMRHiDdb8YRaIHR4w3eB
val timestamp = DateTimeFormatter.ofPattern("E, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
    .withZone(ZoneOffset.UTC).format(Instant.now())

val stringToSign = clientId + timestamp + random
// -> client_id_valueFri, 10 Jan 2020 15:10:38 GMTifZonlwJWrTJii3aTFV83jMyl7yNe9QMRHiDdb8YRaIHR4w3eB

val sha256Hmac = Mac.getInstance("HmacSHA256")
sha256Hmac.init(SecretKeySpec(secret.toByteArray(), "HmacSHA256"))

val signatureBytes = sha256Hmac.doFinal(stringToSign.toByteArray())
val signatureEncoded = Base64.encodeBase64String(signatureBytes)

val clientSecret = "V1:$signatureEncoded"
// -> V1:8uhlrw3ikttmmPr8o/M7rNwsfkf68a2sKyNYsIXPWKU=

4.2.3. JavaScript implementation

The following code fragment shows a sample JavaScript (ES6) implementation of calculating the client secret.

const clientId = "merchantClientId"; // replace by individual client ID
const clientKey = "merchantClientKey"; // replace individual client key

// Create client secret
const timestamp = new Date().toUTCString(); // also set as header X-RequestDate
const random = Array.from(Array(50), () => Math.floor(Math.random() * 36).toString(36)).join(''); // also set as header X-RandomValue
const stringToSign = clientId + timestamp + random;
const hash = CryptoJS.HmacSHA256(stringToSign, clientKey);
const hashInBase64 = hash.toString(CryptoJS.enc.Base64);
const clientSecret = "V1:" + hashInBase64;

The CryptoJS library used can be included as follows.

<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js"></script>

4.3. Using idempotency keys

4.3.1. Background

DB Merchant Solutions REST API supports idempotent HTTP requests through the use of idempotency keys. This is useful when a request should time out: You can safely retry the same request, for example to create a payment, with the guarantee that the payment is created only once.

More specifically, DB Merchant Solutions REST API supports for each request the header parameters Idempotency-Key and Idempotency-Key-TTL where TTL stands for time to live. When processing a request with these header parameters, DB Merchant Solutions REST API will ensure that during the TTL of the key each request with this key will be idempotent.

4.3.2. The idempotency key

An idempotency key may be any alphanumeric character sequence between 1 and 64 characters length. To create an idempotency key, it is highly encouraged to use the UUID v4 algorithm. This makes sure that each new request gets a new key and no key is reused accidentally.

The idempotency key needs to be placed in the HTTP header named Idempotency-Key. If this header is present then an idempotency key of the defined format is expected, that is this header must not be empty.

4.3.3. Time to live

Idempotency keys are stored in a cache. You can control for how long an idempotency key will be stored in the cache with the optional header Idempotency-Key-TTL. This header needs to contain an integer value between 1 and 8760 (= 365 * 24, that is one year) indicating the time to live in hours. Values outside this range will be treated as client errors.

When the parameter is not present, the TTL is set by default to 720, that is 30 days.

An expired idempotency key is only guaranteed to be deleted from the cache not before its TTL is expired. Nevertheless, it is not guaranteed that it is deleted precisely immediately after TTL expiration. So do not rely on any exact expiration calculation for any reuse of idempotency keys.

4.3.4. Responses

When idempotency keys are used five different responses may be observed:

Direct success

This is the most common kind of response. The first request was processed successfully and its result is returned. The HTTP status code is 200 or whatever status code corresponds to the outcome of that request. (This may include codes from the 300 and even from the 400 family in cases where requests are erroneous in other aspects.)

Cached success

In case of a repeated request, that is the request headers including the idempotency key and the request payload coincide with those of an already processed request, the cached result will be returned as response. This is indicated by the presence of the additional HTTP response header Idempotency-Cached with the value true.

Bad request due to missing or illegal headers

If the idempotency key has some illegal format or length, this is treated as a client error with HTTP status code 400. If the header for TTL of an idempotency key is present but its value has some illegal format or value, this is also treated as a client error with HTTP status code 400.

Bad request due to illegal reuse of idempotency key

If the same idempotency key is used for a different request, this is detected as an illegal reuse of that idempotency key and treated as a client error with HTTP status code 422 (Unprocessable Entity). See RFC 4918 for further information.

Bad request due to pending processing of previous request

There may be (rare) cases where the first request is still being processed while a second repeated request is sent to the server. In this case the second request is perfectly legal but there is no (cached) response available yet, that is the repeated request was sent too quickly. This is treated as an error with HTTP status code 409 (Conflict).

4.4. Verifying callback requests

To verify the integrity and authenticity of a callback request for a shop notification, check the signature of the callback as set by DB Merchant Solutions REST API in the HTTP header Signature as follows.

4.4.1. Format of the signature

DB Merchant Solutions REST API calculates a signature as follows.

In the following, use the same client_id and client_key as for authorization (see Authorization).

Concatenate the following three fields:

Value Contained in Example

Value	Contained in	Example
a digest of the request body	HTTP-Header `Digest` or calculated	SHA-256=SDqXIq66dJrK69hBh2y9hDEA7xBHRdouGJ5aZ75wGs8=
current timestamp	HTTP-header `X-RequestDate`	Fri, 10 Jan 2020 14:41:15 GMT
a random value	HTTP-header `X-RandomValue`	ifZonlwJWrTJii3aTFV83jMyl7yNe9QM

a digest of the request body

HTTP-Header Digest or calculated

SHA-256=SDqXIq66dJrK69hBh2y9hDEA7xBHRdouGJ5aZ75wGs8=

current timestamp

HTTP-header X-RequestDate

Fri, 10 Jan 2020 14:41:15 GMT

a random value

HTTP-header X-RandomValue

ifZonlwJWrTJii3aTFV83jMyl7yNe9QM

Here the request body digest is calculated by using the SHA-256 hash function and prepending SHA-256= to the resulting value.

Calculate a HMAC-SHA256 signature for the resulting value using the client_key as the secret.
Base64 encode the resulting value and place it in the HTTP header Signature.

4.4.2. Example signature validation method

The signature can be validated by recalculating it and comparing it to the value sent, for example as follows.

val base64: Base64.Encoder = Base64.getEncoder()
const val digestAlgorithm = "SHA-256"
const val clientKey = "5Jz2GJGWxXzaP3SeH1nN"
const val randomValue = "X1c1IInswtMPNSTfmtGx"
const val requestDate = "Fri, 10 Jan 2021 14:41:15 GMT"
const val bodyExample = """{
  "client_id": "client_id_value",
  "transaction_info": {
    "type": "bankaccount",
    "transaction_bankaccount_info": {
      "bankAccount": {
        "bic": "TESTDEL0BK2",
        "iban": "DE39123456790009290701",
        "account_holder": "Jörg Müller-Beßler"
      }
    }
  },
  "rc": "0000",
  "message": "Genehmigt oder erfolgreich beendet.",
  "amount_total": {
    "amount": 100,
    "currency": "EUR"
  },
  "event_id": "id1622635202153",
  "kind": "DIRECTDEBIT",
  "tx_action": "preauthorization",
  "tx_id": "pmrM4SYsoJo5jQgtnlDzwm",
  "basket_id": "bid1622635202153",
  "additional_data": "ADDI_1234XY"
}"""

fun verifySignature(
    requestBody: ByteArray,
    headerXRandomValue: String,
    headerXRequestDate: String,
    headerSignature: String,
    secret: String,
): Boolean {
    val digest = MessageDigest.getInstance(digestAlgorithm)
        .digest(requestBody)

    val digestValue = "$digestAlgorithm=${base64.encodeToString(digest)}"
    println("digestValue " + digestValue)
    // -> SHA-256=SDqXIq66dJrK69hBh2y9hDEA7xBHRdouGJ5aZ75wGs8=

    val stringToSign = digestValue + headerXRequestDate + headerXRandomValue
    // -> SHA-256=SDqXIq66dJrK69hBh2y9hDEA7xBHRdouGJ5aZ75wGs8=Fri, 10 Jan 2021 14:41:15 GMTX1c1IInswtMPNSTfmtGx

    val signed = hmacSHA256(secret.encodeToByteArray(), stringToSign.encodeToByteArray())

    val signedBase64 = base64.encodeToString(signed)
    // -> Jy9J6OdYBxtM046XzBxFlyqn8W7BhetbgPHoKg6ecoA=

    return signedBase64.equals(headerSignature)
}

4.5. Transactions kind details

The following sections describe the supported common transactions kinds for payments in detail. A transaction is initiated using the endpoints of DB Merchant Solutions REST API as described in Getting started. The transaction kind of such an initiated transactions is specified by the path parameter tx_action. Different endpoints may permit different transaction kinds. This depends on the integration type and the transaction context (initial, or subsequent transaction, see below).

The transaction kinds can be divided as follows (the symbol for tx_action is given in brackets):

initial transactions: pre-authorization (preauthorization), authorization (authorization), credit (credit), and verification of means of payment (verify-mop)
subsequent transactions which relate to a previous transaction: capture (capture), refund (refund), and reversal (reversal)
further transactions: diagnosis request and verification of means of payment.

4.5.1. Authorization

Carry out an authorization to initiate the payment of a concluded business operation. Compared to a pre-authorization and subsequent capture, an authorization requires only one step.

A payment system may support recurring transactions. These are transactions that are authorized once by the customer and then subsequently initiated by the merchant without further customer interaction, for example for magazine subscriptions.

4.5.2. Pre-authorization

Carry out a pre-authorization to reserve the customer’s funds for an order that will take place at a later point in time.

A pre-authorization only reserves the customer’s funds for a certain time, the so-called reservation period, which depends on the payment method. To actually initiate clearing and settlement, a merchant has to carry out a capture.

If no capture is carried out during the reservation period, the customer’s funds will be freed again, in which case a capture is no longer possible. The customer’s funds can also be (partially) freed before the expiry of the reservation period by carrying out a (partial) reversal of the pre-authorization.

Typical use cases

Hotels use a pre-authorization at check-in to reserve funds for additional charges incurred during the guest’s stay, for example for room service. If there are additional charges at the end of the stay, the hotel uses a (partial) capture, otherwise the hotel reverses the pre-authorization. If the hotel had directly used an authorization for these additional charges and the guest had not used the services, the hotel would have to carry out a refund.
Car rentals or tour operators use a pre-authorization as a security deposit to be assured of payment in case the car or equipment is damaged, while in the case that the car or equipment is not damaged, they need not issue a refund.

Credit card

Reservation period

The reservation period for credit card pre-authorizations typically is 7 days. The precise value depends on several factors, such as the card brand, the transaction type (regular, recurring, or UCOF), and your merchant category code (MCC). It is regulated in your acceptance contract with your credit card acquirer. Contact your credit card acquirer if there are any ambiguities.

For example, the reservation period for Visa credit card transactions for merchants outside the US currently is as follows: The reservation period is 7 days for e-commerce transactions (more precisely: card-absent transactions) except for the following cases:

For all recurring or UCOF transactions: 1 day (24 hours)
For all other transactions:
- Merchant categories lodging, vehicle rental, and cruise line (MCCs 3501-3999, 7011, 3351-3500, 7512, 7513, 7519): 31 days
- Taxi cabs (MCC 4121): 1 day (24 hours).

Checks for a pre-authorization

DB Merchant Solutions verifies that the card provided exists, is not blocked and may be charged with the desired amount. This request may be refused or accepted by providing an authorization number. In the case of authorization the amount queried is reserved within the credit limit of the card provided.

Direct debit

Reservation period

The reservation period is 30 days for direct debit pre-authorizations.

Checks for a pre-authorization

DB Merchant Solutions verifies the format and check digit of the submitted IBAN. For German IBANs DB Merchant Solutions verifies that the bank identification number included in the IBAN exists and that the account number included in the IBAN is valid for the check digit algorithm of this bank.

Other payment methods

For the other payment methods which support a pre-authorization, DB Merchant Solutions REST API carries out the same checks as for an authorization.

Contact the corresponding payment system support for questions about the reservation period and about blocking of the customer’s funds.

4.5.3. Credit

A credit is a transaction which provides a reimbursement to the customer and does not relate to a preceding capture or authorization.

If you may carry out a credit depends on the configuration of your access. The process for the submission and the clearing of credits on your customers' current accounts may need to be coordinated with your account-holding institution.

4.5.4. Subsequent transactions

A subsequent transaction (capture, refund, or reversal) follows an initial transaction (pre-authorization, authorization, or credit) or another subsequent transaction.

A subsequent transaction is connected to its related transaction: Using the diagnosis request for the event_id, subsequent transactions are given as children of their related transaction (see Diagnosis request).

Possible subsequent transactions

The following table shows for each transaction kind the transaction kinds of a subsequent transaction which are in general possible.

For example, a capture or a reversal is possible for a pre-authorization, while a reversal or a refund is possible for a capture.

	Capture	Refund	Reversal
Pre-authorization	✔		✔
Capture		✔	✔
Authorization		✔	✔
Credit			✔
Refund			✔

Capture

Refund

Reversal

Pre-authorization

✔

Capture

✔

Authorization

✔

Credit

✔

Refund

✔

Some payment methods may not support all shown possibilities. Refer to the corresponding payment method documentation to check for exceptions.

Carrying out a subsequent transaction

To carry out a subsequent transaction, proceed as follows:

Use the general subsequent transaction endpoint.
Use the same event_id as for the initial transaction.
Set tx_id to the transaction ID of the initial transaction, which can be found as follows:
- Form service: tx_id from the callback request (not tx_id from the initial transaction)
- iFrame Service, Payment API: tx_id from the response to the initial transaction
With a subsequent transaction, the following fields can be changed from the initial transaction:
1. changed_amount: different transaction amount to support partial reversals or partial captures. For example, after a pre-authorization with amount 100.00 EUR (that is, amount = 10000 and currency = EUR), set the field changed_amount to 2000 to do a partial capture of 20.00 EUR. If the field changed_amount is not set, DB Merchant Solutions REST API will use the amount from the initial transaction it refers to, that is, perform a full capture, reversal, or refund. In particular, when using multiple partial captures, always set the field changed_amount to the amount of the transaction at hand.
2. due_date: SDD only: different due date.
3. basket.basket_id: For SDD, the basket ID is displayed on the customer’s bank account statement. Changing the basket ID in a capture then allows for setting a temporary basket ID in the pre-authorization and then setting the final basket ID during the capture.

4.5.5. Capture

A capture initiates the booking of the funds reserved by a pre-authorization. For a capture, the business operation needs to be concluded, thus for example that a shopping basket was offered, ordered, and delivered to the customer.

In general, the amount to be booked has to be the same as or less than the pre-authorized amount. These cases are called full capture and partial capture, respectively. Certain payment methods such as credit card and PayPal support an overcapture, that is a capture whose amount exceeds the pre-authorized amount up to certain percentage. See the corresponding sections for the payment systems for details.

Upon capture, the customer’s account is charged with the requested amount and the merchant’s account is similarly credited.

Depending on the payment system, for a pre-authorization and a partial capture one of the following is applicable:

several partial captures are possible as long as the combined amount is the same or less than the amount reserved
only one partial capture is possible, the remaining amount is automatically reversed.

In general, a capture cannot be reversed. A refund has to be carried out.

4.5.6. Refund

A refund is a transaction which provides a reimbursement to the customer which relates to a preceding capture or authorization. The amount refunded may be less than or equal to the amount paid.

Depending on the payment system, for a capture or authorization either only one refund is possible or several (partial) refunds are possible.

The process for the submission and the clearing of refunds on your customers' current accounts may need to be coordinated with your account-holding institution.

4.5.7. Reversal

Depending on the payment system, pre-authorizations, authorizations, captures, credits, and refunds may be reversed, that is, cancelled.

See Supported transaction kinds for which payment systems support reversals in general. See the sections on the individual payment methods for particular restrictions.

For all payment systems, the reversal of a pre-authorization is possible as long as no booking notification has been sent and as long as the reservation period has not expired.

For SDD, the reversal of an authorization, capture, credit, or refund is possible until the end of the day of the transaction (Central European Time (CET) or Central European Summer Time (CEST)).

For other payment systems, contact the payment system support for how long a reversal for an authorization, capture, credit, or refund is possible.

4.5.8. Verify means of payment

For the payment methods credit card and SDD, carry out the transaction kind 'verify means of payment' (tx_action: verfiy-mop) to check whether the supplied credit card or bank account actually exists. For credit card, in the context of EMVCo 3-D Secure, it is also checked whether the card is owned by the customer (see Credit card transactions). Therefore, verfiy-mop is used to authorize future recurring payments (which are then initiated by the merchant), see Tutorial: recurring credit card transactions.

Within Widget Solution, verfiy-mop is also used to authorize recurring payments for PayPal.

4.5.9. Diagnosis request

Diagnosis requests are used to retrieve information on previous transactions from DB Merchant Solutions REST API. They don’t have an explicit tx_action, but tx_action appears as a field in their response and is needed to interpret this.

Diagnosis endpoints

Use the endpoint GET /payment/event/{event_id} to retrieve details of an event (consisting of one or more payment transactions, for example several cancelled transactions and one successful transactions).

Use the endpoint GET /payment/tx/{tx_id} to retrieve the details of a (single) transaction, for example an authorization.

Only less than 100 diagnosis requests are possible for an event (or an event_id, resp.). The exact number depends on the transaction history for the event.

Interpreting the response

Diagnosis requests may be used to inform about the status of a payment transaction.

The response contains one or more objects of type PaymentResponse or its super type PaymentDiagnosisResponse. They contain information on payment transactions as described in this chapter. PaymentDiagnosisResponse may contain a field children which contains subsequent transactions of the transaction (see Subsequent transactions). PaymentResponse appears as response object of GET /payment/tx/{tx_id}, while the response object of GET /payment/event/{event_id} contains an array of PaymentDiagnosisResponse in its field transactions.

For an event_id, all related transactions are either contained in the field transactions of the response of GET /payment/event/{event_id}, or in one of its child objects in children.

PaymentResponse and PaymentDiagnosisResponse both contain the required field rc (response code) which holds status information of the transaction (for example, 0 means success).

They may also contain the optional field tx_action which contains the transaction kind. tx_action given in the response the may contain the values of the transaction kinds specified as the path parameter tx_action described in this chapter, but further values are possible as well.

For inital transactions the objects in transactions typically have the same tx_action as the path parameter of the endpoints by which they have been created (authorization, preauthorization, credit, or verify-mop), but this is not true in any case. Details are given in the payment method specific sections Diagnosis request in Payment methods (for example Diagnosis request for PayPal).

4.5.10. Typical transaction flows

The following transaction flows occur frequently:

authorization: one-stop payment
pre-authorization, capture with capture amount equal to pre-authorization amount: reserve funds and book the reserved funds completely
pre-authorization, capture with capture amount less than pre-authorization amount: reserve funds and book the reserved funds only partially
pre-authorization, reversal: reserve funds and later free them because they were not needed.

The following transaction flows occur less frequently:

pre-authorization: reserve funds, then later on the funds are freed automatically after expiry of the reservation period since no capture and no reversal followed
authorization, refund: payment, then later on a refund for the payment because the customer returned the goods
pre-authorization, capture, refund: reservation and booking of funds, then later on a refund
credit: credit a customer without a preceding payment
verify means of payment: validate entered data for future use
authorization, diagnosis request: initiate payment and then check the status of the authorization.

5. Payment methods

5.1. Credit card transactions

5.1.1. Introduction

EMVCo 3-D Secure

Traditional credit card transactions in which the cardholder only enters their credit card number and the card verification value (CVV) suffer from a certain fraud risk for which the merchant is liable. The aim of EMVCo’s 3-D Secure protocol is to secure credit card transactions with a strong customer authentication (SCA) so that the fraud rate is notably reduced and the liability usually shifts from the merchant to the issuer. While the need for a second factor authentication may inconvenience the customer (and thus lead to a lower conversion rate), in certain jurisdictions such as the European Economic Area (EEA) an SCA now is required.

The 3-D stands for the three domains which participate in it: the merchant / acquirer domain, the issuer domain and the interoperability (infrastructure) domain. The credit card companies brand the 3-D Secure protocol under different names: Mastercard SecureCode, Visa Secure and American Express SafeKey.

See Wikipedia for an extended introduction and EMVCo 3-D Secure specification for the technical protocol specification.

For 3-D Secure payments, a merchant has to be additionally registered and authorized for Mastercard SecureCode, Visa Secure or American Express SafeKey. You have to contact Deutsche Bank customer support about this.

Similarly, cardholders have to be registered and authorized for Mastercard SecureCode, Visa Secure or American Express SafeKey with their banks.

You may obtain detailed information about liability shifting from Deutsche Bank customer support.

Supported countries and currencies

Mastercard and Visa credit cards are available in more than 240 countries, while American Express credit cards are available in more than 130 countries. Contact your acquirer for a precise list.

Mastercard and Visa credit cards support more than 70 currencies, while American Express credit cards support more than 40 currencies. Contact your acquirer for a precise list.

Supported transaction kinds

DB Merchant Solutions REST API supports the following initial transaction kinds for 3-D Secure:

authorization (standard and recurring)
pre-authorization
verify means of payment
credit.

Use the general subsequent transaction endpoint, setting kind = CREDITCARD, to conduct the transaction kinds

capture (full and single partial)
reversal (full and single partial)
refund (full and single partial)

for a preceding 3-D Secure transaction.

Supported types of reversals

For a pre-authorization, a full or a partial reversal is possible.
For a capture or an authorization, a full or a partial reversal is possible until the transaction has been cleared. After clearing, a reversal is declined, in which case a refund has to be used.
For a credit or a refund, a reversal is not possible.

Reservation period for pre-authorizations

For all recurring or UCOF transactions: 1 day (24 hours)
For all other transactions:
- Merchant categories lodging, vehicle rental, and cruise line (MCCs 3501-3999, 7011, 3351-3500, 7512, 7513, 7519): 31 days
- Taxi cabs (MCC 4121): 1 day (24 hours).

Overcapture

Depending on the jurisdiction of the customer, credit cards do support an overcapture, that is, a capture with an amount exceeding the amount of the pre-authorization up to 15%, or do not support an overcapture. Contact your credit card acquirer for details.

Recurring payments

DB Merchant Solutions REST API also supports recurring payments, such as for magazine subscriptions. In this case the first transaction is carried out as usual a 3-D Secure payment, while the subsequent transactions can be carried out without 3-D Secure. Recurring payments require additional parameters:

series_flag: possible values:
- RECURRING: for recurring (scheduled) payments, for example in the case of a subscription or standing order.
- UCOF (unscheduled credentials on file): when a card number alias is created for future payments with the same credit card. In this case use alias_action.action = CREATE with the first payment and the card number alias with the following payments. You can specify action = verify-mop (verify means of payment) for the first transaction to register a card number alias without a payment.
sequence_type: possible values:
- FIRST for the first payment
- RECURRING for the following payments
- FINAL for the last payment.
recurring_payment: recurring payment identifier. This field is returned in the response of the first payment and has to be submitted with all following payments of this recurring payment.

Supported integration types

DB Merchant Solutions REST API supports credit card transactions in the following integration types:

Form service checkout page (only web payments)
direct integration (both web and app payments)
iFrame Service (only web payments).

See Integration types for general information on the offered integration types.

The 3DS Server

Part of the interoperability domain are the issuers' access control server (ACS), which handles the customer authentication, and the 3DS Server, which establishes the connection from the merchant to the responsible ACS. According to the credit card schemes' rules, merchants may not connect directly to the ACS but need to use a 3DS Server.

DB Merchant Solutions REST API offers a 3DS Server to its merchants. Additionally, for merchants who have already integrated a different 3DS Server, DB Merchant Solutions REST API offers the option to carry out the final step of the 3-D Secure protocol only.

Integration type endpoints to use

Integration type	endpoints to use
Use DB Merchant Solutions REST API as 3DS Server	`POST /headless3DSecure/…`
Use external 3DS Server	`POST /payment/event/{event_id}/creditcard/{tx_action}`

Use DB Merchant Solutions REST API as 3DS Server

POST /headless3DSecure/…

Use external 3DS Server

POST /payment/event/{event_id}/creditcard/{tx_action}

5.1.2. Using DB Merchant Solutions REST API as the 3DS Server

Flow of a 3DS transaction

The following diagram shows the transaction flow for a 3DS transaction. Shown here are the customer’s browser, the shop, DB Merchant Solutions REST API and the ACS with which the browser interacts. Not shown are further backend systems with which DB Merchant Solutions REST API interacts such as the Directory Server and the credit card acquirer.

Transaction flow of a 3DS transaction with DB Merchant Solutions REST API as 3DS Server

The customer’s browser communicates the payment relevant data to the shop. Possibly it improves the transaction flow if the shop catches the form "submit". In this case the customer stays on the current shop page almost until the end of the course of transaction.
The shop sends the payment data to DB Merchant Solutions REST API. See Initializing the payment (steps 1-4) for details.
DB Merchant Solutions REST API verifies the data. In the case of an error continue with step 22. Otherwise, DB Merchant Solutions REST API determines the further course of action, in particular the responsible Access Control Server (ACS) if needed.
DB Merchant Solutions REST API sends a response to the shop with the following possibilities:
- A 3DS (authentication) method has to be chosen. Continue with step 5.
- It is not necessary to choose a 3DS method, the customer can directly proceed to the authentication at the ACS. Continue with step 15.
- The payment had been carried out without further authentication of the cardholder. Continue with step 23.
The shop signals the browser that the "3DS Method" is to be carried out (outcome = METHOD_REQUIRED).
The browser creates a hidden iframe (see section Adaptations in the browser).
From the hidden iframe a form is automatically sent to the ACS.
The ACS interacts with the hidden iframe. The response to the iframe includes a message to URL as set in the parameter tds_20_data.communication_data.method_notification_url.
The hidden iframe automatically sends the message from the ACS to the URL set by tds_20_data.communication_data.method_notification_url of the shop.
The shop sends a response which causes the hidden iframe to be closed.
The main window of the browser automatically sends a message to the shop.
The shop sends the request method_completed to DB Merchant Solutions REST API. See section Completion of "3DS Method“ (step 12-14).
DB Merchant Solutions REST API determines how the payment has to be continued.
DB Merchant Solutions REST API responds to the shop.
- If the 3-D Secure 2.1 or 2.2 payment had been carried out without further authentication of the cardholder, the response contains the message about the outcome of the payment. Continue with step 23.
- Otherwise, the response includes the data to redirect the customer to the ACS. Continue with step 15.
The shop sends the redirect to the ACS to the customer’s browser. See section Redirect to the ACS (steps 15+16) for details.
The browser redirects to the ACS.
The customer authenticates themselves at the ACS.
The ACS sends a redirect to the shop to the browser, using the URL provided in cres_notification_url.
The browser redirects to the shop.
The shop informs DB Merchant Solutions REST API that the payer authentication was made (see section Concluding the payment (step 20-22)).
DB Merchant Solutions REST API finds out the credit card payment outcome.
DB Merchant Solutions REST API informs the shop about the payment outcome.
The shop informs the browser about the payment outcome.

Initializing the payment (steps 1-4)

Request (step 2)

To carry out step 2 as described in the transaction flow, that is to initialize a 3-D Secure credit card payment, use the endpoint

/headless3DSecure/event/{event_id}/{tx_action}/initialize

where event_id is as usual a unique id for this event and tx_action is the desired action, that is, one of preauthorization, authorization or verify-mop (verify means of payment: online check of the credit card without payment).

Set the parameters as follows:

TDS20Data: This field is required to conduct a 3-D Secure 2.1 or 2.2 transaction. The TDS20Data object includes numerous parameters:
- Required parameters: Until 2024-08-11, for all card brands, all parameters are optional. For all card brands except for Mastercard and Visa, the parameters will also remain optional after this date until further notice.
  
  Mastercard: Starting from 2024-08-12, for transactions with Mastercard credit cards, the following parameters under credit_card_data.tds_20_data are required:
  device_information: ip_address
  
  customer_data.billing_address: street, postal_code, city, and country. If country is US, state is also required.
  
  customer_data.shipping_address: street, postal_code, city, and country. If country is US, state is also required.
  
  customer_data.cardholder_email
  
  One of home_phone_number, mobile_phone_number, or work_phone_number and its subfields country and regional.
  Visa: Starting from 2024-08-12, for transactions with Visa credit cards, the parameter credit_card.cardholder and the following parameters under credit_card_data.tds_20_data are required (if not set, Visa will decline the transaction):
  device_information: ip_address, http_browser_screen_height, and http_browser_screen_width
  
  customer_data.billing_address: street, postal_code, city, and country. If country is US, state is also required.
  
  Either customer_data.cardholder_email or one of customer_data.home_phone_number, customer_data.mobile_phone_number, or customer_data.work_phone_number and its subfields country and regional.
  Note that the billing address information for 3DS must be supplied under tds_20_data.customer_data.billing_address. It is not sufficient to supply the billing address information under the top-level element billing_address.
- Optional parameters: The credit card issuer uses the remaining parameters to assess the risk of a payment default and to decide if the cardholder is required to carry out a two-factor authentication. We recommend submitting these parameters as far as the data are available. Information about the customer’s browser (parameters in device_information), the cardholder (parameters in customer_data) and the shipping address (parameters in customer_data.shipping_address) is especially important.
requestor_challenge_indicator: Use the field to indicate the shop’s preference whether a challenge (that is, an authentication) shall be performed. The parameter values take the form NO_PREFERENCE, CHALLENGE_REQUESTED and NO_CHALLENGE_REQUESTED as prefix and the reason for this preference as suffix, for example NO_CHALLENGE_REQUESTED_DATA_SHARE_ONLY.
processing_options option FALL_BACK_ON_SSL: To find out the Access Control Server which is responsible for the customer’s credit card, DB Merchant Solutions REST API sends a message to a so-called Directory Server.

DB Merchant Solutions REST API might receive the answer from the Directory Server that it could not determine if the credit card is enrolled for 3D Secure. This happens for example for so-called one leg out transactions, where the customer is located outside the EEA but the customer’s account is held within the EEA. In this case, DB Merchant Solutions REST API proceeds as follows (for Mastercard, Visa, and American Express):
- If the request does not contain the parameter FALL_BACK_ON_SSL, the transaction is stopped.
- If the request does contain the parameter FALL_BACK_ON_SSL, the payment is continued as an SSL transaction without liability shifting.
Occasionally, DB Merchant Solutions REST API might not receive an answer from the Directory Server because of connection problems. Due to the different regulations of Mastercard, Visa, and American Express, DB Merchant Solutions REST API proceeds as follows in this case:
- Mastercard and American Express: the transaction is continued.
- Visa: the transaction is stopped unless the request contained the parameter FALL_BACK_ON_SSL. In this case, the transaction is carried out as an SSL transaction without liability shifting.

Basket ID

For a credit card transaction, the field basket.basket_id is optional. If it is set, it must conform to the pattern [a-zA-Z0-9] {1,30}.

Requirements for the shop

At the beginning of the 3-D Secure 2.1 or 2.2 processing the shop has to display a “processing screen” with a processing graphic (for example progress bar or spinning wheel) to the customer for at least two seconds. Other design elements are not permitted in the processing screen.

Response (step 4)

Unless an error occurs, DB Merchant Solutions REST API will send a Headless3DSecureResponse which in particular includes the following attributes.

outcome: Indicates the outcome of the current headless 3-D Secure transaction.
- METHOD_REQUIRED: The 3-D Secure method flow needs to be started. Consult the attribute method_required for required data (method_request, method_url) and proceed with step 5.
- CHALLENGE_REQUIRED: The 3-D Secure challenge flow needs to be started. Consult attribute challenge_required for required data (acs_url and either pareq (3-D Secure 1.0) or creq (3-D Secure 2.1 or 2.2) and proceed with step 14.
- PROCESSED: The transaction has been processed, no further action is required. Consult the attribute processed for details of the processed transaction. In particular, the response code processed.rc contains the information if the transaction was successful (response code equal to 0) or not (response code different from 0). Proceed with step 23.

Note that for the time being it is possible that the payment is carried out according to the 3-D Secure 1.0 protocol even if you submitted the 3-D Secure 2.1 or 2.2 data with the payment initialization. If the response contains the PaReq field, the payment has to be continued according to 3-D Secure 1.0, otherwise according to 3-D Secure 2.1 or 2.2.

3DS Method Flow (steps 5-14)

Adaptations in the browser

The customer does not take part actively in the process of the "3DS Method". Insert a hidden iframe in the HTML page which is displayed to the customer and send a form with a field named threeDSMethodData which includes the unaltered content of method_request to the URL you received in method_url. The subsequent example contains JavaScript code which can help you to adapt the shop page for the "3DS Method". You need the values of the method_request and method_url fields of the Headless3DSecureResponse.

function tdsMethod() {
  // set default values
  $( "#tdsFsMethodJsStatus" ).val( "undefined" );
  $( "#tdsFsMethodResult" ).val( "N" );

  // this listener will receive a message when acs communication has been finished
  window.addEventListener( "message", function ( event ) {
    if (event.origin !== 'TODO: domain of method_notification_url') {
      console.warn( "wrong origin", {
        e: event.origin,
        d: docOrigin
      } );
      // TODO abort transaction if origins do not match
    }
    event.preventDefault();
    var eventData = event.data;
    if (eventData.hasOwnProperty( 'value' )) {
      $( "#tdsFsMethodResult" ).val( eventData.value );
    }
    // TODO submit original form, remove iframe
  } );

  // example URL, use value from Headless3DSecureResponse
  var methodURL = "https://acs.cccompany.com/method";

  // example data, use value from Headless3DSecureResponse
  var methodRequest = "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjNhYzdjYWE3LWFhNDItMjY2My" +
    "03OTFiLTJhYzA1YTU0MmM0YSIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJ0aHJl" +
    "ZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIn0";

  // place in html document where the iframe will be inserted
  var tdsMethod = document.getElementById( "tdsMethod" );

  // create invisible iframe
  var iframe = document.createElement( 'iframe' );
  iframe.width = "0";
  iframe.height = "0";
  iframe.name = "tdsMethodIFrame";
  iframe.setAttribute( 'frameborder', '0' );
  iframe.setAttribute( 'border', '0' );
  iframe.scrolling = "no";
  iframe.setAttribute( "seamless", "seamless" );
  iframe.setAttribute( "style", "display:none;" );
  iframe.setAttribute( "tabindex", "-1" );
  tdsMethod.appendChild( iframe );

  var methodForm = document.createElement( 'form' );
  methodForm.style.display = 'none';
  methodForm.name = "tdsMethodForm";
  methodForm.action = methodURL;
  methodForm.method = "POST";
  methodForm.target = "tdsMethodIFrame";

  var valueInput = document.createElement( 'input' );
  valueInput.name = "threeDSMethodData";
  valueInput.value = methodRequest;
  methodForm.appendChild( valueInput );
  tdsMethod.appendChild( methodForm );

  setTimeout( function () {
    tdsMethod.removeChild( methodForm );
  }, 1000 );

  // send request to methodURL
  methodForm.submit();
}

Completion of "3DS Method“ (step 12-14)

Request (step 12)

For step 12, use the endpoint /headless3DSecure/event/{event_id}/method_completed/{completed} to signal DB Merchant Solutions REST API that the 3DS method has been chosen.

To allow DB Merchant Solutions REST API to assign your request to the preceding initialization it is necessary that you submit the same event_id. Set the parameter completed to indicate if the shop has received a request from the ACS to the method_notification_url within 10 seconds (true) or not (false).

Response (step 14)

See the API doc for the format of the response.

Redirect to the ACS (steps 15+16)

The ACS is not part of DB Merchant Solutions REST API. The data to the ACS are transferred in an HTTPS POST form. The target URL is included in the field challenge_required.acs_url of the payment initialization response.

In the case of 3-D Secure 2.1 or 2.2 the redirect should be implemented in such a way that the cardholder authentication (step 17) takes place in an iframe. In this case the sequence of steps corresponds to the "3DS Method" request.

Future versions of this interface will include additional parameters which enable you to specify the size of the iframe content provided by the ACS.

3DS Version 1

You can implement the redirect by sending the customer an HTML form that is automatically submitted via JavaScript as a response to the payment request (step 1).

As an example, a simple response to the customer could look like this:

<html>
<body onLoad="document.PaReqForm.submit()">
<form name="PaReqForm" action="https://aacse.3ds.verifiedbyvisa.com/cgi-
bin/PAResnosession" method="post">
    <noscript>
        <input type="submit" value="Continue"/>
    </noscript>
    <input type="hidden" name="MD" value="session091234_a"/>
    <input type="hidden" name="TermUrl" value="https://pay.mycompany.com/TermUrl"/>
    <input type="hidden" name="PaReq" value="eJxVUk1z2jAQvfdXeHwurGzSODCLMpDQqTslpZ
RMc+vY8o6t1JaNZFPMr68Epmkv0r79eKt9K7w/VqV3IG1kreZ+MGa+R0rUmVT53H/efRzd+ff8He4KTfT4n
USnieOajEly8mRmS8IJm7IbNp1MAuZz3Cy2tOc4UHLLOA4RrtCWalEkquWYiP0yfuI30S1jAcIAsSIdP/K0
bgvqVHaoKbXh0YeI2SuMEC5xVElF/CB12hmEM0BRd6rVPQ+jW4QrwE6XvGjbZgawT0DkcpRKBSXliehbMq0
p6gbcoWnfWfzTmHLclAiuEOHtvZvOWcY2OsqMxw+LPKvKPp18/vVyWvXrUxx+3eX9+lXMEVwGZklLPGRWHa
uRx6azgM3cBGc/JpV7IQ/eM+atnrdWgIsDG9dnMUQZQ/jXgXYB2i6o59Pozk55RUjHplZkM6zYf23MyAg7x
HC9TfDwyekvWqvkcrFabptvofwBT4rBlxf5quj3+qQ28dxt5Zzk6KVVMwiDC78DCI4GhoXD8Cms9d9n+QOC
+csc"/>
</form>
</body>
</html>

Table 5. Table 3-D Secure 1 redirect to the ACS, request parameters
Parameter	Explanation
PaReq	Required. Contains the value you received in the paReq field of the payment initialization response from DB Merchant Solutions REST API.
TermUrl	Required. This is the URL where you will receive the response of the ACS.
MD	"Merchant Data". Required but can be empty. May contain up to arbitrary 1024 ASCII characters. You will get this value back in the response from the ACS. You can use this field for example to assign the response of the ACS to a specific payment transaction.

Response

After the customer has authenticated themselves you will receive an HTTP(S) POST request from the ACS at the TermUrl in a redirect via the customer’s browser. This request contains the following parameters:

Table 6. Table 3D-Secure 2 redirect to the ACS, response parameters
Parameter	Explanation
PaRes	Required, Base64 encoded character string.
MD	Required, contains the value you submitted to the ACS earlier.

3DS Version 2

Request

For the redirect in version 2, you can proceed as in version 1 with the difference that the parameters in the request must be as follows.

Table 7. Table 3D-Secure redirect to the ACS, request parameters
creq	Required. Contains the value you received from DB Merchant Solutions REST API in the response to the payment initialization in the cReq field.
threeDSSessionData	Optional. Freely assignable. May contain up to 1024 base64url characters (letters, digits, "-", "_"). The content of this field will be returned later in the response of the ACS. You can use this field for example to assign the response of the ACS to a particular payment.

The example in this case looks like this:

<html>
<body onLoad="document.PaReqForm.submit()">
<form name="PaReqForm" action="https://aacse.3ds.verifiedbyvisa.com/cgi-
bin/PAResnosession" method="post">
    <noscript>
        <input type="submit" value="Continue"/>
    </noscript>
    <input type="hidden" name="creq" value="c2FtcGxlIGNyZXFfZGF0YQ=="/>
    <input type="hidden" name="threeDSSessionData" value="c2FtcGxlIHRocmVlRFNTZXNzaW9uRGF0YQ=="/>
</form>
</body>
</html>

Response

After the cardholder authenticated the payment the ACS sends you an HTTPS POST request by using a redirect via the customer’s browser to the URL you submitted with the payment initialization in the parameter tds_20_data.communication_data.cres_notification_url. The request contains these parameters:

Table 8. Table 3D-Secure 2 redirect to the ACS, response parameters
Parameter	Explanation
cres	Required. base64url encoded character string.
threeDSSessionData	Optional. Contains the value you submitted in the request to the ACS.

Concluding the payment (step 20-22)

Request (step 20)

Use the endpoint POST /headless3DSecure/event/{event_id}/final to conclude the payment.

To allow DB Merchant Solutions REST API to assign your request to the preceding initialization it is necessary that you submit the same event_id.

Response (step 22)

See the API doc for the format of the response.

5.1.3. Using an external 3DS Server

If you already have access to a 3DS Server, you can use it for 3-D Secure transactions for the initialization, method and challenge flow and only use DB Merchant Solutions REST API for the authorization. The transaction then is as follows:

Transaction flow of a 3DS transaction with an external 3DS Server

Request (step 20)

Use the endpoint POST /payment/event/{event_id}/creditcard/{tx_action} for 3-D Secure transactions with an external 3DS Server. Before using this endpoint it is necessary to obtain the required data from the 3DS Server. In particular, for 3-D Secure 2.1 or 2.2 transactions the following parameters (grouped under tds_external_data.tds_20_external_data) must be obtained from the 3DS Server:

tds_ds_trans_id (unique transaction identifier assigned by the 3-D Secure Directory Server)
tds_authentication_value (authentication value assigned by the 3-D Secure Directory Server or ACS)
eci (electronic commerce indicator provided by the 3-D Secure Directory Server or ACS)

Response (step 22)

DB Merchant Solutions REST API sends a response with the same parameters as in the case of a 3D-secure transaction with using DB Merchant Solutions as the 3DS Server, see section Concluding the payment (step 20-22).

5.1.4. Credit

See Credit for general information about issuing a credit.

For credit cards, use the payment credit card endpoint with tx_action = credit for all integration types.

5.1.5. Tutorial: recurring credit card transactions

Background

DB Merchant Solutions REST API supports not only the usual (so-called one-off) credit card transactions, where the customer pays for a single purchase, but also recurring transactions, where the merchant bills a customer repeatedly. There are two types of recurring transactions:

Table 9. Recurring and UCOF transactions
Type	Definition	Examples
Recurring	A transaction in a series of transactions that use a stored credential and that are processed at fixed, regular intervals (not to exceed one year between transactions), representing cardholder agreement for the merchant to initiate future transactions for the purchase of goods or services provided at regular intervals. Typically, all transactions will have the same amount.	Magazine subscriptions, electricity bills, insurance payments.
Unscheduled credential on file (UCOF)	A transaction using a stored credential for a fixed or variable amount that does not occur on a scheduled or regularly occurring transaction date, where the cardholder has provided consent for the merchant to initiate one or more future transactions.	Account auto-top up transactions, for example recharging a prepaid card for a mobile phone.

3D Secure and recurring transactions

The first transaction of a sequence of recurring transactions has to be customer-initiated (CIT) and must be secured with 3D Secure.

The subsequent transactions are merchant-initiated (MIT) and need not be secured with 3D Secure. This is because clearly no customer interaction is possible and the customer has already authenticated themselves with the first transaction.

Course of transactions

To use recurring or UCOF transactions, proceed as follows.

Create a credit card alias using POST /alias/creditcard or POST /form/alias/creditcard.

Save the response parameter alias_info.alias for use in further transactions.

For the first transaction, use the request POST /headless3DSecure/event/{event_id}/{tx_action}/initialize or POST /payment/event/{event_id}/creditcard/{tx_action} depending on whether using an internal or an external 3-D Secure Server. Set the following parameters:
- series_flag: RECURRING or UCOF
- sequence_type: FIRST
- alias: as obtained in step 1.

Save the response parameter recurring_payment to use in further transactions.

For further transactions, use the same request as in step 2 and set the parameters
- series_flag: RECURRING or UCOF
- sequence_type: RECURRING
- recurring_payment: as obtained in step 2
- alias: as obtained in step 1.
For the last transaction, use the same request as in step 2 and set the parameters
- series_flag: RECURRING or UCOF
- sequence_type: FINAL
- recurring_payment: as obtained in step 2
- alias: as obtained in step 1.

Note: If the merchant does not know if the transaction is the final transaction in the sequence, they may also set sequence_type = RECURRING indefinitely after the first transaction.

Declined transactions and how to deal with them

For one-off transactions, the issuer has the possibility of a so-called "soft decline", that is requesting a 3D Secure authentication. For recurring transactions, soft declines are not possible. However, as is the case with all credit card transactions, a recurring transaction might be declined because of lack of funds or other reasons. In particular, a recurring transaction might be declined because the card has expired in the meantime. In this case, the merchant has to start another series of recurring transactions:

The credit card alias created in step 1 above can be reused, so step 1 is not necessary.
The merchant has to contact the customer for step 2, that is start another transaction with 3D secure and set sequence_type = FIRST.
The following transactions then can be carried out as before.

5.1.6. Response codes

The following table shows the most common response codes for credit card transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1548	Transaction is pending.
1507	Transaction rejected.
1554	3-D Secure authentication failed.
1806	Strong customer authentication required.
1524	3-D Secure authorisation failed on directory lookup.
1502	Configuration problem.
1512	Card suspicious.
1510	Card invalid.
1504	System error.
1509	Card expired.
1105	Backend system error.
1516	Retain card.
1103	Illegible gateway response.
1100	Unexpected error.
1506	Temporary error.
1514	Card restricted.
9000	Indeterminate error
1102	Gateway connection problem.
1515	Invalid amount.
1511	Card stolen.
1501	Voice authorisation expected.
1401	Cancelled by user.
1503	Card issuer not reachable.
1537	Outcome of the transaction unknown.
1508	Transaction rejected by card holder.
1513	Card unknown.
1536	Configuration problem.
1101	Wrong field in response message from backend gateway.

5.1.7. Test data

In the test system, a credit card payment with an amount of 10XX.00 EUR, that is amount_total.amount = 10XX00 and amount_total.currency = EUR, will be rejected with back_rc = XX.

Do not use real credit card data for your tests.

For tests of credit card payments the card numbers listed in the following tables are available. Use an expiry date in the future for successful test payments. The card verification code is not verified on the test system. You can enter any three-digit number.

The columns have the following meaning:

Brand: Credit card brand (Visa, Mastercard, or Maestro)
Number: credit card number
flow: Type of 3D secure flow. Possible values:
- No 3DS
- Without cardholder authorization
- With cardholder authorization
- With 3DS Method
- With 3DS Method and cardholder authorization
3DS required field check: See 3DS required fields for the requirements for required fields for 3D Secure transactions. Possible values:
- not applicable: for non 3DS transactions
- never: The test simulation will never check the 3DS required fields, that is, accept transactions that do not include one or more of these fields.
- always: The test simulation will always check the 3DS required fields, that is, decline transactions that do not include one or more of these fields.
- starting from 2024-08-12: The test simulation will not check the 3DS required fields before 2024-08-11 and will check the 3DS required fields from 2024-08-12.
This allows for testing the new requirements already before 2024-08-12.
Issuer country: Possible values DE (Germany) or US. This allows for testing blocked issuer countries.

Brand

Number

Flow

3DS required field check

Issuer country

Visa

4116111111111116

No 3DS

not applicable

Mastercard

5232050000010003

No 3DS

not applicable

Maestro

6799990100000000019

No 3DS

not applicable

To carry out a 3-D Secure 2.1 or 2.2 simulation you can use the test card numbers given in the following table.

Brand

Number

Flow

3DS required field check

Issuer country

Visa

4012001037167778

Without cardholder authorization

from 2024-08-12

Visa

4111111111111111

Without cardholder authorization

from 2024-08-12

Visa

4012001037664444

With cardholder authorization

from 2024-08-12

Visa

4012001037484447

With cardholder authorization

never

Visa

4761739090000088

With cardholder authorization

always

Visa

4005559876540

With 3DS Method

from 2024-08-12

Visa

4012001036853337

With 3DS Method and cardholder authorization

from 2024-08-12

Mastercard

5453010000062745

With cardholder authorization

never

Mastercard

5453010000084541

With cardholder authorization

always

5.2. Google Pay

5.2.1. Introduction

Background

Google Pay is offered as a variant of credit card transactions. If customers have their credit card connected to their Google account or digitized into their Google Wallet, they can make purchases using Google Pay with a simpler and secure checkout process on a web page or in an Android app.

The merchant will obtain the card data in an encrypted form. Within DB Merchant Solutions REST API, the keys for decryption of the card data are always held by Deutsche Bank’s backend systems. Therefore, a merchant will not come in contact with PCI relevant data.

Getting started: documentation provided by Google

For getting started, refer to the Google Pay documentation, which provides both business and implementation information.

Supported countries and currencies

DB Merchant Solutions REST API supports Google Pay for all countries and currencies that are also supported for conventional credit card transactions.

Supported integration types

DB Merchant Solutions REST API supports Google Pay in the following integration types:

Form service checkout page,
direct integration,
Widget Solution.

See Integration types for general information on the offered integration types.

Supported cards, transaction kinds, and authorization methods

DB Merchant Solutions REST API supports Google Pay for the same credit card schemes as for conventional credit card payments, that is, Mastercard and Visa.

Google Pay supports the following transaction kinds:

authorization (standard and recurring)
pre-authorization
capture (full and single partial)
refund (full and single partial)
reversal (full)
verify means of payment (MOP).

Google Pay has the same reservation period for pre-authorizations, the same time frame for reversals, and the same support for overcaptures as conventional credit cards.

DB Merchant Solutions REST API supports all Google Pay authorization methods:

CRYPTOGRAM_3DS (with CDCVM as SCA)
PAN_ONLY (potentially including the additional 3-D Secure authentication).

Both authMethod types are supported when Deutsche Bank provides the customer interface (Form service). Deutsche Bank therefore recommends merchants that implement their own customer interface, that is, use the direct integration, to also support both authMethod types.

The difference between CRYPTOGRAM_3DS and PAN_ONLY is as follows:

CRYPTOGRAM_3DS: This is available only when using an Android device and the Chrome browser. Here the authentication is handled by the device using the Device Cardholder Verification Method (CDCVM), for example by using the devices fingerprint sensor, to perform a strong customer authentication (SCA). In this case, 3D Secure is not required.
PAN_ONLY: This is available on all devices and all browsers. In this case, the authentication uses the 3D Secure flow in the same way as conventional credit card transactions.

Merchant integration and onboarding requirements

In order to offer Google Pay to their customers, merchants need to integrate with Google Pay and therefore agree with Google Pay’s Terms of Service. In particular, merchants need to fulfill the relevant integration checklists:

for payments via a web page: Google Pay Web integration checklist
for payments via an Android app: Google Pay Android integration checklist.

To offer Google Pay via DB Merchant Solutions REST API, a merchant must meet the following requirements:

Sign up with Google following Google’s quick start guide.

Provide the domain merch.directpos.de as payment gateway and as one of the domains from which you intend to call the Google Pay API (see Google Pay Setup).

Provide the required configuration concerning your payment gateway within Google Pay’s merchant’s business console.
The merchant must contact Deutsche Bank customer support for onboarding. When using direct integration, a merchant will receive the gatewayMerchantId as issued by DB Merchant Solutions REST API as a gateway for Google Pay, which they need to use when processing Google Pay transactions.
The merchant must also support regular credit card payments, see Credit card transactions.

5.2.2. Authorization and pre-authorization

For authorization and pre-authorization, use the following endpoints depending on the integration type:

Form service checkout page: Use the standard checkout endpoint and supply the parameter google_pay_credit_card_data to initialize the transaction. The subfields googlepay_country_code, googlepay_domain_name, and googlepay_merchant_id are required.

The fields basket.shipping_costs and for each basket_item, name, unit_price.net` and unit_price.gross, are required as they are displayed to the customer when using Google Pay. For each basket item, the basket item gross amount is calculated as quantity.quantity_amount * unit_price.gross - item_discount.gross. It is required that amount_total.amount equals the sum over each basket item gross amount plus the shipping costs minus the basket discount.

Direct integration: Use the Google Pay endpoint to initialize the transaction. Use the endpoints Headless 3D secure Method Completed and Headless 3D secure Final to complete the transaction just as with conventional 3D-secure credit card transactions.

Details for Form service checkout page integration

The course of transaction for Form service checkout page is the standard checkout page transaction flow.

Details for direct integration

The authorization and pre-authorization course of transaction is - compared to the regular credit card flow - extended by additional Google Pay specific communication and therefore potentially more complex.

Follow the instructions provided in Google Pay Web developer documentation for the integration of Google Pay within a web page.

Follow the instructions provided in Google Pay Android developer documentation for the integration of Google Pay within an Android app.

Course of transaction

The course of transaction is as follows:

The customer enters the shop’s pay page.
The shop displays the Google Pay button or mark.
The customer selects Google Pay by tapping the Google Pay button.
The shop displays the Google Pay interaction as a modal window.
The customer selects the payment method, that is, the credit card to be used.
Google sends the credit card token to the shop.
The shop sends the token together with additional fields to DB Merchant Solutions REST API.
DB Merchant Solutions REST API processes the token.
DB Merchant Solutions REST API sends the response to the shop.
Depending on the response in 9, the shop redirects to 11, or continues with the transaction as a headless 3D Secure transaction (see authorization types, Flow of a 3DS transaction (steps 5 - 22)).
The shop informs the customer about the payment outcome.

Display the Google Pay button or Google Pay mark (step 2)

The initiation of a Google Pay transaction is triggered by the customer tapping a dedicated Google Pay payment button or Google Pay pay mark.

Use the payment button when offering Google Pay as the only payment method. Use the pay mark when offering Google Pay as one of several payment method options.

For obtaining the payment button or the pay mark as well as their presentation requirements, see

for payments via a web page: Google Pay web brand guidelines
for payments via an Android app: Google Pay Android brand guidelines.

Use the Google Pay API JavaScript library to display the button by including it as follows:

<script src="https://pay.google.com/gp/p/js/pay.js"></script>

Obtain the Google Pay token (steps 4 to 6)

In the request to obtain a token, a merchant shall set the required IDs as follows:

Set gatewayId (used in PaymentMethodTokenizationSpecification) to 'processingpagateq', DB Merchant Solutions REST API’s identifier as issued by Google Pay.
Set gatewayMerchantId (used in PaymentMethodTokenizationSpecification) to the value obtained during onboarding with DB Merchant Solutions REST API.
Set merchantId (used in merchantInfo) to the value obtained from the Google Pay Business Console.

Send the token to DB Merchant Solutions REST API (step 7)

Use the Google Pay endpoint to initiate the transaction at DB Merchant Solutions REST API. Only the fields amount and googlepay_token are required. For a 3DS transaction, additionally the field tds20_data and its subfields as described in 3DS required fields are required.

Use the field billingAddress.name from Google’s response for the field cardholder if it is not available otherwise.

If Google’s response did include a shipping address, set the parameters shipping_address accordingly.

If the request shall initiate a series of transactions (for example for recurring transactions), the merchant must use an alias, that is, set alias_action to create in the initial request. All follow-up transactions must use the standard credit card payment endpoint and contain not the googlepay_token but instead contain the alias obtained in the response to the first request. Moreover, the follow-up transactions must contain the parameters sequence_type (either RECURRING or FINAL), series_flag (either RECURRING or UCOF), and recurring_payment. See also Credit card recurring transactions.

The usage of an alias is necessary as the original googlepay_token might expire and therefore a follow-up transaction request might be declined by DB Merchant Solutions REST API.

Basket ID

The requirements for the parameter basket.basket_id for Google Pay are the same as for a credit card transaction, see Credit card basket ID.

Using the risk check

DB Merchant Solutions REST API supports a risk check to calculate a risk score for a transaction and then automatically decline a transaction which has a high risk score or which triggers certain rules.

Add RISKCHECK to the parameter processing_options to calculate this risk score and then automatically decline high risk transactions. Furthermore, supply as much information as possible in the following parameters to allow for a good risk score calculation:

shipping_address
billing_address
basket
customer_information
device_information
account_information
merchant_risk_indicators.

The billing address information will not be parsed out of the Google Pay specific data object. If the merchant wants to include the billing address in the risk check, it must be provided explicitly as in the context of other payment types. Also, the format must obey the general requirements of DB Merchant Solutions REST API.

Pre-transaction checks

DB Merchant Solutions REST API checks the following:

The provided googlepay_token is valid, that is,
- the signature is valid (including checks that the used keys are valid and not expired),
- the token can be decrypted to meaningful payment data, and
- the token itself is not expired.
The requested card scheme is supported (see above for the supported schemes).
Furthermore, all checks for credit card transactions are also applied to Google Pay transactions.

If one of the checks fails, the transaction is declined.

Form of the response (step 9)

DB Merchant Solutions REST API generates the response to a merchant’s request for Google Pay in the same way as for a credit card transaction.

Continue with the transaction as a headless 3D Secure transaction (step 10)

Continue with the transaction as a conventional headless 3D Secure transaction, see Creditcard 3D Secure transaction flow.

In particular, use the endpoints Headless 3D secure Method Completed and Headless 3D secure Final to complete the transaction.

5.2.3. Capture, refund, and reversal

For captures, reversals, and refunds, for all integration types use the general subsequent transaction endpoint, setting kind = CREDITCARD (as a Google Pay transaction is a credit card transaction).

5.2.4. Diagnosis requests

For retrieving information about a previous transaction, use the general endpoints for diagnosis for an event and diagnosis for a single transaction.

5.2.5. Test data

Google Pay provides a test card suite for testing (see Test card suite).

This test card suite is used in TEST mode if the customer’s Google account is not assigned to the real data group.

For the integration types Form service and Widget Solution, TEST mode is used automatically in the test environment DB Merchant Solutions REST API (see test and production). For Direct integration, the environment must be set to TEST.

In this case, the cards of the test cards suite are offered as means of payment. The test card numbers and test data (names, addresses, and telephone numbers) are transferred to the test gateway.

The test card suite only supports the authentication method PAN_ONLY and can therefore be used to test 3DS integration (see Supported cards, transaction kinds, and authorization methods).

The following card are supported by the test backends of DB Merchant Solutions REST API. Other cards lead to errors in the 3DS flow.

Scheme

PAN

Masked PAN

3DS Flow

Visa

4111111111111111

****1111

Frictionless

Mastercard

5555555555554444

****4444

Frictionless

Amex

378282246310005

****0005

Challenge

If the customer’s Google account is assigned to the real data group, the cards of the Google web wallet are offered if available. If the customer uses the Chrome Browser on an Android device and has a tokenized card in his Google Wallet app, this credit card is also offered as means of payment.

In this case, sample tokens are transferred to the payment backends (see Test with sample tokens). Especially, no real credit card data is transferred. If further customer data (like names, telephone numbers, or addresses) are transferred, the real data from the Google account are taken.

Important: If a card from the Google Wallet app is chosen, the sample token also uses the authentication method CRYPTOGRAM_3DS (see Supported cards, transaction kinds, and authorization methods). In this case, 3D Secure is not required. Transaction always succeed in TEST mode.

5.3. Apple Pay

5.3.1. Introduction

Background

Apple Pay is a technical scheme (based on an underlying card payment scheme) that supports paying with a digital wallet

at a merchant’s web page (web payments) for customers using the Safari browser on an Apple device or
within a merchant’s iOS app (app payments).

DB Merchant Solutions REST API supports Apple Pay for credit cards (Mastercard and Visa).

When integrating Apple Pay in a web page, a merchant needs to comply with Acceptable Use Guidelines for Apple Pay on the Web. When integrating Apple Pay in an app, a merchant needs to comply with Apple In-App Purchase regulations.

Getting started: documentation provided by Apple

For getting started, refer to the Apple documentation, which provides both business and implementation information.

Supported countries and currencies

DB Merchant Solutions REST API supports Apple Pay for all countries and currencies that are also supported for conventional credit card transactions.

Supported integration types

DB Merchant Solutions REST API supports Apple Pay in the integration types

Form service checkout page,
Widget Solution,
direct integration (web payment and app payment).

See Integration types for general information on these integration types.

For direct integration, Apple Pay furthermore distinguishes two types of integration: Apple Managed Integration and Apple Individual Integration.

The following table gives an overview on the main differences for a merchant between the two direct integration types:

Apple Managed Integration

Apple Individual Integration

Web payments

supported

App payments

not supported

supported

Onboarding with Apple necessary

yes

Certificate signing and renewal necessary

yes

Communication with the Apple Pay Server necessary

yes

The integration type Widget Solution requires Apple Managed Integration.

Supported cards, transaction kinds, and authorization methods

DB Merchant Solutions REST API supports Apple Pay for the card networks Mastercard and Visa.

Apple Pay supports the following transaction kinds:

authorization
pre-authorization
capture (full and single partial)
reversal (full)
refund (full and single partial)
verify means of payment (MOP).

An Apple Pay transaction is always based on a card cryptogram generated by the digital card and secured with a Consumer Device Cardholder Verification Method (CDCVM). Therefore, an Apple Pay transaction will not result in the customer having to perform a 3-D secure authentication.

Apple Pay has the same reservation period for pre-authorizations, the same time frame for reversals, and the same support for overcaptures as conventional credit cards.

Apple Pay and PCI DSS

During the payment process, the merchant receives the card data in an encrypted form. As the keys for decryption of the card data are always held by DB Merchant Solutions REST API’s backend systems, a merchant does not come into contact with PCI relevant data.

5.3.2. Onboarding

Requirements for all integration types

Contact Deutsche Bank customer support for onboarding as this currently requires a manual process. A merchant needs to be onboarded or in the process of onboarding for credit card payments in general.

For Form service no further steps are necessary because the Apple Pay payment button is displayed on the hosted page of DB Merchant Solutions REST API.

For direct integration and Widget Solution, the Apple Pay button is displayed directly on the merchant’s web shop (or mobile app). To enable this, the merchant requires an Apple merchant identifier.

For Apple Managed Integration, the registration of the Apple merchant identifier is done by Deutsche Bank customer support while, for Apple Individual Integration, this must be done by the merchants themselves.

The following issues are common to managed and individual integration:

Using the Apple merchant identifier

The Apple merchant identifier is needed to integrate Apple Pay as a payment method. For Apple Managed Integration, merchants receive this identifier during the onboarding process from Deutsche Bank customer support (see Apple Managed Integration).

For Apple Individual Integration, the ID is created during registration (see Apple Individual Integration).

Testing and production

For integration of Apple Pay with DB Merchant Solutions REST API, different Apple merchant identifiers are needed for testing and production environment (to provide additional data security). This implies that all the following steps have to be done separately for the two environments.

Identify the domain list

During registration of an Apple merchant identifier, the merchant has to specify a list of all domains which offer Apply Pay. As described at Configuring Your Environment this means:

The merchant must register and verify all top-level domains and subdomains where the Apple Pay button is displayed.

Example:

The Apple Pay button is displayed on wwww.example.com and shop.example.com. Then, the domain list consists of

example.com (as the top level domain),
www.example.com,
shop.example.com.

Special care has to taken in the following situation:

To simplify integration, a merchant may display the pay button on page under a different domain (like payment.example.com). This page might be embedded in the origin page using an IFrame. In this case, the origin page and the embedded page must have the same top-level domain, and both subdomains must be registered.

Therefore, in this example the following domain has to be added to the domain list:

payment.example.com

Prepare the domain verification

During the registration process of an Apple merchant identifier the domains in the domain list (see above) are verified. It is checked whether the merchant actually has access to the domains.

For the verification, for each domain [DOMAIN_NAME] of the domain list, the merchant has to host a domain verification file under the following URI:

https://[DOMAIN_NAME]/.well-known/apple-developer-merchantid-domain-association

For example, if an Apple Pay payment button will be displayed on https://shop.example.com, then the subdomain is shop.example.com and the top-level domain is example.com. The domain verification file shall be hosted under the URIs

https://example.com/.well-known/apple-developer-merchantid-domain-association and
https://shop.example.com/.well-known/apple-developer-merchantid-domain-association.

It’s important to note that for Apple Managed Integration the preparation of the domain verification has to be finished before the onboarding starts.

The following points have to be considered. For further details, see Configuring Your Environment.

The domain verification file is provided differently for Apple Managed Integration and Apple Individual Integration:
- For Apple Managed Integration:
  
  Download the following domain verification files or contact Deutsche Bank customer support:
  - Domain verification file test for the sandbox domains,
  - Domain verification file production for the productive domains.
- For Apple Managed Integration merchants receive the domain verification file in their Apple Developer Account which is necessary for registering an Apple merchant identifier individually.
Note that it is possible that a domain may be registered and verified for more than one Apple Pay merchant identifier: The domain verification file may be changed or removed after the successful verification of a domain for an Apple Pay merchant identifier.

This applies (for example) when subdomains for testing and production are hosted under the same top-level domain.
It is important that the domain verification files are publicly accessible and not protected by authentication or firewalls.
The URI has to point to the domain verification file itself, not to a directory which contains a file. Therefore, the domain verification may have to be renamed.
The location for the top-level domain (for example example.com) may be redirected to a subdomain (for example www.example.com).

Apple Managed Integration

If a merchant decides to use Apple Managed Integration (see Supported integration types) they have to do the following steps.

The process has to be done separately for testing and production environment. If the test environment is hosted under the same top-level domain, the onboarding for the test environment has to be successfully finished before starting onboarding for the production environment.

Identify the domain list (see Identify the domain list).
Prepare the domain verification (see Prepare the domain verification).
Contact Deutsche Bank customer support, provide the following information:
- The environment to be used (test or production),
- the domain list.
Receive the Apple Pay merchant identifier from Deutsche Bank customer support (see Using the Apple merchant identifier).
The further onboarding will take place without further involvement of the merchant. Deutsche Bank customer support will inform the merchant when onboarding has been completed successfully.
Integrate the Apple Pay according to the integration type of choice.

For the test environment a Sandbox Apple Pay account can be used for testing. If the merchant chooses to use such an account, the following steps have to be done. This step can also be included in step 3.

Provide an email address to Deutsche Bank customer support which is not yet linked to an Apple account.
Receive the credentials and settings of the created Sandbox Apple Pay account to log into a supported Apple device.

If the domain list changes, the merchant must contact Deutsche Bank customer support and inform of the removed or added domains. For added domains, the domain verification has to be prepared as described above.

Apple Individual Integration

For Apple Individual Integration merchants create Apple merchant identifiers by themselves (see Using the Apple merchant identifier).

Setting up Apple Pay is described under Setting up Apple Pay.

Note the following issues:

If you haven’t already access to Apple Developer, create an Apple Developer account.
Register different Apple merchant identifiers for test and production.
For each Apple merchant identifier, two certificates have to be created: The Apple Pay Payment Processing Certificate and the Apple Pay Merchant Identity Certificate.
Concerning the Apple Pay Payment Processing Certificate:
- Contact Deutsche Bank customer support to receive a certificate signing request for a public key, which will enable Apple Pay to encrypt the transferred credit card data.
- When creating the payment processing certificate, upload the certificate signing request you received from Deutsche Bank customer support.
- You receive a .cer file containing the certificate.
The signing request for the Apple Pay Merchant Identity Certificate is not received from Deutsche Bank customer support but created by the merchants themselves.
Identify the domain list as described in Identify the domain list.
Add the domains of the domain list to the Apple merchant identifier: For each domain, you download a verification file apple-developer-merchantid-domain-association which has to be added to the domain as described in Prepare the domain verification.
After completing setting up Apple Pay, contact Deutsche Bank customer support to inform about the successful onboarding. Provide the Apple merchant identifier and the received .cer file for the payment processing certificate (but not the also obtained .cer file for the merchant identity certificate). Deutsche Bank customer support will use this information to complete the merchant’s configuration for Apple Pay.

5.3.3. Certificate renewal

The payment processing certificates used in transaction processing have a period of validity of 25 months and therefore need to be renewed accordingly:

Apple Managed Integration

For merchants that are integrated via Apple Managed Integration, the process of certificate renewal is completely in the hands of DB Merchant Solutions REST API and will be done transparently for the merchant.

Apple Individual Integration

For merchants that are integrated via Apple Individual Integration, the process of certificate renewal is mainly in the responsibility of the merchants themselves, who have to follow Apple’s instructions (Maintaining your environment).

As with the initial onboarding (see section Apple Individual Integration), merchants have to register a payment transaction processing certificate corresponding to a key from DB Merchant Solutions REST API. Therefore, they need to contact Deutsche Bank customer support to obtain a renewed certificate signing request, which they need to use during certificate renewal with Apple.

In the process, they again will receive a corresponding certificate and will have to provide this back to Deutsche Bank customer support.

5.3.4. Authorization and pre-authorization

The authorization and pre-authorization process is - compared to the regular credit card flow - extended by additional Apple Pay specific communication and therefore potentially more complex. The transaction flow depends on the kind of integration the merchant is using:

Form service checkout page: Use the standard checkout endpoint and supply the corresponding Apple Pay data. The process itself will be identical to other payment processes via this endpoint, see checkout page transaction flow.
Direct integration: The transaction processing flow depends on the kind of integration, the merchant chose for Apple Pay, see section Transaction processing for Apple Managed Integration for Apple Managed Integration and Transaction processing for Apple Individual Integration for Apple Individual Integration.

Direct integration: displaying the Apple Pay button

When using direct integration (for both Apple Managed Integration and Apple Individual Integration), the initiation of an Apple Pay transaction is triggered by the customer tapping a dedicated Apple Pay payment button.

For obtaining the payment button and its presentation requirements, see Apple Pay buttons and the references given there.

Use the Apple Pay API JavaScript library to display the button by including it as follows:

<script src="https://applepay.cdn-apple.com/jsapi/v1/apple-pay-sdk.js"></script>

Transaction processing for Apple Managed Integration

Before the merchant can obtain the actual payment token that will be used for transaction processing, a Payment Session with Apple must be established. In case of Apple Managed Integration, the Payment Session is initiated by DB Merchant Solutions REST API based on a request from the merchant. In its response, DB Merchant Solutions REST API will include an applepay_payment_session_token, which is needed to proceed the transaction with the customer.

It is important to take in mind that the apple_payment_session_token in the ApplePayPaymentSessionResponse of the Apple Pay payment session request is Base64 encoded. It has to be decoded before further use. In JavaScript this can be done with the atob function using the following code snippet:

var decodedToken = atob(paySessToken);
if (useDevice===true) {
    applePaySession.completeMerchantValidation( JSON.parse( decodedToken ) );
} else {
    addlog("do not use device");
}

Once the customer has finished the transaction, the browser will call the 'onpaymentauthorized' method of the merchant and hand over an ApplePayPayment object to the merchant.

The merchant can extract the ApplePayPaymentToken from this object and set up a request to DB Merchant Solutions REST API including this object to finish the transaction. After processing the request, DB Merchant Solutions REST API will send a response to the merchant. The transaction result is contained in processed.rc, either indicating a successful (processed.rc equal to 0) or non-successful (processed.rc different from 0) transaction. The merchant must present the result by calling the completepayment method.

Transaction processing for Apple Individual Integration

Before the merchant can obtain the actual payment token that will be used for transaction processing, a Payment Session with Apple must be established.

In case of Apple Individual Integration, the Payment Session is initiated directly by the merchant with an ApplePayPaymentSessionRequest. In its response, Apple Pay will include an ApplePaySession, which is needed to proceed the transaction with the customer.

Once the customer has finished the transaction, the browser will call the onpaymentauthorized method of the merchant and hand over an ApplePayPayment object to the merchant. The merchant can extract the ApplePayPaymentToken from this object and set up a request to DB Merchant Solutions REST API including this object to finish the transaction. After processing the request, DB Merchant Solutions REST API will send a response to the merchant. The transaction result is contained in processed.rc, either indicating a successful (processed.rc equal to 0) or non-successful (processed.rc different from 0) transaction. The merchant must present the result by calling the completepayment method.

Using the parameters

A minimal example

Use the Apple Pay endpoint to initiate the transaction at DB Merchant Solutions REST API. As indicated above, for each initial Apple Pay transaction the following fields are required:

amount_total.amaount and amount_total.currency
means_of_payment.applepay_token.

If the request shall initiate a series of transactions (for example for recurring transactions), the merchant must use an alias, that is, set alias_action to create in the initial request. All follow-up transactions must use the standard credit card payment endpoint and contain not the applepay_token but instead contain the alias obtained in the response to the first request. Moreover, the follow-up transactions must contain the parameters sequence_type (either RECURRING or FINAL), series_flag (either RECURRING or UCOF), and recurring_payment. See also Credit card recurring transactions.

Also note Apple Pay’s specific requirements on recurringPaymentRequests.

The usage of an alias is necessary as the original applepay_token might expire and therefore a follow-up transaction request might be declined by DB Merchant Solutions REST API.

Submitting basket items and consistency of amounts

If basket items are submitted, for each basket item the fields unit_price.net and unit_price.gross are required.

Furthermore, the amounts have to be consistent as follows.

For each basket item, the basket item gross amount is calculated as quantity.quantity_amount * unit_price.gross - item_discount.gross. It is required that amount_total.amount equals the sum over each basket item gross amount plus the shipping costs minus the basket discount.

Basket ID

The requirements for the parameter basket.basket_id for Apple Pay are the same as for a credit card transaction, see Credit card basket ID.

Using the risk check

shipping_address
billing_address
basket
customer_information
device_information
account_information
merchant_risk_indicators.

The billing address information will not be parsed out of the Apple Pay specific data object. If the merchant wants to include the billing address in the risk check, it must be provided explicitly as in the context of other payment types. Also, the format must obey the general requirements of DB Merchant Solutions REST API.

Pre-transaction checks

DB Merchant Solutions REST API checks the following:

The provided applepay_token is valid, that is,
- the signature is valid (including checks that the used keys are valid and not expired),
- the token can be decrypted to meaningful payment data, and
- the token itself is not expired.
The requested card scheme is supported (see above for the supported schemes).
Furthermore, all checks for credit card transactions are also applied to Apple Pay transactions.

If one of the checks fails, the transaction is declined.

Form of the response

DB Merchant Solutions REST API generates the response to a merchant’s request for Apple Pay in the same way as for a credit card transaction.

5.3.5. Capture, refund, and reversal

For captures, reversals, and refunds, for all integration types use the general subsequent transaction endpoint, setting kind = CREDITCARD (as an Apple Pay transaction is a credit card transaction).

5.3.6. Diagnosis requests

For retrieving information about a previous transaction, use the general endpoints for diagnosis for an event and diagnosis for a single transaction.

5.3.7. Test data

When using Apple Individual Integration, refer to Apple test data for test data for Apple Pay.
When using Apple Managed Integration, contact Deutsche Bank customer support for test data for Apple Pay.

5.4. SEPA Direct Debit (SDD)

5.4.1. Introduction

Background

SEPA Direct Debit (SDD) is a payment method which allows a customer having a bank account in one of the 36 SEPA member states to pay by giving their bank account information and authorizing the transaction by issuing a mandate.

SEPA Credit Transfer (SCT) similarly supports credit transfers for the SEPA region.

Supported countries and currencies

SDD is available in the following countries (with their ISO country codes):

Members of the European Union:

Austria (AT), Belgium (BE), Bulgaria (BG), Croatia (HR), Republic of Cyprus (CY), Czech Republic (CZ), Denmark (DK), Estonia (EE), Finland (FI), France, Germany (FR), Greece (GR), Hungary (HU), Ireland (IE), Italy (IT), Latvia (LV), Lithuania (LT), Luxembourg (LU), Malta (MT), Netherlands (NL), Poland (PL), Portugal (PT), Romania (RO), Slovakia (SK), Slovenia (SI), Spain (ES), and Sweden (SE).
Members of EFTA:

Iceland (IS), Liechtenstein (LI), Norway (NO), and Switzerland (CH).
Further countries:

Andorra (AD), Monaco (MC), San Marino (SM), and Vatican City (VA).

SDD supports EUR as currency.

Merchant obligations

When using SDD, the merchant has to observe the SEPA regulations regarding the pre-notification of customers and the issuing of mandates by customers.

Requirements

To use SDD/SCT, you have to provide the following information during onboarding:

IBAN and BIC of the merchant’s bank account (to which the payments shall be transferred and from which the refunds shall be credited),
the name of the bank account holder,
the merchant’s SEPA creditor ID,
the name of the shop.

Supported integration types

DB Merchant Solutions REST API supports SDD/SCT in all integration types.

Supported transaction kinds

SDD/SCT supports the following transaction kinds:

authorization (standard and recurring)
pre-authorization
capture (full and multiple partial)
refund (full and multiple partial)
reversal (full and single partial)
credit
verify means of payment (MOP).

Contact Deutsche Bank customer support to activate multiple captures and refunds.

For an SDD pre-authorization, the reservation period is 30 days. For SDD, the reversal of an authorization, capture, credit, or refund is possible until the end of the day of the transaction (Central European Time (CET) or Central European Summer Time (CEST)).

SDD supports a capture with an amount less than or equal to the amount of the pre-authorization for all customers, but does not support an overcapture, that is, a capture with an amount exceeding the amount of the pre-authorization.

5.4.2. Authorization, pre-authorization, and verify means of payment

See Authorization, Pre-authorization, and Verify means of payment for general information about authorization, pre-authorization and verify means of payment.

For SDD, use the following endpoints:

Payment: Use the endpoint /payment/event/{event_id}/directdebit/{tx_action}.
iFrame Service: Use the standard endpoint /iframe/initialize to initialize the action and then use the payment endpoint.
Form service with payment method selection: Use the standard endpoint /form/event/{event_id}/checkout/{tx_action} and supply the data under checkout_page_configuration.direct_debit_data.
Form service with payment method already set to SDD: Use the endpoint /form/event/{event_id}/directdebit/{tx_action}.

Required and optional fields

For each SDD authorization or pre-authorization, the following fields are required:

The total amount (amount_total),
customer’s bank account information,
and the mandate information (mandate).

All other fields are optional.

For the payment endpoint customer’s bank account information is provided within the field means_of_payment. It can be supplied in one of three ways:

Direcly provide it via bank_account.iban and bank_account.bic.
Use a previously created alias (see Aliases).
When using the iFrame service, use the token it provides (see iFrame Service).

The BIC is optional in countries of the European Union and required in all other countries (see Supported countries and currencies). This is not validated by DB Merchant Solutions REST API but is in the responsibility of the merchant (who may use the country codes given in Supported countries and currencies which are the prefixes of the IBAN).

For Form service customer’s bank account information is input in the form provided by DB Merchant Solutions. By default, the form contains input fields for IBAN and BIC. BIC is required for countries outside the European Union. This is validated by Form service. The merchant’s shop can be configured to only accept payments from german accounts (ask Deutsche Bank customer support for details if required). In this case the input field for BIC is omitted.

The mandate information has to be supplied via the field mandate which is a required field of the payment endpoint and required subfield of direct_debit_data for Form service. The required and optional field of mandate are described in SEPA mandate management

Use the parameter due_date to indicate when the SDD shall be booked. The due date has to be at least three TARGET2 business days after the current date and at most 14 calendar days after the current date. If the due date is less than three TARGET2 business days after the current date, the SDD will be booked three TARGET2 business days from the current date. Likewise, if the due date is more than 14 calendar days after the current date, it will be booked 14 calendar days from the current date.

TARGET2 business days are Monday to Friday except for TARGET2 closing days, see the TARGET2 calendar.

If you leave due_date empty, the direct debit is carried out as soon as possible.

The parameter basket_id will be set in the customer bank account statement in the field Remittance information (unstructured). Therefore, the basket_id for SDD must meet the following requirements:

maximal length: 140
allowed characters: a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , + '.

Pre-transaction checks

DB Merchant Solutions REST API checks the following:

the BIC exists, if provided
the check digits of the provided IBAN are correct
the error checking number of the bank account number, which is part of the IBAN, is calculated correctly according to the bank’s verification rule
the IBAN is not on a blocklist as configured by Deutsche Bank customer support according to the merchant’s requirements.

If one of the checks fails, the transaction is declined.

Note that the online verification whether the account provided actually exists may not be carried out due to the current regulation of the German credit services sector.

Using the checklist

DB Merchant Solutions REST API supports a checklist with suspicious IBANs. This checklist is updated regularly with fraudulent IBANs.

Add CHECKLIST to the parameter processing_options to automatically decline a transaction in case the customer IBAN is on the checklist.

See SDD test data for an IBAN to test the checklist.

Using the risk check

DB Merchant Solutions REST API supports a risk check to calculate a risk score for a transaction and then automatically decline transactions which have a high risk score or which trigger certain rules.

shipping_address
billing_address
basket
customer_information
device_information
account_information
merchant_risk_indicators.

Using additional SEPA features: B2B payments and custom due date

For B2B payments, which differ in certain regulatory aspects from the default SEPA Core Direct Debit, set debit_method to B2B.
By default, the SDD will be cleared as soon as possible. To allow for a later clearing (for example to notify the customer), set due_date to the desired clearing date. The due date has to be at least three TARGET2 business days (not on weekends or the so called TARGET2 or TARGET holidays) after the current date and has to be less than or equal to 14 days in the future.

5.4.3. SEPA mandate management

To use SEPA direct debit (SDD) as a payment method, a merchant first has to obtain a mandate from the customer. A mandate can be issued in a paper or electronic format.

The merchants are responsible for obtaining the mandate from the customer and for using it correctly. For the validity of SEPA mandate it is especially important that the creditor’s ID is contained in the SEPA mandate. This value has to coincide with the value given during onboarding (see Requirements).

The mandate specific information is configured in the field mandate (see also Required and optional fields).

The subfields reference and signed_on are required. Both are attributes of a valid SEPA mandate. The mandate reference reference must be unique for the creditor’s ID.

The mandate sequence type (subfield mandate_sequence_type) is particularly important:

By this fields mandates for single payments and mandates for recurrent payments are distinguished. (This information must also be registered in an electronic representation of the mandate, see SEPA Direct Debit Core Scheme Rulebook of the EPC.)

For single payments the value ONEOFF is used.

For recurrent payments the values RECURRING, FIRST, and LAST can be used. FIRST may optionally be used to indicate the first payment in a sequence. Using the value LAST indicates that the mandate is invalidated after the transaction. Subsequent SDD transaction with the mandate (usually) will fail.

Note, that RECURRING must be used for pre-authoriztations if multiple captures are used.

The default value of mandate_sequence_type is ONEOFF. If the field is omitted, only one transaction per reference is possible. Subsequent transactions (of any sequence type) are (usually) rejected by the customer’s bank.

The merchant may send further optional fields when required, for example support changes to the mandate in case the mandate was previously issued and a change of reference, creditor ID, BIC or IBAN has taken place.

For further details concerning these and other parameters, consult the API documentation.

5.4.4. Clearing and settlement

Clearing and settlement, that is the funds transfer from the customer to the merchant, takes place at due_date, see Setting the due date. For example, an authorization without a specific due date sent to DB Merchant Solutions REST API on Monday 23:59:00 CET will be cleared on Thursday, while an authorization without a specific due date sent to DB Merchant Solutions REST API on Tuesday 00:01:00 CET will be cleared on Friday.

Form of end-to-end ID and handling debit returns

DB Merchant Solutions REST API generates an end-to-end ID for an SDD transaction as follows: the final six characters of the system reference followed by a dot and the last 28 characters of the event_id. In the process, underscores which are not allowed in the end-to-end ID are removed from the transaction number.

A customer or their bank may return a direct debit transaction which then can be seen on the merchant’s bank account statement. In this case, the return contains the end-to-end ID from the initial direct debit, which allows to identify the original transaction.

Customer bank account statement

camt.053 and MT940 format

When a customer obtains their bank account statement electronically in the camt.053 format or the older MT940 statement, the parameters set in DB Merchant Solutions REST API are used as follows.

DB Merchant Solutions REST API camt.053 MT940

basket_id

RmtInf/Ustrd

SVWZ+

event_id

PmtId/EndToEndId

EREF+

mandate.reference

DrctDbtTx/MndtRltdInf/MndtId

MREF+

mandate.signed_on

DrctDbtTx/MndtRltdInf/DtOfSgntr

MREF+

Note that for a pre-authorization and a capture, the basket ID can be changed with the capture, see Transaction kind details. In this case, the basket ID as set in the capture will be displayed in the account statement.

Online banking

When a customer obtains their bank account statement via their online banking, the information displayed or printed depends on the customer’s bank. For example, the following two screenshots show SDD transactions as displayed by two different German banks.

Merchant bank account statement and reconciliation

To check if every SDD transaction submitted via DB Merchant Solutions REST API has been successfully booked, it is possible to reconcile the merchant’s bank account statement as follows.

Contact Deutsche Bank customer support to receive camt.053 (Bank to Customer Statement) or camt.054 (Bank to Customer Debit Credit Notification, formerly DTI) bank account statements of the merchant’s SDD bank account.
When using camt.053 bank account statements, contact Deutsche Bank customer support to set the SDD configuration to single collection ("Einzelbuchung"). This will set BatchBooking = false during clearing, which makes the camt.053 display single transactions. camt.054 statements will automatically display single transactions.
The field EndToEndId of a booking in the camt.053 or camt.054 statement has the following form:
- position 1-6: DB Merchant Solutions REST API internal ID
- position 7: "."
- position 8-35: last 28 characters of event_id (path parameter as set by merchant)

For example, for event_id = 12345678901234567890123456789012 (length: 32 characters), EndToEndId will have the form eaaxY5.5678901234567890123456789012 where eaaxY5 is some DB Merchant Solutions REST API internal ID and 5678901234567890123456789012 are the last 28 characters of event_id.

Thus, to reconcile SDD transactions, for each transaction check if the last 28 characters of its event_id are contained in the bank account statement’s EndToEndId of some transaction.
Note that a refund (initiated by the merchant) or a return (initiated by the customer or the customer’s bank) for an SDD transaction has the same EndToEndId as the SDD transaction. To distinguish an SDD transaction from a return or refund, take the booking direction into account: an SDD transaction will credit the merchant’s account, whereas a refund or a return will debit the merchant’s account.

5.4.5. Capture, refund, and reversal

See Subsequent transaction as well as Capture, Refund, and Reversal for general information about capture, refund, and reversal.

For SDD, use the general subsequent transaction endpoint for all integration types, setting kind = DIRECTDEBIT.

5.4.6. Credit

See Credit for general information about issuing a credit.

For SDD, use the payment SDD endpoint with tx_action = credit for all integration types.

5.4.7. Diagnosis request

See Diagnosis request for general information about retrieving information about a previous transaction.

For SDD, use the general endpoints GET /payment/event/{event_id} and GET /payment/tx/{tx_id} for all integration types.

5.4.8. Response codes

The following table shows the most common response codes for direct debit transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1548	Transaction is pending.
1399	Incomplete SEPA mandate data.
1521	Invalid currency.
1601	Mandate signed in the future.

5.4.9. Test data

Use the following IBANs for successful test payments:

DE87123456781234567890
DE63123456791212121212.

The following IBANs are invalid and result in the response code 1507 (Transaction rejected):

DE52123456771234567890
DE90123456791212121211.

To test the checklist, the following IBAN will result in a successful transaction when processing_options does not include CHECKLIST and will result in a rejected transaction with response code 1523 (Means of payment blocked) when processing_options does include CHECKLIST:

DE63593501100229286232.

5.4.10. Monitoring SDD returns

After performing an SDD authorization or capture, the transaction amount will be charged from the customer’s bank account and transferred to the merchant’s bank account. However, the customer’s bank as well as the customer have the possibility to return the direct debit transaction:

The bank may return the transaction for technical reasons, for example because the given bank account does not exist or the given bank accounts exists but does not have sufficient funds.
The customer may return the transaction for different reasons, for example when the direct debit was issued without a proper mandate.

For this reason, merchants need to monitor their accounts for direct debit returns.

DB Merchant Solutions REST API offers the feature to alert a merchant whenever a direct debit return is booked on their bank account. To use this feature, proceed as follows:

Implement the SDD return callback API as server. This means to implement the endpoint /sddreturncallback.
Contact Deutsche Bank customer support to enable DB Merchant Solutions REST API to access account statements of the merchant’s bank account. Supply the URL of your endpoint.

Whenever a direct debit return then is booked on the merchant’s bank account, DB Merchant Solutions REST API will send a request to your endpoint with all relevant information about this direct debit return. In particular, the following fields are always included:

the event_id of the original transaction which is returned to match the return to the original transaction
the reason for the return (reason_code, reason_code_proprietary, and additional_reason_information)
all relevant amounts (original_amount, fee_customerbank, and fee_merchantbank).

Respond with status code 200 for a successful receipt of a callback and with status code 400 if an error occurred.

5.5. PayPal

5.5.1. Introduction

DB Merchant Solutions REST API supports payments with PayPal for the transaction kinds authorization, pre-authorization, capture, refund, and reversal.

Supported countries and currencies

PayPal is available in the following countries: Albania, Algeria, Andorra, Angola, Anguilla, Antigua and Barbuda, Argentina, Armenia, Aruba, Australia, Austria, Azerbaijan Republic, Bahamas, Bahrain, Barbados, Belarus, Belgium, Belize, Benin, Bermuda, Bhutan, Bolivia, Bosnia and Herzegovina, Botswana, Brazil, British Virgin Islands, Brunei, Bulgaria, Burkina Faso, Burundi, Cambodia, Cameroon, Canada, Cape Verde, Cayman Islands, Chad, Chile, Colombia, Comoros, Cook Islands, Costa Rica, Cote d’Ivoire, Croatia, Cyprus, Czech Republic, Democratic Republic of the Congo, Denmark, Djibouti, Dominica, Dominican Republic, Ecuador, Egypt, El Salvador, Eritrea, Estonia, Ethiopia, Falkland Islands, Faroe Islands, Federated States of Micronesia, Fiji, Finland, France, French Guiana, French Polynesia, Gabon Republic, Gambia, Georgia, Germany, Greece, Greenland, Grenada, Guadeloupe, Guatemala, Guinea, Guinea-Bissau, Guyana, Honduras, Hong Kong SAR China, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Jamaica, Japan, Jordan, Kazakhstan, Kenya, Kiribati, Kuwait, Kyrgyzstan, Laos, Latvia, Lesotho, Liechtenstein, Lithuania, Luxembourg, Madagascar, Mainland China, Malawi, Malaysia, Maldives, Mali, Malta, Marshall Islands, Martinique, Mauritania, Mauritius, Mayotte, Mexico, Moldova, Monaco, Mongolia, Montenegro, Montserrat, Morocco, Mozambique, Namibia, Nauru, Nepal, Netherlands, Netherlands Antilles, New Caledonia, New Zealand, Nicaragua, Niger, Nigeria, Niue, Norfolk Island, North Macedonia, Norway, Oman, Palau, Panama, Papua New Guinea, Paraguay, Peru, Philippines, Pitcairn Islands, Poland, Portugal, Qatar, Republic of the Congo, Reunion, Romania, Russia, Rwanda, Saint Helena, Saint Kitts and Nevis, Saint Lucia, Saint Pierre and Miquelon, Saint Vincent and the Grenadines, Samoa, San Marino, Sao Tome and Principe, Saudi Arabia, Senegal, Serbia, Seychelles, Sierra Leone, Singapore, Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, South Korea, Spain, Sri Lanka, Suriname, Svalbard and Jan Mayen, Swaziland, Sweden, Switzerland, Taiwan China, Tajikistan, Tanzania, Thailand, Togo, Tonga, Trinidad and Tobago, Tunisia, Turkmenistan, Turks and Caicos, Tuvalu, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uruguay, Vanuatu, Vatican City, Venezuela, Vietnam, Wallis and Futuna, Yemen, Zambia, and Zimbabwe.

PayPal supports the following currencies: AUD, BRL, CAD, CHF, CNY, CZK, DKK, EUR, GBP, HKD, HUF, ILS, JPY, MXN, MYR, NOK, NZD, PHP, PLN, RUB, SEK, SGD, THB, TWD, and USD.

Prerequisites

You need a PayPal business account, and you have to allow DB Merchant Solutions REST API carrying out payments on your behalf. You may contact Deutsche Bank customer support how to grant these permissions.

You have to pass the email address and the merchant ID of your PayPal business account to Deutsche Bank customer support.

DB Merchant Solutions REST API supports the versions v1 and v2 of the PayPal API. Which version is used internally depends on the merchant’s configuration. For internally using version v2, the PayPal merchant ID is required. Existing merchants who want to change to v2 have to contact Deutsche Bank customer support and pass this ID.

The differences in DB Merchant Solutions REST API for merchants using version v1 or v2 are as follows:

Widget Solution is only supported for version v2.
Form service behaves differently (see Handling of the shipping address).
Recurring payments are only supported in version v2.

Supported integration types

PayPal is supported by

the general Form service checkout page and in the Form service with PayPal already selected,
Widget Solution.

Supported transaction kinds

PayPal supports the following transaction kinds:

authorization (standard)
pre-authorization
capture (full and multiple partial)
refund (full and single partial) (possible only for authorizations or captures)
reversal (full) (possible only for pre-authorizations).

A PayPal pre-authorization reserves funds for 29 days, after which the funds are automatically released and a capture is no longer possible.

The merchant may capture or reverse a pre-authorization during this time.
If the capture amount is less than the pre-authorized amount (partial capture), the remaining amount remains pre-authorized.
If no capture has taken place or if one or more partial captures have taken place, the merchant can only reverse the full remaining amount of the pre-authorization.
If a capture has taken place, the merchant can not reverse the transaction but has to issue a refund instead.

For captures exceeding the amount of pre-authorization (overcaptures) the situation depends on the applicable regulations at the customer’s billing address. Overcaptures are ruled by PSD2 regulation. In countries where this regulation applies (EEA and others) overcaptures are prevented by PayPal. In other countries (including the US) overcaptures may be possible within a limit depending on the merchant. This overcharge limit is set to 115% by default. In principle the merchant is responsible to comply with legislation. See PayPal documentation for details.

5.5.2. Authorization and pre-authorization

For the integration type Form service, use the standard checkout endpoint and supply PayPal data, or use the Form service PayPal endpoint and supply the necessary data.

The following fields are required:

amount_total and subfields
form_customer_continuation and subfields
callback and subfields.

Course of transaction

When using the Form service endpoint for PayPal, the course of transaction is as follows.

PayPal course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API.
DB Merchant Solutions REST API creates an order on the merchant’s behalf at PayPal.
PayPal responds to the creation of the order.
DB Merchant Solutions REST API sends a response message to the shop. In case of success it will include the redirect URL to the PayPal front end. In case of an error the transaction is finished.
As response step 1 the shop sends a redirect to the redirect URL received in step 5 to the customer.
The customer’s browser redirects to PayPal.
The customer carries out the necessary steps for the payment on the PayPal site:

Login to their PayPal account, inspect the order which was created in step 3, choose a means of payment, and confirm the payment.
PayPal sends a redirect to DB Merchant Solutions REST API the customer.
The customer’s browser redirects to DB Merchant Solutions REST API.
DB Merchant Solutions notifies the shop about the transaction result. The URL supplied in the initialization request is used for this (notify_url). This step and step 11 are skipped if you submit the skip parameter in the initial request. In this case your application has to send a status request to DB Merchant Solutions for finding out the outcome of the payment. For details see Callback and diagnosis request.
The shop confirms receipt of the notification.
DB Merchant Solutions REST API sends the customer a redirect to the URL submitted in step 1.
The customer’s browser redirects to this URL.
The shop displays the payment result to the customer.

When using the Form service checkout endpoint, step 7 starts after the customer chooses their payment method.

Callback and transaction result

For Form service, the transaction result is passed to the merchant’s using the callback mechanism (see Callback and diagnosis request).

The callback request contains the parameters rc and message. For PayPal, the following scenarios need to be considered, where 2. is specific for PayPal:

If rc = 0 and message= "Transaction successful", the transaction was successful.
If rc= 1345 or 1548 and message = "The selected transaction is currently in work." or "Transaction is pending.", the transaction might require a manual approval from the merchant. In this case, check the PayPal merchant portal for the transaction and approve or decline it manually.
A transaction that contains a different rc value is completed and not successful.

5.5.3. Capture, refund, and reversal

For PayPal, a refund is possible for authorizations and captures. A reversal is possible for pre-authorizations.

Use the general endpoint for the transaction kinds capture, refund, and reversal, setting kind = PAYPAL. See the next section on which tx_id to use.

5.5.4. Handling of the shipping address

For the integration type Widget Solution, the merchants may either pass the shipping address to PayPal or not (see create session endpoint). They can also choose whether the provided address is used for shipping (paypal_shipping_preference set to SET_PROVIDED_ADDRESS) or whether the shipping address is provided from file (the customer’s PayPal account) and chosen by the customer (GET_FROM_FILE). The customers choose their address (or enter a new one) in the PayPal modal window after they log in to their PayPal account.

If the shipping address is not passed, only GET_FROM_FILE is possible. If the shipping address is passed, it is contained in the list of addresses to choose from.

For Widget Solution, the merchant can implement event handlers which react on the chosen address, for example by rejection if the shipping country is not supported. They can also adopt the shipping costs to the address.

If no shipping is required (meaning that the basket_type in Basket is DIGITAL), the option NO_SHIPPING can be used for paypal_shipping_preference.

Form Service

For the integration type Form service the following has to be considered:

If the merchant’s account is configured to use version v1 of the PayPal API (see Prerequisites), the customer is presented the GET_FROM_FILE behaviour although the customer’s choice is not passed to the merchant. This may lead to mistakes. Merchants should contact Deutsche Bank customer support and use version v2 to prevent this.

If the merchant’s account is configured to use version v2 of the PayPal API (see Prerequisites), the handling of the shipping address is as follows:

If the basket_type is DIGITAL, no shipping address is shown in the PayPal window (like NO_SHIPPING in Widget Solution). In the case, the shipping_address can be omitted in the initialization request (for PayPal or checkout).
If the basket_type is PHYSICAL or MIXED and the shipping_address is missing in the initialization request, the customer may choose an address from file or enter a new one in the PayPal modal window (GET_FROM_FILE).

After the successful transaction, the shipping address is passed to the merchant in the callback request.

In this case, the merchant can not react to the customer’s choice of the shipping address (for example to reject the address).
If the basket_type is PHYSICAL or MIXED and the shipping_address is provided, this provided address is used and can not be changed by the customer (SET_PROVIDED_ADDRESS).

5.5.5. Recurring payments

PayPal supports recurring payments. The customer issues a billing agreement which is referenced by an alias within DB Merchant Solutions REST API (see Aliases and recurring payments). Billing agreements are called automatic payments in the PayPal terminology.

Recurring payments can be created using the integration types Form service or Widget Solution.

Alias and recurring payments are only supported for version v2 of the PayPal API, see Prerequisites.

Creating an alias

An alias referencing a billing agreement is created using the alias_action CREATE in the initialization request for Form service or the create session request for Widget Solution:

Field alias_action for creating an alias:

"alias_action": {
    "action": "CREATE"
}

For Widget Solution alias_action is a sub-field of transaction_data.

The creation of the alias may be included in an initial transaction (of transaction kind authorization or preauthorization) or not. In the latter case, the transaction kind (tx_action) verify-mop has to be used as a path parameter for Form service or POST /widgetsolution/session/event/{event_id}/{tx_action}.

In case of success, the alias is returned in the field alias_info in the callback request for Form service and in the response of the finalization for Widget Solution.

Subsequent transactions

A PayPal alias can be used to initiate MIT (see Recurring payments) without the customer’s interaction.

This is done using the PayPal endpoint of the Payment API. This alias is used as a subfield of means_of_payment there.

5.5.6. Diagnosis request

Use the general endpoints GET /payment/event/{event_id} and GET /payment/tx/{tx_id} for retrieving information about a previous PayPal transaction.

Important:

The structure of the PayPal transactions given by GET /payment/event/{event_id} differs from the general case: When a transaction is initialized, the result of GET /payment/event/{event_id} is a transaction with response code "rc": "0" (meaning success) and "tx_action": "payment". This refers to a "create order" transaction (or similar) in the PayPal backend.

The existence and the response code of this transaction does not mean that the payment has been successful. The actual transaction has tx_action set to authorization, preauthorization, or verify-mop and appears in the children field of the payment transaction.

The status of this child transaction is relevant for the status of the payment transaction. This child transaction is referenced in the callback request.

If the children field of the "outer" transaction (with tx_action = payment) is not present, the customer has either not yet logged in to PayPal or has not yet confirmed the transaction, meaning that the transaction is pending.

When creating a capture, reversal, or refund for an authorization or pre-authorization, it is important to refer to the tx_id of the child transaction having the corresponding tx_action.

Example of a pending PayPal transaction:

{
  "transactions": [
    {
      "rc": "0",
      "message": "Transaction successful.",
      "event_id": "event_123",
      "tx_id": "hIhpADmiuQUelPHKc2IG5z",
      "amount_total": {
        "amount": 1300,
        "currency": "EUR"
      },
      "kind": "PAYPAL",
      "tx_action": "payment",
      "back_rc": "SUCCESS",
      "timestamp": "2025-01-10T17:45:27.992"
    }
  ],
  "rc": "0",
  "message": "Transaction successful."
}

Example of a successful PayPal transaction:

{
  "transactions": [
    {
      "children": [
        {
          "rc": "0",
          "message": "Transaction successful.",
          "event_id": "event_123",
          "tx_id": "pvsKJHMmy0zk2qDU4TpFIs",
          "amount_total": {
            "amount": 1300,
            "currency": "EUR"
          },
          "kind": "PAYPAL",
          "tx_action": "authorization",
          "back_rc": "SUCCESS",
          "back_ext_id": "1GX723645E506494K",
          "timestamp": "2025-01-10T17:48:56.45"
        }
      ],
      "rc": "0",
      "message": "Transaction successful.",
      "event_id": "event_123",
      "tx_id": "hIhpADmiuQUelPHKc2IG5z",
      "amount_total": {
        "amount": 1300,
        "currency": "EUR"
      },
      "kind": "PAYPAL",
      "tx_action": "payment",
      "back_rc": "SUCCESS",
      "timestamp": "2025-01-10T17:45:27.992"
    }
  ],
  "rc": "0",
  "message": "Transaction successful."
}

5.5.7. Response codes

The following table shows the most common response codes for PayPal transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1598	Transaction cancelled on PayPal.
1552	Invalid amounts.
1595	Transaction not confirmed.
1504	System error.
1548	Transaction is pending.
1105	Backend system error.
1594	Change payment method.
1592	Invalid PayPal token.

5.5.8. Test data

PayPal offers a developer environment which covers sandbox accounts. These are used for transactions in the sandbox environment which is used by the test environment of DB Merchant Solutions (see API version, test and production, and base URLs).

It is recommended to create a sandbox business account as the merchant’s account and (at least one) sandbox personal account as a customer’s account, see PayPal sandbox testing guide. For this, you have to log in with a regular PayPal account.

Within the sandbox personal account, a credit card is preconfigured which can be used for testing successful transactions.

The page Card testing provides a "credit card generator" to generate further cards, and it describes how to simulate card error scenarios.

For this, you need to add a new credit card where the first name contains a "rejection trigger". Adding a new credit card is neither possible in the PayPal developer dashbord nor from the sandbox account: The name of the cardholder cannot be entered there.

Instead, you have to add this card as a new means of payment on the PayPal payment page:

5.6. Request to Pay (RtP)

5.6.1. Introduction

Request to Pay (RtP) is a payment method in which the customer is redirected to their bank during the checkout process. The customer then logs in to their banking account and authorizes the payment, after which the payment is carried out via SEPA Credit Transfer (SCT, conventional credit transfer, taking one or more days) or SEPA Instant Credit Transfer (SCT inst, real-time funds transfer).

The merchant may inquire at any time about the status of the payment, in particular for SCT inst. For this, the diagnosis request has to be used.

Supported countries and currencies

RtP is available in the following countries: Austria, Belgium, Estonia, Finland, France, Germany, Ireland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Portugal, Spain, and United Kingdom.

DB Merchant Solutions REST API supports the following locales for RtP: de (German), en (English), es (Spanish), fi (Finnish), fr (French), it (Italian), nl (Dutch), pt (Portuguese), and ru (Russian). The default locale is English.

Supported integration types

DB Merchant Solutions REST API supports RtP in the general Form service checkout page and in the Form service with RtP already selected for the transaction kind authorization.

Supported transaction kinds

RtP supports the following transaction kinds:

authorization (standard)
refund (full and multiple partial).

Requirements

To use RtP, provide the following information during onboarding:

IBAN of the merchant’s bank account to which the payments shall be transferred
IBAN of the merchant’s bank account from which refunds shall be transferred.

The two IBANs may be identical.

5.6.2. Authorization

Endpoints

To offer RtP in the Form service checkout page, use the standard checkout endpoint. To offer RtP via form service with RtP already selected, use the Request to Pay endpoint.

Using the parameters

Only the parameters amount_total, callback, and form_customer_continuation are required, the other parameters are optional.

To automatically receive updates about the transaction status, supply callback and subfields.

To enhance the customer experience, set the parameters under request_to_pay_data as follows:

request_to_pay_data.customer_id: The customer’s technical ID with the merchant. When set, the customer has the additional option to select a previously used account associated to this customer ID.
request_to_pay_data.iban: The customer’s IBAN. When set, the customer has the additional option to select this bank account directly without first having to select a bank.

To choose if the payment shall be made via conventional SCT or real-time SCT inst, set processing_options as follows:

not set: process as SCT (supported by all banks).
INSTANT: require SCT inst. If the selected bank does not support SCT inst, the payment will be cancelled.
INSTANT_IF_POSSIBLE: If possible, process as SCT inst, otherwise as SCT.

Set formdata.locale to one of the supported values to ensure the display texts are displayed in this locale.

Basket ID

The field basket.basket_id is used as a business reference field that will be passed as a part of the end-to-end reference.

For RtP, basket_id may contain only the following characters: a b c d e f g h i j k l m n o p q r s t u v w x y z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 / - ? : ( ) . , + '.

For RtP, basket_id must not contain // and must not start or end with a / .

The field length validation depends on the beneficiary account currency:

EUR: 129 chars
GBP: 7 chars.

Example: "PMNTREF".

Course of transaction

See the standard form service Course of transaction for the course of transaction for a Request to Pay transaction.

5.6.3. Checking the transaction status

Use the general endpoint GET /payment/tx/{tx_id} to obtain the status of a payment, which can be found in the field back_rc.

If in the authorization callback and subfields have been set, you will receive the status update automatically in the callback.

The following diagram shows the possible transaction statuses and their connections.

Initially, the status is RECEIVED.
If a customer cancels the transaction, the status changes to CANCELLED.
If the Request to Pay system or the customer’s bank should reject the transaction, the status changes to REJECTED.
Otherwise, the transaction will be authorised, so that the status changes to AUTHORISED.
If the transaction uses SCT inst, the status will then change to SETTLED.
Otherwise, that is if the transaction uses conventional SCT, the status will first change to PROCESSED after the payer bank has confirmed that the payment has been sent to clearing.
After the beneficiary bank has confirmed that it has accepted the payment received from clearing, the status changes to ACCEPTED.
The status then changes to CLEARED and SETTLED.

5.6.4. Refund

A refund is possible only after the transaction has the status SETTLED.

Use POST /payment/event/{event_id}/tx/{tx_id}/refund to refund a payment, setting kind = CREDITTRANSFER.

This endpoint does not support the callback mechanism, therefore this is not offered for monitoring RtP refunds. The Diagnosis request has to be used to track the transaction status.

5.6.5. Diagnosis request

See Diagnosis request for retrieving information about a previous transaction.

For Request to Pay, use the general endpoints GET /payment/event/{event_id} and GET /payment/tx/{tx_id} for all integration types.

For Rtp, diagnosis request is only supported in the production system, not in the test system.

5.6.6. Reports

Use the RtP payment report endpoint to receive information about RtP authorizations in a given time period.

Similarly, use the RtP refund report endpoint to receive information about RtP refunds in a given time period.

5.6.7. Response codes

The following table shows the most common response codes for Request to Pay transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1548	Transaction is pending.
1549	Amount too high.
1504	System error.
1547	Input failure.
1521	Invalid currency.
1566	Service blocked for bank account.
1569	Incorrect state of referenced transaction.

5.6.8. Test data

Successful authorization

On the first page the Request to Pay test website displays the amount of the payment and the name of the shop as it is registered in the Request to Pay system. Press the "Continue" button to get to the next page.

Here the customer has to find their bank. Start typing "Demo" in the input field, after which a list of banks will be displayed. Select one of them. Depending on the selection, another page with a list of options may be displayed. Select one of them and press the submit button.

On the next page enter a login name and password. The labels of the input fields may vary depending on the selected bank. Type for example "1234567890" and "123456" and press the "Login" button.

On the next page you will see a list of bank accounts. Select one of them.

On the final page enter a TAN. For some test banks a hint like "Please type 12345" is displayed. If not, try "123456". Depending on the selections on the previous pages the expected TAN format may vary. If the TAN is not accepted, a hint will be displayed, for example that the TAN has to be at least seven characters long. Then enter another TAN.

Press the submit button to finish the payment.

Unsuccessful authorization

To test a failed payment, press the "Cancel" button on one of the pages.

5.7. Klarna

5.7.1. Introduction

For general information about payments with Klarna, see the Klarna business information.

Klarna supports the transaction kinds authorization, pre-authorization, capture, reversal, and refund.

Supported countries and currencies

Klarna is available in the following countries: Austria, Belgium, Denmark, Finland, Germany, Great Britain, Netherlands, Norway, Sweden, Switzerland, and United States.

Klarna supports the following currencies: AUD, CAD, CHF, DKK, EUR, GBP, NOK, SEK, and USD.

Supported integration types

Klarna is supported in the Form service checkout page and in the Form service with Klarna already selected.

Supported purchase countries, currencies, and locales

See Klarna purchase countries which purchase countries (that is, the country of the billing address), currencies, and locales Klarna supports. For example, for Germany Klarna supports EUR as currency and the locales de and en, while for Switzerland Klarna supports CHF as currency and the locales de, fr, it, and en.

Supported transaction kinds

Klarna supports the following transaction kinds:

authorization (standard and recurring)
pre-authorization (standard and recurring)
capture (full and multiple partial)
refund (full and multiple partial)
reversal (full).

A Klarna pre-authorization reserves funds for 28 days, after which the funds are automatically released and a capture is no longer possible.

Klarna supports full captures and (multiple) partial captures. Klarna does not support overcaptures, that is captures with an aggregated amount exceeding the pre-authorized amount.

Prerequisites

Please register with Klarna.

5.7.2. Authorization and pre-authorization

Course of transaction

The following illustration shows the course of a Klarna authorization or pre-authorization in a sequence diagram.

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the payment: Klarna for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a payment request to Klarna.
Klarna sends the response to DB Merchant Solutions REST API .
DB Merchant Solutions REST API sends a response message to the shop. In the case of success it will include the redirect URL to Klarna. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser redirects to Klarna.
The customer carries out the necessary steps for the payment on the Klarna website.
Klarna sends the customer a redirect to DB Merchant Solutions REST API.
Klarna sends the current status and details of the payment to DB Merchant Solutions REST API.
DB Merchant Solutions REST API updates the status of the payment internally.
DB Merchant Solutions REST API notifies the shop about the payment result.
The shop confirms receipt of the notification.
The customer’s browser redirects to DB Merchant Solutions REST API.
DB Merchant Solutions REST API sends the customer a redirect to the URL submitted in step 1.
The customer’s browser redirects to this URL.
The shop displays the payment result for the customer.

Initializing the authorization or pre-authorization (step 2)

Submit the payment data via the Klarna form service endpoint or the standard checkout endpoint.

Required and optional fields

See Klarna request examples for a minimal and a typical example of a Klarna request.

The following fields and their subfields are required:

amount_total
form_customer_continuation
callback
basket.basket_items: For each basket item, name, quantity, and unit_price.

Next to the required fields, include as many optional fields as possible to enhance the customer experience (in particular, in the Klarna app) and to allow Klarna a better credit assessment.

Contact Deutsche Bank customer support before using the parameter shipping_delay as an activation is necessary.

Customer data requirements

Klarna’s requirements on customer data depend on the purchase country, that is the country of the billing address. For example, national identification numbers are commonly only used in Nordic countries, while not in other countries.

See Klarna customer data requirements for further details:

Klarna requires certain fields in billing_address and shipping_address depending on the purchase country.
If not supplied initially, Klarna will request some fields from the customer during the payment process, for example the date of birth or the phone number.
When supplying shipping_address, the subfield email is required. If email is not set, DB Merchant Solutions REST API will submit the transaction to Klarna but suppress shipping_address so that the customer will be able to enter it.
Note that the Klarna fields national_identification_number, gender, and date_of_birth can be found in DB Merchant Solutions REST API under customer.
The Klarna fields given_name, family_name and street_address are set by DB Merchant Solutions REST API’s fields first_name, last_name and address_line_1. DB Merchant Solutions REST API does not support the Klarna field care_of.

Klarna metadata

Klarna allows the merchant to store additional metadata with an order (see Klarna metadata). Orders are generated during authorization and pre-authorization and can be access by the merchant, for example in the Klarna Merchant Portal. Some of the metadata is used in the Klara Settlement Report which is available to the merchant.

Klarna metadata is passed within the field merchant_information of the request body of the Klarna form service endpoint or the standard checkout endpoint.

The relevant subfields of merchant_information and the metadata fields of Klarna are named differently. The following table provides the field mapping and the default values if the corresponding subfield of merchant_information is omitted.

Subfield Klarna metadata Default value Usage

merchant_data_1

merchant_data

Order metadata

merchant_data_2

merchant_reference1

event_id

Order metadata,
Merchant Settlement Report,
Customer’s account statement

merchant_data_3

merchant_reference2

tx_id

Order metadata,
Merchant Settlement Report

Breakdown of total amount and validation

For each basket item, Klarna calculates the basket item gross amount as

quantity.quantity_amount * unit_price.gross - item_discount.gross.

Klarna then validates that amount_total.amount equals the sum over each basket item gross amount plus the shipping costs minus the basket discount.

Klarna supports only one currency per transaction, which means that all amount fields must have the same currency.

Using a discount

Use basket_item.item_discount to indicate a discount for the corresponding basket item.

Use basket_discount to indicate a discount for the whole basket.

Response (step 6)

After a successful initialization you receive a response containing the Klarna URL to which you redirect your customer afterwards.

If an error occurs during the initialization you receive a response that contains some of the request data as well as an error code and an error message.

Redirect customer (step 7)

Use the redirect URL received in step 6 to redirect your customer. This may be via HTTP redirect header, via HTML page with a meta tag or via a JavaScript form.

The actual clearing and settlement of the payment takes place when the customer carries out the necessary steps for the payment on the Klarna site.

Notification about the outcome of the payment (step 13)

After concluding the Klarna payment you receive a REST request from DB Merchant Solutions REST API, which informs your application about the outcome of the payment, see Callback API.

5.7.3. Capture

Use the general endpoint for a full or partial capture, setting kind = KLARNA. For a partial capture, optionally set those basket items which have been captured.

Provide the same basket_id as used in the pre-authorization.

For both full and partial captures, provide the shipping costs accordingly as they are part of the amount validation.

5.7.4. Refund

Use the general endpoint to issue a refund, setting kind = KLARNA. For both authorization and capture transactions, Klarna supports full and partial refunds. Multiple partial refunds are allowed for a transaction.

5.7.5. Reversal

Klarna supports the following kinds of reversals:

For a pre-authorization for which no subsequent (partial or full) capture has been made yet: Use the general endpoint, setting kind = KLARNA, for a full reversal.
For a pre-authorization for which at least one subsequent partial capture has been made: Use the general endpoint, setting kind = KLARNA, to release the entire remaining reserved funds by a single partial reversal transaction subsequent to the pre-authorization transaction.

DB Merchant Solutions REST API supports single partial reversals for Klarna, but only over the entire remaining reserved funds.

Klarna does not support reversals for authorizations or captures, instead Klarna requires issuing a refund.

Klarna does not support reversals for refunds or reversals of reversals.

5.7.6. Diagnosis request

Use the general endpoints GET /payment/event/{event_id} and GET /payment/tx/{tx_id} for retrieving information about a previous Klarna transaction.

5.7.7. Recurring transactions

Klarna supports recurring transaction, that is transactions where the merchant bills the customer repeatedly, for example magazine subscriptions or top-up transactions. For a customer, the start of a recurring transaction proceeds as a usual transaction, while the subsequent payment are initiated by the merchant without a customer interaction.

To use recurring transactions as a merchant, proceed as follows.

Start

For the first transaction in a series of recurring transactions, there are two options available:

Option 1: The customer does a checkout like for a standard transaction and additionally agrees to further billings in the future. Like for a standard transaction, the customer is billed for the checkout.
Option 2: The customer does a checkout like for a standard transaction and agrees to further billings in the future. However, here the customer is not yet billed for the checkout but will be billed only starting with the first subsequent transaction.

For the technical implementation, proceed as follows.

For both option, use the endpoint Klarna form service endpoint and set alias_action.action = CREATE.

For option 1, use the transaction kind (tx_action) authorization or preauthorization
For option 2, use the transaction kind (tx_action) verify-mop.

In the callback, the field alias_info is additionally returned. The value of alias_info.alias must be saved. It either contains the value supplied in the request or, if not supplied there, a system generated alias.

Note that it is possible to save the created alias under an existing name by using alias_action.action = UPDATE (which means renewing a billing agreement).

The value alias_action.action = USE is not applicable for Klarna in Form service.

Note that DB Merchant Solutions REST API does not support recurring transactions in the Form service checkout page with payment method selection as some payment methods do not offer recurring payments.

Subsequent transactions

Use the endpoint Klarna payment endpoint and supply the alias received in the first transaction under means_of_payment.alias. This endpoint will not require a customer interaction but directly book the subsequent transaction.

For each subsequent transaction, use a new event_id.

Fallback for subsequent transactions

In case a subsequent transaction cannot be captured, Klarna behaves as follows:

If the payment method is direct debit, Klarna will fall back to invoice and reply as if it is a successful capture.
Otherwise, Klarna responds with "payment method failed". In this case, Klarna recommends trying again at a later time. If this also does not work, Klarna recommends sending a notice to the customers that they need to create a new subscription or add funds to their payment method if they wish to continue.

5.7.8. Test data

For Klarna integration testing, it suffices to fill in the forms with plausible values. There is no special test data required.

See the Klarna developer tools for test data and other subjects concerning testing.

5.8. Sofortüberweisung

The payment method Sofortüberweisung has now fully been integrated in Klarna, see Sofortüberweisung ist jetzt Klarna.

This means that Sofortüberweisung as a separate payment method has been disabled.

Merchants who still offer Sofortüberweisung as a payment method have to remove it from their website.

5.8.1. Introduction

DB Merchant Solutions REST API supports payments with Sofortüberweisung with Klarna for the transaction kinds authorization which is integrated in the payment method Klarna.

Refunds for previous transactions may still be carried out via the Sofortüberweisung merchant portal.

Supported transaction kinds

Sofortüberweisung supported the following transaction kinds:

authorization (standard)
refund (full and single partial).

Completed transactions can still be accessed using the diagnosis endpoints (get-requests) of the Payment API.

Prerequisites

Merchants can’t register anymore with the Sofortüberweisung merchant portal although the link is still available and may be used for existing accounts.

5.8.2. Authorization

No new authorizations can be made with Sofortüberweisung.

5.8.3. Refund

Use the Sofortüberweisung merchant portal for creating refunds.

5.9. giropay

5.9.1. Introduction

The payment method giropay has been discontinued at 2024-12-31, see giropay wurde eingestellt.

Payments with giropay are not possible anymore.

Merchants who still offer giropay as a payment method have to remove it from their website.

Refunds for giropay transactions can not be carried out anymore using the giropay system, or DB Merchant Solutions REST API. They have to be carried out by the merchant directly.

Supported transaction kinds

DB Merchant Solutions REST API supported the following giropay functionality:

authorization (standard)
preauthorization and capture (full and multiple partial)
refund (full and multiple partial).

No new transactions of one these kinds can be made, but completed transactions can still be accessed using the diagnosis endpoints (get-requests) of the Payment API.

5.10. Przelewy24 (P24)

5.10.1. Introduction

DB Merchant Solutions REST API supports Przelewy24 (or P24 for short), a Poland-based real-time online bank transfer payment, for the transaction kinds authorization and refund.

When using P24, a customer selects the name of their bank and logs into their online banking environment. They review the pre-populated payment details and then authorize the payment.

Supported countries and currencies

P24 is available in Poland and supports EUR and PLN as currencies.

Supported integration types

P24 is supported in the Form service checkout page and in the Form service with P24 already selected.

Supported transaction kinds

P24 supports the following transaction kinds:

authorization (standard)
refund (full and multiple partial).

Prerequisites

To use P24 payments via DB Merchant Solutions REST API, contact Deutsche Bank customer support which will supply a contract ID.

5.10.2. Authorization

Course of transaction

When using the Form service with P24 already selected, the course of transaction is as follows. When using the Form service general checkout page with P24 as a payment option, the course of transaction is the same after the selection of P24.

P24 course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the payment: P24 for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a payment request to P24.
P24 sends the response to DB Merchant Solutions REST API .
DB Merchant Solutions REST API sends a response message to the shop. In the case of success it will include the redirect URL to P24. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser redirects to P24.
The customer chooses their bank on the P24 website.
P24 redirects the customer to their bank website.
The customer logs into their online banking
The customer confirms the transaction
The bank notifies the customer about the payment result.
The bank notifies P24 about the payment result.
P24 notifies DB Merchant Solutions REST API about the outcome of the payment.
DB Merchant Solutions REST API updates the status of the payment internally.
DB Merchant Solutions REST API notifies the shop about the payment result.
The shop confirms receipt of the notification.
The customer’s browser redirects to DB Merchant Solutions REST API.
DB Merchant Solutions REST API sends the customer a redirect to one of the URLs submitted in step 1:

Regular case: If the notification of step 15 is received within a time limit of 20 s, the redirect_url is chosen according to the transaction status (success_url for successful transaction, error_url for failure, or notification_failed_url if the notification to the shop failed).

Exceptional case: If the notification is not received within the time limit, DB Merchant Solutions REST API redirects to the success_url.
The customer’s browser redirects to this URL.
The shop displays the payment result for the customer.

Initializing the payment

Use the standard checkout endpoint and supply P24 data, or use the P24 form service endpoint and supply the necessary data.

Required and optional fields

The following fields are required:

amount_total
billing_address: first_name, last_name, email, and country
form_customer_continuation
callback.

The following optional field has a specific meaning for P24:

merchant_information.merchant_data_1: defines the text on the consumer’s bank account statement. Typically, this field is used for providing a (sub-)shop name, a thank-you message, or a product description.

5.10.3. Refund

P24 supports full and (multiple) partial refunds. Use the general endpoint to issue a refund for an authorization, setting kind = P24.

5.10.4. Test data

When using P24 in a test environment, DB Merchant Solutions REST API does not redirect to a P24 test environment (and thus simulate the customer experience) but instead redirects to a page where it is possible to select P24’s behavior.

Therefore, no special test data is needed.

5.11. WeChat Pay

5.11.1. Introduction

DB Merchant Solutions REST API supports WeChat Pay, a China-based QR code payment method, for the transaction kinds authorization and refund.

When using WeChat Pay, a customer is redirected to a page where they see the transaction details and a QR code. The customer then scans the QR code with their WeChat Pay app on their mobile phone. After the customer has reviewed and confirmed the payment with their password, the payment is complete.

Supported countries and currencies

WeChat Pay is available in the following countries: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Lithuania, Luxembourg, Malta, Netherlands, Norway, Portugal, Spain, Sweden, and United Kingdom.

WeChat Pay supports the following currencies: CHF, CNY, EUR, GBP, and USD.

Supported integration types

WeChat Pay is supported in the Form service checkout page and in the Form service with WeChat Pay already selected.

Supported transaction kinds

WeChat Pay supports the following transaction kinds:

authorization (standard)
refund (full and multiple partial).

Prerequisites

To use WeChat Pay payments via DB Merchant Solutions REST API, contact Deutsche Bank customer support which will supply a contract ID.

5.11.2. Authorization

Course of transaction

When using the Form service with WeChat Pay already selected, the course of transaction is as follows. When using the Form service checkout page with WeChat Pay as a payment option, the course of transaction is the same after the selection of WeChat Pay.

WeChat Pay course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the payment for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a payment request to WeChat Pay.
WeChat Pay sends the response to DB Merchant Solutions REST API .
DB Merchant Solutions REST API sends a response message to the shop. In the case of success it will include the redirect URL to WeChat Pay. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser redirects to WeChat Pay.
The customer reviews the transaction details and scans the displayed QR code with their WeChat Pay app on their mobile phone.
The customer confirms the transaction in the WeChat Pay app.
The customer’s app sends the confirmation to WeChat Pay.
WeChat Pay notifies DB Merchant Solutions REST API about the outcome of the payment.
DB Merchant Solutions REST API updates the status of the payment internally.
DB Merchant Solutions REST API notifies the shop about the payment result.
The shop confirms receipt of the notification.
The customer’s browser redirects to DB Merchant Solutions REST API.
DB Merchant Solutions REST API sends the customer a redirect to one of the URLs submitted in step 1:

Regular case: If the notification of step 12 is received within a time limit of 20 s, the redirect_url is chosen according to the transaction status (success_url for successful transaction, error_url for failure, or notification_failed_url if the notification to the shop failed).

Exceptional case: If the notification is not received within the time limit, DB Merchant Solutions REST API redirects to the success_url.
The customer’s browser redirects to this URL.
The shop displays the payment result for the customer.

Initializing the payment

Use the standard checkout endpoint and supply WeChat Pay data, or use the WeChat Pay form service endpoint and supply the necessary data.

Required and optional fields

The following fields are required:

amount_total
billing_address: first_name, last_name, email, and country
form_customer_continuation
callback.

The following optional field has a specific meaning for WeChat Pay:

merchant_information.merchant_data_1: defines the text on the consumer’s bank account statement. Typically, this field is used for providing a (sub-)shop name, a thank-you message, or a product description.

5.11.3. Refund

WeChat Pay supports full and (multiple) partial refunds. Use the general endpoint to issue a refund for an authorization, setting kind = ẀECHATPAY.

5.11.4. Test data

When using WeChat Pay in a test environment, DB Merchant Solutions REST API does not redirect to a WeChat Pay test environment (and thus simulate the customer experience) but instead redirects to a page where it is possible to select WeChat Pay’s behavior.

Therefore, no special test data is needed.

5.12. iDEAL

5.12.1. Introduction

iDEAL is a payment method used in the Netherlands that allows customers to pay via their bank account.

When using iDEAL, a customer selects the name of their bank and logs into their online banking environment. They review the pre-populated payment details and then authorize the payment.

Fast checkout

In the future, a merchant may request customer and address data fields from iDEAL to support a fast checkout.

While DB Merchant Solutions REST API already supports the fields for a fast checkout, the feature is not yet implemented at iDEAL. Therefore, when currently requesting a fast checkout (by setting transaction_flow to FAST_CHECKOUT and supplying expected_checkout_data), DB Merchant Solutions REST API will return an error. The feature is expected to be available in 2024 Q3.

Supported countries and currencies

iDEAL is available in the Netherlands and supports EUR as currency.

Supported integration types

DB Merchant Solutions REST API supports iDEAL in the general Form service checkout page and in the Form service with iDEAL already selected for the transaction kind authorization.

Supported transaction kinds

iDEAL supports only authorization as transaction kind.

5.12.2. Authorization

Course of transaction

When using the Form service with iDEAL already selected, the course of transaction is as follows. When using the Form service general checkout page with iDEAL as a payment option, the course of transaction is the same after the selection of iDEAL.

iDEAL course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the authorization for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error, DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a payment request to iDEAL.
iDEAL sends the response to DB Merchant Solutions REST API .
DB Merchant Solutions REST API sends a response message to the shop. In the case of success, it will include the redirect URL to iDEAL. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser redirects to iDEAL.
The customer chooses their bank on the iDEAL website.
iDEAL redirects the customer to their bank website.
The customer logs into their online banking.
The customer confirms the transaction.
As the response to the customer’s confirmation, the bank requests DB Merchant Solutions REST API. The result of the transaction (failure or success) is not awaited or submitted. Notification about the transaction status is done asyncnronously from step 18.
DB Merchant Solutions REST API waits for a time limit (20 s) for the notification on the transaction status.
Regular case: If the notification is received within the time limit, the redirect URL is chosen accordingly from the field form_customer_continuation of the initialization request of step 2 (success_url for successful transaction, error_url for failure, or notification_failed_url if the notification to the shop failed).
Redirect to the chosen URL.
Exceptional case: If the notification is not received within the time limit, DB Merchant Solutions REST API redirects to the success_url.
As a reaction to the confirmation of the transaction (step 12), the transaction is processed by the customer’s bank.
The bank notifies iDEAL about the transaction result.
iDEAL notifies DB Merchant Solutions REST API about the transaction result.
DB Merchant Solutions REST API updates the transaction status.
DB Merchant Solutions REST API notifies the shop about the payment result (if this had been configured in the initialization in step 2).
The shop confirms receipt of the notification.
The shop may send a message about the purchase status to the customer.

Initializing the authorization (step 2)

To offer iDEAL in the Form service checkout page, use the standard checkout endpoint. To offer iDEAL via form service with iDEAL already selected, use the iDEAL endpoint.

Handling the transaction status (steps 13 - 24)

The outcome of the payment is not submitted synchronously by the iDEAL backend after the customer confirms the payment (in step 12): The response to the order confirmation does not contain any status information. The handling of the transaction status is done asynchronously in a notification mechanism.

To provide feedback about the payment outcome for the customer, DB Merchant Solutions REST API uses a synchronization mechanism by waiting for a time limit of 20 seconds for being notified about the transaction status. When a notification takes place in time, this is used to choose the redirect URL. This may take the values success_url, error_url, or notification_failed_url from the field form_customer_continuation of the initialization request. This regular case occurs in most situations.

In exceptional cases, it may happen that the notification takes longer than the time limit. Then, the success_url is used as redirect URL.

This has the consequence that displaying the success_url may only mean "unknown status" of the payment in exceptional cases. The merchant may display a message that the final purchase confirmation is done in a separate message.

Displaying error_url, meanwhile, certainly means failure of the payment.

For notification_failed_url, see Callback and diagnosis request.

Required and optional fields

See iDEAL request examples for a minimal example of an iDEAL request.

The following fields are required:

amount_total.amount and amount_total.currency
basket.basket_id
form_customer_continuation.success_url
ideal_data.description.

For an iDEAL transaction, basket.basket_id must conform to the pattern [a-zA-Z0-9] {1,35}.

The other fields of ideal_data can be used as follows:

issuer_id: If set, the customer will not need to choose a bank at iDEAL but will directly be redirected to the bank given by the BIC in issuer_id.
transaction_flow:
- If not set or set to STANDARD, the shop will not receive additional fields (that is, a standard checkout will take place). In this case, do not set the field expected_checkout_data.
- Reserved for future use (see above): If set to FAST_CHECKOUT, the shop will receive additional address and customer information fields as requested via the field expected_checkout_data and its subfields (that is, a fast checkout can take place).

5.12.3. Response codes

The following table shows the most common response codes for iDEAL transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1548	Transaction is pending.
1002	Cancelled - timeout.
1400	No user input/timeout.
1507	Transaction rejected.
1401	Cancelled by user.
1504	System error.
1502	Configuration problem.
1546	Transaction rejected.
9000	Indeterminate error.
1506	Temporary error.
1368	Transaction kind transition invalid.
1105	Backend system error.
1337	Event ID already assigned.
1102	Gateway connection problem.
1333	Given country rejected by list.
1100	Unexpected error.
1545	Authorisation problem.
1547	Input failure.

5.12.4. Checking the transaction status

For checking the transaction status, the callback mechanism or diagnosis requests may be used, see Callback and diagnosis request. The callback request contains some information the diagnosis request does not reveal like the iDEAL transaction ID.

The following table shows the mapping of iDEAL status codes to response codes:

iDEAL status

Response code

Message

SUCCESS

Transaction successful.

EXPIRED

1002

Cancelled - timeout.

CANCELLED

1401

Cancelled by user.

FAILURE

1504

System error.

IDENTIFIED

1548

Transaction is pending.

Don’t send a diagnosis request before receiving a callback request. For iDEAL, a diagnosis request may prevent subsequent callback requests.

5.12.5. Test data

To test an iDEAL authorization, choose the bank "TESTNL2A" and then the corresponding test simulation to run (success, cancellation, cancellation before login, expiration, or failure).

5.13. TWINT

5.13.1. Introduction

DB Merchant Solutions REST API supports TWINT, a Swiss-based real-time bank transfer payment, for the transaction kinds authorization and refund.

When using TWINT, a customer is presented a QR-code (or 5-digit numerical code) which he uses to authorize a payment in his mobile TWINT-app (provided by his bank).

Supported countries and currencies

TWINT is available in Switzerland and supports CHF as currency.

Supported integration types

TWINT is supported in the Form service checkout page and in the Form service with TWINT already selected.

Note that the payment methods configured in the checkout request all have to support the currency given in total_amount which must be CHF for TWINT.

Supported transaction kinds

TWINT Pay supports the following transaction kinds:

authorization (standard)
refund (full and multiple partial).

Prerequisites

A Merchant who is planning to use TWINT DB Merchant Solutions REST API requires a postal address and a bank account (in CHF) in Switzerland.

Contact Deutsche Bank customer support for further information.

5.13.2. Authorization

Course of transaction

When using the Form service with TWINT already selected, the course of transaction is as follows.

TWINT course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the payment for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a payment request to TWINT.
TWINT sends the response to DB Merchant Solutions REST API .
DB Merchant Solutions REST API sends a response message to the shop. In the case of success it will include the redirect URL to TWINT. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser redirects to TWINT.
The customer scans the displayed QR code with their TWINT app on their mobile phone.
The customer confirms the transaction in the TWINT app.
The customer’s app sends the confirmation to TWINT.
TWINT notifies DB Merchant Solutions REST API about the outcome of the payment.
DB Merchant Solutions REST API updates the status of the payment internally.
DB Merchant Solutions REST API notifies the shop about the payment result.
The shop confirms receipt of the notification.
The customer’s browser redirects to DB Merchant Solutions REST API.
DB Merchant Solutions REST API sends the customer a redirect to one of the URLs submitted in step 1:

Regular case: If the notification of step 12 is received within a time limit of 20 s, the redirect_url is chosen according to the transaction status (success_url for successful transaction, error_url for failure, or notification_failed_url if the notification to the shop failed).

Exceptional case: If the notification is not received within the time limit, DB Merchant Solutions REST API redirects to the success_url.
The customer’s browser redirects to this URL.
The shop displays the payment result for the customer.

Initializing the payment

Use the TWINT form service endpoint and supply the necessary data.

Required and optional fields

The following fields are required:

amount_total (with currency CHF)
billing_address: first_name, last_name, email, and country
form_customer_continuation
callback.

The following optional field has a specific meaning for TWINT:

merchant_information.merchant_data_1: defines the text on the consumer’s bank account statement. Typically, this field is used for providing a (sub-)shop name, a thank-you message, or a product description.

5.13.3. Refund

TWINT supports full and (multiple) partial refunds. Use the general endpoint to issue a refund for an authorization, setting kind = TWINT.

5.13.4. Test data

When using TWINT in a test environment, DB Merchant Solutions REST API does not redirect to a TWINT test environment (and thus simulate the customer experience) but instead redirects to a page where it is possible to select TWINT’s behavior.

Therefore, no special test data is needed.

5.14. Wero

5.14.1. Introduction

Wero is a European payment method operated by the Europen Payment Initiative (EPI) that allows customers to pay via their bank account.

When using Wero, a merchant displays a QR code which the customer scans with their smartphone and gives consent to the payment.

Supported countries and currencies

Wero is currently available in Belgium, France, and Germany. The Netherlands, Luxembourg, and more countries will be coming soon.

Wero supports EUR as currency.

Supported integration types

DB Merchant Solutions REST API supports Wero in the general Form service checkout page and in the Form service with Wero already selected.

Supported transaction kinds

Wero supports the following transaction kinds:

authorization
pre-authorization and (multiple partial) capture

5.14.2. Authorization and pre-authorization

Course of transaction

When using the Form service with Wero already selected, the course of transaction is as follows. When using the general Form service checkout page with Wero as a payment option, the course of transaction is the same after the selection of Wero.

A Wero transaction consists of three parts:

Consent: The customer consents to the payment requested by the merchant. The consent is received by the EPI central services and does not affect the customer’s bank.
Bank-authorization: The consent is authorized by the customer’s. The authorization may, for example due to insufficient creditworthiness. The money transfer takes place yet.
Capture: The actual money transfer (using SCT Inst) to the merchant’s bank account.

Within DB Merchant Solutions REST API, an authorization comprises parts 1 to 3 of a Wero transaction.

For a pre-authorization in DB Merchant Solutions REST API parts 1 and 2 are carried out, while step 3 takes place in the subsequent capture-transaction.

Wero course of transaction

The customer makes a purchase in the shop and starts the payment process.
The shop generates an HTTP request and sends it to DB Merchant Solutions REST API. See Initializing the authorization for details.
DB Merchant Solutions REST API checks the submitted data. In case of an error, DB Merchant Solutions REST API continues with step 6.
DB Merchant Solutions REST API sends a consent request to EPI.
EPI sends the response to DB Merchant Solutions REST API.
DB Merchant Solutions REST API sends a response message to the shop. In the case of success, it will include the redirect URL to a Wero QR code. In the case of an error the transaction is finished.
As response to step 1 the shop sends a redirect to the redirect URL received in step 6 to the customer.
The customer’s browser requests the Wero QR code.
EPI returns the QR code.
The customer’s browser displays the QR code to the customer.
The customer uses their Wero app to scan the QR code.
The customer’s app requests consent data from EPI.
EPI sends the consent data to the app.
The app shows the consent data to the customer.
The customer gives consent to the payment in the app.
The app sends the signed consent token to EPI.
EPI redirects the customer’s browser to the return URL.
The customer’s browser requests the return URL from the merchant.
EPI sends a notification about the given consent to DB Merchant Solutions REST API.
DB Merchant Solutions REST API notifies the shop about the given consent.
The shop delivers the return URL tot the customer’s browser.
The consent is authorized by the customer’s bank.
EPI returns as response a payment guarantee.
DB Merchant Solutions REST API notifies the shop about the payment guarantee or rejection.
The shop informs the customer about the authorization result ("order has been confirmed [or declined] by your bank").
DB Merchant Solutions REST API sends a capture request to EPI.
EPI returns a capture notification to DB Merchant Solutions REST API.
DB Merchant Solutions REST API notifies the shop about the capture.

Initializing the transaction

The initialization of an authorization or pre-authorization takes place in step 2 of the Course of transaction.

To offer Wero in the Form service checkout page, use the standard checkout endpoint. To offer Wero via form service with Wero already selected, use the Wero endpoint.

Required and optional fields

See Wero request examples for a minimal example of a Wero request.

The following fields are required:

amount_total with the subfields amount and currency,
form_customer_continuation (see Redirect to merchant’s website),
callback (see Callback and diagnosis request),
wero_data and its subfield authorization_reference.
For a pre-authorization the field wero_data.payment_plan and its subfields amount_payment_type and capture_event are required.

5.14.3. Capture

See Subsequent transaction and Capture for general information about captures.

For Wero, captures are governed by the subfields of the field wero_data.payment_plan of the pre-authorization request (see PaymentPlan):

A capture is possible up to a time limit set by max_auth_to_capture_time. The value is given in seconds and defaults to 604800 (one week).
Multiple partial captures are possible if the field multi_capture_allowed is set to true.

Use the general subsequent transaction endpoint for captures, setting tx_action=capture and kind = WERO.

5.14.4. Checking the transaction status

For checking the transaction status, use either the callback mechanism (Callback and diagnosis request) or diagnosis requests

5.14.5. Testing Wero transactions

EPI provides the following test portal:

Consumer PSP test portal INT environment.

To test a Wero authorization or pre-authorization, the portal can be used as follows:

Create a transaction in DB Merchant Solutions REST API. Set the amount to less or equal to 5,000.00 EUR to create a successful authorization or greater than 5,000.00 EUR to create an unsuccessful authorization (see below).
Follow the redirect link to see a QR code.
Click on the QR code to see a numeric code. Copy this numeric code.
Navigate to the portal. In the portal, proceed as follows:
- Select "Quick tools"
- Click "Add consumer"
- Click the created consumer
- Click "Consents"
- Click "Give consent"
- Enter the numeric code from step 3 as "Short ID".
- Scroll down, click "Approve consent" or "Deny consent" depending on which scenario you want to test.
Your shop will then receive callbacks for consent, authorization, and capture at the callback URL provided in step 1. Depending on steps 4 and 1, the consent will either be approved or denied and the authorization similarly will either be approved or denied.

6. Additional services

6.1. Aliases

DB Merchant Solutions provides a possibility to manage so-called aliases for means of payment. Currently the supported types of means of payment are credit card (including Google Pay and Apple Pay), direct debit, and Klarna.

Aliases provide a possibility to carry out recurring payments without saving the actual means of payment details in your system. Thus, for example if you use the iFrame Service to carry out the first payment with a credit card you do not have to participate in the "Payment Card Industry Data Security Standard" (PCI DSS) program by Visa and MasterCard.

Your account needs to be configured accordingly to use credit card or direct debit aliases. DB Merchant Solutions guarantees an unambiguous assignment of an alias to a means of payment. A means of payment may have exactly one alias assigned to it. Conversely, an existing alias cannot be assigned to another means of payment.

It is necessary to obtain the customer’s approval before storing their payment data as an alias.

DB Merchant Solutions provides APIs to create, update, get, and delete aliases. See Alias API, POST /form/alias/bankaccount, and POST /form/alias/creditcard for details.

6.2. Multi-currency pricing (MCP)

6.2.1. Introduction

Multi-currency pricing (MCP) allows merchants to offer goods in the customer’s preferred currency, which may be different from the merchant’s settlement currency (also known as funding currency). This has the advantage that the customer sees already during the payment which amount will be booked from their account and not only when they check their account statement later on. Multi-currency pricing therefore can increase the conversion rate.

6.2.2. DB Merchant Solutions REST API support for MCP

Merchants who integrate MCP have to be registered for this service. Contact Deutsche Bank customer support for this. The MCP merchant id, which is handed out during registration, has to be used in the multi-currency pricing endpoint.

Check with Deutsche Bank customer support the currency of your settlement account. For example, this may be EUR. To offer payments in a customer’s currency different from the settlement account currency, for example in USD and PLN, proceed as follows:

Check that the offered payment system supports this currency. When using Form service or iFrame Service with payment selection, check that all offered payment systems support this currency.
Optionally use the multi-currency pricing endpoint to get information about the exchange rates which will be used by Deutsche Bank during settlement. For DB Merchant Solutions REST API, only channel = ECOM for general transactions and channel = MOTO for mail order / telephone order transactions are applicable.

Contact Deutsche Bank customer support if one of the required currency pairs is not available in the response.
Optionally calculate the price in customer’s currency using the obtained exchange rate.
Offer the payment transaction in the consumer’s currency with the chosen amount. The rates will be applied to the payments in supported currencies.

For example, if the settlement currency is EUR and the obtained exchange rate has currrency_pair = EURUSD and consumer_rate = 1.17, this means that 1.00 EUR = 1.17 USD. The payment in USD will be considered as MCP transaction and the merchant will receive 20.00 EUR for a transaction with amount 23.40 USD. The payment in EUR will be considered as none-MCP transaction, as it is same as settlement currency.

6.2.3. Test data

The MCP merchant id TEST-MERCHANT-1 can be used (as the field merchant_id_mcp) in the multi-currency pricing endpoint.

6.3. Risk management

6.3.1. Introduction

DB Merchant Solutions REST API supports a risk check for credit card and SDD transactions to assess the transaction’s risk and then automatically reject the transaction in case of high risk. To assess the risk, DB Merchant Solutions REST API uses three mechanisms:

A positive list and a negative list, specific to each merchant. A transaction matching all criteria of an entry on the positive list will have lower risk. A transaction matching one or more criteria of an entry on the negative list will have higher risk.
General rules pertaining to transaction data elements or derived from these elements.
A risk score calculated by machine learning algorithms.

These mechanisms then are taken together and prioritized to assess the risk.

The quality of the risk assessment improves strongly with the amount of data sent to DB Merchant Solutions REST API, which is why it is recommended to send as many of the optional data elements as possible.

For further information on the calculation details, you may contact Deutsche Bank customer support.

Integration types

DB Merchant Solutions REST API supports the following integration types for risk score calculation:

Calculating a risk score prior to a credit card payment: credit card checkout page, credit card Form service, credit card headless 3-D Secure and credit card payments API.
Calculating a risk score prior to an SDD payment: SDD checkout page, SDD Form service, and SDD payments API.
Calculating a risk score without a subsequent transaction.

Furthermore, DB Merchant Solutions REST API supports modifying the positive and the negative list via the list handling endpoint.

Course of transaction

For credit card and SDD transactions, include RISKCHECK in the parameter processing_options to perform a risk check. The parameter then is used as shown in the following diagram.

6.3.2. Providing the necessary data to calculate the risk score

General parameters

Set as many parameters as possible to allow for a good risk score calculation. Next to general fields like shipping_address and billing_address, the following fields are specifically designed for the risk score calculation:

account_information
basket.extensions.riskcheck_data
device_information
merchant_defined_information
merchant_risk_indicators
risk_check_additional_information
travel_information.

Merchant defined information

DB Merchant Solutions REST API allows merchants to send additional individual data points to be used for the risk calculation via the parameter merchant_defined_information. This parameter is an array of key-value pairs of strings. To use this parameter, proceed as follows:

Contact Deutsche Bank customer support about which data you would like to send and agree upon the keys to be used.
Deutsche Bank customer support will incorporate these fields into specific rules for the risk score calculation according to your specifications.

Merchant-defined data fields are not intended to and must not be used to capture personally identifiable information. Accordingly, merchants are prohibited from capturing, obtaining, and/or transmitting any personally identifiable information in or via the merchant-defined data fields. Personally identifiable information includes, but is not limited to, address, credit card number, social security number, driver’s license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). In the event DB Merchant Solutions REST API discovers that a merchant is capturing and/or transmitting personally identifiable information via the merchant-defined data fields, whether or not intentionally, Deutsche Bank will immediately suspend the merchant’s account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension.

Device fingerprinting

Background

Device fingerprinting is a process to gather information about the devices that are used to order from the merchant’s shop, using persistent cookies. Examples for these devices include desktop PCs, notebooks and mobile phones. Using a device fingerprint significantly improves the risk score calculation and is therefore recommended from a risk perspective. For example, with a device fingerprint it is possible to detect common fraud patterns such as

using multiple identities from the same device, even when hidden behind a proxy
language settings inconsistent with the country.

Implementation considerations

The European Union’s Privacy and Electronic Communications Directive (the “Directive”) restricts the deposit and storage of cookies on the devices of customers of online merchants operating in the European Union. When used without the device fingerprint, DB Merchant Solutions REST API does not store cookies. When used with the device fingerprint, the device fingerprint feature enables the deposit and storage on the customer’s device of a cookie that is used to mitigate fraud. The cookie profiles the specific attributes of the device used in transactions.

While Deutsche Bank cannot provide legal advice, the following information applies. The restrictions under the Directive require, among other things, that a merchant:

Provide “clear and comprehensive information” to visitors of the merchant’s website about the storage of cookies on their device.
Obtain the consent of visitors before depositing and storing cookies on their device unless certain exceptions apply.

If a merchant operates in Europe and uses the device fingerprint, they should consult their legal counsel and other advisors to find out how to comply with the requirements of the Directive.

To ensure the customers’ privacy, fingerprints are encoded as soon as they are received. Fingerprints persist for approximately 24 hours. This interval begins when the customer opens the HTML page with the tags, and it ends when the transaction request is sent. Add the fingerprinting code to the request as early in the transaction process as possible.

Device fingerprinting stops working when the IP address of the domain name changes. To avoid interruptions in device fingerprinting, use domain names instead of using IP addresses and relying on domain name resolution.

To allow device profiling time to complete, ensure that 3 to 5 seconds elapse between the execution of the profiling code and the customer’s order submission.

After adding the device fingerprinting code to the website, set the parameter device_fingerprint_id to the session ID.

Integrating device fingerprinting in the checkout process

The information given above can be implemented in the checkout process as follows.

Add the following JavaScript / iFrame snippet to your site to initialize device fingerprinting in step 4.

<head>
  <script type="text/javascript"
          src="https://h.online-metrix.net/fp/tags.js?org_id={org_id}&session_id={rmid}{session_id}>
  </script>
</head>
<body>
  <noscript>
    <iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;"
            src="https://h.online-metrix.net/fp/tags?org_id={org_id}&session_id={rmid}{session_id}">
    </iframe>
  </noscript>
</body>

Set the parameters as follows:

${org_id}: Organization ID. Contact Deutsche Bank customer support for the value to use. Note that there are different values to be used for test and for production.
${rmid}: Risk management merchant ID. Similarly, contact Deutsche Bank customer support for the value to use.
${session_id}: Session ID. It can contain lowercase and uppercase English letters, digits, hyphens (-), and underscores (_). The maximum length is 88 characters. Do not use the same uppercase and lowercase letters to indicate different session IDs.

The session ID must be unique for each combination of transaction and page load, regardless of the customer’s web session ID. If a customer navigates to a profiled page and is assigned a web session, navigates away from the profiled page, then navigates back to the profiled page, the generated session ID must be different and unique.

It is recommended to use an application GUID (Globally Unique Identifier). This measure ensures that a unique ID is generated every time the page is loaded, even if it is the same customer reloading the page.

6.3.3. Risk score information response

Whenever a risk score is requested, the response will contain the field riskmanagement_info, which includes in particular the following fields:

score: the risk score with values between 1 (low risk) and 100 (very high risk)
tx_risk_status: indicates whether the transaction is ACCEPTED or REJECTED. Note that score is only one element in deciding the tx_risk_status, that is, when specific rules take effect (say, the positive list), transactions with a high score may still have tx_risk_status = ACCEPTED. Similarly, transactions with a low score may have tx_risk_status = REJECTED, for example when the negative list takes effect.
score_factor_codes is an array of possible factors which account for the score. See Score factor codes for the meaning of the enumeration values.
Fields starting with infocodes transport information about suspicious aspects of the transaction. See Infocodes for the possible enumeration values.

Enumeration values

Score factor codes

For the array score_factor_codes, the following items are possible.

Code

Description

Excessive address change. The customer changed the billing address two or more times in the last six months.

Card BIN or authorization risk. Risk factors are related to credit card BIN and/or card authorization checks.

High number of account numbers. The customer used more than six credit cards numbers in the last six months.

Email address impact. The customer uses a free email provider, or the email address is risky.

Positive list. The customer is on your positive list.

Negative list or negative history. The account number, street address, email address, or IP address for this order appears on your negative list or negative history.

Geolocation inconsistencies. The customer’s email domain, phone number, billing address, shipping address, or IP address is suspicious.

Excessive name changes. The customer changed the name two or more times in the last six months.

Internet inconsistencies. The IP address and email domain are not consistent with the billing address.

Nonsensical input. The customer name and address fields contain meaningless words or language.

Obscenities. The customer’s input contains obscene words.

Identity morphing. Multiple values of an identity element are linked to a value of a different identity element. For example, multiple phone numbers are linked to a single account number.

Phone inconsistencies. The customer’s phone number is suspicious.

Risky order. The transaction, customer, and merchant information show multiple high-risk correlations.

Time hedge. The customer is attempting a purchase outside of the expected hours.

Unverifiable address. The billing or shipping address cannot be verified.

Velocity. The account number was used many times in the past 15 minutes.

Marked as suspect. The billing or shipping address is similar to an address previously marked as suspect.

Gift Order. The street address, city, state, or country of the billing and shipping addresses do not correlate.

Invalid value. Because the request contains an unexpected value, a default value was substituted. Although the transaction can still be processed, examine the request carefully for abnormalities in the order.

Infocodes

Address

Code

Description

COR-BA

The billing address has corrected elements or can be normalized.

COR-SA

The shipping address has corrected elements or can be normalized.

INTL-BA

The billing country is outside of the U.S.

INTL-SA

The shipping country is outside of the U.S.

MIL-USA

The address is a U.S. military address.

MM-A

The billing and shipping addresses use different street addresses.

MM-BIN

The card BIN (the first six digits of the number) does not match the country.

MM-C

The billing and shipping addresses use different cities.

MM-CO

The billing and shipping addresses use different countries.

MM-ST

The billing and shipping addresses use different states.

MM-Z

The billing and shipping addresses use different postal codes.

UNV-ADDR

The address is unverifiable.

Customer list

Code

Description

CONPOSNEG

The order triggered both a positive and negative list match. The result of the positive list match overrides that of the negative list match.

NEGACRB

The transaction was automatically marked as a creditback and is on the negative list.

NEG-AFCB

The transaction was automatically marked as a fraud chargeback and is on the negative list.

NEGANFCB

The transaction was automatically marked as a non-fraud chargeback and is on the negative list.

NEGASUSP

The transaction was automatically marked as suspected fraud and is on the negative list.

NEG-BA

The billing address is on the negative list.

NEG-BCO

The billing country is on the negative list.

NEG-BIN

The credit card BIN (the first six digits of the number) is on the negative list.

NEGBINCO

The country in which the credit card was issued is on the negative list.

NEG-BZC

The billing postal code is on the negative list.

NEG-CC

The credit card number is on the negative list.

NEG-CPF

The CPF or CNPJ identification number is on the negative list.

NEG-CRB

The transaction was marked as a creditback and is on the negative list.

NEG-EM

The email address is on the negative list.

NEGEMCO

The country in which the email address is located is on the negative list.

NEGEMDOM

The email domain (for example, mail.example.com) is on the negative list.

NEG-FCB

The transaction was marked as a fraud chargeback and is on the negative list.

NEG-FP

The device fingerprint is on the negative list.

NEG-HIST

The transaction is related to a previous suspect transaction.

NEG-ID

The customer’s account ID is on the negative list.

NEG-IP

The IP address (for example, 10.1.27.63) is on the negative list.

NEG-IP3

The network IP address (for example, 10.1.27) is on the negative list. A network IP address includes up to 256 IP addresses.

NEG-IPCO

The country in which the IP address is located is on the negative list.

NEG-NFCB

The transaction was marked as a non-fraud chargeback and is on the negative list.

NEG-PEM

A passenger’s email address is on the negative list.

NEG-PH

The phone number is on the negative list.

NEG-PID

A passenger’s account ID is on the negative list.

NEG-PIP

The proxy IP address is on the negative list.

NEG-PPH

A passenger’s phone number is on the negative list.

NEG-SA

The shipping address is on the negative list.

NEG-SCO

The shipping country is on the negative list.

NEG-SID

The Smart ID is on the negative list.

NEGSUSP

The transaction was marked as suspected fraud and is on the negative list.

NEG-SZC

The shipping postal code is on the negative list.

NEG-TIP

The true IP address is on the negative list.

POSTEMP

The customer is on the temporary positive list.

POSPERM

The customer is on the permanent positive list.

REV-BA

The billing address is on the review list.

REV-BCO

The billing country is on the review list.

REV-BIN

The credit card BIN (the first six digits of the number) is on the review list.

REVBINCO

The country in which the credit card was issued is on the review list.

REV-BZC

The billing postal code is on the review list.

REV-CC

The credit card number is on the review list.

REV-CPF

The CPF or CNPJ identification number is on the review list.

REV-CRB

The transaction was marked as a creditback and is on the review list.

REV-EM

The email address is on the review list.

REVEMCO

The country in which the email address is located is on the review list.

REVEMDOM

The email domain (for example, mail.example.com) is on the review list.

REV-FCB

The transaction was marked as a fraud chargeback and is on the review list.

REV-ID

The customer’s account ID is on the review list.

REV-IP

The IP address (for example, 10.1.27.63) is on the review list.

REV-IP3

The network IP address (for example, 10.1.27) is on the review list. A network IP address includes up to 256 IP addresses.

REV-IPCO

The country in which the IP address is located is on the review list.

REV-NFCB

The transaction was marked as a non-fraud chargeback and is on the review list.

REV-PEM

A passenger’s email address is on the review list.

REV-PH

The phone number is on the review list.

REV-PID

A passenger’s account ID is on the review list.

REV-PIP

The proxy IP address is on the review list.

REV-PPH

A passenger’s phone number is on the review list.

REV-SA

The shipping address is on the review list.

REV-SCO

The shipping country is on the review list.

REV-SID

The Smart ID is on the review list.

REV-SUSP

The transaction was marked as suspected fraud and is on the review list.

REV-SZC

The shipping postal code is on the review list.

REV-TIP

The true IP address is on the review list.

Device behavior

Code

Description

AC-ADDR

Auto-completed address information

AC-CC

Auto-completed credit card information

AC-EMAIL

Auto-completed email

AC-NAME

Auto-completed name

AC-PASSWORD

Auto-completed password

AC-PHONE

Auto-completed telephone number

AC-USERNAME

Auto-completed user name

AutoCompleteDetected

Auto complete detected

AF-ADDR

Auto-filled address information

AF-CC

Auto-filled credit card information

AF-EMAIL

Auto-filled email

AF-NAME

Auto-filled name

AF-PASSWORD

Auto-filled password

AF-PHONE

Auto-filled telephone number

AF-USERNAME

Auto-filled user name

AutoFillDetected

Auto fill detected

KeyMouseDisabled

Keyboard or mouse detection disabled

MOP-ADDR

Mouse-off-page address information

MOP-CC

Mouse-off-page credit card information

MOP-EMAIL

Mouse-off-page email

MOP-NAME

Mouse-off-page name

MOP-PASSWORD

Mouse-off-page password

MOP-PHONE

Mouse-off-page telephone number

MOP-USERNAME

Mouse-off-page user name

MouseOffPageDetected

Mouse off page detected

PASTED-ADDR

Pasted address information

PASTED-CC

Pasted credit card information

PASTED-EMAIL

Pasted email

PASTED-NAME

Pasted name

PASTED-PASSWORD

Pasted password

PASTED-PHONE

Pasted telephone number

PASTED-USERNAME

Pasted user name

PasteDetected

Paste detected

Global velocity

The velocity information codes with the suffix -CC refer to credit card and direct debit account numbers.

Code

Description

VEL-ADDR

Different billing and/or shipping states (U.S. and Canada only) have been used several times with the credit card number and/or email address.

VEL-CC

Different account numbers have been used several times with the same name or email address.

VEL-NAME

Different names have been used several times with the credit card number and/or email address.

VELS-CC

The account number has been used several times during the short tracking interval.

VELI-CC

The account number has been used several times during the medium tracking interval.

VELL-CC

The account number has been used several times during the long tracking interval.

VELV-CC

The account number has been used several times during the very long tracking interval.

VELS-EM

The customer’s email address has been used several times during the short tracking interval.

VELI-EM

The customer’s email address has been used several times during the medium tracking interval

VELL-EM

The customer’s email address has been used several times during the long tracking interval.

VELV-EM

The customer’s email address has been used several times during the very long tracking interval.

VELS-FP

The device fingerprint has been used several times during the short tracking interval.

VELI-FP

The device fingerprint has been used several times during the medium tracking interval.

VELL-FP

The device fingerprint has been used several times during the long tracking interval.

VELV-FP

The device fingerprint has been used several times during the very long tracking interval.

VELS-IP

The IP address has been used several times during the short tracking interval.

VELI-IP

The IP address has been used several times during the medium tracking interval.

VELL-IP

The IP address has been used several times during the long tracking interval.

VELV-IP

The IP address has been used several times during the very long tracking interval.

VELS-SA

The shipping address has been used several times during the short tracking interval.

VELI-SA

The shipping address has been used several times during the medium tracking interval.

VELL-SA

The shipping address has been used several times during the long tracking interval.

VELV-SA

The shipping address has been used several times during the very long tracking interval.

VELS-TIP

The true IP address has been used several times during the short interval.

VELI-TIP

The true IP address has been used several times during the medium interval.

VELL-TIP

The true IP address has been used several times during the long interval.

Identity change

Code

Description

MORPH-B

The same billing address has been used several times with multiple customer identities.

MORPH-C

The same account number has been used several times with multiple customer identities.

MORPH-E

The same email address has been used several times with multiple customer identities.

MORPH-I

The same IP address has been used several times with multiple customer identities.

MORPH-P

The same phone number has been used several times with multiple customer identities.

MORPH-S

The same shipping address has been used several times with multiple customer identities.

ID-M-NEG

Correlation with past negative behavior.

ID-M-POS

Correlation with past positive behavior.

ID-M-HNEG

Correlation with past negative behavior is high.

ID-M-HPOS

Correlation with past positive behavior is high.

ID-MNoHistory

Correlation with past behavior not available due to no history.

ID-X-NEG

Correlation with past negative global behavior.

ID-X-POS

Correlation with past positive global behavior.

ID-X-HNEG

Correlation with past negative global behavior is high.

ID-X-HPOS

Correlation with past positive global behavior is high.

ID-XNoHistory

Correlation with past global behavior not available due to no history.

Internet

Code

Description

FREE-EM

The customer’s email address is from a free email provider.

INTL-IPCO

The country of the customer’s IP address is outside of the U.S.

INV-EM

The customer’s email address is invalid.

MMEMBCO

The domain in the customer’s email address is not consistent with the country in the billing address.

MM-IPBC

The customer’s IP address is not consistent with the city in the billing address.

MM-IPBCO

The customer’s IP address is not consistent with the country in the billing address.

MM-IPBST

The customer’s IP address is not consistent with the state in the billing address. However, this information code may not be returned when the inconsistency is between immediately adjacent states.

MM-IPEM

The customer’s email address is not consistent with the customer’s IP address.

RISK-EM

The customer’s email domain (for example, mail.example.com) is associated with higher risk.

UNV-NID

The customer’s IP address is from an anonymous proxy. These entities completely hide the IP information.

UNV-RISK

The IP address is from a risky source.

UNVEMBCO

The country of the customer’s email address does not match the country in the billing address.

Phone

Code

Description

MMACBST

The customer’s phone number is not consistent with the state in the billing address.

RISK-AC

The customer’s area code is associated with higher risk.

RISK-PH

The U.S. or Canadian phone number is incomplete, or one or more parts of the number are risky.

TF-AC

The phone number uses a toll-free area code.

UNV-AC

The area code is invalid.

UNV-OC

The area code and/or the telephone prefix are/is invalid.

UNV-PH

The phone number is invalid.

Suspicious

Code

Description

BAD-FP

The device is risky.

INTL-BIN

The credit card was issued outside of the U.S.

MM-TZTLO

The device’s time zone is inconsistent with the country’s time zones.

MUL-EM

The customer has used more than four different email addresses.

NON-BC

The billing city is nonsensical.

NON-FN

The customer’s first name and last name are identical.

NON-LN

The customer’s last name is nonsensical.

OBS-BC

The billing city contains obscenities.

OBS-EM

The email address contains obscenities.

OBS-FN

The customer’s first and last names contain obscenities.

OBS-LN

The customer’s middle or last name contains obscenities.

RISK-AVS

The combined AVS test result and normalized billing address are risky, such as when the AVS result indicates an exact match, but the normalized billing address is not deliverable.

RISK-BC

The billing city has repeated characters.

RISK-BIN

In the past, this payment card BIN has shown a high incidence of fraud.

RISK-DEV

Some of the device characteristics are risky.

RISK-FN

The customer’s first and last names contain unlikely letter combinations.

RISK-GEO

Indicates a suspicious combination of geographic location elements.

RISK-LN

The customer’s middle or last name contains unlikely letter combinations.

RISK-PIP

The proxy IP address is risky.

RISK-SD

The inconsistency in billing and shipping countries is risky.

RISK-TB

The day and time of the order associated with the billing address is risky.

RISK-TIP

The true IP address is risky.

RISK-TS

The day and time of the order associated with the shipping address is risky.

6.3.4. List handling

Use the list handling endpoint to add or delete entries from the negative or positive list. Set the parameters as follows:

list_name: NEGATIVE or POSITIVE according to which list to modify
action: either ADD or DELETE according to which action to perform
reason: the reason why to add or delete an entry to or from the list

Set the further fields to specify the matching criteria for the list entry.

6.3.5. Reporting fraudulent transactions

To improve the quality of the risk score, merchants are strongly encouraged to contact Deutsche Bank customer support to report fraudulent transactions.

6.4. eScore

eScore offers you various services to minimize the risk of non-payment. The following services are available:

Address Verification (ES0013)
Credit Assessment (ES0012)
Integrated Address Verification, Credit Assessment and Scoring (ES0015)
RPP Check (ES0024)

See the linked sections for details on these services. The following sections include additional information regarding certain parameters of the request or response message.

6.4.1. Score

The following tables show the evaluation scheme for the determination of the return value for the parameter score for the different services.

score - Credit Assessment (ES0012)

Value scoring_rc Credit Assessment Description

550

There are no negative features.

540

Feature cleared

A soft feature, cleared.

340

Feature cleared

Medium feature(s), cleared or more than one soft feature cleared

320

Mwr

A message with reservations, soft

310

Feature

A soft feature

250

Mwr

Message with reservations marked a) hard/medium or b) more than one data record exist

120

Person registered as deceased

110

TKZ 5

Requested address is registered as risk address

100

Features

Person with negative feature(s) medium or hard or more than one soft

Score - Integrated Address Verification, Credit Assessment and Scoring (ES0015)

Value scoring_rc Credit Assessment Address Verification Description

980

PPB

no negative features, score >=500

970

PHB

no negative features, score >=500

960

PPB

no negative features, score >450 <500

950

PHB

no negative features, score >450 <500

760

PAB

no negative features, score >=500

750

PAB

no negative features, score >450 <500

560

PKI

no negative features, score >=500

550

PKI

no negative features, score >450 <500

540

Feature cleared

Any

a soft feature, cleared

530

Any

no negative features, score not possible

460

PPF

no negative features, score >=500

450

PPF

no negative features, score >450 <500

370

PNZ

no negative features, score >=500

360

PNZ

no negative features, score >450 <500

350

Any

no negative features, score ⇐450

340

Feature cleared

Any

medium feature(s), cleared or more than one soft feature, cleared

320

Mwr

Any

A message with reservations, soft

310

Feature

Any

A soft feature

250

Mwr

Any

Message with reservations marked a) hard/medium or b) more than one data record exist

120

Any

Person registered as deceased

110

TKZ 5

Any

Requested address is registered as risk address

100

Features

Any

Person with negative feature(s) medium or hard or more than one soft

6.4.2. Notifications upon divergence of request data

If in a credit assessment request all the following conditions occur:

No absolute match with one of the stored address or data records
Using phonetic and/or associative search algorithms, DB Merchant Solutions REST API determines that there is a data record (or several) stored, with only a (slight) divergence from the request data
DB Merchant Solutions REST API does not know whether the stored data are actually to be allocated to the requested person

then a respective note in the shape of a three-digit code is given, which consists of the following:

The first digit contains the number of data records, which were found and which differ (slightly) (max. 9). The second digit shows the “hardest” markedness of the respective negative feature on hand. The following codes are possible:

H (hard) – entries in the debtor register
M (medium) – court collection proceedings
W (soft) – pre-court collection proceedings

The third digit signifies the address component, which differs from the requested address with the “hardest” feature in the differing address.

The following codes are possible:

N – divergent surname
A – divergent address
V – divergent first name
G – divergent date of birth

The date stated is the date of creation of the negative feature on hand; in the case of several features it is the date of creation of the most recent, “hardest” feature. It is pointed out expressly that the data based on the code supplied is not necessary to be allocated to the requested person, but possibly (only) to a person of the same or very similar name and the same or very similar address.

That means that the code supplied does not readily allow deductions regarding the financial situations or the payment behavior of the requested person. The note should motivate and put the participant in a position to ascertain his request data, the data which is the basis for the credit assessment and/or the identity of the requested person.

Example 1

1WG 22.11.2000 means: Related to the request data the system could not ascertain any data record with a hundred percent match. However, 1 address or data record with divergent date of birth with (at least) one negative feature from the “soft” feature section (= pre-court collection proceedings; date of creation 22nd of November 2000) was ascertained.

Example 2

2MA 15.04.2000 means: Related to the request data the system could not ascertain any data record with a hundred percent match. However, 2 address or data records with negative features were ascertained. The “hardest” of the negative features on hand is allocated to the “medium” feature section (= court collection proceedings; date of creation: 15th of April 2000). The divergence of the data record with the “medium” feature lies in the address.

Example 3

3HV 30.03.2000 means: Related to the request data the system could not ascertain any data record with a hundred percent match. However, 3 address or data records with negative features were ascertained. The “hardest” of the negative features on hand is allocated to the “hard” feature section (= entries in the debtor register; entry dated: 30th of March 2000). The divergence of the data record with the “hard” feature lies in the first name.

Example 4

1WN * 12.02.2000 means: Related to the request data the system could not ascertain any data record with a hundred percent match. However, 1 address or data record with negative features was ascertained. The “hardest” of the negative features on hand is allocated to the “soft” feature section (= pre-court collection proceedings). The asterisk (*) means that the pre-court collection proceedings were cleared by payment. The divergence lies in the surname.

6.4.3. Response codes

The following table shows the most common response codes for eScore transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1523	Means of payment blocked.
1102	Gateway connection problem.
1213	No contract configured.
9000	Indeterminate error
1532	No suitable match.
1502	Configuration problem.

6.4.4. Test data

Address verification

For the address verification no explicit test data are available. However, even in the test system the address verification is against the entire data record of the Deutsche Post Direkt GmbH (German mail). The interface therefore can be tested by providing the interface with real address details.

Credit assessment

For the credit assessment there are two test data records in the following tables, which can be ascribed distinctly to the traffic light value.

Table 10. Test data scoring_rc=G
Parameter	Data record 1	Data record 2
title	Mr	Mrs
first_name	Fritz	Anka
last_name	Wald	Wild
date_of_birth	1957-01-01	1957-01-01
street	August-Laemmle-Str.	Speiersgasse
number	58	61
postal_code	72411	97475
city	Bodelshausen	Zeil
country	DE	DE

Table 11. Test data scoring_rc=Y
Parameter	Data record 1	Data record 2
title	Mr	Mrs
first_name	Wolfgang	Jovanka
last_name	Schmitt	Zeilfelder
date_of_birth	1957-01-01	1971-11-14
street	Hans-Otto-Str.	Koelner Str.
number	13	63
postal_code	04279	33647
city	Leipzig	Bielefeld
country	DE	DE

Table 12. Test data scoring_rc=R
Parameter	Data record 1	Data record 2
title	Mr	Mrs
first_name	Gildo	Engel
last_name	Gauner	Zeilfelder
date_of_birth	1975-21-01	1975-21-01
street	Ottersdorfer Str.	Tilsiter Str.
number	17	55
postal_code	76437	28844
city	Rastatt	Weye
country	DE	DE

RPP Check

Table 13. Test data: valid bank account (ES0024), scoring_rc = G
IBAN	BIC
DE25662500300000010868	SOLADES1BAD

Table 14. Test data: bank account (ES0024), return debit note, scoring_rc = R
IBAN	BIC
DE62100208900001317270	HYVEDEMM488

Table 15. Test data: bank account (ES0024), non consumer account, scoring_rc = R
IBAN	BIC
DE43120965970001131079	GENODEF1S10

6.5. PSD2 AIS

6.5.1. Introduction

DB Merchant Solutions REST API supports bank account information services as stipulated by the Payment Services Directive 2, abbreviated to PSD2 AIS.

The following services are available:

GET /info/banks/psd2: Retrieves how banks matching the given search criteria support PSD2 account information services.
POST /form/event/{event_id}/psd2/account_info: Creates a PSD2 account information transaction via form service.
GET /info/event/{event_id}/psd2/account_info: Retrieves bank account details which were stored in a previous PSD2 account information transaction.

6.5.2. Check banks for supported PSD2 AIS functionality

Use the endpoint GET /info/banks/psd2 with the search criteria bank name, BIC, or German bank code (Bankleitzahl) to obtain a list of banks matching the search criteria and for each returned bank the following information:

psd2_supported: indicates if this bank supports PSD2 account information services.
capabilities:
- AVAILABLE_ACCOUNTS: AIS can be used to find all the customer’s accounts with this bank.
- AVAILABLE_ACCOUNTS_WITH_BALANCE: AIS can be used to find all the customer’s accounts with this bank, including the balances.
- BANK_OFFERED_CONSENT: AIS can be used to find all the customer’s accounts with this bank. If the customer has more than one account, the bank will display the list of accounts and the customer chooses the accounts for which they grant access.
- GLOBAL_CONSENT: AIS can be used to get the customer’s consent to access all accounts.

6.5.3. Obtain bank account information

Course of transaction

The course of transaction for PSD2 AIS is the same as for other Form service services, see Course of transaction. The following paragraphs detail the relevant steps for PSD2 AIS.

Initializing the AIS (step 2)

Use the endpoint POST /form/event/{event_id}/psd2/account_info for initialization.

Use the parameters bank, bank_code, or bank_id to identify the customer’s bank to which they will be redirected.

Use requested_details to furthermore request the owner, the balance, and the transactions (filtered by transaction_filter) of each account.

Use form_data, form_customer_continuation and callback as in other Form service requests. Note that via form_data.labels the following labels specific to PSD2 AIS may be changed:

TITLE_PSD2_ACCOUNT_INFO
TITLE_PSD2_AUTHORISATION_REQUIRED
TITLE_PSD2_AUTHORISE_AIS

Redirect (step 4 and 5)

Redirect the customer to the URL received in the response. The data to be entered may differ from bank to bank, as seen for example for Deutsche Bank and Postbank (here with locale set to de_DE):

PSD2 AIS login Deutsche Bank

PSD2 AIS login Postbank

Customer interaction with the bank (step 8)

How the customer interacts with their bank depends on each bank and their PSD2 capabilities. The bank may choose one of the following approaches:

decoupled
embedded
redirect.

For the merchant, however, these approaches do not make a difference as DB Merchant Solutions REST API encapsulates the functionality.

Callback (step 9)

In the callback request from DB Merchant Solutions REST API to the merchant, the account data is returned in the field accounts.

6.5.4. Retrieve stored bank account details

Use GET /info/event/{event_id}/psd2/account_info with the event_id of the AIS call above to retrieve the bank account information as previously sent in the callback.

6.5.5. Response codes

The following table shows the most common response codes for PSD2 AIS transactions. See Response codes for a complete list of possible response codes.

Response code	Description
0	Transaction successful.
1548	Transaction is pending.
1504	System error.
1547	Input failure.
1545	Authorisation problem.
1103	Illegible gateway response.
1506	Temporary error.
1615	Login/customer ID missing.

7. API reference

As a merchant, use DB Merchant Solutions REST API’s Security API as client for authentication and use DB Merchant Solutions REST API’s Services API as client to use the main functionality.

Implement the Callback API as server to receive callbacks during the transaction processing.

7.1. Security API

7.1.1. Authorization

POST /token

Header Parameters

Name Type Description

X-RandomValue

string

required
minLength: 1
maxLength: 100

A random value; part of the signature input.

Example: 4D-#h+P:I}x:tQ[UUWX)_{2/J/(;2]4wu=y?SipcRV8}B*/V^

X-RequestDate

string

required

Current timestamp formatted according to RFC 7231, section 7.1.1.2; part of the signature input.

Example: Fri, 10 Jan 2020 14:41:15 GMT

Request Body (required)

Type Content-Type

AccessTokenRequest

application/x-www-form-urlencoded

Responses

Code Type Content-Type Description

200

AccessTokenResponse

application/json

Authorization successful.

401

AccessTokenError

application/json

Not authorized, check credentials, scope and implementation.

default

AccessTokenError

application/json

An error occured during authorization process.

7.1.2. Model

AccessTokenError

The response object that is received after a failed authorization.

Property Type Description

cause

string

required
enum
- request_invalid
- grant_type_invalid
- scope_invalid
- unauthorized

grant_type_invalid - Invalid value in property grant_type.
request_invalid - Invalid request.
scope_invalid - Invalid value in property scope.
unauthorized - Invalid credentials.

description

string

A textual description detailing the cause of the failure.

AccessTokenRequest

Perform the request to get an authorization token. Make sure to have URL-encoding applied to the parameter values by your HTTP-client or implementation.

Property Type Description

client_id

string

required
minLength: 1
maxLength: 100

The client-id; part of the signature input.

Example: client_id_value

client_secret

string

required
minLength: 1
maxLength: 100

The calculated client secret. Consult the documentation for implementation details.

Example: V1:VoKCzVc+Cy0wmwpaqo/98KQheTjFvXL8w0xsfwZG68M=

grant_type

string

required
enum
- client_credentials

The grant type of the request. Use fixed value client_credentials.

scope

string

required
enum
- ftx
- configuration

The application scope of the request.

AccessTokenResponse

The response object that is received after a successful authorization.

Property Type Description

access_token

string

required

The access token is used as credential for service requests.

Example: eyJraWQiOiJrMSIsInR5cCI6IkpXVCIsImFsZyI6IkhTMjU2In0…

expires_in

integer

required

The duration in seconds the token is valid.

Example: 3600

expires_on

integer

required
format: int64

The time the token expires. Format is Unix time.

Example: 1579182837

scope

string

required
enum
- ftx
- configuration

The application scope of the request. Corresponds to scope in the request.

token_type

string

required
enum
- Bearer

The type of the token.

7.2. Services API

7.2.1. Alias

The alias API contains endpoints to add, update or delete aliases for means of payment.

GET /alias/bankaccount/{alias}

Retrieves a bank account alias by its name.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the alias. Sensitive bank account data may be masked, depending on the configuration of the merchant’s account. If the alias is unknown or in case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

DELETE /alias/bankaccount/{alias}

Deletes a bank account alias.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

BaseResponse

application/json

A return code and a message, indicating whether or not the operation was successful.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

PATCH /alias/bankaccount/{alias}

Updates the address attached to a bank account alias.

In most SEPA countries, address data is not required for payment processing. However, some countries require addresses in addition to means of payment data for successful authorization. This endpoint provides functionality to update this address data.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample update of alias address

Request type: CommonAddress

{
  "address_line_1" : "Rohrteichstr 18",
  "postalCode" : "98765",
  "city" : "newCity",
  "country" : "DE"
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the updated alias. Sensitive bank account data may be masked, depending on the configuration of the merchant’s account. If the alias was unknown or in case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /alias/bankaccount

Creates a new bank account alias.

Clients may specify a bank account alias themselves by submitting the desired value in the alias field. If the alias field is left blank, an alias will be generated. Bank account aliases may also be created during payment processing. The bank account field of the request requires an iban to be present. All other fields are optional. In most SEPA countries, address data is not required for payment processing. However, some countries require addresses in addition to means of payment data for successful authorization. This is why this endpoint provides an option to specify additional address data which will be stored along with the new alias if present. Bank accounts and aliases have a 1:1 relation, that is if an alias is assigned to a bank account creating another alias for the same bank account results in an error, as does assigning an existing alias to another bank account.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

AliasBankAccountRequest

application/json

Request example Sample creation of alias for a bank account

Request type: AliasBankAccountRequest

{
  "alias" : "example-dd-alias",
  "bank_account" : {
    "iban" : "DE39123456790009290701",
    "account_holder" : "Rene Holder"
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the created alias. Sensitive bank account data may be masked, depending on the configuration of the merchant’s account. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /alias/bankaccount/get

Retrieves a bank account alias by bank account data.

Due to security reasons, this is a GET with body payload (see https://opensource.zalando.com/restful-api-guidelines/#get-with-body) operation. No resources will be created.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

BankAccount

application/json

Request example Sample get bank account

Request type: BankAccount

{
  "iban" : "DE39123456790009290701",
  "account_holder" : "Rene Holder"
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the alias. Sensitive bank account data may be masked, depending on the configuration of the merchant’s account. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /alias/creditcard

Creates a new credit card alias.

Clients may specify a card number alias themselves by submitting the desired value in the alias field. If the alias field is left blank, an alias will be generated. Card number aliases may also be created during payment processing. The credit card field of the request requires a number and an expiry date to be present. All other fields are optional. Credit cards and aliases have a 1:1 relation, that is if an alias is assigned to a credit card creating another alias for the same card results in an error, as does assigning an existing alias to another credit card.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

AliasCreditCardRequest

application/json

Request example Sample creation of an alias for a credit card

Request type: AliasCreditCardRequest

{
  "alias" : "example-cc-alias",
  "credit_card" : {
    "number" : "4111111111111111",
    "code" : "123",
    "cardholder" : "Card T. Holder",
    "expiry_date" : {
      "year" : 2029,
      "month" : 11
    }
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the created alias. Sensitive credit card data may be masked, depending on the configuration of the merchant’s account. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

GET /alias/creditcard/{alias}

Retrieves a credit card alias by its name.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the alias. Sensitive credit card data may be masked, depending on the configuration of the merchant’s account. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

DELETE /alias/creditcard/{alias}

Deletes a credit card alias.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

BaseResponse

application/json

A return code and a message, indicating whether or not the operation was successful.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /alias/creditcard/get

Retrieves a credit card alias by credit card data.

Due to security reasons, this is a GET with body payload (see https://opensource.zalando.com/restful-api-guidelines/#get-with-body) operation. No resources will be created.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

CreditCard

application/json

Request example Sample retrieve credit card alias

Request type: CreditCard

{
  "number" : "4111111111111111",
  "code" : "123",
  "cardholder" : "Card T. Holder",
  "expiry_date" : {
    "year" : 2029,
    "month" : 11
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the alias. Sensitive credit card data may be masked, depending on the configuration of the merchant’s account. If the credit card data did not match a known credit card or in case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

GET /alias/{alias}

Retrieves an alias (credit card, bank account, or Klarna) by its name.

This is a generalized variant of the other GET alias endpoints of this API. May be used by clients that cannot or do not want to decide on the type of alias to be retrieved.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by information about the alias. Depending on the type of means of payment this alias is connected to, the appropriate fields will be set in the response. Sensitive means of payment data may be masked, depending on the configuration of the merchant’s account. If the alias is unknown or in case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

DELETE /alias/{alias}

Deletes an alias (credit card, bank account, or Klarna).

This is a generalized variant of the other DELETE alias endpoints of this API. May be used by clients that cannot or do not want to decide on the type of alias to be deleted.

Path Parameters

Name Type Description

alias

string

required

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

BaseResponse

application/json

A return code and a message, indicating whether or not the operation was successful.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

ApplePayPaymentSessionRequest

application/json

Access to this resource is forbidden with these credentials.

7.2.2. Apple Pay

The Apple Pay API contains endpoints to initiate a payment session to perform credit card payment transactions based on Apple Pay payment information.

POST /applepay/paymentSession/{event_id}

Perform payment session requests based on Apple Pay data.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample Apple Pay Payment Session request

Request type: ApplePayPaymentSessionRequest

{
  "merchant_id" : "merchant.processingpagateq.merchantsolution",
  "initiative_context" : "testmerch.directpos.de"
}

Responses

Code Type Content-Type Description

200

ApplePayPaymentSessionResponse

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

ApplePayPaymentSessionResponse

application/json

Access to this resource is forbidden with these credentials.

Response examples Session has been created, no further actions required.

Status code:

200

Return type:

{
  "applepay_payment_session_token" : "eyJlcG9jaFRpbWVzdGFtcCI6MTY1OTUyODYxMzQ5MywiZXhwaXJlc0F0IjoxNjU5NTMyMjEzNDkzLCJtZXJjaGFudFNlc3Npb25JZGVudGlmaWVyIjoiU1NIRjUyNTM0MUM1OTY1NDE4ODkwMkZBRDM0RDA2NEQ0OTZfNTE2OTYyRkI1NUYyNEQ2NTU5RTg2MkU5Nzk5OTJCRDI5RENGQTVEMkJBOEFEOEQ0RDg5M0Y4Mzc1OTYwODNDQSIsIm5vbmNlIjoiNGEyMWYzZjAiLCJtZXJjaGFudElkZW50aWZpZXIiOiIyODczMkE0RjA1QUUwNTU1MDA3NzY0MkNDNkJBQkE4QzU5MjNFMzQ3QTA4MzgwM0MwQjdBODA4ODcxMEMzMUU0IiwiZG9tYWluTmFtZSI6InRlc3RtZXJjaC5kaXJlY3Rwb3MuZGUiLCJkaXNwbGF5TmFtZSI6IkRCLk1lcmNoYW50U29sdXRpb24uVGVzdE1lcmNoYW50Iiwic2lnbmF0dXJlIjoiMzA4MDA2MDkyYTg2NDg4NmY3MGQwMTA3MDJhMDgwMzA4MDAyMDEwMTMxMGYzMDBkMDYwOTYwODY0ODAxNjUwMzA0MDIwMTA1MDAzMDgwMDYwOTJhODY0ODg2ZjcwZDAxMDcwMTAwMDBhMDgwMzA4MjAzZTMzMDgyMDM4OGEwMDMwMjAxMDIwMjA4NGMzMDQxNDk1MTlkNTQzNjMwMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwN2EzMTJlMzAyYzA2MDM1NTA0MDMwYzI1NDE3MDcwNmM2NTIwNDE3MDcwNmM2OTYzNjE3NDY5NmY2ZTIwNDk2ZTc0NjU2NzcyNjE3NDY5NmY2ZTIwNDM0MTIwMmQyMDQ3MzMzMTI2MzAyNDA2MDM1NTA0MGIwYzFkNDE3MDcwNmM2NTIwNDM2NTcyNzQ2OTY2Njk2MzYxNzQ2OTZmNmUyMDQxNzU3NDY4NmY3MjY5NzQ3OTMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMzAxZTE3MGQzMTM5MzAzNTMxMzgzMDMxMzMzMjM1Mzc1YTE3MGQzMjM0MzAzNTMxMzYzMDMxMzMzMjM1Mzc1YTMwNWYzMTI1MzAyMzA2MDM1NTA0MDMwYzFjNjU2MzYzMmQ3MzZkNzAyZDYyNzI2ZjZiNjU3MjJkNzM2OTY3NmU1ZjU1NDMzNDJkNTA1MjRmNDQzMTE0MzAxMjA2MDM1NTA0MGIwYzBiNjk0ZjUzMjA1Mzc5NzM3NDY1NmQ3MzMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMzA1OTMwMTMwNjA3MmE4NjQ4Y2UzZDAyMDEwNjA4MmE4NjQ4Y2UzZDAzMDEwNzAzNDIwMDA0YzIxNTc3ZWRlYmQ2YzdiMjIxOGY2OGRkNzA5MGExMjE4ZGM3YjBiZDZmMmMyODNkODQ2MDk1ZDk0YWY0YTU0MTFiODM0MjBlZDgxMWYzNDA3ZTgzMzMxZjFjNTRjM2Y3ZWIzMjIwZDZiYWQ1ZDRlZmY0OTI4OTg5M2U3YzBmMTNhMzgyMDIxMTMwODIwMjBkMzAwYzA2MDM1NTFkMTMwMTAxZmYwNDAyMzAwMDMwMWYwNjAzNTUxZDIzMDQxODMwMTY4MDE0MjNmMjQ5YzQ0ZjkzZTRlZjI3ZTZjNGY2Mjg2YzNmYTJiYmZkMmU0YjMwNDUwNjA4MmIwNjAxMDUwNTA3MDEwMTA0MzkzMDM3MzAzNTA2MDgyYjA2MDEwNTA1MDczMDAxODYyOTY4NzQ3NDcwM2EyZjJmNmY2MzczNzAyZTYxNzA3MDZjNjUyZTYzNmY2ZDJmNmY2MzczNzAzMDM0MmQ2MTcwNzA2YzY1NjE2OTYzNjEzMzMwMzIzMDgyMDExZDA2MDM1NTFkMjAwNDgyMDExNDMwODIwMTEwMzA4MjAxMGMwNjA5MmE4NjQ4ODZmNzYzNjQwNTAxMzA4MWZlMzA4MWMzMDYwODJiMDYwMTA1MDUwNzAyMDIzMDgxYjYwYzgxYjM1MjY1NmM2OTYxNmU2MzY1MjA2ZjZlMjA3NDY4Njk3MzIwNjM2NTcyNzQ2OTY2Njk2MzYxNzQ2NTIwNjI3OTIwNjE2ZTc5MjA3MDYxNzI3NDc5MjA2MTczNzM3NTZkNjU3MzIwNjE2MzYzNjU3MDc0NjE2ZTYzNjUyMDZmNjYyMDc0Njg2NTIwNzQ2ODY1NmUyMDYxNzA3MDZjNjk2MzYxNjI2YzY1MjA3Mzc0NjE2ZTY0NjE3MjY0MjA3NDY1NzI2ZDczMjA2MTZlNjQyMDYzNmY2ZTY0Njk3NDY5NmY2ZTczMjA2ZjY2MjA3NTczNjUyYzIwNjM2NTcyNzQ2OTY2Njk2MzYxNzQ2NTIwNzA2ZjZjNjk2Mzc5MjA2MTZlNjQyMDYzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA3MDcyNjE2Mzc0Njk2MzY1MjA3Mzc0NjE3NDY1NmQ2NTZlNzQ3MzJlMzAzNjA2MDgyYjA2MDEwNTA1MDcwMjAxMTYyYTY4NzQ3NDcwM2EyZjJmNzc3Nzc3MmU2MTcwNzA2YzY1MmU2MzZmNmQyZjYzNjU3Mjc0Njk2NjY5NjM2MTc0NjU2MTc1NzQ2ODZmNzI2OTc0NzkyZjMwMzQwNjAzNTUxZDFmMDQyZDMwMmIzMDI5YTAyN2EwMjU4NjIzNjg3NDc0NzAzYTJmMmY2MzcyNmMyZTYxNzA3MDZjNjUyZTYzNmY2ZDJmNjE3MDcwNmM2NTYxNjk2MzYxMzMyZTYzNzI2YzMwMWQwNjAzNTUxZDBlMDQxNjA0MTQ5NDU3ZGI2ZmQ1NzQ4MTg2ODk4OTc2MmY3ZTU3ODUwN2U3OWI1ODI0MzAwZTA2MDM1NTFkMGYwMTAxZmYwNDA0MDMwMjA3ODAzMDBmMDYwOTJhODY0ODg2Zjc2MzY0MDYxZDA0MDIwNTAwMzAwYTA2MDgyYTg2NDhjZTNkMDQwMzAyMDM0OTAwMzA0NjAyMjEwMGJlMDk1NzFmZTcxZTFlNzM1YjU1ZTVhZmFjYjRjNzJmZWI0NDVmMzAxODUyMjJjNzI1MTAwMmI2MWViZDZmNTUwMjIxMDBkMThiMzUwYTVkZDZkZDZlYjE3NDYwMzViMTFlYjJjZTg3Y2ZhM2U2YWY2Y2JkODM4MDg5MGRjODJjZGRhYTYzMzA4MjAyZWUzMDgyMDI3NWEwMDMwMjAxMDIwMjA4NDk2ZDJmYmYzYTk4ZGE5NzMwMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwNjczMTFiMzAxOTA2MDM1NTA0MDMwYzEyNDE3MDcwNmM2NTIwNTI2ZjZmNzQyMDQzNDEyMDJkMjA0NzMzMzEyNjMwMjQwNjAzNTUwNDBiMGMxZDQxNzA3MDZjNjUyMDQzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA0MTc1NzQ2ODZmNzI2OTc0NzkzMTEzMzAxMTA2MDM1NTA0MGEwYzBhNDE3MDcwNmM2NTIwNDk2ZTYzMmUzMTBiMzAwOTA2MDM1NTA0MDYxMzAyNTU1MzMwMWUxNzBkMzEzNDMwMzUzMDM2MzIzMzM0MzYzMzMwNWExNzBkMzIzOTMwMzUzMDM2MzIzMzM0MzYzMzMwNWEzMDdhMzEyZTMwMmMwNjAzNTUwNDAzMGMyNTQxNzA3MDZjNjUyMDQxNzA3MDZjNjk2MzYxNzQ2OTZmNmUyMDQ5NmU3NDY1Njc3MjYxNzQ2OTZmNmUyMDQzNDEyMDJkMjA0NzMzMzEyNjMwMjQwNjAzNTUwNDBiMGMxZDQxNzA3MDZjNjUyMDQzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA0MTc1NzQ2ODZmNzI2OTc0NzkzMTEzMzAxMTA2MDM1NTA0MGEwYzBhNDE3MDcwNmM2NTIwNDk2ZTYzMmUzMTBiMzAwOTA2MDM1NTA0MDYxMzAyNTU1MzMwNTkzMDEzMDYwNzJhODY0OGNlM2QwMjAxMDYwODJhODY0OGNlM2QwMzAxMDcwMzQyMDAwNGYwMTcxMTg0MTlkNzY0ODVkNTFhNWUyNTgxMDc3NmU4ODBhMmVmZGU3YmFlNGRlMDhkZmM0YjkzZTEzMzU2ZDU2NjViMzVhZTIyZDA5Nzc2MGQyMjRlN2JiYTA4ZmQ3NjE3Y2U4OGNiNzZiYjY2NzBiZWM4ZTgyOTg0ZmY1NDQ1YTM4MWY3MzA4MWY0MzA0NjA2MDgyYjA2MDEwNTA1MDcwMTAxMDQzYTMwMzgzMDM2MDYwODJiMDYwMTA1MDUwNzMwMDE4NjJhNjg3NDc0NzAzYTJmMmY2ZjYzNzM3MDJlNjE3MDcwNmM2NTJlNjM2ZjZkMmY2ZjYzNzM3MDMwMzQyZDYxNzA3MDZjNjU3MjZmNmY3NDYzNjE2NzMzMzAxZDA2MDM1NTFkMGUwNDE2MDQxNDIzZjI0OWM0NGY5M2U0ZWYyN2U2YzRmNjI4NmMzZmEyYmJmZDJlNGIzMDBmMDYwMzU1MWQxMzAxMDFmZjA0MDUzMDAzMDEwMWZmMzAxZjA2MDM1NTFkMjMwNDE4MzAxNjgwMTRiYmIwZGVhMTU4MzM4ODlhYTQ4YTk5ZGViZWJkZWJhZmRhY2IyNGFiMzAzNzA2MDM1NTFkMWYwNDMwMzAyZTMwMmNhMDJhYTAyODg2MjY2ODc0NzQ3MDNhMmYyZjYzNzI2YzJlNjE3MDcwNmM2NTJlNjM2ZjZkMmY2MTcwNzA2YzY1NzI2ZjZmNzQ2MzYxNjczMzJlNjM3MjZjMzAwZTA2MDM1NTFkMGYwMTAxZmYwNDA0MDMwMjAxMDYzMDEwMDYwYTJhODY0ODg2Zjc2MzY0MDYwMjBlMDQwMjA1MDAzMDBhMDYwODJhODY0OGNlM2QwNDAzMDIwMzY3MDAzMDY0MDIzMDNhY2Y3MjgzNTExNjk5YjE4NmZiMzVjMzU2Y2E2MmJmZjQxN2VkZDkwZjc1NGRhMjhlYmVmMTljODE1ZTQyYjc4OWY4OThmNzliNTk5Zjk4ZDU0MTBkOGY5ZGU5YzJmZTAyMzAzMjJkZDU0NDIxYjBhMzA1Nzc2YzVkZjMzODNiOTA2N2ZkMTc3YzJjMjE2ZDk2NGZjNjcyNjk4MjEyNmY1NGY4N2E3ZDFiOTljYjliMDk4OTIxNjEwNjk5MGYwOTkyMWQwMDAwMzE4MjAxOGMzMDgyMDE4ODAyMDEwMTMwODE4NjMwN2EzMTJlMzAyYzA2MDM1NTA0MDMwYzI1NDE3MDcwNmM2NTIwNDE3MDcwNmM2OTYzNjE3NDY5NmY2ZTIwNDk2ZTc0NjU2NzcyNjE3NDY5NmY2ZTIwNDM0MTIwMmQyMDQ3MzMzMTI2MzAyNDA2MDM1NTA0MGIwYzFkNDE3MDcwNmM2NTIwNDM2NTcyNzQ2OTY2Njk2MzYxNzQ2OTZmNmUyMDQxNzU3NDY4NmY3MjY5NzQ3OTMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMDIwODRjMzA0MTQ5NTE5ZDU0MzYzMDBkMDYwOTYwODY0ODAxNjUwMzA0MDIwMTA1MDBhMDgxOTUzMDE4MDYwOTJhODY0ODg2ZjcwZDAxMDkwMzMxMGIwNjA5MmE4NjQ4ODZmNzBkMDEwNzAxMzAxYzA2MDkyYTg2NDg4NmY3MGQwMTA5MDUzMTBmMTcwZDMyMzIzMDM4MzAzMzMxMzIzMTMwMzEzMzVhMzAyYTA2MDkyYTg2NDg4NmY3MGQwMTA5MzQzMTFkMzAxYjMwMGQwNjA5NjA4NjQ4MDE2NTAzMDQwMjAxMDUwMGExMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwMmYwNjA5MmE4NjQ4ODZmNzBkMDEwOTA0MzEyMjA0MjBjYWRlZWE1ODc3MTE1OTVlMTg5ZDNhOTUyMDBmMDdhZTQwNTE2M2JmNzA1MTk2MWRlMDk1NzY0ZGYyOTcxOTQzMzAwYTA2MDgyYTg2NDhjZTNkMDQwMzAyMDQ0NzMwNDUwMjIxMDA5MDUyMWYzNjJmYzk1ZGNiMDhhZjQxOTMyYTNkM2Y2YTNhYzVkNWFiZTIyMmYxY2YxZDAxMDNiMjM5MWI3MzEwMDIyMDYxMzZlYzJkNGQ2N2MwODZiZDRiYTA5YTJjZjMwODY1ZjJhYTM5NWMwODlmZTFkM2UwYWM4YTgzM2YwNjIwZDUwMDAwMDAwMDAwMDAiLCJvcGVyYXRpb25hbEFuYWx5dGljc0lkZW50aWZpZXIiOiJEQi5NZXJjaGFudFNvbHV0aW9uLlRlc3RNZXJjaGFudDoyODczMkE0RjA1QUUwNTU1MDA3NzY0MkNDNkJBQkE4QzU5MjNFMzQ3QTA4MzgwM0MwQjdBODA4ODcxMEMzMUU0IiwicmV0cmllcyI6MCwicHNwSWQiOiIyODczMkE0RjA1QUUwNTU1MDA3NzY0MkNDNkJBQkE4QzU5MjNFMzQ3QTA4MzgwM0MwQjdBODA4ODcxMEMzMUU0In0=",
  "rc" : "0",
  "message" : "success"
}

Session creation failed

Status code:

200

Return type:

ApplePayPaymentSessionResponse

{
  "rc" : "1547",
  "message" : "Payment Services Exception merchantId=28 not registered for domain=unknown.domain.com"
}

POST /applepay/pay/{event_id}/{tx_action}/initialize

Perform payment requests based on Apple Pay data.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- credit
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

ApplePayPaymentRequest

application/json

Request example Sample Apple Pay payment request

Request type: ApplePayPaymentRequest

{
  "means_of_payment" : {
    "applepay_token" : "eyJwYXltZW50RGF0YSI6eyJ2ZXJzaW9uIjoiRUNfdjEiLCJkYXRhIjoiYWJONTBPS0FNd1pUU0lJV2Z4VWpYWGhncVVZNTIrMlVnZWY4Q0VMUTg2QTE3eFJwdEdhTWFjWHhvNXl1Um1UVDFOb2Y3VERYeHFncHFkL2Mwa2l1OXZKcy9DcVNKUHZNUG9BbkJEemlYTGtDK0JnRFBJVERuMzFLTlVHU3dYQ1QrVkJZdy85cHVocVVvSWQwcU1QRzRUQ2E1cDBVc3k4VmkxN0g2bGpJaGhpdStKNXoxWWpsTTJBbXZtMmdxSUZ2WHRWdmJYbTBGL05tZDBqZWEvcUQ4UUNmQURJa0NkSHZwQWJic2gyTlVMbzFYbm1UNFlodFRjN1o5Zy9helVtMm9YTjZWdlRYYXY0SHhzZGJueERjN2tpWGo5U3VYYVN3anZudTdtS21uUG0zVXlQMkk2QWc1cDJZTGQ3dXg4bURpUmxQUG9WY0FLM0U4N2dxRU90a0lHUGRaM0JCZ1paOHNjaFlJQVRqR1p4aWI4aHRFNk1mcE1jV0VJdFlrVlZ5QzFIREpMcWdsY2VjRU1rUWhRPT0iLCJzaWduYXR1cmUiOiJNSUFHQ1NxR1NJYjNEUUVIQXFDQU1JQUNBUUV4RFRBTEJnbGdoa2dCWlFNRUFnRXdnQVlKS29aSWh2Y05BUWNCQUFDZ2dEQ0NBK013Z2dPSW9BTUNBUUlDQ0V3d1FVbFJuVlEyTUFvR0NDcUdTTTQ5QkFNQ01Ib3hMakFzQmdOVkJBTU1KVUZ3Y0d4bElFRndjR3hwWTJGMGFXOXVJRWx1ZEdWbmNtRjBhVzl1SUVOQklDMGdSek14SmpBa0JnTlZCQXNNSFVGd2NHeGxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1STXdFUVlEVlFRS0RBcEJjSEJzWlNCSmJtTXVNUXN3Q1FZRFZRUUdFd0pWVXpBZUZ3MHhPVEExTVRnd01UTXlOVGRhRncweU5EQTFNVFl3TVRNeU5UZGFNRjh4SlRBakJnTlZCQU1NSEdWall5MXpiWEF0WW5KdmEyVnlMWE5wWjI1ZlZVTTBMVkJTVDBReEZEQVNCZ05WQkFzTUMybFBVeUJUZVhOMFpXMXpNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVFzd0NRWURWUVFHRXdKVlV6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNSVZkKzNyMXNleUlZOW8zWENRb1NHTng3QzlieXdvUFlSZ2xkbEs5S1ZCRzROQ0R0Z1I4MEIrZ3pNZkhGVEQ5K3N5SU5hNjFkVHY5SktKaVQ1OER4T2pnZ0lSTUlJQ0RUQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWRJd1FZTUJhQUZDUHlTY1JQaytUdkorYkU5aWhzUDZLNy9TNUxNRVVHQ0NzR0FRVUZCd0VCQkRrd056QTFCZ2dyQmdFRkJRY3dBWVlwYUhSMGNEb3ZMMjlqYzNBdVlYQndiR1V1WTI5dEwyOWpjM0F3TkMxaGNIQnNaV0ZwWTJFek1ESXdnZ0VkQmdOVkhTQUVnZ0VVTUlJQkVEQ0NBUXdHQ1NxR1NJYjNZMlFGQVRDQi9qQ0J3d1lJS3dZQkJRVUhBZ0l3Z2JZTWdiTlNaV3hwWVc1alpTQnZiaUIwYUdseklHTmxjblJwWm1sallYUmxJR0o1SUdGdWVTQndZWEowZVNCaGMzTjFiV1Z6SUdGalkyVndkR0Z1WTJVZ2IyWWdkR2hsSUhSb1pXNGdZWEJ3YkdsallXSnNaU0J6ZEdGdVpHRnlaQ0IwWlhKdGN5QmhibVFnWTI5dVpHbDBhVzl1Y3lCdlppQjFjMlVzSUdObGNuUnBabWxqWVhSbElIQnZiR2xqZVNCaGJtUWdZMlZ5ZEdsbWFXTmhkR2x2YmlCd2NtRmpkR2xqWlNCemRHRjBaVzFsYm5SekxqQTJCZ2dyQmdFRkJRY0NBUllxYUhSMGNEb3ZMM2QzZHk1aGNIQnNaUzVqYjIwdlkyVnlkR2xtYVdOaGRHVmhkWFJvYjNKcGRIa3ZNRFFHQTFVZEh3UXRNQ3N3S2FBbm9DV0dJMmgwZEhBNkx5OWpjbXd1WVhCd2JHVXVZMjl0TDJGd2NHeGxZV2xqWVRNdVkzSnNNQjBHQTFVZERnUVdCQlNVVjl0djFYU0Job21KZGk5K1Y0VUg1NXRZSkRBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZSktvWklodmRqWkFZZEJBSUZBREFLQmdncWhrak9QUVFEQWdOSkFEQkdBaUVBdmdsWEgrY2VIbk5iVmVXdnJMVEhMK3RFWHpBWVVpTEhKUkFDdGg2OWIxVUNJUURSaXpVS1hkYmRickYwWURXeEhyTE9oOCtqNXE5c3ZZT0FpUTNJTE4ycVl6Q0NBdTR3Z2dKMW9BTUNBUUlDQ0VsdEw3ODZtTnFYTUFvR0NDcUdTTTQ5QkFNQ01HY3hHekFaQmdOVkJBTU1Fa0Z3Y0d4bElGSnZiM1FnUTBFZ0xTQkhNekVtTUNRR0ExVUVDd3dkUVhCd2JHVWdRMlZ5ZEdsbWFXTmhkR2x2YmlCQmRYUm9iM0pwZEhreEV6QVJCZ05WQkFvTUNrRndjR3hsSUVsdVl5NHhDekFKQmdOVkJBWVRBbFZUTUI0WERURTBNRFV3TmpJek5EWXpNRm9YRFRJNU1EVXdOakl6TkRZek1Gb3dlakV1TUN3R0ExVUVBd3dsUVhCd2JHVWdRWEJ3YkdsallYUnBiMjRnU1c1MFpXZHlZWFJwYjI0Z1EwRWdMU0JITXpFbU1DUUdBMVVFQ3d3ZFFYQndiR1VnUTJWeWRHbG1hV05oZEdsdmJpQkJkWFJvYjNKcGRIa3hFekFSQmdOVkJBb01Da0Z3Y0d4bElFbHVZeTR4Q3pBSkJnTlZCQVlUQWxWVE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRThCY1JoQm5YWklYVkdsNGxnUWQyNklDaTc5NTdyazNnamZ4TGsrRXpWdFZtV3pXdUl0Q1hkZzBpVG51NkNQMTJGODZJeTNhN1puQyt5T2dwaFA5VVJhT0I5ekNCOURCR0JnZ3JCZ0VGQlFjQkFRUTZNRGd3TmdZSUt3WUJCUVVITUFHR0ttaDBkSEE2THk5dlkzTndMbUZ3Y0d4bExtTnZiUzl2WTNOd01EUXRZWEJ3YkdWeWIyOTBZMkZuTXpBZEJnTlZIUTRFRmdRVUkvSkp4RStUNU84bjVzVDJLR3cvb3J2OUxrc3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWZCZ05WSFNNRUdEQVdnQlM3c042aFdET0ltcVNLbWQ2K3ZldXYyc3NrcXpBM0JnTlZIUjhFTURBdU1DeWdLcUFvaGlab2RIUndPaTh2WTNKc0xtRndjR3hsTG1OdmJTOWhjSEJzWlhKdmIzUmpZV2N6TG1OeWJEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VBWUtLb1pJaHZkalpBWUNEZ1FDQlFBd0NnWUlLb1pJemowRUF3SURad0F3WkFJd09zOXlnMUVXbWJHRyt6WERWc3Bpdi9RWDdka1BkVTJpanI3eG5JRmVRcmVKK0pqM20xbWZtTlZCRFkrZDZjTCtBakF5TGRWRUliQ2pCWGRzWGZNNE81Qm4vUmQ4TENGdGxrL0djbW1DRW05VStIcDlHNW5MbXdtSklXRUdtUThKa2gwQUFER0NBWWd3Z2dHRUFnRUJNSUdHTUhveExqQXNCZ05WQkFNTUpVRndjR3hsSUVGd2NHeHBZMkYwYVc5dUlFbHVkR1ZuY21GMGFXOXVJRU5CSUMwZ1J6TXhKakFrQmdOVkJBc01IVUZ3Y0d4bElFTmxjblJwWm1sallYUnBiMjRnUVhWMGFHOXlhWFI1TVJNd0VRWURWUVFLREFwQmNIQnNaU0JKYm1NdU1Rc3dDUVlEVlFRR0V3SlZVd0lJVERCQlNWR2RWRFl3Q3dZSllJWklBV1VEQkFJQm9JR1RNQmdHQ1NxR1NJYjNEUUVKQXpFTEJna3Foa2lHOXcwQkJ3RXdIQVlKS29aSWh2Y05BUWtGTVE4WERUSXlNVEV3TnpFeE1qWXpObG93S0FZSktvWklodmNOQVFrME1Sc3dHVEFMQmdsZ2hrZ0JaUU1FQWdHaENnWUlLb1pJemowRUF3SXdMd1lKS29aSWh2Y05BUWtFTVNJRUlITDBiWkczRk51NHhsZ0tCcW9hVGh5dm1DWnJTeXY5UG51NjlZcUFrK2dVTUFvR0NDcUdTTTQ5QkFNQ0JFY3dSUUlnSnpFNG1adjNYc003M01PZHJFcU9EWjN0cXQ0ZE9wdlFhc0YyRGpyOVFiNENJUUMzT2hGczJmMVM0ZndhRThuNDNGVlRTZWo0NDl4YUpiZElMbnFHQVlMcXFRQUFBQUFBQUE9PSIsImhlYWRlciI6eyJlcGhlbWVyYWxQdWJsaWNLZXkiOiJNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVpbXhhUmR4dGJaeFNVUEtYSVh2NG5RS3lSTHdUQjdHcUN5UjhDc2hKTGhraTlJUXErTVNsaHArOXlqQURvcVR1a0R6VkVXblBabUNnTnBDUTNUZ3ZyUT09IiwicHVibGljS2V5SGFzaCI6ImI2UXJSemt6NnJzRGdWV2hTdzh0ZkdGRHprcHdtOTV4RUpzYnFGSWJVcDQ9IiwidHJhbnNhY3Rpb25JZCI6IjY1ODYwNjA4Y2YwZDAxYzgzNTUyNmIwOGZjOTNmNTE1M2Y0NDdlZDgwZDU3MjhkMjNjMDMwNzhjZmIxMWIxMjUifX0sInBheW1lbnRNZXRob2QiOnsiZGlzcGxheU5hbWUiOiJNYXN0ZXJDYXJkIDA4MzkiLCJuZXR3b3JrIjoiTWFzdGVyQ2FyZCIsInR5cGUiOiJjcmVkaXQifSwidHJhbnNhY3Rpb25JZGVudGlmaWVyIjoiNjU4NjA2MDhDRjBEMDFDODM1NTI2QjA4RkM5M0Y1MTUzRjQ0N0VEODBENTcyOEQyM0MwMzA3OENGQjExQjEyNSJ9"
  },
  "processing_options" : [ "RISKCHECK" ],
  "amount_total" : {
    "amount" : 1000,
    "currency" : "EUR"
  },
  "tds_20_data" : {
    "communication_data" : {
      "method_notification_url" : "https://example.com/method_notification_url",
      "cres_notification_url" : "https://example.com/cres_notification_url"
    }
  }
}

Responses

Code Type Content-Type Description

200

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response examples Transaction has been processed, no further actions required

Status code:

200

Return type:

{
  "outcome" : "PROCESSED",
  "processed" : {
    "amount_total" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "event_id" : "id1628241502404",
    "kind" : "CREDITCARD_3DS20",
    "tx_action" : "preauthorization",
    "tx_id" : "fCDszGoUje8piOUC2tVVU9",
    "back_rc" : "00",
    "transaction_info" : {
      "type" : "creditcard",
      "transaction_creditcard_info" : {
        "credit_card" : {
          "number" : "401200******7778",
          "expiry_date" : {
            "year" : 2034,
            "month" : 12
          },
          "cardholder" : "Card Holder"
        }
      }
    },
    "rc" : "0",
    "message" : "Transaction successful."
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

Proceed with 3-D Secure method flow

Status code:

200

Return type:

{
  "outcome" : "METHOD_REQUIRED",
  "method_required" : {
    "method_request" : "ew0KICAiY29udGVudCIgOiAiZHVtbXkiDQp9",
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

Proceed with 3-D Secure challenge flow

Status code:

200

Return type:

EScoreAddresscheckResponse

{
  "outcome" : "CHALLENGE_REQUIRED",
  "challenge_required" : {
    "acs_url" : "https://acs.example.com/acs/challenge/ew0KICAiZHVtbXkiIDogImR1bW15Ig0KfQ==",
    "creq" : "ew0KICAiZHVtbXkiIDogImNvbnRlbnQiDQp9"
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

7.2.3. eScore

The eScore API contains endpoints to minimize non-payment risk.

POST /escore/event/{event_id}/addresscheck

Performs an Address Verification (ES0013).

Two scenarios of use are possible:

The address details of a customer are verified with the address verification. If an address is supplied wrongly the customer is requested to correct it. Thereafter the address is verified again. After a successful address verification further information has to be collated via credit assessment.
The transaction “integrated address verification, credit assessment and scoring” is carried out.

The address verification may only be carried out in connection with the credit assessment. Using the address verification on its own is not permissible for contractual reasons.

With the address verification the supplied address (name, town of residence, post code and street) is verified. This means that as a rule the address verification is related to the person.

The basis for the query is the post directory of the Deutsche Post Direkt GmbH (German mail) with roughly 95 m validated consumer addresses. The correction function is differentiated according to the individual address components and can provide evidence for their coherence and correct wrong details respectively.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

EScoreRequest

application/json

Request example Sample eScore address check

Request type: EScoreRequest

{
  "reason" : "ABK",
  "billing_address" : {
    "title" : "Mrs",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  },
  "basket" : {
    "basket_id" : "basketId1641228398709"
  },
  "customer_information" : {
    "customer_id" : "5x14120ffrG",
    "date_of_birth" : "1979-10-27"
  }
}

Responses

Code Type Content-Type Description

200

application/json

If the query could be carried out you receive the return value rc=0 as response independent from the outcome of the address verification. The outcome of the address verification is returned in the field address_note. Where applicable, the address fields of the response include the address components, which could be corrected. If possible you will receive the freight routing code for the corrected address in the field freight_routing_code.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

EScoreAddresscheckResponse

application/json

Access to this resource is forbidden with these credentials.

Response example Sample eScore address verification response

Status code:

200

Return type:

{
  "address_note" : "PPB",
  "freight_routing_code" : "10435003067",
  "rc" : "0",
  "message" : "Transaction successful.",
  "event_id" : "9184bf11-75ed-4a11-b9e6-557c11bd3853",
  "tx_id" : "2yYJ5nYkDIGuTdjWgCkJoK",
  "action" : "addresscheck",
  "basket_id" : "basketId1641293516625",
  "scoring_rc" : "G",
  "reason" : "ABK",
  "billing_address" : {
    "title" : "Mrs",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "date_of_birth" : "1979-10-27",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  }
}

POST /escore/event/{event_id}/creditassessment

Performs a Credit Assessment (ES0012).

The credit assessment provides information about the customers' negative features. From the result the possible general payment behaviour and the creditworthiness of a purchaser may be deduced.

Upon entering the customer details during the order process it is verified in the background whether there is a negative feature related to this person resulting from extra judicial or judicial collection proceedings, enforcement by writ or affidavit.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

EScoreRequest

application/json

Request example Sample eScore credit assessment

Request type: EScoreRequest

{
  "reason" : "ABK",
  "billing_address" : {
    "title" : "Mrs",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  },
  "basket" : {
    "basket_id" : "basketId1641228398709"
  },
  "customer_information" : {
    "customer_id" : "5x14120ffrG",
    "date_of_birth" : "1979-10-27"
  }
}

Responses

Code Type Content-Type Description

200

EScoreCreditassessmentResponse

application/json

Depending on the negative features found you will receive in the field scoring_rc a classification of the data record following the traffic light system 'green', 'yellow/amber' and 'red' (This classification only takes place if the address was rectifiable postally, otherwise you will receive the return value rc=1538). The negative features are divided into the categories 'soft', 'medium' and 'hard'.

The allocation of the negative features to the traffic light values is as follows:

G: green - There are no negative features.
Y: yellow/amber - There is a soft negative feature.
R: red - There are more than one soft negative features or at least one medium or hard negative feature.

The field score provides you with a more subtly graduated result of the credit assessment.

In addition to the traffic light values and score all negative features are returned, which were relevant for the generation of the traffic light value.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

EScoreCreditassessmentResponse

application/json

Access to this resource is forbidden with these credentials.

Response example Sample eScore credit assessment response

Status code:

200

Return type:

{
  "customer_id" : "5x14120ffrG",
  "score" : "100",
  "negative_criteria" : [ {
    "kind" : "LP",
    "date" : "2021-01-08",
    "doc_reference" : "8IN303"
  }, {
    "kind" : "VB",
    "date" : "2021-12-07",
    "doc_reference" : "8IN306"
  } ],
  "rc" : "0",
  "message" : "Transaction successful.",
  "event_id" : "9dd00d1d-7888-4679-af78-7dc95eef052d",
  "tx_id" : "fC1DpbpWZeELL6tzmoHcKL",
  "action" : "creditassessment",
  "basket_id" : "basketId1641293519408",
  "scoring_rc" : "R",
  "reason" : "ABK",
  "billing_address" : {
    "title" : "MRS",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "date_of_birth" : "1979-10-27",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  }
}

POST /escore/event/{event_id}/bankaccount

Performs an RPP Check (ES0024).

This service checks bank details for plausibility and current return debit notes.

The “return debit note prevention pool” (RPP) is a data pool where bank details are saved for which return debit notes are currently known. The pool primarily serves the prevention of cash loss for direct debits.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

EScoreRPPRequest

application/json

Request example Sample eScore RPP request

Request type: EScoreRPPRequest

{
  "bank_account" : {
    "bic" : "PZHSDE66XXX",
    "iban" : "DE84666500855073321010"
  },
  "basket" : {
    "basket_id" : "basketId1641228398709"
  },
  "customer_information" : {
    "customer_id" : "5x14120ffrG",
    "date_of_birth" : "1979-10-27"
  }
}

Responses

Code Type Content-Type Description

200

EScoreRPPResponse

application/json

In addition to information on return debit notes the following data are available:

data of stolen or lost EC cards (for example from the KUNO database)
data about publicly known bank details (NCA = non consumer account)
customer specific negative and positive lists

No personal data are saved in the RPP. This means it is not known who is the account holder.

The return debit note service is currently available for Germany.

The bank account details in the response possibly include corrections or additional information, for example IBAN and BIC when you submitted account number and bank code in the request.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response example Sample eScore RPP check response

Status code:

200

Return type:

EScoreRPPResponse

{
  "bank_account" : {
    "bic" : "PZHSDE66XXX",
    "iban" : "DE84666500855073321010",
    "bank_name" : "Sparkasse Pforzheim Calw"
  },
  "bank_account_validation_result" : "00",
  "bank_account_validation_message" : "The bank account is valid.",
  "rpp_match" : "0",
  "rc" : "0",
  "message" : "Transaction successful.",
  "event_id" : "abf1ccf6-a9d6-4904-99d3-cadb6521ee90",
  "tx_id" : "np5yYhvMr2dZQqWNub0BGj",
  "action" : "bankaccount",
  "basket_id" : "basketId1641293501021",
  "scoring_rc" : "G"
}

POST /escore/event/{event_id}/scoring

Performs an integrated Address Verification, Credit Assessment, and Scoring (ES0015).

This kind of transaction consists of address verification, credit assessment, and scoring.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

EScoreRequest

application/json

Request example Sample eScore scoring request

Request type: EScoreRequest

{
  "reason" : "ABK",
  "billing_address" : {
    "title" : "Mrs",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  },
  "basket" : {
    "basket_id" : "basketId1641228398709"
  },
  "customer_information" : {
    "customer_id" : "5x14120ffrG",
    "date_of_birth" : "1979-10-27"
  }
}

Responses

Code Type Content-Type Description

200

EScoreScoringResponse

application/json

If there are no negative entries for a person’s given name the probability of non-payments may be determined in a further step with help of the INFORMA score. The INFORMA score collates information from various socio-demographic parameters, such as details about the social structure of the town of residence. According to the risk assessment a recommendation for proceeding is provided. This value is included as essential component in the parameter score.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response example Sample eScore scoring response

Status code:

200

Return type:

EScoreScoringResponse

{
  "customer_id" : "5x14120ffrG",
  "address_note" : "PPB",
  "freight_routing_code" : "10435003067",
  "score" : "980",
  "informa_score_value" : "670",
  "rc" : "0",
  "message" : "Transaction successful.",
  "event_id" : "f66400e4-40f2-4fdf-8229-d6e7dca3bf4d",
  "tx_id" : "pXKc6vH91ASi0QrYfH7Ch7",
  "action" : "scoring",
  "basket_id" : "basketId1641293520741",
  "scoring_rc" : "G",
  "reason" : "ABK",
  "billing_address" : {
    "title" : "MRS",
    "first_name" : "KATJA",
    "last_name" : "KOPLIN",
    "date_of_birth" : "1979-10-27",
    "postal_code" : "10407",
    "city" : "BERLIN",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "DANZIGER STR.",
        "street_number" : "67"
      }
    }
  }
}

7.2.4. Forms

The Forms API contains endpoints to initialize a form service interaction. It allows the merchant to redirect the customer to a customizable frontend page where the customer may enter sensitive payment data. After receipt of the necessary information, the frontend will carry out the transaction and redirect the customer back to the merchant’s page.

POST /form/alias/bankaccount

Creates a form to enter bank account data and create an alias for it.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormRegisterAliasRequest

application/json

Request example Sample registration of an alias for a bank account

Request type: FormRegisterAliasRequest

{
  "alias" : "AL1234_XY",
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Responses

Code Type Content-Type Description

200

FormNoTxResponse

application/json

Values required to initialize a form interaction. No transaction is created.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/alias/creditcard

Creates a form to enter credit card data and create an alias for it.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormRegisterAliasRequest

application/json

Request example Sample registration of an alias for a credit card

Request type: FormRegisterAliasRequest

{
  "alias" : "AL1234_XY",
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Responses

Code Type Content-Type Description

200

FormNoTxResponse

application/json

Values required to initialize a form interaction. No transaction is created.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/checkout/{tx_action}

Creates a redirect to a checkout page where the customer may choose one of the offered payment methods (for instance credit card or Request to Pay) and then continue the payment.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormCheckoutRequest

application/json

Request examples Sample initialization for a checkout selection with SDD and Request to Pay

Request type: FormCheckoutRequest

{
  "checkout_page_configuration" : {
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1620213727383XY",
        "signed_on" : "2025-08-12",
        "mandate_sequence_type" : "RECURRING"
      }
    },
    "request_to_pay_data" : {
      "customer_id" : "testCustrID"
    },
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "REQUEST_TO_PAY" ]
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Sample initialization for a checkout selection with all payment methods (English)

Request type: FormCheckoutRequest

{
  "amount_total" : {
    "amount" : 1300,
    "currency" : "EUR"
  },
  "basket" : {
    "basket_id" : "basketId1643192827792",
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "reference" : "basketItem-reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 1008,
        "gross" : 1200,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "shipping_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "checkout_page_configuration" : {
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "CREDITCARD", "GOOGLEPAY", "REQUEST_TO_PAY", "PAYPAL", "KLARNA", "WECHATPAY", "P24", "CLICKTOPAY", "APPLEPAY", "IDEAL", "WERO" ],
    "apple_pay_credit_card_data" : { },
    "wero_data" : {
      "authorization_reference" : "user-123456-order-123456"
    },
    "click_to_pay_credit_card_data" : { },
    "credit_card_data" : {
      "tds_20_data" : {
        "customer_data" : {
          "billing_address" : {
            "city" : "Leipzig",
            "country" : "DE",
            "postal_code" : "04347",
            "street" : "Rohrteichstr 18"
          },
          "home_phone_number" : {
            "country" : "+49",
            "regional" : "2630864618"
          },
          "cardholder_email" : "heinz@email.com"
        }
      }
    },
    "google_pay_credit_card_data" : {
      "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
      "googlepay_domain_name" : "www.example.com",
      "googlepay_country_code" : "DE"
    },
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1643192827814",
        "signed_on" : "2020-12-30"
      }
    },
    "request_to_pay_data" : {
      "processing_options" : [ "INSTANT" ]
    },
    "paypal_data" : { },
    "wechatpay_data" : { },
    "p24_data" : { },
    "klarna_data" : { },
    "ideal_data" : {
      "description" : "description"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "en"
  }
}

Sample initialization for a checkout selection with all payment methods (German)

Request type: FormCheckoutRequest

{
  "amount_total" : {
    "amount" : 1300,
    "currency" : "EUR"
  },
  "basket" : {
    "basket_id" : "basketId1643192827792",
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "reference" : "basketItem-reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 1008,
        "gross" : 1200,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "shipping_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "checkout_page_configuration" : {
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "CREDITCARD", "GOOGLEPAY", "REQUEST_TO_PAY", "PAYPAL", "KLARNA", "WECHATPAY", "P24", "CLICKTOPAY", "APPLEPAY", "IDEAL", "WERO" ],
    "credit_card_data" : {
      "tds_20_data" : {
        "customer_data" : {
          "billing_address" : {
            "city" : "Leipzig",
            "country" : "DE",
            "postal_code" : "04347",
            "street" : "Rohrteichstr 18"
          },
          "home_phone_number" : {
            "country" : "+49",
            "regional" : "2630864618"
          },
          "cardholder_email" : "heinz@email.com"
        }
      }
    },
    "click_to_pay_credit_card_data" : { },
    "apple_pay_credit_card_data" : { },
    "wero_data" : {
      "authorization_reference" : "user-123456-order-123456"
    },
    "google_pay_credit_card_data" : {
      "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
      "googlepay_domain_name" : "www.example.com",
      "googlepay_country_code" : "DE"
    },
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1643192827814",
        "signed_on" : "2020-12-30"
      }
    },
    "request_to_pay_data" : {
      "processing_options" : [ "INSTANT" ]
    },
    "paypal_data" : { },
    "wechatpay_data" : { },
    "p24_data" : { },
    "klarna_data" : { },
    "ideal_data" : {
      "description" : "description"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "de"
  }
}

Sample initialization for a checkout selection with CHF and TWINT

Request type: FormCheckoutRequest

{
  "amount_total" : {
    "amount" : 1300,
    "currency" : "CHF"
  },
  "basket" : {
    "basket_id" : "basketId1643192827792",
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "CHF"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "reference" : "basketItem-reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 1008,
        "gross" : 1200,
        "currency" : "CHF",
        "tax" : 1900
      }
    } ]
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "shipping_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "checkout_page_configuration" : {
    "checkout_entry_sorting_order" : [ "CREDITCARD", "GOOGLEPAY", "REQUEST_TO_PAY", "PAYPAL", "KLARNA", "WECHATPAY", "TWINT", "APPLEPAY", "IDEAL" ],
    "credit_card_data" : {
      "tds_20_data" : {
        "customer_data" : {
          "billing_address" : {
            "city" : "Leipzig",
            "country" : "DE",
            "postal_code" : "04347",
            "street" : "Rohrteichstr 18"
          },
          "home_phone_number" : {
            "country" : "+49",
            "regional" : "2630864618"
          },
          "cardholder_email" : "heinz@email.com"
        }
      }
    },
    "apple_pay_credit_card_data" : { },
    "google_pay_credit_card_data" : {
      "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
      "googlepay_domain_name" : "www.example.com",
      "googlepay_country_code" : "DE"
    },
    "request_to_pay_data" : {
      "processing_options" : [ "INSTANT" ]
    },
    "paypal_data" : { },
    "wechatpay_data" : { },
    "twint_data" : { },
    "klarna_data" : { },
    "ideal_data" : {
      "description" : "description"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "de"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/creditcard/{tx_action}

Creates a form to enter credit card data and then proceed with the transaction (pre-authorization, authorization, or verify MOP).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormCreditCardRequest

application/json

Request example Sample initialization of a credit card transaction

Request type: FormCreditCardRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Müller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "address_line_2" : "EG R. 184",
    "address_line_3" : "Wohnhaus",
    "state" : "SN",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "credit_card_data" : {
    "tds_20_data" : {
      "customer_data" : {
        "billing_address" : {
          "city" : "Leipzig",
          "country" : "DE",
          "postal_code" : "04347",
          "street" : "Rohrteichstr 18"
        },
        "home_phone_number" : {
          "country" : "+49",
          "regional" : "2630864618"
        },
        "cardholder_email" : "heinz@email.com"
      }
    }
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/directdebit/{tx_action}

Creates a form to enter bank account data and then proceed with an SDD transaction (pre-authorization, authorization, or verify MOP).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormDirectDebitRequest

application/json

Request example Minimal direct debit initialization request

Request type: FormDirectDebitRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "direct_debit_data" : {
    "mandate" : {
      "reference" : "MDT1620213727383XY",
      "signed_on" : "2025-08-12"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/ideal

Initializes an iDEAL transaction (authorization).

Start a new iDEAL transaction sequence. Customers should be redirected to the returned URL.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormIdealRequest

application/json

Request example Minimal iDEAL initialization request.

Request type: FormIdealRequest

{
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "basket" : {
    "basket_id" : "basketId1639066152436"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "ideal_data" : {
    "description" : "Purchase at example shop"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by an appropriate redirect URL. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/klarna/{tx_action}

Initializes a Klarna transaction (pre-authorization or authorization).

Start a new Klarna transaction sequence. Customers should be redirected to the returned URL.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormKlarnaRequest

application/json

Request examples Minimal Klarna initialization request

Request type: FormKlarnaRequest

{
  "amount_total" : {
    "amount" : 59500,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "basket" : {
    "basket_items" : [ {
      "name" : "A fine shirt",
      "quantity" : {
        "quantity_amount" : 5,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 10000,
        "gross" : 11900,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  }
}

Sample Klarna initialization request

Request type: FormKlarnaRequest

{
  "shipping_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "city" : "Munich",
    "state" : "BY",
    "country" : "DE",
    "extensions" : {
      "alternative_address_data" : {
        "street" : "Main Street",
        "street_number" : "123a"
      }
    }
  },
  "billing_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "city" : "Munich",
    "state" : "BY",
    "country" : "DE"
  },
  "basket" : {
    "basket_id" : "basket123456",
    "invoice_id" : "RE123345",
    "soft_descriptor" : "800-123-1234",
    "shipping_costs" : {
      "amount" : 200,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "A fine shirt",
      "description" : "BI123456",
      "reference" : "UGG-BB-PUR-06",
      "quantity" : {
        "quantity_amount" : 5,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 10000,
        "gross" : 11900,
        "currency" : "EUR",
        "tax" : 1900
      },
      "item_discount" : {
        "net" : 0,
        "gross" : 0,
        "currency" : "EUR",
        "tax" : 1900
      },
      "extensions" : {
        "klarna_data" : {
          "image_url" : "https://upload.wikimedia.org/wikipedia/commons/thumb/a/a5/Camisade_pu%C3%B1o_doble.jpg/256px-Camisade_pu%C3%B1o_doble.jpg"
        }
      }
    } ]
  },
  "customer_information" : {
    "customer_id" : "C1234-AX",
    "date_of_birth" : "1975-06-30",
    "gender" : "FEMALE",
    "title" : "Ms",
    "personal_identifications" : [ {
      "type" : "PASSPORT",
      "id" : "T220001297",
      "issued_by" : "DE"
    } ]
  },
  "form_data" : {
    "locale" : "en"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "amount_total" : {
    "amount" : 59700,
    "currency" : "EUR"
  },
  "merchant_information" : {
    "merchant_data_1" : "merchantData1",
    "merchant_data_2" : "merchantData2",
    "merchant_data_3" : "merchantData3"
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by an appropriate redirect URL. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/p24

Initializes a P24 transaction (authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormP24Request

application/json

Request example Minimal P24 initialization request

Request type: FormP24Request

{
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Müller",
    "email" : "heinz@email.com",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

FormPSD2AuthorizationRequest

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/psd2/authorization

Initializes a PSD2 payment transaction (authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample initialization PSD2 payment

Request type: FormPSD2AuthorizationRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "en"
  },
  "psd2_pis_data" : {
    "processing_options" : [ "INSTANT_IF_POSSIBLE" ]
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/psd2/reversal

Initializes a cancellation (reversal) of a PSD2 future dated payment.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormPSD2ReversalRequest

application/json

Request example Sample initialization of a PSD2 reversal

Request type: FormPSD2ReversalRequest

{
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  }
}

Responses

Code Type Content-Type Description

200

FormPSD2ReversalResponse

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response examples The transaction has been processed, no further action is required

Status code:

200

Return type:

FormPSD2ReversalResponse

{
  "outcome" : "PROCESSED",
  "processed" : {
    "amount_total" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "tx_action" : "reversal",
    "transaction_info" : {
      "type" : "bankaccount",
      "transaction_bankaccount_info" : {
        "bank_account" : {
          "bic" : "TESTDEL0BK2",
          "iban" : "DE3912345679123456****"
        }
      }
    },
    "rc" : "0",
    "message" : "Transaction successful.",
    "event_id" : "e1661530099420",
    "tx_id" : "7PzZdYtamuTcTl8yhMpPXD"
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

The customer has to authorize the reversal

Status code:

200

Return type:

FormPSD2ReversalResponse

{
  "outcome" : "REDIRECT_REQUIRED",
  "rc" : "0",
  "message" : "Transaction successful.",
  "tx_id" : "pOMnecOgs6cxDv34jrTVx9",
  "redirect_url" : "https://testmerch.directpos.de/web-api/de_DE/R.po?n=KMpGwCyjXoWq85VF9pKl4oMD9JXqYMT3yqgamsbhGjAm21"
}

POST /form/event/{event_id}/paypal/{tx_action}

Initializes a PayPal transaction (pre-authorization or authorization).

Start a new PayPal transaction sequence. Customers should be redirected to the returned URL.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormPayPalRequest

application/json

Request example Minimal PayPal initialization request

Request type: FormPayPalRequest

{
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

application/json

A return code and a message, accompanied by an appropriate redirect URL. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

FormPSD2AccountInfoRequest

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/psd2/account_info

Initializes a PSD2 account information transaction.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample initialisation PSD2 account information

Request type: FormPSD2AccountInfoRequest

{
  "bank_id" : "bG0E",
  "requested_details" : [ "OWNER" ],
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "skip" : true
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialise a form interaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/credittransfer

Initializes a Request to Pay transaction (authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormRequestToPayRequest

application/json

Request example Minimal Request to Pay initialization request

Request type: FormRequestToPayRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "basket" : {
    "basket_id" : "basketId1639066152436"
  },
  "form_data" : {
    "locale" : "en"
  },
  "request_to_pay_data" : {
    "processing_options" : [ "INSTANT_IF_POSSIBLE" ]
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/twint

Initializes a TWINT transaction (authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormTwintRequest

application/json

Request example Minimal TWINT initialization request

Request type: FormTwintRequest

{
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Müller",
    "email" : "heinz@email.com",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "CHF"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/wechatpay

Initializes a WeChat Pay transaction (authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormWeChatPayRequest

application/json

Request example Minimal WeChat Pay initialization request

Request type: FormWeChatPayRequest

{
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Müller",
    "email" : "heinz@email.com",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

WeChatPayResponse

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /form/event/{event_id}/wero/{tx_action}

Initializes a Wero transaction (pre-authorization or authorization).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

FormWeroRequest

application/json

Request examples Minimal Wero authorization request

Request type: FormWeroRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "wero_data" : {
    "authorization_reference" : "user-123456-order-123456"
  }
}

Minimal Wero pre-authorization request

Request type: FormWeroRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "wero_data" : {
    "payment_plan" : {
      "amount_payment_type" : "PAY_UP_TO",
      "capture_event" : "SHIPPING"
    },
    "authorization_reference" : "user-123456-order-123456"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

7.2.5. Google Pay

The Google Pay API contains endpoints to perform credit card payment transactions based on Google Pay payment information.

POST /googlepay/pay/{event_id}/{tx_action}/initialize

Perform payment requests based on Google Pay data.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- credit
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

GooglePayRequest

application/json

Request example Sample Google Pay request

Request type: GooglePayRequest

{
  "means_of_payment_google_pay" : {
    "googlepay_token" : "{\"signature\":\"MEUCIEx9BeftghFS3BeKpaOsmBYyOtP5NzJiBN9NknaTAUypAiEAgkDAuAa8upeKpKx3xWDMKvp4YvOY60jpPneFA/LGtBs\\u003d\",\"intermediateSigningKey\":{\"signedKey\":\"{\\\"keyValue\\\":\\\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/Cs+e5QTjlzCSkOeGy0UtI8waUV+2xxep1+MdYHOcFT1F/K0d55UidOTht9wziNEInHqCj3o+3X2+8H8hZEKoA\\\\u003d\\\\u003d\\\",\\\"keyExpiration\\\":\\\"1646101850734\\\"}\",\"signatures\":[\"MEUCIQD9TzJS/FYPaAbhPvKklnVj9IDkhZDXxgBWxnkFaboHSAIgDGU9MI3uKf9NG3eEL+B25eW+ylIzYnX8lzm6rysiKNQ\\u003d\"]},\"protocolVersion\":\"ECv2\",\"signedMessage\":\"{\\\"encryptedMessage\\\":\\\"qlZOdNSdm/G5pEFuyUWxZhjG2TSQrtq9c1xZIAaKs5ocrqs/EfcO/rTR0/SMHsxxdqlSv0TMduJUrzD1k7BCXQjamvST0DRVrz48bAeCDuXIitzKQcil/JvLqZA04DASMVSHMmEy2wCCXvzZndXvOob6nx95l2G/f3wlGfolfj9uCGp/W7LohCqvpTc/Eovp+sVfsSTRsb2QDNzm8awXPwnOAAfn4yqbLE4Be7mbaSQDGwhGI5tJYSJrJtOTsjAYlZWfjchKMRu49rW1NE0ghUOLeGWvWub7Qvj4bB9xVN1SBQIvvzswWDkXiDw3xPsVNs5dFoCwBip7OJp+xsOHXM/Xx+eKWR3fgNMQNvuzm4mLhaE4v2R56xQlUjWt21FhPg/iUY6fO9wws71hCjuSuOeBxkqFi7qGvvN2/0jDjyaW7c/4SBO9Dc1T4g/F7t60/77fmrHlMYzflC4j2n0EKAsaWr5BBNkcta9+DjDT9ahzvjNQlueD15abKaoOfuogC73T5D5wpHiFT0Uz657bWXYlMpVEACdu\\\",\\\"ephemeralPublicKey\\\":\\\"BIxk2eXO3LCyKyCytyYVi6MqIfSJ6HbJsxI/To4oVodJjiUi+l55Or9APgSKowxeLh5S+1mGP/zm83vEAGm1WvQ\\\\u003d\\\",\\\"tag\\\":\\\"8vMJhy/dCOtUIo4YQlOlLn7fys+BVAqmx2Lh9aWZaGU\\\\u003d\\\"}\"}"
  },
  "processing_options" : [ "RISKCHECK" ],
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "tds_20_data" : {
    "communication_data" : {
      "method_notification_url" : "https://example.com/method_notification_url",
      "cres_notification_url" : "https://example.com/cres_notification_url"
    }
  }
}

Responses

Code Type Content-Type Description

200

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response examples Transaction has been processed, no further actions required

Status code:

200

Return type:

{
  "outcome" : "PROCESSED",
  "processed" : {
    "amount_total" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "event_id" : "id1628241502404",
    "kind" : "CREDITCARD_3DS20",
    "tx_action" : "preauthorization",
    "tx_id" : "fCDszGoUje8piOUC2tVVU9",
    "back_rc" : "00",
    "transaction_info" : {
      "type" : "creditcard",
      "transaction_creditcard_info" : {
        "credit_card" : {
          "number" : "401200******7778",
          "expiry_date" : {
            "year" : 2034,
            "month" : 12
          },
          "cardholder" : "Card Holder"
        }
      }
    },
    "rc" : "0",
    "message" : "Transaction successful."
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

Proceed with 3-D Secure method flow

Status code:

200

Return type:

{
  "outcome" : "METHOD_REQUIRED",
  "method_required" : {
    "method_request" : "ew0KICAiY29udGVudCIgOiAiZHVtbXkiDQp9",
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

Proceed with 3-D Secure challenge flow

Status code:

200

Return type:

Headless3DSecureFinalRequest

{
  "outcome" : "CHALLENGE_REQUIRED",
  "challenge_required" : {
    "acs_url" : "https://acs.example.com/acs/challenge/ew0KICAiZHVtbXkiIDogImR1bW15Ig0KfQ==",
    "creq" : "ew0KICAiZHVtbXkiIDogImNvbnRlbnQiDQp9"
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

7.2.6. Headless 3-D Secure

The Headless 3-D Secure API contains endpoints to conduct headless 3-D Secure transactions.

POST /headless3DSecure/event/{event_id}/final

Step 3 of a headless 3-D Secure transaction: finalizes transaction.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event. Use the same value as in the predecessor transaction the current transaction relates to.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample credit card headless 3-D secure final request

Request type: Headless3DSecureFinalRequest

{
  "cres" : "ew0KICAiZXhhbXBsZSIgOiAicmVxdWVzdCINCn0="
}

Responses

Code Type Content-Type Description

200

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response example Sample headless 3-D secure final response

Status code:

200

Return type:

Headless3DSecureInitializeRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "event_id" : "id1628241998006",
  "kind" : "CREDITCARD_3DS20",
  "tx_action" : "preauthorization",
  "tx_id" : "7P6cconB5vYqBQqGjyO8yR",
  "back_rc" : "00",
  "transaction_info" : {
    "type" : "creditcard",
    "transaction_creditcard_info" : {
      "credit_card" : {
        "number" : "401200******4444",
        "expiry_date" : {
          "year" : 2034,
          "month" : 12
        },
        "cardholder" : "Card Holder"
      }
    }
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

POST /headless3DSecure/event/{event_id}/{tx_action}/initialize

Step 1 of a headless 3-D Secure transaction (authorization, pre-authorization, credit, verify MOP): initializes transaction.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- credit
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request examples Sample headless 3-D Secure initialize request

Request type: Headless3DSecureInitializeRequest

{
  "means_of_payment" : {
    "credit_card" : {
      "number" : "4012001037167778",
      "expiry_date" : {
        "year" : 2034,
        "month" : 12
      },
      "code" : "123",
      "cardholder" : "Cardholder"
    }
  },
  "tds_20_data" : {
    "communication_data" : {
      "method_notification_url" : "https://example.com/method_notification_url",
      "cres_notification_url" : "https://example.com/cres_notification_url"
    },
    "device_information" : {
      "ip_address" : "192.168.0.1",
      "http_browser_screen_height" : 1080,
      "http_browser_screen_width" : 1920
    },
    "customer_data" : {
      "billing_address" : {
        "street" : "Main street",
        "postal_code" : "12345",
        "city" : "New York",
        "state" : "NY",
        "country" : "US"
      },
      "cardholder_email" : "a@bc.de",
      "home_phone_number" : {
        "country" : "44",
        "regional" : "2071838750"
      }
    }
  },
  "merchant_risk_indicators" : {
    "delivery_email_address" : "delivery@example.com",
    "delivery_timeframe" : "ELECTRONIC",
    "gift_card_amount" : "900",
    "gift_card_count" : "1",
    "gift_card_currency" : "EUR",
    "pre_order_date" : "2021-10-25",
    "pre_order_purchase_indicator" : "AVAILABLE",
    "reordered_items_indicator" : "FIRST",
    "shipping_indicator" : "DIGITAL"
  },
  "device_information" : {
    "cookies_accepted" : "true",
    "http_accept_browser_value" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "http_accept_content" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "color_depth" : "B24",
    "http_browser_email" : "mustermann@example.com",
    "http_browser_java_enabled" : "true",
    "http_browser_java_script_enabled" : "true",
    "http_browser_language" : "de-DE",
    "http_browser_screen_height" : "1080",
    "http_browser_screen_width" : "1920",
    "http_browser_time_difference" : "60",
    "ip_address" : "192.168.0.1",
    "user_agent" : "Mozilla",
    "user_agent_browser_value" : "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Minimal Visa Headless 3-D Secure initialize request

Request type: Headless3DSecureInitializeRequest

{
  "means_of_payment" : {
    "credit_card" : {
      "number" : "4761739090000088",
      "expiry_date" : {
        "year" : 2034,
        "month" : 12
      },
      "code" : "123",
      "cardholder" : "Cardholder"
    }
  },
  "tds_20_data" : {
    "communication_data" : {
      "method_notification_url" : "https://example.com/method_notification_url",
      "cres_notification_url" : "https://example.com/cres_notification_url"
    },
    "device_information" : {
      "ip_address" : "192.168.0.1",
      "http_browser_screen_height" : 1080,
      "http_browser_screen_width" : 1920
    },
    "customer_data" : {
      "billing_address" : {
        "street" : "Main street",
        "postal_code" : "12345",
        "city" : "New York",
        "state" : "NY",
        "country" : "US"
      },
      "cardholder_email" : "a@bc.de"
    }
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Minimal Mastercard Headless 3-D Secure initialize request

Request type: Headless3DSecureInitializeRequest

{
  "means_of_payment" : {
    "credit_card" : {
      "number" : "5453010000084541",
      "expiry_date" : {
        "year" : 2034,
        "month" : 12
      },
      "code" : "123",
      "cardholder" : "Cardholder"
    }
  },
  "tds_20_data" : {
    "communication_data" : {
      "method_notification_url" : "https://example.com/method_notification_url",
      "cres_notification_url" : "https://example.com/cres_notification_url"
    },
    "device_information" : {
      "ip_address" : "192.168.0.1",
      "http_browser_screen_height" : 1080,
      "http_browser_screen_width" : 1920
    },
    "customer_data" : {
      "billing_address" : {
        "street" : "Main street",
        "postal_code" : "12345",
        "city" : "New York",
        "state" : "NY",
        "country" : "US"
      },
      "shipping_address" : {
        "street" : "Main street",
        "postal_code" : "12345",
        "city" : "New York",
        "state" : "NY",
        "country" : "US"
      },
      "cardholder_email" : "a@bc.de",
      "home_phone_number" : {
        "country" : "44",
        "regional" : "2071838750"
      }
    }
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response examples Transaction has been processed, no further actions required

Status code:

200

Return type:

{
  "outcome" : "PROCESSED",
  "processed" : {
    "amount_total" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "event_id" : "id1628241502404",
    "kind" : "CREDITCARD_3DS20",
    "tx_action" : "preauthorization",
    "tx_id" : "fCDszGoUje8piOUC2tVVU9",
    "back_rc" : "00",
    "transaction_info" : {
      "type" : "creditcard",
      "transaction_creditcard_info" : {
        "credit_card" : {
          "number" : "401200******7778",
          "expiry_date" : {
            "year" : 2034,
            "month" : 12
          },
          "cardholder" : "Card Holder"
        }
      }
    },
    "rc" : "0",
    "message" : "Transaction successful."
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

Proceed with 3-D Secure method flow

Status code:

200

Return type:

{
  "outcome" : "METHOD_REQUIRED",
  "method_required" : {
    "method_request" : "ew0KICAiY29udGVudCIgOiAiZHVtbXkiDQp9",
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

Proceed with 3-D Secure challenge flow

Status code:

200

Return type:

{
  "outcome" : "CHALLENGE_REQUIRED",
  "challenge_required" : {
    "acs_url" : "https://acs.example.com/acs/challenge/ew0KICAiZHVtbXkiIDogImR1bW15Ig0KfQ==",
    "creq" : "ew0KICAiZHVtbXkiIDogImNvbnRlbnQiDQp9"
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

POST /headless3DSecure/event/{event_id}/method_completed/{completed}

Step 2 of a headless 3-D Secure transaction: processes method completion.

Path Parameters

Name

Type

Description

completed

boolean

required

Indicates if the shop has received a request from the ACS to the methodNotificationURL within 10 seconds (true) or not (false).

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event. Use the same value as in the predecessor transaction the current transaction relates to.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response examples Transaction has been processed, no further actions required

Status code:

200

Return type:

{
  "outcome" : "PROCESSED",
  "processed" : {
    "amount_total" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "event_id" : "id1628241502404",
    "kind" : "CREDITCARD_3DS20",
    "tx_action" : "preauthorization",
    "tx_id" : "fCDszGoUje8piOUC2tVVU9",
    "back_rc" : "00",
    "transaction_info" : {
      "type" : "creditcard",
      "transaction_creditcard_info" : {
        "credit_card" : {
          "number" : "401200******7778",
          "expiry_date" : {
            "year" : 2034,
            "month" : 12
          },
          "cardholder" : "Card Holder"
        }
      }
    },
    "rc" : "0",
    "message" : "Transaction successful."
  },
  "rc" : "0",
  "message" : "Transaction successful."
}

Proceed with 3-D Secure challenge flow

Status code:

200

Return type:

{
  "outcome" : "CHALLENGE_REQUIRED",
  "challenge_required" : {
    "acs_url" : "https://acs.example.com/acs/challenge/ew0KICAiZHVtbXkiIDogImR1bW15Ig0KfQ==",
    "creq" : "ew0KICAiZHVtbXkiIDogImNvbnRlbnQiDQp9"
  },
  "rc" : "1548",
  "message" : "Transaction is pending."
}

7.2.7. iFrame

The iFrame API contains an endpoint to initialize an iFrame interaction. It allows the merchant to embed specific elements of a frontend page into their own web page. Entry of sensitive data is done in these elements so that they can be sent to the merchant without the merchant ever being in contact with it. After the API receives the entered data, it will inform the merchant who then calls the corresponding Payment API endpoint.

POST /iframe/initialize

Prepares an iFrame interaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

IFrameInitializeRequest

application/json

Request example Sample iFrame initialize request

Request type: IFrameInitializeRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

IFrameInitializeResponse

application/json

Values required to initialize an iFrame interaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

7.2.8. Info

Information related operations.

GET /info/banks/psd2

Retrieves how banks matching the given search criteria support PSD 2 account information services.

Finds and returns banks which match the given query parameter. Use either name or bic or bank_code or any for filtering. If you use any banks including the given value in any of the fields name, bic or bank_code will be returned. Searching is carried out case-insensitive. When no search criteria are submitted, the complete list will be returned.

Query Parameters

Name Type Description

any

string

Fragment of either bank name, BIC or bank code.

bank_code

string

Fragment of German bank code (Bankleitzahl, BLZ).

bic

string

Fragment of BIC (business identifier code).

limit

integer

format: int32
default: 10

Maximum number of result items to be returned.

name

string

Fragment of bank name.

Example: Sparkasse

offset

integer

format: int32
default: 0

Number of rows to skip at the beginning of the total result set.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

PSD2BankResults

application/json

Paged response with matching banks.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

Response example Sample bank PSD2 support response

Status code:

200

Return type:

PSD2BankResults

{
  "metadata" : {
    "limit" : 10,
    "offset" : 0,
    "total" : 2
  },
  "banks" : [ {
    "name" : "Sparkasse KölnBonn",
    "town" : "Köln",
    "bic" : "COLSDE33XXX",
    "bank_code" : "37050198",
    "psd2_supported" : false
  }, {
    "id" : "lsw",
    "name" : "Stadt- und Kreissparkasse Leipzig",
    "town" : "Leipzig",
    "bic" : "WELADE8LXXX",
    "bank_code" : "86055592",
    "psd2_supported" : true,
    "capabilities" : [ "AVAILABLE_ACCOUNTS", "AVAILABLE_ACCOUNTS_WITH_BALANCE", "GLOBAL_CONSENT" ]
  } ]
}

GET /info/event/{event_id}/psd2/account_info

Retrieves bank account details which were stored in a previous PSD 2 account information transaction.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

PSD2AccountInfoResponse

application/json

Bank account details which were stored in a previous step.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

404

RequestToPayPaymentsReport

application/json

The event_id was not found.

GET /info/request_to_pay/reports/payments

Retrieves a Request to Pay payments report.

Query Parameters

Name Type Description

from

string

format: date

Date from which resource details should be returned. If not specified current details are returned.

Example: 2007-09-23

limit

integer

format: int32
default: 100

Maximum number of result items to be returned.

offset

integer

format: int32
default: 0

Number of rows to skip at the beginning of the total result set.

statuses

array

Statuses of which resource details should be returned.

Example: ["SETTLED","REJECTED"]

string

format: date

Date until which resource details should be returned. If not specified current details are returned.

Example: 2007-09-23

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

Request to Pay payments report.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

RequestToPayRefundsReport

application/json

Access to this resource is forbidden with these credentials.

GET /info/request_to_pay/reports/refunds

Retrieves a Request to Pay refunds report.

Query Parameters

Name Type Description

from

string

format: date

Date from which resource details should be returned. If not specified current details are returned.

Example: 2007-09-23

limit

integer

format: int32
default: 100

Maximum number of result items to be returned.

offset

integer

format: int32
default: 0

Number of rows to skip at the beginning of the total result set.

statuses

array

Statuses of which resource details should be returned.

Example: ["SETTLED","REJECTED"]

string

format: date

Date until which resource details should be returned. If not specified current details are returned.

Example: 2007-09-23

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

Request to Pay refunds report.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

GET /info/multicurrencypricing

Performs a Multi Currency Pricing request to provide currently valid merchant specific exchange rates.

Query Parameters

Name Type Description

channel

string

enum
- ECOM
- POS
- MOTO

Channel of the request.

Example: ECOM

merchant_id_mcp

string

Requesting merchant’s merchantId for Multi Currency Pricing at Deutsche Bank (GlueX) registered with funding currency.

Example: TEST-MERCHANT-1

req_currency_date

string

format: date-time

Requesting currency date and time. Date-time notation as defined by RFC 3339, section 5.6.

Example: 2023-07-14T08:59:12Z

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

McpConsumerRatesResponse

application/json

Information about the outcome of the transaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentCreditCardRequestInitial

application/json

Access to this resource is forbidden with these credentials.

Response examples Consumer rates have been evaluated, no further actions required.

Status code:

200

Return type:

McpConsumerRatesResponse

{
  "merchant_id_mcp" : "28",
  "fundingCurrency" : "EUR",
  "response_timestamp" : "2022-11-30T08:32:56.849+01:00",
  "consumer_rates" : [ {
    "consumer_rate" : 0.982,
    "currency_pair" : "EURCHF",
    "offerable_from" : "2022-11-30T08:30:00+01:00",
    "offerable_to" : "2022-12-01T08:30:00+01:00"
  }, {
    "consumer_rate" : 1.0375,
    "currency_pair" : "EURUSD",
    "offerable_from" : "2022-11-30T08:30:00+01:00",
    "offerable_to" : "2022-12-01T08:30:00+01:00"
  } ],
  "rc" : "0",
  "message" : "Transaction successful."
}

Consumer rates evaluation failed

Status code:

200

Return type:

McpConsumerRatesResponse

{
  "rc" : "1547",
  "message" : "Payment Services Exception merchantId=28 not registered for multi currency pricing"
}

7.2.9. Payment

The Payment API contains endpoints to add or modify payment transactions. When using the API, the merchant is only integrated to the API at the backend. All use cases are triggered via an API call. It is the merchant’s responsibility to collect all relevant payment data via their own frontend.

POST /payment/event/{event_id}/creditcard/{tx_action}

Creates an initial creditcard payment transaction (authorization, pre-authorization, credit, or verify MOP).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- credit
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample credit card initial request

Request type: PaymentCreditCardRequestInitial

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "means_of_payment" : {
    "credit_card" : {
      "number" : "4111111111111111",
      "expiry_date" : {
        "year" : 2027,
        "month" : 12
      },
      "code" : "111",
      "cardholder" : "Rene Meier"
    }
  }
}

Responses

Code Type Content-Type Description

200

application/json

Information about the payment

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentDirectDebitRequestInitial

application/json

Access to this resource is forbidden with these credentials.

POST /payment/event/{event_id}/directdebit/{tx_action}

Creates an initial SDD payment transaction (pre-authorization, authorization, credit, or verify MOP).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- credit
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request examples Sample SEPA direct debit initial request

Request type: PaymentDirectDebitRequestInitial

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "means_of_payment" : {
    "bank_account" : {
      "account_holder" : "Rene Meier",
      "iban" : "DE39123456790009290701"
    }
  },
  "mandate" : {
    "reference" : "MDT1620213727383XY",
    "signed_on" : "2025-08-12",
    "mandate_sequence_type" : "RECURRING"
  }
}

Sample SEPA direct debit authorization with checklist

Request type: PaymentDirectDebitRequestInitial

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "means_of_payment" : {
    "bank_account" : {
      "account_holder" : "Rene Meier",
      "iban" : "DE78860700000111111115"
    }
  },
  "mandate" : {
    "reference" : "MDT1620213727383XY",
    "signed_on" : "2025-08-12",
    "mandate_sequence_type" : "RECURRING"
  },
  "processing_options" : [ "CHECKLIST" ]
}

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentDiagnosisEventResponse

application/json

Access to this resource is forbidden with these credentials.

GET /payment/event/{event_id}

Retrieves details of an event (consisting of one or more transactions).

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentKlarnaRequestInitial

application/json

Access to this resource is forbidden with these credentials.

POST /payment/event/{event_id}/klarna/{tx_action}

Creates an initial Klarna payment transaction (pre-authorization, authorization) using an alias.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample Klarna initial request

Request type: PaymentKlarnaRequestInitial

{
  "customer_information" : {
    "date_of_birth" : "1980-01-01"
  },
  "shipping_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+4917614287464"
    },
    "city" : "Munich",
    "country" : "DE",
    "extensions" : { }
  },
  "billing_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+4917614287464"
    },
    "city" : "Munich",
    "country" : "DE",
    "extensions" : {
      "klarna_data" : {
        "custom_payment_method_ids" : [ ]
      }
    }
  },
  "basket" : {
    "basket_id" : "basket123456",
    "invoice_id" : "RE123345",
    "soft_descriptor" : "800-123-1234",
    "shipping_costs" : {
      "amount" : 200,
      "currency" : "EUR"
    },
    "basket_type" : "DIGITAL",
    "extensions" : {
      "paypal_data" : {
        "custom_id" : "CUSTOMID123"
      }
    },
    "basket_items" : [ {
      "name" : "A fine shirt",
      "description" : "BI123456",
      "reference" : "UGG-BB-PUR-06",
      "quantity" : {
        "quantity_amount" : 5,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 100,
        "gross" : 100,
        "currency" : "EUR",
        "tax" : 1900
      },
      "item_discount" : {
        "net" : 0,
        "gross" : 0,
        "currency" : "EUR",
        "tax" : 1900
      },
      "extensions" : {
        "klarna_data" : {
          "klarna_type" : "PHYSICAL",
          "image_url" : "https://upload.wikimedia.org/wikipedia/commons/thumb/a/a5/Camisade_pu%C3%B1o_doble.jpg/256px-Camisade_pu%C3%B1o_doble.jpg"
        }
      }
    } ]
  },
  "form_data" : {
    "locale" : "en"
  },
  "amount_total" : {
    "amount" : 700,
    "currency" : "EUR"
  },
  "merchant_information" : {
    "merchant_data_1" : "merchantData1",
    "merchant_data_2" : "merchantData2",
    "merchant_data_3" : "merchantData3"
  },
  "means_of_payment" : {
    "alias" : "the_alias"
  }
}

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentPayPalRequestInitial

application/json

Access to this resource is forbidden with these credentials.

POST /payment/event/{event_id}/paypal/{tx_action}

Creates an initial PayPal payment transaction (pre-authorization, authorization) using an vault alias.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample PayPal initial request

Request type: PaymentPayPalRequestInitial

{
  "shipping_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+4917614287464"
    },
    "city" : "Munich",
    "country" : "DE",
    "extensions" : { }
  },
  "billing_address" : {
    "title" : "Ms",
    "first_name" : "Jane",
    "last_name" : "Doe",
    "email" : "test_jane@gmail.com",
    "address_line_1" : "Main Street 123",
    "address_line_2" : "Building A",
    "address_line_3" : "Apartment 12",
    "postal_code" : "80469",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+4917614287464"
    },
    "city" : "Munich",
    "country" : "DE",
    "extensions" : {
      "klarna_data" : {
        "custom_payment_method_ids" : [ ]
      }
    }
  },
  "basket" : {
    "basket_id" : "basket123456",
    "invoice_id" : "RE123345",
    "soft_descriptor" : "800-123-1234",
    "shipping_costs" : {
      "amount" : 200,
      "currency" : "EUR"
    },
    "basket_type" : "DIGITAL",
    "extensions" : {
      "paypal_data" : {
        "custom_id" : "CUSTOMID123"
      }
    },
    "basket_items" : [ {
      "name" : "A fine shirt",
      "description" : "BI123456",
      "reference" : "UGG-BB-PUR-06",
      "quantity" : {
        "quantity_amount" : 5,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 100,
        "gross" : 100,
        "currency" : "EUR",
        "tax" : 1900
      },
      "item_discount" : {
        "net" : 0,
        "gross" : 0,
        "currency" : "EUR",
        "tax" : 1900
      },
      "extensions" : {
        "klarna_data" : {
          "klarna_type" : "PHYSICAL",
          "image_url" : "https://upload.wikimedia.org/wikipedia/commons/thumb/a/a5/Camisade_pu%C3%B1o_doble.jpg/256px-Camisade_pu%C3%B1o_doble.jpg"
        }
      }
    } ]
  },
  "amount_total" : {
    "amount" : 700,
    "currency" : "EUR"
  },
  "means_of_payment" : {
    "alias" : "the_alias"
  }
}

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /payment/event/{event_id}/tx/{tx_id}/{tx_action}

Creates a subsequent transaction (capture, reversal, or refund) referencing a predecessor transaction (pre-authorization, capture, authorization, or credit).

Path Parameters

Name Type Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event. Use the same value as in the predecessor transaction the current transaction relates to.

tx_action

string

required
enum
- capture
- reversal
- refund

The action of a subsequent transaction.

tx_id

string

required
minLength: 1
maxLength: 50
pattern: [/0-9a-zA-Z=_-]+

A reference to a transaction retrieved in a response (tx_reference_id).

Example: 020LMG10jxSI8FN0OC4vLR

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

PaymentRequestSubsequent

application/json

Request example Sample credit card subsequent transaction

Request type: PaymentRequestSubsequent

{
  "kind" : "CREDITCARD",
  "basket" : {
    "basket_id" : "basket123456"
  }
}

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

GET /payment/tx/{tx_id}

Retrieves details of a (single) transaction.

Path Parameters

Name Type Description

tx_id

string

required
minLength: 1
maxLength: 50
pattern: [/0-9a-zA-Z=_-]+

A reference to a transaction retrieved in a response (tx_reference_id).

Example: 020LMG10jxSI8FN0OC4vLR

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

WidgetSolutionFinalRequest

application/json

Access to this resource is forbidden with these credentials.

POST /payment/widgetsolution/session/{id}

Creates the final widget solution payment transaction.

Path Parameters

Name

Type

Description

string

required
minLength: 3
maxLength: 1024
pattern: [a-zA-Z0-9]+

Widget Solution session ID of the transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample widgetsolution final request

Request type: WidgetSolutionFinalRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

WidgetSolutionPaymentResponse

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

7.2.10. Payment Link

The Payment Link API contains endpoints to prepare payments your customers can carry out later by using the provided link.

POST /paymentlink/event/{event_id}/checkout/{tx_action}

Creates a link to a checkout page you can forward to your customer. Later, the customer can use this link to choose one of the offered payment methods and then carry out the payment.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

PaymentLinkRequest

application/json

Request examples Sample initialization for a checkout selection with SDD and Request to Pay

Request type: PaymentLinkRequest

{
  "expires" : "2023-12-19T19:11:59.212+01:00",
  "checkout_page_configuration" : {
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1620213727383XY",
        "signed_on" : "2025-08-12",
        "mandate_sequence_type" : "RECURRING"
      }
    },
    "request_to_pay_data" : {
      "customer_id" : "testCustrID"
    },
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "REQUEST_TO_PAY" ]
  },
  "basket" : {
    "basket_id" : "basketId1639066152436",
    "order_amount" : {
      "amount" : 900,
      "currency" : "EUR"
    },
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 756,
        "gross" : 900,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  }
}

Sample initialization for a payment link with all payment methods (English)

Request type: PaymentLinkRequest

{
  "expires" : "2024-01-15T09:32:04.024",
  "amount_total" : {
    "amount" : 1300,
    "currency" : "EUR"
  },
  "basket" : {
    "basket_id" : "basketId1643192827792",
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "reference" : "basketItem-reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 1008,
        "gross" : 1200,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "address_line_2" : "EG R. 184",
    "address_line_3" : "Wohnhaus",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "state" : "SN",
    "country" : "DE"
  },
  "shipping_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "checkout_page_configuration" : {
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "CREDITCARD", "GOOGLEPAY", "REQUEST_TO_PAY", "PAYPAL", "KLARNA", "WECHATPAY", "P24", "APPLEPAY", "IDEAL" ],
    "credit_card_data" : {
      "tds_20_data" : {
        "customer_data" : {
          "billing_address" : {
            "city" : "Leipzig",
            "country" : "DE",
            "postal_code" : "04347",
            "street" : "Rohrteichstr 18"
          },
          "home_phone_number" : {
            "country" : "+49",
            "regional" : "2630864618"
          },
          "cardholder_email" : "heinz@email.com"
        }
      }
    },
    "google_pay_credit_card_data" : {
      "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
      "googlepay_domain_name" : "www.example.com",
      "googlepay_country_code" : "DE"
    },
    "apple_pay_credit_card_data" : { },
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1643192827814",
        "signed_on" : "2020-12-30"
      }
    },
    "request_to_pay_data" : {
      "processing_options" : [ "INSTANT" ]
    },
    "paypal_data" : { },
    "wechatpay_data" : { },
    "p24_data" : { },
    "klarna_data" : { },
    "ideal_data" : {
      "description" : "description"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "en"
  }
}

Sample initialization for a payment link with all payment methods (German)

Request type: PaymentLinkRequest

{
  "expires" : "2024-01-15T09:32:04.024",
  "amount_total" : {
    "amount" : 1300,
    "currency" : "EUR"
  },
  "basket" : {
    "basket_id" : "basketId1643192827792",
    "shipping_costs" : {
      "amount" : 100,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "PhysicalBasketItem",
      "description" : "A basket item",
      "reference" : "basketItem-reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 1008,
        "gross" : 1200,
        "currency" : "EUR",
        "tax" : 1900
      }
    } ]
  },
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "address_line_2" : "EG R. 184",
    "address_line_3" : "Wohnhaus",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "state" : "SN",
    "country" : "DE"
  },
  "shipping_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mueller",
    "email" : "heinz@email.com",
    "address_line_1" : "Rohrteichstr 18",
    "postal_code" : "04347",
    "city" : "Leipzig",
    "country" : "DE"
  },
  "callback" : {
    "notify_url" : "http://www.example.com/notify"
  },
  "checkout_page_configuration" : {
    "checkout_entry_sorting_order" : [ "DIRECTDEBIT", "CREDITCARD", "GOOGLEPAY", "REQUEST_TO_PAY", "PAYPAL", "KLARNA", "WECHATPAY", "P24", "APPLEPAY", "IDEAL" ],
    "credit_card_data" : {
      "tds_20_data" : {
        "customer_data" : {
          "billing_address" : {
            "city" : "Leipzig",
            "country" : "DE",
            "postal_code" : "04347",
            "street" : "Rohrteichstr 18"
          },
          "home_phone_number" : {
            "country" : "+49",
            "regional" : "2630864618"
          },
          "cardholder_email" : "heinz@email.com"
        }
      }
    },
    "google_pay_credit_card_data" : {
      "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
      "googlepay_domain_name" : "www.example.com",
      "googlepay_country_code" : "DE"
    },
    "apple_pay_credit_card_data" : { },
    "direct_debit_data" : {
      "mandate" : {
        "reference" : "MDT1643192827814",
        "signed_on" : "2020-12-30"
      }
    },
    "request_to_pay_data" : {
      "processing_options" : [ "INSTANT" ]
    },
    "paypal_data" : { },
    "wechatpay_data" : { },
    "p24_data" : { },
    "klarna_data" : { },
    "ideal_data" : {
      "description" : "description"
    }
  },
  "form_customer_continuation" : {
    "success_url" : "https://www.example.com/target.php?success",
    "error_url" : "https://www.example.com/target.php?error",
    "notification_failed_url" : "https://www.example.com/target.php?notifyfailed"
  },
  "form_data" : {
    "locale" : "de"
  }
}

Responses

Code Type Content-Type Description

200

PaymentLinkResponse

application/json

Values required to initialize a form interaction, a return code and a message. In case of a known business or persistence error, only error code and message are provided.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

GET /paymentlink/event/{event_id}

Retrieves details of a payment link.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

PaymentLinkEventResponse

application/json

The request has been processed.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

POST /paymentlink/event/{event_id}/deactivate

Deactivates a payment link.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Responses

Code Type Content-Type Description

200

PaymentLinkEventResponse

application/json

Response of the deactivation request of the payment link.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

PaymentLinkManagementUpdateRequest

application/json

Access to this resource is forbidden with these credentials.

POST /paymentlink/event/{event_id}/update

Updates a payment link.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample update request

Request type: PaymentLinkManagementUpdateRequest

{
  "expires" : "2022-11-29T19:41:30.681"
}

Responses

Code Type Content-Type Description

200

PaymentLinkEventResponse

application/json

Response of the update request of the payment link.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

RiskmanagementEntryRequest

application/json

Access to this resource is forbidden with these credentials.

7.2.11. Risk Management

The Risk Management API contains endpoints to add and remove risk list entries and to calculate a risk score.

POST /riskmanagement/entry/{event_id}

Adds data to or deletes data from the positive or the negative list.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample risk management entry request

Request type: RiskmanagementEntryRequest

{
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mustermann",
    "email" : "heinz.mustermann@example.com",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+442071838750"
    },
    "address_line_1" : "Musterstraße 18",
    "address_line_2" : "EG Rechnungsraum. 184",
    "address_line_3" : "Rechnungsgebäude/Buchhaltung",
    "postal_code" : "84347",
    "city" : "Musterstadt",
    "state" : "SN",
    "country" : "DE"
  },
  "basket" : {
    "basket_id" : "123456-basketId-dummy",
    "shipping_costs" : {
      "amount" : 50,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "productName1",
      "description" : "productDescription1",
      "reference" : "reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 84034,
        "gross" : 100000,
        "currency" : "EUR",
        "tax" : 1900
      },
      "item_discount" : {
        "net" : 0,
        "gross" : 0,
        "currency" : "EUR",
        "tax" : 1900
      },
      "extensions" : {
        "riskcheck_data" : {
          "riskcheck_type" : "SHIPPING_ONLY",
          "distributor_product_sku" : "1234567890",
          "gift_card_currency" : "EUR",
          "product_risk" : "LOW",
          "risk_check_passenger" : {
            "type" : "ADT",
            "status" : "standard",
            "phone" : {
              "phone_type" : "MOBILE",
              "phone_number" : "+4917223456789"
            },
            "first_name" : "Maria",
            "last_name" : "Musterfrau",
            "id" : "B7564",
            "email" : "maria.musterfrau@passenger.com",
            "country" : "DE"
          },
          "shipping_destination_types" : "RESIDENTIAL",
          "is_gift" : false
        }
      }
    } ]
  },
  "device_information" : {
    "cookies_accepted" : true,
    "http_accept_browser_value" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "http_accept_content" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "color_depth" : "B24",
    "http_browser_email" : "mustermann@example.com",
    "http_browser_java_enabled" : true,
    "http_browser_java_script_enabled" : true,
    "http_browser_language" : "de-DE",
    "http_browser_screen_height" : 1080,
    "http_browser_screen_width" : 1920,
    "http_browser_time_difference" : 60,
    "ip_address" : "192.168.0.1",
    "user_agent" : "Mozilla",
    "user_agent_browser_value" : "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
  },
  "shipping_address" : {
    "first_name" : "Klaus",
    "last_name" : "Mustermann",
    "address_line_1" : "Musterstraße 7",
    "address_line_2" : "2. OG Lieferraum 333",
    "address_line_3" : "Lieferhaus",
    "postal_code" : "10243",
    "city" : "Musterdorf",
    "state" : "BE",
    "country" : "DE"
  },
  "customer_information" : {
    "date_of_birth" : "1985-12-30",
    "gender" : "FEMALE",
    "title" : "Prof. Dr. Dr.",
    "personal_identifications" : [ ],
    "contacts" : {
      "phone_contacts" : [ {
        "phone_type" : "MOBILE",
        "phone_number" : "+442071838750"
      }, {
        "phone_type" : "FAX",
        "phone_number" : "+442071838751"
      } ]
    }
  },
  "credit_card_data" : {
    "number" : "4000056655665556",
    "expiry_date" : {
      "year" : 2028,
      "month" : 11
    },
    "code" : "123",
    "cardholder" : "Card T. Holder"
  },
  "bank_account" : {
    "bic" : "HYVEDEMMXXX",
    "iban" : "DE02700202700010108669",
    "account_holder" : "Rene Meier",
    "bank_name" : "UniCredit Bank - HypoVereinsbank"
  },
  "address" : {
    "first_name" : "Fritz",
    "last_name" : "Mustermann",
    "address_line_1" : "Musterteichstr 18",
    "address_line_2" : "EG R. 184",
    "address_line_3" : "Wohnhaus",
    "postal_code" : "94347",
    "city" : "Musterhausen",
    "state" : "SN",
    "country" : "DE"
  },
  "reason" : "SUSPECTED",
  "action" : "DELETE",
  "list_name" : "NEGATIVE"
}

Responses

Code Type Content-Type Description

200

RiskmanagementEntryResponse

application/json

Indicates the list interaction to add/remove an entry was performed. Result can be success or information regarding the problems occured.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

RiskmanagementScoringRequest

application/json

Access to this resource is forbidden with these credentials.

POST /riskmanagement/scoring/{event_id}

Calculates risk score of given data.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request example Sample risk management scoring request

Request type: RiskmanagementScoringRequest

{
  "billing_address" : {
    "first_name" : "Heinz",
    "last_name" : "Mustermann",
    "email" : "heinz.mustermann@example.com",
    "phone_contact" : {
      "phone_type" : "MOBILE",
      "phone_number" : "+442071838750"
    },
    "address_line_1" : "Musterstraße 18",
    "address_line_2" : "EG Rechnungsraum. 184",
    "address_line_3" : "Rechnungsgebäude/Buchhaltung",
    "postal_code" : "84347",
    "city" : "Musterstadt",
    "state" : "SN",
    "country" : "DE"
  },
  "basket" : {
    "basket_id" : "123456-basketId-dummy",
    "shipping_costs" : {
      "amount" : 50,
      "currency" : "EUR"
    },
    "basket_type" : "PHYSICAL",
    "basket_items" : [ {
      "name" : "productName1",
      "description" : "productDescription1",
      "reference" : "reference1",
      "quantity" : {
        "quantity_amount" : 1,
        "quantity_unit" : "pcs"
      },
      "unit_price" : {
        "net" : 84034,
        "gross" : 100000,
        "currency" : "EUR",
        "tax" : 1900
      },
      "item_discount" : {
        "net" : 0,
        "gross" : 0,
        "currency" : "EUR",
        "tax" : 1900
      },
      "extensions" : {
        "riskcheck_data" : {
          "riskcheck_type" : "SHIPPING_ONLY",
          "distributor_product_sku" : "1234567890",
          "gift_card_currency" : "EUR",
          "product_risk" : "LOW",
          "risk_check_passenger" : {
            "type" : "ADT",
            "status" : "standard",
            "phone" : {
              "phone_type" : "MOBILE",
              "phone_number" : "+4917223456789"
            },
            "first_name" : "Maria",
            "last_name" : "Musterfrau",
            "id" : "B7564",
            "email" : "maria.musterfrau@passenger.com",
            "country" : "DE"
          },
          "shipping_destination_types" : "RESIDENTIAL",
          "is_gift" : false
        }
      }
    } ]
  },
  "device_information" : {
    "cookies_accepted" : true,
    "http_accept_browser_value" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "http_accept_content" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
    "color_depth" : "B24",
    "http_browser_email" : "mustermann@example.com",
    "http_browser_java_enabled" : true,
    "http_browser_java_script_enabled" : true,
    "http_browser_language" : "de-DE",
    "http_browser_screen_height" : 1080,
    "http_browser_screen_width" : 1920,
    "http_browser_time_difference" : 60,
    "ip_address" : "192.168.0.1",
    "user_agent" : "Mozilla",
    "user_agent_browser_value" : "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
  },
  "shipping_address" : {
    "first_name" : "Klaus",
    "last_name" : "Mustermann",
    "address_line_1" : "Musterstraße 7",
    "address_line_2" : "2. OG Lieferraum 333",
    "address_line_3" : "Lieferhaus",
    "postal_code" : "10243",
    "city" : "Musterdorf",
    "state" : "BE",
    "country" : "DE"
  },
  "account_information" : {
    "account_change_date" : "2021-10-25",
    "account_creation_indicator" : "GUEST",
    "account_id" : "MC_ACC_12345678",
    "account_opened_date" : "2021-10-25",
    "modification_indicator" : "ACCOUNT_UPDATED_NOW",
    "password_change_date" : "2021-10-25",
    "password_change_indicator" : "PASSWORD_CHANGED_NOW",
    "payment_account_date" : "2021-10-25",
    "payment_account_history" : "PAYMENT_ACCOUNT_ADDED_NOW",
    "add_card_attempts" : 1,
    "provisioning_day_count" : 1,
    "purchases_six_month_count" : 2,
    "shipping_address_first_use_date" : "2021-10-25",
    "shipping_address_first_use" : false,
    "shipping_name_indicator" : "02",
    "suspicious_account_activity" : false,
    "transactions_day_count" : 1,
    "transactions_year_count" : 1
  },
  "customer_information" : {
    "date_of_birth" : "1985-12-30",
    "gender" : "FEMALE",
    "title" : "Prof. Dr. Dr.",
    "personal_identifications" : [ {
      "type" : "PASSPORT",
      "id" : "T220001297",
      "issued_by" : "DE"
    }, {
      "type" : "DRIVERS_LICENSE",
      "id" : "DL220001297",
      "issued_by" : "BE"
    } ],
    "contacts" : {
      "phone_contacts" : [ {
        "phone_type" : "MOBILE",
        "phone_number" : "+442071838750"
      }, {
        "phone_type" : "FAX",
        "phone_number" : "+442071838751"
      } ]
    }
  },
  "merchant_risk_indicators" : {
    "delivery_email_address" : "delivery@example.com",
    "delivery_timeframe" : "MORE_THAN_ONE_DAY",
    "gift_card_amount" : "0",
    "gift_card_count" : "0",
    "gift_card_currency" : "EUR",
    "pre_order_date" : "2021-10-25",
    "pre_order_purchase_indicator" : "AVAILABLE",
    "reordered_items_indicator" : "FIRST",
    "shipping_indicator" : "DIGITAL"
  },
  "merchant_defined_information" : [ {
    "key" : "2",
    "value" : "high_volume_order"
  }, {
    "key" : "11",
    "value" : "nightly_order"
  }, {
    "key" : "52",
    "value" : "donation"
  }, {
    "key" : "99",
    "value" : "multi-packaging"
  }, {
    "key" : "100",
    "value" : "reordered-8times"
  }, {
    "key" : "103",
    "value" : "devices"
  } ],
  "travel_information" : {
    "actual_final_destination" : "LEJ",
    "complete_route" : "LEJ-LHR:LHR-JFK:JFK-LHR:LHR-LEJ",
    "departure_time" : "2024-07-01T07:40+01:00",
    "journey_type" : "ROUNDTRIP",
    "legs" : [ {
      "origination" : "LEJ",
      "destination" : "LHR",
      "carrier_code" : "LH",
      "departure_date" : "20240701"
    }, {
      "origination" : "LHR",
      "destination" : "JFK",
      "carrier_code" : "BA",
      "departure_date" : "20240701"
    }, {
      "origination" : "JFK",
      "destination" : "LHR",
      "carrier_code" : "BA",
      "departure_date" : "20240714"
    }, {
      "origination" : "LHR",
      "destination" : "LEJ",
      "carrier_code" : "LH",
      "departure_date" : "20240714"
    } ],
    "number_of_passengers" : 2,
    "passengers" : [ {
      "first_name" : "Heinz",
      "last_name" : "Mueller"
    }, {
      "first_name" : "Klaus",
      "last_name" : "Mueller"
    } ]
  },
  "risk_check_additional_information" : {
    "fingerprint_session_id" : "1234567890-0000000005"
  },
  "credit_card_data" : {
    "number" : "4000056655665556",
    "expiry_date" : {
      "year" : 2028,
      "month" : 11
    },
    "code" : "123",
    "cardholder" : "Card T. Holder"
  },
  "bank_account" : {
    "bic" : "HYVEDEMMXXX",
    "iban" : "DE02700202700010108669",
    "account_holder" : "Rene Meier",
    "bank_name" : "UniCredit Bank - HypoVereinsbank"
  },
  "address" : {
    "first_name" : "Fritz",
    "last_name" : "Mustermann",
    "address_line_1" : "Musterteichstr 18",
    "address_line_2" : "EG R. 184",
    "address_line_3" : "Wohnhaus",
    "postal_code" : "94347",
    "city" : "Musterhausen",
    "state" : "SN",
    "country" : "DE"
  },
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  }
}

Responses

Code Type Content-Type Description

200

RiskmanagementScoringResponse

application/json

Calculates the score of the given data and gives back more detailed information regarding the result calculation.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

WidgetSolutionCreateSessionRequest

application/json

Access to this resource is forbidden with these credentials.

7.2.12. Widget Solution

The Widget Solution API contains an endpoint to create a session for Widget Solution transactions.

POST /widgetsolution/session/event/{event_id}/{tx_action}

Prepares a new session for a Widget Solution transaction.

Path Parameters

Name

Type

Description

event_id

string

required
minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

tx_action

string

required
enum
- authorization
- preauthorization
- verify-mop

The action of an initial transaction.

Header Parameters

Name Type Description

Merchant-ID

string

minLength: 10
maxLength: 10
pattern: [0-9]+

Unique identification of the merchant for which the transaction is carried out. This parameter is required if the Merchant-ID cannot be derived from the client_id you used for authentication.

Request Body (required)

Type Content-Type

application/json

Request examples

Request type: WidgetSolutionCreateSessionRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "merchant_country" : "DE",
  "transaction_data" : {
    "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
    "googlepay_domain_name" : "testshop.de"
  }
}

Request type: WidgetSolutionCreateSessionRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "merchant_country" : "DE"
}

Request type: WidgetSolutionCreateSessionRequest

{
  "amount_total" : {
    "amount" : 100,
    "currency" : "EUR"
  },
  "merchant_country" : "DE",
  "transaction_data" : {
    "billing_address" : {
      "first_name" : "Heinz",
      "last_name" : "Mustermann",
      "email" : "heinz.mustermann@example.com",
      "phone_contact" : {
        "phone_type" : "MOBILE",
        "phone_number" : "+442071838750"
      },
      "address_line_1" : "Musterstraße 18",
      "address_line_2" : "EG Rechnungsraum. 184",
      "address_line_3" : "Rechnungsgebäude/Buchhaltung",
      "postal_code" : "84347",
      "city" : "Musterstadt",
      "state" : "SN",
      "country" : "DE"
    },
    "basket" : {
      "basket_id" : "123456-basketId-dummy",
      "shipping_costs" : {
        "amount" : 50,
        "currency" : "EUR"
      },
      "basket_type" : "PHYSICAL",
      "basket_items" : [ {
        "name" : "productName1",
        "description" : "productDescription1",
        "reference" : "reference1",
        "quantity" : {
          "quantity_amount" : 1,
          "quantity_unit" : "pcs"
        },
        "unit_price" : {
          "net" : 84034,
          "gross" : 100000,
          "currency" : "EUR",
          "tax" : 1900
        },
        "item_discount" : {
          "net" : 0,
          "gross" : 0,
          "currency" : "EUR",
          "tax" : 1900
        },
        "extensions" : {
          "riskcheck_data" : {
            "riskcheck_type" : "SHIPPING_ONLY",
            "distributor_product_sku" : "1234567890",
            "gift_card_currency" : "EUR",
            "product_risk" : "LOW",
            "risk_check_passenger" : {
              "type" : "ADT",
              "status" : "standard",
              "phone" : {
                "phone_type" : "MOBILE",
                "phone_number" : "+4917223456789"
              },
              "first_name" : "Maria",
              "last_name" : "Musterfrau",
              "id" : "B7564",
              "email" : "maria.musterfrau@passenger.com",
              "country" : "DE"
            },
            "shipping_destination_types" : "RESIDENTIAL",
            "is_gift" : false
          }
        }
      } ]
    },
    "device_information" : {
      "cookies_accepted" : true,
      "http_accept_browser_value" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
      "http_accept_content" : "text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8",
      "color_depth" : "B24",
      "http_browser_email" : "mustermann@example.com",
      "http_browser_java_enabled" : true,
      "http_browser_java_script_enabled" : true,
      "http_browser_language" : "de-DE",
      "http_browser_screen_height" : 1080,
      "http_browser_screen_width" : 1920,
      "http_browser_time_difference" : 60,
      "ip_address" : "192.168.0.1",
      "user_agent" : "Mozilla",
      "user_agent_browser_value" : "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
    },
    "shipping_address" : {
      "first_name" : "Klaus",
      "last_name" : "Mustermann",
      "address_line_1" : "Musterstraße 7",
      "address_line_2" : "2. OG Lieferraum 333",
      "address_line_3" : "Lieferhaus",
      "postal_code" : "10243",
      "city" : "Musterdorf",
      "state" : "BE",
      "country" : "DE"
    },
    "merchant_information" : {
      "locale" : "en",
      "merchant_data_1" : "further merchant information (1)",
      "merchant_data_2" : "further merchant information (2)",
      "merchant_data_3" : "further merchant information (3)"
    },
    "account_information" : {
      "account_change_date" : "2021-10-25",
      "account_creation_indicator" : "GUEST",
      "account_id" : "MC_ACC_12345678",
      "account_opened_date" : "2021-10-25",
      "modification_indicator" : "ACCOUNT_UPDATED_NOW",
      "password_change_date" : "2021-10-25",
      "password_change_indicator" : "PASSWORD_CHANGED_NOW",
      "payment_account_date" : "2021-10-25",
      "payment_account_history" : "PAYMENT_ACCOUNT_ADDED_NOW",
      "add_card_attempts" : 1,
      "provisioning_day_count" : 1,
      "purchases_six_month_count" : 2,
      "shipping_address_first_use_date" : "2021-10-25",
      "shipping_address_first_use" : false,
      "shipping_name_indicator" : "02",
      "suspicious_account_activity" : false,
      "transactions_day_count" : 1,
      "transactions_year_count" : 1
    },
    "customer_information" : {
      "date_of_birth" : "1985-12-30",
      "gender" : "FEMALE",
      "title" : "Prof. Dr. Dr.",
      "personal_identifications" : [ {
        "type" : "PASSPORT",
        "id" : "T220001297",
        "issued_by" : "DE"
      }, {
        "type" : "DRIVERS_LICENSE",
        "id" : "DL220001297",
        "issued_by" : "BE"
      } ],
      "contacts" : {
        "phone_contacts" : [ {
          "phone_type" : "MOBILE",
          "phone_number" : "+442071838750"
        }, {
          "phone_type" : "FAX",
          "phone_number" : "+442071838751"
        } ]
      }
    },
    "merchant_risk_indicators" : {
      "delivery_email_address" : "delivery@example.com",
      "delivery_timeframe" : "MORE_THAN_ONE_DAY",
      "gift_card_amount" : "0",
      "gift_card_count" : "0",
      "gift_card_currency" : "EUR",
      "pre_order_date" : "2021-10-25",
      "pre_order_purchase_indicator" : "AVAILABLE",
      "reordered_items_indicator" : "FIRST",
      "shipping_indicator" : "DIGITAL"
    },
    "merchant_defined_information" : [ {
      "key" : "2",
      "value" : "high_volume_order"
    }, {
      "key" : "11",
      "value" : "nightly_order"
    }, {
      "key" : "52",
      "value" : "donation"
    }, {
      "key" : "99",
      "value" : "multi-packaging"
    }, {
      "key" : "100",
      "value" : "reordered-8times"
    }, {
      "key" : "103",
      "value" : "devices"
    } ],
    "travel_information" : {
      "actual_final_destination" : "LEJ",
      "complete_route" : "LEJ-LHR:LHR-JFK:JFK-LHR:LHR-LEJ",
      "departure_time" : "2024-07-01T07:40+01:00",
      "journey_type" : "ROUNDTRIP",
      "legs" : [ {
        "origination" : "LEJ",
        "destination" : "LHR",
        "carrier_code" : "LH",
        "departure_date" : "20240701"
      }, {
        "origination" : "LHR",
        "destination" : "JFK",
        "carrier_code" : "BA",
        "departure_date" : "20240701"
      }, {
        "origination" : "JFK",
        "destination" : "LHR",
        "carrier_code" : "BA",
        "departure_date" : "20240714"
      }, {
        "origination" : "LHR",
        "destination" : "LEJ",
        "carrier_code" : "LH",
        "departure_date" : "20240714"
      } ],
      "number_of_passengers" : 2,
      "passengers" : [ {
        "first_name" : "Heinz",
        "last_name" : "Mueller"
      }, {
        "first_name" : "Klaus",
        "last_name" : "Mueller"
      } ]
    },
    "risk_check_additional_information" : {
      "fingerprint_session_id" : "1234567890-0000000005"
    },
    "googlepay_merchant_id" : "BCR2DN4T7D65Z6BX",
    "googlepay_domain_name" : "testshop.de",
    "alias_action" : {
      "action" : "CREATE"
    },
    "processing_options" : [ "RISKCHECK" ],
    "recurring_payment" : "07H987Tx3PF9VxL5G7RfNp",
    "sequence_type" : "RECURRING",
    "series_flag" : "RECURRING",
    "tds_20_data" : {
      "communication_data" : {
        "method_notification_url" : "https://example.com/method_notification_url",
        "cres_notification_url" : "https://example.com/cres_notification_url"
      }
    }
  }
}

Responses

Code Type Content-Type Description

200

WidgetSolutionCreateSessionResponse

application/json

Values required to initialize session for a Widget Solution interaction.

400

application/json

Response in case of an error. Includes a response code and an error message.

401

application/json

Unauthorized request. Response body may be empty.

403

application/json

Access to this resource is forbidden with these credentials.

7.2.13. Model

AccountInformation

Information on a user’s account usage, payment history, transaction statistics.

Property Type Description

account_change_date

string

format: date

Date of the last change to the client’s account. This includes changes to the billing or shipping addresses, new payment methods or new users added.

Example: 2021-10-25

account_creation_indicator

string

enum
- GUEST
- NEW_ACCOUNT
- EXISTING_ACCOUNT

What kind of account is it?

GUEST
NEW_ACCOUNT
EXISTING_ACCOUNT

Example: GUEST

account_id

string

The account ID.

Example: MC_ACC_12345678

account_opened_date

string

format: date

Date the client opened the account. This usually only applies if this is an EXISTING_ACCOUNT.

Example: 2021-10-25

add_card_attempts

integer

format: int32
maximum: 999

Number of add card attempts during the last 24 hours.

Example: 1

modification_indicator

string

enum
- ACCOUNT_UPDATED_NOW
- ACCOUNT_UPDATED_PAST

This field is applicable only if this is an EXISTING_ACCOUNT.

ACCOUNT_UPDATED_NOW
ACCOUNT_UPDATED_PAST

Example: ACCOUNT_UPDATED_NOW

password_change_date

string

format: date

Date the client last changed the account’s password. May be empty if the password has not been changed yet.

Example: 2021-10-25

password_change_indicator

string

enum
- PASSWORD_CHANGED_NOW
- PASSWORD_CHANGED_PAST
- PASSWORD_NEVER_CHANGED

This field is applicable only if this is an EXISTING_ACCOUNT.

PASSWORD_CHANGED_NOW
PASSWORD_CHANGED_PAST
PASSWORD_NEVER_CHANGED

Example: PASSWORD_CHANGED_NOW

payment_account_date

string

format: date

Only applicable if PAYMENT_ACCOUNT_EXISTS.

Example: 2021-10-25

payment_account_history

string

enum
- PAYMENT_ACCOUNT_EXISTS
- PAYMENT_ACCOUNT_ADDED_NOW

This field is applicable only if this is a NEW_ACCOUNT or EXISTING_ACCOUNT.

PAYMENT_ACCOUNT_EXISTS
PAYMENT_ACCOUNT_ADDED_NOW

Example: PAYMENT_ACCOUNT_EXISTS

provisioning_day_count

integer

format: int32
maximum: 9999

The provisioning day counter.

Example: 1

purchases_six_month_count

integer

format: int32
maximum: 9999

Number of purchases with this account during the previous six months.

Example: 2

shipping_address_first_use

boolean

Applicable if this is not a guest account.

Example: false

shipping_address_first_use_date

string

format: date

Date when the shipping address was first used for this transaction. Only applies if firstUseOfShippingAddress is false and this is not a guest account.

Example: 2021-10-25

shipping_name_indicator

string

The shipping name indicator. Indicates if the account’s cardholder name equals the shipping name used for this transaction.

Example: 02

suspicious_account_activity

boolean

Indicates whether the merchant experienced suspicious activity (including previous fraud) on the account.

Example: false

transactions_day_count

integer

format: int32
maximum: 999

Number of transactions (successful or abandoned) of this account during the last 24 hours.

Example: 1

transactions_year_count

integer

format: int32
maximum: 9999

Number of transactions (successful or abandoned) of this account during the last 365 days.

Example: 1

AddressRequestData

Property Type Description

addition

boolean

Request to provide the addition of the address

Example: false

city

boolean

Request to provide the city of the address

Example: false

company_name

boolean

Request to provide the company name of the debtor

Example: false

country_name

boolean

Request to provide name of the country

Example: false

first_name

boolean

Request to provide the first name of the debtor

Example: false

house_number

boolean

Request to provide the house number of the address

Example: false

last_name

boolean

Request to provide the last name of the debtor

Example: false

postal_code

boolean

Request to provide the postal code of the address without spaces

Example: false

street

boolean

Request to provide the street of the address

Example: false

AliasAction

Specifies an alias and an operation to perform on it.

Property Type Description

action

string

required
enum
- CREATE
- UPDATE
- USE

The action to perform.

CREATE: creates a new alias
UPDATE: updates an existing alias
USE: uses the data stored under the given alias (for example, to prefill a form).

alias

string

The alias value. If no value is set an alias is created by the system.

Example: 221f56ca355d8e6c42517749cf79ceb8

AliasBankAccountRequest

Contains information used to create an alias for a bank account. Either token or bank_account must be specified.

Property Type Description

address

Address data as applicable to most use cases.

alias

string

minLength: 0
maxLength: 50

The alias value. If no value is set an alias is created by the system.

Example: 221f56ca355d8e6c42517749cf79ceb8

bank_account

BankAccount

Information about a bank account.

token

string

minLength: 0
maxLength: 500
pattern: [a-zA-Z0-9/+=_-]*

The token value.

Example: eyJ0IjoiSFcyaS13cTB3PT0iLCJzIjoiaWIybzFRMHEifQ

AliasCreditCardRequest

Contains information used to create an alias for a credit card. Either token or credit_card must be specified.

Property Type Description

alias

string

minLength: 0
maxLength: 50

The alias value. If no value is set an alias is created by the system.

Example: 221f56ca355d8e6c42517749cf79ceb8

credit_card

CreditCard

Information about a credit card.

token

string

minLength: 0
maxLength: 500
pattern: [a-zA-Z0-9/+=_-]*

The token value.

Example: eyJ0IjoiSFcyaS13cTB3PT0iLCJzIjoiaWIybzFRMHEifQ

AliasInfo

Contains information about the created or updated alias. This field is null if the there was no 'alias_info' in the request.

Property Type Description

address

Address data as applicable to most use cases.

alias

string

Name of the alias.

Example: da2c9029-b180-42a7-b473-50d182a01f8a

bank_account

BankAccount

Information about a bank account.

credit_card

CreditCardInfo

Information about a credit card.

AliasResponse

Common response of all alias requests.

Property Type Description

alias_info

AliasInfo

Contains information about the created or updated alias. This field is null if the there was no 'alias_info' in the request.

message

string

required

Success or error message, text for the response code.

Example: Transaction successful.

string

required

Response code of the transaction. "0" in the case of a successful transaction. Other values signify errors.

Example: 0

AlternativeAddressData

Alternative address fields.

Property Type Description

street

string

minLength: 0
maxLength: 100

The street.

Example: Main Street

street_number

string

minLength: 0
maxLength: 10

The street number.

Example: 123a

AmountCurrency

An amount and a currency.

Property Type Description

amount

integer

required
format: int64

Minor currency value of an amount of money.

Example: 200

currency

string

required
minLength: 3
maxLength: 3
pattern: [A-Z]{3}

ISO 4217 currency code, three uppercase letters.

Example: EUR

ApplePayPaymentRequest

The payment request of the Apple Pay API.

Property Type Description

account_information

AccountInformation

Information on a user’s account usage, payment history, transaction statistics.

alias_action

AliasAction

Specifies an alias and an operation to perform on it.

amount_total

required

An amount and a currency.

basket

Basket

A generalized shopping basket.

billing_address

RiskCheckAdditionalInformation

Address data as applicable to most use cases.

customer_information

CustomerInformation

Details of a customer.

device_information

DeviceInformation

Technical details of a client.

means_of_payment

MeansOfPaymentApplePay

required

The means of payment that will be used. Exactly one of the given means is valid.

merchant_defined_information

Array[RiskCheckMerchantDefinedInformation]

merchant_information

MerchantInformation

Further information from the merchant.

merchant_risk_indicators

MerchantRiskIndicators

Contains data about the specific 3-D Secure 2.0 purchase which can be used for risk assessment.

processing_options

Array[string]

enum
- FALLBACK_ON_SSL
- RISKCHECK

Additional processing option for headless 3-D Secure transactions.

FALLBACK_ON_SSL: process the transaction flagged as channel-encrypted (SSL, 3-D Secure authentication was not performed) instead of 3-D Secure in case 3-D Secure authentication could not be performed.
RISKCHECK: process risk check transaction before start of 3-D Secure authentication. In case of declined risk check no credit card transaction is started

Example: ["RISKCHECK"]

recurring_payment

string

minLength: 1
maxLength: 50
pattern: [/0-9a-zA-Z_.:,+*$%-]+

Identifier of a recurring credit card payment.

Example: 07H987Tx3PF9VxL5G7RfNp

risk_check_additional_information

Additional information for calculation of the risk of a transaction.

sequence_type

string

enum
- FINAL
- FIRST
- RECURRING

If this payment is part of a sequence of payments

FIRST: first payment of a sequence
RECURRING: follow-up payment
FINAL: last payment of a sequence

series_flag

string

enum
- INSTALMENT
- RECURRING
- UCOF

Designates a payment as part of a series of payments.

INSTALMENT: for example in the case of paying a fixed sum in multiple partial payments.
RECURRING: for example in the case of a subscription or standing order.
UCOF: when a card number alias is created for future payments with the same credit card. In this case use alias_action with action CREATE with the first payment and the card number alias with the following payments. You can use the tx_action verify-mop with the first UCOF transaction to register a card number alias without a payment.

shipping_address

RiskCheckTravelInformation

Address data as applicable to most use cases.

tds_20_data

TDS20Data

3-D Secure data. Activates 3-D Secure processing if values are set.

travel_information

Travel information of the order.

ApplePayPaymentSessionRequest

The payment session creation request of the Apple Pay API.

Property Type Description

initiative_context

string

required

Domain where the payment is initiated and which is registered and validated at Apple Pay.

Example: testmerch.directpos.de

merchant_id

string

required

Merchant Identifier registered for payments at Apple Pay.

Example: merchant.9999900999.1.processingpagateq.merchantsolution

ApplePayPaymentSessionResponse

Property Type Description

applepay_payment_session_token

string

minLength: 1
maxLength: 10000
pattern: [a-zA-Z0-9:,\/+=_\-\\\{\}\[\]\" ]*

The Base64 encoded payment session response from Apple Pay.

Example: ewoJImVwb2NoVGltZXN0YW1wIjoxNjYzNzU0OTQwMDY5LAoJImV4cGlyZXNBdCI6MTY2Mzc1ODU0MDA2OSwKCSJtZXJjaGFudFNlc3Npb25JZGVudGlmaWVyIjoiU1NINTk3RjRCQjk5MkMzNEEzNjgwNDkwNTc1RjhEMTJBQ0NfQzIzQTBEMzAyNEZBQjhCMTJDQkI2NzY2MEI0QzFCNDhBQkYxMjcyRUM4QjYxMzk5RTNBNjQ3MjkwQzhCRTY3QSIsCgkibm9uY2UiOiI4NmI1ZDlmMSIsCgkibWVyY2hhbnRJZGVudGlmaWVyIjoiMjg3MzJBNEYwNUFFMDU1NTAwNzc2NDJDQzZCQUJBOEM1OTIzRTM0N0EwODM4MDNDMEI3QTgwODg3MTBDMzFFNCIsCgkiZG9tYWluTmFtZSI6InRlc3RtZXJjaC5kaXJlY3Rwb3MuZGUiLAoJImRpc3BsYXlOYW1lIjoiREIucHJvY2Vzc2luZ3BhZ2F0ZXEubWVyY2hhbnRzb2x1dGlvbiIsCgkic2lnbmF0dXJlIjoiMzA4MDA2MDkyYTg2NDg4NmY3MGQwMTA3MDJhMDgwMzA4MDAyMDEwMTMxMGYzMDBkMDYwOTYwODY0ODAxNjUwMzA0MDIwMTA1MDAzMDgwMDYwOTJhODY0ODg2ZjcwZDAxMDcwMTAwMDBhMDgwMzA4MjAzZTMzMDgyMDM4OGEwMDMwMjAxMDIwMjA4NGMzMDQxNDk1MTlkNTQzNjMwMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwN2EzMTJlMzAyYzA2MDM1NTA0MDMwYzI1NDE3MDcwNmM2NTIwNDE3MDcwNmM2OTYzNjE3NDY5NmY2ZTIwNDk2ZTc0NjU2NzcyNjE3NDY5NmY2ZTIwNDM0MTIwMmQyMDQ3MzMzMTI2MzAyNDA2MDM1NTA0MGIwYzFkNDE3MDcwNmM2NTIwNDM2NTcyNzQ2OTY2Njk2MzYxNzQ2OTZmNmUyMDQxNzU3NDY4NmY3MjY5NzQ3OTMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMzAxZTE3MGQzMTM5MzAzNTMxMzgzMDMxMzMzMjM1Mzc1YTE3MGQzMjM0MzAzNTMxMzYzMDMxMzMzMjM1Mzc1YTMwNWYzMTI1MzAyMzA2MDM1NTA0MDMwYzFjNjU2MzYzMmQ3MzZkNzAyZDYyNzI2ZjZiNjU3MjJkNzM2OTY3NmU1ZjU1NDMzNDJkNTA1MjRmNDQzMTE0MzAxMjA2MDM1NTA0MGIwYzBiNjk0ZjUzMjA1Mzc5NzM3NDY1NmQ3MzMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMzA1OTMwMTMwNjA3MmE4NjQ4Y2UzZDAyMDEwNjA4MmE4NjQ4Y2UzZDAzMDEwNzAzNDIwMDA0YzIxNTc3ZWRlYmQ2YzdiMjIxOGY2OGRkNzA5MGExMjE4ZGM3YjBiZDZmMmMyODNkODQ2MDk1ZDk0YWY0YTU0MTFiODM0MjBlZDgxMWYzNDA3ZTgzMzMxZjFjNTRjM2Y3ZWIzMjIwZDZiYWQ1ZDRlZmY0OTI4OTg5M2U3YzBmMTNhMzgyMDIxMTMwODIwMjBkMzAwYzA2MDM1NTFkMTMwMTAxZmYwNDAyMzAwMDMwMWYwNjAzNTUxZDIzMDQxODMwMTY4MDE0MjNmMjQ5YzQ0ZjkzZTRlZjI3ZTZjNGY2Mjg2YzNmYTJiYmZkMmU0YjMwNDUwNjA4MmIwNjAxMDUwNTA3MDEwMTA0MzkzMDM3MzAzNTA2MDgyYjA2MDEwNTA1MDczMDAxODYyOTY4NzQ3NDcwM2EyZjJmNmY2MzczNzAyZTYxNzA3MDZjNjUyZTYzNmY2ZDJmNmY2MzczNzAzMDM0MmQ2MTcwNzA2YzY1NjE2OTYzNjEzMzMwMzIzMDgyMDExZDA2MDM1NTFkMjAwNDgyMDExNDMwODIwMTEwMzA4MjAxMGMwNjA5MmE4NjQ4ODZmNzYzNjQwNTAxMzA4MWZlMzA4MWMzMDYwODJiMDYwMTA1MDUwNzAyMDIzMDgxYjYwYzgxYjM1MjY1NmM2OTYxNmU2MzY1MjA2ZjZlMjA3NDY4Njk3MzIwNjM2NTcyNzQ2OTY2Njk2MzYxNzQ2NTIwNjI3OTIwNjE2ZTc5MjA3MDYxNzI3NDc5MjA2MTczNzM3NTZkNjU3MzIwNjE2MzYzNjU3MDc0NjE2ZTYzNjUyMDZmNjYyMDc0Njg2NTIwNzQ2ODY1NmUyMDYxNzA3MDZjNjk2MzYxNjI2YzY1MjA3Mzc0NjE2ZTY0NjE3MjY0MjA3NDY1NzI2ZDczMjA2MTZlNjQyMDYzNmY2ZTY0Njk3NDY5NmY2ZTczMjA2ZjY2MjA3NTczNjUyYzIwNjM2NTcyNzQ2OTY2Njk2MzYxNzQ2NTIwNzA2ZjZjNjk2Mzc5MjA2MTZlNjQyMDYzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA3MDcyNjE2Mzc0Njk2MzY1MjA3Mzc0NjE3NDY1NmQ2NTZlNzQ3MzJlMzAzNjA2MDgyYjA2MDEwNTA1MDcwMjAxMTYyYTY4NzQ3NDcwM2EyZjJmNzc3Nzc3MmU2MTcwNzA2YzY1MmU2MzZmNmQyZjYzNjU3Mjc0Njk2NjY5NjM2MTc0NjU2MTc1NzQ2ODZmNzI2OTc0NzkyZjMwMzQwNjAzNTUxZDFmMDQyZDMwMmIzMDI5YTAyN2EwMjU4NjIzNjg3NDc0NzAzYTJmMmY2MzcyNmMyZTYxNzA3MDZjNjUyZTYzNmY2ZDJmNjE3MDcwNmM2NTYxNjk2MzYxMzMyZTYzNzI2YzMwMWQwNjAzNTUxZDBlMDQxNjA0MTQ5NDU3ZGI2ZmQ1NzQ4MTg2ODk4OTc2MmY3ZTU3ODUwN2U3OWI1ODI0MzAwZTA2MDM1NTFkMGYwMTAxZmYwNDA0MDMwMjA3ODAzMDBmMDYwOTJhODY0ODg2Zjc2MzY0MDYxZDA0MDIwNTAwMzAwYTA2MDgyYTg2NDhjZTNkMDQwMzAyMDM0OTAwMzA0NjAyMjEwMGJlMDk1NzFmZTcxZTFlNzM1YjU1ZTVhZmFjYjRjNzJmZWI0NDVmMzAxODUyMjJjNzI1MTAwMmI2MWViZDZmNTUwMjIxMDBkMThiMzUwYTVkZDZkZDZlYjE3NDYwMzViMTFlYjJjZTg3Y2ZhM2U2YWY2Y2JkODM4MDg5MGRjODJjZGRhYTYzMzA4MjAyZWUzMDgyMDI3NWEwMDMwMjAxMDIwMjA4NDk2ZDJmYmYzYTk4ZGE5NzMwMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwNjczMTFiMzAxOTA2MDM1NTA0MDMwYzEyNDE3MDcwNmM2NTIwNTI2ZjZmNzQyMDQzNDEyMDJkMjA0NzMzMzEyNjMwMjQwNjAzNTUwNDBiMGMxZDQxNzA3MDZjNjUyMDQzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA0MTc1NzQ2ODZmNzI2OTc0NzkzMTEzMzAxMTA2MDM1NTA0MGEwYzBhNDE3MDcwNmM2NTIwNDk2ZTYzMmUzMTBiMzAwOTA2MDM1NTA0MDYxMzAyNTU1MzMwMWUxNzBkMzEzNDMwMzUzMDM2MzIzMzM0MzYzMzMwNWExNzBkMzIzOTMwMzUzMDM2MzIzMzM0MzYzMzMwNWEzMDdhMzEyZTMwMmMwNjAzNTUwNDAzMGMyNTQxNzA3MDZjNjUyMDQxNzA3MDZjNjk2MzYxNzQ2OTZmNmUyMDQ5NmU3NDY1Njc3MjYxNzQ2OTZmNmUyMDQzNDEyMDJkMjA0NzMzMzEyNjMwMjQwNjAzNTUwNDBiMGMxZDQxNzA3MDZjNjUyMDQzNjU3Mjc0Njk2NjY5NjM2MTc0Njk2ZjZlMjA0MTc1NzQ2ODZmNzI2OTc0NzkzMTEzMzAxMTA2MDM1NTA0MGEwYzBhNDE3MDcwNmM2NTIwNDk2ZTYzMmUzMTBiMzAwOTA2MDM1NTA0MDYxMzAyNTU1MzMwNTkzMDEzMDYwNzJhODY0OGNlM2QwMjAxMDYwODJhODY0OGNlM2QwMzAxMDcwMzQyMDAwNGYwMTcxMTg0MTlkNzY0ODVkNTFhNWUyNTgxMDc3NmU4ODBhMmVmZGU3YmFlNGRlMDhkZmM0YjkzZTEzMzU2ZDU2NjViMzVhZTIyZDA5Nzc2MGQyMjRlN2JiYTA4ZmQ3NjE3Y2U4OGNiNzZiYjY2NzBiZWM4ZTgyOTg0ZmY1NDQ1YTM4MWY3MzA4MWY0MzA0NjA2MDgyYjA2MDEwNTA1MDcwMTAxMDQzYTMwMzgzMDM2MDYwODJiMDYwMTA1MDUwNzMwMDE4NjJhNjg3NDc0NzAzYTJmMmY2ZjYzNzM3MDJlNjE3MDcwNmM2NTJlNjM2ZjZkMmY2ZjYzNzM3MDMwMzQyZDYxNzA3MDZjNjU3MjZmNmY3NDYzNjE2NzMzMzAxZDA2MDM1NTFkMGUwNDE2MDQxNDIzZjI0OWM0NGY5M2U0ZWYyN2U2YzRmNjI4NmMzZmEyYmJmZDJlNGIzMDBmMDYwMzU1MWQxMzAxMDFmZjA0MDUzMDAzMDEwMWZmMzAxZjA2MDM1NTFkMjMwNDE4MzAxNjgwMTRiYmIwZGVhMTU4MzM4ODlhYTQ4YTk5ZGViZWJkZWJhZmRhY2IyNGFiMzAzNzA2MDM1NTFkMWYwNDMwMzAyZTMwMmNhMDJhYTAyODg2MjY2ODc0NzQ3MDNhMmYyZjYzNzI2YzJlNjE3MDcwNmM2NTJlNjM2ZjZkMmY2MTcwNzA2YzY1NzI2ZjZmNzQ2MzYxNjczMzJlNjM3MjZjMzAwZTA2MDM1NTFkMGYwMTAxZmYwNDA0MDMwMjAxMDYzMDEwMDYwYTJhODY0ODg2Zjc2MzY0MDYwMjBlMDQwMjA1MDAzMDBhMDYwODJhODY0OGNlM2QwNDAzMDIwMzY3MDAzMDY0MDIzMDNhY2Y3MjgzNTExNjk5YjE4NmZiMzVjMzU2Y2E2MmJmZjQxN2VkZDkwZjc1NGRhMjhlYmVmMTljODE1ZTQyYjc4OWY4OThmNzliNTk5Zjk4ZDU0MTBkOGY5ZGU5YzJmZTAyMzAzMjJkZDU0NDIxYjBhMzA1Nzc2YzVkZjMzODNiOTA2N2ZkMTc3YzJjMjE2ZDk2NGZjNjcyNjk4MjEyNmY1NGY4N2E3ZDFiOTljYjliMDk4OTIxNjEwNjk5MGYwOTkyMWQwMDAwMzE4MjAxOGQzMDgyMDE4OTAyMDEwMTMwODE4NjMwN2EzMTJlMzAyYzA2MDM1NTA0MDMwYzI1NDE3MDcwNmM2NTIwNDE3MDcwNmM2OTYzNjE3NDY5NmY2ZTIwNDk2ZTc0NjU2NzcyNjE3NDY5NmY2ZTIwNDM0MTIwMmQyMDQ3MzMzMTI2MzAyNDA2MDM1NTA0MGIwYzFkNDE3MDcwNmM2NTIwNDM2NTcyNzQ2OTY2Njk2MzYxNzQ2OTZmNmUyMDQxNzU3NDY4NmY3MjY5NzQ3OTMxMTMzMDExMDYwMzU1MDQwYTBjMGE0MTcwNzA2YzY1MjA0OTZlNjMyZTMxMGIzMDA5MDYwMzU1MDQwNjEzMDI1NTUzMDIwODRjMzA0MTQ5NTE5ZDU0MzYzMDBkMDYwOTYwODY0ODAxNjUwMzA0MDIwMTA1MDBhMDgxOTUzMDE4MDYwOTJhODY0ODg2ZjcwZDAxMDkwMzMxMGIwNjA5MmE4NjQ4ODZmNzBkMDEwNzAxMzAxYzA2MDkyYTg2NDg4NmY3MGQwMTA5MDUzMTBmMTcwZDMyMzIzMDM5MzIzMTMxMzAzMDM5MzAzMDVhMzAyYTA2MDkyYTg2NDg4NmY3MGQwMTA5MzQzMTFkMzAxYjMwMGQwNjA5NjA4NjQ4MDE2NTAzMDQwMjAxMDUwMGExMGEwNjA4MmE4NjQ4Y2UzZDA0MDMwMjMwMmYwNjA5MmE4NjQ4ODZmNzBkMDEwOTA0MzEyMjA0MjAwOWNhYmJiZWVhMjFmNWRiOWM4ZDdjNzdjMjM3N2ZkOThkNDdkYjQ2ZTIxNjlkZmU1ZWU1MGM0OWQwZTRmNjJkMzAwYTA2MDgyYTg2NDhjZTNkMDQwMzAyMDQ0ODMwNDYwMjIxMDA5ZDczN2Q4NTY5YmE0M2U4NTkyODU3MmZlNThkYzIxODYzODMzY2JhY2QxNTI1YTlhZWQ3NjE0ODk4NGFkMjc0MDIyMTAwZDA3YWNiOTUyYTBhMGVlMzk0ZGZlYjY5ZWUxMmRiODFmNDRmY2JmMGRjMWRmMzMxMTFkMmUxOTBkZTNhYjIyMTAwMDAwMDAwMDAwMCIsCgkib3BlcmF0aW9uYWxBbmFseXRpY3NJZGVudGlmaWVyIjoiREIucHJvY2Vzc2luZ3BhZ2F0ZXEubWVyY2hhbnRzb2x1dGlvbjoyODczMkE0RjA1QUUwNTU1MDA3NzY0MkNDNkJBQkE4QzU5MjNFMzQ3QTA4MzgwM0MwQjdBODA4ODcxMEMzMUU0IiwKCSJyZXRyaWVzIjowLAoJInBzcElkIjoiMjg3MzJBNEYwNUFFMDU1NTAwNzc2NDJDQzZCQUJBOEM1OTIzRTM0N0EwODM4MDNDMEI3QTgwODg3MTBDMzFFNCIKfQo=

message

string

required

Success or error message, text for the response code.

Example: Transaction successful.

string

required

Response code of the transaction. "0" in the case of a successful transaction. Other values signify errors.

Example: 0

BankAccount

Information about a bank account.

Property Type Description

account_holder

string

minLength: 1
maxLength: 70

The account holder of the bank account.

Example: Max Muster

bank_name

string

Name of the bank.

Example: Musterbank

bic

string

minLength: 11
maxLength: 11
pattern: [A-Z]{6}[A-Z2-9][A-NP-Z0-9][A-Z0-9]{3}

The business identifier code (BIC) of a bank account. If the branch identifier (positions 9 to 11) is not applicable, it is set to "XXX".

Example: VZVDDED1XXX

iban

string

required
minLength: 15
maxLength: 34
pattern: [A-Z]{2}[0-9]{2}[A-Z0-9*]{11,30}

The international bank account number of the bank account.

Example: DE86100700004567891263

BaseResponse

Property Type Description

message

string

required

Success or error message, text for the response code.

Example: Transaction successful.

string

required

Response code of the transaction. "0" in the case of a successful transaction. Other values signify errors.

Example: 0

Basket

A generalized shopping basket.

Property Type Description

basket_discount

An amount and a currency.

basket_id

string

minLength: 0
maxLength: 140

Identification of the basket. Depending on the backend services the value might be shortened or special characters might be removed before sending.

See the user guide for the respective payment system for more information.

Example: basket123456

basket_items

Array[BasketItem]

An array of items that the customer purchases from the merchant.

basket_type

string

enum
- DIGITAL
- MIXED
- PHYSICAL

Type of a shopping basket.

DIGITAL: Basket contains digital items only.
MIXED: Basket contains items of various types.
PHYSICAL: Basket contains physical items only.

Example: DIGITAL

extensions

BasketExtensions

Service specific basket fields.

invoice_id

string

minLength: 0
maxLength: 127

The API caller-provided external invoice number for this order.

Example: RE123345

shipping_costs

CustomerInformationExtensions

An amount and a currency.

soft_descriptor

string

Dynamic text used to construct the statement descriptor that appears on a payer’s card statement.

Example: 800-123-1234

BasketExtensions

Service specific basket fields.

Property

Type

Description

paypal_data

BasketPayPalData

Service specific basket fields for PayPal.

BasketItem

A purchasable item that is part of a shopping basket’s list of items.

Property Type Description

description

string

minLength: 0
maxLength: 127

Used for storing merchant’s internal order number or other reference.

Example: BI123456

extensions

BasketItemExtensions

Service specific basket item fields.

item_discount

TaxedAmountCurrency

Net and gross money amount accompanied by a tax percentage and currency.

name

string

minLength: 0
maxLength: 127

Descriptive name of the order item.

Example: A fine shirt

quantity

Quantity

A quantity.

reference

string

minLength: 0
maxLength: 64

Article number, SKU or similar.

Example: UGG-BB-PUR-06

unit_price

TaxedAmountCurrency

Net and gross money amount accompanied by a tax percentage and currency.

BasketItemExtensions

Service specific basket item fields.

Property

Type

Description

klarna_data

BasketItemKlarnaData

Service specific basket item fields for Klarna related use cases.

paypal_data

BasketItemPayPalData

Service specific basket item fields for PayPal.

riskcheck_data

BasketItemRiskCheckData

Service specific basket item fields for riskcheck related use cases.

BasketItemKlarnaData

Service specific basket item fields for Klarna related use cases.

Property Type Description

image_url

string

minLength: 0
maxLength: 1024

Product image URL in the merchant’s webshop. May be used to embed the image into communication between Klarna and the customer.

Example: https://www.exampleobjects.com/product-image-1200x1200.jpg

product_identifiers

Array[KlarnaProductIdentifier]

Additional information identifying the basket item.

product_url

string

minLength: 0
maxLength: 1024

Product’s URL in the merchant’s webshop. May be used in communication between Klarna and the customer.

Example: https://www.exampleobjects.com/products/123456789

BasketItemPayPalData

Service specific basket item fields for PayPal.

Property Type Description

paypal_type

string

required
enum
- DIGITAL_GOODS
- PHYSICAL_GOODS
- DONATION

PayPal specific type of an order item.

DIGITAL_GOODS: Goods that are stored, delivered, and used in electronic format.
PHYSICAL_GOODS: A tangible item that can be shipped with proof of delivery.
DONATION: A contribution or gift for which no good or service is exchanged.

Example: PHYSICAL_GOODS

BasketItemRiskCheckData

Service specific basket item fields for riskcheck related use cases.

Property Type Description

distributor_product_sku

string

minLength: 0
maxLength: 15

Product’s identifier code.

Example: 12345678

gift_card_currency

string

If riskcheck_type is GIFT_CERTIFICATE, this field must contain the ISO-4217-3 alpha-numeric currency code used for the gift card purchase.

Example: EUR

is_gift

boolean

If billing and shipping addresses are different:

true: Order risk increases slightly. false: Order risk increases significantly.

Example: true

product_risk

string

enum
- LOW
- NORMAL
- HIGH

Indicates the product’s risk level. This field may contain one of the following values:

LOW: The product is associated with a low number of chargebacks.
NORMAL: The product is associated with a normal number of chargebacks.
HIGH: The product is associated with a high number of chargebacks.

Example: NORMAL

risk_check_passenger

RiskCheckPassenger

A (plane) passenger as modelled from the point of view of a risk check service.

riskcheck_type

string

enum
- ADULT_CONTENT
- COUPON
- DEFAULT
- ELECTRONIC_GOOD
- ELECTRONIC_SOFTWARE
- GIFT_CERTIFICATE
- HANDLING_ONLY
- SERVICE
- SHIPPING_ONLY
- SHIPPING_AND_HANDLING
- SUBSCRIPTION

Riskcheck specific type of an order item.

ADULT_CONTENT: Adult content.
COUPON: Coupon applied to the entire order.
DEFAULT: Default value for the product code. This value is used if a request message does not include a value for the product code.
ELECTRONIC_GOOD: Electronic product other than software.
ELECTRONIC_SOFTWARE: Software distributed electronically rather than on physical media.
GIFT_CERTIFICATE: Gift certificate.
HANDLING_ONLY: A fee that covers the merchant’s administrative selling costs.
SERVICE: An arbitrary service that a merchant performs for customers.
SHIPPING_ONLY: Charge for transporting tangible personal property from the merchant to the customer.
SHIPPING_AND_HANDLING: Handling & Shipping fees combined.
SUBSCRIPTION: Subscription to a website or other type of subscribable content.

Example: SHIPPING_ONLY

shipping_destination_types

string

enum
- COMMERCIAL
- RESIDENTIAL
- STORE

Destination to where the item will be shipped.

COMMERCIAL
RESIDENTIAL
STORE

Example: RESIDENTIAL

BasketPayPalData

Service specific basket fields for PayPal.

Property Type Description

custom_id

string

minLength: 0
maxLength: 127

The API caller-provided external ID. Used to reconcile client transactions with PayPal transactions. Appears in transaction and settlement reports but is not visible to the payer.

Example: CUSTOMID123

Callback

Data for the shop notification.

Property Type Description

additional_data

string

minLength: 0
maxLength: 255

Freely allocatable field. Will be returned in the shop notification.

Example: SESSION_1234X

notify_url

string

minLength: 1
maxLength: 500

URL for the shop notification.

Example: https://www.example.com/notify/e1234123489

skip

boolean

default: false

If true the shop notification is skipped.

CommonAddress

Address data as applicable to most use cases.

Property Type Description

address_line_1

string

minLength: 0
maxLength: 60

An address line.

Example: Main Street 123

address_line_2

string

minLength: 0
maxLength: 60

An address line. For 3DS this maps to additional1.

Example: Building A

address_line_3

string

minLength: 0
maxLength: 60

An address line. For 3DS this maps to additional2.

Example: Apartment 12

city

string

minLength: 0
maxLength: 60

City of the address.

Example: Munich

company_name

string

minLength: 0
maxLength: 60

Name of the company.

Example: Acme Inc.

country

string

minLength: 2
maxLength: 2
pattern: [A-Z]{2}

The ISO 3166 Alpha-2 country code (upper case) of the individual’s homeland.

Example: DE

string

minLength: 0
maxLength: 255
pattern: .*@.*\..*

Email address of the individual.

Example: test_jane@gmail.com

extensions

CommonAddressExtensions

Service specific address fields.

first_name

string

minLength: 0
maxLength: 60

First name of the individual.

Example: Jane

last_name

string

minLength: 0
maxLength: 60

Last name of the individual.

Example: Doe

phone_contact

PhoneContact

A means of contacting a customer by phone.

postal_code

string

minLength: 0
maxLength: 60

Postal code of the address.

Example: 80469

state

string

minLength: 0
maxLength: 100

State or province of the address.

Example: BY

title

string

minLength: 0
maxLength: 100

Customer’s title.

Example: Mrs

CommonAddressExtensions

Service specific address fields.

Property

Type

Description

alternative_address_data

AlternativeAddressData

Alternative address fields.

Contacts

Means of contacting the customer.

Property

Type

Description

phone_contacts

Array[PhoneContact]

A means of contacting a customer by phone.

Example:

{"phone_contacts":[{"phone_type":"FAX","phone_number":"+442071838750"}]}

CreditCard

Information about a credit card.

Property Type Description

cardholder

string

minLength: 2
maxLength: 27

The holder of a credit card. Required for 3-D Secure 2.0 payments.

Example: Max Muster

code

string

minLength: 3
maxLength: 4
pattern: [0-9]*

Card verification number of the credit card (also CVV or CVC).

Example: 332

expiry_date

ExpiryDate

required

The credit card expiry date.

number

string

required
minLength: 10
maxLength: 19
pattern: [0-9]*

The credit card number (Primary Account Number). It is sometimes masked in response messages, for example 411111**1111.

Example: 41111111111111111

CreditCardInfo

Information about a credit card.

Property Type Description

brand

string

enum
- AMEX
- DINERS
- JCB
- MAESTRO
- MASTERCARD
- VISA

The credit card brand. The use of this field requires an explicit activation. Please contact customer support. Possible values:

AMEX
DINERS
JCB
MAESTRO
MASTERCARD
VISA

Example: VISA

cardholder

string

minLength: 2
maxLength: 27

The holder of a credit card.

Example: Max Muster

expiry_date

ExpiryDate

required

The credit card expiry date.

issuer_country

string

The card issuers country of origin. The use of this field requires an explicit activation. Please contact customer support.

number

string

required
minLength: 10
maxLength: 19
pattern: [0-9]*

The credit card number (Primary Account Number). It is sometimes masked in response messages, for example 411111**1111.

Example: 41111111111111111

CustomerExtensionPayPalData

PayPal specific customer information fields.

Property Type Description

payer_id

string

minLength: 0
maxLength: 13

Example: 23456789ABCDE

tax_info

TaxInfo

Legal tax information of the payer.

CustomerInformation

Details of a customer.

Property Type Description

contacts

Contacts

Means of contacting the customer.

customer_id

string

minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

Technical identification number of a customer.

Example: C1234-AX

date_of_birth

string

format: date

Customer’s date of birth.

Example: 1975-06-30

extensions

Service specific customer information fields.

gender

string

enum
- DIVERSE
- FEMALE
- MALE

Customer’s gender.

DIVERSE
FEMALE
MALE

Example: FEMALE

personal_identifications

Array[PersonalIdentification]

Customer’s available identifications.

title

string

minLength: 0
maxLength: 100

Customer’s title.

Example: Mrs

CustomerInformationExtensions

Service specific customer information fields.

Property

Type

Description

paypal_data

CustomerExtensionPayPalData

PayPal specific customer information fields.

DebtorContactDetailsRequestData

Property Type Description

boolean

Request to provide the e-mail address of the debtor

Example: false

phone_number

boolean

Request to provide the phone number of the debtor in E.164 format

Example: false

DeviceInformation

Technical details of a client.

Property Type Description

color_depth

string

enum
- B1
- B4
- B8
- B15
- B16
- B24
- B32
- B48

The bit depth of the color palette for displaying images, in bits per pixel. See https://en.wikipedia.org/wiki/Color_depth. Possible values:

B1
B4
B8
B15
B16
B24
B32
B48.

If the actual color depth is not supported by this enum, round down to the nearest supported color depth. For example, in case of deep color (30-bit), set B24.

Example: B24

cookies_accepted

boolean

Whether or not the browser accepts cookies.

Example: true

http_accept_browser_value

string

minLength: 0
maxLength: 2048

Value of the 'Accept' header sent by the customer’s web browser. Note: If the customer’s browser provides a value, you must include it with your request.

Example: text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, /;q=0.8

http_accept_content

string

minLength: 0
maxLength: 2048

The exact content of the HTTP accept header.

Example: text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, /;q=0.8

http_browser_email

string

minLength: 0
maxLength: 255
pattern: .*@.*\..*

Email address set in the customer’s browser. May differ from customer’s actual email.

Example: mustermann@example.com

http_browser_java_enabled

boolean

Is the browser able to execute Java. Value is taken from the navigator.javaEnabled property.

Example: false

http_browser_java_script_enabled

boolean

Is the browser able to execute JavaScript. Background: Merchants may want to fingerprint a cardholder’s browser.

Example: false

http_browser_language

string

minLength: 0
maxLength: 8

Browser language as defined in IETF BCP47. See https://en.wikipedia.org/wiki/IETF_language_tag.

Example: en-US

http_browser_screen_height

integer

format: int32
minimum: 0

Total height of the client’s screen in pixels.

Example: 864

http_browser_screen_width

integer

format: int32
minimum: 0

Total width of the client’s screen in pixels.

Example: 1536

http_browser_time_difference

integer

format: int32
minimum: -1440
maximum: 1440

Time difference between UTC time and the client’s browser’s local time in minutes.

Example: 300

ip_address

string

minLength: 0
maxLength: 45
pattern:
((^\s*((([0-9]|..
Show Pattern

IP address of the client. Both IPv4 and IPv6 are supported.

Example: 192.168.0.1

user_agent

string

minLength: 0
maxLength: 40

Client’s browser as identified by the HTTP header data.

Example: Mozilla

user_agent_browser_value

string

minLength: 0
maxLength: 255

Value of the User-Agent header sent by the client’s browser.

Example: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

EScoreAddresscheckResponse

Property Type Description

address

Address data as applicable to most use cases.

address_note

string

enum
- PPB
- PHB
- PAB
- PNZ
- PPV
- PKI
- PPF
- PNP
- PUG
- PUZ

Possible features for the result of address verification. The following values are valid:

PPB: Confirmation on personal level. The address supplied (incl. name and first name) was completely correct or could be corrected completely. In this case only the freight routing code and possibly the corrected fields are returned to the initiator.

PHB: Confirmation on household level. The address supplied (incl. name without first name) could be corrected completely or was completely correct on household level and had a first name, which is not rectifiable/known. In this case the corrected fields except the first name are returned to the initiator, as the first name could not be confirmed. The existence of the first name at this address could not be confirmed. In addition the field eScoreFreightRoutingCode is returned to the initiator as long as the freight routing code is available.

PAB: Confirmation on address level. The address supplied (without name, without first name) could be corrected completely or on address level was already complete and had not rectifiable/known personal data. In this case the corrected fields except the first name and surname are returned to the initiator, as the first name and surname could not be confirmed. The existence of the first name and surname at this address could not be confirmed. In addition the field eScoreFreightRoutingCode is returned to the initiator as long as the freight routing code is available.

PNZ: The person at the address supplied is known, but at this address is not or no longer deliverable. This corresponds to a confirmation on address level (PAB), however, with the above-mentioned limitation, that the person queried is undeliverable there.

PPV: The person at the address supplied is deceased according to the Deutsche Post (German mail).

PKI: The response of the Deutsche Post (German mail) is possibly contradictory and/or ambiguous. Therefore the person/address is not assessed!

PPF: The address is postally wrong.

PNP: The address cannot be checked because it contains structural errors, for example the name is missing.

PUG: The address is formally correct, but the building is not known.

PUZ: Outdated address. The person moved away, but the new address is known.

Example: PPB

customer_information

CustomerInformation

Details of a customer.

event_id

string

minLength: 1
maxLength: 50
pattern: [\/0-9a-zA-Z_.:,\-+*$%]+

A unique ID for the event.

Example: E5686585867636541231230

freight_routing_code

string

minLength: 0
maxLength: 12
pattern: .*

Freight routing code of the Deutsche Post AG (German mail).

Example: 04109056012

message

string

required

Success or error message, text for the response code.

Example: Transaction successful.

string

required

Response code of the transaction. "0" in the case of a successful transaction. Other values signify errors.

Example: 0

reason

string

required
default: ABK
enum
- ABK
- ABV
- BZV
- BMT
- BFT
- ABI
- ABF
- ABD
- ABW
- ABL
- BKV
- BKE
- BKA
- BBS
- BMV
- BFV
- BER

Codes for the classification of the credit assessments. The following values are valid:

ABK: Request for credit assessment before concluding a purchase contract (in particular purchase on account or by instalments.

ABV: Request for credit assessment before concluding an insurance contract.

BZV: Credit assessment within the scope of evaluating the reliability of an insurance broker or an insurance field representative.

BMT: Credit assessment before opening or installing a mobile telecommunication account.

BFT: Request for credit assessment before or in connection with the initiation or carrying out of debt-collecting measures.

ABI: Request for credit assessment before takeover/purchase of a claim or before assuming del credere liability.

ABF: Request for credit assessment before concluding a service contract.

ABD: Request for credit assessment before concluding a contract for work and labour.

ABW: Request for credit assessment before concluding a contract for work and labour.

ABL: Request for credit assessment before concluding a lease or rental contract (chattels).

BKV: Credit assessment before granting of credit.

BKE: Credit assessment before opening an account.

BKA: Credit assessment due to a credit or customer card application.

BBS: Credit assessment before concluding a building loan contract.

BMV: Credit assessment before concluding a rental contract (real estate).

BFV: Credit assessment before concluding a franchising contract.

BER: Credit assessment due to ascertainment order (credit agency company).

Example: ABD

scoring_rc

string

default: U
enum
- G
- Y
- R
- U

Traffic light value that allows you a basic estimate of a customer’s credit-worthiness. The following values are valid:

G: green - There are no negative features.

Y: yellow/amber - There is a soft negative feature.

R: red - There are more than one soft negative features or at least one medium or hard negative feature.

U: unknown

Example: G

tx_id

string

Unique transaction identifier. Can be used to reference this transaction.

Example: 020LMG10jxSI8FN0OC4vLR

EScoreCreditassessmentResponse

Property Type Description

address