Protocol Rules
Example Secure Payment APIs Security: Encrypted Data
The Example Secure Payment APIs protect all HTTPS Request and Response data according to PCI and PII standards with the AES-GCM encryption (Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation). Please see the Protocol Rules "AES-GCM encrypted request and response data" section for these and other Example Secure Payment API security-related details.
The API is implemented as a RESTful (Representational State Transfer) API.
- If you make an API HTTPS Request using a correct URL with a HTTPS Method and any resource, the HTTPS Response will be presented as encrypted string data.
- This Restful API observes the HTTPS 1.1 Specification and all exchangeable messages are in UTF-8 encoded format.
Resource URL description
- Resource URL syntax
Syntax: {HTTPS_METHOD} https://{host}/{resourcepath}?{parameter} Item Description Example {HTTPS_METHOD} One of several HTTPS Methods used in the API. GET, PUT, POST, DELETE https://{host} The host address. https://127.0.0.1 {resourcepath} The resource path. Note: a resource is one of the
API endpoints described in the "Payment API
endpoints overview" in the Introduction page./billing/
89396B99-5A57
-4ECA-96C9-
60ED109F8C8A
/transactions{parameter} Parameters (optional) ?data=3230313530393
2323136313733306330
6261373832326330383
9e61251256b1bd3583b
2f02642a2e678debda2
f67a685d3e56e034f8- Request URL example:
GET https://127.0.0.1/billing/ 89396B99-5A57-4ECA-96C9-60 ED109F8C8A/transactions? data=323031353039323231363 13733306330626137383232633 03839e61251256b1bd3583b2f0 2642a2e678debda2f67a685d3e 56e034f8
Request and Response examples
- Request examples
- Using the HTTPS POST Method
POST https://{host}/{resourcepath} "Content-Type: application/x-www-form-urlencoded" "Authorization: PLTOKEN {TOKEN}" data={Encrypted Request Data}
- Using the HTTPS GET Method
GET https://{host}/{resourcepath}?data={Encrypted Request Data} "Authorization: PLTOKEN {TOKEN}"
- Response example
HTTPS Status Code XXX {Encrypted Response Data}
AES-GCM encrypted request and response data
To tighten up security, all request and response data should be encrypted.
- HTTPS Request data
- All HTTPS Request data should have an encrypted string format. The encrypted request data has the following form:
PCNG Encrypt Function (Key, Data) = Encrypted Request Data
- HTTPS Response data
- The client should decrypt the response data in order to verify the result.
PCNG Decrypt Function (Key, Data) = Decrypted Response Data
- Examples
- GET Transactions
- URL : GET https://127.0.0.1/billing/{UUID}/transactions?data={data}
- UUID : 187b2be8-24fb-4892-b16a-7d84d1d0fe83
- data : pageNo=1&pageSize=10&fromDate=20150101&toDate=20150831
- Step 1. Encrypt UUID
PCNG Encrypt Function (Key, UUID) = "3230313530393233313033333034 663036386562316461373432ab97d c062040796e4943cb9a2e31ab493f 4c10cc670de4d840469a7b771b59e 9432b48b69fe6dd19c41675e4ccda 06966216f1678838"
PCNG Encrypt Function (Key, Data) = 32303135303932323136313733306 33062613738323263303839e61251 256b1bd3583b2f02642a2e678debd a2f67a685d3e56e034f8
- Step 2. Send Request
URL : GET https://127.0.0.1/billing/ 323031353039323331303333303466 3036386562316461373432ab97dc06 2040796e4943cb9a2e31ab493f4c1c c670de4d840469a7b771b59e9432b4 8b69fe6dd19c41675e4ccda0696621 6f1678838/transactions? data=3230313530393232313631373 330633062613738323263303839e61 251256b1bd3583b2f02642a2e678de bda2f67a685d3e56e034f8
- Step 3. Decrypt Response
- Success Case
3230313530393233313033333432 353433313832636138663238864934 fe9dd274394853102e05b1d5028626 dfb9f23ae17cc4f8c4060b20844036 747de4a96d7d876ca639a7e83fae26 e3e82bfa0f5d7371096a7bac8a95f5 c0c23fa363d6dbd285227c33db95f1 98f5c2f797d24d4a7f8bcc43bb9391 b0c4561a10c80f880d8f0f82b1c45b 58aa3db8f9ba
- PCNG Decrypt Function (Key, Success Response Data)
{ "orderID": "83C2A1E7-BF50-440C-AB94-DF24E0533145", "applicationId": "ABC", "amount": 10, "currencyCode": "GBP", "ipAddr": "1.1.1.1", "paymentInfoID": "517c654b-e956-49e5-a0c5-4d6de609b6dd", "paymentInfo": { "paymentType": "CreditCard", "card": { "cardCVVEncKey": "94b2d1f484d3410b90b1d7d52d3479ea" } } }
- Failure Case
3230313530393233313033363433383 8653338313235323039618016d11daa43e01 68437b21d16cb8acbbe46ed66b125248d30c bcf47a327097deeca14bb9004f1fb3872338 134ca82bc18875fef763ef05d92c84e76bda 4aa9bd4223b6d6f0a678f6fa32cf97e21759 59806df5dffd93dca8d6acd854ed17fd0d5a6
- PCNG Decrypt Function (Key, Failure Response Data)
{ "error": { "code": 997, "message": "The request is invalid.", "detail": "Invalid uuid" } }
- Create Billing Transaction
- URL : POST https://127.0.0.1/billing/{uuid}/transaction
- Request Data
{ "orderID": "83C2A1E7-BF50-440C-AB94-DF24E0533145", "applicationId": "ABC", "amount": 10, "currencyCode": "GBP", "ipAddr": "1.1.1.1", "paymentInfoID": "517c654b-e956-49e5-a0c5-4d6de609b6dd", "paymentInfo": { "paymentType": "CreditCard", "card": { "cardCVVEncKey": "94b2d1f484d3410b90b1d7d52d3479ea" } } }
- Step 1. Encrypt Content
PCNG Encrypt Function (Key, Request Data) = "323031353039323331303333303466303638 6562316461373432ab97dc062040796e4943c b9……”
- Step 2. Send Request
- URL : POST https://127.0.0.1/billing/3230313530393.../transaction
- Content-Type : application/x-www-form-urlencoded
- Content:
data=323031353039323331303333303466 3036386562316461373432ab97dc06204079 6e4943cb9……
- Step 3. Decrypt Response
- Success Case
323031353039323331303530353363343937 3632326336613936c00d50a2157b281e6360 7ef843a87d10cf05cd4669fde2b8cafa3f3c 8fc1f5f57771e6ee6f3f653d869bcd4f0151 3230f933b4a8502f00ff1a608367064b803f af0ed02d06ecd928f18b0c15f055116c4bff c9dd711e5eb150f7757d6132206020605d6c 85605e5e34…
- PCNG Decrypt Function (Key, Success Response Data)
{ "data": { "uuid": "187b2be8-24fb-4892-b16a-7d84d1d0fe83", "orderID": "939da16f-a4ac-4c15-86cb-3dc9602197d4", "transactionID": "201509230000066", "amount": 10, "currencyCode": "GBP", "paymentDate": "23/09/2015 10:51:22", "paymentInfo": { "paymentType": "creditcard", "card": { "cardBrand": "Visa", "cardLastNum": "1881" } } } }
- Failure Case
32303135303932333130333634333838 653338313235323039618016d11daa43e0168 437b21d16cb8acbbe46ed66b125248d30cbcf 47a327097deeca14bb9004f1fb3872338134c a82bc18875fef763ef05d92c84e76bda4aa9b d4223b6d6f0a678f6fa32cf97e2175959806d f5dffd93dca8d6acd854ed17fd0d5a6
- PCNG Decrypt Function (Key, Failure Response Data)
{ "error": { "code": 997, "message": "The request is invalid.", "detail": "Invalid uuid" } }
Response data type
All HTTPS Responses will return an AES-GCM encrypted string in the following format.
32303135303932323136313733306330626 13738323263303839e61251256b1bd3583b2f02642a 2e678debda2f67a685d3e56e034f827047c583ac13a 76dc69c498e2a92789a9bf644c3f6a1ab07859646a8 87827189e452fd1e94f3faf6061cdf42297b6b2e981 b8c9b40e5c7ac98a534439a32d32df42a68ceb19226 2a8fb3872cc4b20ad3d5aa5cbba95b8eba26e45b302 b8d796f29e37e65575ec41d1b2be67d88404fa225aa 6e999274b563f7b2c207c3
To verify a response, you should decrypt the response data. If the response data is successfully decrypted, you can confirm the JSON data.
{ "data": { "authTransID": "E37C8425-B947-4EB3-903C-8E44E916DDFD", "authDate": "12/11/2015 10:01:01" } }
How to verify HTTPS Response data
If you decrypt HTTPS Response string data:
- The success response has a "data" object.
- The fail response has an "error" object.
A HTTPS Status Code of 200 or 201 means successful transactions; otherwise a different code means a failed transaction.
- In the case of a failed transaction, you should refer to the "error" object which includes a relevant error description.
- Eventually, you should double check the validation of the transaction by checking if the HTTPS Status Code is "200" and has a "data" object.
- Success case : HTTPS Status Code = 200 AND a data object.
200 OK { "data": { "authTransID": "E37C8425-B947-4EB3-903C-8E44E916DDFD", "authDate": "12/11/2015 10:01:01" } }
- Failure case : HTTPS Status Code != 200 AND has an error object.
404 Not Found { "error": { "code": 901, "message": "This account (89396B99-5A57-4ECA-96C9-60ED109F8C8A) does not exist.", "detail" : null } }
Security (HMAC Authentication)
A. The Authentication Header using API Key Authentication
This RESTful API uses the HTTPs Authorization header to pass authentication information. The Authorization header has the following form:
Authorization : PLTOKEN {APP_ID}:{Signature}:{Nonce}:{Timestamp}
- "PLTOKEN"
- This is a predefined custom scheme by Example for an Authorization header. (Not changed.)
- "APP_ID" and "APP_KEY"
- These will be provided by Example. APP_ID is public. BUT, APP_KEY should ONLY be shared between Example and Example.
- "Signature"
- This is a hashed value produced by using the HMAC-SHA256 algorithm.
- "Nonce"
- This is generated at Client and should be a unique value on each request. Example receives the request and checks to prevent a replay attack.
- Example will cache Nonce during a period of 5 minutes. Therefore, a request that has the same Nonce will be rejected during those 5 minutes.
- Nonce should be generated as a unique value.
- "Timestamp"
- This is calculated using a UNIX timestamp based on UTC Time to overcome different Time Zone issues between Client and Server.
- Note: If the time gap is longer than 5 minutes, your request will be failed.
B. Constructing the Signature
Note: Please keep the order of the parameters and their encoding as shown in the following diagram.
Authorization = "PLTOKEN" + " " + "APP_ID" + ":" + Signature + ":" + Nonce + ":" + Timestamp Signature = Base64 ( HMAC-SHA256 (Decode(APP_KEY) , UTF-8-Encoding ( RequestString ) ) ) RequestString = APP_ID + Request-HTTPS-Method + URI-Encoding( LowerCase ( Request-Uri) ) ) + UNIX-Timestamp + Nonce + Base64( MD5 ( Request-Content) ) )
C. HTTPS Request example
- Request
- GET https://127.0.0.1/account/89396B99-5A57-4ECA-96C9-60ED109F8C8A/paymentinfo
- Credential (Note: The following credential is an example. Please do not use it.)
- APP_ID : 44f0878d9bc947e6a4be54aec17632a5
- APP_KEY : 6cuzw6qG3vsJ3DIEm+PmJe37Jm1ceOmyUIj2T18VWYHA=
Please see the following steps:
- Step 1.
- Generate the UUID as a Nonce.
- Step 2.
- Calculate the Unix Time stamp based on UTC Now.
- Step 3.
- Make the Signature.
Field Value APP_ID 44f0878d9bc947e6
a4be54aec17632a5Request-HTTPS-Method GET URI-Encoding
(LowerCase(Request-Uri)))https%3a%2f%2f127.0.0.1 %2faccount%2f9396b99-5 a57-4eca-96c9-60ed109f 8c8a%2fpaymentinfo
UNIX-Timestamp 1441009867 Nonce 27071fad-ad4d-4abe
-b250-7a20679cd1e3Base64
(MD5(Request-Content)))- - Make "RequestString" concatenate values:
RequestString = 44f0878d9bc947e6a4be54aec17632a5GEThttp %3a%2f%2f127.0.0.1%2faccount%29396b99-5 a57-4eca-96c9-60ed109f8c8a%2fpaymentinfo 144100986727071fad-ad4d-4abe-b250-7a2067 9cd1e3
- Make a "Signature" hashing of the above RequestString using APP_KEY:
Signature = 0/V3xVN8rzfU8fj6lLTSIHF co9NnXBXVGHlKIkiwKUc=
- Step 4.
- Add the "Authorization Header" to the Request
Authorization: PLTOKEN 44f0878d9bc947e6a4be54aec17632a5:0/V3x VN8rzfU8fj6lLTSIHFco9NnXBXVGHlKIkiwKUc =:27071fad-ad4d-4abe-b250-7a20679cd1e3 :1441009867
Error Handling (HTTPS Status Codes and Error object)
When the API encounters any errors, the corresponding HTTPS Status Code and Error Object will be returned in the following JSON format:
HTTPS Status Code XXX { error{ "code": (Error code), "message": "(Error description)", "details": "(Additional details about the error)" } }
Common Error Code list
Code Message Name Message HTTPS Status Code 901 ACCOUNT_NOTFOUND_ERR This account does not exist.
Cannot find related account by requested uuid.404: Not Found 903 PAYMENTINFO_NOTFOUND_ERR This account's payment information does not exist.
Cannot find related payment method by requested uuid and pmid.404: Not Found 911 TRANSACTION_NOTFOUND_ERR This account does not have transactions.
Cannot find related transactions.404: Not Found 912 REQUEST_NOTFOUND_ERR Request does not exist.
Cannot find related request log from mobile client.404: Not Found 932 PAYMENTINFO_VERIFICATION_PSP_ERR PSP verification processing failed.
Detailed information about the reason of failure (PSP error etc.).
Payment Service Provider returns error when verifying the payment method.
"detail" attribute describes the reason of failure.400: Bad Request 933 PAYMENTINFO_CREATE_ERR Failed to create payment information.
Error occurred in Example process while user creates a payment method.
"detail" attribute describes the reason of failure.400: Bad Request 934 PAYMENTINFO_UPDATE_ERR Failed to update payment information.
Error occurred in the Example process while user updates payment method.
"detail" attribute describes the reason of failure.400: Bad Request 935 PAYMENTINFO_DELETE_ERR Failed to delete payment information.
Error occurred in the Example process while user deletes payment method.400: Bad Request 936 PAYMENT_CREATE_ERR Failed to create payments.
Error occurred in Example process while user creates payment transaction.400: Bad Request 937 PAYMENTINFO_REVERIFY_ERR Failed to re-verify payment information.
Error occurred in Example process while user re-verifies payment method.400: Bad Request 938 PAYMENT_CREATE_PSP_FAIL_ERR PSP payment processing failed.
Payment Service Provider returns error when authorizing payment transaction.
Detailed information about the reason of failure (PSP error etc.).
"detail" attribute describes reason of failure.400: Bad Request 939 PAYMENT_CHECK_ERR Failed to check to create payments.
Error occurred in Example process while checking 3DS and Sphonic.400: Bad Request 940 PAYMENT_PSP_ROUTER_ERR There is no available Payment Service Provider. Please try again.
Error is occurred in the Example process while routing PSP.400: Bad Request 941 PAYMENT_PAYOUT_ERR Failed to payout payments.
Error occurred in Example process while CORE makes payout transaction.400: Bad Request 942 PAYMENT_PAYOUT_PSP_ERR PSP payout processing is failed.
Error occurred in Example process while CORE makes payout transaction.
"detail" attribute describes reason of failure.400: Bad Request 943 PAYMENT_REFUND_ERR Failed to refund payments
Error occurred in Example process while CORE makes refund transaction.400: Bad Request 944 PAYMENT_REFUND_PSP_ERR PSP refund processing is failed.
Detailed information about the reason of failure (PSP error etc.) is provided.
Error occurred in a Example process while CORE makes refund transaction.
"detail" attribute describes reason of failure.400: Bad Request 945 PAYMENT_3DS_PSP_ERR PSP 3DS processing is failed.
Detailed information about the reason of failure (PSP error etc.) is provided.
Payment Service Provider returns error when proceeding with the 3DS process.
"detail" attribute describes reason of failure.400: Bad Request 946 PAYMENT_PSP_TIMEOUT PSP Timeout.
Connection with the Payment Service Provider has timed out.400: Bad Request 947 PAYMENT_REJECT_ERR Failed to reject payment.
Error occurred in the Example process while CORE makes a reject transaction.400: Bad Request 949 PAYMENTINFO_CANCEL_ERR Request is canceled by the mobile client.
Mobile client made a request using a canceled orderId.400: Bad Request 950 PAYMENT_CANCEL_ERR Request is canceled by the mobile client.
Mobile client made a request using a canceled orderId.400: Bad Request 974 PAYMENTINFO_CREATE_FAIL_ERR An unexpected error occurred during create account payment information.
Please try again.
Unexpected error occurred in Example process while user creates payment method.500: Internal Server Error 975 PAYMENTINFO_UPDATE_FAIL_ERR An unexpected error occurred during update account payment information.
Please try again.
Unexpected error occurred in Example process while user updates payment method.500: Internal Server Error 976 PAYMENTINFO_DELETE_FAIL_ERR An unexpected error occurred during delete account payment information.
Please try again.
Unexpected error occurred in Example process while user deletes payment method.500: Internal Server Error 979 PAYMENTINFO_REVERIFY_FAIL_ERR An unexpected error occurred during re-verify account payment information.
Please try again.
Unexpected error occurred in Example process while user reverifies payment method.500: Internal Server Error 981 PAYMENT_CHECK_FAIL_ERR An unexpected error occurred during check create payment.
Please try again.
Unexpected error occurred in Example process while checking 3DS and Sphonic.500: Internal Server Error 982 PAYMENT_CREATE_FAIL_ERR An unexpected error occurred during create payment.
Please try again.
Unexpected error occurred in Example process while user creates payment transaction.500: Internal Server Error 984 PAYOUT_CREATE_FAIL_ERR An unexpected error occurred during payout payment.
Please try again.
Unexpected error occurred in Example process while CORE makes payout transaction.500: Internal Server Error 985 PAYMENT_REFUND_FAIL_ERR An unexpected error occurred during refund payment.
Please try again.
Unexpected error occurred in Example process while CORE makes refund transaction.500: Internal Server Error 987 PAYMENT_REJECT_FAIL_ERR An unexpected error occurred during a reject payment. Please try again.
Unexpected error occurred in a Example process while CORE makes a reject transaction.500: Internal Server Error 993 AUTHORIZATION_ERR You do not have authorization.
The client does not have an authorization target in the API.403: Forbidden 994 NOTIMPLEMENTED_METHOD_ERR Related function is not implemented.
The client invokes no implemented API.501: Not Implemented 995 NOTALLOWED_METHOD_ERR Requested method is not allowed.
The client invokes a non-existing method.405: Method Not Allowed 996 RESOURCE_NOTFOUND_ERR Cannot find resource. Please check resource.
The client invokes a non-existing resource.404: Not Found 997 REQUEST_ERR The request is invalid.
Information is provided about the invalid field.
Client doesn't send to Example a required attribute.
"detail" attribute describes reason of failure.400: Bad Request 998 AUTHENTICATION_ERR Authentication token is missing or incorrect.
The client does not have authentication.401: Unauthorized 999 API_INTERNAL_ERR Internal Error.
Unexpected error occurred.
"detail" attribute describes reason of failure.500: Internal Server Error 1001 CORE_API_SEND_ERR CORE Service Error (detailed CORE Service Error).
CORE returns error.
"detail" attribute describes reason of failure.400: Bad Request 1600 SAKA_GET_CVV_ERR SAKA error - Get CVV
Cannot get CVV from SAKA.400: Bad Request 1601 SAKA_GET_CARD_DETAIL_ERR SAKA error - Get Card Detail
Cannot get Card Details from SAKA.400: Bad Request 1602 SAKA_ENC_CARD_DETAIL_ERR SAKA error - Tokenized Card Detail
Cannot tokenize Card Details with SAKA.400: Bad Request 1603 SAKA_ENC_CARD_SUMMARY_ERR SAKA error - Tokenized Card Summary
Cannot tokenize Card Summary with SAKA.400: Bad Request 1604 SAKA_ENC_CARD_NUM_ERR SAKA error - Tokenize Card Number
Cannot tokenize Card Number (PAN) with SAKA.400: Bad Request 1700 SPHONIC_CHECK_ERR Sphonic error - Cannot check Risk level.
If Sphonic does not return anything,
or failed to connect to Sphonic.
"detail" attribute describes reason of failure.400: Bad Request 1701 SPHONIC_RISK_TRANSACTION_ERR Sphonic error
This transaction is detected as risk transaction.
Detailed Sphonic Error.
Occurs ff Sphonic returns "Fraud" while checking AML.
"detail" attribute describes reason of failure.400: Bad Request