[УКР](https://hackmd.io/oXcYbY08Tq69ggTIX9OyaA) | ENG

![](https://i.imgur.com/ULmPUgP.jpg)

# Server-Server Card Payment

:::info
[TOC]
:::

## What is Server-Server Card Payment?

**Server-Server Card Payment** is the acceptance of a payment from the client's card on the Partner website, without redirecting the client to the Operator payment system.

:::warning
For payments by the Server-Server method, the Partner must have a confirmed [PCI DSS](https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) (Payment Card Industry Data Security Standard) certificate of the appropriate level, depending on the number of operations per year.
:::

## Authentication of the payment sender

During the payment, the sender is authenticated using [3DSecure 2.0](https://en.wikipedia.org/wiki/3-D_Secure) technology. If the sender's card does not support 3DSecure technology, authentication is performed using a zero-sum AV transaction.

For authentication, the Partner is given the HTML code of a page, base64-encoded, which must be displayed on the site:

- **for cards supporting 3DSecure technology** - the HTML code of the page is given with automatic redirection to the ACS (Access Control Server) of the issuing bank, where the one-time password entry field is displayed (i.e., a confirmation code assigned by the card issuer for each transaction).
- **for cards that do not support 3DSecure technology** - the HTML code of the page is given with a field for entering a one-time password (i.e., a verification code specified in the purpose field of the zero-sum debit).

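
Before the decoded page is displayed, the Partner backend can check what it will do in the client's browser. The following is an added example, not part of the XPAY documentation: it decodes `3dsHtml`, extracts the form target and hidden fields, and rejects a page that would post anywhere other than an absolute HTTPS URL. It assumes the decoded page contains exactly one form, as the page's 3DSecure example does; the sample response and its hosts are constructed placeholders.

```python
import base64
import json
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Records every <form> with its method, action and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "GET").upper(),
                               "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append(a.get("name"))


def inspect_3ds_html(response_body):
    """Decode Data.3dsHtml and report where the page will send the browser."""
    resp = json.loads(response_body)
    if resp.get("Message") != "needACS":
        raise ValueError("response does not request sender authentication")
    # validate=True rejects characters outside the base64 alphabet
    html = base64.b64decode(resp["Data"]["3dsHtml"], validate=True).decode("utf-8")
    collector = FormCollector()
    collector.feed(html)
    if len(collector.forms) != 1:  # assumption: one form, as in the page's example
        raise ValueError("expected exactly one form in the 3DS page")
    form = collector.forms[0]
    target = urlparse(form["action"])
    if target.scheme != "https" or not target.hostname:
        raise ValueError("form must post to an absolute https URL")
    return {"html": html, "post_host": target.hostname, "method": form["method"],
            "fields": form["fields"], "operation_id": resp["Data"]["OperationID"]}


# Constructed sample (placeholder hosts and values, not a real operation).
SAMPLE_PAGE = ('<html><body onload="document.getElementById(\'acs\').submit()">'
               '<form id="acs" method="POST" action="https://acs.issuer.example/p">'
               '<input type="hidden" name="PaReq" value="c2FtcGxl">'
               '<input type="hidden" name="MD" value="1">'
               '<input type="hidden" name="TermUrl" value="https://operator.example/r">'
               '</form></body></html>')
SAMPLE_RESPONSE = json.dumps({"Code": 102, "Message": "needACS", "Data": {
    "3dsHtml": base64.b64encode(SAMPLE_PAGE.encode()).decode(), "OperationID": 1}})
```

Logging `post_host` together with `operation_id` gives a trace of where each client was sent for authentication.
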
:::success
<details>
<summary>Example of "3dsHtml"</summary>
<br>

~~~md
{
  "Code": 102,
  "Message": "needACS",
  "Data": {
    "3dsHtml": "PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEgVHJhbnNpdGlvbmFsLy9FTiIKCSJodHRwOi8vd3d3LnczLm9yZy9UUi9odG1sNC9sb29zZS5kdGQiPgo8aHRtbD4KPGJvZHkgb25sb2FkPSJkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnYWNzJykuc3VibWl0KCkiPgo8Zm9ybSBpZD0iYWNzIiBtZXRob2Q9IlBPU1QiIGFjdGlvbj0iaHR0cHM6Ly8zZHMuc2VydmVyL3Byb2Nlc3MvMGEyZGU5Ij4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iUGFSZXEiIHZhbHVlPSJlSnhWVDBFVFlqUDhDMVVoVFpRPT0iPgo8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJNRCIgdmFsdWU9IjI2ODY2Ij4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iVGVybVVybCIgdmFsdWU9Imh0dHBzOi8vcmV0dXJuLnhwYXkudWEvQVl6dnZ4LzMwNzIvMzY2Ij4KPC9mb3JtPgo8L2JvZHk+CjwvaHRtbD4=",
    "LongPollerID": "63453891",
    "OperationID": 63453891,
    "OperationStatus": 2
  },
  "KeyAES": "",
  "Sign": ""
}
~~~
</details>

:::

## How Server-Server Card Payment Works

1. The client completes an order and enters the card details on the Partner website.
2. The Partner forms a request to the Operator (for example, [[10102] "Card-wallet"](https://hackmd.io/MUZzd3mTRQeQfBsE-emVVQ)), in which the card number, validity period, CVV and other parameters are transmitted according to the technical documentation.
3. The Operator processes the request and returns the result.

## Browser Data structure

For payment using *3DSecure version 2.0* technology, the sender's browser settings can optionally be transmitted (if they are not provided, the Operator obtains them independently):

|Parameter|Required|Type|Description|Example|
|:----:|:----:|:----:|----|:----:|
|`device`|No|Structure|Structure that transmits data about the interface channel type, where the `channel` field has the following values: <br> `APP` - mobile application channel, <br> `BRW` - Web application channel. <br> For the `3RI` channel no 3DS preparation is done.|`BRW`|
|`browserIP`|No / <br> Yes - for requests [10101], [10102]|String|Sender IP address.|`146.120.244.242`|
|`browserTZ`|No|Integer|Time difference from UTC, in minutes.|`180`|
|`browserLanguage`|No|String|Interface language. Maximum length is 8 characters.|`UA`|
|`browserUserAgent`|No|String|Value of the "User-Agent" header. Maximum length is 2048 characters.|`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36`|
|`browserColorDepth`|No|Integer|Display color bit depth. Possible values: `1`, `4`, `8`, `15`, `16`, `24`, `32`, `48`.|`24`|
|`browserJavaEnabled`|No|Bool|Whether Java is enabled in the browser. Possible values: `true`/`false`.|`false`|
|`browserScreenWidth`|No|Integer|Screen resolution - width.|`1920`|
|`browserScreenHeight`|No|Integer|Screen resolution - height.|`1080`|
|`fraudhuntFingerprint`|No|String|[Browser Fingerprint](https://en.wikipedia.org/wiki/Device_fingerprint).|`kHqPGWS1Mj18sZFsP8Wl`|
|`challengeWindowSize`|No|Integer|Window size code for client interaction within the "challenge". Possible values: `01`, `02`, `03`, `04`.|`01`|

:::success
<details>
<summary>Example of "BrowserData" structure</summary>
<br>

~~~md
{
  "BrowserData": {
    "device": {
      "channel": "BRW"
    },
    "browserIP": "146.120.244.242",
    "browserTZ": 180,
    "browserLanguage": "ru-RU",
    "browserUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
    "browserColorDepth": 24,
    "browserJavaEnabled": false,
    "browserScreenWidth": 1920,
    "browserScreenHeight": 1080,
    "fraudhuntFingerprint": "kHqPGWS1Mj18sZFsP8Wl"
  }
}
~~~
</details>

:::

## Client Redirect to CallbackURL

After the operation is completed, the client is redirected to the payment results page **CallbackURL** (the parameter sent in the request):

```
"CallbackURL": "https://partner.host/resul_page"
```

## Get Operation Status on "SuccessCallback/FailedCallback" URL

The final step of the operation is delivery of the operation status to one of the following Partner URLs: **SuccessCallback** or **FailedCallback** (the parameters sent in the request):

```
"SuccessCallback": "https://partner.host/cb_success"
or
"FailedCallback": "https://partner.host/cb_fail"
```

The `state` and `xrayOperationID` parameters are appended when these URLs are generated:

|Parameter|Required|Type|Description|Example|
|:----:|:----:|:----:|----|:----:|
|`state`|No|Integer|Operation status, according to the table "[Operation status](https://hackmd.io/16yLv895Qo-FWTvrWWQwbg#Operation-Status)".|`10` - operation successfully completed, <br> `21` - operation failed.|
|`xrayOperationID`|No|String|Unique operation identifier in the Operator system.|`245786`|

:::success
<details>
<summary>Example of "Operation Successfully Completed" URL</summary>
<br>

~~~md
https://partner.host/cb_success?state=10&xrayOperationID=245786
~~~
</details>

:::

:::success
<details>
<summary>Example of "Operation Failed" URL</summary>
<br>

~~~md
https://partner.host/cb_fail?state=21&xrayOperationID=245786
~~~
</details>

:::

## Get Operation Status

To get the current operation status at any time, the following request can be sent: [[20003] "Get Operation Status"](https://hackmd.io/_eAjmoG-QPWoWWmsLOGf1g).

## Testing of Card Debit/Credit

:::info
A **Test Partner** with all necessary permissions is created for testing debit/credit operations. See details in the section: ["Testing of Card Debit/Credit"](https://hackmd.io/1Ftkd9PVSvGBc9JV8f9b9A#Testing-of-Card-DebitCredit).
:::

## Related Requests

[[10101] Card-Card](https://hackmd.io/VYlXRMiWRkimK0sxlTZ2BA)
[[10102] Card-Wallet](https://hackmd.io/MUZzd3mTRQeQfBsE-emVVQ)
[[10103] Card-IBAN for Physical Person](https://hackmd.io/9c9kaHeMTH-LiGf_mVWwpg)
[[101031] Card-IBAN for Legal Entity](https://hackmd.io/XQDv9qmoRiqFzfzcD0H1uA)
[[10150/10051] Card-Phone-Card](https://hackmd.io/ES9hW5BlS6CozQAmULgnRw)

**Token Payment**
[[104021] Card Payment by Token](https://hackmd.io/I4FJ0d0eStuvfqG2YmS8IQ)
[[104121] Auto Debit by Token (MOTO Operations)](https://hackmd.io/X4ImobdtSJ-Hy1qM-p7PWA)

**Get Card Data**
[[20400/20410] Get Card Data by Phone Number](https://hackmd.io/Xd9OZWXARcSZRTCsu-1jrw)
[[20404] Get Card Data by Token](https://hackmd.io/PSdh1ldNSmmJMR4OIhM_-Q)

## Reference Materials

General parameters of the XPAY system are given in the section ["Reference Materials"](https://hackmd.io/16yLv895Qo-FWTvrWWQwbg): operation types, payment types, response codes, operation status, reasons of operation rejection, etc.

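
The SuccessCallback/FailedCallback URLs shown above carry only `state` and `xrayOperationID`, and nothing on this page shows a signature on them, so a Partner handler can treat the callback as a notification and confirm the state with request [20003] before fulfilling the order. The following is an added example, not part of the XPAY documentation; `fetch_status` is a hypothetical wrapper around [20003], `pending` is the Partner's own record of started operations, and the endpoint paths are the ones in the page's example URLs.

```python
from urllib.parse import parse_qs, urlparse

STATE_SUCCESS, STATE_FAILED = 10, 21  # values from the table above
# Paths taken from the page's example URLs; each endpoint accepts one state only.
EXPECTED_STATE = {"/cb_success": STATE_SUCCESS, "/cb_fail": STATE_FAILED}


def parse_callback(url):
    """Return (state, xrayOperationID) or raise ValueError on a malformed callback."""
    parts = urlparse(url)
    if parts.path not in EXPECTED_STATE:
        raise ValueError("not a callback endpoint")
    query = parse_qs(parts.query, strict_parsing=True)
    states, op_ids = query.get("state", []), query.get("xrayOperationID", [])
    if len(states) != 1 or len(op_ids) != 1:
        raise ValueError("state and xrayOperationID must each appear once")
    if not states[0].isdigit() or int(states[0]) != EXPECTED_STATE[parts.path]:
        raise ValueError("state does not match the endpoint it arrived on")
    return int(states[0]), op_ids[0]


def settle_order(url, pending, fetch_status):
    """Settle an order from a callback, confirmed against the Operator.

    pending      -- dict: xrayOperationID -> order id, filled when the payment starts
    fetch_status -- hypothetical wrapper around request [20003]; returns the state (int)
    """
    claimed, op_id = parse_callback(url)
    if op_id not in pending:
        return "ignored"            # unknown operation or repeated callback
    confirmed = fetch_status(op_id)
    if confirmed != claimed:
        return "mismatch"           # keep the order open and raise an alert
    del pending[op_id]
    return "paid" if confirmed == STATE_SUCCESS else "failed"
```
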