Api products
Redirect with token

Overview

This page provides overview and details about the function and interfaces of Cardlink Tokenization along with Cardlink Payment Gateway.

Tokenization Process Overview

The tokenization process will be performed by Cardlink Payment Gateway, under the condition that merchant is activated as Tokenized merchant.

During the first usage of a card from a consumer/payer to Cardlink Payment Gateway, apart from the authorization message, the following (at a high level) should also be performed: The card details (i.e. pan, expiry date) will be forwarded to the Cardlink Tokenization Manager for the creation of the Token, the Token will be returned to the response message received by the merchant and the Token will be stored from the e-shop.

Tokens are calculated by Cardlink Tokenization Manager service and they are being provided to merchant after initial successful payment if the merchant is participating in this extension service (Tokenized merchant).

After the completion of the transaction, it will be stored by merchant’s site for future use.

Use Cases

First time Payment (Registration)

The first-time payment use case covers the scenario that a consumer/payer places an order for the first time. If a consumer/payer uses another credit card for the first time with the same merchant, the same use case applies too. The flow for the first-time payment is:

  • After concluding the order in the merchant’s web shop, the customer enters the credit card details to confirm the payment on the payment page
  • The Cardlink Payment Gateway forwards the transaction details to the payment network (and all the necessary authentication steps are being performed)
  • If the transaction is accepted by the payment network, the Cardlink Payment Gateway (thru the Cardlink Tokenization Manager) tokenizes the PAN and returns the transaction confirmation with the token, the PAN’s 4 last digits & token expiration date back to the merchant
  • The merchant stores the above info (instead of the PAN and using possibly an alias that the consumer will define & use for now on).

Figure 1: First-time payment (high-level) diagram

Successive payment

The successive payment use case applies to the scenario where a registered consumer/payer places an order (using the registered card, meaning that the merchant has a token on file for that consumer/payer). The use case also applies for the situation where a consumer/payer has multiple cards (tokens) on file for the given merchant (i.e. the consumer/payer has already registered more than one cards with the same merchant). The flow is:

  • The merchant presents (possibly the alias and) the PAN’s 4 last digits to the consumer/payer to select one for executing the payment
  • The merchant forwards the payment (with the token) to the Cardlink Payment Gateway
  • The Cardlink Payment Gateway (thru Cardlink Tokenization Manager) executes a detokenization with the provided token from the merchant. This results in a PAN and expiry date, which are required for the actual payment transaction
  • The Cardlink Payment Gateway forwards the transaction details to the payment network or presents payment page with the prefilled data (pan, expiration date)
  • The Cardlink Payment Gateway returns the transaction result back to the merchant with the token used
  • The confirmation is presented to the customer.

Figure 2: Successive payment (high-level) diagram

Specification Details

Redirection model

For the initial transaction, the merchant’s request should contain a variable indicating that a Token needs to be retrieved (extTokenOptions), whereas for a secondary transaction that merchant has an already received Token from a previous transaction. The already received Token should be sent in merchant’s request.

The variables extToken ,extTokenPanEnd and extTokenExp will be sent in the response message and they will be considered in the response digest calculation if they have been sent in the response message.

On repeating purchase, the merchant will send the Token in field extToken .

On the payment page the token is decoded and displayed as masked pan in the card number box and the expiry date is prefilled as well.

There are specific parameters that allow for the smoother model operation, like the CVV flag. Τhe merchant will mutually agree with the Bank to set it and allow for the consumer/payer not to fill the CVV in the secondary transactions.
The payment page display/existence is also a parameter and will also be defined at merchant level.

The previous options, if used together, will allow for the “one-click checkout” experience for the consumer/payer side.

Merchant shop request (initiate payment) 

The Merchant shopping cart sends to Cardlink Payment Gateway via http POST the appropriate HTML code with the relative information of the transaction that starts. The following table describes the parameters of the POST from the payment page to Cardlink Payment Gateway.

CounterField (HTTP POST parameter)Required / OptionalDescription
1.versionRValue = 2
2.midRMerchant id supplied (integer number) will be supplied to merchant, max length 30
3.langOLanguage selection for payment page (ISO 639-1 language code  en, fi, sv…)
4.deviceCategoryOOptional user device category (default 0 www browser, 1 mobile browser)
5.orderidRUnique merchant shop order id provided by merchant shop max length 50 chars (string 1..50 – only letters and numbers are accepted with no any space between them). For recurring transactions max length is 45 chars.
6.orderDescROrder description text (string 1..128 – special characters are accepted )
7.orderAmountROrder amount (decimal number >0.0) max length 15 with decimal point.
Amount is set to 0.0 for Tokenizer*
8.currencyROrder amount currency (string 3 ISO ISO 4217 alphabetic code (EUR))
9.payerEmailROrder payer email address (string 1..64). Format name@domain.tld
10.payerPhoneOOrder  payer   phone  number.
Format
• cc: 1–3 characters
• subscriber: variable, maximum 15 characters
11.billCountryRBilling address country code (string 2 ISO 3166-1-alpha-2 code (GR,US, FI, GB)).
12.billStateOBilling address state (str 2 3166-2 country subdivision code). this value only applies to countries that have states (e.g USA). For Greece, strongly recommended to be omitted
13.billZipRBilling address zip code (string..16)
14.billCityRBilling address city (string..50). Recommended to avoid special characters.
15.billAddressRBilling address street (string..50). Recommended to avoid special characters.
16.weightOOrder shipping weight (kg) if item is shippable and shipping needs to be calculated by Cardlink Payment Gateway (decimal number >0) max length 12 with decimal point)
17.dimensionsOOrder shipping dimensions (mm) in format width:height:depth for example a box 200:200:200 (string..25) can be used for shipping calculation if implemented so
18.shipCountryO/RShipping address country code (string 2 ISO 3166-1-alpha-2 code (GR, US, FI, GB)) Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made.
19.shipStateO/RShipping address state (string..50) Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made. This value only applies to countries that have states (e.g USA). For Greece, strongly recommended to be omitted.
20.shipZipO/RShipping address zip code (string..16). Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made.
21.shipCityO/RShipping address city (string..50) Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made. Recommended to avoid special characters.
22.shipAddressO/RShipping address street (string..50) Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made. Recommended to avoid special characters.
23.addFraudScoreOIncoming starting risk score (integer) max length 12
24.maxPayRetriesOMaximum payment retries allowed before user is sent back to merchant, overrides specific profile setting if present (integer) max length 2
25.reject3dsUOShould 3-D Secure return U status, merchant has option of continuing the transaction without liability shift or reject the transaction. >If this value is true, the transaction will not be accepted. (string 1 Y/N)
26.payMethodOFor pre selection of payment method. Paymethod id, can be used to preselect payment method at merchant site, so user cannot select other payment method later (string..20), exact values  will  depend  of  implemented  methods  on  service provider side.
27.trTypeOOptional transaction type default assumed payment, valid  values 1 – payment, 2 – pre authorization (applicable only to card payments only), 8 – tokenizer
28.extInstallmentoffsetOOptional. In case installments are supported by the processing system then this parameter of installments can be used to indicate initial offset in months when first payment will be submitted (by acquirer). Applicable for card payments only. Integer max length 3. Currently, should have value 0. 
29.extInstallmentperiodO/ROptional, required in case previous parameter is present. In case installments are supported by the processing system then this parameter of installments is used to indicate the number of payments/months the merchant requests for installments. Applicable for card payments only. Value must be >1. Max length 3 Installment parameters and recurring parameters together are not allowed on same request
30.extRecurringfrequencyOOptional. In case recurring payments are supported by the processing system then this parameter can be used to indicate frequency of recurring payments, defines minimum number of days between any two subsequent payments .The number of days equal to 28 is special value indicating that transactions are to be initiated on monthly basis. Applicable for card payments only. Max length 3
31.extRecurringenddateO/ROptional, required in case previous parameter is present. In case recurring payments are supported by the processing system then this parameter can be used to indicate date after which recurring ends and no more transactions no more transactions are initiated. The format is YYYYMMDD.
Applicable for card payments only.
Installment parameters and recurring parameters together are not allowed on same request.
32.blockScoreOOptional block score parameter that will be used to block the transaction if transaction riskScore reaches this value or above. (Positive Integer number) max length 9.
33.cssUrlOThe absolute or relative (to Cardlink Payment Gateway location on server) url of custom CSS stylesheet, to be used to display payment  page  styles.  (string..128)  Note:  if  absolute  and payment page is SSL secured make sure the url is also SSL secured as browsers will not show unsecure element object warning.
34.confirmUrlRConfirmation url where to send payment confirmation in case payment was successful (string..128)
35.cancelUrlRCancel url where to send payment feedback in case payment has failed or was canceled by user (string..128)
36.extTokenOptionsOif merchant requests token value should be 100
37.var1OOptional merchant and acquirer agreed free variable type  string ..255
38.var2OOptional merchant and acquirer agreed free variable type string ..255
39.var3OOptional merchant and acquirer agreed free variable type string ..255
40.var4OOptional merchant and acquirer agreed free variable type string ..255
41.var5OOptional merchant and acquirer agreed free variable type string ..255
42.var6OOptional merchant and acquirer agreed free variable type string ..255
43.var7OOptional merchant and acquirer agreed free variable type string ..255
44.var8OOptional merchant and acquirer agreed free variable type string ..255
45.var9OOptional merchant and acquirer agreed free variable type string ..255
46.digestRMessage digest to ensure and verify message security and integrity.  SHA256  digest  of  all  the  field  values  above concatenated together with the shared secret (see section Calculation of the Digest).

*Tokenizer: Tokenization without Authorization

Return message POST (inform merchant for payment execution)

The following table describes the parameters of the POST from Cardlink Payment Gateway back to merchant shop.

CounterField (HTTP POST parameter)Required / OptionalDescription
1.versionRValue = 2
2.midRMerchant id supplied (integer number) max length 30
3.orderidRMerchant shop order id string max length 50. For recurring transactions, max length 45 chars.
4.statusRPayment status (string..16) see section 2.4 payment statuses
5.orderAmountROrder amount (decimal number >0.0) same as in request
6.currencyROrder amount currency (string 3, ISO ISO 4217 alphabetic  code (EUR)) same as in request
7.paymentTotalROrder amount plus fees and shipping and additional service charges if applicable (decimal number >0,0) Required when payment was a success, can be omitted when payment was failed or canceled
8.messageOOptional  message  (string..128)  can  provide  optional information about payment or error description.
9.riskScoreOOptional information about the possible risk with transaction (integer number)
10.payMethodOOptional information about payment method used to complete transaction (string20).Is present only when payment was success
11.txIdOOptional system assigned transaction reference id (integer number)
12.paymentRefOOptional end payment system reference or approval code. String 1..64
13.extTokenOIf merchant requested tokenization then on successful payment token value of card used will be returned.
14.extTokenPanEndOIf merchant requested tokenization and tokenization enabled then on successful payment last 4 digits of tokenized pan are returned.
15.extTokenExpOIf merchant requested tokenization and tokenization enabled then on successful  token payment, token expiration is returned in format YYYYMMDD
16.digestRMessage digest to ensure and verify message security and integrity. SHA256 digest of all the field values above concatenated  together with the shared secret.

Merchant shop request (tokenized payment) 

CounterField (HTTP POST parameter)Required / OptionalDescription
1.versionRValue = 2
2.midRMerchant id supplied (integer number) will be supplied to merchant, max length 30
3.langOLanguage selection for payment page (ISO 639-1 language code  en, fi, sv…)
4.deviceCategoryOOptional user device category (default 0 www browser, 1 mobile browser)
5.orderidRUnique merchant shop order id provided by merchant shop max length 50 chars (string 1..50 – only letters and numbers are accepted with no any space between them). For recurring transactions, max length 45 chars.
6.orderDescROrder description text (string 1..128 – special characters are accepted )
7.orderAmountROrder amount (decimal number >0.0) max length 15 with decimal point
8.currencyROrder amount currency (string 3 ISO ISO 4217 alphabetic code (EUR))
9.payerEmailROrder payer email address (string 1..64). Format name@domain.tld
10.payerPhoneOOrder  payer   phone  number.
Format
• cc: 1–3 characters
• subscriber: variable, maximum 15 characters
11.billCountryRBilling address country code (string 2 ISO 3166-1-alpha-2 code (GR, US, FI, GB))
12.billStateOBilling address state (str 2 3166-2 country subdivision code). this value only applies to countries that have states (e.g USA)
13.billZipRBilling address zip code (string..16)
14.billCityRBilling address city (string..50). Recommended to avoid special characters.
15.billAddressRBilling address street (string..50). Recommended to avoid special characters.
16.weightOOrder shipping weight (kg) if item is shippable and shipping needs to be calculated by Cardlink Payment Gateway (decimal number >0) max length 12 with decimal point)
17.dimensionsOOrder shipping dimensions (mm) in format width:height:depth for example a box 200:200:200 (string..25) can be used for shipping calculation if implemented so
18.shipCountryO/RShipping address country code (string 2 ISO 3166-1-alpha-2 code (GR, US, FI, GB)) Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made.
19.shipStateO/RShipping address state (string..50). Recommended when parameter weight or dimensions are present or when shipping of goods has to be made. This value only applies to countries that have states (e.g USA). For Greece, strongly recommended to be omitted.
20.shipZipO/RShipping address zip code (string..16). Optional, recommended when parameter weight or dimensions are present or when shipping of goods has to be made.
21.shipCityO/RShipping address city (string..50). Recommended when parameter weight or dimensions are present or when shipping of goods has to be made. Recommended to avoid special characters.
22.shipAddressO/RShipping address street (string..50). Recommended when parameter weight or dimensions are present or when shipping of goods has to be made. Recommended to avoid special characters.
23.addFraudScoreOIncoming starting risk score (integer) max length 12
24.maxPayRetriesOMaximum payment retries allowed before user is sent back to merchant, overrides specific profile setting if present (integer) max length 2
25.reject3dsUOShould 3-D Secure return U status, merchant has option of continuing the transaction without liability shift or reject the transaction. >If this value is true, the transaction will not be accepted. (string 1 Y/N)
26.payMethodOFor pre selection of payment method. Paymethod id, can be used to preselect payment method at merchant site, so user cannot select other payment method later (string..20), exact values  will  depend  of  implemented  methods  on  service provider side.
27.trTypeOOptional transaction type default assumed payment, valid  values 1 – payment, 2 – pre authorization (applicable only to card payments only)
28.extInstallmentoffsetOOptional. In case installments are supported by the processing system then this parameter of installments can be used to indicate initial offset in months when first payment will be submitted (by acquirer). Applicable for card payments only. Integer max length 3. Currently, should have value 0. 
29.extInstallmentperiodO/ROptional, required in case previous parameter is present. In case installments are supported by the processing system then this parameter of installments is used to indicate the number of payments/months the merchant requests for installments.
Applicable for card payments only. Value must be >1. Max length 3
Installment parameters and recurring parameters together are not allowed on same request.
30.extRecurringfrequencyOOptional. In case recurring payments are supported by the processing system then this parameter can be used to indicate frequency of recurring payments, defines minimum number of days between any two subsequent payments .The number of days equal to 28 is special value indicating that transactions are to be initiated on monthly basis. Applicable for card payments only. Max length 3
31.extRecurringenddateO/ROptional, required in case previous parameter is present. In case recurring payments are supported by the processing system then this parameter can be used to indicate date after which recurring ends and no more transactions no more transactions are initiated. The format is YYYYMMDD.
Applicable for card payments only.
Installment parameters and recurring parameters together are not allowed on same request.
32.blockScoreOOptional block score parameter that will be used to block the transaction if transaction riskScore reaches this value or above. (Positive Integer number) max length 9.
33.cssUrlOThe absolute or relative (to Cardlink Payment Gateway location on server) url of custom CSS stylesheet, to be used to display payment  page  styles.  (string..128)  Note:  if  absolute  and payment page is SSL secured make sure the url is also SSL secured as browsers will not show unsecure element object warning.
34.confirmUrlRConfirmation url where to send payment confirmation in case payment was successful (string..128)
35.cancelUrlRCancel url where to send payment feedback in case payment has failed or was canceled by user (string..128)
36.extTokenOptionsO· Value = 100
Displaying payment page with prefilled card data and 3D authentication required.
(extToken field should be sent for tokenized payments)· Value = 110
Auto payment without displaying payment page and 3D authentication required.
(extToken field should be sent for tokenized payments)
37.extTokenOGenerated card token value
38.var1OOptional merchant and acquirer agreed free variable type  string ..255
39.var2OOptional merchant and acquirer agreed free variable type string ..255
40.var3OOptional merchant and acquirer agreed free variable type string ..255
41.var4OOptional merchant and acquirer agreed free variable type string ..255
42.var5OOptional merchant and acquirer agreed free variable type string ..255
43.var6OOptional merchant and acquirer agreed free variable type  string ..255
44.var7OOptional merchant and acquirer agreed free variable type  string ..255
45.var8OOptional merchant and acquirer agreed free variable type  string ..255
46.var9OOptional merchant and acquirer agreed free variable type  string ..255
47.digestRMessage digest to ensure and verify message security and integrity.  SHA256  digest  of  all  the  field  values  above concatenated together with the shared secret (see section Calculation of the Digest).

Return message POST (inform merchant for payment execution).

The following table describes the parameters of the POST from Cardlink Payment Gateway back to merchant shop.

CounterField (HTTP POST parameter)Required / OptionalDescription
1.versionRValue=2
2.midRMerchant id supplied (integer number) max length 30
3.orderidRMerchant shop order id string max length 50. For recurring transactions, max length 45 chars.
4.statusRPayment status (string..16) see section Payment statuses in response message
5.orderAmountROrder amount (decimal number >0.0) same as in request
6.currencyROrder amount currency (string 3, ISO ISO 4217 alphabetic  code (EUR)) same as in request
7.paymentTotalROrder amount plus fees and shipping and additional service charges if applicable (decimal number >0,0) Required when payment was a success, can be omitted when payment was failed or canceled
8.messageOOptional  message  (string..128)  can  provide  optional information about payment or error description.
9.riskScoreOOptional information about the possible risk with transaction (integer number)
10.payMethodOOptional information about payment method used to complete transaction (string20).Is present only when payment was success
11.txIdOOptional system assigned transaction reference id (integer number)
12.paymentRefOOptional end payment system reference or approval code. String 1..64
13.extTokenOIf payment is successful and  token value of card used will be returned.
14.extTokenPanEndOIf payment is successful, last 4 digits of tokenized pan are returned.
15.extTokenExpOIf merchant requested tokenization and tokenization enabled then on successful  token payment, token expiration is returned in format YYYYMMDD
16.digestRMessage digest to ensure and verify message security and integrity. SHA256 digest of all the field values above concatenated  together with the shared secret.

Payment statuses in response message

AUTHORIZED, CAPTUREDPayment was successful (accept order)
CANCELEDPayment failed, user canceled the process (deny order)
REFUSEDPayment failed, payment was denied for card or by bank (deny order)
ERRORNon recoverable system or other error occurred during payment process (deny order)

Table : Payment Statuses in Response message

Calculation of the Digest

Digest is the safety valve for the transactions between Company and Cardlink e- Commerce. Digest is one of the fields that the payment page sends and certifies the safe data transferring between the company and the Bank.

Requirements for Digest creation:

  1. The field values that the POST form sends (post_fields_values).

Based on the values of the payment page fields, the company needs to create a string with all the field values sent by payment page in the bank system.

  1. Concatenate all the values of all the possible fields listed in the table, the same order as parameters are listed in Payment page fields
  2. If a parameter is omitted, empty string is concatenated.
  3. The string must be encoded using UTF – 8 char encoding. This can be achieved by using the functions provided by the language that implements the solution (eg utf8_encode for PHPor Encoding.Convert for .NET).

2.The SHARED SECRET

The bank communicates to every merchant a unique code which is called SHARED SECRET. The SHARED SECRET must be included at the end of the previous string.

3. The base64 and sha-256 functions.

Digest in the request POST (and in the return POST) is calculated by the following rule:

  1. Concatenate all the values of all the possible fields listed in the table, the same order as parameters are listed in Payment page fields
  2. Add SHARED SECRET
  3. Encryption and Encoding using base64 and sha-256 functions
    1. Calculate SHA256 digest of step 1 (using of UTF-8 char encoding when converting string to bytes).
    2. Return the SHA256 digest.
    3. Encode digest bytes with Base64 encoding.

Digest=base64( sha-256( utf8bytes(value1|value2|…|secret) ) )

Note: ‘|’ indicates concatenation of data in formula and must not be added to data.

Never implement the digest calculation in browser using javascript or similar as this way you expose your shared secret to the world. Only implement it in server side executed code as (jsp/servlet/asp/phpetc).

For Digest Calculation please visit: Digest Calculation Guide