Notices and Versions
Come here often and look for important information, including information about current and future releases... You might have to do a browser refresh to get the latest version of this WebSite.Important Notices
Between November and January is time for our Annual PCI Tasks and Audit.
Between March and June is time for our Annual SOC Audits.
Doing a lot (or constant API Call) of Retrieves, either:
is NOT the correct way to use our API. Please contact support@TabaPay.com.We have enabled Rate Limiting on the Sandbox Environment. Sandbox is a Shared Environment used by many Clients and meant only for Development purposes...
● SSO Token will Expire after 5-10 minutes and will therefore be rendered invalid.
● CreateKey will be deprecating soon. When the CreateKey replacement becomes available, CreateKey will be disabled...
● RetrieveAccount by ReferenceID is deprecated and should only be used in the case of a HTTP Communications Error where an AccountID was not returned back.
● RetrieveTransaction by ReferenceID is deprecated and should only be used in the case of a HTTP Communications Error where a TransactionID was not returned back.
If you continue to use Retrieve by ReferenceID, the API will return a Status Code of 421 Misdirected Request:
- For RetrieveAccount by ReferenceID, if the Account was created over 24 hours ago
- For RetrieveTransaction by ReferenceID, if the Transaction was created over 24 hours ago
ReferenceID Change:
ReferenceID will no longer be required to be UNIQUE on a CreateAccount. If you do a Retrieve by ReferenceID, you will get the last one (the most recently added).
- RetrieveAccount - Changed on 06/02/2019
Anti-Pattern Detection:
See the Anti-Pattern FAQ...
Anti-Pattern or incorrect use of TabaPay’s API is not permitted on Sandbox, UAT, or Production Environments as they can impact the overall Environment. Examples of incorrect use of TabaPay’s API:
- Probe, Client is sending a probe to see if our system is up, types of probes we have seen (so far):
- Query Card with a fake card number every so often but at a consistent interval
- Retrieve Client, comment was that it shouldn't be an expensive request (but it adds up and if everyone does it, it becomes overwhelming)
- HTTP GET / every second
- Logic Errors (Bugs):
- Repetitive doing the following sequence: Query Card -> Add Account -> Delete Account
- RetrieveAccount by ReferenceID multiple times (a lot)
- RetrieveTransaction by ReferenceID multiple times (a lot)
- CreateKey multiple times (a lot)
- CreateKey -> DeleteKey multiple times (a lot)
- Design Errors (Bugs):
- Using Retrieve by ReferenceID because you don't know if you Created the Transaction (Account) or not
Also see the Anti-Pattern FAQ for more examples...
We will only keep transactions accessible to the TabaPay API for approximately 120 days. This means that Delete Transaction will only work for transactions within approximately 120 days. However, we archive transactions for many years (as legally required).
Inactive IP Addresses will be disabled in the Sandbox Environment. Contact TabaPay Support if you need to reenable a disabled IP Address. If you need more IP Addresses whitelisted, consider using a Proxy (or our Proxy).
Creating too many Keys in the Sandbox and/or Production Environment will cause your CreateKey to be disabled.
Inactive and Duplicate Accounts, created with the Account Create API in the Sandbox, UAT, or Production Environment, may result in these inactive and duplicate accounts being deleted and/or additional charges will be charged for these accounts.
Please inform us of possible Volume Spikes.
If you do not inform us of unexpected Volume Spikes, our systems may detect it as abnormal and our systems may block all IP Addresses causing this unexpected Volume Spikes. Volume Spikes that are all (or mostly) Errors, like:
- SC=404 coming from Retrieve Transactions
- Network RC of 51 or 14 from Create Transactions
- SC=409 coming from Create Accounts or Create Transactions
There should be no expectations on the Sandbox or UAT Environments, see the FAQ for the Sandbox Environment and see the FAQ for the UAT Environment. The Sandbox and UAT Environments use Simulators, so the accuracy of these Simulators may not be exactly the same as you will see in Production. For example, AVS calls will most likely always return a Network Response Code of 85, we will change the Simulator in the near future to reflect this.
Ready for Production? Please read the Production FAQ.
We have multiple Environments:
- Production USE1 (Active-Active DR)
- Production USE2 (Active-Active DR)
- UAT
- Sandbox
- QA
- Dev
We will try not to update this WebSite before the corresponding Code Release to the Sandbox Environment. However, this WebSite might be slightly ahead of the Code Release to the Sandbox and Production Environments. So some things that are described on this WebSite may not yet be available and working in the Environment you are using.
Operations Notes
On Sandbox and UAT Environments, your Client will now be limited to the IPs Whitelisted for that Client. If you have more than one Client, you will need to specify the IPs to be Whitelisted for each Client separately. This will also be implemented on the Production Environment soon...
Questions of the Month (or Answers of the Month):
Creating unused and/or inactive Accounts will result in:
- These Accounts incurring an extra charge (fee)
- These Accounts being automatically deleted
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
If you need help, please contact support@TabaPay.com with the following:
- Date and Time of the Request and Time Zone (we have many Clients in many different parts of the world)
- URL
- Request Data
- HTTP Status Code
- Response Data (if any, JSON or HTML)
SLA / Outages
See the Environments' Status and SLA / Outages Page.WebSite Updates
This WebSite was last updated on 03/21/2022 at 11:55 PDT.Sandbox/UAT Maintenance
| Environment | Maintenance | |
|---|---|---|
| Date | Task | |
| UAT | 02/28/2021 | Database Cleaned Up* |
| Sandbox | 02/28/2021 | Database Cleaned Up* |
| Sandbox | 05/26/2020 - 08/03/2020 | Migrate to New Sandbox Environment |
| UAT | 05/24/2020 | Database Cleaned Up* |
| Sandbox | 05/24/2020 | Database Cleaned Up* |
* There should be no expectations on the Sandbox or UAT Environments.
Nothing is unlimited, this includes the database, so the database was cleaned up.
Versions
| Environment | Current | |
|---|---|---|
| Version | Deployment Date | |
| Production USE1 | v22.0124 | 01/29/2022 |
| Production USE2 | v22.0124 | 01/29/2022 |
| UAT | v22.0124 | 02/01/2022 |
| Sandbox | v22.0124 | 02/01/2022 |
Developers WebSite
This WebSite is a SPA (Single Page Application), which means:- the Back button will not work as expected, navigation will require the use of the links on:
- the top right hand side of the page
- and the left hand side of the page
- the complete WebSite can be used when you are offline (not connected to the internet)
Terms and Conditions
By using this WebSite and/or using the software (API), you agree that neither this WebSite nor the information disclosed therein nor the software nor any part thereof shall be reproduced or transferred to other WebSites or documents nor used or disclosed for any purpose except as specifically authorized in writing by TabaPay.This WebSite is preliminary and is subject to change.
TabaPay makes no representation or warranties, expressed or implied, as to the truth or accuracy of any information contain herein. This WebSite may include typographical errors and technical inaccuracies. This WebSite is provided "as is" and all expressed or implied conditions, representations and warranties, including any implied warranty of merchantability, fitness for a particular purpose, or non-infringement, are disclaimed; except to the extent that such disclaimers are held to be legally invalid.
The URLs and ResourceIDs specified on this WebSite are only used for illustrative purposes (temporary place holders and/or samples) and does not reflect the actual URLs and ResourceIDs to be used (in Sandbox or Production). Please contact TabaPay Support for the actual URLs and ResourceIDs to be used for your situation.
Overview
The TabaPay Web Service (API) is just a simple RESTful Web Service that uses standard HTTPS to:- connect
- send request
- receive response
- disconnect
HTTP Header
Authorization: Bearer <TokenValue>Content-type: application/json
HTTP Cookies
No cookies are used.IP Whitelisting
Only the IP Addresses that you specify to us will work. Our Firewalls will block all non-whitelisted IP Addresses.You will need to reverify your IP Addresses every year, otherwise they will be removed.
Client Certificate
Possible future support, but from past experience, no one really wanted to use Client Certificates.API Descriptions Notations
Request:| Code | Description |
|---|---|
| R | Required |
| O | Optional |
| C | Conditional |
| ® | Restricted Usage (Permissions Required) |
| CR | Conditional Required - Choice |
| Code | Description |
|---|---|
| R n | Required if chosing Non-Encrypted Card Data |
| O n | Optional if chosing Non-Encrypted Card Data |
| R e | Required if chosing Encrypted Card Data |
| O e | Optional if chosing Encrypted Card Data |
| RAVS | Required if AVS |
| ® t | Restricted Usage (Permissions Required) if chosing Token |
| ® m | Restricted Usage (Permissions Required) if chosing MobilePay |
| R m | Required if chosing MobilePay |
| O m | Optional if chosing MobielPay |
| R a | Required if chosing Bank Data (ACH) |
| R c | Required if chosing Company Name |
| R n | Required if chosing Name |
| O n | Optional if chosing Name |
Response:
| Code | Description |
|---|---|
| ✔ | Returned |
| O | Optional |
Resources
The TabaPay Web Service (API) consist of the following resources and operations (methods):Some characteristics of a Resource are:- A Resource cannot be shared across Clients
- A Resource is identified by a ResourceID
- A Resource can be identified by multiple different ResourceIDs
Resource IDs
Some characteristics of a ResourceID are:- A ResourceID identifies a Resource
- A ResourceID can expire (by the number of days since creation)
- A ResourceID is 22 characters in length
- A ResourceID is made up of only Base64 URL-Safe characters:● A-ZUppercase alphabetic characters● a-zLowercase alphabetic characters● 0-9Digits● -Minus Sign● _Underscore
Services
The TabaPay Web Service (API) also consist of the following services:Client
This resource represents a Client.The only operation available for this resource is:
● Retrieve
Retrieves the attributes of a Client
Only TabaPay can:
● Create
● Update
including locking a Client
● Delete
Retrieve Client
Retrieves the attributes of a Client.URL
https://<FQDN>/v1/clients/<ClientID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Client's Attributes are returned. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| 200 | Other | ||||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | |||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | |||
| EM | String | Error Message | O | ||||
| label | String (no whitespaces) | Client Label | ✔ | ||||
| networks | object | List of Available Networks | ✔ | ||||
| pull | array of Strings | For Pull Transactions Array can be empty or is a List of Network Names | ✔ | ||||
| push | array of Strings | For Push Transactions Array can be empty or is a List of Network Names | ✔ | ||||
| limits | object | ✔ | |||||
| currency | String 3-digit code | ISO 4217 Currency Number | ✔ | ||||
| pull | object | ✔ | |||||
| transaction | String Amount | Pull Transaction Limit | ✔ | ||||
| daily | String Amount | Approximate Pull Daily Limit | ✔ | ||||
| networks | array of objects | List of Network Limits Network is listed only if different from above Pull Limits | O | ||||
| network | String | Network Name | ✔ | ||||
| transaction | String Amount | Network Pull Transaction Limit | ✔ | ||||
| daily | String Amount | Approximate Network Pull Daily Limit | ✔ | ||||
| push | object | ✔ | |||||
| transaction | String Amount | Push Transaction Limit | ✔ | ||||
| daily | String Amount | Approximate Push Daily Limit | ✔ | ||||
| networks | array of objects | List of Network Limits Network is listed only if different from above Push Limits | O | ||||
| network | String | Network Name | ✔ | ||||
| transaction | String Amount | Network Push Transaction Limit | ✔ | ||||
| daily | String Amount | Approximate Network Push Daily Limit | ✔ | ||||
View
Hide
Samples Client's Attributes returned:
Client not found:
Client locked:
{
"SC": 200,
"EC": "0",
"label": "ClientLabel",
"networks":
{
"pull":
[
"STAR",
"Visa"
],
"push":
[
"STAR",
"CU24",
"Visa"
]
},
"limits":
{
"currency": "840",
"pull":
{
"transaction": "0.25",
"daily": "1.00"
},
"push":
{
"transaction": "0.25",
"daily": "1.00",
"networks":
[
{
"network": "CU24",
"transaction": "0.20",
"daily": "1.00"
}
]
}
}
}
Client not found:
{
"SC": 404,
"EC": "3A100000",
"EM": "Not Found"
}
Client locked:
{
"SC": 423,
"EC": "3A100000",
"EM": "Locked"
}
Notes
The Client Label is the human readable identifier used to identify you versus using your ClientID. It may be used:
- in part of the file name for various Reports we generate for you, and
- in part of the URL for access to the Client WebSite.
Key
This resource represents a RSA Encryption Key.The operations that are available for this resource are:
Create Key
Creates a Key.URL
https://<FQDN>/v1/clients/<ClientID>/keys
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | ||
|---|---|---|---|---|---|---|
| format | String | R | Public Key Response Format, either:
| |||
| expiration | Integer Between 30 and 365 | R | 365 | Key Expiration Time:
| ||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
ASN.1
{
"format": "ASN.1",
"expiration": 365
}
Raw (Modulus and Public Exponent)
{
"format": "Raw",
"expiration": 365
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Key is created. |
| 429 | Too Many Requests | Created too many Keys See Notes Below... |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| ASN.1 | Raw | Other | |||||
| 200 | 200 | ||||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | O | ||||
| keyID | String 22 characters | KeyID | ✔ | ✔ | |||
| key | String | ASN.1 encoded in Base64 URL-Safe Character Set | ✔ | ||||
| keyModulus | String | Modulus encoded in Base64 URL-Safe Character Set | ✔ | ||||
| keyExponent | String | Public Exponent encoded in Base64 URL-Safe Character Set | ✔ | ||||
| expiration | String | Key Expiration in yyyy-MM-ddTHH:mm:ssZ Format. | ✔ | ✔ | |||
| notices | String | Important Notices | O | O | O | ||
View
Hide
Samples Key created returned in ASN.1 format:
{
"SC": 200,
"EC": "0",
"keyID": "TabaPay_KeyID_22-chars",
"key": "Base64_Encoded_Key",
"expiration": "2017-04-03T00:00:00Z"
}
Key created returned in Raw format:
{
"SC": 200,
"EC": "0",
"keyID": "TabaPay_KeyID_22-chars",
"keyModulus": "Base64_Encoded_Modulus",
"keyExponent": "Base64_Encoded_Exponent",
"expiration": "2017-04-03T00:00:00Z"
}
Notes
Keys are valid for 365 days. Key Expiration is now deprecated.
You should only have at most 2 keys active at any one time. If you create more than 2 keys that are currently active (expiration date), you might get a return of SC=429, Too Many Requests. However, if the system detects that there are more than 2 keys that are currently active (expiration date), the system may automatically delete the older keys until there are at most 2 keys that are currently active.
Retrieve Key
Retrieves the Key.URL
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=ASN.1
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=Raw
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=ASN.1
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>?Format=Raw
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Key is returned. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| ASN.1 | Raw | Other | |||||
| 200 | 200 | ||||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | O | ||||
| key | String | ASN.1 encoded in Base64 URL-Safe Character Set | ✔ | ||||
| keyModulus | String | Modulus encoded in Base64 URL-Safe Character Set | ✔ | ||||
| keyExponent | String | Public Exponent encoded in Base64 URL-Safe Character Set | ✔ | ||||
| expiration | String | Key Expiration in yyyy-MM-ddTHH:mm:ssZ Format. | ✔ | ✔ | |||
View
Hide
Samples Key returned in ASN.1 format:
{
"SC": 200,
"EC": "0",
"keyID": "TabaPay_KeyID_22-chars",
"key": "Base64_Encoded_Key",
"expiration": "2017-04-03T00:00:00Z"
}
Key returned in Raw format:
{
"SC": 200,
"EC": "0",
"keyID": "TabaPay_KeyID_22-chars",
"keyModulus": "Base64_Encoded_Modulus",
"keyExponent": "Base64_Encoded_Exponent",
"expiration": "2017-04-03T00:00:00Z"
}
Notes
The default Format is Raw.
Delete Key
Deletes a Key.URL
https://<FQDN>/v1/clients/<ClientID>/keys/<KeyID>
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Key is marked for deletion. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
View
Hide
Samples Key deleted:
Key not found:
Key already marked for deletion:
{
"SC": 200,
"EC": "0"
}
Key not found:
{
"SC": 404,
"EC": "10000000"
}
Key already marked for deletion:
{
"SC": 410,
"EC": "50000000"
}
Notes
Keys are automatically deleted after their expiration.
Card
This resource represents a Payment Card (Debit Card, PrePaid Card, or Credit Card).The only operation available for this resource is:
● Query
Returns the attributes for the requested Payment Card
Query Card
Returns the attributes for the requested Payment Card. Optionally:- AVS Check (Address Verification)
- Fees Check
- Verify Name with Phone Number
If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/cards
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS+Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Verify
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?AVS+Fees
https://<FQDN>/v1/clients/<ClientIDISO>/cards?Verify
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | Conditional | ||
|---|---|---|---|---|---|---|---|
| networks | String | O | List of Network Codes For ISOs, please contact TabaPay Support for details on when and how to use. | ||||
| cardTypesPull | String | O | List of Card Type Codes For ISOs, please contact TabaPay Support for details on when and how to use. | ||||
| cardTypesPush | String | O | |||||
► account | object View Object | CR | Either Account or Card | Account | |||
| accountID | String 22 characters | R | AccountID | Account | |||
| securityCode | String 3-4 digits | O | CVV2 | Account AVS | |||
► card | object View Object | CR | Either Account or Card Either Payment Card Not Encrypted:
| Card Data Encrypted? | |||
| accountNumber | String 13-19 digits | R n | Payment Card Account Number | Card Not Encrypted | |||
| expirationDate | String YYYYMM Format | O n RAVS | Expiration Date | Card Not Encrypted AVS | |||
| securityCode | String 3-4 digits | O n | CVV2 | Card Not Encrypted AVS | |||
| keyID | String 22 characters | R e | KeyID | Card Encrypted | |||
| mode | Integer 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation) 0 = PKCS#1 v1.5 1 = Java OAEP 2 = OAEP SHA-256 | Card Encrypted | ||
| data | String | R e | Encrypted Card Data, see below encoded in Base64 URL-Safe Character Set | Card Encrypted | |||
| token | String | ® t | Card Token (from SSO) Restricted Usage | Card Token | |||
► device | object View Object | ® d | Card Data from P2PE Device Restricted Usage | Card Device | |||
| id | String | ® d | Device Identifier | Card Device | |||
| blob | Hex String | ® d | Blob in Hex | Card Device | |||
► mobilePay | object View Object | ® m | Card Data from Mobile Payment Restricted Usage | SA PC Mobile Pay | |||
| accountNumber | String 13-19 digits | R m | Pseudo Payment Card Account Number | SA PC Mobile Pay | |||
| expirationDate | String YYYYMM Format | R m | Expiration Date | SA PC Mobile Pay | |||
| cryptogram | Base64 String 28 characters | R m | Payment Data Cryptogram | SA PC Mobile Pay | |||
| transactionID | Hex String 64 characters | R m | Transaction Identifier in Hex | SA PC Mobile Pay | |||
| eciIndicator | String 1 character | O m | Usually only Visa cards | SA PC Mobile Pay | |||
| network | String | R m | Card Network (Visa, MasterCard, Amex, Discover, etc...) | SA PC Mobile Pay | |||
| type | String | R m | Card Type (Debit, Credit, PrePaid, etc...) | SA PC Mobile Pay | |||
► owner | object View Object | C | Card Holder | AVS / Verify | |||
► name | object View Object | C | Name on Card | Verify | |||
| first | String | R | First Name | Verify | |||
| middle | String | O | Middle Name or Initial | Verify | |||
| last | String | R | Last Name | Verify | |||
| suffix | String | O | Suffix | Verify | |||
▼ address | object Hide Object | C | Billing Address | AVS | |||
| line1 | String | O | Address Line 1, for AVS, see notes below | AVS | |||
| line2 | String | O | Address Line 2 | AVS | |||
| city | String | O | City | AVS | |||
| state | String 2-character code | O | State Code | AVS | |||
| zipcode | String | R | Zip Code | AVS | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | AVS | ||
► phone | object View Object | C | Phone Number (E.164 Numbering) | Verify | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | Verify | ||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | Verify | |||
| currency | String 3-digits | O | 840 | ISO 4217 Currency Number | Fees Check | ||
| amount | String Amount | C | Amount of Transaction | Fees Check | |||
| timeout | Number Between 15 and 50 | O | 39 | Maximum time to wait for AVS and/or Verify Response | AVS / Verify | ||
(Encrypted) Card Data
| Field | Required | Description | UnEncrypted Card Data Format |
|---|---|---|---|
| Card Number | R | 13-19 digit Card Number | CardNumber | Expiration Date | Security Code (no spaces, pipe symbol separated) see samples |
| Expiration Date | O RAVS | Expiration date in YYYYMM Format | |
| Security Code | O | 3 or 4 digit CVV2 |
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Query Card and Fees Check:
Unencrypted Card Data:
Query Card:
{
"card":
{
"accountNumber": "9999999999999999"
}
}
Query Card using Encrypted Data:
{
"card":
{
"keyID": "TabaPay_KeyID_22-chars",
"data": "Base64_Encoded_Encrypted_Data"
}
}
Query Card using AccountID:
{
"account":
{
"accountID": "TabaPay_AccountID_22ch"
}
}
Query Card and Fees Check:
{
"card":
{
"accountNumber": "9999999999999999"
},
"amount": "0.50"
}
Unencrypted Card Data:
1111111111111111|| where Card Number: 1111111111111111 Expiration Date: None Security Code: None
1111111111111111|203001| where Card Number: 1111111111111111 Expiration Date: January 2030 Security Code: None
1111111111111111|203001|333 where Card Number: 1111111111111111 Expiration Date: January 2030 Security Code: 333
1111111111111111||333 where Card Number: 1111111111111111 Expiration Date: None Security Code: 333
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Payment Card's Attributes are returned. |
| 207 | Multi-Status | One or more Failures occurred while processing the Request. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | Conditional | ||||
|---|---|---|---|---|---|---|---|---|
| 200 | 207 | Other | ||||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | |||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | |||
| EM | String | Error Message | O | |||||
| card | object | Card Attributes | ✔ | ✔ | ||||
| pull | object | Debit Transaction | ✔ | ✔ | ||||
| enabled | Boolean | ✔ | ✔ | |||||
| network | String | O | O | |||||
| type | String | Credit, Debit, Prepaid | O | O | ||||
| regulated | Boolean | O | O | |||||
| currency | String 3-digit code | ISO 4217 Currency Number | O | O | ||||
| country | String 3-digit code | ISO 3166-1 Country Code | O | O | ||||
| push | object | Credit Transaction | ✔ | ✔ | ||||
| enabled | Boolean | ✔ | ✔ | |||||
| network | String | O | O | |||||
| type | String | Credit, Debit, Prepaid | O | O | ||||
| availability | String | Estimated Funds Availability | O | O | ||||
| regulated | Boolean | O | O | |||||
| currency | String 3-digit code | ISO 4217 Currency Number | O | O | ||||
| country | String 3-digit code | ISO 3166-1 Country Code | O | O | ||||
| AVS | object | AVS Results | C | C | AVS | |||
| networkRC | String 2 or 3-character code | Network Response Code | ✔ | O | AVS | |||
| authorizeID | String | ID | ✔ | O | AVS | |||
| resultText | String | AVS Result Text | O | O | AVS | |||
| codeAVS | String | AVS Response Code | ✔ | O | AVS | |||
| codeSecurityCode | String | Security Code Response Code | ✔ | O | AVS | |||
| EC | String 1 or 8 characters | Internal Error Code | O | AVS | ||||
| fees | object | Fees Check | C | C | Fees Check | |||
| pull | object | Debit Transaction | O | O | Fees Check | |||
| interchange | String Amount | Interchange Fees | ✔ | ✔ | Fees Check | |||
| network | String Amount | Network Fees | ✔ | ✔ | Fees Check | |||
| tabapay | String Amount | TabaPay Fees | ✔ | ✔ | Fees Check | |||
| push | object | Credit Transaction | O | O | Fees Check | |||
| interchange | String Amount | Interchange Fees | ✔ | ✔ | Fees Check | |||
| network | String Amount | Network Fees | ✔ | ✔ | Fees Check | |||
| tabapay | String Amount | TabaPay Fees | ✔ | ✔ | Fees Check | |||
View
Hide
Samples Query Card:
Query Card (pull disabled):
Query Card (push disabled):
Query Card (disabled/unsupported):
{
"SC": 200,
"EC": "0",
"card":
{
"pull":
{
"enabled": true,
"network": "Visa",
"type": "Debit",
"regulated": true,
"currency": "840",
"country": "840"
},
"push":
{
"enabled": true,
"network": "Visa",
"type": "Debit",
"regulated": true,
"currency": "840",
"country": "840",
"availability": "Immediate"
}
}
}
Query Card (pull disabled):
{
"SC": 200,
"EC": "0",
"card":
{
"pull":
{
"enabled": false
},
"push":
{
"enabled": true,
"network": "Visa",
"type": "Debit",
"regulated": true,
"currency": "840",
"country": "840",
"availability": "Immediate"
}
}
}
Query Card (push disabled):
{
"SC": 200,
"EC": "0",
"card":
{
"pull":
{
"enabled": true,
"network": "Visa",
"type": "Debit",
"regulated": true,
"currency": "840",
"country": "840"
},
"push":
{
"enabled": false
}
}
}
Query Card (disabled/unsupported):
{
"SC": 200,
"EC": "0",
"card":
{
"pull":
{
"enabled": false
},
"push":
{
"enabled": false
}
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
There is an extra charge (fee) for using Query Card and there is also an additional charge (fee) for using AVS.
Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows: Query Card should be done first before Creating an Account, this is the correct Pattern (or use of our API).
If using Account, only:
For AVS, Address Line 1 is optional, but you will get an AVS Code that says only Zip Code was matched (or not) and Address was not matched.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
There is an extra charge (fee) for using Query Card and there is also an additional charge (fee) for using AVS.
Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows: Query Card should be done first before Creating an Account, this is the correct Pattern (or use of our API).
Creating unused and/or inactive Accounts will result in:
- These Accounts incurring an extra charge (fee)
- These Accounts being automatically deleted
- Your Requests failing
- Your Client being locked
If using Account, only:
- Card Account Number
- Expiration Date (for AVS)
For AVS:
- Security Code
- Owner Address
For Verify:
- Owner Name
- Owner Phone
For AVS, Address Line 1 is optional, but you will get an AVS Code that says only Zip Code was matched (or not) and Address was not matched.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
| card.mode | Description |
|---|---|
| 0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure |
| 1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
| 2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
Bank
This resource represents a Bank.The only operation available for this resource is:
● Query
Returns the attributes for the requested Bank
Query Bank
Returns the attributes for the requested Bank.URL
https://<FQDN>/v1/clients/<ClientIDISO>/banks
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description |
|---|---|---|---|---|
| routingNumber | String 9 digits | R | Routing Number |
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Query Bank:
{
"routingNumber": "999999999"
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Bank's Attributes are returned. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |
|---|---|---|---|---|
| 200 | Other | |||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O |
| EM | String | Error Message | O | |
| RTP | Boolean | RTP | ✔ | |
View
Hide
Samples Query Bank:
{
"SC": 200,
"EC": "0",
"RTP": true
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
OFAC
This resource represents a Name on the OFAC Sanctions List.The only operation available for this resource is:
● Query
Returns the OFAC Match Codes
Query OFAC
Returns the OFAC Match Codes.URL
https://<FQDN>/v1/clients/<ClientIDISO>/ofac
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | |
|---|---|---|---|---|---|
| name | object | R | Name | ||
| first | String | R | First Name | ||
| last | String | R | Last Name | ||
| address | object | O | Address | ||
| requestID | String up to 32 Characters | O | WatchDog Request Identifier This is Required if the Bank requires the use of WatchDog | ||
| birthYear | String YYYY Format | O | Birth Year This is Optional if the Bank requires the use of WatchDog | ||
| country | String 3-digit code | O | ISO 3166-1 Country Code This is Optional if the Bank requires the use of WatchDog | ||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Query OFAC:
{
"name":
{
"first": "John",
"last": "Smith"
}
}
Query OFAC (using WatchDog):
{
"name":
{
"first": "John",
"last": "Smith"
},
"requestID": "ABC123"
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The OFAC Match Codes are returned. |
| 207 | Multi-Status | Unable to contact WatchDog. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||
|---|---|---|---|---|---|
| 200 | 207 | Other | |||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O |
| EM | String | Error Message | O | O | |
| ofacMatchCodes | String | OFAC Match Codes | ✔ | ||
| ofacValue | String | OFAC Value to be used in Create Transaction | ✔ | ||
| errors | Array of 8 characters Strings | Array of Internal Error Codes | ✔ | ||
View
Hide
Samples Query OFAC:
{
"SC": 200,
"EC": "0",
"ofacMatchCodes": "LN",
"ofacValue": "7nGfHHedKNe1aw"
}
Query OFAC (using WatchDog):
{
"SC": 200,
"EC": "0",
"ofacMatchCodes": "H",
"ofacValue": "8oHgIIfeLOf2bx"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
| OFAC Match Codes | Description |
|---|---|
| LN | Last Name did Not Match |
| LM | Last Name Matched, but First Name did Not Match |
| LMFM | Last Name Matched and First Name Matched |
| LMFP | Last Name Matched, but First Name was just a Partial Match |
| LMFO | Last Name Matched, but First Name was just a Partial (out of order) Match |
| LP | Last Name was just a Partial Match and First Name did Not Match |
| LPFM | Last Name was just Partial Match, but First Name Matched |
| LPFP | Last Name and First Name were both just a Partial Match |
| LPFO | Last Name partial Match and First Name Out Of Order |
| LOFM | Last Name was just a Partial (out of order) Match, but First Name Matched |
| LOFP | Last Name was just a Partial (out of order) Match and First Name was just a Partial Match |
| LOFO | Last Name and First Name were both just a Partial (out of order) Match |
| N | No Hit |
| H | Hit |
| HN | Hit by Name |
Please speak to your Bank to determine if this is required in Create Transaction.
Account
This resource represents a Client's Account.The operations that are available for this resource are:
● Create
Creates an Account containing a Payment Card Account Number
● Retrieve
Retrieves an Account, but the full Payment Card Account Number is never returned
● Update
Updates an Account
Update specific fields of an Account
● Delete
Deletes an Account
Create Account
Creates an Account.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?RejectDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?OKToAddDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?RejectDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?OKToAddDuplicateCard
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | Conditional | ||
|---|---|---|---|---|---|---|---|
| referenceID | String 1-15 characters | R | Your unique Reference ID | ||||
| bank | object | CR | Either Bank or Card | ACH | |||
| routingNumber | String 9 digits | R a | Routing Number | ACH | |||
| accountNumber | String 4-17 digits | R a | Account Number | ACH | |||
| accountType | String 1-character code | R a | Account Type | ACH | |||
| card | object | CR | Either Bank or Card Either Payment Card Not Encrypted:
| Payment Card | |||
| accountNumber | String 13-19 digits | R n | Payment Card Account Number | Payment Card Not Encrypted | |||
| expirationDate | String YYYYMM Format | R n O n | Expiration Date | Payment Card Not Encrypted | |||
| keyID | String 22 characters | R e | KeyID | Payment Card Encrypted | |||
| mode | Integer 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation) 0 = PKCS#1 v1.5 1 = Java OAEP 2 = OAEP SHA-256 | Payment Card Encrypted | ||
| data | String | R e | Encrypted Card Data, see below encoded in Base64 URL-Safe Character Set | Payment Card Encrypted | |||
| token | String | ® t | Card Token (from SSO) Restricted Usage | Payment Card Token | |||
| device | object | ® d | Card Data from P2PE Device Restricted Usage | Payment Card Device | |||
| id | String | ® d | Device Identifier | Payment Card Device | |||
| blob | Hex String | ® d | Blob in Hex | Payment Card Device | |||
| owner | object | R | Account Owner | ||||
| name | object | R | Name Either Company or First, Middle, Last, and Suffix | ||||
| company | String | R c | Company Name | ||||
| first | String | R n | First Name | ||||
| middle | String | O n | Middle Name or Initial | ||||
| last | String | R n | Last Name | ||||
| suffix | String | O n | Suffix | ||||
| address | object | O | Address | ||||
| line1 | String | R | Address Line 1 | ||||
| line2 | String | O | Address Line 2 | ||||
| city | String | R | City | ||||
| state | String 2-character code | R | State Code | 840 | |||
| zipcode | String | R | Zip Code | 840 | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | 840 | ||
| phone | object | O | Phone Number (E.164 Numbering) | 840 | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | 840 | ||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | 840 | |||
(Encrypted) Card Data
| Field | Required | Description | UnEncrypted Card Data Format |
|---|---|---|---|
| Card Number | R | 13-19 digit Card Number | CardNumber | Expiration Date | (no spaces, pipe symbol separated) see samples |
| Expiration Date | R | Expiration date in YYYYMM Format |
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Unencrypted Card Data:
Create Payment Card Account:
{
"referenceID": "1",
"card":
{
"accountNumber": "9999999999999999",
"expirationDate": "202012"
},
"owner":
{
"name":
{
"first": "John",
"last": "Customer"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
}
Unencrypted Card Data:
1111111111111111|203001| where Card Number: 1111111111111111 Expiration Date: January 2030
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | An Account is Created. |
| 207 | Multi-Status | Account created, but Duplicate Card Check Failed. |
| 409 | Conflict | Duplicate Card Check Matched. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||||
|---|---|---|---|---|---|---|---|---|
| 200 | 207 | 409 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | ✔ | O | ||
| EM | String | Error Message | ✔ | ✔ | O | |||
| accountID | String 22 characters | AccountID | ✔ | ✔ | ||||
| card | object | Card | O | O | ||||
| last4 | String 4 digits | Last 4 of Card Account Number (PAN) | ✔ | ✔ | ||||
| expirationDate | String 6 digits | Expiration Date YYYYMM Format | O | O | ||||
| notices | String | Important Notices | O | O | O | |||
| duplicateAccountIDs | Array of Strings | AccountIDs using the same Card Account Number | O | |||||
View
Hide
Samples Account created:
{
"SC": 200,
"EC": "0",
"accountID": "TabaPay_AccountID_22ch"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows: Query Card should be done first before Creating an Account, this is the correct Pattern (or use of our API).
Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Creating an Account just to do a Query Card is not the valid way to use our API (it is an Anti-Pattern). As we try to show in the Sample Flows: Query Card should be done first before Creating an Account, this is the correct Pattern (or use of our API).
Creating unused and/or inactive Accounts will result in:
- These Account incurring an extra charge (fee)
- These Account being automatically deleted
- Your Requests failing
- Your Client being locked
| card.mode | Description |
|---|---|
| 0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure |
| 1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
| 2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
Retrieve Account
Retrieves the Account.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Account is retrieved. |
| 421 | Misdirected Request | Too late to Retrieve Account by ReferenceID, use AccountID. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| referenceID | String | ReferenceID | ✔ | |||
| bank | object | Bank | O | |||
| routingNumber | String 9 digits | Routing Number | O | |||
| last4 | String 4 digits | Last 4 of Account Number | O | |||
| accountType | String 1-character code | Account Type | O | |||
| card | object | Card | O | |||
| last4 | String 4 digits | Last 4 of Card Number | O | |||
| expirationDate | String 6 digits | Expiration Date | O | |||
| owner | object | Account Owner | ✔ | |||
| name | object | Name | ✔ | |||
| first | String | First Name | ✔ | |||
| middle | String | Middle Name or Initial | O | |||
| last | String | Last Name | ✔ | |||
| suffix | String | Suffix | O | |||
| address | object | Address | O | |||
| line1 | String | Address Line 1 | ✔ | |||
| line2 | String | Address Line 2 | O | |||
| city | String | City | ✔ | |||
| state | String 2-character code | State Code | ✔ | |||
| zipcode | String | Zip Code | ✔ | |||
| country | String 3-digit code | ISO 3166-1 Country Code | O | |||
| phone | object | Phone Number (E.164 Numbering) | O | |||
| countryCode | String 1-3 digits | Country Calling Code | O | |||
| number | String Min: 4 digits Max: 12-14 digits | Phone Number | ✔ | |||
View
Hide
Samples Account retrieved:
{
"SC": 200,
"EC": "0",
"referenceID": "1",
"card":
{
"last4": "9990",
"expirationDate": "202012"
},
"owner":
{
"name":
{
"first": "John",
"last": "Customer"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
If there was a HTTP communication error and you did not get back an AccountID, you can try to Retrieve the AccountID using the ReferenceID.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
If there was a HTTP communication error and you did not get back an AccountID, you can try to Retrieve the AccountID using the ReferenceID.
Retrieve Account by ReferenceID
Retrieves the Account by ReferenceID. This should only be used in the case of a HTTP communication error and you did not get back the AccountID in the response. Using this for any other purposes is Anti-Pattern and is subject to failing and/or locking of your Client for all requests. You should use Retrieve Account with the AccountID to retrieve Account Information.This request is only valid if the Account was created within 24 hours ago, otherwise SC=421 will be returned, use Retrieve by AccountID.
If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts?referenceID=<ReferenceID> See Notes below and Anti-Pattern FAQ
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Account is retrieved. |
| 421 | Misdirected Request | Too late to Retrieve Account by ReferenceID, use AccountID. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| accountID | String 22 characters | AccountID | ✔ | |||
| bank | object | Bank | O | |||
| routingNumber | String 9 digits | Routing Number | O | |||
| last4 | String 4 digits | Last 4 of Account Number | O | |||
| accountType | String 1-character code | Account Type | O | |||
| card | object | Card | O | |||
| last4 | String 4 digits | Last 4 of Card Number | O | |||
| expirationDate | String 6 digits | Expiration Date | O | |||
| owner | object | Account Owner | ✔ | |||
| name | object | Name | ✔ | |||
| first | String | First Name | ✔ | |||
| middle | String | Middle Name or Initial | O | |||
| last | String | Last Name | ✔ | |||
| suffix | String | Suffix | O | |||
| address | object | Address | O | |||
| line1 | String | Address Line 1 | ✔ | |||
| line2 | String | Address Line 2 | O | |||
| city | String | City | ✔ | |||
| state | String 2-character code | State Code | ✔ | |||
| zipcode | String | Zip Code | ✔ | |||
| country | String 3-digit code | ISO 3166-1 Country Code | O | |||
| phone | object | Phone Number (E.164 Numbering) | O | |||
| countryCode | String 1-3 digits | Country Calling Code | O | |||
| number | String Min: 4 digits Max: 12-14 digits | Phone Number | ✔ | |||
View
Hide
Samples Account retrieved:
{
"SC": 200,
"EC": "0",
"accountID": "TabaPay_AccountID_22ch",
"owner":
{
"name":
{
"first": "John",
"last": "Customer"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
You should use Retrieve Account with the AccountID to retrieve Account Information.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
You should use Retrieve Account with the AccountID to retrieve Account Information.
Update Account
Updates the Account.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?RejectDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?OKToUpdateDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?RejectDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?OKToUpdateDuplicateCard
HTTP Method
PUT
Request
Request Data
| JSON Name | Value | Required | Default | Description | Conditional | ||
|---|---|---|---|---|---|---|---|
| bank | object | CR | Either Bank or Card | ACH | |||
| routingNumber | String 9 digits | R a | Routing Number | ACH | |||
| accountNumber | String 4-17 digits | R a | Account Number | ACH | |||
| accountType | String 1-character code | R a | Account Type | ACH | |||
| card | object | CR | Either Bank or Card Either Payment Card Not Encrypted:
| Payment Card | |||
| accountNumber | String 13-19 digits | R n | Payment Card Account Number | Payment Card Not Encrypted | |||
| expirationDate | String YYYYMM Format | R n O n | ExpirationDate | Payment Card Not Encrypted | |||
| keyID | String 22 characters | R e | KeyID | Payment Card Encrypted | |||
| mode | Integer 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation) 0 = PKCS#1 v1.5 1 = Java OAEP 2 = OAEP SHA-256 | Payment Card Encrypted | ||
| data | String | R e | Encrypted Card Data, see below encoded in Base64 URL-Safe Character Set | Payment Card Encrypted | |||
| token | String | ® t | Card Token (from SSO) Restricted Usage | Payment Card Token | |||
| device | object | ® d | Card Data from P2PE Device Restricted Usage | Payment Card Device | |||
| id | String | ® d | Device Identifier | Payment Card Device | |||
| blob | Hex String | ® d | Blob in Hex | Payment Card Device | |||
| owner | object | R | Account Owner | ||||
| name | object | R | Name Either Company or First, Middle, Last, and Suffix | ||||
| company | String | R c | Company Name | ||||
| first | String | R n | First Name | ||||
| middle | String | O n | Middle Name or Initial | ||||
| last | String | R n | Last Name | ||||
| suffix | String | O n | Suffix | ||||
| address | object | O | Address | ||||
| line1 | String | R | Address Line 1 | ||||
| line2 | String | O | Address Line 2 | ||||
| city | String | R | City | ||||
| state | String 2-character code | R | State Code | 840 | |||
| zipcode | String | R | Zip Code | 840 | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | 840 | ||
| phone | object | O | Phone Number (E.164 Numbering) | 840 | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | 840 | ||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | 840 | |||
(Encrypted) Card Data
| Field | Required | Description | UnEncrypted Card Data Format |
|---|---|---|---|
| Card Number | R | 13-19 digit Card Number | CardNumber | Expiration Date | (no spaces, pipe symbol separated) see samples |
| Expiration Date | R | Expiration date in YYYYMM Format |
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Unencrypted Card Data:
Update Payment Card Account:
{
"card":
{
"accountNumber": "9999999999999999",
"expirationDate": "202012"
},
"owner":
{
"name":
{
"first": "John",
"last": "Customer"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
}
Unencrypted Card Data:
1111111111111111|203001| where Card Number: 1111111111111111 Expiration Date: January 2030
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Account is Updated. |
| 207 | Multi-Status | Account updated, but Update Duplicate Card Check Failed. |
| 409 | Conflict | Duplicate Card Check Matched. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||||
|---|---|---|---|---|---|---|---|---|
| 200 | 207 | 409 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | ✔ | O | ||
| EM | String | Error Message | ✔ | ✔ | O | |||
| duplicateAccountIDs | Array of Strings | AccountIDs using the same Card Account Number | O | |||||
View
Hide
Samples Account updated:
{
"SC": 200,
"EC": "0"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
Update will delete the previous Account Data and replace the Account Data with the new Data in the Request. An Update Account is basically a Create Account but reusing the AccountID and the ReferenceID. The previous Account Data is deleted and is no longer usable or recoverable.
Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Update will delete the previous Account Data and replace the Account Data with the new Data in the Request. An Update Account is basically a Create Account but reusing the AccountID and the ReferenceID. The previous Account Data is deleted and is no longer usable or recoverable.
| card.mode | Description |
|---|---|
| 0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure |
| 1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
| 2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
Update Account v2
Coming SoonUpdate specific fields in the Account. Currently does not work with DuplicateCardCheck. Currently only works with Unencrypted Cards (Card in the Clear) and/or Bank Accounts.
If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v2/clients/<ClientIDISO>/accounts/<AccountID>
HTTP Method
PUT
Request
Request Data
| JSON Name | Value | Required | Default | Description | Conditional | ||
|---|---|---|---|---|---|---|---|
| bank | object | CO | Either Bank or Card | ACH | |||
| routingNumber | String 9 digits | O a | Routing Number | ACH | |||
| accountNumber | String 4-17 digits | O a | Account Number | ACH | |||
| accountType | String 1-character code | O a | Account Type | ACH | |||
| card | object | CO | Either Bank or Card | Payment Card | |||
| accountNumber | String 13-19 digits | O n | Payment Card Account Number | Payment Card Not Encrypted | |||
| expirationDate | String YYYYMM Format | O n | ExpirationDate | Payment Card Not Encrypted | |||
| owner | object | O | Account Owner | ||||
| name | object | O | Name Either Company or First, Middle, Last, and Suffix | ||||
| company | String | O c | Company Name | ||||
| first | String | O n | First Name | ||||
| middle | String | O n | Middle Name or Initial | ||||
| last | String | O n | Last Name | ||||
| suffix | String | O n | Suffix | ||||
| address | object | O | Address | ||||
| line1 | String | O | Address Line 1 | ||||
| line2 | String | O | Address Line 2 | ||||
| city | String | O | City | ||||
| state | String 2-character code | O | State Code | 840 | |||
| zipcode | String | O | Zip Code | 840 | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | 840 | ||
| phone | object | O | Phone Number (E.164 Numbering) | 840 | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | 840 | ||
| number | String Min: 4 digits Max: 12-14 digits | O | Phone Number | 840 | |||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Update First Name on Account:
{
"owner":
{
"name":
{
"first": "Jane"
}
}
}
Update Address on Account:
{
"owner":
{
"address":
{
"line1": "605 Ellis St",
"line2": "Suite #110",
}
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Account is Updated. |
| 207 | Multi-Status | Account updated, but Update Duplicate Card Check Failed. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| 200 | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | ✔ | O | |||
View
Hide
Samples Account updated:
{
"SC": 200,
"EC": "0"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
WARNING
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
WARNING
Updating specific fields must make logical sense, here are some examples of illogical updates that will fail with SC=400 Bad Request:
| Current Account State | Update Wanted | Reason for Failure |
|---|---|---|
| Account is a Card | bank.accountNumber | In order to Change an Account from Card to Bank, you will need to provide all the Bank Fields:
|
| Account Owner's Address is Country 840 | Postal Code of "A1A 1A1" | The Postal Code is not a US Zip Code |
| Account Owner's Address is Country 124 | State Code of "CA" | The State Code is not a Canadian Province |
| Account Name is a Company | Last Name of "Smith" | In order to change the Name, you will need to provide at least:
|
Delete Account
The Account is marked for Deletion.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?DeleteDuplicateCard
https://<FQDN>/v1/clients/<ClientIDISO>/accounts/<AccountID>?DeleteDuplicateCard
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Account is marked for deletion. |
| 207 | Multi-Status | Account marked for deletion, but Delete Duplicate Card Check Failed. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| 200 | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | ✔ | O | |||
View
Hide
Samples Account marked for deletion:
{
"SC": 200,
"EC": "0"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Transaction
This resource represents a Client's Transaction.The operations that are available for this resource are:
Create Transaction
Creates a Transaction.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | Choice | ||||
|---|---|---|---|---|---|---|---|---|---|
| referenceID | String 1-15 characters | R | Your unique Reference ID | ||||||
| correspondingID | String 22 characters | O | Either Corresponding TransactionID or Corresponding (For a Pull Transaction, this would be the corresponding Push Transaction or For a Push Transaction, this would be the corresponding Pull Transaction) | CID | |||||
► corresponding | object View Object | O | Either Corresponding or Corresponding TransactionID (For a Push Transaction, this would be the corresponding Pull Transaction) | C | |||||
| ofacValue | String | O | Sender OFAC Value from Query OFAC... | C | |||||
▼ name | object Hide Object | R | Sender Name | C | |||||
| first | String | R | First Name | C | |||||
| last | String | R | Last Name | C | |||||
▼ address | object Hide Object | O | Sender Address | C | |||||
| line | String | O | Address Line | C | |||||
| city | String | O | City | C | |||||
| state | String 2-character code | O | State Code | C | |||||
| zipcode | String | O | Zip Code | C | |||||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | C | ||||
| accountNumber | String | O | Sender Account Number | C | |||||
| sourceOfFunds | String | O | Sender Source of Funds:
| C | |||||
| type | String 4 characters Either push or pull | R | Transaction Type This is used to verify that your Source and Destination Accounts are valid. | ||||||
| networks | String | O | List of Network Codes For ISOs, please contact TabaPay Support for details on when and how to use. | ||||||
| cardTypes | String | O | List of Card Type Codes For ISOs, please contact TabaPay Support for details on when and how to use. | ||||||
▼ accounts | object Hide Object | R | Accounts | ||||||
| sourceAccountID | String 22 characters | CR | Either Source AccountID or Source Account | SAID | |||||
► sourceAccount | object View Object | CR | Either Source Account or Source AccountID | SA | |||||
► bank | object View Object | CR | Either Bank or Card | SA ACH | |||||
| routingNumber | String 9 digits | R a | Routing Number | SA ACH | |||||
| accountNumber | String 4-17 digits | R a | Account Number | SA ACH | |||||
| accountType | String 1-character code | R a | Account Type:
| SA ACH | |||||
► card | object View Object | CR | Either Bank or Card Either Payment Card Not Encrypted:
| SA PC | |||||
| accountNumber | String 13-19 digits | R n | Payment Card Account Number | SA PC Not Encrypted | |||||
| expirationDate | String YYYYMM Format | R n | Expiration Date | SA PC Not Encrypted | |||||
| securityCode | String 3-4 digits | O n | Security Code | SA PC Not Encrypted | |||||
| keyID | String 22 characters | R e | KeyID | SA PC Encrypted | |||||
| mode | Integer 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation) 0 = PKCS#1 v1.5 1 = Java OAEP 2 = OAEP SHA-256 | SA PC Encrypted | ||||
| data | String | R e | Encrypted Card Data, see below encoded in Base64 URL-Safe Character Set | SA PC Encrypted | |||||
| token | String | ® t | Card Token (from SSO) Restricted Usage | SA PC Token | |||||
► device | object View Object | ® d | Card Data from P2PE Device Restricted Usage | SA PC Device | |||||
| id | String | R d | Device Identifier | SA PC Device | |||||
| blob | Hex String | R d | Blob in Hex | SA PC Device | |||||
► mobilePay | object View Object | ® m | Card Data from Mobile Payment Restricted Usage | SA PC Mobile Pay | |||||
| accountNumber | String 13-19 digits | R m | Pseudo Payment Card Account Number | SA PC Mobile Pay | |||||
| expirationDate | String YYYYMM Format | R m | Expiration Date | SA PC Mobile Pay | |||||
| cryptogram | Base64 String 28 characters | R m | Payment Data Cryptogram | SA PC Mobile Pay | |||||
| transactionID | Hex String 64 characters | R m | Transaction Identifier in Hex | SA PC Mobile Pay | |||||
| eciIndicator | String 1 character | O m | Usually only Visa cards | SA PC Mobile Pay | |||||
| network | String | R m | Card Network (Visa, MasterCard, Amex, Discover, etc...) | SA PC Mobile Pay | |||||
| type | String | R m | Card Type (Debit, Credit, PrePaid, etc...) | SA PC Mobile Pay | |||||
► processor | object View Object | ® p | Processor Restricted Usage | SA PC Processor | |||||
| name | String | R p | Name | SA PC Processor | |||||
| token | String | R p | Token | SA PC Processor | |||||
► owner | object View Object | R | Account Owner | SA | |||||
► name | object View Object | R | Name Either Company or First, Middle, Last, and Suffix | SA | |||||
| company | String | R c | Company Name | SA | |||||
| first | String | R n | First Name | SA | |||||
| middle | String | O n | Middle Name or Initial | SA | |||||
| last | String | R n | Last Name | SA | |||||
| suffix | String | O n | Suffix | SA | |||||
► address | object View Object | O | Address | SA | |||||
| line1 | String | O | Address Line 1 | SA | |||||
| line2 | String | O | Address Line 2 | SA | |||||
| city | String | O | City | SA | |||||
| state | String 2-character code | O | State Code | SA | |||||
| zipcode | String | O | Zip Code | SA | |||||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | SA | ||||
► phone | object View Object | O | Phone Number (E.164 Numbering) | SA | |||||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | SA | ||||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | SA | |||||
| destinationAccountID | String 22 characters | CR | Either Destination AccountID or Destination Account | DAID | |||||
► destinationAccount | object View Object | CR | Either Destination Account or Destination AccountID | DA | |||||
► bank | object View Object | CR | Either Bank or Card | DA ACH | |||||
| routingNumber | String 9 digits | R a | Routing Number | DA ACH | |||||
| accountNumber | String 4-17 digits | R a | Account Number | DA ACH | |||||
| accountType | String 1-character code | R a | Account Type:
| DA ACH | |||||
► card | object View Object | CR | Either Bank or Card Either Payment Card Not Encrypted:
| DA PC | |||||
| accountNumber | String 13-19 digits | R n | Payment Card Account Number | DA PC Not Encrypted | |||||
| expirationDate | String YYYYMM Format | R n | Expiration Date | DA PC Not Encrypted | |||||
| securityCode | String 3-4 digits | O n | CVV2 | DA PC Not Encrypted | |||||
| keyID | String 22 characters | R e | KeyID | DA PC Encrypted | |||||
| mode | Integer 0, 1, or 2 | D e | 2 | Encryption Mode (Transformation) 0 = PKCS#1 v1.5 1 = Java OAEP 2 = OAEP SHA-256 | DA PC Encrypted | ||||
| data | String | R e | Encrypted Card Data, see below encoded in Base64 URL-Safe Character Set | DA PC Encrypted | |||||
| token | String | ® t | Card Token (from SSO) Restricted Usage | DA PC Token | |||||
► device | object View Object | ® d | Card Data from P2PE Device Restricted Usage | DA PC Device | |||||
| id | String | ® d | Device Identifier | DA PC Device | |||||
| blob | Hex String | ® d | Blob in Hex | DA PC Device | |||||
► processor | object View Object | ® p | Processor Restricted Usage | SA PC Processor | |||||
| name | String | R p | Name | SA PC Processor | |||||
| token | String | R p | Token | SA PC Processor | |||||
► owner | object View Object | R | Account Owner | DA | |||||
► name | object View Object | R | Name Either Company or First, Middle, Last, and Suffix | DA | |||||
| company | String | R c | Company Name | DA | |||||
| first | String | R n | First Name | DA | |||||
| middle | String | O n | Middle Name or Initial | DA | |||||
| last | String | R n | Last Name | DA | |||||
| suffix | String | O n | Suffix | DA | |||||
► address | object View Object | O | Address | DA | |||||
| line1 | String | O | Address Line 1 | DA | |||||
| line2 | String | O | Address Line 2 | DA | |||||
| city | String | O | City | DA | |||||
| state | String 2-character code | O | State Code | DA | |||||
| zipcode | String | O | Zip Code | DA | |||||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | DA | ||||
► phone | object View Object | O | Phone Number (E.164 Numbering) | DA | |||||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | DA | ||||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | DA | |||||
| currency | String 3 digits | O | 840 | ISO 4217 Currency Number | |||||
| amount | String Amount | R | Transaction Amount | ||||||
| ofacValue | String | O | OFAC Value from Query OFAC... | ||||||
| memo | String Max of 32 characters | O | Memo | ||||||
| achOptions | String 1-character code | O R>ACH | ACH Options: (Required for ACH)
| ACH | |||||
| overrides | String | O RISO | Overrides For ISOs, please contact TabaPay Support for details on when and how to use. | Required for ISOs | |||||
► pullOptions | object View Object | O | Additional Pull Options | ||||||
| lender | Boolean | O | Lender - deprecating, use overrides | ||||||
| quasiCash | Boolean | O | Quasi-Cash - deprecating, use overrides | ||||||
| securityCode | String 3-4 digits | O | CVV2 Valid only when using sourceAccountID (Pull) | ||||||
| recurring | Boolean | O | Recurring Pull Transaction | ||||||
| 3DSecure | Object | O | 3D Secure | ||||||
| version | String | O RMasterCard | Version Required by MasterCard | ||||||
| ECI | String | R | ECI (Electronic Commerce Indicator) | old: 3dsECI | |||||
| UCAF | String | R | UCAF (Universal Cardholder Authentication Field) | old: 3dsUCAF | |||||
| XID | String | O | XID (Transaction ID) | old: 3dsXID | |||||
| dsTransactionID | String | O RMasterCard | Directory Server TransactionID Required by MasterCard | ||||||
| level2TaxExempt | boolean | O | Level 2: Tax Exempt | Level 2 | |||||
| level2TaxAmount | String Amount | O | Level 2: Tax Amount (Currency is the same as the Transaction Amount) | Level 2 | |||||
| level3 | Object | O | Level 3 | Level 3 | |||||
| amountTax | String Amount | R | Tax Amount (Currency is the same as the Transaction Amount) | Level 3 | |||||
| tax | Code 1 digit | R | 0 = Sales Tax Not Included 1 = Sales Tax Included 2 = Tax Exempt | Level 3 | |||||
| taxRate | Number Max 2 decimal places | R | Tax Rate | Level 3 | |||||
| amountDiscount | String Amount | R | Discount Amount | Level 3 | |||||
| amountShipping | String Amount | R | Shipping Amount | Level 3 | |||||
| amountDuty | String Amount | R | Duty Amount | Level 3 | |||||
| itemCommodityCode | String | R | Item Commodity Code | Level 3 | |||||
| itemDescription | String | R | Item Description | Level 3 | |||||
| productCode | String | R | Product Code | Level 3 | |||||
| quantity | Number | R | Quantity | Level 3 | |||||
| unitOfMeasure | String | R | Unit of Measure | Level 3 | |||||
| amountUnitCost | String Amount | R | Unit Cost | Level 3 | |||||
| amountItemDiscount | String Amount | R | Discount per Line Item | Level 3 | |||||
| amountTotal | String Amount | R | Total | Level 3 | |||||
| poNumber | String | R | Purchase Order Number | Level 3 | |||||
► softDescriptor | object View Object | ® | Soft Descriptor Restricted Usage | ® | |||||
| name | String | R | Name | ® | |||||
▼ address | object Hide Object | R | Address | ® | |||||
| line1 | String | R | Address Line 1 | ® | |||||
| line2 | String | O | Address Line 2 | ® | |||||
| city | String | R | City | ® | |||||
| county | String 3 characters | R | County | ® | |||||
| state | String 2-character code | R | State Code | ® | |||||
| zipcode | String | R | Zip Code | ® | |||||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | ® | ||||
▼ phone | object Hide Object | O | Phone Number (E.164 Numbering) | ® | |||||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | ® | ||||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | ® | |||||
email | String | O RAmex | Email Address For American Express Bill Pay Provider program: Seller Email Address (max of 40 characters) | ® | |||||
id | String | O RAmex | ID For American Express Bill Pay Provider program: Seller ID (max of 20 digits) | ® | |||||
► location | object View Object | O | Location of the Origination of Transaction | ||||||
| name | String | R | Location Name | ||||||
▼ address | object Hide Object | R | Location Address | ||||||
| line1 | String | R | Address Line 1 | ||||||
| line2 | String | O | Address Line 2 | ||||||
| city | String | R | City | ||||||
| state | String 2-character code | R | State Code | ||||||
| zipcode | String | R | Zip Code | ||||||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | |||||
| Integer Between 15 and 39 | O | 39 | Time to wait for a response Default is 39 seconds See Notes Below... | ||||||
(Encrypted) Card Data
| Field | Required | Description | UnEncrypted Card Data Format |
|---|---|---|---|
| Card Number | R | 13-19 digit Card Number | CardNumber | Expiration Date | Security Code (no spaces, pipe symbol separated) see samples |
| Expiration Date | R | Expiration date in YYYYMM Format | |
| Security Code | O | 3 or 4 digit CVV2 |
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Unencrypted Card Data:
Create Transaction:
{
"referenceID": "1",
"type": "push",
"accounts":
{
"sourceAccountID": "TabaPay_AccountID_22-c",
"destinationAccountID": "TabaPay_AccountID_22-c"
},
"amount": "1.00"
}
Create Pull Transaction:
{
"referenceID": "1",
"type": "pull",
"accounts":
{
"sourceAccount":
{
"card":
{
"accountNumber": "9999999999999999",
"expirationDate": "202012"
},
"owner":
{
"name":
{
"first": "John",
"last": "Benson"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
},
"destinationAccountID": "TabaPay_AccountID_22-c"
},
"amount": "0.10"
}
Create Push Transaction:
{
"referenceID": "1",
"type": "push",
"accounts":
{
"sourceAccountID": "TabaPay_AccountID_22-c",
"destinationAccount":
{
"card":
{
"accountNumber": "9999999999999999",
"expirationDate": "202012"
},
"owner":
{
"name":
{
"first": "John",
"last": "Benson"
},
"address":
{
"line1": "465 Fairchild Drive",
"line2": "Suite #222",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
}
}
}
},
"amount": "0.10"
}
Unencrypted Card Data:
1111111111111111|203001| where Card Number: 1111111111111111 Expiration Date: January 2030 Security Code: None
1111111111111111|203001|333 where Card Number: 1111111111111111 Expiration Date: January 2030 Security Code: 333
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Transaction is created and processing is completed. |
| 201 | Created | A Transaction is created, but the transaction is waiting to be processed (batch). |
| 207 | Multi-Status | One or more Failures occurred while processing the Request. |
| 429 | Too Many Requests | Over your Daily (24-hour rolling) Approximation Limit. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||||
|---|---|---|---|---|---|---|---|---|
| 200 | 201 | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | ✔ | O | ||
| EM | String | Error Message | O | O | ||||
| transactionID | String 22 characters | TransactionID | ✔ | ✔ | ✔ | |||
| network | String | Network | ✔ | ✔ | ✔ | |||
| networkRC | String 2 or 3-character code | Network Response Code | ✔ | O | ||||
| networkID | String | NetworkID (Network TransactionID) | O | |||||
| status | String | Status | ✔ | ✔ | ✔ | |||
| approvalCode | String 6 characters | Approval Code | ✔ | O | ||||
| errors | Array of 8 characters Strings | Array of Internal Error Codes | ✔ | |||||
| AVS | object | AVS Results | C | |||||
| codeAVS | String | AVS Response Code | O | |||||
| codeSecurityCode | String | Security Code Response Code | O | |||||
| fees | object | Estimated Fees | O | O | ||||
| interchange | String Amount | Interchange Fees | ✔ | ✔ | ||||
| network | String Amount | Network Fees | ✔ | ✔ | ||||
| tabapay | String Amount | TabaPay Fees | ✔ | ✔ | ||||
| card | object | Card | O | O | ||||
| last4 | String 4 digits | Last 4 of Card Account Number (PAN) | ✔ | ✔ | ||||
| expirationDate | String 6 digits | Expiration Date YYYYMM Format | O | O | ||||
View
Hide
Samples Transaction created:
{
"SC": 200,
"EC": "0",
"transactionID": "TabaPay_TransactionID_",
"network": "Visa",
"networkRC": "00",
"status": "COMPLETED",
"approvalCode": "000000"
}
Transaction created but waiting to be processing (batch):
{
"SC": 201,
"EC": "0",
"transactionID": "TabaPay_TransactionID_",
"network": "CreditCards",
"status": "PENDING"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
One of the accounts in the Request, Source Account or Destination Account, must be your Settlement Account. If disbursing funds (push) the Source Account should be your Settlement Account. If collecting funds (pull) the Destination Account should be your Settlement Account.
A Timeout does not STOP the Transaction from continuing to be processed. It does mean that the Transaction Status will be temporarily in an UNKNOWN status. The SC (Status Code) in the Response will be 207.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
One of the accounts in the Request, Source Account or Destination Account, must be your Settlement Account. If disbursing funds (push) the Source Account should be your Settlement Account. If collecting funds (pull) the Destination Account should be your Settlement Account.
On a Pull Transaction, specifying at least the Owner Address Line 1 and/or Owner Zip Code will result in an automatic AVS check which may result in lower fees. However, a bad AVS will not stop the Transaction. You should have previously done a Query Card with AVS to check the Card.
A Timeout does not STOP the Transaction from continuing to be processed. It does mean that the Transaction Status will be temporarily in an UNKNOWN status. The SC (Status Code) in the Response will be 207.
Once the Transaction finished processing, the Actual Status of the Transaction will be reflected. You can do a Retrieve Transaction to check on the actual Transaction Status. However, do not poll, otherwise you will get SC=429.
After 90 seconds, the Transaction Status will NOT change. We have given up waiting for a response. Most likely, the Transaction Status will remain in an UNKNOWN status. Contact TabaPay Support if you need us to investigate what really happened with this Transaction.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
| card.mode | Description |
|---|---|
| 0 | RSA with PKCS#1 v1.5 Padding, however this is considered to be insecure |
| 1 | Java RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
| 2 | (non-Java) RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding |
Unfortunately, for RSA/ECB/OAEPWithSHA-256AndMGF1Padding, Java's implementation (as of Java 1.8) is currently incompatible with other implementations.
Retrieve Transaction
Retrieves the Transaction.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Transaction is retrieved. |
| 421 | Misdirected Request | Too late to Retrieve Transaction by ReferenceID, use TransactionID. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| referenceID | String | ReferenceID | ✔ | |||
| network | String | Network | O | |||
| networkRC | String 2 or 3-character code | Network Response Code | O | |||
| status | String | Status | ✔ | |||
| originally | String | Original Status | O | |||
| approvalCode | String 6 characters | Approval Code | O | |||
| errors | Array of 8 characters Strings | Array of Internal Error Codes | O | |||
| currency | String 3-digit code | ISO 4217 Currency Number | O | |||
| amount | String | Amount in Currency | ✔ | |||
| amountUSD | String | Amount in USD if Currency is not 840 (USD) | O | |||
| last4 | String | Last 4 of Card Account Number (PAN) or Last 4 of Bank Account Number | ✔ | |||
| memo | String | Memo | O | |||
| fees | object | Fees | O | |||
| interchange | String Amount | Interchange Fees | ✔ | |||
| network | String Amount | Network Fees | ✔ | |||
| tabapay | String Amount | TabaPay Fees | ✔ | |||
| reversalStatus | String | Reversal Status | O | |||
| reversal | object | Reversal | O | |||
| networkRC | String 2 or 3-character code | Network Response Code | O | |||
| networkRC2 | String 2 or 3-character code | Network Response Code | O | |||
| error | String 1 or 8 characters | Internal Error Code | O | |||
View
Hide
Samples Transaction retrieved using TransactionID:
{
"SC": 200,
"EC": "0",
"referenceID": "1",
"network": "Visa",
"networkRC": "00",
"status": "COMPLETED",
"approvalCode": "000000",
"amount": "0.10",
"fees":
{
"interchange": "0.50",
"network": "0.50",
"tabapay": "0.25"
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
If there was a HTTP communication error and you did not get back a TransactionID, you can try to Retrieve the TransactionID using the ReferenceID.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
If there was a HTTP communication error and you did not get back a TransactionID, you can try to Retrieve the TransactionID using the ReferenceID.
Retrieve Transaction by ReferenceID
Retrieves the Transaction by ReferenceID. This should only be used in the case of a HTTP communication error and you did not get back the TransactionID in the response. Using this for any other purposes is Anti-Pattern and is subject to failing and/or locking of your Client for all requests. You should use Retrieve Transaction with the TransactionID to retrieve Transaction Information.This request is only valid if the Transaction was created within 24 hours ago, otherwise SC=421 will be returned, use Retrieve by TransactionID.
If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions?referenceID=<ReferenceID> See Notes below and Anti-Pattern FAQ
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Transaction is retrieved. |
| 421 | Misdirected Request | Too late to Retrieve Transaction by ReferenceID, use TransactionID. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| transactionID | String 22 characters | TransactionID | ✔ | |||
| network | String | Network | O | |||
| networkRC | String 2 or 3-character code | Network Response Code | O | |||
| status | String | Status | ✔ | |||
| originally | String | Original Status | O | |||
| approvalCode | String 6 characters | Approval Code | O | |||
| errors | Array of 8 characters Strings | Array of Internal Error Codes | O | |||
| currency | String 3-digit code | ISO 4217 Currency Number | O | |||
| amount | String | Amount in Currency | ✔ | |||
| amountUSD | String | Amount in USD if Currency is not 840 (USD) | O | |||
| last4 | String | Last 4 of Card Account Number (PAN) or Last 4 of Bank Account Number | ✔ | |||
| memo | String | Memo | O | |||
| fees | object | Fees | O | |||
| interchange | String Amount | Interchange Fees | ✔ | |||
| network | String Amount | Network Fees | ✔ | |||
| tabapay | String Amount | TabaPay Fees | ✔ | |||
| reversalStatus | String | Reversal Status | O | |||
| reversal | object | Reversal | O | |||
| networkRC | String 2 or 3-character code | Network Response Code | O | |||
| networkRC2 | String 2 or 3-character code | Network Response Code | O | |||
| error | String 1 or 8 characters | Internal Error Code | O | |||
View
Hide
Samples Transaction retrieved:
{
"SC": 200,
"EC": "0",
"transactionID": "TransactionID_22chars_",
"network": "Visa",
"networkRC": "00",
"status": "COMPLETED",
"approvalCode": "000000",
"amount": "0.10",
"fees":
{
"interchange": "0.50",
"network": "0.50",
"tabapay": "0.25"
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
You should use Retrieve Transaction with the TransactionID to retrieve Transaction Information.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
The Fees are only an estimation. The actual Fees will be shown on your daily settlement reports.
See Anti-Pattern FAQ for proper usage of Retrieve by ReferenceID.
You should use Retrieve Transaction with the TransactionID to retrieve Transaction Information.
Delete Transaction
Try to request a reverse of a previous Pull Transaction.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>?reversal
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>?void
https://<FQDN>/v1/clients/<ClientIDISO>/transactions/<TransactionID>?void
HTTP Method
DELETE
Request
No Request Data or Overrides Required for ISOs or Optional Partial Reversal
| JSON Name | Value | Required | Default | Description | Choice | ||||
|---|---|---|---|---|---|---|---|---|---|
| overrides | String | O RISO | Overrides For ISOs, please contact TabaPay Support for details on when and how to use. | Required for ISOs | |||||
| currency | String 3 digits | O | 840 | ISO 4217 Currency Number | |||||
| amount | String Amount | O | Partial Reversal Amount | ||||||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Partial Reversal:
{
"amount": "1.00"
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Request for a Reversal of the previous Transaction is successful. |
| 207 | Multi-Status | One or more Failures occurred while processing the Request. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| 200 | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | O | O | |||
| status | String | Status | ✔ | ✔ | |||
| reversal | object | Reversal | ✔ | O | |||
| networkRC | String 2 or 3-character code | Void Network Response Code | ✔ | O | |||
| networkRC2 | String 2 or 3-character code | Refund after failed Void Network Response Code | ✔ | O | |||
View
Hide
Samples Transaction reversed:
{
"SC": 200,
"EC": "0",
"status": "COMPLETED",
"reversal":
{
"networkRC": "00"
}
}
Dual Message Network:
{
"SC": 200,
"EC": "0",
"status": "COMPLETED",
"reversal":
{
"networkRC": "21",
"networkRC2": "00"
}
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
You can only Delete (reverse) a Pull Transaction. A Delete is just only a request for a reversal. Dual Message Networks may cause a networkRC2 if:
We will only keep transactions accessible to the TabaPay API for approximately 120 days. This means that Delete Transaction will only work for transactions within approximately 120 days. However, we archive transactions for many years (as legally required).
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
You can only Delete (reverse) a Pull Transaction. A Delete is just only a request for a reversal. Dual Message Networks may cause a networkRC2 if:
- the networkRC was non-zero.
A status of COMPLETED and either networkRC equals to 00 or networkRC2 equals to 00 means a successful request for a reversal.
We will only keep transactions accessible to the TabaPay API for approximately 120 days. This means that Delete Transaction will only work for transactions within approximately 120 days. However, we archive transactions for many years (as legally required).
TransactionRequest (OTPP)
This resource represents a TransactionRequest (OTPP).The operations that are available for this resource are:
● Create
Creates a TransactionRequest (OTPP)
Create TransactionRequest (OTPP)
Creates a TransactionRequest (OTPP).If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v2/clients/<ClientIDISO>/transactionrequests
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | Choice | ||||
|---|---|---|---|---|---|---|---|---|---|
| type | String 4 characters Either pull or push | R | Transaction Type | ||||||
| user1 | String 1-15 characters | O | User1 | ||||||
| user2 | String 1-15 characters | O | User2 | ||||||
| currency | String 3 digits | O | 840 | ISO 4217 Currency Number | |||||
| amount | String Amount | R | Transaction Amount | ||||||
► customer | object View Object | R | Customer | ||||||
► name | object View Object | R | Name | ||||||
| first | String | R | First Name | ||||||
| last | String | R | Last Name | ||||||
► address | object View Object | O | Address | ||||||
| line1 | String | R | Address Line 1 | ||||||
| line2 | String | O | Address Line 2 | ||||||
| city | String | R | City | ||||||
| state | String 2-character code | R | State Code | ||||||
| zipcode | String | R | Zip Code | ||||||
| country | String 3-digit code | R | 840 | ISO 3166-1 Country Code | |||||
► callback | object View Object | O | Callback, contact TabaPay | ||||||
| type | String | R | URL | ||||||
| value | String | R | URL String | ||||||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
{
"type": "pull",
"user1": "123456789",
"amount": "1000.00",
"customer":
{
"name":
{
"first": "TabaPay",
"last": "Inc",
},
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043",
}
}
}
With Callback:
{
"type": "pull",
"user1": "123456789",
"amount": "1000.00",
"customer":
{
"name":
{
"first": "TabaPay",
"last": "Inc",
},
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043",
}
},
"callback":
{
"type": "URL",
"value": "https://somewhere.com"
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Transaction is created and processing is completed. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | O | ||
| otppID | String 22 characters | TransactionRequestID (OTPPID) | ✔ | |||
| link | String URL | URL | ✔ | |||
View
Hide
Samples
{
"SC": 200,
"EC": "0",
"otppid": "TabaPay_OTPPID_22Chars",
"link": "https://link/?ID=TabaPay_OTPPID_22Chars"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
If using URL Callback, the Callback URL will get a POST Request with the following data:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
If using URL Callback, the Callback URL will get a POST Request with the following data:
{
"request":
{
"amount": "1000.00",
"card":
{
"last4": "1234",
"expirationDate": "202512"
},
"user1": "123456789",
"name":
{
"first": "TabaPay",
"last": "Inc"
},
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043",
}
},
"response":
{
"SC": "200",
"EC": "0",
"transactionID": "TabaPay_TransactionID_",
"network": "Visa",
"networkRC": "00",
"status": "COMPLETED",
"approvalCode": "230402",
"AVS":
{
"codeAVS": "Y",
"codeSecurityCode": "M"
}
}
}
3D Secure
This represents the 3D Secure Service.The functions that are available for this service are:
Also please read the 3D Secure FAQ.
3D Secure Initialize
Initializes a 3D Secure Card Authentication Request.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v2/clients/<ClientIDISO>/3ds/init
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | |||
|---|---|---|---|---|---|---|---|
| account | object | R | Account | ||||
| accountID | String 22 characters | R | AccountID | ||||
| owner | object | O | Owner | ||||
| phone | object | O | Phone Number (E.164 Numbering) | ||||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | |||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | ||||
| order | object | R | Order | ||||
| orderID | String 1-50 characters | R | Order Number | ||||
| currency | String 3 digits | O | 840 | ISO 4217 Currency Number | |||
| amount | String Amount | R | Transaction Amount | ||||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
{
"account": {
"accountID": "TabaPay_AccountID_22-c"
},
"order": {
"orderID": "12345678",
"amount": "0.10"
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A JWT is created. |
| 207 | Multi-Status | One or more Failures occurred while processing the Request. |
| 404 | Not Found | The AccountID does not point to a valid Account. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||||
|---|---|---|---|---|---|---|---|
| 200 | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O | ||
| EM | String | Error Message | O | O | |||
| 3dsID | String | An identifier representing this Request | ✔ | ||||
| jwt | String | JWT (JSON Web Token) | ✔ | ||||
| deviceCollectionURL | String URL | URL for Device Data Collection | ✔ | ||||
View
Hide
Samples
{
"SC": 200,
"EC": "0",
"3dsID": "ID_BASE64-URL-SAFE-VALUE",
"jwt": "JWT-BASE64-URL-SAFE-VALUE",
"deviceCollectionURL": "https://someplace.somewhere.com/DeviceCollect"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
Also please read the 3D Secure FAQ.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Also please read the 3D Secure FAQ.
3D Secure Lookup
3D Secure Card Lookup.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v2/clients/<ClientIDISO>/3ds/lookup
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | |||
|---|---|---|---|---|---|---|---|
| 3dsID | String | R | 3dsID from 3D Secure Initialize | ||||
| authenticationIndicator | String 2 digits | R | |||||
| transactionMode | String 1 character | O | |||||
| transactionType | String 1 character | R | |||||
| productCode | String 3 characters | R | |||||
| account | object | R | Account | ||||
| accountID | String 22 characters | R | AccountID | ||||
| owner | object | R | Owner | ||||
| String | R | Email Address | |||||
| phone | object | O | Phone Number (E.164 Numbering) | ||||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | |||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | ||||
| order | object | R | Order | ||||
| orderID | String 1-50 characters | R | Order Number | ||||
| currency | String 3 digits | O | 840 | ISO 4217 Currency Number | |||
| amount | String Amount | R | Transaction Amount | ||||
| browser | object | R | Browser Info | ||||
| javascriptEnabled | boolean | O | |||||
| userAgent | String | O | |||||
| header | String | O | |||||
| javaEnabled | boolean | O | |||||
| language | String | O | |||||
| colorDepth | String | O | |||||
| screenHeight | String | O | |||||
| screenWidth | String | O | |||||
| ipAddress | String | O | |||||
| deviceChannel | String | R | Either:
| ||||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
{
"3dsID": "ID_BASE64-URL-SAFE-VALUE",
"authenticationIndicator": "01",
"transactionType": "C",
"productCode": "ACF",
"account": {
"accountID": "TabaPay_AccountID_22-c",
"owner": {
"email": "support@tabapay.com"
}
},
"order": {
"orderID": "12345678",
"amount": "0.10"
},
"browser": {
"deviceChannel": "Browser"
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Lookup Response is returned. |
| 207 | Multi-Status | One or more Failures occurred while processing the Request. |
| 404 | Not Found | The AccountID does not point to a valid Account. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||||
|---|---|---|---|---|---|---|---|---|
| 200 | 200 Challenge | 207 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | ✔ | O | ||
| EM | String | Error Message | O | O | ||||
| 3dsVersion | String | The 3D Secure Version that was used to process this request | ✔ | ✔ | ||||
| enrolled | String | Authentication Eligibility Status | ✔ | ✔ | ||||
| processorTransactionID | String | Processor Transaction Identifier | ✔ | ✔ | ||||
| dsTransactionID | String | Directory Server Transaction Identifier | O | O | ||||
| status | String | Status | ✔ | |||||
| ECI | String | ECI (Electronic Commerce Indicator) | ✔ | |||||
| UCAF | String | UCAF (Universal Cardholder Authentication Field)
| ✔ | |||||
| XID | String | XID (Transaction ID) | O | |||||
| challengeURL | String | Consumer Authentication URL | ✔ | |||||
| payload | String | Encoded Payment Request | ✔ | |||||
View
Hide
Samples No Challenge:
{
"SC": 200,
"EC": "0",
"3dsVersion": "2.1.0",
"enrolled": "Y",
"processorTransactionID":"11111111111111111111",
"dsTransactionID": "11111111-2222-3333-4444-555555555555",
"status": "Y",
"ECI": "05",
"UCAF": "1111111111111111111111111111"
}
Challenge:
{
"SC": 200,
"EC": "0",
"3dsVersion": "2.1.0",
"enrolled": "Y",
"processorTransactionID": "11111111111111111111",
"dsTransactionID": "11111111-2222-3333-4444-555555555555",
"challengeURL":"https://someplace.somewhere.com/challenge",
"payload":"A_LONG_PAYLOAD"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
Also please read the 3D Secure FAQ.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Also please read the 3D Secure FAQ.
3D Secure Authenticate
3D Secure Card Challenge Authentication.If you are an ISO (Independent Sales Organization), you will need to specify a SubClientID.
URL
https://<FQDN>/v2/clients/<ClientIDISO>/3ds/authenticate
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | ||
|---|---|---|---|---|---|---|
| 3dsID | String | R | 3dsID from 3D Secure Initialize | |||
| jwt | String | R | JWT (JSON Web Token) from Challenge | |||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
{
"3dsID": "ID_BASE64-URL-SAFE-VALUE",
"jwt": "JWT-BASE64-URL-SAFE-VALUE"
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | A Lookup Response is returned. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| actionCode | String | Result: Action Code | ✔ | |||
| errorNumber | String | Result: Error Number | ✔ | |||
| errorDescription | String | Result: Error Description | O | |||
| 3dsVersion | String | The 3D Secure Version that was used to process this request | ✔ | |||
| processorTransactionID | String | Processor Transaction Identifier | ✔ | |||
| status | String | Status | ✔ | |||
| ECI | String | ECI (Electronic Commerce Indicator) | ✔ | |||
| UCAF | String | UCAF (Universal Cardholder Authentication Field)
| ✔ | |||
| XID | String | XID (Transaction ID) | O | |||
View
Hide
Samples
{
"SC": 200,
"EC": "0",
"actionCode": "SUCCESS",
"errorNumber": "0",
"errorDescription": "Success"
"3dsVersion": "2.1.0",
"processorTransactionID":"11111111111111111111",
"status": "Y",
"ECI": "05",
"UCAF": "1111111111111111111111111111"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
Also please read the 3D Secure FAQ.
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Also please read the 3D Secure FAQ.
FXRate
Coming Soon
This resource represents an FX Rate.The operations that are available for this resource are:
● Query
Returns a real-time currency Exchange Rate from Visa or MasterCard
Query FXRate
Coming Soon
Returns the real-time FX-Rate and the amount in the beneficiary currency.URL
https://<FQDN>/v4/clients/<ClientIDISO>/fx
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | |
|---|---|---|---|---|---|
| type | String 4 characters Either push or pull | R | Transaction Type The direction of the transaction impacts the FX Rate | ||
| sourceCurrency | String 3-digit code | R | ISO 4217 Currency Number The source currency. On a push, the originator's currency. On a pull, the beneficiary's currency | ||
| destinationCurrency | String 3-digit code | R | ISO 4217 Currency Number The destination currency. On a push, the beneficiary's currency. On a pull, the originator's currency | ||
| amount | String Amount | R | Transaction Amount | ||
| network | String Either visa, mastercard, or bank | R | Transaction Network | ||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Query FXRate:
{
"type": "push",
"sourceCurrency": "840",
"destinationCurrency": "826",
"amount": "10.00",
"network" "visa"
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The FX Rate has been queried and the process is complete. |
| 207 | Multi-Status | One or more failures occurred while processing the Request. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||
|---|---|---|---|---|---|
| 200 | 207 | Other | |||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | ✔ | O |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | ✔ | O |
| EM | String | Error Message | O | O | |
| sourceAmount | String Amount | On a push, this is the transaction amount. On a pull, this is the settlement amount. | ✔ | ||
| sourceCurrency | String 3-digit code | ISO 4217 Currency Number The source currency code. On a push, the originator's currency. On a pull, the beneficiary's currency | ✔ | ||
| destinationAmount | String Amount | On a push, this is the settlement amount. On a pull, this is the transaction amount. | ✔ | ||
| destinationCurrrency | String 3-digit code | ISO 4217 Currency Number The destination currency. On a push, the beneficiary's currency. On a pull, the originator's currency | ✔ | ||
| conversionRate | String Decimal | Conversion Rate without markup applied. | ✔ | ||
| markup | String Decimal | Markup Rate applied to the transaction amount. | ✔ | ||
| rateExpiration | String yyyy-MM-ddTHH:mm:ssZ Format. | All FX Rates expire 00:00:00 GMT the following calander day. | ✔ | ||
| errors | Array of 8 characters Strings | Array of Internal Error Codes | ✔ | ||
View
Hide
Samples Query FXRate:
{
"SC": 200,
"EC": "0",
"sourceAmount": "10.70",
"sourceCurrency":"840",
"destinationAmount": "8.22",
"destinationCurrency": "826",
"conversionRate": "0.7682243",
"markup": "0.07"
"rateExpiration": "2022-01-29 00:00:00 GMT"
}
Notes
For Clients who are an ISO (Independent Sales Organization), to specify your ClientID and a SubClientID, use the underscore character ("_") to separate the two values: <ClientID>_<SubClientID> where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
SubClient
Coming Soon
This resource represents a Client's SubClient.The operations that are available for this resource are:
Create a SubClient
Coming Soon
Creates a Client's SubClient Registration.For ISOs (Independent Sales Organization) only.
URL
https://<FQDN>/v4/clients/<ClientID>/subclients/<SubClientID>
HTTP Method
POST
Request
Request Data
| JSON Name | Value | Required | Default | Description | ||
|---|---|---|---|---|---|---|
| name | String | R | Company Name | |||
| tin | String 9 digits | R | Taxpayer Identification Number (EIN or SSN) | |||
| type | String | R | Company Type:
| |||
| url | String | O | URL | |||
| String | R | |||||
| address | object | R | Address | |||
| line1 | String | R | Address Line 1 | |||
| line2 | String | O | Address Line 2 | |||
| city | String | R | City | |||
| state | String 2-character code | R | State Code | |||
| zipcode | String | R | Zip Code | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | ||
| phone | object | R | Phone Number (E.164 Numbering) | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | ||
| number | String Min: 4 digits Max: 12-14 digits | R | Phone Number | |||
| mcc | String 4 digits | R | Merchant Category Code | |||
| mvv | String 6 digits | O | Visa Merchant Verification Code - requires Visa registration | |||
| maid | String 6 digits | O | MasterCard Identification - requires MasterCard registration | |||
| settlement | object | O | Settlement Accounts | |||
| purchase | object | R | Purchase | |||
| routingNumber | String 9 digits | R | Routing Number | |||
| accountNumber | String 4-17 digits | R | Account Number | |||
| disbursement | object | R | Disbursement | |||
| routingNumber | String 9 digits | R | Routing Number | |||
| accountNumber | String 4-17 digits | R | Account Number | |||
| fee | object | R | Fee | |||
| routingNumber | String 9 digits | R | Routing Number | |||
| accountNumber | String 4-17 digits | R | Account Number | |||
| exception | object | R | Exception | |||
| routingNumber | String 9 digits | R | Routing Number | |||
| accountNumber | String 4-17 digits | R | Account Number | |||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Client's SubClient:
{
"name": "TabaPay",
"tin": "123456789",
"type": "Corp",
"url": "www.tabapay.com",
"email": "help@tabapay.com",
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
},
"mcc": 1234,
"mvv": 1234,
"maid": 1234,
"settlement":
{
"purchase":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"disbursement":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"fee":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"exception":
{
"routingNumber": 121140399,
"accountNumber": 12345
}
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | Client's SubClient Registration Created. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||
|---|---|---|---|---|---|
| 200 | Other | ||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | |
| EM | String | Error Message | O | ||
View
Hide
Samples Client's SubClient:
{
"SC": 200,
"EC": "0"
}
Notes
Only for Clients who are ISO (Independent Sales Organization) where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Retrieve SubClient
Coming Soon
Retrieves a Client's SubClient Registration.For ISOs (Independent Sales Organization) only.
URL
https://<FQDN>/v4/clients/<ClientID>/subclients/<SubClientID>
HTTP Method
GET
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Transaction is retrieved. |
| 404 | Not Found | SubClient Registration not found. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | |||
|---|---|---|---|---|---|---|
| 200 | Other | |||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | ||
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | ||
| EM | String | Error Message | O | |||
| name | String | Company Name | ✔ | |||
| tin | String 9 digits | Taxpayer Identification Number (EIN or SSN) | ✔ | |||
| type | String | Company Type | ✔ | |||
| url | String | URL | O | |||
| String | ✔ | |||||
| address | object | Address | ✔ | |||
| line1 | String | Address Line 1 | ✔ | |||
| line2 | String | Address Line 2 | O | |||
| city | String | City | ✔ | |||
| state | String 2-character code | State Code | ✔ | |||
| zipcode | String | Zip Code | ✔ | |||
| country | String 3-digit code | ISO 3166-1 Country Code | O | |||
| phone | object | Phone Number (E.164 Numbering) | ✔ | |||
| countryCode | String 1-3 digits | Country Calling Code | O | |||
| number | String Min: 4 digits Max: 12-14 digits | Phone Number | ✔ | |||
| mcc | String 4 digits | Merchant Category Code | ✔ | |||
| mvv | String 6 digits | Visa Merchant Verification Code | O | |||
| maid | String 6 digits | MasterCard Identification | O | |||
| settlement | object | Settlement Accounts | O | |||
| purchase | object | Purchase | ✔ | |||
| routingNumber | String 9 digits | Routing Number | ✔ | |||
| accountNumber | String 4-17 digits | Account Number | ✔ | |||
| disbursement | object | Disbursement | ✔ | |||
| routingNumber | String 9 digits | Routing Number | ✔ | |||
| accountNumber | String 4-17 digits | Account Number | ✔ | |||
| fee | object | Fee | ✔ | |||
| routingNumber | String 9 digits | Routing Number | ✔ | |||
| accountNumber | String 4-17 digits | Account Number | ✔ | |||
| exception | object | Exception | ✔ | |||
| routingNumber | String 9 digits | Routing Number | ✔ | |||
| accountNumber | String 4-17 digits | Account Number | ✔ | |||
View
Hide
Samples Client's SubClient:
{
"SC": 200,
"EC": "0",
"name": "TabaPay",
"tin": "123456789",
"type": "Corp",
"url": "www.tabapay.com",
"email": "help@tabapay.com",
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
},
"mcc": 1234,
"mvv": 1234,
"maid": 1234,
"settlement":
{
"purchase":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"disbursement":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"fee":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"exception":
{
"routingNumber": 121140399,
"accountNumber": 12345
}
}
}
Notes
Only for Clients who are ISO (Independent Sales Organization) where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Update a SubClient
Coming Soon
Updates a Client's SubClient Registration.For ISOs (Independent Sales Organization) only.
URL
https://<FQDN>/v4/clients/<ClientID>/subclients/<SubClientID>
HTTP Method
PUT
Request
Request Data
| JSON Name | Value | Required | Default | Description | ||
|---|---|---|---|---|---|---|
| name | String | O | Company Name | |||
| tin | String 9 digits | O | Taxpayer Identification Number (EIN or SSN) | |||
| type | String | O | Company Type:
| |||
| url | String | O | URL | |||
| String | O | |||||
| address | object | O | Address | |||
| line1 | String | O | Address Line 1 | |||
| line2 | String | O | Address Line 2 | |||
| city | String | O | City | |||
| state | String 2-character code | O | State Code | |||
| zipcode | String | O | Zip Code | |||
| country | String 3-digit code | O | 840 | ISO 3166-1 Country Code | ||
| phone | object | O | Phone Number (E.164 Numbering) | |||
| countryCode | String 1-3 digits | O | 1 | Country Calling Code | ||
| number | String Min: 4 digits Max: 12-14 digits | O | Phone Number | |||
| mcc | String 4 digits | O | Merchant Category Code | |||
| mvv | String 6 digits | O | Visa Merchant Verification Code - requires Visa registration | |||
| maid | String 6 digits | O | MasterCard Identification - requires MasterCard registration | |||
| settlement | object | O | Settlement Accounts | |||
| purchase | object | O | Purchase | |||
| routingNumber | String 9 digits | O | Routing Number | |||
| accountNumber | String 4-17 digits | O | Account Number | |||
| disbursement | object | O | Disbursement | |||
| routingNumber | String 9 digits | O | Routing Number | |||
| accountNumber | String 4-17 digits | O | Account Number | |||
| fee | object | O | Fee | |||
| routingNumber | String 9 digits | O | Routing Number | |||
| accountNumber | String 4-17 digits | O | Account Number | |||
| exception | object | O | Exception | |||
| routingNumber | String 9 digits | O | Routing Number | |||
| accountNumber | String 4-17 digits | O | Account Number | |||
View
Hide
SamplesPack your Request, the following Samples shown here are unpacked only for human readability:
Client's SubClient:
{
"name": "TabaPay",
"tin": "123456789",
"type": "Corp",
"url": "www.tabapay.com",
"email": "help@tabapay.com",
"address":
{
"line1": "605 Ellis Street",
"line2": "Suite 110",
"city": "Mountain View",
"state": "CA",
"zipcode": "94043"
},
"phone":
{
"number": "4159808222"
},
"mcc": 1234,
"mvv": 1234,
"maid": 1234,
"settlement":
{
"purchase":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"disbursement":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"fee":
{
"routingNumber": 121140399,
"accountNumber": 12345
},
"exception":
{
"routingNumber": 121140399,
"accountNumber": 12345
}
}
}
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | Client's SubClient Registration Updated. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||
|---|---|---|---|---|---|
| 200 | Other | ||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | |
| EM | String | Error Message | O | ||
View
Hide
Samples Client's SubClient:
{
"SC": 200,
"EC": "0"
}
Notes
Only for Clients who are ISO (Independent Sales Organization) where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Delete a SubClient
Coming Soon
Deletes a Client's SubClient Registration.For ISOs (Independent Sales Organization) only.
URL
https://<FQDN>/v4/clients/<ClientID>/subclients/<SubClientID>
HTTP Method
DELETE
Request
No Request Data
Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The Transaction is deleted. |
| 404 | Not Found | SubClient Registration not found. |
See Status Codes for other possible Status Codes that might be returned.
Response Data
| JSON Name | Value | Description | Status Code | ||
|---|---|---|---|---|---|
| 200 | Other | ||||
| SC | Integer 3-digit code | HTTP Status Code | ✔ | O | |
| EC | String 1 or 8 characters | Internal Error Code | ✔ | O | |
| EM | String | Error Message | O | ||
View
Hide
Samples Client's SubClient:
{
"SC": 200,
"EC": "0"
}
Notes
Only for Clients who are ISO (Independent Sales Organization) where:
- ClientID is your unique 22-character string and
- SubClientID is an assigned 4, 6 or 8-digit value.
Networks
| Network Name | |
|---|---|
| STAR |  |
| Pulse |  |
| NYCE |  |
| CU24 |  |
| Accel |  |
| Visa |  |
| VisaFF | |
| MasterCard |  |
| MasterCardSend (MoneySend) | |
| Discover |  |
| Amex |  |
| CCPay | |
| IntlVisa | |
| IntlMasterCard | |
Network Response Codes
- ISO (International Organization for Standardization) Network Response Codes
- Accel Network Response Codes
- RTP Network Response Codes
A Financial Institution may decide to return a Network Response Code that may not match the ISO Code meaning.
| ISO CODE | Description |
|---|---|
| 00 | Approved or completed successfully |
| 01 | Refer to card issuer |
| 02 | Refer to card issuers special conditions |
| 03 | Invalid merchant |
| 04 | Pick-up |
| 05 | Do not honor |
| 06 | Error |
| 07 | Pick-up card, special conditions |
| 08 | Honor with identification |
| 09 | Request in progress |
| 10 | Approved for partial amount |
| 11 | Approved (VIP) |
| 12 | Invalid transaction |
| 13 | Invalid amount |
| 14 | Invalid card number (no such number) |
| 15 | No such issuer |
| 16 | Approved, update track 3 |
| 17 | Customer cancellation, reversal (unsupported) |
| 18 | Customer dispute, chargeback (future) |
| 19 | Re-enter transaction |
| 20 | Invalid response |
| 21 | No action taken, reversal (unsupported) |
| 22 | Suspected malfunction, reversal (unsupported) |
| 23 | Unacceptable transaction fee |
| 24 | File update not supported by receiver |
| 25 | Unable to locate record on file |
| 26 | Duplicate file update record, no action |
| 27 | File update field edit error |
| 28 | File update record locked out |
| 29 | File update not successful, contact acquirer |
| 30 | Format error (may also be a reversal) |
| 31 | Bank not supported by switch |
| 32 | Completed partially, reversal (unsupported) |
| 33 | Expired card, pick-up |
| 34 | Suspected fraud, pick-up |
| 35 | Card acceptor contact acquirer, pick-up |
| 36 | Restricted card, pick-up |
| 37 | Card acceptor call acquirer security, pick-up |
| 38 | Allowable PIN tries exceeded, pick-up |
| 39 | No credit account |
| 40 | Requested function not supported |
| 41 | Lost card, pick-up |
| 42 | No universal account |
| 43 | Stolen card, pick-up |
| 44 | No investment account |
| 45 | Reserved for ISO use |
| 46 | Reserved for ISO use |
| 47 | Reserved for ISO use |
| 48 | Reserved for ISO use |
| 49 | Reserved for ISO use |
| 50 | Reserved for ISO use |
| 51 | Insufficient funds |
| 52 | No checking account |
| 53 | No savings account |
| 54 | Expired card |
| 55 | Incorrect PIN |
| 56 | No card record |
| 57 | Transaction not permitted to cardholder |
| 58 | Transaction not permitted to terminal (may also be a chargeback) |
| 59 | Suspected fraud |
| 60 | Card acceptor contact acquirer |
| 61 | Exceeds withdrawal amount limit |
| 62 | Restricted card |
| 63 | Security violation (may also be a chargeback) |
| 64 | Original amount incorrect, reversal (unsupported) |
| 65 | Exceeds withdrawal frequency limit |
| 66 | Card acceptor call acquirer security |
| 67 | Hard capture, pick-up |
| 68 | Response received too late, reversal (unsupported) |
| 69 | Reserved for ISO |
| 70 | Reserved for ISO |
| 71 | Reserved for ISO |
| 72 | Reserved for ISO |
| 73 | Reserved for ISO |
| 74 | Reserved for ISO |
| 75 | Allowable number of PIN tries exceeded |
| 76 | Key synchronization error (FIS) |
| 77 | Reserved for private use |
| 78 | Customer not eligible for POS (Star SM ) |
| 79 | Invalid digital signature |
| 80 | Stale dated transaction (Star SM ) |
| 81 | Issuer requested standin |
| 82 | Count exceeds limit (VISANet) |
| 83 | Reserved for private use |
| 84 | Time limit for pre-authorization reached (VISANet) |
| 85* | Issuer has no reason to decline the transaction (Account Verification) |
| 86 | Cannot verify PIN (VISANet) |
| 87 | Check already posted |
| 88 | Information not on file |
| 89 | Card verification value (CVV) verification failed (no pickup) |
| 90 | Cutoff is in progress |
| 91 | Issuer or switch is inoperative |
| 92 | Financial institution or intermediate network unknown for routing |
| 93 | Transaction cannot be completed, violation of law |
| 94 | Duplication transaction |
| 95 | Reconcile error |
| 96 | System malfunction |
| 97 | Reserved for national use |
| 98 | Reserved for national use |
| 99* | Card network fault error |
| 0Z-9Z | Reserved for ISO use |
| C2-E0 | Reserved for national use (X9.2) |
| E1* | Invalid or unsupported SEC |
| E2* | AVS data required |
| E3* | CVV2 data required |
| E4* | Service not allowed. Transaction not permitted to cardholder. |
| E5* | Service not allowed. Transaction not permitted to cardholder. |
| E6* | Issuer country is blocked |
| E7* | Incorrect MAC was sent |
| E8* | Standard Entry Class requirements were not met |
| E9* | System time out |
| EA* | Account length error |
| EB* | Check digit error |
| EC* | CID format error |
| ED* | Authorization is too old to capture |
| EE* | Card product code is blocked Card product code is blocked |
| EF* | Attempt to process a BRIC transaction on a prior PIN based transaction |
| EG* | CyberSource Time Out Connection to CyberSource timed out |
| EH* | CARD_ENT_METH supplied is not valid or required additional data not provided as defined |
| EI* | CARD_ID is not valid |
| EJ* | Required PIN block not present |
| EK* | Bin is not valid for pinless routing |
| EL* | Signature store did not complete |
| EM* | Debit PIN transactions must be swiped |
| EN* | DB proxy response was not processed within the time out period |
| EO* | Transaction was declined by merchant due to mismatch of CVV2 data |
| EP* | Transaction not allowed as per a validation rule |
| EQ* | There were no available gateway nodes to route transaction |
| EZ-MZ | Reserved for national use (X9.2) |
| N0 | Authorization life cycle unacceptable |
| N1 | Authorization life cycle expired |
| N2 | Non-receipt of requested item (future) |
| N3 | Non-receipt of requested item, illegible copy (future) |
| N4 | Transaction exceeds floor limit (future) |
| N5 | Declined authorization (future) |
| N6 | Non-matching account numbers (future) |
| N7 | Error in addition (future) |
| N8 | Altered amount (future) |
| N9 | Incorrect account number (future) |
| P0 | Missing signature (future) |
| P1 | Slip without card imprint (future) |
| P2 | Imprinting of multiple slips (future) |
| P3 | Canceled pre-authorization transaction (future) |
| P4 | Delinquent settlement (future) |
| P5 | Currency conversion error (future) |
| P6 | Credit posted as a debit (sale) (future) |
| P7 | Claim or defense (future) |
| P8 | Non-receipt of goods (future) |
| P9 | Defective merchandise (future) |
| Q1* | Card authentication failed |
| R0 | Fraudulent transaction prior to embossed valid date (future) |
| R1 | Credit not received (future) |
| R2 | Allowable PAN entries warning -- approved |
| R3 | Approved with overdraft protection |
| R4 | Bad CVV3 |
| RR* | Unknown Backend Processing Error |
| S0 | Check not acceptable for cash |
| S1 | Check not acceptable |
| S2 | Check deposit limit exceeded |
| S3 | Cash back limit exceeded |
| S4 | Check amount does not match courtesy amount |
| S5 | PIN not selected |
| S6 | PIN already selected |
| S7 | Unmatched voucher information |
| S8 | Allowable PAN entries exceeded -- denial |
| S9 | Expiration date mismatch |
| SA | Inactive card |
| SB | Expiration date mismatch (card pickup) |
| SC | Item suspected for stop pay |
| SD | Account closed |
| SE | Ineligible account |
| SF | Item submitted more than two times |
| SG | No account on file - absolute |
| SH | Unable to locate |
| SI | General denial |
| SJ | Item settled via ACH |
| SK | Cross-reference card not found |
| SL | Category limit exceeded |
| SM | Transaction limit exceeded |
| SN | Daily limit exceeded |
| SO | Monthly limit exceeded |
| SP | Invalid secret code |
| SQ | PIN key sync error |
| SR | Bad CVV2 |
| SS | Stop payment order |
| ST | Revocation of authorization order |
| SV | Stop reoccurring payments |
| T3 | Lost card (no pickup) |
| T4 | Closed account |
| T5 | Dormant account |
| T6 | Special conditions (no pick-up) |
| T7 | Purchase only approval for purchase with cash back transaction. |
| T9 | Insufficient funds for fees |
| TA | ARQC validation failed for chip card |
| TB | Unsafe PIN |
| U0-YZ | Reserved for private use |
| ZD* | MasterCard Send (MoneySend) Error due to Expiration Date |
| ZN* | MasterCard Send (MoneySend) Decline due to Card was Declined |
| ZR* | MasterCard Send (MoneySend) Decline due to Unsupported Card |
| ZU* | MasterCard Send (MoneySend) Error due to an Unknown Reason |
| ZX* | MasterCard Send (MoneySend) Decline due to an Unknown Reason |
| ZY* | MasterCard Send (MoneySend) Request in Unknown Status |
| ZZ* | Used by TabaPay for Testing |
Notes:
* Not all Networks may return this Network Response Code.
| Accel Action Code | Description |
|---|---|
| 000 | Approved |
| 001 | Approved with identification |
| 002 | Approved for partial amount |
| 003 | Approved (VIP) |
| 100, 200 | Do not honor |
| 101, 201 | Expired card |
| 102, 202 | Suspected fraud |
| 103, 203 | Card acceptor contact acquirer |
| 104, 204 | Restricted card |
| 105, 205 | Card acceptor call acquirer’s security department |
| 106, 206 | Allowable PIN tries exceeded |
| 107 | Refer to card issuer |
| 108 | Refer to card issuer’s special condition |
| 109 | Invalid merchant |
| 110 | Invalid amount |
| 111 | Invalid card number |
| 112 | PIN data required |
| 113 | Unacceptable fee |
| 114, 214 | No account of type requested |
| 115 | Requested function not supported (invalid transaction) |
| 116, 216 | Insufficient funds |
| 117, 217 | Incorrect PIN |
| 118 | No card record |
| 119 | Transaction not permitted to cardholder |
| 120 | Transaction not permitted to terminal |
| 121 | Exceeds withdrawal amount limit |
| 122 | Security violation |
| 123 | Exceeds withdrawal limit frequency |
| 124 | Violation of law |
| 126 | Invalid PIN block |
| 127 | PIN length error |
| 128 | PIN key synchronization error (sanity error) |
| 129 | Suspected counterfeit card |
| 130 | Transaction failed OFAC check |
| 131 | Check not acceptable |
| 180 | Limit exceeded due to cashback amount |
| 181 | Enter lesser amount |
| 182 | Institution not supported by switch |
| 183 | Balances not available for inquiry |
| 184 | Resubmission in violation of network rules |
| 185 | Stop payment on check (shared branch only) |
| 207 | Special conditions |
| 208 | Lost card |
| 209 | Stolen card |
| 210 | Suspected counterfeit card |
| 907 | Card issuer or switch inoperative |
| 908 | Transaction destination cannot be found for routing |
| 909 | System malfunction |
| 999 | Used by TabaPay for Testing |
| RTP Response Code | Description |
|---|---|
| P01 | Insufficient Funds |
| P02 | Unknown customer, account closed |
| P04 | Debtor/Creditor Account invalid |
| P07 | Account blocked |
| P11 | Transaction forbidden on this account |
| P14 | Deceased customer |
| P18 | Invalid Date |
| P21 | Incorrect Agent |
| P23 | Amount not agreed upon or invalid |
| P24 | Duplicate message |
| P26 | Missing or invalid mandatory field |
| P27 | See narrative information for more detail about error |
| P28 | Incorrect RTN |
| P34 | Suspended account |
| Z01 | Internal RTP error |
| Z02 | Timeout |
| Z03 | Token error |
| Z0U | Unknown Network Error |
AVS Response Codes
| Code | Visa | MasterCard | Discover | American Express |
|---|---|---|---|---|
| Y | Address & 5-digit or 9-digit ZIP match | Address & 5-digit ZIP match | Address only matches | Address & ZIP match |
| A | Address matches, ZIP does not | Address matches, ZIP does not | Address & 5-digit ZIP match | Address only matches |
| S | AVS not supported | AVS not supported | AVS not supported | AVS not supported |
| R | System unavailable, retry | System unavailable, retry | Not applicable | System unavailable, retry |
| U | Information not available | Information not available | System unavailable, retry | Information not available |
| Z | Either 5-digit or 9-digit ZIP match, address does not | 5-digit ZIP matches, address does not | 5-digit ZIP matches, address does not | ZIP code only matches |
| N | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match |
| W | Not applicable | For U.S., 9-digit ZIP matches, address does not. For non-U.S., ZIP matches, address does not | Information not available | Not applicable |
| X | Not applicable | For U.S., all digits match. For non-U.S., ZIP and address match. | Address & 9-digit ZIP match | Not applicable |
| B | Address matches, ZIP not verified | Not applicable | Not applicable | Not applicable |
| T | Not applicable | Not applicable | 9-digit ZIP matches, address does not | Not applicable |
| P | ZIP matches, address not verified | Not applicable | Not applicable | Not applicable |
| C | Address and ZIP not verified | Not applicable | Not applicable | Not applicable |
| D | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| G | Address not verified for International transaction (International only) | Not applicable | Not applicable | Not applicable |
| I | Address not verified (International only) | Not applicable | Not applicable | Not applicable |
| M | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| F | Address & ZIP match (UK only) | Not applicable | Not applicable | Not applicable |
Security Code Response Codes
| Response Code for Securtiy Code | Description |
|---|---|
| M | Security Code was matched |
| N | Security Code was not matched |
Internal Error Codes
These are Internal Error Codes used only for debugging. These are subject to change at any time and without any notice. You should be using SC and EM to determine what might be wrong if you are getting an error.| EC | Description |
|---|---|
| 0 | OK |
| != 0 | Error |
If you need to contact TabaPay Support, be sure to send:
- Timestamp including Timezone
- Request (be sure to mask out any card data)
- Response
Status Codes
| Status Code | Description | |
|---|---|---|
| 200 | OK | The API Request was successfully processed. |
| 201 | Created | Transaction Created, but Transaction Processing is Pending (batch). |
| 207 | Multi-Status | One or more upstream processing failed. |
| 400 | Bad Request | The ResourceID is invalid or The Request Data is invalid. |
| 401 | UnAuthorized | The Authorization Token is invalid or The IP Address is invalid (not whitelisted). |
| 403 | Forbidden | Invalid permissions to access the Resource, please contact TabaPay support. |
| 404 | Not Found | The ResourceID does not point to a valid Resource. |
| 405 | Method Not Allowed | Request Method Not Allowed for the Requested Resource. |
| 406 | Not Acceptable | Our Web Application Firewall (WAF) found something invalid in your request. |
| 409 | Conflict | ReferenceID already used or Conflicting Request Parameters. |
| 410 | Gone | The Resource pointed to by the ResourceID has been marked for deletion. |
| 415 | Unsupported Media Type | Content-type must be application/json. |
| 421 | Misdirected Request | Too late to Retrieve by ReferenceID, use AccountID or TransactionID. |
| 422 | Unprocessable Entity | The Resource pointed to by the ResourceID is in an invalid state or The Transaction Amount exceeded one or more Limits. |
| 423 | Locked | The Resource pointed to by the ResourceID is locked. |
| 429 | Too Many Requests | Retrieve: Too many requests, please do not poll. Create Transaction: Over your Daily (24-hour rolling) Approximation Limit. |
| 431 | Request Header Fields Too Large | Too many HTTP Header Lines and/or HTTP Header Lines too big. |
| 500 | Server Error | There was a problem processing the Request. |
| 502 | Bad Gateway | Problem connecting to an Application Server. |
| 503 | Service Unavailable | Your request cannot be processed, should be only a Temporary Condition. |
| 504 | Gateway Timeout | Connection to an Application Server timed out. |
A 400 Series Error is usually something that you can fix by changing something in your request. A 500 Series Error is usually something that you need to contact us (support@TabaPay.com) to look at. If we determine that a 500 Series Error can be fixed by you, we will try to change this error situation to a 400 Series Error in a future code release.
Currency Numbers
We are using ISO 4217 Currency Numbers.| Currency Number | Decimal Places | Decimal Separator | Currency Code | Currency Name |
|---|---|---|---|---|
| 784 | 2 | . (period) | AED | United Arab Emirates dirham |
| 971 | 2 | . (period) | AFN | Afghan afghani |
| 008 | 2 | , (comma) | ALL | Albanian lek |
| 051 | 2 | , (comma) | AMD | Armenian dram |
| 532 | 2 | . (period) | ANG | Netherlands Antillean guilder |
| 973 | 2 | , (comma) | AOA | Angolan kwanza |
| 032 | 2 | , (comma) | ARS | Argentine peso |
| 036 | 2 | . (period) | AUD | Australian dollar |
| 533 | 2 | . (period) | AWG | Aruban florin |
| 944 | 2 | , (comma) | AZN | Azerbaijani manat |
| 977 | 2 | , (comma) | BAM | Bosnia and Herzegovina convertible mark |
| 052 | 2 | . (period) | BBD | Barbados dollar |
| 050 | 2 | . (period) | BDT | Bangladeshi taka |
| 975 | 2 | , (comma) | BGN | Bulgarian lev |
| 048 | 3 | . (period) | BHD | Bahraini dinar |
| 108 | 0 | N/A | BIF | Burundian franc |
| 060 | 2 | . (period) | BMD | Bermudian dollar |
| 096 | 2 | . (period) | BND | Brunei dollar |
| 068 | 2 | , (comma) | BOB | Boliviano |
| 986 | 2 | , (comma) | BRL | Brazilian real |
| 044 | 2 | . (period) | BSD | Bahamian dollar |
| 064 | 2 | . (period) | BTN | Bhutanese ngultrum |
| 072 | 2 | . (period) | BWP | Botswana pula |
| 933 | 2 | , (comma) | BYN | Belarusian ruble |
| 084 | 2 | . (period) | BZD | Belize dollar |
| 124 | 2 | . (period) | CAD | Canadian dollar |
| 976 | 2 | . (period) | CDF | Congolese franc |
| 756 | 2 | . (period) | CHF | Swiss franc |
| 152 | 0 | N/A | CLP | Chilean peso |
| 156 | 2 | . (period) | CNY | Renminbi yuan |
| 170 | 2 | , (comma) | COP | Colombian peso |
| 188 | 2 | , (comma) | CRC | Costa Rican colon |
| 931 | 2 | , (comma) | CUC | Cuban convertible peso |
| 192 | 2 | , (comma) | CUP | Cuban peso |
| 132 | 2 | . (period) | CVE | Cape Verdean escudo |
| 203 | 2 | . (period) | CZK | Czech koruna |
| 262 | 0 | N/A | DJF | Djiboutian franc |
| 208 | 2 | , (comma) | DKK | Danish krone |
| 214 | 2 | . (period) | DOP | Dominican peso |
| 012 | 2 | , (comma) | DZD | Algerian dinar |
| 818 | 2 | . (period) | EGP | Egyptian pound |
| 232 | 2 | . (period) | ERN | Eritrean nakfa |
| 230 | 2 | . (period) | ETB | Ethiopian birr |
| 978 | 2 | , (comma) | EUR | Euro |
| 242 | 2 | . (period) | FJD | Fiji dollar |
| 238 | 2 | . (period) | FKP | Falkland Islands pound |
| 826 | 2 | . (period) | GBP | Pound sterling |
| 981 | 2 | , (comma) | GEL | Georgian lari |
| 936 | 2 | . (period) | GHS | Ghanaian cedi |
| 292 | 2 | . (period) | GIP | Gibraltar pound |
| 270 | 2 | . (period) | GMD | Gambian dalasi |
| 324 | 0 | N/A | GNF | Guinean franc |
| 320 | 2 | . (period) | GTQ | Guatemalan quetzal |
| 328 | 2 | . (period) | GYD | Guyanese dollar |
| 344 | 2 | . (period) | HKD | Hong Kong dollar |
| 340 | 2 | . (period) | HNL | Honduran lempira |
| 191 | 2 | . (period) | HRK | Croatian kuna |
| 332 | 2 | . (period) | HTG | Haitian gourde |
| 348 | 2 | , (comma) | HUF | Hungarian forint |
| 360 | 2 | , (comma) | IDR | Indonesian rupiah |
| 376 | 2 | . (period) | ILS | Israeli new shekel |
| 356 | 2 | . (period) | INR | Indian rupee |
| 368 | 3 | . (period) | IQD | Iraqi dinar |
| 364 | 2 | . (period) | IRR | Iranian rial |
| 352 | 0 | N/A | ISK | Icelandic króna |
| 388 | 2 | . (period) | JMD | Jamaican dollar |
| 400 | 3 | . (period) | JOD | Jordanian dinar |
| 392 | 0 | N/A | JPY | Japanese yen |
| 404 | 2 | . (period) | KES | Kenyan shilling |
| 417 | 2 | , (comma) | KGS | Kyrgyzstani som |
| 116 | 2 | . (period) | KHR | Cambodian riel |
| 174 | 0 | N/A | KMF | Comoro franc |
| 408 | 2 | . (period) | KPW | North Korean won |
| 410 | 0 | N/A | KRW | South Korean won |
| 414 | 3 | . (period) | KWD | Kuwaiti dinar |
| 136 | 2 | . (period) | KYD | Cayman Islands dollar |
| 398 | 2 | , (comma) | KZT | Kazakhstani tenge |
| 418 | 2 | . (period) | LAK | Lao kip |
| 422 | 2 | . (period) | LBP | Lebanese pound |
| 144 | 2 | . (period) | LKR | Sri Lankan rupee |
| 430 | 2 | . (period) | LRD | Liberian dollar |
| 426 | 2 | . (period) | LSL | Lesotho loti |
| 434 | 3 | . (period) | LYD | Libyan dinar |
| 504 | 2 | , (comma) | MAD | Moroccan dirham |
| 498 | 2 | , (comma) | MDL | Moldovan leu |
| 969 | 2 | . (period) | MGA | Malagasy ariary |
| 807 | 2 | , (comma) | MKD | Macedonian denar |
| 104 | 2 | . (period) | MMK | Myanmar kyat |
| 496 | 2 | . (period) | MNT | Mongolian tögrög |
| 446 | 2 | , (comma) | MOP | Macanese pataca |
| 929 | 2 | . (period) | MRU | Mauritanian ouguiya |
| 480 | 2 | . (period) | MUR | Mauritian rupee |
| 462 | 2 | . (period) | MVR | Maldivian rufiyaa |
| 454 | 2 | . (period) | MWK | Malawian kwacha |
| 484 | 2 | . (period) | MXN | Mexican peso |
| 458 | 2 | . (period) | MYR | Malaysian ringgit |
| 943 | 2 | , (comma) | MZN | Mozambican metical |
| 516 | 2 | . (period) | NAD | Namibian dollar |
| 566 | 2 | . (period) | NGN | Nigerian naira |
| 558 | 2 | . (period) | NIO | Nicaraguan córdoba |
| 578 | 2 | , (comma) | NOK | Norwegian krone |
| 524 | 2 | . (period) | NPR | Nepalese rupee |
| 554 | 2 | . (period) | NZD | New Zealand dollar |
| 512 | 3 | . (period) | OMR | Omani rial |
| 590 | 2 | . (period) | PAB | Panamanian balboa |
| 604 | 2 | , (comma) | PEN | Peruvian sol |
| 598 | 2 | . (period) | PGK | Papua New Guinean kina |
| 608 | 2 | . (period) | PHP | Philippine peso |
| 586 | 2 | . (period) | PKR | Pakistani rupee |
| 985 | 2 | , (comma) | PLN | Polish złoty |
| 600 | 0 | N/A | PYG | Paraguayan guaraní |
| 634 | 2 | . (period) | QAR | Qatari riyal |
| 946 | 2 | , (comma) | RON | Romanian leu |
| 941 | 2 | , (comma) | RSD | Serbian dinar |
| 643 | 2 | , (comma) | RUB | Russian ruble |
| 646 | 0 | N/A | RWF | Rwandan franc |
| 682 | 2 | . (period) | SAR | Saudi riyal |
| 090 | 2 | . (period) | SBD | Solomon Islands dollar |
| 690 | 2 | . (period) | SCR | Seychelles rupee |
| 938 | 2 | . (period) | SDG | Sudanese pound |
| 752 | 2 | , (comma) | SEK | Swedish krona/kronor |
| 702 | 2 | . (period) | SGD | Singapore dollar |
| 654 | 2 | . (period) | SHP | Saint Helena pound |
| 694 | 2 | . (period) | SLL | Sierra Leonean leone |
| 706 | 2 | . (period) | SOS | Somali shilling |
| 968 | 2 | , (comma) | SRD | Surinamese dollar |
| 728 | 2 | . (period) | SSP | South Sudanese pound |
| 930 | 2 | . (period) | STN | São Tomé and Príncipe dobra |
| 222 | 2 | . (period) | SVC | Salvadoran colón |
| 760 | 2 | . (period) | SYP | Syrian pound |
| 748 | 2 | . (period) | SZL | Swazi lilangeni |
| 764 | 2 | . (period) | THB | Thai baht |
| 972 | 2 | . (period) | TJS | Tajikistani somoni |
| 934 | 2 | , (comma) | TMT | Turkmenistan manat |
| 788 | 3 | , (comma) | TND | Tunisian dinar |
| 776 | 2 | . (period) | TOP | Tongan paʻanga |
| 949 | 2 | , (comma) | TRY | Turkish lira |
| 780 | 2 | . (period) | TTD | Trinidad and Tobago dollar |
| 901 | 2 | . (period) | TWD | New Taiwan dollar |
| 834 | 2 | . (period) | TZS | Tanzanian shilling |
| 980 | 2 | , (comma) | UAH | Ukrainian hryvnia |
| 800 | 0 | N/A | UGX | Ugandan shilling |
| 840 | 2 | . (period) | USD | United States dollar |
| 858 | 2 | , (comma) | UYU | Uruguayan peso |
| 927 | 4 | , (comma) | UYW | Unidad previsional |
| 860 | 2 | , (comma) | UZS | Uzbekistan som |
| 928 | 2 | , (comma) | VES | Venezuelan bolívar soberano |
| 704 | 0 | N/A | VND | Vietnamese đồng |
| 548 | 0 | N/A | VUV | Vanuatu vatu |
| 882 | 2 | . (period) | WST | Samoan tala |
| 950 | 0 | N/A | XAF | CFA franc BEAC |
| 951 | 2 | . (period) | XCD | East Caribbean dollar |
| 952 | 0 | N/A | XOF | CFA franc BCEAO |
| 953 | 0 | N/A | XPF | CFP franc |
| 886 | 2 | . (period) | YER | Yemeni rial |
| 710 | 2 | . (period) | ZAR | South African rand |
| 967 | 2 | . (period) | ZMW | Zambian kwacha |
| 932 | 2 | . (period) | ZWL | Zimbabwean dollar |
Country Codes
We are using ISO 3166-1 numeric (or numeric-3) codes.| Country Code | Country Name |
|---|---|
| 004 | Afghanistan |
| 248 | Åland Islands |
| 008 | Albania |
| 012 | Algeria |
| 016 | American Samoa |
| 020 | Andorra |
| 024 | Angola |
| 660 | Anguilla |
| 010 | Antarctica |
| 028 | Antigua and Barbuda |
| 032 | Argentina |
| 051 | Armenia |
| 533 | Aruba |
| 036 | Australia |
| 040 | Austria |
| 031 | Azerbaijan |
| 044 | Bahamas |
| 048 | Bahrain |
| 050 | Bangladesh |
| 052 | Barbados |
| 112 | Belarus |
| 056 | Belgium |
| 084 | Belize |
| 204 | Benin |
| 060 | Bermuda |
| 064 | Bhutan |
| 068 | Bolivia, Plurinational State of |
| 535 | Bonaire, Sint Eustatius and Saba |
| 070 | Bosnia and Herzegovina |
| 072 | Botswana |
| 074 | Bouvet Island |
| 076 | Brazil |
| 086 | British Indian Ocean Territory |
| 096 | Brunei Darussalam |
| 100 | Bulgaria |
| 854 | Burkina Faso |
| 108 | Burundi |
| 132 | Cabo Verde |
| 116 | Cambodia |
| 120 | Cameroon |
| 124 | Canada |
| 136 | Cayman Islands |
| 140 | Central African Republic |
| 148 | Chad |
| 152 | Chile |
| 156 | China |
| 162 | Christmas Island |
| 166 | Cocos (Keeling) Islands |
| 170 | Colombia |
| 174 | Comoros |
| 178 | Congo |
| 180 | Congo, the Democratic Republic of the |
| 184 | Cook Islands |
| 188 | Costa Rica |
| 384 | Côte d'Ivoire |
| 191 | Croatia |
| 192 | Cuba |
| 531 | Curaçao |
| 196 | Cyprus |
| 203 | Czechia |
| 208 | Denmark |
| 262 | Djibouti |
| 212 | Dominica |
| 214 | Dominican Republic |
| 218 | Ecuador |
| 818 | Egypt |
| 222 | El Salvador |
| 226 | Equatorial Guinea |
| 232 | Eritrea |
| 233 | Estonia |
| 231 | Ethiopia |
| 238 | Falkland Islands (Malvinas) |
| 234 | Faroe Islands |
| 242 | Fiji |
| 246 | Finland |
| 250 | France |
| 254 | French Guiana |
| 258 | French Polynesia |
| 260 | French Southern Territories |
| 266 | Gabon |
| 270 | Gambia |
| 268 | Georgia |
| 276 | Germany |
| 288 | Ghana |
| 292 | Gibraltar |
| 300 | Greece |
| 304 | Greenland |
| 308 | Grenada |
| 312 | Guadeloupe |
| 316 | Guam |
| 320 | Guatemala |
| 831 | Guernsey |
| 324 | Guinea |
| 624 | Guinea-Bissau |
| 328 | Guyana |
| 332 | Haiti |
| 334 | Heard Island and McDonald Islands |
| 336 | Holy See |
| 340 | Honduras |
| 344 | Hong Kong |
| 348 | Hungary |
| 352 | Iceland |
| 356 | India |
| 360 | Indonesia |
| 364 | Iran, Islamic Republic of |
| 368 | Iraq |
| 372 | Ireland |
| 833 | Isle of Man |
| 376 | Israel |
| 380 | Italy |
| 388 | Jamaica |
| 392 | Japan |
| 832 | Jersey |
| 400 | Jordan |
| 398 | Kazakhstan |
| 404 | Kenya |
| 296 | Kiribati |
| 408 | Korea, Democratic People's Republic of |
| 410 | Korea, Republic of |
| 414 | Kuwait |
| 417 | Kyrgyzstan |
| 418 | Lao People's Democratic Republic |
| 428 | Latvia |
| 422 | Lebanon |
| 426 | Lesotho |
| 430 | Liberia |
| 434 | Libya |
| 438 | Liechtenstein |
| 440 | Lithuania |
| 442 | Luxembourg |
| 446 | Macao |
| 807 | Macedonia, the former Yugoslav Republic of |
| 450 | Madagascar |
| 454 | Malawi |
| 458 | Malaysia |
| 462 | Maldives |
| 466 | Mali |
| 470 | Malta |
| 584 | Marshall Islands |
| 474 | Martinique |
| 478 | Mauritania |
| 480 | Mauritius |
| 175 | Mayotte |
| 484 | Mexico |
| 583 | Micronesia, Federated States of |
| 498 | Moldova, Republic of |
| 492 | Monaco |
| 496 | Mongolia |
| 499 | Montenegro |
| 500 | Montserrat |
| 504 | Morocco |
| 508 | Mozambique |
| 104 | Myanmar |
| 516 | Namibia |
| 520 | Nauru |
| 524 | Nepal |
| 528 | Netherlands |
| 540 | New Caledonia |
| 554 | New Zealand |
| 558 | Nicaragua |
| 562 | Niger |
| 566 | Nigeria |
| 570 | Niue |
| 574 | Norfolk Island |
| 580 | Northern Mariana Islands |
| 578 | Norway |
| 512 | Oman |
| 586 | Pakistan |
| 585 | Palau |
| 275 | Palestine, State of |
| 591 | Panama |
| 598 | Papua New Guinea |
| 600 | Paraguay |
| 604 | Peru |
| 608 | Philippines |
| 612 | Pitcairn |
| 616 | Poland |
| 620 | Portugal |
| 630 | Puerto Rico |
| 634 | Qatar |
| 638 | Réunion |
| 642 | Romania |
| 643 | Russian Federation |
| 646 | Rwanda |
| 652 | Saint Barthélemy |
| 654 | Saint Helena, Ascension and Tristan da Cunha |
| 659 | Saint Kitts and Nevis |
| 662 | Saint Lucia |
| 663 | Saint Martin (French part) |
| 666 | Saint Pierre and Miquelon |
| 670 | Saint Vincent and the Grenadines |
| 882 | Samoa |
| 674 | San Marino |
| 678 | Sao Tome and Principe |
| 682 | Saudi Arabia |
| 686 | Senegal |
| 688 | Serbia |
| 690 | Seychelles |
| 694 | Sierra Leone |
| 702 | Singapore |
| 534 | Sint Maarten (Dutch part) |
| 703 | Slovakia |
| 705 | Slovenia |
| 090 | Solomon Islands |
| 706 | Somalia |
| 710 | South Africa |
| 239 | South Georgia and the South Sandwich Islands |
| 728 | South Sudan |
| 724 | Spain |
| 144 | Sri Lanka |
| 729 | Sudan |
| 740 | Suriname |
| 744 | Svalbard and Jan Mayen |
| 748 | Swaziland |
| 752 | Sweden |
| 756 | Switzerland |
| 760 | Syrian Arab Republic |
| 158 | Taiwan, Province of China |
| 762 | Tajikistan |
| 834 | Tanzania, United Republic of |
| 764 | Thailand |
| 626 | Timor-Leste |
| 768 | Togo |
| 772 | Tokelau |
| 776 | Tonga |
| 780 | Trinidad and Tobago |
| 788 | Tunisia |
| 792 | Turkey |
| 795 | Turkmenistan |
| 796 | Turks and Caicos Islands |
| 798 | Tuvalu |
| 800 | Uganda |
| 804 | Ukraine |
| 784 | United Arab Emirates |
| 826 | United Kingdom |
| 581 | United States Minor Outlying Islands |
| 840 | United States of America |
| 858 | Uruguay |
| 860 | Uzbekistan |
| 548 | Vanuatu |
| 862 | Venezuela, Bolivarian Republic of |
| 704 | Viet Nam |
| 092 | Virgin Islands, British |
| 850 | Virgin Islands, U.S. |
| 876 | Wallis and Futuna |
| 732 | Western Sahara |
| 887 | Yemen |
| 894 | Zambia |
| 716 | Zimbabwe |
State Codes
We are using the United States Postal Service 2-letter codes.| State Code | State Name | State Numeric Code |
|---|---|---|
| AL | Alabama | 01 |
| AK | Alaska | 02 |
| AZ | Arizona | 04 |
| AR | Arkansas | 05 |
| CA | California | 06 |
| CO | Colorado | 08 |
| CT | Connecticut | 09 |
| DE | Delaware | 10 |
| DC | District of Columbia | 11 |
| FL | Florida | 12 |
| GA | Georgia | 13 |
| HI | Hawaii | 15 |
| ID | Idaho | 16 |
| IL | Illinois | 17 |
| IN | Indiana | 18 |
| IA | Iowa | 19 |
| KS | Kansas | 20 |
| KY | Kentucky | 21 |
| LA | Louisiana | 22 |
| ME | Maine | 23 |
| MD | Maryland | 24 |
| MA | Massachusetts | 25 |
| MI | Michigan | 26 |
| MN | Minnesota | 27 |
| MS | Mississippi | 28 |
| MO | Missouri | 29 |
| MT | Montana | 30 |
| NE | Nebraska | 31 |
| NV | Nevada | 32 |
| NH | New Hampshire | 33 |
| NJ | New Jersey | 34 |
| NM | New Mexico | 35 |
| NY | New York | 36 |
| NC | North Carolina | 37 |
| ND | North Dakota | 38 |
| OH | Ohio | 39 |
| OK | Oklahoma | 40 |
| OR | Oregon | 41 |
| PA | Pennsylvania | 42 |
| RI | Rhode Island | 44 |
| SC | South Carolina | 45 |
| SD | South Dakota | 46 |
| TN | Tennessee | 47 |
| TX | Texas | 48 |
| UT | Utah | 49 |
| VT | Vermont | 50 |
| VA | Virginia | 51 |
| WA | Washington | 53 |
| WV | West Virginia | 54 |
| WI | Wisconsin | 55 |
| WY | Wyoming | 56 |
| AS | American Samoa | 00 |
| GU | Guam | 00 |
| MP | Northern Mariana Islands | 00 |
| PR | Puerto Rico | 00 |
| UM | United States Minor Outlying Islands | 00 |
| VI | Virgin Islands | 00 |
Canadian Province Codes
We are using the Canadian postal abbreviations for provinces and territories.| Province Code | Province Name | Province Numeric Code |
|---|---|---|
| AB | Alberta | 60 |
| BC | British Columbia | 61 |
| MB | Manitoba | 62 |
| NB | New Brunswick | 63 |
| NL | Newfoundland and Labrador | 64 |
| NS | Nova Scotia | 66 |
| NT | Northwest Territories | 65 |
| NU | Nunavut | 72 |
| ON | Ontario | 67 |
| PE | Prince Edward Island | 68 |
| QC | Quebec | 69 |
| SK | Saskatchewan | 70 |
| YT | Yukon | 71 |
Resource Statuses
| Resource's Status | Any Resource | Transaction | Description |
|---|---|---|---|
| OK | ✔ | ✔ | Resource is in normal status. |
| LOCKED | ✔ | ✔ | Resource is locked. |
| DELETED | ✔ | ✔ | Resource is marked for deletion. |
| PENDING | ✔ | Transaction processing started. | |
| BATCH | ✔ | Transaction processing waiting to be processed (batch). | |
| FAILED | ✔ | Transaction processing failed. | |
| UNKNOWN | ✔ | Transaction processing result is unknown. | |
| ERROR | ✔ | Transaction processing error. | |
| COMPLETED | ✔ | Transaction completed processing successfully. | |
| REVERSED | ✔ | A Request to Reverse a previous PULL Transaction was requested. | |
| REVERSAL | ✔ | A Request to Reverse a previous PULL Transaction was tried, however the status is unknown. |
Transactions
The following tables shows the various statuses a Transaction Resource undergoes:Transaction Successful
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started or waiting to be processed (batch). |
| COMPLETED | Transaction processed successfully. |
Transaction Error
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started. |
| ERROR | Transaction processing error, see Network Response Code. |
Transaction Processing returned a non-successful Network Response Code from a Card Network.
Transaction Failed
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started. |
| FAILED | Transaction processing failed. |
Transaction Processing failed. The Transaction was unsuccessful.
Transaction Result is Unknown
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started. |
| UNKNOWN | Transaction processing result is unknown. |
The Transaction could have been successful or not. Manual intervention is required to determine the status of the Transaction. Please contact support@TabaPay.com.
Transaction Timed Out so Result was originally Unknown but actually Successful
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started. |
| UNKNOWN | Transaction processing result is unknown. |
| COMPLETED | Transaction processed successfully. |
The Transaction timed out so the Transaction Status was originally set to UNKNOWN. Your request returned a Status Code of 207. The Transaction Processing continue to be processed. The final and actual Transaction is COMPLETED.
Transaction Timed Out so Result was originally Unknown but actually Failed
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started. |
| UNKNOWN | Transaction processing result is unknown. |
| FAILED | Transaction processing failed. |
The Transaction timed out so the Transaction Status was originally set to UNKNOWN. Your request returned a Status Code of 207. The Transaction Processing continue to be processed. Something did go wrong and so the final and actual Transaction is FAILED.
Transaction Successful but a Request to Reverse the Transaction was requested
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started or waiting to be processed (batch). |
| COMPLETED | Transaction processed successfully. |
| REVERSED | Transaction Reversal was requested. |
Transaction Successful but a Request to Reverse the Transaction was tried
| Status | Description |
|---|---|
| OK | Transaction created. |
| PENDING | Transaction processing started or waiting to be processed (batch). |
| COMPLETED | Transaction processed successfully. |
| REVERSAL | Transaction Reversal was tried, however the status is unknown. |
Batch Transaction Successful
| Status | Description |
|---|---|
| OK | Transaction created. |
| BATCH | Transaction waiting to be processed (batch). |
| COMPLETED | Transaction processed successfully. |
Test Cards
PCI requires us and you to use Test Card Numbers when testing. You should never use a real Card Number in the Sandbox Environment. The following Card Numbers were randomly created, if they happen by chance to be a real Card Number, it is purely by coincidence only.| Network | Card Number | Regulated | Card Type | Pull | Push (Availability) | ||||
|---|---|---|---|---|---|---|---|---|---|
| Debit | Credit | PrePaid | Immediate | Next | Few | ||||
| Visa | 4000056655665556 | ✘ No | ✔ | ✔ | ✔ | ||||
| 4005519200000004 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4111111111111111 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4012000077777777 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4000000760000002 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4000001240000000 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4000004840008001 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 4500600000000061 | ✘ No | ✔ | ✔ | ✔ | |||||
| 4217651111111119 | ✘ No | ✔ | ✘ | ✔ | |||||
| 4242424242424242 | ✘ No | ✔ | ✘ | ✔ | |||||
| MasterCard | 2223000048400011 | ✘ No | ✔ | ✔ | ✘ (✔*) | ||||
| 5200828282828210 | ✔ Yes | ✔ | ✔ | ✘ (✔*) | |||||
| 5403879999999997 | ✔ Yes | ✔ | ✔ | ✘ (✔*) | |||||
| 5105105105105100 | ✔ Yes | ✔ | ✔ | ✘ (✔*) | |||||
| MoneySend | 2223003122003222 | ✘ No | ✔ | ✘ | ✔ | ||||
| 5555555555554444 | ✔ Yes | ✔ | ✘ | ✔ | |||||
| American Express | 371449635398431 | ✔ Yes | ✔ | ✔ | ✔ | ||||
| 378282246310005 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 378734493671000 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| Discover | 6011111111111117 | ✔ Yes | ✔ | ✔ | ✔ | ||||
| 6011000990139424 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| 6011000991300009 | ✔ Yes | ✔ | ✔ | ✔ | |||||
| Network | Card Number | International | |
|---|---|---|---|
| Currency | Country | ||
| IntlVisa | 8405124124999998 | 124 | 124 |
| 8405840124999999 | 840 | 124 | |
| 8405704704999995 | 704 | 704 | |
| 8405840704999997 | 840 | 704 | |
| 8405764764999996 | 764 | 764 | |
| 8405840764999994 | 840 | 764 | |
| 8405458458999996 | 458 | 458 | |
| 8405360360999991 | 360 | 360 | |
| 8405946946999990 | 946 | 946 | |
| 8405978946999993 | 978 | 946 | |
| 8405144144999992 | 144 | 144 | |
| 8405946642999997 | 946 | 642 | |
| 8405558558999992 | 558 | 558 | |
| 8405340340999998 | 340 | 340 | |
| 8405840222999990 | 840 | 222 | |
| 8405978384999992 | 978 | 384 | |
| 8405051051999990 | 051 | 051 | |
| 8405981268999997 | 981 | 268 | |
| 8405348348999993 | 348 | 348 | |
| 8405398398999997 | 398 | 398 | |
| 8405600600999990 | 600 | 600 | |
| 8405949792999999 | 949 | 792 | |
| 8405980804999990 | 980 | 804 | |
| IntlMasterCard | 8505124124999997 | 124 | 124 |
| 8505840124999998 | 840 | 124 | |
| 8505704704999994 | 704 | 704 | |
| 8505840704999996 | 840 | 704 | |
| 8505764764999995 | 764 | 764 | |
| 8505840764999993 | 840 | 764 | |
| 8505458458999995 | 458 | 458 | |
| 8505360360999990 | 360 | 360 | |
| 8505946946999999 | 946 | 946 | |
| 8505978946999992 | 978 | 946 | |
| 8505144144999991 | 144 | 144 | |
| 8505946642999996 | 946 | 642 | |
| 8505558558999991 | 558 | 558 | |
| 8505340340999997 | 340 | 340 | |
| 8505840222999999 | 840 | 222 | |
| 8505978384999991 | 978 | 384 | |
| 8505051051999999 | 051 | 051 | |
| 8505981268999996 | 981 | 268 | |
| 8505348348999992 | 348 | 348 | |
| 8505398398999996 | 398 | 398 | |
| 8505600600999999 | 600 | 600 | |
| 8505949792999998 | 949 | 792 | |
| 8505980804999999 | 980 | 804 | |
Sample Flows
There are only a few simple flows:Retrieve Client's Attributes (Information) | |||||||
|---|---|---|---|---|---|---|---|
| API Call | Description | ||||||
| 1 | Retrieve Client | Client Attributes:
| |||||
| Create Key (optional) | |||||||
| API Call | Description | ||||||
| 2 | Create Key | Encryption Key RSA Public Key | |||||
| Transaction using an Account (Tokenization) | |||||||
| API Call | Description | ||||||
| 3 | Query Card | Card Attributes | |||||
| API Call | Description | ||||||
| 4 | Create Account | Type: Card | |||||
| API Call | Description | ||||||
| 5 | Create Transaction Push | Transaction:
| |||||
| API Call | Description | ||||||
| 6 | Create Transaction Pull | Transaction:
| |||||
| One Time Transaction | |||||||
| API Call | Description | ||||||
| 7 | Query Card | Card Attributes | |||||
| API Call | Description | ||||||
| 8 | Create Transaction Push | Transaction:
| |||||
| API Call | Description | ||||||
| 9 | Create Transaction Pull | Transaction:
| |||||
| Optionally Retrieve an Account, Update an Account, or Delete an Account | |||||||
| API Call | Description | ||||||
| 10 | Retrieve Account | ||||||
| API Call | Description | ||||||
| 11 | Update Account | Type: Card | |||||
| API Call | Description | ||||||
| 12 | Delete Account | ||||||
| Optionally Retrieve Transaction Information | |||||||
| API Call | Description | ||||||
| 13 | Retrieve Transaction | ||||||
| API Call | Description | ||||||
| 14 | Retrieve Transaction | ||||||
- Retrieve Client
- Create Key (optional)
- Query Card
- Create Account
- Create Transaction - Push
- Create Transaction - Pull
- Query Card
- Create Transaction - Push
- Create Transaction - Pull
- Retrieve Account
- Update Account
- Delete Account
- Retrieve Transaction
- Retrieve Transaction
Code Samples
There is no SDK because the TabaPay Web Service (API) is just a simple RESTful Web Service that uses standard HTTPS to:- connect
- send request
- receive response
- disconnect
Therefore, you can use almost any programming language. We assume that you are an expert in the language that you have selected to use.
You can also use command line utilities such as:
If you need help in using the TabaPay Web Service (API), we recommend using one of the command line utilities first. By doing this first, it eliminates any language specific issues or uniquenesses, and since there are so many programming languages available today, we may not be an expert in (or even have used) the language that you are trying to use. Also, by doing this first, it can help eliminate networking issues such as firewalls blocking the requests and/or responses.We do provide some simple samples in various common programming languages:
- Java
- JavaScript under node.js
- Go
- Python
- Ruby
curl
A GET Request (Retrieve Client):curl https://<FQDN>/v1/clients/<ClientID> -H "Authorization: Bearer <TokenValue>"A POST Request (Query Card):
curl https://<FQDN>/v1/clients/<ClientID>/cards -H "Authorization: Bearer <TokenValue>" -H "Content-type: application/json" -X POST -d "{\"card\":{\"accountNumber\":\"9999999999999999\"}}"These were last tested successfully using:
- curl 7.51.0 on a Mac OSX System on 05/29/2017
- curl 7.47.0 on a Ubuntu 16.04 System on 05/29/2017
- curl 7.54.0 on a Windows System on 05/29/2017
wget
A GET Request (Retrieve Client):
wget -qO-
https://<FQDN>/v1/clients/<ClientID>
--header "Authorization: Bearer <TokenValue>"
A POST Request (Query Card):
wget -qO-
https://<FQDN>/v1/clients/<ClientID>/cards
--header "Authorization: Bearer <TokenValue>"
--header "Content-type: application/json"
--post-data "{\"card\":{\"accountNumber\":\"9999999999999999\"}}"
These were last tested successfully using:- wget 1.17.1 on a Ubuntu 16.04 System on 05/29/2017
- wget 1.19.1 on a Windows System on 05/29/2017
openssl s_client
A GET Request (Retrieve Client):openssl s_client -connect <FQDN>:443 GET /v1/clients/<ClientID> HTTP/1.0 Authorization: Bearer <TokenValue>A POST Request (Query Card):
openssl s_client -connect <FQDN>:443 POST /v1/clients/<ClientID>/cards HTTP/1.0 Authorization: Bearer <TokenValue> Content-type: application/json Content-length: 45 {"card":{"accountNumber":"9999999999999999"}}These were last tested successfully using:
- OpenSSL 0.9.8zh on a Mac OSX System on 05/29/2017
- OpenSSL 1.0.2g on a Ubuntu 16.04 System on 05/29/2017
- OpenSSL 1.0.2g on a Windows System on 05/29/2017
Java
A GET Request (Retrieve Client):
import java.io.InputStream;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
public class Sample
{
public static void main( String[] asArgs )
{
try
{
URL urlService = new URL( "https://<FQDN>/v1/clients/<ClientID>" );
HttpsURLConnection connectionService =
(HttpsURLConnection) urlService.openConnection();
connectionService.setRequestMethod( "GET" );
connectionService.setRequestProperty(
"Authorization", "Bearer " + "<TokenValue>"
);
int iStatusCode = connectionService.getResponseCode();
System.out.println( "TabaPay API Call, SC=" + iStatusCode );
InputStream insResponse = iStatusCode == 200
? connectionService.getInputStream()
: connectionService.getErrorStream();
byte[] abResponse = new byte[1024];
int iLengthRead = insResponse.read( abResponse );
insResponse.close();
System.out.println( new String( abResponse, 0, iLengthRead, "UTF-8" ) );
}
catch ( Throwable t )
{
t.printStackTrace();
}
}
}
A POST Request (Query Card):
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
public class Sample
{
public static void main( String[] asArgs )
{
try
{
URL urlService = new URL( "https://<FQDN>/v1/clients/<ClientID>/cards" );
HttpsURLConnection connectionService =
(HttpsURLConnection) urlService.openConnection();
connectionService.setRequestMethod( "POST" );
connectionService.setRequestProperty(
"Authorization", "Bearer " + "<TokenValue>"
);
connectionService.setRequestProperty(
"Content-type", "application/json"
);
byte[] abDataRequest =
"{\"card\":{\"accountNumber\":\"9999999999999999\"}}".getBytes( "UTF-8" );
connectionService.setDoOutput( true );
OutputStream outsRequest = connectionService.getOutputStream();
outsRequest.write( abDataRequest, 0, abDataRequest.length );
outsRequest.close();
int iStatusCode = connectionService.getResponseCode();
System.out.println( "TabaPay API Call, SC=" + iStatusCode );
InputStream insResponse = iStatusCode == 200
? connectionService.getInputStream()
: connectionService.getErrorStream();
byte[] abResponse = new byte[1024];
int iLengthRead = insResponse.read( abResponse );
insResponse.close();
System.out.println( new String( abResponse, 0, iLengthRead, "UTF-8" ) );
}
catch ( Throwable t )
{
t.printStackTrace();
}
}
}
These were last tested successfully using Java 1.8 on 05/30/2017 and reverified on 08/08/2017.RSA Encryption using CryptoRSA Class in TabaPayAPIHelpers.jar:
import com.tabapay.api.helpers.security.rsa.CryptoRSA;
import com.tabapay.samples.CallTabaPay;
import com.tabapay.samples.CallTabaPay.KeyData;
public class APIHelpers
{
public static void main( String[] asArgs )
{
String sCardData = "9999999999999999|202012|"; // Card Number | Expiration Date | CVV2
try
{
int iExpirationInDays = 365;
KeyData dataKey = CallTabaPay.CreateKey( iExpirationInDays ); // You Provide
String sEncodedEncryptedData = CryptoRSA.encryptUsingPublicKey( // TabaPayAPIHelpers.jar
dataKey.m_sPublicKey, // Public Key from Create Key
sCardData // Card Data
);
CallTabaPay.QueryCard( dataKey.m_sKeyID, sEncodedEncryptedData ); // You provide
}
catch ( Throwable t )
{
t.printStackTrace();
}
}
}
JavaScript
A GET Request (Retrieve Client):
var https = require( "https" );
var options =
{
host: "<FQDN>",
port: 443,
path: "/v1/clients/<ClientID>",
method: "GET",
headers:
{
"Authorization": " Bearer <TokenValue>"
}
};
var req = https.request( options, function( res )
{
console.log( "statusCode: ", res.statusCode );
res.on( "data", function( d )
{
process.stdout.write( d );
});
}).on( "error", function( e )
{
console.error( e );
});
req.end();
A POST Request (Query Card):
var https = require( "https" );
var options =
{
host: "<FQDN>",
port: 443,
path: "/v1/clients/<ClientID>/cards",
method: "POST",
headers:
{
"Authorization": " Bearer <TokenValue>",
"Content-type": "application/json",
"Content-length": "45"
}
};
var req = https.request( options, function( res )
{
console.log( "statusCode: ", res.statusCode );
res.on( "data", function( d )
{
process.stdout.write( d );
});
}).on( "error", function( e )
{
console.error( e );
});
req.write( '{"card":{"accountNumber":"9999999999999999"}}' );
req.end();
These were last tested successfully using NodeJS 6.10.3 on 05/31/2017.Go
A GET Request (Retrieve Client):
package main
import (
"fmt"
"io/ioutil"
"net/http"
)
func main() {
client := &http.Client{}
req, err := http.NewRequest(
"GET",
"https://<FQDN>/v1/clients/<ClientID>",
nil)
if err != nil {
panic(err)
}
req.Header.Add("Authorization", "Bearer <TokenValue>")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
defer resp.Body.Close()
fmt.Println(string(body))
}
A POST Request (Query Card):
package main
import (
"fmt"
"io/ioutil"
"net/http"
"strings"
)
func main() {
client := &http.Client{}
req, err := http.NewRequest(
"POST",
"https://<FQDN>/v1/clients/<ClientID>/cards",
strings.NewReader("{\"card\":{\"accountNumber\":\"9999999999999999\"}}"))
if err != nil {
panic(err)
}
req.Header.Add("Authorization", "Bearer <TokenValue>")
req.Header.Add("Content-type", "application/json")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
defer resp.Body.Close()
fmt.Println(string(body))
}
These were last tested successfully using go 1.9.2 on 11/30/2017.Python
A GET Request (Retrieve Client):import httplib conn = httplib.HTTPSConnection( '<FQDN>' ) conn.putrequest( 'GET', '/v1/clients/<ClientID>' ) conn.putheader( 'Authorization', 'Bearer <TokenValue>' ) conn.endheaders() response = conn.getresponse() print response.read()A POST Request (Query Card):
import httplib conn = httplib.HTTPSConnection( '<FQDN>' ) conn.putrequest( 'POST', '/v1/clients/<ClientID>/cards' ) conn.putheader( 'Authorization', 'Bearer <TokenValue>' ) conn.putheader( 'Content-type', 'application/json' ) conn.putheader( 'Content-length', '45' ) conn.endheaders() conn.send( '{"card":{"accountNumber":"9999999999999999"}}' ) response = conn.getresponse() print response.read()These were tested successfully using Python 2.7.10 on 05/30/2017.
Ruby
A GET Request (Retrieve Client):require 'net/https' uri = URI.parse( 'https://<FQDN>/v1/clients/<ClientID>' ) http = Net::HTTP.new( uri.host, uri.port ) http.use_ssl = true request = Net::HTTP::Get.new( uri.request_uri ) request.add_field( "Authorization", "Bearer <TokenValue>") response = http.request( request ) puts response.bodyA POST Request (Query Card):
require 'net/https' require 'json' uri = URI.parse( 'https://<FQDN>/v1/clients/<ClientID>/cards' ) http = Net::HTTP.new( uri.host, uri.port ) http.use_ssl = true request = Net::HTTP::Post.new( uri.request_uri, 'Content-Type' => 'application/json' ) request.add_field( "Authorization", "Bearer <TokenValue>") request.body = {card:{accountNumber: '9999999999999999'}}.to_json response = http.request( request ) puts response.bodyThese were tested successfully using Ruby 2.0.0p648 on 05/31/2017.
PCI Helpers
These sections are still a Work in progress...
These TabaPay features are to help our Clients with PCI, but it does not remove the PCI requirements for the Client.
PCI Helper - SSO
This section is still a Work in progress... Also see the PCI Helper - SSO FAQ. The samples and examples decribed here are now running in the Sandbox Environment.
How SSO works
See some working samples on how this might work.
The samples are only samples. We can provide a generic (plain/simple) SSO HTML Web Page; but, we think that allowing you to customize it to match your WebSite (colors, layout, errors handling, etc...) would be a much better solution, however, that means you will need to provide the HTML, CSS, and JavaScript. Please see the PCI Helper - SSO FAQ for the current status of providing a customized SSO.
The Imbedded Form Sample (currently) only shows one input method:
- Keyboard Entry
while the Modal Dialog Box Overlay shows 3 possible input methods:
- Keyboard Entry
- KeyPad Entry
- Card Swipe Entry
- Card Account Number
- Expiration Date
- Security Code - CVV2 (optional)
- Google Chrome 65
- Mozilla FireFox 55
- Apple Safari 11.1
- Microsoft Edge 38
If you are authorized to create a Customized SSO, see SSO Samples for additional details; but, you must follow the procedures exactly, no deviations, and understand the timelines, no deviations.
View Addtional Details
Hide Addtional Details
The following is meant to be only a simple sample on how this may work and is not meant for production use or imply that it is production ready.
Client BackEnd Server
Customization of SSO
Other Notes:
Client Web Page
Add a Listener for the Return from TabaPay SSO
window.addEventListener( "message", pfReceivedMessage, false );
Function to handle Return from TabaPay SSO
var pfReceivedMessage = function( event )
{
if ( event.data != "Close" )
{
if ( event.data.slice( 0, 7 ) == "Error: " )
{
// Error
}
else
{
var asData = event.data.split( "|" );
if ( asData.length == 3 )
{
// asData[ 0 ] contains the Last 4
// asData[ 1 ] contains the Expiration Date in YYYYMM Format
// asData[ 2 ] contains the Card Token
}
else
{
// Data Error
}
}
}
else
{
// Close or Cancel
}
}
JavaScript Code to load TabaPay SSO when needed
document.getElementById( "sso" ).src = "https://<FQDN>/<PageName>.html?<Unique>";
HTML to include TabaPay SSO
<div><iframe id="sso"></iframe></div>
Client BackEnd Server
Can use the Card Token in the following TabaPay API Calls:
Customization of SSO
If you are providing the HTML, CSS, and JavaScript to us:
- HTML must be minifiable
- CSS must be minifiable
- JavaScript must be compilable (with no warnings or errors) with the Google Closure Compiler
- No External JavaScript Libraries, No External JavaScript Frameworks
- The Results will be a single HTML file
- Any external images will be hosted from your servers
- We will control and own the HTML, CSS, and JavaScript (please check with your legal department)
Clarifications (feedback from Early Users):
- You will provide us with the HTML, CSS, JavaScript:
- Formatted as for Development (leave spaces, indentation, whitespace, blank lines, etc...)
- Leave Comments in as for Development
- We have to understand the code you send to us, so keep it (very) simple...
- We (TabaPay) will minify the HTML, CSS, JavaScript:
- If there are issues, we will try to fix...
- If we can't fix (easily), we may ask you to revise it...
- Due to PCI, we cannot include external libraries or frameworks...
- And again due to PCI, we have to own the code (HTML, CSS, JavaScript), so please check with your Legal Department...
Also see the Step-by-Step Example below of this process including our expectations of the expected file (or 3 files: HTML, CSS, and JavaScript) that we will be receiving from you.
Common sense (real world) facts about this customization:
- Take advantage of this (almost) complete control of this customization and the ability for you to customize it, but:
- Be Simple
- Be Reasonable
- Understand some of the Restrictions, if any
- If we say we cannot do something, show us how to do it simply and we will take another look
- If we say no, please accept that it can't be done or we can't do it
- Due to time constraints, we can only do minor tweaks after the initial delivery of the HTML, CSS, and JavaScript.
Other Notes:
- Expiration of the Card Token?
- The Card Token will expire in 5-10 minutes.
View Step-by-Step Example
Hide Step-by-Step Example
The following is only a very simple example and is not meant for production use or imply that it is production ready. Also see the PCI Helper - SSO FAQ.
(1) My Custom SSO Web Page
It is:
- (Very) Simple
- Reasonable (in complexity and size)
- Easy to understand
- No External Libraries or Frameworks
and it is nicely formatted for a developer to read:
- Code is Indented
- Source is Commented
<!DOCTYPE html>
<html>
<head>
<style>
/*
* Table Header
* 1st Column
*/
th
{
text-align: right;
padding-right: 10px;
}
/*
* Form Button(s) Row
*/
.b
{
padding-top: 10px;
text-align: center;
}
</style>
<script>
function fCheckCardNumber( psCardNumber )
{
//
// Code to Check Card Number
//
if ( psCardNumber.length < 13 || psCardNumber.length > 19 )
{
return false;
}
//
// More Checks?
// Card Range?
// All Digits?
// Luhn Checksum?
//
//
// If you want use TabaPay's Common Utils,
// (1) remove the above check
// (2) and add the following if statement
//
// if ( ! TabaPayCommonUtils.fCheckCardNumber( psCardNumber ) )
// {
// return false;
// }
//
return true;
}
function fCheckExpirationDate( psExpirationDate )
{
//
// Code to Check Expiration Date
//
if ( psExpirationDate.length != 5 || psExpirationDate.slice( 2, 3 ) != "/" )
{
return false;
}
//
// More Checks?
// Check Month and Year
//
//
// If you want use TabaPay's Common Utils,
// (1) remove the above check
// (2) and add the following if statement
//
// if ( ! TabaPayCommonUtils.fCheckCardExpirationDate( psExpirationDate ) )
// {
// return false;
// }
return true;
}
function fCheckSecurityCode( psSecurityCode )
{
//
// Code to Check Security Code
//
if ( psSecurityCode.length < 3 || psSecurityCode.length > 4 )
{
return false;
}
//
// More Checks?
// Check Number
//
//
// If you want use TabaPay's Common Utils,
// (1) remove the above check
// (2) and add the following if statement
//
// // Currently this only does minimal checking
// // If you want a more thourogh Security Code check,
// // feel free to replace this with your own function
//
// if ( ! TabaPayCommonUtils.fCheckSecurityCode( psSecurityCode ) )
// {
// return false;
// }
//
return true;
}
function fClear()
{
document.getElementById("c").value="";
document.getElementById("e").value="";
document.getElementById("s").value="";
}
function fSubmit()
{
var sCardNumber = document.getElementById("c").value.trim();
var sExpirationDate = document.getElementById("e").value.trim();
var sSecurityCode = document.getElementById("s").value.trim();
//
// Check Card Number
//
if ( sCardNumber.length == 0 )
{
alert( "Missing Card Number" );
return;
}
if ( ! fCheckCardNumber( sCardNumber ) )
{
alert( "Bad Card Number" );
return;
}
//
// Check Expiration Date
//
if ( sExpirationDate.length == 0 )
{
alert( "Missing Expiration Date" );
return;
}
if ( ! fCheckExpirationDate( sExpirationDate ) )
{
alert( "Bad Expiration Date" );
return;
}
//
// Check Security Code (optional)
//
if ( sSecurityCode.length > 0 )
{
if ( ! fCheckSecurityCode( sSecurityCode ) )
{
alert( "Bad Security Code" );
return;
}
}
//
// All Checks ok
//
// TabaPay will add code here
// temporarily use an alert to display the values
alert( sCardNumber + "," + sExpirationDate + "," + sSecurityCode );
}
function fCancel()
{
// TabaPay will add code here
// temporarily use an alert to indicate Cancel
alert( "Cancelled" );
}
</script>
</head>
<body>
<form>
<table>
<tr>
<th>Card Number</th>
<td><input id="c" type="password" placeholder="13-19 digits"></td>
</tr>
<tr>
<th>Expiration Date</th>
<td><input id="e" placeholder="MM/YY Format"></td>
</tr>
<tr>
<th>Security Code</th>
<td><input id="s" placeholder="3-4 digits"></td>
</tr>
<tr>
<td class="b" colspan="2">
<input type="button" value="Clear" onclick="fClear()"/>
<input type="button" value="Use Card Data" onclick="fSubmit()"/>
</td>
</tr>
<tr>
<td class="b" colspan="2"><input type="button" value="Cancel" onclick="fCancel()"/></td>
</tr>
</table>
</form>
</body>
</html>
The use of Alerts in the above example was only used to simplify the example and not clutter the JavaScript Code in the example. We recommend that you change the usage of Alerts to something more appropriate that matches your WebSite. Again, the above example is not meant for production use or imply that it is production ready.
(2) Please QA the My Custom SSO Web Page before (3)
(2a) TabaPay QA will only do a cursory check
(2b) There will be a very limited number of back and forth
(2c) It will be your responsibility for your Custom SSO Web Page
(3) Submit My Custom SSO Web Page to TabaPay
(4) Wait for TabaPay to complete the modifications to the Custom SSO Web Page
(5) TabaPay will make your Custom SSO Web Page available
(6) Test using TabaPay's Test your SSO Web Page
Goto the See some working samples link above
Use the filename: MyCustomSSOExample
and be sure to set the desired width and height
also this Example has an image that is hosted externally
(7) Include in your Web Page
Goto the View Additional Details link above on how to do this...
PCI Helper - RSA
This section is still a Work in progress... Also see the PCI Helper - RSA FAQ.
How to use RSA
Due to the number of computer languages available today, we will be using OpenSSL, the well-known and widely used cryptography library, to show how to use RSA to create the value for the data parameter in the following TabaPay API Calls:
The data contains:
- Card Account Number
- Card Expiration Date
- Card Security Code
Here are the steps in creating the data parameter for the TabaPay API Calls:
Create a Key
- Use the TabaPay API Call: Create Key
- The returned format of the Public Key depends upon what language you are using and what libraries (in the language) you are using, however:
- RAW Format (consisting of exponent and modulus) can be easily converted to ASN.1 Format
- ASN.1 Format can be easily converted to RAW Format (consisting of exponent and modulus)
- The returned format of the Public Key depends upon what language you are using and what libraries (in the language) you are using, however:
- OpenSSL, for this example, will be using ASN.1 Format
- Use the TabaPay API Call: Create Key
Save the keyID
Convert the key (in ASN.1 Format) from Base64 URL-Safe to regular Base64 Encoding
Create a file containing the Public Key, we will use PEM Format, but we could have also use DER Format instead:
- Use an editor, like vi, and create a public.key
- First Line contains: -----BEGIN PUBLIC KEY-----
- Next Line contains the Base64 (not URL-Safe) Encoded Key: MIIBI...AQAB
- Last Line contains: -----END PUBLIC KEY-----
Create a file containing the Card Data, separated by "|" (pipe symbol):
- Card Account Number
- Card Expiration Date
- Card Security Code
Example is: 9400100999999993|209912|123
Use OpenSSL to encrypt the Card Data, RSA with Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding:
openssl pkeyutl -in card.data -out encrypted.data -inkey public.key -keyform PEM -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
Convert the Encrypted Data in the file to Base64 URL-Safe Encoding
- You can now use:
- keyID from (2)
- data, Base64 URL-Safe Encoding, from (7)
in the following TabaPay API Calls:
Make sure the version of OpenSSL that you are using is at least 1.0.2k.
If you are having problems, hopefully this example can help you in the language that you are using... Some languages, such as:
- Python
- Ruby
General FAQ
Need help?
Contact us at support@TabaPay.com and someone from our support team will get back to you as quickly as possible.
Why is there no SDK?
The API is just a simple RESTful Web Service that uses standard HTTPS to:
- connect
- send request
- receive response
- disconnect
Therefore, you can use almost any programming language; however, there are so many programming languages available today, we may not be an expert in (or even have used) the language that you are trying to use. We assume that you are an expert in the language that you have selected to use.
Having connection issues?
Try using one of the command line utilities first. Usually it can help diagnose networking issues such as firewall configurations, IP whitelisting, etc... Also it helps in eliminating any language specific issues or uniquenesses, and since there are so many programming languages available today, we may not be an expert in (or even have used) the language that you are trying to use.
Curious? What do we use?
ISO
Unfortunately this acronym stands for:Hopefully the context where it is being used will make the definition of the acronym obvious.
Data FAQ
Is there a JSON Schema?
We allow additional JSON pairs (NVPs) to be added in a request (though we don't recommend this) and we may return back additional JSON pairs (NVPs) in a response (optional JSON pairs (NVPs) that you may not be using but another client may be using). We also allow JSON pairs (NVPs) to be sent in a request in any order and we may return back JSON pairs (NVPs) in a response in any order.
Be sure you can handle "freeform" JSON responses.
What is the type of a Data Value? Is it a String, an Integer, an Amount, a Boolean, or what?
We treat all Data Values initially as Strings. We then apply a Value Restriction to the String. So for example:
- an Integer, we look for a string with only digits
- an Amount, for currency number 840, USD, we look for a string with only digits and a single decimal point with two decimal digits but no commas nor currency sign
- a Boolean, we look for a string with the value of either true or false
How to specify an Amount Value?
In order to handle international currencies, an Amount is a String. International currencies:
- use either a point or a comma as their decimal mark and
- might have a maximum of 0, 1, 2, 3, or 4 decimal places.
1000.20
Valid
1.20
Valid
0.20
Valid
.20
Valid
.4
Invalid, 2 decimal digits are required
1.4
Invalid, 2 decimal digits are required
1,000.21
Invalid, comma not needed
$10.21
Invalid, dollar sign not needed
Is there a size limitation to String Values?
Unless specified in the Value column, String Values can be of any reasonable size. However there is a limitation to the total number of bytes in your request. And remember, some Unicode characters, especially international characters, are more than one byte.
Are null Values valid?
JSON Values that are null are accepted, according to the JSON Specifications, but it is preferred that you just leave out the pair (NVP):
Works:
{
"NameA": "Test",
"NameB": null,
"NameC": "Test"
}
Preferred:
{
"NameA": "Test",
"NameC": "Test"
}
What valid characters can be used for fields such as Reference IDs, Memo, Names (first and last), etc...?
The API can accept any UTF-8 character; however, to be safe for other processes that may be using this data, we recommend the use of only the Base64 URL-Safe Character Set. We will also explicitly restrict the use of these characters:We do recommend the use of only the Base64 URL-Safe Character Set.
● ,
Comma (used in csv files)
● "
Double Quotes (used in csv files)
● ~
Tilde
● ^
Caret
Base64 Encoding
Binary Data and some Strings, that are beyond Alphanumeric, should be encoded in Base64 with no padding and using the URL-Safe Character Set:
● A-Z
Uppercase alphabetic characters
● a-z
Lowercase alphabetic characters
● 0-9
Digits
● -
Minus Sign
● _
Underscore
Format of the JSON Request and Response Data?
We required that all whitespaces are removed from the JSON Request (pack your JSON Request). We will also return a JSON Response in a packed format where all whitespaces are removed.
Nice for human:
{
"NameA": "Test",
"NameB": 1
}
But not so much for our Application and also it clutters our logs, so preferably:
{"NameA":"Test","NameB":1}
Errors FAQ
HTTP Status Codes?
See Status Codes for a list of HTTP Status Codes that might be returned.
A 400 Series Error is usually something that you can fix by changing something in your request. A 500 Series Error is usually something that you need to contact us (support@TabaPay.com) to look at. If we determine that a 500 Series Error can be fixed by you, we will try to change this error situation to a 400 Series Error in a future code release.
PCI does require us to be cryptic in the Error Messages that we return back; but for certain 400 Series Errors, we may return back something in the Error Message (EM) field of the JSON Response that indicates what might be wrong.
You should never get a HTTP Status Code of 400 on Production
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.
Also, please see the Coding FAQ.
Use of HTTP Status Code 207?
You might get HTTP Status Code 207, when there is an Error while processing your Transaction due to some Upstream Process.
Everything on our end processed successfully:
- Your request passed all our checks
- Configuration is available to process your request
- A record is created for your request (Transaction)
Customer Facing Error Messages?
We are a Server-to-Server Web Services (API) and we are not Customer Facing, so:
- We do not provide User Friendly Error Messages.
- We do not provide Error Details (because of PCI).
- We do not recommend showing your Customers our Error Messages or Error Codes.
Also, please see the Coding FAQ.
Coding FAQ
As mentioned elsewhere multiple times:We may not be an expert in (or even have used) the language that you are trying to use. We assume that you are an expert in the language that you have selected to use.
With that said, here are some questions that we have encountered that might be helpful to you:
My Program doesn't work?
Please provide the full Request and Response. If there was an error, the full error message (exception) and if available any stack trace. The more details, the better we can help you, and the faster we can help you.
If you contact TabaPay support, please send your Request and Response:
Request should include:
- Date and Time of the Request and Time Zone (we have many Clients in many different parts of the world)
- URL
- Request Method (Get, Post, Put, or Delete)
- Request Data (JSON), if any
Response should include:
- HTTP Status Code
- Response Data, if any
- (usually) JSON
- (but can be) HTML
- Exception and Stack Trace, if any
SC=406
We have a WAF, Web Applicaiton Firewall, in front of all internet facing systems. So if our WAF detects something funny, such as something in the OWASP Top 10, your request will get rejected with SC=406.
SC=400
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.
Why you should never see SC=400 in Production?
All errors with a HTTP Status Code of 400 should have been caught before the API request is sent to us. We shouldn't have to return back a HTTP Status Code of 400. A HTTP Status Code of 400 means that something in your request is bad: Bad Request. You should not use us (API Request) to check for Customer entered data errors.
For example:
- Card Account Number
- Card Expiration Date
- Amount
- the Customer's Device
- to your Servers
- to our Servers
- negative response (400) back to your Servers
- and then finally some error message back to the Customer's Device
- Card Account Number
- or Card Expiration Date
- or Amount
- Immediate
- Interactive
- Responsive
- JavaScript code
- Swift (or Objective-C) code on iOS
- or Java code on Android
Even if an error gets past the code on the Customer's Device and goes up to your Servers, your BackEnd Code on your Servers should also catch these obvious errors. That is two layers of code that should have caught the error, so that is why we say:
We should never have to return back a SC=400 in Production...
That is why you should test on the Sandbox Environment and pass the Certification Test completely.
Sandbox Environment FAQ
How quickly can we do a change (configuration) on the Sandbox Environment?
We are PCI Level 1 and SOC1 Type 1 and SOC2 Type 2 Compliant. So, what does that mean? We are procedure and process controlled.
Some companies require us to be PCI Level 1 and SOC Compliant (SOC1 Type 2 and SOC2 Type 2). And then some of those same companies still expect us to do things for them immediately (and even on Production). Here is a real life example that recently occurred:
- A Client demanded to change their limit on a weekend night immediately
- After changing their Limit, the same Client later demanded to change their limit again and again on a weekend night immediately
- After changing their Limit again, we see they never reached the Limits they demanded, in fact, they never even reached their original Limit
Not everything is or can be an emergency...
Schedule for Sandbox changes:
- Have your request by Friday morning
- Changes will be implemented by end of day Monday (or Tuesday, if Monday is a Holiday)
Are there Test Card Numbers to use in the Sandbox Environment?
PCI requires us and you to use Test Card Numbers when testing. You should never use a real Card Number in the Sandbox Environment. See Samples - Test Cards where we provide various Test Card Numbers...
How to generate an error in the Sandbox Environment?
For Create Transaction, the Amount is used to trigger various errors while processing the Create Transaction request in the Sandbox Environment (Accel uses a 3-digit Network Response Code):
| Amount | Response | Actual Response | Error Description | |||
|---|---|---|---|---|---|---|
| Status Code | Network Response Code | Resource Status | Network Response Code | Resource Status | ||
| 0.01 11.00 | 200 | ZZ (or 999) | ERROR | ZZ (or 999) | ERROR | Transaction Error |
| 0.02 12.00 | 207 | UNKNOWN | UNKNOWN | Transaction Processing Failed | ||
| 0.03 13.00 | 200 | 00 (or 000) | COMPLETED | 00 (or 000) | COMPLETED | Transaction Successful, but upstream processing was delayed for 30 seconds |
| 0.04 14.00 | 207 | UNKNOWN | 00 (or 000) | COMPLETED | Transaction Successful, but upstream processing was delayed for 40 seconds | |
For Delete Transaction, the Create Transaction Amount is used to trigger various errors while processing the Delete Transaction request in the Sandbox Environment (Accel uses a 3-digit Network Response Code):
| Amount | Create Transaction Response | Delete Transaction Response | Error Description | ||||
|---|---|---|---|---|---|---|---|
| Status Code | Network Response Code | Resource Status | Status Code | Reversal Network Response Code | Resource Status | ||
| 0.07 | 200 | 00 (or 000) | COMPLETED | 200 | ZZ (or 999) | UNKNOWN | Reversal Request failed |
| 0.08 | 200 | 00 (or 000) | COMPLETED | 200 | 21 | UNKNOWN | Reversal Request failed, the Reversal was too late. Not available when routed to any Regional Network: Currently only STAR and Accel. |
For AVS, Query Card, the Zip Code, Address, and Security Code are used to trigger various conditions while processing an AVS request in the Sandbox Environment:
| Request | Response | Comments | ||||||
|---|---|---|---|---|---|---|---|---|
| Zip Code | Address | Security Code | Response Text | Network Response Code | Code AVS Results | Code Security Code Results | ||
| Any* | Any* | None | NOT DECLINED | 85 | Y | Zip Code and Address were matched | ||
| Any* | None | None | NOT DECLINED | 85 | Z | Zip Code was matched | ||
| Any* | Any or None | Any* | DEPENDS | DEPENDS | DEPENDS | M | Depends upon if Zip Code and Address matches or not, but Security Code was matched | |
| Any* | Any or None | 999 | DECLINE | 05 | DEPENDS | N | Depends upon if Zip Code and Address matches or not, but Security Code was not matched | |
| 99990 | Any or None | Any or None | DECLINE | 05 | U | Information not available | ||
| 99991 | Any or None | Any or None | DECLINE | 05 | R | AVS unavailable, retry | ||
| 99992 | Any* | None | DECLINE | 05 | A | Zip Code was not matched, but Address was matched | ||
| 99992 | None or 999 Bad | None | DECLINE | 05 | N | Zip Code and Address were not matched | ||
| 99993 | Any or None | Any or None | DEPENDS | DEPENDS | DEPENDS | DEPENDS | AVS Request delayed for 30 seconds | |
| 99994 | Any or None | Any or None | UNKNOWN | UNKNOWN | UNKNOWN | UNKNOWN | AVS Request timed out | |
- Any* - Any Zip Code that is not explicitly used to trigger a condition (99990-99994)
- Any* - Any Address that is not explicitly used to trigger a condition (999...) - Address only checks the Street Number
- Any* - Any Security Code that is not explicitly used to trigger a condition (999)
How to generate a RTP error in the Sandbox Environment?
For Create Transaction, the Account Number for RTP is used to trigger various errors while processing the Create Transaction request in the Sandbox Environment (RTP uses a 3-character Network Response Code):
| Account Number | Create Transaction Response | Error Description | ||
|---|---|---|---|---|
| Status Code | Network Response Code | Resource Status | ||
| 100000000...111111111 | 200 | 000 | COMPLETED | N/A |
| 111111112 | 200 | P03 | ERROR | Invalid Account |
| 111111113 | 200 | P11 | ERROR | Sender not authorized |
| 111111114 | 200 | P07 | ERROR | Participant blocked |
| 111111115 | 200 | P02 | ERROR | Invalid Account |
| 111111116 | 200 | P11 | ERROR | Transaction forbidden on this account |
| 111111117 | 200 | P23 | ERROR | Amount received is not the amount agreed or expected |
| 111111118 | 200 | P23 | ERROR | Amount exceeds limits |
| 111111120 | 200 | P21 | ERROR | Incorrect routing number |
| 111111121 | 200 | P14 | ERROR | Participant deceased |
Is the Sandbox Environment PCI Compliant?
No.
You should be using Test Card Numbers when testing in the Sandbox Environment. You should never use a real Card Number in the Sandbox Environment. See Samples - Test Cards where we provide various Test Card Numbers...
What is the Sandbox Environment SLA?
There should be no expectations on the Sandbox Environment.
Running Performance Test?
You can not run a Performance Test in the Sandbox Environment. The Sandbox Environment is a very small fraction of the Production Environment. It would be a waste of everyone's resources to do a Preformance Test using the Sandbox Environment.
What happens if someone decides to run a Performance Test?
Your IPs will be blacklisted.
UAT Environment FAQ
UAT Environment?
See the FAQ for the Sandbox Environment
What is the UAT Environment SLA?
There should be no expectations on the UAT Environment.
Running Performance Test?
You can not run a Performance Test in the UAT Environment. The UAT Environment is a very small fraction of the Production Environment. It would be a waste of everyone's resources to do a Preformance Test using the UAT Environment.
What happens if someone decides to run a Performance Test?
Your IPs will be blacklisted.
Production Environment FAQ
What is the maintenance window for the Production Environment?
There should be no outage during normal maintenance. We have activity 24x7x365 and the low points seem to be around mid-week.
How quickly can we do a change (configuration) on the Production Environment?
We are PCI Level 1 and SOC1 Type 1 and SOC2 Type 2 Compliant. So, what does that mean? We are procedure and process controlled.
Some companies require us to be PCI Level 1 and SOC Compliant (SOC1 Type 1 and SOC2 Type 2). And then some of those same companies still expect us to do things for them immediately (and on Production). Here is a real life example that recently occurred:
- A Client demanded to change their limit on a weekend night immediately
- After changing their Limit, the same Client later demanded to change their limit again and again on a weekend night immediately
- After changing their Limit again, we see they never reached the Limits they demanded, in fact, they never even reached their original Limit
Not everything is or can be an emergency...
Schedule for Production changes:
- Have your request by Friday morning
- Changes will be implemented by end of day Monday (or Tuesday, if Monday is a Holiday)
Why? (in regards to the above question)
Here is a quote from one of our Clients about their PCI Environment (not ours but theirs):
Our IT department frowns upon rapid-fire changes to the PCI environment.
So I hope everyone understands the restrictions and constraints of being in a PCI Environment.
Funny, we previously have used the same word: "frown" when a Client asks us to do something outside of our normal policies and procedures.
Ready to go into Production?
In order to go into Production, we need the following things to be completed:
- PCI
- AOC or
- SAQ (select the correct questionnaire)
- Certification Test on Sandbox
- Just run your normal QA Tests against your Application connected to our backend (API)
- And run various Error Conditions/Scenarios, see the Certification Test document from TabaPay Support
- TabaPay Boarding Sheet
- Your Support Contact Information
- Your Financial (Accounting) Information
Certification Test?
- We want you to run your full QA tests on your Application that is connected to our backend (API).
- We want to see the different types of requests that you may be sending us.
- We can provide feedback on what we are seeing in your requests.
- We want to catch issues during this testing versus on Production.
- We can catch problems, here are some of the real issues we have seen before we revised our Certification Test:
- Security Code was misspelled, so they (CVV2s) showed up in the clear in our logs which exposes us (PCI) and your customer.
- Amounts were incorrectly formatted, so some requests were failing (.4) and others were not (0.40).
You should never get a HTTP Status Code of 400 on Production
If you are getting a HTTP Status Code of 400 on the Production Environment, that usually means you are not handling these errors correctly on your end. We strongly recommend completing the Production Certification Test in its entirety, specifically the portion where we recommend integrating your application with our API calls.
Also, please see the Coding FAQ.
Locking your Client?
If the Bank and/or TabaPay detect something funny happening:
- in your API Requests, or
- with your Limits, or
- with your Settlement Account
If your Client is LOCKed, please contact TabaPay support.
Disabling your IP Address?
If TabaPay detects something funny coming from one of your IP Addresses that you requested to be whitelisted, we may have to remove that IP Address. We have WAFs and IDS/IPSs protecting all Internet Facing Systems. We shouldn't be receiving any kind of probes from your systems, so all probes will be detected as a hack attempt and will be shutdown.
If we do remove an IP Address, you have to resubmit a request to reenable the IP Address, so please contact TabaPay support.
A reason for disabling?
“Insanity is doing the same thing, over and over again, but expecting different results.”
PCI / SOC FAQ
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. Also see PCI Security Standards Council.
What is SOC?
SOC stands for System and Organization Controls.
Are we PCI Compliant? SOC1 and SOC2 Certified?
Is the Sandbox and UAT Environments PCI Compliant?
No.
You should be using Test Card Numbers when testing in the Sandbox and UAT Environments. You should never use a real Card Number in the Sandbox and UAT Environments. See Samples - Test Cards where we provide various Test Card Numbers...
SSL/TLS Configuration?
We use Qualys SSL Server Test to check our SSL/TLS configuration on all internet facing systems:
TLS 1.3 is now available on all Environments.
We also removed some WEAK TLS 1.2 Cipher Suites:
We configure our Servers to the Recommended Cipher Suites as recommended by RFC 7525 and Mozilla Server Side TLS.
WAF, Web Application Firewall, protection?
We have a WAF, Web Applicaiton Firewall, in front of all internet facing systems. So if our WAF detects something funny, such as something in the OWASP Top 10, your request will get rejected with SC=406.
PCI Helper - SSO FAQ
Is it possible to customize the SSO?
We have temporarily suspended the fully Customization of the SSO. We will provide a generic SSO that you can modify only a few things like:
- Font
- Color
If you are authorized to create a Customized SSO, see SSO FAQ for additional details; but, you must follow the procedures exactly, no deviations, and understand the timelines, no deviations.
What is the process of submitting a customized SSO?
See PCI Helper - SSO in Samples... But to summarize:
- You need to create a fully working HTML Page that meets our requirements (see PCI Helper - SSO in Samples...)
- Our QA will only do a cursory check and will reject any HTML Page that doesn't do the basic error checking:
- Check Card Number
- Check Expiration Date
- Check Security Code
- Going to your Servers or even going to our Servers to do basic error checking, in our belief, is not the correct way to handle this, see the Coding FAQ.
- We prefer not to have to do a lot of back and forth, so please QA your HTML Page before submitting to us
- You can contact us if you want our QA to help QA your HTML
- Remember that this is your HTML Page that you are presenting to your Customers.
- Our QA will only do a cursory check and will reject any HTML Page that doesn't do the basic error checking:
- Once our QA ok your HTML, your HTML Page is sent to our Build/Operations Department:
- Add the TabaPay specific code
- Move HTML Page to Sandbox Environment
- Again, our QA will do a cursory check
At this point you should QA (Test) your HTML Page and you can call the TabaPay API.
How long this takes will depend upon when we receive a working HTML Page. So how long is up to you. Deviating from our requirements will only cause delays.
Customization timeline and availability?
The reason why we will suspend the fully Customization of the SSO is Client Expectations... and our Expectations for the submitted SSO Web Page. Unfortunately there is a mismatch, so trying to clarify this mismatch, here are some points to consider beforehand to avoid the frustration by all sides with the process:
- Normally we only do a build of a Client's SSO Web Page on the weekends and have it available by End-of-Day Monday, Tuesday if Monday is a holiday
- We expect the Client to QA their own SSO Web Page
- We will reject a Client's SSO Web Page if we find a problem
- Like previously mention elsewhere, we do not want a lot of back and forth with the SSO Web Page
- We hope this would be the sequence of events:
- The Client reads the Developers WebSite to understand the SSO Web Page
- The Client can ask support for any clarification
- The Client develops their SSO Web Page
- The Client tests (QA) their SSO Web Page
- When the Client completes their testing, the Client submits their SSO Web Page
- TabaPay only does a cursory QA of the Client's SSO Web Page
- If TabaPay QA finds a problem with the Client's SSO Web Page, it will be rejected
- TabaPay builds the SSO Web Page
- TabaPay makes the SSO Web Page available by End-of-Day Monday (Tuesday if Monday is a holiday)
- The Clients can now test the completed SSO Web Page
Please Keep it SIMPLE, the more complex your SSO Web Page is, the harder it is for us to Add our Changes and Test our Changes. And having an abnormal SSO Web Page that is hard to Test will eventually be unTested and we will have to leave it to you to test the changes. So in the future, if you do have a difficult SSO Web Page, you will need to tell us how to test it or even give us tools to test it.
Just think, how many different SSO Web Pages we get, and each so very different, so far, none are similar. Just think how hard it is for us to try to change that code and then try to test it... Just think... Be in our shoes... So this is one reason why we will suspend the fully Customization of the SSO.
Compiling with the Google Closure Compiler?
We use the following options:
--compilation_level ADVANCED_OPTIMIZATIONS
We use Advanced Optimizations for reasons other than for size. Size is just a nice side benefit.Just like the HTML and CSS, we actually do not minify the HTML and CSS, but we pack them.
PCI Helper - RSA FAQ
RSA?
RSA is the most widely used asymmetric algorithm.
Using Encrypted Data in the TabaPay API Calls don't seem to be working?
Make sure you are using RSA with the Transformation of RSA/ECB/OAEPWithSHA-256AndMGF1Padding and the language you are using supports the correct (common usage) implementation of that transform.
Receiving a SC=500?
If you pass in an Encrypted Data that was encrypted incorrectly, you will get a SC=500.
What languages (and libraries, if any) work (or tested)?
We have first hand knowledge that the following languages (and libraries, if any) works:
- Java with a slight tweak using the built in RSA encryption
- Go using the built in RSA encryption
- JavaScript on a browser using the Web Cryptography API which is available in (all) modern browsers
- .NET
Is there an example, a working example?
See PCI Helper - RSA in Samples...
Why only 2 active Keys?
The key you are using is just a Public Key.
Also, previously, we had Clients who were creating multiple Keys per Day and expiring the Keys in a Year. So we were holding a lot of active Keys for some Clients and the assumption is that most, if not all, of the Keys were no longer in use, see the Anti-Pattern FAQ
For Security Reasons, we want to have more than 2 active Keys?
The key you are using is just a Public Key.
TabaPay doesn't understand Mobile Payments, we need more than 2 active Keys?
The key you are using is just a Public Key.
Also, we have engineers with at least 5 years of mobile app development in the past for both iOS and Android, and they have built PCI Level 1 Compliant financial mobile apps.
Since we can only have 2 active Keys, can the Key expire in more than 1 year?
No, PCI.
3D Secure FAQ
If you are using Cardinal, this is how to use TabaPay’s 3D Secure API with Cardinal:
To help the Issuing Bank perform risk-based authentication, Device Data Collection must be executed prior to calling TabaPay's 3D Secure Lookup API. Failing to complete this step may result in the transaction being downgraded to 1.0, a less-secure version of 3DS.
While not required, including the Browser/Device data is strongly recommended. Doing so ensures the transaction will still be of 3DS 2.0, even if the Device Data Collection fails. The Device Data Collection may be done through the (Cardinal recommended) Songbird.js library or POSTing to the DDU returned in TabaPay’s 3D Secure Initialize.
Option 1: Cardinal Cruise Hybrid
The Cardinal Cruise Hybrid utilizes the Songbird.js library. Below are URLs a client can use to test various environments. Each build of Songbird is directly tied to an environment. To change environments simply edit the URL you are using.
Production: https://songbird.cardinalcommerce.com/edge/v1/songbird.js
Staging: https://songbirdstag.cardinalcommerce.com/edge/v1/songbird.js
Cardinal setup:
Setting up a transaction flow includes the following:
- Send a jwt object to Cardinal via Cardinal.setup(), which in turn...
- Triggers a payments.setupComplete() event:
<script src="https://songbirdstag.cardinalcommerce.com/edge/v1/songbird.js"></script>
Cardinal.setup("init", {
jwt: “{{Please insert JWT string here}}”
});
Cardinal.on('payments.setupComplete', function (setupCompleteData) {
// handle set up complete event
});
Option 2: POSTing to the Device Data Collection URL
If you do not want to include a 3rd party library, POST the jwt object to the Device Data Collection URL that was returned in the TabaPay's 3D Secure Initialize response:
<iframe name="collectionFrame" height="10" width="10"
style="visibility: hidden; position: absolute; top: -1000px; left: -1000px;">
</iframe>
<form id="collectionForm" target='collectionFrame' name="devicedata"
method="POST"
action="https://centinelapistag.cardinalcommerce.com/V1/Cruise/Collect">
<!-- POST Parameters: is the JWT
which is the Authentication JWT with the ReferenceId
from the BIN Intelligence API Response -->
<input type="hidden" name="JWT" value="…" />
</form>
<script>window.onload = function () {
// Auto submit form on page load
document.getElementById('collectionForm').submit();
}
</script>
Google Pay FAQ
Our Google Pay Processor Page may help answer additional integration questions.
How do I support Google Pay as a merchant?
- You must register as a Google Pay merchant.
- The
gatewayMerchantIdyou register for at Google for Google Pay must be"G"with your 6-digit clientID (and if applicable 4-8 digit subclientID) appended. - A merchant with a 6-digit clientID 123456 who wants to register for Google Pay using their subClient 0001, will have a
gatewayMerchantId G1234560001 - A merchant with a 6-digit clientID 123456 who wants to register for Google Pay will have a
gatewayMerchantId G123456
For example:
- The
- You must use
"tabapay"(case-sensitive) as yourgatewayId.
What
authMethod should I use for Google Pay?The merchant can choose to support
PAN_ONLY and/or CRYPTOGRAM_3DS. While the merchant can choose their authMethod, TabaPay strongly encourages the sole use of authMethod CRYPTOGRAM_3DS to mitigate fraud.Can I decrypt my own Google Pay
PaymentMethodToken?If a merchant's PCI-compliance allows them to handle real card numbers, the merchant may decrypt the
If the
The network of the card used (Visa, MasterCard, etc.) is mapped to the
If the
PaymentMethodToken that is produced from a Google Pay transaction.If the
authMethod is CRYPTOGRAM_3DS, then the PaymentMethodToken will be mapped to TabaPay's card.mobilePay fields. See the mapping below:Google Pay PaymentMethodToken | TabaPay card.mobilePay |
|---|---|
| pan | accountNumber |
| expirationMonth expirationYear | expirationDate YYYYMM |
| cryptogram | cryptogram |
| eciIndicator (optional) | eciIndicator (optional) |
The network of the card used (Visa, MasterCard, etc.) is mapped to the
network in the card.mobilePay. The type of card (debit, credit, prepaid, etc.) is mapped to the type in card.mobilePay.If the
authMethod is PAN_ONLY, then the Google Pay PaymentMethodToken will be mapped to TabaPay's card.accountNumber and card.expirationDate fields.Google Pay PaymentMethodToken | TabaPay card |
|---|---|
| pan | accountNumber |
| expirationMonth expirationYear | expirationDate YYYYMM |
If the merchant's PCI-compliance does not allow card-handling then the merchant will rely entirely on TabaPay to decrypt the PaymentMethodToken.
How do I use a Google Pay
PaymentMethodToken for Create Transaction?- Use the
card.deviceobject - In the
card.device:card.devicefieldValue Notes id "GooglePay|GooglePayMerchantID" GooglePay
is a static value
GooglePayMerchantID is the Google Pay merchantId you registered with Googleblob unaltered, URL-safe base64 encoded, fully encrypted Google Pay PaymentMethodTokenNo padding or spaces in your blob, remove any trailing =
before sending the request - Fill in the remaining required information for Create Transaction.
How do I test Google Pay for Create Transaction?
You can test in our Sandbox today if you are enabled by our support and operations teams. Ensure any PaymentMethodTokens you send are produced in the ENVIRONMENT_TEST.
If you are enabled to test Google Pay in Sandbox, but are not a registered (and approved) Google Pay merchant, use
or GooglePayVisa
piped with (GooglePayMasterCard|
id in the card.device object. See examples below:
GooglePayVisa|GooglePayMerchantId
GooglePayMasterCard|GooglePayMerchantId
Refer to the above FAQ: How do I support Google Pay as a merchant? for formatting your Google Pay merchantId.
The responses from Google Pay will stay consistent with the current Create Transaction responses.
How do I create the
card.device.blob?- Take the UNALTERED, encrypted
PaymentMethodToken:{"signature":"MEUCIHDD0DQ9XYJrerxeI0LpCQyFmqFqpJgHeeLqJDhF0z8TAiEA20LF0JUwEmE1dz2BFUgii3NFHzXDDmgsvBTHcdLVZ30\u003d","intermediateSigningKey":{"signedKey":"{\"keyValue\":\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEr6dAac0eKNSjPE4er6DsMA4oTaoUXMERhL+7OOISIKhvo8K5OVrIuWfvKHYE2DNAmZkHSwitRs49gMHs5Q7aeA\\u003d\\u003d\",\"keyExpiration\":\"1606934885430\"}","signatures":["MEYCIQC/uS8hLRz8eZ2aQ4gi50HFW4IxEZcZ8Jj1hJwjaMCCHQIhAI0ry1VEAzGBu0hHrtGfvT11ZqnqFSjEupYS59+lG7NB"]},"protocolVersion":"ECv2","signedMessage":"{\"encryptedMessage\":\"aew8n0SadRGeorqyYSQCcufpnUU1d0+9D0TaCA+WIvSmY8IKtsVzXIJ0Wzsy2dIFHABzlaO5QpB+afyBZpqxET1v5t5bdjPhIREBDL3alkL2Hpteaz5xev+MD2e+JjCpwxhsKk0c8K/7uUDMUeu5Qt4sF+GvrPw4MheAWimNUb2JF+sqEGWmlmNxkOkz0D12xFH43avRkjlctcnNDWLGYhxiROBxePd1Hc5n6O5Nfc+nfx5HhjfNwm3R2Ey2WfVTwzd9pJ7xxXS/nd71C+cCSuIdMRDqgZxzjvSIMvkA8BBDSPTIAaurXo04uQRbqt+XW1JKOGSJkv7YccEUvnYnyDhP9YFCV6K8B7iCIMsvoKy1uaCVXNosjUKb3GuS3XvB8O8pylvuOWy0WMWK7zP3hGW8k5ruKTLadr2cytaBVt+5/oe7xkH8epjoVnuaNGgzZFl0blKwVtidLxKZ5S518oaZ6wu/+KkIDXR/2gCRk+oTPO2J9w8HoFJXuGWN1wLpdJ2nWdg4U3p83w/MEx7pUHGjcMDAdKvjnYrIMJwhRJBdqSyvCPdb574Uqbp1VUstDaBmHUR5xWVV8tBEj4lPq9C93nJdK3vsK078tAPmUwCyRkX2YwCbPrF7g8kVMuVwG7bgw4pn6BtgLaqkUD2xajWweRk\\u003d\",\"ephemeralPublicKey\":\"BOhQaWVgF2TAnFeypb/wxVGGSaSGlPfprP/ajMOI59VP6P/coWpWmMHrzi3IXI2AhaIHHrwM7xhsBheb6sxh8lQ\\u003d\",\"tag\":\"BGdAtaVKKP5vv6kTw9uJCZASdy8M0BAIUdTl/y/0vgU\\u003d\"}"} - URL-safe base64 encode to produce the
card.device.blobeyJzaWduYXR1cmUiOiJNRVVDSUhERDBEUTlYWUpyZXJ4ZUkwTHBDUXlGbXFGcXBKZ0hlZUxxSkRoRjB6OFRBaUVBMjBMRjBKVXdFbUUxZHoyQkZVZ2lpM05GSHpYRERtZ3N2QlRIY2RMVlozMFx1MDAzZCIsImludGVybWVkaWF0ZVNpZ25pbmdLZXkiOnsic2lnbmVkS2V5Ijoie1wia2V5VmFsdWVcIjpcIk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRXI2ZEFhYzBlS05TalBFNGVyNkRzTUE0b1Rhb1VYTUVSaEwrN09PSVNJS2h2bzhLNU9Wckl1V2Z2S0hZRTJETkFtWmtIU3dpdFJzNDlnTUhzNVE3YWVBXFx1MDAzZFxcdTAwM2RcIixcImtleUV4cGlyYXRpb25cIjpcIjE2MDY5MzQ4ODU0MzBcIn0iLCJzaWduYXR1cmVzIjpbIk1FWUNJUUMvdVM4aExSejhlWjJhUTRnaTUwSEZXNEl4RVpjWjhKajFoSndqYU1DQ0hRSWhBSTByeTFWRUF6R0J1MGhIcnRHZnZUMTFacW5xRlNqRXVwWVM1OStsRzdOQiJdfSwicHJvdG9jb2xWZXJzaW9uIjoiRUN2MiIsInNpZ25lZE1lc3NhZ2UiOiJ7XCJlbmNyeXB0ZWRNZXNzYWdlXCI6XCJhZXc4bjBTYWRSR2VvcnF5WVNRQ2N1ZnBuVVUxZDArOUQwVGFDQStXSXZTbVk4SUt0c1Z6WElKMFd6c3kyZElGSEFCemxhTzVRcEIrYWZ5QlpwcXhFVDF2NXQ1YmRqUGhJUkVCREwzYWxrTDJIcHRlYXo1eGV2K01EMmUrSmpDcHd4aHNLazBjOEsvN3VVRE1VZXU1UXQ0c0YrR3ZyUHc0TWhlQVdpbU5VYjJKRitzcUVHV21sbU54a09rejBEMTJ4Rkg0M2F2UmtqbGN0Y25ORFdMR1loeGlST0J4ZVBkMUhjNW42TzVOZmMrbmZ4NUhoamZOd20zUjJFeTJXZlZUd3pkOXBKN3h4WFMvbmQ3MUMrY0NTdUlkTVJEcWdaeHpqdlNJTXZrQThCQkRTUFRJQWF1clhvMDR1UVJicXQrWFcxSktPR1NKa3Y3WWNjRVV2bllueURoUDlZRkNWNks4QjdpQ0lNc3ZvS3kxdWFDVlhOb3NqVUtiM0d1UzNYdkI4TzhweWx2dU9XeTBXTVdLN3pQM2hHVzhrNXJ1S1RMYWRyMmN5dGFCVnQrNS9vZTd4a0g4ZXBqb1ZudWFOR2d6WkZsMGJsS3dWdGlkTHhLWjVTNTE4b2FaNnd1LytLa0lEWFIvMmdDUmsrb1RQTzJKOXc4SG9GSlh1R1dOMXdMcGRKMm5XZGc0VTNwODN3L01FeDdwVUhHamNNREFkS3ZqbllySU1Kd2hSSkJkcVN5dkNQZGI1NzRVcWJwMVZVc3REYUJtSFVSNXhXVlY4dEJFajRsUHE5QzkzbkpkSzN2c0swNzh0QVBtVXdDeVJrWDJZd0NiUHJGN2c4a1ZNdVZ3RzdiZ3c0cG42QnRnTGFxa1VEMnhhald3ZVJrXFx1MDAzZFwiLFwiZXBoZW1lcmFsUHVibGljS2V5XCI6XCJCT2hRYVdWZ0YyVEFuRmV5cGIvd3hWR0dTYVNHbFBmcHJQL2FqTU9JNTlWUDZQL2NvV3BXbU1IcnppM0lYSTJBaGFJSEhyd003eGhzQmhlYjZzeGg4bFFcXHUwMDNkXCIsXCJ0YWdcIjpcIkJHZEF0YVZLS1A1dnY2a1R3OXVKQ1pBU2R5OE0wQkFJVWRUbC95LzB2Z1VcXHUwMDNkXCJ9In0
Still have questions?
See our Google Pay Processor Page.
ACH / RTP FAQ
What fields are configurable in an ACH Bank Statement?
| Bank Statement Field | TabaPay default | Override |
|---|---|---|
| Company Name | Merchant Name Configured during on-boarding | Soft Descriptor Name |
What shows up on an RTP Bank Statement?
- Reference Number
- Date
- Name of Sender
- Name of Ultimate Sender ("Payment on behalf of...")
- Amount
What fields are configurable in an RTP Bank Statement?
| Bank Statement Field | TabaPay default | Configurable? | Override |
|---|---|---|---|
| Reference Number | referenceID | No | N/A |
| Date | Date of RTP Request | No | N/A |
| Name of Sender | Merchant Name Configured during on-boarding | Yes | Soft Descriptor Name |
| Name of Ultimate Sender | N/A | Yes | Corresponding Name |
| Amount | amount | N | N/A |
How can I reverse an RTP Transaction?
Send the request for reversal to help@Tabapay.com with the original Network ID. The reversal request must be no more than 24 hours from the original.
Clients WebSite FAQ
Limited availability...Passphrase
Refreshing Transaction Data
Refreshing the Transactions Web Page at intervals below 60 seconds does not do anything and just results in the same data being returned. Transaction Data is updated on the backends every 60 seconds.
Repeating trying to refresh Transaction Data may cause our WAF and/or IDS/IPS to blacklist you and eventually your access will be revoked.
SLA
| WebSite | Operational Times |
|---|---|
| Clients WebSite | Mon - Fri between 6am PT - 9pm PT |
| ClientsOps WebSite | Mon - Fri between 9am PT - 6pm PT |
Anti-Pattern FAQ
We have seen many different things from Clients while using the TabaPay API. Anti-Patterns will cause your IP Addresses to be automatically blocked by our WAF and/or IDS/IPS. Certain other Anti-Patterns will cause the TabaPay API to return either SC=429 or SC=503 or SC=423.So what are some Anti-Patterns we have seen from Clients while using the TabaPay API?
Retrieve by ReferenceID
You should only use the Retrieve by ReferenceID in the rare case when the connection is lost and you do not have:
- the AccountID
- the TransactionID
You should always use:
- the AccountID
- the TransactionID
4XX Errors
See Coding FAQ.
404 Errors
Using the API to tell you that a Resource is not found:
409 Errors
Using the API to tell you that you are reusing a ReferenceID:
Other Error Behaviors
- Repetitively retrying an API request even though you are getting a Status Code of 406...
- Creating multiple Accounts with the same Card Number
- Repetitively retrying the same API request with the same parameters, such as:
- ReferenceID (for Account or Transaction)
- KeyID
- AccountID
- TransactionID
What is the issue?
- the TabaPay API System was built (and optimized) for Transaction Processing
- the TabaPay API System was not built (and optimized) for Other Processing Tasks like:
- Creating and Managing Accounts
- Determining if an Account was previously created already or not
- Determining if a Transaction was previously submitted already or not
| API | Expected Usage |
|---|---|
| Retrieve Client | 0 % |
| Create Key | 0 to 1 % |
| Retrieve Key | 0 % |
| Delete Key | 0 % |
| Query Card | 39 % |
| Create Account | 5 % |
| Retrieve Account | 0 to 1 % |
| Update Account | 0 to 1 % |
| Delete Account | 0 to 1 % |
| Create Transaction | 47 % |
| Retrieve Transaction | 0 % |
| Delete Transaction | 6 % |
If you are outside these expected usage, your ClientID may be detected to be performing Anti-Pattern behavior and is subject to our Anti-Pattern Behavior Detection. You might want to consider using our future TabaPay PayFac Platform, see Future FAQ.
Our Anti-Pattern Behavior Detection has actually already caught numerous bugs in a few of our clients' code. So it does really work, but unfortunately we will need to protect our Systems from a runaway bug, so we will have to stop this behavior before it causes any issues... This means:
- Returning SC=429, Too many Requests
- Returning SC=503, Forbidden, Permissions
- Returning SC=423, Locked
- Removing IPs whitelisted for the Client
What are some Real Life Issues we have seen
Here is what we have seen so far:
A client doesn't know what transactions they sent to us, so they were sending a Retrieve Transaction with ReferenceID for all the possible Transactions they have Created even those not processed by us, so >99% of all this traffic was a Retrieve Transaction failure with SC=404, Not Found. That was >99%...
A client doesn't know what transactions they sent to us, so they were sending us 10 calls to Retrieve Transaction with ReferenceID (not actual but just an example) of:
- 000001-0
- 000001-1
- 000001-2
- 000001-3
- 000001-4
- 000001-5
- 000001-6
- 000001-7
- 000001-8
- 000001-9
What was incorrect?
- Doing a Retrieve by ReferenceID
- But the biggest concern was them not knowing if they sent the transaction or not
A client was using us to determine if an account was already added or not, so they were sending us a Create Account and expecting:
- 200 - new
- 409 - duplicate
Another client was using us to determine if an account was already added or not, so they were sending us a Retrieve Account with ReferenceID (not actual but just an example) of:
- 123v1
- 123v1
- 123v2
- 234v1
- 234v1
- 234v1
What was incorrect?
- >90%
- Doing a Retrieve by ReferenceID
- Doing a Retrieve with the same ReferenceID multiple times
This same client was also doing this behavior:
- Query Card
- Create Account
- Delete Account
So, what is the issue?
We are also holding a lot of inactive:
- Accounts
- Keys
- Accounts
- Retrieve Account
- Retrieve Transaction
- Create Account
- Create Transaction
From a Real Life Example described above:
Just think if all the clients where sending us requests where >90% of all these requests were basically useless.
Duplicate Card Check FAQ
The Duplicate Card Check feature will check if a Card Number is already in use by another Account. It can be used on the following:You will need permissions to use the Duplicate Card Check feature as there will be an extra charge (fee) for using this feature.How does Duplicate Card Check work?
You must always use the extra Query String Parameters on the following:
- CreateAccount
- RejectDuplicateCard
- OKToAddDuplicateCard
- UpdateAccount
- RejectDuplicateCard
- OKToUpdateDuplicateCard
- DeleteAccount
- DeleteDuplicateCard
What if I want to add an Account that is using a Card Number that is already used by another AccountID?
- For CreateAccount use:
- OKToAddDuplicateCard
- For UpdateAccount use:
- OKToUpdateDuplicateCard
Can I mix the usage of using the Query Parameters and not using the Query Parameters?
No
If you do, then the Duplicate Card Check feature might no longer be valid.
So, if you decide to do this (mixing), you might as well NOT use this feature, since using this feature will incur an extra charge (fee)...
Errors?
- CreateAccount
Status Code Account Created? Duplicate Card Check 200 ✔ Yes ✔ Yes, No Match 207 ✔ Yes ✘ Processing Error 409 ✘ No ✔ Yes, Match - UpdateAccount
Status Code Account Updated? Duplicate Card Check 200 ✔ Yes ✔ Yes, No Match 207 ✔ Yes ✘ Processing Error 409 ✘ No ✔ Yes, Match - DeleteAccount
Status Code Account Deleted? Duplicate Card Check 200 ✔ Yes ✔ Yes 207 ✔ Yes ✘ Processing Error
Future FAQ
What are our Future Feature Plans?UAT Environment
Authorization Tokens
- Authorization Tokens can Expire
- You will be able to change your Authorization Token
TabaPay PayFac Platform
- Future