NAPAS SYSTEM
TECHNICAL SPECIFICATION
Version 3.5.3
Document Control
| Version | Date | Author | Reviewer | Note |
|---|---|---|---|---|
| 3.0 | 17-Oct-2017 | Do Viet Thanh | Nguyen Thi Tuyet | Initial version. |
| 3.1 | 20-Jun-2018 | Do Viet Thanh | Nguyen Thi Tuyet | Added response code for Domestic card transaction. |
| 3.2 | 25-Jan-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Order information added and is mandatory in DATA_KEY transaction. Note for checking amount when receive response from Napas. Added CASHIN transaction type. |
| 3.2.1 | 14-Jun-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Added Submerchant information for Whitelabel service. |
| 3.2.2 | 02-Jul-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Remove bannerUrl parameter in Hosted Checkout method. Added QRECOM as a cardScheme option in Hosted Checkout method. Added CREATE_QR transaction. |
| 3.2.3 | 18-Jul-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Support merchant-hosted for processing domestic card via PurchaseOtp transaction. |
| 3.2.4 | 08-Aug-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Whitelabel service only requires submerchant.code as mandatory field. Update Response Code table. |
| 3.3 | 10-Nov-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Added PURCHASE_WITH_RETURNED_TOKEN supports merchant-hosted for processing Pay and save domestic card details. |
| 3.4 | 21-Nov-2019 | Do Viet Thanh | Nguyen Thi Tuyet | Added RETRIEVE_TOKEN transaction. Support promoBin parameter in Hosted Checkout. |
| 3.4.1 | 10-Apr-2021 | Do Viet Thanh | Nguyen Thi Tuyet | Added description for serviceCode parameter. |
| 3.4.2 | 10-May-2021 | Do Viet Thanh | Nguyen Thi Tuyet | Update response code table. |
| 3.5 | 04-Mar-2022 | Do Viet Thanh | Nguyen Thi Tuyet | Added PURCHASE_ACCOUNT and FAST_PAY. Merge 4.8 PURCHASE_WITH_RETURNED_TOKEN with 4.3 PURCHASE_OTP description. |
| 3.5.1 | 07-Jul-2022 | Tran Thi Nhung | Nguyen Thi Tuyet | Added required information need to pass to Napas when using account payment service (for merchant hosted only) |
| 3.5.2 | 20-Dec-2022 | Tran Thi Nhung | Do Viet Thanh | Update response code table. Update details for IPN response. |
| 3.5.3 | 14-Feb-2023 | Tran Thi Nhung | Do Viet Thanh | Update API url from developer.napas.com.vn to developer.napas.com.vn |

1 Introduction
1.1 Audience
1.2 Scope
1.3 Support
1.4 How to Use this Document
2 Technical Specification
2.1 Security Access Control
2.1.1 The OAuth 2.0 Authorization
2.1.2 SSL Protocol
2.2 Test Information
2.2.1 Authentication Information
2.2.2 Card Information
3 Hosted Checkout Implementation
3.1 Data Key transaction
3.2 Pay / Pay with returned Token / Create Token – integrate with Napas Hosted Form
3.3 Pay / Pay with returned Token / Create Token – integrate with Napas Payment Page
3.4 Receive response from Napas
4 Direct API Implementation
4.1 Pay / Authorize / Capture / Void / Refund (for International Card Processing); FastPay / Refund Domestic transaction (for Domestic Card Processing)
4.2 Pay with 3DSecure transaction
4.3 Purchase OTP transaction / Purchase with returned Token transaction / Purchase Account transaction (integrate with Napas Hosted Checkout)
4.4 Retrieve Order transaction
4.5 Delete Token transaction
4.6 Create QR transaction
4.7 Error parameters
4.8 Retrieve Token transaction
5 Response Code
5.1 International Card Process
5.2 Domestic Card Process
6 Appendix A: Napas Hosted Form Screenshots
6.1 Create Token transaction with Credit card
6.2 Pay / Pay with returned Token transaction with Atm card and QRCode
7 Appendix B: Transaction flow
7.1 Pay with 3DSecure transaction flow
8 Appendix C: Required Information for Purchase Account
1 Introduction
1.1 Audience
This document is intended to be used by developers, technical personnel and business analysts
to facilitate a successful integration by a partner to the Napas System.
This is reflected in the layout of the document, which covers the submission of data to the
Napas System.
1.2 Scope
This document describes the interfaces, messages, data formats, and responses used for
integration to the Napas System. The focus of this document is the integration of the token
payments method.
This is a technical API document and as such is concerned with specific message formats.
The services covered in this document are Token transactions.
1.3 Support
For any assistance or information pertaining to existing or new Napas System services, contact
Napas System Support.
All API’s fields are described by their attributes:
Field Usage:
2 Technical Specification
2.1 Security Access Control
2.1.1 The OAuth 2.0 Authorization
OAuth 2 is an authorization framework that enables applications to obtain limited access to
user accounts on an HTTP service, such as Facebook, Google, or GitHub. It works by delegating
user authentication to the service that hosts the user account, and authorizing third-party
applications to access the user account. OAuth 2 provides authorization flows for web and
desktop applications, and mobile devices.
Protocol Flow:
2.2 Test Information
2.2.1 Authentication Information
Authentication endpoint: https://developer.napas.com.vn/api/rest/version/v2/oauth/token
Authentication elements:
- grant_type: password
- client_id: APITEST
- client_secret: TT3F6AM5UQZXJEJXAWJ8CHVC9ZJ02A51
- username: apitest
- password: fPJFVp5qnCWeFmtd
3 Hosted Checkout Implementation
3.1 Data Key transaction
Partner uses this transaction to initialize the order and obtain the secure keys needed for
integrating Napas Hosted Checkout.
URL: https://developer.napas.com.vn/api/rest/version/32/merchant/{merchantId}/datakey
HTTP Method: POST
Content-Type: Application/json
Authentication: This operation requires authentication via the following method: OAuth2 (see section 2.1 “Security Access Control”).
Fields detail

| Field name | Field type | Request / Response Message | Description |
|---|---|---|---|
| apiOperation | string | R R | DATA_KEY: Request to obtain secure keys for integrating Napas Hosted Form. |
| inputParameters | | | Input parameters data group. |

UNKNOWN: The result of the operation is unknown
ERROR: The operation was rejected during validation

| Field name | Field type | Request / Response Message | Description |
|---|---|---|---|
| dataKey | string | C | A system-generated string that represents the session of merchant which wants to do server-hosted form. |
| napasKey | string | C | A system-generated string used for security reasons. This is a public key, used in checking signature of Napas. |

3.2 Pay / Pay with returned Token / Create Token – integrate with Napas Hosted Form
- Pay: Customer pays for goods / services only.
- Pay with returned Token: Customer pays for goods / services, and also receives a
Token that can be used for payment afterwards.
- Create Token: Customer inputs card information, then receives a Token that can be
used for payment afterwards (this flow only supports Branded Card).
To integrate Napas Hosted Form, partner must obtain dataKey and napasKey (refer to 3.1.
DataKey transaction), then generate an HTML script as below:
<!-- dataKey and napasKey are the values returned by the DATA_KEY transaction (section 3.1) -->
<form id="merchant-form" action="https://web.merchant.com/result-page" method="POST"></form>
<div id="napas-widget-container"></div>
<script
  type="text/javascript"
  id="napas-widget-script"
  src="https://dps-staging.napas.com.vn/api/restjs/resources/js/napas.hostedform.min.js"
  merchantId="APITEST"
  clientIP="192.168.1.1"
  deviceId="ID_12345678"
  environment="WebApp"
  cardScheme="CreditCard"
  enable3DSecure="true"
  apiOperation="PAY"
  orderAmount="150000"
  orderCurrency="VND"
  orderId="ORD_841015"
  channel="7399"
  sourceOfFundsType="CARD"
  dataKey="232BBF38F081EB94C086E1BDC20E155C9C381FF2104E0A91ADA2B16B86206449D56CE780D2AD5ED8E29C83B4AF515C656CCDD34C377D4A90"
  napasKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX0yRwcCBZIMrOhtdr2eO2hLlLtSmGERW+NM1LoXLbg11fWPucJkqwqtLFrVHwPs6RR5wqsOk7UNf8PDLEgZFB3ybUed/XeWKpSBuDO+pZf5neVCZ0blzDfZlaNaY3IL34QIgu9/zq/BlyjbIu/BSKl//Ugatc+bVRJX0+uD1XJwIDAQAB:MIIBsDCCARkCBgFaR+TbpTANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTE3MDIxNjE3MDc0NVoXDTE3MDIxNzE3MDc0NVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAl9MkcHAgWSDKzobXa9njtoS5S7UphhEVvjTNS6Fy24NdX1j7nCZKsKrSxa1R8D7OkUecKrDpO1DX/DwyxIGRQd8m1Hnf13liqUgbgzvqWX+Z3lQmdG5cw32ZWjWmNyC9+ECILvf86vwZco2yLvwUipf/1IGrXPm1USV9Prg9VycCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBIUEse2etILP+33D9YZbgU0efBRcSa94pgyC2ErymvHwWXMs9urF2hyK3Xy7+Ul8mg4m0iDVwBIBv0X1T0cQACe07ZOpu4M2B4XpdGri4Y8KDuoHMSb23w4IhvneFUOWf0+kXbJoczKalT/y8Y866zn9OOTLPdUbsxZ5Kto5WLXw=="
>
</script>
Parameters details

| Field name | Field Type | Description | Pay | Pay with returned Token | Create Token |
|---|---|---|---|---|---|
| action | string | URL of the webpage that shows transaction result, includes https://... | R | R | R |
| deviceId | string | Customer’s identifier, this will be returned after processing transaction | RE | RE | RE |
| submerchantCode | string | Code of submerchant (required if partner is using Whitelabel service) | C | C | C |

3.3 Pay / Pay with returned Token / Create Token – integrate with Napas Payment Page
- Pay: Customer pays for goods / services only.
- Pay with returned Token: Customer pays for goods / services, and also receives a
Token that can be used for payment afterwards.
- Create Token: Customer inputs card information, then receives a Token that can be
used for payment afterwards (this flow only supports International branded card).
To integrate Napas Payment Page, partner must obtain dataKey and napasKey (refer to 3.1.
DataKey transaction), then generate an HTML script as below:
<!-- dataKey and napasKey are the values returned by the DATA_KEY transaction (section 3.1) -->
<form id="merchant-form" action="https://web.merchant.com/result-page" method="POST"></form>
<div id="napas-widget-container"></div>
<script
  type="text/javascript"
  id="napas-widget-script"
  src="https://dps-staging.napas.com.vn/api/restjs/resources/js/napas.paymentpage.min.js"
  merchantId="APITEST"
  clientIP="192.168.1.1"
  deviceId="ID_12345678"
  environment="WebApp"
  cardScheme="CreditCard"
  enable3DSecure="true"
  apiOperation="PAY"
  orderAmount="150000"
  orderCurrency="VND"
  orderId="ORD_841015"
  channel="7399"
  sourceOfFundsType="CARD"
  dataKey="232BBF38F081EB94C086E1BDC20E155C9C381FF2104E0A91ADA2B16B86206449D56CE780D2AD5ED8E29C83B4AF515C656CCDD34C377D4A90"
  napasKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX0yRwcCBZIMrOhtdr2eO2hLlLtSmGERW+NM1LoXLbg11fWPucJkqwqtLFrVHwPs6RR5wqsOk7UNf8PDLEgZFB3ybUed/XeWKpSBuDO+pZf5neVCZ0blzDfZlaNaY3IL34QIgu9/zq/BlyjbIu/BSKl//Ugatc+bVRJX0+uD1XJwIDAQAB:MIIBsDCCARkCBgFaR+TbpTANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTE3MDIxNjE3MDc0NVoXDTE3MDIxNzE3MDc0NVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAl9MkcHAgWSDKzobXa9njtoS5S7UphhEVvjTNS6Fy24NdX1j7nCZKsKrSxa1R8D7OkUecKrDpO1DX/DwyxIGRQd8m1Hnf13liqUgbgzvqWX+Z3lQmdG5cw32ZWjWmNyC9+ECILvf86vwZco2yLvwUipf/1IGrXPm1USV9Prg9VycCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBIUEse2etILP+33D9YZbgU0efBRcSa94pgyC2ErymvHwWXMs9urF2hyK3Xy7+Ul8mg4m0iDVwBIBv0X1T0cQACe07ZOpu4M2B4XpdGri4Y8KDuoHMSb23w4IhvneFUOWf0+kXbJoczKalT/y8Y866zn9OOTLPdUbsxZ5Kto5WLXw=="
>
</script>
Parameters details

| Field name | Field Type | Description | Pay | Pay with returned Token | Create Token |
|---|---|---|---|---|---|
| action | string | URL of the webpage that shows transaction result, includes https://... | R | R | R |
| deviceId | string | Customer’s identifier, this will be returned after processing transaction | RE | RE | RE |
| submerchantCode | string | Code of submerchant (required if merchant is using Whitelabel service) | C | C | C |

3.4 Receive response from Napas
Partner will receive the response in 2 separate ways:
- Form Submit: the result is submitted to the URL defined in the action parameter.
The result is included in the napasResult parameter.
- IPN: the result is sent by POST to the IPN URL that Partner has registered with Napas.
The result is included in requestBody.
* Napas sends the result via IPN in case of a successful transaction. In some limited cases, when
the issuer bank verifies the OTP on its own page, the result sent via IPN might be success or
failure, depending on the verification process at the bank’s page.
* Partner should be aware of duplicate records of a successful transaction when receiving both
the Form Submit and the IPN result.
* It is recommended that partner uses both methods to update the transaction status in their
database. Relying on only one of the above methods could lead to a pending transaction result.
* Partner must carefully check the captured amount and compare it with the initial order amount
once the response from Napas is received. If there is any discrepancy, hold the transaction in
pending status and report the issue to Napas immediately.
checksum string Checksum of the data, calculated by sha256(data + client_secret), used to verify that the data string is from Napas.
Value must be a member of the following list. The values are case sensitive.
FAILURE: The operation was declined or rejected by the gateway, acquirer or issuer
tokenResult.card Card data group
tokenResult.card.brand string The brand name used to describe the card that is recognized and accepted globally.
tokenResult.card.scheme string The organization that owns a card brand and defines operating regulations for its use.
paymentResult Result of the Payment transaction, refer to 4.1 Pay transaction, response message for details.
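
The checks that section 3.4 asks of the partner, as an added example (not code from the Napas specification): recompute the checksum as sha256(data + client_secret), apply a result that arrives by both Form Submit and IPN only once, and hold a successful result whose amount differs from the order. Assumptions: the received message is a dict with `data` and `checksum` keys, the checksum is hex, `data` is JSON carrying `paymentResult.result` and `paymentResult.order.id/amount/currency`, and the secret, the second order id and the in-memory order store are constructed placeholders.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

FINAL_FAILURES = {"FAILURE", "ERROR"}  # result values listed in this document


def checksum_ok(data: str, checksum: str, client_secret: str) -> bool:
    """Recompute sha256(data + client_secret) and compare in constant time."""
    expected = hashlib.sha256((data + client_secret).encode("utf-8")).hexdigest()
    # Assumption: hex digest; case and surrounding whitespace are ignored.
    supplied = checksum.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected.encode("ascii"), supplied)


def apply_result(envelope: dict, orders: dict, client_secret: str) -> str:
    """Apply one Form Submit or IPN message to the merchant's order store.

    Returns REJECTED, DUPLICATE, PENDING, FAILED, HELD or PAID.
    """
    data, checksum = envelope.get("data"), envelope.get("checksum")
    if not isinstance(data, str) or not isinstance(checksum, str):
        return "REJECTED"
    # Verify before parsing: nothing inside `data` is trusted until this passes.
    if not checksum_ok(data, checksum, client_secret):
        return "REJECTED"
    try:
        payment = json.loads(data)["paymentResult"]
        order_id = payment["order"]["id"]
        amount = Decimal(str(payment["order"]["amount"]))
        currency = payment["order"]["currency"]
        result = payment["result"]
        if not amount.is_finite():
            raise InvalidOperation("non-finite amount")
    except (ValueError, KeyError, TypeError, InvalidOperation):
        return "REJECTED"
    order = orders.get(order_id) if isinstance(order_id, str) else None
    if order is None:
        return "REJECTED"          # unknown order: never create one from a callback
    if order["status"] != "PENDING":
        return "DUPLICATE"         # already settled by the other channel
    if result in FINAL_FAILURES:
        order["status"] = "FAILED"
        return "FAILED"
    if result != "SUCCESS":
        return "PENDING"           # PENDING / UNKNOWN: leave the order open
    # Compare with the amount stored when the order was created, not with
    # anything the browser sent back. Decimal treats 150000 and 150000.00 as equal.
    if amount != order["amount"] or currency != order["currency"]:
        order["status"] = "HELD"   # keep pending for review and report to Napas
        return "HELD"
    order["status"] = "PAID"
    return "PAID"


# Constructed sample input below: placeholder secret and orders, not captured traffic.
SAMPLE_SECRET = "EXAMPLE_CLIENT_SECRET"


def sample_envelope(order_id: str, amount: str, result: str = "SUCCESS") -> dict:
    """Build a message the way this example assumes Napas does."""
    data = json.dumps({"paymentResult": {
        "result": result,
        "order": {"id": order_id, "amount": amount, "currency": "VND"}}})
    digest = hashlib.sha256((data + SAMPLE_SECRET).encode("utf-8")).hexdigest()
    return {"data": data, "checksum": digest}


def sample_orders() -> dict:
    """Orders as the merchant stored them when the DATA_KEY request was made."""
    return {
        "ORD_841015": {"amount": Decimal("150000"), "currency": "VND", "status": "PENDING"},
        "ORD_841016": {"amount": Decimal("150000"), "currency": "VND", "status": "PENDING"},
    }


if __name__ == "__main__":
    orders = sample_orders()
    message = sample_envelope("ORD_841015", "150000.00")
    print("form submit:", apply_result(message, orders, SAMPLE_SECRET))
    print("ipn repeat :", apply_result(message, orders, SAMPLE_SECRET))
    low = sample_envelope("ORD_841016", "15000")
    print("low amount :", apply_result(low, orders, SAMPLE_SECRET))
    altered = dict(message, data=message["data"].replace("150000.00", "1.00"))
    print("altered    :", apply_result(altered, sample_orders(), SAMPLE_SECRET))
```

In a real integration the status check and update must run in one database transaction, otherwise a Form Submit and an IPN arriving together can both see the order as pending.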
4 Direct API Implementation
4.1 Pay / Authorize / Capture / Void / Refund (for International Card Processing)
FastPay / Refund Domestic transaction (for Domestic Card Processing)
Partner uses the following information to integrate with Napas system:
URL: https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/order/{orderId}/transaction/{transactionId}
HTTP Method: PUT
Content-Type: Application/json
Authentication: This operation requires authentication via the following method: OAuth2 (see section 2.1 “Security Access Control”).
Validation: orderId and transactionId must be unique, length must be less than 40 chars.
Fields detail

| Field name | Field type | Request / Response Message | Description |
|---|---|---|---|
| apiOperation | | R R | PAY: Authorise the payment and transfer funds; AUTHORIZE: Request to obtain an authorization for a proposed funds transfer; CAPTURE: Request to capture funds previously reserved by an authorization; VOID: Request to void a previous transaction; REFUND: Request to refund previously captured funds to the payer; REFUND_DOMESTIC: Request to refund previously captured funds to the payer (for previous domestic transaction); FAST_PAY: authorize the payment with card information, bypass second authentication method. |
| authorizationResponse | | | Authorization response data group. Information on fields returned by some acquirers for an authorization or pay transaction. |
| authorizationResponse.cardSecurityCodeError | Data can consist of any characters | C | CSC Incorrect Indicator. An indicator, provided by the Issuer in the authorization response, to identify the presence of an invalid card security code (CSC). If there is an error, the Issuer will respond with the 1-byte CSC Error Code (Y). |
| authorizationResponse.commercialCard | Data can consist of any characters | C | Indicates if the card used is a commercial card |
| authorizationResponse.CommercialCardIndicator | Data can consist of any characters | C | Indicates the type of commercial card as returned by the card issuer |
| authorizationResponse.date | Data can consist of any characters | C | The local date, in MMDD format, on which the transaction occurred. |
| authorizationResponse.financialNetworkDate | Data must comply with ISO 8601 extended date format, yyyy-mm-dd | C | The date for the Authorization as returned by the financial network. For transactions processed via the MasterCard Network this is the MasterCard Network Reference Date. |
| authorizationResponse.processingCode | Data can consist of any characters | C | Identifies the type of Card Transaction sent to Card Acceptor. |
| authorizationResponse.responseCode | Data can consist of any characters | C | The response code which indicates the status of the transaction |
| authorizationResponse.responseMessage | Data can consist of any characters | C | Textual description of the acquirer response code for displaying on terminals |
| authorizationResponse.returnAci | Data can consist of any characters | C | The ACI (Authorization Characteristics Indicator) returned by the issuer |
| authorizationResponse.stan | Data can consist of any characters | C | The System Trace Audit Number is assigned by a transaction originator to assist in identifying a Card Transaction. The trace number remains unchanged for the life of the Card Transaction. |
| authorizationResponse.time | Data can consist of any characters | C | The local time, in HHMMSS format, during which the transaction occurred |
| authorizationResponse.TransactionIdentifier | Data can consist of any characters | C | The unique identifier for the transaction returned by the issuer |
| authorizationResponse.validationCode | Data can consist of any characters | C | The validation code returned by the issuer. This value must be stored to be sent with the capture transaction. |
| correlationId | Data can consist of any characters | O C | A transient identifier for the request, that can be used to match the response to the request. The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request |
| customer | | | Customer data group. Information associated with the customer's source of transaction |
| customer.email | Ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses | O C | The email address of the customer. The field format restriction ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses. |
| customer.firstName | Data can consist of any characters | O C | The payer's first name |
| customer.lastName | Data can consist of any characters | O C | The payer's last or surname |
| customer.mobilePhone | Data can consist of any characters | O C | The contact person's mobile phone or cell phone number. |
| customer.phone | Data can consist of any characters | O C | The phone number of the person to whom the order is being billed |
| device | | | Device information data group. Information associated with the device's source of transaction. |
| device.ipAddress | Data can consist of any characters | O C | The IP address of the computer used by the customer, in nnn.nnn.nnn.nnn format |
| merchantId | | R | Id of merchant |
| order | | | Order data group. Information about the order associated with this transaction |
| order.amount | Data is a string that consists of the characters 0-9 and '.' and represents a valid decimal number | R R | The total amount for the order. |
| order.creationTime | An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ" | R | The timestamp indicating the time the gateway considers the order to have been created |
| order.reference | Data can consist of any characters | O C | The identifier of the order. For example, a shopping cart number, an order number, or an invoice number. |
| order.currency | Data must consist of the characters A-Z | R R | The currency of the order expressed as an ISO 4217 alpha code, e.g. USD |
| order.id | Data can consist of any characters | R | A unique identifier for this order to distinguish it from any other order you create. Use this identifier when referring to this order in subsequent transactions and in retrieval operations. This value must be unique for every order created by your merchant profile. |
| order.totalAuthorizedAmount | A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted | R | The amount that has been successfully authorized for this order. Max value: 1000000000000. Min value: 0. Maximum post-decimal digits: 3 |
| order.totalCapturedAmount | A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted | R | The amount that has been successfully captured for this order. Max value: 1000000000000. Min value: 0. Maximum post-decimal digits: 3 |
| order.totalRefundedAmount | | R | The amount that has been successfully refunded for this order. Max value: 1000000000000. Min value: 0. Maximum post-decimal digits: 3 |
| redirectUrl | Data can consist of any characters | C | The URL to which you want to redirect the payer after completing the payer authentication process. * Required in Verify Card transaction, which uses card information |
| response | | | Response data group |
| response.acquirerCode | Data consists of ASCII characters | C | Value as generated by the acquirer that summarizes the success or otherwise of the proposed operation |
| response.acquirerMessage | Data consists of ASCII characters | C | The response from the acquirer in the text form. This field is used in addition to response.acquirerCode for some acquirers where additional information needs to be communicated. For example, contact details to allow the merchant to contact the issuer directly to seek authorisation for the transaction. |


DECLINED_CSC: Transaction declined due to card security code
DECLINED_AVS_CSC: Transaction declined due to address verification and card security code
DECLINED_PAYMENT_PLAN: Transaction declined due to payment plan
APPROVED_PENDING_SETTLEMENT: Transaction Approved - pending batch settlement
PARTIALLY_APPROVED: The transaction was approved for a lesser amount than requested. The approved amount is returned in order.totalAuthorizedAmount.
UNKNOWN: Response unknown


| Field name | Field type | Request / Response Message | Description |
|---|---|---|---|
| result | | R | A system-generated high level overall result of the operation. Value must be a member of the following list. The values are case sensitive. SUCCESS: The operation was successfully processed; PENDING: The operation is currently in progress or pending processing; FAILURE: The operation was declined or rejected by the gateway, acquirer or issuer; UNKNOWN: The result of the operation is unknown; ERROR: The operation was rejected during validation |
| serviceCode | | C | AUTOPAY: only use for recurring payments. |
| sourceOfFunds | | | Source of fund data group. Information about the payment type selected by the payer for this payment and the source of the funds. Depending on the payment type the source of the funds can be a debit or credit card, bank account, or account with a browser payment provider (such as PayPal). |
| sourceOfFunds.provided | | | Source of fund provided data group. Information about the source of funds when it is directly provided (as opposed to via a token or session). |

characters 0-9.
sourceOfFunds.provide Data can C The issuer of the card, if known.
d.card.issuer consist of any WARNING: This information may be incorrect or incomplete – use at your own
characters risk.
sourceOfFunds.provide Data is a O C For the local purpose
d.card.issuerCode string that Issuer code of local bank
consist of the
characters 0-9
sourceOfFunds.provide Data can C C The cardholder's name as printed on the card
d.card.nameOnCard consist of any
characters
sourceOfFunds.provide Data is a C C Card issue date, shown on the card.
d.card.issueDate string that MMYY format.
consist of the
characters 0-9
sourceOfFunds.provide Data is a C O Credit card number as printed on the card.
d.card.number string that
consist of the
characters 0-9
sourceOfFunds.provide R The organization that owns a card brand and defines operating regulations for its
d.card.scheme use.
The card scheme also controls authorization and settlement of card transactions
among issuers and acquirers.
Value must be a member of the following list. The values are case sensitive.
AMEX: American Express
DINERS_CLUB: Diners Club
DISCOVER: Discover
JCB: JCB (Japan Credit Bureau)
MASTERCARD: MasterCard
UATP: UATP (Universal Air Travel Plan)
VISA: Visa
OTHER: The scheme of the card used in the transaction could not be identified.
sourceOfFunds.provide Data may C The code used to indicate the existence of the Card Security Code value
d.card. consist of the
securityCodePresence characters 0-
9, a-z, A-Z
sourceOfFunds.provide Data is a C O Card verification code, as printed on the back or front of the card
d. string that
card.securityCode consist of the
characters 0-9
sourceOfFunds.token Data may C C Uniquely identifies a card and associated details
consist of the
characters 0-
9, a-z, A-Z
sourceOfFunds.type R C The payment method your payer has chosen for this payment.
Value must be a member of the following list. The values are case sensitive.
CARD: The payer selected to pay using a credit or debit card. The payer's card
details must be provided.
In case of token using, please send this parameter with value CARD.
submerchant Submerchant data group
submerchant.code Data may C C Code of submerchant.
consist of the This field is required if merchant is using Whitelabel service.
characters 0-
9, a-z, A-Z
submerchant.name Data may C C Name of submerchant.
consist of the
characters 0-
9, a-z, A-Z
submerchant.referenceI Data may C C ReferenceId of submerchant.
d consist of the
23
characters 0-
9, a-z, A-Z
timeOfRecord An instant in C Transaction Date.
time The date when the transaction happened.The time the gateway considers the
expressed in operation to have occurred. The gateway uses timeOfRecord as a point-in-time
ISO8601 date value for operations such as sorting, billing, and reporting.
+ time format
- "YYYY-
MM-
DDThh:mm:s
s.SSSZ"
transaction Transaction data group.
Information about this transaction.
transaction.acquirer Acquirer data group.
Information about this transaction
transaction.acquirer.id Data can R The ID for the acquirer used to process the transaction
consist of any
characters
transaction.acquirer.mer Data can C The Acquirer Merchant Identifier (also known as Card Acceptor Identification
chantId consist of any Code (CAIC)) is an identifier allocated to you by your acquirer.
characters
transaction.acquirer.tim Data can C The time the transaction was processed, as returned by the acquirer
e consist of any Not returned by most acquirers
characters
transaction.acquirer.tran Data can C Identifier used by the acquirer to identify the transaction.
sactionId consist of any This identifier may be used by the acquirer in settlement reports.
characters
transaction.amount A sequence of C R The total amount for the transaction
digits 0-9 maximum value: 1000000000000
separated by a minimum value: 0
'.' as a maximum post-decimal digits: 3
decimal *Required in Capture / Refund transaction
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
transaction.authorizatio Data consists C Value generated by the issuing bank in response to a proposal to transfer funds
nCode of ASCII
characters
transaction.currency Data must C R The currency of the transaction expressed as an ISO 4217 alpha code, e.g. USD
consist of the *Required in Capture / Refund transaction
characters A-
Z
transaction.id Data can R Unique identifier for this transaction to distinguish it from any other transactions
consist of any on the order
characters
transaction.receipt Data consists C The Reference Retrieval Number (RRN) is a unique number generated by the
of ASCII acquirer for a specific merchant transaction.
characters The RRN can be used to retrieve the transaction data from the acquirer.
transaction.reference Data can C An optional identifier for this transaction.
consist of any
characters
transaction.requestedA A sequence of C If the transaction was partially approved
mount digits 0-9 (response.gatewayCode=PARTIALLY_APPROVED), this field contains the
separated by a originally requested amount.
'.' as a The transaction amount (transaction.amount) and order amount (order.amount)
decimal are both set to the actually approved amount.
indicator.
Leading and
trailing zeroes maximum value: 1000000000000
24
are optional. minimum value: 0
If the maximum post-decimal digits: 3
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
transaction.targetTransa Data can C C The identifier for the transaction you wish to void or refund.
ctionId consist of any That is the {transactionId} URL field for REST and the transaction.id field for
characters NVP.
*Required in Void transaction
transaction.type R Indicates the type of action performed on the order.
Value must be a member of the following list. The values are case sensitive.
AUTHORIZATION: Authorization
AUTHORIZATION_UPDATE: Authorization Update
BALANCE_ENQUIRY: Balance Enquiry
CAPTURE: Capture
CREDIT_PAYMENT: Credit Payment
ORDER_AGREEMENT: Order Agreement
PRE_AUTHORIZATION: Pre-Authorization
PAYMENT: Payment (Purchase)
REFUND: Refund
VOID_AUTHORIZATION: Void Authorization
VOID_CAPTURE: Void Capture
VOID_CREDIT_PAYMENT: Void Credit Payment
VOID_PAYMENT: Void Payment
VOID_REFUND: Void Refund
VERIFICATION: Verification
REFUND_REQUEST: Refund Request
OTHER: Other transaction types
QR_PUSH: Payment by QRCode
transaction.otp Data consists O O One-time password, used for local purposes
of a-z, A-Z,
0-9 characters
transaction.typeOfVerif C C Indicates the type of verification performed with debit/atm card.
ication Value must be a member of the following list. The values are case sensitive.
OTP: in this case, transaction.otp will contain the OTP value sent to payer
(payer inputs this value).
PIN: in this case, transaction.otp will contain the PIN value (payer inputs this
value).
channel Data consists of R O The system uses MCC clarification from standard industry. Proper values will
0-9 characters be sent to merchant.
version Data can C The Web Services API version that you submitted the request in
consist of any
characters
4.2 Pay with 3DSecure transaction
Partners use the following information to integrate with the Napas system:
URL: https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/order/{orderId}/transaction/{transactionId}/3DSecureId/{3DSecureId}
HTTP Method: PUT
Content-Type: Application/json
Authentication: This operation requires authentication via the following method: OAuth2 (see section 2.1 “Security Access Control”).
Validation: orderId, transactionId and 3DSecureId must be unique; length must be less than 40 characters.
Please refer to Appendix B, Pay with 3DSecure transaction flow, for more information on
how the transaction is processed.
Fields detail
Field name | Field type | Request Message | Response Message | Description
apiOperation R R PAY_WITH_3DS: Authorise the payment and transfer funds, which includes a
3DSecure process that identifies the cardholder.
3DSecure Information on 3DSecure fields.
3DSecure.authenticatio A collection of parameters required to build the HTML form that is redirected
nRedirect to the ACS.
3DSecure.authenticatio The simple field is the response returned to those merchants who have chosen
nRedirect.simple the simple option for form submission.
3DSecure.authenticatio Data can C The generated form to post to the cardholder’s browser.
nRedirect.simple.htmlB consist of any
odyContent characters
3DSecure.authenticatio Data can R The URL to which you want to redirect the payer after completing the payer
nRedirect.responseUrl consist of any authentication process.
characters
3Dsecure.summaryStat Data can C The summarized response from the card issuer and the payment gateway
us consist of any indicating the overall status of the attempt to authenticate the cardholder.
characters
3DSecure.xid A unique transaction identifier generated by the Payment Gateway on behalf of
the merchant to identify the 3DS transaction.
3DSecureId Data can C A unique identifier supplied by the merchant for the authentication.
consist of any
characters
authorizationResponse Authorization response data group.
Information on fields returned by some acquirers for an authorization or pay
transaction.
authorizationResponse. Data can C CSC Incorrect Indicator.
cardSecurityCodeError consist of any An indicator, provided by the Issuer in the authorization response, to identify
characters the presence of an invalid card security code (CSC). If there is an error, the
Issuer will respond with the 1-byte CSC Error Code (Y).
authorizationResponse. Data can C Indicates if the card used is a commercial card
commercialCard consist of any
characters
authorizationResponse. Data can C Indicates the type of commercial card as returned by the card issuer
CommercialCardIndicat consist of any
or characters
authorizationResponse. Data can C The local date, in MMDD format, on which the transaction occurred.
date consist of any
characters
authorizationResponse. Data must C The date for the Authorization as returned by the financial network.
financialNetworkDate comply with For transactions processed via the MasterCard Network this is the MasterCard
ISO 8601 Network Reference Date.
extended date
format, yyyy-
mm-dd
authorizationResponse. Data can C Identifies the type of Card Transaction sent to Card Acceptor.
processingCode consist of any
characters
authorizationResponse.r Data can C The response code which indicates the status of the transaction
esponseCode consist of any
characters
authorizationResponse.r Data can C Textual description of the acquirer response code for displaying on terminals
esponseMessage consist of any
characters
authorizationResponse.r Data can C The ACI (Authorization Characteristics Indicator) returned by the issuer
eturnAci consist of any
characters
authorizationResponse.s Data can C The System Trace Audit Number is assigned by a transaction originator to
tan consist of any assist in identifying a Card Transaction.
characters The trace number remains unchanged for the life of the Card Transaction.
authorizationResponse.t Data can C The local time, in HHMMSS format, during which the transaction occurred
ime consist of any
characters
authorizationResponse. Data can C The unique identifier for the transaction returned by the issuer
TransactionIdentifier consist of any
characters
authorizationResponse. Data can C The validation code returned by the issuer.
validationCode consist of any This value must be stored to be sent with the capture transaction.
characters
correlationId Data can O C A transient identifier for the request, that can be used to match the response to
consist of any the request
characters The value provided is not validated, does not persist in the gateway, and is
returned as provided in the response to the request
customer Customer data group.
Information associated with the customer's source of transaction
customer.email Ensures that O C The email address of the customer.
the email The field format restriction ensures that the email address is longer than 3
address is characters and adheres to a generous subset of valid RFC 2822 email
longer than 3 addresses.
characters and
adheres to a
generous
subset of
valid RFC
2822 email
addresses
customer.firstName Data can O C The payer's first name
consist of any
characters
customer.lastName Data can O C The payer's last or surname
consist of any
characters
customer.mobilePhone Data can O C The contact person's mobile phone or cell phone number.
consist of any
characters
customer.phone Data can O C The phone number of the person to whom the order is being billed
consist of any
characters
device Device information data group.
Information associated with the device's source of transaction.
device.ipAddress Data can O C The IP address of the computer used by the customer, in nnn.nnn.nnn.nnn
consist of any format
characters
merchantId R Id of merchant
order Order data group.
Information about the order associated with this transaction
order.amount Data is a R R The total amount for the order.
string that
consists of the
characters 0-9
and '.' and
represents a
valid decimal
number
order.creationTime An instant in R The timestamp indicating the time the gateway considers the order to have
time been created
expressed in
ISO8601 date
+ time format
- "YYYY-
MM-
DDThh:mm:s
s.SSSZ"
order.reference Data can O C The identifier of the order.
consist of any For example, a shopping cart number, an order number, or an invoice number.
characters
order.currency Data must R R The currency of the order expressed as an ISO 4217 alpha code, e.g. USD
consist of the
characters A-
Z
order.id Data can R A unique identifier for this order to distinguish it from any other order you
consist of any create.
characters Use this identifier when referring to this order in subsequent transactions and in
retrieval operations.
This value must be unique for every order created by your merchant profile.
order.totalAuthorizedA A sequence of R The amount that has been successfully authorized for this order.
mount digits 0-9 Max value:1000000000000
separated by a
Min value: 0
'.' as a
decimal maximum post-decimal digits: 3
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
order.totalCapturedAm A sequence of R The amount that has been successfully captured for this order
ount digits 0-9 Max value:1000000000000
separated by a
Min value: 0
'.' as a
decimal maximum post-decimal digits: 3
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
order.totalRefundedAm R The amount that has been successfully refunded for this order
ount Max value:1000000000000
Min value: 0
maximum post-decimal digits: 3
response Response data group
response.3DSecure The response code which indicates the status.
response.3DSecure.gate C The detailed response from the payment gateway to indicate the status of the
wayCode 3DS authentication.
response.acquirerCode Data consists C Value as generated by the acquirer that summarizes the success or otherwise of
of ASCII the proposed operation
characters
response.acquirerMessa Data consists C The response from the acquirer in the text form.
ge of ASCII This field is used in addition to response.acquirerCode for some acquirers
characters where additional information needs to be communicated. For example, contact
details to allow the merchant to contact the issuer directly to seek authorisation
for the transaction.
LOCK_FAILURE: Order locked - another transaction is in progress for this
order
SUBMITTED: Transaction submitted - response has not yet been received
NOT_ENROLLED_3D_SECURE: Card holder is not enrolled in 3D Secure
PENDING: Transaction is pending
EXCEEDED_RETRY_LIMIT: Transaction retry limit exceeded
DUPLICATE_BATCH: Transaction declined due to duplicate batch
DECLINED_AVS: Transaction declined due to address verification
DECLINED_CSC: Transaction declined due to card security code
DECLINED_AVS_CSC: Transaction declined due to address verification and
card security code
DECLINED_PAYMENT_PLAN: Transaction declined due to payment plan
APPROVED_PENDING_SETTLEMENT: Transaction Approved - pending
batch settlement
PARTIALLY_APPROVED: The transaction was approved for a lesser amount
than requested. The approved amount is returned in
order.totalAuthorizedAmount.
UNKNOWN: Response unknown
result R A system-generated high level overall result of the operation
Value must be a member of the following list. The values are case sensitive.
SUCCESS: The operation was successfully processed
PENDING: The operation is currently in progress or pending processing
FAILURE: The operation was declined or rejected by the gateway, acquirer or
issuer
UNKNOWN: The result of the operation is unknown
ERROR: The operation was rejected during validation
serviceCode O Reserved for future use
sourceOfFunds Source of fund data group.
Information about the payment type selected by the payer for this payment and
the source of the funds.
Depending on the payment type the source of the funds can be a debit or credit
card, bank account, or account with a browser payment provider (such as
PayPal).
sourceOfFunds.provide Source of fund provided data group.
d Information about the source of funds when it is directly provided (as opposed
to via a token or session).
sourceOfFunds.provide Data is a C R Month, as shown on the card.
d.card.expiry.month number Months are numbered January=1, through to December=12.
between 1
and 12
represented as
a string.
sourceOfFunds.provide Data is a C R Year, as shown on the card.
d.card.expiry.year string that The Common Era year is 2000 plus this value.
consists of the
characters 0-
9.
sourceOfFunds.provide Data can C The issuer of the card, if known.
d.card.issuer consist of any WARNING: This information may be incorrect or incomplete – use at your
characters own risk.
sourceOfFunds.provide Data is a O C For the local purpose
d.card.issuerCode string that Issuer code of local bank
consists of the
characters 0-9
sourceOfFunds.provide Data can O C The cardholder's name as printed on the card
d.card.nameOnCard consist of any
characters
sourceOfFunds.provide Data is a O C Card issue date, shown on the card.
d.card.issueDate string that MMYY format.
consists of the
characters 0-9
sourceOfFunds.provide Data is a O O Credit card number as printed on the card.
d.card.number string that
consists of the
characters 0-9
sourceOfFunds.provide R The organization that owns a card brand and defines operating regulations for
d.card.scheme its use.
The card scheme also controls authorization and settlement of card transactions
among issuers and acquirers.
Value must be a member of the following list. The values are case sensitive.
AMEX: American Express
DINERS_CLUB: Diners Club
DISCOVER: Discover
JCB: JCB (Japan Credit Bureau)
MASTERCARD: MasterCard
UATP: UATP (Universal Air Travel Plan)
VISA: Visa
OTHER: The scheme of the card used in the transaction could not be
identified.
sourceOfFunds.provide Data may C The code used to indicate the existence of the Card Security Code value
d.card. consist of the
securityCodePresence characters 0-
9, a-z, A-Z
sourceOfFunds.provide Data is a O O Card verification code, as printed on the back or front of the card
d. string that
card.securityCode consists of the
characters 0-9
sourceOfFunds.token Data may O C Uniquely identifies a card and associated details
consist of the
characters 0-
9, a-z, A-Z
sourceOfFunds.type C The payment method your payer has chosen for this payment.
Value must be a member of the following list. The values are case sensitive.
CARD: The payer selected to pay using a credit or debit card. The payer's card
details must be provided.
In case of token using, please send this parameter with value CARD.
submerchant Submerchant data group
submerchant.code Data may C C Code of submerchant.
consist of the This field is required if merchant is using Whitelabel service.
characters 0-
9, a-z, A-Z
submerchant.name Data may C C Name of submerchant.
consist of the
characters 0-
9, a-z, A-Z
submerchant.referenceI Data may C C ReferenceId of submerchant.
d consist of the
characters 0-
9, a-z, A-Z
timeOfRecord An instant in C Transaction Date.
time The date when the transaction happened. The time the gateway considers the
expressed in operation to have occurred. The gateway uses timeOfRecord as a point-in-time
ISO8601 date value for operations such as sorting, billing, and reporting.
+ time format
- "YYYY-
MM-
DDThh:mm:s
s.SSSZ"
transaction Transaction data group.
Information about this transaction.
transaction.acquirer Acquirer data group.
Information about this transaction
transaction.acquirer.id Data can R The ID for the acquirer used to process the transaction
consist of any
characters
transaction.acquirer.mer Data can C The Acquirer Merchant Identifier (also known as Card Acceptor Identification
chantId consist of any Code (CAIC)) is an identifier allocated to you by your acquirer.
characters
transaction.acquirer.tim Data can C The time the transaction was processed, as returned by the acquirer
e consist of any Not returned by most acquirers
characters
transaction.acquirer.tran Data can C Identifier used by the acquirer to identify the transaction.
sactionId consist of any This identifier may be used by the acquirer in settlement reports.
characters
transaction.amount A sequence of R The total amount for the transaction
digits 0-9 maximum value: 1000000000000
separated by a minimum value: 0
'.' as a maximum post-decimal digits: 3
decimal
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
transaction.authorizatio Data consists C Value generated by the issuing bank in response to a proposal to transfer funds
nCode of ASCII
characters
transaction.currency Data must R The currency of the transaction expressed as an ISO 4217 alpha code, e.g. USD
consist of the
characters A-
Z
transaction.id Data can R Unique identifier for this transaction to distinguish it from any other
consist of any transactions on the order
characters
transaction.receipt Data consists C The Reference Retrieval Number (RRN) is a unique number generated by the
of ASCII acquirer for a specific merchant transaction.
characters The RRN can be used to retrieve the transaction data from the acquirer.
transaction.reference Data can C An optional identifier for this transaction.
consist of any
characters
transaction.requestedA A sequence of C If the transaction was partially approved
mount digits 0-9 (response.gatewayCode=PARTIALLY_APPROVED), this field contains the
separated by a originally requested amount.
'.' as a The transaction amount (transaction.amount) and order amount (order.amount)
decimal are both set to the actually approved amount.
indicator.
Leading and
trailing zeroes maximum value: 1000000000000
are optional. minimum value: 0
If the maximum post-decimal digits: 3
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
transaction.targetTransa Data can O C The identifier for the transaction you wish to void or refund.
ctionId consist of any That is the {transactionId} URL field for REST and the transaction.id field for
characters NVP.
transaction.type R Indicates the type of action performed on the order.
Value must be a member of the following list. The values are case sensitive.
AUTHORIZATION: Authorization
AUTHORIZATION_UPDATE: Authorization Update
BALANCE_ENQUIRY: Balance Enquiry
CAPTURE: Capture
CREDIT_PAYMENT: Credit Payment
ORDER_AGREEMENT: Order Agreement
PRE_AUTHORIZATION: Pre-Authorization
PAYMENT: Payment (Purchase)
REFUND: Refund
VOID_AUTHORIZATION: Void Authorization
VOID_CAPTURE: Void Capture
VOID_CREDIT_PAYMENT: Void Credit Payment
VOID_PAYMENT: Void Payment
VOID_REFUND: Void Refund
VERIFICATION: Verification
REFUND_REQUEST: Refund Request
OTHER: Other transaction types
transaction.otp Data consists O O One-time password, used for local purposes
of a-z, A-Z,
0-9 characters
transaction.typeOfVerif C C Indicates the type of verification performed with debit/atm card.
ication Value must be a member of the following list. The values are case sensitive.
OTP: in this case, transaction.otp will contain the OTP value sent to payer
(payer inputs this value).
PIN: in this case, transaction.otp will contain the PIN value (payer inputs this
value).
channel Data consists of R O The system uses MCC clarification from standard industry. Proper values will
0-9 characters be sent to merchant.
language O O Optional.
Value is case sensitive and must be one of the following:
- vn: Vietnamese language is used in web UI. This is the default value if
this field is not sent to Napas or its value is not in the approved list.
- en: English language is used in web UI
version Data can C The Web Services API version that you submitted the request in
consist of any
characters
Important note for this transaction:
Based on the status of the card’s 3DSecure enrollment, the partner can receive 2 different results,
as follows:
• If the card is enrolled with 3DS, the partner will receive a SUCCESS result with the
htmlBodyContent field, which includes an HTML snippet used to send the customer to the
Issuer Bank’s Access Control Server in order to authorize the cardholder.
After the customer finishes the purchase, the partner will receive the response in 2 ways:
o Form Submit: the result will be submitted to the URL in the
3DSecure.authenticationRedirect.responseUrl parameter.
The result will be included in the napasResult parameter.
o IPN: the result will be POSTed to the IPN URL that the partner has registered with Napas.
The result will be included in requestBody.
For the data structure of the response, please refer to 3.4 Receive response from Napas.
* If the transaction is completed (customer successfully authorizes 3DS), Napas will
send the result via IPN.
* The partner should be aware of duplicate records of a successful transaction when
receiving both the Form Submit and the IPN result.
* It is recommended that the partner use both methods to update the transaction status
in their database. Relying on only one of the above methods could lead to a pending
transaction result.
* The partner must carefully check the captured amount and compare it with the initial
order amount once the response from Napas is received. If there is any discrepancy, please
hold the transaction in pending status and report the issue to Napas immediately.
• If the card is not enrolled with 3DS, the partner will receive the final result of the payment
transaction. There is no IPN result for this case.
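The handling this note recommends, as an added example that is not part of the Napas specification: one handler applied to both the Form Submit and the IPN result, which ignores the duplicate delivery and holds the order when the captured amount differs from the stored order amount. It assumes the result has already been authenticated and decoded (section 3.4) into a dict that uses the field names from the tables above; the sample payloads, order ids and local status names are constructed.

```python
import re
from decimal import Decimal

# Amount format from the field tables: digits 0-9 with '.' as decimal
# indicator, at most 3 post-decimal digits, value from 0 to 1000000000000.
AMOUNT_RE = re.compile(r"[0-9]+(\.[0-9]{1,3})?|\.[0-9]{1,3}")
MAX_AMOUNT = Decimal("1000000000000")
RESULTS = {"SUCCESS", "PENDING", "FAILURE", "UNKNOWN", "ERROR"}  # case sensitive
FINAL = {"PAID", "FAILED", "HOLD_PENDING"}  # local statuses (hypothetical names)


def parse_amount(text):
    """Return the amount as a Decimal, or raise ValueError if it is malformed."""
    if not isinstance(text, str) or not AMOUNT_RE.fullmatch(text):
        raise ValueError("malformed amount: %r" % (text,))
    value = Decimal(text)  # Decimal, not float: no rounding surprises on money
    if value > MAX_AMOUNT:
        raise ValueError("amount above maximum: %r" % (text,))
    return value


def outcome_for(order, payload, order_part):
    """Map one gateway result onto a local order status."""
    result = payload.get("result")
    if result not in RESULTS:
        return "HOLD_PENDING"          # unexpected value: hold for review
    if result in ("PENDING", "UNKNOWN"):
        return "PENDING"               # not final yet, wait for the other channel
    if result in ("FAILURE", "ERROR"):
        return "FAILED"
    # result == "SUCCESS": compare what was captured with what we asked for.
    response = payload.get("response")
    code = response.get("gatewayCode") if isinstance(response, dict) else None
    try:
        captured = parse_amount(order_part.get("totalCapturedAmount"))
    except ValueError:
        return "HOLD_PENDING"
    if (code == "PARTIALLY_APPROVED"
            or captured != order["amount"]
            or order_part.get("currency") != order["currency"]):
        return "HOLD_PENDING"          # discrepancy: hold and report to Napas
    return "PAID"


def apply_result(orders, payload, channel):
    """Apply a Form Submit or IPN result once; repeated deliveries are no-ops."""
    if channel not in ("FORM_SUBMIT", "IPN"):
        raise ValueError("unknown channel: %r" % (channel,))
    order_part = payload.get("order")
    if not isinstance(order_part, dict) or not isinstance(order_part.get("id"), str):
        return "UNKNOWN_ORDER"
    order = orders.get(order_part["id"])
    if order is None:
        return "UNKNOWN_ORDER"
    order.setdefault("channels", set()).add(channel)
    outcome = outcome_for(order, payload, order_part)
    if order["status"] in FINAL:
        if outcome in (order["status"], "PENDING"):
            return "DUPLICATE"         # second delivery of the same result
        order["status"] = "HOLD_PENDING"
        return "CONFLICT"              # the two channels disagree
    order["status"] = outcome
    return outcome


def demo():
    """Run constructed sample results through the handler."""
    orders = {
        "ORD-1001": {"amount": Decimal("150000"), "currency": "VND", "status": "PENDING"},
        "ORD-1002": {"amount": Decimal("200000"), "currency": "VND", "status": "PENDING"},
    }
    ok = {"result": "SUCCESS", "response": {"gatewayCode": "APPROVED"},
          "order": {"id": "ORD-1001", "currency": "VND",
                    "totalCapturedAmount": "150000.00"}}
    short = {"result": "SUCCESS", "response": {"gatewayCode": "APPROVED"},
             "order": {"id": "ORD-1002", "currency": "VND",
                       "totalCapturedAmount": "20000"}}
    failed = {"result": "FAILURE", "order": {"id": "ORD-1001"}}
    return [
        apply_result(orders, ok, "FORM_SUBMIT"),   # first delivery updates the order
        apply_result(orders, ok, "IPN"),           # same result again via IPN
        apply_result(orders, short, "IPN"),        # captured amount is too low
        apply_result(orders, failed, "IPN"),       # contradicts the stored result
    ]


if __name__ == "__main__":
    print(demo())
```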
4.3 Purchase OTP transaction / Purchase with returned Token transaction / Purchase Account transaction (integrate with Napas Hosted Checkout)
Partners use the following information to integrate with the Napas system:
URL: https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/order/{orderId}/transaction/{transactionId}
HTTP Method: PUT
Content-Type: Application/json
Authentication: This operation requires authentication via the following method: OAuth2 (see section 2.1 “Security Access Control”).
Validation: orderId and transactionId must be unique; length must be less than 40 characters.
Fields detail
Field name | Field type | Request Message | Response Message | Description
apiOperation R R PURCHASE_OTP: Authorise the payment and transfer funds.
Verify card information (for debit card of local bank).
PURCHASE_WITH_RETURNED_TOKEN: Authorise the payment and
transfer funds, include tokenizing card details.
Verify card information (for debit card of local bank).
PURCHASE_ACCOUNT: Authorise the payment and transfer funds using
bank account information.
authorizationResponse Authorization response data group.
Information on fields returned by some acquirers for an authorization or pay
transaction.
authorizationResponse. Data can C CSC Incorrect Indicator.
cardSecurityCodeError consist of any An indicator, provided by the Issuer in the authorization response, to identify
characters the presence of an invalid card security code (CSC). If there is an error, the
Issuer will respond with the 1-byte CSC Error Code (Y).
authorizationResponse. Data can C Indicates if the card used is a commercial card
commercialCard consist of any
characters
authorizationResponse. Data can C Indicates the type of commercial card as returned by the card issuer
CommercialCardIndicat consist of any
or characters
authorizationResponse. Data can C The local date, in MMDD format, on which the transaction occurred.
date consist of any
characters
authorizationResponse. Data must C The date for the Authorization as returned by the financial network.
financialNetworkDate comply with For transactions processed via the MasterCard Network this is the MasterCard
ISO 8601 Network Reference Date.
extended date
format, yyyy-
mm-dd
authorizationResponse. Data can C Identifies the type of Card Transaction sent to Card Acceptor.
processingCode consist of any
characters
authorizationResponse.r Data can C The response code which indicates the status of the transaction
esponseCode consist of any
characters
authorizationResponse.r Data can C Textual description of the acquirer response code for displaying on terminals
esponseMessage consist of any
characters
authorizationResponse.r Data can C The ACI (Authorization Characteristics Indicator) returned by the issuer
eturnAci consist of any
characters
authorizationResponse.s Data can C The System Trace Audit Number is assigned by a transaction originator to
tan consist of any assist in identifying a Card Transaction.
characters The trace number remains unchanged for the life of the Card Transaction.
authorizationResponse.t Data can C The local time, in HHMMSS format, during which the transaction occurred
ime consist of any
characters
authorizationResponse. Data can C The unique identifier for the transaction returned by the issuer
TransactionIdentifier consist of any
characters
authorizationResponse. Data can C The validation code returned by the issuer.
validationCode consist of any This value must be stored to be sent with the capture transaction.
characters
correlationId Data can O C A transient identifier for the request, that can be used to match the response to
consist of any the request
characters The value provided is not validated, does not persist in the gateway, and is
returned as provided in the response to the request
customer Customer data group.
Information associated with the customer's source of transaction
customer.email Ensures that O C The email address of the customer.
the email The field format restriction ensures that the email address is longer than 3
address is characters and adheres to a generous subset of valid RFC 2822 email
longer than 3 addresses.
characters and
adheres to a
generous
subset of
valid RFC
2822 email
addresses
customer.firstName Data can O C The payer's first name
consist of any
characters
customer.lastName Data can O C The payer's last or surname
consist of any
characters
customer.mobilePhone Data can O C The contact person's mobile phone or cell phone number.
consist of any
characters
customer.phone Data can O C The phone number of the person to whom the order is being billed
consist of any
characters
device Device information data group.
Information associated with the device's source of transaction.
device.ipAddress Data can O C The IP address of the computer used by the customer, in nnn.nnn.nnn.nnn
consist of any format
characters
merchantId R Id of merchant
order Order data group.
Information about the order associated with this transaction
order.amount Data is a R R The total amount for the order.
string that
consists of the
characters 0-9
and '.' and
represents a
valid decimal
number
order.creationTime An instant in R The timestamp indicating the time the gateway considers the order to have
time been created
expressed in
ISO8601 date
+ time format
- "YYYY-
MM-
DDThh:mm:s
s.SSSZ"
order.reference Data can C C The identifier of the order.
consist of any For example, a shopping cart number, an order number, or an invoice number.
characters
For CASHIN transactions, this parameter is required and the value must start
with the “CASHIN” prefix
order.currency Data must R R The currency of the order expressed as an ISO 4217 alpha code, e.g. USD
consist of the
characters A-
Z
order.id Data can R A unique identifier for this order to distinguish it from any other order you
consist of any create.
characters Use this identifier when referring to this order in subsequent transactions and in
retrieval operations.
This value must be unique for every order created by your merchant profile.
order.totalAuthorizedA A sequence of R The amount that has been successfully authorized for this order.
mount digits 0-9 Max value:1000000000000
separated by a
Min value: 0
'.' as a
decimal maximum post-decimal digits: 3
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
order.totalCapturedAm A sequence of R The amount that has been successfully captured for this order
ount digits 0-9 Max value:1000000000000
separated by a
Min value: 0
'.' as a
decimal maximum post-decimal digits: 3
indicator.
Leading and
trailing zeroes
are optional.
If the
fractional part
is zero, the '.'
and following
zero(es) can
be omitted
order.totalRefundedAm R The amount that has been successfully refunded for this order
ount Max value:1000000000000
Min value: 0
maximum post-decimal digits: 3
response Response data group
response.acquirerCode Data consists C Value as generated by the acquirer that summarizes the success or otherwise of
of ASCII the proposed operation
characters
response.acquirerMessa Data consists C The response from the acquirer in the text form.
ge of ASCII This field is used in addition to response.acquirerCode for some acquirers
characters where additional information needs to be communicated. For example, contact
details to allow the merchant to contact the issuer directly to seek authorisation
for the transaction.
response.cardSecurityC Data consists C The acquirer CSC response code generated by the card issuing institution
ode.acquirerCode of ASCII
characters
response.cardSecurityC C The card security code result generated to indicate whether the data supplied
ode.gatewayCode matches the data held by the cardholder's issuing bank
Value must be a member of the following list. The values are case sensitive.
MATCH: Valid or matched.
NOT_PRESENT: Merchant indicated CSC not present on card.
NOT_PROCESSED: Not processed.
NOT_SUPPORTED: Card issuer is not registered and/or certified
NO_MATCH: Invalid or not matched.
response.cardholderVer Response cardholder verification data group.
ification
response.cardholderVer Response cardholder verification detailed verification data group.
ification. Results of the additional verification checks where an acquirer offers advanced
detailedVerification[n] cardholder verification and the data has been supplied in the Verify request.
response.cardholderVer C The result returned after the specified data type has been verified by the
ification. acquirer
detailedVerification[n]. Value must be a member of the following list. The values are case sensitive.
gatewayCode MATCHED: Data provided by cardholder matches record held by the
cardholder's issuing bank.
NOT_MATCHED: Data provided by cardholder does NOT match record held
by the cardholder's issuing bank.
NOT_PROVIDED: Verification could not be performed as data not provided.
NOT_CHECKED: Unable to perform verification checks on data provided.
SERVICE_NOT_SUPPORTED: Service currently not supported by acquirer
or merchant
SERVICE_NOT_AVAILABLE_RETRY: Issuer system is unavailable. Retry
can be attempted
response.gatewayCode R Summary of the success or otherwise of the proposed operation
Value must be a member of the following list. The values are case sensitive.
APPROVED: Transaction Approved
UNSPECIFIED_FAILURE: Transaction could not be processed
DECLINED: Transaction declined by issuer
TIMED_OUT: Response timed out
EXPIRED_CARD: Transaction declined due to expired card
INSUFFICIENT_FUNDS: Transaction declined due to insufficient funds
ACQUIRER_SYSTEM_ERROR: Acquirer system error occurred processing
the transaction
SYSTEM_ERROR: Internal system error occurred processing the transaction
NOT_SUPPORTED: Transaction type not supported
DECLINED_DO_NOT_CONTACT: Transaction declined - do not contact
issuer
ABORTED: Transaction aborted by payer
BLOCKED: Transaction blocked due to Risk or 3D Secure blocking rules
CANCELLED: Transaction cancelled by payer
DEFERRED_TRANSACTION_RECEIVED: Deferred transaction received
and awaiting processing
REFERRED: Transaction declined - refer to issuer
AUTHENTICATION_FAILED: 3D Secure authentication failed
INVALID_CSC: Invalid card security code
LOCK_FAILURE: Order locked - another transaction is in progress for this
order
SUBMITTED: Transaction submitted - response has not yet been received
NOT_ENROLLED_3D_SECURE: Card holder is not enrolled in 3D Secure
PENDING: Transaction is pending
EXCEEDED_RETRY_LIMIT: Transaction retry limit exceeded
DUPLICATE_BATCH: Transaction declined due to duplicate batch
DECLINED_AVS: Transaction declined due to address verification
DECLINED_CSC: Transaction declined due to card security code
DECLINED_AVS_CSC: Transaction declined due to address verification and
card security code
DECLINED_PAYMENT_PLAN: Transaction declined due to payment plan
APPROVED_PENDING_SETTLEMENT: Transaction Approved - pending
batch settlement
PARTIALLY_APPROVED: The transaction was approved for a lesser amount
than requested. The approved amount is returned in
order.totalAuthorizedAmount.
UNKNOWN: Response unknown
result R A system-generated high level overall result of the operation
Value must be a member of the following list. The values are case sensitive.
SUCCESS: The operation was successfully processed
PENDING: The operation is currently in progress or pending processing
FAILURE: The operation was declined or rejected by the gateway, acquirer or
issuer
UNKNOWN: The result of the operation is unknown
ERROR: The operation was rejected during validation
serviceCode O EC_CASHIN: used for cashin to e-wallet transaction
WHITELABEL: used for whitelabel payment gateway transaction
sourceOfFunds Source of fund data group.
Information about the payment type selected by the payer for this payment and
the source of the funds.
Depending on the payment type the source of the funds can be a debit or credit
card, bank account, or account with a browser payment provider (such as
PayPal).
sourceOfFunds.provided Source of fund provided data group.
Information about the source of funds when it is directly provided (as opposed
to via a token or session).
sourceOfFunds.provided.card.number Data is a string that consists of the characters 0-9 O O Credit card number as printed on the card.
sourceOfFunds.provided.card.scheme R The organization that owns a card brand and defines operating regulations for its use.
The card scheme also controls authorization and settlement of card transactions
among issuers and acquirers.
Value must be a member of the following list. The values are case sensitive.
AMEX: American Express
DINERS_CLUB: Diners Club
DISCOVER: Discover
JCB: JCB (Japan Credit Bureau)
MASTERCARD: MasterCard
UATP: UATP (Universal Air Travel Plan)
VISA: Visa
OTHER: The scheme of the card used in the transaction could not be identified.
sourceOfFunds.provided.account O C Source of fund provided account data group.
Details of the bank account.
sourceOfFunds.provided.account.issuerCode Data is a string that consists of the characters 0-9 O C Code of the issuing bank.
sourceOfFunds.provided.account.accountName Data is a string that consists of the characters A-Za-z O C Customer’s bank account name
sourceOfFunds.provided.account.accountNumber Data is a string that consists of the characters 0-9 O C Customer’s bank account number
sourceOfFunds.provided.account.identificationNumber Data is a string that consists of the characters 0-9A-Za-z O C Customer’s identification number or passport number
sourceOfFunds.provided.account.phoneNumber Data is a string that consists of the characters 0-9 O C Customer’s phone number (which is registered to the issuer bank)
sourceOfFunds.provided.account.ibUsername Data is a string that consists of the characters 0-9A-Za-z O C Customer’s internet banking username used to log in to the issuer bank’s internet banking
sourceOfFunds.provided.account.email Data is a string that consists of the characters 0-9A-Za-z._@ O C Customer’s email (which is registered to the issuer bank)
sourceOfFunds.provided.account.taxCode Data is a string that consists of the characters 0-9A-Za-z O C Customer’s tax code (which is registered to the issuer bank)
sourceOfFunds.provided.account.hardToken Data is a string that consists of the characters 0-9A-Za-z O C Customer’s hard token (which is provided by the issuer bank)
sourceOfFunds.provided.account.customerCode Data is a string that consists of the characters 0-9A-Za-z O C Customer’s customer code (which is provided by the issuer bank)
sourceOfFunds.token Data may consist of the characters 0-9, a-z, A-Z R C Uniquely identifies a card and associated details
sourceOfFunds.type R C The payment method your payer has chosen for this payment.
Value must be a member of the following list. The values are case sensitive.
CARD: The payer selected to pay using a credit or debit card. The payer's card
details must be provided.
When a token is used, send this parameter with the value CARD.
submerchant Submerchant data group
submerchant.code Data may consist of the characters 0-9, a-z, A-Z C C Code of submerchant.
This field is required if merchant is using Whitelabel service.
submerchant.name Data may consist of the characters 0-9, a-z, A-Z C C Name of submerchant.
submerchant.referenceId Data may consist of the characters 0-9, a-z, A-Z C C ReferenceId of submerchant.
timeOfRecord An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ" C Transaction Date.
The date when the transaction happened. The time the gateway considers the operation to have occurred. The gateway uses timeOfRecord as a point-in-time value for operations such as sorting, billing, and reporting.
transaction Transaction data group.
Information about this transaction.
transaction.acquirer Acquirer data group.
Information about this transaction
transaction.acquirer.id Data can consist of any characters R The ID for the acquirer used to process the transaction
transaction.acquirer.merchantId Data can consist of any characters C The Acquirer Merchant Identifier (also known as Card Acceptor Identification Code (CAIC)) is an identifier allocated to you by your acquirer.
transaction.acquirer.time Data can consist of any characters C The time the transaction was processed, as returned by the acquirer
Not returned by most acquirers
transaction.acquirer.transactionId Data can consist of any characters C Identifier used by the acquirer to identify the transaction.
This identifier may be used by the acquirer in settlement reports.
transaction.amount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted R The total amount for the transaction
maximum value: 1000000000000
minimum value: 0
maximum post-decimal digits: 3
transaction.authorizationCode Data consists of ASCII characters C Value generated by the issuing bank in response to a proposal to transfer funds
transaction.currency Data must consist of the characters A-Z R The currency of the transaction expressed as an ISO 4217 alpha code, e.g. USD
transaction.id Data can consist of any characters R Unique identifier for this transaction to distinguish it from any other transactions on the order
transaction.receipt Data consists of ASCII characters C The Reference Retrieval Number (RRN) is a unique number generated by the acquirer for a specific merchant transaction.
The RRN can be used to retrieve the transaction data from the acquirer.
transaction.reference Data can consist of any characters C An optional identifier for this transaction.
transaction.requestedAmount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted C If the transaction was partially approved (response.gatewayCode=PARTIALLY_APPROVED), this field contains the originally requested amount.
The transaction amount (transaction.amount) and order amount (order.amount) are both set to the actually approved amount.
maximum value: 1000000000000
minimum value: 0
maximum post-decimal digits: 3
transaction.targetTransactionId Data can consist of any characters O C The identifier for the transaction you wish to void or refund.
That is the {transactionId} URL field for REST and the transaction.id field for NVP.
transaction.type R Indicates the type of action performed on the order.
Value must be a member of the following list. The values are case sensitive.
AUTHORIZATION: Authorization
AUTHORIZATION_UPDATE: Authorization Update
BALANCE_ENQUIRY: Balance Enquiry
CAPTURE: Capture
CREDIT_PAYMENT: Credit Payment
ORDER_AGREEMENT: Order Agreement
PRE_AUTHORIZATION: Pre-Authorization
PAYMENT: Payment (Purchase)
REFUND: Refund
VOID_AUTHORIZATION: Void Authorization
VOID_CAPTURE: Void Capture
VOID_CREDIT_PAYMENT: Void Credit Payment
VOID_PAYMENT: Void Payment
VOID_REFUND: Void Refund
VERIFICATION: Verification
REFUND_REQUEST: Refund Request
OTHER: Other transaction types
transaction.otp Data consists of a-z, A-Z, 0-9 characters O O One time password, used for local purpose
transaction.typeOfVerification C C Indicates the type of verification performed with debit/atm card.
Value must be a member of the following list. The values are case sensitive.
OTP: in this case, transaction.otp will contain the OTP value sent to payer (payer inputs this value).
PIN: in this case, transaction.otp will contain the PIN value (payer inputs this value).
channel Data consists of 0-9 characters R O The system uses MCC clarification from standard industry. Proper values will be sent to merchant.
version Data can consist of any characters C The Web Services API version that you submitted the request in
inputParameters Input parameters data group.
Based on the status of the token/card at the time the transaction is initialized, the partner receives
one of the following results:
• The transaction result is other than SUCCESS: the token/card used is not eligible to
continue to payment. In this case the partner displays the error result to the customer.
• The transaction result is SUCCESS, with dataKey and napasKey returned: the partner then
generates an HTML script as below:
<form id="merchant-form" action="https://web.merchant.com/result-page"
method="POST"></form>
<div id="napas-widget-container"></div>
<script
type="text/javascript"
id="napas-widget-script"
src="https://dps-staging.napas.com.vn/api/restjs/resources/js/napas.paymentpage.min.js"
merchantId="APITEST"
clientIP="192.168.1.1"
deviceId="ID_12345678"
environment="WebApp"
cardScheme="AtmCard"
enable3DSecure="false"
apiOperation="PURCHASE_OTP"
orderId="ORD_841015"
channel="7399"
sourceOfFundsType="CARD"
dataKey="232BBF38F081EB94C086E1BDC20E155C9C381FF2104E0A91ADA2B16B86206449D56CE780D2
AD5ED8E29C83B4AF515C656CCDD34C377D4A90"
napasKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCX0yRwcCBZIMrOhtdr2eO2hLlLtSmGERW+N
M1LoXLbg11fWPucJkqwqtLFrVHwPs6RR5wqsOk7UNf8PDLEgZFB3ybUed/XeWKpSBuDO+pZf5neVCZ0blzD
fZlaNaY3IL34QIgu9/zq/BlyjbIu/BSKl//Ugatc+bVRJX0+uD1XJwIDAQAB:MIIBsDCCARkCBgFaR+TbpT
ANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTE3MDIxNjE3MDc0N
VoXDTE3MDIxNzE3MDc0NVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAl9MkcHAgWSDKzobXa9njtoS5S7UphhEVvjTNS6Fy24NdX1j7nCZKsKrSxa1R8D7
OkUecKrDpO1DX/DwyxIGRQd8m1Hnf13liqUgbgzvqWX+Z3lQmdG5cw32ZWjWmNyC9+ECILvf86vwZco2yLv
wUipf/1IGrXPm1USV9Prg9VycCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBIUEse2etILP+33D9YZbgU0efBR
cSa94pgyC2ErymvHwWXMs9urF2hyK3Xy7+Ul8mg4m0iDVwBIBv0X1T0cQACe07ZOpu4M2B4XpdGri4Y8KDu
oHMSb23w4IhvneFUOWf0+kXbJoczKalT/y8Y866zn9OOTLPdUbsxZ5Kto5WLXw=="
>
</script>
Parameters details
Field name Field Type Description
action string URL of the webpage that shows the transaction result, including https://... R
deviceId string Customer’s identifier; this will be returned after processing the transaction RE
enable3DSecure string Supports 3DSecure to authorize cardholder (always false with AtmCard) RE
false: disables 3DSecure flow
apiOperation string PURCHASE_OTP: payment with card details or token. RE
PURCHASE_WITH_RETURNED_TOKEN: pay and tokenize card details.
PURCHASE_ACCOUNT: payment with bank account information.
orderReference string Order short description (displayed on the form) R
For CASHIN transactions, the value must start with the “CASHIN” prefix
orderId String (max 40) Order identifier (must be unique) RE
channel string Partner business code R
dataKey string Secured key for communication with Napas R
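The markup above is generated per transaction from values that partly originate with the customer, so each attribute has to be checked against the parameter table and HTML-escaped before it is written into the page. The following is an added example, not code from Napas: the function name, the allowlist and the required set (fields marked R/RE that the sample also carries, plus napasKey) are assumptions, and the key values are placeholders.

```python
import html
from urllib.parse import urlsplit

# Widget script URL as shown in the specification's sample (staging host).
WIDGET_JS = ("https://dps-staging.napas.com.vn/api/restjs/resources/js/"
             "napas.paymentpage.min.js")
API_OPERATIONS = {"PURCHASE_OTP", "PURCHASE_WITH_RETURNED_TOKEN", "PURCHASE_ACCOUNT"}
# Attribute names taken from the sample script and the parameter table.
ALLOWED_ATTRS = ("merchantId", "clientIP", "deviceId", "environment", "cardScheme",
                 "enable3DSecure", "apiOperation", "orderId", "orderReference",
                 "channel", "sourceOfFundsType", "dataKey", "napasKey")
# Assumption: enforce the R/RE fields that the sample carries, plus napasKey.
REQUIRED_ATTRS = ("deviceId", "enable3DSecure", "apiOperation", "orderId",
                  "channel", "dataKey", "napasKey")


def render_widget(action, attrs):
    """Return the form + widget markup, or raise ValueError on a rule violation."""
    url = urlsplit(action)
    if url.scheme != "https" or not url.netloc:
        raise ValueError("action must be an absolute https:// URL")
    unknown = set(attrs) - set(ALLOWED_ATTRS)
    if unknown:
        # Attribute names are never taken from input: only known names are emitted.
        raise ValueError(f"unexpected attributes: {sorted(unknown)}")
    missing = [name for name in REQUIRED_ATTRS if not attrs.get(name)]
    if missing:
        raise ValueError(f"missing attributes: {missing}")
    if attrs["apiOperation"] not in API_OPERATIONS:
        raise ValueError("apiOperation is not one of the listed operations")
    if len(attrs["orderId"]) > 40:
        raise ValueError("orderId is longer than 40 characters")
    if attrs.get("cardScheme") == "AtmCard" and attrs["enable3DSecure"] != "false":
        raise ValueError("enable3DSecure must be false with AtmCard")

    def esc(value):
        # Escapes & < > " ' so a value cannot close the attribute or the tag.
        return html.escape(str(value), quote=True)

    lines = [
        f'<form id="merchant-form" action="{esc(action)}" method="POST"></form>',
        '<div id="napas-widget-container"></div>',
        '<script',
        '  type="text/javascript"',
        '  id="napas-widget-script"',
        f'  src="{WIDGET_JS}"',
    ]
    lines += [f'  {name}="{esc(attrs[name])}"' for name in ALLOWED_ATTRS if name in attrs]
    lines += ['>', '</script>']
    return "\n".join(lines)


# Constructed sample: identifiers follow the page's sample, keys are placeholders.
SAMPLE_ATTRS = {
    "merchantId": "APITEST", "clientIP": "192.168.1.1", "deviceId": "ID_12345678",
    "environment": "WebApp", "cardScheme": "AtmCard", "enable3DSecure": "false",
    "apiOperation": "PURCHASE_OTP", "orderId": "ORD_841015", "channel": "7399",
    "sourceOfFundsType": "CARD", "dataKey": "DATAKEY_PLACEHOLDER",
    "napasKey": "NAPASKEY_PLACEHOLDER",
}

if __name__ == "__main__":
    print(render_widget("https://web.merchant.com/result-page", SAMPLE_ATTRS))
```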
4.4 Retrieve Order transaction
The partner uses the following information to integrate with the Napas system:
Fields detail
Field name Field type Request Message Response Message Description
apiOperation O R RETRIEVE: Request to retrieve the details of a transaction
authorizationResponse Authorization response data group.
Information on fields returned by some acquirers for an authorization or pay
transaction.
authorizationResponse.cardSecurityCodeError Data can consist of any characters C CSC Incorrect Indicator.
An indicator, provided by the Issuer in the authorization response, to identify the presence of an invalid card security code (CSC). If there is an error, the Issuer will respond with the 1-byte CSC Error Code (Y).
authorizationResponse.commercialCard Data can consist of any characters C Indicates if the card used is a commercial card
authorizationResponse.commercialCardIndicator Data can consist of any characters C Indicates the type of commercial card as returned by the card issuer
authorizationResponse.date Data can consist of any characters C The local date, in MMDD format, on which the transaction occurred.
authorizationResponse.financialNetworkDate Data must comply with ISO 8601 extended date format, yyyy-mm-dd C The date for the Authorization as returned by the financial network.
For transactions processed via the MasterCard Network this is the MasterCard Network Reference Date.
authorizationResponse.processingCode Data can consist of any characters C Identifies the type of Card Transaction sent to Card Acceptor.
authorizationResponse.responseCode Data can consist of any characters C The response code which indicates the status of the transaction
authorizationResponse.responseMessage Data can consist of any characters C Textual description of the acquirer response code for displaying on terminals
authorizationResponse.returnAci Data can consist of any characters C The ACI (Authorization Characteristics Indicator) returned by the issuer
authorizationResponse.stan Data can consist of any characters C The System Trace Audit Number is assigned by a transaction originator to assist in identifying a Card Transaction.
The trace number remains unchanged for the life of the Card Transaction.
authorizationResponse.time Data can consist of any characters C The local time, in HHMMSS format, during which the transaction occurred
authorizationResponse.transactionIdentifier Data can consist of any characters C The unique identifier for the transaction returned by the issuer
authorizationResponse.validationCode Data can consist of any characters C The validation code returned by the issuer.
This value must be stored to be sent with the capture transaction.
correlationId Data can consist of any characters O C A transient identifier for the request, that can be used to match the response to the request
The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request
customer Customer data group.
Information associated with the customer's source of transaction
customer.email Ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses C The email address of the customer.
The field format restriction ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses.
customer.firstName Data can consist of any characters C The payer's first name
customer.lastName Data can consist of any characters C The payer's last or surname
customer.mobilePhone Data can consist of any characters C The contact person's mobile phone or cell phone number.
customer.phone Data can consist of any characters C The phone number of the person to whom the order is being billed
device Device information data group.
Information associated with the device's source of transaction.
device.ipAddress Data can consist of any characters C The IP address of the computer used by the customer, in nnn.nnn.nnn.nnn format
merchantId R Id of merchant
order Order data group.
Information about the order associated with this transaction
order.amount Data is a string that consists of the characters 0-9 and '.' and represents a valid decimal number R The total amount for the order.
order.creationTime An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ" R The timestamp indicating the time the gateway considers the order to have been created
order.reference Data can consist of any characters C The identifier of the order.
For example, a shopping cart number, an order number, or an invoice number.
order.currency Data must consist of the characters A-Z R The currency of the order expressed as an ISO 4217 alpha code, e.g. USD
order.id Data can consist of any characters R A unique identifier for this order to distinguish it from any other order you create.
Use this identifier when referring to this order in subsequent transactions and in retrieval operations.
This value must be unique for every order created by your merchant profile.
order.totalAuthorizedAmount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted R The amount that has been successfully authorized for this order.
Max value: 1000000000000
Min value: 0
maximum post-decimal digits: 3
order.totalCapturedAmount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted R The amount that has been successfully captured for this order
Max value: 1000000000000
Min value: 0
maximum post-decimal digits: 3
order.totalRefundedAmount R The amount that has been successfully refunded for this order
Max value: 1000000000000
Min value: 0
maximum post-decimal digits: 3
response Response data group
response.acquirerCode Data consists of ASCII characters C Value as generated by the acquirer that summarizes the success or otherwise of the proposed operation
response.acquirerMessage Data consists of ASCII characters C The response from the acquirer in the text form.
This field is used in addition to response.acquirerCode for some acquirers where additional information needs to be communicated. For example, contact details to allow the merchant to contact the issuer directly to seek authorisation for the transaction.
MATCH: Valid or matched.
NOT_PRESENT: Merchant indicated CSC not present on card.
NOT_PROCESSED: Not processed.
NOT_SUPPORTED: Card issuer is not registered and/or certified
NO_MATCH: Invalid or not matched.
response.cardholderVerification Response cardholder verification data group.
response.cardholderVerification.detailedVerification[n] Response cardholder verification detailed verification data group.
Results of the additional verification checks where an acquirer offers advanced cardholder verification and the data has been supplied in the Verify request.
response.cardholderVerification.detailedVerification[n].gatewayCode C The result returned after the specified data type has been verified by the acquirer
Value must be a member of the following list. The values are case sensitive.
MATCHED: Data provided by cardholder matches record held by the cardholder's issuing bank.
NOT_MATCHED: Data provided by cardholder does NOT match record held by the cardholder's issuing bank.
NOT_PROVIDED: Verification could not be performed as data not provided.
NOT_CHECKED: Unable to perform verification checks on data provided.
SERVICE_NOT_SUPPORTED: Service currently not supported by acquirer or merchant
SERVICE_NOT_AVAILABLE_RETRY: Issuer system is unavailable. Retry can be attempted
response.gatewayCode R Summary of the success or otherwise of the proposed operation
Value must be a member of the following list. The values are case sensitive.
APPROVED: Transaction Approved
UNSPECIFIED_FAILURE: Transaction could not be processed
DECLINED: Transaction declined by issuer
TIMED_OUT: Response timed out
EXPIRED_CARD: Transaction declined due to expired card
INSUFFICIENT_FUNDS: Transaction declined due to insufficient funds
ACQUIRER_SYSTEM_ERROR: Acquirer system error occurred processing
the transaction
SYSTEM_ERROR: Internal system error occurred processing the transaction
NOT_SUPPORTED: Transaction type not supported
DECLINED_DO_NOT_CONTACT: Transaction declined - do not contact
issuer
ABORTED: Transaction aborted by payer
BLOCKED: Transaction blocked due to Risk or 3D Secure blocking rules
CANCELLED: Transaction cancelled by payer
DEFERRED_TRANSACTION_RECEIVED: Deferred transaction received and
awaiting processing
REFERRED: Transaction declined - refer to issuer
AUTHENTICATION_FAILED: 3D Secure authentication failed
INVALID_CSC: Invalid card security code
LOCK_FAILURE: Order locked - another transaction is in progress for this
order
SUBMITTED: Transaction submitted - response has not yet been received
NOT_ENROLLED_3D_SECURE: Card holder is not enrolled in 3D Secure
PENDING: Transaction is pending
EXCEEDED_RETRY_LIMIT: Transaction retry limit exceeded
DUPLICATE_BATCH: Transaction declined due to duplicate batch
DECLINED_AVS: Transaction declined due to address verification
DECLINED_CSC: Transaction declined due to card security code
DECLINED_AVS_CSC: Transaction declined due to address verification and
card security code
DECLINED_PAYMENT_PLAN: Transaction declined due to payment plan
APPROVED_PENDING_SETTLEMENT: Transaction Approved - pending
batch settlement
PARTIALLY_APPROVED: The transaction was approved for a lesser amount
than requested. The approved amount is returned in
order.totalAuthorizedAmount.
UNKNOWN: Response unknown
result R A system-generated high level overall result of the operation
Value must be a member of the following list. The values are case sensitive.
SUCCESS: The operation was successfully processed
PENDING: The operation is currently in progress or pending processing
FAILURE: The operation was declined or rejected by the gateway, acquirer or
issuer
UNKNOWN: The result of the operation is unknown
ERROR: The operation was rejected during validation
sourceOfFunds Source of fund data group.
Information about the payment type selected by the payer for this payment and
the source of the funds.
Depending on the payment type the source of the funds can be a debit or credit
card, bank account, or account with a browser payment provider (such as
PayPal).
sourceOfFunds.provided Source of fund provided data group.
Information about the source of funds when it is directly provided (as opposed
to via a token or session).
consist of the
characters 0-9
sourceOfFunds.provided.card.number Data is a string that consists of the characters 0-9 O Credit card number as printed on the card.
sourceOfFunds.provided.card.scheme R The organization that owns a card brand and defines operating regulations for its use.
The card scheme also controls authorization and settlement of card transactions
among issuers and acquirers.
Value must be a member of the following list. The values are case sensitive.
AMEX: American Express
DINERS_CLUB: Diners Club
DISCOVER: Discover
JCB: JCB (Japan Credit Bureau)
MASTERCARD: MasterCard
UATP: UATP (Universal Air Travel Plan)
VISA: Visa
OTHER: The scheme of the card used in the transaction could not be identified.
sourceOfFunds.provided.card.securityCodePresence Data may consist of the characters 0-9, a-z, A-Z C The code used to indicate the existence of the Card Security Code value
sourceOfFunds.provided.card.securityCode Data is a string that consists of the characters 0-9 O Card verification code, as printed on the back or front of the card
sourceOfFunds.token Data may consist of the characters 0-9, a-z, A-Z C Uniquely identifies a card and associated details
sourceOfFunds.type C The payment method your payer has chosen for this payment.
Value must be a member of the following list. The values are case sensitive.
CARD: The payer selected to pay using a credit or debit card. The payer's card
details must be provided.
When a token is used, send this parameter with the value CARD.
timeOfRecord An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ" C Transaction Date.
The date when the transaction happened. The time the gateway considers the operation to have occurred. The gateway uses timeOfRecord as a point-in-time value for operations such as sorting, billing, and reporting.
transaction Transaction data group.
Information about this transaction.
transaction.acquirer Acquirer data group.
Information about this transaction
transaction.acquirer.id Data can consist of any characters R The ID for the acquirer used to process the transaction
transaction.acquirer.merchantId Data can consist of any characters C The Acquirer Merchant Identifier (also known as Card Acceptor Identification Code (CAIC)) is an identifier allocated to you by your acquirer.
transaction.acquirer.time Data can consist of any characters C The time the transaction was processed, as returned by the acquirer
Not returned by most acquirers
transaction.acquirer.transactionId Data can consist of any characters C Identifier used by the acquirer to identify the transaction.
This identifier may be used by the acquirer in settlement reports.
transaction.amount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted R The total amount for the transaction
maximum value: 1000000000000
minimum value: 0
maximum post-decimal digits: 3
transaction.authorizationCode Data consists of ASCII characters C Value generated by the issuing bank in response to a proposal to transfer funds
transaction.currency Data must consist of the characters A-Z R The currency of the transaction expressed as an ISO 4217 alpha code, e.g. USD
transaction.id Data can consist of any characters R Unique identifier for this transaction to distinguish it from any other transactions on the order
transaction.receipt Data consists of ASCII characters C The Reference Retrieval Number (RRN) is a unique number generated by the acquirer for a specific merchant transaction.
The RRN can be used to retrieve the transaction data from the acquirer.
transaction.reference Data can consist of any characters C An optional identifier for this transaction.
transaction.requestedAmount A sequence of digits 0-9 separated by a '.' as a decimal indicator. Leading and trailing zeroes are optional. If the fractional part is zero, the '.' and following zero(es) can be omitted C If the transaction was partially approved (response.gatewayCode=PARTIALLY_APPROVED), this field contains the originally requested amount.
The transaction amount (transaction.amount) and order amount (order.amount) are both set to the actually approved amount.
maximum value: 1000000000000
minimum value: 0
maximum post-decimal digits: 3
transaction.targetTransactionId Data can consist of any characters C The identifier for the transaction you wish to void or refund.
That is the {transactionId} URL field for REST and the transaction.id field for NVP.
transaction.type R Indicates the type of action performed on the order.
Value must be a member of the following list. The values are case sensitive.
AUTHORIZATION: Authorization
AUTHORIZATION_UPDATE: Authorization Update
BALANCE_ENQUIRY: Balance Enquiry
CAPTURE: Capture
CREDIT_PAYMENT: Credit Payment
ORDER_AGREEMENT: Order Agreement
PRE_AUTHORIZATION: Pre-Authorization
PAYMENT: Payment (Purchase)
REFUND: Refund
VOID_AUTHORIZATION: Void Authorization
VOID_CAPTURE: Void Capture
VOID_CREDIT_PAYMENT: Void Credit Payment
VOID_PAYMENT: Void Payment
VOID_REFUND: Void Refund
VERIFICATION: Verification
REFUND_REQUEST: Refund Request
OTHER: Other transaction types
transaction.otp Data consists of a-z, A-Z, 0-9 characters O One time password, used for local purpose
channel Data consists of 0-9 characters O The system uses MCC clarification from standard industry. Proper values will be sent to merchant.
version Data can consist of any characters C The Web Services API version that you submitted the request in
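A merchant deciding whether to fulfil an order from a Retrieve Order response has to combine several of the fields above: the case-sensitive result and response.gatewayCode values, the amount format rules, and the PARTIALLY_APPROVED behaviour in which transaction.amount and order.amount carry the approved amount. The following is an added example, not code from Napas: it assumes the dotted field names map to nested JSON objects, and the decision names and the grouping of gateway codes into "approved" and "retry later" are policy assumptions. Sample responses are constructed.

```python
import re
from decimal import Decimal

# Values copied from the field tables (case sensitive).
RESULTS = {"SUCCESS", "PENDING", "FAILURE", "UNKNOWN", "ERROR"}
# Policy assumptions: which gateway codes count as paid or as "not final yet".
APPROVED_CODES = {"APPROVED", "APPROVED_PENDING_SETTLEMENT"}
RETRY_CODES = {"SUBMITTED", "PENDING", "TIMED_OUT", "UNKNOWN",
               "DEFERRED_TRANSACTION_RECEIVED", "LOCK_FAILURE"}

# Digits with an optional '.', at most 3 post-decimal digits, leading zero optional.
AMOUNT_RE = re.compile(r"(?:[0-9]+(?:\.[0-9]{0,3})?|\.[0-9]{1,3})")
MAX_AMOUNT = Decimal("1000000000000")


def parse_amount(text):
    """Parse an amount string per the table's format rules, or raise ValueError."""
    if not isinstance(text, str) or not AMOUNT_RE.fullmatch(text):
        raise ValueError(f"malformed amount: {text!r}")
    value = Decimal(text)
    if value > MAX_AMOUNT:
        raise ValueError(f"amount out of range: {text!r}")
    return value


def get(doc, dotted):
    """Fetch a dotted field name such as 'order.amount' from nested JSON."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_payment(resp, order_id, amount, currency):
    """Return (decision, reason); decision is FULFIL, HOLD, REVIEW or REJECT."""
    result = get(resp, "result")
    code = get(resp, "response.gatewayCode")
    if result not in RESULTS:  # also catches wrong case, e.g. "success"
        return "REJECT", f"unexpected result {result!r}"
    if result in ("PENDING", "UNKNOWN") or code in RETRY_CODES:
        return "HOLD", f"not final: result={result} gatewayCode={code}"
    if result != "SUCCESS":
        return "REJECT", f"result={result} gatewayCode={code}"
    if get(resp, "order.id") != order_id:
        return "REJECT", "order.id does not match the order being paid"
    for name in ("order.currency", "transaction.currency"):
        if get(resp, name) != currency:
            return "REJECT", f"{name} is not {currency}"
    try:
        expected = parse_amount(amount)
        paid = parse_amount(get(resp, "transaction.amount"))
        order_total = parse_amount(get(resp, "order.amount"))
    except ValueError as exc:
        return "REJECT", str(exc)
    if code == "PARTIALLY_APPROVED":
        requested = get(resp, "transaction.requestedAmount")
        return "REVIEW", f"approved {paid} of requested {requested}"
    if code not in APPROVED_CODES:
        return "REJECT", f"gatewayCode={code}"
    if paid != expected or order_total != expected:
        return "REJECT", f"amount mismatch: expected {expected}, got {paid}/{order_total}"
    return "FULFIL", "approved for the full amount"


def _sample(result, code, amount, requested=None):
    """Build a constructed response; not captured gateway output."""
    txn = {"amount": amount, "currency": "VND", "type": "PAYMENT"}
    if requested is not None:
        txn["requestedAmount"] = requested
    return {"result": result, "response": {"gatewayCode": code},
            "order": {"id": "ORD_841015", "amount": amount, "currency": "VND"},
            "transaction": txn}


APPROVED = _sample("SUCCESS", "APPROVED", "150000.000")
PARTIAL = _sample("SUCCESS", "PARTIALLY_APPROVED", "100000", requested="150000")
IN_FLIGHT = _sample("PENDING", "SUBMITTED", "150000")

if __name__ == "__main__":
    for name, resp in (("approved", APPROVED), ("partial", PARTIAL),
                       ("in flight", IN_FLIGHT)):
        print(name, check_payment(resp, "ORD_841015", "150000", "VND"))
```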
4.5 Delete Token transaction
The partner uses the following information to integrate with the Napas system:
URL https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/token/{token}
HTTP Method DELETE
Content-Type Application/json
Authentication This operation requires authentication via the following method:
OAuth2 (see section 2.1 “Security Access Control”).
Fields detail
Field name Field type Request Message Response Message Description
apiOperation O R DELETE_TOKEN
merchantId Data may consist of the characters 0-9, a-z, A- O O Id of merchant
token Data may consist of the characters 0-9, a-z, A-Z O O Uniquely identifies a card and associated details
result R A system-generated high level overall result of the operation
Value must be a member of the following list. The values are case sensitive.
SUCCESS: The operation was successfully processed
PENDING: The operation is currently in progress or pending processing
FAILURE: The operation was declined or rejected by the gateway, acquirer or
issuer
UNKNOWN: The result of the operation is unknown
ERROR: The operation was rejected during validation
4.6 Create QR transaction
The partner uses the following information to integrate with the Napas system:
URL https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/order/{orderId}/createqr
HTTP Method PUT
Content-Type Application/json
Authentication This operation requires authentication via the following method:
OAuth2 (see section 2.1 “Security Access Control”).
Fields detail
Field name Field type Request Message Response Message Description
apiOperation R R CREATE_QR: request to create a QRCode string that includes all the order
information, which can be scanned with a QRCode scanner to make payment.
merchantId R Id of merchant
order Order data group.
Information about the order associated with this transaction
order.amount Data is a string that consists of the characters 0-9 and '.' and represents a valid decimal number R R The total amount for the order.
order.creationTime An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ" R The timestamp indicating the time the gateway considers the order to have been created
order.reference Data can consist of any characters R R The identifier of the order.
For example, a shopping cart number, an order number, or an invoice number.
For CASHIN transactions, this parameter is required and the value must start with the “CASHIN” prefix
order.currency Data must consist of the characters A-Z R R The currency of the order expressed as an ISO 4217 alpha code, e.g. USD
order.id Data can consist of any characters C A unique identifier for this order to distinguish it from any other order you create.
Use this identifier when referring to this order in subsequent transactions and in retrieval operations.
This value must be unique for every order created by your merchant profile.
response Response data group
response.acquirerCode Data consists of ASCII characters C Value as generated by the acquirer that summarizes the success or otherwise of the proposed operation
response.acquirerMessage Data consists of ASCII characters C The response from the acquirer in the text form.
This field is used in addition to response.acquirerCode for some acquirers where additional information needs to be communicated. For example, contact details to allow the merchant to contact the issuer directly to seek authorisation for the transaction.
4.7 Error parameters
In case of an error in validation of the request, the following fields will be sent back to the partner:
Field name Field type Response Message Description
error.cause R Broadly categorizes the cause of the error.
For example, errors may occur due to invalid requests or internal system failures.
Value must be a member of the following list. The values are case sensitive.
REQUEST_REJECTED: The request was rejected due to security reasons such as
firewall rules, expired certificate, etc.
INVALID_REQUEST: The request was rejected because it did not conform to the API
protocol.
SERVER_FAILED: There was an internal system failure.
SERVER_BUSY: The server did not have enough resources to process the request at the
moment.
error.explanation Data may consist of the characters O Textual description of the error based on the cause.
This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.
error.field Data may consist of the characters O Indicates the name of the field that failed validation
This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.
error.supportCode O Indicates the code that helps the support team to quickly identify the exact cause of the
error.
This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.
error.validationType O Indicates the type of field validation error.
This field is returned only if the cause is INVALID_REQUEST and a field level
validation error was encountered.
Value must be a member of the following list. The values are case sensitive.
INVALID: The request contained a field with a value that did not pass validation.
MISSING: The request was missing a mandatory field.
UNSUPPORTED: The request contained a field that is unsupported.
result A system-generated high level overall result of the operation.
Value must be a member of the following list. The values are case sensitive.
ERROR: The operation resulted in an error and hence cannot be processed.
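The conditional rules in the error table can be checked mechanically on the partner side before an error body is trusted or logged. The following Python code is an added example, not part of the Napas specification; it assumes the dotted field names map to nested JSON objects, and the function name check_error_response and the sample responses are constructed for illustration.

```python
# Added example (not from the specification). Assumption: "error.cause" is
# carried as body["error"]["cause"] in the JSON response.
import json

CAUSES = {"REQUEST_REJECTED", "INVALID_REQUEST", "SERVER_FAILED", "SERVER_BUSY"}
VALIDATION_TYPES = {"INVALID", "MISSING", "UNSUPPORTED"}
# Optional field -> causes for which section 4.7 says the field is returned.
ALLOWED_WITH = {
    "explanation": {"INVALID_REQUEST", "SERVER_BUSY"},
    "field": {"INVALID_REQUEST"},
    "validationType": {"INVALID_REQUEST"},
    "supportCode": {"SERVER_FAILED", "REQUEST_REJECTED"},
}

# Constructed sample responses (not captured from the gateway).
GOOD = '{"result":"ERROR","error":{"cause":"INVALID_REQUEST","field":"order.amount","validationType":"MISSING","explanation":"Missing parameter"}}'
BAD = '{"result":"error","error":{"cause":"server_busy","supportCode":"ABC123"}}'

def _member(value, allowed):
    # Exact, case-sensitive membership; non-string JSON values never match.
    return isinstance(value, str) and value in allowed

def check_error_response(raw):
    """Return the list of deviations from section 4.7; empty means conformant."""
    try:
        body = json.loads(raw)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    problems = []
    if body.get("result") != "ERROR":
        problems.append("result is not ERROR")
    error = body.get("error")
    if not isinstance(error, dict):
        return problems + ["error group missing"]
    cause = error.get("cause")
    if not _member(cause, CAUSES):  # error.cause is mandatory (R)
        problems.append("error.cause missing or not in the allowed list")
        cause = None  # skip cause-dependent checks below
    for name, causes in ALLOWED_WITH.items():
        if cause and name in error and cause not in causes:
            problems.append("error.%s not expected for cause %s" % (name, cause))
    if "validationType" in error and not _member(error["validationType"], VALIDATION_TYPES):
        problems.append("error.validationType not in the allowed list")
    for name in error:
        if name != "cause" and name not in ALLOWED_WITH:
            problems.append("unknown field error.%s" % name)
    return problems
```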
4.8 Retrieve Token transaction
Partners use the following information to integrate with the Napas system:
URL: https://developer.napas.com.vn/api/rest/version/1/merchant/{merchantId}/orderID/{orderId}/getToken
HTTP Method: GET
Content-Type: Application/json
Authentication: This operation requires authentication via the following method: OAuth2 (see section 2.1 “Security Access Control”).
Fields detail
Field name    Field type    Request Message    Response Message    Description
merchantId    C
    Id of merchant
result    R
    A system-generated high level overall result of the operation
    Value must be a member of the following list. The values are case sensitive.
        SUCCESS: The operation was successfully processed
        PENDING: The operation is currently in progress or pending processing
        FAILURE: The operation was declined or rejected by the gateway, acquirer or issuer
        UNKNOWN: The result of the operation is unknown
        ERROR: The operation was rejected during validation
token    Data may consist of the characters 0-9, a-z, A-Z    C
    Uniquely identifies a card and associated details
domestic    String    C
    1: token attached with domestic card details.
    0: token attached with branded card details.
orderId    String    C
    OrderId from request message
status    String    C
    VALID: token is usable for payment
    INVALID: token cannot be used for payment
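A partner that consumes this response should release the token for payment only when every field agrees with the table above. The following Python code is an added example, not part of the Napas specification; it assumes the fields arrive as top-level keys of one JSON object, and the names usable_token and TokenResponseError and the sample bodies are constructed for illustration.

```python
# Added example (not from the specification). Assumption: the Retrieve Token
# response is a flat JSON object keyed by the field names in section 4.8.
import json
import re

RESULTS = {"SUCCESS", "PENDING", "FAILURE", "UNKNOWN", "ERROR"}
TOKEN_RE = re.compile(r"[0-9a-zA-Z]+")  # "characters 0-9, a-z, A-Z"

# Constructed sample bodies (not captured from the gateway).
SAMPLE_OK = '{"result":"SUCCESS","token":"9704aB12cD34","domestic":"1","orderId":"ORD_1001","status":"VALID"}'
SAMPLE_REVOKED = '{"result":"SUCCESS","token":"9704aB12cD34","domestic":"1","orderId":"ORD_1001","status":"INVALID"}'
SAMPLE_BADCASE = '{"result":"success","token":"9704aB12cD34","domestic":"1","orderId":"ORD_1001","status":"VALID"}'

class TokenResponseError(ValueError):
    """The response contradicts the section 4.8 field table."""

def usable_token(raw, expected_order_id):
    """Return (token, is_domestic) for SUCCESS + VALID, None if not usable."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise TokenResponseError("response is not a JSON object")
    result = body.get("result")
    if not isinstance(result, str) or result not in RESULTS:  # R, exact case
        raise TokenResponseError("result missing or not in the allowed list")
    if result != "SUCCESS":
        return None  # PENDING, FAILURE, UNKNOWN, ERROR: do not use any token
    # Bind the response to the order that was asked about.
    if body.get("orderId") != expected_order_id:
        raise TokenResponseError("orderId does not match the request")
    status = body.get("status")
    if status not in ("VALID", "INVALID"):
        raise TokenResponseError("status not in the allowed list")
    if status == "INVALID":
        return None
    token = body.get("token")
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        raise TokenResponseError("token missing or has unexpected characters")
    domestic = body.get("domestic")
    if domestic not in ("0", "1"):
        raise TokenResponseError("domestic must be '0' or '1'")
    return token, domestic == "1"
```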
5 Response Code
5.1 International Card Process
result response.gatewayCode / error.cause Description
CUSTOMER_CANCELLED Customer cancelled the payment
INELIGIBLE Card is not eligible to make payment
TRANSACTION_BELOW_LIMIT Transaction value does not meet minimum limit set by bank
TRANSACTION_OUT_OF_LIMIT_PG Transaction value is out of limit range set by the Payment gateway
INVALID_REQUEST Invalid request
6 Appendix A: Napas Hosted Form Screenshots
6.1 Create Token transaction with Credit card
6.2 Pay / Pay with returned Token transaction with ATM card and QRCode
7 Appendix B: Transaction flow
7.1 Pay with 3DSecure transaction flow
The following figure shows the flow of the Pay with 3DSecure transaction:
8 Appendix C: Required Information for Purchase Account
The following parameters in sourceOfFunds.provided.account are required for the Purchase Account API, depending on the issuer:
No.  Issuer          issuerCode  accountName  accountNumber  identificationNumber  phoneNumber  ibUsername  email  taxCode  hardToken  customerCode
1    Smartlink Card  SML         R            R              R                     O            O           O      O        O          O
2    PVComBank       PVCB        R            R              R                     O            O           O      O        O          O
3    MB Bank         MB          R            R              R                     O            O           O      O        O          O
4    TPB             TPB         R            R              O                     O            O           O      O        O          O