Sagepay-DIRECT Protocol and Integration Guidelines
Sagepay-DIRECT Protocol and Integration Guidelines
Document Index
The Sage Pay Payment system provides a secure, simple means of authorising
credit and debit card transactions from your website.
Direct is designed to enable you to take card details on your own secure servers
and pass them across to us for authorisation and secure storage in a server-to-
server session that does not involve redirecting the customer to the Sage Pay
pages. This enables you to white-label the payment process. Your customer never
leaves your site (unless you are using PayPal or the 3D-Secure authentication
processes) and they do not necessarily know that Sage Pay is authorising the
transaction on your behalf (although in practice many merchants choose to tell
their customers in case they have concerns about card number security).
To use Direct you will need a 128-bit SSL certificate to secure your payment pages.
These can be obtained from a number of sources, including VeriSign. You will also
need to be able to make HTTPS POSTs from scripts on your server (using
something like OpenSSL on Linux platforms, or the WinHTTP object in Win32). If
you are hosting with a third party company we recommend you talk to them about
these requirements before committing to use Direct. If you cannot install a
certificate for your payment pages, we would recommend using the Sage Pay
Server solution instead. If you cannot perform HTTPS POSTs from your scripts, we
would recommend Sage Pay Form.
If you wish to support Verified by Visa and MasterCard SecureCode (the cardholder
authentication systems collectively known as 3D-Secure), Direct provides a wrapper
for these systems, removing the need for you to purchase and support your own
Merchant Plug-In. All the messages will be created for you, and you’ll simply need
to redirect your customer to their issuing bank, then send on the results of their
3D-Authentication back to Direct to complete the payment process. Just like non
3D-Secure Direct transactions, the customer is never directed to Sage Pay. They
leave your site to authenticate with their bank, then return to your site when they
have finished.
This document explains how your Web servers communicate with Direct, goes on to
explain how to integrate with our testing and live environments. It also contains
the complete Payment Protocol in the Appendix.
NOTE: Since card details will be collected via your site, you will be obliged to
comply with the Payment Card Industry Data Security Standard (PCI-DSS). We
have been working with our own data security partner, Trustwave, to set up a
program for Sage Pay customers to make PCI DSS compliance easy and cost
effective. For further information please visit the link below:
http://www.sagepay.co.uk/partners_trustwave.asp
Page 1 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Direct payment requests are very simple. The interaction with your customer is
entirely yours. The customer will select items or services to purchase and fill up a
shopping basket. When they are ready to pay, you will first collect their name,
billing and delivery address, contact details (telephone number, e-mail address and
so forth) and perhaps allow them to sign up for quicker purchases in future. You
will total the contents of the basket and summarise its contents for them before
asking them to continue.
Your scripts should then store everything about the transaction and customer in
your database for future reference. You will not need to store any card details
because Sage Pay will hold those securely for you.
You will then present your customers with a payment page, secured with your 128-
bit SSL certificate. This page will ask the customer for:
This page is submitted to a script on your server that retrieves and pre-validates
those values (checking all fields are present, expiry dates are not in the past, the
card number field only contains numbers etc.) before constructing an HTTPS POST
containing your own unique reference to the transaction, the VendorTxCode (which
should be stored alongside the order details in your database) and the correctly
formatted data from your form. This HTTPS POST is sent to the Sage Pay Direct
gateway.
Sage Pay validates the data sent to us, checking that it has come from a valid
source and that all required information is present, before creating a transaction in
our database to securely hold all the data passed to us, contacting the bank for
authorisation and replying to you, in real-time, in the response part of the same
HTTPS POST. In practice this takes about 2-3 seconds to complete.
The same script on your server that initiated the POST simply reads the Response
from that POST to determine whether the transaction was authorised or not. It
then updates your database with transaction reference values and the authorisation
code (where appropriate) before displaying either a completion page to your
customer, or an error page explaining why the payment was not accepted.
Page 2 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Your own database will contain all the necessary information about the transaction,
the basket contents and the customer, but you will NOT need to store the card
details because the transaction IDs passed to you by the Direct system will enable
you to perform all other actions against that card (refunds, additional payments,
cancellations and so on). This allows you to be certain that even if your server is
compromised, no card details can be gleaned from your database.
The following sections explain the integration process in more detail. The Direct
Payment protocol is attached in the appendix, providing a detailed breakdown of
the contents of the HTTPS message sent between your servers and ours during a
payment.
A companion document, “Server and Direct Shared Protocols”, gives details of how
to perform other transaction-related POSTs, such as Refunds, Repeat payments and
the Release/Abort mechanisms for Deferred transactions.
Direct payments with 3D-Authentication are a little more complicated because your
customer has to be forwarded to their card issuer to authenticate themselves
BEFORE a card authorisation can occur. You must have 3D-Secure active on your
account before you can process this type of transaction. Contact
support@sagepay.com for more information about setting this up (although all new
accounts are set up with 3D-secure by default. Most likely you’ll just need to
enable it in your MySagePay area. See later)
If the card or the issuer is NOT part of the scheme, Direct checks your 3D-Secure
rule base (which you can modify in our My Sage Pay screens) to determine if you
wish to proceed with the authorisation in such circumstances. If the card or the
issuer is not part of the scheme and your rule base allows authorisation to proceed,
the card details are sent to the acquiring bank and the results of that process
returned to your site in the Response object of your POST (just like a non-3D-
authenticated Direct transaction, but with an additional 3DSecureStatus field
informing you about the results of the card lookup).
If authorisation cannot proceed because your rules do not allow it, a REJECTED
message is sent back in the Response object of your POST, outlining the reason for
the transaction rejection.
Page 3 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If, however, the card AND issuer are part of the 3D-Secure scheme, Direct does not
attempt to obtain an authorisation from your acquiring bank. Instead it formats
and encrypts a 3D-Secure request message called a PaReq and replies to your
Direct POST in the Response object with this message, a unique transaction code
called the MD, and the URL of the 3D-Secure authentication pages at the
cardholder’s Issuing Bank (in a field called ACSURL). You can store the MD value if
you wish to, but the ACSURL and PAReq values should NEVER be stored in your
database.
Your server creates a simple, automatically-submitted HTML form that POSTs the
user, the MD and the PaReq fields across to the ACSURL, along with an additional
field called the TermURL which points to a page on your site to which the bank will
return the customer when they have been authenticated.
From the user’s perspective, they will have entered their card details on your
payment page, clicked submit, and will find themselves transferred to their card
issuer to validate their 3D-Secure credentials.
Once the user has completed their 3D-authentication, their Issuing Bank will
redirect the customer back to a script on your site pointed to by the TermURL. The
user returns to your site along with the MD of the transaction and the results of
their authentication in an encrypted field called the PaRes. Like before, Direct
takes care of decrypting and decoding this information for you, so your TermURL
page simply needs to format a server side HTTPS POST containing the MD and the
PaRes fields (all correctly URL Encoded) and send it to Direct. You do not need to
store the MD or PaRes fields in your database.
If Direct examines your PaRes and finds that authentication was NOT successful, it
again checks your 3D-Secure rule base to determine if you wish to proceed. Like
the original Transaction Registration POST, if you wish to obtain authorisations for
non-3D-authenticated transactions, Direct requests an authorisation from your
acquiring bank and replies as normal; if not, Direct returns a REJECTED message
and does not obtain an authorisation.
Your Terminal URL should update your database with the results of the
authorisation (or lack thereof) and display a completion page to your customer.
Page 4 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Sage Pay has integrated with PayPal Express Checkout, giving you the opportunity
to add PayPal as a payment option on your payment pages.
This facility is available to merchants who are a certified PayPal Business Account
holder. If you do not already have a PayPal Business Account, you can apply for a
PayPal Account by visiting the PayPal website:
https://www.paypal.com/uk/cgi-
bin/webscr?cmd=xpt/Marketing/general/ProtxSignUp-outside
To support PayPal Express Checkout in Direct involves a little more integration work
at your site, but nothing more complex than is currently required for 3D-
Authetication.
There is an initial server-to-server POST with Sage Pay, then a redirection to the
PayPal logon URL. After that, there is a call back to your servers from Sage Pay,
and an additional server-to-server POST to confirm the transaction and complete
the process.
The Direct PayPal transaction process is detailed in the Direct PayPal Payments
section later in this document.
Page 5 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
A payment begins with the customer ordering goods or services from your site.
This process can be as simple as selecting an item from a drop down list, or can
involve a large shopping basket containing multiple items with discounts and
delivery charges. Your interaction with your customer is entirely up to you and the
Direct system puts no requirement on you to collect any specific set of information
at this stage.
You then present a 128-bit SSL secured payment page into which the customer can
enter their card and billing address details. This page should contain the following
fields.
Page 6 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
• The Card Holder’s Billing Address, including the Post Code (if you have not
already asked for it and stored it in your database).
If you wish to provide list boxes for Start and Expiry Dates, please be aware that
Visa now issue cards valid for up to 20 years.
Once the customer has decided to proceed, a script on your web server will
construct a payment registration message (see Appendix A1) and POST it via
HTTPS to the Direct payment URL.
This POST contains your Vendor Name (chosen by you on the Sage Pay online
application form, or assigned to you by Sage Pay when your account is created)
and your own unique reference to this payment (in a field called VendorTxCode,
which you must ensure is a completely unique value for each transaction).
The message also contains the total value and currency of the payment, and billing
and delivery address details for the customer. You can specify a brief description of
the goods bought to appear in your reports, plus the entire basket contents if you
wish. The card details themselves are passed in dedicated fields whose format can
be found in Appendix A1. You can also pass, contact numbers and e-mail
addresses, flags to bypass or force fraud checking for this transaction and 3D-
Secure reference numbers and IDs where such checks have been carried out.
Because this message is POSTed directly from your servers to ours across a 128-bit
encrypted session, no sensitive information is passed via the customer’s browser,
and anyone who attempted to intercept the message would not be able to read it.
Using Direct you can be assured that the information you send us cannot be
tampered with or understood by anyone other than us. Your script sends the
payment registration message in the Request object of the HTTPS POST and the
response from Direct (see steps 4 and 9 below) is in the Response object of the
same POST.
Page 7 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
It first checks to ensure all the required fields are present, and that their format is
correct. If any are not present a reply with a Status of MALFORMED is generated,
with the StatusDetail field containing a human readable error message stating
which field is missing. This normally only happens during development stage whilst
you are refining your integration.
If all fields are present, the information in those fields is then validated. The
Vendor name is checked against a pre-registered set of IP addresses, so that Direct
can ensure the POST came from a recognised source. The currency of the
transaction is validated against those accepted by your merchant accounts. The
VendorTxCode is checked to ensure it has not been used before. The amount field
is validated. Flag fields are checked, in fact, every field is checked to ensure you
have passed the correct types of value. If any of the information does not check
out, a reply with a Status of INVALID is returned, again with a human readable
error message in StatusDetail explaining what was invalid.
If you receive either a MALFORMED or INVALID message you should use the
detailed response in the StatusDetail error message to help debug your scripts. If
you receive these messages on your live environment, you should inform your
customer that there has been a problem registering their transaction, then flag an
error in your back-office systems to help you debug. You can e-mail the Sage Pay
Support team (support@sagepay.com) for help with your debugging issues.
When your transaction is registered with the Direct system, a new transaction code
is generated that is unique across ALL vendors using the Sage Pay systems, not
just unique to you. This code, the VPSTxId, is our unique reference to the
transaction and is returned to you in the response part of the POST after we’ve
requested authorisation for you. This reference, whilst not the most easily
remembered number, will allow us to immediately find your transaction if you have
a query about it.
If your Sage Pay account is not set up with 3D-Secure or 3D-Authentication is not
active for this Direct transaction, the next step is for the system to obtain an
authorisation, so skip ahead to step 8. If, however, 3D-Secure is active on your
account, continue at step 3.
Page 8 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Direct sends the card details provided in your post to the Sage Pay 3D-Secure
Merchant Plug-In (MPI). This formats a verification request called a VeReq, which
is sent to the 3D-Secure directory servers to query whether the card and card
issuer are part of the 3D-Secure scheme.
The servers send a verification response, VERes, back to the MPI where it is
decoded and Direct informed of the inclusion or exclusion of the card.
If the card or the issuer is not part of the scheme, or if an MPI error occurs, our
server will check your 3D-Secure rule base to determine if authorisation should
occur. For information regarding 3D Secure rule bases please refer to the Sage Pay
Fraud Prevention Advice Guides, which can be downloaded from our Support
website: http://www.sagepay.com/developers.asp. By default you will not have a
rule base established and transactions that cannot be 3D-authenticated will still be
forwarded to your acquiring bank for authorisation.
If your rulebase rejects the transaction due to your criteria not being reached,
Direct replies with a Status of REJECTED and a StatusDetail indicating why. The
3DSecureStatus field will contain the results of the 3D-Secure lookup. REJECTED
transactions will never be authorised and the customer’s card never charged, so
your code should redirect your customer to an order failure page, explaining why
the transaction was aborted.
If the card and the card issuer are both part of the scheme, Direct continues with
3D-Authentication by replying to your post with a Status of 3DAUTH (see the next
step).
Page 9 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Direct stores all the information from your Transaction Registration POST in the
Sage Pay secure database before replying (see Appendix A3). The Status field will
be set to 3DAUTH with a StatusDetail informing you to redirect your customer to
their Issuing Bank to complete 3D-Authentication.
A field called ACSURL (Access Control Server URL) contains the fully qualified
address of the customer’s card Issuing Bank’s 3D-Secure module, as provided by
the directory service (see step 3 above). The last field is the 3DSecureStatus
field, which will always contain OK for transactions ready for 3D-authentication.
You do not need to store any of these values in your database. You can store the
MD value if you wish, but the ACSURL and PAReq values should NEVER be stored.
These values need only be used in the next step to redirect your customer to their
Issuing Bank and should then be discarded.
The first step of the Direct transaction is now complete. You have registered a 3D-
Secure transaction with Sage Pay, we have stored your payment details and replied
with everything you need to send your customer for 3D-Authentication. The next
parts of the process, steps 5 and 6, are out of our control and rely on a
communication between you, your customer and your customer’s card Issuing Bank.
Page 10 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
response.write "<NOSCRIPT>"
response.write "<center><p>Please click button below to Authenticate your
card</p><input type=""submit"" value=""Go""/></p></center>"
response.write "</NOSCRIPT>"
response.write "</form></body></html>"%>
</IFRAME>
The values in Red are those extracted from the Sage Pay response and built by
your script. If your user has Javascript enabled, they simply redirect to their
Issuing Bank site. If not, they will be presented with the message in the NOSCRIPT
section and need to click it to go to their Issuing Bank.
Page 11 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
At this stage the customer has left your site, and you must wait for them to be sent
back to you by the Issuing Bank. NOTE: You can either redirect the customer’s
entire browser page to their Issuing Bank ACSURL, or more commonly, use an
inline frame to redirect them. Visa recommend using inline frames for continuity of
customer experience, but if you do so, remember to add code to support IFRAME
incapable browsers (as above).
ADDITIONAL NOTE: When you forward the PAReq field to the ACSURL, please
ensure you pass the PAReq value that we send you, in a field called PaReq (note
the lower case “a”). Many ACSURL pages are case sensitive, and will not see the
data if you pass an upper case A. See the example code above for how to submit
the data.
Once complete (either successfully or not), the bank will redirect your customer
back to the page supplied in the TermUrl field you sent in step 5 above.
Along with this redirection, two fields are also sent. The MD value, to uniquely
identify the transaction you are being called back about, and the PARes, the
encrypted and encoded results of your customer’s 3D-authentication.
Like the PAReq value sent to your site by Sage Pay in step 5, you should NOT store
the PARes file in your database. Also, because it is strongly encrypted, only the
Sage Pay MPI can decode this for you, so you should not attempt to modify it or the
authentication process will fail.
At this stage the customer is back on your site and you have completion
information for the 3D-Authentication process. You now need to send those
through to Sage Pay to decode the results and, where appropriate, obtain a card
authorisation from your acquiring bank.
Page 12 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The code in your TermURL call-back page should format a simple HTTPS, server-
side POST, which it sends to the Sage Pay Direct 3D-Callback page.
This POST needs to contain the MD and PARes fields sent back to your site by the
cardholder’s Issuing Bank (suitably URL Encoded for safe transit across the Web).
No other information is necessary because the Sage Pay system can use these
values to retrieve all the transaction information you originally supplied.
If the decoded PARes indicates that the 3D-Authentication was successful, Direct
goes on to obtain an authorisation (see the next step). If not, the system
examines your 3D-Secure rule base to see if authentication should be attempted.
By default 3D-Authentication failures are NOT sent for authorisation, but all other
message types are. Refer to the Sage Pay Rulebase guide for more information
about using 3D-Secure and AVS/CV2 rules.
Transactions not sent for authorisation are returned with a REJECTED status.
ADDITIONAL NOTE: Similarly to the note in Step 5, the encrypted and encoded
results of your customer’s 3D-authentication (the PARes) will be returned to you
from the Issuing bank in a field called PaRes (lower case “a”), but you must forward
this value to Sage Pay in a field called PARes.
Page 13 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The Sage Pay services format a bank specific authorisation message (including any
3D-Secure authentication values where appropriate) and pass it to your merchant
acquirer over the private banking network.
This process happens whilst the script on your server is waiting for a response from
Direct. Depending on the response from the acquirer, Direct prepares either an OK
response with an Authorisation Code, a NOTAUTHED response if the bank declined
the transaction or an ERROR if something has gone wrong (you will very rarely
receive these, since they normally indicate an issue with bank connectivity).
If AVS and CV2 checks are being performed, the results are compared to any rule
bases you have set up (see the Sage Pay Rulebase Guide for more information). If
the bank has authorised the transaction but the card has failed the AVS and/or CV2
rules you have established, Sage Pay immediately reverse the authorisation on the
card and prepare a REJECTED response, returning the reason for the failure in the
AVSCV2 field.
Please note: Some card issuing banks may decline the online reversal
which can leave an authorisation shadow on the card for up to 10 working
days. The transaction will never be settled by Sage Pay and will appear as
a failed transaction in My Sage Pay.
Page 14 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Irrespective of the Status being returned, Direct always replies in the Response
section of the POST that your server sent to us. This will either be in response to
the Transaction Registration POST for non-3D-authenticated transactions, or in the
response to the Terminal URL POST if 3D-Authentication was attempted.
If the transaction was registered successfully, you will always receive the VPSTxId,
the unique transaction reference mentioned above. You will also receive a
SecurityKey, a 10-digit alphanumeric code that is used in digitally signing the
transaction. Whilst not used in the Direct messages, you do need to know this
value if you wish to REFUND the transaction, or perform any other actions on it
using the Sage Pay Direct interface. Therefore this value should be stored
alongside the VPSTxId, the order details and the VendorTxCode, in your
database.
If the transaction was authorised and the Status field contains OK, you will also
receive a field called TxAuthNo. The TxAuthNo field DOES NOT contain the actual
Authorisation Code sent by the bank, because it is not unique (although we do
store this in our system for you), but contains instead a unique reference number
to that authorisation that we call the VPSAuthCode. This is the transaction ID
sent to the bank during settlement (we cannot use your VendorTxCode because it is
too long and might contain unacceptable characters) so the bank will use this value
to refer to your transaction if they need to contact you about it. You should store
this value in your database along with all the other values returned to you.
The TxAuthNo field is ONLY present if the transaction was authorised by the bank.
All other messages are authorisation failures of one type or another (see Appendix
A2 for full details of the fields and errors returned by Direct) and you should inform
your customer that their payment was not accepted.
Having stored the relevant transaction IDs in your database, your payment
processing is now complete.
Page 15 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Once per day, after 2:00am, the Sage Pay system batches all authorised
transactions for each acquirer and creates a bank specific settlement file.
Transactions for ALL merchants who use the same merchant acquirer are included
in this file. Every transaction (excluding PayPal transactions*) that occurred from
00:00:00am until 11:59:59pm on the previous day, is included in the files.
They are uploaded directly to the acquiring banks on a private secure connection.
This process requires no input from you or your site. The contents of these batches
and confirmation of their delivery can be found in the My Sage Pay system.
If the file does not transmit correctly, the system tries a further nine times at 10-
minute intervals. If all 10 attempts fail the transactions for that bank are
rescheduled for inclusion in the following day’s batch instead. Sage Pay monitor
this process each day to ensure the files have been sent, and if not, the support
department correct the problem during the day to ensure the file is sent correctly
that evening (or normally resubmit the file manually the same day to ensure funds
are available to all vendors more expediently).
The acquirers send summary information back to Sage Pay to confirm receipt of the
file, then later more detailed information about rejections or errors. If transactions
are rejected, we correct any errors and resubmit them for you. Your bank will
contact you directly if there are payment related problems with the transactions.
Page 16 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The steps involved in using PayPal with Direct are detailed below and summarised
at the end in a diagram.
1. The customer shops at your site and fills up a shopping basket with items.
2. At the point the customer wishes to check-out, BEFORE they enter any
address or customer details, your site can optionally allow the customer to
select to pay either with PayPal, or another payment process. This is the
“Express Checkout” option and should be presented using the orange logo:
(To download the PayPal images to use on your own site visit:
https://www.paypal.com/express-checkout-buttons)
e.g.
This is optional because you may wish to use PayPal as a different “card
type” rather than an alternative payment method, (for example, if you wish
to collect customer details on your own pages first). This latter option is
described later.
If the customer selects this Express Checkout option, the process jumps
ahead to step 6.
3. Since the customer has not selected Express Checkout (or has not had the
option to do so), your site presents the normal customer detail entry screens,
requesting name, e-mail address, and billing address in the following format:
Page 17 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
4. Once the customer has entered their address details, they select their card
type, as in a normal Direct payment, with the addition of the PayPal Logo.
5. If the customer selects a method other than PayPal, then the normal Direct
process with 3D-authentication continues from this point onwards, as
detailed in the Direct payment process above, i.e. the customer enters the
card number, expiry date, CV2 etc. and the full server-to-server POST is
sent.
If the customer has selected PayPal, either Mark or Express Checkout, the
new process begins at this step.
6. The Direct registration message (see Appendix A1) is sent with the
cardtype field set to PAYPAL (no other card details should be sent). Mark
implementations will also require the full billingnnnnn AND deliverynnnn
sections to be completed as detailed above, but Express Checkouts will leave
these empty. This POST also includes a PayPalCallbackURL field which
points to a script on your site to handle the completion process (explained in
step 11).
8. The PayPal servers respond to Sage Pay with a unique token. The
transaction is updated in the Sage Pay Database to record this token against
the transaction, before returning the Direct response to your servers
(Appendix A6).
10. The customer logs into PayPal and selects their chosen payment method.
For Express Checkouts they will also enter/select their delivery address. For
Mark, this address selection is disabled.
11. Once the shopper confirms their details on the PayPal screens, PayPal
exchange information with Sage Pay, and then Direct builds a response
Page 18 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
message containing the fields listed in Appendix A7. This data is POSTed via
the customer’s browser to the PayPalCallbackURL (which you provided as
part of the original Direct POST Appendix A1). This URL is also the place to
which the customer’s browser is redirected in the event of any errors.
12. Your site can check the information in the message to determine if you wish
to proceed with the transaction. If the AddressStatus is UNCONFIRMED,
and the PayerStatus is UNVERIFIED, for example, you may not wish
continue without PayPal Seller Protection. If you do NOT wish to proceed,
you should build a Direct PayPal Capture message with the Accept field set
to NO (Appendix A8) and POST it to the Direct PayPal Completion URL. You
can then redirect the customer back to select a different payment method at
this stage, and begin the Direct process again.
13. If you DO wish to proceed, you should store the delivery address details in
your database (if they differ from those supplied), then build a Direct PayPal
Capture message with the Accept field set to YES (Appendix A8) and POST
it to the Direct PayPal Completion URL.
14. Direct will validate the POST and, if correct, forward that to PayPal.
15. PayPal will complete the transaction and return the details to Direct. Sage
Pay will update the transaction with the required IDs and build a completion
response.
16. Direct replies to the POST sent to the PayPal Completion URL with the Direct
completion message (Appendix A2).
Page 19 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The diagram below show the message and customer flow for a Direct PayPal
payment (described above).
Page 20 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Linking your Website to Direct involves creating one script (or modifying the
example provided in the integration kits), which both registers the transaction with
our servers and processes the response we send back. If you wish to support 3D-
Secure Authentication, you will also need to create or modify a second script to
handle the call back from the Issuing Bank. If you wish to integrate with PayPal,
additional coding is also required to redirect to a PayPal logon URL. After that,
there is a call back to your servers from Sage Pay, and an additional server-to-
server POST to confirm the transaction and complete the process.
Stage 1
The Simulator system is the starting point for your integration. This user-friendly
expert-system on our test environment analyses the messages your site sends to
us, reports any errors therein, and simulates all possible responses from the real
Direct, 3D-authentication and PayPal systems.
Payment transactions should be sent from your scripts to the following URL:
https://test.sagepay.com/Simulator/VSPDirectGateway.asp
Stage 2
Once your site is able to talk to the Simulator and process all possible outcomes, an
account will be created for you on the Test Server. This is an exact copy of the Live
site but without the banks attached and with a simulated 3D-Secure environment.
Authorisations on the Test Server are only simulated, but the user experience is
identical to Live, and a version of the My Sage Pay pages also run here so you can
familiarise yourself with the features available to you.
The My Sage Pay pages for viewing your Test transactions is at:
https://test.sagepay.com/mysagepay
Transactions from your scripts should be sent to the Test Site Direct at:
https://test.sagepay.com/gateway/service/vspdirect-register.vsp
Page 21 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Stage3
Once you are happily processing end-to-end transactions on the Test Server and we
can see test payments and refunds going through your account, AND you’ve
completed the online Direct Debit signup and your Merchant Account details have
been confirmed, your account will be set up on our Live servers. You then need to
redirect your scripts to send transactions to the Live service, send through a
Payment using your own credit card, then VOID it through the My Sage Pay service
so you don’t charge yourself. If this works successfully, then you are ready to
trade online.
Transactions from your scripts should be sent to the Live Site Direct at:
https://live.sagepay.com/gateway/service/vspdirect-register.vsp
Page 22 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The SAGE PAY Simulator is an expert system that emulates the Direct system and
allows you to develop your site to correctly send and process the messages
exchanged between your site and ours. The Simulator will provide more detailed
feedback of any errors or issues than the real Direct, allowing you to debug and
enhance your code at an earlier stage.
If you wish to test your integration with Sage Pay before you have obtained a
Merchant Account, you can do so free of charge with the Simulator. To register for
a Simulator account, please visit our website:
https://support/apply/requestsimaccount.aspx
If you already have a Test/Live account and would like a Simulator account, contact
our Support Team at support@sagepay.com, stating the Vendor Name of your
account.
Page 23 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
When you log in to the Simulator you will be presented with the main menu screen.
Extensive help is provided in the Simulator (click the context sensitive Help button
on each screen for more details). This document will not cover everything in too
much detail, but outlined in subsequent sections are the important steps you should
take to get your site talking to the Simulator.
Page 24 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Click the Account button in the main menu to open the following screen:
Add and/or correct any entries and click the Update button to save any changes.
Back takes you back to the main menu.
Page 25 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
2: Direct Set up
Click the Direct button in the main menu to open the Direct options page.
This page allows you to define the behaviour of the Simulator when it responds to
your transaction registrations. By default the system will verify your POST to
ensure the contents are correctly formatted and if they are, return a Random
Status, along with all relevant fields (StatusDetail, VPSTxID, SecurityKey and so
on). If your POST is incorrectly formatted or contains bad data, it will respond with
a Status of MALFORMED or INVALID and explain what was wrong in the
StatusDetail field.
This setting is useful in the final stages of testing, but for now you should select
OK/REGISTERED, to force the Simulator to always provide a TxAuthNo if your
data is not MALFORMED or INVALID (or a REGISTERED if your transaction type is
Page 26 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
an AUTHENTICATE). You can switch it back to Random once you are certain your
system can process a successful end-to-end transaction.
You can simulate NOTAUTHED responses from the bank, or REJECTED messages
as if your rule bases were applied. By simulating these messages you can check
your own pages respond to the customer in the correct manner. You can also force
errors, even if the data in the POST is okay. This is useful when testing upgrades
to your scripts and proofing your error handling routines.
For now, select the OK setting, update the details, and log out of the Simulator.
3: Registering a Payment
If you do not plan to implement the protocol entirely on your own, you should
install the most appropriate integration kit or worked example for your platform.
These can be downloaded as part of the application process or obtained from the
http://www.sagepay.com/developers.asp downloads area.
The kits will not quite run out of the box because you have to provide some specific
details about your site in the configuration files before a transaction can occur, but
they will provide end to end examples of registering the transactions and handling
the notification POSTs. Ensure you’ve completed all configuration in the includes
file as detailed in the kit instructions, then locate the Transaction Registration script
(called transactionRegistration).
If you plan to implement 3D-Secure Authentication, the kit also provides a Terminal
URL example page which implements section A3 of the attached protocol.
Check that the payment registration script is sending transactions to the Simulator
(rather than the test or live sites) then execute this script. You may need to
develop a simple payment page that allows you to enter card details and passes
them to this script if this page is not included in your kit. Use the script to send a
payment registration to the Simulator. You may wish to modify the script at this
stage to echo the results of the POST to the screen, or a file, so you can examine
the Status and StatusDetail reply fields to check for errors.
Once your script can successfully register a Payment and you receive a Status of
OK, you should ensure your code stores the VPSTxId, SecurityKey and
TxAuthNo fields alongside your uniquely generated VendorTxCode and the order
details in your own database. You may wish to store the 3DSecureStatus field if
you plan to support 3D-Secure.
Your script should then redirect the customer to a completion page thanking them
for their order.
In the real world, the bank will either authorise the transaction (an OK response) or
fail it (a NOTATUHED response), or Sage Pay may reverse an authorisation if your
fraud screening rules are not met (a REJECTED response). You should log into the
Simulator in a separate browser window and change the response type to each of
the failure messages in turn so you can write code to handle each message
appropriately. Normally NOTAUTHED messages would prompt the user to try
Page 27 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
another card and REJECTED messages would ask them to check their Address and
CV2 details are correct and resubmit, or to try another card. You may wish to store
the VPSTxId and SecurityKey of the failed transaction against your VendorTxCode
and generate a new VendorTxCode for the retry attempt if you wish to keep a
history of the failed transactions as well as the successful one.
You should then use the Simulator to send each type of error message
(MALFORMED, INVALID and ERROR) to your payment script to check that all
message types are handled correctly. MALFORMED messages should only occur
during development when the POST may be incorrectly formatted, and INVALID
messages can be avoided by pre-validating the user input. In the case of ERROR,
your code should present the customer with a page saying that online payment was
not currently available and offering them an alternative contact telephone number
for payment or request them to come back later.
Once your page can handle every type of message returned by the Simulator, you
should set the Simulator to Random mode and attach the payment pages onto the
end of your e-commerce site to test end-to-end transactions through your site.
The Random mode will respond with an OK message 60% of the time, a
NOTAUTHED 25% of the time, REJECTED 10% and ERROR 5% to allow you to
ensure you site respond correctly in each circumstance.
4: 3D-Authenticated Transactions
If you plan to support Verified by Visa and MasterCard SecureCode, collectively the
3D-Secure authentication system, you should now go on to test that your scripts
can handle these messages. You should ONLY do this once your transaction
registration script can successfully process non-authenticated transactions as
described in section 3 above.
Log into the Simulator, bring up the Direct configuration page and select 3DAUTH
as the response. Click the Update button.
Send a transaction registration POST to the Simulator and rather than receiving an
OK status, your script will receive a 3DAUTH Status instead. A simulated MD,
PAReq and ACSURL will be provided and you should ensure that your script builds
the simple, automatically-submitting, HTML FORM code (as described in the step by
step transaction process earlier in this document) and redirects your browser to the
simulated 3D-Authentication page.
Page 28 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This page displays the Terminal URL you have provided, and you should check that
this points to the fully qualified URL of the Callback page provided in your kit. This
should begin with https:// (since the Terminal URL must be secured) and provide
the full path to the page.
Page 29 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If the URL is correct, you can select one of the buttons to create a Simulated
PARes message that, when forwarded by your Terminal URL code to the Simulator
3D Callback page, will generate the Direct result of your choosing.
Your Terminal URL code (normally a page called 3DCallback in the kits) should be
modified to store the result fields in your database (as you did for your transaction
registration code in section 3 above), including the 3DSecureStatus field and, for
3D-Authenticated transactions, the CAVV field (the unique signature for a validated
3D-Secure transaction).
You can then direct your customer to the relevant completion page, depending on
the Status of the transaction. Like non-authenticated transactions, a Status of OK
should redirect the user to a success page, and ERROR, NOTAUTHED, REJECTED,
MALFORMED or INVALID to various error handling pages.
Page 30 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
You should ONLY begin to test your PayPal integration on the Simulator once you
are happy that your site can correctly send and process the messages exchanged
between your site and ours for a standard Direct transaction.
Log into the Simulator, click the ‘Account’ button, and ensure ‘Activate PayPal’ has
been selected in the Account Settings section.
Browse to your Direct integration kit and proceed to the checkout page. The kits
present both Express Checkout and Mark options:
Page 31 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Whichever option you choose, either Express Checkout or Mark, you should send
the Transaction Registration post to the Simulator with the CardType set to PAYPAL.
Your code should store the VPSTxId and redirect the customer’s browser to the
simulated PayPal Sign In page:
Click ‘Proceed’ on the PayPal Sign In Page to reach the screen below.
Page 32 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
On this screen, you can choose the message which is returned to your
PayPalCallbackURL upon completion of a PayPal payment. For now, we recommend
you to select OK to simulate a PAYPALOK response (see Appendix A7 below). Click
‘OK’.
The default PayPalCallbackURL code in the kits shows the results of the PayPal
Callback Post from Direct after the customer has completed PayPal Authentication,
and gives you the option of rejecting the transaction based on the results returned.
Page 33 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This page does not necessarily have to be displayed to your customer; you can
choose to either handle the response behind the scenes, or display a page to the
shopper confirming the details of the transaction. If required, this page also allows
you to change the amount sent in the original POST in Appendix A1 by +/- 15% of
the original value (for example, if the delivery price changes as a result of the
address selected).
In the example above, the AddressStatus returned was CONFIRMED and the
PayerStatus returned was VERIFIED. As the customer has successfully completed
the PayPal verification process to help establish the shopper’s identity, and their
address has been reviewed by PayPal and found highly likely to be that of the User
to which it is associated, this is a strong indication that this is a genuine shopper.
If you wish to proceed with the transaction, you send a POST to the PayPal
Completion URL with a value of YES in the Accept field (see Appendix A8).
If the address was not confirmed, and the payer not verified, for example, you may
not wish continue without PayPal Seller Protection*. If you do NOT wish to
proceed, you would still need to send a POST to the Sage Pay servers to complete
the transaction, but enter a value of NO in the Accept field to cancel the
transaction (see Appendix A8).
* PayPal’s Seller Protection Policy can protect sellers from claims, chargebacks
and reversals. PayPal will reimburse you for a specified amount if you meet the
requirements set out in their Terms and Conditions of the User Agreement. Please
visit the link below for further information about Seller Protection:
https://www.paypal.com/uk/cgi-bin/webscr?cmd=p/gen/ua/policy_spp-
outside#spp-policy
NB: Sage Pay provides example code in several scripting languages to aid
developers integrate our Direct product with PayPal. Within the kits there is a file
called paypalCallback. This file provides a basic working example of completing a
successful PayPal transaction. By default, the Amount of the transaction is
unchanged from the original value, and the value returned in the Accept field is
always “YES”, regardless of the results returned to you in Appendix A7. You can
amend your own code and use the results returned to determine whether you wish
to proceed with the PayPal transaction.
You can create a Simulated PayPal Completion message that, when POSTed to the
Simulator PayPal Completion page, will generate the Direct result of your choosing.
By sending the Completion POST with Accept=YES, a Status of OK will be returned
in the final POST to your servers. A value of Accept=NO will return a Status of
NOTAUTHED.
When you receive this final response from Direct, (see Appendix A2), you should
redirect your customer to the relevant completion page on your site, depending on
the Status of the transaction. Like standard transactions, a Status of OK should
redirect the user to a success page, and ERROR, NOTAUTHED, REJECTED,
MALFORMED or INVALID to various error handling pages.
Page 34 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The Simulator keeps the last month’s worth of simulated transactions online for you
to examine at your leisure. Using the Transactions button you can view everything
you’ve sent us to ensure the data is as you expected.
You can also see from this screen which transactions have been subsequently
refunded or used as the basis for repeat payments (see 7 below).
Once your site can handle all Direct status types, on both your transaction
registration and 3D-Secure Terminal URL pages, then you’ve completed your basic
Direct integration and can move on to testing your site against the real Direct,
firstly on the Test Server (see the next main section). If, however, you wish to link
in additional processes, such as Refunds or Repeats, or the ability to Release or
Abort Deferred transactions, you should continue with step 7 below.
Page 35 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
DEFERRED transactions.
In some cases you may not wish to take the funds from the card immediately, but
merely place a “shadow” on the customer’s card to ensure they cannot
subsequently spend those funds elsewhere, and then only take the money when
you are ready to ship the goods. This type of transaction is called a DEFERRED
transaction and is registered in exactly the same way as a normal PAYMENT. You
just need to change your script to send a TxType of DEFERRED when you register
the transaction (protocol A1) instead of PAYMENT.
DEFERRED transactions are NOT sent to the bank for completion the following
morning. In fact, they are not sent at all until you RELEASE them by logging into
the My Sage Pay interface, finding the transaction and clicking the Release button.
You can release ONLY ONCE and ONLY for an amount up to and including
the amount of the original DEFERRED transaction.
If you are unable to fulfil the order, you can also ABORT deferred transactions in a
similar manner and the customer will never be charged.
DEFERRED transactions remain available for RELEASE for up to 30 days. After that
time they are automatically ABORTed by the Sage Pay systems.
When you RELEASE a DEFERRED PayPal transaction PayPal applies best efforts to
capture funds at that time, but there is a possibility that funds will not be available.
Page 36 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
REPEAT payments
If you wish to regularly REPEAT payments, for example for monthly subscriptions,
you should ensure you have a “Continuous Authority” merchant number from your
bank (please contact your acquiring bank for further details), but ad-hoc REPEATs
do not require a Continuous Authority merchant number. REPEAT payments cannot
be 3D-Secured, or have CV2 checks performed on them (unless you supply those
values again. Sage Pay are not allowed to store CV2 numbers) so you are better to
make use of Authenticate and Authorise if you need to vary the transaction amount
on a regular basis.
You can only REPEAT a PayPal transaction if the initial transaction was set up as a
PayPal Reference transaction (with BillingAgreement set to 1. See the Appendix for
details).
The AUTHENTICATE and AUTHORISE methods are specifically for use by merchants
who are either (i) unable to fulfil the majority of orders in less than 6 days (or
sometimes need to fulfil them after 30 days) or (ii) do not know the exact amount
of the transaction at the time the order is placed (for example, items shipped priced
by weight, or items affected by foreign exchange rates).
Your site will register your transaction with a TxType of AUTHENTICATE. Direct will
contact the 3D-Secure directories to check if the card is part of the scheme. If it is
not, then the card details are simply held safely at Sage Pay and Direct will reply
with a Status of REGISTERED (this also happens if you do not have 3D-Secure
active on your account or have used the Apply3DSecure flag to turn it off for that
transaction).
NB: For PayPal transactions, you can use the Authenticate and Authorise Payment
Type but the transaction will only ever be REGISTERED (because the transaction
will never be 3D Secured). Similarly to Releasing a Deferred transaction, we
recommend you to Authorise the transaction via the My Sage Pay area when you
are ready to ship the goods and take the funds.
If, however, the card is part of the 3D-Secure scheme, Direct will reply with a
Status of 3DAUTH along with the MD, PAReq and ACSURL. You must then redirect
the customer to their card issuing bank for authentication (just like a normal 3D-
Secure payment, see steps 5 and 6 in the Payment Process above). Here they will
authenticate themselves and be returned to your TermUrl along with the PARes and
MD. These you’ll forward to the Direct 3D Callback page and Sage Pay will decode
the response for you.
If the customer has not passed authentication, your rule base is consulted to check
if they can proceed for authorisation anyway. If not, Direct replies with a Status of
REJECTED. If the customer failed authentication but can proceed, Direct replies
Page 37 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
with a REGISTERED Status. If the user passed authentication with their bank and
a CAVV/UCAF value is returned, Direct sends a Status of AUTENTICATED and a
CAVV value for you to store if you wish.
In all cases, the customer’s card is never authorised. There are no shadows placed
on their account and your acquiring bank is not contacted. The customer’s card
details and their associated authentication status are simply held at Sage Pay for up
to 90 days (a limit set by the card schemes, 30 days for International Maestro
cards) awaiting an AUTHORISE or CANCEL request from your site (see the
“Server and Direct Shared Protocols” document for details of these messages).
To charge the customer when you are ready to fulfil the order, your site will need to
send an AUTHORISE request. You can Authorise any amount up to 115% of the
value of the original Authentication, and use any number of Authorise requests
against an original Authentication so long as the total value of those authorisations
does not exceed the 115% limit, and the requests are inside the 90 days limit. This
is the stage at which your acquiring bank is contacted for an auth code. AVS/CV2
checks are performed at this stage and rules applied as normal. This allows you
greater flexibility for partial shipments or variable purchase values. If the
AUTHENTICATE transaction was AUTHENTICATED (as opposed to simply
REGISTERED) all authorisations will be fully 3D-Secured, so will still receive the
fraud liability shift.
When you have completed all your Authorisations, or if you do not wish to take any,
you can send a CANCEL message to our Server to archive away the Authentication
and prevent any further Authorisations being made against the card. This happens
automatically after 90 days.
Both AUTHORISE and CANCEL operations can also be performed in the My Sage Pay
area.
If you wish to cancel that payment before it is settled with the bank the following
morning, you can send a VOID message to our servers to prevent the transaction
ever being settled (see the “Server and Direct Shared Protocols” document for
more detail), thus saving you your transaction charges and the customer from ever
being charged. You can also VOID transactions through the My Sage Pay Admin
interface. VOIDed transactions can NEVER be reactivated though, so use this
functionality carefully.
Once a transaction has been settled, however, you can no longer VOID it. If you
wish to return funds to the customer you need to send a REFUND message to our
servers, or use the My Sage Pay Admin screens to do the same.
You can REFUND any amount up to the value of the original transaction. You can
even send multiple refunds for the same transaction so long as the total value of
those refunds does not exceed the value of the original transaction. Again, the
Page 38 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
REFUND protocol can be found in the “Server and Direct Shared Protocols”
document.
You cannot VOID a PayPal transaction, but you are able to REFUND a PayPal
transaction.
The Sage Pay Simulator can handle all the additional transaction types discussed
above. It will accept PAYMENT, AUTHENTICATE and DEFERRED transactions at the
registration stage, plus it has services that emulate those of the real servers when
you send REFUND, RELEASE, ABORT, REPEAT, AUTHORISE, CANCEL and VOID
messages to it.
http://www.sagepay.com/developers.asp
Page 39 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If your site works correctly against the Sage Pay Simulator then this is normally a
very quick step. The Test Server is an exact copy of the Live System but without
the banks attached. This means you get a true user experience but without the
fear of any money being taken from your cards during testing.
In order to test on the Test Server, however, you need a Test Server account to be
set up for you by the Sage Pay Support team. These accounts can only be set up
once you have completed all sections of the Online Registration forms
(https://support.sagepay.com/apply/) including the Merchant Account section.
Often when applying to trade online it takes a while for the Merchant Account to be
assigned by your acquirer, so you may wish to ensure that you set those wheels in
motion before you begin your integration with Sage Pay, to ensure things don’t
bottleneck at this stage.
The Support Team will set up an account for you on the Test Server under the
same Vendor Name as your online application form and Simulator account. You will,
however, be issued with different passwords for security purposes. The Support
Team will let you know how to retrieve those passwords and from there how to use
the My Sage Pay Admin screens to look at your transactions.
To link your site to the Test Server, you need only to change your transaction
registration script to send the message to the Test Server URL for the Server
integrated payment method rather than the Simulator. In many kits this is done
simply by changing the strConnectTo string in the includes file to “TEST”. If
you’ve been developing your own scripts, then the Test Site URL for payment
registration is:
https://test.sagepay.com/gateway/service/vspdirect-register.vsp
You will always receive an OK message and an Authorisation Code from the Test
Server if you are using one of the test cards listed over the page. All other valid
card numbers will be declined, allowing you to test your failure pages. If you do
not use the correct Address, Post Code and CV2 digits, the transaction will still
authorise, but you will receive NOTMATCHED messages in the AVS/CV2 checks,
allowing you to test your rule-bases and fraud specific code.
Page 40 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If you have 3D-Secure set up on your test account, you can use the My Sage Pay
interface to switch on the checks at this stage to test your 3D-Secure Terminal URL
script against a simulation of the 3D-Secure environment.
This simulation is more advanced than the Simulator process because it creates real
PAReq and PARes messages. It does not talk to the real Visa and MasterCard
systems though, so no live authentications can occur.
At the 3D-secure callback stage you’ll need to change your POST to go to:
https://test.sagepay.com/gateway/service/direct3dcallback.vsp
Once you’ve checked you can process an end-to-end transaction and, where
appropriate, can successfully process 3D-Authentication, and tested any additional
transaction types you have set up (such as Refunds and Releases) then you are
almost ready to go live. Before doing so, however, you should log into your unique
My Sage Pay account on the test servers to view your transactions and familiarise
yourself with the interface.
Page 41 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
When you log in to the My Sage Pay screens you will be asked for a Vendor Name,
a User Name and a Password. The first time you log in you will need to do so as
your system Administrator:
• In the Vendor Name box, enter your Vendor Name, as selected in your
Online Registration screens and used throughout the development as your
unique merchant identifier.
• In the User Name box, enter the Vendor Name again.
• In the Password box, enter the Admin password as supplied to you by Sage
Pay when your test account was set up.
• Click Login.
Page 42 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
The administrator can ONLY create user accounts, unlock other accounts and
change account parameters. You cannot, whilst logged in as administrator, view
your transactions or take payments through the online terminal.
You are now logged in using your own account and can view your test transactions
and use all additional functions. You need only log in as Administrator again if you
wish to create additional users, or if you lock yourself out of your own account, you
can use the Administrator account to unlock yourself.
If you happen to lock out the Administrator account, you will need to contact Sage
Pay to unlock it for you: send an e-mail to unlock@sagepay.com stating the Vendor
Name and Merchant Number of the account. If you need reminding of your unique
account passwords, send an e-mail to the above and request a password retrieval
link, stating the Vendor Name and Merchant Number of the account.
Detailed context sensitive help is available on every My Sage Pay page by clicking
the Help button, so a description of the functions will not be presented here. Play
with the system until you are comfortable with it though; you cannot inadvertently
charge anyone or damage anything whilst on the test server.
Page 43 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This does not mean you will immediately be able to use your Live account
You must ensure you have completed testing of your account before you are
granted access to your Live account. Details can be found below:
http://www.sagepay.com/developers/integration_manual/processes_go%20live.ht
ml
NB – Without confirmation from the bank and without Direct Debit submission,
Sage Pay will not be able to set your account Live. You will only be charged by Sage
Pay when your account has valid Direct Debit and confirmation of your merchant
details from the bank.
Once your Live account is active, you should point your website transaction
registration scripts to the following URL:
https://live.sagepay.com/gateway/service/vspdirect-register.vsp
https://live.sagepay.com/gateway/service/direct3dcallback.vsp
https://live.sagepay.com/gateway/service/complete.vsp
You should then run an end-to-end transaction through your site, ordering
something relatively inexpensive from your site and paying using your own valid
credit or debit card. If you receive an authorisation code, then everything is
working correctly.
Finally should then log into the Live Server My Sage Pay screens at
https://live.sagepay.com/mysagepay and in a similar manner to the Test Server,
first log in as the Administrator, then create a Live System User account for
yourself, log in as that user, locate your test transaction and VOID it, so you are
not charged for the transaction. At this stage the process is complete.
It is worth noting here that none of the users you set up on the My Sage Pay
system on the Test Server are migrated across to Live. This is because many
companies use third party web designers to help design the site and create users
for them during test that they would not necessarily like them to have in a live
environment. You will need to recreate any valid users on the Live system when
you first log in.
Page 44 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Here are the best ways to reach us and the best people to reach:
• If you have a question about a transaction, have issues with your settlement
files, are having problems with your payment pages or My Sage Pay screens,
or have a general question about online payments or fraud, e-mail
support@sagepay.com with your Sage Pay Vendor Name included in the
mail.
We will also keep you updated about major system changes, new reports and other
enhancements via the Updates section in My Sage Pay, plus your e-mail address
will be added to our group mail list used to alert you to upgrades and other pending
events.
You can also always check our system availability and current issues on the Sage
Pay Monitor page at http://www.sagepay.com/system_monitor.asp
Thanks again for choosing Sage Pay, and we wish you every success in your e-
commerce venture.
Page 45 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This section details the Sage Pay Direct Protocol. It details the contents of the POSTs and responses, between your website and ours. The
format and size of each field is given, along with accepted values and characters. The legend below explains the symbols:
Page 46 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This is performed via a HTTPS POST request, sent to the initial Direct Payment URL. The details should be URL encoded Name=Value
fields separated by ‘&’ characters.
TxType Alphabetic PAYMENT, DEFERRED or See companion document “Server and Direct Shared
Max 15 characters. AUTHENTICATE ONLY Protocols” other transaction types (such as Refund, Releases,
Aborts and Repeats). The value should be in capital letters.
Vendor Alphanumeric Your unique Vendor Login Name Used to authenticate your site. This should contain the Sage
Max 15 characters. Pay Vendor Name supplied by Sage Pay when your account
was created.
VendorTxCode Alphanumeric Vendor Transaction Code This should be your own reference code to the transaction.
Max 40 characters Your site should provide a completely unique VendorTxCode
for each transaction.
Amount Numeric. Amount for the Transaction containing minor digits Must be positive and numeric, and may include a decimal
0.01 to 100,000.00 formatted to 2 decimal places where appropriate. place where appropriate. Minor digits should be formatted to
two decimal places. e.g. 5.10, or 3.29. Values such as 3.235
will be rejected. Minimum for no minor unit currencies like
JPY is 1.
Currency Alphabetic Three-letter currency code to ISO 4217 Examples: GBP, The currency must be supported by one of your Sage Pay
3 characters EUR and USD merchant accounts or the transaction will be rejected.
Description Alphanumeric Free text description of goods or services being The description of goods purchased for you reference in the
Max 100 characters purchased My Sage Pay screens
CardHolder Alphabetic The card holder’s name. This should be the name displayed on the card. Not
Max 50 characters required if CardType=PAYPAL
CardNumber Numeric The credit or debit card number with no spaces. The full card number is required.
Max 20 characters Not required if CardType=PAYPAL
Page 47 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Optional: Numeric The Start date (required for some Maestro, Solo and The start date MUST be in MMYY format i.e. 0699 for June
4 characters Amex) in MMYY format. 1999. No / or – characters should be included. Not
StartDate
required if CardType=PAYPAL
ExpiryDate Numeric The Expiry date (required for ALL cards) in MMYY The expiry date MUST be in MMYY format i.e. 1206 for
4 characters format. December 2006. No / or – characters should be included.
Not required if CardType=PAYPAL
Optional: Numeric The card Issue Number (some Maestro and Solo cards The issue number MUST be entered EXACTLY as it appears on
Max 2 characters only) the card. e.g. some cards have Issue Number “4”, others
IssueNumber
have “04”. Not required if CardType=PAYPAL
Optional: Numeric The extra security 3 digits on the signature strip of the NB: If AVS/CV2 is ON for your account this field
Max 4 characters card, or the extra 4 digits on the front for American becomes compulsory. Not required if
CV2
Express Cards CardType=PAYPAL
CardType Alphabetic VISA, MC, DELTA, SOLO, MAESTRO, UKE, AMEX, DC, MC is MasterCard. UKE is Visa Electron. MAESTRO should be
Max 15 characters JCB, LASER, PAYPAL used for both UK and International Maestro. AMEX, DC
NB: “SWITCH” is still accepted for UK Maestro but you (DINERS) and PAYPAL can only be accepted if you have
should now use “MAESTRO” for both UK and Int. cards additional merchant accounts with those acquirers.
BillingSurname Alphabetic Customer’s surname In Protocol 2.23, unlike previous protocols, the Billingxxxxx
Max 20 characters columns are compulsory.
Page 48 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
DeliveryPostCode Alphanumeric The Post/Zip code of the Card Holder’s delivery address
Max 10 characters
DeliveryCountry Alphabetic ISO 3166-1 country code of the cardholder’s delivery
Max 2 characters address
Page 49 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Optional: Alphanumeric Full qualified domain name of the URL to which Must begin http:// or https:// Only required if the
Max 255 characters customers are redirected upon completion of a PayPal CardType=PAYPAL.
PayPalCallbackURL
transaction
Optional: Alphanumeric The customer’s e-mail address. The current version of Direct does not send confirmation e-
Max 255 characters NOTE: If you wish to use multiple e-mail addresses, you mails to the customer. This field is provided for your records
CustomerEMail
should add them using the : (colon) character as a only.
separator. e.g. me@mail1.com:me@mail2.com
Optional: Alphanumeric See the next page for the Format of the Basket field You can use this field to supply details of the customer’s
Max 7500 order. This information will be displayed to you in My Sage
Basket
characters Pay.
Optional: Flag 0 = This transaction is not a Gift Aid charitable donation Only of use if your vendor account is Gift Aid enabled.
(default) Setting this field means the customer has ticked a box on
GiftAidPayment
1 = This payment is a Gift Aid charitable donation and your site to indicate they wish to donate the tax.
the customer has AGREED to donate the tax.
Optional: Flag 0 = If AVS/CV2 enabled then check them. If rules apply, Using this flag you can fine tune the AVS/CV2 checks and
use rules (default). rule set you’ve defined at a transaction level. This is useful
ApplyAVSCV2
1 = Force AVS/CV2 checks even if not enabled for the in circumstances where direct and trusted customer contact
account. If rules apply, use rules. has been established and you wish to override the default
2 = Force NO AVS/CV2 checks even if enabled on security checks.
account. This field is ignored for PAYPAL transactions
3 = Force AVS/CV2 checks even if not enabled for the
account but DON’T apply any rules.
Optional: Numeric The IP address of the client connecting to your server This should be a full IP address which you can obtain from
Max 15 characters making the payment. your server scripts. We will attempt to Geolocate the IP
ClientIPAddress
address in your reports and fraud screening.
Optional (3D- Flag 0 = If 3D-Secure checks are possible and rules allow, Using this flag you can fine tune the 3D Secure checks and
perform the checks and apply the authorisation rules rule set you’ve defined, at a transaction level. This is useful
Secure only):
(default). in circumstances where direct and trusted customer contact
Apply3DSecure 1 = Force 3D-Secure checks for this transaction only (if has been established and you wish to override the default
your account is 3D-enabled) and apply rules for security checks.
authorisation.
2 = Do not perform 3D-Secure checks for this NB: If 3D Secure is ON for your account this field becomes
transaction only and always authorise. compulsory.
3 = Force 3D-Secure checks for this transaction (if your
account is 3D-enabled) but ALWAYS obtain an auth code, This field is ignored for PAYPAL transactions
irrespective of rule base.
Page 50 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Optional: Alphanumeric E = Use the e-commerce merchant account (default). This optional flag is used to tell the SAGE PAY System which
1 character C = Use the continuous authority merchant account (if merchant account to use. If omitted, the system will use E,
AccountType
present). then M, then C by default.
M = Use the mail order, telephone order account (if
present). This field is ignored for PAYPAL transactions
Optional: Flag 0 = This is a normal PayPal transaction, not the first in a This field must be set for PAYPAL REFERENCE
series of payments (default) transactions
BillingAgreement
1 = This is the first in a series of PayPal payments. All non-PayPal transactions can be repeated without
Subsequent payments can be taken using REPEAT. this flag.
If you wish to register this transaction as the first in a series
of regular payments, this field should be set to 1. If you do
not have a PayPal account set up for use via Sage Pay, then
this field is not necessary and should be omitted or set to 0.
Page 51 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Basket Contents
The shopping basket contents can be passed in a single, colon-delimited field, in the following format:
IMPORTANT NOTES:
o The line breaks above are included for readability only. No line breaks are needed; the only separators should be the colons.
o The first value “The number of lines of detail in the basket” is NOT the total number of items ordered, but the total number of
rows of basket information. In the example below there are 6 items ordered, (1 DVD player and 5 DVDs) but the number of
lines of detail is 4 (the DVD player, two lines of DVDs and one line for delivery).
Page 52 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
Items Quantity Item value Item Tax Item Total Line Total
If you wish to leave a field empty, you must still include the colon. e.g.
DVD Player:1:199.99:::199.99
Page 53 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
This is the plain text response part of the POST originated by your servers in A1 (or A4 for 3D-Secure transactions). Encoding will be as
Name=Value fields separated by carriage-return-linefeeds (CRLF).
INVALID – Transaction was not registered because although the POST format was Please notify Sage Pay if a
valid, some information supplied was invalid. E.g. incorrect vendor name or Status report of ERROR is seen,
currency. together with your
VendorTxCode and the
NOTAUTHED – The transaction was not authorised by the acquiring bank. No StatusDetail text.
funds could be taken from the card. A NOTAUTHED status is also returned for
PayPal transactions in response to the PayPal Completion Post (if Accept=NO was 3DAUTH is only returned if 3D-
sent to complete PayPal transaction, see Appendix A8). Authentication is available on
your account AND the directory
REJECTED – The SAGE PAY System rejected the transaction because of the rules services have issued a URL to
you have set on your account. which you can progress. A
Status of 3DAUTH only returns
3DAUTH – The customer needs to be directed to their card issuer for 3D- the StatusDetail,
Authentication. GO TO APPENDIX A3. 3DSecureStatus, MD, ACSURL
and PAReq fields. The other
PPREDIRECT – Customer needs to be redirected to PayPal GO TO APPENDIX A6 fields are returned with other
Status codes only. See Appendix
AUTHENTICATED – The 3D-Secure checks were performed successfully and the 3.
card details secured at Sage Pay.
AUTHENTICATED and
REGISTERED – 3D-Secure checks failed or were not performed, but the card REGISTERED statuses are only
details are still secured at Sage Pay. returned if the TxType is
AUTHENTICATE.
ERROR – An error occurred at Sage Pay which meant the transaction could not be
completed successfully.
Page 54 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
StatusDetail Alphanumeric Human-readable text providing extra detail for the Always check StatusDetail if the Status is not OK
Max 255 characters Status message.
VPSTxId Alphanumeric Sage Pay ID to uniquely identify the Transaction on You should store this value and quote it to us if you have a
38 characters our system. query about the transaction.
AddressResult Alphanumeric NOTPROVIDED, NOTCHECKED, MATCHED, The specific result of the checks on the cardholder’s address
Max 20 characters NOTMATCHED numeric from the AVS/CV2 checks.
PostCodeResult Alphanumeric NOTPROVIDED, NOTCHECKED, MATCHED, The specific result of the checks on the cardholder’s Post
Max 20 characters NOTMATCHED Code from the AVS/CV2 checks.
CV2Result Alphanumeric NOTPROVIDED, NOTCHECKED, MATCHED, The specific result of the checks on the cardholder’s CV2 code
Max 20 characters NOTMATCHED from the AVS/CV2 checks.
Page 55 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
3DSecureStatus Alphanumeric OK – The 3D-Authentication step completed successfully. If the This field holds the results of the 3D-
Max 20 characters Status field is OK too, then this indicates that the authorized Authentication steps carried out by Direct and
transaction was also 3D-authenticated and a CAVV will be returned. the Sage Pay MPI.
Liability shift occurs.
If 3D-Secure is not active on your account, this
NOAUTH – This means the card is not in the 3D-Secure scheme. field will always contain the value
NOTCHECKED.
CANTAUTH - This normally means the card Issuer is not part of the
scheme.
Page 56 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If 3D-Authentication is available on your account and the Card AND the Card Issuer are (or can be) part of the scheme, this is the plain
text response part of the POST originated by your servers in A1. Encoding will be as Name=Value fields separated by carriage-return-
linefeeds (CRLF).
Response format:
Name Format Values Comments
Status Alphanumeric 3DAUTH – The customer needs to be 3DAUTH is only returned if 3D-Authentication is available on
Max 15 characters. directed to their card issuer for 3D- your account AND the directory services have issued a URL to
Authentication. which you can progress. A Status of 3DAUTH only returns the
StatusDetail, 3DSecureStatus, MD, ACSURL and PAReq fields.
StatusDetail Alphanumeric Human-readable text providing extra detail Always check StatusDetail if the Status is not OK
Max 255 characters for the Status message.
3DSecureStatus Alphanumeric OK – If the Status field is 3DAUTH, this If a Status of 3DAUTH is returned at this stage, the only value
Max 20 characters means the card is part of the scheme. you will receive for the 3DSecureStatus is OK.
MD Alphanumeric A unique reference for the 3D-Authentication Only present if the Status field is 3DAUTH.
Max 35 characters attempt.
ACSURL Alphanumeric A fully qualified URL that points to the 3D- Only present if the Status field is 3DAUTH.
Max Unlimited, but practical Authentication system at the Cardholder’s
limit should be 7,500 Issuing Bank.
characters
PAReq Alphanumeric A Base64 encoded, encrypted message to be Only present if the Status field is 3DAUTH.
Max Unlimited, but practical passed to the Issuing Bank as part of the 3D-
limit should be 7,500 Authentication. NOTE: When forwarding this value to the ACSURL, pass it in a
characters field called PaReq (note the lower case a). This avoids issues
with case sensitive ACSURL code.
Page 57 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
A4: 3D-Authentication Results POST from your Terminal URL to Sage Pay.
This is performed via a HTTPS POST request, sent to the Direct 3D-Secure Callback URL. The details should be URL encoded
Name=Value fields separated by ‘&’ characters.
Request format
Name Format Values Comments
MD Alphanumeric A unique reference for the 3D-Authentication attempt. This will match the MD value passed back to your site in
Max 35 characters response to your transaction registration POST.
PARes Alphanumeric A Base64 encoded, encrypted message sent back by Issuing Bank This field must be passed back to Direct along with the
Max Unlimited, but to your Terminal URL at the end of the 3D-Authentication process. MD field to allow the Sage Pay MPI to decode the result.
practical limit should be
7,500 characters You will receive this value back from the Issuing Bank in a field
called PaRes (lower case a”), but should be passed to Sage Pay as
PARes.
The response from the 3D Callback service is identical to that of the initial registration POST. See section A2 above.
Page 58 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
A6: Sage Pay Response to the Registration POST (for PayPal transactions)
If you supplied PayPal as a CardType in A1 above and PayPal is active on your account, this response is returned from the server.
Encoding will be as Name=Value fields separated by carriage-return-linefeeds (CRLF).
Response format
Name Format Values Comments
VPSProtocol Numeric. 2.23 in this release. Current system version
Fixed 4 characters.
PayPalRedirectURL Alphanumeric A fully qualified domain name URL to which you Forward the customer’s browser top frame to this URL to
Max 255 characters should redirect the customer. Contain the PayPal continue with the transaction.
token which should not be stripped out.
Page 59 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
After redirecting your customer to the PayPalRedirectURL in step A6 above, this message sent to your PayPalCallbackURL, along with the
customer, after they have completed their PayPal authentication and payment method selection.
It provides all relevant information about the transaction to allow you to decide if you wish to proceed with the payment (see A8 below).
The information will be in the form of URL encoded Name=Value fields separated by ‘&’ characters.
Status Alphanumeric PAYPALOK – The customer has selected a payment StatusDetail contains more information if the Status is not
Max 15 characters. type and the transaction is ready to be taken. PAYPALOK
Page 60 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
DeliverySurname Alphanumeric Customer’s surname These fields form the delivery address selected on the PayPal
Max 20 characters screens, or provided as part of your registration POST if you are
overriding the address (i.e. using a Mark integration rather than
DeliveryFirstnames Alphanumeric Customer’s first names Express)
Max 20 characters
Optional*: Alphanumeric State code for US customers only These fields form the delivery address selected on the PayPal
Max 2 characters screens, or provided as part of your registration POST if you are
DeliveryState
overriding the address.
Optional: Alphanumeric Phone number at delivery address
Max 20 characters
DeliveryPhone
CustomerEMail Alphanumeric Customer e-mail address registered at PayPal
Max 255 characters
PayerID Alphanumeric Unique PayPal User Reference ID
Max 15 characters
Page 61 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
If you wish to complete a PayPal transaction (whose details are returned in A7 above), you must send a completion POST the Sage Pay
servers.
This is performed via an HTTPS POST request, sent to the Direct PayPal Completion URL. The details should be URL encoded
Name=Value fields separated by ‘&’ characters.
The response to this POST is the normal Direct transaction response detailed in A2.
VPSTxId Alphanumeric Sage Pay ID to uniquely identify the You will need to use this when confirming the PayPal transaction
38 characters Transaction on our system.
Amount Numeric. Amount for the Transaction containing The amount can vary from the original POST in A1 by +/- 15% of
0.01 to 10,000.00 minor digits formatted to 2 decimal places the original amount (for example, if delivery prices change as a
where appropriate. result of the address selected).
Accept Alphanumeric YES or NO only YES if you wish to proceed with the PayPal transaction, NO if you
3 characters wish to cancel based on the information returned.
Page 62 of 63
Version Date: Friday, 14 August 2009 Version: 2.23
Direct Protocol and Integration Guidelines
3D-Secure Callback
Simulator: https://test.sagepay.com/Simulator/VSPDirectCallback.asp
TEST System: https://test.sagepay.com/gateway/service/direct3dcallback.vsp
Live System: https://live.sagepay.com/gateway/service/direct3dcallback.vsp
PayPal Completion
Simulator: https://test.sagepay.com/Simulator/complete.asp
TEST System: https://test.sagepay.com/gateway/service/complete.vsp
Live System: https://live.sagepay.com/gateway/service/complete.vsp
Please ensure that your firewalls allow outbound and inbound Port 443 (HTTPS only) access in order to communicate with our servers (on
Simulator/Test/Live).
Page 63 of 63
Version Date: Friday, 14 August 2009 Version: 2.23