Classic Integration for Cards - OTP Integration

The Server-to-Server (S2S) integration for cards allows merchants to securely process card transactions using PayU’s classic integration method. This document describes the step-by-step process to integrate and handle card submissions, OTP verification, and transaction responses.

  1. Initiate Payment Request with PayU
    • The merchant sends a payment request to PayU with necessary parameters such as transaction details, customer information, and surl/furl URLs for redirection after processing.
    • The transaction parameters must comply with the PayU Classic Integration. For more information, refer to Cards Classic Integration.

📘

Reference:

This integration is supported for Cards, Network Tokens, and PayU token-based integrations. For more details on how to pass the network token and PayU token, refer to Collect Payments using a Saved Card.

  2. Handle the OTP Flow or Redirect the Customer

    • After receiving PayU’s response to the initiate payment request (Step 1), merchants can choose one of the following paths based on the response conditions:
        • Collect and submit the OTP using the Native Submit OTP API.
        • Redirect the customer to the Bank Page for OTP entry if required.

Step 1: Initiate Payment request with PayU

The merchant initiates the payment with PayU, passing the required mandatory and optional transaction parameters. This must be a server-to-server cURL request. URL, parameters, and descriptions. For more information, refer to . Collect the response in the  under API Reference. The response for the S2S payment request is not similar to the response for Merchant Hosted or PayU Hosted Checkout. For a description of the response parameters, refer to Additional Info for Payment APIs.

Environment

Request parameters

Parameter (requirement): Description

  • key (mandatory): String. Merchant key provided by PayU during onboarding.

  • txnid (mandatory): String. The transaction ID is a reference number for a specific order that is generated by the merchant.

  • amount (mandatory): String. The payment amount for the transaction.

  • productinfo (mandatory): String. A brief description of the product.

  • firstname (mandatory): String. The first name of the customer.

  • email (mandatory): String. The email address of the customer.

  • phone (mandatory): String. The phone number of the customer.

  • pg (mandatory): String. The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value.

  • bankcode (mandatory): String. Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment option’s bank code value in it. For more information, refer to Card Type Codes and Supported Banks for Cards.

  • ccnum (mandatory): String. Use a 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate it with the LUHN algorithm. Refer to Card Number Formats and display an error message on invalid input.

  • ccname (mandatory): String. This parameter must contain the name on the card, as entered by the customer for the transaction.

  • ccvv (mandatory): String. Use the 3-digit CVV number for credit/debit cards and the 4-digit security code (4DBC/CID) for AMEX cards. Validate with the BIN API.

  • ccexpmon (mandatory): String. This parameter must contain the card’s expiry month, as entered by the user for the transaction. It must always be 2 digits, in MM format. For months 1-9, prefix the value with 0 (01, 02 … 09). For months 10-12, no prefix is added: use 10, 11 and 12 respectively.

  • ccexpyr (mandatory): String. This parameter must contain the card’s expiry year, as entered by the customer for the transaction. It must be four digits.

  • furl (mandatory): String. The success URL, which is the page PayU will redirect to if the transaction is successful.

  • surl (mandatory): String. The Failure URL, which is the page PayU will redirect to if the transaction has failed.

  • hash (mandatory): String. The hash calculated by the merchant. The hash calculation logic is:
    sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)

  • txn_s2s_flow (mandatory): String. This parameter must be passed with one of the following values:
      • 4 for Legacy Decoupled flow.
      • 3 for Direct Authorization.

  • authorization_flow (optional): Controls the OTP submission experience: “REDIRECT” for bank page redirect, omit for PayU’s decision.

  • s2s_client_ip (mandatory): String. This parameter must have the source IP of the customer.

  • s2s_device_info (mandatory): String. This parameter must have the customer agent's device.

  • address1 (optional): String. The first line of the billing address.
      • For fraud detection: this information is helpful for issues related to fraud detection and chargebacks, so you must provide the correct information.

  • address2 (optional): String. The second line of the billing address.

  • city (optional): String. The city where your customer resides as part of the billing address.

  • state (optional): String. The state where your customer resides as part of the billing address.

  • country (optional): String. The country where your customer resides.

  • zipcode (optional): String. Billing address zip code is mandatory for the cardless EMI option. Character limit: 20.

  • udf1 (optional): String. User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.

  • udf2 (optional): String. User-defined fields (udf) are used to store any information corresponding to a particular transaction. You can use up to five udfs in the post designated as udf1, udf2, udf3, udf4, udf5.

  • udf3 (optional): String. User-defined fields (udf) are used to store any information corresponding to a particular transaction.

  • udf4 (optional): String. User-defined fields (udf) are used to store any information corresponding to a particular transaction.

  • udf5 (optional): String. User-defined fields (udf) are used to store any information corresponding to a particular transaction.

Hashing

You must hash the request parameters using the following hash logic:

sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)

Sample request

HTML form

Generate a payment form with all the required parameters. This can be an HTML form or a server-side request. Here’s an example of an HTML form:

<form action="https://test.payu.in/_payment" method="post">
    <input type="hidden" name="key" value="your_merchant_key" />
    <input type="hidden" name="txnid" value="unique_transaction_id" />
    <input type="hidden" name="amount" value="100.00" />
    <input type="hidden" name="productinfo" value="Product Description" />
    <input type="hidden" name="firstname" value="Customer Name" />
    <input type="hidden" name="email" value="customer@example.com" />
    <input type="hidden" name="phone" value="9999999999" />
    <input type="hidden" name="surl" value="https://your-website.com/success" />
    <input type="hidden" name="furl" value="https://your-website.com/failure" />
    <input type="hidden" name="hash" value="calculated_hash_value" />
    <input type="hidden" name="txn_s2s_flow" value="3" />
    <input type="submit" value="Pay Now" />
</form>

cURL

curl --location --request POST 'https://secure.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'key=JP***g' \
--data 'txnid=payuTestTransaction3818940' \
--data 'amount=1.0' \
--data 'firstname=Ashish' \
--data 'email=customer@example.com' \
--data 'phone=9988776655' \
--data 'productinfo=Product Info' \
--data 'surl=https://admin.payu.in/test_response' \
--data 'furl=https://admin.payu.in/test_response' \
--data 'notifyurl=https://admin.payu.in/test_response' \
--data 'codurl=https://admin.payu.in/test_response' \
--data 'ipurl=https://admin.payu.in/test_response' \
--data 'lastname=' \
--data 'udf1=' \
--data 'udf2=' \
--data 'udf3=' \
--data 'udf4=' \
--data 'udf5=' \
--data 'pg=CC' \
--data 'bankcode=DC' \
--data 'ccnum=XXXXXXXXXXX8811' \
--data 'ccname=Ashish' \
--data 'ccvv=XXX' \
--data 'ccexpmon=12' \
--data 'ccexpyr=2023' \
--data 'authorization_flow=REDIRECT' \
 --data 'hash=d89e7d88863617baf01e504c50aa58e94d6ff3371c2ed409ca1f139cfee75d67e85ce7e91c4224790b6cc1b59bb149fc98b0272e27b335225a9d288a34290e42' \
--data 'txn_s2s_flow=4'

Response parameters

Parameter: Description

  • mihpayid: Unique payment ID generated by PayU
  • status: Payment status (success, failure, pending)
  • txnid: Merchant's transaction ID
  • amount: Transaction amount
  • discount: Discount amount, if any
  • net_amount_debit: Actual amount debited
  • error_Message: Error message, if any
  • pureS2SSupported: Indicates if Native Submit OTP is supported (true/false)

Sample Responses

📘

Notes:

  • Reverse hashing: To validate the response from PayU, calculate the following hash and compare it with the hash received in the response:
    sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)
  • Handling errors: For handling errors, refer to Error Codes.
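The request hash from the Hashing section and the reverse hash described in the note above, computed server-side in Node.js. This is an added example, not PayU's own code; the salt, key and order values are constructed, and the received hash is compared in constant time.

```javascript
const crypto = require('node:crypto');

// Field order taken from the two hash formulas on this page.
const FIELDS = ['key', 'txnid', 'amount', 'productinfo', 'firstname', 'email',
  'udf1', 'udf2', 'udf3', 'udf4', 'udf5'];
const RESERVED = ['', '', '', '', '']; // the five empty slots written as "||||||"

const sha512Hex = (s) => crypto.createHash('sha512').update(s, 'utf8').digest('hex');
// Missing optional fields (udf1..udf5) are hashed as empty strings.
const values = (p) => FIELDS.map((f) => String(p[f] ?? ''));

// key|txnid|amount|productinfo|firstname|email|udf1|...|udf5||||||SALT
function requestHashInput(params, salt) {
  return [...values(params), ...RESERVED, salt].join('|');
}

// SALT|status||||||udf5|...|udf1|email|firstname|productinfo|amount|txnid|key
function responseHashInput(resp, salt) {
  return [salt, String(resp.status ?? ''), ...RESERVED, ...values(resp).reverse()].join('|');
}

function requestHash(params, salt) {
  return sha512Hex(requestHashInput(params, salt));
}

// Recompute the reverse hash from the fields as received and compare in constant time.
function verifyResponseHash(resp, salt) {
  const expected = Buffer.from(sha512Hex(responseHashInput(resp, salt)), 'utf8');
  const received = Buffer.from(String(resp.hash ?? '').toLowerCase(), 'utf8');
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real credentials).
const SALT = 'constructed-salt';
const order = { key: 'merchantKey', txnid: 'txn-1001', amount: '100.00',
  productinfo: 'Product Description', firstname: 'Asha',
  email: 'asha@example.test', udf1: 'order-42' };
const response = { ...order, status: 'success' };
response.hash = sha512Hex(responseHashInput(response, SALT));

console.log(requestHash(order, SALT));
console.log(verifyResponseHash(response, SALT));                        // true
console.log(verifyResponseHash({ ...response, amount: '1.00' }, SALT)); // false
```

Keep the salt on the server only, and hash the amount string exactly as it was sent, since "100.00" and "100.0" produce different hashes.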

Response When Native Submit OTP is Supported

{
  "metaData": {
    "txnId": "payuTestTransaction3818940",
    "txnStatus": "Enrolled",
    "unmappedStatus": "pending",
    ...
  },
  "result": {
    "acsTemplate": "Base64_encoded_HTML_form_string"
  },
  "binData": {
    "pureS2SSupported": true,
    "issuingBank": "UBI",
    "category": "debitcard",
    "cardType": "VISA",
    "isDomestic": true
  }
}

Response When Native Submit OTP is NOT Supported

{
  "metaData": {
    "txnId": "payuTestTransaction3818940",
    "txnStatus": "Enrolled",
    "unmappedStatus": "pending",
    ...
  },
  "result": {
    "acsTemplate": "Base64_encoded_HTML_form_string"
  },
  "binData": {
    "pureS2SSupported": false,
    "issuingBank": "UBI",
    "category": "debitcard",
    "cardType": "VISA",
    "isDomestic": true
  }
}

Step 2: Handle OTP or Redirect customer

When Native Submit OTP is Supported

If the response from Step 1 contains the following parameters:

  • metaData.unmappedStatus = pending
  • binData.pureS2SSupported = true

curl --location --request POST 'https://api.payumoney.com/payment/submit-otp' \
--header 'Content-Type: application/json' \
--data-raw '{
    "txnToken": "TRANSACTION_TOKEN_FROM_RESPONSE",
    "otp": "OTP_ENTERED_BY_CUSTOMER"
}'

Then, the following actions should be taken:

  1. Collect the OTP from the customer.
  2. Submit the OTP to PayU using the .

When Native Submit OTP is NOT Supported

If the response contains:

  • metaData.unmappedStatus = pending
  • binData.pureS2SSupported = false

The following actions should be performed:

  1. Decode result.acsTemplate from the response using Base64 decoding.
  2. Generate the HTML form from the decoded template.
  3. Redirect the customer to the Bank Page to enter the OTP.

Example code to decode and display the ACS template:

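// acsTemplate holds the Base64 string from result.acsTemplate in the Step 1 response
// Decode base64 encoded acsTemplate
const decodedTemplate = atob(acsTemplate);
// Insert the decoded template into the container element on the page
document.getElementById('acs-container').innerHTML = decodedTemplate;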
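The Step 2 decision described above, as server-side Node.js: pick the native OTP path or the redirect path from the Step 1 response, and check the decoded acsTemplate before handing it to the browser. This is an added example, not PayU's code; the action labels, the sample response and the assumption that the template contains a `<form>` with an absolute `action` URL are illustrative.

```javascript
// Decide the Step 2 path from the parsed Step 1 response.
// Action labels (STOP, SUBMIT_OTP, REDIRECT) are hypothetical names for this example.
function nextAction(resp) {
  const status = resp?.metaData?.unmappedStatus;
  if (status !== 'pending') return { action: 'STOP', reason: `unmappedStatus=${status}` };

  // Strict boolean check: a string such as "false" must not select the native OTP path.
  if (resp?.binData?.pureS2SSupported === true) return { action: 'SUBMIT_OTP' };

  const b64 = resp?.result?.acsTemplate;
  if (typeof b64 !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
    return { action: 'STOP', reason: 'acsTemplate missing or not Base64' };
  }
  const html = Buffer.from(b64, 'base64').toString('utf8');

  // Assumption: the template is an HTML form. Only pass it on if it posts over https.
  const m = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/i.exec(html);
  let target;
  try {
    target = new URL(m ? m[1] : '');
  } catch {
    return { action: 'STOP', reason: 'no absolute form action' };
  }
  if (target.protocol !== 'https:') return { action: 'STOP', reason: 'form action is not https' };

  // bankHost is returned so it can be logged next to the txnid.
  return { action: 'REDIRECT', html, bankHost: target.host };
}

// Constructed sample response (the bank host is a placeholder).
const sampleTemplate = Buffer.from(
  '<form action="https://acs.bank.example/otp" method="post"></form>', 'utf8'
).toString('base64');
const sampleResponse = {
  metaData: { txnId: 'txn-1001', unmappedStatus: 'pending' },
  result: { acsTemplate: sampleTemplate },
  binData: { pureS2SSupported: false },
};

console.log(nextAction(sampleResponse).action); // REDIRECT
```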

Associated Actions on the OTP Page

When collecting the OTP on your page, you must provide the following functionality to the customer:

  • Resend OTP: Enable customers to request another OTP using the Resend OTP API.

  • Redirect to Bank Page: If merchants decide to redirect the customer, decode the acsTemplate and redirect them to the bank for transaction completion.

    Ensure you decode the acsTemplate to redirect the customer to the proper bank interface.

Verify the Transaction

After completing the payment flow, verify the transaction status using the Verify Payment API:

curl --location --request POST 'https://api.payumoney.com/payment/verify' \
--header 'Content-Type: application/json' \
--data-raw '{
    "merchantKey": "YOUR_MERCHANT_KEY",
    "paymentId": "PAYMENT_ID_FROM_RESPONSE"
}'

Alternatively, implement PayU’s webhooks to receive real-time payment status updates. For more information, refer to Payment Webhooks.