Cards Integration

PayU supports the following debit cards and credit cards:

  • American Express (AMEX)
  • Visa
  • Mastercard
  • Diners
  • Rupay

๐Ÿ“˜

Note:

PayU accepts domestic and international transactions, but international transactions need to be enabled by writing to PayU Integration Team ([email protected]).

If you are storing or transmitting cardholder data, you must fill the โ€œSelf-Assessment Questionnaire A-EP and Attestation of Complianceโ€ form. For more information on Save Cards API integration, refer to PayU Save Cards API Integration docs.

Steps to Integrate

  1. Validate the card type
  2. Initiate the payment to PayU
  3. Verify the payment

๐Ÿ‘

Before you begin:

Register for a account with PayU before you start integration. For more information, refer to Register for a Merchant Account.

Step 1: Validate the card type

When customers use debit cards or credit cards on your website, you can validate the card type with the first six digits. Use the check_isDomestic API (known as BIN API) to validate the type of card. For more information, refer to BIN APIs.

After the customer enters the card number, you can validate the first six digits with the check_isDomestic API. For more information, refer to Check is Domestic API.

Step 2: Initiate the payment to PayU

Post Request Syntax & Composition

Post Request Syntax & Composition for Cards

<body>
<form action='https://test.payu.in/_payment' method='post'>
<input type="hidden" name="key" value="JP***g" />
<input type="hidden" name="txnid" value="t6svtqtjRdl34W" />
<input type="hidden" name="productinfo" value="iPhone" />
<input type="hidden" name="amount" value="10" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="firstname" value="Ashish" />
<input type="hidden" name="lastname" value="Kumar" />
<input type="hidden" name="pg" value="CC" />
<input type="hidden" name="bankcode" value="MAST" />
<input type="hidden" name="ccnum" value="5123456789012346" />
<input type="hidden" name="ccname" value="Ashish Kumar" />
<input type="hidden" name="ccvv" value="123" />
<input type="hidden" name="ccexpmon" value="12" />
<input type="hidden" name="ccexpyr" value="2021" />
<input type="hidden" name="surl" value="your own success url" />
<input type="hidden" name="furl" value="your own failure url" />
<input type="hidden" name="phone" value="9988776655" />
<input type="hidden" name="hash" value="eabec285da28fd0e3054d41a4d24fe9f7599c9d0b66646f7a9984303fd6124044b6206daf831e9a8bda28a6200d318293a13d6c193109b60bd4b4f8b09c90972" />
<input type="submit" value="submit"> </form>
</body>
</html>

๐Ÿ“˜

Note:

The above code block is for Merchant Checkout integration on the credit card call for the test environment.

Request Parameters

Post the following additional parameters for the card payment to PayU using the Merchant Hosted integration.

Environment

๐Ÿ“˜

Reference:

For the complete list of parameters (with Try It experience ) and response, refer to Collect Payments API under API Reference.

ParameterDescriptionExample
pg mandatoryString The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value.CC
bankcode mandatoryString Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment optionโ€™s bank code value in it.AMEX
ccnum mandatoryString Use 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate with LUHN algorithm. Refer to Card Number Formats and display error message on invalid input.5123456789012346
ccname mandatoryString This parameter must contain the name on card โ€“ as entered by the customer for the transaction.Ashish Kumar
ccvv mandatoryString Use 3-digit CVV number for credit/debit cards and 4-digit security code (4DBC/CID) for AMEX cards. Validate with BIN API.123
ccexpmon mandatoryString This parameter must contain the cardโ€™s expiry month โ€“ as entered by the user for the transaction. It must always be in 2 digits or in MM format. For months 1-9, this parameter must be appended with 0 โ€“ like 01, 02โ€ฆ09. For months 10-12, this parameter must not be appended โ€“ It should be 10,11 and 12 respectively.10
ccexpyr mandatoryString This parameter must contain the cardโ€™s expiry year โ€“ as entered by the customer for the transaction. It must be of four digits.2021

Sample request

curl -X \
 POST "https://test.payu.in/_payment" -H \
 "accept: application/json" -H \
 "Content-Type: application/x-www-form-urlencoded" -d "key=JP***g&txnid=EaE4ZO3vU4iPsp&amount=10.00&firstname=Ashish&[email protected]&phone=9876543210&productinfo=iPhone&pg=cc&bankcode=MAST&surl=https://apiplayground-response.herokuapp.com/&furl=https://apiplayground-response.herokuapp.com/&ccnum=5123456789012346&ccexpmon=05&ccexpyr=2022&ccvv=123&ccname=undefined&hash=fc3206829a6b4f8e300aeefb8f91add568b83dc90d01383a8e16553cc9600a3aefd4be2e370d32f0315ef1b9f28740515a9556b55abfefa7b54b434f894c9304"

Sample response

Array
(
    [mihpayid] => 403993715524069222
    [mode] => CC
    [status] => success
    [unmappedstatus] => captured
    [key] => JF***g
    [txnid] => EaE4ZO3vU4iPsp
    [amount] => 10.00
    [cardCategory] => domestic
    [discount] => 0.00
    [net_amount_debit] => 10
    [addedon] => 2021-09-08 19:37:19
    [productinfo] => iPhone
    [firstname] => Ashish
    [lastname] => 
    [address1] => 
    [address2] => 
    [city] => 
    [state] => 
    [country] => 
    [zipcode] => 
    [email] => [email protected]
    [phone] => 9876543210
    [udf1] => 
    [udf2] => 
    [udf3] => 
    [udf4] => 
    [udf5] => 
    [udf6] => 
    [udf7] => 
    [udf8] => 
    [udf9] => 
    [udf10] => 
    [hash] => ed99957adb08fea56c907b88e8d158a79c3562c67f96c298461509826f77a7ae9e88b2a176b3234c25f50bcd451271728719656f3bb59c13a52bebabc468615a
    [field1] => 0608273386032718000015
    [field2] => 986987
    [field3] => 10.00
    [field4] => 403993715524069222
    [field5] => 100
    [field6] => 02
    [field7] => AUTHPOSITIVE
    [field8] => 
    [field9] => Transaction is Successful
    [payment_source] => payu
    [PG_TYPE] => CC-PG
    [bank_ref_num] => 0608273386032718000015
    [bankcode] => CC
    [error] => E000
    [error_Message] => No Error
    [name_on_card] => payu
    [cardnum] => 512345XXXXXX2346
)

Handling Guest Checkout Transactions

As per RBI compliances, acquirers are also not allowed to store card details after a stipulated timeline. As per recommendations from RBI end, Guest checkout transactions wonโ€™t be allowed post 31st Oct. 2023. Guest checkout PAN should be replaced with some alternative number for transaction processing. As per the new regulations on guest checkout, where we have to tokenise plain card numbers. This token is called Alternative ID or Alt ID.

There are three scenarios with Alternative ID:

  1. Merchant provisions and processes guest transaction with PayU
  2. Merchant provisions Alt ID outside Payu and uses PayU to process transaction
  3. Merchant only provisions Alt ID from PayU

Scenario 1: Provision & processes guest transaction with PayU

No changes required in the _payment request used to collect payments.

Scenario 2: Provision Alt ID outside PayU and use PayU to Process Transaction

You have to pass alt ID as a variable and pass TAVV (Cryptogram), last four digits and par parameter as part of additional_info JSON. There is no change in the response and it remains the same.

๐Ÿ“˜

Note:

The par parameter is optional as part of additional_info JSON.

Where:

  • trid (Token Requestor ID) is the identity given by the networks for creating the tokens. You should be able to get the same from your token provider.
  • tokenReferenceID (Token Reference ID) is generated along with the network token. You should be able to get the same from your token provider.
  • TAVV is a token authentication verification value given by schemes or interchange. Also, known as cryptogram.

๐Ÿ“˜

Reference:

For the description of parameters, refer to Integrate with Collect Payment API - Merchant Hosted Checkout.

Sample Request

๐Ÿ“˜

Note:

tokenReferenceid field is required in the additional_info parameter if you are provisioning Alt ID outside PayU for Diners card.

curl --location 'http://local.secure.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: PHPSESSID=1ea787db42b354192d1a4505154553b2' \
--data-urlencode 'key=smsplus' \
--data-urlencode 'firstname={{firstname}}' \
--data-urlencode 'email={{email}}' \
--data-urlencode 'amount={{amount}}' \
--data-urlencode 'phone=9999999999' \
--data-urlencode 'productinfo={{productinfo}}' \
--data-urlencode 'surl=your own success url'  \
--data-urlencode 'furl=your own failure url'  \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=MASTERCARD' \
--data-urlencode 'alt_id=5123456789012346' \
--data-urlencode 'additional_info={"tavv":"AKF/FaM3BPWoAAEWYTiQAAADFA==","last4Digits":"2346","par":"799F3ED865F5965CC760A32682BA8A80F19E99ECB3F7F03574C14F5B6C3EB2C1","tokenReferenceId":"3acdd709-3c4b-4280-a6db-3f02271d09a3"}' \
--data-urlencode 'ccname=Flipkart' \
--data-urlencode 'ccvv=126' \
--data-urlencode 'ccexpmon=05' \
--data-urlencode 'ccexpyr=2024' \
--data-urlencode 'txnid={{txnid}}' \
--data-urlencode 'hash={{hash}}' \
--data-urlencode 's2s_device_info=Mozilla/5.0 (Linux; Android 12; CPH2219 Build/RKQ1.211119.001) FKUA/Retail/1560600/Android/Mobile (OPPO/CPH2219/b0c21e94349008d9f1838c6e87fb49c7)' \
--data-urlencode 's2s_client_ip=157.51.149.40' \
--data-urlencode 'termUrl=https://acssimuat.payubiz.in/termUrl/DecoupledResponse' \
--data-urlencode 'methodCallReferenceId=test289024' \
--data-urlencode 'threeDSCompInd=Y' \
--data-urlencode 'threeDS2RequestData={"browserInfo":{"userAgent":"Mozilla\/5.0 (X11 Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/93.0.4577.0 Safari\/537.36","acceptHeader":"*\/*","language":"en-US","colorDepth":"24","screenHeight":"600","screenWidth":"800","timeZone":"-300","javaEnabled":true,"ip":"10.248.2.71"}}' \
--data-urlencode 'forceProtocolAs3DS2=1

Scenario 3: Provision Alt ID from PayU

The Provision Alt ID API is used to provision Alt ID from PayU, but process transaction outside PayU. For more information, refer to Provision Alt ID API.

Step 3: Verify the Payment

Verify the transaction details using the Verification APIs. For API reference, refer to Verify Payment API under API Reference.

๐Ÿ“˜

Note:

The transaction ID that you posted in Step 1 with PayU must be used here.

Recommended Integrations for Cards

  • Save Cards: Save cards and expedite the next payment from your customers with a better success rate. For more information, refer to Save Cards.
  • Recurring Payments: Enable recurring payments or subscriptions for cards. For more information, refer to Recurring Payments.
  • Offers: Configure offers for cards on Dashboard and then collect payments with offers. For more information, refer to Offers Dashboard or Offers Integration APIs.

Request Parameter for 3DS Secure 2.0 Transaction

Along with the parameters mentioned in the Collect Payment API - Merchant Hosted Checkout, you must include the threeDS2RequestData parameter in the following JSON format for 3DS Secure 2.0 support for cards:

{"device": {
    "browserInfo": "MOZILLA",
    "browserDetails": {
      "3DSecureChallengeWindowSize": "FULL_SCREEN",
      "acceptHeaders": "application/json",
      "colorDepth": 24,
      "javaEnabled": true,
      "language": "en-US",
      "screenHeight": 640,
      "screenWidth": 480,
      "timeZone": 273
    },
    }
}

3DS Secure 2.0 browserDetails JSON Fields Description

FieldDescriptionExample
userAgentThis field must include user agent of the device browser.ย 
acceptHeaderThis field contains the format of the header.application/json
languageThis field contains the language for the 3D Secure Challenge.en-US
colorDepthThis field contains the color depth of the screen.24
screenHeightThis field contains the screen height of the device displaying the 3D Secure Challenge.640
screenWidthThis field contains the screen width of the device displaying the 3D Secure Challenge.480
javaEnabledThis field contains whether Java is enabled for the device. It can be any of the following:true
timeZoneThis field contains the time zone code where the payment is accepted.273
ipThis should include the IP address of the device from which the browser is accessed.10.248.2.71

Sample cURL Request with 3DS Secure 2.0

The sample cURL request with 3DS Secure 2.0:

curl --location 'https://test.payu.in/_payment' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: PHPSESSID=nbn8otc350bsv6u5fqvhcbo73b; PHPSESSID=63a0499eaf13e' \
--data-urlencode 'key=JF****g' \
--data-urlencode 'firstname=Ashish' \
--data-urlencode '[email protected]' \
--data-urlencode 'amount=10' \
--data-urlencode 'phone= 9876543210' \
--data-urlencode 'productinfo=Product_info' \
--data-urlencode 'surl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'furl=http://pp30admin.payu.in/test_response' \
--data-urlencode 'pg=CC' \
--data-urlencode 'bankcode=CC' \
--data-urlencode 'lastname=Test' \
--data-urlencode 'ccname=Test User' \
--data-urlencode 'ccvv=123' \
--data-urlencode 'ccexpmon=06' \
--data-urlencode 'ccexpyr=2024' \
--data-urlencode 'txnid=jYhbOYH9o4' \
--data-urlencode 'hash=e5b286a9c8545038de9d4e4ee4d8a2fd02e821015aff7e0323807ba174997d8643f9aa174981385e3e4dfe60b918650806ccb97b3e8e3471e1985ecadefd0184' \
--data-urlencode 'ccnum=4012000000002004' \
--data-urlencode 'txn_s2s_flow=4' \
--data-urlencode 'threeDS2RequestData={
    "browserInfo": {
        "userAgent": "Mozilla\/5.0 (X11 Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/93.0.4577.0 Safari\/537.36",
        "acceptHeader": "*\/*",
        "language": "en-US",
        "colorDepth": "24",
        "screenHeight": "600",
        "screenWidth": "800",
        "timeZone": "-300",
        "javaEnabled": true,
        "ip": "10.248.2.71"
    }
}'