Classic Integration for Cards
This is server-to-server integration over the Redirect experience for cards involves the following steps:
1. Initiate payment request with PayU
Create and send a payment request to PayU with all required parameters including merchant details and transaction information
2. Redirect the customer
Redirect the customer to PayU's payment page to complete the transaction securely
3. Check response from PayU
Handle the response from PayU after the customer completes or cancels the payment
4. Verify the payment
Verify the payment status using PayU's verification API and implement webhook monitoring
Step 1: Initiate payment request with PayU
The merchant initiates PayU with the required transaction mandatory or optional parameters. This needs to be a server-to-server cURL call request. URL, parameters, and descriptions. For more information, refer to Cards Classic Integration. Collect the response in the Cards Classic Integration under API Reference. The response for the S2S payment request is not similar to Merchant Hosted or PayU Hosted Checkout. For description of response parameters, refer to Additional Info for Payment APIs.
Environment
| Test Environment | https://test.payu.in/_payment |
| Production Environment | https://secure.payu.in/_payment |
Request parameters
| Parameter | Description | Example |
|---|---|---|
key mandatory | String Merchant key provided by PayU during onboarding. | |
txnid mandatory | String The transaction ID is a reference number for a specific order that is generated by the merchant. | |
amount mandatory | String The payment amount for the transaction. | |
productinfo mandatory | String A brief description of the product. | |
firstname mandatory | String The first name of the customer. | Ashish |
email mandatory | String The email address of the customer. | |
phone mandatory | String The phone number of the customer. | |
pg mandatory | String The pg parameter determines which payment tabs will be displayed on the PayU page. For cards, 'CC' will be the value. | CC |
bankcode mandatory | String Each payment option is identified with a unique bank code at PayU. The merchant must post this parameter with the corresponding payment option's bank code value. | AMEX |
ccnum mandatory | String Use 13-19 digit card number for credit/debit cards (15 digits for AMEX, 13-19 for Maestro) and validate with LUHN algorithm. | 5123456789012346 |
ccname mandatory | String This parameter must contain the name on card – as entered by the customer for the transaction. | Ashish Kumar |
ccvv mandatory | String Use 3-digit CVV number for credit/debit cards and 4-digit security code (4DBC/CID) for AMEX cards. | 123 |
ccexpmon mandatory | String This parameter must contain the card's expiry month in MM format. For months 1-9, append with 0 (01, 02...09). | 10 |
ccexpyr mandatory | String This parameter must contain the card's expiry year in four digits. | 2021 |
furl mandatory | String The success URL, which is the page PayU will redirect to if the transaction is successful. | |
surl mandatory | String The failure URL, which is the page PayU will redirect to if the transaction fails. | |
hash mandatory | String Hash calculated by merchant using sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT) | |
txn_s2s_flow mandatory | String Must be passed with value 4 for Legacy Decoupled flow or 3 for Direct Authorization. | |
s2s_client_ip mandatory | String The source IP of the customer. | |
s2s_device_info mandatory | String The customer agent's device information. | |
address1 optional | String The first line of the billing address. For fraud detection purposes. | |
address2 optional | String The second line of the billing address. | |
city optional | String The city where your customer resides as part of the billing address. | |
state optional | String The state where your customer resides as part of the billing address. | |
country optional | String The country where your customer resides. | |
zipcode optional | String Billing address zip code (mandatory for cardless EMI). Character limit: 20. | |
udf1 optional | String User-defined field for storing transaction information. | |
udf2 optional | String User-defined field for storing transaction information. | |
udf3 optional | String User-defined field for storing transaction information. | |
udf4 optional | String User-defined field for storing transaction information. | |
udf5 optional | String User-defined field for storing transaction information. |
Understanding Hashing and sample code
Hashing
You must hash the request parameters using the following hash logic:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)For more information, refer to Generate Hash.
Hashing Sample Code
<?php
function generateHash($params, $salt) {
// Extract parameters or use empty string if not provided
$key = $params['key'];
$txnid = $params['txnid'];
$amount = $params['amount'];
$productinfo = $params['productinfo'];
$firstname = $params['firstname'];
$email = $params['email'];
$udf1 = isset($params['udf1']) ? $params['udf1'] : '';
$udf2 = isset($params['udf2']) ? $params['udf2'] : '';
$udf3 = isset($params['udf3']) ? $params['udf3'] : '';
$udf4 = isset($params['udf4']) ? $params['udf4'] : '';
$udf5 = isset($params['udf5']) ? $params['udf5'] : '';
// Construct hash string with exact parameter sequence
$hashString = $key . '|' . $txnid . '|' . $amount . '|' . $productinfo . '|' .
$firstname . '|' . $email . '|' . $udf1 . '|' . $udf2 . '|' .
$udf3 . '|' . $udf4 . '|' . $udf5 . '||||||' . $salt;
// Generate hash and convert to lowercase
return strtolower(hash('sha512', $hashString));
}
// Example usage
$params = [
'key' => 'yourKey',
'txnid' => 'yourTxnId',
'amount' => 'yourAmount',
'productinfo' => 'yourProductInfo',
'firstname' => 'yourFirstName',
'email' => 'yourEmail',
'udf1' => 'optional_value1'
// udf2, udf3, udf4, udf5 not provided - will be empty strings
];
$salt = 'yourSalt';
$hash = generateHash($params, $salt);
echo 'Generated Hash: ' . $hash;
?>
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
public class ImprovedHashGenerator {
public static String generateHash(Map<String, String> params, String salt) {
// Extract parameters or use empty string if not provided
String key = params.get("key");
String txnid = params.get("txnid");
String amount = params.get("amount");
String productinfo = params.get("productinfo");
String firstname = params.get("firstname");
String email = params.get("email");
String udf1 = params.getOrDefault("udf1", "");
String udf2 = params.getOrDefault("udf2", "");
String udf3 = params.getOrDefault("udf3", "");
String udf4 = params.getOrDefault("udf4", "");
String udf5 = params.getOrDefault("udf5", "");
// Construct hash string with exact parameter sequence
String hashString = key + "|" + txnid + "|" + amount + "|" + productinfo + "|" +
firstname + "|" + email + "|" + udf1 + "|" + udf2 + "|" +
udf3 + "|" + udf4 + "|" + udf5 + "||||||" + salt;
return sha512(hashString);
}
private static String sha512(String input) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] hashBytes = md.digest(input.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (byte b : hashBytes) {
sb.append(String.format("%02x", b));
}
return sb.toString().toLowerCase();
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
public static void main(String[] args) {
// Example usage with parameters map
Map<String, String> params = new HashMap<>();
params.put("key", "yourKey");
params.put("txnid", "yourTxnId");
params.put("amount", "yourAmount");
params.put("productinfo", "yourProductInfo");
params.put("firstname", "yourFirstName");
params.put("email", "yourEmail");
params.put("udf1", "optional_value1");
// udf2, udf3, udf4, udf5 not provided - will be empty strings
String salt = "yourSalt";
String hash = generateHash(params, salt);
System.out.println("Generated Hash: " + hash);
}
}
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
public class ImprovedHashGenerator
{
public static string GenerateHash(Dictionary<string, string> parameters, string salt)
{
// Extract parameters or use empty string if not provided
string key = parameters["key"];
string txnid = parameters["txnid"];
string amount = parameters["amount"];
string productinfo = parameters["productinfo"];
string firstname = parameters["firstname"];
string email = parameters["email"];
// Get UDF values if present, otherwise use empty string
string udf1 = parameters.ContainsKey("udf1") ? parameters["udf1"] : "";
string udf2 = parameters.ContainsKey("udf2") ? parameters["udf2"] : "";
string udf3 = parameters.ContainsKey("udf3") ? parameters["udf3"] : "";
string udf4 = parameters.ContainsKey("udf4") ? parameters["udf4"] : "";
string udf5 = parameters.ContainsKey("udf5") ? parameters["udf5"] : "";
// Construct hash string with exact parameter sequence
string hashString = $"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}";
return Sha512(hashString);
}
private static string Sha512(string input)
{
using (SHA512 sha512 = SHA512.Create())
{
byte[] bytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(input));
StringBuilder sb = new StringBuilder();
foreach (byte b in bytes)
{
sb.Append(b.ToString("x2"));
}
return sb.ToString().ToLower();
}
}
public static void Main(string[] args)
{
// Example usage with parameters dictionary
Dictionary<string, string> parameters = new Dictionary<string, string>
{
["key"] = "yourKey",
["txnid"] = "yourTxnId",
["amount"] = "yourAmount",
["productinfo"] = "yourProductInfo",
["firstname"] = "yourFirstName",
["email"] = "yourEmail",
["udf1"] = "optional_value1"
// udf2, udf3, udf4, udf5 not provided - will be empty strings
};
string salt = "yourSalt";
string hash = GenerateHash(parameters, salt);
Console.WriteLine("Generated Hash: " + hash);
}
}import hashlib
def generate_hash(params, salt):
# Extract parameters or use empty string if not provided
key = params['key']
txnid = params['txnid']
amount = params['amount']
productinfo = params['productinfo']
firstname = params['firstname']
email = params['email']
udf1 = params.get('udf1', '')
udf2 = params.get('udf2', '')
udf3 = params.get('udf3', '')
udf4 = params.get('udf4', '')
udf5 = params.get('udf5', '')
# Construct hash string with exact parameter sequence
hash_string = f"{key}|{txnid}|{amount}|{productinfo}|{firstname}|{email}|{udf1}|{udf2}|{udf3}|{udf4}|{udf5}||||||{salt}"
# Generate SHA-512 hash
return hashlib.sha512(hash_string.encode('utf-8')).hexdigest()
# Example usage
params = {
'key': 'yourKey',
'txnid': 'yourTxnId',
'amount': 'yourAmount',
'productinfo': 'yourProductInfo',
'firstname': 'yourFirstName',
'email': 'yourEmail',
'udf1': 'optional_value1'
# udf2, udf3, udf4, udf5 not provided - will default to empty strings
}
salt = 'yourSalt'
hash_value = generate_hash(params, salt)
print("Generated Hash:", hash_value)
const crypto = require('crypto');
function generateHash(params, salt) {
// Extract parameters or use empty string if not provided
const key = params.key;
const txnid = params.txnid;
const amount = params.amount;
const productinfo = params.productinfo;
const firstname = params.firstname;
const email = params.email;
const udf1 = params.udf1 || '';
const udf2 = params.udf2 || '';
const udf3 = params.udf3 || '';
const udf4 = params.udf4 || '';
const udf5 = params.udf5 || '';
// Construct hash string with exact parameter sequence
const hashString = `${key}|${txnid}|${amount}|${productinfo}|${firstname}|${email}|${udf1}|${udf2}|${udf3}|${udf4}|${udf5}||||||${salt}`;
// Generate SHA-512 hash
return crypto.createHash('sha512').update(hashString).digest('hex');
}
// Example usage
const params = {
key: 'yourKey',
txnid: 'yourTxnId',
amount: 'yourAmount',
productinfo: 'yourProductInfo',
firstname: 'yourFirstName',
email: 'yourEmail',
udf1: 'optional_value1'
// udf2, udf3, udf4, udf5 not provided - will default to empty strings
};
const salt = 'yourSalt';
const hash = generateHash(params, salt);
console.log("Generated Hash:", hash);
Sample request
curl --location \
--request \
POST 'https://secure.payu.in/_payment' --header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: PHPSESSID=mj185cifujktpv1igu9tmuoaal; PAYUID=eac5648ac59712238883a78e71f35717; PHPSESSID=638b1b5173542' \
--data \
-urlencode 'hash=d89e7d88863617baf01e504c50aa58e94d6ff3371c2ed409ca1f139cfee75d67e85ce7e91c4224790b6cc1b59bb149fc98b0272e27b335225a9d288a34290e42' --data \
-urlencode 'key=s*****s' --data \
-urlencode 'txnid=payuTestTransaction3818940' --data \
-urlencode 'amount=1.0' --data \
-urlencode 'firstname=Ashish' --data \
-urlencode '[email protected]' --data \
-urlencode 'phone=9988776655' --data \
-urlencode 'productinfo=Product Info' --data \
-urlencode 'surl=https://admin.payu.in/test_response' --data \
-urlencode 'furl=https://admin.payu.in/test_response' --data \
-urlencode 'notifyurl=https://admin.payu.in/test_response' --data \
-urlencode 'codurl=https://admin.payu.in/test_response' --data \
-urlencode 'ipurl=https://admin.payu.in/test_response' --data \
-urlencode 'lastname=' --data \
-urlencode 'udf1=' --data \
-urlencode 'udf2=' --data \
-urlencode 'udf3=' --data \
-urlencode 'udf4=' --data \
-urlencode 'udf5=' --data \
-urlencode 'pg=CC' --data \
-urlencode 'bankcode=DC' --data \
-urlencode 'ccnum=XXXXXXXXXXX8811' --data \
-urlencode 'ccname=Ashish' --data \
-urlencode 'ccvv=XXX' --data \
-urlencode 'ccexpmon=12' --data \
-urlencode 'ccexpyr=2023' --data \
-urlencode 'txn_s2s_flow=4' --data \
-urlencode 'authentication_flow=REDIRECT' Sample response
{
"metaData": {
"message": null,
"referenceId": "a74a67e965537b0f817e925e45321194",
"statusCode": null,
"txnId": "payuTestTransaction3818940",
"txnStatus": "Enrolled",
"unmappedStatus": "pending"
},
"result": {
"otpPostUrl": "",
"acsTemplate": "PGh0bWw+PGJvZHk+PGZvcm0gbmFtZT0icGF5bWVudF9wb3N0IiBpZD0icGF5bWVudF9wb3N0IiBhY3Rpb249Imh0dHBzOi8vYWNzLmZzc25ldC5jby5pbi9hY3NhdXRoc2VydmVyL1VCSS9WL3BhcmVxLmh0bSIgbWV0aG9kPSJwb3N0Ij48aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJQYVJlcSIgdmFsdWU9ImVKeFVVdUZ1c2pBVWZSWGpBOUNXaWdaemJjTEViR1JEaVp2NWZuZHdveVFDV3NwRW4zNnRnTzRqSWJubjlIQTRQUzE4SFJSaStJbHBvMUJBakhVdDl6aktzOFdZY3NyWnpQVTVHd3RJZ2kyZUJmeWdxdk9xRk15aGpndGtnT1k3bFI1a3FRWEk5UHdTcmNXRVRiazdCZEpES0ZCRm9lQitzcVBkWTh3NWtJNkdVaFlvRW5uZGpWNGJ0WmRWQ2VST1FWbzFwVlpYd1Qzak5RQm8xRkVjdEQ3TkNibGNMbzdHV2hkOUFDZXRDZ0xFK29BOFV5V05uV3JqMk9hWmlKYkIvdkdHd1MwTzQzWjlpN3o0dGxvQXNRcklwRWJoVXRkbEx1VWo2czhuc3ptblFPNDh5TUpHRWR2YVlRNHpiSS9oWkg4VGRJRFpoYjhFbUlvVmx1bXdtd0VCdHFlcVJLTXdqVDVtSU0vTXl6ZmJhNnBOVlZQNTdudmZiWVBOZXZZdnE0cGp2ZHA4S085cnRiSFJlNUYxekUxUkxtZWRwUVZBckEzcEQ5SjBjejlwTS8xM0EzNEJBQUQvL3dYQWdRQUFBQUFBa1A5ckFHTkhyZkk9Ij48aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJUZXJtVXJsIiB2YWx1ZT0iaHR0cHM6Ly9zZWN1cmUucGF5dS5pbi83OGIxN2YyZWJkYmUyNjgwNjMzNDY3NzA0MjAzMzgyYS9Db21tb25QZ1Jlc3BvbnNlSGFuZGxlci5waHAiPjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Ik1EIiB2YWx1ZT0iMDMwMzE3MzA1NSI+PC9mb3JtPjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0Jz4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5vbmxvYWQ9ZnVuY3Rpb24oKXsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkb2N1bWVudC5mb3Jtc1sncGF5bWVudF9wb3N0J10uc3VibWl0KCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgICAgIDwvc2NyaXB0PjwvYm9keT48L2h0bWw+"
},
"binData": {
"pureS2SSupported": false,
"issuingBank": "UBI",
"category": "debitcard",
"cardType": "VISA",
"isDomestic": true
}
}
Step 2: Redirect the customer
Redirect the customer to the bank page using the acsTemplate as received in Step 1.
Step 3: Check response from PayU
This will be a call back on the URL provided by you.
Hash validation logic for payment response (Reverse Hashing)
While sending the response, PayU takes the exact same parameters that were sent in the request (in reverse order) to calculate the hash and returns it to you. You must verify the hash and then mark a transaction as a success or failure. This is to make sure the transaction has not tampered within the response.
The order of the parameters is similar to the following code block:
sha512(SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key)Response parameters
The parameters in the response for similar for all the S2S flows. For more information, refer to Classic Integrationfor response and Additional Info for Payment APIs for response parameter description.
Sample response
{
"mihpayid" : "403993715524046125"
"mode" : "DC"
"status" : "success"
"unmappedstatus" : "captured"
"key" : "smsplus"
"txnid" : "payuTestTransaction5700849"
"amount" : "1.00"
"cardCategory" : "domestic"
"discount" : "0.00"
"net_amount_debit" : "1.00"
"addedon" : "2022-12-03 15:03:08"
"productinfo" : "Product Info"
"firstname" : "Ashish"
"lastname" : ""
"address1" : ""
"address2" : ""
"city" : ""
"state" : ""
"country" : ""
"zipcode" : ""
"email" : "[email protected]"
"phone" : "9876543210"
"udf1" : ""
"udf2" : ""
"udf3" : ""
"udf4" : ""
"udf5" : ""
"udf6" : ""
"udf7" : ""
"udf8" : ""
"udf9" : ""
"udf10" : ""
"hash" : "6586bb33ed936d07f866cfeb42b9af99e9408270bd31c722ab3a11e61f6b6581cee3cd4f1b8b4aec3a6695c764e5cd76597832735e1e924f2ac0defbd6b3b68f"
"field1" : ""
"field2" : ""
"field3" : ""
"field4" : ""
"field5" : ""
"field6" : ""
"field7" : "AUTHPOSITIVE"
"field8" : ""
"field9" : "Success Transaction"
"payment_source" : "payuS2S"
"PG_TYPE" : "DC-PG"
"bank_ref_num" :
"bankcode" : "VISA"
"error" : "E000"
"error_Message" : "success"
"cardnum" : XXXXXXXXXXXX8811
"cardhash" : "This field is no longer supported in postback params."
"issuing_bank" : "UBI"
"card_type" : "VISA"
}Step 4. Verify the payment
Upon receiving the response, we recommend performing a reconciliation step to validate all transaction details.
You can verify your payments using either of the following methods:
Configure the webhooks to monitor the status of payments.
Webhooks enable a server to communicate with another server by sending an HTTP callback or message.
These callbacks are triggered by specific events or instances and operate at the server-to-server (S2S) level.
👉 For more details, refer to Webhooks for Payments.
Updated 14 days ago