Save Card BIN Info API

The Save Card BIN API () helps you determine whether CVV needs to be collected from your customers and validated or not be collected for saved card transactions.

HTTP Method: POST

Environment


Test Environment	https://test.payu.in/issuing-bank/v1/bin
Production Environment	https://info.payu.in/issuing-bank/v1/bin

Request headers

The request header contains the following fields:

Field	Description	Example
Date mandatory	The date and time should be in the GMT time conversion(not the IST). For example, current time in India is 18:00:00 IST, the time in the date header should be 12:30:00 GMT.	Thu, 17 Feb 2022 08:17:59 GMT
Digest mandatory	Base 64 encode of (sha256 hash of the JSON data (post to server).	`vpGay5D/dmfoDupALPplYGucJAln9gS29g5Orn+8TC0=`
Authorization mandatory	This field is in the following format: `hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="CkGfgbho69uTMMOGU0mHWf+1CUAlIp3AjvsON9n9/E4="` Where the above format includes the following: - username: The merchant key of the merchant. - algorithm: This must have the value as hmac-sha256 that is used for this API - headers: This must have the value as date digest - signature: This must contain the hmacsha256 of (signing_string, merchant_secret), where: - signing_string: This is in the "Date"+"\n"+"Digest" format. Here, the Date and Digest is the same values in the fields listed in this table For example, "Thu, 17 Feb 2022 08:17:59 GMT""\n"+“vpGay5D/dmfoDupALPplYGucJAln9gS29g5Orn+8TC0=“ - merchant_secret: The merchant Salt of the merchant. For more information on getting the merchant Salt, refer to Generate Merchant Key and Salt on PayU Dashboard	hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="zGmP5Zeqm1pxNa+d68DWfQFXhxoqf3st353SkYvX8HI="

The following sample Java code contains the logic used to encrypt as described in the above table:

import com.google.gson.Gson;
import com.google.gson.JsonObject;
import org.apache.commons.codec.binary.Base64;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HmacAuth {

    public static String getSha256(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes());
            return Base64.encodeBase64String(digest);
        } catch (NoSuchAlgorithmException ignored) {}
        return null;
    }

    public static JsonObject getRequestBody(){
        JsonObject requestJson = new JsonObject();
        requestJson.addProperty("firstname","John");
        requestJson.addProperty("lastname","Doe");
        return requestJson;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException {
        String key = "smsplus";
        String secret = "admin";
        Gson gson = new Gson();
        String date = DateTimeFormat.forPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'").withZoneUTC().print(new DateTime());
        System.out.println(date);
        JsonObject requestJson = getRequestBody();
        String digest = getSha256(gson.toJson(requestJson));
        System.out.println(digest);
        String signingString = new StringBuilder()
            .append("date: " + date)
            .append("\ndigest: " + digest).toString();
        Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
        sha256_HMAC.init(secret_key);
        String signature = Base64.encodeBase64String(sha256_HMAC.doFinal(signingString.getBytes()));
        String authorization = new StringBuilder()
            .append("hmac username=\"")
            .append(key)
            .append("\", algorithm=\"hmac-sha256\", headers=\"date digest\", signature=\"")
            .append(signature)
            .append("\"").toString();
        System.out.println(authorization);
    }
}

Request parameters

In addition to the Request Headers listed above, the data parameter is posted with the following fields are posted in an array:

Field	Description
bin	`String` The Network Token BIN or the first 9-digits of the network token is posted in this parameter.
checkCVVRequired	`Boolean` This parameter may contain any of the following: - True: Request the API to check if card CVV must be checked for the saved card transaction so that merchant need to validate the CVV accordingly. - False: Request the API not to check if card CVV need to be checked for the saved card transaction

Sample request

curl --location 'https://info.payu.in/issuing-bank/v1/bin' \
--header 'Content-Type: application/json' \
--header 'Date: Thu, 01 Jun 2023 06:59:03 GMT' \
--header 'Digest: sYxiEFksDG+h+sB11nonf9ry31aKynEJ/Hmxwc6M3pM=' \
--header 'Authorization: hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="F8D2PW2/Q2VF7FZKiY3RKJ6+1HU5OH8/HkxvitghvP4="' \
--header 'Cookie: PHPSESSID=lf33il1bio9scn7cars1hqsf05; PHPSESSID=o7bbf6gbociqmroctldtslkc21' \
--header 'mid: 2' \
--data '{
    "bin": "512345789",
    "checkCVVRequired": true
}'

Response parameters

The response involves the following parameters and the result parameter contains the offer results:

Parameter	Description	Example
code	This parameter returns the status of web service call. The status can be any of the following: 0: If web service call failed. 1 : If web service call succeeded.	200
result	`JSON Object` This parameter gives the information about the result of the API response in a JSON format. For more information, refer to the result Field JSON Details subsection.	Refer to the result Field JSON Details subsection.

result parameter JSON details

The result parameter contains the result in a JSON format and the fields in the JSON are described in the following table:

Field	Description	Example
status	This parameter returns the status of card. The status can be any of the following:	1
category	This field contains the card category of the card.	debitcard
bin	`Integer` This field contains the first 9-digits of the card or Network Token.	512345789
cvvLessSupported	This field contains any of the following values: - true: The card does not require CVV validation - false : The card requires CVV validation.	true
is_domestic	`Boolean` This field contains any of the following values: - true: The card is domestic card - false : The card is an international card or issued outside India	true
card_type	This field contains the card type or the card network.	VISA
issuing_bank	This field contains the card issuing bank.	HDFC
otp_on_fly	This field contains any of the following values: - true: The OTP needs to be entered by the customer when redirected - false : The customer need not enter the OTP to validate the card	false
is_atmpin_card	This field contains any of the following values: - 0: The card is not an ATM card - 1: The card is an ATM card	0

Sample response

Success scenario

{    
 "message": "Success",    
 "status": 1,    
 "result": 
 {        
   "status": 0,      
   "category": "debitcard",        
   "bin": "401151",        
   "cvvLessSupported": false,        
   "is_domestic": true,        
   "card_type": "VISA",        
   "issuing_bank": "HDFC",        
   "otp_on_fly": true,        
   "is_atmpin_card": 1    
  }
}