Save Card BIN Info API

The Save Card BIN API () helps you determine whether CVV needs to be collected from your customers and validated or not be collected for saved card transactions.



Request headers

The request header contains the following fields:

The date and time should be in the GMT time conversion(not the IST). For example, current time in India is 18:00:00 IST, the time in the date header should be 12:30:00 GMT.Thu, 17 Feb 2022 08:17:59 GMT
Base 64 encode of (sha256 hash of the JSON data (post to server).vpGay5D/dmfoDupALPplYGucJAln9gS29g5Orn+8TC0=
This field is in the following format:
hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="CkGfgbho69uTMMOGU0mHWf+1CUAlIp3AjvsON9n9/E4="
Where the above format includes the following:
- username: The merchant key of the merchant.
- algorithm: This must have the value as hmac-sha256 that is used for this API
- headers: This must have the value as date digest
- signature: This must contain the hmacsha256 of (signing_string, merchant_secret), where:
- signing_string: This is in the "Date"+"\n"+"Digest" format. Here, the Date and Digest is the same values in the fields listed in this table For example, "Thu, 17 Feb 2022 08:17:59 GMT""\n"+“vpGay5D/dmfoDupALPplYGucJAln9gS29g5Orn+8TC0=“
- merchant_secret: The merchant Salt of the merchant. For more information on getting the merchant Salt, refer to Generate Merchant Key and Salt on PayU Dashboard
 hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="zGmP5Zeqm1pxNa+d68DWfQFXhxoqf3st353SkYvX8HI="
This field contains the platform ID and include the value as 1.1

The following sample Java code contains the logic used to encrypt as described in the above table:

import org.apache.commons.codec.binary.Base64;
import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacAuth {

    public static String getSha256(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes());
            return Base64.encodeBase64String(digest);
        } catch (NoSuchAlgorithmException ignored) {}
        return null;

    public static JsonObject getRequestBody(){
        JsonObject requestJson = new JsonObject();
        return requestJson;

    public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException {
        String key = "smsplus";
        String secret = "admin";
        Gson gson = new Gson();
        String date = DateTimeFormat.forPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'").withZoneUTC().print(new DateTime());
        JsonObject requestJson = getRequestBody();
        String digest = getSha256(gson.toJson(requestJson));
        String signingString = new StringBuilder()
            .append("date: " + date)
            .append("\ndigest: " + digest).toString();
        Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
        SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
        String signature = Base64.encodeBase64String(sha256_HMAC.doFinal(signingString.getBytes()));
        String authorization = new StringBuilder()
            .append("hmac username=\"")
            .append("\", algorithm=\"hmac-sha256\", headers=\"date digest\", signature=\"")

Request parameters

In addition to the Request Headers listed above, the data parameter is posted with the following fields are posted in an array:

binString The Network Token BIN or the first 9-digits of the network token is posted in this parameter.
checkCVVRequiredBoolean This parameter may contain any of the following:
- True: Request the API to check if card CVV must be checked for the saved card transaction so that merchant need to validate the CVV accordingly.
- False: Request the API not to check if card CVV need to be checked for the saved card transaction

Sample request

curl --location '' \
--header 'Content-Type: application/json' \
--header 'Date: Thu, 01 Jun 2023 06:59:03 GMT' \
--header 'Digest: sYxiEFksDG+h+sB11nonf9ry31aKynEJ/Hmxwc6M3pM=' \
--header 'Authorization: hmac username="smsplus", algorithm="hmac-sha256", headers="date digest", signature="F8D2PW2/Q2VF7FZKiY3RKJ6+1HU5OH8/HkxvitghvP4="' \
--header 'Cookie: PHPSESSID=lf33il1bio9scn7cars1hqsf05; PHPSESSID=o7bbf6gbociqmroctldtslkc21' \
--header 'mid: 2' \
--data '{
    "bin": "512345789",
    "checkCVVRequired": true

Response parameters

The response involves the following parameters and the result parameter contains the offer results:

codeThis parameter returns the status of web service call. The status can be any of the following:
0: If web service call failed.
1 : If web service call succeeded.
resultJSON Object This parameter gives the information about the result of the API response in a JSON format. For more information, refer to the result Field JSON Details subsection.Refer to the result Field JSON Details subsection.

result parameter JSON details

The result parameter contains the result in a JSON format and the fields in the JSON are described in the following table:

statusThis parameter returns the status of card. The status can be any of the following:1
categoryThis field contains the card category of the card.debitcard
binInteger This field contains the first 9-digits of the card or Network Token.512345789
cvvLessSupportedThis field contains any of the following values:
- true: The card does not require CVV validation
- false : The card requires CVV validation.
is_domesticBoolean This field contains any of the following values:
- true: The card is domestic card
- false : The card is an international card or issued outside India
card_typeThis field contains the card type or the card network.VISA
issuing_bankThis field contains the card issuing bank.HDFC
otp_on_flyThis field contains any of the following values:
- true: The OTP needs to be entered by the customer when redirected
- false : The customer need not enter the OTP to validate the card
is_atmpin_cardThis field contains any of the following values:
- 0: The card is not an ATM card
- 1: The card is an ATM card

Sample response

Success scenario

 "message": "Success",    
 "status": 1,    
   "status": 0,      
   "category": "debitcard",        
   "bin": "401151",        
   "cvvLessSupported": false,        
   "is_domestic": true,        
   "card_type": "VISA",        
   "issuing_bank": "HDFC",        
   "otp_on_fly": true,        
   "is_atmpin_card": 1