NAV
Purchase
version 4
PHP Java

Create a purchase order

Examples are for Verotel FlexPay PHP client library

$brand = Verotel\FlexPay\Brand::create_from_merchant_id(/* Your customer ID */ '9804000000000000');

$flexpayClient = new Verotel\FlexPay\Client(/* shop ID */ 12345, "FlexPay Signature Key", $brand);

$purchaseUrl = $flexpayClient->get_purchase_URL([
    "priceAmount" => 2.64,
    "priceCurrency" => "EUR",
    "description" => "Test purchase",
]);

Examples are for FlexPay Java client library

FlexPayClient flexPayClient = new FlexPayClient(
    685478,                 // shop ID / website ID
    "d6dToIj2d6YJ1PX2D1W9", // FlexPay signatureKey
    Brand.YOURSAFE_DIRECT
);

URL purchaseUrl = flexPayClient.purchaseBuilder()
    .withAmount(BigDecimal.valueOf(14), SaleCurrency.EUR)
    .withDescription("Purchase of foo")
    .withPaymentMethod(PaymentMethod.IDEAL)
    .withEmail("example@example.com")
    .withDeclineURL("http://example.com/declined")
    .withSuccessURL("http://example.com/back")
    .build();

FlexPay purchase call is used to redirect buyer to the Verotel Order Page in order to process the purchase sale.

HTTP request

Verotel
GET https://secure.verotel.com/startorder?

CardBilling
GET https://secure.billing.creditcard/startorder?

BitsafePay
GET https://secure.bitsafepay.com/startorder?

Bill
GET https://secure.bill.creditcard/startorder?

GayCharge
GET https://secure.gaycharge.com/startorder?

YoursafeDirect
GET https://secure.yoursafedirect.com/startorder?

Query parameters

Parameter Type Required Description
version Number mandatory version version of the FlexPay call, 4 for this version
shopID Number mandatory numerical ID of the website in the Verotel system
type String mandatory purchase
priceAmount Number mandatory priceAmount amount to be processed in nnn.nn format
priceCurrency String mandatory priceCurrency 3 char ISO code, must be one of the Sale currencies (USD EUR GBP AUD CAD CHF DKK NOK SEK)
NOTE: only EUR is can be used for DDEU payment method system
description String mandatory description of the product. Text is displayed on the order page - max 100 printable characters
paymentMethod String optional payment method, CC, YOURSAFE_DIRECT or, DDEU (if not set then buyers can choose from available payment methods)
NOTE: DDEU is available only in DE, AT, CH, BE, IT, NL, ES and FR

If oneClickToken is sent, the payment method must be set to CC.

When processing without Orderpage, IDEAL must be set.
referenceID String optional merchant's reference identifier. It must be unique if provided
custom1 String optional pass-through variable - max 255 printable characters
custom2 String optional pass-through variable - max 255 printable characters
custom3 String optional pass-through variable - max 255 printable characters
successURL String optional URL for redirect after successful transaction - max 255 characters. Defaults to success landing URL on the website.
declineURL String optional URL for redirect after declined transaction - max 255 characters. Defaults to decline landing URL on the website.
oneClickToken String optional the one-time oneClickToken from previous purchase
NOTE: oneClickToken is excluded from signature calculations
email String optional email of the buyer. If not set, it will be collected on the Order Page
NOTE: email is excluded from signature calculations (max 100 chars else it will be ignored)
signature String mandatory Signature calculation

Success redirect

After a successful transaction the buyer is redirected to one of these:

Parameter Type Description
shopID Number numerical ID of the website in the Verotel system
type String purchase
referenceID String merchant reference identifier. It must be unique if provided
saleID Number identifier of the sale in the Verotel system
priceAmount Number amount to be processed in nnn.nn format
priceCurrency String 3 char ISO code of the Sale currency
custom1 String pass-through variable - max 255 printable characters
custom2 String pass-through variable - max 255 printable characters
custom3 String pass-through variable - max 255 printable characters
paymentMethod String payment method, CC, YOURSAFE_DIRECT, DDEU
signature String Signature calculation

Postbacks

Examples are for Verotel FlexPay PHP client library

$brand = Verotel\FlexPay\Brand::create_from_merchant_id(/* Your customer ID */ '9804000000000000');

$flexpayClient = new Verotel\FlexPay\Client(/* shop ID */ 12345, "FlexPay Signature Key", $brand);

if (!$flexpayClient->validate_signature($_GET)){
    http_response_code(400);
    echo "ERROR - Invalid signature!";
    exit;
}

// handle correct postback
...

echo "OK";

Examples are for FlexPay Java client library


// pass GET params received in postback
Boolean paramsAreVerified = flexPayClient.validateSignature(Map.of(...));

After every sale or transaction based action a corresponding postback is sent to the registered Postback URL.

Postback data are sent as GET request.

Verifying postback

As a security measure postback have to be validated that it contains correctly computed Signature.

Responding to postback

Important: The Verotel system expects HTTP status code 200 and plain text "OK" response. The response must be returned within 30 seconds.

Success postback

The successful sale postback is sent to the website "Flexpay postback URL" immediately after the sale has been processed. The postback is sent only for successfully approved transactions. The data in the postback provide essential information about the sale. If more information is needed, for example billing address or email address of the buyer, the merchant should query the status page.

Important: The Verotel system expects HTTP status code 200 and plain text "OK" response. The response must be returned within 30 seconds.

Parameter Type Description
shopID Number numerical ID of the website in the Verotel system
type String purchase
referenceID String merchant reference identifier. It must be unique if provided
saleID Number identifier of the sale in the Verotel system
transactionID Number identifier of the transaction in the Verotel system (only avaible for postbacks version 2)
priceAmount Number amount to be processed in nnn.nn format
priceCurrency String 3 char ISO code of the Sale currency
custom1 String pass-through variable - max 255 printable characters
custom2 String pass-through variable - max 255 printable characters
custom3 String pass-through variable - max 255 printable characters
paymentMethod String payment method, CC, YOURSAFE_DIRECT, DDEU
oneClickToken String if the feature is enabled - oneClickToken valid for next purchase
signature String Signature calculation
truncatedPAN String Truncated (masked) payment instrument identification, e.g. card number
CCBrand String Only present if paid via Credit Card, represents the card brand, e.g. VISA

Credit postback

Credit postback call is sent to the merchant's postback URL when the sale transaction is credited by merchant, Verotel support or by system (e.g. when an automated refund is performed).

Parameter Type Description
shopID Number numerical ID of the website in the Verotel system
event String credit
referenceID String merchant reference identifier. It must be unique if provided
saleID Number identifier of the sale in the Verotel system
priceAmount Number amount of refunded transaction
priceCurrency String refunded transaction currency
transactionID Number transaction id of credit transaction
parentID Number transaction id of transaction which was credited
type String purchase
custom1 String pass-through variable - max 255 printable characters
custom2 String pass-through variable - max 255 printable characters
custom3 String pass-through variable - max 255 printable characters
signature String Signature calculation

Chargeback postback

Chargeback postback call is sent to the merchant's postback URL when sale transaction is chargebacked. This also blacklists the buyer.

Parameter Type Description
shopID Number numerical ID of the website in the Verotel system
event String chargeback
referenceID String merchant reference identifier. It must be unique if provided
saleID Number identifier of the sale in the Verotel system
priceAmount Number amount of chargebacked transaction
priceCurrency String chargebacked transaction currency
transactionID Number transaction id of credit transaction
parentID Number transaction id of transaction which was credited
type String purchase
custom1 String pass-through variable - max 255 printable characters
custom2 String pass-through variable - max 255 printable characters
custom3 String pass-through variable - max 255 printable characters
signature String Signature calculation

Status page request

Examples are for Verotel FlexPay PHP client library

Symfony\Component\Yaml\Yaml package used to parse status page. Packagist

$brand = Verotel\FlexPay\Brand::create_from_merchant_id(/* Your customer ID */ '9804000000000000');

$flexpayClient = new Verotel\FlexPay\Client(/* shop ID */ 12345, "FlexPay Signature Key", $brand);

$statusURL = $flexpayClient->get_status_URL(['saleID' => 123456]);

$statusPageData = Symfony\Component\Yaml\Yaml::parse(file_get_contents($statusURL));

// handle data fetched from status page

Examples are for FlexPay Java client library

URL statusUrl = flexPayClient.getStatusUrlBySale(1234);

A status of a sale made with a FlexPay API can be reviewed by querying the status page. Status page provides complete information about the sale, the buyer, and its status.

HTTP request

Verotel
GET https://secure.verotel.com/status/order?

CardBilling
GET https://secure.billing.creditcard/status/order?

BitsafePay
GET https://secure.bitsafepay.com/status/order?

Bill
GET https://secure.bill.creditcard/status/order?

GayCharge
GET https://secure.gaycharge.com/status/order?

YoursafeDirect
GET https://secure.yoursafedirect.com/status/order?

Query parameters

Parameter Type Description
version Number 4
shopID Number numerical ID of the website in the Verotel system
referenceID String Merchant's reference identifier if provided (referenceID OR saleID must be posted - NOT BOTH)
saleID Number Verotel saleID identifier (referenceID OR saleID must be posted - NOT BOTH)
signature String Signature calculation

Response

Parameter Description
response FOUND - purchase record found and returned
NOTFOUND - purchase not found
ERROR - error (see 'error' key)
error message (for response=ERROR)
saleID identifier of the transaction in Verotel System
shopID ID of website in Verotel system
paymentMethod an identifier of payment method that was used for the transaction.
Can be one of following: Credit Card or Direct Debit EU
priceAmount amount processed. in nnn.nn formatt
priceCurrency 3 char ISO code of the Sale currency
description Product description text - max 100 printable characters
referenceID Merchant reference identifier - max 100 printable characters
name name of the buyer
email email address of the buyer
country selected or detected country ISO code (ISO 3166-1-alpha-2 code)
oneClickToken If the feature is enabled - Currently valid oneClickToken
createdOn Timestamp of purchase creation
saleResult purchase processing result (APPROVED)
billingAddr_fullName billing address: full name field value
billingAddr_company billing address: company field value
billingAddr_addressLine1 billing address: 1st line field value
billingAddr_addressLine2 billing address: 2nd line field value
billingAddr_city billing address: city name
billingAddr_zip billing address: zip code / postal code
billingAddr_state billing address: US state code (ISO 3166-2)
billingAddr_country billing address: country ISO code (ISO 3166-1-alpha-2 code)

One Click Purchase

The One Click functionality allows buyers to pay instantly without any type of confirmation. The instant One Click will try to charge their previously saved credit card without the need to re-enter the CVV code or any other additional information. This allows the FlexPay purchase sales to be processed quickly without distracting the buyer unnecessarily.

Security

The One Click functionality has been designed to be as secure as possible to minimize any risks of misuse and to protect both merchants and buyers alike. The same fraud prevention measures apply as per standard Order Page interactions.

Enabling the One Click

The One Click feature is disabled by default and is a subject of approval by Verotel. Please contact merchantsupport@verotel.com to enquire. This document assumes the feature is enabled.

Limitations

Interaction

Initial sale

In order to charge the buyer again with One Click the "oneClickToken" is required.

The token is generated with the first successful sale (normal FlexPay purchase sale with full Order Page interaction initiated by "purchase order" request) when the buyer chooses to "Remember my card for future purchases".

The Successful sale postback returns the "oneClickToken" to merchant’s system.

One Click sale

Examples are for Verotel FlexPay PHP client library

$brand = Verotel\FlexPay\Brand::create_from_merchant_id(/* Your customer ID */ '9804000000000000');

$flexpayClient = new Verotel\FlexPay\Client(/* shop ID */ 12345, "FlexPay Signature Key", $brand);

$purchaseUrl = $flexpayClient->get_purchase_URL([
    "priceAmount" => 2.64,
    "priceCurrency" => "EUR",
    "description" => "Test purchase",
    "oneClickToken" => "1FD5F342-48DB-11E6-B445-A19150BFB283"
]);

Examples are for FlexPay Java client library

URL purchaseUrl = flexPayClient.purchaseBuilder()
    .withAmount(BigDecimal.valueOf(14), SaleCurrency.EUR)
    .withDescription("Purchase of foo")
    .withPaymentMethod(PaymentMethod.IDEAL)
    .withEmail("example@example.com")
    .withDeclineURL("http://example.com/declined")
    .withSuccessURL("http://example.com/back")
    .withOneClickToken("foo-token")
    .build();

To perform a One Click sale, the currently active token has to be included in the next "purchase order" request.

If the token is valid, the "purchase order" request is processed without any further buyer interaction.

If the order is approved, the buyer receives a standard receipt email, an approval page is displayed and the buyer is redirected to one of these:

The new valid "oneClickToken" is passed with the Successful sale postback call to the merchant’s system for use in the next sale.

Validity of the oneClickToken

  1. The "oneClickToken" can be only be used once. It is invalidated in case the transaction is either approved or declined.

This means that the merchant’s system has to manage storage and update the active tokens for users upon receiving Successful sale postback calls but also in case of declines. A user can be identified by e.g. custom1-3 fields or referenceID passed by the merchant’s system in the "purchase order" request and returned in the Successful sale postback.

  1. The "oneClickToken" expires automatically after 30 days. The buyer will need to enter CVV code to generate a new one and to resume the One Click functionality.

  2. The "oneClickToken" is linked to a website and to the buyer’s remembered card information stored in the form of a cookie in the browser.

This means that:

Signature calculation

Examples are for Verotel FlexPay PHP client library

$brand = Verotel\FlexPay\Brand::create_from_merchant_id(/* Your customer ID */ '9804000000000000');

$flexpayClient = new Verotel\FlexPay\Client(/* shop ID */ 12345, "FlexPay Signature Key", $brand);

$computed_signature = $flexpayClient->get_signature([
    'description' => 'Super video download',
    'priceAmount' => '9.99',
    'priceCurrency' => 'USD',
    'shopID' => 12345,
    'version' => 4,
]);

Examples are for FlexPay Java client library

String computedSignature = flexpayClient.getSignature(Map.of(
    "description", "Super video download",
    "priceAmount", "9.99",
    "priceCurrency", "USD",
    "shopID", 12345,
    "version", 4
));

If you are using one of our client libraries, signature calculation is handled by the library.

The signature used in FlexPay requests and postbacks is calculated as SHA-256 hash (hexadecimal output) from the request parameters.

The first parameter has to be your signatureKey, followed by the parameters ordered alphabetically by their names.

Optional arguments that are used (have value) must be contained in the signature calculation. Optional arguments that are not used must not be contained in the signature calculation.

The email parameter in "startorder" request is not included in the signature calculations.

It is mandatory to convert arguments values into UTF-8 before computing the signature.

e.g.

signature = sha256_hex( signatureKey + ":description=" + description + ":period=" + period + ":priceAmount=" + priceAmount + ":priceCurrency=" + priceCurrency + ":referenceID=" + referenceID + ":shopID=" + shopID + ":subscriptionType=" + subscriptionType + ":type=" + type + ":version=" + version )

Example calculation

Parameter Value
(signatureKey) BddJxtUBkDgFB9kj7Zwguxde4gAqha
description Super video download
priceAmount 9.99
priceCurrency USD
custom1 xxyyzz
shopID 64233
type purchase
version 4

Signature calculation using the values above

signature = sha256_hex(BddJxtUBkDgFB9kj7Zwguxde4gAqha:custom1=xxyyzz:description=Super video download:priceAmount=9.99:priceCurrency=USD:shopID=64233:type=purchase:version=4) => ccaf2357fe330654322a1b0f3f92984b3fe2a1462d6fc5082650a00c5ada2f2a

The FlexPay purchase request then is

https://secure.verotel.com/startorder?custom1=xxyyzz&description=Super+video+download&priceAmount=9.99&priceCurrency=USD&shopID=64233&type=purchase&version=4&signature=ccaf2357fe330654322a1b0f3f92984b3fe2a1462d6fc5082650a00c5ada2f2a

Payment processor

Processor name Allowed payment method Base URL
Verotel CC DDEU https://secure.verotel.com/
CardBilling CC https://secure.billing.creditcard/
BitsafePay CC DDEU https://secure.bitsafepay.com/
Bill CC DDEU https://secure.bill.creditcard/
GayCharge CC DDEU https://secure.gaycharge.com/
YoursafeDirect DDEU YOURSAFE_DIRECT https://secure.yoursafedirect.com/