-
Getting started
keyboard_arrow_down
Connect to the CCV Platform
Integrate our products into your software. Let's make payment happen together!
Look at all the possibilities
Integrate our products into your software. Let's make payment happen together!
Look at all the possibilitiesThe vault resource can be used to store sensitive data in our vault. This data is stored in an encrypted form. When storing something in the vault, through a process called Vault Enrollment, a Vault Access Token will be returned. The Vault Access Token is used to retrieve the stored information, and allows actions to be performed with the stored information through the VPOS API.
A Vault Access Token is obtained by performing an initial vault enrollment process. The enrollment can be achieved in two ways:
storeInVault field when performing a payment request (currently only supported for card payments).The vault enrollment process creates two transactions: a parent vault transaction and a child transaction. The parent vault transaction contains the Vault Access Token and a reference to the child transaction (childReferenceId). The child transaction is created to validate the sensitive information (e.g. for the card vault data type the child transaction is used to validate the card and authenticate the cardholder).
A vault transaction can only have 1 child transaction. When the child transaction reaches a final transaction status such as success or manualintervention, the vault (parent) transaction will be updated with the same status.
The general vault enrollment request flow is:
We do not expose the status of the vault transaction or any of its details to the customer. It is up to you to verify the status of the vault transaction and act accordingly. Webhooks are provided to give you feedback, but this principle remains.
After obtaining a Vault Access Token, there are three actions that can be taken in the system.
| Name | Description |
|---|---|
| status | Possible values: Transaction Status |
| merchantOrderReference | A reference, maximum 255 characters, of the order associated with this vault transaction |
| description | A description to show the customer |
| language | The language of the customer. Possible values: Languages |
| method | Fixed value vault |
| brand | The brand of the card that was entered by the user. Only included when the dataType is card |
| metadata | An arbitrary string, maximum 255 characters, that can be used to track vault transactions |
| payUrl | To complete the vault request the customer should be redirected to this URL. |
| returnUrl | After vault data storage is completed (successfully or otherwise) the customer is redirected to this URL |
| reference | A unique reference for the vault transaction |
| created | The local server datetime the vault transaction was created, epoch timestamp |
| lastUpdate | The local server datetime the vault transaction was updated, epoch timestamp |
| statusFinalDate | The local server datetime the vault transaction reached a final status, epoch timestamp |
| failureCode | An error code indication what caused the failure. Possible values: Failure Codes |
| details | An optional object listing specific vault details: Vault Details |
| notificationRequests | An object which is used to request Notifications for specific events related to this vault transaction. |
Example
{
"status" : "success",
"merchantOrderReference" : "8cdbb73f-6537-4b7f-a6de-6ddab6c283e1",
"description" : "API Vault description",
"language" : "eng",
"method" : "vault",
"brand" : "bcmc",
"metadata" : "my custom metadata",
"reference" : "V1505181754007360.1",
"created" : 1431964440770,
"lastUpdate" : 1431964458858,
"statusFinalDate" : 1431964458858,
"payUrl" : "https://onlinepayments.ccv.eu/vault/card.html?reference=C1505181754007360.1",
"returnUrl" : "http://shop/?order=8cdbb73f-6537-4b7f-a6de-6ddab6c283e1",
"details" : {
"expirationDuration" : "P0Y2M1DT0H0M0.000S",
"vaultAccessToken" : "5C810B0AD0B1BC0926EBEA53"
}
}
Important
When reading a vault enrollment response, you will also receive Child Card Details next to the details below. This will include a QrCode or UrlIntent link if Bancontact WIP is enabled.
The expiration of the vault token is configurable by account. By default this is set to 30 days. In some scenarios you want the default expiration set to the card expiry date. This is also configurable by account.
| Name | Description |
|---|---|
| expirationDuration | The time after which the vault access token expires in ISO 8601 Duration |
| expirationTimestamp | The datetime on which the vault access token will be expired after epoch timestamp |
| vaultAccessToken | The Vault Access Token |
| dataType | The data type that is stored in the vault for this Vault Access Token. At this moment only card is supported |
| maskedPan | The masked primary account number. Only included when the dataType is card |
| expiryDate | The expiry date of the card in format MMYY. Only included when the dataType is card |
| scaToken | Boolean value that indicates if the Vault Access Token is created for an SCA authenticated card. For more information refer to our 3-D Secure 2 compliance guide. Only included when the dataType is card |
| brand | The brand of the card. |
Example
{
"dataType" : "card",
"expirationDuration" : "P0Y2M1DT0H0M0.000S",
"expirationTimestamp" : 1420106400000,
"vaultAccessToken" : "5C810B0AD0B1BC0926EBEA53",
"maskedPan": "xxxxxxxxxxxx4242",
"expiryDate": "0424",
"scaToken": false,
"brand": "visa"
}
| Name | Sensitive | Description |
|---|---|---|
| token | no | The Vault Access Token |
| eraseTimestamp | no | The date that this token will be erased from the database, epoch timestamp |
| referenceId | no | A unique reference for the vault transaction |
| merchantOrderReference | no | An arbitrary string, maximum 255 characters, that can be used to track vault transactions |
| pan | yes | The primary account number |
| maskedPan | no | The masked primary account number |
| expiryDate | no | The expiry date |
| cardholderFirstName | no | The first name of the cardholder |
| cardholderLastName | no | The last name of the cardholder |
| created | no | The local server datetime the vault transaction was created, epoch timestamp |
The vault initiate request is used to create a new vault access token.
/api/v1/vault/initiatePOSTapplication/json| Name | Required | Description |
|---|---|---|
| dataType | Yes | The data type that should be requested from the customer. At this moment only card is supported |
| brand | No | The card brand selected by the customer. Possible values: Supported Brands |
| returnUrl | Yes | After the payment is completed (successfully or otherwise) the customer is redirected to this URL. |
| language | Yes | The language of the customer. Defines the language to be used in the payment screens the customer will see. Possible values: Languages |
| metadata | No | An arbitrary string, maximum of 255 characters, that can be used to track payments |
| merchantOrderReference | No | A reference, maximum of 255 characters, of the order associated with this payment |
| description | No | A description to show the customer |
| webhookUrl | No | The webhook URL invoked for transaction changes. This overrides the merchant webhook if one is present. We do not validate this url |
| scaReady | No | Indicates that the vault request is ready for SCA used for 3-D Secure 2 cardholder authentication. In addition, it enables strict validation of the SCA required fields for billing and shipping. See Strong Customer Authentication (SCA) for more information. Possible values: yes, no. Default: no |
| billingAddress | Conditional | The billing street address.{BR}{BR}Required when scaReady is set to yes. |
| billingCity | Conditional | The billing city of the customer.{BR}{BR}Required when scaReady is set to yes. |
| billingState | Conditional | The billing region/state of the customer, an ISO 3166-2 country subdivision code. See for more info: Country Subdivision Codes - ISO 3166-2.{BR}{BR}Required when scaReady is set to yes, and must be a valid subdivision code (if applicable for the country). An invalid subdivision code results in a input error response. |
| billingPostalCode | Conditional | The billing postal (zip) code of the customer.{BR}{BR}Required when scaReady is set to yes. |
| billingCountry | Conditional | The billing country of the customer, an ISO 3166 alpha-2 code. See for more info: Country Codes - ISO 3166.{BR}{BR}Required when scaReady is set to yes, and must be a valid alpha-2 code. An invalid alpha-2 code results in a input error response. |
| billingEmail | Conditional | The billing email of the customer.{BR}{BR}Required when scaReady is set to yes. Must be a valid email address if present. |
| billingPhoneNumber | Conditional | The billing phone number of the customer.{BR}{BR}Required when scaReady is set to yes, and must be a valid subscriber-section of a telephone number, see ITU-T E.164 for more information. An invalid telephone number format results in a input error response. |
| billingPhoneCountry | Conditional | The billing phone number country code of the customer.{BR}{BR}Required when scaReady is set to yes, and must be a valid ITU-T E.164 country code. An invalid country code results in a input error response. |
| billingFirstName | No | The billing first name of the customer |
| billingLastName | No | The billing last name of the customer |
| billingHouseNumber | No | The billing house number of the customer |
| billingHouseExtension | No | The billing house extension of the customer |
| shippingAddress | Conditional | The shipping street address.{BR}{BR}Required when shipping provided* if scaReady is set to yes. |
| shippingCity | Conditional | The shipping address city.{BR}{BR}Required when shipping provided* if scaReady is set to yes. |
| shippingState | Conditional | The shipping address region/state, an ISO 3166-2 country subdivision code.{BR}{BR}Required when shipping provided* if scaReady is set to yes, and must be a valid subdivision code (if applicable for the country). An invalid subdivision code results in a input error response. |
| shippingPostalCode | Conditional | The shipping address postal (zip) code.{BR}{BR}Required when shipping provided* if scaReady is set to yes. |
| shippingCountry | Conditional | The shipping address country, an ISO 3166 alpha-2 code.{BR}{BR}Required when shipping provided* if scaReady is set to yes, and must be a valid alpha-2 code. An invalid alpha-2 code results in a input error response. |
| shippingEmail | No | The shipping email of the custom. Must be a valid email address if present. |
| shippingPhoneNumber | No | The shipping phone number of the customer.{BR}{BR}If this field is provided when scaReady is set to yes it must be a valid subscriber-section of a telephone number, see ITU-T E.164 for more information. An invalid telephone number format results in a input error response. |
| shippingPhoneCountry | No | The shipping phone number country code of the customer.{BR}{BR}If this field is provided when scaReady is set to yes it must be a valid ITU-T E.164 country code. An invalid country code results in a input error response. |
| shippingFirstName | No | The shipping first name of the customer |
| shippingLastName | No | The shipping last name of the customer |
| shippingHouseNumber | No | The shipping house number of the customer |
| shippingHouseExtension | No | The shipping house extension of the customer |
| notificationRequests | No | An object which is used to request Notifications for specific events related to this vault token initiation. |
!INFO * The - Required when shipping provided - fields are mandatory if at least one of them is specified when the scaReady flag is set to yes. If all of them are left blank they become optional and are assigned the corresponding billing-value as default.
Example
{
"dataType" : "card",
"returnUrl" : "http://shop/?order=8cdbb73f-6537-4b7f-a6de-6ddab6c283e1",
"metadata" : "my custom metadata",
"merchantOrderReference" : "8cdbb73f-6537-4b7f-a6de-6ddab6c283e1",
"description" : "API Vault description",
"language" : "eng"
}
200application/jsonCreate a new vault request from a PCI compliant environment.
/api/v1/vault/tokenPOSTapplication/json| Name | Required | Description |
|---|---|---|
| merchantOrderReference | No | An arbitrary string, maximum 255 characters, that can be used to track vault transactions |
| pan | Yes | The primary account number |
| expiryDate | Yes | The expiry date |
| cardholderFirstName | No | The first name of the cardholder |
| cardholderLastName | No | The last name of the cardholder |
Example
{
"merchantOrderReference" : "abcddd",
"pan" : "6799998900000123456",
"expiryDate" : "1803"
}
200application/json| Name | Description |
|---|---|
| token | The Vault Access Token |
| eraseTimestamp | The date that this token will be erased from the database, in the format ISO 8601 DateTime |
| referenceId | A unique reference for the vault transaction |
| merchantOrderReference | An arbitrary string, maximum 255 characters, that can be used to track vault transactions |
| created | The local server datetime the vault transaction was created, epoch timestamp |
| lastUpdate | The local server datetime the vault transaction was updated, epoch timestamp |
| statusFinalDate | The local server datetime the vault transaction reached a final status, epoch timestamp |
This operation retrieves the sensitive data that was stored in the vault and returns it in plain text. The sensitive data can only be retrieved in plain text when this is allowed for your account. Default this is turned off, and will only be turned on when requested by the account owner.
/api/v1/vault/tokenGETapplication/jsonvaultToken: The vault access token for which the data must be retrieved.200application/jsonExample of retrieval with non-sensitive data because not allowed by configuration
curl https://api.psp.ccv.eu/api/v1/vault/token?vaultToken=TOKEN1 -u apikey:
{
"eraseTimestamp" : 1543155649042,
"referenceId" : "V181026162049038CB87E190.1",
"merchantOrderReference" : "321",
"maskedPan" : "4111XXXXXXXX1111",
"expiryDate" : "1221",
"cardholderFirstName" : "John",
"cardholderLastName" : "Doe"
}
This operation explicitly erases the sensitive data from the vault.
/api/v1/vault/tokenDELETE| Name | Required | Description |
|---|---|---|
| vaultToken | Conditional | The vault access token. If present, merchantOrderReference must not be present |
| merchantOrderReference | Conditional | The merchant order reference. If present vaultToken must not be present. |
Example
# Delete the vault token using the merchant order reference 321
curl https://api.psp.ccv.eu/api/v1/vault/token?merchantOrderReference=321 -u apikey:
200application/json