menu

Payment API

What's on this page

Online Payments / Payment Methods / Maestro

Card

CCV Online Payments supports multiple brands. All brands can be used in the same way.

Brand Shopper Country Sale Refund Authorise / Capture Void Token Vault Mandates
American Express Worldwide
Bancontact Belgium
Bancontact Mobile Belgium
Maestro Worldwide
Mastercard Worldwide
Visa / VPAY / Visa Electron Worldwide

Acquirers

Payments processed using the card method can be handled by different acquirers in the background. Dependent on your contract, Card payments are processed by Elavon, Valitor, American Express or Bancontact.

Brand Acquirers
Visa Elavon, Valitor
Mastercard Elavon, Valitor
Maestro Elavon, Valitor
American Express American Express
Bancontact Bancontact

Guidelines

The standard card payment flow follows the following steps:

  1. Create a payment with the payment method set to card and use a webhook or notification.
  2. Redirect your customer to the payment url, field payUrl in the payment response.
  3. Once the customer completes the payment, they are redirected to the return url defined in the payment request field returnUrl.
  4. When CCV receives the payment confirmation from the acquirer, the payment becomes successful.
  5. If you used a webhook or notification, CCV will inform you about the change. Alternatively, you can also query they payment status on regular intervals.

Cardholder authentication

Cardholder authentication is transparent for you. It is done after the customer enters their details on the CCV hosted payment page.

There are 2 distinct methods of authentication.

  • 3-D Secure Version 1 (Only Bancontact): This is the legacy authentication method, which, in case of the card is enrolled, the customer is redirected towards the ACS, an external system from the bank to authenticate themselves. The customer is returned to the CCV Online Payments system before returning to the shop.
  • 3-D Secure Version 2: This is the latest authentication method, which allows for many different modern methods for authentication. See 3DS2 Overview for more information.
  • For Bancontact payments, there is a third option: Bancontact QR / App payments. See the Bancontact guide for more information.

Method API details

Payment

The use case defines which additional parameters you can provide for card payments.

Redirect customer to CCV Pay for card entry

The easiest way to integrate card payments is to define the payment method card in the payment request and redirect the customer to CCV. CCV will handle the authentication if necessary and redirect the customer back to you.

Since the introduction of Strong Customer Authentication (SCA), additional customer information can be added to the request and is highly recommended. See more information on the dedicated SCA documentation

Example

{
    "amount": 9.99,
    "currency": "eur",
    "method": "card",
    "returnUrl": "https://shop/return?order=123456",
    "webhookUrl": "https://shop/payhook?order=123456",
    "merchantOrderReference": "123456",
    "description": "Order 123456",
    "language": "eng"
}
Brand detection

You can provide the customers card brand upfront in the payment request in the field brand. If you do not provide a brand, the CCV Hosted Payment Page will do brand detection.

The available values are

Brand API value
Visa visa
Mastercard mastercard
Maestro maestro
American Express amex
Bancontact bcmc

An example looks like

{
    "amount": 9.99,
    "currency": "eur",
    "method": "card",
    "brand": "amex",
    "returnUrl": "https://shop/return?order=123456",
    "webhookUrl": "https://shop/payhook?order=123456",
    "merchantOrderReference": "123456",
    "description": "Order 123456",
    "language": "eng"
}

Using a card stored in the vault

CCV provides a secure vault to store sensitive information like card data. The reference to a card in the vault is called a vault access token. You can provide a token in the payment request so the card holder does not need to enter their card details again.

Name Required Description
vaultAccessToken Conditional The Vault Access Token that has valid data card stored in the vault. Only required if transactionType equals sale

Example

{
    "amount": 9.99,
    "currency": "eur",
    "method": "card",
    "returnUrl": "https://shop/return?order=123456",
    "webhookUrl": "https://shop/payhook?order=123456",
    "merchantOrderReference": "123456",
    "description": "Order 123456",
    "language": "eng",
    "transactionType" : "sale",
    "details": {
        "vaultAccessToken": "1GV13YEY8ZKCH8ZBJCEOJKDI"
    }
}

Card data in the payment request

This means you capture the card data on your system before you send it to CCV. The customer does not enter their card data on a CCV Hosted Payment Page. If you don’t want to handle card data on your own, this scenario is not suited for you.

Warning

When you send card data directly from your backend to CCV, you must be PCI compliant.

Name Required Description
pan Yes The primary account number. All spaces and dashes are removed
expiryDate Yes The expiry date of the card. Format: MMyy or MMyyyy. Example: 0222 or 022022 are both February 2022
cardholderFirstName Yes The first name of the cardholder
cardholderLastName Yes The last name of the cardholder
cvc Conditional The CVC/CVV2 security code of the card. Only required if transactionType = sale or transactionType = credit and brand is not bcmc. When a vaultAccessToken is used, the cvc code is optional and depending on configuration.

Example

{
    "amount": 9.99,
    "currency": "eur",
    "method": "card",
    "returnUrl": "https://shop/return?order=123456",
    "webhookUrl": "https://shop/payhook?order=123456",
    "merchantOrderReference": "123456",
    "description": "Order 123456",
    "language": "eng",
    "details": {
        "pan": "67032222222222227",
        "expiryDate": "1225",
        "cardholderFirstName": "John",
        "cardholderLastName": "Doe"
    }
}

Embedded card data entry

The basic card payment integration means you redirect the customer to CCV. CCV requests the card data from the card holder in order to complete the payment. If your integration requires a more seamless integration with CCV, you can choose to create an embedded or native card data entry form for your customer. Once the card data is captured on the card holders device, you send the card data directly from the card holders device to CCV.

Info

CCV does not allow this feature by default, contact your CCV representative for more information.

The basic flow:

  1. Create a payment with the payment method set to card and use a webhook or notification.
  2. Present your customer a card data entry form to capture the card data on their device (mobile native, browser, …)
  3. Once the customer entered their card data, send a request to the CCV card data URL as returned in the payment response in the field cardDataUrl
  4. Redirect the customer to the CCV payUrl as received in the payment response. There is a possibility customer authentication is required. CCV does not support out of bounds authentication.
  5. Once the customer completes the payment, they are redirected to the return url defined in the payment request field returnUrl.
  6. When CCV receives the payment confirmation from the acquirer, the payment becomes successful.
  7. If you used a webhook or notification, CCV will inform you about the change. Alternatively, you can also query they payment status on regular intervals.
Card Data URL API

Resource: cardDataUrl e.g. https://onlinepayments.ccv.eu/card/carddata/embedded?reference=

  • Method: POST
  • Content-Type: application/json
  • Authentication: None
  • Parameters
Name Required Description
pan Yes The primary account number. All spaces and dashes are removed
expiryDate Yes The expiry date of the card. Format: MMyy or MMyyyy. Example: 0222 or 022022 are both February 2022
cardholderFirstName Yes The first name of the cardholder. Length of cardholderFirstName and cardholderLastName combined may not exceed 44 characters.
cardholderLastName Yes The last name of the cardholder. Length of cardholderFirstName and cardholderLastName combined may not exceed 44 characters.
cvc Conditional The 3 digit CVC/CVV2 security code of the card. Only required if transactionType = sale or transactionType = credit and brand is not bcmc. When a vaultAccessToken is used, the cvc code is optional and depending on configuration.

Example

{
  "pan": "67032222222222227",
  "expiryDate": "1220",
  "cvc": "1224",
  "cardholderFirstName": "testName",
  "cardholderLastName": "testLastName"
}

Card data response

  • Status Code: 200
PCI Compliance

PCI compliance may be required:

  • If the card data is provided directly by the customer to the PSP, No PCI compliance is required. E.g.: Mobile app or browser uses the cardDataUrl to submit the card data directly to CCV.
  • If the card data passes through your backend system, PCI compliance is always required. E.g.: Mobile app or browser submits card data to your backend system which in turn uses the cardDataUrl to submit the data to the PSP.

Refund

Card does not require method specific input.

{
  "reference": "P240226130441921CB87E195.Y",
  "description": "Refund of Order 123456"
}

Capture

Card does not require method specific input.

{
  "reference": "P240226130441921CB87E195.Y",
  "description": "Refund of Order 123456"
}

Void

Card does not require method specific input. The operations is only supported for authorisations, i.e. the payments have transaction type authorise.

{
  "reference": "P240226130441921CB87E195.Y",
  "description": "Refund of Order 123456"
}