Card Not Present Authorization Request
The following samples are for credit not present (raw PAN) credit card authorization requests.
Sample URI
/v1.0/stores/store123/payments/creditcard/auth/VC.xml
Sample Request Body
The request is a 3D secure CreditCardAuthRequest message which uses a raw credit card PAN with required elements.
<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
requestId="1234567890ABCD">
<PaymentContext>
<OrderId>OrderId0</OrderId>
<PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
</PaymentContext>
<ExpirationDate>2030-03</ExpirationDate>
<CardSecurityCode>737</CardSecurityCode>
<Amount currencyCode="USD">50.00</Amount>
<BillingFirstName>John</BillingFirstName>
<BillingLastName>Smith</BillingLastName>
<BillingPhoneNo>6101234567</BillingPhoneNo>
<BillingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<City>California</City>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</BillingAddress>
<CustomerEmail>customer@sample.com</CustomerEmail>
<CustomerIPAddress>208.247.73.130</CustomerIPAddress>
<ShipToFirstName>John</ShipToFirstName>
<ShipToLastName>Smith</ShipToLastName>
<ShippingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<City>California</City>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</ShippingAddress>
<!-- only set below to true if you got an auth + CVV/AVS error and are looking to
get a clean CVV/AVS before taking the order -->
<isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
<SchemaVersion>1.2</SchemaVersion>
<PaymentId>b33j9ynrb400</PaymentId>
<AuthenticationResult>fingerprint</AuthenticationResult>
</CreditCardAuthRequest>
The request is a CreditCardAuthRequest message which uses a raw credit card PAN with optional elements.
<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
requestId="1234567890ABCD">
<PaymentContext>
<OrderId>OrderId0</OrderId>
<PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
</PaymentContext>
<ExpirationDate>2030-03</ExpirationDate>
<CardSecurityCode>737</CardSecurityCode>
<Amount currencyCode="USD">50.00</Amount>
<BillingFirstName>John</BillingFirstName>
<BillingLastName>Smith</BillingLastName>
<BillingPhoneNo>6101234567</BillingPhoneNo>
<BillingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<Line2>Building 123</Line2>
<Line3>4th Floor</Line3>
<Line4>Apt 12</Line4>
<City>California</City>
<MainDivision>CA</MainDivision>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</BillingAddress>
<CustomerEmail>customer@sample.com</CustomerEmail>
<CustomerId>customer@sample.com</CustomerId>
<CustomerIPAddress>208.247.73.130</CustomerIPAddress>
<ShipToFirstName>John</ShipToFirstName>
<ShipToLastName>Smith</ShipToLastName>
<ShipToPhoneNo>6101234567</ShipToPhoneNo>
<ShippingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<Line2>Building 123</Line2>
<Line3>4th Floor</Line3>
<Line4>Apt 12</Line4>
<City>California</City>
<MainDivision>CA</MainDivision>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</ShippingAddress>
<!-- Optional Merchant details that can be sent in the request to reflect in the customer's
bank statement. To enable this feature for your store, please contact Radial's Payment
Support group as it needs internal and external configurations to be done.-->
<MerchantDetails>
<Description>Sample Online store</Description>
<Address>
<Line1>1 Foo Bar Street</Line1>
<Line2>Line 2</Line2>
<Line3>Line 3</Line3>
<Line4>Line 4</Line4>
<BuildingName>Building 2</BuildingName>
<PoBox>43068</PoBox>
<City>Reynoldsburg</City>
<MainDivision>OHIO</MainDivision>
<MainDivisionCode>OH</MainDivisionCode>
<CountryName>United States</CountryName>
<CountryCode>US</CountryCode>
<PostalCode>43068</PostalCode>
</Address>
<PhoneNumber>8667565005</PhoneNumber>
<Url>https://samplestore.com/customerservice</Url>
<EmailAddress>help@samplestore.com</EmailAddress>
</MerchantDetails>
<!-- only set below to true if you got an auth + CVV/AVS error and are looking to
get a clean CVV/AVS before taking the order -->
<isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
<!-- section below is to capture Verified By Visa/Mastercard SecureCode data -->
<SecureVerificationData>
<AuthenticationAvailable>Y</AuthenticationAvailable>
<AuthenticationStatus>A</AuthenticationStatus>
<CavvUcaf>gsdsXXggggg</CavvUcaf>
<TransactionId>AAAxxx6667dsfsdfd</TransactionId>
<ECI>05</ECI>
<PayerAuthenticationResponse>eJydVNtu4jAQ/RVE37oCJ+HSggZLKbQSqrpLuSy8mmSSWAsOjR2g+/
U7DhAi1IfdnYdkfDznzLHjGOZJhjiaYZBnyOENtRYx1mQ4qIt1ELpeq13nMPGnqG/BPWZapoq7TafpAbsMSSMLE
qEMBxF8PI2/804RwM5D2GI2HvFeNYCdQGBX9iS3mSZXRxnSTPEMhUHuOa7rdD2n5j70272+R/QCh52l+Ns0J/5j
u2ubViGgRWaogk+adICVI8DjLlVIFbSOMgd2dbATijtF3BdhM9ImFOYrDkZuq64eratWF1iBgzbC5Jr7wM4ZBGK
/58mvxSx6eniXs9l66Ps/li/fPvzVs08xIHO2BDCQ3HHJFL0Llr+J00yaZMtbp5orAMxaYcW34jCTsaJmGdaO24
3Sg3pizK7P2OFwaB5azTSLmUeLYE6PUUGoZXxXP7EwHKso/SfaUKhUyUBs5G9h6BC8oUnSsFZ6+0pmPrVKLps+D
xsk1QjctmpYxGm5HdJkX4tWVvY3XW7NZlo0dCJc2+BGiMMUI7QnAmuL6XhQvyu2UvXyaCmj9dqPwsXoJTq8TpbE
HskYtfkfC5f2VYWL3k+xybGcu4xKX2fTpy9U2YlL4S3wip+nylXH6Y2EEVRTScvpK7H4A4s7wJ6n6t3wB1RLYIQ
=</PayerAuthenticationResponse>
</SecureVerificationData>
<Recurrence>Initial</Recurrence>
<RecurrenceId>1234567890123456</RecurrenceId>
<SchemaVersion>1.2</SchemaVersion>
<DeviceInformation>
<DeviceFingerprint>e6b9acc2-d6db-4c61-8fdf-96fa55488853_1574205236741</DeviceFingerprint>
</DeviceInformation>
</CreditCardAuthRequest>
The request is a CreditCardAuthRequest message which uses a raw credit card PAN with required elements. The optional elements omitted from the above payload are SecureVerificationData, DeviceInformation and MerchantDetails
<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
requestId="1234567890ABCD">
<PaymentContext>
<OrderId>OrderId0</OrderId>
<PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
</PaymentContext>
<ExpirationDate>2030-03</ExpirationDate>
<CardSecurityCode>737</CardSecurityCode>
<Amount currencyCode="USD">50.00</Amount>
<BillingFirstName>John</BillingFirstName>
<BillingLastName>Smith</BillingLastName>
<BillingPhoneNo>6101234567</BillingPhoneNo>
<BillingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<City>California</City>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</BillingAddress>
<CustomerEmail>customer@sample.com</CustomerEmail>
<CustomerIPAddress>208.247.73.130</CustomerIPAddress>
<ShipToFirstName>John</ShipToFirstName>
<ShipToLastName>Smith</ShipToLastName>
<ShippingAddress>
<Line1>No1, Infinite Loop Cupertino</Line1>
<City>California</City>
<MainDivisionCode>CA</MainDivisionCode>
<CountryCode>US</CountryCode>
<PostalCode>95014</PostalCode>
</ShippingAddress>
<!-- only set below to true if you got an auth + CVV/AVS error and are looking to
get a clean CVV/AVS before taking the order -->
<isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
<SchemaVersion>1.2</SchemaVersion>
</CreditCardAuthRequest>
Request Elements
Element | Required | Description | Type | Restriction |
---|---|---|---|---|
PaymentContext | Yes | Unique identifier of the payment transaction for the order | ComplexType | |
PaymentContext/ OrderId |
Yes | Unique identifier of the order. The client must ensure uniqueness of OrderIds across different orders that the client initiates with this service. | String | Max 20 characters |
PaymentContext/ PaymentAccountUniqueId |
Yes - Either PaymentAccountUniqueId or EncryptedPayment AccountUniqueId must be present. | Either a raw PAN (payment account number such as a credit card number) or a token representing a PAN | String | Max 22 characters |
PaymentContext/ PaymentAccountUniqueId @isToken |
Yes (when PaymentAccountUniqueId is present) | Attribute that indicates whether the payment account number is tokenized | String | true or false |
PaymentContext/ |
Yes - Either PaymentAccountUniqueId or EncryptedPayment AccountUniqueId must be present. | Client-encrypted PAN. Used for clients who use client-side encryption to encrypt credit card numbers in the JavaScript that runs in their browser. For a webstore that is not PCI compliant, this ensures that the webstore never sees raw PANs. | String | Max 1000 characters |
ExpirationDate | Yes | Expiration date of the credit card | String | yyyy-MM (year followed by month) |
CardSecurityCode | No | CVV2 code on the back of the credit card | String | 3 or 4 digits |
EncryptedCardSecurityCode |
No | Client side encrypted CVV2 code on the back of the credit card | String | 1000 digits |
Amount | Yes | Currency amount being authorized on the credit card | Decimal |
Positive decimal, up to two decimal places (for example, 4.75) |
Amount/ @currencyCode |
Yes | Type of currency used for the order | String | 3-character ISO 4217 code (for example, USD, CAD, EUR). See
http://en.wikipedia.org/ wiki/ISO_4217. |
BillingFirstName | Yes | First name of the person on the billing address of the credit card | String | Max 64 characters |
BillingLastName | Yes | Last name of the person on the billing address of the credit card | String | Max 64 characters |
BillingPhoneNo | Yes | Phone number of the person on the billing address of the credit card | String | Max 15 characters |
BillingAddress | Yes (for AVS verification) | Billing address of the credit card | ComplexType | |
BillingAddress/ Line1 |
Yes |
Line# components of the street address and, if necessary, suite and building identifiers for the physical address. Line1 is required. Line2, Line3, and Line4 are optional. Include them only if the data exists. A blank AddressLine element will fail validation. |
String |
1 to 70 characters. |
BillingAddress/ Line2 |
No |
String |
1 to 70 characters. |
|
BillingAddress/ Line3 |
No |
String |
1 to 70 characters. |
|
BillingAddress/ Line4 |
No |
String |
1 to 70 characters. |
|
BillingAddress/ BuildingName |
No | Building name if any |
String |
|
BillingAddress/ PoBox |
No | Post Office Box. Do not pass the string "PO Box" as part of the request. For example, 765 |
String |
|
BillingAddress/ City |
Yes | Name of the city. | String | Max 40 characters |
BillingAddress/ MainDivision |
No | Two- or three-digit postal abbreviation for the state or province. The ISO 3166-2 code is recommended, but not required. See http://en.wikipedia.org/wiki/ISO_3166-2. | String | Max 30 characters |
BillingAddress/ CountryCode |
Yes |
Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. |
String | 2 characters |
BillingAddress/ PostalCode |
Depends on country. Yes for US and Canada | String of letters and/or numbers that specifies the delivery area more closely than the city alone (for example, US ZIP code). | String | Max 30 characters |
CustomerEmail | Yes | Email address of the customer who is making the purchase. Used for realtime fraud checking by our API and payment processors. | String | Max 70 characters |
CustomerId | No | A unique identifier for a customer such as a username or email address. | String |
Min 1 character Max 128 characters |
CustomerIPAddress | Yes | IP address of the customer who is making the purchase. Used for realtime fraud checking by our API and payment processors. | IPv4Address | Valid dotted quad IPv4 Address |
ShipToFirstName | Yes | First name of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. | String | 64 characters. |
ShipToLastName | Yes | Last name of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. | String | Max 64 characters. |
ShipToPhoneNo | No | Phone number of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. | String | Max 15 characters. |
ShippingAddress | Yes | First/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. For orders that do not have a shipping address, pass the billing address as the shipping address. | ComplexType | |
ShippingAddress/ Line1 |
Yes |
Line# components of the street address and, if necessary, suite and building identifiers for the physical address. Line1 is required. Line2, Line3, and Line4 are optional. Include them only if the data exists. A blank AddressLine element will fail validation. |
String |
1 to 70 characters. |
ShippingAddress/ Line2 |
No |
String |
1 to 70 characters. |
|
ShippingAddress/ Line3 |
No |
String |
1 to 70 characters. |
|
ShippingAddress/ Line4 |
No |
String |
1 to 70 characters. |
|
ShippingAddress/ BuildingName |
No | Building name, if any. |
String |
|
ShippingAddress/ PoBox |
No | Post Office Box. Do not pass the string "PO Box" as part of the request. For example, 765 |
String |
|
ShippingAddress/ City |
Yes | Name of the city. | String | Max 40 characters |
ShippingAddress/ MainDivision |
No |
Two- or three-digit postal abbreviation for the state or province. The ISO 3166-2 code is recommended, but not required. See http://en.wikipedia.org/wiki/ISO_3166-2. |
String | Max 30 characters |
ShippingAddress/ CountryCode |
Yes |
Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. |
String | 2 characters |
ShippingAddress/ PostalCode |
Varies based on country. Yes for US/Canada |
String of letters and/or numbers that specifies the delivery area more closely than the city alone (for example, U.S. ZIP code). |
String | Max 30 characters |
MerchantDetails | No |
Optional Merchant details that can be sent in the request to reflect in the customer's bank statement. To enable this feature for your store, please contact Radial's Payment Support group as it needs internal and external configurations to be done. |
ComplexType | |
MerchantDetails/
Description |
Yes |
Merchants to send the description that is to be displayed on the shoppers bank statement. The length may be trimmed according to the supporting processor's requirements. |
AlphaNumeric | Min 1 char Max 130 characters |
MerchantDetails/
Address |
Yes |
Merchant Address Information |
ComplexType | |
MerchantDetails/
Address/ Line1 |
Yes |
Line# components of the shipping street address and, if necessary, suite and building identifiers for the physical address. Line1 is required. Other Line# components are optional. |
String | Min 1 char Max 130 characters |
MerchantDetails/
Address/ Line2 |
No | String | Min 1 char Max 130 characters |
|
MerchantDetails/
Address/ Line3 |
No | String | Min 1 char Max 130 characters |
|
MerchantDetails/
Address/ Line4 |
No | String | Min 1 char Max 130 characters |
|
MerchantDetails/
Address/ BuildingName |
No | String | Min 1 char Max 130 characters |
|
MerchantDetails/
Address/ PoBox |
No | String | Min 1 char Max 20 characters |
|
MerchantDetails/
Address/ City |
Yes | Name of the city | String | Min 1 char Max 95 characters |
MerchantDetails/
Address/ MainDivision |
No |
This is the full displayable State/Province name |
String | Min 1 char Max 55 characters |
MerchantDetails/
Address/ MainDivisionCode |
No |
Typically a two- or three-digit postal abbreviation for the state or province. Mainly used in Canada and the US. This does not necessarily conform to the ISO 3166-2 code. |
String | Min 1 char Max 5 characters |
MerchantDetails/
Address/ CountryName |
No |
Country Name |
String | Min 1 char |
MerchantDetails/
Address/ CountryCode |
Yes |
Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. |
String | 2 characters |
MerchantDetails/
Address/ PostalCode |
No |
A value that specifies the delivery area more closely than the city alone (for example, U.S. ZIP code) |
String | Min 3 characters Max 15 characters |
MerchantDetails/
PhoneNumber |
Yes |
Phone number excluding the country code. No special characters are allowed |
Numeric | Min 6 characters
Max 16 characters |
MerchantDetails/
Url |
Yes |
Merchant's website Url |
String | Min 1 char
Max 255 characters |
MerchantDetails/
EmailAddress |
Yes |
Merchant's Email Address |
String | Min 6 characters
Max 130 characters <text>@<text>.<text> |
POSMethod | No |
An identifier for the type of Point Of Sale method used. This is used to mark transaction as being of a specific method. (ie: ApplePay, Virtual Wallet, Samsung Pay, Bitcoin).
Values: Afterpay - Indicates that the request is an Afterpay authorization AmexCheckout - Indicates that the request originated from an Amex Checkout ApplePay - Indicates that the request is an ApplePay authorization GooglePay - Indicates that the request is an Google Pay authorization VisaCheckout - Indicates that the request originated from a Visa Checkout |
Enum |
Can be any of these values:
|
isRequestToCorrect CVVOrAVSError |
Yes |
Setting that indicates this is an authorization re-submission to correct an AVS or CVV error. Even when an AVS or CVV error occurs, the credit card processor authorizes a credit card and reserves the authorized amount from the available credit limit on the credit card. Customers must fix AVS and CVV errors. We do not want to double-authorize the amount already authorized on the customer's card. If this element is set true, the Payment Service decrements the authorized amount for purposes of the AVS/CVV check (for example, in the US authorizes for $0.01). |
Boolean | true or false |
SecureVerificationData | No |
3D Secure and Verified by Visa verification data. 3D Secure is an XML-based protocol that provides additional security for online credit and debit card transactions. |
ComplexType | true or false |
SecurityVerificationData/ Version |
No (required as part of SecureVerificationData) |
If omitted, implicit version 1.0.0, all other version must be explicitly included. Value should be in the format MAJOR.MINOR.PATCH, for example, 2.1.0 |
String | 5 characters, 3 part dotted version notation. |
SecurityVerificationData/ AuthenticationAvailable |
Yes (required as part of SecureVerificationData) |
Code used for Verified by Visa eCommerce transactions only. For all other transactions, enter spaces. Verify enrollment response from the VERes message, returned to the POE from the Access Control Server (ACS) as a result of a Verify Enrollment Request. Y - Card eligible for authentication processing. N - Authentication attempted. Card eligible for attempts liability, but attempts proof is not available from issuer. U - Unable to process, or card not eligible for attempts liability. |
String | 1 character |
SecurityVerificationData/ AuthenticationStatus |
Yes (required as part of SecureVerificationData) | Transactions status code used for Verified by Visa and MasterCard SecureCode
transactions only. For all other transactions, enter spaces only. The code is returned in the PARes message from the ACS server in the Transaction Status field. Y - Authentication approved. A - Authentication attempted. U - Unable to authenticate due to technical problems or excluded card type. N - Authentication failed. |
String | 1 character |
SecurityVerificationData/ CavvUcaf |
Yes (required as part of SecureVerificationData) |
Data used for Verified by Visa and MasterCard SecureCode eCommerce transactions only. Data is returned in the authentication request. For Visa, this field contains the CAVV value in upacked, displayable format (0-9, A-F). For MasterCard, this field contains the UCAF data in upacked, displayable, base-64 format (A-Z, a-z, 0-9, +, /, -). Left justified, space-filled right. |
String | Max 64 characters |
SecurityVerificationData/ TransactionId |
Yes (required as part of SecureVerificationData) | ID used for Verified by Visa eCommerce transactions only. Contains XID data returned from the authentication request in upacked, displayable format (0-9, A-F). Left justified, space-filled right. | String | Max 64 characters |
SecurityVerificationData/ DirectoryServerTransactionId |
No | Directory server transaction ID. Required for master card 3DS 2.0 authentication. | String | UUID in the format specified by RFC 4122 |
SecurityVerificationData/ ECI |
Optional (Visa transactions only) | ECI value received from Visa | String | 1 character |
SecurityVerificationData/ PayerAuthenticationResponse |
Yes (required as part of SecureVerificationData) |
Result of the cardholder authentication performed by the card issuer Access Control Server(ACS) |
String | Max 10000 characters |
Recurrence | No |
To indicate the sequence of a payment in recurring payments.
Values: Subsequent - A subsequent instance in the recurrence Once - Recurring once only, useful for reattempt |
Enum |
Initial Subsequent Once |
RecurrenceId |
No Note : This field is mandatory for recurring subscription transactions. |
A unique identifier for recurring payments. |
String |
Min 16 characters Max 64 characters |
SchemaVersion | Yes |
Although marked as optional in the the schema, this element needs to be passed at all times with a value of 1.2 in order to receive elements like 'ResponseCode' and 'TenderType' in the Response message. |
String |
pattern = "([0-9]+\.)*[0-9]+". |
DeviceInformation | No | This object contains the details used by the device for authorization. | ComplexType | |
DeviceInformation/DeviceFingerprint | No | Radial Device Fingerprint
(RDF) is a Javascript application that captures information about a customer's device. This device information is used to create a virtual profile, which can then be compared against subsequent orders to help mitigate fraud. Radial Device Fingerprint is used to identify new customers and customers returning to a site using the same devices. Along with other Radial proprietary software solutions, Radial Device Fingerprint helps detect good and fraudulent orders. See: https://docs.radial.com/ptf/Content/Topics/risk/device-fingerprint.htm |
String |
Min 36 characters |
requestId | Yes | RequestId is used to uniquely identify a request, including as part of idempotent duplicate request processing. The value must be unique. It is recommended to use a variant 4 UUID for the request id. The same request id should only be reused if a read timeout occurs when attempting to receive a response from the payment service, or the payment service responds with a fault response. In all other cases a new request id must be sent for retried requests, including responses such as Fail, Timeout or PaymentProcessorTimeout. | String | Up to 40 Characters. |