Card Not Present Authorization Request

The following samples are for credit not present (raw PAN) credit card authorization requests.

Sample URI

/v1.0/stores/store123/payments/creditcard/auth/VC.xml

Sample Request Body

The request is a 3D secure CreditCardAuthRequest message which uses a raw credit card PAN with required elements.

<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
                       requestId="1234567890ABCD">
  <PaymentContext>
    <OrderId>OrderId0</OrderId>
    <PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
  </PaymentContext>
  <ExpirationDate>2030-03</ExpirationDate>
  <CardSecurityCode>737</CardSecurityCode>
  <Amount currencyCode="USD">50.00</Amount>
  <BillingFirstName>John</BillingFirstName>
  <BillingLastName>Smith</BillingLastName>
  <BillingPhoneNo>6101234567</BillingPhoneNo>
  <BillingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <City>California</City>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </BillingAddress>
  <CustomerEmail>customer@sample.com</CustomerEmail>
  <CustomerIPAddress>208.247.73.130</CustomerIPAddress>
  <ShipToFirstName>John</ShipToFirstName>
  <ShipToLastName>Smith</ShipToLastName>
  <ShippingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <City>California</City>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </ShippingAddress>
    <!-- only set below to true if you got an auth + CVV/AVS error and are looking to
         get a clean CVV/AVS before taking the order -->
  <isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
  <SchemaVersion>1.2</SchemaVersion>
  <PaymentId>b33j9ynrb400</PaymentId>
  <AuthenticationResult>fingerprint</AuthenticationResult>
</CreditCardAuthRequest>

The request is a CreditCardAuthRequest message which uses a raw credit card PAN with optional elements.

<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
                       requestId="1234567890ABCD">
  <PaymentContext>
    <OrderId>OrderId0</OrderId>
    <PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
  </PaymentContext>
  <ExpirationDate>2030-03</ExpirationDate>
  <CardSecurityCode>737</CardSecurityCode>
  <Amount currencyCode="USD">50.00</Amount>
  <BillingFirstName>John</BillingFirstName>
  <BillingLastName>Smith</BillingLastName>
  <BillingPhoneNo>6101234567</BillingPhoneNo>
  <BillingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <Line2>Building 123</Line2>
    <Line3>4th Floor</Line3>
    <Line4>Apt 12</Line4>
    <City>California</City>
    <MainDivision>CA</MainDivision>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </BillingAddress>
  <CustomerEmail>customer@sample.com</CustomerEmail>
  <CustomerId>customer@sample.com</CustomerId>
  <CustomerIPAddress>208.247.73.130</CustomerIPAddress>
  <ShipToFirstName>John</ShipToFirstName>
  <ShipToLastName>Smith</ShipToLastName>
  <ShipToPhoneNo>6101234567</ShipToPhoneNo>
  <ShippingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <Line2>Building 123</Line2>
    <Line3>4th Floor</Line3>
    <Line4>Apt 12</Line4>
    <City>California</City>
    <MainDivision>CA</MainDivision>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </ShippingAddress>
    <!-- Optional Merchant details that can be sent in the request to reflect in the customer's
            bank statement. To enable this feature for your store, please contact Radial's Payment
            Support group as it needs internal and external configurations to be done.-->
  <MerchantDetails>
    <Description>Sample Online store</Description>
    <Address>
        <Line1>1 Foo Bar Street</Line1>
        <Line2>Line 2</Line2>
        <Line3>Line 3</Line3>
        <Line4>Line 4</Line4>
        <BuildingName>Building 2</BuildingName>
        <PoBox>43068</PoBox>
        <City>Reynoldsburg</City>
        <MainDivision>OHIO</MainDivision>
        <MainDivisionCode>OH</MainDivisionCode>
        <CountryName>United States</CountryName>
        <CountryCode>US</CountryCode>
        <PostalCode>43068</PostalCode>
    </Address>
    <PhoneNumber>8667565005</PhoneNumber>
    <Url>https://samplestore.com/customerservice</Url>
    <EmailAddress>help@samplestore.com</EmailAddress>
  </MerchantDetails>
    <!-- only set below to true if you got an auth + CVV/AVS error and are looking to
         get a clean CVV/AVS before taking the order -->
  <isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
    <!-- section below is to capture Verified By Visa/Mastercard SecureCode data -->
  <SecureVerificationData>
  <AuthenticationAvailable>Y</AuthenticationAvailable>
  <AuthenticationStatus>A</AuthenticationStatus>
  <CavvUcaf>gsdsXXggggg</CavvUcaf>
  <TransactionId>AAAxxx6667dsfsdfd</TransactionId>
  <ECI>05</ECI>
  <PayerAuthenticationResponse>eJydVNtu4jAQ/RVE37oCJ+HSggZLKbQSqrpLuSy8mmSSWAsOjR2g+/
    U7DhAi1IfdnYdkfDznzLHjGOZJhjiaYZBnyOENtRYx1mQ4qIt1ELpeq13nMPGnqG/BPWZapoq7TafpAbsMSSMLE
    qEMBxF8PI2/804RwM5D2GI2HvFeNYCdQGBX9iS3mSZXRxnSTPEMhUHuOa7rdD2n5j70272+R/QCh52l+Ns0J/5j
    u2ubViGgRWaogk+adICVI8DjLlVIFbSOMgd2dbATijtF3BdhM9ImFOYrDkZuq64eratWF1iBgzbC5Jr7wM4ZBGK
    /58mvxSx6eniXs9l66Ps/li/fPvzVs08xIHO2BDCQ3HHJFL0Llr+J00yaZMtbp5orAMxaYcW34jCTsaJmGdaO24
    3Sg3pizK7P2OFwaB5azTSLmUeLYE6PUUGoZXxXP7EwHKso/SfaUKhUyUBs5G9h6BC8oUnSsFZ6+0pmPrVKLps+D
    xsk1QjctmpYxGm5HdJkX4tWVvY3XW7NZlo0dCJc2+BGiMMUI7QnAmuL6XhQvyu2UvXyaCmj9dqPwsXoJTq8TpbE
    HskYtfkfC5f2VYWL3k+xybGcu4xKX2fTpy9U2YlL4S3wip+nylXH6Y2EEVRTScvpK7H4A4s7wJ6n6t3wB1RLYIQ
    =</PayerAuthenticationResponse>
  </SecureVerificationData>
  <Recurrence>Initial</Recurrence>
  <RecurrenceId>1234567890123456</RecurrenceId>
  <SchemaVersion>1.2</SchemaVersion>
  <DeviceInformation>
     <DeviceFingerprint>e6b9acc2-d6db-4c61-8fdf-96fa55488853_1574205236741</DeviceFingerprint>
  </DeviceInformation>
</CreditCardAuthRequest>

The request is a CreditCardAuthRequest message which uses a raw credit card PAN with required elements. The optional elements omitted from the above payload are SecureVerificationData, DeviceInformation and MerchantDetails

<?xml version="1.0" encoding="UTF-8"?>
<CreditCardAuthRequest xmlns="http://api.gsicommerce.com/schema/checkout/1.0"
                       requestId="1234567890ABCD">
  <PaymentContext>
    <OrderId>OrderId0</OrderId>
    <PaymentAccountUniqueId isToken="false">4387751111111111</PaymentAccountUniqueId>
  </PaymentContext>
  <ExpirationDate>2030-03</ExpirationDate>
  <CardSecurityCode>737</CardSecurityCode>
  <Amount currencyCode="USD">50.00</Amount>
  <BillingFirstName>John</BillingFirstName>
  <BillingLastName>Smith</BillingLastName>
  <BillingPhoneNo>6101234567</BillingPhoneNo>
  <BillingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <City>California</City>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </BillingAddress>
  <CustomerEmail>customer@sample.com</CustomerEmail>
  <CustomerIPAddress>208.247.73.130</CustomerIPAddress>
  <ShipToFirstName>John</ShipToFirstName>
  <ShipToLastName>Smith</ShipToLastName>
  <ShippingAddress>
    <Line1>No1, Infinite Loop Cupertino</Line1>
    <City>California</City>
    <MainDivisionCode>CA</MainDivisionCode>
    <CountryCode>US</CountryCode>
    <PostalCode>95014</PostalCode>
  </ShippingAddress>
    <!-- only set below to true if you got an auth + CVV/AVS error and are looking to
         get a clean CVV/AVS before taking the order -->
  <isRequestToCorrectCVVOrAVSError>false</isRequestToCorrectCVVOrAVSError>
  <SchemaVersion>1.2</SchemaVersion>
</CreditCardAuthRequest>

Request Elements

Element Required Description Type Restriction
PaymentContext Yes Unique identifier of the payment transaction for the order ComplexType  
PaymentContext/
OrderId
Yes Unique identifier of the order. The client must ensure uniqueness of OrderIds across different orders that the client initiates with this service. String Max 20 characters
PaymentContext/
PaymentAccountUniqueId
Yes - Either PaymentAccountUniqueId or EncryptedPayment AccountUniqueId must be present. Either a raw PAN (payment account number such as a credit card number) or a token representing a PAN String Max 22 characters
PaymentContext/
PaymentAccountUniqueId
@isToken
Yes (when PaymentAccountUniqueId is present) Attribute that indicates whether the payment account number is tokenized String true or false

PaymentContext/
EncryptedPaymentAccount
UniqueId

Yes - Either PaymentAccountUniqueId or EncryptedPayment AccountUniqueId must be present. Client-encrypted PAN. Used for clients who use client-side encryption to encrypt credit card numbers in the JavaScript that runs in their browser. For a webstore that is not PCI compliant, this ensures that the webstore never sees raw PANs. String Max 1000 characters
ExpirationDate Yes Expiration date of the credit card String yyyy-MM (year followed by month)
CardSecurityCode No CVV2 code on the back of the credit card String 3 or 4 digits

EncryptedCardSecurityCode

No Client side encrypted CVV2 code on the back of the credit card String 1000 digits
Amount Yes Currency amount being authorized on the credit card Decimal

Positive decimal, up to two decimal places (for example, 4.75)

Amount/
@currencyCode
Yes Type of currency used for the order String 3-character ISO 4217 code (for example, USD, CAD, EUR). See http://en.wikipedia.org/
wiki/ISO_4217.
BillingFirstName Yes First name of the person on the billing address of the credit card String Max 64 characters
BillingLastName Yes Last name of the person on the billing address of the credit card String Max 64 characters
BillingPhoneNo Yes Phone number of the person on the billing address of the credit card String Max 15 characters
BillingAddress Yes (for AVS verification) Billing address of the credit card ComplexType
BillingAddress/
Line1
Yes

Line# components of the street address and, if necessary, suite and building identifiers for the physical address. Line1 is required.

Line2, Line3, and Line4 are optional. Include them only if the data exists. A blank AddressLine element will fail validation.

String

1 to 70 characters.

BillingAddress/
Line2
No

String

1 to 70 characters.

BillingAddress/
Line3
No

String

1 to 70 characters.

BillingAddress/
Line4
No

String

1 to 70 characters.

BillingAddress/
BuildingName
No Building name if any

String

BillingAddress/
PoBox
No Post Office Box. Do not pass the string "PO Box" as part of the request. For example, 765

String

BillingAddress/
City
Yes Name of the city. String Max 40 characters
BillingAddress/
MainDivision
No Two- or three-digit postal abbreviation for the state or province. The ISO 3166-2 code is recommended, but not required. See http://en.wikipedia.org/wiki/ISO_3166-2. String Max 30 characters
BillingAddress/
CountryCode
Yes

Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

String 2 characters
BillingAddress/
PostalCode
Depends on country. Yes for US and Canada String of letters and/or numbers that specifies the delivery area more closely than the city alone (for example, US ZIP code). String Max 30 characters
CustomerEmail Yes Email address of the customer who is making the purchase. Used for realtime fraud checking by our API and payment processors. String Max 70 characters
CustomerId No A unique identifier for a customer such as a username or email address. String

Min 1 character

Max 128 characters

CustomerIPAddress Yes IP address of the customer who is making the purchase. Used for realtime fraud checking by our API and payment processors. IPv4Address Valid dotted quad IPv4 Address
ShipToFirstName Yes First name of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. String 64 characters.
ShipToLastName Yes Last name of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. String Max 64 characters.
ShipToPhoneNo No Phone number of the person on the first/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. String Max 15 characters.
ShippingAddress Yes First/primary shipping address of the order. Used for realtime fraud checking by our API and payment processors. For orders that do not have a shipping address, pass the billing address as the shipping address. ComplexType
ShippingAddress/
Line1
Yes

Line# components of the street address and, if necessary, suite and building identifiers for the physical address. Line1 is required.

Line2, Line3, and Line4 are optional. Include them only if the data exists. A blank AddressLine element will fail validation.

String

1 to 70 characters.

ShippingAddress/
Line2
No

String

1 to 70 characters.

ShippingAddress/
Line3
No

String

1 to 70 characters.

ShippingAddress/
Line4
No

String

1 to 70 characters.

ShippingAddress/
BuildingName
No Building name, if any.

String

ShippingAddress/
PoBox
No Post Office Box. Do not pass the string "PO Box" as part of the request. For example, 765

String

ShippingAddress/
City
Yes Name of the city. String Max 40 characters
ShippingAddress/
MainDivision
No

Two- or three-digit postal abbreviation for the state or province. The ISO 3166-2 code is recommended, but not required. See http://en.wikipedia.org/wiki/ISO_3166-2.

String Max 30 characters
ShippingAddress/
CountryCode
Yes

Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

String 2 characters
ShippingAddress/
PostalCode
Varies based on country. Yes for US/Canada

String of letters and/or numbers that specifies the delivery area more closely than the city alone (for example, U.S. ZIP code).

String Max 30 characters
MerchantDetails No

Optional Merchant details that can be sent in the request to reflect in the customer's bank statement. To enable this feature for your store, please contact Radial's Payment Support group as it needs internal and external configurations to be done.

ComplexType
MerchantDetails/
Description
Yes

Merchants to send the description that is to be displayed on the shoppers bank statement. The length may be trimmed according to the supporting processor's requirements.

AlphaNumeric Min 1 char
Max 130 characters
MerchantDetails/
Address
Yes

Merchant Address Information

ComplexType
MerchantDetails/
Address/
Line1
Yes

Line# components of the shipping street address and, if necessary, suite and building identifiers for the physical address. Line1 is required. Other Line# components are optional.

String Min 1 char
Max 130 characters
MerchantDetails/
Address/
Line2
No String Min 1 char
Max 130 characters
MerchantDetails/
Address/
Line3
No String Min 1 char
Max 130 characters
MerchantDetails/
Address/
Line4
No String Min 1 char
Max 130 characters
MerchantDetails/
Address/
BuildingName
No String Min 1 char
Max 130 characters
MerchantDetails/
Address/
PoBox
No String Min 1 char
Max 20 characters
MerchantDetails/
Address/
City
Yes Name of the city String Min 1 char
Max 95 characters
MerchantDetails/
Address/
MainDivision
No

This is the full displayable State/Province name

String Min 1 char
Max 55 characters
MerchantDetails/
Address/
MainDivisionCode
No

Typically a two- or three-digit postal abbreviation for the state or province. Mainly used in Canada and the US. This does not necessarily conform to the ISO 3166-2 code.

String Min 1 char
Max 5 characters
MerchantDetails/
Address/
CountryName
No

Country Name

String Min 1 char
MerchantDetails/
Address/
CountryCode
Yes

Two digit ISO 3166 alpha 2 code country code. See: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

String 2 characters
MerchantDetails/
Address/
PostalCode
No

A value that specifies the delivery area more closely than the city alone (for example, U.S. ZIP code)

String Min 3 characters
Max 15 characters
MerchantDetails/
PhoneNumber
Yes

Phone number excluding the country code. No special characters are allowed

Numeric Min 6 characters
Max 16 characters
MerchantDetails/
Url
Yes

Merchant's website Url

String Min 1 char
Max 255 characters
MerchantDetails/
EmailAddress
Yes

Merchant's Email Address

String Min 6 characters
Max 130 characters

<text>@<text>.<text>

POSMethod No

An identifier for the type of Point Of Sale method used. This is used to mark transaction as being of a specific method. (ie: ApplePay, Virtual Wallet, Samsung Pay, Bitcoin).

Values:
Virtual Wallet - Indicates the credit card from a virtual wallet is previously validated with CVV not requested (for fraud check use)

Afterpay - Indicates that the request is an Afterpay authorization

AmexCheckout - Indicates that the request originated from an Amex Checkout

ApplePay - Indicates that the request is an ApplePay authorization

GooglePay - Indicates that the request is an Google Pay authorization

VisaCheckout - Indicates that the request originated from a Visa Checkout

Enum

Can be any of these values:

  • Affirm
  • Afterpay
  • AmexCheckout
  • ApplePay
  • GooglePay
  • Hosted
  • Klarna
  • Mobile
  • VirtualWallet
  • VisaCheckout
isRequestToCorrect
CVVOrAVSError
Yes

Setting that indicates this is an authorization re-submission to correct an AVS or CVV error.

Even when an AVS or CVV error occurs, the credit card processor authorizes a credit card and reserves the authorized amount from the available credit limit on the credit card. Customers must fix AVS and CVV errors. We do not want to double-authorize the amount already authorized on the customer's card. If this element is set true, the Payment Service decrements the authorized amount for purposes of the AVS/CVV check (for example, in the US authorizes for $0.01).

Boolean true or false
SecureVerificationData No

3D Secure and Verified by Visa verification data.

3D Secure is an XML-based protocol that provides additional security for online credit and debit card transactions.

ComplexType true or false
SecurityVerificationData/
Version
No (required as part of SecureVerificationData)

If omitted, implicit version 1.0.0, all other version must be explicitly included.

Value should be in the format MAJOR.MINOR.PATCH, for example, 2.1.0

String 5 characters, 3 part dotted version notation.
SecurityVerificationData/
AuthenticationAvailable
Yes (required as part of SecureVerificationData)

Code used for Verified by Visa eCommerce transactions only. For all other transactions, enter spaces.

Verify enrollment response from the VERes message, returned to the POE from the Access Control Server (ACS) as a result of a Verify Enrollment Request.

Y - Card eligible for authentication processing.

N - Authentication attempted. Card eligible for attempts liability, but attempts proof is not available from issuer.

U - Unable to process, or card not eligible for attempts liability.

String 1 character
SecurityVerificationData/
AuthenticationStatus
Yes (required as part of SecureVerificationData) Transactions status code used for Verified by Visa and MasterCard SecureCode transactions only. For all other transactions, enter spaces only.

The code is returned in the PARes message from the ACS server in the Transaction Status field.

Y - Authentication approved.

A - Authentication attempted.

U - Unable to authenticate due to technical problems or excluded card type.

N - Authentication failed.

String 1 character
SecurityVerificationData/
CavvUcaf
Yes (required as part of SecureVerificationData)

Data used for Verified by Visa and MasterCard SecureCode eCommerce transactions only. Data is returned in the authentication request.

For Visa, this field contains the CAVV value in upacked, displayable format (0-9, A-F).

For MasterCard, this field contains the UCAF data in upacked, displayable, base-64 format (A-Z, a-z, 0-9, +, /, -). Left justified, space-filled right.

String Max 64 characters
SecurityVerificationData/
TransactionId
Yes (required as part of SecureVerificationData) ID used for Verified by Visa eCommerce transactions only. Contains XID data returned from the authentication request in upacked, displayable format (0-9, A-F). Left justified, space-filled right. String Max 64 characters
SecurityVerificationData/
DirectoryServerTransactionId
No Directory server transaction ID. Required for master card 3DS 2.0 authentication. String UUID in the format specified by RFC 4122
SecurityVerificationData/
ECI
Optional (Visa transactions only) ECI value received from Visa String 1 character
SecurityVerificationData/
PayerAuthenticationResponse
Yes (required as part of SecureVerificationData)

Result of the cardholder authentication performed by the card issuer Access Control Server(ACS)

String Max 10000 characters
Recurrence No

To indicate the sequence of a payment in recurring payments.

Values:
Initial - The first instance in the recurrence

Subsequent - A subsequent instance in the recurrence

Once - Recurring once only, useful for reattempt

Enum

Initial

Subsequent

Once

RecurrenceId

No

Note : This field is mandatory for recurring subscription transactions.

A unique identifier for recurring payments.

String

Min 16 characters

Max 64 characters

SchemaVersion Yes

Although marked as optional in the the schema, this element needs to be passed at all times with a value of 1.2 in order to receive elements like 'ResponseCode' and 'TenderType' in the Response message.

String

pattern = "([0-9]+\.)*[0-9]+".
Value Example: 1.1, 1.2

DeviceInformation No This object contains the details used by the device for authorization. ComplexType
DeviceInformation/DeviceFingerprint No Radial Device Fingerprint (RDF) is a Javascript application that captures information about a customer's device. This device information is used to create a virtual profile, which can then be compared against subsequent orders to help mitigate fraud.
Radial Device Fingerprint is used to identify new customers and customers returning to a site using the same devices. Along with other Radial proprietary software solutions, Radial Device Fingerprint helps detect good and fraudulent orders.
See: https://docs.radial.com/ptf/Content/Topics/risk/device-fingerprint.htm
String

Min 36 characters
Max 64 characters
Only Alphanumeric(a to z, A to Z & 0 to 9) and special characters(hyphen[-] & underscore[_]) is allowed.

requestId Yes RequestId is used to uniquely identify a request, including as part of idempotent duplicate request processing. The value must be unique. It is recommended to use a variant 4 UUID for the request id. The same request id should only be reused if a read timeout occurs when attempting to receive a response from the payment service, or the payment service responds with a fault response. In all other cases a new request id must be sent for retried requests, including responses such as Fail, Timeout or PaymentProcessorTimeout. String Up to 40 Characters.