• Required variable: HashDigest is missing
  • Required variable: MerchantID is missing
  • Required variable: Amount is missing
  • Required variable: CurrencyCode is missing
  • Required variable: OrderID is missing
  • Required variable: TransactionType is missing
  • Required variable: TransactionDateTime is missing
  • Required variable: CallbackURL is missing
The form was not skinned because the variable MerchantID was not submitted, or was invalid.
If you would like to use the hosted payment form helper page please follow this link:

Hosted Payment Form Helper Page

Request Variables
Form Variable NameForm Variable Value
No form variables posted to payment form
URL Variable NameURL Variable Value
No URL variables posted to payment form
Input Variables
Below is a description of the variables that comprise the input API of the payment form. These variables will be delivered as form variables.
Variable Name Data Type Max Length Mandatory Comments
HashDigest A - Yes A hashed string that contains all the variables passed and also data that is not passed but is known to both sides - namely the PreSharedKey and the gateway account password. (see section below)
MerchantID A 15 Yes The merchant ID that corresponds to the gateway account the transaction will be run through. NOTE: If this variable is not present, then the skinning of the payment form will not happen
Amount N 13 Yes The transaction amount in minor currency – e.g. for £10.00, it must be submitted as 1000
CurrencyCode N 3 Yes The currency of the transaction. ISO 4217 e.g. GBP: 826
EchoAVSCheckResult B true/false Yes Instructs the payment form to include the AVS check result of the transaction in the output variables
EchoCV2CheckResult B true/false Yes Instructs the payment form to include the CV2 check result of the transaction in the output variables
EchoThreeDSecureAuthenticationCheckResult B true/false Yes Instructs the payment form to include the 3D Secure check result of the transaction in the output variables
EchoCardType B true/false Yes Instructs the payment form to include the card type of the transaction in the output variables
AVSOverridePolicy A 4 No Sets the override AVS checking policy for this transaction
CV2OverridePolicy A 2 No Sets the CV2 checking policy for this transaction
ThreeDSecureOverridePolicy B true/false No Instructs the payment form to enable/disable the 3D Secure checking for this transaction (where possible)
OrderID A 50 Yes A merchant side ID for the order – primarily used to for determining duplicate transactions. Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType - - Yes Must be either SALE or PREAUTH
TransactionDateTime DT - Yes The date & time (as seen by the merchant's server) of the transaction. Needs to be in the form "YYYY-MM-DD HH:MM:SS ±OO:OO", with the time in 24 hour format, where OO:OO is the offset from UTC - e.g. "2008-12-01 14:12:00 +01:00"
CallbackURL A - Yes The URL of the page on the merchant's site that the results of the transaction will be posted back to (see section below)
OrderDescription A 256 No A description for the order. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName A 100 No The name of the customer
Address1 A 100 No Customer's billing address line 1
Address2 A 50 No Customer's billing address line 2
Address3 A 50 No Customer's billing address line 3
Address4 A 50 No Customer's billing address line 4
City A 50 No Customer's billing address city
State A 50 No Customer's billing address state
PostCode A 50 No Customer's billing address post code
CountryCode N 3 No Customer's billing country code. ISO 3166-1 e.g. United Kingdom: 826
EmailAddress A 100 No Customer's email address
PhoneNumber A 30 No Customer's phone number
DateOfBirth A 30 No Customer's date of birth. Must be in the format yyyy-MM-dd, e.g. 1980-03-20
EmailAddressEditable B true/false Yes Control variable that determines whether the Email Address field on the payment form will be editable
PhoneNumberEditable B true/false Yes Control variable that determines whether the Phone Number field on the payment form will be editable
DateOfBirthEditable B true/false Yes Control variable that determines whether the Date Of Birth field on the payment form will be editable
CV2Mandatory B true/false Yes Control variable that determines whether the CV2 field on the payment form will be mandatory
Address1Mandatory B true/false Yes Control variable that determines whether the Address1 field on the payment form will be mandatory
CityMandatory B true/false Yes Control variable that determines whether the City field on the payment form will be mandatory
PostCodeMandatory B true/false Yes Control variable that determines whether the PostCode field on the payment form will be mandatory
StateMandatory B true/false Yes Control variable that determines whether the State field on the payment form will be mandatory
CountryMandatory B true/false Yes Control variable that determines whether the Country field on the payment form will be mandatory
ResultDeliveryMethod A POST
SERVER
SERVER_PULL
Yes The delivery method of the payment result, either POST, SERVER or SERVER_PULL. POST will deliver the full results via the customer's browser as a form post back to the CallbackURL. With both SERVER and SERVER_PULL the results exchanged directly between the merchant's site and the payment form (removing the browser completely out of the process). With SERVER, the results are PUSHED TO the ServerResultURL on the merchant's webshop BEFORE the customer is redirected back to the webshop, and with SERVER_PULL, the results will be pulled from the payment form by the merchant's webshop AFTER the customer has been redirected back to the webshop
ServerResultURL A - Yes The merchant's external server URL used for SERVER result delivery method
PaymentFormDisplaysResult B true/false Yes Boolean that determines whether the payment result will be displayed on the PaymentForm page, or redirected to the merchant's site after a response from the merchant's external server (ServerResultURL)
Incoming Hash Digest
Below is the order that the variables should be listed when creating the hash digest. The string to be hashed must be comprised of the variables listed in the order below in standard URL format (i.e. listed in name/value pairs, delimited with an ampersand character e.g. "variable1=value&variable2=value&variable3=value"). The variable names and values are case-sensitive and the values should be represented EXACTLY as they appear in the form (NON-URL ENCODED)
Variable Name Mandatory Comments
PreSharedKey See comments The pre shared key should ONLY be included in the hash digest if the chosen hash method is standard (i.e. not HMAC) MD5 or SHA1. If the chosen hash method is either HMACMD5 or HMACSHA1, then the pre shared key is used as part of the hash generation so should be ENTIRELY omitted from the string to be hashed - if it is present in these cases (even as an empty string), then an error will be thrown
MerchantID Yes
Password Yes
Amount Yes
CurrencyCode Yes
EchoAVSCheckResult Yes Must be included as "EchoAVSCheckResult=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
EchoCV2CheckResult Yes Must be included as "EchoCV2CheckResult=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
EchoThreeDSecureAuthenticationCheckResult Yes Must be included as "EchoThreeDSecureAuthenticationCheckResult=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
EchoCardType Yes Must be included as "EchoCardType=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
AVSOverridePolicy Yes Must be included as "AVSOverridePolicy=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CV2OverridePolicy Yes Must be included as "CV2OverridePolicy=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
ThreeDSecureOverridePolicy Yes Must be included as "ThreeDSecureOverridePolicy=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
OrderID Yes Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType Yes
TransactionDateTime Yes
CallbackURL Yes
OrderDescription Yes Must be included as "OrderDescription=" if not submitted or empty in the form. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName Yes Must be included as "CustomerName=" if not submitted or empty in the form
Address1 Yes Must be included as "Address1=" if not submitted or empty in the form
Address2 Yes Must be included as "Address2=" if not submitted or empty in the form
Address3 Yes Must be included as "Address3=" if not submitted or empty in the form
Address4 Yes Must be included as "Address4=" if not submitted or empty in the form
City Yes Must be included as "City=" if not submitted or empty in the form
State Yes Must be included as "State=" if not submitted or empty in the form
PostCode Yes Must be included as "PostCode=" if not submitted or empty in the form
CountryCode Yes Must be included as "CountryCode=" if not submitted or empty in the form
EmailAddress Yes Must be included as "EmailAddress=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
PhoneNumber Yes Must be included as "PhoneNumber=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
DateOfBirth Yes Must be included as "DateOfBirth=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
EmailAddressEditable Yes Must be included as "EmailAddressEditable=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
PhoneNumberEditable Yes Must be included as "PhoneNumberEditable=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
DateOfBirthEditable Yes Must be included as "DateOfBirthEditable=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CV2Mandatory Yes Must be included as "CV2Mandatory=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
Address1Mandatory Yes Must be included as "Address1Mandatory=" if empty in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CityMandatory Yes Must be included as "CityMandatory=" if empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
PostCodeMandatory Yes Must be included as "PostCodeMandatory=" if empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
StateMandatory Yes Must be included as "StateMandatory=" if empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
CountryMandatory Yes Must be included as "CountryMandatory=" empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
ResultDeliveryMethod Yes
ServerResultURL Yes Must be included as "ServerResultURL=" if empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
PaymentFormDisplaysResult Yes Must be included as "PaymentFormDisplaysResult=" if empty in the form. NOT included in the hash if not present in the form (only for backward compatibility)
POST API Documentation
Output Variables
Below is a description of the variables will be posted to the merchant's CallbackURL. These comprise the output API of the payment form
Variable Name Data Type Max Length Comments
HashDigest A - A hashed string that contains all the variables passed and also data that is not passed but is known to both sides - namely the PreSharedKey and the gateway account password. (see section below)
MerchantID A 15 The merchant ID that was used to process the transaction
StatusCode N- This indicates the status of the transaction:
  • 0: transaction successful
  • 4: card referred
  • 5: card declined
  • 20: duplicate transaction
  • 30: exception
Message A 512 This gives a more detailed description of the status of the transaction
PreviousStatusCode N - If the transaction was deemed to be a duplicate transaction, this indicates the status of the previous transaction
PreviousMessage A 512 If the transaction was deemed to be a duplicate transaction, this gives a more detailed description of the status of the previous transaction
CrossReference A 24 This is the unique cross reference for this transaction. If the transaction was determined to be a duplicate transaction, this value will hold the cross reference of the previous transaction (which this transaction was deemed a duplicate of)
AddressNumericCheckResult A - If requested (input variable "EchoAVSCheckResult = true") this gives the results of the address numeric check – will be PASSED, FAILED, PARTIAL, NOT_CHECKED or UNKNOWN
PostCodeCheckResult A - If requested (input variable "EchoAVSCheckResult = true") this gives the results of the post code check – will be PASSED, FAILED, PARTIAL, NOT_CHECKED or UNKNOWN
CV2CheckResult A - If requested (input variable "EchoCV2CheckResult = true") this gives the results of the CV2 check – will be PASSED, FAILED, NOT_CHECKED or UNKNOWN
ThreeDSecureAuthenticationCheckResult A - If requested (input variable "EchoThreeDSecureAuthenticationCheckResult = true") this gives the results of the 3D Secure check - will be PASSED, FAILED, NOT_CHECKED or UNKNOWN
CardType A - If requested (input variable "EchoCardType = true") this gives the card type of the transaction
CardClass A - If requested (input variable "EchoCardType = true") this gives the card class of the transaction
CardIssuer A - If requested (input variable "EchoCardType = true") this gives the card issuer (if known)
CardIssuerCountryCode N 3 If requested (input variable "EchoCardType = true") this gives the 3 digit code of the country the card was issued in (if known)
Amount N 13 The amount, in minor currency, of the transaction that was processed
CurrencyCode N 3 The currency code of the transaction that was processed. ISO 4217 e.g. GBP: 826
OrderID A 50 The order ID of the transaction that was processed. Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType - - The transaction type of the transaction that was processed. Will be either SALE or PREAUTH
TransactionDateTime DT - The date & time (as seen by the gateway server) of the transaction. Will be in the form "YYYY-MM-DD HH:MM:SS ±OO:OO", with the time in 24 hour format, where OO:OO is the offset from UTC - e.g. "2008-12-01 14:12:00 +01:00"
OrderDescription A 256 The order description of the transaction that was processed. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName A 100 The name of the customer as it was submitted to the gateway
Address1 A 100 Customer's billing address line 1 as it was submitted to the gateway
Address2 A 50 Customer's billing address line 2 as it was submitted to the gateway
Address3 A 50 Customer's billing address line 3 as it was submitted to the gateway
Address4 A 50 Customer's billing address line 4 as it was submitted to the gateway
City A 50 Customer's billing city as it was submitted to the gateway
State A 50 Customer's billing state as it was submitted to the gateway
PostCode A 50 Customer's billing post code as it was submitted to the gateway
CountryCode N 3 Customer's billing country code as it was submitted to the gateway. ISO 3166-1 e.g. United Kingdom: 826
EmailAddress A 100 The customer's email address as it was submitted to the gateway
PhoneNumber A 30 The customer's phone number as it was submitted to the gateway
DateOfBirth A 10 The customer's date of birth as it was submitted to the gateway
Outgoing Hash Digest
Below is the order that the variables should be listed when creating the hash digest to check against the one in submitted in the form. The string to be hashed must be comprised of the variables listed in the order below in standard URL format (i.e. listed in name/value pairs, delimited with an ampersand character e.g. "variable1=value&variable2=value&variable3=value"). The variable names and values are case-sensitive and the values should be represented EXACTLY as they appear in the form (NON-URL ENCODED). This hash must be checked against the one submitted in the form, and it should be exactly the same as the hash digest created by us. Any differences should be treated with EXTREME caution, as this indicates that the variables in the form have been tampered with
Variable Name Mandatory Comments
PreSharedKey See comments The pre shared key should ONLY be included in the hash digest if the chosen hash method is standard (i.e. not HMAC) MD5 or SHA1. If the chosen hash method is either HMACMD5 or HMACSHA1, then the pre shared key is used as part of the hash generation so should be ENTIRELY omitted from the string to be hashed
MerchantID Yes
Password Yes
StatusCode Yes
Message Yes
PreviousStatusCode Yes Must be included as "PreviousStatusCode=" if an empty variable in the form
PreviousMessage Yes Must be included as "PreviousMessage=" if an empty variable in the form
CrossReference Yes
AddressNumericCheckResult Yes Must be included as "AddressNumericCheckResult=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
PostCodeCheckResult Yes Must be included as "PostCodeCheckResult=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CV2CheckResult Yes Must be included as "CV2CheckResult=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
ThreeDSecureAuthenticationCheckResult Yes Must be included as "ThreeDSecureAuthenticationCheckResult=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CardType Yes Must be included as "CardType=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CardClass Yes Must be included as "CardClass=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CardIssuer Yes Must be included as "CardIssuer=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
CardIssuerCountryCode Yes Must be included as "CardIssuerCountryCode=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
Amount Yes
CurrencyCode Yes
OrderID Yes Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType Yes
TransactionDateTime Yes
OrderDescription Yes Must be included as "OrderDescription=" if an empty variable in the form. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName Yes Must be included as "CustomerName=" if an empty variable in the form
Address1 Yes Must be included as "Address1=" if an empty variable in the form
Address2 Yes Must be included as "Address2=" if an empty variable in the form
Address3 Yes Must be included as "Address3=" if an empty variable in the form
Address4 Yes Must be included as "Address4=" if an empty variable in the form
City Yes Must be included as "City=" if an empty variable in the form
State Yes Must be included as "State=" if an empty variable in the form
PostCode Yes Must be included as "PostCode=" if an empty variable in the form
CountryCode Yes Must be included as "CountryCode=" if an empty variable in the form
EmailAddress Yes Must be included as "EmailAddress=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
PhoneNumber Yes Must be included as "PhoneNumber=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
DateOfBirth Yes Must be included as "DateOfBirth=" if an empty variable in the form. NOT included in the hash if not present in the form (only for backwards compatibility)
SERVER API Documentation
Request Variables Pushed To Merchant's External Server (ServerResultURL)
These are the transaction result variables that are PUSHED to the merchant's external server (ServerResultURL) after the transaction has been processed, but before the customer is redirected back to the merchant's webshop.
Variable Name Data Type Max Length Comments
HashDigest A - A hashed string that contains all the variables passed and also data that is not passed but is known to both sides - namely the PreSharedKey and the gateway account password. (see section below)
MerchantID A 15 The merchant ID that was used to process the transaction
StatusCode N- This indicates the status of the transaction:
  • 0: transaction successful
  • 4: card referred
  • 5: card declined
  • 20: duplicate transaction
  • 30: exception
Message A 512 This gives a more detailed description of the status of the transaction
PreviousStatusCode N - If the transaction was deemed to be a duplicate transaction, this indicates the status of the previous transaction
PreviousMessage A 512 If the transaction was deemed to be a duplicate transaction, this gives a more detailed description of the status of the previous transaction
CrossReference A 24 This is the unique cross reference for this transaction. If the transaction was determined to be a duplicate transaction, this value will hold the cross reference of the previous transaction (which this transaction was deemed a duplicate of)
Amount N 13 The amount, in minor currency, of the transaction that was processed
CurrencyCode N 3 The currency code of the transaction that was processed. ISO 4217 e.g. GBP: 826
OrderID A 50 The order ID of the transaction that was processed. Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType - - The transaction type of the transaction that was processed. Will be either SALE or PREAUTH
TransactionDateTime DT - The date & time (as seen by the gateway server) of the transaction. Will be in the form "YYYY-MM-DD HH:MM:SS ±OO:OO", with the time in 24 hour format, where OO:OO is the offset from UTC - e.g. "2008-12-01 14:12:00 +01:00"
OrderDescription A 256 The order description of the transaction that was processed. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName A 100 The name of the customer as it was submitted to the gateway
Address1 A 100 Customer's billing address line 1 as it was submitted to the gateway
Address2 A 50 Customer's billing address line 2 as it was submitted to the gateway
Address3 A 50 Customer's billing address line 3 as it was submitted to the gateway
Address4 A 50 Customer's billing address line 4 as it was submitted to the gateway
City A 50 Customer's billing city as it was submitted to the gateway
State A 50 Customer's billing state as it was submitted to the gateway
PostCode A 50 Customer's billing post code as it was submitted to the gateway
CountryCode N 3 Customer's billing country code as it was submitted to the gateway. ISO 3166-1 e.g. United Kingdom: 826
Request Hash Digest Pushed To Merchant's External Server (ServerResultURL)
Below is the order that the variables should be listed when creating the hash digest to check against the one in submitted in the form. The string to be hashed must be comprised of the variables listed in the order below in standard URL format (i.e. listed in name/value pairs, delimited with an ampersand character e.g. "variable1=value&variable2=value&variable3=value"). The variable names and values are case-sensitive and the values should be represented EXACTLY as they appear in the form (NON-URL ENCODED). This hash must be checked against the one submitted in the form, and it should be exactly the same as the hash digest created by us. Any differences should be treated with EXTREME caution, as this indicates that the variables in the form have been tampered with
Variable Name Mandatory Comments
PreSharedKey See comments The pre shared key should ONLY be included in the hash digest if the chosen hash method is standard (i.e. not HMAC) MD5 or SHA1. If the chosen hash method is either HMACMD5 or HMACSHA1, then the pre shared key is used as part of the hash generation so should be ENTIRELY omitted from the string to be hashed
MerchantID Yes
Password Yes
StatusCode Yes
Message Yes
PreviousStatusCode Yes Must be included as "PreviousStatusCode=" if an empty variable in the form
PreviousMessage Yes Must be included as "PreviousMessage=" if an empty variable in the form
CrossReference Yes
Amount Yes
CurrencyCode Yes
OrderID Yes Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType Yes
TransactionDateTime Yes
OrderDescription Yes Must be included as "OrderDescription=" if an empty variable in the form. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName Yes Must be included as "CustomerName=" if an empty variable in the form
Address1 Yes Must be included as "Address1=" if an empty variable in the form
Address2 Yes Must be included as "Address2=" if an empty variable in the form
Address3 Yes Must be included as "Address3=" if an empty variable in the form
Address4 Yes Must be included as "Address4=" if an empty variable in the form
City Yes Must be included as "City=" if an empty variable in the form
State Yes Must be included as "State=" if an empty variable in the form
PostCode Yes Must be included as "PostCode=" if an empty variable in the form
CountryCode Yes Must be included as "CountryCode=" if an empty variable in the form
Expected Response From Merchant's External Server (ServerResultURL)
These are the response variables from the merchant's external server (ServerResultURL). NOTE: the merchant's server MUST adhere to this specification. If the payment form CANNOT be sure that the results were delivered to the merchant's system, it WILL NOT redirect the customer back to the merchant's webshop, and will display the transaction result to the customer directly (regardless of the value of PaymentFormDisplaysResult). If this happens, an email will be sent to the merchant detailing the transaction result
Variable Name Data Type Max Length Comments
StatusCode N - The StatusCode returned from the merchant's external server (ServerResultURL). This indicates whether the merchant's system successfully received and procesed the transaction result
Message A - In the case of a non-zero StatusCode from the merchant's system, this gives more information about the failure.
Server Output Variables
These are the output variables delivered to the merchant's CallbackURL after the transaction has been processed. These variables will be delivered as query string variables on the URL.
Variable Name Data Type Max Length Comments
HashDigest A - A hashed string that contains all the variables passed and also data that is not passed but is known to both sides - namely the PreSharedKey and the gateway account password. (see section below)
MerchantID A 15 The merchant ID that was used to process the transaction
CrossReference A - The unique CrossReference of the transaction
OrderID A - The unique OrderID of the transaction
Server Outgoing Hash Digest
Below is the order that the variables should be listed when creating the hash digest to check against the one in submitted in the form. The string to be hashed must be comprised of the variables listed in the order below in standard URL format (i.e. listed in name/value pairs, delimited with an ampersand character e.g. "variable1=value&variable2=value&variable3=value"). The variable names and values are case-sensitive and the values should be represented EXACTLY as they appear in the form (NON-URL ENCODED). This hash must be checked against the one submitted in the form, and it should be exactly the same as the hash digest created by us. Any differences should be treated with EXTREME caution, as this indicates that the variables in the form have been tampered with
Variable Name Mandatory Comments
PreSharedKey See comments The pre shared key should ONLY be included in the hash digest if the chosen hash method is standard (i.e. not HMAC) MD5 or SHA1. If the chosen hash method is either HMACMD5 or HMACSHA1, then the pre shared key is used as part of the hash generation so should be ENTIRELY omitted from the string to be hashed
MerchantID Yes
Password Yes
CrossReference Yes
OrderID Yes
SERVER_PULL API Documentation
Server Pull Output Variables
These are the output variables delivered to the merchant's CallbackURL after the transaction has been processed. These variables will be delivered as query string variables on the URL.
Variable Name Data Type Max Length Comments
HashDigest A - A hashed string that contains all the variables passed and also data that is not passed but is known to both sides - namely the PreSharedKey and the gateway account password. (see section below)
MerchantID A 15 The merchant ID that was used to process the transaction
CrossReference A 24 This is the unique cross reference for the transaction
OrderID A 50 The order ID of the transaction that was processed
Server Pull Outgoing Hash Digest
Below is the order that the variables should be listed when creating the hash digest to check against the one in submitted in the form. The string to be hashed must be comprised of the variables listed in the order below in standard URL format (i.e. listed in name/value pairs, delimited with an ampersand character e.g. "variable1=value&variable2=value&variable3=value"). The variable names and values are case-sensitive and the values should be represented EXACTLY as they appear in the form (NON-URL ENCODED). This hash must be checked against the one submitted in the form, and it should be exactly the same as the hash digest created by us. Any differences should be treated with EXTREME caution, as this indicates that the variables in the form have been tampered with
Variable Name Mandatory Comments
PreSharedKey See comments The pre shared key should ONLY be included in the hash digest if the chosen hash method is standard (i.e. not HMAC) MD5 or SHA1. If the chosen hash method is either HMACMD5 or HMACSHA1, then the pre shared key is used as part of the hash generation so should be ENTIRELY omitted from the string to be hashed
MerchantID Yes
Password Yes
CrossReference Yes
OrderID Yes
Server Pull Request Variables
These are the request variables directly posted by the merchant's webshop to our transaction result query handler. The external URL address to send the request to is:
https://mms.cardsaveonlinepayments.com/Pages/PublicPages/PaymentFormResultHandler.ashx
Variable Name Data Type Max Length Comments
MerchantID A 15 The merchant ID that was used to process the transaction
Password A - The password that corresponds to the gateway account
CrossReference A 24 This is the unique cross reference for the transaction.
Transaction Result Pull Response Variables
These are the response variables from our transaction result query handler.
Variable Name Data Type Max Length Comments
StatusCode N- This indicates the status of the transaction result query:
  • 0: success
  • 30: exception
Message A - This gives a more detailed description of the status of the transaction result query
TransactionResult A - This is the URL encoded transaction result (see below for transaction result structure). Note: If StatusCode=30 this variable will not be returned by the external sever
Server Pull Transaction Result Variables
These are the transaction result variables. These variables are used to allow the merchant to display the payment result to the customer.
Variable Name Data Type Max Length Comments
MerchantID A 15 The merchant ID that was used to process the transaction
StatusCode N- This indicates the status of the transaction:
  • 0: transaction successful
  • 4: card referred
  • 5: card declined
  • 20: duplicate transaction
  • 30: exception
Message A 512 This gives a more detailed description of the status of the transaction
PreviousStatusCode N - If the transaction was deemed to be a duplicate transaction, this indicates the status of the previous transaction
PreviousMessage A 512 If the transaction was deemed to be a duplicate transaction, this gives a more detailed description of the status of the previous transaction
CrossReference A 24 This is the unique cross reference for this transaction. If the transaction was determined to be a duplicate transaction, this value will hold the cross reference of the previous transaction (which this transaction was deemed a duplicate of)
Amount N 13 The amount, in minor currency, of the transaction that was processed
CurrencyCode N 3 The currency code of the transaction that was processed. ISO 4217 e.g. GBP: 826
OrderID A 50 The order ID of the transaction that was processed. Note: make sure that special characters in the OrderID are properly escaped, otherwise the hash digest will not match
TransactionType - - The transaction type of the transaction that was processed. Will be either SALE or PREAUTH
TransactionDateTime DT - The date & time (as seen by the gateway server) of the transaction. Will be in the form "YYYY-MM-DD HH:MM:SS ±OO:OO", with the time in 24 hour format, where OO:OO is the offset from UTC - e.g. "2008-12-01 14:12:00 +01:00"
OrderDescription A 256 The order description of the transaction that was processed. Note: make sure that special characters in the OrderDescription are properly escaped, otherwise the hash digest will not match
CustomerName A 100 The name of the customer as it was submitted to the gateway
Address1 A 100 Customer's billing address line 1 as it was submitted to the gateway
Address2 A 50 Customer's billing address line 2 as it was submitted to the gateway
Address3 A 50 Customer's billing address line 3 as it was submitted to the gateway
Address4 A 50 Customer's billing address line 4 as it was submitted to the gateway
City A 50 Customer's billing city as it was submitted to the gateway
State A 50 Customer's billing state as it was submitted to the gateway
PostCode A 50 Customer's billing post code as it was submitted to the gateway
CountryCode N 3 Customer's billing country code as it was submitted to the gateway. ISO 3166-1 e.g. United Kingdom: 826