External system interacts with SOFI as an on-line client. SOFI provides SOAP interfaces which should be used. Data interchange is organized via HTTPS with trusted SSL certificates. Authorization with login/password is used.
The following root certificates have to be installed on the requester side for correct work with WEB-services:
- root certificate Thawte: Comodo: COMODO RSA Certification Authority (https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2);
- root certificate GlobalSign: GlobalSign Root CA R1 (https://www.globalsign.com/repository/ca-certificates/).
Before to start, check the presence of these certificates and add them if necessary.
API interface URL is https://afs-api.paysecure.ru/antifraudapi.
WSDL for SOAP protocol can be obtained by the following link: https://afs-api.paysecure.ru/antifraudapi?wsdl.
There are two possible modes of SOFI usage during checking a payment through the SOFI:
- The external system collects all possible data about payment operation and after that sends it to SOFI by calling SOAP procedure check and passing all the collected data. In this case SOFI uses all possible checking mechanisms to check the payment.
- The external system calls check several times passing the data in process of collection. Each new call of check should be performed with all collected at the moment data. Note that if in some future call of check some parameters are missed (that were passed before) then this data will be removed from the data pool, which SOFI uses for checking the payment.
After the decision of external system to authorize or reject the payment, the external system has to notify the SOFI about the decision by calling setPaymentStatus procedure. After this calling all calls of check will return the current fraud-status and SOFI don't perform any additional checks.
Procedure getFraudStatus can be used to receive the current fraud-status of the payment that was already checked by SOFI.
A merchant can be registered within the SOFI by calling setMerchantData procedure. This procedure can be also used to update a data of the merchant (when registered name or E-mail changes).
If a merchant which is indicated in a call of check procedure is not registered yet then SOFI automatically creates the merchant profile and notify the external system about this merchant profile creation. As a reaction on this notification the external system must update the merchant profile within the SOFI by calling the setMerchantData procedure.
If the payers make payments using web-pages, then it is desirable to place (on the web-page where payment verified via SOFI) the call of the following JavaScript code:
<script type="text/javascript">
window.collect_afs_data_func = function() {
try {
var url = "https://afs-api.paysecure.ru/antifraudapi/rest/afs_data_collector.js?outSystemId=...&outPaymentId=...";
var method = "GET";
var xhr = window.XMLHttpRequest ? new XMLHttpRequest() : new XDomainRequest();
if ("withCredentials" in xhr) {
xhr.open(method, url, true);
} else if (typeof XDomainRequest != "undefined") {
xhr = new XDomainRequest();
xhr.open(method, url);
} else {
xhr = null;
}
if (xhr) {
xhr.onreadystatechange=function() {
if (xhr.readyState==4 || xhr.readyState=="complete") {
try {
eval(xhr.responseText);
} catch (e) {alert(e);}
}
};
try {
xhr.withCredentials = true;
} catch (e) {
}
xhr.send('');
}
} catch (e) {
alert(e);
}
};
if (window.addEventListener) {
window.addEventListener('load', function(){window.collect_afs_data_func(); }, false);
} else if (window.attachEvent) {
window.attachEvent('onload', function(){window.collect_afs_data_func();});
}
</script>
Parameters outSystemId and outPaymentId should be assigned to the corresponding ID values (see table "Mandatory fields of CheckPaymentParams").
Payment check procedure
Payment check procedure name is check.
Input parameters
The only input parameter that is transmitted from external system for SOFI analysis of the payment transaction is parameter params, which is a data structure called CheckPaymentParams.
Mandatory fields of CheckPaymentParams
Required fields of CheckPaymentParams are transferred as simple data types (integer, string, boolean).
Mandatory fields of CheckPaymentParams
Field | Description | Type |
outPaymentId | Payment operation identity number, which is assigned to the operation within the external system. | Integer (15) |
outSystemId | External system ID. | Integer (15) |
outMerchantId | Merchant identity number (external merchant ID). | Integer (15). |
domainId | Application/service code. | Integer (15) |
paymentTypeId | Payment type. | Integer (15) Integer code from the table "Payment types". |
Payment types
Name | Код |
e-commerce | 1 |
MO/TO | 2 |
POS | 3 |
Optional fields of CheckPaymentParams
The optional fields also can be transferred via parameter.
When fields of CheckPaymentParams are passed to SOFI by several calls of check, the fields of CheckPaymentParams, which were provided in previous call of check should be also provided in the next call. Fields that are not known on the time of calling check are passed as null value.
If in some future calls of check some fields of CheckPaymentParams are missed (that were passed before) then this data will be removed from the data pool that SOFI uses for checking the payment.
Optional fields of CheckPaymentParams
Field | Description | Type |
paymentAttributes | Payment data (see table "Payment operation data" for details). | List of structures |
clientAttributes | Data of client browser, which is used for payment. | List of structures |
httpAttributes | Headers of HTTP-request from client browser to external system during the payment. | List of structures |
serverAttributes | Variables of environment. | List of structures |
timeOut | SOFI response time out (in milliseconds). If this parameter is not set then the default value 10 seconds is used. Negative value will indicate that there is no time-out. NOTE. There is a possibility to switch off the SOFI notification about fraud-status when time-out expired (by default SOFI sends notifications even if time-out expired). Please, contact the support team to change this behavior. | Integer |
sendNotification | True value enforces SOFI to mandatory notify the external system about payment fraud-status after the check finishes its work. By default notification is not send. | Logical (true, false) |
paymentStatus | Data for payment status change (see more sect.5.4.1) | Structure of data |
Stuctures in the fields descriptions of CheckPaymentParams
Structure | Description | Type |
name | Parameter name | Sting (case-insensitive) |
booleanValue | Filled when the parameter type is logical. | Logical (true, false) |
doubleValue | Filled when the parameter type is numerical. | Decimal |
stringValue | Filled when the parameter type is string. | String |
intValue | Filled when the parameter type is integer. | Integer |
dateValue | Filled when the parameter type is data. | Data |
Payment operation data (paymentAttributes)
Payment operation data
Field | Description | Type |
Meannumber | The encrypted card number* has to be passed as following string: "IR_TOKEN=<irreversible token PAN> BIN=<6 first digits of PAN> POST==<4 last digits of PAN>". Alternatively, you can pass the payment mean number in unencrypted form, but this ability will be removed in the future. | String (70 chars) |
meanTypeGroup | Group of payment means: 1 - card (by default), 2 – E-wallet | Integer (1) |
meanType | Type of E-wallet (required for E-wallets). Available types of electronic wallets are presented in the table «Type of E-wallets». | String (3 chars) |
OutAmount | Payment amount in original currency | Decimal (15,2) |
OutCurrencyCode | Currency code (ISO 42 17) | String (3 chars) |
BillNumber | Bill number from external system | String (30 chars) |
OrderNumber | Order number for payment operation | String (128 chars) |
Customer Email | String (128 chars) | |
Firstname | Customer name | String (128 chars) |
Middlename | Customer middle name | String (70 chars) |
Lastname | Customer second name | String (70 chars) |
Regioncode | Customer region code | String (8 chars) |
Regionname | Customer region name | String (70 chars) |
City | City | String (70 chars) |
Countrycode | Country code (ISO 3166 alpha-2) | String (2 chars) |
Address | Customer postal address | String (256 chars) |
Postcode | Postal index | String (25 chars) |
Phone | Phone number | String (20 chars) |
Workphone | Work phone number | String (20 chars) |
Mobilephone | Mobile phone number | String (20 chars) |
Fax | Fax number | String (20 chars) |
Cardholder | Card-holder name | String (130 chars) |
Bankname | Issuer-Bank name | String (100 chars) |
Acquirer | Acquirer name (unique within the external system). | String (10 chars) |
Date | Payment data (UTC data (GMT-0) or GMT+ hour-offset). If it is not provided then current date is used. | Data |
Expiredate | Card expire date (month, year). UTC data (GMT-0) or GMT+ hour-offset when time is including. | Data |
BillingNumberTag | Type of billing number in favor of which the payment is made as cell phone number, contract number for communication services, etc. Currently, the following types of billing are available for activation: · YBIL (Yota billing); · MTSBelBlN (MTS Belarussia BillNumber); · MTSBelPhN (MTS Belarussia PhoneNumber); · MTTPhN (MTT Phone Number); · MTTTel (MTT Telecommunication); · MTTInt (MTT Internet). | String (10 chars) |
BillingNumber | Billing number in favor of which the payment is made. | String (10 chars) |
TwoStepSchema | Double stage payment (separate authorization and charge operations are performed). If it is not provided then single stage (one operation assumes authorization and charge is performed). | Logical (true, false) |
Additional fields for payments by American Express cards | ||
billingPostalCode | Customer postal index | String (9 chars) |
billingAddress | Customer postal address | String (20 chars) |
billingFirstName | Customer name | String (15 chars) |
billingLastName | Customer second name | String (30 chars) |
billingPhoneNumber | Customer phone number | String (10 chars) |
billingEMailAddress | Customer E-mail | String (60 chars) |
TestMode | Test payment indicator. | Logical (true, false) |
RecurringIndicator | Recurring payment indicator | Logical (true, false) |
usedCSC | Card Secure Code was used | Logical (true, false) |
3DSecAuthresult | 3DSecure authorization result (Y - success, N - fail, A - attempt, U –unknown) | String (1 char) |
AirData | XML with additional flight data (for air companies)** | Text |
BookingData | XML with additional booking data*** | Text |
3DSecAuthrequired | Result of card 3dS involvement check (1 – involved, 0 – not involved, -1 – not-known, null – all rest) | Decimal (1) |
*To get access to the service for receiving irreversible token from ASSIST company, you have to contact technical support team (support@assist.ru).
Fields, which are highlighted by bold – are necessary for math methods of analysis. Underscored fieldss are important for the quality of math methods of analysis.
Type of E-wallets