Card Verification Authorization

The second two-phase commit flow is a card verification authorization, and it actually involves three requests:

  1. An initial authorization request for a small amount that only serves to save the card details. This is normally done upon customer registration, and there's no follow-up capture request after this.

  2. A second authorization request that is performed when the customer is ready to make an actual purchase. This step must be performed on a terminal that does not require CVV entry.

  3. A capture request that is a follow-up to (2) that charges the customer.

This flow is best explained with an example. Imagine that you are an Airbnb-like service. When a new user signs up for your service, you ask them to enter their credit card details. You do this to ensure that their credit card is valid and, more importantly, to save their credit card details that you can use to charge them later when they're ready to make a booking.

Card verification request

During registration, you request a Hyp payment page configured for authorization and a small total — let's say, ₪1.

To do this, you need to send a payment page request where inside the doDeal command, mpiValidation is set to Verify:

<ashrait>
    <request>
        <version>2000</version>
        <language>ENG</language>
        <command>doDeal</command>
        <doDeal>
            <terminalNumber>{terminalNumber}</terminalNumber>
            <cardNo>CGMPI</cardNo>
            <total>100</total>
            <transactionType>Debit</transactionType>
            <creditType>RegularCredit</creditType>
            <currency>ILS</currency>
            <transactionCode>Internet</transactionCode>
            <validation>TxnSetup</validation>
            <mid>{mid}</mid>
            <uniqueid>{uniqueId}</uniqueid>
            <mpiValidation>Verify</mpiValidation>
            <successUrl>{successUrl}</successUrl>
            <errorUrl>{errorUrl}</errorUrl>
        </doDeal>
    </request>
</ashrait>

Extract and handle the returned payment page URL as usual.

When Hyp performs a payment completion redirect, save the values of the following URL parameters:

  1. cardToken: the credit card token that Hyp generates and that you can use in further requests.

  2. cardExp: the credit card expiration date.

Some terminals also require the cardholder's Israeli ID number (תעודת זהות). In this case, you must save the ID number along with the token and expiration date. You receive the ID from the payment completion redirect as the personalId URL parameter and then use it in payment requests as the id parameter. Note that the Israeli ID number is considered sensitive personal data under privacy regulations such as the GDPR and the Israeli Privacy Law. As a merchant, you are responsible for ensuring the secure storage and handling of this information.

These are all the values you need to perform authorization requests at a later time. You don't need to perform a capture request for this authorization.
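The redirect parameters arrive through the customer's browser, so validate them before storing anything. The following is an added example, not Hyp's code: it extracts cardToken, cardExp and personalId, rejects missing or repeated values, checks the Israeli ID check digit, and keeps the token and ID out of log output. The function names, the sample URL and the assumed token and MMYY formats are illustrative and not taken from the Hyp documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample redirect; the host and all values are made up.
SAMPLE_URL = ("https://merchant.example/success"
              "?cardToken=1234567890123456&cardExp=1228&personalId=123456782")

def valid_israeli_id(value: str) -> bool:
    """Check-digit test for an Israeli ID number (zero-padded to 9 digits)."""
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        return False
    total = 0
    for i, ch in enumerate(value.zfill(9)):
        n = int(ch) * (1 if i % 2 == 0 else 2)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

@dataclass(frozen=True, repr=False)
class SavedCard:
    card_token: str
    card_exp: str
    personal_id: Optional[str]

    def __repr__(self) -> str:
        # Keep the token and the ID number out of logs and tracebacks.
        pid = "<redacted>" if self.personal_id else None
        return f"SavedCard(card_token=<redacted>, card_exp={self.card_exp!r}, personal_id={pid})"

def parse_completion_redirect(url: str, id_required: bool) -> SavedCard:
    """Extract and validate cardToken, cardExp and personalId from the redirect URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name: str, required: bool = True) -> Optional[str]:
        values = params.get(name, [])
        if len(values) > 1 or (required and not any(values)):
            raise ValueError(f"{name}: missing or repeated")
        return values[0] if values and values[0] else None

    token, exp = single("cardToken"), single("cardExp")
    pid = single("personalId", required=id_required)
    # Assumed formats (not stated on the page): alphanumeric token, MMYY expiry.
    if not re.fullmatch(r"[A-Za-z0-9]{1,64}", token):
        raise ValueError("cardToken: unexpected characters")
    if not re.fullmatch(r"(0[1-9]|1[0-2])[0-9]{2}", exp):
        raise ValueError("cardExp: expected MMYY")
    if pid is not None and not valid_israeli_id(pid):
        raise ValueError("personalId: check digit mismatch")
    return SavedCard(token, exp, pid)
```

Encrypt personal_id and card_token at rest in whatever store holds the returned record; the redacted repr only protects log output.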

Authorization request for a purchase amount

At some point later, which can be days or months after the customer registers, they are ready to make their first booking. They've selected an apartment and booking dates, and they click Book.

At this point, you need to send an authorization request for the cost of the booking for the selected dates. Although you know the customer has a valid credit card, you need to make sure it currently has sufficient funds to cover the booking.

The authorization request is a standard Hyp API request where the int_in parameter contains the doDeal command payload with validation set to Verify:

Variable parameters of the doDeal command in an authorization request are:

  • terminalNumber: a unique number assigned to you as a merchant during registration.

  • cardId: the card token you saved from the cardToken URL parameter in the payment completion redirect following card verification.

  • cardExpiration: the card expiration date you saved from the cardExp URL parameter in the payment completion redirect following card verification.

  • total: the total amount to charge, which should be equal to or greater than the cost of the customer's booking.

  • id: the customer's Israeli ID, if required by the terminal, saved in the previous step from the personalId parameter.

Here's a sample response for a successful authorization request:


Save the cgUid value from the response, as you'll need it later for the capture request.

Capture request

If the apartment owner confirms each booking manually, your service gives them a 24-hour window to approve or decline the booking.

If the owner rejects the booking, you simply don't perform a follow-up capture request. If the owner confirms the booking, that's when you're ready to perform the capture request to charge the customer.

A capture request is a standard Hyp API request with the doDeal command payload in the int_in parameter:

Variable parameters of the doDeal command in a capture request are:

  • terminalNumber: a unique number assigned to you as a merchant during registration.

  • cardId: the card token saved from the cardToken URL parameter in the payment completion redirect following card verification. Alternatively, you can use the cardId from the authorization response.

  • cardExpiration: the card expiration date saved from the cardExp URL parameter in the payment completion redirect following card verification. Alternatively, you can use the cardExpiration from the authorization response.

  • total: the total amount to charge, which can be equal to or less than the authorized amount.

  • cgUid: the ID that Hyp returned in the authorization response.
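A merchant-side guard for the authorization and capture rules above, as an added example that is not part of the Hyp documentation: it refuses to build a capture without a saved cgUid, above the authorized amount, after a decline, or a second time for the same booking. The Booking class, its state names and the sample cgUid are hypothetical; amounts are integer agorot, following the ₪1 = 100 total in the verification sample.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

def to_agorot(shekels: str) -> int:
    """Convert a decimal ILS amount to the integer minor units used in <total>."""
    amount = Decimal(shekels) * 100
    if amount <= 0 or amount != amount.to_integral_value():
        raise ValueError("amount must be positive with at most two decimals")
    return int(amount)

@dataclass
class Booking:
    cost: int                      # booking cost in agorot
    authorized: int = 0            # total accepted in the authorization request
    cg_uid: Optional[str] = None   # cgUid saved from the authorization response
    state: str = "new"             # new -> authorized -> captured | released

    def record_authorization(self, total: int, cg_uid: str) -> None:
        if self.state != "new":
            raise ValueError("booking already has an authorization")
        if total < self.cost:
            raise ValueError("authorization is below the booking cost")
        if not cg_uid:
            raise ValueError("authorization response carried no cgUid")
        self.authorized, self.cg_uid, self.state = total, cg_uid, "authorized"

    def release(self) -> None:
        """Owner declined the booking: no capture request is ever sent."""
        if self.state != "authorized":
            raise ValueError(f"cannot release in state {self.state}")
        self.state = "released"

    def begin_capture(self, total: int) -> Tuple[str, int]:
        """Return the (cgUid, total) pair for the capture request, or raise."""
        if self.state != "authorized":
            raise ValueError(f"cannot capture in state {self.state}")
        if not 0 < total <= self.authorized:
            raise ValueError("capture total must be positive and not exceed the authorization")
        self.state = "captured"    # a retry cannot charge the customer twice
        return self.cg_uid, total
```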

Here's a sample response for a successful capture request:

