Following table lists all card brands that can be uses via the Hosted Payment Page. When submitting the value CC in parameter PayTypes all brands are displayed that are configured for a certain merchant. Selecting specific brands can be done by submitting a string of the desired brand names separated by pipe signs.
To make payments via the Hosted Payment Page you send a request to following URL with HTTPS GET or HTTPS POST:
All details required for payment processing are forwarded as parameters. The parameters are encrypted with Blowfish to ensure that neither the customer nor a third party can manipulate the data.
When calling the form decrypts the parameters and shows the HTML page with the payment methods. The customer selects the payment method and triggers the forwarding by clicking the button "Next".
After the payment has been made redirects the customers back to a shop page via HTTPS GET (URLSuccess, URLFailure) and transmits the result of the payment as a Blowfish-encrypted parameter string to these URLs. In addition transmits the result via HTTPS POST to the shop's Notify page (URLNotify). The shop accepts the payment result and decrypts the data in order to inform the customer about the status.
Calling the Hosted Payment Page starts with the correct composition of the parameters which consist of a key and a value and which are separated by an equals sign (=):
All parameters are assembled in a character string and separated by the character &:
Notice: Since the characters "=" and "&" are used as separating characters, these characters cannot be transmitted as values. All values which you transmit without BlowFish-encryption must be URL-Encoded.
A correct parameter character string for contains three basic parameters: MerchantID, Len and Data. The parameters MerchantID and Len are unencrypted. Only the Data parameter is Blowfish-encrypted:
The Data parameter contains the sensitive payment details such as amount and currency. The encrypted bytes are Hex-encoded and completed to two characters from the left with a zero. Encryption is via Blowfish ECB and is available to you as source-code and components.
The Len parameter is very important for encryption because it contains the length of the unencrypted(!) character string in the Data parameter. Since the data quantity to be encrypted is increased by a multiple of 8 in the case of the Blowfish encryption, the correct length of the character string must be known for decryption. Otherwise accidental characters emerge at the end of the character string.
The parameters are transmitted via HTTPS POST or HTTPS GET. The recommended transmit method is HTTPS POST because the parameter character string in the case of GET is attached to the URL, which is limited to 2048 bytes depending on the browser.
Notice: Please note that the maximum length of a payment request is limited to 5120 characters. If you require longer strings please contact .
The following listings show the development of a payment request. The first listing is the unencrypted parameter character string:
Notice: Please note that a value is to be assigned to each parameter. Do not transmit empty parameters, as this can cause the payment to fail.
This character string is encrypted and transmitted as the Data parameter. The HTTPS GET request for the Hosted Payment Page looks like this:
Notice: Please note that parameters like Language or URLBack are transmitted unencrypted. A table with all possible unencrypted parameters can be found also witihn this document.
These parameters are mandatory for all payment methods and has to be submitted Blowfish-encrypted within the Data parameter to the Hosted Payment Page.
Notice: Please take all further parameters specifically for a payment method from the manual of that respective payment method.
The following table describes the encrypted payment request parameters:
Parameters for Hosted Payment Page
Following parameters are optional and can be submitted unencrypted to the Hosted Payment Page:
Optional parameters for Hosted Payment Page
You can change the parameter Template to create an individual layout for your Hosted Payment Page form which exactly matches the shop layout To this end your graphic designer can design an HTML-template in the shop-design based on XSLT (Extensible Stylesheet Language Transformation). copies this XSLT-template to our Server. If you enter the name of your XSLT-file in the Template parameter, the form will appear in your layout.
The XSLT templates for the Hosted Payment Page form have several advantages:
For general information about XSLT see www.w3.org.
The subsequent conventions apply for the use of the Corporate Paypage with XSLT:
A XSL file designed by you defines your individual layout. The associated XML file contains the texts that are to be displayed on the form. Hence, multilingualism is easy. Always use your MerchantID in the names of the files.
|XML text file||MerchantID_PaymentPage.xml|
|Sub folder for pictures, CSS- and JS-files||Templates/imagesMerchantID_PaymentPage|
In order not to receive safety notices, please ensure that external image sources are retrieved via SSL.
In order to call the individual layout, use the ‘Template’ parameter with your MerchantID and attach it unencrypted to the call of the form of Hosted Payment Page, for example:
The following hidden fields must be implemented so that the values can be passed on when sending the form:
|Value of||Name of hidden field|
|URL for back button||"URLBack"|
|Credit card brand||"CreditCardBrand"|
The ‘Language’ parameter controls which section of the XML text file is read out. German ‘de’ is always used as standard.
The XML file should have the following basic structure:
‘UTF-8’ is also possible for the encoding.
With <xsl:variablename=““ select=“paygate/language/@name”/> you can directly address an XML language section from the XSL file.
For an overview of which parameters are rendered by the Hosted Payment Page, please examine the following structure (XSL file is rendered against the following XML string):