Card callback
When the user confirms the payment in the Vipps MobilePay app and selects their card,
we send a POST request to your cardCallbackUrl with the card token or the PAN. We expect the PSP to answer the payment status synchronously.
Timeout is set to 20 seconds. This card callback will be exactly the same for ePayments and for Recurring CITs.
Example callback:
POST /psp-makepayment HTTP/1.1
Host: example.com
Content-Type: application/json
{
"pspReference": "7686f7788898767977",
"authorizationAttemptId": "3030303thisisaguid",
"merchantSerialNumber": "123456",
"softDeclineCompletedRedirectUrl": "https://vipps.no/mobileintercept?transactionId=123456789&responsecode=OK",
"maskedCardNumber":"47969485XXXX1234",
"cardType":"VISA-DEBIT",
"cardIssuedInCountryCode":"DK",
"paymentInstrument": "TOKEN",
"networkToken": {
"number": "5000000000000000001",
"cryptogram": "aFgdgjdkfgjdFDF=",
"expiryMonth": "03",
"expiryYear": "2030",
"tokenType": "VISA",
"eci": "7",
"paymentAccountReference":"5001BO8B9NXVVIXCT0HAJU98I512Z"
}
"encryptedPan": "xyzxyz"
}
The PSP responds with HTTP 200 OK with a status to reflect the payment:
{
"networkTransactionReference": "123456789",
"status": "RESERVE"
}
Status can be:
RESERVECAPTURE- If you process a payment as SALE or you are certain that you will capture the payment, you can respond with a CAPTURE on the card callback instead of sending a capture update to us later.
FAIL- With error reason and errorCodes that we can map and show to users.
SOFT_DECLINE- with softDeclineRedirectUrl
If we receive a FAIL response on the card callback, we will allow the user to retry with the same or a new payment source (unless the error_code maps to something non-retryable). More information about error cases and soft decline will come later.
Authentication​
HMAC authentication will be added to the callbacks. More information will come.