Another way to accept card payments is by using our server-to-server workflow. The detailed guide below will show you how to successfully charge cards on DusuPay using our APIs.
Before starting, your merchant account needs to have been enabled to do funds collections via card in the specified supported options. Supported card options are shown .
We equally recommend that you go through the section to have a high-level understanding of the funds collection process.
You're required to be PCI DSS certified (Level 1) in order to use the direct card charge workflow.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards designed to ensure that all entities that process, store or transmit cardholder data and/or sensitive authentication data maintain a secure environment. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem. It is applicable to any organization that accepts or processes payment cards. Learn more .
As a merchant, you can create a payment form on your interface and then send the card details within the request body. Card data however is not sent in plain text but rather as an encrypted string as described in more detail below.
Step 1: Collect the card payment data
After collecting the necessary card and payment information from your customer, prepare your data object to look like the example shown below. In this payload, you may choose to pass your user’s PIN or not. The purpose of this JSON is to prepare the card data for encryption since the request doesn't expect it in plain text. The outcome of the encryption will be value sent in a special parameter named card_cipher, which is sent alongside the main collection API request
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
def encrypt_json(json_string, public_key_path):
with open(public_key_path, 'rb') as key_file:
public_key = RSA.import_key(key_file.read())
cipher = PKCS1_v1_5.new(public_key)
encrypted = cipher.encrypt(json_string.encode())
return base64.b64encode(encrypted).decode()
# Example usage
json_data = '{"first_name":"John","last_name":"Doe","card_no":"4622000000005678","exp_month":"06","exp_year":"22","cvv":"123","billing_address":"Second Street","billing_city":"San Francisco","billing_zip":"94105","billing_state":"CA","billing_country":"US"}'
public_key_path = 'path-to-file/dusupay.public.key.pem'
try:
encrypted_data = encrypt_json(json_data, public_key_path)
print("Encrypted data:", encrypted_data)
except Exception as e:
print("Encryption failed:", str(e))
require 'openssl'
require 'base64'
def encrypt_json(json_string, public_key_path)
public_key = OpenSSL::PKey::RSA.new(File.read(public_key_path))
encrypted = public_key.public_encrypt(json_string)
Base64.strict_encode64(encrypted)
end
# Example usage
json_data = '{"first_name":"John","last_name":"Doe","card_no":"4622000000005678","exp_month":"06","exp_year":"22","cvv":"123","billing_address":"Second Street","billing_city":"San Francisco","billing_zip":"94105","billing_state":"CA","billing_country":"US"}'
public_key_path = 'path-to-file/dusupay.public.key.pem'
begin
encrypted_data = encrypt_json(json_data, public_key_path)
puts "Encrypted data: #{encrypted_data}"
rescue => e
puts "Encryption failed: #{e.message}"
end
Step 3: Form the payment request payload
The table below describes the request parameters that are used for the collection/charge request. The encrypted string from Step 2 will be sent as part of the request as described in the table below.
Parameter
Type
Required
Description
merchant_reference
String
true
The unique reference for this request. It must be at least 8 characters long. Alternatively, the value auto can be passed, and a unique reference will be created for you by the API
transaction_method
String
true
The transaction method to be used. This will be CARD for this request
currency
String
true
The 3-character ISO currency code for the request currency
amount
Number
true
The amount being requested
provider_code
String
true
customer_name
String
false
The name of the customer
customer_email
String
false
The email of the customer
card_cipher
String
true
The resultant string after encryption above
description
String
true
The description/narration for the transaction. Between 10-30 characters
charge_customer
Boolean
false
Whether or not the customer should bear the charge for the transaction. By default, this is false to mean that the merchant bears the charge
allow_final_status_change
Boolean
false
redirect_url
String
true
The HTTPs redirect URL to which the API will redirect when the payment is successful/failed
After collecting the necessary card payment information from your customer, prepare your request payload as demonstrated below.
Notice the payment_url parameter in the callback body. The URL should be loaded in the browser so that the customer can proceed with the transaction. When the page loads, the customer will be guided through the payment process and on success/failure, the customer will be redirected to the redirect_url sent by the merchant in the request. Additionally, a callback/webhook will be sent to the configured collection callback URL.
Either of the two (redirect/callback) can be used to confirm the final status of the transaction. We recommend that in either situation, the redirect/callback request is verified (by verifying the signatures)
DusuPay ensures the complete security of card data in transit by using RSA encryption. The stringified payment data from Step 1 must be encrypted using the before making the collection request. To encrypt the JSON string correctly, we have organized a few code samples to illustrate how it could be done as shown below.
Copy the public key for the environment you're working with from . This document assumes that the public key would be stored somewhere on your server under the name dusupay.public.key.pem
The provider code as obtained from the payment options
Whether or not the final transaction status can be altered as described . By default, this is true to mean DusuPay will alter the final transaction status under the circumstances described.
On success/failure of the transaction, the customer will be redirected to the URL that was passed in the redirect_url request parameter. The sample requests below demonstrated the success and failure scenarios. You can copy the URL and paste it on online resource in order to view the query parameters therein.
Every merchant account is expected to have configured a callback/webhook URL for collections. For all collections that transition to the final state (COMPLETED, FAILED or CANCELLED), a JSON POST request will be made to the callback URL. Sample callback payloads (request bodies) are shared below. Be sure to check out to see how you should verify the signature(s) in the request headers and how to respond.