# Backend Integration source: https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/backend-integration/index.md ## Server SDKs {#server-sdks} For the simplest implementation of the Masterpass Merchant APIs, we recommend using our [Masterpass Merchant Server SDKs](https://developer.mastercard.com/masterpass-psp-integration-v7/documentation/masterpass-checkout-server-sdk-details/) in your preferred programming language: * [Java](https://developer.mastercard.com/masterpass-psp-integration-v7/documentation/masterpass-checkout-server-sdk-details/#java) * [C#](https://developer.mastercard.com/masterpass-psp-integration-v7/documentation/masterpass-checkout-server-sdk-details/#c) * [Ruby](https://developer.mastercard.com/masterpass-psp-integration-v7/documentation/masterpass-checkout-server-sdk-details/#ruby) * [PHP](https://developer.mastercard.com/masterpass-psp-integration-v7/documentation/masterpass-checkout-server-sdk-details/#php) The SDK links above explain how to obtain and set up the SDKs. For details of how to use the SDKs to integrate Masterpass, read the following sections which include details of how to make the necessary service calls in each language / SDK. If you wish to use the JSON RPC APIs directly, you can refer to our [API Reference documentation](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/api-reference/index.md) for full details. Note: All RPC endpoints use [OAuth1 authentication](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/). ## Standard Checkout {#standard-checkout} Use the **paymentData** service to request consumer's payment card, shipping and recipient information during a checkout. Note we also have an encrypted paymentData to receive the same data using the JSON Web encryption standard. #### For PCI DSS Compliant Merchants {#for-pci-dss-compliant-merchants} Call the **paymentdata** service to retrieve the consumer's payment and shipping information from Masterpass (for parameter descriptions and examples, see [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)). * Java * C# * Ruby * PHP ```Java QueryParams queryParams = new QueryParams() .add("checkoutId", ) .add("cartId", ); PaymentData paymentData = PaymentDataApi.show(, queryParams); ``` ```C# var queryParams = new QueryParams() .Add("checkoutId", ) .Add("cartId", ").add("checkoutId","") payment_data_response = MastercardMerchantCheckout::Api::PaymentDataApi.show("",query_params) ``` ```PHP use MasterCardCoreSDK\Helper\QueryParams; use Mastercard\Merchant\Checkout\Api\PaymentDataApi; $paramObj = new QueryParams (); $paramObj->add ( "cartId", "" ); $paramObj->add ( "checkoutId", "" ); $response = PaymentDataApi::show("",$paramObj); ``` Note: In order to call **paymentdata,** you will need a valid transaction identifier (transactionId) for each transaction. The transaction identifier is the oauth_verifier value sent by Masterpass in the callback URL after the Masterpass UI is closed. The following example shows the expected response (for response attribute descriptions and examples, see the [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)). * JSON ```JSON { "card" : { "brandId" : "master", "brandName" : "MasterCard", "accountNumber" : "1111111111111111", "cardHolderName" : "James Stone", "expiryMonth" : 11, "expiryYear" : 2021, "billingAddress" : { "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" } }, "shippingAddress" : { "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" }, "personalInfo" : { "recipientName" : "James Stone", "recipientPhone" : "9171234345", "recipientEmailAddress" : "james.stone@myemail.com" }, "walletId" : "101", "authenticationOptions" : { "authenticateMethod" : "3DS", "cardEnrollmentMethod" : "MANUAL", "eciFlag" : "01", "paResStatus" : "A", "scEnrollmentStatus" : "Y", "signatureVerification" : "Y", "xid" : "STdPVjNmZDNwV0ltR3NhZFpwRTA=" } } ``` #### For Non PCI DSS Compliant Merchants {#for-non-pci-dss-compliant-merchants} A non PCI DSS Compliant merchant, calling **paymentdata** service will retrieve the consumer's shipping information and transactionId from Masterpass. The following example shows the expected response (for response attribute descriptions and examples, see the [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)). * JSON ```JSON { "card":{ "brandId":"master", "brandName":"MasterCard", "accountNumber":"0022" }, "shippingAddress":{ "city":"London", "country":"GB", "subdivision":"GB-London", "line1":"123 Main St", "postalCode":"10011" }, "personalInfo":{ "recipientName":"James Stone", "recipientPhone":"9171234345", "recipientEmailAddress":"james.stone@myemail.com" }, "walletId":"101", "authenticationOptions":{ "authenticateMethod":"NO AUTHENTICATION" } } ``` Use the following endpoints for sandbox and production API: > **Sandbox:** *{transactionId*} > **Production:** *{transactionId*} #### Encrypted Payment Data {#encrypted-payment-data} The encrypted-payment data endpoint can be used to obtain an encrypted version of the information received through the standard paymentdata endpoint. The endpoint URL is /masterpass/encrypted-paymentdata/{transactionId}. The payment data is encrypted using the Standard JWE encryption mechanism. You can read more about the JWE Encryption standards here: The following sections are of specific relevance: The `enc` parameter --- A128CBC-HS256 The `alg` parameter --- RSA-OAEP **Example Encrypted Payment Data Response** {"encryptedPaymentData":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAifQ.fWOubNQaP_-W41kGBdvchxw9zIJDZmt06SlN2VaLhgpFD7YChEh5U3-INInebUyg5L60YUwJVL80saNZL3t8HyXgcH2Y2v4_2qus6vejFsEo5fWg3cgfLB5b8pMygVdzeN7J7iPBmULlHirex25a7Bh256qqWaRBmZImABEBRcGfVKOs7OQuUX4NP8dI7FZdDnCh7sIjA5y0svcz4K1DzOCIgDuU5J1muw6QTAyX946wGL1pRFOEENXI8vYmeAtCmV83HR7psCNkzN2Evup69yXrtRgzuUzKUucAjOn3QoLyMx4PB7cIJBztRMnYj2IXZhBU23wxQkuhJS2WPh_oKA.LEKYrRhmSDw_s5vfjggCQQ.NdK9eEF26HLua8HgHjnkGYRQr_kgu3emGHNfe128qqgZbIVQLUjqbsPStHVhgHKzlKSEQEgI40Trz1jtSER9MwK3l1Z3hkwRB7coaRm65DnjpDJaldfyBCc9tIPE8rhoMe_dWN0QMd9QKeB21TbbopeCDDADJtqK8J59OWQ43gJMV2jrJpCme9rUdlrxSBy7PC38gpF6jbqnfEfKdipC_ncowNm9YUyjNHtI_a5mhvEK2DhqMXnVOlefJQoRKorihY0TxV5HcocX41sLtRkgUCnniMfZkRiwgQA0SumO0Nm-DAdhJTpAMyT4acyTk7J283avGKoZNtqkJlJlshBjuecQY6ivAru85wsAxZ0D8iHsSGtqJeiRCkvjvxe9f5fL1kxRnVDqU4iBTN_uJCw4kuWSkdf0PeYBMnFO5KqxT9eCCp8CnGwSg2GZLiPeW3bToMglP5h0NzBJRhJzqyjpSPiIy09cvGKmlh-YB3Lp3BpadK4aanLE2yDt7pmeRJEIWF1Oj6l7LM-dlUq1YRxxQdmBtf7BG6RL_XJMju1JhH3n-4GP9bT1LvdUGVegtjDTCGY_LTTfNlaAMpwlIuTuz6o_208bf7_OuB4uFp82LHW6uWwyZZuWc1SP303nZFDAheSiNfW-ur4j1x0XQZsAGUuFxfrXScqT5gvArzZzOpg.tyj-qGmo-zE5r_agPvFPwg"} You will need to decrypt the contents of the encryptedPaymentData field above using the private key of the Encryption public / private key pair tagged with an E in the Merchant portal. The following code samples demonstrate how to decrypt encryptedpaymentdata responses using different programming languages. For each language, an example is shown using the Mastercard core SDK and another example is shown without this SDK. If no SDK is used, an alternative open source library is used instead. **C# example with SDK** * C# ```C# X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable; var certificate = new X509Certificate2("<.p12 Certificate file path>", ".p12 certificate password", flags); PaymentData paymentData = JweUtil.GetJweDecryptedPayload(encryptedPaymentData, (certificate.PrivateKey as RSACryptoServiceProvider)); ``` **C# example without SDK** If you do not wish to use the Masterpass Core SDK, you can use the /jose-jwt-signed library for the decryption. See * C# ```C# X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable; var certificate = new X509Certificate2("<.p12 Certificate file path>", "<.p12 certificate password>", flags); string jweDecoded = JWT.Decode(encryptedPaymentData, certificate.PrivateKey); ``` **Java example with SDK** * Java ```Java JSONObject decryptedJsonPayload = JweUtil.getJweDecryptedPayload(encryptedPaymentData, getPrivateKey(), JSONObject.class); ``` **Java example without SDK** If you do not wish to use the Masterpass Core SDK, you can use the nimbus-jose-jwt library for the decryption. See * Java ```Java JWEDecrypter jweDecrypter = new RSADecrypter(privateKey); JWEObject jweObject = JWEObject.parse(encryptedPaymentData); jweObject.decrypt(jweDecrypter); Payload payload = jweObject.getPayload(); ``` **Ruby example with SDK** * Ruby ```Ruby require 'mastercard_core_sdk' private_key = OpenSSL::PKCS12.new(File.open(), ).key decrypted_payload = MastercardCoreSdk::Util::JweUtil::get_jwe_decrypted_payload(, private_key, ) ``` **Ruby example without SDK** If you do not wish to use the Masterpass Core SDK, you can use the JWE gem for the decryption. See * Ruby ```Ruby require 'jwe' private_key = OpenSSL::PKCS12.new(File.open(), ).key decrypted_payload = JWE.decrypt(, private_key) ``` **PHP example with SDK** * PHP ```PHP include_once '../vendor/MasterCardCoreSDK.phar'; use MasterCardCoreSDK\Util\JweUtil; $keystore = array (); trim ( openssl_pkcs12_read ( file_get_contents (), $keystore, ) ); $decryptedPayload = JweUtil::getJweDecryptedPayload (, $keystore ['pkey'], ); ``` **PHP example without SDK** If you do not wish to use the Masterpass Core SDK, you can use the jose-jwt library instead to decrypt the encrypted data.See * PHP ```PHP null ``` ## Express Checkout {#express-checkout} ### Obtain a Pairing Id {#obtain-a-pairing-id} Once consumers have signed into their account on your ecommerce site and provided you with consent to pair their Masterpass Wallet with you, retrieve the **pairing_verifier** value from the callback URL. Call the **pairingid** service with this value as the pairingTransactionId to retrieve a new pairingId from Masterpass. **Express callback query string parameters** oauth_token=bdca06c0e9013fdc277a513c15de13772c0e2547\&oauth_verifier=bdca06c0e9013fdc277a513c15de13772c0e2547\&checkoutId=8016026951850986635\&checkout_resource_url=https%3A%2F%2Fsandbox.api.mastercard.com %2Fmasterpass%2Fpaymentdata%2Fbdca06c0e9013fdc277a513c15de13772c0e2547\&**pairing_verifier=2e74e13427dd82ab330142ec5ca27fee08ac721c**\&pairing_token=2e74e13427dd82ab330142ec5ca27fee08ac721c\&mpstatus=success * Java * C# * Ruby * PHP ```Java QueryParams queryParams = new QueryParams() .add("pairingTransactionId", ) .add("userId", ); Pairing pairingToken = PairingIdApi.show(queryParams); ``` ```C# var queryParams = new QueryParams() .Add("pairingTransactionId", ) .Add("userId", ); Pairing response = PairingIdApi.Show(queryParams); ``` ```Ruby require 'mastercard_merchant_checkout' query_params = MastercardCoreSdk::Core::QueryParams.new.add("pairingTransactionId","").add("userId","") pairing_id_response = MastercardMerchantCheckout::Api::PairingIdApi.show(query_params) ``` ```PHP add("pairingTransactionId",""); $queryParams->add("userId",""); $responsePairingId = PairingIdApi::show($queryParams); ?> ``` Note: In order to make a **pairingid** request, you will need a valid pairingTransactionId value. The pairingTransactionId is the pairing_verifier value sent by Masterpass in the callback URL after the Masterpass UI is closed The following example shows the expected response. * JSON ```JSON { "pairingId" : "03787bf8cd09e22c3185423a6998abd27069a881" } ``` #### Get Precheckout Data {#get-precheckout-data} Use the **precheckoutdata** service to request a previously paired consumer's data (card alias, shipping addresses (where relevant), and contact information). The wallet will send the last four digits of the FPAN to be displayed in the payment card alias for each card in the wallet. The consumer will use this information to select a payment card and shipping address on your site or app prior to you initiating an Express Checkout. The **precheckoutdata** service also returns a new pairingId. This pairingId should be used for the next **precheckoutdata** / **expresscheckout** service call for this consumer (typically, the latter). PairingIds are single-use only. Note: precheckout data must be called for every transaction. You should **not** store the consumer's last used card details for future use. * Java * C# * Ruby * PHP ```Java PreCheckoutData precheckoutData = PreCheckoutDataApi.show(); ``` ```C# PreCheckoutData precheckoutData = PreCheckoutDataApi.Show(); ``` ```Ruby require 'mastercard_merchant_checkout' pre_checkout_data = MastercardMerchantCheckout::Api::PreCheckoutDataApi.show('') ``` ```PHP $responsePrecheckoutData = PreCheckoutDataApi::show(''); ``` The following example shows the expected response. * JSON ```JSON { "cards" : [ { "brandName" : "MasterCard", "cardHolderName" : "James Stone", "cardId" : "6243e3bf-ea2a-4cbc-bec7-323684d5ee38", "expiryYear" : 2021, "expiryMonth" : 11, "lastFour" : "0014" }, { "brandName" : "Visa", "cardHolderName" : "James Stone", "cardId" : "2f6074b8-7f1e-4ac0-a1d0-f4679cac7f79", "expiryYear" : 2023, "expiryMonth" : 12, "lastFour" : "1111" } ], "shippingAddresses" : [ { "recipientInfo" : { "recipientName" : "James Stone", "recipientPhone" : "9171234567" }, "addressId" : "45910e9f-4887-48fc-9a79-0b39428e89e0", "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" }, { "recipientInfo" : { "recipientName" : "James Stone", "recipientPhone" : "9171234567" }, "addressId" : "122fcc06-4b1d-4520-b191-e9f8577b1a8a", "city" : "Boston", "country" : "US", "subdivision" : "US-MA", "line1" : "323 Grand Ave", "postalCode" : "02125" } ], "contactInfo" : { "firstName" : "James", "lastName" : "Stone", "country" : "US", "emailAddress" : "james.stome@myemail.com", "phoneNumber" : "9171234567" }, "preCheckoutTransactionId" : "dcdb243d-fbae-47fe-b59b-705e94242d2f", "consumerWalletId" : "30729ad10cf32ccde82e61938d79b195", "walletName" : "masterpass", "pairingId" : "be90edd54aaf343770e790679a23d66e8a615503" } ``` Use the following endpoints for sandbox and production API. (For parameter descriptions and examples, see [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)). > **Sandbox:** [https://sandbox.api.mastercard.com/masterpass/precheckoutdata/{pairingId}](https://sandbox.api.mastercard.com/masterpass/precheckoutdata/%7BpairingId%7D) > **Production:** [https://api.mastercard.com/masterpass/precheckoutdata/{pairingId}](https://api.mastercard.com/masterpass/precheckoutdata/%7BpairingId%7D) Note: If a merchant submits an **invalid** pairingId for precheckout, they will receive a **404** http status code response. If a merchant submits an **expired** pairingId for precheckout, they will receive a **403** http status code response. Additionally, merchants must revert to the Standard Checkout flow if the pairingId is invalid or expired and use the appropriate parameter to request a new pairing between the merchant and the consumer's Masterpass wallet. #### Request Express Checkout {#request-express-checkout} **For PCI DSS Compliant Merchants** After you have used the **precheckoutdata** API and received the consumer's payment information, use **expresscheckout** to complete the checkout with the consumer's selections and retrieve their full payment card, shipping address, and recipient personal information from Masterpass. * Java * C# * Ruby * PHP ```Java ExpressCheckoutRequest expressCheckoutRequest = new ExpressCheckoutRequest() .amount() .cardId() .checkoutId() .digitalGoods(false) .currency() .pairingId() .preCheckoutTransactionId() .shippingAddressId(); PaymentData paymentData = ExpressCheckoutApi.create(expressCheckoutRequest); ``` ```C# ExpressCheckoutRequest expressCheckoutRequest = new ExpressCheckoutRequest(); expressCheckoutRequest.Amount = ""; expressCheckoutRequest.CardId = ""; expressCheckoutRequest.CheckoutId = ""; expressCheckoutRequest.DigitalGoods = false; expressCheckoutRequest.Currency = ""; expressCheckoutRequest.PairingId = ""; expressCheckoutRequest.PreCheckoutTransactionId = ""; expressCheckoutRequest.ShippingAddressId = ""; PaymentData paymentData = ExpressCheckoutApi.Create(expressCheckoutRequest); ``` ```Ruby express_checkout = MastercardMerchantCheckout::ExpressCheckoutRequest.new(:checkout_id => "",:pairing_id => "",:pre_checkout_transaction_id => "" :currency => "USD", :amount => , :card_id => "", :shipping_address_id => "", :digital_goods => false) ``` ```PHP setCheckoutId ("")->setPairingId ("" )->setPreCheckoutTransactionId ( "")->setAmount ("")->setCurrency("")->setCardId ( "" )->setShippingAddressId ("")->setDigitalGoods (false); $expressCheckoutResponse = ExpressCheckoutApi::create ($expressCheckoutRequest); ?> ``` The following example shows the expected response. * JSON ```JSON { "card" : { "brandId" : "master", "brandName" : "MasterCard", "accountNumber" : "************0014", "cardHolderName" : "James Stone", "expiryMonth" : 11, "expiryYear" : 2021, "billingAddress" : { "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" } }, "shippingAddress" : { "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" }, "personalInfo" : { "recipientName" : "James Stone", "recipientPhone" : "9171234567", "recipientEmailAddress" : "james.stone@myemail.com" }, "walletId" : "101", "authenticationOptions" : { "authenticateMethod" : "NO AUTHENTICATION" }, "pairingId" : "2a185727a8dd79a2ada8944cc19b0d38abcf2f57" } ``` **For Non PCI DSS Compliant Merchants** After you have used the **precheckoutdata** API and received the consumer's payment information, use the **expresscheckout** service to retrieve the consumer's shipping information. The **expresscheckout** service returns a new pairingId. Store this pairingId with the consumer's profile for use with the next **precheckoutdata** service call for this consume. PairingIds are single-use only. The following example shows the expected response. * JSON ```JSON { "card" : { "accountNumber" : "0464" }, "shippingAddress" : { "city" : "New York", "country" : "US", "subdivision" : "US-NY", "line1" : "123 Main St", "postalCode" : "10011" }, "personalInfo" : { "recipientName" : "James Stone", "recipientPhone" : "9171234567", "recipientEmailAddress" : "james.stone@myemail.com" }, "walletId" : "101", "authenticationOptions" : { "authenticateMethod" : "NO AUTHENTICATION" }, "pairingId" : "feaea10701ca6ff11c4eb9960bf81e993ab85273" } ``` Use the following endpoints for sandbox and production API (for parameter descriptions and examples, see [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)). > **Sandbox:** > **Production:** Note: If a merchant submits an **invalid** pairingId for expresscheckout, they will receive a **404** http status code response. If a merchant submits an **expired** pairingId for expresscheckout, they will receive a **403** http status code response. Additionally, merchants must revert to the Standard Checkout flow if the pairingId is invalid or expired and use the appropriate parameter to request a new pairing between the merchant and the consumer's Masterpass wallet. As a PCI DSS Compliant merchant, once you receive the consumer's payment and shipping details, you can process and then report the transaction by calling the **postback** service. As a non-PCI DSS Compliant merchant, send the Masterpass preCheckoutTransactionId received in precheckoutdata response to PSP to retrieve PCI compliant data and process transaction, and then report the transaction by calling the **postback** service ## Processing Transactions {#processing-transactions} Merchants handling PCI data should use the consumer's payment details returned from Masterpass, via the **paymentdata** or **expresscheckout** call, to process the payment using their acquirer or payment processor. Merchants descoping PCI data should consult the PSP Express checkout documentation for details of the payment flow using a PSP. ## Reporting Transactions {#reporting-transactions} Use the **postback** service after every Masterpass transaction to communicate the result of the transaction. Note: With the exception of abandoned checkouts, all Masterpass transactions must be reported through the **Postback** API. * Java * C# * Ruby * PHP ```Java ZonedDateTime zdt = LocalDateTime.now().atZone(ZoneId.systemDefault()); Date date = Date.from(zdt.toInstant()); Postback postback = new Postback() .transactionId() .currency() .paymentCode() .paymentSuccessful(true) .amount() .paymentDate(date) PostbackApi.create(postback); ``` ```C# var postback = new Postback { Currency = "", PaymentCode = "", PaymentDate = DateTime.UtcNow, PaymentSuccessful = true, Amount = double.Parse(""), TransactionId = "" }; PostbackApi.Create(postback); ``` ```Ruby require 'mastercard_merchant_checkout' postback = MastercardMerchantCheckout::Postback.new(:transaction_id => "", :currency => "USD", :amount => , :payment_successful => true, :payment_code => "", :payment_date => Time.now.iso8601) postback_api_response = MastercardMerchantCheckout::Api::PostbackApi.create(postback) ``` ```PHP setTransactionId ("")->setCurrency ( "" )->setAmount ("")->setPaymentSuccessful (true)->setPaymentCode ("")->setPaymentDate (date ( DATE_ATOM, time () )); $postbackResponse = PostbackApi::create ($postbackRequest); ?> ``` The postback service returns HTTP response code 204 for successful response. Use the following endpoints for sandbox and production API. (For parameter descriptions and examples, see [SDK Reference](https://developer.mastercard.com/masterpass-merchant-integration-v7/documentation/sdk-reference/index.md)) > **Sandbox:** > **Production:**