Last update 6/09/2018

3. Integrating FlexCheckout as a tokenization page

You can use FlexCheckout in two ways:

  1. By redirecting your customer to FlexCheckout
  2. By encapsulating FlexCheckout within an iframe, so that customers remain on your page and you can build a complete One Page Check-out experience

Warning: We do not advise integrating FlexCheckout as a pure in-app solution, as some functions would not work on certain mid-range smartphones. Integrate it instead in a mobile website solution that uses full browser capabilities.

When the customer is redirected to FlexCheckout, they need to enter their card details and submit them for tokenization on FlexCheckout. In this way, the card details never pass through your own web server. The URLs to access FlexCheckout are:

  • Test: https://ogone.test.v-psp.com/Tokenization/HostedPage
  • Production: https://secure.ogone.com/Tokenization/HostedPage

By default, FlexCheckout works with UTF-8 character encoding. If you work with ISO, make sure to adapt the "Character encoding" accordingly in your back office, via Configuration > Technical information > Global security parameters > Hashing method.

If ISO encoding is used in calculating the SHA, you will need to set this in the Back-Office. This setting validates the incoming SHA and the outgoing SHA. It will also be used to set the URL encoding scheme for the returned parameters.

3.1 Input fields

| Field | Description | Format | Mandatory |
|---|---|---|---|
| ACCOUNT.PSPID | A merchant identification | AN, 30 | Yes |
| ALIAS.ALIASID | A customer alias. If left empty, a customer alias will be automatically created. | AN, 50 | No |
| ALIAS.ORDERID | A payment identification that is used to avoid duplicated alias creation. | AN, 40 | No |
| ALIAS.STOREPERMANENTLY | It indicates whether you want to store a temporary (N) or indefinite (Y) Alias. The possible values are: "N": the alias will be deleted after 2 hours; "Y": the alias will be stored indefinitely, for future use. Note: If an Alias is created with the N value and the transaction is completed within a two-hour timeframe, the transaction too must include this parameter/value combination for the alias to be deleted. If the transaction does not contain this parameter/value combination, the alias will be retained for future use. | Y / N | No |
| CARD.BIC | Bank Identification Code, used only for direct debits | 8 | |
| CARD.BIN | Credit-card type payment methods | 6 | |
| CARD.BRAND | Indicates which type of form needs to be displayed. Mandatory if no Payment Method is provided. | AN, 25 | Yes/No |
| CARD.PAYMENTMETHOD | CreditCard or any supported Direct Debit method. Indicates which type of form needs to be displayed. Mandatory if no Brand is provided. | AN, 26 | Yes/No |
| LAYOUT.LANGUAGE | Language used, in the ISO code format language(iso639)_Country(iso3166) ("en_EN", "nl_BE", "fr_FR", etc.). | AN, 5 | No |
| LAYOUT.TEMPLATENAME | Template input parameter. Include the name of the template and file extension, such as "new_user.html". | AN, 255 | No |
| PARAMETERS.ACCEPTURL | URL for redirection in the event of success | AN, 255 | Yes |
| PARAMETERS.EXCEPTIONURL | URL for redirection in the event of error | AN, 255 | Yes |
| PARAMETERS.EXCLUDEDPAYMENTMETHODS | List of payment methods and/or credit card brands that should NOT be shown. Separated by a ";" (semicolon). | AN, 50 | No |
| PARAMETERS.PARAMPLUS | Pass-through field: additional parameters to be sent by the merchant to retrieve within the output | AN, 1000 | No |
| SHASIGNATURE.SHASIGN | String hashed using the Secure Hash Algorithm. | AN, 128 | Yes |



Alias.StorePermanently: Important notes

  • Alias.StorePermanently should only be used in combination with Alias Manager. If the RECX option under Alias Manager is not activated on your account, the alias will only be stored during the transaction and for no more than 2 hours, as allowed by the PCI DSS rules.
  • If you are using a one-page-checkout integration, you should enable the "opt-in/out checkbox" option in your Alias Manager configuration to display the checkbox.
  • When Alias Manager is activated, you should be able to oversee the data stored by the merchant by ticking the Opt-in/out checkbox. If the Opt-in/out checkbox option under Alias Manager configuration is enabled, it will override the use of the Alias.StorePermanently parameter.

3.1.1 Check for duplicated OrderID

In order to prevent hackers from replacing the card details linked to a specific token (by capturing the link that triggers the request and replacing the card details of a genuine card with genuine card details), we perform a check on the OrderID (ALIAS.ORDERID) that you send in the request.

If the OrderID is detected as having already been used to create a token, the alias update will be refused.

Important

The check on the OrderID only works if the OrderID (ALIAS.ORDERID) is sent. The OrderID alone is not enough: the AliasID (ALIAS.ALIASID) is required as well. If the AliasID is not sent, the check will not be performed and a new alias will be created.

When a duplicate OrderID is detected and the request is consequently blocked, a generic error message is displayed to the customer:

"An error has occurred while processing your request. Please try again later or contact your merchant."

Errors generated by a duplicate OrderID can be detected when the debug mode in the Error logs is activated (please contact our Customer Care department).

3.2 SHA signature for input

To check the integrity of the data, we require all requests to be accompanied by a SHA signature, in the same way as for e-Commerce transactions.

Our system will use the SHA algorithm as defined in the Global security parameters tab of your Technical information page. You can still change this algorithm back to SHA-1 or SHA-256.

Example

Fields (in alphabetical order):

Parameters.AcceptUrl: https://www.myshop.com/ok.html
Parameters.ExceptionUrl: https://www.myshop.com/nok.html
Account.PspId: test1
Card.Brand: VISA

Secret passphrase (as defined in Technical information): Mysecretsig1875!?

String to hash:

ACCOUNT.PSPID=test1Mysecretsig1875!?CARD.BRAND=VISAMysecretsig1875!?PARAMETERS.ACCEPTURL=https://www.myshop.com/ok.htmlMysecretsig1875!?PARAMETERS.EXCEPTIONURL=https://www.myshop.com/nok.htmlMysecretsig1875!?

Resulting SHA signature (SHA-512):

563DC909F70BA5DDD470D69C1B390E7D1C1C47705AC5801B27038446D7033B5787728EA754EF72E7FA2436FC5962E34E20DF64E7F9139893A33653F118816818

3.3 Output fields

The following fields, representing the status of the alias creation/update, can be returned to you. To include them in the feedback, they will need to be configured accordingly in the dynamic feedback parameters (Ingenico ePayments account: Configuration > Technical information > Transaction feedback > Alias gateway and Tokenization: Dynamic parameters).

The SHASIGN is not optional and thus will always be returned.

| Field | Description | Max. Length |
|---|---|---|
| ALIAS.ALIASID | Alias sent by merchant or generated alias by PSP (according to the 32-digit GUID format). Example: 34F5302C-85D7-4F35-BDF5-103CCEC2FB61 | 50 |
| ALIAS.NCERROR | Error code | 50 |
| ALIAS.NCERRORCARDNO | Error code for CARDNO | 50 |
| ALIAS.NCERRORCN | Error code for CN | 50 |
| ALIAS.NCERRORCVC | Error code for CVC | 50 |
| ALIAS.NCERRORED | Error code for ED | 50 |
| ALIAS.ORDERID | The unique identifier of the order (sent by merchant or generated by system). | 40 |
| ALIAS.STATUS | Result of the alias creation: 0=OK, 1=NOK, 2=Alias updated, 3=Cancelled by user | 1 |
| ALIAS.STOREPERMANENTLY | It indicates whether you want to store a temporary (N) or indefinite (Y) Alias. The possible values are: "N": the alias will be deleted after 2 hours; "Y": the alias will be stored indefinitely, for future use. Note: If an Alias is created with the N value and the transaction is completed within a two-hour timeframe, the transaction too must include this parameter/value combination for the alias to be deleted. If the transaction does not contain this parameter/value combination, the alias will be retained for future use. | 1 (Y/N) |
| CARD.BIC | Bank Identification Code, used only for direct debits | 8 |
| CARD.BIN | Credit-card type payment methods | 6 |
| CARD.BRAND | Brand of the payment method | 25 |
| CARD.CARDHOLDERNAME | Cardholder name | 50 |
| CARD.CARDNUMBER | Card with Xs to replace sensitive information. Example: XXXXXXXXXXXX1111. Note: In the event of an error, the card will also be masked. | 35 |
| CARD.CVC | Card Verification Code for credit cards, with Xs to replace sensitive data. Example: XXX | 6 |
| CARD.EXPIRYDATE | Expiry date, e.g. 0220 (February 2020) | 4 |
| PARAMPLUS | Pass-through field: data provided in the input | / |
| SHASIGN | SHA signature for output | 128 |

In order to provide the feedback on the operation, the selected parameters will be appended to the Return URL defined in your request (PARAMETERS.ACCEPTURL or PARAMETERS.EXCEPTIONURL).

3.4 SHA signature for output

Our system will return a SHA-OUT signature, in the same way as e-Commerce transactions, for the following parameters:

ALIAS.ALIASID
ALIAS.NCERROR
ALIAS.NCERRORCARDNO
ALIAS.NCERRORCN
ALIAS.NCERRORCVC
ALIAS.NCERRORED
ALIAS.ORDERID
ALIAS.STATUS
ALIAS.STOREPERMANENTLY
CARD.BIC
CARD.BIN
CARD.BRAND
CARD.CARDHOLDERNAME
CARD.CARDNUMBER
CARD.CVC
CARD.EXPIRYDATE
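
Added example (not part of the original documentation and not Ingenico code): a merchant-side helper in Python that builds the string to hash from section 3.2 and checks the SHASIGN on the return URL from section 3.4. It assumes that the output signature uses the same construction as the input example and that empty values are left out of the string; the function names and the passphrase handling are illustrative.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Parameters that section 3.4 lists as covered by the SHA-OUT signature.
SIGNED_OUT = frozenset("""
ALIAS.ALIASID ALIAS.NCERROR ALIAS.NCERRORCARDNO ALIAS.NCERRORCN
ALIAS.NCERRORCVC ALIAS.NCERRORED ALIAS.ORDERID ALIAS.STATUS
ALIAS.STOREPERMANENTLY CARD.BIC CARD.BIN CARD.BRAND CARD.CARDHOLDERNAME
CARD.CARDNUMBER CARD.CVC CARD.EXPIRYDATE""".split())


def string_to_hash(params, passphrase):
    """Upper-case the keys, sort them, and append the passphrase to each pair."""
    # Assumption: parameters with an empty value are left out of the string.
    fields = {k.upper(): v for k, v in params.items() if v != ""}
    return "".join(f"{k}={fields[k]}{passphrase}" for k in sorted(fields))


def sha_sign(params, passphrase, algo="sha512", encoding="utf-8"):
    """Hex digest in upper case; algo and encoding must match the back office."""
    data = string_to_hash(params, passphrase).encode(encoding)
    return hashlib.new(algo, data).hexdigest().upper()


def verify_feedback(query, passphrase, algo="sha512", encoding="utf-8"):
    """Return the signed fields of a return-URL query string, or None."""
    pairs = parse_qsl(query, keep_blank_values=True, encoding=encoding)
    received = {k.upper(): v for k, v in pairs}
    signature = received.pop("SHASIGN", "").upper()
    # Fields outside the signed list are not covered by the check: drop them.
    signed = {k: v for k, v in received.items() if k in SIGNED_OUT}
    expected = sha_sign(signed, passphrase, algo, encoding)
    # Compare as bytes in constant time.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    return signed


if __name__ == "__main__":
    # Values from the example in section 3.2.
    request = {
        "Parameters.AcceptUrl": "https://www.myshop.com/ok.html",
        "Parameters.ExceptionUrl": "https://www.myshop.com/nok.html",
        "Account.PspId": "test1",
        "Card.Brand": "VISA",
    }
    print(string_to_hash(request, "Mysecretsig1875!?"))
    print(sha_sign(request, "Mysecretsig1875!?"))
```

Act only on the dictionary returned by verify_feedback: any parameter appended to the return URL that is not in the signed list can be changed in transit without invalidating SHASIGN.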
